tlc-claude-code 1.4.7 → 1.4.9

package/docker-compose.dev.yml

@@ -101,9 +101,12 @@ services:
     working_dir: /project
     command: >
       sh -c "
-        npm install -g tlc-claude-code &&
-        TLC_DIR=$$(npm root -g)/tlc-claude-code &&
-        cd /project && node $$TLC_DIR/server/index.js --proxy-only
+        echo 'Installing TLC...' &&
+        npm install -g tlc-claude-code@latest &&
+        TLC_DIR=/usr/local/lib/node_modules/tlc-claude-code &&
+        echo 'TLC installed at:' $$TLC_DIR &&
+        ls -la $$TLC_DIR/server/ &&
+        cd /project && node $$TLC_DIR/server/index.js --proxy-only --skip-db
       "
     environment:
       - TLC_PORT=3147

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tlc-claude-code",
-  "version": "1.4.7",
+  "version": "1.4.9",
   "description": "TLC - Test Led Coding for Claude Code",
   "bin": {
     "tlc": "./bin/tlc.js",

package/server/index.js

@@ -19,6 +19,8 @@ const {
   verifyJWT,
   hashPassword,
   verifyPassword,
+  hasPermission,
+  USER_ROLES,
 } = require('./lib/auth-system');
 
 // Handle PGlite WASM crashes gracefully
@@ -66,39 +68,102 @@ const userStore = createUserStore();
 const JWT_SECRET = process.env.TLC_JWT_SECRET || 'tlc-dashboard-secret-change-in-production';
 const AUTH_ENABLED = process.env.TLC_AUTH !== 'false';
 
-// Initialize admin user from config or environment
+// Initialize users from config or environment
 async function initializeAuth() {
   const tlcConfigPath = path.join(PROJECT_DIR, '.tlc.json');
-  let adminEmail = process.env.TLC_ADMIN_EMAIL || 'admin@localhost';
-  let adminPassword = process.env.TLC_ADMIN_PASSWORD;
+  let users = [];
 
   // Try to read from .tlc.json
   if (fs.existsSync(tlcConfigPath)) {
     try {
       const config = JSON.parse(fs.readFileSync(tlcConfigPath, 'utf-8'));
-      if (config.auth?.adminEmail) adminEmail = config.auth.adminEmail;
-      if (config.auth?.adminPassword) adminPassword = config.auth.adminPassword;
+
+      // Support new multi-user format: auth.users array
+      if (config.auth?.users && Array.isArray(config.auth.users)) {
+        users = config.auth.users;
+      }
+      // Also support legacy single admin format for backwards compatibility
+      else if (config.auth?.adminEmail && config.auth?.adminPassword) {
+        users.push({
+          email: config.auth.adminEmail,
+          password: config.auth.adminPassword,
+          name: config.auth.adminName || 'Admin',
+          role: 'admin',
+        });
+      }
     } catch (e) {
-      // Ignore parse errors
+      console.error('[TLC] Failed to parse .tlc.json:', e.message);
     }
   }
 
-  // Create admin user if password is set
-  if (adminPassword) {
+  // Also check environment variables for admin
+  if (process.env.TLC_ADMIN_EMAIL && process.env.TLC_ADMIN_PASSWORD) {
+    const envAdmin = {
+      email: process.env.TLC_ADMIN_EMAIL,
+      password: process.env.TLC_ADMIN_PASSWORD,
+      name: process.env.TLC_ADMIN_NAME || 'Admin',
+      role: 'admin',
+    };
+    // Don't duplicate if already in config
+    if (!users.find(u => u.email === envAdmin.email)) {
+      users.push(envAdmin);
+    }
+  }
+
+  // Create all users
+  for (const userData of users) {
+    if (!userData.email || !userData.password) {
+      console.warn('[TLC] Skipping user without email or password');
+      continue;
+    }
+
     try {
       await userStore.createUser({
-        email: adminEmail,
-        password: adminPassword,
-        name: 'Admin',
-        role: 'admin',
+        email: userData.email,
+        password: userData.password,
+        name: userData.name || userData.email.split('@')[0],
+        role: userData.role || 'engineer',
       }, { skipValidation: true }); // Dev tool - allow simple passwords
-      console.log(`[TLC] Admin user initialized: ${adminEmail}`);
+      console.log(`[TLC] User initialized: ${userData.email} (${userData.role || 'engineer'})`);
     } catch (e) {
       if (!e.message.includes('already registered')) {
-        console.error('[TLC] Failed to create admin user:', e.message);
+        console.error(`[TLC] Failed to create user ${userData.email}:`, e.message);
       }
     }
   }
+
+  const userCount = await userStore.getUserCount();
+  if (userCount === 0) {
+    console.log('[TLC] No users configured. Add users to .tlc.json:');
+    console.log('[TLC]   "auth": { "users": [{ "email": "...", "password": "...", "role": "admin" }] }');
+  }
+}
+
+// Role-based permission middleware
+function requireRole(...allowedRoles) {
+  return (req, res, next) => {
+    if (!req.user) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    if (!allowedRoles.includes(req.user.role) && req.user.role !== 'admin') {
+      return res.status(403).json({ error: 'Insufficient permissions' });
+    }
+    next();
+  };
+}
+
+// Permission-based middleware
+function requirePermission(permission) {
+  return async (req, res, next) => {
+    if (!req.user) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    const user = await userStore.findUserById(req.user.sub);
+    if (!user || !hasPermission(user, permission)) {
+      return res.status(403).json({ error: 'Permission denied' });
+    }
+    next();
+  };
 }
 
 // Auth middleware for protected routes
@@ -198,6 +263,156 @@ app.get('/api/auth/me', (req, res) => {
   res.json({ user: req.user });
 });
 
+// ============================================
+// User Management API (Admin only)
+// ============================================
+
+// List all users
+app.get('/api/users', requireRole('admin'), async (req, res) => {
+  try {
+    const users = await userStore.listUsers();
+    res.json({ users });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// Get single user
+app.get('/api/users/:id', requireRole('admin'), async (req, res) => {
+  try {
+    const user = await userStore.findUserById(req.params.id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    // Don't return password hash
+    const { passwordHash, passwordSalt, ...safeUser } = user;
+    res.json({ user: safeUser });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// Create new user
+app.post('/api/users', requireRole('admin'), async (req, res) => {
+  const { email, password, name, role } = req.body;
+
+  if (!email || !password) {
+    return res.status(400).json({ error: 'Email and password required' });
+  }
+
+  // Validate role
+  const validRoles = ['admin', 'engineer', 'qa', 'po'];
+  if (role && !validRoles.includes(role)) {
+    return res.status(400).json({ error: `Invalid role. Valid roles: ${validRoles.join(', ')}` });
+  }
+
+  try {
+    const user = await userStore.createUser({
+      email,
+      password,
+      name: name || email.split('@')[0],
+      role: role || 'engineer',
+    }, { skipValidation: true }); // Allow simple passwords for dev
+
+    res.status(201).json({ user });
+  } catch (e) {
+    if (e.message.includes('already registered')) {
+      return res.status(409).json({ error: 'Email already registered' });
+    }
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// Update user
+app.put('/api/users/:id', requireRole('admin'), async (req, res) => {
+  const { name, role, active } = req.body;
+
+  // Validate role if provided
+  const validRoles = ['admin', 'engineer', 'qa', 'po'];
+  if (role && !validRoles.includes(role)) {
+    return res.status(400).json({ error: `Invalid role. Valid roles: ${validRoles.join(', ')}` });
+  }
+
+  try {
+    const updates = {};
+    if (name !== undefined) updates.name = name;
+    if (role !== undefined) updates.role = role;
+    if (active !== undefined) updates.active = active;
+
+    const user = await userStore.updateUser(req.params.id, updates);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    res.json({ user });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// Delete user
+app.delete('/api/users/:id', requireRole('admin'), async (req, res) => {
+  // Prevent self-deletion
+  if (req.user.sub === req.params.id) {
+    return res.status(400).json({ error: 'Cannot delete your own account' });
+  }
+
+  try {
+    const deleted = await userStore.deleteUser(req.params.id);
+    if (!deleted) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    // Also invalidate their sessions
+    await userStore.invalidateUserSessions(req.params.id);
+
+    res.json({ success: true });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// Reset user password (admin only)
+app.post('/api/users/:id/reset-password', requireRole('admin'), async (req, res) => {
+  const { newPassword } = req.body;
+
+  if (!newPassword) {
+    return res.status(400).json({ error: 'New password required' });
+  }
+
+  try {
+    const user = await userStore.findUserById(req.params.id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    // Use the internal hash function
+    const { hash, salt } = hashPassword(newPassword);
+    user.passwordHash = hash;
+    user.passwordSalt = salt;
+    user.updatedAt = new Date().toISOString();
+
+    // Invalidate all sessions for security
+    await userStore.invalidateUserSessions(req.params.id);
+
+    res.json({ success: true, message: 'Password reset successfully' });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// Get available roles
+app.get('/api/roles', (req, res) => {
+  res.json({
+    roles: [
+      { id: 'admin', name: 'Admin', description: 'Full access to all features' },
+      { id: 'engineer', name: 'Engineer', description: 'Can read, write, deploy, and claim tasks' },
+      { id: 'qa', name: 'QA', description: 'Can read, verify, report bugs, and run tests' },
+      { id: 'po', name: 'Product Owner', description: 'Can read, plan, verify, and approve' },
+    ],
+  });
+});
+
 // Serve static files (after auth middleware)
 app.use(express.static(path.join(__dirname, 'dashboard')));
 

package/server/lib/compliance/control-mapper.js

@@ -0,0 +1,401 @@
+/**
+ * Control Mapper - Cross-framework control mapping
+ */
+
+// Default control mappings between frameworks
+const DEFAULT_MAPPINGS = [
+  {
+    source: { framework: 'pci-dss', control: 'req-1.1' },
+    target: { framework: 'iso27001', control: 'A.13.1' },
+    theme: 'network-security',
+    confidence: 0.85
+  },
+  {
+    source: { framework: 'pci-dss', control: 'req-3.4' },
+    target: { framework: 'iso27001', control: 'A.8.24' },
+    theme: 'encryption',
+    confidence: 0.95
+  },
+  {
+    source: { framework: 'pci-dss', control: 'req-3.4' },
+    target: { framework: 'hipaa', control: '164.312(a)(2)(iv)' },
+    theme: 'encryption',
+    confidence: 0.90
+  },
+  {
+    source: { framework: 'pci-dss', control: 'req-8.1' },
+    target: { framework: 'iso27001', control: 'A.5.15' },
+    theme: 'access-control',
+    confidence: 0.90
+  },
+  {
+    source: { framework: 'pci-dss', control: 'req-8.1' },
+    target: { framework: 'hipaa', control: '164.312(d)' },
+    theme: 'access-control',
+    confidence: 0.85
+  },
+  {
+    source: { framework: 'hipaa', control: '164.312(a)(1)' },
+    target: { framework: 'iso27001', control: 'A.5.15' },
+    theme: 'access-control',
+    confidence: 0.85
+  },
+  {
+    source: { framework: 'hipaa', control: '164.312(e)(1)' },
+    target: { framework: 'iso27001', control: 'A.8.24' },
+    theme: 'encryption',
+    confidence: 0.90
+  },
+  {
+    source: { framework: 'hipaa', control: '164.312(e)(1)' },
+    target: { framework: 'pci-dss', control: 'req-3.4' },
+    theme: 'encryption',
+    confidence: 0.85
+  }
+];
+
+// Framework-specific control themes and keywords
+const FRAMEWORK_THEMES = {
+  'pci-dss': {
+    encryption: ['req-3.4', 'req-3.5', 'req-4.1'],
+    'access-control': ['req-7.1', 'req-7.2', 'req-8.1', 'req-8.2'],
+    'network-security': ['req-1.1', 'req-1.2', 'req-1.3'],
+    logging: ['req-10.1', 'req-10.2', 'req-10.3']
+  },
+  'iso27001': {
+    encryption: ['A.8.24', 'A.10.1'],
+    'access-control': ['A.5.15', 'A.5.16', 'A.5.17', 'A.5.18'],
+    'network-security': ['A.13.1', 'A.13.2'],
+    logging: ['A.8.15', 'A.8.16']
+  },
+  'hipaa': {
+    encryption: ['164.312(a)(2)(iv)', '164.312(e)(1)', '164.312(e)(2)(ii)'],
+    'access-control': ['164.312(a)(1)', '164.312(d)'],
+    'network-security': ['164.312(e)(1)'],
+    logging: ['164.312(b)']
+  }
+};
+
+// Unique requirements per framework
+const UNIQUE_REQUIREMENTS = {
+  'pci-dss': [
+    'Payment card industry specific requirements',
+    'PAN masking and truncation',
+    'Quarterly vulnerability scans'
+  ],
+  'hipaa': [
+    'Protected Health Information (PHI) handling',
+    'Business Associate Agreements',
+    'Patient rights documentation'
+  ],
+  'iso27001': [
+    'Information Security Management System (ISMS)',
+    'Risk assessment methodology',
+    'Continuous improvement process'
+  ]
+};
+
+// Custom frameworks storage
+const customFrameworks = new Map();
+
+/**
+ * Create a control mapper instance
+ */
+export function createControlMapper(options = {}) {
+  const mappings = options.loadDefaults ? [...DEFAULT_MAPPINGS] : [];
+
+  return {
+    map: (source, target) => mapControl({ source, target }),
+    findOverlaps: (frameworks) => findOverlaps(frameworks),
+    getMappings: () => mappings,
+    addMapping: (mapping) => mappings.push(mapping)
+  };
+}
+
+/**
+ * Map a control from one framework to another
+ */
+export function mapControl({ source, target }) {
+  const result = {
+    sourceFramework: source.framework,
+    sourceControl: source.control,
+    targetFramework: target.framework,
+    targetControls: [],
+    confidence: 0,
+    unmapped: false
+  };
+
+  // Find direct mappings
+  const directMappings = DEFAULT_MAPPINGS.filter(m =>
+    m.source.framework === source.framework &&
+    m.source.control === source.control &&
+    m.target.framework === target.framework
+  );
+
+  if (directMappings.length > 0) {
+    result.targetControls = directMappings.map(m => m.target.control);
+    result.confidence = Math.max(...directMappings.map(m => m.confidence));
+    return result;
+  }
+
+  // Try reverse mappings
+  const reverseMappings = DEFAULT_MAPPINGS.filter(m =>
+    m.target.framework === source.framework &&
+    m.target.control === source.control &&
+    m.source.framework === target.framework
+  );
+
+  if (reverseMappings.length > 0) {
+    result.targetControls = reverseMappings.map(m => m.source.control);
+    result.confidence = Math.max(...reverseMappings.map(m => m.confidence)) * 0.9; // Slightly lower confidence for reverse
+    return result;
+  }
+
+  // Try theme-based mapping
+  const sourceThemes = FRAMEWORK_THEMES[source.framework] || {};
+  let sourceTheme = null;
+
+  for (const [theme, controls] of Object.entries(sourceThemes)) {
+    if (controls.includes(source.control)) {
+      sourceTheme = theme;
+      break;
+    }
+  }
+
+  if (sourceTheme && FRAMEWORK_THEMES[target.framework]) {
+    const targetControls = FRAMEWORK_THEMES[target.framework][sourceTheme];
+    if (targetControls && targetControls.length > 0) {
+      result.targetControls = targetControls;
+      result.confidence = 0.6; // Lower confidence for theme-based
+      return result;
+    }
+  }
+
+  // No mapping found
+  result.unmapped = true;
+  return result;
+}
+
+/**
+ * Find overlapping controls between frameworks
+ */
+export function findOverlaps(frameworks) {
+  const overlaps = [];
+  const themes = ['encryption', 'access-control', 'network-security', 'logging'];
+
+  for (const theme of themes) {
+    const frameworkControls = {};
+    let count = 0;
+
+    for (const framework of frameworks) {
+      const controls = FRAMEWORK_THEMES[framework]?.[theme];
+      if (controls && controls.length > 0) {
+        frameworkControls[framework] = controls;
+        count++;
+      }
+    }
+
+    if (count >= 2) {
+      const totalControls = Object.values(frameworkControls).reduce((sum, c) => sum + c.length, 0);
+      const avgControlsPerFramework = totalControls / count;
+
+      overlaps.push({
+        theme,
+        frameworks: Object.keys(frameworkControls),
+        controls: frameworkControls,
+        overlapPercentage: Math.round((count / frameworks.length) * 100)
+      });
+    }
+  }
+
+  return overlaps;
+}
+
+/**
+ * Generate a cross-reference matrix between frameworks
+ */
+export function generateCrossReference(frameworks, options = {}) {
+  if (options.format === 'markdown') {
+    return generateMarkdownMatrix(frameworks);
+  }
+
+  if (options.format === 'csv') {
+    return generateCsvMatrix(frameworks);
+  }
+
+  // Return object matrix by default
+  const matrix = {};
+
+  for (const source of frameworks) {
+    matrix[source] = {};
+    for (const target of frameworks) {
+      if (source !== target) {
+        const mappings = DEFAULT_MAPPINGS.filter(m =>
+          (m.source.framework === source && m.target.framework === target) ||
+          (m.target.framework === source && m.source.framework === target)
+        );
+        matrix[source][target] = mappings.length;
+      }
+    }
+  }
+
+  return matrix;
+}
+
+/**
+ * Generate markdown cross-reference matrix
+ */
+function generateMarkdownMatrix(frameworks) {
+  const frameworkNames = {
+    'pci-dss': 'PCI DSS',
+    'iso27001': 'ISO 27001',
+    'hipaa': 'HIPAA'
+  };
+
+  let md = '| Framework |';
+  for (const f of frameworks) {
+    md += ` ${frameworkNames[f] || f} |`;
+  }
+  md += '\n|---|';
+  for (let i = 0; i < frameworks.length; i++) {
+    md += '---|';
+  }
+  md += '\n';
+
+  for (const source of frameworks) {
+    md += `| ${frameworkNames[source] || source} |`;
+    for (const target of frameworks) {
+      if (source === target) {
+        md += ' - |';
+      } else {
+        const count = DEFAULT_MAPPINGS.filter(m =>
+          (m.source.framework === source && m.target.framework === target) ||
+          (m.target.framework === source && m.source.framework === target)
+        ).length;
+        md += ` ${count} |`;
+      }
+    }
+    md += '\n';
+  }
+
+  return md;
+}
+
+/**
+ * Generate CSV cross-reference matrix
+ */
+function generateCsvMatrix(frameworks) {
+  const frameworkNames = {
+    'pci-dss': 'PCI DSS',
+    'iso27001': 'ISO 27001',
+    'hipaa': 'HIPAA'
+  };
+
+  let csv = 'Framework,' + frameworks.map(f => frameworkNames[f] || f).join(',') + '\n';
+
+  for (const source of frameworks) {
+    csv += frameworkNames[source] || source;
+    for (const target of frameworks) {
+      if (source === target) {
+        csv += ',-';
+      } else {
+        const count = DEFAULT_MAPPINGS.filter(m =>
+          (m.source.framework === source && m.target.framework === target) ||
+          (m.target.framework === source && m.source.framework === target)
+        ).length;
+        csv += `,${count}`;
+      }
+    }
+    csv += '\n';
+  }
+
+  return csv;
+}
+
+/**
+ * Import a custom framework
+ */
+export function importFramework(framework, options = {}) {
+  // Validate required fields
+  if (!framework.id) {
+    throw new Error('Framework id is required');
+  }
+
+  if (!framework.name) {
+    throw new Error('Framework name is required');
+  }
+
+  const result = {
+    imported: true,
+    frameworkId: framework.id,
+    controlCount: framework.controls?.length || 0,
+    mappingsCreated: 0
+  };
+
+  // Store the framework
+  customFrameworks.set(framework.id, framework);
+
+  // Auto-map to existing frameworks if requested
+  if (options.autoMap && framework.controls) {
+    for (const control of framework.controls) {
+      // Check for explicit mappings
+      if (control.mappings) {
+        for (const mapping of control.mappings) {
+          const [targetFramework, targetControl] = mapping.split(':');
+          DEFAULT_MAPPINGS.push({
+            source: { framework: framework.id, control: control.id },
+            target: { framework: targetFramework, control: targetControl },
+            theme: 'custom',
+            confidence: 0.9
+          });
+          result.mappingsCreated++;
+        }
+      }
+
+      // Check for keyword-based mappings
+      if (control.keywords) {
+        for (const keyword of control.keywords) {
+          const keywordLower = keyword.toLowerCase();
+          // Map to encryption controls
+          if (keywordLower.includes('encrypt') || keywordLower.includes('data protection')) {
+            for (const [fw, themes] of Object.entries(FRAMEWORK_THEMES)) {
+              if (themes.encryption) {
+                DEFAULT_MAPPINGS.push({
+                  source: { framework: framework.id, control: control.id },
+                  target: { framework: fw, control: themes.encryption[0] },
+                  theme: 'encryption',
+                  confidence: 0.7
+                });
+                result.mappingsCreated++;
+              }
+            }
+          }
+          // Map to access control
+          if (keywordLower.includes('access')) {
+            for (const [fw, themes] of Object.entries(FRAMEWORK_THEMES)) {
+              if (themes['access-control']) {
+                DEFAULT_MAPPINGS.push({
+                  source: { framework: framework.id, control: control.id },
+                  target: { framework: fw, control: themes['access-control'][0] },
+                  theme: 'access-control',
+                  confidence: 0.7
+                });
+                result.mappingsCreated++;
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  return result;
+}
+
+export default {
+  createControlMapper,
+  mapControl,
+  findOverlaps,
+  generateCrossReference,
+  importFramework
+};