sertivibed 0.1.0

package/dist/scan.js

@@ -0,0 +1,278 @@
+"use strict";
+/**
+ * Sertivibed Scanner
+ *
+ * Hovedlogikk for å kjøre regler og samle claims.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RULES = void 0;
+exports.scan = scan;
+const types_1 = require("./types");
+const index_1 = require("./rules/index");
+const rg_1 = require("./utils/rg");
+const fs_1 = require("./utils/fs");
+// ============================================
+// MAIN SCAN FUNCTION
+// ============================================
+async function scan(config) {
+    const startTime = Date.now();
+    const { targetPath, verbose } = config;
+    if (verbose)
+        console.log(`🔍 Scanning ${targetPath}...`);
+    // Detect project
+    const project = (0, fs_1.detectProject)(targetPath);
+    if (verbose)
+        console.log(`📦 Project: ${project.name} (${project.stack.join(", ")})`);
+    // Discover files
+    const allFiles = (0, fs_1.discoverFiles)(targetPath);
+    if (verbose)
+        console.log(`📁 Found ${allFiles.length} files to analyze`);
+    // Run all rules
+    const claims = [];
+    const rulesChecked = [];
+    const rulesSkipped = [];
+    for (const rule of index_1.RULES) {
+        // Skip RLS rules for Prisma projects without Supabase
+        // Prisma handles authorization differently (API routes, middleware)
+        if (rule.category === "RLS" && project.hasPrisma && !project.hasSupabase) {
+            if (verbose)
+                console.log(`  ⏭️  Skipping ${rule.id}: Prisma project (RLS not applicable)`);
+            rulesSkipped.push({
+                ruleId: rule.id,
+                reason: "Prisma detected - check API authorization instead"
+            });
+            continue;
+        }
+        if (verbose)
+            console.log(`  ⏳ Checking ${rule.id}: ${rule.title}`);
+        const ruleClaims = runRule(rule, targetPath, verbose);
+        claims.push(...ruleClaims);
+        rulesChecked.push(rule.id);
+        if (verbose && ruleClaims.length > 0) {
+            console.log(`  ⚠️  Found ${ruleClaims.length} issue(s)`);
+        }
+    }
+    // Add info claim for Prisma projects
+    if (project.hasPrisma && !project.hasSupabase && rulesSkipped.length > 0) {
+        claims.push({
+            ruleId: "INFO001",
+            title: "Prisma-prosjekt oppdaget",
+            category: "RLS",
+            severity: "INFO",
+            impactType: "info_leak",
+            statement: `RLS-regler hoppet over. Prisma bruker ikke Row Level Security. Sjekk autorisasjon i API-ruter og middleware.`,
+            evidence: [],
+            verificationSteps: [
+                "Sjekk at alle API-ruter validerer brukerens tilgang",
+                "Verifiser at middleware beskytter sensitive ruter",
+                "Sjekk Prisma queries for proper filtering på user_id"
+            ],
+            fixHint: "Implementer autorisasjonssjekker i API-ruter: if (session.user.id !== resource.userId) throw new Error('Unauthorized')",
+        });
+    }
+    // Sort claims by severity
+    claims.sort((a, b) => types_1.SEVERITY_ORDER[b.severity] - types_1.SEVERITY_ORDER[a.severity]);
+    // Build result
+    const meta = {
+        projectName: project.name,
+        projectPath: targetPath,
+        stack: project.stack,
+        scannedAt: new Date().toISOString(),
+        certivibeVersion: "0.1.0",
+        rulesVersion: "0.1.0",
+        totalFilesScanned: allFiles.length,
+        scanDurationMs: Date.now() - startTime,
+    };
+    const summary = buildSummary(claims, rulesChecked.length);
+    return {
+        meta,
+        summary,
+        claims,
+        rulesChecked,
+        rulesSkipped,
+    };
+}
+// ============================================
+// RULE EXECUTION
+// ============================================
+function runRule(rule, cwd, verbose) {
+    switch (rule.kind) {
+        case "presence":
+            return runPresenceRule(rule, cwd);
+        case "absence":
+            return runAbsenceRule(rule, cwd);
+        case "correlation":
+            return runCorrelationRule(rule, cwd, verbose);
+        default:
+            return [];
+    }
+}
+/**
+ * Presence rule: Problem hvis pattern FINNES
+ */
+function runPresenceRule(rule, cwd) {
+    if (!rule.pattern)
+        return [];
+    const result = (0, rg_1.search)({
+        pattern: rule.pattern,
+        paths: rule.paths,
+        cwd,
+    });
+    if (!result.found)
+        return [];
+    // Dedupliser på fil (ikke rapporter samme fil flere ganger)
+    const seenFiles = new Set();
+    const uniqueMatches = [];
+    for (const match of result.matches) {
+        if (!seenFiles.has(match.path)) {
+            seenFiles.add(match.path);
+            // Hent utvidet kontekst
+            match.snippet = (0, rg_1.getExpandedContext)(cwd, match.path, match.lineStart + 2);
+            uniqueMatches.push(match);
+        }
+    }
+    if (uniqueMatches.length === 0)
+        return [];
+    return [{
+            ruleId: rule.id,
+            title: rule.title,
+            category: rule.category,
+            severity: rule.severity,
+            impactType: rule.impactType,
+            statement: `Fant ${uniqueMatches.length} forekomst(er) av potensielt problematisk mønster.`,
+            evidence: uniqueMatches,
+            verificationSteps: [
+                `Søk etter pattern: ${rule.pattern}`,
+                `Sjekk filene: ${uniqueMatches.map(m => m.path).join(", ")}`,
+                "Vurder om dette er intendert bruk eller et sikkerhetsproblem."
+            ],
+            fixHint: rule.fixHint,
+        }];
+}
+/**
+ * Absence rule: Problem hvis pattern MANGLER
+ */
+function runAbsenceRule(rule, cwd) {
+    if (!rule.pattern)
+        return [];
+    // Sjekk først om relevante filer finnes
+    const sqlFiles = (0, fs_1.findSqlFiles)(cwd);
+    if (sqlFiles.length === 0 && rule.category === "RLS") {
+        // Ingen SQL-filer, kan ikke sjekke RLS
+        return [];
+    }
+    const result = (0, rg_1.search)({
+        pattern: rule.pattern,
+        paths: rule.paths,
+        cwd,
+    });
+    // Hvis pattern finnes, ingen problem
+    if (result.found)
+        return [];
+    // Pattern mangler - dette er et funn
+    return [{
+            ruleId: rule.id,
+            title: rule.title,
+            category: rule.category,
+            severity: rule.severity,
+            impactType: rule.impactType,
+            statement: `Forventet mønster ble ikke funnet: ${rule.pattern}`,
+            evidence: [], // Ingen evidence for absence
+            verificationSteps: [
+                `Søk etter: ${rule.pattern}`,
+                `I filer som matcher: ${rule.paths.join(", ")}`,
+                "Hvis du ikke finner det, er funnet bekreftet."
+            ],
+            fixHint: rule.fixHint,
+        }];
+}
+/**
+ * Correlation rule: Problem hvis kode finnes MEN SQL mangler
+ */
+function runCorrelationRule(rule, cwd, verbose) {
+    if (!rule.correlate)
+        return [];
+    const { codePattern, codePaths, sqlPattern, sqlPaths, condition } = rule.correlate;
+    // Steg 1: Finn kode som bruker funksjonaliteten
+    const codeResult = (0, rg_1.search)({
+        pattern: codePattern,
+        paths: codePaths,
+        cwd,
+    });
+    if (!codeResult.found) {
+        // Koden bruker ikke denne funksjonaliteten, ingen problem
+        if (verbose)
+            console.log(`    ℹ️  No code using pattern: ${codePattern}`);
+        return [];
+    }
+    // Steg 2: Sjekk om SQL-pattern finnes
+    const sqlResult = (0, rg_1.search)({
+        pattern: sqlPattern,
+        paths: sqlPaths,
+        cwd,
+    });
+    if (condition === "code_without_sql" && !sqlResult.found) {
+        // Koden bruker funksjonaliteten, men SQL mangler
+        const codeEvidence = codeResult.matches.map(m => ({
+            ...m,
+            snippet: (0, rg_1.getExpandedContext)(cwd, m.path, m.lineStart + 2),
+        }));
+        return [{
+                ruleId: rule.id,
+                title: rule.title,
+                category: rule.category,
+                severity: rule.severity,
+                impactType: rule.impactType,
+                statement: `Koden bruker ${codePattern} men tilsvarende ${sqlPattern} mangler i SQL.`,
+                evidence: codeEvidence,
+                verificationSteps: [
+                    `1. Bekreft at koden bruker: ${codePattern}`,
+                    `2. Søk etter: ${sqlPattern} i SQL-filer`,
+                    "3. Hvis SQL-pattern mangler, er funnet bekreftet."
+                ],
+                fixHint: rule.fixHint,
+                correlationDetails: {
+                    codeEvidence,
+                    sqlMissing: sqlPattern,
+                },
+            }];
+    }
+    return [];
+}
+// ============================================
+// SUMMARY BUILDING
+// ============================================
+function buildSummary(claims, rulesChecked) {
+    const bySeverity = {
+        INFO: 0,
+        LOW: 0,
+        MEDIUM: 0,
+        HIGH: 0,
+        CRITICAL: 0,
+    };
+    const byCategory = {
+        RLS: 0,
+        AUTH: 0,
+        XSS: 0,
+        SECRETS: 0,
+        PRIVACY: 0,
+        STORAGE: 0,
+        CONFIG: 0,
+    };
+    for (const claim of claims) {
+        bySeverity[claim.severity]++;
+        byCategory[claim.category]++;
+    }
+    return {
+        total: claims.length,
+        bySeverity,
+        byCategory,
+        passed: rulesChecked - claims.length,
+        failed: claims.length,
+    };
+}
+// ============================================
+// EXPORTS
+// ============================================
+var index_2 = require("./rules/index");
+Object.defineProperty(exports, "RULES", { enumerable: true, get: function () { return index_2.RULES; } });

package/dist/types.d.ts

@@ -0,0 +1,120 @@
+/**
+ * Sertivibed Types
+ *
+ * Datamodeller for scanning, regler, claims og rapporter.
+ */
+export type Severity = "INFO" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+export declare const SEVERITY_ORDER: Record<Severity, number>;
+export type Category = "RLS" | "AUTH" | "XSS" | "SECRETS" | "PRIVACY" | "STORAGE" | "CONFIG";
+export type RuleKind = "presence" | "absence" | "correlation";
+export interface Rule {
+    id: string;
+    title: string;
+    category: Category;
+    severity: Severity;
+    kind: RuleKind;
+    pattern?: string;
+    paths: string[];
+    correlate?: {
+        codePattern: string;
+        codePaths: string[];
+        sqlPattern: string;
+        sqlPaths: string[];
+        condition: "code_without_sql";
+    };
+    rationale: string;
+    fixHint: string;
+    impactType: ImpactType;
+}
+export type ImpactType = "data_exposure" | "privilege_escalation" | "functional_break" | "info_leak";
+export interface Evidence {
+    path: string;
+    lineStart: number;
+    lineEnd: number;
+    snippet: string;
+    matchText?: string;
+}
+export interface Claim {
+    ruleId: string;
+    title: string;
+    category: Category;
+    severity: Severity;
+    impactType: ImpactType;
+    statement: string;
+    evidence: Evidence[];
+    verificationSteps: string[];
+    fixHint: string;
+    correlationDetails?: {
+        codeEvidence: Evidence[];
+        sqlMissing: string;
+    };
+}
+export interface ScanMeta {
+    projectName: string;
+    projectPath: string;
+    stack: string[];
+    scannedAt: string;
+    certivibeVersion: string;
+    rulesVersion: string;
+    totalFilesScanned: number;
+    scanDurationMs: number;
+}
+export interface ScanSummary {
+    total: number;
+    bySeverity: Record<Severity, number>;
+    byCategory: Record<Category, number>;
+    passed: number;
+    failed: number;
+}
+export interface SkippedRule {
+    ruleId: string;
+    reason: string;
+}
+export interface ScanResult {
+    meta: ScanMeta;
+    summary: ScanSummary;
+    claims: Claim[];
+    rulesChecked: string[];
+    rulesSkipped: SkippedRule[];
+}
+export interface RgMatch {
+    type: "match";
+    data: {
+        path: {
+            text: string;
+        };
+        lines: {
+            text: string;
+        };
+        line_number: number;
+        submatches: Array<{
+            match: {
+                text: string;
+            };
+            start: number;
+            end: number;
+        }>;
+    };
+}
+export interface RgSummary {
+    type: "summary";
+    data: {
+        stats: {
+            matches: number;
+            searches: number;
+        };
+    };
+}
+export type RgOutput = RgMatch | RgSummary | {
+    type: string;
+};
+export interface ScanConfig {
+    targetPath: string;
+    includePaths?: string[];
+    excludePaths?: string[];
+    failOn?: Severity;
+    outputJson?: string;
+    outputMd?: string;
+    verbose?: boolean;
+    quiet?: boolean;
+}

package/dist/types.js

@@ -0,0 +1,15 @@
+"use strict";
+/**
+ * Sertivibed Types
+ *
+ * Datamodeller for scanning, regler, claims og rapporter.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SEVERITY_ORDER = void 0;
+exports.SEVERITY_ORDER = {
+    INFO: 0,
+    LOW: 1,
+    MEDIUM: 2,
+    HIGH: 3,
+    CRITICAL: 4,
+};

package/dist/utils/fs.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Filesystem Utilities
+ *
+ * Hjelpefunksjoner for å jobbe med filer og prosjektstruktur.
+ */
+export interface ProjectInfo {
+    name: string;
+    path: string;
+    stack: string[];
+    hasSupabase: boolean;
+    hasNextJs: boolean;
+    hasReact: boolean;
+    hasVite: boolean;
+    hasPrisma: boolean;
+}
+export declare function detectProject(projectPath: string): ProjectInfo;
+export interface FileInfo {
+    path: string;
+    relativePath: string;
+    extension: string;
+    size: number;
+}
+export declare function discoverFiles(projectPath: string, extensions?: Set<string>): FileInfo[];
+export declare function readFile(filePath: string): string | null;
+export declare function fileExists(filePath: string): boolean;
+export declare function getLines(filePath: string, startLine: number, endLine: number): string[];
+export declare function findSqlFiles(projectPath: string): string[];
+export declare function findSourceFiles(projectPath: string): string[];
+export interface TableInfo {
+    name: string;
+    file: string;
+    hasRls: boolean;
+    policies: string[];
+}
+export declare function extractTables(sqlContent: string, fileName: string): TableInfo[];

package/dist/utils/fs.js

@@ -0,0 +1,195 @@
+"use strict";
+/**
+ * Filesystem Utilities
+ *
+ * Hjelpefunksjoner for å jobbe med filer og prosjektstruktur.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectProject = detectProject;
+exports.discoverFiles = discoverFiles;
+exports.readFile = readFile;
+exports.fileExists = fileExists;
+exports.getLines = getLines;
+exports.findSqlFiles = findSqlFiles;
+exports.findSourceFiles = findSourceFiles;
+exports.extractTables = extractTables;
+const fs_1 = require("fs");
+const path_1 = require("path");
+function detectProject(projectPath) {
+    const info = {
+        name: "unknown",
+        path: projectPath,
+        stack: [],
+        hasSupabase: false,
+        hasNextJs: false,
+        hasReact: false,
+        hasVite: false,
+        hasPrisma: false,
+    };
+    // Les package.json
+    const pkgPath = (0, path_1.join)(projectPath, "package.json");
+    if ((0, fs_1.existsSync)(pkgPath)) {
+        try {
+            const pkg = JSON.parse((0, fs_1.readFileSync)(pkgPath, "utf-8"));
+            info.name = pkg.name || "unknown";
+            const allDeps = {
+                ...pkg.dependencies,
+                ...pkg.devDependencies,
+            };
+            // Detect stack
+            if (allDeps["@supabase/supabase-js"] || allDeps["@supabase/ssr"]) {
+                info.hasSupabase = true;
+                info.stack.push("Supabase");
+            }
+            if (allDeps["next"]) {
+                info.hasNextJs = true;
+                info.stack.push("Next.js");
+            }
+            if (allDeps["react"]) {
+                info.hasReact = true;
+                info.stack.push("React");
+            }
+            if (allDeps["vite"]) {
+                info.hasVite = true;
+                info.stack.push("Vite");
+            }
+            if (allDeps["typescript"]) {
+                info.stack.push("TypeScript");
+            }
+            if (allDeps["prisma"] || allDeps["@prisma/client"]) {
+                info.hasPrisma = true;
+                info.stack.push("Prisma");
+            }
+        }
+        catch {
+            // Ignore parse errors
+        }
+    }
+    // Check for Supabase files
+    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, "supabase")) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, "supabase-setup.sql"))) {
+        if (!info.hasSupabase) {
+            info.hasSupabase = true;
+            info.stack.push("Supabase");
+        }
+    }
+    // Check for Prisma folder
+    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, "prisma"))) {
+        if (!info.hasPrisma) {
+            info.hasPrisma = true;
+            info.stack.push("Prisma");
+        }
+    }
+    return info;
+}
+const IGNORED_DIRS = new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    ".next",
+    ".vercel",
+    "coverage",
+    ".nyc_output",
+]);
+const SCAN_EXTENSIONS = new Set([
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".sql",
+    ".json",
+    ".mjs",
+    ".cjs",
+]);
+function discoverFiles(projectPath, extensions = SCAN_EXTENSIONS) {
+    const files = [];
+    function walk(dir) {
+        try {
+            const entries = (0, fs_1.readdirSync)(dir, { withFileTypes: true });
+            for (const entry of entries) {
+                const fullPath = (0, path_1.join)(dir, entry.name);
+                if (entry.isDirectory()) {
+                    if (!IGNORED_DIRS.has(entry.name) && !entry.name.startsWith(".")) {
+                        walk(fullPath);
+                    }
+                }
+                else if (entry.isFile()) {
+                    const ext = (0, path_1.extname)(entry.name);
+                    if (extensions.has(ext)) {
+                        const stat = (0, fs_1.statSync)(fullPath);
+                        files.push({
+                            path: fullPath,
+                            relativePath: (0, path_1.relative)(projectPath, fullPath),
+                            extension: ext,
+                            size: stat.size,
+                        });
+                    }
+                }
+            }
+        }
+        catch {
+            // Ignore permission errors etc
+        }
+    }
+    walk(projectPath);
+    return files;
+}
+// ============================================
+// FILE READING
+// ============================================
+function readFile(filePath) {
+    try {
+        return (0, fs_1.readFileSync)(filePath, "utf-8");
+    }
+    catch {
+        return null;
+    }
+}
+function fileExists(filePath) {
+    return (0, fs_1.existsSync)(filePath);
+}
+function getLines(filePath, startLine, endLine) {
+    const content = readFile(filePath);
+    if (!content)
+        return [];
+    const lines = content.split("\n");
+    return lines.slice(Math.max(0, startLine - 1), endLine);
+}
+// ============================================
+// SQL FILE HELPERS
+// ============================================
+function findSqlFiles(projectPath) {
+    const files = discoverFiles(projectPath, new Set([".sql"]));
+    return files.map((f) => f.relativePath);
+}
+function findSourceFiles(projectPath) {
+    const files = discoverFiles(projectPath, new Set([".ts", ".tsx", ".js", ".jsx"]));
+    return files.map((f) => f.relativePath);
+}
+function extractTables(sqlContent, fileName) {
+    const tables = [];
+    // Find CREATE TABLE statements
+    const tableRegex = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?(\w+)/gi;
+    let match;
+    while ((match = tableRegex.exec(sqlContent)) !== null) {
+        const tableName = match[1];
+        // Check if RLS is enabled for this table
+        const rlsRegex = new RegExp(`ALTER\\s+TABLE\\s+(?:public\\.)?${tableName}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, "i");
+        const hasRls = rlsRegex.test(sqlContent);
+        // Find policies for this table
+        const policyRegex = new RegExp(`CREATE\\s+POLICY\\s+[\\w"']+\\s+ON\\s+(?:public\\.)?${tableName}`, "gi");
+        const policies = [];
+        let policyMatch;
+        while ((policyMatch = policyRegex.exec(sqlContent)) !== null) {
+            policies.push(policyMatch[0]);
+        }
+        tables.push({
+            name: tableName,
+            file: fileName,
+            hasRls,
+            policies,
+        });
+    }
+    return tables;
+}

package/dist/utils/rg.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Ripgrep Wrapper
+ *
+ * Kjører ripgrep (rg) med JSON output for stabil parsing.
+ * Fallback til grep hvis rg ikke er installert.
+ */
+import { Evidence } from "../types";
+export declare function isRipgrepAvailable(): boolean;
+export interface SearchOptions {
+    pattern: string;
+    paths: string[];
+    cwd: string;
+    ignoreCase?: boolean;
+    contextLines?: number;
+}
+export interface SearchResult {
+    found: boolean;
+    matches: Evidence[];
+    matchCount: number;
+}
+/**
+ * Søk etter pattern i filer med ripgrep
+ */
+export declare function search(options: SearchOptions): SearchResult;
+/**
+ * Sjekk om pattern IKKE finnes (for absence-regler)
+ */
+export declare function searchAbsence(options: SearchOptions): SearchResult;
+/**
+ * Hent flere linjer rundt en match for bedre kontekst
+ */
+export declare function getExpandedContext(cwd: string, filePath: string, lineNumber: number, contextBefore?: number, contextAfter?: number): string;