@claude-flow/shared 3.0.0-alpha.1 → 3.0.0-alpha.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-flow/daemon-state.json +135 -0
- package/.claude-flow/data/pending-insights.jsonl +2 -0
- package/.claude-flow/data/ranked-context.json +5 -0
- package/.claude-flow/logs/daemon.log +45 -0
- package/.claude-flow/logs/headless/audit_1777379186972_h5un5x_prompt.log +3210 -0
- package/.claude-flow/logs/headless/audit_1777379186972_h5un5x_result.log +117 -0
- package/.claude-flow/logs/headless/audit_1777379816437_w0eaul_prompt.log +3210 -0
- package/.claude-flow/logs/headless/audit_1777379816437_w0eaul_result.log +53 -0
- package/.claude-flow/logs/headless/audit_1777380440097_621y8m_prompt.log +3210 -0
- package/.claude-flow/logs/headless/audit_1777380440097_621y8m_result.log +75 -0
- package/.claude-flow/logs/headless/optimize_1777379306973_an4lmy_prompt.log +3504 -0
- package/.claude-flow/logs/headless/optimize_1777379306973_an4lmy_result.log +166 -0
- package/.claude-flow/logs/headless/optimize_1777380274732_apxz3s_prompt.log +3504 -0
- package/.claude-flow/logs/headless/optimize_1777380274732_apxz3s_result.log +219 -0
- package/.claude-flow/logs/headless/testgaps_1777379546969_dvf2a1_prompt.log +3189 -0
- package/.claude-flow/logs/headless/testgaps_1777379546969_dvf2a1_result.log +155 -0
- package/.claude-flow/metrics/codebase-map.json +11 -0
- package/.claude-flow/metrics/consolidation.json +6 -0
- package/.claude-flow/sessions/current.json +13 -0
- package/.swarm/hnsw.index +0 -0
- package/.swarm/hnsw.metadata.json +1 -0
- package/.swarm/memory.db +0 -0
- package/.swarm/memory.db-shm +0 -0
- package/.swarm/memory.db-wal +0 -0
- package/.swarm/schema.sql +305 -0
- package/dist/core/config/loader.d.ts.map +1 -1
- package/dist/core/config/loader.js +17 -1
- package/dist/core/config/loader.js.map +1 -1
- package/dist/core/config/schema.d.ts +697 -103
- package/dist/core/config/schema.d.ts.map +1 -1
- package/dist/core/config/schema.js +3 -1
- package/dist/core/config/schema.js.map +1 -1
- package/dist/events/event-store.d.ts.map +1 -1
- package/dist/events/event-store.js +20 -9
- package/dist/events/event-store.js.map +1 -1
- package/dist/events/example-usage.js +1 -1
- package/dist/events/example-usage.js.map +1 -1
- package/dist/events/index.d.ts +2 -0
- package/dist/events/index.d.ts.map +1 -1
- package/dist/events/index.js +2 -0
- package/dist/events/index.js.map +1 -1
- package/dist/events/rvf-event-log.d.ts +82 -0
- package/dist/events/rvf-event-log.d.ts.map +1 -0
- package/dist/events/rvf-event-log.js +340 -0
- package/dist/events/rvf-event-log.js.map +1 -0
- package/dist/hooks/example-usage.js +3 -3
- package/dist/hooks/example-usage.js.map +1 -1
- package/dist/hooks/executor.d.ts.map +1 -1
- package/dist/hooks/executor.js +7 -4
- package/dist/hooks/executor.js.map +1 -1
- package/dist/hooks/verify-exports.test.js +6 -6
- package/dist/hooks/verify-exports.test.js.map +1 -1
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +4 -0
- package/dist/index.js.map +1 -1
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +3 -6
- package/dist/mcp/server.js.map +1 -1
- package/dist/mcp/types.d.ts +4 -6
- package/dist/mcp/types.d.ts.map +1 -1
- package/dist/mcp/types.js.map +1 -1
- package/dist/plugins/official/hive-mind-plugin.js +2 -2
- package/dist/plugins/official/hive-mind-plugin.js.map +1 -1
- package/dist/plugins/official/maestro-plugin.js +3 -3
- package/dist/plugins/official/maestro-plugin.js.map +1 -1
- package/dist/services/index.d.ts +7 -0
- package/dist/services/index.d.ts.map +1 -0
- package/dist/services/index.js +7 -0
- package/dist/services/index.js.map +1 -0
- package/dist/services/v3-progress.service.d.ts +124 -0
- package/dist/services/v3-progress.service.d.ts.map +1 -0
- package/dist/services/v3-progress.service.js +402 -0
- package/dist/services/v3-progress.service.js.map +1 -0
- package/package.json +12 -3
- package/ruvector.db +0 -0
- package/src/core/config/loader.ts +17 -1
- package/src/core/config/schema.ts +3 -1
- package/src/events/event-store.ts +18 -9
- package/src/events/example-usage.ts +1 -1
- package/src/events/index.ts +4 -0
- package/src/events/rvf-event-log.ts +427 -0
- package/src/hooks/example-usage.ts +3 -3
- package/src/hooks/executor.ts +7 -5
- package/src/hooks/verify-exports.test.ts +6 -6
- package/src/index.ts +5 -0
- package/src/mcp/server.ts +3 -6
- package/src/mcp/types.ts +4 -6
- package/src/plugins/official/hive-mind-plugin.ts +2 -2
- package/src/plugins/official/maestro-plugin.ts +3 -3
- package/src/services/index.ts +16 -0
- package/src/services/v3-progress.service.ts +505 -0
- package/tmp.json +0 -0
- package/tsconfig.tsbuildinfo +1 -1
- package/.agentic-flow/intelligence.json +0 -16
- package/__tests__/coverage/base.css +0 -224
- package/__tests__/coverage/block-navigation.js +0 -87
- package/__tests__/coverage/coverage-final.json +0 -50
- package/__tests__/coverage/favicon.png +0 -0
- package/__tests__/coverage/index.html +0 -326
- package/__tests__/coverage/lcov-report/base.css +0 -224
- package/__tests__/coverage/lcov-report/block-navigation.js +0 -87
- package/__tests__/coverage/lcov-report/favicon.png +0 -0
- package/__tests__/coverage/lcov-report/index.html +0 -326
- package/__tests__/coverage/lcov-report/prettify.css +0 -1
- package/__tests__/coverage/lcov-report/prettify.js +0 -2
- package/__tests__/coverage/lcov-report/sort-arrow-sprite.png +0 -0
- package/__tests__/coverage/lcov-report/sorter.js +0 -210
- package/__tests__/coverage/lcov-report/src/core/config/defaults.ts.html +0 -706
- package/__tests__/coverage/lcov-report/src/core/config/index.html +0 -161
- package/__tests__/coverage/lcov-report/src/core/config/loader.ts.html +0 -898
- package/__tests__/coverage/lcov-report/src/core/config/schema.ts.html +0 -649
- package/__tests__/coverage/lcov-report/src/core/config/validator.ts.html +0 -712
- package/__tests__/coverage/lcov-report/src/core/event-bus.ts.html +0 -793
- package/__tests__/coverage/lcov-report/src/core/index.html +0 -116
- package/__tests__/coverage/lcov-report/src/core/interfaces/event.interface.ts.html +0 -886
- package/__tests__/coverage/lcov-report/src/core/interfaces/index.html +0 -116
- package/__tests__/coverage/lcov-report/src/core/orchestrator/event-coordinator.ts.html +0 -451
- package/__tests__/coverage/lcov-report/src/core/orchestrator/health-monitor.ts.html +0 -727
- package/__tests__/coverage/lcov-report/src/core/orchestrator/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/core/orchestrator/lifecycle-manager.ts.html +0 -874
- package/__tests__/coverage/lcov-report/src/core/orchestrator/session-manager.ts.html +0 -922
- package/__tests__/coverage/lcov-report/src/core/orchestrator/task-manager.ts.html +0 -1036
- package/__tests__/coverage/lcov-report/src/events/domain-events.ts.html +0 -1837
- package/__tests__/coverage/lcov-report/src/events/event-store.ts.html +0 -1849
- package/__tests__/coverage/lcov-report/src/events/example-usage.ts.html +0 -964
- package/__tests__/coverage/lcov-report/src/events/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/events/projections.ts.html +0 -1768
- package/__tests__/coverage/lcov-report/src/events/state-reconstructor.ts.html +0 -1132
- package/__tests__/coverage/lcov-report/src/events.ts.html +0 -1186
- package/__tests__/coverage/lcov-report/src/hooks/example-usage.ts.html +0 -1582
- package/__tests__/coverage/lcov-report/src/hooks/executor.ts.html +0 -1222
- package/__tests__/coverage/lcov-report/src/hooks/index.html +0 -191
- package/__tests__/coverage/lcov-report/src/hooks/registry.ts.html +0 -1084
- package/__tests__/coverage/lcov-report/src/hooks/safety/bash-safety.ts.html +0 -1897
- package/__tests__/coverage/lcov-report/src/hooks/safety/file-organization.ts.html +0 -1504
- package/__tests__/coverage/lcov-report/src/hooks/safety/git-commit.ts.html +0 -1954
- package/__tests__/coverage/lcov-report/src/hooks/safety/index.html +0 -146
- package/__tests__/coverage/lcov-report/src/hooks/session-hooks.ts.html +0 -1762
- package/__tests__/coverage/lcov-report/src/hooks/task-hooks.ts.html +0 -1624
- package/__tests__/coverage/lcov-report/src/hooks/types.ts.html +0 -1156
- package/__tests__/coverage/lcov-report/src/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/mcp/connection-pool.ts.html +0 -1399
- package/__tests__/coverage/lcov-report/src/mcp/index.html +0 -176
- package/__tests__/coverage/lcov-report/src/mcp/server.ts.html +0 -2407
- package/__tests__/coverage/lcov-report/src/mcp/session-manager.ts.html +0 -1369
- package/__tests__/coverage/lcov-report/src/mcp/tool-registry.ts.html +0 -1783
- package/__tests__/coverage/lcov-report/src/mcp/transport/http.ts.html +0 -1756
- package/__tests__/coverage/lcov-report/src/mcp/transport/index.html +0 -146
- package/__tests__/coverage/lcov-report/src/mcp/transport/stdio.ts.html +0 -1057
- package/__tests__/coverage/lcov-report/src/mcp/transport/websocket.ts.html +0 -1537
- package/__tests__/coverage/lcov-report/src/mcp/types.ts.html +0 -1780
- package/__tests__/coverage/lcov-report/src/plugin-interface.ts.html +0 -2074
- package/__tests__/coverage/lcov-report/src/plugin-loader.ts.html +0 -1999
- package/__tests__/coverage/lcov-report/src/plugin-registry.ts.html +0 -1897
- package/__tests__/coverage/lcov-report/src/plugins/official/hive-mind-plugin.ts.html +0 -1075
- package/__tests__/coverage/lcov-report/src/plugins/official/index.html +0 -131
- package/__tests__/coverage/lcov-report/src/plugins/official/maestro-plugin.ts.html +0 -1609
- package/__tests__/coverage/lcov-report/src/resilience/bulkhead.ts.html +0 -916
- package/__tests__/coverage/lcov-report/src/resilience/circuit-breaker.ts.html +0 -1063
- package/__tests__/coverage/lcov-report/src/resilience/index.html +0 -161
- package/__tests__/coverage/lcov-report/src/resilience/rate-limiter.ts.html +0 -1345
- package/__tests__/coverage/lcov-report/src/resilience/retry.ts.html +0 -757
- package/__tests__/coverage/lcov-report/src/security/index.html +0 -131
- package/__tests__/coverage/lcov-report/src/security/input-validation.ts.html +0 -880
- package/__tests__/coverage/lcov-report/src/security/secure-random.ts.html +0 -562
- package/__tests__/coverage/lcov-report/src/types/index.html +0 -131
- package/__tests__/coverage/lcov-report/src/types/swarm.types.ts.html +0 -850
- package/__tests__/coverage/lcov-report/src/types/task.types.ts.html +0 -700
- package/__tests__/coverage/lcov-report/src/types.ts.html +0 -1186
- package/__tests__/coverage/lcov-report/src/utils/index.html +0 -116
- package/__tests__/coverage/lcov-report/src/utils/secure-logger.ts.html +0 -856
- package/__tests__/coverage/lcov.info +0 -19877
- package/__tests__/coverage/prettify.css +0 -1
- package/__tests__/coverage/prettify.js +0 -2
- package/__tests__/coverage/sort-arrow-sprite.png +0 -0
- package/__tests__/coverage/sorter.js +0 -210
- package/__tests__/coverage/src/core/config/defaults.ts.html +0 -706
- package/__tests__/coverage/src/core/config/index.html +0 -161
- package/__tests__/coverage/src/core/config/loader.ts.html +0 -898
- package/__tests__/coverage/src/core/config/schema.ts.html +0 -649
- package/__tests__/coverage/src/core/config/validator.ts.html +0 -712
- package/__tests__/coverage/src/core/event-bus.ts.html +0 -793
- package/__tests__/coverage/src/core/index.html +0 -116
- package/__tests__/coverage/src/core/interfaces/event.interface.ts.html +0 -886
- package/__tests__/coverage/src/core/interfaces/index.html +0 -116
- package/__tests__/coverage/src/core/orchestrator/event-coordinator.ts.html +0 -451
- package/__tests__/coverage/src/core/orchestrator/health-monitor.ts.html +0 -727
- package/__tests__/coverage/src/core/orchestrator/index.html +0 -176
- package/__tests__/coverage/src/core/orchestrator/lifecycle-manager.ts.html +0 -874
- package/__tests__/coverage/src/core/orchestrator/session-manager.ts.html +0 -922
- package/__tests__/coverage/src/core/orchestrator/task-manager.ts.html +0 -1036
- package/__tests__/coverage/src/events/domain-events.ts.html +0 -1837
- package/__tests__/coverage/src/events/event-store.ts.html +0 -1849
- package/__tests__/coverage/src/events/example-usage.ts.html +0 -964
- package/__tests__/coverage/src/events/index.html +0 -176
- package/__tests__/coverage/src/events/projections.ts.html +0 -1768
- package/__tests__/coverage/src/events/state-reconstructor.ts.html +0 -1132
- package/__tests__/coverage/src/events.ts.html +0 -1186
- package/__tests__/coverage/src/hooks/example-usage.ts.html +0 -1582
- package/__tests__/coverage/src/hooks/executor.ts.html +0 -1222
- package/__tests__/coverage/src/hooks/index.html +0 -191
- package/__tests__/coverage/src/hooks/registry.ts.html +0 -1084
- package/__tests__/coverage/src/hooks/safety/bash-safety.ts.html +0 -1897
- package/__tests__/coverage/src/hooks/safety/file-organization.ts.html +0 -1504
- package/__tests__/coverage/src/hooks/safety/git-commit.ts.html +0 -1954
- package/__tests__/coverage/src/hooks/safety/index.html +0 -146
- package/__tests__/coverage/src/hooks/session-hooks.ts.html +0 -1762
- package/__tests__/coverage/src/hooks/task-hooks.ts.html +0 -1624
- package/__tests__/coverage/src/hooks/types.ts.html +0 -1156
- package/__tests__/coverage/src/index.html +0 -176
- package/__tests__/coverage/src/mcp/connection-pool.ts.html +0 -1399
- package/__tests__/coverage/src/mcp/index.html +0 -176
- package/__tests__/coverage/src/mcp/server.ts.html +0 -2407
- package/__tests__/coverage/src/mcp/session-manager.ts.html +0 -1369
- package/__tests__/coverage/src/mcp/tool-registry.ts.html +0 -1783
- package/__tests__/coverage/src/mcp/transport/http.ts.html +0 -1756
- package/__tests__/coverage/src/mcp/transport/index.html +0 -146
- package/__tests__/coverage/src/mcp/transport/stdio.ts.html +0 -1057
- package/__tests__/coverage/src/mcp/transport/websocket.ts.html +0 -1537
- package/__tests__/coverage/src/mcp/types.ts.html +0 -1780
- package/__tests__/coverage/src/plugin-interface.ts.html +0 -2074
- package/__tests__/coverage/src/plugin-loader.ts.html +0 -1999
- package/__tests__/coverage/src/plugin-registry.ts.html +0 -1897
- package/__tests__/coverage/src/plugins/official/hive-mind-plugin.ts.html +0 -1075
- package/__tests__/coverage/src/plugins/official/index.html +0 -131
- package/__tests__/coverage/src/plugins/official/maestro-plugin.ts.html +0 -1609
- package/__tests__/coverage/src/resilience/bulkhead.ts.html +0 -916
- package/__tests__/coverage/src/resilience/circuit-breaker.ts.html +0 -1063
- package/__tests__/coverage/src/resilience/index.html +0 -161
- package/__tests__/coverage/src/resilience/rate-limiter.ts.html +0 -1345
- package/__tests__/coverage/src/resilience/retry.ts.html +0 -757
- package/__tests__/coverage/src/security/index.html +0 -131
- package/__tests__/coverage/src/security/input-validation.ts.html +0 -880
- package/__tests__/coverage/src/security/secure-random.ts.html +0 -562
- package/__tests__/coverage/src/types/index.html +0 -131
- package/__tests__/coverage/src/types/swarm.types.ts.html +0 -850
- package/__tests__/coverage/src/types/task.types.ts.html +0 -700
- package/__tests__/coverage/src/types.ts.html +0 -1186
- package/__tests__/coverage/src/utils/index.html +0 -116
- package/__tests__/coverage/src/utils/secure-logger.ts.html +0 -856
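--- a/package/.claude-flow/logs/headless/audit_1777380440097_621y8m_result.log
+++ b/package/.claude-flow/logs/headless/audit_1777380440097_621y8m_result.log
@@ -0,0 +1,75 @@
+[2026-04-28T12:47:54.421Z] RESULT
+============================================================
+{
+"success": true,
+"output": "```json\n{\n \"vulnerabilities\": [\n {\n \"severity\": \"medium\",\n \"file\": \"src/core/config/loader.ts\",\n \"line\": 68,\n \"description\": \"Environment variable MCP_PORT parsed without bounds validation. parseInt(process.env.CLAUDE_FLOW_MCP_PORT, 10) could result in NaN or invalid port number (0-65535). No range validation present.\"\n },\n {\n \"severity\": \"medium\",\n \"file\": \"src/core/config/loader.ts\",\n \"line\": 48,\n \"description\": \"Environment variable MAX_AGENTS parsed without bounds validation. Missing range check allows invalid values (negative numbers, zero, or extremely large numbers). Should validate: 1 ≤ value ≤ 1000.\"\n },\n {\n \"severity\": \"medium\",\n \"file\": \"src/core/event-bus.ts\",\n \"line\": 148,\n \"description\": \"Error objects logged directly to console without sanitization. Event handlers pass unfiltered errors to console.error(), potentially exposing file paths, stack traces, and sensitive information. Should use SecureLogger.\"\n },\n {\n \"severity\": \"medium\",\n \"file\": \"src/core/event-bus.ts\",\n \"line\": 137,\n \"description\": \"Async handler errors logged to console without sanitization. Error object from rejected promise logged directly: `result.catch((error) => console.error(...))`. Uses same vector as line 148.\"\n },\n {\n \"severity\": \"low\",\n \"file\": \"src/utils/secure-logger.js\",\n \"line\": 51,\n \"description\": \"Base64 detection regex `/[a-zA-Z0-9+/]{40,}={0,2}/g` is overly broad and may fail to redact keys with different lengths or padding. Attackers could obfuscate secrets as 39-char strings to bypass redaction.\"\n },\n {\n \"severity\": \"low\",\n \"file\": \"src/core/config/schema.ts\",\n \"line\": 145,\n \"description\": \"Redis password field has no maximum length constraint. Extremely long password strings (>10MB) could cause memory exhaustion or parsing delays. Should add: `z.string().max(512).optional()`\"\n },\n {\n \"severity\": \"low\",\n \"file\": \"src/core/config/loader.ts\",\n \"line\": 35,\n \"description\": \"JSON config file loaded with JSON.parse() without size limit. Malicious config files can cause ReDoS or memory exhaustion. Should validate file size before parsing (recommend <5MB limit).\"\n },\n {\n \"severity\": \"low\",\n \"file\": \"src/core/config/schema.ts\",\n \"line\": 110,\n \"description\": \"Orchestrator session.dataDir accepts any string path. No validation that path is within expected directories. Could allow writing session data outside intended location if configurable.\"\n }\n ],\n \"riskScore\": 38,\n \"recommendations\": [\n \"ADD BOUNDS VALIDATION: Validate all environment variable integers with min/max checks. Use helper: `function validatePort(val) { const p = parseInt(val, 10); if (p < 1 || p > 65535) throw new Error('Invalid port'); return p; }`\",\n \"IMPLEMENT ERROR SANITIZATION: Replace all console.error() calls in event-bus.ts with SecureLogger.error(). Create logger instance in EventBus constructor.\",\n \"FIX ENVIRONMENT PARSING: Wrap parseInt() in try/catch or use Number.isInteger() validation. Example: `const port = Number(env); if (!Number.isInteger(port) || port < 1) throw new Error('Invalid port');`\",\n \"STRENGTHEN REGEX REDACTION: Use length-agnostic patterns. Add specific patterns for: API keys (alphanumeric >32 chars), JWTs (3-part base64), SSH keys (-----BEGIN-type headers).\",\n \"ADD FILE SIZE LIMITS: In loadJsonConfig(), check file size before parsing: `if (stat.size > 5_000_000) throw new Error('Config too large');`\",\n \"VALIDATE DIRECTORY PATHS: In ConfigLoader, use path.resolve() + path.relative() to ensure configurable paths don't escape root: `if (relative.startsWith('..')) throw new Error('Invalid path');`\",\n \"ADD STRING LENGTH CONSTRAINTS: In schema.ts, add `.max()` validators to all string fields in redis config (password, host: max 256, etc).\",\n \"CREATE ERROR HANDLER POLICY: Define allowed error properties in event handlers to prevent sensitive data leakage. Only log: type, code, message. Redact: stack, file paths, values.\"\n ]\n}\n```\n\n**Summary**: The codebase has solid security foundations with input validation via Zod schemas and a secure logger utility. However, three medium-severity gaps exist: (1) environment variables bypass validation bounds, (2) event error logging bypasses the secure logger, and (3) missing file size limits on JSON config loading. The low-severity findings are regex overbreadth and missing string constraints. **Risk is manageable** — fix the medium issues (30 min) and add validation helpers as shown above.\n",
+"parsedOutput": {
+"vulnerabilities": [
+{
+"severity": "medium",
+"file": "src/core/config/loader.ts",
+"line": 68,
+"description": "Environment variable MCP_PORT parsed without bounds validation. parseInt(process.env.CLAUDE_FLOW_MCP_PORT, 10) could result in NaN or invalid port number (0-65535). No range validation present."
+},
+{
+"severity": "medium",
+"file": "src/core/config/loader.ts",
+"line": 48,
+"description": "Environment variable MAX_AGENTS parsed without bounds validation. Missing range check allows invalid values (negative numbers, zero, or extremely large numbers). Should validate: 1 ≤ value ≤ 1000."
+},
+{
+"severity": "medium",
+"file": "src/core/event-bus.ts",
+"line": 148,
+"description": "Error objects logged directly to console without sanitization. Event handlers pass unfiltered errors to console.error(), potentially exposing file paths, stack traces, and sensitive information. Should use SecureLogger."
+},
+{
+"severity": "medium",
+"file": "src/core/event-bus.ts",
+"line": 137,
+"description": "Async handler errors logged to console without sanitization. Error object from rejected promise logged directly: `result.catch((error) => console.error(...))`. Uses same vector as line 148."
+},
+{
+"severity": "low",
+"file": "src/utils/secure-logger.js",
+"line": 51,
+"description": "Base64 detection regex `/[a-zA-Z0-9+/]{40,}={0,2}/g` is overly broad and may fail to redact keys with different lengths or padding. Attackers could obfuscate secrets as 39-char strings to bypass redaction."
+},
+{
+"severity": "low",
+"file": "src/core/config/schema.ts",
+"line": 145,
+"description": "Redis password field has no maximum length constraint. Extremely long password strings (>10MB) could cause memory exhaustion or parsing delays. Should add: `z.string().max(512).optional()`"
+},
+{
+"severity": "low",
+"file": "src/core/config/loader.ts",
+"line": 35,
+"description": "JSON config file loaded with JSON.parse() without size limit. Malicious config files can cause ReDoS or memory exhaustion. Should validate file size before parsing (recommend <5MB limit)."
+},
+{
+"severity": "low",
+"file": "src/core/config/schema.ts",
+"line": 110,
+"description": "Orchestrator session.dataDir accepts any string path. No validation that path is within expected directories. Could allow writing session data outside intended location if configurable."
+}
+],
+"riskScore": 38,
+"recommendations": [
+"ADD BOUNDS VALIDATION: Validate all environment variable integers with min/max checks. Use helper: `function validatePort(val) { const p = parseInt(val, 10); if (p < 1 || p > 65535) throw new Error('Invalid port'); return p; }`",
+"IMPLEMENT ERROR SANITIZATION: Replace all console.error() calls in event-bus.ts with SecureLogger.error(). Create logger instance in EventBus constructor.",
+"FIX ENVIRONMENT PARSING: Wrap parseInt() in try/catch or use Number.isInteger() validation. Example: `const port = Number(env); if (!Number.isInteger(port) || port < 1) throw new Error('Invalid port');`",
+"STRENGTHEN REGEX REDACTION: Use length-agnostic patterns. Add specific patterns for: API keys (alphanumeric >32 chars), JWTs (3-part base64), SSH keys (-----BEGIN-type headers).",
+"ADD FILE SIZE LIMITS: In loadJsonConfig(), check file size before parsing: `if (stat.size > 5_000_000) throw new Error('Config too large');`",
+"VALIDATE DIRECTORY PATHS: In ConfigLoader, use path.resolve() + path.relative() to ensure configurable paths don't escape root: `if (relative.startsWith('..')) throw new Error('Invalid path');`",
+"ADD STRING LENGTH CONSTRAINTS: In schema.ts, add `.max()` validators to all string fields in redis config (password, host: max 256, etc).",
+"CREATE ERROR HANDLER POLICY: Define allowed error properties in event handlers to prevent sensitive data leakage. Only log: type, code, message. Redact: stack, file paths, values."
+]
+},
+"durationMs": 34324,
+"model": "haiku",
+"sandboxMode": "strict",
+"workerType": "audit",
+"timestamp": "2026-04-28T12:47:54.421Z",
+"executionId": "audit_1777380440097_621y8m"
+}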
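Review bot: This audit result log is shipped inside the published tarball, along with the other `.claude-flow/` logs, `.swarm/memory.db*`, `ruvector.db` and `tmp.json` in the file list, so every consumer of 3.0.0-alpha.8 downloads the project's own unremediated security findings (the unbounded `MCP_PORT`/`MAX_AGENTS` parsing in `src/core/config/loader.ts` and the unsanitised `console.error` calls in `src/core/event-bus.ts` named at lines 12, 18 and 24 of this file) plus a local SQLite memory store whose contents cannot be reviewed here. Restrict what `npm publish` packs with an explicit allowlist in package.json, e.g. `"files": ["dist", "src"]`, or list `.claude-flow/`, `.swarm/`, `ruvector.db` and `tmp.json` in `.npmignore`, and confirm with `npm pack --dry-run` before the next release. Whether the loader.ts findings are closed by the `+17 -1` change to that file cannot be determined from this page.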