qa360 1.0.3 → 1.1.0

package/dist/core/secrets/crypto.js

@@ -0,0 +1,225 @@
+/**
+ * QA360 Secrets Cryptography
+ * AES-256-GCM encryption with PBKDF2 key derivation
+ */
+import { createCipheriv, createDecipheriv, randomBytes, pbkdf2Sync, createHash } from 'crypto';
+export class SecretsCrypto {
+    static ALGORITHM = 'aes-256-gcm';
+    static KEY_LENGTH = 32; // 256 bits
+    static IV_LENGTH = 16; // 128 bits
+    static SALT_LENGTH = 32; // 256 bits
+    static TAG_LENGTH = 16; // 128 bits
+    static ITERATIONS = 100000; // PBKDF2 iterations
+    /**
+     * Encrypt secrets with password-derived key
+     */
+    static encrypt(secrets, password) {
+        try {
+            // Generate random salt and IV
+            const salt = randomBytes(this.SALT_LENGTH);
+            const iv = randomBytes(this.IV_LENGTH);
+            // Derive key from password using PBKDF2
+            const key = pbkdf2Sync(password, salt, this.ITERATIONS, this.KEY_LENGTH, 'sha256');
+            // Serialize secrets
+            const plaintext = JSON.stringify(secrets);
+            // Encrypt using AES-256-GCM
+            const cipher = createCipheriv(this.ALGORITHM, key, iv);
+            cipher.setAAD(Buffer.from('qa360-secrets-v1'));
+            let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+            encrypted += cipher.final('hex');
+            const tag = cipher.getAuthTag();
+            // Create encrypted data structure
+            const encryptedData = {
+                data: encrypted,
+                iv: iv.toString('hex'),
+                salt: salt.toString('hex'),
+                tag: tag.toString('hex'),
+                algorithm: this.ALGORITHM,
+                iterations: this.ITERATIONS
+            };
+            // Calculate checksum for integrity
+            const checksum = this.calculateChecksum(encryptedData);
+            return {
+                version: '1.0.0',
+                encrypted: encryptedData,
+                checksum
+            };
+        }
+        catch (error) {
+            throw new Error(`Encryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    /**
+     * Decrypt secrets with password
+     */
+    static decrypt(store, password) {
+        try {
+            // Verify checksum
+            const expectedChecksum = this.calculateChecksum(store.encrypted);
+            if (store.checksum !== expectedChecksum) {
+                throw new Error('Secrets store integrity check failed');
+            }
+            const { data, iv, salt, tag, algorithm, iterations } = store.encrypted;
+            // Verify algorithm
+            if (algorithm !== this.ALGORITHM) {
+                throw new Error(`Unsupported encryption algorithm: ${algorithm}`);
+            }
+            // Derive key from password
+            const key = pbkdf2Sync(password, Buffer.from(salt, 'hex'), iterations, this.KEY_LENGTH, 'sha256');
+            // Decrypt using AES-256-GCM
+            const decipher = createDecipheriv(algorithm, key, Buffer.from(iv, 'hex'));
+            decipher.setAAD(Buffer.from('qa360-secrets-v1'));
+            decipher.setAuthTag(Buffer.from(tag, 'hex'));
+            let decrypted = decipher.update(data, 'hex', 'utf8');
+            decrypted += decipher.final('utf8');
+            // Parse secrets
+            return JSON.parse(decrypted);
+        }
+        catch (error) {
+            if (error instanceof Error && /unsupported state|authenticity|bad decrypt|unable to decrypt/i.test(error.message)) {
+                throw new Error('Invalid password or corrupted secrets store');
+            }
+            throw new Error(`Decryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    /**
+     * Generate a secure random password
+     */
+    static generatePassword(length = 32) {
+        const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
+        let password = '';
+        for (let i = 0; i < length; i++) {
+            const randomIndex = Math.floor(Math.random() * charset.length);
+            password += charset[randomIndex];
+        }
+        return password;
+    }
+    /**
+     * Derive password from system keychain or environment
+     */
+    static async deriveSystemPassword() {
+        // Try to get from environment first (for CI/CD)
+        const envPassword = process.env.QA360_SECRETS_PASSWORD;
+        if (envPassword) {
+            return envPassword;
+        }
+        // Try to get from system keychain (macOS/Linux)
+        try {
+            if (process.platform === 'darwin') {
+                return await this.getMacOSKeychainPassword();
+            }
+            else if (process.platform === 'linux') {
+                return await this.getLinuxKeychainPassword();
+            }
+            else if (process.platform === 'win32') {
+                return await this.getWindowsCredentialPassword();
+            }
+        }
+        catch (error) {
+            // Fallback to machine-specific derived password
+            console.warn('System keychain unavailable, using machine-derived password');
+        }
+        // Generate machine-specific password as fallback
+        return this.generateMachinePassword();
+    }
+    /**
+     * Get password from macOS Keychain
+     */
+    static async getMacOSKeychainPassword() {
+        const { execSync } = require('child_process');
+        try {
+            // Try to get existing password
+            const result = execSync('security find-generic-password -a qa360 -s "QA360 Secrets" -w', { encoding: 'utf8', stdio: 'pipe' });
+            return result.trim();
+        }
+        catch (error) {
+            // Create new password if not found
+            const password = this.generatePassword();
+            execSync(`security add-generic-password -a qa360 -s "QA360 Secrets" -w "${password}"`, { stdio: 'pipe' });
+            return password;
+        }
+    }
+    /**
+     * Get password from Linux keyring (using secret-tool)
+     */
+    static async getLinuxKeychainPassword() {
+        const { execSync } = require('child_process');
+        try {
+            // Try to get existing password
+            const result = execSync('secret-tool lookup application qa360 service secrets', { encoding: 'utf8', stdio: 'pipe' });
+            return result.trim();
+        }
+        catch (error) {
+            // Create new password if not found
+            const password = this.generatePassword();
+            execSync(`echo "${password}" | secret-tool store --label="QA360 Secrets" application qa360 service secrets`, { stdio: 'pipe' });
+            return password;
+        }
+    }
+    /**
+     * Get password from Windows Credential Manager
+     */
+    static async getWindowsCredentialPassword() {
+        const { execSync } = require('child_process');
+        try {
+            // Try to get existing password
+            const result = execSync('powershell -Command "Get-StoredCredential -Target QA360-Secrets | Select-Object -ExpandProperty Password"', { encoding: 'utf8', stdio: 'pipe' });
+            return result.trim();
+        }
+        catch (error) {
+            // Create new password if not found
+            const password = this.generatePassword();
+            execSync(`powershell -Command "New-StoredCredential -Target QA360-Secrets -UserName qa360 -Password '${password}'"`, { stdio: 'pipe' });
+            return password;
+        }
+    }
+    /**
+     * Generate machine-specific password as fallback
+     */
+    static generateMachinePassword() {
+        const os = require('os');
+        // Collect machine-specific data
+        const machineData = [
+            os.hostname(),
+            os.platform(),
+            os.arch(),
+            os.userInfo().username,
+            process.env.HOME || process.env.USERPROFILE || '',
+        ].join('|');
+        // Hash machine data to create consistent password
+        const hash = createHash('sha256').update(machineData + 'qa360-secrets-salt').digest('hex');
+        // Convert to password format
+        return hash.substring(0, 32);
+    }
+    /**
+     * Calculate checksum for integrity verification
+     */
+    static calculateChecksum(data) {
+        const content = `${data.data}${data.iv}${data.salt}${data.tag}${data.algorithm}${data.iterations}`;
+        return createHash('sha256').update(content).digest('hex');
+    }
+    /**
+     * Redact secret value for logging
+     */
+    static redactSecret(value) {
+        const n = value.length;
+        if (n <= 4)
+            return '***';
+        if (n <= 8)
+            return value.slice(0, 2) + '***' + value.slice(-2);
+        return value.slice(0, 3) + '***' + value.slice(-3);
+    }
+    /**
+     * Check if a string looks like a secret
+     */
+    static looksLikeSecret(value) {
+        if (value.length < 8)
+            return false;
+        const RX_BASE64 = /^(?:[A-Za-z0-9+/]{16,}={0,2})$/;
+        const RX_OPENAI = /^sk-[A-Za-z0-9]{20,}$/;
+        const RX_GH = /^ghp_[A-Za-z0-9]{36,}$/;
+        const RX_SLACK = /^xox[baprs]-\d{10,}-\d{10,}-[A-Za-z0-9]{10,}$/;
+        const RX_HEX = /^(?:[A-Fa-f0-9]{32,})$/;
+        return RX_OPENAI.test(value) || RX_GH.test(value) || RX_SLACK.test(value) || RX_BASE64.test(value) || RX_HEX.test(value);
+    }
+}

package/dist/core/secrets/manager.d.ts

@@ -0,0 +1,77 @@
+/**
+ * QA360 Secrets Manager
+ * Manages encrypted secrets storage and retrieval
+ */
+export interface SecretsManagerOptions {
+    qa360Dir?: string;
+    password?: string;
+}
+export declare class SecretsManager {
+    private qa360Dir;
+    private secretsPath;
+    private password;
+    private cache;
+    constructor(options?: SecretsManagerOptions);
+    /**
+     * Initialize secrets manager with password
+     */
+    initialize(password?: string): Promise<void>;
+    /**
+     * Add or update a secret
+     */
+    addSecret(name: string, value: string): Promise<void>;
+    /**
+     * Get a secret value
+     */
+    getSecret(name: string): Promise<string | null>;
+    /**
+     * List all secret names (without values)
+     */
+    listSecrets(): Promise<Array<{
+        name: string;
+        createdAt: string;
+        updatedAt: string;
+    }>>;
+    /**
+     * Remove a secret
+     */
+    removeSecret(name: string): Promise<boolean>;
+    /**
+     * Check if secrets store exists and is accessible
+     */
+    doctor(): Promise<{
+        exists: boolean;
+        accessible: boolean;
+        count: number;
+        errors: string[];
+    }>;
+    /**
+     * Export secrets in redacted format for debugging
+     */
+    exportRedacted(): Promise<Record<string, string>>;
+    /**
+     * Interpolate secrets in a string
+     */
+    interpolateSecrets(text: string): Promise<string>;
+    /**
+     * Find secret references in text
+     */
+    findSecretReferences(text: string): string[];
+    /**
+     * Validate that all referenced secrets exist
+     */
+    validateSecretReferences(text: string): Promise<string[]>;
+    /**
+     * Load secrets from encrypted store
+     */
+    private loadSecrets;
+    /**
+     * Save secrets to encrypted store
+     */
+    private saveSecrets;
+    /**
+     * Ensure manager is initialized
+     */
+    private ensureInitialized;
+}
+//# sourceMappingURL=manager.d.ts.map

package/dist/core/secrets/manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../../src/core/secrets/manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAuB;IACvC,OAAO,CAAC,KAAK,CAA4C;gBAE7C,OAAO,GAAE,qBAA0B;IAU/C;;OAEG;IACG,UAAU,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQlD;;OAEG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA0B3D;;OAEG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAOrD;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAW3F;;OAEG;IACG,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBlD;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC;QACtB,MAAM,EAAE,OAAO,CAAC;QAChB,UAAU,EAAE,OAAO,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IAsBF;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAavD;;OAEG;IACG,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA8BvD;;OAEG;IACH,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE;IAU5C;;OAEG;IACG,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAU/D;;OAEG;YACW,WAAW;IAqBzB;;OAEG;YACW,WAAW;IAgBzB;;OAEG;YACW,iBAAiB;CAKhC"}

package/dist/core/secrets/manager.js

@@ -0,0 +1,219 @@
+/**
+ * QA360 Secrets Manager
+ * Manages encrypted secrets storage and retrieval
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from 'fs';
+import { join } from 'path';
+import { SecretsCrypto } from './crypto.js';
+export class SecretsManager {
+    qa360Dir;
+    secretsPath;
+    password = null;
+    cache = null;
+    constructor(options = {}) {
+        this.qa360Dir = options.qa360Dir || join(process.cwd(), '.qa360');
+        this.secretsPath = join(this.qa360Dir, 'secrets.enc');
+        // Ensure .qa360 directory exists
+        if (!existsSync(this.qa360Dir)) {
+            mkdirSync(this.qa360Dir, { recursive: true });
+        }
+    }
+    /**
+     * Initialize secrets manager with password
+     */
+    async initialize(password) {
+        if (password) {
+            this.password = password;
+        }
+        else {
+            this.password = await SecretsCrypto.deriveSystemPassword();
+        }
+    }
+    /**
+     * Add or update a secret
+     */
+    async addSecret(name, value) {
+        await this.ensureInitialized();
+        // Validate secret name
+        if (!/^[A-Z_][A-Z0-9_]*$/.test(name)) {
+            throw new Error('Secret name must be uppercase with underscores only (e.g., API_TOKEN)');
+        }
+        // Load existing secrets
+        const secrets = await this.loadSecrets();
+        // Add or update secret
+        secrets[name] = {
+            name,
+            value,
+            createdAt: secrets[name]?.createdAt || new Date().toISOString(),
+            updatedAt: new Date().toISOString()
+        };
+        // Save encrypted secrets
+        await this.saveSecrets(secrets);
+        // Clear cache
+        this.cache = null;
+    }
+    /**
+     * Get a secret value
+     */
+    async getSecret(name) {
+        await this.ensureInitialized();
+        const secrets = await this.loadSecrets();
+        return secrets[name]?.value || null;
+    }
+    /**
+     * List all secret names (without values)
+     */
+    async listSecrets() {
+        await this.ensureInitialized();
+        const secrets = await this.loadSecrets();
+        return Object.values(secrets).map(({ name, createdAt, updatedAt }) => ({
+            name,
+            createdAt,
+            updatedAt
+        }));
+    }
+    /**
+     * Remove a secret
+     */
+    async removeSecret(name) {
+        await this.ensureInitialized();
+        const secrets = await this.loadSecrets();
+        if (!secrets[name]) {
+            return false;
+        }
+        delete secrets[name];
+        await this.saveSecrets(secrets);
+        // Clear cache
+        this.cache = null;
+        return true;
+    }
+    /**
+     * Check if secrets store exists and is accessible
+     */
+    async doctor() {
+        const errors = [];
+        let exists = false;
+        let accessible = false;
+        let count = 0;
+        try {
+            exists = existsSync(this.secretsPath);
+            if (exists) {
+                await this.ensureInitialized();
+                const secrets = await this.loadSecrets();
+                accessible = true;
+                count = Object.keys(secrets).length;
+            }
+        }
+        catch (error) {
+            errors.push(error instanceof Error ? error.message : 'Unknown error');
+        }
+        return { exists, accessible, count, errors };
+    }
+    /**
+     * Export secrets in redacted format for debugging
+     */
+    async exportRedacted() {
+        await this.ensureInitialized();
+        const secrets = await this.loadSecrets();
+        const redacted = {};
+        for (const [name, entry] of Object.entries(secrets)) {
+            redacted[name] = SecretsCrypto.redactSecret(entry.value);
+        }
+        return redacted;
+    }
+    /**
+     * Interpolate secrets in a string
+     */
+    async interpolateSecrets(text) {
+        await this.ensureInitialized();
+        // Find all secret references: ${{ secrets.SECRET_NAME }}
+        const secretRefs = text.match(/\$\{\{\s*secrets\.([A-Z_][A-Z0-9_]*)\s*\}\}/g);
+        if (!secretRefs) {
+            return text;
+        }
+        const secrets = await this.loadSecrets();
+        let result = text;
+        for (const ref of secretRefs) {
+            const match = ref.match(/\$\{\{\s*secrets\.([A-Z_][A-Z0-9_]*)\s*\}\}/);
+            if (match) {
+                const secretName = match[1];
+                const secretValue = secrets[secretName]?.value;
+                if (secretValue) {
+                    result = result.replace(ref, secretValue);
+                }
+                else {
+                    throw new Error(`Secret not found: ${secretName}`);
+                }
+            }
+        }
+        return result;
+    }
+    /**
+     * Find secret references in text
+     */
+    findSecretReferences(text) {
+        const matches = text.match(/\$\{\{\s*secrets\.([A-Z_][A-Z0-9_]*)\s*\}\}/g);
+        if (!matches)
+            return [];
+        return matches.map(match => {
+            const secretMatch = match.match(/\$\{\{\s*secrets\.([A-Z_][A-Z0-9_]*)\s*\}\}/);
+            return secretMatch ? secretMatch[1] : '';
+        }).filter(Boolean);
+    }
+    /**
+     * Validate that all referenced secrets exist
+     */
+    async validateSecretReferences(text) {
+        const references = this.findSecretReferences(text);
+        if (references.length === 0)
+            return [];
+        await this.ensureInitialized();
+        const secrets = await this.loadSecrets();
+        return references.filter(ref => !secrets[ref]);
+    }
+    /**
+     * Load secrets from encrypted store
+     */
+    async loadSecrets() {
+        if (this.cache) {
+            return this.cache;
+        }
+        if (!existsSync(this.secretsPath)) {
+            this.cache = {};
+            return this.cache;
+        }
+        try {
+            const encryptedContent = readFileSync(this.secretsPath, 'utf8');
+            const store = JSON.parse(encryptedContent);
+            this.cache = SecretsCrypto.decrypt(store, this.password);
+            return this.cache;
+        }
+        catch (error) {
+            throw new Error(`Failed to load secrets: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    /**
+     * Save secrets to encrypted store
+     */
+    async saveSecrets(secrets) {
+        try {
+            const store = SecretsCrypto.encrypt(secrets, this.password);
+            const encryptedContent = JSON.stringify(store, null, 2);
+            writeFileSync(this.secretsPath, encryptedContent, 'utf8');
+            // Set restrictive permissions (owner read/write only)
+            chmodSync(this.secretsPath, 0o600);
+            this.cache = secrets;
+        }
+        catch (error) {
+            throw new Error(`Failed to save secrets: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    /**
+     * Ensure manager is initialized
+     */
+    async ensureInitialized() {
+        if (!this.password) {
+            await this.initialize();
+        }
+    }
+}

package/dist/core/security/redaction-patterns-extended.d.ts

@@ -0,0 +1,28 @@
+/**
+ * QA360 Extended Redaction Patterns
+ * Phase 7-Final: Security & Redaction Audit
+ */
+export interface RedactionPattern {
+    name: string;
+    regex: RegExp;
+    replacement: string;
+    severity: 'critical' | 'high' | 'medium';
+    category: 'auth' | 'database' | 'api' | 'crypto' | 'pii';
+}
+/**
+ * Extended redaction patterns for Phase 7-Final
+ */
+export declare const EXTENDED_REDACTION_PATTERNS: RedactionPattern[];
+/**
+ * Apply all extended redaction patterns to text
+ */
+export declare function applyExtendedRedaction(text: string): {
+    redacted: string;
+    patternsMatched: string[];
+    severity: 'critical' | 'high' | 'medium' | 'none';
+};
+/**
+ * Generate redaction audit report
+ */
+export declare function generateRedactionAudit(original: string, redacted: string, patternsMatched: string[]): string;
+//# sourceMappingURL=redaction-patterns-extended.d.ts.map

package/dist/core/security/redaction-patterns-extended.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction-patterns-extended.d.ts","sourceRoot":"","sources":["../../../src/core/security/redaction-patterns-extended.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,QAAQ,EAAE,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,QAAQ,GAAG,KAAK,CAAC;CAC1D;AAED;;GAEG;AACH,eAAO,MAAM,2BAA2B,EAAE,gBAAgB,EAoLzD,CAAC;AAEF;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG;IACpD,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;CACnD,CAuBA;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EAAE,GACxB,MAAM,CAwCR"}