npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/attack-graph.service.ts ADDED Viewed

@@ -0,0 +1,1104 @@
+/**
+ * Attack Graph Service
+ *
+ * Builds and exports attack path data for visualization.
+ * Uses BFS to find shortest paths from non-privileged objects
+ * to privileged targets (Domain Admins, Enterprise Admins, etc.)
+ */
+import { ADUser, ADGroup, ADComputer, AclEntry } from '../../types/ad.types';
+import { ADCSCertificateTemplate } from '../../types/adcs.types';
+import { ADGPO } from '../../types/gpo.types';
+import {
+  AttackGraphExport,
+  AttackGraphNode,
+  AttackGraphRelation,
+  AttackPath,
+  AttackPathRisk,
+  AttackPathType,
+  AttackRelationType,
+  AttackTarget,
+  AttackGraphStats,
+  AttackGraphUniqueNode,
+  AttackChainElement,
+  AttackEntryPoint,
+  AttackNodeType,
+  ACCESS_MASK,
+  ACL_GUIDS,
+  PRIVILEGED_SID_SUFFIXES,
+  isAttackGraphNode,
+} from '../../types/attack-graph.types';
+import { logger } from '../../utils/logger';
+/**
+ * Internal graph node with additional metadata
+ */
+interface InternalNode {
+  id: string; // SID or DN-based ID
+  dn: string;
+  name: string;
+  type: AttackNodeType;
+  sid?: string;
+  isEnabled: boolean;
+  isPrivileged: boolean;
+  adminCount?: number;
+  memberOf: string[];
+  servicePrincipalName?: string[];
+  userAccountControl?: number;
+  delegateTo?: string[];
+  rbcdFrom?: string[];
+}
+/**
+ * Internal graph edge
+ */
+interface InternalEdge {
+  source: string; // Node ID
+  target: string; // Node ID
+  relation: AttackRelationType;
+  accessMask?: number;
+  objectType?: string;
+  isAbusable: boolean;
+}
+/**
+ * BFS path result
+ */
+interface BFSPath {
+  nodes: string[]; // Node IDs in order
+  edges: InternalEdge[]; // Edges between nodes
+}
+/**
+ * Attack Graph Service
+ */
+export class AttackGraphService {
+  private nodes: Map<string, InternalNode> = new Map();
+  private edges: Map<string, InternalEdge[]> = new Map(); // source -> edges
+  private reverseEdges: Map<string, InternalEdge[]> = new Map(); // target -> edges
+  private privilegedTargets: Map<string, AttackTarget> = new Map();
+  private dnToId: Map<string, string> = new Map(); // DN -> node ID
+  private domainSid: string = '';
+  private domainName: string = '';
+  /**
+   * Initialize the attack graph service with AD data
+   */
+  constructor(
+    private users: ADUser[],
+    private groups: ADGroup[],
+    private computers: ADComputer[],
+    private aclEntries: AclEntry[],
+    _certTemplates: ADCSCertificateTemplate[] = [],
+    _gpos: ADGPO[] = [],
+    domain?: { name?: string; sid?: string }
+  ) {
+    this.domainName = domain?.name || '';
+    this.domainSid = domain?.sid || this.extractDomainSid();
+    logger.debug(`AttackGraphService initialized with domain SID: ${this.domainSid}`);
+  }
+  /**
+   * Build and export the attack graph
+   */
+  public export(maxPaths: number = 500): AttackGraphExport {
+    const startTime = Date.now();
+    // Build the graph
+    this.buildGraph();
+    // Identify privileged targets
+    this.identifyPrivilegedTargets();
+    // Find all attack paths
+    const paths = this.findAllAttackPaths(maxPaths);
+    // Compute statistics
+    const stats = this.computeStats(paths);
+    // Get unique nodes involved in paths
+    const uniqueNodes = this.getUniqueNodes(paths);
+    const duration = Date.now() - startTime;
+    logger.info(
+      `Attack graph exported: ${paths.length} paths, ${uniqueNodes.length} unique nodes in ${duration}ms`
+    );
+    return {
+      version: '1.0',
+      generatedAt: new Date().toISOString(),
+      domain: this.domainName,
+      targets: Array.from(this.privilegedTargets.values()),
+      paths,
+      stats,
+      uniqueNodes,
+    };
+  }
+  /**
+   * Build the internal graph from AD data
+   */
+  private buildGraph(): void {
+    // Add all nodes
+    this.addUserNodes();
+    this.addGroupNodes();
+    this.addComputerNodes();
+    // Add all edges
+    this.addMembershipEdges();
+    this.addAclEdges();
+    this.addDelegationEdges();
+    this.addKerberosEdges();
+    logger.debug(
+      `Graph built: ${this.nodes.size} nodes, ${this.countEdges()} edges`
+    );
+  }
+  /**
+   * Add user nodes to the graph
+   */
+  private addUserNodes(): void {
+    for (const user of this.users) {
+      const sid = this.extractSid(user);
+      const id = sid || this.dnToId.get(user.dn.toLowerCase()) || this.generateId(user.dn);
+      const node: InternalNode = {
+        id,
+        dn: user.dn,
+        name: user.sAMAccountName || user.displayName || user.dn,
+        type: 'user',
+        sid,
+        isEnabled: user.enabled,
+        isPrivileged: user.adminCount === 1,
+        adminCount: user.adminCount,
+        memberOf: user.memberOf || [],
+        servicePrincipalName: this.getSpn(user),
+        userAccountControl: user.userAccountControl,
+        delegateTo: this.getDelegationTargets(user),
+      };
+      this.nodes.set(id, node);
+      this.dnToId.set(user.dn.toLowerCase(), id);
+      this.edges.set(id, []);
+      this.reverseEdges.set(id, []);
+    }
+  }
+  /**
+   * Add group nodes to the graph
+   */
+  private addGroupNodes(): void {
+    for (const group of this.groups) {
+      const sid = this.extractSid(group);
+      const id = sid || this.generateId(group.dn);
+      // Check if this is a privileged group by SID
+      const isPrivileged = this.isPrivilegedBySid(sid);
+      const node: InternalNode = {
+        id,
+        dn: group.dn,
+        name: group.sAMAccountName || group.displayName || group.cn || group.dn,
+        type: 'group',
+        sid,
+        isEnabled: true,
+        isPrivileged,
+        memberOf: group.memberOf || [],
+      };
+      this.nodes.set(id, node);
+      this.dnToId.set(group.dn.toLowerCase(), id);
+      this.edges.set(id, []);
+      this.reverseEdges.set(id, []);
+    }
+  }
+  /**
+   * Add computer nodes to the graph
+   */
+  private addComputerNodes(): void {
+    for (const computer of this.computers) {
+      const sid = this.extractSid(computer);
+      const id = sid || this.generateId(computer.dn);
+      // Check if Domain Controller
+      const memberOf = (computer as any).memberOf || [];
+      const isDC = memberOf.some(
+        (m: string) =>
+          m.toLowerCase().includes('cn=domain controllers') ||
+          m.toLowerCase().includes('cn=contrôleurs de domaine')
+      );
+      const node: InternalNode = {
+        id,
+        dn: computer.dn,
+        name: computer.sAMAccountName || computer.dNSHostName || computer.cn || computer.dn,
+        type: 'computer',
+        sid,
+        isEnabled: computer.enabled,
+        isPrivileged: isDC,
+        memberOf: memberOf,
+        delegateTo: this.getDelegationTargets(computer),
+        rbcdFrom: this.getRbcdPrincipals(computer),
+      };
+      this.nodes.set(id, node);
+      this.dnToId.set(computer.dn.toLowerCase(), id);
+      this.edges.set(id, []);
+      this.reverseEdges.set(id, []);
+    }
+  }
+  /**
+   * Add membership edges (MemberOf)
+   */
+  private addMembershipEdges(): void {
+    for (const [nodeId, node] of this.nodes) {
+      for (const groupDn of node.memberOf) {
+        const targetId = this.dnToId.get(groupDn.toLowerCase());
+        if (targetId) {
+          this.addEdge({
+            source: nodeId,
+            target: targetId,
+            relation: 'MemberOf',
+            isAbusable: false, // Membership itself isn't abusable, but paths through it are
+          });
+        }
+      }
+    }
+  }
+  /**
+   * Add ACL-based edges
+   */
+  private addAclEdges(): void {
+    for (const acl of this.aclEntries) {
+      // Skip denied ACEs
+      if (acl.aceType !== '0' && acl.aceType !== 'ACCESS_ALLOWED_ACE_TYPE') {
+        continue;
+      }
+      const sourceId = this.resolveAclTrustee(acl.trustee);
+      const targetId = this.dnToId.get(acl.objectDn.toLowerCase());
+      if (!sourceId || !targetId) continue;
+      // Determine relation type based on access mask and object type
+      const relations = this.classifyAclRelation(acl);
+      for (const relation of relations) {
+        this.addEdge({
+          source: sourceId,
+          target: targetId,
+          relation: relation.type,
+          accessMask: acl.accessMask,
+          objectType: acl.objectType,
+          isAbusable: relation.isAbusable,
+        });
+      }
+    }
+  }
+  /**
+   * Add delegation edges
+   */
+  private addDelegationEdges(): void {
+    for (const [nodeId, node] of this.nodes) {
+      // Constrained delegation
+      if (node.delegateTo && node.delegateTo.length > 0) {
+        for (const spn of node.delegateTo) {
+          // Try to resolve SPN to a target
+          const targetId = this.resolveSPNTarget(spn);
+          if (targetId) {
+            this.addEdge({
+              source: nodeId,
+              target: targetId,
+              relation: 'AllowedToDelegate',
+              isAbusable: true,
+            });
+          }
+        }
+      }
+      // RBCD - reverse direction: those who can act get edge TO this computer
+      if (node.rbcdFrom && node.rbcdFrom.length > 0) {
+        for (const principalSid of node.rbcdFrom) {
+          const sourceId = this.nodes.has(principalSid)
+            ? principalSid
+            : this.findNodeBySid(principalSid);
+          if (sourceId) {
+            this.addEdge({
+              source: sourceId,
+              target: nodeId,
+              relation: 'AllowedToAct',
+              isAbusable: true,
+            });
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Add Kerberos-related edges (HasSPN, NoPreauth)
+   * Note: These are tracked as node properties for path classification
+   */
+  private addKerberosEdges(): void {
+    // HasSPN and NoPreauth are tracked as node properties, not edges
+    // They are used during path classification to determine path type
+    // (KERBEROASTING, ASREP_ROASTING)
+  }
+  /**
+   * Identify privileged targets
+   */
+  private identifyPrivilegedTargets(): void {
+    for (const [nodeId, node] of this.nodes) {
+      let reason: string | null = null;
+      // Check SID-based privileged groups
+      if (node.sid) {
+        if (node.sid.endsWith(PRIVILEGED_SID_SUFFIXES.DOMAIN_ADMINS)) {
+          reason = 'Domain Admins';
+        } else if (node.sid.endsWith(PRIVILEGED_SID_SUFFIXES.ENTERPRISE_ADMINS)) {
+          reason = 'Enterprise Admins';
+        } else if (node.sid.endsWith(PRIVILEGED_SID_SUFFIXES.SCHEMA_ADMINS)) {
+          reason = 'Schema Admins';
+        } else if (node.sid.endsWith(PRIVILEGED_SID_SUFFIXES.ADMINISTRATORS)) {
+          reason = 'Administrators';
+        } else if (node.sid.endsWith(PRIVILEGED_SID_SUFFIXES.DOMAIN_CONTROLLERS)) {
+          reason = 'Domain Controllers';
+        } else if (node.sid.endsWith(PRIVILEGED_SID_SUFFIXES.ACCOUNT_OPERATORS)) {
+          reason = 'Account Operators';
+        } else if (node.sid.endsWith(PRIVILEGED_SID_SUFFIXES.BACKUP_OPERATORS)) {
+          reason = 'Backup Operators';
+        }
+      }
+      // Check adminCount=1
+      if (!reason && node.adminCount === 1) {
+        reason = 'adminCount=1';
+      }
+      // Check name-based privileged groups
+      if (!reason && node.type === 'group') {
+        const nameLower = node.name.toLowerCase();
+        if (
+          nameLower === 'domain admins' ||
+          nameLower === 'admins du domaine' ||
+          nameLower === 'administrateurs du domaine'
+        ) {
+          reason = 'Domain Admins';
+        } else if (
+          nameLower === 'enterprise admins' ||
+          nameLower === 'administrateurs de l\'entreprise'
+        ) {
+          reason = 'Enterprise Admins';
+        } else if (nameLower === 'administrators' || nameLower === 'administrateurs') {
+          reason = 'Administrators';
+        }
+      }
+      // Check Domain Controller computers
+      if (!reason && node.type === 'computer' && node.isPrivileged) {
+        reason = 'Domain Controller';
+      }
+      if (reason) {
+        node.isPrivileged = true;
+        this.privilegedTargets.set(nodeId, {
+          id: nodeId,
+          name: node.name,
+          type: node.type,
+          sid: node.sid,
+          dn: node.dn,
+          reason,
+        });
+      }
+    }
+    logger.debug(`Identified ${this.privilegedTargets.size} privileged targets`);
+  }
+  /**
+   * Find all attack paths using BFS
+   */
+  private findAllAttackPaths(maxPaths: number): AttackPath[] {
+    const paths: AttackPath[] = [];
+    const targetIds = Array.from(this.privilegedTargets.keys());
+    // For each non-privileged node, find shortest path to any privileged target
+    for (const [sourceId, sourceNode] of this.nodes) {
+      // Skip if source is already privileged
+      if (sourceNode.isPrivileged) continue;
+      // Skip disabled users
+      if (sourceNode.type === 'user' && !sourceNode.isEnabled) continue;
+      // BFS to find shortest path to any target
+      const path = this.bfsShortestPath(sourceId, targetIds);
+      if (path && path.nodes.length > 1) {
+        const attackPath = this.buildAttackPath(path, sourceNode, paths.length + 1);
+        if (attackPath) {
+          paths.push(attackPath);
+          if (paths.length >= maxPaths) {
+            logger.debug(`Reached max paths limit: ${maxPaths}`);
+            break;
+          }
+        }
+      }
+    }
+    // Sort by risk (critical first) then by hops (shortest first)
+    paths.sort((a, b) => {
+      const riskOrder: Record<AttackPathRisk, number> = {
+        critical: 0,
+        high: 1,
+        medium: 2,
+        low: 3,
+      };
+      if (riskOrder[a.risk] !== riskOrder[b.risk]) {
+        return riskOrder[a.risk] - riskOrder[b.risk];
+      }
+      return a.hops - b.hops;
+    });
+    return paths;
+  }
+  /**
+   * BFS to find shortest path from source to any target
+   */
+  private bfsShortestPath(sourceId: string, targetIds: string[]): BFSPath | null {
+    const targetSet = new Set(targetIds);
+    const visited = new Set<string>([sourceId]);
+    const queue: { nodeId: string; path: BFSPath }[] = [
+      { nodeId: sourceId, path: { nodes: [sourceId], edges: [] } },
+    ];
+    while (queue.length > 0) {
+      const current = queue.shift()!;
+      // Check if we reached a target
+      if (targetSet.has(current.nodeId) && current.path.nodes.length > 1) {
+        return current.path;
+      }
+      // Early termination for very long paths
+      if (current.path.nodes.length > 6) continue;
+      // Explore neighbors
+      const outEdges = this.edges.get(current.nodeId) || [];
+      for (const edge of outEdges) {
+        if (visited.has(edge.target)) continue;
+        visited.add(edge.target);
+        const newPath: BFSPath = {
+          nodes: [...current.path.nodes, edge.target],
+          edges: [...current.path.edges, edge],
+        };
+        // Prioritize paths to targets
+        if (targetSet.has(edge.target)) {
+          return newPath;
+        }
+        queue.push({ nodeId: edge.target, path: newPath });
+      }
+    }
+    return null;
+  }
+  /**
+   * Build an AttackPath from BFS result
+   */
+  private buildAttackPath(
+    bfsPath: BFSPath,
+    sourceNode: InternalNode,
+    pathIndex: number
+  ): AttackPath | null {
+    const chain: AttackChainElement[] = [];
+    // Build alternating node-relation-node chain
+    for (let i = 0; i < bfsPath.nodes.length; i++) {
+      const nodeId = bfsPath.nodes[i];
+      if (!nodeId) continue;
+      const node = this.nodes.get(nodeId);
+      if (!node) continue;
+      // Add node
+      chain.push(this.toAttackGraphNode(node));
+      // Add relation (if not last node)
+      if (i < bfsPath.edges.length) {
+        const edge = bfsPath.edges[i];
+        if (edge) {
+          chain.push(this.toAttackGraphRelation(edge));
+        }
+      }
+    }
+    // Get target node
+    const targetId = bfsPath.nodes[bfsPath.nodes.length - 1];
+    if (!targetId) return null;
+    const targetNode = this.nodes.get(targetId);
+    if (!targetNode) return null;
+    // Classify path type
+    const pathType = this.classifyPathType(bfsPath);
+    // Calculate risk
+    const risk = this.calculatePathRisk(bfsPath, pathType);
+    // Generate description and mitigation
+    const description = this.generateDescription(bfsPath, pathType, sourceNode, targetNode);
+    const mitigation = this.generateMitigation(bfsPath, pathType);
+    return {
+      id: `path-${String(pathIndex).padStart(3, '0')}`,
+      risk,
+      type: pathType,
+      hops: bfsPath.edges.length,
+      description,
+      chain,
+      entryPoint: this.toEntryPoint(sourceNode),
+      target: this.toAttackGraphNode(targetNode),
+      mitigation,
+    };
+  }
+  /**
+   * Classify path type based on edges
+   */
+  private classifyPathType(path: BFSPath): AttackPathType {
+    const relations = path.edges.map((e) => e.relation);
+    // Check for DCSync
+    if (relations.includes('DCSync')) {
+      return 'DCSYNC';
+    }
+    // Check for delegation abuse
+    if (relations.includes('AllowedToDelegate') || relations.includes('AllowedToAct')) {
+      return 'DELEGATION_ABUSE';
+    }
+    // Check for Kerberoasting (user with SPN -> privileged)
+    const firstNodeId = path.nodes[0];
+    const sourceNode = firstNodeId ? this.nodes.get(firstNodeId) : undefined;
+    if (
+      sourceNode?.type === 'user' &&
+      sourceNode.servicePrincipalName &&
+      sourceNode.servicePrincipalName.length > 0
+    ) {
+      return 'KERBEROASTING';
+    }
+    // Check for AS-REP roasting
+    if (
+      sourceNode?.userAccountControl &&
+      (sourceNode.userAccountControl & 0x400000) !== 0
+    ) {
+      return 'ASREP_ROASTING';
+    }
+    // Check for ownership abuse
+    if (relations.includes('Owns')) {
+      return 'OWNERSHIP_ABUSE';
+    }
+    // Check for ACL abuse
+    const aclRelations: AttackRelationType[] = [
+      'GenericAll',
+      'WriteDacl',
+      'WriteOwner',
+      'GenericWrite',
+      'ForceChangePassword',
+      'AddMember',
+    ];
+    if (relations.some((r) => aclRelations.includes(r))) {
+      return 'ACL_ABUSE';
+    }
+    // Check for pure group membership
+    if (relations.every((r) => r === 'MemberOf')) {
+      return 'GROUP_MEMBERSHIP';
+    }
+    // Default to ACL abuse
+    return 'ACL_ABUSE';
+  }
+  /**
+   * Calculate risk level for a path
+   */
+  private calculatePathRisk(path: BFSPath, pathType: AttackPathType): AttackPathRisk {
+    const hops = path.edges.length;
+    const hasAbusableEdge = path.edges.some((e) => e.isAbusable);
+    // DCSync is always critical
+    if (pathType === 'DCSYNC') return 'critical';
+    // Short paths with abusable edges are critical
+    if (hops <= 2 && hasAbusableEdge) return 'critical';
+    // Delegation abuse is high risk
+    if (pathType === 'DELEGATION_ABUSE') return 'high';
+    // Short paths are high risk
+    if (hops <= 2) return 'high';
+    // Medium paths
+    if (hops <= 4) return 'medium';
+    // Long paths are lower risk
+    return 'low';
+  }
+  /**
+   * Generate path description
+   */
+  private generateDescription(
+    path: BFSPath,
+    pathType: AttackPathType,
+    source: InternalNode,
+    target: InternalNode
+  ): string {
+    const typeDescriptions: Record<AttackPathType, string> = {
+      ACL_ABUSE: 'can abuse ACL permissions to reach',
+      KERBEROASTING: 'has an SPN and can be Kerberoasted to reach',
+      ASREP_ROASTING: 'has no pre-authentication and can be AS-REP roasted to reach',
+      DELEGATION_ABUSE: 'can abuse delegation to reach',
+      LATERAL_MOVEMENT: 'can move laterally to reach',
+      CERTIFICATE_ABUSE: 'can abuse certificate services to reach',
+      GROUP_MEMBERSHIP: 'is a member of groups leading to',
+      DCSYNC: 'has DCSync rights to',
+      OWNERSHIP_ABUSE: 'owns objects leading to',
+    };
+    return `${source.name} ${typeDescriptions[pathType]} ${target.name} in ${path.edges.length} hop(s)`;
+  }
+  /**
+   * Generate mitigation advice
+   */
+  private generateMitigation(_path: BFSPath, pathType: AttackPathType): string {
+    const mitigations: Record<AttackPathType, string> = {
+      ACL_ABUSE:
+        'Review and remove unnecessary ACL permissions. Apply least privilege principle.',
+      KERBEROASTING:
+        'Remove unnecessary SPNs from user accounts. Use Group Managed Service Accounts (gMSA) or strong passwords for service accounts.',
+      ASREP_ROASTING:
+        'Enable Kerberos pre-authentication for all user accounts.',
+      DELEGATION_ABUSE:
+        'Review and restrict delegation settings. Use resource-based constrained delegation with explicit trusts.',
+      LATERAL_MOVEMENT:
+        'Segment networks and restrict local admin access. Implement LAPS for local administrator passwords.',
+      CERTIFICATE_ABUSE:
+        'Review certificate template permissions. Disable vulnerable enrollment patterns.',
+      GROUP_MEMBERSHIP:
+        'Review nested group memberships. Remove unnecessary members from privileged groups.',
+      DCSYNC:
+        'Remove DCSync rights from non-DC accounts. Monitor for DCSync activity.',
+      OWNERSHIP_ABUSE:
+        'Review object ownership. Ensure privileged objects are owned by appropriate administrators.',
+    };
+    return mitigations[pathType];
+  }
+  /**
+   * Convert internal node to export format
+   */
+  private toAttackGraphNode(node: InternalNode): AttackGraphNode {
+    return {
+      id: node.id,
+      name: node.name,
+      type: node.type,
+      sid: node.sid,
+      dn: node.dn,
+      domain: this.domainName,
+      isEnabled: node.isEnabled,
+      isPrivileged: node.isPrivileged,
+    };
+  }
+  /**
+   * Convert internal edge to export relation
+   */
+  private toAttackGraphRelation(edge: InternalEdge): AttackGraphRelation {
+    return {
+      relation: edge.relation,
+      isAbusable: edge.isAbusable,
+      accessMask: edge.accessMask,
+      objectType: edge.objectType,
+    };
+  }
+  /**
+   * Convert node to entry point
+   */
+  private toEntryPoint(node: InternalNode): AttackEntryPoint {
+    return {
+      id: node.id,
+      name: node.name,
+      type: node.type,
+      properties: {
+        hasSPN: node.servicePrincipalName && node.servicePrincipalName.length > 0,
+        noPreauth: node.userAccountControl
+          ? (node.userAccountControl & 0x400000) !== 0
+          : false,
+        passwordNotExpire: node.userAccountControl
+          ? (node.userAccountControl & 0x10000) !== 0
+          : false,
+        unconstrained: node.userAccountControl
+          ? (node.userAccountControl & 0x80000) !== 0
+          : false,
+        constrained: node.delegateTo && node.delegateTo.length > 0,
+        rbcd: node.rbcdFrom && node.rbcdFrom.length > 0,
+        adminCount: node.adminCount === 1,
+        enabled: node.isEnabled,
+      },
+    };
+  }
+  /**
+   * Compute statistics
+   */
+  private computeStats(paths: AttackPath[]): AttackGraphStats {
+    const byRisk = { critical: 0, high: 0, medium: 0, low: 0 };
+    const byType: Record<AttackPathType, number> = {
+      ACL_ABUSE: 0,
+      KERBEROASTING: 0,
+      ASREP_ROASTING: 0,
+      DELEGATION_ABUSE: 0,
+      LATERAL_MOVEMENT: 0,
+      CERTIFICATE_ABUSE: 0,
+      GROUP_MEMBERSHIP: 0,
+      DCSYNC: 0,
+      OWNERSHIP_ABUSE: 0,
+    };
+    let totalHops = 0;
+    let shortestPath = Infinity;
+    let longestPath = 0;
+    for (const path of paths) {
+      byRisk[path.risk]++;
+      byType[path.type]++;
+      totalHops += path.hops;
+      shortestPath = Math.min(shortestPath, path.hops);
+      longestPath = Math.max(longestPath, path.hops);
+    }
+    return {
+      totalPaths: paths.length,
+      byRisk,
+      byType,
+      averageHops: paths.length > 0 ? Math.round((totalHops / paths.length) * 100) / 100 : 0,
+      shortestPath: paths.length > 0 ? shortestPath : 0,
+      longestPath: paths.length > 0 ? longestPath : 0,
+    };
+  }
+  /**
+   * Get unique nodes involved in paths
+   */
+  private getUniqueNodes(paths: AttackPath[]): AttackGraphUniqueNode[] {
+    const nodeCount = new Map<string, { node: AttackGraphNode; count: number }>();
+    for (const path of paths) {
+      for (const element of path.chain) {
+        if (isAttackGraphNode(element)) {
+          const existing = nodeCount.get(element.id);
+          if (existing) {
+            existing.count++;
+          } else {
+            nodeCount.set(element.id, { node: element, count: 1 });
+          }
+        }
+      }
+    }
+    return Array.from(nodeCount.values())
+      .map(({ node, count }) => ({
+        id: node.id,
+        name: node.name,
+        type: node.type,
+        pathCount: count,
+        sid: node.sid,
+      }))
+      .sort((a, b) => b.pathCount - a.pathCount);
+  }
+  // ========== Helper Methods ==========
+  /**
+   * Add an edge to the graph
+   */
+  private addEdge(edge: InternalEdge): void {
+    const sourceEdges = this.edges.get(edge.source);
+    if (sourceEdges) {
+      sourceEdges.push(edge);
+    }
+    const targetEdges = this.reverseEdges.get(edge.target);
+    if (targetEdges) {
+      targetEdges.push(edge);
+    }
+  }
+  /**
+   * Count total edges
+   */
+  private countEdges(): number {
+    let count = 0;
+    for (const edges of this.edges.values()) {
+      count += edges.length;
+    }
+    return count;
+  }
+  /**
+   * Extract SID from AD object
+   */
+  private extractSid(obj: ADUser | ADGroup | ADComputer): string | undefined {
+    const sid = (obj as any).objectSid || (obj as any).objectSID || (obj as any).sid;
+    if (typeof sid === 'string') return sid;
+    if (Buffer.isBuffer(sid)) return this.bufferToSid(sid);
+    return undefined;
+  }
+  /**
+   * Convert Buffer to SID string
+   */
+  private bufferToSid(buffer: Buffer): string {
+    if (buffer.length < 8) return '';
+    const revision = buffer.readUInt8(0);
+    const subAuthCount = buffer.readUInt8(1);
+    const authority =
+      buffer.readUInt8(2) * Math.pow(2, 40) +
+      buffer.readUInt8(3) * Math.pow(2, 32) +
+      buffer.readUInt8(4) * Math.pow(2, 24) +
+      buffer.readUInt8(5) * Math.pow(2, 16) +
+      buffer.readUInt8(6) * Math.pow(2, 8) +
+      buffer.readUInt8(7);
+    let sid = `S-${revision}-${authority}`;
+    for (let i = 0; i < subAuthCount; i++) {
+      const offset = 8 + i * 4;
+      if (offset + 4 <= buffer.length) {
+        const subAuth = buffer.readUInt32LE(offset);
+        sid += `-${subAuth}`;
+      }
+    }
+    return sid;
+  }
+  /**
+   * Extract domain SID from first user/computer SID
+   */
+  private extractDomainSid(): string {
+    for (const user of this.users) {
+      const sid = this.extractSid(user);
+      if (sid) {
+        // Domain SID is everything except the last RID
+        const parts = sid.split('-');
+        if (parts.length > 4) {
+          return parts.slice(0, -1).join('-');
+        }
+      }
+    }
+    return '';
+  }
+  /**
+   * Check if SID is privileged
+   */
+  private isPrivilegedBySid(sid?: string): boolean {
+    if (!sid) return false;
+    for (const suffix of Object.values(PRIVILEGED_SID_SUFFIXES)) {
+      if (sid.endsWith(suffix)) return true;
+    }
+    return false;
+  }
+  /**
+   * Generate ID from DN
+   */
+  private generateId(dn: string): string {
+    return `dn:${dn.toLowerCase()}`;
+  }
+  /**
+   * Get SPN array from user
+   */
+  private getSpn(user: ADUser): string[] | undefined {
+    const spn = (user as any).servicePrincipalName;
+    if (!spn) return undefined;
+    return Array.isArray(spn) ? spn : [spn];
+  }
+  /**
+   * Get delegation targets
+   */
+  private getDelegationTargets(obj: ADUser | ADComputer): string[] | undefined {
+    const attr = (obj as any)['msDS-AllowedToDelegateTo'];
+    if (!attr) return undefined;
+    return Array.isArray(attr) ? attr : [attr];
+  }
+  /**
+   * Get RBCD principals
+   */
+  private getRbcdPrincipals(computer: ADComputer): string[] | undefined {
+    const attr = (computer as any)['msDS-AllowedToActOnBehalfOfOtherIdentity'];
+    if (!attr) return undefined;
+    // This is typically a binary security descriptor - would need to parse it
+    // For now, just track that RBCD is configured
+    return [];
+  }
+  /**
+   * Resolve ACL trustee to node ID
+   */
+  private resolveAclTrustee(trustee: string): string | undefined {
+    // Trustee might be a SID or DN
+    if (trustee.startsWith('S-1-')) {
+      // It's a SID - look up by SID
+      if (this.nodes.has(trustee)) {
+        return trustee;
+      }
+      return this.findNodeBySid(trustee);
+    }
+    // It's a DN
+    return this.dnToId.get(trustee.toLowerCase());
+  }
+  /**
+   * Find node by SID
+   */
+  private findNodeBySid(sid: string): string | undefined {
+    for (const [nodeId, node] of this.nodes) {
+      if (node.sid === sid) return nodeId;
+    }
+    return undefined;
+  }
+  /**
+   * Resolve SPN to target node
+   */
+  private resolveSPNTarget(spn: string): string | undefined {
+    // SPN format: service/host:port or service/host
+    const parts = spn.split('/');
+    if (parts.length < 2 || !parts[1]) return undefined;
+    const hostPart = parts[1].split(':')[0];
+    if (!hostPart) return undefined;
+    const host = hostPart.toLowerCase();
+    // Look for computer with matching hostname
+    const hostShort = host.split('.')[0] || host;
+    for (const [nodeId, node] of this.nodes) {
+      if (node.type === 'computer') {
+        const nodeName = node.name.toLowerCase().replace(/\$$/, '');
+        if (nodeName === host || nodeName.startsWith(hostShort)) {
+          return nodeId;
+        }
+      }
+    }
+    return undefined;
+  }
+  /**
+   * Classify ACL to relation types
+   */
+  private classifyAclRelation(
+    acl: AclEntry
+  ): { type: AttackRelationType; isAbusable: boolean }[] {
+    const relations: { type: AttackRelationType; isAbusable: boolean }[] = [];
+    const mask = acl.accessMask;
+    const objectType = acl.objectType?.toLowerCase();
+    // GenericAll
+    if (mask & ACCESS_MASK.GENERIC_ALL) {
+      relations.push({ type: 'GenericAll', isAbusable: true });
+    }
+    // GenericWrite
+    if (mask & ACCESS_MASK.GENERIC_WRITE) {
+      relations.push({ type: 'GenericWrite', isAbusable: true });
+    }
+    // WriteDacl
+    if (mask & ACCESS_MASK.WRITE_DACL) {
+      relations.push({ type: 'WriteDacl', isAbusable: true });
+    }
+    // WriteOwner
+    if (mask & ACCESS_MASK.WRITE_OWNER) {
+      relations.push({ type: 'WriteOwner', isAbusable: true });
+    }
+    // Extended rights - check object type
+    if (mask & ACCESS_MASK.CONTROL_ACCESS && objectType) {
+      // ForceChangePassword
+      if (objectType === ACL_GUIDS.FORCE_CHANGE_PASSWORD.toLowerCase()) {
+        relations.push({ type: 'ForceChangePassword', isAbusable: true });
+      }
+      // DCSync rights
+      if (
+        objectType === ACL_GUIDS.DS_REPLICATION_GET_CHANGES.toLowerCase() ||
+        objectType === ACL_GUIDS.DS_REPLICATION_GET_CHANGES_ALL.toLowerCase()
+      ) {
+        relations.push({ type: 'DCSync', isAbusable: true });
+      }
+    }
+    // Self membership (AddMember)
+    if (mask & ACCESS_MASK.SELF && objectType === ACL_GUIDS.SELF_MEMBERSHIP.toLowerCase()) {
+      relations.push({ type: 'AddMember', isAbusable: true });
+    }
+    return relations;
+  }
+}
+/**
+ * Create and export attack graph
+ */
+export function computeAttackGraph(
+  users: ADUser[],
+  groups: ADGroup[],
+  computers: ADComputer[],
+  aclEntries: AclEntry[],
+  certTemplates: ADCSCertificateTemplate[] = [],
+  gpos: ADGPO[] = [],
+  domain?: { name?: string; sid?: string },
+  maxPaths: number = 500
+): AttackGraphExport {
+  const service = new AttackGraphService(
+    users,
+    groups,
+    computers,
+    aclEntries,
+    certTemplates,
+    gpos,
+    domain
+  );
+  return service.export(maxPaths);
+}