getdoorman 1.0.0

package/package.json

@@ -0,0 +1,74 @@
+{
+  "name": "getdoorman",
+  "version": "1.0.0",
+  "description": "Zero-config security scanner for AI-assisted development. 2000+ rules, 11 languages, 4 detection engines.",
+  "main": "src/index.js",
+  "exports": {
+    ".": "./src/index.js",
+    "./fixer": "./src/fixer.js",
+    "./reporter": "./src/reporter.js"
+  },
+  "bin": {
+    "getdoorman": "./bin/doorman.js"
+  },
+  "type": "module",
+  "scripts": {
+    "start": "node bin/doorman.js",
+    "test": "node --test test/*.test.js",
+    "update-stats": "node scripts/update-stats.js"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "linter",
+    "sast",
+    "vulnerability",
+    "compliance",
+    "code-quality",
+    "performance",
+    "ai",
+    "mcp",
+    "cli",
+    "zero-config",
+    "auto-fix"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/tiago520/VoiceAI.git"
+  },
+  "homepage": "https://github.com/tiago520/VoiceAI#readme",
+  "bugs": {
+    "url": "https://github.com/tiago520/VoiceAI/issues"
+  },
+  "files": [
+    "src/",
+    "bin/",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "glob": "^11.0.0",
+    "minimatch": "^9.0.0",
+    "ora": "^8.1.0"
+  },
+  "optionalDependencies": {
+    "tree-sitter": "^0.22.4",
+    "tree-sitter-javascript": "^0.23.0",
+    "tree-sitter-python": "^0.23.0",
+    "tree-sitter-go": "^0.23.0",
+    "tree-sitter-ruby": "^0.23.0",
+    "tree-sitter-php": "^0.23.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "devDependencies": {
+    "better-sqlite3": "^12.8.0",
+    "cors": "^2.8.6",
+    "express": "^5.2.1"
+  }
+}

package/src/ai-fixer.js

@@ -0,0 +1,559 @@
+/**
+ * ai-fixer.js — AI-powered vulnerability explanation and fix generation.
+ *
+ * PRO feature that uses the Claude API (or OpenAI as fallback) to:
+ *   - Explain vulnerabilities in plain English
+ *   - Generate context-aware, style-matching code fixes
+ *   - Batch-process multiple findings with progress reporting
+ *
+ * Requires an API key via:
+ *   1. ANTHROPIC_API_KEY environment variable
+ *   2. OPENAI_API_KEY environment variable (fallback)
+ *   3. .doormanrc.json { "apiKey": "..." }
+ *
+ * Uses native fetch() — no external dependencies. Requires Node 18+.
+ */
+
+import { readFileSync, existsSync } from 'fs';
+import { resolve } from 'path';
+import chalk from 'chalk';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const ANTHROPIC_API_URL = 'https://api.anthropic.com/v1/messages';
+const OPENAI_API_URL = 'https://api.openai.com/v1/chat/completions';
+
+const ANTHROPIC_MODEL = 'claude-sonnet-4-6';
+const OPENAI_MODEL = 'gpt-4o';
+
+const REQUEST_TIMEOUT_MS = 30_000;
+const RATE_LIMIT_BACKOFF_MS = 2_000;
+const BATCH_SIZE = 5;
+const CONTEXT_LINES = 20; // lines above and below the finding to include
+
+// Claude Sonnet pricing (per million tokens)
+const PRICING = {
+  anthropic: { input: 3, output: 15 },
+  openai: { input: 5, output: 15 },
+};
+
+// ---------------------------------------------------------------------------
+// API key resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve the API key and provider from environment variables or config file.
+ *
+ * @param {string} [cwd='.'] - Working directory to search for .doormanrc.json
+ * @returns {{ provider: 'anthropic'|'openai', apiKey: string } | null}
+ */
+function resolveApiKey(cwd = '.') {
+  // 1. ANTHROPIC_API_KEY env var
+  if (process.env.ANTHROPIC_API_KEY) {
+    return { provider: 'anthropic', apiKey: process.env.ANTHROPIC_API_KEY };
+  }
+
+  // 2. OPENAI_API_KEY env var (fallback)
+  if (process.env.OPENAI_API_KEY) {
+    return { provider: 'openai', apiKey: process.env.OPENAI_API_KEY };
+  }
+
+  // 3. .doormanrc.json
+  const rcPath = resolve(cwd, '.doormanrc.json');
+  if (existsSync(rcPath)) {
+    try {
+      const rc = JSON.parse(readFileSync(rcPath, 'utf-8'));
+      if (rc.apiKey) {
+        // Infer provider from key prefix
+        const provider = rc.apiKey.startsWith('sk-ant-') ? 'anthropic' : 'openai';
+        return { provider, apiKey: rc.apiKey };
+      }
+    } catch {
+      // Malformed config — ignore
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Print a helpful message when no API key is found and throw.
+ */
+function requireApiKey(cwd) {
+  const resolved = resolveApiKey(cwd);
+  if (!resolved) {
+    console.log('');
+    console.log(
+      chalk.yellow(
+        '  AI fixes require an API key. Set ANTHROPIC_API_KEY=your-key or add it to .doormanrc.json',
+      ),
+    );
+    console.log(
+      chalk.gray('  Example: export ANTHROPIC_API_KEY=sk-ant-...'),
+    );
+    console.log(
+      chalk.gray('  Or add { "apiKey": "sk-ant-..." } to .doormanrc.json'),
+    );
+    console.log('');
+    throw new Error('Missing API key for AI fixes');
+  }
+  return resolved;
+}
+
+// ---------------------------------------------------------------------------
+// Low-level API helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Call the Anthropic Messages API.
+ *
+ * @param {string} apiKey
+ * @param {string} systemPrompt
+ * @param {string} userMessage
+ * @returns {Promise<{ text: string, inputTokens: number, outputTokens: number }>}
+ */
+async function callAnthropic(apiKey, systemPrompt, userMessage) {
+  const body = {
+    model: ANTHROPIC_MODEL,
+    max_tokens: 2048,
+    system: systemPrompt,
+    messages: [{ role: 'user', content: userMessage }],
+  };
+
+  const response = await fetchWithRetry(ANTHROPIC_API_URL, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'x-api-key': apiKey,
+      'anthropic-version': '2023-06-01',
+    },
+    body: JSON.stringify(body),
+  });
+
+  const data = await response.json();
+
+  if (!response.ok) {
+    const msg = data?.error?.message || JSON.stringify(data);
+    throw new Error(`Anthropic API error (${response.status}): ${msg}`);
+  }
+
+  const text = data.content?.[0]?.text || '';
+  const inputTokens = data.usage?.input_tokens || 0;
+  const outputTokens = data.usage?.output_tokens || 0;
+
+  return { text, inputTokens, outputTokens };
+}
+
+/**
+ * Call the OpenAI Chat Completions API.
+ *
+ * @param {string} apiKey
+ * @param {string} systemPrompt
+ * @param {string} userMessage
+ * @returns {Promise<{ text: string, inputTokens: number, outputTokens: number }>}
+ */
+async function callOpenAI(apiKey, systemPrompt, userMessage) {
+  const body = {
+    model: OPENAI_MODEL,
+    max_tokens: 2048,
+    messages: [
+      { role: 'system', content: systemPrompt },
+      { role: 'user', content: userMessage },
+    ],
+  };
+
+  const response = await fetchWithRetry(OPENAI_API_URL, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${apiKey}`,
+    },
+    body: JSON.stringify(body),
+  });
+
+  const data = await response.json();
+
+  if (!response.ok) {
+    const msg = data?.error?.message || JSON.stringify(data);
+    throw new Error(`OpenAI API error (${response.status}): ${msg}`);
+  }
+
+  const text = data.choices?.[0]?.message?.content || '';
+  const inputTokens = data.usage?.prompt_tokens || 0;
+  const outputTokens = data.usage?.completion_tokens || 0;
+
+  return { text, inputTokens, outputTokens };
+}
+
+/**
+ * Unified API call dispatcher.
+ *
+ * @param {'anthropic'|'openai'} provider
+ * @param {string} apiKey
+ * @param {string} systemPrompt
+ * @param {string} userMessage
+ * @returns {Promise<{ text: string, inputTokens: number, outputTokens: number }>}
+ */
+async function callLLM(provider, apiKey, systemPrompt, userMessage) {
+  if (provider === 'anthropic') {
+    return callAnthropic(apiKey, systemPrompt, userMessage);
+  }
+  return callOpenAI(apiKey, systemPrompt, userMessage);
+}
+
+/**
+ * Fetch with a timeout and a single retry on HTTP 429 (rate limit).
+ *
+ * @param {string} url
+ * @param {RequestInit} options
+ * @returns {Promise<Response>}
+ */
+async function fetchWithRetry(url, options) {
+  const attempt = async () => {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+
+    try {
+      const res = await fetch(url, { ...options, signal: controller.signal });
+      clearTimeout(timer);
+      return res;
+    } catch (err) {
+      clearTimeout(timer);
+      if (err.name === 'AbortError') {
+        throw new Error(`API request timed out after ${REQUEST_TIMEOUT_MS / 1000}s`);
+      }
+      throw err;
+    }
+  };
+
+  const first = await attempt();
+
+  // Retry once on 429 with backoff
+  if (first.status === 429) {
+    await sleep(RATE_LIMIT_BACKOFF_MS);
+    return attempt();
+  }
+
+  return first;
+}
+
+/** Simple async sleep helper. */
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+// ---------------------------------------------------------------------------
+// Code context extraction
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract lines around a finding for context.
+ *
+ * @param {string} fileContent - Full file content.
+ * @param {number} [line]      - 1-based line number of the finding.
+ * @param {number} [radius]    - Number of lines above and below to include.
+ * @returns {string} The surrounding code snippet with line numbers.
+ */
+function extractContext(fileContent, line, radius = CONTEXT_LINES) {
+  if (!fileContent) return '';
+  const lines = fileContent.split('\n');
+
+  if (!line || line < 1) {
+    // No line info — return first 40 lines (or entire file if shorter)
+    return lines.slice(0, radius * 2).map((l, i) => `${i + 1}: ${l}`).join('\n');
+  }
+
+  const start = Math.max(0, line - 1 - radius);
+  const end = Math.min(lines.length, line - 1 + radius + 1);
+  return lines
+    .slice(start, end)
+    .map((l, i) => {
+      const lineNum = start + i + 1;
+      const marker = lineNum === line ? '>>>' : '   ';
+      return `${marker} ${lineNum}: ${l}`;
+    })
+    .join('\n');
+}
+
+// ---------------------------------------------------------------------------
+// Cost tracking
+// ---------------------------------------------------------------------------
+
+/** Mutable token counters for the current session. */
+const tokenUsage = { input: 0, output: 0 };
+
+function trackTokens(inputTokens, outputTokens) {
+  tokenUsage.input += inputTokens;
+  tokenUsage.output += outputTokens;
+}
+
+function resetTokenUsage() {
+  tokenUsage.input = 0;
+  tokenUsage.output = 0;
+}
+
+/**
+ * Calculate estimated cost and print a summary.
+ *
+ * @param {'anthropic'|'openai'} provider
+ */
+function printCostSummary(provider) {
+  const pricing = PRICING[provider] || PRICING.anthropic;
+  const inputCost = (tokenUsage.input / 1_000_000) * pricing.input;
+  const outputCost = (tokenUsage.output / 1_000_000) * pricing.output;
+  const totalCost = inputCost + outputCost;
+
+  console.log('');
+  console.log(
+    chalk.gray(
+      `  AI fixes cost: ~$${totalCost.toFixed(2)} (${tokenUsage.input} input + ${tokenUsage.output} output tokens)`,
+    ),
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Prompt templates
+// ---------------------------------------------------------------------------
+
+const EXPLAIN_SYSTEM_PROMPT = `You are a security expert explaining vulnerabilities to non-technical people.
+Be clear, specific, and avoid jargon. Use analogies when helpful.
+Always respond with valid JSON in exactly this format:
+{
+  "explanation": "A 2-4 sentence plain-English explanation of the vulnerability.",
+  "risk": "critical|high|medium|low",
+  "tldr": "A single sentence summary."
+}`;
+
+const FIX_SYSTEM_PROMPT = `You are a senior security engineer generating minimal, targeted code fixes.
+Rules:
+- Match the existing code style exactly (indentation, quotes, semicolons, etc.).
+- Return ONLY the minimal change needed — do not refactor unrelated code.
+- Always respond with valid JSON in exactly this format:
+{
+  "old": "the exact lines to replace (copy from the source)",
+  "new": "the replacement lines",
+  "explanation": "1-2 sentences explaining what the fix does and why."
+}`;
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Explain a vulnerability in plain English for non-developers.
+ *
+ * @param {object} finding      - A Doorman finding object.
+ * @param {string} fileContent  - Full content of the file containing the vulnerability.
+ * @param {object} [options]
+ * @param {string} [options.cwd='.'] - Working directory (for API key resolution).
+ * @returns {Promise<{ explanation: string, risk: string, tldr: string }>}
+ */
+export async function explainVulnerability(finding, fileContent, options = {}) {
+  const { provider, apiKey } = requireApiKey(options.cwd || '.');
+
+  const context = extractContext(fileContent, finding.line);
+
+  const userMessage = `## Vulnerability
+Title: ${finding.title || 'Unknown'}
+Severity: ${finding.severity || 'unknown'}
+Rule: ${finding.ruleId || 'N/A'}
+File: ${finding.file || 'unknown'}
+Line: ${finding.line || 'unknown'}
+
+## Code Context
+\`\`\`
+${context}
+\`\`\`
+
+Explain this security vulnerability to a non-technical person. What could go wrong? How bad is it? What should they do?`;
+
+  const { text, inputTokens, outputTokens } = await callLLM(
+    provider,
+    apiKey,
+    EXPLAIN_SYSTEM_PROMPT,
+    userMessage,
+  );
+
+  trackTokens(inputTokens, outputTokens);
+
+  try {
+    const parsed = JSON.parse(text);
+    return {
+      explanation: parsed.explanation || text,
+      risk: parsed.risk || finding.severity || 'medium',
+      tldr: parsed.tldr || '',
+    };
+  } catch {
+    // If the model didn't return valid JSON, wrap the raw text
+    return {
+      explanation: text,
+      risk: finding.severity || 'medium',
+      tldr: '',
+    };
+  }
+}
+
+/**
+ * Generate a minimal, style-matching fix for a vulnerability.
+ *
+ * @param {object} finding      - A Doorman finding object.
+ * @param {string} fileContent  - Full content of the file containing the vulnerability.
+ * @param {object} [options]
+ * @param {string} [options.cwd='.'] - Working directory (for API key resolution).
+ * @returns {Promise<{ fix: { type: string, old: string, new: string, tier: number }, explanation: string }>}
+ */
+export async function generateFix(finding, fileContent, options = {}) {
+  const { provider, apiKey } = requireApiKey(options.cwd || '.');
+
+  const userMessage = `## Vulnerability
+Title: ${finding.title || 'Unknown'}
+Severity: ${finding.severity || 'unknown'}
+Rule: ${finding.ruleId || 'N/A'}
+File: ${finding.file || 'unknown'}
+Line: ${finding.line || 'unknown'}
+Description: ${finding.description || ''}
+
+## Full File Content
+\`\`\`
+${fileContent}
+\`\`\`
+
+Generate a minimal fix for this vulnerability. Match the existing code style. Return only the changed lines as a diff.`;
+
+  const { text, inputTokens, outputTokens } = await callLLM(
+    provider,
+    apiKey,
+    FIX_SYSTEM_PROMPT,
+    userMessage,
+  );
+
+  trackTokens(inputTokens, outputTokens);
+
+  try {
+    const parsed = JSON.parse(text);
+    return {
+      fix: {
+        type: 'replace',
+        old: parsed.old || '',
+        new: parsed.new || '',
+        tier: 2, // AI fixes always require review
+      },
+      explanation: parsed.explanation || '',
+    };
+  } catch {
+    // Best-effort extraction if JSON parsing fails
+    return {
+      fix: {
+        type: 'replace',
+        old: '',
+        new: text,
+        tier: 2,
+      },
+      explanation: 'AI returned a non-structured response. Please review manually.',
+    };
+  }
+}
+
+/**
+ * Batch-process multiple findings: explain each vulnerability and generate a fix.
+ *
+ * Processes findings in batches of {@link BATCH_SIZE} to respect rate limits.
+ * Prints progress to stdout.
+ *
+ * @param {object[]} findings    - Array of Doorman finding objects.
+ * @param {Map<string, string>|object} files - Map (or plain object) of filePath -> fileContent.
+ * @param {object} [options]
+ * @param {string}  [options.cwd='.']       - Working directory.
+ * @param {boolean} [options.explainOnly]    - Only explain, skip fix generation.
+ * @param {boolean} [options.silent]         - Suppress progress output.
+ * @returns {Promise<Array<{ finding: object, explanation: object|null, fix: object|null }>>}
+ */
+export async function aiFixAll(findings, files, options = {}) {
+  const { provider } = requireApiKey(options.cwd || '.');
+  const silent = options.silent || false;
+  const explainOnly = options.explainOnly || false;
+
+  resetTokenUsage();
+
+  const total = findings.length;
+  const results = [];
+
+  for (let i = 0; i < total; i += BATCH_SIZE) {
+    const batch = findings.slice(i, i + BATCH_SIZE);
+
+    const batchPromises = batch.map(async (finding, batchIdx) => {
+      const idx = i + batchIdx + 1;
+
+      if (!silent) {
+        console.log(chalk.gray(`  Generating AI fix ${idx}/${total}...`));
+      }
+
+      // Resolve file content
+      const filePath = finding.file || '';
+      let fileContent = '';
+      if (files instanceof Map) {
+        fileContent = files.get(filePath) || '';
+      } else if (files && typeof files === 'object') {
+        fileContent = files[filePath] || '';
+      }
+
+      // If we don't have the content in the map, try reading from disk
+      if (!fileContent && filePath) {
+        const fullPath = resolve(options.cwd || '.', filePath);
+        if (existsSync(fullPath)) {
+          try {
+            fileContent = readFileSync(fullPath, 'utf-8');
+          } catch (err) {
+            if (!silent) {
+              console.log(chalk.yellow(`  Warning: Could not read ${filePath}: ${err.message}`));
+            }
+          }
+        }
+      }
+
+      let explanation = null;
+      let fix = null;
+
+      try {
+        explanation = await explainVulnerability(finding, fileContent, options);
+      } catch (err) {
+        if (!silent) {
+          console.log(chalk.red(`  Failed to explain finding ${idx}: ${err.message}`));
+        }
+      }
+
+      if (!explainOnly) {
+        try {
+          const fixResult = await generateFix(finding, fileContent, options);
+          fix = fixResult.fix;
+          // Merge the fix explanation if the explain step failed
+          if (!explanation && fixResult.explanation) {
+            explanation = { explanation: fixResult.explanation, risk: finding.severity || 'medium', tldr: '' };
+          }
+        } catch (err) {
+          if (!silent) {
+            console.log(chalk.red(`  Failed to generate fix for finding ${idx}: ${err.message}`));
+          }
+        }
+      }
+
+      return { finding, explanation, fix };
+    });
+
+    const batchResults = await Promise.all(batchPromises);
+    results.push(...batchResults);
+
+    // Small delay between batches to be kind to rate limits (skip after last batch)
+    if (i + BATCH_SIZE < total) {
+      await sleep(500);
+    }
+  }
+
+  if (!silent) {
+    printCostSummary(provider);
+  }
+
+  return results;
+}