tlc-claude-code 2.0.1 → 2.2.0

package/server/lib/deploy/runners/secrets-runner.js

@@ -0,0 +1,174 @@
+/**
+ * Secrets Runner
+ *
+ * Scans project files for hardcoded secrets using regex patterns.
+ * No external tools required — pure pattern matching.
+ */
+
+import { readdir, readFile as fsReadFile } from 'node:fs/promises';
+import path from 'node:path';
+
+/** Secret detection patterns */
+const SECRET_PATTERNS = [
+  {
+    name: 'hardcoded-password',
+    pattern: /(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{4,}["']/i,
+    severity: 'high',
+  },
+  {
+    name: 'aws-access-key',
+    pattern: /AKIA[0-9A-Z]{16}/,
+    severity: 'critical',
+  },
+  {
+    name: 'private-key',
+    pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/,
+    severity: 'critical',
+  },
+  {
+    name: 'generic-api-key',
+    pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*["'][^"']{8,}["']/i,
+    severity: 'high',
+  },
+  {
+    name: 'generic-secret',
+    pattern: /(?:secret|token)\s*[:=]\s*["'](?:sk_live_|sk_test_|ghp_|gho_|ghs_)[^"']+["']/i,
+    severity: 'high',
+  },
+];
+
+/** File extensions to scan */
+const SCAN_EXTENSIONS = new Set([
+  '.js', '.ts', '.json', '.env', '.yml', '.yaml', '.jsx', '.tsx', '.mjs', '.cjs',
+]);
+
+/** Default file glob pattern (used with injected glob) */
+const DEFAULT_GLOB = '**/*.{js,ts,json,env,yml,yaml,jsx,tsx,mjs,cjs}';
+
+/** Default exclusion patterns */
+const DEFAULT_IGNORE = [
+  '**/node_modules/**',
+  '**/.git/**',
+  '**/package-lock.json',
+  '**/yarn.lock',
+  '**/pnpm-lock.yaml',
+  '**/*.test.*',
+  '**/*.spec.*',
+  '**/__tests__/**',
+];
+
+/** Directory names to skip during recursive walk */
+const SKIP_DIRS = new Set(['node_modules', '.git', '__tests__']);
+
+/** File patterns to skip */
+const SKIP_FILE_PATTERNS = [
+  /\.test\./,
+  /\.spec\./,
+  /package-lock\.json$/,
+  /yarn\.lock$/,
+  /pnpm-lock\.yaml$/,
+];
+
+/**
+ * Recursively find files matching scan extensions
+ * @param {string} dir - Directory to walk
+ * @param {string} baseDir - Base directory for relative paths
+ * @returns {Promise<string[]>} Relative file paths
+ */
+async function walkDir(dir, baseDir) {
+  const results = [];
+  const entries = await readdir(dir, { withFileTypes: true });
+
+  for (const entry of entries) {
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name)) continue;
+      const subResults = await walkDir(path.join(dir, entry.name), baseDir);
+      results.push(...subResults);
+    } else if (entry.isFile()) {
+      const ext = path.extname(entry.name);
+      if (!SCAN_EXTENSIONS.has(ext)) continue;
+
+      const relPath = path.relative(baseDir, path.join(dir, entry.name));
+      if (SKIP_FILE_PATTERNS.some((p) => p.test(relPath))) continue;
+
+      results.push(relPath);
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Create a secrets scanning runner
+ * @param {Object} [deps] - Injectable dependencies for testing
+ * @param {Function} [deps.glob] - Glob function (pattern, options) => string[]
+ * @param {Function} [deps.readFile] - File reader (path) => string
+ * @param {string[]} [deps.extraIgnore] - Additional exclusion patterns
+ * @returns {Function} Runner function: (projectPath, options) => { passed, findings }
+ */
+export function createSecretsRunner(deps = {}) {
+  const {
+    glob: globFn,
+    readFile: readFileFn,
+    extraIgnore = [],
+  } = deps;
+
+  const ignorePatterns = [...DEFAULT_IGNORE, ...extraIgnore];
+
+  return async (projectPath, options = {}) => {
+    let files;
+
+    if (globFn) {
+      // Use injected glob (testing)
+      files = await globFn(DEFAULT_GLOB, {
+        cwd: projectPath,
+        ignore: ignorePatterns,
+      });
+    } else {
+      // Use built-in recursive walker (production)
+      try {
+        files = await walkDir(projectPath, projectPath);
+      } catch {
+        files = [];
+      }
+    }
+
+    if (files.length === 0) {
+      return { passed: true, findings: [] };
+    }
+
+    const findings = [];
+
+    for (const file of files) {
+      let content;
+      if (readFileFn) {
+        content = await readFileFn(file);
+      } else {
+        content = await fsReadFile(path.join(projectPath, file), 'utf-8');
+      }
+
+      const lines = content.split('\n');
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+
+        for (const secretPattern of SECRET_PATTERNS) {
+          if (secretPattern.pattern.test(line)) {
+            findings.push({
+              severity: secretPattern.severity,
+              file,
+              line: i + 1,
+              pattern: secretPattern.name,
+              match: line.trim().substring(0, 80),
+            });
+          }
+        }
+      }
+    }
+
+    return {
+      passed: findings.length === 0,
+      findings,
+    };
+  };
+}

package/server/lib/deploy/runners/secrets-runner.test.js

@@ -0,0 +1,127 @@
+/**
+ * Secrets Runner Tests
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createSecretsRunner } from './secrets-runner.js';
+
+describe('secrets-runner', () => {
+  let globMock;
+  let readFileMock;
+  let runner;
+
+  beforeEach(() => {
+    globMock = vi.fn().mockResolvedValue([]);
+    readFileMock = vi.fn().mockResolvedValue('');
+    runner = createSecretsRunner({ glob: globMock, readFile: readFileMock });
+  });
+
+  it('passes when no secrets found in clean project', async () => {
+    globMock.mockResolvedValue(['src/index.js']);
+    readFileMock.mockResolvedValue('const x = 1;\nconsole.log(x);');
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('detects hardcoded password assignment', async () => {
+    globMock.mockResolvedValue(['src/config.js']);
+    readFileMock.mockResolvedValue(
+      'const config = {\n  password: "supersecret123"\n};'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+    expect(result.findings[0].file).toBe('src/config.js');
+    expect(result.findings[0].pattern).toBeDefined();
+  });
+
+  it('detects AWS access key pattern', async () => {
+    globMock.mockResolvedValue(['src/aws.js']);
+    readFileMock.mockResolvedValue(
+      'const key = "AKIAIOSFODNN7EXAMPLE";\n'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+  });
+
+  it('detects private key header', async () => {
+    globMock.mockResolvedValue(['certs/key.pem']);
+    readFileMock.mockResolvedValue(
+      '-----BEGIN RSA PRIVATE KEY-----\nMIIEpA...\n-----END RSA PRIVATE KEY-----'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+  });
+
+  it('detects generic API key pattern', async () => {
+    globMock.mockResolvedValue(['src/api.js']);
+    readFileMock.mockResolvedValue(
+      'const token = "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";\n'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+  });
+
+  it('excludes test files by default', async () => {
+    globMock.mockResolvedValue([]);
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+
+    // Verify glob was called with exclusion patterns
+    const callArgs = globMock.mock.calls[0];
+    expect(callArgs[0]).toBeDefined(); // pattern
+    expect(callArgs[1]).toBeDefined(); // options with ignore
+  });
+
+  it('excludes node_modules by default', async () => {
+    globMock.mockResolvedValue([]);
+
+    await runner('/test/project', {});
+    const callArgs = globMock.mock.calls[0];
+    const options = callArgs[1];
+    expect(options.ignore).toContain('**/node_modules/**');
+  });
+
+  it('supports configurable exclusion patterns', async () => {
+    const customRunner = createSecretsRunner({
+      glob: globMock,
+      readFile: readFileMock,
+      extraIgnore: ['**/fixtures/**'],
+    });
+
+    globMock.mockResolvedValue([]);
+
+    await customRunner('/test/project', {});
+    const callArgs = globMock.mock.calls[0];
+    const options = callArgs[1];
+    expect(options.ignore).toContain('**/fixtures/**');
+  });
+
+  it('handles empty project directory', async () => {
+    globMock.mockResolvedValue([]);
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('includes line number in findings', async () => {
+    globMock.mockResolvedValue(['src/config.js']);
+    readFileMock.mockResolvedValue(
+      'const a = 1;\nconst password = "secret";\nconst b = 2;'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings[0].line).toBe(2);
+  });
+});

package/server/lib/deploy/security-gates.js

@@ -5,6 +5,9 @@
  * running security gates during deployment validation.
  */
 
+import { createDependencyRunner } from './runners/dependency-runner.js';
+import { createSecretsRunner } from './runners/secrets-runner.js';
+
 /**
  * Gate type constants
  */
@@ -36,29 +39,13 @@ const DEFAULT_TIER_GATES = {
 };
 
 /**
- * Default security gate runners (placeholder implementations)
+ * Built-in runners for dependencies and secrets gates.
+ * SAST, DAST, and container gates require custom runner injection.
+ * Gates without runners will SKIP (not fake-pass).
  */
-const defaultRunners = {
-  sast: async (projectPath, options) => {
-    // Placeholder SAST implementation
-    return { passed: true, findings: [] };
-  },
-  dast: async (projectPath, options) => {
-    // Placeholder DAST implementation
-    return { passed: true, findings: [] };
-  },
-  dependencies: async (projectPath, options) => {
-    // Placeholder dependency scanning implementation
-    return { passed: true, findings: [] };
-  },
-  container: async (projectPath, options) => {
-    // Placeholder container scanning implementation
-    return { passed: true, findings: [] };
-  },
-  secrets: async (projectPath, options) => {
-    // Placeholder secrets scanning implementation
-    return { passed: true, findings: [] };
-  },
+const builtInRunners = {
+  dependencies: createDependencyRunner(),
+  secrets: createSecretsRunner(),
 };
 
 /**
@@ -197,8 +184,8 @@ export async function runAllGates(tier, options = {}) {
 export function createSecurityGates(config = {}) {
   const { runners = {}, gateConfig = null } = config;
 
-  // Merge custom runners with defaults
-  const allRunners = { ...defaultRunners, ...runners };
+  // Merge built-in runners with custom runners (custom overrides built-in)
+  const allRunners = { ...builtInRunners, ...runners };
 
   return {
     /**

package/server/lib/deploy/security-gates.test.js

@@ -213,10 +213,17 @@ describe('security-gates', () => {
       expect(gates.hasRunner('custom')).toBe(true);
     });
 
-    it('provides default runners', () => {
+    it('has built-in runners for dependencies and secrets', () => {
       const gates = createSecurityGates();
-      expect(gates.hasRunner('sast')).toBe(true);
       expect(gates.hasRunner('dependencies')).toBe(true);
+      expect(gates.hasRunner('secrets')).toBe(true);
+    });
+
+    it('skips SAST/DAST/container without custom runners', () => {
+      const gates = createSecurityGates();
+      expect(gates.hasRunner('sast')).toBe(false);
+      expect(gates.hasRunner('dast')).toBe(false);
+      expect(gates.hasRunner('container')).toBe(false);
     });
   });
 });

package/server/lib/deploy-engine.js

@@ -0,0 +1,182 @@
+/**
+ * Deploy Engine — deploy projects to VPS via SSH
+ * Phase 80 Task 6
+ */
+
+const { generateSiteConfig } = require('./nginx-config.js');
+const { isValidBranch, isValidRepoUrl, isValidDomain, isValidProjectName } = require('./input-sanitizer.js');
+
+/**
+ * Sanitize branch name for DNS/container use
+ */
+function sanitizeBranch(branch) {
+  if (!branch) return 'unknown';
+  return branch.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '').slice(0, 63);
+}
+
+/**
+ * Create deploy engine
+ * @param {Object} options
+ * @param {Object} options.sshClient - SSH client instance
+ * @returns {Object} Deploy engine API
+ */
+function createDeployEngine({ sshClient }) {
+  const BASE_PORT = 4000;
+
+  /**
+   * Deploy a project to VPS
+   */
+  async function deploy(sshConfig, project, options = {}, onProgress) {
+    const { domain, branch = 'main' } = options;
+    if (!isValidProjectName(project.name)) throw new Error(`Invalid project name: ${project.name}`);
+    if (!isValidBranch(branch)) throw new Error(`Invalid branch name: ${branch}`);
+    if (project.repoUrl && !isValidRepoUrl(project.repoUrl)) throw new Error(`Invalid repo URL: ${project.repoUrl}`);
+    if (domain && !isValidDomain(domain)) throw new Error(`Invalid domain: ${domain}`);
+    const deployDir = `/opt/deploys/${project.name}`;
+    const report = (step, msg) => onProgress && onProgress({ step, message: msg });
+
+    // Step 1: Ensure deploy directory
+    report('prepare', 'Creating deploy directory...');
+    await sshClient.exec(sshConfig, `mkdir -p ${deployDir}`);
+
+    // Step 2: Clone or pull
+    report('git', 'Fetching latest code...');
+    const checkGit = await sshClient.exec(sshConfig, `test -d ${deployDir}/.git && echo "exists" || echo "new"`);
+    if (checkGit.stdout.trim() === 'exists') {
+      await sshClient.exec(sshConfig, `cd ${deployDir} && git fetch origin && git checkout ${branch} && git pull origin ${branch}`);
+    } else {
+      await sshClient.exec(sshConfig, `git clone ${project.repoUrl} ${deployDir} && cd ${deployDir} && git checkout ${branch}`);
+    }
+
+    // Step 3: Docker compose up
+    report('docker', 'Starting containers...');
+    await sshClient.exec(sshConfig, `cd ${deployDir} && docker compose up -d --build`);
+
+    // Step 4: Nginx config
+    if (domain) {
+      report('nginx', 'Configuring Nginx...');
+      const nginxConf = generateSiteConfig({ domain, port: 3000, proxyPass: 'http://127.0.0.1:3000' });
+      await sshClient.exec(sshConfig, `cat > /etc/nginx/sites-available/${project.name} << 'NGINX_EOF'\n${nginxConf}\nNGINX_EOF`);
+      await sshClient.exec(sshConfig, `ln -sf /etc/nginx/sites-available/${project.name} /etc/nginx/sites-enabled/`);
+      await sshClient.exec(sshConfig, `nginx -t && nginx -s reload`);
+    }
+
+    // Step 5: SSL
+    if (domain) {
+      report('ssl', 'Setting up SSL...');
+      await sshClient.exec(sshConfig, `certbot --nginx -d ${domain} --non-interactive --agree-tos --email admin@${domain} 2>/dev/null || true`);
+    }
+
+    report('done', 'Deployment complete');
+  }
+
+  /**
+   * Deploy a branch preview
+   */
+  async function deployBranch(sshConfig, project, branch, baseDomain, onProgress) {
+    if (!isValidProjectName(project.name)) throw new Error(`Invalid project name: ${project.name}`);
+    if (!isValidBranch(branch)) throw new Error(`Invalid branch name: ${branch}`);
+    if (project.repoUrl && !isValidRepoUrl(project.repoUrl)) throw new Error(`Invalid repo URL: ${project.repoUrl}`);
+    if (baseDomain && !isValidDomain(baseDomain)) throw new Error(`Invalid base domain: ${baseDomain}`);
+    const sanitized = sanitizeBranch(branch);
+    const deployDir = `/opt/deploys/${project.name}/branches/${sanitized}`;
+    const containerName = `tlc-${sanitizeBranch(project.name)}-${sanitized}`;
+    const report = (step, msg) => onProgress && onProgress({ step, message: msg });
+
+    // Allocate port
+    report('prepare', 'Allocating port...');
+    let portData = {};
+    try {
+      const portsResult = await sshClient.exec(sshConfig, `cat /opt/deploys/${project.name}/ports.json 2>/dev/null || echo "{}"`);
+      portData = JSON.parse(portsResult.stdout.trim());
+    } catch {}
+    const usedPorts = Object.values(portData);
+    let port = BASE_PORT;
+    while (usedPorts.includes(port)) port++;
+    portData[sanitized] = port;
+    const portJson = Buffer.from(JSON.stringify(portData)).toString('base64');
+    await sshClient.exec(sshConfig, `mkdir -p /opt/deploys/${project.name} && echo '${portJson}' | base64 -d > /opt/deploys/${project.name}/ports.json`);
+
+    // Clone branch
+    report('git', `Cloning branch ${branch}...`);
+    await sshClient.exec(sshConfig, `mkdir -p ${deployDir}`);
+    const checkGit = await sshClient.exec(sshConfig, `test -d ${deployDir}/.git && echo "exists" || echo "new"`);
+    if (checkGit.stdout.trim() === 'exists') {
+      await sshClient.exec(sshConfig, `cd ${deployDir} && git fetch origin && git reset --hard origin/${branch} 2>/dev/null || git checkout -b ${branch} origin/${branch}`);
+    } else {
+      await sshClient.exec(sshConfig, `git clone -b ${branch} ${project.repoUrl} ${deployDir}`);
+    }
+
+    // Docker compose with custom port
+    report('docker', 'Starting container...');
+    await sshClient.exec(sshConfig, `cd ${deployDir} && APP_PORT=${port} COMPOSE_PROJECT_NAME=${containerName} docker compose up -d --build`);
+
+    // Nginx for subdomain
+    report('nginx', `Configuring ${sanitized}.${baseDomain}...`);
+    const nginxConf = generateSiteConfig({
+      domain: `${sanitized}.${baseDomain}`,
+      port,
+      proxyPass: `http://127.0.0.1:${port}`,
+    });
+    await sshClient.exec(sshConfig, `cat > /etc/nginx/sites-available/${containerName} << 'NGINX_EOF'\n${nginxConf}\nNGINX_EOF`);
+    await sshClient.exec(sshConfig, `ln -sf /etc/nginx/sites-available/${containerName} /etc/nginx/sites-enabled/`);
+    await sshClient.exec(sshConfig, `nginx -t && nginx -s reload`);
+
+    report('done', `Preview at ${sanitized}.${baseDomain}`);
+    return { subdomain: `${sanitized}.${baseDomain}`, port, containerName };
+  }
+
+  /**
+   * Rollback to previous commit
+   */
+  async function rollback(sshConfig, project, onProgress) {
+    const deployDir = `/opt/deploys/${project.name}`;
+    const report = (step, msg) => onProgress && onProgress({ step, message: msg });
+
+    report('rollback', 'Rolling back...');
+    await sshClient.exec(sshConfig, `cd ${deployDir} && git checkout HEAD~1`);
+    await sshClient.exec(sshConfig, `cd ${deployDir} && docker compose up -d --build`);
+    report('done', 'Rollback complete');
+  }
+
+  /**
+   * Clean up a branch preview
+   */
+  async function cleanupBranch(sshConfig, project, branch) {
+    const sanitized = sanitizeBranch(branch);
+    const containerName = `tlc-${sanitizeBranch(project.name)}-${sanitized}`;
+    const deployDir = `/opt/deploys/${project.name}/branches/${sanitized}`;
+
+    // Stop and remove containers
+    await sshClient.exec(sshConfig, `cd ${deployDir} && docker compose down 2>/dev/null; docker stop ${containerName} 2>/dev/null; docker rm ${containerName} 2>/dev/null || true`);
+
+    // Remove nginx config
+    await sshClient.exec(sshConfig, `rm -f /etc/nginx/sites-enabled/${containerName} /etc/nginx/sites-available/${containerName}`);
+    await sshClient.exec(sshConfig, `nginx -t && nginx -s reload 2>/dev/null || true`);
+
+    // Remove deploy directory
+    await sshClient.exec(sshConfig, `rm -rf ${deployDir}`);
+
+    // Remove from port allocation
+    try {
+      const portsResult = await sshClient.exec(sshConfig, `cat /opt/deploys/${project.name}/ports.json 2>/dev/null || echo "{}"`);
+      const portData = JSON.parse(portsResult.stdout.trim());
+      delete portData[sanitized];
+      const portJson = Buffer.from(JSON.stringify(portData)).toString('base64');
+      await sshClient.exec(sshConfig, `echo '${portJson}' | base64 -d > /opt/deploys/${project.name}/ports.json`);
+    } catch {}
+  }
+
+  /**
+   * List active deployments
+   */
+  async function listDeployments(sshConfig, project) {
+    const result = await sshClient.exec(sshConfig, `ls /opt/deploys/${project.name}/branches/ 2>/dev/null || echo ""`);
+    const branches = result.stdout.trim().split('\n').filter(Boolean);
+    return branches.map(name => ({ branch: name, directory: `/opt/deploys/${project.name}/branches/${name}` }));
+  }
+
+  return { deploy, deployBranch, rollback, cleanupBranch, listDeployments, sanitizeBranch };
+}
+
+module.exports = { createDeployEngine };