@devtrack-solution/codesdd 1.2.3 → 1.2.4

package/dist/core/sdd/package-security-gates.js

@@ -0,0 +1,121 @@
+import { existsSync } from 'node:fs';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import fg from 'fast-glob';
+const FORBIDDEN_PACKAGE_FILE_PATTERNS = [
+    /^\.env/u,
+    /^\.npmrc$/u,
+    /^\.sdd\/state\//u,
+    /^\.git/u,
+    /^node_modules\//u,
+    /^coverage\//u,
+    /^\.turbo\//u,
+    /^\.cache\//u,
+    /(?:^|\/)[^/]+\.log$/u,
+    /(?:^|\/)(?:secret|secrets|credential|credentials)(?:\/|$)/u,
+];
+const SECRET_SIGNATURES = [
+    { code: 'PRIVATE_KEY', pattern: /-----BEGIN (?:RSA |DSA |EC |OPENSSH |)PRIVATE KEY-----/u },
+    { code: 'NPM_TOKEN', pattern: /\/\/registry\.npmjs\.org\/:_authToken=(?!\$\{NODE_AUTH_TOKEN\})\S+/u },
+    { code: 'OPENAI_KEY', pattern: /\bsk-[A-Za-z0-9_-]{24,}\b/u },
+    { code: 'GITHUB_TOKEN', pattern: /\bgh[pousr]_[A-Za-z0-9_]{24,}\b/u },
+    { code: 'AWS_ACCESS_KEY', pattern: /\bAKIA[0-9A-Z]{16}\b/u },
+];
+const SECRET_SCAN_IGNORE = [
+    'node_modules/**',
+    '**/node_modules/**',
+    'dist/**',
+    'coverage/**',
+    '.git/**',
+    '.temp/**',
+    '.sdd/state/**',
+    '.sdd/archived/**',
+    '.sdd/active/**',
+    '.sdd/planned/**',
+    'pnpm-lock.yaml',
+];
+export async function evaluatePackageSecurityGates(projectRoot) {
+    const packageJson = await readPackageJson(projectRoot);
+    const allowedFiles = normalizePackageFiles(packageJson.files ?? []);
+    const packageIssues = evaluatePackageFileAllowlist(allowedFiles);
+    const secretScan = await scanForHighConfidenceSecrets(projectRoot);
+    return {
+        status: packageIssues.length === 0 && secretScan.issues.length === 0 ? 'pass' : 'fail',
+        package_allowlist: {
+            status: packageIssues.length === 0 ? 'pass' : 'fail',
+            allowed_files: allowedFiles,
+            issues: packageIssues,
+        },
+        secret_scan: {
+            status: secretScan.issues.length === 0 ? 'pass' : 'fail',
+            scanned_files: secretScan.scannedFiles,
+            issues: secretScan.issues,
+        },
+    };
+}
+export function evaluatePackageFileAllowlist(files) {
+    const issues = [];
+    for (const file of files) {
+        const normalized = normalizePath(file);
+        if (FORBIDDEN_PACKAGE_FILE_PATTERNS.some((pattern) => pattern.test(normalized))) {
+            issues.push({
+                code: 'PACKAGE_FILE_FORBIDDEN',
+                path: normalized,
+                message: 'Package publish allowlist includes a forbidden path or pattern.',
+            });
+        }
+    }
+    return issues;
+}
+async function scanForHighConfidenceSecrets(projectRoot) {
+    const files = await fg(['**/*'], {
+        cwd: projectRoot,
+        onlyFiles: true,
+        dot: true,
+        ignore: SECRET_SCAN_IGNORE,
+    });
+    const issues = [];
+    let scannedFiles = 0;
+    for (const relativeFile of files) {
+        const normalized = normalizePath(relativeFile);
+        if (isBinaryLike(normalized))
+            continue;
+        if (normalized === '.npmrc' && existsSync(path.join(projectRoot, normalized))) {
+            issues.push({
+                code: 'LOCAL_NPMRC',
+                path: normalized,
+                message: 'Project-local .npmrc is not allowed in release readiness.',
+            });
+            continue;
+        }
+        const content = await fs.readFile(path.join(projectRoot, normalized), 'utf-8').catch(() => '');
+        scannedFiles += 1;
+        for (const signature of SECRET_SIGNATURES) {
+            if (signature.pattern.test(content)) {
+                issues.push({
+                    code: signature.code,
+                    path: normalized,
+                    message: 'High-confidence secret signature detected.',
+                });
+            }
+        }
+    }
+    return { scannedFiles, issues };
+}
+function normalizePackageFiles(files) {
+    return files
+        .filter((file) => typeof file === 'string')
+        .map(normalizePath)
+        .filter(Boolean);
+}
+function normalizePath(value) {
+    return value.replace(/\\/gu, '/').replace(/^\.\/+/u, '').trim();
+}
+function isBinaryLike(fileName) {
+    return /\.(?:png|jpg|jpeg|gif|webp|pdf|tgz|zip|gz|br|woff2?)$/iu.test(fileName);
+}
+async function readPackageJson(projectRoot) {
+    const content = await fs.readFile(path.join(projectRoot, 'package.json'), 'utf-8');
+    return JSON.parse(content);
+}
+//# sourceMappingURL=package-security-gates.js.map

package/dist/core/sdd/package-structure-gate.d.ts

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 export declare const DerivationProfileSchema: z.ZodEnum<{
-    prototype: "prototype";
     "foundation-compatible": "foundation-compatible";
+    prototype: "prototype";
     "enterprise-strict": "enterprise-strict";
 }>;
 export declare const PreviewGateStatusSchema: z.ZodEnum<{
@@ -14,20 +14,92 @@ export declare const PackageStructureNodeKindSchema: z.ZodEnum<{
     file: "file";
     dir: "dir";
 }>;
+export declare const PreviewContextPatternSchema: z.ZodEnum<{
+    "bo-pattern": "bo-pattern";
+    "entity-pattern": "entity-pattern";
+    "application-only": "application-only";
+}>;
+export declare const PreviewDiagnosticSeveritySchema: z.ZodEnum<{
+    block: "block";
+    warn: "warn";
+}>;
 export declare const PackageStructureNodeSchema: z.ZodSchema<PackageStructureNode>;
+export declare const ApplicationOnlyContextSchema: z.ZodObject<{
+    context: z.ZodString;
+    path: z.ZodString;
+    reason: z.ZodString;
+    adr_required: z.ZodDefault<z.ZodBoolean>;
+    contract_rule_ref: z.ZodLiteral<"DTAPI-P1-APPONLY-001">;
+}, z.core.$strip>;
+export declare const PreviewContextClassificationSchema: z.ZodObject<{
+    context: z.ZodString;
+    pattern: z.ZodEnum<{
+        "bo-pattern": "bo-pattern";
+        "entity-pattern": "entity-pattern";
+        "application-only": "application-only";
+    }>;
+    source_paths: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    decision_refs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export declare const PreviewDiagnosticSchema: z.ZodObject<{
+    code: z.ZodString;
+    severity: z.ZodEnum<{
+        block: "block";
+        warn: "warn";
+    }>;
+    message: z.ZodString;
+    remediation: z.ZodString;
+    path: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
 export declare const PackageStructurePreviewSchema: z.ZodObject<{
     schema_version: z.ZodLiteral<1>;
     generated_at: z.ZodString;
     project_name: z.ZodString;
     profile: z.ZodEnum<{
-        prototype: "prototype";
         "foundation-compatible": "foundation-compatible";
+        prototype: "prototype";
         "enterprise-strict": "enterprise-strict";
     }>;
+    source: z.ZodDefault<z.ZodEnum<{
+        template: "template";
+        "artifact-map": "artifact-map";
+    }>>;
     contexts: z.ZodArray<z.ZodString>;
     subsystems: z.ZodArray<z.ZodString>;
     transports: z.ZodArray<z.ZodString>;
     tree: z.ZodType<PackageStructureNode, unknown, z.core.$ZodTypeInternals<PackageStructureNode, unknown>>;
+    foundation_tests_projection: z.ZodOptional<z.ZodType<PackageStructureNode, unknown, z.core.$ZodTypeInternals<PackageStructureNode, unknown>>>;
+    runtime_scripts_projection: z.ZodOptional<z.ZodType<PackageStructureNode, unknown, z.core.$ZodTypeInternals<PackageStructureNode, unknown>>>;
+    application_only_contexts: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        context: z.ZodString;
+        path: z.ZodString;
+        reason: z.ZodString;
+        adr_required: z.ZodDefault<z.ZodBoolean>;
+        contract_rule_ref: z.ZodLiteral<"DTAPI-P1-APPONLY-001">;
+    }, z.core.$strip>>>;
+    context_classification: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        context: z.ZodString;
+        pattern: z.ZodEnum<{
+            "bo-pattern": "bo-pattern";
+            "entity-pattern": "entity-pattern";
+            "application-only": "application-only";
+        }>;
+        source_paths: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        decision_refs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>>;
+    contract_pack_refs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    diagnostics: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        code: z.ZodString;
+        severity: z.ZodEnum<{
+            block: "block";
+            warn: "warn";
+        }>;
+        message: z.ZodString;
+        remediation: z.ZodString;
+        path: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>>;
+    artifact_languages: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    material_signature: z.ZodString;
 }, z.core.$strip>;
 export declare const HumanValidationGateSchema: z.ZodObject<{
     gate_id: z.ZodString;
@@ -43,6 +115,9 @@ export declare const HumanValidationGateSchema: z.ZodObject<{
     approved_by: z.ZodOptional<z.ZodString>;
     correction_notes: z.ZodOptional<z.ZodString>;
     exception_refs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    contract_pack_refs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    material_signature: z.ZodString;
+    serialized_at: z.ZodString;
 }, z.core.$strip>;
 export interface HumanValidationGateData {
     selected_profile: z.infer<typeof DerivationProfileSchema>;
@@ -62,16 +137,23 @@ export interface DebGateInput {
     subsystems?: string[];
     transports?: string[];
     generated_at?: string;
+    artifact_map?: unknown;
+    previous_human_validation_gate?: z.infer<typeof HumanValidationGateSchema>;
+    contract_pack_refs?: string[];
 }
 export declare function generatePackageStructurePreview(input: DebGateInput): z.infer<typeof PackageStructurePreviewSchema>;
 export declare function formatPreviewAsTree(node: z.infer<typeof PackageStructureNodeSchema>, prefix?: string): string;
-export declare function buildHumanValidationGate(preview: z.infer<typeof PackageStructurePreviewSchema>): z.infer<typeof HumanValidationGateSchema>;
+export declare function buildHumanValidationGate(preview: z.infer<typeof PackageStructurePreviewSchema>, options?: {
+    previous_gate?: z.infer<typeof HumanValidationGateSchema>;
+    exception_refs?: string[];
+}): z.infer<typeof HumanValidationGateSchema>;
 export declare function generateDevtrackApiDebGate(input: DebGateInput): HumanValidationGateData;
 export declare function isGatePending(gate: z.infer<typeof HumanValidationGateSchema>): boolean;
 export declare function isGateApproved(gate: z.infer<typeof HumanValidationGateSchema>): boolean;
 export type DerivationProfile = z.infer<typeof DerivationProfileSchema>;
 export type PreviewGateStatus = z.infer<typeof PreviewGateStatusSchema>;
 export type PackageStructureNodeKind = z.infer<typeof PackageStructureNodeKindSchema>;
+export type PreviewContextPattern = z.infer<typeof PreviewContextPatternSchema>;
 export type PackageStructureNode = {
     name: string;
     kind: PackageStructureNodeKind;