ship18ion 1.0.0

package/src/rules/frameworks/nextjs.ts

@@ -0,0 +1,33 @@
+import { RuleContext, RuleResult } from '../../engine/types';
+import { findEnvUsages } from '../../engine/ast';
+
+export async function checkNextJs(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    // 1. Check for NEXT_PUBLIC_ secrets
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx)$/));
+
+    for (const file of codeFiles) {
+        const usages = findEnvUsages(file);
+        for (const usage of usages) {
+            if (usage.name.startsWith('NEXT_PUBLIC_')) {
+                // Heuristic: Does it look like a secret?
+                // e.g. NEXT_PUBLIC_SECRET_KEY, NEXT_PUBLIC_API_SECRET
+                if (usage.name.match(/SECRET|PASSWORD|TOKEN|KEY|AUTH/i)) {
+                    // Exception: PUBLIC_KEY is often safe
+                    if (!usage.name.match(/PUBLIC_KEY/i)) {
+                        results.push({
+                            status: 'warn',
+                            message: `Potential secret exposed via NEXT_PUBLIC_ variable: ${usage.name}`,
+                            ruleId: 'nextjs-public-secret',
+                            file: file,
+                            line: usage.line
+                        });
+                    }
+                }
+            }
+        }
+    }
+
+    return results;
+}

package/src/rules/git.ts

@@ -0,0 +1,36 @@
+import { execSync } from 'child_process';
+import { RuleContext, RuleResult } from '../engine/types';
+
+export async function checkGit(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    try {
+        // Check for uncommitted changes
+        const status = execSync('git status --porcelain', { cwd: ctx.cwd, encoding: 'utf-8' });
+        if (status.trim().length > 0) {
+            results.push({
+                status: 'warn',
+                message: 'Git working directory is dirty (uncommitted changes). Verify before shipping.',
+                ruleId: 'git-dirty',
+            });
+        }
+
+        // Check current branch
+        const branch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: ctx.cwd, encoding: 'utf-8' }).trim();
+        const allowedBranches = ['main', 'master', 'staging', 'production', 'prod'];
+        if (!allowedBranches.includes(branch)) {
+            results.push({
+                status: 'warn',
+                message: `You are on branch '${branch}'. Production builds typically come from main/master.`,
+                ruleId: 'git-branch',
+            });
+        }
+
+    } catch (e) {
+        // Not a git repo or git not found
+        // Silently fail or warn?
+        // results.push({ status: 'warn', message: 'Not a git repository or git command failed.', ruleId: 'git-error' });
+    }
+
+    return results;
+}

package/src/rules/secrets.ts

@@ -0,0 +1,53 @@
+import fs from 'fs';
+import { RuleContext, RuleResult } from '../engine/types';
+import { SECRET_PATTERNS } from '../engine/secrets';
+
+export async function checkSecrets(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    // Skip binary files, lock files, node_modules (already ignored by scanner but specific check here)
+    const filesToCheck = ctx.files.filter(f => !f.match(/\.(png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|lock|pdf)$/));
+
+    for (const file of filesToCheck) {
+        try {
+            const content = fs.readFileSync(file, 'utf-8');
+            const lines = content.split('\n');
+
+            lines.forEach((line, index) => {
+                // Check Regex Patterns
+                for (const pattern of SECRET_PATTERNS) {
+                    if (pattern.regex.test(line)) {
+                        results.push({
+                            status: 'fail',
+                            message: `Potential secret found: ${pattern.name}`,
+                            ruleId: 'secret-pattern',
+                            file,
+                            line: index + 1
+                        });
+                    }
+                }
+
+                // Check Heuristics for assignments
+                // matches "key = '...'"
+                const genericMsg = line.match(/(api_?key|secret|token|password|auth)[\s]*[:=][\s]*['"]([a-zA-Z0-9_\-]{8,})['"]/i);
+                if (genericMsg) {
+                    const match = genericMsg[2];
+                    // Heuristic: Must be > 8 chars and not contain 'process.env' or template placeholders
+                    if (match && match.length > 8 && !line.includes('process.env') && !match.includes('${')) {
+                        results.push({
+                            status: 'warn',
+                            message: `Possible hardcoded secret (heuristic): ${genericMsg[1]}`,
+                            ruleId: 'secret-heuristic',
+                            file,
+                            line: index + 1
+                        });
+                    }
+                }
+            });
+        } catch (e) {
+            // Ignore read errors
+        }
+    }
+
+    return results;
+}

package/src/rules/security.ts

@@ -0,0 +1,55 @@
+import fs from 'fs';
+import { RuleContext, RuleResult } from '../engine/types';
+
+export async function checkSecurity(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx|json)$/));
+
+    for (const file of codeFiles) {
+        const content = fs.readFileSync(file, 'utf-8');
+
+        // 1. Check for Hardcoded NODE_ENV not being production?
+        // Actually we want to verify we are NOT hardcoding 'development' in prod context?
+        // Or "Debug / dev configs enabled" -> debug: true
+
+        if (content.match(/debug:\s*true/)) {
+            results.push({
+                status: 'warn',
+                message: 'Debug mode enabled (debug: true) found',
+                ruleId: 'security-debug-enabled',
+                file
+            });
+        }
+
+        // 2. CORS Wildcard
+        // "origin: '*'" or "origin: *"
+        if (content.match(/origin:\s*['"]?\*['"]?/)) {
+            // Default: Enabled (fail on wildcard) unless explicitly set to false
+            if (ctx.config.security?.noCorsWildcard !== false) {
+                results.push({
+                    status: 'fail',
+                    message: 'CORS wildcard origin (*) detected',
+                    ruleId: 'security-cors-wildcard',
+                    file
+                });
+            }
+        }
+
+        // 3. Hardcoded credentials (simple db keywords)
+        // postgres://user:pass@...
+        if (content.match(/:\/\/[a-zA-Z0-9]+:[a-zA-Z0-9]+@/)) {
+            // Exclude localhost
+            if (!content.includes('localhost') && !content.includes('127.0.0.1')) {
+                results.push({
+                    status: 'fail',
+                    message: 'Hardcoded database credentials in connection string',
+                    ruleId: 'security-db-creds',
+                    file
+                });
+            }
+        }
+    }
+
+    return results;
+}

package/tests/fixtures/leaky-app/.env

@@ -0,0 +1,3 @@
+DB_URL=postgres://localhost:5432/db
+UNUSED_VAR=123
+SECRET_KEY=supersecret

package/tests/fixtures/leaky-app/package.json

@@ -0,0 +1,7 @@
+{
+    "name": "leaky-app",
+    "dependencies": {
+        "express": "^4.17.1",
+        "eslint": "8.0.0"
+    }
+}

package/tests/fixtures/leaky-app/src/index.js

@@ -0,0 +1,21 @@
+const express = require('express');
+const app = express();
+
+// Hardcoded secret (fake AWS key)
+const awsKey = "AKIA1234567890123456";
+
+// Missing env var usage (API_KEY is not in .env)
+const apiKey = process.env.API_KEY;
+
+// Debug mode enabled
+const config = {
+    debug: true
+};
+
+// CORS wildcard
+app.use(cors({ origin: '*' }));
+
+// Hardcoded DB credentials
+const db = "postgres://user:password@production-db.com/db";
+
+app.listen(process.env.PORT || 3000);

package/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

package/walkthrough.md

@@ -0,0 +1,51 @@
+ship18ion - Production Readiness Inspector
+I have successfully built ship18ion, a CLI tool to check for production readiness.
+
+Features Implemented
+1. Environment Variable Safety
+Unused Variable Detection: Scans 
+
+.env
+ files and code to find variables defined but never used.
+Missing Variable Detection: Identifies process.env.VAR usages that lack a corresponding definition in 
+
+.env
+ (or config).
+Format Support: Supports 
+
+.env
+, .env.production files.
+Robust AST Parsing: Correctly detects process.env.VAR, import.meta.env.VAR (Vite), and process.env["VAR"].
+2. Secrets Detection
+Pattern Matching: Detects AWS Keys, Google API Keys, Stripe Keys, and generic private keys.
+Entropy Heuristics: Detects potential high-entropy strings assigned to "secret" or "key" variables.
+3. Framework & Security Checks
+Next.js Safety: Scans for NEXT_PUBLIC_ variables that appear to contain secrets (e.g. NEXT_PUBLIC_SECRET_KEY).
+Git Safety: Warns if deploying from a dirty working directory or a non-production branch.
+Debug Mode: Alerts on debug: true.
+CORS Wildcards: Fails if origin: '*' is detected.
+Database Credentials: Detects hardcoded connection strings.
+4. Dependency & Build Safety
+Dev Dependencies: Warns if eslint or other dev tools are in dependencies.
+Build Artifacts: Alerts if source maps (.map) or 
+
+.env
+ files are found in build directories.
+Usage
+# In your project root
+npx ship18ion check
+# CI Mode (minimal output)
+npx ship18ion check --ci
+How to Ship & Share
+See 
+
+SHIPPING.md
+ for detailed instructions on:
+
+Local Testing: Using npm link to test on your other projects instantly.
+Publishing: Pushing to NPM so anyone can use npx ship18ion.
+Architecture
+CLI: Built with commander.
+Engine: TypeScript-based rule engine.
+Parsing: Babel-based AST parsing.
+Config: ship18ion.config.json support.