@jaimevalasek/aioson 1.7.0 → 1.8.0

package/src/lib/security/artifact-reader.js

@@ -0,0 +1,167 @@
+'use strict';
+
+const fs = require('node:fs/promises');
+const path = require('node:path');
+
+const ARTIFACT_NAMES = Object.freeze([
+  { key: 'prd', name: (slug) => `prd-${slug}.md` },
+  { key: 'requirements', name: (slug) => `requirements-${slug}.md` },
+  { key: 'architecture', name: () => 'architecture.md' },
+  { key: 'implementation_plan', name: (slug) => `implementation-plan-${slug}.md` },
+  { key: 'spec', name: (slug) => `spec-${slug}.md` },
+  { key: 'conformance', name: (slug) => `conformance-${slug}.yaml` }
+]);
+
+async function readSlugArtifacts(targetDir, slug) {
+  const baseDir = path.join(targetDir, '.aioson', 'context');
+  const result = { slug, baseDir, artifacts: {} };
+  for (const def of ARTIFACT_NAMES) {
+    const filePath = path.join(baseDir, def.name(slug));
+    try {
+      const content = await fs.readFile(filePath, 'utf8');
+      result.artifacts[def.key] = { path: filePath, content, present: true };
+    } catch (err) {
+      if (err && err.code === 'ENOENT') {
+        result.artifacts[def.key] = { path: filePath, content: null, present: false };
+      } else {
+        throw err;
+      }
+    }
+  }
+  return result;
+}
+
+function extractClassification(content) {
+  if (!content) return null;
+  const match = content.match(/^classification:\s*["']?([A-Z]+)["']?/m);
+  return match ? match[1].toUpperCase() : null;
+}
+
+function hasSection(content, headerRegex) {
+  if (!content) return false;
+  return headerRegex.test(content);
+}
+
+const TABLE_ROW_TO_SURFACE = Object.freeze({
+  'authenticated endpoints': 'auth',
+  'owned resources': 'ownership',
+  'financial state changes': 'money',
+  uploads: 'uploads',
+  'external urls': 'external_urls',
+  'secrets or credentials': 'secrets',
+  'storage boundaries': 'storage',
+  'pentester trigger': 'pentester_trigger'
+});
+
+const NON_APPLICABLE_SURFACE_PATTERNS = [
+  /\bnone introduced\b/i,
+  /\bno new\b/i,
+  /\bn\/a\b/i,
+  /\bnot applicable\b/i,
+  /\bout of scope\b/i,
+  /\bnot required\b/i,
+  /\bfuture\b/i,
+  /\bwhen present\b/i,
+  /\blater verif(?:y|ies)\b/i,
+  /\bdefines controls\b/i,
+  /\bphase \d+\b/i,
+  /\.aioson\//i,
+  /\btemplate sync\b/i,
+  /\bruntime sqlite\b/i
+];
+
+function extractAttackSurfaceSection(requirementsContent) {
+  if (!requirementsContent) return null;
+  const lines = requirementsContent.split(/\r?\n/);
+  const startIndex = lines.findIndex((line) => /^##\s+Attack Surface(?: Map)?\b/i.test(line));
+  if (startIndex === -1) return null;
+  const sectionLines = [];
+  for (let i = startIndex + 1; i < lines.length; i += 1) {
+    if (/^##\s+/.test(lines[i])) break;
+    sectionLines.push(lines[i]);
+  }
+  return sectionLines.join('\n');
+}
+
+function normalizeSurfaceLabel(label) {
+  return String(label || '')
+    .toLowerCase()
+    .replace(/[`*_]/g, '')
+    .replace(/\s+/g, ' ')
+    .trim();
+}
+
+function parseAttackSurfaceRows(sectionContent) {
+  if (!sectionContent) return [];
+  const rows = [];
+  for (const rawLine of sectionContent.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line.startsWith('|')) continue;
+    const cells = line
+      .split('|')
+      .slice(1, -1)
+      .map((cell) => cell.trim());
+    if (cells.length < 2) continue;
+    const [label, value] = cells;
+    if (!label || /^-+$/.test(label.replace(/\s+/g, ''))) continue;
+    if (!value || /^-+$/.test(value.replace(/\s+/g, ''))) continue;
+    if (normalizeSurfaceLabel(label) === 'surface') continue;
+    rows.push({ label, value });
+  }
+  return rows;
+}
+
+function isApplicableSurfaceValue(value) {
+  const normalized = String(value || '').trim();
+  if (!normalized) return false;
+  return !NON_APPLICABLE_SURFACE_PATTERNS.some((pattern) => pattern.test(normalized));
+}
+
+function extractAttackSurfaceFlags(requirementsContent) {
+  if (!requirementsContent) {
+    return { hasMap: false, surfaces: [] };
+  }
+  const section = extractAttackSurfaceSection(requirementsContent);
+  const hasMap = Boolean(section) || /##\s+Attack Surface Map|##\s+Attack Surface\b/i.test(requirementsContent);
+  const surfaces = [];
+  if (section) {
+    const seen = new Set();
+    const rows = parseAttackSurfaceRows(section);
+    for (const row of rows) {
+      const key = TABLE_ROW_TO_SURFACE[normalizeSurfaceLabel(row.label)];
+      if (!key || key === 'pentester_trigger') continue;
+      if (!isApplicableSurfaceValue(row.value) || seen.has(key)) continue;
+      seen.add(key);
+      surfaces.push(key);
+    }
+    if (rows.length > 0) {
+      return { hasMap, surfaces };
+    }
+  }
+
+  const checks = [
+    { key: 'auth', re: /authenticated_endpoints|authenticated endpoints|\bauth\b/i },
+    { key: 'ownership', re: /owned[_ -]?resources|ownership/i },
+    { key: 'money', re: /financial[_ -]?state[_ -]?changes|payments?|money/i },
+    { key: 'uploads', re: /uploads?/i },
+    { key: 'external_urls', re: /external[_ -]?urls?/i },
+    { key: 'secrets', re: /secrets?[_ -]?or[_ -]?credentials|api[_ -]?keys?/i },
+    { key: 'storage', re: /storage[_ -]?boundaries?|rls\b/i }
+  ];
+  const fallbackContent = section || requirementsContent;
+  for (const c of checks) {
+    if (c.re.test(fallbackContent)) surfaces.push(c.key);
+  }
+  return { hasMap, surfaces };
+}
+
+module.exports = {
+  ARTIFACT_NAMES,
+  readSlugArtifacts,
+  extractClassification,
+  hasSection,
+  extractAttackSurfaceFlags,
+  extractAttackSurfaceSection,
+  parseAttackSurfaceRows,
+  isApplicableSurfaceValue
+};

package/src/lib/security/exit-codes.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const EXIT_CODES = Object.freeze({
+  PASS: 0,
+  BLOCKING: 10,
+  INCONCLUSIVE: 11,
+  BAD_INPUT: 12,
+  CONTRACT_VIOLATION: 13
+});
+
+const SEVERITY_RANK = Object.freeze({
+  critical: 5,
+  high: 4,
+  medium: 3,
+  low: 2,
+  info: 1,
+  advisory: 0,
+  inconclusive: -1
+});
+
+function isBlockingSeverity(severity) {
+  return severity === 'critical' || severity === 'high';
+}
+
+function resolveExitCode({ classification, findings, hasInconclusive, strict }) {
+  const cls = String(classification || 'MICRO').toUpperCase();
+  const blocking = findings.some(
+    (f) => f.status === 'open' && isBlockingSeverity(f.severity)
+  );
+
+  if (strict && findings.some((f) => f.status === 'open')) {
+    return EXIT_CODES.BLOCKING;
+  }
+
+  if (cls === 'MEDIUM' && blocking) {
+    return EXIT_CODES.BLOCKING;
+  }
+
+  if (hasInconclusive) {
+    return EXIT_CODES.INCONCLUSIVE;
+  }
+
+  return EXIT_CODES.PASS;
+}
+
+module.exports = {
+  EXIT_CODES,
+  SEVERITY_RANK,
+  isBlockingSeverity,
+  resolveExitCode
+};

package/src/lib/security/findings-writer.js

@@ -0,0 +1,176 @@
+'use strict';
+
+const fs = require('node:fs/promises');
+const path = require('node:path');
+const crypto = require('node:crypto');
+
+const SCHEMA_VERSION = '1.0.0';
+const MAX_FINDINGS = 500;
+const ARTIFACT_DIR = path.join('.aioson', 'context');
+const PRESERVED_STATUSES_ON_REDETECT = new Set(['accepted', 'accepted_risk', 'false_positive']);
+
+function hash6(input) {
+  return crypto.createHash('sha1').update(String(input)).digest('hex').slice(0, 6);
+}
+
+function buildFindingId({ source, control_id, scope }) {
+  return `${source}-${control_id}-${hash6(scope || '')}`;
+}
+
+function normalizeFinding(input, { generator }) {
+  const finding_id = input.finding_id || buildFindingId({
+    source: input.source,
+    control_id: input.control_id,
+    scope: input.scope
+  });
+  return {
+    finding_id,
+    source: input.source,
+    control_id: input.control_id,
+    severity: input.severity,
+    status: input.status || 'open',
+    scope: input.scope,
+    affected_artifacts: Array.isArray(input.affected_artifacts) ? [...input.affected_artifacts] : [],
+    preconditions: Array.isArray(input.preconditions) ? [...input.preconditions] : [],
+    reproduction_steps: Array.isArray(input.reproduction_steps) ? [...input.reproduction_steps] : [],
+    evidence: Array.isArray(input.evidence) ? [...input.evidence] : [],
+    impact: input.impact || '',
+    suggested_fix: input.suggested_fix || '',
+    recommended_owner: input.recommended_owner || 'dev',
+    recommended_gate_status: input.recommended_gate_status || gateStatusFromSeverity(input.severity),
+    safe_to_reproduce: input.safe_to_reproduce !== false,
+    detected_by: generator
+  };
+}
+
+function gateStatusFromSeverity(severity) {
+  if (severity === 'critical' || severity === 'high') return 'block';
+  if (severity === 'medium') return 'review';
+  return 'note';
+}
+
+function sortFindings(findings) {
+  return [...findings].sort((a, b) => a.finding_id.localeCompare(b.finding_id));
+}
+
+function summarize(findings) {
+  const summary = { critical: 0, high: 0, medium: 0, low: 0, inconclusive: 0 };
+  for (const f of findings) {
+    if (f.status !== 'open' && f.status !== 'needs_validation') continue;
+    if (f.severity === 'inconclusive') {
+      summary.inconclusive += 1;
+    } else if (summary[f.severity] !== undefined) {
+      summary[f.severity] += 1;
+    }
+  }
+  return summary;
+}
+
+function artifactPathFor(targetDir, slug) {
+  const safeSlug = slug && slug.length > 0 ? slug : 'project';
+  return path.join(targetDir, ARTIFACT_DIR, `security-findings-${safeSlug}.json`);
+}
+
+async function readArtifact(artifactPath) {
+  try {
+    const raw = await fs.readFile(artifactPath, 'utf8');
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== 'object' || !Array.isArray(parsed.findings)) {
+      return null;
+    }
+    return parsed;
+  } catch (err) {
+    if (err && err.code === 'ENOENT') return null;
+    throw err;
+  }
+}
+
+function mergeFindings(existing, incoming) {
+  const byId = new Map();
+  for (const f of existing) {
+    byId.set(f.finding_id, f);
+  }
+  const seenIncoming = new Set();
+  for (const f of incoming) {
+    seenIncoming.add(f.finding_id);
+    const prior = byId.get(f.finding_id);
+    if (
+      prior &&
+      PRESERVED_STATUSES_ON_REDETECT.has(prior.status) &&
+      (f.status === 'open' || f.status === 'needs_validation')
+    ) {
+      byId.set(f.finding_id, { ...f, status: prior.status });
+      continue;
+    }
+    byId.set(f.finding_id, { ...f });
+  }
+  for (const f of existing) {
+    if (!seenIncoming.has(f.finding_id) && (f.status === 'open' || f.status === 'needs_validation')) {
+      byId.set(f.finding_id, { ...f, status: 'fixed' });
+    }
+  }
+  return sortFindings([...byId.values()]);
+}
+
+async function writeFindings({
+  targetDir,
+  slug,
+  source,
+  generator,
+  generatedAt,
+  scopeMode,
+  findings
+}) {
+  const artifactPath = artifactPathFor(targetDir, slug);
+  const normalized = findings.map((f) => normalizeFinding({ ...f, source: f.source || source }, { generator }));
+
+  const existing = await readArtifact(artifactPath);
+  const previous = existing && Array.isArray(existing.findings) ? existing.findings : [];
+  const merged = mergeFindings(previous, normalized);
+
+  if (merged.length > MAX_FINDINGS) {
+    return {
+      ok: false,
+      reason: 'contract_violation_too_many_findings',
+      count: merged.length,
+      max: MAX_FINDINGS,
+      artifactPath
+    };
+  }
+
+  const payload = {
+    schema_version: SCHEMA_VERSION,
+    slug: slug || 'project',
+    generated_at: generatedAt,
+    generator,
+    review_contract: {
+      scope_mode: scopeMode,
+      evidence_policy: 'high_critical_require_reproduction',
+      findings_artifact_path: path.posix.join('.aioson', 'context', `security-findings-${slug || 'project'}.json`)
+    },
+    summary: summarize(merged),
+    findings: merged
+  };
+
+  await fs.mkdir(path.dirname(artifactPath), { recursive: true });
+  const json = JSON.stringify(payload, null, 2) + '\n';
+  await fs.writeFile(artifactPath, json, 'utf8');
+
+  return { ok: true, artifactPath, payload };
+}
+
+module.exports = {
+  SCHEMA_VERSION,
+  MAX_FINDINGS,
+  ARTIFACT_DIR,
+  buildFindingId,
+  hash6,
+  gateStatusFromSeverity,
+  normalizeFinding,
+  summarize,
+  sortFindings,
+  mergeFindings,
+  artifactPathFor,
+  readArtifact,
+  writeFindings
+};

package/src/lib/security/runtime-events.js

@@ -0,0 +1,77 @@
+'use strict';
+
+const { openRuntimeDb, appendRunEvent } = require('../../runtime-store');
+const { recordRuntimeOperation, makeWorkflowSessionKey } = require('../../execution-gateway');
+
+function normalizeText(value) {
+  return String(value || '').trim();
+}
+
+async function emitSecurityRuntimeEvent({
+  targetDir,
+  eventType,
+  message,
+  payload = null,
+  runKey = null,
+  status = 'completed',
+  agentName = 'qa',
+  source = 'direct',
+  workflowState = null,
+  workflowStage = null
+}) {
+  if (!targetDir || !eventType) {
+    return { ok: false, reason: 'missing_target_or_event' };
+  }
+
+  try {
+    if (runKey) {
+      const handle = await openRuntimeDb(targetDir);
+      try {
+        appendRunEvent(handle.db, {
+          runKey,
+          eventType,
+          phase: 'security',
+          status,
+          message: normalizeText(message) || eventType,
+          payload: payload && typeof payload === 'object' ? payload : null,
+          toolName: 'aioson'
+        });
+        return { ok: true, dbPath: handle.dbPath, runKey };
+      } finally {
+        handle.db.close();
+      }
+    }
+
+    const workflowId = workflowState ? makeWorkflowSessionKey(workflowState) : null;
+    const featureSlug = normalizeText(workflowState && workflowState.featureSlug);
+    const resolvedStage = normalizeText(workflowStage || (workflowState && workflowState.current) || '');
+
+    return await recordRuntimeOperation(targetDir, {
+      agentName,
+      source,
+      workflowId: workflowId || null,
+      workflowStage: resolvedStage || null,
+      sessionKey: workflowId
+        ? `${workflowId}:security:${eventType}:${Date.now()}`
+        : `security:${eventType}:${Date.now()}`,
+      title: featureSlug
+        ? `Security event ${eventType} (${featureSlug})`
+        : `Security event ${eventType}`,
+      runTitle: eventType,
+      goal: featureSlug
+        ? `Registrar ${eventType} para ${featureSlug}`
+        : `Registrar ${eventType}`,
+      phase: 'security',
+      eventType,
+      status,
+      message: normalizeText(message) || eventType,
+      summary: normalizeText(message) || eventType,
+      payload: payload && typeof payload === 'object' ? payload : null,
+      toolName: 'aioson'
+    });
+  } catch {
+    return { ok: false, reason: 'runtime_emit_failed' };
+  }
+}
+
+module.exports = { emitSecurityRuntimeEvent };

package/src/lib/security/secrets-regex.js

@@ -0,0 +1,115 @@
+'use strict';
+
+const ALLOW_MARKERS = Object.freeze([
+  'EXAMPLE',
+  'example',
+  'dummy',
+  'DUMMY',
+  'placeholder',
+  'PLACEHOLDER',
+  'your-key-here',
+  'YOUR_KEY_HERE',
+  'xxxxxxxx',
+  'XXXXXXXX',
+  '<replace',
+  'REPLACE_ME',
+  'changeme',
+  'CHANGEME'
+]);
+
+const ALLOW_PATH_SUFFIXES = Object.freeze([
+  '.env.example',
+  '.env.sample',
+  '.env.template'
+]);
+
+const PATTERNS = Object.freeze([
+  {
+    id: 'aws-access-key',
+    name: 'AWS access key',
+    pattern: /\bAKIA[0-9A-Z]{16}\b/g,
+    severity: 'critical',
+    control: 'SEC-SBD-05'
+  },
+  {
+    id: 'stripe-live-key',
+    name: 'Stripe live secret key',
+    pattern: /\bsk_live_[A-Za-z0-9]{24,}\b/g,
+    severity: 'critical',
+    control: 'SEC-SBD-05'
+  },
+  {
+    id: 'openai-api-key',
+    name: 'OpenAI API key',
+    pattern: /\bsk-[A-Za-z0-9]{20,}\b/g,
+    severity: 'high',
+    control: 'SEC-SBD-05'
+  },
+  {
+    id: 'anthropic-api-key',
+    name: 'Anthropic API key',
+    pattern: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g,
+    severity: 'high',
+    control: 'SEC-SBD-05'
+  },
+  {
+    id: 'rsa-private-key',
+    name: 'RSA / SSH private key block',
+    pattern: /-----BEGIN (?:RSA |OPENSSH |DSA |EC |PGP )?PRIVATE KEY-----/g,
+    severity: 'critical',
+    control: 'SEC-SBD-05'
+  },
+  {
+    id: 'generic-password-assignment',
+    name: 'Inline password assignment',
+    pattern: /\b(?:password|passwd|pwd)\s*[:=]\s*['"][^'"\s]{8,}['"]/gi,
+    severity: 'high',
+    control: 'SEC-SBD-05'
+  },
+  {
+    id: 'generic-token-assignment',
+    name: 'Inline token / api_key assignment with long value',
+    pattern: /\b(?:api[_-]?key|access[_-]?token|secret[_-]?token|auth[_-]?token)\s*[:=]\s*['"][A-Za-z0-9._-]{20,}['"]/gi,
+    severity: 'high',
+    control: 'SEC-SBD-05'
+  }
+]);
+
+const FORBIDDEN_FILES = Object.freeze([
+  '.env',
+  '.env.local',
+  '.env.production',
+  '.env.staging',
+  'id_rsa',
+  'id_ed25519',
+  'id_dsa',
+  'id_ecdsa'
+]);
+
+function isAllowedByMarkers(line) {
+  for (const marker of ALLOW_MARKERS) {
+    if (line.indexOf(marker) !== -1) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function isAllowedByPath(filePath) {
+  const lower = filePath.toLowerCase();
+  for (const suffix of ALLOW_PATH_SUFFIXES) {
+    if (lower.endsWith(suffix)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+module.exports = {
+  PATTERNS,
+  FORBIDDEN_FILES,
+  ALLOW_MARKERS,
+  ALLOW_PATH_SUFFIXES,
+  isAllowedByMarkers,
+  isAllowedByPath
+};