@hatem427/code-guard-ci 1.0.0

package/scripts/utils/bypass-manager.ts

@@ -0,0 +1,566 @@
+/**
+ * ============================================================================
+ * bypass-manager.ts — Bypass audit logging with authentication
+ * ============================================================================
+ *
+ * Tracks all bypass attempts with:
+ *   - Author name (from git config)
+ *   - Timestamp
+ *   - Reason
+ *   - Password verification
+ *   - Commit hash
+ *
+ * Bypass log saved to: .code-guardian/bypass-log.json
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+import * as crypto from 'crypto';
+
+// ── Types ───────────────────────────────────────────────────────────────────
+
+export interface BypassEntry {
+  /** Unique ID for this bypass */
+  id: string;
+  /** Git author name */
+  author: string;
+  /** Git author email */
+  email: string;
+  /** When the bypass occurred */
+  timestamp: string;
+  /** Reason for bypass */
+  reason: string;
+  /** Commit message */
+  commitMessage: string;
+  /** Commit hash (after commit) */
+  commitHash?: string;
+  /** Branch name */
+  branch: string;
+  /** Files that were bypassed */
+  files: string[];
+  /** How bypass was triggered (message flag or env var) */
+  method: 'commit-message' | 'env-variable' | 'password';
+}
+
+export interface BypassLog {
+  /** All bypass entries */
+  entries: BypassEntry[];
+  /** Last updated timestamp */
+  lastUpdated: string;
+  /** Integrity checksum to detect tampering */
+  checksum?: string;
+  /** Flag indicating if log is immutable (cannot be deleted) */
+  immutable: boolean;
+}
+
+// ── Configuration ───────────────────────────────────────────────────────────
+
+const BYPASS_DIR = '.code-guardian';
+const BYPASS_LOG_FILE = 'bypass-log.json';
+const PASSWORD_FILE = 'bypass-password.hash';
+const ADMIN_FILE = 'admin-credentials.hash';
+const LOG_ARCHIVE_DIR = 'bypass-archive';
+
+// Default password hash (password: "bypass123" - CHANGE THIS!)
+const DEFAULT_PASSWORD_HASH = '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'; // SHA-256 of "bypass123"
+// Default admin password hash (password: "admin123" - CHANGE THIS IMMEDIATELY!)
+const DEFAULT_ADMIN_PASSWORD_HASH = '240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9'; // SHA-256 of "admin123"
+
+// ── Password Management ─────────────────────────────────────────────────────
+
+/**
+ * Hash a password using SHA-256
+ */
+function hashPassword(password: string): string {
+  return crypto.createHash('sha256').update(password).digest('hex');
+}
+
+/**
+ * Get the stored password hash, or create default if not exists
+ */
+function getPasswordHash(): string {
+  const passwordPath = path.join(process.cwd(), BYPASS_DIR, PASSWORD_FILE);
+
+  if (!fs.existsSync(passwordPath)) {
+    // Create default password file
+    const dir = path.join(process.cwd(), BYPASS_DIR);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+
+    fs.writeFileSync(passwordPath, DEFAULT_PASSWORD_HASH, 'utf-8');
+    console.warn('⚠️  Default bypass password created. Change it by running:');
+    console.warn('   npm run set-bypass-password');
+    return DEFAULT_PASSWORD_HASH;
+  }
+
+  return fs.readFileSync(passwordPath, 'utf-8').trim();
+}
+
+/**
+ * Verify a password against the stored hash
+ */
+export function verifyBypassPassword(password: string): boolean {
+  const storedHash = getPasswordHash();
+  const inputHash = hashPassword(password);
+  return inputHash === storedHash;
+}
+
+/**
+ * Set a new bypass password
+ */
+export function setBypassPassword(newPassword: string): void {
+  const dir = path.join(process.cwd(), BYPASS_DIR);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  const passwordPath = path.join(dir, PASSWORD_FILE);
+  const hash = hashPassword(newPassword);
+  fs.writeFileSync(passwordPath, hash, 'utf-8');
+
+  console.log('✅ Bypass password updated successfully.');
+  console.log('⚠️  Keep this password secure and share only with authorized team members.');
+}
+
+// ── Admin Management ────────────────────────────────────────────────────────
+
+/**
+ * Get the stored admin password hash, or create default if not exists
+ */
+function getAdminPasswordHash(): string {
+  const adminPath = path.join(process.cwd(), BYPASS_DIR, ADMIN_FILE);
+
+  if (!fs.existsSync(adminPath)) {
+    // Create default admin password file
+    const dir = path.join(process.cwd(), BYPASS_DIR);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+
+    fs.writeFileSync(adminPath, DEFAULT_ADMIN_PASSWORD_HASH, 'utf-8');
+    console.warn('⚠️  Default admin password created. CHANGE IT IMMEDIATELY by running:');
+    console.warn('   npm run set-admin-password');
+    return DEFAULT_ADMIN_PASSWORD_HASH;
+  }
+
+  return fs.readFileSync(adminPath, 'utf-8').trim();
+}
+
+/**
+ * Verify admin password
+ */
+export function verifyAdminPassword(password: string): boolean {
+  const storedHash = getAdminPasswordHash();
+  const inputHash = hashPassword(password);
+  return inputHash === storedHash;
+}
+
+/**
+ * Set a new admin password
+ */
+export function setAdminPassword(newPassword: string): void {
+  const dir = path.join(process.cwd(), BYPASS_DIR);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  const adminPath = path.join(dir, ADMIN_FILE);
+  const hash = hashPassword(newPassword);
+  fs.writeFileSync(adminPath, hash, 'utf-8');
+
+  console.log('✅ Admin password updated successfully.');
+  console.log('🔐 Admin privileges: View and delete bypass logs');
+  console.log('⚠️  Keep this password highly secure!');
+}
+
+// ── Log Integrity ───────────────────────────────────────────────────────────
+
+/**
+ * Calculate checksum for bypass log to detect tampering
+ */
+function calculateLogChecksum(log: BypassLog): string {
+  // Create a stable string representation (excluding checksum itself)
+  const data = JSON.stringify({
+    entries: log.entries,
+    lastUpdated: log.lastUpdated,
+  });
+  return crypto.createHash('sha256').update(data).digest('hex');
+}
+
+/**
+ * Verify log integrity
+ */
+function verifyLogIntegrity(log: BypassLog): boolean {
+  if (!log.checksum) {
+    // Legacy log without checksum - consider valid but warn
+    return true;
+  }
+  const expectedChecksum = calculateLogChecksum(log);
+  return expectedChecksum === log.checksum;
+}
+
+// ── Git Helpers ─────────────────────────────────────────────────────────────
+
+function getGitAuthor(): { name: string; email: string } {
+  try {
+    const name = execSync('git config user.name', { encoding: 'utf-8' }).trim();
+    const email = execSync('git config user.email', { encoding: 'utf-8' }).trim();
+    return { name, email };
+  } catch {
+    return { name: 'Unknown', email: 'unknown@example.com' };
+  }
+}
+
+function getCurrentBranch(): string {
+  try {
+    return execSync('git rev-parse --abbrev-ref HEAD', { encoding: 'utf-8' }).trim();
+  } catch {
+    return 'unknown';
+  }
+}
+
+function getStagedFiles(): string[] {
+  try {
+    const output = execSync('git diff --cached --name-only', { encoding: 'utf-8' }).trim();
+    return output ? output.split('\n') : [];
+  } catch {
+    return [];
+  }
+}
+
+// ── Bypass Log Management ───────────────────────────────────────────────────
+
+/**
+ * Load the bypass log from disk
+ */
+function loadBypassLog(): BypassLog {
+  const logPath = path.join(process.cwd(), BYPASS_DIR, BYPASS_LOG_FILE);
+
+  if (!fs.existsSync(logPath)) {
+    return {
+      entries: [],
+      lastUpdated: new Date().toISOString(),
+      immutable: true,
+    };
+  }
+
+  try {
+    const content = fs.readFileSync(logPath, 'utf-8');
+    const log = JSON.parse(content);
+    
+    // Ensure immutable flag exists (for backward compatibility)
+    if (log.immutable === undefined) {
+      log.immutable = true;
+    }
+    
+    // Verify integrity
+    if (!verifyLogIntegrity(log)) {
+      console.warn('⚠️  WARNING: Bypass log integrity check failed!');
+      console.warn('   The log may have been tampered with.');
+      console.warn('   Location: ' + logPath);
+      // Archive the potentially tampered log
+      archiveTamperedLog(log);
+    }
+    
+    return log;
+  } catch (err) {
+    console.error('❌ Error loading bypass log:', err);
+    return {
+      entries: [],
+      lastUpdated: new Date().toISOString(),
+      immutable: true,
+    };
+  }
+}
+
+/**
+ * Save the bypass log to disk
+ */
+function saveBypassLog(log: BypassLog): void {
+  const dir = path.join(process.cwd(), BYPASS_DIR);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  const logPath = path.join(dir, BYPASS_LOG_FILE);
+  log.lastUpdated = new Date().toISOString();
+  log.immutable = true; // Always mark as immutable
+
+  // Calculate and store checksum for integrity verification
+  log.checksum = calculateLogChecksum(log);
+
+  try {
+    // Temporarily make file writable if it exists and is read-only.
+    // This allows the log to remain effectively "read-only" to users while
+    // still letting Code Guardian append new entries.
+    if (fs.existsSync(logPath)) {
+      try {
+        fs.chmodSync(logPath, 0o644); // rw-r--r--
+      } catch {
+        // If chmod fails (e.g., filesystem does not support it), continue and
+        // rely on the write below to surface any real permission problems.
+      }
+    }
+
+    // Write the log file
+    fs.writeFileSync(logPath, JSON.stringify(log, null, 2), 'utf-8');
+
+    // After a successful write, set file permissions back to read-only
+    // (444 = r--r--r--) to discourage manual edits.
+    try {
+      fs.chmodSync(logPath, 0o444);
+    } catch {
+      // Non-fatal: if we cannot change permissions, keep going.
+    }
+  } catch (err: any) {
+    // If we cannot write the log (for example, the file was made truly
+    // immutable with OS-level flags), do NOT block the bypass or commit.
+    // Instead, warn and continue so the hook stays usable.
+    console.warn('⚠️  Code Guardian: Failed to update bypass log file.');
+    console.warn(
+      '    Reason: ' + (err && err.message ? err.message : String(err))
+    );
+    console.warn(
+      '    Tip: Ensure `.code-guardian/bypass-log.json` is writable by git user, '
+      + 'or remove OS-level immutability flags if you want new bypasses to be recorded.'
+    );
+  }
+}
+
+/**
+ * Archive a potentially tampered log file
+ */
+function archiveTamperedLog(log: BypassLog): void {
+  try {
+    const archiveDir = path.join(process.cwd(), BYPASS_DIR, LOG_ARCHIVE_DIR);
+    if (!fs.existsSync(archiveDir)) {
+      fs.mkdirSync(archiveDir, { recursive: true });
+    }
+    
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const archivePath = path.join(archiveDir, `tampered-log-${timestamp}.json`);
+    
+    fs.writeFileSync(archivePath, JSON.stringify(log, null, 2), 'utf-8');
+    console.log(`   Archived to: ${archivePath}`);
+  } catch (err) {
+    console.error('   Failed to archive tampered log:', err);
+  }
+}
+
+/**
+ * Record a bypass attempt in the audit log
+ */
+export function recordBypass(
+  reason: string,
+  commitMessage: string,
+  method: 'commit-message' | 'env-variable' | 'password'
+): void {
+  const author = getGitAuthor();
+  const branch = getCurrentBranch();
+  const files = getStagedFiles();
+
+  const entry: BypassEntry = {
+    id: crypto.randomUUID(),
+    author: author.name,
+    email: author.email,
+    timestamp: new Date().toISOString(),
+    reason,
+    commitMessage,
+    branch,
+    files,
+    method,
+  };
+
+  const log = loadBypassLog();
+  log.entries.push(entry);
+  saveBypassLog(log);
+
+  console.log('');
+  console.log('📝 Bypass recorded in audit log:');
+  console.log(`   Author: ${author.name} <${author.email}>`);
+  console.log(`   Reason: ${reason}`);
+  console.log(`   Method: ${method}`);
+  console.log(`   Files: ${files.length} file(s)`);
+  console.log('');
+}
+
+/**
+ * Update a bypass entry with the commit hash after commit succeeds
+ */
+export function updateBypassWithCommitHash(entryId: string, commitHash: string): void {
+  const log = loadBypassLog();
+  const entry = log.entries.find((e) => e.id === entryId);
+
+  if (entry) {
+    entry.commitHash = commitHash;
+    saveBypassLog(log);
+  }
+}
+
+/**
+ * Get all bypass entries for a specific author
+ */
+export function getBypassesByAuthor(authorEmail: string): BypassEntry[] {
+  const log = loadBypassLog();
+  return log.entries.filter((e) => e.email === authorEmail);
+}
+
+/**
+ * Get recent bypass entries (last N days)
+ */
+export function getRecentBypasses(days: number = 30): BypassEntry[] {
+  const log = loadBypassLog();
+  const cutoff = new Date();
+  cutoff.setDate(cutoff.getDate() - days);
+
+  return log.entries.filter((e) => new Date(e.timestamp) >= cutoff);
+}
+
+/**
+ * Delete bypass entries (ADMIN ONLY)
+ * @param entryIds - Array of entry IDs to delete
+ * @param adminPassword - Admin password for verification
+ * @returns Success status and message
+ */
+export function deleteBypassEntries(
+  entryIds: string[],
+  adminPassword: string
+): { success: boolean; message: string; deletedCount: number } {
+  // Verify admin password
+  if (!verifyAdminPassword(adminPassword)) {
+    return {
+      success: false,
+      message: '❌ Invalid admin password. Access denied.',
+      deletedCount: 0,
+    };
+  }
+
+  const logPath = path.join(process.cwd(), BYPASS_DIR, BYPASS_LOG_FILE);
+  
+  // Remove read-only protection temporarily
+  try {
+    fs.chmodSync(logPath, 0o644);
+  } catch (err) {
+    // Ignore if chmod fails
+  }
+
+  const log = loadBypassLog();
+  const initialCount = log.entries.length;
+  
+  // Archive deleted entries before removal
+  const deletedEntries = log.entries.filter((e) => entryIds.includes(e.id));
+  if (deletedEntries.length > 0) {
+    archiveDeletedEntries(deletedEntries, adminPassword);
+  }
+  
+  // Remove entries
+  log.entries = log.entries.filter((e) => !entryIds.includes(e.id));
+  const deletedCount = initialCount - log.entries.length;
+  
+  if (deletedCount === 0) {
+    return {
+      success: false,
+      message: '⚠️  No matching entries found to delete.',
+      deletedCount: 0,
+    };
+  }
+  
+  // Save updated log
+  saveBypassLog(log);
+  
+  return {
+    success: true,
+    message: `✅ Deleted ${deletedCount} bypass entry(ies) successfully.`,
+    deletedCount,
+  };
+}
+
+/**
+ * Archive deleted entries for audit trail
+ */
+function archiveDeletedEntries(entries: BypassEntry[], adminPassword: string): void {
+  try {
+    const archiveDir = path.join(process.cwd(), BYPASS_DIR, LOG_ARCHIVE_DIR);
+    if (!fs.existsSync(archiveDir)) {
+      fs.mkdirSync(archiveDir, { recursive: true });
+    }
+    
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const archivePath = path.join(archiveDir, `deleted-entries-${timestamp}.json`);
+    
+    const archiveData = {
+      deletedAt: new Date().toISOString(),
+      deletedBy: 'admin',
+      adminPasswordHash: hashPassword(adminPassword), // For audit purposes
+      entries,
+    };
+    
+    fs.writeFileSync(archivePath, JSON.stringify(archiveData, null, 2), 'utf-8');
+    console.log(`📦 Deleted entries archived to: ${archivePath}`);
+  } catch (err) {
+    console.error('⚠️  Warning: Failed to archive deleted entries:', err);
+  }
+}
+
+/**
+ * Get all archived logs (deleted and tampered)
+ */
+export function getArchivedLogs(): { deleted: string[]; tampered: string[] } {
+  const archiveDir = path.join(process.cwd(), BYPASS_DIR, LOG_ARCHIVE_DIR);
+  
+  if (!fs.existsSync(archiveDir)) {
+    return { deleted: [], tampered: [] };
+  }
+  
+  const files = fs.readdirSync(archiveDir);
+  
+  return {
+    deleted: files.filter((f) => f.startsWith('deleted-entries-')),
+    tampered: files.filter((f) => f.startsWith('tampered-log-')),
+  };
+}
+
+/**
+ * Generate a bypass audit report
+ */
+export function generateBypassReport(): string {
+  const log = loadBypassLog();
+
+  if (log.entries.length === 0) {
+    return '📊 Bypass Audit Report\n\nNo bypass entries found.';
+  }
+
+  let report = '📊 Bypass Audit Report\n';
+  report += '═'.repeat(60) + '\n\n';
+  report += `Total bypasses: ${log.entries.length}\n`;
+  report += `Last updated: ${log.lastUpdated}\n\n`;
+
+  // Group by author
+  const byAuthor = new Map<string, BypassEntry[]>();
+  for (const entry of log.entries) {
+    const key = `${entry.author} <${entry.email}>`;
+    const existing = byAuthor.get(key) || [];
+    existing.push(entry);
+    byAuthor.set(key, existing);
+  }
+
+  report += '📈 Bypasses by Author:\n';
+  report += '─'.repeat(60) + '\n';
+  for (const [author, entries] of byAuthor) {
+    report += `\n${author}: ${entries.length} bypass(es)\n`;
+
+    for (const entry of entries.slice(-5)) {
+      // Show last 5
+      const date = new Date(entry.timestamp).toLocaleString();
+      report += `  • ${date} - ${entry.reason}\n`;
+      report += `    Branch: ${entry.branch}, Files: ${entry.files.length}\n`;
+    }
+  }
+
+  report += '\n' + '═'.repeat(60) + '\n';
+  report += `\nFull log: ${path.join(BYPASS_DIR, BYPASS_LOG_FILE)}\n`;
+
+  return report;
+}