npm - tlc-claude-code - Versions diffs - 1.4.8 → 1.4.9 - Mend

tlc-claude-code 1.4.8 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/deploy/deployment-executor.test.js ADDED Viewed

@@ -0,0 +1,329 @@
+/**
+ * Deployment Executor Tests
+ */
+import { describe, it, expect, vi } from 'vitest';
+import {
+  createDeployment,
+  executeDeployment,
+  runHealthChecks,
+  switchTraffic,
+  cleanupOldDeployment,
+  DEPLOYMENT_STATES,
+  DEPLOYMENT_STRATEGIES,
+  createDeploymentExecutor,
+} from './deployment-executor.js';
+describe('deployment-executor', () => {
+  describe('DEPLOYMENT_STATES', () => {
+    it('defines all state constants', () => {
+      expect(DEPLOYMENT_STATES.PENDING).toBe('pending');
+      expect(DEPLOYMENT_STATES.BUILDING).toBe('building');
+      expect(DEPLOYMENT_STATES.DEPLOYING).toBe('deploying');
+      expect(DEPLOYMENT_STATES.HEALTH_CHECK).toBe('health_check');
+      expect(DEPLOYMENT_STATES.SWITCHING).toBe('switching');
+      expect(DEPLOYMENT_STATES.COMPLETED).toBe('completed');
+      expect(DEPLOYMENT_STATES.FAILED).toBe('failed');
+      expect(DEPLOYMENT_STATES.ROLLED_BACK).toBe('rolled_back');
+    });
+  });
+  describe('DEPLOYMENT_STRATEGIES', () => {
+    it('defines all strategy constants', () => {
+      expect(DEPLOYMENT_STRATEGIES.ROLLING).toBe('rolling');
+      expect(DEPLOYMENT_STRATEGIES.BLUE_GREEN).toBe('blue-green');
+      expect(DEPLOYMENT_STRATEGIES.CANARY).toBe('canary');
+      expect(DEPLOYMENT_STRATEGIES.RECREATE).toBe('recreate');
+    });
+  });
+  describe('createDeployment', () => {
+    it('creates deployment with required fields', () => {
+      const deployment = createDeployment({
+        branch: 'main',
+        commitSha: 'abc123',
+        strategy: 'blue-green',
+      });
+      expect(deployment.id).toBeDefined();
+      expect(deployment.branch).toBe('main');
+      expect(deployment.commitSha).toBe('abc123');
+      expect(deployment.strategy).toBe('blue-green');
+      expect(deployment.state).toBe('pending');
+      expect(deployment.createdAt).toBeDefined();
+    });
+    it('defaults to rolling strategy', () => {
+      const deployment = createDeployment({
+        branch: 'feature/x',
+        commitSha: 'abc123',
+      });
+      expect(deployment.strategy).toBe('rolling');
+    });
+    it('tracks state transitions', () => {
+      const deployment = createDeployment({
+        branch: 'main',
+        commitSha: 'abc123',
+      });
+      expect(deployment.stateHistory).toEqual([
+        expect.objectContaining({ state: 'pending' }),
+      ]);
+    });
+  });
+  describe('executeDeployment', () => {
+    it('executes rolling deployment', async () => {
+      const mockBuild = vi.fn().mockResolvedValue({ success: true });
+      const mockDeploy = vi.fn().mockResolvedValue({ success: true });
+      const mockHealth = vi.fn().mockResolvedValue({ healthy: true });
+      const deployment = createDeployment({
+        branch: 'feature/x',
+        commitSha: 'abc123',
+        strategy: 'rolling',
+      });
+      const result = await executeDeployment(deployment, {
+        build: mockBuild,
+        deploy: mockDeploy,
+        healthCheck: mockHealth,
+      });
+      expect(result.state).toBe('completed');
+      expect(mockBuild).toHaveBeenCalled();
+      expect(mockDeploy).toHaveBeenCalled();
+      expect(mockHealth).toHaveBeenCalled();
+    });
+    it('executes blue-green deployment', async () => {
+      const mockBuild = vi.fn().mockResolvedValue({ success: true });
+      const mockDeploy = vi.fn().mockResolvedValue({ success: true, slot: 'green' });
+      const mockHealth = vi.fn().mockResolvedValue({ healthy: true });
+      const mockSwitch = vi.fn().mockResolvedValue({ success: true });
+      const deployment = createDeployment({
+        branch: 'main',
+        commitSha: 'abc123',
+        strategy: 'blue-green',
+      });
+      const result = await executeDeployment(deployment, {
+        build: mockBuild,
+        deploy: mockDeploy,
+        healthCheck: mockHealth,
+        switchTraffic: mockSwitch,
+      });
+      expect(result.state).toBe('completed');
+      expect(mockSwitch).toHaveBeenCalled();
+    });
+    it('fails on build error', async () => {
+      const mockBuild = vi.fn().mockResolvedValue({ success: false, error: 'Build failed' });
+      const deployment = createDeployment({
+        branch: 'main',
+        commitSha: 'abc123',
+      });
+      const result = await executeDeployment(deployment, {
+        build: mockBuild,
+      });
+      expect(result.state).toBe('failed');
+      expect(result.error).toContain('Build failed');
+    });
+    it('fails on health check failure', async () => {
+      const mockBuild = vi.fn().mockResolvedValue({ success: true });
+      const mockDeploy = vi.fn().mockResolvedValue({ success: true });
+      const mockHealth = vi.fn().mockResolvedValue({ healthy: false, reason: 'Timeout' });
+      const deployment = createDeployment({
+        branch: 'main',
+        commitSha: 'abc123',
+      });
+      const result = await executeDeployment(deployment, {
+        build: mockBuild,
+        deploy: mockDeploy,
+        healthCheck: mockHealth,
+      });
+      expect(result.state).toBe('failed');
+    });
+    it('emits state change events', async () => {
+      const mockBuild = vi.fn().mockResolvedValue({ success: true });
+      const mockDeploy = vi.fn().mockResolvedValue({ success: true });
+      const mockHealth = vi.fn().mockResolvedValue({ healthy: true });
+      const onStateChange = vi.fn();
+      const deployment = createDeployment({
+        branch: 'main',
+        commitSha: 'abc123',
+      });
+      await executeDeployment(deployment, {
+        build: mockBuild,
+        deploy: mockDeploy,
+        healthCheck: mockHealth,
+        onStateChange,
+      });
+      expect(onStateChange).toHaveBeenCalledWith(expect.objectContaining({ state: 'building' }));
+      expect(onStateChange).toHaveBeenCalledWith(expect.objectContaining({ state: 'deploying' }));
+      expect(onStateChange).toHaveBeenCalledWith(expect.objectContaining({ state: 'completed' }));
+    });
+  });
+  describe('runHealthChecks', () => {
+    it('runs multiple health check endpoints', async () => {
+      const mockFetch = vi.fn().mockResolvedValue({ ok: true, status: 200 });
+      const result = await runHealthChecks({
+        endpoints: ['http://localhost:3000/health', 'http://localhost:3000/ready'],
+        fetch: mockFetch,
+      });
+      expect(result.healthy).toBe(true);
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+    });
+    it('fails if any endpoint unhealthy', async () => {
+      const mockFetch = vi.fn()
+        .mockResolvedValueOnce({ ok: true, status: 200 })
+        .mockResolvedValueOnce({ ok: false, status: 503 });
+      const result = await runHealthChecks({
+        endpoints: ['http://localhost:3000/health', 'http://localhost:3000/ready'],
+        fetch: mockFetch,
+      });
+      expect(result.healthy).toBe(false);
+    });
+    it('retries failed checks', async () => {
+      const mockFetch = vi.fn()
+        .mockResolvedValueOnce({ ok: false, status: 503 })
+        .mockResolvedValueOnce({ ok: true, status: 200 });
+      const result = await runHealthChecks({
+        endpoints: ['http://localhost:3000/health'],
+        fetch: mockFetch,
+        retries: 2,
+        retryDelay: 10,
+      });
+      expect(result.healthy).toBe(true);
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+    });
+    it('times out slow health checks', async () => {
+      const mockFetch = vi.fn().mockImplementation(() =>
+        new Promise((resolve) => setTimeout(() => resolve({ ok: true }), 1000))
+      );
+      const result = await runHealthChecks({
+        endpoints: ['http://localhost:3000/health'],
+        fetch: mockFetch,
+        timeout: 50,
+      });
+      expect(result.healthy).toBe(false);
+      expect(result.reason).toContain('timeout');
+    });
+  });
+  describe('switchTraffic', () => {
+    it('switches traffic to new slot', async () => {
+      const mockSwitch = vi.fn().mockResolvedValue({ success: true });
+      const result = await switchTraffic({
+        fromSlot: 'blue',
+        toSlot: 'green',
+        switchFn: mockSwitch,
+      });
+      expect(result.success).toBe(true);
+      expect(mockSwitch).toHaveBeenCalledWith('blue', 'green');
+    });
+    it('handles switch failure', async () => {
+      const mockSwitch = vi.fn().mockRejectedValue(new Error('Switch failed'));
+      const result = await switchTraffic({
+        fromSlot: 'blue',
+        toSlot: 'green',
+        switchFn: mockSwitch,
+      });
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('Switch failed');
+    });
+  });
+  describe('cleanupOldDeployment', () => {
+    it('removes old deployment resources', async () => {
+      const mockCleanup = vi.fn().mockResolvedValue({ success: true });
+      const result = await cleanupOldDeployment({
+        slot: 'blue',
+        cleanupFn: mockCleanup,
+      });
+      expect(result.success).toBe(true);
+      expect(mockCleanup).toHaveBeenCalledWith('blue');
+    });
+    it('handles cleanup failure gracefully', async () => {
+      const mockCleanup = vi.fn().mockRejectedValue(new Error('Cleanup failed'));
+      const result = await cleanupOldDeployment({
+        slot: 'blue',
+        cleanupFn: mockCleanup,
+      });
+      // Should not throw, just log warning
+      expect(result.success).toBe(false);
+    });
+  });
+  describe('createDeploymentExecutor', () => {
+    it('creates executor with config', () => {
+      const executor = createDeploymentExecutor();
+      expect(executor.execute).toBeDefined();
+      expect(executor.getDeployment).toBeDefined();
+      expect(executor.cancel).toBeDefined();
+    });
+    it('tracks active deployments', async () => {
+      const executor = createDeploymentExecutor({
+        build: vi.fn().mockResolvedValue({ success: true }),
+        deploy: vi.fn().mockResolvedValue({ success: true }),
+        healthCheck: vi.fn().mockResolvedValue({ healthy: true }),
+      });
+      const deployment = await executor.start({
+        branch: 'main',
+        commitSha: 'abc123',
+      });
+      expect(executor.getDeployment(deployment.id)).toBeDefined();
+    });
+    it('lists all deployments', async () => {
+      const executor = createDeploymentExecutor({
+        build: vi.fn().mockResolvedValue({ success: true }),
+        deploy: vi.fn().mockResolvedValue({ success: true }),
+        healthCheck: vi.fn().mockResolvedValue({ healthy: true }),
+      });
+      await executor.start({ branch: 'main', commitSha: 'abc123' });
+      await executor.start({ branch: 'dev', commitSha: 'def456' });
+      const deployments = executor.list();
+      expect(deployments).toHaveLength(2);
+    });
+  });
+});

package/server/lib/deploy/deployment-rules.js ADDED Viewed

@@ -0,0 +1,163 @@
+/**
+ * Deployment Rules
+ *
+ * Defines and manages deployment rules for different tiers (feature, dev, stable).
+ */
+/**
+ * Default deployment rules for each tier
+ */
+export const DEFAULT_RULES = {
+  feature: {
+    autoDeploy: true,
+    securityGates: ['sast', 'dependencies'],
+    deploymentStrategy: 'rolling',
+    requiresApproval: false,
+    requires2FA: false,
+  },
+  dev: {
+    autoDeploy: true,
+    securityGates: ['sast', 'dast', 'container', 'dependencies'],
+    deploymentStrategy: 'rolling',
+    requiresApproval: false,
+    requires2FA: false,
+  },
+  stable: {
+    autoDeploy: false,
+    securityGates: ['sast', 'dast', 'container', 'dependencies', 'pentest'],
+    deploymentStrategy: 'blue-green',
+    requiresApproval: true,
+    requires2FA: true,
+  },
+};
+/**
+ * Valid deployment strategies
+ */
+const VALID_STRATEGIES = ['rolling', 'blue-green', 'canary', 'recreate'];
+/**
+ * Load deployment rules from config object
+ * @param {object} config - Configuration object with optional deployment.rules
+ * @returns {object} Merged rules with defaults
+ */
+export function loadDeploymentRules(config) {
+  if (!config || !config.deployment || !config.deployment.rules) {
+    return DEFAULT_RULES;
+  }
+  return mergeWithDefaults(config.deployment.rules);
+}
+/**
+ * Validate rules schema
+ * @param {object} rules - Rules object to validate
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateRules(rules) {
+  const errors = [];
+  for (const [tier, tierRules] of Object.entries(rules)) {
+    if (tierRules.autoDeploy !== undefined && typeof tierRules.autoDeploy !== 'boolean') {
+      errors.push(`${tier}.autoDeploy must be a boolean`);
+    }
+    if (tierRules.securityGates !== undefined && !Array.isArray(tierRules.securityGates)) {
+      errors.push(`${tier}.securityGates must be an array`);
+    }
+    if (
+      tierRules.deploymentStrategy !== undefined &&
+      !VALID_STRATEGIES.includes(tierRules.deploymentStrategy)
+    ) {
+      errors.push(
+        `${tier}.deploymentStrategy must be one of: ${VALID_STRATEGIES.join(', ')}`
+      );
+    }
+    if (tierRules.requiresApproval !== undefined && typeof tierRules.requiresApproval !== 'boolean') {
+      errors.push(`${tier}.requiresApproval must be a boolean`);
+    }
+    if (tierRules.requires2FA !== undefined && typeof tierRules.requires2FA !== 'boolean') {
+      errors.push(`${tier}.requires2FA must be a boolean`);
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+  };
+}
+/**
+ * Get rules for a specific tier
+ * @param {string} tier - Tier name (feature, dev, stable)
+ * @param {object} customRules - Optional custom rules to use instead of defaults
+ * @returns {object} Rules for the specified tier
+ */
+export function getRulesForTier(tier, customRules = null) {
+  const rules = customRules ? mergeWithDefaults(customRules) : DEFAULT_RULES;
+  return rules[tier] || DEFAULT_RULES.feature;
+}
+/**
+ * Merge custom rules with defaults
+ * @param {object} custom - Custom rules to merge
+ * @returns {object} Merged rules
+ */
+export function mergeWithDefaults(custom) {
+  if (!custom || Object.keys(custom).length === 0) {
+    return DEFAULT_RULES;
+  }
+  const merged = {};
+  for (const tier of Object.keys(DEFAULT_RULES)) {
+    if (custom[tier]) {
+      merged[tier] = {
+        ...DEFAULT_RULES[tier],
+        ...custom[tier],
+      };
+    } else {
+      merged[tier] = { ...DEFAULT_RULES[tier] };
+    }
+  }
+  return merged;
+}
+/**
+ * Factory function to create a deployment rules manager
+ * @param {object} config - Optional configuration object
+ * @returns {{ getRules: Function, validate: Function, getForTier: Function }}
+ */
+export function createDeploymentRules(config = null) {
+  const rules = loadDeploymentRules(config);
+  return {
+    /**
+     * Get all rules
+     * @returns {object} All deployment rules
+     */
+    getRules() {
+      return rules;
+    },
+    /**
+     * Validate the current rules
+     * @returns {{ valid: boolean, errors: string[] }}
+     */
+    validate() {
+      return validateRules(rules);
+    },
+    /**
+     * Get rules for a specific tier
+     * @param {string} tier - Tier name
+     * @returns {object} Rules for the tier
+     */
+    getForTier(tier) {
+      return rules[tier] || DEFAULT_RULES.feature;
+    },
+  };
+}

package/server/lib/deploy/deployment-rules.test.js ADDED Viewed

@@ -0,0 +1,188 @@
+/**
+ * Deployment Rules Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  loadDeploymentRules,
+  validateRules,
+  getRulesForTier,
+  mergeWithDefaults,
+  DEFAULT_RULES,
+  createDeploymentRules,
+} from './deployment-rules.js';
+describe('deployment-rules', () => {
+  describe('DEFAULT_RULES', () => {
+    it('defines rules for all tiers', () => {
+      expect(DEFAULT_RULES.feature).toBeDefined();
+      expect(DEFAULT_RULES.dev).toBeDefined();
+      expect(DEFAULT_RULES.stable).toBeDefined();
+    });
+    it('feature tier auto-deploys with basic checks', () => {
+      expect(DEFAULT_RULES.feature.autoDeploy).toBe(true);
+      expect(DEFAULT_RULES.feature.securityGates).toContain('sast');
+      expect(DEFAULT_RULES.feature.securityGates).toContain('dependencies');
+    });
+    it('dev tier auto-deploys with full checks', () => {
+      expect(DEFAULT_RULES.dev.autoDeploy).toBe(true);
+      expect(DEFAULT_RULES.dev.securityGates).toContain('sast');
+      expect(DEFAULT_RULES.dev.securityGates).toContain('dast');
+      expect(DEFAULT_RULES.dev.securityGates).toContain('container');
+    });
+    it('stable tier requires approval', () => {
+      expect(DEFAULT_RULES.stable.autoDeploy).toBe(false);
+      expect(DEFAULT_RULES.stable.requiresApproval).toBe(true);
+      expect(DEFAULT_RULES.stable.requires2FA).toBe(true);
+    });
+  });
+  describe('loadDeploymentRules', () => {
+    it('loads rules from config object', () => {
+      const config = {
+        deployment: {
+          rules: {
+            feature: { autoDeploy: false },
+          },
+        },
+      };
+      const rules = loadDeploymentRules(config);
+      expect(rules.feature.autoDeploy).toBe(false);
+    });
+    it('returns defaults when no config', () => {
+      const rules = loadDeploymentRules({});
+      expect(rules).toEqual(DEFAULT_RULES);
+    });
+    it('returns defaults for null config', () => {
+      const rules = loadDeploymentRules(null);
+      expect(rules).toEqual(DEFAULT_RULES);
+    });
+  });
+  describe('validateRules', () => {
+    it('validates correct rule structure', () => {
+      const rules = {
+        feature: {
+          autoDeploy: true,
+          securityGates: ['sast'],
+          deploymentStrategy: 'rolling',
+        },
+      };
+      const result = validateRules(rules);
+      expect(result.valid).toBe(true);
+      expect(result.errors).toHaveLength(0);
+    });
+    it('rejects invalid autoDeploy type', () => {
+      const rules = {
+        feature: { autoDeploy: 'yes' },
+      };
+      const result = validateRules(rules);
+      expect(result.valid).toBe(false);
+      expect(result.errors.some(e => e.includes('autoDeploy'))).toBe(true);
+    });
+    it('rejects invalid security gates', () => {
+      const rules = {
+        feature: { securityGates: 'sast' },
+      };
+      const result = validateRules(rules);
+      expect(result.valid).toBe(false);
+    });
+    it('rejects unknown deployment strategy', () => {
+      const rules = {
+        feature: { deploymentStrategy: 'teleport' },
+      };
+      const result = validateRules(rules);
+      expect(result.valid).toBe(false);
+    });
+    it('allows valid deployment strategies', () => {
+      const strategies = ['rolling', 'blue-green', 'canary', 'recreate'];
+      for (const strategy of strategies) {
+        const rules = { feature: { deploymentStrategy: strategy } };
+        const result = validateRules(rules);
+        expect(result.valid).toBe(true);
+      }
+    });
+  });
+  describe('getRulesForTier', () => {
+    it('returns rules for specified tier', () => {
+      const rules = getRulesForTier('stable');
+      expect(rules.requiresApproval).toBe(true);
+    });
+    it('returns feature rules for unknown tier', () => {
+      const rules = getRulesForTier('unknown');
+      expect(rules).toEqual(DEFAULT_RULES.feature);
+    });
+    it('accepts custom rules', () => {
+      const customRules = {
+        dev: { autoDeploy: false },
+      };
+      const rules = getRulesForTier('dev', customRules);
+      expect(rules.autoDeploy).toBe(false);
+    });
+  });
+  describe('mergeWithDefaults', () => {
+    it('merges custom rules with defaults', () => {
+      const custom = {
+        feature: { autoDeploy: false },
+      };
+      const merged = mergeWithDefaults(custom);
+      expect(merged.feature.autoDeploy).toBe(false);
+      expect(merged.feature.securityGates).toEqual(DEFAULT_RULES.feature.securityGates);
+      expect(merged.dev).toEqual(DEFAULT_RULES.dev);
+    });
+    it('preserves nested arrays', () => {
+      const custom = {
+        dev: { securityGates: ['sast'] },
+      };
+      const merged = mergeWithDefaults(custom);
+      expect(merged.dev.securityGates).toEqual(['sast']);
+    });
+    it('handles empty custom rules', () => {
+      const merged = mergeWithDefaults({});
+      expect(merged).toEqual(DEFAULT_RULES);
+    });
+  });
+  describe('createDeploymentRules', () => {
+    it('creates rules manager', () => {
+      const manager = createDeploymentRules();
+      expect(manager.getRules).toBeDefined();
+      expect(manager.validate).toBeDefined();
+      expect(manager.getForTier).toBeDefined();
+    });
+    it('loads rules on creation', () => {
+      const config = {
+        deployment: {
+          rules: {
+            feature: { autoDeploy: false },
+          },
+        },
+      };
+      const manager = createDeploymentRules(config);
+      expect(manager.getForTier('feature').autoDeploy).toBe(false);
+    });
+    it('exposes all rules', () => {
+      const manager = createDeploymentRules();
+      const rules = manager.getRules();
+      expect(rules.feature).toBeDefined();
+      expect(rules.dev).toBeDefined();
+      expect(rules.stable).toBeDefined();
+    });
+  });
+});