avorelo 0.1.0 → 0.3.0

package/scripts/lib/security-risk-classifier.js

@@ -1,511 +0,0 @@
-"use strict";
-
-const path = require("path");
-const { URL } = require("url");
-const { scanInstructionRisk, sanitizeInstructionLikeContent } = require("./agent-security/instruction-risk");
-
-const RISK_LEVELS = Object.freeze(["low", "medium", "high", "critical"]);
-const RISK_ORDER = Object.freeze({
-  low: 1,
-  medium: 2,
-  high: 3,
-  critical: 4,
-});
-
-const SENSITIVE_PATH_PATTERNS = Object.freeze([
-  { pattern: /(^|[\\/])\.env(\.[A-Za-z0-9._-]+)?$/i, reason: "SENSITIVE_ENV_FILE", risk: "critical" },
-  { pattern: /(^|[\\/])(secrets?|credentials?|private[_ -]?keys?|\.ssh|tokens?)([\\/]|$)/i, reason: "SECRET_LIKE_TARGET", risk: "critical" },
-  { pattern: /(auth|oauth|sso|billing|payment|stripe|checkout|subscription|invoice)/i, reason: "AUTH_OR_BILLING_SCOPE", risk: "high" },
-  { pattern: /(deploy|release|production|prod|docker|k8s|terraform|vercel|netlify|railway|render)/i, reason: "DEPLOYMENT_CONFIG", risk: "high" },
-  { pattern: /(^|[\\/])\.github[\\/]workflows[\\/]|(^|[\\/])(ci|cd)([\\/]|$)/i, reason: "CI_CONFIG", risk: "high" },
-]);
-
-const LOCAL_BROWSER_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
-
-function unique(values) {
-  return [...new Set((values || []).filter(Boolean))];
-}
-
-function maxRisk(left, right) {
-  return (RISK_ORDER[left] || 0) >= (RISK_ORDER[right] || 0) ? left : right;
-}
-
-function makeResult(riskLevel = "low", reasonCodes = [], extras = {}) {
-  return {
-    riskLevel,
-    reasonCodes: unique(reasonCodes),
-    explanation: extras.explanation || "",
-    recommendedAction: extras.recommendedAction || "",
-    findings: extras.findings || [],
-    safeSummary: extras.safeSummary || null,
-    matched: extras.matched || [],
-  };
-}
-
-function mergeResults(...results) {
-  return results.filter(Boolean).reduce((merged, current) => {
-    return {
-      riskLevel: maxRisk(merged.riskLevel, current.riskLevel || "low"),
-      reasonCodes: unique([...(merged.reasonCodes || []), ...(current.reasonCodes || [])]),
-      explanation: unique([merged.explanation, current.explanation]).filter(Boolean).join(" ").trim(),
-      recommendedAction: unique([merged.recommendedAction, current.recommendedAction]).filter(Boolean).join(" ").trim(),
-      findings: [...(merged.findings || []), ...(current.findings || [])],
-      safeSummary: merged.safeSummary || current.safeSummary || null,
-      matched: [...(merged.matched || []), ...(current.matched || [])],
-    };
-  }, makeResult("low"));
-}
-
-function normalizePathValue(value) {
-  return String(value || "").replace(/\\/g, "/").trim();
-}
-
-function normalizePathList(paths) {
-  if (!paths) return [];
-  const list = Array.isArray(paths) ? paths : [paths];
-  return list.map(normalizePathValue).filter(Boolean);
-}
-
-function parseUrl(input) {
-  const raw = String(input || "").trim();
-  if (!raw) return null;
-  try {
-    if (/^https?:\/\//i.test(raw)) return new URL(raw);
-    if (/^(localhost|127\.0\.0\.1|::1)(:\d+)?(\/|$)/i.test(raw)) {
-      return new URL(`http://${raw}`);
-    }
-  } catch {
-    return null;
-  }
-  return null;
-}
-
-function classifyPathRisk(paths, options = {}) {
-  const normalized = normalizePathList(paths);
-  if (!normalized.length) {
-    return makeResult("low", [], {
-      explanation: "No file or path target was provided.",
-      recommendedAction: "Keep the action scoped to the smallest necessary repo slice.",
-    });
-  }
-
-  let riskLevel = "low";
-  const reasonCodes = [];
-  const matched = [];
-
-  normalized.forEach((value) => {
-    SENSITIVE_PATH_PATTERNS.forEach((rule) => {
-      if (!rule.pattern.test(value)) return;
-      riskLevel = maxRisk(riskLevel, rule.risk);
-      reasonCodes.push(rule.reason);
-      matched.push(value);
-    });
-  });
-
-  if (riskLevel === "low" && normalized.every((value) => /^(docs|src\/landing-page|deferred\/site-implementation|tests|src\/)/i.test(value))) {
-    return makeResult("low", [], {
-      explanation: "The target stays inside normal project files.",
-      recommendedAction: "Keep the edit bounded to the requested product slice.",
-      matched: normalized,
-    });
-  }
-
-  return makeResult(riskLevel, reasonCodes, {
-    explanation: reasonCodes.length
-      ? "Sensitive file scope was detected."
-      : "The target path is not obviously sensitive.",
-    recommendedAction: riskLevel === "critical"
-      ? "Avoid direct writes to secrets or env files. Use a reviewed template or ask for explicit approval."
-      : riskLevel === "high"
-        ? "Double-check that the target path is in scope for the requested task."
-        : "Keep the action scoped to the requested files only.",
-    matched,
-  });
-}
-
-function classifyCommandRisk(command) {
-  const text = String(command || "").trim();
-  if (!text) {
-    return makeResult("low", [], {
-      explanation: "No shell command was provided.",
-      recommendedAction: "Prefer a scoped local command when execution is needed.",
-    });
-  }
-
-  const lower = text.toLowerCase();
-  const reasonCodes = [];
-  let riskLevel = "low";
-
-  if (/^(npm test|npm run test\b|npm run build\b|node --test\b|vitest\b|pytest\b|cargo test\b|go test\b)/i.test(text)) {
-    return makeResult("low", ["SAFE_STATUS_ACTION"], {
-      explanation: "The command looks like a normal local verification command.",
-      recommendedAction: "Run the narrowest relevant local verification only.",
-    });
-  }
-
-  if (/\brm\s+-rf\b|\bdel\s+\/s\s+\/q\b|\bformat\b|\bremove-item\b[^\n]*-recurse\b|\bgit reset --hard\b/i.test(lower)) {
-    reasonCodes.push("DESTRUCTIVE_COMMAND");
-    riskLevel = "critical";
-  }
-
-  if (/\bgit push\b[^\n]*--force\b|\bgit push --mirror\b|\bgit branch -d\b|\bgit tag -d\b/i.test(lower)) {
-    reasonCodes.push("FORCE_PUSH_OR_HISTORY_REWRITE");
-    riskLevel = maxRisk(riskLevel, "critical");
-  }
-
-  if (/\b(curl|wget)\b[^\n]*(upload|form|post|put)|\bscp\b|\brsync\b[^\n]*@/i.test(lower)) {
-    reasonCodes.push("EXTERNAL_REPO_EXPORT");
-    riskLevel = maxRisk(riskLevel, "critical");
-  }
-
-  if (/\b(curl|wget|invoke-webrequest|invoke-restmethod)\b/i.test(lower)) {
-    reasonCodes.push("EXTERNAL_NETWORK_REQUEST");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-
-  if (/\b(deploy|release|publish|shipit|npm publish)\b/i.test(lower)) {
-    reasonCodes.push("DEPLOYMENT_CONFIG");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-
-  return makeResult(riskLevel, reasonCodes, {
-    explanation: reasonCodes.length
-      ? "The command includes risky or high-impact behavior."
-      : "The command is not obviously destructive, but it still executes local changes.",
-    recommendedAction: riskLevel === "critical"
-      ? "Block destructive or external export commands unless they are explicitly reviewed and scoped."
-      : riskLevel === "high"
-        ? "Require explicit approval before running commands that deploy, publish, or reach external networks."
-        : "Keep shell commands narrow, local, and task-scoped.",
-  });
-}
-
-function classifyToolRisk(input = {}) {
-  const toolName = String(input.toolName || "").trim();
-  const mcpServer = String(input.mcpServer || "").trim();
-  const label = [mcpServer, toolName].filter(Boolean).join(":") || "unknown-tool";
-  const metadata = input.metadata && typeof input.metadata === "object" ? input.metadata : {};
-  const reasonCodes = [];
-  let riskLevel = "low";
-
-  if (!toolName && !mcpServer) {
-    return makeResult("low", [], {
-      explanation: "No tool or MCP target was provided.",
-      recommendedAction: "Keep tool access limited to trusted local capabilities.",
-    });
-  }
-
-  if (metadata.unknown === true || (!metadata.trusted && (toolName || mcpServer))) {
-    reasonCodes.push("UNKNOWN_MCP_TOOL");
-    riskLevel = maxRisk(riskLevel, "medium");
-  }
-  if (metadata.writeCapable === true) {
-    reasonCodes.push("WRITE_CAPABLE_TOOL");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-  if (metadata.networkCapable === true) {
-    reasonCodes.push("EXTERNAL_NETWORK_REQUEST");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-  if (metadata.secretSensitive === true) {
-    reasonCodes.push("SECRET_LIKE_TARGET");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-
-  return makeResult(riskLevel, reasonCodes, {
-    explanation: reasonCodes.length
-      ? `Tool risk signals were detected for ${label}.`
-      : `${label} looks like a normal local tool.`,
-    recommendedAction: riskLevel === "high"
-      ? "Require approval for write-capable, network-capable, or secret-sensitive tools."
-      : riskLevel === "medium"
-        ? "Review unknown tool trust before relying on it."
-        : "Keep tool access limited to trusted local tooling.",
-  });
-}
-
-function classifyBrowserRisk(input = {}) {
-  const urlValue = input.url || input.target || input.domain || "";
-  const parsed = parseUrl(urlValue);
-  const host = String(input.domain || parsed?.hostname || "").trim().toLowerCase();
-  const boundaryReady = input.domainBoundaryReady === true || input.allowedDomain === true;
-  const hasSessionRisk = input.cookieAccess === true || input.sessionAccess === true || input.secretAccess === true;
-
-  if (!host && !urlValue) {
-    return makeResult("low", [], {
-      explanation: "No browser target was provided.",
-      recommendedAction: "Keep browser actions limited to the named local preview when possible.",
-    });
-  }
-
-  if (hasSessionRisk) {
-    return makeResult("critical", ["BROWSER_COOKIE_OR_SESSION_RISK"], {
-      explanation: "The browser action could touch cookies, authenticated sessions, or other secret-bearing state.",
-      recommendedAction: "Block browser actions that need cookies, session reuse, or secret access.",
-    });
-  }
-
-  if (LOCAL_BROWSER_HOSTS.has(host)) {
-    return makeResult("low", ["VISUAL_QA_LOCAL_TARGET"], {
-      explanation: "The browser target stays on a local preview.",
-      recommendedAction: "Keep Visual QA scoped to local preview URLs when possible.",
-    });
-  }
-
-  return makeResult(boundaryReady ? "medium" : "high", ["BROWSER_EXTERNAL_DOMAIN"], {
-    explanation: boundaryReady
-      ? "The browser target is external, but a domain boundary is present."
-      : "The browser target is external and no domain boundary was provided.",
-    recommendedAction: boundaryReady
-      ? "Require approval before leaving the local preview scope."
-      : "Add an explicit domain boundary or require approval before touching external sites.",
-  });
-}
-
-function classifyInstructionRisk(input = {}) {
-  const text = String(input.instructionText || input.text || "").trim();
-  if (!text) {
-    return makeResult("low", [], {
-      explanation: "No instruction text was provided.",
-      recommendedAction: "Keep instructions explicit, scoped, and task-bound.",
-    });
-  }
-
-  const scan = scanInstructionRisk(text, {
-    sourceType: input.sourceType || input.sourceTrust || "unknown_external",
-  });
-  const reasonCodes = [];
-  let riskLevel = scan.instructionRisk || "low";
-
-  if (scan.signals.length > 0) {
-    reasonCodes.push("PROMPT_INJECTION_SIGNAL");
-  }
-  if (/\b(reveal|upload|send|exfiltrat|print)\b[^\n]{0,80}\b(secrets?|tokens?|credentials?|repo|repository|codebase)\b/i.test(text)) {
-    reasonCodes.push("PROMPT_INJECTION_SIGNAL", "SECRET_LIKE_TARGET");
-    riskLevel = maxRisk(riskLevel, "critical");
-  }
-  if (/\b(ignore|bypass|disable)\b[^\n]{0,80}\b(approval|security|guard|evidence|logs?)\b/i.test(text)) {
-    reasonCodes.push("PROMPT_INJECTION_SIGNAL");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-  if (/\b(always allow|allow all)\b[^\n]{0,40}\b(tool|command|browser|mcp)\b/i.test(text)) {
-    reasonCodes.push("PROMPT_INJECTION_SIGNAL");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-  if (/\b(delete|remove|wipe)\b[^\n]{0,80}\b(evidence|audit|logs?)\b/i.test(text)) {
-    reasonCodes.push("PROMPT_INJECTION_SIGNAL");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-  if (/\b(unrelated|outside scope|ignore scope)\b[^\n]{0,120}\b(auth|billing|deploy|workflow|secrets?)\b/i.test(text)) {
-    reasonCodes.push("INTENT_MISMATCH");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-
-  return makeResult(riskLevel, reasonCodes, {
-    explanation: scan.findings.length
-      ? "Instruction-risk or prompt-injection-like signals were detected."
-      : "No obvious prompt-injection patterns were detected.",
-    recommendedAction: riskLevel === "critical"
-      ? "Treat the content as untrusted, do not execute it, and keep it out of tool decisions."
-      : riskLevel === "high"
-        ? "Require review before allowing the instruction to influence tools or sensitive actions."
-        : scan.recommendation === "use_sanitized_copy"
-          ? "Use a sanitized summary instead of the raw instruction text."
-          : "Keep the instruction scoped to the requested task only.",
-    findings: scan.findings,
-    safeSummary: sanitizeInstructionLikeContent(text),
-  });
-}
-
-function classifyPromptInjectionRisk(input = {}) {
-  const base = classifyInstructionRisk(input);
-  if (!base.reasonCodes.includes("PROMPT_INJECTION_SIGNAL")) {
-    return base;
-  }
-  return mergeResults(base, makeResult(base.riskLevel === "low" ? "medium" : base.riskLevel, ["PROMPT_INJECTION_SIGNAL"], {
-    explanation: "Prompt-injection-like signals were detected in instruction content.",
-    recommendedAction: "Treat the content as data first and require review before it can influence tools or sensitive actions.",
-    safeSummary: base.safeSummary,
-  }));
-}
-
-function classifySourceTrustRisk(input = {}) {
-  const rawTrust = input.sourceTrust || input.trustLevel || input.sourceType || "";
-  const trust = String(rawTrust).trim().toLowerCase();
-  if (!trust) {
-    return makeResult("low", [], {
-      explanation: "No external source-trust signal was provided.",
-      recommendedAction: "Prefer reviewed local sources when a task includes discovered instructions.",
-    });
-  }
-  if (trust === "trusted" || trust === "project_local" || trust === "local") {
-    return makeResult("low", [], {
-      explanation: "The source looks local or trusted.",
-      recommendedAction: "Keep trusted local sources scoped to the requested task.",
-    });
-  }
-
-  const highRisk = ["external_untrusted", "tool_returned_untrusted", "unknown_external", "unknown"].includes(trust);
-  return makeResult(highRisk ? "high" : "medium", ["UNTRUSTED_SOURCE"], {
-    explanation: "The source should not be trusted as an instruction source.",
-    recommendedAction: "Treat untrusted or tool-returned content as data only unless it is explicitly reviewed.",
-  });
-}
-
-function classifyIntentMismatchRisk(input = {}) {
-  const task = String(input.userIntent || input.taskType || input.intendedTask || "").toLowerCase();
-  const targets = normalizePathList(input.targetPaths || input.target || []);
-  const command = String(input.command || "").toLowerCase();
-  const toolName = String(input.toolName || "").toLowerCase();
-  const domain = String(input.domain || input.url || "").toLowerCase();
-
-  if (!task) {
-    return makeResult("low", [], {
-      explanation: "No task intent was provided.",
-      recommendedAction: "Capture the user intent before approving broader actions.",
-    });
-  }
-
-  const taskLooksMarketing = /\b(landing|pricing|copy|homepage|docs?)\b/.test(task);
-  const targetLooksSensitive = targets.some((value) => /(auth|billing|payment|deploy|release|workflow|\.env|secret|credential)/i.test(value));
-  const commandLooksSensitive = /(deploy|publish|release|rm -rf|curl|wget|npm install|git push --force)/.test(command);
-  const toolLooksSensitive = /(delete|deploy|publish|secret|credential|billing|admin)/.test(toolName);
-  const domainLooksExternal = Boolean(domain) && !parseUrl(domain)?.hostname?.match(/^(localhost|127\.0\.0\.1|::1)$/i);
-
-  if (taskLooksMarketing && (targetLooksSensitive || commandLooksSensitive || toolLooksSensitive || domainLooksExternal)) {
-    return makeResult("high", ["INTENT_MISMATCH", "OUT_OF_SCOPE_FILE_CHANGE"], {
-      explanation: "The requested action does not match the stated marketing or docs task.",
-      recommendedAction: "Keep pricing, landing, or docs tasks out of auth, billing, deploy, workflow, and secret-bearing areas.",
-    });
-  }
-
-  return makeResult("low", [], {
-    explanation: "No strong intent mismatch signal was detected.",
-    recommendedAction: "Keep the action aligned with the named task.",
-  });
-}
-
-function classifySecretExposureRisk(input = {}) {
-  const combined = [
-    ...normalizePathList(input.targetPaths || input.target || []),
-    String(input.command || ""),
-    typeof input.content === "string" ? input.content : "",
-  ].join("\n");
-
-  const reasonCodes = [];
-  let riskLevel = "low";
-  if (/sk-[A-Za-z0-9]{16,}|ghp_[A-Za-z0-9]{20,}|api[_ -]?key\s*[:=]|bearer\s+[A-Za-z0-9._-]{12,}|-----BEGIN [A-Z ]+-----/i.test(combined)) {
-    reasonCodes.push("SECRET_LIKE_TARGET");
-    riskLevel = "critical";
-  }
-  if (/\.env(\.|$)|token|credential|private[_ -]?key|password/i.test(combined)) {
-    reasonCodes.push("SECRET_LIKE_TARGET");
-    riskLevel = maxRisk(riskLevel, "high");
-  }
-
-  return makeResult(riskLevel, reasonCodes, {
-    explanation: reasonCodes.length
-      ? "The action could expose secret-bearing material."
-      : "No clear secret-exposure signal was detected.",
-    recommendedAction: riskLevel === "critical"
-      ? "Block direct secret access or output and redact any token-like material from evidence."
-      : "Avoid printing, copying, or exporting secrets and env values.",
-  });
-}
-
-function classifyExternalExportRisk(input = {}) {
-  const text = [
-    String(input.command || ""),
-    String(input.url || ""),
-    String(input.target || ""),
-    String(input.toolName || ""),
-  ].join("\n").toLowerCase();
-
-  if (/\b(upload|paste|post|put|send|export)\b[^\n]{0,120}\b(repo|repository|codebase|artifact|zip|tar|bundle)\b/i.test(text)) {
-    return makeResult("critical", ["EXTERNAL_REPO_EXPORT"], {
-      explanation: "The action looks like it could export repository contents externally.",
-      recommendedAction: "Block repository export or require a narrowly reviewed, explicit approval path.",
-    });
-  }
-
-  if (/\b(curl|wget|invoke-webrequest|invoke-restmethod)\b/i.test(text)) {
-    return makeResult("high", ["EXTERNAL_NETWORK_REQUEST"], {
-      explanation: "The action reaches an external network target.",
-      recommendedAction: "Require review before sending project data or making external requests.",
-    });
-  }
-
-  return makeResult("low", [], {
-    explanation: "No external export signal was detected.",
-    recommendedAction: "Keep the action local-first by default.",
-  });
-}
-
-function classifyActionRisk(input = {}) {
-  const parts = [];
-  const actionType = String(input.actionType || "unknown").trim().toLowerCase();
-
-  if (actionType === "prompt_compile") {
-    return makeResult("low", ["SAFE_PROMPT_COMPILE"], {
-      explanation: "Prompt compilation is a local planning action.",
-      recommendedAction: "Keep the task scoped before editing code.",
-    });
-  }
-
-  if (actionType === "file_read" || actionType === "file_write" || actionType === "config_change") {
-    parts.push(classifyPathRisk(input.targetPaths || input.target || [], input));
-  }
-
-  if (actionType === "command_run" || actionType === "git_operation" || actionType === "deploy_operation") {
-    parts.push(classifyCommandRisk(input.command || input.target || ""));
-  }
-
-  if (actionType === "tool_call" || actionType === "mcp_tool_call") {
-    parts.push(classifyToolRisk({
-      toolName: input.toolName,
-      mcpServer: input.mcpServer,
-      metadata: input.toolMetadata,
-    }));
-  }
-
-  if (actionType === "browser_action" || actionType === "visual_qa_run") {
-    parts.push(classifyBrowserRisk({
-      url: input.url || input.target,
-      domain: input.domain,
-      domainBoundaryReady: input.domainBoundaryReady,
-      cookieAccess: input.cookieAccess,
-      sessionAccess: input.sessionAccess,
-      secretAccess: input.secretAccess,
-    }));
-  }
-
-  parts.push(classifyInstructionRisk({
-    text: input.instructionText,
-    sourceTrust: input.sourceTrust,
-    sourceType: input.sourceType,
-  }));
-  parts.push(classifySourceTrustRisk(input));
-  parts.push(classifyIntentMismatchRisk(input));
-  parts.push(classifySecretExposureRisk(input));
-  parts.push(classifyExternalExportRisk(input));
-
-  return mergeResults(...parts);
-}
-
-module.exports = {
-  RISK_LEVELS,
-  RISK_ORDER,
-  maxRisk,
-  mergeResults,
-  classifyPathRisk,
-  classifyCommandRisk,
-  classifyToolRisk,
-  classifyBrowserRisk,
-  classifyInstructionRisk,
-  classifyPromptInjectionRisk,
-  classifySourceTrustRisk,
-  classifyIntentMismatchRisk,
-  classifySecretExposureRisk,
-  classifyExternalExportRisk,
-  classifyActionRisk,
-};