ultimate-pi 0.18.1 → 0.19.1

package/.pi/lib/harness-lens/clients/safe-spawn.ts

@@ -0,0 +1,339 @@
+/**
+ * Safe cross-platform spawn utilities
+ *
+ * Provides both sync (deprecated) and async versions for gradual migration.
+ *
+ * Async version features:
+ * - Non-blocking execution
+ * - Proper process cleanup on timeout (no zombies)
+ * - Batch execution with concurrency limits
+ * - AbortSignal support for cancellation
+ *
+ * Migration guide:
+ * - Change: safeSpawn(cmd, args, opts)
+ * - To: await safeSpawnAsync(cmd, args, opts)
+ */
+
+import { type SpawnOptions, spawn, spawnSync } from "node:child_process";
+
+export interface SpawnResult {
+	stdout: string;
+	stderr: string;
+	status: number | null;
+	error?: Error;
+}
+
+export interface SafeSpawnOptions {
+	timeout?: number;
+	cwd?: string;
+	env?: NodeJS.ProcessEnv;
+	signal?: AbortSignal;
+}
+
+// ============================================================================
+// INTERNAL HELPERS
+// ============================================================================
+
+/**
+ * Escape a single argument for cmd.exe when shell:true is required.
+ * Only used on Windows to avoid DEP0190 (args+shell concatenation warning).
+ */
+function cmdEscapeArg(arg: string): string {
+	if (!/[\s"&|<>^()]/.test(arg)) return arg;
+	return `"${arg.replace(/"/g, '""')}"`;
+}
+
+// ============================================================================
+// ASYNC VERSION (Recommended - Non-blocking)
+// ============================================================================
+
+/**
+ * Async spawn with timeout and proper process cleanup.
+ *
+ * Unlike spawnSync, this:
+ * - Doesn't block the event loop
+ * - Kills the process on timeout (preventing zombies)
+ * - Supports cancellation via AbortSignal
+ *
+ * @example
+ * const result = await safeSpawnAsync("npm", ["test"], { timeout: 30000 });
+ * if (result.error) console.error("Failed:", result.error);
+ */
+export async function safeSpawnAsync(
+	command: string,
+	args: string[],
+	options?: SafeSpawnOptions,
+): Promise<SpawnResult> {
+	const timeout = options?.timeout ?? 30000;
+	const abortSignal = options?.signal;
+
+	return new Promise((resolve) => {
+		// Check for early abort
+		if (abortSignal?.aborted) {
+			resolve({
+				stdout: "",
+				stderr: "",
+				status: null,
+				error: new Error("Spawn aborted before start"),
+			});
+			return;
+		}
+
+		let stdout = "";
+		let stderr = "";
+		let timedOut = false;
+		let killed = false;
+
+		// Spawn the process (non-blocking)
+		// On Windows, use shell mode for .cmd files (like pyright, biome).
+		// Bake args into the command string when shell:true to avoid DEP0190.
+		const isWindows = process.platform === "win32";
+		const spawnCmd = isWindows
+			? [command, ...args.map(cmdEscapeArg)].join(" ")
+			: command;
+		const spawnArgs = isWindows ? [] : args;
+		const child = spawn(spawnCmd, spawnArgs, {
+			cwd: options?.cwd,
+			env: { ...process.env, ...options?.env },
+			windowsHide: true,
+			shell: isWindows,
+		});
+
+		// On Windows, shell:true means child.pid is cmd.exe — child.kill() only
+		// kills the wrapper, leaving the actual subprocess (e.g. knip/npx) alive
+		// as an orphan. Use taskkill /F /T to kill the full process tree instead.
+		const killTree = () => {
+			if (isWindows && child.pid && child.pid > 0) {
+				const taskkill = `${process.env.SystemRoot ?? "C:\\Windows"}\\System32\\taskkill.exe`;
+				try {
+					spawn(taskkill, ["/F", "/T", "/PID", String(child.pid)], {
+						shell: false,
+						windowsHide: true,
+					});
+				} catch {
+					child.kill("SIGKILL");
+				}
+			} else {
+				child.kill("SIGTERM");
+				setTimeout(() => {
+					if (!child.killed) child.kill("SIGKILL");
+				}, 1000);
+			}
+		};
+
+		// Handle abort signal
+		const onAbort = () => {
+			if (!killed && !child.killed) {
+				killed = true;
+				killTree();
+			}
+		};
+		abortSignal?.addEventListener("abort", onAbort, { once: true });
+
+		// Collect output
+		child.stdout?.setEncoding("utf-8");
+		child.stderr?.setEncoding("utf-8");
+		child.stdout?.on("data", (data) => (stdout += data));
+		child.stderr?.on("data", (data) => (stderr += data));
+
+		// Timeout handling - KILL the process, don't just abandon it
+		const timeoutId = setTimeout(() => {
+			timedOut = true;
+			if (!killed && !child.killed) {
+				killed = true;
+				killTree();
+			}
+		}, timeout);
+
+		// Process completion
+		child.on("close", (code, signal) => {
+			clearTimeout(timeoutId);
+			abortSignal?.removeEventListener("abort", onAbort);
+
+			if (timedOut) {
+				resolve({
+					stdout,
+					stderr,
+					status: null,
+					error: new Error(
+						`Process timed out after ${timeout}ms (killed with ${signal || "SIGTERM"})`,
+					),
+				});
+			} else if (signal) {
+				resolve({
+					stdout,
+					stderr,
+					status: null,
+					error: new Error(`Process killed by signal: ${signal}`),
+				});
+			} else {
+				resolve({ stdout, stderr, status: code });
+			}
+		});
+
+		child.on("error", (err) => {
+			clearTimeout(timeoutId);
+			abortSignal?.removeEventListener("abort", onAbort);
+			resolve({ stdout, stderr, status: null, error: err });
+		});
+	});
+}
+
+/**
+ * Run multiple commands concurrently with limited concurrency.
+ *
+ * This prevents resource contention when running many linters.
+ * Uses async spawn with concurrency limiting built-in.
+ *
+ * @example
+ * const results = await safeSpawnBatch([
+ *   { command: "biome", args: ["check", "file.ts"] },
+ *   { command: "ruff", args: ["check", "file.py"] },
+ * ], 3); // Max 3 concurrent
+ */
+export async function safeSpawnBatch(
+	commands: Array<{
+		command: string;
+		args: string[];
+		options?: SafeSpawnOptions;
+	}>,
+	concurrency = 3,
+): Promise<SpawnResult[]> {
+	const results: SpawnResult[] = [];
+
+	// Process in batches to limit concurrent processes
+	for (let i = 0; i < commands.length; i += concurrency) {
+		const batch = commands.slice(i, i + concurrency);
+		const batchResults = await Promise.all(
+			batch.map(({ command, args, options }) =>
+				safeSpawnAsync(command, args, options),
+			),
+		);
+		results.push(...batchResults);
+	}
+
+	return results;
+}
+
+/**
+ * Check if a command is available in PATH (async version)
+ */
+export async function isCommandAvailableAsync(
+	command: string,
+): Promise<boolean> {
+	const finder = process.platform === "win32" ? "where" : "which";
+	const result = await safeSpawnAsync(finder, [command], { timeout: 5000 });
+	return result.status === 0 && !result.error;
+}
+
+/**
+ * Find the full path to a command (async version)
+ */
+export async function findCommandAsync(
+	command: string,
+): Promise<string | null> {
+	const finder = process.platform === "win32" ? "where" : "which";
+	const result = await safeSpawnAsync(finder, [command], { timeout: 5000 });
+
+	if (result.status !== 0 || result.error) return null;
+
+	// Take first line (first match)
+	return result.stdout.trim().split("\n")[0] || null;
+}
+
+// ============================================================================
+// SYNC VERSION (Deprecated - Blocking, for backward compatibility)
+// ============================================================================
+
+/**
+ * Escape an argument for Windows shell execution.
+ * Handles spaces, quotes, $variables, and special characters.
+ */
+function escapeWindowsArg(arg: string): string {
+	if (arg.includes("$")) {
+		return `'${arg.replace(/'/g, "'\\''")}'`;
+	}
+	if (!/[\s"]/.test(arg)) return arg;
+	return `"${arg.replace(/"/g, '""')}"`;
+}
+
+/**
+ * Construct a command string for Windows shell execution.
+ */
+function buildWindowsCommand(command: string, args: string[]): string {
+	const escapedArgs = args.map(escapeWindowsArg).join(" ");
+	return `${command} ${escapedArgs}`;
+}
+
+/**
+ * ⚠️ DEPRECATED: Use safeSpawnAsync instead.
+ *
+ * This blocks the entire Node.js event loop until the process exits.
+ * If the process hangs, pi will freeze.
+ *
+ * Kept for backward compatibility during migration.
+ */
+export function safeSpawn(
+	command: string,
+	args: string[],
+	options?: SafeSpawnOptions,
+): SpawnResult {
+	if (process.platform === "win32") {
+		// shell:true here is justified only because this deprecated sync function
+		// predates safeSpawnAsync. It will be eliminated when safeSpawn is removed.
+		const fullCommand = buildWindowsCommand(command, args);
+		const result = spawnSync(fullCommand, {
+			...(options as SpawnOptions),
+			encoding: "utf-8",
+			shell: true,
+			windowsHide: true,
+		});
+
+		return {
+			stdout: result.stdout?.toString() || "",
+			stderr: result.stderr?.toString() || "",
+			status: result.status,
+			error: result.error,
+		};
+	}
+
+	const result = spawnSync(command, args, {
+		...(options as SpawnOptions),
+		encoding: "utf-8",
+		shell: false,
+		windowsHide: true,
+	});
+
+	return {
+		stdout: result.stdout?.toString() || "",
+		stderr: result.stderr?.toString() || "",
+		status: result.status,
+		error: result.error,
+	};
+}
+
+/**
+ * Check if a command is available in PATH (sync version - deprecated)
+ * @deprecated Use isCommandAvailableAsync
+ */
+export function isCommandAvailable(command: string): boolean {
+	const result = safeSpawn(
+		process.platform === "win32" ? "where" : "which",
+		[command],
+		{ timeout: 5000 },
+	);
+	return result.status === 0;
+}
+
+/**
+ * Find the full path to a command (sync version - deprecated)
+ * @deprecated Use findCommandAsync
+ */
+export function findCommand(command: string): string | null {
+	const finder = process.platform === "win32" ? "where" : "which";
+	const result = safeSpawn(finder, [command], { timeout: 5000 });
+
+	if (result.status !== 0) return null;
+
+	return result.stdout.trim().split("\n")[0] || null;
+}

package/.pi/lib/harness-lens/clients/secrets-scanner.ts

@@ -0,0 +1,214 @@
+/**
+ * Content-level secrets scanner
+ *
+ * Scans file content for potential secret patterns before write.
+ * Works on all file types via regex matching.
+ *
+ * Detected patterns:
+ * - Stripe/OpenAI keys (sk-*)
+ * - GitHub tokens (ghp_*, gho_*, github_pat_*)
+ * - AWS keys (AKIA*)
+ * - Slack tokens (xoxp-*, xoxb-*)
+ * - Private keys (BEGIN PRIVATE KEY)
+ * - Generic API key/password patterns
+ */
+
+import { isTestFile } from "./file-utils.js";
+
+interface SecretPattern {
+	pattern: RegExp;
+	name: string;
+	message: string;
+}
+
+const SAFE_HEADER_KEYS = new Set([
+	"user-agent",
+	"accept",
+	"accept-language",
+	"accept-encoding",
+	"content-type",
+	"content-length",
+	"origin",
+	"referer",
+	"host",
+	"connection",
+	"cache-control",
+	"pragma",
+	"x-requested-with",
+]);
+
+function extractHeaderKey(line: string): string | null {
+	const m = line.match(/["']([A-Za-z][A-Za-z0-9-]{0,63})["']\s*:\s*["'][^"']+/);
+	if (!m) return null;
+	return m[1].toLowerCase();
+}
+
+function shouldIgnorePatternMatch(line: string, patternName: string): boolean {
+	// Ignore obvious non-secret HTTP header literals such as "User-Agent".
+	if (
+		patternName === "hardcoded-secret" ||
+		patternName === "hardcoded-password"
+	) {
+		const key = extractHeaderKey(line);
+		if (key && SAFE_HEADER_KEYS.has(key)) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
+/**
+ * Check if a string value looks like an environment variable name.
+ * Env var names typically use UPPERCASE_SNAKE_CASE.
+ * Used to filter false positives like: api_key = "FIREWORKS_API_KEY"
+ * where the value is just referencing the env var name, not a secret.
+ */
+function looksLikeEnvVarName(value: string): boolean {
+	// Must be all uppercase with underscores (no lowercase letters)
+	// Must start with a letter and contain at least one underscore
+	return /^[A-Z][A-Z0-9_]*$/.test(value) && value.includes("_");
+}
+
+/**
+ * Extract the quoted value from a hardcoded secret pattern match.
+ * Returns null if no quoted value found.
+ */
+function extractQuotedValue(line: string): string | null {
+	// Match content inside quotes after : or =
+	const match = line.match(/[:=]\s*["']([^"']+)["']/);
+	return match ? match[1] : null;
+}
+
+// Patterns ordered by specificity - first match wins per line
+const SECRET_PATTERNS: SecretPattern[] = [
+	// High-confidence: specific key prefixes
+	{
+		pattern: /sk-[a-zA-Z0-9-]{20,}/g,
+		name: "stripe-openai-key",
+		message: "Possible Stripe or OpenAI API key (sk-*)",
+	},
+	{
+		pattern: /ghp_[a-zA-Z0-9]{36}/g,
+		name: "github-personal-token",
+		message: "GitHub personal access token (ghp_*)",
+	},
+	{
+		pattern: /gho_[a-zA-Z0-9]{36}/g,
+		name: "github-oauth-token",
+		message: "GitHub OAuth token (gho_*)",
+	},
+	{
+		pattern: /github_pat_[a-zA-Z_]{82}/g,
+		name: "github-fine-grained-pat",
+		message: "GitHub fine-grained PAT (github_pat_*)",
+	},
+	{
+		pattern: /AKIA[0-9A-Z]{16}/g,
+		name: "aws-access-key",
+		message: "AWS access key ID (AKIA*)",
+	},
+	{
+		pattern: /xox[bp]-[a-zA-Z0-9]{10,}/g,
+		name: "slack-token",
+		message: "Slack token (xoxb-*/xoxp-*)",
+	},
+	{
+		pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE KEY-----/g,
+		name: "private-key",
+		message: "Private key material detected",
+	},
+	// Medium-confidence: quoted credentials
+	{
+		pattern: /password\s*[:=]\s*["'][^"']{4,}["']/gi,
+		name: "hardcoded-password",
+		message: "Possible hardcoded password",
+	},
+	{
+		pattern:
+			/\b(secret|api_?key|token|access_?key)\b\s*[:=]\s*["']([a-zA-Z0-9_./-]{8,})["']/gi,
+		name: "hardcoded-secret",
+		message: "Possible hardcoded secret or API key",
+	},
+	// .env format: KEY=VALUE (no quotes)
+	{
+		pattern:
+			/^(?:API_?KEY|SECRET|TOKEN|PASSWORD|AWS_?ACCESS_?KEY)\s*=\s*\S{8,}/gim,
+		name: "env-file-secret",
+		message: "Possible secret in .env format",
+	},
+];
+
+export interface SecretFinding {
+	line: number;
+	message: string;
+}
+
+/**
+ * Scan content for potential secrets
+ * Returns findings with line numbers.
+ * Skips test files to avoid false positives.
+ */
+export function scanForSecrets(
+	content: string,
+	filePath?: string,
+): SecretFinding[] {
+	// Skip test files — secrets in tests are usually fake/test values
+	if (filePath && isTestFile(filePath)) {
+		return [];
+	}
+
+	const findings: SecretFinding[] = [];
+	const lines = content.split("\n");
+
+	for (let i = 0; i < lines.length; i++) {
+		const line = lines[i];
+		for (const pattern of SECRET_PATTERNS) {
+			// Reset lastIndex before each test (important for global regex)
+			const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+			const match = regex.exec(line);
+			if (match) {
+				if (shouldIgnorePatternMatch(line, pattern.name)) {
+					continue;
+				}
+				// For hardcoded-secret pattern, check if the value looks like an env var name
+				// This prevents false positives like: api_key = "FIREWORKS_API_KEY"
+				if (pattern.name === "hardcoded-secret") {
+					const value = extractQuotedValue(line);
+					if (value && looksLikeEnvVarName(value)) {
+						continue; // Skip - just referencing env var name, not a secret
+					}
+				}
+				findings.push({
+					line: i + 1,
+					message: pattern.message,
+				});
+				break; // One finding per line
+			}
+		}
+	}
+
+	return findings;
+}
+
+/**
+ * Format secrets findings for terminal output
+ */
+export function formatSecrets(
+	findings: SecretFinding[],
+	filePath: string,
+): string {
+	if (findings.length === 0) return "";
+
+	const lines = [
+		`🔴 STOP — ${findings.length} potential secret(s) in ${filePath}:`,
+	];
+	for (const f of findings.slice(0, 5)) {
+		lines.push(`  L${f.line}: ${f.message}`);
+	}
+	if (findings.length > 5) {
+		lines.push(`  ... and ${findings.length - 5} more`);
+	}
+	lines.push("  → Remove before continuing. Use env vars instead.");
+	return lines.join("\n");
+}