archicore 0.1.0

package/dist/analyzers/security.js

@@ -0,0 +1,484 @@
+/**
+ * Security Analyzer
+ *
+ * Обнаружение уязвимостей безопасности:
+ * - SQL Injection
+ * - XSS (Cross-Site Scripting)
+ * - Command Injection
+ * - Path Traversal
+ * - Hardcoded Secrets
+ * - Insecure Dependencies
+ * - OWASP Top 10
+ */
+import { Logger } from '../utils/logger.js';
+export class SecurityAnalyzer {
+    vulnerabilityPatterns = [
+        // SQL Injection
+        {
+            type: 'sql-injection',
+            pattern: /(?:query|execute|raw)\s*\(\s*[`'"]\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP).*\$\{|\+\s*\w+/gi,
+            severity: 'critical',
+            title: 'Potential SQL Injection',
+            description: 'User input may be directly concatenated into SQL query',
+            cwe: 'CWE-89',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Use parameterized queries or prepared statements'
+        },
+        {
+            type: 'sql-injection',
+            pattern: /\.query\s*\(\s*`[^`]*\$\{[^}]+\}[^`]*`/g,
+            severity: 'critical',
+            title: 'SQL Injection via Template Literal',
+            description: 'Template literal with interpolation used in SQL query',
+            cwe: 'CWE-89',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Use parameterized queries: query($1, [param])'
+        },
+        // XSS
+        {
+            type: 'xss',
+            pattern: /innerHTML\s*=\s*(?!\s*['"`])/g,
+            severity: 'high',
+            title: 'Potential XSS via innerHTML',
+            description: 'Setting innerHTML with dynamic content can lead to XSS',
+            cwe: 'CWE-79',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Use textContent or sanitize HTML with DOMPurify'
+        },
+        {
+            type: 'xss',
+            pattern: /document\.write\s*\(/g,
+            severity: 'high',
+            title: 'XSS via document.write',
+            description: 'document.write() can execute arbitrary scripts',
+            cwe: 'CWE-79',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Use DOM manipulation methods instead'
+        },
+        {
+            type: 'xss',
+            pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/g,
+            severity: 'medium',
+            title: 'React dangerouslySetInnerHTML',
+            description: 'Ensure HTML is properly sanitized before use',
+            cwe: 'CWE-79',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Sanitize HTML with DOMPurify before setting'
+        },
+        // Command Injection
+        {
+            type: 'command-injection',
+            pattern: /(?:exec|spawn|execSync|spawnSync)\s*\([^)]*\$\{|\+\s*\w+/g,
+            severity: 'critical',
+            title: 'Potential Command Injection',
+            description: 'User input may be passed to shell command',
+            cwe: 'CWE-78',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Validate and sanitize input, use spawn with array args'
+        },
+        {
+            type: 'command-injection',
+            pattern: /child_process.*exec\s*\(\s*`/g,
+            severity: 'critical',
+            title: 'Shell Command with Template',
+            description: 'Shell command constructed from template literal',
+            cwe: 'CWE-78',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Use execFile or spawn with argument array'
+        },
+        // Path Traversal
+        {
+            type: 'path-traversal',
+            pattern: /(?:readFile|writeFile|createReadStream|access|stat|unlink)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/g,
+            severity: 'high',
+            title: 'Potential Path Traversal',
+            description: 'User input may be used in file path without validation',
+            cwe: 'CWE-22',
+            owasp: 'A01:2021-Broken Access Control',
+            remediation: 'Validate path with path.normalize() and check prefix'
+        },
+        {
+            type: 'path-traversal',
+            pattern: /\.\.\/|\.\.\\|\.\.[/\\]/g,
+            severity: 'medium',
+            title: 'Directory Traversal Pattern',
+            description: 'Path contains directory traversal sequence',
+            cwe: 'CWE-22',
+            owasp: 'A01:2021-Broken Access Control',
+            remediation: 'Use path.resolve() and validate against base directory'
+        },
+        // Insecure Randomness
+        {
+            type: 'insecure-random',
+            pattern: /Math\.random\s*\(\)/g,
+            severity: 'medium',
+            title: 'Insecure Random Number Generator',
+            description: 'Math.random() is not cryptographically secure',
+            cwe: 'CWE-330',
+            owasp: 'A02:2021-Cryptographic Failures',
+            remediation: 'Use crypto.randomBytes() or crypto.randomUUID()',
+            contextCheck: (code) => {
+                // Не ругаемся если это не для безопасности
+                return code.includes('token') || code.includes('secret') ||
+                    code.includes('password') || code.includes('auth') ||
+                    code.includes('session') || code.includes('key');
+            }
+        },
+        // Weak Cryptography
+        {
+            type: 'weak-crypto',
+            pattern: /createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/g,
+            severity: 'medium',
+            title: 'Weak Hash Algorithm',
+            description: 'MD5 and SHA1 are considered weak for security',
+            cwe: 'CWE-328',
+            owasp: 'A02:2021-Cryptographic Failures',
+            remediation: 'Use SHA-256 or stronger: createHash("sha256")'
+        },
+        {
+            type: 'weak-crypto',
+            pattern: /createCipher\s*\(\s*['"](?:des|rc4|rc2)['"]/gi,
+            severity: 'high',
+            title: 'Weak Encryption Algorithm',
+            description: 'DES, RC4, RC2 are deprecated encryption algorithms',
+            cwe: 'CWE-327',
+            owasp: 'A02:2021-Cryptographic Failures',
+            remediation: 'Use AES-256-GCM: createCipheriv("aes-256-gcm", ...)'
+        },
+        // Open Redirect
+        {
+            type: 'open-redirect',
+            pattern: /(?:redirect|location\.href|window\.location)\s*=?\s*(?:req\.|params\.|query\.)/g,
+            severity: 'medium',
+            title: 'Potential Open Redirect',
+            description: 'User-controlled URL in redirect can lead to phishing',
+            cwe: 'CWE-601',
+            owasp: 'A01:2021-Broken Access Control',
+            remediation: 'Validate redirect URL against whitelist of allowed domains'
+        },
+        // SSRF
+        {
+            type: 'ssrf',
+            pattern: /(?:fetch|axios|request|http\.get)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/g,
+            severity: 'high',
+            title: 'Potential Server-Side Request Forgery',
+            description: 'User input used in server-side HTTP request',
+            cwe: 'CWE-918',
+            owasp: 'A10:2021-SSRF',
+            remediation: 'Validate URLs against whitelist, block internal IPs'
+        },
+        // Prototype Pollution
+        {
+            type: 'prototype-pollution',
+            pattern: /\[(?:req\.|params\.|query\.|body\.)[^\]]+\]\s*=/g,
+            severity: 'high',
+            title: 'Potential Prototype Pollution',
+            description: 'User-controlled object key assignment',
+            cwe: 'CWE-1321',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Validate keys against whitelist, use Object.create(null)'
+        },
+        {
+            type: 'prototype-pollution',
+            pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(?:req\.|params\.|query\.|body\.)/g,
+            severity: 'medium',
+            title: 'Object.assign with User Input',
+            description: 'Merging user input can lead to prototype pollution',
+            cwe: 'CWE-1321',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Use structured cloning or explicit property copying'
+        },
+        // Regex DoS
+        {
+            type: 'regex-dos',
+            pattern: /new RegExp\s*\([^)]*(?:req\.|params\.|query\.|body\.)/g,
+            severity: 'medium',
+            title: 'ReDoS via User Input',
+            description: 'User-controlled regex can cause denial of service',
+            cwe: 'CWE-1333',
+            owasp: 'A03:2021-Injection',
+            remediation: 'Avoid user input in regex, use safe-regex library'
+        },
+        // Sensitive Data Exposure
+        {
+            type: 'sensitive-data-exposure',
+            pattern: /console\.log\s*\([^)]*(?:password|secret|token|key|credential|auth)/gi,
+            severity: 'medium',
+            title: 'Sensitive Data in Logs',
+            description: 'Sensitive information may be exposed in logs',
+            cwe: 'CWE-532',
+            owasp: 'A09:2021-Security Logging Failures',
+            remediation: 'Remove sensitive data from logs, use masking'
+        },
+        // Missing Security Headers
+        {
+            type: 'security-misconfiguration',
+            pattern: /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/g,
+            severity: 'medium',
+            title: 'Overly Permissive CORS',
+            description: 'CORS allows any origin',
+            cwe: 'CWE-942',
+            owasp: 'A05:2021-Security Misconfiguration',
+            remediation: 'Specify allowed origins explicitly'
+        },
+        // Insecure Deserialization
+        {
+            type: 'insecure-deserialization',
+            pattern: /eval\s*\(/g,
+            severity: 'critical',
+            title: 'Use of eval()',
+            description: 'eval() can execute arbitrary code',
+            cwe: 'CWE-95',
+            owasp: 'A08:2021-Software and Data Integrity',
+            remediation: 'Avoid eval(), use JSON.parse() or safer alternatives'
+        },
+        {
+            type: 'insecure-deserialization',
+            pattern: /new Function\s*\(/g,
+            severity: 'high',
+            title: 'Dynamic Function Creation',
+            description: 'new Function() can execute arbitrary code',
+            cwe: 'CWE-95',
+            owasp: 'A08:2021-Software and Data Integrity',
+            remediation: 'Avoid dynamic code execution'
+        }
+    ];
+    secretPatterns = [
+        // API Keys
+        {
+            type: 'api-key',
+            pattern: /['"](?:api[_-]?key|apikey)\s*['"]\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi,
+            confidence: 'high'
+        },
+        {
+            type: 'api-key',
+            pattern: /(?:OPENAI|ANTHROPIC|DEEPSEEK|STRIPE|SENDGRID|TWILIO|GITHUB|GITLAB)[_]?(?:API)?[_]?KEY\s*[:=]\s*['"][^'"]+['"]/gi,
+            confidence: 'high'
+        },
+        // AWS
+        {
+            type: 'aws-key',
+            pattern: /AKIA[0-9A-Z]{16}/g,
+            confidence: 'high'
+        },
+        {
+            type: 'aws-key',
+            pattern: /aws[_-]?(?:secret|access)[_-]?key\s*[:=]\s*['"][^'"]{20,}['"]/gi,
+            confidence: 'high'
+        },
+        // Passwords
+        {
+            type: 'password',
+            pattern: /['"]?(?:password|passwd|pwd)\s*['"]\s*[:=]\s*['"][^'"]{8,}['"]/gi,
+            confidence: 'high'
+        },
+        {
+            type: 'password',
+            pattern: /(?:DB|DATABASE|MYSQL|POSTGRES|MONGO)[_]?PASSWORD\s*[:=]\s*['"][^'"]+['"]/gi,
+            confidence: 'high'
+        },
+        // Private Keys
+        {
+            type: 'private-key',
+            pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g,
+            confidence: 'high'
+        },
+        {
+            type: 'private-key',
+            pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/g,
+            confidence: 'high'
+        },
+        // JWT
+        {
+            type: 'jwt-secret',
+            pattern: /(?:jwt|jws)[_-]?secret\s*[:=]\s*['"][^'"]{10,}['"]/gi,
+            confidence: 'high'
+        },
+        {
+            type: 'jwt-secret',
+            pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g,
+            confidence: 'medium'
+        },
+        // Database URLs
+        {
+            type: 'database-url',
+            pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@[^\s'"]+/gi,
+            confidence: 'high'
+        },
+        // OAuth
+        {
+            type: 'oauth-secret',
+            pattern: /(?:client|app)[_-]?secret\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi,
+            confidence: 'high'
+        },
+        // Generic Secrets
+        {
+            type: 'generic-secret',
+            pattern: /['"]?secret[_-]?(?:key|token)?\s*['"]\s*[:=]\s*['"][^'"]{10,}['"]/gi,
+            confidence: 'medium'
+        },
+        {
+            type: 'generic-secret',
+            pattern: /['"]?(?:auth|access)[_-]?token\s*['"]\s*[:=]\s*['"][^'"]{20,}['"]/gi,
+            confidence: 'medium'
+        }
+    ];
+    /**
+     * Анализ безопасности
+     */
+    async analyze(fileContents) {
+        Logger.progress('Analyzing security vulnerabilities...');
+        const vulnerabilities = [];
+        const secrets = [];
+        let idCounter = 0;
+        for (const [filePath, content] of fileContents) {
+            // Пропускаем не-исходные файлы
+            if (!filePath.match(/\.(ts|js|tsx|jsx|py|rb|php|java|go)$/))
+                continue;
+            const lines = content.split('\n');
+            // Проверяем паттерны уязвимостей
+            for (const pattern of this.vulnerabilityPatterns) {
+                const matches = content.matchAll(pattern.pattern);
+                for (const match of matches) {
+                    // Проверяем контекст если нужно
+                    if (pattern.contextCheck) {
+                        const contextStart = Math.max(0, (match.index || 0) - 100);
+                        const contextEnd = Math.min(content.length, (match.index || 0) + 200);
+                        const context = content.substring(contextStart, contextEnd);
+                        if (!pattern.contextCheck(context, match))
+                            continue;
+                    }
+                    const line = this.getLineNumber(content, match.index || 0);
+                    const codeLine = lines[line - 1] || '';
+                    vulnerabilities.push({
+                        id: `SEC-${++idCounter}`,
+                        type: pattern.type,
+                        severity: pattern.severity,
+                        title: pattern.title,
+                        description: pattern.description,
+                        file: filePath,
+                        line,
+                        code: codeLine.trim().substring(0, 100),
+                        cwe: pattern.cwe,
+                        owasp: pattern.owasp,
+                        remediation: pattern.remediation
+                    });
+                }
+            }
+            // Проверяем секреты
+            for (const pattern of this.secretPatterns) {
+                const matches = content.matchAll(pattern.pattern);
+                for (const match of matches) {
+                    const line = this.getLineNumber(content, match.index || 0);
+                    const codeLine = lines[line - 1] || '';
+                    // Пропускаем если это комментарий или пример
+                    if (codeLine.trim().startsWith('//') || codeLine.trim().startsWith('#'))
+                        continue;
+                    if (codeLine.includes('example') || codeLine.includes('placeholder'))
+                        continue;
+                    if (codeLine.includes('process.env') || codeLine.includes('getenv'))
+                        continue;
+                    secrets.push({
+                        type: pattern.type,
+                        file: filePath,
+                        line,
+                        preview: this.maskSecret(match[0]),
+                        confidence: pattern.confidence
+                    });
+                }
+            }
+        }
+        // Убираем дубликаты
+        const uniqueVulns = this.deduplicateVulnerabilities(vulnerabilities);
+        const uniqueSecrets = this.deduplicateSecrets(secrets);
+        const summary = this.calculateSummary(uniqueVulns, uniqueSecrets);
+        Logger.success(`Security analysis complete: ${uniqueVulns.length} vulnerabilities, ${uniqueSecrets.length} secrets`);
+        return {
+            vulnerabilities: uniqueVulns,
+            secrets: uniqueSecrets,
+            summary
+        };
+    }
+    /**
+     * Получить номер строки по индексу
+     */
+    getLineNumber(content, index) {
+        return content.substring(0, index).split('\n').length;
+    }
+    /**
+     * Маскировка секрета
+     */
+    maskSecret(secret) {
+        if (secret.length <= 10) {
+            return '*'.repeat(secret.length);
+        }
+        const visible = 4;
+        return secret.substring(0, visible) + '*'.repeat(secret.length - visible * 2) + secret.substring(secret.length - visible);
+    }
+    /**
+     * Удаление дубликатов уязвимостей
+     */
+    deduplicateVulnerabilities(vulnerabilities) {
+        const seen = new Set();
+        return vulnerabilities.filter(v => {
+            const key = `${v.file}:${v.line}:${v.type}`;
+            if (seen.has(key))
+                return false;
+            seen.add(key);
+            return true;
+        });
+    }
+    /**
+     * Удаление дубликатов секретов
+     */
+    deduplicateSecrets(secrets) {
+        const seen = new Set();
+        return secrets.filter(s => {
+            const key = `${s.file}:${s.line}:${s.type}`;
+            if (seen.has(key))
+                return false;
+            seen.add(key);
+            return true;
+        });
+    }
+    /**
+     * Подсчёт статистики
+     */
+    calculateSummary(vulnerabilities, secrets) {
+        const critical = vulnerabilities.filter(v => v.severity === 'critical').length;
+        const high = vulnerabilities.filter(v => v.severity === 'high').length;
+        const medium = vulnerabilities.filter(v => v.severity === 'medium').length;
+        const low = vulnerabilities.filter(v => v.severity === 'low').length;
+        // Risk Score: 0-100 (выше = хуже)
+        const riskScore = Math.min(100, Math.round(critical * 25 + high * 15 + medium * 5 + low * 1 +
+            secrets.filter(s => s.confidence === 'high').length * 20 +
+            secrets.filter(s => s.confidence === 'medium').length * 10));
+        let grade;
+        if (riskScore === 0) {
+            grade = 'A';
+        }
+        else if (riskScore <= 20) {
+            grade = 'B';
+        }
+        else if (riskScore <= 50) {
+            grade = 'C';
+        }
+        else if (riskScore <= 80) {
+            grade = 'D';
+        }
+        else {
+            grade = 'F';
+        }
+        return {
+            totalVulnerabilities: vulnerabilities.length,
+            critical,
+            high,
+            medium,
+            low,
+            secretsFound: secrets.length,
+            riskScore,
+            grade
+        };
+    }
+}
+//# sourceMappingURL=security.js.map

package/dist/architecture/index.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Architecture Knowledge Layer
+ *
+ * Слой архитектурных знаний:
+ * - Bounded Contexts (границы контекстов)
+ * - Domain Entities (доменные сущности)
+ * - Architectural Rules (архитектурные правила)
+ * - Invariants (инварианты)
+ */
+import { ArchitectureModel, BoundedContext, DomainEntity, ArchitecturalRule, Invariant, RuleViolation, ValidationContext } from '../types/index.js';
+export declare class ArchitectureKnowledge {
+    private model;
+    private configPath;
+    constructor(configPath?: string);
+    load(): Promise<void>;
+    save(): Promise<void>;
+    getModel(): ArchitectureModel;
+    addBoundedContext(context: BoundedContext): void;
+    addEntity(entity: DomainEntity): void;
+    addRule(rule: ArchitecturalRule): void;
+    addInvariant(invariant: Invariant): void;
+    validateArchitecture(context: ValidationContext): RuleViolation[];
+    private validateBoundedContexts;
+    private validateInvariants;
+    private checkDependency;
+    getBoundedContext(name: string): BoundedContext | undefined;
+    getEntity(name: string): DomainEntity | undefined;
+    getContextForFile(filePath: string): BoundedContext | null;
+    private initializeDefaults;
+    private createDefaultRules;
+    private detectCircularDependencies;
+    generateReport(): string;
+}
+export * from '../types/index.js';
+//# sourceMappingURL=index.d.ts.map