aura-security 0.4.0

package/dist/integrations/slop-scanner.d.ts

@@ -0,0 +1,69 @@
+/**
+ * SLOP Protocol Scanner
+ *
+ * Wrapper that uses the SLOP Protocol multi-agent architecture
+ * while maintaining backward compatibility with the existing scanner interface.
+ */
+import { orchestrator, OrchestratorResult } from '../orchestrator/index.js';
+import { ZoneFinding } from '../zones/types.js';
+import type { LocalScanResult } from './local-scanner.js';
+export interface SlopScanConfig {
+    targetPath: string;
+    fullScan?: boolean;
+    enableScannerZone?: boolean;
+    enablePolicyZone?: boolean;
+}
+export interface SlopScanResult {
+    legacy: LocalScanResult;
+    slop: {
+        zones: Array<{
+            id: string;
+            name: string;
+            type: string;
+            color: string;
+            status: string;
+            findingCount: number;
+            duration: number;
+        }>;
+        agents: Array<{
+            id: string;
+            name: string;
+            role: string;
+            status: string;
+            findingCount: number;
+            duration: number;
+        }>;
+        findings: ZoneFinding[];
+        summary: OrchestratorResult['summary'];
+    };
+}
+/**
+ * Run a security scan using the SLOP Protocol architecture
+ */
+export declare function slopScan(config: SlopScanConfig): Promise<SlopScanResult>;
+/**
+ * Get orchestrator state for visualization
+ */
+export declare function getSlopState(): {
+    zones: Array<{
+        id: string;
+        name: string;
+        type: string;
+        color: string;
+        status: import("../zones/types.js").ZoneStatus;
+        agentCount: number;
+        findingCount: number;
+    }>;
+    agents: Array<{
+        id: string;
+        name: string;
+        role: string;
+        zoneId: string | null;
+        status: string;
+    }>;
+};
+/**
+ * Get available agents
+ */
+export declare function getAvailableAgents(): Promise<import("../agents/types.js").Agent[]>;
+export { orchestrator };

package/dist/integrations/slop-scanner.js

@@ -0,0 +1,155 @@
+/**
+ * SLOP Protocol Scanner
+ *
+ * Wrapper that uses the SLOP Protocol multi-agent architecture
+ * while maintaining backward compatibility with the existing scanner interface.
+ */
+import * as os from 'os';
+import { orchestrator } from '../orchestrator/index.js';
+/**
+ * Run a security scan using the SLOP Protocol architecture
+ */
+export async function slopScan(config) {
+    console.log('[SLOP] Starting SLOP Protocol scan...');
+    console.log(`[SLOP] Target: ${config.targetPath}`);
+    // Run orchestrator
+    const result = config.fullScan !== false
+        ? await orchestrator.fullScan(config.targetPath)
+        : await orchestrator.quickScan(config.targetPath);
+    console.log(`[SLOP] Scan complete in ${result.duration}ms`);
+    console.log(`[SLOP] Agents used: ${result.summary.agentsUsed.join(', ')}`);
+    console.log(`[SLOP] Total findings: ${result.summary.totalFindings}`);
+    // Convert to legacy format
+    const legacy = convertToLegacyFormat(result);
+    // Build SLOP format with zone info
+    const zones = Array.from(result.zoneResults.entries()).map(([zoneId, zoneResult]) => ({
+        id: zoneId,
+        name: zoneResult.zoneName,
+        type: zoneResult.zoneType,
+        color: getZoneColor(zoneResult.zoneType),
+        status: zoneResult.status,
+        findingCount: zoneResult.findings.length,
+        duration: zoneResult.duration,
+    }));
+    const agents = Array.from(result.zoneResults.values()).flatMap((zoneResult) => zoneResult.agentResults.map((agentResult) => ({
+        id: agentResult.agentId,
+        name: agentResult.agentName,
+        role: getAgentRole(agentResult.agentId),
+        status: agentResult.status,
+        findingCount: agentResult.findings.length,
+        duration: agentResult.duration,
+    })));
+    return {
+        legacy,
+        slop: {
+            zones,
+            agents,
+            findings: result.findings,
+            summary: result.summary,
+        },
+    };
+}
+/**
+ * Convert orchestrator result to legacy LocalScanResult format
+ */
+function convertToLegacyFormat(result) {
+    const secrets = [];
+    const packages = [];
+    const sastFindings = [];
+    const iacFindings = [];
+    for (const finding of result.findings) {
+        if (finding.type === 'secret') {
+            secrets.push({
+                file: finding.file || '',
+                line: finding.line || 0,
+                type: finding.title,
+                snippet: finding.metadata?.match || '***',
+                severity: finding.severity,
+            });
+        }
+        else if (finding.type === 'vulnerability') {
+            packages.push({
+                name: finding.metadata?.package || finding.title,
+                version: finding.metadata?.installedVersion || finding.metadata?.version || 'unknown',
+                vulnerabilities: 1,
+                severity: finding.severity,
+                vulnId: finding.metadata?.vulnerabilityId || undefined,
+                title: finding.title,
+                fixedVersion: finding.metadata?.fixedVersion || finding.metadata?.fixVersions?.[0],
+            });
+        }
+        else if (finding.type === 'policy_violation') {
+            // Map policy violations to SAST findings
+            sastFindings.push({
+                file: finding.file || '',
+                line: finding.line || 0,
+                rule: finding.title,
+                message: finding.description,
+                severity: finding.severity,
+            });
+        }
+    }
+    return {
+        path: result.targetPath,
+        timestamp: new Date().toISOString(),
+        secrets,
+        packages,
+        sastFindings,
+        iacFindings,
+        dockerfileFindings: [],
+        gitInfo: null,
+        envFiles: [],
+        systemInfo: {
+            platform: process.platform,
+            hostname: os.hostname(),
+            user: os.userInfo().username,
+            nodeVersion: process.version,
+            cwd: process.cwd(),
+        },
+        discoveredServices: [],
+        discoveredModules: [],
+        toolsUsed: result.summary.agentsUsed,
+        languagesDetected: [],
+    };
+}
+function getZoneColor(zoneType) {
+    switch (zoneType) {
+        case 'scanner':
+            return '#22c55e'; // Green
+        case 'policy':
+            return '#ef4444'; // Red
+        case 'reporting':
+            return '#3b82f6'; // Blue
+        default:
+            return '#888888';
+    }
+}
+function getAgentRole(agentId) {
+    const scannerAgents = ['gitleaks', 'trivy', 'semgrep', 'grype', 'npm-audit'];
+    const policyAgents = ['policy-evaluator', 'validator'];
+    const reporterAgents = ['sarif-reporter'];
+    const notifierAgents = ['slack-notifier', 'discord-notifier'];
+    if (scannerAgents.includes(agentId))
+        return 'scanner';
+    if (policyAgents.includes(agentId))
+        return 'policy';
+    if (reporterAgents.includes(agentId))
+        return 'reporter';
+    if (notifierAgents.includes(agentId))
+        return 'notifier';
+    return 'unknown';
+}
+/**
+ * Get orchestrator state for visualization
+ */
+export function getSlopState() {
+    return orchestrator.getState();
+}
+/**
+ * Get available agents
+ */
+export async function getAvailableAgents() {
+    return orchestrator.getAvailableAgents();
+}
+// Export orchestrator for direct access
+export { orchestrator };

package/dist/integrations/webhook.d.ts

@@ -0,0 +1,37 @@
+import type { AuditorInput } from '../types/events.js';
+export interface WebhookConfig {
+    port: number;
+    secret?: string;
+    allowedSources?: string[];
+}
+export interface WebhookEvent {
+    source: 'github' | 'gitlab' | 'jenkins' | 'custom';
+    type: string;
+    payload: Record<string, unknown>;
+    timestamp: string;
+    signature?: string;
+}
+export type WebhookHandler = (event: WebhookEvent) => Promise<AuditorInput | null>;
+export declare class WebhookServer {
+    private server;
+    private config;
+    private handlers;
+    private onAuditRequest;
+    constructor(config: WebhookConfig);
+    registerHandler(eventType: string, handler: WebhookHandler): void;
+    onAudit(callback: (input: AuditorInput) => Promise<void>): void;
+    private handleRequest;
+    private detectSource;
+    private getSignature;
+    private getEventType;
+    private verifySignature;
+    private readBody;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+}
+export declare const defaultHandlers: {
+    'github:pull_request': (event: WebhookEvent) => Promise<AuditorInput | null>;
+    'github:push': (event: WebhookEvent) => Promise<AuditorInput | null>;
+    'gitlab:merge_request': (event: WebhookEvent) => Promise<AuditorInput | null>;
+    'jenkins:build': (event: WebhookEvent) => Promise<AuditorInput | null>;
+};

package/dist/integrations/webhook.js

@@ -0,0 +1,256 @@
+// Webhook Server - Receive events from external systems
+// Supports GitHub, GitLab, Jenkins, and custom webhooks
+import { createServer } from 'http';
+import { createHmac } from 'crypto';
+export class WebhookServer {
+    server = null;
+    config;
+    handlers = new Map();
+    onAuditRequest = null;
+    constructor(config) {
+        this.config = config;
+    }
+    // Register handler for specific event types
+    registerHandler(eventType, handler) {
+        this.handlers.set(eventType, handler);
+    }
+    // Set callback for when audit should be triggered
+    onAudit(callback) {
+        this.onAuditRequest = callback;
+    }
+    async handleRequest(req, res) {
+        // CORS
+        res.setHeader('Access-Control-Allow-Origin', '*');
+        res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-Hub-Signature-256, X-GitLab-Token');
+        res.setHeader('Content-Type', 'application/json');
+        if (req.method === 'OPTIONS') {
+            res.statusCode = 204;
+            res.end();
+            return;
+        }
+        if (req.method !== 'POST') {
+            res.statusCode = 405;
+            res.end(JSON.stringify({ error: 'Method not allowed' }));
+            return;
+        }
+        const url = new URL(req.url ?? '/', `http://${req.headers.host}`);
+        const path = url.pathname;
+        try {
+            const body = await this.readBody(req);
+            const payload = JSON.parse(body);
+            // Detect source and verify signature
+            const source = this.detectSource(req, path);
+            const signature = this.getSignature(req);
+            if (this.config.secret && !this.verifySignature(body, signature, source)) {
+                res.statusCode = 401;
+                res.end(JSON.stringify({ error: 'Invalid signature' }));
+                return;
+            }
+            // Create webhook event
+            const event = {
+                source,
+                type: this.getEventType(req, source, payload),
+                payload,
+                timestamp: new Date().toISOString(),
+                signature
+            };
+            console.log(`[Webhook] Received ${event.source}:${event.type}`);
+            // Find handler
+            const handler = this.handlers.get(`${event.source}:${event.type}`) ||
+                this.handlers.get(event.source) ||
+                this.handlers.get('*');
+            if (handler) {
+                const auditInput = await handler(event);
+                if (auditInput && this.onAuditRequest) {
+                    await this.onAuditRequest(auditInput);
+                    res.statusCode = 200;
+                    res.end(JSON.stringify({ status: 'audit_triggered', event_id: auditInput.change_event.id }));
+                    return;
+                }
+            }
+            res.statusCode = 200;
+            res.end(JSON.stringify({ status: 'received', processed: !!handler }));
+        }
+        catch (err) {
+            console.error('[Webhook] Error:', err);
+            res.statusCode = 500;
+            res.end(JSON.stringify({ error: 'Internal error' }));
+        }
+    }
+    detectSource(req, path) {
+        if (req.headers['x-github-event'] || path.includes('github'))
+            return 'github';
+        if (req.headers['x-gitlab-event'] || path.includes('gitlab'))
+            return 'gitlab';
+        if (req.headers['x-jenkins-event'] || path.includes('jenkins'))
+            return 'jenkins';
+        return 'custom';
+    }
+    getSignature(req) {
+        return req.headers['x-hub-signature-256'] ||
+            req.headers['x-gitlab-token'] ||
+            req.headers['x-signature'];
+    }
+    getEventType(req, source, payload) {
+        if (source === 'github') {
+            return req.headers['x-github-event'] || 'unknown';
+        }
+        if (source === 'gitlab') {
+            return payload.object_kind || req.headers['x-gitlab-event'] || 'unknown';
+        }
+        if (source === 'jenkins') {
+            const build = payload.build;
+            return build?.phase || 'build';
+        }
+        return payload.type || 'unknown';
+    }
+    verifySignature(body, signature, source) {
+        if (!signature || !this.config.secret)
+            return false;
+        if (source === 'github') {
+            const expected = 'sha256=' + createHmac('sha256', this.config.secret).update(body).digest('hex');
+            return signature === expected;
+        }
+        if (source === 'gitlab') {
+            return signature === this.config.secret;
+        }
+        // Generic HMAC verification
+        const expected = createHmac('sha256', this.config.secret).update(body).digest('hex');
+        return signature === expected;
+    }
+    readBody(req) {
+        return new Promise((resolve, reject) => {
+            const chunks = [];
+            req.on('data', chunk => chunks.push(chunk));
+            req.on('end', () => resolve(Buffer.concat(chunks).toString()));
+            req.on('error', reject);
+        });
+    }
+    async start() {
+        return new Promise((resolve, reject) => {
+            this.server = createServer((req, res) => {
+                this.handleRequest(req, res).catch(() => {
+                    res.statusCode = 500;
+                    res.end(JSON.stringify({ error: 'Internal error' }));
+                });
+            });
+            this.server.on('error', reject);
+            this.server.listen(this.config.port, '0.0.0.0', () => {
+                console.log(`[Webhook] Server listening on port ${this.config.port}`);
+                resolve();
+            });
+        });
+    }
+    async stop() {
+        return new Promise((resolve) => {
+            if (this.server) {
+                this.server.close(() => resolve());
+            }
+            else {
+                resolve();
+            }
+        });
+    }
+}
+// Default handlers for common webhook types
+export const defaultHandlers = {
+    // GitHub Pull Request
+    'github:pull_request': async (event) => {
+        const pr = event.payload.pull_request;
+        const repo = event.payload.repository;
+        const action = event.payload.action;
+        if (!['opened', 'synchronize', 'reopened'].includes(action)) {
+            return null;
+        }
+        return {
+            change_event: {
+                id: `github-pr-${pr.number}`,
+                type: 'pull_request',
+                environment: pr.base?.ref === 'main' ? 'prod' : 'staging',
+                repo: repo.full_name,
+                commit: pr.head?.sha,
+                files_changed: [], // Would need separate API call
+                diff: '' // Would need separate API call
+            },
+            evidence_bundle: {},
+            policy_context: {
+                critical_assets: ['auth', 'billing', 'database', 'secrets'],
+                risk_tolerance: 'medium'
+            }
+        };
+    },
+    // GitHub Push
+    'github:push': async (event) => {
+        const repo = event.payload.repository;
+        const commits = event.payload.commits || [];
+        const ref = event.payload.ref;
+        const isProd = ref === 'refs/heads/main' || ref === 'refs/heads/master';
+        return {
+            change_event: {
+                id: `github-push-${event.payload.after}`,
+                type: isProd ? 'deploy' : 'pull_request',
+                environment: isProd ? 'prod' : 'dev',
+                repo: repo.full_name,
+                commit: event.payload.after,
+                files_changed: commits.flatMap(c => [
+                    ...(c.added || []),
+                    ...(c.modified || [])
+                ]),
+                diff: commits.map(c => c.message).join('\n')
+            },
+            evidence_bundle: {},
+            policy_context: {
+                critical_assets: ['auth', 'billing', 'database', 'secrets'],
+                risk_tolerance: isProd ? 'low' : 'medium'
+            }
+        };
+    },
+    // GitLab Merge Request
+    'gitlab:merge_request': async (event) => {
+        const mr = event.payload.object_attributes;
+        const project = event.payload.project;
+        if (!['open', 'reopen', 'update'].includes(mr.action)) {
+            return null;
+        }
+        return {
+            change_event: {
+                id: `gitlab-mr-${mr.iid}`,
+                type: 'pull_request',
+                environment: mr.target_branch === 'main' ? 'prod' : 'staging',
+                repo: project.path_with_namespace,
+                commit: mr.last_commit,
+                files_changed: [],
+                diff: ''
+            },
+            evidence_bundle: {},
+            policy_context: {
+                critical_assets: ['auth', 'billing', 'database', 'secrets'],
+                risk_tolerance: 'medium'
+            }
+        };
+    },
+    // Jenkins Build
+    'jenkins:build': async (event) => {
+        const build = event.payload.build || {};
+        const params = build.parameters || {};
+        const envVal = params.ENVIRONMENT;
+        const environment = (envVal === 'prod' || envVal === 'staging' || envVal === 'dev') ? envVal : 'staging';
+        return {
+            change_event: {
+                id: `jenkins-${build.number || Date.now()}`,
+                type: 'deploy',
+                environment,
+                repo: event.payload.name || 'unknown',
+                commit: build.scm?.commit || '',
+                files_changed: [],
+                diff: ''
+            },
+            evidence_bundle: {},
+            policy_context: {
+                critical_assets: ['auth', 'billing', 'database', 'secrets'],
+                risk_tolerance: 'medium'
+            }
+        };
+    }
+};

package/dist/orchestrator/index.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Aura Protocol - Parallel Orchestrator
+ *
+ * Orchestrates parallel execution of zones and manages data flow between them.
+ * This is the main entry point for running security scans using the Aura architecture.
+ */
+import { EventEmitter } from 'events';
+import { ZoneManager } from '../zones/manager.js';
+import { ZoneConfig, ZoneResult, ZoneFinding } from '../zones/types.js';
+import { Agent } from '../agents/types.js';
+export interface OrchestratorConfig {
+    targetPath: string;
+    zones?: string[];
+    runPolicyZone?: boolean;
+    customZones?: ZoneConfig[];
+}
+export interface OrchestratorResult {
+    success: boolean;
+    duration: number;
+    targetPath: string;
+    zoneResults: Map<string, ZoneResult>;
+    findings: ZoneFinding[];
+    summary: {
+        totalFindings: number;
+        byType: Record<string, number>;
+        bySeverity: Record<string, number>;
+        byZone: Record<string, number>;
+        agentsUsed: string[];
+    };
+}
+export declare class ParallelOrchestrator extends EventEmitter {
+    private manager;
+    private agents;
+    private initialized;
+    constructor(manager?: ZoneManager);
+    /**
+     * Initialize the orchestrator with all agents
+     */
+    initialize(): Promise<void>;
+    /**
+     * Run a full security scan using Aura Protocol
+     *
+     * Execution flow:
+     * 1. Scanner Zone - Run all scanners in parallel
+     * 2. Policy Zone - Evaluate and validate findings (sequential)
+     */
+    scan(config: OrchestratorConfig): Promise<OrchestratorResult>;
+    /**
+     * Run only the scanner zone (faster, no policy evaluation)
+     */
+    quickScan(targetPath: string): Promise<OrchestratorResult>;
+    /**
+     * Run a full scan with policy evaluation
+     */
+    fullScan(targetPath: string): Promise<OrchestratorResult>;
+    /**
+     * Get available agents
+     */
+    getAvailableAgents(): Promise<Agent[]>;
+    /**
+     * Get current state for visualization
+     */
+    getState(): ReturnType<ZoneManager['exportState']>;
+    /**
+     * Reset all zones
+     */
+    reset(): void;
+    private buildSummary;
+}
+export declare const orchestrator: ParallelOrchestrator;
+export * from '../zones/types.js';
+export * from '../zones/manager.js';