aura-security 0.4.0

package/dist/client/index.d.ts

@@ -0,0 +1,41 @@
+import type { AuditorInput, AuditorOutput, ChangeEvent, EvidenceBundle, PolicyContext } from '../types/events.js';
+export interface AuditClientConfig {
+    serverUrl?: string;
+    apiKey?: string;
+    timeout?: number;
+    retries?: number;
+}
+export interface AuditRequest {
+    changeEvent: ChangeEvent;
+    evidenceBundle?: Partial<EvidenceBundle>;
+    policyContext?: Partial<PolicyContext>;
+}
+export interface AuditResult {
+    success: boolean;
+    output?: AuditorOutput;
+    error?: string;
+    duration: number;
+}
+export interface ServerInfo {
+    name: string;
+    version: string;
+    endpoints: string[];
+    tools: string[];
+}
+export declare class AuditClient {
+    private config;
+    constructor(config?: AuditClientConfig);
+    private headers;
+    private fetchWithRetry;
+    private delay;
+    getServerInfo(): Promise<ServerInfo>;
+    isHealthy(): Promise<boolean>;
+    audit(request: AuditRequest): Promise<AuditResult>;
+    getAuditLogs(): Promise<string[]>;
+    getAuditEntry(key: string): Promise<AuditorOutput | null>;
+    watchAudits(pollInterval?: number): AsyncGenerator<AuditorOutput>;
+}
+export declare function createPullRequestEvent(repo: string, commit: string, filesChanged: string[], diff: string, environment?: 'dev' | 'staging' | 'prod'): ChangeEvent;
+export declare function createDeployEvent(repo: string, commit: string, environment: 'dev' | 'staging' | 'prod'): ChangeEvent;
+export declare function createInfraChangeEvent(repo: string, commit: string, filesChanged: string[], diff: string): ChangeEvent;
+export { AuditorInput, AuditorOutput, ChangeEvent, EvidenceBundle, PolicyContext };

package/dist/client/index.js

@@ -0,0 +1,170 @@
+// Aura Client SDK - High-level API for interacting with the auditor
+// Provides typed methods, automatic retries, and event streaming
+export class AuditClient {
+    config;
+    constructor(config = {}) {
+        this.config = {
+            serverUrl: config.serverUrl ?? 'http://127.0.0.1:3000',
+            apiKey: config.apiKey ?? '',
+            timeout: config.timeout ?? 30000,
+            retries: config.retries ?? 3
+        };
+    }
+    headers() {
+        const h = {
+            'Content-Type': 'application/json'
+        };
+        if (this.config.apiKey) {
+            h['Authorization'] = `Bearer ${this.config.apiKey}`;
+        }
+        return h;
+    }
+    async fetchWithRetry(url, options, retries = this.config.retries) {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
+        try {
+            const res = await fetch(url, {
+                ...options,
+                signal: controller.signal
+            });
+            clearTimeout(timeoutId);
+            if (!res.ok) {
+                throw new Error(`HTTP ${res.status}: ${res.statusText}`);
+            }
+            return await res.json();
+        }
+        catch (err) {
+            clearTimeout(timeoutId);
+            if (retries > 0 && !(err instanceof DOMException && err.name === 'AbortError')) {
+                await this.delay(1000);
+                return this.fetchWithRetry(url, options, retries - 1);
+            }
+            throw err;
+        }
+    }
+    delay(ms) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+    async getServerInfo() {
+        return this.fetchWithRetry(`${this.config.serverUrl}/info`, { method: 'GET', headers: this.headers() });
+    }
+    async isHealthy() {
+        try {
+            await this.getServerInfo();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async audit(request) {
+        const startTime = Date.now();
+        const input = {
+            change_event: request.changeEvent,
+            evidence_bundle: {
+                sbom: request.evidenceBundle?.sbom,
+                vuln_scan: request.evidenceBundle?.vuln_scan,
+                sast_results: request.evidenceBundle?.sast_results,
+                iac_scan: request.evidenceBundle?.iac_scan,
+                provenance: request.evidenceBundle?.provenance,
+                runtime_delta: request.evidenceBundle?.runtime_delta
+            },
+            policy_context: {
+                critical_assets: request.policyContext?.critical_assets ?? ['auth', 'billing', 'phi', 'infra'],
+                risk_tolerance: request.policyContext?.risk_tolerance ?? 'medium'
+            }
+        };
+        try {
+            const response = await this.fetchWithRetry(`${this.config.serverUrl}/tools`, {
+                method: 'POST',
+                headers: this.headers(),
+                body: JSON.stringify({ tool: 'audit', arguments: input })
+            });
+            return {
+                success: true,
+                output: response.result,
+                duration: Date.now() - startTime
+            };
+        }
+        catch (err) {
+            return {
+                success: false,
+                error: err instanceof Error ? err.message : String(err),
+                duration: Date.now() - startTime
+            };
+        }
+    }
+    async getAuditLogs() {
+        const response = await this.fetchWithRetry(`${this.config.serverUrl}/memory`, { method: 'GET', headers: this.headers() });
+        return response.keys;
+    }
+    async getAuditEntry(key) {
+        try {
+            const response = await this.fetchWithRetry(`${this.config.serverUrl}/memory?key=${encodeURIComponent(key)}`, { method: 'GET', headers: this.headers() });
+            return response.value;
+        }
+        catch {
+            return null;
+        }
+    }
+    // Stream audit logs in real-time
+    async *watchAudits(pollInterval = 2000) {
+        let lastCount = 0;
+        const seenKeys = new Set();
+        while (true) {
+            try {
+                const keys = await this.getAuditLogs();
+                if (keys.length > lastCount) {
+                    for (const key of keys) {
+                        if (!seenKeys.has(key)) {
+                            seenKeys.add(key);
+                            const entry = await this.getAuditEntry(key);
+                            if (entry) {
+                                yield entry;
+                            }
+                        }
+                    }
+                    lastCount = keys.length;
+                }
+            }
+            catch {
+                // Ignore errors in watch mode
+            }
+            await this.delay(pollInterval);
+        }
+    }
+}
+// Helper functions for building audit requests
+export function createPullRequestEvent(repo, commit, filesChanged, diff, environment = 'dev') {
+    return {
+        id: `pr-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        type: 'pull_request',
+        environment,
+        repo,
+        commit,
+        files_changed: filesChanged,
+        diff
+    };
+}
+export function createDeployEvent(repo, commit, environment) {
+    return {
+        id: `deploy-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        type: 'deploy',
+        environment,
+        repo,
+        commit,
+        files_changed: [],
+        diff: ''
+    };
+}
+export function createInfraChangeEvent(repo, commit, filesChanged, diff) {
+    return {
+        id: `infra-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        type: 'infra_change',
+        environment: 'prod',
+        repo,
+        commit,
+        files_changed: filesChanged,
+        diff
+    };
+}

package/dist/compliance/index.d.ts

@@ -0,0 +1,40 @@
+export interface LicenseInfo {
+    package: string;
+    version: string;
+    license: string;
+    licenseFile?: string;
+    repository?: string;
+}
+export interface LicensePolicy {
+    name: string;
+    description: string;
+    allowed: string[];
+    denied: string[];
+    unknown: 'allow' | 'warn' | 'deny';
+}
+export interface LicenseViolation {
+    package: string;
+    version: string;
+    license: string;
+    violation: string;
+    severity: 'high' | 'medium' | 'low';
+}
+export interface LicenseCheckResult {
+    policy: string;
+    licenses: LicenseInfo[];
+    violations: LicenseViolation[];
+    summary: {
+        total: number;
+        compliant: number;
+        violations: number;
+        unknown: number;
+    };
+}
+export declare const POLICIES: Record<string, LicensePolicy>;
+export interface LicenseCheckOptions {
+    policy?: string | LicensePolicy;
+    allowedLicenses?: string[];
+    deniedLicenses?: string[];
+}
+export declare function checkLicenses(targetPath: string, options?: LicenseCheckOptions): LicenseCheckResult;
+export declare const POLICY_NAMES: string[];

package/dist/compliance/index.js

@@ -0,0 +1,292 @@
+// License Compliance Checker
+// Checks dependencies for license compliance with configurable policies
+import { spawnSync } from 'child_process';
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+// ============ Built-in Policies ============
+export const POLICIES = {
+    permissive: {
+        name: 'Permissive',
+        description: 'Only allow permissive open source licenses',
+        allowed: [
+            'MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0',
+            'Unlicense', '0BSD', 'CC0-1.0', 'WTFPL', 'Zlib', 'BlueOak-1.0.0'
+        ],
+        denied: [
+            'GPL-2.0', 'GPL-3.0', 'AGPL-3.0', 'LGPL-2.1', 'LGPL-3.0',
+            'GPL-2.0-only', 'GPL-3.0-only', 'AGPL-3.0-only',
+            'GPL-2.0-or-later', 'GPL-3.0-or-later', 'AGPL-3.0-or-later'
+        ],
+        unknown: 'warn'
+    },
+    strict: {
+        name: 'Strict',
+        description: 'Strict policy - only well-known permissive licenses',
+        allowed: ['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0'],
+        denied: [
+            'GPL-2.0', 'GPL-3.0', 'AGPL-3.0', 'LGPL-2.1', 'LGPL-3.0',
+            'GPL-2.0-only', 'GPL-3.0-only', 'AGPL-3.0-only',
+            'SSPL-1.0', 'BSL-1.1', 'Elastic-2.0'
+        ],
+        unknown: 'deny'
+    },
+    copyleft: {
+        name: 'Copyleft Allowed',
+        description: 'Allow copyleft licenses (for open source projects)',
+        allowed: [
+            'MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0',
+            'GPL-2.0', 'GPL-3.0', 'LGPL-2.1', 'LGPL-3.0', 'MPL-2.0',
+            'GPL-2.0-only', 'GPL-3.0-only', 'LGPL-2.1-only', 'LGPL-3.0-only'
+        ],
+        denied: ['AGPL-3.0', 'AGPL-3.0-only', 'SSPL-1.0'],
+        unknown: 'warn'
+    }
+};
+// ============ License Detection ============
+function isToolAvailable(tool) {
+    try {
+        const result = spawnSync(tool, ['--version'], { encoding: 'utf-8', timeout: 5000 });
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+// Run license-checker for Node.js projects
+function runLicenseChecker(targetPath) {
+    const licenses = [];
+    if (!existsSync(join(targetPath, 'package.json'))) {
+        return licenses;
+    }
+    // Try license-checker (npm package)
+    if (isToolAvailable('npx')) {
+        try {
+            const result = spawnSync('npx', ['license-checker', '--json', '--production'], {
+                cwd: targetPath,
+                encoding: 'utf-8',
+                timeout: 60000,
+                maxBuffer: 10 * 1024 * 1024
+            });
+            if (result.stdout) {
+                try {
+                    const data = JSON.parse(result.stdout);
+                    for (const [pkgKey, info] of Object.entries(data)) {
+                        const match = pkgKey.match(/^(.+)@([^@]+)$/);
+                        if (match) {
+                            licenses.push({
+                                package: match[1],
+                                version: match[2],
+                                license: info.licenses || 'UNKNOWN',
+                                repository: info.repository,
+                                licenseFile: info.licenseFile
+                            });
+                        }
+                    }
+                }
+                catch { }
+            }
+        }
+        catch { }
+    }
+    // Fallback: read from package-lock.json
+    if (licenses.length === 0) {
+        const lockPath = join(targetPath, 'package-lock.json');
+        if (existsSync(lockPath)) {
+            try {
+                const lock = JSON.parse(readFileSync(lockPath, 'utf-8'));
+                const packages = lock.packages || {};
+                for (const [path, info] of Object.entries(packages)) {
+                    if (path === '' || !path.includes('node_modules/'))
+                        continue;
+                    const pkgInfo = info;
+                    const name = path.replace(/^node_modules\//, '').replace(/.*node_modules\//, '');
+                    if (name && pkgInfo.version) {
+                        licenses.push({
+                            package: name,
+                            version: pkgInfo.version,
+                            license: pkgInfo.license || 'UNKNOWN'
+                        });
+                    }
+                }
+            }
+            catch { }
+        }
+    }
+    return licenses;
+}
+// Run pip-licenses for Python projects
+function runPipLicenses(targetPath) {
+    const licenses = [];
+    if (!existsSync(join(targetPath, 'requirements.txt')) &&
+        !existsSync(join(targetPath, 'pyproject.toml'))) {
+        return licenses;
+    }
+    if (isToolAvailable('pip-licenses')) {
+        try {
+            const result = spawnSync('pip-licenses', ['--format=json'], {
+                cwd: targetPath,
+                encoding: 'utf-8',
+                timeout: 60000
+            });
+            if (result.stdout) {
+                try {
+                    const data = JSON.parse(result.stdout);
+                    for (const pkg of data) {
+                        licenses.push({
+                            package: pkg.Name,
+                            version: pkg.Version,
+                            license: pkg.License || 'UNKNOWN'
+                        });
+                    }
+                }
+                catch { }
+            }
+        }
+        catch { }
+    }
+    return licenses;
+}
+// Normalize license identifier to SPDX format
+function normalizeLicense(license) {
+    const normalized = license.trim().toUpperCase();
+    // Common mappings
+    const mappings = {
+        'MIT LICENSE': 'MIT',
+        'APACHE LICENSE 2.0': 'Apache-2.0',
+        'APACHE-2.0': 'Apache-2.0',
+        'APACHE 2.0': 'Apache-2.0',
+        'BSD': 'BSD-3-Clause',
+        'BSD LICENSE': 'BSD-3-Clause',
+        'BSD-2': 'BSD-2-Clause',
+        'BSD-3': 'BSD-3-Clause',
+        'ISC LICENSE': 'ISC',
+        'GPL': 'GPL-3.0',
+        'GPL V2': 'GPL-2.0',
+        'GPL V3': 'GPL-3.0',
+        'LGPL': 'LGPL-3.0',
+        'MPL': 'MPL-2.0',
+        'UNLICENSED': 'UNLICENSED',
+        'UNKNOWN': 'UNKNOWN',
+        '(MIT OR APACHE-2.0)': 'MIT', // Take first option for OR
+        'MIT AND CC-BY-3.0': 'MIT' // Take first option for AND
+    };
+    return mappings[normalized] || license;
+}
+// Check if a license matches the policy
+function checkLicense(license, policy) {
+    const normalized = normalizeLicense(license);
+    // Check denied list first
+    for (const denied of policy.denied) {
+        if (normalized.includes(denied.toUpperCase()) || denied.toUpperCase().includes(normalized)) {
+            return {
+                compliant: false,
+                reason: `License "${license}" is explicitly denied`,
+                severity: 'high'
+            };
+        }
+    }
+    // Check allowed list
+    for (const allowed of policy.allowed) {
+        if (normalized.includes(allowed.toUpperCase()) || allowed.toUpperCase().includes(normalized)) {
+            return { compliant: true };
+        }
+    }
+    // Handle unknown licenses
+    if (normalized === 'UNKNOWN' || normalized === 'UNLICENSED') {
+        switch (policy.unknown) {
+            case 'allow':
+                return { compliant: true };
+            case 'deny':
+                return {
+                    compliant: false,
+                    reason: `Unknown license not allowed by policy`,
+                    severity: 'high'
+                };
+            case 'warn':
+            default:
+                return {
+                    compliant: false,
+                    reason: `Unknown license requires manual review`,
+                    severity: 'low'
+                };
+        }
+    }
+    // License not in allowed list
+    switch (policy.unknown) {
+        case 'allow':
+            return { compliant: true };
+        case 'deny':
+            return {
+                compliant: false,
+                reason: `License "${license}" is not in the allowed list`,
+                severity: 'medium'
+            };
+        case 'warn':
+        default:
+            return {
+                compliant: false,
+                reason: `License "${license}" requires review (not in allowed list)`,
+                severity: 'low'
+            };
+    }
+}
+export function checkLicenses(targetPath, options = {}) {
+    // Determine policy
+    let policy;
+    if (typeof options.policy === 'string') {
+        policy = POLICIES[options.policy] || POLICIES.permissive;
+    }
+    else if (options.policy) {
+        policy = options.policy;
+    }
+    else {
+        policy = { ...POLICIES.permissive };
+    }
+    // Apply custom allowed/denied overrides
+    if (options.allowedLicenses) {
+        policy = { ...policy, allowed: [...policy.allowed, ...options.allowedLicenses] };
+    }
+    if (options.deniedLicenses) {
+        policy = { ...policy, denied: [...policy.denied, ...options.deniedLicenses] };
+    }
+    // Collect licenses from all sources
+    const licenses = [
+        ...runLicenseChecker(targetPath),
+        ...runPipLicenses(targetPath)
+    ];
+    // Check each license
+    const violations = [];
+    let compliant = 0;
+    let unknown = 0;
+    for (const info of licenses) {
+        const result = checkLicense(info.license, policy);
+        if (result.compliant) {
+            compliant++;
+        }
+        else {
+            if (info.license === 'UNKNOWN') {
+                unknown++;
+            }
+            violations.push({
+                package: info.package,
+                version: info.version,
+                license: info.license,
+                violation: result.reason || 'License not compliant',
+                severity: result.severity || 'medium'
+            });
+        }
+    }
+    return {
+        policy: policy.name,
+        licenses,
+        violations,
+        summary: {
+            total: licenses.length,
+            compliant,
+            violations: violations.length,
+            unknown
+        }
+    };
+}
+// Export policy names for CLI
+export const POLICY_NAMES = Object.keys(POLICIES);

package/dist/database/index.d.ts

@@ -0,0 +1,77 @@
+/**
+ * SQLite Database for aurasecurity
+ *
+ * Provides persistent storage for:
+ * - Audit history
+ * - Configuration settings
+ * - Scan results
+ * - Notification history
+ */
+import type { AuditorOutput } from '../types/events.js';
+import type { LocalScanResult } from '../integrations/local-scanner.js';
+import type { AWSScanResult } from '../integrations/aws-scanner.js';
+export interface AuditRecord {
+    id: string;
+    type: 'code' | 'aws' | 'audit';
+    timestamp: string;
+    target: string;
+    summary: {
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+    };
+    data: string;
+}
+export interface SettingsRecord {
+    key: string;
+    value: string;
+    updated_at: string;
+}
+export interface NotificationRecord {
+    id: number;
+    type: 'slack' | 'discord' | 'webhook';
+    audit_id: string;
+    status: 'sent' | 'failed' | 'pending';
+    message: string;
+    timestamp: string;
+    error?: string;
+}
+export declare class AuditorDatabase {
+    private db;
+    private dbPath;
+    constructor(dbPath?: string);
+    private initTables;
+    saveAudit(type: 'code' | 'aws' | 'audit', target: string, result: LocalScanResult | AWSScanResult | AuditorOutput): string;
+    getAudit(id: string): AuditRecord | null;
+    getAudits(limit?: number, offset?: number, type?: string): AuditRecord[];
+    getAuditCount(type?: string): number;
+    deleteAudit(id: string): boolean;
+    getSetting(key: string): string | null;
+    getSettings(prefix?: string): Record<string, string>;
+    getAllSettings(): Record<string, string>;
+    setSetting(key: string, value: string): void;
+    setSettings(settings: Record<string, string>): void;
+    saveNotification(type: 'slack' | 'discord' | 'webhook', auditId: string, status: 'sent' | 'failed' | 'pending', message: string, error?: string): number;
+    recordNotification(auditId: string, channels: string, success: boolean, error?: string): void;
+    getNotifications(auditId?: string, limit?: number): NotificationRecord[];
+    getStats(): {
+        totalAudits: number;
+        byType: Record<string, number>;
+        byDay: Array<{
+            date: string;
+            count: number;
+        }>;
+        severityCounts: {
+            critical: number;
+            high: number;
+            medium: number;
+            low: number;
+        };
+    };
+    close(): void;
+    vacuum(): void;
+    deleteOldAudits(daysToKeep?: number): number;
+}
+export declare function getDatabase(dbPath?: string): AuditorDatabase;
+export declare function closeDatabase(): void;