@node9/policy-engine 1.0.0 → 1.4.0

package/dist/index.js

@@ -31,15 +31,24 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var src_exports = {};
 __export(src_exports, {
   BUILTIN_SHIELDS: () => BUILTIN_SHIELDS,
+  COST_PER_LOOP_ITER_USD: () => COST_PER_LOOP_ITER_USD,
   DLP_PATTERNS: () => DLP_PATTERNS,
   ENGINE_VERSION: () => ENGINE_VERSION,
   FLAGS_WITH_VALUES: () => FLAGS_WITH_VALUES,
   LOOP_MAX_RECORDS: () => LOOP_MAX_RECORDS,
+  LOOP_THRESHOLD_FOR_WASTE: () => LOOP_THRESHOLD_FOR_WASTE,
+  SCAN_SIGNAL_WEIGHTS: () => SCAN_SIGNAL_WEIGHTS,
   SENSITIVE_PATH_REGEXES: () => SENSITIVE_PATH_REGEXES,
   analyzePipeChain: () => analyzePipeChain,
   analyzeShellCommand: () => analyzeShellCommand,
   checkDangerousSql: () => checkDangerousSql,
+  classifyAuditEntry: () => classifyAuditEntry,
+  classifyRuleSeverity: () => classifyRuleSeverity,
+  classifyScanSignal: () => classifyScanSignal,
   computeArgsHash: () => computeArgsHash,
+  computeBlendedSecurityScore: () => computeBlendedSecurityScore,
+  computeScanScore: () => computeScanScore,
+  computeSecurityScore: () => computeSecurityScore,
   detectDangerousEval: () => detectDangerousEval,
   detectDangerousShellExec: () => detectDangerousShellExec,
   evaluateLoopWindow: () => evaluateLoopWindow,
@@ -54,12 +63,16 @@ __export(src_exports, {
   isShieldVerdict: () => isShieldVerdict,
   matchSensitivePath: () => matchSensitivePath,
   matchesPattern: () => matchesPattern,
+  narrativeRuleLabel: () => narrativeRuleLabel,
   normalizeCommandForPolicy: () => normalizeCommandForPolicy,
   parseAllSshHostsFromCommand: () => parseAllSshHostsFromCommand,
   redactText: () => redactText,
   scanArgs: () => scanArgs,
   scanText: () => scanText,
   sensitivePathMatch: () => sensitivePathMatch,
+  summarizeBlast: () => summarizeBlast,
+  summarizeScan: () => summarizeScan,
+  truncateBlastPath: () => truncateBlastPath,
   validateOverrides: () => validateOverrides,
   validateRegex: () => validateRegex,
   validateShieldDefinition: () => validateShieldDefinition
@@ -67,6 +80,7 @@ __export(src_exports, {
 module.exports = __toCommonJS(src_exports);
 
 // src/dlp/index.ts
+var import_safe_regex2 = __toESM(require("safe-regex2"));
 var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
 function isAssignmentContext(text) {
   return ASSIGNMENT_CONTEXT_RE.test(text);
@@ -550,6 +564,23 @@ function sensitivePathMatch(originalPath) {
   };
 }
 var SENSITIVE_PATH_REGEXES = SENSITIVE_PATH_PATTERNS;
+function assertBuiltinPatternsAreSafe() {
+  for (const p of DLP_PATTERNS) {
+    if (!(0, import_safe_regex2.default)(p.regex.source)) {
+      throw new Error(
+        `[node9 engine] Builtin DLP pattern '${p.name}' is vulnerable to ReDoS: ${p.regex.source}`
+      );
+    }
+  }
+  for (const re of SENSITIVE_PATH_PATTERNS) {
+    if (!(0, import_safe_regex2.default)(re.source)) {
+      throw new Error(
+        `[node9 engine] Builtin sensitive-path pattern is vulnerable to ReDoS: ${re.source}`
+      );
+    }
+  }
+}
+assertBuiltinPatternsAreSafe();
 function maskSecret(raw, pattern) {
   const match = raw.match(pattern);
   if (!match) return "****";
@@ -1141,7 +1172,7 @@ function parseAllSshHostsFromCommand(command) {
 var import_picomatch = __toESM(require("picomatch"));
 
 // src/utils/regex.ts
-var import_safe_regex2 = __toESM(require("safe-regex2"));
+var import_safe_regex22 = __toESM(require("safe-regex2"));
 var MAX_REGEX_LENGTH = 100;
 var REGEX_CACHE_MAX = 500;
 var regexCache = /* @__PURE__ */ new Map();
@@ -1154,7 +1185,7 @@ function validateRegex(pattern) {
     return `Invalid regex syntax: ${e.message}`;
   }
   if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
-  if (!(0, import_safe_regex2.default)(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
+  if (!(0, import_safe_regex22.default)(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
   return null;
 }
 function getCompiledRegex(pattern, flags = "") {
@@ -1191,9 +1222,14 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
+var FORBIDDEN_PATH_SEGMENTS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
 function getNestedValue(obj, path) {
   if (!obj || typeof obj !== "object") return null;
-  return path.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  const segments = path.split(".");
+  for (const seg of segments) {
+    if (FORBIDDEN_PATH_SEGMENTS.has(seg)) return null;
+  }
+  return segments.reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1479,6 +1515,9 @@ function isIgnoredTool(toolName, config) {
   return matchesPattern(toolName, config.policy.ignoredTools);
 }
 
+// src/shields/index.ts
+var import_safe_regex23 = __toESM(require("safe-regex2"));
+
 // src/shields/builtin/aws.json
 var aws_default = {
   name: "aws",
@@ -1910,15 +1949,6 @@ var k8s_default = {
   dangerousWords: []
 };
 
-// src/shields/builtin/mcp-tool-gating.json
-var mcp_tool_gating_default = {
-  name: "mcp-tool-gating",
-  description: "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
-  aliases: ["mcp-gating", "mcp-tools"],
-  smartRules: [],
-  dangerousWords: []
-};
-
 // src/shields/builtin/mongodb.json
 var mongodb_default = {
   name: "mongodb",
@@ -2233,12 +2263,29 @@ var BUILTIN_SHIELDS = {
   [filesystem_default.name]: filesystem_default,
   [github_default.name]: github_default,
   [k8s_default.name]: k8s_default,
-  [mcp_tool_gating_default.name]: mcp_tool_gating_default,
   [mongodb_default.name]: mongodb_default,
   [postgres_default.name]: postgres_default,
   [project_jail_default.name]: project_jail_default,
   [redis_default.name]: redis_default
 };
+function assertBuiltinShieldRegexesAreSafe() {
+  for (const shield of Object.values(BUILTIN_SHIELDS)) {
+    for (const rule of shield.smartRules) {
+      const conditions = rule.conditions ?? [];
+      for (const cond of conditions) {
+        if (cond.op !== "matches" && cond.op !== "notMatches") continue;
+        const pattern = cond.value;
+        if (!pattern) continue;
+        if (!(0, import_safe_regex23.default)(pattern)) {
+          throw new Error(
+            `[node9 engine] Shield '${shield.name}' rule '${rule.name ?? rule.tool}' has unsafe regex: ${pattern}`
+          );
+        }
+      }
+    }
+  }
+}
+assertBuiltinShieldRegexesAreSafe();
 
 // src/loop/index.ts
 var import_crypto = __toESM(require("crypto"));
@@ -2257,20 +2304,267 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   return { nextRecords, count, looping: count >= threshold };
 }
 
+// src/scan/index.ts
+function emptySignals() {
+  return {
+    dlpFindings: 0,
+    piiFindings: 0,
+    sensitiveFileReads: 0,
+    privilegeEscalation: 0,
+    networkExfil: 0,
+    pipeToShell: 0,
+    evalOfRemote: 0,
+    destructiveOps: 0,
+    loops: 0,
+    longOutputRedactions: 0
+  };
+}
+var FINDING_TO_SIGNAL = {
+  dlp: "dlpFindings",
+  pii: "piiFindings",
+  "sensitive-file-read": "sensitiveFileReads",
+  "privilege-escalation": "privilegeEscalation",
+  "network-exfil": "networkExfil",
+  "pipe-to-shell": "pipeToShell",
+  "eval-of-remote": "evalOfRemote",
+  "destructive-op": "destructiveOps",
+  loop: "loops",
+  "long-output-redacted": "longOutputRedactions"
+};
+var SCAN_SIGNAL_WEIGHTS = {
+  dlpFindings: 30,
+  piiFindings: 10,
+  sensitiveFileReads: 20,
+  privilegeEscalation: 15,
+  networkExfil: 25,
+  pipeToShell: 30,
+  evalOfRemote: 30,
+  destructiveOps: 15,
+  loops: 3,
+  longOutputRedactions: 1
+};
+function computeScanScore(signals) {
+  let deduction = 0;
+  for (const key of Object.keys(signals)) {
+    deduction += signals[key] * SCAN_SIGNAL_WEIGHTS[key];
+  }
+  return Math.max(0, Math.min(100, 100 - deduction));
+}
+var LOOP_THRESHOLD_FOR_WASTE = 3;
+var COST_PER_LOOP_ITER_USD = 6e-3;
+function summarizeScan(findings, opts = {}) {
+  const totalToolCalls = opts.totalToolCalls ?? 0;
+  const topN = opts.topN ?? 10;
+  const signals = emptySignals();
+  const sessionIds = /* @__PURE__ */ new Set();
+  const patternCounts = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    sessionIds.add(f.sessionId);
+    const key = FINDING_TO_SIGNAL[f.type];
+    signals[key]++;
+    if (f.patternName) {
+      patternCounts.set(f.patternName, (patternCounts.get(f.patternName) ?? 0) + 1);
+    }
+  }
+  const topPatterns = [...patternCounts.entries()].sort((a, b) => {
+    if (b[1] !== a[1]) return b[1] - a[1];
+    return a[0].localeCompare(b[0]);
+  }).slice(0, topN).map(([patternName, count]) => ({ patternName, count }));
+  return {
+    totalSessions: sessionIds.size,
+    totalToolCalls,
+    signals,
+    topPatterns,
+    score: computeScanScore(signals)
+  };
+}
+
+// src/severity/index.ts
+function classifyRuleSeverity(name, verdict) {
+  const n = name.toLowerCase();
+  const criticalPatterns = [
+    "rm-rf",
+    "eval-remote",
+    "eval-curl",
+    "read-aws",
+    "read-ssh",
+    "read-gcp",
+    "read-cred",
+    "delete-repo",
+    "helm-uninstall",
+    "drop-table",
+    "drop-database",
+    "drop-collection",
+    "truncate",
+    "flushall",
+    "flushdb",
+    "pipe-shell"
+  ];
+  if (criticalPatterns.some((p) => n.includes(p))) return "critical";
+  const highPatterns = [
+    "force-push",
+    "force_push",
+    "git-destructive",
+    "reset-hard",
+    "rebase",
+    "delete-branch",
+    "delete-remote"
+  ];
+  if (highPatterns.some((p) => n.includes(p))) return "high";
+  if (verdict === "block") return "high";
+  return "medium";
+}
+function narrativeRuleLabel(name) {
+  const stripped = stripRulePrefixes(name);
+  const map = {
+    "read-aws": "AWS credentials read",
+    "read-ssh": "SSH private key read",
+    "read-gcp": "GCP credentials read",
+    "read-cred": "credential file read",
+    "delete-repo": "GitHub repository deletion",
+    "helm-uninstall": "helm uninstall",
+    "rm-rf-home": "rm -rf on home directory",
+    "rm-rf": "rm -rf",
+    "eval-remote": "eval of remote download",
+    "eval-curl": "eval of curl output",
+    "pipe-shell": "curl | bash",
+    "drop-table": "DROP TABLE",
+    "drop-database": "DROP DATABASE",
+    "drop-collection": "DROP COLLECTION",
+    truncate: "TRUNCATE",
+    flushall: "Redis FLUSHALL",
+    flushdb: "Redis FLUSHDB",
+    "force-push": "force pushes",
+    force_push: "force pushes",
+    "reset-hard": "git reset --hard",
+    "git-destructive": "destructive git operations",
+    "delete-branch": "branch deletion",
+    "delete-remote": "remote deletion",
+    rebase: "git rebase",
+    rm: "rm calls",
+    sudo: "sudo calls",
+    "eval-dynamic": "dynamic eval",
+    "config-set": "Redis CONFIG SET"
+  };
+  for (const [key, label] of Object.entries(map)) {
+    if (stripped.includes(key)) return label;
+  }
+  return stripped;
+}
+function stripRulePrefixes(name) {
+  let n = name.toLowerCase();
+  if (n.startsWith("org:")) n = n.slice(4);
+  const shieldMatch = /^shield:[^:]+:(.+)$/.exec(n);
+  if (shieldMatch) n = shieldMatch[1];
+  n = n.replace(/^(block|review|allow)-/, "");
+  return n;
+}
+function classifyAuditEntry(entry) {
+  const ruleName = entry.riskMetadata?.ruleName;
+  if (typeof ruleName === "string" && ruleName.length > 0) {
+    const verdict = entry.action === "AUTO_BLOCKED" || entry.action === "DENIED" ? "block" : entry.action === "APPROVED" || entry.action === "AUTO_ALLOWED" ? "allow" : "review";
+    return classifyRuleSeverity(ruleName, verdict);
+  }
+  const cb = entry.checkedBy ?? "";
+  if (cb === "dlp-block" || cb.startsWith("dlp-saas:")) return "critical";
+  if (cb.startsWith("eval-saas") || cb === "pipe-chain-saas:critical") {
+    return "critical";
+  }
+  if (cb === "loop-detected") return "medium";
+  const isBlocked = entry.action === "AUTO_BLOCKED" || entry.action === "DENIED";
+  if (isBlocked) return "high";
+  return null;
+}
+function computeSecurityScore(opts) {
+  const { critical, high, medium, total } = opts;
+  if (total === 0) return { score: 100, tier: "good" };
+  const criticalRate = critical / total;
+  const highRate = high / total;
+  const mediumRate = medium / total;
+  const deduction = Math.min(criticalRate * 3e3, 60) + Math.min(highRate * 500, 30) + Math.min(mediumRate * 100, 15);
+  const score = Math.max(0, Math.min(100, Math.round(100 - deduction)));
+  const tier = score >= 80 ? "good" : score >= 50 ? "at-risk" : "critical";
+  return { score, tier };
+}
+function classifyScanSignal(key) {
+  const w = SCAN_SIGNAL_WEIGHTS[key];
+  if (w >= 25) return "critical";
+  if (w >= 11) return "high";
+  return "medium";
+}
+function computeBlendedSecurityScore(opts) {
+  const { audit, scan } = opts;
+  let critical = audit.critical;
+  let high = audit.high;
+  let medium = audit.medium;
+  let total = audit.total;
+  if (scan) {
+    let scanFindingSum = 0;
+    for (const key of Object.keys(scan.signals)) {
+      const count = scan.signals[key];
+      if (count <= 0) continue;
+      const tier = classifyScanSignal(key);
+      if (tier === "critical") critical += count;
+      else if (tier === "high") high += count;
+      else medium += count;
+      scanFindingSum += count;
+    }
+    const scanContribution = Math.max(scan.totalToolCalls ?? 0, scanFindingSum);
+    total += scanContribution;
+  }
+  return computeSecurityScore({ critical, high, medium, total });
+}
+
+// src/blast/index.ts
+function truncateBlastPath(full) {
+  if (!full) return "";
+  const cleaned = full.replace(/[/\\]+$/, "");
+  const parts = cleaned.split(/[/\\]+/).filter((p) => p.length > 0);
+  if (parts.length <= 2) {
+    return cleaned.startsWith("~") && !cleaned.startsWith("~/") ? cleaned : cleaned.startsWith("~/") ? cleaned : parts.join("/");
+  }
+  return parts.slice(-2).join("/");
+}
+function summarizeBlast(result, opts = {}) {
+  const topN = opts.topN ?? 5;
+  const sorted = [...result.reachable].sort((a, b) => {
+    if (b.score !== a.score) return b.score - a.score;
+    return a.label.localeCompare(b.label);
+  });
+  return {
+    score: result.score,
+    exposureCount: result.reachable.length + result.envFindings.length,
+    envExposureCount: result.envFindings.length,
+    worstPaths: sorted.slice(0, topN).map((f) => ({
+      path: truncateBlastPath(f.label),
+      score: f.score
+    }))
+  };
+}
+
 // src/index.ts
-var ENGINE_VERSION = "1.0.0";
+var ENGINE_VERSION = "1.4.0";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BUILTIN_SHIELDS,
+  COST_PER_LOOP_ITER_USD,
   DLP_PATTERNS,
   ENGINE_VERSION,
   FLAGS_WITH_VALUES,
   LOOP_MAX_RECORDS,
+  LOOP_THRESHOLD_FOR_WASTE,
+  SCAN_SIGNAL_WEIGHTS,
   SENSITIVE_PATH_REGEXES,
   analyzePipeChain,
   analyzeShellCommand,
   checkDangerousSql,
+  classifyAuditEntry,
+  classifyRuleSeverity,
+  classifyScanSignal,
   computeArgsHash,
+  computeBlendedSecurityScore,
+  computeScanScore,
+  computeSecurityScore,
   detectDangerousEval,
   detectDangerousShellExec,
   evaluateLoopWindow,
@@ -2285,12 +2579,16 @@ var ENGINE_VERSION = "1.0.0";
   isShieldVerdict,
   matchSensitivePath,
   matchesPattern,
+  narrativeRuleLabel,
   normalizeCommandForPolicy,
   parseAllSshHostsFromCommand,
   redactText,
   scanArgs,
   scanText,
   sensitivePathMatch,
+  summarizeBlast,
+  summarizeScan,
+  truncateBlastPath,
   validateOverrides,
   validateRegex,
   validateShieldDefinition