forgedev 1.2.0 → 1.4.0

package/src/chainproof-bridge.js

@@ -0,0 +1,330 @@
+/**
+ * ChainProof bridge - pure Node.js trust chain operations.
+ * Uses node:crypto for Ed25519 + SHA-256, no Python dependency needed.
+ * All operations are file-based, reading and writing to .chainproof/.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { createHash, generateKeyPairSync, sign, verify, randomUUID } from 'node:crypto';
+
+// --- Crypto primitives (interoperable with chainproof/core/crypto.py) ---
+
+export function hashContent(content) {
+  return createHash('sha256').update(content, 'utf-8').digest('hex');
+}
+
+export function buildSignablePayload(entry) {
+  // Length-prefixed using UTF-8 byte length for cross-language interop.
+  // JS .length and Python len() diverge on emoji; Buffer.byteLength is stable.
+  const fields = [
+    entry.prevHash,
+    entry.contentHash,
+    entry.timestamp,
+    entry.entryType,
+    entry.sessionId,
+  ];
+  return fields.map((f) => {
+    const s = String(f ?? '');
+    return `${Buffer.byteLength(s, 'utf-8')}:${s}`;
+  }).join(':');
+}
+
+export function signEntry(payload, privateKeyPem) {
+  const signature = sign(null, Buffer.from(payload, 'utf-8'), privateKeyPem);
+  return signature.toString('base64');
+}
+
+export function verifySignature(payload, signatureB64, publicKeyPem) {
+  try {
+    return verify(
+      null,
+      Buffer.from(payload, 'utf-8'),
+      publicKeyPem,
+      Buffer.from(signatureB64, 'base64')
+    );
+  } catch {
+    // Invalid key or malformed signature
+    return false;
+  }
+}
+
+export function computeChainHash(prevHash, contentHash) {
+  return createHash('sha256')
+    .update(prevHash + contentHash, 'utf-8')
+    .digest('hex');
+}
+
+export function generateKeypair() {
+  const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+  });
+  return { publicKey, privateKey };
+}
+
+// --- High-level chain operations ---
+
+const GENESIS_HASH = '0'.repeat(64);
+
+export function initChainproof(projectDir) {
+  const cpDir = path.join(projectDir, '.chainproof');
+  const keysDir = path.join(cpDir, 'keys');
+
+  fs.mkdirSync(cpDir, { recursive: true });
+  fs.mkdirSync(keysDir, { recursive: true });
+
+  // Config — merge with any template-composed config (from templates/chainproof/)
+  const configPath = path.join(cpDir, 'config.json');
+  const projectName = path.basename(projectDir);
+  const defaults = {
+    version: '1.0.0',
+    projectName,
+    hashAlgorithm: 'sha256',
+    signatureAlgorithm: 'ed25519',
+    createdAt: new Date().toISOString(),
+  };
+
+  if (fs.existsSync(configPath)) {
+    // Template already composed a config — merge our defaults under it
+    try {
+      const existing = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+      const merged = { ...defaults, ...existing, createdAt: existing.createdAt || defaults.createdAt };
+      fs.writeFileSync(configPath, JSON.stringify(merged, null, 2) + '\n', 'utf-8');
+    } catch {
+      // Corrupted config, overwrite with defaults
+      fs.writeFileSync(configPath, JSON.stringify(defaults, null, 2) + '\n', 'utf-8');
+    }
+  } else {
+    fs.writeFileSync(configPath, JSON.stringify(defaults, null, 2) + '\n', 'utf-8');
+  }
+
+  // Chain — only create if missing
+  const chainPath = path.join(cpDir, 'chain.json');
+  if (!fs.existsSync(chainPath)) {
+    fs.writeFileSync(
+      chainPath,
+      JSON.stringify({ entries: [], currentHash: GENESIS_HASH }, null, 2) + '\n',
+      'utf-8'
+    );
+  }
+
+  // Artifacts — only create if missing
+  const artifactsPath = path.join(cpDir, 'artifacts.json');
+  if (!fs.existsSync(artifactsPath)) {
+    fs.writeFileSync(
+      artifactsPath,
+      JSON.stringify({ artifacts: [] }, null, 2) + '\n',
+      'utf-8'
+    );
+  }
+
+  // Generate keypair only if missing
+  const privateKeyPath = path.join(keysDir, 'private.pem');
+  const publicKeyPath = path.join(keysDir, 'public.pem');
+  if (!fs.existsSync(privateKeyPath) || !fs.existsSync(publicKeyPath)) {
+    const { publicKey, privateKey } = generateKeypair();
+    fs.writeFileSync(privateKeyPath, privateKey, { encoding: 'utf-8', mode: 0o600 });
+    fs.writeFileSync(publicKeyPath, publicKey, 'utf-8');
+  }
+
+  // Gitignore for keys
+  const gitignorePath = path.join(cpDir, '.gitignore');
+  if (!fs.existsSync(gitignorePath)) {
+    fs.writeFileSync(gitignorePath, 'keys/\n', 'utf-8');
+  }
+}
+
+export function recordDecision(projectDir, entry) {
+  if (!entry || typeof entry.content !== 'string') {
+    throw new Error('entry.content must be a non-empty string');
+  }
+  if (entry.content.length > 1_048_576) {
+    throw new Error('entry.content exceeds 1MB limit');
+  }
+
+  const cpDir = path.join(projectDir, '.chainproof');
+  const chainPath = path.join(cpDir, 'chain.json');
+
+  let chain;
+  try {
+    chain = JSON.parse(fs.readFileSync(chainPath, 'utf-8'));
+  } catch (err) {
+    throw new Error(`Failed to read chain.json: ${err.message}`, { cause: err });
+  }
+
+  const contentHash = hashContent(entry.content);
+  const prevHash = chain.currentHash;
+  const chainHash = computeChainHash(prevHash, contentHash);
+  const timestamp = new Date().toISOString();
+  const entryType = entry.entryType || 'decision';
+  const sessionId = entry.sessionId || 'default';
+
+  // Build the full entry before signing so all metadata is covered
+  const nllEntry = {
+    id: randomUUID(),
+    timestamp,
+    entryType,
+    content: entry.content,
+    contentHash,
+    prevHash,
+    chainHash,
+    signature: null,
+    sessionId,
+  };
+
+  // Sign the full canonical payload (not just content)
+  const privateKeyPath = path.join(cpDir, 'keys', 'private.pem');
+  if (fs.existsSync(privateKeyPath)) {
+    const privateKey = fs.readFileSync(privateKeyPath, 'utf-8');
+    const payload = buildSignablePayload(nllEntry);
+    nllEntry.signature = signEntry(payload, privateKey);
+  }
+
+  chain.entries.push(nllEntry);
+  chain.currentHash = chainHash;
+
+  // Atomic write: write to temp file first, then rename
+  const tmpPath = chainPath + '.tmp';
+  fs.writeFileSync(tmpPath, JSON.stringify(chain, null, 2) + '\n', 'utf-8');
+  fs.renameSync(tmpPath, chainPath);
+
+  return nllEntry;
+}
+
+export function recordCodeArtifact(projectDir, artifact) {
+  const cpDir = path.join(projectDir, '.chainproof');
+  const artifactsPath = path.join(cpDir, 'artifacts.json');
+
+  let data;
+  try {
+    data = JSON.parse(fs.readFileSync(artifactsPath, 'utf-8'));
+  } catch (err) {
+    throw new Error(`Failed to read artifacts.json: ${err.message}`, { cause: err });
+  }
+
+  const record = {
+    id: randomUUID(),
+    timestamp: new Date().toISOString(),
+    filePath: artifact.filePath,
+    contentHash: artifact.contentHash || hashContent(artifact.content || ''),
+    language: artifact.language || null,
+    generator: artifact.generator || null,
+    promptHash: artifact.promptHash || null,
+    nllEntryId: artifact.nllEntryId || null,
+  };
+
+  data.artifacts.push(record);
+
+  // Atomic write: write to temp file first, then rename
+  const tmpPath = artifactsPath + '.tmp';
+  fs.writeFileSync(tmpPath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+  fs.renameSync(tmpPath, artifactsPath);
+
+  return record;
+}
+
+export function verifyChain(projectDir) {
+  const cpDir = path.join(projectDir, '.chainproof');
+  const chainPath = path.join(cpDir, 'chain.json');
+
+  if (!fs.existsSync(chainPath)) {
+    return { valid: false, errors: ['chain.json not found'] };
+  }
+
+  const chain = JSON.parse(fs.readFileSync(chainPath, 'utf-8'));
+  const errors = [];
+  let expectedHash = GENESIS_HASH;
+
+  for (let i = 0; i < chain.entries.length; i++) {
+    const entry = chain.entries[i];
+
+    // Verify prev_hash links correctly
+    if (entry.prevHash !== expectedHash) {
+      errors.push(
+        `Entry ${i}: prevHash mismatch (expected ${expectedHash.slice(0, 8)}..., got ${entry.prevHash.slice(0, 8)}...)`
+      );
+    }
+
+    // Verify content hash
+    const actualContentHash = hashContent(entry.content);
+    if (entry.contentHash !== actualContentHash) {
+      errors.push(`Entry ${i}: contentHash mismatch (content was tampered)`);
+    }
+
+    // Verify chain hash
+    const actualChainHash = computeChainHash(entry.prevHash, entry.contentHash);
+    if (entry.chainHash !== actualChainHash) {
+      errors.push(`Entry ${i}: chainHash mismatch`);
+    }
+
+    // Verify signature covers full payload (not just content)
+    if (entry.signature) {
+      const publicKeyPath = path.join(cpDir, 'keys', 'public.pem');
+      if (fs.existsSync(publicKeyPath)) {
+        const publicKey = fs.readFileSync(publicKeyPath, 'utf-8');
+        const payload = buildSignablePayload(entry);
+        if (!verifySignature(payload, entry.signature, publicKey)) {
+          errors.push(`Entry ${i}: invalid signature`);
+        }
+      }
+    }
+
+    expectedHash = entry.chainHash;
+  }
+
+  // Verify current hash matches last entry
+  if (chain.entries.length > 0 && chain.currentHash !== expectedHash) {
+    errors.push('currentHash does not match last entry chainHash');
+  }
+
+  return { valid: errors.length === 0, errors };
+}
+
+export function getChainStatus(projectDir) {
+  const cpDir = path.join(projectDir, '.chainproof');
+  const chainPath = path.join(cpDir, 'chain.json');
+  const configPath = path.join(cpDir, 'config.json');
+
+  if (!fs.existsSync(cpDir)) {
+    return { initialized: false };
+  }
+
+  let chain;
+  try {
+    chain = JSON.parse(fs.readFileSync(chainPath, 'utf-8'));
+  } catch (err) {
+    throw new Error(`Failed to read chain.json: ${err.message}`, { cause: err });
+  }
+  let config = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+    } catch (err) {
+      throw new Error(`Failed to read config.json: ${err.message}`, { cause: err });
+    }
+  }
+
+  const artifactsPath = path.join(cpDir, 'artifacts.json');
+  let artifacts = { artifacts: [] };
+  if (fs.existsSync(artifactsPath)) {
+    try {
+      artifacts = JSON.parse(fs.readFileSync(artifactsPath, 'utf-8'));
+    } catch (err) {
+      throw new Error(`Failed to read artifacts.json: ${err.message}`, { cause: err });
+    }
+  }
+
+  const unsignedCount = chain.entries.filter((e) => !e.signature).length;
+
+  return {
+    initialized: true,
+    projectName: config.projectName || path.basename(projectDir),
+    entryCount: chain.entries.length,
+    artifactCount: artifacts.artifacts.length,
+    currentHash: chain.currentHash,
+    unsignedEntries: unsignedCount,
+    createdAt: config.createdAt || null,
+    lastEntry: chain.entries.length > 0 ? chain.entries[chain.entries.length - 1].timestamp : null,
+  };
+}

package/src/ci-mode.js

@@ -0,0 +1,85 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import chalk from 'chalk';
+import { log } from './utils.js';
+import { scanProject, detectStack } from './scanner.js';
+import { runAllChecks } from './doctor-checks.js';
+import { generateReport } from './doctor-prompts.js';
+
+export async function runCI(projectDir) {
+  const resolvedDir = path.resolve(projectDir);
+
+  if (!fs.existsSync(resolvedDir)) {
+    log.error(`Directory not found: ${resolvedDir}`);
+    process.exit(1);
+  }
+
+  console.log('');
+  log.info('  DevForge CI  Automated project health check');
+  console.log('');
+
+  // Scan project
+  const scan = scanProject(resolvedDir);
+  const stack = detectStack(resolvedDir, scan);
+  log.dim(`  Stack: ${stack || 'unknown'}`);
+
+  // Run all checks
+  const issues = runAllChecks(resolvedDir, scan);
+
+  const critical = issues.filter(i => i.severity === 'critical');
+  const warnings = issues.filter(i => i.severity === 'warning');
+  const info = issues.filter(i => i.severity === 'info');
+
+  // Output results
+  console.log('');
+  if (critical.length > 0) {
+    log.error(`  CRITICAL: ${critical.length} issue${critical.length > 1 ? 's' : ''}`);
+    for (const issue of critical) {
+      console.error(`    - ${issue.title}`);
+      if (issue.files?.length) {
+        for (const detail of issue.files.slice(0, 5)) {
+          console.error(chalk.dim(`      ${detail}`));
+        }
+        if (issue.files.length > 5) {
+          console.error(chalk.dim(`      ... and ${issue.files.length - 5} more`));
+        }
+      }
+    }
+  }
+
+  if (warnings.length > 0) {
+    log.warn(`  WARNINGS: ${warnings.length} issue${warnings.length > 1 ? 's' : ''}`);
+    for (const issue of warnings) {
+      console.error(`    - ${issue.title}`);
+    }
+  }
+
+  if (info.length > 0) {
+    log.dim(`  INFO: ${info.length} suggestion${info.length > 1 ? 's' : ''}`);
+  }
+
+  if (critical.length === 0 && warnings.length === 0) {
+    log.success('  All checks passed!');
+  }
+
+  // Save report if docs/ exists
+  const docsDir = path.join(resolvedDir, 'docs');
+  if (fs.existsSync(docsDir)) {
+    const reportPath = path.join(docsDir, 'ci-report.md');
+    const projectName = path.basename(resolvedDir);
+    const report = generateReport(issues, projectName);
+    fs.writeFileSync(reportPath, report, 'utf-8');
+    log.dim(`  Report saved to docs/ci-report.md`);
+  }
+
+  console.log('');
+
+  // Summary line for CI parsers
+  const total = issues.length;
+  console.log(`DevForge CI: ${critical.length} critical, ${warnings.length} warnings, ${info.length} info (${total} total)`);
+
+  // Exit with error code if critical issues found
+  if (critical.length > 0) {
+    process.exit(1);
+  }
+}