forgedev 1.2.0 → 1.4.0

package/src/composer.js

@@ -1,214 +1,242 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import { ROOT_DIR, ensureDir, readTemplate, replaceVars, toPascalCase, toSnakeCase, log } from './utils.js';
-
-const TEMPLATES_DIR = path.join(ROOT_DIR, 'templates');
-
-export async function compose(outputDir, stackConfig) {
-  const variables = buildVariables(stackConfig);
-
-  ensureDir(outputDir);
-
-  for (const mod of stackConfig.templateModules) {
-    const templateDir = path.join(TEMPLATES_DIR, mod.path);
-    if (!fs.existsSync(templateDir)) {
-      log.warn(`Template module not found: ${mod.path} — skipping`);
-      continue;
-    }
-    processTemplateDir(templateDir, outputDir, variables, mod.prefix || '');
-  }
-
-  // Inject auth dependencies into package.json if auth is enabled
-  injectAuthDependencies(outputDir, stackConfig);
-}
-
-export function buildVariables(stackConfig) {
-  const vars = {
-    PROJECT_NAME: stackConfig.projectName,
-    PROJECT_NAME_PASCAL: toPascalCase(stackConfig.projectName),
-    PROJECT_NAME_SNAKE: toSnakeCase(stackConfig.projectName),
-  };
-
-  if (stackConfig.frontend) {
-    vars.FRONTEND_FRAMEWORK = stackConfig.frontend.framework;
-    vars.FRONTEND_LANGUAGE = stackConfig.frontend.language;
-    vars.FRONTEND_STYLING = stackConfig.frontend.styling;
-    vars.FRONTEND_UI = stackConfig.frontend.ui || '';
-  }
-
-  if (stackConfig.backend) {
-    vars.BACKEND_FRAMEWORK = stackConfig.backend.framework;
-    vars.BACKEND_LANGUAGE = stackConfig.backend.language;
-    vars.BACKEND_ORM = stackConfig.backend.orm;
-  }
-
-  if (stackConfig.database) {
-    vars.DATABASE_TYPE = stackConfig.database.type;
-    vars.DATABASE_ORM = stackConfig.database.orm;
-  }
-
-  vars.AUTH_TYPE = stackConfig.auth || 'none';
-  vars.DEPLOYMENT = stackConfig.deployment || 'docker';
-
-  // Commands vary by stack
-  if (stackConfig.stackId === 'nextjs-fullstack') {
-    vars.LINT_COMMAND = 'npx eslint .';
-    vars.TYPE_CHECK_COMMAND = 'npx tsc --noEmit';
-    vars.TEST_COMMAND = 'npx vitest run';
-    vars.BUILD_COMMAND = 'npm run build';
-    vars.DEV_COMMAND = 'npm run dev';
-    vars.STACK_DESCRIPTION = 'Next.js full-stack application with TypeScript, Tailwind CSS, Prisma, and PostgreSQL';
-    vars.EXTRA_IGNORES = '';
-  } else if (stackConfig.stackId === 'fastapi-backend') {
-    vars.LINT_COMMAND = 'ruff check .';
-    vars.TYPE_CHECK_COMMAND = 'pyright';
-    vars.TEST_COMMAND = 'pytest';
-    vars.BUILD_COMMAND = 'docker build -t app .';
-    vars.DEV_COMMAND = 'uvicorn app.main:app --reload';
-    vars.STACK_DESCRIPTION = 'FastAPI backend service with SQLAlchemy, PostgreSQL, and Alembic';
-    vars.EXTRA_IGNORES = '\n# Python\n__pycache__/\n*.pyc\nvenv/\n.venv/\n*.egg-info/';
-  } else if (stackConfig.stackId === 'polyglot-fullstack') {
-    vars.LINT_COMMAND = 'cd frontend && npx eslint . && cd ../backend && ruff check .';
-    vars.TYPE_CHECK_COMMAND = 'cd frontend && npx tsc --noEmit';
-    vars.TEST_COMMAND = 'cd frontend && npx vitest run && cd ../backend && pytest';
-    vars.BUILD_COMMAND = 'docker compose build';
-    vars.DEV_COMMAND = 'docker compose up';
-    vars.STACK_DESCRIPTION = 'Full-stack application with Next.js frontend and FastAPI backend';
-    vars.EXTRA_IGNORES = '\n# Python\n__pycache__/\n*.pyc\nvenv/\n.venv/\n*.egg-info/';
-  }
-
-  // Setup commands for README
-  vars.SETUP_COMMANDS = buildSetupCommands(stackConfig);
-  vars.AVAILABLE_SCRIPTS = buildAvailableScripts(stackConfig);
-
-  return vars;
-}
-
-function buildSetupCommands(config) {
-  if (config.stackId === 'nextjs-fullstack') {
-    return `npm install
-cp .env.example .env
-npx prisma db push
-npm run dev`;
-  }
-  if (config.stackId === 'fastapi-backend') {
-    return `cd backend
-python -m venv venv
-source venv/bin/activate
-pip install -r requirements.txt
-cp .env.example .env
-uvicorn app.main:app --reload`;
-  }
-  if (config.stackId === 'polyglot-fullstack') {
-    return `docker compose up -d postgres
-# Frontend
-cd frontend && npm install && npm run dev
-# Backend
-cd backend && pip install -r requirements.txt && uvicorn app.main:app --reload`;
-  }
-  return '';
-}
-
-function buildAvailableScripts(config) {
-  if (config.stackId === 'nextjs-fullstack') {
-    return `- \`npm run dev\` — Start development server
-- \`npm run build\` — Production build
-- \`npm run lint\` — Run ESLint
-- \`npx prisma studio\` — Database GUI
-- \`npx vitest\` — Run unit tests
-- \`npx playwright test\` — Run E2E tests`;
-  }
-  if (config.stackId === 'fastapi-backend') {
-    return `- \`uvicorn app.main:app --reload\` — Start dev server
-- \`pytest\` — Run tests
-- \`ruff check .\` — Run linter
-- \`alembic upgrade head\` — Run migrations`;
-  }
-  if (config.stackId === 'polyglot-fullstack') {
-    return `- \`docker compose up\` — Start all services
-- \`docker compose up -d postgres\` — Start database only
-- Frontend: \`cd frontend && npm run dev\`
-- Backend: \`cd backend && uvicorn app.main:app --reload\``;
-  }
-  return '';
-}
-
-export function processTemplateDir(templateDir, outputDir, variables, prefix) {
-  const entries = walkDir(templateDir);
-
-  for (const filePath of entries) {
-    const relativePath = path.relative(templateDir, filePath);
-    let outputRelative = prefix ? path.join(prefix, relativePath) : relativePath;
-
-    if (outputRelative.endsWith('.template')) {
-      // Process template: replace vars, strip .template extension
-      const content = readTemplate(filePath);
-      const processed = replaceVars(content, variables);
-      const outputPath = path.join(outputDir, outputRelative.replace(/\.template$/, ''));
-      ensureDir(path.dirname(outputPath));
-      fs.writeFileSync(outputPath, processed, 'utf-8');
-    } else if (path.basename(filePath) === '.gitkeep') {
-      // Create the directory but don't copy .gitkeep itself
-      ensureDir(path.join(outputDir, path.dirname(outputRelative)));
-    } else {
-      // Binary copy
-      const outputPath = path.join(outputDir, outputRelative);
-      ensureDir(path.dirname(outputPath));
-      fs.copyFileSync(filePath, outputPath);
-    }
-  }
-}
-
-function walkDir(dir) {
-  const results = [];
-  const entries = fs.readdirSync(dir, { withFileTypes: true });
-  for (const entry of entries) {
-    const fullPath = path.join(dir, entry.name);
-    if (entry.isDirectory()) {
-      results.push(...walkDir(fullPath));
-    } else {
-      results.push(fullPath);
-    }
-  }
-  return results;
-}
-
-function injectAuthDependencies(outputDir, stackConfig) {
-  if (!stackConfig.auth || stackConfig.auth === 'none') return;
-
-  // Next.js projects with nextauth
-  if (stackConfig.auth === 'nextauth' || stackConfig.auth === 'both') {
-    const pkgPaths = [
-      path.join(outputDir, 'package.json'),
-      path.join(outputDir, 'frontend', 'package.json'),
-    ];
-    for (const pkgPath of pkgPaths) {
-      if (!fs.existsSync(pkgPath)) continue;
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
-      pkg.dependencies = pkg.dependencies || {};
-      pkg.dependencies['next-auth'] = '^5.0.0-beta.25';
-      pkg.dependencies['@auth/prisma-adapter'] = '^2.7.4';
-      pkg.dependencies['bcryptjs'] = '^2.4.3';
-      pkg.devDependencies = pkg.devDependencies || {};
-      pkg.devDependencies['@types/bcryptjs'] = '^2.4.6';
-      fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n', 'utf-8');
-    }
-  }
-
-  // FastAPI projects with jwt-custom
-  if (stackConfig.auth === 'jwt-custom' || stackConfig.auth === 'both') {
-    const reqPaths = [
-      path.join(outputDir, 'requirements.txt'),
-      path.join(outputDir, 'backend', 'requirements.txt'),
-    ];
-    for (const reqPath of reqPaths) {
-      if (!fs.existsSync(reqPath)) continue;
-      const content = fs.readFileSync(reqPath, 'utf-8');
-      const authDeps = ['python-jose[cryptography]', 'passlib[bcrypt]', 'python-multipart'];
-      const additions = authDeps.filter(dep => !content.includes(dep.split('[')[0]));
-      if (additions.length > 0) {
-        fs.writeFileSync(reqPath, content.trimEnd() + '\n' + additions.join('\n') + '\n', 'utf-8');
-      }
-    }
-  }
-}
+import fs from 'node:fs';
+import path from 'node:path';
+import { ROOT_DIR, ensureDir, readTemplate, replaceVars, toPascalCase, toSnakeCase, getStackMetadata, log } from './utils.js';
+
+const TEMPLATES_DIR = path.join(ROOT_DIR, 'templates');
+
+export async function compose(outputDir, stackConfig) {
+  const variables = buildVariables(stackConfig);
+
+  ensureDir(outputDir);
+
+  for (const mod of stackConfig.templateModules) {
+    const templateDir = path.join(TEMPLATES_DIR, mod.path);
+    if (!fs.existsSync(templateDir)) {
+      log.warn(`Template module not found: ${mod.path}, skipping`);
+      continue;
+    }
+    processTemplateDir(templateDir, outputDir, variables, mod.prefix || '');
+  }
+
+  // Inject auth dependencies into package.json if auth is enabled
+  injectAuthDependencies(outputDir, stackConfig);
+
+  // Apply user plugins from ~/.devforge/templates/ if they exist
+  applyUserPlugins(outputDir, variables, stackConfig);
+}
+
+export function buildVariables(stackConfig) {
+  const vars = {
+    PROJECT_NAME: stackConfig.projectName,
+    PROJECT_NAME_PASCAL: toPascalCase(stackConfig.projectName),
+    PROJECT_NAME_SNAKE: toSnakeCase(stackConfig.projectName),
+  };
+
+  if (stackConfig.frontend) {
+    vars.FRONTEND_FRAMEWORK = stackConfig.frontend.framework;
+    vars.FRONTEND_LANGUAGE = stackConfig.frontend.language;
+    vars.FRONTEND_STYLING = stackConfig.frontend.styling;
+    vars.FRONTEND_UI = stackConfig.frontend.ui || '';
+  }
+
+  if (stackConfig.backend) {
+    vars.BACKEND_FRAMEWORK = stackConfig.backend.framework;
+    vars.BACKEND_LANGUAGE = stackConfig.backend.language;
+    vars.BACKEND_ORM = stackConfig.backend.orm;
+  }
+
+  if (stackConfig.database) {
+    vars.DATABASE_TYPE = stackConfig.database.type;
+    vars.DATABASE_ORM = stackConfig.database.orm;
+  }
+
+  vars.AUTH_TYPE = stackConfig.auth || 'none';
+  vars.DEPLOYMENT = stackConfig.deployment || 'docker';
+
+  // All per-stack values come from a single metadata source
+  const meta = getStackMetadata(stackConfig.stackId);
+  if (meta) {
+    Object.assign(vars, meta.commands);
+    vars.STACK_DESCRIPTION = meta.description;
+    vars.EXTRA_IGNORES = meta.extraIgnores;
+    vars.APP_PORT = meta.port;
+    vars.SETUP_COMMANDS = meta.setupCommands();
+    vars.AVAILABLE_SCRIPTS = meta.availableScripts;
+  } else {
+    vars.STACK_DESCRIPTION = '';
+    vars.EXTRA_IGNORES = '';
+    vars.APP_PORT = '3000';
+    vars.SETUP_COMMANDS = '';
+    vars.AVAILABLE_SCRIPTS = '';
+  }
+
+  vars.IMAGE_TAG = '0.1.0';
+
+  return vars;
+}
+
+export function processTemplateDir(templateDir, outputDir, variables, prefix) {
+  const entries = walkDir(templateDir);
+
+  for (const filePath of entries) {
+    const relativePath = path.relative(templateDir, filePath);
+    const outputRelative = prefix ? path.join(prefix, relativePath) : relativePath;
+
+    // Guard against path traversal (e.g. ../../etc/passwd in plugin templates)
+    const resolved = path.resolve(outputDir, outputRelative);
+    if (!resolved.startsWith(path.resolve(outputDir))) {
+      log.warn(`Skipping "${outputRelative}" (path traversal detected)`);
+      continue;
+    }
+
+    if (outputRelative.endsWith('.template')) {
+      // Process template: replace vars, strip .template extension
+      const content = readTemplate(filePath);
+      const processed = replaceVars(content, variables);
+      const outputPath = path.join(outputDir, outputRelative.replace(/\.template$/, ''));
+      ensureDir(path.dirname(outputPath));
+      fs.writeFileSync(outputPath, processed, 'utf-8');
+    } else if (path.basename(filePath) === '.gitkeep') {
+      // Create the directory but don't copy .gitkeep itself
+      ensureDir(path.join(outputDir, path.dirname(outputRelative)));
+    } else {
+      // Binary copy
+      const outputPath = path.join(outputDir, outputRelative);
+      ensureDir(path.dirname(outputPath));
+      fs.copyFileSync(filePath, outputPath);
+    }
+  }
+}
+
+function walkDir(dir, depth = 0) {
+  if (depth > 20) return []; // guard against deeply nested or circular structures
+  const results = [];
+  const entries = fs.readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    if (entry.isSymbolicLink()) continue; // skip symlinks to prevent infinite loops
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      results.push(...walkDir(fullPath, depth + 1));
+    } else {
+      results.push(fullPath);
+    }
+  }
+  return results;
+}
+
+function injectAuthDependencies(outputDir, stackConfig) {
+  if (!stackConfig.auth || stackConfig.auth === 'none') return;
+
+  // Next.js projects with nextauth
+  if (stackConfig.auth === 'nextauth' || stackConfig.auth === 'both') {
+    const pkgPaths = [
+      path.join(outputDir, 'package.json'),
+      path.join(outputDir, 'frontend', 'package.json'),
+    ];
+    for (const pkgPath of pkgPaths) {
+      if (!fs.existsSync(pkgPath)) continue;
+      let pkg;
+      try {
+        pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      } catch {
+        log.warn(`Skipping auth dependency injection — could not parse ${pkgPath}`);
+        continue;
+      }
+      pkg.dependencies = pkg.dependencies || {};
+      pkg.dependencies['next-auth'] = '^5.0.0-beta.25';
+      pkg.dependencies['@auth/prisma-adapter'] = '^2.7.4';
+      pkg.dependencies['bcryptjs'] = '^2.4.3';
+      pkg.devDependencies = pkg.devDependencies || {};
+      pkg.devDependencies['@types/bcryptjs'] = '^2.4.6';
+      fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n', 'utf-8');
+    }
+  }
+
+  // FastAPI projects with jwt-custom
+  if (stackConfig.auth === 'jwt-custom' || stackConfig.auth === 'both') {
+    const reqPaths = [
+      path.join(outputDir, 'requirements.txt'),
+      path.join(outputDir, 'backend', 'requirements.txt'),
+    ];
+    for (const reqPath of reqPaths) {
+      if (!fs.existsSync(reqPath)) continue;
+      const content = fs.readFileSync(reqPath, 'utf-8');
+      const authDeps = ['python-jose[cryptography]', 'passlib[bcrypt]', 'python-multipart'];
+      const additions = authDeps.filter(dep => !content.includes(dep.split('[')[0]));
+      if (additions.length > 0) {
+        fs.writeFileSync(reqPath, content.trimEnd() + '\n' + additions.join('\n') + '\n', 'utf-8');
+      }
+    }
+  }
+}
+
+function applyUserPlugins(outputDir, variables, stackConfig) {
+  const homeDir = process.env.HOME || process.env.USERPROFILE;
+  if (!homeDir) return;
+
+  const pluginDir = path.join(homeDir, '.devforge');
+  if (!fs.existsSync(pluginDir)) return;
+
+  // User templates: ~/.devforge/templates/<stackId>/ → overlay onto output
+  const userTemplatesDir = path.join(pluginDir, 'templates', stackConfig.stackId);
+  if (fs.existsSync(userTemplatesDir)) {
+    processTemplateDir(userTemplatesDir, outputDir, variables, '');
+    log.dim(`  Applied user templates from ~/.devforge/templates/${stackConfig.stackId}/`);
+  }
+
+  // Universal user templates: ~/.devforge/templates/universal/ → always applied
+  const universalDir = path.join(pluginDir, 'templates', 'universal');
+  if (fs.existsSync(universalDir)) {
+    processTemplateDir(universalDir, outputDir, variables, '');
+    log.dim('  Applied user templates from ~/.devforge/templates/universal/');
+  }
+
+  // User agents: ~/.devforge/agents/*.md → copy into .claude/agents/
+  const userAgentsDir = path.join(pluginDir, 'agents');
+  if (fs.existsSync(userAgentsDir)) {
+    const agents = fs.readdirSync(userAgentsDir).filter(f => f.endsWith('.md'));
+    for (const agent of agents) {
+      const src = path.join(userAgentsDir, agent);
+      const dest = path.join(outputDir, '.claude', 'agents', agent);
+      ensureDir(path.dirname(dest));
+      fs.copyFileSync(src, dest);
+    }
+    if (agents.length > 0) {
+      log.dim(`  Applied ${agents.length} user agent(s) from ~/.devforge/agents/`);
+    }
+  }
+
+  // User commands: ~/.devforge/commands/*.md → copy into .claude/commands/
+  const userCommandsDir = path.join(pluginDir, 'commands');
+  if (fs.existsSync(userCommandsDir)) {
+    const commands = fs.readdirSync(userCommandsDir).filter(f => f.endsWith('.md'));
+    for (const cmd of commands) {
+      const src = path.join(userCommandsDir, cmd);
+      const dest = path.join(outputDir, '.claude', 'commands', cmd);
+      ensureDir(path.dirname(dest));
+      fs.copyFileSync(src, dest);
+    }
+    if (commands.length > 0) {
+      log.dim(`  Applied ${commands.length} user command(s) from ~/.devforge/commands/`);
+    }
+  }
+
+  // User skills: ~/.devforge/skills/<name>/SKILL.md → copy into .claude/skills/
+  const userSkillsDir = path.join(pluginDir, 'skills');
+  if (fs.existsSync(userSkillsDir)) {
+    const skills = fs.readdirSync(userSkillsDir, { withFileTypes: true })
+      .filter(d => d.isDirectory())
+      .map(d => d.name);
+    for (const skill of skills) {
+      const skillFile = path.join(userSkillsDir, skill, 'SKILL.md');
+      if (fs.existsSync(skillFile)) {
+        const dest = path.join(outputDir, '.claude', 'skills', skill, 'SKILL.md');
+        ensureDir(path.dirname(dest));
+        fs.copyFileSync(skillFile, dest);
+      }
+    }
+    if (skills.length > 0) {
+      log.dim(`  Applied ${skills.length} user skill(s) from ~/.devforge/skills/`);
+    }
+  }
+}

package/src/doctor-checks-chainproof.js

@@ -0,0 +1,106 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { createHash } from 'node:crypto';
+
+export function checkChainproofExists(projectDir) {
+  const cpDir = path.join(projectDir, '.chainproof');
+  if (fs.existsSync(cpDir)) return [];
+
+  return [{
+    severity: 'info',
+    title: 'ChainProof trust chain not initialized',
+    impact: 'No provenance tracking for AI-generated code changes',
+    files: [],
+    autoFixable: true,
+    promptId: 'CHAINPROOF_MISSING',
+    effort: 'quick',
+  }];
+}
+
+export function checkChainproofIntegrity(projectDir) {
+  const chainPath = path.join(projectDir, '.chainproof', 'chain.json');
+  if (!fs.existsSync(chainPath)) return [];
+
+  try {
+    const chain = JSON.parse(fs.readFileSync(chainPath, 'utf-8'));
+    let expectedHash = '0'.repeat(64);
+
+    for (let i = 0; i < chain.entries.length; i++) {
+      const entry = chain.entries[i];
+      if (entry.prevHash !== expectedHash) {
+        return [{
+          severity: 'critical',
+          title: `ChainProof hash chain broken at entry ${i}`,
+          impact: 'Trust chain integrity compromised. Provenance trail is unreliable',
+          files: ['.chainproof/chain.json'],
+          autoFixable: false,
+          promptId: 'CHAINPROOF_BROKEN',
+          effort: 'medium',
+        }];
+      }
+      const contentHash = createHash('sha256').update(entry.content, 'utf-8').digest('hex');
+      const computedChainHash = createHash('sha256').update(entry.prevHash + contentHash, 'utf-8').digest('hex');
+      if (entry.chainHash !== computedChainHash) {
+        return [{
+          severity: 'critical',
+          title: `ChainProof chainHash mismatch at entry ${i}`,
+          impact: 'Entry hash does not match computed value. Chain may have been tampered with',
+          files: ['.chainproof/chain.json'],
+          autoFixable: false,
+          promptId: 'CHAINPROOF_BROKEN',
+          effort: 'medium',
+        }];
+      }
+      expectedHash = computedChainHash;
+    }
+
+    // Verify currentHash matches the last entry (same check as runtime verifier)
+    if (chain.entries.length > 0 && chain.currentHash !== expectedHash) {
+      return [{
+        severity: 'critical',
+        title: 'ChainProof currentHash is inconsistent with chain',
+        impact: 'The stored current hash does not match the last entry. Chain state is corrupted',
+        files: ['.chainproof/chain.json'],
+        autoFixable: false,
+        promptId: 'CHAINPROOF_BROKEN',
+        effort: 'medium',
+      }];
+    }
+  } catch {
+    // Malformed chain.json
+    return [{
+      severity: 'critical',
+      title: 'ChainProof chain.json is malformed',
+      impact: 'Cannot verify trust chain integrity',
+      files: ['.chainproof/chain.json'],
+      autoFixable: false,
+      promptId: 'CHAINPROOF_MALFORMED',
+      effort: 'medium',
+    }];
+  }
+
+  return [];
+}
+
+export function checkChainproofUnsigned(projectDir) {
+  const chainPath = path.join(projectDir, '.chainproof', 'chain.json');
+  if (!fs.existsSync(chainPath)) return [];
+
+  try {
+    const chain = JSON.parse(fs.readFileSync(chainPath, 'utf-8'));
+    const unsigned = chain.entries.filter(e => !e.signature);
+    if (unsigned.length === 0) return [];
+
+    return [{
+      severity: 'warning',
+      title: `${unsigned.length} unsigned entries in ChainProof trust chain`,
+      impact: 'Unsigned entries cannot be cryptographically verified',
+      files: ['.chainproof/chain.json'],
+      autoFixable: false,
+      promptId: 'CHAINPROOF_UNSIGNED',
+      effort: 'quick',
+    }];
+  } catch {
+    return [];
+  }
+}