npm - octocode-cli - Versions diffs - 1.2.8 → 1.2.9 - Mend

octocode-cli 1.2.8 → 1.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (282) hide show

package/skills/{octocode-code-engineer → octocode-engineer}/src/ast/ts-analyzer.ts RENAMED Viewed

@@ -29,6 +29,8 @@ import { TS_CONTROL_KINDS } from '../types/index.js';
 import type {
   AnalysisOptions,
+  BooleanParamCluster,
+  CatchRethrowEntry,
   CodeLocation,
   DependencyProfile,
   FileCriticality,
@@ -38,9 +40,11 @@ import type {
   FunctionEntry,
   Location,
   MagicNumberEntry,
+  MagicStringEntry,
   Metrics,
   NodeBudget,
   PackageFileSummary,
+  PromiseAllUnhandledEntry,
   TreeEntry,
 } from '../types/index.js';
@@ -72,7 +76,7 @@ export function buildDependencyCriticality(
   for (const fn of fileSummary.functions) {
     const complexity = Number(fn.complexity) || 0;
     totalComplexity += complexity;
-    if (complexity >= options.criticalComplexityThreshold) {
+    if (complexity >= options.thresholds.criticalComplexityThreshold) {
       highComplexity += 1;
     }
   }
@@ -339,7 +343,7 @@ export function analyzeSourceFile(
         entry.declared = true;
       }
-      if (statementCount >= options.minFunctionStatements) {
+      if (statementCount >= options.thresholds.minFunctionStatements) {
         const bodyHash = body
           ? makeFingerprint(body)
           : hashString(fileRelative);
@@ -374,7 +378,7 @@ export function analyzeSourceFile(
       fileEntry.flows.push(flowEntry);
       packageFileSummary.flowCount += 1;
-      if (statementCount >= options.minFlowStatements) {
+      if (statementCount >= options.thresholds.minFlowStatements) {
         const flowHash = makeFingerprint(node);
         increment(maps.controlMap, `${flowHash}|${node.kind}`, {
           ...flowEntry,
@@ -400,6 +404,7 @@ export function analyzeSourceFile(
   analyzeAsyncPatterns(sourceFile, fileEntry);
   collectFileProfiles(sourceFile, fileRelative, fileEntry);
+  collectSmartQualityData(sourceFile, fileRelative, fileEntry);
   return fileEntry;
 }
@@ -507,3 +512,168 @@ function collectFileProfiles(
     }
   }
 }
+const PROMISE_COMBINATORS = new Set(['all', 'allSettled', 'race', 'any']);
+const PROMISE_KIND_MAP: Record<string, PromiseAllUnhandledEntry['kind']> = {
+  all: 'Promise.all',
+  allSettled: 'Promise.allSettled',
+  race: 'Promise.race',
+  any: 'Promise.any',
+};
+function collectSmartQualityData(
+  sourceFile: ts.SourceFile,
+  fileRelative: string,
+  fileEntry: FileEntry
+): void {
+  if (isTestFile(fileRelative)) return;
+  const magicStrings: MagicStringEntry[] = [];
+  const catchRethrows: CatchRethrowEntry[] = [];
+  const booleanParamClusters: BooleanParamCluster[] = [];
+  const promiseAllUnhandled: PromiseAllUnhandledEntry[] = [];
+  const stringCompareValues = new Map<string, CodeLocation[]>();
+  const visit = (node: ts.Node): void => {
+    if (
+      ts.isBinaryExpression(node) &&
+      (node.operatorToken.kind === ts.SyntaxKind.EqualsEqualsEqualsToken ||
+        node.operatorToken.kind === ts.SyntaxKind.ExclamationEqualsEqualsToken ||
+        node.operatorToken.kind === ts.SyntaxKind.EqualsEqualsToken ||
+        node.operatorToken.kind === ts.SyntaxKind.ExclamationEqualsToken)
+    ) {
+      const checkStringLiteral = (operand: ts.Expression): void => {
+        if (ts.isStringLiteral(operand) && operand.text.length > 0) {
+          const loc = getLineAndCharacter(sourceFile, operand);
+          const locs = stringCompareValues.get(operand.text) || [];
+          locs.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
+          stringCompareValues.set(operand.text, locs);
+        }
+      };
+      checkStringLiteral(node.left);
+      checkStringLiteral(node.right);
+    }
+    if (ts.isSwitchStatement(node)) {
+      for (const clause of node.caseBlock.clauses) {
+        if (ts.isCaseClause(clause) && ts.isStringLiteral(clause.expression)) {
+          const text = clause.expression.text;
+          if (text.length > 0) {
+            const loc = getLineAndCharacter(sourceFile, clause.expression);
+            const locs = stringCompareValues.get(text) || [];
+            locs.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
+            stringCompareValues.set(text, locs);
+          }
+        }
+      }
+    }
+    if (ts.isCatchClause(node)) {
+      const block = node.block;
+      if (
+        block.statements.length === 1 &&
+        ts.isThrowStatement(block.statements[0])
+      ) {
+        const throwExpr = block.statements[0].expression;
+        const catchParam = node.variableDeclaration?.name;
+        if (
+          throwExpr &&
+          catchParam &&
+          ts.isIdentifier(catchParam) &&
+          ts.isIdentifier(throwExpr) &&
+          throwExpr.text === catchParam.text
+        ) {
+          const loc = getLineAndCharacter(sourceFile, node);
+          catchRethrows.push({
+            file: fileRelative,
+            lineStart: loc.lineStart,
+            lineEnd: loc.lineEnd,
+          });
+        }
+      }
+    }
+    if (isFunctionLike(node)) {
+      const funcNode = node as ts.FunctionLikeDeclaration;
+      if (funcNode.parameters && funcNode.parameters.length >= 2) {
+        let boolCount = 0;
+        for (const param of funcNode.parameters) {
+          if (
+            param.type &&
+            param.type.kind === ts.SyntaxKind.BooleanKeyword
+          ) {
+            boolCount++;
+          }
+        }
+        if (boolCount >= 3) {
+          const name = getFunctionName(node, sourceFile);
+          const loc = getLineAndCharacter(sourceFile, node);
+          booleanParamClusters.push({
+            name,
+            booleanCount: boolCount,
+            totalParams: funcNode.parameters.length,
+            lineStart: loc.lineStart,
+            lineEnd: loc.lineEnd,
+          });
+        }
+      }
+    }
+    if (
+      ts.isCallExpression(node) &&
+      ts.isPropertyAccessExpression(node.expression) &&
+      ts.isIdentifier(node.expression.expression) &&
+      node.expression.expression.text === 'Promise' &&
+      PROMISE_COMBINATORS.has(node.expression.name.text)
+    ) {
+      const combinator = node.expression.name.text;
+      let hasTryCatch = false;
+      let hasCatchChain = false;
+      let parent = node.parent;
+      while (parent) {
+        if (ts.isTryStatement(parent)) {
+          hasTryCatch = true;
+          break;
+        }
+        if (
+          ts.isCallExpression(parent) &&
+          ts.isPropertyAccessExpression(parent.expression) &&
+          parent.expression.name.text === 'catch'
+        ) {
+          hasCatchChain = true;
+          break;
+        }
+        if (isFunctionLike(parent)) break;
+        parent = parent.parent;
+      }
+      if (!hasTryCatch && !hasCatchChain) {
+        const loc = getLineAndCharacter(sourceFile, node);
+        promiseAllUnhandled.push({
+          file: fileRelative,
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+          kind: PROMISE_KIND_MAP[combinator] || 'Promise.all',
+        });
+      }
+    }
+    ts.forEachChild(node, visit);
+  };
+  ts.forEachChild(sourceFile, visit);
+  for (const [value, locs] of stringCompareValues) {
+    if (locs.length >= 2) {
+      for (const loc of locs) {
+        magicStrings.push({ ...loc, value });
+      }
+    }
+  }
+  if (magicStrings.length > 0) fileEntry.magicStrings = magicStrings;
+  if (catchRethrows.length > 0) fileEntry.catchRethrows = catchRethrows;
+  if (booleanParamClusters.length > 0) fileEntry.booleanParamClusters = booleanParamClusters;
+  if (promiseAllUnhandled.length > 0) fileEntry.promiseAllUnhandled = promiseAllUnhandled;
+}

package/skills/{octocode-code-engineer → octocode-engineer}/src/collectors/security.test.ts RENAMED Viewed

@@ -121,4 +121,77 @@ describe('collectSecurityData', () => {
     expect(fileEntry.suspiciousStrings).toBeDefined();
     expect(fileEntry.suspiciousStrings!.length).toBe(0);
   });
+  it('does not mark generic auth/session logs as sensitive without secret values', () => {
+    const code = `
+      console.log("auth flow started");
+      console.info("session refreshed successfully");
+      console.warn("user auth status changed");
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.consoleLogs).toBeDefined();
+    expect(fileEntry.consoleLogs).toHaveLength(3);
+    expect(fileEntry.consoleLogs!.every(log => log.hasSensitiveArg === false)).toBe(
+      true
+    );
+  });
+  it('marks token-bearing log calls as sensitive', () => {
+    const code = `
+      const token = "abc123";
+      console.log("token", token);
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.consoleLogs).toBeDefined();
+    expect(fileEntry.consoleLogs).toHaveLength(1);
+    expect(fileEntry.consoleLogs![0].hasSensitiveArg).toBe(true);
+  });
+  it('does not mark CLI usage/help templates as sensitive token logs', () => {
+    const code = `
+      console.error(\`Unknown \${flagName}: "\${token}". Use pillar names\`);
+      console.log(\`
+        Usage:
+          node scripts/run.js [options]
+        Options:
+          --root <path>
+      \`);
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.consoleLogs).toBeDefined();
+    expect(fileEntry.consoleLogs).toHaveLength(2);
+    expect(fileEntry.consoleLogs![0].hasSensitiveArg).toBe(false);
+    expect(fileEntry.consoleLogs![1].hasSensitiveArg).toBe(false);
+  });
+  it('does not flag high-entropy literals without secret-like identifier context', () => {
+    const code = `
+      const traceId = "a9F3kLmN2pQr8sTuVwX4yZaB6cDe7fGh";
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    expect(fileEntry.suspiciousStrings!.length).toBe(0);
+  });
+  it('flags high-entropy literals when assigned to secret-like identifiers', () => {
+    const code = `
+      const apiToken = "a9F3kLmN2pQr8sTuVwX4yZaB6cDe7fGh";
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    const secretEntry = fileEntry.suspiciousStrings!.find(
+      s => s.kind === 'hardcoded-secret'
+    );
+    expect(secretEntry).toBeDefined();
+  });
 });

package/skills/{octocode-code-engineer → octocode-engineer}/src/collectors/security.ts RENAMED Viewed

@@ -4,12 +4,11 @@ import { getLineAndCharacter } from '../common/utils.js';
 import type { CodeLocation, ConsoleLogEntry, FileEntry, SuspiciousString } from '../types/index.js';
-const SENSITIVE_LOG_PATTERNS = [
+const HIGH_CONFIDENCE_SENSITIVE_LOG_PATTERNS = [
   /password/i,
   /passwd/i,
   /\bsecret\b/i,
   /\btoken\b/i,
-  /\bauth\b/i,
   /credential/i,
   /credit.?card/i,
   /\bssn\b/i,
@@ -17,9 +16,23 @@ const SENSITIVE_LOG_PATTERNS = [
   /api[_-]?key/i,
   /private[_-]?key/i,
   /access[_-]?key/i,
+];
+const LOW_CONFIDENCE_SENSITIVE_LOG_PATTERNS = [
+  /\bauth\b/i,
   /\bsession\b/i,
 ];
+const NON_SECRET_AUTH_SESSION_CONTEXT =
+  /\b(auth|session)\b.{0,40}\b(flow|status|state|start(?:ed)?|success(?:ful|fully)?|fail(?:ed|ure)?|refresh(?:ed)?|renew(?:ed)?|expire(?:d)?|invalid|chang(?:e|ed)|required|created|destroyed)\b/i;
+const AUTH_SESSION_VALUE_HINT =
+  /\b(id|sid|jwt|bearer|cookie|header|authorization|credential|secret|token|key)\b|[:=]|\{|\}/i;
+const NON_SECRET_USAGE_HINT =
+  /\busage:\b|\boptions:\b|--[a-z0-9-]+|\bunknown\b.{0,20}\btoken\b|\bpillar names?\b|\bcategory names?\b/i;
+const SECRET_CONTEXT_NAME_PATTERN =
+  /(password|passwd|secret|token|api[_-]?key|private[_-]?key|access[_-]?key|credential|auth|session|jwt|bearer|ssn)/i;
 const CONSOLE_LOG_METHODS = new Set([
   'log', 'debug', 'trace', 'info', 'warn', 'error', 'dir', 'table',
 ]);
@@ -93,6 +106,44 @@ function computeShannonEntropy(s: string): number {
   return entropy;
 }
+function hasSecretLikeIdentifierContext(
+  node: ts.Node,
+  sourceFile: ts.SourceFile
+): boolean {
+  const parent = node.parent;
+  if (ts.isVariableDeclaration(parent)) {
+    if (ts.isIdentifier(parent.name)) {
+      return SECRET_CONTEXT_NAME_PATTERN.test(parent.name.text);
+    }
+    return false;
+  }
+  if (ts.isPropertyAssignment(parent)) {
+    if (ts.isIdentifier(parent.name)) {
+      return SECRET_CONTEXT_NAME_PATTERN.test(parent.name.text);
+    }
+    if (ts.isStringLiteral(parent.name) || ts.isNumericLiteral(parent.name)) {
+      return SECRET_CONTEXT_NAME_PATTERN.test(parent.name.text);
+    }
+  }
+  if (ts.isBinaryExpression(parent) && ts.isPropertyAccessExpression(parent.left)) {
+    return SECRET_CONTEXT_NAME_PATTERN.test(parent.left.name.getText(sourceFile));
+  }
+  return false;
+}
+function hasSensitiveLogArgument(argText: string): boolean {
+  if (NON_SECRET_USAGE_HINT.test(argText)) return false;
+  if (HIGH_CONFIDENCE_SENSITIVE_LOG_PATTERNS.some(p => p.test(argText))) {
+    return true;
+  }
+  const hasLowConfidenceTerm = LOW_CONFIDENCE_SENSITIVE_LOG_PATTERNS.some(p =>
+    p.test(argText)
+  );
+  if (!hasLowConfidenceTerm) return false;
+  if (NON_SECRET_AUTH_SESSION_CONTEXT.test(argText)) return false;
+  return AUTH_SESSION_VALUE_HINT.test(argText);
+}
 export function collectSecurityData(
   sourceFile: ts.SourceFile,
   fileRelative: string,
@@ -127,7 +178,7 @@ export function collectSecurityData(
         if (obj === 'console' && CONSOLE_LOG_METHODS.has(method)) {
           const loc = getLineAndCharacter(sourceFile, node);
           const argText = node.arguments.map(a => a.getText(sourceFile)).join(' ');
-          const hasSensitiveArg = SENSITIVE_LOG_PATTERNS.some(p => p.test(argText));
+          const hasSensitiveArg = hasSensitiveLogArgument(argText);
           consoleLogs.push({
             method,
             lineStart: loc.lineStart,
@@ -229,6 +280,7 @@ export function collectSecurityData(
       if (!isInsideMetadataProperty(node) && !isInsideRegexLiteral(node)) {
         const value = node.text;
         if (!isPlaceholderOrUuid(value)) {
+          let matchedSecretPattern = false;
           for (const pattern of SECRET_PATTERNS) {
             if (pattern.test(value)) {
               const loc = getLineAndCharacter(sourceFile, node);
@@ -239,10 +291,16 @@ export function collectSecurityData(
                 snippet: value.slice(0, 40),
                 context: 'literal',
               });
+              matchedSecretPattern = true;
               break;
             }
           }
-          if (value.length >= 20 && computeShannonEntropy(value) > 4.5) {
+          if (
+            !matchedSecretPattern &&
+            value.length >= 20 &&
+            computeShannonEntropy(value) > 4.5 &&
+            hasSecretLikeIdentifierContext(node, sourceFile)
+          ) {
             const loc = getLineAndCharacter(sourceFile, node);
             suspiciousStrings.push({
               lineStart: loc.lineStart,

package/skills/octocode-engineer/src/detector-gating.test.ts ADDED Viewed

@@ -0,0 +1,59 @@
+import { describe, expect, it } from 'vitest';
+import { resolveEnabledPillars } from './index.js';
+describe('resolveEnabledPillars', () => {
+  it('enables all pillars when no feature filter is provided', () => {
+    expect(resolveEnabledPillars(null)).toEqual({
+      architecture: true,
+      codeQuality: true,
+      deadCode: true,
+      security: true,
+      testQuality: true,
+    });
+  });
+  it('enables only security for security-only categories', () => {
+    expect(resolveEnabledPillars(new Set(['hardcoded-secret']))).toEqual({
+      architecture: false,
+      codeQuality: false,
+      deadCode: false,
+      security: true,
+      testQuality: false,
+    });
+  });
+  it('enables only test quality for test-quality-only categories', () => {
+    expect(resolveEnabledPillars(new Set(['missing-mock-restoration']))).toEqual({
+      architecture: false,
+      codeQuality: false,
+      deadCode: false,
+      security: false,
+      testQuality: true,
+    });
+  });
+  it('enables dead code categories explicitly', () => {
+    expect(resolveEnabledPillars(new Set(['dead-export']))).toEqual({
+      architecture: false,
+      codeQuality: false,
+      deadCode: true,
+      security: false,
+      testQuality: false,
+    });
+  });
+  it('enables multiple pillars when categories span pillars', () => {
+    expect(
+      resolveEnabledPillars(
+        new Set(['dependency-cycle', 'cognitive-complexity', 'hardcoded-secret'])
+      )
+    ).toEqual({
+      architecture: true,
+      codeQuality: true,
+      deadCode: false,
+      security: true,
+      testQuality: false,
+    });
+  });
+});