npm - @sparkleideas/security - Versions diffs - 3.0.0-alpha.20 → 3.0.0-alpha.29 - Mend

@sparkleideas/security 3.0.0-alpha.20 → 3.0.0-alpha.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/dist/CVE-REMEDIATION.d.ts +86 -0
package/dist/CVE-REMEDIATION.d.ts.map +1 -0
package/dist/CVE-REMEDIATION.js +221 -0
package/dist/CVE-REMEDIATION.js.map +1 -0
package/dist/application/index.d.ts +7 -0
package/dist/application/index.d.ts.map +1 -0
package/dist/application/index.js +7 -0
package/dist/application/index.js.map +1 -0
package/dist/application/services/security-application-service.d.ts +71 -0
package/dist/application/services/security-application-service.d.ts.map +1 -0
package/dist/application/services/security-application-service.js +153 -0
package/dist/application/services/security-application-service.js.map +1 -0
package/dist/credential-generator.d.ts +176 -0
package/dist/credential-generator.d.ts.map +1 -0
package/dist/credential-generator.js +272 -0
package/dist/credential-generator.js.map +1 -0
package/dist/domain/entities/security-context.d.ts +68 -0
package/dist/domain/entities/security-context.d.ts.map +1 -0
package/dist/domain/entities/security-context.js +132 -0
package/dist/domain/entities/security-context.js.map +1 -0
package/dist/domain/index.d.ts +8 -0
package/dist/domain/index.d.ts.map +1 -0
package/dist/domain/index.js +8 -0
package/dist/domain/index.js.map +1 -0
package/dist/domain/services/security-domain-service.d.ts +71 -0
package/dist/domain/services/security-domain-service.d.ts.map +1 -0
package/dist/domain/services/security-domain-service.js +237 -0
package/dist/domain/services/security-domain-service.js.map +1 -0
package/dist/index.d.ts +119 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +145 -0
package/dist/index.js.map +1 -0
package/dist/input-validator.d.ts +338 -0
package/dist/input-validator.d.ts.map +1 -0
package/dist/input-validator.js +393 -0
package/dist/input-validator.js.map +1 -0
package/dist/password-hasher.d.ts +128 -0
package/dist/password-hasher.d.ts.map +1 -0
package/dist/password-hasher.js +183 -0
package/dist/password-hasher.js.map +1 -0
package/dist/path-validator.d.ts +148 -0
package/dist/path-validator.d.ts.map +1 -0
package/dist/path-validator.js +421 -0
package/dist/path-validator.js.map +1 -0
package/dist/safe-executor.d.ts +173 -0
package/dist/safe-executor.d.ts.map +1 -0
package/dist/safe-executor.js +370 -0
package/dist/safe-executor.js.map +1 -0
package/dist/token-generator.d.ts +224 -0
package/dist/token-generator.d.ts.map +1 -0
package/dist/token-generator.js +351 -0
package/dist/token-generator.js.map +1 -0
package/package.json +1 -1
package/tsconfig.build.tsbuildinfo +1 -0

package/dist/input-validator.js ADDED Viewed

@@ -0,0 +1,393 @@
+/**
+ * Input Validator - Comprehensive Input Validation
+ *
+ * Provides Zod-based validation schemas for all security-critical inputs.
+ *
+ * Security Properties:
+ * - Type-safe validation
+ * - Custom error messages
+ * - Sanitization transforms
+ * - Reusable schemas
+ *
+ * @module v3/security/input-validator
+ */
+import { z } from 'zod';
+/**
+ * Custom error map for security-focused messages
+ */
+const securityErrorMap = (issue, ctx) => {
+    switch (issue.code) {
+        case z.ZodIssueCode.too_big:
+            return { message: `Input exceeds maximum allowed size` };
+        case z.ZodIssueCode.too_small:
+            return { message: `Input below minimum required size` };
+        case z.ZodIssueCode.invalid_string:
+            if (issue.validation === 'email') {
+                return { message: 'Invalid email format' };
+            }
+            if (issue.validation === 'url') {
+                return { message: 'Invalid URL format' };
+            }
+            if (issue.validation === 'uuid') {
+                return { message: 'Invalid UUID format' };
+            }
+            return { message: 'Invalid string format' };
+        default:
+            return { message: ctx.defaultError };
+    }
+};
+// Apply custom error map globally for this module
+z.setErrorMap(securityErrorMap);
+/**
+ * Common validation patterns as reusable regex
+ */
+const PATTERNS = {
+    // Safe identifier: alphanumeric with underscore/hyphen
+    SAFE_IDENTIFIER: /^[a-zA-Z][a-zA-Z0-9_-]*$/,
+    // Safe filename: alphanumeric with dot, underscore, hyphen
+    SAFE_FILENAME: /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/,
+    // Safe path segment: no traversal
+    SAFE_PATH_SEGMENT: /^[^<>:"|?*\x00-\x1f]+$/,
+    // No shell metacharacters
+    NO_SHELL_CHARS: /^[^;&|`$(){}><\n\r\0]+$/,
+    // Semantic version
+    SEMVER: /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/,
+};
+/**
+ * Validation limits
+ */
+const LIMITS = {
+    MIN_PASSWORD_LENGTH: 8,
+    MAX_PASSWORD_LENGTH: 128,
+    MAX_EMAIL_LENGTH: 254,
+    MAX_IDENTIFIER_LENGTH: 64,
+    MAX_PATH_LENGTH: 4096,
+    MAX_CONTENT_LENGTH: 1024 * 1024, // 1MB
+    MAX_ARRAY_LENGTH: 1000,
+    MAX_OBJECT_KEYS: 100,
+};
+// ============================================================================
+// Base Validation Schemas
+// ============================================================================
+/**
+ * Safe string that cannot contain shell metacharacters
+ */
+export const SafeStringSchema = z.string()
+    .min(1, 'String cannot be empty')
+    .max(LIMITS.MAX_CONTENT_LENGTH, 'String too long')
+    .regex(PATTERNS.NO_SHELL_CHARS, 'String contains invalid characters');
+/**
+ * Safe identifier for IDs, names, etc.
+ */
+export const IdentifierSchema = z.string()
+    .min(1, 'Identifier cannot be empty')
+    .max(LIMITS.MAX_IDENTIFIER_LENGTH, 'Identifier too long')
+    .regex(PATTERNS.SAFE_IDENTIFIER, 'Invalid identifier format');
+/**
+ * Safe filename
+ */
+export const FilenameSchema = z.string()
+    .min(1, 'Filename cannot be empty')
+    .max(255, 'Filename too long')
+    .regex(PATTERNS.SAFE_FILENAME, 'Invalid filename format');
+/**
+ * Email schema with length limit
+ */
+export const EmailSchema = z.string()
+    .email('Invalid email format')
+    .max(LIMITS.MAX_EMAIL_LENGTH, 'Email too long')
+    .toLowerCase();
+/**
+ * Password schema with complexity requirements
+ */
+export const PasswordSchema = z.string()
+    .min(LIMITS.MIN_PASSWORD_LENGTH, `Password must be at least ${LIMITS.MIN_PASSWORD_LENGTH} characters`)
+    .max(LIMITS.MAX_PASSWORD_LENGTH, `Password must not exceed ${LIMITS.MAX_PASSWORD_LENGTH} characters`)
+    .refine((val) => /[A-Z]/.test(val), 'Password must contain uppercase letter')
+    .refine((val) => /[a-z]/.test(val), 'Password must contain lowercase letter')
+    .refine((val) => /\d/.test(val), 'Password must contain digit');
+/**
+ * UUID schema
+ */
+export const UUIDSchema = z.string().uuid('Invalid UUID format');
+/**
+ * URL schema with HTTPS enforcement
+ */
+export const HttpsUrlSchema = z.string()
+    .url('Invalid URL format')
+    .refine((val) => val.startsWith('https://'), 'URL must use HTTPS');
+/**
+ * URL schema (allows HTTP for development)
+ */
+export const UrlSchema = z.string()
+    .url('Invalid URL format');
+/**
+ * Semantic version schema
+ */
+export const SemverSchema = z.string()
+    .regex(PATTERNS.SEMVER, 'Invalid semantic version format');
+/**
+ * Port number schema
+ */
+export const PortSchema = z.number()
+    .int('Port must be an integer')
+    .min(1, 'Port must be at least 1')
+    .max(65535, 'Port must be at most 65535');
+/**
+ * IP address schema (v4)
+ */
+export const IPv4Schema = z.string()
+    .ip({ version: 'v4', message: 'Invalid IPv4 address' });
+/**
+ * IP address schema (v4 or v6)
+ */
+export const IPSchema = z.string()
+    .ip({ message: 'Invalid IP address' });
+// ============================================================================
+// Authentication Schemas
+// ============================================================================
+/**
+ * User role schema
+ */
+export const UserRoleSchema = z.enum([
+    'admin',
+    'operator',
+    'developer',
+    'viewer',
+    'service',
+]);
+/**
+ * Permission schema
+ */
+export const PermissionSchema = z.enum([
+    'swarm.create',
+    'swarm.read',
+    'swarm.update',
+    'swarm.delete',
+    'swarm.scale',
+    'agent.spawn',
+    'agent.read',
+    'agent.terminate',
+    'task.create',
+    'task.read',
+    'task.cancel',
+    'metrics.read',
+    'system.admin',
+    'api.access',
+]);
+/**
+ * Login request schema
+ */
+export const LoginRequestSchema = z.object({
+    email: EmailSchema,
+    password: z.string().min(1, 'Password is required'),
+    mfaCode: z.string().length(6, 'MFA code must be 6 digits').optional(),
+});
+/**
+ * User creation schema
+ */
+export const CreateUserSchema = z.object({
+    email: EmailSchema,
+    password: PasswordSchema,
+    role: UserRoleSchema,
+    permissions: z.array(PermissionSchema).optional(),
+    isActive: z.boolean().optional().default(true),
+});
+/**
+ * API key creation schema
+ */
+export const CreateApiKeySchema = z.object({
+    name: IdentifierSchema,
+    permissions: z.array(PermissionSchema).optional(),
+    expiresAt: z.date().optional(),
+});
+// ============================================================================
+// Agent & Task Schemas
+// ============================================================================
+/**
+ * Agent type schema
+ */
+export const AgentTypeSchema = z.enum([
+    'coder',
+    'reviewer',
+    'tester',
+    'planner',
+    'researcher',
+    'security-architect',
+    'security-auditor',
+    'memory-specialist',
+    'swarm-specialist',
+    'integration-architect',
+    'performance-engineer',
+    'core-architect',
+    'test-architect',
+    'queen-coordinator',
+    'project-coordinator',
+]);
+/**
+ * Agent spawn request schema
+ */
+export const SpawnAgentSchema = z.object({
+    type: AgentTypeSchema,
+    id: IdentifierSchema.optional(),
+    config: z.record(z.unknown()).optional(),
+    timeout: z.number().positive().optional(),
+});
+/**
+ * Task input schema
+ */
+export const TaskInputSchema = z.object({
+    taskId: UUIDSchema,
+    content: SafeStringSchema.max(10000, 'Task content too long'),
+    agentType: AgentTypeSchema,
+    priority: z.enum(['low', 'medium', 'high', 'critical']).optional(),
+    metadata: z.record(z.unknown()).optional(),
+});
+// ============================================================================
+// Command & Path Schemas
+// ============================================================================
+/**
+ * Command argument schema
+ */
+export const CommandArgumentSchema = z.string()
+    .max(1024, 'Argument too long')
+    .refine((val) => !val.includes('\0'), 'Argument contains null byte')
+    .refine((val) => !/[;&|`$(){}><]/.test(val), 'Argument contains shell metacharacters');
+/**
+ * Path schema
+ */
+export const PathSchema = z.string()
+    .max(LIMITS.MAX_PATH_LENGTH, 'Path too long')
+    .refine((val) => !val.includes('\0'), 'Path contains null byte')
+    .refine((val) => !val.includes('..'), 'Path contains traversal pattern');
+// ============================================================================
+// Configuration Schemas
+// ============================================================================
+/**
+ * Security configuration schema
+ */
+export const SecurityConfigSchema = z.object({
+    bcryptRounds: z.number().int().min(10).max(20).default(12),
+    jwtExpiresIn: z.string().default('24h'),
+    sessionTimeout: z.number().positive().default(3600000),
+    maxLoginAttempts: z.number().int().positive().default(5),
+    lockoutDuration: z.number().positive().default(900000),
+    requireMFA: z.boolean().default(false),
+});
+/**
+ * Executor configuration schema
+ */
+export const ExecutorConfigSchema = z.object({
+    allowedCommands: z.array(IdentifierSchema).min(1),
+    blockedPatterns: z.array(z.string()).optional(),
+    timeout: z.number().positive().default(30000),
+    maxBuffer: z.number().positive().default(10 * 1024 * 1024),
+    cwd: PathSchema.optional(),
+    allowSudo: z.boolean().default(false),
+});
+// ============================================================================
+// Sanitization Functions
+// ============================================================================
+/**
+ * Sanitizes a string by removing dangerous characters
+ */
+export function sanitizeString(input) {
+    return input
+        .replace(/\0/g, '') // Remove null bytes
+        .replace(/[<>]/g, '') // Remove HTML brackets
+        .replace(/javascript:/gi, '') // Remove javascript: protocol
+        .replace(/data:/gi, '') // Remove data: protocol
+        .trim();
+}
+/**
+ * Sanitizes HTML entities
+ */
+export function sanitizeHtml(input) {
+    return input
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#x27;');
+}
+/**
+ * Sanitizes a path by removing traversal patterns
+ */
+export function sanitizePath(input) {
+    return input
+        .replace(/\0/g, '') // Remove null bytes
+        .replace(/\.\./g, '') // Remove traversal patterns
+        .replace(/\/+/g, '/') // Normalize slashes
+        .replace(/^\//, '') // Remove leading slash
+        .trim();
+}
+// ============================================================================
+// Validation Helper Class
+// ============================================================================
+export class InputValidator {
+    /**
+     * Validates input against a schema
+     */
+    static validate(schema, input) {
+        return schema.parse(input);
+    }
+    /**
+     * Safely validates input, returning result
+     */
+    static safeParse(schema, input) {
+        return schema.safeParse(input);
+    }
+    /**
+     * Validates email
+     */
+    static validateEmail(email) {
+        return EmailSchema.parse(email);
+    }
+    /**
+     * Validates password
+     */
+    static validatePassword(password) {
+        return PasswordSchema.parse(password);
+    }
+    /**
+     * Validates identifier
+     */
+    static validateIdentifier(id) {
+        return IdentifierSchema.parse(id);
+    }
+    /**
+     * Validates path
+     */
+    static validatePath(path) {
+        return PathSchema.parse(path);
+    }
+    /**
+     * Validates command argument
+     */
+    static validateCommandArg(arg) {
+        return CommandArgumentSchema.parse(arg);
+    }
+    /**
+     * Validates login request
+     */
+    static validateLoginRequest(data) {
+        return LoginRequestSchema.parse(data);
+    }
+    /**
+     * Validates user creation request
+     */
+    static validateCreateUser(data) {
+        return CreateUserSchema.parse(data);
+    }
+    /**
+     * Validates task input
+     */
+    static validateTaskInput(data) {
+        return TaskInputSchema.parse(data);
+    }
+}
+// ============================================================================
+// Export all schemas for direct use
+// ============================================================================
+export { z, PATTERNS, LIMITS, };
+//# sourceMappingURL=input-validator.js.map

package/dist/input-validator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"input-validator.js","sourceRoot":"","sources":["../src/input-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,MAAM,gBAAgB,GAAkB,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IACrD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,CAAC,CAAC,YAAY,CAAC,OAAO;YACzB,OAAO,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC;QAC3D,KAAK,CAAC,CAAC,YAAY,CAAC,SAAS;YAC3B,OAAO,EAAE,OAAO,EAAE,mCAAmC,EAAE,CAAC;QAC1D,KAAK,CAAC,CAAC,YAAY,CAAC,cAAc;YAChC,IAAI,KAAK,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;gBACjC,OAAO,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC;YAC7C,CAAC;YACD,IAAI,KAAK,CAAC,UAAU,KAAK,KAAK,EAAE,CAAC;gBAC/B,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,CAAC;YAC3C,CAAC;YACD,IAAI,KAAK,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;gBAChC,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC;YAC5C,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;QAC9C;YACE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC;IACzC,CAAC;AACH,CAAC,CAAC;AAEF,kDAAkD;AAClD,CAAC,CAAC,WAAW,CAAC,gBAAgB,CAAC,CAAC;AAEhC;;GAEG;AACH,MAAM,QAAQ,GAAG;IACf,uDAAuD;IACvD,eAAe,EAAE,0BAA0B;IAE3C,2DAA2D;IAC3D,aAAa,EAAE,8BAA8B;IAE7C,kCAAkC;IAClC,iBAAiB,EAAE,wBAAwB;IAE3C,0BAA0B;IAC1B,cAAc,EAAE,yBAAyB;IAEzC,mBAAmB;IACnB,MAAM,EAAE,qLAAqL;CAC9L,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,GAAG;IACb,mBAAmB,EAAE,CAAC;IACtB,mBAAmB,EAAE,GAAG;IACxB,gBAAgB,EAAE,GAAG;IACrB,qBAAqB,EAAE,EAAE;IACzB,eAAe,EAAE,IAAI;IACrB,kBAAkB,EAAE,IAAI,GAAG,IAAI,EAAE,MAAM;IACvC,gBAAgB,EAAE,IAAI;IACtB,eAAe,EAAE,GAAG;CACrB,CAAC;AAEF,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE;KACvC,GAAG,CAAC,CAAC,EAAE,wBAAwB,CAAC;KAChC,GAAG,CAAC,MAAM,CAAC,kBAAkB,EAAE,iBAAiB,CAAC;KACjD,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE,oCAAoC,CAAC,CAAC;AAExE;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE;KACvC,GAAG,CAAC,CAAC,EAAE,4BAA4B,CAAC;KACpC,GAAG,CAAC,MAAM,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;KACxD,KAAK,CAAC,QAAQ,CAAC,eAAe,EAAE,2BAA2B,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,EAAE;KACrC,GAAG,CAAC,CAAC,EAAE,0BAA0B,CAAC;KAClC,GAAG,CAAC,GAAG,EAAE,mBAAmB,CAAC;KAC7B,KAAK,CAAC,QAAQ,CAAC,aAAa,EAAE,yBAAyB,CAAC,CAAC;AAE5D;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,EAAE;KAClC,KAAK,CAAC,sBAAsB,CAAC;KAC7B,GAAG,CAAC,MAAM,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;KAC9C,WAAW,EAAE,CAAC;AAEjB;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,EAAE;KACrC,GAAG,CAAC,MAAM,CAAC,mBAAmB,EAAE,6BAA6B,MAAM,CAAC,mBAAmB,aAAa,CAAC;KACrG,GAAG,CAAC,MAAM,CAAC,mBAAmB,EAAE,4BAA4B,MAAM,CAAC,mBAAmB,aAAa,CAAC;KACpG,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,wCAAwC,CAAC;KAC5E,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,wCAAwC,CAAC;KAC5E,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,6BAA6B,CAAC,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;AAEjE;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,EAAE;KACrC,GAAG,CAAC,oBAAoB,CAAC;KACzB,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EACnC,oBAAoB,CACrB,CAAC;AAEJ;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,EAAE;KAChC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AAE7B;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,EAAE;KACnC,KAAK,CAAC,QAAQ,CAAC,MAAM,EAAE,iCAAiC,CAAC,CAAC;AAE7D;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,EAAE;KACjC,GAAG,CAAC,yBAAyB,CAAC;KAC9B,GAAG,CAAC,CAAC,EAAE,yBAAyB,CAAC;KACjC,GAAG,CAAC,KAAK,EAAE,4BAA4B,CAAC,CAAC;AAE5C;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,EAAE;KACjC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAC;AAE1D;;GAEG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,CAAC,MAAM,EAAE;KAC/B,EAAE,CAAC,EAAE,OAAO,EAAE,oBAAoB,EAAE,CAAC,CAAC;AAEzC,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC;IACnC,OAAO;IACP,UAAU;IACV,WAAW;IACX,QAAQ;IACR,SAAS;CACV,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,IAAI,CAAC;IACrC,cAAc;IACd,YAAY;IACZ,cAAc;IACd,cAAc;IACd,aAAa;IACb,aAAa;IACb,YAAY;IACZ,iBAAiB;IACjB,aAAa;IACb,WAAW;IACX,aAAa;IACb,cAAc;IACd,cAAc;IACd,YAAY;CACb,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;IACnD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,EAAE,2BAA2B,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,cAAc;IACxB,IAAI,EAAE,cAAc;IACpB,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,QAAQ,EAAE;IACjD,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC/C,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,IAAI,EAAE,gBAAgB;IACtB,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,QAAQ,EAAE;IACjD,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAC;AAEH,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC;IACpC,OAAO;IACP,UAAU;IACV,QAAQ;IACR,SAAS;IACT,YAAY;IACZ,oBAAoB;IACpB,kBAAkB;IAClB,mBAAmB;IACnB,kBAAkB;IAClB,uBAAuB;IACvB,sBAAsB;IACtB,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,qBAAqB;CACtB,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,IAAI,EAAE,eAAe;IACrB,EAAE,EAAE,gBAAgB,CAAC,QAAQ,EAAE;IAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,UAAU;IAClB,OAAO,EAAE,gBAAgB,CAAC,GAAG,CAAC,KAAK,EAAE,uBAAuB,CAAC;IAC7D,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClE,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC3C,CAAC,CAAC;AAEH,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,EAAE;KAC5C,GAAG,CAAC,IAAI,EAAE,mBAAmB,CAAC;KAC9B,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC5B,6BAA6B,CAC9B;KACA,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EACnC,wCAAwC,CACzC,CAAC;AAEJ;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,EAAE;KACjC,GAAG,CAAC,MAAM,CAAC,eAAe,EAAE,eAAe,CAAC;KAC5C,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC5B,yBAAyB,CAC1B;KACA,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC5B,iCAAiC,CAClC,CAAC;AAEJ,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC1D,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;IACtD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IACtD,UAAU,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACvC,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACjD,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC/C,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC7C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;IAC1D,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE;IAC1B,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACtC,CAAC,CAAC;AAEH,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,OAAO,KAAK;SACT,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAW,oBAAoB;SACjD,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAU,uBAAuB;SACrD,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAE,8BAA8B;SAC5D,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAQ,wBAAwB;SACtD,IAAI,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,OAAO,KAAK;SACT,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAW,oBAAoB;SACjD,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAS,4BAA4B;SACzD,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAS,oBAAoB;SACjD,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAW,uBAAuB;SACpD,IAAI,EAAE,CAAC;AACZ,CAAC;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E,MAAM,OAAO,cAAc;IACzB;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAI,MAAsB,EAAE,KAAc;QACvD,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,SAAS,CAAI,MAAsB,EAAE,KAAc;QACxD,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,KAAa;QAChC,OAAO,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,QAAgB;QACtC,OAAO,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,EAAU;QAClC,OAAO,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,IAAY;QAC9B,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,GAAW;QACnC,OAAO,qBAAqB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,oBAAoB,CAAC,IAAa;QACvC,OAAO,kBAAkB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,IAAa;QACrC,OAAO,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,IAAa;QACpC,OAAO,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC;CACF;AAED,+EAA+E;AAC/E,oCAAoC;AACpC,+EAA+E;AAE/E,OAAO,EACL,CAAC,EACD,QAAQ,EACR,MAAM,GACP,CAAC"}

package/dist/password-hasher.d.ts ADDED Viewed

@@ -0,0 +1,128 @@
+/**
+ * Password Hasher - CVE-2 Remediation
+ *
+ * Fixes weak password hashing by replacing SHA-256 with hardcoded salt
+ * with bcrypt using 12 rounds (configurable).
+ *
+ * Security Properties:
+ * - bcrypt with adaptive cost factor (12 rounds)
+ * - Automatic salt generation per password
+ * - Timing-safe comparison
+ * - Minimum password length enforcement
+ *
+ * @module v3/security/password-hasher
+ */
+export interface PasswordHasherConfig {
+    /**
+     * Number of bcrypt rounds (cost factor).
+     * Default: 12 (recommended minimum for production)
+     * Each increment doubles the computation time.
+     */
+    rounds?: number;
+    /**
+     * Minimum password length.
+     * Default: 8 characters
+     */
+    minLength?: number;
+    /**
+     * Maximum password length.
+     * Default: 128 characters (bcrypt limit is 72 bytes)
+     */
+    maxLength?: number;
+    /**
+     * Require at least one uppercase letter.
+     * Default: true
+     */
+    requireUppercase?: boolean;
+    /**
+     * Require at least one lowercase letter.
+     * Default: true
+     */
+    requireLowercase?: boolean;
+    /**
+     * Require at least one digit.
+     * Default: true
+     */
+    requireDigit?: boolean;
+    /**
+     * Require at least one special character.
+     * Default: false
+     */
+    requireSpecial?: boolean;
+}
+export interface PasswordValidationResult {
+    isValid: boolean;
+    errors: string[];
+}
+export declare class PasswordHashError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Secure password hasher using bcrypt.
+ *
+ * This class replaces the vulnerable SHA-256 + hardcoded salt implementation
+ * with industry-standard bcrypt hashing.
+ *
+ * @example
+ * ```typescript
+ * const hasher = new PasswordHasher({ rounds: 12 });
+ * const hash = await hasher.hash('securePassword123');
+ * const isValid = await hasher.verify('securePassword123', hash);
+ * ```
+ */
+export declare class PasswordHasher {
+    private readonly config;
+    constructor(config?: PasswordHasherConfig);
+    /**
+     * Validates password against configured requirements.
+     *
+     * @param password - The password to validate
+     * @returns Validation result with errors if any
+     */
+    validate(password: string): PasswordValidationResult;
+    /**
+     * Hashes a password using bcrypt.
+     *
+     * @param password - The plaintext password to hash
+     * @returns The bcrypt hash
+     * @throws PasswordHashError if password is invalid
+     */
+    hash(password: string): Promise<string>;
+    /**
+     * Verifies a password against a bcrypt hash.
+     * Uses timing-safe comparison internally.
+     *
+     * @param password - The plaintext password to verify
+     * @param hash - The bcrypt hash to compare against
+     * @returns True if password matches, false otherwise
+     */
+    verify(password: string, hash: string): Promise<boolean>;
+    /**
+     * Checks if a hash needs to be rehashed with updated parameters.
+     * Useful for upgrading hash strength over time.
+     *
+     * @param hash - The bcrypt hash to check
+     * @returns True if hash should be updated
+     */
+    needsRehash(hash: string): boolean;
+    /**
+     * Validates bcrypt hash format.
+     *
+     * @param hash - The hash to validate
+     * @returns True if valid bcrypt hash format
+     */
+    private isValidBcryptHash;
+    /**
+     * Returns current configuration (without sensitive defaults).
+     */
+    getConfig(): Readonly<Omit<Required<PasswordHasherConfig>, never>>;
+}
+/**
+ * Factory function to create a production-ready password hasher.
+ *
+ * @param rounds - Bcrypt rounds (default: 12)
+ * @returns Configured PasswordHasher instance
+ */
+export declare function createPasswordHasher(rounds?: number): PasswordHasher;
+//# sourceMappingURL=password-hasher.d.ts.map

package/dist/password-hasher.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"password-hasher.d.ts","sourceRoot":"","sources":["../src/password-hasher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,qBAAa,iBAAkB,SAAQ,KAAK;aAGxB,IAAI,EAAE,MAAM;gBAD5B,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM;CAK/B;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAE5C,MAAM,GAAE,oBAAyB;IA2B7C;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,wBAAwB;IAsCpD;;;;;;OAMG;IACG,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqB7C;;;;;;;OAOG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAmB9D;;;;;;OAMG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAelC;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IAMzB;;OAEG;IACH,SAAS,IAAI,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,KAAK,CAAC,CAAC;CAGnE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,SAAK,GAAG,cAAc,CAEhE"}