prodlint 0.7.2 → 0.8.1

package/dist/index.js

@@ -715,7 +715,8 @@ var SECRET_PATTERNS = [
   { name: "AWS access key", pattern: /AKIA[0-9A-Z]{16}/ },
   { name: "AWS secret key", pattern: /(?:aws_secret_access_key|AWS_SECRET)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/ },
   { name: "Supabase service role key", pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{50,}\.[A-Za-z0-9_-]{20,}/ },
-  { name: "OpenAI API key", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key (legacy)", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key", pattern: /sk-proj-[a-zA-Z0-9_\-]{20,}/ },
   { name: "GitHub token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
   { name: "GitHub fine-grained token", pattern: /github_pat_[A-Za-z0-9_]{22,}/ },
   { name: "Generic API key assignment", pattern: /(?:api_key|apikey|api_secret|secret_key|private_key)\s*[=:]\s*['"][a-zA-Z0-9_\-]{20,}['"]/ },
@@ -2254,7 +2255,7 @@ var codebaseConsistencyRule = {
 // src/rules/dead-exports.ts
 function isEntryPoint(relativePath) {
   const name = relativePath.split("/").pop() ?? "";
-  return /^(page|layout|loading|error|not-found|route|middleware|instrumentation)\.(tsx?|jsx?)$/.test(name) || /^index\.(tsx?|jsx?)$/.test(name) || name === "global-error.tsx" || name === "global-error.jsx";
+  return /^(page|layout|loading|error|not-found|route|middleware|instrumentation|opengraph-image|twitter-image|icon|apple-icon|sitemap|robots|manifest)\.(tsx?|jsx?)$/.test(name) || /^index\.(tsx?|jsx?)$/.test(name) || name === "global-error.tsx" || name === "global-error.jsx";
 }
 var THRESHOLD = 5;
 var deadExportsRule = {
@@ -2277,8 +2278,31 @@ var deadExportsRule = {
     const importedFiles = /* @__PURE__ */ new Set();
     for (const file of sourceFiles) {
       if (isEntryPoint(file.relativePath)) continue;
+      let inTemplateLiteral = false;
       for (let i = 0; i < file.lines.length; i++) {
         const line = file.lines[i];
+        let backtickCount = 0;
+        for (let j = 0; j < line.length; j++) {
+          if (line[j] === "\\") {
+            j++;
+            continue;
+          }
+          if (line[j] === "`") backtickCount++;
+        }
+        if (backtickCount % 2 === 1) inTemplateLiteral = !inTemplateLiteral;
+        if (inTemplateLiteral && backtickCount % 2 === 0) continue;
+        const exportIdx = line.indexOf("export");
+        if (exportIdx >= 0) {
+          let inStr = false;
+          for (let j = 0; j < exportIdx; j++) {
+            if (line[j] === "\\") {
+              j++;
+              continue;
+            }
+            if (line[j] === "'" || line[j] === '"' || line[j] === "`") inStr = !inStr;
+          }
+          if (inStr) continue;
+        }
         let match;
         const namedRe = /export\s+(?:async\s+)?(?:function|const|let|class|enum)\s+(\w+)/g;
         while ((match = namedRe.exec(line)) !== null) {
@@ -3847,6 +3871,8 @@ var hydrationMismatchRule = {
     if (isClientComponent(file.content)) return [];
     if (!/(?:^|\/)(?:src\/)?app\//.test(file.relativePath)) return [];
     if (/route\.[jt]sx?$/.test(file.relativePath)) return [];
+    if (/(?:^|\/)(?:src\/)?app\/(?:lib|utils|helpers|server|actions)\//.test(file.relativePath)) return [];
+    if (/\.[jt]s$/.test(file.relativePath) && !/<[A-Z]/.test(file.content)) return [];
     const findings = [];
     let useEffectRanges = [];
     if (file.ast) {
@@ -4385,8 +4411,249 @@ async function scan(options) {
     summary
   };
 }
+
+// src/web-scanner/checks.ts
+function make(id, name, description, maxPoints, severity, status, details) {
+  return {
+    id,
+    name,
+    description,
+    status,
+    severity,
+    details,
+    points: status === "pass" ? maxPoints : status === "warn" ? Math.floor(maxPoints / 2) : 0,
+    maxPoints
+  };
+}
+function checkRobotsTxt(ctx) {
+  if (!ctx.robotsTxt) return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "fail", "No robots.txt found.");
+  return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "pass", "robots.txt found.");
+}
+function checkRobotsAiDirectives(ctx) {
+  if (!ctx.robotsTxt) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No robots.txt found. AI bots have no guidance.");
+  const agents = ["GPTBot", "ChatGPT-User", "ClaudeBot", "Claude-Web", "Google-Extended", "PerplexityBot", "Bytespider", "CCBot", "anthropic-ai", "cohere-ai"];
+  const found = agents.filter((a) => ctx.robotsTxt.toLowerCase().includes(a.toLowerCase()));
+  if (found.length === 0) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No AI-specific user-agent directives found.");
+  if (found.length < 3) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "warn", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+  return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "pass", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+}
+function checkContentUsage(ctx) {
+  const hasHeader = ctx.headers["content-usage"] != null;
+  const hasInRobots = ctx.robotsTxt?.toLowerCase().includes("content-usage") ?? false;
+  if (!hasHeader && !hasInRobots) return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "fail", "No Content-Usage directives found.");
+  return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "pass", hasHeader ? `Header: ${ctx.headers["content-usage"]}` : "Found in robots.txt.");
+}
+function checkLlmsTxt(ctx) {
+  if (!ctx.llmsTxt) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "fail", "No llms.txt found.");
+  const lines = ctx.llmsTxt.split("\n").filter((l) => l.trim().length > 0);
+  if (lines.length < 3) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "warn", "llms.txt found but appears minimal.");
+  return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "pass", `llms.txt found with ${lines.length} lines.`);
+}
+function checkTdmRep(ctx) {
+  const hasWK = ctx.tdmRep != null;
+  const hasHeader = ctx.headers["tdm-reservation"] != null;
+  if (!hasWK && !hasHeader) return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "fail", "No TDMRep configuration found.");
+  return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "pass", hasWK ? "/.well-known/tdmrep.json found." : `TDM-Reservation header: ${ctx.headers["tdm-reservation"]}`);
+}
+function checkAiDisclosure(ctx) {
+  if (!ctx.headers["ai-disclosure"]) return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "fail", "No AI-Disclosure header found.");
+  return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "pass", `Header: ${ctx.headers["ai-disclosure"]}`);
+}
+function checkAgentCard(ctx) {
+  if (!ctx.agentCard) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "fail", "No A2A AgentCard found.");
+  try {
+    const card = JSON.parse(ctx.agentCard);
+    if (!card.name || !Array.isArray(card.skills) || card.skills.length === 0) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but missing name or skills.");
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "pass", `AgentCard found with ${card.skills.length} skill(s).`);
+  } catch {
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but contains invalid JSON.");
+  }
+}
+function checkAiTxt(ctx) {
+  if (!ctx.aiTxt) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "fail", "No ai.txt found at site root.");
+  const lines = ctx.aiTxt.split("\n").filter((l) => l.trim().length > 0 && !l.trim().startsWith("#"));
+  if (lines.length < 2) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "warn", "ai.txt found but appears minimal.");
+  return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "pass", `ai.txt found with ${lines.length} directive(s).`);
+}
+function checkWebMCP(ctx) {
+  if (!ctx.html) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "info", "Could not check for WebMCP tools.");
+  const hasToolname = /toolname=/i.test(ctx.html);
+  const hasModelContext = /navigator\.modelContext/i.test(ctx.html) || /registerTool/i.test(ctx.html);
+  if (!hasToolname && !hasModelContext) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "fail", "No WebMCP tools detected.");
+  const count = (ctx.html.match(/toolname=/gi) || []).length;
+  return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "pass", hasToolname ? `${count} form(s) with toolname attributes.` : "registerTool() usage detected.");
+}
+function checkStructuredData(ctx) {
+  if (!ctx.html) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "info", "Could not fetch page HTML.");
+  const jsonLd = ctx.html.match(/<script[^>]*type=["']application\/ld\+json["'][^>]*>/gi);
+  const hasMicrodata = ctx.html.includes("itemscope") && ctx.html.includes("itemtype");
+  if (!jsonLd && !hasMicrodata) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "fail", "No structured data found.");
+  return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "pass", `Found ${(jsonLd?.length || 0) + (hasMicrodata ? 1 : 0)} structured data block(s).`);
+}
+function checkOpenGraph(ctx) {
+  if (!ctx.html) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "info", "Could not fetch HTML.");
+  const checks = [/og:title/i.test(ctx.html), /og:description/i.test(ctx.html), /og:image/i.test(ctx.html), /name=["']description["']/i.test(ctx.html)];
+  const passed = checks.filter(Boolean).length;
+  if (passed === 0) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "fail", "No OpenGraph tags or meta description.");
+  if (passed < 3) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "warn", `Found ${passed}/4 meta tags.`);
+  return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "pass", `All ${passed} key meta tags present.`);
+}
+function checkSitemap(ctx) {
+  if (!ctx.sitemapXml) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "fail", "No sitemap.xml found.");
+  const count = Math.max((ctx.sitemapXml.match(/<url>/gi) || []).length, (ctx.sitemapXml.match(/<loc>/gi) || []).length);
+  if (count === 0 && /<sitemapindex/i.test(ctx.sitemapXml)) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", "Sitemap index found.");
+  if (count === 0) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "warn", "sitemap.xml found but appears empty.");
+  return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", `sitemap.xml found with ${count} URL(s).`);
+}
+function checkHttpSignatures(ctx) {
+  const hasDirectory = ctx.httpSigDirectory != null;
+  const hasSignatureHeader = ctx.headers["signature"] != null || ctx.headers["signature-input"] != null;
+  const hasSignatureAgent = ctx.headers["signature-agent"] != null;
+  if (!hasDirectory && !hasSignatureHeader && !hasSignatureAgent) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "fail", "No HTTP signature support detected.");
+  if (hasDirectory) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", "/.well-known/http-message-signatures-directory found.");
+  return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", hasSignatureAgent ? "Signature-Agent header detected." : "Signature/Signature-Input headers detected.");
+}
+function checkPageSpeed(ctx) {
+  if (ctx.loadTimeMs == null) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "info", "Could not measure.");
+  if (ctx.loadTimeMs > 5e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "fail", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 agents may time out.`);
+  if (ctx.loadTimeMs > 2e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "warn", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 consider optimizing.`);
+  return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "pass", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s.`);
+}
+var allChecks = [
+  checkRobotsTxt,
+  checkRobotsAiDirectives,
+  checkContentUsage,
+  checkLlmsTxt,
+  checkAiTxt,
+  checkTdmRep,
+  checkAiDisclosure,
+  checkAgentCard,
+  checkWebMCP,
+  checkHttpSignatures,
+  checkStructuredData,
+  checkOpenGraph,
+  checkSitemap,
+  checkPageSpeed
+];
+
+// src/web-scanner/index.ts
+function getGrade(score) {
+  if (score >= 80) return "A";
+  if (score >= 60) return "B";
+  if (score >= 40) return "C";
+  if (score >= 20) return "D";
+  return "F";
+}
+function getDomain(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return url;
+  }
+}
+var PRIVATE_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "0.0.0.0", "[::1]", "metadata.google.internal"]);
+function isPrivateHost(hostname) {
+  if (PRIVATE_HOSTNAMES.has(hostname.toLowerCase())) return true;
+  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
+  if (h === "::1" || h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd") || h === "::") return true;
+  const ipv4 = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (ipv4) {
+    const [, a, b] = ipv4.map(Number);
+    if (a === 10 || a === 127 || a === 0) return true;
+    if (a === 172 && b >= 16 && b <= 31) return true;
+    if (a === 192 && b === 168) return true;
+    if (a === 169 && b === 254) return true;
+    if (a === 100 && b >= 64 && b <= 127) return true;
+    if (a === 198 && (b === 18 || b === 19)) return true;
+  }
+  return false;
+}
+function validateRedirectUrl(responseUrl) {
+  try {
+    const parsed = new URL(responseUrl);
+    return !isPrivateHost(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+async function fetchText(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return null;
+    return r.ok ? await r.text() : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchHeaders(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return {};
+    const h = {};
+    r.headers.forEach((v, k) => {
+      h[k.toLowerCase()] = v;
+    });
+    return h;
+  } catch {
+    return {};
+  }
+}
+async function fetchWithTiming(url, timeout = 15e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const start = Date.now();
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    const html = await r.text();
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return { html: null, loadTimeMs: null };
+    return r.ok ? { html, loadTimeMs: Date.now() - start } : { html: null, loadTimeMs: null };
+  } catch {
+    return { html: null, loadTimeMs: null };
+  }
+}
+async function runWebScan(targetUrl) {
+  const domain = getDomain(targetUrl);
+  const [robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, pageData] = await Promise.all([
+    fetchText(`${targetUrl}/robots.txt`),
+    fetchText(`${targetUrl}/llms.txt`),
+    fetchText(`${targetUrl}/ai.txt`),
+    fetchText(`${targetUrl}/.well-known/tdmrep.json`),
+    fetchText(`${targetUrl}/.well-known/agent-card.json`),
+    fetchText(`${targetUrl}/sitemap.xml`),
+    fetchText(`${targetUrl}/.well-known/http-message-signatures-directory`),
+    fetchHeaders(targetUrl),
+    fetchWithTiming(targetUrl)
+  ]);
+  const ctx = { url: targetUrl, domain, robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, html: pageData.html, loadTimeMs: pageData.loadTimeMs };
+  const checks = allChecks.map((fn) => fn(ctx));
+  const totalPoints = checks.reduce((s, c) => s + c.points, 0);
+  const maxPoints = checks.reduce((s, c) => s + c.maxPoints, 0);
+  const overallScore = maxPoints > 0 ? Math.round(totalPoints / maxPoints * 100) : 0;
+  return {
+    url: targetUrl,
+    domain,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    overallScore,
+    grade: getGrade(overallScore),
+    checks,
+    summary: {
+      passed: checks.filter((c) => c.status === "pass").length,
+      failed: checks.filter((c) => c.status === "fail").length,
+      warnings: checks.filter((c) => c.status === "warn").length,
+      totalChecks: checks.length
+    }
+  };
+}
 export {
   rules,
+  runWebScan,
   scan
 };
 //# sourceMappingURL=index.js.map