@poolzin/pool-bot 2026.3.7 → 2026.3.9

package/dist/skills/security.js

@@ -0,0 +1,318 @@
+/**
+ * Skill security scanner
+ * Detects potential security issues in skill files
+ *
+ * @module skills/security
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+const SCANNER_VERSION = "1.0.0";
+// Patterns that indicate potential security issues
+const PATTERNS = [
+    // Prompt injection attempts
+    {
+        type: "prompt_injection",
+        severity: "critical",
+        pattern: /ignore\s+(?:previous|above|prior)|disregard\s+(?:instructions?|prompt)|system\s*:\s*you\s+are|new\s+instructions?\s*:/i,
+        description: "Potential prompt injection attempt detected",
+        remediation: "Review skill content for malicious instruction overrides",
+    },
+    {
+        type: "prompt_injection",
+        severity: "high",
+        pattern: /\[\s*system\s*\]|\(\s*system\s*\)|\{\s*system\s*\}|\bDAN\b|do\s+anything\s+now/i,
+        description: "Suspicious system role reference",
+        remediation: "Verify skill doesn't attempt to override system behavior",
+    },
+    // Command injection
+    {
+        type: "command_injection",
+        severity: "critical",
+        pattern: /(?:bash|sh|zsh|cmd|powershell)\s+-c\s+["']|exec\s*\(|eval\s*\(|system\s*\(/i,
+        description: "Potential command injection pattern",
+        remediation: "Avoid executing arbitrary shell commands from skill content",
+    },
+    {
+        type: "command_injection",
+        severity: "high",
+        pattern: /`[^`]*(?:rm|del|format|mkfs|dd|wget|curl|fetch)[^`]*`|\$\([^)]*(?:rm|del|wget|curl)[^)]*\)/i,
+        description: "Dangerous command in template literal",
+        remediation: "Review shell command usage for safety",
+    },
+    // Path traversal
+    {
+        type: "path_traversal",
+        severity: "high",
+        pattern: /\.\.[/\\]|\.\.%2f|\.\.%5c|%2e%2e[/\\]/i,
+        description: "Path traversal attempt detected",
+        remediation: "Validate and sanitize all file paths",
+    },
+    // Suspicious patterns
+    {
+        type: "suspicious_pattern",
+        severity: "medium",
+        pattern: /(?:password|secret|token|key|credential)\s*=\s*["'][^"']{8,}["']/i,
+        description: "Hardcoded credential-like pattern",
+        remediation: "Use environment variables or secure secret storage",
+    },
+    {
+        type: "suspicious_pattern",
+        severity: "medium",
+        pattern: /base64\s*\(\s*["'][^"']{20,}["']\s*\)|atob\s*\(|btoa\s*\(/i,
+        description: "Suspicious encoding/decoding pattern",
+        remediation: "Verify encoding is not used to obfuscate malicious content",
+    },
+    // External dependencies
+    {
+        type: "external_dependency",
+        severity: "low",
+        pattern: /(?:npm|pip|gem|cargo|go\s+get)\s+install/i,
+        description: "External package installation mentioned",
+        remediation: "Verify all external dependencies are trustworthy",
+    },
+    // Permission requests
+    {
+        type: "permission_request",
+        severity: "medium",
+        pattern: /(?:sudo|administrator|root|elevated|privileged)\s*(?:access|permission|required|needed)/i,
+        description: "Elevated permissions mentioned",
+        remediation: "Ensure elevated permissions are truly necessary",
+    },
+    // Network access
+    {
+        type: "network_access",
+        severity: "low",
+        pattern: /(?:http|https|ftp|ssh|telnet):\/\/|(?:fetch|axios|request|curl)\s*\(/i,
+        description: "Network access pattern detected",
+        remediation: "Verify all network requests are legitimate",
+    },
+    // File system access
+    {
+        type: "file_system_access",
+        severity: "low",
+        pattern: /(?:fs\.|file|readFile|writeFile|appendFile|unlink|mkdir|rmdir)\s*\(/i,
+        description: "File system access pattern detected",
+        remediation: "Validate file operations are scoped appropriately",
+    },
+];
+// Content limits
+const MAX_CONTENT_LENGTH = 1024 * 1024; // 1MB
+const MAX_LINE_LENGTH = 1000;
+// ============================================================================
+// Scanner Implementation
+// ============================================================================
+/**
+ * Scan skill content for security issues
+ */
+export async function scanSkill(skill) {
+    const startTime = Date.now();
+    const findings = [];
+    // Combine all content for scanning
+    const contentToScan = [
+        skill.metadata.name,
+        skill.metadata.description,
+        skill.content.usage,
+        skill.content.quickstart,
+        skill.content.configuration,
+        skill.content.environment,
+        skill.content.examples,
+        skill.content.api,
+        skill.content.troubleshooting,
+    ]
+        .filter(Boolean)
+        .join("\n\n");
+    // Check content size
+    if (contentToScan.length > MAX_CONTENT_LENGTH) {
+        findings.push({
+            type: "suspicious_pattern",
+            severity: "medium",
+            description: `Skill content exceeds maximum size (${contentToScan.length} > ${MAX_CONTENT_LENGTH})`,
+            location: "content",
+            remediation: "Consider splitting large skills into smaller modules",
+        });
+    }
+    // Scan line by line for better location reporting
+    const lines = contentToScan.split("\n");
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        // Check line length
+        if (line.length > MAX_LINE_LENGTH) {
+            findings.push({
+                type: "suspicious_pattern",
+                severity: "low",
+                description: `Line ${lineNum + 1} exceeds maximum length`,
+                location: `line:${lineNum + 1}`,
+                remediation: "Break long lines for readability and safety",
+            });
+        }
+        // Check against patterns
+        for (const { type, severity, pattern, description, remediation, } of PATTERNS) {
+            if (pattern.test(line)) {
+                findings.push({
+                    type,
+                    severity,
+                    description,
+                    location: `line:${lineNum + 1}`,
+                    remediation,
+                    evidence: line.trim().slice(0, 100), // First 100 chars
+                });
+            }
+        }
+    }
+    // Check linked files
+    for (const linkedFile of skill.linkedFiles) {
+        // Flag executable files
+        if (/\.(exe|bat|cmd|sh|bin|app)$/i.test(linkedFile.path)) {
+            findings.push({
+                type: "suspicious_pattern",
+                severity: "high",
+                description: `Linked executable file detected: ${linkedFile.path}`,
+                location: `linked:${linkedFile.path}`,
+                remediation: "Review executable content before execution",
+            });
+        }
+        // Flag scripts
+        if (/\.(js|ts|py|rb|pl|php)$/i.test(linkedFile.path)) {
+            findings.push({
+                type: "external_dependency",
+                severity: "low",
+                description: `Linked script file: ${linkedFile.path}`,
+                location: `linked:${linkedFile.path}`,
+                remediation: "Review script content for safety",
+            });
+        }
+    }
+    // Determine overall result
+    const hasCritical = findings.some((f) => f.severity === "critical");
+    const hasHigh = findings.some((f) => f.severity === "high");
+    const hasWarnings = findings.some((f) => f.severity === "medium" || f.severity === "low");
+    let result;
+    if (hasCritical) {
+        result = "failed";
+    }
+    else if (hasHigh) {
+        result = "failed";
+    }
+    else if (hasWarnings) {
+        result = "warning";
+    }
+    else {
+        result = "verified";
+    }
+    const durationMs = Date.now() - startTime;
+    return {
+        scannedAt: new Date(),
+        result,
+        findings,
+        durationMs,
+        scannerVersion: SCANNER_VERSION,
+    };
+}
+/**
+ * Quick scan for critical issues only
+ */
+export async function quickSecurityCheck(skill) {
+    const criticalPatterns = PATTERNS.filter((p) => p.severity === "critical" || p.severity === "high");
+    const contentToScan = [
+        skill.metadata.name,
+        skill.metadata.description,
+        skill.content.usage,
+        skill.content.quickstart,
+    ]
+        .filter(Boolean)
+        .join("\n");
+    for (const { pattern } of criticalPatterns) {
+        if (pattern.test(contentToScan)) {
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * Get security summary for display
+ */
+export function getSecuritySummary(report) {
+    const counts = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0,
+    };
+    for (const finding of report.findings) {
+        counts[finding.severity]++;
+    }
+    let status;
+    let color;
+    let summary;
+    switch (report.result) {
+        case "verified":
+            status = "✓ Verified";
+            color = "green";
+            summary = "No security issues found";
+            break;
+        case "warning":
+            status = "⚠ Warning";
+            color = "yellow";
+            summary = `${counts.medium + counts.low} warning(s) found`;
+            break;
+        case "failed":
+            status = "✗ Failed";
+            color = "red";
+            summary = `${counts.critical + counts.high} critical issue(s) found`;
+            break;
+        default:
+            status = "? Unverified";
+            color = "gray";
+            summary = "Not yet scanned";
+    }
+    return { status, color, summary, counts };
+}
+/**
+ * Format security findings for display
+ */
+export function formatFindings(findings) {
+    if (findings.length === 0) {
+        return ["No security issues found."];
+    }
+    const lines = [];
+    // Group by severity
+    const bySeverity = {
+        critical: [],
+        high: [],
+        medium: [],
+        low: [],
+        info: [],
+    };
+    for (const finding of findings) {
+        bySeverity[finding.severity].push(finding);
+    }
+    for (const severity of [
+        "critical",
+        "high",
+        "medium",
+        "low",
+        "info",
+    ]) {
+        const group = bySeverity[severity];
+        if (group.length === 0)
+            continue;
+        lines.push(`\n${severity.toUpperCase()} (${group.length}):`);
+        for (const finding of group) {
+            lines.push(`  [${finding.type}] ${finding.description}`);
+            lines.push(`    Location: ${finding.location}`);
+            if (finding.evidence) {
+                lines.push(`    Evidence: ${finding.evidence}`);
+            }
+            if (finding.remediation) {
+                lines.push(`    Fix: ${finding.remediation}`);
+            }
+        }
+    }
+    return lines;
+}
+// ============================================================================
+// Export patterns for testing
+// ============================================================================
+export { PATTERNS };

package/dist/skills/types.js

@@ -0,0 +1,21 @@
+/**
+ * Skill types and interfaces for PoolBot Skills System
+ * Compatible with agentskills.io ecosystem
+ *
+ * @module skills/types
+ */
+/**
+ * Skill system error
+ */
+export class SkillError extends Error {
+    code;
+    skillId;
+    cause;
+    constructor(code, message, skillId, cause) {
+        super(message);
+        this.code = code;
+        this.skillId = skillId;
+        this.cause = cause;
+        this.name = "SkillError";
+    }
+}

package/dist/test-utils/index.js

@@ -0,0 +1,219 @@
+/**
+ * Test Utilities for PoolBot
+ *
+ * Shared testing helpers and fixtures for consistent testing.
+ */
+import { afterEach } from "vitest";
+/**
+ * Frozen time utility for deterministic time-based tests
+ */
+export class FrozenTime {
+    originalDateNow;
+    currentTime;
+    constructor(startTime = 1700000000000) {
+        this.originalDateNow = Date.now;
+        this.currentTime = startTime;
+    }
+    /**
+     * Freeze time at a specific timestamp
+     */
+    freeze(timestamp) {
+        if (timestamp !== undefined) {
+            this.currentTime = timestamp;
+        }
+        Date.now = () => this.currentTime;
+    }
+    /**
+     * Advance time by milliseconds
+     */
+    advance(ms) {
+        this.currentTime += ms;
+    }
+    /**
+     * Get current frozen time
+     */
+    now() {
+        return this.currentTime;
+    }
+    /**
+     * Restore original Date.now
+     */
+    restore() {
+        Date.now = this.originalDateNow;
+    }
+    /**
+     * Create ISO timestamp from current frozen time
+     */
+    toISOString() {
+        return new Date(this.currentTime).toISOString();
+    }
+}
+/**
+ * Create a test fixture with isolated state
+ */
+export function createFixture(factory, options = {}) {
+    let instance = null;
+    const get = () => {
+        if (!instance) {
+            instance = factory();
+        }
+        return instance;
+    };
+    const reset = () => {
+        instance = null;
+    };
+    if (options.autoCleanup !== false) {
+        afterEach(reset);
+    }
+    return { get, reset };
+}
+/**
+ * Type-safe test case builder
+ */
+export function typedCases(cases) {
+    return cases;
+}
+/**
+ * Temporary directory helper
+ */
+export class TempDir {
+    dirs = [];
+    /**
+     * Create a temporary directory
+     */
+    create(prefix = "poolbot-test-") {
+        const dir = `${prefix}${Date.now()}-${Math.random().toString(36).slice(2)}`;
+        this.dirs.push(dir);
+        return dir;
+    }
+    /**
+     * Clean up all created directories
+     */
+    cleanup() {
+        this.dirs = [];
+    }
+}
+/**
+ * Mock utilities for common dependencies
+ */
+export class MockFactory {
+    /**
+     * Create a mock function with tracking
+     */
+    static fn(implementation) {
+        const calls = [];
+        const mockFn = ((...args) => {
+            const result = implementation ? implementation(...args) : undefined;
+            calls.push({ args, result });
+            return result;
+        });
+        mockFn.calls = calls;
+        mockFn.mockClear = () => {
+            calls.length = 0;
+        };
+        return mockFn;
+    }
+    /**
+     * Create a mock logger
+     */
+    static logger() {
+        return {
+            info: MockFactory.fn(),
+            warn: MockFactory.fn(),
+            error: MockFactory.fn(),
+            debug: MockFactory.fn(),
+            logs: [],
+        };
+    }
+}
+/**
+ * Assertion helpers
+ */
+export class Assert {
+    /**
+     * Assert that a promise resolves within a timeout
+     */
+    static async resolvesWithin(promise, timeoutMs, message) {
+        const timeout = new Promise((_, reject) => {
+            setTimeout(() => reject(new Error(message ?? `Promise did not resolve within ${timeoutMs}ms`)), timeoutMs);
+        });
+        return Promise.race([promise, timeout]);
+    }
+    /**
+     * Assert that an error is thrown
+     */
+    static async throws(fn, expectedMessage) {
+        try {
+            await fn();
+            throw new Error("Expected function to throw but it did not");
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                if (expectedMessage) {
+                    if (expectedMessage instanceof RegExp) {
+                        if (!expectedMessage.test(error.message)) {
+                            throw new Error(`Expected error message to match ${expectedMessage}, got: ${error.message}`);
+                        }
+                    }
+                    else if (!error.message.includes(expectedMessage)) {
+                        throw new Error(`Expected error message to include "${expectedMessage}", got: ${error.message}`);
+                    }
+                }
+                return error;
+            }
+            throw error;
+        }
+    }
+}
+/**
+ * Data generators for tests
+ */
+export class Generators {
+    /**
+     * Generate a UUID v4
+     */
+    static uuid() {
+        return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
+            const r = (Math.random() * 16) | 0;
+            const v = c === "x" ? r : (r & 0x3) | 0x8;
+            return v.toString(16);
+        });
+    }
+    /**
+     * Generate a random session ID
+     */
+    static sessionId() {
+        return `session-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;
+    }
+    /**
+     * Generate a timestamp with optional offset
+     */
+    static timestamp(offsetMs = 0) {
+        return Date.now() + offsetMs;
+    }
+    /**
+     * Generate random text of specified length
+     */
+    static text(length = 100) {
+        const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ";
+        let result = "";
+        for (let i = 0; i < length; i++) {
+            result += chars.charAt(Math.floor(Math.random() * chars.length));
+        }
+        return result;
+    }
+}
+/**
+ * Setup helper for common test patterns
+ */
+export function setupTestEnvironment() {
+    const frozenTime = new FrozenTime();
+    const tempDir = new TempDir();
+    frozenTime.freeze();
+    const cleanup = () => {
+        frozenTime.restore();
+        tempDir.cleanup();
+    };
+    afterEach(cleanup);
+    return { frozenTime, tempDir, cleanup };
+}