@odavl/guardian 0.2.0 → 1.0.0

package/src/enterprise/rbac-gate.js

@@ -0,0 +1,142 @@
+/**
+ * Phase C: RBAC Gate Enforcement
+ * Single shared gate for all sensitive commands
+ * Ensures no bypass paths exist
+ */
+
+const { requirePermission } = require('./rbac');
+const { logAudit, AUDIT_ACTIONS } = require('./audit-logger');
+
+/**
+ * Definitive list of all sensitive commands and their required permissions
+ */
+const SENSITIVE_COMMANDS = {
+  // Scan operations
+  'scan:run': {
+    action: AUDIT_ACTIONS.SCAN_RUN,
+    description: 'Execute scan',
+  },
+  'scan:view': {
+    action: AUDIT_ACTIONS.SCAN_VIEW,
+    description: 'View scan results',
+  },
+
+  // Live scheduling
+  'live:start': {
+    action: AUDIT_ACTIONS.LIVE_START,
+    description: 'Start live scheduler',
+  },
+  'live:stop': {
+    action: AUDIT_ACTIONS.LIVE_STOP,
+    description: 'Stop live scheduler',
+  },
+
+  // Site management
+  'site:add': {
+    action: AUDIT_ACTIONS.SITE_ADD,
+    description: 'Add site',
+  },
+  'site:remove': {
+    action: AUDIT_ACTIONS.SITE_REMOVE,
+    description: 'Remove site',
+  },
+
+  // User management
+  'user:add': {
+    action: AUDIT_ACTIONS.USER_ADD,
+    description: 'Add user',
+  },
+  'user:remove': {
+    action: AUDIT_ACTIONS.USER_REMOVE,
+    description: 'Remove user',
+  },
+
+  // Recipe management
+  'recipe:import': {
+    action: AUDIT_ACTIONS.RECIPE_IMPORT,
+    description: 'Import recipe',
+  },
+  'recipe:export': {
+    action: AUDIT_ACTIONS.RECIPE_EXPORT,
+    description: 'Export recipe',
+  },
+  'recipe:remove': {
+    action: 'recipe:remove',
+    description: 'Remove recipe',
+  },
+
+  // Export operations
+  'export:pdf': {
+    action: AUDIT_ACTIONS.EXPORT_PDF,
+    description: 'Export PDF report',
+  },
+
+  // Plan operations
+  'plan:upgrade': {
+    action: AUDIT_ACTIONS.PLAN_UPGRADE,
+    description: 'Upgrade plan',
+  },
+
+  // Audit operations
+  'audit:view': {
+    action: 'audit:view',
+    description: 'View audit logs',
+  },
+};
+
+/**
+ * Gate function: Check permission and log action
+ * This is the SINGLE entry point for all sensitive commands
+ * 
+ * @param {string} permission - Permission string (e.g., 'scan:run', 'user:add')
+ * @param {Object} context - Optional context info for audit log
+ * @throws {Error} If permission denied
+ */
+function enforceGate(permission, context = {}) {
+  // Validate permission exists in sensitive commands
+  if (!SENSITIVE_COMMANDS[permission]) {
+    throw new Error(`Unknown sensitive command: ${permission}`);
+  }
+
+  // Enforce RBAC
+  requirePermission(permission, SENSITIVE_COMMANDS[permission].description);
+
+  // Log to audit trail (immediately after successful permission check)
+  const cmdInfo = SENSITIVE_COMMANDS[permission];
+  logAudit(cmdInfo.action, {
+    permission,
+    description: cmdInfo.description,
+    ...context,
+  });
+
+  // Return context for caller to use
+  return {
+    permission,
+    action: cmdInfo.action,
+    description: cmdInfo.description,
+  };
+}
+
+/**
+ * Get all sensitive commands (for testing/documentation)
+ */
+function listSensitiveCommands() {
+  return Object.entries(SENSITIVE_COMMANDS).map(([permission, info]) => ({
+    permission,
+    ...info,
+  }));
+}
+
+/**
+ * Check if a permission is sensitive (gated)
+ */
+function isSensitiveCommand(permission) {
+  return permission in SENSITIVE_COMMANDS;
+}
+
+module.exports = {
+  enforceGate,
+  listSensitiveCommands,
+  isSensitiveCommand,
+  SENSITIVE_COMMANDS,
+};

package/src/enterprise/rbac.js

@@ -0,0 +1,239 @@
+/**
+ * Phase 11: Role-Based Access Control (RBAC)
+ * Enforce permission checks for enterprise features
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const RBAC_DIR = path.join(os.homedir(), '.odavl-guardian', 'rbac');
+const USERS_FILE = path.join(RBAC_DIR, 'users.json');
+
+// Role definitions
+const ROLES = {
+  ADMIN: {
+    name: 'ADMIN',
+    permissions: [
+      'scan:run',
+      'scan:view',
+      'live:run',
+      'site:add',
+      'site:remove',
+      'site:view',
+      'plan:view',
+      'plan:upgrade',
+      'user:add',
+      'user:remove',
+      'user:view',
+      'audit:view',
+      'export:pdf',
+      'recipe:manage',
+    ],
+  },
+  OPERATOR: {
+    name: 'OPERATOR',
+    permissions: [
+      'scan:run',
+      'scan:view',
+      'live:run',
+      'site:view',
+      'plan:view',
+      'export:pdf',
+    ],
+  },
+  VIEWER: {
+    name: 'VIEWER',
+    permissions: [
+      'scan:view',
+      'site:view',
+      'plan:view',
+      'audit:view',
+    ],
+  },
+};
+
+/**
+ * Ensure RBAC directory exists
+ */
+function ensureRbacDir() {
+  if (!fs.existsSync(RBAC_DIR)) {
+    fs.mkdirSync(RBAC_DIR, { recursive: true });
+  }
+}
+
+/**
+ * Get all users
+ */
+function getUsers() {
+  ensureRbacDir();
+  
+  if (!fs.existsSync(USERS_FILE)) {
+    // Default: current user is ADMIN
+    const defaultUser = {
+      username: os.userInfo().username || 'admin',
+      role: 'ADMIN',
+      addedAt: new Date().toISOString(),
+    };
+    return { users: [defaultUser] };
+  }
+  
+  try {
+    return JSON.parse(fs.readFileSync(USERS_FILE, 'utf-8'));
+  } catch (error) {
+    const defaultUser = {
+      username: os.userInfo().username || 'admin',
+      role: 'ADMIN',
+      addedAt: new Date().toISOString(),
+    };
+    return { users: [defaultUser] };
+  }
+}
+
+/**
+ * Save users
+ */
+function saveUsers(data) {
+  ensureRbacDir();
+  fs.writeFileSync(USERS_FILE, JSON.stringify(data, null, 2), 'utf-8');
+}
+
+/**
+ * Add a user
+ */
+function addUser(username, role = 'VIEWER') {
+  if (!ROLES[role]) {
+    throw new Error(`Invalid role: ${role}. Must be ADMIN, OPERATOR, or VIEWER`);
+  }
+  
+  const data = getUsers();
+  
+  // Check if user already exists
+  const existing = data.users.find(u => u.username === username);
+  if (existing) {
+    throw new Error(`User '${username}' already exists`);
+  }
+  
+  const user = {
+    username,
+    role,
+    addedAt: new Date().toISOString(),
+  };
+  
+  data.users.push(user);
+  saveUsers(data);
+  
+  return user;
+}
+
+/**
+ * Remove a user
+ */
+function removeUser(username) {
+  const data = getUsers();
+  
+  const index = data.users.findIndex(u => u.username === username);
+  if (index === -1) {
+    throw new Error(`User '${username}' not found`);
+  }
+  
+  // Prevent removing last ADMIN
+  const user = data.users[index];
+  if (user.role === 'ADMIN') {
+    const adminCount = data.users.filter(u => u.role === 'ADMIN').length;
+    if (adminCount === 1) {
+      throw new Error('Cannot remove last ADMIN user');
+    }
+  }
+  
+  data.users.splice(index, 1);
+  saveUsers(data);
+  
+  return user;
+}
+
+/**
+ * Get current user
+ */
+function getCurrentUser() {
+  const currentUsername = os.userInfo().username || 'admin';
+  const data = getUsers();
+  
+  let user = data.users.find(u => u.username === currentUsername);
+  
+  // If user doesn't exist, create as ADMIN
+  if (!user) {
+    user = {
+      username: currentUsername,
+      role: 'ADMIN',
+      addedAt: new Date().toISOString(),
+    };
+    data.users.push(user);
+    saveUsers(data);
+  }
+  
+  return user;
+}
+
+/**
+ * Check if user has permission
+ */
+function hasPermission(permission) {
+  const user = getCurrentUser();
+  const role = ROLES[user.role];
+  
+  if (!role) {
+    return false;
+  }
+  
+  return role.permissions.includes(permission);
+}
+
+/**
+ * Require permission (throws if denied)
+ */
+function requirePermission(permission, action = null) {
+  if (!hasPermission(permission)) {
+    const user = getCurrentUser();
+    const actionMsg = action ? ` to ${action}` : '';
+    throw new Error(
+      `Permission denied${actionMsg}. Required: ${permission}. Your role: ${user.role}`
+    );
+  }
+}
+
+/**
+ * Get role details
+ */
+function getRole(roleName) {
+  return ROLES[roleName];
+}
+
+/**
+ * List all roles
+ */
+function listRoles() {
+  return Object.values(ROLES);
+}
+
+/**
+ * Reset users (for testing)
+ */
+function resetUsers() {
+  if (fs.existsSync(USERS_FILE)) {
+    fs.unlinkSync(USERS_FILE);
+  }
+}
+
+module.exports = {
+  ROLES,
+  addUser,
+  removeUser,
+  getUsers,
+  getCurrentUser,
+  hasPermission,
+  requirePermission,
+  getRole,
+  listRoles,
+  resetUsers,
+};

package/src/enterprise/site-manager.js

@@ -0,0 +1,180 @@
+/**
+ * Phase 11: Multi-Site Management
+ * Support multiple sites per install with project organization
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const SITES_DIR = path.join(os.homedir(), '.odavl-guardian', 'sites');
+const SITES_FILE = path.join(SITES_DIR, 'sites.json');
+
+/**
+ * Ensure sites directory exists
+ */
+function ensureSitesDir() {
+  if (!fs.existsSync(SITES_DIR)) {
+    fs.mkdirSync(SITES_DIR, { recursive: true });
+  }
+}
+
+/**
+ * Get all sites
+ */
+function getSites() {
+  ensureSitesDir();
+  
+  if (!fs.existsSync(SITES_FILE)) {
+    return { sites: [], projects: {} };
+  }
+  
+  try {
+    return JSON.parse(fs.readFileSync(SITES_FILE, 'utf-8'));
+  } catch (error) {
+    return { sites: [], projects: {} };
+  }
+}
+
+/**
+ * Save sites
+ */
+function saveSites(data) {
+  ensureSitesDir();
+  fs.writeFileSync(SITES_FILE, JSON.stringify(data, null, 2), 'utf-8');
+}
+
+/**
+ * Add a site
+ */
+function addSite(name, url, project = 'default') {
+  const data = getSites();
+  
+  // Check if site name already exists
+  const existing = data.sites.find(s => s.name === name);
+  if (existing) {
+    throw new Error(`Site '${name}' already exists`);
+  }
+  
+  // Validate URL
+  try {
+    new URL(url);
+  } catch (error) {
+    throw new Error(`Invalid URL: ${url}`);
+  }
+  
+  const site = {
+    name,
+    url,
+    project,
+    addedAt: new Date().toISOString(),
+    lastScannedAt: null,
+    scanCount: 0,
+  };
+  
+  data.sites.push(site);
+  
+  // Add to project index
+  if (!data.projects[project]) {
+    data.projects[project] = [];
+  }
+  data.projects[project].push(name);
+  
+  saveSites(data);
+  return site;
+}
+
+/**
+ * Remove a site
+ */
+function removeSite(name) {
+  const data = getSites();
+  
+  const index = data.sites.findIndex(s => s.name === name);
+  if (index === -1) {
+    throw new Error(`Site '${name}' not found`);
+  }
+  
+  const site = data.sites[index];
+  
+  // Remove from sites array
+  data.sites.splice(index, 1);
+  
+  // Remove from project index
+  if (data.projects[site.project]) {
+    data.projects[site.project] = data.projects[site.project].filter(n => n !== name);
+    
+    // Clean up empty projects
+    if (data.projects[site.project].length === 0) {
+      delete data.projects[site.project];
+    }
+  }
+  
+  saveSites(data);
+  return site;
+}
+
+/**
+ * Get a site by name
+ */
+function getSite(name) {
+  const data = getSites();
+  return data.sites.find(s => s.name === name);
+}
+
+/**
+ * Update site scan stats
+ */
+function recordSiteScan(name) {
+  const data = getSites();
+  
+  const site = data.sites.find(s => s.name === name);
+  if (!site) {
+    return null;
+  }
+  
+  site.lastScannedAt = new Date().toISOString();
+  site.scanCount += 1;
+  
+  saveSites(data);
+  return site;
+}
+
+/**
+ * Get sites by project
+ */
+function getSitesByProject(project) {
+  const data = getSites();
+  return data.sites.filter(s => s.project === project);
+}
+
+/**
+ * List all projects
+ */
+function listProjects() {
+  const data = getSites();
+  return Object.keys(data.projects).map(name => ({
+    name,
+    siteCount: data.projects[name].length,
+  }));
+}
+
+/**
+ * Reset sites (for testing)
+ */
+function resetSites() {
+  if (fs.existsSync(SITES_FILE)) {
+    fs.unlinkSync(SITES_FILE);
+  }
+}
+
+module.exports = {
+  addSite,
+  removeSite,
+  getSite,
+  getSites,
+  recordSiteScan,
+  getSitesByProject,
+  listProjects,
+  resetSites,
+};

package/src/founder/feedback-system.js

@@ -0,0 +1,156 @@
+/**
+ * Phase 10: Feedback System
+ * Lightweight feedback capture from users
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const readline = require('readline');
+
+const FEEDBACK_DIR = path.join(os.homedir(), '.odavl-guardian', 'feedback');
+
+/**
+ * Ensure feedback directory exists
+ */
+function ensureFeedbackDir() {
+  if (!fs.existsSync(FEEDBACK_DIR)) {
+    fs.mkdirSync(FEEDBACK_DIR, { recursive: true });
+  }
+}
+
+/**
+ * Create readline interface for interactive prompts
+ */
+function createPrompt() {
+  return readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+}
+
+/**
+ * Ask a question and get response
+ */
+function ask(rl, question) {
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      resolve(answer.trim());
+    });
+  });
+}
+
+/**
+ * Run interactive feedback session
+ */
+async function runFeedbackSession() {
+  console.log('\n🙏 Thank you for taking time to share feedback!\n');
+  console.log('This helps us improve Guardian for everyone.\n');
+  
+  const rl = createPrompt();
+  const feedback = {
+    timestamp: new Date().toISOString(),
+    responses: {},
+  };
+  
+  try {
+    // Question 1: What worked?
+    console.log('1️⃣  What worked well for you?');
+    feedback.responses.whatWorked = await ask(rl, '   → ');
+    console.log();
+    
+    // Question 2: What blocked you?
+    console.log('2️⃣  What blocked you or was frustrating?');
+    feedback.responses.whatBlocked = await ask(rl, '   → ');
+    console.log();
+    
+    // Question 3: Would you recommend?
+    console.log('3️⃣  Would you recommend Guardian to others? (yes/no)');
+    const recommend = await ask(rl, '   → ');
+    feedback.responses.wouldRecommend = recommend.toLowerCase().startsWith('y') ? 'yes' : 'no';
+    console.log();
+    
+    // Optional: Email
+    console.log('📧 (Optional) Share your email if you\'d like updates:');
+    const email = await ask(rl, '   → ');
+    if (email && email.includes('@')) {
+      feedback.email = email;
+    }
+    
+    rl.close();
+    
+    // Save feedback
+    saveFeedback(feedback);
+    
+    console.log('\n✅ Feedback saved! Thank you for helping improve Guardian.\n');
+    
+    return feedback;
+  } catch (error) {
+    rl.close();
+    throw error;
+  }
+}
+
+/**
+ * Save feedback to local file
+ */
+function saveFeedback(feedback) {
+  ensureFeedbackDir();
+  
+  const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const filename = `feedback-${timestamp}.json`;
+  const filepath = path.join(FEEDBACK_DIR, filename);
+  
+  fs.writeFileSync(filepath, JSON.stringify(feedback, null, 2), 'utf-8');
+  
+  return filepath;
+}
+
+/**
+ * Get all feedback submissions
+ */
+function getAllFeedback() {
+  ensureFeedbackDir();
+  
+  const files = fs.readdirSync(FEEDBACK_DIR)
+    .filter(f => f.startsWith('feedback-') && f.endsWith('.json'))
+    .sort()
+    .reverse();
+  
+  return files.map(filename => {
+    const filepath = path.join(FEEDBACK_DIR, filename);
+    try {
+      return JSON.parse(fs.readFileSync(filepath, 'utf-8'));
+    } catch (error) {
+      return null;
+    }
+  }).filter(Boolean);
+}
+
+/**
+ * Get feedback count
+ */
+function getFeedbackCount() {
+  const feedback = getAllFeedback();
+  return feedback.length;
+}
+
+/**
+ * Clear all feedback (for testing)
+ */
+function clearFeedback() {
+  if (fs.existsSync(FEEDBACK_DIR)) {
+    const files = fs.readdirSync(FEEDBACK_DIR);
+    files.forEach(file => {
+      fs.unlinkSync(path.join(FEEDBACK_DIR, file));
+    });
+  }
+}
+
+module.exports = {
+  runFeedbackSession,
+  saveFeedback,
+  getAllFeedback,
+  getFeedbackCount,
+  clearFeedback,
+};