@mestreyoda/fabrica 0.1.0

package/genesis/scripts/security-review.sh

@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Step 8: Security review — run SecureClaw audit + pattern matching on spec
+# Input: stdin JSON (session state)
+# Output: JSON with security findings to stdout
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SECURECLAW_AUDIT="$HOME/.openclaw/extensions/secureclaw/skill/scripts/quick-audit.sh"
+
+if [[ -n "${1:-}" && -f "${1:-}" ]]; then
+  INPUT="$(cat "$1")"
+else
+  INPUT="$(cat)"
+fi
+SESSION_ID="$(echo "$INPUT" | jq -r '.session_id')"
+SPEC="$(echo "$INPUT" | jq '.spec // {}')"
+METADATA="$(echo "$INPUT" | jq '.metadata // {}')"
+CLASSIFICATION="$(echo "$INPUT" | jq '.classification // {}')"
+INTERVIEW="$(echo "$INPUT" | jq '.interview // {}')"
+IMPACT="$(echo "$INPUT" | jq '.impact // {}')"
+QA_CONTRACT="$(echo "$INPUT" | jq '.qa_contract // {}')"
+PROJECT_MAP="$(echo "$INPUT" | jq '.project_map // {}')"
+SCAFFOLD="$(echo "$INPUT" | jq '.scaffold // {}')"
+
+echo "Running security review for session $SESSION_ID..." >&2
+
+# Run SecureClaw audit if available
+AUDIT_RAN=false
+AUDIT_SCORE=0
+AUDIT_FINDINGS="[]"
+
+if [[ -f "$SECURECLAW_AUDIT" ]]; then
+  echo "Running SecureClaw quick-audit..." >&2
+  AUDIT_OUTPUT="$(bash "$SECURECLAW_AUDIT" 2>&1 || true)"
+  AUDIT_RAN=true
+
+  # Extract score
+  AUDIT_SCORE="$(echo "$AUDIT_OUTPUT" | grep -oP 'Security Score: \K[0-9]+' || echo "0")"
+
+  # Extract findings (FAIL lines)
+  while IFS= read -r line; do
+    [[ -z "$line" ]] && continue
+    AUDIT_FINDINGS="$(echo "$AUDIT_FINDINGS" | jq --arg f "$line" '. + [$f]')"
+  done < <(echo "$AUDIT_OUTPUT" | grep -E '🔴|🟠|🟡' | sed 's/^[[:space:]]*//' || true)
+
+  echo "SecureClaw score: $AUDIT_SCORE/100" >&2
+else
+  echo "SecureClaw not installed — skipping audit" >&2
+fi
+
+# Pattern matching on spec for security concerns
+SPEC_TEXT="$(echo "$SPEC" | jq -r '[.title, .objective, (.scope_v1 // [] | .[]), (.acceptance_criteria // [] | .[])] | join(" ")' | tr '[:upper:]' '[:lower:]')"
+AUTH_SIGNAL_FROM_META="$(echo "$INPUT" | jq -r '.metadata.auth_gate.signal // false')"
+AUTH_EVIDENCE_FROM_META="$(echo "$INPUT" | jq -r '.metadata.auth_gate.evidence // false')"
+
+SECURITY_NOTES="[]"
+
+# Check for common security-sensitive patterns
+declare -A PATTERNS=(
+  ["auth"]="Authentication/authorization detected — ensure proper session management, password hashing, and token validation"
+  ["login"]="Login flow detected — protect against brute force, credential stuffing, and session fixation"
+  ["password"]="Password handling detected — use bcrypt/argon2, never store plaintext"
+  ["api"]="API detected — validate all inputs, implement rate limiting, use HTTPS"
+  ["database"]="Database access detected — use parameterized queries, prevent SQL injection"
+  ["banco de dados"]="Database access detected — use parameterized queries, prevent SQL injection"
+  ["upload"]="File upload detected — validate file types, limit size, scan for malware"
+  ["payment"]="Payment processing detected — PCI DSS compliance required"
+  ["pagamento"]="Payment processing detected — PCI DSS compliance required"
+  ["email"]="Email handling detected — sanitize inputs, prevent header injection"
+  ["jwt"]="JWT detected — validate signatures, check expiration, use strong secrets"
+  ["token"]="Token handling detected — secure storage, rotation policy, revocation"
+  ["admin"]="Admin functionality detected — enforce RBAC, audit logging"
+  ["webhook"]="Webhook detected — validate signatures, implement replay protection"
+  ["secret"]="Secrets handling detected — use env vars or vault, never hardcode"
+  ["encrypt"]="Encryption detected — use standard libraries, proper key management"
+  ["criptograf"]="Encryption detected — use standard libraries, proper key management"
+)
+
+for pattern in "${!PATTERNS[@]}"; do
+  if [[ "$SPEC_TEXT" == *"$pattern"* ]]; then
+    SECURITY_NOTES="$(echo "$SECURITY_NOTES" | jq --arg n "${PATTERNS[$pattern]}" '. + [$n]')"
+  fi
+done
+
+if [[ "$AUTH_SIGNAL_FROM_META" == "true" ]]; then
+  SECURITY_NOTES="$(echo "$SECURITY_NOTES" | jq '. + ["Auth/perfil requirement detected from intake context. Keep authz/authn checks mandatory in implementation and review."]')"
+  if [[ "$AUTH_EVIDENCE_FROM_META" != "true" ]]; then
+    SECURITY_NOTES="$(echo "$SECURITY_NOTES" | jq '. + ["Potential contract drift: auth signal detected without explicit acceptance evidence in spec."]')"
+  fi
+fi
+
+NOTE_COUNT="$(echo "$SECURITY_NOTES" | jq 'length')"
+
+# Recommendation
+if [[ "$AUTH_SIGNAL_FROM_META" == "true" && "$AUTH_EVIDENCE_FROM_META" != "true" ]]; then
+  RECOMMENDATION="HIGH security sensitivity — auth requirements appear incomplete and must be reconciled before dispatch"
+elif [[ "$NOTE_COUNT" -gt 3 ]]; then
+  RECOMMENDATION="HIGH security sensitivity — require security-focused code review and penetration testing before release"
+elif [[ "$NOTE_COUNT" -gt 0 ]]; then
+  RECOMMENDATION="MODERATE security sensitivity — standard security review during code review phase"
+else
+  RECOMMENDATION="LOW security sensitivity — standard QA gates should suffice"
+fi
+
+echo "Security notes: $NOTE_COUNT concerns found. $RECOMMENDATION" >&2
+
+jq -n \
+  --arg sid "$SESSION_ID" \
+  --argjson audit_ran "$AUDIT_RAN" \
+  --argjson score "$AUDIT_SCORE" \
+  --argjson findings "$AUDIT_FINDINGS" \
+  --argjson notes "$SECURITY_NOTES" \
+  --arg rec "$RECOMMENDATION" \
+  --argjson spec "$SPEC" \
+  --argjson cls "$CLASSIFICATION" \
+  --argjson interview "$INTERVIEW" \
+  --argjson impact "$IMPACT" \
+  --argjson qa "$QA_CONTRACT" \
+  --argjson map "$PROJECT_MAP" \
+  --argjson scaffold "$SCAFFOLD" \
+  --argjson meta "$METADATA" \
+  '{
+    session_id: $sid,
+    step: "security",
+    security: {
+      audit_ran: $audit_ran,
+      score: $score,
+      findings: $findings,
+      spec_security_notes: $notes,
+      recommendation: $rec
+    },
+    spec: $spec,
+    classification: $cls,
+    interview: $interview,
+    impact: $impact,
+    qa_contract: $qa,
+    project_map: $map,
+    scaffold: $scaffold,
+    metadata: $meta
+  }'

package/genesis/scripts/sideband-lib.sh

@@ -0,0 +1,243 @@
+#!/usr/bin/env bash
+
+# sideband-lib.sh — Genesis sideband IPC + shared utilities
+# Now delegates utility functions to genesis-utils.sh.
+# Existing callers that `source sideband-lib.sh` get all functions
+# (utils + sideband IPC) for backward compatibility.
+# shellcheck shell=bash
+
+if [ -z "${BASH_VERSION:-}" ]; then
+  echo "ERROR: sideband-lib.sh requires bash." >&2
+  return 1 2>/dev/null || exit 1
+fi
+
+set -euo pipefail
+
+# Load shared utilities (categories A-E: parsing, project queries, CLI, factory logic)
+_SIDEBAND_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$_SIDEBAND_LIB_DIR/genesis-utils.sh"
+
+# === Category C: Sideband IPC Protocol (Secure Envelope Exchange) ===
+
+genesis_sideband_dir() {
+  local dir="${GENESIS_SIDEBAND_DIR:-$HOME/.openclaw/workspace/devclaw/sideband}"
+
+  if [[ -L "$dir" ]]; then
+    echo "ERROR: Sideband dir must not be a symlink: $dir" >&2
+    return 1
+  fi
+  if [[ -e "$dir" && ! -d "$dir" ]]; then
+    echo "ERROR: Sideband path is not a directory: $dir" >&2
+    return 1
+  fi
+
+  if ! (umask 077 && mkdir -p "$dir"); then
+    echo "ERROR: Failed to create sideband dir: $dir" >&2
+    return 1
+  fi
+  chmod 700 "$dir" 2>/dev/null || true
+  if [[ ! -d "$dir" || -L "$dir" || ! -O "$dir" ]]; then
+    echo "ERROR: Sideband dir is not secure: $dir" >&2
+    return 1
+  fi
+
+  printf '%s\n' "$dir"
+}
+
+genesis_sideband_secret() {
+  local session_id="${1:-}"
+  local secret="${GENESIS_SIDEBAND_SECRET:-${OPENCLAW_SIDEBAND_SECRET:-}}"
+
+  if [[ -z "$secret" ]]; then
+    local dir secret_file
+    dir="$(genesis_sideband_dir)"
+    secret_file="$dir/.genesis-sideband-secret"
+
+    if [[ -f "$secret_file" ]]; then
+      if [[ ! -O "$secret_file" || -L "$secret_file" ]]; then
+        echo "ERROR: Sideband secret file is not secure: $secret_file" >&2
+        return 1
+      fi
+      secret="$(head -n 1 "$secret_file" 2>/dev/null || true)"
+    fi
+
+    if [[ -z "$secret" ]]; then
+      secret="$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
+      if [[ -z "$secret" ]]; then
+        secret="$(hostname)-$(id -u)-${GENESIS_RUN_ID:-$session_id}"
+      fi
+      if ! (umask 077 && printf '%s\n' "$secret" > "$secret_file"); then
+        echo "WARNING: Failed to persist sideband secret file; using in-memory secret" >&2
+      fi
+      chmod 600 "$secret_file" 2>/dev/null || true
+    fi
+  fi
+
+  if [[ -z "$secret" ]]; then
+    secret="$(hostname)-$(id -u)-${GENESIS_RUN_ID:-$session_id}"
+  fi
+
+  printf '%s\n' "$secret"
+}
+
+genesis_sideband_key() {
+  local session_id="${1:-}"
+  local seed=""
+
+  # Use session_id as canonical key to keep sideband stable across workflow steps.
+  # GENESIS_RUN_ID may vary depending on runner internals and must not break reads.
+  if [[ -n "$session_id" ]]; then
+    seed="$session_id"
+  else
+    seed="${GENESIS_RUN_ID:-}"
+  fi
+
+  if [[ -z "$seed" ]]; then
+    echo "ERROR: Missing session seed for sideband key" >&2
+    return 1
+  fi
+
+  printf '%s' "$seed" | sha256sum | cut -c1-24
+}
+
+genesis_sideband_signature() {
+  local session_id="$1"
+  local key="$2"
+  local nonce="$3"
+  local created_at="$4"
+  local payload_json="$5"
+  local secret
+  secret="$(genesis_sideband_secret "$session_id")"
+  printf '%s' "${secret}|${key}|${nonce}|${created_at}|${payload_json}" | sha256sum | cut -d' ' -f1
+}
+
+genesis_sideband_write() {
+  local kind="$1"
+  local session_id="$2"
+  local payload_json="$3"
+
+  local dir key nonce created_at signature tmp_path
+  if [[ -z "$kind" || -z "$session_id" || -z "$payload_json" ]]; then
+    echo "ERROR: genesis_sideband_write requires kind, session_id, and payload" >&2
+    return 1
+  fi
+
+  dir="$(genesis_sideband_dir)"
+  key="$(genesis_sideband_key "$session_id")"
+  nonce="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
+  created_at="$(date +%s)"
+  signature="$(genesis_sideband_signature "$session_id" "$key" "$nonce" "$created_at" "$payload_json")"
+
+  tmp_path="$(mktemp "$dir/genesis-${key}-${kind}-${nonce}-XXXXXX.json")"
+  chmod 600 "$tmp_path"
+
+  if ! jq -n \
+    --arg kind "$kind" \
+    --arg key "$key" \
+    --arg nonce "$nonce" \
+    --argjson created_at "$created_at" \
+    --arg signature "$signature" \
+    --argjson payload "$payload_json" \
+    '{
+      kind: $kind,
+      key: $key,
+      nonce: $nonce,
+      created_at: $created_at,
+      signature: $signature,
+      payload: $payload
+    }' > "$tmp_path"; then
+    rm -f "$tmp_path"
+    return 1
+  fi
+
+  if [[ ! -O "$tmp_path" || -L "$tmp_path" ]]; then
+    rm -f "$tmp_path"
+    return 1
+  fi
+
+  printf '%s\n' "$tmp_path"
+}
+
+genesis_sideband_resolve() {
+  local kind="$1"
+  local session_id="$2"
+  local key dir latest
+  key="$(genesis_sideband_key "$session_id")"
+  dir="$(genesis_sideband_dir)"
+
+  latest="$(ls -1t -- "$dir"/genesis-"$key"-"$kind"-*.json 2>/dev/null | head -n 1 || true)"
+  [[ -n "$latest" ]] || return 1
+  printf '%s\n' "$latest"
+}
+
+genesis_sideband_read_payload() {
+  local kind="$1"
+  local session_id="$2"
+  local ttl_seconds="${3:-1800}"
+
+  local file_path now created_at key nonce signature payload_json expected expected_key perms
+
+  if [[ ! "$ttl_seconds" =~ ^[0-9]+$ || "$ttl_seconds" -le 0 ]]; then
+    ttl_seconds=1800
+  fi
+
+  if ! file_path="$(genesis_sideband_resolve "$kind" "$session_id" 2>/dev/null)"; then
+    return 1
+  fi
+  if [[ ! -f "$file_path" ]]; then
+    return 1
+  fi
+  if [[ ! -O "$file_path" || -L "$file_path" ]]; then
+    return 1
+  fi
+  perms="$(stat -c '%a' "$file_path" 2>/dev/null || true)"
+  if [[ -n "$perms" ]] && (( (8#$perms & 077) != 0 )); then
+    return 1
+  fi
+
+  now="$(date +%s)"
+  created_at="$(jq -r '.created_at // 0' "$file_path" 2>/dev/null || echo 0)"
+  if [[ "$created_at" == "null" || "$created_at" == "" || ! "$created_at" =~ ^[0-9]+$ ]]; then
+    return 1
+  fi
+  if (( created_at > now + 60 )); then
+    return 1
+  fi
+  if (( now - created_at > ttl_seconds )); then
+    return 1
+  fi
+
+  key="$(jq -r '.key // ""' "$file_path" 2>/dev/null || true)"
+  nonce="$(jq -r '.nonce // ""' "$file_path" 2>/dev/null || true)"
+  signature="$(jq -r '.signature // ""' "$file_path" 2>/dev/null || true)"
+  payload_json="$(jq -c '.payload' "$file_path" 2>/dev/null || true)"
+  expected_key="$(genesis_sideband_key "$session_id")"
+
+  if [[ -z "$key" || -z "$nonce" || -z "$signature" || -z "$payload_json" || "$payload_json" == "null" ]]; then
+    return 1
+  fi
+  if [[ "$key" != "$expected_key" ]]; then
+    return 1
+  fi
+  if [[ ! "$nonce" =~ ^[0-9a-f]{16,64}$ ]]; then
+    return 1
+  fi
+  if [[ ! "$signature" =~ ^[0-9a-f]{64}$ ]]; then
+    return 1
+  fi
+
+  expected="$(genesis_sideband_signature "$session_id" "$key" "$nonce" "$created_at" "$payload_json")"
+  if [[ "$expected" != "$signature" ]]; then
+    return 1
+  fi
+
+  printf '%s\n' "$payload_json"
+}
+
+genesis_sideband_cleanup() {
+  local session_id="$1"
+  local dir key
+  dir="$(genesis_sideband_dir)"
+  key="$(genesis_sideband_key "$session_id")"
+  rm -f "$dir"/genesis-"$key"-*.json 2>/dev/null || true
+}

package/genesis/scripts/stack-detection-lib.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# stack-detection-lib.sh — Unified stack detection for Genesis pipeline
+# Single source of truth: scaffold-project.sh and generate-qa-contract.sh
+# both import this instead of maintaining their own detection logic.
+# shellcheck shell=bash
+
+if [ -z "${BASH_VERSION:-}" ]; then
+  echo "ERROR: stack-detection-lib.sh requires bash." >&2
+  return 1 2>/dev/null || exit 1
+fi
+
+# genesis_detect_stack_from_hint <stack_hint>
+# Maps a raw stack hint (from GENESIS_STACK, scaffold.stack, etc.) to a
+# canonical stack name, or returns empty string if unknown.
+# Canonical stacks: nextjs, express, fastapi, flask, django, python-cli
+genesis_normalize_stack_hint() {
+  local hint="${1:-}"
+  hint="$(echo "$hint" | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
+  case "$hint" in
+    nextjs|express|fastapi|flask|django|python-cli)
+      printf '%s\n' "$hint"
+      ;;
+    *)
+      # Unknown or generic (e.g., "python") — caller should auto-detect
+      ;;
+  esac
+}
+
+# genesis_detect_stack_from_text <text>
+# Keyword-based stack detection from spec/idea text.
+# Returns canonical stack name or empty string.
+genesis_detect_stack_from_text() {
+  local text="${1:-}"
+  [[ -n "$text" ]] || return 0
+
+  if echo "$text" | grep -qiE '\bnext\.?js\b|nextjs|\bnext\s+app\b'; then
+    echo "nextjs"
+  elif echo "$text" | grep -qiE '\bexpress\b|\bnode\.?js.*api\b|\bexpress\.?js\b'; then
+    echo "express"
+  elif echo "$text" | grep -qiE '\bfastapi\b|\bfast.?api\b'; then
+    echo "fastapi"
+  elif echo "$text" | grep -qiE '\bflask\b'; then
+    echo "flask"
+  elif echo "$text" | grep -qiE '\bdjango\b'; then
+    echo "django"
+  elif echo "$text" | grep -qiE '\bpython\b.*\bcli\b|\bcli\b.*\bpython\b|\bclick\b|\bargparse\b|\btyper\b'; then
+    echo "python-cli"
+  elif echo "$text" | grep -qiE '\bpython\b'; then
+    echo "fastapi"
+  elif echo "$text" | grep -qiE '\breact\b|\btypescript\b|\bfrontend\b|\bdashboard\b'; then
+    echo "nextjs"
+  elif echo "$text" | grep -qiE '\bapi\b|\bbackend\b|\brest\b|\bendpoint\b'; then
+    echo "fastapi"
+  fi
+}
+
+# genesis_detect_stack_from_delivery_target <delivery_target>
+# Fallback: infer stack from delivery target.
+genesis_detect_stack_from_delivery_target() {
+  local target="${1:-}"
+  case "$target" in
+    web-ui|hybrid) echo "nextjs" ;;
+    api)           echo "fastapi" ;;
+    cli)           echo "python-cli" ;;
+    *)             echo "fastapi" ;;
+  esac
+}
+
+# genesis_stack_flags <stack>
+# Given a canonical stack name, outputs IS_PY IS_JS IS_GO (space-separated booleans).
+# Usage: read IS_PY IS_JS IS_GO <<< "$(genesis_stack_flags "$STACK")"
+genesis_stack_flags() {
+  local stack="${1:-}"
+  case "$stack" in
+    fastapi|flask|django|python-cli|python)
+      echo "true false false"
+      ;;
+    nextjs|express|node|javascript|typescript)
+      echo "false true false"
+      ;;
+    go|golang)
+      echo "false false true"
+      ;;
+    *)
+      echo "false false false"
+      ;;
+  esac
+}
+
+# genesis_detect_stack_flags_from_context <stack_hint> <languages_text> <scope_text>
+# Comprehensive flag detection used by generate-qa-contract.sh.
+# Sets IS_PY, IS_JS, IS_GO based on multiple signal sources.
+# Outputs: IS_PY IS_JS IS_GO (space-separated)
+genesis_detect_stack_flags_from_context() {
+  local stack_hint="${1:-}"
+  local languages="${2:-}"
+  local scope_text="${3:-}"
+  local IS_PY=false IS_JS=false IS_GO=false
+
+  # Priority 1: explicit scaffold stack
+  case "$stack_hint" in
+    fastapi|flask|django|python|python-cli) IS_PY=true ;;
+    nextjs|express|node|javascript|typescript) IS_JS=true ;;
+    go|golang) IS_GO=true ;;
+  esac
+
+  # Priority 2: language/scope signals (additive — a project can be multi-stack)
+  if [[ "$languages" == *"python"* ]] || [[ "$scope_text" == *"python"* ]] || \
+     [[ "$scope_text" == *"django"* ]] || [[ "$scope_text" == *"flask"* ]] || \
+     [[ "$scope_text" == *"fastapi"* ]]; then
+    IS_PY=true
+  fi
+  if [[ "$languages" == *"javascript"* ]] || [[ "$languages" == *"typescript"* ]] || \
+     [[ "$scope_text" == *"node"* ]] || [[ "$scope_text" == *"react"* ]] || \
+     [[ "$scope_text" == *"next"* ]]; then
+    IS_JS=true
+  fi
+  if [[ "$languages" == *"go"* ]] || [[ "$scope_text" == *"golang"* ]]; then
+    IS_GO=true
+  fi
+
+  # Priority 3: file detection (only if nothing found yet)
+  if ! $IS_PY && ! $IS_JS && ! $IS_GO; then
+    [[ -f "package.json" ]] && IS_JS=true
+    [[ -f "requirements.txt" || -f "pyproject.toml" || -f "setup.py" || -f "Pipfile" ]] && IS_PY=true
+    [[ -f "go.mod" ]] && IS_GO=true
+  fi
+
+  echo "$IS_PY $IS_JS $IS_GO"
+}