@hongmaple0820/med-scale-research-os 0.43.0

package/dist/guardrails/OWASPDetector.d.ts

@@ -0,0 +1,58 @@
+import type { IDetector, DetectorContext } from './Gateway.js';
+import type { ToolUseInput, ToolResultInput, StopInput, DetectorResult } from '../artifact/types.js';
+interface OWASPCheck {
+    id: string;
+    name: string;
+    patterns: RegExp[];
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
+    category: string;
+    description: string;
+    remediation: string;
+}
+/**
+ * OWASP Top 10 (2021) Security Detector
+ *
+ * 检测代码中常见的安全漏洞模式：
+ * A01: Broken Access Control - Auth bypass, missing auth checks
+ * A02: Cryptographic Failures - Weak crypto, hardcoded secrets
+ * A03: Injection - SQL, NoSQL, Command injection
+ * A04: Insecure Design - Missing security patterns
+ * A05: Security Misconfiguration - CORS, CSP issues
+ * A06: Vulnerable Components - Known vulnerable patterns
+ * A07: Auth Failures - Weak auth, session issues
+ * A08: Software/Data Integrity - Unsafe deserialization
+ * A09: Logging/Monitoring Failures - Missing logs
+ * A10: SSRF - Server-side request forgery
+ */
+export declare class OWASPDetector implements IDetector {
+    name: string;
+    private checks;
+    check(input: ToolUseInput | ToolResultInput | StopInput, ctx: DetectorContext): Promise<DetectorResult>;
+    private formatFindings;
+    /**
+     * Manual scan for code review
+     */
+    scanCode(code: string): OWASPCheck[];
+    /**
+     * Get all check definitions
+     */
+    getChecks(): OWASPCheck[];
+}
+/**
+ * Security scan result for reporting
+ */
+export interface SecurityScanResult {
+    file: string;
+    findings: OWASPCheck[];
+    riskLevel: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
+    summary: string;
+}
+/**
+ * Batch security scanner for multiple files
+ */
+export declare class SecurityScanner {
+    private detector;
+    scanFile(content: string, filePath: string): SecurityScanResult;
+    private calculateRiskLevel;
+}
+export {};

package/dist/guardrails/OWASPDetector.js

@@ -0,0 +1,508 @@
+// SCALE Engine — OWASP Top 10 Detector
+// 安全漏洞检测器，覆盖 OWASP Top 10 主要类别
+// 设计参考：docs/03-CORE-MODULES.md §3.5 + OWASP 2021
+/**
+ * OWASP Top 10 (2021) Security Detector
+ *
+ * 检测代码中常见的安全漏洞模式：
+ * A01: Broken Access Control - Auth bypass, missing auth checks
+ * A02: Cryptographic Failures - Weak crypto, hardcoded secrets
+ * A03: Injection - SQL, NoSQL, Command injection
+ * A04: Insecure Design - Missing security patterns
+ * A05: Security Misconfiguration - CORS, CSP issues
+ * A06: Vulnerable Components - Known vulnerable patterns
+ * A07: Auth Failures - Weak auth, session issues
+ * A08: Software/Data Integrity - Unsafe deserialization
+ * A09: Logging/Monitoring Failures - Missing logs
+ * A10: SSRF - Server-side request forgery
+ */
+export class OWASPDetector {
+    constructor() {
+        this.name = 'owasp-security';
+        this.checks = [
+            // A01: Broken Access Control
+            {
+                id: 'auth-bypass',
+                name: 'Authentication Bypass',
+                patterns: [
+                    /skipAuth\s*[=:]\s*true/i,
+                    /bypassAuth\s*[=:]\s*true/i,
+                    /auth\s*[=:]\s*false/i,
+                    /\.skipAuth\(\)/i,
+                    /public\s+route/i,
+                    / unprotected\s+endpoint/i,
+                ],
+                severity: 'CRITICAL',
+                category: 'A01-BrokenAccessControl',
+                description: 'Authentication bypass detected - allows unauthorized access',
+                remediation: 'Remove auth bypass logic. Ensure all sensitive endpoints require authentication.',
+            },
+            {
+                id: 'missing-auth-check',
+                name: 'Missing Authorization Check',
+                patterns: [
+                    /isAdmin\s*\(\)\s*\{\s*return\s+true/i,
+                    /checkPermission\s*\(\)\s*\{\s*return\s+true/i,
+                    /hasAccess\s*\(\)\s*;\s*\/\/.*TODO/i,
+                ],
+                severity: 'HIGH',
+                category: 'A01-BrokenAccessControl',
+                description: 'Missing or placeholder authorization check',
+                remediation: 'Implement proper authorization checks before sensitive operations.',
+            },
+            // A02: Cryptographic Failures
+            {
+                id: 'weak-crypto-md5',
+                name: 'Weak Cryptography (MD5)',
+                patterns: [
+                    /md5\s*\(/i,
+                    /createHash\s*\(\s*['"]md5['"]\s*\)/i,
+                    /MD5\s*=\s*require/i,
+                ],
+                severity: 'HIGH',
+                category: 'A02-CryptographicFailures',
+                description: 'MD5 is cryptographically broken and unsuitable for security purposes',
+                remediation: 'Use SHA-256 or stronger algorithms for hashing. For passwords, use bcrypt/scrypt/argon2.',
+            },
+            {
+                id: 'weak-crypto-sha1',
+                name: 'Weak Cryptography (SHA1)',
+                patterns: [
+                    /sha1\s*\(/i,
+                    /createHash\s*\(\s*['"]sha1['"]\s*\)/i,
+                ],
+                severity: 'HIGH',
+                category: 'A02-CryptographicFailures',
+                description: 'SHA1 is deprecated and vulnerable to collision attacks',
+                remediation: 'Use SHA-256 or SHA-3 for cryptographic operations.',
+            },
+            {
+                id: 'hardcoded-secret',
+                name: 'Hardcoded Secret/Credential',
+                patterns: [
+                    /password\s*[=:]\s*['"][^'"]{8,}['"]/i,
+                    /secret\s*[=:]\s*['"][^'"]{8,}['"]/i,
+                    /api_key\s*[=:]\s*['"][a-zA-Z0-9]{20,}['"]/i,
+                    /apiKey\s*[=:]\s*['"][a-zA-Z0-9]{20,}['"]/i,
+                    /token\s*[=:]\s*['"][a-zA-Z0-9]{20,}['"]/i,
+                    /private_key\s*[=:]\s*['"]/i,
+                    /aws_access_key\s*[=:]\s*['"]/i,
+                    /AKIA[A-Z0-9]{16}/, // AWS Access Key ID pattern
+                ],
+                severity: 'CRITICAL',
+                category: 'A02-CryptographicFailures',
+                description: 'Hardcoded secrets can be leaked through source code exposure',
+                remediation: 'Use environment variables or secure secret management (Vault, AWS Secrets Manager).',
+            },
+            {
+                id: 'weak-random',
+                name: 'Weak Random Number Generator',
+                patterns: [
+                    /Math\.random\s*\(\)\s*[=:]*\s*token/i,
+                    /Math\.random\s*\(\)\s*[=:]*\s*key/i,
+                    /Math\.random\s*\(\)\s*[=:]*\s*secret/i,
+                    /new\s+Random\s*\(\)\s*[=:]*\s*token/i,
+                ],
+                severity: 'HIGH',
+                category: 'A02-CryptographicFailures',
+                description: 'Math.random() is not cryptographically secure',
+                remediation: 'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive randomness.',
+            },
+            // A03: Injection
+            {
+                id: 'sql-injection',
+                name: 'SQL Injection',
+                patterns: [
+                    /executeQuery\s*\(\s*[`'"]\s*SELECT.*\+/i,
+                    /query\s*\(\s*[`'"]\s*.*\$\{/i,
+                    /\.query\s*\(\s*[`'"]\s*INSERT.*\+/i,
+                    /\.exec\s*\(\s*[`'"]\s*DELETE.*\+/i,
+                    /sql\s*[=:]\s*[`'"]\s*.*\+.*req\./i,
+                    /\$\{.*req\..*\}.*FROM/i,
+                    /WHERE.*=.*req\.body/i,
+                    /WHERE.*=.*req\.query/i,
+                    /WHERE.*=.*req\.params/i,
+                    /["'`]\s*SELECT\s+.*\s*WHERE.*\+/i, // String concatenation in WHERE
+                    /["'`]\s*.*SELECT.*\+\s*\w+/i, // SELECT with + variable
+                ],
+                severity: 'CRITICAL',
+                category: 'A03-Injection',
+                description: 'SQL injection vulnerability - user input directly in SQL query',
+                remediation: 'Use parameterized queries or prepared statements. Never concatenate user input into SQL.',
+            },
+            {
+                id: 'nosql-injection',
+                name: 'NoSQL Injection',
+                patterns: [
+                    /\.find\s*\(\s*req\.body/i,
+                    /\.find\s*\(\s*req\.query/i,
+                    /\.where\s*\(\s*req\.body/i,
+                    /\$where\s*:\s*req\./i,
+                ],
+                severity: 'CRITICAL',
+                category: 'A03-Injection',
+                description: 'NoSQL injection vulnerability - user input in query object',
+                remediation: 'Sanitize and validate user input before using in NoSQL queries.',
+            },
+            {
+                id: 'command-injection',
+                name: 'Command Injection',
+                patterns: [
+                    /exec\s*\(\s*[`'"]\s*.*\+/i,
+                    /spawn\s*\(\s*[`'"]\s*.*\+/i,
+                    /eval\s*\(\s*req\./i,
+                    /system\s*\(\s*[`'"]\s*.*\+/i,
+                    /\$\{.*req\..*\}/, // Shell command with template literal
+                ],
+                severity: 'CRITICAL',
+                category: 'A03-Injection',
+                description: 'Command injection vulnerability - user input in system command',
+                remediation: 'Avoid shell commands with user input. Use safe APIs with proper escaping.',
+            },
+            {
+                id: 'ldap-injection',
+                name: 'LDAP Injection',
+                patterns: [
+                    /ldap\.search\s*\(\s*[`'"]\s*.*\+/i,
+                    /\$\{.*req\..*\}.*LDAP/i,
+                ],
+                severity: 'CRITICAL',
+                category: 'A03-Injection',
+                description: 'LDAP injection vulnerability',
+                remediation: 'Use parameterized LDAP queries or proper escaping.',
+            },
+            // A04: Insecure Design (missing security patterns)
+            {
+                id: 'missing-rate-limit',
+                name: 'Missing Rate Limiting',
+                patterns: [
+                    /\.post\s*\(\s*['"]\/login['"]/i,
+                    /\.post\s*\(\s*['"]\/auth['"]/i,
+                    /\.post\s*\(\s*['"]\/api\/['"]/i,
+                ],
+                severity: 'MEDIUM',
+                category: 'A04-InsecureDesign',
+                description: 'API endpoint without rate limiting',
+                remediation: 'Add rate limiting to prevent brute force and abuse.',
+            },
+            {
+                id: 'missing-input-validation',
+                name: 'Missing Input Validation',
+                patterns: [
+                    /req\.body\.\w+\s*[=:]\s*[^;]/i,
+                    /const\s+\w+\s*[=:]\s*req\.body\.\w+/i,
+                    /\.save\s*\(\s*req\.body\s*\)/i,
+                ],
+                severity: 'HIGH',
+                category: 'A04-InsecureDesign',
+                description: 'Direct use of request body without validation',
+                remediation: 'Validate and sanitize all user input before processing.',
+            },
+            // A05: Security Misconfiguration
+            {
+                id: 'cors-misconfig',
+                name: 'CORS Misconfiguration',
+                patterns: [
+                    /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/i,
+                    /Access-Control-Allow-Origin\s*:\s*['"]\*['"]/i,
+                    /origin\s*:\s*true/i,
+                ],
+                severity: 'HIGH',
+                category: 'A05-SecurityMisconfiguration',
+                description: 'Overly permissive CORS configuration',
+                remediation: 'Restrict CORS to specific domains. Never use wildcard (*) for sensitive APIs.',
+            },
+            {
+                id: 'cors-credentials',
+                name: 'CORS with Credentials Wildcard',
+                patterns: [
+                    /credentials\s*:\s*true/i,
+                    /origin\s*:\s*['"]\*['"]/i,
+                ],
+                severity: 'CRITICAL',
+                category: 'A05-SecurityMisconfiguration',
+                description: 'CORS credentials with wildcard origin - security violation',
+                remediation: 'Cannot use credentials: true with origin: *. Specify allowed origins explicitly.',
+            },
+            {
+                id: 'csp-missing',
+                name: 'Missing Content Security Policy',
+                patterns: [
+                    /Content-Security-Policy\s*:\s*['"]/i,
+                ],
+                severity: 'MEDIUM',
+                category: 'A05-SecurityMisconfiguration',
+                description: 'Missing or weak CSP header',
+                remediation: 'Implement strong Content-Security-Policy header.',
+            },
+            {
+                id: 'debug-enabled',
+                name: 'Debug Mode Enabled',
+                patterns: [
+                    /debug\s*[=:]\s*true/i,
+                    /DEBUG\s*[=:]\s*true/i,
+                    /NODE_ENV\s*[=:]\s*['"]development['"]/i,
+                    /\.env\s*\(\s*['"]development['"]/i,
+                ],
+                severity: 'MEDIUM',
+                category: 'A05-SecurityMisconfiguration',
+                description: 'Debug mode enabled in production-like code',
+                remediation: 'Ensure debug mode is disabled in production.',
+            },
+            // A07: Auth Failures
+            {
+                id: 'weak-password',
+                name: 'Weak Password Policy',
+                patterns: [
+                    /password\.length\s*[<=>]\s*[1-5]/i,
+                    /minLength\s*:\s*[1-5]/i,
+                    /\.validate\s*\(\s*\{\s*minLength\s*:\s*[1-5]/i,
+                ],
+                severity: 'HIGH',
+                category: 'A07-IdentificationAuthFailures',
+                description: 'Weak password length requirement',
+                remediation: 'Require minimum 8 characters for passwords. Use password strength validators.',
+            },
+            {
+                id: 'session-fixation',
+                name: 'Session Fixation Risk',
+                patterns: [
+                    /session\s*\(\s*\{\s*secret\s*:\s*['"][^'"]{8,}['"]/i,
+                    /\.session\s*\(\s*req\.body/i,
+                ],
+                severity: 'HIGH',
+                category: 'A07-IdentificationAuthFailures',
+                description: 'Potential session fixation vulnerability',
+                remediation: 'Regenerate session ID after authentication. Use strong session secrets.',
+            },
+            // A08: Software/Data Integrity
+            {
+                id: 'unsafe-deserialize',
+                name: 'Unsafe Deserialization',
+                patterns: [
+                    /JSON\.parse\s*\(\s*req\.body/i,
+                    /eval\s*\(\s*req\.body/i,
+                    /Function\s*\(\s*req\.body/i,
+                    /\.deserialize\s*\(\s*req\.body/i,
+                ],
+                severity: 'CRITICAL',
+                category: 'A08-SoftwareDataIntegrity',
+                description: 'Unsafe deserialization of user input',
+                remediation: 'Validate and sanitize input before parsing. Avoid eval/Function with user data.',
+            },
+            // A09: Logging/Monitoring Failures
+            {
+                id: 'missing-error-log',
+                name: 'Missing Error Logging',
+                patterns: [
+                    /catch\s*\(\s*\w+\s*\)\s*\{\s*\}/i, // Empty catch block
+                    /catch\s*\(\s*\)\s*\{/i,
+                    /\.catch\s*\(\s*\(\s*\)\s*[=>]\s*\{\s*\}/i,
+                ],
+                severity: 'MEDIUM',
+                category: 'A09-LoggingMonitoringFailures',
+                description: 'Error silently swallowed without logging',
+                remediation: 'Log all errors for debugging and security monitoring.',
+            },
+            {
+                id: 'sensitive-log',
+                name: 'Sensitive Data in Log',
+                patterns: [
+                    /console\.log\s*\(\s*.*password/i,
+                    /console\.log\s*\(\s*.*token/i,
+                    /console\.log\s*\(\s*.*secret/i,
+                    /logger\.info\s*\(\s*.*password/i,
+                    /log\s*\(\s*.*apiKey/i,
+                ],
+                severity: 'HIGH',
+                category: 'A09-LoggingMonitoringFailures',
+                description: 'Sensitive data being logged',
+                remediation: 'Never log passwords, tokens, or secrets. Mask sensitive data in logs.',
+            },
+            // A10: SSRF
+            {
+                id: 'ssrf',
+                name: 'Server-Side Request Forgery',
+                patterns: [
+                    /fetch\s*\(\s*req\.body\.url/i,
+                    /fetch\s*\(\s*req\.query\.url/i,
+                    /axios\s*\(\s*req\.body\.url/i,
+                    /request\s*\(\s*req\.params\.url/i,
+                    /\.get\s*\(\s*req\.body/i,
+                ],
+                severity: 'CRITICAL',
+                category: 'A10-SSRF',
+                description: 'SSRF vulnerability - user-controlled URL in server request',
+                remediation: 'Validate and whitelist allowed URLs. Never accept arbitrary URLs from users.',
+            },
+            // Additional: XSS (cross-cutting)
+            {
+                id: 'xss-innerHTML',
+                name: 'XSS via innerHTML',
+                patterns: [
+                    /\.innerHTML\s*[=:]\s*[^'"][^`]/i,
+                    /\.innerHTML\s*[=:]\s*req\./i,
+                    /dangerouslySetInnerHTML\s*[=:]\s*\{\{?\s*__html\s*:\s*[^'"]/i, // React syntax: {{ }} or { }
+                    /document\.write\s*\(/i,
+                ],
+                severity: 'CRITICAL',
+                category: 'XSS',
+                description: 'Potential XSS vulnerability via innerHTML',
+                remediation: 'Use textContent or sanitize HTML before insertion.',
+            },
+            {
+                id: 'xss-template',
+                name: 'XSS via Template',
+                patterns: [
+                    /\$\{.*req\..*\}/,
+                    /v-html\s*[=:]\s*[^'"]/i,
+                ],
+                severity: 'HIGH',
+                category: 'XSS',
+                description: 'User input in HTML template without sanitization',
+                remediation: 'Sanitize user input before rendering in HTML.',
+            },
+            // Additional: Path Traversal
+            {
+                id: 'path-traversal',
+                name: 'Path Traversal',
+                patterns: [
+                    /readFileSync\s*\(\s*.*req\./i,
+                    /writeFile\s*\(\s*.*req\./i,
+                    /fs\.read\s*\(\s*.*req\.body/i,
+                    /\.sendFile\s*\(\s*req\.params/i,
+                    /path\.join\s*\(\s*.*req\./i,
+                    /\.open\s*\(\s*.*req\.body\.path/i,
+                ],
+                severity: 'CRITICAL',
+                category: 'PathTraversal',
+                description: 'Path traversal vulnerability - user input in file path',
+                remediation: 'Validate and sanitize file paths. Use path.resolve and check against allowed directories.',
+            },
+        ];
+    }
+    async check(input, ctx) {
+        // Only check ToolUseInput with Edit/Write tools (code being written)
+        if (!('tool' in input))
+            return { triggered: false };
+        if (!['Edit', 'Write', 'MultiEdit'].includes(input.tool))
+            return { triggered: false };
+        const args = input.args;
+        const codeContent = args.content ?? args.new_string ?? '';
+        if (!codeContent)
+            return { triggered: false };
+        const findings = [];
+        for (const check of this.checks) {
+            for (const pattern of check.patterns) {
+                if (pattern.test(codeContent)) {
+                    findings.push(check);
+                    break; // Only report each check once per scan
+                }
+            }
+        }
+        if (findings.length === 0)
+            return { triggered: false };
+        // Group findings by severity
+        const critical = findings.filter(f => f.severity === 'CRITICAL');
+        const high = findings.filter(f => f.severity === 'HIGH');
+        if (critical.length > 0) {
+            ctx.eventBus.emit('security.owasp_critical', {
+                file: args.file_path,
+                findings: critical.map(f => f.id)
+            }, { sessionId: input.sessionId });
+            return {
+                triggered: true,
+                severity: 'block',
+                reason: this.formatFindings(critical, 'CRITICAL'),
+                suggestion: 'Fix critical security vulnerabilities before committing.',
+            };
+        }
+        if (high.length > 0) {
+            ctx.eventBus.emit('security.owasp_high', {
+                file: args.file_path,
+                findings: high.map(f => f.id)
+            }, { sessionId: input.sessionId });
+            return {
+                triggered: true,
+                severity: 'warn',
+                reason: this.formatFindings(high, 'HIGH'),
+                suggestion: 'Review and fix high severity security issues.',
+            };
+        }
+        // Medium severity - info only
+        ctx.eventBus.emit('security.owasp_info', {
+            file: args.file_path,
+            findings: findings.map(f => f.id)
+        }, { sessionId: input.sessionId });
+        return {
+            triggered: true,
+            severity: 'warn',
+            reason: this.formatFindings(findings.filter(f => f.severity === 'MEDIUM'), 'MEDIUM'),
+        };
+    }
+    formatFindings(findings, severity) {
+        const lines = [
+            `\n🚨 OWASP Security Alert (${severity})`,
+            '',
+        ];
+        for (const f of findings) {
+            lines.push(`[${f.category}] ${f.name}`);
+            lines.push(`  Issue: ${f.description}`);
+            lines.push(`  Fix: ${f.remediation}`);
+            lines.push('');
+        }
+        return lines.join('\n');
+    }
+    /**
+     * Manual scan for code review
+     */
+    scanCode(code) {
+        const findings = [];
+        for (const check of this.checks) {
+            for (const pattern of check.patterns) {
+                if (pattern.test(code)) {
+                    findings.push(check);
+                    break;
+                }
+            }
+        }
+        return findings;
+    }
+    /**
+     * Get all check definitions
+     */
+    getChecks() {
+        return this.checks;
+    }
+}
+/**
+ * Batch security scanner for multiple files
+ */
+export class SecurityScanner {
+    constructor() {
+        this.detector = new OWASPDetector();
+    }
+    scanFile(content, filePath) {
+        const findings = this.detector.scanCode(content);
+        const riskLevel = this.calculateRiskLevel(findings);
+        const summary = findings.length === 0
+            ? 'No security issues detected'
+            : `Found ${findings.length} potential security issues (${riskLevel} risk)`;
+        return {
+            file: filePath,
+            findings,
+            riskLevel,
+            summary,
+        };
+    }
+    calculateRiskLevel(findings) {
+        if (findings.some(f => f.severity === 'CRITICAL'))
+            return 'CRITICAL';
+        if (findings.some(f => f.severity === 'HIGH'))
+            return 'HIGH';
+        if (findings.some(f => f.severity === 'MEDIUM'))
+            return 'MEDIUM';
+        return 'LOW';
+    }
+}
+//# sourceMappingURL=OWASPDetector.js.map

package/dist/guardrails/OWASPDetector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OWASPDetector.js","sourceRoot":"","sources":["../../src/guardrails/OWASPDetector.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,+BAA+B;AAC/B,iDAAiD;AAejD;;;;;;;;;;;;;;GAcG;AACH,MAAM,OAAO,aAAa;IAA1B;QACE,SAAI,GAAG,gBAAgB,CAAA;QAEf,WAAM,GAAiB;YAC7B,6BAA6B;YAC7B;gBACE,EAAE,EAAE,aAAa;gBACjB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,yBAAyB;oBACzB,2BAA2B;oBAC3B,sBAAsB;oBACtB,iBAAiB;oBACjB,iBAAiB;oBACjB,0BAA0B;iBAC3B;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,yBAAyB;gBACnC,WAAW,EAAE,6DAA6D;gBAC1E,WAAW,EAAE,kFAAkF;aAChG;YACD;gBACE,EAAE,EAAE,oBAAoB;gBACxB,IAAI,EAAE,6BAA6B;gBACnC,QAAQ,EAAE;oBACR,sCAAsC;oBACtC,8CAA8C;oBAC9C,oCAAoC;iBACrC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,yBAAyB;gBACnC,WAAW,EAAE,4CAA4C;gBACzD,WAAW,EAAE,oEAAoE;aAClF;YAED,8BAA8B;YAC9B;gBACE,EAAE,EAAE,iBAAiB;gBACrB,IAAI,EAAE,yBAAyB;gBAC/B,QAAQ,EAAE;oBACR,WAAW;oBACX,qCAAqC;oBACrC,oBAAoB;iBACrB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,sEAAsE;gBACnF,WAAW,EAAE,0FAA0F;aACxG;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,0BAA0B;gBAChC,QAAQ,EAAE;oBACR,YAAY;oBACZ,sCAAsC;iBACvC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,wDAAwD;gBACrE,WAAW,EAAE,oDAAoD;aAClE;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,6BAA6B;gBACnC,QAAQ,EAAE;oBACR,sCAAsC;oBACtC,oCAAoC;oBACpC,4CAA4C;oBAC5C,2CAA2C;oBAC3C,0CAA0C;oBAC1C,4BAA4B;oBAC5B,+BAA+B;oBAC/B,kBAAkB,EAAE,4BAA4B;iBACjD;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,8DAA8D;gBAC3E,WAAW,EAAE,qFAAqF;aACnG;YACD;gBACE,EAAE,EAAE,aAAa;gBACjB,IAAI,EAAE,8BAA8B;gBACpC,QAAQ,EAAE;oBACR,sCAAsC;oBACtC,oCAAoC;oBACpC,uCAAuC;oBACvC,sCAAsC;iBACvC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,+CAA+C;gBAC5D,WAAW,EAAE,yFAAyF;aACvG;YAED,iBAAiB;YACjB;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE;oBACR,yCAAyC;oBACzC,8BAA8B;oBAC9B,oCAAoC;oBACpC,mCAAmC;oBACnC,mCAAmC;oBACnC,wBAAwB;oBACxB,sBAAsB;oBACtB,uBAAuB;oBACvB,wBAAwB;oBACxB,kCAAkC,EAAE,gCAAgC;oBACpE,6BAA6B,EAAE,yBAAyB;iBACzD;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,gEAAgE;gBAC7E,WAAW,EAAE,0FAA0F;aACxG;YACD;gBACE,EAAE,EAAE,iBAAiB;gBACrB,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE;oBACR,0BAA0B;oBAC1B,2BAA2B;oBAC3B,2BAA2B;oBAC3B,sBAAsB;iBACvB;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,4DAA4D;gBACzE,WAAW,EAAE,iEAAiE;aAC/E;YACD;gBACE,EAAE,EAAE,mBAAmB;gBACvB,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE;oBACR,2BAA2B;oBAC3B,4BAA4B;oBAC5B,oBAAoB;oBACpB,6BAA6B;oBAC7B,iBAAiB,EAAE,sCAAsC;iBAC1D;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,gEAAgE;gBAC7E,WAAW,EAAE,2EAA2E;aACzF;YACD;gBACE,EAAE,EAAE,gBAAgB;gBACpB,IAAI,EAAE,gBAAgB;gBACtB,QAAQ,EAAE;oBACR,mCAAmC;oBACnC,wBAAwB;iBACzB;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,8BAA8B;gBAC3C,WAAW,EAAE,oDAAoD;aAClE;YAED,mDAAmD;YACnD;gBACE,EAAE,EAAE,oBAAoB;gBACxB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,gCAAgC;oBAChC,+BAA+B;oBAC/B,gCAAgC;iBACjC;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,oBAAoB;gBAC9B,WAAW,EAAE,oCAAoC;gBACjD,WAAW,EAAE,qDAAqD;aACnE;YACD;gBACE,EAAE,EAAE,0BAA0B;gBAC9B,IAAI,EAAE,0BAA0B;gBAChC,QAAQ,EAAE;oBACR,+BAA+B;oBAC/B,sCAAsC;oBACtC,+BAA+B;iBAChC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,oBAAoB;gBAC9B,WAAW,EAAE,+CAA+C;gBAC5D,WAAW,EAAE,yDAAyD;aACvE;YAED,iCAAiC;YACjC;gBACE,EAAE,EAAE,gBAAgB;gBACpB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,2CAA2C;oBAC3C,+CAA+C;oBAC/C,oBAAoB;iBACrB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,sCAAsC;gBACnD,WAAW,EAAE,+EAA+E;aAC7F;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,gCAAgC;gBACtC,QAAQ,EAAE;oBACR,yBAAyB;oBACzB,0BAA0B;iBAC3B;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,4DAA4D;gBACzE,WAAW,EAAE,kFAAkF;aAChG;YACD;gBACE,EAAE,EAAE,aAAa;gBACjB,IAAI,EAAE,iCAAiC;gBACvC,QAAQ,EAAE;oBACR,qCAAqC;iBACtC;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,4BAA4B;gBACzC,WAAW,EAAE,kDAAkD;aAChE;YACD;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE;oBACR,sBAAsB;oBACtB,sBAAsB;oBACtB,wCAAwC;oBACxC,mCAAmC;iBACpC;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,4CAA4C;gBACzD,WAAW,EAAE,8CAA8C;aAC5D;YAED,qBAAqB;YACrB;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE;oBACR,mCAAmC;oBACnC,wBAAwB;oBACxB,+CAA+C;iBAChD;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,gCAAgC;gBAC1C,WAAW,EAAE,kCAAkC;gBAC/C,WAAW,EAAE,+EAA+E;aAC7F;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,qDAAqD;oBACrD,6BAA6B;iBAC9B;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,gCAAgC;gBAC1C,WAAW,EAAE,0CAA0C;gBACvD,WAAW,EAAE,yEAAyE;aACvF;YAED,+BAA+B;YAC/B;gBACE,EAAE,EAAE,oBAAoB;gBACxB,IAAI,EAAE,wBAAwB;gBAC9B,QAAQ,EAAE;oBACR,+BAA+B;oBAC/B,wBAAwB;oBACxB,4BAA4B;oBAC5B,iCAAiC;iBAClC;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,sCAAsC;gBACnD,WAAW,EAAE,iFAAiF;aAC/F;YAED,mCAAmC;YACnC;gBACE,EAAE,EAAE,mBAAmB;gBACvB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,kCAAkC,EAAE,oBAAoB;oBACxD,uBAAuB;oBACvB,0CAA0C;iBAC3C;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,+BAA+B;gBACzC,WAAW,EAAE,0CAA0C;gBACvD,WAAW,EAAE,uDAAuD;aACrE;YACD;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,iCAAiC;oBACjC,8BAA8B;oBAC9B,+BAA+B;oBAC/B,iCAAiC;oBACjC,sBAAsB;iBACvB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,+BAA+B;gBACzC,WAAW,EAAE,6BAA6B;gBAC1C,WAAW,EAAE,uEAAuE;aACrF;YAED,YAAY;YACZ;gBACE,EAAE,EAAE,MAAM;gBACV,IAAI,EAAE,6BAA6B;gBACnC,QAAQ,EAAE;oBACR,8BAA8B;oBAC9B,+BAA+B;oBAC/B,8BAA8B;oBAC9B,kCAAkC;oBAClC,yBAAyB;iBAC1B;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,UAAU;gBACpB,WAAW,EAAE,4DAA4D;gBACzE,WAAW,EAAE,8EAA8E;aAC5F;YAED,kCAAkC;YAClC;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE;oBACR,iCAAiC;oBACjC,6BAA6B;oBAC7B,8DAA8D,EAAE,6BAA6B;oBAC7F,uBAAuB;iBACxB;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,2CAA2C;gBACxD,WAAW,EAAE,oDAAoD;aAClE;YACD;gBACE,EAAE,EAAE,cAAc;gBAClB,IAAI,EAAE,kBAAkB;gBACxB,QAAQ,EAAE;oBACR,iBAAiB;oBACjB,wBAAwB;iBACzB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,kDAAkD;gBAC/D,WAAW,EAAE,+CAA+C;aAC7D;YAED,6BAA6B;YAC7B;gBACE,EAAE,EAAE,gBAAgB;gBACpB,IAAI,EAAE,gBAAgB;gBACtB,QAAQ,EAAE;oBACR,8BAA8B;oBAC9B,2BAA2B;oBAC3B,8BAA8B;oBAC9B,gCAAgC;oBAChC,4BAA4B;oBAC5B,kCAAkC;iBACnC;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,wDAAwD;gBACrE,WAAW,EAAE,2FAA2F;aACzG;SACF,CAAA;IA2GH,CAAC;IAzGC,KAAK,CAAC,KAAK,CAAC,KAAiD,EAAE,GAAoB;QACjF,qEAAqE;QACrE,IAAI,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QACnD,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QAErF,MAAM,IAAI,GAAG,KAAK,CAAC,IAA0F,CAAA;QAC7G,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU,IAAI,EAAE,CAAA;QACzD,IAAI,CAAC,WAAW;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QAE7C,MAAM,QAAQ,GAAiB,EAAE,CAAA;QAEjC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACrC,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC9B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;oBACpB,MAAK,CAAC,uCAAuC;gBAC/C,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QAEtD,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAA;QAChE,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;QAExD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,yBAAyB,EAAE;gBAC3C,IAAI,EAAE,IAAI,CAAC,SAAS;gBACpB,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAClC,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAA;YAElC,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC;gBACjD,UAAU,EAAE,0DAA0D;aACvE,CAAA;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,EAAE;gBACvC,IAAI,EAAE,IAAI,CAAC,SAAS;gBACpB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC9B,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAA;YAElC,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC;gBACzC,UAAU,EAAE,+CAA+C;aAC5D,CAAA;QACH,CAAC;QAED,8BAA8B;QAC9B,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,EAAE;YACvC,IAAI,EAAE,IAAI,CAAC,SAAS;YACpB,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAClC,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAA;QAElC,OAAO;YACL,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,QAAQ,CAAC;SACrF,CAAA;IACH,CAAC;IAEO,cAAc,CAAC,QAAsB,EAAE,QAAgB;QAC7D,MAAM,KAAK,GAAG;YACZ,8BAA8B,QAAQ,GAAG;YACzC,EAAE;SACH,CAAA;QAED,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;YACvC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;YACvC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;YACrC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAChB,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,IAAY;QACnB,MAAM,QAAQ,GAAiB,EAAE,CAAA;QACjC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACrC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;oBACpB,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;CACF;AAYD;;GAEG;AACH,MAAM,OAAO,eAAe;IAA5B;QACU,aAAQ,GAAG,IAAI,aAAa,EAAE,CAAA;IAyBxC,CAAC;IAvBC,QAAQ,CAAC,OAAe,EAAE,QAAgB;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAEhD,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAEnD,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC;YACnC,CAAC,CAAC,6BAA6B;YAC/B,CAAC,CAAC,SAAS,QAAQ,CAAC,MAAM,+BAA+B,SAAS,QAAQ,CAAA;QAE5E,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,QAAQ;YACR,SAAS;YACT,OAAO;SACR,CAAA;IACH,CAAC;IAEO,kBAAkB,CAAC,QAAsB;QAC/C,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;YAAE,OAAO,UAAU,CAAA;QACpE,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;YAAE,OAAO,MAAM,CAAA;QAC5D,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAAE,OAAO,QAAQ,CAAA;QAChE,OAAO,KAAK,CAAA;IACd,CAAC;CACF"}

package/dist/guardrails/ReviewEnforcer.d.ts

@@ -0,0 +1,52 @@
+import type { IArtifactStore } from '../artifact/store.js';
+import type { IEventBus } from '../core/eventBus.js';
+import type { IFSM } from '../artifact/fsm.js';
+/**
+ * ReviewEnforcer - 编码完成后强制调用评审 Agent
+ *
+ * 文章证据：评审 Agent 发现了编码 Agent 遗漏的渠道判断逻辑（潜在线上故障）
+ *
+ * 工作流程：
+ * 1. Task 状态从 IN_PROGRESS → REVIEW_REQUIRED (新增状态)
+ * 2. 自动触发 code-reviewer agent 评审
+ * 3. 评审通过 → REVIEW_PASSED → DONE
+ * 4. 评审不通过 → REVIEW_FAILED → 回退到 IN_PROGRESS
+ */
+export declare class ReviewEnforcer {
+    private store;
+    private eventBus;
+    private fsm;
+    constructor(store: IArtifactStore, eventBus: IEventBus, fsm: IFSM);
+    /**
+     * Harness: 检查是否需要强制评审
+     */
+    shouldEnforceReview(taskId: string): Promise<boolean>;
+    /**
+     * Harness: 强制评审入口
+     * 编码完成后自动触发，不依赖人工
+     */
+    enforceReview(taskId: string): Promise<ReviewResult>;
+    /**
+     * Harness: 自动回退机制
+     * 评审不通过时，自动回退到 IN_PROGRESS 状态
+     */
+    rollbackOnReviewFailure(taskId: string, reasons: string[]): Promise<void>;
+    /**
+     * Harness: 评审循环上限
+     * 文章启发：评审最多 2 轮，超出升级人工决策
+     */
+    checkReviewIteration(taskId: string): Promise<{
+        exceeded: boolean;
+        iteration: number;
+    }>;
+}
+export interface ReviewResult {
+    passed: boolean;
+    taskId: string;
+    reasons?: string[];
+    gateResults?: Array<{
+        gate: any;
+        passed: boolean;
+        reason?: string;
+    }>;
+}