tlc-claude-code 2.0.1 → 2.1.0

package/server/lib/command-runner.js

@@ -0,0 +1,159 @@
+/**
+ * Command Runner — execute TLC commands via container, Claude Code, or queue
+ * Phase 80 Task 8
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync, spawn } = require('child_process');
+
+const VALID_COMMANDS = ['build', 'deploy', 'test', 'plan', 'verify', 'review', 'status'];
+
+/**
+ * Create command runner
+ * @param {Object} [options]
+ * @param {Function} [options._checkDocker] - Check if tlc-standalone image exists
+ * @param {Function} [options._checkClaude] - Check if Claude Code is running
+ * @returns {Object} Command runner API
+ */
+function createCommandRunner(options = {}) {
+  const checkDocker = options._checkDocker || defaultCheckDocker;
+  const checkClaude = options._checkClaude || defaultCheckClaude;
+
+  async function defaultCheckDocker() {
+    try {
+      execSync('docker image inspect tlc-standalone 2>/dev/null', { stdio: 'pipe' });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  function defaultCheckClaude() {
+    try {
+      const result = execSync('pgrep -f "claude" 2>/dev/null', { stdio: 'pipe' });
+      return result.toString().trim().length > 0;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Detect best execution method
+   * @param {string} projectPath
+   * @returns {Promise<string>} 'container' | 'claude-code' | 'queue'
+   */
+  async function detectExecutionMethod(projectPath) {
+    if (await checkDocker()) return 'container';
+    if (checkClaude()) return 'claude-code';
+    return 'queue';
+  }
+
+  /**
+   * Execute command via Docker container
+   * @param {string} projectPath
+   * @param {string} command
+   * @param {Function} onOutput
+   * @returns {Promise<{ exitCode: number }>}
+   */
+  async function executeViaContainer(projectPath, command, onOutput) {
+    return new Promise((resolve, reject) => {
+      const proc = spawn('docker', [
+        'run', '--rm',
+        '-v', `${projectPath}:/project`,
+        '-w', '/project',
+        'tlc-standalone',
+        'tlc', command,
+      ]);
+
+      proc.stdout.on('data', (data) => onOutput && onOutput(data.toString()));
+      proc.stderr.on('data', (data) => onOutput && onOutput(data.toString()));
+      proc.on('close', (code) => resolve({ exitCode: code }));
+      proc.on('error', (err) => reject(err));
+    });
+  }
+
+  /**
+   * Queue command as task in PLAN.md
+   * @param {string} projectPath
+   * @param {string} command
+   */
+  async function queueCommand(projectPath, command) {
+    const timestamp = new Date().toISOString();
+    const entry = `\n### Queued: tlc ${command}\n_Queued at ${timestamp}_\n`;
+
+    // Find most recent plan file
+    const planDir = path.join(projectPath, '.planning', 'phases');
+    if (fs.existsSync(planDir)) {
+      const plans = fs.readdirSync(planDir).filter(f => f.endsWith('-PLAN.md')).sort((a, b) => {
+        const numA = parseInt(a.match(/^(\d+)/)?.[1] || '0', 10);
+        const numB = parseInt(b.match(/^(\d+)/)?.[1] || '0', 10);
+        return numA - numB;
+      });
+      if (plans.length > 0) {
+        const planPath = path.join(planDir, plans[plans.length - 1]);
+        fs.appendFileSync(planPath, entry);
+      }
+    }
+
+    // Log to history
+    logCommand(projectPath, { command, timestamp, method: 'queue' });
+
+    return { queued: true, method: 'queue', command };
+  }
+
+  /**
+   * Log a command to history
+   */
+  function logCommand(projectPath, entry) {
+    const histPath = path.join(projectPath, '.tlc', 'command-history.json');
+    const dir = path.dirname(histPath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+    let history = [];
+    try {
+      if (fs.existsSync(histPath)) {
+        history = JSON.parse(fs.readFileSync(histPath, 'utf8'));
+      }
+    } catch {}
+    history.push(entry);
+    // Keep last 100
+    if (history.length > 100) history = history.slice(-100);
+    fs.writeFileSync(histPath, JSON.stringify(history, null, 2));
+  }
+
+  /**
+   * Get command history for a project
+   * @param {string} projectPath
+   * @returns {Array}
+   */
+  function getCommandHistory(projectPath) {
+    const histPath = path.join(projectPath, '.tlc', 'command-history.json');
+    try {
+      if (fs.existsSync(histPath)) {
+        return JSON.parse(fs.readFileSync(histPath, 'utf8'));
+      }
+    } catch {}
+    return [];
+  }
+
+  /**
+   * Validate command type
+   * @param {string} command
+   * @returns {boolean}
+   */
+  function validateCommand(command) {
+    if (!command || typeof command !== 'string') return false;
+    return VALID_COMMANDS.includes(command);
+  }
+
+  return {
+    detectExecutionMethod,
+    executeViaContainer,
+    queueCommand,
+    getCommandHistory,
+    validateCommand,
+  };
+}
+
+module.exports = { createCommandRunner };

package/server/lib/command-runner.test.js

@@ -0,0 +1,92 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+
+const { createCommandRunner } = await import('./command-runner.js');
+
+describe('CommandRunner', () => {
+  let runner;
+  let tempDir;
+
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cmd-runner-test-'));
+    runner = createCommandRunner({
+      _checkDocker: vi.fn().mockResolvedValue(false),
+      _checkClaude: vi.fn().mockReturnValue(false),
+    });
+  });
+
+  afterEach(() => {
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe('detectExecutionMethod', () => {
+    it('returns container when tlc-standalone image exists', async () => {
+      const r = createCommandRunner({
+        _checkDocker: vi.fn().mockResolvedValue(true),
+        _checkClaude: vi.fn().mockReturnValue(false),
+      });
+      const method = await r.detectExecutionMethod(tempDir);
+      expect(method).toBe('container');
+    });
+
+    it('returns claude-code when Claude Code process running', async () => {
+      const r = createCommandRunner({
+        _checkDocker: vi.fn().mockResolvedValue(false),
+        _checkClaude: vi.fn().mockReturnValue(true),
+      });
+      const method = await r.detectExecutionMethod(tempDir);
+      expect(method).toBe('claude-code');
+    });
+
+    it('returns queue as fallback', async () => {
+      const method = await runner.detectExecutionMethod(tempDir);
+      expect(method).toBe('queue');
+    });
+  });
+
+  describe('queueCommand', () => {
+    it('appends task to PLAN.md', async () => {
+      const planDir = path.join(tempDir, '.planning', 'phases');
+      fs.mkdirSync(planDir, { recursive: true });
+      fs.writeFileSync(path.join(planDir, '1-PLAN.md'), '# Phase 1\n');
+
+      const result = await runner.queueCommand(tempDir, 'build');
+      expect(result.queued).toBe(true);
+      expect(result.method).toBe('queue');
+    });
+  });
+
+  describe('getCommandHistory', () => {
+    it('returns recent commands', () => {
+      const histDir = path.join(tempDir, '.tlc');
+      fs.mkdirSync(histDir, { recursive: true });
+      fs.writeFileSync(path.join(histDir, 'command-history.json'), JSON.stringify([
+        { command: 'build', timestamp: '2026-02-18T00:00:00Z', method: 'queue' },
+      ]));
+
+      const history = runner.getCommandHistory(tempDir);
+      expect(history).toHaveLength(1);
+      expect(history[0].command).toBe('build');
+    });
+
+    it('returns empty array when no history', () => {
+      const history = runner.getCommandHistory(tempDir);
+      expect(history).toEqual([]);
+    });
+  });
+
+  describe('validateCommand', () => {
+    it('accepts valid commands', () => {
+      expect(runner.validateCommand('build')).toBe(true);
+      expect(runner.validateCommand('deploy')).toBe(true);
+      expect(runner.validateCommand('test')).toBe(true);
+    });
+
+    it('rejects invalid commands', () => {
+      expect(runner.validateCommand('')).toBe(false);
+      expect(runner.validateCommand(null)).toBe(false);
+    });
+  });
+});

package/server/lib/deploy/runners/dependency-runner.js

@@ -0,0 +1,106 @@
+/**
+ * Dependency Runner
+ *
+ * Scans project dependencies using npm audit.
+ * Returns findings with severity, package name, and fix availability.
+ */
+
+import { execFile as defaultExecFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import fs from 'node:fs';
+import path from 'node:path';
+
+const execFileAsync = promisify(defaultExecFile);
+
+/** Severity levels ordered from lowest to highest */
+const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];
+
+/**
+ * Check if a severity meets or exceeds the threshold
+ * @param {string} severity - The vulnerability severity
+ * @param {string} threshold - The minimum severity to fail on
+ * @returns {boolean} True if severity >= threshold
+ */
+function meetsThreshold(severity, threshold) {
+  return SEVERITY_ORDER.indexOf(severity) >= SEVERITY_ORDER.indexOf(threshold);
+}
+
+/**
+ * Create a dependency scanning runner
+ * @param {Object} [deps] - Injectable dependencies for testing
+ * @param {Function} [deps.exec] - Command executor (replaces execFile)
+ * @param {Object} [deps.fs] - File system module
+ * @param {string} [deps.severityThreshold] - Minimum severity to fail on (default: 'high')
+ * @returns {Function} Runner function: (projectPath, options) => { passed, findings, error? }
+ */
+export function createDependencyRunner(deps = {}) {
+  const {
+    exec: execFn,
+    fs: fsMod = fs,
+    severityThreshold = 'high',
+  } = deps;
+
+  return async (projectPath, options = {}) => {
+    // Check if package.json exists
+    const pkgPath = path.join(projectPath, 'package.json');
+    if (!fsMod.existsSync(pkgPath)) {
+      return { passed: true, findings: [] };
+    }
+
+    let stdout;
+    try {
+      if (execFn) {
+        // Injected exec for testing
+        const result = await execFn('npm', ['audit', '--json'], { cwd: projectPath });
+        stdout = result.stdout;
+      } else {
+        // Real exec
+        try {
+          const result = await execFileAsync('npm', ['audit', '--json'], { cwd: projectPath });
+          stdout = result.stdout;
+        } catch (execErr) {
+          // npm audit exits with code 1 when vulnerabilities found — that's expected
+          if (execErr.stdout) {
+            stdout = execErr.stdout;
+          } else {
+            throw execErr;
+          }
+        }
+      }
+    } catch (err) {
+      return { passed: false, findings: [], error: err.message };
+    }
+
+    // Parse the JSON output
+    let auditData;
+    try {
+      auditData = JSON.parse(stdout);
+    } catch {
+      return { passed: false, findings: [], error: 'Failed to parse npm audit output' };
+    }
+
+    const vulnerabilities = auditData.vulnerabilities || {};
+    const findings = [];
+    let hasFailingSeverity = false;
+
+    for (const [name, vuln] of Object.entries(vulnerabilities)) {
+      const finding = {
+        severity: vuln.severity,
+        package: vuln.name || name,
+        title: vuln.title || 'Unknown vulnerability',
+        url: vuln.url || '',
+        fixAvailable: Boolean(vuln.fixAvailable),
+      };
+      findings.push(finding);
+
+      if (meetsThreshold(vuln.severity, severityThreshold)) {
+        hasFailingSeverity = true;
+      }
+    }
+
+    return {
+      passed: !hasFailingSeverity,
+      findings,
+    };
+  };
+}

package/server/lib/deploy/runners/dependency-runner.test.js

@@ -0,0 +1,148 @@
+/**
+ * Dependency Runner Tests
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createDependencyRunner } from './dependency-runner.js';
+
+describe('dependency-runner', () => {
+  let execMock;
+  let fsMock;
+  let runner;
+
+  beforeEach(() => {
+    execMock = vi.fn();
+    fsMock = { existsSync: vi.fn().mockReturnValue(true) };
+    runner = createDependencyRunner({ exec: execMock, fs: fsMock });
+  });
+
+  it('passes when npm audit returns no vulnerabilities', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({ vulnerabilities: {} }),
+      exitCode: 0,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('fails when npm audit finds high-severity vulnerability', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'bad-pkg': {
+            name: 'bad-pkg',
+            severity: 'high',
+            title: 'Prototype Pollution',
+            url: 'https://npmjs.com/advisories/123',
+            fixAvailable: true,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings).toHaveLength(1);
+    expect(result.findings[0].severity).toBe('high');
+    expect(result.findings[0].package).toBe('bad-pkg');
+    expect(result.findings[0].title).toBe('Prototype Pollution');
+  });
+
+  it('passes when only low/moderate vulnerabilities found', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'ok-pkg': {
+            name: 'ok-pkg',
+            severity: 'moderate',
+            title: 'ReDoS',
+            url: 'https://npmjs.com/advisories/456',
+            fixAvailable: true,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toHaveLength(1);
+  });
+
+  it('fails when critical vulnerability found', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'evil-pkg': {
+            name: 'evil-pkg',
+            severity: 'critical',
+            title: 'RCE',
+            url: 'https://npmjs.com/advisories/789',
+            fixAvailable: false,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings[0].severity).toBe('critical');
+  });
+
+  it('handles missing package.json', async () => {
+    fsMock.existsSync.mockReturnValue(false);
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('handles npm audit JSON parse error', async () => {
+    execMock.mockResolvedValue({
+      stdout: 'not valid json',
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.error).toBeDefined();
+  });
+
+  it('handles npm audit process error', async () => {
+    execMock.mockRejectedValue(new Error('npm not found'));
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.error).toContain('npm not found');
+  });
+
+  it('respects configurable severity threshold', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'bad-pkg': {
+            name: 'bad-pkg',
+            severity: 'high',
+            title: 'Prototype Pollution',
+            url: 'https://npmjs.com/advisories/123',
+            fixAvailable: true,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const lenientRunner = createDependencyRunner({
+      exec: execMock,
+      fs: fsMock,
+      severityThreshold: 'critical',
+    });
+
+    const result = await lenientRunner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toHaveLength(1);
+  });
+});

package/server/lib/deploy/runners/secrets-runner.js

@@ -0,0 +1,174 @@
+/**
+ * Secrets Runner
+ *
+ * Scans project files for hardcoded secrets using regex patterns.
+ * No external tools required — pure pattern matching.
+ */
+
+import { readdir, readFile as fsReadFile } from 'node:fs/promises';
+import path from 'node:path';
+
+/** Secret detection patterns */
+const SECRET_PATTERNS = [
+  {
+    name: 'hardcoded-password',
+    pattern: /(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{4,}["']/i,
+    severity: 'high',
+  },
+  {
+    name: 'aws-access-key',
+    pattern: /AKIA[0-9A-Z]{16}/,
+    severity: 'critical',
+  },
+  {
+    name: 'private-key',
+    pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/,
+    severity: 'critical',
+  },
+  {
+    name: 'generic-api-key',
+    pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*["'][^"']{8,}["']/i,
+    severity: 'high',
+  },
+  {
+    name: 'generic-secret',
+    pattern: /(?:secret|token)\s*[:=]\s*["'](?:sk_live_|sk_test_|ghp_|gho_|ghs_)[^"']+["']/i,
+    severity: 'high',
+  },
+];
+
+/** File extensions to scan */
+const SCAN_EXTENSIONS = new Set([
+  '.js', '.ts', '.json', '.env', '.yml', '.yaml', '.jsx', '.tsx', '.mjs', '.cjs',
+]);
+
+/** Default file glob pattern (used with injected glob) */
+const DEFAULT_GLOB = '**/*.{js,ts,json,env,yml,yaml,jsx,tsx,mjs,cjs}';
+
+/** Default exclusion patterns */
+const DEFAULT_IGNORE = [
+  '**/node_modules/**',
+  '**/.git/**',
+  '**/package-lock.json',
+  '**/yarn.lock',
+  '**/pnpm-lock.yaml',
+  '**/*.test.*',
+  '**/*.spec.*',
+  '**/__tests__/**',
+];
+
+/** Directory names to skip during recursive walk */
+const SKIP_DIRS = new Set(['node_modules', '.git', '__tests__']);
+
+/** File patterns to skip */
+const SKIP_FILE_PATTERNS = [
+  /\.test\./,
+  /\.spec\./,
+  /package-lock\.json$/,
+  /yarn\.lock$/,
+  /pnpm-lock\.yaml$/,
+];
+
+/**
+ * Recursively find files matching scan extensions
+ * @param {string} dir - Directory to walk
+ * @param {string} baseDir - Base directory for relative paths
+ * @returns {Promise<string[]>} Relative file paths
+ */
+async function walkDir(dir, baseDir) {
+  const results = [];
+  const entries = await readdir(dir, { withFileTypes: true });
+
+  for (const entry of entries) {
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name)) continue;
+      const subResults = await walkDir(path.join(dir, entry.name), baseDir);
+      results.push(...subResults);
+    } else if (entry.isFile()) {
+      const ext = path.extname(entry.name);
+      if (!SCAN_EXTENSIONS.has(ext)) continue;
+
+      const relPath = path.relative(baseDir, path.join(dir, entry.name));
+      if (SKIP_FILE_PATTERNS.some((p) => p.test(relPath))) continue;
+
+      results.push(relPath);
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Create a secrets scanning runner
+ * @param {Object} [deps] - Injectable dependencies for testing
+ * @param {Function} [deps.glob] - Glob function (pattern, options) => string[]
+ * @param {Function} [deps.readFile] - File reader (path) => string
+ * @param {string[]} [deps.extraIgnore] - Additional exclusion patterns
+ * @returns {Function} Runner function: (projectPath, options) => { passed, findings }
+ */
+export function createSecretsRunner(deps = {}) {
+  const {
+    glob: globFn,
+    readFile: readFileFn,
+    extraIgnore = [],
+  } = deps;
+
+  const ignorePatterns = [...DEFAULT_IGNORE, ...extraIgnore];
+
+  return async (projectPath, options = {}) => {
+    let files;
+
+    if (globFn) {
+      // Use injected glob (testing)
+      files = await globFn(DEFAULT_GLOB, {
+        cwd: projectPath,
+        ignore: ignorePatterns,
+      });
+    } else {
+      // Use built-in recursive walker (production)
+      try {
+        files = await walkDir(projectPath, projectPath);
+      } catch {
+        files = [];
+      }
+    }
+
+    if (files.length === 0) {
+      return { passed: true, findings: [] };
+    }
+
+    const findings = [];
+
+    for (const file of files) {
+      let content;
+      if (readFileFn) {
+        content = await readFileFn(file);
+      } else {
+        content = await fsReadFile(path.join(projectPath, file), 'utf-8');
+      }
+
+      const lines = content.split('\n');
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+
+        for (const secretPattern of SECRET_PATTERNS) {
+          if (secretPattern.pattern.test(line)) {
+            findings.push({
+              severity: secretPattern.severity,
+              file,
+              line: i + 1,
+              pattern: secretPattern.name,
+              match: line.trim().substring(0, 80),
+            });
+          }
+        }
+      }
+    }
+
+    return {
+      passed: findings.length === 0,
+      findings,
+    };
+  };
+}