ship-safe 4.1.0 → 4.3.0

package/cli/utils/cache-manager.js

@@ -1,258 +1,311 @@
-/**
- * Cache Manager
- * =============
- *
- * Provides incremental scanning by caching file hashes and findings.
- * On subsequent runs, only changed files are re-scanned.
- *
- * Cache location: .ship-safe/context.json
- *
- * USAGE:
- *   import { CacheManager } from './cache-manager.js';
- *   const cache = new CacheManager(rootPath);
- *   const { changedFiles, cachedFindings } = await cache.getChangedFiles(currentFiles);
- *   // ... scan only changedFiles ...
- *   cache.save(allFiles, allFindings, recon, scoreResult);
- */
-
-import fs from 'fs';
-import path from 'path';
-import crypto from 'crypto';
-import { readFileSync } from 'fs';
-import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
-
-// Read version from package.json
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
-
-// Cache TTL: 24 hours
-const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
-
-export class CacheManager {
-  /**
-   * @param {string} rootPath — Absolute path to project root
-   */
-  constructor(rootPath) {
-    this.rootPath = rootPath;
-    this.cacheDir = path.join(rootPath, '.ship-safe');
-    this.cachePath = path.join(this.cacheDir, 'context.json');
-    this.cache = null;
-  }
-
-  /**
-   * Load the cache from disk. Returns null if cache is missing, expired, or invalid.
-   */
-  load() {
-    try {
-      if (!fs.existsSync(this.cachePath)) return null;
-
-      const raw = fs.readFileSync(this.cachePath, 'utf-8');
-      const cache = JSON.parse(raw);
-
-      // Version mismatch — patterns may have changed
-      if (cache.version !== PACKAGE_VERSION) return null;
-
-      // TTL expired
-      const age = Date.now() - new Date(cache.generatedAt).getTime();
-      if (age > CACHE_TTL_MS) return null;
-
-      this.cache = cache;
-      return cache;
-    } catch {
-      return null;
-    }
-  }
-
-  /**
-   * Compute SHA-256 hash of a file's contents.
-   */
-  hashFile(filePath) {
-    try {
-      const content = fs.readFileSync(filePath);
-      return crypto.createHash('sha256').update(content).digest('hex');
-    } catch {
-      return null;
-    }
-  }
-
-  /**
-   * Compare current files against cached file index to find what changed.
-   *
-   * @param {string[]} currentFiles — Array of absolute file paths
-   * @returns {{ changedFiles: string[], cachedFindings: object[], unchangedCount: number, newCount: number, modifiedCount: number, deletedCount: number }}
-   */
-  diff(currentFiles) {
-    if (!this.cache || !this.cache.fileIndex) {
-      return {
-        changedFiles: currentFiles,
-        cachedFindings: [],
-        unchangedCount: 0,
-        newCount: currentFiles.length,
-        modifiedCount: 0,
-        deletedCount: 0,
-      };
-    }
-
-    const cachedIndex = this.cache.fileIndex;
-    const cachedFindings = this.cache.lastFindings || {};
-    const changedFiles = [];
-    const reusedFindings = [];
-    let unchangedCount = 0;
-    let newCount = 0;
-    let modifiedCount = 0;
-
-    const currentSet = new Set(currentFiles);
-
-    for (const file of currentFiles) {
-      const relPath = path.relative(this.rootPath, file).replace(/\\/g, '/');
-      const cached = cachedIndex[relPath];
-
-      if (!cached) {
-        // New file — needs scanning
-        changedFiles.push(file);
-        newCount++;
-        continue;
-      }
-
-      // Quick size check before expensive hash
-      try {
-        const stats = fs.statSync(file);
-        if (stats.size !== cached.size) {
-          changedFiles.push(file);
-          modifiedCount++;
-          continue;
-        }
-      } catch {
-        changedFiles.push(file);
-        modifiedCount++;
-        continue;
-      }
-
-      // Hash check
-      const currentHash = this.hashFile(file);
-      if (currentHash !== cached.hash) {
-        changedFiles.push(file);
-        modifiedCount++;
-        continue;
-      }
-
-      // File unchanged — reuse cached findings
-      unchangedCount++;
-      if (cachedFindings[relPath]) {
-        // Restore absolute paths for cached findings
-        for (const finding of cachedFindings[relPath]) {
-          reusedFindings.push({ ...finding, file });
-        }
-      }
-    }
-
-    // Count deleted files (in cache but not in current)
-    const currentRelPaths = new Set(
-      currentFiles.map(f => path.relative(this.rootPath, f).replace(/\\/g, '/'))
-    );
-    const deletedCount = Object.keys(cachedIndex).filter(p => !currentRelPaths.has(p)).length;
-
-    return {
-      changedFiles,
-      cachedFindings: reusedFindings,
-      unchangedCount,
-      newCount,
-      modifiedCount,
-      deletedCount,
-    };
-  }
-
-  /**
-   * Save the cache to disk.
-   *
-   * @param {string[]} allFiles — All scanned file paths
-   * @param {object[]} allFindings — All findings from the scan
-   * @param {object} recon — ReconAgent output
-   * @param {object} [scoreResult] — Optional score result
-   */
-  save(allFiles, allFindings, recon, scoreResult) {
-    try {
-      // Ensure .ship-safe directory exists
-      if (!fs.existsSync(this.cacheDir)) {
-        fs.mkdirSync(this.cacheDir, { recursive: true });
-      }
-
-      // Build file index with hashes
-      const fileIndex = {};
-      for (const file of allFiles) {
-        const relPath = path.relative(this.rootPath, file).replace(/\\/g, '/');
-        const hash = this.hashFile(file);
-        if (hash) {
-          try {
-            const stats = fs.statSync(file);
-            fileIndex[relPath] = {
-              hash,
-              size: stats.size,
-              lastScanned: new Date().toISOString(),
-            };
-          } catch {
-            // Skip files we can't stat
-          }
-        }
-      }
-
-      // Group findings by file (relative paths)
-      const lastFindings = {};
-      for (const f of allFindings) {
-        const relPath = path.relative(this.rootPath, f.file).replace(/\\/g, '/');
-        if (!lastFindings[relPath]) lastFindings[relPath] = [];
-        // Store a lightweight copy (no absolute paths)
-        lastFindings[relPath].push({
-          line: f.line,
-          column: f.column,
-          severity: f.severity,
-          category: f.category,
-          rule: f.rule,
-          title: f.title,
-          description: f.description,
-          matched: f.matched,
-          confidence: f.confidence,
-          cwe: f.cwe,
-          owasp: f.owasp,
-          fix: f.fix,
-        });
-      }
-
-      const cache = {
-        version: PACKAGE_VERSION,
-        generatedAt: new Date().toISOString(),
-        rootPath: this.rootPath,
-        recon: recon || null,
-        fileIndex,
-        lastFindings,
-        stats: {
-          totalFiles: allFiles.length,
-          totalFindings: allFindings.length,
-          lastScore: scoreResult?.score ?? null,
-          lastGrade: scoreResult?.grade?.letter ?? null,
-        },
-      };
-
-      fs.writeFileSync(this.cachePath, JSON.stringify(cache, null, 2));
-    } catch {
-      // Silent failure — caching should never break a scan
-    }
-  }
-
-  /**
-   * Delete the cache file.
-   */
-  invalidate() {
-    try {
-      if (fs.existsSync(this.cachePath)) {
-        fs.unlinkSync(this.cachePath);
-      }
-    } catch {
-      // Silent
-    }
-  }
-}
-
-export default CacheManager;
+/**
+ * Cache Manager
+ * =============
+ *
+ * Provides incremental scanning by caching file hashes and findings.
+ * On subsequent runs, only changed files are re-scanned.
+ *
+ * Cache location: .ship-safe/context.json
+ *
+ * USAGE:
+ *   import { CacheManager } from './cache-manager.js';
+ *   const cache = new CacheManager(rootPath);
+ *   const { changedFiles, cachedFindings } = await cache.getChangedFiles(currentFiles);
+ *   // ... scan only changedFiles ...
+ *   cache.save(allFiles, allFindings, recon, scoreResult);
+ */
+
+import fs from 'fs';
+import path from 'path';
+import crypto from 'crypto';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+// Read version from package.json
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
+
+// Cache TTL: 24 hours
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
+
+export class CacheManager {
+  /**
+   * @param {string} rootPath — Absolute path to project root
+   */
+  constructor(rootPath) {
+    this.rootPath = rootPath;
+    this.cacheDir = path.join(rootPath, '.ship-safe');
+    this.cachePath = path.join(this.cacheDir, 'context.json');
+    this.cache = null;
+  }
+
+  /**
+   * Load the cache from disk. Returns null if cache is missing, expired, or invalid.
+   */
+  load() {
+    try {
+      if (!fs.existsSync(this.cachePath)) return null;
+
+      const raw = fs.readFileSync(this.cachePath, 'utf-8');
+      const cache = JSON.parse(raw);
+
+      // Version mismatch — patterns may have changed
+      if (cache.version !== PACKAGE_VERSION) return null;
+
+      // TTL expired
+      const age = Date.now() - new Date(cache.generatedAt).getTime();
+      if (age > CACHE_TTL_MS) return null;
+
+      this.cache = cache;
+      return cache;
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Compute SHA-256 hash of a file's contents.
+   */
+  hashFile(filePath) {
+    try {
+      const content = fs.readFileSync(filePath);
+      return crypto.createHash('sha256').update(content).digest('hex');
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Compare current files against cached file index to find what changed.
+   *
+   * @param {string[]} currentFiles — Array of absolute file paths
+   * @returns {{ changedFiles: string[], cachedFindings: object[], unchangedCount: number, newCount: number, modifiedCount: number, deletedCount: number }}
+   */
+  diff(currentFiles) {
+    if (!this.cache || !this.cache.fileIndex) {
+      return {
+        changedFiles: currentFiles,
+        cachedFindings: [],
+        unchangedCount: 0,
+        newCount: currentFiles.length,
+        modifiedCount: 0,
+        deletedCount: 0,
+      };
+    }
+
+    const cachedIndex = this.cache.fileIndex;
+    const cachedFindings = this.cache.lastFindings || {};
+    const changedFiles = [];
+    const reusedFindings = [];
+    let unchangedCount = 0;
+    let newCount = 0;
+    let modifiedCount = 0;
+
+    const currentSet = new Set(currentFiles);
+
+    for (const file of currentFiles) {
+      const relPath = path.relative(this.rootPath, file).replace(/\\/g, '/');
+      const cached = cachedIndex[relPath];
+
+      if (!cached) {
+        // New file — needs scanning
+        changedFiles.push(file);
+        newCount++;
+        continue;
+      }
+
+      // Quick size check before expensive hash
+      try {
+        const stats = fs.statSync(file);
+        if (stats.size !== cached.size) {
+          changedFiles.push(file);
+          modifiedCount++;
+          continue;
+        }
+      } catch {
+        changedFiles.push(file);
+        modifiedCount++;
+        continue;
+      }
+
+      // Hash check
+      const currentHash = this.hashFile(file);
+      if (currentHash !== cached.hash) {
+        changedFiles.push(file);
+        modifiedCount++;
+        continue;
+      }
+
+      // File unchanged — reuse cached findings
+      unchangedCount++;
+      if (cachedFindings[relPath]) {
+        // Restore absolute paths for cached findings
+        for (const finding of cachedFindings[relPath]) {
+          reusedFindings.push({ ...finding, file });
+        }
+      }
+    }
+
+    // Count deleted files (in cache but not in current)
+    const currentRelPaths = new Set(
+      currentFiles.map(f => path.relative(this.rootPath, f).replace(/\\/g, '/'))
+    );
+    const deletedCount = Object.keys(cachedIndex).filter(p => !currentRelPaths.has(p)).length;
+
+    return {
+      changedFiles,
+      cachedFindings: reusedFindings,
+      unchangedCount,
+      newCount,
+      modifiedCount,
+      deletedCount,
+    };
+  }
+
+  /**
+   * Save the cache to disk.
+   *
+   * @param {string[]} allFiles — All scanned file paths
+   * @param {object[]} allFindings — All findings from the scan
+   * @param {object} recon — ReconAgent output
+   * @param {object} [scoreResult] — Optional score result
+   */
+  save(allFiles, allFindings, recon, scoreResult) {
+    try {
+      // Ensure .ship-safe directory exists
+      if (!fs.existsSync(this.cacheDir)) {
+        fs.mkdirSync(this.cacheDir, { recursive: true });
+      }
+
+      // Build file index with hashes
+      const fileIndex = {};
+      for (const file of allFiles) {
+        const relPath = path.relative(this.rootPath, file).replace(/\\/g, '/');
+        const hash = this.hashFile(file);
+        if (hash) {
+          try {
+            const stats = fs.statSync(file);
+            fileIndex[relPath] = {
+              hash,
+              size: stats.size,
+              lastScanned: new Date().toISOString(),
+            };
+          } catch {
+            // Skip files we can't stat
+          }
+        }
+      }
+
+      // Group findings by file (relative paths)
+      const lastFindings = {};
+      for (const f of allFindings) {
+        const relPath = path.relative(this.rootPath, f.file).replace(/\\/g, '/');
+        if (!lastFindings[relPath]) lastFindings[relPath] = [];
+        // Store a lightweight copy (no absolute paths)
+        lastFindings[relPath].push({
+          line: f.line,
+          column: f.column,
+          severity: f.severity,
+          category: f.category,
+          rule: f.rule,
+          title: f.title,
+          description: f.description,
+          matched: f.matched,
+          confidence: f.confidence,
+          cwe: f.cwe,
+          owasp: f.owasp,
+          fix: f.fix,
+        });
+      }
+
+      const cache = {
+        version: PACKAGE_VERSION,
+        generatedAt: new Date().toISOString(),
+        rootPath: this.rootPath,
+        recon: recon || null,
+        fileIndex,
+        lastFindings,
+        stats: {
+          totalFiles: allFiles.length,
+          totalFindings: allFindings.length,
+          lastScore: scoreResult?.score ?? null,
+          lastGrade: scoreResult?.grade?.letter ?? null,
+        },
+      };
+
+      fs.writeFileSync(this.cachePath, JSON.stringify(cache, null, 2));
+    } catch {
+      // Silent failure — caching should never break a scan
+    }
+  }
+
+  /**
+   * Delete the cache file.
+   */
+  invalidate() {
+    try {
+      if (fs.existsSync(this.cachePath)) {
+        fs.unlinkSync(this.cachePath);
+      }
+    } catch {
+      // Silent
+    }
+  }
+
+  // ===========================================================================
+  // LLM CLASSIFICATION CACHE
+  // ===========================================================================
+
+  get llmCachePath() {
+    return path.join(this.cacheDir, 'llm-cache.json');
+  }
+
+  /**
+   * Generate a cache key for an LLM classification.
+   */
+  getLLMCacheKey(finding) {
+    const data = `${finding.file}:${finding.line}:${finding.rule}:${finding.matched || ''}`;
+    return crypto.createHash('sha256').update(data).digest('hex').slice(0, 16);
+  }
+
+  /**
+   * Load cached LLM classifications. Returns {} if none or expired.
+   */
+  loadLLMClassifications() {
+    const LLM_CACHE_TTL = 7 * 24 * 60 * 60 * 1000; // 7 days
+    try {
+      if (!fs.existsSync(this.llmCachePath)) return {};
+      const raw = JSON.parse(fs.readFileSync(this.llmCachePath, 'utf-8'));
+      const now = Date.now();
+      const valid = {};
+      for (const [key, entry] of Object.entries(raw)) {
+        if (now - new Date(entry.cachedAt).getTime() < LLM_CACHE_TTL) {
+          valid[key] = entry;
+        }
+      }
+      return valid;
+    } catch {
+      return {};
+    }
+  }
+
+  /**
+   * Save LLM classifications to cache.
+   */
+  saveLLMClassifications(classifications) {
+    try {
+      if (!fs.existsSync(this.cacheDir)) {
+        fs.mkdirSync(this.cacheDir, { recursive: true });
+      }
+      const existing = this.loadLLMClassifications();
+      const merged = { ...existing, ...classifications };
+      fs.writeFileSync(this.llmCachePath, JSON.stringify(merged, null, 2));
+    } catch {
+      // Silent
+    }
+  }
+}
+
+export default CacheManager;

package/cli/utils/pdf-generator.js

@@ -0,0 +1,94 @@
+/**
+ * PDF Generator
+ * ==============
+ *
+ * Zero-dependency PDF generation via Chrome/Chromium headless mode.
+ * Falls back to generating a print-optimized HTML file if Chrome is not found.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { execFileSync } from 'child_process';
+
+/**
+ * Well-known Chrome/Chromium paths by platform.
+ */
+function findChrome() {
+  const candidates = process.platform === 'win32'
+    ? [
+        process.env.CHROME_PATH,
+        'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
+        'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
+        process.env.LOCALAPPDATA && path.join(process.env.LOCALAPPDATA, 'Google\\Chrome\\Application\\chrome.exe'),
+      ]
+    : process.platform === 'darwin'
+    ? [
+        process.env.CHROME_PATH,
+        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
+        '/Applications/Chromium.app/Contents/MacOS/Chromium',
+      ]
+    : [
+        process.env.CHROME_PATH,
+        '/usr/bin/google-chrome',
+        '/usr/bin/google-chrome-stable',
+        '/usr/bin/chromium',
+        '/usr/bin/chromium-browser',
+        '/snap/bin/chromium',
+      ];
+
+  for (const c of candidates) {
+    if (c && fs.existsSync(c)) return c;
+  }
+  return null;
+}
+
+/**
+ * Check if Chrome is available.
+ */
+export function isChromeAvailable() {
+  return findChrome() !== null;
+}
+
+/**
+ * Generate PDF from an HTML file using Chrome headless.
+ * Returns the output path, or null if Chrome is not available.
+ */
+export function generatePDF(htmlPath, outputPath) {
+  const chrome = findChrome();
+  if (!chrome) return null;
+
+  try {
+    const args = [
+      '--headless',
+      '--disable-gpu',
+      '--no-sandbox',
+      `--print-to-pdf=${outputPath}`,
+      '--print-to-pdf-no-header',
+      htmlPath,
+    ];
+    execFileSync(chrome, args, { timeout: 30000, stdio: 'pipe' });
+    return outputPath;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Generate a print-optimized HTML file as PDF fallback.
+ */
+export function generatePrintHTML(htmlPath, outputPath) {
+  let html = fs.readFileSync(htmlPath, 'utf-8');
+  // Add print-optimized styles
+  const printCSS = `
+<style media="print">
+  body { background: #fff !important; color: #1e293b !important; }
+  .score-card, .stat, .summary-card, .toc { background: #f8fafc !important; border: 1px solid #e2e8f0 !important; }
+  table, th, td { border: 1px solid #e2e8f0 !important; }
+  code { background: #f1f5f9 !important; color: #0f172a !important; }
+  pre { background: #f1f5f9 !important; }
+  a { color: #0369a1 !important; }
+</style>`;
+  html = html.replace('</head>', printCSS + '\n</head>');
+  fs.writeFileSync(outputPath, html);
+  return outputPath;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "4.1.0",
+  "version": "4.3.0",
   "description": "AI-powered multi-agent security platform. 12 agents scan 50+ attack classes. Red team your code before attackers do.",
   "main": "cli/index.js",
   "bin": {
@@ -8,7 +8,7 @@
   },
   "type": "module",
   "scripts": {
-    "test": "node --test",
+    "test": "node --test cli/__tests__/*.test.js",
     "lint": "eslint cli/",
     "ship-safe": "node cli/bin/ship-safe.js"
   },