infernoflow 0.32.8 → 0.32.9

package/dist/lib/commands/audit.mjs

@@ -1,204 +1,6 @@
-/**
- * infernoflow audit
- *
- * Classify capabilities by security sensitivity and generate a surface map.
- * Tags each capability with one or more sensitivity labels:
- *   auth      — authentication / authorization / sessions / tokens
- *   payment   — billing, subscriptions, pricing, invoices
- *   pii       — personal data, email, address, phone, GDPR scope
- *   admin     — privileged operations, configuration, user management
- *   public    — read-only, no auth required
- *
- * Stores results in inferno/audit.json (git-trackable).
- *
- * Usage:
- *   infernoflow audit                   Run audit, print summary
- *   infernoflow audit --format json     Machine-readable JSON to stdout
- *   infernoflow audit --format html     Write HTML report
- *   infernoflow audit --out audit.html  Custom output path
- *   infernoflow audit --fail-on high    Exit 1 if any HIGH caps are unreviewed
- *   infernoflow audit --json            Alias for --format json
- */
-
-import * as fs   from "node:fs";
-import * as path from "node:path";
-import { done, warn, info, bold, cyan, gray, green, yellow, red } from "../ui/output.mjs";
-
-const AUDIT_FILE = "audit.json";
-
-// ── Sensitivity keyword maps ──────────────────────────────────────────────────
-
-const SENSITIVITY_RULES = [
-  {
-    tag:      "auth",
-    severity: "high",
-    label:    "Authentication / Authorization",
-    keywords: [
-      "auth", "login", "logout", "signin", "signout", "signup",
-      "password", "credential", "token", "session", "oauth",
-      "jwt", "permission", "role", "access", "privilege", "2fa",
-      "mfa", "sso", "saml", "openid", "verify", "authenticate",
-    ],
-  },
-  {
-    tag:      "payment",
-    severity: "high",
-    label:    "Payment / Billing",
-    keywords: [
-      "payment", "billing", "invoice", "charge", "subscription",
-      "checkout", "stripe", "card", "credit", "debit", "price",
-      "plan", "tier", "coupon", "refund", "transaction", "purchase",
-      "order", "cart", "paypal", "wallet",
-    ],
-  },
-  {
-    tag:      "pii",
-    severity: "high",
-    label:    "Personal / PII Data",
-    keywords: [
-      "pii", "personal", "profile", "email", "phone", "address",
-      "name", "user", "account", "gdpr", "privacy", "data",
-      "export", "download", "delete account", "identity", "dob",
-      "birthday", "ssn", "passport", "tax",
-    ],
-  },
-  {
-    tag:      "admin",
-    severity: "medium",
-    label:    "Admin / Privileged",
-    keywords: [
-      "admin", "manage", "config", "setting", "system", "deploy",
-      "migration", "seed", "reset", "purge", "archive", "batch",
-      "bulk", "impersonate", "override", "feature flag",
-    ],
-  },
-  {
-    tag:      "public",
-    severity: "low",
-    label:    "Public / Read-only",
-    keywords: [
-      "list", "search", "view", "read", "fetch", "get", "show",
-      "display", "browse", "filter", "sort", "paginate",
-    ],
-  },
-];
-
-const SEVERITY_ORDER = { high: 3, medium: 2, low: 1, unknown: 0 };
-
-// ── Classification ────────────────────────────────────────────────────────────
-
-function classifyCapability(cap) {
-  const text = [
-    typeof cap === "string" ? cap : "",
-    cap?.id     || "",
-    cap?.name   || "",
-    cap?.description || "",
-    (cap?.tags  || []).join(" "),
-  ].join(" ").toLowerCase();
-
-  const matched = [];
-  for (const rule of SENSITIVITY_RULES) {
-    if (rule.keywords.some(kw => text.includes(kw))) {
-      matched.push(rule);
-    }
-  }
-
-  // Remove "public" if any higher-severity tag also matched
-  const hasHigher = matched.some(r => r.tag !== "public" && r.severity !== "low");
-  const filtered  = hasHigher ? matched.filter(r => r.tag !== "public") : matched;
-
-  if (!filtered.length) {
-    return { tags: ["unknown"], severity: "unknown", labels: ["Unclassified"] };
-  }
-
-  const severity = filtered.reduce((best, r) => {
-    return SEVERITY_ORDER[r.severity] > SEVERITY_ORDER[best] ? r.severity : best;
-  }, "low");
-
-  return {
-    tags:     filtered.map(r => r.tag),
-    severity,
-    labels:   filtered.map(r => r.label),
-  };
-}
-
-// ── Storage ───────────────────────────────────────────────────────────────────
-
-function readAudit(infernoDir) {
-  const p = path.join(infernoDir, AUDIT_FILE);
-  if (!fs.existsSync(p)) return {};
-  try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return {}; }
-}
-
-function writeAudit(infernoDir, data) {
-  fs.writeFileSync(path.join(infernoDir, AUDIT_FILE), JSON.stringify(data, null, 2) + "\n");
-}
-
-function readContract(infernoDir) {
-  for (const f of ["contract.json", "capabilities.json"]) {
-    const p = path.join(infernoDir, f);
-    if (fs.existsSync(p)) {
-      try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch {}
-    }
-  }
-  return null;
-}
-
-// ── Formatters ────────────────────────────────────────────────────────────────
-
-function severityColor(sev) {
-  if (sev === "high")    return red;
-  if (sev === "medium")  return yellow;
-  if (sev === "low")     return green;
-  return gray;
-}
-
-function severityIcon(sev) {
-  if (sev === "high")   return "🔴";
-  if (sev === "medium") return "🟡";
-  if (sev === "low")    return "🟢";
-  return "⚪";
-}
-
-function printTextReport(results, stats) {
-  const bySeverity = { high: [], medium: [], low: [], unknown: [] };
-  for (const r of results) (bySeverity[r.severity] || bySeverity.unknown).push(r);
-
-  console.log();
-  console.log(`  ${bold("🔥 infernoflow audit — Security Surface Map")}`);
-  console.log();
-  console.log(`  ${bold(String(results.length))} capabilities scanned`);
-  console.log(`  ${red(String(stats.high))} high · ${yellow(String(stats.medium))} medium · ${green(String(stats.low))} low · ${gray(String(stats.unknown))} unclassified`);
-  console.log();
-
-  for (const [sev, items] of Object.entries(bySeverity)) {
-    if (!items.length) continue;
-    const col = severityColor(sev);
-    console.log(`  ${col(bold(`${sev.toUpperCase()} (${items.length})`))}`);
-    for (const item of items) {
-      const tagStr = item.tags.join(", ");
-      console.log(`  ${col("▸")} ${bold(item.id.padEnd(30))} ${gray(tagStr)}`);
-      if (item.description) console.log(`    ${gray(item.description.slice(0, 72))}`);
-    }
-    console.log();
-  }
-
-  if (stats.unknown > 0) {
-    console.log(`  ${gray("Tip: Add descriptions to unclassified capabilities for better detection.")}`);
-    console.log();
-  }
-}
-
-function buildHtmlReport(results, stats, runAt) {
-  const rows = results.map(r => {
-    const sev  = r.severity;
-    const cls  = sev === "high" ? "high" : sev === "medium" ? "med" : sev === "low" ? "low" : "unk";
-    const tags = r.tags.join(", ");
-    const icon = severityIcon(sev);
-    return `<tr class="${cls}"><td>${icon} ${sev}</td><td><strong>${escHtml(r.id)}</strong></td><td>${escHtml(tags)}</td><td>${escHtml(r.description || "")}</td></tr>`;
-  }).join("\n");
-
-  return `<!DOCTYPE html>
+import*as d from"node:fs";import*as u from"node:path";import{done as I,warn as N,bold as g,gray as m,green as T,yellow as C,red as b}from"../ui/output.mjs";const x="audit.json",A=[{tag:"auth",severity:"high",label:"Authentication / Authorization",keywords:["auth","login","logout","signin","signout","signup","password","credential","token","session","oauth","jwt","permission","role","access","privilege","2fa","mfa","sso","saml","openid","verify","authenticate"]},{tag:"payment",severity:"high",label:"Payment / Billing",keywords:["payment","billing","invoice","charge","subscription","checkout","stripe","card","credit","debit","price","plan","tier","coupon","refund","transaction","purchase","order","cart","paypal","wallet"]},{tag:"pii",severity:"high",label:"Personal / PII Data",keywords:["pii","personal","profile","email","phone","address","name","user","account","gdpr","privacy","data","export","download","delete account","identity","dob","birthday","ssn","passport","tax"]},{tag:"admin",severity:"medium",label:"Admin / Privileged",keywords:["admin","manage","config","setting","system","deploy","migration","seed","reset","purge","archive","batch","bulk","impersonate","override","feature flag"]},{tag:"public",severity:"low",label:"Public / Read-only",keywords:["list","search","view","read","fetch","get","show","display","browse","filter","sort","paginate"]}],p={high:3,medium:2,low:1,unknown:0};function R(o){const t=[typeof o=="string"?o:"",o?.id||"",o?.name||"",o?.description||"",(o?.tags||[]).join(" ")].join(" ").toLowerCase(),n=[];for(const e of A)e.keywords.some(l=>t.includes(l))&&n.push(e);const s=n.some(e=>e.tag!=="public"&&e.severity!=="low")?n.filter(e=>e.tag!=="public"):n;if(!s.length)return{tags:["unknown"],severity:"unknown",labels:["Unclassified"]};const r=s.reduce((e,l)=>p[l.severity]>p[e]?l.severity:e,"low");return{tags:s.map(e=>e.tag),severity:r,labels:s.map(e=>e.label)}}function _(o){const t=u.join(o,x);if(!d.existsSync(t))return{};try{return JSON.parse(d.readFileSync(t,"utf8"))}catch{return{}}}function H(o,t){d.writeFileSync(u.join(o,x),JSON.stringify(t,null,2)+`
+`)}function P(o){for(const t of["contract.json","capabilities.json"]){const n=u.join(o,t);if(d.existsSync(n))try{return JSON.parse(d.readFileSync(n,"utf8"))}catch{}}return null}function U(o){return o==="high"?b:o==="medium"?C:o==="low"?T:m}function F(o){return o==="high"?"\u{1F534}":o==="medium"?"\u{1F7E1}":o==="low"?"\u{1F7E2}":"\u26AA"}function J(o,t){const n={high:[],medium:[],low:[],unknown:[]};for(const c of o)(n[c.severity]||n.unknown).push(c);console.log(),console.log(`  ${g("\u{1F525} infernoflow audit \u2014 Security Surface Map")}`),console.log(),console.log(`  ${g(String(o.length))} capabilities scanned`),console.log(`  ${b(String(t.high))} high \xB7 ${C(String(t.medium))} medium \xB7 ${T(String(t.low))} low \xB7 ${m(String(t.unknown))} unclassified`),console.log();for(const[c,s]of Object.entries(n)){if(!s.length)continue;const r=U(c);console.log(`  ${r(g(`${c.toUpperCase()} (${s.length})`))}`);for(const e of s){const l=e.tags.join(", ");console.log(`  ${r("\u25B8")} ${g(e.id.padEnd(30))} ${m(l)}`),e.description&&console.log(`    ${m(e.description.slice(0,72))}`)}console.log()}t.unknown>0&&(console.log(`  ${m("Tip: Add descriptions to unclassified capabilities for better detection.")}`),console.log())}function z(o,t,n){const c=o.map(s=>{const r=s.severity,e=r==="high"?"high":r==="medium"?"med":r==="low"?"low":"unk",l=s.tags.join(", "),y=F(r);return`<tr class="${e}"><td>${y} ${r}</td><td><strong>${k(s.id)}</strong></td><td>${k(l)}</td><td>${k(s.description||"")}</td></tr>`}).join(`
+`);return`<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
@@ -226,110 +28,21 @@ function buildHtmlReport(results, stats, runAt) {
 </style>
 </head>
 <body>
-<h1>🔥 infernoflow audit</h1>
-<p class="meta">Generated ${runAt}</p>
+<h1>\u{1F525} infernoflow audit</h1>
+<p class="meta">Generated ${n}</p>
 <div class="stats">
-  <div class="stat high"><div class="n">${stats.high}</div><div class="l">HIGH</div></div>
-  <div class="stat med"><div class="n">${stats.medium}</div><div class="l">MEDIUM</div></div>
-  <div class="stat low"><div class="n">${stats.low}</div><div class="l">LOW</div></div>
-  <div class="stat unk"><div class="n">${stats.unknown}</div><div class="l">UNKNOWN</div></div>
+  <div class="stat high"><div class="n">${t.high}</div><div class="l">HIGH</div></div>
+  <div class="stat med"><div class="n">${t.medium}</div><div class="l">MEDIUM</div></div>
+  <div class="stat low"><div class="n">${t.low}</div><div class="l">LOW</div></div>
+  <div class="stat unk"><div class="n">${t.unknown}</div><div class="l">UNKNOWN</div></div>
 </div>
 <table>
 <thead><tr><th>Severity</th><th>Capability</th><th>Tags</th><th>Description</th></tr></thead>
 <tbody>
-${rows}
+${c}
 </tbody>
 </table>
 </body>
-</html>`;
-}
-
-function escHtml(str) {
-  return String(str).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-}
-
-// ── Entry ─────────────────────────────────────────────────────────────────────
-
-export async function auditCommand(rawArgs) {
-  const args      = rawArgs.slice(1);
-  const jsonMode  = args.includes("--json") || args.includes("--format") && args[args.indexOf("--format") + 1] === "json";
-  const cwd       = process.cwd();
-  const infernoDir = path.join(cwd, "inferno");
-
-  if (!fs.existsSync(infernoDir)) {
-    const msg = "inferno/ not found. Run: infernoflow init";
-    if (jsonMode) { console.log(JSON.stringify({ ok: false, error: msg })); }
-    else { warn(msg); }
-    process.exit(1);
-  }
-
-  // Parse flags
-  const fmtIdx    = args.indexOf("--format");
-  const format    = fmtIdx !== -1 ? args[fmtIdx + 1] : (jsonMode ? "json" : "text");
-  const outIdx    = args.indexOf("--out");
-  const outPath   = outIdx !== -1 ? args[outIdx + 1] : null;
-  const failOnIdx = args.indexOf("--fail-on");
-  const failOn    = failOnIdx !== -1 ? args[failOnIdx + 1] : null;
-
-  const contract = readContract(infernoDir);
-  if (!contract) {
-    const msg = "No contract.json or capabilities.json found.";
-    if (jsonMode) { console.log(JSON.stringify({ ok: false, error: msg })); }
-    else { warn(msg); }
-    process.exit(1);
-  }
-
-  const rawCaps = contract.capabilities || [];
-  const runAt   = new Date().toISOString();
-
-  // Classify every capability
-  const results = rawCaps.map(cap => {
-    const id          = typeof cap === "string" ? cap : (cap.id || cap.name || "unknown");
-    const description = typeof cap === "string" ? "" : (cap.description || "");
-    const cls         = classifyCapability(cap);
-    return { id, description, ...cls };
-  });
-
-  // Sort by severity descending
-  results.sort((a, b) => (SEVERITY_ORDER[b.severity] || 0) - (SEVERITY_ORDER[a.severity] || 0));
-
-  // Stats
-  const stats = { high: 0, medium: 0, low: 0, unknown: 0 };
-  for (const r of results) {
-    const key = r.severity in stats ? r.severity : "unknown";
-    stats[key]++;
-  }
-
-  // Persist to audit.json
-  const auditData = {
-    runAt,
-    stats,
-    capabilities: results,
-  };
-  writeAudit(infernoDir, auditData);
-
-  // Output
-  if (format === "json" || jsonMode) {
-    console.log(JSON.stringify({ ok: true, ...auditData }));
-  } else if (format === "html") {
-    const html = buildHtmlReport(results, stats, runAt);
-    const dest = outPath || path.join(infernoDir, "audit.html");
-    fs.writeFileSync(dest, html);
-    if (!jsonMode) done(`HTML audit report written to ${bold(dest)}`);
-  } else {
-    printTextReport(results, stats);
-    if (!jsonMode) done(`Saved to ${bold(path.join(infernoDir, AUDIT_FILE))}`);
-  }
-
-  // Exit code enforcement
-  if (failOn) {
-    const threshold = SEVERITY_ORDER[failOn] || 0;
-    const violations = results.filter(r => (SEVERITY_ORDER[r.severity] || 0) >= threshold);
-    if (violations.length > 0) {
-      if (!jsonMode) {
-        console.error(red(`\n  ✗  ${violations.length} capability/capabilities at or above "${failOn}" severity — review required.\n`));
-      }
-      process.exit(1);
-    }
-  }
-}
+</html>`}function k(o){return String(o).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;")}async function G(o){const t=o.slice(1),n=t.includes("--json")||t.includes("--format")&&t[t.indexOf("--format")+1]==="json",c=process.cwd(),s=u.join(c,"inferno");if(!d.existsSync(s)){const i="inferno/ not found. Run: infernoflow init";n?console.log(JSON.stringify({ok:!1,error:i})):N(i),process.exit(1)}const r=t.indexOf("--format"),e=r!==-1?t[r+1]:n?"json":"text",l=t.indexOf("--out"),y=l!==-1?t[l+1]:null,S=t.indexOf("--fail-on"),v=S!==-1?t[S+1]:null,$=P(s);if(!$){const i="No contract.json or capabilities.json found.";n?console.log(JSON.stringify({ok:!1,error:i})):N(i),process.exit(1)}const D=$.capabilities||[],j=new Date().toISOString(),f=D.map(i=>{const a=typeof i=="string"?i:i.id||i.name||"unknown",w=typeof i=="string"?"":i.description||"",E=R(i);return{id:a,description:w,...E}});f.sort((i,a)=>(p[a.severity]||0)-(p[i.severity]||0));const h={high:0,medium:0,low:0,unknown:0};for(const i of f){const a=i.severity in h?i.severity:"unknown";h[a]++}const O={runAt:j,stats:h,capabilities:f};if(H(s,O),e==="json"||n)console.log(JSON.stringify({ok:!0,...O}));else if(e==="html"){const i=z(f,h,j),a=y||u.join(s,"audit.html");d.writeFileSync(a,i),n||I(`HTML audit report written to ${g(a)}`)}else J(f,h),n||I(`Saved to ${g(u.join(s,x))}`);if(v){const i=p[v]||0,a=f.filter(w=>(p[w.severity]||0)>=i);a.length>0&&(n||console.error(b(`
+  \u2717  ${a.length} capability/capabilities at or above "${v}" severity \u2014 review required.
+`)),process.exit(1))}}export{G as auditCommand};