sentinelayer-cli 0.4.4 → 0.6.2

package/src/review/omargate-interactive.js

@@ -0,0 +1,68 @@
+/**
+ * Interactive post-scan menu for Omar Gate deep-dive.
+ *
+ * After the scan completes, prompts the user to select a domain agent
+ * for full agentic loop analysis (multi-turn, tool-using).
+ */
+
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+import pc from "picocolors";
+
+import { PERSONA_IDS } from "./persona-prompts.js";
+
+/**
+ * Show interactive persona selection after Omar Gate scan.
+ *
+ * @param {object} options
+ * @param {object} options.scanResult - Result from runOmarGateOrchestrator
+ * @returns {Promise<string|null>} Selected persona ID, "all", or null (skip)
+ */
+export async function promptPersonaDeepDive({ scanResult } = {}) {
+  const summary = scanResult?.summary || {};
+  const personas = scanResult?.personas || [];
+
+  console.log("");
+  console.log(pc.bold("Omar Gate scan complete."));
+  console.log(
+    `Findings: P0=${summary.P0 || 0} P1=${summary.P1 || 0} P2=${summary.P2 || 0} P3=${summary.P3 || 0} | ` +
+      `Cost: $${(scanResult?.totalCostUsd || 0).toFixed(4)} | ` +
+      `Duration: ${((scanResult?.totalDurationMs || 0) / 1000).toFixed(1)}s`
+  );
+  console.log("");
+
+  // Show persona results
+  for (const p of personas) {
+    const icon = p.status === "ok" ? pc.green("✓") : p.status === "skipped" ? pc.gray("○") : pc.red("✗");
+    const count = p.findings || 0;
+    console.log(`  ${icon} ${p.id} — ${count} finding${count === 1 ? "" : "s"}`);
+  }
+
+  console.log("");
+  console.log(pc.gray("Deep-dive runs a full agentic loop (multi-turn, tool-using) for deeper analysis."));
+  console.log(pc.gray(`Available: ${PERSONA_IDS.join(", ")}, all, none`));
+  console.log("");
+
+  const rl = createInterface({ input, output });
+  try {
+    const answer = await rl.question(pc.cyan("Deep-dive into which agent? [none] "));
+    const normalized = String(answer || "").trim().toLowerCase();
+
+    if (!normalized || normalized === "none" || normalized === "n" || normalized === "skip") {
+      return null;
+    }
+
+    if (normalized === "all") {
+      return "all";
+    }
+
+    if (PERSONA_IDS.includes(normalized)) {
+      return normalized;
+    }
+
+    console.log(pc.yellow(`Unknown agent '${normalized}'. Skipping deep-dive.`));
+    return null;
+  } finally {
+    rl.close();
+  }
+}

package/src/review/omargate-orchestrator.js

@@ -0,0 +1,300 @@
+/**
+ * Omar Gate multi-persona orchestrator.
+ *
+ * Runs N persona-scoped AI review calls in parallel (bounded concurrency),
+ * merges findings into a blackboard, deduplicates, and produces a unified report.
+ */
+
+import { randomUUID } from "node:crypto";
+
+import { runAiReviewLayer } from "./ai-review.js";
+import { buildPersonaReviewPrompt, PERSONA_IDS } from "./persona-prompts.js";
+import { resolveScanMode } from "./scan-modes.js";
+import { syncRunToDashboard } from "../telemetry/sync.js";
+
+/**
+ * Run bounded-concurrency parallel execution.
+ * @param {Array} items
+ * @param {number} maxConcurrent
+ * @param {Function} fn
+ * @returns {Promise<Array>}
+ */
+async function runWithConcurrency(items, maxConcurrent, fn) {
+  const results = [];
+  const executing = new Set();
+
+  for (const item of items) {
+    const p = fn(item).then((result) => {
+      executing.delete(p);
+      return result;
+    });
+    executing.add(p);
+    results.push(p);
+
+    if (executing.size >= maxConcurrent) {
+      await Promise.race(executing);
+    }
+  }
+
+  return Promise.allSettled(results);
+}
+
+/**
+ * Deduplicate findings by file:line:title key.
+ */
+function deduplicateFindings(allFindings) {
+  const seen = new Set();
+  const unique = [];
+  for (const finding of allFindings) {
+    const key = `${finding.file || ""}:${finding.line || 0}:${String(finding.title || finding.message || "").toLowerCase().slice(0, 80)}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    unique.push(finding);
+  }
+  return unique;
+}
+
+/**
+ * Run the Omar Gate multi-persona orchestrator.
+ *
+ * @param {object} options
+ * @param {string} options.targetPath - Repository path
+ * @param {string} [options.scanMode] - "baseline", "deep", or "full-depth"
+ * @param {number} [options.maxParallel] - Max concurrent persona calls (default 4)
+ * @param {string} [options.provider] - LLM provider override
+ * @param {string} [options.model] - LLM model override
+ * @param {number} [options.maxCostUsd] - Global cost ceiling (default 5.0)
+ * @param {boolean} [options.dryRun] - Dry-run mode (no LLM calls)
+ * @param {string} [options.outputDir] - Output directory override
+ * @param {object} [options.deterministic] - Deterministic scan results
+ * @param {Function} [options.onEvent] - Event callback for streaming
+ * @returns {Promise<object>} Orchestrated results
+ */
+export async function runOmarGateOrchestrator({
+  targetPath,
+  scanMode = "deep",
+  maxParallel = 4,
+  provider = "",
+  model = "",
+  maxCostUsd = 5.0,
+  dryRun = false,
+  outputDir = "",
+  deterministic = null,
+  onEvent = null,
+} = {}) {
+  const runId = `omargate-${Date.now()}-${randomUUID().slice(0, 8)}`;
+  const startTime = Date.now();
+
+  const { mode, personas } = resolveScanMode(scanMode);
+
+  if (onEvent) {
+    onEvent({
+      stream: "sl_event",
+      event: "omargate_start",
+      payload: { runId, mode, personas, maxParallel, maxCostUsd, dryRun },
+    });
+  }
+
+  const detSummary = deterministic?.summary || { P0: 0, P1: 0, P2: 0, P3: 0 };
+  const detFindings = deterministic?.findings || [];
+
+  // Per-persona cost budget = global / persona count (with minimum floor)
+  const perPersonaCost = Math.max(0.25, maxCostUsd / personas.length);
+  let runningCostUsd = 0;
+
+  const personaResults = await runWithConcurrency(personas, maxParallel, async (personaId) => {
+    // Global budget check — skip remaining personas if exhausted
+    if (runningCostUsd >= maxCostUsd) {
+      if (onEvent) {
+        onEvent({
+          stream: "sl_event",
+          event: "persona_skipped",
+          payload: { personaId, reason: "global_budget_exhausted", runningCostUsd, maxCostUsd },
+        });
+      }
+      return {
+        personaId,
+        status: "skipped",
+        findings: [],
+        summary: { P0: 0, P1: 0, P2: 0, P3: 0 },
+        costUsd: 0,
+        durationMs: 0,
+        reason: "global_budget_exhausted",
+      };
+    }
+
+    const personaStart = Date.now();
+
+    if (onEvent) {
+      onEvent({
+        stream: "sl_event",
+        event: "persona_start",
+        payload: { personaId, mode, runId },
+      });
+    }
+
+    try {
+      const systemPrompt = buildPersonaReviewPrompt({
+        personaId,
+        targetPath,
+        deterministicSummary: detSummary,
+      });
+
+      const result = await runAiReviewLayer({
+        targetPath,
+        mode: "full",
+        runId: `${runId}-${personaId}`,
+        runDirectory: targetPath,
+        deterministic: {
+          summary: detSummary,
+          findings: detFindings,
+          metadata: deterministic?.metadata || {},
+        },
+        outputDir,
+        provider: provider || undefined,
+        model: model || undefined,
+        maxCostUsd: perPersonaCost,
+        dryRun,
+        env: process.env,
+      });
+
+      const findings = (result?.findings || []).map((f) => ({
+        ...f,
+        persona: personaId,
+        layer: personaId,
+      }));
+
+      if (onEvent) {
+        for (const finding of findings) {
+          onEvent({
+            stream: "sl_event",
+            event: "persona_finding",
+            payload: { personaId, ...finding },
+          });
+        }
+        onEvent({
+          stream: "sl_event",
+          event: "persona_complete",
+          payload: {
+            personaId,
+            findings: findings.length,
+            summary: result?.summary || {},
+            costUsd: result?.costUsd || 0,
+            durationMs: Date.now() - personaStart,
+          },
+        });
+      }
+
+      const personaCost = result?.costUsd || 0;
+      runningCostUsd += personaCost;
+
+      return {
+        personaId,
+        status: "ok",
+        findings,
+        summary: result?.summary || { P0: 0, P1: 0, P2: 0, P3: 0 },
+        costUsd: personaCost,
+        model: result?.model || model || null,
+        durationMs: Date.now() - personaStart,
+      };
+    } catch (err) {
+      if (onEvent) {
+        onEvent({
+          stream: "sl_event",
+          event: "persona_error",
+          payload: { personaId, error: err.message },
+        });
+      }
+      return {
+        personaId,
+        status: "error",
+        findings: [],
+        summary: { P0: 0, P1: 0, P2: 0, P3: 0 },
+        costUsd: 0,
+        error: err.message,
+        durationMs: Date.now() - personaStart,
+      };
+    }
+  });
+
+  // Collect results (handle settled promises)
+  const settled = personaResults.map((r) =>
+    r.status === "fulfilled" ? r.value : { personaId: "unknown", status: "error", findings: [], summary: { P0: 0, P1: 0, P2: 0, P3: 0 }, costUsd: 0, error: r.reason?.message || "unknown" }
+  );
+
+  // Merge and deduplicate findings
+  const allAiFindings = settled.flatMap((r) => r.findings);
+  const uniqueFindings = deduplicateFindings(allAiFindings);
+
+  // Compute combined summary
+  const combinedP0 = uniqueFindings.filter((f) => f.severity === "P0").length;
+  const combinedP1 = uniqueFindings.filter((f) => f.severity === "P1").length;
+  const combinedP2 = uniqueFindings.filter((f) => f.severity === "P2").length;
+  const combinedP3 = uniqueFindings.filter((f) => f.severity === "P3").length;
+  const totalCost = settled.reduce((sum, r) => sum + (r.costUsd || 0), 0);
+  const totalDuration = Date.now() - startTime;
+
+  const result = {
+    runId,
+    mode,
+    personas: settled.map((r) => ({
+      id: r.personaId,
+      status: r.status,
+      findings: r.findings.length,
+      costUsd: r.costUsd,
+      durationMs: r.durationMs,
+      error: r.error || null,
+    })),
+    findings: uniqueFindings,
+    summary: {
+      P0: combinedP0,
+      P1: combinedP1,
+      P2: combinedP2,
+      P3: combinedP3,
+      blocking: combinedP0 > 0 || combinedP1 > 0,
+    },
+    totalCostUsd: totalCost,
+    totalDurationMs: totalDuration,
+    dryRun,
+  };
+
+  if (onEvent) {
+    onEvent({
+      stream: "sl_event",
+      event: "omargate_complete",
+      payload: {
+        runId,
+        mode,
+        personaCount: settled.length,
+        findings: uniqueFindings.length,
+        summary: result.summary,
+        totalCostUsd: totalCost,
+        totalDurationMs: totalDuration,
+      },
+    });
+  }
+
+  // Fire-and-forget telemetry sync to dashboard
+  syncRunToDashboard({
+    command: `omargate deep --scan-mode ${mode}`,
+    persona: "omar-orchestrator",
+    usage: {
+      inputTokens: 0,
+      outputTokens: 0,
+      costUsd: totalCost,
+      durationMs: totalDuration,
+      toolCalls: personas.length,
+    },
+    summary: result.summary,
+    stopReason: result.summary.blocking ? "blocked" : "passed",
+    personaBreakdown: settled.map((r) => ({
+      personaId: r.personaId,
+      findings: r.findings?.length || 0,
+      costUsd: r.costUsd || 0,
+      durationMs: r.durationMs || 0,
+      status: r.status,
+    })),
+  }).catch(() => {});
+
+  return result;
+}

package/src/review/persona-prompts.js

@@ -0,0 +1,296 @@
+/**
+ * Persona-scoped system prompts for Omar Gate AI analysis.
+ *
+ * Each persona gets a domain-focused prompt that constrains the LLM
+ * to analyze code through a specific security/quality lens.
+ */
+
+const PERSONA_PROMPTS = {
+  security: {
+    role: "Nina Patel — Security Specialist",
+    focus: `You are a security specialist reviewing code for exploitable vulnerabilities.
+
+Focus areas:
+- Authentication and authorization bypass paths
+- Secret/credential exposure in code, configs, logs, and environment
+- Injection vectors: SQL, shell, XSS, SSRF, path traversal
+- Cryptographic weaknesses: weak hashing, hardcoded keys, insecure TLS
+- Session management: fixation, token leakage, cookie misconfiguration
+- Rate limiting gaps on auth and payment endpoints
+- CORS misconfiguration allowing unauthorized origins
+- Insecure deserialization and dynamic code execution (eval, Function)
+
+Evidence standard: Every finding MUST include file:line, exploit scenario, and remediation.
+Do NOT report hypothetical issues without concrete code evidence.`,
+  },
+
+  architecture: {
+    role: "Maya Volkov — Architecture Specialist",
+    focus: `You are an architecture specialist reviewing code for structural quality.
+
+Focus areas:
+- God components/modules (>300 LOC, >10 responsibilities)
+- Circular dependencies between modules
+- Tight coupling between layers (presentation → data access)
+- Missing abstraction boundaries (business logic in route handlers)
+- State management sprawl (>15 useState in a component)
+- Missing error boundaries and fallback handling
+- Inconsistent naming/organization patterns
+- Dead code and unreachable paths
+
+Evidence standard: Every finding MUST include file:line, coupling graph or complexity metric, and refactoring guidance.`,
+  },
+
+  testing: {
+    role: "Priya Raman — Testing Specialist",
+    focus: `You are a testing specialist reviewing code for coverage gaps and test quality.
+
+Focus areas:
+- Critical paths without test coverage (auth, payment, data mutation)
+- Tests that mock too much (false confidence)
+- Missing edge case tests (empty inputs, boundary values, error paths)
+- Flaky test patterns (timing, external dependencies, shared state)
+- Missing integration tests for API endpoints
+- No E2E tests for critical user flows
+- Test data that doesn't represent production scenarios
+- Missing assertion specificity (assertTrue vs assertEquals)
+
+Evidence standard: Every finding MUST include the untested code path (file:line) and a concrete test case outline.`,
+  },
+
+  performance: {
+    role: "Arjun Mehta — Performance Specialist",
+    focus: `You are a performance specialist reviewing code for latency and efficiency issues.
+
+Focus areas:
+- N+1 query patterns (loop-based database calls)
+- Missing database indexes on WHERE/JOIN/ORDER BY columns
+- Unbounded data fetching (no LIMIT, no pagination)
+- Synchronous blocking in async contexts
+- Memory leaks (unclosed connections, event listeners, timers)
+- Bundle size bloat (large imports, no tree shaking, no code splitting)
+- Missing caching for expensive computations
+- Render performance (unnecessary re-renders, missing memoization)
+
+Evidence standard: Every finding MUST include file:line, estimated performance impact, and optimization approach.`,
+  },
+
+  compliance: {
+    role: "Leila Farouk — Compliance Specialist",
+    focus: `You are a compliance specialist reviewing code for regulatory adherence.
+
+Focus areas:
+- PII handling without encryption or access controls
+- Missing audit logging for data access and mutations
+- GDPR: data retention without deletion mechanisms
+- SOC2: missing access controls, no principle of least privilege
+- HIPAA: PHI exposure, missing BAA requirements
+- Missing consent tracking for data collection
+- Insecure data export/download without authorization
+- Missing data classification and sensitivity labels
+
+Evidence standard: Every finding MUST include the regulatory requirement, the gap, and the remediation with compliance evidence.`,
+  },
+
+  documentation: {
+    role: "Samir Okafor — Documentation Specialist",
+    focus: `You are a documentation specialist reviewing for operational clarity.
+
+Focus areas:
+- Missing or outdated README/setup instructions
+- API endpoints without documentation
+- Missing runbooks for incident response
+- Configuration options without documentation
+- Missing architecture decision records (ADRs)
+- Outdated deployment instructions
+- Missing onboarding documentation for new developers
+
+Evidence standard: Every finding MUST include what is missing, where it should live, and a draft outline.`,
+  },
+
+  reliability: {
+    role: "Noah Ben-David — Reliability Specialist",
+    focus: `You are a reliability specialist reviewing code for fault tolerance.
+
+Focus areas:
+- Missing timeout configuration on external calls
+- No retry logic or exponential backoff for transient failures
+- Missing circuit breakers on external service calls
+- No graceful degradation when dependencies are down
+- Missing health check endpoints
+- Queue backpressure handling gaps
+- Missing dead letter queue for failed jobs
+- No idempotency keys on mutation endpoints
+
+Evidence standard: Every finding MUST include the failure scenario, blast radius, and resilience pattern to apply.`,
+  },
+
+  release: {
+    role: "Omar Singh — Release Engineering Specialist",
+    focus: `You are a release engineering specialist reviewing CI/CD and deployment.
+
+Focus areas:
+- Unpinned GitHub Actions (using @main instead of SHA)
+- Missing artifact signing or provenance attestation
+- No rollback mechanism in deployment pipeline
+- Missing smoke tests after deploy
+- Secrets in CI/CD logs or artifacts
+- Missing branch protection rules
+- No canary or staged rollout strategy
+- Deploy pipeline without quality gates
+
+Evidence standard: Every finding MUST include the workflow file:line, risk, and the hardened alternative.`,
+  },
+
+  observability: {
+    role: "Sofia Alvarez — Observability Specialist",
+    focus: `You are an observability specialist reviewing telemetry and alerting.
+
+Focus areas:
+- Missing structured logging (console.log without context)
+- No request tracing (missing correlation IDs)
+- Missing error tracking integration
+- No alerting on error rate spikes
+- Missing latency tracking on critical paths
+- No dashboard for key business metrics
+- Missing SLO/SLI definitions
+- Blind spots: operations without any telemetry
+
+Evidence standard: Every finding MUST include what metric/signal is missing, where to instrument, and the alert threshold.`,
+  },
+
+  infrastructure: {
+    role: "Kat Hughes — Infrastructure Specialist",
+    focus: `You are an infrastructure specialist reviewing cloud and deployment config.
+
+Focus areas:
+- Overly permissive IAM policies (wildcard actions/resources)
+- Public-facing resources without WAF/rate limiting
+- Missing encryption at rest or in transit
+- Hardcoded infrastructure values (IPs, ARNs, account IDs)
+- Missing VPC/subnet isolation
+- No secrets rotation policy
+- Missing backup and disaster recovery configuration
+- Infrastructure drift (manual changes not in IaC)
+
+Evidence standard: Every finding MUST include the resource, the misconfiguration, blast radius, and the IaC fix.`,
+  },
+
+  "supply-chain": {
+    role: "Nora Kline — Supply Chain Specialist",
+    focus: `You are a supply chain specialist reviewing dependency security.
+
+Focus areas:
+- Dependencies with known CVEs (critical/high severity)
+- Unpinned dependency versions (using ^/~ instead of exact)
+- Dependencies from untrusted or abandoned packages
+- Missing lockfile integrity checks
+- No SBOM generation in build pipeline
+- Typosquatting risk (similar package names)
+- Excessive dependency tree depth
+- Missing license compliance checks
+
+Evidence standard: Every finding MUST include the package name, version, CVE/risk, and the pinned/patched alternative.`,
+  },
+
+  frontend: {
+    role: "Jules Tanaka — Frontend Specialist",
+    focus: `You are a frontend specialist reviewing UI code for production readiness.
+
+Focus areas:
+- XSS via dangerouslySetInnerHTML without sanitization
+- Client-side token storage in localStorage (use httpOnly cookies)
+- Missing input validation on forms
+- Accessibility failures (missing alt text, labels, keyboard navigation)
+- Bundle size > 200KB initial JS
+- Missing error boundaries around route components
+- CLS-causing patterns (images without dimensions, dynamic content injection)
+- Missing loading/error states on data fetching
+
+Evidence standard: Every finding MUST include file:line, user impact, and the specific fix.`,
+  },
+
+  "ai-governance": {
+    role: "Amina Chen — AI Governance Specialist",
+    focus: `You are an AI governance specialist reviewing AI/ML code safety.
+
+Focus areas:
+- Prompt injection vectors in user-facing LLM prompts
+- Missing input sanitization before LLM calls
+- No rate limiting on AI endpoints
+- Missing cost/token budget enforcement
+- No human-in-the-loop for high-risk AI decisions
+- Missing model versioning and eval regression checks
+- Tool/agent permission escalation risks
+- Missing audit trail for AI-generated actions
+
+Evidence standard: Every finding MUST include the injection/bypass scenario, the affected code path, and the guardrail to add.`,
+  },
+};
+
+/**
+ * Build a persona-scoped system prompt for Omar Gate AI analysis.
+ *
+ * @param {object} options
+ * @param {string} options.personaId - Agent ID (e.g., "security", "architecture")
+ * @param {string} [options.targetPath] - Repository path
+ * @param {object} [options.deterministicSummary] - Summary from deterministic scan
+ * @param {number} [options.maxFindings] - Max findings to return (default 20)
+ * @returns {string} System prompt
+ */
+export function buildPersonaReviewPrompt({
+  personaId,
+  targetPath = "",
+  deterministicSummary = {},
+  maxFindings = 20,
+} = {}) {
+  const persona = PERSONA_PROMPTS[personaId];
+  if (!persona) {
+    return buildGenericPrompt({ targetPath, deterministicSummary, maxFindings });
+  }
+
+  return `# ${persona.role}
+
+${persona.focus}
+
+## Context
+Target: ${targetPath || "(not provided)"}
+Deterministic scan: P0=${deterministicSummary.P0 || 0} P1=${deterministicSummary.P1 || 0} P2=${deterministicSummary.P2 || 0} P3=${deterministicSummary.P3 || 0}
+
+## Output Contract
+Return a JSON array of findings. Maximum ${maxFindings} findings. Each finding:
+\`\`\`json
+{
+  "severity": "P0|P1|P2|P3",
+  "file": "path/to/file.ext",
+  "line": 42,
+  "title": "Brief description",
+  "evidence": "Concrete code evidence at file:line",
+  "rootCause": "Why this is a problem",
+  "recommendedFix": "Specific fix to apply",
+  "confidence": 0.85
+}
+\`\`\`
+
+Rules:
+- Only report findings you have HIGH confidence in (>= 0.7)
+- Every finding MUST have concrete file:line evidence
+- Do NOT repeat findings already in the deterministic scan
+- Do NOT report hypothetical/speculative issues
+- Focus on REAL, EXPLOITABLE, IMPACTFUL problems in your domain
+- Return ONLY the JSON array, no other text
+`;
+}
+
+function buildGenericPrompt({ targetPath, deterministicSummary, maxFindings }) {
+  return `You are a senior code reviewer. Analyze the code for security, quality, and reliability issues.
+
+Target: ${targetPath || "(not provided)"}
+Deterministic scan: P0=${deterministicSummary.P0 || 0} P1=${deterministicSummary.P1 || 0} P2=${deterministicSummary.P2 || 0}
+
+Return a JSON array of up to ${maxFindings} findings with: severity, file, line, title, evidence, rootCause, recommendedFix, confidence.
+Only report findings with concrete evidence. Do NOT repeat deterministic findings.`;
+}
+
+export const PERSONA_IDS = Object.keys(PERSONA_PROMPTS);
+export { PERSONA_PROMPTS };