devforgeai 1.0.4 → 1.0.6

package/src/claude/scripts/devforgeai_cli/validators/grep_fallback.py

@@ -0,0 +1,300 @@
+"""
+GrepFallbackAnalyzer - Grep-based pattern matching fallback.
+
+Used when ast-grep is unavailable. Provides ~60-75% accuracy
+compared to ast-grep's 90-95% accuracy.
+
+Output format matches ast-grep schema for interoperability.
+"""
+
+import re
+import json
+import logging
+from pathlib import Path
+from typing import List, Dict, Tuple, Optional
+from dataclasses import dataclass, field, asdict
+
+logger = logging.getLogger(__name__)
+
+
+# =============================================================================
+# Data Classes
+# =============================================================================
+
+@dataclass
+class GrepPattern:
+    """Pattern definition for grep-based detection."""
+    id: str
+    pattern: str  # Regex pattern
+    severity: str  # CRITICAL, HIGH, MEDIUM, LOW
+    message: str
+    category: str  # security, anti-pattern, etc.
+    languages: List[str] = field(default_factory=list)
+
+
+@dataclass
+class Violation:
+    """Standardized violation result."""
+    file: str
+    line: int
+    column: int
+    rule_id: str
+    severity: str
+    message: str
+    evidence: str
+    analysis_method: str = "grep-fallback"
+    category: str = "security"
+
+    def to_dict(self) -> Dict:
+        """Convert to dictionary for JSON serialization."""
+        return asdict(self)
+
+
+# =============================================================================
+# Utility Functions
+# =============================================================================
+
+def log_fallback_warning() -> None:
+    """Log warning about reduced accuracy in fallback mode."""
+    logger.warning(
+        "Using grep-based fallback for code analysis. "
+        "Accuracy: 60-75% (vs 90-95% with ast-grep). "
+        "Install ast-grep-cli for better results: pip install ast-grep-cli"
+    )
+
+
+# =============================================================================
+# Main Analyzer Class
+# =============================================================================
+
+class GrepFallbackAnalyzer:
+    """Grep-based pattern matching for code analysis."""
+
+    # Built-in security patterns
+    SECURITY_PATTERNS: List[GrepPattern] = [
+        GrepPattern(
+            id="SEC-001",
+            pattern=r'(SELECT|INSERT|UPDATE|DELETE).*WHERE.*[\+\{]|[\+\{].*WHERE|execute\(["\']SELECT.*[\+\{]|f["\']SELECT.*\{|\.format\(.*SELECT',
+            severity="CRITICAL",
+            message="Potential SQL injection via string concatenation",
+            category="security",
+            languages=["python", "py", "csharp", "cs"]
+        ),
+        GrepPattern(
+            id="SEC-002",
+            pattern=r'(API_KEY|SECRET|PASSWORD|TOKEN|ACCESS_KEY)\s*=\s*["\']\w{8,}["\']',
+            severity="HIGH",
+            message="Hardcoded secret detected",
+            category="security",
+            languages=["python", "py", "javascript", "js", "typescript", "ts", "csharp", "cs"]
+        ),
+        GrepPattern(
+            id="SEC-003",
+            pattern=r'(AWS_ACCESS_KEY|AWS_SECRET|AKIA[0-9A-Z]{16})',
+            severity="CRITICAL",
+            message="AWS credentials detected",
+            category="security",
+            languages=["python", "py", "javascript", "js", "typescript", "ts", "csharp", "cs"]
+        ),
+    ]
+
+    def __init__(self, custom_patterns: Optional[List[GrepPattern]] = None):
+        """
+        Initialize analyzer with patterns.
+
+        Args:
+            custom_patterns: Additional patterns to use
+        """
+        self.patterns = self.SECURITY_PATTERNS.copy()
+        if custom_patterns:
+            self.patterns.extend(custom_patterns)
+
+    def analyze_file(self, file_path: str) -> List[Dict]:
+        """
+        Analyze single file with grep patterns.
+
+        Args:
+            file_path: Path to file to analyze
+
+        Returns:
+            List of violations found (as dicts for compatibility)
+        """
+        violations = []
+        file_path_obj = Path(file_path)
+
+        if not file_path_obj.exists():
+            return violations
+
+        if not file_path_obj.is_file():
+            return violations
+
+        # Skip binary files
+        try:
+            with open(file_path_obj, 'r', encoding='utf-8') as f:
+                content = f.read()
+        except (UnicodeDecodeError, PermissionError):
+            # Binary file or permission denied - skip gracefully
+            return violations
+
+        # Apply each pattern
+        for pattern in self.patterns:
+            # Check if pattern applies to this file type
+            if pattern.languages:
+                file_ext = file_path_obj.suffix.lstrip('.')
+                if file_ext not in pattern.languages and not any(lang in file_ext for lang in pattern.languages):
+                    continue
+
+            # Search for pattern in content
+            matches = re.finditer(pattern.pattern, content, re.MULTILINE | re.IGNORECASE)
+
+            for match in matches:
+                # Find line number and column
+                line_num = content[:match.start()].count('\n') + 1
+                line_start = content.rfind('\n', 0, match.start()) + 1
+                column = match.start() - line_start + 1
+
+                # Extract evidence (the matching line)
+                line_end = content.find('\n', match.start())
+                if line_end == -1:
+                    line_end = len(content)
+                evidence = content[line_start:line_end].strip()
+
+                violation = Violation(
+                    file=str(file_path_obj),
+                    line=line_num,
+                    column=column,
+                    rule_id=pattern.id,
+                    severity=pattern.severity,
+                    message=pattern.message,
+                    evidence=evidence,
+                    analysis_method="grep-fallback",
+                    category=pattern.category
+                )
+
+                violations.append(violation.to_dict())
+
+        return violations
+
+    def analyze_directory(self, directory: str,
+                          category: Optional[str] = None,
+                          language: Optional[str] = None) -> List[Dict]:
+        """
+        Analyze directory recursively.
+
+        Args:
+            directory: Directory to scan
+            category: Filter by category (security, anti-patterns)
+            language: Filter by language (python, typescript, csharp)
+
+        Returns:
+            List of all violations found
+        """
+        all_violations = []
+        directory_path = Path(directory)
+
+        if not directory_path.exists() or not directory_path.is_dir():
+            return all_violations
+
+        # Find all relevant files
+        if language:
+            # Map language to file extensions
+            ext_map = {
+                'python': ['.py'],
+                'typescript': ['.ts', '.tsx'],
+                'javascript': ['.js', '.jsx'],
+                'csharp': ['.cs']
+            }
+            extensions = ext_map.get(language, [])
+        else:
+            extensions = ['.py', '.ts', '.tsx', '.js', '.jsx', '.cs']
+
+        # Scan all files
+        for ext in extensions:
+            for file_path in directory_path.rglob(f'*{ext}'):
+                if file_path.is_file():
+                    violations = self.analyze_file(str(file_path))
+
+                    # Filter by category if specified
+                    if category:
+                        violations = [v for v in violations if v.get('category') == category]
+
+                    all_violations.extend(violations)
+
+        return all_violations
+
+    def format_results(self, violations: List[Dict], format: str = "json") -> str:
+        """
+        Format results for output.
+
+        Args:
+            violations: List of violations
+            format: Output format (json, text, markdown)
+
+        Returns:
+            Formatted output string
+        """
+        if format == "json":
+            return self._format_json(violations)
+        elif format == "text":
+            return self._format_text(violations)
+        elif format == "markdown":
+            return self._format_markdown(violations)
+        else:
+            return self._format_json(violations)
+
+    def _format_json(self, violations: List[Dict]) -> str:
+        """Format as JSON matching ast-grep schema."""
+        # Calculate summary
+        by_severity = {}
+        for v in violations:
+            severity = v.get('severity', 'UNKNOWN')
+            by_severity[severity] = by_severity.get(severity, 0) + 1
+
+        result = {
+            "violations": violations,
+            "analysis_method": "grep-fallback",
+            "summary": {
+                "total_violations": len(violations),
+                "by_severity": by_severity,
+                "accuracy_note": "60-75% vs 90-95% with ast-grep"
+            }
+        }
+
+        return json.dumps(result, indent=2)
+
+    def _format_text(self, violations: List[Dict]) -> str:
+        """Format as human-readable text."""
+        if not violations:
+            return "No violations found.\n"
+
+        lines = []
+        lines.append(f"Found {len(violations)} violation(s):\n")
+
+        for v in violations:
+            lines.append(f"{v.get('severity', 'UNKNOWN')}: {v.get('file', 'unknown')}")
+            lines.append(f"  Line {v.get('line', '?')}, Column {v.get('column', '?')}")
+            lines.append(f"  {v.get('message', 'No message')}")
+            lines.append(f"  Evidence: {v.get('evidence', 'N/A')}")
+            lines.append("")
+
+        return "\n".join(lines)
+
+    def _format_markdown(self, violations: List[Dict]) -> str:
+        """Format as Markdown."""
+        if not violations:
+            return "## Code Analysis Results\n\nNo violations found.\n"
+
+        lines = []
+        lines.append("## Code Analysis Results\n")
+        lines.append(f"**Total Violations:** {len(violations)}\n")
+        lines.append("**Analysis Method:** grep-fallback (60-75% accuracy)\n")
+        lines.append("### Violations\n")
+
+        for v in violations:
+            lines.append(f"#### {v.get('severity', 'UNKNOWN')}: {v.get('rule_id', 'UNKNOWN')}\n")
+            lines.append(f"**File:** `{v.get('file', 'unknown')}`  ")
+            lines.append(f"**Line:** {v.get('line', '?')}, **Column:** {v.get('column', '?')}\n")
+            lines.append(f"**Message:** {v.get('message', 'No message')}\n")
+            lines.append(f"**Evidence:**\n```\n{v.get('evidence', 'N/A')}\n```\n")
+
+        return "\n".join(lines)

package/src/claude/scripts/install_hooks.sh

@@ -0,0 +1,186 @@
+#!/bin/bash
+#
+# DevForgeAI Pre-Commit Hook Installer
+#
+# Installs pre-commit hook that validates:
+# - DoD completion (prevents autonomous deferrals)
+# - Story file format
+# - User approval markers
+#
+# Based on industry patterns: pre-commit.com, SpecDriven AI
+#
+
+set -e
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "  DevForgeAI Pre-Commit Hook Installer"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+# Check if in Git repository
+if [ ! -d ".git" ]; then
+    echo "❌ Error: Not in a Git repository"
+    echo ""
+    echo "Initialize Git first:"
+    echo "  git init"
+    echo "  git add ."
+    echo "  git commit -m 'Initial commit'"
+    echo ""
+    exit 1
+fi
+
+# Check if Python available
+if ! command -v python3 &> /dev/null; then
+    echo "❌ Error: Python 3 not found"
+    echo ""
+    echo "Install Python 3.8 or higher"
+    exit 1
+fi
+
+# Check if DevForgeAI CLI validators available
+if [ ! -f ".claude/scripts/devforgeai_cli/validators/dod_validator.py" ]; then
+    echo "❌ Error: DevForgeAI CLI not found"
+    echo ""
+    echo "Expected location: .claude/scripts/devforgeai_cli/"
+    echo ""
+    echo "Install DevForgeAI CLI first:"
+    echo "  pip install -e .claude/scripts/"
+    exit 1
+fi
+
+echo "Installing pre-commit hook..."
+echo ""
+
+# Create pre-commit hook
+cat > .git/hooks/pre-commit <<'EOF'
+#!/bin/bash
+#
+# DevForgeAI Pre-Commit Validation Hook
+#
+# Validates story files before commit to prevent:
+# - Autonomous deferrals (DoD [x] but Impl [ ] without user approval)
+# - Missing Implementation Notes
+# - Invalid deferral justifications
+#
+# To bypass (NOT RECOMMENDED): git commit --no-verify
+#
+
+echo ""
+echo "🔍 DevForgeAI Validators Running..."
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+VALIDATION_FAILED=0
+
+# ============================================================================
+# Registry Drift Detection (STORY-109)
+# ============================================================================
+AGENT_FILES=$(git diff --cached --name-only --diff-filter=d | grep '^\.claude/agents/.*\.md$' || true)
+if [ -n "$AGENT_FILES" ]; then
+    echo "  📋 Checking subagent registry..."
+    if [ -f "scripts/generate-subagent-registry.sh" ]; then
+        if ! bash scripts/generate-subagent-registry.sh --check 2>/dev/null; then
+            echo "     ❌ Registry out of date"
+            echo "     Run: bash scripts/generate-subagent-registry.sh"
+            echo "     Then: git add CLAUDE.md"
+            VALIDATION_FAILED=1
+        else
+            echo "     ✅ Registry up to date"
+        fi
+    fi
+fi
+
+# ============================================================================
+# Story-Scoped Validation (STORY-121)
+# Set DEVFORGEAI_STORY=STORY-NNN to validate only that story
+# ============================================================================
+
+if [ -n "$DEVFORGEAI_STORY" ]; then
+    # Validate format: STORY-NNN (3+ digits, uppercase only)
+    if ! echo "$DEVFORGEAI_STORY" | grep -qE '^STORY-[0-9]{3,}$'; then
+        echo "  WARNING: Invalid DEVFORGEAI_STORY format: $DEVFORGEAI_STORY"
+        echo "  Expected: STORY-NNN (e.g., STORY-120)"
+        echo "  Falling back to unscoped validation..."
+        DEVFORGEAI_STORY=""
+    fi
+fi
+
+if [ -n "$DEVFORGEAI_STORY" ]; then
+    # Scoped validation - only validate specific story
+    STORY_FILES=$(git diff --cached --name-only --diff-filter=d | grep "${DEVFORGEAI_STORY}" | grep -v '^tests/' || true)
+    echo "  Scoped to: $DEVFORGEAI_STORY"
+else
+    # Default behavior - validate all staged story files
+    STORY_FILES=$(git diff --cached --name-only --diff-filter=d | grep '\.story\.md$' | grep -v '^tests/' || true)
+fi
+
+if [ -z "$STORY_FILES" ]; then
+    echo "  No story files to validate"
+    echo "✅ Pre-commit validation passed"
+    echo ""
+    exit 0
+fi
+
+# Validate each story file
+VALIDATION_FAILED=0
+
+for file in $STORY_FILES; do
+    # Skip if file doesn't exist (shouldn't happen with --diff-filter=d, but safety check)
+    if [ ! -f "$file" ]; then
+        echo "  ⚠️  Skipping (file not found): $file"
+        continue
+    fi
+
+    echo "  📋 Validating: $file"
+
+    # Run DoD validator with PYTHONPATH set (fixes relative import issue)
+    # This allows the validator to import from parent package without pip install
+    if PYTHONPATH=".claude/scripts:$PYTHONPATH" python3 -m devforgeai_cli.validators.dod_validator "$file" --project-root .; then
+        echo "     ✅ Passed"
+    else
+        echo "     ❌ Failed"
+        VALIDATION_FAILED=1
+    fi
+done
+
+echo ""
+
+if [ $VALIDATION_FAILED -eq 1 ]; then
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "❌ COMMIT BLOCKED - Fix violations"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    echo "One or more story files have validation errors."
+    echo "Fix the violations shown above before committing."
+    echo ""
+    echo "To bypass validation (NOT RECOMMENDED):"
+    echo "  git commit --no-verify"
+    echo ""
+    exit 1
+fi
+
+echo "✅ All validators passed - commit allowed"
+echo ""
+exit 0
+EOF
+
+# Make hook executable
+chmod +x .git/hooks/pre-commit
+
+echo "✅ Pre-commit hook installed successfully"
+echo ""
+echo "Location: .git/hooks/pre-commit"
+echo ""
+echo "The hook will automatically run on 'git commit' and validate:"
+echo "  • DoD completion status"
+echo "  • Autonomous deferral detection"
+echo "  • User approval markers for deferrals"
+echo "  • Story/ADR reference validation"
+echo ""
+echo "To test the hook:"
+echo "  git add devforgeai/specs/Stories/STORY-XXX.story.md"
+echo "  git commit -m 'Test commit'"
+echo ""
+echo "To bypass validation (not recommended):"
+echo "  git commit --no-verify"
+echo ""
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

package/src/claude/scripts/invoke_feedback_hooks.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Reusable helper function for feedback hook integration
+# Used by: /ideate, /create-story, /create-epic, /create-sprint, /create-context, /dev
+# Pattern: STORY-023 pilot, implemented across STORY-027-031
+
+set -euo pipefail
+
+# Usage: invoke_feedback_hooks.sh <operation> <status> [additional-args...]
+# Examples:
+#   invoke_feedback_hooks.sh ideate completed --artifacts='[epic1.md]' --complexity-score=42
+#   invoke_feedback_hooks.sh dev completed --story=STORY-001
+#   invoke_feedback_hooks.sh create-context completed
+
+OPERATION="${1:-}"
+STATUS="${2:-completed}"
+shift 2 || true  # Remove first 2 args, keep remaining as passthrough
+
+# Validate required arguments
+if [ -z "$OPERATION" ]; then
+    echo "❌ ERROR: Operation required" >&2
+    echo "Usage: invoke_feedback_hooks.sh <operation> <status> [additional-args...]" >&2
+    exit 1
+fi
+
+# Phase 1: Check Hook Eligibility
+echo "Checking hook eligibility for operation: $OPERATION..."
+
+devforgeai check-hooks --operation="$OPERATION" --status="$STATUS" 2>/dev/null
+CHECK_EXIT=$?
+
+# Interpret exit code
+case $CHECK_EXIT in
+    0)
+        # Eligible - proceed to invocation
+        echo "✓ Hooks eligible for $OPERATION"
+        ;;
+    1)
+        # Not eligible (disabled/rate-limited) - silent exit
+        exit 0
+        ;;
+    *)
+        # Unexpected error - warn and continue
+        echo "⚠️ Hook eligibility check failed (exit code: $CHECK_EXIT), continuing..." >&2
+        exit 0
+        ;;
+esac
+
+# Phase 2: Invoke Feedback Hooks
+echo "Invoking feedback hooks for $OPERATION..."
+
+devforgeai invoke-hooks --operation="$OPERATION" "$@" 2>/dev/null || {
+    # Hook invocation failed - non-blocking
+    echo "⚠️ Post-$OPERATION feedback skipped (hook system unavailable)" >&2
+    exit 0
+}
+
+# Phase 3: Display Success
+echo "✓ Post-$OPERATION feedback initiated"
+exit 0

package/src/claude/scripts/migrate-ac-headers.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+# Migrate story template v2.0 → v2.1 (remove AC header checkboxes)
+# Usage: migrate-ac-headers.sh <story-file-or-directory>
+
+TARGET="$1"
+
+if [[ -z "$TARGET" ]]; then
+  echo "Usage: migrate-ac-headers.sh <story-file-or-directory>"
+  echo ""
+  echo "Examples:"
+  echo "  migrate-ac-headers.sh devforgeai/specs/Stories/STORY-052.story.md"
+  echo "  migrate-ac-headers.sh devforgeai/specs/Stories/"
+  exit 1
+fi
+
+# Track if any file migration failed
+MIGRATION_FAILED=0
+
+# ============================================================================
+# Helper: update_format_version(file)
+# Updates format_version from 2.0 to 2.1 in YAML frontmatter
+# Handles three quote formats: double quotes, single quotes, and unquoted
+# ============================================================================
+update_format_version() {
+  local file="$1"
+
+  # Handle double quotes: format_version: "2.0"
+  sed -i 's/format_version: "2.0"/format_version: "2.1"/' "$file"
+
+  # Handle single quotes: format_version: '2.0'
+  sed -i "s/format_version: '2.0'/format_version: \"2.1\"/" "$file"
+
+  # Handle unquoted: format_version: 2.0
+  sed -i 's/format_version: 2.0$/format_version: "2.1"/' "$file"
+}
+
+# ============================================================================
+# Helper: migrate_ac_headers(file)
+# Converts AC header format from v2.0 to v2.1
+# Changes: ### N. [ ] Title → ### AC#N: Title
+# ============================================================================
+migrate_ac_headers() {
+  local file="$1"
+
+  sed -i 's/^### \([0-9]\+\)\. \[ \] /### AC#\1: /' "$file"
+}
+
+# ============================================================================
+# Helper: backup_file(file)
+# Creates backup copy of file with .backup extension
+# ============================================================================
+backup_file() {
+  local file="$1"
+
+  cp "$file" "$file.backup"
+}
+
+# ============================================================================
+# Function: migrate_file(file)
+# Main entry point for migrating a single story file
+# Performs: backup → migrate AC headers → update format version
+# ============================================================================
+migrate_file() {
+  local file="$1"
+
+  if [[ ! -f "$file" ]]; then
+    echo "Error: File not found: $file"
+    return 1
+  fi
+
+  backup_file "$file"
+  migrate_ac_headers "$file"
+  update_format_version "$file"
+
+  echo "Migrated: $file"
+  echo "  Backup: $file.backup"
+}
+
+# ============================================================================
+# Main Logic: Process TARGET (file or directory)
+# ============================================================================
+
+if [[ -d "$TARGET" ]]; then
+  # Directory mode - migrate all story files
+  # Tracks failures and reports summary
+  FILES_PROCESSED=0
+  FILES_FAILED=0
+
+  for file in "$TARGET"/*.story.md; do
+    if [[ -f "$file" ]]; then
+      FILES_PROCESSED=$((FILES_PROCESSED + 1))
+      if ! migrate_file "$file"; then
+        FILES_FAILED=$((FILES_FAILED + 1))
+        MIGRATION_FAILED=1
+      fi
+    fi
+  done
+
+  # Report directory migration summary
+  if [[ $FILES_PROCESSED -gt 0 ]]; then
+    echo ""
+    echo "Directory migration complete:"
+    echo "  Files processed: $FILES_PROCESSED"
+    if [[ $FILES_FAILED -gt 0 ]]; then
+      echo "  Files failed:    $FILES_FAILED"
+    fi
+  fi
+else
+  # Single file mode
+  if ! migrate_file "$TARGET"; then
+    MIGRATION_FAILED=1
+  fi
+fi
+
+echo ""
+echo "Migration complete!"
+echo "To undo, restore from .backup files"
+
+# Exit with error if migration failed
+if [[ $MIGRATION_FAILED -eq 1 ]]; then
+  exit 1
+fi