codeproof 1.0.0

package/bin/codeproof.js

@@ -0,0 +1,43 @@
+#!/usr/bin/env node
+import { runInit } from "../commands/init.js";
+import { runCli } from "../commands/run.js";
+import { runReportDashboard } from "../commands/reportDashboard.js";
+import { runMoveSecret } from "../commands/moveSecret.js";
+import { logError, logInfo } from "../utils/logger.js";
+
+const [, , command, ...args] = process.argv;
+
+async function main() {
+  if (!command || command === "-h" || command === "--help") {
+    logInfo("Usage: codeproof <command>\n\nCommands:\n  init               Initialize CodeProof in a Git repository\n  run                Run CodeProof checks (stub)\n  report@dashboard   Send latest report and show dashboard link\n  move-secret        Move high-confidence secrets to .env");
+    process.exit(0);
+  }
+
+  if (command === "init") {
+    await runInit({ args, cwd: process.cwd() });
+    return;
+  }
+
+  if (command === "run") {
+    await runCli({ args, cwd: process.cwd() });
+    return;
+  }
+
+  if (command === "report@dashboard") {
+    await runReportDashboard({ args, cwd: process.cwd() });
+    return;
+  }
+
+  if (command === "move-secret") {
+    await runMoveSecret({ args, cwd: process.cwd() });
+    return;
+  }
+
+  logError(`Unknown command: ${command}`);
+  process.exit(1);
+}
+
+main().catch((error) => {
+  logError(error?.message || String(error));
+  process.exit(1);
+});

package/commands/init.js

@@ -0,0 +1,72 @@
+import path from "path";
+import fs from "fs";
+import { ensureGitRepo, getGitRoot } from "../utils/git.js";
+import { logInfo, logSuccess, logWarn } from "../utils/logger.js";
+import { detectProjectType } from "../utils/projectType.js";
+import { installPreCommitHook } from "../hooks/preCommit.js";
+import { showWelcomeScreen } from "../ui/welcomeScreen.js";
+
+
+
+export async function runInit({ cwd }) {
+  logInfo("Initializing CodeProof...");
+  
+  ensureGitRepo(cwd);
+  logSuccess("Git repository detected.");
+  
+  const gitRoot = getGitRoot(cwd);
+  logInfo(`Project root: ${gitRoot}`);
+
+  const projectType = detectProjectType(gitRoot);
+  logInfo(`Detected project type: ${projectType}`);
+
+  const configPath = path.join(gitRoot, "codeproof.config.json");
+  // Avoid overwriting user configuration to keep init idempotent.
+  if (fs.existsSync(configPath)) {
+    logWarn("Config already exists. Skipping creation.");
+  } else {
+    const config = {
+      projectType,
+      scanMode: "staged",
+      features: {
+        reporting: true,
+        integration: false,
+        aiEscalation: false,
+        secretRemediation: false
+      },
+      integration: {
+        enabled: false,
+        endpointUrl: ""
+      },
+      severityRules: {
+        block: [],
+        warn: [],
+        allow: []
+      }
+    };
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf8");
+    logSuccess("Created codeproof.config.json");
+  }
+
+  installPreCommitHook(gitRoot);
+  logSuccess("Pre-commit hook installed.");
+
+  logSuccess("CodeProof initialization complete.");
+
+  let scanMode = "staged";
+  try {
+    const configRaw = fs.readFileSync(configPath, "utf8");
+    const parsed = JSON.parse(configRaw);
+    if (parsed?.scanMode) {
+      scanMode = String(parsed.scanMode).toLowerCase();
+    }
+  } catch {
+    // UX: welcome message should never fail init; fall back to defaults for display.
+  }
+
+  showWelcomeScreen({
+    projectType,
+    scanMode,
+    configPath
+  });
+}

package/commands/moveSecret.js

@@ -0,0 +1,220 @@
+import fs from "fs";
+import path from "path";
+import readline from "readline";
+import { ensureGitRepo, getGitRoot } from "../utils/git.js";
+import { getDefaultExcludes } from "../utils/files.js";
+import { logInfo, logWarn } from "../utils/logger.js";
+import { ensureEnvFile, readEnvKeys, appendEnvEntries } from "../utils/envManager.js";
+import { backupFileOnce, extractSecretValueFromLine, replaceSecretInFile } from "../utils/fileRewriter.js";
+import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
+import { reportFeatureDisabled, warnExperimentalOnce } from "../core/safetyGuards.js";
+
+const TEST_PATH_HINTS = [
+  "test",
+  "tests",
+  "__tests__",
+  "spec",
+  "example",
+  "examples",
+  "sample",
+  "samples",
+  "mock",
+  "mocks"
+];
+
+function isTestLike(filePath) {
+  const normalized = filePath.toLowerCase();
+  return TEST_PATH_HINTS.some((hint) => normalized.includes(path.sep + hint));
+}
+
+function isIgnoredPath(filePath, excludes) {
+  const segments = filePath.split(path.sep).map((segment) => segment.toLowerCase());
+  for (const segment of segments) {
+    if (excludes.has(segment)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function readLatestReport(reportPath) {
+  if (!fs.existsSync(reportPath)) {
+    return null;
+  }
+
+  const content = fs.readFileSync(reportPath, "utf8");
+  const lines = content.split(/\r?\n/).filter(Boolean);
+  if (lines.length === 0) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(lines[lines.length - 1]);
+  } catch {
+    return null;
+  }
+}
+
+function confirmProceed(message) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+
+    rl.question(message, (answer) => {
+      rl.close();
+      resolve(String(answer).trim().toLowerCase() === "y");
+    });
+  });
+}
+
+export async function runMoveSecret({ cwd }) {
+  // Boundary: remediation reads reports only and must not depend on analysis state.
+  ensureGitRepo(cwd);
+  const gitRoot = getGitRoot(cwd);
+  const reportPath = path.join(gitRoot, "codeproof-report.log");
+  const configPath = path.join(gitRoot, "codeproof.config.json");
+  let config = {};
+  try {
+    const raw = fs.readFileSync(configPath, "utf8");
+    config = JSON.parse(raw);
+  } catch {
+    config = {};
+    logWarn("Unable to read codeproof.config.json. Using safe defaults.");
+  }
+  const features = resolveFeatureFlags(config);
+  const verbose = isVerbose(config);
+
+  if (!features.secretRemediation) {
+    reportFeatureDisabled("Secret remediation", verbose, logInfo);
+    process.exit(0);
+  }
+
+  warnExperimentalOnce("Experimental feature enabled: move-secret.", logWarn);
+  const latestReport = readLatestReport(reportPath);
+
+  if (!latestReport || !Array.isArray(latestReport.findings)) {
+    logWarn("No reports found. Run 'codeproof run' first.");
+    process.exit(0);
+  }
+
+  const excludes = getDefaultExcludes();
+
+  const eligible = latestReport.findings.filter((finding) => {
+    if (finding.ruleId?.startsWith("secret.") !== true) {
+      return false;
+    }
+    if (finding.severity !== "block" || finding.confidence !== "high") {
+      return false;
+    }
+    if (!finding.filePath || !finding.lineNumber) {
+      return false;
+    }
+
+    if (!finding.codeSnippet) {
+      return false;
+    }
+
+    const absolutePath = path.isAbsolute(finding.filePath)
+      ? finding.filePath
+      : path.join(gitRoot, finding.filePath);
+
+    if (isTestLike(absolutePath)) {
+      return false;
+    }
+
+    if (isIgnoredPath(absolutePath, excludes)) {
+      return false;
+    }
+
+    return true;
+  });
+
+  if (eligible.length === 0) {
+    logInfo("No eligible high-confidence secrets to move.");
+    process.exit(0);
+  }
+
+  // Safety: secrets are never auto-fixed silently; users must confirm every change.
+  logInfo("Eligible secrets preview:");
+  for (const finding of eligible) {
+    const relative = path.relative(gitRoot, finding.filePath) || finding.filePath;
+    logInfo(`- ${relative}:${finding.lineNumber}`);
+  }
+  logInfo(`Secrets to move: ${eligible.length}`);
+
+  const confirmed = await confirmProceed("Proceed with moving these secrets? (y/N): ");
+  if (!confirmed) {
+    logInfo("No changes made.");
+    process.exit(0);
+  }
+
+  const envPath = ensureEnvFile(gitRoot);
+  const existingKeys = readEnvKeys(envPath);
+  const newEntries = [];
+  const backedUp = new Set();
+  let secretIndex = 1;
+  let secretsMoved = 0;
+  const modifiedFiles = new Set();
+
+  for (const finding of eligible) {
+    const absolutePath = path.isAbsolute(finding.filePath)
+      ? finding.filePath
+      : path.join(gitRoot, finding.filePath);
+
+    let lineContent = "";
+    try {
+      const content = fs.readFileSync(absolutePath, "utf8");
+      const lines = content.split(/\r?\n/);
+      lineContent = lines[finding.lineNumber - 1] || "";
+    } catch {
+      logWarn(`Skipped ${finding.filePath}:${finding.lineNumber} (unable to read file).`);
+      continue;
+    }
+
+    const expectedSecretValue = extractSecretValueFromLine(lineContent);
+    if (!expectedSecretValue) {
+      logWarn(`Skipped ${finding.filePath}:${finding.lineNumber} (unable to validate secret value).`);
+      continue;
+    }
+
+    while (existingKeys.has(`CODEPROOF_SECRET_${secretIndex}`)) {
+      secretIndex += 1;
+    }
+
+    const envKey = `CODEPROOF_SECRET_${secretIndex}`;
+
+    // Safety: keep an original copy before any rewrite.
+    backupFileOnce(gitRoot, absolutePath, backedUp);
+
+    const result = replaceSecretInFile({
+      filePath: absolutePath,
+      lineNumber: finding.lineNumber,
+      envKey,
+      expectedSnippet: finding.codeSnippet,
+      expectedSecretValue
+    });
+
+    if (!result.updated) {
+      logWarn(`Skipped ${finding.filePath}:${finding.lineNumber} (${result.reason}).`);
+      continue;
+    }
+
+    newEntries.push({ key: envKey, value: result.secretValue });
+    existingKeys.add(envKey);
+    secretsMoved += 1;
+    secretIndex += 1;
+    modifiedFiles.add(absolutePath);
+
+    const relative = path.relative(gitRoot, absolutePath) || absolutePath;
+    logInfo(`Updated ${relative}:${finding.lineNumber} → process.env.${envKey}`);
+  }
+
+  appendEnvEntries(envPath, newEntries);
+
+  logInfo("Secret move summary:");
+  logInfo(`Secrets moved: ${secretsMoved}`);
+  logInfo(`Files modified: ${modifiedFiles.size}`);
+  logInfo(`Backup location: ${path.join(gitRoot, ".codeproof-backup")}`);
+}

package/commands/reportDashboard.js

@@ -0,0 +1,78 @@
+import fs from "fs";
+import path from "path";
+import { ensureGitRepo, getGitRoot } from "../utils/git.js";
+import { logError, logInfo, logWarn } from "../utils/logger.js";
+import { sendReportToServer } from "../utils/apiClient.js";
+import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
+import { reportFeatureDisabled, withFailOpenIntegration } from "../core/safetyGuards.js";
+
+function readConfig(configPath) {
+  if (!fs.existsSync(configPath)) {
+    logError("Missing codeproof.config.json. Run codeproof init first.");
+    process.exit(1);
+  }
+
+  try {
+    const raw = fs.readFileSync(configPath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    logError("Invalid codeproof.config.json. Please fix the file.");
+    process.exit(1);
+  }
+}
+
+function readLatestReport(reportPath) {
+  if (!fs.existsSync(reportPath)) {
+    return null;
+  }
+
+  const content = fs.readFileSync(reportPath, "utf8");
+  const lines = content.split(/\r?\n/).filter(Boolean);
+  if (lines.length === 0) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(lines[lines.length - 1]);
+  } catch {
+    return null;
+  }
+}
+
+export async function runReportDashboard({ cwd }) {
+  // Boundary: CLI orchestration only. Avoid importing this module in lower layers.
+  ensureGitRepo(cwd);
+  const gitRoot = getGitRoot(cwd);
+  const configPath = path.join(gitRoot, "codeproof.config.json");
+  const config = readConfig(configPath);
+  const features = resolveFeatureFlags(config);
+  const verbose = isVerbose(config);
+
+  if (features.reporting) {
+    const reportPath = path.join(gitRoot, "codeproof-report.log");
+    const latestReport = readLatestReport(reportPath);
+
+    if (!latestReport) {
+      logWarn("No reports found. Run 'codeproof run' first.");
+    } else {
+      const integration = config?.integration || {};
+      const integrationEnabled = features.integration && Boolean(integration.enabled);
+      if (integrationEnabled) {
+        // Integrations are fail-open: skip silently when disabled, never throw on network errors.
+        withFailOpenIntegration(() => {
+          sendReportToServer(latestReport, {
+            enabled: true,
+            endpointUrl: integration.endpointUrl
+          });
+        });
+      } else {
+        reportFeatureDisabled("Integration", verbose, logInfo);
+      }
+    }
+  } else {
+    reportFeatureDisabled("Reporting", verbose, logInfo);
+  }
+
+  const projectId = encodeURIComponent(path.basename(gitRoot) || "project");
+  logInfo(`Dashboard: https://dashboard.codeproof.dev/project/${projectId}`);
+}

package/commands/run.js

@@ -0,0 +1,196 @@
+import fs from "fs";
+import path from "path";
+import { ensureGitRepo, getGitRoot, getStagedFiles } from "../utils/git.js";
+import { logError, logInfo, logSuccess, logWarn } from "../utils/logger.js";
+import { getDefaultExcludes, isBinaryFile, listFilesRecursive } from "../utils/files.js";
+import { runRuleEngine } from "../engine/ruleEngine.js";
+import { analyze } from "../engine/aiAnalyzer.js";
+import { mergeDecisions } from "../engine/decisionMerger.js";
+import { buildAiInputs, buildProjectContext } from "../engine/contextBuilder.js";
+import { buildReport } from "../reporting/reportBuilder.js";
+import { appendReport } from "../reporting/reportWriter.js";
+import { sendReportToServer } from "../utils/apiClient.js";
+import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
+import {
+    reportFeatureDisabled,
+    warnExperimentalOnce,
+    withFailOpenAiEscalation,
+    withFailOpenIntegration,
+    withFailOpenReporting
+} from "../core/safetyGuards.js";
+
+function readConfig(configPath) {
+    if (!fs.existsSync(configPath)) {
+        logError("Missing codeproof.config.json. Run codeproof init first.");
+        process.exit(1);
+    }
+
+    try {
+        const raw = fs.readFileSync(configPath, "utf8");
+        return JSON.parse(raw);
+    } catch {
+        logError("Invalid codeproof.config.json. Please fix the file.");
+        process.exit(1);
+    }
+}
+
+function normalizeScopeFiles(files, gitRoot) {
+    return files
+        .map((filePath) => (path.isAbsolute(filePath) ? filePath : path.join(gitRoot, filePath)))
+        .filter((filePath) => {
+            try {
+                return fs.statSync(filePath).isFile();
+            } catch {
+                return false;
+            }
+        });
+}
+
+function filterBinaryFiles(files) {
+    return files.filter((filePath) => !isBinaryFile(filePath));
+}
+
+export async function runCli({ cwd }) {
+    // Boundary: CLI orchestration only. Avoid importing this module in lower layers.
+    logInfo("CodeProof run started.");
+
+    ensureGitRepo(cwd);
+    const gitRoot = getGitRoot(cwd);
+    const configPath = path.join(gitRoot, "codeproof.config.json");
+    const config = readConfig(configPath);
+    const features = resolveFeatureFlags(config);
+    const verbose = isVerbose(config);
+
+    if (!config.scanMode) {
+        logError("Config missing scanMode. Expected 'staged' or 'full'.");
+        process.exit(1);
+    }
+
+    const scanMode = String(config.scanMode).toLowerCase();
+    let targets = [];
+
+    if (scanMode === "staged") {
+        logInfo("Scan mode: staged");
+        const staged = getStagedFiles(gitRoot);
+        targets = normalizeScopeFiles(staged, gitRoot);
+    } else if (scanMode === "full") {
+        logInfo("Scan mode: full");
+        const excludes = getDefaultExcludes();
+        const allFiles = listFilesRecursive(gitRoot, excludes);
+        targets = normalizeScopeFiles(allFiles, gitRoot);
+    } else {
+        logError("Invalid scanMode. Expected 'staged' or 'full'.");
+        process.exit(1);
+    }
+
+    const filtered = filterBinaryFiles(targets);
+
+    if (filtered.length === 0) {
+        logWarn("No relevant files found. Exiting.");
+        // Exit code 0 allows the Git commit to continue.
+        process.exit(0);
+    }
+
+    const { findings, escalations } = runRuleEngine({ files: filtered });
+    const projectContext = buildProjectContext({ gitRoot, config });
+    let aiInputs = [];
+    if (features.aiEscalation) {
+        warnExperimentalOnce("Experimental feature enabled: AI escalation.", logWarn);
+        aiInputs = buildAiInputs(escalations, projectContext);
+        if (aiInputs.length > 0) {
+            // Regex-first keeps scans fast; only ambiguous findings go to AI.
+            logWarn(`Escalating ${aiInputs.length} findings to AI for contextual analysis`);
+        }
+    } else {
+        reportFeatureDisabled("AI escalation", verbose, logInfo);
+    }
+
+    const aiDecisions = aiInputs.length > 0
+        ? withFailOpenAiEscalation(features.aiEscalation, () => analyze(aiInputs, projectContext))
+        : [];
+    const { blockFindings, warnFindings, aiReviewed, exitCode } = mergeDecisions({
+        baselineFindings: [...findings, ...escalations],
+        aiDecisions
+    });
+
+    if (features.reporting) {
+        withFailOpenReporting(() => {
+            const timestamp = new Date().toISOString();
+            const runId = `${Date.now()}-${process.pid}`;
+            const report = buildReport({
+                projectRoot: gitRoot,
+                scanMode,
+                filesScannedCount: filtered.length,
+                baselineFindings: [...findings, ...escalations],
+                aiReviewed,
+                runId,
+                timestamp
+            });
+            // Reporting is fail-open: never block commits if logging fails.
+            appendReport({ projectRoot: gitRoot, report });
+
+            const integration = config?.integration || {};
+            const integrationEnabled = features.integration && Boolean(integration.enabled);
+            if (integrationEnabled) {
+                withFailOpenIntegration(() => {
+                    // Network calls are fail-open; never affect exit codes.
+                    sendReportToServer(report, {
+                        enabled: true,
+                        endpointUrl: integration.endpointUrl
+                    });
+                });
+            } else {
+                reportFeatureDisabled("Integration", verbose, logInfo);
+            }
+        }, () => {
+            logWarn("Failed to write CodeProof report. Continuing without blocking.");
+        });
+    } else {
+        reportFeatureDisabled("Reporting", verbose, logInfo);
+    }
+
+    if (blockFindings.length > 0) {
+        logError(`Baseline rule violations (${blockFindings.length}):`);
+        for (const finding of blockFindings) {
+            const relative = path.relative(gitRoot, finding.filePath) || finding.filePath;
+            logError(
+                `${finding.ruleId} [${finding.severity}/${finding.confidence}] ${relative}:${finding.line} ${finding.message}`
+            );
+            logError(`  ${finding.snippet}`);
+        }
+    }
+
+    if (warnFindings.length > 0) {
+        logWarn(`Baseline warnings (${warnFindings.length}):`);
+        for (const finding of warnFindings) {
+            const relative = path.relative(gitRoot, finding.filePath) || finding.filePath;
+            logWarn(
+                `${finding.ruleId} [${finding.severity}/${finding.confidence}] ${relative}:${finding.line} ${finding.message}`
+            );
+            logWarn(`  ${finding.snippet}`);
+        }
+    }
+
+    if (aiReviewed.length > 0) {
+        logWarn(`AI-reviewed findings (${aiReviewed.length}):`);
+        for (const entry of aiReviewed) {
+            const { finding, decision } = entry;
+            const relative = path.relative(gitRoot, finding.filePath) || finding.filePath;
+            logWarn(
+                `${finding.ruleId} [${decision.verdict}/${decision.confidence.toFixed(2)}] ${relative}:${finding.line} ${decision.explanation}`
+            );
+            if (decision.suggestedFix) {
+                logWarn(`  Suggested fix: ${decision.suggestedFix}`);
+            }
+        }
+    }
+
+    if (exitCode === 1) {
+        // Exit code 1 blocks the Git commit via the pre-commit hook.
+        process.exit(1);
+    }
+
+    logSuccess("CodeProof run complete.");
+    // Exit code 0 allows the Git commit to continue.
+    process.exit(0);
+}

package/core/boundaries.md

@@ -0,0 +1,26 @@
+# CodeProof Internal Boundaries
+
+This is a short internal guide to prevent accidental coupling between subsystems.
+
+## Allowed Dependencies
+- Rule engine → May depend on rules and utilities only.
+- Reporting → May depend on report input data and file I/O only.
+- Integration → May depend on HTTP/HTTPS only.
+- Secret remediation → May depend on reports, env helpers, and file I/O only.
+- CLI commands → Orchestrate flows and call feature guards.
+
+## Forbidden Dependencies
+- Rule engine must never import reporting, integration, or remediation.
+- Reporting must never import rule logic or AI logic.
+- Integration must never import CLI or rule logic.
+- Secret remediation must never import analysis state (only reports).
+
+## Fail-Open Guarantees
+- Reporting failures never affect exit codes.
+- Integration failures never affect commits.
+- AI failures always downgrade to warn and never block.
+
+## Safe Extension Points
+- Add new features to core/featureFlags.js with default-off behavior.
+- Use core/safetyGuards.js for all fail-open or experimental flows.
+- Keep experimental features opt-in and guarded by feature flags.

package/core/featureFlags.js

@@ -0,0 +1,25 @@
+const DEFAULT_FEATURES = {
+  reporting: true,
+  integration: false,
+  aiEscalation: false,
+  secretRemediation: false
+};
+
+// Boundary: feature flags are configuration only and must not import runtime systems.
+// Future features should be added here with safe defaults and explicit gating.
+export function resolveFeatureFlags(config) {
+  const features = config?.features || {};
+  return {
+    reporting: typeof features.reporting === "boolean" ? features.reporting : DEFAULT_FEATURES.reporting,
+    integration: typeof features.integration === "boolean" ? features.integration : DEFAULT_FEATURES.integration,
+    aiEscalation: typeof features.aiEscalation === "boolean" ? features.aiEscalation : DEFAULT_FEATURES.aiEscalation,
+    secretRemediation:
+      typeof features.secretRemediation === "boolean"
+        ? features.secretRemediation
+        : DEFAULT_FEATURES.secretRemediation
+  };
+}
+
+export function isVerbose(config) {
+  return Boolean(config?.verbose) || process.env.CODEPROOF_VERBOSE === "1";
+}