opc-agent 4.1.0 → 4.1.1

package/src/security/approval.ts

@@ -1,131 +1,131 @@
-import { randomUUID } from 'crypto';
-
-export type ApprovalPolicy = 'always' | 'dangerous' | 'never';
-
-export interface ApprovalRequest {
-  id: string;
-  type: 'shell' | 'file_write' | 'file_delete' | 'network' | 'plugin';
-  command: string;
-  description: string;
-  requestedAt: Date;
-  status: 'pending' | 'approved' | 'denied';
-  approvedBy?: string;
-}
-
-export class ApprovalManager {
-  private policy: ApprovalPolicy;
-  private pendingApprovals: Map<string, ApprovalRequest> = new Map();
-  private allowlist: Set<string> = new Set();
-  private blocklist: Set<string> = new Set();
-
-  private static readonly DANGEROUS_PATTERNS = [
-    /rm\s+-rf/i, /del\s+\/s/i, /format\s+/i,
-    /DROP\s+TABLE/i, /DELETE\s+FROM/i,
-    /curl.*\|.*sh/i, /wget.*\|.*sh/i,
-    /chmod\s+777/i, /sudo\s+/i,
-    /npm\s+publish/i,
-  ];
-
-  constructor(policy: ApprovalPolicy = 'dangerous') {
-    this.policy = policy;
-  }
-
-  getPolicy(): ApprovalPolicy {
-    return this.policy;
-  }
-
-  setPolicy(policy: ApprovalPolicy): void {
-    this.policy = policy;
-  }
-
-  needsApproval(type: string, command: string): boolean {
-    // Blocklist always needs approval (effectively blocked)
-    if (this.isBlocked(command)) return true;
-    // Allowlist never needs approval
-    if (this.isAllowed(command)) return false;
-
-    if (this.policy === 'never') return false;
-    if (this.policy === 'always') return true;
-    // 'dangerous'
-    return this.isDangerous(type, command);
-  }
-
-  private isDangerous(_type: string, command: string): boolean {
-    return ApprovalManager.DANGEROUS_PATTERNS.some(p => p.test(command));
-  }
-
-  private isAllowed(command: string): boolean {
-    for (const pattern of this.allowlist) {
-      if (command.includes(pattern)) return true;
-    }
-    return false;
-  }
-
-  private isBlocked(command: string): boolean {
-    for (const pattern of this.blocklist) {
-      if (command.includes(pattern)) return true;
-    }
-    return false;
-  }
-
-  requestApproval(type: ApprovalRequest['type'], command: string, description: string): ApprovalRequest {
-    const request: ApprovalRequest = {
-      id: randomUUID(),
-      type,
-      command,
-      description,
-      requestedAt: new Date(),
-      status: 'pending',
-    };
-    this.pendingApprovals.set(request.id, request);
-    return request;
-  }
-
-  approve(id: string, approver: string): void {
-    const req = this.pendingApprovals.get(id);
-    if (!req) throw new Error(`Approval request ${id} not found`);
-    if (req.status !== 'pending') throw new Error(`Request ${id} is already ${req.status}`);
-    req.status = 'approved';
-    req.approvedBy = approver;
-  }
-
-  deny(id: string, approver: string): void {
-    const req = this.pendingApprovals.get(id);
-    if (!req) throw new Error(`Approval request ${id} not found`);
-    if (req.status !== 'pending') throw new Error(`Request ${id} is already ${req.status}`);
-    req.status = 'denied';
-    req.approvedBy = approver;
-  }
-
-  getRequest(id: string): ApprovalRequest | undefined {
-    return this.pendingApprovals.get(id);
-  }
-
-  addToAllowlist(pattern: string): void {
-    this.allowlist.add(pattern);
-  }
-
-  removeFromAllowlist(pattern: string): void {
-    this.allowlist.delete(pattern);
-  }
-
-  addToBlocklist(pattern: string): void {
-    this.blocklist.add(pattern);
-  }
-
-  removeFromBlocklist(pattern: string): void {
-    this.blocklist.delete(pattern);
-  }
-
-  getPending(): ApprovalRequest[] {
-    return Array.from(this.pendingApprovals.values()).filter(r => r.status === 'pending');
-  }
-
-  getAllowlist(): string[] {
-    return Array.from(this.allowlist);
-  }
-
-  getBlocklist(): string[] {
-    return Array.from(this.blocklist);
-  }
-}
+import { randomUUID } from 'crypto';
+
+export type ApprovalPolicy = 'always' | 'dangerous' | 'never';
+
+export interface ApprovalRequest {
+  id: string;
+  type: 'shell' | 'file_write' | 'file_delete' | 'network' | 'plugin';
+  command: string;
+  description: string;
+  requestedAt: Date;
+  status: 'pending' | 'approved' | 'denied';
+  approvedBy?: string;
+}
+
+export class ApprovalManager {
+  private policy: ApprovalPolicy;
+  private pendingApprovals: Map<string, ApprovalRequest> = new Map();
+  private allowlist: Set<string> = new Set();
+  private blocklist: Set<string> = new Set();
+
+  private static readonly DANGEROUS_PATTERNS = [
+    /rm\s+-rf/i, /del\s+\/s/i, /format\s+/i,
+    /DROP\s+TABLE/i, /DELETE\s+FROM/i,
+    /curl.*\|.*sh/i, /wget.*\|.*sh/i,
+    /chmod\s+777/i, /sudo\s+/i,
+    /npm\s+publish/i,
+  ];
+
+  constructor(policy: ApprovalPolicy = 'dangerous') {
+    this.policy = policy;
+  }
+
+  getPolicy(): ApprovalPolicy {
+    return this.policy;
+  }
+
+  setPolicy(policy: ApprovalPolicy): void {
+    this.policy = policy;
+  }
+
+  needsApproval(type: string, command: string): boolean {
+    // Blocklist always needs approval (effectively blocked)
+    if (this.isBlocked(command)) return true;
+    // Allowlist never needs approval
+    if (this.isAllowed(command)) return false;
+
+    if (this.policy === 'never') return false;
+    if (this.policy === 'always') return true;
+    // 'dangerous'
+    return this.isDangerous(type, command);
+  }
+
+  private isDangerous(_type: string, command: string): boolean {
+    return ApprovalManager.DANGEROUS_PATTERNS.some(p => p.test(command));
+  }
+
+  private isAllowed(command: string): boolean {
+    for (const pattern of this.allowlist) {
+      if (command.includes(pattern)) return true;
+    }
+    return false;
+  }
+
+  private isBlocked(command: string): boolean {
+    for (const pattern of this.blocklist) {
+      if (command.includes(pattern)) return true;
+    }
+    return false;
+  }
+
+  requestApproval(type: ApprovalRequest['type'], command: string, description: string): ApprovalRequest {
+    const request: ApprovalRequest = {
+      id: randomUUID(),
+      type,
+      command,
+      description,
+      requestedAt: new Date(),
+      status: 'pending',
+    };
+    this.pendingApprovals.set(request.id, request);
+    return request;
+  }
+
+  approve(id: string, approver: string): void {
+    const req = this.pendingApprovals.get(id);
+    if (!req) throw new Error(`Approval request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} is already ${req.status}`);
+    req.status = 'approved';
+    req.approvedBy = approver;
+  }
+
+  deny(id: string, approver: string): void {
+    const req = this.pendingApprovals.get(id);
+    if (!req) throw new Error(`Approval request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} is already ${req.status}`);
+    req.status = 'denied';
+    req.approvedBy = approver;
+  }
+
+  getRequest(id: string): ApprovalRequest | undefined {
+    return this.pendingApprovals.get(id);
+  }
+
+  addToAllowlist(pattern: string): void {
+    this.allowlist.add(pattern);
+  }
+
+  removeFromAllowlist(pattern: string): void {
+    this.allowlist.delete(pattern);
+  }
+
+  addToBlocklist(pattern: string): void {
+    this.blocklist.add(pattern);
+  }
+
+  removeFromBlocklist(pattern: string): void {
+    this.blocklist.delete(pattern);
+  }
+
+  getPending(): ApprovalRequest[] {
+    return Array.from(this.pendingApprovals.values()).filter(r => r.status === 'pending');
+  }
+
+  getAllowlist(): string[] {
+    return Array.from(this.allowlist);
+  }
+
+  getBlocklist(): string[] {
+    return Array.from(this.blocklist);
+  }
+}

package/src/security/approvals.ts

@@ -1,143 +1,143 @@
-/**
- * Approvals Module - v1.0.0
- * Policy-based exec approval system with queue, expiry, history, and callbacks.
- */
-
-import { randomUUID } from 'crypto';
-
-export type ExecApprovalPolicy = 'always' | 'elevated-only' | 'never' | 'allowlist';
-
-export interface ExecApprovalRequest {
-  id: string;
-  command: string;
-  elevated: boolean;
-  requestedAt: number;
-  expiresAt: number;
-  status: 'pending' | 'approved' | 'denied' | 'expired';
-  approvedBy?: string;
-  reason?: string;
-}
-
-export interface ExecApprovalHistory {
-  request: ExecApprovalRequest;
-  resolvedAt: number;
-}
-
-export type ApprovalRequestCallback = (request: ExecApprovalRequest) => void;
-
-export class ExecApprovalManager {
-  private policy: ExecApprovalPolicy;
-  private pending: Map<string, ExecApprovalRequest> = new Map();
-  private history: ExecApprovalHistory[] = [];
-  private allowedCommands: Set<string> = new Set();
-  private expiryMs: number;
-  private onRequestCallback?: ApprovalRequestCallback;
-  private expiryTimer?: ReturnType<typeof setInterval>;
-
-  constructor(options: {
-    policy?: ExecApprovalPolicy;
-    expiryMs?: number;
-    allowedCommands?: string[];
-    onRequest?: ApprovalRequestCallback;
-  } = {}) {
-    this.policy = options.policy ?? 'elevated-only';
-    this.expiryMs = options.expiryMs ?? 300_000; // 5 min default
-    this.onRequestCallback = options.onRequest;
-    if (options.allowedCommands) {
-      for (const cmd of options.allowedCommands) this.allowedCommands.add(cmd);
-    }
-    this.expiryTimer = setInterval(() => this.expirePending(), 10_000);
-    if (this.expiryTimer.unref) this.expiryTimer.unref();
-  }
-
-  getPolicy(): ExecApprovalPolicy { return this.policy; }
-  setPolicy(p: ExecApprovalPolicy): void { this.policy = p; }
-
-  addAllowedCommand(cmd: string): void { this.allowedCommands.add(cmd); }
-  removeAllowedCommand(cmd: string): void { this.allowedCommands.delete(cmd); }
-  getAllowedCommands(): string[] { return [...this.allowedCommands]; }
-
-  needsApproval(command: string, elevated: boolean): boolean {
-    switch (this.policy) {
-      case 'never': return false;
-      case 'always': return true;
-      case 'elevated-only': return elevated;
-      case 'allowlist': return !this.isAllowed(command);
-    }
-  }
-
-  private isAllowed(command: string): boolean {
-    for (const allowed of this.allowedCommands) {
-      if (command.startsWith(allowed) || command === allowed) return true;
-    }
-    return false;
-  }
-
-  request(command: string, elevated: boolean = false): ExecApprovalRequest {
-    const now = Date.now();
-    const req: ExecApprovalRequest = {
-      id: randomUUID(),
-      command,
-      elevated,
-      requestedAt: now,
-      expiresAt: now + this.expiryMs,
-      status: 'pending',
-    };
-    this.pending.set(req.id, req);
-    this.onRequestCallback?.(req);
-    return req;
-  }
-
-  approve(id: string, approver: string): ExecApprovalRequest {
-    const req = this.pending.get(id);
-    if (!req) throw new Error(`Request ${id} not found`);
-    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
-    req.status = 'approved';
-    req.approvedBy = approver;
-    this.pending.delete(id);
-    this.history.push({ request: req, resolvedAt: Date.now() });
-    return req;
-  }
-
-  deny(id: string, approver: string, reason?: string): ExecApprovalRequest {
-    const req = this.pending.get(id);
-    if (!req) throw new Error(`Request ${id} not found`);
-    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
-    req.status = 'denied';
-    req.approvedBy = approver;
-    req.reason = reason;
-    this.pending.delete(id);
-    this.history.push({ request: req, resolvedAt: Date.now() });
-    return req;
-  }
-
-  getPending(): ExecApprovalRequest[] {
-    return [...this.pending.values()];
-  }
-
-  getHistory(): ExecApprovalHistory[] {
-    return [...this.history];
-  }
-
-  getRequest(id: string): ExecApprovalRequest | undefined {
-    return this.pending.get(id) ?? this.history.find(h => h.request.id === id)?.request;
-  }
-
-  private expirePending(): void {
-    const now = Date.now();
-    for (const [id, req] of this.pending) {
-      if (now >= req.expiresAt) {
-        req.status = 'expired';
-        this.pending.delete(id);
-        this.history.push({ request: req, resolvedAt: now });
-      }
-    }
-  }
-
-  /** Force expire check (for testing) */
-  checkExpiry(): void { this.expirePending(); }
-
-  destroy(): void {
-    if (this.expiryTimer) clearInterval(this.expiryTimer);
-  }
-}
+/**
+ * Approvals Module - v1.0.0
+ * Policy-based exec approval system with queue, expiry, history, and callbacks.
+ */
+
+import { randomUUID } from 'crypto';
+
+export type ExecApprovalPolicy = 'always' | 'elevated-only' | 'never' | 'allowlist';
+
+export interface ExecApprovalRequest {
+  id: string;
+  command: string;
+  elevated: boolean;
+  requestedAt: number;
+  expiresAt: number;
+  status: 'pending' | 'approved' | 'denied' | 'expired';
+  approvedBy?: string;
+  reason?: string;
+}
+
+export interface ExecApprovalHistory {
+  request: ExecApprovalRequest;
+  resolvedAt: number;
+}
+
+export type ApprovalRequestCallback = (request: ExecApprovalRequest) => void;
+
+export class ExecApprovalManager {
+  private policy: ExecApprovalPolicy;
+  private pending: Map<string, ExecApprovalRequest> = new Map();
+  private history: ExecApprovalHistory[] = [];
+  private allowedCommands: Set<string> = new Set();
+  private expiryMs: number;
+  private onRequestCallback?: ApprovalRequestCallback;
+  private expiryTimer?: ReturnType<typeof setInterval>;
+
+  constructor(options: {
+    policy?: ExecApprovalPolicy;
+    expiryMs?: number;
+    allowedCommands?: string[];
+    onRequest?: ApprovalRequestCallback;
+  } = {}) {
+    this.policy = options.policy ?? 'elevated-only';
+    this.expiryMs = options.expiryMs ?? 300_000; // 5 min default
+    this.onRequestCallback = options.onRequest;
+    if (options.allowedCommands) {
+      for (const cmd of options.allowedCommands) this.allowedCommands.add(cmd);
+    }
+    this.expiryTimer = setInterval(() => this.expirePending(), 10_000);
+    if (this.expiryTimer.unref) this.expiryTimer.unref();
+  }
+
+  getPolicy(): ExecApprovalPolicy { return this.policy; }
+  setPolicy(p: ExecApprovalPolicy): void { this.policy = p; }
+
+  addAllowedCommand(cmd: string): void { this.allowedCommands.add(cmd); }
+  removeAllowedCommand(cmd: string): void { this.allowedCommands.delete(cmd); }
+  getAllowedCommands(): string[] { return [...this.allowedCommands]; }
+
+  needsApproval(command: string, elevated: boolean): boolean {
+    switch (this.policy) {
+      case 'never': return false;
+      case 'always': return true;
+      case 'elevated-only': return elevated;
+      case 'allowlist': return !this.isAllowed(command);
+    }
+  }
+
+  private isAllowed(command: string): boolean {
+    for (const allowed of this.allowedCommands) {
+      if (command.startsWith(allowed) || command === allowed) return true;
+    }
+    return false;
+  }
+
+  request(command: string, elevated: boolean = false): ExecApprovalRequest {
+    const now = Date.now();
+    const req: ExecApprovalRequest = {
+      id: randomUUID(),
+      command,
+      elevated,
+      requestedAt: now,
+      expiresAt: now + this.expiryMs,
+      status: 'pending',
+    };
+    this.pending.set(req.id, req);
+    this.onRequestCallback?.(req);
+    return req;
+  }
+
+  approve(id: string, approver: string): ExecApprovalRequest {
+    const req = this.pending.get(id);
+    if (!req) throw new Error(`Request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
+    req.status = 'approved';
+    req.approvedBy = approver;
+    this.pending.delete(id);
+    this.history.push({ request: req, resolvedAt: Date.now() });
+    return req;
+  }
+
+  deny(id: string, approver: string, reason?: string): ExecApprovalRequest {
+    const req = this.pending.get(id);
+    if (!req) throw new Error(`Request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
+    req.status = 'denied';
+    req.approvedBy = approver;
+    req.reason = reason;
+    this.pending.delete(id);
+    this.history.push({ request: req, resolvedAt: Date.now() });
+    return req;
+  }
+
+  getPending(): ExecApprovalRequest[] {
+    return [...this.pending.values()];
+  }
+
+  getHistory(): ExecApprovalHistory[] {
+    return [...this.history];
+  }
+
+  getRequest(id: string): ExecApprovalRequest | undefined {
+    return this.pending.get(id) ?? this.history.find(h => h.request.id === id)?.request;
+  }
+
+  private expirePending(): void {
+    const now = Date.now();
+    for (const [id, req] of this.pending) {
+      if (now >= req.expiresAt) {
+        req.status = 'expired';
+        this.pending.delete(id);
+        this.history.push({ request: req, resolvedAt: now });
+      }
+    }
+  }
+
+  /** Force expire check (for testing) */
+  checkExpiry(): void { this.expirePending(); }
+
+  destroy(): void {
+    if (this.expiryTimer) clearInterval(this.expiryTimer);
+  }
+}