reactjsquality-check911 1.0.0 → 1.0.1

package/bin/reactjsquality-check911.js

@@ -33,9 +33,14 @@ program
     .description("Scan components, pages, and services — rebuild architecture.md")
     .action(() => require("../commands/scan")());
 
+program
+    .command("audit")
+    .description("Run npm audit for high/critical CVEs (only if vulnerabilities check is enabled)")
+    .action(() => require("../commands/audit")());
+
 program
     .command("hooks")
-    .description("Install pre-commit (ESLint + coverage) and pre-push (Playwright) git hooks")
+    .description("Install pre-commit (ESLint + coverage) and pre-push (Playwright + audit) git hooks")
     .action(() => require("../commands/hooks")());
 
 program.parse(process.argv);

package/commands/audit.js

@@ -0,0 +1,64 @@
+"use strict";
+
+const { execSync } = require("child_process");
+const fs = require("fs");
+
+function loadConfig() {
+    try { return JSON.parse(fs.readFileSync(".reactjs-quality-agent.json", "utf8")); } catch (_) { return null; }
+}
+
+module.exports = function audit() {
+    const config = loadConfig();
+    if (!config) {
+        console.log("No .reactjs-quality-agent.json found — skipping audit.");
+        return;
+    }
+    if (!config.checks || !config.checks.vulnerabilities) {
+        return; // not opted in — silent skip
+    }
+
+    process.stdout.write("Running npm audit...          ");
+    try {
+        let auditOutput = "";
+        let hasVulns    = false;
+        try {
+            execSync("npm audit --audit-level=high --json", {
+                encoding: "utf8", stdio: ["pipe", "pipe", "pipe"]
+            });
+        } catch (e) {
+            // npm audit exits 1 when vulnerabilities found — stdout still has JSON
+            auditOutput = e.stdout || "{}";
+            hasVulns    = true;
+        }
+
+        if (!hasVulns) {
+            console.log("✅");
+            return;
+        }
+
+        let high = 0, critical = 0;
+        try {
+            const data = JSON.parse(auditOutput);
+            if (data.metadata && data.metadata.vulnerabilities) {
+                // npm v7+
+                high     = data.metadata.vulnerabilities.high     || 0;
+                critical = data.metadata.vulnerabilities.critical  || 0;
+            } else if (data.vulnerabilities) {
+                // npm v6
+                for (const v of Object.values(data.vulnerabilities)) {
+                    if (v.severity === "critical") critical++;
+                    else if (v.severity === "high") high++;
+                }
+            }
+        } catch (_) {}
+
+        console.log("❌");
+        console.log(`  ${critical} critical, ${high} high severity vulnerabilities in dependencies`);
+        console.log("  Fix: npm audit fix          — auto-fix compatible updates");
+        console.log("       npm audit fix --force  — force upgrades (may include breaking changes)");
+        console.log("       npm audit              — see full vulnerability details");
+        process.exit(1);
+    } catch (e) {
+        console.log("⚠️  npm audit unavailable:", e.message.slice(0, 80));
+    }
+};

package/commands/hooks.js

@@ -27,7 +27,7 @@ reactjsquality-check911 coverage
 
 const PRE_PUSH = `#!/bin/sh
 # reactjsquality-check911 — pre-push hook
-# Runs Playwright smoke tests before every push
+# Runs Playwright smoke tests and npm audit before every push
 
 set -e
 
@@ -43,6 +43,7 @@ if [ ! -f "$CONFIG" ]; then
 fi
 
 reactjsquality-check911 playwright
+reactjsquality-check911 audit
 `;
 
 module.exports = function hooks() {
@@ -66,9 +67,12 @@ module.exports = function hooks() {
     console.log(`
 Hooks installed. From now on:
 
-  git commit  →  ESLint errors on changed chunks block the commit
-                 Jest coverage < 80% on changed files blocks the commit
+  git commit  →  ESLint errors block the commit (changed chunks only)
+                 Code Smells (SonarJS) block the commit  [if enabled]
+                 Security violations block the commit    [if enabled]
+                 Jest coverage < 80% blocks the commit   [if enabled]
 
-  git push    →  Playwright smoke tests must all pass before push is allowed
+  git push    →  Playwright smoke tests must pass        [if enabled]
+                 npm audit for high/critical CVEs         [if enabled]
 `);
 };

package/commands/init.js

@@ -15,9 +15,11 @@ const FRAMEWORKS = [
 ];
 
 const CHECKS = [
-    { id: "eslint",     label: "ESLint      — code style and error rules on staged chunks" },
-    { id: "coverage",   label: "Coverage    — Jest line coverage (80% threshold per changed file)" },
-    { id: "playwright", label: "Playwright  — smoke tests run before every git push" }
+    { id: "eslint",           label: "ESLint          — code style and error rules on staged chunks" },
+    { id: "codesmells",       label: "Code Smells      — SonarJS: cognitive complexity, duplicate code, dead code" },
+    { id: "vulnerabilities",  label: "Vulnerabilities  — eslint-security: eval/injection/unsafe regex + npm audit CVE scan on push" },
+    { id: "coverage",         label: "Coverage         — Jest line coverage (80% threshold per changed file)" },
+    { id: "playwright",       label: "Playwright       — E2E smoke tests run before every git push" }
 ];
 
 const COPILOT_INSTRUCTIONS = {

package/commands/quality.js

@@ -1,8 +1,9 @@
 "use strict";
 
 const { execSync } = require("child_process");
-const fs   = require("fs");
-const path = require("path");
+const fs      = require("fs");
+const path    = require("path");
+const PKG_ROOT = path.join(__dirname, "..");
 
 const CONFIG_FILE = ".reactjs-quality-agent.json";
 
@@ -96,6 +97,58 @@ function runEslint(staged, changedRanges) {
     }
 }
 
+function runWithPlugin(staged, changedRanges, configFile, label) {
+    process.stdout.write(`Running ${label}...`.padEnd(30));
+    const eslintJs   = path.join(PKG_ROOT, "node_modules", "eslint", "bin", "eslint.js");
+    const configPath = path.join(PKG_ROOT, "config", configFile);
+
+    if (!fs.existsSync(eslintJs)) {
+        console.log("⚠️  (ESLint not in package — reinstall reactjsquality-check911)");
+        return { passed: true, summary: `⚠️  ${label}: ESLint not found` };
+    }
+
+    try {
+        const fileArgs = staged.map(f => `"${f}"`).join(" ");
+        let output = "";
+        try {
+            output = execSync(
+                `node "${eslintJs}" ${fileArgs} --format json --no-eslintrc --resolve-plugins-relative-to "${PKG_ROOT}" --config "${configPath}"`,
+                { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }
+            );
+        } catch (e) {
+            output = e.stdout || "[]";
+        }
+
+        const data   = JSON.parse(output || "[]");
+        const viols  = [];
+        const errors = [];
+
+        for (const file of data) {
+            const ranges = findRanges(file.filePath, changedRanges);
+            if (!ranges) continue;
+            for (const msg of file.messages) {
+                if (!inChangedRange(msg.line, ranges)) continue;
+                const lbl   = msg.severity === 2 ? "error" : "warn";
+                const entry = `  [${label}:${msg.ruleId || "?"}] ${path.basename(file.filePath)}:${msg.line} — ${msg.message} (${lbl})`;
+                viols.push(entry);
+                if (msg.severity === 2) errors.push(entry);
+            }
+        }
+
+        if (errors.length) {
+            console.log("❌");
+            viols.forEach(v => console.log(v));
+            return { passed: false, summary: `❌ ${label}: ${errors.length} issue(s) in changed lines` };
+        }
+        console.log("✅");
+        if (viols.length) viols.forEach(v => console.log(v));
+        return { passed: true, summary: `✅ ${label} passed` };
+    } catch (e) {
+        console.log("⚠️");
+        return { passed: true, summary: `⚠️  ${label}: ${e.message.slice(0, 80)}` };
+    }
+}
+
 function runTypeScript(staged) {
     const tsFiles = staged.filter(f => f.endsWith(".ts") || f.endsWith(".tsx"));
     process.stdout.write("Running TypeScript... ");
@@ -141,6 +194,18 @@ module.exports = function quality() {
         if (!r.passed) failed = true;
     }
 
+    if (config.checks.codesmells) {
+        const r = runWithPlugin(staged, changedRanges, "sonarjs.eslintrc.json", "Code Smells");
+        results.push(r.summary);
+        if (!r.passed) failed = true;
+    }
+
+    if (config.checks.vulnerabilities) {
+        const r = runWithPlugin(staged, changedRanges, "security.eslintrc.json", "Security");
+        results.push(r.summary);
+        if (!r.passed) failed = true;
+    }
+
     const r2 = runTypeScript(staged);
     results.push(r2.summary);
     if (!r2.passed) failed = true;

package/config/security.eslintrc.json

@@ -0,0 +1,16 @@
+{
+  "env": { "browser": true, "es2022": true, "node": true },
+  "parserOptions": { "ecmaVersion": 2022, "sourceType": "module" },
+  "plugins": ["security"],
+  "rules": {
+    "security/detect-eval-with-expression":           "error",
+    "security/detect-non-literal-regexp":             "warn",
+    "security/detect-non-literal-require":            "warn",
+    "security/detect-object-injection":               "warn",
+    "security/detect-possible-timing-attacks":        "warn",
+    "security/detect-pseudoRandomBytes":              "error",
+    "security/detect-unsafe-regex":                   "error",
+    "security/detect-no-csrf-before-method-override": "error",
+    "security/detect-disable-mustache-escape":        "error"
+  }
+}

package/config/sonarjs.eslintrc.json

@@ -0,0 +1,16 @@
+{
+  "env": { "browser": true, "es2022": true, "node": true },
+  "parserOptions": { "ecmaVersion": 2022, "sourceType": "module" },
+  "plugins": ["sonarjs"],
+  "rules": {
+    "sonarjs/cognitive-complexity":    ["error", 15],
+    "sonarjs/no-duplicate-string":     ["warn",  { "threshold": 3 }],
+    "sonarjs/no-identical-functions":  "error",
+    "sonarjs/no-empty-collection":     "error",
+    "sonarjs/no-unused-collection":    "error",
+    "sonarjs/no-redundant-boolean":    "error",
+    "sonarjs/no-small-switch":         "warn",
+    "sonarjs/prefer-immediate-return": "warn",
+    "sonarjs/no-nested-switch":        "warn"
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "reactjsquality-check911",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "GitHub Copilot agent for React/JS projects — enforces ESLint, Jest coverage, and Playwright tests on every commit and push",
   "bin": {
     "reactjsquality-check911": "./bin/reactjsquality-check911.js"
@@ -39,6 +39,9 @@
   ],
   "type": "commonjs",
   "dependencies": {
-    "commander": "^15.0.0"
+    "commander": "^15.0.0",
+    "eslint": "^8.57.0",
+    "eslint-plugin-sonarjs": "^0.25.0",
+    "eslint-plugin-security": "^3.0.0"
   }
 }