claude-flow-novice 2.2.4 → 2.2.5

package/scripts/security/README.md

@@ -0,0 +1,339 @@
+# Security Scripts
+
+This directory contains security-related scripts for the Claude Flow project, including security validation, audit tools, and safety mechanisms.
+
+## Scripts
+
+### Security Validation
+
+#### `ruv-swarm-safe.js` - Swarm Safety Validator
+Validates swarm operations for security compliance and safe execution patterns.
+
+```bash
+# Basic security validation
+node scripts/security/ruv-swarm-safe.js
+
+# Comprehensive security audit
+node scripts/security/ruv-swarm-safe.js --audit
+
+# Check specific swarm configuration
+node scripts/security/ruv-swarm-safe.js --config path/to/swarm-config.json
+```
+
+**Features:**
+- Validates swarm configuration security
+- Checks for unsafe agent spawn patterns
+- Audits coordination protocol security
+- Verifies authentication mechanisms
+- Validates input sanitization
+
+## Security Categories
+
+### 1. Swarm Security
+Scripts that ensure secure swarm operations and agent coordination.
+
+**Security Checks:**
+- Agent authentication validation
+- Secure communication protocols
+- Resource access controls
+- Execution boundary validation
+- Inter-agent communication security
+
+### 2. Input Validation
+Scripts that validate and sanitize inputs across the system.
+
+**Validation Areas:**
+- User input sanitization
+- Configuration file validation
+- API parameter validation
+- File path sanitization
+- Command injection prevention
+
+### 3. Access Control
+Scripts that manage and validate access controls.
+
+**Access Control Features:**
+- Permission validation
+- Role-based access control
+- Resource access auditing
+- Privilege escalation detection
+- Unauthorized access prevention
+
+### 4. Cryptographic Security
+Scripts that handle cryptographic operations and validation.
+
+**Cryptographic Features:**
+- Key management validation
+- Encryption/decryption verification
+- Digital signature validation
+- Hash function verification
+- Secure random generation
+
+## Usage Patterns
+
+### Security Audit Workflow
+```bash
+# 1. Run basic security validation
+node scripts/security/ruv-swarm-safe.js
+
+# 2. Comprehensive security audit
+node scripts/security/ruv-swarm-safe.js --audit --verbose
+
+# 3. Generate security report
+node scripts/security/ruv-swarm-safe.js --report --output security-audit.json
+
+# 4. Validate specific components
+node scripts/security/ruv-swarm-safe.js --component swarm-coordination
+```
+
+### Continuous Security Monitoring
+```bash
+# Monitor swarm operations
+node scripts/security/ruv-swarm-safe.js --monitor --interval 30s
+
+# Real-time security alerts
+node scripts/security/ruv-swarm-safe.js --alerts --webhook https://alerts.example.com
+```
+
+### Pre-deployment Security Checks
+```bash
+# Validate deployment security
+node scripts/security/ruv-swarm-safe.js --deployment --environment production
+
+# Check configuration security
+node scripts/security/ruv-swarm-safe.js --config-audit --strict
+```
+
+## Security Standards
+
+### Compliance Requirements
+- **OWASP Top 10** - Protection against common vulnerabilities
+- **Zero Trust** - Never trust, always verify principle
+- **Least Privilege** - Minimal access rights for components
+- **Defense in Depth** - Multiple layers of security controls
+- **Secure by Default** - Default configurations prioritize security
+
+### Security Validation Criteria
+
+#### 1. Authentication & Authorization
+- Multi-factor authentication support
+- Role-based access control (RBAC)
+- Session management security
+- Token validation and expiration
+- Privilege escalation prevention
+
+#### 2. Input Validation & Sanitization
+- SQL injection prevention
+- Cross-site scripting (XSS) protection
+- Command injection prevention
+- Path traversal protection
+- Input length and format validation
+
+#### 3. Data Protection
+- Data encryption at rest and in transit
+- Secure key management
+- Personal data protection (GDPR compliance)
+- Data integrity verification
+- Secure data disposal
+
+#### 4. Communication Security
+- TLS/SSL encryption enforcement
+- Certificate validation
+- Secure protocol selection
+- Message integrity verification
+- Replay attack prevention
+
+#### 5. Error Handling & Logging
+- Secure error message handling
+- Comprehensive security logging
+- Log integrity protection
+- Sensitive data masking
+- Audit trail maintenance
+
+## Integration with CI/CD
+
+Security scripts integrate with the CI/CD pipeline:
+
+```yaml
+# .github/workflows/security.yml
+name: Security Validation
+on: [push, pull_request]
+
+jobs:
+  security-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Security Validation
+        run: |
+          node scripts/security/ruv-swarm-safe.js --audit
+          node scripts/security/ruv-swarm-safe.js --report --format junit
+```
+
+### Package.json Integration
+```json
+{
+  "scripts": {
+    "security:audit": "node scripts/security/ruv-swarm-safe.js --audit",
+    "security:validate": "node scripts/security/ruv-swarm-safe.js",
+    "security:report": "node scripts/security/ruv-swarm-safe.js --report",
+    "presecurity": "npm audit",
+    "postsecurity": "npm run security:validate"
+  }
+}
+```
+
+## Security Configuration
+
+### Default Security Settings
+```javascript
+// Security configuration example
+const securityConfig = {
+  swarm: {
+    maxAgents: 50,
+    authenticationRequired: true,
+    encryptCommunication: true,
+    validateAgentCode: true,
+    resourceLimits: {
+      memory: "512MB",
+      cpu: "50%",
+      diskSpace: "1GB"
+    }
+  },
+  validation: {
+    strictMode: true,
+    validateInputs: true,
+    sanitizeOutputs: true,
+    auditTrail: true
+  }
+};
+```
+
+### Environment-Specific Security
+```bash
+# Development environment
+export CLAUDE_FLOW_SECURITY_LEVEL=development
+export CLAUDE_FLOW_AUDIT_ENABLED=false
+
+# Staging environment
+export CLAUDE_FLOW_SECURITY_LEVEL=staging
+export CLAUDE_FLOW_AUDIT_ENABLED=true
+
+# Production environment
+export CLAUDE_FLOW_SECURITY_LEVEL=production
+export CLAUDE_FLOW_AUDIT_ENABLED=true
+export CLAUDE_FLOW_STRICT_MODE=true
+```
+
+## Security Incident Response
+
+### Incident Detection
+```bash
+# Check for security incidents
+node scripts/security/ruv-swarm-safe.js --incident-check
+
+# Monitor for suspicious activity
+node scripts/security/ruv-swarm-safe.js --monitor --alerts
+```
+
+### Incident Response Workflow
+1. **Immediate containment** - Isolate affected components
+2. **Evidence collection** - Gather logs and audit data
+3. **Impact assessment** - Determine scope and severity
+4. **Remediation** - Fix vulnerabilities and restore service
+5. **Post-incident review** - Learn and improve security measures
+
+### Security Logging
+```bash
+# Security event logging
+tail -f /var/log/claude-flow-security.log
+
+# Audit trail review
+node scripts/security/ruv-swarm-safe.js --audit-trail --since "2024-01-01"
+```
+
+## Best Practices
+
+### Development Security
+1. **Security-first design** - Consider security from the beginning
+2. **Regular security reviews** - Code and configuration audits
+3. **Automated security testing** - Integration with CI/CD
+4. **Security training** - Keep team updated on security practices
+5. **Incident preparedness** - Have response procedures ready
+
+### Operational Security
+1. **Regular updates** - Keep dependencies and systems updated
+2. **Access monitoring** - Monitor and audit access patterns
+3. **Backup security** - Secure backup and recovery procedures
+4. **Network security** - Implement network-level protections
+5. **Compliance monitoring** - Regular compliance assessments
+
+### Secure Coding Practices
+1. **Input validation** - Validate all inputs rigorously
+2. **Output encoding** - Encode outputs appropriately
+3. **Error handling** - Handle errors securely without information leakage
+4. **Authentication** - Implement strong authentication mechanisms
+5. **Authorization** - Enforce proper access controls
+
+## Troubleshooting
+
+### Security Validation Failures
+```bash
+# Debug security validation
+node scripts/security/ruv-swarm-safe.js --debug --verbose
+
+# Check specific security rules
+node scripts/security/ruv-swarm-safe.js --rule authentication --test
+```
+
+### Performance Impact
+```bash
+# Monitor security overhead
+node scripts/security/ruv-swarm-safe.js --performance-monitor
+
+# Optimize security checks
+node scripts/security/ruv-swarm-safe.js --optimize
+```
+
+### False Positives
+```bash
+# Configure security exceptions
+node scripts/security/ruv-swarm-safe.js --configure-exceptions
+
+# Whitelist known good patterns
+node scripts/security/ruv-swarm-safe.js --whitelist path/to/whitelist.json
+```
+
+## Contributing Security Scripts
+
+When adding new security scripts:
+
+1. **Follow security-first principles**
+2. **Include comprehensive validation**
+3. **Implement proper error handling**
+4. **Add detailed logging and auditing**
+5. **Write security-focused documentation**
+6. **Test with security scenarios**
+7. **Review with security team**
+
+## Security Resources
+
+### Documentation
+- OWASP Security Guidelines
+- Claude Flow Security Architecture
+- Threat Modeling Documentation
+- Security Incident Response Procedures
+
+### Tools & Libraries
+- Security scanning tools
+- Vulnerability databases
+- Security testing frameworks
+- Compliance checking tools
+
+### Monitoring & Alerting
+- Security information and event management (SIEM)
+- Intrusion detection systems (IDS)
+- Security metrics and dashboards
+- Automated security alerting
+
+For legacy security scripts, see `../legacy/` directory.

package/scripts/security/deployment-validation.cjs

@@ -0,0 +1,279 @@
+#!/usr/bin/env node
+
+/**
+ * Security Deployment Validation
+ * Phase 0 Security Debt Resolution - Loop 3 Retry
+ *
+ * Validates that all security tools are properly deployed and functional
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+// ANSI colors
+const colors = {
+  reset: '\x1b[0m',
+  green: '\x1b[32m',
+  red: '\x1b[31m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  cyan: '\x1b[36m'
+};
+
+const results = {
+  passed: [],
+  failed: [],
+  warnings: [],
+  score: 0
+};
+
+function log(message, color = 'reset') {
+  console.log(`${colors[color]}${message}${colors.reset}`);
+}
+
+function testSection(name) {
+  log(`\n🔍 Testing ${name}...`, 'cyan');
+}
+
+function testPass(message) {
+  log(`✅ ${message}`, 'green');
+  results.passed.push(message);
+}
+
+function testFail(message) {
+  log(`❌ ${message}`, 'red');
+  results.failed.push(message);
+}
+
+function testWarn(message) {
+  log(`⚠️  ${message}`, 'yellow');
+  results.warnings.push(message);
+}
+
+// Test 1: git-secrets installation
+testSection('git-secrets Installation');
+try {
+  const gitSecretsPath = path.join(process.env.HOME, '.local', 'bin', 'git-secrets');
+  if (fs.existsSync(gitSecretsPath)) {
+    testPass('git-secrets binary found');
+
+    // Test git hooks
+    const hooksDir = path.join(process.cwd(), '.git', 'hooks');
+    const requiredHooks = ['pre-commit', 'commit-msg', 'prepare-commit-msg'];
+    let hooksInstalled = true;
+
+    for (const hook of requiredHooks) {
+      const hookPath = path.join(hooksDir, hook);
+      if (fs.existsSync(hookPath)) {
+        const content = fs.readFileSync(hookPath, 'utf8');
+        if (content.includes('git-secrets') || content.includes('git secrets')) {
+          testPass(`git-secrets ${hook} hook installed`);
+        } else {
+          testWarn(`${hook} hook exists but may not include git-secrets`);
+          hooksInstalled = false;
+        }
+      } else {
+        testFail(`git-secrets ${hook} hook not found`);
+        hooksInstalled = false;
+      }
+    }
+
+    // Test patterns
+    try {
+      const patterns = execSync(`${gitSecretsPath} --list`, { encoding: 'utf8' });
+      if (patterns.includes('sk-ant-api03')) {
+        testPass('Anthropic API key pattern configured');
+      } else {
+        testWarn('Anthropic API key pattern not found');
+      }
+
+      if (patterns.includes('AWS')) {
+        testPass('AWS patterns configured');
+      } else {
+        testWarn('AWS patterns not configured');
+      }
+    } catch (err) {
+      testWarn('Could not verify git-secrets patterns');
+    }
+  } else {
+    testFail('git-secrets not found in ~/.local/bin');
+  }
+} catch (err) {
+  testFail(`git-secrets test failed: ${err.message}`);
+}
+
+// Test 2: Redis Authentication
+testSection('Redis Authentication');
+try {
+  // Check .env for REDIS_PASSWORD
+  const envPath = path.join(process.cwd(), '.env');
+  if (fs.existsSync(envPath)) {
+    const envContent = fs.readFileSync(envPath, 'utf8');
+    const redisPasswordMatch = envContent.match(/^REDIS_PASSWORD=(.+)$/m);
+
+    if (redisPasswordMatch && redisPasswordMatch[1].trim().length >= 32) {
+      testPass(`REDIS_PASSWORD configured (${redisPasswordMatch[1].trim().length} chars)`);
+
+      // Test Redis connection with auth
+      try {
+        const redisPassword = redisPasswordMatch[1].trim();
+        execSync(`redis-cli -a "${redisPassword}" ping`, { encoding: 'utf8', stdio: 'pipe' });
+        testPass('Redis authentication working');
+      } catch (err) {
+        testFail('Redis authentication failed - password may not be set in Redis');
+      }
+    } else if (redisPasswordMatch) {
+      testFail(`REDIS_PASSWORD too weak (${redisPasswordMatch[1].trim().length} chars, need ≥32)`);
+    } else {
+      testFail('REDIS_PASSWORD not found in .env');
+    }
+  } else {
+    testFail('.env file not found');
+  }
+} catch (err) {
+  testFail(`Redis authentication test failed: ${err.message}`);
+}
+
+// Test 3: File Permissions (WSL-aware)
+testSection('File Permissions');
+try {
+  const sensitiveFiles = ['.env', '.env.keys'];
+
+  // Detect WSL
+  let isWSL = false;
+  try {
+    const unameResult = execSync('uname -r', { encoding: 'utf8' });
+    isWSL = unameResult.toLowerCase().includes('microsoft') || unameResult.toLowerCase().includes('wsl');
+  } catch (err) {
+    // Not WSL
+  }
+
+  if (isWSL) {
+    testWarn('Running on WSL - file permissions may be limited by Windows');
+    testWarn('Ensure .env files are not in version control instead');
+  }
+
+  for (const file of sensitiveFiles) {
+    const filePath = path.join(process.cwd(), file);
+    if (fs.existsSync(filePath)) {
+      try {
+        const stats = fs.statSync(filePath);
+        const mode = (stats.mode & parseInt('777', 8)).toString(8);
+
+        if (isWSL) {
+          // On WSL, just check it exists and warn
+          testWarn(`${file} permissions: ${mode} (WSL limitation - ensure not in git)`);
+
+          // Check .gitignore
+          const gitignorePath = path.join(process.cwd(), '.gitignore');
+          if (fs.existsSync(gitignorePath)) {
+            const gitignore = fs.readFileSync(gitignorePath, 'utf8');
+            if (gitignore.includes(file)) {
+              testPass(`${file} is in .gitignore`);
+            } else {
+              testFail(`${file} NOT in .gitignore - CRITICAL`);
+            }
+          }
+        } else {
+          // On native Linux/macOS, enforce permissions
+          if (mode === '600') {
+            testPass(`${file} has secure permissions (600)`);
+          } else {
+            testFail(`${file} has insecure permissions: ${mode} (expected 600)`);
+          }
+        }
+      } catch (err) {
+        testWarn(`Could not check permissions for ${file}`);
+      }
+    }
+  }
+} catch (err) {
+  testFail(`File permissions test failed: ${err.message}`);
+}
+
+// Test 4: Security Audit Script
+testSection('Security Audit Script');
+try {
+  const auditScriptPath = path.join(process.cwd(), 'scripts', 'security', 'security-audit.cjs');
+  if (fs.existsSync(auditScriptPath)) {
+    testPass('security-audit.cjs exists');
+
+    // Try to run it
+    try {
+      execSync('node scripts/security/security-audit.cjs --json', {
+        encoding: 'utf8',
+        stdio: 'pipe',
+        timeout: 30000
+      });
+      testPass('security-audit.cjs executes successfully');
+    } catch (err) {
+      testWarn('security-audit.cjs runs but may report issues (expected)');
+    }
+  } else {
+    testFail('security-audit.cjs not found');
+  }
+} catch (err) {
+  testFail(`Security audit script test failed: ${err.message}`);
+}
+
+// Test 5: Documentation
+testSection('Security Documentation');
+const docs = [
+  'docs/security/GIT_SECRETS_SETUP.md',
+  'docs/security/REDIS_AUTHENTICATION.md'
+];
+
+for (const doc of docs) {
+  const docPath = path.join(process.cwd(), doc);
+  if (fs.existsSync(docPath)) {
+    testPass(`${doc} exists`);
+  } else {
+    testWarn(`${doc} not found`);
+  }
+}
+
+// Calculate Score
+const totalTests = results.passed.length + results.failed.length;
+const passedTests = results.passed.length;
+results.score = totalTests > 0 ? (passedTests / totalTests) : 0;
+
+// Summary Report
+log('\n' + '═'.repeat(60), 'blue');
+log('SECURITY DEPLOYMENT VALIDATION REPORT', 'blue');
+log('═'.repeat(60), 'blue');
+
+log(`\n📊 Results:`, 'cyan');
+log(`   ✅ Passed: ${results.passed.length}`, 'green');
+log(`   ❌ Failed: ${results.failed.length}`, 'red');
+log(`   ⚠️  Warnings: ${results.warnings.length}`, 'yellow');
+log(`   📈 Score: ${(results.score * 100).toFixed(0)}%`, results.score >= 0.9 ? 'green' : results.score >= 0.75 ? 'yellow' : 'red');
+
+if (results.failed.length > 0) {
+  log(`\n❌ Failed Tests:`, 'red');
+  results.failed.forEach((fail, i) => log(`   ${i + 1}. ${fail}`, 'red'));
+}
+
+if (results.warnings.length > 0) {
+  log(`\n⚠️  Warnings:`, 'yellow');
+  results.warnings.forEach((warn, i) => log(`   ${i + 1}. ${warn}`, 'yellow'));
+}
+
+// Recommendations
+log(`\n💡 Next Steps:`, 'cyan');
+if (results.score >= 0.9) {
+  log('   ✅ Security deployment complete - ready for production', 'green');
+  log('   🔄 Run npm run security:full-audit for comprehensive check', 'blue');
+} else if (results.score >= 0.75) {
+  log('   ⚠️  Security deployment mostly complete - address warnings', 'yellow');
+  log('   🔍 Review failed tests and warnings above', 'yellow');
+} else {
+  log('   ❌ Security deployment incomplete - address failures', 'red');
+  log('   📚 Review security documentation', 'red');
+  log('   🔧 Re-run deployment scripts', 'red');
+}
+
+log('\n' + '═'.repeat(60), 'blue');
+
+// Exit with appropriate code
+process.exit(results.score >= 0.75 ? 0 : 1);