@hongmaple0820/scale-engine 0.10.0 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.en.md +127 -196
- package/README.md +168 -1114
- package/dist/api/cli.js +2 -2
- package/dist/api/cli.js.map +1 -1
- package/dist/artifact/types.d.ts +1 -1
- package/dist/artifact/types.js.map +1 -1
- package/dist/capabilities/BrowserQACapability.d.ts +151 -0
- package/dist/capabilities/BrowserQACapability.js +344 -0
- package/dist/capabilities/BrowserQACapability.js.map +1 -0
- package/dist/cli/evolutionCommands.d.ts +112 -0
- package/dist/cli/evolutionCommands.js +246 -0
- package/dist/cli/evolutionCommands.js.map +1 -0
- package/dist/cli/phaseCommands.d.ts +9 -0
- package/dist/cli/phaseCommands.js +169 -48
- package/dist/cli/phaseCommands.js.map +1 -1
- package/dist/guardrails/OWASPDetector.d.ts +58 -0
- package/dist/guardrails/OWASPDetector.js +508 -0
- package/dist/guardrails/OWASPDetector.js.map +1 -0
- package/dist/workflow/ReviewAnalyzer.d.ts +5 -0
- package/dist/workflow/ReviewAnalyzer.js +194 -10
- package/dist/workflow/ReviewAnalyzer.js.map +1 -1
- package/dist/workflow/VerificationCommands.d.ts +4 -0
- package/dist/workflow/VerificationCommands.js +2 -0
- package/dist/workflow/VerificationCommands.js.map +1 -1
- package/dist/workflow/WorkflowEngine.js +1 -1
- package/dist/workflow/WorkflowEngine.js.map +1 -1
- package/dist/workflow/evolution/LessonExtractor.d.ts +90 -0
- package/dist/workflow/evolution/LessonExtractor.js +317 -0
- package/dist/workflow/evolution/LessonExtractor.js.map +1 -0
- package/dist/workflow/evolution/SelfImproveEngine.d.ts +156 -0
- package/dist/workflow/evolution/SelfImproveEngine.js +361 -0
- package/dist/workflow/evolution/SelfImproveEngine.js.map +1 -0
- package/dist/workflow/gates/GateSystem.d.ts +28 -2
- package/dist/workflow/gates/GateSystem.js +291 -82
- package/dist/workflow/gates/GateSystem.js.map +1 -1
- package/dist/workflow/qa/E2ETestRunner.d.ts +102 -0
- package/dist/workflow/qa/E2ETestRunner.js +227 -0
- package/dist/workflow/qa/E2ETestRunner.js.map +1 -0
- package/dist/workflow/types.d.ts +7 -0
- package/package.json +3 -3
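--- a/package/dist/guardrails/OWASPDetector.js
+++ b/package/dist/guardrails/OWASPDetector.js
@@ -0,0 +1,508 @@
+// SCALE Engine — OWASP Top 10 Detector
+// 安全漏洞检测器,覆盖 OWASP Top 10 主要类别
+// 设计参考:docs/03-CORE-MODULES.md §3.5 + OWASP 2021
+/**
+* OWASP Top 10 (2021) Security Detector
+*
+* 检测代码中常见的安全漏洞模式:
+* A01: Broken Access Control - Auth bypass, missing auth checks
+* A02: Cryptographic Failures - Weak crypto, hardcoded secrets
+* A03: Injection - SQL, NoSQL, Command injection
+* A04: Insecure Design - Missing security patterns
+* A05: Security Misconfiguration - CORS, CSP issues
+* A06: Vulnerable Components - Known vulnerable patterns
+* A07: Auth Failures - Weak auth, session issues
+* A08: Software/Data Integrity - Unsafe deserialization
+* A09: Logging/Monitoring Failures - Missing logs
+* A10: SSRF - Server-side request forgery
+*/
+export class OWASPDetector {
+constructor() {
+this.name = 'owasp-security';
+this.checks = [
+// A01: Broken Access Control
+{
+id: 'auth-bypass',
+name: 'Authentication Bypass',
+patterns: [
+/skipAuth\s*[=:]\s*true/i,
+/bypassAuth\s*[=:]\s*true/i,
+/auth\s*[=:]\s*false/i,
+/\.skipAuth\(\)/i,
+/public\s+route/i,
+/ unprotected\s+endpoint/i,
+],
+severity: 'CRITICAL',
+category: 'A01-BrokenAccessControl',
+description: 'Authentication bypass detected - allows unauthorized access',
+remediation: 'Remove auth bypass logic. Ensure all sensitive endpoints require authentication.',
+},
+{
+id: 'missing-auth-check',
+name: 'Missing Authorization Check',
+patterns: [
+/isAdmin\s*\(\)\s*\{\s*return\s+true/i,
+/checkPermission\s*\(\)\s*\{\s*return\s+true/i,
+/hasAccess\s*\(\)\s*;\s*\/\/.*TODO/i,
+],
+severity: 'HIGH',
+category: 'A01-BrokenAccessControl',
+description: 'Missing or placeholder authorization check',
+remediation: 'Implement proper authorization checks before sensitive operations.',
+},
+// A02: Cryptographic Failures
+{
+id: 'weak-crypto-md5',
+name: 'Weak Cryptography (MD5)',
+patterns: [
+/md5\s*\(/i,
+/createHash\s*\(\s*['"]md5['"]\s*\)/i,
+/MD5\s*=\s*require/i,
+],
+severity: 'HIGH',
+category: 'A02-CryptographicFailures',
+description: 'MD5 is cryptographically broken and unsuitable for security purposes',
+remediation: 'Use SHA-256 or stronger algorithms for hashing. For passwords, use bcrypt/scrypt/argon2.',
+},
+{
+id: 'weak-crypto-sha1',
+name: 'Weak Cryptography (SHA1)',
+patterns: [
+/sha1\s*\(/i,
+/createHash\s*\(\s*['"]sha1['"]\s*\)/i,
+],
+severity: 'HIGH',
+category: 'A02-CryptographicFailures',
+description: 'SHA1 is deprecated and vulnerable to collision attacks',
+remediation: 'Use SHA-256 or SHA-3 for cryptographic operations.',
+},
+{
+id: 'hardcoded-secret',
+name: 'Hardcoded Secret/Credential',
+patterns: [
+/password\s*[=:]\s*['"][^'"]{8,}['"]/i,
+/secret\s*[=:]\s*['"][^'"]{8,}['"]/i,
+/api_key\s*[=:]\s*['"][a-zA-Z0-9]{20,}['"]/i,
+/apiKey\s*[=:]\s*['"][a-zA-Z0-9]{20,}['"]/i,
+/token\s*[=:]\s*['"][a-zA-Z0-9]{20,}['"]/i,
+/private_key\s*[=:]\s*['"]/i,
+/aws_access_key\s*[=:]\s*['"]/i,
+/AKIA[A-Z0-9]{16}/, // AWS Access Key ID pattern
+],
+severity: 'CRITICAL',
+category: 'A02-CryptographicFailures',
+description: 'Hardcoded secrets can be leaked through source code exposure',
+remediation: 'Use environment variables or secure secret management (Vault, AWS Secrets Manager).',
+},
+{
+id: 'weak-random',
+name: 'Weak Random Number Generator',
+patterns: [
+/Math\.random\s*\(\)\s*[=:]*\s*token/i,
+/Math\.random\s*\(\)\s*[=:]*\s*key/i,
+/Math\.random\s*\(\)\s*[=:]*\s*secret/i,
+/new\s+Random\s*\(\)\s*[=:]*\s*token/i,
+],
+severity: 'HIGH',
+category: 'A02-CryptographicFailures',
+description: 'Math.random() is not cryptographically secure',
+remediation: 'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive randomness.',
+},
+// A03: Injection
+{
+id: 'sql-injection',
+name: 'SQL Injection',
+patterns: [
+/executeQuery\s*\(\s*[`'"]\s*SELECT.*\+/i,
+/query\s*\(\s*[`'"]\s*.*\$\{/i,
+/\.query\s*\(\s*[`'"]\s*INSERT.*\+/i,
+/\.exec\s*\(\s*[`'"]\s*DELETE.*\+/i,
+/sql\s*[=:]\s*[`'"]\s*.*\+.*req\./i,
+/\$\{.*req\..*\}.*FROM/i,
+/WHERE.*=.*req\.body/i,
+/WHERE.*=.*req\.query/i,
+/WHERE.*=.*req\.params/i,
+/["'`]\s*SELECT\s+.*\s*WHERE.*\+/i, // String concatenation in WHERE
+/["'`]\s*.*SELECT.*\+\s*\w+/i, // SELECT with + variable
+],
+severity: 'CRITICAL',
+category: 'A03-Injection',
+description: 'SQL injection vulnerability - user input directly in SQL query',
+remediation: 'Use parameterized queries or prepared statements. Never concatenate user input into SQL.',
+},
+{
+id: 'nosql-injection',
+name: 'NoSQL Injection',
+patterns: [
+/\.find\s*\(\s*req\.body/i,
+/\.find\s*\(\s*req\.query/i,
+/\.where\s*\(\s*req\.body/i,
+/\$where\s*:\s*req\./i,
+],
+severity: 'CRITICAL',
+category: 'A03-Injection',
+description: 'NoSQL injection vulnerability - user input in query object',
+remediation: 'Sanitize and validate user input before using in NoSQL queries.',
+},
+{
+id: 'command-injection',
+name: 'Command Injection',
+patterns: [
+/exec\s*\(\s*[`'"]\s*.*\+/i,
+/spawn\s*\(\s*[`'"]\s*.*\+/i,
+/eval\s*\(\s*req\./i,
+/system\s*\(\s*[`'"]\s*.*\+/i,
+/\$\{.*req\..*\}/, // Shell command with template literal
+],
+severity: 'CRITICAL',
+category: 'A03-Injection',
+description: 'Command injection vulnerability - user input in system command',
+remediation: 'Avoid shell commands with user input. Use safe APIs with proper escaping.',
+},
+{
+id: 'ldap-injection',
+name: 'LDAP Injection',
+patterns: [
+/ldap\.search\s*\(\s*[`'"]\s*.*\+/i,
+/\$\{.*req\..*\}.*LDAP/i,
+],
+severity: 'CRITICAL',
+category: 'A03-Injection',
+description: 'LDAP injection vulnerability',
+remediation: 'Use parameterized LDAP queries or proper escaping.',
+},
+// A04: Insecure Design (missing security patterns)
+{
+id: 'missing-rate-limit',
+name: 'Missing Rate Limiting',
+patterns: [
+/\.post\s*\(\s*['"]\/login['"]/i,
+/\.post\s*\(\s*['"]\/auth['"]/i,
+/\.post\s*\(\s*['"]\/api\/['"]/i,
+],
+severity: 'MEDIUM',
+category: 'A04-InsecureDesign',
+description: 'API endpoint without rate limiting',
+remediation: 'Add rate limiting to prevent brute force and abuse.',
+},
+{
+id: 'missing-input-validation',
+name: 'Missing Input Validation',
+patterns: [
+/req\.body\.\w+\s*[=:]\s*[^;]/i,
+/const\s+\w+\s*[=:]\s*req\.body\.\w+/i,
+/\.save\s*\(\s*req\.body\s*\)/i,
+],
+severity: 'HIGH',
+category: 'A04-InsecureDesign',
+description: 'Direct use of request body without validation',
+remediation: 'Validate and sanitize all user input before processing.',
+},
+// A05: Security Misconfiguration
+{
+id: 'cors-misconfig',
+name: 'CORS Misconfiguration',
+patterns: [
+/cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/i,
+/Access-Control-Allow-Origin\s*:\s*['"]\*['"]/i,
+/origin\s*:\s*true/i,
+],
+severity: 'HIGH',
+category: 'A05-SecurityMisconfiguration',
+description: 'Overly permissive CORS configuration',
+remediation: 'Restrict CORS to specific domains. Never use wildcard (*) for sensitive APIs.',
+},
+{
+id: 'cors-credentials',
+name: 'CORS with Credentials Wildcard',
+patterns: [
+/credentials\s*:\s*true/i,
+/origin\s*:\s*['"]\*['"]/i,
+],
+severity: 'CRITICAL',
+category: 'A05-SecurityMisconfiguration',
+description: 'CORS credentials with wildcard origin - security violation',
+remediation: 'Cannot use credentials: true with origin: *. Specify allowed origins explicitly.',
+},
+{
+id: 'csp-missing',
+name: 'Missing Content Security Policy',
+patterns: [
+/Content-Security-Policy\s*:\s*['"]/i,
+],
+severity: 'MEDIUM',
+category: 'A05-SecurityMisconfiguration',
+description: 'Missing or weak CSP header',
+remediation: 'Implement strong Content-Security-Policy header.',
+},
+{
+id: 'debug-enabled',
+name: 'Debug Mode Enabled',
+patterns: [
+/debug\s*[=:]\s*true/i,
+/DEBUG\s*[=:]\s*true/i,
+/NODE_ENV\s*[=:]\s*['"]development['"]/i,
+/\.env\s*\(\s*['"]development['"]/i,
+],
+severity: 'MEDIUM',
+category: 'A05-SecurityMisconfiguration',
+description: 'Debug mode enabled in production-like code',
+remediation: 'Ensure debug mode is disabled in production.',
+},
+// A07: Auth Failures
+{
+id: 'weak-password',
+name: 'Weak Password Policy',
+patterns: [
+/password\.length\s*[<=>]\s*[1-5]/i,
+/minLength\s*:\s*[1-5]/i,
+/\.validate\s*\(\s*\{\s*minLength\s*:\s*[1-5]/i,
+],
+severity: 'HIGH',
+category: 'A07-IdentificationAuthFailures',
+description: 'Weak password length requirement',
+remediation: 'Require minimum 8 characters for passwords. Use password strength validators.',
+},
+{
+id: 'session-fixation',
+name: 'Session Fixation Risk',
+patterns: [
+/session\s*\(\s*\{\s*secret\s*:\s*['"][^'"]{8,}['"]/i,
+/\.session\s*\(\s*req\.body/i,
+],
+severity: 'HIGH',
+category: 'A07-IdentificationAuthFailures',
+description: 'Potential session fixation vulnerability',
+remediation: 'Regenerate session ID after authentication. Use strong session secrets.',
+},
+// A08: Software/Data Integrity
+{
+id: 'unsafe-deserialize',
+name: 'Unsafe Deserialization',
+patterns: [
+/JSON\.parse\s*\(\s*req\.body/i,
+/eval\s*\(\s*req\.body/i,
+/Function\s*\(\s*req\.body/i,
+/\.deserialize\s*\(\s*req\.body/i,
+],
+severity: 'CRITICAL',
+category: 'A08-SoftwareDataIntegrity',
+description: 'Unsafe deserialization of user input',
+remediation: 'Validate and sanitize input before parsing. Avoid eval/Function with user data.',
+},
+// A09: Logging/Monitoring Failures
+{
+id: 'missing-error-log',
+name: 'Missing Error Logging',
+patterns: [
+/catch\s*\(\s*\w+\s*\)\s*\{\s*\}/i, // Empty catch block
+/catch\s*\(\s*\)\s*\{/i,
+/\.catch\s*\(\s*\(\s*\)\s*[=>]\s*\{\s*\}/i,
+],
+severity: 'MEDIUM',
+category: 'A09-LoggingMonitoringFailures',
+description: 'Error silently swallowed without logging',
+remediation: 'Log all errors for debugging and security monitoring.',
+},
+{
+id: 'sensitive-log',
+name: 'Sensitive Data in Log',
+patterns: [
+/console\.log\s*\(\s*.*password/i,
+/console\.log\s*\(\s*.*token/i,
+/console\.log\s*\(\s*.*secret/i,
+/logger\.info\s*\(\s*.*password/i,
+/log\s*\(\s*.*apiKey/i,
+],
+severity: 'HIGH',
+category: 'A09-LoggingMonitoringFailures',
+description: 'Sensitive data being logged',
+remediation: 'Never log passwords, tokens, or secrets. Mask sensitive data in logs.',
+},
+// A10: SSRF
+{
+id: 'ssrf',
+name: 'Server-Side Request Forgery',
+patterns: [
+/fetch\s*\(\s*req\.body\.url/i,
+/fetch\s*\(\s*req\.query\.url/i,
+/axios\s*\(\s*req\.body\.url/i,
+/request\s*\(\s*req\.params\.url/i,
+/\.get\s*\(\s*req\.body/i,
+],
+severity: 'CRITICAL',
+category: 'A10-SSRF',
+description: 'SSRF vulnerability - user-controlled URL in server request',
+remediation: 'Validate and whitelist allowed URLs. Never accept arbitrary URLs from users.',
+},
+// Additional: XSS (cross-cutting)
+{
+id: 'xss-innerHTML',
+name: 'XSS via innerHTML',
+patterns: [
+/\.innerHTML\s*[=:]\s*[^'"][^`]/i,
+/\.innerHTML\s*[=:]\s*req\./i,
+/dangerouslySetInnerHTML\s*[=:]\s*\{\{?\s*__html\s*:\s*[^'"]/i, // React syntax: {{ }} or { }
+/document\.write\s*\(/i,
+],
+severity: 'CRITICAL',
+category: 'XSS',
+description: 'Potential XSS vulnerability via innerHTML',
+remediation: 'Use textContent or sanitize HTML before insertion.',
+},
+{
+id: 'xss-template',
+name: 'XSS via Template',
+patterns: [
+/\$\{.*req\..*\}/,
+/v-html\s*[=:]\s*[^'"]/i,
+],
+severity: 'HIGH',
+category: 'XSS',
+description: 'User input in HTML template without sanitization',
+remediation: 'Sanitize user input before rendering in HTML.',
+},
+// Additional: Path Traversal
+{
+id: 'path-traversal',
+name: 'Path Traversal',
+patterns: [
+/readFileSync\s*\(\s*.*req\./i,
+/writeFile\s*\(\s*.*req\./i,
+/fs\.read\s*\(\s*.*req\.body/i,
+/\.sendFile\s*\(\s*req\.params/i,
+/path\.join\s*\(\s*.*req\./i,
+/\.open\s*\(\s*.*req\.body\.path/i,
+],
+severity: 'CRITICAL',
+category: 'PathTraversal',
+description: 'Path traversal vulnerability - user input in file path',
+remediation: 'Validate and sanitize file paths. Use path.resolve and check against allowed directories.',
+},
+];
+}
+async check(input, ctx) {
+// Only check ToolUseInput with Edit/Write tools (code being written)
+if (!('tool' in input))
+return { triggered: false };
+if (!['Edit', 'Write', 'MultiEdit'].includes(input.tool))
+return { triggered: false };
+const args = input.args;
+const codeContent = args.content ?? args.new_string ?? '';
+if (!codeContent)
+return { triggered: false };
+const findings = [];
+for (const check of this.checks) {
+for (const pattern of check.patterns) {
+if (pattern.test(codeContent)) {
+findings.push(check);
+break; // Only report each check once per scan
+}
+}
+}
+if (findings.length === 0)
+return { triggered: false };
+// Group findings by severity
+const critical = findings.filter(f => f.severity === 'CRITICAL');
+const high = findings.filter(f => f.severity === 'HIGH');
+if (critical.length > 0) {
+ctx.eventBus.emit('security.owasp_critical', {
+file: args.file_path,
+findings: critical.map(f => f.id)
+}, { sessionId: input.sessionId });
+return {
+triggered: true,
+severity: 'block',
+reason: this.formatFindings(critical, 'CRITICAL'),
+suggestion: 'Fix critical security vulnerabilities before committing.',
+};
+}
+if (high.length > 0) {
+ctx.eventBus.emit('security.owasp_high', {
+file: args.file_path,
+findings: high.map(f => f.id)
+}, { sessionId: input.sessionId });
+return {
+triggered: true,
+severity: 'warn',
+reason: this.formatFindings(high, 'HIGH'),
+suggestion: 'Review and fix high severity security issues.',
+};
+}
+// Medium severity - info only
+ctx.eventBus.emit('security.owasp_info', {
+file: args.file_path,
+findings: findings.map(f => f.id)
+}, { sessionId: input.sessionId });
+return {
+triggered: true,
+severity: 'warn',
+reason: this.formatFindings(findings.filter(f => f.severity === 'MEDIUM'), 'MEDIUM'),
+};
+}
+formatFindings(findings, severity) {
+const lines = [
+`\n🚨 OWASP Security Alert (${severity})`,
+'',
+];
+for (const f of findings) {
+lines.push(`[${f.category}] ${f.name}`);
+lines.push(` Issue: ${f.description}`);
+lines.push(` Fix: ${f.remediation}`);
+lines.push('');
+}
+return lines.join('\n');
+}
+/**
+* Manual scan for code review
+*/
+scanCode(code) {
+const findings = [];
+for (const check of this.checks) {
+for (const pattern of check.patterns) {
+if (pattern.test(code)) {
+findings.push(check);
+break;
+}
+}
+}
+return findings;
+}
+/**
+* Get all check definitions
+*/
+getChecks() {
+return this.checks;
+}
+}
+/**
+* Batch security scanner for multiple files
+*/
+export class SecurityScanner {
+constructor() {
+this.detector = new OWASPDetector();
+}
+scanFile(content, filePath) {
+const findings = this.detector.scanCode(content);
+const riskLevel = this.calculateRiskLevel(findings);
+const summary = findings.length === 0
+? 'No security issues detected'
+: `Found ${findings.length} potential security issues (${riskLevel} risk)`;
+return {
+file: filePath,
+findings,
+riskLevel,
+summary,
+};
+}
+calculateRiskLevel(findings) {
+if (findings.some(f => f.severity === 'CRITICAL'))
+return 'CRITICAL';
+if (findings.some(f => f.severity === 'HIGH'))
+return 'HIGH';
+if (findings.some(f => f.severity === 'MEDIUM'))
+return 'MEDIUM';
+return 'LOW';
+}
+}
+//# sourceMappingURL=OWASPDetector.js.map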
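Review bot: The `cors-credentials` check at new lines 215–226 ORs two independent patterns, `/credentials\s*:\s*true/i` and `/origin\s*:\s*['"]\*['"]/i`, because the loop in `check()` takes the first pattern that matches, so `credentials: true` with an explicit origin — the correct configuration — is reported CRITICAL and the write is blocked, while the named condition (both in one config) is never actually tested; replace the pair with conjunctive patterns such as `/cors\s*\(\s*\{[^}]*origin\s*:\s*['"]\*['"][^}]*credentials\s*:\s*true/i` and the reverse ordering. The same blocking path has a probable bypass at new line 391: only `args.content ?? args.new_string` is scanned, so if `MultiEdit` delivers its replacements as an `edits` array (as the tool name suggests — confirm against the tool schema) nothing in that write is inspected and the guardrail returns `triggered: false`; `const codeContent = args.content ?? args.new_string ?? (Array.isArray(args.edits) ? args.edits.map(e => e.new_string ?? '').join('\n') : '');` closes it. Several other CRITICAL patterns are broad enough to block benign edits, notably `/\$\{.*req\..*\}/` (any template literal mentioning `req.`, listed under both `command-injection` and `xss-template`) and the `SELECT … + variable` pattern at new line 126, which matches any string containing "select" followed by a `+`; anchoring them on a sink call or downgrading them to `warn` would keep the block action credible. `csp-missing` at new line 231 fires only when a `Content-Security-Policy` header is being set — the opposite of its name — since a presence regex cannot detect absence. Finally, `/ unprotected\s+endpoint/i` at new line 33 appears to carry a leading space inside the literal, which may be a rendering artefact of this page; confirm against the .ts source.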
@@ -0,0 +1 @@
1
+
{"version":3,"file":"OWASPDetector.js","sourceRoot":"","sources":["../../src/guardrails/OWASPDetector.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,+BAA+B;AAC/B,iDAAiD;AAejD;;;;;;;;;;;;;;GAcG;AACH,MAAM,OAAO,aAAa;IAA1B;QACE,SAAI,GAAG,gBAAgB,CAAA;QAEf,WAAM,GAAiB;YAC7B,6BAA6B;YAC7B;gBACE,EAAE,EAAE,aAAa;gBACjB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,yBAAyB;oBACzB,2BAA2B;oBAC3B,sBAAsB;oBACtB,iBAAiB;oBACjB,iBAAiB;oBACjB,0BAA0B;iBAC3B;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,yBAAyB;gBACnC,WAAW,EAAE,6DAA6D;gBAC1E,WAAW,EAAE,kFAAkF;aAChG;YACD;gBACE,EAAE,EAAE,oBAAoB;gBACxB,IAAI,EAAE,6BAA6B;gBACnC,QAAQ,EAAE;oBACR,sCAAsC;oBACtC,8CAA8C;oBAC9C,oCAAoC;iBACrC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,yBAAyB;gBACnC,WAAW,EAAE,4CAA4C;gBACzD,WAAW,EAAE,oEAAoE;aAClF;YAED,8BAA8B;YAC9B;gBACE,EAAE,EAAE,iBAAiB;gBACrB,IAAI,EAAE,yBAAyB;gBAC/B,QAAQ,EAAE;oBACR,WAAW;oBACX,qCAAqC;oBACrC,oBAAoB;iBACrB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,sEAAsE;gBACnF,WAAW,EAAE,0FAA0F;aACxG;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,0BAA0B;gBAChC,QAAQ,EAAE;oBACR,YAAY;oBACZ,sCAAsC;iBACvC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,wDAAwD;gBACrE,WAAW,EAAE,oDAAoD;aAClE;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,6BAA6B;gBACnC,QAAQ,EAAE;oBACR,sCAAsC;oBACtC,oCAAoC;oBACpC,4CAA4C;oBAC5C,2CAA2C;oBAC3C,0CAA0C;oBAC1C,4BAA4B;oBAC5B,+BAA+B;oBAC/B,kBAAkB,EAAE,4BAA4B;iBACjD;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,8DAA8D;gBAC3E,WAAW,EAAE,qFAAqF;aACnG;YACD;gBACE,EAAE,EAAE,aAAa;gBACjB,IAAI,EAAE,8BAA8B;gBACpC,QAAQ,EAAE;oBACR,sCAAsC;oBACtC,oCAAoC;oBACpC,uCAAuC;oBACvC,sCAAsC;iBACvC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,+CAA+C;gBAC5D,WAAW,EAAE,yFAAyF;aACvG;YAED,iBAAiB;YACjB;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,eAAe;gBACrB,QAAQ,EAAE;oBACR,yCAAyC;oBACzC,8BAA8B;oBAC9B,oCAAoC;oBACpC,mCAAmC;oBACnC,mCAAmC;oBACnC,wBAAwB;oBACxB,sBAAsB;oBACtB,uBAAuB;oBACvB,wBAAwB;oBACxB,kCAAkC,EAAE,gCAAgC;oBACpE,6BAA6B,EAAE,yBAAyB;iBACzD;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eA
Ae;gBACzB,WAAW,EAAE,gEAAgE;gBAC7E,WAAW,EAAE,0FAA0F;aACxG;YACD;gBACE,EAAE,EAAE,iBAAiB;gBACrB,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE;oBACR,0BAA0B;oBAC1B,2BAA2B;oBAC3B,2BAA2B;oBAC3B,sBAAsB;iBACvB;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,4DAA4D;gBACzE,WAAW,EAAE,iEAAiE;aAC/E;YACD;gBACE,EAAE,EAAE,mBAAmB;gBACvB,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE;oBACR,2BAA2B;oBAC3B,4BAA4B;oBAC5B,oBAAoB;oBACpB,6BAA6B;oBAC7B,iBAAiB,EAAE,sCAAsC;iBAC1D;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,gEAAgE;gBAC7E,WAAW,EAAE,2EAA2E;aACzF;YACD;gBACE,EAAE,EAAE,gBAAgB;gBACpB,IAAI,EAAE,gBAAgB;gBACtB,QAAQ,EAAE;oBACR,mCAAmC;oBACnC,wBAAwB;iBACzB;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,8BAA8B;gBAC3C,WAAW,EAAE,oDAAoD;aAClE;YAED,mDAAmD;YACnD;gBACE,EAAE,EAAE,oBAAoB;gBACxB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,gCAAgC;oBAChC,+BAA+B;oBAC/B,gCAAgC;iBACjC;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,oBAAoB;gBAC9B,WAAW,EAAE,oCAAoC;gBACjD,WAAW,EAAE,qDAAqD;aACnE;YACD;gBACE,EAAE,EAAE,0BAA0B;gBAC9B,IAAI,EAAE,0BAA0B;gBAChC,QAAQ,EAAE;oBACR,+BAA+B;oBAC/B,sCAAsC;oBACtC,+BAA+B;iBAChC;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,oBAAoB;gBAC9B,WAAW,EAAE,+CAA+C;gBAC5D,WAAW,EAAE,yDAAyD;aACvE;YAED,iCAAiC;YACjC;gBACE,EAAE,EAAE,gBAAgB;gBACpB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,2CAA2C;oBAC3C,+CAA+C;oBAC/C,oBAAoB;iBACrB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,sCAAsC;gBACnD,WAAW,EAAE,+EAA+E;aAC7F;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,gCAAgC;gBACtC,QAAQ,EAAE;oBACR,yBAAyB;oBACzB,0BAA0B;iBAC3B;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,4DAA4D;gBACzE,WAAW,EAAE,kFAAkF;aAChG;YACD;gBACE,EAAE,EAAE,aAAa;gBACjB,IAAI,EAAE,iCAAiC;gBACvC,QAAQ,EAAE;oBACR,qCAAqC;iBACtC;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,4BAA4B;gBACzC,WAAW,EAAE,kDAAkD;aAChE;YACD;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE;oBACR,sBAAsB;oBACtB,sBAAsB;oBACtB,wCAAwC;oBACxC,mCAAmC;iBACpC;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,8BAA8B;gBACxC,WAAW,EAAE,4CAA4C;g
BACzD,WAAW,EAAE,8CAA8C;aAC5D;YAED,qBAAqB;YACrB;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE;oBACR,mCAAmC;oBACnC,wBAAwB;oBACxB,+CAA+C;iBAChD;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,gCAAgC;gBAC1C,WAAW,EAAE,kCAAkC;gBAC/C,WAAW,EAAE,+EAA+E;aAC7F;YACD;gBACE,EAAE,EAAE,kBAAkB;gBACtB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,qDAAqD;oBACrD,6BAA6B;iBAC9B;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,gCAAgC;gBAC1C,WAAW,EAAE,0CAA0C;gBACvD,WAAW,EAAE,yEAAyE;aACvF;YAED,+BAA+B;YAC/B;gBACE,EAAE,EAAE,oBAAoB;gBACxB,IAAI,EAAE,wBAAwB;gBAC9B,QAAQ,EAAE;oBACR,+BAA+B;oBAC/B,wBAAwB;oBACxB,4BAA4B;oBAC5B,iCAAiC;iBAClC;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,2BAA2B;gBACrC,WAAW,EAAE,sCAAsC;gBACnD,WAAW,EAAE,iFAAiF;aAC/F;YAED,mCAAmC;YACnC;gBACE,EAAE,EAAE,mBAAmB;gBACvB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,kCAAkC,EAAE,oBAAoB;oBACxD,uBAAuB;oBACvB,0CAA0C;iBAC3C;gBACD,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,+BAA+B;gBACzC,WAAW,EAAE,0CAA0C;gBACvD,WAAW,EAAE,uDAAuD;aACrE;YACD;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,uBAAuB;gBAC7B,QAAQ,EAAE;oBACR,iCAAiC;oBACjC,8BAA8B;oBAC9B,+BAA+B;oBAC/B,iCAAiC;oBACjC,sBAAsB;iBACvB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,+BAA+B;gBACzC,WAAW,EAAE,6BAA6B;gBAC1C,WAAW,EAAE,uEAAuE;aACrF;YAED,YAAY;YACZ;gBACE,EAAE,EAAE,MAAM;gBACV,IAAI,EAAE,6BAA6B;gBACnC,QAAQ,EAAE;oBACR,8BAA8B;oBAC9B,+BAA+B;oBAC/B,8BAA8B;oBAC9B,kCAAkC;oBAClC,yBAAyB;iBAC1B;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,UAAU;gBACpB,WAAW,EAAE,4DAA4D;gBACzE,WAAW,EAAE,8EAA8E;aAC5F;YAED,kCAAkC;YAClC;gBACE,EAAE,EAAE,eAAe;gBACnB,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE;oBACR,iCAAiC;oBACjC,6BAA6B;oBAC7B,8DAA8D,EAAE,6BAA6B;oBAC7F,uBAAuB;iBACxB;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,2CAA2C;gBACxD,WAAW,EAAE,oDAAoD;aAClE;YACD;gBACE,EAAE,EAAE,cAAc;gBAClB,IAAI,EAAE,kBAAkB;gBACxB,QAAQ,EAAE;oBACR,iBAAiB;oBACjB,wBAAwB;iBACzB;gBACD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,kDAAkD;gBAC/D,WAAW,EAAE,+CAA+C;aAC7D;YAED,6BAA6B;YAC7B;gBACE,EAAE,EAAE,gBAAgB;gBACpB,IAAI,EAAE,gBAAgB;gBACtB,QAAQ,EAAE;oBACR,8BAA8B;oBAC9B,2BAA2B;oBAC3B,8BAA
8B;oBAC9B,gCAAgC;oBAChC,4BAA4B;oBAC5B,kCAAkC;iBACnC;gBACD,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,eAAe;gBACzB,WAAW,EAAE,wDAAwD;gBACrE,WAAW,EAAE,2FAA2F;aACzG;SACF,CAAA;IA2GH,CAAC;IAzGC,KAAK,CAAC,KAAK,CAAC,KAAiD,EAAE,GAAoB;QACjF,qEAAqE;QACrE,IAAI,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QACnD,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QAErF,MAAM,IAAI,GAAG,KAAK,CAAC,IAA0F,CAAA;QAC7G,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU,IAAI,EAAE,CAAA;QACzD,IAAI,CAAC,WAAW;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QAE7C,MAAM,QAAQ,GAAiB,EAAE,CAAA;QAEjC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACrC,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC9B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;oBACpB,MAAK,CAAC,uCAAuC;gBAC/C,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;QAEtD,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAA;QAChE,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;QAExD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,yBAAyB,EAAE;gBAC3C,IAAI,EAAE,IAAI,CAAC,SAAS;gBACpB,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAClC,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAA;YAElC,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC;gBACjD,UAAU,EAAE,0DAA0D;aACvE,CAAA;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,EAAE;gBACvC,IAAI,EAAE,IAAI,CAAC,SAAS;gBACpB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC9B,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAA;YAElC,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC;gBACzC,UAAU,EAAE,+CAA+C;aAC5D,CAAA;QACH,CAAC;QA
ED,8BAA8B;QAC9B,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,EAAE;YACvC,IAAI,EAAE,IAAI,CAAC,SAAS;YACpB,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAClC,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAA;QAElC,OAAO;YACL,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,QAAQ,CAAC;SACrF,CAAA;IACH,CAAC;IAEO,cAAc,CAAC,QAAsB,EAAE,QAAgB;QAC7D,MAAM,KAAK,GAAG;YACZ,8BAA8B,QAAQ,GAAG;YACzC,EAAE;SACH,CAAA;QAED,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;YACvC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;YACvC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;YACrC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAChB,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,IAAY;QACnB,MAAM,QAAQ,GAAiB,EAAE,CAAA;QACjC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACrC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;oBACpB,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;CACF;AAYD;;GAEG;AACH,MAAM,OAAO,eAAe;IAA5B;QACU,aAAQ,GAAG,IAAI,aAAa,EAAE,CAAA;IAyBxC,CAAC;IAvBC,QAAQ,CAAC,OAAe,EAAE,QAAgB;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAEhD,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAEnD,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC;YACnC,CAAC,CAAC,6BAA6B;YAC/B,CAAC,CAAC,SAAS,QAAQ,CAAC,MAAM,+BAA+B,SAAS,QAAQ,CAAA;QAE5E,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,QAAQ;YACR,SAAS;YACT,OAAO;SACR,CAAA;IACH,CAAC;IAEO,kBAAkB,CAAC,QAAsB;QAC/C,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;YAAE,OAAO,UAAU,CAAA;QACpE,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;YAAE,OAAO,MAAM,CAAA;QAC5D,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,
KAAK,QAAQ,CAAC;YAAE,OAAO,QAAQ,CAAA;QAChE,OAAO,KAAK,CAAA;IACd,CAAC;CACF"}
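--- a/package/dist/workflow/ReviewAnalyzer.d.ts
+++ b/package/dist/workflow/ReviewAnalyzer.d.ts
@@ -8,10 +8,15 @@ export interface DiffInput {
 file: string;
 text: string;
 }
+export interface VerificationEvidenceSummary {
+gate: string;
+passed: boolean;
+}
 export interface ReviewAnalysisInput {
 statusOutput: string;
 diffs: DiffInput[];
 taskPayload?: Pick<TaskPayload, 'verificationEvidenceIds'>;
+verificationEvidence?: VerificationEvidenceSummary[];
 largeDiffThreshold?: number;
 }
 export declare function parseChangedFiles(output: string): ChangedFile[];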
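Review bot: `VerificationEvidenceSummary` and the new optional `verificationEvidence` field carry no TSDoc, so a caller cannot tell from the declaration how they relate to the existing `taskPayload.verificationEvidenceIds` or what an absent array means to the analyzer. Add `/** Outcome of one verification gate as reported by the caller. */` above the interface and, on the field, `/** Per-gate verification results, when available; state whether an absent array counts as "no evidence" or "not evaluated". */`, resolving the wording against the implementation in ReviewAnalyzer.js. Since this .d.ts is compiler output, the comment belongs on the corresponding declaration in the .ts source so it survives the next build.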