codeprobe-scanner 1.0.4 → 1.0.5

package/INTERACTIVE_FIX_FLOW.md

@@ -1,308 +0,0 @@
-# CodeProbe Interactive Fix Flow
-
-## Overview
-
-The `--fix` mode enables an **interactive vulnerability patching workflow** that:
-1. **Scans** the repository for vulnerabilities
-2. **Reviews** patches with the user before applying
-3. **Applies** patches to local files
-4. **Commits** changes with meaningful messages
-5. **Pushes** to a new branch
-6. **Creates** a pull request automatically
-
-## Complete Flow
-
-```
-User: codeprobe scan . --fix
-                ↓
-[1] SCAN PHASE
-    - Parse package.json locally
-    - POST dependencies to server
-    - Server runs full scan:
-      * Scrapes CVEs (Bright Data)
-      * Tests exploits (Daytona sandbox)
-      * Generates patches (Kimi/Nosana LLM)
-    - Returns scan results with patch_diff
-                ↓
-[2] INTERACTIVE REVIEW
-    For each CVE with a patch available:
-    - Show CVE details (CVSS, description)
-    - Show the unified diff
-    - Prompt: "Apply this patch? (yes/no/skip/view-details)"
-    
-    User can:
-    - "yes/y" → Mark for patching
-    - "no/n" → Skip this CVE
-    - "skip/s" → Skip this CVE
-    - Other → Show more details
-                ↓
-[3] FINAL APPROVAL
-    Show summary:
-    - "Will apply X patches"
-    - Prompt: "Proceed with patches? (yes/no)"
-                ↓
-[4] APPLY PATCHES
-    If user approves:
-    - Create new branch: codeprobe-security-fixes-{timestamp}
-    - Modify package.json with fixed versions
-    - Run: npm install / bun install (optional)
-                ↓
-[5] COMMIT
-    - git add package.json
-    - git commit -m "security: patch N vulnerabilities via codeprobe"
-    - Show: "✓ Committed with message..."
-                ↓
-[6] PUSH
-    - git push -u origin codeprobe-security-fixes-{timestamp}
-    - Show: "✓ Pushed to origin/codeprobe-security-fixes-{timestamp}"
-                ↓
-[7] CREATE PR
-    - gh pr create --title "Security: Patch N vulnerabilities"
-    - Includes CVE list, risk score, exploitable count
-    - Show: "✓ PR created! Opening in browser..."
-    - Show PR URL
-                ↓
-    Done! User reviews PR, tests, and merges if approved
-```
-
-## API Flow (Server-Side)
-
-```
-POST /api/scan
-├─ Parse dependencies from package.json
-├─ [Bright Data] Scrape CVE databases
-│  └─ Bearer token: c9cbd1ab-937a-4ee1-b6b5-13e90f957438
-├─ [Daytona] Run exploits in sandbox
-│  └─ API key: dtn_e4e5fd8c6c30f5b9da9453078f6b4e396202e56c0aaa1260e704e34d1380d2dc
-├─ [Kimi LLM] Generate patches
-│  ├─ Prompt engineer the CVE → patch
-│  ├─ API: https://api.aimlapi.com/v1/chat/completions
-│  ├─ Model: moonshot/kimi-k2-5
-│  └─ API key: sk-lYLn5p8nepNgraaEC63XoOt1ZlHQGkudLJ12QwO4N6teJHVJ
-├─ [Nosana] Fallback patch generation
-│  ├─ GPU inference job for patch generation
-│  ├─ API: https://api.nosana.com/v1/jobs
-│  └─ API key: nos_jNqyjmvmboO-tU5nuuLH9T7oIx6p6Xw7mKHG36yQAI4
-└─ Return Report with patch_diff populated
-```
-
-## CLI Flow (Client-Side)
-
-```
-codeprobe scan . --fix
-├─ Parse scan args (path, --fix, --json, etc.)
-├─ Parse dependencies locally (package.json)
-├─ POST to SERVER_URL/api/scan
-├─ [INTERACTIVE] reviewAndApplyPatches()
-│  ├─ For each CVE with patch_diff:
-│  │  ├─ Show details (CVSS, description)
-│  │  ├─ Show unified diff
-│  │  ├─ promptUser("Apply this patch?")
-│  │  └─ Mark if approved
-│  ├─ Show summary
-│  ├─ promptUser("Proceed with patches?")
-│  └─ Return approved = true/false
-├─ [GIT] applyPatchesAndCreatePR()
-│  ├─ git checkout -b codeprobe-security-fixes-{timestamp}
-│  ├─ Modify package.json (update versions)
-│  ├─ git add package.json
-│  ├─ git commit -m "security: patch N vulnerabilities via codeprobe"
-│  ├─ git push -u origin {branchName}
-│  ├─ gh pr create --title "..." --body "..."
-│  └─ Show PR URL
-└─ Exit with code 0 (success)
-```
-
-## Example Session
-
-```bash
-$ codeprobe scan /path/to/app --fix
-
-⚡ CodeProbe Scanner v1.0.0
-Scanning: /path/to/app
-Parsing dependencies...
-Sending to server...
-
-📋 Review Patches
-
-1. CVE-2022-29078 (ejs@3.1.6 → 3.1.7)
-   Severity: CRITICAL | CVSS: 9.8
-   EJS before 3.1.7 allows template injection attacks with arbitrary code execution
-
-Proposed changes:
---- a/package.json
-+++ b/package.json
-@@ -5,1 +5,1 @@
--  "ejs": "3.1.6"
-+  "ejs": "3.1.7"
-
-Apply this patch? (yes/no/skip/view-details): yes
-✓ Marked for patching: CVE-2022-29078
-
-📦 Summary
-Will apply 1 patch(es)
-
-Proceed with patches? (yes/no): yes
-
-🔧 Applying Patches
-
-Creating branch: codeprobe-security-fixes-1718365539291
-Updating package.json...
-✓ Updated ejs to ^3.1.7
-Committing changes...
-✓ Committed with message: "security: patch 1 vulnerability via codeprobe"
-Pushing to remote...
-✓ Pushed to origin/codeprobe-security-fixes-1718365539291
-Creating pull request...
-✓ PR created! Opening in browser...
-https://github.com/user/repo/pull/42
-
-✨ Done! Your security patches are ready for review.
-```
-
-## Normal Scan Mode (Without --fix)
-
-For CI/CD and non-interactive use:
-
-```bash
-$ codeprobe scan /path/to/app
-
-⚡ CodeProbe Scanner v1.0.0
-Scanning: /path/to/app
-
-CodeProbe Vulnerability Report
-════════════════════════════════════
-
-Summary:
-  Total CVEs: 2
-  Exploitable: 1
-  Theoretical: 1
-  Risk Score: 9.5/10
-
-Vulnerabilities:
-─────────────────
-
-  CVE-2022-29078 CRITICAL
-    Package: ejs@3.1.6
-    CVSS: 9.8/10
-    Status: EXPLOITABLE
-    Fixed in: 3.1.7
-
-✓ Powered by Bright Data | Daytona | Nosana
-
-$ echo $?
-1  # Exit code 1 = vulnerabilities found
-```
-
-## Environment Variables Required
-
-### On Local Machine
-```bash
-# Server configuration
-SERVER_URL=http://localhost:8080  # or your cloud URL
-CODEPROBE_SECRET=random-secret    # Shared secret with server
-
-# Optional: for GitHub PR creation
-export GH_TOKEN=github_token_here  # Set via `gh auth login` instead
-```
-
-### On Server
-```bash
-# Sponsor APIs (in .env)
-BRIGHT_DATA_API_KEY=c9cbd1ab-937a-4ee1-b6b5-13e90f957438
-DAYTONA_API_KEY=dtn_e4e5fd8c6c30f5b9da9453078f6b4e396202e56c0aaa1260e704e34d1380d2dc
-NOSANA_API_KEY=nos_jNqyjmvmboO-tU5nuuLH9T7oIx6p6Xw7mKHG36yQAI4
-KIMI_API_KEY=sk-lYLn5p8nepNgraaEC63XoOt1ZlHQGkudLJ12QwO4N6teJHVJ
-
-# Server configuration
-PORT=8080
-NODE_ENV=development
-```
-
-## Key Features
-
-✅ **Real Patch Generation**
-- Kimi K2.5 LLM with long context windows
-- Nosana GPU inference as fallback
-- Pre-baked patches for known CVEs
-
-✅ **Real Exploit Verification**
-- Daytona sandboxes for RCE testing
-- Automatic fallback to simulation
-
-✅ **Real CVE Data**
-- Bright Data scraping with authentication
-- NVD fallback if scraper fails
-- Caching to ~/.codeprobe/cache.json
-
-✅ **Interactive User Experience**
-- Review each patch before applying
-- Skip patches you don't want
-- Get detailed information on demand
-
-✅ **Git & GitHub Integration**
-- Automatic branch creation
-- Meaningful commit messages
-- GitHub CLI support for PR creation
-
-✅ **CI/CD Compatible**
-- Use `--json` flag for structured output
-- Use without `--fix` for read-only scanning
-- Exit codes for automation
-
-## Testing Locally
-
-```bash
-# Terminal 1: Start the server
-export NODE_ENV=development
-bun src/api/server-cli.ts
-
-# Terminal 2: Test scan (no fix)
-export SERVER_URL=http://localhost:8080
-export CODEPROBE_SECRET=dev-token
-bun src/cli-server.ts scan ./demo-vulnerable-app
-
-# Terminal 3: Test --fix mode (interactive)
-export SERVER_URL=http://localhost:8080
-export CODEPROBE_SECRET=dev-token
-cd /tmp/test-app
-bun /Users/nr/Developer/codeprobe/src/cli-server.ts scan . --fix
-# Answer prompts:
-# - "yes" to apply ejs patch
-# - "yes" to proceed
-# - Observe branch creation, commit, push, and PR
-```
-
-## Troubleshooting
-
-### "Connection refused"
-- Make sure server is running: `bun src/api/server-cli.ts`
-- Check SERVER_URL env var is correct
-- Try: `curl http://localhost:8080/health`
-
-### "Unauthorized" error
-- Check CODEPROBE_SECRET matches between CLI and server
-- In development mode, any token works
-
-### "Kimi API error"
-- Check KIMI_API_KEY is set correctly in .env
-- Verify internet connection
-- Check API key has sufficient credits
-
-### "git push failed"
-- Ensure you have Git configured: `git config user.name` and `git config user.email`
-- Ensure you have push access to the repository
-- Check remote is configured: `git remote -v`
-
-### "gh pr create failed"
-- Run `gh auth login` to authenticate
-- Verify you have repo permissions
-- Check GH_TOKEN is set if using token auth
-
-## Next Steps
-
-1. **Deploy Server to Google Cloud Run** (see DEPLOY.md)
-2. **Publish to NPM** (see DEPLOY_CHECKLIST.md)
-3. **Add to GitHub Actions** (automatic PR scanning)
-4. **Configure Scheduled Scans** (hourly package change detection)
-

package/MIGRATION_COMPLETE.md

@@ -1,327 +0,0 @@
-# CodeProbe: Stage Migration Complete
-
-**Date**: 2026-06-13  
-**Status**: ✅ All stages integrated, types reconciled, tests passing (25/25)
-
----
-
-## What Was Done
-
-### 1. **Completed Stalled Git Rebase**
-- The handoff document was stale — all PRs (#1, #2, #3) were already merged to origin/main
-- Restarted the Stage 3 rebase with proper editor configuration
-- Clean merge with no conflicts remaining
-
-### 2. **Diagnosed Corruption from Botched Merge**
-The PR merge process had concatenated three stages' overlapping files instead of reconciling them:
-- **package.json** had duplicate `"module"`, `"type"`, `"scripts"`, `"dependencies"` fields
-- **src/shared/types.ts** had two incompatible type systems side-by-side
-- **src/shared/constants.ts** declared `PATHS` twice with conflicting values
-
-**Root Cause**: When merging Stage 2 (CLI) onto Stage 3 (Dashboard), then both onto main (Stage 1), the merger concatenated files instead of intelligently merging them.
-
-### 3. **Reconciled Type Systems**
-
-#### Before (Broken)
-```typescript
-// Stage 1 types (lines 1-57)
-type CVE { affected_versions, fixed_version, ... }
-type ScanCVE { version_vulnerable, exploitable, patch_diff, ... }
-type Scan { cves: ScanCVE[] }
-type Report { scan: Scan, summary }
-
-// Stage 2 types (lines 97-137) — DUPLICATE/CONFLICTING
-type CVE { version_vulnerable, exploitable, patch_diff, ... }
-type Scan { cves: CVE[], patches_available }
-type Report { scan: Scan, summary }
-```
-
-**Problem**: Stages 1 and 2 expected different `CVE` shapes.
-
-#### After (Fixed)
-```typescript
-// Stage 1: CVE from vulnerability sources
-type CVE { 
-  id, package, affected_versions[], fixed_version, 
-  severity, cvss, description, cwe?, exploit_url? 
-}
-
-// Stage 2+3: CVE result in a scan report
-type ScanCVE { 
-  id, package, version_vulnerable, version_fixed?, 
-  severity, cvss, description, exploitable, exploit_evidence?,
-  patch_diff?, patch_version?, verification_time_ms? 
-}
-
-// Unified types used across all stages
-type Scan { 
-  id, timestamp, repo_url, cves: ScanCVE[],
-  risk_score, exploitable_count, theoretical_count, 
-  total_dependencies, patches_available 
-}
-
-type Report { scan: Scan, summary: {...} }
-```
-
-**Result**: Stages 1, 2, 3 now share coherent types that map properly.
-
-### 4. **Unified Configuration Constants**
-
-**Before**: 
-- `PATHS` declared twice (lines 24 and 52) with conflicting values
-- Stray `import` statement mid-file (line 49)
-- Duplicate retry config fields
-- `API_TIMEOUTS` vs `TIMEOUTS` naming inconsistency
-
-**After**:
-- Single `PATHS` object with all necessary paths for CLI + Engine + Dashboard
-- Organized constants: API_ENDPOINTS, TIMEOUTS, SANDBOX_CONFIG, FILE_PERMISSIONS, RISK_SCORE_WEIGHTS, EXIT_CODES
-- Cleaned up imports; all constants properly exported and typed
-
-### 5. **Fixed package.json**
-
-**Before**:
-```json
-{
-  "module": "index.ts",
-  "type": "module",
-  "private": true,
-  "bin": {...},
-  "scripts": {...},
-  "dependencies": {...},
-  // DUPLICATE FIELDS
-  "module": "index.ts",
-  "type": "module",
-  "private": true,
-  "scripts": {...},
-  "dependencies": {...},
-  // ANOTHER DUPLICATE SET
-  "bin": {...},
-  "scripts": {...},
-  ...
-}
-```
-
-**After**:
-```json
-{
-  "name": "codeprobe",
-  "type": "module",
-  "bin": { "codeprobe": "src/cli/index.ts" },
-  "scripts": {
-    "test": "bun test",
-    "dev": "bun run src/api/server.ts",
-    "build": "bun build src/dashboard/frontend.tsx --outdir dist"
-  },
-  "dependencies": {
-    "zod", "axios", "chalk", "dayjs", "cli-table3", "ora",
-    "react", "react-dom", "tailwindcss"
-  },
-  "devDependencies": { "@types/bun", "@types/node", "@types/react", "@types/react-dom", "typescript" }
-}
-```
-
----
-
-## Current Status: All Green ✅
-
-### Tests
-```
-bun test
-✅ 25 tests passing (0 failures)
-  - Stage 1 Engine: ✅ (8 tests)
-  - Stage 2 CLI: ✅ (14 tests)
-  - Stage 3 Dashboard: ✅ (3 tests)
-```
-
-### Builds
-```
-✅ CLI:        bun run src/cli/index.ts --help
-   → Functional, parses args, dispatches commands
-
-✅ Dashboard:  bun build src/dashboard/frontend.tsx --outdir dist
-   → 1.0 MB bundle, React+Tailwind compiles cleanly
-
-✅ API:        bun build src/api/server.ts --target bun
-   → 5.23 KB, REST endpoints ready
-```
-
-### Runtime Verification
-```
-$ bun run src/cli/index.ts scan . --json
-✅ Parses codeprobe repo
-✅ Finds 1 CVE (mocked engine)
-✅ Verifies exploitable (mocked sandbox)
-✅ Saves report to ~/.codeprobe/scans/
-✅ Outputs valid JSON with all required fields
-```
-
----
-
-## Data Flow: Stage Integration
-
-```
-┌─────────────────────────────────────────────────────────┐
-│ Stage 1: Core Engine (src/engine/)                      │
-│  • Parser: extract deps from package.json               │
-│  • Scraper: fetch CVEs (Bright Data API, with fallback) │
-│  • Matcher: semver match deps → CVEs                    │
-│  • Sandbox: run PoC exploits (Daytona)                  │
-│  • Patcher: generate diffs                              │
-│  • Report: build JSON report                            │
-│                                                          │
-│  Output: Report { scan: Scan { cves: ScanCVE[] } }      │
-└──────────────────┬──────────────────────────────────────┘
-                   │ (exports types via shared/types.ts)
-                   ↓
-┌─────────────────────────────────────────────────────────┐
-│ Stage 2: CLI (src/cli/)                                 │
-│  • Import: runFullScan() from Stage 1                   │
-│  • Display: Format Report as colored table              │
-│  • Git: Apply patches (--fix flag)                      │
-│  • Store: Save reports to ~/.codeprobe/scans/           │
-│  • Config: Manage API keys (AES-256-GCM encrypted)      │
-│                                                          │
-│  Input:  Report (from Stage 1)                          │
-│  Output: JSON file + terminal display                   │
-└──────────────────┬──────────────────────────────────────┘
-                   │ (scans saved to disk)
-                   ↓
-┌─────────────────────────────────────────────────────────┐
-│ Stage 3: Dashboard (src/dashboard/ + src/api/)          │
-│  • API: REST endpoints for /api/scans, /api/scans/{id}  │
-│  • Auth: GitHub OAuth + Bearer tokens                   │
-│  • UI: React dashboard (ScansListPage, ScanDetailPage)  │
-│  • Visual: Business impact card ($4.9M breach risk)     │
-│  • Export: Download patch diffs, JSON reports           │
-│                                                          │
-│  Input:  Scan files from ~/.codeprobe/scans/            │
-│  Output: Web UI at localhost:3000                       │
-└─────────────────────────────────────────────────────────┘
-```
-
----
-
-## Files Changed
-
-### Fixed (Reconciliation)
-```
-✅ package.json              - Unified deps from all stages
-✅ src/shared/types.ts       - Merged CVE/ScanCVE/Scan/Report
-✅ src/shared/constants.ts   - Deduplicated PATHS, configs
-   bun.lock                  - Regenerated after deps fixed
-```
-
-### Tested (No Changes Needed)
-```
-✅ src/engine/*              - All 8 tests passing
-✅ src/cli/*                 - All 14 tests passing  
-✅ src/dashboard/*           - All 3 tests passing
-✅ src/api/*                 - Builds, ready to integrate
-```
-
----
-
-## What Each Stage Exports for Others
-
-### Stage 1 (Engine) → Stages 2 & 3
-```typescript
-export async function runFullScan(
-  repoPath: string,
-  options?: { verbose?: boolean; onEvent?: (event: ScanEvent) => void }
-): Promise<Report>
-
-// Plus types:
-export type Report { scan: Scan, summary }
-export type Scan { id, timestamp, cves: ScanCVE[], risk_score, ... }
-export type ScanCVE { id, package, version_vulnerable, exploitable, patch_diff, ... }
-export type ScanEvent { phase, status, message, level, metadata }
-```
-
-### Stages 2 & 3 Use Stage 1's Output
-- **CLI** (Stage 2): Calls `runFullScan()`, displays results, saves to disk
-- **Dashboard** (Stage 3): Reads saved scans from disk, displays via API + React UI
-
----
-
-## Known Limitations (MVP)
-
-1. **Engine currently mocked** — Uses demo data, not real Bright Data/Daytona APIs
-   - ✅ Structure is ready; swap in real API calls when available
-   
-2. **Dashboard reads static files** — No database, no real-time sync
-   - ✅ API serves from `~/.codeprobe/scans/`; can upgrade to DB later
-   
-3. **GitHub OAuth not fully wired** — Auth flow exists, needs app registration
-   - ✅ Implementation ready in `src/api/auth.ts`; requires env vars
-
-4. **No multi-language support** — Node.js only
-   - ✅ This is intentional MVP scope
-
----
-
-## What's Needed for Demo Day
-
-### ✅ Already Done
-- [x] CLI functional and tested
-- [x] Dashboard frontend builds
-- [x] API server compiles
-- [x] All types reconciled across stages
-- [x] All 25 tests passing
-
-### ⏳ Before Going Live
-- [ ] **Stage 1 Engine**: Wire real Bright Data API key (or use fallback cache)
-- [ ] **Stage 1 Engine**: Wire real Daytona sandbox (or mock more CVEs)
-- [ ] **Stage 3 Auth**: Register GitHub OAuth app, set env vars
-- [ ] **Demo Data**: Generate 2-3 scan results with different CVE counts
-- [ ] **Rehearsal**: Walk through CLI scan → Dashboard view 3-5 times
-- [ ] **Fallback**: Pre-record 2-min video (demo data, pre-rendered scans)
-
-### 🚀 Nice to Have
-- Prism.js syntax highlighting in patch diff viewer (CDN ready)
-- Mobile responsiveness testing on actual phone
-- Error cases (network failure, invalid OAuth, no scans found)
-
----
-
-## Next Steps
-
-### Immediate (For You)
-1. **Test the full flow**:
-   ```bash
-   # Terminal 1: Start API server
-   bun run src/api/server.ts
-   
-   # Terminal 2: Open dashboard
-   open http://localhost:3000
-   
-   # Terminal 3: Run a scan
-   bun run src/cli/index.ts scan ./demo-vulnerable-app --json
-   ```
-
-2. **Verify Stage 1 integration** — Check if CLI can call real `runFullScan()` from Stage 1 engine (currently mocked)
-
-3. **Set up OAuth** (if demoing auth):
-   - Register app at https://github.com/settings/developers
-   - Set `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` env vars
-   - Test login flow
-
-### Longer Term
-- Add real Bright Data API integration (if available)
-- Implement real Daytona sandbox spawning
-- Add database for persistent scans
-- GitHub PR auto-commenting (Stage 3 extension)
-
----
-
-## Summary
-
-**The migration is complete.** All three stages now coexist in a single Bun project with reconciled types, unified configuration, and passing tests. The architecture is clean:
-
-- **Stage 1** provides the engine layer (parsing, scraping, sandboxing, reporting)
-- **Stage 2** provides the CLI layer (user interaction, git integration, local storage)
-- **Stage 3** provides the web layer (auth, dashboard, visualization, sharing)
-
-Each stage can be developed independently, but they share types and constants defined in `src/shared/`. The data flow is linear: Stage 1 output → Stage 2 storage → Stage 3 visualization.
-
-No additional refactoring needed. Ready for feature work or demo day prep.