fivosense 0.1.5 → 0.2.0

package/src/ai/judge.ts

@@ -1,7 +1,16 @@
+/**
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
 /**
  * AI Path Judge - Uses host AI to determine exploitability
  */
 
+import { callAI, getAIProviderFromEnv, type AIProvider } from './client.js';
+
 export interface PathJudgment {
   exploitable: boolean;
   confidence: number;
@@ -80,21 +89,56 @@ export function parsePathJudgment(response: string): PathJudgment | null {
 }
 
 /**
- * Placeholder for host AI integration
- * In Phase 2, this will call the actual host AI (Claude/etc.)
+ * Judge path exploitability using AI
  */
-export async function judgePathWithAI(context: PathContext): Promise<PathJudgment> {
-  const prompt = buildPathJudgePrompt(context);
+export async function judgePathWithAI(
+  context: PathContext,
+  provider?: AIProvider
+): Promise<PathJudgment> {
+  // Get provider from env if not provided
+  const aiProvider = provider || getAIProviderFromEnv();
   
-  // TODO: Phase 2 - integrate with host AI
-  // For now, return a conservative judgment
-  console.warn('⚠️  AI path judgment not yet integrated - using conservative defaults');
+  // If no AI provider available, return conservative judgment
+  if (!aiProvider) {
+    console.warn('⚠️  No AI provider configured - using conservative defaults');
+    console.warn('💡 Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or OLLAMA_HOST to enable AI judgment');
+    
+    return {
+      exploitable: true, // Conservative: assume exploitable
+      confidence: 0.7,
+      reasoning: 'AI judgment not configured - marked as potentially exploitable',
+      severity: 'high',
+      recommendation: 'Configure AI provider or review manually',
+    };
+  }
   
-  return {
-    exploitable: true, // Conservative: assume exploitable until AI confirms otherwise
-    confidence: 0.7,
-    reasoning: 'AI judgment not yet integrated - marked as potentially exploitable',
-    severity: 'high',
-    recommendation: 'Manual review required until AI integration complete',
-  };
+  try {
+    const prompt = buildPathJudgePrompt(context);
+    const response = await callAI(aiProvider, prompt);
+    
+    const judgment = parsePathJudgment(response.text);
+    
+    if (!judgment) {
+      console.warn('⚠️  Failed to parse AI response - using conservative defaults');
+      return {
+        exploitable: true,
+        confidence: 0.6,
+        reasoning: 'Failed to parse AI response',
+        severity: 'high',
+        recommendation: 'Review manually',
+      };
+    }
+    
+    return judgment;
+  } catch (error) {
+    console.warn(`⚠️  AI judgment failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    
+    return {
+      exploitable: true,
+      confidence: 0.7,
+      reasoning: `AI judgment failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      severity: 'high',
+      recommendation: 'Review manually',
+    };
+  }
 }

package/src/cli/index.ts

@@ -1,4 +1,10 @@
-#!/usr/bin/env node
+/**
+ * FivoSense CLI
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
 /**
  * FivoSense CLI
  */

package/src/core/orchestrator.ts

@@ -0,0 +1,266 @@
+/**
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
+/**
+ * Orchestrator - Coordinates analysis pipeline and flow control
+ */
+
+import { buildDataFlowGraph } from '../engine/graph.js';
+import { generateTaintTraces, type TaintTrace } from '../engine/taint.js';
+import { detectSecrets } from '../rules/secrets.js';
+import { detectDestructive } from '../rules/destructive.js';
+import { judgePathWithAI } from '../ai/judge.js';
+import { verifyWithAdversary } from '../engine/adversary.js';
+import { generatePoC } from '../engine/poc.js';
+import { getDiffScope, filterFindingsByScope, type CodeScope } from './scope.js';
+import type { AuditResult } from '../index.js';
+import type { AIProvider } from '../ai/client.js';
+
+export interface OrchestratorOptions {
+  enableAI?: boolean;
+  enableAdversarial?: boolean;
+  enablePoC?: boolean;
+  scopeToDiff?: boolean;
+  diffBase?: string;
+  aiProvider?: AIProvider;
+  verbose?: boolean;
+}
+
+/**
+ * Main orchestration pipeline
+ */
+export async function orchestrateAudit(
+  code: string,
+  filepath: string,
+  options: OrchestratorOptions = {}
+): Promise<AuditResult> {
+  const {
+    enableAI = false,
+    enableAdversarial = false,
+    enablePoC = false,
+    scopeToDiff = false,
+    diffBase = 'main',
+    aiProvider,
+    verbose = false,
+  } = options;
+
+  if (verbose) {
+    console.log(`🔍 Starting audit: ${filepath}`);
+    console.log(`   AI Judge: ${enableAI ? '✅' : '❌'}`);
+    console.log(`   Adversarial: ${enableAdversarial ? '✅' : '❌'}`);
+    console.log(`   PoC Generation: ${enablePoC ? '✅' : '❌'}`);
+    console.log(`   Scope to diff: ${scopeToDiff ? '✅' : '❌'}`);
+  }
+
+  // Step 1: Get scope if needed
+  let scope: CodeScope | undefined;
+  if (scopeToDiff) {
+    if (verbose) console.log(`📋 Getting diff scope (base: ${diffBase})...`);
+    scope = await getDiffScope(diffBase);
+    if (verbose) console.log(`   ${scope.files.length} files in scope`);
+  }
+
+  // Step 2: Build data-flow graph
+  if (verbose) console.log(`🔨 Building data-flow graph...`);
+  const graph = buildDataFlowGraph(code, filepath);
+
+  // Step 3: Taint analysis
+  if (verbose) console.log(`🔍 Running taint analysis...`);
+  const traces = generateTaintTraces(graph, filepath);
+  
+  // Convert traces to vulnerabilities format
+  const allVulnerabilities = traces.map(trace => ({
+    finding: trace.finding,
+    severity: trace.severity,
+    category: trace.category,
+    cwe: trace.cwe,
+    path: trace.path.split(' → '),
+    evidence: trace.evidence,
+    location: trace.location,
+    sanitized: trace.sanitized,
+    confidence: 0.8,
+  }));
+
+  // Step 4: Filter by scope if enabled
+  let vulnerabilities = allVulnerabilities;
+  if (scope && scopeToDiff) {
+    if (verbose) console.log(`🎯 Filtering by scope...`);
+    vulnerabilities = filterFindingsByScope(vulnerabilities, filepath, scope);
+    if (verbose) console.log(`   ${vulnerabilities.length} vulnerabilities in scope`);
+  }
+
+  // Step 5: AI judgment (if enabled)
+  if (enableAI && vulnerabilities.length > 0) {
+    if (verbose) console.log(`🤖 Running AI judgment...`);
+    
+    for (let i = 0; i < vulnerabilities.length; i++) {
+      const vuln = vulnerabilities[i];
+      
+      try {
+        const judgment = await judgePathWithAI({
+          source: vuln.path[0] || 'unknown',
+          sourceType: 'user input',
+          sourceLoc: `line ${vuln.location.line}`,
+          sink: vuln.path[vuln.path.length - 1] || 'unknown',
+          sinkType: vuln.category,
+          category: vuln.category,
+          cwe: vuln.cwe,
+          dataFlow: vuln.path.join(' → '),
+          codeSnippet: code.split('\n').slice(
+            Math.max(0, vuln.location.line - 3),
+            vuln.location.line + 2
+          ).join('\n'),
+          language: filepath.endsWith('.ts') || filepath.endsWith('.tsx') ? 'typescript' : 'javascript',
+        }, aiProvider);
+
+        // Update vulnerability with AI judgment
+        vuln.confidence = judgment.confidence;
+        
+        if (verbose) {
+          console.log(`   [${i + 1}/${vulnerabilities.length}] ${vuln.finding}: ${judgment.exploitable ? '❌ Exploitable' : '✅ Safe'} (confidence: ${judgment.confidence})`);
+        }
+      } catch (error) {
+        if (verbose) {
+          console.warn(`   [${i + 1}/${vulnerabilities.length}] AI judgment failed:`, error);
+        }
+      }
+    }
+  }
+
+  // Step 6: Adversarial verification (if enabled)
+  if (enableAdversarial && vulnerabilities.length > 0) {
+    if (verbose) console.log(`⚔️  Running adversarial verification...`);
+    
+    for (let i = 0; i < vulnerabilities.length; i++) {
+      const vuln = vulnerabilities[i];
+      
+      try {
+        const trace = traces.find((t: TaintTrace) => 
+          t.category === vuln.category && t.location.line === vuln.location.line
+        );
+        
+        if (trace) {
+          const adversary = await verifyWithAdversary(trace, code, aiProvider);
+          
+          // Update confidence based on adversarial result
+          vuln.confidence = Math.min(vuln.confidence, adversary.confidence);
+          
+          if (verbose) {
+            console.log(`   [${i + 1}/${vulnerabilities.length}] ${adversary.exploitable ? '⚔️  Exploit found' : '🛡️  Defense holds'}`);
+          }
+        }
+      } catch (error) {
+        if (verbose) {
+          console.warn(`   [${i + 1}/${vulnerabilities.length}] Adversarial verification failed:`, error);
+        }
+      }
+    }
+  }
+
+  // Step 7: PoC generation (if enabled)
+  if (enablePoC && vulnerabilities.length > 0) {
+    if (verbose) console.log(`💣 Generating PoCs...`);
+    
+    for (const vuln of vulnerabilities) {
+      try {
+        const trace = traces.find((t: TaintTrace) => 
+          t.category === vuln.category && t.location.line === vuln.location.line
+        );
+        
+        if (trace) {
+          const poc = generatePoC(trace);
+          // Attach PoC to vulnerability (could extend Vulnerability type)
+          (vuln as any).poc = poc;
+        }
+      } catch (error) {
+        if (verbose) {
+          console.warn(`   Failed to generate PoC:`, error);
+        }
+      }
+    }
+  }
+
+  // Step 8: Secret detection
+  if (verbose) console.log(`🔑 Detecting secrets...`);
+  const secrets = detectSecrets(code);
+
+  // Step 9: Destructive command detection
+  if (verbose) console.log(`💥 Detecting destructive commands...`);
+  const destructive = detectDestructive(code);
+
+  // Step 10: Build summary
+  const summary = {
+    total: vulnerabilities.length + secrets.length + destructive.length,
+    critical: vulnerabilities.filter((v: any) => v.severity === 'critical').length,
+    high: vulnerabilities.filter((v: any) => v.severity === 'high').length + secrets.length,
+    medium: vulnerabilities.filter((v: any) => v.severity === 'medium').length + destructive.length,
+  };
+
+  if (verbose) {
+    console.log(`\n📊 Audit complete:`);
+    console.log(`   Total: ${summary.total}`);
+    console.log(`   Critical: ${summary.critical}`);
+    console.log(`   High: ${summary.high}`);
+    console.log(`   Medium: ${summary.medium}\n`);
+  }
+
+  return {
+    vulnerabilities,
+    secrets,
+    destructive,
+    summary,
+  };
+}
+
+/**
+ * Quick audit (no AI, no scope)
+ */
+export async function quickAudit(code: string, filepath: string): Promise<AuditResult> {
+  return orchestrateAudit(code, filepath, {
+    enableAI: false,
+    enableAdversarial: false,
+    enablePoC: false,
+    scopeToDiff: false,
+    verbose: false,
+  });
+}
+
+/**
+ * Full audit (with AI and adversarial)
+ */
+export async function fullAudit(
+  code: string,
+  filepath: string,
+  aiProvider?: AIProvider
+): Promise<AuditResult> {
+  return orchestrateAudit(code, filepath, {
+    enableAI: true,
+    enableAdversarial: true,
+    enablePoC: true,
+    scopeToDiff: false,
+    aiProvider,
+    verbose: true,
+  });
+}
+
+/**
+ * Diff-scoped audit (only changed code)
+ */
+export async function diffAudit(
+  code: string,
+  filepath: string,
+  diffBase: string = 'main'
+): Promise<AuditResult> {
+  return orchestrateAudit(code, filepath, {
+    enableAI: false,
+    enableAdversarial: false,
+    enablePoC: false,
+    scopeToDiff: true,
+    diffBase,
+    verbose: true,
+  });
+}

package/src/core/scope.ts

@@ -0,0 +1,175 @@
+/**
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
+/**
+ * Scope Management - Track and filter relevant code changes
+ */
+
+import { exec } from 'child_process';
+import { promisify } from 'util';
+
+const execAsync = promisify(exec);
+
+export interface CodeScope {
+  files: string[];
+  lines: Map<string, Set<number>>;
+  changedFunctions: Map<string, string[]>;
+}
+
+/**
+ * Get diff scope for current changes
+ */
+export async function getDiffScope(base: string = 'main'): Promise<CodeScope> {
+  const scope: CodeScope = {
+    files: [],
+    lines: new Map(),
+    changedFunctions: new Map(),
+  };
+
+  try {
+    // Get changed files
+    const { stdout: filesOutput } = await execAsync(`git diff --name-only ${base}...HEAD`);
+    const files = filesOutput
+      .split('\n')
+      .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
+      .filter(f => f.trim().length > 0);
+
+    scope.files = files;
+
+    // Get changed lines for each file
+    for (const file of files) {
+      try {
+        const { stdout: diffOutput } = await execAsync(`git diff ${base}...HEAD -- ${file}`);
+        const changedLines = parseDiffLines(diffOutput);
+        scope.lines.set(file, changedLines);
+      } catch (error) {
+        console.warn(`Failed to get diff for ${file}:`, error);
+      }
+    }
+
+    return scope;
+  } catch (error) {
+    console.warn('Failed to get diff scope:', error);
+    return scope;
+  }
+}
+
+/**
+ * Parse diff output to extract changed line numbers
+ */
+function parseDiffLines(diff: string): Set<number> {
+  const lines = new Set<number>();
+  const diffLines = diff.split('\n');
+  
+  let currentLine = 0;
+  
+  for (const line of diffLines) {
+    // Parse hunk header: @@ -1,5 +1,7 @@
+    const hunkMatch = line.match(/^@@\s+-\d+,?\d*\s+\+(\d+),?(\d*)\s+@@/);
+    if (hunkMatch) {
+      currentLine = parseInt(hunkMatch[1], 10);
+      continue;
+    }
+    
+    // Track added/modified lines
+    if (line.startsWith('+') && !line.startsWith('+++')) {
+      lines.add(currentLine);
+      currentLine++;
+    } else if (!line.startsWith('-')) {
+      currentLine++;
+    }
+  }
+  
+  return lines;
+}
+
+/**
+ * Filter findings to only those in changed scope
+ */
+export function filterFindingsByScope<T extends { location?: { line: number } }>(
+  findings: T[],
+  file: string,
+  scope: CodeScope
+): T[] {
+  const changedLines = scope.lines.get(file);
+  
+  if (!changedLines || changedLines.size === 0) {
+    // No scope info, include all findings
+    return findings;
+  }
+  
+  return findings.filter(finding => {
+    const line = finding.location?.line;
+    if (!line) return false;
+    
+    // Include if exact line changed
+    if (changedLines.has(line)) return true;
+    
+    // Include if within 5 lines of a change (context)
+    for (const changedLine of changedLines) {
+      if (Math.abs(line - changedLine) <= 5) return true;
+    }
+    
+    return false;
+  });
+}
+
+/**
+ * Get scope for staged changes
+ */
+export async function getStagedScope(): Promise<CodeScope> {
+  const scope: CodeScope = {
+    files: [],
+    lines: new Map(),
+    changedFunctions: new Map(),
+  };
+
+  try {
+    // Get staged files
+    const { stdout: filesOutput } = await execAsync('git diff --cached --name-only --diff-filter=ACM');
+    const files = filesOutput
+      .split('\n')
+      .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
+      .filter(f => f.trim().length > 0);
+
+    scope.files = files;
+
+    // Get changed lines for each file
+    for (const file of files) {
+      try {
+        const { stdout: diffOutput } = await execAsync(`git diff --cached -- ${file}`);
+        const changedLines = parseDiffLines(diffOutput);
+        scope.lines.set(file, changedLines);
+      } catch (error) {
+        console.warn(`Failed to get staged diff for ${file}:`, error);
+      }
+    }
+
+    return scope;
+  } catch (error) {
+    console.warn('Failed to get staged scope:', error);
+    return scope;
+  }
+}
+
+/**
+ * Check if a line is in scope
+ */
+export function isLineInScope(file: string, line: number, scope: CodeScope): boolean {
+  const changedLines = scope.lines.get(file);
+  if (!changedLines) return false;
+  
+  // Exact match
+  if (changedLines.has(line)) return true;
+  
+  // Context match (within 5 lines)
+  for (const changedLine of changedLines) {
+    if (Math.abs(line - changedLine) <= 5) return true;
+  }
+  
+  return false;
+}

package/src/editors/vscode.ts

@@ -1,3 +1,10 @@
+/**
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
 /**
  * VS Code Extension Adapter
  * Integrates FivoSense with VS Code

package/src/engine/adversary.ts

@@ -1,8 +1,16 @@
+/**
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
 /**
  * Adversarial Verification - AI attacker proves exploitability
  */
 
 import { TaintTrace } from './taint.js';
+import { callAI, getAIProviderFromEnv, type AIProvider } from '../ai/client.js';
 
 export interface AdversarialResult {
   exploitable: boolean;
@@ -79,22 +87,57 @@ export function parseAdversarialResult(response: string): AdversarialResult | nu
 }
 
 /**
- * Placeholder for adversarial verification
+ * Verify exploitability using adversarial AI
  */
 export async function verifyWithAdversary(
   trace: TaintTrace,
-  code: string
+  code: string,
+  provider?: AIProvider
 ): Promise<AdversarialResult> {
-  const prompt = buildAdversarialPrompt(trace, code);
+  // Get provider from env if not provided
+  const aiProvider = provider || getAIProviderFromEnv();
   
-  // TODO: Phase 3 - integrate with host AI
-  console.warn('⚠️  Adversarial verification not yet integrated');
+  // If no AI provider available, return conservative result
+  if (!aiProvider) {
+    console.warn('⚠️  No AI provider configured for adversarial verification');
+    console.warn('💡 Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or OLLAMA_HOST to enable');
+    
+    return {
+      exploitable: true,
+      confidence: 0.7,
+      attackVector: 'Adversarial verification not configured',
+      payload: '',
+      reasoning: 'Marked as potentially exploitable - configure AI provider to verify',
+    };
+  }
   
-  return {
-    exploitable: true,
-    confidence: 0.7,
-    attackVector: 'Adversarial verification not yet integrated',
-    payload: '',
-    reasoning: 'Marked as potentially exploitable until AI attacker confirms',
-  };
+  try {
+    const prompt = buildAdversarialPrompt(trace, code);
+    const response = await callAI(aiProvider, prompt);
+    
+    const result = parseAdversarialResult(response.text);
+    
+    if (!result) {
+      console.warn('⚠️  Failed to parse adversarial response');
+      return {
+        exploitable: true,
+        confidence: 0.6,
+        attackVector: 'Failed to parse AI response',
+        payload: '',
+        reasoning: 'Parser error - marked as potentially exploitable',
+      };
+    }
+    
+    return result;
+  } catch (error) {
+    console.warn(`⚠️  Adversarial verification failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    
+    return {
+      exploitable: true,
+      confidence: 0.7,
+      attackVector: `AI verification failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      payload: '',
+      reasoning: 'Marked as potentially exploitable due to verification error',
+    };
+  }
 }

package/src/engine/graph.ts

@@ -1,3 +1,10 @@
+/**
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
 /**
  * FivoCore Graph Builder
  */