@sparkleideas/security 3.0.0-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/README.md +234 -0
  2. package/__tests__/acceptance/security-compliance.test.ts +674 -0
  3. package/__tests__/credential-generator.test.ts +310 -0
  4. package/__tests__/fixtures/configurations.ts +419 -0
  5. package/__tests__/fixtures/index.ts +21 -0
  6. package/__tests__/helpers/create-mock.ts +469 -0
  7. package/__tests__/helpers/index.ts +32 -0
  8. package/__tests__/input-validator.test.ts +381 -0
  9. package/__tests__/integration/security-flow.test.ts +606 -0
  10. package/__tests__/password-hasher.test.ts +239 -0
  11. package/__tests__/path-validator.test.ts +302 -0
  12. package/__tests__/safe-executor.test.ts +292 -0
  13. package/__tests__/token-generator.test.ts +371 -0
  14. package/__tests__/unit/credential-generator.test.ts +182 -0
  15. package/__tests__/unit/password-hasher.test.ts +359 -0
  16. package/__tests__/unit/path-validator.test.ts +509 -0
  17. package/__tests__/unit/safe-executor.test.ts +667 -0
  18. package/__tests__/unit/token-generator.test.ts +310 -0
  19. package/package.json +28 -0
  20. package/src/CVE-REMEDIATION.ts +251 -0
  21. package/src/application/index.ts +10 -0
  22. package/src/application/services/security-application-service.ts +193 -0
  23. package/src/credential-generator.ts +368 -0
  24. package/src/domain/entities/security-context.ts +173 -0
  25. package/src/domain/index.ts +17 -0
  26. package/src/domain/services/security-domain-service.ts +296 -0
  27. package/src/index.ts +271 -0
  28. package/src/input-validator.ts +466 -0
  29. package/src/password-hasher.ts +270 -0
  30. package/src/path-validator.ts +525 -0
  31. package/src/safe-executor.ts +525 -0
  32. package/src/token-generator.ts +463 -0
  33. package/tmp.json +0 -0
  34. package/tsconfig.json +9 -0
package/README.md ADDED
@@ -0,0 +1,234 @@
1
+ # @claude-flow/security
2
+
3
+ [![npm version](https://img.shields.io/npm/v/@claude-flow/security.svg)](https://www.npmjs.com/package/@claude-flow/security)
4
+ [![npm downloads](https://img.shields.io/npm/dm/@claude-flow/security.svg)](https://www.npmjs.com/package/@claude-flow/security)
5
+ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
6
+ [![TypeScript](https://img.shields.io/badge/TypeScript-5.0+-blue.svg)](https://www.typescriptlang.org/)
7
+ [![Security Audit](https://img.shields.io/badge/Security-Audited-green.svg)](https://github.com/ruvnet/claude-flow)
8
+
9
+ > Comprehensive security module for Claude Flow V3 - CVE fixes, input validation, path security, and secure credential management.
10
+
11
+ ## Features
12
+
13
+ - **CVE Remediation** - Fixes for CVE-2 (Weak Password Hashing), CVE-3 (Hardcoded Credentials), HIGH-1 (Command Injection), HIGH-2 (Path Traversal)
14
+ - **Password Hashing** - Secure bcrypt-based password hashing with configurable rounds (12+ recommended)
15
+ - **Credential Generation** - Cryptographically secure credential and API key generation
16
+ - **Safe Command Execution** - Allowlist-based command execution preventing injection attacks
17
+ - **Path Validation** - Protection against path traversal and symlink attacks
18
+ - **Input Validation** - Zod-based schema validation for all input types
19
+ - **Token Generation** - Secure token creation with HMAC signing
20
+
21
+ ## Installation
22
+
23
+ ```bash
24
+ npm install @claude-flow/security
25
+ ```
26
+
27
+ ## Quick Start
28
+
29
+ ```typescript
30
+ import { createSecurityModule } from '@claude-flow/security';
31
+
32
+ // Create a complete security module
33
+ const security = createSecurityModule({
34
+ projectRoot: '/workspaces/project',
35
+ hmacSecret: process.env.HMAC_SECRET!,
36
+ bcryptRounds: 12,
37
+ allowedCommands: ['git', 'npm', 'npx', 'node']
38
+ });
39
+
40
+ // Hash a password
41
+ const hash = await security.passwordHasher.hash('userPassword123');
42
+
43
+ // Validate a path
44
+ const pathResult = await security.pathValidator.validate('/workspaces/project/src/file.ts');
45
+
46
+ // Execute command safely
47
+ const output = await security.safeExecutor.execute('git', ['status']);
48
+
49
+ // Generate secure credentials
50
+ const creds = await security.credentialGenerator.generate();
51
+ ```
52
+
53
+ ## API Reference
54
+
55
+ ### Password Hashing (CVE-2 Fix)
56
+
57
+ ```typescript
58
+ import { PasswordHasher, createPasswordHasher } from '@claude-flow/security';
59
+
60
+ const hasher = createPasswordHasher({ rounds: 12 });
61
+
62
+ // Hash password
63
+ const hash = await hasher.hash('password');
64
+
65
+ // Verify password
66
+ const isValid = await hasher.verify('password', hash);
67
+
68
+ // Check if hash needs rehashing
69
+ const needsRehash = hasher.needsRehash(hash);
70
+ ```
71
+
72
+ ### Credential Generation (CVE-3 Fix)
73
+
74
+ ```typescript
75
+ import { CredentialGenerator, generateCredentials } from '@claude-flow/security';
76
+
77
+ const generator = new CredentialGenerator();
78
+
79
+ // Generate API key
80
+ const apiKey = await generator.generateApiKey({
81
+ prefix: 'cf',
82
+ length: 32
83
+ });
84
+
85
+ // Generate complete credentials
86
+ const creds = generateCredentials({
87
+ includeApiKey: true,
88
+ includeSecret: true
89
+ });
90
+ ```
91
+
92
+ ### Safe Command Execution (HIGH-1 Fix)
93
+
94
+ ```typescript
95
+ import { SafeExecutor, createDevelopmentExecutor } from '@claude-flow/security';
96
+
97
+ const executor = createDevelopmentExecutor();
98
+
99
+ // Execute allowed command
100
+ const result = await executor.execute('git', ['status']);
101
+
102
+ // With timeout
103
+ const result2 = await executor.execute('npm', ['install'], {
104
+ timeout: 60000,
105
+ cwd: '/workspaces/project'
106
+ });
107
+ ```
108
+
109
+ ### Path Validation (HIGH-2 Fix)
110
+
111
+ ```typescript
112
+ import { PathValidator, createProjectPathValidator } from '@claude-flow/security';
113
+
114
+ const validator = createProjectPathValidator('/workspaces/project');
115
+
116
+ // Validate path
117
+ const result = await validator.validate('../../../etc/passwd');
118
+ // { valid: false, reason: 'Path traversal detected' }
119
+
120
+ // Safe path
121
+ const result2 = await validator.validate('/workspaces/project/src/index.ts');
122
+ // { valid: true, normalized: '/workspaces/project/src/index.ts' }
123
+ ```
124
+
125
+ ### Input Validation
126
+
127
+ ```typescript
128
+ import {
129
+ InputValidator,
130
+ SafeStringSchema,
131
+ EmailSchema,
132
+ PasswordSchema,
133
+ SpawnAgentSchema
134
+ } from '@claude-flow/security';
135
+
136
+ // Validate email
137
+ const email = EmailSchema.parse('user@example.com');
138
+
139
+ // Validate password
140
+ const password = PasswordSchema.parse('SecurePass123!');
141
+
142
+ // Validate agent spawn request
143
+ const agentRequest = SpawnAgentSchema.parse({
144
+ type: 'coder',
145
+ name: 'code-agent-1'
146
+ });
147
+
148
+ // Sanitize HTML
149
+ import { sanitizeHtml } from '@claude-flow/security';
150
+ const safe = sanitizeHtml('<script>alert("xss")</script>Hello');
151
+ // 'Hello'
152
+ ```
153
+
154
+ ### Token Generation
155
+
156
+ ```typescript
157
+ import { TokenGenerator, quickGenerate } from '@claude-flow/security';
158
+
159
+ const generator = new TokenGenerator({
160
+ hmacSecret: process.env.HMAC_SECRET!
161
+ });
162
+
163
+ // Generate signed token
164
+ const token = await generator.generate({
165
+ type: 'session',
166
+ expiresIn: 3600
167
+ });
168
+
169
+ // Verify token
170
+ const verified = await generator.verify(token);
171
+
172
+ // Quick generation
173
+ const sessionToken = quickGenerate.sessionToken();
174
+ const verificationCode = quickGenerate.verificationCode();
175
+ ```
176
+
177
+ ## Security Constants
178
+
179
+ ```typescript
180
+ import {
181
+ MIN_BCRYPT_ROUNDS, // 12
182
+ MAX_BCRYPT_ROUNDS, // 14
183
+ MIN_PASSWORD_LENGTH, // 8
184
+ MAX_PASSWORD_LENGTH, // 72 (bcrypt limit)
185
+ DEFAULT_TOKEN_EXPIRATION, // 3600 (1 hour)
186
+ DEFAULT_SESSION_EXPIRATION // 86400 (24 hours)
187
+ } from '@claude-flow/security';
188
+ ```
189
+
190
+ ## Security Audit
191
+
192
+ ```typescript
193
+ import { auditSecurityConfig } from '@claude-flow/security';
194
+
195
+ const warnings = auditSecurityConfig({
196
+ bcryptRounds: 10,
197
+ hmacSecret: 'short'
198
+ });
199
+
200
+ // ['bcryptRounds (10) below recommended minimum (12)',
201
+ // 'hmacSecret should be at least 32 characters']
202
+ ```
203
+
204
+ ## Validation Schemas
205
+
206
+ | Schema | Description |
207
+ |--------|-------------|
208
+ | `SafeStringSchema` | Basic safe string with length limits |
209
+ | `IdentifierSchema` | Alphanumeric identifiers |
210
+ | `FilenameSchema` | Safe filenames |
211
+ | `EmailSchema` | Email addresses |
212
+ | `PasswordSchema` | Secure passwords |
213
+ | `UUIDSchema` | UUID v4 format |
214
+ | `HttpsUrlSchema` | HTTPS URLs only |
215
+ | `SemverSchema` | Semantic versions |
216
+ | `PortSchema` | Valid port numbers |
217
+ | `IPv4Schema` | IPv4 addresses |
218
+ | `SpawnAgentSchema` | Agent spawn requests |
219
+ | `TaskInputSchema` | Task definitions |
220
+ | `SecurityConfigSchema` | Security configuration |
221
+
222
+ ## Dependencies
223
+
224
+ - `bcrypt` - Password hashing
225
+ - `zod` - Schema validation
226
+
227
+ ## Related Packages
228
+
229
+ - [@claude-flow/shared](../shared) - Shared types and utilities
230
+ - [@claude-flow/swarm](../swarm) - Swarm coordination (secure agent spawning)
231
+
232
+ ## License
233
+
234
+ MIT