1/**
  2 * Scan a project tree for Content-Security-Policy signals and classify the
  3 * shape so the agent knows which patch template to propose.
  4 *
  5 * Used at first-time `live.mjs` setup. Mechanical (grep-based) — no network,
  6 * no dev server, no JS evaluation. The classification drives a user-facing
  7 * consent prompt; the agent does the actual patch writing.
  8 *
  9 * Shapes are named by patch mechanism, not framework origin:
 10 *   - "append-arrays":  CSP defined as structured directive arrays. Patch
 11 *                       appends a dev-only localhost entry. Covers:
 12 *                         - Monorepo helpers with additional*Src options
 13 *                           (e.g. createBaseNextConfig for Next)
 14 *                         - SvelteKit kit.csp.directives
 15 *                         - nuxt-security module's contentSecurityPolicy
 16 *   - "append-string":  CSP built as a literal value string. Patch splices
 17 *                       a dev-only token into script-src and connect-src.
 18 *                       Covers:
 19 *                         - Inline Next.js headers() with CSP string
 20 *                         - Nuxt routeRules / nitro.routeRules CSP headers
 21 *   - "middleware":     CSP set dynamically in middleware.{ts,js}.
 22 *                       Detected but not auto-patched in v1.
 23 *   - "meta-tag":       <meta http-equiv="Content-Security-Policy"> in
 24 *                       layout files. Detected but not auto-patched in v1.
 25 *   - null:             no CSP signals found; no patch needed.
 26 */
 27
 28import fs from 'node:fs';
 29import path from 'node:path';
 30
 31const SKIP_DIRS = new Set([
 32  'node_modules',
 33  '.git',
 34  '.next',
 35  '.turbo',
 36  '.svelte-kit',
 37  '.nuxt',
 38  '.astro',
 39  'dist',
 40  'build',
 41  'out',
 42  '.vercel',
 43]);
 44
 45const SCAN_EXTS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts', '.tsx', '.jsx']);
 46const LAYOUT_EXTS = new Set(['.tsx', '.jsx', '.astro', '.vue', '.svelte', '.html']);
 47const MAX_DEPTH = 6;
 48const MAX_READ_BYTES = 64 * 1024;
 49
 50// append-arrays signals: CSP expressed as structured directive arrays
 51const MONOREPO_HELPER_SIGNALS = [
 52  /\bbuildCSPConfig\b/,
 53  /\bbuildSecurityHeaders\b/,
 54  /\badditionalScriptSrc\b/,
 55  /\badditionalConnectSrc\b/,
 56  /\bcreateBaseNextConfig\b/,
 57];
 58const SVELTEKIT_CSP_SIGNALS = [
 59  /\bkit\s*:/,
 60  /\bcsp\s*:/,
 61  /\bdirectives\s*:/,
 62];
 63const NUXT_SECURITY_SIGNALS = [
 64  /['"]nuxt-security['"]/,
 65  /\bcontentSecurityPolicy\b/,
 66];
 67
 68// append-string signals: CSP written as a literal value string
 69const INLINE_HEADER_SIGNALS = [
 70  /["']Content-Security-Policy["']/i,
 71  /\bscript-src\b/,
 72  /\bconnect-src\b/,
 73];
 74const NUXT_ROUTE_RULES_SIGNALS = [
 75  /\brouteRules\b/,
 76  /Content-Security-Policy/i,
 77  /\bscript-src\b/,
 78];
 79
 80const MIDDLEWARE_HINT = /headers\.set\(\s*["']Content-Security-Policy["']/i;
 81const META_TAG_HINT = /http-equiv\s*=\s*["']Content-Security-Policy["']/i;
 82
 83/**
 84 * @param {string} cwd Project root.
 85 * @returns {{ shape: string|null, signals: string[] }}
 86 */
 87export function detectCsp(cwd = process.cwd()) {
 88  const hits = { appendArrays: [], appendString: [], middleware: [], metaTag: [] };
 89
 90  walk(cwd, cwd, 0, (absPath, relPath, body) => {
 91    const ext = path.extname(absPath);
 92    const base = path.basename(absPath).toLowerCase();
 93    const isConfig = (name) =>
 94      new RegExp('(^|/)' + name + '\\.config\\.').test(relPath);
 95
 96    // === append-arrays candidates ===
 97
 98    // Monorepo CSP helper: packages/*/src/.../(config|security)/*
 99    if (SCAN_EXTS.has(ext) &&
100        /packages\/[^/]+\/src\/.*(config|next-config|security)/.test(relPath) &&
101        MONOREPO_HELPER_SIGNALS.some((re) => re.test(body))) {
102      hits.appendArrays.push(relPath);
103      return;
104    }
105
106    // SvelteKit kit.csp.directives
107    if (SCAN_EXTS.has(ext) && isConfig('svelte') &&
108        SVELTEKIT_CSP_SIGNALS.every((re) => re.test(body))) {
109      hits.appendArrays.push(relPath);
110      return;
111    }
112
113    // Nuxt nuxt-security module
114    if (SCAN_EXTS.has(ext) && isConfig('nuxt') &&
115        NUXT_SECURITY_SIGNALS.every((re) => re.test(body))) {
116      hits.appendArrays.push(relPath);
117      return;
118    }
119
120    // === append-string candidates ===
121
122    // Inline headers in Next/Nuxt/SvelteKit/Astro/Vite config
123    if (SCAN_EXTS.has(ext) &&
124        /(^|\/)(next|nuxt|vite|astro|svelte)\.config\./.test(relPath) &&
125        INLINE_HEADER_SIGNALS.every((re) => re.test(body))) {
126      // Nuxt routeRules is a sub-shape of append-string; we already covered
127      // nuxt-security above via return, so any remaining Nuxt CSP match here
128      // is a route-rules / inline-headers case. Either way, same patch
129      // mechanism.
130      hits.appendString.push(relPath);
131      return;
132    }
133
134    // === detect-only shapes ===
135
136    if ((base === 'middleware.ts' || base === 'middleware.js' || base === 'middleware.mjs') &&
137        MIDDLEWARE_HINT.test(body)) {
138      hits.middleware.push(relPath);
139    }
140
141    if (LAYOUT_EXTS.has(ext) && META_TAG_HINT.test(body)) {
142      hits.metaTag.push(relPath);
143    }
144  });
145
146  // Priority: append-arrays > append-string > middleware > meta-tag.
147  // Structured patches are safer than string splices; runtime and HTML
148  // injection patches are less reliable and v1 doesn't auto-apply them.
149  if (hits.appendArrays.length > 0) {
150    return { shape: 'append-arrays', signals: hits.appendArrays };
151  }
152  if (hits.appendString.length > 0) {
153    return { shape: 'append-string', signals: hits.appendString };
154  }
155  if (hits.middleware.length > 0) {
156    return { shape: 'middleware', signals: hits.middleware };
157  }
158  if (hits.metaTag.length > 0) {
159    return { shape: 'meta-tag', signals: hits.metaTag };
160  }
161  return { shape: null, signals: [] };
162}
163
164function walk(root, dir, depth, visit) {
165  if (depth > MAX_DEPTH) return;
166  let entries;
167  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
168  catch { return; }
169
170  for (const entry of entries) {
171    const abs = path.join(dir, entry.name);
172    if (entry.isDirectory()) {
173      if (SKIP_DIRS.has(entry.name)) continue;
174      walk(root, abs, depth + 1, visit);
175      continue;
176    }
177    if (!entry.isFile()) continue;
178    const ext = path.extname(entry.name);
179    if (!SCAN_EXTS.has(ext) && !LAYOUT_EXTS.has(ext)) continue;
180    let body;
181    try {
182      const fd = fs.openSync(abs, 'r');
183      try {
184        const buf = Buffer.alloc(MAX_READ_BYTES);
185        const n = fs.readSync(fd, buf, 0, MAX_READ_BYTES, 0);
186        body = buf.slice(0, n).toString('utf-8');
187      } finally { fs.closeSync(fd); }
188    } catch { continue; }
189    visit(abs, path.relative(root, abs), body);
190  }
191}
192
193// CLI mode
194const _running = process.argv[1];
195if (_running?.endsWith('detect-csp.mjs') || _running?.endsWith('detect-csp.mjs/')) {
196  const result = detectCsp(process.cwd());
197  console.log(JSON.stringify(result, null, 2));
198}