@nahisaho/musubix-security 2.0.0 → 2.1.0

package/dist/rules/engine/rule-registry.js

@@ -0,0 +1,281 @@
+/**
+ * @fileoverview Rule Registry - Manages rule registration and retrieval
+ * @module @nahisaho/musubix-security/rules/engine/rule-registry
+ * @trace REQ-RULE-003
+ */
+/**
+ * Rule Registry
+ * Manages registration and retrieval of security rules
+ */
+export class RuleRegistry {
+    rules = new Map();
+    rulesByCategory = new Map([
+        ['owasp', new Set()],
+        ['cwe', new Set()],
+        ['custom', new Set()],
+    ]);
+    rulesByTag = new Map();
+    /**
+     * Register a rule
+     * @param rule The rule to register
+     * @param overwrite Whether to overwrite existing rule with same ID
+     */
+    register(rule, overwrite = false) {
+        if (this.rules.has(rule.id) && !overwrite) {
+            throw new Error(`Rule ${rule.id} is already registered`);
+        }
+        // If overwriting, clean up old indexes first
+        if (this.rules.has(rule.id)) {
+            this.unregister(rule.id);
+        }
+        this.rules.set(rule.id, rule);
+        // Categorize by ID prefix
+        const category = this.categorizeRule(rule.id);
+        this.rulesByCategory.get(category)?.add(rule.id);
+        // Index by tags
+        if (rule.tags) {
+            for (const tag of rule.tags) {
+                if (!this.rulesByTag.has(tag)) {
+                    this.rulesByTag.set(tag, new Set());
+                }
+                this.rulesByTag.get(tag).add(rule.id);
+            }
+        }
+    }
+    /**
+     * Register multiple rules
+     */
+    registerAll(rules) {
+        for (const rule of rules) {
+            this.register(rule);
+        }
+    }
+    /**
+     * Unregister a rule
+     */
+    unregister(ruleId) {
+        const rule = this.rules.get(ruleId);
+        if (!rule)
+            return false;
+        this.rules.delete(ruleId);
+        // Remove from category index
+        const category = this.categorizeRule(ruleId);
+        this.rulesByCategory.get(category)?.delete(ruleId);
+        // Remove from tag index
+        if (rule.tags) {
+            for (const tag of rule.tags) {
+                this.rulesByTag.get(tag)?.delete(ruleId);
+            }
+        }
+        return true;
+    }
+    /**
+     * Get a rule by ID
+     */
+    get(ruleId) {
+        return this.rules.get(ruleId);
+    }
+    /**
+     * Check if a rule exists
+     */
+    has(ruleId) {
+        return this.rules.has(ruleId);
+    }
+    /**
+     * Get all registered rules
+     */
+    getAll() {
+        return Array.from(this.rules.values());
+    }
+    /**
+     * Get rules by filter
+     */
+    getFiltered(filter, config) {
+        let ruleIds;
+        // Start with all rules or category-filtered
+        if (filter.category && filter.category !== 'all') {
+            ruleIds = new Set(this.rulesByCategory.get(filter.category) ?? []);
+        }
+        else {
+            ruleIds = new Set(this.rules.keys());
+        }
+        // Filter by specific IDs
+        if (filter.ids && filter.ids.length > 0) {
+            const idSet = new Set(filter.ids);
+            ruleIds = new Set([...ruleIds].filter(id => idSet.has(id)));
+        }
+        // Filter by tags
+        if (filter.tags && filter.tags.length > 0) {
+            const tagRules = new Set();
+            for (const tag of filter.tags) {
+                const rulesWithTag = this.rulesByTag.get(tag);
+                if (rulesWithTag) {
+                    for (const id of rulesWithTag) {
+                        tagRules.add(id);
+                    }
+                }
+            }
+            ruleIds = new Set([...ruleIds].filter(id => tagRules.has(id)));
+        }
+        // Filter by detection method
+        if (filter.detectionMethod) {
+            ruleIds = new Set([...ruleIds].filter(id => {
+                const rule = this.rules.get(id);
+                return rule?.detectionMethod === filter.detectionMethod;
+            }));
+        }
+        // Filter by enabled status
+        if (filter.enabledOnly && config) {
+            ruleIds = new Set([...ruleIds].filter(id => this.isRuleEnabled(id, config)));
+        }
+        return [...ruleIds]
+            .map(id => this.rules.get(id))
+            .filter(Boolean);
+    }
+    /**
+     * Get rules by category
+     */
+    getByCategory(category) {
+        if (category === 'all') {
+            return this.getAll();
+        }
+        const ids = this.rulesByCategory.get(category) ?? new Set();
+        return [...ids].map(id => this.rules.get(id)).filter(Boolean);
+    }
+    /**
+     * Get rules by tag
+     */
+    getByTag(tag) {
+        const ids = this.rulesByTag.get(tag) ?? new Set();
+        return [...ids].map(id => this.rules.get(id)).filter(Boolean);
+    }
+    /**
+     * Get enabled rules based on config
+     */
+    getEnabled(config) {
+        return this.getFiltered({ enabledOnly: true }, config);
+    }
+    /**
+     * Check if a rule is enabled
+     */
+    isRuleEnabled(ruleId, config) {
+        const ruleSettings = config.rules[ruleId];
+        // Explicit setting
+        if (ruleSettings !== undefined) {
+            return ruleSettings.enabled;
+        }
+        // Default based on profile
+        switch (config.profile) {
+            case 'strict':
+                return true; // All rules enabled
+            case 'permissive':
+                // Only critical/high by default
+                const rule = this.rules.get(ruleId);
+                return rule?.defaultSeverity === 'critical' || rule?.defaultSeverity === 'high';
+            case 'standard':
+            default:
+                return true; // All rules enabled by default
+        }
+    }
+    /**
+     * Get rule settings with defaults
+     */
+    getRuleSettings(ruleId, config) {
+        const rule = this.rules.get(ruleId);
+        const customSettings = config.rules[ruleId];
+        return {
+            enabled: this.isRuleEnabled(ruleId, config),
+            severity: customSettings?.severity ?? rule?.defaultSeverity,
+            options: customSettings?.options ?? {},
+        };
+    }
+    /**
+     * Get rule count
+     */
+    get size() {
+        return this.rules.size;
+    }
+    /**
+     * Get rule count (alias for size)
+     */
+    count() {
+        return this.rules.size;
+    }
+    /**
+     * Get all rule IDs
+     */
+    getIds() {
+        return Array.from(this.rules.keys());
+    }
+    /**
+     * Get all tags
+     */
+    getTags() {
+        return Array.from(this.rulesByTag.keys());
+    }
+    /**
+     * Get rules by severity
+     */
+    getBySeverity(severity) {
+        return this.getAll().filter(rule => rule.defaultSeverity === severity);
+    }
+    /**
+     * Get rules by detection method
+     */
+    getByDetectionMethod(method) {
+        return this.getAll().filter(rule => rule.detectionMethod === method);
+    }
+    /**
+     * Filter rules by predicate
+     */
+    filter(predicate) {
+        return this.getAll().filter(predicate);
+    }
+    /**
+     * Clear all rules
+     */
+    clear() {
+        this.rules.clear();
+        this.rulesByCategory.forEach(set => set.clear());
+        this.rulesByTag.clear();
+    }
+    /**
+     * Categorize rule by ID prefix
+     */
+    categorizeRule(ruleId) {
+        const upper = ruleId.toUpperCase();
+        if (upper.startsWith('OWASP') || upper.startsWith('A0')) {
+            return 'owasp';
+        }
+        if (upper.startsWith('CWE')) {
+            return 'cwe';
+        }
+        return 'custom';
+    }
+}
+/**
+ * Global rule registry instance
+ */
+let globalRegistry = null;
+/**
+ * Get or create global registry
+ */
+export function getGlobalRegistry() {
+    if (!globalRegistry) {
+        globalRegistry = new RuleRegistry();
+    }
+    return globalRegistry;
+}
+/**
+ * Create a new registry (for isolated use)
+ */
+export function createRegistry() {
+    return new RuleRegistry();
+}
+/**
+ * Reset global registry (for testing)
+ */
+export function resetGlobalRegistry() {
+    globalRegistry = null;
+}
+//# sourceMappingURL=rule-registry.js.map

package/dist/rules/engine/rule-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-registry.js","sourceRoot":"","sources":["../../../src/rules/engine/rule-registry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA6BH;;;GAGG;AACH,MAAM,OAAO,YAAY;IACf,KAAK,GAA8B,IAAI,GAAG,EAAE,CAAC;IAC7C,eAAe,GAAmC,IAAI,GAAG,CAAC;QAChE,CAAC,OAAO,EAAE,IAAI,GAAG,EAAE,CAAC;QACpB,CAAC,KAAK,EAAE,IAAI,GAAG,EAAE,CAAC;QAClB,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC;KACtB,CAAC,CAAC;IACK,UAAU,GAA6B,IAAI,GAAG,EAAE,CAAC;IAEzD;;;;OAIG;IACH,QAAQ,CAAC,IAAkB,EAAE,YAAqB,KAAK;QACrD,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,QAAQ,IAAI,CAAC,EAAE,wBAAwB,CAAC,CAAC;QAC3D,CAAC;QAED,6CAA6C;QAC7C,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3B,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAE9B,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEjD,gBAAgB;QAChB,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;gBACtC,CAAC;gBACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,KAAqB;QAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,MAAc;QACvB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAExB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE1B,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAEnD,wBAAwB;QACxB,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,MAAc;QAChB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,MAAc;QAChB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,MAAkB,EAAE,MAAmB;QACjD,IAAI,OAAoB,CAAC;QAEzB,4CAA4C;QAC5C,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;YACjD,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACrE,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,yBAAyB;QACzB,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAClC,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9D,CAAC;QAED,iBAAiB;QACjB,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;YACnC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC9B,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC9C,IAAI,YAAY,EAAE,CAAC;oBACjB,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;wBAC9B,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;oBACnB,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACjE,CAAC;QAED,6BAA6B;QAC7B,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC3B,OAAO,GAAG,IAAI,GAAG,CACf,CAAC,GAAG,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;gBACvB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChC,OAAO,IAAI,EAAE,eAAe,KAAK,MAAM,CAAC,eAAe,CAAC;YAC1D,CAAC,CAAC,CACH,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,MAAM,CAAC,WAAW,IAAI,MAAM,EAAE,CAAC;YACjC,OAAO,GAAG,IAAI,GAAG,CACf,CAAC,GAAG,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAC1D,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,GAAG,OAAO,CAAC;aAChB,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;aAC9B,MAAM,CAAC,OAAO,CAAC,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAsB;QAClC,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,GAAW;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC;QAClD,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,MAAkB;QAC3B,OAAO,IAAI,CAAC,WAAW,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,MAAc,EAAE,MAAkB;QAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE1C,mBAAmB;QACnB,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,OAAO,YAAY,CAAC,OAAO,CAAC;QAC9B,CAAC;QAED,2BAA2B;QAC3B,QAAQ,MAAM,CAAC,OAAO,EAAE,CAAC;YACvB,KAAK,QAAQ;gBACX,OAAO,IAAI,CAAC,CAAC,oBAAoB;YACnC,KAAK,YAAY;gBACf,gCAAgC;gBAChC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACpC,OAAO,IAAI,EAAE,eAAe,KAAK,UAAU,IAAI,IAAI,EAAE,eAAe,KAAK,MAAM,CAAC;YAClF,KAAK,UAAU,CAAC;YAChB;gBACE,OAAO,IAAI,CAAC,CAAC,+BAA+B;QAChD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,MAAc,EAAE,MAAkB;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,cAAc,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE5C,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC;YAC3C,QAAQ,EAAE,cAAc,EAAE,QAAQ,IAAI,IAAI,EAAE,eAAe;YAC3D,OAAO,EAAE,cAAc,EAAE,OAAO,IAAI,EAAE;SACvC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAgB;QAC5B,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,eAAe,KAAK,QAAQ,CAAC,CAAC;IACzE,CAAC;IAED;;OAEG;IACH,oBAAoB,CAAC,MAAc;QACjC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,eAAe,KAAK,MAAM,CAAC,CAAC;IACvE,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,SAA0C;QAC/C,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,MAAc;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAED;;GAEG;AACH,IAAI,cAAc,GAAwB,IAAI,CAAC;AAE/C;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,IAAI,YAAY,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO,IAAI,YAAY,EAAE,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,cAAc,GAAG,IAAI,CAAC;AACxB,CAAC"}

package/dist/rules/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * @fileoverview Rules Module Exports
+ * @module @nahisaho/musubix-security/rules
+ */
+export type { SecurityRule, RuleContext, RuleFinding, RuleResult, RuleConfig, RuleSettings, FixSuggestion, SourceLocation, DetectionMethod, RuleSeverity, AnalysisProgress, AnalysisReport, AnalysisSummary, RuleEngineOptions as RuleEngineOptionsBase, } from './types.js';
+export { SEVERITY_ORDER, DEFAULT_RULE_CONFIG, meetsSeverityThreshold, } from './types.js';
+export { RuleEngine, createRuleEngine, RuleRegistry, getGlobalRegistry, createRegistry, RuleContextBuilder, createContextBuilder, } from './engine/index.js';
+export type { RuleEngineOptions, RuleEngineProgress, RuleEngineResult, RuleEngineError, RuleEngineSummary, RuleContextBuildOptions, } from './engine/index.js';
+export { parseConfig, loadConfigFile, findConfigFile, loadProjectConfig, createConfigBuilder, validateConfig, writeConfigFile, ConfigBuilder, DEFAULT_CONFIG, getProfile, getProfileNames, hasProfile, getProfileRuleIds, mergeProfileConfig, PROFILES, PROFILE_MINIMAL, PROFILE_STANDARD, PROFILE_STRICT, PROFILE_OWASP, PROFILE_CWE, } from './config/index.js';
+export type { RawRuleConfig, RawRuleSettings, ParseResult, ConfigFormat, RuleProfile, ProfileRuleConfig, } from './config/index.js';
+export { owaspA01BrokenAccessControl, owaspA02CryptographicFailures, owaspA03Injection, owaspA04InsecureDesign, owaspA05SecurityMisconfiguration, owaspRulesA01A05, } from './owasp/index.js';
+export { owaspA06VulnerableComponents, owaspA07AuthFailures, owaspA08IntegrityFailures, owaspA09LoggingFailures, owaspA10SSRF, owaspRulesA06A10, owaspTop10Rules, } from './owasp/index.js';
+export { cwe787OutOfBoundsWrite, cwe79XSS, cwe89SQLInjection, cwe416UseAfterFree, cwe78CommandInjection, cwe20InputValidation, cwe125OutOfBoundsRead, cwe22PathTraversal, cwe352CSRF, cwe434FileUpload, cwe862MissingAuth, cwe476NullDeref, cwe287ImproperAuth, cweTop25Rules1to13, cweTop25Rules, } from './cwe/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,YAAY,EACV,YAAY,EACZ,WAAW,EACX,WAAW,EACX,UAAU,EACV,UAAU,EACV,YAAY,EACZ,aAAa,EACb,cAAc,EACd,eAAe,EACf,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,iBAAiB,IAAI,qBAAqB,GAC3C,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,EACjB,cAAc,EACd,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,WAAW,EACX,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,eAAe,EACf,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,QAAQ,EACR,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,aAAa,EACb,eAAe,EACf,WAAW,EACX,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,iBAAiB,EACjB,sBAAsB,EACtB,gCAAgC,EAChC,gBAAgB,GACjB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,4BAA4B,EAC5B,oBAAoB,EACpB,yBAAyB,EACzB,uBAAuB,EACvB,YAAY,EACZ,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,sBAAsB,EACtB,QAAQ,EACR,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,EAClB,UAAU,EACV,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EAClB,aAAa,GACd,MAAM,gBAAgB,CAAC"}

package/dist/rules/index.js

@@ -0,0 +1,16 @@
+/**
+ * @fileoverview Rules Module Exports
+ * @module @nahisaho/musubix-security/rules
+ */
+export { SEVERITY_ORDER, DEFAULT_RULE_CONFIG, meetsSeverityThreshold, } from './types.js';
+// Engine
+export { RuleEngine, createRuleEngine, RuleRegistry, getGlobalRegistry, createRegistry, RuleContextBuilder, createContextBuilder, } from './engine/index.js';
+// Config
+export { parseConfig, loadConfigFile, findConfigFile, loadProjectConfig, createConfigBuilder, validateConfig, writeConfigFile, ConfigBuilder, DEFAULT_CONFIG, getProfile, getProfileNames, hasProfile, getProfileRuleIds, mergeProfileConfig, PROFILES, PROFILE_MINIMAL, PROFILE_STANDARD, PROFILE_STRICT, PROFILE_OWASP, PROFILE_CWE, } from './config/index.js';
+// OWASP A01-A05 Rules (TSK-RULE-003)
+export { owaspA01BrokenAccessControl, owaspA02CryptographicFailures, owaspA03Injection, owaspA04InsecureDesign, owaspA05SecurityMisconfiguration, owaspRulesA01A05, } from './owasp/index.js';
+// OWASP A06-A10 Rules (TSK-RULE-004)
+export { owaspA06VulnerableComponents, owaspA07AuthFailures, owaspA08IntegrityFailures, owaspA09LoggingFailures, owaspA10SSRF, owaspRulesA06A10, owaspTop10Rules, } from './owasp/index.js';
+// CWE Top 25 Rules (1-13) (TSK-RULE-005)
+export { cwe787OutOfBoundsWrite, cwe79XSS, cwe89SQLInjection, cwe416UseAfterFree, cwe78CommandInjection, cwe20InputValidation, cwe125OutOfBoundsRead, cwe22PathTraversal, cwe352CSRF, cwe434FileUpload, cwe862MissingAuth, cwe476NullDeref, cwe287ImproperAuth, cweTop25Rules1to13, cweTop25Rules, } from './cwe/index.js';
+//# sourceMappingURL=index.js.map

package/dist/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAoBH,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAEpB,SAAS;AACT,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,EACjB,cAAc,EACd,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,mBAAmB,CAAC;AAW3B,SAAS;AACT,OAAO,EACL,WAAW,EACX,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,eAAe,EACf,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,QAAQ,EACR,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAW3B,qCAAqC;AACrC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,iBAAiB,EACjB,sBAAsB,EACtB,gCAAgC,EAChC,gBAAgB,GACjB,MAAM,kBAAkB,CAAC;AAE1B,qCAAqC;AACrC,OAAO,EACL,4BAA4B,EAC5B,oBAAoB,EACpB,yBAAyB,EACzB,uBAAuB,EACvB,YAAY,EACZ,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,yCAAyC;AACzC,OAAO,EACL,sBAAsB,EACtB,QAAQ,EACR,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,EAClB,UAAU,EACV,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EAClB,aAAa,GACd,MAAM,gBAAgB,CAAC"}

package/dist/rules/owasp/a01-broken-access-control.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @fileoverview OWASP A01:2021 - Broken Access Control Rule
+ * @module @nahisaho/musubix-security/rules/owasp/a01-broken-access-control
+ * @trace TSK-RULE-003
+ *
+ * Detects:
+ * - Missing authorization checks
+ * - Direct object references without validation
+ * - Path traversal vulnerabilities
+ * - CORS misconfigurations
+ * - Privilege escalation patterns
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * OWASP A01 - Broken Access Control
+ */
+export declare const owaspA01BrokenAccessControl: SecurityRule;
+export default owaspA01BrokenAccessControl;
+//# sourceMappingURL=a01-broken-access-control.d.ts.map

package/dist/rules/owasp/a01-broken-access-control.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a01-broken-access-control.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp/a01-broken-access-control.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,2BAA2B,EAAE,YAoCzC,CAAC;AAmRF,eAAe,2BAA2B,CAAC"}

package/dist/rules/owasp/a01-broken-access-control.js

@@ -0,0 +1,295 @@
+/**
+ * @fileoverview OWASP A01:2021 - Broken Access Control Rule
+ * @module @nahisaho/musubix-security/rules/owasp/a01-broken-access-control
+ * @trace TSK-RULE-003
+ *
+ * Detects:
+ * - Missing authorization checks
+ * - Direct object references without validation
+ * - Path traversal vulnerabilities
+ * - CORS misconfigurations
+ * - Privilege escalation patterns
+ */
+/**
+ * OWASP A01 - Broken Access Control
+ */
+export const owaspA01BrokenAccessControl = {
+    id: 'owasp-a01-broken-access-control',
+    name: 'OWASP A01:2021 - Broken Access Control',
+    description: 'Detects missing or improper access control implementations that could allow unauthorized access to resources',
+    defaultSeverity: 'critical',
+    detectionMethod: 'combined',
+    tags: ['owasp', 'access-control', 'authorization', 'security'],
+    owasp: ['A01:2021'],
+    cwe: ['284', '285', '639', '862', '863'],
+    references: [
+        { title: 'OWASP A01:2021 - Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
+        { title: 'CWE-284: Improper Access Control', url: 'https://cwe.mitre.org/data/definitions/284.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const sourceFile = context.sourceFile;
+        if (!sourceFile)
+            return findings;
+        // Check for route handlers without auth middleware
+        checkMissingAuthMiddleware(context, findings);
+        // Check for direct object references
+        checkDirectObjectReferences(context, findings);
+        // Check for CORS misconfigurations
+        checkCorsMisconfigurations(context, findings);
+        // Check for path traversal patterns
+        checkPathTraversal(context, findings);
+        // Check for admin/privileged operations without checks
+        checkPrivilegedOperations(context, findings);
+        return findings;
+    },
+};
+/**
+ * Check for route handlers that lack authentication middleware
+ */
+function checkMissingAuthMiddleware(context, findings) {
+    const sourceCode = context.sourceCode;
+    // Pattern: Express-style routes without auth middleware
+    const routePatterns = [
+        /app\.(get|post|put|delete|patch)\s*\(\s*(['"`][^'"`]*['"`])\s*,\s*(?!.*auth)/gi,
+        /router\.(get|post|put|delete|patch)\s*\(\s*(['"`][^'"`]*['"`])\s*,\s*(?!.*auth)/gi,
+    ];
+    // Sensitive endpoint patterns
+    const sensitiveEndpoints = [
+        /\/admin/i,
+        /\/api\/users/i,
+        /\/api\/settings/i,
+        /\/api\/config/i,
+        /\/api\/private/i,
+        /\/delete/i,
+        /\/edit/i,
+        /\/update/i,
+    ];
+    for (const pattern of routePatterns) {
+        let match;
+        while ((match = pattern.exec(sourceCode)) !== null) {
+            const endpoint = match[2];
+            // Check if it's a sensitive endpoint
+            if (sensitiveEndpoints.some(p => p.test(endpoint))) {
+                const lines = sourceCode.substring(0, match.index).split('\n');
+                const line = lines.length;
+                findings.push({
+                    id: `owasp-a01-${findings.length + 1}`,
+                    ruleId: 'owasp-a01-broken-access-control',
+                    severity: 'high',
+                    message: `Sensitive endpoint ${endpoint} may lack authentication middleware`,
+                    location: {
+                        file: context.filePath,
+                        startLine: line,
+                        endLine: line,
+                        startColumn: 0,
+                        endColumn: match[0].length,
+                    },
+                    suggestion: {
+                        description: 'Add authentication middleware before the route handler',
+                        example: `// Add auth middleware: app.${match[1]}(${endpoint}, authMiddleware, handler)`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for insecure direct object references (IDOR)
+ */
+function checkDirectObjectReferences(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    // Patterns indicating IDOR vulnerabilities
+    const idorPatterns = [
+        // Direct use of user-provided ID without ownership check
+        /(?:req\.params|req\.query|req\.body)\s*\.\s*(?:id|userId|user_id)/gi,
+        // Direct database queries with user input
+        /findById\s*\(\s*(?:req\.params|req\.query|req\.body)/gi,
+        /where\s*:\s*\{\s*id\s*:\s*(?:req\.params|req\.query)/gi,
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const pattern of idorPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                // Check if there's no ownership/authorization check nearby
+                const surroundingCode = lines.slice(Math.max(0, lineNum - 5), lineNum + 5).join('\n');
+                if (!hasAuthorizationCheck(surroundingCode)) {
+                    findings.push({
+                        id: `owasp-a01-idor-${findings.length + 1}`,
+                        ruleId: 'owasp-a01-broken-access-control',
+                        severity: 'high',
+                        message: 'Potential Insecure Direct Object Reference (IDOR) - user-provided ID used without ownership verification',
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        suggestion: {
+                            description: 'Verify resource ownership before allowing access',
+                            example: '// Add ownership check: if (resource.userId !== req.user.id) return res.status(403).json({ error: "Forbidden" })',
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for CORS misconfigurations
+ */
+function checkCorsMisconfigurations(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const corsPatterns = [
+        // Wildcard origin
+        { pattern: /['"`]\*['"`]/g, message: 'CORS allows all origins (*)' },
+        // Reflecting origin without validation
+        { pattern: /origin\s*:\s*(?:req\.headers\.origin|true)/gi, message: 'CORS reflects any origin' },
+        // credentials with wildcard
+        { pattern: /credentials\s*:\s*true.*origin\s*:\s*['"`]\*['"`]/gi, message: 'CORS allows credentials with wildcard origin' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, message } of corsPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a01-cors-${findings.length + 1}`,
+                    ruleId: 'owasp-a01-broken-access-control',
+                    severity: 'medium',
+                    message: `CORS misconfiguration: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    suggestion: {
+                        description: 'Restrict CORS to specific trusted origins',
+                        example: "// Use specific origins: origin: ['https://trusted-domain.com']",
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for path traversal vulnerabilities
+ */
+function checkPathTraversal(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    // Patterns for potential path traversal
+    const pathPatterns = [
+        /path\.join\s*\([^)]*(?:req\.params|req\.query|req\.body)/gi,
+        /fs\.(?:readFile|readdir|writeFile|unlink|stat)\s*\([^)]*(?:req\.params|req\.query)/gi,
+        /res\.sendFile\s*\([^)]*(?:req\.params|req\.query)/gi,
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const pattern of pathPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                // Check if there's path normalization
+                if (!line.includes('normalize') && !line.includes('realpath') && !line.includes('sanitize')) {
+                    findings.push({
+                        id: `owasp-a01-path-${findings.length + 1}`,
+                        ruleId: 'owasp-a01-broken-access-control',
+                        severity: 'high',
+                        message: 'Potential path traversal vulnerability - user input used in file path without sanitization',
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        suggestion: {
+                            description: 'Sanitize and validate file paths to prevent directory traversal',
+                            example: `// Use path.normalize() and verify path doesn't escape base directory
+const safePath = path.normalize(userInput).replace(/^(\\.\\.\\/)+/, '');
+if (!safePath.startsWith(baseDir)) throw new Error('Invalid path');`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for privileged operations without authorization checks
+ */
+function checkPrivilegedOperations(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    // Privileged operation patterns
+    const privilegedPatterns = [
+        { pattern: /\.destroy\s*\(/gi, operation: 'delete' },
+        { pattern: /\.delete\s*\(/gi, operation: 'delete' },
+        { pattern: /\.remove\s*\(/gi, operation: 'delete' },
+        { pattern: /role\s*[:=]\s*['"`]admin['"`]/gi, operation: 'role assignment' },
+        { pattern: /isAdmin\s*[:=]\s*true/gi, operation: 'admin flag' },
+        { pattern: /\.executeRaw\s*\(/gi, operation: 'raw SQL execution' },
+        { pattern: /eval\s*\(/gi, operation: 'code evaluation' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, operation } of privilegedPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                // Check surrounding context for authorization
+                const surroundingCode = lines.slice(Math.max(0, lineNum - 10), lineNum + 1).join('\n');
+                if (!hasAuthorizationCheck(surroundingCode)) {
+                    findings.push({
+                        id: `owasp-a01-priv-${findings.length + 1}`,
+                        ruleId: 'owasp-a01-broken-access-control',
+                        severity: 'high',
+                        message: `Privileged operation (${operation}) without visible authorization check`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        suggestion: {
+                            description: 'Add authorization check before privileged operations',
+                            example: '// Add: if (!user.hasPermission("admin")) throw new ForbiddenError();',
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check if code contains authorization checks
+ */
+function hasAuthorizationCheck(code) {
+    const authPatterns = [
+        /isAuth/i,
+        /isAdmin/i,
+        /authorize/i,
+        /hasPermission/i,
+        /hasRole/i,
+        /checkAuth/i,
+        /requireAuth/i,
+        /guard/i,
+        /canAccess/i,
+        /userId\s*===\s*req\.user/i,
+        /req\.user\.id\s*===\s*/i,
+        /\.where\s*\([^)]*userId/i,
+    ];
+    return authPatterns.some(p => p.test(code));
+}
+export default owaspA01BrokenAccessControl;
+//# sourceMappingURL=a01-broken-access-control.js.map