fivosense 0.1.0

package/src/engine/verify.ts

@@ -0,0 +1,94 @@
+/**
+ * Fix Verification - Re-analyze code after fix to check for regressions
+ */
+
+import { buildDataFlowGraph, getVulnerablePaths } from './graph.js';
+import { generateTaintTraces } from './taint.js';
+
+export interface VerificationResult {
+  success: boolean;
+  originalIssues: number;
+  remainingIssues: number;
+  newIssues: number;
+  regression: boolean;
+  message: string;
+}
+
+/**
+ * Verify that a fix actually resolved the vulnerability
+ */
+export function verifyFix(
+  originalCode: string,
+  fixedCode: string,
+  targetLine: number
+): VerificationResult {
+  // Analyze original code
+  const originalGraph = buildDataFlowGraph(originalCode);
+  const originalTraces = generateTaintTraces(originalGraph, 'original.js');
+  const originalVulns = originalTraces.filter(t => !t.sanitized);
+  
+  // Analyze fixed code
+  const fixedGraph = buildDataFlowGraph(fixedCode);
+  const fixedTraces = generateTaintTraces(fixedGraph, 'fixed.js');
+  const fixedVulns = fixedTraces.filter(t => !t.sanitized);
+  
+  // Check for target vulnerability
+  const targetVuln = originalVulns.find(v => v.location.line === targetLine);
+  const targetFixed = !fixedVulns.find(v => v.location.line === targetLine);
+  
+  // Check for regressions (new vulnerabilities introduced)
+  const newIssues = fixedVulns.filter(fv => 
+    !originalVulns.some(ov => 
+      ov.location.line === fv.location.line && 
+      ov.category === fv.category
+    )
+  ).length;
+  
+  const regression = newIssues > 0;
+  
+  let message = '';
+  if (targetFixed && !regression) {
+    message = '✅ Fix verified: vulnerability resolved, no regressions';
+  } else if (targetFixed && regression) {
+    message = `⚠️ Fix applied but introduced ${newIssues} new issue(s)`;
+  } else if (!targetFixed) {
+    message = '❌ Fix failed: vulnerability still present';
+  }
+  
+  return {
+    success: targetFixed && !regression,
+    originalIssues: originalVulns.length,
+    remainingIssues: fixedVulns.length,
+    newIssues,
+    regression,
+    message,
+  };
+}
+
+/**
+ * Verify multiple fixes
+ */
+export function verifyMultipleFixes(
+  originalCode: string,
+  fixedCode: string
+): VerificationResult {
+  const originalGraph = buildDataFlowGraph(originalCode);
+  const originalTraces = generateTaintTraces(originalGraph, 'original.js');
+  const originalVulns = originalTraces.filter(t => !t.sanitized);
+  
+  const fixedGraph = buildDataFlowGraph(fixedCode);
+  const fixedTraces = generateTaintTraces(fixedGraph, 'fixed.js');
+  const fixedVulns = fixedTraces.filter(t => !t.sanitized);
+  
+  const resolved = originalVulns.length - fixedVulns.length;
+  const newIssues = Math.max(0, fixedVulns.length - originalVulns.length);
+  
+  return {
+    success: fixedVulns.length < originalVulns.length && newIssues === 0,
+    originalIssues: originalVulns.length,
+    remainingIssues: fixedVulns.length,
+    newIssues,
+    regression: newIssues > 0,
+    message: `Resolved ${resolved} issue(s), ${newIssues} new issue(s) introduced`,
+  };
+}

package/src/features/badge.ts

@@ -0,0 +1,102 @@
+/**
+ * Security Badge Generator - Creates shareable security report cards
+ */
+
+import { AuditResult } from '../index.js';
+
+export interface SecurityBadge {
+  grade: string;
+  score: number;
+  color: string;
+  markdown: string;
+  shield: string;
+}
+
+/**
+ * Generate security badge
+ */
+export function generateBadge(result: AuditResult): SecurityBadge {
+  const grade = calculateGrade(result);
+  const score = calculateScore(result);
+  const color = getGradeColor(grade);
+  
+  const shield = `https://img.shields.io/badge/security-${grade}-${color}`;
+  
+  const markdown = `## 🛡️ Security Report Card
+
+![Security Grade](${shield})
+
+**Grade:** ${grade}  
+**Score:** ${score}/100
+
+### Summary
+- Total Issues: ${result.summary.total}
+- Critical: ${result.summary.critical}
+- High: ${result.summary.high}
+- Medium: ${result.summary.medium}
+
+---
+Scanned by [FivoSense](https://github.com/fivosense) — Neuro-symbolic AI security scanner
+`;
+  
+  return {
+    grade,
+    score,
+    color,
+    markdown,
+    shield,
+  };
+}
+
+/**
+ * Calculate security grade (A+ to F)
+ */
+function calculateGrade(result: AuditResult): string {
+  const { summary } = result;
+  
+  if (summary.total === 0) return 'A+';
+  if (summary.critical === 0 && summary.high === 0) return 'A';
+  if (summary.critical === 0 && summary.high <= 2) return 'B';
+  if (summary.critical === 0 && summary.high <= 5) return 'C';
+  if (summary.critical <= 1) return 'D';
+  return 'F';
+}
+
+/**
+ * Calculate numeric security score (0-100)
+ */
+function calculateScore(result: AuditResult): number {
+  const { summary } = result;
+  
+  // Start at 100, deduct for issues
+  let score = 100;
+  score -= summary.critical * 20;  // -20 per critical
+  score -= summary.high * 10;      // -10 per high
+  score -= summary.medium * 5;     // -5 per medium
+  
+  return Math.max(0, score);
+}
+
+/**
+ * Get color for grade
+ */
+function getGradeColor(grade: string): string {
+  const colors: Record<string, string> = {
+    'A+': 'brightgreen',
+    'A': 'green',
+    'B': 'yellowgreen',
+    'C': 'yellow',
+    'D': 'orange',
+    'F': 'red',
+  };
+  
+  return colors[grade] || 'lightgrey';
+}
+
+/**
+ * Generate badge markdown for README
+ */
+export function generateBadgeMarkdown(result: AuditResult): string {
+  const badge = generateBadge(result);
+  return badge.markdown;
+}

package/src/features/fix.ts

@@ -0,0 +1,138 @@
+/**
+ * Auto-fix Generator - Suggests and applies security fixes
+ */
+
+import { TaintTrace } from '../engine/taint.js';
+
+export interface SecurityFix {
+  original: string;
+  fixed: string;
+  explanation: string;
+  confidence: number;
+  type: 'sanitize' | 'parameterize' | 'encode' | 'validate';
+}
+
+/**
+ * Generate fix for a vulnerability
+ */
+export function generateFix(trace: TaintTrace, code: string): SecurityFix | null {
+  const { category, location } = trace;
+  
+  switch (category) {
+    case 'sql':
+      return generateSQLFix(trace, code);
+    case 'xss':
+      return generateXSSFix(trace, code);
+    case 'command':
+      return generateCommandFix(trace, code);
+    default:
+      return null;
+  }
+}
+
+/**
+ * Generate SQL injection fix
+ */
+function generateSQLFix(trace: TaintTrace, code: string): SecurityFix {
+  // Extract the vulnerable line
+  const lines = code.split('\n');
+  const line = lines[trace.location.line - 1] || '';
+  
+  // Detect query pattern
+  if (line.includes('db.execute') || line.includes('db.query')) {
+    return {
+      original: line.trim(),
+      fixed: line.replace(/`([^`]+)`/, (match, query) => {
+        // Convert template literal to parameterized query
+        const parameterized = query.replace(/\$\{([^}]+)\}/g, '?');
+        return `'${parameterized}', [${query.match(/\$\{([^}]+)\}/g)?.map((m: string) => m.slice(2, -1)).join(', ') || ''}]`;
+      }),
+      explanation: 'Use parameterized queries to prevent SQL injection',
+      confidence: 0.9,
+      type: 'parameterize',
+    };
+  }
+  
+  return {
+    original: line.trim(),
+    fixed: line.trim(),
+    explanation: 'Manual review required - complex SQL pattern',
+    confidence: 0.5,
+    type: 'validate',
+  };
+}
+
+/**
+ * Generate XSS fix
+ */
+function generateXSSFix(trace: TaintTrace, code: string): SecurityFix {
+  const lines = code.split('\n');
+  const line = lines[trace.location.line - 1] || '';
+  
+  if (line.includes('res.send')) {
+    return {
+      original: line.trim(),
+      fixed: line.replace(/res\.send\(([^)]+)\)/, 'res.send(escapeHtml($1))'),
+      explanation: 'Escape HTML to prevent XSS',
+      confidence: 0.85,
+      type: 'encode',
+    };
+  }
+  
+  if (line.includes('innerHTML')) {
+    return {
+      original: line.trim(),
+      fixed: line.replace(/\.innerHTML\s*=/, '.textContent ='),
+      explanation: 'Use textContent instead of innerHTML to prevent XSS',
+      confidence: 0.9,
+      type: 'encode',
+    };
+  }
+  
+  return {
+    original: line.trim(),
+    fixed: line.trim(),
+    explanation: 'Manual review required - XSS context unclear',
+    confidence: 0.5,
+    type: 'encode',
+  };
+}
+
+/**
+ * Generate command injection fix
+ */
+function generateCommandFix(trace: TaintTrace, code: string): SecurityFix {
+  const lines = code.split('\n');
+  const line = lines[trace.location.line - 1] || '';
+  
+  if (line.includes('exec(')) {
+    return {
+      original: line.trim(),
+      fixed: line.replace(/exec\(([^)]+)\)/, 'execFile(command, args)'),
+      explanation: 'Use execFile with array arguments to prevent command injection',
+      confidence: 0.8,
+      type: 'validate',
+    };
+  }
+  
+  return {
+    original: line.trim(),
+    fixed: line.trim(),
+    explanation: 'Validate and sanitize all command arguments',
+    confidence: 0.6,
+    type: 'validate',
+  };
+}
+
+/**
+ * Apply fix to code
+ */
+export function applyFix(code: string, fix: SecurityFix, lineNumber: number): string {
+  const lines = code.split('\n');
+  if (lineNumber < 1 || lineNumber > lines.length) {
+    return code;
+  }
+  
+  lines[lineNumber - 1] = fix.fixed;
+  return lines.join('\n');
+}

package/src/features/roast.ts

@@ -0,0 +1,110 @@
+/**
+ * Roast Mode - Generates viral, shareable roasts for insecure code
+ */
+
+import { AuditResult } from '../index.js';
+
+export interface Roast {
+  title: string;
+  message: string;
+  severity: 'mild' | 'spicy' | 'brutal';
+  emoji: string;
+}
+
+/**
+ * Generate roast based on audit results
+ */
+export function generateRoast(result: AuditResult): Roast {
+  const { summary } = result;
+  const total = summary.total;
+  const critical = summary.critical;
+  const high = summary.high;
+  
+  if (total === 0) {
+    return {
+      title: 'Clean Code Champion',
+      message: '🎉 No vulnerabilities found! Your code is cleaner than your browser history.',
+      severity: 'mild',
+      emoji: '✨',
+    };
+  }
+  
+  if (critical >= 3) {
+    return {
+      title: 'Security Nightmare',
+      message: `💀 ${critical} critical vulnerabilities? Even script kiddies are embarrassed for you. This code is more open than a 24/7 convenience store.`,
+      severity: 'brutal',
+      emoji: '💀',
+    };
+  }
+  
+  if (critical >= 1) {
+    return {
+      title: 'Living Dangerously',
+      message: `🔥 ${critical} critical issue(s) detected. Your code has more holes than Swiss cheese. SQL injection goes brrr.`,
+      severity: 'spicy',
+      emoji: '🔥',
+    };
+  }
+  
+  if (high >= 3) {
+    return {
+      title: 'Almost There',
+      message: `⚠️ ${high} high-severity issues. You're one XSS away from trending on HackerNews for the wrong reasons.`,
+      severity: 'spicy',
+      emoji: '⚠️',
+    };
+  }
+  
+  return {
+    title: 'Needs Improvement',
+    message: `📝 ${total} security issue(s) found. Not terrible, but your future self will judge you.`,
+    severity: 'mild',
+    emoji: '📝',
+  };
+}
+
+/**
+ * Format roast for display
+ */
+export function formatRoast(roast: Roast): string {
+  return `
+${roast.emoji} ${roast.title} ${roast.emoji}
+
+${roast.message}
+`;
+}
+
+/**
+ * Generate shareable roast badge
+ */
+export function generateRoastBadge(result: AuditResult): string {
+  const roast = generateRoast(result);
+  const grade = getSecurityGrade(result);
+  
+  return `
+## 🛡️ FivoSense Security Roast
+
+**Grade:** ${grade}  
+**Verdict:** ${roast.title}
+
+${roast.message}
+
+---
+Roasted by [FivoSense](https://github.com/fivosense) — Neuro-symbolic security scanner
+`;
+}
+
+/**
+ * Get security grade (A-F)
+ */
+function getSecurityGrade(result: AuditResult): string {
+  const { summary } = result;
+  
+  if (summary.total === 0) return 'A+';
+  if (summary.critical === 0 && summary.high === 0) return 'A';
+  if (summary.critical === 0 && summary.high <= 2) return 'B';
+  if (summary.critical === 0) return 'C';
+  if (summary.critical <= 1) return 'D';
+  return 'F';
+}

package/src/hooks/agent.ts

@@ -0,0 +1,84 @@
+/**
+ * Agent PreToolUse Hook - Blocks dangerous AI actions in real-time
+ */
+
+import { detectDestructive } from '../rules/destructive.js';
+import { detectSecrets } from '../rules/secrets.js';
+
+export interface BlockResult {
+  blocked: boolean;
+  reason: string;
+  severity: 'critical' | 'high' | 'medium';
+  suggestion?: string;
+}
+
+/**
+ * Check if proposed action should be blocked
+ */
+export function checkAction(action: string, code?: string): BlockResult {
+  // Check for destructive commands
+  const destructive = detectDestructive(action);
+  if (destructive.length > 0) {
+    return {
+      blocked: true,
+      reason: `Destructive command detected: ${destructive[0].description}`,
+      severity: destructive[0].severity,
+      suggestion: 'Review the command carefully before executing',
+    };
+  }
+  
+  // Check for hardcoded secrets in code
+  if (code) {
+    const secrets = detectSecrets(code);
+    if (secrets.length > 0) {
+      return {
+        blocked: true,
+        reason: `Hardcoded secret detected: ${secrets[0].description}`,
+        severity: 'high',
+        suggestion: 'Use environment variables instead',
+      };
+    }
+  }
+  
+  return {
+    blocked: false,
+    reason: '',
+    severity: 'medium',
+  };
+}
+
+/**
+ * PreToolUse hook for AI agents
+ * Returns exit code 2 if action should be blocked
+ */
+export function preToolUseHook(toolName: string, args: any): number {
+  // Check file write operations
+  if (toolName === 'write_file' || toolName === 'edit_file') {
+    const content = args.content || args.new_content || '';
+    const result = checkAction('', content);
+    
+    if (result.blocked) {
+      console.error(`\n❌ BLOCKED: ${result.reason}`);
+      if (result.suggestion) {
+        console.error(`💡 Suggestion: ${result.suggestion}`);
+      }
+      return 2; // Exit code 2 signals block
+    }
+  }
+  
+  // Check shell commands
+  if (toolName === 'bash' || toolName === 'execute') {
+    const command = args.command || args.cmd || '';
+    const result = checkAction(command);
+    
+    if (result.blocked) {
+      console.error(`\n❌ BLOCKED: ${result.reason}`);
+      if (result.suggestion) {
+        console.error(`💡 Suggestion: ${result.suggestion}`);
+      }
+      return 2;
+    }
+  }
+  
+  return 0; // Allow
+}

package/src/index.ts

@@ -0,0 +1,147 @@
+/**
+ * FivoSense - Neuro-symbolic AI security plugin
+ * Entry point for the engine
+ */
+
+import { readFileSync, statSync } from 'fs';
+import { buildDataFlowGraph, getVulnerablePaths } from './engine/graph.js';
+import { generateTaintTraces, getVulnerableTraces, formatTrace } from './engine/taint.js';
+import { detectSecrets } from './rules/secrets.js';
+import { detectDestructive } from './rules/destructive.js';
+
+export interface AuditResult {
+  vulnerabilities: any[];
+  secrets: any[];
+  destructive: any[];
+  summary: {
+    total: number;
+    critical: number;
+    high: number;
+    medium: number;
+  };
+}
+
+// Security: Max file size to prevent memory exhaustion
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+
+/**
+ * Audit a file for security issues
+ */
+export async function auditFile(filepath: string): Promise<AuditResult> {
+  // Security check: File size limit
+  const stats = statSync(filepath);
+  if (stats.size > MAX_FILE_SIZE) {
+    throw new Error(`File too large: ${(stats.size / 1024 / 1024).toFixed(2)}MB (max ${MAX_FILE_SIZE / 1024 / 1024}MB)`);
+  }
+  
+  const code = readFileSync(filepath, 'utf-8');
+  return auditCode(code, filepath);
+}
+
+/**
+ * Audit code string for security issues
+ */
+export async function auditCode(code: string, filename = 'input.js'): Promise<AuditResult> {
+  // Security check: Code length
+  if (code.length > MAX_FILE_SIZE) {
+    throw new Error(`Code too large: ${(code.length / 1024 / 1024).toFixed(2)}MB (max ${MAX_FILE_SIZE / 1024 / 1024}MB)`);
+  }
+  
+  // Build data-flow graph
+  const graph = buildDataFlowGraph(code, filename);
+  
+  // Generate taint traces
+  const allTraces = generateTaintTraces(graph, filename);
+  const vulnerabilities = getVulnerableTraces(allTraces);
+  
+  // Detect secrets
+  const secrets = detectSecrets(code);
+  
+  // Detect destructive commands
+  const destructive = detectDestructive(code);
+  
+  // Calculate summary
+  const criticalCount = vulnerabilities.filter(v => v.severity === 'critical').length + 
+                        destructive.filter(d => d.severity === 'critical').length;
+  const highCount = vulnerabilities.filter(v => v.severity === 'high').length + 
+                    secrets.length + 
+                    destructive.filter(d => d.severity === 'high').length;
+  const mediumCount = vulnerabilities.filter(v => v.severity === 'medium').length;
+  
+  return {
+    vulnerabilities,
+    secrets,
+    destructive,
+    summary: {
+      total: vulnerabilities.length + secrets.length + destructive.length,
+      critical: criticalCount,
+      high: highCount,
+      medium: mediumCount,
+    },
+  };
+}
+
+/**
+ * Format audit result for display
+ */
+export function formatAuditResult(result: AuditResult): string {
+  const lines: string[] = [];
+  
+  lines.push('🛡️  FivoSense Security Audit\n');
+  lines.push('═'.repeat(50));
+  lines.push('');
+  
+  // Summary
+  lines.push('📊 Summary:');
+  lines.push(`   Total findings: ${result.summary.total}`);
+  lines.push(`   Critical: ${result.summary.critical}`);
+  lines.push(`   High: ${result.summary.high}`);
+  lines.push(`   Medium: ${result.summary.medium}`);
+  lines.push('');
+  
+  // Vulnerabilities
+  if (result.vulnerabilities.length > 0) {
+    lines.push('❌ Vulnerabilities:');
+    lines.push('');
+    result.vulnerabilities.forEach((vuln, i) => {
+      lines.push(`${i + 1}. ${formatTrace(vuln)}`);
+      lines.push('');
+    });
+  }
+  
+  // Secrets
+  if (result.secrets.length > 0) {
+    lines.push('🔑 Hardcoded Secrets:');
+    lines.push('');
+    result.secrets.forEach((secret, i) => {
+      lines.push(`${i + 1}. [${secret.severity.toUpperCase()}] ${secret.description}`);
+      lines.push(`   Line ${secret.line}: ${secret.match}`);
+      lines.push('');
+    });
+  }
+  
+  // Destructive commands
+  if (result.destructive.length > 0) {
+    lines.push('💥 Destructive Commands:');
+    lines.push('');
+    result.destructive.forEach((cmd, i) => {
+      lines.push(`${i + 1}. [${cmd.severity.toUpperCase()}] ${cmd.description}`);
+      lines.push(`   Category: ${cmd.category}`);
+      lines.push('');
+    });
+  }
+  
+  if (result.summary.total === 0) {
+    lines.push('✅ No security issues found!');
+  }
+  
+  return lines.join('\n');
+}
+
+// Export main functions
+export * from './engine/graph.js';
+export * from './engine/taint.js';
+export * from './engine/sources.js';
+export * from './engine/sinks.js';
+export * from './rules/secrets.js';
+export * from './rules/destructive.js';