codeprobe-scanner 1.0.0

package/src/cli/commands/scan.ts

@@ -0,0 +1,137 @@
+import chalk from 'chalk';
+import { writeFile, chmod, mkdir } from 'fs/promises';
+import { existsSync } from 'fs';
+import path from 'path';
+import { PATHS, EXIT_CODES, FILE_PERMISSIONS } from '../../shared/constants.js';
+import { ProgressLogger, createEventHandler } from '../progress.js';
+import { handleError, CodeProbeError } from '../errors.js';
+import { generateScanId, formatRiskScore, msToHuman } from '../../shared/utils.js';
+import { Report } from '../../shared/types.js';
+import { createEngine } from '../../engine/index.js';
+
+interface ScanOptions {
+  fix: boolean;
+  json: boolean;
+  verbose: boolean;
+}
+
+function parseArgs(args: string[]): { repoPath: string; options: ScanOptions } {
+  const options: ScanOptions = {
+    fix: false,
+    json: false,
+    verbose: false,
+  };
+
+  let repoPath = '.';
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--fix') {
+      options.fix = true;
+    } else if (arg === '--json') {
+      options.json = true;
+    } else if (arg === '--verbose') {
+      options.verbose = true;
+    } else if (!arg.startsWith('--')) {
+      repoPath = arg;
+    }
+  }
+
+  return { repoPath, options };
+}
+
+async function saveReport(report: Report): Promise<string> {
+  // Ensure directory exists
+  if (!existsSync(PATHS.SCANS_DIR)) {
+    await mkdir(PATHS.SCANS_DIR, { mode: FILE_PERMISSIONS.DIR, recursive: true });
+  }
+
+  const scanPath = path.join(PATHS.SCANS_DIR, `${report.scan.id}.json`);
+  const content = JSON.stringify(report, null, 2);
+
+  await writeFile(scanPath, content, 'utf-8');
+  await chmod(scanPath, FILE_PERMISSIONS.FILE); // Owner read/write only
+
+  // Also update latest.json (copy, not symlink, for portability)
+  const latestPath = path.join(PATHS.SCANS_DIR, 'latest.json');
+  await writeFile(latestPath, content, 'utf-8');
+  await chmod(latestPath, FILE_PERMISSIONS.FILE);
+
+  return scanPath;
+}
+
+function displayReport(report: Report, json: boolean, durationMs: number): void {
+  if (json) {
+    console.log(JSON.stringify({ report, duration_ms: durationMs }, null, 2));
+    return;
+  }
+
+  const logger = new ProgressLogger(false);
+  logger.printSeparator();
+
+  console.log(chalk.bold('SCAN COMPLETE'));
+  console.log(`Risk Score: ${formatRiskScore(report.scan.risk_score)}`);
+  console.log(
+    chalk.cyan(
+      `Confirmed Exploitable: ${report.summary.exploitable_count} | ` +
+        `Theoretical Risk: ${report.summary.theoretical_count}`
+    )
+  );
+  console.log(`Patches Available: ${report.scan.patches_available}`);
+  console.log(`Duration: ${msToHuman(durationMs)}`);
+
+  if (report.scan.cves.length > 0) {
+    console.log(chalk.bold('\nCVE Details:'));
+    report.scan.cves.forEach((cve) => {
+      const exploitStatus = cve.exploitable
+        ? chalk.red('✓ CONFIRMED EXPLOITABLE')
+        : chalk.yellow('~ Theoretical Risk');
+      console.log(
+        `  ${cve.id}: ${cve.package} ${cve.version_vulnerable} [${cve.severity}] ${exploitStatus}`
+      );
+      if (cve.patch_version) {
+        console.log(`    → Patch available: ${cve.patch_version}`);
+      }
+    });
+  }
+
+  logger.printSeparator();
+}
+
+export async function scanCommand(args: string[]): Promise<void> {
+  const { repoPath, options } = parseArgs(args);
+  const logger = new ProgressLogger(options.verbose);
+
+  logger.printHeader();
+
+  const startTime = Date.now();
+
+  try {
+    // Initialize engine
+    const engine = createEngine();
+
+    // Run the actual engine scan (not mocked)
+    const report = await engine.scan(repoPath);
+
+    const duration = Date.now() - startTime;
+
+    // Save report
+    const scanPath = await saveReport(report);
+    logger.logPhaseComplete('report', `Report saved to ${scanPath}`);
+
+    // Display results
+    displayReport(report, options.json, duration);
+
+    // If --fix, handle that next
+    if (options.fix) {
+      const { scanWithFixCommand } = await import('./scan-with-fix.js');
+      await scanWithFixCommand([repoPath], report, logger);
+    }
+
+    // Exit with appropriate code
+    const hasVulnerabilities = report.scan.cves.length > 0;
+    process.exit(hasVulnerabilities ? EXIT_CODES.VULNERABILITIES_FOUND : EXIT_CODES.SUCCESS);
+  } catch (error) {
+    handleError(error, logger, true);
+  }
+}

package/src/cli/config.ts

@@ -0,0 +1,188 @@
+import { existsSync, mkdirSync } from 'fs';
+import { readFile, writeFile, chmod } from 'fs/promises';
+import path from 'path';
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'crypto';
+import chalk from 'chalk';
+import { PATHS, FILE_PERMISSIONS } from '../shared/constants.js';
+
+interface ConfigData {
+  github_token?: string;
+  bright_data_api_key?: string;
+  daytona_api_key?: string;
+  nosana_api_key?: string;
+  [key: string]: string | undefined;
+}
+
+// Key derivation for AES-256-GCM
+// Recommendation: Use machine ID for cross-session consistency
+// For MVP: Use a fixed salt (in production, store per-machine)
+const ENCRYPTION_SALT = 'codeprobe-mvp-salt-2026';
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 16; // 128 bits for GCM
+const TAG_LENGTH = 16; // GCM tag length
+
+function getMachineKey(): Buffer {
+  // Derive key from stable machine fingerprint (hostname + platform + arch)
+  // Using process.pid breaks cross-session decryption
+  const os = require('os');
+  const fingerprint = `${os.hostname()}-${process.platform}-${process.arch}`;
+  return scryptSync(fingerprint, ENCRYPTION_SALT, KEY_LENGTH);
+}
+
+function encryptToken(token: string): string {
+  try {
+    const key = getMachineKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+
+    let encrypted = cipher.update(token, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const tag = cipher.getAuthTag();
+
+    // Format: iv:tag:encrypted
+    return `${iv.toString('hex')}:${tag.toString('hex')}:${encrypted}`;
+  } catch (error) {
+    console.warn(
+      chalk.yellow(
+        '⚠️  Token encryption failed. Falling back to plaintext (not secure).\n' +
+          'Warning: ~/.codeprobe/config.json contains unencrypted secrets.'
+      )
+    );
+    return token;
+  }
+}
+
+function decryptToken(encryptedToken: string): string {
+  try {
+    // Check if token is already plaintext (fallback case)
+    if (!encryptedToken.includes(':')) {
+      return encryptedToken;
+    }
+
+    const [ivHex, tagHex, encrypted] = encryptedToken.split(':');
+    const key = getMachineKey();
+    const iv = Buffer.from(ivHex, 'hex');
+    const tag = Buffer.from(tagHex, 'hex');
+
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+
+    return decrypted;
+  } catch (error) {
+    console.warn(chalk.yellow('⚠️  Token decryption failed. Token may be corrupted.'));
+    return encryptedToken;
+  }
+}
+
+export async function ensureConfigDir(): Promise<void> {
+  if (!existsSync(PATHS.CODEPROBE_DIR)) {
+    mkdirSync(PATHS.CODEPROBE_DIR, { mode: FILE_PERMISSIONS.DIR, recursive: true });
+  }
+  if (!existsSync(PATHS.SCANS_DIR)) {
+    mkdirSync(PATHS.SCANS_DIR, { mode: FILE_PERMISSIONS.DIR, recursive: true });
+  }
+
+  // Ensure permissions are correct
+  try {
+    await chmod(PATHS.CODEPROBE_DIR, FILE_PERMISSIONS.DIR);
+    await chmod(PATHS.SCANS_DIR, FILE_PERMISSIONS.DIR);
+  } catch (error) {
+    // Ignore permission errors on some filesystems
+  }
+}
+
+async function loadConfig(): Promise<ConfigData> {
+  try {
+    if (!existsSync(PATHS.CONFIG_FILE)) {
+      return {};
+    }
+
+    const content = await readFile(PATHS.CONFIG_FILE, 'utf-8');
+    return JSON.parse(content);
+  } catch (error) {
+    console.warn(chalk.yellow('⚠️  Failed to load config file.'));
+    return {};
+  }
+}
+
+async function saveConfig(config: ConfigData): Promise<void> {
+  await ensureConfigDir();
+
+  const content = JSON.stringify(config, null, 2);
+  await writeFile(PATHS.CONFIG_FILE, content, 'utf-8');
+  await chmod(PATHS.CONFIG_FILE, FILE_PERMISSIONS.FILE);
+}
+
+export async function getConfig(key?: string): Promise<ConfigData | string | undefined> {
+  const config = await loadConfig();
+
+  if (key) {
+    const value = config[key];
+    if (!value) return undefined;
+
+    // Decrypt if it looks like an encrypted token
+    if (typeof value === 'string' && value.includes(':')) {
+      return decryptToken(value);
+    }
+    return value;
+  }
+
+  return config;
+}
+
+export async function setConfig(key: string, value: string): Promise<void> {
+  const config = await loadConfig();
+
+  // Encrypt if it's a token/secret field (specific fields only)
+  const secretFields = ['github_token', 'bright_data_api_key', 'daytona_api_key', 'nosana_api_key'];
+  if (secretFields.includes(key.toLowerCase())) {
+    config[key] = encryptToken(value);
+  } else {
+    config[key] = value;
+  }
+
+  await saveConfig(config);
+  console.log(chalk.green(`✓ Config saved: ${key}`));
+}
+
+export async function clearConfig(key: string): Promise<void> {
+  const config = await loadConfig();
+  delete config[key];
+  await saveConfig(config);
+  console.log(chalk.green(`✓ Config cleared: ${key}`));
+}
+
+export async function getApiKey(service: 'BRIGHT_DATA' | 'DAYTONA' | 'NOSANA'): Promise<string> {
+  const envKey = process.env[`${service}_API_KEY`];
+  if (envKey) {
+    return envKey;
+  }
+
+  const configKey = await getConfig(service.toLowerCase() + '_api_key');
+  if (configKey && typeof configKey === 'string') {
+    return configKey;
+  }
+
+  throw new Error(
+    `No ${service} API key found.\n` +
+      `Set environment variable: export ${service}_API_KEY=<key>\n` +
+      `Or run: codeprobe config set ${service.toLowerCase()}_api_key <key>`
+  );
+}
+
+export async function getGitHubToken(): Promise<string> {
+  const token = await getConfig('github_token');
+  if (token && typeof token === 'string') {
+    return token;
+  }
+
+  throw new Error(
+    'No GitHub token found.\n' +
+      'Set: codeprobe config set github_token <token>\n' +
+      'Or: export GITHUB_TOKEN=<token>'
+  );
+}

package/src/cli/errors.ts

@@ -0,0 +1,120 @@
+import chalk from 'chalk';
+import { ProgressLogger } from './progress.js';
+
+export class CodeProbeError extends Error {
+  constructor(
+    public code: string,
+    public message: string,
+    public details?: string
+  ) {
+    super(message);
+    this.name = 'CodeProbeError';
+  }
+}
+
+export class BrightDataError extends CodeProbeError {
+  constructor(details?: string) {
+    super('BRIGHT_DATA_FAILED', 'CVE scraping failed', details);
+  }
+}
+
+export class DaytonaError extends CodeProbeError {
+  constructor(details?: string) {
+    super('DAYTONA_FAILED', 'Sandbox operation failed', details);
+  }
+}
+
+export class NetworkError extends CodeProbeError {
+  constructor(details?: string) {
+    super('NETWORK_ERROR', 'Network operation failed', details);
+  }
+}
+
+export class GitError extends CodeProbeError {
+  constructor(details?: string) {
+    super('GIT_ERROR', 'Git operation failed', details);
+  }
+}
+
+export class ConfigError extends CodeProbeError {
+  constructor(details?: string) {
+    super('CONFIG_ERROR', 'Configuration error', details);
+  }
+}
+
+export function handleError(error: unknown, logger: ProgressLogger, exitOnError = true): void {
+  console.log('');
+  logger.printSeparator();
+
+  if (error instanceof CodeProbeError) {
+    logger.logError(error.message, error.details);
+
+    // Provide guidance for specific errors
+    if (error.code === 'BRIGHT_DATA_FAILED') {
+      console.log(chalk.yellow('→ Using cached CVE data (may be outdated)'));
+      console.log(chalk.cyan('→ Run: codeprobe config set bright_data_api_key <key>'));
+    } else if (error.code === 'GIT_ERROR') {
+      console.log(chalk.yellow('→ Ensure git repository is clean'));
+      console.log(chalk.cyan('→ Run: git status && git commit'));
+    } else if (error.code === 'CONFIG_ERROR') {
+      console.log(chalk.yellow('→ Run: codeprobe config set <key> <value>'));
+    }
+  } else if (error instanceof Error) {
+    logger.logError(error.message, error.stack);
+  } else {
+    logger.logError('Unknown error occurred');
+  }
+
+  logger.printSeparator();
+  console.log('');
+
+  if (exitOnError) {
+    process.exit(2); // Exit code 2 = scan failed
+  }
+}
+
+export function wrapWithTimeout<T>(
+  promise: Promise<T>,
+  timeoutMs: number,
+  errorMessage: string
+): Promise<T> {
+  return Promise.race([
+    promise,
+    new Promise<T>((_, reject) =>
+      setTimeout(() => reject(new Error(`${errorMessage} (timeout: ${timeoutMs}ms)`)), timeoutMs)
+    ),
+  ]);
+}
+
+export async function retryWithBackoff<T>(
+  fn: () => Promise<T>,
+  maxRetries = 2,
+  backoffMs = 1000
+): Promise<T> {
+  let lastError: Error | undefined;
+
+  for (let i = 0; i <= maxRetries; i++) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error instanceof Error ? error : new Error(String(error));
+      if (i < maxRetries) {
+        await new Promise((resolve) => setTimeout(resolve, backoffMs * (i + 1)));
+      }
+    }
+  }
+
+  throw lastError;
+}
+
+export function formatError(error: unknown): string {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+
+export function logFallback(message: string, reason: string): void {
+  console.log(chalk.yellow(`→ ${message}`));
+  console.log(chalk.gray(`  Reason: ${reason}`));
+}

package/src/cli/index.ts

@@ -0,0 +1,137 @@
+#!/usr/bin/env bun
+
+import chalk from 'chalk';
+import { APP_NAME, APP_VERSION, EXIT_CODES } from '../shared/constants.js';
+import { ProgressLogger } from './progress.js';
+import { handleError } from './errors.js';
+import { scanCommand } from './commands/scan.js';
+import { reportCommand } from './commands/report.js';
+
+const logger = new ProgressLogger();
+
+function showHelp(): void {
+  console.log(`
+${chalk.bold.cyan(`⚡ ${APP_NAME} v${APP_VERSION}`)}
+
+${chalk.bold('USAGE')}
+  codeprobe <command> [options] [arguments]
+
+${chalk.bold('COMMANDS')}
+  scan [path]     Scan a repository for vulnerabilities (default: current dir)
+  report          Display last scan results
+  config          Manage configuration
+  help            Show this help message
+
+${chalk.bold('OPTIONS')}
+  --fix           Auto-fix vulnerabilities (creates git branch & commits)
+  --json          Output results as JSON
+  --verbose       Show detailed logs
+  --help          Show help
+
+${chalk.bold('EXAMPLES')}
+  codeprobe scan
+  codeprobe scan ./my-app
+  codeprobe scan --fix
+  codeprobe scan --json > report.json
+  codeprobe report
+  codeprobe config set bright_data_api_key <key>
+
+${chalk.bold('DOCS')}
+  https://github.com/codeprobe/codeprobe
+`);
+}
+
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+
+  // No args = show help
+  if (args.length === 0) {
+    showHelp();
+    process.exit(EXIT_CODES.SUCCESS);
+  }
+
+  const command = args[0];
+  const restArgs = args.slice(1);
+
+  try {
+    switch (command) {
+      case 'scan':
+        await scanCommand(restArgs);
+        break;
+
+      case 'report':
+        await reportCommand(restArgs);
+        break;
+
+      case 'config':
+        await handleConfigCommand(restArgs);
+        break;
+
+      case '--help':
+      case '-h':
+      case 'help':
+        showHelp();
+        break;
+
+      default:
+        console.error(chalk.red(`Unknown command: ${command}`));
+        console.log(`Run ${chalk.cyan('codeprobe --help')} for usage`);
+        process.exit(EXIT_CODES.SCAN_FAILED);
+    }
+  } catch (error) {
+    handleError(error, logger, true);
+  }
+}
+
+async function handleConfigCommand(args: string[]): Promise<void> {
+  const { getConfig, setConfig, clearConfig } = await import('./config.js');
+
+  const subcommand = args[0];
+
+  switch (subcommand) {
+    case 'get':
+      {
+        const key = args[1];
+        if (!key) {
+          const config = await getConfig();
+          console.log(JSON.stringify(config, null, 2));
+        } else {
+          const value = await getConfig(key);
+          console.log(value || `${key} not set`);
+        }
+      }
+      break;
+
+    case 'set':
+      {
+        const key = args[1];
+        const value = args[2];
+        if (!key || !value) {
+          console.error(chalk.red('Usage: codeprobe config set <key> <value>'));
+          process.exit(EXIT_CODES.SCAN_FAILED);
+        }
+        await setConfig(key, value);
+      }
+      break;
+
+    case 'clear':
+      {
+        const key = args[1];
+        if (!key) {
+          console.error(chalk.red('Usage: codeprobe config clear <key>'));
+          process.exit(EXIT_CODES.SCAN_FAILED);
+        }
+        await clearConfig(key);
+      }
+      break;
+
+    default:
+      console.error(chalk.red(`Unknown config subcommand: ${subcommand}`));
+      console.log(`Usage: codeprobe config [get|set|clear]`);
+      process.exit(EXIT_CODES.SCAN_FAILED);
+  }
+}
+
+main().catch((error) => {
+  handleError(error, logger, true);
+});

package/src/cli/progress.ts

@@ -0,0 +1,119 @@
+import chalk from 'chalk';
+import dayjs from 'dayjs';
+import { ScanEvent } from '../shared/types.js';
+
+export class ProgressLogger {
+  private startTime: number = Date.now();
+  private lastPhase: string = '';
+
+  constructor(private verbose: boolean = false) {}
+
+  log(event: ScanEvent): void {
+    if (!this.verbose && event.level === 'info') {
+      // Only show progress/complete/error in non-verbose mode
+      if (event.status === 'progress' || event.status === 'start') {
+        return;
+      }
+    }
+
+    const timestamp = dayjs().format('HH:mm:ss');
+    const prefix = `[${timestamp}]`;
+
+    let output = '';
+    const icon = this.getIcon(event.level, event.status);
+
+    switch (event.level) {
+      case 'success':
+        output = chalk.green(`${prefix} ${icon} ${event.message}`);
+        break;
+      case 'warn':
+        output = chalk.yellow(`${prefix} ${icon} ${event.message}`);
+        break;
+      case 'error':
+        output = chalk.red(`${prefix} ${icon} ${event.message}`);
+        break;
+      default:
+        output = chalk.cyan(`${prefix} ${icon} ${event.message}`);
+    }
+
+    if (event.metadata && this.verbose) {
+      output += chalk.gray(` ${JSON.stringify(event.metadata)}`);
+    }
+
+    console.log(output);
+    this.lastPhase = event.phase;
+  }
+
+  private getIcon(level: string, status: string): string {
+    switch (level) {
+      case 'success':
+        return '✓';
+      case 'error':
+        return '❌';
+      case 'warn':
+        return '⚠️';
+      default:
+        if (status === 'start') return '▶️';
+        if (status === 'complete') return '✓';
+        return '•';
+    }
+  }
+
+  logPhaseStart(phase: string, message: string): void {
+    const timestamp = dayjs().format('HH:mm:ss');
+    console.log(chalk.cyan(`[${timestamp}] ▶️  ${message}...`));
+  }
+
+  logPhaseComplete(phase: string, message: string): void {
+    const timestamp = dayjs().format('HH:mm:ss');
+    console.log(chalk.green(`[${timestamp}] ✓ ${message}`));
+  }
+
+  logError(message: string, details?: string): void {
+    const timestamp = dayjs().format('HH:mm:ss');
+    console.log(chalk.red(`[${timestamp}] ❌ ${message}`));
+    if (details) {
+      console.log(chalk.gray(`    ${details}`));
+    }
+  }
+
+  logWarning(message: string, details?: string): void {
+    const timestamp = dayjs().format('HH:mm:ss');
+    console.log(chalk.yellow(`[${timestamp}] ⚠️  ${message}`));
+    if (details) {
+      console.log(chalk.gray(`    ${details}`));
+    }
+  }
+
+  printSeparator(): void {
+    console.log(chalk.gray('────────────────────────────────────────────────'));
+  }
+
+  printHeader(): void {
+    console.log(chalk.bold.cyan('⚡ CodeProbe v1.0.0'));
+  }
+
+  printElapsedTime(): void {
+    const elapsed = Date.now() - this.startTime;
+    const ms = elapsed % 1000;
+    const s = Math.floor(elapsed / 1000) % 60;
+    const m = Math.floor(elapsed / 60000);
+
+    const timeStr =
+      m > 0
+        ? `${m}m ${s}s`
+        : s > 0
+          ? `${s}s`
+          : `${ms}ms`;
+
+    console.log(chalk.gray(`⏱️  Completed in ${timeStr}`));
+  }
+}
+
+export function createEventHandler(verbose: boolean = false) {
+  const logger = new ProgressLogger(verbose);
+
+  return (event: ScanEvent) => {
+    logger.log(event);
+  };
+}