safepropel 1.0.1

package/LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2024
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,161 @@
+# SafePropel Framework
+
+Unified Protection System for AI Workflow Execution with 4-layer security architecture.
+
+## Features
+
+- **4-Layer Security Architecture**
+  - Approach 1: Prompt Compilation (binary format)
+  - Approach 2: Encryption (AES-256-GCM)
+  - Approach 3: Runtime Prompt Engine (access control)
+  - Approach 4: Prompt Firewall (injection/extraction protection)
+
+- **35+ Built-in Workflows**
+  - Specification & Requirements (create-spec, create-user-stories, create-epics)
+  - Architecture & Design (design-architecture, design-model)
+  - Development Planning (plan-development-tasks, plan-unit-test, plan-bug-resolution)
+  - DevOps & Infrastructure (plan-cicd-pipeline, plan-cloud-infrastructure, create-iac)
+  - Testing & Validation (create-test-plan, generate-playwright-scripts, validation-agent)
+  - Code Review & Quality (review-code, review-devops-security, analyze-codebase)
+  - Agent Orchestration (discovery-agent, backlog-agent, build-feature-agent, bug-fixing-agent)
+
+## Installation
+
+```bash
+npm install -g safepropel
+```
+
+## Quick Start
+
+### Basic Usage
+
+```bash
+# Run a workflow
+safepropel create-spec BRD.txt
+
+# Run without input file
+safepropel design-architecture
+
+# Show help
+safepropel --help
+```
+
+### With Encrypted Bundle
+
+If using an encrypted bundle, provide a license key:
+
+```bash
+# Via command line
+safepropel create-spec BRD.txt --license-key=your-key-here
+
+# Via environment variable
+export SAFEPROPEL_LICENSE_KEY=your-key-here
+safepropel create-spec BRD.txt
+```
+
+### Custom Bundle Path
+
+```bash
+# Via command line
+safepropel create-spec BRD.txt --bundle=./custom/bundle.enc
+
+# Via environment variable
+export SAFEPROPEL_BUNDLE_PATH=./custom/bundle.enc
+safepropel create-spec BRD.txt
+```
+
+## Available Workflows
+
+### Specification & Requirements
+- `create-spec` - Generate functional requirements from feature specifications
+- `create-figma-spec` - Generate UX requirements and screen specifications
+- `create-user-stories` - Generate detailed user stories from epics
+- `create-epics` - Generate epic decomposition from specifications
+- `create-project-plan` - Generate comprehensive project plan
+- `create-sprint-plan` - Generate sprint plan with dependency mapping
+
+### Architecture & Design
+- `design-architecture` - Generate architecture design documents
+- `design-model` - Generate UML diagrams and architectural models
+- `analyze-codebase` - Comprehensive codebase analysis
+- `analyze-implementation` - Review completed code changes
+- `analyze-ux` - UI/UX analysis with Playwright automation
+
+### Development Planning
+- `plan-development-tasks` - Generate implementation tasks
+- `plan-unit-test` - Generate unit test plans
+- `plan-bug-resolution` - Bug triage and resolution planning
+- `implement-tasks` - Execute development tasks
+
+### DevOps & Infrastructure
+- `plan-cicd-pipeline` - Design CI/CD pipeline architecture
+- `plan-cloud-infrastructure` - Generate infrastructure specifications
+- `create-iac` - Generate Terraform Infrastructure as Code
+- `create-pipeline-scripts` - Generate CI/CD pipeline scripts
+- `devops-agent` - Orchestrate DevOps phase
+
+### Testing & Validation
+- `create-test-plan` - Generate comprehensive test plans
+- `create-automation-test` - Create test workflow specifications
+- `generate-playwright-scripts` - Generate Playwright automation scripts
+- `validation-agent` - Orchestrate test automation
+
+### Code Review & Quality
+- `review-code` - Comprehensive code review
+- `review-devops-security` - Security review of DevOps artifacts
+- `pull-request` - Create pull requests with validation
+
+### Prototyping & Design
+- `build-prototype` - Transform business hypotheses into prototypes
+- `generate-figma` - Generate Figma artifacts
+- `generate-wireframe` - Generate wireframes from requirements
+
+### Agent Orchestration
+- `discovery-agent` - Orchestrate technical discovery
+- `backlog-agent` - Transform specs into backlog
+- `build-feature-agent` - Orchestrate implementation phase
+- `bug-fixing-agent` - Orchestrate bug resolution
+
+### Evaluation
+- `evaluate-output` - Validate workflow outputs
+
+## Environment Variables
+
+- `SAFEPROPEL_LICENSE_KEY` - License key for encrypted bundles
+- `SAFEPROPEL_BUNDLE_PATH` - Custom bundle path (default: ./engine/prompt_bundle.enc)
+
+## Security Features
+
+### Prompt Protection
+- Prompts never exposed in readable form
+- Binary compilation prevents reverse engineering
+- AES-256-GCM encryption for additional security
+- Runtime access control and audit logging
+
+### Input Validation
+- Prompt injection detection and prevention
+- Extraction attempt blocking
+- Input sanitization with configurable strictness
+- Threat pattern recognition
+
+### Access Control
+- Controlled content access through runtime engine
+- Audit logging for all bundle accesses
+- License-based access for encrypted bundles
+
+## Output
+
+Workflows generate output in `.propel/context/docs/` directory with structured documentation following predefined templates.
+
+## Requirements
+
+- Node.js >= 14.0.0
+- No external dependencies (uses only Node.js built-in modules)
+
+## License
+
+ISC
+
+## Support
+
+For issues, questions, or feature requests, please contact the maintainer.

package/engine/runtime.js

@@ -0,0 +1,406 @@
+/**
+ * SafePropel Runtime Prompt Engine
+ *
+ * Loads a compiled prompt bundle (.bin) and reconstructs prompts
+ * in memory on demand. Prompts never touch disk in readable form.
+ *
+ * IP PROTECTION: By default, only metadata (paths) is exposed.
+ * Content is accessible only through explicit getContent() call.
+ *
+ * Usage:
+ *   const runtime = new PromptRuntime();
+ *   runtime.load('path/to/prompt_bundle.bin');
+ *   
+ *   // Get metadata only (safe)
+ *   const meta = runtime.get('.windsurf/workflows/create-spec.md');
+ *   console.log(meta.path);  // OK - path only
+ *   
+ *   // Get content only when needed (keep in memory)
+ *   const content = runtime.getContent('.windsurf/workflows/create-spec.md');
+ *   // NEVER log or expose content
+ */
+
+'use strict';
+
+const fs = require('fs');
+const zlib = require('zlib');
+const crypto = require('crypto');
+
+// --- Integrated Encryption (Approach 2) ---
+const ENCRYPTION_ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const SALT_LENGTH = 32;
+const PBKDF2_ITERATIONS = 100000;
+
+// --- Integrated Firewall (Approach 4) ---
+const INJECTION_PATTERNS = [
+  /ignore\s+(all\s+)?(previous|prior|above|system)\s+(instructions?|prompts?|rules?)/i,
+  /disregard\s+(all\s+)?(previous|prior|above|system)\s+(instructions?|prompts?|rules?)/i,
+  /forget\s+(all\s+)?(previous|prior|above|system)\s+(instructions?|prompts?|rules?)/i,
+  /you\s+are\s+now\s+(a|an)\s+/i,
+  /act\s+as\s+(if\s+)?(you\s+are|a|an)\s+/i,
+  /show\s+(me\s+)?(your|the)\s+(system\s+)?(prompt|instruction|rule)/i,
+  /print\s+(your|the)\s+(system\s+)?(prompt|instruction|rule)/i,
+  /reveal\s+(your|the)\s+(system\s+)?(prompt|instruction|rule)/i,
+  /repeat\s+(everything|all)\s+(above|before)/i,
+];
+
+// --- Constants ---------------------------------------------------------------
+
+const MAGIC_COMPILED = Buffer.from('SPBL');
+const MAGIC_ENCRYPTED = Buffer.from('SPEC');
+const HEADER_SIZE_COMPILED = 16; // 4 magic + 4 version + 4 count + 4 payload size
+
+// --- Runtime Engine ----------------------------------------------------------
+
+class PromptRuntime {
+  constructor(options = {}) {
+    this._manifest = null;
+    this._index = new Map();   // path  → entry
+    this._typeIndex = new Map(); // type → [entry]
+    this._licenseKey = null;
+    this._isEncrypted = false;
+    
+    // Integrated Firewall (Approach 4)
+    this.firewallEnabled = options.firewallEnabled !== false;
+    this.firewallStrictMode = options.firewallStrictMode || false;
+    this.maxInputLength = options.maxInputLength || 50000;
+    
+    // Access Control (Approach 3)
+    this.accessControl = {
+      allowContentAccess: options.allowContentAccess !== false,
+      logAccess: options.logAccess !== false
+    };
+    
+    // Security metrics
+    this.metrics = {
+      bundleLoads: 0,
+      contentAccesses: 0,
+      firewallBlocks: 0,
+      decryptionAttempts: 0
+    };
+  }
+
+  /**
+   * Derives encryption key from license key.
+   */
+  _deriveKey(licenseKey, salt) {
+    return crypto.pbkdf2Sync(
+      licenseKey,
+      salt,
+      PBKDF2_ITERATIONS,
+      KEY_LENGTH,
+      'sha256'
+    );
+  }
+
+  /**
+   * Decrypts encrypted bundle (Approach 2).
+   */
+  _decryptBundle(encryptedData, licenseKey) {
+    let offset = 0;
+    
+    const magic = encryptedData.subarray(offset, offset + 4);
+    offset += 4;
+    if (!magic.equals(MAGIC_ENCRYPTED)) {
+      throw new Error('Invalid encrypted bundle: bad magic marker');
+    }
+    
+    const version = encryptedData.readUInt32LE(offset);
+    offset += 4;
+    
+    const saltLength = encryptedData.readUInt32LE(offset);
+    offset += 4;
+    const salt = encryptedData.subarray(offset, offset + saltLength);
+    offset += saltLength;
+    
+    const ivLength = encryptedData.readUInt32LE(offset);
+    offset += 4;
+    const iv = encryptedData.subarray(offset, offset + ivLength);
+    offset += ivLength;
+    
+    const authTagLength = encryptedData.readUInt32LE(offset);
+    offset += 4;
+    const authTag = encryptedData.subarray(offset, offset + authTagLength);
+    offset += authTagLength;
+    
+    const payloadLength = encryptedData.readUInt32LE(offset);
+    offset += 4;
+    const encrypted = encryptedData.subarray(offset, offset + payloadLength);
+    
+    const key = this._deriveKey(licenseKey, salt);
+    const decipher = crypto.createDecipheriv(ENCRYPTION_ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    
+    try {
+      return Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final()
+      ]);
+    } catch (error) {
+      throw new Error('Decryption failed: invalid license key or corrupted bundle');
+    }
+  }
+
+  /**
+   * Validates input through integrated firewall (Approach 4).
+   */
+  validateInput(input) {
+    if (!this.firewallEnabled) {
+      return { allowed: true, sanitized: input, threats: [] };
+    }
+    
+    const threats = [];
+    let sanitized = input;
+    
+    // Length check
+    if (input.length > this.maxInputLength) {
+      threats.push('input_too_long');
+      if (this.firewallStrictMode) {
+        this.metrics.firewallBlocks++;
+        return {
+          allowed: false,
+          sanitized: '',
+          threats,
+          message: `Input exceeds maximum length of ${this.maxInputLength} characters.`
+        };
+      }
+      sanitized = sanitized.substring(0, this.maxInputLength);
+    }
+    
+    // Injection/extraction detection
+    for (const pattern of INJECTION_PATTERNS) {
+      if (pattern.test(sanitized)) {
+        threats.push('prompt_injection_or_extraction');
+        if (this.firewallStrictMode) {
+          this.metrics.firewallBlocks++;
+          return {
+            allowed: false,
+            sanitized: '',
+            threats,
+            message: 'Potential prompt injection/extraction detected. Request blocked.'
+          };
+        }
+        // Sanitize in permissive mode
+        sanitized = sanitized.replace(pattern, '[REMOVED]');
+        break;
+      }
+    }
+    
+    return {
+      allowed: true,
+      sanitized,
+      threats,
+      message: threats.length > 0 ? 'Input sanitized for security.' : 'Input validated successfully.'
+    };
+  }
+
+  /**
+   * Loads and validates a bundle (encrypted or compiled).
+   * Automatically detects format and decrypts if needed.
+   * Prompts are decompressed into memory — nothing is written to disk.
+   *
+   * @param {string} bundlePath  Absolute path to the bundle file.
+   * @param {string} [licenseKey]  License key for encrypted bundles.
+   */
+  load(bundlePath, licenseKey = null) {
+    const raw = fs.readFileSync(bundlePath);
+    
+    // Detect bundle format
+    const magic = raw.subarray(0, 4);
+    let compiledData;
+    
+    if (magic.equals(MAGIC_ENCRYPTED)) {
+      // Encrypted bundle - decrypt first (Approach 2)
+      if (!licenseKey) {
+        throw new Error('License key required for encrypted bundle');
+      }
+      this._licenseKey = licenseKey;
+      this._isEncrypted = true;
+      this.metrics.decryptionAttempts++;
+      
+      compiledData = this._decryptBundle(raw, licenseKey);
+    } else if (magic.equals(MAGIC_COMPILED)) {
+      // Compiled bundle - use directly
+      compiledData = raw;
+      this._isEncrypted = false;
+    } else {
+      throw new Error('Invalid bundle format: unrecognized magic marker');
+    }
+    
+    // Load compiled bundle (Approach 1)
+    this._loadCompiled(compiledData);
+    this.metrics.bundleLoads++;
+  }
+
+  /**
+   * Loads compiled bundle data.
+   */
+  _loadCompiled(raw) {
+
+    // --- Validate header ---
+    if (raw.length < HEADER_SIZE_COMPILED) {
+      throw new Error('Invalid bundle: file too small.');
+    }
+
+    const magic = raw.subarray(0, 4);
+    if (!magic.equals(MAGIC_COMPILED)) {
+      throw new Error('Invalid bundle: bad magic marker.');
+    }
+
+    const version = raw.readUInt32LE(4);
+    const entryCount = raw.readUInt32LE(8);
+    const payloadSize = raw.readUInt32LE(12);
+
+    if (raw.length < HEADER_SIZE_COMPILED + payloadSize) {
+      throw new Error('Invalid bundle: truncated payload.');
+    }
+
+    // --- Decompress ---
+    const compressed = raw.subarray(HEADER_SIZE_COMPILED, HEADER_SIZE_COMPILED + payloadSize);
+    const jsonBuf = zlib.inflateSync(compressed);
+    const manifest = JSON.parse(jsonBuf.toString('utf-8'));
+
+    if (manifest.entry_count !== entryCount) {
+      throw new Error('Bundle integrity error: entry count mismatch.');
+    }
+
+    this._manifest = manifest;
+
+    // --- Build indexes ---
+    this._index.clear();
+    this._typeIndex.clear();
+
+    for (const entry of manifest.entries) {
+      this._index.set(entry.path, entry);
+
+      if (!this._typeIndex.has(entry.type)) {
+        this._typeIndex.set(entry.type, []);
+      }
+      this._typeIndex.get(entry.type).push(entry);
+    }
+  }
+
+  /**
+   * Returns bundle metadata (without exposing prompt contents).
+   */
+  info() {
+    if (!this._manifest) throw new Error('No bundle loaded.');
+    return {
+      version: this._manifest.version,
+      compiled_at: this._manifest.compiled_at,
+      framework: this._manifest.framework_root,
+      entry_count: this._manifest.entry_count,
+      encrypted: this._isEncrypted,
+      firewallEnabled: this.firewallEnabled,
+      types: Object.fromEntries(
+        [...this._typeIndex.entries()].map(([t, arr]) => [t, arr.length])
+      ),
+    };
+  }
+
+  /**
+   * Lists all entries in the bundle.
+   * Returns metadata only (paths, types) - NO CONTENT.
+   * 
+   * @param {string} [type]  Optional filter by entry type.
+   * @returns {Array<{ path: string, type: string, id: string }>}
+   */
+  list(type) {
+    if (!this._manifest) throw new Error('No bundle loaded.');
+
+    let entries = this._manifest.entries;
+    if (type) {
+      entries = this._typeIndex.get(type) || [];
+    }
+    // Return metadata only - NO CONTENT
+    return entries.map((e) => ({ path: e.path, type: e.type, id: e.id }));
+  }
+
+  /**
+   * Retrieves a single prompt/instruction by its relative path.
+   * Content is reconstructed in memory from the compiled bundle.
+   * Includes access control (Approach 3).
+   *
+   * @param {string} relativePath  e.g. ".windsurf/workflows/create-spec.md"
+   * @returns {{ path: string, type: string, frontmatter: string|null, content: string }}
+   */
+  get(relativePath) {
+    if (!this._manifest) throw new Error('No bundle loaded.');
+
+    // Access control check
+    if (!this.accessControl.allowContentAccess) {
+      throw new Error('Content access is disabled');
+    }
+
+    const entry = this._index.get(relativePath);
+    if (!entry) {
+      throw new Error('Entry not found in bundle: ' + relativePath);
+    }
+
+    // Reconstruct content from base64 — exists only in memory.
+    const content = Buffer.from(entry.content, 'base64').toString('utf-8');
+    
+    this.metrics.contentAccesses++;
+
+    return {
+      path: entry.path,
+      type: entry.type,
+      frontmatter: entry.frontmatter,
+      content,
+    };
+  }
+
+  /**
+   * Retrieves all entries of a given type with their reconstructed content.
+   *
+   * @param {string} type  One of: agent, instruction, prompt, template, context, config
+   * @returns {Array<{ path: string, type: string, frontmatter: string|null, content: string }>}
+   */
+  getByType(type) {
+    if (!this._manifest) throw new Error('No bundle loaded.');
+
+    const entries = this._typeIndex.get(type) || [];
+    return entries.map((entry) => ({
+      path: entry.path,
+      type: entry.type,
+      frontmatter: entry.frontmatter,
+      content: Buffer.from(entry.content, 'base64').toString('utf-8'),
+    }));
+  }
+
+  /**
+   * Verifies bundle integrity by comparing stored entry count with actual.
+   * @returns {{ valid: boolean, encrypted: boolean, details: string }}
+   */
+  verify() {
+    if (!this._manifest) throw new Error('No bundle loaded.');
+
+    const expected = this._manifest.entry_count;
+    const actual = this._manifest.entries.length;
+    const valid = expected === actual;
+
+    return {
+      valid,
+      encrypted: this._isEncrypted,
+      details: valid
+        ? `Bundle OK — ${actual} entries verified.`
+        : `MISMATCH — header says ${expected}, manifest has ${actual}.`,
+    };
+  }
+  
+  /**
+   * Gets security metrics.
+   */
+  getMetrics() {
+    return {
+      ...this.metrics,
+      firewallEnabled: this.firewallEnabled,
+      firewallStrictMode: this.firewallStrictMode
+    };
+  }
+}
+
+module.exports = { PromptRuntime };