javi-forge 1.6.0 → 1.6.1

package/dist/commands/security.js

@@ -1,32 +1,43 @@
-import { execFile } from 'child_process';
-import { promisify } from 'util';
-import fs from 'fs-extra';
-import path from 'path';
-import { detectCIStack } from './ci.js';
+import { execFile } from "child_process";
+import fs from "fs-extra";
+import path from "path";
+import { promisify } from "util";
+import { detectCIStack } from "./ci.js";
 const execFileAsync = promisify(execFile);
 // =============================================================================
 // Constants
 // =============================================================================
-const BASELINE_DIR = '.javi-forge';
-const BASELINE_FILE = 'security-baseline.json';
-const BASELINE_VERSION = '1.0.0';
+const BASELINE_DIR = ".javi-forge";
+const BASELINE_FILE = "security-baseline.json";
+const BASELINE_VERSION = "2.0.0";
+const SEVERITY_ORDER = {
+    critical: 5,
+    high: 4,
+    moderate: 3,
+    low: 2,
+    info: 1,
+};
+const DEFAULT_STALE_DAYS = 30;
 // =============================================================================
 // Audit command resolution
 // =============================================================================
 export function getAuditCommand(stack, buildTool) {
     switch (stack) {
-        case 'node':
+        case "node":
             switch (buildTool) {
-                case 'pnpm': return { cmd: 'pnpm', args: ['audit', '--json'] };
-                case 'yarn': return { cmd: 'yarn', args: ['npm', 'audit', '--json'] };
-                default: return { cmd: 'npm', args: ['audit', '--json'] };
+                case "pnpm":
+                    return { cmd: "pnpm", args: ["audit", "--json"] };
+                case "yarn":
+                    return { cmd: "yarn", args: ["npm", "audit", "--json"] };
+                default:
+                    return { cmd: "npm", args: ["audit", "--json"] };
             }
-        case 'python':
-            return { cmd: 'pip-audit', args: ['--format=json', '--output=-'] };
-        case 'go':
-            return { cmd: 'govulncheck', args: ['-json', './...'] };
-        case 'rust':
-            return { cmd: 'cargo', args: ['audit', '--json'] };
+        case "python":
+            return { cmd: "pip-audit", args: ["--format=json", "--output=-"] };
+        case "go":
+            return { cmd: "govulncheck", args: ["-json", "./..."] };
+        case "rust":
+            return { cmd: "cargo", args: ["audit", "--json"] };
         default:
             return null;
     }
@@ -46,7 +57,7 @@ export function parseNpmAudit(raw) {
         for (const [pkgName, info] of Object.entries(vulns)) {
             const v = info;
             // via can contain objects (direct vulns) or strings (transitive refs)
-            const directVias = (v.via ?? []).filter((x) => typeof x === 'object');
+            const directVias = (v.via ?? []).filter((x) => typeof x === "object");
             if (directVias.length === 0) {
                 findings.push({
                     id: `npm-${pkgName}`,
@@ -80,10 +91,10 @@ export function parsePipAudit(raw) {
         // pip-audit JSON: array of { name, version, vulns: [{ id, fix_versions, description }] }
         const deps = Array.isArray(data) ? data : (data.dependencies ?? []);
         for (const dep of deps) {
-            for (const vuln of (dep.vulns ?? [])) {
+            for (const vuln of dep.vulns ?? []) {
                 findings.push({
                     id: vuln.id ?? `pip-${dep.name}`,
-                    severity: normalizeSeverity(vuln.fix_versions?.length ? 'high' : 'moderate'),
+                    severity: normalizeSeverity(vuln.fix_versions?.length ? "high" : "moderate"),
                     package: dep.name,
                     title: vuln.description ?? `Vulnerability in ${dep.name}`,
                 });
@@ -103,10 +114,10 @@ export function parseCargoAudit(raw) {
         for (const v of vulns) {
             const advisory = v.advisory ?? {};
             findings.push({
-                id: advisory.id ?? `cargo-${v.package?.name ?? 'unknown'}`,
+                id: advisory.id ?? `cargo-${v.package?.name ?? "unknown"}`,
                 severity: normalizeSeverity(advisory.cvss?.severity),
-                package: v.package?.name ?? 'unknown',
-                title: advisory.title ?? `Vulnerability in ${v.package?.name ?? 'unknown'}`,
+                package: v.package?.name ?? "unknown",
+                title: advisory.title ?? `Vulnerability in ${v.package?.name ?? "unknown"}`,
                 url: advisory.url,
             });
         }
@@ -120,16 +131,16 @@ export function parseGovulncheck(raw) {
     const findings = [];
     try {
         // govulncheck JSON outputs one JSON object per line (NDJSON)
-        const lines = raw.split('\n').filter(l => l.trim());
+        const lines = raw.split("\n").filter((l) => l.trim());
         for (const line of lines) {
             try {
                 const entry = JSON.parse(line);
                 if (entry.osv) {
                     findings.push({
-                        id: entry.osv.id ?? 'unknown',
+                        id: entry.osv.id ?? "unknown",
                         severity: normalizeSeverity(entry.osv.database_specific?.severity),
-                        package: entry.osv.affected?.[0]?.package?.name ?? 'unknown',
-                        title: entry.osv.summary ?? entry.osv.id ?? 'Go vulnerability',
+                        package: entry.osv.affected?.[0]?.package?.name ?? "unknown",
+                        title: entry.osv.summary ?? entry.osv.id ?? "Go vulnerability",
                         url: entry.osv.references?.[0]?.url,
                     });
                 }
@@ -146,39 +157,120 @@ export function parseGovulncheck(raw) {
 }
 function normalizeSeverity(raw) {
     if (!raw)
-        return 'moderate';
+        return "moderate";
     const lower = raw.toLowerCase();
-    if (lower === 'critical')
-        return 'critical';
-    if (lower === 'high')
-        return 'high';
-    if (lower === 'moderate' || lower === 'medium')
-        return 'moderate';
-    if (lower === 'low')
-        return 'low';
-    if (lower === 'info' || lower === 'none')
-        return 'info';
-    return 'moderate';
+    if (lower === "critical")
+        return "critical";
+    if (lower === "high")
+        return "high";
+    if (lower === "moderate" || lower === "medium")
+        return "moderate";
+    if (lower === "low")
+        return "low";
+    if (lower === "info" || lower === "none")
+        return "info";
+    return "moderate";
 }
 export function parseAuditOutput(stack, raw) {
     switch (stack) {
-        case 'node': return parseNpmAudit(raw);
-        case 'python': return parsePipAudit(raw);
-        case 'rust': return parseCargoAudit(raw);
-        case 'go': return parseGovulncheck(raw);
-        default: return [];
+        case "node":
+            return parseNpmAudit(raw);
+        case "python":
+            return parsePipAudit(raw);
+        case "rust":
+            return parseCargoAudit(raw);
+        case "go":
+            return parseGovulncheck(raw);
+        default:
+            return [];
+    }
+}
+// =============================================================================
+// Severity helpers
+// =============================================================================
+export function severityAtOrAbove(severity, threshold) {
+    return SEVERITY_ORDER[severity] >= SEVERITY_ORDER[threshold];
+}
+export function filterBySeverity(findings, minSeverity) {
+    return findings.filter((f) => severityAtOrAbove(f.severity, minSeverity));
+}
+// =============================================================================
+// Allowlist filtering
+// =============================================================================
+export function filterAllowlisted(findings, allowlist) {
+    if (allowlist.length === 0)
+        return findings;
+    const allowSet = new Set(allowlist);
+    return findings.filter((f) => !allowSet.has(makeFindingKey(f)));
+}
+// =============================================================================
+// Staleness detection
+// =============================================================================
+export function checkStaleness(baseline, staleDays) {
+    const refDate = baseline.updatedAt ?? baseline.createdAt;
+    const ageMs = Date.now() - new Date(refDate).getTime();
+    const ageDays = Math.floor(ageMs / (1000 * 60 * 60 * 24));
+    if (ageDays > staleDays) {
+        return `Baseline is ${ageDays} days old (threshold: ${staleDays}). Consider running \`javi-forge security update\`.`;
     }
+    return undefined;
+}
+export function baselineAgeDays(baseline) {
+    const refDate = baseline.updatedAt ?? baseline.createdAt;
+    const ageMs = Date.now() - new Date(refDate).getTime();
+    return Math.floor(ageMs / (1000 * 60 * 60 * 24));
+}
+// =============================================================================
+// Summary computation
+// =============================================================================
+export function computeSummary(current, regressions, resolved, filteredRegressions, baseline) {
+    const bySeverity = {
+        critical: 0,
+        high: 0,
+        moderate: 0,
+        low: 0,
+        info: 0,
+    };
+    for (const f of current) {
+        bySeverity[f.severity]++;
+    }
+    return {
+        total: current.length,
+        bySeverity,
+        regressionCount: regressions.length,
+        resolvedCount: resolved.length,
+        filteredCount: filteredRegressions.length,
+        baselineAge: baselineAgeDays(baseline),
+    };
 }
 // =============================================================================
 // Regression detection
 // =============================================================================
-export function detectRegressions(baseline, current) {
+export function detectRegressions(baseline, current, options = {}) {
     const baselineKeySet = new Set(baseline.findingKeys);
     const currentKeys = current.map(makeFindingKey);
     const currentKeySet = new Set(currentKeys);
-    const regressions = current.filter(f => !baselineKeySet.has(makeFindingKey(f)));
-    const resolved = baseline.findings.filter(f => !currentKeySet.has(makeFindingKey(f)));
-    return { baseline, current, regressions, resolved };
+    let regressions = current.filter((f) => !baselineKeySet.has(makeFindingKey(f)));
+    const resolved = baseline.findings.filter((f) => !currentKeySet.has(makeFindingKey(f)));
+    // Apply allowlist filtering
+    const allowlist = baseline.allowlist ?? [];
+    regressions = filterAllowlisted(regressions, allowlist);
+    // Apply severity threshold
+    const minSeverity = options.minSeverity ?? "low";
+    const filteredRegressions = filterBySeverity(regressions, minSeverity);
+    // Check staleness
+    const staleDays = options.staleDays ?? DEFAULT_STALE_DAYS;
+    const staleWarning = checkStaleness(baseline, staleDays);
+    const summary = computeSummary(current, regressions, resolved, filteredRegressions, baseline);
+    return {
+        baseline,
+        current,
+        regressions,
+        resolved,
+        filteredRegressions,
+        staleWarning,
+        summary,
+    };
 }
 // =============================================================================
 // Baseline file I/O
@@ -188,7 +280,7 @@ function baselinePath(projectDir) {
 }
 export async function readBaseline(projectDir) {
     const bp = baselinePath(projectDir);
-    if (!await fs.pathExists(bp))
+    if (!(await fs.pathExists(bp)))
         return null;
     try {
         return await fs.readJson(bp);
@@ -217,7 +309,7 @@ async function runAuditTool(projectDir, auditCmd) {
     catch (err) {
         // npm audit exits non-zero when vulns are found — that's expected
         // We still want the stdout (JSON output)
-        if (err && typeof err === 'object' && 'stdout' in err) {
+        if (err && typeof err === "object" && "stdout" in err) {
             const stdout = err.stdout;
             if (stdout && stdout.trim().length > 0)
                 return stdout;
@@ -231,75 +323,123 @@ async function runAuditTool(projectDir, auditCmd) {
 function report(onStep, id, label, status, detail) {
     onStep({ id, label, status, detail });
 }
-export async function runSecurity(mode, projectDir, onStep) {
+export async function runSecurity(mode, projectDir, onStep, options = {}) {
     // ── Detect stack ────────────────────────────────────────────────────────
-    report(onStep, 'detect', 'Detecting stack', 'running');
+    report(onStep, "detect", "Detecting stack", "running");
     let stackInfo;
     try {
         stackInfo = await detectCIStack(projectDir);
-        report(onStep, 'detect', `Stack: ${stackInfo.stackType} (${stackInfo.buildTool})`, 'done');
+        report(onStep, "detect", `Stack: ${stackInfo.stackType} (${stackInfo.buildTool})`, "done");
     }
     catch (e) {
-        report(onStep, 'detect', 'Detecting stack', 'error', String(e));
+        report(onStep, "detect", "Detecting stack", "error", String(e));
         throw e;
     }
     // ── Resolve audit command ──────────────────────────────────────────────
     const auditCmd = getAuditCommand(stackInfo.stackType, stackInfo.buildTool);
     if (!auditCmd) {
-        report(onStep, 'audit', 'Security audit', 'error', `No audit tool for stack "${stackInfo.stackType}". Supported: node, python, go, rust`);
+        report(onStep, "audit", "Security audit", "error", `No audit tool for stack "${stackInfo.stackType}". Supported: node, python, go, rust`);
         throw new Error(`Unsupported stack for security audit: ${stackInfo.stackType}`);
     }
     // ── Run audit ──────────────────────────────────────────────────────────
-    report(onStep, 'audit', `Running ${auditCmd.cmd} audit`, 'running');
+    report(onStep, "audit", `Running ${auditCmd.cmd} audit`, "running");
     let raw;
     try {
         raw = await runAuditTool(projectDir, auditCmd);
-        report(onStep, 'audit', `Audit complete`, 'done');
+        report(onStep, "audit", `Audit complete`, "done");
     }
     catch (e) {
-        report(onStep, 'audit', `Audit failed`, 'error', `${auditCmd.cmd} not found or failed. Install it first.`);
+        report(onStep, "audit", `Audit failed`, "error", `${auditCmd.cmd} not found or failed. Install it first.`);
         throw e;
     }
     // ── Parse findings ─────────────────────────────────────────────────────
     const findings = parseAuditOutput(stackInfo.stackType, raw);
     switch (mode) {
-        case 'baseline':
-        case 'update': {
-            report(onStep, 'save', mode === 'update' ? 'Updating baseline' : 'Creating baseline', 'running');
+        case "baseline":
+        case "update": {
+            report(onStep, "save", mode === "update" ? "Updating baseline" : "Creating baseline", "running");
+            // Preserve createdAt and allowlist on update
+            let createdAt = new Date().toISOString();
+            let allowlist = [];
+            if (mode === "update") {
+                const existing = await readBaseline(projectDir);
+                if (existing) {
+                    createdAt = existing.createdAt;
+                    allowlist = existing.allowlist ?? [];
+                }
+            }
             const baseline = {
                 version: BASELINE_VERSION,
-                createdAt: new Date().toISOString(),
+                createdAt,
+                updatedAt: mode === "update" ? new Date().toISOString() : undefined,
                 stack: stackInfo.stackType,
                 buildTool: stackInfo.buildTool,
                 findings,
                 findingKeys: findings.map(makeFindingKey),
+                allowlist,
             };
             await writeBaseline(projectDir, baseline);
-            report(onStep, 'save', `Baseline saved with ${findings.length} finding(s)`, 'done', baselinePath(projectDir));
+            report(onStep, "save", `Baseline saved with ${findings.length} finding(s)`, "done", baselinePath(projectDir));
             return null;
         }
-        case 'check': {
-            report(onStep, 'check', 'Checking for regressions', 'running');
+        case "check": {
+            report(onStep, "check", "Checking for regressions", "running");
             const existing = await readBaseline(projectDir);
             if (!existing) {
-                report(onStep, 'check', 'No baseline found', 'error', 'Run `javi-forge security baseline` first to create a baseline');
-                throw new Error('No security baseline found. Run `javi-forge security baseline` first.');
+                report(onStep, "check", "No baseline found", "error", "Run `javi-forge security baseline` first to create a baseline");
+                throw new Error("No security baseline found. Run `javi-forge security baseline` first.");
+            }
+            const result = detectRegressions(existing, findings, options);
+            // Staleness warning
+            if (result.staleWarning) {
+                report(onStep, "stale", "Baseline staleness", "skipped", result.staleWarning);
+            }
+            // Summary line
+            const { summary } = result;
+            const sevBreakdown = Object.entries(summary.bySeverity)
+                .filter(([, count]) => count > 0)
+                .map(([sev, count]) => `${count} ${sev}`)
+                .join(", ");
+            if (sevBreakdown) {
+                report(onStep, "summary", `Current findings: ${summary.total} (${sevBreakdown})`, "done");
             }
-            const result = detectRegressions(existing, findings);
-            if (result.regressions.length === 0) {
+            // Use filteredRegressions (severity-filtered + allowlist-filtered) for pass/fail
+            if (result.filteredRegressions.length === 0) {
                 const resolvedMsg = result.resolved.length > 0
                     ? ` (${result.resolved.length} resolved)`
-                    : '';
-                report(onStep, 'check', `No new vulnerabilities${resolvedMsg}`, 'done');
+                    : "";
+                const belowThreshold = result.regressions.length > result.filteredRegressions.length
+                    ? ` (${result.regressions.length - result.filteredRegressions.length} below threshold)`
+                    : "";
+                report(onStep, "check", `No actionable regressions${resolvedMsg}${belowThreshold}`, "done");
             }
             else {
-                const details = result.regressions
-                    .map(r => `  ${r.severity.toUpperCase()} ${r.package}: ${r.title}`)
-                    .join('\n');
-                report(onStep, 'check', `${result.regressions.length} regression(s) found`, 'error', details);
+                const details = result.filteredRegressions
+                    .map((r) => `  ${r.severity.toUpperCase()} ${r.package}: ${r.title}`)
+                    .join("\n");
+                report(onStep, "check", `${result.filteredRegressions.length} regression(s) found`, "error", details);
             }
             return result;
         }
+        case "allowlist": {
+            report(onStep, "allowlist", "Updating allowlist", "running");
+            const existing = await readBaseline(projectDir);
+            if (!existing) {
+                report(onStep, "allowlist", "No baseline found", "error", "Run `javi-forge security baseline` first to create a baseline");
+                throw new Error("No security baseline found. Run `javi-forge security baseline` first.");
+            }
+            // Add all current findings to the allowlist
+            const currentKeys = findings.map(makeFindingKey);
+            const existingAllowlist = new Set(existing.allowlist ?? []);
+            for (const key of currentKeys) {
+                existingAllowlist.add(key);
+            }
+            existing.allowlist = [...existingAllowlist];
+            existing.updatedAt = new Date().toISOString();
+            await writeBaseline(projectDir, existing);
+            report(onStep, "allowlist", `Allowlist updated: ${existingAllowlist.size} finding(s) allowed`, "done", baselinePath(projectDir));
+            return null;
+        }
     }
 }
 //# sourceMappingURL=security.js.map

package/dist/commands/skill-scanner.d.ts

@@ -0,0 +1,63 @@
+/**
+ * CI-level skill security scanner — pre-install analysis of SKILL.md files.
+ *
+ * Detects credential theft, code injection, data exfiltration, and scope escape
+ * patterns before skills are installed. Inspired by the SkillGuard skill
+ * (javi-ai) but implemented as a programmatic module with structured output.
+ */
+import type { SecuritySeverity } from "../types/index.js";
+export type SkillThreatCategory = "credential-theft" | "code-injection" | "data-exfiltration" | "scope-escape" | "privilege-escalation" | "destructive-command" | "self-modification" | "hook-tampering" | "obfuscation" | "missing-provenance" | "excessive-permissions" | "file-traversal";
+export interface SkillThreat {
+    category: SkillThreatCategory;
+    severity: SecuritySeverity;
+    pattern: string;
+    line: number;
+    context: string;
+    message: string;
+}
+export type SkillScanVerdict = "pass" | "warn" | "block";
+export interface SkillScanResult {
+    skillPath: string;
+    skillName: string;
+    verdict: SkillScanVerdict;
+    threats: SkillThreat[];
+    summary: SkillScanSummary;
+}
+export interface SkillScanSummary {
+    total: number;
+    critical: number;
+    high: number;
+    moderate: number;
+    low: number;
+}
+interface ThreatPattern {
+    category: SkillThreatCategory;
+    severity: SecuritySeverity;
+    pattern: RegExp;
+    message: string;
+}
+/**
+ * Ordered by severity (critical first). Each pattern is tested against
+ * every non-comment line in the skill file.
+ */
+export declare const THREAT_PATTERNS: ThreatPattern[];
+interface ProvenanceInfo {
+    hasAuthor: boolean;
+    hasVersion: boolean;
+    hasDescription: boolean;
+}
+export declare function checkProvenance(content: string): ProvenanceInfo;
+export declare function scanSkillContent(content: string, filePath: string): SkillThreat[];
+export declare function computeVerdict(threats: SkillThreat[]): SkillScanVerdict;
+export declare function computeScanSummary(threats: SkillThreat[]): SkillScanSummary;
+export declare function extractSkillName(content: string, filePath: string): string;
+export declare function scanSkillFile(filePath: string): Promise<SkillScanResult>;
+/**
+ * Scan all SKILL.md files in a directory (recursive).
+ * Useful for scanning a plugin's skills directory before installation.
+ */
+export declare function scanSkillsDirectory(dir: string): Promise<SkillScanResult[]>;
+export declare function formatScanReport(result: SkillScanResult): string;
+export declare function formatBatchReport(results: SkillScanResult[]): string;
+export {};
+//# sourceMappingURL=skill-scanner.d.ts.map