aura-security 0.4.0

package/dist/agents/scanners/trivy.js

@@ -0,0 +1,122 @@
+/**
+ * Aura Protocol - Trivy Agent
+ *
+ * Scans for vulnerabilities in dependencies and containers.
+ */
+import { BaseAgent } from '../base.js';
+const CONFIG = {
+    id: 'trivy',
+    name: 'Trivy',
+    role: 'scanner',
+    description: 'Scan for vulnerabilities in dependencies and containers',
+    enabled: true,
+    externalTool: 'trivy',
+};
+const CAPABILITIES = {
+    fileTypes: ['package.json', 'package-lock.json', 'requirements.txt', 'Gemfile', 'go.mod', 'Cargo.toml'],
+    languages: ['javascript', 'typescript', 'python', 'ruby', 'go', 'rust'],
+    requiresExternalTool: true,
+    supportsParallel: true,
+};
+export class TrivyAgent extends BaseAgent {
+    constructor() {
+        super(CONFIG, CAPABILITIES);
+    }
+    async execute(context) {
+        const startTime = Date.now();
+        this.status = 'running';
+        const findings = [];
+        try {
+            context.log('info', `Trivy scanning: ${context.targetPath}`);
+            // Run trivy filesystem scan
+            const { stdout, stderr, exitCode } = await this.executeCommand('trivy', [
+                'fs',
+                '--format',
+                'json',
+                '--scanners',
+                'vuln',
+                '--skip-dirs',
+                'node_modules,.git,dist,build',
+                context.targetPath,
+            ], { cwd: context.targetPath, timeout: 300000 });
+            if (stdout.trim()) {
+                try {
+                    const output = JSON.parse(stdout);
+                    if (output.Results) {
+                        for (const result of output.Results) {
+                            if (result.Vulnerabilities) {
+                                for (const vuln of result.Vulnerabilities) {
+                                    const finding = this.createFinding('trivy', {
+                                        type: 'vulnerability',
+                                        severity: this.mapSeverity(vuln.Severity),
+                                        title: `${vuln.PkgName}: ${vuln.VulnerabilityID}`,
+                                        description: vuln.Title || vuln.Description || `Vulnerability in ${vuln.PkgName}`,
+                                        file: result.Target,
+                                        metadata: {
+                                            vulnerabilityId: vuln.VulnerabilityID,
+                                            package: vuln.PkgName,
+                                            installedVersion: vuln.InstalledVersion,
+                                            fixedVersion: vuln.FixedVersion,
+                                            references: vuln.References?.slice(0, 3),
+                                            cvssScore: this.getCvssScore(vuln),
+                                        },
+                                    });
+                                    findings.push(finding);
+                                    context.addFinding(finding);
+                                }
+                            }
+                        }
+                    }
+                }
+                catch (parseError) {
+                    context.log('warn', `Failed to parse trivy output: ${parseError}`);
+                }
+            }
+            this.status = 'complete';
+            context.log('info', `Trivy found ${findings.length} vulnerabilities`);
+            return {
+                agentId: this.config.id,
+                agentName: this.config.name,
+                status: 'success',
+                findings,
+                duration: Date.now() - startTime,
+            };
+        }
+        catch (error) {
+            this.status = 'error';
+            const errorMsg = error instanceof Error ? error.message : String(error);
+            context.log('error', `Trivy error: ${errorMsg}`);
+            return {
+                agentId: this.config.id,
+                agentName: this.config.name,
+                status: 'error',
+                findings,
+                duration: Date.now() - startTime,
+                error: errorMsg,
+            };
+        }
+    }
+    mapSeverity(trivySeverity) {
+        switch (trivySeverity.toUpperCase()) {
+            case 'CRITICAL':
+                return 'critical';
+            case 'HIGH':
+                return 'high';
+            case 'MEDIUM':
+                return 'medium';
+            case 'LOW':
+                return 'low';
+            default:
+                return 'info';
+        }
+    }
+    getCvssScore(vuln) {
+        if (!vuln.CVSS)
+            return undefined;
+        for (const source of Object.values(vuln.CVSS)) {
+            if (source.V3Score)
+                return source.V3Score;
+        }
+        return undefined;
+    }
+}

package/dist/agents/types.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Aura Protocol - Agent Types
+ *
+ * Agents are specialized workers that execute within zones.
+ * Each agent has a specific role and can only operate within its assigned zone.
+ */
+import { ZoneContext, ZoneFinding, AgentResult } from '../zones/types.js';
+export { AgentResult } from '../zones/types.js';
+export type AgentRole = 'scanner' | 'policy' | 'validator' | 'reporter' | 'notifier';
+export type AgentStatus = 'idle' | 'running' | 'complete' | 'error' | 'disabled';
+export interface AgentConfig {
+    id: string;
+    name: string;
+    role: AgentRole;
+    description: string;
+    enabled: boolean;
+    externalTool?: string;
+    config?: Record<string, unknown>;
+}
+export interface AgentCapabilities {
+    fileTypes?: string[];
+    languages?: string[];
+    requiresExternalTool: boolean;
+    supportsParallel: boolean;
+}
+/**
+ * Base Agent Interface
+ *
+ * All agents must implement this interface.
+ */
+export interface Agent {
+    readonly config: AgentConfig;
+    readonly capabilities: AgentCapabilities;
+    /**
+     * Check if the agent is available (external tools installed, etc.)
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Execute the agent within a zone context
+     */
+    execute(context: ZoneContext): Promise<AgentResult>;
+    /**
+     * Get agent status
+     */
+    getStatus(): AgentStatus;
+}
+/**
+ * Scanner Agent Interface
+ *
+ * Agents that scan for secrets, vulnerabilities, etc.
+ */
+export interface ScannerAgent extends Agent {
+    readonly config: AgentConfig & {
+        role: 'scanner';
+    };
+    /**
+     * Run the scan and return findings
+     */
+    scan(targetPath: string, context: ZoneContext): Promise<ZoneFinding[]>;
+}
+/**
+ * Policy Agent Interface
+ *
+ * Agents that evaluate policies and context
+ */
+export interface PolicyAgent extends Agent {
+    readonly config: AgentConfig & {
+        role: 'policy';
+    };
+    /**
+     * Evaluate findings against policies
+     */
+    evaluate(findings: ZoneFinding[], context: ZoneContext): Promise<{
+        filtered: ZoneFinding[];
+        falsePositives: ZoneFinding[];
+        escalated: ZoneFinding[];
+    }>;
+}
+/**
+ * Validator Agent Interface
+ *
+ * Agents that validate and deduplicate findings
+ */
+export interface IValidatorAgent extends Agent {
+    readonly config: AgentConfig & {
+        role: 'validator';
+    };
+    /**
+     * Validate findings and remove false positives
+     */
+    validate(findings: ZoneFinding[], context: ZoneContext): Promise<ZoneFinding[]>;
+}
+/**
+ * Reporter Agent Interface
+ *
+ * Agents that generate reports
+ */
+export interface ReporterAgent extends Agent {
+    readonly config: AgentConfig & {
+        role: 'reporter';
+    };
+    /**
+     * Generate a report from findings
+     */
+    generateReport(findings: ZoneFinding[], format: 'sarif' | 'json' | 'html' | 'markdown', context: ZoneContext): Promise<string>;
+}
+/**
+ * Notifier Agent Interface
+ *
+ * Agents that send notifications
+ */
+export interface NotifierAgent extends Agent {
+    readonly config: AgentConfig & {
+        role: 'notifier';
+    };
+    /**
+     * Send notification about findings
+     */
+    notify(findings: ZoneFinding[], channel: string, context: ZoneContext): Promise<boolean>;
+}
+/**
+ * Agent Registry
+ *
+ * Stores all available agents
+ */
+export interface AgentRegistry {
+    register(agent: Agent): void;
+    unregister(agentId: string): void;
+    get(agentId: string): Agent | undefined;
+    getAll(): Agent[];
+    getByRole(role: AgentRole): Agent[];
+    getAvailable(): Promise<Agent[]>;
+}
+/**
+ * Default agent configurations
+ */
+export declare const DEFAULT_AGENTS: AgentConfig[];

package/dist/agents/types.js

@@ -0,0 +1,91 @@
+/**
+ * Aura Protocol - Agent Types
+ *
+ * Agents are specialized workers that execute within zones.
+ * Each agent has a specific role and can only operate within its assigned zone.
+ */
+/**
+ * Default agent configurations
+ */
+export const DEFAULT_AGENTS = [
+    // Scanner agents
+    {
+        id: 'gitleaks',
+        name: 'Gitleaks',
+        role: 'scanner',
+        description: 'Detect secrets and API keys in code',
+        enabled: true,
+        externalTool: 'gitleaks',
+    },
+    {
+        id: 'trivy',
+        name: 'Trivy',
+        role: 'scanner',
+        description: 'Scan for vulnerabilities in dependencies and containers',
+        enabled: true,
+        externalTool: 'trivy',
+    },
+    {
+        id: 'semgrep',
+        name: 'Semgrep',
+        role: 'scanner',
+        description: 'Static analysis for security patterns',
+        enabled: true,
+        externalTool: 'semgrep',
+    },
+    {
+        id: 'grype',
+        name: 'Grype',
+        role: 'scanner',
+        description: 'Vulnerability scanner for container images and filesystems',
+        enabled: true,
+        externalTool: 'grype',
+    },
+    {
+        id: 'npm-audit',
+        name: 'NPM Audit',
+        role: 'scanner',
+        description: 'Audit npm packages for vulnerabilities',
+        enabled: true,
+        externalTool: 'npm',
+    },
+    // Policy agents
+    {
+        id: 'policy-evaluator',
+        name: 'Policy Evaluator',
+        role: 'policy',
+        description: 'Evaluate findings against security policies',
+        enabled: true,
+    },
+    // Validator agents
+    {
+        id: 'validator',
+        name: 'Finding Validator',
+        role: 'validator',
+        description: 'Validate and deduplicate findings, remove false positives',
+        enabled: true,
+    },
+    // Reporter agents
+    {
+        id: 'sarif-reporter',
+        name: 'SARIF Reporter',
+        role: 'reporter',
+        description: 'Generate SARIF format reports',
+        enabled: true,
+    },
+    // Notifier agents
+    {
+        id: 'slack-notifier',
+        name: 'Slack Notifier',
+        role: 'notifier',
+        description: 'Send notifications to Slack',
+        enabled: true,
+    },
+    {
+        id: 'discord-notifier',
+        name: 'Discord Notifier',
+        role: 'notifier',
+        description: 'Send notifications to Discord',
+        enabled: true,
+    },
+];

package/dist/auditor/index.d.ts

@@ -0,0 +1,3 @@
+export { AuditorPipeline } from './pipeline.js';
+export type { PipelineConfig } from './pipeline.js';
+export { SchemaValidator, ValidationError } from './validator.js';

package/dist/auditor/index.js

@@ -0,0 +1,2 @@
+export { AuditorPipeline } from './pipeline.js';
+export { SchemaValidator, ValidationError } from './validator.js';

package/dist/auditor/pipeline.d.ts

@@ -0,0 +1,19 @@
+import type { AuditorOutput } from '../types/events.js';
+import { AuraClient } from '../aura/client.js';
+export interface PipelineConfig {
+    auraClient: AuraClient;
+    strictMode?: boolean;
+}
+export declare class AuditorPipeline {
+    private validator;
+    private client;
+    private strictMode;
+    constructor(config: PipelineConfig);
+    analyze(rawInput: unknown): Promise<AuditorOutput>;
+    private runAnalysisRules;
+    private findCriticalAssetChanges;
+    private detectSecretPatterns;
+    private parseVulnScan;
+    private getSeverityForRisk;
+    private createEvent;
+}

package/dist/auditor/pipeline.js

@@ -0,0 +1,240 @@
+// Auditor Pipeline - Rule-based security analysis with fail-closed behavior
+import { SchemaValidator } from './validator.js';
+import { AuraConnectionError } from '../aura/client.js';
+const AGENT_ID = 'exploit-reviewer';
+export class AuditorPipeline {
+    validator;
+    client;
+    strictMode;
+    constructor(config) {
+        this.validator = new SchemaValidator();
+        this.client = config.auraClient;
+        this.strictMode = config.strictMode ?? true;
+    }
+    // Main entry point - fail-closed on any error
+    async analyze(rawInput) {
+        // Fail-closed: must be connected to Aura
+        if (!this.client.connected) {
+            throw new AuraConnectionError('No Aura connection - blocking execution');
+        }
+        // Fail-closed: validate input
+        this.validator.assertValidInput(rawInput);
+        const input = rawInput;
+        // Start analysis
+        const events = [];
+        const assumptions = [];
+        const uncertainties = [];
+        // Emit analysis_started
+        events.push(this.createEvent('analysis_started', 'self', {
+            severity: 'low',
+            claim: `Analyzing ${input.change_event.type} in ${input.change_event.environment}`,
+            attack_path: ['Initiated audit pipeline'],
+            affected_assets: [],
+            evidence_refs: [{ type: 'diff', pointer: input.change_event.id }],
+            assurance_break: [],
+            confidence: 1.0
+        }));
+        // Run analysis rules
+        const findings = this.runAnalysisRules(input, assumptions, uncertainties);
+        events.push(...findings);
+        // Determine final state
+        const hasCritical = findings.some(e => e.payload.severity === 'critical');
+        const hasHigh = findings.some(e => e.payload.severity === 'high');
+        const hasConflict = findings.some(e => e.event_type === 'conflict_detected');
+        let agentState = 'idle';
+        if (hasCritical) {
+            agentState = 'blocked';
+        }
+        else if (hasConflict) {
+            agentState = 'conflict';
+        }
+        else if (hasHigh) {
+            agentState = 'escalated';
+        }
+        else if (findings.length > 0) {
+            agentState = 'analyzing';
+        }
+        const output = {
+            agent_id: AGENT_ID,
+            agent_state: agentState,
+            events,
+            meta: { assumptions, uncertainties }
+        };
+        // Fail-closed: validate output
+        this.validator.assertValidOutput(output);
+        // Publish to Aura memory (audit log)
+        await this.client.publishToMemory({
+            key: `audit:${input.change_event.id}:${Date.now()}`,
+            value: output,
+            metadata: {
+                commit: input.change_event.commit,
+                repo: input.change_event.repo,
+                environment: input.change_event.environment
+            }
+        });
+        return output;
+    }
+    runAnalysisRules(input, assumptions, uncertainties) {
+        const findings = [];
+        const { change_event, evidence_bundle, policy_context } = input;
+        // Rule: Critical asset modification
+        const criticalFiles = this.findCriticalAssetChanges(change_event.files_changed, policy_context.critical_assets);
+        if (criticalFiles.length > 0) {
+            findings.push(this.createEvent('finding_raised', 'self', {
+                severity: this.getSeverityForRisk(policy_context.risk_tolerance, 'high'),
+                claim: 'Critical asset files modified without explicit approval chain',
+                attack_path: [
+                    'Attacker gains commit access',
+                    'Modifies critical asset configuration',
+                    'Changes bypass standard review due to file location'
+                ],
+                affected_assets: criticalFiles,
+                evidence_refs: criticalFiles.map(f => ({ type: 'diff', pointer: f })),
+                assurance_break: ['integrity', 'access_control'],
+                confidence: 0.85
+            }));
+        }
+        // Rule: Production deployment without staging
+        if (change_event.environment === 'prod' && change_event.type === 'deploy') {
+            assumptions.push('Assumes staging validation is required before prod');
+            findings.push(this.createEvent('finding_raised', 'self', {
+                severity: this.getSeverityForRisk(policy_context.risk_tolerance, 'medium'),
+                claim: 'Direct production deployment detected',
+                attack_path: [
+                    'Change bypasses staging environment',
+                    'Untested code reaches production',
+                    'Runtime errors expose attack surface'
+                ],
+                affected_assets: ['production-environment'],
+                evidence_refs: [{ type: 'diff', pointer: change_event.commit }],
+                assurance_break: ['isolation'],
+                confidence: 0.7
+            }));
+        }
+        // Rule: Check for secrets in diff
+        const secretPatterns = this.detectSecretPatterns(change_event.diff);
+        if (secretPatterns.length > 0) {
+            findings.push(this.createEvent('escalation_triggered', 'self', {
+                severity: 'critical',
+                claim: 'Potential secrets or credentials detected in diff',
+                attack_path: [
+                    'Credentials committed to repository',
+                    'Secrets exposed in version history',
+                    'Attacker extracts credentials from git history'
+                ],
+                affected_assets: secretPatterns.map(p => p.file),
+                evidence_refs: secretPatterns.map(p => ({ type: 'diff', pointer: p.line })),
+                assurance_break: ['integrity', 'access_control'],
+                confidence: 0.95
+            }));
+        }
+        // Rule: Vulnerability scan findings
+        if (evidence_bundle.vuln_scan) {
+            const vulnFindings = this.parseVulnScan(evidence_bundle.vuln_scan);
+            if (vulnFindings.critical > 0 || vulnFindings.high > 0) {
+                findings.push(this.createEvent('finding_raised', 'self', {
+                    severity: vulnFindings.critical > 0 ? 'critical' : 'high',
+                    claim: `Vulnerability scan detected ${vulnFindings.critical} critical and ${vulnFindings.high} high severity issues`,
+                    attack_path: [
+                        'Known vulnerability present in dependencies',
+                        'Attacker identifies CVE in deployed version',
+                        'Exploit executed against vulnerable component'
+                    ],
+                    affected_assets: ['dependencies'],
+                    evidence_refs: [{ type: 'scan', pointer: 'vuln_scan' }],
+                    assurance_break: ['integrity'],
+                    confidence: 0.9
+                }));
+            }
+        }
+        // Rule: Infrastructure changes
+        if (change_event.type === 'infra_change') {
+            uncertainties.push('Infrastructure change impact depends on cloud provider specifics');
+            findings.push(this.createEvent('finding_raised', 'self', {
+                severity: this.getSeverityForRisk(policy_context.risk_tolerance, 'medium'),
+                claim: 'Infrastructure modification requires manual review',
+                attack_path: [
+                    'IaC change modifies security boundaries',
+                    'Misconfiguration exposes internal services',
+                    'Attacker gains network access to protected resources'
+                ],
+                affected_assets: ['infrastructure'],
+                evidence_refs: change_event.files_changed.map(f => ({ type: 'diff', pointer: f })),
+                assurance_break: ['isolation', 'access_control'],
+                confidence: 0.6
+            }));
+        }
+        return findings;
+    }
+    findCriticalAssetChanges(files, criticalAssets) {
+        const matches = [];
+        for (const file of files) {
+            const fileLower = file.toLowerCase();
+            for (const asset of criticalAssets) {
+                if (fileLower.includes(asset.toLowerCase())) {
+                    matches.push(file);
+                    break;
+                }
+            }
+        }
+        return matches;
+    }
+    detectSecretPatterns(diff) {
+        const patterns = [
+            /api[_-]?key\s*[=:]\s*['"][^'"]+['"]/gi,
+            /secret\s*[=:]\s*['"][^'"]+['"]/gi,
+            /password\s*[=:]\s*['"][^'"]+['"]/gi,
+            /bearer\s+[a-z0-9_-]+/gi,
+            /-----BEGIN\s+(RSA|EC|OPENSSH)\s+PRIVATE\s+KEY-----/g,
+            /aws[_-]?secret[_-]?access[_-]?key/gi
+        ];
+        const findings = [];
+        const lines = diff.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (line.startsWith('+')) {
+                for (const pattern of patterns) {
+                    if (pattern.test(line)) {
+                        findings.push({ file: 'diff', line: `line:${i + 1}` });
+                        break;
+                    }
+                }
+            }
+        }
+        return findings;
+    }
+    parseVulnScan(scan) {
+        // Simple parser - in production would parse actual scanner output
+        const criticalMatch = scan.match(/critical[:\s]+(\d+)/i);
+        const highMatch = scan.match(/high[:\s]+(\d+)/i);
+        return {
+            critical: criticalMatch ? parseInt(criticalMatch[1], 10) : 0,
+            high: highMatch ? parseInt(highMatch[1], 10) : 0
+        };
+    }
+    getSeverityForRisk(tolerance, baseSeverity) {
+        if (tolerance === 'low') {
+            if (baseSeverity === 'low')
+                return 'medium';
+            if (baseSeverity === 'medium')
+                return 'high';
+            return 'critical';
+        }
+        if (tolerance === 'high') {
+            if (baseSeverity === 'high')
+                return 'medium';
+            if (baseSeverity === 'medium')
+                return 'low';
+            return 'low';
+        }
+        return baseSeverity;
+    }
+    createEvent(eventType, target, payload) {
+        return {
+            event_type: eventType,
+            target,
+            payload,
+            timestamp: new Date().toISOString()
+        };
+    }
+}

package/dist/auditor/validator.d.ts

@@ -0,0 +1,17 @@
+import type { AuditorInput, AuditorOutput } from '../types/events.js';
+export declare class ValidationError extends Error {
+    readonly errors: unknown[];
+    constructor(message: string, errors: unknown[]);
+}
+export declare class SchemaValidator {
+    private ajv;
+    private validateInput;
+    private validateOutput;
+    constructor();
+    assertValidInput(data: unknown): asserts data is AuditorInput;
+    assertValidOutput(data: unknown): asserts data is AuditorOutput;
+    isValidInput(data: unknown): data is AuditorInput;
+    isValidOutput(data: unknown): data is AuditorOutput;
+    getInputErrors(data: unknown): unknown[];
+    getOutputErrors(data: unknown): unknown[];
+}