@sparkleideas/security 3.0.0-alpha.10

package/src/domain/entities/security-context.ts

@@ -0,0 +1,173 @@
+/**
+ * Security Context Entity - Domain Layer
+ *
+ * Represents security context for operations with validation and policy enforcement.
+ *
+ * @module v3/security/domain/entities
+ */
+
+import { randomUUID } from 'crypto';
+
+/**
+ * Permission levels
+ */
+export type PermissionLevel = 'read' | 'write' | 'execute' | 'admin';
+
+/**
+ * Security context properties
+ */
+export interface SecurityContextProps {
+  id?: string;
+  principalId: string;
+  principalType: 'agent' | 'user' | 'system';
+  permissions: PermissionLevel[];
+  allowedPaths?: string[];
+  blockedPaths?: string[];
+  allowedCommands?: string[];
+  blockedCommands?: string[];
+  metadata?: Record<string, unknown>;
+  expiresAt?: Date;
+  createdAt?: Date;
+}
+
+/**
+ * Security Context - Entity
+ */
+export class SecurityContext {
+  private _id: string;
+  private _principalId: string;
+  private _principalType: 'agent' | 'user' | 'system';
+  private _permissions: Set<PermissionLevel>;
+  private _allowedPaths: Set<string>;
+  private _blockedPaths: Set<string>;
+  private _allowedCommands: Set<string>;
+  private _blockedCommands: Set<string>;
+  private _metadata: Record<string, unknown>;
+  private _expiresAt?: Date;
+  private _createdAt: Date;
+
+  private constructor(props: SecurityContextProps) {
+    this._id = props.id ?? randomUUID();
+    this._principalId = props.principalId;
+    this._principalType = props.principalType;
+    this._permissions = new Set(props.permissions);
+    this._allowedPaths = new Set(props.allowedPaths ?? []);
+    this._blockedPaths = new Set(props.blockedPaths ?? []);
+    this._allowedCommands = new Set(props.allowedCommands ?? []);
+    this._blockedCommands = new Set(props.blockedCommands ?? []);
+    this._metadata = props.metadata ?? {};
+    this._expiresAt = props.expiresAt;
+    this._createdAt = props.createdAt ?? new Date();
+  }
+
+  static create(props: SecurityContextProps): SecurityContext {
+    return new SecurityContext(props);
+  }
+
+  static fromPersistence(props: SecurityContextProps): SecurityContext {
+    return new SecurityContext(props);
+  }
+
+  get id(): string { return this._id; }
+  get principalId(): string { return this._principalId; }
+  get principalType(): string { return this._principalType; }
+  get permissions(): PermissionLevel[] { return Array.from(this._permissions); }
+  get allowedPaths(): string[] { return Array.from(this._allowedPaths); }
+  get blockedPaths(): string[] { return Array.from(this._blockedPaths); }
+  get allowedCommands(): string[] { return Array.from(this._allowedCommands); }
+  get blockedCommands(): string[] { return Array.from(this._blockedCommands); }
+  get metadata(): Record<string, unknown> { return { ...this._metadata }; }
+  get expiresAt(): Date | undefined { return this._expiresAt; }
+  get createdAt(): Date { return new Date(this._createdAt); }
+
+  // Business Logic
+
+  hasPermission(level: PermissionLevel): boolean {
+    return this._permissions.has(level) || this._permissions.has('admin');
+  }
+
+  isExpired(): boolean {
+    if (!this._expiresAt) return false;
+    return Date.now() > this._expiresAt.getTime();
+  }
+
+  canAccessPath(path: string): boolean {
+    if (this.isExpired()) return false;
+
+    // Check blocked paths first
+    for (const blocked of this._blockedPaths) {
+      if (path.startsWith(blocked) || this.matchGlob(path, blocked)) {
+        return false;
+      }
+    }
+
+    // If no allowed paths specified, allow all non-blocked
+    if (this._allowedPaths.size === 0) return true;
+
+    // Check allowed paths
+    for (const allowed of this._allowedPaths) {
+      if (path.startsWith(allowed) || this.matchGlob(path, allowed)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  canExecuteCommand(command: string): boolean {
+    if (this.isExpired()) return false;
+
+    const cmdBase = command.split(' ')[0];
+
+    // Check blocked commands first
+    if (this._blockedCommands.has(cmdBase) || this._blockedCommands.has(command)) {
+      return false;
+    }
+
+    // If no allowed commands specified, allow all non-blocked
+    if (this._allowedCommands.size === 0) return true;
+
+    // Check allowed commands
+    return this._allowedCommands.has(cmdBase) || this._allowedCommands.has(command);
+  }
+
+  private matchGlob(path: string, pattern: string): boolean {
+    const regex = pattern
+      .replace(/\*\*/g, '.*')
+      .replace(/\*/g, '[^/]*')
+      .replace(/\?/g, '.');
+    return new RegExp(`^${regex}$`).test(path);
+  }
+
+  grantPermission(level: PermissionLevel): void {
+    this._permissions.add(level);
+  }
+
+  revokePermission(level: PermissionLevel): void {
+    this._permissions.delete(level);
+  }
+
+  addAllowedPath(path: string): void {
+    this._allowedPaths.add(path);
+  }
+
+  addBlockedPath(path: string): void {
+    this._blockedPaths.add(path);
+  }
+
+  toPersistence(): Record<string, unknown> {
+    return {
+      id: this._id,
+      principalId: this._principalId,
+      principalType: this._principalType,
+      permissions: Array.from(this._permissions),
+      allowedPaths: Array.from(this._allowedPaths),
+      blockedPaths: Array.from(this._blockedPaths),
+      allowedCommands: Array.from(this._allowedCommands),
+      blockedCommands: Array.from(this._blockedCommands),
+      metadata: this._metadata,
+      expiresAt: this._expiresAt?.toISOString(),
+      createdAt: this._createdAt.toISOString(),
+    };
+  }
+}

package/src/domain/index.ts

@@ -0,0 +1,17 @@
+/**
+ * Security Domain Layer - Public Exports
+ *
+ * @module v3/security/domain
+ */
+
+export {
+  SecurityContext,
+  type PermissionLevel,
+  type SecurityContextProps,
+} from './entities/security-context.js';
+
+export {
+  SecurityDomainService,
+  type ValidationResult,
+  type ThreatDetectionResult,
+} from './services/security-domain-service.js';

package/src/domain/services/security-domain-service.ts

@@ -0,0 +1,296 @@
+/**
+ * Security Domain Service - Domain Layer
+ *
+ * Contains security logic for validation, policy enforcement, and threat detection.
+ *
+ * @module v3/security/domain/services
+ */
+
+import { SecurityContext, PermissionLevel } from '../entities/security-context.js';
+
+/**
+ * Validation result
+ */
+export interface ValidationResult {
+  valid: boolean;
+  errors: string[];
+  warnings: string[];
+  sanitized?: string;
+}
+
+/**
+ * Threat detection result
+ */
+export interface ThreatDetectionResult {
+  safe: boolean;
+  threats: Array<{
+    type: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    description: string;
+    location?: string;
+  }>;
+}
+
+/**
+ * Security Domain Service
+ */
+export class SecurityDomainService {
+  // Dangerous patterns for path traversal
+  private static readonly PATH_TRAVERSAL_PATTERNS = [
+    /\.\./,
+    /~\//,
+    /^\/etc\//,
+    /^\/tmp\//,
+    /^\/var\/log\//,
+    /^C:\\Windows/i,
+    /^C:\\Users\\[^\\]+\\AppData/i,
+  ];
+
+  // Dangerous command patterns
+  private static readonly DANGEROUS_COMMANDS = [
+    /^rm\s+-rf\s+\//,
+    /^rm\s+-rf\s+\*/,
+    /^dd\s+if=/,
+    /^mkfs\./,
+    /^format\s+/i,
+    /^del\s+\/s\s+\/q/i,
+    />\s*\/dev\/sd[a-z]/,
+    /\|\s*bash$/,
+    /\|\s*sh$/,
+    /eval\s*\(/,
+    /exec\s*\(/,
+  ];
+
+  // SQL injection patterns
+  private static readonly SQL_INJECTION_PATTERNS = [
+    /'\s*OR\s+'1'\s*=\s*'1/i,
+    /'\s*OR\s+1\s*=\s*1/i,
+    /;\s*DROP\s+TABLE/i,
+    /;\s*DELETE\s+FROM/i,
+    /UNION\s+SELECT/i,
+    /--\s*$/,
+  ];
+
+  // XSS patterns
+  private static readonly XSS_PATTERNS = [
+    /<script[\s>]/i,
+    /javascript:/i,
+    /on\w+\s*=/i,
+    /<iframe/i,
+    /<object/i,
+    /<embed/i,
+  ];
+
+  /**
+   * Validate a file path
+   */
+  validatePath(path: string, context: SecurityContext): ValidationResult {
+    const errors: string[] = [];
+    const warnings: string[] = [];
+
+    // Check path traversal
+    for (const pattern of SecurityDomainService.PATH_TRAVERSAL_PATTERNS) {
+      if (pattern.test(path)) {
+        errors.push(`Path traversal detected: ${pattern.source}`);
+      }
+    }
+
+    // Check context permissions
+    if (!context.canAccessPath(path)) {
+      errors.push(`Access denied to path: ${path}`);
+    }
+
+    // Check for suspicious paths
+    if (path.includes('..')) {
+      warnings.push('Path contains parent directory reference');
+    }
+
+    return {
+      valid: errors.length === 0,
+      errors,
+      warnings,
+      sanitized: this.sanitizePath(path),
+    };
+  }
+
+  /**
+   * Validate a command
+   */
+  validateCommand(command: string, context: SecurityContext): ValidationResult {
+    const errors: string[] = [];
+    const warnings: string[] = [];
+
+    // Check dangerous commands
+    for (const pattern of SecurityDomainService.DANGEROUS_COMMANDS) {
+      if (pattern.test(command)) {
+        errors.push(`Dangerous command pattern detected: ${pattern.source}`);
+      }
+    }
+
+    // Check context permissions
+    if (!context.canExecuteCommand(command)) {
+      errors.push(`Command execution denied: ${command}`);
+    }
+
+    if (!context.hasPermission('execute')) {
+      errors.push('Execute permission required');
+    }
+
+    // Check for shell injection
+    if (/[;&|`$(){}]/.test(command)) {
+      warnings.push('Command contains shell metacharacters');
+    }
+
+    return {
+      valid: errors.length === 0,
+      errors,
+      warnings,
+      sanitized: this.sanitizeCommand(command),
+    };
+  }
+
+  /**
+   * Validate user input
+   */
+  validateInput(input: string): ValidationResult {
+    const errors: string[] = [];
+    const warnings: string[] = [];
+
+    // Check for SQL injection
+    for (const pattern of SecurityDomainService.SQL_INJECTION_PATTERNS) {
+      if (pattern.test(input)) {
+        errors.push(`SQL injection pattern detected`);
+        break;
+      }
+    }
+
+    // Check for XSS
+    for (const pattern of SecurityDomainService.XSS_PATTERNS) {
+      if (pattern.test(input)) {
+        errors.push(`XSS pattern detected`);
+        break;
+      }
+    }
+
+    // Check length
+    if (input.length > 10000) {
+      warnings.push('Input exceeds recommended length');
+    }
+
+    return {
+      valid: errors.length === 0,
+      errors,
+      warnings,
+      sanitized: this.sanitizeInput(input),
+    };
+  }
+
+  /**
+   * Detect threats in content
+   */
+  detectThreats(content: string): ThreatDetectionResult {
+    const threats: ThreatDetectionResult['threats'] = [];
+
+    // Check for various threat patterns
+    if (/<script/i.test(content)) {
+      threats.push({
+        type: 'xss',
+        severity: 'high',
+        description: 'Script tag detected',
+      });
+    }
+
+    if (/password\s*[:=]\s*["'][^"']+["']/i.test(content)) {
+      threats.push({
+        type: 'credential-exposure',
+        severity: 'critical',
+        description: 'Hardcoded password detected',
+      });
+    }
+
+    if (/api[_-]?key\s*[:=]\s*["'][^"']+["']/i.test(content)) {
+      threats.push({
+        type: 'credential-exposure',
+        severity: 'critical',
+        description: 'API key detected',
+      });
+    }
+
+    if (/eval\s*\(/.test(content)) {
+      threats.push({
+        type: 'code-injection',
+        severity: 'high',
+        description: 'Eval statement detected',
+      });
+    }
+
+    return {
+      safe: threats.length === 0,
+      threats,
+    };
+  }
+
+  /**
+   * Sanitize path
+   */
+  private sanitizePath(path: string): string {
+    return path
+      .replace(/\.\./g, '')
+      .replace(/\/\//g, '/')
+      .replace(/^~\//, '')
+      .trim();
+  }
+
+  /**
+   * Sanitize command
+   */
+  private sanitizeCommand(command: string): string {
+    return command
+      .replace(/[;&|`$]/g, '')
+      .replace(/\$\([^)]*\)/g, '')
+      .trim();
+  }
+
+  /**
+   * Sanitize user input
+   */
+  private sanitizeInput(input: string): string {
+    return input
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#x27;')
+      .replace(/\//g, '&#x2F;');
+  }
+
+  /**
+   * Create security context for agent
+   */
+  createAgentContext(
+    agentId: string,
+    role: string,
+    customPaths?: string[]
+  ): SecurityContext {
+    // Default permissions based on role
+    const rolePermissions: Record<string, PermissionLevel[]> = {
+      'queen-coordinator': ['read', 'write', 'execute', 'admin'],
+      'security-architect': ['read', 'write', 'execute', 'admin'],
+      'coder': ['read', 'write', 'execute'],
+      'reviewer': ['read'],
+      'tester': ['read', 'execute'],
+      default: ['read'],
+    };
+
+    const permissions = rolePermissions[role] ?? rolePermissions.default;
+
+    return SecurityContext.create({
+      principalId: agentId,
+      principalType: 'agent',
+      permissions,
+      allowedPaths: customPaths ?? ['./src', './tests', './docs'],
+      blockedPaths: ['/etc', '/var', '~/', '../'],
+      allowedCommands: ['npm', 'npx', 'node', 'git', 'vitest'],
+      blockedCommands: ['rm -rf /', 'dd', 'mkfs', 'format'],
+    });
+  }
+}