npm - codymaster - Versions diffs - 4.5.1 → 4.5.2 - Mend

codymaster 4.5.1 → 4.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/package.json +2 -1
package/scripts/gate-0-secrets.js +63 -0
package/scripts/gate-1-syntax.js +53 -0
package/scripts/gate-5-dist-verify.js +55 -0
package/scripts/gate-6-smoke-test.js +30 -0
package/scripts/index-codebase.sh +552 -0
package/scripts/mcp-bridge.js +284 -0
package/scripts/postinstall.js +301 -0
package/scripts/security-fixer.js +143 -0
package/scripts/security-scan.js +55 -0
package/scripts/test-gemini.js +13 -0
package/scripts/todo-bridge.js +112 -0

package/scripts/security-fixer.js ADDED Viewed

@@ -0,0 +1,143 @@
+#!/usr/bin/env node
+/**
+ * 🛠️ CodyMaster Security Fixer
+ * Automated remediation for security vulnerabilities and secret leaks.
+ *
+ * Usage:
+ *   node scripts/security-fixer.js          # Audit only
+ *   node scripts/security-fixer.js --fix    # Audit + Fix
+ */
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const DANGEROUS_PATTERNS = [
+  { name: 'Service Key Variable', regex: /(?:SERVICE_KEY|SERVICE_ROLE)\s*[=:]\s*['\"][a-zA-Z0-9._\/-]{20,}/g },
+  { name: 'Anon Key Variable', regex: /ANON_KEY\s*[=:]\s*['\"][a-zA-Z0-9._\/-]{20,}/g },
+  { name: 'Private Key Block', regex: /-----BEGIN\s+(RSA|EC|DSA|OPENSSH)?\s*PRIVATE KEY-----/g },
+  { name: 'JWT Token', regex: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g },
+  { name: 'Generic API Key', regex: /(?:api[_-]?key|api[_-]?secret|access[_-]?token)\s*[=:]\s*['\"][a-zA-Z0-9\/+=]{20,}['\"/]/gi },
+  { name: 'AWS Key', regex: /AKIA[0-9A-Z]{16}/g },
+  { name: 'Slack Token', regex: /xox[baprs]-[0-9a-zA-Z-]{10,}/g },
+  { name: 'GitHub Token', regex: /gh[ps]_[a-zA-Z0-9]{36,}/g },
+  { name: 'Stripe Key', regex: /[sr]k_(test|live)_[a-zA-Z0-9]{20,}/g },
+  { name: 'DB Password', regex: /(?:DB_PASSWORD|DATABASE_URL)\s*[=:]\s*['\"][^'\"]{8,}/gi },
+];
+const SKIP_DIRS = ['node_modules', '.git', 'dist', '.wrangler', '.next', 'coverage', '.cm'];
+const SCAN_EXTS = ['.js', '.ts', '.jsx', '.tsx', '.json', '.toml', '.yaml', '.yml',
+                    '.env', '.cfg', '.conf', '.ini', '.md', '.html', '.jsonc'];
+const args = process.argv.slice(2);
+const shouldFix = args.includes('--fix');
+const isDryRun = args.includes('--dry-run');
+let findings = [];
+function scanDir(dir) {
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (SKIP_DIRS.includes(entry.name)) continue;
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        scanDir(fullPath);
+      } else if (entry.isFile() && SCAN_EXTS.some(ext => entry.name.endsWith(ext))) {
+        const content = fs.readFileSync(fullPath, 'utf-8');
+        let fileStatus = { file: fullPath, issues: [] };
+        for (const pattern of DANGEROUS_PATTERNS) {
+          const matches = content.match(pattern.regex);
+          if (matches) {
+            fileStatus.issues.push({ pattern: pattern.name, matches: matches });
+          }
+        }
+        if (fileStatus.issues.length > 0) {
+          findings.push(fileStatus);
+        }
+      }
+    }
+  } catch (e) {}
+}
+console.log('🔍 Starting Security Audit...');
+scanDir('.');
+if (findings.length === 0) {
+  console.log('✅ No vulnerabilities detected.');
+  process.exit(0);
+}
+console.error(`❌ Found ${findings.length} files with issues:`);
+findings.forEach(f => {
+  console.error(`  ⚠ ${f.file}`);
+  f.issues.forEach(i => console.error(`    - ${i.pattern}: ${i.matches.length} matches`));
+});
+if (shouldFix) {
+  console.log('\n🔧 Applying Automated Remediation...');
+  findings.forEach(f => {
+    let content = fs.readFileSync(f.file, 'utf-8');
+    let originalContent = content;
+    f.issues.forEach(issue => {
+      issue.matches.forEach(match => {
+        const half = Math.floor(match.length / 2);
+        const prefix = match.substring(0, Math.max(4, match.length - 12));
+        const masked = prefix + '*'.repeat(match.length - prefix.length);
+        content = content.replace(match, masked);
+      });
+    });
+    if (content !== originalContent) {
+      if (isDryRun) {
+        console.log(`  [DRY RUN] Would mask secrets in ${f.file}`);
+      } else {
+        fs.writeFileSync(f.file, content);
+        console.log(`  ✅ Masked secrets in ${f.file}`);
+      }
+    }
+    // Auto-gitignore check
+    if (!SKIP_DIRS.includes(path.basename(f.file))) {
+        const gitIgnorePath = path.join(path.dirname(f.file), '.gitignore');
+        const fileName = path.basename(f.file);
+        if (fs.existsSync(gitIgnorePath)) {
+            const gitIgnoreContent = fs.readFileSync(gitIgnorePath, 'utf-8');
+            if (!gitIgnoreContent.includes(fileName)) {
+                if (isDryRun) {
+                    console.log(`  [DRY RUN] Would add ${fileName} to ${gitIgnorePath}`);
+                } else {
+                    fs.appendFileSync(gitIgnorePath, `\n${fileName}\n`);
+                    console.log(`  ✅ Added ${fileName} to .gitignore`);
+                }
+            }
+        }
+    }
+  });
+  // Dependency check
+  console.log('\n📦 Checking for dependency vulnerabilities...');
+  try {
+    execSync('npm audit fix', { stdio: 'inherit' });
+  } catch (e) {
+    console.error('  ⚠️ npm audit fix failed or found issues that require manual attention.');
+  }
+} else {
+  console.log('\n💡 Tip: Run with --fix to apply automated remediation.');
+}
+// Generate Report
+const report = {
+  timestamp: new Date().toISOString(),
+  summary: {
+    total_files_scanned: findings.length, // approximation of issues
+    total_issues: findings.reduce((acc, f) => acc + f.issues.length, 0),
+  },
+  findings: findings
+};
+fs.writeFileSync('security-report.json', JSON.stringify(report, null, 2));
+console.log('\n📊 Security report generated: security-report.json');

package/scripts/security-scan.js ADDED Viewed

@@ -0,0 +1,55 @@
+const fs = require('fs');
+const path = require('path');
+const DANGEROUS_PATTERNS = [
+  { name: 'Service Key Variable', regex: /(?:SERVICE_KEY|SERVICE_ROLE)\s*[=:]\s*['\"][a-zA-Z0-9._\/-]{20,}/g },
+  { name: 'Anon Key Variable', regex: /ANON_KEY\s*[=:]\s*['\"][a-zA-Z0-9._\/-]{20,}/g },
+  { name: 'Private Key Block', regex: /-----BEGIN\s+(RSA|EC|DSA|OPENSSH)?\s*PRIVATE KEY-----/g },
+  { name: 'JWT Token', regex: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g },
+  { name: 'Generic API Key', regex: /(?:api[_-]?key|api[_-]?secret|access[_-]?token)\s*[=:]\s*['\"][a-zA-Z0-9\/+=]{20,}['\"/]/gi },
+  { name: 'AWS Key', regex: /AKIA[0-9A-Z]{16}/g },
+  { name: 'Slack Token', regex: /xox[baprs]-[0-9a-zA-Z-]{10,}/g },
+  { name: 'GitHub Token', regex: /gh[ps]_[a-zA-Z0-9]{36,}/g },
+  { name: 'Stripe Key', regex: /[sr]k_(test|live)_[a-zA-Z0-9]{20,}/g },
+  { name: 'DB Password', regex: /(?:DB_PASSWORD|DATABASE_URL)\s*[=:]\s*['\"][^'\"]{8,}/gi },
+];
+const SKIP_DIRS = ['node_modules', '.git', 'dist', '.wrangler', '.next', 'coverage'];
+const SCAN_EXTS = ['.js', '.ts', '.jsx', '.tsx', '.json', '.toml', '.yaml', '.yml',
+                    '.env', '.cfg', '.conf', '.ini', '.md', '.html', '.jsonc'];
+let findings = [];
+function scanDir(dir) {
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (SKIP_DIRS.includes(entry.name)) continue;
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        scanDir(fullPath);
+      } else if (entry.isFile() && SCAN_EXTS.some(ext => entry.name.endsWith(ext))) {
+        const content = fs.readFileSync(fullPath, 'utf-8');
+        for (const pattern of DANGEROUS_PATTERNS) {
+          const matches = content.match(pattern.regex);
+          if (matches) {
+            findings.push({ file: fullPath, pattern: pattern.name, count: matches.length });
+          }
+        }
+      }
+    }
+  } catch (e) { /* skip unreadable dirs */ }
+}
+scanDir('.');
+if (findings.length > 0) {
+  console.error('❌ SECRET SCAN FOUND ' + findings.length + ' POTENTIAL ISSUES:');
+  findings.forEach(f => {
+    console.error('  ⚠ ' + f.file + ' — ' + f.pattern + ' (' + f.count + ' match(es))');
+  });
+  console.error('');
+  process.exit(1);
+} else {
+  console.log('✅ Repo scan: no secrets detected');
+}

package/scripts/test-gemini.js ADDED Viewed

@@ -0,0 +1,13 @@
+const { exec, spawn } = require('child_process');
+// Method 1: exec
+exec('gemini -y -p "Hello!"', (err, stdout, stderr) => {
+    console.log('EXEC Result:', stdout || stderr);
+});
+// Method 2: spawn
+const child = spawn('gemini', ['-y', '-p', 'Hello!']);
+let out = '';
+child.stdout.on('data', d => out += d);
+child.stderr.on('data', d => out += d);
+child.on('close', () => console.log('SPAWN Result:', out));

package/scripts/todo-bridge.js ADDED Viewed

@@ -0,0 +1,112 @@
+#!/usr/bin/env node
+/**
+ * cm-dashboard Todo Bridge — Phase 1 (Claude Code PostToolUse hook)
+ *
+ * Invoked by Claude Code as a PostToolUse hook on every TodoWrite event.
+ * Reads the hook payload from stdin, maps todos to dashboard tasks,
+ * and POSTs each to /api/tasks/auto-sync.
+ *
+ * Install:
+ *   cp scripts/todo-bridge.js ~/.claude/scripts/todo-bridge.js
+ *
+ * Hook config (~/.claude/settings.json):
+ *   {
+ *     "hooks": {
+ *       "PostToolUse": [{
+ *         "matcher": "TodoWrite",
+ *         "hooks": [{ "type": "command", "command": "node ~/.claude/scripts/todo-bridge.js" }]
+ *       }]
+ *     }
+ *   }
+ */
+'use strict';
+const http = require('http');
+const path = require('path');
+const DASHBOARD_PORT = process.env.CM_DASHBOARD_PORT || 6969;
+// Map TodoWrite status → dashboard column
+const STATUS_MAP = {
+  pending: 'backlog',
+  in_progress: 'in-progress',
+  completed: 'done',
+};
+// Map TodoWrite priority → dashboard priority
+const PRIORITY_MAP = {
+  high: 'high',
+  medium: 'medium',
+  low: 'low',
+  urgent: 'urgent',
+};
+function postJson(payload) {
+  return new Promise((resolve) => {
+    const body = JSON.stringify(payload);
+    const req = http.request(
+      {
+        hostname: 'localhost',
+        port: DASHBOARD_PORT,
+        path: '/api/tasks/auto-sync',
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(body),
+        },
+      },
+      (res) => {
+        res.resume(); // drain
+        resolve(res.statusCode);
+      }
+    );
+    req.on('error', () => resolve(null)); // silent — dashboard may not be running
+    req.write(body);
+    req.end();
+  });
+}
+async function main() {
+  // Read stdin
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  const raw = Buffer.concat(chunks).toString('utf8').trim();
+  if (!raw) process.exit(0);
+  let payload;
+  try {
+    payload = JSON.parse(raw);
+  } catch {
+    process.exit(0); // not JSON — ignore
+  }
+  // Only handle TodoWrite
+  if (payload.tool_name !== 'TodoWrite') process.exit(0);
+  const todos = payload.tool_input?.todos;
+  if (!Array.isArray(todos) || todos.length === 0) process.exit(0);
+  const sessionId = payload.session_id || 'unknown';
+  const cwd = payload.cwd || process.cwd();
+  const projectName = path.basename(cwd);
+  // Fire all syncs concurrently
+  await Promise.all(
+    todos.map((todo) => {
+      const column = STATUS_MAP[todo.status] || 'backlog';
+      return postJson({
+        conversationId: `${sessionId}:${todo.id}`,
+        title: todo.content,
+        status: column,
+        agent: 'claude-code',
+        priority: PRIORITY_MAP[todo.priority] || 'medium',
+        projectName,
+      });
+    })
+  );
+  process.exit(0);
+}
+main().catch(() => process.exit(0)); // always silent