fivosense 0.1.0

package/src/rules/destructive.ts

@@ -0,0 +1,131 @@
+/**
+ * Destructive command detection
+ * Blocks dangerous operations: rm -rf, DROP TABLE, mass deletes, etc.
+ */
+
+export interface DestructivePattern {
+  pattern: RegExp;
+  description: string;
+  severity: 'critical' | 'high';
+  category: 'filesystem' | 'database' | 'system';
+}
+
+/**
+ * Filesystem destructive patterns
+ */
+export const FS_DESTRUCTIVE: DestructivePattern[] = [
+  {
+    pattern: /rm\s+-rf\s+[\/~]/,
+    description: 'Recursive force delete from root',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /rm\s+-rf\s+\*/,
+    description: 'Recursive force delete with wildcard',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /unlink\s*\(\s*['"]\/['"]\s*\)/,
+    description: 'Unlink root directory',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /fs\.rmdir\s*\(\s*['"]\/['"]/,
+    description: 'Remove root directory',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+];
+
+/**
+ * Database destructive patterns
+ */
+export const DB_DESTRUCTIVE: DestructivePattern[] = [
+  {
+    pattern: /DROP\s+TABLE/i,
+    description: 'SQL DROP TABLE',
+    severity: 'critical',
+    category: 'database',
+  },
+  {
+    pattern: /DROP\s+DATABASE/i,
+    description: 'SQL DROP DATABASE',
+    severity: 'critical',
+    category: 'database',
+  },
+  {
+    pattern: /TRUNCATE\s+TABLE/i,
+    description: 'SQL TRUNCATE TABLE',
+    severity: 'high',
+    category: 'database',
+  },
+  {
+    pattern: /DELETE\s+FROM\s+\w+\s*;/i,
+    description: 'SQL DELETE without WHERE clause',
+    severity: 'critical',
+    category: 'database',
+  },
+  {
+    pattern: /db\.collection\(\w+\)\.drop\(\)/,
+    description: 'MongoDB collection drop',
+    severity: 'high',
+    category: 'database',
+  },
+];
+
+/**
+ * System destructive patterns
+ */
+export const SYSTEM_DESTRUCTIVE: DestructivePattern[] = [
+  {
+    pattern: /shutdown|reboot|halt/i,
+    description: 'System shutdown command',
+    severity: 'critical',
+    category: 'system',
+  },
+  {
+    pattern: /kill\s+-9\s+1/,
+    description: 'Kill init process',
+    severity: 'critical',
+    category: 'system',
+  },
+];
+
+/**
+ * All destructive patterns
+ */
+export const ALL_DESTRUCTIVE = [
+  ...FS_DESTRUCTIVE,
+  ...DB_DESTRUCTIVE,
+  ...SYSTEM_DESTRUCTIVE,
+];
+
+/**
+ * Check if code contains destructive patterns
+ */
+export function detectDestructive(code: string): DestructivePattern[] {
+  const matches: DestructivePattern[] = [];
+  
+  for (const pattern of ALL_DESTRUCTIVE) {
+    if (pattern.pattern.test(code)) {
+      matches.push(pattern);
+    }
+  }
+  
+  return matches;
+}
+
+/**
+ * Check if specific line contains destructive command
+ */
+export function isDestructiveLine(line: string): DestructivePattern | null {
+  for (const pattern of ALL_DESTRUCTIVE) {
+    if (pattern.pattern.test(line)) {
+      return pattern;
+    }
+  }
+  return null;
+}

package/src/rules/secrets.ts

@@ -0,0 +1,120 @@
+/**
+ * Secret detection - finds hardcoded API keys, tokens, passwords
+ */
+
+export interface SecretPattern {
+  pattern: RegExp;
+  type: string;
+  description: string;
+  severity: 'high' | 'medium';
+}
+
+/**
+ * Common secret patterns
+ */
+export const SECRET_PATTERNS: SecretPattern[] = [
+  {
+    pattern: /['"][A-Za-z0-9_]{32,}['"]/,
+    type: 'generic_token',
+    description: 'Generic API token (32+ chars)',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]sk-[A-Za-z0-9]{48}['"]/,
+    type: 'openai_key',
+    description: 'OpenAI API key',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]AIza[A-Za-z0-9_-]{35}['"]/,
+    type: 'google_api_key',
+    description: 'Google API key',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]AKIA[A-Z0-9]{16}['"]/,
+    type: 'aws_access_key',
+    description: 'AWS Access Key ID',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]ghp_[A-Za-z0-9]{36}['"]/,
+    type: 'github_token',
+    description: 'GitHub Personal Access Token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]xox[baprs]-[A-Za-z0-9-]{10,}['"]/,
+    type: 'slack_token',
+    description: 'Slack Token',
+    severity: 'high',
+  },
+  {
+    pattern: /password\s*[:=]\s*['"][^'"]+['"]/i,
+    type: 'password',
+    description: 'Hardcoded password',
+    severity: 'high',
+  },
+  {
+    pattern: /api[_-]?key\s*[:=]\s*['"][^'"]+['"]/i,
+    type: 'api_key',
+    description: 'Hardcoded API key',
+    severity: 'high',
+  },
+  {
+    pattern: /secret\s*[:=]\s*['"][^'"]+['"]/i,
+    type: 'secret',
+    description: 'Hardcoded secret',
+    severity: 'high',
+  },
+];
+
+export interface SecretMatch {
+  type: string;
+  description: string;
+  severity: 'high' | 'medium';
+  line: number;
+  match: string;
+}
+
+/**
+ * Detect secrets in code
+ */
+export function detectSecrets(code: string): SecretMatch[] {
+  const lines = code.split('\n');
+  const matches: SecretMatch[] = [];
+
+  lines.forEach((line, index) => {
+    // Skip comments
+    if (line.trim().startsWith('//') || line.trim().startsWith('*')) {
+      return;
+    }
+
+    for (const pattern of SECRET_PATTERNS) {
+      const match = line.match(pattern.pattern);
+      if (match) {
+        matches.push({
+          type: pattern.type,
+          description: pattern.description,
+          severity: pattern.severity,
+          line: index + 1,
+          match: match[0].substring(0, 20) + '...',
+        });
+      }
+    }
+  });
+
+  return matches;
+}
+
+/**
+ * Check if specific line contains a secret
+ */
+export function isSecretLine(line: string): SecretPattern | null {
+  for (const pattern of SECRET_PATTERNS) {
+    if (pattern.pattern.test(line)) {
+      return pattern;
+    }
+  }
+  return null;
+}

package/test/engine.test.ts

@@ -0,0 +1,110 @@
+/**
+ * FivoCore Engine Tests
+ */
+
+import { describe, it, expect } from 'vitest';
+import { buildDataFlowGraph, getVulnerablePaths } from '../src/engine/graph.js';
+import { generateTaintTraces, getVulnerableTraces } from '../src/engine/taint.js';
+import { detectSecrets } from '../src/rules/secrets.js';
+import { detectDestructive } from '../src/rules/destructive.js';
+
+describe('FivoCore Engine', () => {
+  describe('Taint Analysis', () => {
+    it('should detect SQL injection', () => {
+      const code = `
+        const userId = req.query.id;
+        const query = \`SELECT * FROM users WHERE id = \${userId}\`;
+        db.execute(query);
+      `;
+      
+      const graph = buildDataFlowGraph(code);
+      const vulnPaths = getVulnerablePaths(graph);
+      
+      expect(vulnPaths.length).toBeGreaterThan(0);
+      expect(vulnPaths[0].sink.sinkPattern?.category).toBe('sql');
+    });
+    
+    it('should detect XSS', () => {
+      const code = `
+        const name = req.query.name;
+        res.send('<h1>Hello ' + name + '</h1>');
+      `;
+      
+      const graph = buildDataFlowGraph(code);
+      const vulnPaths = getVulnerablePaths(graph);
+      
+      expect(vulnPaths.length).toBeGreaterThan(0);
+      expect(vulnPaths[0].sink.sinkPattern?.category).toBe('xss');
+    });
+    
+    it('should detect command injection', () => {
+      const code = `
+        const file = req.body.filename;
+        exec('tar -czf backup.tar.gz ' + file);
+      `;
+      
+      const graph = buildDataFlowGraph(code);
+      const vulnPaths = getVulnerablePaths(graph);
+      
+      expect(vulnPaths.length).toBeGreaterThan(0);
+      expect(vulnPaths[0].sink.sinkPattern?.category).toBe('command');
+    });
+    
+    it('should track taint through variables', () => {
+      const code = `
+        const userInput = req.query.name;
+        const greeting = 'Hello ' + userInput;
+        res.send(greeting);
+      `;
+      
+      const graph = buildDataFlowGraph(code);
+      const vulnPaths = getVulnerablePaths(graph);
+      
+      expect(vulnPaths.length).toBeGreaterThan(0);
+    });
+  });
+  
+  describe('Secret Detection', () => {
+    it('should detect hardcoded API keys', () => {
+      const code = `
+        const apiKey = "sk-AbCdEfGhIjKlMnOpQrStUvWxYz1234567890123456";
+        const client = new OpenAI({ apiKey });
+      `;
+      
+      const secrets = detectSecrets(code);
+      expect(secrets.length).toBeGreaterThan(0);
+      // Match either openai_key or api_key (both valid)
+      expect(['openai_key', 'api_key']).toContain(secrets[0].type);
+    });
+    
+    it('should detect hardcoded passwords', () => {
+      const code = `
+        const config = {
+          password: "SuperSecret123"
+        };
+      `;
+      
+      const secrets = detectSecrets(code);
+      expect(secrets.length).toBeGreaterThan(0);
+      expect(secrets[0].type).toBe('password');
+    });
+  });
+  
+  describe('Destructive Command Detection', () => {
+    it('should detect rm -rf', () => {
+      const code = `exec('rm -rf /')`;
+      const destructive = detectDestructive(code);
+      
+      expect(destructive.length).toBeGreaterThan(0);
+      expect(destructive[0].severity).toBe('critical');
+    });
+    
+    it('should detect DROP TABLE', () => {
+      const code = `db.execute('DROP TABLE users')`;
+      const destructive = detectDestructive(code);
+      
+      expect(destructive.length).toBeGreaterThan(0);
+      expect(destructive[0].category).toBe('database');
+    });
+  });
+});

package/test/features.test.ts

@@ -0,0 +1,131 @@
+/**
+ * Features Tests - Roast, Badge, Fix, Verify
+ */
+
+import { describe, it, expect } from 'vitest';
+import { generateRoast } from '../src/features/roast.js';
+import { generateBadge } from '../src/features/badge.js';
+import { generateFix } from '../src/features/fix.js';
+import { verifyFix } from '../src/engine/verify.js';
+import { auditCode } from '../src/index.js';
+
+describe('Features', () => {
+  describe('Roast Mode', () => {
+    it('should generate roast for clean code', async () => {
+      const result = await auditCode('const x = 1;');
+      const roast = generateRoast(result);
+      
+      expect(roast.title).toBe('Clean Code Champion');
+      expect(roast.severity).toBe('mild');
+    });
+    
+    it('should generate spicy/brutal roast for multiple critical issues', async () => {
+      const code = `
+        const id = req.query.id;
+        db.execute(\`DELETE FROM users WHERE id = \${id}\`);
+        exec('rm -rf ' + req.body.path);
+        res.send('<h1>' + req.query.name + '</h1>');
+      `;
+      
+      const result = await auditCode(code);
+      const roast = generateRoast(result);
+      
+      expect(['spicy', 'brutal']).toContain(roast.severity);
+    });
+  });
+  
+  describe('Security Badge', () => {
+    it('should generate A+ grade for clean code', async () => {
+      const result = await auditCode('const x = 1;');
+      const badge = generateBadge(result);
+      
+      expect(badge.grade).toBe('A+');
+      expect(badge.score).toBe(100);
+      expect(badge.color).toBe('brightgreen');
+    });
+    
+    it('should generate low grade for critical issues', async () => {
+      const code = `
+        const id = req.query.id;
+        db.execute(\`DELETE FROM users WHERE id = \${id}\`);
+        exec('rm -rf ' + req.body.path);
+      `;
+      
+      const result = await auditCode(code);
+      const badge = generateBadge(result);
+      
+      expect(['D', 'F']).toContain(badge.grade);
+      expect(badge.score).toBeLessThan(100);
+    });
+  });
+  
+  describe('Fix Generation', () => {
+    it('should generate SQL injection fix', async () => {
+      const code = `
+        const userId = req.query.id;
+        const query = \`SELECT * FROM users WHERE id = \${userId}\`;
+        db.execute(query);
+      `;
+      
+      const result = await auditCode(code);
+      const vuln = result.vulnerabilities[0];
+      const fix = generateFix(vuln, code);
+      
+      expect(fix).not.toBeNull();
+      expect(fix?.type).toBe('parameterize');
+      expect(fix?.confidence).toBeGreaterThan(0.5);
+    });
+    
+    it('should generate XSS fix', async () => {
+      const code = `
+        const name = req.query.name;
+        res.send('<h1>Hello ' + name + '</h1>');
+      `;
+      
+      const result = await auditCode(code);
+      const vuln = result.vulnerabilities[0];
+      const fix = generateFix(vuln, code);
+      
+      expect(fix).not.toBeNull();
+      expect(fix?.type).toBe('encode');
+    });
+  });
+  
+  describe('Fix Verification', () => {
+    it('should verify successful fix', () => {
+      const original = `
+        const userId = req.query.id;
+        db.execute(\`SELECT * FROM users WHERE id = \${userId}\`);
+      `;
+      
+      const fixed = `
+        const userId = parseInt(req.query.id);
+        db.execute(\`SELECT * FROM users WHERE id = \${userId}\`);
+      `;
+      
+      const verification = verifyFix(original, fixed, 3);
+      
+      expect(verification.success).toBe(true);
+      expect(verification.regression).toBe(false);
+    });
+    
+    it('should detect regressions', () => {
+      const original = `
+        const userId = req.query.id;
+        db.execute(\`SELECT * FROM users WHERE id = \${userId}\`);
+      `;
+      
+      const fixed = `
+        const userId = req.query.id;
+        const name = req.query.name;
+        db.execute(\`SELECT * FROM users WHERE id = \${userId}\`);
+        eval(name);
+      `;
+      
+      const verification = verifyFix(original, fixed, 3);
+      
+      expect(verification.regression).toBe(true);
+      expect(verification.newIssues).toBeGreaterThan(0);
+    });
+  });
+});

package/test/phase3.test.ts

@@ -0,0 +1,129 @@
+/**
+ * Phase 3 Tests - Reachability, Adversary, Agent Hooks
+ */
+
+import { describe, it, expect } from 'vitest';
+import { analyzeReachability, filterReachablePaths } from '../src/engine/reach.js';
+import { buildAdversarialPrompt, parseAdversarialResult } from '../src/engine/adversary.js';
+import { checkAction, preToolUseHook } from '../src/hooks/agent.js';
+
+describe('Phase 3 Features', () => {
+  describe('Reachability Analysis', () => {
+    it('should identify entry points', () => {
+      const code = `
+        app.get('/users', (req, res) => {
+          const id = req.query.id;
+          getUser(id);
+        });
+        
+        function getUser(id) {
+          return db.query('SELECT * FROM users WHERE id = ' + id);
+        }
+      `;
+      
+      const result = analyzeReachability(code);
+      
+      expect(result.entryPoints.length).toBeGreaterThan(0);
+      expect(result.entryPoints[0]).toContain('app.get');
+    });
+    
+    it('should filter reachable paths', () => {
+      const paths = [
+        { location: { line: 5 } },
+        { location: { line: 10 } },
+        { location: { line: 15 } },
+      ];
+      
+      const reachability = {
+        reachableFunctions: new Set(),
+        reachableLines: new Set([5, 10]),
+        entryPoints: [],
+        totalFunctions: 0,
+        reachableFunctions: 0,
+        reductionPercent: 0,
+      };
+      
+      const filtered = filterReachablePaths(paths, reachability);
+      
+      expect(filtered.length).toBe(2);
+    });
+  });
+  
+  describe('Adversarial Verification', () => {
+    it('should build adversarial prompt', () => {
+      const trace = {
+        finding: 'SQL Injection',
+        category: 'sql',
+        cwe: 'CWE-89',
+        path: 'req.query.id → db.execute',
+        evidence: [],
+        location: { file: 'test.js', line: 5, column: 0 },
+        sanitized: false,
+        confidence: 0.9,
+        severity: 'critical' as const,
+      };
+      
+      const prompt = buildAdversarialPrompt(trace, 'const id = req.query.id;');
+      
+      expect(prompt).toContain('security researcher');
+      expect(prompt).toContain('SQL Injection');
+      expect(prompt).toContain('exploit');
+    });
+    
+    it('should parse adversarial result', () => {
+      const response = `
+      Here's my analysis:
+      \`\`\`json
+      {
+        "exploitable": true,
+        "confidence": 0.95,
+        "attackVector": "SQL injection via query parameter",
+        "payload": "' OR '1'='1",
+        "reasoning": "No sanitization present"
+      }
+      \`\`\`
+      `;
+      
+      const result = parseAdversarialResult(response);
+      
+      expect(result).not.toBeNull();
+      expect(result?.exploitable).toBe(true);
+      expect(result?.confidence).toBe(0.95);
+    });
+  });
+  
+  describe('Agent Hooks', () => {
+    it('should block destructive commands', () => {
+      const result = checkAction('rm -rf /');
+      
+      expect(result.blocked).toBe(true);
+      expect(result.severity).toBe('critical');
+    });
+    
+    it('should block hardcoded secrets', () => {
+      const code = 'const apiKey = "sk-1234567890123456789012345678901234567890123456";';
+      const result = checkAction('', code);
+      
+      expect(result.blocked).toBe(true);
+      expect(result.severity).toBe('high');
+    });
+    
+    it('should allow safe actions', () => {
+      const result = checkAction('ls -la');
+      
+      expect(result.blocked).toBe(false);
+    });
+    
+    it('should return exit code 2 for blocked actions', () => {
+      const exitCode = preToolUseHook('bash', { command: 'rm -rf /' });
+      
+      expect(exitCode).toBe(2);
+    });
+    
+    it('should return exit code 0 for allowed actions', () => {
+      const exitCode = preToolUseHook('bash', { command: 'echo hello' });
+      
+      expect(exitCode).toBe(0);
+    });
+  });
+});

package/tsconfig.json

@@ -0,0 +1,20 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "node",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist", "test", "**/*.test.ts"]
+}

package/vitest.config.ts

@@ -0,0 +1,9 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+    include: ['test/**/*.test.ts'],
+  },
+});