npm - dravix-agent - Versions diffs - 0.1.0 - Mend

dravix-agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (208) hide show

package/.claude/settings.example.json +30 -0
package/ARCHITECTURE.md +410 -0
package/LICENSE +21 -0
package/README.md +153 -0
package/ROADMAP.md +117 -0
package/data/vulnkb.json +666 -0
package/dist/bin/aegis.d.ts +3 -0
package/dist/bin/aegis.d.ts.map +1 -0
package/dist/bin/aegis.js +489 -0
package/dist/bin/aegis.js.map +1 -0
package/dist/cache.d.ts +9 -0
package/dist/cache.d.ts.map +1 -0
package/dist/cache.js +146 -0
package/dist/cache.js.map +1 -0
package/dist/engines/ai-sinks.d.ts +52 -0
package/dist/engines/ai-sinks.d.ts.map +1 -0
package/dist/engines/ai-sinks.js +204 -0
package/dist/engines/ai-sinks.js.map +1 -0
package/dist/engines/eslint.d.ts +9 -0
package/dist/engines/eslint.d.ts.map +1 -0
package/dist/engines/eslint.js +245 -0
package/dist/engines/eslint.js.map +1 -0
package/dist/engines/joern.d.ts +3 -0
package/dist/engines/joern.d.ts.map +1 -0
package/dist/engines/joern.js +98 -0
package/dist/engines/joern.js.map +1 -0
package/dist/engines/js-sinks.d.ts +70 -0
package/dist/engines/js-sinks.d.ts.map +1 -0
package/dist/engines/js-sinks.js +370 -0
package/dist/engines/js-sinks.js.map +1 -0
package/dist/engines/llm-critic.d.ts +130 -0
package/dist/engines/llm-critic.d.ts.map +1 -0
package/dist/engines/llm-critic.js +551 -0
package/dist/engines/llm-critic.js.map +1 -0
package/dist/engines/pragma.d.ts +20 -0
package/dist/engines/pragma.d.ts.map +1 -0
package/dist/engines/pragma.js +83 -0
package/dist/engines/pragma.js.map +1 -0
package/dist/engines/property-test.d.ts +3 -0
package/dist/engines/property-test.d.ts.map +1 -0
package/dist/engines/property-test.js +134 -0
package/dist/engines/property-test.js.map +1 -0
package/dist/engines/pyright.d.ts +10 -0
package/dist/engines/pyright.d.ts.map +1 -0
package/dist/engines/pyright.js +143 -0
package/dist/engines/pyright.js.map +1 -0
package/dist/engines/pysa.d.ts +3 -0
package/dist/engines/pysa.d.ts.map +1 -0
package/dist/engines/pysa.js +83 -0
package/dist/engines/pysa.js.map +1 -0
package/dist/engines/python-sinks.d.ts +82 -0
package/dist/engines/python-sinks.d.ts.map +1 -0
package/dist/engines/python-sinks.js +459 -0
package/dist/engines/python-sinks.js.map +1 -0
package/dist/engines/registry.d.ts +26 -0
package/dist/engines/registry.d.ts.map +1 -0
package/dist/engines/registry.js +70 -0
package/dist/engines/registry.js.map +1 -0
package/dist/engines/secret-scan.d.ts +22 -0
package/dist/engines/secret-scan.d.ts.map +1 -0
package/dist/engines/secret-scan.js +179 -0
package/dist/engines/secret-scan.js.map +1 -0
package/dist/engines/semgrep.d.ts +10 -0
package/dist/engines/semgrep.d.ts.map +1 -0
package/dist/engines/semgrep.js +200 -0
package/dist/engines/semgrep.js.map +1 -0
package/dist/engines/treesitter.d.ts +18 -0
package/dist/engines/treesitter.d.ts.map +1 -0
package/dist/engines/treesitter.js +135 -0
package/dist/engines/treesitter.js.map +1 -0
package/dist/engines/tsc.d.ts +10 -0
package/dist/engines/tsc.d.ts.map +1 -0
package/dist/engines/tsc.js +142 -0
package/dist/engines/tsc.js.map +1 -0
package/dist/engines/types.d.ts +47 -0
package/dist/engines/types.d.ts.map +1 -0
package/dist/engines/types.js +27 -0
package/dist/engines/types.js.map +1 -0
package/dist/findings.d.ts +121 -0
package/dist/findings.d.ts.map +1 -0
package/dist/findings.js +98 -0
package/dist/findings.js.map +1 -0
package/dist/hooks/claude-code.d.ts +3 -0
package/dist/hooks/claude-code.d.ts.map +1 -0
package/dist/hooks/claude-code.js +187 -0
package/dist/hooks/claude-code.js.map +1 -0
package/dist/index/context.d.ts +127 -0
package/dist/index/context.d.ts.map +1 -0
package/dist/index/context.js +267 -0
package/dist/index/context.js.map +1 -0
package/dist/index/embeddings.d.ts +68 -0
package/dist/index/embeddings.d.ts.map +1 -0
package/dist/index/embeddings.js +570 -0
package/dist/index/embeddings.js.map +1 -0
package/dist/index/graph_routing.d.ts +36 -0
package/dist/index/graph_routing.d.ts.map +1 -0
package/dist/index/graph_routing.js +170 -0
package/dist/index/graph_routing.js.map +1 -0
package/dist/index/joern.d.ts +76 -0
package/dist/index/joern.d.ts.map +1 -0
package/dist/index/joern.js +782 -0
package/dist/index/joern.js.map +1 -0
package/dist/index/property-test.d.ts +88 -0
package/dist/index/property-test.d.ts.map +1 -0
package/dist/index/property-test.js +466 -0
package/dist/index/property-test.js.map +1 -0
package/dist/index/proto/scip.proto +897 -0
package/dist/index/pysa.d.ts +91 -0
package/dist/index/pysa.d.ts.map +1 -0
package/dist/index/pysa.js +617 -0
package/dist/index/pysa.js.map +1 -0
package/dist/index/scip.d.ts +76 -0
package/dist/index/scip.d.ts.map +1 -0
package/dist/index/scip.js +541 -0
package/dist/index/scip.js.map +1 -0
package/dist/index/vulrag.d.ts +86 -0
package/dist/index/vulrag.d.ts.map +1 -0
package/dist/index/vulrag.js +242 -0
package/dist/index/vulrag.js.map +1 -0
package/dist/index.d.ts +9 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +8 -0
package/dist/index.js.map +1 -0
package/dist/install/claude-code.d.ts +31 -0
package/dist/install/claude-code.d.ts.map +1 -0
package/dist/install/claude-code.js +447 -0
package/dist/install/claude-code.js.map +1 -0
package/dist/lang.d.ts +5 -0
package/dist/lang.d.ts.map +1 -0
package/dist/lang.js +52 -0
package/dist/lang.js.map +1 -0
package/dist/learning/suppressions.d.ts +70 -0
package/dist/learning/suppressions.d.ts.map +1 -0
package/dist/learning/suppressions.js +179 -0
package/dist/learning/suppressions.js.map +1 -0
package/dist/mcp/server.d.ts +2 -0
package/dist/mcp/server.d.ts.map +1 -0
package/dist/mcp/server.js +187 -0
package/dist/mcp/server.js.map +1 -0
package/dist/mcp/tools/explain.d.ts +58 -0
package/dist/mcp/tools/explain.d.ts.map +1 -0
package/dist/mcp/tools/explain.js +60 -0
package/dist/mcp/tools/explain.js.map +1 -0
package/dist/mcp/tools/precheck.d.ts +29 -0
package/dist/mcp/tools/precheck.d.ts.map +1 -0
package/dist/mcp/tools/precheck.js +42 -0
package/dist/mcp/tools/precheck.js.map +1 -0
package/dist/mcp/tools/validate.d.ts +73 -0
package/dist/mcp/tools/validate.d.ts.map +1 -0
package/dist/mcp/tools/validate.js +66 -0
package/dist/mcp/tools/validate.js.map +1 -0
package/dist/mcp/warm.d.ts +88 -0
package/dist/mcp/warm.d.ts.map +1 -0
package/dist/mcp/warm.js +331 -0
package/dist/mcp/warm.js.map +1 -0
package/dist/orchestrator.d.ts +46 -0
package/dist/orchestrator.d.ts.map +1 -0
package/dist/orchestrator.js +596 -0
package/dist/orchestrator.js.map +1 -0
package/dist/policy.d.ts +51 -0
package/dist/policy.d.ts.map +1 -0
package/dist/policy.js +201 -0
package/dist/policy.js.map +1 -0
package/dist/risk.d.ts +31 -0
package/dist/risk.d.ts.map +1 -0
package/dist/risk.js +92 -0
package/dist/risk.js.map +1 -0
package/dist/stats.d.ts +72 -0
package/dist/stats.d.ts.map +1 -0
package/dist/stats.js +217 -0
package/dist/stats.js.map +1 -0
package/dist/telemetry/collector.d.ts +10 -0
package/dist/telemetry/collector.d.ts.map +1 -0
package/dist/telemetry/collector.js +75 -0
package/dist/telemetry/collector.js.map +1 -0
package/dist/telemetry/consent.d.ts +9 -0
package/dist/telemetry/consent.d.ts.map +1 -0
package/dist/telemetry/consent.js +42 -0
package/dist/telemetry/consent.js.map +1 -0
package/dist/telemetry/installation.d.ts +2 -0
package/dist/telemetry/installation.d.ts.map +1 -0
package/dist/telemetry/installation.js +32 -0
package/dist/telemetry/installation.js.map +1 -0
package/dist/telemetry/sanitizer.d.ts +5 -0
package/dist/telemetry/sanitizer.d.ts.map +1 -0
package/dist/telemetry/sanitizer.js +60 -0
package/dist/telemetry/sanitizer.js.map +1 -0
package/dist/telemetry/types.d.ts +39 -0
package/dist/telemetry/types.d.ts.map +1 -0
package/dist/telemetry/types.js +4 -0
package/dist/telemetry/types.js.map +1 -0
package/dist/telemetry/uploader.d.ts +12 -0
package/dist/telemetry/uploader.d.ts.map +1 -0
package/dist/telemetry/uploader.js +92 -0
package/dist/telemetry/uploader.js.map +1 -0
package/dist/util/logger.d.ts +19 -0
package/dist/util/logger.d.ts.map +1 -0
package/dist/util/logger.js +58 -0
package/dist/util/logger.js.map +1 -0
package/dist/util/safe-paths.d.ts +8 -0
package/dist/util/safe-paths.d.ts.map +1 -0
package/dist/util/safe-paths.js +102 -0
package/dist/util/safe-paths.js.map +1 -0
package/dist/util/subprocess.d.ts +32 -0
package/dist/util/subprocess.d.ts.map +1 -0
package/dist/util/subprocess.js +137 -0
package/dist/util/subprocess.js.map +1 -0
package/package.json +93 -0

package/ROADMAP.md ADDED Viewed

@@ -0,0 +1,117 @@
+# Aegis-v2 Roadmap
+Phase 0 ships in this session. Phase 1-3 ship in their own sessions, each
+phase fully production-ready — no stubs left behind.
+---
+## Phase 0 — Real-time Phase-0 gate (SHIPPED)
+**Status:** Done.
+**What ships:**
+- `aegis` CLI: `mcp`, `hook`, `scan`, `doctor`, `--version`.
+- MCP server (stdio) exposing `precheck_change`, `validate_edit`, `explain_risk`.
+- Engines: `secret-scan` (built-in), `treesitter`, `eslint`, `pyright`, `tsc`, `semgrep`.
+- Orchestrator: parallel run, per-engine + total timeout, LMDB cache.
+- Risk scoring: confidence × severity → ALLOW / WARN / BLOCK; exit 0 / 2.
+- Path safety: deny home-secret + system paths; reject outside-root.
+- Audit log: append-only `.aegis/audit.jsonl`.
+- Claude Code hook config (`.claude/settings.example.json`).
+- Tests: findings schema, lang, risk, secret-scan, tree-sitter, eslint, orchestrator.
+**Exit criteria (met):**
+- `npm install && npm run build && npm test` passes on this machine.
+- `aegis doctor` prints engine availability.
+- `aegis scan tests/fixtures/with_secret.ts` blocks (exit 2).
+- `aegis scan tests/fixtures/clean.py` allows (exit 0).
+- Hook config attaches to Claude Code and blocks a `Write` with secrets.
+---
+## Phase 1 — Project-aware context (NEXT)
+**Goal:** raise recall on cross-file bugs by giving every engine the
+project graph + symbol resolution + similar-code retrieval.
+**Deliverables:**
+- `src/index/scip.ts` — wrapper around `scip-typescript` and `scip-python`;
+  builds an incremental SCIP index of the project; LMDB-backed lookup
+  for `defOf(sym)` / `refsOf(sym)` / `callersOf(fn)` in O(log n).
+- `src/index/joern.ts` — Joern CPG: invoke `joern-parse` once per project,
+  store CPG in OverflowDB; query API for `dataFlow(src, sink)` and
+  `cpg.method.name("X").caller`. Incremental update on file save.
+- `src/index/embeddings.ts` — local `CodeT5p-110M` (ONNX) embedder via
+  `@xenova/transformers` (no Python dep); FAISS-style brute-force top-K
+  on small projects, `hnswlib-node` on larger ones.
+- `src/engines/context.ts` — uses the three indexes to enrich the
+  Tier-1 prompt with focused, per-symbol context (not generic dump).
+- Updated `validate_edit` returns a `project_context` block alongside
+  the findings list — the LLM critic in Phase 2 will consume it.
+**Exit criteria:**
+- Indexing fixme/argus (~100 files) completes in < 5 s cold, < 200 ms incremental.
+- Cross-file lookup (`callers_of("require_admin")`) returns the right call site.
+- Latency budget: p50 ≤ 600 ms (Phase 0 + Phase 1 combined).
+- New tests: SCIP index, Joern query, embedding round-trip, focused-context block.
+**Cite-tools:** RepoGraph (ICLR 2025), SCIP (Sourcegraph), Joern, CodeT5+.
+---
+## Phase 2 — Deep semantic + critic
+**Goal:** catch the bugs no static analyzer alone can — taint reachability,
+race conditions, deep logic — by combining best-of-class OSS analyzers
+with an LLM critic that reasons over a *retrieved evidence trail*
+(Vul-RAG pattern; +16-24% over pure-LLM per Du 2024).
+**Deliverables:**
+- `src/engines/pysa.ts` — Pyre/Pysa taint analysis for Python; pre-warmed
+  function summaries cached per commit; sub-second per-file query.
+- `src/engines/racerd.ts` — Joern-CPGQL race queries for Python/TS/JS
+  modeled on RacerD's `NoThread` / `AnyThread` lattice; static candidates
+  + post-filter.
+- `src/engines/vulrag.ts` — local vector store of CVE knowledge (cause +
+  vuln-pattern + fix-pattern + CWE), populated from the existing 313K-row
+  argus corpus; retrieval by `(cwe, semantic)`.
+- `src/engines/router-150m.ts` — local 150M classifier (ONNX, INT8) that
+  routes each edit to `pass` / `lint` / `deep_review`.
+- `src/engines/llm-critic.ts` — calls Claude/GPT with structured evidence
+  (diff + Joern path + Vul-RAG knowledge + callers); returns
+  `{verdict, cwe, evidence, fix, confidence}`. Ensemble vote with a
+  second-vendor model.
+**Exit criteria:**
+- Catches 4/6 planted bugs in the argus smoke test (vs. 1/6 today).
+- p50 ≤ 1.0 s for non-critic path; p95 ≤ 4 s with critic.
+- LLM critic budget cap: 10% of edits / $0.05 max per call.
+**Cite-tools:** Pysa, Infer/RacerD, Vul-RAG (arxiv 2406.11147), IRIS (ICLR 2025).
+---
+## Phase 3 — Production hardening
+**Goal:** suppression learning + telemetry + property-based testing gate +
+policy-as-code — what turns a working prototype into something a team can rely on.
+**Deliverables:**
+- `src/learning/suppressions.ts` — every `accepted` / `rejected` /
+  `edited-then-saved` outcome appended; weekly re-tunes the router and
+  per-rule confidence priors.
+- `src/learning/telemetry.ts` — local p50/p95/p99 dashboard via a small
+  CLI command (`aegis stats`).
+- `src/engines/property-tests.ts` — for high-suspicion functions
+  (money/auth/perm), LLM emits a Hypothesis (Python) or fast-check (JS/TS)
+  property; runner executes in subprocess sandbox; counterexample = proven bug.
+- `src/policy.ts` — YAML-driven policy: `CWE-89 → BLOCK`,
+  `CWE-704 → WARN`, etc.; per-project override.
+**Exit criteria:**
+- Suppression-aware re-training reduces FP rate by ≥ 20% over baseline.
+- Property-test gate catches at least one of: tax-before-discount,
+  cache stampede, off-by-one in argus smoke test.
+- `aegis stats` shows true p50/p95 from real audit log.
+**Cite-tools:** Hypothesis ghostwriter, fast-check, Fuzz4All (arxiv 2308.04748).