getdoorman 1.0.0

package/src/ast-scanner.js

@@ -0,0 +1,434 @@
+/**
+ * Tree-sitter based AST analysis engine.
+ *
+ * Provides precise, structure-aware code analysis that avoids the false
+ * positives and false negatives inherent in regex-based scanning.
+ *
+ * Gracefully falls back when tree-sitter native modules are not installed —
+ * the code becomes fully functional once `npm install` is run.
+ */
+
+let Parser;
+let treeSitterAvailable = false;
+
+const LANGUAGE_MODULES = {};
+
+try {
+  // eslint-disable-next-line
+  const TreeSitter = await import('tree-sitter');
+  Parser = TreeSitter.default || TreeSitter;
+  treeSitterAvailable = true;
+} catch {
+  // tree-sitter is not installed — AST analysis will be unavailable
+}
+
+/**
+ * Lazily load a tree-sitter language grammar.
+ */
+async function loadLanguage(lang) {
+  if (LANGUAGE_MODULES[lang]) return LANGUAGE_MODULES[lang];
+
+  const moduleMap = {
+    javascript: 'tree-sitter-javascript',
+    python: 'tree-sitter-python',
+    go: 'tree-sitter-go',
+    ruby: 'tree-sitter-ruby',
+    php: 'tree-sitter-php',
+  };
+
+  const modName = moduleMap[lang];
+  if (!modName) return null;
+
+  try {
+    const mod = await import(modName);
+    LANGUAGE_MODULES[lang] = mod.default || mod;
+    return LANGUAGE_MODULES[lang];
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Map file extension to language name.
+ */
+export function detectLanguage(filePath) {
+  const ext = filePath.slice(filePath.lastIndexOf('.'));
+  const map = {
+    '.js': 'javascript',
+    '.jsx': 'javascript',
+    '.ts': 'javascript',   // tree-sitter-javascript handles TS basics
+    '.tsx': 'javascript',
+    '.mjs': 'javascript',
+    '.cjs': 'javascript',
+    '.py': 'python',
+    '.go': 'go',
+    '.rb': 'ruby',
+    '.php': 'php',
+  };
+  return map[ext] || null;
+}
+
+/**
+ * Check whether the tree-sitter AST engine is available.
+ */
+export function isASTAvailable() {
+  return treeSitterAvailable;
+}
+
+/**
+ * Parse source code into a tree-sitter AST.
+ *
+ * @param {string} content  - Source code to parse
+ * @param {string} language - Language name (javascript, python, go, ruby, php)
+ * @returns {ASTContext|null} An ASTContext wrapping the AST, or null on failure.
+ */
+export async function parseFile(content, language) {
+  if (!treeSitterAvailable) return null;
+
+  const lang = await loadLanguage(language);
+  if (!lang) return null;
+
+  try {
+    const parser = new Parser();
+    parser.setLanguage(lang);
+    const tree = parser.parse(content);
+    return new ASTContext(tree, content, language);
+  } catch {
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers: walk the tree
+// ---------------------------------------------------------------------------
+
+function* walk(node) {
+  yield node;
+  for (let i = 0; i < node.childCount; i++) {
+    yield* walk(node.child(i));
+  }
+}
+
+// ---------------------------------------------------------------------------
+// ASTContext — query API for AST rules
+// ---------------------------------------------------------------------------
+
+export class ASTContext {
+  /**
+   * @param {object} tree     - tree-sitter Tree object
+   * @param {string} source   - original source text
+   * @param {string} language - language name
+   */
+  constructor(tree, source, language) {
+    this.tree = tree;
+    this.source = source;
+    this.language = language;
+    this._root = tree.rootNode;
+  }
+
+  // -----------------------------------------------------------------------
+  // findNodes(type) — return every node whose type matches `type`.
+  // -----------------------------------------------------------------------
+  findNodes(type) {
+    const results = [];
+    for (const node of walk(this._root)) {
+      if (node.type === type) {
+        results.push(node);
+      }
+    }
+    return results;
+  }
+
+  // -----------------------------------------------------------------------
+  // findCalls(functionName) — find call_expression nodes for a function.
+  //
+  // Handles:
+  //   foo()              — identifier calls
+  //   obj.method()       — member expression calls
+  //   a.b.method()       — chained member expression calls
+  // -----------------------------------------------------------------------
+  findCalls(functionName) {
+    const callNodes = this.findNodes('call_expression');
+    const results = [];
+
+    for (const node of callNodes) {
+      const callee = node.childForFieldName('function') || node.child(0);
+      if (!callee) continue;
+
+      const calleeText = callee.text;
+
+      // Exact match: foo() or obj.method()
+      if (calleeText === functionName) {
+        results.push(node);
+        continue;
+      }
+
+      // Match just the method name for member expressions: *.method()
+      if (callee.type === 'member_expression') {
+        const property = callee.childForFieldName('property') || callee.child(callee.childCount - 1);
+        if (property && property.text === functionName) {
+          results.push(node);
+          continue;
+        }
+      }
+
+      // Match dot-separated name: e.g. "db.query"
+      if (functionName.includes('.') && calleeText === functionName) {
+        results.push(node);
+      }
+    }
+
+    return results;
+  }
+
+  // -----------------------------------------------------------------------
+  // findAssignments(variableName) — find assignments to a variable.
+  //
+  // Handles variable_declarator and assignment_expression.
+  // -----------------------------------------------------------------------
+  findAssignments(variableName) {
+    const results = [];
+
+    // variable_declarator: const x = ...
+    for (const node of this.findNodes('variable_declarator')) {
+      const name = node.childForFieldName('name') || node.child(0);
+      if (name && name.text === variableName) {
+        results.push(node);
+      }
+    }
+
+    // assignment_expression: x = ...
+    for (const node of this.findNodes('assignment_expression')) {
+      const left = node.childForFieldName('left') || node.child(0);
+      if (left && left.text === variableName) {
+        results.push(node);
+      }
+    }
+
+    return results;
+  }
+
+  // -----------------------------------------------------------------------
+  // getParentFunction(node) — walk up to the enclosing function node.
+  // -----------------------------------------------------------------------
+  getParentFunction(node) {
+    const functionTypes = new Set([
+      'function_declaration',
+      'function_expression',
+      'arrow_function',
+      'method_definition',
+      'function_definition',   // python
+      'func_declaration',      // go
+    ]);
+
+    let current = node.parent;
+    while (current) {
+      if (functionTypes.has(current.type)) return current;
+      current = current.parent;
+    }
+    return null;
+  }
+
+  // -----------------------------------------------------------------------
+  // getScope(node) — return the innermost scope context.
+  // -----------------------------------------------------------------------
+  getScope(node) {
+    const scopeTypes = new Set([
+      'function_declaration',
+      'function_expression',
+      'arrow_function',
+      'method_definition',
+      'class_declaration',
+      'class_expression',
+      'program',
+      'module',
+      'function_definition',
+      'class_definition',
+    ]);
+
+    let current = node.parent;
+    while (current) {
+      if (scopeTypes.has(current.type)) {
+        return { type: current.type, node: current };
+      }
+      current = current.parent;
+    }
+    return { type: 'module', node: this._root };
+  }
+
+  // -----------------------------------------------------------------------
+  // isInsideTryCatch(node) — check whether node is inside a try body.
+  // -----------------------------------------------------------------------
+  isInsideTryCatch(node) {
+    let current = node.parent;
+    while (current) {
+      if (current.type === 'try_statement' || current.type === 'try') {
+        return true;
+      }
+      current = current.parent;
+    }
+    return false;
+  }
+
+  // -----------------------------------------------------------------------
+  // getArguments(callNode) — return the argument nodes of a call.
+  // -----------------------------------------------------------------------
+  getArguments(callNode) {
+    const args = callNode.childForFieldName('arguments');
+    if (!args) {
+      // fallback: look for an arguments node among children
+      for (let i = 0; i < callNode.childCount; i++) {
+        const child = callNode.child(i);
+        if (child.type === 'arguments' || child.type === 'argument_list') {
+          return this._extractArgChildren(child);
+        }
+      }
+      return [];
+    }
+    return this._extractArgChildren(args);
+  }
+
+  _extractArgChildren(argsNode) {
+    const result = [];
+    for (let i = 0; i < argsNode.childCount; i++) {
+      const child = argsNode.child(i);
+      // Skip punctuation (, and )
+      if (child.type !== ',' && child.type !== '(' && child.type !== ')') {
+        result.push(child);
+      }
+    }
+    return result;
+  }
+
+  // -----------------------------------------------------------------------
+  // isStringLiteral(node) — check if a node is a string literal.
+  // -----------------------------------------------------------------------
+  isStringLiteral(node) {
+    const stringTypes = new Set([
+      'string',
+      'string_literal',
+      'template_string',
+      'interpreted_string_literal',
+      'raw_string_literal',
+    ]);
+    return stringTypes.has(node.type);
+  }
+
+  // -----------------------------------------------------------------------
+  // isUserInput(node) — check if node references common user-input sources.
+  //
+  // Recognises: req.query, req.body, req.params, req.headers,
+  //             request.GET, request.POST, request.args, request.form,
+  //             process.env, params[:...], etc.
+  // -----------------------------------------------------------------------
+  isUserInput(node) {
+    const text = node.text;
+    const patterns = [
+      /\breq\.(query|body|params|headers|cookies)\b/,
+      /\brequest\.(query|body|params|headers|cookies)\b/,
+      /\brequest\.(GET|POST|args|form|data|json)\b/,
+      /\bparams\[/,
+      /\bctx\.(request|query|params)\b/,
+      /\bc\.Query\b/,      // Go gin
+      /\bc\.Param\b/,      // Go gin
+      /\br\.URL\.Query\b/, // Go net/http
+      /\br\.FormValue\b/,  // Go net/http
+    ];
+    return patterns.some((p) => p.test(text));
+  }
+
+  // -----------------------------------------------------------------------
+  // nodeText(node) — safe accessor for a node's source text.
+  // -----------------------------------------------------------------------
+  nodeText(node) {
+    return node ? node.text : '';
+  }
+
+  // -----------------------------------------------------------------------
+  // nodeLocation(node) — return { line, column } (1-based line).
+  // -----------------------------------------------------------------------
+  nodeLocation(node) {
+    return {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column,
+    };
+  }
+
+  // -----------------------------------------------------------------------
+  // containsConcatenation(node) — check if a node contains string
+  // concatenation with non-literal operands.
+  // -----------------------------------------------------------------------
+  containsConcatenation(node) {
+    if (node.type === 'binary_expression') {
+      const op = node.childForFieldName('operator');
+      if (op && op.text === '+') {
+        const left = node.childForFieldName('left');
+        const right = node.childForFieldName('right');
+        // At least one side is not a string literal
+        if (
+          (left && !this.isStringLiteral(left)) ||
+          (right && !this.isStringLiteral(right))
+        ) {
+          return true;
+        }
+      }
+    }
+
+    // Check template literals with expressions
+    if (node.type === 'template_string') {
+      for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i);
+        if (child.type === 'template_substitution') {
+          return true;
+        }
+      }
+    }
+
+    // Recurse into children
+    for (let i = 0; i < node.childCount; i++) {
+      if (this.containsConcatenation(node.child(i))) return true;
+    }
+
+    return false;
+  }
+
+  // -----------------------------------------------------------------------
+  // containsUserInput(node) — recursively check if any descendant is
+  // user input.
+  // -----------------------------------------------------------------------
+  containsUserInput(node) {
+    if (this.isUserInput(node)) return true;
+    for (let i = 0; i < node.childCount; i++) {
+      if (this.containsUserInput(node.child(i))) return true;
+    }
+    return false;
+  }
+
+  // -----------------------------------------------------------------------
+  // isNonLiteral(node) — check if a node is NOT a simple literal value.
+  // -----------------------------------------------------------------------
+  isNonLiteral(node) {
+    const literalTypes = new Set([
+      'string',
+      'string_literal',
+      'number',
+      'integer',
+      'float',
+      'true',
+      'false',
+      'null',
+      'undefined',
+      'template_string',
+    ]);
+
+    // A template_string with substitutions is non-literal
+    if (node.type === 'template_string') {
+      for (let i = 0; i < node.childCount; i++) {
+        if (node.child(i).type === 'template_substitution') return true;
+      }
+      return false;
+    }
+
+    return !literalTypes.has(node.type);
+  }
+}

package/src/auth.js

@@ -0,0 +1,149 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const AUTH_DIR = join(homedir(), '.doorman');
+const AUTH_FILE = join(AUTH_DIR, 'auth.json');
+
+// Plans
+const PLANS = {
+  free: {
+    name: 'Free', price: '$0', maxScans: 5,
+    categories: ['security', 'bugs'],
+  },
+  pro: {
+    name: 'Pro', price: '$20/mo', maxScans: Infinity,
+    categories: ['security', 'bugs', 'performance', 'reliability', 'cost', 'data', 'quality'],
+    dashboard: true, autoRun: true, cicd: true,
+  },
+  enterprise: {
+    name: 'Enterprise', price: '$100/mo', maxScans: Infinity,
+    categories: 'all',
+    dashboard: true, autoRun: true, cicd: true,
+    compliance: true, teamDashboard: true, prComments: true, slack: true, customRules: true,
+  },
+};
+
+const FREE_MONTHLY_SCANS = 5;
+
+/**
+ * Load saved account from ~/.doorman/auth.json
+ */
+export function loadAuth() {
+  if (!existsSync(AUTH_FILE)) return null;
+  try {
+    return JSON.parse(readFileSync(AUTH_FILE, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Save account locally.
+ */
+function saveAuthData(data) {
+  if (!existsSync(AUTH_DIR)) mkdirSync(AUTH_DIR, { recursive: true });
+  writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2) + '\n');
+}
+
+/**
+ * Save account by email.
+ */
+export function saveAuth(email) {
+  const existing = loadAuth();
+  const data = {
+    email,
+    plan: existing?.plan || 'free',
+    scansThisMonth: existing?.scansThisMonth || 0,
+    monthKey: getCurrentMonthKey(),
+    savedAt: new Date().toISOString(),
+  };
+  saveAuthData(data);
+  return data;
+}
+
+/**
+ * Get current month key (YYYY-MM) for tracking monthly scan count.
+ */
+function getCurrentMonthKey() {
+  const now = new Date();
+  return `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`;
+}
+
+/**
+ * Record a scan and check if the user has scans remaining.
+ * Returns { allowed: boolean, remaining: number, plan: string }
+ */
+export function recordScanUsage() {
+  const bypass = process.env.DOORMAN_BYPASS === '1';
+  if (bypass) return { allowed: true, remaining: Infinity, plan: 'bypass' };
+
+  let auth = loadAuth();
+
+  // No account yet — create one
+  if (!auth) {
+    auth = { plan: 'free', scansThisMonth: 0, monthKey: getCurrentMonthKey(), savedAt: new Date().toISOString() };
+    saveAuthData(auth);
+  }
+
+  const plan = PLANS[auth.plan] || PLANS.free;
+
+  // Reset count if new month
+  if (auth.monthKey !== getCurrentMonthKey()) {
+    auth.scansThisMonth = 0;
+    auth.monthKey = getCurrentMonthKey();
+  }
+
+  const maxScans = plan.maxScans ?? FREE_MONTHLY_SCANS;
+  const remaining = maxScans - auth.scansThisMonth;
+
+  if (remaining <= 0 && maxScans !== Infinity) {
+    return { allowed: false, remaining: 0, plan: plan.name };
+  }
+
+  // Record this scan
+  auth.scansThisMonth = (auth.scansThisMonth || 0) + 1;
+  saveAuthData(auth);
+
+  return {
+    allowed: true,
+    remaining: maxScans === Infinity ? Infinity : maxScans - auth.scansThisMonth,
+    plan: plan.name,
+  };
+}
+
+/**
+ * Get the user's plan and which categories they can see.
+ */
+export function getUserPlan(email) {
+  const auth = loadAuth();
+  if (!auth || auth.email !== email) return PLANS.free;
+  const planId = auth.plan || 'free';
+  return PLANS[planId] || PLANS.free;
+}
+
+/**
+ * Get the user's scan usage info without recording a scan.
+ */
+export function getScanUsage() {
+  const auth = loadAuth();
+  if (!auth) return { scansUsed: 0, maxScans: FREE_MONTHLY_SCANS, plan: 'Free' };
+
+  const plan = PLANS[auth.plan] || PLANS.free;
+  const monthKey = getCurrentMonthKey();
+  const scansUsed = auth.monthKey === monthKey ? (auth.scansThisMonth || 0) : 0;
+
+  return {
+    scansUsed,
+    maxScans: plan.maxScans ?? FREE_MONTHLY_SCANS,
+    plan: plan.name,
+    email: auth.email,
+  };
+}
+
+/**
+ * Get all plan definitions.
+ */
+export function getPlans() {
+  return PLANS;
+}

package/src/baseline.js

@@ -0,0 +1,48 @@
+// Baseline mode: save/load/diff findings to show only NEW issues
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { createHash } from 'crypto';
+
+const DEFAULT_PATH = '.doorman-baseline.json';
+
+/**
+ * Create a fingerprint for a finding (file + rule + line range)
+ */
+function fingerprint(f) {
+  return createHash('sha256')
+    .update(`${f.ruleId}::${f.file}::${Math.floor((f.line || 0) / 5)}`)
+    .digest('hex')
+    .slice(0, 32);
+}
+
+/**
+ * Save current findings as baseline
+ */
+export function saveBaseline(findings, path = DEFAULT_PATH) {
+  const baseline = {
+    version: 1,
+    createdAt: new Date().toISOString(),
+    count: findings.length,
+    fingerprints: findings.map(fingerprint),
+  };
+  writeFileSync(path, JSON.stringify(baseline, null, 2) + '\n');
+  return baseline;
+}
+
+/**
+ * Load existing baseline
+ */
+export function loadBaseline(path = DEFAULT_PATH) {
+  if (!existsSync(path)) return null;
+  try {
+    return JSON.parse(readFileSync(path, 'utf-8'));
+  } catch { return null; }
+}
+
+/**
+ * Filter findings to only show NEW ones (not in baseline)
+ */
+export function diffFindings(findings, baseline) {
+  if (!baseline || !baseline.fingerprints) return findings;
+  const known = new Set(baseline.fingerprints);
+  return findings.filter(f => !known.has(fingerprint(f)));
+}