archicore 0.2.0 → 0.2.2

package/dist/server/routes/report-issue.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Report Issue Routes
+ *
+ * API for submitting bug reports and feedback
+ */
+export declare const reportIssueRouter: import("express-serve-static-core").Router;
+//# sourceMappingURL=report-issue.d.ts.map

package/dist/server/routes/report-issue.js

@@ -0,0 +1,307 @@
+/**
+ * Report Issue Routes
+ *
+ * API for submitting bug reports and feedback
+ */
+import { Router } from 'express';
+import multer from 'multer';
+import path from 'path';
+import fs from 'fs/promises';
+import { Logger } from '../../utils/logger.js';
+export const reportIssueRouter = Router();
+// Directory for storing reports
+const REPORTS_DIR = process.env.REPORTS_DIR || path.join('.archicore', 'reports');
+// File signature (magic bytes) validation
+const FILE_SIGNATURES = {
+    'image/png': { magic: [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A], ext: '.png' },
+    'image/jpeg': { magic: [0xFF, 0xD8, 0xFF], ext: '.jpg' },
+    'image/gif': { magic: [0x47, 0x49, 0x46, 0x38], ext: '.gif' }, // GIF87a or GIF89a
+    'application/pdf': { magic: [0x25, 0x50, 0x44, 0x46], ext: '.pdf' } // %PDF
+};
+/**
+ * Validate file by checking magic bytes (file signature)
+ * Prevents MIME type spoofing attacks
+ */
+function validateFileSignature(buffer) {
+    for (const [mimeType, { magic, ext }] of Object.entries(FILE_SIGNATURES)) {
+        if (buffer.length >= magic.length) {
+            const matches = magic.every((byte, index) => buffer[index] === byte);
+            if (matches) {
+                return { valid: true, detectedType: mimeType, ext };
+            }
+        }
+    }
+    return { valid: false, detectedType: null, ext: null };
+}
+/**
+ * Sanitize filename - remove path traversal attempts and dangerous characters
+ * @deprecated Use validated extension from FILE_SIGNATURES instead
+ */
+function _sanitizeFilename(filename) {
+    // Remove path components
+    const basename = path.basename(filename);
+    // Remove null bytes and other dangerous characters
+    return basename
+        .replace(/\0/g, '')
+        .replace(/[<>:"/\\|?*]/g, '_')
+        .replace(/\.{2,}/g, '.'); // Prevent ..
+}
+void _sanitizeFilename; // Prevent unused warning
+// Multer config for screenshot uploads
+const upload = multer({
+    storage: multer.memoryStorage(),
+    limits: {
+        fileSize: 10 * 1024 * 1024 // 10MB max
+    },
+    fileFilter: (_req, file, cb) => {
+        // First check - MIME type (can be spoofed, but filters obvious garbage)
+        const allowedTypes = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];
+        if (!allowedTypes.includes(file.mimetype)) {
+            cb(new Error('Invalid file type. Allowed: PNG, JPG, GIF, PDF'));
+            return;
+        }
+        // Real validation happens after upload when we can check magic bytes
+        cb(null, true);
+    }
+});
+/**
+ * POST /api/report-issue
+ * Submit a new issue report
+ */
+reportIssueRouter.post('/', upload.single('screenshot'), async (req, res) => {
+    try {
+        const { description, category, priority, email, additionalInfo } = req.body;
+        // Validate required fields
+        if (!description || !category || !priority) {
+            res.status(400).json({
+                error: 'Missing required fields'
+            });
+            return;
+        }
+        // Whitelist validation - only allow known categories and priorities
+        const allowedCategories = ['bug', 'analysis', 'performance', 'ui', 'github', 'feature', 'other'];
+        const allowedPriorities = ['critical', 'high', 'medium', 'low'];
+        if (!allowedCategories.includes(category)) {
+            res.status(400).json({ error: 'Invalid category' });
+            return;
+        }
+        if (!allowedPriorities.includes(priority)) {
+            res.status(400).json({ error: 'Invalid priority' });
+            return;
+        }
+        // Basic email validation if provided
+        if (email && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+            res.status(400).json({ error: 'Invalid email format' });
+            return;
+        }
+        // Generate unique ID
+        const reportId = `report_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+        // Ensure reports directory exists
+        await fs.mkdir(REPORTS_DIR, { recursive: true });
+        // Save screenshot if provided (with security validation)
+        let screenshotFilename;
+        if (req.file) {
+            // Validate file signature (magic bytes) - prevents MIME spoofing
+            const validation = validateFileSignature(req.file.buffer);
+            if (!validation.valid) {
+                Logger.warn(`Invalid file signature detected for report ${reportId}. Claimed: ${req.file.mimetype}`);
+                res.status(400).json({
+                    error: 'Invalid file content',
+                    message: 'File does not match expected format. Please upload a valid PNG, JPG, GIF, or PDF.'
+                });
+                return;
+            }
+            // Use extension from validated file type, NOT from user input
+            const safeExt = validation.ext;
+            screenshotFilename = `${reportId}${safeExt}`;
+            const screenshotPath = path.join(REPORTS_DIR, 'screenshots', screenshotFilename);
+            // Verify path doesn't escape reports directory (defense in depth)
+            const resolvedPath = path.resolve(screenshotPath);
+            const screenshotsDir = path.resolve(REPORTS_DIR, 'screenshots');
+            if (!resolvedPath.startsWith(screenshotsDir)) {
+                Logger.warn(`Path traversal attempt detected for report ${reportId}`);
+                res.status(400).json({ error: 'Invalid request' });
+                return;
+            }
+            await fs.mkdir(path.join(REPORTS_DIR, 'screenshots'), { recursive: true });
+            await fs.writeFile(screenshotPath, req.file.buffer);
+            Logger.debug(`Screenshot saved for report ${reportId}`);
+        }
+        // Create report object - only store safe, non-sensitive data
+        const report = {
+            id: reportId,
+            description: description.substring(0, 10000), // Limit description length
+            category,
+            priority,
+            email: email || undefined,
+            additionalInfo: additionalInfo?.substring(0, 5000) || undefined,
+            hasScreenshot: !!screenshotFilename,
+            screenshotFilename, // Only filename, not full path
+            timestamp: new Date().toISOString(),
+            status: 'new'
+        };
+        // Save report to JSON file
+        const reportPath = path.join(REPORTS_DIR, `${reportId}.json`);
+        await fs.writeFile(reportPath, JSON.stringify(report, null, 2));
+        Logger.info(`New issue report submitted: ${reportId} (${category}/${priority})`);
+        // Optional: Send notification (webhook, email, etc.)
+        await sendNotification(report);
+        res.json({
+            success: true,
+            reportId,
+            message: 'Report submitted successfully'
+        });
+    }
+    catch (error) {
+        // Log full error internally, but don't expose details to client
+        Logger.error('Failed to submit report:', error);
+        if (error instanceof multer.MulterError) {
+            if (error.code === 'LIMIT_FILE_SIZE') {
+                res.status(413).json({ error: 'Screenshot too large. Maximum size is 10MB.' });
+                return;
+            }
+        }
+        // Generic error message - never expose internal error details
+        res.status(500).json({
+            error: 'Failed to submit report. Please try again later.'
+        });
+    }
+});
+/**
+ * GET /api/report-issue/list
+ * Get list of reports (admin only)
+ */
+reportIssueRouter.get('/list', async (req, res) => {
+    try {
+        // Basic auth check - in production use proper admin middleware
+        const adminKey = req.headers['x-admin-key'];
+        if (adminKey !== process.env.ADMIN_SECRET) {
+            res.status(403).json({ error: 'Admin access required' });
+            return;
+        }
+        const files = await fs.readdir(REPORTS_DIR).catch(() => []);
+        const reports = [];
+        for (const file of files) {
+            if (file.endsWith('.json')) {
+                const content = await fs.readFile(path.join(REPORTS_DIR, file), 'utf-8');
+                reports.push(JSON.parse(content));
+            }
+        }
+        // Sort by timestamp descending
+        reports.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+        res.json({ reports, total: reports.length });
+    }
+    catch (error) {
+        Logger.error('Failed to list reports:', error);
+        res.status(500).json({ error: 'Failed to list reports' });
+    }
+});
+/**
+ * PATCH /api/report-issue/:id/status
+ * Update report status (admin only)
+ */
+reportIssueRouter.patch('/:id/status', async (req, res) => {
+    try {
+        const adminKey = req.headers['x-admin-key'];
+        if (adminKey !== process.env.ADMIN_SECRET) {
+            res.status(403).json({ error: 'Admin access required' });
+            return;
+        }
+        const { id } = req.params;
+        const { status } = req.body;
+        if (!['new', 'reviewed', 'resolved'].includes(status)) {
+            res.status(400).json({ error: 'Invalid status' });
+            return;
+        }
+        const reportPath = path.join(REPORTS_DIR, `${id}.json`);
+        const content = await fs.readFile(reportPath, 'utf-8');
+        const report = JSON.parse(content);
+        report.status = status;
+        await fs.writeFile(reportPath, JSON.stringify(report, null, 2));
+        res.json({ success: true, report });
+    }
+    catch (error) {
+        Logger.error('Failed to update report status:', error);
+        res.status(500).json({ error: 'Failed to update status' });
+    }
+});
+/**
+ * Send notification about new report (optional integrations)
+ */
+async function sendNotification(report) {
+    // Discord webhook
+    const discordWebhook = process.env.DISCORD_WEBHOOK_URL;
+    if (discordWebhook) {
+        try {
+            const priorityColors = {
+                critical: 0xff0000,
+                high: 0xff6600,
+                medium: 0xffcc00,
+                low: 0x00cc00
+            };
+            await fetch(discordWebhook, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    embeds: [{
+                            title: `New Issue Report: ${report.category}`,
+                            description: report.description.substring(0, 500),
+                            color: priorityColors[report.priority] || 0x808080,
+                            fields: [
+                                { name: 'Priority', value: report.priority, inline: true },
+                                { name: 'Category', value: report.category, inline: true },
+                                { name: 'Report ID', value: report.id, inline: false }
+                            ],
+                            timestamp: report.timestamp
+                        }]
+                })
+            });
+        }
+        catch (err) {
+            Logger.warn('Failed to send Discord notification:', err);
+        }
+    }
+    // Slack webhook
+    const slackWebhook = process.env.SLACK_WEBHOOK_URL;
+    if (slackWebhook) {
+        try {
+            await fetch(slackWebhook, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    text: `*New Issue Report*\n*Category:* ${report.category}\n*Priority:* ${report.priority}\n*Description:* ${report.description.substring(0, 200)}...`
+                })
+            });
+        }
+        catch (err) {
+            Logger.warn('Failed to send Slack notification:', err);
+        }
+    }
+    // Telegram bot
+    const telegramToken = process.env.TELEGRAM_BOT_TOKEN;
+    const telegramChatId = process.env.TELEGRAM_CHAT_ID;
+    if (telegramToken && telegramChatId) {
+        try {
+            const priorityEmoji = {
+                critical: '🔴',
+                high: '🟠',
+                medium: '🟡',
+                low: '🟢'
+            };
+            const message = `${priorityEmoji[report.priority] || '⚪'} *New Issue Report*\n\n*Category:* ${report.category}\n*Priority:* ${report.priority}\n*Description:* ${report.description.substring(0, 300)}...\n\n_ID: ${report.id}_`;
+            await fetch(`https://api.telegram.org/bot${telegramToken}/sendMessage`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    chat_id: telegramChatId,
+                    text: message,
+                    parse_mode: 'Markdown'
+                })
+            });
+        }
+        catch (err) {
+            Logger.warn('Failed to send Telegram notification:', err);
+        }
+    }
+}
+//# sourceMappingURL=report-issue.js.map

package/dist/server/services/audit-service.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Audit Log Service for ArchiCore
+ *
+ * Logs user actions for security and compliance purposes
+ * Supports PostgreSQL (primary) with JSON file fallback
+ */
+export type AuditAction = 'auth.login' | 'auth.logout' | 'auth.register' | 'auth.password_change' | 'auth.device_login' | 'user.update' | 'user.tier_change' | 'user.delete' | 'project.create' | 'project.delete' | 'project.analyze' | 'project.simulate' | 'project.ask' | 'project.docs' | 'github.connect' | 'github.disconnect' | 'github.repo_connect' | 'github.repo_disconnect' | 'github.webhook_received' | 'api.key_create' | 'api.key_revoke' | 'api.request' | 'admin.login' | 'admin.user_update' | 'admin.user_delete' | 'admin.tier_change' | 'admin.view_logs';
+export type AuditSeverity = 'info' | 'warning' | 'critical';
+export interface AuditLogEntry {
+    id: string;
+    timestamp: Date;
+    userId?: string;
+    username?: string;
+    action: AuditAction;
+    severity: AuditSeverity;
+    ip?: string;
+    userAgent?: string;
+    details?: Record<string, any>;
+    success: boolean;
+    errorMessage?: string;
+}
+export interface AuditLogQuery {
+    userId?: string;
+    action?: AuditAction;
+    severity?: AuditSeverity;
+    startDate?: Date;
+    endDate?: Date;
+    success?: boolean;
+    limit?: number;
+    offset?: number;
+}
+export declare class AuditService {
+    private dataDir;
+    private logs;
+    private jsonInitialized;
+    private saveTimeout;
+    constructor(dataDir?: string);
+    private useDatabase;
+    private ensureJsonInitialized;
+    private saveJson;
+    private generateId;
+    private getSeverity;
+    private rowToEntry;
+    /**
+     * Log an action
+     */
+    log(params: {
+        userId?: string;
+        username?: string;
+        action: AuditAction;
+        ip?: string;
+        userAgent?: string;
+        details?: Record<string, any>;
+        success?: boolean;
+        errorMessage?: string;
+    }): Promise<AuditLogEntry>;
+    /**
+     * Query audit logs
+     */
+    query(params?: AuditLogQuery): Promise<{
+        logs: AuditLogEntry[];
+        total: number;
+    }>;
+    /**
+     * Get recent logs for a user
+     */
+    getUserLogs(userId: string, limit?: number): Promise<AuditLogEntry[]>;
+    /**
+     * Get failed login attempts for an IP
+     */
+    getFailedLogins(ip: string, since: Date): Promise<number>;
+    /**
+     * Get statistics
+     */
+    getStats(days?: number): Promise<{
+        totalActions: number;
+        uniqueUsers: number;
+        failedLogins: number;
+        criticalEvents: number;
+        actionCounts: Record<string, number>;
+    }>;
+    /**
+     * Clear old logs (retention policy)
+     */
+    cleanup(retentionDays?: number): Promise<number>;
+}
+export declare const auditService: AuditService;
+//# sourceMappingURL=audit-service.d.ts.map