kratos-mcp 1.1.0

package/dist/security/encryption.js

@@ -0,0 +1,131 @@
+import crypto from 'crypto';
+import fs from 'fs-extra';
+import path from 'path';
+import { MCPLogger as Logger } from '../utils/mcp-logger.js';
+const logger = new Logger('Encryption');
+/**
+ * At-rest encryption using AES-256-GCM
+ * Per-project keys stored securely
+ */
+export class EncryptionManager {
+    projectId;
+    key;
+    keyPath;
+    algorithm = 'aes-256-gcm';
+    constructor(projectRoot, projectId) {
+        this.projectId = projectId;
+        this.keyPath = path.join(projectRoot, '.kratos', '.keys', `${projectId}.key`);
+        this.key = this.loadOrCreateKey();
+    }
+    /**
+     * Load existing key or create new one
+     */
+    loadOrCreateKey() {
+        try {
+            if (fs.existsSync(this.keyPath)) {
+                const keyData = fs.readFileSync(this.keyPath);
+                logger.info(`Loaded encryption key for project ${this.projectId}`);
+                return keyData;
+            }
+        }
+        catch (error) {
+            logger.warn('Failed to load key, creating new one:', error);
+        }
+        // Generate new key
+        const key = crypto.randomBytes(32); // 256 bits
+        this.saveKey(key);
+        logger.info(`Generated new encryption key for project ${this.projectId}`);
+        return key;
+    }
+    /**
+     * Save key securely (restricted permissions)
+     */
+    saveKey(key) {
+        fs.ensureDirSync(path.dirname(this.keyPath));
+        fs.writeFileSync(this.keyPath, key);
+        // Set restrictive permissions (owner read/write only)
+        try {
+            fs.chmodSync(this.keyPath, 0o600);
+        }
+        catch (error) {
+            logger.warn('Could not set key file permissions:', error);
+        }
+    }
+    /**
+     * Encrypt data
+     */
+    encrypt(text) {
+        const iv = crypto.randomBytes(16);
+        const cipher = crypto.createCipheriv(this.algorithm, this.key, iv);
+        let encrypted = cipher.update(text, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        const tag = cipher.getAuthTag();
+        return {
+            encrypted,
+            iv: iv.toString('hex'),
+            tag: tag.toString('hex')
+        };
+    }
+    /**
+     * Decrypt data
+     */
+    decrypt(encrypted, iv, tag) {
+        const decipher = crypto.createDecipheriv(this.algorithm, this.key, Buffer.from(iv, 'hex'));
+        decipher.setAuthTag(Buffer.from(tag, 'hex'));
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    /**
+     * Encrypt JSON object
+     */
+    encryptJSON(obj) {
+        const json = JSON.stringify(obj);
+        const { encrypted, iv, tag } = this.encrypt(json);
+        // Combine into single string
+        return `${iv}:${tag}:${encrypted}`;
+    }
+    /**
+     * Decrypt JSON object
+     */
+    decryptJSON(encryptedData) {
+        const [iv, tag, encrypted] = encryptedData.split(':');
+        const json = this.decrypt(encrypted, iv, tag);
+        return JSON.parse(json);
+    }
+    /**
+     * Rotate encryption key
+     */
+    async rotateKey(reencryptCallback) {
+        const oldKey = this.key;
+        const oldDecrypt = (data) => {
+            const [iv, tag, encrypted] = data.split(':');
+            const decipher = crypto.createDecipheriv(this.algorithm, oldKey, Buffer.from(iv, 'hex'));
+            decipher.setAuthTag(Buffer.from(tag, 'hex'));
+            let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+            decrypted += decipher.final('utf8');
+            return JSON.parse(decrypted);
+        };
+        // Generate new key
+        this.key = crypto.randomBytes(32);
+        this.saveKey(this.key);
+        // Re-encrypt all data
+        await reencryptCallback(oldDecrypt, (data) => this.encryptJSON(data));
+        logger.info('Key rotation completed');
+    }
+    /**
+     * Destroy key (for secure deletion)
+     */
+    destroyKey() {
+        // Overwrite key in memory
+        this.key.fill(0);
+        // Overwrite key file
+        if (fs.existsSync(this.keyPath)) {
+            const randomData = crypto.randomBytes(32);
+            fs.writeFileSync(this.keyPath, randomData);
+            fs.unlinkSync(this.keyPath);
+        }
+        logger.info('Encryption key destroyed');
+    }
+}
+//# sourceMappingURL=encryption.js.map

package/dist/security/encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/security/encryption.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,MAAM,UAAU,CAAC;AAC1B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,SAAS,IAAI,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAE7D,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC;AAExC;;;GAGG;AACH,MAAM,OAAO,iBAAiB;IACpB,SAAS,CAAS;IAClB,GAAG,CAAS;IACZ,OAAO,CAAS;IAChB,SAAS,GAAG,aAAa,CAAC;IAElC,YAAY,WAAmB,EAAE,SAAiB;QAChD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,SAAS,MAAM,CAAC,CAAC;QAC9E,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;IACpC,CAAC;IAED;;OAEG;IACK,eAAe;QACrB,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC9C,MAAM,CAAC,IAAI,CAAC,qCAAqC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBACnE,OAAO,OAAO,CAAC;YACjB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,uCAAuC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;QAED,mBAAmB;QACnB,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW;QAC/C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,4CAA4C,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QAC1E,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,GAAW;QACzB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAEpC,sDAAsD;QACtD,IAAI,CAAC;YACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,IAAY;QAClB,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAqB,CAAC;QAEvF,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QACnD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEjC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEhC,OAAO;YACL,SAAS;YACT,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;YACtB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;SACzB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,SAAiB,EAAE,EAAU,EAAE,GAAW;QAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,IAAI,CAAC,SAAS,EACd,IAAI,CAAC,GAAG,EACR,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CACD,CAAC;QAExB,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;QAE7C,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,GAAQ;QAClB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAElD,6BAA6B;QAC7B,OAAO,GAAG,EAAE,IAAI,GAAG,IAAI,SAAS,EAAE,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,aAAqB;QAC/B,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACtD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,iBAA0G;QACxH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC;QACxB,MAAM,UAAU,GAAG,CAAC,IAAY,EAAE,EAAE;YAClC,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAAuB,CAAC;YAC/G,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;YAC7C,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YAC1D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACpC,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/B,CAAC,CAAC;QAEF,mBAAmB;QACnB,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEvB,sBAAsB;QACtB,MAAM,iBAAiB,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;QAEtE,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,0BAA0B;QAC1B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEjB,qBAAqB;QACrB,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAC1C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YAC3C,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9B,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC1C,CAAC;CACF"}

package/dist/security/pii-detector.d.ts

@@ -0,0 +1,61 @@
+export interface DetectionResult {
+    hasPII: boolean;
+    hasSecrets: boolean;
+    redactedText: string;
+    findings: Finding[];
+}
+export interface Finding {
+    type: 'pii' | 'secret' | 'high-entropy';
+    pattern: string;
+    confidence: number;
+    redacted: string;
+}
+/**
+ * PII and Secret Detection with entropy analysis
+ */
+export declare class PIIDetector {
+    private piiPatterns;
+    private secretPatterns;
+    private allowlist;
+    constructor(allowlist?: string[]);
+    /**
+     * Detect PII and secrets in text
+     */
+    detect(text: string): DetectionResult;
+    /**
+     * Calculate Shannon entropy
+     */
+    private calculateEntropy;
+    /**
+     * Check if string has high entropy (likely random/secret)
+     */
+    private hasHighEntropy;
+    /**
+     * Find high entropy strings in text
+     */
+    private findHighEntropyStrings;
+    /**
+     * Redact sensitive information
+     */
+    private redact;
+    /**
+     * Add items to allowlist
+     */
+    addToAllowlist(items: string[]): void;
+    /**
+     * Remove items from allowlist
+     */
+    removeFromAllowlist(items: string[]): void;
+    /**
+     * Get current allowlist
+     */
+    getAllowlist(): string[];
+    /**
+     * Scan and report (without redaction)
+     */
+    scan(text: string): {
+        findings: Finding[];
+        riskScore: number;
+    };
+}
+//# sourceMappingURL=pii-detector.d.ts.map

package/dist/security/pii-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detector.d.ts","sourceRoot":"","sources":["../../src/security/pii-detector.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,cAAc,CAAC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,WAAW;IAEtB,OAAO,CAAC,WAAW,CAajB;IAGF,OAAO,CAAC,cAAc,CAqBpB;IAEF,OAAO,CAAC,SAAS,CAA0B;gBAE/B,SAAS,CAAC,EAAE,MAAM,EAAE;IAMhC;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe;IA2ErC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAkBxB;;OAEG;IACH,OAAO,CAAC,cAAc;IAKtB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAe9B;;OAEG;IACH,OAAO,CAAC,MAAM;IAkBd;;OAEG;IACH,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI;IAOrC;;OAEG;IACH,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI;IAO1C;;OAEG;IACH,YAAY,IAAI,MAAM,EAAE;IAIxB;;OAEG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE;CAkB/D"}

package/dist/security/pii-detector.js

@@ -0,0 +1,220 @@
+import { MCPLogger as Logger } from '../utils/mcp-logger.js';
+const logger = new Logger('PIIDetector');
+/**
+ * PII and Secret Detection with entropy analysis
+ */
+export class PIIDetector {
+    // PII Patterns
+    piiPatterns = [
+        // SSN
+        { name: 'SSN', regex: /\b\d{3}-\d{2}-\d{4}\b/g, type: 'pii' },
+        // Credit Card
+        { name: 'Credit Card', regex: /\b(?:\d[ -]*?){13,16}\b/g, type: 'pii' },
+        // Email
+        { name: 'Email', regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, type: 'pii' },
+        // Phone
+        { name: 'Phone', regex: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, type: 'pii' },
+        // IP Address
+        { name: 'IP Address', regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, type: 'pii' },
+        // Date of Birth (various formats)
+        { name: 'DOB', regex: /\b(?:\d{1,2}[-/]\d{1,2}[-/]\d{2,4}|\d{4}[-/]\d{1,2}[-/]\d{1,2})\b/g, type: 'pii' },
+    ];
+    // Secret Patterns
+    secretPatterns = [
+        // API Keys (generic)
+        { name: 'API Key', regex: /\b[A-Za-z0-9]{32,}\b/g, type: 'secret' },
+        // AWS Keys
+        { name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/g, type: 'secret' },
+        { name: 'AWS Secret Key', regex: /[0-9a-zA-Z/+=]{40}/g, type: 'secret', entropyCheck: true },
+        // GitHub Token
+        { name: 'GitHub Token', regex: /ghp_[0-9a-zA-Z]{36}/g, type: 'secret' },
+        { name: 'GitHub Token', regex: /gho_[0-9a-zA-Z]{36}/g, type: 'secret' },
+        // JWT
+        { name: 'JWT', regex: /eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+/g, type: 'secret' },
+        // Private Key
+        { name: 'Private Key', regex: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g, type: 'secret' },
+        // Password in config
+        { name: 'Password', regex: /(?:password|passwd|pwd|pass)[\s]*[:=][\s]*["']?([^"'\s]+)["']?/gi, type: 'secret' },
+        // Bearer Token
+        { name: 'Bearer Token', regex: /Bearer\s+[A-Za-z0-9-._~+/]+=*/g, type: 'secret' },
+        // Slack Token
+        { name: 'Slack Token', regex: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,34}/g, type: 'secret' },
+        // Stripe Key
+        { name: 'Stripe Key', regex: /(?:sk|pk)_(?:test|live)_[0-9a-zA-Z]{24,}/g, type: 'secret' },
+    ];
+    allowlist = new Set();
+    constructor(allowlist) {
+        if (allowlist) {
+            this.allowlist = new Set(allowlist);
+        }
+    }
+    /**
+     * Detect PII and secrets in text
+     */
+    detect(text) {
+        const findings = [];
+        let redactedText = text;
+        // Check PII patterns
+        for (const pattern of this.piiPatterns) {
+            const matches = text.matchAll(pattern.regex);
+            for (const match of matches) {
+                const value = match[0];
+                // Skip if in allowlist
+                if (this.allowlist.has(value))
+                    continue;
+                const redacted = this.redact(value, pattern.type);
+                findings.push({
+                    type: pattern.type,
+                    pattern: pattern.name,
+                    confidence: 0.9,
+                    redacted
+                });
+                redactedText = redactedText.replace(value, redacted);
+            }
+        }
+        // Check secret patterns
+        for (const pattern of this.secretPatterns) {
+            const matches = text.matchAll(pattern.regex);
+            for (const match of matches) {
+                const value = match[0];
+                // Skip if in allowlist
+                if (this.allowlist.has(value))
+                    continue;
+                // Check entropy if required
+                if (pattern.entropyCheck && !this.hasHighEntropy(value)) {
+                    continue;
+                }
+                const redacted = this.redact(value, pattern.type);
+                findings.push({
+                    type: pattern.type,
+                    pattern: pattern.name,
+                    confidence: pattern.entropyCheck ? 0.7 : 0.9,
+                    redacted
+                });
+                redactedText = redactedText.replace(value, redacted);
+            }
+        }
+        // Entropy-based detection for unknown secrets
+        const highEntropyStrings = this.findHighEntropyStrings(text);
+        for (const str of highEntropyStrings) {
+            if (this.allowlist.has(str))
+                continue;
+            const redacted = this.redact(str, 'secret');
+            findings.push({
+                type: 'high-entropy',
+                pattern: 'High Entropy String',
+                confidence: 0.6,
+                redacted
+            });
+            redactedText = redactedText.replace(str, redacted);
+        }
+        return {
+            hasPII: findings.some(f => f.type === 'pii'),
+            hasSecrets: findings.some(f => f.type === 'secret' || f.type === 'high-entropy'),
+            redactedText,
+            findings
+        };
+    }
+    /**
+     * Calculate Shannon entropy
+     */
+    calculateEntropy(str) {
+        const frequencies = new Map();
+        for (const char of str) {
+            frequencies.set(char, (frequencies.get(char) || 0) + 1);
+        }
+        let entropy = 0;
+        const len = str.length;
+        for (const freq of frequencies.values()) {
+            const p = freq / len;
+            entropy -= p * Math.log2(p);
+        }
+        return entropy;
+    }
+    /**
+     * Check if string has high entropy (likely random/secret)
+     */
+    hasHighEntropy(str, threshold = 4.5) {
+        if (str.length < 10)
+            return false;
+        return this.calculateEntropy(str) > threshold;
+    }
+    /**
+     * Find high entropy strings in text
+     */
+    findHighEntropyStrings(text) {
+        const results = [];
+        // Find continuous alphanumeric strings
+        const candidates = text.match(/[A-Za-z0-9+/=_-]{20,}/g) || [];
+        for (const candidate of candidates) {
+            if (this.hasHighEntropy(candidate)) {
+                results.push(candidate);
+            }
+        }
+        return results;
+    }
+    /**
+     * Redact sensitive information
+     */
+    redact(value, type) {
+        if (type === 'pii') {
+            // Show partial for PII
+            if (value.includes('@')) {
+                // Email - show domain
+                const parts = value.split('@');
+                return `[REDACTED_EMAIL]@${parts[1]}`;
+            }
+            if (value.length > 4) {
+                // Show last 4 chars
+                return `[REDACTED_${type.toUpperCase()}...${value.slice(-4)}]`;
+            }
+        }
+        // Complete redaction for secrets
+        return `[REDACTED_${type.toUpperCase()}]`;
+    }
+    /**
+     * Add items to allowlist
+     */
+    addToAllowlist(items) {
+        for (const item of items) {
+            this.allowlist.add(item);
+        }
+        logger.info(`Added ${items.length} items to allowlist`);
+    }
+    /**
+     * Remove items from allowlist
+     */
+    removeFromAllowlist(items) {
+        for (const item of items) {
+            this.allowlist.delete(item);
+        }
+        logger.info(`Removed ${items.length} items from allowlist`);
+    }
+    /**
+     * Get current allowlist
+     */
+    getAllowlist() {
+        return Array.from(this.allowlist);
+    }
+    /**
+     * Scan and report (without redaction)
+     */
+    scan(text) {
+        const result = this.detect(text);
+        // Calculate risk score
+        let riskScore = 0;
+        for (const finding of result.findings) {
+            if (finding.type === 'secret' || finding.type === 'high-entropy') {
+                riskScore += finding.confidence * 10;
+            }
+            else if (finding.type === 'pii') {
+                riskScore += finding.confidence * 5;
+            }
+        }
+        return {
+            findings: result.findings,
+            riskScore: Math.min(riskScore, 100)
+        };
+    }
+}
+//# sourceMappingURL=pii-detector.js.map

package/dist/security/pii-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detector.js","sourceRoot":"","sources":["../../src/security/pii-detector.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,IAAI,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAE7D,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,CAAC;AAgBzC;;GAEG;AACH,MAAM,OAAO,WAAW;IACtB,eAAe;IACP,WAAW,GAAG;QACpB,MAAM;QACN,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,IAAI,EAAE,KAAK,EAAE;QAC7D,cAAc;QACd,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,0BAA0B,EAAE,IAAI,EAAE,KAAK,EAAE;QACvE,QAAQ;QACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,sDAAsD,EAAE,IAAI,EAAE,KAAK,EAAE;QAC7F,QAAQ;QACR,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,0DAA0D,EAAE,IAAI,EAAE,KAAK,EAAE;QACjG,aAAa;QACb,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,8BAA8B,EAAE,IAAI,EAAE,KAAK,EAAE;QAC1E,kCAAkC;QAClC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,oEAAoE,EAAE,IAAI,EAAE,KAAK,EAAE;KAC1G,CAAC;IAEF,kBAAkB;IACV,cAAc,GAAG;QACvB,qBAAqB;QACrB,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,IAAI,EAAE,QAAQ,EAAE;QACnE,WAAW;QACX,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,mBAAmB,EAAE,IAAI,EAAE,QAAQ,EAAE;QACtE,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,qBAAqB,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE;QAC5F,eAAe;QACf,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,sBAAsB,EAAE,IAAI,EAAE,QAAQ,EAAE;QACvE,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,sBAAsB,EAAE,IAAI,EAAE,QAAQ,EAAE;QACvE,MAAM;QACN,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,uDAAuD,EAAE,IAAI,EAAE,QAAQ,EAAE;QAC/F,cAAc;QACd,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,2CAA2C,EAAE,IAAI,EAAE,QAAQ,EAAE;QAC3F,qBAAqB;QACrB,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,kEAAkE,EAAE,IAAI,EAAE,QAAQ,EAAE;QAC/G,eAAe;QACf,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,gCAAgC,EAAE,IAAI,EAAE,QAAQ,EAAE;QACjF,cAAc;QACd,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,0DAA0D,EAAE,IAAI,EAAE,QAAQ,EAAE;QAC1G,aAAa;QACb,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,2CAA2C,EAAE,IAAI,EAAE,QAAQ,EAAE;KAC3F,CAAC;IAEM,SAAS,GAAgB,IAAI,GAAG,EAAE,CAAC;IAE3C,YAAY,SAAoB;QAC9B,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,SAAS,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,YAAY,GAAG,IAAI,CAAC;QAExB,qBAAqB;QACrB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC7C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEvB,uBAAuB;gBACvB,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC;oBAAE,SAAS;gBAExC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAwB,CAAC,CAAC;gBACtE,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,OAAO,CAAC,IAAwB;oBACtC,OAAO,EAAE,OAAO,CAAC,IAAI;oBACrB,UAAU,EAAE,GAAG;oBACf,QAAQ;iBACT,CAAC,CAAC;gBAEH,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC7C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEvB,uBAAuB;gBACvB,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC;oBAAE,SAAS;gBAExC,4BAA4B;gBAC5B,IAAI,OAAO,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxD,SAAS;gBACX,CAAC;gBAED,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAwB,CAAC,CAAC;gBACtE,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,OAAO,CAAC,IAAwB;oBACtC,OAAO,EAAE,OAAO,CAAC,IAAI;oBACrB,UAAU,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;oBAC5C,QAAQ;iBACT,CAAC,CAAC;gBAEH,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,MAAM,kBAAkB,GAAG,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC;QAC7D,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEtC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAC5C,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,qBAAqB;gBAC9B,UAAU,EAAE,GAAG;gBACf,QAAQ;aACT,CAAC,CAAC;YAEH,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACrD,CAAC;QAED,OAAO;YACL,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC;YAC5C,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,cAAc,CAAC;YAChF,YAAY;YACZ,QAAQ;SACT,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,GAAW;QAClC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;QAE9C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;YACvB,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QAEvB,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,MAAM,EAAE,EAAE,CAAC;YACxC,MAAM,CAAC,GAAG,IAAI,GAAG,GAAG,CAAC;YACrB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,GAAW,EAAE,YAAoB,GAAG;QACzD,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,KAAK,CAAC;QAClC,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;IAChD,CAAC;IAED;;OAEG;IACK,sBAAsB,CAAC,IAAY;QACzC,MAAM,OAAO,GAAa,EAAE,CAAC;QAE7B,uCAAuC;QACvC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC;QAE9D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAa,EAAE,IAAuC;QACnE,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YACnB,uBAAuB;YACvB,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,sBAAsB;gBACtB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC/B,OAAO,oBAAoB,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACxC,CAAC;YACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,oBAAoB;gBACpB,OAAO,aAAa,IAAI,CAAC,WAAW,EAAE,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YACjE,CAAC;QACH,CAAC;QAED,iCAAiC;QACjC,OAAO,aAAa,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,KAAe;QAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,MAAM,qBAAqB,CAAC,CAAC;IAC1D,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,KAAe;QACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,MAAM,uBAAuB,CAAC,CAAC;IAC9D,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,IAAY;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAEjC,uBAAuB;QACvB,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;gBACjE,SAAS,IAAI,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC;YACvC,CAAC;iBAAM,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBAClC,SAAS,IAAI,OAAO,CAAC,UAAU,GAAG,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC;SACpC,CAAC;IACJ,CAAC;CACF"}

package/dist/tools/ci-hooks.d.ts

@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+/**
+ * CI/CD Integration Hooks for Kratos Protocol
+ *
+ * These hooks can be integrated into your CI/CD pipeline to:
+ * - Run leak detection tests
+ * - Perform TTL cleanup
+ * - Validate project configurations
+ * - Generate memory reports
+ */
+declare class KratosCIHooks {
+    /**
+     * Pre-commit hook: Run leak detection tests
+     */
+    static preCommitHook(): Promise<boolean>;
+    /**
+     * Pre-push hook: Validate all project configurations
+     */
+    static prePushHook(): Promise<boolean>;
+    /**
+     * Nightly cleanup: Remove expired memories and compact databases
+     */
+    static nightlyCleanup(): Promise<void>;
+    /**
+     * Security audit: Check for potential data leaks and vulnerabilities
+     */
+    static securityAudit(): Promise<{
+        passed: boolean;
+        report: any;
+    }>;
+    /**
+     * Memory report: Generate statistics about memory usage across projects
+     */
+    static generateMemoryReport(): Promise<any>;
+    private static findKratosProjects;
+    private static validateProject;
+    private static cleanupProject;
+    private static auditProject;
+    private static auditConceptStore;
+    private static getProjectStats;
+    private static getConceptStats;
+    private static generateSecurityRecommendations;
+    private static generateMemoryRecommendations;
+    private static generateCleanupReport;
+    private static runCommand;
+}
+export { KratosCIHooks };
+//# sourceMappingURL=ci-hooks.d.ts.map

package/dist/tools/ci-hooks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci-hooks.d.ts","sourceRoot":"","sources":["../../src/tools/ci-hooks.ts"],"names":[],"mappings":";AAQA;;;;;;;;GAQG;AAEH,cAAM,aAAa;IAEjB;;OAEG;WACU,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC;IAsB9C;;OAEG;WACU,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAgC5C;;OAEG;WACU,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAqB5C;;OAEG;WACU,aAAa,IAAI,OAAO,CAAC;QAAE,MAAM,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,CAAC;IAuDvE;;OAEG;WACU,oBAAoB,IAAI,OAAO,CAAC,GAAG,CAAC;mBA4D5B,kBAAkB;mBAqBlB,eAAe;mBA2Bf,cAAc;mBAcd,YAAY;mBAuCZ,iBAAiB;mBA+BjB,eAAe;mBAiCf,eAAe;IA6BpC,OAAO,CAAC,MAAM,CAAC,+BAA+B;IAgB9C,OAAO,CAAC,MAAM,CAAC,6BAA6B;mBAkBvB,qBAAqB;mBAcrB,UAAU;CA+BhC;AAsDD,OAAO,EAAE,aAAa,EAAE,CAAC"}