npm - @defai.digital/ax-cli - Versions diffs - 3.5.4 → 3.6.1 - Mend

@defai.digital/ax-cli 3.5.4 → 3.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (162) hide show

package/.ax-cli/checkpoints/2025-11-20/checkpoint-11e9e0ba-c39d-4fd2-aa77-bc818811c921.json +69 -0
package/.ax-cli/checkpoints/2025-11-20/checkpoint-2b260b98-b418-4c7c-9694-e2b94967e662.json +24 -0
package/.ax-cli/checkpoints/2025-11-20/checkpoint-7e03601e-e8ab-4cd7-9841-a74b66adf78f.json +69 -0
package/.ax-cli/checkpoints/2025-11-20/checkpoint-7f9c6562-771f-4fd0-adcf-9e7e9ac34ae8.json +44 -0
package/.ax-cli/checkpoints/2025-11-20/checkpoint-e1ebe666-4c3a-4367-ba5c-27fe512a9c70.json +24 -0
package/.ax-cli/checkpoints/2025-11-21/checkpoint-15743e7d-430c-4d76-b6fc-955d7a5c250c.json +44 -0
package/.ax-cli/checkpoints/2025-11-21/checkpoint-25cf7679-0b3f-4988-83d7-704548fbba91.json +69 -0
package/.ax-cli/checkpoints/2025-11-21/checkpoint-54aedbac-6db0-464e-8ebb-dbb3979e6dca.json +24 -0
package/.ax-cli/checkpoints/2025-11-21/checkpoint-7658aed8-fe5d-4222-903f-1a7c63717ea7.json +24 -0
package/.ax-cli/checkpoints/2025-11-21/checkpoint-c9c13497-40dc-4294-a327-6a5fc854eaa1.json +69 -0
package/.ax-cli/memory.json +15 -8
package/README.md +423 -82
package/ax.config.json +333 -0
package/config-defaults/messages.yaml +75 -0
package/config-defaults/models.yaml +66 -0
package/config-defaults/prompts.yaml +156 -0
package/config-defaults/settings.yaml +86 -0
package/dist/agent/chat-history-manager.d.ts +56 -0
package/dist/agent/chat-history-manager.js +150 -0
package/dist/agent/chat-history-manager.js.map +1 -0
package/dist/agent/llm-agent.js +1 -1
package/dist/agent/llm-agent.js.map +1 -1
package/dist/agent/tool-manager.d.ts +39 -0
package/dist/agent/tool-manager.js +76 -0
package/dist/agent/tool-manager.js.map +1 -0
package/dist/analyzers/code-smells/detectors/data-clumps-detector.js +7 -9
package/dist/analyzers/code-smells/detectors/data-clumps-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/dead-code-detector.js +1 -1
package/dist/analyzers/code-smells/detectors/dead-code-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/duplicate-code-detector.js +22 -10
package/dist/analyzers/code-smells/detectors/duplicate-code-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/feature-envy-detector.js +1 -1
package/dist/analyzers/code-smells/detectors/feature-envy-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/inappropriate-intimacy-detector.js +1 -1
package/dist/analyzers/code-smells/detectors/inappropriate-intimacy-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/large-class-detector.js +4 -1
package/dist/analyzers/code-smells/detectors/large-class-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/long-method-detector.js +4 -1
package/dist/analyzers/code-smells/detectors/long-method-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/long-parameter-list-detector.js +4 -1
package/dist/analyzers/code-smells/detectors/long-parameter-list-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/magic-numbers-detector.js +4 -5
package/dist/analyzers/code-smells/detectors/magic-numbers-detector.js.map +1 -1
package/dist/analyzers/code-smells/detectors/nested-conditionals-detector.js +4 -1
package/dist/analyzers/code-smells/detectors/nested-conditionals-detector.js.map +1 -1
package/dist/commands/memory.js +1 -1
package/dist/commands/memory.js.map +1 -1
package/dist/commands/setup.js +19 -6
package/dist/commands/setup.js.map +1 -1
package/dist/index.js +7 -0
package/dist/index.js.bak +664 -0
package/dist/index.js.map +1 -1
package/dist/llm/client.d.ts +1 -0
package/dist/llm/client.js +44 -0
package/dist/llm/client.js.map +1 -1
package/dist/mcp/health.js +4 -2
package/dist/mcp/health.js.map +1 -1
package/dist/mcp/ssrf-protection.d.ts +86 -0
package/dist/mcp/ssrf-protection.js +313 -0
package/dist/mcp/ssrf-protection.js.map +1 -0
package/dist/mcp/validation.d.ts +4 -0
package/dist/mcp/validation.js +122 -11
package/dist/mcp/validation.js.map +1 -1
package/dist/schemas/settings-schemas.d.ts +53 -0
package/dist/schemas/settings-schemas.js +47 -0
package/dist/schemas/settings-schemas.js.map +1 -1
package/dist/tools/bash.d.ts +3 -2
package/dist/tools/bash.js +31 -2
package/dist/tools/bash.js.map +1 -1
package/dist/tools/search.d.ts +1 -1
package/dist/tools/search.js +121 -128
package/dist/tools/search.js.map +1 -1
package/dist/tools/text-editor.js +52 -15
package/dist/tools/text-editor.js.map +1 -1
package/dist/tools/web-search/index.d.ts +0 -2
package/dist/tools/web-search/index.js +0 -2
package/dist/tools/web-search/index.js.map +1 -1
package/dist/tools/web-search/router.d.ts +0 -2
package/dist/tools/web-search/router.js +2 -37
package/dist/tools/web-search/router.js.map +1 -1
package/dist/tools/web-search/web-search-tool.js +2 -12
package/dist/tools/web-search/web-search-tool.js.map +1 -1
package/dist/ui/components/chat-history.js +1 -1
package/dist/ui/components/chat-history.js.map +1 -1
package/dist/ui/components/chat-input.d.ts +4 -1
package/dist/ui/components/chat-input.js +133 -52
package/dist/ui/components/chat-input.js.map +1 -1
package/dist/ui/components/chat-interface.js +5 -4
package/dist/ui/components/chat-interface.js.map +1 -1
package/dist/ui/components/confirmation-dialog.js +1 -1
package/dist/ui/components/confirmation-dialog.js.map +1 -1
package/dist/ui/components/keyboard-hints.js +2 -0
package/dist/ui/components/keyboard-hints.js.map +1 -1
package/dist/ui/components/status-bar.js +3 -13
package/dist/ui/components/status-bar.js.map +1 -1
package/dist/ui/components/welcome-panel.js +4 -0
package/dist/ui/components/welcome-panel.js.map +1 -1
package/dist/ui/hooks/use-chat-reducer.d.ts +61 -0
package/dist/ui/hooks/use-chat-reducer.js +118 -0
package/dist/ui/hooks/use-chat-reducer.js.map +1 -0
package/dist/ui/hooks/use-enhanced-input.d.ts +44 -0
package/dist/ui/hooks/use-enhanced-input.js +364 -0
package/dist/ui/hooks/use-enhanced-input.js.map +1 -0
package/dist/ui/hooks/use-input-handler.d.ts +48 -0
package/dist/ui/hooks/use-input-handler.js +1446 -0
package/dist/ui/hooks/use-input-handler.js.map +1 -0
package/dist/utils/audit-logger.d.ts +205 -0
package/dist/utils/audit-logger.js +269 -0
package/dist/utils/audit-logger.js.map +1 -0
package/dist/utils/command-security.d.ts +85 -0
package/dist/utils/command-security.js +200 -0
package/dist/utils/command-security.js.map +1 -0
package/dist/utils/config-loader.js +3 -3
package/dist/utils/config-loader.js.map +1 -1
package/dist/utils/encryption.d.ts +78 -0
package/dist/utils/encryption.js +216 -0
package/dist/utils/encryption.js.map +1 -0
package/dist/utils/error-sanitizer.d.ts +119 -0
package/dist/utils/error-sanitizer.js +253 -0
package/dist/utils/error-sanitizer.js.map +1 -0
package/dist/utils/input-sanitizer.d.ts +210 -0
package/dist/utils/input-sanitizer.js +362 -0
package/dist/utils/input-sanitizer.js.map +1 -0
package/dist/utils/json-utils.d.ts +13 -0
package/dist/utils/json-utils.js +55 -1
package/dist/utils/json-utils.js.map +1 -1
package/dist/utils/paste-collapse.d.ts +46 -0
package/dist/utils/paste-collapse.js +77 -0
package/dist/utils/paste-collapse.js.map +1 -0
package/dist/utils/paste-utils.d.ts +99 -0
package/dist/utils/paste-utils.js +239 -0
package/dist/utils/paste-utils.js.map +1 -0
package/dist/utils/path-security.d.ts +90 -0
package/dist/utils/path-security.js +328 -0
package/dist/utils/path-security.js.map +1 -0
package/dist/utils/process-pool.d.ts +105 -0
package/dist/utils/process-pool.js +326 -0
package/dist/utils/process-pool.js.map +1 -0
package/dist/utils/rate-limiter.d.ts +221 -0
package/dist/utils/rate-limiter.js +317 -0
package/dist/utils/rate-limiter.js.map +1 -0
package/dist/utils/settings-manager.js +99 -6
package/dist/utils/settings-manager.js.map +1 -1
package/dist/utils/streaming-analyzer.js +9 -21
package/dist/utils/streaming-analyzer.js.map +1 -1
package/package.json +3 -7
package/packages/schemas/dist/index.d.ts +14 -0
package/packages/schemas/dist/index.d.ts.map +1 -0
package/packages/schemas/dist/index.js +19 -0
package/packages/schemas/dist/index.js.map +1 -0
package/packages/schemas/dist/public/core/brand-types.d.ts +308 -0
package/packages/schemas/dist/public/core/brand-types.d.ts.map +1 -0
package/packages/schemas/dist/public/core/brand-types.js +243 -0
package/packages/schemas/dist/public/core/brand-types.js.map +1 -0
package/packages/schemas/dist/public/core/enums.d.ts +227 -0
package/packages/schemas/dist/public/core/enums.d.ts.map +1 -0
package/packages/schemas/dist/public/core/enums.js +222 -0
package/packages/schemas/dist/public/core/enums.js.map +1 -0
package/packages/schemas/dist/public/core/id-types.d.ts +286 -0
package/packages/schemas/dist/public/core/id-types.d.ts.map +1 -0
package/packages/schemas/dist/public/core/id-types.js +136 -0
package/packages/schemas/dist/public/core/id-types.js.map +1 -0

package/dist/utils/error-sanitizer.js ADDED Viewed

@@ -0,0 +1,253 @@
+/**
+ * Error Message Sanitization (REQ-SEC-010)
+ *
+ * Sanitizes error messages to prevent information disclosure
+ * Removes:
+ * - File system paths
+ * - API keys and secrets
+ * - Stack traces (for user-facing errors)
+ * - Internal implementation details
+ *
+ * Security: CVSS 6.5 (Medium Priority)
+ */
+import { homedir } from 'os';
+import { getAuditLogger, AuditCategory } from './audit-logger.js';
+/**
+ * Patterns to detect and sanitize in error messages
+ */
+const SENSITIVE_PATTERNS = {
+    // File paths (Windows and Unix)
+    FILE_PATH: /([A-Za-z]:\\|\/)[^\s"'<>|]+/g,
+    // API keys and tokens (common formats)
+    // Matches patterns like "api_key=XXX", "secret: XXX", "API key: XXX", "bearer XXX"
+    API_KEY: /\b(?:api[_ -]?key|token|secret|password|bearer)[\s:=]+['"]?[a-zA-Z0-9_\-]{16,}['"]?/gi,
+    // Environment variables
+    ENV_VAR: /\$\{?[A-Z_][A-Z0-9_]*\}?/g,
+    // IP addresses (for SSRF protection)
+    IP_ADDRESS: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
+    // URLs with credentials
+    URL_WITH_CREDS: /https?:\/\/[^:]+:[^@]+@[^\s]+/g,
+    // Stack trace lines
+    STACK_TRACE_LINE: /^\s*at\s+.+\(.+:\d+:\d+\)$/gm,
+    // Home directory references
+    HOME_DIR: new RegExp(homedir().replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'g'),
+};
+/**
+ * Replacement strings for sanitized content
+ */
+const REPLACEMENTS = {
+    FILE_PATH: '[REDACTED_PATH]',
+    API_KEY: '[REDACTED_KEY]',
+    ENV_VAR: '[REDACTED_ENV]',
+    IP_ADDRESS: '[REDACTED_IP]',
+    URL_WITH_CREDS: '[REDACTED_URL]',
+    STACK_TRACE_LINE: '',
+    HOME_DIR: '[USER_HOME]',
+};
+/**
+ * Error categories for user-friendly messages
+ */
+export var ErrorCategory;
+(function (ErrorCategory) {
+    ErrorCategory["NETWORK"] = "NETWORK";
+    ErrorCategory["FILE_SYSTEM"] = "FILE_SYSTEM";
+    ErrorCategory["VALIDATION"] = "VALIDATION";
+    ErrorCategory["AUTHENTICATION"] = "AUTHENTICATION";
+    ErrorCategory["RATE_LIMIT"] = "RATE_LIMIT";
+    ErrorCategory["API_ERROR"] = "API_ERROR";
+    ErrorCategory["INTERNAL"] = "INTERNAL";
+    ErrorCategory["USER_INPUT"] = "USER_INPUT";
+})(ErrorCategory || (ErrorCategory = {}));
+/**
+ * Sanitize error message by removing sensitive information
+ *
+ * @param message - Raw error message
+ * @returns Sanitized message safe for user display
+ */
+export function sanitizeErrorMessage(message) {
+    let sanitized = message;
+    // Remove URLs with credentials first (before FILE_PATH catches them)
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.URL_WITH_CREDS, REPLACEMENTS.URL_WITH_CREDS);
+    // Remove home directory references (before FILE_PATH catches them)
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.HOME_DIR, REPLACEMENTS.HOME_DIR);
+    // Remove file paths
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.FILE_PATH, REPLACEMENTS.FILE_PATH);
+    // Remove API keys and secrets
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.API_KEY, REPLACEMENTS.API_KEY);
+    // Remove environment variables
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.ENV_VAR, REPLACEMENTS.ENV_VAR);
+    // Remove IP addresses
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.IP_ADDRESS, REPLACEMENTS.IP_ADDRESS);
+    return sanitized;
+}
+/**
+ * Sanitize stack trace by removing sensitive paths
+ *
+ * @param stack - Raw stack trace
+ * @returns Sanitized stack trace
+ */
+export function sanitizeStackTrace(stack) {
+    let sanitized = stack;
+    // Remove home directory references first
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.HOME_DIR, REPLACEMENTS.HOME_DIR);
+    // Remove file paths from stack frames
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.FILE_PATH, REPLACEMENTS.FILE_PATH);
+    return sanitized;
+}
+/**
+ * Remove stack trace entirely (for user-facing errors)
+ *
+ * @param message - Error message with potential stack trace
+ * @returns Message without stack trace
+ */
+export function removeStackTrace(message) {
+    // Split at first "at " (stack trace start)
+    const parts = message.split(/\n\s*at\s+/);
+    return parts[0].trim();
+}
+/**
+ * Categorize error and create user-friendly message
+ *
+ * @param error - Error object
+ * @returns Sanitized error with category and suggestion
+ */
+export function sanitizeError(error) {
+    const errorObj = error instanceof Error ? error : new Error(String(error));
+    const message = errorObj.message;
+    // Sanitize the message
+    const sanitizedMessage = sanitizeErrorMessage(removeStackTrace(message));
+    // Determine category and suggestion
+    let category = ErrorCategory.INTERNAL;
+    let suggestion;
+    let code;
+    // Network errors
+    if (message.includes('ENOTFOUND') || message.includes('ECONNREFUSED') || message.includes('fetch failed')) {
+        category = ErrorCategory.NETWORK;
+        suggestion = 'Check your network connection and try again.';
+        code = 'ERR_NETWORK';
+    }
+    // File system errors
+    else if (message.includes('ENOENT') || message.includes('EACCES') || message.includes('EPERM')) {
+        category = ErrorCategory.FILE_SYSTEM;
+        suggestion = 'Check that the file exists and you have permission to access it.';
+        code = 'ERR_FILE_SYSTEM';
+    }
+    // Validation errors
+    else if (message.includes('validation') || message.includes('invalid') || message.includes('required')) {
+        category = ErrorCategory.VALIDATION;
+        suggestion = 'Check your input and try again.';
+        code = 'ERR_VALIDATION';
+    }
+    // Authentication errors
+    else if (message.includes('unauthorized') || message.includes('authentication') || message.includes('API key')) {
+        category = ErrorCategory.AUTHENTICATION;
+        suggestion = 'Check your API key configuration.';
+        code = 'ERR_AUTH';
+    }
+    // Rate limit errors
+    else if (message.includes('rate limit') || message.includes('too many requests')) {
+        category = ErrorCategory.RATE_LIMIT;
+        suggestion = 'Please wait a moment before trying again.';
+        code = 'ERR_RATE_LIMIT';
+    }
+    // API errors
+    else if (message.includes('API') || message.includes('status code')) {
+        category = ErrorCategory.API_ERROR;
+        suggestion = 'The API returned an error. Please try again later.';
+        code = 'ERR_API';
+    }
+    // REQ-SEC-008: Audit log errors with sensitive info detection
+    if (message !== sanitizedMessage) {
+        const auditLogger = getAuditLogger();
+        auditLogger.logWarning({
+            category: AuditCategory.SYSTEM_EVENT,
+            action: 'sensitive_data_in_error',
+            outcome: 'success',
+            details: {
+                category,
+                sanitized: true,
+            },
+        });
+    }
+    return {
+        message: sanitizedMessage,
+        code,
+        category,
+        suggestion,
+        originalError: errorObj,
+    };
+}
+/**
+ * Format sanitized error for user display
+ *
+ * @param sanitizedError - Sanitized error object
+ * @returns Formatted error message
+ */
+export function formatUserError(sanitizedError) {
+    const parts = [];
+    if (sanitizedError.code) {
+        parts.push(`[${sanitizedError.code}]`);
+    }
+    parts.push(sanitizedError.message);
+    if (sanitizedError.suggestion) {
+        parts.push(`\nℹ️  ${sanitizedError.suggestion}`);
+    }
+    return parts.join(' ');
+}
+/**
+ * Create internal log message with full details (not sanitized)
+ *
+ * @param error - Original error
+ * @param context - Additional context
+ * @returns Detailed log message
+ */
+export function createInternalLogMessage(error, context) {
+    const errorObj = error instanceof Error ? error : new Error(String(error));
+    const parts = [
+        `Error: ${errorObj.message}`,
+    ];
+    if (errorObj.stack) {
+        parts.push(`Stack: ${sanitizeStackTrace(errorObj.stack)}`);
+    }
+    if (context) {
+        parts.push(`Context: ${JSON.stringify(context, null, 2)}`);
+    }
+    return parts.join('\n');
+}
+/**
+ * Safe error wrapper for user-facing operations
+ *
+ * @param operation - Async operation to execute
+ * @param errorHandler - Optional custom error handler
+ * @returns Result or sanitized error
+ *
+ * @example
+ * ```typescript
+ * const result = await safeExecute(
+ *   () => riskyOperation(),
+ *   (error) => console.error('Internal error:', error)
+ * );
+ *
+ * if (!result.success) {
+ *   console.log(formatUserError(result.error));
+ * }
+ * ```
+ */
+export async function safeExecute(operation, errorHandler) {
+    try {
+        const data = await operation();
+        return { success: true, data };
+    }
+    catch (error) {
+        const sanitized = sanitizeError(error);
+        // Log internal error details
+        if (errorHandler) {
+            errorHandler(sanitized.originalError, sanitized);
+        }
+        else {
+            console.error(createInternalLogMessage(error));
+        }
+        return { success: false, error: sanitized };
+    }
+}
+//# sourceMappingURL=error-sanitizer.js.map

package/dist/utils/error-sanitizer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"error-sanitizer.js","sourceRoot":"","sources":["../../src/utils/error-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElE;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,gCAAgC;IAChC,SAAS,EAAE,8BAA8B;IAEzC,uCAAuC;IACvC,mFAAmF;IACnF,OAAO,EAAE,uFAAuF;IAEhG,wBAAwB;IACxB,OAAO,EAAE,2BAA2B;IAEpC,qCAAqC;IACrC,UAAU,EAAE,8BAA8B;IAE1C,wBAAwB;IACxB,cAAc,EAAE,gCAAgC;IAEhD,oBAAoB;IACpB,gBAAgB,EAAE,8BAA8B;IAEhD,4BAA4B;IAC5B,QAAQ,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,EAAE,GAAG,CAAC;CACnE,CAAC;AAEX;;GAEG;AACH,MAAM,YAAY,GAAG;IACnB,SAAS,EAAE,iBAAiB;IAC5B,OAAO,EAAE,gBAAgB;IACzB,OAAO,EAAE,gBAAgB;IACzB,UAAU,EAAE,eAAe;IAC3B,cAAc,EAAE,gBAAgB;IAChC,gBAAgB,EAAE,EAAE;IACpB,QAAQ,EAAE,aAAa;CACf,CAAC;AAgCX;;GAEG;AACH,MAAM,CAAN,IAAY,aASX;AATD,WAAY,aAAa;IACvB,oCAAmB,CAAA;IACnB,4CAA2B,CAAA;IAC3B,0CAAyB,CAAA;IACzB,kDAAiC,CAAA;IACjC,0CAAyB,CAAA;IACzB,wCAAuB,CAAA;IACvB,sCAAqB,CAAA;IACrB,0CAAyB,CAAA;AAC3B,CAAC,EATW,aAAa,KAAb,aAAa,QASxB;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,IAAI,SAAS,GAAG,OAAO,CAAC;IAExB,qEAAqE;IACrE,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,cAAc,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IAE9F,mEAAmE;IACnE,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;IAElF,oBAAoB;IACpB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;IAEpF,8BAA8B;IAC9B,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAEhF,+BAA+B;IAC/B,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAEhF,sBAAsB;IACtB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,UAAU,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;IAEtF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,yCAAyC;IACzC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;IAElF,sCAAsC;IACtC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;IAEpF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,2CAA2C;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAC1C,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,KAAsB;IAClD,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3E,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IAEjC,uBAAuB;IACvB,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;IAEzE,oCAAoC;IACpC,IAAI,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC;IACtC,IAAI,UAA8B,CAAC;IACnC,IAAI,IAAwB,CAAC;IAE7B,iBAAiB;IACjB,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC1G,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC;QACjC,UAAU,GAAG,8CAA8C,CAAC;QAC5D,IAAI,GAAG,aAAa,CAAC;IACvB,CAAC;IACD,qBAAqB;SAChB,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/F,QAAQ,GAAG,aAAa,CAAC,WAAW,CAAC;QACrC,UAAU,GAAG,kEAAkE,CAAC;QAChF,IAAI,GAAG,iBAAiB,CAAC;IAC3B,CAAC;IACD,oBAAoB;SACf,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACvG,QAAQ,GAAG,aAAa,CAAC,UAAU,CAAC;QACpC,UAAU,GAAG,iCAAiC,CAAC;QAC/C,IAAI,GAAG,gBAAgB,CAAC;IAC1B,CAAC;IACD,wBAAwB;SACnB,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/G,QAAQ,GAAG,aAAa,CAAC,cAAc,CAAC;QACxC,UAAU,GAAG,mCAAmC,CAAC;QACjD,IAAI,GAAG,UAAU,CAAC;IACpB,CAAC;IACD,oBAAoB;SACf,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACjF,QAAQ,GAAG,aAAa,CAAC,UAAU,CAAC;QACpC,UAAU,GAAG,2CAA2C,CAAC;QACzD,IAAI,GAAG,gBAAgB,CAAC;IAC1B,CAAC;IACD,aAAa;SACR,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACpE,QAAQ,GAAG,aAAa,CAAC,SAAS,CAAC;QACnC,UAAU,GAAG,oDAAoD,CAAC;QAClE,IAAI,GAAG,SAAS,CAAC;IACnB,CAAC;IAED,8DAA8D;IAC9D,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;QACrC,WAAW,CAAC,UAAU,CAAC;YACrB,QAAQ,EAAE,aAAa,CAAC,YAAY;YACpC,MAAM,EAAE,yBAAyB;YACjC,OAAO,EAAE,SAAS;YAClB,OAAO,EAAE;gBACP,QAAQ;gBACR,SAAS,EAAE,IAAI;aAChB;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,IAAI;QACJ,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,QAAQ;KACxB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,cAA8B;IAC5D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,cAAc,CAAC,IAAI,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAEnC,IAAI,cAAc,CAAC,UAAU,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,SAAS,cAAc,CAAC,UAAU,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CAAC,KAAsB,EAAE,OAAiC;IAChG,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAE3E,MAAM,KAAK,GAAa;QACtB,UAAU,QAAQ,CAAC,OAAO,EAAE;KAC7B,CAAC;IAEF,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,UAAU,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAA2B,EAC3B,YAAgE;IAEhE,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,SAAS,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QAEvC,6BAA6B;QAC7B,IAAI,YAAY,EAAE,CAAC;YACjB,YAAY,CAAC,SAAS,CAAC,aAAc,EAAE,SAAS,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAC9C,CAAC;AACH,CAAC"}

package/dist/utils/input-sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,210 @@
+/**
+ * Input Sanitization Framework (REQ-SEC-007)
+ *
+ * Provides comprehensive input validation and sanitization to prevent:
+ * - ReDoS (Regular Expression Denial of Service)
+ * - Command injection
+ * - Path traversal
+ * - Unicode attacks
+ * - Buffer overflow
+ *
+ * Security: CVSS 7.3 (High Priority)
+ */
+/**
+ * Sanitization result with validation and cleaned value
+ */
+export interface SanitizationResult {
+    /**
+     * Whether the input passed validation
+     */
+    valid: boolean;
+    /**
+     * Sanitized/cleaned value (only if valid)
+     */
+    value?: string;
+    /**
+     * Error message if validation failed
+     */
+    error?: string;
+    /**
+     * Warning messages (non-fatal issues)
+     */
+    warnings?: string[];
+}
+/**
+ * Configuration for input sanitization
+ */
+export interface SanitizerOptions {
+    /**
+     * Maximum allowed length (default: 10,000 characters)
+     */
+    maxLength?: number;
+    /**
+     * Whether to normalize Unicode (default: true)
+     */
+    normalizeUnicode?: boolean;
+    /**
+     * Character whitelist pattern (regex)
+     */
+    allowedPattern?: RegExp;
+    /**
+     * Whether to trim whitespace (default: true)
+     */
+    trim?: boolean;
+    /**
+     * Whether to allow empty strings (default: false)
+     */
+    allowEmpty?: boolean;
+}
+/**
+ * Default maximum input lengths for different contexts
+ */
+export declare const MAX_INPUT_LENGTHS: {
+    readonly COMMAND: 10000;
+    readonly FILE_PATH: 4096;
+    readonly USER_INPUT: 50000;
+    readonly SEARCH_QUERY: 1000;
+    readonly ENV_VALUE: 10000;
+    readonly CONFIG_VALUE: 10000;
+};
+/**
+ * Safe characters for different contexts
+ */
+export declare const SAFE_PATTERNS: {
+    /**
+     * Alphanumeric, spaces, and common punctuation
+     */
+    readonly BASIC: RegExp;
+    /**
+     * Safe for file paths (no directory traversal)
+     */
+    readonly FILE_PATH: RegExp;
+    /**
+     * Safe for environment variable values
+     */
+    readonly ENV_VALUE: RegExp;
+    /**
+     * Printable ASCII only (most restrictive)
+     */
+    readonly ASCII_PRINTABLE: RegExp;
+};
+/**
+ * Normalize Unicode string to prevent homograph attacks
+ *
+ * Uses NFC (Canonical Decomposition, followed by Canonical Composition)
+ * which is the recommended normalization form for most use cases
+ *
+ * @param input - String to normalize
+ * @returns Normalized string
+ */
+export declare function normalizeUnicode(input: string): string;
+/**
+ * Check for dangerous patterns in input
+ *
+ * @param input - String to check
+ * @returns Array of detected dangerous patterns
+ */
+export declare function detectDangerousPatterns(input: string): string[];
+/**
+ * Sanitize general user input with configurable options
+ *
+ * @param input - Raw input string
+ * @param options - Sanitization options
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeInput('User input here', {
+ *   maxLength: 1000,
+ *   normalizeUnicode: true,
+ *   allowedPattern: SAFE_PATTERNS.BASIC,
+ * });
+ *
+ * if (result.valid) {
+ *   // Use result.value safely
+ * } else {
+ *   console.error(result.error);
+ * }
+ * ```
+ */
+export declare function sanitizeInput(input: string, options?: SanitizerOptions): SanitizationResult;
+/**
+ * Sanitize file path input to prevent path traversal
+ *
+ * @param path - File path to sanitize
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeFilePath('../../../etc/passwd');
+ * if (!result.valid) {
+ *   console.error('Invalid path:', result.error);
+ * }
+ * ```
+ */
+export declare function sanitizeFilePath(path: string): SanitizationResult;
+/**
+ * Sanitize shell command input
+ *
+ * NOTE: This is a last line of defense. Prefer execFile over exec
+ * and use argument arrays instead of concatenating commands.
+ *
+ * @param command - Command string to sanitize
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeCommand('ls -la');
+ * if (result.valid) {
+ *   // Still prefer execFile with args array
+ *   execFile(result.value.split(' ')[0], result.value.split(' ').slice(1));
+ * }
+ * ```
+ */
+export declare function sanitizeCommand(command: string): SanitizationResult;
+/**
+ * Sanitize search query input
+ *
+ * @param query - Search query to sanitize
+ * @returns Sanitization result
+ */
+export declare function sanitizeSearchQuery(query: string): SanitizationResult;
+/**
+ * Sanitize environment variable value
+ *
+ * @param value - Environment variable value to sanitize
+ * @returns Sanitization result
+ */
+export declare function sanitizeEnvValue(value: string): SanitizationResult;
+/**
+ * Escape shell arguments for safe execution
+ *
+ * NOTE: This is a defense-in-depth measure. Always prefer:
+ * 1. execFile with argument array over exec
+ * 2. Argument validation/whitelisting
+ * 3. This escaping function as a last resort
+ *
+ * @param arg - Argument to escape
+ * @returns Safely escaped argument
+ */
+export declare function escapeShellArg(arg: string): string;
+/**
+ * Validate regex pattern for ReDoS protection
+ *
+ * Checks for common ReDoS patterns:
+ * - Nested quantifiers (e.g., (a+)+)
+ * - Alternation with overlapping patterns
+ * - Excessive backtracking potential
+ *
+ * @param pattern - Regex pattern to validate
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateRegexPattern('(a+)+b');
+ * if (!result.valid) {
+ *   console.error('Unsafe regex:', result.error);
+ * }
+ * ```
+ */
+export declare function validateRegexPattern(pattern: string): SanitizationResult;