@node9/policy-engine 1.0.0 → 1.4.0

package/dist/index.mjs

@@ -1,4 +1,5 @@
 // src/dlp/index.ts
+import safeRegex from "safe-regex2";
 var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
 function isAssignmentContext(text) {
   return ASSIGNMENT_CONTEXT_RE.test(text);
@@ -482,6 +483,23 @@ function sensitivePathMatch(originalPath) {
   };
 }
 var SENSITIVE_PATH_REGEXES = SENSITIVE_PATH_PATTERNS;
+function assertBuiltinPatternsAreSafe() {
+  for (const p of DLP_PATTERNS) {
+    if (!safeRegex(p.regex.source)) {
+      throw new Error(
+        `[node9 engine] Builtin DLP pattern '${p.name}' is vulnerable to ReDoS: ${p.regex.source}`
+      );
+    }
+  }
+  for (const re of SENSITIVE_PATH_PATTERNS) {
+    if (!safeRegex(re.source)) {
+      throw new Error(
+        `[node9 engine] Builtin sensitive-path pattern is vulnerable to ReDoS: ${re.source}`
+      );
+    }
+  }
+}
+assertBuiltinPatternsAreSafe();
 function maskSecret(raw, pattern) {
   const match = raw.match(pattern);
   if (!match) return "****";
@@ -1073,7 +1091,7 @@ function parseAllSshHostsFromCommand(command) {
 import pm from "picomatch";
 
 // src/utils/regex.ts
-import safeRegex from "safe-regex2";
+import safeRegex2 from "safe-regex2";
 var MAX_REGEX_LENGTH = 100;
 var REGEX_CACHE_MAX = 500;
 var regexCache = /* @__PURE__ */ new Map();
@@ -1086,7 +1104,7 @@ function validateRegex(pattern) {
     return `Invalid regex syntax: ${e.message}`;
   }
   if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
-  if (!safeRegex(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
+  if (!safeRegex2(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
   return null;
 }
 function getCompiledRegex(pattern, flags = "") {
@@ -1123,9 +1141,14 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
+var FORBIDDEN_PATH_SEGMENTS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
 function getNestedValue(obj, path) {
   if (!obj || typeof obj !== "object") return null;
-  return path.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  const segments = path.split(".");
+  for (const seg of segments) {
+    if (FORBIDDEN_PATH_SEGMENTS.has(seg)) return null;
+  }
+  return segments.reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1411,6 +1434,9 @@ function isIgnoredTool(toolName, config) {
   return matchesPattern(toolName, config.policy.ignoredTools);
 }
 
+// src/shields/index.ts
+import safeRegex3 from "safe-regex2";
+
 // src/shields/builtin/aws.json
 var aws_default = {
   name: "aws",
@@ -1842,15 +1868,6 @@ var k8s_default = {
   dangerousWords: []
 };
 
-// src/shields/builtin/mcp-tool-gating.json
-var mcp_tool_gating_default = {
-  name: "mcp-tool-gating",
-  description: "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
-  aliases: ["mcp-gating", "mcp-tools"],
-  smartRules: [],
-  dangerousWords: []
-};
-
 // src/shields/builtin/mongodb.json
 var mongodb_default = {
   name: "mongodb",
@@ -2165,12 +2182,29 @@ var BUILTIN_SHIELDS = {
   [filesystem_default.name]: filesystem_default,
   [github_default.name]: github_default,
   [k8s_default.name]: k8s_default,
-  [mcp_tool_gating_default.name]: mcp_tool_gating_default,
   [mongodb_default.name]: mongodb_default,
   [postgres_default.name]: postgres_default,
   [project_jail_default.name]: project_jail_default,
   [redis_default.name]: redis_default
 };
+function assertBuiltinShieldRegexesAreSafe() {
+  for (const shield of Object.values(BUILTIN_SHIELDS)) {
+    for (const rule of shield.smartRules) {
+      const conditions = rule.conditions ?? [];
+      for (const cond of conditions) {
+        if (cond.op !== "matches" && cond.op !== "notMatches") continue;
+        const pattern = cond.value;
+        if (!pattern) continue;
+        if (!safeRegex3(pattern)) {
+          throw new Error(
+            `[node9 engine] Shield '${shield.name}' rule '${rule.name ?? rule.tool}' has unsafe regex: ${pattern}`
+          );
+        }
+      }
+    }
+  }
+}
+assertBuiltinShieldRegexesAreSafe();
 
 // src/loop/index.ts
 import crypto from "crypto";
@@ -2189,19 +2223,266 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   return { nextRecords, count, looping: count >= threshold };
 }
 
+// src/scan/index.ts
+function emptySignals() {
+  return {
+    dlpFindings: 0,
+    piiFindings: 0,
+    sensitiveFileReads: 0,
+    privilegeEscalation: 0,
+    networkExfil: 0,
+    pipeToShell: 0,
+    evalOfRemote: 0,
+    destructiveOps: 0,
+    loops: 0,
+    longOutputRedactions: 0
+  };
+}
+var FINDING_TO_SIGNAL = {
+  dlp: "dlpFindings",
+  pii: "piiFindings",
+  "sensitive-file-read": "sensitiveFileReads",
+  "privilege-escalation": "privilegeEscalation",
+  "network-exfil": "networkExfil",
+  "pipe-to-shell": "pipeToShell",
+  "eval-of-remote": "evalOfRemote",
+  "destructive-op": "destructiveOps",
+  loop: "loops",
+  "long-output-redacted": "longOutputRedactions"
+};
+var SCAN_SIGNAL_WEIGHTS = {
+  dlpFindings: 30,
+  piiFindings: 10,
+  sensitiveFileReads: 20,
+  privilegeEscalation: 15,
+  networkExfil: 25,
+  pipeToShell: 30,
+  evalOfRemote: 30,
+  destructiveOps: 15,
+  loops: 3,
+  longOutputRedactions: 1
+};
+function computeScanScore(signals) {
+  let deduction = 0;
+  for (const key of Object.keys(signals)) {
+    deduction += signals[key] * SCAN_SIGNAL_WEIGHTS[key];
+  }
+  return Math.max(0, Math.min(100, 100 - deduction));
+}
+var LOOP_THRESHOLD_FOR_WASTE = 3;
+var COST_PER_LOOP_ITER_USD = 6e-3;
+function summarizeScan(findings, opts = {}) {
+  const totalToolCalls = opts.totalToolCalls ?? 0;
+  const topN = opts.topN ?? 10;
+  const signals = emptySignals();
+  const sessionIds = /* @__PURE__ */ new Set();
+  const patternCounts = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    sessionIds.add(f.sessionId);
+    const key = FINDING_TO_SIGNAL[f.type];
+    signals[key]++;
+    if (f.patternName) {
+      patternCounts.set(f.patternName, (patternCounts.get(f.patternName) ?? 0) + 1);
+    }
+  }
+  const topPatterns = [...patternCounts.entries()].sort((a, b) => {
+    if (b[1] !== a[1]) return b[1] - a[1];
+    return a[0].localeCompare(b[0]);
+  }).slice(0, topN).map(([patternName, count]) => ({ patternName, count }));
+  return {
+    totalSessions: sessionIds.size,
+    totalToolCalls,
+    signals,
+    topPatterns,
+    score: computeScanScore(signals)
+  };
+}
+
+// src/severity/index.ts
+function classifyRuleSeverity(name, verdict) {
+  const n = name.toLowerCase();
+  const criticalPatterns = [
+    "rm-rf",
+    "eval-remote",
+    "eval-curl",
+    "read-aws",
+    "read-ssh",
+    "read-gcp",
+    "read-cred",
+    "delete-repo",
+    "helm-uninstall",
+    "drop-table",
+    "drop-database",
+    "drop-collection",
+    "truncate",
+    "flushall",
+    "flushdb",
+    "pipe-shell"
+  ];
+  if (criticalPatterns.some((p) => n.includes(p))) return "critical";
+  const highPatterns = [
+    "force-push",
+    "force_push",
+    "git-destructive",
+    "reset-hard",
+    "rebase",
+    "delete-branch",
+    "delete-remote"
+  ];
+  if (highPatterns.some((p) => n.includes(p))) return "high";
+  if (verdict === "block") return "high";
+  return "medium";
+}
+function narrativeRuleLabel(name) {
+  const stripped = stripRulePrefixes(name);
+  const map = {
+    "read-aws": "AWS credentials read",
+    "read-ssh": "SSH private key read",
+    "read-gcp": "GCP credentials read",
+    "read-cred": "credential file read",
+    "delete-repo": "GitHub repository deletion",
+    "helm-uninstall": "helm uninstall",
+    "rm-rf-home": "rm -rf on home directory",
+    "rm-rf": "rm -rf",
+    "eval-remote": "eval of remote download",
+    "eval-curl": "eval of curl output",
+    "pipe-shell": "curl | bash",
+    "drop-table": "DROP TABLE",
+    "drop-database": "DROP DATABASE",
+    "drop-collection": "DROP COLLECTION",
+    truncate: "TRUNCATE",
+    flushall: "Redis FLUSHALL",
+    flushdb: "Redis FLUSHDB",
+    "force-push": "force pushes",
+    force_push: "force pushes",
+    "reset-hard": "git reset --hard",
+    "git-destructive": "destructive git operations",
+    "delete-branch": "branch deletion",
+    "delete-remote": "remote deletion",
+    rebase: "git rebase",
+    rm: "rm calls",
+    sudo: "sudo calls",
+    "eval-dynamic": "dynamic eval",
+    "config-set": "Redis CONFIG SET"
+  };
+  for (const [key, label] of Object.entries(map)) {
+    if (stripped.includes(key)) return label;
+  }
+  return stripped;
+}
+function stripRulePrefixes(name) {
+  let n = name.toLowerCase();
+  if (n.startsWith("org:")) n = n.slice(4);
+  const shieldMatch = /^shield:[^:]+:(.+)$/.exec(n);
+  if (shieldMatch) n = shieldMatch[1];
+  n = n.replace(/^(block|review|allow)-/, "");
+  return n;
+}
+function classifyAuditEntry(entry) {
+  const ruleName = entry.riskMetadata?.ruleName;
+  if (typeof ruleName === "string" && ruleName.length > 0) {
+    const verdict = entry.action === "AUTO_BLOCKED" || entry.action === "DENIED" ? "block" : entry.action === "APPROVED" || entry.action === "AUTO_ALLOWED" ? "allow" : "review";
+    return classifyRuleSeverity(ruleName, verdict);
+  }
+  const cb = entry.checkedBy ?? "";
+  if (cb === "dlp-block" || cb.startsWith("dlp-saas:")) return "critical";
+  if (cb.startsWith("eval-saas") || cb === "pipe-chain-saas:critical") {
+    return "critical";
+  }
+  if (cb === "loop-detected") return "medium";
+  const isBlocked = entry.action === "AUTO_BLOCKED" || entry.action === "DENIED";
+  if (isBlocked) return "high";
+  return null;
+}
+function computeSecurityScore(opts) {
+  const { critical, high, medium, total } = opts;
+  if (total === 0) return { score: 100, tier: "good" };
+  const criticalRate = critical / total;
+  const highRate = high / total;
+  const mediumRate = medium / total;
+  const deduction = Math.min(criticalRate * 3e3, 60) + Math.min(highRate * 500, 30) + Math.min(mediumRate * 100, 15);
+  const score = Math.max(0, Math.min(100, Math.round(100 - deduction)));
+  const tier = score >= 80 ? "good" : score >= 50 ? "at-risk" : "critical";
+  return { score, tier };
+}
+function classifyScanSignal(key) {
+  const w = SCAN_SIGNAL_WEIGHTS[key];
+  if (w >= 25) return "critical";
+  if (w >= 11) return "high";
+  return "medium";
+}
+function computeBlendedSecurityScore(opts) {
+  const { audit, scan } = opts;
+  let critical = audit.critical;
+  let high = audit.high;
+  let medium = audit.medium;
+  let total = audit.total;
+  if (scan) {
+    let scanFindingSum = 0;
+    for (const key of Object.keys(scan.signals)) {
+      const count = scan.signals[key];
+      if (count <= 0) continue;
+      const tier = classifyScanSignal(key);
+      if (tier === "critical") critical += count;
+      else if (tier === "high") high += count;
+      else medium += count;
+      scanFindingSum += count;
+    }
+    const scanContribution = Math.max(scan.totalToolCalls ?? 0, scanFindingSum);
+    total += scanContribution;
+  }
+  return computeSecurityScore({ critical, high, medium, total });
+}
+
+// src/blast/index.ts
+function truncateBlastPath(full) {
+  if (!full) return "";
+  const cleaned = full.replace(/[/\\]+$/, "");
+  const parts = cleaned.split(/[/\\]+/).filter((p) => p.length > 0);
+  if (parts.length <= 2) {
+    return cleaned.startsWith("~") && !cleaned.startsWith("~/") ? cleaned : cleaned.startsWith("~/") ? cleaned : parts.join("/");
+  }
+  return parts.slice(-2).join("/");
+}
+function summarizeBlast(result, opts = {}) {
+  const topN = opts.topN ?? 5;
+  const sorted = [...result.reachable].sort((a, b) => {
+    if (b.score !== a.score) return b.score - a.score;
+    return a.label.localeCompare(b.label);
+  });
+  return {
+    score: result.score,
+    exposureCount: result.reachable.length + result.envFindings.length,
+    envExposureCount: result.envFindings.length,
+    worstPaths: sorted.slice(0, topN).map((f) => ({
+      path: truncateBlastPath(f.label),
+      score: f.score
+    }))
+  };
+}
+
 // src/index.ts
-var ENGINE_VERSION = "1.0.0";
+var ENGINE_VERSION = "1.4.0";
 export {
   BUILTIN_SHIELDS,
+  COST_PER_LOOP_ITER_USD,
   DLP_PATTERNS,
   ENGINE_VERSION,
   FLAGS_WITH_VALUES,
   LOOP_MAX_RECORDS,
+  LOOP_THRESHOLD_FOR_WASTE,
+  SCAN_SIGNAL_WEIGHTS,
   SENSITIVE_PATH_REGEXES,
   analyzePipeChain,
   analyzeShellCommand,
   checkDangerousSql,
+  classifyAuditEntry,
+  classifyRuleSeverity,
+  classifyScanSignal,
   computeArgsHash,
+  computeBlendedSecurityScore,
+  computeScanScore,
+  computeSecurityScore,
   detectDangerousEval,
   detectDangerousShellExec,
   evaluateLoopWindow,
@@ -2216,12 +2497,16 @@ export {
   isShieldVerdict,
   matchSensitivePath,
   matchesPattern,
+  narrativeRuleLabel,
   normalizeCommandForPolicy,
   parseAllSshHostsFromCommand,
   redactText,
   scanArgs,
   scanText,
   sensitivePathMatch,
+  summarizeBlast,
+  summarizeScan,
+  truncateBlastPath,
   validateOverrides,
   validateRegex,
   validateShieldDefinition

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@node9/policy-engine",
-  "version": "1.0.0",
+  "version": "1.4.0",
   "description": "Shared policy evaluation engine for node9 — DLP, smart rules, AST shell parsing, shields, loop detection. Pure functions, no I/O. Used by both node9-proxy and the node9 SaaS firewall.",
   "license": "Apache-2.0",
   "homepage": "https://node9.ai",
   "repository": {
     "type": "git",
-    "url": "https://github.com/node9-ai/node9-proxy.git",
+    "url": "git+https://github.com/node9-ai/node9-proxy.git",
     "directory": "packages/policy-engine"
   },
   "keywords": [