sentinelayer-cli 0.8.0 → 0.8.2

package/src/agents/supply-chain/tools/attestation-check.js

@@ -0,0 +1,42 @@
+// attestation-check — advise when CI doesn't publish provenance (#A22).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { createFinding, toPosix, walkRepoFiles } from "./base.js";
+
+export async function runAttestationCheck({ rootPath } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  let hasRelease = false;
+  let hasAttestation = false;
+  for await (const { fullPath, relativePath } of walkRepoFiles({ rootPath: resolvedRoot })) {
+    const rel = toPosix(relativePath);
+    if (!/(^|\/)\.github\/workflows\//.test(rel)) continue;
+    let content;
+    try {
+      content = await fsp.readFile(fullPath, "utf-8");
+    } catch {
+      continue;
+    }
+    if (/(?:release|publish|deploy)/i.test(rel) || /npm\s+publish|docker\s+push|gh\s+release\s+create/.test(content)) {
+      hasRelease = true;
+    }
+    if (/actions\/attest-build-provenance|sigstore|cosign|slsa/i.test(content)) {
+      hasAttestation = true;
+    }
+  }
+  if (!hasRelease || hasAttestation) return [];
+  return [
+    createFinding({
+      tool: "attestation-check",
+      kind: "supply-chain.no-attestation",
+      severity: "P2",
+      file: "",
+      line: 0,
+      evidence: "Release / publish workflow found without any sigstore / cosign / SLSA provenance attestation",
+      rootCause: "Artifacts published without attestations can't be verified downstream. Attackers who compromise a maintainer account ship silently.",
+      recommendedFix: "Add actions/attest-build-provenance (GitHub) or cosign to the release workflow. Verify on install via cosign verify-blob / npm-audit-signatures.",
+      confidence: 0.6,
+    }),
+  ];
+}

package/src/agents/supply-chain/tools/base.js

@@ -0,0 +1,151 @@
+// Shared helpers for Nora's (supply-chain) domain tools (#A22).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+import process from "node:process";
+
+import ignore from "ignore";
+
+const DEFAULT_IGNORED_DIRS = new Set([
+  ".git",
+  "node_modules",
+  ".venv",
+  ".next",
+  "dist",
+  "build",
+  "coverage",
+  ".sentinelayer",
+  ".sentinel",
+  ".turbo",
+  ".idea",
+  ".vscode",
+  "__pycache__",
+  ".cache",
+]);
+const MAX_FILE_SIZE_BYTES = 1024 * 1024;
+const SEVERITIES = Object.freeze(["P0", "P1", "P2", "P3"]);
+
+export function toPosix(value) {
+  return String(value || "").replace(/\\/g, "/");
+}
+
+export function createFinding({
+  severity,
+  kind,
+  file,
+  line = 0,
+  evidence = "",
+  rootCause = "",
+  recommendedFix = "",
+  confidence = null,
+  tool = "",
+  persona = "supply-chain",
+} = {}) {
+  const normalizedSeverity = SEVERITIES.includes(String(severity || "").toUpperCase())
+    ? String(severity).toUpperCase()
+    : "P2";
+  return {
+    persona,
+    tool: String(tool || "").trim(),
+    kind: String(kind || "").trim() || "supply-chain",
+    severity: normalizedSeverity,
+    file: toPosix(file || ""),
+    line: Number.isFinite(Number(line)) ? Math.max(0, Math.floor(Number(line))) : 0,
+    evidence: String(evidence || "").trim().slice(0, 400),
+    rootCause: String(rootCause || "").trim(),
+    recommendedFix: String(recommendedFix || "").trim(),
+    confidence:
+      confidence === null || confidence === undefined
+        ? null
+        : Math.max(0, Math.min(1, Number(confidence) || 0)),
+  };
+}
+
+async function readIgnorePatterns(filePath) {
+  try {
+    const raw = await fsp.readFile(filePath, "utf-8");
+    return String(raw || "")
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line && !line.startsWith("#"));
+  } catch (err) {
+    if (err && typeof err === "object" && err.code === "ENOENT") {
+      return [];
+    }
+    throw err;
+  }
+}
+
+async function createIgnoreMatcher(rootPath) {
+  const matcher = ignore();
+  const gitignore = await readIgnorePatterns(path.join(rootPath, ".gitignore"));
+  const sentinel = await readIgnorePatterns(
+    path.join(rootPath, ".sentinelayerignore")
+  );
+  matcher.add([...gitignore, ...sentinel]);
+  return (relativePath, isDirectory) => {
+    const normalized = toPosix(relativePath);
+    if (!normalized) {
+      return false;
+    }
+    const candidate = isDirectory ? `${normalized}/` : normalized;
+    return matcher.ignores(candidate);
+  };
+}
+
+export async function* walkRepoFiles({
+  rootPath = process.cwd(),
+  extensions = new Set(),
+  maxFileSize = MAX_FILE_SIZE_BYTES,
+} = {}) {
+  const resolvedRoot = path.resolve(rootPath);
+  const ignoreMatcher = await createIgnoreMatcher(resolvedRoot);
+  const wantedExtensions =
+    extensions instanceof Set
+      ? extensions
+      : new Set(Array.isArray(extensions) ? extensions : []);
+  const stack = [resolvedRoot];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    let entries = [];
+    try {
+      entries = await fsp.readdir(current, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const fullPath = path.join(current, entry.name);
+      const relativePath = toPosix(path.relative(resolvedRoot, fullPath));
+      if (entry.isDirectory()) {
+        if (!relativePath || DEFAULT_IGNORED_DIRS.has(entry.name)) {
+          continue;
+        }
+        if (ignoreMatcher(relativePath, true)) {
+          continue;
+        }
+        stack.push(fullPath);
+        continue;
+      }
+      if (!entry.isFile()) {
+        continue;
+      }
+      if (ignoreMatcher(relativePath, false)) {
+        continue;
+      }
+      const ext = path.extname(entry.name).toLowerCase();
+      if (wantedExtensions.size > 0 && !wantedExtensions.has(ext) && !wantedExtensions.has("")) {
+        continue;
+      }
+      let stat = null;
+      try {
+        stat = await fsp.stat(fullPath);
+      } catch {
+        stat = null;
+      }
+      if (!stat || stat.size > maxFileSize) {
+        continue;
+      }
+      yield { fullPath, relativePath };
+    }
+  }
+}

package/src/agents/supply-chain/tools/index.js

@@ -0,0 +1,52 @@
+// Nora (supply-chain persona) domain-tool registry (#A22).
+
+import { runAttestationCheck } from "./attestation-check.js";
+import { runLockfileIntegrity } from "./lockfile-integrity.js";
+import { runPackageVerify } from "./package-verify.js";
+import { runSbomDiff } from "./sbom-diff.js";
+
+export const SUPPLY_CHAIN_TOOLS = Object.freeze({
+  "sbom-diff": {
+    id: "sbom-diff",
+    description: "Advise when project has a manifest but no SBOM (CycloneDX / SPDX) checked in.",
+    schema: { type: "object", properties: { rootPath: { type: "string" } } },
+    handler: runSbomDiff,
+  },
+  "package-verify": {
+    id: "package-verify",
+    description: "Flag package.json deps pinned to git URLs, file: paths, or wildcards.",
+    schema: { type: "object", properties: { rootPath: { type: "string" } } },
+    handler: runPackageVerify,
+  },
+  "attestation-check": {
+    id: "attestation-check",
+    description: "Advise when a release / publish workflow ships artifacts without sigstore / cosign / SLSA provenance.",
+    schema: { type: "object", properties: { rootPath: { type: "string" } } },
+    handler: runAttestationCheck,
+  },
+  "lockfile-integrity": {
+    id: "lockfile-integrity",
+    description: "Verify every non-private package.json has a colocated lockfile at a modern version.",
+    schema: { type: "object", properties: { rootPath: { type: "string" } } },
+    handler: runLockfileIntegrity,
+  },
+});
+
+export const SUPPLY_CHAIN_TOOL_IDS = Object.freeze(Object.keys(SUPPLY_CHAIN_TOOLS));
+
+export async function dispatchSupplyChainTool(toolId, args = {}) {
+  const tool = SUPPLY_CHAIN_TOOLS[toolId];
+  if (!tool) throw new Error(`Unknown supply-chain tool: ${toolId}`);
+  return tool.handler(args);
+}
+
+export async function runAllSupplyChainTools({ rootPath, files = null } = {}) {
+  const findings = [];
+  for (const toolId of SUPPLY_CHAIN_TOOL_IDS) {
+    const out = await dispatchSupplyChainTool(toolId, { rootPath, files });
+    findings.push(...out);
+  }
+  return findings;
+}
+
+export { runAttestationCheck, runLockfileIntegrity, runPackageVerify, runSbomDiff };

package/src/agents/supply-chain/tools/lockfile-integrity.js

@@ -0,0 +1,73 @@
+// lockfile-integrity — verify lockfile shape (#A22).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { createFinding, toPosix, walkRepoFiles } from "./base.js";
+
+export async function runLockfileIntegrity({ rootPath } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  const findings = [];
+  const manifestsByDir = new Map();
+  const lockfilesByDir = new Map();
+  for await (const { fullPath, relativePath } of walkRepoFiles({ rootPath: resolvedRoot })) {
+    const rel = toPosix(relativePath);
+    const dir = path.posix.dirname(rel);
+    if (/(^|\/)package\.json$/.test(rel)) {
+      try {
+        const raw = await fsp.readFile(fullPath, "utf-8");
+        manifestsByDir.set(dir, { fullPath, rel, parsed: JSON.parse(raw) });
+      } catch {
+        /* bad JSON — skip */
+      }
+    }
+    if (/(^|\/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$/.test(rel)) {
+      lockfilesByDir.set(dir, { fullPath, rel });
+    }
+  }
+  for (const [dir, manifest] of manifestsByDir) {
+    if (manifest.parsed?.private === true) continue;
+    const lockfile = lockfilesByDir.get(dir);
+    if (!lockfile) {
+      findings.push(
+        createFinding({
+          tool: "lockfile-integrity",
+          kind: "supply-chain.no-lockfile",
+          severity: "P1",
+          file: manifest.rel,
+          line: 0,
+          evidence: `package.json in ${dir}/ has no colocated lockfile`,
+          rootCause: "Without a lockfile every install resolves dependencies freshly — non-reproducible builds and open to dependency-confusion attacks.",
+          recommendedFix: "Commit package-lock.json (npm 7+), yarn.lock, or pnpm-lock.yaml. Run `npm ci` / `yarn install --frozen-lockfile` / `pnpm install --frozen-lockfile` in CI.",
+          confidence: 0.95,
+        })
+      );
+      continue;
+    }
+    // Quick shape check on package-lock.json
+    if (/package-lock\.json$/.test(lockfile.rel)) {
+      try {
+        const raw = await fsp.readFile(lockfile.fullPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!parsed.lockfileVersion || parsed.lockfileVersion < 2) {
+          findings.push(
+            createFinding({
+              tool: "lockfile-integrity",
+              kind: "supply-chain.stale-lockfile-version",
+              severity: "P2",
+              file: lockfile.rel,
+              line: 0,
+              evidence: `lockfileVersion = ${parsed.lockfileVersion}`,
+              rootCause: "npm lockfileVersion < 2 misses integrity hashes for nested deps and is incompatible with modern npm.",
+              recommendedFix: "Run `npm install` with npm 7+ to regenerate the lockfile at version 3.",
+              confidence: 0.85,
+            })
+          );
+        }
+      } catch {
+        /* malformed lockfile — skip */
+      }
+    }
+  }
+  return findings;
+}

package/src/agents/supply-chain/tools/package-verify.js

@@ -0,0 +1,56 @@
+// package-verify — flag packages pinned to suspicious versions (#A22).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { createFinding, toPosix, walkRepoFiles } from "./base.js";
+
+const SUSPICIOUS_VERSION_PATTERNS = [
+  { pattern: /^(?:github|git)[:+]/i, reason: "installed directly from a git URL" },
+  { pattern: /^file:/i, reason: "installed from a local file path" },
+  { pattern: /^\*$/, reason: "wildcard version (pins to any release)" },
+];
+
+export async function runPackageVerify({ rootPath } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  const findings = [];
+  for await (const { fullPath, relativePath } of walkRepoFiles({ rootPath: resolvedRoot, extensions: new Set([".json"]) })) {
+    if (!/(^|\/)package\.json$/.test(toPosix(relativePath))) continue;
+    let raw;
+    try {
+      raw = await fsp.readFile(fullPath, "utf-8");
+    } catch {
+      continue;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      continue;
+    }
+    for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
+      const deps = parsed?.[field];
+      if (!deps || typeof deps !== "object") continue;
+      for (const [name, version] of Object.entries(deps)) {
+        for (const rule of SUSPICIOUS_VERSION_PATTERNS) {
+          if (rule.pattern.test(String(version))) {
+            findings.push(
+              createFinding({
+                tool: "package-verify",
+                kind: "supply-chain.unpinned-dep",
+                severity: rule.reason.includes("wildcard") ? "P1" : "P2",
+                file: toPosix(relativePath),
+                line: 0,
+                evidence: `"${name}": "${version}" — ${rule.reason}`,
+                rootCause: "Dependencies pinned to unverifiable sources (git URLs, local paths, wildcards) mean the install graph is non-reproducible and potentially unaudited.",
+                recommendedFix: "Pin to a registry version (semver range or exact). If you truly need a git dep, pin to a commit SHA and mirror through a private registry.",
+                confidence: 0.75,
+              })
+            );
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}

package/src/agents/supply-chain/tools/sbom-diff.js

@@ -0,0 +1,34 @@
+// sbom-diff — advise when no SBOM is generated (#A22).
+
+import path from "node:path";
+
+import { createFinding, toPosix, walkRepoFiles } from "./base.js";
+
+export async function runSbomDiff({ rootPath } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  let hasManifest = false;
+  let hasSbom = false;
+  for await (const { relativePath } of walkRepoFiles({ rootPath: resolvedRoot })) {
+    const rel = toPosix(relativePath);
+    if (/(^|\/)(package\.json|requirements\.txt|pyproject\.toml|go\.mod|Cargo\.toml|Gemfile)$/i.test(rel)) {
+      hasManifest = true;
+    }
+    if (/(^|\/)(sbom|bom)\.(xml|json|spdx|spdx\.json|cdx\.json)$/i.test(rel) || /cyclonedx|spdx/i.test(rel)) {
+      hasSbom = true;
+    }
+  }
+  if (!hasManifest || hasSbom) return [];
+  return [
+    createFinding({
+      tool: "sbom-diff",
+      kind: "supply-chain.no-sbom",
+      severity: "P2",
+      file: "",
+      line: 0,
+      evidence: "Project manifest present but no SBOM (CycloneDX / SPDX) checked in",
+      rootCause: "Without an SBOM, consumers of the build can't verify what they're running. Compliance regimes (EO 14028, CRA) increasingly require one.",
+      recommendedFix: "Generate SBOM in CI via syft or cyclonedx-bom and attach to every release. Commit an example (sbom.cdx.json) so reviewers can diff.",
+      confidence: 0.55,
+    }),
+  ];
+}

package/src/agents/testing/index.js

@@ -0,0 +1,12 @@
+// Priya (testing persona) — barrel export (#A15).
+
+export {
+  TESTING_TOOLS,
+  TESTING_TOOL_IDS,
+  dispatchTestingTool,
+  runAllTestingTools,
+  runCoverageGap,
+  runFlakeDetect,
+  runMutationTest,
+  runSnapshotDiff,
+} from "./tools/index.js";

package/src/agents/testing/tools/base.js

@@ -0,0 +1,202 @@
+// Shared helpers for Priya's (testing) domain tools (#A15).
+// Same pattern as security/tools/base.js and backend/tools/base.js — default
+// persona is "testing". Later refactor (#A25+) can hoist to shared-tools/.
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+import process from "node:process";
+
+import ignore from "ignore";
+
+const DEFAULT_IGNORED_DIRS = new Set([
+  ".git",
+  "node_modules",
+  ".venv",
+  ".next",
+  "dist",
+  "build",
+  "coverage",
+  ".sentinelayer",
+  ".sentinel",
+  ".turbo",
+  ".idea",
+  ".vscode",
+  "__pycache__",
+  ".cache",
+]);
+const MAX_FILE_SIZE_BYTES = 1024 * 1024;
+const SEVERITIES = Object.freeze(["P0", "P1", "P2", "P3"]);
+
+export function toPosix(value) {
+  return String(value || "").replace(/\\/g, "/");
+}
+
+export function normalizeSeverity(value) {
+  const normalized = String(value || "").trim().toUpperCase();
+  if (SEVERITIES.includes(normalized)) {
+    return normalized;
+  }
+  return "P2";
+}
+
+export function createFinding({
+  severity,
+  kind,
+  file,
+  line = 0,
+  evidence = "",
+  rootCause = "",
+  recommendedFix = "",
+  confidence = null,
+  tool = "",
+  persona = "testing",
+} = {}) {
+  return {
+    persona,
+    tool: String(tool || "").trim(),
+    kind: String(kind || "").trim() || "testing",
+    severity: normalizeSeverity(severity),
+    file: toPosix(file || ""),
+    line: Number.isFinite(Number(line)) ? Math.max(0, Math.floor(Number(line))) : 0,
+    evidence: String(evidence || "").trim().slice(0, 400),
+    rootCause: String(rootCause || "").trim(),
+    recommendedFix: String(recommendedFix || "").trim(),
+    confidence:
+      confidence === null || confidence === undefined
+        ? null
+        : Math.max(0, Math.min(1, Number(confidence) || 0)),
+  };
+}
+
+async function readIgnorePatterns(filePath) {
+  try {
+    const raw = await fsp.readFile(filePath, "utf-8");
+    return String(raw || "")
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line && !line.startsWith("#"));
+  } catch (err) {
+    if (err && typeof err === "object" && err.code === "ENOENT") {
+      return [];
+    }
+    throw err;
+  }
+}
+
+async function createIgnoreMatcher(rootPath) {
+  const matcher = ignore();
+  const gitignore = await readIgnorePatterns(path.join(rootPath, ".gitignore"));
+  const sentinel = await readIgnorePatterns(
+    path.join(rootPath, ".sentinelayerignore")
+  );
+  matcher.add([...gitignore, ...sentinel]);
+  return (relativePath, isDirectory) => {
+    const normalized = toPosix(relativePath);
+    if (!normalized) {
+      return false;
+    }
+    const candidate = isDirectory ? `${normalized}/` : normalized;
+    return matcher.ignores(candidate);
+  };
+}
+
+export async function* walkRepoFiles({
+  rootPath = process.cwd(),
+  extensions = new Set(),
+  maxFileSize = MAX_FILE_SIZE_BYTES,
+} = {}) {
+  const resolvedRoot = path.resolve(rootPath);
+  const ignoreMatcher = await createIgnoreMatcher(resolvedRoot);
+  const wantedExtensions =
+    extensions instanceof Set
+      ? extensions
+      : new Set(Array.isArray(extensions) ? extensions : []);
+  const stack = [resolvedRoot];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    let entries = [];
+    try {
+      entries = await fsp.readdir(current, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const fullPath = path.join(current, entry.name);
+      const relativePath = toPosix(path.relative(resolvedRoot, fullPath));
+      if (entry.isDirectory()) {
+        if (!relativePath || DEFAULT_IGNORED_DIRS.has(entry.name)) {
+          continue;
+        }
+        if (ignoreMatcher(relativePath, true)) {
+          continue;
+        }
+        stack.push(fullPath);
+        continue;
+      }
+      if (!entry.isFile()) {
+        continue;
+      }
+      if (ignoreMatcher(relativePath, false)) {
+        continue;
+      }
+      const ext = path.extname(entry.name).toLowerCase();
+      if (wantedExtensions.size > 0 && !wantedExtensions.has(ext) && !wantedExtensions.has("")) {
+        continue;
+      }
+      let stat = null;
+      try {
+        stat = await fsp.stat(fullPath);
+      } catch {
+        stat = null;
+      }
+      if (!stat || stat.size > maxFileSize) {
+        continue;
+      }
+      yield { fullPath, relativePath, stat };
+    }
+  }
+}
+
+export function findLineMatches(content, pattern) {
+  const text = String(content || "");
+  if (!pattern) {
+    return [];
+  }
+  const global = new RegExp(
+    pattern.source,
+    pattern.flags.includes("g") ? pattern.flags : `${pattern.flags}g`
+  );
+  const matches = [];
+  let match;
+  while ((match = global.exec(text)) !== null) {
+    const lineIndex = text.slice(0, match.index).split(/\r?\n/).length;
+    matches.push({
+      index: match.index,
+      line: lineIndex,
+      match: match[0],
+    });
+  }
+  return matches;
+}
+
+export function getLineContent(content, line) {
+  const lines = String(content || "").split(/\r?\n/);
+  return (lines[Math.max(0, (Number(line) || 1) - 1)] || "").trim();
+}
+
+const TEST_FILE_PATTERNS = [
+  /\.test\.(js|jsx|ts|tsx|mjs|cjs)$/,
+  /\.spec\.(js|jsx|ts|tsx|mjs|cjs)$/,
+  /(^|\/)tests?\//,
+  /(^|\/)__tests__\//,
+  /_test\.py$/,
+  /\.test\.py$/,
+  /(^|\/)tests?\/[^/]*\.py$/,
+];
+
+export function isTestFile(relativePath) {
+  const normalized = toPosix(relativePath);
+  return TEST_FILE_PATTERNS.some((pattern) => pattern.test(normalized));
+}
+
+export { DEFAULT_IGNORED_DIRS, MAX_FILE_SIZE_BYTES, SEVERITIES };