create-backlist 10.0.2 → 10.0.4

package/src/qa/analyzers/performance.js

@@ -0,0 +1,137 @@
+// Real performance profiler — Playwright + Performance API
+export class PerformanceProfiler {
+  #session;
+
+  constructor(session) { this.#session = session; }
+
+  async profile(url) {
+    let playwright;
+    try { playwright = await import('playwright'); }
+    catch { return this.#empty(); }
+
+    const browser = await playwright.chromium.launch({
+      headless: true,
+      args    : ['--no-sandbox'],
+    });
+
+    const context = await browser.newContext({
+      ignoreHTTPSErrors: true,
+    });
+    const page    = await context.newPage();
+
+    const slowResources = [];
+    const resourceTimings = [];
+
+    page.on('response', async res => {
+      const timing = res.timing();
+      if (timing && timing.responseEnd > 0) {
+        const duration = timing.responseEnd - timing.requestStart;
+        const entry = {
+          url     : res.url(),
+          type    : res.request().resourceType(),
+          status  : res.status(),
+          duration: Math.round(duration),
+          size    : 0,
+        };
+        try {
+          const body  = await res.body().catch(() => null);
+          entry.size  = body?.length || 0;
+        } catch {}
+        resourceTimings.push(entry);
+        if (duration > 2000) slowResources.push(entry);
+      }
+    });
+
+    try {
+      await page.goto(url, { waitUntil: 'networkidle', timeout: 30_000 });
+
+      // Real Web Vitals via Performance API
+      const metrics = await page.evaluate(() => {
+        return new Promise(resolve => {
+          const result = {
+            lcp : null, fcp : null, cls : null,
+            fid : null, ttfb: null, tti : null, tbt: null,
+            memoryUsed: null, domNodes: document.querySelectorAll('*').length,
+          };
+
+          // FCP + LCP
+          const po = new PerformanceObserver(list => {
+            for (const entry of list.getEntries()) {
+              if (entry.entryType === 'paint') {
+                if (entry.name === 'first-contentful-paint') result.fcp = Math.round(entry.startTime);
+              }
+              if (entry.entryType === 'largest-contentful-paint') {
+                result.lcp = Math.round(entry.startTime);
+              }
+            }
+          });
+          try { po.observe({ entryTypes: ['paint','largest-contentful-paint'] }); } catch {}
+
+          // CLS
+          let clsValue = 0;
+          const clsPo  = new PerformanceObserver(list => {
+            for (const entry of list.getEntries()) {
+              if (!entry.hadRecentInput) clsValue += entry.value;
+            }
+          });
+          try { clsPo.observe({ entryTypes: ['layout-shift'] }); } catch {}
+
+          // TTFB
+          const nav = performance.getEntriesByType('navigation')[0];
+          if (nav) result.ttfb = Math.round(nav.responseStart);
+
+          // Memory
+          if (performance.memory) {
+            result.memoryUsed = performance.memory.usedJSHeapSize;
+          }
+
+          setTimeout(() => {
+            result.cls = parseFloat(clsValue.toFixed(4));
+            po.disconnect();
+            clsPo.disconnect();
+            resolve(result);
+          }, 5000);
+        });
+      });
+
+      // CPU timing via long task detection
+      const longTasks = await page.evaluate(() => {
+        const tasks = [];
+        const po    = new PerformanceObserver(list => {
+          tasks.push(...list.getEntries().map(e => ({
+            duration : Math.round(e.duration),
+            startTime: Math.round(e.startTime),
+          })));
+        });
+        try { po.observe({ entryTypes: ['longtask'] }); } catch {}
+        return new Promise(r => setTimeout(() => { po.disconnect(); r(tasks); }, 3000));
+      }).catch(() => []);
+
+      const tbt = longTasks.reduce((sum, t) => sum + Math.max(t.duration - 50, 0), 0);
+
+      return {
+        ...metrics,
+        tbt          : Math.round(tbt),
+        slowResources,
+        resourceTimings: resourceTimings.slice(0, 50),
+        longTasks,
+        url,
+      };
+
+    } catch (err) {
+      return { ...this.#empty(), error: err.message, url };
+    } finally {
+      await page.close().catch(() => {});
+      await context.close().catch(() => {});
+      await browser.close().catch(() => {});
+    }
+  }
+
+  #empty() {
+    return {
+      lcp: null, fcp: null, cls: null, fid: null,
+      ttfb: null, tti: null, tbt: null,
+      slowResources: [], resourceTimings: [], longTasks: [],
+    };
+  }
+}

package/src/qa/analyzers/security.js

@@ -0,0 +1,207 @@
+// Real security scanner — every result from actual HTTP responses
+const SECURITY_CHECKS = [
+  {
+    id    : 'csp',
+    name  : 'Content-Security-Policy',
+    header: 'content-security-policy',
+    sev   : 'P1',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add CSP header to prevent XSS attacks',
+  },
+  {
+    id    : 'hsts',
+    name  : 'HSTS',
+    header: 'strict-transport-security',
+    sev   : 'P1',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add HSTS to enforce HTTPS',
+  },
+  {
+    id    : 'xframe',
+    name  : 'X-Frame-Options',
+    header: 'x-frame-options',
+    sev   : 'P1',
+    category: 'headers',
+    validate: (v) => v && ['DENY','SAMEORIGIN'].includes(v.toUpperCase()),
+    recommendation: 'Set X-Frame-Options: DENY or SAMEORIGIN',
+  },
+  {
+    id    : 'xcto',
+    name  : 'X-Content-Type-Options',
+    header: 'x-content-type-options',
+    sev   : 'P2',
+    category: 'headers',
+    validate: (v) => v === 'nosniff',
+    recommendation: 'Set X-Content-Type-Options: nosniff',
+  },
+  {
+    id    : 'rp',
+    name  : 'Referrer-Policy',
+    header: 'referrer-policy',
+    sev   : 'P2',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add Referrer-Policy header',
+  },
+  {
+    id    : 'pp',
+    name  : 'Permissions-Policy',
+    header: 'permissions-policy',
+    sev   : 'P3',
+    category: 'headers',
+    validate: (v) => !!v,
+    recommendation: 'Add Permissions-Policy header',
+  },
+  {
+    id    : 'server',
+    name  : 'Server version not exposed',
+    header: 'server',
+    sev   : 'P2',
+    category: 'information-disclosure',
+    validate: (v) => !v || (!v.includes('/') && !(/\d+\.\d+/.test(v))),
+    recommendation: 'Remove or genericize the Server header',
+  },
+  {
+    id    : 'xpb',
+    name  : 'X-Powered-By not exposed',
+    header: 'x-powered-by',
+    sev   : 'P2',
+    category: 'information-disclosure',
+    validate: (v) => !v,
+    recommendation: 'Remove X-Powered-By header (app.disable("x-powered-by"))',
+  },
+];
+
+const CORS_CHECKS = [
+  {
+    id    : 'cors-wildcard-creds',
+    name  : 'CORS wildcard + credentials',
+    sev   : 'P0',
+    category: 'cors',
+    check : (h) => !(h['access-control-allow-origin'] === '*' && h['access-control-allow-credentials'] === 'true'),
+    recommendation: 'Never combine CORS wildcard with allow-credentials',
+  },
+];
+
+const HTTPS_TIMEOUT = 10_000;
+
+export class SecurityScanner {
+  #session;
+
+  constructor(session) { this.#session = session; }
+
+  async scan(url) {
+    const findings = [];
+
+    // Real HTTP request to get actual headers
+    let headers = {};
+    let statusCode = 0;
+    try {
+      const controller = new AbortController();
+      const timer      = setTimeout(() => controller.abort(), HTTPS_TIMEOUT);
+      const res        = await fetch(url, {
+        method : 'GET',
+        signal : controller.signal,
+        headers: { 'User-Agent': 'Backlist-SecurityScanner/12.0' },
+        redirect: 'follow',
+      });
+      clearTimeout(timer);
+      statusCode = res.status;
+      res.headers.forEach((v, k) => { headers[k] = v; });
+    } catch (err) {
+      findings.push({
+        check  : 'Server reachability',
+        detail : `Cannot reach ${url}: ${err.message}`,
+        pass   : false,
+        severity: 'P0',
+        category: 'connectivity',
+        evidence: { error: err.message },
+        recommendation: 'Ensure server is running and accessible',
+      });
+      return findings;
+    }
+
+    // Check all security headers against real response
+    for (const check of SECURITY_CHECKS) {
+      const value   = headers[check.header] || '';
+      const pass    = check.validate(value);
+      findings.push({
+        check   : check.name,
+        detail  : pass
+          ? `${check.header}: ${value || '(present)'}`
+          : `Missing or invalid ${check.header} — ${check.recommendation}`,
+        pass,
+        severity: pass ? 'INFO' : check.sev,
+        category: check.category,
+        evidence: { header: check.header, value: value || null, allHeaders: headers },
+        recommendation: check.recommendation,
+      });
+    }
+
+    // CORS checks on real headers
+    for (const check of CORS_CHECKS) {
+      const pass = check.check(headers);
+      findings.push({
+        check   : check.name,
+        detail  : pass ? 'CORS configuration looks safe' : `CORS misconfiguration: ${check.recommendation}`,
+        pass,
+        severity: pass ? 'INFO' : check.sev,
+        category: check.category,
+        evidence: {
+          'access-control-allow-origin'     : headers['access-control-allow-origin'],
+          'access-control-allow-credentials': headers['access-control-allow-credentials'],
+        },
+        recommendation: check.recommendation,
+      });
+    }
+
+    // HTTPS check
+    const isHTTPS = url.startsWith('https://');
+    findings.push({
+      check   : 'HTTPS enforced',
+      detail  : isHTTPS ? 'Site uses HTTPS' : 'Site is using HTTP — not encrypted',
+      pass    : isHTTPS,
+      severity: isHTTPS ? 'INFO' : 'P1',
+      category: 'encryption',
+      evidence: { url, protocol: new URL(url).protocol },
+      recommendation: 'Enforce HTTPS with valid SSL certificate',
+    });
+
+    // Probe sensitive files
+    const sensitiveProbes = [
+      { path: '/.env',          name: '.env exposed' },
+      { path: '/.git/config',   name: 'Git config exposed' },
+      { path: '/wp-config.php', name: 'WP config exposed' },
+      { path: '/phpinfo.php',   name: 'phpinfo exposed' },
+      { path: '/server-status', name: 'Apache server-status' },
+      { path: '/actuator',      name: 'Spring actuator exposed' },
+      { path: '/graphql',       name: 'GraphQL introspection' },
+    ];
+
+    const base = new URL(url).origin;
+    for (const probe of sensitiveProbes) {
+      try {
+        const controller = new AbortController();
+        const timer      = setTimeout(() => controller.abort(), 5000);
+        const r          = await fetch(`${base}${probe.path}`, { signal: controller.signal, redirect: 'manual' });
+        clearTimeout(timer);
+        const exposed    = r.status === 200;
+        findings.push({
+          check   : probe.name,
+          detail  : exposed
+            ? `EXPOSED at ${base}${probe.path} — critical security risk`
+            : `Not exposed: ${probe.path}`,
+          pass    : !exposed,
+          severity: exposed ? 'P0' : 'INFO',
+          category: 'information-disclosure',
+          evidence: { url: `${base}${probe.path}`, status: r.status },
+          recommendation: exposed ? `Immediately restrict access to ${probe.path}` : null,
+        });
+      } catch {}
+    }
+
+    return findings;
+  }
+}

package/src/qa/analyzers/seo.js

@@ -0,0 +1,248 @@
+// Real SEO scanner — fetches and parses actual HTML
+export class SEOScanner {
+  #session;
+
+  constructor(session) { this.#session = session; }
+
+  async scan(url) {
+    let html = '';
+    let statusCode = 0;
+    let headers    = {};
+    let responseTime = 0;
+
+    const t0 = Date.now();
+    try {
+      const controller = new AbortController();
+      const timer      = setTimeout(() => controller.abort(), 12_000);
+      const res        = await fetch(url, {
+        headers : { 'User-Agent': 'Googlebot/2.1 (+http://www.google.com/bot.html)' },
+        signal  : controller.signal,
+        redirect: 'follow',
+      });
+      clearTimeout(timer);
+      statusCode   = res.status;
+      responseTime = Date.now() - t0;
+      res.headers.forEach((v, k) => { headers[k] = v; });
+      html = await res.text();
+    } catch (err) {
+      return {
+        pass  : false,
+        checks: [{ name: 'Page reachable', pass: false, detail: err.message, severity: 'P0' }],
+        url,
+      };
+    }
+
+    const checks = [];
+
+    // Real HTML parsing checks
+    const has  = (pattern) => pattern.test(html);
+    const get  = (pattern) => (html.match(pattern) || [])[1]?.trim() || null;
+
+    // Title
+    const title = get(/<title[^>]*>([^<]+)<\/title>/i);
+    checks.push({
+      name    : 'Title tag',
+      pass    : !!title,
+      detail  : title ? `"${title.slice(0, 60)}"` : 'Missing <title> tag',
+      category: 'meta',
+      severity: 'P1',
+      data    : { title, length: title?.length },
+      recommendation: 'Add a unique, descriptive title (50-60 chars)',
+    });
+
+    if (title) {
+      checks.push({
+        name    : 'Title length optimal',
+        pass    : title.length >= 30 && title.length <= 60,
+        detail  : `Title is ${title.length} chars (optimal: 30-60)`,
+        category: 'meta',
+        severity: 'P2',
+        data    : { length: title.length },
+        recommendation: 'Keep title between 30-60 characters',
+      });
+    }
+
+    // Meta description
+    const desc = get(/<meta[^>]+name=["']description["'][^>]+content=["']([^"']+)["']/i)
+               || get(/<meta[^>]+content=["']([^"']+)["'][^>]+name=["']description["']/i);
+    checks.push({
+      name    : 'Meta description',
+      pass    : !!desc,
+      detail  : desc ? `"${desc.slice(0, 80)}..."` : 'Missing meta description',
+      category: 'meta',
+      severity: 'P1',
+      data    : { description: desc, length: desc?.length },
+      recommendation: 'Add meta description (120-160 chars)',
+    });
+
+    if (desc) {
+      checks.push({
+        name    : 'Meta description length',
+        pass    : desc.length >= 120 && desc.length <= 160,
+        detail  : `Description is ${desc.length} chars (optimal: 120-160)`,
+        category: 'meta',
+        severity: 'P2',
+        data    : { length: desc.length },
+        recommendation: 'Keep description between 120-160 characters',
+      });
+    }
+
+    // H1
+    const h1Count = (html.match(/<h1[^>]*>/gi) || []).length;
+    checks.push({
+      name    : 'H1 tag',
+      pass    : h1Count === 1,
+      detail  : h1Count === 0 ? 'No H1 found' : h1Count > 1 ? `${h1Count} H1 tags (should be 1)` : 'Exactly 1 H1',
+      category: 'structure',
+      severity: 'P1',
+      data    : { count: h1Count },
+      recommendation: 'Use exactly one H1 per page',
+    });
+
+    // Viewport
+    const hasViewport = has(/<meta[^>]+name=["']viewport["']/i);
+    checks.push({
+      name    : 'Viewport meta',
+      pass    : hasViewport,
+      detail  : hasViewport ? 'Viewport meta found' : 'Missing viewport meta — mobile SEO broken',
+      category: 'mobile',
+      severity: 'P1',
+      recommendation: 'Add <meta name="viewport" content="width=device-width,initial-scale=1">',
+    });
+
+    // Lang
+    const lang = get(/<html[^>]+lang=["']([^"']+)["']/i);
+    checks.push({
+      name    : 'HTML lang attribute',
+      pass    : !!lang,
+      detail  : lang ? `lang="${lang}"` : 'Missing lang attribute on <html>',
+      category: 'accessibility-seo',
+      severity: 'P1',
+      data    : { lang },
+      recommendation: 'Add lang attribute to <html> element',
+    });
+
+    // Canonical
+    const canonical = get(/<link[^>]+rel=["']canonical["'][^>]+href=["']([^"']+)["']/i);
+    checks.push({
+      name    : 'Canonical link',
+      pass    : !!canonical,
+      detail  : canonical ? `Canonical: ${canonical}` : 'Missing canonical link',
+      category: 'technical-seo',
+      severity: 'P2',
+      data    : { canonical },
+      recommendation: 'Add <link rel="canonical"> to prevent duplicate content',
+    });
+
+    // OG tags
+    const ogTitle = has(/<meta[^>]+property=["']og:title["']/i);
+    const ogDesc  = has(/<meta[^>]+property=["']og:description["']/i);
+    const ogImage = has(/<meta[^>]+property=["']og:image["']/i);
+    const ogUrl   = has(/<meta[^>]+property=["']og:url["']/i);
+    checks.push({
+      name    : 'Open Graph tags',
+      pass    : ogTitle && ogDesc && ogImage,
+      detail  : `og:title=${ogTitle} og:description=${ogDesc} og:image=${ogImage} og:url=${ogUrl}`,
+      category: 'social',
+      severity: 'P2',
+      data    : { ogTitle, ogDesc, ogImage, ogUrl },
+      recommendation: 'Add og:title, og:description, og:image for social sharing',
+    });
+
+    // Twitter card
+    const twitterCard = has(/<meta[^>]+name=["']twitter:card["']/i);
+    checks.push({
+      name    : 'Twitter Card',
+      pass    : twitterCard,
+      detail  : twitterCard ? 'Twitter card found' : 'No Twitter card meta',
+      category: 'social',
+      severity: 'P3',
+      recommendation: 'Add twitter:card meta for Twitter sharing',
+    });
+
+    // Images with alt
+    const imgTotal   = (html.match(/<img[^>]*>/gi) || []).length;
+    const imgNoAlt   = (html.match(/<img(?![^>]*\balt=)[^>]*>/gi) || []).length;
+    checks.push({
+      name    : 'Images have alt text',
+      pass    : imgNoAlt === 0,
+      detail  : imgNoAlt === 0
+        ? `All ${imgTotal} images have alt text`
+        : `${imgNoAlt}/${imgTotal} images missing alt text`,
+      category: 'accessibility-seo',
+      severity: 'P2',
+      data    : { total: imgTotal, missing: imgNoAlt },
+      recommendation: 'Add descriptive alt text to all images',
+    });
+
+    // Structured data
+    const hasStructuredData = has(/application\/ld\+json/i);
+    checks.push({
+      name    : 'Structured data (JSON-LD)',
+      pass    : hasStructuredData,
+      detail  : hasStructuredData ? 'JSON-LD structured data found' : 'No structured data',
+      category: 'structured-data',
+      severity: 'P3',
+      recommendation: 'Add JSON-LD structured data for rich search results',
+    });
+
+    // robots.txt
+    try {
+      const base      = new URL(url).origin;
+      const robotsRes = await fetch(`${base}/robots.txt`, { signal: AbortSignal.timeout(5000) });
+      checks.push({
+        name    : 'robots.txt',
+        pass    : robotsRes.status === 200,
+        detail  : robotsRes.status === 200 ? 'robots.txt accessible' : `robots.txt returned ${robotsRes.status}`,
+        category: 'crawling',
+        severity: 'P1',
+        recommendation: 'Ensure robots.txt exists and is properly configured',
+      });
+    } catch {
+      checks.push({ name: 'robots.txt', pass: false, detail: 'robots.txt unreachable', category: 'crawling', severity: 'P2' });
+    }
+
+    // sitemap.xml
+    try {
+      const base       = new URL(url).origin;
+      const sitemapRes = await fetch(`${base}/sitemap.xml`, { signal: AbortSignal.timeout(5000) });
+      const sitemapOk  = sitemapRes.status === 200;
+      let sitemapValid = false;
+      if (sitemapOk) {
+        const sitemapText = await sitemapRes.text().catch(() => '');
+        sitemapValid = sitemapText.includes('<urlset') || sitemapText.includes('<sitemapindex');
+      }
+      checks.push({
+        name    : 'sitemap.xml',
+        pass    : sitemapOk && sitemapValid,
+        detail  : sitemapOk
+          ? (sitemapValid ? 'Valid sitemap.xml found' : 'sitemap.xml present but invalid XML')
+          : `sitemap.xml returned ${sitemapRes.status}`,
+        category: 'crawling',
+        severity: 'P1',
+        recommendation: 'Add a valid sitemap.xml and submit to Google Search Console',
+      });
+    } catch {
+      checks.push({ name: 'sitemap.xml', pass: false, detail: 'sitemap.xml unreachable', category: 'crawling', severity: 'P2' });
+    }
+
+    // Page speed (response time as SEO factor)
+    checks.push({
+      name    : 'Server response time',
+      pass    : responseTime < 800,
+      detail  : `TTFB: ${responseTime}ms (Google recommends < 800ms)`,
+      category: 'performance-seo',
+      severity: responseTime > 2000 ? 'P1' : 'P2',
+      data    : { responseTime },
+      recommendation: 'Optimize TTFB — use CDN, caching, or faster hosting',
+    });
+
+    return {
+      pass    : checks.every(c => c.pass || c.severity === 'P3'),
+      checks,
+      url,
+      statusCode,
+      responseTime,
+    };
+  }
+}