network-ai 3.0.0

package/dist/security.d.ts

@@ -0,0 +1,269 @@
+/**
+ * SwarmOrchestrator Security Module
+ *
+ * This module addresses security vulnerabilities in the multi-agent system:
+ *
+ * 1. Token Security - HMAC-signed tokens with expiration
+ * 2. Input Sanitization - Prevent injection attacks
+ * 3. Rate Limiting - Prevent DoS from rogue agents
+ * 4. Audit Integrity - Cryptographically signed audit logs
+ * 5. Data Encryption - Encrypt sensitive blackboard entries
+ * 6. Permission Hardening - Prevent privilege escalation
+ * 7. Path Traversal Protection - Sanitize file paths
+ *
+ * @module SwarmSecurity
+ * @version 1.0.0
+ */
+interface SecurityConfig {
+    tokenSecret: string;
+    tokenAlgorithm: 'sha256' | 'sha512';
+    maxTokenAge: number;
+    maxRequestsPerMinute: number;
+    maxFailedAuthAttempts: number;
+    lockoutDuration: number;
+    encryptionKey: string;
+    encryptSensitiveData: boolean;
+    signAuditLogs: boolean;
+    auditLogPath: string;
+    allowedBasePath: string;
+}
+declare const DEFAULT_CONFIG: SecurityConfig;
+interface SecureToken {
+    tokenId: string;
+    agentId: string;
+    resourceType: string;
+    scope: string;
+    issuedAt: number;
+    expiresAt: number;
+    signature: string;
+}
+export declare class SecureTokenManager {
+    private config;
+    private revokedTokens;
+    constructor(config?: Partial<SecurityConfig>);
+    /**
+     * Generate a cryptographically signed token
+     */
+    generateToken(agentId: string, resourceType: string, scope: string): SecureToken;
+    /**
+     * Validate a token's authenticity and expiration
+     */
+    validateToken(token: SecureToken): {
+        valid: boolean;
+        reason?: string;
+    };
+    /**
+     * Revoke a token
+     */
+    revokeToken(tokenId: string): void;
+    /**
+     * HMAC sign a payload
+     */
+    private sign;
+    /**
+     * Constant-time string comparison to prevent timing attacks
+     */
+    private constantTimeCompare;
+}
+export declare class InputSanitizer {
+    private static DANGEROUS_PATTERNS;
+    /**
+     * Sanitize a string input
+     */
+    static sanitizeString(input: string, maxLength?: number): string;
+    /**
+     * Sanitize an object recursively
+     */
+    static sanitizeObject(obj: unknown, depth?: number, maxDepth?: number): unknown;
+    /**
+     * Validate and sanitize an agent ID
+     */
+    static sanitizeAgentId(agentId: string): string;
+    /**
+     * Validate and sanitize a file path
+     */
+    static sanitizePath(inputPath: string, basePath: string): string;
+}
+interface RateLimitEntry {
+    count: number;
+    windowStart: number;
+    failedAttempts: number;
+    lockedUntil: number | null;
+}
+export declare class RateLimiter {
+    private limits;
+    private config;
+    constructor(config?: Partial<SecurityConfig>);
+    /**
+     * Check if an agent is rate limited
+     */
+    isRateLimited(agentId: string): {
+        limited: boolean;
+        retryAfter?: number;
+    };
+    /**
+     * Record a failed authentication attempt
+     */
+    recordFailedAuth(agentId: string): {
+        locked: boolean;
+        attemptsRemaining?: number;
+    };
+    /**
+     * Reset failed attempts after successful auth
+     */
+    resetFailedAttempts(agentId: string): void;
+    /**
+     * Get rate limit status for an agent
+     */
+    getStatus(agentId: string): RateLimitEntry | null;
+}
+interface AuditEntry {
+    timestamp: string;
+    eventId: string;
+    eventType: string;
+    agentId: string;
+    action: string;
+    resource?: string;
+    outcome: 'success' | 'failure' | 'denied';
+    details: Record<string, unknown>;
+    signature?: string;
+}
+export declare class SecureAuditLogger {
+    private config;
+    private previousHash;
+    constructor(config?: Partial<SecurityConfig>);
+    private initializeLog;
+    /**
+     * Log a security event with cryptographic integrity
+     */
+    log(eventType: string, agentId: string, action: string, outcome: 'success' | 'failure' | 'denied', details?: Record<string, unknown>, resource?: string): AuditEntry;
+    /**
+     * Log a permission request
+     */
+    logPermissionRequest(agentId: string, resourceType: string, scope: string, granted: boolean, reason?: string): void;
+    /**
+     * Log a security violation
+     */
+    logViolation(agentId: string, violationType: string, details: Record<string, unknown>): void;
+    /**
+     * Verify audit log integrity
+     */
+    verifyLogIntegrity(): {
+        valid: boolean;
+        invalidEntries: number[];
+    };
+}
+export declare class DataEncryptor {
+    private key;
+    private algorithm;
+    constructor(encryptionKey: string);
+    /**
+     * Encrypt sensitive data
+     */
+    encrypt(data: string): string;
+    /**
+     * Decrypt sensitive data
+     */
+    decrypt(encryptedData: string): string;
+    /**
+     * Encrypt an object
+     */
+    encryptObject(obj: unknown): string;
+    /**
+     * Decrypt to object
+     */
+    decryptObject<T = unknown>(encryptedData: string): T;
+}
+interface TrustPolicy {
+    agentId: string;
+    trustLevel: number;
+    allowedResources: string[];
+    maxScope: string[];
+    createdBy: string;
+    immutable: boolean;
+}
+export declare class PermissionHardener {
+    private trustPolicies;
+    private auditLogger;
+    constructor(auditLogger: SecureAuditLogger, defaultPolicies?: Array<{
+        agentId: string;
+        trustLevel: number;
+        allowedResources: string[];
+        maxScope?: string[];
+        immutable?: boolean;
+    }>);
+    private initializeDefaultPolicies;
+    /**
+     * Register or update a trust policy for an agent at runtime.
+     */
+    registerPolicy(policy: {
+        agentId: string;
+        trustLevel: number;
+        allowedResources: string[];
+        maxScope?: string[];
+        immutable?: boolean;
+    }): void;
+    /**
+     * Check if an agent can access a resource
+     */
+    canAccess(agentId: string, resourceType: string, requestedScope: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Attempt to modify trust level (with escalation prevention)
+     */
+    modifyTrustLevel(requestingAgent: string, targetAgent: string, newTrustLevel: number): {
+        success: boolean;
+        reason?: string;
+    };
+    /**
+     * Get policy for an agent
+     */
+    getPolicy(agentId: string): TrustPolicy | undefined;
+}
+export declare class SecurityError extends Error {
+    code: string;
+    constructor(message: string, code: string);
+}
+export declare class SecureSwarmGateway {
+    private tokenManager;
+    private rateLimiter;
+    private auditLogger;
+    private permissionHardener;
+    private encryptor;
+    constructor(config?: Partial<SecurityConfig>);
+    /**
+     * Secure request handler - validates all security requirements
+     */
+    handleSecureRequest(agentId: string, action: string, params: Record<string, unknown>, token?: SecureToken): Promise<{
+        allowed: boolean;
+        reason?: string;
+        sanitizedParams?: Record<string, unknown>;
+    }>;
+    /**
+     * Request a new permission grant
+     */
+    requestPermission(agentId: string, resourceType: string, scope: string, justification: string): Promise<{
+        granted: boolean;
+        token?: SecureToken;
+        reason?: string;
+    }>;
+    /**
+     * Encrypt sensitive data for blackboard storage
+     */
+    encryptSensitiveData(data: unknown): string;
+    /**
+     * Decrypt sensitive data from blackboard
+     */
+    decryptSensitiveData<T>(encryptedData: string): T;
+    /**
+     * Verify audit log integrity
+     */
+    verifyAuditIntegrity(): {
+        valid: boolean;
+        invalidEntries: number[];
+    };
+}
+export { SecurityConfig, SecureToken, AuditEntry, TrustPolicy, DEFAULT_CONFIG, };
+//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAUH,UAAU,cAAc;IAEtB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,QAAQ,GAAG,QAAQ,CAAC;IACpC,WAAW,EAAE,MAAM,CAAC;IAGpB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,eAAe,EAAE,MAAM,CAAC;IAGxB,aAAa,EAAE,MAAM,CAAC;IACtB,oBAAoB,EAAE,OAAO,CAAC;IAG9B,aAAa,EAAE,OAAO,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IAGrB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,QAAA,MAAM,cAAc,EAAE,cAgBrB,CAAC;AAMF,UAAU,WAAW;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,aAAa,CAA0B;gBAEnC,MAAM,GAAE,OAAO,CAAC,cAAc,CAAM;IAIhD;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW;IAsBhF;;OAEG;IACH,aAAa,CAAC,KAAK,EAAE,WAAW,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAsBtE;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAIlC;;OAEG;IACH,OAAO,CAAC,IAAI;IAMZ;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAS5B;AAMD,qBAAa,cAAc;IAEzB,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAS/B;IAEF;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,GAAE,MAAc,GAAG,MAAM;IAwBvE;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,GAAE,MAAU,EAAE,QAAQ,GAAE,MAAW,GAAG,OAAO;IAwCtF;;OAEG;IACH,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAe/C;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM;CAmBjE;AAMD,UAAU,cAAc;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAA0C;IACxD,OAAO,CAAC,MAAM,CAAiB;gBAEnB,MAAM,GAAE,OAAO,CAAC,cAAc,CAAM;IAIhD;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;IA4CzE;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,MAAM,EAAE,OAAO,CAAC;QAAC,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAAE;IAuBlF;;OAEG;IACH,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAQ1C;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;CAGlD;AAMD,UAAU,UAAU;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC1C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,YAAY,CAAc;gBAEtB,MAAM,GAAE,OAAO,CAAC,cAAc,CAAM;IAKhD,OAAO,CAAC,aAAa;IAuBrB;;OAEG;IACH,GAAG,CACD,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,EACzC,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,EACrC,QAAQ,CAAC,EAAE,MAAM,GAChB,UAAU;IAiCb;;OAEG;IACH,oBAAoB,CAClB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,IAAI;IAWP;;OAEG;IACH,YAAY,CACV,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,IAAI;IAUP;;OAEG;IACH,kBAAkB,IAAI;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,cAAc,EAAE,MAAM,EAAE,CAAA;KAAE;CAsCnE;AAMD,qBAAa,aAAa;IACxB,OAAO,CAAC,GAAG,CAAS;IACpB,OAAO,CAAC,SAAS,CAA0B;gBAE/B,aAAa,EAAE,MAAM;IAKjC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAa7B;;OAEG;IACH,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;IAmBtC;;OAEG;IACH,aAAa,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM;IAInC;;OAEG;IACH,aAAa,CAAC,CAAC,GAAG,OAAO,EAAE,aAAa,EAAE,MAAM,GAAG,CAAC;CAGrD;AAMD,UAAU,WAAW;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,aAAa,CAAuC;IAC5D,OAAO,CAAC,WAAW,CAAoB;gBAE3B,WAAW,EAAE,iBAAiB,EAAE,eAAe,CAAC,EAAE,KAAK,CAAC;QAClE,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,CAAC,EAAE,OAAO,CAAC;KACrB,CAAC;IAKF,OAAO,CAAC,yBAAyB;IA+BjC;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE;QACrB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,CAAC,EAAE,OAAO,CAAC;KACrB,GAAG,IAAI;IAaR;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG;QACxE,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;IA8BD;;OAEG;IACH,gBAAgB,CACd,eAAe,EAAE,MAAM,EACvB,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,MAAM,GACpB;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6CxC;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;CAGpD;AAMD,qBAAa,aAAc,SAAQ,KAAK;IACtC,IAAI,EAAE,MAAM,CAAC;gBAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAK1C;AAMD,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,YAAY,CAAqB;IACzC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,SAAS,CAAgB;gBAErB,MAAM,GAAE,OAAO,CAAC,cAAc,CAAM;IAUhD;;OAEG;IACG,mBAAmB,CACvB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,CAAC,EAAE,WAAW,GAClB,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IA4D5F;;OAEG;IACG,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,WAAW,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAkBtE;;OAEG;IACH,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM;IAI3C;;OAEG;IACH,oBAAoB,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,GAAG,CAAC;IAIjD;;OAEG;IACH,oBAAoB,IAAI;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,cAAc,EAAE,MAAM,EAAE,CAAA;KAAE;CAGrE;AAMD,OAAO,EACL,cAAc,EACd,WAAW,EACX,UAAU,EACV,WAAW,EACX,cAAc,GACf,CAAC"}