ship-safe 2.0.0 → 3.0.0

package/cli/commands/guard.js

@@ -0,0 +1,297 @@
+/**
+ * Guard Command
+ * =============
+ *
+ * Installs a git pre-push hook that runs ship-safe scan before every push.
+ * If secrets are found, the push is blocked.
+ *
+ * USAGE:
+ *   ship-safe guard                    Install pre-push hook
+ *   ship-safe guard --pre-commit       Install pre-commit hook instead
+ *   ship-safe guard remove             Remove installed hooks
+ *
+ * HUSKY SUPPORT:
+ *   If a .husky/ directory is detected, the hook is added there instead.
+ *   Otherwise it goes directly into .git/hooks/.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// HOOK SCRIPTS
+// =============================================================================
+
+const PRE_PUSH_HOOK = `#!/bin/sh
+# ship-safe pre-push hook
+# Scans for leaked secrets before every git push.
+# Remove this hook with: npx ship-safe guard remove
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before push..."
+
+npx --yes ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Push blocked."
+  echo ""
+  echo "Run 'npx ship-safe scan .' to see details."
+  echo "Fix the issues, then push again."
+  echo ""
+  echo "To skip this check (not recommended):"
+  echo "  git push --no-verify"
+  echo ""
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected. Pushing..."
+rm -f /tmp/ship-safe-scan.json
+exit 0
+`;
+
+const PRE_COMMIT_HOOK = `#!/bin/sh
+# ship-safe pre-commit hook
+# Scans staged files for leaked secrets before every commit.
+# Remove this hook with: npx ship-safe guard remove
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before commit..."
+
+npx --yes ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Commit blocked."
+  echo ""
+  echo "Run 'npx ship-safe scan .' to see details."
+  echo "Fix the issues, then commit again."
+  echo ""
+  echo "To skip this check (not recommended):"
+  echo "  git commit --no-verify"
+  echo ""
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected. Committing..."
+rm -f /tmp/ship-safe-scan.json
+exit 0
+`;
+
+const HUSKY_PRE_PUSH = `#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before push..."
+
+npx ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Push blocked."
+  echo "Run 'npx ship-safe scan .' to see details."
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected."
+rm -f /tmp/ship-safe-scan.json
+`;
+
+const HUSKY_PRE_COMMIT = `#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before commit..."
+
+npx ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Commit blocked."
+  echo "Run 'npx ship-safe scan .' to see details."
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected."
+rm -f /tmp/ship-safe-scan.json
+`;
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function guardCommand(action, options = {}) {
+  const cwd = process.cwd();
+
+  // Verify this is a git repo
+  const gitDir = findGitDir(cwd);
+  if (!gitDir) {
+    output.error('Not a git repository. Run this from your project root.');
+    process.exit(1);
+  }
+
+  if (action === 'remove') {
+    return removeHooks(gitDir, cwd);
+  }
+
+  return installHook(gitDir, cwd, options);
+}
+
+// =============================================================================
+// INSTALL
+// =============================================================================
+
+function installHook(gitDir, cwd, options) {
+  const hookType = options.preCommit ? 'pre-commit' : 'pre-push';
+  const hookScript = options.preCommit ? PRE_COMMIT_HOOK : PRE_PUSH_HOOK;
+  const huskyScript = options.preCommit ? HUSKY_PRE_COMMIT : HUSKY_PRE_PUSH;
+
+  output.header('Installing ship-safe Guard');
+
+  // Check for Husky
+  const huskyDir = path.join(cwd, '.husky');
+  const useHusky = fs.existsSync(huskyDir);
+
+  if (useHusky) {
+    installHuskyHook(huskyDir, hookType, huskyScript);
+  } else {
+    installGitHook(gitDir, hookType, hookScript);
+  }
+
+  console.log();
+  console.log(chalk.gray('What happens now:'));
+  console.log(chalk.gray(`  Every git ${hookType === 'pre-push' ? 'push' : 'commit'} will run ship-safe scan`));
+  console.log(chalk.gray('  If secrets are found, the operation is blocked'));
+  console.log(chalk.gray('  Use --no-verify to skip (not recommended)'));
+  console.log();
+  console.log(chalk.gray('To remove: npx ship-safe guard remove'));
+}
+
+function installGitHook(gitDir, hookType, script) {
+  const hooksDir = path.join(gitDir, 'hooks');
+  const hookPath = path.join(hooksDir, hookType);
+
+  // Ensure hooks directory exists
+  if (!fs.existsSync(hooksDir)) {
+    fs.mkdirSync(hooksDir, { recursive: true });
+  }
+
+  // Check if hook already exists (not from ship-safe)
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, 'utf-8');
+    if (!existing.includes('ship-safe')) {
+      output.warning(`Existing ${hookType} hook found. Appending ship-safe check.`);
+      fs.appendFileSync(hookPath, '\n' + script);
+      output.success(`Appended to .git/hooks/${hookType}`);
+      return;
+    }
+    output.warning(`ship-safe guard already installed in .git/hooks/${hookType}`);
+    return;
+  }
+
+  fs.writeFileSync(hookPath, script);
+  // Make executable (chmod +x)
+  try {
+    fs.chmodSync(hookPath, '755');
+  } catch {
+    // Windows doesn't support chmod, but hooks still run via git
+  }
+
+  output.success(`Hook installed at .git/hooks/${hookType}`);
+}
+
+function installHuskyHook(huskyDir, hookType, script) {
+  const hookPath = path.join(huskyDir, hookType);
+
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, 'utf-8');
+    if (!existing.includes('ship-safe')) {
+      output.warning(`Existing Husky ${hookType} found. Appending ship-safe check.`);
+      fs.appendFileSync(hookPath, '\n# ship-safe\n' + script.split('\n').slice(3).join('\n'));
+      output.success(`Appended to .husky/${hookType}`);
+      return;
+    }
+    output.warning(`ship-safe guard already installed in .husky/${hookType}`);
+    return;
+  }
+
+  fs.writeFileSync(hookPath, script);
+  try {
+    fs.chmodSync(hookPath, '755');
+  } catch {}
+
+  output.success(`Hook installed at .husky/${hookType} (Husky detected)`);
+}
+
+// =============================================================================
+// REMOVE
+// =============================================================================
+
+function removeHooks(gitDir, cwd) {
+  output.header('Removing ship-safe Guard');
+
+  let removed = 0;
+
+  // Check .git/hooks
+  const hookTypes = ['pre-push', 'pre-commit'];
+  for (const hookType of hookTypes) {
+    const hookPath = path.join(gitDir, 'hooks', hookType);
+    if (fs.existsSync(hookPath)) {
+      const content = fs.readFileSync(hookPath, 'utf-8');
+      if (content.includes('ship-safe')) {
+        if (content.trim() === PRE_PUSH_HOOK.trim() || content.trim() === PRE_COMMIT_HOOK.trim()) {
+          // Ship-safe is the only hook — delete the file
+          fs.unlinkSync(hookPath);
+          output.success(`Removed .git/hooks/${hookType}`);
+        } else {
+          // Other hooks exist — only remove ship-safe lines
+          const cleaned = content
+            .replace(/# ship-safe[\s\S]*?exit 0\n/g, '')
+            .trimEnd() + '\n';
+          fs.writeFileSync(hookPath, cleaned);
+          output.success(`Removed ship-safe from .git/hooks/${hookType}`);
+        }
+        removed++;
+      }
+    }
+
+    // Check .husky
+    const huskyHookPath = path.join(cwd, '.husky', hookType);
+    if (fs.existsSync(huskyHookPath)) {
+      const content = fs.readFileSync(huskyHookPath, 'utf-8');
+      if (content.includes('ship-safe')) {
+        fs.unlinkSync(huskyHookPath);
+        output.success(`Removed .husky/${hookType}`);
+        removed++;
+      }
+    }
+  }
+
+  if (removed === 0) {
+    output.warning('No ship-safe hooks found.');
+  }
+}
+
+// =============================================================================
+// UTILITIES
+// =============================================================================
+
+function findGitDir(startPath) {
+  let current = startPath;
+
+  while (true) {
+    const gitPath = path.join(current, '.git');
+    if (fs.existsSync(gitPath)) {
+      return gitPath;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) return null; // Reached filesystem root
+    current = parent;
+  }
+}

package/cli/commands/mcp.js

@@ -0,0 +1,303 @@
+/**
+ * MCP Server
+ * ==========
+ *
+ * Exposes ship-safe as a Model Context Protocol (MCP) server.
+ * Allows AI editors (Claude Desktop, Cursor, Windsurf, Zed) to call
+ * ship-safe's security tools directly during conversations.
+ *
+ * USAGE:
+ *   npx ship-safe mcp       Start the MCP server (stdio transport)
+ *
+ * SETUP (Claude Desktop):
+ *   Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
+ *   {
+ *     "mcpServers": {
+ *       "ship-safe": {
+ *         "command": "npx",
+ *         "args": ["ship-safe", "mcp"]
+ *       }
+ *     }
+ *   }
+ *
+ * AVAILABLE TOOLS:
+ *   scan_secrets    - Scan a directory for leaked secrets
+ *   get_checklist   - Return the launch-day security checklist
+ *   analyze_file    - Analyze a single file for security issues
+ *
+ * PROTOCOL:
+ *   JSON-RPC 2.0 over stdio (MCP spec: https://modelcontextprotocol.io)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { glob } from 'glob';
+import { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS, TEST_FILE_PATTERNS, MAX_FILE_SIZE } from '../utils/patterns.js';
+import { isHighEntropyMatch } from '../utils/entropy.js';
+
+// =============================================================================
+// MCP TOOL DEFINITIONS
+// =============================================================================
+
+const TOOLS = [
+  {
+    name: 'scan_secrets',
+    description: 'Scan a directory or file for leaked secrets, API keys, and credentials. Returns structured findings with severity, file location, and remediation advice.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        path: {
+          type: 'string',
+          description: 'The directory or file path to scan. Use "." for the current directory.',
+        },
+        includeTests: {
+          type: 'boolean',
+          description: 'Whether to include test files in the scan (default: false)',
+        },
+      },
+      required: ['path'],
+    },
+  },
+  {
+    name: 'get_checklist',
+    description: 'Return the ship-safe launch-day security checklist as structured data. Use this to guide users through pre-launch security checks.',
+    inputSchema: {
+      type: 'object',
+      properties: {},
+    },
+  },
+  {
+    name: 'analyze_file',
+    description: 'Analyze a single file for security issues including secrets, hardcoded credentials, and dangerous patterns.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        path: {
+          type: 'string',
+          description: 'The absolute or relative path to the file to analyze.',
+        },
+      },
+      required: ['path'],
+    },
+  },
+];
+
+// =============================================================================
+// TOOL IMPLEMENTATIONS
+// =============================================================================
+
+async function scanSecrets({ path: targetPath, includeTests = false }) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    return { error: `Path does not exist: ${absolutePath}` };
+  }
+
+  const stat = fs.statSync(absolutePath);
+  const files = stat.isFile()
+    ? [absolutePath]
+    : await findFiles(absolutePath, includeTests);
+
+  const results = [];
+
+  for (const file of files) {
+    const findings = scanFile(file);
+    if (findings.length > 0) {
+      results.push({ file: path.relative(process.cwd(), file), findings });
+    }
+  }
+
+  return {
+    filesScanned: files.length,
+    totalFindings: results.reduce((sum, r) => sum + r.findings.length, 0),
+    clean: results.length === 0,
+    findings: results,
+    summary: results.length === 0
+      ? 'No secrets detected.'
+      : `Found ${results.reduce((s, r) => s + r.findings.length, 0)} secret(s) across ${results.length} file(s).`,
+    remediation: results.length > 0
+      ? 'Move secrets to environment variables. Add .env to .gitignore. Rotate any already-committed credentials.'
+      : null,
+  };
+}
+
+function getChecklist() {
+  return {
+    title: 'Ship Safe Launch-Day Security Checklist',
+    items: [
+      { id: 1, category: 'Secrets', check: 'No API keys hardcoded in source code', command: 'npx ship-safe scan .' },
+      { id: 2, category: 'Secrets', check: '.env file is in .gitignore', command: null },
+      { id: 3, category: 'Secrets', check: '.env.example exists with placeholder values', command: 'npx ship-safe fix' },
+      { id: 4, category: 'Database', check: 'Row Level Security (RLS) enabled on all Supabase tables', command: null },
+      { id: 5, category: 'Database', check: 'Service role key is server-side only (never in frontend)', command: null },
+      { id: 6, category: 'Auth', check: 'Authentication required on all sensitive API routes', command: null },
+      { id: 7, category: 'Auth', check: 'JWT tokens expire within 24 hours', command: null },
+      { id: 8, category: 'Headers', check: 'Security headers configured (CSP, X-Frame-Options, HSTS)', command: 'npx ship-safe init --headers' },
+      { id: 9, category: 'API', check: 'Rate limiting implemented on auth and AI endpoints', command: null },
+      { id: 10, category: 'API', check: 'Input validation on all API endpoints', command: null },
+      { id: 11, category: 'AI', check: 'Token limits set on all LLM API calls', command: null },
+      { id: 12, category: 'AI', check: 'Budget caps configured in AI provider dashboard', command: null },
+      { id: 13, category: 'CI/CD', check: 'ship-safe scan runs in CI pipeline', command: null },
+      { id: 14, category: 'CI/CD', check: 'Pre-push hook installed', command: 'npx ship-safe guard' },
+    ],
+  };
+}
+
+async function analyzeFile({ path: filePath }) {
+  const absolutePath = path.resolve(filePath);
+
+  if (!fs.existsSync(absolutePath)) {
+    return { error: `File does not exist: ${absolutePath}` };
+  }
+
+  const findings = scanFile(absolutePath);
+
+  return {
+    file: filePath,
+    totalFindings: findings.length,
+    clean: findings.length === 0,
+    findings,
+    summary: findings.length === 0
+      ? `No secrets detected in ${path.basename(filePath)}.`
+      : `Found ${findings.length} potential secret(s) in ${path.basename(filePath)}.`,
+  };
+}
+
+// =============================================================================
+// SCAN UTILITIES (shared with scan command)
+// =============================================================================
+
+async function findFiles(rootPath, includeTests) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+  const files = await glob('**/*', { cwd: rootPath, absolute: true, nodir: true, ignore: globIgnore, dot: true });
+
+  return files.filter(file => {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) return false;
+    const basename = path.basename(file);
+    if (basename.endsWith('.min.js') || basename.endsWith('.min.css')) return false;
+    if (!includeTests && TEST_FILE_PATTERNS.some(p => p.test(file))) return false;
+    try {
+      return fs.statSync(file).size <= MAX_FILE_SIZE;
+    } catch { return false; }
+  });
+}
+
+function scanFile(filePath) {
+  const findings = [];
+  try {
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+      if (/ship-safe-ignore/i.test(line)) continue;
+
+      for (const pattern of SECRET_PATTERNS) {
+        pattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.pattern.exec(line)) !== null) {
+          if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) continue;
+          findings.push({
+            line: lineNum + 1,
+            type: pattern.name,
+            severity: pattern.severity,
+            description: pattern.description,
+            fix: 'Move to environment variable. Never commit to source control.',
+          });
+        }
+      }
+    }
+  } catch {}
+  return findings;
+}
+
+// =============================================================================
+// MCP STDIO SERVER
+// =============================================================================
+
+export async function mcpCommand() {
+  // MCP uses JSON-RPC 2.0 over stdio
+  process.stdin.setEncoding('utf-8');
+
+  let buffer = '';
+
+  process.stdin.on('data', async (chunk) => {
+    buffer += chunk;
+
+    // MCP messages are newline-delimited JSON
+    const lines = buffer.split('\n');
+    buffer = lines.pop(); // Keep incomplete line in buffer
+
+    for (const line of lines) {
+      if (!line.trim()) continue;
+
+      try {
+        const request = JSON.parse(line);
+        const response = await handleRequest(request);
+        process.stdout.write(JSON.stringify(response) + '\n');
+      } catch (err) {
+        const errorResponse = {
+          jsonrpc: '2.0',
+          id: null,
+          error: { code: -32700, message: 'Parse error', data: err.message },
+        };
+        process.stdout.write(JSON.stringify(errorResponse) + '\n');
+      }
+    }
+  });
+
+  process.stdin.on('end', () => process.exit(0));
+}
+
+async function handleRequest(request) {
+  const { jsonrpc, id, method, params } = request;
+
+  const respond = (result) => ({ jsonrpc: '2.0', id, result });
+  const respondError = (code, message) => ({ jsonrpc: '2.0', id, error: { code, message } });
+
+  switch (method) {
+    case 'initialize':
+      return respond({
+        protocolVersion: '2024-11-05',
+        capabilities: { tools: {} },
+        serverInfo: { name: 'ship-safe', version: '3.0.0' },
+      });
+
+    case 'tools/list':
+      return respond({ tools: TOOLS });
+
+    case 'tools/call': {
+      const { name, arguments: args } = params;
+
+      try {
+        let result;
+        switch (name) {
+          case 'scan_secrets':
+            result = await scanSecrets(args);
+            break;
+          case 'get_checklist':
+            result = getChecklist();
+            break;
+          case 'analyze_file':
+            result = await analyzeFile(args);
+            break;
+          default:
+            return respondError(-32601, `Unknown tool: ${name}`);
+        }
+
+        return respond({
+          content: [{ type: 'text', text: JSON.stringify(result, null, 2) }],
+        });
+      } catch (err) {
+        return respondError(-32603, err.message);
+      }
+    }
+
+    case 'notifications/initialized':
+      return null; // No response needed for notifications
+
+    default:
+      return respondError(-32601, `Method not found: ${method}`);
+  }
+}