mpx-scan 1.0.0

package/src/generators/fixes.js

@@ -0,0 +1,256 @@
+/**
+ * Fix Generator
+ * 
+ * Generates copy-paste configuration snippets for fixing security issues
+ * Supports: nginx, apache, caddy, cloudflare
+ */
+
+const chalk = require('chalk');
+
+const PLATFORMS = ['nginx', 'apache', 'caddy', 'cloudflare'];
+
+function generateFixes(platform, results) {
+  if (!PLATFORMS.includes(platform)) {
+    throw new Error(`Unknown platform: ${platform}. Supported: ${PLATFORMS.join(', ')}`);
+  }
+  
+  const lines = [];
+  
+  lines.push('');
+  lines.push(chalk.bold.cyan('═'.repeat(70)));
+  lines.push(chalk.bold.cyan(`  Security Fix Configuration — ${platform.toUpperCase()}`));
+  lines.push(chalk.bold.cyan('═'.repeat(70)));
+  lines.push('');
+  
+  // Collect all failed/warned checks with recommendations
+  const issues = [];
+  
+  for (const [sectionName, section] of Object.entries(results.sections)) {
+    for (const check of section.checks) {
+      if ((check.status === 'fail' || check.status === 'warn') && check.recommendation) {
+        issues.push({ section: sectionName, check });
+      }
+    }
+  }
+  
+  if (issues.length === 0) {
+    lines.push(chalk.green('✓ No security issues found! Your site is well-configured.'));
+    lines.push('');
+    return lines.join('\n');
+  }
+  
+  lines.push(chalk.yellow(`Found ${issues.length} issue(s) to fix:\n`));
+  
+  // Generate platform-specific configs
+  switch (platform) {
+    case 'nginx':
+      lines.push(...generateNginxConfig(issues));
+      break;
+    case 'apache':
+      lines.push(...generateApacheConfig(issues));
+      break;
+    case 'caddy':
+      lines.push(...generateCaddyConfig(issues));
+      break;
+    case 'cloudflare':
+      lines.push(...generateCloudflareConfig(issues));
+      break;
+  }
+  
+  lines.push('');
+  lines.push(chalk.gray('─'.repeat(70)));
+  lines.push(chalk.gray('After applying these changes:'));
+  lines.push(chalk.gray('1. Test your configuration'));
+  lines.push(chalk.gray(`2. Reload/restart your ${platform} server`));
+  lines.push(chalk.gray('3. Run mpx-scan again to verify'));
+  lines.push(chalk.gray('─'.repeat(70)));
+  lines.push('');
+  
+  return lines.join('\n');
+}
+
+function generateNginxConfig(issues) {
+  const lines = [];
+  
+  lines.push(chalk.bold('Add these headers to your nginx config:'));
+  lines.push(chalk.gray('# Location: /etc/nginx/sites-available/your-site'));
+  lines.push(chalk.gray('# Inside the server {} block:\n'));
+  
+  lines.push(chalk.cyan('server {'));
+  lines.push(chalk.cyan('    # ... your existing config ...\n'));
+  
+  const headers = extractHeaders(issues);
+  
+  for (const [header, value] of Object.entries(headers)) {
+    lines.push(chalk.green(`    add_header ${header} "${value}" always;`));
+  }
+  
+  // SSL-specific recommendations
+  if (hasSSLIssues(issues)) {
+    lines.push('');
+    lines.push(chalk.gray('    # SSL/TLS Configuration'));
+    lines.push(chalk.green('    ssl_protocols TLSv1.2 TLSv1.3;'));
+    lines.push(chalk.green('    ssl_prefer_server_ciphers on;'));
+    lines.push(chalk.green('    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";'));
+  }
+  
+  lines.push(chalk.cyan('}'));
+  lines.push('');
+  lines.push(chalk.gray('# Then reload nginx:'));
+  lines.push(chalk.yellow('sudo nginx -t && sudo systemctl reload nginx'));
+  lines.push('');
+  
+  return lines;
+}
+
+function generateApacheConfig(issues) {
+  const lines = [];
+  
+  lines.push(chalk.bold('Add these headers to your Apache config:'));
+  lines.push(chalk.gray('# Location: /etc/apache2/sites-available/your-site.conf'));
+  lines.push(chalk.gray('# Or .htaccess in your document root\n'));
+  
+  lines.push(chalk.cyan('<IfModule mod_headers.c>'));
+  
+  const headers = extractHeaders(issues);
+  
+  for (const [header, value] of Object.entries(headers)) {
+    lines.push(chalk.green(`    Header always set ${header} "${value}"`));
+  }
+  
+  lines.push(chalk.cyan('</IfModule>'));
+  lines.push('');
+  
+  if (hasSSLIssues(issues)) {
+    lines.push(chalk.gray('# SSL/TLS Configuration'));
+    lines.push(chalk.cyan('<IfModule mod_ssl.c>'));
+    lines.push(chalk.green('    SSLProtocol -all +TLSv1.2 +TLSv1.3'));
+    lines.push(chalk.green('    SSLCipherSuite HIGH:!aNULL:!MD5'));
+    lines.push(chalk.green('    SSLHonorCipherOrder on'));
+    lines.push(chalk.cyan('</IfModule>'));
+    lines.push('');
+  }
+  
+  lines.push(chalk.gray('# Then reload Apache:'));
+  lines.push(chalk.yellow('sudo apachectl configtest && sudo systemctl reload apache2'));
+  lines.push('');
+  
+  return lines;
+}
+
+function generateCaddyConfig(issues) {
+  const lines = [];
+  
+  lines.push(chalk.bold('Add these headers to your Caddyfile:'));
+  lines.push(chalk.gray('# Location: /etc/caddy/Caddyfile\n'));
+  
+  lines.push(chalk.cyan('your-domain.com {'));
+  lines.push(chalk.gray('    # ... your existing config ...\n'));
+  
+  const headers = extractHeaders(issues);
+  
+  lines.push(chalk.green('    header {'));
+  for (const [header, value] of Object.entries(headers)) {
+    lines.push(chalk.green(`        ${header} "${value}"`));
+  }
+  lines.push(chalk.green('    }'));
+  
+  lines.push(chalk.cyan('}'));
+  lines.push('');
+  lines.push(chalk.gray('# Caddy automatically handles TLS 1.2/1.3'));
+  lines.push(chalk.gray('# Then reload Caddy:'));
+  lines.push(chalk.yellow('sudo systemctl reload caddy'));
+  lines.push('');
+  
+  return lines;
+}
+
+function generateCloudflareConfig(issues) {
+  const lines = [];
+  
+  lines.push(chalk.bold('Configure Cloudflare security headers:'));
+  lines.push(chalk.gray('Dashboard → Rules → Transform Rules → Modify Response Header\n'));
+  
+  const headers = extractHeaders(issues);
+  
+  lines.push(chalk.yellow('Create these Transform Rules:'));
+  lines.push('');
+  
+  for (const [header, value] of Object.entries(headers)) {
+    lines.push(chalk.green(`• Set "${header}" to "${value}"`));
+  }
+  
+  lines.push('');
+  lines.push(chalk.gray('Or use Cloudflare Workers:'));
+  lines.push('');
+  lines.push(chalk.cyan('addEventListener("fetch", event => {'));
+  lines.push(chalk.cyan('  event.respondWith(handleRequest(event.request));'));
+  lines.push(chalk.cyan('});'));
+  lines.push('');
+  lines.push(chalk.cyan('async function handleRequest(request) {'));
+  lines.push(chalk.cyan('  const response = await fetch(request);'));
+  lines.push(chalk.cyan('  const newHeaders = new Headers(response.headers);'));
+  lines.push('');
+  
+  for (const [header, value] of Object.entries(headers)) {
+    lines.push(chalk.green(`  newHeaders.set("${header}", "${value}");`));
+  }
+  
+  lines.push('');
+  lines.push(chalk.cyan('  return new Response(response.body, {'));
+  lines.push(chalk.cyan('    status: response.status,'));
+  lines.push(chalk.cyan('    statusText: response.statusText,'));
+  lines.push(chalk.cyan('    headers: newHeaders'));
+  lines.push(chalk.cyan('  });'));
+  lines.push(chalk.cyan('}'));
+  lines.push('');
+  
+  if (hasSSLIssues(issues)) {
+    lines.push(chalk.gray('# Also check:'));
+    lines.push(chalk.yellow('• SSL/TLS → Edge Certificates → Minimum TLS Version → TLS 1.2'));
+    lines.push('');
+  }
+  
+  return lines;
+}
+
+function extractHeaders(issues) {
+  const headers = {};
+  
+  for (const { check } of issues) {
+    const rec = check.recommendation;
+    
+    if (rec.includes('Strict-Transport-Security')) {
+      headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains; preload';
+    }
+    if (rec.includes('Content-Security-Policy')) {
+      headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'";
+    }
+    if (rec.includes('X-Content-Type-Options')) {
+      headers['X-Content-Type-Options'] = 'nosniff';
+    }
+    if (rec.includes('X-Frame-Options')) {
+      headers['X-Frame-Options'] = 'DENY';
+    }
+    if (rec.includes('Referrer-Policy')) {
+      headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';
+    }
+    if (rec.includes('Permissions-Policy')) {
+      headers['Permissions-Policy'] = 'camera=(), microphone=(), geolocation=()';
+    }
+    if (rec.includes('Cross-Origin-Opener-Policy')) {
+      headers['Cross-Origin-Opener-Policy'] = 'same-origin';
+    }
+    if (rec.includes('Cross-Origin-Resource-Policy')) {
+      headers['Cross-Origin-Resource-Policy'] = 'same-origin';
+    }
+  }
+  
+  return headers;
+}
+
+function hasSSLIssues(issues) {
+  return issues.some(({ section }) => section === 'ssl');
+}
+
+module.exports = { generateFixes, PLATFORMS };

package/src/index.js

@@ -0,0 +1,153 @@
+/**
+ * mpx-scan — Professional Website Security Scanner
+ * 
+ * Core engine. Runs all security checks against a target URL
+ * and returns a structured report with grades and recommendations.
+ * 
+ * Zero external dependencies for scanning (only chalk/commander for CLI)
+ */
+
+const { scanHeaders } = require('./scanners/headers');
+const { scanSSL } = require('./scanners/ssl');
+const { scanCookies } = require('./scanners/cookies');
+const { scanExposedFiles } = require('./scanners/exposed-files');
+const { scanDNS } = require('./scanners/dns');
+const { scanServer } = require('./scanners/server');
+const { scanSRI } = require('./scanners/sri');
+const { scanMixedContent } = require('./scanners/mixed-content');
+const { scanRedirects } = require('./scanners/redirects');
+
+const GRADES = ['A+', 'A', 'B', 'C', 'D', 'F'];
+
+const SCANNER_TIERS = {
+  free: ['headers', 'ssl', 'server'],
+  pro: ['headers', 'ssl', 'cookies', 'server', 'exposedFiles', 'dns', 'sri', 'mixedContent', 'redirects']
+};
+
+/**
+ * Run a full security scan on the target URL
+ * @param {string} url - Target URL to scan
+ * @param {object} options - Scan options
+ * @returns {object} Structured scan report
+ */
+async function scan(url, options = {}) {
+  const startTime = Date.now();
+  
+  // Normalize URL
+  if (!url.startsWith('http://') && !url.startsWith('https://')) {
+    url = 'https://' + url;
+  }
+  
+  const parsedUrl = new URL(url);
+  const results = {
+    url: parsedUrl.href,
+    hostname: parsedUrl.hostname,
+    scannedAt: new Date().toISOString(),
+    scanDuration: 0,
+    grade: 'F',
+    score: 0,
+    maxScore: 0,
+    sections: {},
+    summary: {
+      passed: 0,
+      warnings: 0,
+      failed: 0,
+      info: 0
+    },
+    tier: options.tier || 'free'
+  };
+
+  const allScanners = [
+    { name: 'headers', fn: scanHeaders, weight: 25 },
+    { name: 'ssl', fn: scanSSL, weight: 20 },
+    { name: 'cookies', fn: scanCookies, weight: 10 },
+    { name: 'server', fn: scanServer, weight: 8 },
+    { name: 'exposedFiles', fn: scanExposedFiles, weight: 10 },
+    { name: 'dns', fn: scanDNS, weight: 7 },
+    { name: 'sri', fn: scanSRI, weight: 5 },
+    { name: 'mixedContent', fn: scanMixedContent, weight: 5 },
+    { name: 'redirects', fn: scanRedirects, weight: 5 },
+  ];
+
+  // Determine which scanners to run based on tier and options
+  const tier = options.tier || 'free';
+  const allowedScanners = options.full ? SCANNER_TIERS.pro : (SCANNER_TIERS[tier] || SCANNER_TIERS.free);
+  
+  const enabledScanners = allScanners.filter(s => allowedScanners.includes(s.name));
+
+  // Run scanners concurrently
+  const scanPromises = enabledScanners.map(async (scanner) => {
+    try {
+      const result = await scanner.fn(parsedUrl, options);
+      return { name: scanner.name, weight: scanner.weight, result };
+    } catch (err) {
+      return { 
+        name: scanner.name, 
+        weight: scanner.weight,
+        result: {
+          score: 0,
+          maxScore: scanner.weight,
+          checks: [{ 
+            name: `${scanner.name} scan`, 
+            status: 'error', 
+            message: err.message 
+          }]
+        }
+      };
+    }
+  });
+
+  const scanResults = await Promise.all(scanPromises);
+
+  // Aggregate results
+  let totalScore = 0;
+  let totalMax = 0;
+
+  for (const { name, weight, result } of scanResults) {
+    // Normalize scores to weight
+    const normalizedScore = result.maxScore > 0 
+      ? (result.score / result.maxScore) * weight 
+      : 0;
+    
+    totalScore += normalizedScore;
+    totalMax += weight;
+
+    results.sections[name] = {
+      score: Math.round(normalizedScore * 10) / 10,
+      maxScore: weight,
+      grade: calculateGrade(normalizedScore / weight),
+      checks: result.checks || []
+    };
+
+    // Count statuses
+    for (const check of (result.checks || [])) {
+      if (check.status === 'pass') results.summary.passed++;
+      else if (check.status === 'warn') results.summary.warnings++;
+      else if (check.status === 'fail') results.summary.failed++;
+      else if (check.status === 'info') results.summary.info++;
+    }
+  }
+
+  results.score = Math.round(totalScore * 10) / 10;
+  results.maxScore = totalMax;
+  results.grade = calculateGrade(totalScore / totalMax);
+  results.scanDuration = Date.now() - startTime;
+
+  return results;
+}
+
+function calculateGrade(ratio) {
+  if (ratio >= 0.95) return 'A+';
+  if (ratio >= 0.85) return 'A';
+  if (ratio >= 0.70) return 'B';
+  if (ratio >= 0.55) return 'C';
+  if (ratio >= 0.40) return 'D';
+  return 'F';
+}
+
+function scoreToPercentage(score, maxScore) {
+  if (maxScore === 0) return 0;
+  return Math.round((score / maxScore) * 100);
+}
+
+module.exports = { scan, calculateGrade, scoreToPercentage, SCANNER_TIERS };

package/src/license.js

@@ -0,0 +1,187 @@
+/**
+ * License Management
+ * 
+ * Free tier: 3 scans/day, basic checks only
+ * Pro tier: unlimited scans, all checks, JSON export
+ * 
+ * Simple file-based license tracking (can be upgraded to LemonSqueezy API later)
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const LICENSE_DIR = path.join(os.homedir(), '.mpx-scan');
+const LICENSE_FILE = path.join(LICENSE_DIR, 'license.json');
+const USAGE_FILE = path.join(LICENSE_DIR, 'usage.json');
+
+const FREE_DAILY_LIMIT = 3;
+
+function ensureDir() {
+  if (!fs.existsSync(LICENSE_DIR)) {
+    fs.mkdirSync(LICENSE_DIR, { recursive: true });
+  }
+}
+
+/**
+ * Get current license status
+ * @returns {object} { tier: 'free'|'pro', key: string|null }
+ */
+function getLicense() {
+  ensureDir();
+  
+  try {
+    if (fs.existsSync(LICENSE_FILE)) {
+      const data = JSON.parse(fs.readFileSync(LICENSE_FILE, 'utf8'));
+      
+      // Validate license key format (simple check for now)
+      if (data.key && data.key.startsWith('MPX-PRO-')) {
+        return { tier: 'pro', key: data.key, email: data.email || null };
+      }
+    }
+  } catch (err) {
+    // Invalid license file, treat as free
+  }
+  
+  return { tier: 'free', key: null, email: null };
+}
+
+/**
+ * Activate a pro license
+ * @param {string} key - License key
+ * @param {string} email - User email (optional)
+ */
+function activateLicense(key, email = null) {
+  ensureDir();
+  
+  // TODO: Validate with LemonSqueezy API
+  // For now, just check format
+  if (!key.startsWith('MPX-PRO-')) {
+    throw new Error('Invalid license key format. Pro keys start with MPX-PRO-');
+  }
+  
+  const licenseData = {
+    key,
+    email,
+    activatedAt: new Date().toISOString()
+  };
+  
+  fs.writeFileSync(LICENSE_FILE, JSON.stringify(licenseData, null, 2));
+  
+  return { success: true, tier: 'pro' };
+}
+
+/**
+ * Check if user can perform a scan (rate limiting for free tier)
+ * @returns {object} { allowed: boolean, remaining: number, resetsAt: string }
+ */
+function checkRateLimit() {
+  const license = getLicense();
+  
+  // Pro users have unlimited scans
+  if (license.tier === 'pro') {
+    return { allowed: true, remaining: -1, resetsAt: null };
+  }
+  
+  ensureDir();
+  
+  // Free tier: check daily usage
+  let usage = { scans: [], lastReset: null };
+  
+  try {
+    if (fs.existsSync(USAGE_FILE)) {
+      usage = JSON.parse(fs.readFileSync(USAGE_FILE, 'utf8'));
+    }
+  } catch (err) {
+    // Invalid usage file, reset
+  }
+  
+  const now = new Date();
+  const today = now.toISOString().split('T')[0];
+  
+  // Reset if it's a new day
+  if (usage.lastReset !== today) {
+    usage = { scans: [], lastReset: today };
+  }
+  
+  // Filter scans from today
+  const todayScans = usage.scans.filter(s => s.startsWith(today));
+  
+  if (todayScans.length >= FREE_DAILY_LIMIT) {
+    const tomorrow = new Date(now);
+    tomorrow.setDate(tomorrow.getDate() + 1);
+    tomorrow.setHours(0, 0, 0, 0);
+    
+    return {
+      allowed: false,
+      remaining: 0,
+      resetsAt: tomorrow.toISOString()
+    };
+  }
+  
+  return {
+    allowed: true,
+    remaining: FREE_DAILY_LIMIT - todayScans.length,
+    resetsAt: null
+  };
+}
+
+/**
+ * Record a scan (for free tier rate limiting)
+ */
+function recordScan() {
+  const license = getLicense();
+  
+  // No need to track pro scans
+  if (license.tier === 'pro') {
+    return;
+  }
+  
+  ensureDir();
+  
+  let usage = { scans: [], lastReset: null };
+  
+  try {
+    if (fs.existsSync(USAGE_FILE)) {
+      usage = JSON.parse(fs.readFileSync(USAGE_FILE, 'utf8'));
+    }
+  } catch (err) {
+    // Invalid usage file, reset
+  }
+  
+  const now = new Date();
+  const today = now.toISOString().split('T')[0];
+  
+  // Reset if it's a new day
+  if (usage.lastReset !== today) {
+    usage = { scans: [], lastReset: today };
+  }
+  
+  usage.scans.push(now.toISOString());
+  
+  // Keep only last 10 scans for privacy
+  if (usage.scans.length > 10) {
+    usage.scans = usage.scans.slice(-10);
+  }
+  
+  fs.writeFileSync(USAGE_FILE, JSON.stringify(usage, null, 2));
+}
+
+/**
+ * Deactivate license
+ */
+function deactivateLicense() {
+  if (fs.existsSync(LICENSE_FILE)) {
+    fs.unlinkSync(LICENSE_FILE);
+  }
+  return { success: true, tier: 'free' };
+}
+
+module.exports = {
+  getLicense,
+  activateLicense,
+  deactivateLicense,
+  checkRateLimit,
+  recordScan,
+  FREE_DAILY_LIMIT
+};

package/src/reporters/json.js

@@ -0,0 +1,32 @@
+/**
+ * JSON Reporter
+ * 
+ * Machine-readable output for CI/CD pipelines
+ */
+
+function formatJSON(results, pretty = false) {
+  const output = {
+    mpxScan: {
+      version: '1.0.0',
+      scannedAt: results.scannedAt,
+      scanDuration: results.scanDuration
+    },
+    target: {
+      url: results.url,
+      hostname: results.hostname
+    },
+    score: {
+      grade: results.grade,
+      numeric: results.score,
+      maxScore: results.maxScore,
+      percentage: Math.round((results.score / results.maxScore) * 100)
+    },
+    summary: results.summary,
+    sections: results.sections,
+    tier: results.tier
+  };
+  
+  return JSON.stringify(output, null, pretty ? 2 : 0);
+}
+
+module.exports = { formatJSON };