npm - agentic-qe - Versions diffs - 3.2.3 → 3.3.1 - Mend

agentic-qe 3.2.3 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (658) hide show

package/v3/dist/mcp/security/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/mcp/security/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,2BAA2B,EAC3B,kBAAkB,EAClB,aAAa,GACd,MAAM,oBAAoB,CAAC;AAE5B,YAAY,EACV,UAAU,EACV,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,cAAc,EACd,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,YAAY,EACV,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,aAAa,EACb,oBAAoB,EACpB,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,SAAS,EACT,kBAAkB,EAClB,UAAU,EACV,cAAc,EACd,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,eAAe,EACf,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAM3B,OAAO,EAEL,YAAY,EACZ,aAAa,EACb,SAAS,EACT,YAAY,EAGZ,WAAW,EACX,WAAW,EACX,eAAe,EAGf,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,UAAU,EAGV,aAAa,EACb,UAAU,EACV,aAAa,EAGb,eAAe,EACf,cAAc,EAGd,aAAa,GACd,MAAM,kBAAkB,CAAC;AAE1B,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,iBAAiB,EACjB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAM1B,OAAO,EAAyB,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAqB,KAAK,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EAAyB,KAAK,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAGvF;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,WAAW,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACzC,KAAK,CAAC,EAAE,OAAO,CAAC,qBAAqB,CAAC,CAAC;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,EAAE,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,eAAe,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,GAAE,wBAA6B;IAe1E;;OAEG;kBACW,CAAC,SAAS,OAAO,UAAU,UAAU,GAAG;QAAE,KAAK,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG;QAAE,KAAK,EAAE,KAAK,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE;IAgBnH;;OAEG;8BACuB,MAAM,aAAa,MAAM;;;iBAEa,GAAG;;IAMnE;;OAEG;yBACkB,MAAM;;;;;;;;;;IAQ3B;;OAEG;2BACoB,MAAM,aAAa,MAAM;IAQhD;;OAEG;oBACa,MAAM;IAQtB;;OAEG;kCAC2B,MAAM,oBAAoB,MAAM,EAAE;IAQhE;;OAEG;+BAEQ,eAAe,UAChB,OAAO,WACN,UAAU,GAClB,OAAO,CAAC,mBAAmB,CAAC;IAsC/B;;OAEG;;EAUN;AAOD;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,UAAU,CAAC,OAAO,wBAAwB,CAAC,CAKnF"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/mcp/security/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,2BAA2B,EAC3B,kBAAkB,EAClB,aAAa,GACd,MAAM,oBAAoB,CAAC;AAE5B,YAAY,EACV,UAAU,EACV,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,iBAAiB,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,cAAc,EACd,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,YAAY,EACV,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,aAAa,EACb,oBAAoB,EACpB,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,SAAS,EACT,kBAAkB,EAClB,UAAU,EACV,cAAc,EACd,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,eAAe,EACf,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAM3B,OAAO,EAEL,YAAY,EACZ,aAAa,EACb,SAAS,EACT,YAAY,EAGZ,WAAW,EACX,WAAW,EACX,eAAe,EAGf,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,UAAU,EAGV,aAAa,EACb,UAAU,EACV,aAAa,EAGb,eAAe,EACf,cAAc,EAGd,aAAa,GACd,MAAM,kBAAkB,CAAC;AAE1B,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,iBAAiB,EACjB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAM1B,OAAO,EAAyB,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAqB,KAAK,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EAAyB,KAAK,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAGvF;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,WAAW,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACzC,KAAK,CAAC,EAAE,OAAO,CAAC,qBAAqB,CAAC,CAAC;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,EAAE,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,eAAe,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,GAAE,wBAA6B;IAe1E;;OAEG;kBACW,CAAC,SAAS,OAAO,UAAU,UAAU,GAAG;QAAE,KAAK,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG;QAAE,KAAK,EAAE,KAAK,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE;IAgBnH;;OAEG;8BACuB,MAAM,aAAa,MAAM;;;iBAEa,GAAG;;IAMnE;;OAEG;yBACkB,MAAM;;;;;;;;;;IAQ3B;;OAEG;2BACoB,MAAM,aAAa,MAAM;IAQhD;;OAEG;oBACa,MAAM;IAQtB;;OAEG;kCAC2B,MAAM,oBAAoB,MAAM,EAAE;;;;;IAQhE;;OAEG;+BAEQ,eAAe,UAChB,OAAO,WACN,UAAU,GAClB,OAAO,CAAC,mBAAmB,CAAC;IAsC/B;;OAEG;;EAUN;AAOD;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,UAAU,CAAC,OAAO,wBAAwB,CAAC,CAKnF"}

package/v3/dist/mcp/security/validators/command-validator.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * Agentic QE v3 - MCP Security: Command Validator
+ * Implements the Strategy Pattern for command injection prevention
+ */
+import { ICommandValidationStrategy, CommandValidationOptions, CommandValidationResult, RiskLevel } from './interfaces';
+/**
+ * Allowed commands whitelist (default safe commands)
+ */
+export declare const DEFAULT_ALLOWED_COMMANDS: string[];
+/**
+ * Blocked command patterns (injection vectors)
+ */
+export declare const BLOCKED_COMMAND_PATTERNS: RegExp[];
+/**
+ * Command Validator Strategy
+ * Validates and sanitizes shell commands to prevent injection attacks
+ */
+export declare class CommandValidator implements ICommandValidationStrategy {
+    readonly name = "command-injection";
+    private defaultAllowedCommands;
+    constructor(defaultAllowedCommands?: string[]);
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Validate a command (IValidationStrategy interface)
+     */
+    validate(command: string, options?: CommandValidationOptions): CommandValidationResult;
+    /**
+     * Validate and sanitize a command
+     */
+    validateCommand(command: string, allowedCommands?: string[]): CommandValidationResult;
+    /**
+     * Escape a string for safe shell usage
+     */
+    escapeShellArg(arg: string): string;
+}
+export declare const validateCommand: (command: string, allowedCommands?: string[]) => CommandValidationResult;
+export declare const escapeShellArg: (arg: string) => string;
+//# sourceMappingURL=command-validator.d.ts.map

package/v3/dist/mcp/security/validators/command-validator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"command-validator.d.ts","sourceRoot":"","sources":["../../../../src/mcp/security/validators/command-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,0BAA0B,EAC1B,wBAAwB,EACxB,uBAAuB,EACvB,SAAS,EACV,MAAM,cAAc,CAAC;AAMtB;;GAEG;AACH,eAAO,MAAM,wBAAwB,UAIpC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wBAAwB,UASpC,CAAC;AAWF;;;GAGG;AACH,qBAAa,gBAAiB,YAAW,0BAA0B;IACjE,SAAgB,IAAI,uBAAuB;IAE3C,OAAO,CAAC,sBAAsB,CAAW;gBAE7B,sBAAsB,WAA2B;IAI7D;;OAEG;IACI,YAAY,IAAI,SAAS;IAIhC;;OAEG;IACI,QAAQ,CACb,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,wBAA6B,GACrC,uBAAuB;IAK1B;;OAEG;IACI,eAAe,CACpB,OAAO,EAAE,MAAM,EACf,eAAe,GAAE,MAAM,EAAgC,GACtD,uBAAuB;IAgD1B;;OAEG;IACI,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;CAI3C;AAQD,eAAO,MAAM,eAAe,GAC1B,SAAS,MAAM,EACf,kBAAkB,MAAM,EAAE,KACzB,uBAKF,CAAC;AAEF,eAAO,MAAM,cAAc,GAAI,KAAK,MAAM,KAAG,MACP,CAAC"}

package/v3/dist/mcp/security/validators/command-validator.js ADDED Viewed

@@ -0,0 +1,123 @@
+/**
+ * Agentic QE v3 - MCP Security: Command Validator
+ * Implements the Strategy Pattern for command injection prevention
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * Allowed commands whitelist (default safe commands)
+ */
+export const DEFAULT_ALLOWED_COMMANDS = [
+    'ls', 'cat', 'echo', 'grep', 'find', 'head', 'tail', 'wc',
+    'npm', 'node', 'yarn', 'pnpm',
+    'git', 'jest', 'vitest', 'playwright',
+];
+/**
+ * Blocked command patterns (injection vectors)
+ */
+export const BLOCKED_COMMAND_PATTERNS = [
+    /;/, // Command chaining with semicolon
+    /&&/, // Command chaining with AND
+    /\|\|/, // Command chaining with OR
+    /\|/, // Piping
+    /`.*`/, // Backtick command substitution
+    /\$\(.*\)/, // $() command substitution
+    />\s*\/dev\/sd/i, // Writing to block devices
+    />\s*\/etc\//i, // Writing to /etc
+];
+/**
+ * Shell metacharacters (excludes parentheses which are common in normal text)
+ */
+const SHELL_METACHARACTERS = /[|;&$`<>{}[\]!#*?~]/g;
+// ============================================================================
+// Command Validator Implementation
+// ============================================================================
+/**
+ * Command Validator Strategy
+ * Validates and sanitizes shell commands to prevent injection attacks
+ */
+export class CommandValidator {
+    name = 'command-injection';
+    defaultAllowedCommands;
+    constructor(defaultAllowedCommands = DEFAULT_ALLOWED_COMMANDS) {
+        this.defaultAllowedCommands = defaultAllowedCommands;
+    }
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel() {
+        return 'critical';
+    }
+    /**
+     * Validate a command (IValidationStrategy interface)
+     */
+    validate(command, options = {}) {
+        const allowedCommands = options.allowedCommands ?? this.defaultAllowedCommands;
+        return this.validateCommand(command, allowedCommands);
+    }
+    /**
+     * Validate and sanitize a command
+     */
+    validateCommand(command, allowedCommands = this.defaultAllowedCommands) {
+        const blockedPatterns = [];
+        // Check for blocked patterns
+        for (const pattern of BLOCKED_COMMAND_PATTERNS) {
+            if (pattern.test(command)) {
+                blockedPatterns.push(pattern.source);
+            }
+        }
+        if (blockedPatterns.length > 0) {
+            return {
+                valid: false,
+                error: 'Command contains blocked patterns',
+                blockedPatterns,
+                riskLevel: 'critical',
+            };
+        }
+        // Extract base command
+        const parts = command.trim().split(/\s+/);
+        const baseCommand = parts[0].split('/').pop() || '';
+        // Check against whitelist
+        if (!allowedCommands.includes(baseCommand)) {
+            return {
+                valid: false,
+                error: `Command '${baseCommand}' is not in the allowed list`,
+                blockedPatterns: [],
+                riskLevel: 'high',
+            };
+        }
+        // Sanitize arguments
+        const sanitizedParts = parts.map((part, i) => {
+            if (i === 0)
+                return part;
+            // Remove shell metacharacters from arguments
+            return part.replace(SHELL_METACHARACTERS, '');
+        });
+        return {
+            valid: true,
+            sanitizedCommand: sanitizedParts.join(' '),
+            blockedPatterns: [],
+            riskLevel: 'none',
+        };
+    }
+    /**
+     * Escape a string for safe shell usage
+     */
+    escapeShellArg(arg) {
+        // Wrap in single quotes and escape any internal single quotes
+        return `'${arg.replace(/'/g, "'\\''")}'`;
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultValidator = new CommandValidator();
+export const validateCommand = (command, allowedCommands) => {
+    if (allowedCommands) {
+        return defaultValidator.validateCommand(command, allowedCommands);
+    }
+    return defaultValidator.validate(command);
+};
+export const escapeShellArg = (arg) => defaultValidator.escapeShellArg(arg);
+//# sourceMappingURL=command-validator.js.map

package/v3/dist/mcp/security/validators/command-validator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"command-validator.js","sourceRoot":"","sources":["../../../../src/mcp/security/validators/command-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI;IACzD,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC7B,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY;CACtC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,GAAG,EAAwB,kCAAkC;IAC7D,IAAI,EAAuB,4BAA4B;IACvD,MAAM,EAAqB,2BAA2B;IACtD,IAAI,EAAuB,SAAS;IACpC,MAAM,EAAqB,gCAAgC;IAC3D,UAAU,EAAiB,2BAA2B;IACtD,gBAAgB,EAAW,2BAA2B;IACtD,cAAc,EAAa,kBAAkB;CAC9C,CAAC;AAEF;;GAEG;AACH,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AAEpD,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACX,IAAI,GAAG,mBAAmB,CAAC;IAEnC,sBAAsB,CAAW;IAEzC,YAAY,sBAAsB,GAAG,wBAAwB;QAC3D,IAAI,CAAC,sBAAsB,GAAG,sBAAsB,CAAC;IACvD,CAAC;IAED;;OAEG;IACI,YAAY;QACjB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;OAEG;IACI,QAAQ,CACb,OAAe,EACf,UAAoC,EAAE;QAEtC,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,CAAC,sBAAsB,CAAC;QAC/E,OAAO,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACI,eAAe,CACpB,OAAe,EACf,kBAA4B,IAAI,CAAC,sBAAsB;QAEvD,MAAM,eAAe,GAAa,EAAE,CAAC;QAErC,6BAA6B;QAC7B,KAAK,MAAM,OAAO,IAAI,wBAAwB,EAAE,CAAC;YAC/C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;QAED,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,mCAAmC;gBAC1C,eAAe;gBACf,SAAS,EAAE,UAAU;aACtB,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;QAEpD,0BAA0B;QAC1B,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,YAAY,WAAW,8BAA8B;gBAC5D,eAAe,EAAE,EAAE;gBACnB,SAAS,EAAE,MAAM;aAClB,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,cAAc,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;YAC3C,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACzB,6CAA6C;YAC7C,OAAO,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,OAAO;YACL,KAAK,EAAE,IAAI;YACX,gBAAgB,EAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;YAC1C,eAAe,EAAE,EAAE;YACnB,SAAS,EAAE,MAAM;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,cAAc,CAAC,GAAW;QAC/B,8DAA8D;QAC9D,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;IAC3C,CAAC;CACF;AAED,+EAA+E;AAC/E,oDAAoD;AACpD,+EAA+E;AAE/E,MAAM,gBAAgB,GAAG,IAAI,gBAAgB,EAAE,CAAC;AAEhD,MAAM,CAAC,MAAM,eAAe,GAAG,CAC7B,OAAe,EACf,eAA0B,EACD,EAAE;IAC3B,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAC,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,GAAW,EAAU,EAAE,CACpD,gBAAgB,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC"}

package/v3/dist/mcp/security/validators/crypto-validator.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * Agentic QE v3 - MCP Security: Crypto Validator
+ * Implements the Strategy Pattern for cryptographic security operations
+ */
+import { ICryptoValidationStrategy, RiskLevel } from './interfaces';
+/**
+ * Crypto Validator Strategy
+ * Provides timing-safe comparisons and secure cryptographic operations
+ */
+export declare class CryptoValidator implements ICryptoValidationStrategy {
+    readonly name = "crypto-security";
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Perform a timing-safe string comparison
+     * Prevents timing attacks by ensuring constant-time comparison
+     */
+    timingSafeCompare(a: string, b: string): boolean;
+    /**
+     * Timing-safe comparison for hashed values
+     * Hashes the input value and compares against expected hash
+     */
+    timingSafeHashCompare(value: string, expectedHash: string): boolean;
+    /**
+     * Generate a secure random token
+     * Uses cryptographically secure random bytes
+     */
+    generateSecureToken(length?: number): string;
+    /**
+     * Hash a value securely using SHA-256
+     */
+    secureHash(value: string, salt?: string): string;
+}
+export declare const timingSafeCompare: (a: string, b: string) => boolean;
+export declare const timingSafeHashCompare: (value: string, expectedHash: string) => boolean;
+export declare const generateSecureToken: (length?: number) => string;
+export declare const secureHash: (value: string, salt?: string) => string;
+//# sourceMappingURL=crypto-validator.d.ts.map

package/v3/dist/mcp/security/validators/crypto-validator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto-validator.d.ts","sourceRoot":"","sources":["../../../../src/mcp/security/validators/crypto-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,yBAAyB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAMpE;;;GAGG;AACH,qBAAa,eAAgB,YAAW,yBAAyB;IAC/D,SAAgB,IAAI,qBAAqB;IAEzC;;OAEG;IACI,YAAY,IAAI,SAAS;IAIhC;;;OAGG;IACI,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO;IAavD;;;OAGG;IACI,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAK1E;;;OAGG;IACI,mBAAmB,CAAC,MAAM,SAAK,GAAG,MAAM;IAQ/C;;OAEG;IACI,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM;CAIxD;AAQD,eAAO,MAAM,iBAAiB,GAAI,GAAG,MAAM,EAAE,GAAG,MAAM,KAAG,OACf,CAAC;AAE3C,eAAO,MAAM,qBAAqB,GAAI,OAAO,MAAM,EAAE,cAAc,MAAM,KAAG,OACf,CAAC;AAE9D,eAAO,MAAM,mBAAmB,GAAI,SAAS,MAAM,KAAG,MACR,CAAC;AAE/C,eAAO,MAAM,UAAU,GAAI,OAAO,MAAM,EAAE,OAAO,MAAM,KAAG,MAChB,CAAC"}

package/v3/dist/mcp/security/validators/crypto-validator.js ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Agentic QE v3 - MCP Security: Crypto Validator
+ * Implements the Strategy Pattern for cryptographic security operations
+ */
+import { createHash, timingSafeEqual, randomBytes } from 'crypto';
+// ============================================================================
+// Crypto Validator Implementation
+// ============================================================================
+/**
+ * Crypto Validator Strategy
+ * Provides timing-safe comparisons and secure cryptographic operations
+ */
+export class CryptoValidator {
+    name = 'crypto-security';
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel() {
+        return 'critical';
+    }
+    /**
+     * Perform a timing-safe string comparison
+     * Prevents timing attacks by ensuring constant-time comparison
+     */
+    timingSafeCompare(a, b) {
+        // Pad shorter string to prevent length-based timing attacks
+        const maxLen = Math.max(a.length, b.length);
+        const paddedA = a.padEnd(maxLen, '\0');
+        const paddedB = b.padEnd(maxLen, '\0');
+        try {
+            return timingSafeEqual(Buffer.from(paddedA), Buffer.from(paddedB));
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Timing-safe comparison for hashed values
+     * Hashes the input value and compares against expected hash
+     */
+    timingSafeHashCompare(value, expectedHash) {
+        const hash = createHash('sha256').update(value).digest('hex');
+        return this.timingSafeCompare(hash, expectedHash);
+    }
+    /**
+     * Generate a secure random token
+     * Uses cryptographically secure random bytes
+     */
+    generateSecureToken(length = 32) {
+        return randomBytes(length)
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+    /**
+     * Hash a value securely using SHA-256
+     */
+    secureHash(value, salt) {
+        const data = salt ? `${salt}:${value}` : value;
+        return createHash('sha256').update(data).digest('hex');
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultValidator = new CryptoValidator();
+export const timingSafeCompare = (a, b) => defaultValidator.timingSafeCompare(a, b);
+export const timingSafeHashCompare = (value, expectedHash) => defaultValidator.timingSafeHashCompare(value, expectedHash);
+export const generateSecureToken = (length) => defaultValidator.generateSecureToken(length);
+export const secureHash = (value, salt) => defaultValidator.secureHash(value, salt);
+//# sourceMappingURL=crypto-validator.js.map

package/v3/dist/mcp/security/validators/crypto-validator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto-validator.js","sourceRoot":"","sources":["../../../../src/mcp/security/validators/crypto-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAGlE,+EAA+E;AAC/E,kCAAkC;AAClC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,OAAO,eAAe;IACV,IAAI,GAAG,iBAAiB,CAAC;IAEzC;;OAEG;IACI,YAAY;QACjB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;;OAGG;IACI,iBAAiB,CAAC,CAAS,EAAE,CAAS;QAC3C,4DAA4D;QAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAEvC,IAAI,CAAC;YACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,qBAAqB,CAAC,KAAa,EAAE,YAAoB;QAC9D,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IACpD,CAAC;IAED;;;OAGG;IACI,mBAAmB,CAAC,MAAM,GAAG,EAAE;QACpC,OAAO,WAAW,CAAC,MAAM,CAAC;aACvB,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvB,CAAC;IAED;;OAEG;IACI,UAAU,CAAC,KAAa,EAAE,IAAa;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;QAC/C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;CACF;AAED,+EAA+E;AAC/E,oDAAoD;AACpD,+EAA+E;AAE/E,MAAM,gBAAgB,GAAG,IAAI,eAAe,EAAE,CAAC;AAE/C,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAS,EAAE,CAAS,EAAW,EAAE,CACjE,gBAAgB,CAAC,iBAAiB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAE3C,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,KAAa,EAAE,YAAoB,EAAW,EAAE,CACpF,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;AAE9D,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,MAAe,EAAU,EAAE,CAC7D,gBAAgB,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;AAE/C,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,KAAa,EAAE,IAAa,EAAU,EAAE,CACjE,gBAAgB,CAAC,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC"}

package/v3/dist/mcp/security/validators/index.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Agentic QE v3 - MCP Security: Validators Index
+ * Re-exports all validators and interfaces for easy importing
+ */
+export type { RiskLevel, ValidationResult, PathValidationResult, RegexSafetyResult, CommandValidationResult, SanitizationOptions, PathValidationOptions, RegexValidationOptions, CommandValidationOptions, IValidationStrategy, IPathValidationStrategy, IRegexValidationStrategy, ICommandValidationStrategy, IInputSanitizationStrategy, ICryptoValidationStrategy, IValidationOrchestrator, } from './interfaces';
+export { PathTraversalValidator, PATH_TRAVERSAL_PATTERNS, DANGEROUS_PATH_COMPONENTS, validatePath, normalizePath, joinPaths, joinPathsAbsolute, getExtension, } from './path-traversal-validator';
+export { RegexSafetyValidator, REDOS_PATTERNS, countQuantifierNesting, hasExponentialBacktracking, isRegexSafe, escapeRegex, createSafeRegex, } from './regex-safety-validator';
+export { CommandValidator, DEFAULT_ALLOWED_COMMANDS, BLOCKED_COMMAND_PATTERNS, validateCommand, escapeShellArg, } from './command-validator';
+export { InputSanitizer, HTML_ESCAPE_MAP, SQL_INJECTION_PATTERNS, SHELL_METACHARACTERS, DANGEROUS_CONTROL_CHARS, sanitizeInput, escapeHtml, stripHtmlTags, } from './input-sanitizer';
+export { CryptoValidator, timingSafeCompare, timingSafeHashCompare, generateSecureToken, secureHash, } from './crypto-validator';
+export { ValidationOrchestrator, getOrchestrator, createOrchestrator, } from './validation-orchestrator';
+//# sourceMappingURL=index.d.ts.map

package/v3/dist/mcp/security/validators/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/mcp/security/validators/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,YAAY,EAEV,SAAS,EACT,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,uBAAuB,EAGvB,mBAAmB,EACnB,qBAAqB,EACrB,sBAAsB,EACtB,wBAAwB,EAGxB,mBAAmB,EACnB,uBAAuB,EACvB,wBAAwB,EACxB,0BAA0B,EAC1B,0BAA0B,EAC1B,yBAAyB,EACzB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAOtB,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,yBAAyB,EACzB,YAAY,EACZ,aAAa,EACb,SAAS,EACT,iBAAiB,EACjB,YAAY,GACb,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,sBAAsB,EACtB,0BAA0B,EAC1B,WAAW,EACX,WAAW,EACX,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,eAAe,EACf,cAAc,GACf,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,cAAc,EACd,eAAe,EACf,sBAAsB,EACtB,oBAAoB,EACpB,uBAAuB,EACvB,aAAa,EACb,UAAU,EACV,aAAa,GACd,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,UAAU,GACX,MAAM,oBAAoB,CAAC;AAM5B,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,kBAAkB,GACnB,MAAM,2BAA2B,CAAC"}

package/v3/dist/mcp/security/validators/index.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Agentic QE v3 - MCP Security: Validators Index
+ * Re-exports all validators and interfaces for easy importing
+ */
+// ============================================================================
+// Validators
+// ============================================================================
+// Path Traversal
+export { PathTraversalValidator, PATH_TRAVERSAL_PATTERNS, DANGEROUS_PATH_COMPONENTS, validatePath, normalizePath, joinPaths, joinPathsAbsolute, getExtension, } from './path-traversal-validator';
+// Regex Safety
+export { RegexSafetyValidator, REDOS_PATTERNS, countQuantifierNesting, hasExponentialBacktracking, isRegexSafe, escapeRegex, createSafeRegex, } from './regex-safety-validator';
+// Command Validator
+export { CommandValidator, DEFAULT_ALLOWED_COMMANDS, BLOCKED_COMMAND_PATTERNS, validateCommand, escapeShellArg, } from './command-validator';
+// Input Sanitizer
+export { InputSanitizer, HTML_ESCAPE_MAP, SQL_INJECTION_PATTERNS, SHELL_METACHARACTERS, DANGEROUS_CONTROL_CHARS, sanitizeInput, escapeHtml, stripHtmlTags, } from './input-sanitizer';
+// Crypto Validator
+export { CryptoValidator, timingSafeCompare, timingSafeHashCompare, generateSecureToken, secureHash, } from './crypto-validator';
+// ============================================================================
+// Orchestrator
+// ============================================================================
+export { ValidationOrchestrator, getOrchestrator, createOrchestrator, } from './validation-orchestrator';
+//# sourceMappingURL=index.js.map

package/v3/dist/mcp/security/validators/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/mcp/security/validators/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA8BH,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E,iBAAiB;AACjB,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,yBAAyB,EACzB,YAAY,EACZ,aAAa,EACb,SAAS,EACT,iBAAiB,EACjB,YAAY,GACb,MAAM,4BAA4B,CAAC;AAEpC,eAAe;AACf,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,sBAAsB,EACtB,0BAA0B,EAC1B,WAAW,EACX,WAAW,EACX,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAElC,oBAAoB;AACpB,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,eAAe,EACf,cAAc,GACf,MAAM,qBAAqB,CAAC;AAE7B,kBAAkB;AAClB,OAAO,EACL,cAAc,EACd,eAAe,EACf,sBAAsB,EACtB,oBAAoB,EACpB,uBAAuB,EACvB,aAAa,EACb,UAAU,EACV,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,mBAAmB;AACnB,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,UAAU,GACX,MAAM,oBAAoB,CAAC;AAE5B,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,kBAAkB,GACnB,MAAM,2BAA2B,CAAC"}

package/v3/dist/mcp/security/validators/input-sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Agentic QE v3 - MCP Security: Input Sanitizer
+ * Implements the Strategy Pattern for input sanitization
+ */
+import { IInputSanitizationStrategy, SanitizationOptions, RiskLevel } from './interfaces';
+/**
+ * HTML escape characters mapping
+ */
+export declare const HTML_ESCAPE_MAP: Record<string, string>;
+/**
+ * SQL injection patterns to detect and remove
+ */
+export declare const SQL_INJECTION_PATTERNS: RegExp[];
+/**
+ * Shell metacharacters (excludes parentheses which are common in normal text)
+ */
+export declare const SHELL_METACHARACTERS: RegExp;
+/**
+ * Dangerous control characters that should be stripped:
+ * - Null byte (\x00): String termination attacks, filter bypass
+ * - Backspace (\x08): Log manipulation
+ * - Bell (\x07): Terminal escape attacks
+ * - Vertical tab (\x0B): Filter bypass
+ * - Form feed (\x0C): Filter bypass
+ * - Escape (\x1B): Terminal escape sequences (ANSI attacks)
+ * - Delete (\x7F): Buffer manipulation
+ */
+export declare const DANGEROUS_CONTROL_CHARS: RegExp;
+/**
+ * Input Sanitizer Strategy
+ * Sanitizes user input to prevent XSS, SQL injection, and command injection
+ */
+export declare class InputSanitizer implements IInputSanitizationStrategy {
+    readonly name = "input-sanitization";
+    /**
+     * Get the primary risk level this sanitizer addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Sanitize input string with configurable options
+     */
+    sanitize(input: string, options?: SanitizationOptions): string;
+    /**
+     * Escape HTML special characters
+     */
+    escapeHtml(str: string): string;
+    /**
+     * Strip HTML tags from a string
+     * Handles both complete tags and incomplete/malformed tags to prevent XSS
+     */
+    stripHtmlTags(str: string): string;
+}
+export declare const sanitizeInput: (input: string, options?: SanitizationOptions) => string;
+export declare const escapeHtml: (str: string) => string;
+export declare const stripHtmlTags: (str: string) => string;
+//# sourceMappingURL=input-sanitizer.d.ts.map

package/v3/dist/mcp/security/validators/input-sanitizer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"input-sanitizer.d.ts","sourceRoot":"","sources":["../../../../src/mcp/security/validators/input-sanitizer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,SAAS,EACV,MAAM,cAAc,CAAC;AAMtB;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CASlD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,UAWlC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,QAAyB,CAAC;AAE3D;;;;;;;;;GASG;AACH,eAAO,MAAM,uBAAuB,QAAsC,CAAC;AAM3E;;;GAGG;AACH,qBAAa,cAAe,YAAW,0BAA0B;IAC/D,SAAgB,IAAI,wBAAwB;IAE5C;;OAEG;IACI,YAAY,IAAI,SAAS;IAIhC;;OAEG;IACI,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB,GAAG,MAAM;IAuDzE;;OAEG;IACI,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IAItC;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;CAkC1C;AAQD,eAAO,MAAM,aAAa,GACxB,OAAO,MAAM,EACb,UAAU,mBAAmB,KAC5B,MAAmD,CAAC;AAEvD,eAAO,MAAM,UAAU,GAAI,KAAK,MAAM,KAAG,MACP,CAAC;AAEnC,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,KAAG,MACP,CAAC"}

package/v3/dist/mcp/security/validators/input-sanitizer.js ADDED Viewed

@@ -0,0 +1,157 @@
+/**
+ * Agentic QE v3 - MCP Security: Input Sanitizer
+ * Implements the Strategy Pattern for input sanitization
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * HTML escape characters mapping
+ */
+export const HTML_ESCAPE_MAP = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#x27;',
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;',
+};
+/**
+ * SQL injection patterns to detect and remove
+ */
+export const SQL_INJECTION_PATTERNS = [
+    /('|")\s*;\s*--/i,
+    /'\s*OR\s+'1'\s*=\s*'1/i,
+    /"\s*OR\s+"1"\s*=\s*"1/i,
+    /UNION\s+SELECT/i,
+    /INSERT\s+INTO/i,
+    /DROP\s+TABLE/i,
+    /DELETE\s+FROM/i,
+    /UPDATE\s+.*\s+SET/i,
+    /EXEC(\s+|\()sp_/i,
+    /xp_cmdshell/i,
+];
+/**
+ * Shell metacharacters (excludes parentheses which are common in normal text)
+ */
+export const SHELL_METACHARACTERS = /[|;&$`<>{}[\]!#*?~]/g;
+/**
+ * Dangerous control characters that should be stripped:
+ * - Null byte (\x00): String termination attacks, filter bypass
+ * - Backspace (\x08): Log manipulation
+ * - Bell (\x07): Terminal escape attacks
+ * - Vertical tab (\x0B): Filter bypass
+ * - Form feed (\x0C): Filter bypass
+ * - Escape (\x1B): Terminal escape sequences (ANSI attacks)
+ * - Delete (\x7F): Buffer manipulation
+ */
+export const DANGEROUS_CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+// ============================================================================
+// Input Sanitizer Implementation
+// ============================================================================
+/**
+ * Input Sanitizer Strategy
+ * Sanitizes user input to prevent XSS, SQL injection, and command injection
+ */
+export class InputSanitizer {
+    name = 'input-sanitization';
+    /**
+     * Get the primary risk level this sanitizer addresses
+     */
+    getRiskLevel() {
+        return 'high';
+    }
+    /**
+     * Sanitize input string with configurable options
+     */
+    sanitize(input, options = {}) {
+        const { maxLength = 10000, allowedChars, stripHtml = true, stripSql = true, escapeShell = true, trim = true, stripControlChars = true, } = options;
+        let result = input;
+        // Strip dangerous control characters first (null bytes, escape sequences, etc.)
+        // This must happen early to prevent bypass of later sanitization steps
+        if (stripControlChars) {
+            result = result.replace(DANGEROUS_CONTROL_CHARS, '');
+        }
+        // Trim
+        if (trim) {
+            result = result.trim();
+        }
+        // Max length
+        if (result.length > maxLength) {
+            result = result.substring(0, maxLength);
+        }
+        // Strip HTML
+        if (stripHtml) {
+            result = this.stripHtmlTags(result);
+        }
+        // Strip SQL injection attempts
+        if (stripSql) {
+            for (const pattern of SQL_INJECTION_PATTERNS) {
+                result = result.replace(pattern, '');
+            }
+        }
+        // Escape shell metacharacters
+        if (escapeShell) {
+            result = result.replace(SHELL_METACHARACTERS, '');
+        }
+        // Filter to allowed characters
+        if (allowedChars) {
+            // Filter character by character to respect the provided regex
+            result = result.split('').filter(char => allowedChars.test(char)).join('');
+        }
+        return result;
+    }
+    /**
+     * Escape HTML special characters
+     */
+    escapeHtml(str) {
+        return str.replace(/[&<>"'`=/]/g, char => HTML_ESCAPE_MAP[char] || char);
+    }
+    /**
+     * Strip HTML tags from a string
+     * Handles both complete tags and incomplete/malformed tags to prevent XSS
+     */
+    stripHtmlTags(str) {
+        // Limit input length to prevent ReDoS
+        const MAX_LENGTH = 100000;
+        if (str.length > MAX_LENGTH) {
+            str = str.slice(0, MAX_LENGTH);
+        }
+        let result = str;
+        let prevLength;
+        // Loop until no more changes (handles nested/malformed tags like <script<script>>)
+        do {
+            prevLength = result.length;
+            // Remove complete HTML tags using a non-backtracking approach
+            // Process character by character to avoid regex backtracking
+            let cleaned = '';
+            let inTag = false;
+            for (let i = 0; i < result.length; i++) {
+                const char = result[i];
+                if (char === '<') {
+                    inTag = true;
+                }
+                else if (char === '>' && inTag) {
+                    inTag = false;
+                }
+                else if (!inTag) {
+                    cleaned += char;
+                }
+            }
+            result = cleaned;
+        } while (result.length < prevLength && result.length > 0);
+        // Encode any remaining angle brackets
+        result = result.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+        return result;
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultSanitizer = new InputSanitizer();
+export const sanitizeInput = (input, options) => defaultSanitizer.sanitize(input, options);
+export const escapeHtml = (str) => defaultSanitizer.escapeHtml(str);
+export const stripHtmlTags = (str) => defaultSanitizer.stripHtmlTags(str);
+//# sourceMappingURL=input-sanitizer.js.map

package/v3/dist/mcp/security/validators/input-sanitizer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"input-sanitizer.js","sourceRoot":"","sources":["../../../../src/mcp/security/validators/input-sanitizer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAA2B;IACrD,GAAG,EAAE,OAAO;IACZ,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,QAAQ;IACb,GAAG,EAAE,QAAQ;IACb,GAAG,EAAE,QAAQ;IACb,GAAG,EAAE,QAAQ;IACb,GAAG,EAAE,QAAQ;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,iBAAiB;IACjB,wBAAwB;IACxB,wBAAwB;IACxB,iBAAiB;IACjB,gBAAgB;IAChB,eAAe;IACf,gBAAgB;IAChB,oBAAoB;IACpB,kBAAkB;IAClB,cAAc;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AAE3D;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,mCAAmC,CAAC;AAE3E,+EAA+E;AAC/E,iCAAiC;AACjC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,OAAO,cAAc;IACT,IAAI,GAAG,oBAAoB,CAAC;IAE5C;;OAEG;IACI,YAAY;QACjB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,QAAQ,CAAC,KAAa,EAAE,UAA+B,EAAE;QAC9D,MAAM,EACJ,SAAS,GAAG,KAAK,EACjB,YAAY,EACZ,SAAS,GAAG,IAAI,EAChB,QAAQ,GAAG,IAAI,EACf,WAAW,GAAG,IAAI,EAClB,IAAI,GAAG,IAAI,EACX,iBAAiB,GAAG,IAAI,GACzB,GAAG,OAAO,CAAC;QAEZ,IAAI,MAAM,GAAG,KAAK,CAAC;QAEnB,gFAAgF;QAChF,uEAAuE;QACvE,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,OAAO;QACP,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,aAAa;QACb,IAAI,MAAM,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;YAC9B,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAC1C,CAAC;QAED,aAAa;QACb,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QACtC,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,EAAE,CAAC;YACb,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;gBAC7C,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,+BAA+B;QAC/B,IAAI,YAAY,EAAE,CAAC;YACjB,8DAA8D;YAC9D,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,UAAU,CAAC,GAAW;QAC3B,OAAO,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;IAC3E,CAAC;IAED;;;OAGG;IACI,aAAa,CAAC,GAAW;QAC9B,sCAAsC;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC;QAC1B,IAAI,GAAG,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;YAC5B,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,MAAM,GAAG,GAAG,CAAC;QACjB,IAAI,UAAkB,CAAC;QAEvB,mFAAmF;QACnF,GAAG,CAAC;YACF,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;YAC3B,8DAA8D;YAC9D,6DAA6D;YAC7D,IAAI,OAAO,GAAG,EAAE,CAAC;YACjB,IAAI,KAAK,GAAG,KAAK,CAAC;YAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;oBACjB,KAAK,GAAG,IAAI,CAAC;gBACf,CAAC;qBAAM,IAAI,IAAI,KAAK,GAAG,IAAI,KAAK,EAAE,CAAC;oBACjC,KAAK,GAAG,KAAK,CAAC;gBAChB,CAAC;qBAAM,IAAI,CAAC,KAAK,EAAE,CAAC;oBAClB,OAAO,IAAI,IAAI,CAAC;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,GAAG,OAAO,CAAC;QACnB,CAAC,QAAQ,MAAM,CAAC,MAAM,GAAG,UAAU,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE;QAE1D,sCAAsC;QACtC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC5D,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,+EAA+E;AAC/E,oDAAoD;AACpD,+EAA+E;AAE/E,MAAM,gBAAgB,GAAG,IAAI,cAAc,EAAE,CAAC;AAE9C,MAAM,CAAC,MAAM,aAAa,GAAG,CAC3B,KAAa,EACb,OAA6B,EACrB,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;AAEvD,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,GAAW,EAAU,EAAE,CAChD,gBAAgB,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAEnC,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAAW,EAAU,EAAE,CACnD,gBAAgB,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC"}