@rigour-labs/core 2.22.0 → 3.0.1

package/dist/gates/runner.js

@@ -17,6 +17,7 @@ import { DuplicationDriftGate } from './duplication-drift.js';
 import { HallucinatedImportsGate } from './hallucinated-imports.js';
 import { InconsistentErrorHandlingGate } from './inconsistent-error-handling.js';
 import { ContextWindowArtifactsGate } from './context-window-artifacts.js';
+import { PromiseSafetyGate } from './promise-safety.js';
 import { execa } from 'execa';
 import { Logger } from '../utils/logger.js';
 export class GateRunner {
@@ -73,6 +74,10 @@ export class GateRunner {
         if (this.config.gates.context_window_artifacts?.enabled !== false) {
             this.gates.push(new ContextWindowArtifactsGate(this.config.gates.context_window_artifacts));
         }
+        // v2.17+ Promise Safety Gate (async/promise AI failure modes)
+        if (this.config.gates.promise_safety?.enabled !== false) {
+            this.gates.push(new PromiseSafetyGate(this.config.gates.promise_safety));
+        }
         // Environment Alignment Gate (Should be prioritized)
         if (this.config.gates.environment?.enabled) {
             this.gates.unshift(new EnvironmentGate(this.config.gates));
@@ -114,6 +119,8 @@ export class GateRunner {
                     id: gate.id,
                     title: `Gate Error: ${gate.title}`,
                     details: error.message,
+                    severity: 'medium',
+                    provenance: 'traditional',
                     hint: 'There was an internal error running this gate. Check the logs.',
                 });
             }
@@ -137,6 +144,8 @@ export class GateRunner {
                         id: key,
                         title: `${key.toUpperCase()} Check Failed`,
                         details: error.stderr || error.stdout || error.message,
+                        severity: 'medium',
+                        provenance: 'traditional',
                         hint: `Fix the issues reported by \`${cmd}\`. Use rigorous standards (SOLID, DRY) in your resolution.`,
                     });
                 }
@@ -144,7 +153,6 @@ export class GateRunner {
         }
         const status = failures.length > 0 ? 'FAIL' : 'PASS';
         // Severity-weighted scoring: each failure deducts based on its severity
-        // critical=20, high=10, medium=5, low=2, info=0
         const severityBreakdown = {};
         let totalDeduction = 0;
         for (const f of failures) {
@@ -153,6 +161,23 @@ export class GateRunner {
             totalDeduction += SEVERITY_WEIGHTS[sev] ?? 5;
         }
         const score = Math.max(0, 100 - totalDeduction);
+        // Two-score system: separate AI health from structural quality
+        let aiDeduction = 0;
+        let aiCount = 0;
+        let structuralDeduction = 0;
+        let structuralCount = 0;
+        for (const f of failures) {
+            const sev = (f.severity || 'medium');
+            const weight = SEVERITY_WEIGHTS[sev] ?? 5;
+            if (f.provenance === 'ai-drift') {
+                aiDeduction += weight;
+                aiCount++;
+            }
+            else {
+                structuralDeduction += weight;
+                structuralCount++;
+            }
+        }
         return {
             status,
             summary,
@@ -160,7 +185,15 @@ export class GateRunner {
             stats: {
                 duration_ms: Date.now() - start,
                 score,
+                ai_health_score: Math.max(0, 100 - aiDeduction),
+                structural_score: Math.max(0, 100 - structuralDeduction),
                 severity_breakdown: severityBreakdown,
+                provenance_breakdown: {
+                    'ai-drift': aiCount,
+                    traditional: structuralCount - failures.filter(f => f.provenance === 'security' || f.provenance === 'governance').length,
+                    security: failures.filter(f => f.provenance === 'security').length,
+                    governance: failures.filter(f => f.provenance === 'governance').length,
+                },
             },
         };
     }

package/dist/gates/safety.d.ts

@@ -1,8 +1,9 @@
 import { Gate, GateContext } from './base.js';
-import { Failure, Gates } from '../types/index.js';
+import { Failure, Gates, Provenance } from '../types/index.js';
 export declare class FileGuardGate extends Gate {
     private config;
     constructor(config: Gates);
+    protected get provenance(): Provenance;
     run(context: GateContext): Promise<Failure[]>;
     private isProtected;
 }

package/dist/gates/safety.js

@@ -6,6 +6,7 @@ export class FileGuardGate extends Gate {
         super('file-guard', 'File Guard — Protected Paths');
         this.config = config;
     }
+    get provenance() { return 'governance'; }
     async run(context) {
         const failures = [];
         const safety = this.config.safety || {};
@@ -27,7 +28,7 @@ export class FileGuardGate extends Gate {
             for (const file of modifiedFiles) {
                 if (this.isProtected(file, protectedPaths)) {
                     const message = `Protected file '${file}' was modified.`;
-                    failures.push(this.createFailure(message, [file], `Agents are forbidden from modifying files in ${protectedPaths.join(', ')}.`, message));
+                    failures.push(this.createFailure(message, [file], `Agents are forbidden from modifying files in ${protectedPaths.join(', ')}.`, message, undefined, undefined, 'high'));
                 }
             }
         }

package/dist/gates/security-patterns-owasp.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/security-patterns-owasp.test.js

@@ -0,0 +1,171 @@
+/**
+ * Tests for OWASP-aligned security patterns added in v3.0.0.
+ * Covers: ReDoS, overly permissive code, unsafe output, missing input validation.
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { SecurityPatternsGate, checkSecurityPatterns } from './security-patterns.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+describe('SecurityPatternsGate — OWASP extended patterns', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'owasp-test-'));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    describe('ReDoS detection (OWASP #7)', () => {
+        it('should detect dynamic regex from user input', async () => {
+            const filePath = path.join(testDir, 'search.ts');
+            fs.writeFileSync(filePath, `
+                const pattern = new RegExp(req.query.search);
+                const matches = text.match(pattern);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'redos')).toBe(true);
+        });
+        it('should detect nested quantifiers', async () => {
+            const filePath = path.join(testDir, 'regex.ts');
+            fs.writeFileSync(filePath, `
+                const re = /(?:a+)+b/;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'redos')).toBe(true);
+        });
+        it('should allow safe regex patterns', async () => {
+            const filePath = path.join(testDir, 'safe-regex.ts');
+            fs.writeFileSync(filePath, `
+                const re = /^[a-z]+$/;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'redos')).toHaveLength(0);
+        });
+    });
+    describe('Overly Permissive Code (OWASP #9)', () => {
+        it('should detect CORS wildcard origin', async () => {
+            const filePath = path.join(testDir, 'server.ts');
+            fs.writeFileSync(filePath, `
+                import cors from 'cors';
+                app.use(cors({ origin: '*' }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect CORS origin true', async () => {
+            const filePath = path.join(testDir, 'server2.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: true }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect 0.0.0.0 binding', async () => {
+            const filePath = path.join(testDir, 'listen.ts');
+            fs.writeFileSync(filePath, `
+                app.listen(3000, '0.0.0.0');
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect chmod 777', async () => {
+            const filePath = path.join(testDir, 'perms.ts');
+            fs.writeFileSync(filePath, `
+                fs.chmod('/tmp/data', 0o777);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect wildcard CORS header', async () => {
+            const filePath = path.join(testDir, 'headers.ts');
+            fs.writeFileSync(filePath, `
+                res.setHeader('Access-Control-Allow-Origin', '*');
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should allow specific CORS origin', async () => {
+            const filePath = path.join(testDir, 'safe-cors.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: 'https://myapp.com' }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'overly_permissive')).toHaveLength(0);
+        });
+    });
+    describe('Unsafe Output Handling (OWASP #6)', () => {
+        it('should detect response reflecting user input', async () => {
+            const filePath = path.join(testDir, 'handler.ts');
+            fs.writeFileSync(filePath, `
+                app.get('/echo', (req, res) => {
+                    res.send(req.query.msg);
+                });
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'unsafe_output')).toBe(true);
+        });
+        it('should detect eval with user input', async () => {
+            const filePath = path.join(testDir, 'eval.ts');
+            fs.writeFileSync(filePath, `
+                eval(req.body.code);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'unsafe_output')).toBe(true);
+        });
+        it('should allow safe response patterns', async () => {
+            const filePath = path.join(testDir, 'safe-res.ts');
+            fs.writeFileSync(filePath, `
+                res.json({ status: 'ok', data: processedData });
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'unsafe_output')).toHaveLength(0);
+        });
+    });
+    describe('Missing Input Validation (OWASP #8)', () => {
+        it('should detect JSON.parse on raw body', async () => {
+            const filePath = path.join(testDir, 'parse.ts');
+            fs.writeFileSync(filePath, `
+                const data = JSON.parse(req.body);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'missing_input_validation')).toBe(true);
+        });
+        it('should detect "as any" type assertion', async () => {
+            const filePath = path.join(testDir, 'assert.ts');
+            fs.writeFileSync(filePath, `
+                const user = payload as any;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'missing_input_validation')).toBe(true);
+        });
+        it('should allow validated JSON parse', async () => {
+            const filePath = path.join(testDir, 'safe-parse.ts');
+            fs.writeFileSync(filePath, `
+                const data = JSON.parse(rawString);
+                const validated = schema.parse(data);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'missing_input_validation')).toHaveLength(0);
+        });
+    });
+    describe('config toggles for new patterns', () => {
+        it('should disable redos when configured', async () => {
+            const gate = new SecurityPatternsGate({ enabled: true, redos: false });
+            const filePath = path.join(testDir, 'regex.ts');
+            fs.writeFileSync(filePath, `
+                const pattern = new RegExp(req.query.search);
+            `);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures.filter(f => f.title?.includes('ReDoS') || f.title?.includes('regex'))).toHaveLength(0);
+        });
+        it('should disable overly_permissive when configured', async () => {
+            const gate = new SecurityPatternsGate({ enabled: true, overly_permissive: false });
+            const filePath = path.join(testDir, 'cors.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: '*' }));
+            `);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures.filter(f => f.title?.includes('CORS') || f.title?.includes('permissive'))).toHaveLength(0);
+        });
+    });
+});

package/dist/gates/security-patterns.d.ts

@@ -15,7 +15,7 @@
  * @since v2.14.0
  */
 import { Gate, GateContext } from './base.js';
-import { Failure } from '../types/index.js';
+import { Failure, Provenance } from '../types/index.js';
 export interface SecurityVulnerability {
     type: string;
     severity: 'critical' | 'high' | 'medium' | 'low';
@@ -33,12 +33,17 @@ export interface SecurityPatternsConfig {
     hardcoded_secrets?: boolean;
     insecure_randomness?: boolean;
     command_injection?: boolean;
+    redos?: boolean;
+    overly_permissive?: boolean;
+    unsafe_output?: boolean;
+    missing_input_validation?: boolean;
     block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
 }
 export declare class SecurityPatternsGate extends Gate {
     private config;
     private severityOrder;
     constructor(config?: SecurityPatternsConfig);
+    protected get provenance(): Provenance;
     run(context: GateContext): Promise<Failure[]>;
     private scanFileForVulnerabilities;
 }

package/dist/gates/security-patterns.js

@@ -131,6 +131,98 @@ const VULNERABILITY_PATTERNS = [
         cwe: 'CWE-78',
         languages: ['ts', 'js']
     },
+    // ReDoS — Denial of Service via regex (OWASP #7)
+    {
+        type: 'redos',
+        regex: /new RegExp\s*\([^)]*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Dynamic regex from user input — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'redos',
+        regex: /\(\?:[^)]*\+[^)]*\)\+|\([^)]*\*[^)]*\)\+|\(\.\*\)\{/g,
+        severity: 'medium',
+        description: 'Regex with nested quantifiers — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js', 'py']
+    },
+    // Overly Permissive Code (OWASP #9)
+    {
+        type: 'overly_permissive',
+        regex: /cors\s*\(\s*\{[^}]*origin\s*:\s*(?:true|['"`]\*['"`])/g,
+        severity: 'high',
+        description: 'CORS wildcard origin — allows any domain',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:listen|bind)\s*\(\s*(?:\d+\s*,\s*)?['"`]0\.0\.0\.0['"`]/g,
+        severity: 'medium',
+        description: 'Binding to 0.0.0.0 exposes service to all interfaces',
+        cwe: 'CWE-668',
+        languages: ['ts', 'js', 'py', 'go']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /chmod\s*\(\s*[^,]*,\s*['"`]?(?:0o?)?777['"`]?\s*\)/g,
+        severity: 'high',
+        description: 'chmod 777 — world-readable/writable permissions',
+        cwe: 'CWE-732',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:Access-Control-Allow-Origin|x-powered-by)['"`,\s:]+\*/gi,
+        severity: 'high',
+        description: 'Wildcard Access-Control-Allow-Origin header',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js', 'py']
+    },
+    // Unsafe Output Handling (OWASP #6)
+    {
+        type: 'unsafe_output',
+        regex: /res\.(?:send|write|end)\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Reflecting user input in response without sanitization',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /\$\{[^}]*(?:req\.|params|query|body|input|user)[^}]*\}.*(?:html|template|render)/gi,
+        severity: 'high',
+        description: 'User input interpolated into template/HTML output',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /eval\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'critical',
+        description: 'eval() with user input — code injection',
+        cwe: 'CWE-94',
+        languages: ['ts', 'js', 'py']
+    },
+    // Missing Input Validation (OWASP #8)
+    {
+        type: 'missing_input_validation',
+        regex: /JSON\.parse\s*\(\s*(?:req\.body|request\.body|body|data|input)\s*\)/g,
+        severity: 'medium',
+        description: 'JSON.parse on raw input without schema validation',
+        cwe: 'CWE-20',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'missing_input_validation',
+        regex: /(?:as\s+any|:\s*any)\s*(?:[;,)\]}])/g,
+        severity: 'medium',
+        description: 'Type assertion to "any" bypasses type safety',
+        cwe: 'CWE-20',
+        languages: ['ts']
+    },
 ];
 export class SecurityPatternsGate extends Gate {
     config;
@@ -145,9 +237,14 @@ export class SecurityPatternsGate extends Gate {
             hardcoded_secrets: config.hardcoded_secrets ?? true,
             insecure_randomness: config.insecure_randomness ?? true,
             command_injection: config.command_injection ?? true,
+            redos: config.redos ?? true,
+            overly_permissive: config.overly_permissive ?? true,
+            unsafe_output: config.unsafe_output ?? true,
+            missing_input_validation: config.missing_input_validation ?? true,
             block_on_severity: config.block_on_severity ?? 'high',
         };
     }
+    get provenance() { return 'security'; }
     async run(context) {
         if (!this.config.enabled) {
             return [];
@@ -177,6 +274,10 @@ export class SecurityPatternsGate extends Gate {
                 case 'hardcoded_secrets': return this.config.hardcoded_secrets;
                 case 'insecure_randomness': return this.config.insecure_randomness;
                 case 'command_injection': return this.config.command_injection;
+                case 'redos': return this.config.redos;
+                case 'overly_permissive': return this.config.overly_permissive;
+                case 'unsafe_output': return this.config.unsafe_output;
+                case 'missing_input_validation': return this.config.missing_input_validation;
                 default: return true;
             }
         });

package/dist/gates/structure.js

@@ -17,7 +17,7 @@ export class StructureGate extends Gate {
         }
         if (missing.length > 0) {
             return [
-                this.createFailure('The following required files are missing:', missing, 'Create these files to maintain project documentation and consistency.'),
+                this.createFailure('The following required files are missing:', missing, 'Create these files to maintain project documentation and consistency.', undefined, undefined, undefined, 'low'),
             ];
         }
         return [];

package/dist/hooks/checker.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Lightweight per-file checker for hook integration.
+ *
+ * Runs a fast subset of Rigour gates on individual files,
+ * designed to complete in <200ms for real-time hook feedback.
+ *
+ * Used by all tool-specific hooks (Claude, Cursor, Cline, Windsurf).
+ *
+ * @since v3.0.0
+ */
+import type { HookCheckerResult } from './types.js';
+interface CheckerOptions {
+    cwd: string;
+    files: string[];
+    timeout_ms?: number;
+    block_on_failure?: boolean;
+}
+/**
+ * Run fast gates on a set of files.
+ * Returns structured JSON for hook consumers.
+ */
+export declare function runHookChecker(options: CheckerOptions): Promise<HookCheckerResult>;
+export {};