@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/audit-logger.js

@@ -1,532 +0,0 @@
-/**
- * Enterprise Audit Logger
- * 
- * Comprehensive audit logging for:
- * - Security events
- * - Compliance tracking
- * - User actions
- * - System changes
- * - Evidence generation
- */
-
-"use strict";
-
-const crypto = require("crypto");
-const fs = require("fs");
-const path = require("path");
-const os = require("os");
-
-/**
- * Audit event categories
- */
-const AUDIT_CATEGORIES = {
-  SECURITY: "security",
-  COMPLIANCE: "compliance",
-  ACCESS: "access",
-  CHANGE: "change",
-  SYSTEM: "system",
-  USER: "user",
-  SCAN: "scan",
-  DEPLOY: "deploy",
-};
-
-/**
- * Audit event severity levels
- */
-const AUDIT_SEVERITY = {
-  CRITICAL: "critical",
-  HIGH: "high",
-  MEDIUM: "medium",
-  LOW: "low",
-  INFO: "info",
-};
-
-/**
- * Audit event types
- */
-const AUDIT_EVENTS = {
-  // Security events
-  SECRET_DETECTED: { category: AUDIT_CATEGORIES.SECURITY, severity: AUDIT_SEVERITY.CRITICAL },
-  VULNERABILITY_FOUND: { category: AUDIT_CATEGORIES.SECURITY, severity: AUDIT_SEVERITY.HIGH },
-  AUTH_FAILURE: { category: AUDIT_CATEGORIES.SECURITY, severity: AUDIT_SEVERITY.HIGH },
-  AUTH_SUCCESS: { category: AUDIT_CATEGORIES.SECURITY, severity: AUDIT_SEVERITY.INFO },
-  POLICY_VIOLATION: { category: AUDIT_CATEGORIES.SECURITY, severity: AUDIT_SEVERITY.HIGH },
-  
-  // Compliance events
-  SCAN_COMPLETED: { category: AUDIT_CATEGORIES.COMPLIANCE, severity: AUDIT_SEVERITY.INFO },
-  COMPLIANCE_CHECK: { category: AUDIT_CATEGORIES.COMPLIANCE, severity: AUDIT_SEVERITY.INFO },
-  CERTIFICATE_GENERATED: { category: AUDIT_CATEGORIES.COMPLIANCE, severity: AUDIT_SEVERITY.INFO },
-  REPORT_GENERATED: { category: AUDIT_CATEGORIES.COMPLIANCE, severity: AUDIT_SEVERITY.INFO },
-  
-  // Access events
-  API_KEY_CREATED: { category: AUDIT_CATEGORIES.ACCESS, severity: AUDIT_SEVERITY.MEDIUM },
-  API_KEY_REVOKED: { category: AUDIT_CATEGORIES.ACCESS, severity: AUDIT_SEVERITY.MEDIUM },
-  API_KEY_USED: { category: AUDIT_CATEGORIES.ACCESS, severity: AUDIT_SEVERITY.INFO },
-  PERMISSION_CHANGED: { category: AUDIT_CATEGORIES.ACCESS, severity: AUDIT_SEVERITY.MEDIUM },
-  
-  // Change events
-  CONFIG_CHANGED: { category: AUDIT_CATEGORIES.CHANGE, severity: AUDIT_SEVERITY.MEDIUM },
-  POLICY_CHANGED: { category: AUDIT_CATEGORIES.CHANGE, severity: AUDIT_SEVERITY.MEDIUM },
-  RULE_ADDED: { category: AUDIT_CATEGORIES.CHANGE, severity: AUDIT_SEVERITY.LOW },
-  RULE_REMOVED: { category: AUDIT_CATEGORIES.CHANGE, severity: AUDIT_SEVERITY.MEDIUM },
-  
-  // System events
-  CLI_STARTED: { category: AUDIT_CATEGORIES.SYSTEM, severity: AUDIT_SEVERITY.INFO },
-  CLI_COMPLETED: { category: AUDIT_CATEGORIES.SYSTEM, severity: AUDIT_SEVERITY.INFO },
-  ERROR_OCCURRED: { category: AUDIT_CATEGORIES.SYSTEM, severity: AUDIT_SEVERITY.HIGH },
-  
-  // User events
-  FIX_APPLIED: { category: AUDIT_CATEGORIES.USER, severity: AUDIT_SEVERITY.MEDIUM },
-  FINDING_SUPPRESSED: { category: AUDIT_CATEGORIES.USER, severity: AUDIT_SEVERITY.LOW },
-  OVERRIDE_REQUESTED: { category: AUDIT_CATEGORIES.USER, severity: AUDIT_SEVERITY.MEDIUM },
-  OVERRIDE_APPROVED: { category: AUDIT_CATEGORIES.USER, severity: AUDIT_SEVERITY.MEDIUM },
-  
-  // Scan events
-  SCAN_STARTED: { category: AUDIT_CATEGORIES.SCAN, severity: AUDIT_SEVERITY.INFO },
-  FINDING_DETECTED: { category: AUDIT_CATEGORIES.SCAN, severity: AUDIT_SEVERITY.INFO },
-  VERDICT_ISSUED: { category: AUDIT_CATEGORIES.SCAN, severity: AUDIT_SEVERITY.INFO },
-  
-  // Deploy events
-  DEPLOY_BLOCKED: { category: AUDIT_CATEGORIES.DEPLOY, severity: AUDIT_SEVERITY.HIGH },
-  DEPLOY_APPROVED: { category: AUDIT_CATEGORIES.DEPLOY, severity: AUDIT_SEVERITY.INFO },
-  GATE_CHECK_FAILED: { category: AUDIT_CATEGORIES.DEPLOY, severity: AUDIT_SEVERITY.HIGH },
-  GATE_CHECK_PASSED: { category: AUDIT_CATEGORIES.DEPLOY, severity: AUDIT_SEVERITY.INFO },
-};
-
-/**
- * Audit log entry structure
- */
-class AuditEntry {
-  constructor(eventType, data = {}) {
-    const eventConfig = AUDIT_EVENTS[eventType] || { 
-      category: AUDIT_CATEGORIES.SYSTEM, 
-      severity: AUDIT_SEVERITY.INFO 
-    };
-    
-    this.id = crypto.randomUUID();
-    this.timestamp = new Date().toISOString();
-    this.eventType = eventType;
-    this.category = eventConfig.category;
-    this.severity = eventConfig.severity;
-    this.data = data;
-    this.context = this.buildContext();
-    this.hash = null;
-    
-    // Generate tamper-evident hash
-    this.hash = this.generateHash();
-  }
-  
-  buildContext() {
-    return {
-      hostname: os.hostname(),
-      platform: os.platform(),
-      arch: os.arch(),
-      nodeVersion: process.version,
-      pid: process.pid,
-      cwd: process.cwd(),
-      user: os.userInfo().username,
-      environment: process.env.NODE_ENV || "development",
-    };
-  }
-  
-  generateHash() {
-    const content = JSON.stringify({
-      id: this.id,
-      timestamp: this.timestamp,
-      eventType: this.eventType,
-      category: this.category,
-      data: this.data,
-    });
-    return crypto.createHash("sha256").update(content).digest("hex").substring(0, 16);
-  }
-  
-  toJSON() {
-    return {
-      id: this.id,
-      timestamp: this.timestamp,
-      eventType: this.eventType,
-      category: this.category,
-      severity: this.severity,
-      data: this.data,
-      context: this.context,
-      hash: this.hash,
-    };
-  }
-}
-
-/**
- * Audit logger class
- */
-class AuditLogger {
-  constructor(options = {}) {
-    this.options = {
-      logDir: options.logDir || path.join(process.cwd(), ".vibecheck", "audit"),
-      maxLogSize: options.maxLogSize || 10 * 1024 * 1024, // 10MB
-      maxLogFiles: options.maxLogFiles || 30,
-      enableConsole: options.enableConsole !== false,
-      enableFile: options.enableFile !== false,
-      enableRemote: options.enableRemote || false,
-      remoteEndpoint: options.remoteEndpoint,
-      encryptLogs: options.encryptLogs || false,
-      encryptionKey: options.encryptionKey,
-    };
-    
-    this.sessionId = crypto.randomUUID();
-    this.entryCount = 0;
-    this.previousHash = null;
-    
-    if (this.options.enableFile) {
-      this.ensureLogDir();
-    }
-  }
-  
-  ensureLogDir() {
-    if (!fs.existsSync(this.options.logDir)) {
-      fs.mkdirSync(this.options.logDir, { recursive: true });
-    }
-  }
-  
-  /**
-   * Log an audit event
-   */
-  log(eventType, data = {}) {
-    const entry = new AuditEntry(eventType, {
-      ...data,
-      sessionId: this.sessionId,
-      entryNumber: ++this.entryCount,
-      previousHash: this.previousHash,
-    });
-    
-    this.previousHash = entry.hash;
-    
-    // Write to various destinations
-    if (this.options.enableFile) {
-      this.writeToFile(entry);
-    }
-    
-    if (this.options.enableRemote) {
-      this.sendToRemote(entry);
-    }
-    
-    return entry;
-  }
-  
-  /**
-   * Log security event
-   */
-  security(eventType, data = {}) {
-    return this.log(eventType, { ...data, _auditCategory: AUDIT_CATEGORIES.SECURITY });
-  }
-  
-  /**
-   * Log compliance event
-   */
-  compliance(eventType, data = {}) {
-    return this.log(eventType, { ...data, _auditCategory: AUDIT_CATEGORIES.COMPLIANCE });
-  }
-  
-  /**
-   * Log access event
-   */
-  access(eventType, data = {}) {
-    return this.log(eventType, { ...data, _auditCategory: AUDIT_CATEGORIES.ACCESS });
-  }
-  
-  /**
-   * Write entry to log file
-   */
-  writeToFile(entry) {
-    const date = new Date().toISOString().split("T")[0];
-    const logFile = path.join(this.options.logDir, `audit-${date}.jsonl`);
-    
-    let line = JSON.stringify(entry.toJSON()) + "\n";
-    
-    if (this.options.encryptLogs && this.options.encryptionKey) {
-      line = this.encryptLine(line);
-    }
-    
-    try {
-      fs.appendFileSync(logFile, line);
-      this.rotateLogsIfNeeded();
-    } catch (error) {
-      console.error("Failed to write audit log:", error.message);
-    }
-  }
-  
-  /**
-   * Encrypt a log line
-   */
-  encryptLine(line) {
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv("aes-256-gcm", this.options.encryptionKey, iv);
-    let encrypted = cipher.update(line, "utf8", "hex");
-    encrypted += cipher.final("hex");
-    const tag = cipher.getAuthTag();
-    return JSON.stringify({
-      iv: iv.toString("hex"),
-      tag: tag.toString("hex"),
-      data: encrypted,
-    }) + "\n";
-  }
-  
-  /**
-   * Send entry to remote endpoint
-   */
-  async sendToRemote(entry) {
-    if (!this.options.remoteEndpoint) return;
-    
-    try {
-      const response = await fetch(this.options.remoteEndpoint, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-        },
-        body: JSON.stringify(entry.toJSON()),
-      });
-      
-      if (!response.ok) {
-        console.error("Failed to send audit log to remote:", response.status);
-      }
-    } catch (error) {
-      console.error("Failed to send audit log to remote:", error.message);
-    }
-  }
-  
-  /**
-   * Rotate log files if needed
-   */
-  rotateLogsIfNeeded() {
-    try {
-      const files = fs.readdirSync(this.options.logDir)
-        .filter(f => f.startsWith("audit-") && f.endsWith(".jsonl"))
-        .sort()
-        .reverse();
-      
-      // Remove old files
-      while (files.length > this.options.maxLogFiles) {
-        const oldFile = files.pop();
-        fs.unlinkSync(path.join(this.options.logDir, oldFile));
-      }
-    } catch (error) {
-      // Ignore rotation errors
-    }
-  }
-  
-  /**
-   * Query audit logs
-   */
-  query(options = {}) {
-    const {
-      startDate,
-      endDate,
-      eventTypes,
-      categories,
-      severities,
-      limit = 1000,
-    } = options;
-    
-    const results = [];
-    const files = fs.readdirSync(this.options.logDir)
-      .filter(f => f.startsWith("audit-") && f.endsWith(".jsonl"))
-      .sort()
-      .reverse();
-    
-    for (const file of files) {
-      const filePath = path.join(this.options.logDir, file);
-      const content = fs.readFileSync(filePath, "utf-8");
-      const lines = content.trim().split("\n");
-      
-      for (const line of lines) {
-        if (results.length >= limit) break;
-        
-        try {
-          const entry = JSON.parse(line);
-          
-          // Apply filters
-          if (startDate && new Date(entry.timestamp) < new Date(startDate)) continue;
-          if (endDate && new Date(entry.timestamp) > new Date(endDate)) continue;
-          if (eventTypes && !eventTypes.includes(entry.eventType)) continue;
-          if (categories && !categories.includes(entry.category)) continue;
-          if (severities && !severities.includes(entry.severity)) continue;
-          
-          results.push(entry);
-        } catch {
-          // Skip malformed lines
-        }
-      }
-      
-      if (results.length >= limit) break;
-    }
-    
-    return results;
-  }
-  
-  /**
-   * Verify audit log integrity
-   */
-  verifyIntegrity() {
-    const results = {
-      verified: 0,
-      failed: 0,
-      gaps: 0,
-      issues: [],
-    };
-    
-    const files = fs.readdirSync(this.options.logDir)
-      .filter(f => f.startsWith("audit-") && f.endsWith(".jsonl"))
-      .sort();
-    
-    let previousHash = null;
-    
-    for (const file of files) {
-      const filePath = path.join(this.options.logDir, file);
-      const content = fs.readFileSync(filePath, "utf-8");
-      const lines = content.trim().split("\n");
-      
-      for (const line of lines) {
-        try {
-          const entry = JSON.parse(line);
-          
-          // Verify hash
-          const expectedHash = crypto.createHash("sha256")
-            .update(JSON.stringify({
-              id: entry.id,
-              timestamp: entry.timestamp,
-              eventType: entry.eventType,
-              category: entry.category,
-              data: entry.data,
-            }))
-            .digest("hex")
-            .substring(0, 16);
-          
-          if (entry.hash !== expectedHash) {
-            results.failed++;
-            results.issues.push({
-              id: entry.id,
-              issue: "hash_mismatch",
-              expected: expectedHash,
-              actual: entry.hash,
-            });
-          } else {
-            results.verified++;
-          }
-          
-          // Verify chain
-          if (entry.data?.previousHash && entry.data.previousHash !== previousHash) {
-            results.gaps++;
-            results.issues.push({
-              id: entry.id,
-              issue: "chain_break",
-              expected: previousHash,
-              actual: entry.data.previousHash,
-            });
-          }
-          
-          previousHash = entry.hash;
-        } catch {
-          results.failed++;
-        }
-      }
-    }
-    
-    return results;
-  }
-  
-  /**
-   * Export audit logs for compliance
-   */
-  exportForCompliance(options = {}) {
-    const { format = "json", startDate, endDate } = options;
-    const entries = this.query({ startDate, endDate, limit: Infinity });
-    
-    if (format === "json") {
-      return JSON.stringify(entries, null, 2);
-    }
-    
-    if (format === "csv") {
-      const headers = ["id", "timestamp", "eventType", "category", "severity", "hash"];
-      const rows = entries.map(e => [
-        e.id,
-        e.timestamp,
-        e.eventType,
-        e.category,
-        e.severity,
-        e.hash,
-      ]);
-      return [headers.join(","), ...rows.map(r => r.join(","))].join("\n");
-    }
-    
-    if (format === "siem") {
-      // Common Event Format (CEF) for SIEM integration
-      return entries.map(e => {
-        const severity = { critical: 10, high: 7, medium: 4, low: 2, info: 1 }[e.severity] || 1;
-        return `CEF:0|VibeCheck|CLI|1.0|${e.eventType}|${e.eventType}|${severity}|rt=${new Date(e.timestamp).getTime()} src=${e.context?.hostname} suser=${e.context?.user}`;
-      }).join("\n");
-    }
-    
-    return JSON.stringify(entries);
-  }
-  
-  /**
-   * Get audit statistics
-   */
-  getStatistics(days = 30) {
-    const startDate = new Date(Date.now() - days * 24 * 60 * 60 * 1000).toISOString();
-    const entries = this.query({ startDate });
-    
-    const stats = {
-      totalEvents: entries.length,
-      byCategory: {},
-      bySeverity: {},
-      byEventType: {},
-      dailyTrend: {},
-    };
-    
-    for (const entry of entries) {
-      // By category
-      stats.byCategory[entry.category] = (stats.byCategory[entry.category] || 0) + 1;
-      
-      // By severity
-      stats.bySeverity[entry.severity] = (stats.bySeverity[entry.severity] || 0) + 1;
-      
-      // By event type
-      stats.byEventType[entry.eventType] = (stats.byEventType[entry.eventType] || 0) + 1;
-      
-      // Daily trend
-      const date = entry.timestamp.split("T")[0];
-      stats.dailyTrend[date] = (stats.dailyTrend[date] || 0) + 1;
-    }
-    
-    return stats;
-  }
-}
-
-// Singleton instance
-let _instance = null;
-
-/**
- * Get or create audit logger instance
- */
-function getAuditLogger(options = {}) {
-  if (!_instance) {
-    _instance = new AuditLogger(options);
-  }
-  return _instance;
-}
-
-/**
- * Quick log helper
- */
-function auditLog(eventType, data = {}) {
-  return getAuditLogger().log(eventType, data);
-}
-
-module.exports = {
-  AuditLogger,
-  AuditEntry,
-  getAuditLogger,
-  auditLog,
-  AUDIT_CATEGORIES,
-  AUDIT_SEVERITY,
-  AUDIT_EVENTS,
-};