npm - forgeos - Versions diffs - 0.1.0-alpha.2 → 0.1.0-alpha.4 - Mend

forgeos 0.1.0-alpha.2 → 0.1.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (180) hide show

package/AGENTS.md +38 -3
package/CHANGELOG.md +29 -0
package/README.md +25 -10
package/package.json +8 -5
package/src/forge/_generated/actionSubscriptions.json +2 -2
package/src/forge/_generated/actionSubscriptions.ts +3 -3
package/src/forge/_generated/agentAdapterManifest.json +2 -2
package/src/forge/_generated/agentAdapterManifest.ts +3 -3
package/src/forge/_generated/agentContract.json +2 -2
package/src/forge/_generated/agentContract.ts +183 -50
package/src/forge/_generated/agentQuickstart.md +3 -1
package/src/forge/_generated/agentTools.json +2 -0
package/src/forge/_generated/agentTools.md +16 -0
package/src/forge/_generated/agentTools.ts +12 -0
package/src/forge/_generated/aiContext.ts +67 -1
package/src/forge/_generated/aiModels.json +2 -2
package/src/forge/_generated/aiModels.ts +17 -1
package/src/forge/_generated/aiProviders.json +1 -1
package/src/forge/_generated/aiProviders.ts +1 -1
package/src/forge/_generated/aiRegistry.json +2 -2
package/src/forge/_generated/aiRegistry.ts +7 -5
package/src/forge/_generated/api.json +2 -2
package/src/forge/_generated/api.ts +1 -1
package/src/forge/_generated/appGraph.json +2 -2
package/src/forge/_generated/appGraph.ts +512 -260
package/src/forge/_generated/appMap.md +21 -1
package/src/forge/_generated/artifactManifest.json +2 -2
package/src/forge/_generated/artifactManifest.ts +2 -2
package/src/forge/_generated/authClaims.json +1 -1
package/src/forge/_generated/authClaims.ts +1 -1
package/src/forge/_generated/authConfig.json +1 -1
package/src/forge/_generated/authConfig.ts +1 -1
package/src/forge/_generated/authContext.ts +1 -1
package/src/forge/_generated/authRegistry.json +1 -1
package/src/forge/_generated/authRegistry.ts +1 -1
package/src/forge/_generated/buildInfo.json +2 -2
package/src/forge/_generated/buildInfo.ts +4 -4
package/src/forge/_generated/capabilityMap.json +2 -2
package/src/forge/_generated/capabilityMap.md +1 -1
package/src/forge/_generated/capabilityMap.ts +2 -2
package/src/forge/_generated/client.ts +1 -1
package/src/forge/_generated/clientApi.ts +1 -1
package/src/forge/_generated/clientManifest.json +2 -2
package/src/forge/_generated/clientManifest.ts +3 -3
package/src/forge/_generated/clientTypes.ts +1 -1
package/src/forge/_generated/configRegistry.json +1 -1
package/src/forge/_generated/configRegistry.ts +1 -1
package/src/forge/_generated/dataGraph.json +2 -2
package/src/forge/_generated/dataGraph.ts +3 -3
package/src/forge/_generated/db.json +1 -1
package/src/forge/_generated/db.ts +1 -1
package/src/forge/_generated/dbSecurityManifest.json +1 -1
package/src/forge/_generated/dbSecurityManifest.ts +1 -1
package/src/forge/_generated/dbSessionContext.json +1 -1
package/src/forge/_generated/dbSessionContext.ts +1 -1
package/src/forge/_generated/deployManifest.json +2 -2
package/src/forge/_generated/deployManifest.ts +7 -7
package/src/forge/_generated/devManifest.json +2 -2
package/src/forge/_generated/devManifest.ts +18 -3
package/src/forge/_generated/envSchema.json +1 -1
package/src/forge/_generated/envSchema.ts +1 -1
package/src/forge/_generated/frontendGraph.json +1 -1
package/src/forge/_generated/frontendGraph.ts +1 -1
package/src/forge/_generated/importGuards.json +1 -1
package/src/forge/_generated/importGuards.ts +1 -1
package/src/forge/_generated/index.ts +2 -1
package/src/forge/_generated/liveProductionManifest.json +1 -1
package/src/forge/_generated/liveProductionManifest.ts +1 -1
package/src/forge/_generated/liveProtocol.json +1 -1
package/src/forge/_generated/liveProtocol.ts +1 -1
package/src/forge/_generated/liveQueryRegistry.json +2 -2
package/src/forge/_generated/liveQueryRegistry.ts +3 -3
package/src/forge/_generated/liveTransportConfig.json +1 -1
package/src/forge/_generated/liveTransportConfig.ts +1 -1
package/src/forge/_generated/makeRegistry.json +2 -2
package/src/forge/_generated/makeRegistry.ts +16 -2
package/src/forge/_generated/makeTemplates.json +2 -2
package/src/forge/_generated/makeTemplates.ts +6 -1
package/src/forge/_generated/mockMap.json +1 -1
package/src/forge/_generated/mockMap.ts +1 -1
package/src/forge/_generated/operationPlaybooks.md +34 -14
package/src/forge/_generated/packageGraph.json +2 -2
package/src/forge/_generated/packageGraph.ts +8808 -4723
package/src/forge/_generated/packageUpgradeRegistry.json +2 -2
package/src/forge/_generated/packageUpgradeRegistry.ts +2 -2
package/src/forge/_generated/permissionMatrix.json +2 -2
package/src/forge/_generated/permissionMatrix.ts +3 -3
package/src/forge/_generated/policyRegistry.json +2 -2
package/src/forge/_generated/policyRegistry.ts +3 -3
package/src/forge/_generated/queryRegistry.json +2 -2
package/src/forge/_generated/queryRegistry.ts +3 -3
package/src/forge/_generated/react.d.ts +1 -1
package/src/forge/_generated/react.ts +1 -1
package/src/forge/_generated/reactManifest.json +2 -2
package/src/forge/_generated/reactManifest.ts +3 -3
package/src/forge/_generated/releaseManifest.json +2 -2
package/src/forge/_generated/releaseManifest.ts +3 -3
package/src/forge/_generated/rlsPolicies.json +1 -1
package/src/forge/_generated/rlsPolicies.sql +1 -1
package/src/forge/_generated/rlsPolicies.ts +1 -1
package/src/forge/_generated/runtimeGraph.json +2 -2
package/src/forge/_generated/runtimeGraph.ts +3 -3
package/src/forge/_generated/runtimeMatrix.json +2 -2
package/src/forge/_generated/runtimeMatrix.ts +8684 -1939
package/src/forge/_generated/runtimeRegistry.ts +1 -1
package/src/forge/_generated/runtimeRules.md +13 -1
package/src/forge/_generated/secretRegistry.json +1 -1
package/src/forge/_generated/secretRegistry.ts +1 -1
package/src/forge/_generated/secretsContext.ts +1 -1
package/src/forge/_generated/serverApi.ts +1 -1
package/src/forge/_generated/sourceMapManifest.json +2 -2
package/src/forge/_generated/sourceMapManifest.ts +2 -2
package/src/forge/_generated/sqlPlan.json +1 -1
package/src/forge/_generated/sqlPlan.ts +1 -1
package/src/forge/_generated/subscriptionManifest.json +2 -2
package/src/forge/_generated/subscriptionManifest.ts +3 -3
package/src/forge/_generated/symbolicationManifest.json +2 -2
package/src/forge/_generated/symbolicationManifest.ts +2 -2
package/src/forge/_generated/telemetryRegistry.json +2 -2
package/src/forge/_generated/telemetryRegistry.ts +3 -3
package/src/forge/_generated/telemetrySinks.json +2 -2
package/src/forge/_generated/telemetrySinks.ts +2 -2
package/src/forge/_generated/tenantScope.json +2 -2
package/src/forge/_generated/tenantScope.ts +3 -3
package/src/forge/_generated/testGraph.json +2 -2
package/src/forge/_generated/testGraph.ts +339 -17
package/src/forge/_generated/testPlanRegistry.json +2 -2
package/src/forge/_generated/testPlanRegistry.ts +2 -2
package/src/forge/_generated/uiRoutes.json +1 -1
package/src/forge/_generated/uiRoutes.ts +1 -1
package/src/forge/_generated/uiScenarios.json +1 -1
package/src/forge/_generated/uiScenarios.ts +1 -1
package/src/forge/_generated/uiTestManifest.json +2 -2
package/src/forge/_generated/uiTestManifest.ts +2 -2
package/src/forge/_generated/workflowRegistry.json +2 -2
package/src/forge/_generated/workflowRegistry.ts +3 -3
package/src/forge/_generated/workflowSubscriptions.json +2 -2
package/src/forge/_generated/workflowSubscriptions.ts +3 -3
package/src/forge/cli/ai.ts +351 -1
package/src/forge/cli/auth.ts +36 -1
package/src/forge/cli/commands.ts +19 -0
package/src/forge/cli/parse.ts +67 -8
package/src/forge/cli/rls.ts +529 -17
package/src/forge/cli/secrets.ts +46 -1
package/src/forge/cli/security.ts +269 -0
package/src/forge/compiler/agent-contract/build.ts +289 -8
package/src/forge/compiler/agent-contract/types.ts +43 -0
package/src/forge/compiler/ai-registry/build.ts +62 -1
package/src/forge/compiler/ai-registry/constants.ts +1 -1
package/src/forge/compiler/ai-registry/parse.ts +98 -4
package/src/forge/compiler/app-graph/forge-apis.ts +1 -0
package/src/forge/compiler/dev-manifest/build.ts +3 -0
package/src/forge/compiler/diagnostics/codes.ts +15 -0
package/src/forge/compiler/diagnostics/create.ts +1 -1
package/src/forge/compiler/make-registry/build.ts +13 -0
package/src/forge/compiler/orchestrator/plan.ts +11 -0
package/src/forge/compiler/orchestrator/serialize.ts +68 -0
package/src/forge/compiler/package-graph/compiler.ts +13 -3
package/src/forge/compiler/types/ai-registry.ts +25 -1
package/src/forge/compiler/types/app-graph.ts +1 -0
package/src/forge/compiler/types/cli.ts +1 -0
package/src/forge/compiler/types/dev-manifest.ts +3 -0
package/src/forge/dev/server.ts +508 -1
package/src/forge/make/index.ts +126 -3
package/src/forge/make/templates.ts +188 -0
package/src/forge/make/types.ts +1 -0
package/src/forge/runtime/ai/context.ts +210 -5
package/src/forge/runtime/ai/types.ts +70 -0
package/src/forge/runtime/auth/claims.ts +32 -0
package/src/forge/runtime/auth/errors.ts +2 -0
package/src/forge/runtime/context/create-context.ts +30 -6
package/src/forge/runtime/db/memory-adapter.ts +2 -2
package/src/forge/runtime/telemetry/scrubber.ts +56 -5
package/src/forge/runtime/webhooks/security.ts +184 -0
package/src/forge/server.ts +93 -0
package/src/forge/version.ts +1 -1
package/templates/b2b-support-web/package.json +1 -0
package/templates/b2b-support-web/tsconfig.json +4 -1
package/templates/minimal-web/package.json +1 -0
package/templates/minimal-web/tsconfig.json +3 -1

package/src/forge/cli/security.ts ADDED Viewed

@@ -0,0 +1,269 @@
+import type { DbAdapterKind } from "../runtime/db/adapter.ts";
+import type { AuthCommandResult } from "./auth.ts";
+import { runAuthCommand } from "./auth.ts";
+import type { RlsCommandResult } from "./rls.ts";
+import { runRlsCommand } from "./rls.ts";
+import type { SecretsCommandResult } from "./secrets.ts";
+import { runSecretsCommand } from "./secrets.ts";
+import type { AiCommandResult } from "./ai.ts";
+import { runAiCommand } from "./ai.ts";
+import { runCheckCommand } from "./commands.ts";
+import type { GenerateResult } from "../compiler/types/cli.ts";
+export type SecuritySubcommand = "prove";
+export interface SecurityInvariantEvidence {
+  id: string;
+  artifact: string;
+  level: "checked" | "tested" | "proved";
+  summary: string;
+  tests: string[];
+  commands: string[];
+}
+export interface SecurityCommandOptions {
+  subcommand: SecuritySubcommand;
+  workspaceRoot: string;
+  json: boolean;
+  db: DbAdapterKind;
+  databaseUrl?: string;
+}
+export interface SecurityProofResult {
+  ok: boolean;
+  schemaVersion: "0.1.0";
+  kind: "security-proof";
+  assurance: "structural-only" | "postgres-proved";
+  proofs: {
+    forgeCheck: GenerateResult;
+    auth: AuthCommandResult;
+    secrets: SecretsCommandResult;
+    rls: RlsCommandResult;
+    rlsMutation: RlsCommandResult;
+    agentRedteam: AiCommandResult;
+  };
+  evidence: {
+    invariants: SecurityInvariantEvidence[];
+  };
+  summary: {
+    passed: string[];
+    failed: string[];
+    warnings: string[];
+  };
+  exitCode: 0 | 1;
+}
+function invariantEvidence(): SecurityInvariantEvidence[] {
+  return [
+    {
+      id: "INV-001",
+      artifact: "auth-negative",
+      level: "tested",
+      summary: "Production auth rejects invalid JWT/OIDC tokens and ignores dev headers in jwt mode.",
+      tests: ["tests/security/auth-negative.test.ts"],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/auth-negative.test.ts --timeout 120000"],
+    },
+    {
+      id: "INV-002",
+      artifact: "tenant-isolation",
+      level: "tested",
+      summary: "Runtime and HTTP APIs block cross-tenant reads, writes, tenant spoofing, and unsafe tenant filters.",
+      tests: [
+        "tests/security/tenant-isolation/runtime-api.test.ts",
+        "tests/security/tenant-isolation/http-runtime.test.ts",
+      ],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/tenant-isolation --timeout 120000"],
+    },
+    {
+      id: "INV-003",
+      artifact: "rls-test",
+      level: "proved",
+      summary: "Postgres RLS probes and structural mutation checks protect tenant-scoped tables.",
+      tests: [
+        "tests/security/rls-postgres-adversarial.test.ts",
+        "tests/security/rls-mutation.test.ts",
+      ],
+      commands: [
+        "node ./bin/forge.mjs rls test --db postgres --json",
+        "node ./bin/forge.mjs rls mutate-test --json",
+      ],
+    },
+    {
+      id: "INV-004",
+      artifact: "runtime-boundaries",
+      level: "tested",
+      summary: "Commands reject forbidden AI, agent, network, secret, filesystem, and process.env usage.",
+      tests: ["tests/security/runtime-boundaries.test.ts"],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/runtime-boundaries.test.ts --timeout 120000"],
+    },
+    {
+      id: "INV-005",
+      artifact: "runtime-boundaries",
+      level: "tested",
+      summary: "Queries and liveQueries remain read-only and side-effect free.",
+      tests: ["tests/security/runtime-boundaries.test.ts"],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/runtime-boundaries.test.ts --timeout 120000"],
+    },
+    {
+      id: "INV-006",
+      artifact: "agent-tools",
+      level: "tested",
+      summary: "Generated agent tools carry Forge auth, tenant, policy, runtime, and risk metadata.",
+      tests: ["tests/security/agent-tools.test.ts"],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/agent-tools.test.ts --timeout 120000"],
+    },
+    {
+      id: "INV-007",
+      artifact: "agent-tools",
+      level: "tested",
+      summary: "Write, destructive, and external agent tools require approval metadata.",
+      tests: ["tests/security/agent-tools.test.ts"],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/agent-tools.test.ts --timeout 120000"],
+    },
+    {
+      id: "INV-008",
+      artifact: "secret-redaction",
+      level: "tested",
+      summary: "Generated artifacts and telemetry scrub secret names and known secret values.",
+      tests: ["tests/security/secret-redaction.test.ts"],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/secret-redaction.test.ts --timeout 120000"],
+    },
+    {
+      id: "INV-009",
+      artifact: "webhooks",
+      level: "tested",
+      summary: "Webhook helpers reject invalid signatures, stale timestamps, tampered payloads, and replayed event IDs.",
+      tests: ["tests/security/webhooks/webhook-security.test.ts"],
+      commands: ["node ./bin/forge-bun.mjs test tests/security/webhooks --timeout 120000"],
+    },
+    {
+      id: "INV-010",
+      artifact: "release-supply-chain",
+      level: "checked",
+      summary: "Release workflow uses Trusted Publishing, provenance, smoke tests, security proof, and generated release evidence.",
+      tests: ["tests/ci/publish-workflow.test.ts"],
+      commands: ["npm run release:smoke", "npm run release:evidence"],
+    },
+  ];
+}
+function passed(name: string, ok: boolean, summary: SecurityProofResult["summary"]): void {
+  if (ok) {
+    summary.passed.push(name);
+  } else {
+    summary.failed.push(name);
+  }
+}
+export async function runSecurityCommand(
+  options: SecurityCommandOptions,
+): Promise<SecurityProofResult> {
+  const forgeCheck = await runCheckCommand(options.workspaceRoot, { strictSecrets: true });
+  const auth = await runAuthCommand({
+    subcommand: "prove",
+    workspaceRoot: options.workspaceRoot,
+    json: true,
+  });
+  const secrets = await runSecretsCommand({
+    subcommand: "prove",
+    workspaceRoot: options.workspaceRoot,
+    json: true,
+    redacted: true,
+  });
+  const rls = await runRlsCommand({
+    subcommand: "test",
+    workspaceRoot: options.workspaceRoot,
+    db: options.db,
+    databaseUrl: options.databaseUrl,
+    json: true,
+  });
+  const rlsMutation = await runRlsCommand({
+    subcommand: "mutate-test",
+    workspaceRoot: options.workspaceRoot,
+    db: options.db,
+    databaseUrl: options.databaseUrl,
+    json: true,
+  });
+  const agentRedteam = await runAiCommand({
+    subcommand: "redteam",
+    workspaceRoot: options.workspaceRoot,
+    json: true,
+  });
+  const summary: SecurityProofResult["summary"] = {
+    passed: [],
+    failed: [],
+    warnings: [],
+  };
+  passed("forge-check", forgeCheck.exitCode === 0, summary);
+  passed("auth-proof", auth.exitCode === 0, summary);
+  passed("secrets-proof", secrets.exitCode === 0, summary);
+  passed("rls-proof", rls.exitCode === 0, summary);
+  passed("rls-mutation-proof", rlsMutation.exitCode === 0, summary);
+  passed("agent-redteam", agentRedteam.exitCode === 0, summary);
+  if (auth.mode === "dev-headers") {
+    summary.warnings.push("auth-proof uses local-only dev-headers mode");
+  }
+  for (const diagnostic of rls.diagnostics) {
+    if (diagnostic.severity === "warning") {
+      summary.warnings.push(`${diagnostic.code}: ${diagnostic.message}`);
+    }
+  }
+  for (const diagnostic of rlsMutation.diagnostics) {
+    if (diagnostic.severity === "warning") {
+      summary.warnings.push(`${diagnostic.code}: ${diagnostic.message}`);
+    }
+  }
+  for (const diagnostic of agentRedteam.diagnostics ?? []) {
+    if (diagnostic.severity === "warning") {
+      summary.warnings.push(`${diagnostic.code}: ${diagnostic.message}`);
+    }
+  }
+  const ok = summary.failed.length === 0;
+  const assurance =
+    options.db === "postgres" &&
+    rls.exitCode === 0 &&
+    Boolean((rls.data as { skipped?: boolean } | undefined)?.skipped) === false
+      ? "postgres-proved"
+      : "structural-only";
+  return {
+    ok,
+    schemaVersion: "0.1.0",
+    kind: "security-proof",
+    assurance,
+    proofs: {
+      forgeCheck,
+      auth,
+      secrets,
+      rls,
+      rlsMutation,
+      agentRedteam,
+    },
+    evidence: {
+      invariants: invariantEvidence(),
+    },
+    summary,
+    exitCode: ok ? 0 : 1,
+  };
+}
+export function formatSecurityJson(result: SecurityProofResult): string {
+  return `${JSON.stringify(result, null, 2)}\n`;
+}
+export function formatSecurityHuman(result: SecurityProofResult): string {
+  const lines = [
+    "Forge Security Proof",
+    "",
+    `Status: ${result.ok ? "ok" : "failed"}`,
+    `Assurance: ${result.assurance}`,
+    `Passed: ${result.summary.passed.join(", ") || "none"}`,
+    `Failed: ${result.summary.failed.join(", ") || "none"}`,
+  ];
+  if (result.summary.warnings.length > 0) {
+    lines.push("", "Warnings:", ...result.summary.warnings.map((warning) => `- ${warning}`));
+  }
+  return `${lines.join("\n")}\n`;
+}