npm - codehere - Versions diffs - 0.1.1 - Mend

codehere 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (991) hide show

package/dist/infrastructure/security/docker-sandbox.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Infrastructure: Docker Sandbox Executor
+ * Executes code in isolated Docker containers for security
+ *
+ * MANDATORY: All code execution must use this for security
+ */
+export interface SandboxOptions {
+    timeout?: number;
+    memoryLimit?: string;
+    cpuLimit?: string;
+    networkAccess?: boolean;
+    allowedPaths?: string[];
+}
+export interface SandboxResult {
+    success: boolean;
+    output: string;
+    error?: string;
+    exitCode?: number;
+    duration: number;
+}
+export declare class DockerSandbox {
+    private readonly DEFAULT_TIMEOUT;
+    private readonly DEFAULT_MEMORY;
+    private readonly DEFAULT_CPU;
+    private readonly SANDBOX_IMAGE;
+    private readonly TEMP_DIR;
+    constructor();
+    /**
+     * Execute code in isolated Docker container
+     */
+    execute(code: string, language?: 'javascript' | 'typescript' | 'python' | 'bash', options?: SandboxOptions): Promise<SandboxResult>;
+    /**
+     * Execute bash command in sandbox
+     */
+    executeBash(command: string, options?: SandboxOptions): Promise<SandboxResult>;
+    /**
+     * Build Docker command with security restrictions
+     */
+    private buildDockerCommand;
+    /**
+     * Get file extension for language
+     */
+    private getFileExtension;
+    /**
+     * Create timeout promise
+     */
+    private createTimeout;
+    /**
+     * Cleanup container and temp files
+     */
+    private cleanup;
+    /**
+     * Check if Docker is available
+     */
+    isAvailable(): Promise<boolean>;
+}
+//# sourceMappingURL=docker-sandbox.d.ts.map

package/dist/infrastructure/security/docker-sandbox.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"docker-sandbox.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/security/docker-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAoB;IAClD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA2B;;IASpD;;OAEG;IACG,OAAO,CACX,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAe,EAClE,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC;IAyDzB;;OAEG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,cAAmB,GAAG,OAAO,CAAC,aAAa,CAAC;IAKxF;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA8C1B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAUxB;;OAEG;IACH,OAAO,CAAC,aAAa;IAMrB;;OAEG;YACW,OAAO;IAmBrB;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;CAQtC"}

package/dist/infrastructure/security/docker-sandbox.js ADDED Viewed

@@ -0,0 +1,178 @@
+/**
+ * Infrastructure: Docker Sandbox Executor
+ * Executes code in isolated Docker containers for security
+ *
+ * MANDATORY: All code execution must use this for security
+ */
+import { exec } from 'child_process';
+import { promisify } from 'util';
+import { randomUUID } from 'crypto';
+import { writeFileSync, unlinkSync, existsSync, mkdirSync } from 'fs';
+import { join } from 'path';
+const execAsync = promisify(exec);
+export class DockerSandbox {
+    DEFAULT_TIMEOUT = 30000; // 30 seconds
+    DEFAULT_MEMORY = '512m';
+    DEFAULT_CPU = '0.5';
+    SANDBOX_IMAGE = 'node:18-alpine'; // Lightweight Node.js image
+    TEMP_DIR = '/tmp/codehere-sandbox';
+    constructor() {
+        // Ensure temp directory exists
+        if (!existsSync(this.TEMP_DIR)) {
+            mkdirSync(this.TEMP_DIR, { recursive: true });
+        }
+    }
+    /**
+     * Execute code in isolated Docker container
+     */
+    async execute(code, language = 'bash', options = {}) {
+        const startTime = Date.now();
+        const containerId = randomUUID().substring(0, 8);
+        const timeout = options.timeout || this.DEFAULT_TIMEOUT;
+        try {
+            // Create temporary file with code
+            const tempFile = join(this.TEMP_DIR, `${containerId}.${this.getFileExtension(language)}`);
+            writeFileSync(tempFile, code, 'utf-8');
+            // Build Docker run command with security restrictions
+            const dockerCommand = this.buildDockerCommand(containerId, tempFile, language, options);
+            // Execute in Docker container with timeout
+            const { stdout, stderr } = await Promise.race([
+                execAsync(dockerCommand, { timeout }),
+                this.createTimeout(timeout),
+            ]);
+            // Cleanup
+            this.cleanup(containerId, tempFile);
+            const duration = Date.now() - startTime;
+            return {
+                success: !stderr || stderr.length === 0,
+                output: stdout,
+                error: stderr || undefined,
+                exitCode: 0,
+                duration,
+            };
+        }
+        catch (error) {
+            // Cleanup on error
+            this.cleanup(containerId, join(this.TEMP_DIR, `${containerId}.${this.getFileExtension(language)}`));
+            const duration = Date.now() - startTime;
+            if (error.code === 'ETIMEDOUT' || error.signal === 'SIGTERM') {
+                return {
+                    success: false,
+                    output: '',
+                    error: `Execution timed out after ${timeout}ms`,
+                    exitCode: 124,
+                    duration,
+                };
+            }
+            return {
+                success: false,
+                output: '',
+                error: error.message || String(error),
+                exitCode: error.code || 1,
+                duration,
+            };
+        }
+    }
+    /**
+     * Execute bash command in sandbox
+     */
+    async executeBash(command, options = {}) {
+        // Use execute method with bash language
+        return await this.execute(command, 'bash', options);
+    }
+    /**
+     * Build Docker command with security restrictions
+     */
+    buildDockerCommand(containerId, codeFile, language, options) {
+        const memory = options.memoryLimit || this.DEFAULT_MEMORY;
+        const cpu = options.cpuLimit || this.DEFAULT_CPU;
+        const network = options.networkAccess ? '' : '--network none';
+        const readOnly = '--read-only';
+        const tmpfs = '--tmpfs /tmp:rw,noexec,nosuid,size=100m';
+        // Determine execution command based on language
+        let execCommand;
+        switch (language) {
+            case 'javascript':
+            case 'typescript':
+                execCommand = `node /code/${containerId}.js`;
+                break;
+            case 'python':
+                execCommand = `python /code/${containerId}.py`;
+                break;
+            case 'bash':
+            default:
+                execCommand = `sh /code/${containerId}.sh`;
+                break;
+        }
+        // Copy code file into container and execute
+        const dockerCommand = `docker run --rm \
+      --name codehere-sandbox-${containerId} \
+      --memory ${memory} \
+      --cpus ${cpu} \
+      ${network} \
+      ${readOnly} \
+      ${tmpfs} \
+      --security-opt no-new-privileges:true \
+      --cap-drop ALL \
+      --user 1000:1000 \
+      -v ${codeFile}:/code/${containerId}.${this.getFileExtension(language)}:ro \
+      ${this.SANDBOX_IMAGE} \
+      ${execCommand}`;
+        return dockerCommand;
+    }
+    /**
+     * Get file extension for language
+     */
+    getFileExtension(language) {
+        const extensions = {
+            javascript: 'js',
+            typescript: 'ts',
+            python: 'py',
+            bash: 'sh',
+        };
+        return extensions[language] || 'sh';
+    }
+    /**
+     * Create timeout promise
+     */
+    createTimeout(ms) {
+        return new Promise((_, reject) => {
+            setTimeout(() => reject(new Error('Timeout')), ms);
+        });
+    }
+    /**
+     * Cleanup container and temp files
+     */
+    async cleanup(containerId, tempFile) {
+        try {
+            // Try to stop container if still running
+            try {
+                await execAsync(`docker stop codehere-sandbox-${containerId} 2>/dev/null || true`);
+            }
+            catch {
+                // Container already stopped or doesn't exist
+            }
+            // Remove temp file
+            if (existsSync(tempFile)) {
+                unlinkSync(tempFile);
+            }
+        }
+        catch (error) {
+            // Log but don't fail on cleanup errors
+            console.warn('Sandbox cleanup warning:', error);
+        }
+    }
+    /**
+     * Check if Docker is available
+     */
+    async isAvailable() {
+        try {
+            await execAsync('docker --version');
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+//# sourceMappingURL=docker-sandbox.js.map

package/dist/infrastructure/security/docker-sandbox.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"docker-sandbox.js","sourceRoot":"","sources":["../../../src/infrastructure/security/docker-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACtE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAkBlC,MAAM,OAAO,aAAa;IACP,eAAe,GAAG,KAAK,CAAC,CAAC,aAAa;IACtC,cAAc,GAAG,MAAM,CAAC;IACxB,WAAW,GAAG,KAAK,CAAC;IACpB,aAAa,GAAG,gBAAgB,CAAC,CAAC,4BAA4B;IAC9D,QAAQ,GAAG,uBAAuB,CAAC;IAEpD;QACE,+BAA+B;QAC/B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CACX,IAAY,EACZ,WAA4D,MAAM,EAClE,UAA0B,EAAE;QAE5B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,WAAW,GAAG,UAAU,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,eAAe,CAAC;QAExD,IAAI,CAAC;YACH,kCAAkC;YAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,WAAW,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC1F,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YAEvC,sDAAsD;YACtD,MAAM,aAAa,GAAG,IAAI,CAAC,kBAAkB,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAExF,2CAA2C;YAC3C,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAC5C,SAAS,CAAC,aAAa,EAAE,EAAE,OAAO,EAAE,CAAC;gBACrC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC;aAC5B,CAAuC,CAAC;YAEzC,UAAU;YACV,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;YAEpC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAExC,OAAO;gBACL,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBACvC,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,MAAM,IAAI,SAAS;gBAC1B,QAAQ,EAAE,CAAC;gBACX,QAAQ;aACT,CAAC;QACJ,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,mBAAmB;YACnB,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,WAAW,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;YAEpG,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAExC,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC7D,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,EAAE;oBACV,KAAK,EAAE,6BAA6B,OAAO,IAAI;oBAC/C,QAAQ,EAAE,GAAG;oBACb,QAAQ;iBACT,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,EAAE;gBACV,KAAK,EAAE,KAAK,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC;gBACrC,QAAQ,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;gBACzB,QAAQ;aACT,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,OAAe,EAAE,UAA0B,EAAE;QAC7D,wCAAwC;QACxC,OAAO,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,WAAmB,EACnB,QAAgB,EAChB,QAAgB,EAChB,OAAuB;QAEvB,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,cAAc,CAAC;QAC1D,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC;QACjD,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,gBAAgB,CAAC;QAC9D,MAAM,QAAQ,GAAG,aAAa,CAAC;QAC/B,MAAM,KAAK,GAAG,yCAAyC,CAAC;QAExD,gDAAgD;QAChD,IAAI,WAAmB,CAAC;QACxB,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,YAAY,CAAC;YAClB,KAAK,YAAY;gBACf,WAAW,GAAG,cAAc,WAAW,KAAK,CAAC;gBAC7C,MAAM;YACR,KAAK,QAAQ;gBACX,WAAW,GAAG,gBAAgB,WAAW,KAAK,CAAC;gBAC/C,MAAM;YACR,KAAK,MAAM,CAAC;YACZ;gBACE,WAAW,GAAG,YAAY,WAAW,KAAK,CAAC;gBAC3C,MAAM;QACV,CAAC;QAED,4CAA4C;QAC5C,MAAM,aAAa,GAAG;gCACM,WAAW;iBAC1B,MAAM;eACR,GAAG;QACV,OAAO;QACP,QAAQ;QACR,KAAK;;;;WAIF,QAAQ,UAAU,WAAW,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC;QACnE,IAAI,CAAC,aAAa;QAClB,WAAW,EAAE,CAAC;QAElB,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,QAAgB;QACvC,MAAM,UAAU,GAA2B;YACzC,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,IAAI;YAChB,MAAM,EAAE,IAAI;YACZ,IAAI,EAAE,IAAI;SACX,CAAC;QACF,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACtC,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,EAAU;QAC9B,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;YAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,OAAO,CAAC,WAAmB,EAAE,QAAgB;QACzD,IAAI,CAAC;YACH,yCAAyC;YACzC,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,gCAAgC,WAAW,sBAAsB,CAAC,CAAC;YACrF,CAAC;YAAC,MAAM,CAAC;gBACP,6CAA6C;YAC/C,CAAC;YAED,mBAAmB;YACnB,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzB,UAAU,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,uCAAuC;YACvC,OAAO,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,kBAAkB,CAAC,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}

package/dist/infrastructure/security/enhanced-security-gate.d.ts ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * Infrastructure: Enhanced Security Gate
+ * Comprehensive security validation combining all security scanners
+ *
+ * Research-Driven Security:
+ * - AI SAST Scanner (existing) - 45% of AI code has flaws
+ * - License Scanner - 35% license contamination risk
+ * - Provider Bias Detector - Vendor lock-in prevention
+ * - Uncertainty Quantifier - Hallucination risk
+ *
+ * All checks must pass before code generation/editing
+ */
+import { AISASTScanner, type SASTResult } from './ai-sast-scanner.js';
+import { LicenseScanner, type LicenseScanResult } from './license-scanner.js';
+import { ProviderBiasDetector, type ProviderBiasResult } from './provider-bias-detector.js';
+import { UncertaintyQuantifier, type UncertaintyResult } from '../xai/uncertainty-quantifier.js';
+export interface EnhancedSecurityResult {
+    passed: boolean;
+    sast: SASTResult;
+    license: LicenseScanResult;
+    providerBias: ProviderBiasResult;
+    uncertainty?: UncertaintyResult;
+    errors: string[];
+    warnings: string[];
+}
+/**
+ * Enhanced Security Gate
+ * Orchestrates all security scanners
+ */
+export declare class EnhancedSecurityGate {
+    private sastScanner;
+    private licenseScanner;
+    private providerBiasDetector;
+    private uncertaintyQuantifier?;
+    private scanCache;
+    constructor(sastScanner: AISASTScanner, licenseScanner: LicenseScanner, providerBiasDetector: ProviderBiasDetector, uncertaintyQuantifier?: UncertaintyQuantifier | undefined);
+    /**
+     * Comprehensive security scan
+     * PERFORMANCE OPTIMIZATION: Parallelizes independent scans for ~3x speedup
+     */
+    scan(filepath: string, code: string, instruction?: string, context?: {
+        query?: string;
+        chunks?: any[];
+    }): Promise<EnhancedSecurityResult>;
+    /**
+     * Fast pre-check on instruction (before expensive operations)
+     * Enhanced with prompt injection detection
+     */
+    fastCheck(instruction: string): Promise<{
+        allowed: boolean;
+        findings: string[];
+    }>;
+    /**
+     * Validate LLM output before code execution
+     * P0 Security: Enhanced output validation
+     */
+    validateOutput(output: string, context?: {
+        query?: string;
+        operation?: string;
+    }): Promise<{
+        allowed: boolean;
+        findings: string[];
+        sanitized?: string;
+    }>;
+}
+//# sourceMappingURL=enhanced-security-gate.d.ts.map

package/dist/infrastructure/security/enhanced-security-gate.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enhanced-security-gate.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/security/enhanced-security-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,aAAa,EAAE,KAAK,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,KAAK,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,oBAAoB,EAAE,KAAK,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAC5F,OAAO,EAAE,qBAAqB,EAAE,KAAK,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAIjG,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,OAAO,CAAC;IAChB,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,YAAY,EAAE,kBAAkB,CAAC;IACjC,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;;GAGG;AACH,qBAAa,oBAAoB;IAI7B,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,oBAAoB;IAC5B,OAAO,CAAC,qBAAqB,CAAC;IANhC,OAAO,CAAC,SAAS,CAA0B;gBAGjC,WAAW,EAAE,aAAa,EAC1B,cAAc,EAAE,cAAc,EAC9B,oBAAoB,EAAE,oBAAoB,EAC1C,qBAAqB,CAAC,EAAE,qBAAqB,YAAA;IAGvD;;;OAGG;IACG,IAAI,CACR,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,WAAW,CAAC,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,GAC3C,OAAO,CAAC,sBAAsB,CAAC;IAqIlC;;;OAGG;IACG,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA+BvF;;;OAGG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAC9F,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;CA2CH"}

package/dist/infrastructure/security/enhanced-security-gate.js ADDED Viewed

@@ -0,0 +1,210 @@
+/**
+ * Infrastructure: Enhanced Security Gate
+ * Comprehensive security validation combining all security scanners
+ *
+ * Research-Driven Security:
+ * - AI SAST Scanner (existing) - 45% of AI code has flaws
+ * - License Scanner - 35% license contamination risk
+ * - Provider Bias Detector - Vendor lock-in prevention
+ * - Uncertainty Quantifier - Hallucination risk
+ *
+ * All checks must pass before code generation/editing
+ */
+import { createHash } from 'crypto';
+import { getSecurityScanCache } from '../cache/security-scan-cache.js';
+import { detectPromptInjection } from './input-validator.js';
+/**
+ * Enhanced Security Gate
+ * Orchestrates all security scanners
+ */
+export class EnhancedSecurityGate {
+    sastScanner;
+    licenseScanner;
+    providerBiasDetector;
+    uncertaintyQuantifier;
+    scanCache = getSecurityScanCache();
+    constructor(sastScanner, licenseScanner, providerBiasDetector, uncertaintyQuantifier) {
+        this.sastScanner = sastScanner;
+        this.licenseScanner = licenseScanner;
+        this.providerBiasDetector = providerBiasDetector;
+        this.uncertaintyQuantifier = uncertaintyQuantifier;
+    }
+    /**
+     * Comprehensive security scan
+     * PERFORMANCE OPTIMIZATION: Parallelizes independent scans for ~3x speedup
+     */
+    async scan(filepath, code, instruction, context) {
+        const errors = [];
+        const warnings = [];
+        // PERFORMANCE: Check cache first (bypasses expensive scans for unchanged files)
+        // CRITICAL FIX: Hash code before cache lookup (cache expects hash, not raw code)
+        const contentHash = createHash('sha256').update(code).digest('hex');
+        const cachedResults = this.scanCache.get(filepath, contentHash);
+        if (cachedResults) {
+            // Return cached results (skip expensive scans)
+            const passed = cachedResults.sast.passed && cachedResults.license.passed;
+            if (!cachedResults.sast.passed) {
+                errors.push(`Security vulnerabilities: ${cachedResults.sast.criticalCount} critical, ${cachedResults.sast.highCount} high`);
+            }
+            if (!cachedResults.license.passed) {
+                errors.push(`License conflicts: ${cachedResults.license.criticalCount} critical issues`);
+            }
+            if (!cachedResults.providerBias.passed) {
+                warnings.push(`Provider bias detected: ${cachedResults.providerBias.criticalCount} critical issues`);
+            }
+            // Still run uncertainty quantification if needed (it's fast and context-dependent)
+            let uncertainty;
+            if (this.uncertaintyQuantifier && context?.query && code) {
+                uncertainty = await this.uncertaintyQuantifier.quantifyUncertainty(context.query, code, { chunks: context.chunks }).catch(() => undefined);
+                if (uncertainty?.isHallucinationRisk) {
+                    warnings.push(`High epistemic uncertainty detected: Possible hallucination risk`);
+                }
+            }
+            return {
+                passed: errors.length === 0,
+                sast: cachedResults.sast,
+                license: cachedResults.license,
+                providerBias: cachedResults.providerBias,
+                uncertainty,
+                errors,
+                warnings,
+            };
+        }
+        // PERFORMANCE: Parallelize independent scans (SAST, License, Provider Bias)
+        // These scans are independent and can run concurrently
+        const scanPromises = [
+            // 1. Fast security check on instruction (if provided)
+            instruction
+                ? this.sastScanner.scanInstruction(instruction).catch(err => {
+                    console.warn(`[EnhancedSecurityGate] Instruction scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                    return null;
+                })
+                : Promise.resolve(null),
+            // 2. SAST scan on code
+            this.sastScanner.scan(filepath, code).catch(err => {
+                console.warn(`[EnhancedSecurityGate] SAST scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                return { passed: true, findings: [], criticalCount: 0, highCount: 0 };
+            }),
+            // 3. License scan
+            this.licenseScanner.scan(filepath, code).catch(err => {
+                console.warn(`[EnhancedSecurityGate] License scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                return { passed: true, findings: [], criticalCount: 0 };
+            }),
+            // 4. Provider bias detection
+            this.providerBiasDetector.scan(filepath, code).catch(err => {
+                console.warn(`[EnhancedSecurityGate] Provider bias scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                return { passed: true, findings: [], criticalCount: 0 };
+            }),
+        ];
+        // Execute all scans in parallel
+        const [instructionSast, sast, license, providerBias] = await Promise.all(scanPromises);
+        // Process results
+        if (instructionSast && !instructionSast.passed) {
+            errors.push(`Security vulnerabilities in instruction: ${instructionSast.findings.length} findings`);
+        }
+        if (!sast.passed) {
+            errors.push(`Security vulnerabilities: ${sast.criticalCount} critical, ${sast.highCount} high`);
+        }
+        if (!license.passed) {
+            errors.push(`License conflicts: ${license.criticalCount} critical issues`);
+        }
+        if (!providerBias.passed) {
+            warnings.push(`Provider bias detected: ${providerBias.criticalCount} critical issues`);
+            // Provider bias is a warning, not blocking (unless policy enforces)
+        }
+        // 5. Uncertainty quantification (runs after parallel scans, depends on context)
+        // This is independent but typically faster, so can run in parallel with scans if needed
+        let uncertainty;
+        if (this.uncertaintyQuantifier && context?.query && code) {
+            uncertainty = await this.uncertaintyQuantifier.quantifyUncertainty(context.query, code, { chunks: context.chunks }).catch(err => {
+                console.warn(`[EnhancedSecurityGate] Uncertainty quantification failed: ${err instanceof Error ? err.message : String(err)}`);
+                return undefined;
+            });
+            if (uncertainty?.isHallucinationRisk) {
+                warnings.push(`High epistemic uncertainty detected: Possible hallucination risk`);
+            }
+        }
+        const passed = errors.length === 0; // Only fail on critical errors
+        // Cache results for future use (performance optimization)
+        // Note: cache.set() accepts code string and hashes internally
+        this.scanCache.set(filepath, code, sast, license, providerBias);
+        return {
+            passed,
+            sast,
+            license,
+            providerBias,
+            uncertainty,
+            errors,
+            warnings,
+        };
+    }
+    /**
+     * Fast pre-check on instruction (before expensive operations)
+     * Enhanced with prompt injection detection
+     */
+    async fastCheck(instruction) {
+        const findings = [];
+        // P0 Security: Check for prompt injection first (fast, synchronous)
+        const injectionResult = detectPromptInjection(instruction);
+        if (injectionResult) {
+            if (injectionResult.severity === 'critical' || injectionResult.severity === 'high') {
+                findings.push(`Prompt injection (${injectionResult.severity}): ${injectionResult.description}`);
+            }
+            else {
+                findings.push(`Prompt injection (${injectionResult.severity}): ${injectionResult.description}`);
+            }
+        }
+        // SAST scan on instruction
+        const sastResult = await this.sastScanner.scanInstruction(instruction);
+        if (sastResult && !sastResult.passed) {
+            findings.push(...sastResult.findings.map(f => `${f.severity}: ${f.description}`));
+        }
+        // Block if critical/high severity findings
+        const hasCriticalFindings = findings.some(f => f.includes('critical') || f.includes('high') ||
+            (injectionResult && (injectionResult.severity === 'critical' || injectionResult.severity === 'high')));
+        return {
+            allowed: !hasCriticalFindings,
+            findings,
+        };
+    }
+    /**
+     * Validate LLM output before code execution
+     * P0 Security: Enhanced output validation
+     */
+    async validateOutput(output, context) {
+        const findings = [];
+        let sanitized = output;
+        // Check for prompt injection in output (LLM may have been manipulated)
+        const injectionResult = detectPromptInjection(output);
+        if (injectionResult && (injectionResult.severity === 'critical' || injectionResult.severity === 'high')) {
+            findings.push(`Output contains prompt injection (${injectionResult.severity}): ${injectionResult.description}`);
+        }
+        // Check for dangerous code patterns in output
+        const dangerousPatterns = [
+            { pattern: /eval\s*\(/i, description: 'eval() function detected' },
+            { pattern: /Function\s*\(/i, description: 'Function constructor detected' },
+            { pattern: /exec\s*\(|execSync|spawn|execFile/i, description: 'Process execution detected' },
+            { pattern: /require\s*\([^)]*process/i, description: 'Process module access detected' },
+            { pattern: /child_process/i, description: 'Child process module detected' },
+            { pattern: /fs\.(writeFile|unlink|rmdir|rm)/i, description: 'File system write operation detected' },
+            { pattern: /__dirname|__filename/i, description: 'File system path access detected' },
+        ];
+        for (const { pattern, description } of dangerousPatterns) {
+            if (pattern.test(output)) {
+                findings.push(`Dangerous pattern: ${description}`);
+            }
+        }
+        // Check for suspicious encoding attempts
+        if (/base64|hex|binary|decode/i.test(output) && /eval|exec|Function/i.test(output)) {
+            findings.push('Suspicious encoding with code execution detected');
+        }
+        // If critical findings, don't sanitize - reject entirely
+        const hasCriticalFindings = findings.some(f => f.includes('critical') || f.includes('high') || f.includes('Prompt injection'));
+        return {
+            allowed: !hasCriticalFindings,
+            findings,
+            sanitized: hasCriticalFindings ? undefined : (sanitized || output),
+        };
+    }
+}
+//# sourceMappingURL=enhanced-security-gate.js.map

package/dist/infrastructure/security/enhanced-security-gate.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enhanced-security-gate.js","sourceRoot":"","sources":["../../../src/infrastructure/security/enhanced-security-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAKpC,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAY7D;;;GAGG;AACH,MAAM,OAAO,oBAAoB;IAIrB;IACA;IACA;IACA;IANF,SAAS,GAAG,oBAAoB,EAAE,CAAC;IAE3C,YACU,WAA0B,EAC1B,cAA8B,EAC9B,oBAA0C,EAC1C,qBAA6C;QAH7C,gBAAW,GAAX,WAAW,CAAe;QAC1B,mBAAc,GAAd,cAAc,CAAgB;QAC9B,yBAAoB,GAApB,oBAAoB,CAAsB;QAC1C,0BAAqB,GAArB,qBAAqB,CAAwB;IACpD,CAAC;IAEJ;;;OAGG;IACH,KAAK,CAAC,IAAI,CACR,QAAgB,EAChB,IAAY,EACZ,WAAoB,EACpB,OAA4C;QAE5C,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,gFAAgF;QAChF,iFAAiF;QACjF,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACpE,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAChE,IAAI,aAAa,EAAE,CAAC;YAClB,+CAA+C;YAC/C,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,IAAI,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC;YAEzE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC/B,MAAM,CAAC,IAAI,CAAC,6BAA6B,aAAa,CAAC,IAAI,CAAC,aAAa,cAAc,aAAa,CAAC,IAAI,CAAC,SAAS,OAAO,CAAC,CAAC;YAC9H,CAAC;YACD,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;gBAClC,MAAM,CAAC,IAAI,CAAC,sBAAsB,aAAa,CAAC,OAAO,CAAC,aAAa,kBAAkB,CAAC,CAAC;YAC3F,CAAC;YACD,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC,2BAA2B,aAAa,CAAC,YAAY,CAAC,aAAa,kBAAkB,CAAC,CAAC;YACvG,CAAC;YAED,mFAAmF;YACnF,IAAI,WAA0C,CAAC;YAC/C,IAAI,IAAI,CAAC,qBAAqB,IAAI,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,CAAC;gBACzD,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,mBAAmB,CAChE,OAAO,CAAC,KAAK,EACb,IAAI,EACJ,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAC3B,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBAEzB,IAAI,WAAW,EAAE,mBAAmB,EAAE,CAAC;oBACrC,QAAQ,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;gBAC3B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,YAAY,EAAE,aAAa,CAAC,YAAY;gBACxC,WAAW;gBACX,MAAM;gBACN,QAAQ;aACT,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,uDAAuD;QACvD,MAAM,YAAY,GAAmB;YACnC,sDAAsD;YACtD,WAAW;gBACT,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;oBACxD,OAAO,CAAC,IAAI,CAAC,mDAAmD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;oBACpH,OAAO,IAAI,CAAC;gBACd,CAAC,CAAC;gBACJ,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;YAEzB,uBAAuB;YACvB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBAChD,OAAO,CAAC,IAAI,CAAC,4CAA4C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC7G,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;YACxE,CAAC,CAAC;YAEF,kBAAkB;YAClB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACnD,OAAO,CAAC,IAAI,CAAC,+CAA+C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChH,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC;YAC1D,CAAC,CAAC;YAEF,6BAA6B;YAC7B,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACzD,OAAO,CAAC,IAAI,CAAC,qDAAqD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACtH,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC;YAC1D,CAAC,CAAC;SACH,CAAC;QAEF,gCAAgC;QAChC,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,OAAO,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAEvF,kBAAkB;QAClB,IAAI,eAAe,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,4CAA4C,eAAe,CAAC,QAAQ,CAAC,MAAM,WAAW,CAAC,CAAC;QACtG,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,6BAA6B,IAAI,CAAC,aAAa,cAAc,IAAI,CAAC,SAAS,OAAO,CAAC,CAAC;QAClG,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,aAAa,kBAAkB,CAAC,CAAC;QAC7E,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC,2BAA2B,YAAY,CAAC,aAAa,kBAAkB,CAAC,CAAC;YACvF,oEAAoE;QACtE,CAAC;QAED,gFAAgF;QAChF,wFAAwF;QACxF,IAAI,WAA0C,CAAC;QAC/C,IAAI,IAAI,CAAC,qBAAqB,IAAI,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,CAAC;YACzD,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,mBAAmB,CAChE,OAAO,CAAC,KAAK,EACb,IAAI,EACJ,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAC3B,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACZ,OAAO,CAAC,IAAI,CAAC,6DAA6D,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC9H,OAAO,SAAS,CAAC;YACnB,CAAC,CAAC,CAAC;YAEH,IAAI,WAAW,EAAE,mBAAmB,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;YACpF,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,+BAA+B;QAEnE,0DAA0D;QAC1D,8DAA8D;QAC9D,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QAEhE,OAAO;YACL,MAAM;YACN,IAAI;YACJ,OAAO;YACP,YAAY;YACZ,WAAW;YACX,MAAM;YACN,QAAQ;SACT,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,WAAmB;QACjC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,oEAAoE;QACpE,MAAM,eAAe,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC3D,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,eAAe,CAAC,QAAQ,KAAK,UAAU,IAAI,eAAe,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACnF,QAAQ,CAAC,IAAI,CAAC,qBAAqB,eAAe,CAAC,QAAQ,MAAM,eAAe,CAAC,WAAW,EAAE,CAAC,CAAC;YAClG,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,qBAAqB,eAAe,CAAC,QAAQ,MAAM,eAAe,CAAC,WAAW,EAAE,CAAC,CAAC;YAClG,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACvE,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YACrC,QAAQ,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QACpF,CAAC;QAED,2CAA2C;QAC3C,MAAM,mBAAmB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC5C,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC5C,CAAC,eAAe,IAAI,CAAC,eAAe,CAAC,QAAQ,KAAK,UAAU,IAAI,eAAe,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CACtG,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,mBAAmB;YAC7B,QAAQ;SACT,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc,CAAC,MAAc,EAAE,OAAgD;QAKnF,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,IAAI,SAAS,GAAG,MAAM,CAAC;QAEvB,uEAAuE;QACvE,MAAM,eAAe,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACtD,IAAI,eAAe,IAAI,CAAC,eAAe,CAAC,QAAQ,KAAK,UAAU,IAAI,eAAe,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,CAAC;YACxG,QAAQ,CAAC,IAAI,CAAC,qCAAqC,eAAe,CAAC,QAAQ,MAAM,eAAe,CAAC,WAAW,EAAE,CAAC,CAAC;QAClH,CAAC;QAED,8CAA8C;QAC9C,MAAM,iBAAiB,GAAG;YACxB,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,0BAA0B,EAAE;YAClE,EAAE,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,+BAA+B,EAAE;YAC3E,EAAE,OAAO,EAAE,oCAAoC,EAAE,WAAW,EAAE,4BAA4B,EAAE;YAC5F,EAAE,OAAO,EAAE,2BAA2B,EAAE,WAAW,EAAE,gCAAgC,EAAE;YACvF,EAAE,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,+BAA+B,EAAE;YAC3E,EAAE,OAAO,EAAE,kCAAkC,EAAE,WAAW,EAAE,sCAAsC,EAAE;YACpG,EAAE,OAAO,EAAE,uBAAuB,EAAE,WAAW,EAAE,kCAAkC,EAAE;SACtF,CAAC;QAEF,KAAK,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,iBAAiB,EAAE,CAAC;YACzD,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,QAAQ,CAAC,IAAI,CAAC,sBAAsB,WAAW,EAAE,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,IAAI,2BAA2B,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACnF,QAAQ,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QACpE,CAAC;QAED,yDAAyD;QACzD,MAAM,mBAAmB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC5C,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAC/E,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,mBAAmB;YAC7B,QAAQ;YACR,SAAS,EAAE,mBAAmB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC;SACnE,CAAC;IACJ,CAAC;CACF"}

package/dist/infrastructure/security/input-validator.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Infrastructure: Input Validator
+ * Enterprise-grade input validation and sanitization
+ *
+ * Clean Architecture: Infrastructure Layer
+ * Security: Prevents injection attacks, validates user input
+ */
+export interface ValidationResult {
+    valid: boolean;
+    errors: string[];
+    sanitized?: string;
+}
+/**
+ * Validate file path to prevent directory traversal
+ */
+export declare function validateFilePath(filepath: string): ValidationResult;
+/**
+ * Detect prompt injection patterns
+ * Based on OWASP LLM Top 10, HackAPrompt, and real-world attack patterns
+ */
+export interface PromptInjectionResult {
+    detected: boolean;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    category: string;
+    pattern: string;
+    description: string;
+}
+/**
+ * Comprehensive prompt injection detection
+ * Detects: instruction injection, role-playing, jailbreaks, context manipulation, etc.
+ */
+export declare function detectPromptInjection(input: string): PromptInjectionResult | null;
+/**
+ * Validate query string to prevent injection
+ * Enhanced with prompt injection detection
+ */
+export declare function validateQuery(query: string): ValidationResult;
+/**
+ * Validate API key format
+ */
+export declare function validateAPIKey(apiKey: string): ValidationResult;
+/**
+ * Validate file content before processing
+ */
+export declare function validateFileContent(content: string, maxSize?: number): ValidationResult;
+//# sourceMappingURL=input-validator.d.ts.map

package/dist/infrastructure/security/input-validator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"input-validator.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/security/input-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,gBAAgB,CAuCnE;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACjD,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,qBAAqB,GAAG,IAAI,CA8HjF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,CA0D7D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CA2B/D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,MAAyB,GAAG,gBAAgB,CAkBzG"}