npm - agentic-qe - Versions diffs - 3.8.4 → 3.8.6 - Mend

agentic-qe 3.8.4 → 3.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/dist/shared/security/regex-safety-validator.js ADDED Viewed

@@ -0,0 +1,186 @@
+/**
+ * Agentic QE v3 - MCP Security: Regex Safety Validator
+ * Implements the Strategy Pattern for ReDoS prevention
+ *
+ * Moved from src/mcp/security/validators/regex-safety-validator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * Patterns that can cause ReDoS (Regular Expression Denial of Service)
+ */
+export const REDOS_PATTERNS = [
+    /\(\.\*\)\+/, // (.*)+
+    /\(\.\+\)\+/, // (.+)+
+    /\([^)]*?\?\)\+/, // (...?)+
+    /\([^)]*?\*\)\+/, // (...*)+
+    /\([^)]*?\+\)\+/, // (...+)+
+    /\(\[[^\]]*\]\+\)\+/, // ([...]+)+
+    /\(\[[^\]]*\]\*\)\+/, // ([...]*)+
+    /\(\[[^\]]*\]\?\)\+/, // ([...]?)+
+    /\(\[[^\]]*\]\*\)\*/, // ([...]*)*
+    /\.\*\.\*/, // .*.*
+    /\.\+\.\+/, // .+.+
+    /\(\.\|\.\)/, // (.|.)
+];
+/**
+ * Maximum allowed regex complexity (nested quantifiers)
+ */
+const MAX_REGEX_COMPLEXITY = 3;
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Count nested quantifier depth in a regex pattern
+ */
+export function countQuantifierNesting(pattern) {
+    let maxDepth = 0;
+    let currentDepth = 0;
+    let inGroup = false;
+    let escaped = false;
+    for (let i = 0; i < pattern.length; i++) {
+        const char = pattern[i];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (char === '\\') {
+            escaped = true;
+            continue;
+        }
+        if (char === '(') {
+            inGroup = true;
+            continue;
+        }
+        if (char === ')') {
+            inGroup = false;
+            // Check if followed by quantifier
+            const next = pattern[i + 1];
+            if (next === '*' || next === '+' || next === '?' || next === '{') {
+                currentDepth++;
+                maxDepth = Math.max(maxDepth, currentDepth);
+            }
+            continue;
+        }
+        if ((char === '*' || char === '+' || char === '?') && !inGroup) {
+            currentDepth = 1;
+            maxDepth = Math.max(maxDepth, currentDepth);
+        }
+    }
+    return maxDepth;
+}
+/**
+ * Check for exponential backtracking potential
+ */
+export function hasExponentialBacktracking(pattern) {
+    // Simplified check for common exponential patterns
+    const dangerous = [
+        /\(\[^\\]*\]\+\)\+/, // ([...]+)+
+        /\(\[^\\]*\]\*\)\*/, // ([...]*)*
+        /\([^)]+\|[^)]+\)\+/, // (a|b)+
+        /\(\.\*\)[*+]/, // (.*)+, (.*)*
+        /\(\.\+\)[*+]/, // (.+)+, (.+)*
+    ];
+    return dangerous.some(d => d.test(pattern));
+}
+// ============================================================================
+// Regex Safety Validator Implementation
+// ============================================================================
+/**
+ * Regex Safety Validator Strategy
+ * Validates regex patterns to prevent ReDoS attacks
+ */
+export class RegexSafetyValidator {
+    name = 'regex-safety';
+    maxComplexity;
+    constructor(maxComplexity = MAX_REGEX_COMPLEXITY) {
+        this.maxComplexity = maxComplexity;
+    }
+    /**
+     * Get the primary risk level this validator addresses
+     */
+    getRiskLevel() {
+        return 'high';
+    }
+    /**
+     * Validate a regex pattern (IValidationStrategy interface)
+     */
+    validate(pattern, options = {}) {
+        const { maxLength = 10000, maxComplexity = this.maxComplexity } = options;
+        if (pattern.length > maxLength) {
+            return {
+                valid: false,
+                error: `Pattern exceeds maximum length of ${maxLength}`,
+                riskLevel: 'medium',
+            };
+        }
+        const result = this.isRegexSafe(pattern, maxComplexity);
+        return {
+            valid: result.safe,
+            error: result.error,
+            riskLevel: result.safe ? 'none' : 'high',
+        };
+    }
+    /**
+     * Check if a regex pattern is safe from ReDoS
+     */
+    isRegexSafe(pattern, maxComplexity = this.maxComplexity) {
+        const riskyPatterns = [];
+        // Check for known ReDoS patterns
+        for (const redosPattern of REDOS_PATTERNS) {
+            if (redosPattern.test(pattern)) {
+                riskyPatterns.push(redosPattern.source);
+            }
+        }
+        // Check nesting depth of quantifiers
+        const quantifierDepth = countQuantifierNesting(pattern);
+        if (quantifierDepth > maxComplexity) {
+            riskyPatterns.push(`Quantifier nesting depth: ${quantifierDepth} (max: ${maxComplexity})`);
+        }
+        // Check for exponential backtracking potential
+        if (hasExponentialBacktracking(pattern)) {
+            riskyPatterns.push('Exponential backtracking potential detected');
+        }
+        return {
+            safe: riskyPatterns.length === 0,
+            pattern,
+            escapedPattern: this.escapeRegex(pattern),
+            riskyPatterns,
+            error: riskyPatterns.length > 0 ? 'Pattern may cause ReDoS' : undefined,
+        };
+    }
+    /**
+     * Escape special regex characters in a string
+     */
+    escapeRegex(str) {
+        return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    }
+    /**
+     * Create a safe regex with validation
+     */
+    createSafeRegex(pattern, flags, maxLength = 10000) {
+        const safety = this.isRegexSafe(pattern);
+        if (!safety.safe) {
+            return null;
+        }
+        if (pattern.length > maxLength) {
+            return null;
+        }
+        try {
+            return new RegExp(pattern, flags);
+        }
+        catch {
+            return null;
+        }
+    }
+}
+// ============================================================================
+// Standalone Functions (for backward compatibility)
+// ============================================================================
+const defaultValidator = new RegexSafetyValidator();
+export const isRegexSafe = (pattern) => defaultValidator.isRegexSafe(pattern);
+export const escapeRegex = (str) => defaultValidator.escapeRegex(str);
+export const createSafeRegex = (pattern, flags, maxLength) => defaultValidator.createSafeRegex(pattern, flags, maxLength);
+//# sourceMappingURL=regex-safety-validator.js.map

package/dist/shared/security/validation-orchestrator.d.ts ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * Agentic QE v3 - MCP Security: Validation Orchestrator
+ * Coordinates all validation strategies using the Strategy Pattern
+ *
+ * Moved from src/mcp/security/validators/validation-orchestrator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { IValidationOrchestrator, IValidationStrategy, ValidationResult, RiskLevel } from './validators-interfaces.js';
+/**
+ * Validation Orchestrator
+ * Coordinates multiple validation strategies and provides a unified interface
+ */
+export declare class ValidationOrchestrator implements IValidationOrchestrator {
+    private strategies;
+    /**
+     * Create a new orchestrator with default validators
+     */
+    constructor(registerDefaults?: boolean);
+    /**
+     * Register the default validation strategies
+     */
+    private registerDefaultStrategies;
+    /**
+     * Register a validation strategy
+     */
+    registerStrategy(strategy: IValidationStrategy): void;
+    /**
+     * Get a registered strategy by name
+     */
+    getStrategy(name: string): IValidationStrategy | undefined;
+    /**
+     * Get all registered strategy names
+     */
+    getStrategyNames(): string[];
+    /**
+     * Validate using a specific strategy
+     */
+    validateWith<TResult extends ValidationResult>(strategyName: string, input: unknown, options?: unknown): TResult;
+    /**
+     * Run all registered validators on an input
+     * Useful for comprehensive input validation
+     */
+    validateAll(input: unknown): Map<string, ValidationResult>;
+    /**
+     * Check if any validator found issues
+     */
+    hasIssues(results: Map<string, ValidationResult>): boolean;
+    /**
+     * Get the highest risk level from validation results
+     */
+    getHighestRisk(results: Map<string, ValidationResult>): RiskLevel;
+    /**
+     * Get all issues from validation results
+     */
+    getAllIssues(results: Map<string, ValidationResult>): Array<{
+        validator: string;
+        error: string;
+        riskLevel: RiskLevel;
+    }>;
+}
+/**
+ * Get the default validation orchestrator instance
+ */
+export declare function getOrchestrator(): ValidationOrchestrator;
+/**
+ * Create a new validation orchestrator
+ */
+export declare function createOrchestrator(registerDefaults?: boolean): ValidationOrchestrator;
+//# sourceMappingURL=validation-orchestrator.d.ts.map

package/dist/shared/security/validation-orchestrator.js ADDED Viewed

@@ -0,0 +1,149 @@
+/**
+ * Agentic QE v3 - MCP Security: Validation Orchestrator
+ * Coordinates all validation strategies using the Strategy Pattern
+ *
+ * Moved from src/mcp/security/validators/validation-orchestrator.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+import { PathTraversalValidator } from './path-traversal-validator.js';
+import { RegexSafetyValidator } from './regex-safety-validator.js';
+import { CommandValidator } from './command-validator.js';
+// ============================================================================
+// Validation Orchestrator Implementation
+// ============================================================================
+/**
+ * Validation Orchestrator
+ * Coordinates multiple validation strategies and provides a unified interface
+ */
+export class ValidationOrchestrator {
+    strategies = new Map();
+    /**
+     * Create a new orchestrator with default validators
+     */
+    constructor(registerDefaults = true) {
+        if (registerDefaults) {
+            this.registerDefaultStrategies();
+        }
+    }
+    /**
+     * Register the default validation strategies
+     */
+    registerDefaultStrategies() {
+        this.registerStrategy(new PathTraversalValidator());
+        this.registerStrategy(new RegexSafetyValidator());
+        this.registerStrategy(new CommandValidator());
+        // Note: InputSanitizer and CryptoValidator don't implement IValidationStrategy
+        // They have their own interfaces (IInputSanitizationStrategy, ICryptoValidationStrategy)
+        // They can be accessed directly through the facade
+    }
+    /**
+     * Register a validation strategy
+     */
+    registerStrategy(strategy) {
+        this.strategies.set(strategy.name, strategy);
+    }
+    /**
+     * Get a registered strategy by name
+     */
+    getStrategy(name) {
+        return this.strategies.get(name);
+    }
+    /**
+     * Get all registered strategy names
+     */
+    getStrategyNames() {
+        return Array.from(this.strategies.keys());
+    }
+    /**
+     * Validate using a specific strategy
+     */
+    validateWith(strategyName, input, options) {
+        const strategy = this.strategies.get(strategyName);
+        if (!strategy) {
+            throw new Error(`Strategy '${strategyName}' not found`);
+        }
+        return strategy.validate(input, options);
+    }
+    /**
+     * Run all registered validators on an input
+     * Useful for comprehensive input validation
+     */
+    validateAll(input) {
+        const results = new Map();
+        for (const [name, strategy] of this.strategies) {
+            try {
+                results.set(name, strategy.validate(input));
+            }
+            catch (error) {
+                results.set(name, {
+                    valid: false,
+                    error: error instanceof Error ? error.message : 'Unknown error',
+                    riskLevel: 'high',
+                });
+            }
+        }
+        return results;
+    }
+    /**
+     * Check if any validator found issues
+     */
+    hasIssues(results) {
+        for (const result of results.values()) {
+            if (!result.valid) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Get the highest risk level from validation results
+     */
+    getHighestRisk(results) {
+        const riskOrder = ['none', 'low', 'medium', 'high', 'critical'];
+        let highest = 'none';
+        for (const result of results.values()) {
+            const currentIndex = riskOrder.indexOf(result.riskLevel);
+            const highestIndex = riskOrder.indexOf(highest);
+            if (currentIndex > highestIndex) {
+                highest = result.riskLevel;
+            }
+        }
+        return highest;
+    }
+    /**
+     * Get all issues from validation results
+     */
+    getAllIssues(results) {
+        const issues = [];
+        for (const [name, result] of results) {
+            if (!result.valid && result.error) {
+                issues.push({
+                    validator: name,
+                    error: result.error,
+                    riskLevel: result.riskLevel,
+                });
+            }
+        }
+        return issues;
+    }
+}
+// ============================================================================
+// Singleton Instance
+// ============================================================================
+let defaultOrchestrator = null;
+/**
+ * Get the default validation orchestrator instance
+ */
+export function getOrchestrator() {
+    if (!defaultOrchestrator) {
+        defaultOrchestrator = new ValidationOrchestrator();
+    }
+    return defaultOrchestrator;
+}
+/**
+ * Create a new validation orchestrator
+ */
+export function createOrchestrator(registerDefaults = true) {
+    return new ValidationOrchestrator(registerDefaults);
+}
+//# sourceMappingURL=validation-orchestrator.js.map

package/dist/shared/security/validators-interfaces.d.ts ADDED Viewed

@@ -0,0 +1,167 @@
+/**
+ * Agentic QE v3 - MCP Security: Validation Strategy Interfaces
+ * Defines the Strategy Pattern interfaces for security validators
+ *
+ * Moved from src/mcp/security/validators/interfaces.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+/**
+ * Risk level classification for security validation
+ */
+export type RiskLevel = 'none' | 'low' | 'medium' | 'high' | 'critical';
+/**
+ * Base validation result returned by all validators
+ */
+export interface ValidationResult {
+    valid: boolean;
+    error?: string;
+    riskLevel: RiskLevel;
+}
+/**
+ * Path validation result with normalized path
+ */
+export interface PathValidationResult extends ValidationResult {
+    normalizedPath?: string;
+}
+/**
+ * Regex safety result with pattern analysis
+ */
+export interface RegexSafetyResult {
+    safe: boolean;
+    pattern?: string;
+    escapedPattern?: string;
+    error?: string;
+    riskyPatterns: string[];
+}
+/**
+ * Command validation result with sanitized command
+ */
+export interface CommandValidationResult extends ValidationResult {
+    sanitizedCommand?: string;
+    blockedPatterns: string[];
+}
+/**
+ * Input sanitization options
+ */
+export interface SanitizationOptions {
+    maxLength?: number;
+    allowedChars?: RegExp;
+    stripHtml?: boolean;
+    stripSql?: boolean;
+    escapeShell?: boolean;
+    trim?: boolean;
+    /** Strip dangerous control characters (null bytes, escape sequences, etc.) - default: true */
+    stripControlChars?: boolean;
+}
+/**
+ * Path validation options
+ */
+export interface PathValidationOptions {
+    basePath?: string;
+    allowAbsolute?: boolean;
+    allowedExtensions?: string[];
+    deniedExtensions?: string[];
+    maxDepth?: number;
+    maxLength?: number;
+}
+/**
+ * Regex validation options
+ */
+export interface RegexValidationOptions {
+    maxLength?: number;
+    maxComplexity?: number;
+}
+/**
+ * Command validation options
+ */
+export interface CommandValidationOptions {
+    allowedCommands?: string[];
+}
+/**
+ * Base interface for all validation strategies
+ * Implements the Strategy Pattern for modular security validation
+ */
+export interface IValidationStrategy<TInput = unknown, TOptions = unknown, TResult extends ValidationResult = ValidationResult> {
+    /**
+     * Unique name identifier for this validator
+     */
+    readonly name: string;
+    /**
+     * Validate the input according to this strategy
+     * @param input - The input to validate
+     * @param options - Optional validation options
+     * @returns The validation result
+     */
+    validate(input: TInput, options?: TOptions): TResult;
+    /**
+     * Get the risk level this validator typically addresses
+     * @returns The primary risk level category
+     */
+    getRiskLevel(): RiskLevel;
+}
+/**
+ * Path traversal validation strategy interface
+ */
+export interface IPathValidationStrategy extends IValidationStrategy<string, PathValidationOptions, PathValidationResult> {
+    normalizePath(path: string): string;
+    joinPaths(...paths: string[]): string;
+    joinPathsAbsolute(...paths: string[]): string;
+    getExtension(path: string): string | null;
+}
+/**
+ * Regex safety validation strategy interface
+ */
+export interface IRegexValidationStrategy extends IValidationStrategy<string, RegexValidationOptions, ValidationResult> {
+    isRegexSafe(pattern: string): RegexSafetyResult;
+    escapeRegex(str: string): string;
+    createSafeRegex(pattern: string, flags?: string, maxLength?: number): RegExp | null;
+}
+/**
+ * Command validation strategy interface
+ */
+export interface ICommandValidationStrategy extends IValidationStrategy<string, CommandValidationOptions, CommandValidationResult> {
+    escapeShellArg(arg: string): string;
+}
+/**
+ * Input sanitization strategy interface
+ */
+export interface IInputSanitizationStrategy {
+    readonly name: string;
+    sanitize(input: string, options?: SanitizationOptions): string;
+    escapeHtml(str: string): string;
+    stripHtmlTags(str: string): string;
+    getRiskLevel(): RiskLevel;
+}
+/**
+ * Crypto validation strategy interface
+ */
+export interface ICryptoValidationStrategy {
+    readonly name: string;
+    timingSafeCompare(a: string, b: string): boolean;
+    timingSafeHashCompare(value: string, expectedHash: string): boolean;
+    generateSecureToken(length?: number): string;
+    secureHash(value: string, salt?: string): string;
+    getRiskLevel(): RiskLevel;
+}
+/**
+ * Validation orchestrator interface for coordinating multiple validators
+ */
+export interface IValidationOrchestrator {
+    /**
+     * Register a validation strategy
+     */
+    registerStrategy(strategy: IValidationStrategy): void;
+    /**
+     * Get a registered strategy by name
+     */
+    getStrategy(name: string): IValidationStrategy | undefined;
+    /**
+     * Validate using a specific strategy
+     */
+    validateWith<TResult extends ValidationResult>(strategyName: string, input: unknown, options?: unknown): TResult;
+    /**
+     * Run all registered validators on an input
+     */
+    validateAll(input: unknown): Map<string, ValidationResult>;
+}
+//# sourceMappingURL=validators-interfaces.d.ts.map

package/dist/shared/security/validators-interfaces.js ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Agentic QE v3 - MCP Security: Validation Strategy Interfaces
+ * Defines the Strategy Pattern interfaces for security validators
+ *
+ * Moved from src/mcp/security/validators/interfaces.ts to shared/security
+ * for cross-domain reuse without DDD boundary violations.
+ */
+export {};
+//# sourceMappingURL=validators-interfaces.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agentic-qe",
-  "version": "3.8.4",
+  "version": "3.8.6",
   "description": "Agentic Quality Engineering V3 - Domain-Driven Design Architecture with 13 Bounded Contexts, O(log n) coverage analysis, ReasoningBank learning, 60 specialized QE agents, mathematical Coherence verification, deep Claude Flow integration",
   "type": "module",
   "main": "./dist/index.js",