pinata-security-cli 0.2.0 → 0.2.1

package/dist/cli/index.js

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
 import { z } from 'zod';
-import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
-import fs, { mkdir, writeFile, readFile, readdir, stat } from 'fs/promises';
+import fs, { mkdir, writeFile, readFile, stat, readdir } from 'fs/promises';
 import path, { dirname, resolve, basename, relative, join, extname } from 'path';
 import { useState } from 'react';
 import { render, useApp, useInput, Box, Text } from 'ink';
 import Spinner from 'ink-spinner';
 import { jsx, jsxs } from 'react/jsx-runtime';
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
 import { homedir } from 'os';
 import { fileURLToPath } from 'url';
 import chalk5 from 'chalk';
@@ -160,9 +160,7 @@ async function saveScanResults(projectRoot, result) {
   try {
     const cacheDir = resolve(projectRoot, CACHE_DIR);
     const cachePath = getCachePath(projectRoot);
-    if (!existsSync(cacheDir)) {
-      await mkdir(cacheDir, { recursive: true });
-    }
+    await mkdir(cacheDir, { recursive: true });
     const cached = {
       timestamp: result.completedAt.toISOString(),
       targetDirectory: result.targetDirectory,
@@ -187,7 +185,10 @@ async function saveScanResults(projectRoot, result) {
 async function loadScanResults(projectRoot) {
   try {
     const cachePath = getCachePath(projectRoot);
-    if (!existsSync(cachePath)) {
+    let content;
+    try {
+      content = await readFile(cachePath, "utf-8");
+    } catch {
       return err(
         new PinataError(
           "No cached scan results found. Run `pinata analyze` first.",
@@ -195,7 +196,6 @@ async function loadScanResults(projectRoot) {
         )
       );
     }
-    const content = await readFile(cachePath, "utf-8");
     const cached = JSON.parse(content);
     if (cached.version !== CACHE_VERSION) {
       return err(
@@ -743,97 +743,233 @@ var init_junit_formatter = __esm({
 });
 
 // src/core/verifier/ai-verifier.ts
-var VERIFICATION_PROMPT, AIVerifier;
+var SKIP_PATTERNS, BATCH_PROMPT, SINGLE_ITEM_TEMPLATE, AIVerifier;
 var init_ai_verifier = __esm({
   "src/core/verifier/ai-verifier.ts"() {
     init_types();
-    VERIFICATION_PROMPT = `You are a security code reviewer. Analyze this potential vulnerability and determine if it's a real issue.
-
-CATEGORY: {{category}}
-DESCRIPTION: {{description}}
-
-CODE CONTEXT:
-\`\`\`{{language}}
-{{codeContext}}
-\`\`\`
-
-FLAGGED LINE(S):
-\`\`\`{{language}}
-{{flaggedCode}}
-\`\`\`
-
-FILE: {{filePath}}
-
-Analyze this code and determine:
-1. Is this actually vulnerable, or is it a false positive?
-2. What is your confidence level (high/medium/low)?
-3. What is your reasoning?
-4. Are there any mitigating factors visible in the code?
-5. If vulnerable, describe a concrete exploit scenario.
-6. What is your recommendation?
+    SKIP_PATTERNS = {
+      paths: [
+        /\.test\.(ts|js|tsx|jsx)$/,
+        /\.spec\.(ts|js|tsx|jsx)$/,
+        /tests?\//i,
+        /fixtures?\//i,
+        /mocks?\//i,
+        /__tests__\//,
+        /node_modules\//,
+        /dist\//,
+        /\.d\.ts$/,
+        /examples?\//i
+      ],
+      // Content patterns that indicate false positive
+      content: [
+        /\/\/ SAFE:/i,
+        // Explicit safe marker
+        /\/\/ nosec/i,
+        // Security ignore
+        /eslint-disable/i,
+        /sanitized?|escaped?|validated?/i
+        // Near sanitization
+      ]
+    };
+    BATCH_PROMPT = `You are a security code reviewer. Analyze these potential vulnerabilities and determine which are real issues vs false positives.
 
-Be rigorous. Consider:
+For each item, consider:
 - Is user input actually reaching this code?
 - Is there sanitization, validation, or encoding nearby?
 - Is this test code, example code, or production code?
 - Is there context that makes this safe?
 
-Respond in JSON format:
-{
-  "isVulnerable": boolean,
-  "confidence": "high" | "medium" | "low",
-  "reasoning": "detailed explanation",
-  "mitigatingFactors": ["factor1", "factor2"],
-  "exploitScenario": "how an attacker would exploit this, or null if not exploitable",
-  "recommendation": "what the developer should do"
-}`;
+Be rigorous. Most pattern matches are false positives.
+
+ITEMS TO ANALYZE:
+{{items}}
+
+Respond with a JSON array. Each object MUST have these exact fields:
+[
+  {
+    "id": "1",
+    "isVulnerable": true/false,
+    "confidence": "high"/"medium"/"low",
+    "reasoning": "brief explanation"
+  },
+  ...
+]
+
+Only return the JSON array, no other text.`;
+    SINGLE_ITEM_TEMPLATE = `
+---
+ID: {{id}}
+CATEGORY: {{category}}
+FILE: {{filePath}}:{{lineNumber}}
+CODE:
+\`\`\`{{language}}
+{{codeContext}}
+\`\`\`
+FLAGGED LINE: {{flaggedLine}}
+---`;
     AIVerifier = class {
       config;
+      batchSize;
+      concurrency;
       constructor(config2) {
         this.config = config2;
+        this.batchSize = config2.batchSize ?? 10;
+        this.concurrency = config2.concurrency ?? 3;
       }
       /**
-       * Verify a single gap using AI analysis.
-       */
-      async verify(gap, fileContent) {
-        const codeContext = this.extractContext(fileContent, gap.lineStart, 20);
-        const flaggedCode = this.extractContext(fileContent, gap.lineStart, 5);
-        const prompt = VERIFICATION_PROMPT.replace("{{category}}", gap.categoryName).replace("{{description}}", this.getCategoryDescription(gap.categoryId)).replace(/\{\{language\}\}/g, this.getLanguage(gap.filePath)).replace("{{codeContext}}", codeContext).replace("{{flaggedCode}}", flaggedCode).replace("{{filePath}}", gap.filePath);
-        const response = await this.callAI(prompt);
-        return this.parseResponse(response);
-      }
-      /**
-       * Verify multiple gaps, filtering out false positives.
+       * Verify multiple gaps efficiently using filtering, batching, and parallelism.
+       *
+       * Flow:
+       * 1. Pre-filter obvious false positives (test files, etc.)
+       * 2. Group remaining gaps into batches of 10
+       * 3. Process 3 batches in parallel
+       * 4. Return verified gaps and dismissed with reasons
        */
       async verifyAll(gaps, getFileContent) {
         const verified = [];
         const dismissed = [];
-        let aiFailures = 0;
-        for (const gap of gaps) {
-          try {
-            const content = await getFileContent(gap.filePath);
-            const result = await this.verify(gap, content);
-            if (result.isVulnerable) {
-              gap.verification = result;
-              verified.push(gap);
-            } else {
-              dismissed.push({
-                gap,
-                reason: result.reasoning
-              });
+        const { toVerify, preFiltered } = this.preFilter(gaps);
+        dismissed.push(...preFiltered);
+        if (toVerify.length === 0) {
+          return {
+            verified: [],
+            dismissed,
+            stats: {
+              total: gaps.length,
+              preFiltered: preFiltered.length,
+              aiDismissed: 0,
+              aiVerified: 0
             }
-          } catch (error) {
-            aiFailures++;
-            if (aiFailures === 1) {
-              console.error(`AI verification failed: ${error instanceof Error ? error.message : String(error)}`);
+          };
+        }
+        console.log(`Pre-filtered ${preFiltered.length} gaps. Verifying ${toVerify.length} with AI...`);
+        const fileContents = /* @__PURE__ */ new Map();
+        const uniquePaths = [...new Set(toVerify.map((g) => g.filePath))];
+        await Promise.all(
+          uniquePaths.map(async (path2) => {
+            try {
+              fileContents.set(path2, await getFileContent(path2));
+            } catch {
+              fileContents.set(path2, "");
             }
+          })
+        );
+        const batches = this.createBatches(toVerify, fileContents);
+        console.log(`Created ${batches.length} batches of ~${this.batchSize} gaps each`);
+        const results = await this.processParallel(batches, toVerify);
+        let aiVerified = 0;
+        let aiDismissed = 0;
+        for (const gap of toVerify) {
+          const gapId = `${gap.filePath}:${gap.lineStart}`;
+          const result = results.get(gapId);
+          if (!result || result.isVulnerable) {
             verified.push(gap);
+            aiVerified++;
+          } else {
+            dismissed.push({
+              gap,
+              reason: result.reasoning
+            });
+            aiDismissed++;
           }
         }
-        if (aiFailures > 0) {
-          console.error(`AI verification failed for ${aiFailures}/${gaps.length} gaps (kept as fail-safe)`);
+        return {
+          verified,
+          dismissed,
+          stats: {
+            total: gaps.length,
+            preFiltered: preFiltered.length,
+            aiDismissed,
+            aiVerified
+          }
+        };
+      }
+      /**
+       * Pre-filter gaps that are obviously false positives without needing AI.
+       */
+      preFilter(gaps) {
+        const toVerify = [];
+        const preFiltered = [];
+        for (const gap of gaps) {
+          const pathMatch = SKIP_PATTERNS.paths.find((p) => p.test(gap.filePath));
+          if (pathMatch) {
+            preFiltered.push({
+              gap,
+              reason: `Skipped: test/example file (${pathMatch.source})`
+            });
+            continue;
+          }
+          if (gap.categoryId === "precision-loss" && gap.filePath.endsWith(".ts")) {
+            preFiltered.push({
+              gap,
+              reason: "TypeScript type annotation, not runtime code"
+            });
+            continue;
+          }
+          toVerify.push(gap);
+        }
+        return { toVerify, preFiltered };
+      }
+      /**
+       * Create batches of gaps for batch API calls.
+       */
+      createBatches(gaps, fileContents) {
+        const batches = [];
+        for (let i = 0; i < gaps.length; i += this.batchSize) {
+          const batchGaps = gaps.slice(i, i + this.batchSize);
+          const items = [];
+          const gapIds = [];
+          for (let j = 0; j < batchGaps.length; j++) {
+            const gap = batchGaps[j];
+            const content = fileContents.get(gap.filePath) ?? "";
+            const gapId = `${gap.filePath}:${gap.lineStart}`;
+            gapIds.push(gapId);
+            const codeContext = this.extractContext(content, gap.lineStart, 10);
+            const flaggedLine = this.extractLine(content, gap.lineStart);
+            items.push(
+              SINGLE_ITEM_TEMPLATE.replace("{{id}}", String(j + 1)).replace("{{category}}", gap.categoryName).replace("{{filePath}}", gap.filePath).replace("{{lineNumber}}", String(gap.lineStart)).replace("{{language}}", this.getLanguage(gap.filePath)).replace("{{codeContext}}", codeContext).replace("{{flaggedLine}}", flaggedLine)
+            );
+          }
+          const prompt = BATCH_PROMPT.replace("{{items}}", items.join("\n"));
+          batches.push({ prompt, gapIds });
         }
-        return { verified, dismissed };
+        return batches;
+      }
+      /**
+       * Process batches in parallel with limited concurrency.
+       */
+      async processParallel(batches, gaps) {
+        const results = /* @__PURE__ */ new Map();
+        let completed = 0;
+        for (let i = 0; i < batches.length; i += this.concurrency) {
+          const wave = batches.slice(i, i + this.concurrency);
+          const waveResults = await Promise.all(
+            wave.map(async (batch) => {
+              try {
+                const response = await this.callAI(batch.prompt);
+                return { gapIds: batch.gapIds, response };
+              } catch (error) {
+                console.error(`Batch failed: ${error instanceof Error ? error.message : String(error)}`);
+                return { gapIds: batch.gapIds, response: null };
+              }
+            })
+          );
+          for (const { gapIds, response } of waveResults) {
+            if (response) {
+              const parsed = this.parseBatchResponse(response);
+              for (let j = 0; j < gapIds.length && j < parsed.length; j++) {
+                const gapId = gapIds[j];
+                const result = parsed[j];
+                if (result) {
+                  results.set(gapId, result);
+                }
+              }
+            }
+          }
+          completed += wave.length;
+          console.log(`Processed ${completed}/${batches.length} batches...`);
+        }
+        return results;
       }
       extractContext(content, lineNumber, radius) {
         const lines = content.split("\n");
@@ -842,9 +978,13 @@ Respond in JSON format:
         return lines.slice(start, end).map((line, i) => {
           const num = start + i + 1;
           const marker = num === lineNumber ? ">" : " ";
-          return `${marker} ${num.toString().padStart(4)}| ${line}`;
+          return `${marker}${num.toString().padStart(4)}| ${line}`;
         }).join("\n");
       }
+      extractLine(content, lineNumber) {
+        const lines = content.split("\n");
+        return lines[lineNumber - 1] ?? "";
+      }
       getLanguage(filePath) {
         if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
         if (filePath.endsWith(".js") || filePath.endsWith(".jsx")) return "javascript";
@@ -852,21 +992,6 @@ Respond in JSON format:
         if (filePath.endsWith(".go")) return "go";
         return "text";
       }
-      getCategoryDescription(categoryId) {
-        const descriptions = {
-          "sql-injection": "SQL queries built with string concatenation allowing attackers to inject malicious SQL",
-          "xss": "User input rendered in HTML without sanitization, allowing script injection",
-          "command-injection": "Shell commands built with user input, allowing arbitrary command execution",
-          "path-traversal": "File paths built with user input, allowing access to files outside intended directory",
-          "hardcoded-secrets": "API keys, passwords, or tokens embedded in source code",
-          "timing-attack": "Non-constant-time comparison of secrets, leaking information via timing",
-          "memory-bloat": "Unbounded memory growth from accumulating data or inefficient patterns",
-          "precision-loss": "Floating-point arithmetic for currency causing rounding errors",
-          "ssrf": "Server-side requests with user-controlled URLs, allowing internal network access",
-          "deserialization": "Deserializing untrusted data, potentially leading to code execution"
-        };
-        return descriptions[categoryId] ?? "Potential security or reliability issue";
-      }
       async callAI(prompt) {
         const apiKey = this.config.apiKey ?? this.getApiKeyFromEnv();
         if (!apiKey) {
@@ -880,7 +1005,7 @@ Respond in JSON format:
       }
       async callAnthropic(prompt, apiKey) {
         const controller = new AbortController();
-        const timeout = setTimeout(() => controller.abort(), 3e4);
+        const timeout = setTimeout(() => controller.abort(), 6e4);
         try {
           const response = await fetch("https://api.anthropic.com/v1/messages", {
             method: "POST",
@@ -891,13 +1016,15 @@ Respond in JSON format:
             },
             body: JSON.stringify({
               model: this.config.model ?? "claude-sonnet-4-20250514",
-              max_tokens: 1024,
+              max_tokens: 4096,
+              // Larger for batch responses
               messages: [{ role: "user", content: prompt }]
             }),
             signal: controller.signal
           });
           if (!response.ok) {
-            throw new Error(`Anthropic API error: ${response.status}`);
+            const body = await response.text();
+            throw new Error(`Anthropic API error: ${response.status} - ${body}`);
           }
           const data = await response.json();
           return data.content[0]?.text ?? "";
@@ -907,7 +1034,7 @@ Respond in JSON format:
       }
       async callOpenAI(prompt, apiKey) {
         const controller = new AbortController();
-        const timeout = setTimeout(() => controller.abort(), 3e4);
+        const timeout = setTimeout(() => controller.abort(), 6e4);
         try {
           const response = await fetch("https://api.openai.com/v1/chat/completions", {
             method: "POST",
@@ -918,12 +1045,13 @@ Respond in JSON format:
             body: JSON.stringify({
               model: this.config.model ?? "gpt-4o",
               messages: [{ role: "user", content: prompt }],
-              max_tokens: 1024
+              max_tokens: 4096
             }),
             signal: controller.signal
           });
           if (!response.ok) {
-            throw new Error(`OpenAI API error: ${response.status}`);
+            const body = await response.text();
+            throw new Error(`OpenAI API error: ${response.status} - ${body}`);
           }
           const data = await response.json();
           return data.choices[0]?.message?.content ?? "";
@@ -937,31 +1065,49 @@ Respond in JSON format:
         }
         return process.env["OPENAI_API_KEY"] ?? "";
       }
-      parseResponse(response) {
+      parseBatchResponse(response) {
         try {
-          const jsonMatch = response.match(/\{[\s\S]*\}/);
+          const jsonMatch = response.match(/\[[\s\S]*\]/);
           if (!jsonMatch) {
-            throw new Error("No JSON found in response");
+            console.error("No JSON array found in batch response");
+            return [];
           }
           const parsed = JSON.parse(jsonMatch[0]);
-          return {
-            isVulnerable: Boolean(parsed.isVulnerable),
-            confidence: parsed.confidence ?? "medium",
-            reasoning: parsed.reasoning ?? "No reasoning provided",
-            mitigatingFactors: parsed.mitigatingFactors ?? [],
-            exploitScenario: parsed.exploitScenario ?? null,
-            recommendation: parsed.recommendation ?? "Review this code manually"
-          };
-        } catch {
+          return parsed.map((item) => ({
+            id: String(item.id),
+            isVulnerable: Boolean(item.isVulnerable),
+            confidence: item.confidence ?? "medium",
+            reasoning: item.reasoning ?? "No reasoning provided"
+          }));
+        } catch (error) {
+          console.error(`Failed to parse batch response: ${error instanceof Error ? error.message : String(error)}`);
+          return [];
+        }
+      }
+      /**
+       * Legacy single-gap verification (kept for backwards compatibility).
+       */
+      async verify(gap, fileContent) {
+        const result = await this.verifyAll([gap], async () => fileContent);
+        if (result.verified.length > 0) {
           return {
             isVulnerable: true,
-            confidence: "low",
-            reasoning: "AI analysis failed to parse, flagging for manual review",
+            confidence: "high",
+            reasoning: "AI confirmed vulnerability",
             mitigatingFactors: [],
             exploitScenario: null,
-            recommendation: "Manual review required"
+            recommendation: "Fix this issue"
           };
         }
+        const dismissal = result.dismissed[0];
+        return {
+          isVulnerable: false,
+          confidence: "high",
+          reasoning: dismissal?.reason ?? "AI dismissed as false positive",
+          mitigatingFactors: [],
+          exploitScenario: null,
+          recommendation: "No action needed"
+        };
       }
     };
   }
@@ -1327,15 +1473,10 @@ __export(config_exports, {
   validateApiKey: () => validateApiKey
 });
 function ensureConfigDir() {
-  if (!existsSync(CONFIG_DIR)) {
-    mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
-  }
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
 }
 function loadConfig() {
   try {
-    if (!existsSync(CONFIG_FILE)) {
-      return {};
-    }
     const content = readFileSync(CONFIG_FILE, "utf-8");
     const parsed = JSON.parse(content);
     const result = ConfigSchema.safeParse(parsed);
@@ -2896,7 +3037,12 @@ var Scanner = class {
     const startedAt = /* @__PURE__ */ new Date();
     const opts = this.mergeOptions(targetDirectory, options);
     this.log.info(`Starting scan of ${targetDirectory}`);
-    if (!existsSync(targetDirectory)) {
+    try {
+      const dirStat = await stat(targetDirectory);
+      if (!dirStat.isDirectory()) {
+        return err(new AnalysisError(`Not a directory: ${targetDirectory}`));
+      }
+    } catch {
       return err(new AnalysisError(`Directory not found: ${targetDirectory}`));
     }
     const categoriesResult = this.getCategoriesToScan(opts);
@@ -3092,9 +3238,6 @@ var Scanner = class {
    */
   readPinataIgnore(targetDirectory) {
     const ignorePath = resolve(targetDirectory, ".pinataignore");
-    if (!existsSync(ignorePath)) {
-      return [];
-    }
     try {
       const { readFileSync: readFileSync2 } = __require("fs");
       const content = readFileSync2(ignorePath, "utf-8");
@@ -3433,7 +3576,7 @@ function createScanner(categoryStore) {
 init_types();
 
 // src/core/index.ts
-var VERSION = "0.2.0";
+var VERSION = "0.2.1";
 
 // src/lib/index.ts
 init_errors();
@@ -4354,11 +4497,11 @@ var AIService = class {
    */
   getApiKeyFromConfig(provider) {
     try {
-      const { existsSync: existsSync7, readFileSync: readFileSync2 } = __require("fs");
+      const { existsSync: existsSync4, readFileSync: readFileSync2 } = __require("fs");
       const { homedir: homedir2 } = __require("os");
       const { join: join3 } = __require("path");
       const configPath = join3(homedir2(), ".pinata", "config.json");
-      if (!existsSync7(configPath)) {
+      if (!existsSync4(configPath)) {
         return "";
       }
       const content = readFileSync2(configPath, "utf-8");
@@ -5005,13 +5148,13 @@ async function writeGeneratedTests(tests, basePath, outputDir) {
   for (const [outputPath, fileTests] of testsByFile) {
     try {
       const dir = dirname(outputPath);
-      if (!existsSync(dir)) {
-        await mkdir(dir, { recursive: true });
-      }
-      const fileExists = existsSync(outputPath);
+      await mkdir(dir, { recursive: true });
       let existingContent = "";
-      if (fileExists) {
+      let fileExists = false;
+      try {
         existingContent = await readFile(outputPath, "utf-8");
+        fileExists = true;
+      } catch {
       }
       const contentParts = [];
       const allImports = /* @__PURE__ */ new Set();
@@ -5836,7 +5979,7 @@ program.command("analyze [path]").description("Analyze codebase for test coverag
         const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
         const { readFile: readFile5 } = await import('fs/promises');
         const verifier = new AIVerifier2({ provider: "anthropic" });
-        const { verified, dismissed } = await verifier.verifyAll(
+        const { verified, dismissed, stats } = await verifier.verifyAll(
           scanResult.data.gaps,
           async (path2) => readFile5(path2, "utf-8")
         );
@@ -5850,7 +5993,9 @@ program.command("analyze [path]").description("Analyze codebase for test coverag
         const newGrade = newOverall >= 90 ? "A" : newOverall >= 80 ? "B" : newOverall >= 70 ? "C" : newOverall >= 60 ? "D" : "F";
         scanResult.data.score.overall = newOverall;
         scanResult.data.score.grade = newGrade;
-        verifySpinner?.succeed(`Verified: ${verified.length} real issues, ${dismissed.length} false positives dismissed`);
+        verifySpinner?.succeed(
+          `AI Verification: ${stats.total} total \u2192 ${stats.preFiltered} pre-filtered \u2192 ${stats.aiVerified} verified, ${stats.aiDismissed} AI-dismissed`
+        );
         if (isVerbose && dismissed.length > 0) {
           console.log(chalk5.gray("\nDismissed as false positives:"));
           for (const { gap, reason } of dismissed.slice(0, 5)) {