qa360 1.0.3 → 1.1.0

package/dist/core/runner/phase3-runner.js

@@ -0,0 +1,471 @@
+/**
+ * QA360 Phase 3 Runner
+ * Orchestrates hooks, adapters, and proof generation
+ */
+import { existsSync, writeFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { createHash } from 'crypto';
+import chalk from 'chalk';
+import { HooksRunner } from '../hooks/runner.js';
+import { PlaywrightApiAdapter } from '../adapters/playwright-api.js';
+import { PlaywrightUiAdapter } from '../adapters/playwright-ui.js';
+import { K6PerfAdapter } from '../adapters/k6-perf.js';
+import { SemgrepSastAdapter } from '../adapters/semgrep-sast.js';
+import { SecurityRedactor } from '../security/redactor.js';
+import { initializeKeys, sign } from '../proof/signer.js';
+import { canonicalize } from '../proof/canonicalize.js';
+import { EvidenceVault } from '../vault/index.js';
+export class Phase3Runner {
+    workingDir;
+    pack;
+    outputDir;
+    redactor;
+    hooksRunner;
+    keyPair;
+    vault;
+    constructor(options) {
+        this.workingDir = options.workingDir;
+        this.pack = options.pack;
+        this.outputDir = options.outputDir || join(this.workingDir, '.qa360', 'runs');
+        this.redactor = SecurityRedactor.forLogs();
+        this.hooksRunner = new HooksRunner({
+            workingDir: this.workingDir,
+            hooks: this.pack.hooks || {},
+            execution: this.pack.execution,
+            redactor: this.redactor
+        });
+    }
+    /**
+     * Execute complete Phase 3 workflow
+     */
+    async run() {
+        const startTime = Date.now();
+        console.log(chalk.bold.blue(`\n🚀 QA360 Phase 3 Runner - ${this.pack.name}`));
+        console.log(chalk.gray(`Gates: ${this.pack.gates.join(', ')}`));
+        try {
+            // Ensure output directory exists
+            this.ensureOutputDir();
+            // Initialize cryptographic keys
+            console.log(chalk.blue('\n🔑 Initializing Ed25519 keys...'));
+            this.keyPair = await initializeKeys();
+            console.log(chalk.green('   ✅ Keys ready'));
+            // Initialize Evidence Vault
+            console.log(chalk.blue('\n🗄️  Initializing Evidence Vault...'));
+            const vaultDir = join(this.workingDir, '.qa360');
+            this.vault = await EvidenceVault.open(vaultDir);
+            console.log(chalk.green('   ✅ Vault ready'));
+            // Execute beforeAll hooks
+            console.log(chalk.blue('\n🔗 Phase 1: Setup Hooks'));
+            const beforeAllResults = await this.hooksRunner.executeHooks('beforeAll');
+            // Check if setup failed and should stop
+            const setupFailed = beforeAllResults.some(r => !r.success);
+            if (setupFailed && this.pack.execution?.on_failure === 'stop') {
+                throw new Error('Setup hooks failed, stopping execution');
+            }
+            // Execute gates
+            console.log(chalk.blue('\n🎯 Phase 2: Quality Gates'));
+            const gateResults = [];
+            for (const gate of this.pack.gates) {
+                const gateResult = await this.executeGate(gate);
+                gateResults.push(gateResult);
+                // Check if gate failed and should stop
+                if (!gateResult.success && this.pack.execution?.on_failure === 'stop') {
+                    console.log(chalk.yellow(`🛑 Gate ${gate} failed, stopping execution`));
+                    break;
+                }
+            }
+            // Execute afterAll hooks
+            console.log(chalk.blue('\n🔗 Phase 3: Cleanup Hooks'));
+            const afterAllResults = await this.hooksRunner.executeHooks('afterAll');
+            // Calculate results
+            const duration = Date.now() - startTime;
+            const summary = this.calculateSummary(gateResults);
+            const success = summary.failed === 0;
+            // Generate proof
+            console.log(chalk.blue('\n📋 Phase 4: Proof Generation'));
+            const proofPath = await this.generateProof({
+                success,
+                pack: this.pack,
+                duration,
+                gates: gateResults,
+                hooks: {
+                    beforeAll: beforeAllResults,
+                    beforeEach: [],
+                    afterEach: [],
+                    afterAll: afterAllResults
+                },
+                summary
+            });
+            // Save to Evidence Vault
+            console.log(chalk.blue('\n💾 Phase 5: Evidence Storage'));
+            const runId = proofPath.split('/').pop()?.replace('-proof.json', '') || 'unknown';
+            await this.saveToVault(runId, {
+                success,
+                pack: this.pack,
+                duration,
+                gates: gateResults,
+                hooks: {
+                    beforeAll: beforeAllResults,
+                    beforeEach: [],
+                    afterEach: [],
+                    afterAll: afterAllResults
+                },
+                summary,
+                proofPath
+            }, proofPath);
+            // Final summary
+            console.log(chalk.blue('\n📊 Execution Summary'));
+            console.log(`  Duration: ${duration}ms`);
+            console.log(`  Gates: ${summary.passed}/${summary.total} passed`);
+            console.log(`  Trust Score: ${summary.trustScore}%`);
+            console.log(`  Proof: ${proofPath}`);
+            if (success) {
+                console.log(chalk.green('\n✅ All quality gates passed!'));
+            }
+            else {
+                console.log(chalk.red(`\n❌ ${summary.failed} quality gate(s) failed`));
+            }
+            return {
+                success,
+                pack: this.pack,
+                duration,
+                gates: gateResults,
+                hooks: {
+                    beforeAll: beforeAllResults,
+                    beforeEach: [],
+                    afterEach: [],
+                    afterAll: afterAllResults
+                },
+                summary,
+                proofPath
+            };
+        }
+        catch (error) {
+            const duration = Date.now() - startTime;
+            // Ensure cleanup even on error
+            try {
+                await this.hooksRunner.executeHooks('afterAll');
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+            return {
+                success: false,
+                pack: this.pack,
+                duration,
+                gates: [],
+                hooks: { beforeAll: [], beforeEach: [], afterEach: [], afterAll: [] },
+                summary: { total: 0, passed: 0, failed: 0, trustScore: 0 },
+                error: this.redactor.redact(error instanceof Error ? error.message : 'Unknown error')
+            };
+        }
+    }
+    /**
+     * Execute a single quality gate
+     */
+    async executeGate(gate) {
+        const startTime = Date.now();
+        console.log(chalk.cyan(`\n  🎯 Gate: ${gate}`));
+        try {
+            let result;
+            let adapter;
+            switch (gate) {
+                case 'api_smoke':
+                    adapter = 'playwright-api';
+                    result = await this.runApiSmokeGate();
+                    break;
+                case 'ui':
+                    adapter = 'playwright-ui';
+                    result = await this.runUiGate();
+                    break;
+                case 'a11y':
+                    adapter = 'playwright-ui';
+                    result = await this.runA11yGate();
+                    break;
+                case 'perf':
+                    adapter = 'k6';
+                    result = await this.runPerfGate();
+                    break;
+                case 'sast':
+                    adapter = 'semgrep';
+                    result = await this.runSastGate();
+                    break;
+                case 'dast':
+                    adapter = 'zap';
+                    result = await this.runDastGate();
+                    break;
+                default:
+                    throw new Error(`Unknown gate: ${gate}`);
+            }
+            const duration = Date.now() - startTime;
+            if (result.success) {
+                console.log(chalk.green(`    ✅ ${gate} passed (${duration}ms)`));
+            }
+            else {
+                console.log(chalk.red(`    ❌ ${gate} failed (${duration}ms)`));
+                if (result.error) {
+                    console.log(chalk.red(`    🔍 ${result.error}`));
+                }
+            }
+            return {
+                gate,
+                success: result.success,
+                duration,
+                adapter,
+                results: result,
+                junit: result.junit,
+                error: result.error
+            };
+        }
+        catch (error) {
+            const duration = Date.now() - startTime;
+            const errorMessage = this.redactor.redact(error instanceof Error ? error.message : 'Unknown error');
+            console.log(chalk.red(`    💥 ${gate} crashed (${duration}ms): ${errorMessage}`));
+            return {
+                gate,
+                success: false,
+                duration,
+                adapter: 'unknown',
+                results: null,
+                error: errorMessage
+            };
+        }
+    }
+    /**
+     * Run API smoke gate
+     */
+    async runApiSmokeGate() {
+        if (!this.pack.targets?.api) {
+            throw new Error('API smoke gate requires targets.api configuration');
+        }
+        const adapter = new PlaywrightApiAdapter();
+        return await adapter.runSmokeTests({
+            target: this.pack.targets.api,
+            budgets: this.pack.budgets,
+            timeout: this.pack.execution?.timeout || 10000,
+            retries: this.pack.execution?.max_retries || 1
+        });
+    }
+    /**
+     * Run UI gate (includes basic accessibility)
+     */
+    async runUiGate() {
+        if (!this.pack.targets?.web) {
+            throw new Error('UI gate requires targets.web configuration');
+        }
+        const adapter = new PlaywrightUiAdapter();
+        return await adapter.runSmokeTests({
+            target: this.pack.targets.web,
+            budgets: this.pack.budgets,
+            timeout: this.pack.execution?.timeout || 30000
+        });
+    }
+    /**
+     * Run A11y gate (focused accessibility testing)
+     */
+    async runA11yGate() {
+        // Same as UI gate but focused on accessibility
+        return await this.runUiGate();
+    }
+    /**
+     * Run performance gate
+     */
+    async runPerfGate() {
+        const baseUrl = this.pack.targets?.web?.baseUrl || this.pack.targets?.api?.baseUrl;
+        if (!baseUrl) {
+            throw new Error('Performance gate requires web or api target');
+        }
+        const adapter = new K6PerfAdapter(this.workingDir);
+        return await adapter.runPerfTest({
+            baseUrl,
+            budgets: this.pack.budgets,
+            duration: '30s',
+            vus: 5,
+            timeout: 120000
+        });
+    }
+    /**
+     * Run SAST gate
+     */
+    async runSastGate() {
+        const adapter = new SemgrepSastAdapter();
+        return await adapter.runSastScan({
+            workingDir: this.workingDir,
+            security: this.pack.security,
+            rules: ['auto'],
+            paths: ['src/', 'lib/', '.'],
+            timeout: 120000
+        });
+    }
+    /**
+     * Run DAST gate (mock implementation)
+     */
+    async runDastGate() {
+        // Mock DAST implementation for Phase 3
+        console.log(chalk.yellow('    ⚠️  DAST gate: Mock implementation (ZAP integration in Phase 4)'));
+        return {
+            success: true,
+            findings: [],
+            summary: { total: 0, high: 0, medium: 0, low: 0 },
+            junit: `<?xml version="1.0" encoding="UTF-8"?>
+<testsuite name="DAST Mock" tests="1" failures="0" time="0">
+  <testcase name="Mock DAST Scan" time="0"></testcase>
+</testsuite>`
+        };
+    }
+    /**
+     * Calculate execution summary
+     */
+    calculateSummary(gateResults) {
+        const total = gateResults.length;
+        const passed = gateResults.filter(g => g.success).length;
+        const failed = total - passed;
+        // Calculate trust score (weighted by gate importance)
+        const gateWeights = {
+            'api_smoke': 20,
+            'ui': 15,
+            'perf': 15,
+            'sast': 20,
+            'dast': 20,
+            'a11y': 10
+        };
+        let totalWeight = 0;
+        let passedWeight = 0;
+        for (const gate of gateResults) {
+            const weight = gateWeights[gate.gate] || 10;
+            totalWeight += weight;
+            if (gate.success) {
+                passedWeight += weight;
+            }
+        }
+        const trustScore = totalWeight > 0 ? Math.round((passedWeight / totalWeight) * 100) : 0;
+        return { total, passed, failed, trustScore };
+    }
+    /**
+     * Generate cryptographically signed proof document
+     */
+    async generateProof(result) {
+        const timestamp = new Date().toISOString();
+        const runId = `run-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+        // Build proof payload (without signature)
+        const proofPayload = {
+            version: '3.0.0',
+            runId,
+            timestamp,
+            pack: {
+                name: result.pack.name,
+                version: result.pack.version,
+                gates: result.pack.gates
+            },
+            execution: {
+                duration: result.duration,
+                success: result.success,
+                trustScore: result.summary.trustScore
+            },
+            gates: result.gates.map(g => ({
+                gate: g.gate,
+                adapter: g.adapter,
+                success: g.success,
+                duration: g.duration,
+                error: g.error
+            })),
+            hooks: {
+                beforeAll: result.hooks.beforeAll.length,
+                afterAll: result.hooks.afterAll.length
+            }
+        };
+        // Canonicalize the payload for signing
+        const canonicalPayload = canonicalize(proofPayload);
+        // Sign with Ed25519
+        let signatureValue;
+        let algorithm;
+        let publicKeyB64;
+        if (this.keyPair) {
+            signatureValue = sign(canonicalPayload, this.keyPair.secretKey);
+            algorithm = 'ed25519';
+            publicKeyB64 = Buffer.from(this.keyPair.publicKey).toString('base64');
+            console.log(chalk.green('   🔏 Proof signed with Ed25519'));
+        }
+        else {
+            signatureValue = `unsigned-${runId}`;
+            algorithm = 'none';
+            publicKeyB64 = '';
+            console.log(chalk.yellow('   ⚠️  Proof unsigned (no keys available)'));
+        }
+        // Build complete proof with signature
+        const proof = {
+            ...proofPayload,
+            signature: {
+                algorithm,
+                publicKey: publicKeyB64,
+                value: signatureValue,
+                timestamp
+            }
+        };
+        // Save proof
+        const proofPath = join(this.outputDir, `${runId}-proof.json`);
+        writeFileSync(proofPath, JSON.stringify(proof, null, 2));
+        return proofPath;
+    }
+    /**
+     * Save run results to Evidence Vault
+     */
+    async saveToVault(runId, result, proofPath) {
+        if (!this.vault) {
+            console.log(chalk.yellow('   ⚠️  Vault not initialized, skipping storage'));
+            return;
+        }
+        try {
+            // Begin run in vault (returns actual runId used)
+            const { runId: vaultRunId } = await this.vault.beginRun({
+                pack_path: 'test-pack.yaml',
+                pack_hash: this.hashPack(result.pack)
+            });
+            // Finish run with final status
+            await this.vault.finishRun(vaultRunId, {
+                status: result.success ? 'passed' : 'failed',
+                trust_score: result.summary.trustScore,
+                signature: this.keyPair ? 'ed25519-signed' : undefined
+            });
+            // Record gate executions
+            for (const gate of result.gates) {
+                await this.vault.recordGate(runId, {
+                    name: gate.gate,
+                    status: gate.success ? 'passed' : 'failed',
+                    duration_ms: gate.duration,
+                    metrics_json: JSON.stringify(gate.results?.summary || {})
+                });
+                // Record finding if gate has error
+                if (gate.error) {
+                    await this.vault.recordFinding(runId, {
+                        gate: gate.gate,
+                        severity: 'high',
+                        rule: 'gate-failure',
+                        message: gate.error
+                    });
+                }
+            }
+            console.log(chalk.green('   💾 Run saved to Evidence Vault'));
+        }
+        catch (error) {
+            console.log(chalk.yellow(`   ⚠️  Failed to save to vault: ${error}`));
+        }
+    }
+    /**
+     * Generate hash of pack configuration
+     */
+    hashPack(pack) {
+        return createHash('sha256')
+            .update(JSON.stringify(pack))
+            .digest('hex')
+            .substring(0, 16);
+    }
+    /**
+     * Ensure output directory exists
+     */
+    ensureOutputDir() {
+        if (!existsSync(this.outputDir)) {
+            mkdirSync(this.outputDir, { recursive: true });
+        }
+    }
+}

package/dist/core/secrets/crypto.d.ts

@@ -0,0 +1,76 @@
+/**
+ * QA360 Secrets Cryptography
+ * AES-256-GCM encryption with PBKDF2 key derivation
+ */
+export interface EncryptedData {
+    data: string;
+    iv: string;
+    salt: string;
+    tag: string;
+    algorithm: 'aes-256-gcm';
+    iterations: number;
+}
+export interface SecretEntry {
+    name: string;
+    value: string;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface SecretsStore {
+    version: string;
+    encrypted: EncryptedData;
+    checksum: string;
+}
+export declare class SecretsCrypto {
+    private static readonly ALGORITHM;
+    private static readonly KEY_LENGTH;
+    private static readonly IV_LENGTH;
+    private static readonly SALT_LENGTH;
+    private static readonly TAG_LENGTH;
+    private static readonly ITERATIONS;
+    /**
+     * Encrypt secrets with password-derived key
+     */
+    static encrypt(secrets: Record<string, SecretEntry>, password: string): SecretsStore;
+    /**
+     * Decrypt secrets with password
+     */
+    static decrypt(store: SecretsStore, password: string): Record<string, SecretEntry>;
+    /**
+     * Generate a secure random password
+     */
+    static generatePassword(length?: number): string;
+    /**
+     * Derive password from system keychain or environment
+     */
+    static deriveSystemPassword(): Promise<string>;
+    /**
+     * Get password from macOS Keychain
+     */
+    private static getMacOSKeychainPassword;
+    /**
+     * Get password from Linux keyring (using secret-tool)
+     */
+    private static getLinuxKeychainPassword;
+    /**
+     * Get password from Windows Credential Manager
+     */
+    private static getWindowsCredentialPassword;
+    /**
+     * Generate machine-specific password as fallback
+     */
+    private static generateMachinePassword;
+    /**
+     * Calculate checksum for integrity verification
+     */
+    private static calculateChecksum;
+    /**
+     * Redact secret value for logging
+     */
+    static redactSecret(value: string): string;
+    /**
+     * Check if a string looks like a secret
+     */
+    static looksLikeSecret(value: string): boolean;
+}
+//# sourceMappingURL=crypto.d.ts.map

package/dist/core/secrets/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/core/secrets/crypto.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,aAAa,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,aAAa,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAiB;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAM;IACxC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAM;IACvC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAM;IACzC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAM;IACxC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAU;IAE5C;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY;IA6CpF;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC;IAqClF;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM;IAYpD;;OAEG;WACU,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC;IAyBpD;;OAEG;mBACkB,wBAAwB;IAqB7C;;OAEG;mBACkB,wBAAwB;IAqB7C;;OAEG;mBACkB,4BAA4B;IAqBjD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAmBtC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,iBAAiB;IAKhC;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAO1C;;OAEG;IACH,MAAM,CAAC,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAW/C"}