oncecheck 0.1.0__tar.gz

oncecheck-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Oncecheck
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

oncecheck-0.1.0/MANIFEST.in

@@ -0,0 +1,3 @@
+include LICENSE
+include README.md
+recursive-include oncecheck/rules *.yaml *.yml

oncecheck-0.1.0/PKG-INFO

@@ -0,0 +1,198 @@
+Metadata-Version: 2.4
+Name: oncecheck
+Version: 0.1.0
+Summary: A terminal-first CLI tool that scans iOS, Android, and Web projects for launch-critical compliance risks.
+Author-email: Oncecheck <hello@oncecheck.com>
+License: MIT
+Project-URL: Homepage, https://oncecheck.com
+Project-URL: Documentation, https://oncecheck.com
+Project-URL: Repository, https://github.com/oncecheck/oncecheck-cli
+Project-URL: Issues, https://github.com/oncecheck/oncecheck-cli/issues
+Keywords: compliance,scanner,ios,android,web,app-store,play-store,owasp,privacy,accessibility
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: click>=8.1
+Requires-Dist: rich>=13.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: readchar>=4.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-cov>=5.0; extra == "dev"
+Dynamic: license-file
+
+# Oncecheck CLI
+
+A terminal-first CLI tool that scans iOS, Android, and Web projects for launch-critical compliance risks.
+
+## Features
+
+- **73+ compliance rules** across iOS, Android, Web, and cross-platform categories
+- **Auto-detection** — identifies your project type automatically
+- **Interactive browser** — arrow-key driven UI to explore findings
+- **Multiple export formats** — JSON, SARIF 2.1, plain text
+- **CI/CD ready** — exit codes: 0 (pass), 1 (warnings), 2 (failures)
+- **Cross-platform checks** — COPPA, HIPAA, PCI-DSS, accessibility, supply chain
+- **Rule suppression** — `.oncecheckignore` file and `.oncecheckrc` config
+- **Shell completions** — bash, zsh, and fish
+
+## Rule Categories
+
+| Platform | Rules | Covers |
+|----------|-------|--------|
+| iOS | 20 | Info.plist, ATS, entitlements, privacy manifests, HealthKit, Keychain |
+| Android | 18 | AndroidManifest, target SDK, permissions, ProGuard, Play Integrity |
+| Web | 27 | CSP, CORS, OWASP Top 10, accessibility, privacy, cookies |
+| Common | 8 | COPPA, HIPAA, PCI-DSS, color contrast, data retention, supply chain |
+
+## Installation
+
+```bash
+pip install oncecheck
+```
+
+### Development
+
+```bash
+git clone <repo-url>
+cd oncecheck-cli
+python -m venv .venv
+source .venv/bin/activate
+pip install -e ".[dev]"
+```
+
+## Usage
+
+### Interactive mode
+
+```bash
+oncecheck
+```
+
+Launches the full interactive UI with welcome screen, menu navigation, and findings browser.
+
+### Direct scan
+
+```bash
+# Auto-detect platform
+oncecheck scan ./my-project
+
+# Force a specific platform
+oncecheck scan ./my-project --platform ios
+
+# Export as JSON (Team plan)
+oncecheck scan ./my-project --format json --output results.json
+
+# Export as SARIF (Team plan — for GitHub/VS Code)
+oncecheck scan ./my-project --format sarif --output results.sarif
+
+# Interactive findings browser
+oncecheck scan ./my-project --interactive
+
+# Fail CI on warnings or higher
+oncecheck scan ./my-project --fail-on WARN
+```
+
+### Authentication
+
+```bash
+# Sign in (opens browser)
+oncecheck login
+
+# Check status
+oncecheck status
+
+# Sign out
+oncecheck logout
+```
+
+### Configuration
+
+```bash
+# Generate config files in your project
+oncecheck init ./my-project
+```
+
+This creates:
+- `.oncecheckrc` — YAML config for disabled rules, severity overrides, and fail threshold
+- `.oncecheckignore` — one rule ID per line to suppress
+
+Example `.oncecheckrc`:
+```yaml
+disabled_rules:
+  - IOS-SEC-001
+  - WEB-OWASP-003
+
+severity_overrides:
+  WEB-A11Y-001: INFO
+
+fail_on: FAIL
+```
+
+### Shell Completions
+
+```bash
+# Bash
+oncecheck completions bash >> ~/.bashrc
+
+# Zsh
+oncecheck completions zsh >> ~/.zshrc
+
+# Fish
+oncecheck completions fish > ~/.config/fish/completions/oncecheck.fish
+```
+
+## CI/CD Integration
+
+```yaml
+# GitHub Actions example
+- name: Compliance scan
+  run: |
+    pip install oncecheck
+    oncecheck login
+    oncecheck scan . --fail-on WARN
+
+- name: Upload SARIF (Team plan)
+  run: oncecheck scan . --format sarif --output results.sarif
+```
+
+### Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | No issues (or only INFO) |
+| 1 | Warnings found |
+| 2 | Failures found |
+
+## Plans
+
+| Feature | Starter (Free) | Team ($19/mo) |
+|---------|----------------|---------------|
+| Scans per day | 3 | Unlimited |
+| Terminal output | Yes | Yes |
+| JSON/text export | — | Yes |
+| SARIF export | — | Yes |
+| File export (`--output`) | — | Yes |
+
+## Testing
+
+```bash
+python -m pytest tests/ -v
+```
+
+## License
+
+MIT

oncecheck-0.1.0/README.md

@@ -0,0 +1,162 @@
+# Oncecheck CLI
+
+A terminal-first CLI tool that scans iOS, Android, and Web projects for launch-critical compliance risks.
+
+## Features
+
+- **73+ compliance rules** across iOS, Android, Web, and cross-platform categories
+- **Auto-detection** — identifies your project type automatically
+- **Interactive browser** — arrow-key driven UI to explore findings
+- **Multiple export formats** — JSON, SARIF 2.1, plain text
+- **CI/CD ready** — exit codes: 0 (pass), 1 (warnings), 2 (failures)
+- **Cross-platform checks** — COPPA, HIPAA, PCI-DSS, accessibility, supply chain
+- **Rule suppression** — `.oncecheckignore` file and `.oncecheckrc` config
+- **Shell completions** — bash, zsh, and fish
+
+## Rule Categories
+
+| Platform | Rules | Covers |
+|----------|-------|--------|
+| iOS | 20 | Info.plist, ATS, entitlements, privacy manifests, HealthKit, Keychain |
+| Android | 18 | AndroidManifest, target SDK, permissions, ProGuard, Play Integrity |
+| Web | 27 | CSP, CORS, OWASP Top 10, accessibility, privacy, cookies |
+| Common | 8 | COPPA, HIPAA, PCI-DSS, color contrast, data retention, supply chain |
+
+## Installation
+
+```bash
+pip install oncecheck
+```
+
+### Development
+
+```bash
+git clone <repo-url>
+cd oncecheck-cli
+python -m venv .venv
+source .venv/bin/activate
+pip install -e ".[dev]"
+```
+
+## Usage
+
+### Interactive mode
+
+```bash
+oncecheck
+```
+
+Launches the full interactive UI with welcome screen, menu navigation, and findings browser.
+
+### Direct scan
+
+```bash
+# Auto-detect platform
+oncecheck scan ./my-project
+
+# Force a specific platform
+oncecheck scan ./my-project --platform ios
+
+# Export as JSON (Team plan)
+oncecheck scan ./my-project --format json --output results.json
+
+# Export as SARIF (Team plan — for GitHub/VS Code)
+oncecheck scan ./my-project --format sarif --output results.sarif
+
+# Interactive findings browser
+oncecheck scan ./my-project --interactive
+
+# Fail CI on warnings or higher
+oncecheck scan ./my-project --fail-on WARN
+```
+
+### Authentication
+
+```bash
+# Sign in (opens browser)
+oncecheck login
+
+# Check status
+oncecheck status
+
+# Sign out
+oncecheck logout
+```
+
+### Configuration
+
+```bash
+# Generate config files in your project
+oncecheck init ./my-project
+```
+
+This creates:
+- `.oncecheckrc` — YAML config for disabled rules, severity overrides, and fail threshold
+- `.oncecheckignore` — one rule ID per line to suppress
+
+Example `.oncecheckrc`:
+```yaml
+disabled_rules:
+  - IOS-SEC-001
+  - WEB-OWASP-003
+
+severity_overrides:
+  WEB-A11Y-001: INFO
+
+fail_on: FAIL
+```
+
+### Shell Completions
+
+```bash
+# Bash
+oncecheck completions bash >> ~/.bashrc
+
+# Zsh
+oncecheck completions zsh >> ~/.zshrc
+
+# Fish
+oncecheck completions fish > ~/.config/fish/completions/oncecheck.fish
+```
+
+## CI/CD Integration
+
+```yaml
+# GitHub Actions example
+- name: Compliance scan
+  run: |
+    pip install oncecheck
+    oncecheck login
+    oncecheck scan . --fail-on WARN
+
+- name: Upload SARIF (Team plan)
+  run: oncecheck scan . --format sarif --output results.sarif
+```
+
+### Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | No issues (or only INFO) |
+| 1 | Warnings found |
+| 2 | Failures found |
+
+## Plans
+
+| Feature | Starter (Free) | Team ($19/mo) |
+|---------|----------------|---------------|
+| Scans per day | 3 | Unlimited |
+| Terminal output | Yes | Yes |
+| JSON/text export | — | Yes |
+| SARIF export | — | Yes |
+| File export (`--output`) | — | Yes |
+
+## Testing
+
+```bash
+python -m pytest tests/ -v
+```
+
+## License
+
+MIT

oncecheck-0.1.0/oncecheck/__init__.py

@@ -0,0 +1,3 @@
+"""Oncecheck — CLI compliance scanner for iOS, Android, and Web projects."""
+
+__version__ = "0.1.0"

oncecheck-0.1.0/oncecheck/__main__.py

@@ -0,0 +1,5 @@
+"""Allow running as `python -m oncecheck`."""
+
+from .cli import cli
+
+cli()

oncecheck-0.1.0/oncecheck/auth/api.py

@@ -0,0 +1,46 @@
+"""Server-side scan quota check via the Oncecheck API."""
+
+from __future__ import annotations
+
+import json
+import urllib.error
+import urllib.request
+from typing import TypedDict
+
+
+WEB_APP_URL = "https://oncecheck.com"
+
+
+class QuotaResult(TypedDict):
+    allowed: bool
+    plan: str
+    used: int
+    limit: int
+
+
+def check_scan_quota(access_token: str) -> QuotaResult:
+    """Check scan quota with the server and consume a scan slot if allowed.
+
+    Raises ConnectionError if the server is unreachable,
+    PermissionError if the token is invalid/expired.
+    """
+    url = f"{WEB_APP_URL}/api/scan-check"
+    req = urllib.request.Request(
+        url,
+        method="POST",
+        headers={
+            "Authorization": f"Bearer {access_token}",
+            "Content-Type": "application/json",
+        },
+    )
+
+    try:
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            return json.loads(resp.read())
+    except urllib.error.HTTPError as exc:
+        if exc.code == 401:
+            raise PermissionError("Token expired or invalid. Run `oncecheck login` to re-authenticate.")
+        body = exc.read().decode(errors="replace")
+        raise ConnectionError(f"Scan check failed ({exc.code}): {body}")
+    except (urllib.error.URLError, TimeoutError, OSError) as exc:
+        raise ConnectionError(f"Could not reach Oncecheck server: {exc}")

oncecheck-0.1.0/oncecheck/auth/login.py

@@ -0,0 +1,141 @@
+"""CLI authentication via localhost callback — opens browser, receives tokens."""
+
+from __future__ import annotations
+
+import socket
+import threading
+import webbrowser
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from typing import Optional
+from urllib.parse import urlparse, parse_qs
+
+from rich.console import Console
+
+from .token_store import load_token, save_token, clear_token
+
+console = Console()
+
+WEB_APP_URL = "https://oncecheck.com"
+
+
+def _find_free_port() -> int:
+    """Find an available port on localhost."""
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+        s.bind(("127.0.0.1", 0))
+        return s.getsockname()[1]
+
+
+class _CallbackHandler(BaseHTTPRequestHandler):
+    """Handles the OAuth callback from the web app."""
+
+    token_data: Optional[dict] = None
+
+    def do_GET(self) -> None:
+        parsed = urlparse(self.path)
+        if parsed.path != "/callback":
+            self.send_response(404)
+            self.end_headers()
+            return
+
+        params = parse_qs(parsed.query)
+        access_token = params.get("access_token", [None])[0]
+        refresh_token = params.get("refresh_token", [None])[0]
+        email = params.get("email", [None])[0]
+        plan = params.get("plan", ["starter"])[0]
+
+        if not access_token:
+            self.send_response(400)
+            self.send_header("Content-Type", "text/html")
+            self.end_headers()
+            self.wfile.write(b"<html><body><h2>Authentication failed.</h2>"
+                             b"<p>No token received. Please try again.</p></body></html>")
+            return
+
+        # Store on the class so the caller can retrieve it
+        _CallbackHandler.token_data = {
+            "access_token": access_token,
+            "refresh_token": refresh_token or "",
+            "email": email or "",
+            "plan": plan,
+        }
+
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html")
+        self.end_headers()
+        self.wfile.write(
+            b"<html><body style='font-family:system-ui;text-align:center;padding:60px'>"
+            b"<h2 style='color:#22c55e'>Authenticated!</h2>"
+            b"<p>You can close this tab and return to the terminal.</p>"
+            b"</body></html>"
+        )
+
+        # Shutdown the server in a separate thread to avoid deadlock
+        threading.Thread(target=self.server.shutdown, daemon=True).start()
+
+    def log_message(self, format: str, *args: object) -> None:
+        """Suppress default HTTP logging."""
+        pass
+
+
+def login_flow() -> dict:
+    """Run the browser-based login flow with localhost callback.
+
+    1. Starts a temporary HTTP server on a free port.
+    2. Opens the web app login page with a cli_redirect parameter.
+    3. Waits for the browser to redirect back with tokens.
+    4. Saves the tokens and returns the token data.
+    """
+    port = _find_free_port()
+    redirect_url = f"http://localhost:{port}/callback"
+    login_url = f"{WEB_APP_URL}/login?cli_redirect={redirect_url}"
+
+    _CallbackHandler.token_data = None
+
+    server = HTTPServer(("127.0.0.1", port), _CallbackHandler)
+
+    console.print()
+    console.print("[bold yellow]Authentication required.[/bold yellow]")
+    console.print("Opening your browser to sign in...\n")
+    console.print(f"  [bold cyan]{login_url}[/bold cyan]\n")
+    console.print("[dim]Waiting for authentication...[/dim]")
+
+    try:
+        webbrowser.open(login_url)
+    except OSError:
+        console.print("[dim]Could not open browser. Please visit the URL above manually.[/dim]")
+
+    # Run server in background thread with a 5-minute timeout
+    server_thread = threading.Thread(target=server.serve_forever, daemon=True)
+    server_thread.start()
+    server_thread.join(timeout=300)
+
+    if server_thread.is_alive():
+        server.shutdown()
+        server.server_close()
+        console.print("\n[bold red]Login timed out.[/bold red] Please try again.")
+        raise SystemExit(1)
+
+    server.server_close()
+
+    token_data = _CallbackHandler.token_data
+    if not token_data or not token_data.get("access_token"):
+        console.print("[bold red]Authentication failed.[/bold red] No token received.")
+        raise SystemExit(1)
+
+    save_token(token_data)
+    console.print(f"[bold green]Authenticated![/bold green] ({token_data.get('email', '')} — {token_data.get('plan', 'starter').capitalize()} plan)")
+    return token_data
+
+
+def ensure_authenticated() -> dict:
+    """Return token data if already authenticated, or trigger login flow."""
+    token = load_token()
+    if token and token.get("access_token"):
+        return token
+    return login_flow()
+
+
+def logout() -> None:
+    """Clear stored credentials."""
+    clear_token()
+    console.print("[green]Logged out successfully.[/green]")

oncecheck-0.1.0/oncecheck/auth/token_store.py

@@ -0,0 +1,85 @@
+"""Persistent token storage for CLI authentication."""
+
+from __future__ import annotations
+
+import json
+import os
+import platform
+import stat
+import time
+from pathlib import Path
+from typing import Optional
+
+
+APP_NAME = "oncecheck"
+TOKEN_TTL_SECONDS = 7 * 24 * 3600  # 7 days
+
+
+def _token_dir() -> Path:
+    system = platform.system()
+    if system == "Darwin":
+        base = Path.home() / "Library" / "Application Support"
+    elif system == "Windows":
+        base = Path(os.environ.get("APPDATA", str(Path.home() / "AppData" / "Roaming")))
+    else:
+        base = Path(os.environ.get("XDG_CONFIG_HOME", str(Path.home() / ".config")))
+    return base / APP_NAME
+
+
+def _token_path() -> Path:
+    return _token_dir() / "token.json"
+
+
+def _set_file_permissions(path: Path, is_dir: bool = False) -> None:
+    """Restrict to owner-only: 0o700 for dirs, 0o600 for files."""
+    try:
+        if platform.system() != "Windows":
+            if is_dir:
+                os.chmod(path, stat.S_IRWXU)  # 0o700
+            else:
+                os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0o600
+    except OSError:
+        pass
+
+
+def save_token(data: dict) -> Path:
+    """Write token data to disk with restricted permissions and return the path."""
+    # Stamp the token with an issued-at time for expiration checks
+    if "issued_at" not in data:
+        data["issued_at"] = time.time()
+
+    path = _token_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+
+    # Set restrictive permissions on directory (needs execute for traversal)
+    _set_file_permissions(path.parent, is_dir=True)
+
+    path.write_text(json.dumps(data, indent=2))
+    _set_file_permissions(path)
+    return path
+
+
+def load_token() -> Optional[dict]:
+    """Load saved token, or return None if absent / invalid / expired."""
+    path = _token_path()
+    if not path.exists():
+        return None
+    try:
+        data = json.loads(path.read_text())
+    except (json.JSONDecodeError, OSError):
+        return None
+
+    # Check token expiration
+    issued_at = data.get("issued_at", 0)
+    if time.time() - issued_at > TOKEN_TTL_SECONDS:
+        clear_token()
+        return None
+
+    return data
+
+
+def clear_token() -> None:
+    """Delete the saved token file."""
+    path = _token_path()
+    if path.exists():
+        path.unlink()