corpus-core 0.1.0

package/dist/cve-patterns.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Corpus CVE Pattern Detector
+ *
+ * Loads a curated database of CVE-linked vulnerability patterns and
+ * scans source code for matches. Each finding includes the CVE ID,
+ * severity, matched code, and remediation guidance.
+ *
+ * This is the "known threat" layer of the immune system — it catches
+ * patterns linked to real-world CVEs before they ship.
+ */
+export interface CVEPattern {
+    id: string;
+    name: string;
+    pattern: RegExp;
+    description: string;
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
+    ecosystem: string;
+    affectedPackages: string[];
+    references: string[];
+    codeExample: string;
+    fixExample: string;
+}
+export interface CVEFinding {
+    cveId: string;
+    name: string;
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
+    line: number;
+    file: string;
+    matchedCode: string;
+    description: string;
+    fixExample: string;
+    references: string[];
+}
+/**
+ * Load and compile all CVE patterns from the JSON database.
+ * Results are cached in module scope so the file is read only once.
+ */
+export declare function loadCVEPatterns(): CVEPattern[];
+/**
+ * Scan file content for CVE-linked vulnerability patterns.
+ *
+ * Returns an array of findings with line numbers, matched code snippets,
+ * and remediation guidance. Test files are skipped automatically.
+ */
+export declare function checkForCVEs(content: string, filepath: string): CVEFinding[];
+/**
+ * Return a summary of the loaded CVE database.
+ */
+export declare function getCVESummary(): {
+    total: number;
+    critical: number;
+    high: number;
+    medium: number;
+};

package/dist/cve-patterns.js

@@ -0,0 +1,124 @@
+/**
+ * Corpus CVE Pattern Detector
+ *
+ * Loads a curated database of CVE-linked vulnerability patterns and
+ * scans source code for matches. Each finding includes the CVE ID,
+ * severity, matched code, and remediation guidance.
+ *
+ * This is the "known threat" layer of the immune system — it catches
+ * patterns linked to real-world CVEs before they ship.
+ */
+import { readFileSync } from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+// ---------------------------------------------------------------------------
+// Module-level cache
+// ---------------------------------------------------------------------------
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const DATABASE_PATH = path.join(__dirname, 'cve-database.json');
+let cachedPatterns = null;
+// ---------------------------------------------------------------------------
+// Test-file heuristic (shared with other Corpus scanners)
+// ---------------------------------------------------------------------------
+const TEST_INDICATORS = [
+    'test',
+    'spec',
+    '__tests__',
+    '__mocks__',
+    'fixture',
+    'mock',
+    'stub',
+    'e2e',
+    'integration-test',
+    '.test.',
+    '.spec.',
+    '.stories.',
+];
+function isTestFile(filepath) {
+    const lower = filepath.toLowerCase();
+    return TEST_INDICATORS.some((t) => lower.includes(t));
+}
+// ---------------------------------------------------------------------------
+// Core API
+// ---------------------------------------------------------------------------
+/**
+ * Load and compile all CVE patterns from the JSON database.
+ * Results are cached in module scope so the file is read only once.
+ */
+export function loadCVEPatterns() {
+    if (cachedPatterns)
+        return cachedPatterns;
+    const raw = JSON.parse(readFileSync(DATABASE_PATH, 'utf-8'));
+    cachedPatterns = raw.patterns.map((entry) => ({
+        id: entry.id,
+        name: entry.name,
+        pattern: new RegExp(entry.pattern, entry.flags),
+        description: entry.description,
+        severity: entry.severity,
+        ecosystem: entry.ecosystem,
+        affectedPackages: entry.affectedPackages,
+        references: entry.references,
+        codeExample: entry.codeExample,
+        fixExample: entry.fixExample,
+    }));
+    return cachedPatterns;
+}
+/**
+ * Scan file content for CVE-linked vulnerability patterns.
+ *
+ * Returns an array of findings with line numbers, matched code snippets,
+ * and remediation guidance. Test files are skipped automatically.
+ */
+export function checkForCVEs(content, filepath) {
+    // Skip test files — same heuristic used by other Corpus scanners
+    if (isTestFile(filepath))
+        return [];
+    const patterns = loadCVEPatterns();
+    const lines = content.split('\n');
+    const findings = [];
+    for (const cve of patterns) {
+        // Reset lastIndex for stateful regexes (global flag)
+        cve.pattern.lastIndex = 0;
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            cve.pattern.lastIndex = 0;
+            if (cve.pattern.test(line)) {
+                findings.push({
+                    cveId: cve.id,
+                    name: cve.name,
+                    severity: cve.severity,
+                    line: i + 1,
+                    file: filepath,
+                    matchedCode: line.trim(),
+                    description: cve.description,
+                    fixExample: cve.fixExample,
+                    references: cve.references,
+                });
+            }
+        }
+    }
+    return findings;
+}
+/**
+ * Return a summary of the loaded CVE database.
+ */
+export function getCVESummary() {
+    const patterns = loadCVEPatterns();
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    for (const p of patterns) {
+        switch (p.severity) {
+            case 'CRITICAL':
+                critical++;
+                break;
+            case 'HIGH':
+                high++;
+                break;
+            case 'MEDIUM':
+                medium++;
+                break;
+        }
+    }
+    return { total: patterns.length, critical, high, medium };
+}

package/dist/engine.d.ts

@@ -0,0 +1,6 @@
+import type { PolicyResult, CorpusInput, CorpusConfig } from './types.js';
+export interface EvalResult {
+    result: PolicyResult;
+    durationMs: number;
+}
+export declare function evaluatePolicies(input: CorpusInput, config: CorpusConfig): Promise<EvalResult>;

package/dist/engine.js

@@ -0,0 +1,71 @@
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { evaluateYamlPolicies, loadPolicyFile } from './yaml-evaluator.js';
+import { runJacWalker } from './subprocess.js';
+import { DEFAULT_POLICY_EVAL_TIMEOUT_MS } from './constants.js';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+// In source: src/ -> packages/core/ -> packages/ -> repo root -> policies/builtin
+// In dist:   dist/ -> packages/core/ -> packages/ -> repo root -> policies/builtin
+const BUILTIN_POLICY_DIR = path.resolve(__dirname, '..', '..', '..', 'policies', 'builtin');
+export async function evaluatePolicies(input, config) {
+    const start = Date.now();
+    const timeout = config.timeouts?.policyEvalMs ?? DEFAULT_POLICY_EVAL_TIMEOUT_MS;
+    // Load the developer's policy file
+    const policyFile = await loadPolicyFile(config.policyPath);
+    // Step 1: Evaluate YAML rules (developer-defined, fast, synchronous)
+    const yamlResult = evaluateYamlPolicies(input, policyFile);
+    if (yamlResult.verdict !== 'PASS') {
+        return { result: yamlResult, durationMs: Date.now() - start };
+    }
+    // Step 2: Built-in action safety walker (hard rules, always runs)
+    const safetyResult = await runJacWalker(path.join(BUILTIN_POLICY_DIR, 'action_safety.jac'), 'CheckActionSafety', {
+        action_type: input.actionType,
+        user_approved: input.userApproved ?? false,
+    }, timeout);
+    if (safetyResult.verdict !== 'PASS') {
+        return { result: safetyResult, durationMs: Date.now() - start };
+    }
+    // Step 3: Scope guard (only if policy declares allowed_actions)
+    if (policyFile.allowedActions && policyFile.allowedActions.length > 0) {
+        const scopeResult = await runJacWalker(path.join(BUILTIN_POLICY_DIR, 'scope_guard.jac'), 'CheckScope', {
+            action_type: input.actionType,
+            allowed_actions: policyFile.allowedActions,
+            intent_context: String(input.context?.intent ?? ''),
+        }, timeout);
+        if (scopeResult.verdict !== 'PASS') {
+            return { result: scopeResult, durationMs: Date.now() - start };
+        }
+    }
+    // Step 4: Rate guard (only if policy declares rate limits)
+    if (policyFile.rateLimits) {
+        const limit = policyFile.rateLimits[input.actionType] ?? policyFile.rateLimits['*'];
+        if (limit) {
+            const rateResult = await runJacWalker(path.join(BUILTIN_POLICY_DIR, 'rate_guard.jac'), 'CheckRateLimit', {
+                action_type: input.actionType,
+                limit: limit.count,
+                window_seconds: limit.windowSeconds,
+                current_epoch: Math.floor(Date.now() / 1000),
+            }, timeout);
+            if (rateResult.verdict !== 'PASS') {
+                return { result: rateResult, durationMs: Date.now() - start };
+            }
+        }
+    }
+    // Step 5: Custom Jac extension (if declared in policy file)
+    if (policyFile.jacExtension) {
+        const customResult = await runJacWalker(policyFile.jacExtension, 'CheckCustom', { action_type: input.actionType, context: input.context ?? {} }, timeout);
+        if (customResult.verdict !== 'PASS') {
+            return { result: customResult, durationMs: Date.now() - start };
+        }
+    }
+    return {
+        result: {
+            verdict: 'PASS',
+            blockReason: null,
+            message: '',
+            policyName: '__pass__',
+            requiresConfirmation: false,
+        },
+        durationMs: Date.now() - start,
+    };
+}

package/dist/graph-engine.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Corpus Graph Engine
+ *
+ * Auto-scans a TypeScript/JavaScript codebase and builds a structural graph.
+ * Nodes = functions, modules, classes. Edges = calls, imports, exports.
+ * This is the "immune system memory" -- Corpus learns what your codebase looks like.
+ *
+ * No manual configuration. No YAML to write. It figures it out.
+ */
+export interface GraphNode {
+    id: string;
+    type: 'function' | 'class' | 'module' | 'variable';
+    name: string;
+    file: string;
+    line: number;
+    exported: boolean;
+    params: string[];
+    returnType: string | null;
+    guards: string[];
+    health: 'verified' | 'violates' | 'uncertain';
+    trustScore: number;
+}
+export interface GraphEdge {
+    source: string;
+    target: string;
+    type: 'calls' | 'imports' | 'exports' | 'extends' | 'implements';
+}
+export interface CodebaseGraph {
+    version: 1;
+    created: string;
+    updated: string;
+    projectRoot: string;
+    nodes: GraphNode[];
+    edges: GraphEdge[];
+    stats: {
+        totalFiles: number;
+        totalFunctions: number;
+        totalExports: number;
+        healthScore: number;
+    };
+}
+export declare function buildGraph(projectRoot: string): CodebaseGraph;
+export interface GraphDiff {
+    added: GraphNode[];
+    removed: GraphNode[];
+    modified: {
+        before: GraphNode;
+        after: GraphNode;
+        changes: string[];
+    }[];
+    verdict: 'VERIFIED' | 'VIOLATES' | 'UNCERTAIN';
+    violations: string[];
+}
+export declare function diffFile(graph: CodebaseGraph, filePath: string, newContent: string): GraphDiff;
+export declare function saveGraph(graph: CodebaseGraph, projectRoot: string): string;
+export declare function loadGraph(projectRoot: string): CodebaseGraph | null;