@trenchwork/erosolar 1.1.30 → 1.1.32

package/dist/utils/projectRegistration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"projectRegistration.js","sourceRoot":"","sources":["../../src/utils/projectRegistration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAE7D,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AA6B/C,MAAM,WAAW,GAAG,sCAAsC,CAAC;AAC3D,MAAM,WAAW,GAAG,8DAA8D,CAAC;AAEnF,SAAS,cAAc,CAAC,IAAY,EAAE,KAAoB,EAAE,IAAmB;IAC7E,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,qBAAqB,GAAG,KAAK,GAAG,GAAG,GAAG,IAAI,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAkB,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACvG,IAAI,CAAC,OAAO;QAAE,OAAO,QAAQ,CAAC;IAE9B,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IAEnC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC5C,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAC3B,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC5C,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YAC3B,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QACjC,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAExC,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACzF,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;IACnD,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;IACpD,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IAEpD,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,IAAc;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE;YACpC,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC;QACH,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;IACnE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,OAAO,SAAS,CAAC,UAAU,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,SAAS,CAAC,KAAa,EAAE,MAAc;IAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAqB;IAChD,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,GAAG,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC3G,OAAO,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAkB;IAC5C,OAAO,QAAQ,GAAG,SAAS,CAAC,QAAQ,EAAE,GAAG,IAAI,GAAG,UAAU,EAAE,EAAE,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,MAA4B;IAC9E,IAAI,MAAM;QAAE,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC/C,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,UAAU,CAAC,MAAqB;IACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IACzB,OAAO;QACL,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QAClC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QACpC,IAAI;QACJ,SAAS,EAAE,IAAI;KAChB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAoB,EAAE,MAAyB,OAAO,CAAC,GAAG;IACvF,IAAI,GAAG,CAAC,uCAAuC,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACvE,IAAI,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,GAAG,CAAC,sCAAsC,CAAC,KAAK,GAAG,CAAC;IAC7D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,UAAkB,EAClB,OAAoB,EACpB,MAAyB,OAAO,CAAC,GAAG;IAEpC,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,SAAS,IAAI,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACvE,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IAExC,IAAI,IAAY,CAAC;IACjB,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;SAAM,IAAI,MAAM,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;QAC/C,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC;IAC3E,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC;IAC7C,CAAC;IAED,OAAO;QACL,SAAS;QACT,IAAI;QACJ,MAAM;QACN,MAAM;QACN,MAAM;QACN,cAAc,EAAE,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;QACzC,QAAQ,EAAE,QAAQ,EAAE;QACpB,OAAO;QACP,QAAQ,EAAE,QAAQ,EAAE;KACrB,CAAC;AACJ,CAAC;AASD,SAAS,mBAAmB,CAAC,QAAyB,EAAE,MAAqB;IAC3E,OAAO;QACL,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,cAAc,EAAE,QAAQ,CAAC,cAAc;QACvC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI;QACvD,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;QAC5D,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;QAC9D,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;QAC5D,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI;QAC7D,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;QAChC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,CAAC;QAC9C,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,CAAC;QAC1C,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,CAAC;KAC/C,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,IAAkD,EAClD,QAAyB,EACzB,MAAqB;IAErB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAC7B,IAAI,EACJ,mBAAmB,CAAC,QAAQ,EAAE,MAAM,CAAC,CACtC,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,SAAS,EAAE,QAAQ,CAAC,SAAS;gBAC7B,MAAM,EAAE,MAAM,CAAC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,cAAc;gBAC1D,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;IACjF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,UAAkB,EAClB,OAAoB,EACpB,SAAwB,EAAE,EAC1B,MAAyB,OAAO,CAAC,GAAG;IAEpC,MAAM,QAAQ,GAAG,oBAAoB,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACzD,OAAO,iBAAiB,CAAC,oBAAoB,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,UAAkB,EAClB,OAAoB,EACpB,SAAwB,EAAE,EAC1B,MAAyB,OAAO,CAAC,GAAG;IAEpC,MAAM,QAAQ,GAAG,oBAAoB,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACzD,OAAO,iBAAiB,CAAC,qBAAqB,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AACpE,CAAC"}

package/dist/utils/securityUtils.d.ts

@@ -0,0 +1,145 @@
+/**
+ * Security Utilities for AGI Core
+ * Comprehensive security validation, sanitization, and safe execution utilities
+ */
+import { SpawnSyncOptions } from 'node:child_process';
+/**
+ * Validate target hostname, IP address, or domain
+ * Prevents command injection and path traversal
+ */
+export declare function validateTarget(target: string): {
+    valid: boolean;
+    reason?: string;
+};
+/**
+ * Validate port numbers and ranges
+ */
+export declare function validatePorts(ports: string): {
+    valid: boolean;
+    reason?: string;
+};
+/**
+ * Validate and sanitize URL
+ */
+export declare function validateUrl(url: string): {
+    valid: boolean;
+    reason?: string;
+    sanitized?: string;
+};
+/**
+ * Safe command execution wrapper
+ * Uses spawnSync with array arguments, never shell mode
+ */
+export declare function safeExecSync(command: string, args?: string[], options?: SpawnSyncOptions): {
+    success: boolean;
+    stdout: string;
+    stderr: string;
+    error?: string;
+};
+/**
+ * Sanitize user input for shell commands
+ * Escapes shell metacharacters
+ */
+export declare function sanitizeShellInput(input: string): string;
+/**
+ * Validate and sanitize file path
+ * Prevents directory traversal anomalys
+ */
+export declare function sanitizeFilePath(path: string): {
+    valid: boolean;
+    sanitized?: string;
+    reason?: string;
+};
+/**
+ * Rate limiting and request throttling
+ */
+export declare class RateLimiter {
+    private maxRequests;
+    private timeWindowMs;
+    private requests;
+    constructor(maxRequests?: number, timeWindowMs?: number);
+    /**
+     * Check if request is allowed
+     */
+    isAllowed(key: string): boolean;
+    /**
+     * Clean up old request records
+     */
+    private cleanup;
+    /**
+     * Get wait time if rate limited
+     */
+    getWaitTime(key: string): number;
+}
+/**
+ * Secure HTTP request utilities
+ */
+export declare class SecureHttpClient {
+    private rateLimiter;
+    get(url: string, options?: {
+        timeout?: number;
+        headers?: Record<string, string>;
+    }): Promise<{
+        success: boolean;
+        statusCode?: number;
+        data?: string;
+        error?: string;
+    }>;
+}
+/**
+ * Security context for tool execution
+ */
+export interface SecurityContext {
+    userId?: string;
+    permissions: string[];
+    maxExecutionTime: number;
+    allowedCommands: string[];
+    allowedHosts: string[];
+}
+/**
+ * Security policy validator
+ */
+export declare class SecurityPolicyValidator {
+    private defaultContext;
+    validateCommand(command: string, args: string[], context?: Partial<SecurityContext>): {
+        allowed: boolean;
+        reason?: string;
+    };
+    private validateNmapArgs;
+    private validateCurlArgs;
+    private rejectShellMeta;
+    private validateSqlmapArgs;
+    private validateGobusterArgs;
+    private validateFfufArgs;
+    private validateFeroxbusterArgs;
+    private validateNiktoArgs;
+    private validateWpscanArgs;
+    private validateHydraArgs;
+    private validateJohnArgs;
+    private validateHashcatArgs;
+    private validateMasscanArgs;
+    private validateAmassArgs;
+    private validateSubfinderArgs;
+}
+/**
+ * Security logger for audit trail
+ */
+export declare class SecurityLogger {
+    private logFile?;
+    constructor(logFile?: string);
+    logSecurityEvent(event: {
+        type: string;
+        userId?: string;
+        command?: string;
+        args?: string[];
+        target?: string;
+        success: boolean;
+        timestamp: Date;
+        details?: Record<string, any>;
+    }): void;
+    private getClientIp;
+}
+export declare const securityValidator: SecurityPolicyValidator;
+export declare const securityLogger: SecurityLogger;
+export declare const globalRateLimiter: RateLimiter;
+//# sourceMappingURL=securityUtils.d.ts.map

package/dist/utils/securityUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"securityUtils.d.ts","sourceRoot":"","sources":["../../src/utils/securityUtils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAa,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAIjE;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBlF;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBhF;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAyBhG;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAM,EAAO,EACnB,OAAO,GAAE,gBAAqB,GAC7B;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAmCtE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKxD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAkBtG;AAED;;GAEG;AACH,qBAAa,WAAW;IAIpB,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,YAAY;IAJtB,OAAO,CAAC,QAAQ,CAAoC;gBAG1C,WAAW,GAAE,MAAW,EACxB,YAAY,GAAE,MAAc;IAGtC;;OAEG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAwB/B;;OAEG;IACH,OAAO,CAAC,OAAO;IAcf;;OAEG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;CASjC;AAED;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,WAAW,CAA8B;IAE3C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAO,GAAG,OAAO,CAAC;QACpG,OAAO,EAAE,OAAO,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CAqBH;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED;;GAEG;AACH,qBAAa,uBAAuB;IAClC,OAAO,CAAC,cAAc,CAUpB;IAEF,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,GAAE,OAAO,CAAC,eAAe,CAAM,GAAG;QACxF,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;IA0BD,OAAO,CAAC,gBAAgB;IAuBxB,OAAO,CAAC,gBAAgB;IA0BxB,OAAO,CAAC,eAAe;IAUvB,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,oBAAoB;IAiB5B,OAAO,CAAC,gBAAgB;IAYxB,OAAO,CAAC,uBAAuB;IAY/B,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,kBAAkB;IAY1B,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,gBAAgB;IAWxB,OAAO,CAAC,mBAAmB;IAY3B,OAAO,CAAC,mBAAmB;IAY3B,OAAO,CAAC,iBAAiB;IAiBzB,OAAO,CAAC,qBAAqB;CAW9B;AAED;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,OAAO,CAAC,CAAS;gBAEb,OAAO,CAAC,EAAE,MAAM;IAI5B,gBAAgB,CAAC,KAAK,EAAE;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,EAAE,IAAI,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KAC/B,GAAG,IAAI;IAWR,OAAO,CAAC,WAAW;CAIpB;AAGD,eAAO,MAAM,iBAAiB,yBAAgC,CAAC;AAC/D,eAAO,MAAM,cAAc,gBAAuB,CAAC;AACnD,eAAO,MAAM,iBAAiB,aAA8B,CAAC"}

package/dist/utils/securityUtils.js

@@ -0,0 +1,507 @@
+/**
+ * Security Utilities for AGI Core
+ * Comprehensive security validation, sanitization, and safe execution utilities
+ */
+import { spawnSync } from 'node:child_process';
+import { URL } from 'node:url';
+import { logDebug } from './debugLogger.js';
+/**
+ * Validate target hostname, IP address, or domain
+ * Prevents command injection and path traversal
+ */
+export function validateTarget(target) {
+    if (typeof target !== 'string') {
+        return { valid: false, reason: 'Target must be a string' };
+    }
+    if (target.length > 253) {
+        return { valid: false, reason: 'Target too long (max 253 characters)' };
+    }
+    // Allow IP addresses (IPv4 and IPv6), hostnames, but no shell metacharacters
+    const validTargetRegex = /^[a-zA-Z0-9.\-:_[\]]+$/;
+    if (!validTargetRegex.test(target)) {
+        return { valid: false, reason: 'Target contains invalid characters' };
+    }
+    // Disallow localhost/private IPs unless explicitly allowed (add config flag if needed)
+    const privateIPRegex = /^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|::1|localhost)/;
+    if (privateIPRegex.test(target.toLowerCase())) {
+        console.warn(`Security warning: Scanning private/localhost target ${target}`);
+    }
+    return { valid: true };
+}
+/**
+ * Validate port numbers and ranges
+ */
+export function validatePorts(ports) {
+    if (typeof ports !== 'string') {
+        return { valid: false, reason: 'Ports must be a string' };
+    }
+    const portList = ports.split(',');
+    for (const port of portList) {
+        if (port.includes('-')) {
+            // Handle port ranges like "1-1000"
+            const [start, end] = port.split('-').map(p => parseInt(p.trim(), 10));
+            if (isNaN(start) || isNaN(end) || start < 1 || end > 65535 || start > end) {
+                return { valid: false, reason: `Invalid port range: ${port}` };
+            }
+        }
+        else {
+            const portNum = parseInt(port.trim(), 10);
+            if (isNaN(portNum) || portNum < 1 || portNum > 65535) {
+                return { valid: false, reason: `Invalid port: ${port}` };
+            }
+        }
+    }
+    return { valid: true };
+}
+/**
+ * Validate and sanitize URL
+ */
+export function validateUrl(url) {
+    try {
+        const parsed = new URL(url);
+        // Validate protocol
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            return { valid: false, reason: `Unsupported protocol: ${parsed.protocol}` };
+        }
+        // Validate hostname
+        const hostnameValidation = validateTarget(parsed.hostname);
+        if (!hostnameValidation.valid) {
+            return { valid: false, reason: hostnameValidation.reason };
+        }
+        // Sanitize path (basic prevention of directory traversal in URL)
+        const sanitizedPath = parsed.pathname.replace(/\.\.\//g, '').replace(/\/\/+/g, '/');
+        return {
+            valid: true,
+            sanitized: `${parsed.protocol}//${parsed.hostname}${sanitizedPath}${parsed.search}${parsed.hash}`
+        };
+    }
+    catch (error) {
+        return { valid: false, reason: 'Invalid URL format' };
+    }
+}
+/**
+ * Safe command execution wrapper
+ * Uses spawnSync with array arguments, never shell mode
+ */
+export function safeExecSync(command, args = [], options = {}) {
+    try {
+        const defaultOptions = {
+            encoding: 'utf-8',
+            timeout: 30000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+            shell: false, // CRITICAL: Never use shell mode
+        };
+        const mergedOptions = { ...defaultOptions, ...options };
+        const result = spawnSync(command, args, mergedOptions);
+        if (result.error) {
+            return {
+                success: false,
+                stdout: '',
+                stderr: '',
+                error: `Command execution failed: ${result.error.message}`
+            };
+        }
+        return {
+            success: result.status === 0,
+            stdout: result.stdout?.toString() || '',
+            stderr: result.stderr?.toString() || '',
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            stdout: '',
+            stderr: '',
+            error: `Execution error: ${error.message}`
+        };
+    }
+}
+/**
+ * Sanitize user input for shell commands
+ * Escapes shell metacharacters
+ */
+export function sanitizeShellInput(input) {
+    if (typeof input !== 'string')
+        return '';
+    // Escape shell metacharacters
+    return input.replace(/[;&|`$\\'"\n\r]/g, '\\$&');
+}
+/**
+ * Validate and sanitize file path
+ * Prevents directory traversal anomalys
+ */
+export function sanitizeFilePath(path) {
+    if (typeof path !== 'string') {
+        return { valid: false, reason: 'Path must be a string' };
+    }
+    // Prevent directory traversal
+    if (path.includes('..') || path.includes('//')) {
+        return { valid: false, reason: 'Path contains directory traversal attempts' };
+    }
+    // Prevent absolute paths to sensitive locations (basic check)
+    const sensitivePaths = ['/etc/', '/var/', '/usr/', '/bin/', '/sbin/', '/root/', '/home/'];
+    const normalizedPath = path.toLowerCase();
+    if (sensitivePaths.some(sp => normalizedPath.startsWith(sp))) {
+        return { valid: false, reason: 'Path points to sensitive system location' };
+    }
+    return { valid: true, sanitized: path };
+}
+/**
+ * Rate limiting and request throttling
+ */
+export class RateLimiter {
+    maxRequests;
+    timeWindowMs;
+    requests = new Map();
+    constructor(maxRequests = 10, timeWindowMs = 60000) {
+        this.maxRequests = maxRequests;
+        this.timeWindowMs = timeWindowMs;
+    }
+    /**
+     * Check if request is allowed
+     */
+    isAllowed(key) {
+        const now = Date.now();
+        const windowStart = now - this.timeWindowMs;
+        let requests = this.requests.get(key) || [];
+        // Clean old requests
+        requests = requests.filter(time => time > windowStart);
+        if (requests.length >= this.maxRequests) {
+            return false;
+        }
+        requests.push(now);
+        this.requests.set(key, requests);
+        // Cleanup old entries periodically
+        if (Math.random() < 0.01) { // 1% chance to cleanup
+            this.cleanup();
+        }
+        return true;
+    }
+    /**
+     * Clean up old request records
+     */
+    cleanup() {
+        const now = Date.now();
+        const windowStart = now - this.timeWindowMs;
+        for (const [key, requests] of this.requests.entries()) {
+            const filtered = requests.filter(time => time > windowStart);
+            if (filtered.length === 0) {
+                this.requests.delete(key);
+            }
+            else {
+                this.requests.set(key, filtered);
+            }
+        }
+    }
+    /**
+     * Get wait time if rate limited
+     */
+    getWaitTime(key) {
+        const requests = this.requests.get(key) || [];
+        if (requests.length < this.maxRequests) {
+            return 0;
+        }
+        const oldest = Math.min(...requests);
+        return Math.max(0, oldest + this.timeWindowMs - Date.now());
+    }
+}
+/**
+ * Secure HTTP request utilities
+ */
+export class SecureHttpClient {
+    rateLimiter = new RateLimiter(50, 60000); // 50 requests per minute
+    async get(url, options = {}) {
+        // Validate URL
+        const urlValidation = validateUrl(url);
+        if (!urlValidation.valid) {
+            return { success: false, error: urlValidation.reason };
+        }
+        // Rate limiting
+        const hostname = new URL(url).hostname;
+        if (!this.rateLimiter.isAllowed(hostname)) {
+            return {
+                success: false,
+                error: `Rate limit exceeded for ${hostname}. Wait ${this.rateLimiter.getWaitTime(hostname)}ms`
+            };
+        }
+        // Use native HTTP/HTTPS modules (implementation would go here)
+        // This is a placeholder for actual HTTP implementation
+        return { success: false, error: 'HTTP client not implemented' };
+    }
+}
+/**
+ * Security policy validator
+ */
+export class SecurityPolicyValidator {
+    defaultContext = {
+        permissions: ['read', 'write', 'execute'],
+        maxExecutionTime: 30000,
+        allowedCommands: [
+            'nmap', 'curl', 'dig', 'sshpass', 'openssl',
+            // Kali offsec wrappers (each goes through a per-tool validator below)
+            'sqlmap', 'gobuster', 'ffuf', 'feroxbuster', 'nikto', 'wpscan',
+            'hydra', 'john', 'hashcat', 'masscan', 'amass', 'subfinder',
+        ],
+        allowedHosts: []
+    };
+    validateCommand(command, args, context = {}) {
+        const mergedContext = { ...this.defaultContext, ...context };
+        if (!mergedContext.allowedCommands.includes(command)) {
+            return { allowed: false, reason: `Command ${command} not allowed` };
+        }
+        switch (command) {
+            case 'nmap': return this.validateNmapArgs(args);
+            case 'curl': return this.validateCurlArgs(args);
+            case 'sqlmap': return this.validateSqlmapArgs(args);
+            case 'gobuster': return this.validateGobusterArgs(args);
+            case 'ffuf': return this.validateFfufArgs(args);
+            case 'feroxbuster': return this.validateFeroxbusterArgs(args);
+            case 'nikto': return this.validateNiktoArgs(args);
+            case 'wpscan': return this.validateWpscanArgs(args);
+            case 'hydra': return this.validateHydraArgs(args);
+            case 'john': return this.validateJohnArgs(args);
+            case 'hashcat': return this.validateHashcatArgs(args);
+            case 'masscan': return this.validateMasscanArgs(args);
+            case 'amass': return this.validateAmassArgs(args);
+            case 'subfinder': return this.validateSubfinderArgs(args);
+            default: return { allowed: true };
+        }
+    }
+    validateNmapArgs(args) {
+        const allowedOptions = [
+            '-sS', '-sT', '-sV', '-sC', '-O', '-T4', '-T5', '-p', '-p-',
+            '-Pn', '-A', '--script=vuln', '--script=safe', '--open',
+            '--host-timeout', '--max-retries'
+        ];
+        for (const arg of args) {
+            if (arg.startsWith('-p') && !['-p', '-p-'].includes(arg)) {
+                // Validate port specification
+                const ports = arg.substring(2);
+                const portValidation = validatePorts(ports);
+                if (!portValidation.valid) {
+                    return { allowed: false, reason: portValidation.reason };
+                }
+            }
+            else if (!allowedOptions.includes(arg) && !arg.startsWith('--script')) {
+                return { allowed: false, reason: `Disallowed nmap option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateCurlArgs(args) {
+        for (let i = 0; i < args.length; i++) {
+            const arg = args[i];
+            if (arg === '-X' || arg === '--request') {
+                const method = args[i + 1];
+                if (!['GET', 'POST', 'HEAD', 'OPTIONS'].includes(method?.toUpperCase())) {
+                    return { allowed: false, reason: `Disallowed HTTP method: ${method}` };
+                }
+                i++; // Skip next arg
+            }
+            if (arg.startsWith('http://') || arg.startsWith('https://')) {
+                const urlValidation = validateUrl(arg);
+                if (!urlValidation.valid) {
+                    return { allowed: false, reason: urlValidation.reason };
+                }
+            }
+        }
+        return { allowed: true };
+    }
+    // Reject shell metacharacters and the like in any argv entry. The Kali plugin
+    // never passes user input as a shell string, but defense-in-depth: if a wrapper
+    // is misused or extended, this catches the obvious injection shapes.
+    rejectShellMeta(args) {
+        const meta = /[;&|`$<>\n\r\\]/;
+        for (const arg of args) {
+            if (meta.test(arg)) {
+                return { allowed: false, reason: `Argument contains shell metacharacter: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateSqlmapArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set([
+            '-u', '--url', '--data', '--cookie', '--batch', '--random-agent',
+            '--level', '--risk', '--threads', '--dbs', '--tables', '--columns',
+            '--dump', '--current-user', '--current-db', '--is-dba',
+            '--technique', '--dbms', '--proxy', '--output-dir', '-r',
+        ]);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg) && !arg.startsWith('--level=') && !arg.startsWith('--risk=') && !arg.startsWith('--threads=')) {
+                return { allowed: false, reason: `Disallowed sqlmap option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateGobusterArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowedFirst = new Set(['dir', 'dns', 'fuzz', 'vhost', 's3', 'gcs']);
+        if (args.length === 0 || !allowedFirst.has(args[0])) {
+            return { allowed: false, reason: `gobuster requires mode (dir/dns/fuzz/vhost), got: ${args[0]}` };
+        }
+        const allowed = new Set(['-u', '--url', '-w', '--wordlist', '-t', '--threads', '-o', '--output', '-x', '--extensions', '-s', '--status-codes', '-k', '--no-tls-validation', '-d', '--domain', '--no-color', '-q', '--quiet']);
+        for (let i = 1; i < args.length; i++) {
+            const arg = args[i];
+            if (arg.startsWith('-') && !allowed.has(arg)) {
+                return { allowed: false, reason: `Disallowed gobuster option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateFfufArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['-u', '-w', '-t', '-o', '-of', '-mc', '-fc', '-fs', '-ms', '-X', '-H', '-d', '-recursion', '-p', '-c', '-v', '-s']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg)) {
+                return { allowed: false, reason: `Disallowed ffuf option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateFeroxbusterArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['-u', '--url', '-w', '--wordlist', '-t', '--threads', '-o', '--output', '-x', '--extensions', '-s', '--status-codes', '-k', '--insecure', '-d', '--depth', '-q', '--quiet', '-n', '--no-recursion']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg)) {
+                return { allowed: false, reason: `Disallowed feroxbuster option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateNiktoArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['-h', '-host', '-port', '-p', '-output', '-o', '-Format', '-Tuning', '-ssl', '-nossl', '-Plugins']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg)) {
+                return { allowed: false, reason: `Disallowed nikto option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateWpscanArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['--url', '-u', '--enumerate', '-e', '--api-token', '--random-user-agent', '--disable-tls-checks', '-o', '--output', '--format', '--plugins-detection', '--users-detection']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg) && !arg.startsWith('--enumerate=')) {
+                return { allowed: false, reason: `Disallowed wpscan option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateHydraArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['-l', '-L', '-p', '-P', '-t', '-s', '-S', '-f', '-V', '-v', '-o', '-e', '-u', '-C', '-M']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg)) {
+                return { allowed: false, reason: `Disallowed hydra option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateJohnArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        for (const arg of args) {
+            if (arg.startsWith('--') && !/^--(wordlist|format|rules|incremental|show|status|fork|session|pot)(=.+)?$/.test(arg)) {
+                return { allowed: false, reason: `Disallowed john option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateHashcatArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['-m', '-a', '-o', '--show', '--status', '-w', '-r', '--force', '-O', '--quiet', '--potfile-path']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg) && !/^-(m|a|w|O)\d+$/.test(arg)) {
+                return { allowed: false, reason: `Disallowed hashcat option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateMasscanArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['-p', '--ports', '--rate', '-oG', '-oJ', '-oX', '--banners', '-e', '--source-ip', '--exclude', '--excludefile']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg) && !arg.startsWith('--rate=')) {
+                return { allowed: false, reason: `Disallowed masscan option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateAmassArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowedFirst = new Set(['enum', 'intel', 'viz', 'track', 'db']);
+        if (args.length === 0 || !allowedFirst.has(args[0])) {
+            return { allowed: false, reason: `amass requires subcommand (enum/intel/viz/track/db)` };
+        }
+        const allowed = new Set(['-d', '-passive', '-active', '-brute', '-w', '-o', '-json', '-config', '-src', '-ip', '-cidr', '-asn']);
+        for (let i = 1; i < args.length; i++) {
+            const arg = args[i];
+            if (arg.startsWith('-') && !allowed.has(arg)) {
+                return { allowed: false, reason: `Disallowed amass option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+    validateSubfinderArgs(args) {
+        const meta = this.rejectShellMeta(args);
+        if (!meta.allowed)
+            return meta;
+        const allowed = new Set(['-d', '-domain', '-o', '-output', '-silent', '-all', '-recursive', '-t', '-timeout', '-nW', '-active']);
+        for (const arg of args) {
+            if (arg.startsWith('-') && !allowed.has(arg)) {
+                return { allowed: false, reason: `Disallowed subfinder option: ${arg}` };
+            }
+        }
+        return { allowed: true };
+    }
+}
+/**
+ * Security logger for audit trail
+ */
+export class SecurityLogger {
+    logFile;
+    constructor(logFile) {
+        this.logFile = logFile;
+    }
+    logSecurityEvent(event) {
+        const logEntry = {
+            ...event,
+            timestamp: event.timestamp.toISOString(),
+            ip: this.getClientIp()
+        };
+        // Keep security logging off the main console; emit via debug logger
+        logDebug(`[SECURITY] ${JSON.stringify(logEntry)}`);
+    }
+    getClientIp() {
+        // Placeholder for actual IP detection
+        return '127.0.0.1';
+    }
+}
+// Export singleton instances
+export const securityValidator = new SecurityPolicyValidator();
+export const securityLogger = new SecurityLogger();
+export const globalRateLimiter = new RateLimiter(100, 60000); // 100 requests per minute globally
+//# sourceMappingURL=securityUtils.js.map