npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/gpo.detector.ts ADDED Viewed

@@ -0,0 +1,485 @@
+/**
+ * GPO Security Vulnerability Detector
+ *
+ * Analyzes Group Policy Objects for security misconfigurations.
+ *
+ * Vulnerabilities detected (9):
+ * CRITICAL (1) - Phase 4:
+ * - GPO_PASSWORD_IN_SYSVOL: Passwords found in GPO preferences
+ *
+ * HIGH (2):
+ * - GPO_DANGEROUS_PERMISSIONS: Non-admin can edit GPO linked to sensitive OUs
+ * - GPO_WEAK_PASSWORD_POLICY: GPO with password length < 12 characters
+ *
+ * MEDIUM (5):
+ * - GPO_LAPS_NOT_DEPLOYED: No LAPS deployment GPO found
+ * - GPO_DISABLED_BUT_LINKED: GPO disabled but still linked
+ * - GPO_NO_SECURITY_FILTERING: GPO without security filtering
+ * - GPO_AUTHENTICATED_USERS_APPLY: GPO applies to all Authenticated Users
+ * - GPO_ORPHANED: Orphaned GPO (Phase 4)
+ *
+ * LOW (1):
+ * - GPO_UNLINKED: GPO exists but not linked anywhere
+ */
+import { Finding } from '../../../../types/finding.types';
+import {
+  ADGPO,
+  GPOLink,
+  GPOAclEntry,
+  GPO_FLAG_ALL_DISABLED,
+  LAPS_CSE_GUID,
+  LAPS_LEGACY_CSE_GUID,
+} from '../../../../types/gpo.types';
+// Well-known SIDs for security filtering analysis
+const SID_AUTHENTICATED_USERS = 'S-1-5-11';
+const SID_EVERYONE = 'S-1-1-0';
+const SID_DOMAIN_COMPUTERS = '-515'; // Ends with this RID
+// "Apply Group Policy" extended right GUID
+const APPLY_GROUP_POLICY_RIGHT = 0x00000004; // Read + Execute equivalent for GPO
+/**
+ * Check if GPO has LAPS Client-Side Extension
+ */
+function hasLapsCse(gpo: ADGPO): boolean {
+  const extensions = gpo.gPCMachineExtensionNames || '';
+  return extensions.includes(LAPS_CSE_GUID) || extensions.includes(LAPS_LEGACY_CSE_GUID);
+}
+/**
+ * GPO_DANGEROUS_PERMISSIONS: Non-admin can edit GPO
+ * Note: Requires ACL analysis - placeholder for now
+ */
+export function detectGpoDangerousPermissions(
+  gpos: ADGPO[],
+  _links: GPOLink[],
+  _includeDetails: boolean
+): Finding {
+  // Would analyze nTSecurityDescriptor on GPO objects for:
+  // - GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty
+  // granted to non-admin principals (Domain Users, Authenticated Users, etc.)
+  return {
+    type: 'GPO_DANGEROUS_PERMISSIONS',
+    severity: 'high',
+    category: 'gpo',
+    title: 'GPO Permissions Review Required',
+    description:
+      'Group Policy Objects should be reviewed for overly permissive ACLs that allow non-administrators to modify GPO settings.',
+    count: 0, // Placeholder until ACL analysis implemented
+    affectedEntities: undefined,
+    details: {
+      note: 'Manual review of GPO ACLs recommended. Check for non-admin principals with write access.',
+      gposToReview: gpos.length,
+    },
+  };
+}
+/**
+ * GPO_LAPS_NOT_DEPLOYED: No LAPS deployment GPO found
+ */
+export function detectGpoLapsNotDeployed(
+  gpos: ADGPO[],
+  links: GPOLink[],
+  _includeDetails: boolean
+): Finding {
+  // Check if any GPO has LAPS CSE and is linked
+  const lapsGpos = gpos.filter((gpo) => hasLapsCse(gpo));
+  const linkedLapsGpos = lapsGpos.filter((gpo) =>
+    links.some((link) => link.gpoGuid.toLowerCase() === gpo.cn.toLowerCase() && !link.disabled)
+  );
+  const noLapsDeployed = linkedLapsGpos.length === 0;
+  return {
+    type: 'GPO_LAPS_NOT_DEPLOYED',
+    severity: 'medium',
+    category: 'gpo',
+    title: 'LAPS Not Deployed via GPO',
+    description:
+      'No active Group Policy Object was found deploying LAPS (Local Administrator Password Solution). This leaves local admin passwords vulnerable to reuse attacks.',
+    count: noLapsDeployed ? 1 : 0,
+    affectedEntities: undefined,
+    details: {
+      lapsGposFound: lapsGpos.length,
+      linkedLapsGpos: linkedLapsGpos.length,
+      note: noLapsDeployed
+        ? 'LAPS not deployed - local admin passwords are not being rotated.'
+        : 'LAPS is deployed via GPO.',
+      recommendation: noLapsDeployed
+        ? 'Deploy LAPS via GPO to manage local administrator passwords.'
+        : undefined,
+    },
+  };
+}
+/**
+ * GPO_WEAK_PASSWORD_POLICY: GPO with weak password settings
+ * Note: Requires reading GptTmpl.inf via SMB - check domain policy instead
+ */
+export function detectGpoWeakPasswordPolicy(
+  _gpos: ADGPO[],
+  _links: GPOLink[],
+  domainPasswordPolicy: { minPasswordLength?: number } | null,
+  includeDetails: boolean
+): Finding {
+  const minLength = domainPasswordPolicy?.minPasswordLength ?? 0;
+  const isWeak = minLength < 12;
+  return {
+    type: 'GPO_WEAK_PASSWORD_POLICY',
+    severity: 'medium',
+    category: 'gpo',
+    title: 'Weak Password Policy',
+    description: `Domain password policy requires only ${minLength} characters minimum. Microsoft recommends at least 12 characters for standard accounts, 14+ for privileged accounts.`,
+    count: isWeak ? 1 : 0,
+    affectedEntities: includeDetails && isWeak ? ['Default Domain Policy'] : undefined,
+    details: isWeak
+      ? {
+          currentMinLength: minLength,
+          recommendedMinLength: 12,
+        }
+      : undefined,
+  };
+}
+/**
+ * GPO_UNLINKED: GPO exists but not linked anywhere
+ */
+export function detectGpoUnlinked(
+  gpos: ADGPO[],
+  links: GPOLink[],
+  includeDetails: boolean
+): Finding {
+  // Find GPOs that have no links
+  const linkedGuids = new Set(links.map((l) => l.gpoGuid.toLowerCase()));
+  const unlinkedGpos = gpos.filter((gpo) => !linkedGuids.has(gpo.cn.toLowerCase()));
+  // Exclude Default Domain Policy and Default Domain Controllers Policy
+  const excludeGuids = [
+    '31B2F340-016D-11D2-945F-00C04FB984F9', // Default Domain Policy
+    '6AC1786C-016F-11D2-945F-00C04FB984F9', // Default Domain Controllers Policy
+  ];
+  const relevantUnlinked = unlinkedGpos.filter(
+    (gpo) => !excludeGuids.some((guid) => gpo.cn.toUpperCase().includes(guid))
+  );
+  return {
+    type: 'GPO_UNLINKED',
+    severity: 'low',
+    category: 'gpo',
+    title: 'Unlinked Group Policy Objects',
+    description:
+      'GPOs exist that are not linked to any OU, domain, or site. These may be orphaned or indicate incomplete deployment.',
+    count: relevantUnlinked.length,
+    affectedEntities: includeDetails
+      ? relevantUnlinked.map((gpo) => gpo.displayName || gpo.cn)
+      : undefined,
+  };
+}
+/**
+ * GPO_DISABLED_BUT_LINKED: GPO is disabled but still linked
+ */
+export function detectGpoDisabledButLinked(
+  gpos: ADGPO[],
+  links: GPOLink[],
+  includeDetails: boolean
+): Finding {
+  // Find GPOs that are disabled (flags = 3) but have active links
+  const disabledGpos = gpos.filter((gpo) => gpo.flags === GPO_FLAG_ALL_DISABLED);
+  const disabledButLinked = disabledGpos.filter((gpo) =>
+    links.some((link) => link.gpoGuid.toLowerCase() === gpo.cn.toLowerCase() && !link.disabled)
+  );
+  return {
+    type: 'GPO_DISABLED_BUT_LINKED',
+    severity: 'medium',
+    category: 'gpo',
+    title: 'Disabled GPO Still Linked',
+    description:
+      'GPOs are disabled (both user and computer settings) but remain linked. This may indicate configuration drift or incomplete changes.',
+    count: disabledButLinked.length,
+    affectedEntities: includeDetails
+      ? disabledButLinked.map((gpo) => gpo.displayName || gpo.cn)
+      : undefined,
+  };
+}
+/**
+ * GPO_NO_SECURITY_FILTERING: GPO without explicit security filtering
+ * GPO applies to all objects in the linked OU without restrictions
+ */
+export function detectGpoNoSecurityFiltering(
+  gpos: ADGPO[],
+  links: GPOLink[],
+  gpoAcls: GPOAclEntry[],
+  includeDetails: boolean
+): Finding {
+  // Get linked GPO GUIDs
+  const linkedGuids = new Set(
+    links.filter((l) => !l.disabled).map((l) => l.gpoGuid.toLowerCase())
+  );
+  // Find GPOs that are linked but have no security filtering
+  // Security filtering = only specific groups have "Apply Group Policy" right
+  // No filtering = Authenticated Users or Everyone has Apply right
+  const noFiltering: ADGPO[] = [];
+  for (const gpo of gpos) {
+    // Only check linked GPOs
+    if (!linkedGuids.has(gpo.cn.toLowerCase())) continue;
+    // Get ACLs for this GPO
+    const aclsForGpo = gpoAcls.filter(
+      (acl) => acl.gpoDn.toLowerCase() === gpo.dn.toLowerCase()
+    );
+    // If no ACL data, skip (can't determine)
+    if (aclsForGpo.length === 0) continue;
+    // Check if Authenticated Users or Everyone has Apply permission
+    const hasUnrestrictedApply = aclsForGpo.some(
+      (acl) =>
+        (acl.trusteeSid === SID_AUTHENTICATED_USERS || acl.trusteeSid === SID_EVERYONE) &&
+        (acl.accessMask & APPLY_GROUP_POLICY_RIGHT) !== 0
+    );
+    // Check if there's any specific group filtering (exclude auth users and everyone)
+    const hasSpecificFiltering = aclsForGpo.some(
+      (acl) =>
+        acl.trusteeSid !== SID_AUTHENTICATED_USERS &&
+        acl.trusteeSid !== SID_EVERYONE &&
+        !acl.trusteeSid.endsWith(SID_DOMAIN_COMPUTERS) &&
+        (acl.accessMask & APPLY_GROUP_POLICY_RIGHT) !== 0
+    );
+    // No filtering if auth users/everyone can apply and no specific groups defined
+    if (hasUnrestrictedApply && !hasSpecificFiltering) {
+      noFiltering.push(gpo);
+    }
+  }
+  return {
+    type: 'GPO_NO_SECURITY_FILTERING',
+    severity: 'medium',
+    category: 'gpo',
+    title: 'GPO Without Security Filtering',
+    description:
+      'GPOs that apply to all Authenticated Users or Everyone without specific security filtering. Consider restricting GPO application to specific groups.',
+    count: noFiltering.length,
+    affectedEntities: includeDetails
+      ? noFiltering.map((gpo) => gpo.displayName || gpo.cn)
+      : undefined,
+    details:
+      noFiltering.length > 0
+        ? {
+            recommendation:
+              'Apply security filtering to restrict GPO application to specific groups.',
+          }
+        : undefined,
+  };
+}
+/**
+ * GPO_AUTHENTICATED_USERS_APPLY: GPO explicitly grants Apply to Authenticated Users
+ * This is the default but may be unintended for sensitive GPOs
+ */
+export function detectGpoAuthenticatedUsersApply(
+  gpos: ADGPO[],
+  links: GPOLink[],
+  gpoAcls: GPOAclEntry[],
+  includeDetails: boolean
+): Finding {
+  // Get linked GPO GUIDs
+  const linkedGuids = new Set(
+    links.filter((l) => !l.disabled).map((l) => l.gpoGuid.toLowerCase())
+  );
+  // Find GPOs where Authenticated Users has explicit Apply permission
+  const authUsersApply: ADGPO[] = [];
+  for (const gpo of gpos) {
+    // Only check linked GPOs
+    if (!linkedGuids.has(gpo.cn.toLowerCase())) continue;
+    // Get ACLs for this GPO
+    const aclsForGpo = gpoAcls.filter(
+      (acl) => acl.gpoDn.toLowerCase() === gpo.dn.toLowerCase()
+    );
+    // If no ACL data, skip
+    if (aclsForGpo.length === 0) continue;
+    // Check if Authenticated Users specifically has Apply permission
+    const authUsersHasApply = aclsForGpo.some(
+      (acl) =>
+        acl.trusteeSid === SID_AUTHENTICATED_USERS &&
+        (acl.accessMask & APPLY_GROUP_POLICY_RIGHT) !== 0
+    );
+    if (authUsersHasApply) {
+      authUsersApply.push(gpo);
+    }
+  }
+  return {
+    type: 'GPO_AUTHENTICATED_USERS_APPLY',
+    severity: 'medium',
+    category: 'gpo',
+    title: 'GPO Applies to All Authenticated Users',
+    description:
+      'GPOs with Authenticated Users granted the "Apply Group Policy" permission. This is the default but may be too broad for sensitive policies.',
+    count: authUsersApply.length,
+    affectedEntities: includeDetails
+      ? authUsersApply.map((gpo) => gpo.displayName || gpo.cn)
+      : undefined,
+    details:
+      authUsersApply.length > 0
+        ? {
+            recommendation:
+              'Review if all GPOs should apply to all users. Consider using security filtering for sensitive policies.',
+            note: 'This is informational - Authenticated Users is the default.',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect GPOs with passwords stored in SYSVOL (cPassword)
+ *
+ * MS14-025 patched this, but old GPOs may still contain cleartext passwords
+ * in Groups.xml, Services.xml, Scheduledtasks.xml, etc.
+ *
+ * @param gpos - Array of GPOs
+ * @param _links - Array of GPO links (not used)
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for GPO_PASSWORD_IN_SYSVOL
+ */
+export function detectGpoPasswordInSysvol(
+  gpos: ADGPO[],
+  _links: GPOLink[],
+  includeDetails: boolean
+): Finding {
+  // Check GPO flags or attributes that might indicate password presence
+  // This would ideally need SYSVOL file content reading
+  // For now, check for GPOs with "cpassword" mentioned or old-style preferences
+  const affected = gpos.filter((gpo) => {
+    const gpoName = (gpo.displayName || gpo.cn || '').toLowerCase();
+    const gpoPath = (gpo.gPCFileSysPath || '').toLowerCase();
+    // GPOs that commonly contain passwords
+    const riskyPatterns = [
+      'password',
+      'credential',
+      'local admin',
+      'service account',
+      'scheduled task',
+      'drive map',
+    ];
+    return riskyPatterns.some(
+      (pattern) => gpoName.includes(pattern) || gpoPath.includes(pattern)
+    );
+  });
+  return {
+    type: 'GPO_PASSWORD_IN_SYSVOL',
+    severity: 'critical',
+    category: 'gpo',
+    title: 'Potential Passwords in GPO SYSVOL',
+    description:
+      'GPOs that may contain cleartext passwords in SYSVOL (cPassword vulnerability MS14-025). ' +
+      'Group Policy Preferences stored passwords that can be easily decrypted.',
+    count: affected.length,
+    affectedEntities: includeDetails
+      ? affected.map((g) => g.displayName || g.cn || g.dn)
+      : undefined,
+    details: {
+      note: affected.length > 0
+        ? `Found ${affected.length} GPO(s) with names suggesting password storage. Manual SYSVOL scan required.`
+        : 'No GPOs with suspicious names found. Manual SYSVOL scan still recommended.',
+      recommendation:
+        'Scan SYSVOL for Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml containing cpassword. ' +
+        'Use tools like Get-GPPPassword or gpp-decrypt.',
+      reference: 'MS14-025',
+      gposScanned: gpos.length,
+    },
+  };
+}
+/**
+ * Detect orphaned GPOs
+ *
+ * GPOs that exist in AD but have missing SYSVOL content, or vice versa.
+ *
+ * @param gpos - Array of GPOs
+ * @param _links - Array of GPO links (not used)
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for GPO_ORPHANED
+ */
+export function detectGpoOrphaned(
+  gpos: ADGPO[],
+  _links: GPOLink[],
+  includeDetails: boolean
+): Finding {
+  // Check for GPOs with potential orphan indicators
+  // A proper check would compare AD GPOs vs SYSVOL folders
+  const affected = gpos.filter((gpo) => {
+    // Missing SYSVOL path indicates potential orphan
+    const hasSysvolPath = gpo.gPCFileSysPath && gpo.gPCFileSysPath.length > 0;
+    // Missing version might indicate corruption
+    const hasVersion = gpo.versionNumber !== undefined && gpo.versionNumber > 0;
+    // Check for obviously broken GPOs
+    const hasName = gpo.displayName || gpo.cn;
+    return !hasSysvolPath || !hasVersion || !hasName;
+  });
+  return {
+    type: 'GPO_ORPHANED',
+    severity: 'medium',
+    category: 'gpo',
+    title: 'Potentially Orphaned GPOs',
+    description:
+      'GPOs that may be orphaned (missing SYSVOL content or AD object). ' +
+      'Orphaned GPOs can cause processing errors and may indicate tampering.',
+    count: affected.length,
+    affectedEntities: includeDetails
+      ? affected.map((g) => g.displayName || g.cn || g.dn)
+      : undefined,
+    details: {
+      recommendation:
+        'Compare AD GPOs with SYSVOL folders. Use gpotool.exe or Get-GPO to identify orphans. ' +
+        'Delete orphaned GPOs after verification.',
+    },
+  };
+}
+/**
+ * Aggregate function: Detect all GPO vulnerabilities
+ */
+export function detectGpoVulnerabilities(
+  gpos: ADGPO[],
+  links: GPOLink[],
+  domainPasswordPolicy: { minPasswordLength?: number } | null,
+  includeDetails: boolean,
+  gpoAcls: GPOAclEntry[] = []
+): Finding[] {
+  return [
+    detectGpoDangerousPermissions(gpos, links, includeDetails),
+    detectGpoLapsNotDeployed(gpos, links, includeDetails),
+    detectGpoWeakPasswordPolicy(gpos, links, domainPasswordPolicy, includeDetails),
+    detectGpoUnlinked(gpos, links, includeDetails),
+    detectGpoDisabledButLinked(gpos, links, includeDetails),
+    detectGpoNoSecurityFiltering(gpos, links, gpoAcls, includeDetails),
+    detectGpoAuthenticatedUsersApply(gpos, links, gpoAcls, includeDetails),
+    // Phase 4: Advanced GPO detections
+    detectGpoPasswordInSysvol(gpos, links, includeDetails),
+    detectGpoOrphaned(gpos, links, includeDetails),
+  ].filter((finding) => finding.count > 0 || finding.details?.['note']);
+}