pkg-scaffold 3.2.0 → 3.3.2

package/src/performance/SecretDetector.js

@@ -0,0 +1,378 @@
+/**
+ * ============================================================================
+ * Secret Detection Engine for pkg-scaffold v3.3.2 (AST + REGEX Fallback)
+ * 
+ * Uses OXC parser for fast, accurate detection of hardcoded secrets.
+ * Falls back to REGEX patterns if AST parsing fails.
+ * ============================================================================
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+
+export class SecretDetector {
+  constructor(context) {
+    this.context = context;
+    this.secrets = [];
+    
+    // REGEX patterns for detecting secrets (fallback)
+    this.regexPatterns = {
+      apiKey: /['\"]?api[_-]?key['\"]?\s*[:=]\s*['\"]([a-zA-Z0-9\-_]{20,})['\"]?/gi,
+      bearerToken: /bearer\s+([a-zA-Z0-9\-_\.]{20,})/gi,
+      jwtToken: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g,
+      awsAccessKey: /AKIA[0-9A-Z]{16}/g,
+      awsSecretKey: /aws_secret_access_key\s*[:=]\s*['\"]([a-zA-Z0-9\/+]{40})['\"]?/gi,
+      databaseUrl: /(postgres|mysql|mongodb|redis):\/\/([a-zA-Z0-9_-]+):([a-zA-Z0-9_\-@!$%^&*()+=]+)@/gi,
+      dbPassword: /password\s*[:=]\s*['\"]([^'\"]{6,})['\"]?/gi,
+      githubToken: /ghp_[a-zA-Z0-9]{36}/g,
+      gitlabToken: /glpat-[a-zA-Z0-9_-]{20,}/g,
+      privateKey: /-----BEGIN (RSA|DSA|EC|PGP|OPENSSH) PRIVATE KEY-----/g,
+      slackWebhook: /https:\/\/hooks\.slack\.com\/services\/[a-zA-Z0-9\/]+/g,
+      discordWebhook: /https:\/\/discord\.com\/api\/webhooks\/[a-zA-Z0-9\/]+/g,
+      secretKey: /['\"]?secret[_-]?key['\"]?\s*[:=]\s*['\"]([a-zA-Z0-9\-_]{20,})['\"]?/gi,
+      accessToken: /['\"]?access[_-]?token['\"]?\s*[:=]\s*['\"]([a-zA-Z0-9\-_\.]{20,})['\"]?/gi,
+      stripeKey: /sk_live_[a-zA-Z0-9]{24,}/g,
+      googleApiKey: /AIza[0-9A-Za-z\-_]{35}/g,
+    };
+
+    // Secret pattern metadata
+    this.secretMetadata = {
+      apiKey: { severity: 'HIGH', keywords: ['api_key', 'apikey'] },
+      bearerToken: { severity: 'CRITICAL', keywords: ['bearer', 'token'] },
+      jwtToken: { severity: 'CRITICAL', keywords: ['jwt', 'token'] },
+      awsAccessKey: { severity: 'CRITICAL', keywords: ['aws', 'access'] },
+      awsSecretKey: { severity: 'CRITICAL', keywords: ['aws', 'secret'] },
+      databaseUrl: { severity: 'CRITICAL', keywords: ['database', 'db', 'postgres', 'mysql'] },
+      dbPassword: { severity: 'CRITICAL', keywords: ['password', 'passwd'] },
+      githubToken: { severity: 'CRITICAL', keywords: ['github', 'token'] },
+      gitlabToken: { severity: 'CRITICAL', keywords: ['gitlab', 'token'] },
+      privateKey: { severity: 'CRITICAL', keywords: ['private', 'key', 'pem'] },
+      slackWebhook: { severity: 'HIGH', keywords: ['slack', 'webhook'] },
+      discordWebhook: { severity: 'HIGH', keywords: ['discord', 'webhook'] },
+      secretKey: { severity: 'HIGH', keywords: ['secret', 'key'] },
+      accessToken: { severity: 'CRITICAL', keywords: ['access', 'token'] },
+      stripeKey: { severity: 'CRITICAL', keywords: ['stripe', 'key'] },
+      googleApiKey: { severity: 'HIGH', keywords: ['google', 'api'] },
+    };
+  }
+
+  /**
+   * Scans a file for hardcoded secrets using REGEX
+   */
+  scanFileForSecretsRegex(filePath, content) {
+    const detectedSecrets = [];
+    const lines = content.split('\n');
+
+    lines.forEach((line, lineIndex) => {
+      // Skip comments and empty lines
+      if (line.trim().startsWith('//') || line.trim().startsWith('#') || line.trim().startsWith('*') || !line.trim()) {
+        return;
+      }
+
+      // Check each pattern
+      for (const [patternName, pattern] of Object.entries(this.regexPatterns)) {
+        const matches = [...line.matchAll(pattern)];
+        
+        for (const match of matches) {
+          const metadata = this.secretMetadata[patternName] || { severity: 'MEDIUM', keywords: [] };
+          
+          detectedSecrets.push({
+            file: filePath,
+            line: lineIndex + 1,
+            column: match.index + 1,
+            type: patternName,
+            secret: match[0].substring(0, 20) + '***',
+            severity: metadata.severity,
+            variable: this.extractVariableName(line, match.index)
+          });
+        }
+      }
+    });
+
+    return detectedSecrets;
+  }
+
+  /**
+   * Extracts variable name from line
+   */
+  extractVariableName(line, matchIndex) {
+    // Look backwards for variable assignment
+    const beforeMatch = line.substring(0, matchIndex);
+    const varMatch = beforeMatch.match(/(?:const|let|var|=)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*[:=]?/);
+    if (varMatch) return varMatch[1];
+    
+    // Look for object property
+    const propMatch = beforeMatch.match(/([a-zA-Z_$][a-zA-Z0-9_$]*)\s*[:=]\s*$/);
+    if (propMatch) return propMatch[1];
+    
+    return 'unknown';
+  }
+
+  /**
+   * Scans entire codebase for secrets (reads from disk)
+   */
+  async scanCodebaseForSecrets(context) {
+    this.secrets = [];
+    this.cwd = context?.cwd || this.context.cwd;
+    const cwd = this.cwd;
+
+    try {
+      // Recursively scan all source files
+      await this.scanDirectory(cwd);
+    } catch (e) {
+      console.error('Error scanning codebase for secrets:', e.message);
+    }
+
+    return this.secrets;
+  }
+
+  /**
+   * Recursively scans directory for source files
+   */
+  async scanDirectory(dirPath) {
+    try {
+      const entries = await fs.readdir(dirPath, { withFileTypes: true });
+
+      for (const entry of entries) {
+        const fullPath = path.join(dirPath, entry.name);
+
+        // Skip node_modules, dist, build, .git
+        if (['node_modules', 'dist', 'build', '.git', '.scaffold-cache', '.next', 'out'].includes(entry.name)) {
+          continue;
+        }
+
+        if (entry.isDirectory()) {
+          await this.scanDirectory(fullPath);
+        } else if (entry.isFile()) {
+          const ext = path.extname(entry.name);
+          if (['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.env', '.env.local'].includes(ext)) {
+            await this.scanFile(fullPath);
+          }
+        }
+      }
+    } catch (e) {
+      // Silently skip directories that can't be read
+    }
+  }
+
+  /**
+   * Scans a single file for secrets
+   */
+  async scanFile(filePath) {
+    try {
+      const content = await fs.readFile(filePath, 'utf8');
+      
+      // Try AST parsing first (if available)
+      let detectedSecrets = [];
+      try {
+        detectedSecrets = this.scanFileForSecretsAST(filePath, content);
+      } catch (e) {
+        // Fall back to REGEX if AST fails
+        detectedSecrets = this.scanFileForSecretsRegex(filePath, content);
+      }
+
+      // If AST returned nothing, try REGEX as additional pass
+      if (detectedSecrets.length === 0) {
+        detectedSecrets = this.scanFileForSecretsRegex(filePath, content);
+      }
+
+      this.secrets.push(...detectedSecrets);
+    } catch (e) {
+      // Skip files that can't be read
+    }
+  }
+
+  /**
+   * Scans file using AST (with OXC if available)
+   */
+  scanFileForSecretsAST(filePath, content) {
+    const detectedSecrets = [];
+
+    try {
+      // Try to use OXC parser if available
+      let ast;
+      try {
+        const { parseSync } = require('oxc-parser');
+        ast = parseSync(content, {
+          sourceType: 'module',
+          ecmaVersion: 'latest'
+        });
+      } catch (e) {
+        // OXC not available, fall back to REGEX
+        return this.scanFileForSecretsRegex(filePath, content);
+      }
+
+      // Walk AST and find variable assignments with secret values
+      this.walkAST(ast, (node) => {
+        // Variable declarations: const API_KEY = "sk_..."
+        if (node.type === 'VariableDeclarator' && node.init) {
+          const varName = node.id?.name || '';
+          const secret = this.extractSecretValue(node.init);
+          
+          if (secret) {
+            const detectedType = this.classifySecret(varName, secret.value);
+            if (detectedType) {
+              detectedSecrets.push({
+                file: filePath,
+                line: node.loc?.start?.line || 0,
+                column: node.loc?.start?.column || 0,
+                type: detectedType.type,
+                severity: detectedType.severity,
+                variable: varName,
+                secret: secret.value.substring(0, 20) + '***'
+              });
+            }
+          }
+        }
+
+        // Object properties: { password: "...", apiKey: "..." }
+        if (node.type === 'Property' && node.value) {
+          const propName = node.key?.name || node.key?.value || '';
+          const secret = this.extractSecretValue(node.value);
+          
+          if (secret) {
+            const detectedType = this.classifySecret(propName, secret.value);
+            if (detectedType) {
+              detectedSecrets.push({
+                file: filePath,
+                line: node.loc?.start?.line || 0,
+                column: node.loc?.start?.column || 0,
+                type: detectedType.type,
+                severity: detectedType.severity,
+                variable: propName,
+                secret: secret.value.substring(0, 20) + '***'
+              });
+            }
+          }
+        }
+
+        // Assignment expressions: API_KEY = "..."
+        if (node.type === 'AssignmentExpression' && node.right) {
+          const varName = node.left?.name || '';
+          const secret = this.extractSecretValue(node.right);
+          
+          if (secret) {
+            const detectedType = this.classifySecret(varName, secret.value);
+            if (detectedType) {
+              detectedSecrets.push({
+                file: filePath,
+                line: node.loc?.start?.line || 0,
+                column: node.loc?.start?.column || 0,
+                type: detectedType.type,
+                severity: detectedType.severity,
+                variable: varName,
+                secret: secret.value.substring(0, 20) + '***'
+              });
+            }
+          }
+        }
+      });
+    } catch (e) {
+      // Return empty on error, will fall back to REGEX
+      return [];
+    }
+
+    return detectedSecrets;
+  }
+
+  /**
+   * Extracts string value from AST node
+   */
+  extractSecretValue(node) {
+    if (node.type === 'StringLiteral' || node.type === 'Literal') {
+      return { value: node.value || '' };
+    }
+    if (node.type === 'TemplateLiteral') {
+      return { value: node.quasis?.[0]?.value?.raw || '' };
+    }
+    return null;
+  }
+
+  /**
+   * Classifies a secret based on variable name and value
+   */
+  classifySecret(variableName, value) {
+    const lowerName = variableName.toLowerCase();
+
+    for (const [type, metadata] of Object.entries(this.secretMetadata)) {
+      const pattern = this.regexPatterns[type];
+      if (!pattern) continue;
+
+      // Check if variable name matches keywords
+      const nameMatches = metadata.keywords.some(kw => lowerName.includes(kw));
+      
+      // Check if value matches pattern
+      const valueMatches = pattern.test(value);
+
+      if ((nameMatches && value.length > 8) || valueMatches) {
+        return { type, severity: metadata.severity };
+      }
+    }
+
+    return null;
+  }
+
+  /**
+   * Simple AST walker
+   */
+  walkAST(node, callback) {
+    if (!node || typeof node !== 'object') return;
+
+    callback(node);
+
+    for (const key in node) {
+      if (key === 'loc' || key === 'range' || key === 'start' || key === 'end') continue;
+      
+      const child = node[key];
+      if (Array.isArray(child)) {
+        child.forEach(item => this.walkAST(item, callback));
+      } else if (typeof child === 'object') {
+        this.walkAST(child, callback);
+      }
+    }
+  }
+
+  /**
+   * Formats secrets for reporting
+   */
+  formatSecretsForReport() {
+    if (this.secrets.length === 0) return [];
+
+    return this.secrets.map(secret => ({
+      file: secret.file,
+      line: secret.line,
+      column: secret.column,
+      type: secret.type,
+      severity: secret.severity,
+      variable: secret.variable,
+      redacted: secret.secret
+    }));
+  }
+
+  /**
+   * Gets secrets by severity level
+   */
+  getSecretsBySeverity(severity) {
+    return this.secrets.filter(s => s.severity === severity);
+  }
+
+  /**
+   * Gets critical secrets only
+   */
+  getCriticalSecrets() {
+    return this.getSecretsBySeverity('CRITICAL');
+  }
+
+  /**
+   * Gets count of secrets by type
+   */
+  getSecretStats() {
+    const stats = {};
+    this.secrets.forEach(secret => {
+      stats[secret.type] = (stats[secret.type] || 0) + 1;
+    });
+    return stats;
+  }
+}
+
+export default SecretDetector;

package/src/plugins/KnipAdapter.js

@@ -0,0 +1,106 @@
+/**
+ * ============================================================================
+ * Knip Plugin Adapter for pkg-scaffold v4.0.0
+ * ============================================================================
+ * This adapter allows pkg-scaffold to use existing Knip plugins without
+ * requiring knip as a dependency. It implements the Knip plugin interface
+ * internally to ensure full compatibility.
+ */
+
+import path from 'path';
+import fs from 'fs/promises';
+
+export class KnipAdapter {
+  constructor(context) {
+    this.context = context;
+    this.knipPlugins = new Map();
+  }
+
+  /**
+   * Discovers and loads Knip plugins from the project's node_modules
+   * or a specified directory.
+   */
+  async discoverPlugins(projectRoot) {
+    // Knip plugins are typically named 'knip-plugin-*' or are part of knip's core
+    // We look for common Knip plugin patterns in node_modules
+    const nodeModulesPath = path.join(projectRoot, 'node_modules');
+    
+    try {
+      const dirs = await fs.readdir(nodeModulesPath);
+      for (const dir of dirs) {
+        if (dir.startsWith('knip-plugin-') || dir === '@knip/plugin') {
+          await this.loadPlugin(path.join(nodeModulesPath, dir));
+        }
+      }
+    } catch (e) {
+      // node_modules not found or unreadable
+    }
+  }
+
+  /**
+   * Loads a specific Knip plugin and wraps it for pkg-scaffold
+   */
+  async loadPlugin(pluginPath) {
+    try {
+      const pluginModule = await import(pluginPath);
+      const plugin = pluginModule.default || pluginModule;
+      
+      if (plugin.name && (plugin.config || plugin.entry)) {
+        this.knipPlugins.set(plugin.name, this.wrapKnipPlugin(plugin));
+        if (this.context.verbose) {
+          console.log(`[KnipAdapter] Successfully integrated Knip plugin: ${plugin.name}`);
+        }
+      }
+    } catch (e) {
+      // Failed to load plugin
+    }
+  }
+
+  /**
+   * Wraps a Knip plugin to match the pkg-scaffold BasePlugin interface
+   */
+  wrapKnipPlugin(knipPlugin) {
+    return {
+      name: `knip-${knipPlugin.name}`,
+      isKnipWrapped: true,
+      
+      getConfigFiles: () => {
+        if (Array.isArray(knipPlugin.config)) return knipPlugin.config;
+        if (typeof knipPlugin.config === 'string') return [knipPlugin.config];
+        return [];
+      },
+      
+      getRoutePatterns: () => {
+        if (Array.isArray(knipPlugin.entry)) return knipPlugin.entry.map(e => new RegExp(e.replace('*', '.*')));
+        if (typeof knipPlugin.entry === 'string') return [new RegExp(knipPlugin.entry.replace('*', '.*'))];
+        return [];
+      },
+      
+      isActive: async (baseDir) => {
+        const configFiles = Array.isArray(knipPlugin.config) ? knipPlugin.config : [knipPlugin.config];
+        for (const file of configFiles) {
+          if (!file) continue;
+          try {
+            await fs.access(path.join(baseDir, file));
+            return true;
+          } catch {
+            continue;
+          }
+        }
+        return false;
+      },
+      
+      // Map other Knip plugin properties to pkg-scaffold
+      get: (key) => knipPlugin[key]
+    };
+  }
+
+  /**
+   * Returns all integrated Knip plugins
+   */
+  getPlugins() {
+    return Array.from(this.knipPlugins.values());
+  }
+}
+
+export default KnipAdapter;

package/src/plugins/PluginRegistry.js

@@ -1,16 +1,18 @@
 import path from 'path';
 import fs from 'fs/promises';
 import { pathToFileURL } from 'url';
+import { KnipAdapter } from './KnipAdapter.js';
 
 /**
  * Advanced Plugin Registry supporting Builtin, Custom, and Knip-style plugins.
- * Version 3.2.0: Enhanced with support for dynamic custom getters.
+ * Version 4.0.0: Enhanced with Modern Frameworks, Backend Services, and Standalone Knip Integration.
  */
 export class PluginRegistry {
     constructor(context) {
         this.context = context;
         this.plugins = new Map();
         this.config = null;
+        this.knipAdapter = new KnipAdapter(context);
     }
 
     async init(projectRoot) {
@@ -35,14 +37,21 @@ export class PluginRegistry {
         }
 
         if (this.config.supportKnipPlugins) {
-            await this.initKnipAdapter();
+            await this.initKnipAdapter(projectRoot);
         }
     }
 
     async loadBuiltinPlugins() {
+        // Core Ecosystems
         const { NextJsPlugin } = await import('./ecosystems/NextJsPlugin.js');
         const { NuxtPlugin, RemixPlugin, SvelteKitPlugin, AstroPlugin } = await import('./ecosystems/GenericPlugins.js');
         const { TypeScriptPlugin } = await import('./ecosystems/TypeScriptPlugin.js');
+        
+        // Modern Frameworks (New in v4.0)
+        const { ReactPlugin, VuePlugin, SveltePlugin, AngularPlugin } = await import('./ecosystems/ModernFrameworks.js');
+        
+        // Backend Services (New in v4.0)
+        const { GraphQLPlugin, DatabasePlugin } = await import('./ecosystems/BackendServices.js');
 
         const builtins = [
             new NextJsPlugin(this.context),
@@ -50,7 +59,13 @@ export class PluginRegistry {
             new RemixPlugin(this.context),
             new SvelteKitPlugin(this.context),
             new AstroPlugin(this.context),
-            new TypeScriptPlugin(this.context)
+            new TypeScriptPlugin(this.context),
+            new ReactPlugin(this.context),
+            new VuePlugin(this.context),
+            new SveltePlugin(this.context),
+            new AngularPlugin(this.context),
+            new GraphQLPlugin(this.context),
+            new DatabasePlugin(this.context)
         ];
 
         builtins.forEach(p => {
@@ -82,8 +97,11 @@ export class PluginRegistry {
         }
     }
 
-    async initKnipAdapter() {
+    async initKnipAdapter(projectRoot) {
         this.context.knipCompatible = true;
+        await this.knipAdapter.discoverPlugins(projectRoot);
+        const knipPlugins = this.knipAdapter.getPlugins();
+        knipPlugins.forEach(p => this.register(p));
     }
 
     register(plugin) {

package/src/plugins/ecosystems/BackendServices.js

@@ -0,0 +1,59 @@
+/**
+ * ============================================================================
+ * Backend Services Plugins for pkg-scaffold v4.0.0
+ * ============================================================================
+ * Built-in support for GraphQL, REST APIs, and Databases.
+ */
+
+import { BasePlugin } from '../BasePlugin.js';
+
+/**
+ * GraphQL Ecosystem Plugin
+ */
+export class GraphQLPlugin extends BasePlugin {
+  get name() {
+    return 'graphql';
+  }
+
+  getConfigFiles() {
+    return ['package.json', 'graphql.config.js', '.graphqlconfig'];
+  }
+
+  async isActive(baseDir) {
+    try {
+      const pkgJson = JSON.parse(await require('fs').promises.readFile(require('path').join(baseDir, 'package.json'), 'utf8'));
+      return !!(pkgJson.dependencies?.graphql || pkgJson.devDependencies?.graphql || pkgJson.dependencies?.['@apollo/client']);
+    } catch {
+      return false;
+    }
+  }
+
+  async analyze(node, filePath) {
+    // Detect GraphQL tagged templates
+    const gqlPattern = /gql\s*`([\s\S]*?)`/g;
+    const matches = node.rawCode?.match(gqlPattern) || [];
+    if (matches.length > 0) {
+      node.graphqlQueries = matches;
+    }
+  }
+}
+
+/**
+ * Database Ecosystem Plugin (Prisma, Drizzle, TypeORM)
+ */
+export class DatabasePlugin extends BasePlugin {
+  get name() {
+    return 'database';
+  }
+
+  getConfigFiles() {
+    return ['package.json', 'prisma/schema.prisma', 'drizzle.config.ts', 'ormconfig.json'];
+  }
+
+  async analyze(node, filePath) {
+    // Detect DB usage
+    if (node.explicitImports.has('@prisma/client') || node.explicitImports.has('drizzle-orm')) {
+      node.usesDatabase = true;
+    }
+  }
+}