codeslick-cli 1.5.2 → 1.5.4

package/package.json

@@ -1,14 +1,15 @@
 {
   "name": "codeslick-cli",
-  "version": "1.5.2",
-  "description": "CodeSlick CLI tool for pre-commit security scanning with Terraform IaC support",
+  "version": "1.5.4",
+  "description": "CodeSlick CLI tool for pre-commit security scanning — 308 checks across JS, TS, Python, Java, Go",
   "main": "dist/index.js",
   "bin": {
     "codeslick": "./bin/codeslick.cjs",
     "cs": "./bin/codeslick.cjs"
   },
   "scripts": {
-    "build": "tsc",
+    "build": "node build.mjs",
+    "build:typecheck": "tsc --noEmit",
     "dev": "tsc --watch",
     "test": "vitest",
     "prepublishOnly": "npm run build"
@@ -20,27 +21,24 @@
     "pre-commit",
     "git-hook",
     "vulnerability-scanner",
-    "terraform",
-    "iac",
-    "infrastructure-as-code"
+    "sast",
+    "owasp",
+    "devsecops"
   ],
   "author": "CodeSlick <support@codeslick.dev>",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/VitorLourenco/codeslick2",
-    "directory": "packages/cli"
+    "url": "https://github.com/VitorLourenco/codeslick-cli.git"
   },
   "bugs": {
-    "url": "https://github.com/VitorLourenco/codeslick2/issues"
+    "url": "https://github.com/VitorLourenco/codeslick-cli/issues"
   },
   "homepage": "https://codeslick.dev",
   "engines": {
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "acorn": "^8.16.0",
-    "acorn-walk": "^8.3.5",
     "chalk": "^4.1.2",
     "cli-table3": "^0.6.3",
     "glob": "^13.0.1",
@@ -51,6 +49,7 @@
   "devDependencies": {
     "@types/node": "^20.10.0",
     "@types/yargs": "^17.0.32",
+    "esbuild": "^0.24.2",
     "vitest": "^1.0.4"
   }
 }

package/src/cli-entry.ts

@@ -0,0 +1,178 @@
+#!/usr/bin/env node
+/**
+ * CodeSlick CLI Entry Point
+ *
+ * This file is the esbuild bundle entry. It replaces bin/codeslick.cjs as the
+ * main logic container. The bin script is now a thin shim that calls this bundle.
+ *
+ * Bundled output: dist/codeslick-bundle.cjs
+ * All internal deps (@codeslick/*, acorn, analyzers) are bundled here.
+ * Runtime deps (typescript, glob, chalk, ora, yargs) stay external.
+ */
+
+import yargs from 'yargs';
+import { hideBin } from 'yargs/helpers';
+import { scanCommand } from './commands/scan';
+import { initCommand } from './commands/init';
+import { configCommand } from './commands/config';
+import { loginCommand, logoutCommand, whoamiCommand } from './commands/auth';
+import { startBackgroundUpdateCheck } from './utils/version-check';
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { version } = require('../package.json') as { version: string };
+
+// Start version check in background (non-blocking)
+void startBackgroundUpdateCheck();
+
+// Detect if running as 'cs' or 'codeslick'
+const scriptName = process.argv[1]?.includes('/cs') ? 'cs' : 'codeslick';
+
+// Main CLI application
+yargs(hideBin(process.argv))
+  .scriptName(scriptName)
+  .usage('$0 <command> [options]')
+  .command(
+    'init',
+    'Initialize CodeSlick in your repository',
+    (yargs) => {
+      return yargs
+        .option('force', {
+          alias: 'f',
+          type: 'boolean',
+          description: 'Force re-initialization (overwrite existing config)',
+          default: false,
+        })
+        .option('severity', {
+          alias: 's',
+          type: 'string',
+          description: 'Default severity threshold (critical|high|medium|low)',
+          default: 'critical',
+          choices: ['critical', 'high', 'medium', 'low'],
+        });
+    },
+    initCommand
+  )
+  .command(
+    'scan [files..]',
+    'Scan files for security vulnerabilities',
+    (yargs) => {
+      return yargs
+        .positional('files', {
+          type: 'string',
+          array: true,
+          description: 'Files or patterns to scan (default: staged files)',
+        })
+        .option('staged', {
+          type: 'boolean',
+          description: 'Scan only staged files (git) - this is the default',
+          default: true,
+        })
+        .option('all', {
+          alias: 'a',
+          type: 'boolean',
+          description: 'Scan all files in repository (overrides --staged)',
+          default: false,
+        })
+        .option('quick', {
+          alias: 'q',
+          type: 'boolean',
+          description: 'Quick scan - skip deep TypeScript type checking for speed',
+          default: false,
+        })
+        .option('verbose', {
+          alias: 'v',
+          type: 'boolean',
+          description: 'Show detailed results for all files (default: top 10 only)',
+          default: false,
+        })
+        .option('severity', {
+          alias: 's',
+          type: 'string',
+          description: 'Severity threshold (critical|high|medium|low)',
+          choices: ['critical', 'high', 'medium', 'low'],
+        })
+        .option('fix', {
+          type: 'boolean',
+          description: 'Auto-apply fixes (where possible)',
+          default: false,
+        })
+        .option('json', {
+          type: 'boolean',
+          description: 'Output results as JSON',
+          default: false,
+        })
+        .option('verify', {
+          type: 'boolean',
+          description: 'Run tests after security scan (combined pass/fail)',
+          default: false,
+        })
+        .option('test-command', {
+          type: 'string',
+          description: 'Custom test command (e.g., "npm test", "pytest")',
+        });
+    },
+    scanCommand
+  )
+  .command(
+    'config <action> [key] [value]',
+    'Manage CodeSlick configuration',
+    (yargs) => {
+      return yargs
+        .positional('action', {
+          type: 'string',
+          description: 'Action to perform (get|set|list)',
+          choices: ['get', 'set', 'list'],
+        })
+        .positional('key', {
+          type: 'string',
+          description: 'Configuration key',
+        })
+        .positional('value', {
+          type: 'string',
+          description: 'Configuration value',
+        });
+    },
+    configCommand
+  )
+  .command(
+    'auth <action>',
+    'Manage CLI authentication',
+    (yargs) => {
+      return yargs
+        .positional('action', {
+          type: 'string',
+          description: 'Action to perform (login|logout|whoami)',
+          choices: ['login', 'logout', 'whoami'],
+        });
+    },
+    async (argv) => {
+      switch (argv.action) {
+        case 'login':
+          await loginCommand();
+          break;
+        case 'logout':
+          await logoutCommand();
+          break;
+        case 'whoami':
+          await whoamiCommand();
+          break;
+      }
+    }
+  )
+  .example('$0 init', 'Initialize CodeSlick in your repository')
+  .example('$0 scan', 'Scan all staged files')
+  .example('$0 scan src/**/*.js', 'Scan specific files')
+  .example('$0 scan --staged --severity high', 'Scan staged files, block on HIGH+')
+  .example('$0 scan --verify', 'Scan files AND run tests (combined pass/fail)')
+  .example('$0 config set severity critical', 'Set severity threshold')
+  .example('$0 config list', 'List all configuration')
+  .example('$0 auth login', 'Authenticate CLI via browser')
+  .example('$0 auth whoami', 'Show current user and quota')
+  .demandCommand(1, 'You must provide a command')
+  .help()
+  .alias('help', 'h')
+  .version(version)
+  .alias('version', 'v')
+  .epilog('For more information, visit https://codeslick.dev/docs/cli')
+  .strict()
+  .parse();

package/src/commands/scan.ts

@@ -19,6 +19,7 @@
 import { exec } from 'child_process';
 import { promisify } from 'util';
 import { resolve } from 'path';
+import * as fs from 'fs';
 import { glob } from 'glob';
 import ora from 'ora';
 import chalk from 'chalk';
@@ -45,6 +46,12 @@ import {
   printThresholdResult,
 } from '../utils/threshold-handler';
 import { DEFAULT_THRESHOLD_CONFIG, type ThresholdConfig } from '../../../../src/lib/security/threshold-evaluator';
+import {
+  findConfigFile,
+  evaluatePolicy,
+  exceedsThreshold as exceedsPolicyThreshold,
+  type PolicyViolation,
+} from '../../../../src/lib/policy/policy-engine';
 
 const execAsync = promisify(exec);
 
@@ -235,6 +242,27 @@ export async function scanCommand(args: ScanArgs): Promise<void> {
       spinner.succeed(`Analyzed ${results.length} files`);
     }
 
+    // SR2-3: Policy Engine evaluation (.codeslick.yml)
+    const policyConfigPath = findConfigFile(process.cwd());
+    const allPolicyViolations: PolicyViolation[] = [];
+    let policyThresholds = null;
+    let policyUsingDefaults = true;
+
+    if (policyConfigPath) {
+      for (const fileResult of results) {
+        try {
+          const code = fs.readFileSync(fileResult.filePath, 'utf8');
+          const policyResult = evaluatePolicy(code, fileResult.filePath, policyConfigPath);
+          allPolicyViolations.push(...policyResult.violations);
+          // All files share one config — last assignment is identical to any other
+          policyThresholds = policyResult.thresholds;
+          policyUsingDefaults = policyResult.usingDefaults;
+        } catch {
+          // File unreadable — skip policy evaluation for this file
+        }
+      }
+    }
+
     const duration = Date.now() - startTime;
 
     // Track unsupported files (files that were in the glob but not scanned)
@@ -282,6 +310,24 @@ export async function scanCommand(args: ScanArgs): Promise<void> {
       }
     }
 
+    // SR2-3: Print policy violations block
+    if (!args.json && allPolicyViolations.length > 0) {
+      console.log('');
+      console.log(chalk.yellow.bold('  Policy Violations (.codeslick.yml)'));
+      console.log(chalk.gray('  ' + '─'.repeat(48)));
+      for (const v of allPolicyViolations) {
+        const dot =
+          v.severity === 'critical' ? chalk.red('●') :
+          v.severity === 'high' ? chalk.yellow('●') :
+          v.severity === 'medium' ? chalk.blue('●') :
+          chalk.gray('●');
+        const lineInfo = v.line != null ? chalk.gray(` [line ${v.line}]`) : '';
+        const ruleInfo = v.ruleId ? chalk.gray(` (${v.ruleId})`) : '';
+        console.log(`  ${dot} ${chalk.white(v.message)}${lineInfo}${ruleInfo}`);
+      }
+      console.log('');
+    }
+
     // Calculate totals for telemetry and display
     const totalCritical = results.reduce((sum, r) => sum + r.critical, 0);
     const totalHigh = results.reduce((sum, r) => sum + r.high, 0);
@@ -363,9 +409,19 @@ export async function scanCommand(args: ScanArgs): Promise<void> {
       }
     }
 
+    // SR2-3: Policy gate — only active when .codeslick.yml is present and valid
+    let policyBlocks = false;
+    if (!policyUsingDefaults && policyThresholds) {
+      const allFindingsFlat = results.flatMap(r => {
+        const vulns = (r.result as any)?.security?.vulnerabilities ?? [];
+        return (vulns as Array<{ severity: string }>).map(v => ({ severity: v.severity }));
+      });
+      policyBlocks = exceedsPolicyThreshold(allFindingsFlat, allPolicyViolations, policyThresholds, 'cli');
+    }
+
     // Determine final exit code
-    // Both security scan and tests must pass
-    const finalSuccess = !shouldBlock && testsPassed;
+    // Both security scan and tests must pass, and policy must not block
+    const finalSuccess = !shouldBlock && !policyBlocks && testsPassed;
 
     if (!finalSuccess) {
       if (!args.json) {