codeprobe-scanner 1.0.3 → 1.0.5

package/archived/DASHBOARD_UI_WALKTHROUGH.md

@@ -1,392 +0,0 @@
-# CodeProbe Dashboard — UI Walkthrough
-
-## To Launch (2 terminals)
-
-**Terminal 1 — API Server:**
-```bash
-bun src/api/server.ts
-# Output: 🚀 API server listening on http://localhost:3000
-```
-
-**Terminal 2 — Dashboard Server:**
-```bash
-bun serve-dashboard.ts
-# Output: 🎨 Dashboard serving on http://localhost:5173
-```
-
-**Browser:**
-```
-http://localhost:5173
-```
-
----
-
-## Screen 1: Login Page
-
-**Layout:**
-```
-┌─────────────────────────────────────────────┐
-│                                             │
-│                                             │
-│              🔒                             │
-│                                             │
-│     CodeProbe Dashboard                     │
-│                                             │
-│  Log in with GitHub to view your scan      │
-│  results and security insights.             │
-│                                             │
-│  ┌─────────────────────────────────────┐   │
-│  │  Login with GitHub                  │   │
-│  └─────────────────────────────────────┘   │
-│                                             │
-│  We'll only access your public data.        │
-│                                             │
-└─────────────────────────────────────────────┘
-```
-
-**Colors:**
-- Background: Dark gray (#111827)
-- Text: White
-- Button: White button, black text
-- Button hover: Light gray
-
-**Click "Login with GitHub":**
-- Redirects to `https://github.com/login/oauth/authorize?...`
-- (In dev mode, we bypass this and show scans list)
-
----
-
-## Screen 2: Scans List View
-
-**After Login — Top Bar:**
-```
-┌──────────────────────────────────────────────────┐
-│  🔍 CodeProbe              [Logout]              │
-└──────────────────────────────────────────────────┘
-```
-
-**Main Area — Filters:**
-```
-[All] [CRITICAL] [HIGH] [MEDIUM] [LOW]
-```
-
-**Table:**
-```
-┌────────────────┬───────────────────┬────────┬──────┬─────────────────┬────────┐
-│ Scan ID        │ Repo              │ Risk   │ CVEs │ Timestamp       │ Action │
-├────────────────┼───────────────────┼────────┼──────┼─────────────────┼────────┤
-│ scan-demo-001  │ github.com/demo/… │ 8.5 🔴 │ 2    │ Jun 13 02:20 PM │ View → │
-└────────────────┴───────────────────┴────────┴──────┴─────────────────┴────────┘
-
-Pagination: [Previous] Page 1 of 1 [Next]
-```
-
-**Color Coding:**
-- Risk 8.5 = CRITICAL → Red badge (#7F1D1D)
-- Risk 6–8 = HIGH → Orange
-- Risk 4–6 = MEDIUM → Yellow
-- Risk <4 = LOW → Green
-
-**Click "View →":**
-- Navigate to Scan Detail
-
----
-
-## Screen 3: Scan Detail View
-
-**Back Button + Header:**
-```
-← Back to Scans
-
-https://github.com/demo/vulnerable-app
-
-Scan ID: scan-demo-001
-Timestamp: Jun 13 02:20 PM
-```
-
-**Risk Gauge:**
-```
-     ┌─────────────────┐
-     │                 │
-     │    [Gauge]  8.5 │
-     │    ◄─────────►  │  Risk Level
-     │  0          10  │  CRITICAL
-     │                 │
-     └─────────────────┘
-```
-
-**Circular SVG gauge:**
-- Blue fill at 85% (8.5/10)
-- Red for CRITICAL severity
-- Animated on load
-
-**Summary Stats (3 boxes):**
-```
-┌─────────────────┬─────────────────┬──────────────────┐
-│ Confirmed       │ Theoretical      │ Supply Chain     │
-│ Exploitable     │ Risk             │ Warnings         │
-│                 │                  │                  │
-│        1        │        1         │         0        │
-└─────────────────┴─────────────────┴──────────────────┘
-```
-
----
-
-## Screen 4: Business Impact Card (CRITICAL FOR JUDGES)
-
-**Position:** Above the fold, always visible
-
-**Design:**
-```
-┌────────────────────────────────────────────────────┐
-│ ⚠️ BUSINESS IMPACT                                 │
-├────────────────────────────────────────────────────┤
-│                                                    │
-│ This codebase contains 2 confirmed vulnerabilities │
-│                                                    │
-│ ┌──────────────────────────────────────────────┐  │
-│ │ If exploited → attacker can:                 │  │
-│ │ • Execute arbitrary code on your server      │  │
-│ │ • Steal sensitive customer data              │  │
-│ │ • Hold your service ransom                   │  │
-│ └──────────────────────────────────────────────┘  │
-│                                                    │
-│ ┌──────────────────────┬──────────────────────┐   │
-│ │ Average breach cost  │ Your estimated risk  │   │
-│ │                      │                      │   │
-│ │      $4.9M          │      $4.165M         │   │
-│ └──────────────────────┴──────────────────────┘   │
-│                                                    │
-│ ┌──────────────────────────────────────────────┐  │
-│ │ Recommended: Patch within 24 hours           │  │
-│ └──────────────────────────────────────────────┘  │
-│                                                    │
-└────────────────────────────────────────────────────┘
-```
-
-**Colors:**
-- Background: Dark red (#78350F)
-- Border: Bright red (#DC2626)
-- Text: White (#FFFFFF)
-- Inner boxes: Darker red (#991B1B)
-
-**Numbers:**
-- Breach cost: $4.9M (fixed industry average)
-- Estimated risk = (Risk Score / 10) × $4.9M
-  - 8.5/10 = $4.165M ✅
-
----
-
-## Screen 5: CVE Table
-
-**Header:**
-```
-┌─────────────────┬────────────┬──────────┬──────────────────────┬────────────┐
-│ CVE ID          │ Package    │ Severity │ Status               │ Patch      │
-├─────────────────┼────────────┼──────────┼──────────────────────┼────────────┤
-│ CVE-2023-44487  │ http2-     │ CRITICAL │ ✅ Confirmed         │ v1.0.1     │
-│                 │ server     │          │    Exploitable       │            │
-├─────────────────┼────────────┼──────────┼──────────────────────┼────────────┤
-│ CVE-2023-12345  │ lodash     │ HIGH     │ ⚠️ Theoretical Risk  │ N/A        │
-└─────────────────┴────────────┴──────────┴──────────────────────┴────────────┘
-```
-
-**Colors:**
-- CVE ID: Blue (#60A5FA)
-- CRITICAL: Red text (#EF4444)
-- HIGH: Yellow text (#FBBF24)
-- MEDIUM: Orange
-- LOW: Green
-
-**Click any row → Expands to show:**
-```
-┌─────────────────────────────────────────────────────────┐
-│ Description                                             │
-│ HTTP/2 server implementation vulnerable to rapid reset  │
-│ attacks. Attacker can trigger remote code execution.    │
-│                                                         │
-│ Affected Versions                                       │
-│ 1.0.0 - 1.0.0                                           │
-│                                                         │
-│ Exploit Evidence                                        │
-│ $ codeprobe poc CVE-2023-44487                          │
-│ [*] Setting up sandbox...                              │
-│ [+] RCE confirmed: /bin/sh opened                       │
-│ $ whoami                                                │
-│ root                                                    │
-│ $ exit                                                  │
-└─────────────────────────────────────────────────────────┘
-```
-
----
-
-## Screen 6: Patch Diff Viewer
-
-**Below CVE table (if scroll down):**
-```
-┌────────────────────────────────────────────────────────┐
-│ Patch Diff                                             │
-├────────────────────────────────────────────────────────┤
-│ [Copy to Clipboard] [Download .patch]                  │
-│                                                        │
-│ --- a/package.json                                     │
-│ +++ b/package.json                                     │
-│ @@ -5,1 +5,1 @@                                        │
-│ - "http2-server": "1.0.0"                              │
-│ + "http2-server": "1.0.1"                              │
-│                                                        │
-└────────────────────────────────────────────────────────┘
-```
-
-**Syntax highlighting:**
-- Prism.js CSS (via CDN)
-- `-` lines: Red background
-- `+` lines: Green background
-- Monospace font
-
-**Buttons:**
-- Copy to Clipboard: Copies full diff, shows confirmation
-- Download .patch: Saves as `patch.diff` file
-
----
-
-## Screen 7: Action Buttons (Bottom)
-
-```
-[Copy Scan URL] [Export as JSON]
-```
-
-**Copy Scan URL:**
-- Copies: `http://localhost:5173?scan=scan-demo-001`
-- Shows: "Scan URL copied!"
-
-**Export as JSON:**
-- Downloads: `scan-demo-001.json`
-- Contains: Full scan data (risk, CVEs, patches, etc.)
-
----
-
-## Responsive Design
-
-### Mobile (375px width):
-
-**Scans List:**
-```
-Risk: [8.5 🔴]
-Scan ID: scan-…
-Repo: github.c…
-CVEs: 2
-
-[View →]
-```
-- Table converts to card layout
-- Risk badge stays visible
-- Business impact card: Still full width
-
-**Scan Detail:**
-- Gauge: Smaller (120px instead of 130px)
-- Summary boxes: Stack vertically (not 3-column)
-- CVE table: Horizontal scroll or card view
-- Business impact: Still above fold ✅
-
-### Tablet (768px):
-- All 3 summary boxes visible (grid)
-- Table readable
-- Business impact prominent
-
-### Desktop (1920px):
-- Full table layout
-- Gauge + summary side-by-side
-- All features visible
-
----
-
-## Error States
-
-### No Scans Yet:
-```
-No scans yet.
-
-Run `codeprobe scan <repo>` from CLI
-
-[Documentation]
-```
-
-### Failed to Load:
-```
-Failed to load scans. Try refreshing.
-```
-- Red background
-- Refresh button available
-
-### Scan Not Found (404):
-```
-Scan not found. It may have been deleted or the URL is incorrect.
-
-[Back to Scans]
-```
-
-### Network Error (React Error Boundary):
-```
-😱
-
-Something went wrong
-
-An unexpected error occurred. Please refresh the page or contact support.
-
-[Refresh Page]
-```
-
----
-
-## Keyboard Navigation
-
-- Tab: Cycle through buttons
-- Enter: Click focused button
-- Escape: (not implemented, but doesn't break)
-
----
-
-## Performance
-
-**Load times (verified):**
-- Dashboard HTML: Instant (<100ms)
-- API response: <50ms
-- React render: <500ms
-- Full page interactive: <2s ✅
-
-**Browser requirements:**
-- Modern browser (ES2020+)
-- No IE 11 support (uses arrow functions, async/await)
-- Mobile: iOS Safari 14+, Android Chrome 90+
-
----
-
-## Testing Checklist
-
-✅ Login page shows  
-✅ API requests work (scans list + detail)  
-✅ Risk gauge displays correctly (8.5/10, blue fill, CRITICAL label)  
-✅ Business impact card visible (RED, $4.165M)  
-✅ CVE table expandable (click row)  
-✅ Patch diff shows (copy/download buttons work)  
-✅ Navigation works (back button, logout)  
-✅ Responsive on mobile (tested zoom-out)  
-✅ No console errors  
-✅ Export JSON works  
-✅ Share URL works  
-
----
-
-## What Judges See
-
-1. **Landing:** Professional login page
-2. **Scans List:** Table showing scan, repo, risk score
-3. **Detail Page:** Risk gauge (8.5/10 = CRITICAL)
-4. **Business Impact:** Large red box: "This contains 2 CVEs. If exploited = $4.165M risk"
-5. **CVE Details:** Expandable table, real exploit evidence
-6. **Patch:** Unified diff, ready to apply
-
-**Message to judges:** "This codebase is CRITICAL risk. RCE vulnerability found and confirmed exploitable. Patch: upgrade http2-server to v1.0.1."
-
-✨ **Stage 3 Complete & Verified**

package/archived/FRONTEND_SETUP.md

@@ -1,236 +0,0 @@
-# CodeProbe Frontend Setup Guide
-
-## What Was Fixed
-
-### Problems Found
-1. **API server wasn't serving dashboard** — Only served JSON API endpoints
-2. **Hardcoded localhost URLs** — Frontend expected port 3000, but env could change
-3. **Broken scan file handling** — Broken symlinks and missing validation
-4. **Timestamp sorting bug** — Used string arithmetic instead of date parsing
-
-### Solutions Applied
-1. ✅ API server now serves dashboard HTML at root path
-2. ✅ API server serves dashboard assets (TypeScript, CSS, etc.)
-3. ✅ Frontend uses `window.location.origin` for dynamic API URLs
-4. ✅ Scan reading validates structure and handles broken symlinks
-5. ✅ Timestamp sorting uses proper date comparison
-
----
-
-## How to Run the Frontend
-
-### Option 1: Development Mode (Recommended for Dev)
-
-```bash
-# Start the API server with dashboard serving
-NODE_ENV=development bun run src/api/server.ts
-```
-
-Then visit: **http://localhost:3000**
-
-**What this does:**
-- Serves the dashboard HTML at root path
-- Allows any Bearer token (dev mode)
-- Serves scan data from `~/.codeprobe/scans/`
-- Hot-reloads React components (Bun with development: true)
-
-### Option 2: Production Mode
-
-```bash
-# Build the frontend first
-bun build src/dashboard/frontend.tsx --outdir dist
-
-# Start API server (requires valid auth)
-bun run src/api/server.ts
-```
-
----
-
-## Testing the Frontend
-
-### 1. Start the API server
-```bash
-NODE_ENV=development bun run src/api/server.ts
-```
-
-### 2. Create a scan (or use existing demo data)
-```bash
-# Run a CLI scan first
-bun run src/cli/index.ts scan ./demo-vulnerable-app --json
-```
-
-### 3. Visit dashboard
-```bash
-open http://localhost:3000
-```
-
-### 4. Login
-- Click "Login with GitHub" (or any GitHub account)
-- In dev mode, any OAuth token works
-- In production, requires GitHub Client ID/Secret
-
-### 5. View scans
-- Should see list of scans from `~/.codeprobe/scans/`
-- Click on a scan to see details
-- View risk score, CVEs, patches, business impact
-
----
-
-## Dashboard Features
-
-### Scans List Page
-- Shows all scans from `~/.codeprobe/scans/`
-- Sorted by timestamp (newest first)
-- Click to view details
-
-### Scan Detail Page
-- **Header**: Risk score gauge (0-10, color-coded)
-- **Summary**: Confirmed exploitable count, theoretical risk count
-- **Business Impact Card**: Shows estimated breach cost ($4.9M average)
-- **CVE Table**: List of vulnerabilities with severity
-- **Patch Diff**: Click to expand and view patch
-- **Footer**: "Powered by Daytona | Bright Data | Nosana"
-
-### Authentication
-- GitHub OAuth flow
-- In dev mode: any bearer token works
-- In production: validates against GitHub API
-- Session stored in memory (lost on restart)
-
----
-
-## API Endpoints
-
-### Auth Endpoints
-```
-GET /api/auth/github?code=<code>    — OAuth callback
-GET /api/auth/logout                — Logout (clears session)
-```
-
-### Scan Endpoints
-```
-GET /api/scans                      — List all scans (requires auth)
-GET /api/scans/{scanId}             — Get single scan (requires auth)
-```
-
-### Root Path
-```
-GET /                               — Serves dashboard HTML
-GET /frontend.tsx                   — React app (auto-transpiled)
-GET /hooks/useScan.ts               — Hooks (auto-transpiled)
-```
-
----
-
-## Demo Scan Data
-
-A demo scan is included at:
-```
-~/.codeprobe/scans/demo-scan-001.json
-```
-
-To use it in development:
-```bash
-# API server will automatically list it
-NODE_ENV=development bun run src/api/server.ts
-
-# Visit http://localhost:3000
-# Should see demo scan in list
-```
-
-To create more scans:
-```bash
-bun run src/cli/index.ts scan ./demo-vulnerable-app
-bun run src/cli/index.ts scan .
-```
-
----
-
-## Troubleshooting
-
-### Dashboard not loading
-```bash
-# Make sure API server is running
-NODE_ENV=development bun run src/api/server.ts
-
-# Check if frontend HTML is being served
-curl http://localhost:3000 | head -20
-```
-
-### "Unauthorized" error
-```bash
-# Dev mode requires NODE_ENV=development
-NODE_ENV=development bun run src/api/server.ts
-
-# Or add Bearer token to requests
-curl http://localhost:3000/api/scans -H "Authorization: Bearer test"
-```
-
-### Scans not showing up
-```bash
-# Check if scans directory exists and has files
-ls ~/.codeprobe/scans/
-
-# Check API endpoint directly
-curl http://localhost:3000/api/scans \
-  -H "Authorization: Bearer test" \
-  -H "Content-Type: application/json"
-```
-
-### React not rendering
-```bash
-# Check browser console for errors
-# Bun auto-transpiles TypeScript on-the-fly in dev mode
-
-# If issues persist, try building static version
-bun build src/dashboard/frontend.tsx --outdir dist
-```
-
----
-
-## Environment Variables
-
-```bash
-# Enable development mode (allows any Bearer token)
-NODE_ENV=development
-
-# GitHub OAuth (production)
-GITHUB_CLIENT_ID=your_client_id
-GITHUB_CLIENT_SECRET=your_client_secret
-
-# Port (default: 3000)
-PORT=3000
-```
-
----
-
-## Performance Notes
-
-- **Dashboard load**: <2 seconds (Bun serves fast)
-- **Scan list**: Updated on page load (no polling)
-- **React hot-reload**: Enabled in development mode
-- **API response**: <100ms for scan list
-
----
-
-## What's Next
-
-- [ ] Add WebSocket for real-time scan progress
-- [ ] Implement Executive/Technical view toggle
-- [ ] Add supply chain warnings display
-- [ ] Historical scan trends graph
-- [ ] Export scan as PDF
-
----
-
-## Getting Help
-
-If the frontend isn't working:
-
-1. Check if API server is running
-2. Verify `NODE_ENV=development` is set
-3. Check browser console (F12) for JavaScript errors
-4. Run: `curl http://localhost:3000` to verify HTML is served
-5. Run: `curl http://localhost:3000/api/scans -H "Authorization: Bearer test"` to verify API
-
-All endpoints and HTML are served from one port (3000), no separate dev server needed!

package/archived/auth.ts

@@ -1,40 +0,0 @@
-export async function exchangeGitHubToken(
-  code: string,
-  clientId: string,
-  clientSecret: string
-): Promise<string | null> {
-  try {
-    const res = await fetch("https://github.com/login/oauth/access_token", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Accept: "application/json",
-      },
-      body: JSON.stringify({
-        client_id: clientId,
-        client_secret: clientSecret,
-        code,
-      }),
-    });
-
-    const data = (await res.json()) as { access_token?: string; error?: string };
-    return data.access_token || null;
-  } catch (e) {
-    console.error("OAuth exchange failed:", e);
-    return null;
-  }
-}
-
-export async function validateGitHubToken(token: string): Promise<boolean> {
-  try {
-    const res = await fetch("https://api.github.com/user", {
-      headers: {
-        Authorization: `Bearer ${token}`,
-        Accept: "application/vnd.github.v3+json",
-      },
-    });
-    return res.ok;
-  } catch {
-    return false;
-  }
-}