pi-lens 3.6.2 → 3.6.4

package/clients/secrets-scanner.js

@@ -1,119 +0,0 @@
-/**
- * Content-level secrets scanner
- *
- * Scans file content for potential secret patterns before write.
- * Works on all file types via regex matching.
- *
- * Detected patterns:
- * - Stripe/OpenAI keys (sk-*)
- * - GitHub tokens (ghp_*, gho_*, github_pat_*)
- * - AWS keys (AKIA*)
- * - Slack tokens (xoxp-*, xoxb-*)
- * - Private keys (BEGIN PRIVATE KEY)
- * - Generic API key/password patterns
- */
-import { isTestFile } from "./file-utils.js";
-// Patterns ordered by specificity - first match wins per line
-const SECRET_PATTERNS = [
-    // High-confidence: specific key prefixes
-    {
-        pattern: /sk-[a-zA-Z0-9-]{20,}/g,
-        name: "stripe-openai-key",
-        message: "Possible Stripe or OpenAI API key (sk-*)",
-    },
-    {
-        pattern: /ghp_[a-zA-Z0-9]{36}/g,
-        name: "github-personal-token",
-        message: "GitHub personal access token (ghp_*)",
-    },
-    {
-        pattern: /gho_[a-zA-Z0-9]{36}/g,
-        name: "github-oauth-token",
-        message: "GitHub OAuth token (gho_*)",
-    },
-    {
-        pattern: /github_pat_[a-zA-Z_]{82}/g,
-        name: "github-fine-grained-pat",
-        message: "GitHub fine-grained PAT (github_pat_*)",
-    },
-    {
-        pattern: /AKIA[0-9A-Z]{16}/g,
-        name: "aws-access-key",
-        message: "AWS access key ID (AKIA*)",
-    },
-    {
-        pattern: /xox[bp]-[a-zA-Z0-9]{10,}/g,
-        name: "slack-token",
-        message: "Slack token (xoxb-*/xoxp-*)",
-    },
-    {
-        pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE KEY-----/g,
-        name: "private-key",
-        message: "Private key material detected",
-    },
-    // Medium-confidence: quoted credentials
-    {
-        pattern: /password\s*[:=]\s*["'][^"']{4,}["']/gi,
-        name: "hardcoded-password",
-        message: "Possible hardcoded password",
-    },
-    {
-        pattern: /(?:secret|api_?key|token|access_?key)\s*[:=]\s*["'][a-zA-Z0-9_\-/.]{8,}["']/gi,
-        name: "hardcoded-secret",
-        message: "Possible hardcoded secret or API key",
-    },
-    // .env format: KEY=VALUE (no quotes)
-    {
-        pattern: /^(?:API_?KEY|SECRET|TOKEN|PASSWORD|AWS_?ACCESS_?KEY)\s*=\s*\S{8,}/gim,
-        name: "env-file-secret",
-        message: "Possible secret in .env format",
-    },
-];
-/**
- * Scan content for potential secrets
- * Returns findings with line numbers.
- * Skips test files to avoid false positives.
- */
-export function scanForSecrets(content, filePath) {
-    // Skip test files — secrets in tests are usually fake/test values
-    if (filePath && isTestFile(filePath)) {
-        return [];
-    }
-    const findings = [];
-    const lines = content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        let _matched = false;
-        for (const pattern of SECRET_PATTERNS) {
-            // Reset lastIndex before each test (important for global regex)
-            const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-            if (regex.test(line)) {
-                findings.push({
-                    line: i + 1,
-                    message: pattern.message,
-                });
-                _matched = true;
-                break; // One finding per line
-            }
-        }
-    }
-    return findings;
-}
-/**
- * Format secrets findings for terminal output
- */
-export function formatSecrets(findings, filePath) {
-    if (findings.length === 0)
-        return "";
-    const lines = [
-        `🔴 STOP — ${findings.length} potential secret(s) in ${filePath}:`,
-    ];
-    for (const f of findings.slice(0, 5)) {
-        lines.push(`  L${f.line}: ${f.message}`);
-    }
-    if (findings.length > 5) {
-        lines.push(`  ... and ${findings.length - 5} more`);
-    }
-    lines.push("  → Remove before continuing. Use env vars instead.");
-    return lines.join("\n");
-}

package/clients/secrets-scanner.test.js

@@ -1,100 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { formatSecrets, scanForSecrets } from "./secrets-scanner.js";
-describe("scanForSecrets", () => {
-    it("should detect Stripe/OpenAI keys (sk-*)", () => {
-        const content = `const apiKey = "sk-live-1234567890abcdefghij";`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(1);
-        expect(findings[0].message).toContain("Stripe or OpenAI");
-    });
-    it("should detect GitHub personal tokens (ghp_*)", () => {
-        const content = `token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(1);
-        expect(findings[0].message).toContain("GitHub personal");
-    });
-    it("should detect AWS access keys (AKIA*)", () => {
-        const content = `const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(1);
-        expect(findings[0].message).toContain("AWS access key");
-    });
-    it("should detect private key material", () => {
-        const content = `-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA...`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(1);
-        expect(findings[0].message).toContain("Private key");
-    });
-    it("should detect hardcoded passwords", () => {
-        const content = `const config = { password: "hunter2" };`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(1);
-        expect(findings[0].message).toContain("password");
-    });
-    it("should detect secrets in .env format", () => {
-        const content = `API_KEY=sk-live-1234567890abcdefghij
-DATABASE_URL=postgres://localhost`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(1);
-        // sk-* pattern catches this first (more specific)
-        expect(findings[0].message).toContain("Stripe or OpenAI");
-    });
-    it("should NOT flag safe content", () => {
-        const content = `
-const name = "test";
-const url = "https://example.com";
-const port = 3000;
-const message = "Hello world";
-`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(0);
-    });
-    it("should NOT flag env var references", () => {
-        const content = `const key = process.env.API_KEY;`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(0);
-    });
-    it("should detect multiple secrets", () => {
-        const content = `
-const sk = "sk-live-1234567890abcdefghij";
-const gh = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
-`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(2);
-    });
-    it("should report correct line numbers", () => {
-        const content = `line 1
-line 2
-const secret = "sk-live-1234567890abcdefghij";
-line 4`;
-        const findings = scanForSecrets(content);
-        expect(findings.length).toBe(1);
-        expect(findings[0].line).toBe(3);
-    });
-});
-describe("formatSecrets", () => {
-    it("should format findings for terminal output", () => {
-        const findings = [
-            { line: 5, message: "Possible Stripe or OpenAI API key (sk-*)" },
-        ];
-        const output = formatSecrets(findings, "src/config.ts");
-        expect(output).toContain("STOP");
-        expect(output).toContain("1 potential secret(s)");
-        expect(output).toContain("L5");
-        expect(output).toContain("src/config.ts");
-    });
-    it("should return empty string for no findings", () => {
-        const output = formatSecrets([], "src/config.ts");
-        expect(output).toBe("");
-    });
-    it("should truncate at 5 findings", () => {
-        const findings = Array.from({ length: 10 }, (_, i) => ({
-            line: i + 1,
-            message: "Test secret",
-        }));
-        const output = formatSecrets(findings, "src/config.ts");
-        expect(output).toContain("10 potential secret(s)");
-        expect(output).toContain("... and 5 more");
-    });
-});

package/clients/secrets-scanner.test.ts

@@ -1,113 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { formatSecrets, scanForSecrets } from "./secrets-scanner.js";
-
-describe("scanForSecrets", () => {
-	it("should detect Stripe/OpenAI keys (sk-*)", () => {
-		const content = `const apiKey = "sk-live-1234567890abcdefghij";`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(1);
-		expect(findings[0].message).toContain("Stripe or OpenAI");
-	});
-
-	it("should detect GitHub personal tokens (ghp_*)", () => {
-		const content = `token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(1);
-		expect(findings[0].message).toContain("GitHub personal");
-	});
-
-	it("should detect AWS access keys (AKIA*)", () => {
-		const content = `const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(1);
-		expect(findings[0].message).toContain("AWS access key");
-	});
-
-	it("should detect private key material", () => {
-		const content = `-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA...`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(1);
-		expect(findings[0].message).toContain("Private key");
-	});
-
-	it("should detect hardcoded passwords", () => {
-		const content = `const config = { password: "hunter2" };`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(1);
-		expect(findings[0].message).toContain("password");
-	});
-
-	it("should detect secrets in .env format", () => {
-		const content = `API_KEY=sk-live-1234567890abcdefghij
-DATABASE_URL=postgres://localhost`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(1);
-		// sk-* pattern catches this first (more specific)
-		expect(findings[0].message).toContain("Stripe or OpenAI");
-	});
-
-	it("should NOT flag safe content", () => {
-		const content = `
-const name = "test";
-const url = "https://example.com";
-const port = 3000;
-const message = "Hello world";
-`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(0);
-	});
-
-	it("should NOT flag env var references", () => {
-		const content = `const key = process.env.API_KEY;`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(0);
-	});
-
-	it("should detect multiple secrets", () => {
-		const content = `
-const sk = "sk-live-1234567890abcdefghij";
-const gh = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
-`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(2);
-	});
-
-	it("should report correct line numbers", () => {
-		const content = `line 1
-line 2
-const secret = "sk-live-1234567890abcdefghij";
-line 4`;
-		const findings = scanForSecrets(content);
-		expect(findings.length).toBe(1);
-		expect(findings[0].line).toBe(3);
-	});
-});
-
-describe("formatSecrets", () => {
-	it("should format findings for terminal output", () => {
-		const findings = [
-			{ line: 5, message: "Possible Stripe or OpenAI API key (sk-*)" },
-		];
-		const output = formatSecrets(findings, "src/config.ts");
-		expect(output).toContain("STOP");
-		expect(output).toContain("1 potential secret(s)");
-		expect(output).toContain("L5");
-		expect(output).toContain("src/config.ts");
-	});
-
-	it("should return empty string for no findings", () => {
-		const output = formatSecrets([], "src/config.ts");
-		expect(output).toBe("");
-	});
-
-	it("should truncate at 5 findings", () => {
-		const findings = Array.from({ length: 10 }, (_, i) => ({
-			line: i + 1,
-			message: "Test secret",
-		}));
-		const output = formatSecrets(findings, "src/config.ts");
-		expect(output).toContain("10 potential secret(s)");
-		expect(output).toContain("... and 5 more");
-	});
-});

package/clients/sg-runner.js

@@ -1,292 +0,0 @@
-/**
- * SgRunner - encapsulates ast-grep subprocess management
- *
- * Extracted from AstGrepClient to simplify the main client.
- * Handles: spawn, spawnSync, temp dir management, JSON parsing.
- */
-import { spawn } from "node:child_process";
-import * as fs from "node:fs";
-import * as os from "node:os";
-import * as path from "node:path";
-import { safeSpawn } from "./safe-spawn.js";
-/**
- * Escape an argument for Windows cmd.exe shell execution.
- * Handles spaces, quotes, and special characters.
- */
-function escapeWindowsArg(arg) {
-    // If no special characters, return as-is
-    if (!/[\s"]/.test(arg))
-        return arg;
-    // Escape quotes by doubling them
-    return `"${arg.replace(/"/g, '""')}"`;
-}
-export class SgRunner {
-    constructor(verbose = false) {
-        this.sgPath = null;
-        this.available = null;
-        this.log = verbose
-            ? (msg) => console.error(`[sg-runner] ${msg}`)
-            : () => { };
-    }
-    /**
-     * Check if ast-grep CLI is available, auto-install if not
-     */
-    async ensureAvailable() {
-        // Fast path: already checked
-        if (this.available !== null)
-            return this.available;
-        // Check if available in PATH (fast)
-        const pathResult = safeSpawn("sg", ["--version"], {
-            timeout: 5000,
-        });
-        if (!pathResult.error && pathResult.status === 0) {
-            this.sgPath = "sg";
-            this.available = true;
-            this.log("ast-grep found in PATH");
-            return true;
-        }
-        // Auto-install via pi-lens installer
-        this.log("ast-grep not found, attempting auto-install...");
-        const { ensureTool } = await import("./installer/index.js");
-        const installedPath = await ensureTool("ast-grep");
-        if (installedPath) {
-            this.sgPath = installedPath;
-            this.available = true;
-            this.log(`ast-grep auto-installed: ${installedPath}`);
-            return true;
-        }
-        this.available = false;
-        return false;
-    }
-    /**
-     * Check if ast-grep CLI is available (legacy sync method)
-     * Prefer ensureAvailable() for auto-install behavior
-     */
-    isAvailable() {
-        if (this.available !== null)
-            return this.available;
-        const result = safeSpawn("npx", ["sg", "--version"], {
-            timeout: 10000,
-        });
-        this.available = !result.error && result.status === 0;
-        return this.available;
-    }
-    /**
-     * Get the sg command to use (local binary or "sg" from PATH)
-     */
-    getSgCommand() {
-        return this.sgPath || "sg";
-    }
-    /**
-     * Run ast-grep asynchronously, return parsed matches
-     */
-    async exec(args) {
-        return new Promise((resolve) => {
-            // On Windows with Git Bash/MSYS2, we need to use bash to properly
-            // handle $variables in patterns (prevent shell expansion)
-            const isWindows = process.platform === "win32";
-            const hasBash = process.env.MSYSTEM || process.env.GIT_SHELL;
-            let proc;
-            if (isWindows && hasBash) {
-                // Use bash -c with properly escaped command
-                // In bash, use single quotes around arguments containing $ to prevent expansion
-                const escapedArgs = args.map((arg) => {
-                    // For bash, wrap $-containing args in single quotes
-                    if (arg.includes("$")) {
-                        return `'${arg.replace(/'/g, "'\\''")}'`;
-                    }
-                    // For other args with spaces/special chars, use double quotes
-                    if (/[\s"]/.test(arg)) {
-                        return `"${arg.replace(/"/g, '\\"')}"`;
-                    }
-                    return arg;
-                });
-                const bashCommand = `${this.getSgCommand()} ${escapedArgs.join(" ")}`;
-                proc = spawn("bash", ["-c", bashCommand], {
-                    stdio: ["ignore", "pipe", "pipe"],
-                    windowsHide: true,
-                });
-            }
-            else if (isWindows) {
-                // Fallback: use cmd.exe with standard escaping
-                const fullCommand = `${this.getSgCommand()} ${args.map(escapeWindowsArg).join(" ")}`;
-                proc = spawn(fullCommand, {
-                    stdio: ["ignore", "pipe", "pipe"],
-                    shell: true,
-                    windowsHide: true,
-                });
-            }
-            else {
-                // Unix: normal spawn without shell
-                proc = spawn(this.getSgCommand(), args, {
-                    stdio: ["ignore", "pipe", "pipe"],
-                });
-            }
-            let stdout = "";
-            let stderr = "";
-            proc.stdout.on("data", (data) => (stdout += data.toString()));
-            proc.stderr.on("data", (data) => (stderr += data.toString()));
-            proc.on("error", (err) => {
-                if (err.message.includes("ENOENT")) {
-                    resolve({
-                        matches: [],
-                        error: "ast-grep CLI not found. Install: npm i -D @ast-grep/cli",
-                    });
-                }
-                else {
-                    resolve({ matches: [], error: err.message });
-                }
-            });
-            proc.on("close", (code) => {
-                if (code !== 0 && !stdout.trim()) {
-                    // Enhanced error messages for common pattern issues
-                    let errorMsg = stderr.trim() || `Exit code ${code}`;
-                    if (stderr.includes("Multiple AST nodes are detected")) {
-                        errorMsg =
-                            `Invalid AST pattern: The pattern appears to contain multiple AST nodes or is malformed.\n` +
-                                `Common causes:\n` +
-                                `  1. Missing parentheses: use it($TEST) not it"test"\n` +
-                                `  2. Raw text without structure: use console.log($MSG) not just "console.log"\n` +
-                                `  3. Unclosed quotes or brackets\n\n` +
-                                `Original error: ${errorMsg}`;
-                    }
-                    else if (stderr.includes("Cannot parse query")) {
-                        errorMsg =
-                            `Pattern syntax error: The pattern could not be parsed as valid code.\n` +
-                                `Tips:\n` +
-                                `  - Patterns must be valid ${args.includes("--lang") ? args[args.indexOf("--lang") + 1] : "language"} syntax\n` +
-                                `  - Use metavariables like $NAME, $ARGS for variable parts\n` +
-                                `  - Example: 'function $NAME($$$PARAMS) { $$$BODY }'\n\n` +
-                                `Original error: ${errorMsg}`;
-                    }
-                    resolve({
-                        matches: [],
-                        error: stderr.includes("No files found") ? undefined : errorMsg,
-                    });
-                    return;
-                }
-                if (!stdout.trim()) {
-                    resolve({ matches: [] });
-                    return;
-                }
-                try {
-                    const parsed = JSON.parse(stdout);
-                    const matches = Array.isArray(parsed) ? parsed : [parsed];
-                    resolve({ matches });
-                }
-                catch {
-                    resolve({ matches: [], error: "Failed to parse output" });
-                }
-            });
-        });
-    }
-    /**
-     * Run ast-grep synchronously (for simple scans)
-     */
-    execSync(args) {
-        const result = safeSpawn("npx", ["sg", ...args], {
-            timeout: 30000,
-        });
-        if (result.error) {
-            return { output: "", error: result.error.message };
-        }
-        const output = result.stdout || result.stderr || "";
-        return { output };
-    }
-    /**
-     * Run a temporary rule scan (creates temp dir with rule file)
-     */
-    tempScan(dir, ruleId, ruleYaml, timeout = 30000) {
-        const tmpDir = os.tmpdir();
-        const ts = Date.now();
-        const sessionDir = path.join(tmpDir, `pi-lens-temp-${ruleId}-${ts}`);
-        const rulesSubdir = path.join(sessionDir, "rules");
-        const ruleFile = path.join(rulesSubdir, `${ruleId}.yml`);
-        const configFile = path.join(sessionDir, ".sgconfig.yml");
-        try {
-            fs.mkdirSync(rulesSubdir, { recursive: true });
-            fs.writeFileSync(configFile, `ruleDirs:\n  - ./rules\n`);
-            fs.writeFileSync(ruleFile, ruleYaml);
-            const result = safeSpawn("npx", ["sg", "scan", "--config", configFile, "--json", dir], { timeout });
-            const output = result.stdout || result.stderr || "";
-            if (!output.trim())
-                return [];
-            const items = JSON.parse(output);
-            return Array.isArray(items) ? items : [items];
-        }
-        catch {
-            return [];
-        }
-        finally {
-            try {
-                fs.rmSync(sessionDir, { recursive: true, force: true });
-            }
-            catch (err) {
-                this.log(`Cleanup failed: ${err.message}`);
-            }
-        }
-    }
-    /**
-     * Run a rule file scan (temporary config approach) - alias for tempScan
-     */
-    scanWithRule(ruleYaml, dir, timeout = 30000) {
-        const sessionDir = path.join(os.tmpdir(), `sg-scan-${Date.now()}`);
-        const rulesSubdir = path.join(sessionDir, "rules");
-        const configFile = path.join(sessionDir, ".sgconfig.yml");
-        const ruleFile = path.join(rulesSubdir, "rule.yml");
-        try {
-            fs.mkdirSync(rulesSubdir, { recursive: true });
-            fs.writeFileSync(configFile, `ruleDirs:\n  - ./rules\n`);
-            fs.writeFileSync(ruleFile, ruleYaml);
-            const result = safeSpawn("npx", ["sg", "scan", "--config", configFile, "--json", dir], { timeout });
-            const output = result.stdout || result.stderr || "";
-            if (!output.trim())
-                return [];
-            const items = JSON.parse(output);
-            return Array.isArray(items) ? items : [items];
-        }
-        catch {
-            return [];
-        }
-        finally {
-            try {
-                fs.rmSync(sessionDir, { recursive: true, force: true });
-            }
-            catch (err) {
-                this.log(`Cleanup failed: ${err.message}`);
-            }
-        }
-    }
-    /**
-     * Format matches for display
-     */
-    formatMatches(matches, isDryRun = false, maxItems = 50, showModeIndicator = false) {
-        if (matches.length === 0) {
-            if (showModeIndicator) {
-                return isDryRun
-                    ? "[DRY-RUN] No matches found."
-                    : "[APPLIED] No changes made (no matches found).";
-            }
-            return "No matches found";
-        }
-        const shown = matches.slice(0, maxItems);
-        const lines = shown.map((m) => {
-            const loc = `${m.file}:${m.range.start.line + 1}:${m.range.start.column + 1}`;
-            const text = m.text.length > 100 ? `${m.text.slice(0, 100)}...` : m.text;
-            return isDryRun && m.replacement
-                ? `${loc}\n  - ${text}\n  + ${m.replacement}`
-                : `${loc}: ${text}`;
-        });
-        if (matches.length > maxItems) {
-            lines.unshift(`Found ${matches.length} matches (showing first ${maxItems}):`);
-        }
-        if (showModeIndicator) {
-            const prefix = isDryRun ? "[DRY-RUN]" : "[APPLIED]";
-            const suffix = isDryRun
-                ? "\n\n(Dry run — use apply=true to apply changes)"
-                : "";
-            return `${prefix} ${matches.length} replacement(s):\n\n${lines.join("\n")}${suffix}`;
-        }
-        return lines.join("\n");
-    }
-}