@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/enterprise.js

@@ -1,300 +0,0 @@
-/**
- * Enterprise Module Index
- * 
- * All enterprise-grade features in one place:
- * - Proof Certificates
- * - Compliance Reporting (SOC2, HIPAA, PCI-DSS)
- * - Audit Logging
- * - Policy Enforcement
- * - SBOM Generation
- */
-
-"use strict";
-
-// Proof Certificates
-let proofCertificate;
-try {
-  proofCertificate = require("./proof-certificate");
-} catch (e) {
-  proofCertificate = null;
-}
-
-// Compliance Reporter
-let complianceReporter;
-try {
-  complianceReporter = require("./compliance-reporter");
-} catch (e) {
-  complianceReporter = null;
-}
-
-// Audit Logger
-let auditLogger;
-try {
-  auditLogger = require("./audit-logger");
-} catch (e) {
-  auditLogger = null;
-}
-
-// Policy Engine
-let policyEngine;
-try {
-  policyEngine = require("./policy-engine");
-} catch (e) {
-  policyEngine = null;
-}
-
-// SBOM Generator
-let sbomGenerator;
-try {
-  sbomGenerator = require("./sbom-generator");
-} catch (e) {
-  sbomGenerator = null;
-}
-
-/**
- * Check if all enterprise features are available
- */
-function isEnterpriseReady() {
-  return !!(
-    proofCertificate &&
-    complianceReporter &&
-    auditLogger &&
-    policyEngine &&
-    sbomGenerator
-  );
-}
-
-/**
- * Get list of available enterprise features
- */
-function getAvailableFeatures() {
-  const features = [];
-  
-  if (proofCertificate) {
-    features.push({
-      name: "Proof Certificates",
-      module: "proof-certificate",
-      description: "Cryptographic proof certificates with risk radar and pre-flight checklist",
-    });
-  }
-  
-  if (complianceReporter) {
-    features.push({
-      name: "Compliance Reporting",
-      module: "compliance-reporter",
-      description: "SOC 2, HIPAA, PCI-DSS compliance reports",
-    });
-  }
-  
-  if (auditLogger) {
-    features.push({
-      name: "Audit Logging",
-      module: "audit-logger",
-      description: "Tamper-evident audit logs with SIEM integration",
-    });
-  }
-  
-  if (policyEngine) {
-    features.push({
-      name: "Policy Enforcement",
-      module: "policy-engine",
-      description: "Custom security policies with override workflow",
-    });
-  }
-  
-  if (sbomGenerator) {
-    features.push({
-      name: "SBOM Generation",
-      module: "sbom-generator",
-      description: "CycloneDX and SPDX SBOMs with vulnerability correlation",
-    });
-  }
-  
-  return features;
-}
-
-/**
- * Run full enterprise scan
- */
-async function runEnterpriseScan(options = {}) {
-  const {
-    projectPath = process.cwd(),
-    findings = [],
-    proofGraph = null,
-    tier = "pro",
-    version = "1.0.0",
-  } = options;
-  
-  const results = {
-    certificate: null,
-    compliance: {},
-    audit: null,
-    policy: null,
-    sbom: null,
-  };
-  
-  // Generate Proof Certificate
-  if (proofCertificate) {
-    const path = require("path");
-    results.certificate = proofCertificate.generateProofCertificate({
-      projectPath,
-      projectName: path.basename(projectPath),
-      verdict: findings.some(f => f.severity === "critical") ? "BLOCK" :
-               findings.length > 5 ? "WARN" : "SHIP",
-      score: Math.max(0, 100 - findings.length * 5),
-      findings,
-      proofGraph,
-      duration: 0,
-      tier,
-      version,
-    });
-  }
-  
-  // Generate Compliance Reports
-  if (complianceReporter) {
-    results.compliance = {
-      soc2: complianceReporter.generateSOC2Report(findings, { projectName: path.basename(projectPath) }),
-      hipaa: complianceReporter.generateHIPAAReport(findings, { projectName: path.basename(projectPath) }),
-      pciDss: complianceReporter.generatePCIDSSReport(findings, { projectName: path.basename(projectPath) }),
-    };
-  }
-  
-  // Log audit event
-  if (auditLogger) {
-    const logger = auditLogger.getAuditLogger();
-    results.audit = logger.log("SCAN_COMPLETED", {
-      projectPath,
-      findingsCount: findings.length,
-      critical: findings.filter(f => f.severity === "critical").length,
-      high: findings.filter(f => f.severity === "high").length,
-    });
-  }
-  
-  // Evaluate policies
-  if (policyEngine) {
-    const engine = new policyEngine.PolicyEngine();
-    const policyResults = engine.evaluate({
-      findings,
-      summary: {
-        critical: findings.filter(f => f.severity === "critical").length,
-        high: findings.filter(f => f.severity === "high").length,
-        medium: findings.filter(f => f.severity === "warning" || f.severity === "medium").length,
-        low: findings.filter(f => f.severity === "suggestion" || f.severity === "low").length,
-      },
-      score: Math.max(0, 100 - findings.length * 5),
-    });
-    results.policy = engine.generateSummary(policyResults);
-  }
-  
-  // Generate SBOM
-  if (sbomGenerator) {
-    try {
-      const cycloneDX = sbomGenerator.generateCycloneDX(projectPath, { version });
-      results.sbom = {
-        cycloneDX,
-        summary: sbomGenerator.generateSBOMSummary(cycloneDX),
-      };
-    } catch (e) {
-      // SBOM generation may fail if no package.json
-      results.sbom = null;
-    }
-  }
-  
-  return results;
-}
-
-/**
- * Render enterprise dashboard for terminal
- */
-function renderEnterpriseDashboard(results) {
-  const lines = [];
-  
-  // Terminal UI
-  let terminalUI;
-  try {
-    terminalUI = require("./terminal-ui");
-  } catch {
-    terminalUI = {
-      c: { reset: "", bold: "", dim: "" },
-      rgb: () => "",
-    };
-  }
-  
-  const { c, rgb } = terminalUI;
-  const accent = rgb(0, 200, 255);
-  const success = rgb(0, 255, 150);
-  const warn = rgb(255, 200, 0);
-  const error = rgb(255, 80, 80);
-  
-  lines.push("");
-  lines.push(`  ${accent}╔${"═".repeat(62)}╗${c.reset}`);
-  lines.push(`  ${accent}║${c.reset}  ${c.bold}🏢 ENTERPRISE SECURITY DASHBOARD${c.reset}                            ${accent}║${c.reset}`);
-  lines.push(`  ${accent}╠${"═".repeat(62)}╣${c.reset}`);
-  
-  // Certificate
-  if (results.certificate) {
-    const cert = results.certificate.certificate;
-    const verdictColor = cert.verdict.status === "SHIP" ? success :
-                        cert.verdict.status === "WARN" ? warn : error;
-    lines.push(`  ${accent}║${c.reset}                                                              ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}  📜 ${c.bold}Proof Certificate${c.reset}                                        ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}     Verdict: ${verdictColor}${c.bold}${cert.verdict.status}${c.reset}  Score: ${cert.verdict.score}/100            ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}     ID: ${c.dim}${cert.shortCode}${c.reset}                                          ${accent}║${c.reset}`);
-  }
-  
-  // Compliance
-  if (results.compliance?.soc2) {
-    const soc2 = results.compliance.soc2;
-    const scoreColor = soc2.summary.complianceScore >= 80 ? success :
-                      soc2.summary.complianceScore >= 60 ? warn : error;
-    lines.push(`  ${accent}║${c.reset}                                                              ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}  📋 ${c.bold}Compliance Status${c.reset}                                         ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}     SOC 2: ${scoreColor}${soc2.summary.complianceScore}%${c.reset}  HIPAA: ${scoreColor}${results.compliance.hipaa?.summary.complianceScore || 0}%${c.reset}  PCI: ${scoreColor}${results.compliance.pciDss?.summary.complianceScore || 0}%${c.reset}   ${accent}║${c.reset}`);
-  }
-  
-  // Policy
-  if (results.policy) {
-    const actionColor = results.policy.finalAction === "allow" ? success :
-                       results.policy.finalAction === "warn" ? warn : error;
-    lines.push(`  ${accent}║${c.reset}                                                              ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}  🛡️  ${c.bold}Policy Enforcement${c.reset}                                        ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}     Action: ${actionColor}${results.policy.finalAction.toUpperCase()}${c.reset}  Violations: ${results.policy.blocked}          ${accent}║${c.reset}`);
-  }
-  
-  // SBOM
-  if (results.sbom) {
-    const vulnColor = results.sbom.summary.vulnerabilities.total > 0 ? error : success;
-    lines.push(`  ${accent}║${c.reset}                                                              ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}  📦 ${c.bold}Software Bill of Materials${c.reset}                                ${accent}║${c.reset}`);
-    lines.push(`  ${accent}║${c.reset}     Components: ${results.sbom.summary.totalComponents}  Vulnerabilities: ${vulnColor}${results.sbom.summary.vulnerabilities.total}${c.reset}     ${accent}║${c.reset}`);
-  }
-  
-  lines.push(`  ${accent}║${c.reset}                                                              ${accent}║${c.reset}`);
-  lines.push(`  ${accent}╚${"═".repeat(62)}╝${c.reset}`);
-  lines.push("");
-  
-  return lines.join("\n");
-}
-
-module.exports = {
-  // Proof Certificates
-  proofCertificate,
-  
-  // Compliance
-  complianceReporter,
-  
-  // Audit
-  auditLogger,
-  
-  // Policy
-  policyEngine,
-  
-  // SBOM
-  sbomGenerator,
-  
-  // Utilities
-  isEnterpriseReady,
-  getAvailableFeatures,
-  runEnterpriseScan,
-  renderEnterpriseDashboard,
-};

package/bin/runners/lib/firewall/command-validator.js

@@ -1,351 +0,0 @@
-/**
- * Command Validator
- * 
- * Validates shell commands against:
- * - Dangerous commands (rm -rf, curl | bash, etc.)
- * - System-modifying commands
- * - Database destructive operations
- * - Commands requiring confirmation
- */
-
-"use strict";
-
-/**
- * CommandValidator class for validating shell commands
- */
-class CommandValidator {
-  /**
-   * Create a command validator
-   * @param {object} config - Firewall configuration
-   */
-  constructor(config) {
-    this.config = config;
-    
-    // Extract command configuration
-    const commands = config.commands || {};
-    this.blockedCommands = commands.blocked || [];
-    this.requireConfirmation = commands.requireConfirmation || [];
-    
-    // Build blocked patterns
-    this.blockedPatterns = this.buildBlockedPatterns();
-  }
-  
-  /**
-   * Build regex patterns for blocked commands
-   * @returns {Array} Array of {pattern, name, severity} objects
-   */
-  buildBlockedPatterns() {
-    const patterns = [];
-    
-    // Destructive file operations
-    patterns.push({
-      pattern: /rm\s+(-[rf]+\s+)*[\/~\.]\s*$/i,
-      name: "destructive-rm",
-      severity: "critical",
-      message: "Destructive rm command detected",
-    });
-    
-    patterns.push({
-      pattern: /rm\s+-rf\s+\/(?!\w)/i,
-      name: "rm-root",
-      severity: "critical",
-      message: "Attempting to remove root directory",
-    });
-    
-    patterns.push({
-      pattern: /rmdir\s+\/s\s+\/q/i,
-      name: "rmdir-force",
-      severity: "critical",
-      message: "Windows recursive delete detected",
-    });
-    
-    // Remote code execution
-    patterns.push({
-      pattern: /curl\s+.*\|\s*(ba)?sh/i,
-      name: "curl-pipe-shell",
-      severity: "critical",
-      message: "Piping curl output to shell is dangerous",
-    });
-    
-    patterns.push({
-      pattern: /wget\s+.*\|\s*(ba)?sh/i,
-      name: "wget-pipe-shell",
-      severity: "critical",
-      message: "Piping wget output to shell is dangerous",
-    });
-    
-    patterns.push({
-      pattern: /curl\s+-s\s+.*\|\s*(ba)?sh/i,
-      name: "curl-silent-shell",
-      severity: "critical",
-      message: "Silent curl to shell is especially dangerous",
-    });
-    
-    // Dangerous permissions
-    patterns.push({
-      pattern: /chmod\s+777/i,
-      name: "chmod-777",
-      severity: "high",
-      message: "chmod 777 grants excessive permissions",
-    });
-    
-    patterns.push({
-      pattern: /chmod\s+\+s/i,
-      name: "setuid-bit",
-      severity: "critical",
-      message: "Setting setuid bit is dangerous",
-    });
-    
-    // Sudo operations
-    patterns.push({
-      pattern: /sudo\s+rm\s+-rf/i,
-      name: "sudo-rm-rf",
-      severity: "critical",
-      message: "sudo rm -rf is extremely dangerous",
-    });
-    
-    // Database operations
-    patterns.push({
-      pattern: /DROP\s+(DATABASE|TABLE|SCHEMA)/i,
-      name: "drop-database",
-      severity: "critical",
-      message: "DROP operation detected - data loss risk",
-    });
-    
-    patterns.push({
-      pattern: /TRUNCATE\s+TABLE/i,
-      name: "truncate-table",
-      severity: "high",
-      message: "TRUNCATE operation detected - data loss risk",
-    });
-    
-    patterns.push({
-      pattern: /DELETE\s+FROM\s+\w+\s*(?:WHERE\s+1\s*=\s*1)?$/i,
-      name: "delete-all",
-      severity: "high",
-      message: "DELETE without proper WHERE clause",
-    });
-    
-    // Git force operations
-    patterns.push({
-      pattern: /git\s+push\s+(-f|--force)/i,
-      name: "git-force-push",
-      severity: "high",
-      message: "Force push can overwrite remote history",
-    });
-    
-    patterns.push({
-      pattern: /git\s+push\s+.*\s+(main|master)\s*$/i,
-      name: "push-to-main",
-      severity: "warn",
-      message: "Direct push to main/master branch",
-    });
-    
-    patterns.push({
-      pattern: /git\s+reset\s+--hard/i,
-      name: "git-reset-hard",
-      severity: "high",
-      message: "Hard reset can lose uncommitted changes",
-    });
-    
-    // NPM/package operations
-    patterns.push({
-      pattern: /npm\s+publish\s*$/i,
-      name: "npm-publish",
-      severity: "warn",
-      message: "Publishing package - ensure this is intentional",
-    });
-    
-    // Eval and dynamic code
-    patterns.push({
-      pattern: /node\s+-e\s+['"]/i,
-      name: "node-eval",
-      severity: "warn",
-      message: "Inline Node.js code execution",
-    });
-    
-    patterns.push({
-      pattern: /python\s+-c\s+['"]/i,
-      name: "python-eval",
-      severity: "warn",
-      message: "Inline Python code execution",
-    });
-    
-    return patterns;
-  }
-  
-  /**
-   * Validate a shell command
-   * @param {object} params - Validation parameters
-   * @param {string} params.command - Command to validate
-   * @returns {object} Validation result
-   */
-  validate({ command }) {
-    // Skip if no command provided
-    if (!command) {
-      return { valid: true };
-    }
-    
-    // Normalize command
-    const normalizedCommand = command.trim();
-    
-    // Check against blocked patterns
-    for (const { pattern, name, severity, message } of this.blockedPatterns) {
-      if (pattern.test(normalizedCommand)) {
-        return {
-          valid: false,
-          rule: name,
-          severity,
-          message,
-          details: {
-            command: normalizedCommand,
-            matchedPattern: pattern.toString(),
-            suggestion: this.getSuggestion(name),
-          },
-        };
-      }
-    }
-    
-    // Check against user-configured blocked commands
-    for (const blocked of this.blockedCommands) {
-      if (normalizedCommand.toLowerCase().includes(blocked.toLowerCase())) {
-        return {
-          valid: false,
-          rule: "blocked-command",
-          severity: "high",
-          message: `Command matches blocked pattern: "${blocked}"`,
-          details: {
-            command: normalizedCommand,
-            blockedPattern: blocked,
-          },
-        };
-      }
-    }
-    
-    // Check for commands requiring confirmation
-    const needsConfirmation = this.checkRequiresConfirmation(normalizedCommand);
-    if (needsConfirmation) {
-      return {
-        valid: true,
-        requiresConfirmation: true,
-        rule: "requires-confirmation",
-        severity: "warn",
-        message: needsConfirmation.message,
-        details: {
-          command: normalizedCommand,
-          pattern: needsConfirmation.pattern,
-        },
-      };
-    }
-    
-    return { valid: true };
-  }
-  
-  /**
-   * Check if command requires confirmation
-   * @param {string} command - Command to check
-   * @returns {object|null} Confirmation requirement or null
-   */
-  checkRequiresConfirmation(command) {
-    const confirmPatterns = [
-      { pattern: /npm\s+install/i, message: "Installing npm packages" },
-      { pattern: /yarn\s+add/i, message: "Installing yarn packages" },
-      { pattern: /pnpm\s+add/i, message: "Installing pnpm packages" },
-      { pattern: /git\s+checkout/i, message: "Switching git branches" },
-      { pattern: /git\s+merge/i, message: "Merging git branches" },
-      { pattern: /git\s+rebase/i, message: "Rebasing git history" },
-      { pattern: /docker\s+run/i, message: "Running Docker container" },
-      { pattern: /kubectl\s+apply/i, message: "Applying Kubernetes config" },
-    ];
-    
-    for (const { pattern, message } of confirmPatterns) {
-      if (pattern.test(command)) {
-        return { pattern: pattern.toString(), message };
-      }
-    }
-    
-    // Check user-configured patterns
-    for (const userPattern of this.requireConfirmation) {
-      if (command.toLowerCase().includes(userPattern.toLowerCase())) {
-        return { 
-          pattern: userPattern, 
-          message: `Command matches confirmation pattern: "${userPattern}"` 
-        };
-      }
-    }
-    
-    return null;
-  }
-  
-  /**
-   * Get suggestion for how to fix a blocked command
-   * @param {string} ruleName - Name of the violated rule
-   * @returns {string} Suggestion text
-   */
-  getSuggestion(ruleName) {
-    const suggestions = {
-      "destructive-rm": "Use specific file paths instead of wildcards",
-      "rm-root": "Never remove root directory",
-      "curl-pipe-shell": "Download the script first, review it, then execute",
-      "wget-pipe-shell": "Download the script first, review it, then execute",
-      "chmod-777": "Use more restrictive permissions (e.g., 755 or 644)",
-      "sudo-rm-rf": "Be very specific about what you're removing",
-      "drop-database": "Use migrations for schema changes",
-      "truncate-table": "Use migrations for data changes",
-      "git-force-push": "Use --force-with-lease for safer force push",
-      "push-to-main": "Create a feature branch and open a PR",
-      "git-reset-hard": "Make sure you've committed or stashed changes first",
-      "npm-publish": "Review package contents with 'npm pack' first",
-    };
-    
-    return suggestions[ruleName] || "Review the command and consider safer alternatives";
-  }
-  
-  /**
-   * Analyze command for potential risks
-   * @param {string} command - Command to analyze
-   * @returns {object} Risk analysis
-   */
-  analyzeRisk(command) {
-    const result = this.validate({ command });
-    
-    if (!result.valid) {
-      return {
-        riskLevel: result.severity === "critical" ? "high" : "medium",
-        blocked: true,
-        reason: result.message,
-        details: result.details,
-      };
-    }
-    
-    if (result.requiresConfirmation) {
-      return {
-        riskLevel: "low",
-        blocked: false,
-        requiresConfirmation: true,
-        reason: result.message,
-      };
-    }
-    
-    return {
-      riskLevel: "none",
-      blocked: false,
-      requiresConfirmation: false,
-    };
-  }
-  
-  /**
-   * Get all blocked command patterns
-   * @returns {string[]} Blocked patterns
-   */
-  getBlockedPatterns() {
-    return [
-      ...this.blockedCommands,
-      ...this.blockedPatterns.map(p => p.pattern.toString()),
-    ];
-  }
-}
-
-module.exports = {
-  CommandValidator,
-};