coverme-scanner 1.0.0

  1. package/README.md +227 -0
  2. package/commands/scan.md +317 -0
  3. package/dist/cli/index.d.ts +3 -0
  4. package/dist/cli/index.d.ts.map +1 -0
  5. package/dist/cli/index.js +39 -0
  6. package/dist/cli/index.js.map +1 -0
  7. package/dist/cli/init.d.ts +6 -0
  8. package/dist/cli/init.d.ts.map +1 -0
  9. package/dist/cli/init.js +636 -0
  10. package/dist/cli/init.js.map +1 -0
  11. package/dist/cli/scan.d.ts +11 -0
  12. package/dist/cli/scan.d.ts.map +1 -0
  13. package/dist/cli/scan.js +498 -0
  14. package/dist/cli/scan.js.map +1 -0
  15. package/dist/report/generator.d.ts +48 -0
  16. package/dist/report/generator.d.ts.map +1 -0
  17. package/dist/report/generator.js +368 -0
  18. package/dist/report/generator.js.map +1 -0
  19. package/dist/report/index.d.ts +35 -0
  20. package/dist/report/index.d.ts.map +1 -0
  21. package/dist/report/index.js +463 -0
  22. package/dist/report/index.js.map +1 -0
  23. package/dist/templates/report.html +796 -0
  24. package/dist/types.d.ts +94 -0
  25. package/dist/types.d.ts.map +1 -0
  26. package/dist/types.js +3 -0
  27. package/dist/types.js.map +1 -0
  28. package/package.json +48 -0
  29. package/src/cli/index.ts +43 -0
  30. package/src/cli/init.ts +611 -0
  31. package/src/cli/scan.ts +483 -0
  32. package/src/prompts/architecture-reviewer.md +171 -0
  33. package/src/prompts/consensus-builder.md +247 -0
  34. package/src/prompts/context-discovery.md +174 -0
  35. package/src/prompts/cross-validator.md +224 -0
  36. package/src/prompts/deep-dive-expert.md +224 -0
  37. package/src/prompts/dependency-auditor.md +190 -0
  38. package/src/prompts/performance-hunter.md +200 -0
  39. package/src/prompts/quality-analyzer.md +150 -0
  40. package/src/prompts/report-generator.md +285 -0
  41. package/src/prompts/security-scanner.md +180 -0
  42. package/src/report/generator.ts +382 -0
  43. package/src/report/index.ts +483 -0
  44. package/src/templates/report.html +796 -0
  45. package/src/types.ts +107 -0
  46. package/tsconfig.json +20 -0
@@ -0,0 +1,636 @@
1
+ "use strict";
2
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
3
+ if (k2 === undefined) k2 = k;
4
+ var desc = Object.getOwnPropertyDescriptor(m, k);
5
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
6
+ desc = { enumerable: true, get: function() { return m[k]; } };
7
+ }
8
+ Object.defineProperty(o, k2, desc);
9
+ }) : (function(o, m, k, k2) {
10
+ if (k2 === undefined) k2 = k;
11
+ o[k2] = m[k];
12
+ }));
13
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
14
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
15
+ }) : function(o, v) {
16
+ o["default"] = v;
17
+ });
18
+ var __importStar = (this && this.__importStar) || (function () {
19
+ var ownKeys = function(o) {
20
+ ownKeys = Object.getOwnPropertyNames || function (o) {
21
+ var ar = [];
22
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
23
+ return ar;
24
+ };
25
+ return ownKeys(o);
26
+ };
27
+ return function (mod) {
28
+ if (mod && mod.__esModule) return mod;
29
+ var result = {};
30
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
31
+ __setModuleDefault(result, mod);
32
+ return result;
33
+ };
34
+ })();
35
+ Object.defineProperty(exports, "__esModule", { value: true });
36
+ exports.init = init;
37
+ const fs = __importStar(require("fs"));
38
+ const path = __importStar(require("path"));
39
+ const os = __importStar(require("os"));
40
+ const SLASH_COMMAND = `# CoverMe - Ultimate AI Security Scanner
41
+
42
+ The most comprehensive AI-powered code scanner. 10 specialized agents + 3 validators + deep analysis.
43
+
44
+ $ARGUMENTS
45
+
46
+ ## IMPORTANT: Execute ALL phases automatically. Do NOT stop until the HTML report is open.
47
+
48
+ ---
49
+
50
+ ## Phase 1: Discovery (10 parallel agents)
51
+
52
+ Launch ALL 10 agents IN PARALLEL using the Task tool with subagent_type="Explore":
53
+
54
+ ### Agent 1: Security Scanner (Core)
55
+ \`\`\`
56
+ Scan for OWASP Top 10 and common vulnerabilities:
57
+
58
+ INJECTION:
59
+ - SQL injection (string concatenation in queries, raw queries)
60
+ - NoSQL injection (MongoDB $where, $regex with user input)
61
+ - Command injection (exec, spawn, system with user input)
62
+ - LDAP injection, XPath injection
63
+ - Template injection (SSTI in Jinja2, EJS, Handlebars)
64
+ - Header injection (CRLF in headers)
65
+ - Log injection (unescaped user input in logs)
66
+
67
+ XSS:
68
+ - Reflected XSS (user input in response without encoding)
69
+ - Stored XSS (database content rendered without escaping)
70
+ - DOM XSS (innerHTML, document.write, eval with user data)
71
+ - dangerouslySetInnerHTML in React without sanitization
72
+
73
+ AUTHENTICATION:
74
+ - Hardcoded credentials (check git ls-files first!)
75
+ - Weak password policies (no complexity, short length)
76
+ - Missing rate limiting on login/register
77
+ - Session fixation (session ID not rotated after login)
78
+ - JWT issues (none algorithm, weak secret, no expiry)
79
+ - Missing MFA on sensitive operations
80
+
81
+ AUTHORIZATION:
82
+ - IDOR (direct object references without ownership check)
83
+ - Missing authorization checks on endpoints
84
+ - Privilege escalation paths
85
+ - Horizontal access (user A accessing user B's data)
86
+ - Vertical access (user accessing admin functions)
87
+
88
+ CRYPTOGRAPHY:
89
+ - MD5/SHA1 for passwords (use bcrypt/argon2)
90
+ - Math.random() for security (use crypto.randomBytes)
91
+ - Hardcoded encryption keys/IVs
92
+ - ECB mode usage
93
+ - Missing HTTPS enforcement
94
+
95
+ Output JSON: [{id: "SEC-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
96
+ \`\`\`
97
+
98
+ ### Agent 2: Auth & Session Scanner
99
+ \`\`\`
100
+ Deep dive into authentication and session management:
101
+
102
+ SSO/OAUTH:
103
+ - Open redirect in return_url/redirect_uri (CRITICAL!)
104
+ - State parameter missing or predictable
105
+ - PKCE not implemented for public clients
106
+ - Token stored in localStorage (XSS vulnerable)
107
+ - Refresh token rotation missing
108
+ - ID token validation incomplete
109
+
110
+ SESSION:
111
+ - Session ID in URL
112
+ - Session not invalidated on logout
113
+ - Session timeout too long (>24h)
114
+ - Same session across devices without tracking
115
+ - Session data not encrypted
116
+
117
+ COOKIES:
118
+ - Missing Secure flag
119
+ - Missing HttpOnly flag
120
+ - Missing SameSite attribute
121
+ - Overly broad domain/path
122
+ - Sensitive data in cookies
123
+
124
+ PASSWORD RESET:
125
+ - Predictable reset tokens
126
+ - Token not expiring
127
+ - No rate limiting on reset requests
128
+ - User enumeration via reset flow
129
+ - Reset link not single-use
130
+
131
+ Output JSON: [{id: "AUTH-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
132
+ \`\`\`
133
+
134
+ ### Agent 3: API Security Scanner
135
+ \`\`\`
136
+ Scan API endpoints for security issues:
137
+
138
+ INPUT VALIDATION:
139
+ - Missing input validation on request body
140
+ - Type coercion attacks (string vs number)
141
+ - Array/object pollution
142
+ - Prototype pollution
143
+ - Mass assignment vulnerabilities
144
+ - GraphQL introspection enabled in production
145
+ - GraphQL depth/complexity limits missing
146
+
147
+ RATE LIMITING:
148
+ - No rate limiting on expensive operations
149
+ - Rate limit bypass via headers (X-Forwarded-For)
150
+ - Missing rate limiting on auth endpoints
151
+ - No account lockout after failed attempts
152
+
153
+ API DESIGN:
154
+ - Verbose error messages leaking internals
155
+ - Stack traces in production
156
+ - Version information exposed
157
+ - Debug endpoints accessible
158
+ - CORS misconfiguration (wildcard origin with credentials)
159
+ - Missing security headers (CSP, HSTS, X-Frame-Options)
160
+
161
+ WEBHOOKS:
162
+ - Webhook signature not verified
163
+ - SSRF via webhook URLs
164
+ - No webhook replay protection
165
+ - Webhook secrets logged
166
+
167
+ Output JSON: [{id: "API-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
168
+ \`\`\`
169
+
170
+ ### Agent 4: Infrastructure Scanner
171
+ \`\`\`
172
+ Scan infrastructure and deployment configs:
173
+
174
+ DOCKER:
175
+ - Running as root user
176
+ - Secrets in Dockerfile or build args
177
+ - Latest tag usage (unpinned versions)
178
+ - Sensitive ports exposed
179
+ - Missing health checks
180
+ - No resource limits
181
+ - Privileged mode enabled
182
+ - Writable root filesystem
183
+
184
+ KUBERNETES/HELM:
185
+ - No resource limits/requests
186
+ - Running as root
187
+ - Privileged containers
188
+ - Host network/PID enabled
189
+ - Missing network policies
190
+ - Secrets not encrypted at rest
191
+ - No pod security policies/standards
192
+ - Service account auto-mount enabled
193
+
194
+ CI/CD:
195
+ - Secrets in CI config files
196
+ - Credentials in environment variables logged
197
+ - Missing secret scanning in pipeline
198
+ - Deploy keys with write access
199
+ - No branch protection
200
+ - Missing SAST/DAST in pipeline
201
+
202
+ CLOUD:
203
+ - S3 buckets public or misconfigured
204
+ - IAM roles too permissive
205
+ - Security groups too open
206
+ - Logging not enabled
207
+ - Encryption at rest disabled
208
+
209
+ Output JSON: [{id: "INFRA-XXX", title, severity, category: "infrastructure", file, line, code, description, recommendation, confidence}]
210
+ \`\`\`
211
+
212
+ ### Agent 5: Data & Privacy Scanner
213
+ \`\`\`
214
+ Scan for data protection and privacy issues:
215
+
216
+ PII HANDLING:
217
+ - PII logged (emails, names, IPs, phone numbers)
218
+ - PII in URLs/query strings
219
+ - PII in error messages
220
+ - PII not encrypted at rest
221
+ - PII not masked in UI/logs
222
+
223
+ GDPR/PRIVACY:
224
+ - Missing data retention policy implementation
225
+ - No data deletion mechanism (right to erasure)
226
+ - No data export mechanism (data portability)
227
+ - Consent not tracked properly
228
+ - Third-party data sharing without consent
229
+ - Cross-border data transfer issues
230
+
231
+ DATABASE:
232
+ - Sensitive data not encrypted (column-level)
233
+ - No audit logging for sensitive operations
234
+ - Backup not encrypted
235
+ - Connection strings with credentials in code
236
+
237
+ SECRETS:
238
+ - API keys in code (check git ls-files!)
239
+ - Secrets in environment files committed
240
+ - Secrets logged
241
+ - Secrets in client-side code
242
+ - Hardcoded tokens/passwords
243
+ - .env files not in .gitignore
244
+
245
+ Output JSON: [{id: "DATA-XXX", title, severity, category: "privacy", file, line, code, description, recommendation, confidence}]
246
+ \`\`\`
247
+
248
+ ### Agent 6: AI/LLM Security Scanner
249
+ \`\`\`
250
+ Scan for AI/LLM specific vulnerabilities:
251
+
252
+ PROMPT INJECTION:
253
+ - User input directly in prompts without sanitization
254
+ - System prompts exposed to users
255
+ - Prompt leakage via error messages
256
+ - No input length limits on prompts
257
+ - Missing output validation from LLM
258
+ - Jailbreak vulnerabilities
259
+
260
+ DATA LEAKAGE:
261
+ - Training data in responses
262
+ - PII in AI context
263
+ - Conversation history not cleared
264
+ - AI accessing unauthorized data
265
+ - Model output not sanitized
266
+
267
+ SUPPLY CHAIN:
268
+ - CDN imports without Subresource Integrity (SRI)
269
+ - Unpinned AI model versions
270
+ - External AI APIs without TLS verification
271
+ - Model files from untrusted sources
272
+
273
+ RESOURCE:
274
+ - No token limits on AI calls
275
+ - Missing rate limiting on AI endpoints
276
+ - Cost explosion attacks (large inputs)
277
+ - Denial of service via AI
278
+
279
+ BUSINESS LOGIC:
280
+ - AI bypassing business rules
281
+ - AI making unauthorized decisions
282
+ - Content filter bypasses
283
+ - AI output directly executed (code injection)
284
+
285
+ Output JSON: [{id: "AI-XXX", title, severity, category: "ai-security", file, line, code, description, recommendation, confidence}]
286
+ \`\`\`
287
+
288
+ ### Agent 7: Performance & DoS Scanner
289
+ \`\`\`
290
+ Scan for performance issues and DoS vectors:
291
+
292
+ DATABASE:
293
+ - N+1 query patterns
294
+ - Missing indexes on filtered/sorted columns
295
+ - Full table scans
296
+ - Unbounded queries (no LIMIT)
297
+ - Connection pool exhaustion
298
+ - Long-running transactions
299
+
300
+ MEMORY:
301
+ - Memory leaks (event listeners not removed)
302
+ - Unbounded caches
303
+ - Large object accumulation
304
+ - Buffer handling issues
305
+ - Stream not properly closed
306
+ - SSE/WebSocket buffer accumulation
307
+
308
+ CPU:
309
+ - ReDoS (Regular Expression DoS)
310
+ - Algorithmic complexity attacks
311
+ - Synchronous crypto operations
312
+ - JSON parsing of large payloads
313
+ - XML parsing without limits (billion laughs)
314
+
315
+ NETWORK:
316
+ - No timeout on external calls
317
+ - Missing circuit breakers
318
+ - Retry storms
319
+ - No backpressure handling
320
+ - Connection leaks
321
+
322
+ RESOURCE EXHAUSTION:
323
+ - File upload without size limits
324
+ - Zip bomb potential
325
+ - Unbounded pagination
326
+ - Missing request size limits
327
+ - Too many concurrent connections
328
+
329
+ Output JSON: [{id: "PERF-XXX", title, severity, category: "performance", file, line, code, description, recommendation, confidence}]
330
+ \`\`\`
331
+
332
+ ### Agent 8: Business Logic Scanner
333
+ \`\`\`
334
+ Scan for business logic vulnerabilities:
335
+
336
+ RACE CONDITIONS:
337
+ - TOCTOU (time-of-check-time-of-use)
338
+ - Double-spend in transactions
339
+ - Inventory overselling
340
+ - Concurrent booking conflicts
341
+ - Non-atomic read-modify-write
342
+
343
+ WORKFLOW:
344
+ - Step skipping in multi-step processes
345
+ - State manipulation attacks
346
+ - Order of operations bypass
347
+ - Workflow replay attacks
348
+
349
+ FINANCIAL:
350
+ - Rounding errors in calculations
351
+ - Currency handling issues
352
+ - Negative amount bypass
353
+ - Discount stacking exploits
354
+ - Price manipulation
355
+
356
+ ACCESS CONTROL:
357
+ - Role hierarchy bypass
358
+ - Feature flag manipulation
359
+ - Subscription level bypass
360
+ - Time-based access bypass
361
+
362
+ DATA INTEGRITY:
363
+ - Missing referential integrity
364
+ - Orphaned records possible
365
+ - Data inconsistency between services
366
+ - Missing transaction boundaries
367
+
368
+ Output JSON: [{id: "BIZ-XXX", title, severity, category: "business-logic", file, line, code, description, recommendation, confidence}]
369
+ \`\`\`
370
+
371
+ ### Agent 9: Code Quality Scanner
372
+ \`\`\`
373
+ Scan for code quality and maintainability issues:
374
+
375
+ COMPLEXITY:
376
+ - Cyclomatic complexity > 10
377
+ - Functions > 50 lines
378
+ - Files > 500 lines
379
+ - Deep nesting (> 4 levels)
380
+ - Too many parameters (> 5)
381
+
382
+ DRY VIOLATIONS:
383
+ - Duplicated code blocks (> 10 lines)
384
+ - Copy-paste code with minor changes
385
+ - Similar functions that should be unified
386
+
387
+ ANTI-PATTERNS:
388
+ - God objects/classes
389
+ - Callback hell
390
+ - Magic numbers/strings
391
+ - Dead code
392
+ - Unused imports/variables
393
+ - Any type overuse (TypeScript)
394
+ - Console.log in production
395
+ - TODO/FIXME comments in production
396
+
397
+ ERROR HANDLING:
398
+ - Empty catch blocks
399
+ - Generic error swallowing
400
+ - Missing error boundaries (React)
401
+ - Unhandled promise rejections
402
+ - Missing finally blocks for cleanup
403
+
404
+ NAMING:
405
+ - Inconsistent naming conventions
406
+ - Misleading names
407
+ - Single letter variables (except i,j,k)
408
+ - Abbreviations without context
409
+
410
+ Output JSON: [{id: "QUAL-XXX", title, severity, category: "quality", file, line, code, description, recommendation, confidence}]
411
+ \`\`\`
412
+
413
+ ### Agent 10: Testing & Reliability Scanner
414
+ \`\`\`
415
+ Scan for testing gaps and reliability issues:
416
+
417
+ TEST COVERAGE:
418
+ - Critical paths without tests (auth, payments, data access)
419
+ - Error handlers not tested
420
+ - Edge cases not covered
421
+ - No integration tests
422
+ - No E2E tests for main flows
423
+
424
+ TEST QUALITY:
425
+ - Tests without assertions
426
+ - Mocked security checks (dangerous!)
427
+ - Flaky tests (time-dependent)
428
+ - Tests with hardcoded data that can expire
429
+ - Missing negative tests (what should fail)
430
+
431
+ RELIABILITY:
432
+ - Missing health checks
433
+ - No graceful shutdown
434
+ - Missing readiness/liveness probes
435
+ - No circuit breakers for external calls
436
+ - Missing retry logic with backoff
437
+ - No fallback mechanisms
438
+
439
+ OBSERVABILITY:
440
+ - Missing structured logging
441
+ - No correlation IDs
442
+ - Missing metrics collection
443
+ - No distributed tracing
444
+ - Errors not properly categorized
445
+
446
+ DEPLOYMENT:
447
+ - No feature flags for risky changes
448
+ - Missing rollback mechanism
449
+ - No canary/blue-green deployment
450
+ - Database migrations not reversible
451
+
452
+ Output JSON: [{id: "TEST-XXX", title, severity, category: "testing", file, line, code, description, recommendation, confidence}]
453
+ \`\`\`
454
+
455
+ ---
456
+
457
+ ## Phase 2: Cross-Validation (3 parallel validators)
458
+
459
+ After ALL Phase 1 agents complete, launch 3 validators IN PARALLEL:
460
+
461
+ ### Validator A: False Positive Hunter
462
+ \`\`\`
463
+ Review ALL findings from Phase 1. For each finding:
464
+ 1. Read the actual code file
465
+ 2. Check if there are mitigating controls elsewhere
466
+ 3. For secrets: run "git ls-files <file>" - if not tracked, mark FALSE POSITIVE
467
+ 4. Check if code is actually reachable in production
468
+ 5. Verify the context (is it test code? example code? disabled feature?)
469
+
470
+ Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
471
+ \`\`\`
472
+
473
+ ### Validator B: Evidence Challenger
474
+ \`\`\`
475
+ Challenge every HIGH and CRITICAL finding:
476
+ 1. Read the actual code with 20 lines of context
477
+ 2. Trace data flow from source to sink
478
+ 3. Check for sanitization/validation in between
479
+ 4. Verify the exploit scenario is realistic
480
+ 5. Consider the deployment environment
481
+ 6. Check if it's actually exploitable in production
482
+
483
+ Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
484
+ \`\`\`
485
+
486
+ ### Validator C: Missing Issues Hunter
487
+ \`\`\`
488
+ Look for issues that Phase 1 agents MISSED:
489
+ - Race conditions in critical operations
490
+ - Business logic flaws specific to this application
491
+ - Edge cases (empty input, null, undefined, max length)
492
+ - Integration point vulnerabilities
493
+ - Configuration issues for specific environment
494
+ - Combination attacks (multiple low issues = high)
495
+
496
+ Output: { missedIssues: [{id, title, severity, file, line, description, recommendation},...] }
497
+ \`\`\`
498
+
499
+ ---
500
+
501
+ ## Phase 3: Build Consensus
502
+
503
+ Combine all results:
504
+ 1. Calculate confidence: (confirmations / validators) * 100
505
+ 2. Remove findings with confidence < 50%
506
+ 3. Add missed issues from Validator C
507
+ 4. Identify positive observations (good patterns found)
508
+
509
+ ---
510
+
511
+ ## Phase 4: Generate Report
512
+
513
+ Create a JSON file named \`coverme-scan.json\` with this EXACT structure:
514
+
515
+ \`\`\`json
516
+ {
517
+ "projectName": "<name from package.json or folder name>",
518
+ "scanDate": "<today's date formatted nicely>",
519
+ "findings": [
520
+ {
521
+ "id": "SEC-001",
522
+ "title": "Issue title",
523
+ "severity": "critical|high|medium|low|info",
524
+ "category": "security|auth|api|infrastructure|privacy|ai-security|performance|business-logic|quality|testing",
525
+ "file": "path/to/file.ts",
526
+ "line": 123,
527
+ "description": "Clear description of the issue",
528
+ "code": "the problematic code snippet (include 5+ lines of context)",
529
+ "recommendation": "Specific fix with code example if possible",
530
+ "confidence": 95,
531
+ "cwe": "CWE-XXX if applicable"
532
+ }
533
+ ],
534
+ "falsePositives": [
535
+ {
536
+ "id": "SEC-002",
537
+ "title": "What was originally flagged",
538
+ "file": "path/to/file.ts",
539
+ "reason": "Why it was rejected"
540
+ }
541
+ ],
542
+ "positiveObservations": [
543
+ "Uses parameterized queries for all database access",
544
+ "Implements proper rate limiting on authentication endpoints",
545
+ "PKCE implemented for OAuth flow",
546
+ "Proper secret management with environment variables",
547
+ "Comprehensive error handling with proper logging",
548
+ "Input validation using Zod/Joi schemas"
549
+ ],
550
+ "scanDuration": 300000,
551
+ "agentCount": 13
552
+ }
553
+ \`\`\`
554
+
555
+ Use the Write tool to save this JSON to \`coverme-scan.json\`.
556
+
557
+ ---
558
+
559
+ ## Phase 5: Generate HTML Report
560
+
561
+ 1. Create the .coverme directory and save the JSON:
562
+ \`\`\`bash
563
+ mkdir -p .coverme
564
+ \`\`\`
565
+
566
+ 2. Use the Write tool to save the JSON to \`coverme-scan.json\`
567
+
568
+ 3. Generate the HTML report and open it:
569
+ \`\`\`bash
570
+ TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
571
+ npx coverme report coverme-scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
572
+ mv coverme-scan.json ".coverme/scan_$TIMESTAMP.json"
573
+ open ".coverme/report_$TIMESTAMP.html"
574
+ \`\`\`
575
+
576
+ ---
577
+
578
+ ## DONE
579
+
580
+ Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser. Found X issues across Y categories. All scan history is in .coverme/ folder."
581
+ `;
582
+ async function init(options) {
583
+ const targetDir = options.global
584
+ ? path.join(os.homedir(), '.claude', 'commands')
585
+ : path.join(process.cwd(), '.claude', 'commands');
586
+ console.log(`Installing vibecode commands to: ${targetDir}`);
587
+ // Create directory if needed
588
+ if (!fs.existsSync(targetDir)) {
589
+ fs.mkdirSync(targetDir, { recursive: true });
590
+ console.log(`Created directory: ${targetDir}`);
591
+ }
592
+ // Write the slash command
593
+ const commandPath = path.join(targetDir, 'coverme.md');
594
+ fs.writeFileSync(commandPath, SLASH_COMMAND);
595
+ console.log(`Created: ${commandPath}`);
596
+ // Create .coverme directory for reports
597
+ const covermeDir = path.join(process.cwd(), '.coverme');
598
+ if (!fs.existsSync(covermeDir)) {
599
+ fs.mkdirSync(covermeDir, { recursive: true });
600
+ console.log(`Created: ${covermeDir}/`);
601
+ }
602
+ // Add .coverme to .gitignore if not already there
603
+ const gitignorePath = path.join(process.cwd(), '.gitignore');
604
+ const covermeIgnore = '\n# CoverMe scan reports\n.coverme/\n';
605
+ if (fs.existsSync(gitignorePath)) {
606
+ const gitignoreContent = fs.readFileSync(gitignorePath, 'utf-8');
607
+ if (!gitignoreContent.includes('.coverme')) {
608
+ fs.appendFileSync(gitignorePath, covermeIgnore);
609
+ console.log(`Added .coverme/ to .gitignore`);
610
+ }
611
+ }
612
+ else {
613
+ fs.writeFileSync(gitignorePath, covermeIgnore.trim() + '\n');
614
+ console.log(`Created .gitignore with .coverme/`);
615
+ }
616
+ console.log(`
617
+ ================================================================================
618
+ COVERME INSTALLED
619
+ ================================================================================
620
+
621
+ Usage:
622
+ 1. Open Claude Code in your project
623
+ 2. Type /coverme and press Enter
624
+ 3. Wait for the scan to complete
625
+ 4. Report opens automatically in your browser
626
+
627
+ Reports saved to: .coverme/
628
+ - report_YYYY-MM-DD_HH-MM-SS.html
629
+ - scan_YYYY-MM-DD_HH-MM-SS.json
630
+
631
+ The .coverme/ folder is automatically added to .gitignore
632
+
633
+ ================================================================================
634
+ `);
635
+ }
636
+ //# sourceMappingURL=init.js.map
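Review bot: The slash command this installs tells the agent to run `npx coverme report coverme-scan.json -f html -o ".coverme/report_$TIMESTAMP.html"` (gutter line 571), but the package being published here is `coverme-scanner`; when no local `coverme` bin is installed, npx resolves that bare name against the registry and fetches and executes whatever package is called `coverme`, and the prompt's "Execute ALL phases automatically. Do NOT stop" directive leaves no point at which a user would notice the substitution. Pin the invocation to this package and version so the agent cannot be steered to an unrelated package, e.g. `npx --package=coverme-scanner@1.0.0 coverme report coverme-scan.json -f html -o ".coverme/report_$TIMESTAMP.html"` (this assumes the `coverme` bin is declared in this package's package.json, which is not in view). Separately, `fs.writeFileSync(commandPath, SLASH_COMMAND)` (gutter line 594) replaces an existing `.claude/commands/coverme.md` without checking whether one is already there, so a locally edited command is silently clobbered; at minimum check `fs.existsSync(commandPath)` first and log that an existing file is being overwritten. The log line `Installing vibecode commands to:` (gutter line 586) also names a different tool than the rest of the output.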
@@ -0,0 +1 @@
1
+ {"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuiBA,oBA2DC;AAlmBD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAMzB,MAAM,aAAa,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6hBrB,CAAC;AAEK,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM;QAC9B,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;IAE7D,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IACvD,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,YAAY,WAAW,EAAE,CAAC,CAAC;IAEvC,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,kDAAkD;IAClD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,uCAAuC,CAAC;IAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,CAAC,QAA
Q,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,EAAE,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;CAkBb,CAAC,CAAC;AACH,CAAC"}
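--- a/package/dist/cli/scan.d.ts
+++ b/package/dist/cli/scan.d.ts
@@ -0,0 +1,11 @@
+interface ScanCommandOptions {
+output: string;
+outputPath?: string;
+categories: string;
+severity: string;
+verbose?: boolean;
+parallel: string;
+}
+export declare function scan(scanPath: string, options: ScanCommandOptions): Promise<void>;
+export {};
+//# sourceMappingURL=scan.d.ts.map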
@@ -0,0 +1 @@
1
+ {"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../src/cli/scan.ts"],"names":[],"mappings":"AAIA,UAAU,kBAAkB;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,wBAAsB,IAAI,CACxB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,IAAI,CAAC,CA4Cf"}