codeprobe-scanner 1.0.4 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (71) hide show
  1. package/package.json +1 -1
  2. package/.claude/settings.local.json +0 -19
  3. package/.dockerignore +0 -17
  4. package/.env.development +0 -8
  5. package/.env.setup +0 -214
  6. package/.github/workflows/codeprobe-scan.yml +0 -137
  7. package/.github/workflows/codeprobe.yml +0 -84
  8. package/.github/workflows/scan-schedule.yml +0 -28
  9. package/ANALYSIS_SUMMARY.md +0 -365
  10. package/API_INTEGRATIONS.md +0 -469
  11. package/BUILD_PLAYBOOK.md +0 -349
  12. package/CLAUDE.md +0 -106
  13. package/DEPLOY.md +0 -452
  14. package/DEPLOYMENT_STATUS.md +0 -240
  15. package/DEPLOY_CHECKLIST.md +0 -316
  16. package/Dockerfile +0 -24
  17. package/EXECUTION_PLAN.html +0 -1086
  18. package/IMPLEMENTATION_COMPLETE.md +0 -288
  19. package/IMPLEMENTATION_SUMMARY.md +0 -443
  20. package/INTERACTIVE_FIX_FLOW.md +0 -308
  21. package/MIGRATION_COMPLETE.md +0 -327
  22. package/ORCHESTRATOR_SYNTHESIS.json +0 -80
  23. package/PENDING_WORK.md +0 -308
  24. package/PREFLIGHT_PLAN.md +0 -182
  25. package/QUICKSTART.md +0 -305
  26. package/STAGE_1_SETUP_ENGINE.md +0 -245
  27. package/STAGE_2_ARCHITECTURE.md +0 -714
  28. package/STAGE_2_CLI_VERIFICATION.md +0 -269
  29. package/STAGE_2_COMPLETE.md +0 -332
  30. package/STAGE_2_IMPLEMENTATION_PLAN.md +0 -679
  31. package/STAGE_3_COMPLETE.md +0 -246
  32. package/STAGE_3_DASHBOARD_POLISH.md +0 -371
  33. package/STAGE_3_SETUP.md +0 -155
  34. package/VIDEODB_INTEGRATION.md +0 -237
  35. package/archived/DASHBOARD_UI_WALKTHROUGH.md +0 -392
  36. package/archived/FRONTEND_SETUP.md +0 -236
  37. package/archived/auth.ts +0 -40
  38. package/archived/dashboard/components/BusinessImpactCard.tsx +0 -48
  39. package/archived/dashboard/components/CVETable.tsx +0 -104
  40. package/archived/dashboard/components/ErrorBoundary.tsx +0 -48
  41. package/archived/dashboard/components/PatchDiffViewer.tsx +0 -43
  42. package/archived/dashboard/components/RiskGauge.tsx +0 -64
  43. package/archived/dashboard/frontend.tsx +0 -104
  44. package/archived/dashboard/hooks/useAuth.ts +0 -32
  45. package/archived/dashboard/hooks/useScan.ts +0 -65
  46. package/archived/dashboard/index.html +0 -15
  47. package/archived/dashboard/pages/LoginPage.tsx +0 -28
  48. package/archived/dashboard/pages/ScanDetailPage.tsx +0 -143
  49. package/archived/dashboard/pages/ScansListPage.tsx +0 -160
  50. package/bun.lock +0 -603
  51. package/codeprobe-prd.md +0 -674
  52. package/cve-cache.json +0 -25
  53. package/demo-vulnerable-app/.github/workflows/codeprobe.yml +0 -32
  54. package/demo-vulnerable-app/README.md +0 -70
  55. package/demo-vulnerable-app/package-lock.json +0 -27
  56. package/demo-vulnerable-app/package.json +0 -15
  57. package/demo-vulnerable-app/server.js +0 -34
  58. package/demo.sh +0 -45
  59. package/index.ts +0 -19
  60. package/patches.json +0 -12
  61. package/serve-dashboard.ts +0 -23
  62. package/src/cli/index.ts +0 -137
  63. package/src/engine/index.ts +0 -90
  64. package/src/test/cli.test.ts +0 -211
  65. package/src/test/dashboard.test.ts +0 -38
  66. package/src/test/demo-scan.json +0 -32
  67. package/src/test/engine.test.ts +0 -157
  68. package/tailwind.config.js +0 -11
  69. package/tsconfig.json +0 -30
  70. package/verify-dashboard.ts +0 -87
  71. package/verify-env.sh +0 -98
package/EXECUTION_PLAN.html DELETED
@@ -1,1086 +0,0 @@
1
- <!DOCTYPE html>
2
- <html lang="en">
3
- <head>
4
- <meta charset="UTF-8">
5
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
6
- <title>CodeProbe MVP — 5-Hour Execution Plan</title>
7
- <link rel="preconnect" href="https://fonts.googleapis.com">
8
- <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
9
- <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&family=Sora:wght@600;700&family=Inter:wght@400;500&display=swap" rel="stylesheet">
10
- <style>
11
- * {
12
- margin: 0;
13
- padding: 0;
14
- box-sizing: border-box;
15
- }
16
-
17
- :root {
18
- --primary: #0f172a;
19
- --secondary: #1e293b;
20
- --accent: #10b981;
21
- --accent-dark: #059669;
22
- --accent-light: #d1fae5;
23
- --warn: #f59e0b;
24
- --critical: #ef4444;
25
- --text-primary: #f1f5f9;
26
- --text-secondary: #cbd5e1;
27
- --text-muted: #94a3b8;
28
- --border: #334155;
29
- --surface: #1e293b;
30
- --surface-light: #334155;
31
- }
32
-
33
- html {
34
- scroll-behavior: smooth;
35
- }
36
-
37
- body {
38
- font-family: 'Inter', system-ui, sans-serif;
39
- background: linear-gradient(135deg, var(--primary) 0%, #0a0f1b 100%);
40
- color: var(--text-primary);
41
- line-height: 1.6;
42
- font-size: 1rem;
43
- }
44
-
45
- /* Typography */
46
- h1 {
47
- font-family: 'Sora', sans-serif;
48
- font-size: 2.5rem;
49
- font-weight: 700;
50
- letter-spacing: -1px;
51
- margin-bottom: 0.5rem;
52
- }
53
-
54
- h2 {
55
- font-family: 'Sora', sans-serif;
56
- font-size: 1.75rem;
57
- font-weight: 700;
58
- letter-spacing: -0.5px;
59
- margin-bottom: 1.5rem;
60
- margin-top: 3rem;
61
- }
62
-
63
- h3 {
64
- font-family: 'Sora', sans-serif;
65
- font-size: 1.25rem;
66
- font-weight: 600;
67
- margin-bottom: 1rem;
68
- color: var(--accent-light);
69
- }
70
-
71
- .subtitle {
72
- font-size: 1.1rem;
73
- color: var(--text-secondary);
74
- margin-bottom: 2rem;
75
- }
76
-
77
- /* Header */
78
- header {
79
- border-bottom: 1px solid var(--border);
80
- padding: 3rem 2rem;
81
- background: linear-gradient(180deg, rgba(31, 41, 55, 0.3) 0%, rgba(31, 41, 55, 0) 100%);
82
- }
83
-
84
- header .container {
85
- max-width: 1200px;
86
- margin: 0 auto;
87
- }
88
-
89
- .logo {
90
- display: flex;
91
- align-items: center;
92
- gap: 0.75rem;
93
- margin-bottom: 1.5rem;
94
- }
95
-
96
- .logo-icon {
97
- width: 32px;
98
- height: 32px;
99
- background: var(--accent);
100
- border-radius: 8px;
101
- display: flex;
102
- align-items: center;
103
- justify-content: center;
104
- font-weight: 700;
105
- font-size: 1.25rem;
106
- color: white;
107
- }
108
-
109
- .logo-text {
110
- font-family: 'Sora', sans-serif;
111
- font-size: 1.5rem;
112
- font-weight: 700;
113
- }
114
-
115
- /* Main Container */
116
- .container {
117
- max-width: 1200px;
118
- margin: 0 auto;
119
- padding: 0 2rem;
120
- }
121
-
122
- main {
123
- padding: 3rem 0;
124
- }
125
-
126
- /* Sections */
127
- section {
128
- margin-bottom: 4rem;
129
- }
130
-
131
- /* Status Badge */
132
- .status-badge {
133
- display: inline-block;
134
- padding: 0.5rem 1rem;
135
- border-radius: 6px;
136
- font-size: 0.875rem;
137
- font-weight: 600;
138
- margin-bottom: 2rem;
139
- letter-spacing: 0.5px;
140
- font-family: 'JetBrains Mono', monospace;
141
- }
142
-
143
- .status-ready {
144
- background: var(--accent);
145
- color: var(--primary);
146
- }
147
-
148
- .status-critical {
149
- background: var(--critical);
150
- color: white;
151
- }
152
-
153
- .status-warning {
154
- background: var(--warn);
155
- color: var(--primary);
156
- }
157
-
158
- /* Summary Grid */
159
- .summary-grid {
160
- display: grid;
161
- grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
162
- gap: 1.5rem;
163
- margin-bottom: 3rem;
164
- }
165
-
166
- .summary-card {
167
- background: var(--surface);
168
- border: 1px solid var(--border);
169
- border-radius: 12px;
170
- padding: 1.5rem;
171
- transition: all 0.3s ease;
172
- }
173
-
174
- .summary-card:hover {
175
- border-color: var(--accent);
176
- background: var(--surface-light);
177
- transform: translateY(-2px);
178
- }
179
-
180
- .summary-card-label {
181
- font-size: 0.875rem;
182
- color: var(--text-muted);
183
- text-transform: uppercase;
184
- letter-spacing: 1px;
185
- margin-bottom: 0.5rem;
186
- font-family: 'JetBrains Mono', monospace;
187
- }
188
-
189
- .summary-card-value {
190
- font-size: 1.75rem;
191
- font-weight: 700;
192
- color: var(--accent);
193
- margin-bottom: 0.5rem;
194
- }
195
-
196
- .summary-card-detail {
197
- font-size: 0.9rem;
198
- color: var(--text-secondary);
199
- }
200
-
201
- /* Findings Box */
202
- .findings-box {
203
- background: linear-gradient(135deg, rgba(16, 185, 129, 0.1) 0%, rgba(16, 185, 129, 0.05) 100%);
204
- border: 1px solid rgba(16, 185, 129, 0.3);
205
- border-left: 4px solid var(--accent);
206
- border-radius: 8px;
207
- padding: 1.5rem;
208
- margin-bottom: 2rem;
209
- }
210
-
211
- .findings-box h4 {
212
- color: var(--accent);
213
- margin-bottom: 1rem;
214
- font-size: 1rem;
215
- font-weight: 600;
216
- }
217
-
218
- .findings-box ul {
219
- list-style: none;
220
- padding: 0;
221
- }
222
-
223
- .findings-box li {
224
- padding-left: 1.5rem;
225
- margin-bottom: 0.75rem;
226
- position: relative;
227
- color: var(--text-secondary);
228
- }
229
-
230
- .findings-box li:before {
231
- content: "✓";
232
- position: absolute;
233
- left: 0;
234
- color: var(--accent);
235
- font-weight: 700;
236
- }
237
-
238
- /* Critical Issues */
239
- .critical-issues {
240
- background: linear-gradient(135deg, rgba(239, 68, 68, 0.1) 0%, rgba(239, 68, 68, 0.05) 100%);
241
- border: 1px solid rgba(239, 68, 68, 0.3);
242
- border-left: 4px solid var(--critical);
243
- border-radius: 8px;
244
- padding: 1.5rem;
245
- margin-bottom: 2rem;
246
- }
247
-
248
- .critical-issues h4 {
249
- color: var(--critical);
250
- margin-bottom: 1rem;
251
- font-size: 1rem;
252
- font-weight: 600;
253
- }
254
-
255
- .critical-issues ol {
256
- padding-left: 1.5rem;
257
- }
258
-
259
- .critical-issues li {
260
- margin-bottom: 0.75rem;
261
- color: var(--text-secondary);
262
- }
263
-
264
- /* Workstreams */
265
- .workstreams-grid {
266
- display: grid;
267
- grid-template-columns: repeat(auto-fit, minmax(320px, 1fr));
268
- gap: 2rem;
269
- margin-bottom: 3rem;
270
- }
271
-
272
- .workstream {
273
- background: var(--surface);
274
- border: 1px solid var(--border);
275
- border-radius: 12px;
276
- overflow: hidden;
277
- transition: all 0.3s ease;
278
- }
279
-
280
- .workstream:hover {
281
- border-color: var(--accent);
282
- box-shadow: 0 8px 24px rgba(16, 185, 129, 0.1);
283
- }
284
-
285
- .workstream-header {
286
- background: linear-gradient(135deg, var(--accent) 0%, var(--accent-dark) 100%);
287
- padding: 1.5rem;
288
- color: white;
289
- }
290
-
291
- .workstream-number {
292
- font-size: 2.5rem;
293
- font-weight: 700;
294
- opacity: 0.3;
295
- margin-bottom: 0.5rem;
296
- }
297
-
298
- .workstream-title {
299
- font-family: 'Sora', sans-serif;
300
- font-size: 1.5rem;
301
- font-weight: 700;
302
- margin-bottom: 0.5rem;
303
- }
304
-
305
- .workstream-subtitle {
306
- font-size: 0.9rem;
307
- opacity: 0.9;
308
- }
309
-
310
- .workstream-content {
311
- padding: 1.5rem;
312
- }
313
-
314
- .workstream-item {
315
- margin-bottom: 1.5rem;
316
- padding-bottom: 1.5rem;
317
- border-bottom: 1px solid var(--border);
318
- }
319
-
320
- .workstream-item:last-child {
321
- border-bottom: none;
322
- margin-bottom: 0;
323
- padding-bottom: 0;
324
- }
325
-
326
- .workstream-label {
327
- font-size: 0.75rem;
328
- text-transform: uppercase;
329
- letter-spacing: 1px;
330
- color: var(--text-muted);
331
- font-weight: 600;
332
- margin-bottom: 0.5rem;
333
- font-family: 'JetBrains Mono', monospace;
334
- }
335
-
336
- .workstream-text {
337
- color: var(--text-secondary);
338
- line-height: 1.5;
339
- }
340
-
341
- .time-estimate {
342
- background: var(--surface-light);
343
- padding: 0.75rem 1rem;
344
- border-radius: 6px;
345
- font-family: 'JetBrains Mono', monospace;
346
- font-size: 0.875rem;
347
- color: var(--accent);
348
- font-weight: 600;
349
- margin-top: 0.75rem;
350
- }
351
-
352
- /* Task List */
353
- .task-list {
354
- list-style: none;
355
- padding: 0;
356
- }
357
-
358
- .task-list li {
359
- padding: 0.75rem 0;
360
- padding-left: 1.5rem;
361
- position: relative;
362
- color: var(--text-secondary);
363
- font-size: 0.95rem;
364
- }
365
-
366
- .task-list li:before {
367
- content: "→";
368
- position: absolute;
369
- left: 0;
370
- color: var(--accent);
371
- }
372
-
373
- /* Dependencies */
374
- .dependencies {
375
- background: var(--surface-light);
376
- padding: 1rem;
377
- border-radius: 8px;
378
- border: 1px solid var(--border);
379
- margin-top: 1rem;
380
- }
381
-
382
- .dependencies-title {
383
- font-size: 0.875rem;
384
- font-weight: 600;
385
- color: var(--text-muted);
386
- text-transform: uppercase;
387
- margin-bottom: 0.5rem;
388
- letter-spacing: 0.5px;
389
- }
390
-
391
- .dependencies ul {
392
- list-style: none;
393
- padding: 0;
394
- }
395
-
396
- .dependencies li {
397
- font-size: 0.9rem;
398
- color: var(--text-secondary);
399
- padding: 0.25rem 0;
400
- padding-left: 1rem;
401
- position: relative;
402
- }
403
-
404
- .dependencies li:before {
405
- content: "◆";
406
- position: absolute;
407
- left: 0;
408
- color: var(--accent);
409
- font-size: 0.6rem;
410
- }
411
-
412
- /* Timeline */
413
- .timeline {
414
- position: relative;
415
- padding: 2rem 0;
416
- margin-bottom: 3rem;
417
- }
418
-
419
- .timeline-item {
420
- margin-bottom: 2rem;
421
- padding-left: 3rem;
422
- position: relative;
423
- }
424
-
425
- .timeline-marker {
426
- position: absolute;
427
- left: 0;
428
- width: 24px;
429
- height: 24px;
430
- background: var(--accent);
431
- border: 3px solid var(--primary);
432
- border-radius: 50%;
433
- top: 0;
434
- }
435
-
436
- .timeline-time {
437
- font-family: 'JetBrains Mono', monospace;
438
- font-size: 0.875rem;
439
- font-weight: 600;
440
- color: var(--accent);
441
- margin-bottom: 0.25rem;
442
- }
443
-
444
- .timeline-content {
445
- color: var(--text-secondary);
446
- }
447
-
448
- /* Decision Table */
449
- .decision-table {
450
- width: 100%;
451
- border-collapse: collapse;
452
- margin-bottom: 2rem;
453
- }
454
-
455
- .decision-table th {
456
- background: var(--surface-light);
457
- padding: 1rem;
458
- text-align: left;
459
- font-weight: 600;
460
- color: var(--accent);
461
- border: 1px solid var(--border);
462
- font-size: 0.95rem;
463
- }
464
-
465
- .decision-table td {
466
- padding: 1rem;
467
- border: 1px solid var(--border);
468
- color: var(--text-secondary);
469
- }
470
-
471
- .decision-table tr:hover {
472
- background: rgba(16, 185, 129, 0.05);
473
- }
474
-
475
- /* Footer */
476
- footer {
477
- border-top: 1px solid var(--border);
478
- padding: 2rem;
479
- text-align: center;
480
- color: var(--text-muted);
481
- font-size: 0.9rem;
482
- margin-top: 4rem;
483
- }
484
-
485
- /* Responsive */
486
- @media (max-width: 768px) {
487
- h1 {
488
- font-size: 1.75rem;
489
- }
490
-
491
- h2 {
492
- font-size: 1.3rem;
493
- }
494
-
495
- header {
496
- padding: 2rem 1rem;
497
- }
498
-
499
- .container {
500
- padding: 0 1rem;
501
- }
502
-
503
- main {
504
- padding: 2rem 0;
505
- }
506
-
507
- .workstreams-grid {
508
- grid-template-columns: 1fr;
509
- }
510
- }
511
-
512
- /* Print */
513
- @media print {
514
- body {
515
- background: white;
516
- color: black;
517
- }
518
-
519
- .status-badge,
520
- .summary-card,
521
- .workstream,
522
- .findings-box,
523
- .critical-issues {
524
- page-break-inside: avoid;
525
- }
526
- }
527
- </style>
528
- </head>
529
- <body>
530
- <header>
531
- <div class="container">
532
- <div class="logo">
533
- <div class="logo-icon">⚡</div>
534
- <div class="logo-text">CodeProbe</div>
535
- </div>
536
- <h1>MVP Execution Plan</h1>
537
- <p class="subtitle">5-Hour Hackathon Build | AgentForge SG Super AI Edition</p>
538
- <span class="status-badge status-ready">PREFLIGHT: HUMAN-IN-LOOP → RESOLVED</span>
539
- </div>
540
- </header>
541
-
542
- <main>
543
- <div class="container">
544
- <!-- PREFLIGHT SUMMARY -->
545
- <section>
546
- <h2>Preflight Review Summary</h2>
547
- <p style="color: var(--text-secondary); margin-bottom: 1.5rem;">
548
- Four parallel agent reviews (Eng, Design, QA, Security) flagged critical contradictions in the initial plan.
549
- All have been <strong>resolved</strong>. This document reflects the corrected MVP scope.
550
- </p>
551
-
552
- <div class="summary-grid">
553
- <div class="summary-card">
554
- <div class="summary-card-label">Eng Confidence</div>
555
- <div class="summary-card-value">85/100</div>
556
- <div class="summary-card-detail">Architecture sound after CVE fix</div>
557
- </div>
558
- <div class="summary-card">
559
- <div class="summary-card-label">Design Confidence</div>
560
- <div class="summary-card-value">82/100</div>
561
- <div class="summary-card-detail">Scope revised; interactions defined</div>
562
- </div>
563
- <div class="summary-card">
564
- <div class="summary-card-label">QA Confidence</div>
565
- <div class="summary-card-value">75/100</div>
566
- <div class="summary-card-detail">Smoke tests; fallbacks pre-tested</div>
567
- </div>
568
- <div class="summary-card">
569
- <div class="summary-card-label">Security Confidence</div>
570
- <div class="summary-card-value">85/100</div>
571
- <div class="summary-card-detail">Known risks documented</div>
572
- </div>
573
- </div>
574
-
575
- <div class="critical-issues">
576
- <h4>🔧 Blockers Resolved</h4>
577
- <ol>
578
- <li><strong>Log4Shell contradiction:</strong> Java library, not Node.js. Replaced with Prototype Pollution RCE (Node.js native).</li>
579
- <li><strong>Sandbox isolation vs. exploit mechanism:</strong> No longer required. Prototype Pollution works in isolated sandbox.</li>
580
- <li><strong>Claude API fallback:</strong> Removed. Nosana-only patch generation. Cold start risk accepted.</li>
581
- <li><strong>Timeline realism:</strong> 5h timeline is aggressive; 3-person split mitigates. Prioritization: CLI + Exploit verify → Bot/Dashboard → Polish.</li>
582
- <li><strong>Test coverage:</strong> Zero automated tests for MVP. Smoke tests on demo path only. Pre-record fallback video.</li>
583
- </ol>
584
- </div>
585
-
586
- <div class="findings-box">
587
- <h4>✓ Corrected MVP Scope</h4>
588
- <ul>
589
- <li><strong>Demo CVE 1:</strong> CVE-2023-44487 (HTTP/2 Rapid Reset) — DoS, genuine Node.js vulnerability</li>
590
- <li><strong>Demo CVE 2:</strong> Prototype Pollution RCE — Code execution, Node.js ecosystem</li>
591
- <li><strong>Patch Generation:</strong> Nosana LLM only (no Claude fallback). If cold start > 60s, show "Nosana unavailable" gracefully.</li>
592
- <li><strong>GitHub Bot:</strong> Real OAuth + PR comments + auto-fix PR creation (write access required for branches).</li>
593
- <li><strong>Dashboard:</strong> Functional React (Technical + Executive views). Unlisted URL (no auth). Known limitation for MVP.</li>
594
- <li><strong>Testing:</strong> Manual rehearsal + fallback video. No automated test suite.</li>
595
- </ul>
596
- </div>
597
- </section>
598
-
599
- <!-- PRD SNAPSHOT -->
600
- <section>
601
- <h2>Problem & Solution (PRD Snapshot)</h2>
602
- <div style="background: var(--surface); border: 1px solid var(--border); border-radius: 12px; padding: 2rem; margin-bottom: 2rem;">
603
- <h3 style="color: var(--accent);">The Problem</h3>
604
- <p style="color: var(--text-secondary); margin-bottom: 1.5rem;">
605
- 60% of data breaches in 2026 involve vulnerabilities for which a patch was already available. SAST tools like Snyk identify CVEs theoretically present in dependencies, but cannot confirm whether a specific codebase is actually exploitable. Engineers deprioritize patches based on theoretical risk, leading to breaches costing an average of <strong>$4.9M</strong> per incident.
606
- </p>
607
-
608
- <h3 style="color: var(--accent);">The Solution</h3>
609
- <p style="color: var(--text-secondary); margin-bottom: 1.5rem;">
610
- An autonomous AI agent that confirms which CVEs are actually exploitable in a target codebase by:
611
- </p>
612
- <ul class="task-list" style="margin-bottom: 1.5rem;">
613
- <li><strong>Running known PoC exploits</strong> in isolated Daytona sandboxes</li>
614
- <li><strong>Verifying success/failure</strong> (Confirmed Exploitable vs. Theoretical Risk)</li>
615
- <li><strong>Generating verified patches</strong> using Nosana LLM</li>
616
- <li><strong>Providing results</strong> via CLI, GitHub Bot, CI/CD, and MCP</li>
617
- </ul>
618
-
619
- <h3 style="color: var(--accent);">Business Impact</h3>
620
- <p style="color: var(--text-secondary);">
621
- Ship security fixes faster with confidence. Every confirmed exploitable CVE fixed = <strong>$4.9M breach cost averted</strong>.
622
- </p>
623
- </div>
624
- </section>
625
-
626
- <!-- DEMO MOMENT -->
627
- <section>
628
- <h2>The "Wow Moment" (Demo Day)</h2>
629
- <div style="background: rgba(16, 185, 129, 0.1); border: 1px solid rgba(16, 185, 129, 0.3); border-radius: 12px; padding: 2rem; margin-bottom: 2rem;">
630
- <p style="color: var(--text-secondary); margin-bottom: 1.5rem;">
631
- <strong>2-minute live demo:</strong> User runs <code style="background: var(--surface); padding: 0.25rem 0.5rem; border-radius: 4px;">codeprobe scan &lt;demo-repo&gt;</code>
632
- </p>
633
- <ol style="color: var(--text-secondary); padding-left: 1.5rem;">
634
- <li style="margin-bottom: 0.75rem;"><strong>Progress output:</strong> "Scraping CVE databases... Found 14 vulnerabilities" (Bright Data + cache)</li>
635
- <li style="margin-bottom: 0.75rem;"><strong>Sandbox spawning:</strong> "Spinning up 2 isolated sandboxes for CRITICAL CVEs..." (Daytona)</li>
636
- <li style="margin-bottom: 0.75rem;"><strong>Live exploit execution:</strong> <span style="color: var(--accent);">✓ CVE-2023-44487: CONFIRMED EXPLOITABLE (DoS in 2.1s)</span></li>
637
- <li style="margin-bottom: 0.75rem;"><strong>Patch generation:</strong> "Generating patches..." (Nosana LLM)</li>
638
- <li style="margin-bottom: 0.75rem;"><strong>Report:</strong> <span style="color: var(--accent);">Risk Score: 8.2/10 | Confirmed: 1 | Theoretical: 13 | Estimated breach cost: $4.9M</span></li>
639
- <li><strong>Dashboard:</strong> Judges see full CVE breakdown + business impact in browser</li>
640
- </ol>
641
- </div>
642
- </section>
643
-
644
- <!-- WORKSTREAMS -->
645
- <section>
646
- <h2>3-Workstream Split (5-Hour Build)</h2>
647
- <p style="color: var(--text-secondary); margin-bottom: 2rem;">
648
- Each workstream is assigned to one person. <strong>Workstream 2 (Verify-Fix) is demo-critical and must not be split.</strong>
649
- Clock starts at 10:30 AM. Submit by 4:30 PM (6 hours with 30min buffer).
650
- </p>
651
-
652
- <div class="workstreams-grid">
653
- <!-- WORKSTREAM 1 -->
654
- <div class="workstream">
655
- <div class="workstream-header">
656
- <div class="workstream-number">1</div>
657
- <div class="workstream-title">Find Vulns</div>
658
- <div class="workstream-subtitle">Dependency analysis & CVE discovery</div>
659
- </div>
660
- <div class="workstream-content">
661
- <div class="workstream-item">
662
- <div class="workstream-label">Person</div>
663
- <div class="workstream-text">Backend engineer (Node.js parser, API design)</div>
664
- </div>
665
-
666
- <div class="workstream-item">
667
- <div class="workstream-label">Scope</div>
668
- <div class="workstream-text">
669
- <ul class="task-list">
670
- <li>Dependency parser (extract versions from package.json, package-lock.json)</li>
671
- <li>Bright Data scraper (async CVE database scraping, NVD + Exploit-DB)</li>
672
- <li>CVE matcher (semver matching of deps to CVEs)</li>
673
- <li>Report builder (JSON output)</li>
674
- <li>API: POST /api/scan, GET /api/scan/:id</li>
675
- </ul>
676
- </div>
677
- </div>
678
-
679
- <div class="workstream-item">
680
- <div class="workstream-label">Deliverable</div>
681
- <div class="workstream-text">
682
- Node.js module that takes a repo path, returns JSON with CVEs.
683
- <div class="time-estimate">1.5 hours (core) + 0.5h (testing)</div>
684
- </div>
685
- </div>
686
-
687
- <div class="workstream-item">
688
- <div class="workstream-label">Dependencies</div>
689
- <div class="dependencies">
690
- <div class="dependencies-title">Requires:</div>
691
- <ul>
692
- <li>Bright Data API key + sandbox proof</li>
693
- <li>Demo repo (Node.js, intentional vulns)</li>
694
- <li>Zod for validation</li>
695
- </ul>
696
- </div>
697
- </div>
698
-
699
- <div class="workstream-item">
700
- <div class="workstream-label">Risks</div>
701
- <div class="workstream-text" style="color: var(--warn);">
702
- Bright Data rate-limited. Mitigation: pre-cache CVE data for demo repo.
703
- </div>
704
- </div>
705
- </div>
706
- </div>
707
-
708
- <!-- WORKSTREAM 2 -->
709
- <div class="workstream">
710
- <div class="workstream-header" style="background: linear-gradient(135deg, #ef4444 0%, #dc2626 100%);">
711
- <div class="workstream-number">2</div>
712
- <div class="workstream-title">Verify & Fix</div>
713
- <div class="workstream-subtitle">Exploit execution + patch generation (DEMO-CRITICAL)</div>
714
- </div>
715
- <div class="workstream-content">
716
- <div class="workstream-item">
717
- <div class="workstream-label">Person</div>
718
- <div class="workstream-text">Lead engineer (orchestration, sandbox, exploit verification)</div>
719
- </div>
720
-
721
- <div class="workstream-item">
722
- <div class="workstream-label">Scope</div>
723
- <div class="workstream-text">
724
- <ul class="task-list">
725
- <li><strong>Daytona orchestrator:</strong> Spawn isolated Node.js containers, install vulnerable packages, run PoCs</li>
726
- <li><strong>Exploit runner:</strong> Inject PoC scripts (HTTP/2 Rapid Reset + Prototype Pollution), capture output/errors</li>
727
- <li><strong>Verification logic:</strong> Success detection (exploit output patterns, exit codes)</li>
728
- <li><strong>Nosana integration:</strong> Call LLM to generate patches, validate syntax</li>
729
- <li><strong>Fallback:</strong> Nosana cold start > 60s → show "unavailable" (don't fall back to Claude)</li>
730
- <li><strong>Retry logic:</strong> Sandbox crash → retry once, mark as "Verification Failed" on 2nd failure</li>
731
- </ul>
732
- </div>
733
- </div>
734
-
735
- <div class="workstream-item">
736
- <div class="workstream-label">Deliverable</div>
737
- <div class="workstream-text">
738
- Orchestrator module + exploit runner. Takes CVE list, returns results with exploit evidence + patches.
739
- <div class="time-estimate">2.5 hours (core exploit) + 1h (Nosana + fallback)</div>
740
- </div>
741
- </div>
742
-
743
- <div class="workstream-item">
744
- <div class="workstream-label">Demo CVEs (Pre-tested)</div>
745
- <div class="workstream-text">
746
- <strong>CVE-2023-44487 (HTTP/2 Rapid Reset):</strong> Node.js http2 module, DoS via stream reset flood. PoC: send rapid RST_STREAM frames. Verify: connection drops or timeout.<br><br>
747
- <strong>Prototype Pollution RCE:</strong> Node.js object/array prototype override. PoC: pollution via vulnerable package input, execute code via Object.defineProperty. Verify: code execution in stdout.
748
- </div>
749
- </div>
750
-
751
- <div class="workstream-item">
752
- <div class="workstream-label">Dependencies</div>
753
- <div class="dependencies">
754
- <div class="dependencies-title">Requires:</div>
755
- <ul>
756
- <li>Daytona API key + sandbox pool tested</li>
757
- <li>Nosana GPU container or API key</li>
758
- <li>PoC scripts for both CVEs (pre-written)</li>
759
- <li>Demo repo with vulnerable packages installed</li>
760
- <li>Workstream 1 output (CVE list)</li>
761
- </ul>
762
- </div>
763
- </div>
764
-
765
- <div class="workstream-item">
766
- <div class="workstream-label" style="color: var(--critical);">CRITICAL</div>
767
- <div class="workstream-text" style="color: var(--critical);">
768
- This is the "wow moment." Demo relies 100% on live exploit execution. Pre-record a 2-minute working video as insurance.
769
- </div>
770
- </div>
771
- </div>
772
- </div>
773
-
774
- <!-- WORKSTREAM 3 -->
775
- <div class="workstream">
776
- <div class="workstream-header">
777
- <div class="workstream-number">3</div>
778
- <div class="workstream-title">Surfaces</div>
779
- <div class="workstream-subtitle">CLI + Dashboard + GitHub Bot</div>
780
- </div>
781
- <div class="workstream-content">
782
- <div class="workstream-item">
783
- <div class="workstream-label">Person</div>
784
- <div class="workstream-text">Full-stack engineer (CLI, React dashboard, GitHub integration)</div>
785
- </div>
786
-
787
- <div class="workstream-item">
788
- <div class="workstream-label">Scope A: CLI</div>
789
- <div class="workstream-text">
790
- <ul class="task-list">
791
- <li>Bun CLI entry point: <code>codeprobe scan &lt;repo&gt;</code></li>
792
- <li>Real-time progress output (colors, progress indicator)</li>
793
- <li>Terminal table: CVE list with exploit status (✓ Confirmed / ✗ Theoretical)</li>
794
- <li>Risk score + business impact messaging</li>
795
- <li>Config file: ~/.codeprobe/config (API keys, auth token)</li>
796
- <li>Optional: `codeprobe scan --fix` (generate patches, push to branch)</li>
797
- </ul>
798
- </div>
799
- </div>
800
-
801
- <div class="workstream-item">
802
- <div class="workstream-label">Scope B: Dashboard</div>
803
- <div class="workstream-text">
804
- <ul class="task-list">
805
- <li>React + Vite (TailwindCSS)</li>
806
- <li><strong>Technical view:</strong> CVE table, severity, package version, PoC evidence, patch diffs</li>
807
- <li><strong>Executive view:</strong> Risk score (0–10 gauge), $4.9M impact callout, count of confirmed/theoretical</li>
808
- <li>View switcher (tabs or button)</li>
809
- <li>Scan metadata: timestamp, duration, repo URL</li>
810
- <li><strong>Known limitation:</strong> Unlisted URL, no authentication (MVP)</li>
811
- </ul>
812
- </div>
813
- </div>
814
-
815
- <div class="workstream-item">
816
- <div class="workstream-label">Scope C: GitHub Bot</div>
817
- <div class="workstream-text">
818
- <ul class="task-list">
819
- <li>GitHub App (webhook for PR events)</li>
820
- <li>OAuth flow for CLI: `codeprobe init` (opens browser, user authorizes)</li>
821
- <li>PR comment: scan results table + business impact</li>
822
- <li>"Auto-fix available" button → triggers patch generation → opens new PR</li>
823
- <li>New PR title: `[CodeProbe] Fix 2 confirmed CVEs (PR #123)`</li>
824
- </ul>
825
- </div>
826
- </div>
827
-
828
- <div class="workstream-item">
829
- <div class="workstream-label">Deliverable</div>
830
- <div class="workstream-text">
831
- <ul class="task-list">
832
- <li>CLI: Bun binary with Chalk colors + terminal output</li>
833
- <li>Dashboard: Vite React app (served static or S3)</li>
834
- <li>Bot: GitHub App handler (webhook receiver + PR commenter)</li>
835
- </ul>
836
- <div class="time-estimate">1h (CLI) + 1.5h (Dashboard) + 1h (Bot) = 3.5h</div>
837
- </div>
838
- </div>
839
-
840
- <div class="workstream-item">
841
- <div class="workstream-label">Dependencies</div>
842
- <div class="dependencies">
843
- <div class="dependencies-title">Requires:</div>
844
- <ul>
845
- <li>Workstream 1 + 2 modules (loaded as libraries)</li>
846
- <li>GitHub App credentials (pre-created)</li>
847
- <li>Demo repo URL (for test PR)</li>
848
- <li>S3 bucket or local file storage for scan results</li>
849
- </ul>
850
- </div>
851
- </div>
852
-
853
- <div class="workstream-item">
854
- <div class="workstream-label">Risks</div>
855
- <div class="workstream-text" style="color: var(--warn);">
856
- <strong>Dashboard scope creep.</strong> Two full React views in 1.5 hours is tight. Prioritize: Technical view (CVE table) first, Executive (gauge + $4.9M message) second. If time runs out, Executive view becomes a static screenshot.
857
- </div>
858
- </div>
859
- </div>
860
- </div>
861
- </div>
862
- </section>
863
-
864
- <!-- TIMELINE -->
865
- <section>
866
- <h2>5-Hour Timeline</h2>
867
-
868
- <div class="timeline">
869
- <div class="timeline-item">
870
- <div class="timeline-marker"></div>
871
- <div class="timeline-time">10:30 – 10:45 (15m)</div>
872
- <div class="timeline-content">
873
- <strong>Kickoff & Setup:</strong> Distribute workstreams, verify API keys (Bright Data, Daytona, Nosana), test sandbox spawn, confirm demo repo is ready.
874
- </div>
875
- </div>
876
-
877
- <div class="timeline-item">
878
- <div class="timeline-marker"></div>
879
- <div class="timeline-time">10:45 – 12:15 (1.5h)</div>
880
- <div class="timeline-content">
881
- <strong>Parallel build:</strong> WS1 builds parser + Bright Data, WS2 sets up Daytona + PoC injection, WS3 initializes Bun CLI project.
882
- </div>
883
- </div>
884
-
885
- <div class="timeline-item">
886
- <div class="timeline-marker"></div>
887
- <div class="timeline-time">12:15 – 13:45 (1.5h)</div>
888
- <div class="timeline-content">
889
- <strong>Integration:</strong> WS1 + WS2 merge. CLI skeleton calls both. Dashboard Vite build starts. Bot OAuth flow tested offline.
890
- </div>
891
- </div>
892
-
893
- <div class="timeline-item">
894
- <div class="timeline-marker"></div>
895
- <div class="timeline-time">13:45 – 14:45 (1h)</div>
896
- <div class="timeline-content">
897
- <strong>Demo path E2E:</strong> Full CLI scan on demo repo. Both CVEs execute. Results flow through dashboard. GitHub bot posts comment on test PR.
898
- </div>
899
- </div>
900
-
901
- <div class="timeline-item">
902
- <div class="timeline-marker"></div>
903
- <div class="timeline-time">14:45 – 15:30 (45m)</div>
904
- <div class="timeline-content">
905
- <strong>Polish & Fallbacks:</strong> Terminal output formatting. Dashboard styling. Pre-record exploit video backup. Test Nosana cold-start fallback.
906
- </div>
907
- </div>
908
-
909
- <div class="timeline-item">
910
- <div class="timeline-marker"></div>
911
- <div class="timeline-time">15:30 – 16:30 (1h)</div>
912
- <div class="timeline-content">
913
- <strong>Rehearsal & Buffer:</strong> Dry-run 2-minute demo 3x. Troubleshoot issues. Prepare backup video. Final checks.
914
- </div>
915
- </div>
916
-
917
- <div class="timeline-item">
918
- <div class="timeline-marker"></div>
919
- <div class="timeline-time">16:30</div>
920
- <div class="timeline-content">
921
- <strong>SUBMIT</strong>
922
- </div>
923
- </div>
924
- </div>
925
-
926
- <div class="critical-issues">
927
- <h4>⏱️ Time Crunch Cuts (If Running Behind)</h4>
928
- <ol>
929
- <li><strong>Hour 4.5, 15 min behind:</strong> Skip `--fix` flag. Keep `scan` only.</li>
930
- <li><strong>Hour 4.5, 30 min behind:</strong> Skip GitHub bot auto-fix PR creation. Keep PR comment only.</li>
931
- <li><strong>Hour 4.5, 45 min behind:</strong> Skip Executive view dashboard. Show Technical view only + static $4.9M message.</li>
932
- <li><strong>Hour 5, any time:</strong> Use pre-recorded demo video.</li>
933
- </ol>
934
- </div>
935
- </section>
936
-
937
- <!-- SUCCESS CRITERIA -->
938
- <section>
939
- <h2>Demo Success Criteria</h2>
940
-
941
- <div style="background: var(--surface); border: 1px solid var(--border); border-radius: 12px; padding: 2rem; margin-bottom: 2rem;">
942
- <h3 style="color: var(--accent); margin-top: 0;">Must Have (Demo Will Not Work Without)</h3>
943
- <ul class="task-list" style="margin-bottom: 2rem;">
944
- <li>Working CLI: <code style="background: var(--surface-light); padding: 0.25rem 0.5rem; border-radius: 4px;">codeprobe scan &lt;demo-repo&gt;</code> executes end-to-end</li>
945
- <li>Live Bright Data CVE scraping (or cached fallback shown)</li>
946
- <li>Daytona sandbox spawning + exploit execution visible</li>
947
- <li>At least 1 confirmed exploitable CVE shown (✓ status)</li>
948
- <li>Patch generated + displayed (from Nosana, or example)</li>
949
- <li>Terminal output is colored, readable, <strong>impressive</strong></li>
950
- </ul>
951
-
952
- <h3 style="color: var(--accent);">Should Have (Strong Demo)</h3>
953
- <ul class="task-list" style="margin-bottom: 2rem;">
954
- <li>GitHub bot PR comment (real OAuth, real webhook)</li>
955
- <li>Dashboard view: both Technical + Executive visible</li>
956
- <li>Business impact messaging: "$4.9M breach cost" clearly stated</li>
957
- <li>Risk score displayed (0–10 gauge or number)</li>
958
- <li>2 confirmed exploitable CVEs (both demo CVEs)</li>
959
- </ul>
960
-
961
- <h3 style="color: var(--accent);">Nice to Have (Impressive Demo)</h3>
962
- <ul class="task-list">
963
- <li>Auto-fix PR creation (working branch push + PR open)</li>
964
- <li>Dashboard responsive on mobile (judges may view on phone)</li>
965
- <li>Dark mode polish (smooth transitions, accent colors)</li>
966
- <li>Real-time progress animation during scan</li>
967
- </ul>
968
- </div>
969
- </section>
970
-
971
- <!-- KNOWN LIMITATIONS -->
972
- <section>
973
- <h2>Known Limitations (Documented for Judges)</h2>
974
-
975
- <table class="decision-table">
976
- <thead>
977
- <tr>
978
- <th>Aspect</th>
979
- <th>MVP Scope</th>
980
- <th>Why (Reason)</th>
981
- </tr>
982
- </thead>
983
- <tbody>
984
- <tr>
985
- <td><strong>Node.js Only</strong></td>
986
- <td>Python, Rust, Java support cut</td>
987
- <td>5-hour MVP; N-language support is post-launch work</td>
988
- </tr>
989
- <tr>
990
- <td><strong>Dashboard Auth</strong></td>
991
- <td>Unlisted URL (no login required)</td>
992
- <td>OAuth adds 1–2 hours; acceptable for internal demo</td>
993
- </tr>
994
- <tr>
995
- <td><strong>Test Coverage</strong></td>
996
- <td>Manual demo only; no automated tests</td>
997
- <td>Full test suite = 20+ hours; hackathon prioritizes demo</td>
998
- </tr>
999
- <tr>
1000
- <td><strong>Patch Validation</strong></td>
1001
- <td>Nosana output trusted; no re-exploit verification</td>
1002
- <td>Validation loop adds 2–3 hours; accepted risk for demo</td>
1003
- </tr>
1004
- <tr>
1005
- <td><strong>MCP Server</strong></td>
1006
- <td>Skipped</td>
1007
- <td>Nice-to-have; CLI + Bot demonstrate agent integration</td>
1008
- </tr>
1009
- <tr>
1010
- <td><strong>CI/CD Action</strong></td>
1011
- <td>Skipped</td>
1012
- <td>Time trade-off; bot + dashboard show multi-interface capability</td>
1013
- </tr>
1014
- <tr>
1015
- <td><strong>Nosana Cold Start</strong></td>
1016
- <td>If > 60s, show "unavailable" (no Claude fallback)</td>
1017
- <td>Transparent about limitations; pure Nosana branding</td>
1018
- </tr>
1019
- </tbody>
1020
- </table>
1021
- </section>
1022
-
1023
- <!-- RISKS & MITIGATIONS -->
1024
- <section>
1025
- <h2>Risks & Fallback Plans</h2>
1026
-
1027
- <table class="decision-table">
1028
- <thead>
1029
- <tr>
1030
- <th>Risk</th>
1031
- <th>Likelihood</th>
1032
- <th>Fallback</th>
1033
- </tr>
1034
- </thead>
1035
- <tbody>
1036
- <tr>
1037
- <td><strong>Bright Data rate-limited</strong></td>
1038
- <td>Medium</td>
1039
- <td>Pre-cache demo repo CVE data. Show "Using cached CVE data" message.</td>
1040
- </tr>
1041
- <tr>
1042
- <td><strong>Daytona sandbox timeout</strong></td>
1043
- <td>Low</td>
1044
- <td>Retry once. If still fails, mark CVE as "Verification Failed". Continue scan.</td>
1045
- </tr>
1046
- <tr>
1047
- <td><strong>Nosana cold start > 60s</strong></td>
1048
- <td>Medium</td>
1049
- <td>Show "Nosana unavailable" gracefully. Display example patch instead.</td>
1050
- </tr>
1051
- <tr>
1052
- <td><strong>GitHub OAuth fails</strong></td>
1053
- <td>Low</td>
1054
- <td>Manual token input. Users provide PAT (Personal Access Token).</td>
1055
- </tr>
1056
- <tr>
1057
- <td><strong>Demo CVE PoC fails</strong></td>
1058
- <td>Low</td>
1059
- <td><strong>Pre-record 2-minute working video.</strong> Play video if live fails.</td>
1060
- </tr>
1061
- <tr>
1062
- <td><strong>Dashboard React build fails</strong></td>
1063
- <td>Low</td>
1064
- <td>Show static HTML screenshot. Skip interactive demo.</td>
1065
- </tr>
1066
- <tr>
1067
- <td><strong>Time overrun (30+ min behind)</strong></td>
1068
- <td>Medium</td>
1069
- <td>Use pre-recorded video + screenshots of full system. Focus demo on exploit execution.</td>
1070
- </tr>
1071
- </tbody>
1072
- </table>
1073
- </section>
1074
- </div>
1075
- </main>
1076
-
1077
- <footer>
1078
- <div class="container">
1079
- <p>CodeProbe MVP Execution Plan | Generated: June 13, 2026</p>
1080
- <p style="font-size: 0.85rem; margin-top: 1rem;">
1081
- Three-person, five-hour build. Questions? Review PREFLIGHT_PLAN.md and ORCHESTRATOR_SYNTHESIS.json in repo.
1082
- </p>
1083
- </div>
1084
- </footer>
1085
- </body>
1086
- </html>