ship18ion 1.0.0

package/dist/rules/git.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkGit = checkGit;
+const child_process_1 = require("child_process");
+async function checkGit(ctx) {
+    const results = [];
+    try {
+        // Check for uncommitted changes
+        const status = (0, child_process_1.execSync)('git status --porcelain', { cwd: ctx.cwd, encoding: 'utf-8' });
+        if (status.trim().length > 0) {
+            results.push({
+                status: 'warn',
+                message: 'Git working directory is dirty (uncommitted changes). Verify before shipping.',
+                ruleId: 'git-dirty',
+            });
+        }
+        // Check current branch
+        const branch = (0, child_process_1.execSync)('git rev-parse --abbrev-ref HEAD', { cwd: ctx.cwd, encoding: 'utf-8' }).trim();
+        const allowedBranches = ['main', 'master', 'staging', 'production', 'prod'];
+        if (!allowedBranches.includes(branch)) {
+            results.push({
+                status: 'warn',
+                message: `You are on branch '${branch}'. Production builds typically come from main/master.`,
+                ruleId: 'git-branch',
+            });
+        }
+    }
+    catch (e) {
+        // Not a git repo or git not found
+        // Silently fail or warn?
+        // results.push({ status: 'warn', message: 'Not a git repository or git command failed.', ruleId: 'git-error' });
+    }
+    return results;
+}

package/dist/rules/secrets.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSecrets = checkSecrets;
+const fs_1 = __importDefault(require("fs"));
+const secrets_1 = require("../engine/secrets");
+async function checkSecrets(ctx) {
+    const results = [];
+    // Skip binary files, lock files, node_modules (already ignored by scanner but specific check here)
+    const filesToCheck = ctx.files.filter(f => !f.match(/\.(png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|lock|pdf)$/));
+    for (const file of filesToCheck) {
+        try {
+            const content = fs_1.default.readFileSync(file, 'utf-8');
+            const lines = content.split('\n');
+            lines.forEach((line, index) => {
+                // Check Regex Patterns
+                for (const pattern of secrets_1.SECRET_PATTERNS) {
+                    if (pattern.regex.test(line)) {
+                        results.push({
+                            status: 'fail',
+                            message: `Potential secret found: ${pattern.name}`,
+                            ruleId: 'secret-pattern',
+                            file,
+                            line: index + 1
+                        });
+                    }
+                }
+                // Check Heuristics for assignments
+                // matches "key = '...'"
+                const genericMsg = line.match(/(api_?key|secret|token|password|auth)[\s]*[:=][\s]*['"]([a-zA-Z0-9_\-]{8,})['"]/i);
+                if (genericMsg) {
+                    const match = genericMsg[2];
+                    // Heuristic: Must be > 8 chars and not contain 'process.env' or template placeholders
+                    if (match && match.length > 8 && !line.includes('process.env') && !match.includes('${')) {
+                        results.push({
+                            status: 'warn',
+                            message: `Possible hardcoded secret (heuristic): ${genericMsg[1]}`,
+                            ruleId: 'secret-heuristic',
+                            file,
+                            line: index + 1
+                        });
+                    }
+                }
+            });
+        }
+        catch (e) {
+            // Ignore read errors
+        }
+    }
+    return results;
+}

package/dist/rules/security.js

@@ -0,0 +1,52 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSecurity = checkSecurity;
+const fs_1 = __importDefault(require("fs"));
+async function checkSecurity(ctx) {
+    const results = [];
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx|json)$/));
+    for (const file of codeFiles) {
+        const content = fs_1.default.readFileSync(file, 'utf-8');
+        // 1. Check for Hardcoded NODE_ENV not being production?
+        // Actually we want to verify we are NOT hardcoding 'development' in prod context?
+        // Or "Debug / dev configs enabled" -> debug: true
+        if (content.match(/debug:\s*true/)) {
+            results.push({
+                status: 'warn',
+                message: 'Debug mode enabled (debug: true) found',
+                ruleId: 'security-debug-enabled',
+                file
+            });
+        }
+        // 2. CORS Wildcard
+        // "origin: '*'" or "origin: *"
+        if (content.match(/origin:\s*['"]?\*['"]?/)) {
+            // Default: Enabled (fail on wildcard) unless explicitly set to false
+            if (ctx.config.security?.noCorsWildcard !== false) {
+                results.push({
+                    status: 'fail',
+                    message: 'CORS wildcard origin (*) detected',
+                    ruleId: 'security-cors-wildcard',
+                    file
+                });
+            }
+        }
+        // 3. Hardcoded credentials (simple db keywords)
+        // postgres://user:pass@...
+        if (content.match(/:\/\/[a-zA-Z0-9]+:[a-zA-Z0-9]+@/)) {
+            // Exclude localhost
+            if (!content.includes('localhost') && !content.includes('127.0.0.1')) {
+                results.push({
+                    status: 'fail',
+                    message: 'Hardcoded database credentials in connection string',
+                    ruleId: 'security-db-creds',
+                    file
+                });
+            }
+        }
+    }
+    return results;
+}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "ship18ion",
+  "version": "1.0.0",
+  "description": "",
+  "main": "dist/cli/index.js",
+  "bin": {
+    "ship18ion": "./dist/cli/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "start": "node dist/cli/index.js",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "cli",
+    "security",
+    "production",
+    "env",
+    "secrets",
+    "deployment",
+    "linter"
+  ],
+  "author": "TRIPLE HASH",
+  "license": "ISC",
+  "dependencies": {
+    "@babel/parser": "^7.28.5",
+    "@babel/traverse": "^7.28.5",
+    "@types/babel__traverse": "^7.28.0",
+    "@types/node": "^25.0.3",
+    "chalk": "^4.1.2",
+    "commander": "^14.0.2",
+    "dotenv": "^17.2.3",
+    "glob": "^13.0.0",
+    "typescript": "^5.9.3"
+  }
+}

package/src/cli/index.ts

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import chalk from 'chalk';
+import { loadConfig } from '../engine/config';
+import { runChecks } from '../engine/runner';
+import { reportConsole } from '../reporters/console';
+
+const program = new Command();
+
+program
+    .name('ship18ion')
+    .description('Production Readiness Inspector')
+    .version('0.1.0');
+
+program
+    .command('check', { isDefault: true })
+    .description('Run production readiness checks')
+    .option('--ci', 'Run in CI mode (minimal output, exit codes)')
+    .action(async (options) => {
+        // console.log(chalk.blue('Starting ship18ion checks...'));
+        const cwd = process.cwd();
+        const config = await loadConfig(cwd);
+
+        try {
+            const results = await runChecks(config, cwd);
+            // Uses console reporter for both normal and CI for now (it handles exit codes)
+            reportConsole(results, cwd);
+        } catch (e) {
+            console.error(chalk.red('Error running checks:'), e);
+            process.exit(1);
+        }
+    });
+
+program.parse(process.argv);

package/src/engine/ast.ts

@@ -0,0 +1,84 @@
+import fs from 'fs';
+import * as parser from '@babel/parser';
+import traverse from '@babel/traverse';
+import * as t from '@babel/types';
+
+export interface EnvUsage {
+    name: string;
+    line: number;
+    file: string;
+}
+
+export function findEnvUsages(filePath: string): EnvUsage[] {
+    if (!fs.existsSync(filePath)) return [];
+
+    const code = fs.readFileSync(filePath, 'utf-8');
+    const usages: EnvUsage[] = [];
+
+    // Only parse JS/TS files
+    if (!/\.(js|ts|jsx|tsx)$/.test(filePath)) {
+        return [];
+    }
+
+    try {
+        const ast = parser.parse(code, {
+            sourceType: 'module',
+            plugins: ['typescript', 'jsx'],
+        });
+
+        traverse(ast, {
+            MemberExpression(path) {
+                // 1. Check for process.env.VAR
+                if (
+                    t.isMemberExpression(path.node.object) &&
+                    t.isIdentifier(path.node.object.object) &&
+                    path.node.object.object.name === 'process' &&
+                    t.isIdentifier(path.node.object.property) &&
+                    path.node.object.property.name === 'env'
+                ) {
+                    if (t.isIdentifier(path.node.property)) {
+                        usages.push({
+                            name: path.node.property.name,
+                            line: path.node.loc?.start.line || 0,
+                            file: filePath
+                        });
+                    } else if (t.isStringLiteral(path.node.property)) {
+                        usages.push({
+                            name: path.node.property.value,
+                            line: path.node.loc?.start.line || 0,
+                            file: filePath
+                        });
+                    }
+                }
+
+                // 2. Check for import.meta.env.VAR (Vite)
+                // AST structure: MemberExpression
+                //   object: MemberExpression
+                //     object: MetaProperty (import.meta)
+                //     property: Identifier (env)
+                //   property: Identifier (VAR)
+
+                if (
+                    t.isMemberExpression(path.node.object) &&
+                    t.isMetaProperty(path.node.object.object) &&
+                    path.node.object.object.meta.name === 'import' &&
+                    path.node.object.object.property.name === 'meta' &&
+                    t.isIdentifier(path.node.object.property) &&
+                    path.node.object.property.name === 'env'
+                ) {
+                    if (t.isIdentifier(path.node.property)) {
+                        usages.push({
+                            name: path.node.property.name,
+                            line: path.node.loc?.start.line || 0,
+                            file: filePath
+                        });
+                    }
+                }
+            }
+        });
+
+    } catch (e) {
+        // console.warn(`Failed to parse ${filePath}:`, e);
+    }
+    return usages;
+}

package/src/engine/config.ts

@@ -0,0 +1,28 @@
+import fs from 'fs';
+import path from 'path';
+
+export interface Ship18ionConfig {
+    env?: {
+        required?: string[];
+        disallowed?: string[];
+    };
+    security?: {
+        noCorsWildcard?: boolean;
+        requireRateLimit?: boolean;
+    };
+    ignore?: string[];
+}
+
+export async function loadConfig(cwd: string = process.cwd()): Promise<Ship18ionConfig> {
+    const configPath = path.join(cwd, 'ship18ion.config.json');
+    if (fs.existsSync(configPath)) {
+        const content = fs.readFileSync(configPath, 'utf-8');
+        try {
+            return JSON.parse(content);
+        } catch (e) {
+            console.error('Failed to parse config file:', e);
+            return {};
+        }
+    }
+    return {};
+}

package/src/engine/runner.ts

@@ -0,0 +1,27 @@
+import { Ship18ionConfig } from './config';
+import { scanFiles } from './scanner';
+import { RuleContext, RuleResult } from './types';
+import { checkEnvVars } from '../rules/env';
+import { checkSecrets } from '../rules/secrets';
+import { checkSecurity } from '../rules/security';
+import { checkDependencies, checkBuild } from '../rules/build';
+import { checkNextJs } from '../rules/frameworks/nextjs';
+import { checkGit } from '../rules/git';
+
+export async function runChecks(config: Ship18ionConfig, cwd: string): Promise<RuleResult[]> {
+    const files = await scanFiles(cwd, config.ignore);
+    const ctx: RuleContext = { config, files, cwd };
+
+    const results: RuleResult[] = [];
+
+    // Run all checks
+    results.push(...await checkEnvVars(ctx));
+    results.push(...await checkSecrets(ctx));
+    results.push(...await checkSecurity(ctx));
+    results.push(...await checkDependencies(ctx));
+    results.push(...await checkBuild(ctx));
+    results.push(...await checkNextJs(ctx));
+    results.push(...await checkGit(ctx));
+
+    return results;
+}

package/src/engine/scanner.ts

@@ -0,0 +1,13 @@
+import { glob } from 'glob';
+import path from 'path';
+
+export async function scanFiles(cwd: string, ignore: string[] = []): Promise<string[]> {
+    const defaultIgnore = ['**/node_modules/**', '**/dist/**', '**/.git/**'];
+    // Scan for relevant files: JS/TS code, Configs (JSON/YAML), Env files
+    return glob('**/*.{js,ts,jsx,tsx,json,yaml,yml,env,env.*}', {
+        cwd,
+        ignore: [...defaultIgnore, ...ignore],
+        absolute: true,
+        dot: true, // Include .env files
+    });
+}

package/src/engine/secrets.ts

@@ -0,0 +1,26 @@
+export const SECRET_PATTERNS = [
+    { name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/ },
+    { name: 'Google API Key', regex: /AIza[0-9A-Za-z\\-_]{35}/ },
+    { name: 'Stripe Secret Key', regex: /sk_live_[0-9a-zA-Z]{24}/ },
+    { name: 'GitHub Personal Access Token', regex: /ghp_[0-9a-zA-Z]{36}/ },
+    { name: 'Generic Private Key', regex: /-----BEGIN .* PRIVATE KEY-----/ },
+    { name: 'Slack Bot Token', regex: /xoxb-[0-9]{11}-[0-9]{12}-[0-9a-zA-Z]{24}/ },
+    { name: 'OpenAI API Key', regex: /sk-[a-zA-Z0-9]{48}/ }
+];
+
+export function calculateEntropy(str: string): number {
+    const len = str.length;
+    const frequencies = Array.from(str).reduce((freq, char) => {
+        freq[char] = (freq[char] || 0) + 1;
+        return freq;
+    }, {} as Record<string, number>);
+
+    return Object.values(frequencies).reduce((sum, f) => {
+        const p = f / len;
+        return sum - (p * Math.log2(p));
+    }, 0);
+}
+
+export function isHighEntropy(str: string, threshold = 4.5): boolean {
+    return calculateEntropy(str) > threshold;
+}

package/src/engine/types.ts

@@ -0,0 +1,15 @@
+import { Ship18ionConfig } from './config';
+
+export interface RuleResult {
+    status: 'pass' | 'fail' | 'warn';
+    message: string;
+    file?: string;
+    line?: number;
+    ruleId: string;
+}
+
+export interface RuleContext {
+    config: Ship18ionConfig;
+    files: string[];
+    cwd: string;
+}

package/src/reporters/console.ts

@@ -0,0 +1,62 @@
+import chalk from 'chalk';
+import path from 'path';
+import { RuleResult } from '../engine/types';
+
+const CATEGORIES: Record<string, { icon: string; label: string }> = {
+    'env': { icon: '🌱', label: 'Environment' },
+    'secret': { icon: '🔐', label: 'Secrets' },
+    'security': { icon: '⚠️', label: 'Security' },
+    'dep': { icon: '📦', label: 'Dependency & Build' },
+    'build': { icon: '📦', label: 'Dependency & Build' },
+};
+
+function getCategory(ruleId: string) {
+    const prefix = ruleId.split('-')[0];
+    return CATEGORIES[prefix] || { icon: '❓', label: 'Other' };
+}
+
+export function reportConsole(results: RuleResult[], cwd: string) {
+    if (results.length === 0) {
+        console.log(chalk.green('\n✅  Production Readiness Check Passed!\n'));
+        return;
+    }
+
+    const fails = results.filter(r => r.status === 'fail');
+    const warns = results.filter(r => r.status === 'warn');
+
+    if (fails.length > 0) {
+        console.log(chalk.red('\n❌  Production Readiness Check Failed\n'));
+    } else {
+        console.log(chalk.yellow('\n⚠️  Production Readiness Check Passed with Warnings\n'));
+    }
+
+    // Group by category
+    const grouped: Record<string, RuleResult[]> = {};
+    results.forEach(r => {
+        const cat = getCategory(r.ruleId);
+        const key = `${cat.icon} ${cat.label}`;
+        if (!grouped[key]) grouped[key] = [];
+        grouped[key].push(r);
+    });
+
+    for (const [category, items] of Object.entries(grouped)) {
+        console.log(chalk.bold(category));
+        for (const item of items) {
+            const sym = item.status === 'fail' ? chalk.red('✖') : chalk.yellow('!');
+            const location = item.file ? `${path.relative(cwd, item.file)}${item.line ? `:${item.line}` : ''}` : '';
+            console.log(`  ${sym} ${item.message} ${chalk.gray(location)}`);
+        }
+        console.log('');
+    }
+
+    const summary = [];
+    if (fails.length > 0) summary.push(chalk.red(`${fails.length} errors`));
+    if (warns.length > 0) summary.push(chalk.yellow(`${warns.length} warnings`));
+
+    console.log(`Summary: ${summary.join(', ')}`);
+    console.log('');
+
+    if (fails.length > 0) {
+        process.exit(1);
+    }
+}

package/src/rules/build.ts

@@ -0,0 +1,74 @@
+import fs from 'fs';
+import path from 'path';
+import { RuleContext, RuleResult } from '../engine/types';
+
+export async function checkDependencies(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    const packageJsons = ctx.files.filter(f => f.endsWith('package.json') && !f.includes('node_modules'));
+
+    const devToolsInProd = ['eslint', 'jest', 'mocha', 'nodemon', 'ts-node', 'typescript', 'webpack', 'babel-loader'];
+
+    for (const pkgFile of packageJsons) {
+        try {
+            const content = JSON.parse(fs.readFileSync(pkgFile, 'utf-8'));
+            const deps = content.dependencies || {};
+
+            for (const tool of devToolsInProd) {
+                if (deps[tool]) {
+                    results.push({
+                        status: 'warn',
+                        message: `Dev dependency found in 'dependencies': ${tool}. Should be in 'devDependencies'?`,
+                        ruleId: 'dep-dev-in-prod',
+                        file: pkgFile
+                    });
+                }
+            }
+        } catch (e) {
+            // ignore
+        }
+    }
+    return results;
+}
+
+export async function checkBuild(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    // Check for source maps in potential build dirs (dist, build, out, .next)
+    // Scanner ignores dist by default, but if we want to check build artifacts we might need to scan explicitly OR assumes user runs this in root.
+    // If the scanner ignores 'dist', we won't see them.
+    // So this check is effective only if scanner INCLUDES build dirs or we explicitly look for them.
+
+    // Let's explicitly check common build folders in CWD if they exist, ignoring scanner's ignore list for this specific check?
+    // Or just warn if we find .map files in the file list (meaning they were NOT ignored/cleaned).
+
+    const mapFiles = ctx.files.filter(f => f.endsWith('.map'));
+    for (const file of mapFiles) {
+        // Only if it looks like a build artifact
+        if (file.includes('/dist/') || file.includes('/build/') || file.includes('/.next/')) {
+            results.push({
+                status: 'warn',
+                message: 'Source map found in build output (information leak)',
+                ruleId: 'build-source-map',
+                file
+            });
+        }
+    }
+
+    // Check for .env in build folders
+    const envInBuild = ctx.files.filter(f =>
+        (f.endsWith('.env') || f.includes('.env.')) &&
+        (f.includes('/dist/') || f.includes('/build/') || f.includes('/.next/'))
+    );
+
+    for (const file of envInBuild) {
+        results.push({
+            status: 'fail',
+            message: 'Environment file found in build output!',
+            ruleId: 'build-env-leak',
+            file
+        });
+    }
+
+    return results;
+}

package/src/rules/env.ts

@@ -0,0 +1,99 @@
+import fs from 'fs';
+import dotenv from 'dotenv';
+import { RuleContext, RuleResult } from '../engine/types';
+import { findEnvUsages } from '../engine/ast';
+
+export async function checkEnvVars(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+    const declaredEnvs = new Set<string>();
+    const usedEnvs = new Map<string, { file: string, line: number }[]>();
+
+    // 1. Find and parse .env files (definition detection)
+    const envFiles = ctx.files.filter(f => f.match(/\.env(\..+)?$/));
+    for (const file of envFiles) {
+        const content = fs.readFileSync(file, 'utf-8');
+        try {
+            const parsed = dotenv.parse(content);
+            Object.keys(parsed).forEach(k => declaredEnvs.add(k));
+        } catch (e) {
+            results.push({
+                status: 'warn',
+                message: `Failed to parse env file: ${file}`,
+                ruleId: 'env-parse-error',
+                file: file
+            });
+        }
+    }
+
+    // 2. Scan for usages
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx)$/));
+    for (const file of codeFiles) {
+        const usages = findEnvUsages(file);
+        for (const u of usages) {
+            if (!usedEnvs.has(u.name)) {
+                usedEnvs.set(u.name, []);
+            }
+            usedEnvs.get(u.name)?.push({ file, line: u.line });
+        }
+    }
+
+    // 3. Rule: Unused env vars
+    // Fail if Env vars exist but never used
+    for (const env of declaredEnvs) {
+        if (!usedEnvs.has(env)) {
+            // Ignore some common framework vars if needed, but strict mode says unused is bad.
+            results.push({
+                status: 'warn', // Warn for now, maybe fail? User said "Fail if Env vars exist but never used"
+                message: `Unused environment variable: ${env}`,
+                ruleId: 'env-unused',
+                file: envFiles[0] // Just point to first env file for now
+            });
+        }
+    }
+
+    // 4. Rule: Missing required env vars
+    // "App references process.env.X But it’s not defined anywhere"
+    // Also check strict list from config
+    const required = ctx.config.env?.required || [];
+
+    // Check missing from strict config
+    for (const req of required) {
+        if (!declaredEnvs.has(req)) {
+            results.push({
+                status: 'fail',
+                message: `Missing required environment variable (configured): ${req}`,
+                ruleId: 'env-missing-config',
+            });
+        }
+    }
+
+    // Check usage without definition
+    const commonSystemVars = ['NODE_ENV', 'PORT', 'CI'];
+    for (const [env, locs] of usedEnvs) {
+        if (!declaredEnvs.has(env) && !commonSystemVars.includes(env)) {
+            // Check if it is in disallowed list?
+            if (ctx.config.env?.disallowed?.includes(env)) {
+                results.push({
+                    status: 'fail',
+                    message: `Disallowed environment variable used: ${env}`,
+                    ruleId: 'env-disallowed',
+                    file: locs[0].file,
+                    line: locs[0].line
+                });
+            } else {
+                // It's used but not in .env. 
+                // We should probably warn unless we are in strict mode.
+                // User said: "Fail if Required env var is missing" -> checking usage implies requirement.
+                results.push({
+                    status: 'warn',
+                    message: `Environment variable used but not defined in .env: ${env}`,
+                    ruleId: 'env-missing-definition',
+                    file: locs[0].file,
+                    line: locs[0].line
+                });
+            }
+        }
+    }
+
+    return results;
+}