corpus-cli 0.1.0

package/dist/commands/watch.js

@@ -0,0 +1,380 @@
+import { watch, readFileSync, writeFileSync, statSync, readdirSync, existsSync, mkdirSync } from 'fs';
+import path from 'path';
+import { green, amber, red, dim, bold, cyan } from '../utils/colors.js';
+import { detectSecrets } from '@corpus/core';
+import { checkCodeSafety } from '@corpus/core';
+import { checkForCVEs } from '@corpus/core';
+import { checkDependencies } from '@corpus/core';
+import { checkFile } from '@corpus/core';
+import { shouldSuppress } from '@corpus/core';
+const IGNORE_DIRS = new Set([
+    'node_modules', '.git', 'dist', '.next', '__pycache__', '.venv',
+    'venv', '.cache', '.turbo', 'coverage', '.nyc_output', '.claude',
+    '.swarm', '.claude-flow', '.insforge', '.corpus',
+]);
+const SCAN_EXTENSIONS = new Set([
+    '.ts', '.tsx', '.js', '.jsx', '.py', '.json', '.yaml', '.yml',
+    '.env', '.toml', '.sh', '.sql', '.tf', '.hcl', '.md',
+]);
+const stats = {
+    filesScanned: 0,
+    issuesFound: 0,
+    criticalCount: 0,
+    warningCount: 0,
+    passCount: 0,
+    startTime: Date.now(),
+    lastScanTime: '-',
+    recentEvents: [],
+    cvesDetected: 0,
+    depsChecked: 0,
+    contractViolations: 0,
+    autoHealed: 0,
+};
+function deepScan(content, filepath, projectRoot) {
+    const results = [];
+    // Core secret detection
+    try {
+        const secrets = detectSecrets(content, filepath);
+        for (const s of secrets) {
+            results.push({ severity: s.severity === 'CRITICAL' ? 'CRIT' : 'WARN', message: `${s.type}: ${s.redacted}`, type: s.type });
+        }
+    }
+    catch { }
+    // Code safety
+    try {
+        const safety = checkCodeSafety(content, filepath);
+        for (const s of safety) {
+            // Check pattern intelligence for suppression
+            const suppression = shouldSuppress(projectRoot, s.rule, filepath);
+            if (suppression.suppress)
+                continue;
+            results.push({ severity: s.severity === 'CRITICAL' ? 'CRIT' : s.severity === 'WARNING' ? 'WARN' : 'INFO', message: s.message, type: s.rule });
+        }
+    }
+    catch { }
+    // CVE pattern detection
+    try {
+        const cves = checkForCVEs(content, filepath);
+        for (const c of cves) {
+            results.push({ severity: 'CRIT', message: `${c.cveId}: ${c.name}`, type: `CVE:${c.cveId}`, cveId: c.cveId });
+        }
+    }
+    catch { }
+    // Graph contract verification (if graph exists)
+    try {
+        const graphResult = checkFile(projectRoot, filepath, content);
+        if (graphResult.verdict === 'VIOLATES') {
+            for (const v of graphResult.violations) {
+                results.push({ severity: v.severity === 'CRITICAL' ? 'CRIT' : 'WARN', message: `Contract: ${v.message}`, type: `contract:${v.type}` });
+            }
+        }
+    }
+    catch { }
+    return results;
+}
+// Async dependency check (runs separately due to network)
+async function checkDeps(content, filepath, projectRoot) {
+    const results = [];
+    try {
+        const findings = await checkDependencies(content, filepath, { projectRoot });
+        for (const f of findings) {
+            results.push({
+                severity: f.severity === 'CRITICAL' ? 'CRIT' : 'WARN',
+                message: `Dep: ${f.package} (${f.reason})${f.similarPackages?.length ? ' → did you mean ' + f.similarPackages[0] + '?' : ''}`,
+                type: `dep:${f.reason}`,
+            });
+        }
+    }
+    catch { }
+    return results;
+}
+function isScannable(filepath) {
+    const ext = path.extname(filepath).toLowerCase();
+    return SCAN_EXTENSIONS.has(ext) || filepath.includes('.env');
+}
+// ── Disk persistence for web dashboard ───────────────────────────────────────
+const DASHBOARD_FILE = '/tmp/corpus-dashboard.json';
+let eventsFilePath = '';
+function ensureCorpusDir(projectRoot) {
+    const corpusDir = path.join(projectRoot, '.corpus');
+    if (!existsSync(corpusDir))
+        mkdirSync(corpusDir, { recursive: true });
+    eventsFilePath = path.join(corpusDir, 'events.json');
+}
+function writeDashboardState(dir) {
+    const passRate = stats.filesScanned > 0
+        ? Math.round((stats.passCount / stats.filesScanned) * 100)
+        : 100;
+    const dashboard = {
+        score: passRate,
+        filesScanned: stats.filesScanned,
+        issues: {
+            critical: stats.criticalCount,
+            warning: stats.warningCount,
+            info: 0,
+        },
+        events: stats.recentEvents.map(e => ({
+            time: e.time,
+            file: e.file,
+            severity: e.severity,
+            message: e.message,
+        })),
+        uptime: uptime(),
+        lastUpdate: formatTime(),
+        status: 'active',
+        cvesDetected: stats.cvesDetected,
+        contractViolations: stats.contractViolations,
+        depsChecked: stats.depsChecked,
+        autoHealed: stats.autoHealed,
+    };
+    try {
+        writeFileSync(DASHBOARD_FILE, JSON.stringify(dashboard));
+    }
+    catch { /* /tmp write failed */ }
+}
+function writeEventToDisk(event) {
+    if (!eventsFilePath)
+        return;
+    try {
+        let events = [];
+        if (existsSync(eventsFilePath)) {
+            events = JSON.parse(readFileSync(eventsFilePath, 'utf-8'));
+        }
+        events.push({
+            ...event,
+            timestamp: new Date().toISOString(),
+        });
+        // Keep last 200 events
+        if (events.length > 200)
+            events = events.slice(-200);
+        writeFileSync(eventsFilePath, JSON.stringify(events));
+    }
+    catch { /* write failed */ }
+}
+function formatTime() {
+    const now = new Date();
+    return `${String(now.getHours()).padStart(2, '0')}:${String(now.getMinutes()).padStart(2, '0')}:${String(now.getSeconds()).padStart(2, '0')}`;
+}
+function uptime() {
+    const ms = Date.now() - stats.startTime;
+    const s = Math.floor(ms / 1000);
+    if (s < 60)
+        return `${s}s`;
+    const m = Math.floor(s / 60);
+    if (m < 60)
+        return `${m}m ${s % 60}s`;
+    return `${Math.floor(m / 60)}h ${m % 60}m`;
+}
+// ── Dashboard rendering ─────────────────────────────────────────────────────
+function renderDashboard(dir) {
+    const passRate = stats.filesScanned > 0
+        ? Math.round((stats.passCount / stats.filesScanned) * 100)
+        : 100;
+    const passColor = passRate >= 95 ? green : passRate >= 80 ? amber : red;
+    process.stdout.write('\x1b[2J\x1b[H'); // Clear screen
+    process.stdout.write('\n');
+    process.stdout.write(bold(`  CORPUS WATCH`) + dim(`  ${dir}\n`));
+    process.stdout.write('  ' + '\u2550'.repeat(60) + '\n\n');
+    // Stats row
+    process.stdout.write(`  ${bold('Pass rate')}  ${passColor(`${passRate}%`)}    `);
+    process.stdout.write(`${bold('Scanned')}  ${cyan(String(stats.filesScanned))}    `);
+    process.stdout.write(`${bold('Issues')}  ${stats.issuesFound > 0 ? red(String(stats.issuesFound)) : green('0')}    `);
+    process.stdout.write(`${bold('Uptime')}  ${dim(uptime())}\n`);
+    process.stdout.write('\n');
+    // Breakdown
+    if (stats.criticalCount > 0 || stats.warningCount > 0) {
+        process.stdout.write(`  ${red(`\u2716 ${stats.criticalCount} critical`)}  ${amber(`\u26A0 ${stats.warningCount} warning`)}  ${green(`\u2714 ${stats.passCount} clean`)}\n\n`);
+    }
+    else {
+        process.stdout.write(`  ${green(`\u2714 ${stats.passCount} clean`)}  ${dim('No issues found')}\n\n`);
+    }
+    // Intelligence stats
+    if (stats.cvesDetected > 0 || stats.contractViolations > 0 || stats.depsChecked > 0) {
+        process.stdout.write(`  ${red(`CVEs: ${stats.cvesDetected}`)}  ${amber(`Contracts: ${stats.contractViolations}`)}  ${cyan(`Deps checked: ${stats.depsChecked}`)}  ${green(`Auto-healed: ${stats.autoHealed}`)}\n\n`);
+    }
+    // Recent events — prioritize findings over PASS
+    process.stdout.write(dim('  Recent activity:\n'));
+    if (stats.recentEvents.length === 0) {
+        process.stdout.write(dim('  Waiting for file changes...\n'));
+    }
+    else {
+        // Show findings first, then recent clean files
+        const findings = stats.recentEvents.filter(e => e.severity !== 'PASS');
+        const clean = stats.recentEvents.filter(e => e.severity === 'PASS');
+        const display = [...findings.slice(-10), ...clean.slice(-2)].slice(-12);
+        for (const event of display) {
+            const sev = event.severity === 'CRIT' ? red('CRIT') :
+                event.severity === 'WARN' ? amber('WARN') :
+                    event.severity === 'INFO' ? dim('INFO') :
+                        green('PASS');
+            process.stdout.write(`  ${dim(event.time)}  ${sev}  ${event.file.padEnd(38)}  ${dim(event.message)}\n`);
+        }
+    }
+    process.stdout.write('\n' + dim('  Press Ctrl+C to stop\n'));
+}
+// ── Initial scan ────────────────────────────────────────────────────────────
+function initialScan(dir) {
+    function walkAndScan(d) {
+        try {
+            for (const entry of readdirSync(d)) {
+                if (IGNORE_DIRS.has(entry))
+                    continue;
+                const full = path.join(d, entry);
+                try {
+                    const s = statSync(full);
+                    if (s.isDirectory())
+                        walkAndScan(full);
+                    else if (s.isFile() && isScannable(full)) {
+                        const content = readFileSync(full, 'utf-8');
+                        const findings = deepScan(content, full, dir);
+                        stats.filesScanned++;
+                        const cveCount = findings.filter(f => f.type.startsWith('CVE:')).length;
+                        const contractCount = findings.filter(f => f.type.startsWith('contract:')).length;
+                        stats.cvesDetected += cveCount;
+                        stats.contractViolations += contractCount;
+                        if (findings.length === 0) {
+                            stats.passCount++;
+                        }
+                        else {
+                            stats.issuesFound += findings.length;
+                            const hasCrit = findings.some((f) => f.severity === 'CRIT');
+                            if (hasCrit)
+                                stats.criticalCount++;
+                            else
+                                stats.warningCount++;
+                            stats.recentEvents.push({
+                                time: formatTime(),
+                                file: path.relative(dir, full),
+                                severity: hasCrit ? 'CRIT' : 'WARN',
+                                message: findings[0].message,
+                            });
+                        }
+                    }
+                }
+                catch { /* skip */ }
+            }
+        }
+        catch { /* skip */ }
+    }
+    walkAndScan(dir);
+}
+// ── Main ────────────────────────────────────────────────────────────────────
+export async function runWatch() {
+    const targetDir = process.argv[3] || '.';
+    const resolvedDir = path.resolve(targetDir);
+    // Ensure .corpus dir exists for event writing
+    ensureCorpusDir(resolvedDir);
+    // Initial scan
+    process.stdout.write(dim('\n  Running initial scan...\n'));
+    initialScan(resolvedDir);
+    // Write initial dashboard state
+    writeDashboardState(resolvedDir);
+    // Render dashboard
+    renderDashboard(resolvedDir);
+    const debounce = new Map();
+    function handleFileChange(filepath) {
+        if (!isScannable(filepath))
+            return;
+        const existing = debounce.get(filepath);
+        if (existing)
+            clearTimeout(existing);
+        debounce.set(filepath, setTimeout(() => {
+            debounce.delete(filepath);
+            try {
+                const s = statSync(filepath);
+                if (!s.isFile())
+                    return;
+                const content = readFileSync(filepath, 'utf-8');
+                const findings = deepScan(content, filepath, resolvedDir);
+                const relPath = path.relative(resolvedDir, filepath);
+                const time = formatTime();
+                stats.filesScanned++;
+                stats.lastScanTime = time;
+                const cveCount = findings.filter(f => f.type.startsWith('CVE:')).length;
+                const contractCount = findings.filter(f => f.type.startsWith('contract:')).length;
+                stats.cvesDetected += cveCount;
+                stats.contractViolations += contractCount;
+                if (findings.length === 0) {
+                    stats.passCount++;
+                    stats.recentEvents.push({ time, file: relPath, severity: 'PASS', message: 'Clean' });
+                    writeEventToDisk({ type: 'verified', file: relPath, verdict: 'VERIFIED', details: 'All contracts satisfied' });
+                }
+                else {
+                    stats.issuesFound += findings.length;
+                    const hasCrit = findings.some((f) => f.severity === 'CRIT');
+                    if (hasCrit)
+                        stats.criticalCount++;
+                    else
+                        stats.warningCount++;
+                    for (const f of findings) {
+                        stats.recentEvents.push({ time, file: relPath, severity: f.severity, message: f.message });
+                        writeEventToDisk({
+                            type: f.severity === 'CRIT' ? 'violation' : 'scan',
+                            file: relPath,
+                            verdict: f.severity === 'CRIT' ? 'VIOLATION' : 'WARNING',
+                            details: f.message,
+                        });
+                    }
+                }
+                // Async: check dependencies (non-blocking)
+                checkDeps(content, filepath, resolvedDir).then(depResults => {
+                    if (depResults.length > 0) {
+                        stats.depsChecked++;
+                        for (const r of depResults) {
+                            stats.issuesFound++;
+                            if (r.severity === 'CRIT')
+                                stats.criticalCount++;
+                            else
+                                stats.warningCount++;
+                            stats.recentEvents.push({ time: formatTime(), file: relPath, severity: r.severity, message: r.message });
+                        }
+                        renderDashboard(resolvedDir);
+                    }
+                });
+                // Keep only last 50 events
+                if (stats.recentEvents.length > 50) {
+                    stats.recentEvents = stats.recentEvents.slice(-50);
+                }
+                renderDashboard(resolvedDir);
+            }
+            catch { /* file deleted */ }
+        }, 300));
+    }
+    // Watch
+    try {
+        watch(resolvedDir, { recursive: true }, (_event, filename) => {
+            if (!filename)
+                return;
+            const fullPath = path.join(resolvedDir, filename);
+            const parts = filename.split(path.sep);
+            if (parts.some((p) => IGNORE_DIRS.has(p)))
+                return;
+            handleFileChange(fullPath);
+        });
+    }
+    catch {
+        process.stderr.write(red(`  Could not watch ${resolvedDir}\n`));
+        process.exit(1);
+    }
+    // Refresh dashboard every 5s (uptime counter)
+    setInterval(() => renderDashboard(resolvedDir), 5000);
+    await new Promise(() => {
+        process.on('SIGINT', () => {
+            process.stdout.write('\n\n');
+            process.stdout.write(bold('  CORPUS WATCH SESSION SUMMARY\n'));
+            process.stdout.write('  ' + '\u2550'.repeat(40) + '\n');
+            process.stdout.write(`  Files scanned:  ${stats.filesScanned}\n`);
+            process.stdout.write(`  Issues found:   ${stats.issuesFound}\n`);
+            process.stdout.write(`  Critical:       ${stats.criticalCount}\n`);
+            process.stdout.write(`  Warnings:       ${stats.warningCount}\n`);
+            process.stdout.write(`  Clean:          ${stats.passCount}\n`);
+            process.stdout.write(`  CVEs detected:  ${stats.cvesDetected}\n`);
+            process.stdout.write(`  Deps checked:   ${stats.depsChecked}\n`);
+            process.stdout.write(`  Violations:     ${stats.contractViolations}\n`);
+            process.stdout.write(`  Auto-healed:    ${stats.autoHealed}\n`);
+            process.stdout.write(`  Duration:       ${uptime()}\n`);
+            process.stdout.write('\n');
+            process.exit(0);
+        });
+    });
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+declare const command: string;
+declare function main(): Promise<void>;

package/dist/index.js

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+"use strict";
+const command = process.argv[2];
+async function main() {
+    switch (command) {
+        case 'init': {
+            const { runInit } = await import('./commands/init.js');
+            await runInit();
+            // After init completes, also build the codebase graph
+            const { initGraph } = await import('./commands/init-graph.js');
+            await initGraph(process.argv.slice(3));
+            break;
+        }
+        case 'graph': {
+            const { initGraph } = await import('./commands/init-graph.js');
+            await initGraph(process.argv.slice(3));
+            break;
+        }
+        case 'verify': {
+            const { runVerify } = await import('./commands/verify.js');
+            await runVerify();
+            break;
+        }
+        case 'scan': {
+            const { runScan } = await import('./commands/scan.js');
+            await runScan();
+            break;
+        }
+        case 'watch': {
+            const { runWatch } = await import('./commands/watch.js');
+            await runWatch();
+            break;
+        }
+        case 'check': {
+            const { runCheck } = await import('./commands/check.js');
+            await runCheck();
+            break;
+        }
+        case 'report': {
+            const { runReport } = await import('./commands/report.js');
+            await runReport();
+            break;
+        }
+        default:
+            process.stdout.write(`
+  corpus - Runtime safety for AI agents and AI-generated code
+
+  Trust Verification:
+    verify    Compute trust score (0-100) per file with line-by-line findings
+
+  Security Scanning:
+    scan      Scan files for secrets, PII, injection patterns, unsafe code
+    watch     Real-time file watcher with live security scanning
+
+  Policy Management:
+    init      Initialize Corpus in your project (+ pre-commit hooks + graph)
+    check     Validate all policy files
+    report    View your agent's behavioral report
+
+  Graph & Analysis:
+    graph     Build / rebuild the codebase graph
+
+  Usage:
+    corpus verify                Trust score for your codebase
+    corpus verify --json         Machine-readable trust report
+    corpus scan                  Scan current directory
+    corpus scan --staged         Scan staged git changes (pre-commit)
+    corpus scan --json           Machine-readable output for CI
+    corpus watch                 Watch files and scan on every save
+    corpus watch src/            Watch specific directory
+    corpus init                  Set up Corpus in your project
+    corpus graph                 Build the codebase graph
+    corpus check                 Validate policy files
+
+  MCP Server (for AI coding tools):
+    npx corpus-mcp               Start the MCP server for Claude Code / Cursor
+
+`);
+            if (command && command !== '--help' && command !== '-h') {
+                process.exit(1);
+            }
+    }
+}
+main().catch((e) => {
+    process.stderr.write(`Error: ${e instanceof Error ? e.message : String(e)}\n`);
+    process.exit(1);
+});

package/dist/utils/colors.d.ts

@@ -0,0 +1,6 @@
+export declare const green: (s: string) => string;
+export declare const amber: (s: string) => string;
+export declare const red: (s: string) => string;
+export declare const dim: (s: string) => string;
+export declare const bold: (s: string) => string;
+export declare const cyan: (s: string) => string;

package/dist/utils/colors.js

@@ -0,0 +1,6 @@
+export const green = (s) => `\x1b[32m${s}\x1b[0m`;
+export const amber = (s) => `\x1b[33m${s}\x1b[0m`;
+export const red = (s) => `\x1b[31m${s}\x1b[0m`;
+export const dim = (s) => `\x1b[2m${s}\x1b[0m`;
+export const bold = (s) => `\x1b[1m${s}\x1b[0m`;
+export const cyan = (s) => `\x1b[36m${s}\x1b[0m`;

package/dist/utils/config.d.ts

@@ -0,0 +1,3 @@
+export declare function readPolicyFile(path?: string): Record<string, unknown> | null;
+export declare function readEnvFile(path?: string): Record<string, string>;
+export declare function writeEnvFile(path: string, vars: Record<string, string>): void;

package/dist/utils/config.js

@@ -0,0 +1,39 @@
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+export function readPolicyFile(path = './corpus.policy.yaml') {
+    if (!existsSync(path))
+        return null;
+    const raw = readFileSync(path, 'utf-8');
+    // Simple YAML key extraction for CLI (no dependency).
+    // NOTE: This parser only handles top-level scalar key:value pairs.
+    // Nested objects, arrays, multi-line strings, and anchors are NOT supported.
+    // This is sufficient for reading `agent` and `version` fields used by report.ts,
+    // but should be replaced with a proper YAML parser if deeper parsing is needed.
+    const lines = raw.split('\n');
+    const result = {};
+    for (const line of lines) {
+        const match = line.match(/^(\w+):\s*(.+)/);
+        if (match) {
+            result[match[1]] = match[2].replace(/^["']|["']$/g, '');
+        }
+    }
+    return result;
+}
+export function readEnvFile(path = './.env.corpus') {
+    if (!existsSync(path))
+        return {};
+    const raw = readFileSync(path, 'utf-8');
+    const result = {};
+    for (const line of raw.split('\n')) {
+        const match = line.match(/^([A-Z_]+)=(.+)/);
+        if (match) {
+            result[match[1]] = match[2];
+        }
+    }
+    return result;
+}
+export function writeEnvFile(path, vars) {
+    const content = Object.entries(vars)
+        .map(([k, v]) => `${k}=${v}`)
+        .join('\n') + '\n';
+    writeFileSync(path, content);
+}

package/dist/utils/table.d.ts

@@ -0,0 +1,2 @@
+export declare function renderTable(rows: string[][]): string;
+export declare function progressBar(value: number, width?: number): string;

package/dist/utils/table.js

@@ -0,0 +1,24 @@
+export function renderTable(rows) {
+    if (rows.length === 0)
+        return '';
+    const colWidths = [];
+    for (const row of rows) {
+        for (let i = 0; i < row.length; i++) {
+            const stripped = row[i].replace(/\x1b\[[0-9;]*m/g, '');
+            colWidths[i] = Math.max(colWidths[i] ?? 0, stripped.length);
+        }
+    }
+    return rows
+        .map((row) => row
+        .map((cell, i) => {
+        const stripped = cell.replace(/\x1b\[[0-9;]*m/g, '');
+        const padding = colWidths[i] - stripped.length;
+        return cell + ' '.repeat(Math.max(0, padding));
+    })
+        .join('  '))
+        .join('\n');
+}
+export function progressBar(value, width = 20) {
+    const filled = Math.round((value / 100) * width);
+    return '\u2588'.repeat(filled) + '\u2591'.repeat(width - filled);
+}

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "corpus-cli",
+  "version": "0.1.0",
+  "description": "The immune system for AI-generated code — scan, watch, and auto-heal vibe-coded software",
+  "type": "module",
+  "bin": {
+    "corpus": "dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc"
+  },
+  "dependencies": {
+    "corpus-core": "0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0",
+    "typescript": "^5.3.0"
+  },
+  "keywords": ["ai", "security", "scanner", "trust-score", "secrets", "vibe-coding", "claude", "cursor", "copilot", "mcp", "jac"],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/fluentflier/corpus"
+  },
+  "license": "MIT"
+}