erosolar-cli 1.7.54 → 1.7.56

package/dist/bin/alpha-zero/security/core.js

@@ -1,269 +0,0 @@
-/**
- * Core Security Research Framework
- *
- * Base authorization system and reconnaissance capabilities.
- * All operations require explicit authorization.
- *
- * Principal Investigator: Bo Shang
- * Framework: erosolar-cli
- */
-import * as dns from 'dns/promises';
-import * as net from 'net';
-/**
- * Scope of authorization for security testing
- */
-export var AuthorizationScope;
-(function (AuthorizationScope) {
-    AuthorizationScope["OWNED_SYSTEMS"] = "owned_systems";
-    AuthorizationScope["BUG_BOUNTY"] = "bug_bounty";
-    AuthorizationScope["PENTEST_ENGAGEMENT"] = "pentest_engagement";
-    AuthorizationScope["CTF_COMPETITION"] = "ctf_competition";
-    AuthorizationScope["RED_TEAM"] = "red_team";
-    AuthorizationScope["EDUCATIONAL"] = "educational";
-})(AuthorizationScope || (AuthorizationScope = {}));
-const DEFAULT_CONFIG = {
-    dataDir: '.security_research',
-    verbose: false,
-};
-/**
- * Security Research Engine
- *
- * All operations require explicit authorization records.
- */
-export class SecurityResearchEngine {
-    constructor(config = {}) {
-        this.authorization = null;
-        this.findings = [];
-        this.reconResults = [];
-        this.config = { ...DEFAULT_CONFIG, ...config };
-    }
-    /**
-     * Set authorization for testing
-     */
-    setAuthorization(authorization) {
-        this.authorization = authorization;
-        if (this.config.verbose) {
-            console.log(`[Authorization] Set for ${authorization.targetDomain}`);
-        }
-    }
-    /**
-     * Check if authorization is valid
-     */
-    checkAuthorization(target) {
-        if (!this.authorization) {
-            throw new Error('No authorization record set.');
-        }
-        // Check expiration
-        if (this.authorization.expirationDate) {
-            const exp = new Date(this.authorization.expirationDate);
-            if (new Date() > exp) {
-                throw new Error('Authorization has expired.');
-            }
-        }
-        // Check scope
-        const inScope = this.authorization.targetDomain.includes(target) ||
-            target.endsWith(this.authorization.targetDomain);
-        const outOfScope = this.authorization.outOfScope.some(oos => target.includes(oos));
-        if (!inScope || outOfScope) {
-            throw new Error(`Target ${target} is not within authorized scope.`);
-        }
-    }
-    /**
-     * Perform passive reconnaissance
-     */
-    async passiveRecon(target) {
-        this.checkAuthorization(target);
-        if (this.config.verbose) {
-            console.log(`[Recon] Starting passive recon on ${target}`);
-        }
-        const result = {
-            target,
-            timestamp: Date.now(),
-            dnsRecords: {},
-            openPorts: [],
-            sslInfo: {},
-            httpHeaders: {},
-            technologies: [],
-            subdomains: [],
-            potentialVectors: [],
-        };
-        // DNS lookup
-        try {
-            result.dnsRecords['A'] = await dns.resolve4(target);
-        }
-        catch { /* ignore */ }
-        try {
-            result.dnsRecords['MX'] = (await dns.resolveMx(target)).map(r => r.exchange);
-        }
-        catch { /* ignore */ }
-        try {
-            result.dnsRecords['TXT'] = await dns.resolveTxt(target).then(r => r.flat());
-        }
-        catch { /* ignore */ }
-        // Common subdomain patterns
-        const prefixes = ['www', 'mail', 'api', 'dev', 'staging', 'admin'];
-        result.subdomains = prefixes.map(p => `${p}.${target}`);
-        this.reconResults.push(result);
-        return result;
-    }
-    /**
-     * Perform active reconnaissance (requires stronger authorization)
-     */
-    async activeRecon(target, ports = [80, 443, 8080, 8443]) {
-        this.checkAuthorization(target);
-        // Active recon requires stronger authorization
-        const allowed = [
-            AuthorizationScope.OWNED_SYSTEMS,
-            AuthorizationScope.PENTEST_ENGAGEMENT,
-            AuthorizationScope.RED_TEAM,
-            AuthorizationScope.CTF_COMPETITION,
-        ];
-        if (!allowed.includes(this.authorization.scope)) {
-            throw new Error('Active recon requires stronger authorization.');
-        }
-        const result = await this.passiveRecon(target);
-        // Port scan
-        result.openPorts = await this.scanPorts(target, ports);
-        // Identify vectors
-        result.potentialVectors = this.identifyVectors(result);
-        return result;
-    }
-    /**
-     * Scan ports
-     */
-    async scanPorts(host, ports) {
-        const checkPort = (port) => {
-            return new Promise(resolve => {
-                const socket = new net.Socket();
-                socket.setTimeout(2000);
-                socket.on('connect', () => {
-                    socket.destroy();
-                    resolve(true);
-                });
-                socket.on('error', () => {
-                    socket.destroy();
-                    resolve(false);
-                });
-                socket.on('timeout', () => {
-                    socket.destroy();
-                    resolve(false);
-                });
-                socket.connect(port, host);
-            });
-        };
-        const results = await Promise.all(ports.map(async (port) => {
-            const isOpen = await checkPort(port);
-            return isOpen ? port : null;
-        }));
-        return results.filter((p) => p !== null);
-    }
-    /**
-     * Identify potential attack vectors
-     */
-    identifyVectors(recon) {
-        const vectors = [];
-        // Missing security headers (would need HTTP request to determine)
-        // Placeholder for now
-        vectors.push('Check for missing security headers');
-        // Open ports analysis
-        if (recon.openPorts.includes(21)) {
-            vectors.push('FTP port open - check for anonymous access');
-        }
-        if (recon.openPorts.includes(22)) {
-            vectors.push('SSH port open - check for weak credentials');
-        }
-        return vectors;
-    }
-    /**
-     * Analyze for vulnerabilities
-     */
-    analyzeForVulnerabilities(recon) {
-        this.checkAuthorization(recon.target);
-        const findings = [];
-        // Example: missing HSTS (would need actual HTTP response)
-        findings.push({
-            title: 'Missing HSTS Header (Verify Required)',
-            severity: 'medium',
-            category: 'config',
-            description: 'Verify HSTS header is present.',
-            evidence: 'Requires HTTP response analysis',
-            remediation: 'Add Strict-Transport-Security header',
-            cweId: 'CWE-319',
-        });
-        this.findings.push(...findings);
-        return findings;
-    }
-    /**
-     * Generate report
-     */
-    generateReport(format = 'text') {
-        if (format === 'json') {
-            return JSON.stringify({
-                generated: new Date().toISOString(),
-                authorization: this.authorization,
-                findings: this.findings,
-                reconResults: this.reconResults,
-            }, null, 2);
-        }
-        const lines = [
-            '='.repeat(60),
-            'SECURITY RESEARCH REPORT',
-            '='.repeat(60),
-            `Generated: ${new Date().toISOString()}`,
-        ];
-        if (this.authorization) {
-            lines.push(`Target: ${this.authorization.targetDomain}`);
-            lines.push(`Scope: ${this.authorization.scope}`);
-        }
-        if (this.findings.length > 0) {
-            lines.push('', `Findings: ${this.findings.length}`);
-            for (const f of this.findings) {
-                lines.push(`  [${f.severity.toUpperCase()}] ${f.title}`);
-            }
-        }
-        return lines.join('\n');
-    }
-}
-/**
- * Create bug bounty authorization
- */
-export function createBugBountyAuthorization(targetDomain, programName, scopeLimitations = [], outOfScope = []) {
-    return {
-        scope: AuthorizationScope.BUG_BOUNTY,
-        targetDomain,
-        authorizedBy: `Bug Bounty: ${programName}`,
-        authorizationDate: new Date().toISOString(),
-        scopeLimitations,
-        outOfScope,
-        notes: 'Testing authorized under bug bounty program terms',
-    };
-}
-/**
- * Create pentest authorization
- */
-export function createPentestAuthorization(targetDomain, clientName, engagementId, expirationDate) {
-    return {
-        scope: AuthorizationScope.PENTEST_ENGAGEMENT,
-        targetDomain,
-        authorizedBy: `Client: ${clientName} (${engagementId})`,
-        authorizationDate: new Date().toISOString(),
-        expirationDate,
-        scopeLimitations: [],
-        outOfScope: [],
-        notes: 'Testing authorized under penetration testing agreement',
-    };
-}
-/**
- * Create CTF authorization
- */
-export function createCtfAuthorization(targetDomain, ctfName) {
-    return {
-        scope: AuthorizationScope.CTF_COMPETITION,
-        targetDomain,
-        authorizedBy: `CTF: ${ctfName}`,
-        authorizationDate: new Date().toISOString(),
-        scopeLimitations: [],
-        outOfScope: [],
-        notes: 'CTF competition testing',
-    };
-}

package/dist/bin/alpha-zero/security/google.js

@@ -1,308 +0,0 @@
-/**
- * Google Infrastructure Persistence Vector Research
- *
- * OPTIONAL MODULE - Only loaded when Google security research is enabled.
- *
- * Provides research tools for identifying persistence mechanisms
- * in Google Cloud Platform and Google Workspace environments.
- *
- * AUTHORIZATION: Designed for authorized red team engagements and
- * penetration testing of Google infrastructure under contract.
- *
- * Principal Investigator: Bo Shang
- * Framework: erosolar-cli
- */
-import { AuthorizationScope } from './core.js';
-/**
- * Google services for persistence research
- */
-export var GoogleService;
-(function (GoogleService) {
-    // Google Cloud Platform
-    GoogleService["GCP_COMPUTE"] = "gcp_compute_engine";
-    GoogleService["GCP_GKE"] = "gcp_kubernetes_engine";
-    GoogleService["GCP_CLOUD_FUNCTIONS"] = "gcp_cloud_functions";
-    GoogleService["GCP_IAM"] = "gcp_iam";
-    GoogleService["GCP_SERVICE_ACCOUNTS"] = "gcp_service_accounts";
-    GoogleService["GCP_CLOUD_STORAGE"] = "gcp_cloud_storage";
-    GoogleService["GCP_SECRETS_MANAGER"] = "gcp_secrets_manager";
-    // Google Workspace
-    GoogleService["WORKSPACE_GMAIL"] = "workspace_gmail";
-    GoogleService["WORKSPACE_DRIVE"] = "workspace_drive";
-    GoogleService["WORKSPACE_ADMIN"] = "workspace_admin";
-    GoogleService["WORKSPACE_APPS_SCRIPT"] = "workspace_apps_script";
-    // Google Identity
-    GoogleService["GOOGLE_OAUTH"] = "google_oauth";
-})(GoogleService || (GoogleService = {}));
-/**
- * Categories of persistence mechanisms
- */
-export var PersistenceCategory;
-(function (PersistenceCategory) {
-    PersistenceCategory["SERVICE_ACCOUNT_ABUSE"] = "service_account_abuse";
-    PersistenceCategory["IAM_POLICY_MODIFICATION"] = "iam_policy_modification";
-    PersistenceCategory["OAUTH_APP_CONSENT"] = "oauth_app_consent";
-    PersistenceCategory["API_KEYS"] = "api_keys";
-    PersistenceCategory["CLOUD_FUNCTION_TRIGGER"] = "cloud_function_trigger";
-    PersistenceCategory["APPS_SCRIPT_TRIGGER"] = "apps_script_trigger";
-    PersistenceCategory["DELEGATION_ABUSE"] = "delegation_abuse";
-})(PersistenceCategory || (PersistenceCategory = {}));
-/**
- * GCP Persistence Vectors
- */
-export const GCP_PERSISTENCE_VECTORS = {
-    sa_key_creation: {
-        name: 'Service Account Key Creation',
-        service: GoogleService.GCP_SERVICE_ACCOUNTS,
-        category: PersistenceCategory.SERVICE_ACCOUNT_ABUSE,
-        description: 'Create keys for service accounts to maintain API access',
-        techniqueId: 'T1098.001',
-        requiredPermissions: ['iam.serviceAccountKeys.create'],
-        detectionMethods: ['Cloud Audit Logs', 'Security Command Center'],
-        mitigations: ['Use Workload Identity', 'Key rotation policies'],
-        stealthRating: 2,
-    },
-    iam_binding: {
-        name: 'IAM Policy Binding',
-        service: GoogleService.GCP_IAM,
-        category: PersistenceCategory.IAM_POLICY_MODIFICATION,
-        description: 'Add IAM bindings for persistent access',
-        techniqueId: 'T1098.001',
-        requiredPermissions: ['resourcemanager.projects.setIamPolicy'],
-        detectionMethods: ['IAM audit logs', 'Policy monitoring'],
-        mitigations: ['IAM Recommender', 'Least privilege'],
-        stealthRating: 1,
-    },
-    cloud_function_backdoor: {
-        name: 'Cloud Function Backdoor',
-        service: GoogleService.GCP_CLOUD_FUNCTIONS,
-        category: PersistenceCategory.CLOUD_FUNCTION_TRIGGER,
-        description: 'Deploy function as persistent callback',
-        techniqueId: 'T1059',
-        requiredPermissions: ['cloudfunctions.functions.create'],
-        detectionMethods: ['Function deployment logs', 'Network monitoring'],
-        mitigations: ['Function allowlisting', 'Binary authorization'],
-        stealthRating: 3,
-    },
-};
-/**
- * Workspace Persistence Vectors
- */
-export const WORKSPACE_PERSISTENCE_VECTORS = {
-    oauth_consent: {
-        name: 'OAuth App Consent Persistence',
-        service: GoogleService.GOOGLE_OAUTH,
-        category: PersistenceCategory.OAUTH_APP_CONSENT,
-        description: 'Persist via OAuth app with broad scope consent',
-        techniqueId: 'T1550.001',
-        requiredPermissions: ['OAuth consent grant'],
-        detectionMethods: ['OAuth audit logs', 'App access reviews'],
-        mitigations: ['OAuth app restrictions', 'Consent monitoring'],
-        stealthRating: 4,
-    },
-    apps_script_trigger: {
-        name: 'Apps Script Trigger Persistence',
-        service: GoogleService.WORKSPACE_APPS_SCRIPT,
-        category: PersistenceCategory.APPS_SCRIPT_TRIGGER,
-        description: 'Create time/event triggers in Apps Script',
-        techniqueId: 'T1053',
-        requiredPermissions: ['Script Editor access'],
-        detectionMethods: ['Apps Script audit logs', 'Trigger inventory'],
-        mitigations: ['Apps Script restrictions', 'Trigger monitoring'],
-        stealthRating: 4,
-    },
-    drive_sharing: {
-        name: 'Drive Sharing Persistence',
-        service: GoogleService.WORKSPACE_DRIVE,
-        category: PersistenceCategory.DELEGATION_ABUSE,
-        description: 'Maintain access via shared drive permissions',
-        techniqueId: 'T1213',
-        requiredPermissions: ['Drive sharing permissions'],
-        detectionMethods: ['Drive audit logs', 'Sharing reports'],
-        mitigations: ['External sharing restrictions', 'DLP policies'],
-        stealthRating: 3,
-    },
-};
-/**
- * Google Persistence Researcher
- */
-export class GooglePersistenceResearcher {
-    constructor(authorization, verbose = false) {
-        this.testResults = [];
-        this.authorization = authorization;
-        this.verbose = verbose;
-    }
-    /**
-     * Check authorization
-     */
-    checkAuthorization() {
-        if (!this.authorization) {
-            throw new Error('No authorization record.');
-        }
-        const allowed = [
-            AuthorizationScope.OWNED_SYSTEMS,
-            AuthorizationScope.PENTEST_ENGAGEMENT,
-            AuthorizationScope.RED_TEAM,
-            AuthorizationScope.BUG_BOUNTY,
-        ];
-        if (!allowed.includes(this.authorization.scope)) {
-            throw new Error('Google research requires pentest/red team authorization.');
-        }
-    }
-    /**
-     * Get all Google persistence vectors
-     */
-    getAllVectors() {
-        return { ...GCP_PERSISTENCE_VECTORS, ...WORKSPACE_PERSISTENCE_VECTORS };
-    }
-    /**
-     * Get vectors by service
-     */
-    getVectorsByService(service) {
-        const all = this.getAllVectors();
-        return Object.values(all).filter(v => v.service === service);
-    }
-    /**
-     * Get vectors by category
-     */
-    getVectorsByCategory(category) {
-        const all = this.getAllVectors();
-        return Object.values(all).filter(v => v.category === category);
-    }
-    /**
-     * Get stealthy vectors
-     */
-    getStealthyVectors(minRating = 3) {
-        const all = this.getAllVectors();
-        return Object.values(all).filter(v => v.stealthRating >= minRating);
-    }
-    /**
-     * Analyze a persistence vector
-     */
-    analyzeVector(vectorId, targetProject) {
-        this.checkAuthorization();
-        const allVectors = this.getAllVectors();
-        if (!(vectorId in allVectors)) {
-            throw new Error(`Unknown vector: ${vectorId}`);
-        }
-        const vector = allVectors[vectorId];
-        if (!vector) {
-            throw new Error(`Unknown vector ID: ${vectorId}`);
-        }
-        const result = {
-            vector,
-            targetProject,
-            timestamp: Date.now(),
-            testable: true,
-            permissionsVerified: [],
-            missingPermissions: [],
-            detectionRisk: vector.stealthRating < 3 ? 'medium' : 'low',
-            notes: `Analysis for ${vector.name}`,
-        };
-        if (this.verbose) {
-            console.log(`[Google] Analyzing ${vector.name}`);
-            console.log(`  Service: ${vector.service}`);
-            console.log(`  Stealth: ${vector.stealthRating}/5`);
-        }
-        this.testResults.push(result);
-        return result;
-    }
-    /**
-     * Generate attack playbook
-     */
-    generateAttackPlaybook(targetProject, vectors) {
-        this.checkAuthorization();
-        const useVectors = vectors || Object.values(this.getAllVectors());
-        // Sort by stealth rating (stealthiest first)
-        const sorted = [...useVectors].sort((a, b) => b.stealthRating - a.stealthRating);
-        return {
-            target: targetProject,
-            generated: new Date().toISOString(),
-            authorization: {
-                scope: this.authorization.scope,
-                authorizedBy: this.authorization.authorizedBy,
-            },
-            vectors: sorted.map(v => ({
-                name: v.name,
-                service: v.service,
-                category: v.category,
-                stealthRating: v.stealthRating,
-                requiredPermissions: v.requiredPermissions,
-                detectionMethods: v.detectionMethods,
-            })),
-            recommendedOrder: sorted.map(v => v.name),
-            detectionCoverage: Array.from(new Set(sorted.flatMap(v => v.detectionMethods))),
-        };
-    }
-    /**
-     * Generate detection report (blue team)
-     */
-    generateDetectionReport() {
-        this.checkAuthorization();
-        const allVectors = this.getAllVectors();
-        const lines = [
-            '# Google Infrastructure Detection Guide',
-            '',
-            `Generated: ${new Date().toISOString()}`,
-            '',
-            '## Overview',
-            '',
-            `This guide covers ${Object.keys(allVectors).length} persistence vectors.`,
-            '',
-            '## Detection Methods',
-            '',
-        ];
-        // Group by detection method
-        const detectionMap = {};
-        for (const vector of Object.values(allVectors)) {
-            for (const method of vector.detectionMethods) {
-                if (!detectionMap[method]) {
-                    detectionMap[method] = [];
-                }
-                detectionMap[method].push(vector.name);
-            }
-        }
-        for (const [method, vectorNames] of Object.entries(detectionMap).sort()) {
-            lines.push(`### ${method}`);
-            lines.push('');
-            lines.push('Detects:');
-            for (const name of vectorNames) {
-                lines.push(`- ${name}`);
-            }
-            lines.push('');
-        }
-        lines.push('## Vectors by Stealth Rating');
-        lines.push('');
-        for (let rating = 5; rating >= 1; rating--) {
-            const vectorsAtRating = Object.values(allVectors).filter(v => v.stealthRating === rating);
-            if (vectorsAtRating.length > 0) {
-                lines.push(`### Stealth ${rating}/5`);
-                for (const v of vectorsAtRating) {
-                    lines.push(`- ${v.name} (${v.service})`);
-                }
-                lines.push('');
-            }
-        }
-        return lines.join('\n');
-    }
-}
-/**
- * Create Google authorization
- */
-export function createGoogleAuthorization(engagementType, authorizedBy, targetProject = '*', scopeNotes = '') {
-    const scopeMap = {
-        bug_bounty: AuthorizationScope.BUG_BOUNTY,
-        pentest: AuthorizationScope.PENTEST_ENGAGEMENT,
-        red_team: AuthorizationScope.RED_TEAM,
-        owned: AuthorizationScope.OWNED_SYSTEMS,
-    };
-    return {
-        scope: scopeMap[engagementType] || AuthorizationScope.PENTEST_ENGAGEMENT,
-        targetDomain: `*.googleapis.com,${targetProject}.iam.gserviceaccount.com`,
-        authorizedBy,
-        authorizationDate: new Date().toISOString(),
-        scopeLimitations: [],
-        outOfScope: [],
-        notes: scopeNotes || `Google ${engagementType} engagement`,
-    };
-}

package/dist/bin/alpha-zero/security/googleLoader.js

@@ -1,40 +0,0 @@
-/**
- * Google Security Module Loader
- *
- * Provides lazy loading for the optional Google security research module.
- *
- * Principal Investigator: Bo Shang
- * Framework: erosolar-cli
- */
-let googleModule = null;
-/**
- * Check if Google security research module is available
- */
-export function isGoogleEnabled() {
-    if (googleModule !== null) {
-        return true;
-    }
-    try {
-        // Dynamic import check would go here
-        // For now, return true since we're creating the module
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Get the Google security research module (lazy load)
- */
-export async function getGoogleModule() {
-    if (googleModule === null) {
-        try {
-            googleModule = await import('./google.js');
-        }
-        catch (error) {
-            throw new Error('Google security research module not available. ' +
-                'Ensure google.ts is built and available.');
-        }
-    }
-    return googleModule;
-}

package/dist/bin/alpha-zero/security/index.js

@@ -1,31 +0,0 @@
-/**
- * Security Research Module for Alpha Zero 2
- *
- * OPTIONAL MODULE - Only loaded when security research is enabled.
- *
- * A modular security research framework with optional provider-specific extensions.
- * All capabilities require explicit authorization.
- *
- * LEGAL NOTICE:
- * These tools are intended for:
- * - Authorized penetration testing engagements
- * - Bug bounty programs with explicit scope
- * - CTF competitions and security training
- * - Red team exercises with written authorization
- * - Security research on systems you own or have permission to test
- *
- * Structure:
- * - core: Base authorization and reconnaissance (always available)
- * - simulation: Attack simulation framework (always available)
- * - google: Google Cloud/Workspace persistence research (optional)
- *
- * Principal Investigator: Bo Shang
- * Framework: erosolar-cli
- */
-// Re-export core security components
-export { AuthorizationScope, SecurityResearchEngine, createBugBountyAuthorization, createPentestAuthorization, createCtfAuthorization, } from './core.js';
-// Re-export simulation components
-export { AttackCategory, AttackPhase, AttackSimulator, PayloadGenerator, ATTACK_VECTORS, } from './simulation.js';
-// Google module is optional - export checker function
-export { isGoogleEnabled, getGoogleModule } from './googleLoader.js';
-export const SECURITY_VERSION = '1.0.0';