0xray 2.1.2 → 2.1.4

package/dist/reporting/report-formatter.js

@@ -98,7 +98,7 @@ ${data.recommendations.map((rec) => `- ${rec}`).join("\n")}
 4. **Performance Monitoring**: Track rule enforcement effectiveness metrics
 
 ---
-*Consumer runtime compat shim from prior StringRay releases (1-line min per Scope Rule; primary xray paths + XRAY_||STRRAY_ env + .xray fallbacks)*
+*Consumer runtime compat (XRAY_ env + .xray fallbacks)*
 *Framework Status: Operational*
     `;
 }

package/dist/security/security-hardener.d.ts

@@ -3,11 +3,29 @@
  *
  * Implements additional security measures and hardening for the framework.
  * Addresses vulnerabilities identified during security audit.
+ * Includes AES-256-GCM encryption, scrypt password hashing, and event tracking.
  *
- * @version 1.0.0
+ * @version 2.0.0
  * @since 2026-01-07
  */
-import { SecurityIssue } from "./security-auditor.js";
+export interface SecurityIssue {
+    severity: "critical" | "high" | "medium" | "low" | "info";
+    category: string;
+    file: string;
+    line?: number;
+    description: string;
+    recommendation: string;
+    cwe?: string;
+}
+interface SecurityEvent {
+    id: string;
+    type: string;
+    severity: "low" | "medium" | "high" | "critical";
+    message: string;
+    source: string;
+    timestamp: number;
+    metadata?: Record<string, unknown>;
+}
 export interface SecurityHardeningConfig {
     enableInputValidation: boolean;
     enableRateLimiting: boolean;
@@ -19,7 +37,55 @@ export interface SecurityHardeningConfig {
 }
 export declare class SecurityHardener {
     private config;
+    private encryptionKey;
+    private securityEvents;
+    private readonly maxSecurityEvents;
     constructor(config?: Partial<SecurityHardeningConfig>);
+    /**
+     * Initialize encryption with an optional key.
+     * Generates a random key if none provided.
+     */
+    initEncryption(secret?: string): void;
+    /**
+     * AES-256-GCM encrypt data.
+     * Returns Base64 string with IV + ciphertext + auth tag.
+     */
+    encryptData(data: string): string;
+    /**
+     * AES-256-GCM decrypt data.
+     * Returns null on auth failure (tampered key or data).
+     */
+    decryptData(encryptedData: string): string | null;
+    /**
+     * Hash password with scrypt and unique salt.
+     */
+    hashPassword(password: string): Promise<{
+        hash: string;
+        salt: string;
+    }>;
+    /**
+     * Verify password against a scrypt hash.
+     */
+    verifyPassword(password: string, hash: string, salt: string): Promise<boolean>;
+    /**
+     * Generate a cryptographically secure random hex token.
+     */
+    generateSecureToken(length?: number): string;
+    /**
+     * Record a security event for tracking and stats.
+     */
+    recordSecurityEvent(event: Omit<SecurityEvent, "id" | "timestamp">): void;
+    /**
+     * Get recent security events.
+     */
+    getSecurityEvents(limit?: number): SecurityEvent[];
+    /**
+     * Get security event statistics.
+     */
+    getSecurityStats(): {
+        totalEvents: number;
+        eventsBySeverity: Record<string, number>;
+    };
     /**
      * Apply security hardening based on audit results
      */
@@ -60,3 +126,4 @@ export declare class SecurityHardener {
     }): void;
 }
 export declare const securityHardener: SecurityHardener;
+export {};

package/dist/security/security-hardener.js

@@ -3,13 +3,22 @@
  *
  * Implements additional security measures and hardening for the framework.
  * Addresses vulnerabilities identified during security audit.
+ * Includes AES-256-GCM encryption, scrypt password hashing, and event tracking.
  *
- * @version 1.0.0
+ * @version 2.0.0
  * @since 2026-01-07
  */
 import { promises as fs } from "fs";
+import * as crypto from "crypto";
+import { frameworkLogger } from "../core/framework-logger.js";
+const ENCRYPTION_ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
 export class SecurityHardener {
     config;
+    encryptionKey = null;
+    securityEvents = [];
+    maxSecurityEvents = 1000;
     constructor(config = {}) {
         this.config = {
             enableInputValidation: true,
@@ -22,6 +31,125 @@ export class SecurityHardener {
             ...config,
         };
     }
+    /**
+     * Initialize encryption with an optional key.
+     * Generates a random key if none provided.
+     */
+    initEncryption(secret) {
+        if (this.encryptionKey)
+            return;
+        this.encryptionKey = secret
+            ? crypto.scryptSync(secret, "salt", KEY_LENGTH)
+            : crypto.randomBytes(KEY_LENGTH);
+    }
+    /**
+     * AES-256-GCM encrypt data.
+     * Returns Base64 string with IV + ciphertext + auth tag.
+     */
+    encryptData(data) {
+        this.initEncryption();
+        const iv = crypto.randomBytes(IV_LENGTH);
+        const cipher = crypto.createCipheriv(ENCRYPTION_ALGORITHM, this.encryptionKey, iv);
+        let encrypted = cipher.update(data, "utf8", "binary");
+        encrypted += cipher.final("binary");
+        const authTag = cipher.getAuthTag();
+        const combined = Buffer.concat([iv, Buffer.from(encrypted, "binary"), authTag]);
+        return combined.toString("base64");
+    }
+    /**
+     * AES-256-GCM decrypt data.
+     * Returns null on auth failure (tampered key or data).
+     */
+    decryptData(encryptedData) {
+        this.initEncryption();
+        try {
+            const combined = Buffer.from(encryptedData, "base64");
+            const iv = combined.subarray(0, IV_LENGTH);
+            const authTag = combined.subarray(combined.length - 16);
+            const encrypted = combined.subarray(IV_LENGTH, combined.length - 16);
+            const decipher = crypto.createDecipheriv(ENCRYPTION_ALGORITHM, this.encryptionKey, iv);
+            decipher.setAuthTag(authTag);
+            return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Hash password with scrypt and unique salt.
+     */
+    async hashPassword(password) {
+        return new Promise((resolve, reject) => {
+            const salt = crypto.randomBytes(32).toString("hex");
+            crypto.scrypt(password, salt, KEY_LENGTH, { N: 16384, r: 8, p: 1 }, (err, derivedKey) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve({ hash: derivedKey.toString("hex"), salt });
+            });
+        });
+    }
+    /**
+     * Verify password against a scrypt hash.
+     */
+    async verifyPassword(password, hash, salt) {
+        return new Promise((resolve) => {
+            crypto.scrypt(password, salt, KEY_LENGTH, { N: 16384, r: 8, p: 1 }, (err, derivedKey) => {
+                if (err)
+                    return resolve(false);
+                try {
+                    resolve(crypto.timingSafeEqual(Buffer.from(derivedKey.toString("hex"), "hex"), Buffer.from(hash, "hex")));
+                }
+                catch {
+                    resolve(false);
+                }
+            });
+        });
+    }
+    /**
+     * Generate a cryptographically secure random hex token.
+     */
+    generateSecureToken(length = 32) {
+        return crypto.randomBytes(length).toString("hex");
+    }
+    /**
+     * Record a security event for tracking and stats.
+     */
+    recordSecurityEvent(event) {
+        const entry = {
+            id: this.generateSecureToken(16),
+            timestamp: Date.now(),
+            ...event,
+        };
+        this.securityEvents.push(entry);
+        if (this.securityEvents.length > this.maxSecurityEvents) {
+            this.securityEvents.shift();
+        }
+        if (event.severity === "high" || event.severity === "critical") {
+            frameworkLogger.log("security-hardener", "security-event", "error", {
+                severity: event.severity,
+                type: event.type,
+                message: event.message,
+                source: event.source,
+            });
+        }
+    }
+    /**
+     * Get recent security events.
+     */
+    getSecurityEvents(limit = 100) {
+        return this.securityEvents.slice(-limit);
+    }
+    /**
+     * Get security event statistics.
+     */
+    getSecurityStats() {
+        const eventsBySeverity = { low: 0, medium: 0, high: 0, critical: 0 };
+        this.securityEvents.forEach((e) => {
+            eventsBySeverity[e.severity] = (eventsBySeverity[e.severity] || 0) + 1;
+        });
+        return { totalEvents: this.securityEvents.length, eventsBySeverity };
+    }
     /**
      * Apply security hardening based on audit results
      */

package/dist/skills/registry.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.0.1",
+  "version": "2.1.3",
   "description": "0xRay Skills Registry - recommended skill sources for consumers",
   "sources": [
     {

package/dist/state/index.d.ts

@@ -1,5 +1,3 @@
-export * from "./state-manager.js";
-export * from "./context-providers.js";
-export * from "./state-types.js";
-export { XrayStateManager } from "./state-manager.js";
-export { XrayStateManager as StringRayStateManager } from "./state-manager.js";
+export { StateManager, XrayStateManager, XrayStateManager as StrRayStateManager } from "./state-manager.js";
+export type { StateValue, StateTypes } from "./state-types.js";
+export type { ContextProviders } from "./context-providers.js";

package/dist/state/index.js

@@ -1,8 +1,2 @@
 // 0xRay Framework State Management
-// Export all state management utilities and providers
-export * from "./state-manager.js";
-export * from "./context-providers.js";
-export * from "./state-types.js";
-// Re-export commonly used state utilities
-export { XrayStateManager } from "./state-manager.js";
-export { XrayStateManager as StringRayStateManager } from "./state-manager.js";
+export { XrayStateManager, XrayStateManager as StrRayStateManager } from "./state-manager.js";

package/dist/state/state-manager.d.ts

@@ -39,4 +39,4 @@ export declare class XrayStateManager implements StateManager {
         value2: unknown;
     }): unknown;
 }
-export { XrayStateManager as StringRayStateManager, XrayStateManager as StrRayStateManager };
+export { XrayStateManager as StrRayStateManager };

package/dist/state/state-manager.js

@@ -204,6 +204,5 @@ export class XrayStateManager {
         return conflict.value2; // Prefer the second value as newer
     }
 }
-// Export alias for scripts expecting XrayStateManager
-// Backward compat: StringRayStateManager and StrRayStateManager aliases
-export { XrayStateManager as StringRayStateManager, XrayStateManager as StrRayStateManager };
+// Keep StrRayStateManager for internal backward compat
+export { XrayStateManager as StrRayStateManager };

package/package.json

@@ -1,12 +1,11 @@
 {
   "name": "0xray",
-  "version": "2.1.2",
+  "version": "2.1.4",
   "description": "Multi-agent orchestration and Codex governance for OpenCode, Hermes, Grok Build, and OpenClaw",
-  "readme": "README.md",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/0xRayAI/xray.git"
+    "url": "git+https://github.com/0xRayAI/xray.git"
   },
   "homepage": "https://github.com/0xRayAI/xray#readme",
   "bugs": {
@@ -46,13 +45,13 @@
     "mcps": "./dist/mcps/"
   },
   "scripts": {
-    "prepublishOnly": "npm run prepare-consumer && npm run build:all && find dist -name '*.d.ts' -o -name '*.d.ts.map' -o -name '*.js.map' | xargs rm -f",
+    "prepublishOnly": "npm run prepare-consumer && npm run build:all && find dist -name '*.d.ts' -o -name '*.d.ts.map' -o -name '*.js.map' | xargs rm -f && echo 'Checking for stale STRRAY_ references...' && ! grep -rn 'STRRAY_' dist/ --include='*.js' --include='*.mjs' 2>/dev/null | grep -v '//.*STRRAY_' || { echo 'ERROR: Stale STRRAY_ references found in dist/'; exit 1; }",
     "version:bump": "node scripts/node/version-manager.mjs",
     "version": "node scripts/node/version-manager.mjs",
     "postinstall": "node scripts/node/postinstall.cjs",
     "prepare": "npm run build",
     "prebuild": "rm -rf dist tsconfig.tsbuildinfo tsconfig.*.tsbuildinfo",
-    "build": "tsc && mkdir -p dist/public dist/scripts && cp -r public/* dist/public/ && cp scripts/hooks/pre-command dist/scripts/ && cp scripts/hooks/pre-command.mjs dist/scripts/ && cp README.md AGENTS.md CHANGELOG.md LICENSE dist/ && find src -name '*.mjs' ! -path '*/__tests__/*' | while read f; do tgt=\"dist/${f#src/}\"; mkdir -p \"$(dirname $tgt)\"; cp \"$f\" \"$tgt\"; done && for dir in skills integrations mcps; do find src/$dir -type f ! -name '*.ts' ! -path '*/.pytest_cache/*' | while read f; do tgt=\"dist/${f#src/}\"; mkdir -p \"$(dirname $tgt)\"; cp \"$f\" \"$tgt\"; done; done && mkdir -p dist/plugin && (find dist/plugin -name '*codex-injection*.js' -exec cp {} dist/plugin/xray-codex-injection.js \\; 2>/dev/null || true) && cp -r src/opencode/ .opencode/ && rm -rf .opencode/xray 2>/dev/null; mkdir -p .opencode/xray && cp xray/codex.json .opencode/xray/codex.json 2>/dev/null; cp xray/features.json .opencode/xray/features.json 2>/dev/null || true",
+    "build": "tsc && mkdir -p dist/public dist/scripts && cp -r public/* dist/public/ && cp scripts/hooks/pre-command dist/scripts/ && cp scripts/hooks/pre-command.mjs dist/scripts/ && cp README.md AGENTS.md CHANGELOG.md LICENSE dist/ && find src -name '*.mjs' ! -path '*/__tests__/*' | while read f; do tgt=\"dist/${f#src/}\"; mkdir -p \"$(dirname $tgt)\"; cp \"$f\" \"$tgt\"; done && for dir in skills integrations mcps; do find src/$dir -type f ! -name '*.ts' ! -path '*/.pytest_cache/*' | while read f; do tgt=\"dist/${f#src/}\"; mkdir -p \"$(dirname $tgt)\"; cp \"$f\" \"$tgt\"; done; done && mkdir -p dist/plugin && (find dist/plugin -name '*codex-injection*.js' -exec cp {} dist/plugin/xray-codex-injection.js \\; 2>/dev/null || true) && cp -r src/opencode/ .opencode/ && echo 'build artifacts in .opencode/xray/ removed — runtime reads from xray/ directly'",
     "build:all": "npm run build",
     "ci-install": "npm ci",
     "clean": "rm -rf dist tsconfig.tsbuildinfo tsconfig.*.tsbuildinfo",
@@ -60,13 +59,14 @@
     "test:batch": "npm test",
     "test:unit": "npm test -- src/__tests__/unit/config-loader.test.ts src/__tests__/unit/state-manager.test.ts src/__tests__/unit/state-manager-persistence.test.ts src/__tests__/unit/context-loader.test.ts src/__tests__/unit/pattern-analyzer.test.ts src/__tests__/unit/complexity-calibrator.test.ts",
     "test:core-framework": "npm test -- src/__tests__/unit/self-direction-activation.test.ts src/__tests__/unit/ast-code-parser.test.ts src/__tests__/unit/v2-deletion-protection.test.ts",
-    "test:security": "npm test -- src/__tests__/unit/security/security-hardener.test.ts src/__tests__/unit/security/security-headers.test.ts src/__tests__/unit/security/security-auditor.test.ts",
+    "test:security": "npm test -- src/__tests__/unit/security/security-hardener.test.ts src/__tests__/unit/security/security-headers.test.ts",
     "test:performance": "npm test -- src/__tests__/unit/monitoring.test.ts src/__tests__/unit/benchmark.test.ts src/__tests__/unit/analytics.test.ts",
     "test:session-management": "npm test -- src/__tests__/unit/session-state-manager.test.ts src/__tests__/unit/session-security-validator.test.ts src/__tests__/unit/session-coordination-validator.test.ts src/__tests__/unit/session-migration-validator.test.ts src/__tests__/unit/session-migration-logic.test.ts",
     "test:code-analysis": "npm test -- src/__tests__/unit/codebase-context-analyzer.test.ts src/__tests__/unit/dependency-graph-builder.test.ts src/__tests__/unit/rule-enforcer.test.ts src/__tests__/unit/codex-parser.test.ts src/__tests__/unit/codex-injector.test.ts",
     "test:processors": "npm test -- src/__tests__/unit/processor-activation.test.ts src/__tests__/unit/typescript-compilation-processor.test.ts",
     "test:miscellaneous": "npm test -- src/__tests__/unit/blocked-test.test.ts",
     "test:quick": "npm test -- src/__tests__/integration/boot-orchestrator.integration.test.ts src/__tests__/unit/config-loader.test.ts src/__tests__/unit/state-manager.test.ts",
+    "analyze:size": "find src -name '*.ts' ! -path '*/__tests__/*' ! -path '*/node_modules/*' | xargs wc -l | sort -rn | awk '{if(NR==1)print \"Total source LOC: \" $1; else if($1>1000)print $0}' && echo '' && echo 'Files 600-1000 LOC:' && find src -name '*.ts' ! -path '*/__tests__/*' ! -path '*/node_modules/*' | xargs wc -l | sort -rn | awk '$1>600 && $1<=1000' && echo '' && echo 'Source file count:' && find src -name '*.ts' ! -path '*/__tests__/*' ! -path '*/node_modules/*' | wc -l",
     "test:comprehensive": "npm run typecheck && npm run test:unit && npm run test:core-framework && npm run test:security && npm run test:performance && npm run test:session-management && npm run test:code-analysis && npm run test:processors && npm run test:miscellaneous",
     "test:integration-all": "npm test -- src/__tests__/integration/",
     "test:performance-all": "npm test -- src/__tests__/performance/ src/__tests__/unit/performance-system.test.ts src/__tests__/unit/benchmark.test.ts src/__tests__/unit/analytics.test.ts",
@@ -149,16 +149,13 @@
   ],
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.4",
-    "0xray": "^2.0.1",
     "commander": "^11.1.0",
     "express": "^5.2.1",
-    "jsonwebtoken": "^9.0.3",
     "ws": "^8.16.0"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.2",
     "@types/express": "^5.0.0",
-    "@types/jsonwebtoken": "^9.0.7",
     "@types/node": "^22.10.2",
     "@types/ws": "^8.5.13",
     "@typescript-eslint/eslint-plugin": "^8.18.0",
@@ -168,5 +165,11 @@
     "ts-node": "^10.9.2",
     "typescript": "^5.7.2",
     "vitest": "^4.1.8"
-  }
+  },
+  "directories": {
+    "doc": "docs",
+    "example": "examples",
+    "test": "tests"
+  },
+  "author": ""
 }

package/scripts/node/universal-version-manager.js

@@ -147,7 +147,7 @@ function detectCodexInfo() {
       return { version: cver.startsWith("v") ? cver : `v${cver}`, termsCount: termCount, lastUpdated: new Date().toISOString().split("T")[0] };
     } catch {}
   }
-  return { version: "v2.0.0", termsCount: 68, lastUpdated: new Date().toISOString().split("T")[0] };
+  return { version: "v2.1.1", termsCount: 68, lastUpdated: new Date().toISOString().split("T")[0] };
 }
 
 const detectedCodex = detectCodexInfo();
@@ -155,9 +155,9 @@ const detectedCodex = detectCodexInfo();
 const OFFICIAL_VERSIONS = {
   // Framework version
   framework: {
-    version: "2.1.1",
+    version: "2.1.4",
       displayName: "xray: Self-Healing AI Governance OS",
-      lastUpdated: "2026-06-08",
+      lastUpdated: "2026-06-09",
     // Counts (auto-calculated, but can be overridden)
     ...CALCULATED_COUNTS,
   },
@@ -346,29 +346,29 @@ const UPDATE_PATTERNS = [
     },
 
     // === BADGE AND COUNT PATTERNS ===
-    // Test count in docs badge (e.g., tests-2290-brightgreen)
+    // Test count in docs badge (e.g., tests-2282-brightgreen)
     {
       pattern: /tests-[0-9]+(?=-brightgreen)/g,
       replacement: `tests-${OFFICIAL_VERSIONS.framework.tests}`,
     },
-    // Test count in npm badge (e.g., tests-2290%20passed-brightgreen)
+    // Test count in npm badge (e.g., tests-2282%20passed-brightgreen)
     {
       pattern: /tests-[0-9,]+%20passed/g,
       replacement: `tests-${OFFICIAL_VERSIONS.framework.tests}%20passed`,
     },
-    // Test count in prose (e.g., "2,2290 Tests" or "2290 Tests" but NOT in badge URLs)
+    // Test count in prose (e.g., "2,2282 Tests" or "2282 Tests" but NOT in badge URLs)
     {
       pattern: /(\*\s*✅\s*)([0-9]{1,3},?[0-9]{3})(\s*Tests)/g,
       replacement: (match, p1, p2, p3) => {
         return `${p1}${OFFICIAL_VERSIONS.framework.tests}${p3}`;
       },
     },
-    // Test count in feature bullets (e.g., "✅ 2290 Tests")
+    // Test count in feature bullets (e.g., "✅ 2282 Tests")
     {
       pattern: /[0-9]+ Tests/g,
       replacement: `${OFFICIAL_VERSIONS.framework.tests} Tests`,
     },
-    // Test count in config tree (e.g., "2290 tests")
+    // Test count in config tree (e.g., "2282 tests")
     {
       pattern: /[0-9]+ tests/g,
       replacement: `${OFFICIAL_VERSIONS.framework.tests} tests`,
@@ -403,7 +403,7 @@ const UPDATE_PATTERNS = [
       pattern: /xray AI v[0-9]+\.[0-9]+\.[0-9]+/g,
       replacement: `xray AI v${OFFICIAL_VERSIONS.framework.version}`,
     },
-    // Footer bare version (e.g., "**Version**: 2.0.1")
+    // Footer bare version (e.g., "**Version**: 2.1.3")
     {
       pattern: /\*\*Version\*\*:\s*[0-9]+\.[0-9]+\.[0-9]+/g,
       replacement: `**Version**: ${OFFICIAL_VERSIONS.framework.version}`,
@@ -438,7 +438,7 @@ const UPDATE_PATTERNS = [
   async function createBackup() {
     try {
       const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
-      backupDir = `backups/version-manager-backup-${timestamp}`;
+      backupDir = `docs/reflections/backups/version-manager-${timestamp}`;
 
       // Create backup directory
       fs.mkdirSync(backupDir, { recursive: true });
@@ -1014,7 +1014,7 @@ const UPDATE_PATTERNS = [
  * - No files reference old versions
  *
  * 💾 BACKUP LOCATION:
- * - Created in 'backups/version-manager-backup-[timestamp]/'
+ * - Created in 'docs/reflections/backups/version-manager-[timestamp]/'
  * - Includes changelog.md with all changes
  *
  * 📝 TO ROLLBACK: