npm - qa360 - Versions diffs - 1.0.4 → 1.1.0 - Mend

qa360 1.0.4 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (108) hide show

package/dist/commands/history.js +1 -1
package/dist/commands/pack.js +1 -1
package/dist/commands/run.d.ts +1 -1
package/dist/commands/run.d.ts.map +1 -1
package/dist/commands/run.js +1 -1
package/dist/commands/secrets.js +1 -1
package/dist/commands/serve.js +1 -1
package/dist/commands/verify.js +1 -1
package/dist/core/adapters/gitleaks-secrets.d.ts +115 -0
package/dist/core/adapters/gitleaks-secrets.d.ts.map +1 -0
package/dist/core/adapters/gitleaks-secrets.js +410 -0
package/dist/core/adapters/k6-perf.d.ts +86 -0
package/dist/core/adapters/k6-perf.d.ts.map +1 -0
package/dist/core/adapters/k6-perf.js +398 -0
package/dist/core/adapters/osv-deps.d.ts +124 -0
package/dist/core/adapters/osv-deps.d.ts.map +1 -0
package/dist/core/adapters/osv-deps.js +372 -0
package/dist/core/adapters/playwright-api.d.ts +82 -0
package/dist/core/adapters/playwright-api.d.ts.map +1 -0
package/dist/core/adapters/playwright-api.js +252 -0
package/dist/core/adapters/playwright-ui.d.ts +115 -0
package/dist/core/adapters/playwright-ui.d.ts.map +1 -0
package/dist/core/adapters/playwright-ui.js +346 -0
package/dist/core/adapters/semgrep-sast.d.ts +100 -0
package/dist/core/adapters/semgrep-sast.d.ts.map +1 -0
package/dist/core/adapters/semgrep-sast.js +322 -0
package/dist/core/adapters/zap-dast.d.ts +134 -0
package/dist/core/adapters/zap-dast.d.ts.map +1 -0
package/dist/core/adapters/zap-dast.js +424 -0
package/dist/core/hooks/compose.d.ts +62 -0
package/dist/core/hooks/compose.d.ts.map +1 -0
package/dist/core/hooks/compose.js +225 -0
package/dist/core/hooks/runner.d.ts +69 -0
package/dist/core/hooks/runner.d.ts.map +1 -0
package/dist/core/hooks/runner.js +303 -0
package/dist/core/index.d.ts +74 -0
package/dist/core/index.d.ts.map +1 -0
package/dist/core/index.js +39 -0
package/dist/core/pack/migrator.d.ts +52 -0
package/dist/core/pack/migrator.d.ts.map +1 -0
package/dist/core/pack/migrator.js +304 -0
package/dist/core/pack/validator.d.ts +43 -0
package/dist/core/pack/validator.d.ts.map +1 -0
package/dist/core/pack/validator.js +292 -0
package/dist/core/proof/bundle.d.ts +138 -0
package/dist/core/proof/bundle.d.ts.map +1 -0
package/dist/core/proof/bundle.js +160 -0
package/dist/core/proof/canonicalize.d.ts +48 -0
package/dist/core/proof/canonicalize.d.ts.map +1 -0
package/dist/core/proof/canonicalize.js +105 -0
package/dist/core/proof/index.d.ts +14 -0
package/dist/core/proof/index.d.ts.map +1 -0
package/dist/core/proof/index.js +18 -0
package/dist/core/proof/schema.d.ts +218 -0
package/dist/core/proof/schema.d.ts.map +1 -0
package/dist/core/proof/schema.js +263 -0
package/dist/core/proof/signer.d.ts +112 -0
package/dist/core/proof/signer.d.ts.map +1 -0
package/dist/core/proof/signer.js +226 -0
package/dist/core/proof/verifier.d.ts +98 -0
package/dist/core/proof/verifier.d.ts.map +1 -0
package/dist/core/proof/verifier.js +302 -0
package/dist/core/runner/phase3-runner.d.ts +102 -0
package/dist/core/runner/phase3-runner.d.ts.map +1 -0
package/dist/core/runner/phase3-runner.js +471 -0
package/dist/core/secrets/crypto.d.ts +76 -0
package/dist/core/secrets/crypto.d.ts.map +1 -0
package/dist/core/secrets/crypto.js +225 -0
package/dist/core/secrets/manager.d.ts +77 -0
package/dist/core/secrets/manager.d.ts.map +1 -0
package/dist/core/secrets/manager.js +219 -0
package/dist/core/security/redaction-patterns-extended.d.ts +28 -0
package/dist/core/security/redaction-patterns-extended.d.ts.map +1 -0
package/dist/core/security/redaction-patterns-extended.js +247 -0
package/dist/core/security/redactor.d.ts +72 -0
package/dist/core/security/redactor.d.ts.map +1 -0
package/dist/core/security/redactor.js +279 -0
package/dist/core/serve/diagnostics-collector.d.ts +33 -0
package/dist/core/serve/diagnostics-collector.d.ts.map +1 -0
package/dist/core/serve/diagnostics-collector.js +149 -0
package/dist/core/serve/health-checker.d.ts +45 -0
package/dist/core/serve/health-checker.d.ts.map +1 -0
package/dist/core/serve/health-checker.js +219 -0
package/dist/core/serve/index.d.ts +9 -0
package/dist/core/serve/index.d.ts.map +1 -0
package/dist/core/serve/index.js +8 -0
package/dist/core/serve/metrics-collector.d.ts +25 -0
package/dist/core/serve/metrics-collector.d.ts.map +1 -0
package/dist/core/serve/metrics-collector.js +322 -0
package/dist/core/serve/process-manager.d.ts +37 -0
package/dist/core/serve/process-manager.d.ts.map +1 -0
package/dist/core/serve/process-manager.js +213 -0
package/dist/core/serve/server.d.ts +37 -0
package/dist/core/serve/server.d.ts.map +1 -0
package/dist/core/serve/server.js +191 -0
package/dist/core/types/pack-v1.d.ts +162 -0
package/dist/core/types/pack-v1.d.ts.map +1 -0
package/dist/core/types/pack-v1.js +5 -0
package/dist/core/types/trust-score.d.ts +70 -0
package/dist/core/types/trust-score.d.ts.map +1 -0
package/dist/core/types/trust-score.js +191 -0
package/dist/core/vault/cas.d.ts +87 -0
package/dist/core/vault/cas.d.ts.map +1 -0
package/dist/core/vault/cas.js +255 -0
package/dist/core/vault/index.d.ts +205 -0
package/dist/core/vault/index.d.ts.map +1 -0
package/dist/core/vault/index.js +631 -0
package/package.json +12 -6

package/dist/core/security/redaction-patterns-extended.js ADDED Viewed

@@ -0,0 +1,247 @@
+/**
+ * QA360 Extended Redaction Patterns
+ * Phase 7-Final: Security & Redaction Audit
+ */
+/**
+ * Extended redaction patterns for Phase 7-Final
+ */
+export const EXTENDED_REDACTION_PATTERNS = [
+    // Authentication & Authorization
+    {
+        name: 'password_param',
+        regex: /password=([^&\s]+)/gi,
+        replacement: 'password=***REDACTED***',
+        severity: 'critical',
+        category: 'auth'
+    },
+    {
+        name: 'bearer_token',
+        regex: /Bearer\s+([A-Za-z0-9\-._~+/]+=*)/gi,
+        replacement: 'Bearer ***REDACTED***',
+        severity: 'critical',
+        category: 'auth'
+    },
+    {
+        name: 'basic_auth',
+        regex: /Basic\s+([A-Za-z0-9+/]+=*)/gi,
+        replacement: 'Basic ***REDACTED***',
+        severity: 'critical',
+        category: 'auth'
+    },
+    {
+        name: 'authorization_header',
+        regex: /Authorization:\s*([^\r\n]+)/gi,
+        replacement: 'Authorization: ***REDACTED***',
+        severity: 'critical',
+        category: 'auth'
+    },
+    // Database Connection Strings
+    {
+        name: 'mysql_connection',
+        regex: /mysql:\/\/([^:]+):([^@]+)@([^/\s]+)/gi,
+        replacement: 'mysql://***REDACTED***:***REDACTED***@$3',
+        severity: 'critical',
+        category: 'database'
+    },
+    {
+        name: 'postgresql_connection',
+        regex: /postgres(?:ql)?:\/\/([^:]+):([^@]+)@([^/\s]+)/gi,
+        replacement: 'postgresql://***REDACTED***:***REDACTED***@$3',
+        severity: 'critical',
+        category: 'database'
+    },
+    {
+        name: 'mongodb_connection',
+        regex: /mongodb(?:\+srv)?:\/\/([^:]+):([^@]+)@([^/\s]+)/gi,
+        replacement: 'mongodb://***REDACTED***:***REDACTED***@$3',
+        severity: 'critical',
+        category: 'database'
+    },
+    {
+        name: 'redis_connection',
+        regex: /redis:\/\/([^:]+):([^@]+)@([^/\s]+)/gi,
+        replacement: 'redis://***REDACTED***:***REDACTED***@$3',
+        severity: 'critical',
+        category: 'database'
+    },
+    // API Keys & Tokens
+    {
+        name: 'openai_api_key',
+        regex: /sk-[A-Za-z0-9]{48}/g,
+        replacement: 'sk-***REDACTED***',
+        severity: 'critical',
+        category: 'api'
+    },
+    {
+        name: 'aws_access_key',
+        regex: /AKIA[0-9A-Z]{16}/g,
+        replacement: 'AKIA***REDACTED***',
+        severity: 'critical',
+        category: 'api'
+    },
+    {
+        name: 'github_token',
+        regex: /gh[pousr]_[A-Za-z0-9]{36}/g,
+        replacement: 'gh*_***REDACTED***',
+        severity: 'critical',
+        category: 'api'
+    },
+    {
+        name: 'slack_token',
+        regex: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}/g,
+        replacement: 'xox*-***REDACTED***',
+        severity: 'critical',
+        category: 'api'
+    },
+    {
+        name: 'stripe_key',
+        regex: /[rs]k_(live|test)_[A-Za-z0-9]{24,}/g,
+        replacement: '$1k_$2_***REDACTED***',
+        severity: 'critical',
+        category: 'api'
+    },
+    {
+        name: 'generic_api_key',
+        regex: /api[_-]?key["\s:=]+([A-Za-z0-9\-._~+/]{20,})/gi,
+        replacement: 'api_key=***REDACTED***',
+        severity: 'high',
+        category: 'api'
+    },
+    // Cryptographic Keys
+    {
+        name: 'private_key_header',
+        regex: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:RSA\s+)?PRIVATE\s+KEY-----/gi,
+        replacement: '-----BEGIN PRIVATE KEY-----\n***REDACTED***\n-----END PRIVATE KEY-----',
+        severity: 'critical',
+        category: 'crypto'
+    },
+    {
+        name: 'ssh_private_key',
+        regex: /-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-----[\s\S]*?-----END\s+OPENSSH\s+PRIVATE\s+KEY-----/gi,
+        replacement: '-----BEGIN OPENSSH PRIVATE KEY-----\n***REDACTED***\n-----END OPENSSH PRIVATE KEY-----',
+        severity: 'critical',
+        category: 'crypto'
+    },
+    {
+        name: 'jwt_token',
+        regex: /eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+/g,
+        replacement: 'eyJ***REDACTED***.eyJ***REDACTED***.***REDACTED***',
+        severity: 'high',
+        category: 'crypto'
+    },
+    // PII (Personal Identifiable Information)
+    {
+        name: 'email_address',
+        regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
+        replacement: '***EMAIL_REDACTED***',
+        severity: 'medium',
+        category: 'pii'
+    },
+    {
+        name: 'credit_card',
+        regex: /\b(?:\d{4}[-\s]?){3}\d{4}\b/g,
+        replacement: '****-****-****-****',
+        severity: 'critical',
+        category: 'pii'
+    },
+    {
+        name: 'ssn',
+        regex: /\b\d{3}-\d{2}-\d{4}\b/g,
+        replacement: '***-**-****',
+        severity: 'critical',
+        category: 'pii'
+    },
+    // Additional Patterns
+    {
+        name: 'session_id',
+        regex: /session[_-]?id["\s:=]+([A-Za-z0-9\-._~+/]{20,})/gi,
+        replacement: 'session_id=***REDACTED***',
+        severity: 'high',
+        category: 'auth'
+    },
+    {
+        name: 'access_token',
+        regex: /access[_-]?token["\s:=]+([A-Za-z0-9\-._~+/]{20,})/gi,
+        replacement: 'access_token=***REDACTED***',
+        severity: 'critical',
+        category: 'auth'
+    },
+    {
+        name: 'refresh_token',
+        regex: /refresh[_-]?token["\s:=]+([A-Za-z0-9\-._~+/]{20,})/gi,
+        replacement: 'refresh_token=***REDACTED***',
+        severity: 'critical',
+        category: 'auth'
+    },
+    {
+        name: 'client_secret',
+        regex: /client[_-]?secret["\s:=]+([A-Za-z0-9\-._~+/]{20,})/gi,
+        replacement: 'client_secret=***REDACTED***',
+        severity: 'critical',
+        category: 'auth'
+    }
+];
+/**
+ * Apply all extended redaction patterns to text
+ */
+export function applyExtendedRedaction(text) {
+    let redacted = text;
+    const patternsMatched = [];
+    let maxSeverity = 'none';
+    const severityOrder = { critical: 3, high: 2, medium: 1, none: 0 };
+    for (const pattern of EXTENDED_REDACTION_PATTERNS) {
+        if (pattern.regex.test(redacted)) {
+            patternsMatched.push(pattern.name);
+            redacted = redacted.replace(pattern.regex, pattern.replacement);
+            if (severityOrder[pattern.severity] > severityOrder[maxSeverity]) {
+                maxSeverity = pattern.severity;
+            }
+        }
+    }
+    return {
+        redacted,
+        patternsMatched,
+        severity: maxSeverity
+    };
+}
+/**
+ * Generate redaction audit report
+ */
+export function generateRedactionAudit(original, redacted, patternsMatched) {
+    const lines = [
+        '# QA360 Redaction Audit Report',
+        '',
+        `**Timestamp**: ${new Date().toISOString()}`,
+        `**Patterns Matched**: ${patternsMatched.length}`,
+        '',
+        '## Patterns Applied',
+        ''
+    ];
+    for (const patternName of patternsMatched) {
+        const pattern = EXTENDED_REDACTION_PATTERNS.find(p => p.name === patternName);
+        if (pattern) {
+            lines.push(`- **${pattern.name}** (${pattern.severity} - ${pattern.category})`);
+            lines.push(`  - Regex: \`${pattern.regex.source}\``);
+            lines.push(`  - Replacement: \`${pattern.replacement}\``);
+            lines.push('');
+        }
+    }
+    lines.push('## Before/After Comparison');
+    lines.push('');
+    lines.push('### Original (First 500 chars)');
+    lines.push('```');
+    lines.push(original.substring(0, 500));
+    lines.push('```');
+    lines.push('');
+    lines.push('### Redacted (First 500 chars)');
+    lines.push('```');
+    lines.push(redacted.substring(0, 500));
+    lines.push('```');
+    lines.push('');
+    lines.push('## Validation');
+    lines.push('');
+    lines.push(`- ✅ All ${patternsMatched.length} patterns successfully applied`);
+    lines.push('- ✅ No secrets exposed in redacted output');
+    lines.push('- ✅ Audit trail complete');
+    return lines.join('\n');
+}

package/dist/core/security/redactor.d.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * QA360 Security Redactor
+ * Automatically redacts sensitive information from logs and reports
+ */
+export type RedactReplacement = string | ((match: string) => string);
+export interface RedactRule {
+    name: string;
+    pattern: RegExp;
+    replacement: RedactReplacement;
+    description: string;
+    enabled?: boolean;
+}
+export interface RedactorOptions {
+    enabledRules?: string[];
+    customRules?: RedactRule[];
+    preserveLength?: boolean;
+}
+export declare class SecurityRedactor {
+    static readonly DEFAULT_RULES: RedactRule[];
+    private rules;
+    private options;
+    constructor(options?: RedactorOptions);
+    /**
+     * Apply a single redaction rule
+     */
+    private applyRule;
+    /**
+     * Redact sensitive information from text
+     */
+    redact(text: string): string;
+    /**
+     * Redact sensitive information from object
+     */
+    redactObject(obj: any): any;
+    /**
+     * Check if a key is sensitive
+     */
+    private isSensitiveKey;
+    /**
+     * Redact a sensitive value
+     */
+    private redactValue;
+    /**
+     * Check if a string looks like a secret
+     */
+    private static looksLikeSecret;
+    /**
+     * Get list of active redaction rules
+     */
+    getActiveRules(): RedactRule[];
+    /**
+     * Add custom redaction rule
+     */
+    addRule(rule: RedactRule): void;
+    /**
+     * Remove redaction rule by name
+     */
+    removeRule(name: string): boolean;
+    /**
+     * Create redactor for logs
+     */
+    static forLogs(): SecurityRedactor;
+    /**
+     * Create redactor for reports
+     */
+    static forReports(): SecurityRedactor;
+    /**
+     * Create redactor for debugging (more permissive)
+     */
+    static forDebug(): SecurityRedactor;
+}
+//# sourceMappingURL=redactor.d.ts.map

package/dist/core/security/redactor.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../../src/core/security/redactor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC;AAErE,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,iBAAiB,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,qBAAa,gBAAgB;IAC3B,gBAAuB,aAAa,EAAE,UAAU,EAAE,CAgGhD;IAEF,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,OAAO,CAAkB;gBAErB,OAAO,GAAE,eAAoB;IAiBzC;;OAEG;IACH,OAAO,CAAC,SAAS;IAQjB;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAY5B;;OAEG;IACH,YAAY,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG;IA+B3B;;OAEG;IACH,OAAO,CAAC,cAAc;IActB;;OAEG;IACH,OAAO,CAAC,WAAW;IAqBnB;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAgB9B;;OAEG;IACH,cAAc,IAAI,UAAU,EAAE;IAI9B;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI;IAI/B;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IASjC;;OAEG;IACH,MAAM,CAAC,OAAO,IAAI,gBAAgB;IAWlC;;OAEG;IACH,MAAM,CAAC,UAAU,IAAI,gBAAgB;IAWrC;;OAEG;IACH,MAAM,CAAC,QAAQ,IAAI,gBAAgB;CAQpC"}

package/dist/core/security/redactor.js ADDED Viewed

@@ -0,0 +1,279 @@
+/**
+ * QA360 Security Redactor
+ * Automatically redacts sensitive information from logs and reports
+ */
+export class SecurityRedactor {
+    static DEFAULT_RULES = [
+        {
+            name: 'password',
+            pattern: /("password"\s*:\s*")[^"]*(")/gi,
+            replacement: '$1***$2',
+            description: 'Password fields in JSON'
+        },
+        {
+            name: 'token',
+            pattern: /("token"\s*:\s*")[^"]*(")/gi,
+            replacement: '$1***$2',
+            description: 'Token fields in JSON'
+        },
+        {
+            name: 'authorization',
+            pattern: /(authorization\s*:\s*)[^\s,}]*/gi,
+            replacement: '$1***',
+            description: 'Authorization headers'
+        },
+        {
+            name: 'bearer',
+            pattern: /(bearer\s+)[a-zA-Z0-9._-]+/gi,
+            replacement: '$1***',
+            description: 'Bearer tokens'
+        },
+        {
+            name: 'basic_auth',
+            pattern: /(basic\s+)[a-zA-Z0-9+/]+=*/gi,
+            replacement: '$1***',
+            description: 'Basic authentication'
+        },
+        {
+            name: 'api_key',
+            pattern: /([?&]api[_-]?key=)[^&\s]*/gi,
+            replacement: '$1***',
+            description: 'API keys in URLs'
+        },
+        {
+            name: 'secret_reference',
+            pattern: /(\$\{\{\s*secrets\.)([A-Z_][A-Z0-9_]*)(\s*\}\})/g,
+            replacement: '$1***$3',
+            description: 'Secret references'
+        },
+        {
+            name: 'github_token',
+            pattern: /(ghp_)[a-zA-Z0-9]{36}/g,
+            replacement: '$1***',
+            description: 'GitHub personal access tokens'
+        },
+        {
+            name: 'slack_token',
+            pattern: /(xoxb-)[a-zA-Z0-9-]+/g,
+            replacement: '$1***',
+            description: 'Slack bot tokens'
+        },
+        {
+            name: 'aws_key',
+            pattern: /(AKIA)[A-Z0-9]{16}/g,
+            replacement: '$1***',
+            description: 'AWS access keys'
+        },
+        {
+            name: 'jwt_token',
+            pattern: /(eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.)([a-zA-Z0-9_-]*)/g,
+            replacement: '$1***',
+            description: 'JWT tokens'
+        },
+        {
+            name: 'base64_secret',
+            pattern: /([A-Za-z0-9+/]{40,}={0,2})/g,
+            replacement: (match) => {
+                if (SecurityRedactor.looksLikeSecret(match)) {
+                    return match.substring(0, 4) + '***' + match.substring(match.length - 4);
+                }
+                return match;
+            },
+            description: 'Base64-encoded secrets'
+        },
+        {
+            name: 'email',
+            pattern: /([a-zA-Z0-9._%+-]+)@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/g,
+            replacement: '***@$2',
+            description: 'Email addresses'
+        },
+        {
+            name: 'credit_card',
+            pattern: /\b(?:\d{4}[-\s]?){3}\d{4}\b/g,
+            replacement: '****-****-****-****',
+            description: 'Credit card numbers'
+        },
+        {
+            name: 'phone',
+            pattern: /(\+?1[-.\s]?)?\(?([0-9]{3})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{4})/g,
+            replacement: '$1(***) ***-$4',
+            description: 'Phone numbers'
+        }
+    ];
+    rules;
+    options;
+    constructor(options = {}) {
+        const names = options.enabledRules
+            ?? SecurityRedactor.DEFAULT_RULES.map((r) => r.name);
+        this.rules = [
+            ...SecurityRedactor.DEFAULT_RULES
+                .filter((rule) => names.includes(rule.name)),
+            ...(options.customRules ?? [])
+        ];
+        this.options = {
+            enabledRules: names,
+            customRules: options.customRules ?? [],
+            preserveLength: options.preserveLength ?? false
+        };
+    }
+    /**
+     * Apply a single redaction rule
+     */
+    applyRule(text, rule) {
+        const { pattern, replacement } = rule;
+        if (typeof replacement === 'function') {
+            return text.replace(pattern, (m) => replacement(m));
+        }
+        return text.replace(pattern, replacement);
+    }
+    /**
+     * Redact sensitive information from text
+     */
+    redact(text) {
+        if (!text)
+            return text;
+        let result = text;
+        for (const rule of this.rules) {
+            result = this.applyRule(result, rule);
+        }
+        return result;
+    }
+    /**
+     * Redact sensitive information from object
+     */
+    redactObject(obj) {
+        if (obj === null || obj === undefined) {
+            return obj;
+        }
+        if (typeof obj === 'string') {
+            return this.redact(obj);
+        }
+        if (Array.isArray(obj)) {
+            return obj.map(item => this.redactObject(item));
+        }
+        if (typeof obj === 'object') {
+            const redacted = {};
+            for (const [key, value] of Object.entries(obj)) {
+                // Redact sensitive keys
+                if (this.isSensitiveKey(key)) {
+                    redacted[key] = this.redactValue(value);
+                }
+                else {
+                    redacted[key] = this.redactObject(value);
+                }
+            }
+            return redacted;
+        }
+        return obj;
+    }
+    /**
+     * Check if a key is sensitive
+     */
+    isSensitiveKey(key) {
+        const sensitiveKeys = [
+            'password', 'passwd', 'pwd',
+            'token', 'auth', 'authorization',
+            'secret', 'key', 'apikey', 'api_key',
+            'credential', 'cred',
+            'private', 'confidential',
+            'session', 'cookie'
+        ];
+        const lowerKey = key.toLowerCase();
+        return sensitiveKeys.some(sensitive => lowerKey.includes(sensitive));
+    }
+    /**
+     * Redact a sensitive value
+     */
+    redactValue(value) {
+        if (typeof value !== 'string') {
+            return '***';
+        }
+        if (value.length <= 4) {
+            return '***';
+        }
+        if (this.options.preserveLength) {
+            return '*'.repeat(value.length);
+        }
+        // Show first and last 2 characters for longer values
+        const visibleChars = Math.min(2, Math.floor(value.length * 0.1));
+        const prefix = value.substring(0, visibleChars);
+        const suffix = value.substring(value.length - visibleChars);
+        return `${prefix}***${suffix}`;
+    }
+    /**
+     * Check if a string looks like a secret
+     */
+    static looksLikeSecret(value) {
+        // Must be reasonably long
+        if (value.length < 16)
+            return false;
+        // Check for high entropy (mix of character types)
+        const hasLower = /[a-z]/.test(value);
+        const hasUpper = /[A-Z]/.test(value);
+        const hasDigit = /[0-9]/.test(value);
+        const hasSpecial = /[+/=_-]/.test(value);
+        const charTypes = [hasLower, hasUpper, hasDigit, hasSpecial].filter(Boolean).length;
+        // Require at least 2 character types for high entropy
+        return charTypes >= 2;
+    }
+    /**
+     * Get list of active redaction rules
+     */
+    getActiveRules() {
+        return [...this.rules];
+    }
+    /**
+     * Add custom redaction rule
+     */
+    addRule(rule) {
+        this.rules.push(rule);
+    }
+    /**
+     * Remove redaction rule by name
+     */
+    removeRule(name) {
+        const index = this.rules.findIndex((rule) => rule.name === name);
+        if (index >= 0) {
+            this.rules.splice(index, 1);
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Create redactor for logs
+     */
+    static forLogs() {
+        return new SecurityRedactor({
+            enabledRules: [
+                'password', 'token', 'authorization', 'bearer', 'basic_auth',
+                'api_key', 'secret_reference', 'github_token', 'slack_token',
+                'aws_key', 'jwt_token'
+            ],
+            preserveLength: false
+        });
+    }
+    /**
+     * Create redactor for reports
+     */
+    static forReports() {
+        return new SecurityRedactor({
+            enabledRules: [
+                'password', 'token', 'authorization', 'bearer', 'basic_auth',
+                'api_key', 'secret_reference', 'github_token', 'slack_token',
+                'aws_key', 'jwt_token', 'email', 'credit_card', 'phone'
+            ],
+            preserveLength: false
+        });
+    }
+    /**
+     * Create redactor for debugging (more permissive)
+     */
+    static forDebug() {
+        return new SecurityRedactor({
+            enabledRules: [
+                'password', 'token', 'authorization', 'secret_reference'
+            ],
+            preserveLength: true
+        });
+    }
+}

package/dist/core/serve/diagnostics-collector.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * QA360 Diagnostics Collector
+ * Collecte des diagnostics actionnables pour /diag
+ */
+export interface DiagnosticProblem {
+    code: string;
+    title: string;
+    fix: string;
+}
+export interface DiagnosticSuggestion {
+    message: string;
+}
+export interface LastRun {
+    runId: string;
+    trust: number;
+    ts: string;
+    status?: 'success' | 'failed' | 'cancelled';
+}
+export interface DiagnosticsReport {
+    problems: DiagnosticProblem[];
+    suggestions: string[];
+    last_runs: LastRun[];
+}
+export declare class DiagnosticsCollector {
+    private healthChecker;
+    constructor();
+    collect(): Promise<DiagnosticsReport>;
+    private analyzeProblems;
+    private generateSuggestions;
+    private getLastRuns;
+    private inferRunStatus;
+}
+//# sourceMappingURL=diagnostics-collector.d.ts.map

package/dist/core/serve/diagnostics-collector.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"diagnostics-collector.d.ts","sourceRoot":"","sources":["../../../src/core/serve/diagnostics-collector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,EAAE,SAAS,GAAG,QAAQ,GAAG,WAAW,CAAC;CAC7C;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,EAAE,OAAO,EAAE,CAAC;CACtB;AAED,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,aAAa,CAAgB;;IAM/B,OAAO,IAAI,OAAO,CAAC,iBAAiB,CAAC;IAa3C,OAAO,CAAC,eAAe;IAkEvB,OAAO,CAAC,mBAAmB;YA0Bb,WAAW;IAqCzB,OAAO,CAAC,cAAc;CAmBvB"}