sequant 1.11.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (66) hide show
  1. package/README.md +93 -7
  2. package/dist/bin/cli.js +12 -9
  3. package/dist/src/commands/doctor.js +25 -20
  4. package/dist/src/commands/init.js +152 -65
  5. package/dist/src/commands/logs.js +7 -6
  6. package/dist/src/commands/run.d.ts +13 -1
  7. package/dist/src/commands/run.js +75 -12
  8. package/dist/src/commands/stats.js +67 -48
  9. package/dist/src/commands/status.js +30 -12
  10. package/dist/src/index.d.ts +6 -0
  11. package/dist/src/index.js +4 -0
  12. package/dist/src/lib/ac-linter.d.ts +116 -0
  13. package/dist/src/lib/ac-linter.js +304 -0
  14. package/dist/src/lib/cli-ui.d.ts +196 -0
  15. package/dist/src/lib/cli-ui.js +544 -0
  16. package/dist/src/lib/content-analyzer.d.ts +89 -0
  17. package/dist/src/lib/content-analyzer.js +437 -0
  18. package/dist/src/lib/phase-signal.d.ts +94 -0
  19. package/dist/src/lib/phase-signal.js +171 -0
  20. package/dist/src/lib/plugin-version-sync.d.ts +26 -0
  21. package/dist/src/lib/plugin-version-sync.js +91 -0
  22. package/dist/src/lib/project-name.d.ts +40 -0
  23. package/dist/src/lib/project-name.js +191 -0
  24. package/dist/src/lib/semgrep.d.ts +136 -0
  25. package/dist/src/lib/semgrep.js +406 -0
  26. package/dist/src/lib/solve-comment-parser.d.ts +84 -0
  27. package/dist/src/lib/solve-comment-parser.js +200 -0
  28. package/dist/src/lib/stack-config.d.ts +51 -0
  29. package/dist/src/lib/stack-config.js +77 -0
  30. package/dist/src/lib/stacks.d.ts +66 -0
  31. package/dist/src/lib/stacks.js +332 -0
  32. package/dist/src/lib/templates.d.ts +2 -0
  33. package/dist/src/lib/templates.js +12 -3
  34. package/dist/src/lib/upstream/assessment.d.ts +70 -0
  35. package/dist/src/lib/upstream/assessment.js +385 -0
  36. package/dist/src/lib/upstream/index.d.ts +11 -0
  37. package/dist/src/lib/upstream/index.js +14 -0
  38. package/dist/src/lib/upstream/issues.d.ts +38 -0
  39. package/dist/src/lib/upstream/issues.js +267 -0
  40. package/dist/src/lib/upstream/relevance.d.ts +50 -0
  41. package/dist/src/lib/upstream/relevance.js +209 -0
  42. package/dist/src/lib/upstream/report.d.ts +29 -0
  43. package/dist/src/lib/upstream/report.js +391 -0
  44. package/dist/src/lib/upstream/types.d.ts +207 -0
  45. package/dist/src/lib/upstream/types.js +5 -0
  46. package/dist/src/lib/workflow/log-writer.d.ts +1 -1
  47. package/dist/src/lib/workflow/metrics-schema.d.ts +3 -3
  48. package/dist/src/lib/workflow/qa-cache.d.ts +199 -0
  49. package/dist/src/lib/workflow/qa-cache.js +440 -0
  50. package/dist/src/lib/workflow/run-log-schema.d.ts +34 -6
  51. package/dist/src/lib/workflow/run-log-schema.js +12 -1
  52. package/dist/src/lib/workflow/state-schema.d.ts +4 -4
  53. package/dist/src/lib/workflow/types.d.ts +4 -0
  54. package/package.json +6 -1
  55. package/templates/hooks/pre-tool.sh +6 -0
  56. package/templates/memory/constitution.md +1 -5
  57. package/templates/skills/_shared/references/prompt-templates.md +350 -0
  58. package/templates/skills/_shared/references/subagent-types.md +131 -0
  59. package/templates/skills/exec/SKILL.md +82 -0
  60. package/templates/skills/fullsolve/SKILL.md +19 -2
  61. package/templates/skills/loop/SKILL.md +3 -1
  62. package/templates/skills/qa/SKILL.md +79 -9
  63. package/templates/skills/qa/references/quality-gates.md +85 -1
  64. package/templates/skills/qa/references/semgrep-rules.md +207 -0
  65. package/templates/skills/qa/scripts/quality-checks.sh +525 -15
  66. package/templates/skills/spec/SKILL.md +322 -9
@@ -0,0 +1,207 @@
1
+ # Semgrep Integration Guide
2
+
3
+ This guide explains how to configure and use Semgrep static analysis in the `/qa` workflow.
4
+
5
+ ## Overview
6
+
7
+ Semgrep is a fast, open-source static analysis tool that finds bugs and enforces code standards. The `/qa` skill integrates Semgrep to automatically scan code changes for security vulnerabilities and anti-patterns.
8
+
9
+ ## Installation
10
+
11
+ Semgrep is **optional**. If not installed, the `/qa` skill will gracefully skip Semgrep analysis.
12
+
13
+ ### Install Semgrep
14
+
15
+ ```bash
16
+ # Using pip (recommended)
17
+ pip install semgrep
18
+
19
+ # Using Homebrew (macOS)
20
+ brew install semgrep
21
+
22
+ # Using npm (via npx - no install required)
23
+ npx semgrep --version
24
+ ```
25
+
26
+ ### Verify Installation
27
+
28
+ ```bash
29
+ semgrep --version
30
+ # Or
31
+ npx semgrep --version
32
+ ```
33
+
34
+ ## How It Works
35
+
36
+ 1. During `/qa`, the quality checks script detects if Semgrep is installed
37
+ 2. If installed, it runs Semgrep with stack-appropriate rulesets
38
+ 3. Findings are categorized by severity (critical, warning, info)
39
+ 4. Critical findings block the merge verdict (`AC_NOT_MET`)
40
+ 5. Warnings are noted but don't block merges
41
+
42
+ ## Default Rulesets
43
+
44
+ Semgrep uses stack-specific rulesets for targeted analysis:
45
+
46
+ | Stack | Rulesets Applied |
47
+ |-------|------------------|
48
+ | **Next.js** | p/typescript, p/javascript, p/react, p/security-audit, p/secrets |
49
+ | **Astro** | p/typescript, p/javascript, p/security-audit, p/secrets |
50
+ | **SvelteKit** | p/typescript, p/javascript, p/security-audit, p/secrets |
51
+ | **Remix** | p/typescript, p/javascript, p/react, p/security-audit, p/secrets |
52
+ | **Nuxt** | p/typescript, p/javascript, p/security-audit, p/secrets |
53
+ | **Python** | p/python, p/django, p/flask, p/security-audit, p/secrets |
54
+ | **Go** | p/golang, p/security-audit, p/secrets |
55
+ | **Rust** | p/rust, p/security-audit, p/secrets |
56
+ | **Generic** | p/security-audit, p/secrets |
57
+
58
+ ## Custom Rules
59
+
60
+ You can add project-specific rules by creating `.sequant/semgrep-rules.yaml` in your project root.
61
+
62
+ ### Getting Started
63
+
64
+ Copy the example template to your project:
65
+
66
+ ```bash
67
+ # Copy the example template
68
+ cp docs/examples/semgrep-rules.example.yaml .sequant/semgrep-rules.yaml
69
+ ```
70
+
71
+ ### Custom Rules File Location
72
+
73
+ ```
74
+ your-project/
75
+ ├── .sequant/
76
+ │ └── semgrep-rules.yaml # Your custom rules
77
+ ├── src/
78
+ └── package.json
79
+ ```
80
+
81
+ ### Example Custom Rules
82
+
83
+ ```yaml
84
+ rules:
85
+ # Prevent console.log in production code
86
+ - id: no-console-log
87
+ pattern: console.log(...)
88
+ message: "Remove console.log before merging"
89
+ severity: WARNING
90
+ languages: [typescript, javascript]
91
+ paths:
92
+ exclude:
93
+ - "**/*.test.*"
94
+ - "**/__tests__/**"
95
+
96
+ # Require explicit return types on exported functions
97
+ - id: explicit-return-type
98
+ pattern: |
99
+ export function $FUNC(...): $RET { ... }
100
+ pattern-not: |
101
+ export function $FUNC(...): void { ... }
102
+ message: "Exported functions should have explicit return types"
103
+ severity: INFO
104
+ languages: [typescript]
105
+
106
+ # Detect potential SQL injection
107
+ - id: sql-injection-risk
108
+ patterns:
109
+ - pattern: $DB.query($SQL + ...)
110
+ - pattern: $DB.query(`...${...}...`)
111
+ message: "Potential SQL injection - use parameterized queries"
112
+ severity: ERROR
113
+ languages: [typescript, javascript]
114
+
115
+ # Prevent hardcoded API keys
116
+ - id: no-hardcoded-api-key
117
+ pattern-regex: "(api[_-]?key|apikey|secret[_-]?key)\\s*[:=]\\s*['\"][^'\"]{8,}['\"]"
118
+ message: "Don't hardcode API keys - use environment variables"
119
+ severity: ERROR
120
+ languages: [typescript, javascript, python]
121
+ ```
122
+
123
+ ### Rule Severity Levels
124
+
125
+ | Severity | Verdict Impact | Description |
126
+ |----------|----------------|-------------|
127
+ | `ERROR` | **Blocking** | Critical issues that must be fixed |
128
+ | `WARNING` | Non-blocking | Issues that should be reviewed |
129
+ | `INFO` | Non-blocking | Style suggestions |
130
+
131
+ ## Running Semgrep Manually
132
+
133
+ You can run Semgrep manually using the provided script:
134
+
135
+ ```bash
136
+ # Scan entire project with auto-detected stack
137
+ npx tsx scripts/semgrep-scan.ts
138
+
139
+ # Scan only changed files (faster, recommended)
140
+ npx tsx scripts/semgrep-scan.ts --changed-only
141
+
142
+ # Scan specific directories
143
+ npx tsx scripts/semgrep-scan.ts src/api/ src/lib/
144
+
145
+ # Override detected stack
146
+ npx tsx scripts/semgrep-scan.ts --stack python
147
+
148
+ # Get JSON output
149
+ npx tsx scripts/semgrep-scan.ts --json > semgrep-results.json
150
+ ```
151
+
152
+ ## Interpreting Results
153
+
154
+ ### Clean Output
155
+
156
+ ```
157
+ ## Static Analysis (Semgrep)
158
+
159
+ ✅ No security issues found
160
+ ```
161
+
162
+ ### Issues Found
163
+
164
+ ```
165
+ ## Static Analysis (Semgrep)
166
+
167
+ ❌ 1 critical finding(s)
168
+ ⚠️ 2 warning(s)
169
+
170
+ ### ❌ Critical Issues
171
+
172
+ - `src/api/users.ts:47` - Potential SQL injection (user input in query) (security.sql-injection)
173
+
174
+ ### ⚠️ Warnings
175
+
176
+ - `src/utils/exec.ts:12` - Command injection risk (unsanitized shell arg) (security.command-injection)
177
+ - `src/lib/logger.ts:8` - Remove console.log before merging (custom.no-console-log)
178
+ ```
179
+
180
+ ## Troubleshooting
181
+
182
+ ### Semgrep Not Running
183
+
184
+ 1. Check if Semgrep is installed: `semgrep --version`
185
+ 2. If not installed, install it or use `npx semgrep`
186
+ 3. Check for error messages in the quality checks output
187
+
188
+ ### False Positives
189
+
190
+ If a rule produces false positives:
191
+
192
+ 1. Add a `# nosemgrep: rule-id` comment to ignore specific lines
193
+ 2. Create custom rules that exclude specific patterns
194
+ 3. Use path exclusions in your custom rules
195
+
196
+ ### Performance
197
+
198
+ - Semgrep only scans changed files by default (via `--changed-only`)
199
+ - Large codebases may take longer on first scan
200
+ - Results are not cached between runs
201
+
202
+ ## Resources
203
+
204
+ - [Semgrep Documentation](https://semgrep.dev/docs/)
205
+ - [Semgrep Rule Registry](https://semgrep.dev/r)
206
+ - [Writing Custom Rules](https://semgrep.dev/docs/writing-rules/overview/)
207
+ - [Rule Syntax Reference](https://semgrep.dev/docs/writing-rules/rule-syntax/)