npm - tlc-claude-code - Versions diffs - 1.4.7 → 1.4.9 - Mend

tlc-claude-code 1.4.7 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/docker-compose.dev.yml +6 -3
package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/network/firewall-manager.js ADDED Viewed

@@ -0,0 +1,252 @@
+/**
+ * Firewall Manager - UFW rules generation and management
+ */
+/**
+ * UFW policy constants
+ */
+export const UFW_POLICIES = {
+  ALLOW: 'allow',
+  DENY: 'deny',
+  REJECT: 'reject',
+};
+/**
+ * Generate UFW enable command
+ * @param {Object} options - Options
+ * @param {boolean} options.force - Include --force flag
+ * @returns {string} UFW enable command
+ */
+export function generateUfwEnableCommand(options = {}) {
+  const { force = false } = options;
+  if (force) {
+    return 'ufw --force enable';
+  }
+  return 'ufw enable';
+}
+/**
+ * Set default policy
+ * @param {Object} options - Options
+ * @param {string} options.direction - 'incoming' or 'outgoing'
+ * @param {string} options.policy - 'allow', 'deny', or 'reject'
+ * @returns {string} UFW default policy command
+ */
+export function setDefaultPolicy(options) {
+  const { direction, policy } = options;
+  return `ufw default ${policy} ${direction}`;
+}
+/**
+ * Generate allow rule for port
+ * @param {Object} options - Options
+ * @param {number|string} options.port - Port number, range, or service name
+ * @param {string} options.protocol - Protocol (tcp, udp)
+ * @returns {string} UFW allow rule
+ */
+export function allowPort(options) {
+  const { port, protocol } = options;
+  if (protocol) {
+    return `ufw allow ${port}/${protocol}`;
+  }
+  return `ufw allow ${port}`;
+}
+/**
+ * Generate allow rule for IP
+ * @param {Object} options - Options
+ * @param {string} options.ip - IP address or CIDR range
+ * @param {number} options.port - Port number (optional)
+ * @returns {string} UFW allow from IP rule
+ */
+export function allowFromIp(options) {
+  const { ip, port } = options;
+  if (port) {
+    return `ufw allow from ${ip} to any port ${port}`;
+  }
+  return `ufw allow from ${ip}`;
+}
+/**
+ * Generate deny rule for port
+ * @param {Object} options - Options
+ * @param {number|string} options.port - Port number
+ * @param {string} options.protocol - Protocol (tcp, udp)
+ * @returns {string} UFW deny rule
+ */
+export function denyPort(options) {
+  const { port, protocol } = options;
+  if (protocol) {
+    return `ufw deny ${port}/${protocol}`;
+  }
+  return `ufw deny ${port}`;
+}
+/**
+ * Validate UFW rule syntax
+ * @param {string} rule - UFW rule to validate
+ * @returns {Object} Validation result with valid and error properties
+ */
+export function validateRule(rule) {
+  // Check for port numbers
+  const portMatch = rule.match(/(?:port\s+|allow\s+|deny\s+)(\d+)/);
+  if (portMatch) {
+    const port = parseInt(portMatch[1], 10);
+    if (port < 1 || port > 65535) {
+      return { valid: false, error: 'Invalid port number' };
+    }
+  }
+  // Check for IP addresses
+  const ipMatch = rule.match(/from\s+([\d.]+(?:\/\d+)?)/);
+  if (ipMatch) {
+    const ipPart = ipMatch[1];
+    const [ip, cidr] = ipPart.split('/');
+    // Validate IP octets
+    const octets = ip.split('.');
+    if (octets.length !== 4) {
+      return { valid: false, error: 'Invalid IP address format' };
+    }
+    for (const octet of octets) {
+      const num = parseInt(octet, 10);
+      if (isNaN(num) || num < 0 || num > 255) {
+        return { valid: false, error: 'Invalid IP address' };
+      }
+    }
+    // Validate CIDR if present
+    if (cidr !== undefined) {
+      const cidrNum = parseInt(cidr, 10);
+      if (isNaN(cidrNum) || cidrNum < 0 || cidrNum > 32) {
+        return { valid: false, error: 'Invalid CIDR notation' };
+      }
+    }
+  }
+  return { valid: true };
+}
+/**
+ * Generate complete UFW rules configuration
+ * @param {Object} options - Options
+ * @param {number[]} options.allowPorts - Ports to allow
+ * @param {number} options.sshPort - SSH port
+ * @param {string[]} options.adminIps - Admin IP addresses
+ * @param {boolean} options.rateLimit - Enable rate limiting
+ * @param {string} options.format - Output format ('rules' or 'script')
+ * @returns {string} UFW rules or script
+ */
+export function generateUfwRules(options) {
+  const {
+    allowPorts = [],
+    sshPort = 22,
+    adminIps = [],
+    rateLimit = false,
+    format = 'rules',
+  } = options;
+  const lines = [];
+  if (format === 'script') {
+    lines.push('#!/bin/bash');
+    lines.push('');
+  }
+  // Default policies
+  lines.push('ufw default deny incoming');
+  lines.push('ufw default allow outgoing');
+  // SSH rule
+  if (rateLimit) {
+    lines.push(`ufw limit ${sshPort}`);
+  } else {
+    lines.push(`ufw allow ${sshPort}`);
+  }
+  // Allowed ports
+  for (const port of allowPorts) {
+    lines.push(`ufw allow ${port}`);
+  }
+  // Admin IPs
+  for (const ip of adminIps) {
+    lines.push(`ufw allow from ${ip}`);
+  }
+  return lines.join('\n');
+}
+/**
+ * Create a firewall manager instance
+ * @param {Object} options - Initial options
+ * @returns {Object} Firewall manager object
+ */
+export function createFirewallManager(options = {}) {
+  const { sshPort = 22 } = options;
+  const rules = [];
+  return {
+    /**
+     * Generate rules using the current configuration
+     */
+    generateRules(opts = {}) {
+      return generateUfwRules({ ...opts, sshPort });
+    },
+    /**
+     * Add an allow port rule
+     */
+    allowPort(opts) {
+      const rule = allowPort(opts);
+      rules.push(rule);
+      return rule;
+    },
+    /**
+     * Add a deny port rule
+     */
+    denyPort(opts) {
+      const rule = denyPort(opts);
+      rules.push(rule);
+      return rule;
+    },
+    /**
+     * Add an allow from IP rule
+     */
+    allowFromIp(opts) {
+      const rule = allowFromIp(opts);
+      rules.push(rule);
+      return rule;
+    },
+    /**
+     * Validate a rule
+     */
+    validate(rule) {
+      return validateRule(rule);
+    },
+    /**
+     * Get all added rules
+     */
+    getRules() {
+      return [...rules];
+    },
+    /**
+     * Generate complete configuration
+     */
+    generateConfig() {
+      const lines = [
+        'ufw default deny incoming',
+        'ufw default allow outgoing',
+        `ufw allow ${sshPort}`,
+        ...rules,
+      ];
+      return lines.join('\n');
+    },
+  };
+}

package/server/lib/network/firewall-manager.test.js ADDED Viewed

@@ -0,0 +1,254 @@
+/**
+ * Firewall Manager Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  generateUfwRules,
+  generateUfwEnableCommand,
+  setDefaultPolicy,
+  allowPort,
+  allowFromIp,
+  denyPort,
+  validateRule,
+  UFW_POLICIES,
+  createFirewallManager,
+} from './firewall-manager.js';
+describe('firewall-manager', () => {
+  describe('UFW_POLICIES', () => {
+    it('defines policy constants', () => {
+      expect(UFW_POLICIES.ALLOW).toBe('allow');
+      expect(UFW_POLICIES.DENY).toBe('deny');
+      expect(UFW_POLICIES.REJECT).toBe('reject');
+    });
+  });
+  describe('generateUfwEnableCommand', () => {
+    it('generates enable command', () => {
+      const command = generateUfwEnableCommand();
+      expect(command).toContain('ufw');
+      expect(command).toContain('enable');
+    });
+    it('includes force flag', () => {
+      const command = generateUfwEnableCommand({ force: true });
+      expect(command).toContain('--force');
+    });
+  });
+  describe('setDefaultPolicy', () => {
+    it('sets default deny incoming', () => {
+      const command = setDefaultPolicy({
+        direction: 'incoming',
+        policy: 'deny',
+      });
+      expect(command).toContain('default deny incoming');
+    });
+    it('sets default allow outgoing', () => {
+      const command = setDefaultPolicy({
+        direction: 'outgoing',
+        policy: 'allow',
+      });
+      expect(command).toContain('default allow outgoing');
+    });
+  });
+  describe('allowPort', () => {
+    it('generates allow rule for port', () => {
+      const rule = allowPort({ port: 443 });
+      expect(rule).toContain('allow');
+      expect(rule).toContain('443');
+    });
+    it('supports protocol specification', () => {
+      const rule = allowPort({ port: 443, protocol: 'tcp' });
+      expect(rule).toContain('443/tcp');
+    });
+    it('supports port ranges', () => {
+      const rule = allowPort({ port: '3000:3010' });
+      expect(rule).toContain('3000:3010');
+    });
+    it('supports named services', () => {
+      const rule = allowPort({ port: 'ssh' });
+      expect(rule).toContain('ssh');
+    });
+  });
+  describe('allowFromIp', () => {
+    it('generates allow rule for IP', () => {
+      const rule = allowFromIp({
+        ip: '192.168.1.100',
+        port: 22,
+      });
+      expect(rule).toContain('from 192.168.1.100');
+      expect(rule).toContain('22');
+    });
+    it('supports CIDR notation', () => {
+      const rule = allowFromIp({
+        ip: '10.0.0.0/8',
+        port: 22,
+      });
+      expect(rule).toContain('from 10.0.0.0/8');
+    });
+    it('supports any destination', () => {
+      const rule = allowFromIp({
+        ip: '192.168.1.100',
+      });
+      expect(rule).toContain('from 192.168.1.100');
+    });
+  });
+  describe('denyPort', () => {
+    it('generates deny rule for port', () => {
+      const rule = denyPort({ port: 23 });
+      expect(rule).toContain('deny');
+      expect(rule).toContain('23');
+    });
+    it('supports protocol specification', () => {
+      const rule = denyPort({ port: 23, protocol: 'tcp' });
+      expect(rule).toContain('23/tcp');
+    });
+  });
+  describe('validateRule', () => {
+    it('validates correct rule syntax', () => {
+      const result = validateRule('ufw allow 443/tcp');
+      expect(result.valid).toBe(true);
+    });
+    it('rejects invalid port numbers', () => {
+      const result = validateRule('ufw allow 99999');
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('port');
+    });
+    it('rejects invalid IP addresses', () => {
+      const result = validateRule('ufw allow from 999.999.999.999');
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('IP');
+    });
+    it('validates CIDR notation', () => {
+      const validResult = validateRule('ufw allow from 10.0.0.0/8');
+      expect(validResult.valid).toBe(true);
+      const invalidResult = validateRule('ufw allow from 10.0.0.0/33');
+      expect(invalidResult.valid).toBe(false);
+    });
+  });
+  describe('generateUfwRules', () => {
+    it('generates complete UFW configuration', () => {
+      const rules = generateUfwRules({
+        allowPorts: [80, 443],
+        sshPort: 22,
+      });
+      expect(rules).toContain('default deny incoming');
+      expect(rules).toContain('default allow outgoing');
+      expect(rules).toContain('allow 80');
+      expect(rules).toContain('allow 443');
+      expect(rules).toContain('allow 22');
+    });
+    it('supports custom SSH port', () => {
+      const rules = generateUfwRules({
+        allowPorts: [80, 443],
+        sshPort: 2222,
+      });
+      expect(rules).toContain('allow 2222');
+      expect(rules).not.toContain('allow 22/tcp');
+    });
+    it('includes IP allowlist for admin', () => {
+      const rules = generateUfwRules({
+        allowPorts: [80, 443],
+        sshPort: 22,
+        adminIps: ['192.168.1.100', '10.0.0.50'],
+      });
+      expect(rules).toContain('from 192.168.1.100');
+      expect(rules).toContain('from 10.0.0.50');
+    });
+    it('supports rate limiting', () => {
+      const rules = generateUfwRules({
+        allowPorts: [80, 443],
+        sshPort: 22,
+        rateLimit: true,
+      });
+      expect(rules).toContain('limit');
+    });
+    it('generates script format', () => {
+      const rules = generateUfwRules({
+        allowPorts: [80, 443],
+        sshPort: 22,
+        format: 'script',
+      });
+      expect(rules).toContain('#!/bin/bash');
+      expect(rules).toContain('ufw');
+    });
+  });
+  describe('createFirewallManager', () => {
+    it('creates manager with methods', () => {
+      const manager = createFirewallManager();
+      expect(manager.generateRules).toBeDefined();
+      expect(manager.allowPort).toBeDefined();
+      expect(manager.denyPort).toBeDefined();
+      expect(manager.allowFromIp).toBeDefined();
+      expect(manager.validate).toBeDefined();
+    });
+    it('tracks added rules', () => {
+      const manager = createFirewallManager();
+      manager.allowPort({ port: 80 });
+      manager.allowPort({ port: 443 });
+      const rules = manager.getRules();
+      expect(rules.length).toBe(2);
+    });
+    it('generates complete config', () => {
+      const manager = createFirewallManager({
+        sshPort: 22,
+      });
+      manager.allowPort({ port: 80 });
+      manager.allowPort({ port: 443 });
+      const config = manager.generateConfig();
+      expect(config).toContain('80');
+      expect(config).toContain('443');
+      expect(config).toContain('22');
+    });
+  });
+});