codeproof 1.0.4 → 1.1.0

package/engine/aiAnalyzer.js

@@ -1,143 +1,143 @@
-import http from "http";
-import https from "https";
-import { logWarn } from "../utils/logger.js";
-
-// AI contextual analysis layer. Only low-confidence findings reach this stage.
-// Regex-first keeps the fast baseline deterministic; AI is a cautious fallback.
-
-const DEFAULT_TIMEOUT_MS = 5000;
-
-function getAiConfig() {
-  const apiUrl = process.env.AI_API_URL || "";
-  const timeoutMs = Number(process.env.AI_TIMEOUT_MS) || DEFAULT_TIMEOUT_MS;
-  return { apiUrl, timeoutMs };
-}
-
-function fallbackDecision(finding, reason) {
-  if (reason) {
-    logWarn(`AI escalation failed: ${reason}`);
-  }
-
-  return {
-    findingId: finding.findingId,
-    verdict: "warn",
-    confidence: 0.35,
-    explanation: "AI unavailable; defaulting to warn for manual review.",
-    suggestedFix: "Review the value and move secrets to environment variables."
-  };
-}
-
-function postJsonWithTimeout({ url, payload, timeoutMs }) {
-  return new Promise((resolve, reject) => {
-    let parsedUrl;
-    try {
-      parsedUrl = new URL(url);
-    } catch {
-      reject(new Error("Invalid AI_API_URL"));
-      return;
-    }
-
-    const data = JSON.stringify(payload);
-    const transport = parsedUrl.protocol === "http:" ? http : https;
-
-    const request = transport.request(
-      {
-        method: "POST",
-        hostname: parsedUrl.hostname,
-        port: parsedUrl.port || (parsedUrl.protocol === "http:" ? 80 : 443),
-        path: `${parsedUrl.pathname}${parsedUrl.search}`,
-        headers: {
-          "Content-Type": "application/json",
-          "Content-Length": Buffer.byteLength(data)
-        },
-        timeout: timeoutMs
-      },
-      (res) => {
-        let body = "";
-        res.setEncoding("utf8");
-        res.on("data", (chunk) => {
-          body += chunk;
-        });
-        res.on("end", () => {
-          if (res.statusCode && res.statusCode >= 400) {
-            reject(new Error(`AI API responded with ${res.statusCode}`));
-            return;
-          }
-          try {
-            resolve(JSON.parse(body));
-          } catch {
-            reject(new Error("AI API returned invalid JSON"));
-          }
-        });
-      }
-    );
-
-    request.on("timeout", () => {
-      request.destroy(new Error("AI request timed out"));
-    });
-
-    request.on("error", (err) => {
-      reject(err);
-    });
-
-    request.write(data);
-    request.end();
-  });
-}
-
-async function callModel(finding) {
-  const { apiUrl, timeoutMs } = getAiConfig();
-
-  if (!apiUrl) {
-    throw new Error("AI_API_URL is not configured");
-  }
-
-  const response = await postJsonWithTimeout({
-    url: apiUrl,
-    timeoutMs,
-    payload: {
-      code: finding.snippet || ""
-    }
-  });
-
-  if (!response || typeof response.found !== "boolean") {
-    throw new Error("AI API returned invalid payload");
-  }
-
-  const verdict = response.found && response.risk === "Critical" ? "block" : "warn";
-  const confidence = response.found ? 0.85 : 0.35;
-  const explanation = response.found
-    ? `AI detected ${response.risk} risk: ${response.secret || "secret value"}`
-    : "AI did not detect risk in this code snippet.";
-
-  return {
-    findingId: finding.findingId,
-    verdict,
-    confidence,
-    explanation,
-    suggestedFix: response.found ? "Move secrets to environment variables." : undefined
-  };
-}
-
-export async function analyze(findings, projectContext) {
-  void projectContext;
-
-  if (!Array.isArray(findings) || findings.length === 0) {
-    return [];
-  }
-
-  return Promise.all(
-    findings.map(async (finding) => {
-      try {
-        return await callModel(finding);
-      } catch (error) {
-        const reason = error instanceof Error ? error.message : "AI call failed";
-        return fallbackDecision(finding, reason);
-      }
-    })
-  );
-}
-
-
-
-
+import http from "http";
+import https from "https";
+import { logWarn } from "../utils/logger.js";
+
+// AI contextual analysis layer. Only low-confidence findings reach this stage.
+// Regex-first keeps the fast baseline deterministic; AI is a cautious fallback.
+
+const DEFAULT_TIMEOUT_MS = 5000;
+
+function getAiConfig() {
+  const apiUrl = process.env.AI_API_URL || "";
+  const timeoutMs = Number(process.env.AI_TIMEOUT_MS) || DEFAULT_TIMEOUT_MS;
+  return { apiUrl, timeoutMs };
+}
+
+function fallbackDecision(finding, reason) {
+  if (reason) {
+    logWarn(`AI escalation failed: ${reason}`);
+  }
+
+  return {
+    findingId: finding.findingId,
+    verdict: "warn",
+    confidence: 0.35,
+    explanation: "AI unavailable; defaulting to warn for manual review.",
+    suggestedFix: "Review the value and move secrets to environment variables."
+  };
+}
+
+function postJsonWithTimeout({ url, payload, timeoutMs }) {
+  return new Promise((resolve, reject) => {
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(url);
+    } catch {
+      reject(new Error("Invalid AI_API_URL"));
+      return;
+    }
+
+    const data = JSON.stringify(payload);
+    const transport = parsedUrl.protocol === "http:" ? http : https;
+
+    const request = transport.request(
+      {
+        method: "POST",
+        hostname: parsedUrl.hostname,
+        port: parsedUrl.port || (parsedUrl.protocol === "http:" ? 80 : 443),
+        path: `${parsedUrl.pathname}${parsedUrl.search}`,
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(data)
+        },
+        timeout: timeoutMs
+      },
+      (res) => {
+        let body = "";
+        res.setEncoding("utf8");
+        res.on("data", (chunk) => {
+          body += chunk;
+        });
+        res.on("end", () => {
+          if (res.statusCode && res.statusCode >= 400) {
+            reject(new Error(`AI API responded with ${res.statusCode}`));
+            return;
+          }
+          try {
+            resolve(JSON.parse(body));
+          } catch {
+            reject(new Error("AI API returned invalid JSON"));
+          }
+        });
+      }
+    );
+
+    request.on("timeout", () => {
+      request.destroy(new Error("AI request timed out"));
+    });
+
+    request.on("error", (err) => {
+      reject(err);
+    });
+
+    request.write(data);
+    request.end();
+  });
+}
+
+async function callModel(finding) {
+  const { apiUrl, timeoutMs } = getAiConfig();
+
+  if (!apiUrl) {
+    throw new Error("AI_API_URL is not configured");
+  }
+
+  const response = await postJsonWithTimeout({
+    url: apiUrl,
+    timeoutMs,
+    payload: {
+      code: finding.snippet || ""
+    }
+  });
+
+  if (!response || typeof response.found !== "boolean") {
+    throw new Error("AI API returned invalid payload");
+  }
+
+  const verdict = response.found && response.risk === "Critical" ? "block" : "warn";
+  const confidence = response.found ? 0.85 : 0.35;
+  const explanation = response.found
+    ? `AI detected ${response.risk} risk: ${response.secret || "secret value"}`
+    : "AI did not detect risk in this code snippet.";
+
+  return {
+    findingId: finding.findingId,
+    verdict,
+    confidence,
+    explanation,
+    suggestedFix: response.found ? "Move secrets to environment variables." : undefined
+  };
+}
+
+export async function analyze(findings, projectContext) {
+  void projectContext;
+
+  if (!Array.isArray(findings) || findings.length === 0) {
+    return [];
+  }
+
+  return Promise.all(
+    findings.map(async (finding) => {
+      try {
+        return await callModel(finding);
+      } catch (error) {
+        const reason = error instanceof Error ? error.message : "AI call failed";
+        return fallbackDecision(finding, reason);
+      }
+    })
+  );
+}
+
+
+
+

package/engine/aiEscalation.js

@@ -1,6 +1,6 @@
-// Stub interface for future AI contextual review.
-// This keeps the AI boundary clear and avoids network calls at this stage.
-export function aiReview(findings, context) {
-  void context;
-  return findings;
-}
+// Stub interface for future AI contextual review.
+// This keeps the AI boundary clear and avoids network calls at this stage.
+export function aiReview(findings, context) {
+  void context;
+  return findings;
+}

package/engine/contextBuilder.js

@@ -1,65 +1,65 @@
-import fs from "fs";
-import path from "path";
-
-const TEST_PATH_HINTS = [
-  "test",
-  "tests",
-  "__tests__",
-  "spec",
-  "example",
-  "examples",
-  "sample",
-  "samples",
-  "mock",
-  "mocks"
-];
-
-function isTestLike(filePath) {
-  const normalized = filePath.toLowerCase();
-  return TEST_PATH_HINTS.some((hint) => normalized.includes(path.sep + hint));
-}
-
-function getFileType(filePath) {
-  const ext = path.extname(filePath).toLowerCase();
-  return ext ? ext.slice(1) : "unknown";
-}
-
-function getSnippetAroundLine(content, lineNumber, padding = 2, maxChars = 800) {
-  const lines = content.split("\n");
-  const start = Math.max(0, lineNumber - 1 - padding);
-  const end = Math.min(lines.length, lineNumber + padding);
-  const snippet = lines.slice(start, end).join("\n");
-  return snippet.length > maxChars ? snippet.slice(0, maxChars) + "..." : snippet;
-}
-
-export function buildProjectContext({ gitRoot, config }) {
-  return {
-    projectType: config?.projectType || "Unknown",
-    scanMode: config?.scanMode || "staged"
-  };
-}
-
-export function buildAiInputs(findings, projectContext) {
-  return findings.map((finding) => {
-    let content = "";
-    try {
-      content = fs.readFileSync(finding.filePath, "utf8");
-    } catch {
-      content = "";
-    }
-
-    const snippet = content
-      ? getSnippetAroundLine(content, finding.line || 1)
-      : finding.snippet || "";
-
-    return {
-      findingId: finding.findingId,
-      ruleId: finding.ruleId,
-      filePath: finding.filePath,
-      fileType: getFileType(finding.filePath),
-      isTestLike: isTestLike(finding.filePath),
-      snippet,
-      projectContext
-    };
-  });
-}
+import fs from "fs";
+import path from "path";
+
+const TEST_PATH_HINTS = [
+  "test",
+  "tests",
+  "__tests__",
+  "spec",
+  "example",
+  "examples",
+  "sample",
+  "samples",
+  "mock",
+  "mocks"
+];
+
+function isTestLike(filePath) {
+  const normalized = filePath.toLowerCase();
+  return TEST_PATH_HINTS.some((hint) => normalized.includes(path.sep + hint));
+}
+
+function getFileType(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  return ext ? ext.slice(1) : "unknown";
+}
+
+function getSnippetAroundLine(content, lineNumber, padding = 2, maxChars = 800) {
+  const lines = content.split("\n");
+  const start = Math.max(0, lineNumber - 1 - padding);
+  const end = Math.min(lines.length, lineNumber + padding);
+  const snippet = lines.slice(start, end).join("\n");
+  return snippet.length > maxChars ? snippet.slice(0, maxChars) + "..." : snippet;
+}
+
+export function buildProjectContext({ gitRoot, config }) {
+  return {
+    projectType: config?.projectType || "Unknown",
+    scanMode: config?.scanMode || "staged"
+  };
+}
+
+export function buildAiInputs(findings, projectContext) {
+  return findings.map((finding) => {
+    let content = "";
+    try {
+      content = fs.readFileSync(finding.filePath, "utf8");
+    } catch {
+      content = "";
+    }
+
+    const snippet = content
+      ? getSnippetAroundLine(content, finding.line || 1)
+      : finding.snippet || "";
+
+    return {
+      findingId: finding.findingId,
+      ruleId: finding.ruleId,
+      filePath: finding.filePath,
+      fileType: getFileType(finding.filePath),
+      isTestLike: isTestLike(finding.filePath),
+      snippet,
+      projectContext
+    };
+  });
+}

package/engine/decisionMerger.js

@@ -1,30 +1,30 @@
-// Combine baseline results with AI decisions without overriding blocks.
-
-export function mergeDecisions({ baselineFindings, aiDecisions }) {
-  const blockFindings = baselineFindings.filter(
-    (finding) => finding.severity === "block" && finding.confidence === "high"
-  );
-  const warnFindings = baselineFindings.filter(
-    (finding) => finding.severity === "warn"
-  );
-
-  const aiById = new Map(aiDecisions.map((decision) => [decision.findingId, decision]));
-  const aiReviewed = baselineFindings
-    .filter((finding) => finding.confidence === "low")
-    .map((finding) => ({
-      finding,
-      decision: aiById.get(finding.findingId)
-    }))
-    .filter((entry) => entry.decision);
-
-  const aiBlocks = aiReviewed.filter((entry) => entry.decision.verdict === "block");
-
-  const exitCode = blockFindings.length > 0 || aiBlocks.length > 0 ? 1 : 0;
-
-  return {
-    blockFindings,
-    warnFindings,
-    aiReviewed,
-    exitCode
-  };
-}
+// Combine baseline results with AI decisions without overriding blocks.
+
+export function mergeDecisions({ baselineFindings, aiDecisions }) {
+  const blockFindings = baselineFindings.filter(
+    (finding) => finding.severity === "block" && finding.confidence === "high"
+  );
+  const warnFindings = baselineFindings.filter(
+    (finding) => finding.severity === "warn"
+  );
+
+  const aiById = new Map(aiDecisions.map((decision) => [decision.findingId, decision]));
+  const aiReviewed = baselineFindings
+    .filter((finding) => finding.confidence === "low")
+    .map((finding) => ({
+      finding,
+      decision: aiById.get(finding.findingId)
+    }))
+    .filter((entry) => entry.decision);
+
+  const aiBlocks = aiReviewed.filter((entry) => entry.decision.verdict === "block");
+
+  const exitCode = blockFindings.length > 0 || aiBlocks.length > 0 ? 1 : 0;
+
+  return {
+    blockFindings,
+    warnFindings,
+    aiReviewed,
+    exitCode
+  };
+}

package/engine/ruleEngine.js

@@ -1,52 +1,52 @@
-import fs from "fs";
-import { buildLineIndex } from "../rules/ruleUtils.js";
-import { evaluateSecretRule } from "../rules/secretRule.js";
-import { evaluateDangerousUsageRule } from "../rules/dangerousUsageRule.js";
-import { evaluateInsecureConfigRule } from "../rules/insecureConfigRule.js";
-
-// Boundary: rule engine must never import reporting, integration, or remediation.
-// Rationale: regex-first keeps scans fast and deterministic; AI is a cautious fallback.
-
-// The engine aggregates deterministic regex rules and prepares low-confidence items
-// for AI escalation. This keeps the baseline fast and predictable.
-export function runRuleEngine({ files }) {
-  const findings = [];
-  const escalations = [];
-  let counter = 0;
-
-  for (const filePath of files) {
-    let content = "";
-    try {
-      content = fs.readFileSync(filePath, "utf8");
-    } catch {
-      continue;
-    }
-
-    const lineStarts = buildLineIndex(content);
-
-    const secretResult = evaluateSecretRule({ content, filePath, lineStarts });
-    findings.push(...secretResult.findings.map((finding) => ({
-      ...finding,
-      findingId: `f-${counter++}`
-    })));
-    escalations.push(...secretResult.escalations.map((finding) => ({
-      ...finding,
-      findingId: `f-${counter++}`
-    })));
-
-    findings.push(
-      ...evaluateDangerousUsageRule({ content, filePath, lineStarts }).map((finding) => ({
-        ...finding,
-        findingId: `f-${counter++}`
-      }))
-    );
-    findings.push(
-      ...evaluateInsecureConfigRule({ content, filePath, lineStarts }).map((finding) => ({
-        ...finding,
-        findingId: `f-${counter++}`
-      }))
-    );
-  }
-
-  return { findings, escalations };
-}
+import fs from "fs";
+import { buildLineIndex } from "../rules/ruleUtils.js";
+import { evaluateSecretRule } from "../rules/secretRule.js";
+import { evaluateDangerousUsageRule } from "../rules/dangerousUsageRule.js";
+import { evaluateInsecureConfigRule } from "../rules/insecureConfigRule.js";
+
+// Boundary: rule engine must never import reporting, integration, or remediation.
+// Rationale: regex-first keeps scans fast and deterministic; AI is a cautious fallback.
+
+// The engine aggregates deterministic regex rules and prepares low-confidence items
+// for AI escalation. This keeps the baseline fast and predictable.
+export function runRuleEngine({ files }) {
+  const findings = [];
+  const escalations = [];
+  let counter = 0;
+
+  for (const filePath of files) {
+    let content = "";
+    try {
+      content = fs.readFileSync(filePath, "utf8");
+    } catch {
+      continue;
+    }
+
+    const lineStarts = buildLineIndex(content);
+
+    const secretResult = evaluateSecretRule({ content, filePath, lineStarts });
+    findings.push(...secretResult.findings.map((finding) => ({
+      ...finding,
+      findingId: `f-${counter++}`
+    })));
+    escalations.push(...secretResult.escalations.map((finding) => ({
+      ...finding,
+      findingId: `f-${counter++}`
+    })));
+
+    findings.push(
+      ...evaluateDangerousUsageRule({ content, filePath, lineStarts }).map((finding) => ({
+        ...finding,
+        findingId: `f-${counter++}`
+      }))
+    );
+    findings.push(
+      ...evaluateInsecureConfigRule({ content, filePath, lineStarts }).map((finding) => ({
+        ...finding,
+        findingId: `f-${counter++}`
+      }))
+    );
+  }
+
+  return { findings, escalations };
+}