agileflow 2.90.6 → 2.91.0

package/scripts/validators/security-validator.js

@@ -0,0 +1,276 @@
+#!/usr/bin/env node
+/**
+ * Security Validator
+ *
+ * Validates files for security issues, secrets, and vulnerabilities.
+ *
+ * Exit codes:
+ *   0 = Success
+ *   2 = Error (Claude will attempt to fix)
+ *   1 = Warning (logged but not blocking)
+ *
+ * Usage in agent hooks:
+ *   hooks:
+ *     PostToolUse:
+ *       - matcher: "Write"
+ *         hooks:
+ *           - type: command
+ *             command: "node .agileflow/hooks/validators/security-validator.js"
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+let input = '';
+process.stdin.on('data', chunk => input += chunk);
+process.stdin.on('end', () => {
+  try {
+    const context = JSON.parse(input);
+    const filePath = context.tool_input?.file_path;
+
+    if (!filePath) {
+      process.exit(0);
+    }
+
+    // Skip if file doesn't exist
+    if (!fs.existsSync(filePath)) {
+      console.log(`File not found: ${filePath} (skipping validation)`);
+      process.exit(0);
+    }
+
+    // Skip binary files
+    if (isBinaryFile(filePath)) {
+      process.exit(0);
+    }
+
+    const issues = validateSecurity(filePath);
+
+    if (issues.length > 0) {
+      console.error(`Security issues in ${filePath}:`);
+      issues.forEach(i => console.error(`  - ${i}`));
+      process.exit(2); // Claude will fix
+    }
+
+    console.log(`Security validation passed: ${filePath}`);
+    process.exit(0);
+  } catch (e) {
+    console.error(`Validator error: ${e.message}`);
+    process.exit(1);
+  }
+});
+
+function isBinaryFile(filePath) {
+  const binaryExtensions = ['.png', '.jpg', '.jpeg', '.gif', '.ico', '.woff', '.woff2', '.ttf', '.eot', '.pdf', '.zip', '.tar', '.gz'];
+  const ext = path.extname(filePath).toLowerCase();
+  return binaryExtensions.includes(ext);
+}
+
+function validateSecurity(filePath) {
+  const issues = [];
+
+  try {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const ext = path.extname(filePath).toLowerCase();
+    const fileName = path.basename(filePath);
+
+    // Check for secrets and credentials
+    issues.push(...checkSecrets(content, fileName));
+
+    // Check for SQL injection vulnerabilities
+    issues.push(...checkSqlInjection(content, ext));
+
+    // Check for XSS vulnerabilities
+    issues.push(...checkXss(content, ext));
+
+    // Check for command injection
+    issues.push(...checkCommandInjection(content, ext));
+
+    // Check for path traversal
+    issues.push(...checkPathTraversal(content, ext));
+
+    // Check for insecure crypto
+    issues.push(...checkInsecureCrypto(content));
+
+    // Check for insecure randomness
+    issues.push(...checkInsecureRandom(content));
+
+  } catch (e) {
+    issues.push(`Read error: ${e.message}`);
+  }
+
+  return issues;
+}
+
+function checkSecrets(content, fileName) {
+  const issues = [];
+
+  // Skip .env.example files
+  if (fileName === '.env.example' || fileName === '.env.sample') {
+    return issues;
+  }
+
+  const secretPatterns = [
+    // API Keys
+    { pattern: /['"]sk-[a-zA-Z0-9]{20,}['"]/, message: 'Possible OpenAI API key detected' },
+    { pattern: /['"]AIza[a-zA-Z0-9_-]{35}['"]/, message: 'Possible Google API key detected' },
+    { pattern: /['"]AKIA[A-Z0-9]{16}['"]/, message: 'Possible AWS access key detected' },
+    { pattern: /['"]ghp_[a-zA-Z0-9]{36}['"]/, message: 'Possible GitHub personal access token detected' },
+    { pattern: /['"]npm_[a-zA-Z0-9]{36}['"]/, message: 'Possible npm token detected' },
+
+    // Generic patterns
+    { pattern: /password\s*[:=]\s*['"][^'"${\s]{8,}['"](?!\s*;?\s*\/\/\s*example)/i, message: 'Possible hardcoded password detected' },
+    { pattern: /api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/i, message: 'Possible hardcoded API key detected' },
+    { pattern: /secret\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/i, message: 'Possible hardcoded secret detected' },
+    { pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/, message: 'Private key detected in source code' },
+    { pattern: /-----BEGIN\s+CERTIFICATE-----/, message: 'Certificate detected in source code (verify this is intentional)' },
+  ];
+
+  for (const { pattern, message } of secretPatterns) {
+    if (pattern.test(content)) {
+      issues.push(`${message} - use environment variables or secrets manager`);
+    }
+  }
+
+  return issues;
+}
+
+function checkSqlInjection(content, ext) {
+  const issues = [];
+
+  // Only check relevant file types
+  if (!['.js', '.ts', '.jsx', '.tsx', '.py', '.php', '.java', '.go', '.rb'].includes(ext)) {
+    return issues;
+  }
+
+  // Check for string concatenation in SQL
+  const sqlInjectionPatterns = [
+    { pattern: /['"`]\s*SELECT\s+.*\+\s*\w+/i, message: 'Possible SQL injection: string concatenation in SELECT query' },
+    { pattern: /['"`]\s*INSERT\s+.*\+\s*\w+/i, message: 'Possible SQL injection: string concatenation in INSERT query' },
+    { pattern: /['"`]\s*UPDATE\s+.*\+\s*\w+/i, message: 'Possible SQL injection: string concatenation in UPDATE query' },
+    { pattern: /['"`]\s*DELETE\s+.*\+\s*\w+/i, message: 'Possible SQL injection: string concatenation in DELETE query' },
+    { pattern: /\$\{[^}]+\}.*WHERE/i, message: 'Possible SQL injection: template literal in WHERE clause - use parameterized queries' },
+  ];
+
+  for (const { pattern, message } of sqlInjectionPatterns) {
+    if (pattern.test(content)) {
+      issues.push(message);
+    }
+  }
+
+  return issues;
+}
+
+function checkXss(content, ext) {
+  const issues = [];
+
+  // Only check relevant file types
+  if (!['.js', '.ts', '.jsx', '.tsx', '.vue', '.svelte', '.html'].includes(ext)) {
+    return issues;
+  }
+
+  const xssPatterns = [
+    { pattern: /innerHTML\s*=\s*[^'"`]/, message: 'Direct innerHTML assignment detected - sanitize content or use textContent' },
+    { pattern: /dangerouslySetInnerHTML/, message: 'dangerouslySetInnerHTML used - ensure content is sanitized' },
+    { pattern: /document\.write\s*\(/, message: 'document.write() is dangerous - use DOM manipulation instead' },
+    { pattern: /v-html\s*=/, message: 'v-html directive detected - ensure content is sanitized' },
+    { pattern: /\{@html\s+/, message: 'Svelte @html directive detected - ensure content is sanitized' },
+  ];
+
+  for (const { pattern, message } of xssPatterns) {
+    if (pattern.test(content)) {
+      // These are warnings, not blocking errors (they're sometimes necessary)
+      console.log(`Warning: ${message}`);
+    }
+  }
+
+  return issues;
+}
+
+function checkCommandInjection(content, ext) {
+  const issues = [];
+
+  // Only check relevant file types
+  if (!['.js', '.ts', '.py', '.php', '.rb', '.sh'].includes(ext)) {
+    return issues;
+  }
+
+  const cmdInjectionPatterns = [
+    // JavaScript/Node
+    { pattern: /exec\s*\(\s*[`'"]\s*\$\{/, message: 'Possible command injection: template literal in exec()' },
+    { pattern: /exec\s*\(\s*\w+\s*\+/, message: 'Possible command injection: string concatenation in exec()' },
+    { pattern: /execSync\s*\(\s*[`'"]\s*\$\{/, message: 'Possible command injection: template literal in execSync()' },
+    { pattern: /spawn\s*\(\s*[`'"]\s*\$\{/, message: 'Possible command injection: template literal in spawn()' },
+
+    // Python
+    { pattern: /os\.system\s*\(\s*f['"]/, message: 'Possible command injection: f-string in os.system()' },
+    { pattern: /subprocess\.(call|run|Popen)\s*\(\s*f['"]/, message: 'Possible command injection: f-string in subprocess - use list args instead' },
+  ];
+
+  for (const { pattern, message } of cmdInjectionPatterns) {
+    if (pattern.test(content)) {
+      issues.push(message);
+    }
+  }
+
+  return issues;
+}
+
+function checkPathTraversal(content, ext) {
+  const issues = [];
+
+  // Only check relevant file types
+  if (!['.js', '.ts', '.py', '.php', '.java', '.go', '.rb'].includes(ext)) {
+    return issues;
+  }
+
+  const pathTraversalPatterns = [
+    { pattern: /path\.join\s*\([^)]*req\.(params|query|body)/, message: 'Possible path traversal: user input in path.join()' },
+    { pattern: /readFile(Sync)?\s*\([^)]*req\.(params|query|body)/, message: 'Possible path traversal: user input in file read' },
+    { pattern: /open\s*\(\s*f['"].*\{.*\}/, message: 'Possible path traversal: user input in file open (Python)' },
+  ];
+
+  for (const { pattern, message } of pathTraversalPatterns) {
+    if (pattern.test(content)) {
+      issues.push(message);
+    }
+  }
+
+  return issues;
+}
+
+function checkInsecureCrypto(content) {
+  const issues = [];
+
+  const insecureCryptoPatterns = [
+    { pattern: /createHash\s*\(\s*['"]md5['"]\s*\)/, message: 'MD5 is insecure for cryptographic use - use SHA-256 or better' },
+    { pattern: /createHash\s*\(\s*['"]sha1['"]\s*\)/, message: 'SHA-1 is deprecated - use SHA-256 or better' },
+    { pattern: /hashlib\.md5\s*\(/, message: 'MD5 is insecure for cryptographic use - use SHA-256 or better' },
+    { pattern: /DES|3DES|RC4/, message: 'Insecure encryption algorithm detected - use AES-256-GCM' },
+    { pattern: /ECB/, message: 'ECB mode is insecure - use GCM or CBC with proper IV' },
+  ];
+
+  for (const { pattern, message } of insecureCryptoPatterns) {
+    if (pattern.test(content)) {
+      issues.push(message);
+    }
+  }
+
+  return issues;
+}
+
+function checkInsecureRandom(content) {
+  const issues = [];
+
+  const insecureRandomPatterns = [
+    { pattern: /Math\.random\s*\(\s*\).*(?:token|key|secret|password|auth|session)/i, message: 'Math.random() used for security-sensitive value - use crypto.randomBytes()' },
+    { pattern: /random\.random\s*\(\s*\).*(?:token|key|secret|password|auth|session)/i, message: 'random.random() is not cryptographically secure - use secrets module' },
+  ];
+
+  for (const { pattern, message } of insecureRandomPatterns) {
+    if (pattern.test(content)) {
+      issues.push(message);
+    }
+  }
+
+  return issues;
+}

package/scripts/validators/story-format-validator.js

@@ -0,0 +1,176 @@
+#!/usr/bin/env node
+/**
+ * Story Format Validator
+ *
+ * Validates story structure in status.json after Write operations.
+ * Ensures stories have required fields and valid values.
+ *
+ * Exit codes:
+ *   0 = Success
+ *   2 = Error (Claude will attempt to fix)
+ *   1 = Warning (logged but not blocking)
+ *
+ * Usage in agent hooks (e.g., epic-planner.md):
+ *   hooks:
+ *     PostToolUse:
+ *       - matcher: "Write"
+ *         hooks:
+ *           - type: command
+ *             command: "node .agileflow/hooks/validators/story-format-validator.js"
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+let input = '';
+process.stdin.on('data', chunk => input += chunk);
+process.stdin.on('end', () => {
+  try {
+    const context = JSON.parse(input);
+    const filePath = context.tool_input?.file_path;
+
+    // Only validate status.json
+    if (!filePath || !filePath.endsWith('status.json')) {
+      process.exit(0);
+    }
+
+    // Skip if file doesn't exist
+    if (!fs.existsSync(filePath)) {
+      console.log(`File not found: ${filePath} (skipping validation)`);
+      process.exit(0);
+    }
+
+    const issues = validateStoryFormat(filePath);
+
+    if (issues.length > 0) {
+      console.error(`Resolve these story format issues in ${filePath}:`);
+      issues.forEach(i => console.error(`  - ${i}`));
+      process.exit(2); // Claude will fix
+    }
+
+    console.log(`Story format validation passed: ${filePath}`);
+    process.exit(0);
+  } catch (e) {
+    console.error(`Validator error: ${e.message}`);
+    process.exit(1);
+  }
+});
+
+function validateStoryFormat(filePath) {
+  const issues = [];
+
+  try {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const data = JSON.parse(content);
+
+    // Validate stories array
+    if (data.stories) {
+      if (!Array.isArray(data.stories)) {
+        issues.push('stories must be an array');
+        return issues;
+      }
+
+      data.stories.forEach((story, index) => {
+        const storyIssues = validateSingleStory(story, index);
+        issues.push(...storyIssues);
+      });
+
+      // Check for duplicate IDs
+      const ids = data.stories.map(s => s.id).filter(Boolean);
+      const duplicates = ids.filter((id, i) => ids.indexOf(id) !== i);
+      if (duplicates.length > 0) {
+        issues.push(`Duplicate story IDs: ${duplicates.join(', ')}`);
+      }
+    }
+
+    // Validate epics if present
+    if (data.epics) {
+      if (!Array.isArray(data.epics)) {
+        issues.push('epics must be an array');
+      } else {
+        data.epics.forEach((epic, index) => {
+          if (!epic.id) {
+            issues.push(`Epic at index ${index} missing 'id' field`);
+          }
+          if (!epic.title && !epic.name) {
+            issues.push(`Epic ${epic.id || index} missing 'title' or 'name' field`);
+          }
+        });
+      }
+    }
+
+    // Validate current_story reference if present
+    if (data.current_story) {
+      if (typeof data.current_story !== 'string') {
+        issues.push('current_story must be a string (story ID)');
+      } else if (data.stories) {
+        const storyExists = data.stories.some(s => s.id === data.current_story);
+        if (!storyExists) {
+          issues.push(`current_story "${data.current_story}" not found in stories array`);
+        }
+      }
+    }
+
+  } catch (e) {
+    if (e instanceof SyntaxError) {
+      issues.push(`Invalid JSON: ${e.message}`);
+    } else {
+      issues.push(`Read error: ${e.message}`);
+    }
+  }
+
+  return issues;
+}
+
+function validateSingleStory(story, index) {
+  const issues = [];
+  const storyRef = story.id || `index ${index}`;
+
+  // Required fields
+  if (!story.id) {
+    issues.push(`Story at ${storyRef}: missing 'id' field`);
+  } else {
+    // ID format validation (US-XXXX or EP-XXXX)
+    if (!/^(US|EP|TECH|BUG)-\d{4}$/.test(story.id)) {
+      issues.push(`Story ${storyRef}: ID should match pattern US-XXXX, EP-XXXX, TECH-XXXX, or BUG-XXXX`);
+    }
+  }
+
+  if (!story.title && !story.name) {
+    issues.push(`Story ${storyRef}: missing 'title' or 'name' field`);
+  }
+
+  // Status validation
+  const validStatuses = ['pending', 'ready', 'in_progress', 'in-progress', 'in_review', 'in-review', 'completed', 'blocked', 'archived'];
+  if (story.status && !validStatuses.includes(story.status)) {
+    issues.push(`Story ${storyRef}: invalid status "${story.status}". Valid: ${validStatuses.join(', ')}`);
+  }
+
+  // Priority validation
+  const validPriorities = ['critical', 'high', 'medium', 'low'];
+  if (story.priority && !validPriorities.includes(story.priority)) {
+    issues.push(`Story ${storyRef}: invalid priority "${story.priority}". Valid: ${validPriorities.join(', ')}`);
+  }
+
+  // Owner validation (if present)
+  if (story.owner) {
+    const validOwners = ['AG-UI', 'AG-API', 'AG-CI', 'AG-DB', 'AG-TEST', 'AG-DOC', 'AG-SEC', 'human'];
+    if (!validOwners.includes(story.owner)) {
+      issues.push(`Story ${storyRef}: unknown owner "${story.owner}". Valid: ${validOwners.join(', ')}`);
+    }
+  }
+
+  // Acceptance criteria should be array
+  if (story.acceptance_criteria && !Array.isArray(story.acceptance_criteria)) {
+    issues.push(`Story ${storyRef}: acceptance_criteria must be an array`);
+  }
+
+  // Epic reference validation
+  if (story.epic_id) {
+    if (!/^EP-\d{4}$/.test(story.epic_id)) {
+      issues.push(`Story ${storyRef}: epic_id should match pattern EP-XXXX`);
+    }
+  }
+
+  return issues;
+}

package/scripts/validators/test-result-validator.js

@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+/**
+ * Test Result Validator
+ *
+ * Validates test command outputs for the testing agent.
+ * Checks for passing tests and coverage thresholds.
+ *
+ * Exit codes:
+ *   0 = Success
+ *   2 = Error (Claude will attempt to fix)
+ *   1 = Warning (logged but not blocking)
+ *
+ * Usage in agent hooks (testing.md):
+ *   hooks:
+ *     PostToolUse:
+ *       - matcher: "Bash"
+ *         hooks:
+ *           - type: command
+ *             command: "node .agileflow/hooks/validators/test-result-validator.js"
+ */
+
+let input = '';
+process.stdin.on('data', chunk => input += chunk);
+process.stdin.on('end', () => {
+  try {
+    const context = JSON.parse(input);
+    const command = context.tool_input?.command || '';
+    const result = context.result || '';
+
+    // Only validate test-related commands
+    const testCommands = ['npm test', 'npm run test', 'jest', 'pytest', 'cargo test', 'go test', 'vitest', 'mocha'];
+    const isTestCommand = testCommands.some(tc => command.includes(tc));
+
+    if (!isTestCommand) {
+      process.exit(0); // Not a test command, skip
+    }
+
+    const issues = validateTestResult(command, result);
+
+    if (issues.length > 0) {
+      console.error(`Test validation issues (command: ${command}):`);
+      issues.forEach(i => console.error(`  - ${i}`));
+      process.exit(2); // Claude will fix
+    }
+
+    console.log(`Test validation passed for: ${command}`);
+    process.exit(0);
+  } catch (e) {
+    console.error(`Validator error: ${e.message}`);
+    process.exit(1);
+  }
+});
+
+function validateTestResult(command, result) {
+  const issues = [];
+  const resultLower = result.toLowerCase();
+
+  // Check for test failures
+  if (resultLower.includes('failed') || resultLower.includes('failure')) {
+    // Extract failure count if possible
+    const failMatch = result.match(/(\d+)\s*(failed|failure)/i);
+    if (failMatch) {
+      issues.push(`${failMatch[1]} test(s) failed - fix failing tests before continuing`);
+    } else {
+      issues.push('Tests failed - fix failing tests before continuing');
+    }
+  }
+
+  // Check for errors (not test failures, but execution errors)
+  if (resultLower.includes('error:') || resultLower.includes('exception')) {
+    if (!resultLower.includes('0 errors')) {
+      issues.push('Test execution had errors - check test setup');
+    }
+  }
+
+  // Check for coverage warnings (if coverage was run)
+  if (resultLower.includes('coverage')) {
+    // Look for coverage percentage
+    const coverageMatch = result.match(/(\d+(?:\.\d+)?)\s*%\s*(?:coverage|statements|branches|functions|lines)/i);
+    if (coverageMatch) {
+      const coverage = parseFloat(coverageMatch[1]);
+      if (coverage < 70) {
+        issues.push(`Coverage at ${coverage}% is below 70% threshold - add more tests`);
+      }
+    }
+  }
+
+  // Check for "no tests" scenarios
+  if (resultLower.includes('no tests') || resultLower.includes('no test') || resultLower.includes('0 tests')) {
+    issues.push('No tests were run - ensure test files exist and are properly configured');
+  }
+
+  // Check for timeout
+  if (resultLower.includes('timeout') || resultLower.includes('timed out')) {
+    issues.push('Test timed out - check for infinite loops or slow async operations');
+  }
+
+  return issues;
+}