@poolzin/pool-bot 2026.3.17 → 2026.3.18

package/dist/security/audit-findings.js

@@ -0,0 +1,165 @@
+/**
+ * Security Audit Findings Collection
+ *
+ * Collects security findings from various audit checks
+ */
+export async function collectSecurityAuditFindings(options) {
+    const findings = [];
+    // Config security checks
+    findings.push(...checkConfigSecurity(options.config));
+    // Gateway security checks
+    findings.push(...checkGatewaySecurity(options.config));
+    // Channel security checks (DM policies, allowlists)
+    if (options.includeChannelSecurity) {
+        findings.push(...checkChannelSecurity(options.config));
+    }
+    // Model security checks
+    findings.push(...checkModelSecurity(options.config));
+    // Filesystem checks (if enabled)
+    if (options.includeFilesystem) {
+        findings.push(...checkFilesystemSecurity(options));
+    }
+    return findings;
+}
+/**
+ * Check configuration file security
+ */
+function checkConfigSecurity(config) {
+    const findings = [];
+    // Check for secrets in config
+    const configStr = JSON.stringify(config);
+    const secretPatterns = [
+        { pattern: /sk-[a-zA-Z0-9]{32,}/g, name: "API Key" },
+        { pattern: /Bearer [a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+/g, name: "JWT Token" },
+        { pattern: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Token" },
+    ];
+    for (const { pattern, name } of secretPatterns) {
+        if (pattern.test(configStr)) {
+            findings.push({
+                checkId: "CFG-001",
+                severity: "critical",
+                title: `${name} found in configuration`,
+                detail: `Potential ${name} detected in config file. Secrets should be stored in environment variables or secrets manager.`,
+                remediation: "Move secrets to environment variables or use a secrets manager",
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Check gateway security configuration
+ */
+function checkGatewaySecurity(config) {
+    const findings = [];
+    const gateway = config.gateway;
+    if (!gateway)
+        return findings;
+    // Check for loopback binding
+    const host = gateway.host ?? "127.0.0.1";
+    if (host === "0.0.0.0" || host === "::") {
+        findings.push({
+            checkId: "GTW-001",
+            severity: "warn",
+            title: "Gateway bound to all interfaces",
+            detail: `Gateway is bound to ${host}, making it accessible from any network interface.`,
+            remediation: "Bind gateway to 127.0.0.1 or use a firewall to restrict access",
+        });
+    }
+    return findings;
+}
+/**
+ * Check channel security (DM policies, allowlists)
+ */
+function checkChannelSecurity(config) {
+    const findings = [];
+    const channels = config.channels;
+    if (!channels)
+        return findings;
+    // Check Telegram DM policy
+    const telegram = channels.telegram;
+    if (telegram && telegram.dmPolicy === "open") {
+        findings.push({
+            checkId: "CHN-001",
+            severity: "warn",
+            title: "Telegram DM policy is 'open'",
+            detail: "Telegram allows messages from any user without pairing. This may expose the bot to spam or abuse.",
+            remediation: "Set 'channels.telegram.dmPolicy' to 'pairing' for unknown senders",
+        });
+    }
+    // Check Discord DM policy
+    const discord = channels.discord;
+    if (discord && discord.dmPolicy === "open") {
+        findings.push({
+            checkId: "CHN-002",
+            severity: "warn",
+            title: "Discord DM policy is 'open'",
+            detail: "Discord allows DMs from any user without pairing.",
+            remediation: "Set 'channels.discord.dmPolicy' to 'pairing' for unknown senders",
+        });
+    }
+    // Check for overly permissive allowFrom
+    const checkAllowFrom = (channelName, allowFrom) => {
+        if (allowFrom?.includes("*") || allowFrom?.includes("*")) {
+            findings.push({
+                checkId: "CHN-003",
+                severity: "warn",
+                title: `${channelName} allows messages from anyone`,
+                detail: `The ${channelName} channel has '*' in allowFrom, allowing messages from any user.`,
+                remediation: `Remove '*' from allowFrom and specify allowed users`,
+            });
+        }
+    };
+    if (telegram?.allowFrom)
+        checkAllowFrom("Telegram", telegram.allowFrom);
+    if (discord?.allowFrom)
+        checkAllowFrom("Discord", discord.allowFrom);
+    return findings;
+}
+/**
+ * Check model security configuration
+ */
+function checkModelSecurity(config) {
+    const findings = [];
+    const models = config.models;
+    if (!models)
+        return findings;
+    // Check for model without fallback
+    const modelsRecord = models;
+    if (!modelsRecord.fallbacks || modelsRecord.fallbacks.length === 0) {
+        findings.push({
+            checkId: "MDL-001",
+            severity: "info",
+            title: "No model fallback configured",
+            detail: "No fallback models configured. If primary model fails, requests will fail.",
+            remediation: "Add fallback models in 'models.fallbacks'",
+        });
+    }
+    return findings;
+}
+/**
+ * Check filesystem security (deep audit)
+ */
+function checkFilesystemSecurity(options) {
+    const findings = [];
+    // Check state directory permissions (Unix only)
+    if (options.platform !== "win32") {
+        findings.push({
+            checkId: "FS-001",
+            severity: "info",
+            title: "Filesystem audit check",
+            detail: `State directory: ${options.stateDir}`,
+            remediation: "Ensure state directory has restrictive permissions (chmod 700)",
+        });
+    }
+    // Check for world-readable config
+    if (options.includeFilesystem) {
+        findings.push({
+            checkId: "FS-002",
+            severity: "info",
+            title: "Config file accessibility check",
+            detail: `Config file: ${options.configPath}`,
+            remediation: "Ensure config file has restrictive permissions (chmod 600)",
+        });
+    }
+    return findings;
+}