@wardnmesh/sdk-node 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/dist/detectors/base.d.ts +18 -20
  2. package/dist/detectors/base.js +50 -49
  3. package/dist/detectors/sequence.js +20 -3
  4. package/dist/detectors/state.d.ts +1 -0
  5. package/dist/detectors/state.js +39 -66
  6. package/dist/utils/safe-regex.d.ts +9 -0
  7. package/dist/utils/safe-regex.js +43 -10
  8. package/dist/wardn.d.ts +1 -13
  9. package/dist/wardn.js +11 -45
  10. package/package.json +2 -2
package/dist/detectors/base.d.ts CHANGED
@@ -1,35 +1,33 @@
1
1
  import { ToolData, Violation, Rule, Detector, StateProvider, DetectorType, ThreatAction } from '../types';
2
2
  /**
3
- * Abstract base detector class
3
+ * Map rule severity to recommended action, with optional rule action override.
4
4
  *
5
+ * Default mapping:
6
+ * - critical -> block (immediate threat)
7
+ * - high -> confirm (needs user approval)
8
+ * - medium -> warn (notify but allow)
9
+ * - low -> log (record only)
10
+ *
11
+ * Rules can override default mapping via rule.action.
12
+ */
13
+ export declare function mapSeverityToAction(rule: Rule): ThreatAction;
14
+ /**
15
+ * Map rule category to scope description.
16
+ */
17
+ export declare function mapCategoryToScope(category: string): string;
18
+ /**
19
+ * Abstract base detector class.
5
20
  * Provides common functionality for all detectors.
6
21
  */
7
22
  export declare abstract class BaseDetector implements Detector {
8
23
  abstract detect(toolData: ToolData, rule: Rule, sessionState: StateProvider): Violation | null;
9
24
  abstract getType(): DetectorType | string;
10
25
  /**
11
- * Generate unique violation ID
26
+ * Generate unique violation ID using cryptographically secure random.
12
27
  */
13
28
  protected generateViolationId(): string;
14
29
  /**
15
- * v0.4.0: Map severity to recommended action, with optional rule action override
16
- *
17
- * Default mapping:
18
- * - critical → block (immediate threat)
19
- * - high → confirm (needs user approval)
20
- * - medium → warn (notify but allow)
21
- * - low → log (record only)
22
- *
23
- * Rules can override default mapping via rule.action
24
- */
25
- protected getRecommendedActionForSeverity(rule: Rule): ThreatAction;
26
- /**
27
- * v0.3.0: Determine scope description based on rule category
28
- */
29
- protected getScopeForCategory(category: string): string;
30
- /**
31
- * Create violation object
32
- * v0.4.0: Use rule.action override for recommendedAction
30
+ * Create violation object with standardized structure.
33
31
  */
34
32
  protected createViolation(rule: Rule, toolData: ToolData, additionalInfo?: Record<string, unknown>): Violation;
35
33
  /**
package/dist/detectors/base.js CHANGED
@@ -1,62 +1,64 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.BaseDetector = void 0;
4
+ exports.mapSeverityToAction = mapSeverityToAction;
5
+ exports.mapCategoryToScope = mapCategoryToScope;
6
+ const crypto_1 = require("crypto");
4
7
  /**
5
- * Abstract base detector class
8
+ * Map rule severity to recommended action, with optional rule action override.
6
9
  *
10
+ * Default mapping:
11
+ * - critical -> block (immediate threat)
12
+ * - high -> confirm (needs user approval)
13
+ * - medium -> warn (notify but allow)
14
+ * - low -> log (record only)
15
+ *
16
+ * Rules can override default mapping via rule.action.
17
+ */
18
+ function mapSeverityToAction(rule) {
19
+ if (rule.action) {
20
+ return rule.action;
21
+ }
22
+ switch (rule.severity) {
23
+ case 'critical': return 'block';
24
+ case 'high': return 'confirm';
25
+ case 'medium': return 'warn';
26
+ case 'low': return 'log';
27
+ default: return 'block';
28
+ }
29
+ }
30
+ /**
31
+ * Map rule category to scope description.
32
+ */
33
+ function mapCategoryToScope(category) {
34
+ switch (category) {
35
+ case 'workflow': return 'Workflow safety';
36
+ case 'quality': return 'Code quality';
37
+ case 'safety': return 'Security';
38
+ case 'network_boundary': return 'Network access';
39
+ case 'supply_chain': return 'Supply chain';
40
+ default: return 'Security violation';
41
+ }
42
+ }
43
+ /**
44
+ * Abstract base detector class.
7
45
  * Provides common functionality for all detectors.
8
46
  */
9
47
  class BaseDetector {
10
48
  /**
11
- * Generate unique violation ID
49
+ * Generate unique violation ID using cryptographically secure random.
12
50
  */
13
51
  generateViolationId() {
14
- // Note: Using substring() instead of deprecated substr()
15
- return `violation_${Date.now()}_${Math.random().toString(36).substring(2, 11)}`;
16
- }
17
- /**
18
- * v0.4.0: Map severity to recommended action, with optional rule action override
19
- *
20
- * Default mapping:
21
- * - critical → block (immediate threat)
22
- * - high → confirm (needs user approval)
23
- * - medium → warn (notify but allow)
24
- * - low → log (record only)
25
- *
26
- * Rules can override default mapping via rule.action
27
- */
28
- getRecommendedActionForSeverity(rule) {
29
- // Rule action override takes precedence
30
- if (rule.action) {
31
- return rule.action;
32
- }
33
- // Default severity-to-action mapping
34
- switch (rule.severity) {
35
- case 'critical': return 'block';
36
- case 'high': return 'confirm'; // v0.4.0: Changed from 'warn' to 'confirm'
37
- case 'medium': return 'warn';
38
- case 'low': return 'log';
39
- default: return 'block';
40
- }
41
- }
42
- /**
43
- * v0.3.0: Determine scope description based on rule category
44
- */
45
- getScopeForCategory(category) {
46
- switch (category) {
47
- case 'workflow': return 'Workflow safety';
48
- case 'quality': return 'Code quality';
49
- case 'safety': return 'Security';
50
- case 'network_boundary': return 'Network access';
51
- case 'supply_chain': return 'Supply chain';
52
- default: return 'Security violation';
53
- }
52
+ return `violation_${(0, crypto_1.randomUUID)()}`;
54
53
  }
55
54
  /**
56
- * Create violation object
57
- * v0.4.0: Use rule.action override for recommendedAction
55
+ * Create violation object with standardized structure.
58
56
  */
59
57
  createViolation(rule, toolData, additionalInfo) {
58
+ const filePath = (toolData.parameters.file_path ||
59
+ toolData.parameters.TargetFile ||
60
+ toolData.parameters.AbsolutePath ||
61
+ toolData.parameters.path);
60
62
  return {
61
63
  id: this.generateViolationId(),
62
64
  ruleId: rule.id,
@@ -66,13 +68,12 @@ class BaseDetector {
66
68
  context: {
67
69
  toolName: toolData.toolName,
68
70
  toolData,
69
- filePath: (toolData.parameters.file_path || toolData.parameters.TargetFile || toolData.parameters.AbsolutePath || toolData.parameters.path),
70
- additionalInfo
71
+ filePath,
72
+ additionalInfo,
71
73
  },
72
74
  timestamp: new Date().toISOString(),
73
- // v0.4.0: Support rule.action override
74
- recommendedAction: this.getRecommendedActionForSeverity(rule),
75
- scope: this.getScopeForCategory(rule.category)
75
+ recommendedAction: mapSeverityToAction(rule),
76
+ scope: mapCategoryToScope(rule.category),
76
77
  };
77
78
  }
78
79
  /**
package/dist/detectors/sequence.js CHANGED
@@ -2,6 +2,7 @@
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.SequenceDetector = void 0;
4
4
  const base_1 = require("./base");
5
+ const safe_regex_1 = require("../utils/safe-regex");
5
6
  class SequenceDetector extends base_1.BaseDetector {
6
7
  getType() {
7
8
  return 'sequence';
@@ -60,7 +61,12 @@ class SequenceDetector extends base_1.BaseDetector {
60
61
  }
61
62
  if (step.matchesPattern) {
62
63
  const currentValue = this.extractValue(currentTool, step.extractPath);
63
- const regex = new RegExp(step.matchesPattern);
64
+ // SECURITY FIX Round 16: Use getCachedRegex for ReDoS protection
65
+ const regex = (0, safe_regex_1.getCachedRegex)(step.matchesPattern);
66
+ if (!regex) {
67
+ // Invalid or unsafe pattern - skip this check
68
+ return { matched: true };
69
+ }
64
70
  if (typeof currentValue === 'string' && !regex.test(currentValue)) {
65
71
  return {
66
72
  matched: false,
@@ -103,7 +109,12 @@ class SequenceDetector extends base_1.BaseDetector {
103
109
  }
104
110
  }
105
111
  if (step.matchesPattern) {
106
- const regex = new RegExp(step.matchesPattern);
112
+ // SECURITY FIX Round 16: Use getCachedRegex for ReDoS protection
113
+ const regex = (0, safe_regex_1.getCachedRegex)(step.matchesPattern);
114
+ if (!regex) {
115
+ // Invalid or unsafe pattern - skip this tool
116
+ continue;
117
+ }
107
118
  if (typeof value === 'string' && !regex.test(value)) {
108
119
  continue;
109
120
  }
@@ -123,7 +134,13 @@ class SequenceDetector extends base_1.BaseDetector {
123
134
  }
124
135
  if (lastStep.matchesPattern) {
125
136
  const val = this.extractValue(toolData, lastStep.extractPath);
126
- if (typeof val === 'string' && !new RegExp(lastStep.matchesPattern).test(val)) {
137
+ // SECURITY FIX Round 16: Use getCachedRegex for ReDoS protection
138
+ const regex = (0, safe_regex_1.getCachedRegex)(lastStep.matchesPattern);
139
+ if (!regex) {
140
+ // Invalid or unsafe pattern - skip this check (allow through)
141
+ return null;
142
+ }
143
+ if (typeof val === 'string' && !regex.test(val)) {
127
144
  return null;
128
145
  }
129
146
  }
package/dist/detectors/state.d.ts CHANGED
@@ -5,4 +5,5 @@ export declare class StateDetector extends BaseDetector {
5
5
  detect(toolData: ToolData, rule: Rule, sessionState: StateProvider): Violation | null;
6
6
  private isTriggerEvent;
7
7
  private updateStateFromTool;
8
+ private setStateWithTimestamp;
8
9
  }
package/dist/detectors/state.js CHANGED
@@ -2,6 +2,7 @@
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.StateDetector = void 0;
4
4
  const base_1 = require("./base");
5
+ const safe_regex_1 = require("../utils/safe-regex");
5
6
  class StateDetector extends base_1.BaseDetector {
6
7
  getType() {
7
8
  return 'state';
@@ -9,84 +10,56 @@ class StateDetector extends base_1.BaseDetector {
9
10
  detect(toolData, rule, sessionState) {
10
11
  const config = rule.detector.config;
11
12
  this.updateStateFromTool(config, toolData, sessionState);
12
- if (this.isTriggerEvent(config, toolData)) {
13
- const currentState = sessionState.getCustomState(config.requiredState);
14
- if (currentState !== config.targetStateValue) {
15
- return {
16
- id: this.generateViolationId(),
17
- ruleId: rule.id,
18
- ruleName: rule.name,
19
- severity: rule.severity,
20
- timestamp: new Date().toISOString(),
21
- description: rule.description,
22
- context: {
23
- toolName: toolData.toolName,
24
- toolData: toolData,
25
- additionalInfo: {
26
- message: `Required state '${config.requiredState}' is '${currentState || 'undefined'}', expected '${config.targetStateValue}'.`
27
- }
28
- },
29
- // v0.4.0: Support rule.action override
30
- recommendedAction: this.getRecommendedActionForSeverity(rule),
31
- scope: this.getScopeForCategory(rule.category)
32
- };
33
- }
34
- if (config.stateDerivation?.validityDurationMs) {
35
- const lastUpdate = sessionState.getCustomState(`${config.requiredState}_timestamp`);
36
- if (lastUpdate && typeof lastUpdate === 'string') {
37
- const timeDiff = new Date().getTime() - new Date(lastUpdate).getTime();
38
- if (timeDiff > config.stateDerivation.validityDurationMs) {
39
- return {
40
- id: this.generateViolationId(),
41
- ruleId: rule.id,
42
- ruleName: rule.name,
43
- severity: rule.severity,
44
- timestamp: new Date().toISOString(),
45
- description: rule.description,
46
- context: {
47
- toolName: toolData.toolName,
48
- toolData: toolData,
49
- additionalInfo: {
50
- message: `Required state '${config.requiredState}' has expired (last verified ${Math.floor(timeDiff / 1000)}s ago).`
51
- }
52
- },
53
- // v0.4.0: Support rule.action override
54
- recommendedAction: this.getRecommendedActionForSeverity(rule),
55
- scope: this.getScopeForCategory(rule.category)
56
- };
57
- }
13
+ if (!this.isTriggerEvent(config, toolData)) {
14
+ return null;
15
+ }
16
+ const currentState = sessionState.getCustomState(config.requiredState);
17
+ if (currentState !== config.targetStateValue) {
18
+ const message = `Required state '${config.requiredState}' is '${currentState ?? 'undefined'}', expected '${config.targetStateValue}'.`;
19
+ return this.createViolation(rule, toolData, { message });
20
+ }
21
+ if (config.stateDerivation?.validityDurationMs) {
22
+ const lastUpdate = sessionState.getCustomState(`${config.requiredState}_timestamp`);
23
+ if (lastUpdate && typeof lastUpdate === 'string') {
24
+ const timeDiff = Date.now() - new Date(lastUpdate).getTime();
25
+ if (timeDiff > config.stateDerivation.validityDurationMs) {
26
+ const message = `Required state '${config.requiredState}' has expired (last verified ${Math.floor(timeDiff / 1000)}s ago).`;
27
+ return this.createViolation(rule, toolData, { message });
58
28
  }
59
29
  }
60
30
  }
61
31
  return null;
62
32
  }
63
33
  isTriggerEvent(config, toolData) {
64
- if (toolData.toolName !== config.trigger.tool)
34
+ if (toolData.toolName !== config.trigger.tool) {
35
+ return false;
36
+ }
37
+ if (!config.trigger.parameterMatch) {
38
+ return true;
39
+ }
40
+ const paramValue = this.extractValue(toolData.parameters, config.trigger.parameterMatch.key);
41
+ if (!paramValue || typeof paramValue !== 'string') {
65
42
  return false;
66
- if (config.trigger.parameterMatch) {
67
- const paramValue = this.extractValue(toolData.parameters, config.trigger.parameterMatch.key);
68
- if (!paramValue || typeof paramValue !== 'string')
69
- return false;
70
- const regex = new RegExp(config.trigger.parameterMatch.valuePattern, 'i');
71
- return regex.test(paramValue);
72
43
  }
73
- return true;
44
+ const regex = (0, safe_regex_1.getCachedRegex)(config.trigger.parameterMatch.valuePattern, 'i');
45
+ return regex ? regex.test(paramValue) : false;
74
46
  }
75
47
  updateStateFromTool(config, toolData, sessionState) {
76
- if (config.stateDerivation && toolData.toolName === config.stateDerivation.fromTool) {
77
- // Heuristic check for 'test' in command line if it's run_command
78
- if (toolData.toolName === 'run_command' && toolData.parameters.CommandLine) {
79
- const commandLine = toolData.parameters.CommandLine;
80
- if (commandLine.includes('test') || commandLine.includes('vitest')) {
81
- sessionState.setCustomState(config.stateDerivation.setState, config.stateDerivation.setValue);
82
- sessionState.setCustomState(`${config.stateDerivation.setState}_timestamp`, new Date().toISOString());
83
- }
84
- }
85
- else {
86
- sessionState.setCustomState(config.stateDerivation.setState, config.stateDerivation.setValue);
87
- sessionState.setCustomState(`${config.stateDerivation.setState}_timestamp`, new Date().toISOString());
48
+ if (!config.stateDerivation || toolData.toolName !== config.stateDerivation.fromTool) {
49
+ return;
50
+ }
51
+ // For run_command tool, only update state if command contains test keywords
52
+ if (toolData.toolName === 'run_command' && toolData.parameters.CommandLine) {
53
+ const commandLine = toolData.parameters.CommandLine;
54
+ if (!commandLine.includes('test') && !commandLine.includes('vitest')) {
55
+ return;
88
56
  }
89
57
  }
58
+ this.setStateWithTimestamp(sessionState, config.stateDerivation.setState, config.stateDerivation.setValue);
59
+ }
60
+ setStateWithTimestamp(sessionState, key, value) {
61
+ sessionState.setCustomState(key, value);
62
+ sessionState.setCustomState(`${key}_timestamp`, new Date().toISOString());
90
63
  }
91
64
  }
92
65
  exports.StateDetector = StateDetector;
package/dist/utils/safe-regex.d.ts CHANGED
@@ -51,3 +51,12 @@ export declare function safeRegexExec(regex: RegExp, content: string, maxLength?
51
51
  * Safe regex test with content length limit
52
52
  */
53
53
  export declare function safeRegexTest(regex: RegExp, content: string, maxLength?: number): boolean;
54
+ /**
55
+ * Create a safe regex with validation
56
+ * Throws error if pattern is unsafe
57
+ */
58
+ export declare function createSafeRegex(pattern: string, flags?: string): RegExp;
59
+ /**
60
+ * Validate multiple regex patterns
61
+ */
62
+ export declare function validateRegexPatterns(patterns: string[]): RegexValidationResult;
package/dist/utils/safe-regex.js CHANGED
@@ -12,18 +12,23 @@ exports.resetPatternErrorMetrics = resetPatternErrorMetrics;
12
12
  exports.getCachedRegex = getCachedRegex;
13
13
  exports.safeRegexExec = safeRegexExec;
14
14
  exports.safeRegexTest = safeRegexTest;
15
+ exports.createSafeRegex = createSafeRegex;
16
+ exports.validateRegexPatterns = validateRegexPatterns;
15
17
  const logger_1 = require("./logger");
16
18
  // Patterns that are known to cause catastrophic backtracking
19
+ // SECURITY FIX: Detect dangerous patterns in BOTH non-capturing (?...) AND capturing (...) groups
20
+ // VULNERABILITY (v1): Required `\?` which only matched (?...) groups, missing dangerous (...) groups
21
+ // FIX (v2): Remove `\?` requirement to catch all dangerous nested quantifiers
17
22
  const DANGEROUS_PATTERNS = [
18
- /\(\?[^)]*\+[^)]*\)\+/, // Nested quantifiers with +
19
- /\(\?[^)]*\*[^)]*\)\+/, // Nested quantifiers with *
20
- /\(\?[^)]*\+[^)]*\)\*/, // Nested quantifiers
21
- /\(\?[^)]*\*[^)]*\)\*/, // Nested quantifiers
22
- /\([^)]+\)\{[0-9]+,\}/, // Unbounded repetition of groups
23
- /\.\*\.\*/, // Multiple greedy wildcards
24
- /\.\+\.\+/, // Multiple greedy wildcards
25
- /\([^)]*\|[^)]*\)\+/, // Alternation with quantifier
26
- /\([^)]*\|[^)]*\)\*/, // Alternation with quantifier
23
+ /\([^)]*\+[^)]*\)\+/, // Nested quantifiers: (...+...)+ or (?...+...)+
24
+ /\([^)]*\*[^)]*\)\+/, // Nested quantifiers: (...*...)+ or (?...*...)+
25
+ /\([^)]*\+[^)]*\)\*/, // Nested quantifiers: (...+...)* or (?...+...)*
26
+ /\([^)]*\*[^)]*\)\*/, // Nested quantifiers: (...*...)* or (?...*...)*
27
+ /\([^)]+\)\{[0-9]+,\}/, // Unbounded repetition of groups: (...){10,}
28
+ /\.\*\.\*/, // Multiple greedy wildcards: .*.*
29
+ /\.\+\.\+/, // Multiple greedy wildcards: .+.+
30
+ /\([^)]*\|[^)]*\)\+/, // Alternation with quantifier: (a|b)+
31
+ /\([^)]*\|[^)]*\)\*/, // Alternation with quantifier: (a|b)*
27
32
  ];
28
33
  // Maximum allowed regex pattern length
29
34
  const MAX_PATTERN_LENGTH = 1000;
@@ -166,7 +171,12 @@ function getCachedRegex(pattern, flags = "") {
166
171
  errorMetrics.totalPatternsProcessed++;
167
172
  // Convert PCRE modifiers first
168
173
  const pcreResult = convertPCREModifiers(pattern);
169
- if (pcreResult.converted && pcreResult.error) {
174
+ // SECURITY FIX: Check for PCRE conversion errors
175
+ // VULNERABILITY (v1): Condition `converted && error` was always false when error exists
176
+ // - When unsupported modifiers found: converted=false, error=truthy
177
+ // - Condition: false && truthy = false (check skipped!)
178
+ // FIX (v2): Check error first, regardless of converted status
179
+ if (pcreResult.error) {
170
180
  // Unsupported PCRE modifiers - skip this pattern
171
181
  errorMetrics.pcreConversionFailures++;
172
182
  logger_1.logger.warn(`Skipping pattern with unsupported PCRE modifiers: ${pcreResult.error}`);
@@ -218,3 +228,26 @@ function safeRegexTest(regex, content, maxLength = 50000) {
218
228
  const safeContent = content.length > maxLength ? content.substring(0, maxLength) : content;
219
229
  return regex.test(safeContent);
220
230
  }
231
+ /**
232
+ * Create a safe regex with validation
233
+ * Throws error if pattern is unsafe
234
+ */
235
+ function createSafeRegex(pattern, flags = "") {
236
+ const validation = validateRegexPattern(pattern);
237
+ if (!validation.valid) {
238
+ throw new Error(validation.error || "Invalid regex pattern");
239
+ }
240
+ return new RegExp(pattern, flags);
241
+ }
242
+ /**
243
+ * Validate multiple regex patterns
244
+ */
245
+ function validateRegexPatterns(patterns) {
246
+ for (const pattern of patterns) {
247
+ const result = validateRegexPattern(pattern);
248
+ if (!result.valid) {
249
+ return result;
250
+ }
251
+ }
252
+ return { valid: true };
253
+ }
package/dist/wardn.d.ts CHANGED
@@ -47,19 +47,7 @@ export declare class Wardn {
47
47
  private detectViolation;
48
48
  /** Handle semantic detection */
49
49
  private detectSemanticViolation;
50
- /**
51
- * v0.4.0: Map severity to recommended action, with optional rule action override
52
- *
53
- * Default mapping:
54
- * - critical → block (immediate threat)
55
- * - high → confirm (needs user approval)
56
- * - medium → warn (notify but allow)
57
- * - low → log (record only)
58
- *
59
- * Rules can override default mapping via rule.action
60
- */
61
- private getRecommendedActionForSeverity;
62
- /** Report violation to telemetry */
50
+ /** Report violation to telemetry (redacts sensitive toolData) */
63
51
  private reportViolation;
64
52
  /** Report scan completion to telemetry */
65
53
  private reportScanComplete;
package/dist/wardn.js CHANGED
@@ -4,6 +4,7 @@ exports.Wardn = void 0;
4
4
  const pattern_1 = require("./detectors/pattern");
5
5
  const sequence_1 = require("./detectors/sequence");
6
6
  const state_1 = require("./detectors/state");
7
+ const base_1 = require("./detectors/base");
7
8
  const safe_regex_1 = require("./utils/safe-regex");
8
9
  const update_checker_1 = require("./update-checker");
9
10
  const session_manager_1 = require("./state/session-manager");
@@ -201,7 +202,7 @@ class Wardn {
201
202
  if (violation) {
202
203
  violations.push(violation);
203
204
  stateAdapter.addViolation(violation);
204
- this.reportViolation(violation, toolData, currentSessionId);
205
+ this.reportViolation(violation, currentSessionId);
205
206
  }
206
207
  }
207
208
  await this.stateProvider.setState(currentSessionId, stateAdapter.exportState());
@@ -352,50 +353,17 @@ This operation requires your approval to proceed.`;
352
353
  additionalInfo: { score },
353
354
  },
354
355
  timestamp: new Date().toISOString(),
355
- // v0.4.0: Set recommended action (rule.action or default severity mapping)
356
- recommendedAction: this.getRecommendedActionForSeverity(rule),
356
+ recommendedAction: (0, base_1.mapSeverityToAction)(rule),
357
357
  scope: 'Semantic analysis',
358
358
  };
359
359
  }
360
- /**
361
- * v0.4.0: Map severity to recommended action, with optional rule action override
362
- *
363
- * Default mapping:
364
- * - critical → block (immediate threat)
365
- * - high → confirm (needs user approval)
366
- * - medium → warn (notify but allow)
367
- * - low → log (record only)
368
- *
369
- * Rules can override default mapping via rule.action
370
- */
371
- getRecommendedActionForSeverity(rule) {
372
- // Rule action override takes precedence
373
- if (rule.action) {
374
- return rule.action;
375
- }
376
- // Default severity-to-action mapping
377
- switch (rule.severity) {
378
- case 'critical':
379
- return 'block';
380
- case 'high':
381
- return 'confirm'; // v0.4.0: Changed from 'warn' to 'confirm'
382
- case 'medium':
383
- return 'warn';
384
- case 'low':
385
- return 'log';
386
- default:
387
- return 'block'; // Safe default
388
- }
389
- }
390
- /** Report violation to telemetry */
391
- reportViolation(violation, toolData, sessionId) {
392
- // REDACTION: Create a safe copy for the cloud
393
- const safeViolation = { ...violation };
394
- if (safeViolation.context) {
395
- // Remove raw toolData (prompts) from the cloud payload
396
- const { toolData: _removed, ...safeContext } = safeViolation.context;
397
- safeViolation.context = safeContext;
398
- }
360
+ /** Report violation to telemetry (redacts sensitive toolData) */
361
+ reportViolation(violation, sessionId) {
362
+ const { toolData: _redacted, ...safeContext } = violation.context;
363
+ const safeViolation = {
364
+ ...violation,
365
+ context: safeContext,
366
+ };
399
367
  this.telemetry.emit({
400
368
  eventType: "violation_detected",
401
369
  timestamp: new Date().toISOString(),
@@ -491,14 +459,12 @@ This operation requires your approval to proceed.`;
491
459
  async pollRemoteRules() {
492
460
  if (!this.config.remoteRulesUrl || this.isShutdown)
493
461
  return;
494
- const FETCH_TIMEOUT_MS = 10000; // 10 second timeout
495
462
  const poll = async () => {
496
463
  if (this.isShutdown)
497
464
  return;
498
465
  try {
499
- // Create AbortController for timeout
500
466
  const controller = new AbortController();
501
- const timeoutId = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
467
+ const timeoutId = setTimeout(() => controller.abort(), security_limits_1.SECURITY_LIMITS.FETCH_TIMEOUT_MS);
502
468
  const response = await fetch(this.config.remoteRulesUrl, {
503
469
  headers: {
504
470
  "Accept": "application/json",
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@wardnmesh/sdk-node",
3
- "version": "0.4.0",
3
+ "version": "0.4.1",
4
4
  "description": "WardnMesh.AI Node.js SDK - Active Defense Middleware for AI Agents",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",
@@ -68,4 +68,4 @@
68
68
  "dependencies": {
69
69
  "@xenova/transformers": "^2.17.2"
70
70
  }
71
- }
71
+ }