facult 1.0.1

package/src/util/codex-toml.ts

@@ -0,0 +1,126 @@
+const SECTION_RE = /^\s*\[([^\]]+)\]\s*$/;
+const DOUBLE_QUOTED_KEY_RE = /^"([^"]+)"(.*)$/;
+const SINGLE_QUOTED_KEY_RE = /^'([^']+)'(.*)$/;
+
+const SECRETY_STRING_RE =
+  /\b(sk-[A-Za-z0-9]{10,}|ghp_[A-Za-z0-9]{10,}|github_pat_[A-Za-z0-9_]{10,})\b/g;
+const SECRET_KEY_RE = /(TOKEN|KEY|SECRET|PASSWORD|PASS|BEARER)/i;
+
+function normalizeNewlines(text: string): string {
+  return text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+}
+
+function parseCodexMcpServerNameFromSection(section: string): string | null {
+  const prefix = "mcp_servers.";
+  if (!section.startsWith(prefix)) {
+    return null;
+  }
+  const rest = section.slice(prefix.length).trim();
+  if (!rest) {
+    return null;
+  }
+
+  // Quoted key: mcp_servers."Sequential_Thinking"
+  if (rest.startsWith('"')) {
+    const m = DOUBLE_QUOTED_KEY_RE.exec(rest);
+    if (!m) {
+      return null;
+    }
+    return m[1] || null;
+  }
+
+  // Single-quoted keys are unusual in TOML, but handle best-effort.
+  if (rest.startsWith("'")) {
+    const m = SINGLE_QUOTED_KEY_RE.exec(rest);
+    if (!m) {
+      return null;
+    }
+    return m[1] || null;
+  }
+
+  // Unquoted: mcp_servers.github.env -> github
+  const first = rest.split(".")[0];
+  return first || null;
+}
+
+export function extractCodexTomlMcpServerBlocks(
+  text: string
+): Record<string, string> {
+  const lines = normalizeNewlines(text).split("\n");
+  const out = new Map<string, string[]>();
+  let current: string | null = null;
+
+  for (const line of lines) {
+    const m = SECTION_RE.exec(line);
+    if (m) {
+      const section = m[1] ?? "";
+      const server = parseCodexMcpServerNameFromSection(section);
+      if (server) {
+        current = server;
+        const arr = out.get(server) ?? [];
+        arr.push(line);
+        out.set(server, arr);
+      } else {
+        current = null;
+      }
+      continue;
+    }
+
+    if (current) {
+      const arr = out.get(current) ?? [];
+      arr.push(line);
+      out.set(current, arr);
+    }
+  }
+
+  const obj: Record<string, string> = {};
+  for (const [name, lines] of out.entries()) {
+    obj[name] = `${lines.join("\n")}\n`;
+  }
+  return obj;
+}
+
+export function extractCodexTomlMcpServerNames(text: string): string[] {
+  return Object.keys(extractCodexTomlMcpServerBlocks(text)).sort();
+}
+
+export function sanitizeCodexTomlMcpText(text: string): string {
+  const normalized = normalizeNewlines(text);
+
+  // 1) Redact obvious token formats.
+  let out = normalized.replace(SECRETY_STRING_RE, "<redacted>");
+
+  // 2) Redact TOML assignments for secret-ish keys: FOO_TOKEN = "..."
+  out = out.replace(
+    /^(\s*[A-Za-z0-9_]*(TOKEN|KEY|SECRET|PASSWORD|PASS|BEARER)[A-Za-z0-9_]*\s*=\s*).+$/gim,
+    '$1"<redacted>"'
+  );
+
+  // 3) Redact inline env assignments embedded in strings: API_KEY="..."
+  out = out.replace(
+    /\b([A-Z0-9_]*(TOKEN|KEY|SECRET|PASSWORD|PASS|BEARER)[A-Z0-9_]*)="[^"]*"/gi,
+    '$1="<redacted>"'
+  );
+
+  // 4) As a last pass, redact any remaining long quoted values for secret-ish keys
+  // inside nested tables (best-effort).
+  out = out.replace(
+    /^(\s*[A-Za-z0-9_]*(TOKEN|KEY|SECRET|PASSWORD|PASS|BEARER)[A-Za-z0-9_]*\s*=\s*)'.*'$/gim,
+    "$1'<redacted>'"
+  );
+
+  return out;
+}
+
+export function sanitizeCodexTomlForAudit(value: unknown): unknown {
+  // Keep this file focused; callers can use sanitizeCodexTomlMcpText() on strings.
+  if (typeof value === "string") {
+    // Avoid leaking token-like substrings when embedding in other payloads.
+    const redacted = value.replace(SECRETY_STRING_RE, "<redacted>");
+    if (SECRET_KEY_RE.test(value)) {
+      return "<redacted>";
+    }
+    return redacted;
+  }
+  return value;
+}

package/src/util/json.ts

@@ -0,0 +1,32 @@
+import { parse as parseJsonc } from "jsonc-parser";
+
+type JsoncParseError = { error: number; offset: number; length: number };
+
+/**
+ * Parse JSON, falling back to JSONC (comments + trailing commas).
+ *
+ * This is mainly needed for VS Code-like settings files (`settings.json`) which
+ * are commonly JSONC.
+ */
+export function parseJsonLenient(text: string): unknown {
+  try {
+    return JSON.parse(text) as unknown;
+  } catch {
+    // fall through to JSONC
+  }
+
+  const errors: JsoncParseError[] = [];
+  const value = parseJsonc(text, errors, {
+    allowTrailingComma: true,
+    disallowComments: false,
+  });
+
+  if (errors.length) {
+    const first = errors[0];
+    throw new Error(
+      `JSONC Parse error at offset ${first?.offset ?? 0} (code ${first?.error ?? "unknown"})`
+    );
+  }
+
+  return value as unknown;
+}

package/src/util/skills.ts

@@ -0,0 +1,55 @@
+import { basename } from "node:path";
+import type { ScanResult } from "../scan";
+
+export interface SkillOccurrence {
+  name: string;
+  count: number;
+  // One entry per appearance, formatted as "<sourceId>:<entryDir>".
+  locations: string[];
+}
+
+function skillNameFromEntryDir(entryDir: string): string {
+  // The skill name is derived from the directory that contains SKILL.md.
+  // e.g. /path/to/skills/my-skill -> my-skill
+  return basename(entryDir);
+}
+
+export function computeSkillOccurrences(res: ScanResult): SkillOccurrence[] {
+  const byName = new Map<string, { count: number; locations: Set<string> }>();
+
+  for (const src of res.sources) {
+    for (const entryDir of src.skills.entries) {
+      const name = skillNameFromEntryDir(entryDir);
+      const cur = byName.get(name) ?? {
+        count: 0,
+        locations: new Set<string>(),
+      };
+      cur.count += 1;
+      cur.locations.add(`${src.id}:${entryDir}`);
+      byName.set(name, cur);
+    }
+  }
+
+  return [...byName.entries()]
+    .map(([name, v]) => ({
+      name,
+      count: v.count,
+      locations: [...v.locations].sort(),
+    }))
+    .sort((a, b) => b.count - a.count || a.name.localeCompare(b.name));
+}
+
+export async function lastModified(p: string): Promise<Date | null> {
+  try {
+    const st = await Bun.file(p).stat();
+    if (st.mtime instanceof Date) {
+      return st.mtime;
+    }
+    if (typeof st.mtimeMs === "number") {
+      return new Date(st.mtimeMs);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}