sentinelayer-cli 0.6.2 → 0.8.1

package/src/agents/infrastructure/index.js

@@ -0,0 +1,12 @@
+// Kat (infrastructure persona) — barrel export (#A21).
+
+export {
+  INFRASTRUCTURE_TOOLS,
+  INFRASTRUCTURE_TOOL_IDS,
+  dispatchInfrastructureTool,
+  runAllInfrastructureTools,
+  runCheckovRun,
+  runDriftDetect,
+  runIamLeastPrivCheck,
+  runTflintRun,
+} from "./tools/index.js";

package/src/agents/infrastructure/tools/base.js

@@ -0,0 +1,171 @@
+// Shared helpers for Kat's (infrastructure) domain tools (#A21).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+import process from "node:process";
+
+import ignore from "ignore";
+
+const DEFAULT_IGNORED_DIRS = new Set([
+  ".git",
+  "node_modules",
+  ".venv",
+  ".next",
+  "dist",
+  "build",
+  "coverage",
+  ".sentinelayer",
+  ".sentinel",
+  ".turbo",
+  ".idea",
+  ".vscode",
+  "__pycache__",
+  ".cache",
+]);
+const MAX_FILE_SIZE_BYTES = 1024 * 1024;
+const SEVERITIES = Object.freeze(["P0", "P1", "P2", "P3"]);
+
+export function toPosix(value) {
+  return String(value || "").replace(/\\/g, "/");
+}
+
+export function createFinding({
+  severity,
+  kind,
+  file,
+  line = 0,
+  evidence = "",
+  rootCause = "",
+  recommendedFix = "",
+  confidence = null,
+  tool = "",
+  persona = "infrastructure",
+} = {}) {
+  const normalizedSeverity = SEVERITIES.includes(String(severity || "").toUpperCase())
+    ? String(severity).toUpperCase()
+    : "P2";
+  return {
+    persona,
+    tool: String(tool || "").trim(),
+    kind: String(kind || "").trim() || "infrastructure",
+    severity: normalizedSeverity,
+    file: toPosix(file || ""),
+    line: Number.isFinite(Number(line)) ? Math.max(0, Math.floor(Number(line))) : 0,
+    evidence: String(evidence || "").trim().slice(0, 400),
+    rootCause: String(rootCause || "").trim(),
+    recommendedFix: String(recommendedFix || "").trim(),
+    confidence:
+      confidence === null || confidence === undefined
+        ? null
+        : Math.max(0, Math.min(1, Number(confidence) || 0)),
+  };
+}
+
+async function readIgnorePatterns(filePath) {
+  try {
+    const raw = await fsp.readFile(filePath, "utf-8");
+    return String(raw || "")
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line && !line.startsWith("#"));
+  } catch (err) {
+    if (err && typeof err === "object" && err.code === "ENOENT") {
+      return [];
+    }
+    throw err;
+  }
+}
+
+async function createIgnoreMatcher(rootPath) {
+  const matcher = ignore();
+  const gitignore = await readIgnorePatterns(path.join(rootPath, ".gitignore"));
+  const sentinel = await readIgnorePatterns(
+    path.join(rootPath, ".sentinelayerignore")
+  );
+  matcher.add([...gitignore, ...sentinel]);
+  return (relativePath, isDirectory) => {
+    const normalized = toPosix(relativePath);
+    if (!normalized) {
+      return false;
+    }
+    const candidate = isDirectory ? `${normalized}/` : normalized;
+    return matcher.ignores(candidate);
+  };
+}
+
+export async function* walkRepoFiles({
+  rootPath = process.cwd(),
+  extensions = new Set(),
+  maxFileSize = MAX_FILE_SIZE_BYTES,
+} = {}) {
+  const resolvedRoot = path.resolve(rootPath);
+  const ignoreMatcher = await createIgnoreMatcher(resolvedRoot);
+  const wantedExtensions =
+    extensions instanceof Set
+      ? extensions
+      : new Set(Array.isArray(extensions) ? extensions : []);
+  const stack = [resolvedRoot];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    let entries = [];
+    try {
+      entries = await fsp.readdir(current, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const fullPath = path.join(current, entry.name);
+      const relativePath = toPosix(path.relative(resolvedRoot, fullPath));
+      if (entry.isDirectory()) {
+        if (!relativePath || DEFAULT_IGNORED_DIRS.has(entry.name)) {
+          continue;
+        }
+        if (ignoreMatcher(relativePath, true)) {
+          continue;
+        }
+        stack.push(fullPath);
+        continue;
+      }
+      if (!entry.isFile()) {
+        continue;
+      }
+      if (ignoreMatcher(relativePath, false)) {
+        continue;
+      }
+      const ext = path.extname(entry.name).toLowerCase();
+      if (wantedExtensions.size > 0 && !wantedExtensions.has(ext) && !wantedExtensions.has("")) {
+        continue;
+      }
+      let stat = null;
+      try {
+        stat = await fsp.stat(fullPath);
+      } catch {
+        stat = null;
+      }
+      if (!stat || stat.size > maxFileSize) {
+        continue;
+      }
+      yield { fullPath, relativePath };
+    }
+  }
+}
+
+export function findLineMatches(content, pattern) {
+  const text = String(content || "");
+  const global = new RegExp(
+    pattern.source,
+    pattern.flags.includes("g") ? pattern.flags : `${pattern.flags}g`
+  );
+  const matches = [];
+  let match;
+  while ((match = global.exec(text)) !== null) {
+    const lineIndex = text.slice(0, match.index).split(/\r?\n/).length;
+    matches.push({ index: match.index, line: lineIndex, match: match[0] });
+  }
+  return matches;
+}
+
+export function getLineContent(content, line) {
+  const lines = String(content || "").split(/\r?\n/);
+  return (lines[Math.max(0, (Number(line) || 1) - 1)] || "").trim();
+}

package/src/agents/infrastructure/tools/checkov-run.js

@@ -0,0 +1,32 @@
+// checkov-run — advise when IaC is present but Checkov config is not (#A21).
+
+import path from "node:path";
+
+import { createFinding, toPosix, walkRepoFiles } from "./base.js";
+
+export async function runCheckovRun({ rootPath } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  let hasIac = false;
+  let hasConfig = false;
+  for await (const { relativePath } of walkRepoFiles({ rootPath: resolvedRoot })) {
+    const rel = toPosix(relativePath);
+    if (/\.tf$/i.test(rel)) hasIac = true;
+    if (/(^|\/)Dockerfile(\.[\w-]+)?$/i.test(rel)) hasIac = true;
+    if (/(^|\/)k8s\/|(^|\/)kubernetes\/|\.ya?ml$/i.test(rel) && /(deploy|statefulset|cronjob|job|daemonset)/i.test(rel)) hasIac = true;
+    if (/(^|\/)\.checkov\.ya?ml$/i.test(rel)) hasConfig = true;
+  }
+  if (!hasIac || hasConfig) return [];
+  return [
+    createFinding({
+      tool: "checkov-run",
+      kind: "infrastructure.no-checkov-config",
+      severity: "P2",
+      file: "",
+      line: 0,
+      evidence: "Terraform / Dockerfile / K8s manifests present but no .checkov.yaml config",
+      rootCause: "Without Checkov (or equivalent IaC scanner), misconfigurations (public S3 buckets, privileged containers) ship to production.",
+      recommendedFix: "Add .checkov.yaml with a baseline skip-list and run `checkov -d .` in CI before apply.",
+      confidence: 0.6,
+    }),
+  ];
+}

package/src/agents/infrastructure/tools/drift-detect.js

@@ -0,0 +1,59 @@
+// drift-detect — flag checked-in tfstate files and missing drift jobs (#A21).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { createFinding, toPosix, walkRepoFiles } from "./base.js";
+
+export async function runDriftDetect({ rootPath } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  const findings = [];
+  let hasTf = false;
+  let hasDriftJob = false;
+
+  for await (const { fullPath, relativePath } of walkRepoFiles({ rootPath: resolvedRoot })) {
+    const rel = toPosix(relativePath);
+    if (/\.tf$/i.test(rel)) hasTf = true;
+    if (/\.tfstate$/i.test(rel)) {
+      findings.push(
+        createFinding({
+          tool: "drift-detect",
+          kind: "infrastructure.tfstate-committed",
+          severity: "P0",
+          file: rel,
+          line: 0,
+          evidence: `.tfstate checked into source: ${rel}`,
+          rootCause: "Terraform state files contain secrets (AWS creds, TLS keys, service account JSON) and should never be in source control.",
+          recommendedFix: "Delete the file, rotate any credentials it contained, and add *.tfstate to .gitignore. Move state to a remote backend (S3 + DynamoDB lock, GCS, Azure Blob).",
+          confidence: 0.98,
+        })
+      );
+    }
+    if (/(^|\/)\.github\/workflows\//.test(rel)) {
+      try {
+        const content = await fsp.readFile(fullPath, "utf-8");
+        if (/terraform\s+plan\s+-detailed-exitcode|drift[-_]detect|tfplan[-_]diff/i.test(content)) {
+          hasDriftJob = true;
+        }
+      } catch {
+        /* ignore */
+      }
+    }
+  }
+  if (hasTf && !hasDriftJob && !findings.some((f) => f.kind === "infrastructure.tfstate-committed")) {
+    findings.push(
+      createFinding({
+        tool: "drift-detect",
+        kind: "infrastructure.no-drift-job",
+        severity: "P3",
+        file: "",
+        line: 0,
+        evidence: "Terraform in repo but no scheduled drift-detection job in .github/workflows/",
+        rootCause: "Without periodic `terraform plan`, infrastructure drifts silently when someone changes things in the console.",
+        recommendedFix: "Add a scheduled workflow (daily is typical) that runs `terraform plan -detailed-exitcode` and opens an issue on non-zero exit.",
+        confidence: 0.5,
+      })
+    );
+  }
+  return findings;
+}

package/src/agents/infrastructure/tools/iam-least-priv-check.js

@@ -0,0 +1,78 @@
+// iam-least-priv-check — flag IAM wildcards (#A21).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { createFinding, findLineMatches, getLineContent, toPosix, walkRepoFiles } from "./base.js";
+
+const EXTENSIONS = new Set([".json", ".tf", ".yaml", ".yml"]);
+
+const WILDCARD_RULES = [
+  {
+    pattern: /"Action"\s*:\s*\[?\s*"\*"/,
+    kind: "infrastructure.iam-action-wildcard",
+    severity: "P1",
+    rootCause: "IAM policy grants Action:\"*\" — allows anything the principal can be used for. Privilege escalation path.",
+    recommendedFix: "Enumerate the specific actions required (e.g. \"s3:GetObject\", \"s3:PutObject\"). Use IAM Access Analyzer to derive a least-privilege policy from CloudTrail.",
+  },
+  {
+    pattern: /"Resource"\s*:\s*\[?\s*"\*"/,
+    kind: "infrastructure.iam-resource-wildcard",
+    severity: "P1",
+    rootCause: "IAM policy grants Resource:\"*\" — permission applies to every resource in every account the principal can reach.",
+    recommendedFix: "Scope Resource to specific ARNs (arn:aws:s3:::my-bucket/*). For actions that legitimately need all, document why.",
+  },
+  {
+    pattern: /action\s*=\s*\[[^\]]*"\*"/,
+    kind: "infrastructure.iam-action-wildcard",
+    severity: "P1",
+    rootCause: "Terraform IAM policy block grants action = [\"*\"] — same risk as the JSON form.",
+    recommendedFix: "Enumerate specific actions.",
+  },
+];
+
+export async function runIamLeastPrivCheck({ rootPath, files = null } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  const iterator =
+    Array.isArray(files) && files.length > 0
+      ? iterateExplicitFiles(resolvedRoot, files)
+      : walkRepoFiles({ rootPath: resolvedRoot, extensions: EXTENSIONS });
+
+  const findings = [];
+  for await (const { fullPath, relativePath } of iterator) {
+    let content;
+    try {
+      content = await fsp.readFile(fullPath, "utf-8");
+    } catch {
+      continue;
+    }
+    for (const rule of WILDCARD_RULES) {
+      for (const match of findLineMatches(content, rule.pattern)) {
+        findings.push(
+          createFinding({
+            tool: "iam-least-priv-check",
+            kind: rule.kind,
+            severity: rule.severity,
+            file: toPosix(relativePath),
+            line: match.line,
+            evidence: getLineContent(content, match.line),
+            rootCause: rule.rootCause,
+            recommendedFix: rule.recommendedFix,
+            confidence: 0.8,
+          })
+        );
+      }
+    }
+  }
+  return findings;
+}
+
+async function* iterateExplicitFiles(resolvedRoot, files) {
+  for (const file of files) {
+    const trimmed = String(file || "").trim();
+    if (!trimmed) continue;
+    const fullPath = path.isAbsolute(trimmed) ? trimmed : path.join(resolvedRoot, trimmed);
+    const relativePath = path.relative(resolvedRoot, fullPath).replace(/\\/g, "/");
+    yield { fullPath, relativePath };
+  }
+}

package/src/agents/infrastructure/tools/index.js

@@ -0,0 +1,52 @@
+// Kat (infrastructure persona) domain-tool registry (#A21).
+
+import { runCheckovRun } from "./checkov-run.js";
+import { runDriftDetect } from "./drift-detect.js";
+import { runIamLeastPrivCheck } from "./iam-least-priv-check.js";
+import { runTflintRun } from "./tflint-run.js";
+
+export const INFRASTRUCTURE_TOOLS = Object.freeze({
+  "tflint-run": {
+    id: "tflint-run",
+    description: "Advise when Terraform files are present but no .tflint.hcl config.",
+    schema: { type: "object", properties: { rootPath: { type: "string" } } },
+    handler: runTflintRun,
+  },
+  "checkov-run": {
+    id: "checkov-run",
+    description: "Advise when IaC (Terraform / Dockerfile / K8s) is present but no .checkov.yaml config.",
+    schema: { type: "object", properties: { rootPath: { type: "string" } } },
+    handler: runCheckovRun,
+  },
+  "drift-detect": {
+    id: "drift-detect",
+    description: "Flag any .tfstate committed to source and advise when no scheduled drift-detection job exists.",
+    schema: { type: "object", properties: { rootPath: { type: "string" } } },
+    handler: runDriftDetect,
+  },
+  "iam-least-priv-check": {
+    id: "iam-least-priv-check",
+    description: "Flag Action:\"*\" / Resource:\"*\" wildcards in IAM policy JSON + Terraform.",
+    schema: { type: "object", properties: { rootPath: { type: "string" }, files: { type: "array", items: { type: "string" } } } },
+    handler: runIamLeastPrivCheck,
+  },
+});
+
+export const INFRASTRUCTURE_TOOL_IDS = Object.freeze(Object.keys(INFRASTRUCTURE_TOOLS));
+
+export async function dispatchInfrastructureTool(toolId, args = {}) {
+  const tool = INFRASTRUCTURE_TOOLS[toolId];
+  if (!tool) throw new Error(`Unknown infrastructure tool: ${toolId}`);
+  return tool.handler(args);
+}
+
+export async function runAllInfrastructureTools({ rootPath, files = null } = {}) {
+  const findings = [];
+  for (const toolId of INFRASTRUCTURE_TOOL_IDS) {
+    const out = await dispatchInfrastructureTool(toolId, { rootPath, files });
+    findings.push(...out);
+  }
+  return findings;
+}
+
+export { runCheckovRun, runDriftDetect, runIamLeastPrivCheck, runTflintRun };

package/src/agents/infrastructure/tools/tflint-run.js

@@ -0,0 +1,31 @@
+// tflint-run — advise when Terraform is present but tflint config is not (#A21).
+
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { createFinding, toPosix, walkRepoFiles } from "./base.js";
+
+export async function runTflintRun({ rootPath } = {}) {
+  const resolvedRoot = path.resolve(String(rootPath || "."));
+  let hasTf = false;
+  let hasConfig = false;
+  for await (const { relativePath } of walkRepoFiles({ rootPath: resolvedRoot })) {
+    const rel = toPosix(relativePath);
+    if (/\.tf(vars)?$/i.test(rel)) hasTf = true;
+    if (/(^|\/)\.tflint\.hcl$/i.test(rel)) hasConfig = true;
+  }
+  if (!hasTf || hasConfig) return [];
+  return [
+    createFinding({
+      tool: "tflint-run",
+      kind: "infrastructure.no-tflint-config",
+      severity: "P2",
+      file: "",
+      line: 0,
+      evidence: "Terraform files present but no .tflint.hcl config",
+      rootCause: "Without tflint, Terraform lint issues (invalid attributes, deprecated syntax) make it to production plans.",
+      recommendedFix: "Add .tflint.hcl and run tflint in CI before every terraform plan.",
+      confidence: 0.65,
+    }),
+  ];
+}