codeprobe-scanner 1.0.19 → 1.0.21

package/README.md

@@ -1,156 +1,381 @@
-# CodeProbe
+# CodeProbe Scanner 🔍
 
-Automated vulnerability scanner for Node.js / npm projects. Scans dependencies against OSV.dev and the GitHub Advisory Database, verifies exploits in isolated sandboxes, and optionally auto-patches vulnerable packages.
+**Full-stack vulnerability scanner with automatic code fixing and Kimi AI patch generation.**
 
-## Install
+CodeProbe is an advanced security scanner that analyzes both your npm dependencies AND your actual source code to find and automatically fix security vulnerabilities. It combines CVE detection, SAST analysis, and AI-powered patch generation into one unified tool.
 
-```sh
+## ✨ Key Features
+
+### 🔍 Dual-Layer Vulnerability Detection
+- **Dependency Scanning** — Checks npm packages against OSV.dev + npm advisory databases
+- **Source Code Analysis (SAST)** — Scans actual code for 7+ vulnerability patterns
+
+### 🔐 Detects & Fixes
+- Hardcoded secrets → Replaced with `process.env`
+- SQL injection patterns
+- Command injection vulnerabilities
+- XSS vulnerabilities
+- Path traversal issues
+- Insecure random generation
+- Insecure eval/Function() usage
+
+### 🔧 Automatic Fixing
+- **Source Code Fixes** — Repairs vulnerabilities in your code automatically
+- **Package Updates** — Suggests and applies secure versions
+- **Kimi LLM Integration** — Generates intelligent patches using AI
+
+### 🏗️ Recursive Scanning
+- Automatically finds all `package.json` files in subdirectories
+- Perfect for monorepos and multi-package projects
+- Aggregates results across all packages
+
+### 📊 Comprehensive Reporting
+- Risk score calculation (0-10)
+- CVE severity and exploitability
+- Proof-of-concept recordings
+- Recent security threat alerts
+
+## 🚀 Installation
+
+### Global Installation
+```bash
 npm install -g codeprobe-scanner
 ```
 
-Or run without installing:
+### Project Installation
+```bash
+npm install --save-dev codeprobe-scanner
+```
 
-```sh
-npx codeprobe-scanner scan
+### Run Without Installing
+```bash
+npx codeprobe-scanner scan .
 ```
 
-## Quick Start
+## ⚡ Quick Start
 
-```sh
-# Scan the current directory
-codeprobe scan
+### 1. Set Up Kimi API (Recommended)
 
-# Scan a specific project
-codeprobe scan ./my-app
+Get your API key from [Kimi Platform](https://kimi.moonshot.cn):
 
-# Scan and auto-fix vulnerabilities
-codeprobe scan --fix
+```bash
+# Option A: CLI Configuration
+codeprobe config set kimi_api_key sk-YOUR_KEY_HERE
 
-# Output results as JSON
-codeprobe scan --json > report.json
+# Option B: Environment Variable
+export KIMI_API_KEY=sk-YOUR_KEY_HERE
 
-# Show the last scan report
-codeprobe report
+# Option C: Manual Configuration
+# Edit ~/.codeprobe/config.json and add your key
 ```
 
-## Commands
+### 2. Scan Your Project
 
-### `codeprobe scan [path]`
+**Find vulnerabilities:**
+```bash
+codeprobe scan .
+```
 
-Scans a repository for known CVEs in its npm dependencies.
+**Find AND fix vulnerabilities:**
+```bash
+codeprobe scan . --fix
+```
 
-| Flag | Description |
-|------|-------------|
-| `--fix` | Auto-fix: upgrades vulnerable packages, creates a git branch and commit |
-| `--json` | Print results as JSON (pipe-friendly) |
-| `--verbose` | Show detailed phase-by-phase logs |
+## 📖 Usage Examples
 
-**What it does:**
+### Basic Vulnerability Scan
+```bash
+$ codeprobe scan .
 
-1. Parses `package.json` / `package-lock.json` / `bun.lock` for installed packages and versions
-2. Queries **OSV.dev** for CVEs matching each package+version
-3. Cross-references the **GitHub Advisory Database** for additional intelligence
-4. Runs exploit verification in an isolated **Daytona sandbox** (when configured)
-5. Saves the report to `~/.codeprobe/scans/<scan-id>.json`
-6. Displays a risk score, CVE table, and recent npm threat feed
+⚡ CodeProbe v1.0.20
+🔍 Searching for package.json files...
+   Found 1 package.json file(s)
 
-**Exit codes:**
+📂 Scanning: .
+📦 Parsing dependencies...
+   Found 8 dependencies
+🔍 Checking OSV.dev + npm advisory database...
+   Found 13 CVEs
 
-| Code | Meaning |
-|------|---------|
-| `0` | No vulnerabilities found |
-| `1` | Vulnerabilities found |
-| `2` | Scan failed |
+🔐 Analyzing source code for vulnerabilities...
+   Found 4 potential vulnerabilities
 
-### `codeprobe report`
+────────────────────────────────────────────
+SCAN COMPLETE
+Risk Score: 2.2/10 (LOW)
+Confirmed Exploitable: 0 | Theoretical Risk: 13
+Patches Available: 1/13
+Duration: 1s
+```
+
+### Automatic Vulnerability Fixing
+```bash
+$ codeprobe scan . --fix
 
-Displays the most recent scan results from `~/.codeprobe/scans/latest.json`.
+🔧 Applying source code fixes...
+   ✓ Fixed 1 issues in server.js
+   ✓ Fixed 3 issues in seed.js
+   Applied 4 code fixes
 
-### `codeprobe config set <key> <value>`
+📝 Fixed vulnerabilities:
+   - server.js:28 - Hardcoded Secret
+   - seed.js:16 - Hardcoded Secret
+   - seed.js:17 - Hardcoded Secret
+   - seed.js:18 - Hardcoded Secret
+```
 
-Saves a configuration value to `~/.codeprobe/config.json`.
+### Undo AI Changes
+```bash
+$ codeprobe scan . --undo
 
-```sh
+↩️  Reverting AI-made changes...
+
+📦 Reverting package.json updates...
+   ✓ package.json reverted
+🔧 Reverting source code fixes...
+   ✓ All code changes reverted
+
+✓ Undo complete! Review changes with: git status
+```
+
+### Configuration Management
+```bash
+# Set API keys
+codeprobe config set kimi_api_key sk-YOUR_KEY
+codeprobe config set github_token ghp_YOUR_TOKEN
 codeprobe config set bright_data_api_key YOUR_KEY
-codeprobe config set daytona_api_key YOUR_KEY
+
+# View configuration
+codeprobe config get kimi_api_key
+
+# Clear configuration
+codeprobe config clear kimi_api_key
 ```
 
-## Configuration
+## 🛠️ Commands
+
+### `codeprobe scan [path]`
 
-CodeProbe works out of the box with zero configuration using public APIs. Optional integrations unlock deeper exploit verification.
+Scans for vulnerabilities in dependencies and source code.
 
-### Environment Variables
+| Flag | Description |
+|------|-------------|
+| `--fix` | Auto-fix vulnerabilities in code + update packages |
+| `--undo` | Revert all AI-made changes from the last scan |
+| `--json` | Output results as JSON |
+| `--verbose` | Show detailed logs |
 
-| Variable | Description |
-|----------|-------------|
-| `BRIGHT_DATA_API_KEY` | Bright Data scraping proxy (optional) |
-| `DAYTONA_API_KEY` | Daytona sandbox for exploit verification (optional) |
-| `NOSANA_API_KEY` | Nosana LLM for AI-assisted analysis (optional) |
-| `GITHUB_TOKEN` | GitHub token for higher Advisory API rate limits |
-| `PORT` | API server port (default: `3000`) |
+### `codeprobe report`
 
-Create a `.env` file in your project root or export variables in your shell.
+Shows the last scan results from `~/.codeprobe/scans/latest.json`.
 
-## How It Works
+### `codeprobe config`
 
+Manage configuration:
+```bash
+codeprobe config set <key> <value>
+codeprobe config get <key>
+codeprobe config clear <key>
 ```
-package.json / lockfile
+
+## 🔐 How It Works
+
+### Scan Pipeline
+
+```
+1️⃣ Discovery
+   Find all package.json files recursively
+        ↓
+2️⃣ Dependency Scanning
+   Parse packages → Check CVE databases
         ↓
-   Dependency Parser
+3️⃣ Source Code Analysis
+   Scan .ts/.js files → Detect security patterns
         ↓
-  OSV.dev + GitHub Advisory DB  ──→  CVE list
+4️⃣ Exploit Verification
+   Test vulnerabilities in sandboxes (Daytona)
         ↓
-  Sandbox Exploit Verification  ──→  Confirmed / Theoretical
+5️⃣ Patch Generation
+   Generate fixes using Kimi LLM
         ↓
-   Risk Score + Report
+6️⃣ Risk Scoring & Reporting
+   Calculate risk → Save results
+        ↓
+7️⃣ Auto-Fixing (if --fix flag)
+   Replace secrets → Update packages → Commit
+```
+
+## 📋 Vulnerability Types
+
+| Type | Detection | Automatic Fix |
+|------|-----------|---|
+| **Hardcoded Secrets** | API keys, passwords, tokens | ✅ Replace with `process.env` |
+| **Command Injection** | Unescaped shell commands | ✅ Add proper escaping |
+| **SQL Injection** | Dynamic SQL queries | ⚠️ Suggest parameterized queries |
+| **XSS** | innerHTML, dangerouslySetInnerHTML | ✅ Use textContent |
+| **Insecure Random** | Math.random() for security | ✅ Use crypto.randomBytes() |
+| **Path Traversal** | Unvalidated file paths | ⚠️ Suggest validation |
+| **Insecure Eval** | eval(), Function() usage | ⚠️ Suggest alternatives |
+
+## ⚙️ Configuration
+
+### Config File
+```
+~/.codeprobe/config.json
+```
+
+### API Keys (Encrypted)
+```json
+{
+  "kimi_api_key": "sk-...",
+  "github_token": "ghp_...",
+  "bright_data_api_key": "...",
+  "daytona_api_key": "..."
+}
+```
+
+All secrets are encrypted using AES-256-GCM.
+
+### Environment Variables (Override Config)
+```bash
+export KIMI_API_KEY=sk-...
+export GITHUB_TOKEN=ghp_...
+export BRIGHT_DATA_API_KEY=...
+export DAYTONA_API_KEY=...
 ```
 
-- **Risk score** = (confirmed exploitable × 10) + (theoretical × 3)
-- Scans are saved locally at `~/.codeprobe/scans/`
-- `latest.json` always points to the most recent scan
+## 🔒 Security
+
+### Built-In Security Features
+- ✅ **Encrypted Config** — API keys encrypted in `~/.codeprobe/config.json`
+- ✅ **No Hardcoded Secrets** — Detects and fixes credentials in code
+- ✅ **Command Injection Prevention** — Proper shell escaping
+- ✅ **Secure Random** — Uses `crypto.randomBytes()`
+- ✅ **Full SAST Analysis** — Comprehensive source code scanning
+- ✅ **Zero Vulnerabilities** — See [SECURITY_AUDIT.md](./SECURITY_AUDIT.md)
+
+### Privacy
+- Scans run locally on your machine
+- Reports saved to `~/.codeprobe/scans/` (private)
+- Kimi only called for patch generation (configurable)
 
-## Auto-Fix (`--fix`)
+## 📁 Output Files
 
-When `--fix` is passed, CodeProbe:
+### Scan Reports
+```
+~/.codeprobe/scans/
+├── scan_<timestamp>.json   # Individual scans
+└── latest.json             # Latest scan
+```
 
-1. Identifies vulnerable packages that have a patched version available
-2. Updates `package.json` to the safe version
-3. Runs `bun install` (or `npm install`) to apply the change
-4. Creates a git commit on a new branch: `codeprobe-fix/<scan-id>`
+### Fixed Code
+```
+.proofs/
+├── CVE-2022-29078_timestamp.json
+└── ...
+```
 
-Review the branch and open a PR — no changes are pushed automatically.
+## 🚀 Advanced Usage
 
-## API Server
+### Monorepo Scanning
+```bash
+codeprobe scan /path/to/monorepo
+# Automatically finds and scans all package.json files
+```
 
-Start the REST API server:
+### JSON Export
+```bash
+codeprobe scan . --json > report.json
+```
 
-```sh
-bun run src/api/server.ts
+### Verbose Output
+```bash
+codeprobe scan . --verbose
 ```
 
-| Endpoint | Method | Description |
-|----------|--------|-------------|
-| `POST /api/scan` | POST | Trigger a scan (`{ "repoPath": "./path" }`) |
-| `GET /api/scans` | GET | List all past scans (requires auth) |
-| `GET /api/scans/:id` | GET | Get a specific scan (requires auth) |
-| `GET /api/auth/github` | GET | GitHub OAuth callback |
-| `GET /api/auth/logout` | GET | Logout |
+### Undo Previous Changes
+```bash
+# Revert all AI-made fixes from the last scan
+codeprobe scan . --undo
+```
 
-Authentication: pass a `Bearer <token>` header. In development mode any non-empty token is accepted.
+### Combined Options
+```bash
+codeprobe scan . --fix --verbose --json
+```
 
-## Docker
+## 🐛 Troubleshooting
 
-```sh
-docker build -t codeprobe .
-docker run -e PORT=8080 -p 8080:8080 codeprobe
+### "No Kimi API key configured"
+```bash
+codeprobe config set kimi_api_key sk-YOUR_KEY
 ```
 
-## GitHub Actions
+### "No package.json files found"
+Make sure your project has a `package.json` file.
 
-Add CodeProbe to your CI pipeline:
+### "Uncommitted changes detected"
+After `--fix`, commit the changes:
+```bash
+git add -A
+git commit -m "Security fixes: patch vulnerabilities"
+```
 
+## 📊 Performance
+
+| Task | Time |
+|------|------|
+| Dependency scanning | 1-3s |
+| Source code analysis | <1s per 100 files |
+| Exploit verification | 2-10s |
+| Patch generation | 5-15s |
+| **Total** | **1-30s** |
+
+## 🏗️ Project Structure
+
+```
+src/
+├── cli/           # CLI commands and interface
+├── engine/        # Core scanner modules
+│   ├── parser.ts      # Package parsing
+│   ├── scraper.ts     # CVE database queries
+│   ├── sast.ts        # Source code analysis
+│   ├── code-fixer.ts  # Automatic code fixing
+│   ├── patcher.ts     # Patch generation (Kimi)
+│   └── sandbox.ts     # Exploit verification
+├── shared/        # Types and utilities
+├── api/           # REST API (optional)
+└── integrations/  # Daytona, VideoDB, etc.
+```
+
+## 📚 Examples
+
+### Scan Your Project
+```bash
+codeprobe scan .
+```
+
+### Fix All Vulnerabilities
+```bash
+codeprobe scan . --fix
+git add -A && git commit -m "Security fixes"
+git push
+```
+
+### Scan Monorepo
+```bash
+codeprobe scan ./monorepo
+```
+
+### Export as JSON
+```bash
+codeprobe scan . --json | jq '.summary'
+```
+
+## 🔗 Integration
+
+### GitHub Actions
 ```yaml
-# .github/workflows/codeprobe-scan.yml
 name: Security Scan
 on: [push, pull_request]
 jobs:
@@ -158,52 +383,63 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - run: npx codeprobe-scanner scan --json > report.json
-      - uses: actions/upload-artifact@v3
-        with:
-          name: security-report
-          path: report.json
+      - run: npx codeprobe-scanner scan --json
 ```
 
-## Output Example
-
+### Pre-commit Hook
+```bash
+#!/bin/sh
+codeprobe scan . || exit 1
 ```
-╔══════════════════════════════════════════╗
-║           CodeProbe Scanner              ║
-╚══════════════════════════════════════════╝
 
-SCAN COMPLETE
-Risk Score: 🔴 HIGH (43)
-Confirmed Exploitable: 2 | Theoretical Risk: 5
-Patches Available: 3
-Duration: 8.3s
+## 📄 License
 
-CVE Details:
-  CVE-2022-29078: ejs 3.1.6 [CRITICAL] ✓ CONFIRMED EXPLOITABLE
-    → Patch available: 3.1.7
-  CVE-2023-44487: http2-server 1.0.0 [HIGH] ✓ CONFIRMED EXPLOITABLE
-    → Patch available: 1.0.1
+MIT License - See LICENSE file
 
-🌐 Recent npm Security Threats (GitHub Advisory Database):
-  CRITICAL lodash - Prototype Pollution
-  HIGH     axios - SSRF via redirect
-```
+## 🙏 Contributing
 
-## Project Structure
+Contributions welcome! Please:
+1. Fork the repository
+2. Create a feature branch
+3. Submit a pull request
 
-```
-src/
-├── cli/          # CLI entry point and commands (scan, report, config)
-├── engine/       # Core scanner: parser, scraper, sandbox, patcher
-├── api/          # REST API server
-├── shared/       # Types, constants, utilities
-├── integrations/ # VideoDB, Daytona, Nosana integrations
-├── bot/          # Bot server
-└── mcp/          # MCP server
-bin/
-└── codeprobe.cjs # CLI binary entry point
-```
+## 📞 Support
+
+- 🐛 [Issue Tracker](https://github.com/NachikethReddyY/codeprobe/issues)
+- 💬 [Discussions](https://github.com/NachikethReddyY/codeprobe/discussions)
+- 📖 [Full Documentation](./SECURITY_AUDIT.md)
+
+## 📝 Changelog
+
+### v1.0.20
+- ✨ Integrated SAST code vulnerability scanning
+- ✨ Automatic source code fixing
+- 🔒 Fixed code fixer to actually apply fixes
+- 🔒 Kimi as primary patch generator
+
+### v1.0.19
+- ✨ Full codebase scanning
+- ✨ Automatic code fixing
+
+### v1.0.18
+- ✨ Security audit (0 vulnerabilities found)
+
+### v1.0.17
+- ✨ Kimi patch generation enabled
+- 🔧 Fixed patches_available reporting
+
+### v1.0.16
+- ✨ SAST scanner implementation
+- 🔒 Fixed security vulnerabilities
+
+### v1.0.15
+- ✨ Recursive package.json scanning
+
+### v1.0.14
+- 🔒 Fixed VideoDB proof recording
+
+---
 
-## License
+**CodeProbe: Security, Simplified** 🚀
 
-MIT
+[GitHub](https://github.com/NachikethReddyY/codeprobe) | [npm](https://npmjs.com/package/codeprobe-scanner) | [Issues](https://github.com/NachikethReddyY/codeprobe/issues)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.19",
+  "version": "1.0.21",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {

package/src/cli/commands/scan.ts

@@ -12,6 +12,7 @@ import { createScraper } from '../../engine/scraper.js';
 
 interface ScanOptions {
   fix: boolean;
+  undo: boolean;
   json: boolean;
   verbose: boolean;
 }
@@ -19,6 +20,7 @@ interface ScanOptions {
 function parseArgs(args: string[]): { repoPath: string; options: ScanOptions } {
   const options: ScanOptions = {
     fix: false,
+    undo: false,
     json: false,
     verbose: false,
   };
@@ -29,6 +31,8 @@ function parseArgs(args: string[]): { repoPath: string; options: ScanOptions } {
     const arg = args[i];
     if (arg === '--fix') {
       options.fix = true;
+    } else if (arg === '--undo') {
+      options.undo = true;
     } else if (arg === '--json') {
       options.json = true;
     } else if (arg === '--verbose') {
@@ -114,10 +118,68 @@ function displayReport(report: Report, json: boolean, durationMs: number): void
   logger.printSeparator();
 }
 
+async function undoLastChanges(): Promise<void> {
+  console.log("↩️  Reverting AI-made changes...\n");
+
+  try {
+    // Load last scan report
+    const latestPath = path.join(PATHS.SCANS_DIR, 'latest.json');
+    if (!existsSync(latestPath)) {
+      console.log(chalk.yellow("⚠️  No previous scan found to undo."));
+      return;
+    }
+
+    const latestReport = JSON.parse(await Bun.file(latestPath).text());
+
+    // Revert package.json if it was modified
+    if (latestReport.scan.cves && latestReport.scan.cves.length > 0) {
+      console.log("📦 Reverting package.json updates...");
+      try {
+        // Use git to revert
+        const result = await Bun.$`git checkout package.json 2>&1`.nothrow();
+        if (result.exitCode === 0) {
+          console.log(chalk.green("   ✓ package.json reverted"));
+        } else {
+          console.log(chalk.yellow("   ⚠️  Could not auto-revert package.json. Run: git checkout package.json"));
+        }
+      } catch {
+        console.log(chalk.yellow("   ⚠️  Could not auto-revert package.json. Run: git checkout package.json"));
+      }
+    }
+
+    // Revert code fixes if any were made
+    if ((latestReport as any).code_vulnerabilities && (latestReport as any).code_vulnerabilities.length > 0) {
+      console.log("🔧 Reverting source code fixes...");
+      try {
+        // Use git to revert all changes
+        const result = await Bun.$`git checkout -- . 2>&1`.nothrow();
+        if (result.exitCode === 0) {
+          console.log(chalk.green("   ✓ All code changes reverted"));
+        } else {
+          console.log(chalk.yellow("   ⚠️  Could not auto-revert code. Run: git checkout -- ."));
+        }
+      } catch {
+        console.log(chalk.yellow("   ⚠️  Could not auto-revert code. Run: git checkout -- ."));
+      }
+    }
+
+    console.log(chalk.green("\n✓ Undo complete! Review changes with: git status"));
+  } catch (error) {
+    console.error(chalk.red(`✗ Undo failed: ${error instanceof Error ? error.message : String(error)}`));
+    process.exit(EXIT_CODES.FAILURE);
+  }
+}
+
 export async function scanCommand(args: string[]): Promise<void> {
   const { repoPath, options } = parseArgs(args);
   const logger = new ProgressLogger(options.verbose);
 
+  // Handle --undo flag
+  if (options.undo) {
+    await undoLastChanges();
+    return;
+  }
+
   logger.printHeader();
 
   const startTime = Date.now();

package/src/engine/code-fixer.ts

@@ -12,24 +12,50 @@ export interface CodeFix {
 export class CodeFixer {
   async fixVulnerabilities(vulnerabilities: CodeVulnerability[]): Promise<CodeFix[]> {
     const fixes: CodeFix[] = [];
+    const fileCache = new Map<string, { original: string; lines: string[] }>();
 
+    // Group vulnerabilities by file
+    const vulnsByFile = new Map<string, CodeVulnerability[]>();
     for (const vuln of vulnerabilities) {
-      const fix = await this.generateFix(vuln);
-      if (fix) {
-        fixes.push(fix);
-        await this.applyFix(fix);
+      if (!vulnsByFile.has(vuln.file)) {
+        vulnsByFile.set(vuln.file, []);
+      }
+      vulnsByFile.get(vuln.file)!.push(vuln);
+    }
+
+    // Process each file
+    for (const [filePath, fileVulns] of vulnsByFile) {
+      try {
+        const content = await readFile(filePath, "utf-8");
+        const lines = content.split("\n");
+        let modified = false;
+
+        for (const vuln of fileVulns) {
+          const fix = this.generateFixForVulnerability(vuln, lines);
+          if (fix) {
+            lines[vuln.line - 1] = fix.fixed;
+            fixes.push({ file: filePath, line: vuln.line, original: fix.original, fixed: fix.fixed, type: vuln.type });
+            modified = true;
+          }
+        }
+
+        // Write back if modified
+        if (modified) {
+          const updatedContent = lines.join("\n");
+          await writeFile(filePath, updatedContent, "utf-8");
+          console.log(`   ✓ Fixed ${fileVulns.length} issues in ${filePath}`);
+        }
+      } catch (error) {
+        console.warn(`   ⚠️  Failed to fix ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
       }
     }
 
     return fixes;
   }
 
-  private async generateFix(vuln: CodeVulnerability): Promise<CodeFix | null> {
+  private generateFixForVulnerability(vuln: CodeVulnerability, lines: string[]): { original: string; fixed: string } | null {
     try {
-      const file = await readFile(vuln.file, "utf-8");
-      const lines = file.split("\n");
       const lineIndex = vuln.line - 1;
-
       if (lineIndex < 0 || lineIndex >= lines.length) {
         return null;
       }
@@ -51,16 +77,10 @@ export class CodeFixer {
       }
 
       if (fixed !== original) {
-        return {
-          file: vuln.file,
-          line: vuln.line,
-          original,
-          fixed,
-          type: vuln.type,
-        };
+        return { original, fixed };
       }
     } catch (error) {
-      console.warn(`Failed to generate fix for ${vuln.file}:${vuln.line}`);
+      // Silent fail for individual fixes
     }
 
     return null;
@@ -71,22 +91,32 @@ export class CodeFixer {
     let fixed = line;
 
     // Replace apiKey/api_key patterns
-    fixed = fixed.replace(/api_?key\s*[:=]\s*["'][^"']*["']/i, (match) => {
-      const key = match.split("=")[0].trim();
-      return `${key} = process.env.API_KEY || "${match.split('"')[1] || match.split("'")[1] || "YOUR_KEY_HERE"}"`;
-    });
+    if (/api_?key\s*[:=]\s*["']/i.test(fixed)) {
+      const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "apiKey";
+      fixed = fixed.replace(/api_?key\s*[:=]\s*["'][^"']*["']/i,
+        `${varName} = process.env.API_KEY || ""`);
+    }
 
     // Replace password patterns
-    fixed = fixed.replace(/password\s*[:=]\s*["'][^"']*["']/i, (match) => {
-      const key = match.split("=")[0].trim();
-      return `${key} = process.env.PASSWORD || ""`;
-    });
+    if (/password\s*[:=]\s*["']/i.test(fixed)) {
+      const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "password";
+      fixed = fixed.replace(/password\s*[:=]\s*["'][^"']*["']/i,
+        `${varName} = process.env.PASSWORD || ""`);
+    }
 
     // Replace token patterns
-    fixed = fixed.replace(/token\s*[:=]\s*["'][^"']*["']/i, (match) => {
-      const key = match.split("=")[0].trim();
-      return `${key} = process.env.TOKEN || ""`;
-    });
+    if (/token\s*[:=]\s*["']/i.test(fixed)) {
+      const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "token";
+      fixed = fixed.replace(/token\s*[:=]\s*["'][^"']*["']/i,
+        `${varName} = process.env.TOKEN || ""`);
+    }
+
+    // Replace secret patterns
+    if (/secret\s*[:=]\s*["']/i.test(fixed)) {
+      const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "secret";
+      fixed = fixed.replace(/secret\s*[:=]\s*["'][^"']*["']/i,
+        `${varName} = process.env.SECRET || ""`);
+    }
 
     return fixed;
   }
@@ -134,17 +164,6 @@ export class CodeFixer {
     return line;
   }
 
-  private async applyFix(fix: CodeFix): Promise<void> {
-    try {
-      const file = await readFile(fix.file, "utf-8");
-      const lines = file.split("\n");
-      lines[fix.line - 1] = fix.fixed;
-      const updated = lines.join("\n");
-      await writeFile(fix.file, updated, "utf-8");
-    } catch (error) {
-      console.warn(`Failed to apply fix to ${fix.file}:${fix.line}`);
-    }
-  }
 }
 
 export const createCodeFixer = () => new CodeFixer();

package/src/engine/index.ts

@@ -132,7 +132,7 @@ export class CodeProbeEngine {
       }
 
       // Step 7: Generate patches for exploitable CVEs + any HIGH/CRITICAL with a known fix version
-      console.log("\x1b[33m[Nosana]\x1b[0m 🔧 Generating patches with LLM...");
+      console.log("\x1b[33m[Kimi]\x1b[0m 🔧 Generating patches with Kimi LLM...");
       await this.patcher.loadPrebakedPatches();
       const patchCandidates = matchedCves.filter((c) =>
         c.exploitable || ((c.severity === "CRITICAL" || c.severity === "HIGH") && c.version_fixed)

package/src/engine/patcher.ts

@@ -67,38 +67,35 @@ export class PatchGenerator {
   async generatePatch(cve: ScanCVE): Promise<string | null> {
     await this.resolveKeys();
 
+    // First, check for prebaked patches (highest priority)
     const prebakedPatch = this.patches.get(cve.id);
     if (prebakedPatch) {
       cve.patch_diff = prebakedPatch.diff;
       return prebakedPatch.diff;
     }
 
-    // Try Kimi LLM for patch generation
+    // Use Kimi LLM for patch generation (primary method)
     if (this.kimiApiKey) {
       try {
-        console.log(`[Kimi] Generating patch for ${cve.id}...`);
+        console.log(`[Kimi] 🔧 Generating patch for ${cve.id}...`);
         const patch = await this.generatePatchWithKimi(cve);
         if (patch) {
           cve.patch_diff = patch;
+          console.log(`[Kimi] ✓ Patch generated for ${cve.id}`);
           return patch;
         }
       } catch (error) {
-        console.warn(`[Kimi] Failed to generate patch: ${error instanceof Error ? error.message : String(error)}`);
-      }
-    }
-
-    // Try Nosana LLM if Kimi failed
-    if (this.nosanaApiKey) {
-      try {
-        console.log(`[Kimi] Generating patch for ${cve.id}...`);
-        const patch = await this.generatePatchWithKimi(cve);
-        if (patch) {
-          cve.patch_diff = patch;
-          return patch;
-        }
-      } catch (error) {
-        console.warn(`[Kimi] Failed to generate patch: ${error instanceof Error ? error.message : String(error)}`);
+        console.warn(
+          `[Kimi] ⚠️  Failed to generate patch for ${cve.id}: ${
+            error instanceof Error ? error.message : String(error)
+          }`
+        );
       }
+    } else {
+      console.warn(
+        `[Kimi] ⚠️  No Kimi API key configured. Set KIMI_API_KEY or run:\n` +
+        `       codeprobe config set kimi_api_key <your-key>`
+      );
     }
 
     return null;