agentic-qe 3.8.4 → 3.8.5

package/dist/mcp/security/validators/validation-orchestrator.js

@@ -1,146 +1,3 @@
-/**
- * Agentic QE v3 - MCP Security: Validation Orchestrator
- * Coordinates all validation strategies using the Strategy Pattern
- */
-import { PathTraversalValidator } from './path-traversal-validator';
-import { RegexSafetyValidator } from './regex-safety-validator';
-import { CommandValidator } from './command-validator';
-// ============================================================================
-// Validation Orchestrator Implementation
-// ============================================================================
-/**
- * Validation Orchestrator
- * Coordinates multiple validation strategies and provides a unified interface
- */
-export class ValidationOrchestrator {
-    strategies = new Map();
-    /**
-     * Create a new orchestrator with default validators
-     */
-    constructor(registerDefaults = true) {
-        if (registerDefaults) {
-            this.registerDefaultStrategies();
-        }
-    }
-    /**
-     * Register the default validation strategies
-     */
-    registerDefaultStrategies() {
-        this.registerStrategy(new PathTraversalValidator());
-        this.registerStrategy(new RegexSafetyValidator());
-        this.registerStrategy(new CommandValidator());
-        // Note: InputSanitizer and CryptoValidator don't implement IValidationStrategy
-        // They have their own interfaces (IInputSanitizationStrategy, ICryptoValidationStrategy)
-        // They can be accessed directly through the facade
-    }
-    /**
-     * Register a validation strategy
-     */
-    registerStrategy(strategy) {
-        this.strategies.set(strategy.name, strategy);
-    }
-    /**
-     * Get a registered strategy by name
-     */
-    getStrategy(name) {
-        return this.strategies.get(name);
-    }
-    /**
-     * Get all registered strategy names
-     */
-    getStrategyNames() {
-        return Array.from(this.strategies.keys());
-    }
-    /**
-     * Validate using a specific strategy
-     */
-    validateWith(strategyName, input, options) {
-        const strategy = this.strategies.get(strategyName);
-        if (!strategy) {
-            throw new Error(`Strategy '${strategyName}' not found`);
-        }
-        return strategy.validate(input, options);
-    }
-    /**
-     * Run all registered validators on an input
-     * Useful for comprehensive input validation
-     */
-    validateAll(input) {
-        const results = new Map();
-        for (const [name, strategy] of this.strategies) {
-            try {
-                results.set(name, strategy.validate(input));
-            }
-            catch (error) {
-                results.set(name, {
-                    valid: false,
-                    error: error instanceof Error ? error.message : 'Unknown error',
-                    riskLevel: 'high',
-                });
-            }
-        }
-        return results;
-    }
-    /**
-     * Check if any validator found issues
-     */
-    hasIssues(results) {
-        for (const result of results.values()) {
-            if (!result.valid) {
-                return true;
-            }
-        }
-        return false;
-    }
-    /**
-     * Get the highest risk level from validation results
-     */
-    getHighestRisk(results) {
-        const riskOrder = ['none', 'low', 'medium', 'high', 'critical'];
-        let highest = 'none';
-        for (const result of results.values()) {
-            const currentIndex = riskOrder.indexOf(result.riskLevel);
-            const highestIndex = riskOrder.indexOf(highest);
-            if (currentIndex > highestIndex) {
-                highest = result.riskLevel;
-            }
-        }
-        return highest;
-    }
-    /**
-     * Get all issues from validation results
-     */
-    getAllIssues(results) {
-        const issues = [];
-        for (const [name, result] of results) {
-            if (!result.valid && result.error) {
-                issues.push({
-                    validator: name,
-                    error: result.error,
-                    riskLevel: result.riskLevel,
-                });
-            }
-        }
-        return issues;
-    }
-}
-// ============================================================================
-// Singleton Instance
-// ============================================================================
-let defaultOrchestrator = null;
-/**
- * Get the default validation orchestrator instance
- */
-export function getOrchestrator() {
-    if (!defaultOrchestrator) {
-        defaultOrchestrator = new ValidationOrchestrator();
-    }
-    return defaultOrchestrator;
-}
-/**
- * Create a new validation orchestrator
- */
-export function createOrchestrator(registerDefaults = true) {
-    return new ValidationOrchestrator(registerDefaults);
-}
+// Re-export from shared/security for backward compatibility
+export * from '../../../shared/security/validation-orchestrator.js';
 //# sourceMappingURL=validation-orchestrator.js.map

package/dist/shared/io/file-reader.js

@@ -5,7 +5,7 @@
 import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
 import { ok, err } from '../types';
-import { validatePath } from '../../mcp/security/cve-prevention';
+import { validatePath } from '../security/path-traversal-validator.js';
 import { safeJsonParse } from '../safe-json.js';
 export class FileReadError extends Error {
     filePath;

package/dist/shared/security/command-validator.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Agentic QE v3 - MCP Security: Command Validator
+ * Implements the Strategy Pattern for command injection prevention
+ *
+ * Moved from src/mcp/security/validators/command-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { ICommandValidationStrategy, CommandValidationOptions, CommandValidationResult, RiskLevel } from './validators-interfaces.js';
+/**
+ * Allowed commands whitelist (default safe commands)
+ */
+export declare const DEFAULT_ALLOWED_COMMANDS: string[];
+/**
+ * Blocked command patterns (injection vectors)
+ */
+export declare const BLOCKED_COMMAND_PATTERNS: RegExp[];
+/**
+ * Command Validator Strategy
+ * Validates and sanitizes shell commands to prevent injection attacks
+ */
+export declare class CommandValidator implements ICommandValidationStrategy {
+    readonly name = "command-injection";
+    private defaultAllowedCommands;
+    constructor(defaultAllowedCommands?: string[]);
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Validate a command (IValidationStrategy interface)
+     */
+    validate(command: string, options?: CommandValidationOptions): CommandValidationResult;
+    /**
+     * Validate and sanitize a command
+     */
+    validateCommand(command: string, allowedCommands?: string[]): CommandValidationResult;
+    /**
+     * Escape a string for safe shell usage
+     */
+    escapeShellArg(arg: string): string;
+}
+export declare const validateCommand: (command: string, allowedCommands?: string[]) => CommandValidationResult;
+export declare const escapeShellArg: (arg: string) => string;
+//# sourceMappingURL=command-validator.d.ts.map

package/dist/shared/security/command-validator.js

@@ -0,0 +1,126 @@
+/**
+ * Agentic QE v3 - MCP Security: Command Validator
+ * Implements the Strategy Pattern for command injection prevention
+ *
+ * Moved from src/mcp/security/validators/command-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * Allowed commands whitelist (default safe commands)
+ */
+export const DEFAULT_ALLOWED_COMMANDS = [
+    'ls', 'cat', 'echo', 'grep', 'find', 'head', 'tail', 'wc',
+    'npm', 'node', 'yarn', 'pnpm',
+    'git', 'jest', 'vitest', 'playwright',
+];
+/**
+ * Blocked command patterns (injection vectors)
+ */
+export const BLOCKED_COMMAND_PATTERNS = [
+    /;/, // Command chaining with semicolon
+    /&&/, // Command chaining with AND
+    /\|\|/, // Command chaining with OR
+    /\|/, // Piping
+    /`.*`/, // Backtick command substitution
+    /\$\(.*\)/, // $() command substitution
+    />\s*\/dev\/sd/i, // Writing to block devices
+    />\s*\/etc\//i, // Writing to /etc
+];
+/**
+ * Shell metacharacters (excludes parentheses which are common in normal text)
+ */
+const SHELL_METACHARACTERS = /[|;&$`<>{}[\]!#*?~]/g;
+// ============================================================================
+// Command Validator Implementation
+// ============================================================================
+/**
+ * Command Validator Strategy
+ * Validates and sanitizes shell commands to prevent injection attacks
+ */
+export class CommandValidator {
+    name = 'command-injection';
+    defaultAllowedCommands;
+    constructor(defaultAllowedCommands = DEFAULT_ALLOWED_COMMANDS) {
+        this.defaultAllowedCommands = defaultAllowedCommands;
+    }
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel() {
+        return 'critical';
+    }
+    /**
+     * Validate a command (IValidationStrategy interface)
+     */
+    validate(command, options = {}) {
+        const allowedCommands = options.allowedCommands ?? this.defaultAllowedCommands;
+        return this.validateCommand(command, allowedCommands);
+    }
+    /**
+     * Validate and sanitize a command
+     */
+    validateCommand(command, allowedCommands = this.defaultAllowedCommands) {
+        const blockedPatterns = [];
+        // Check for blocked patterns
+        for (const pattern of BLOCKED_COMMAND_PATTERNS) {
+            if (pattern.test(command)) {
+                blockedPatterns.push(pattern.source);
+            }
+        }
+        if (blockedPatterns.length > 0) {
+            return {
+                valid: false,
+                error: 'Command contains blocked patterns',
+                blockedPatterns,
+                riskLevel: 'critical',
+            };
+        }
+        // Extract base command
+        const parts = command.trim().split(/\s+/);
+        const baseCommand = parts[0].split('/').pop() || '';
+        // Check against whitelist
+        if (!allowedCommands.includes(baseCommand)) {
+            return {
+                valid: false,
+                error: `Command '${baseCommand}' is not in the allowed list`,
+                blockedPatterns: [],
+                riskLevel: 'high',
+            };
+        }
+        // Sanitize arguments
+        const sanitizedParts = parts.map((part, i) => {
+            if (i === 0)
+                return part;
+            // Remove shell metacharacters from arguments
+            return part.replace(SHELL_METACHARACTERS, '');
+        });
+        return {
+            valid: true,
+            sanitizedCommand: sanitizedParts.join(' '),
+            blockedPatterns: [],
+            riskLevel: 'none',
+        };
+    }
+    /**
+     * Escape a string for safe shell usage
+     */
+    escapeShellArg(arg) {
+        // Wrap in single quotes and escape any internal single quotes
+        return `'${arg.replace(/'/g, "'\\''")}'`;
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultValidator = new CommandValidator();
+export const validateCommand = (command, allowedCommands) => {
+    if (allowedCommands) {
+        return defaultValidator.validateCommand(command, allowedCommands);
+    }
+    return defaultValidator.validate(command);
+};
+export const escapeShellArg = (arg) => defaultValidator.escapeShellArg(arg);
+//# sourceMappingURL=command-validator.js.map

package/dist/shared/security/crypto-validator.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Agentic QE v3 - MCP Security: Crypto Validator
+ * Implements the Strategy Pattern for cryptographic security operations
+ *
+ * Moved from src/mcp/security/validators/crypto-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { ICryptoValidationStrategy, RiskLevel } from './validators-interfaces.js';
+/**
+ * Crypto Validator Strategy
+ * Provides timing-safe comparisons and secure cryptographic operations
+ */
+export declare class CryptoValidator implements ICryptoValidationStrategy {
+    readonly name = "crypto-security";
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Perform a timing-safe string comparison
+     * Prevents timing attacks by ensuring constant-time comparison
+     */
+    timingSafeCompare(a: string, b: string): boolean;
+    /**
+     * Timing-safe comparison for hashed values
+     * Hashes the input value and compares against expected hash
+     */
+    timingSafeHashCompare(value: string, expectedHash: string): boolean;
+    /**
+     * Generate a secure random token
+     * Uses cryptographically secure random bytes
+     */
+    generateSecureToken(length?: number): string;
+    /**
+     * Hash a value securely using SHA-256
+     */
+    secureHash(value: string, salt?: string): string;
+}
+export declare const timingSafeCompare: (a: string, b: string) => boolean;
+export declare const timingSafeHashCompare: (value: string, expectedHash: string) => boolean;
+export declare const generateSecureToken: (length?: number) => string;
+export declare const secureHash: (value: string, salt?: string) => string;
+//# sourceMappingURL=crypto-validator.d.ts.map

package/dist/shared/security/crypto-validator.js

@@ -0,0 +1,75 @@
+/**
+ * Agentic QE v3 - MCP Security: Crypto Validator
+ * Implements the Strategy Pattern for cryptographic security operations
+ *
+ * Moved from src/mcp/security/validators/crypto-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { createHash, timingSafeEqual, randomBytes } from 'crypto';
+// ============================================================================
+// Crypto Validator Implementation
+// ============================================================================
+/**
+ * Crypto Validator Strategy
+ * Provides timing-safe comparisons and secure cryptographic operations
+ */
+export class CryptoValidator {
+    name = 'crypto-security';
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel() {
+        return 'critical';
+    }
+    /**
+     * Perform a timing-safe string comparison
+     * Prevents timing attacks by ensuring constant-time comparison
+     */
+    timingSafeCompare(a, b) {
+        // Pad shorter string to prevent length-based timing attacks
+        const maxLen = Math.max(a.length, b.length);
+        const paddedA = a.padEnd(maxLen, '\0');
+        const paddedB = b.padEnd(maxLen, '\0');
+        try {
+            return timingSafeEqual(Buffer.from(paddedA), Buffer.from(paddedB));
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Timing-safe comparison for hashed values
+     * Hashes the input value and compares against expected hash
+     */
+    timingSafeHashCompare(value, expectedHash) {
+        const hash = createHash('sha256').update(value).digest('hex');
+        return this.timingSafeCompare(hash, expectedHash);
+    }
+    /**
+     * Generate a secure random token
+     * Uses cryptographically secure random bytes
+     */
+    generateSecureToken(length = 32) {
+        return randomBytes(length)
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+    /**
+     * Hash a value securely using SHA-256
+     */
+    secureHash(value, salt) {
+        const data = salt ? `${salt}:${value}` : value;
+        return createHash('sha256').update(data).digest('hex');
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultValidator = new CryptoValidator();
+export const timingSafeCompare = (a, b) => defaultValidator.timingSafeCompare(a, b);
+export const timingSafeHashCompare = (value, expectedHash) => defaultValidator.timingSafeHashCompare(value, expectedHash);
+export const generateSecureToken = (length) => defaultValidator.generateSecureToken(length);
+export const secureHash = (value, salt) => defaultValidator.secureHash(value, salt);
+//# sourceMappingURL=crypto-validator.js.map

package/dist/shared/security/index.d.ts

@@ -5,4 +5,11 @@ export { OSVClient } from './osv-client';
 export type { OSVClientConfig, OSVQueryRequest, OSVEcosystem, OSVVulnerability, OSVSeverity, OSVAffected, OSVRange, OSVReference, OSVQueryResponse, OSVBatchQueryRequest, OSVBatchQueryResponse, ParsedVulnerability, } from './osv-client';
 export { CompliancePatternAnalyzer, getCompliancePatternAnalyzer } from './compliance-patterns';
 export type { PatternMatch, CompliancePatternResult, EncryptionAnalysis, AccessControlAnalysis, LoggingAnalysis, DataProtectionAnalysis, SecurityControlsAnalysis, } from './compliance-patterns';
+export type { RiskLevel, ValidationResult, PathValidationResult, RegexSafetyResult, CommandValidationResult, SanitizationOptions, PathValidationOptions, RegexValidationOptions, CommandValidationOptions, IValidationStrategy, IPathValidationStrategy, IRegexValidationStrategy, ICommandValidationStrategy, IInputSanitizationStrategy, ICryptoValidationStrategy, IValidationOrchestrator, } from './validators-interfaces';
+export { PathTraversalValidator, PATH_TRAVERSAL_PATTERNS, DANGEROUS_PATH_COMPONENTS, validatePath, normalizePath, joinPaths, joinPathsAbsolute, getExtension, } from './path-traversal-validator';
+export { RegexSafetyValidator, REDOS_PATTERNS, countQuantifierNesting, hasExponentialBacktracking, isRegexSafe, escapeRegex, createSafeRegex, } from './regex-safety-validator';
+export { CommandValidator, DEFAULT_ALLOWED_COMMANDS, BLOCKED_COMMAND_PATTERNS, validateCommand, escapeShellArg, } from './command-validator';
+export { InputSanitizer, HTML_ESCAPE_MAP, SQL_INJECTION_PATTERNS, SHELL_METACHARACTERS, DANGEROUS_CONTROL_CHARS, sanitizeInput, escapeHtml, stripHtmlTags, } from './input-sanitizer';
+export { CryptoValidator, timingSafeCompare, timingSafeHashCompare, generateSecureToken, secureHash, } from './crypto-validator';
+export { ValidationOrchestrator, getOrchestrator, createOrchestrator, } from './validation-orchestrator';
 //# sourceMappingURL=index.d.ts.map

package/dist/shared/security/index.js

@@ -3,4 +3,19 @@
  */
 export { OSVClient } from './osv-client';
 export { CompliancePatternAnalyzer, getCompliancePatternAnalyzer } from './compliance-patterns';
+// ============================================================================
+// Validators (moved from mcp/security/validators/)
+// ============================================================================
+// Path Traversal
+export { PathTraversalValidator, PATH_TRAVERSAL_PATTERNS, DANGEROUS_PATH_COMPONENTS, validatePath, normalizePath, joinPaths, joinPathsAbsolute, getExtension, } from './path-traversal-validator';
+// Regex Safety
+export { RegexSafetyValidator, REDOS_PATTERNS, countQuantifierNesting, hasExponentialBacktracking, isRegexSafe, escapeRegex, createSafeRegex, } from './regex-safety-validator';
+// Command Validator
+export { CommandValidator, DEFAULT_ALLOWED_COMMANDS, BLOCKED_COMMAND_PATTERNS, validateCommand, escapeShellArg, } from './command-validator';
+// Input Sanitizer
+export { InputSanitizer, HTML_ESCAPE_MAP, SQL_INJECTION_PATTERNS, SHELL_METACHARACTERS, DANGEROUS_CONTROL_CHARS, sanitizeInput, escapeHtml, stripHtmlTags, } from './input-sanitizer';
+// Crypto Validator
+export { CryptoValidator, timingSafeCompare, timingSafeHashCompare, generateSecureToken, secureHash, } from './crypto-validator';
+// Orchestrator
+export { ValidationOrchestrator, getOrchestrator, createOrchestrator, } from './validation-orchestrator';
 //# sourceMappingURL=index.js.map

package/dist/shared/security/input-sanitizer.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Agentic QE v3 - MCP Security: Input Sanitizer
+ * Implements the Strategy Pattern for input sanitization
+ *
+ * Moved from src/mcp/security/validators/input-sanitizer.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { IInputSanitizationStrategy, SanitizationOptions, RiskLevel } from './validators-interfaces.js';
+/**
+ * HTML escape characters mapping
+ */
+export declare const HTML_ESCAPE_MAP: Record<string, string>;
+/**
+ * SQL injection patterns to detect and remove
+ */
+export declare const SQL_INJECTION_PATTERNS: RegExp[];
+/**
+ * Shell metacharacters (excludes parentheses which are common in normal text)
+ */
+export declare const SHELL_METACHARACTERS: RegExp;
+/**
+ * Dangerous control characters that should be stripped:
+ * - Null byte (\x00): String termination attacks, filter bypass
+ * - Backspace (\x08): Log manipulation
+ * - Bell (\x07): Terminal escape attacks
+ * - Vertical tab (\x0B): Filter bypass
+ * - Form feed (\x0C): Filter bypass
+ * - Escape (\x1B): Terminal escape sequences (ANSI attacks)
+ * - Delete (\x7F): Buffer manipulation
+ */
+export declare const DANGEROUS_CONTROL_CHARS: RegExp;
+/**
+ * Input Sanitizer Strategy
+ * Sanitizes user input to prevent XSS, SQL injection, and command injection
+ */
+export declare class InputSanitizer implements IInputSanitizationStrategy {
+    readonly name = "input-sanitization";
+    /**
+     * Get the primary risk level this sanitizer addresses
+     */
+    getRiskLevel(): RiskLevel;
+    /**
+     * Sanitize input string with configurable options
+     */
+    sanitize(input: string, options?: SanitizationOptions): string;
+    /**
+     * Escape HTML special characters
+     */
+    escapeHtml(str: string): string;
+    /**
+     * Strip HTML tags from a string
+     * Handles both complete tags and incomplete/malformed tags to prevent XSS
+     */
+    stripHtmlTags(str: string): string;
+}
+export declare const sanitizeInput: (input: string, options?: SanitizationOptions) => string;
+export declare const escapeHtml: (str: string) => string;
+export declare const stripHtmlTags: (str: string) => string;
+//# sourceMappingURL=input-sanitizer.d.ts.map