pqm-cli 1.0.0

package/src/commands/init.js

@@ -0,0 +1,61 @@
+import fs from 'fs';
+import path from 'path';
+import { logger } from '../utils/logger.js';
+
+const CONFIG_FILE = '.pqmrc';
+
+const DEFAULT_CONFIG = {
+  root: './src',
+  exclude: ['node_modules', 'dist', '.git', '**/*.test.js', '**/*.spec.js'],
+  buildTool: 'auto',
+  buildMode: 'incremental',
+  buildOnStart: true,
+  webhook: {
+    enabled: false,
+    port: 3200
+  },
+  log: {
+    level: 'info',
+    file: '.pqm/pqm.log'
+  }
+};
+
+export default function (program) {
+  program
+    .command('init')
+    .description('Initialize pqm configuration in current directory')
+    .option('-f, --force', 'Overwrite existing configuration')
+    .action(async (options) => {
+      const configPath = path.resolve(process.cwd(), CONFIG_FILE);
+
+      // Check if config already exists
+      if (fs.existsSync(configPath) && !options.force) {
+        logger.warn('.pqmrc already exists. Use --force to overwrite.');
+        return;
+      }
+
+      // Create logs directory
+      const logsDir = path.resolve(process.cwd(), '.pqm');
+      if (!fs.existsSync(logsDir)) {
+        fs.mkdirSync(logsDir, { recursive: true });
+        logger.info('Created .pqm directory');
+      }
+
+      // Write default configuration
+      fs.writeFileSync(configPath, JSON.stringify(DEFAULT_CONFIG, null, 2));
+      logger.success(`Created ${CONFIG_FILE} with default configuration`);
+
+      // Create .gitignore entry if .gitignore exists
+      const gitignorePath = path.resolve(process.cwd(), '.gitignore');
+      if (fs.existsSync(gitignorePath)) {
+        const gitignore = fs.readFileSync(gitignorePath, 'utf-8');
+        if (!gitignore.includes('.pqm/')) {
+          fs.appendFileSync(gitignorePath, '\n# PQM CLI\n.pqm/\n');
+          logger.info('Added .pqm/ to .gitignore');
+        }
+      }
+
+      console.log('\nConfiguration created successfully!');
+      console.log('Run `pqm watch` to start monitoring.');
+    });
+}

package/src/commands/login.js

@@ -0,0 +1,37 @@
+import { execSync } from 'child_process';
+import { logger } from '../utils/logger.js';
+import chalk from 'chalk';
+
+export default function (program) {
+  program
+    .command('login')
+    .description('Login to npm registry')
+    .option('--registry <registry>', 'NPM registry URL', 'https://registry.npmjs.org/')
+    .action(async (options) => {
+      console.log(chalk.bold(chalk.cyan('\n🔐 NPM 登录\n')));
+
+      logger.info(`Registry: ${options.registry}`);
+      console.log('');
+
+      try {
+        // 使用 npm login
+        execSync('npm login', {
+          stdio: 'inherit',
+          env: { ...process.env }
+        });
+
+        // 验证登录
+        console.log(chalk.yellow('\n验证登录状态...'));
+        const user = execSync('npm whoami', {
+          encoding: 'utf8'
+        }).trim();
+
+        if (user) {
+          console.log(chalk.green(`\n✅ 登录成功! 用户: ${user}`));
+        }
+      } catch (error) {
+        logger.error(`登录失败: ${error.message}`);
+        process.exit(1);
+      }
+    });
+}

package/src/commands/publish.js

@@ -0,0 +1,250 @@
+import { execSync, spawn } from 'child_process';
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { createInterface } from 'readline';
+import { logger } from '../utils/logger.js';
+import chalk from 'chalk';
+
+// 认证状态
+const AuthStatus = {
+  LOGGED_IN: 'logged_in',
+  NOT_LOGGED_IN: 'not_logged_in',
+  TOKEN_EXPIRED: 'token_expired'
+};
+
+function question(rl, query) {
+  return new Promise((resolve) => rl.question(query, resolve));
+}
+
+function execSilent(command) {
+  try {
+    return execSync(command, { encoding: 'utf8', stdio: 'pipe' }).trim();
+  } catch {
+    return null;
+  }
+}
+
+function getAuthStatus() {
+  const result = {
+    status: AuthStatus.NOT_LOGGED_IN,
+    user: null,
+    registry: 'https://registry.npmjs.org/'
+  };
+
+  try {
+    const registry = execSilent('npm config get registry');
+    if (registry && registry !== 'undefined') {
+      result.registry = registry;
+    }
+  } catch {}
+
+  try {
+    const user = execSilent('npm whoami');
+    if (user && user !== 'undefined') {
+      result.status = AuthStatus.LOGGED_IN;
+      result.user = user;
+    }
+  } catch {}
+
+  return result;
+}
+
+async function interactiveLogin(rl) {
+  console.log(chalk.cyan('\n启动交互式登录...\n'));
+
+  return new Promise((resolve) => {
+    const child = spawn('npm', ['login'], {
+      stdio: 'inherit',
+      shell: true
+    });
+
+    child.on('close', () => {
+      console.log(chalk.yellow('\n验证登录状态...'));
+      const authStatus = getAuthStatus();
+
+      if (authStatus.status === AuthStatus.LOGGED_IN) {
+        console.log(chalk.green(`✓ 登录成功! 用户: ${authStatus.user}`));
+        resolve(true);
+      } else {
+        console.log(chalk.red('❌ 登录验证失败'));
+        resolve(false);
+      }
+    });
+  });
+}
+
+async function setupTokenAuth(rl) {
+  console.log(chalk.cyan('\n🔑 Token 认证'));
+  console.log(chalk.gray('获取 Token: https://www.npmjs.com/settings/tokens/new'));
+
+  const token = await question(rl, chalk.yellow('\n请输入 NPM Token: '));
+
+  if (!token || token.trim().length < 10) {
+    console.log(chalk.red('❌ Token 格式不正确'));
+    return false;
+  }
+
+  try {
+    const registry = execSilent('npm config get registry') || 'https://registry.npmjs.org/';
+    const registryKey = registry.replace(/^https?:/, '').replace(/\/$/, '');
+
+    execSync(`npm config set ${registryKey}/:_authToken=${token.trim()}`, { stdio: 'pipe' });
+
+    // 验证
+    const user = execSilent('npm whoami');
+    if (user) {
+      console.log(chalk.green(`✓ 认证成功! 用户: ${user}`));
+
+      // 询问是否保存到项目
+      const saveToProject = await question(rl, chalk.yellow('\n保存到项目 .npmrc? (y/N): '));
+      if (saveToProject.toLowerCase() === 'y') {
+        const npmrcPath = join(process.cwd(), '.npmrc');
+        const content = `${registryKey}/:_authToken=${token.trim()}\nregistry=${registry}\n`;
+        writeFileSync(npmrcPath, content);
+        console.log(chalk.green('✓ Token 已保存到项目'));
+      }
+
+      return true;
+    }
+  } catch (error) {
+    console.log(chalk.red(`❌ Token 验证失败: ${error.message}`));
+  }
+
+  return false;
+}
+
+async function ensureAuth(rl) {
+  console.log(chalk.blue('\n🔍 检查 NPM 认证状态...'));
+
+  const authStatus = getAuthStatus();
+
+  console.log(chalk.cyan('\n📋 认证状态'));
+  console.log(chalk.gray('─'.repeat(40)));
+  console.log(`Registry: ${authStatus.registry}`);
+
+  if (authStatus.status === AuthStatus.LOGGED_IN) {
+    console.log(`状态: ${chalk.green('✓ 已认证')}`);
+    console.log(`用户: ${chalk.green(authStatus.user)}`);
+    return authStatus;
+  }
+
+  console.log(`状态: ${chalk.red('✗ 未认证')}`);
+  console.log(chalk.gray('─'.repeat(40)));
+
+  console.log(chalk.yellow('\n🔐 请选择认证方式:'));
+  console.log('  1) Token 认证 (推荐)');
+  console.log('  2) 交互式登录 (npm login)');
+  console.log('  0) 退出');
+
+  const choice = await question(rl, chalk.cyan('\n请选择 (0-2): '));
+
+  switch (choice.trim()) {
+    case '1':
+      return await setupTokenAuth(rl) ? getAuthStatus() : null;
+    case '2':
+      return await interactiveLogin(rl) ? getAuthStatus() : null;
+    default:
+      console.log(chalk.yellow('已退出'));
+      process.exit(0);
+  }
+}
+
+export default function (program) {
+  program
+    .command('publish')
+    .description('Publish package to npm with smart authentication')
+    .option('--skip-test', 'Skip running tests')
+    .option('--skip-build', 'Skip build step')
+    .option('--access <access>', 'Access level (public|restricted)', 'public')
+    .action(async (options) => {
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+
+      try {
+        console.log(chalk.bold(chalk.blue('\n📦 NPM 发布工具\n')));
+
+        // 1. 检查认证
+        const authStatus = await ensureAuth(rl);
+        if (!authStatus || authStatus.status !== AuthStatus.LOGGED_IN) {
+          console.log(chalk.red('\n❌ 认证失败，无法继续'));
+          process.exit(1);
+        }
+
+        // 2. 读取 package.json
+        const pkgPath = join(process.cwd(), 'package.json');
+        if (!existsSync(pkgPath)) {
+          console.log(chalk.red('❌ 未找到 package.json'));
+          process.exit(1);
+        }
+
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+        console.log(chalk.cyan('\n📦 包信息'));
+        console.log(chalk.gray('─'.repeat(40)));
+        console.log(`名称: ${chalk.bold(pkg.name)}`);
+        console.log(`版本: ${pkg.version}`);
+        console.log(chalk.gray('─'.repeat(40)));
+
+        // 3. 测试
+        if (!options.skipTest && pkg.scripts?.test) {
+          console.log(chalk.yellow('\n📋 执行测试...'));
+          try {
+            execSync('npm test', { stdio: 'inherit' });
+            console.log(chalk.green('✓ 测试通过'));
+          } catch {
+            console.log(chalk.red('❌ 测试失败'));
+            process.exit(1);
+          }
+        }
+
+        // 4. 构建
+        if (!options.skipBuild && pkg.scripts?.build) {
+          console.log(chalk.yellow('\n🔨 执行构建...'));
+          try {
+            execSync('npm run build', { stdio: 'inherit' });
+            console.log(chalk.green('✓ 构建成功'));
+          } catch {
+            console.log(chalk.red('❌ 构建失败'));
+            process.exit(1);
+          }
+        }
+
+        // 5. 确认发布
+        console.log(chalk.cyan('\n🎯 发布确认'));
+        console.log(chalk.gray('─'.repeat(40)));
+        console.log(`包名: ${chalk.bold(pkg.name)}`);
+        console.log(`版本: ${chalk.bold(pkg.version)}`);
+        console.log(`Registry: ${authStatus.registry}`);
+        console.log(`Access: ${options.access}`);
+        console.log(chalk.gray('─'.repeat(40)));
+
+        const confirm = await question(rl, chalk.yellow('\n确认发布? (Y/n): '));
+        if (confirm.toLowerCase() === 'n') {
+          console.log(chalk.yellow('已取消'));
+          process.exit(0);
+        }
+
+        // 6. 发布
+        console.log(chalk.yellow('\n🚀 发布到 npm...'));
+        try {
+          execSync(`npm publish --access ${options.access}`, { stdio: 'inherit' });
+          console.log(chalk.green(`\n✅ 发布成功! ${pkg.name}@${pkg.version}`));
+          console.log(chalk.cyan(`   https://www.npmjs.com/package/${pkg.name}`));
+        } catch (error) {
+          console.log(chalk.red(`\n❌ 发布失败: ${error.message}`));
+
+          // 检查是否需要 2FA
+          const errorOutput = error.message;
+          if (errorOutput.includes('OTP') || errorOutput.includes('two-factor')) {
+            console.log(chalk.yellow('\n需要双因素认证，请使用 Automation Token'));
+          }
+
+          process.exit(1);
+        }
+
+      } finally {
+        rl.close();
+      }
+    });
+}

package/src/commands/release.js

@@ -0,0 +1,107 @@
+import { execSync } from 'child_process';
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { logger } from '../utils/logger.js';
+import chalk from 'chalk';
+
+export default function (program) {
+  program
+    .command('release [type]')
+    .description('Create a new release (patch|minor|major)')
+    .option('-p, --pre-release', 'Create pre-release version')
+    .option('--skip-push', 'Skip pushing to remote')
+    .option('--skip-tag', 'Skip creating git tag')
+    .action((type = 'patch', options) => {
+      // 验证版本类型
+      const validTypes = ['patch', 'minor', 'major'];
+      if (!validTypes.includes(type)) {
+        logger.error(`版本类型必须是: ${validTypes.join(' | ')}`);
+        process.exit(1);
+      }
+
+      // 检查是否有 package.json
+      const pkgPath = join(process.cwd(), 'package.json');
+      if (!existsSync(pkgPath)) {
+        logger.error('当前目录没有 package.json');
+        process.exit(1);
+      }
+
+      // 检查是否有未提交变更
+      try {
+        const status = execSync('git status --porcelain', {
+          encoding: 'utf8'
+        }).trim();
+
+        if (status) {
+          logger.error('有未提交的变更，请先提交:');
+          console.log(status);
+          console.log('\n运行: pqm commit "提交信息"');
+          process.exit(1);
+        }
+      } catch {
+        // 可能不是 git 仓库，继续
+      }
+
+      // 读取当前版本
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+      logger.info(`当前版本: v${pkg.version}`);
+
+      // 计算新版本
+      const [major, minor, patch] = pkg.version.split('.').map(Number);
+      let newVersion;
+
+      if (type === 'major') newVersion = `${major + 1}.0.0`;
+      else if (type === 'minor') newVersion = `${major}.${minor + 1}.0`;
+      else newVersion = `${major}.${minor}.${patch + 1}`;
+
+      logger.info(`新版本: v${newVersion}`);
+
+      // 确认发布
+      console.log(chalk.yellow('\n即将执行以下操作:'));
+      console.log(`  1. 更新 package.json 版本到 ${newVersion}`);
+      console.log(`  2. 提交变更`);
+      if (!options.skipTag) {
+        console.log(`  3. 创建标签 v${newVersion}`);
+      }
+      if (!options.skipPush) {
+        console.log(`  4. 推送到远程`);
+      }
+
+      // 执行发布
+      try {
+        // 更新 package.json
+        pkg.version = newVersion;
+        writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+        logger.success(`版本已更新到 ${newVersion}`);
+
+        // Git 操作
+        if (!options.skipTag || !options.skipPush) {
+          const branch = execSync('git branch --show-current', {
+            encoding: 'utf8'
+          }).trim();
+
+          execSync('git add package.json', { stdio: 'inherit' });
+          execSync(`git commit -m "chore(release): v${newVersion}"`, { stdio: 'inherit' });
+
+          if (!options.skipTag) {
+            execSync(`git tag -a v${newVersion} -m "Release v${newVersion}"`, { stdio: 'inherit' });
+            logger.success(`标签 v${newVersion} 已创建`);
+          }
+
+          if (!options.skipPush) {
+            execSync(`git push origin ${branch}`, { stdio: 'inherit' });
+            if (!options.skipTag) {
+              execSync(`git push origin v${newVersion}`, { stdio: 'inherit' });
+            }
+            logger.success('已推送到远程');
+          }
+        }
+
+        console.log(chalk.green(`\n🎉 发布成功！v${newVersion}`));
+
+      } catch (error) {
+        logger.error(`发布失败: ${error.message}`);
+        process.exit(1);
+      }
+    });
+}

package/src/commands/scan.js

@@ -0,0 +1,239 @@
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { logger } from '../utils/logger.js';
+import { Spinner } from '../utils/spinner.js';
+import {
+  loadGlobalConfig,
+  getAIConfig,
+  isAIConfigured
+} from '../config/global.js';
+import { createProvider, createAnalyzer, AnalysisType } from '../ai/index.js';
+import { collectFiles } from '../ai/analyzer/collector.js';
+import { formatReport } from '../report/formatter.js';
+
+export default function (program) {
+  const scanCmd = program
+    .command('scan')
+    .description('代码安全分析');
+
+  scanCmd
+    .option('--type <type>', '分析类型 (security/quality/dependency)', 'full')
+    .option('--fix', '生成修复建议')
+    .option('--output <format>', '输出格式 (console/json/html)', 'console')
+    .option('--ai', '使用 AI 深度分析')
+    .option('--path <path>', '分析路径', '.')
+    .action(async (options) => {
+      await runScan(options);
+    });
+}
+
+/**
+ * Run code scan
+ * @param {Object} options - Scan options
+ */
+async function runScan(options) {
+  const {
+    type = 'full',
+    fix = false,
+    output = 'console',
+    ai = false,
+    path: scanPath = '.'
+  } = options;
+
+  // Resolve path
+  const projectPath = path.resolve(process.cwd(), scanPath);
+
+  if (!fs.existsSync(projectPath)) {
+    logger.error(`路径不存在: ${projectPath}`);
+    return;
+  }
+
+  console.log('');
+  console.log(chalk.bold('🔍 代码安全分析'));
+  console.log('');
+  console.log(`目标路径: ${chalk.cyan(projectPath)}`);
+  console.log(`分析类型: ${chalk.cyan(type)}`);
+  console.log(`输出格式: ${chalk.cyan(output)}`);
+  console.log('');
+
+  // Validate analysis type
+  const validTypes = ['security', 'quality', 'dependency', 'full'];
+  if (!validTypes.includes(type)) {
+    logger.error(`无效的分析类型: ${type}`);
+    console.log(`有效类型: ${validTypes.join(', ')}`);
+    return;
+  }
+
+  // Validate output format
+  const validOutputs = ['console', 'json', 'html'];
+  if (!validOutputs.includes(output)) {
+    logger.error(`无效的输出格式: ${output}`);
+    console.log(`有效格式: ${validOutputs.join(', ')}`);
+    return;
+  }
+
+  // Create analyzer options
+  const analyzerOptions = {
+    projectPath,
+    useAI: ai && isAIConfigured()
+  };
+
+  // Create AI provider if needed
+  if (ai) {
+    if (!isAIConfigured()) {
+      logger.warn('未配置 AI Provider，跳过 AI 分析');
+      logger.info('运行 pqm ai config 进行配置');
+      console.log('');
+    } else {
+      const aiConfig = getAIConfig();
+      try {
+        analyzerOptions.provider = createProvider(aiConfig.provider, {
+          apiKey: aiConfig.apiKey,
+          model: aiConfig.model
+        });
+        console.log(chalk.green(`✓ 已启用 AI 分析 (${aiConfig.provider})`));
+        console.log('');
+      } catch (error) {
+        logger.warn(`无法创建 AI Provider: ${error.message}`);
+        console.log('');
+      }
+    }
+  }
+
+  // Create analyzer
+  const analyzer = createAnalyzer(analyzerOptions);
+
+  // Collect files
+  const spinner = new Spinner('正在收集项目文件...').start();
+  let files;
+
+  try {
+    files = await collectFiles(projectPath);
+    spinner.succeed(`已收集 ${files.length} 个文件`);
+  } catch (error) {
+    spinner.fail(`文件收集失败: ${error.message}`);
+    return;
+  }
+
+  if (files.length === 0) {
+    logger.warn('未找到可分析的代码文件');
+    console.log('');
+    console.log(chalk.gray('提示: 确保目标目录包含代码文件'));
+    return;
+  }
+
+  // Run analysis
+  spinner.start('正在分析代码...');
+
+  let report;
+  try {
+    report = await analyzer.analyzeFiles(files, type);
+    spinner.succeed('分析完成');
+  } catch (error) {
+    spinner.fail(`分析失败: ${error.message}`);
+    return;
+  }
+
+  // Add dependency analysis if needed
+  if (type === 'dependency' || type === 'full') {
+    let depSpinner = new Spinner('正在分析依赖...').start();
+    try {
+      const depIssues = await analyzer.analyzeDependency(projectPath);
+      if (depIssues.length > 0) {
+        report.byFile['package.json'] = depIssues;
+        report.issues.push(...depIssues);
+      }
+
+      // Recalculate summary
+      for (const issue of depIssues) {
+        const sev = issue.severity?.toLowerCase();
+        if (sev && sev in report.summary) {
+          report.summary[sev]++;
+        }
+      }
+
+      depSpinner.succeed(`依赖分析完成 (${depIssues.length} 个问题)`);
+    } catch (error) {
+      depSpinner.warn(`依赖分析跳过: ${error.message}`);
+    }
+  }
+
+  // Generate fix suggestions if requested
+  if (fix && report.issues.length > 0) {
+    console.log('');
+    console.log(chalk.cyan('生成修复建议...'));
+
+    for (const issue of report.issues.slice(0, 10)) {
+      if (issue.suggestion) {
+        continue;
+      }
+      // Add auto-generated fix suggestions
+      issue.suggestion = generateFixSuggestion(issue);
+    }
+  }
+
+  // Output report
+  console.log('');
+  const formatted = formatReport(report, output);
+
+  if (output === 'console') {
+    console.log(formatted);
+  } else if (output === 'json') {
+    const outputPath = path.join(projectPath, 'scan-report.json');
+    fs.writeFileSync(outputPath, formatted);
+    logger.success(`报告已保存到: ${outputPath}`);
+  } else if (output === 'html') {
+    const outputPath = path.join(projectPath, 'scan-report.html');
+    fs.writeFileSync(outputPath, formatted);
+    logger.success(`报告已保存到: ${outputPath}`);
+  }
+
+  // Exit code based on severity
+  const hasCritical = report.summary.critical > 0;
+  const hasHigh = report.summary.high > 0;
+
+  if (hasCritical || hasHigh) {
+    console.log('');
+    if (hasCritical) {
+      logger.error(`发现 ${report.summary.critical} 个严重漏洞，请立即修复`);
+    }
+    if (hasHigh) {
+      logger.warn(`发现 ${report.summary.high} 个高危问题`);
+    }
+    console.log('');
+    process.exitCode = 1;
+  } else if (report.issues.length > 0) {
+    console.log('');
+    logger.info(`发现 ${report.issues.length} 个问题，建议处理`);
+    console.log('');
+  } else {
+    console.log('');
+    logger.success('没有发现问题');
+    console.log('');
+  }
+}
+
+/**
+ * Generate fix suggestion based on issue type
+ * @param {Object} issue - Issue object
+ * @returns {string} Fix suggestion
+ */
+function generateFixSuggestion(issue) {
+  const suggestions = {
+    'XSS 跨站脚本': '使用 textContent 替代 innerHTML，或使用 DOMPurify 库进行净化',
+    'SQL 注入': '使用参数化查询或 ORM 框架',
+    '命令注入': '使用 child_process.spawn 并分离命令和参数',
+    '危险 eval': '使用 JSON.parse 解析数据，或使用 new Function 配合严格模式',
+    '硬编码密钥': '使用环境变量存储敏感信息: process.env.API_KEY',
+    '路径遍历': '使用 path.resolve 并验证路径前缀',
+    '行过长': '将长行拆分为多行，提高可读性',
+    'var 关键字': '使用 const 声明不可变变量，使用 let 声明可变变量',
+    '空 catch 块': '添加日志记录或错误转发处理',
+    '调试代码': '移除调试代码或使用条件编译'
+  };
+
+  return suggestions[issue.type] || '查看相关文档了解修复方案';
+}
+
+export { runScan };