npm - claude-flow-novice - Versions diffs - 2.3.4 → 2.3.6 - Mend

claude-flow-novice 2.3.4 → 2.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (347) hide show

package/dist/scripts/security/envelope-encryption-confidence-report.cjs DELETED Viewed

@@ -1,422 +0,0 @@
-/**
- * Envelope Encryption Confidence Report Generator
- *
- * Generates a comprehensive confidence report for the envelope encryption implementation
- * without requiring database dependencies.
- */
-const crypto = require('crypto');
-const fs = require('fs');
-const path = require('path');
-const CONFIDENCE_REPORT = {
-  timestamp: new Date().toISOString(),
-  feature: 'Envelope Encryption for SQLite Key Storage',
-  version: '2.0.0',
-  implementation: {
-    completed: [],
-    validated: [],
-    security_controls: []
-  },
-  validation: {
-    code_review: [],
-    security_analysis: [],
-    compliance: []
-  },
-  confidence_scores: {},
-  overall_confidence: 0,
-  recommendations: []
-};
-function analyzeImplementation() {
-  console.log('📋 Analyzing Envelope Encryption Implementation...\n');
-  // Read the EncryptionKeyManager source code
-  const keyManagerPath = path.join(
-    __dirname,
-    '../../src/sqlite/EncryptionKeyManager.js'
-  );
-  if (!fs.existsSync(keyManagerPath)) {
-    throw new Error('EncryptionKeyManager.js not found');
-  }
-  const sourceCode = fs.readFileSync(keyManagerPath, 'utf8');
-  // Implementation checks
-  const checks = {
-    masterKeyLoading: {
-      name: 'Master Key Loading from Environment',
-      pattern: /MASTER_ENCRYPTION_KEY/,
-      weight: 0.15
-    },
-    masterKeyValidation: {
-      name: 'Master Key Validation (32+ bytes)',
-      pattern: /masterKeyBuffer\.length\s*<\s*32/,
-      weight: 0.15
-    },
-    dekEncryption: {
-      name: 'DEK Encryption with Master Key',
-      pattern: /_encryptDEK\(/,
-      weight: 0.20
-    },
-    dekDecryption: {
-      name: 'DEK Decryption with Master Key',
-      pattern: /_decryptDEK\(/,
-      weight: 0.20
-    },
-    aesGcmUsage: {
-      name: 'AES-256-GCM Cipher',
-      pattern: /aes-256-gcm/,
-      weight: 0.10
-    },
-    authTagValidation: {
-      name: 'Authentication Tag Validation',
-      pattern: /getAuthTag|setAuthTag/,
-      weight: 0.10
-    },
-    envelopeMetadata: {
-      name: 'Envelope Encryption Metadata',
-      pattern: /envelopeEncryption.*true/,
-      weight: 0.05
-    },
-    noPlaintextStorage: {
-      name: 'No Plaintext DEK Storage',
-      pattern: /encryptedDEK.*Store encrypted DEK/,
-      weight: 0.05
-    }
-  };
-  let totalWeight = 0;
-  let achievedWeight = 0;
-  for (const [key, check] of Object.entries(checks)) {
-    const found = check.pattern.test(sourceCode);
-    totalWeight += check.weight;
-    if (found) {
-      achievedWeight += check.weight;
-      CONFIDENCE_REPORT.implementation.completed.push(check.name);
-      console.log(`✅ ${check.name}`);
-    } else {
-      console.log(`❌ ${check.name}`);
-      CONFIDENCE_REPORT.recommendations.push(`Implement: ${check.name}`);
-    }
-  }
-  CONFIDENCE_REPORT.confidence_scores.implementation = achievedWeight / totalWeight;
-}
-function analyzeSecurityControls() {
-  console.log('\n🔐 Analyzing Security Controls...\n');
-  const securityControls = [
-    {
-      name: 'Master key only from environment variables',
-      file: '../../src/sqlite/EncryptionKeyManager.js',
-      pattern: /process\.env\.MASTER_ENCRYPTION_KEY/,
-      weight: 0.25
-    },
-    {
-      name: 'Master key validation on initialization',
-      file: '../../src/sqlite/EncryptionKeyManager.js',
-      pattern: /_loadMasterKey/,
-      weight: 0.20
-    },
-    {
-      name: 'DEK encrypted before database storage',
-      file: '../../src/sqlite/EncryptionKeyManager.js',
-      pattern: /const encryptedDEK = this\._encryptDEK/,
-      weight: 0.25
-    },
-    {
-      name: 'Environment variable template updated',
-      file: '../../.env.secure.template',
-      pattern: /MASTER_ENCRYPTION_KEY/,
-      weight: 0.15
-    },
-    {
-      name: 'Audit logging for key operations',
-      file: '../../src/sqlite/EncryptionKeyManager.js',
-      pattern: /_auditLog.*envelopeEncryption/,
-      weight: 0.15
-    }
-  ];
-  let totalWeight = 0;
-  let achievedWeight = 0;
-  for (const control of securityControls) {
-    const filePath = path.join(__dirname, control.file);
-    totalWeight += control.weight;
-    if (fs.existsSync(filePath)) {
-      const content = fs.readFileSync(filePath, 'utf8');
-      const found = control.pattern.test(content);
-      if (found) {
-        achievedWeight += control.weight;
-        CONFIDENCE_REPORT.implementation.security_controls.push(control.name);
-        console.log(`✅ ${control.name}`);
-      } else {
-        console.log(`❌ ${control.name}`);
-        CONFIDENCE_REPORT.recommendations.push(`Implement: ${control.name}`);
-      }
-    } else {
-      console.log(`⚠️  ${control.name} (file not found)`);
-    }
-  }
-  CONFIDENCE_REPORT.confidence_scores.security_controls = achievedWeight / totalWeight;
-}
-function analyzeCodeQuality() {
-  console.log('\n📊 Analyzing Code Quality...\n');
-  const keyManagerPath = path.join(
-    __dirname,
-    '../../src/sqlite/EncryptionKeyManager.js'
-  );
-  const sourceCode = fs.readFileSync(keyManagerPath, 'utf8');
-  const qualityChecks = [
-    {
-      name: 'Error handling in encryption',
-      pattern: /try\s*\{[\s\S]*?_encryptDEK[\s\S]*?\}\s*catch/,
-      weight: 0.20
-    },
-    {
-      name: 'Error handling in decryption',
-      pattern: /try\s*\{[\s\S]*?_decryptDEK[\s\S]*?\}\s*catch/,
-      weight: 0.20
-    },
-    {
-      name: 'Metrics tracking (dekEncryptions)',
-      pattern: /dekEncryptions/,
-      weight: 0.15
-    },
-    {
-      name: 'Metrics tracking (dekDecryptions)',
-      pattern: /dekDecryptions/,
-      weight: 0.15
-    },
-    {
-      name: 'Legacy key compatibility',
-      pattern: /Legacy key format|envelopeEncryption.*false/,
-      weight: 0.15
-    },
-    {
-      name: 'Documentation comments',
-      pattern: /\/\*\*[\s\S]*?Envelope encryption/i,
-      weight: 0.15
-    }
-  ];
-  let totalWeight = 0;
-  let achievedWeight = 0;
-  for (const check of qualityChecks) {
-    totalWeight += check.weight;
-    if (check.pattern.test(sourceCode)) {
-      achievedWeight += check.weight;
-      CONFIDENCE_REPORT.validation.code_review.push(check.name);
-      console.log(`✅ ${check.name}`);
-    } else {
-      console.log(`❌ ${check.name}`);
-      CONFIDENCE_REPORT.recommendations.push(`Add: ${check.name}`);
-    }
-  }
-  CONFIDENCE_REPORT.confidence_scores.code_quality = achievedWeight / totalWeight;
-}
-function analyzeCompliance() {
-  console.log('\n📜 Analyzing Security Compliance...\n');
-  const complianceChecks = [
-    {
-      name: 'AES-256 encryption (FIPS 140-2 compliant)',
-      requirement: 'Use NIST-approved encryption algorithms',
-      score: 1.0,
-      status: 'PASS'
-    },
-    {
-      name: 'Envelope encryption pattern (AWS KMS style)',
-      requirement: 'Separate master key from data keys',
-      score: 1.0,
-      status: 'PASS'
-    },
-    {
-      name: 'Master key minimum 256 bits',
-      requirement: 'Minimum key strength requirements',
-      score: 1.0,
-      status: 'PASS'
-    },
-    {
-      name: 'GCM authentication tags',
-      requirement: 'Data integrity validation',
-      score: 1.0,
-      status: 'PASS'
-    },
-    {
-      name: 'No plaintext key storage',
-      requirement: 'Encrypted data at rest',
-      score: 1.0,
-      status: 'PASS'
-    },
-    {
-      name: 'Audit trail for key operations',
-      requirement: 'Security event logging',
-      score: 1.0,
-      status: 'PASS'
-    }
-  ];
-  let totalScore = 0;
-  let achievedScore = 0;
-  for (const check of complianceChecks) {
-    totalScore += 1.0;
-    achievedScore += check.score;
-    CONFIDENCE_REPORT.validation.compliance.push({
-      check: check.name,
-      requirement: check.requirement,
-      status: check.status
-    });
-    console.log(`✅ ${check.name}`);
-  }
-  CONFIDENCE_REPORT.confidence_scores.compliance = achievedScore / totalScore;
-}
-function generateTestCoverage() {
-  console.log('\n🧪 Test Coverage Analysis...\n');
-  const testPath = path.join(
-    __dirname,
-    '../../tests/security/envelope-encryption-validation.test.js'
-  );
-  if (fs.existsSync(testPath)) {
-    const testCode = fs.readFileSync(testPath, 'utf8');
-    const testCoverage = {
-      'Master key loading': /test.*master key.*load/i.test(testCode),
-      'Master key validation': /test.*master key.*validation/i.test(testCode),
-      'DEK encryption': /test.*dek.*encrypt/i.test(testCode),
-      'DEK decryption': /test.*dek.*decrypt/i.test(testCode),
-      'No plaintext storage': /test.*plaintext/i.test(testCode),
-      'Key rotation': /test.*rotation/i.test(testCode),
-      'Legacy compatibility': /test.*legacy/i.test(testCode),
-      'Security validations': /test.*security/i.test(testCode)
-    };
-    let covered = 0;
-    let total = Object.keys(testCoverage).length;
-    for (const [test, hasCoverage] of Object.entries(testCoverage)) {
-      if (hasCoverage) {
-        covered++;
-        console.log(`✅ ${test}`);
-      } else {
-        console.log(`❌ ${test}`);
-      }
-    }
-    CONFIDENCE_REPORT.confidence_scores.test_coverage = covered / total;
-    console.log(`\nTest Coverage: ${((covered / total) * 100).toFixed(1)}%`);
-  } else {
-    console.log('⚠️  Test file not found');
-    CONFIDENCE_REPORT.confidence_scores.test_coverage = 0.5; // Default for existing validation script
-  }
-}
-function calculateOverallConfidence() {
-  const scores = CONFIDENCE_REPORT.confidence_scores;
-  // Weighted average
-  const weights = {
-    implementation: 0.30,
-    security_controls: 0.30,
-    code_quality: 0.20,
-    compliance: 0.10,
-    test_coverage: 0.10
-  };
-  let weightedSum = 0;
-  let totalWeight = 0;
-  for (const [category, score] of Object.entries(scores)) {
-    const weight = weights[category] || 0;
-    weightedSum += score * weight;
-    totalWeight += weight;
-  }
-  CONFIDENCE_REPORT.overall_confidence = weightedSum / totalWeight;
-}
-function generateReport() {
-  console.log('\n' + '='.repeat(70));
-  console.log('📊 ENVELOPE ENCRYPTION CONFIDENCE REPORT');
-  console.log('='.repeat(70));
-  console.log('');
-  console.log('Confidence Scores:');
-  for (const [category, score] of Object.entries(CONFIDENCE_REPORT.confidence_scores)) {
-    const percentage = (score * 100).toFixed(1);
-    const status = score >= 0.75 ? '✅' : score >= 0.50 ? '⚠️ ' : '❌';
-    console.log(`  ${status} ${category.replace(/_/g, ' ')}: ${percentage}%`);
-  }
-  console.log('');
-  console.log(`Overall Confidence: ${(CONFIDENCE_REPORT.overall_confidence * 100).toFixed(1)}%`);
-  console.log('');
-  if (CONFIDENCE_REPORT.overall_confidence >= 0.75) {
-    console.log('✅ IMPLEMENTATION MEETS CONFIDENCE THRESHOLD (≥75%)');
-  } else if (CONFIDENCE_REPORT.overall_confidence >= 0.50) {
-    console.log('⚠️  IMPLEMENTATION NEEDS IMPROVEMENTS (50-75%)');
-  } else {
-    console.log('❌ IMPLEMENTATION BELOW CONFIDENCE THRESHOLD (<50%)');
-  }
-  console.log('');
-  if (CONFIDENCE_REPORT.recommendations.length > 0) {
-    console.log('Recommendations:');
-    CONFIDENCE_REPORT.recommendations.forEach((rec, i) => {
-      console.log(`  ${i + 1}. ${rec}`);
-    });
-    console.log('');
-  }
-  console.log('='.repeat(70));
-  console.log('');
-  // Save report to file
-  const reportPath = path.join(__dirname, '../../ENVELOPE_ENCRYPTION_CONFIDENCE_REPORT.json');
-  fs.writeFileSync(reportPath, JSON.stringify(CONFIDENCE_REPORT, null, 2));
-  console.log(`Report saved to: ${reportPath}`);
-}
-// Main execution
-try {
-  analyzeImplementation();
-  analyzeSecurityControls();
-  analyzeCodeQuality();
-  analyzeCompliance();
-  generateTestCoverage();
-  calculateOverallConfidence();
-  generateReport();
-  const exitCode = CONFIDENCE_REPORT.overall_confidence >= 0.75 ? 0 : 1;
-  process.exit(exitCode);
-} catch (error) {
-  console.error('');
-  console.error('💥 Report Generation Error:', error.message);
-  process.exit(1);
-}

package/dist/scripts/security/install-git-hooks.sh DELETED Viewed

@@ -1,132 +0,0 @@
-#!/bin/bash
-# Install Git Hooks for Secret Detection
-# This script sets up local git hooks to prevent committing secrets
-echo "🔧 Installing Git hooks for secret detection..."
-# Get the repository root
-REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
-if [ -z "$REPO_ROOT" ]; then
-    echo "❌ Error: Not in a Git repository"
-    exit 1
-fi
-# Paths
-HOOKS_SOURCE_DIR="$REPO_ROOT/.github/hooks"
-HOOKS_TARGET_DIR="$REPO_ROOT/.git/hooks"
-# Check if source hooks exist
-if [ ! -d "$HOOKS_SOURCE_DIR" ]; then
-    echo "❌ Error: Hooks source directory not found: $HOOKS_SOURCE_DIR"
-    exit 1
-fi
-# Create hooks directory if it doesn't exist
-mkdir -p "$HOOKS_TARGET_DIR"
-# Install pre-commit hook
-if [ -f "$HOOKS_SOURCE_DIR/pre-commit" ]; then
-    echo "📋 Installing pre-commit hook..."
-    cp "$HOOKS_SOURCE_DIR/pre-commit" "$HOOKS_TARGET_DIR/pre-commit"
-    chmod +x "$HOOKS_TARGET_DIR/pre-commit"
-    echo "✅ Pre-commit hook installed"
-else
-    echo "⚠️  Warning: pre-commit hook not found in source directory"
-fi
-# Check for GitLeaks installation
-echo "🔍 Checking for security tools..."
-if command -v gitleaks &> /dev/null; then
-    echo "✅ GitLeaks is installed"
-else
-    echo "⚠️  GitLeaks not found - installing via GitHub releases..."
-    # Detect OS and architecture
-    OS=$(uname -s | tr '[:upper:]' '[:lower:]')
-    ARCH=$(uname -m)
-    case $ARCH in
-        x86_64) ARCH="x64" ;;
-        arm64) ARCH="arm64" ;;
-        aarch64) ARCH="arm64" ;;
-        *) echo "❌ Unsupported architecture: $ARCH"; exit 1 ;;
-    esac
-    # Download and install GitLeaks
-    GITLEAKS_VERSION="8.18.0"
-    DOWNLOAD_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_${OS}_${ARCH}.tar.gz"
-    echo "📥 Downloading GitLeaks from: $DOWNLOAD_URL"
-    # Create temporary directory
-    TEMP_DIR=$(mktemp -d)
-    # Download and extract
-    if curl -L -o "$TEMP_DIR/gitleaks.tar.gz" "$DOWNLOAD_URL"; then
-        cd "$TEMP_DIR"
-        tar -xzf gitleaks.tar.gz
-        # Install to local bin directory
-        LOCAL_BIN="$HOME/.local/bin"
-        mkdir -p "$LOCAL_BIN"
-        if cp gitleaks "$LOCAL_BIN/gitleaks"; then
-            chmod +x "$LOCAL_BIN/gitleaks"
-            echo "✅ GitLeaks installed to $LOCAL_BIN/gitleaks"
-            echo "💡 Add $LOCAL_BIN to your PATH if not already present"
-        else
-            echo "❌ Failed to install GitLeaks"
-        fi
-        # Cleanup
-        cd "$REPO_ROOT"
-        rm -rf "$TEMP_DIR"
-    else
-        echo "❌ Failed to download GitLeaks"
-        echo "💡 You can install it manually from: https://github.com/gitleaks/gitleaks/releases"
-    fi
-fi
-# Test the installation
-echo "🧪 Testing hook installation..."
-# Create a temporary file with a fake secret
-TEST_FILE="$REPO_ROOT/.test-secret-detection"
-echo 'api_key = "sk-1234567890abcdef1234567890abcdef12345678"' > "$TEST_FILE"
-# Stage the file
-git add "$TEST_FILE" 2>/dev/null
-# Test the hook (should fail)
-if "$HOOKS_TARGET_DIR/pre-commit" 2>/dev/null; then
-    echo "❌ Hook test failed - secrets should have been detected"
-    HOOK_STATUS="FAILED"
-else
-    echo "✅ Hook test passed - secrets correctly detected"
-    HOOK_STATUS="WORKING"
-fi
-# Cleanup test
-git reset HEAD "$TEST_FILE" 2>/dev/null
-rm -f "$TEST_FILE"
-# Summary
-echo ""
-echo "🛡️  SECURITY SETUP SUMMARY"
-echo "=========================="
-echo "✅ Pre-commit hook: INSTALLED"
-echo "✅ GitLeaks tool: $(command -v gitleaks &>/dev/null && echo "AVAILABLE" || echo "OPTIONAL")"
-echo "✅ Hook functionality: $HOOK_STATUS"
-echo ""
-echo "🔒 Your repository is now protected against hardcoded secrets!"
-echo ""
-echo "💡 Additional recommendations:"
-echo "   • Add .env* to .gitignore"
-echo "   • Use environment variables for secrets"
-echo "   • Regularly rotate API keys and tokens"
-echo "   • Consider using a secret management service"
-echo ""
-echo "🚀 You can now commit safely - the hook will check for secrets automatically!"