codeproof 1.0.0

package/utils/apiClient.js

@@ -0,0 +1,56 @@
+import http from "http";
+import https from "https";
+
+// Boundary: integration layer only. Must not import CLI, rule engine, or reporting.
+// Network calls are fail-open to avoid impacting commits or developer flow.
+
+const DEFAULT_ENDPOINT = "https://api.codeproof.dev/report";
+
+export function sendReportToServer(report, options = {}) {
+  const enabled = Boolean(options.enabled);
+  if (!enabled) {
+    return;
+  }
+
+  const endpointUrl = typeof options.endpointUrl === "string" && options.endpointUrl.trim()
+    ? options.endpointUrl.trim()
+    : DEFAULT_ENDPOINT;
+
+  try {
+    const url = new URL(endpointUrl);
+    const payload = JSON.stringify(report);
+    const transport = url.protocol === "http:" ? http : https;
+
+    const request = transport.request(
+      {
+        method: "POST",
+        hostname: url.hostname,
+        port: url.port || (url.protocol === "http:" ? 80 : 443),
+        path: `${url.pathname}${url.search}`,
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(payload)
+        },
+        timeout: 2000
+      },
+      (res) => {
+        // UX: fail-open integrations never read or store server responses.
+        res.resume();
+      }
+    );
+
+    request.on("timeout", () => {
+      // Integrations are fail-open: timeout should not block or throw.
+      request.destroy();
+    });
+
+    request.on("error", () => {
+      // Integrations are fail-open: network errors are ignored silently.
+    });
+
+    request.write(payload);
+    request.end();
+  } catch {
+    // Integrations are fail-open: invalid URLs or serialization issues are ignored silently.
+  }
+}

package/utils/envManager.js

@@ -0,0 +1,48 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
+
+export function ensureEnvFile(projectRoot) {
+  const envPath = path.join(projectRoot, ".env");
+  if (!fs.existsSync(envPath)) {
+    fs.writeFileSync(envPath, "", "utf8");
+  }
+  return envPath;
+}
+
+export function readEnvKeys(envPath) {
+  if (!fs.existsSync(envPath)) {
+    return new Set();
+  }
+
+  const content = fs.readFileSync(envPath, "utf8");
+  const keys = new Set();
+  const lines = content.split(/\r?\n/);
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
+    }
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) {
+      continue;
+    }
+    const key = trimmed.slice(0, eqIndex).trim();
+    if (key) {
+      keys.add(key);
+    }
+  }
+
+  return keys;
+}
+
+export function appendEnvEntries(envPath, entries) {
+  if (!entries.length) {
+    return;
+  }
+  // Safety: append only to avoid overwriting existing .env entries.
+  const lines = entries.map((entry) => `${entry.key}=${entry.value}`);
+  const content = lines.join(os.EOL) + os.EOL;
+  fs.appendFileSync(envPath, content, "utf8");
+}

package/utils/fileRewriter.js

@@ -0,0 +1,145 @@
+import fs from "fs";
+import path from "path";
+
+function detectLineEnding(content) {
+  return content.includes("\r\n") ? "\r\n" : "\n";
+}
+
+function ensureBackupDir(projectRoot) {
+  const backupRoot = path.join(projectRoot, ".codeproof-backup");
+  if (!fs.existsSync(backupRoot)) {
+    fs.mkdirSync(backupRoot, { recursive: true });
+  }
+  return backupRoot;
+}
+
+export function backupFileOnce(projectRoot, filePath, backedUp) {
+  if (backedUp.has(filePath)) {
+    return;
+  }
+
+  const backupRoot = ensureBackupDir(projectRoot);
+  const relative = path.relative(projectRoot, filePath);
+  const backupPath = path.join(backupRoot, relative);
+  const backupDir = path.dirname(backupPath);
+  if (!fs.existsSync(backupDir)) {
+    fs.mkdirSync(backupDir, { recursive: true });
+  }
+  fs.copyFileSync(filePath, backupPath);
+  backedUp.add(filePath);
+}
+
+function findValueSegment(line) {
+  const equalsIndex = line.indexOf("=");
+  const colonIndex = line.indexOf(":");
+  let separatorIndex = -1;
+  if (equalsIndex !== -1 && colonIndex !== -1) {
+    separatorIndex = Math.min(equalsIndex, colonIndex);
+  } else if (equalsIndex !== -1) {
+    separatorIndex = equalsIndex;
+  } else if (colonIndex !== -1) {
+    separatorIndex = colonIndex;
+  }
+
+  if (separatorIndex === -1) {
+    return null;
+  }
+
+  const right = line.slice(separatorIndex + 1);
+  const leadingMatch = right.match(/^\s*/);
+  const leading = leadingMatch ? leadingMatch[0] : "";
+  const startIndex = separatorIndex + 1 + leading.length;
+
+  const quoteChar = right[leading.length];
+  if (quoteChar === "'" || quoteChar === '"') {
+    const endIndex = right.indexOf(quoteChar, leading.length + 1);
+    if (endIndex === -1) {
+      return null;
+    }
+    return {
+      separatorIndex,
+      valueStart: startIndex,
+      valueEnd: separatorIndex + 1 + endIndex + 1,
+      secretValue: right.slice(leading.length + 1, endIndex)
+    };
+  }
+
+  const candidates = [];
+  const delimiters = [" ", "\t", ";", ",", ")"];
+  for (const delimiter of delimiters) {
+    const index = right.indexOf(delimiter, leading.length);
+    if (index !== -1) {
+      candidates.push(separatorIndex + 1 + index);
+    }
+  }
+  const commentIndex = right.indexOf("//", leading.length);
+  if (commentIndex !== -1) {
+    candidates.push(separatorIndex + 1 + commentIndex);
+  }
+  const hashIndex = right.indexOf("#", leading.length);
+  if (hashIndex !== -1) {
+    candidates.push(separatorIndex + 1 + hashIndex);
+  }
+
+  const valueEnd = candidates.length > 0 ? Math.min(...candidates) : line.length;
+  const rawValue = line.slice(startIndex, valueEnd).trim();
+  if (!rawValue) {
+    return null;
+  }
+
+  return {
+    separatorIndex,
+    valueStart: startIndex,
+    valueEnd,
+    secretValue: rawValue
+  };
+}
+
+export function extractSecretValueFromLine(line) {
+  const segment = findValueSegment(line);
+  return segment?.secretValue ? segment.secretValue : null;
+}
+
+export function replaceSecretInFile({ filePath, lineNumber, envKey, expectedSnippet, expectedSecretValue }) {
+  const content = fs.readFileSync(filePath, "utf8");
+  const eol = detectLineEnding(content);
+  const lines = content.split(/\r?\n/);
+  const index = lineNumber - 1;
+
+  if (index < 0 || index >= lines.length) {
+    return { updated: false, reason: "line_out_of_range" };
+  }
+
+  const originalLine = lines[index];
+  if (originalLine.includes(`process.env.${envKey}`) || originalLine.includes("process.env.CODEPROOF_SECRET_")) {
+    return { updated: false, reason: "already_moved" };
+  }
+
+  if (expectedSnippet && !String(originalLine).includes(String(expectedSnippet))) {
+    return { updated: false, reason: "line_mismatch" };
+  }
+
+  // Safety: only rewrite the specific line from the latest report; no regex rescanning.
+  const segment = findValueSegment(originalLine);
+  if (!segment || !segment.secretValue) {
+    return { updated: false, reason: "unable_to_extract" };
+  }
+
+  if (expectedSecretValue && segment.secretValue !== expectedSecretValue) {
+    return { updated: false, reason: "value_mismatch" };
+  }
+
+  const before = originalLine.slice(0, segment.valueStart);
+  const after = originalLine.slice(segment.valueEnd);
+  const replacement = `process.env.${envKey}`;
+  // Preserve original formatting and line endings by replacing only the value segment.
+  const updatedLine = `${before}${replacement}${after}`;
+
+  lines[index] = updatedLine;
+
+  const hasTrailingNewline = content.endsWith(eol);
+  const newContent = lines.join(eol) + (hasTrailingNewline ? eol : "");
+  fs.writeFileSync(filePath, newContent, "utf8");
+
+  return { updated: true, secretValue: segment.secretValue };
+}

package/utils/files.js

@@ -0,0 +1,50 @@
+import fs from "fs";
+import path from "path";
+
+const DEFAULT_EXCLUDES = new Set([".git", "node_modules", ".venv", "dist", "build"]);
+
+export function getDefaultExcludes() {
+  return DEFAULT_EXCLUDES;
+}
+
+export function isBinaryFile(filePath) {
+  // Heuristic: if the first chunk contains a null byte, treat as binary.
+  try {
+    const fd = fs.openSync(filePath, "r");
+    const buffer = Buffer.alloc(8000);
+    const bytesRead = fs.readSync(fd, buffer, 0, buffer.length, 0);
+    fs.closeSync(fd);
+    for (let i = 0; i < bytesRead; i += 1) {
+      if (buffer[i] === 0) {
+        return true;
+      }
+    }
+    return false;
+  } catch {
+    return true;
+  }
+}
+
+export function listFilesRecursive(rootDir, excludes = DEFAULT_EXCLUDES) {
+  const results = [];
+
+  function walk(currentDir) {
+    const entries = fs.readdirSync(currentDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (excludes.has(entry.name)) {
+        continue;
+      }
+
+      const fullPath = path.join(currentDir, entry.name);
+
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else if (entry.isFile()) {
+        results.push(fullPath);
+      }
+    }
+  }
+
+  walk(rootDir);
+  return results;
+}

package/utils/git.js

@@ -0,0 +1,46 @@
+import { spawnSync } from "child_process";
+import { logError } from "./logger.js";
+
+function runGit(args, cwd) {
+    const result = spawnSync("git", args, {
+        cwd,
+        stdio: "pipe",
+        encoding: "utf8"
+    });
+
+    if (result.error) {
+        throw result.error;
+    }
+
+    return result;
+}
+
+export function ensureGitRepo(cwd) {
+    const result = runGit(["rev-parse", "--is-inside-work-tree"], cwd);
+    if (result.status !== 0 || !String(result.stdout).trim().includes("true")) {
+        logError("Not a Git repository. Run this inside a Git repo.");
+        process.exit(1);
+    }
+}
+
+export function getGitRoot(cwd) {
+    const result = runGit(["rev-parse", "--show-toplevel"], cwd);
+    if (result.status !== 0) {
+        logError("Failed to resolve Git root.");
+        process.exit(1);
+    }
+    return String(result.stdout).trim();
+}
+
+export function getStagedFiles(cwd) {
+    const result = runGit(["diff", "--cached", "--name-only"], cwd);
+    if (result.status !== 0) {
+        logError("Failed to read staged files.");
+        process.exit(1);
+    }
+
+    return String(result.stdout)
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter(Boolean);
+}

package/utils/logger.js

@@ -0,0 +1,25 @@
+function formatPrefix(level) {
+  const map = {
+    info: "[codeproof]",
+    success: "[codeproof]",
+    warn: "[codeproof]",
+    error: "[codeproof]"
+  };
+  return map[level] || "[codeproof]";
+}
+
+export function logInfo(message) {
+  console.log(`${formatPrefix("info")} ${message}`);
+}
+
+export function logSuccess(message) {
+  console.log(`${formatPrefix("success")} ${message}`);
+}
+
+export function logWarn(message) {
+  console.warn(`${formatPrefix("warn")} ${message}`);
+}
+
+export function logError(message) {
+  console.error(`${formatPrefix("error")} ${message}`);
+}

package/utils/projectType.js

@@ -0,0 +1,20 @@
+import fs from "fs";
+import path from "path";
+
+export function detectProjectType(rootDir) {
+  const hasFile = (fileName) => fs.existsSync(path.join(rootDir, fileName));
+
+  if (hasFile("package.json")) {
+    return "Node";
+  }
+
+  if (hasFile("requirements.txt") || hasFile("pyproject.toml")) {
+    return "Python";
+  }
+
+  if (hasFile("pom.xml") || hasFile("build.gradle")) {
+    return "Java";
+  }
+
+  return "Unknown";
+}