agentic-qe 3.8.4 → 3.8.6

package/dist/mcp/security/validators/command-validator.d.ts

@@ -1,41 +1,2 @@
-/**
- * Agentic QE v3 - MCP Security: Command Validator
- * Implements the Strategy Pattern for command injection prevention
- */
-import { ICommandValidationStrategy, CommandValidationOptions, CommandValidationResult, RiskLevel } from './interfaces';
-/**
- * Allowed commands whitelist (default safe commands)
- */
-export declare const DEFAULT_ALLOWED_COMMANDS: string[];
-/**
- * Blocked command patterns (injection vectors)
- */
-export declare const BLOCKED_COMMAND_PATTERNS: RegExp[];
-/**
- * Command Validator Strategy
- * Validates and sanitizes shell commands to prevent injection attacks
- */
-export declare class CommandValidator implements ICommandValidationStrategy {
-    readonly name = "command-injection";
-    private defaultAllowedCommands;
-    constructor(defaultAllowedCommands?: string[]);
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel(): RiskLevel;
-    /**
-     * Validate a command (IValidationStrategy interface)
-     */
-    validate(command: string, options?: CommandValidationOptions): CommandValidationResult;
-    /**
-     * Validate and sanitize a command
-     */
-    validateCommand(command: string, allowedCommands?: string[]): CommandValidationResult;
-    /**
-     * Escape a string for safe shell usage
-     */
-    escapeShellArg(arg: string): string;
-}
-export declare const validateCommand: (command: string, allowedCommands?: string[]) => CommandValidationResult;
-export declare const escapeShellArg: (arg: string) => string;
+export * from '../../../shared/security/command-validator.js';
 //# sourceMappingURL=command-validator.d.ts.map

package/dist/mcp/security/validators/command-validator.js

@@ -1,123 +1,3 @@
-/**
- * Agentic QE v3 - MCP Security: Command Validator
- * Implements the Strategy Pattern for command injection prevention
- */
-// ============================================================================
-// Constants
-// ============================================================================
-/**
- * Allowed commands whitelist (default safe commands)
- */
-export const DEFAULT_ALLOWED_COMMANDS = [
-    'ls', 'cat', 'echo', 'grep', 'find', 'head', 'tail', 'wc',
-    'npm', 'node', 'yarn', 'pnpm',
-    'git', 'jest', 'vitest', 'playwright',
-];
-/**
- * Blocked command patterns (injection vectors)
- */
-export const BLOCKED_COMMAND_PATTERNS = [
-    /;/, // Command chaining with semicolon
-    /&&/, // Command chaining with AND
-    /\|\|/, // Command chaining with OR
-    /\|/, // Piping
-    /`.*`/, // Backtick command substitution
-    /\$\(.*\)/, // $() command substitution
-    />\s*\/dev\/sd/i, // Writing to block devices
-    />\s*\/etc\//i, // Writing to /etc
-];
-/**
- * Shell metacharacters (excludes parentheses which are common in normal text)
- */
-const SHELL_METACHARACTERS = /[|;&$`<>{}[\]!#*?~]/g;
-// ============================================================================
-// Command Validator Implementation
-// ============================================================================
-/**
- * Command Validator Strategy
- * Validates and sanitizes shell commands to prevent injection attacks
- */
-export class CommandValidator {
-    name = 'command-injection';
-    defaultAllowedCommands;
-    constructor(defaultAllowedCommands = DEFAULT_ALLOWED_COMMANDS) {
-        this.defaultAllowedCommands = defaultAllowedCommands;
-    }
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel() {
-        return 'critical';
-    }
-    /**
-     * Validate a command (IValidationStrategy interface)
-     */
-    validate(command, options = {}) {
-        const allowedCommands = options.allowedCommands ?? this.defaultAllowedCommands;
-        return this.validateCommand(command, allowedCommands);
-    }
-    /**
-     * Validate and sanitize a command
-     */
-    validateCommand(command, allowedCommands = this.defaultAllowedCommands) {
-        const blockedPatterns = [];
-        // Check for blocked patterns
-        for (const pattern of BLOCKED_COMMAND_PATTERNS) {
-            if (pattern.test(command)) {
-                blockedPatterns.push(pattern.source);
-            }
-        }
-        if (blockedPatterns.length > 0) {
-            return {
-                valid: false,
-                error: 'Command contains blocked patterns',
-                blockedPatterns,
-                riskLevel: 'critical',
-            };
-        }
-        // Extract base command
-        const parts = command.trim().split(/\s+/);
-        const baseCommand = parts[0].split('/').pop() || '';
-        // Check against whitelist
-        if (!allowedCommands.includes(baseCommand)) {
-            return {
-                valid: false,
-                error: `Command '${baseCommand}' is not in the allowed list`,
-                blockedPatterns: [],
-                riskLevel: 'high',
-            };
-        }
-        // Sanitize arguments
-        const sanitizedParts = parts.map((part, i) => {
-            if (i === 0)
-                return part;
-            // Remove shell metacharacters from arguments
-            return part.replace(SHELL_METACHARACTERS, '');
-        });
-        return {
-            valid: true,
-            sanitizedCommand: sanitizedParts.join(' '),
-            blockedPatterns: [],
-            riskLevel: 'none',
-        };
-    }
-    /**
-     * Escape a string for safe shell usage
-     */
-    escapeShellArg(arg) {
-        // Wrap in single quotes and escape any internal single quotes
-        return `'${arg.replace(/'/g, "'\\''")}'`;
-    }
-}
-// ============================================================================
-// Standalone Functions (for backward compatibility)
-// ============================================================================
-const defaultValidator = new CommandValidator();
-export const validateCommand = (command, allowedCommands) => {
-    if (allowedCommands) {
-        return defaultValidator.validateCommand(command, allowedCommands);
-    }
-    return defaultValidator.validate(command);
-};
-export const escapeShellArg = (arg) => defaultValidator.escapeShellArg(arg);
+// Re-export from shared/security for backward compatibility
+export * from '../../../shared/security/command-validator.js';
 //# sourceMappingURL=command-validator.js.map

package/dist/mcp/security/validators/crypto-validator.d.ts

@@ -1,40 +1,2 @@
-/**
- * Agentic QE v3 - MCP Security: Crypto Validator
- * Implements the Strategy Pattern for cryptographic security operations
- */
-import { ICryptoValidationStrategy, RiskLevel } from './interfaces';
-/**
- * Crypto Validator Strategy
- * Provides timing-safe comparisons and secure cryptographic operations
- */
-export declare class CryptoValidator implements ICryptoValidationStrategy {
-    readonly name = "crypto-security";
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel(): RiskLevel;
-    /**
-     * Perform a timing-safe string comparison
-     * Prevents timing attacks by ensuring constant-time comparison
-     */
-    timingSafeCompare(a: string, b: string): boolean;
-    /**
-     * Timing-safe comparison for hashed values
-     * Hashes the input value and compares against expected hash
-     */
-    timingSafeHashCompare(value: string, expectedHash: string): boolean;
-    /**
-     * Generate a secure random token
-     * Uses cryptographically secure random bytes
-     */
-    generateSecureToken(length?: number): string;
-    /**
-     * Hash a value securely using SHA-256
-     */
-    secureHash(value: string, salt?: string): string;
-}
-export declare const timingSafeCompare: (a: string, b: string) => boolean;
-export declare const timingSafeHashCompare: (value: string, expectedHash: string) => boolean;
-export declare const generateSecureToken: (length?: number) => string;
-export declare const secureHash: (value: string, salt?: string) => string;
+export * from '../../../shared/security/crypto-validator.js';
 //# sourceMappingURL=crypto-validator.d.ts.map

package/dist/mcp/security/validators/crypto-validator.js

@@ -1,72 +1,3 @@
-/**
- * Agentic QE v3 - MCP Security: Crypto Validator
- * Implements the Strategy Pattern for cryptographic security operations
- */
-import { createHash, timingSafeEqual, randomBytes } from 'crypto';
-// ============================================================================
-// Crypto Validator Implementation
-// ============================================================================
-/**
- * Crypto Validator Strategy
- * Provides timing-safe comparisons and secure cryptographic operations
- */
-export class CryptoValidator {
-    name = 'crypto-security';
-    /**
-     * Get the primary risk level this validator addresses
-     */
-    getRiskLevel() {
-        return 'critical';
-    }
-    /**
-     * Perform a timing-safe string comparison
-     * Prevents timing attacks by ensuring constant-time comparison
-     */
-    timingSafeCompare(a, b) {
-        // Pad shorter string to prevent length-based timing attacks
-        const maxLen = Math.max(a.length, b.length);
-        const paddedA = a.padEnd(maxLen, '\0');
-        const paddedB = b.padEnd(maxLen, '\0');
-        try {
-            return timingSafeEqual(Buffer.from(paddedA), Buffer.from(paddedB));
-        }
-        catch {
-            return false;
-        }
-    }
-    /**
-     * Timing-safe comparison for hashed values
-     * Hashes the input value and compares against expected hash
-     */
-    timingSafeHashCompare(value, expectedHash) {
-        const hash = createHash('sha256').update(value).digest('hex');
-        return this.timingSafeCompare(hash, expectedHash);
-    }
-    /**
-     * Generate a secure random token
-     * Uses cryptographically secure random bytes
-     */
-    generateSecureToken(length = 32) {
-        return randomBytes(length)
-            .toString('base64')
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/=/g, '');
-    }
-    /**
-     * Hash a value securely using SHA-256
-     */
-    secureHash(value, salt) {
-        const data = salt ? `${salt}:${value}` : value;
-        return createHash('sha256').update(data).digest('hex');
-    }
-}
-// ============================================================================
-// Standalone Functions (for backward compatibility)
-// ============================================================================
-const defaultValidator = new CryptoValidator();
-export const timingSafeCompare = (a, b) => defaultValidator.timingSafeCompare(a, b);
-export const timingSafeHashCompare = (value, expectedHash) => defaultValidator.timingSafeHashCompare(value, expectedHash);
-export const generateSecureToken = (length) => defaultValidator.generateSecureToken(length);
-export const secureHash = (value, salt) => defaultValidator.secureHash(value, salt);
+// Re-export from shared/security for backward compatibility
+export * from '../../../shared/security/crypto-validator.js';
 //# sourceMappingURL=crypto-validator.js.map

package/dist/mcp/security/validators/input-sanitizer.d.ts

@@ -1,56 +1,2 @@
-/**
- * Agentic QE v3 - MCP Security: Input Sanitizer
- * Implements the Strategy Pattern for input sanitization
- */
-import { IInputSanitizationStrategy, SanitizationOptions, RiskLevel } from './interfaces';
-/**
- * HTML escape characters mapping
- */
-export declare const HTML_ESCAPE_MAP: Record<string, string>;
-/**
- * SQL injection patterns to detect and remove
- */
-export declare const SQL_INJECTION_PATTERNS: RegExp[];
-/**
- * Shell metacharacters (excludes parentheses which are common in normal text)
- */
-export declare const SHELL_METACHARACTERS: RegExp;
-/**
- * Dangerous control characters that should be stripped:
- * - Null byte (\x00): String termination attacks, filter bypass
- * - Backspace (\x08): Log manipulation
- * - Bell (\x07): Terminal escape attacks
- * - Vertical tab (\x0B): Filter bypass
- * - Form feed (\x0C): Filter bypass
- * - Escape (\x1B): Terminal escape sequences (ANSI attacks)
- * - Delete (\x7F): Buffer manipulation
- */
-export declare const DANGEROUS_CONTROL_CHARS: RegExp;
-/**
- * Input Sanitizer Strategy
- * Sanitizes user input to prevent XSS, SQL injection, and command injection
- */
-export declare class InputSanitizer implements IInputSanitizationStrategy {
-    readonly name = "input-sanitization";
-    /**
-     * Get the primary risk level this sanitizer addresses
-     */
-    getRiskLevel(): RiskLevel;
-    /**
-     * Sanitize input string with configurable options
-     */
-    sanitize(input: string, options?: SanitizationOptions): string;
-    /**
-     * Escape HTML special characters
-     */
-    escapeHtml(str: string): string;
-    /**
-     * Strip HTML tags from a string
-     * Handles both complete tags and incomplete/malformed tags to prevent XSS
-     */
-    stripHtmlTags(str: string): string;
-}
-export declare const sanitizeInput: (input: string, options?: SanitizationOptions) => string;
-export declare const escapeHtml: (str: string) => string;
-export declare const stripHtmlTags: (str: string) => string;
+export * from '../../../shared/security/input-sanitizer.js';
 //# sourceMappingURL=input-sanitizer.d.ts.map

package/dist/mcp/security/validators/input-sanitizer.js

@@ -1,157 +1,3 @@
-/**
- * Agentic QE v3 - MCP Security: Input Sanitizer
- * Implements the Strategy Pattern for input sanitization
- */
-// ============================================================================
-// Constants
-// ============================================================================
-/**
- * HTML escape characters mapping
- */
-export const HTML_ESCAPE_MAP = {
-    '&': '&',
-    '<': '&lt;',
-    '>': '&gt;',
-    '"': '&quot;',
-    "'": '&#x27;',
-    '/': '&#x2F;',
-    '`': '&#x60;',
-    '=': '&#x3D;',
-};
-/**
- * SQL injection patterns to detect and remove
- */
-export const SQL_INJECTION_PATTERNS = [
-    /('|")\s*;\s*--/i,
-    /'\s*OR\s+'1'\s*=\s*'1/i,
-    /"\s*OR\s+"1"\s*=\s*"1/i,
-    /UNION\s+SELECT/i,
-    /INSERT\s+INTO/i,
-    /DROP\s+TABLE/i,
-    /DELETE\s+FROM/i,
-    /UPDATE\s+.*\s+SET/i,
-    /EXEC(\s+|\()sp_/i,
-    /xp_cmdshell/i,
-];
-/**
- * Shell metacharacters (excludes parentheses which are common in normal text)
- */
-export const SHELL_METACHARACTERS = /[|;&$`<>{}[\]!#*?~]/g;
-/**
- * Dangerous control characters that should be stripped:
- * - Null byte (\x00): String termination attacks, filter bypass
- * - Backspace (\x08): Log manipulation
- * - Bell (\x07): Terminal escape attacks
- * - Vertical tab (\x0B): Filter bypass
- * - Form feed (\x0C): Filter bypass
- * - Escape (\x1B): Terminal escape sequences (ANSI attacks)
- * - Delete (\x7F): Buffer manipulation
- */
-export const DANGEROUS_CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
-// ============================================================================
-// Input Sanitizer Implementation
-// ============================================================================
-/**
- * Input Sanitizer Strategy
- * Sanitizes user input to prevent XSS, SQL injection, and command injection
- */
-export class InputSanitizer {
-    name = 'input-sanitization';
-    /**
-     * Get the primary risk level this sanitizer addresses
-     */
-    getRiskLevel() {
-        return 'high';
-    }
-    /**
-     * Sanitize input string with configurable options
-     */
-    sanitize(input, options = {}) {
-        const { maxLength = 10000, allowedChars, stripHtml = true, stripSql = true, escapeShell = true, trim = true, stripControlChars = true, } = options;
-        let result = input;
-        // Strip dangerous control characters first (null bytes, escape sequences, etc.)
-        // This must happen early to prevent bypass of later sanitization steps
-        if (stripControlChars) {
-            result = result.replace(DANGEROUS_CONTROL_CHARS, '');
-        }
-        // Trim
-        if (trim) {
-            result = result.trim();
-        }
-        // Max length
-        if (result.length > maxLength) {
-            result = result.substring(0, maxLength);
-        }
-        // Strip HTML
-        if (stripHtml) {
-            result = this.stripHtmlTags(result);
-        }
-        // Strip SQL injection attempts
-        if (stripSql) {
-            for (const pattern of SQL_INJECTION_PATTERNS) {
-                result = result.replace(pattern, '');
-            }
-        }
-        // Escape shell metacharacters
-        if (escapeShell) {
-            result = result.replace(SHELL_METACHARACTERS, '');
-        }
-        // Filter to allowed characters
-        if (allowedChars) {
-            // Filter character by character to respect the provided regex
-            result = result.split('').filter(char => allowedChars.test(char)).join('');
-        }
-        return result;
-    }
-    /**
-     * Escape HTML special characters
-     */
-    escapeHtml(str) {
-        return str.replace(/[&<>"'`=/]/g, char => HTML_ESCAPE_MAP[char] || char);
-    }
-    /**
-     * Strip HTML tags from a string
-     * Handles both complete tags and incomplete/malformed tags to prevent XSS
-     */
-    stripHtmlTags(str) {
-        // Limit input length to prevent ReDoS
-        const MAX_LENGTH = 100000;
-        if (str.length > MAX_LENGTH) {
-            str = str.slice(0, MAX_LENGTH);
-        }
-        let result = str;
-        let prevLength;
-        // Loop until no more changes (handles nested/malformed tags like <script<script>>)
-        do {
-            prevLength = result.length;
-            // Remove complete HTML tags using a non-backtracking approach
-            // Process character by character to avoid regex backtracking
-            let cleaned = '';
-            let inTag = false;
-            for (let i = 0; i < result.length; i++) {
-                const char = result[i];
-                if (char === '<') {
-                    inTag = true;
-                }
-                else if (char === '>' && inTag) {
-                    inTag = false;
-                }
-                else if (!inTag) {
-                    cleaned += char;
-                }
-            }
-            result = cleaned;
-        } while (result.length < prevLength && result.length > 0);
-        // Encode any remaining angle brackets
-        result = result.replace(/</g, '&lt;').replace(/>/g, '&gt;');
-        return result;
-    }
-}
-// ============================================================================
-// Standalone Functions (for backward compatibility)
-// ============================================================================
-const defaultSanitizer = new InputSanitizer();
-export const sanitizeInput = (input, options) => defaultSanitizer.sanitize(input, options);
-export const escapeHtml = (str) => defaultSanitizer.escapeHtml(str);
-export const stripHtmlTags = (str) => defaultSanitizer.stripHtmlTags(str);
+// Re-export from shared/security for backward compatibility
+export * from '../../../shared/security/input-sanitizer.js';
 //# sourceMappingURL=input-sanitizer.js.map

package/dist/mcp/security/validators/interfaces.d.ts

@@ -1,164 +1,2 @@
-/**
- * Agentic QE v3 - MCP Security: Validation Strategy Interfaces
- * Defines the Strategy Pattern interfaces for security validators
- */
-/**
- * Risk level classification for security validation
- */
-export type RiskLevel = 'none' | 'low' | 'medium' | 'high' | 'critical';
-/**
- * Base validation result returned by all validators
- */
-export interface ValidationResult {
-    valid: boolean;
-    error?: string;
-    riskLevel: RiskLevel;
-}
-/**
- * Path validation result with normalized path
- */
-export interface PathValidationResult extends ValidationResult {
-    normalizedPath?: string;
-}
-/**
- * Regex safety result with pattern analysis
- */
-export interface RegexSafetyResult {
-    safe: boolean;
-    pattern?: string;
-    escapedPattern?: string;
-    error?: string;
-    riskyPatterns: string[];
-}
-/**
- * Command validation result with sanitized command
- */
-export interface CommandValidationResult extends ValidationResult {
-    sanitizedCommand?: string;
-    blockedPatterns: string[];
-}
-/**
- * Input sanitization options
- */
-export interface SanitizationOptions {
-    maxLength?: number;
-    allowedChars?: RegExp;
-    stripHtml?: boolean;
-    stripSql?: boolean;
-    escapeShell?: boolean;
-    trim?: boolean;
-    /** Strip dangerous control characters (null bytes, escape sequences, etc.) - default: true */
-    stripControlChars?: boolean;
-}
-/**
- * Path validation options
- */
-export interface PathValidationOptions {
-    basePath?: string;
-    allowAbsolute?: boolean;
-    allowedExtensions?: string[];
-    deniedExtensions?: string[];
-    maxDepth?: number;
-    maxLength?: number;
-}
-/**
- * Regex validation options
- */
-export interface RegexValidationOptions {
-    maxLength?: number;
-    maxComplexity?: number;
-}
-/**
- * Command validation options
- */
-export interface CommandValidationOptions {
-    allowedCommands?: string[];
-}
-/**
- * Base interface for all validation strategies
- * Implements the Strategy Pattern for modular security validation
- */
-export interface IValidationStrategy<TInput = unknown, TOptions = unknown, TResult extends ValidationResult = ValidationResult> {
-    /**
-     * Unique name identifier for this validator
-     */
-    readonly name: string;
-    /**
-     * Validate the input according to this strategy
-     * @param input - The input to validate
-     * @param options - Optional validation options
-     * @returns The validation result
-     */
-    validate(input: TInput, options?: TOptions): TResult;
-    /**
-     * Get the risk level this validator typically addresses
-     * @returns The primary risk level category
-     */
-    getRiskLevel(): RiskLevel;
-}
-/**
- * Path traversal validation strategy interface
- */
-export interface IPathValidationStrategy extends IValidationStrategy<string, PathValidationOptions, PathValidationResult> {
-    normalizePath(path: string): string;
-    joinPaths(...paths: string[]): string;
-    joinPathsAbsolute(...paths: string[]): string;
-    getExtension(path: string): string | null;
-}
-/**
- * Regex safety validation strategy interface
- */
-export interface IRegexValidationStrategy extends IValidationStrategy<string, RegexValidationOptions, ValidationResult> {
-    isRegexSafe(pattern: string): RegexSafetyResult;
-    escapeRegex(str: string): string;
-    createSafeRegex(pattern: string, flags?: string, maxLength?: number): RegExp | null;
-}
-/**
- * Command validation strategy interface
- */
-export interface ICommandValidationStrategy extends IValidationStrategy<string, CommandValidationOptions, CommandValidationResult> {
-    escapeShellArg(arg: string): string;
-}
-/**
- * Input sanitization strategy interface
- */
-export interface IInputSanitizationStrategy {
-    readonly name: string;
-    sanitize(input: string, options?: SanitizationOptions): string;
-    escapeHtml(str: string): string;
-    stripHtmlTags(str: string): string;
-    getRiskLevel(): RiskLevel;
-}
-/**
- * Crypto validation strategy interface
- */
-export interface ICryptoValidationStrategy {
-    readonly name: string;
-    timingSafeCompare(a: string, b: string): boolean;
-    timingSafeHashCompare(value: string, expectedHash: string): boolean;
-    generateSecureToken(length?: number): string;
-    secureHash(value: string, salt?: string): string;
-    getRiskLevel(): RiskLevel;
-}
-/**
- * Validation orchestrator interface for coordinating multiple validators
- */
-export interface IValidationOrchestrator {
-    /**
-     * Register a validation strategy
-     */
-    registerStrategy(strategy: IValidationStrategy): void;
-    /**
-     * Get a registered strategy by name
-     */
-    getStrategy(name: string): IValidationStrategy | undefined;
-    /**
-     * Validate using a specific strategy
-     */
-    validateWith<TResult extends ValidationResult>(strategyName: string, input: unknown, options?: unknown): TResult;
-    /**
-     * Run all registered validators on an input
-     */
-    validateAll(input: unknown): Map<string, ValidationResult>;
-}
+export * from '../../../shared/security/validators-interfaces.js';
 //# sourceMappingURL=interfaces.d.ts.map

package/dist/mcp/security/validators/interfaces.js

@@ -1,6 +1,3 @@
-/**
- * Agentic QE v3 - MCP Security: Validation Strategy Interfaces
- * Defines the Strategy Pattern interfaces for security validators
- */
-export {};
+// Re-export from shared/security for backward compatibility
+export * from '../../../shared/security/validators-interfaces.js';
 //# sourceMappingURL=interfaces.js.map