tlc-claude-code 1.4.8 → 1.4.9

package/server/lib/security/cis-benchmark.test.js

@@ -0,0 +1,137 @@
+/**
+ * CIS Docker Benchmark Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  checkDockerfileCompliance,
+  checkComposeCompliance,
+  checkRuntimeCompliance,
+  generateComplianceReport,
+  createCisBenchmark,
+  CIS_CHECKS,
+} from './cis-benchmark.js';
+
+describe('cis-benchmark', () => {
+  describe('checkDockerfileCompliance', () => {
+    it('checks for USER directive (CIS 4.1)', () => {
+      const dockerfile = 'FROM node:20\nCMD ["node", "app.js"]';
+      const result = checkDockerfileCompliance(dockerfile);
+      expect(result.findings.some(f => f.cis === '4.1')).toBe(true);
+    });
+
+    it('passes with USER directive', () => {
+      const dockerfile = 'FROM node:20\nUSER node\nCMD ["node", "app.js"]';
+      const result = checkDockerfileCompliance(dockerfile);
+      expect(result.findings.some(f => f.cis === '4.1')).toBe(false);
+    });
+
+    it('checks for HEALTHCHECK (CIS 4.6)', () => {
+      const dockerfile = 'FROM node:20\nUSER node';
+      const result = checkDockerfileCompliance(dockerfile);
+      expect(result.findings.some(f => f.cis === '4.6')).toBe(true);
+    });
+
+    it('checks for content trust labels', () => {
+      const dockerfile = 'FROM node:20\nUSER node';
+      const result = checkDockerfileCompliance(dockerfile);
+      expect(result.findings.some(f => f.cis === '4.8')).toBe(true);
+    });
+  });
+
+  describe('checkComposeCompliance', () => {
+    it('checks privileged mode (CIS 5.4)', () => {
+      const compose = { services: { app: { privileged: true } } };
+      const result = checkComposeCompliance(compose);
+      expect(result.findings.some(f => f.cis === '5.4')).toBe(true);
+    });
+
+    it('checks capabilities (CIS 5.3)', () => {
+      const compose = { services: { app: { image: 'node:20' } } };
+      const result = checkComposeCompliance(compose);
+      expect(result.findings.some(f => f.cis === '5.3')).toBe(true);
+    });
+
+    it('checks resource limits (CIS 5.10)', () => {
+      const compose = { services: { app: { image: 'node:20', cap_drop: ['ALL'] } } };
+      const result = checkComposeCompliance(compose);
+      expect(result.findings.some(f => f.cis === '5.10')).toBe(true);
+    });
+
+    it('passes with proper security config', () => {
+      const compose = {
+        services: {
+          app: {
+            image: 'node:20',
+            cap_drop: ['ALL'],
+            read_only: true,
+            user: '1000:1000',
+            security_opt: ['no-new-privileges:true'],
+            deploy: { resources: { limits: { memory: '512M' } } },
+          },
+        },
+      };
+      const result = checkComposeCompliance(compose);
+      expect(result.findings.filter(f => f.severity === 'high').length).toBe(0);
+    });
+  });
+
+  describe('checkRuntimeCompliance', () => {
+    it('checks for PID limits (CIS 5.11)', () => {
+      const compose = { services: { app: { image: 'node:20' } } };
+      const result = checkRuntimeCompliance(compose);
+      expect(result.findings.some(f => f.cis === '5.11')).toBe(true);
+    });
+
+    it('checks network mode (CIS 5.13)', () => {
+      const compose = { services: { app: { network_mode: 'host' } } };
+      const result = checkRuntimeCompliance(compose);
+      expect(result.findings.some(f => f.cis === '5.13')).toBe(true);
+    });
+
+    it('checks for restart policy (CIS 5.14)', () => {
+      const compose = { services: { app: { restart: 'always' } } };
+      const result = checkRuntimeCompliance(compose);
+      expect(result.findings.some(f => f.cis === '5.14')).toBe(true);
+    });
+  });
+
+  describe('generateComplianceReport', () => {
+    it('generates Level 1 compliance report', () => {
+      const dockerfile = 'FROM node:20\nUSER node\nHEALTHCHECK CMD curl -f http://localhost/';
+      const compose = {
+        services: { app: { cap_drop: ['ALL'], user: '1000', deploy: { resources: { limits: { memory: '512M' } } } } },
+      };
+      const report = generateComplianceReport({ dockerfile, compose });
+      expect(report.level1Score).toBeDefined();
+      expect(report.level1Score).toBeGreaterThan(0);
+    });
+
+    it('categorizes findings by CIS section', () => {
+      const dockerfile = 'FROM node:20';
+      const compose = { services: { app: { privileged: true } } };
+      const report = generateComplianceReport({ dockerfile, compose });
+      expect(report.bySection).toBeDefined();
+      expect(report.bySection['4']).toBeDefined();
+      expect(report.bySection['5']).toBeDefined();
+    });
+  });
+
+  describe('createCisBenchmark', () => {
+    it('creates benchmark checker', () => {
+      const checker = createCisBenchmark();
+      expect(checker.checkDockerfile).toBeDefined();
+      expect(checker.checkCompose).toBeDefined();
+      expect(checker.generateReport).toBeDefined();
+    });
+
+    it('calculates overall score', () => {
+      const checker = createCisBenchmark();
+      const dockerfile = 'FROM node:20\nUSER node\nHEALTHCHECK CMD true';
+      const compose = { services: { app: { cap_drop: ['ALL'] } } };
+      const result = checker.audit({ dockerfile, compose });
+      expect(result.score).toBeDefined();
+      expect(result.score).toBeGreaterThanOrEqual(0);
+      expect(result.score).toBeLessThanOrEqual(100);
+    });
+  });
+});

package/server/lib/security/compose-templates.js

@@ -0,0 +1,312 @@
+/**
+ * Hardened Docker Compose Templates
+ *
+ * CIS Docker Benchmark compliant compose configurations.
+ */
+
+/**
+ * Default security settings for all services
+ */
+export const SECURITY_DEFAULTS = {
+  cap_drop: ['ALL'],
+  security_opt: ['no-new-privileges:true'],
+  read_only: true,
+  restart: 'on-failure:5',
+  deploy: {
+    resources: {
+      limits: {
+        memory: '512M',
+        cpus: '0.5',
+      },
+      reservations: {
+        memory: '128M',
+      },
+    },
+  },
+};
+
+/**
+ * Generate production-ready docker-compose configuration
+ */
+export function generateProductionCompose(options = {}) {
+  const {
+    serverImage = 'tlc-server:latest',
+    dashboardImage = 'tlc-dashboard:latest',
+    includeDb = false,
+    includeRedis = false,
+    domain = 'localhost',
+  } = options;
+
+  const compose = {
+    version: '3.8',
+    services: {
+      server: {
+        image: serverImage,
+        ...SECURITY_DEFAULTS,
+        cap_add: ['NET_BIND_SERVICE'],
+        environment: {
+          NODE_ENV: 'production',
+          PORT: '5001',
+        },
+        networks: ['frontend', 'backend'],
+        healthcheck: {
+          test: ['CMD', 'node', '-e', "require('http').get('http://localhost:5001/health')"],
+          interval: '30s',
+          timeout: '10s',
+          retries: 3,
+        },
+        tmpfs: ['/tmp'],
+      },
+      dashboard: {
+        image: dashboardImage,
+        ...SECURITY_DEFAULTS,
+        cap_add: ['CHOWN', 'SETGID', 'SETUID'],
+        ports: ['80:80', '443:443'],
+        networks: ['frontend'],
+        depends_on: ['server'],
+        healthcheck: {
+          test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:80/'],
+          interval: '30s',
+          timeout: '10s',
+          retries: 3,
+        },
+      },
+    },
+    networks: {
+      frontend: {
+        driver: 'bridge',
+      },
+      backend: {
+        driver: 'bridge',
+        internal: true,
+      },
+    },
+  };
+
+  if (includeDb) {
+    compose.services.postgres = {
+      image: 'postgres:16-alpine',
+      cap_drop: ['ALL'],
+      cap_add: ['CHOWN', 'SETGID', 'SETUID', 'DAC_OVERRIDE', 'FOWNER'],
+      security_opt: ['no-new-privileges:true'],
+      read_only: false, // Database needs write access
+      restart: 'on-failure:5',
+      environment: {
+        POSTGRES_DB: '${POSTGRES_DB}',
+        POSTGRES_USER: '${POSTGRES_USER}',
+        POSTGRES_PASSWORD_FILE: '/run/secrets/db_password',
+      },
+      volumes: ['postgres_data:/var/lib/postgresql/data'],
+      networks: ['internal'],
+      deploy: {
+        resources: {
+          limits: {
+            memory: '1G',
+          },
+        },
+      },
+      healthcheck: {
+        test: ['CMD-SHELL', 'pg_isready -U ${POSTGRES_USER}'],
+        interval: '10s',
+        timeout: '5s',
+        retries: 5,
+      },
+    };
+    compose.networks.internal = {
+      driver: 'bridge',
+      internal: true,
+    };
+    compose.volumes = { postgres_data: {} };
+    compose.services.server.networks.push('internal');
+  }
+
+  if (includeRedis) {
+    compose.services.redis = {
+      image: 'redis:7-alpine',
+      cap_drop: ['ALL'],
+      security_opt: ['no-new-privileges:true'],
+      read_only: true,
+      restart: 'on-failure:5',
+      command: ['redis-server', '--appendonly', 'yes', '--maxmemory', '256mb'],
+      volumes: ['redis_data:/data'],
+      networks: ['internal'],
+      deploy: {
+        resources: {
+          limits: {
+            memory: '512M',
+          },
+        },
+      },
+    };
+    if (!compose.networks.internal) {
+      compose.networks.internal = { driver: 'bridge', internal: true };
+    }
+    if (!compose.volumes) compose.volumes = {};
+    compose.volumes.redis_data = {};
+    if (!compose.services.server.networks.includes('internal')) {
+      compose.services.server.networks.push('internal');
+    }
+  }
+
+  return compose;
+}
+
+/**
+ * Generate security overlay for additional hardening
+ */
+export function generateSecurityCompose(options = {}) {
+  const { apparmor = false, seccompProfile = 'default' } = options;
+
+  const securityOpt = ['no-new-privileges:true', `seccomp:${seccompProfile}`];
+  if (apparmor) {
+    securityOpt.push('apparmor:docker-default');
+  }
+
+  return {
+    version: '3.8',
+    services: {
+      server: {
+        security_opt: securityOpt,
+        pids_limit: 100,
+        ulimits: {
+          nofile: {
+            soft: 65535,
+            hard: 65535,
+          },
+          nproc: {
+            soft: 1024,
+            hard: 2048,
+          },
+        },
+        privileged: false,
+      },
+      dashboard: {
+        security_opt: securityOpt,
+        pids_limit: 50,
+        ulimits: {
+          nofile: {
+            soft: 32768,
+            hard: 32768,
+          },
+        },
+        privileged: false,
+      },
+    },
+  };
+}
+
+/**
+ * Generate development docker-compose configuration
+ */
+export function generateDevCompose(options = {}) {
+  const { serverPort = 5001, dashboardPort = 3000 } = options;
+
+  return {
+    version: '3.8',
+    services: {
+      server: {
+        build: {
+          context: './server',
+          dockerfile: 'Dockerfile.dev',
+        },
+        cap_drop: ['ALL'],
+        cap_add: ['NET_BIND_SERVICE'],
+        security_opt: ['no-new-privileges:true'],
+        ports: [`${serverPort}:5001`],
+        volumes: ['./server:/app:cached', '/app/node_modules'],
+        environment: {
+          NODE_ENV: 'development',
+          DEBUG: '*',
+        },
+        networks: ['dev'],
+      },
+      dashboard: {
+        build: {
+          context: './dashboard-web',
+          dockerfile: 'Dockerfile.dev',
+        },
+        cap_drop: ['ALL'],
+        security_opt: ['no-new-privileges:true'],
+        ports: [`${dashboardPort}:3000`],
+        volumes: ['./dashboard-web:/app:cached', '/app/node_modules'],
+        environment: {
+          NODE_ENV: 'development',
+          VITE_API_URL: `http://localhost:${serverPort}`,
+        },
+        networks: ['dev'],
+        depends_on: ['server'],
+      },
+    },
+    networks: {
+      dev: {
+        driver: 'bridge',
+      },
+    },
+  };
+}
+
+/**
+ * Deep merge compose files (overlay pattern)
+ */
+export function mergeComposeFiles(base, overlay) {
+  const result = JSON.parse(JSON.stringify(base));
+
+  // Merge services
+  if (overlay.services) {
+    for (const [name, svc] of Object.entries(overlay.services)) {
+      if (result.services[name]) {
+        result.services[name] = mergeService(result.services[name], svc);
+      } else {
+        result.services[name] = svc;
+      }
+    }
+  }
+
+  // Merge networks
+  if (overlay.networks) {
+    result.networks = { ...result.networks, ...overlay.networks };
+  }
+
+  // Merge volumes
+  if (overlay.volumes) {
+    result.volumes = { ...result.volumes, ...overlay.volumes };
+  }
+
+  // Merge secrets
+  if (overlay.secrets) {
+    result.secrets = { ...result.secrets, ...overlay.secrets };
+  }
+
+  return result;
+}
+
+/**
+ * Merge a single service configuration
+ */
+function mergeService(base, overlay) {
+  const result = { ...base };
+
+  for (const [key, value] of Object.entries(overlay)) {
+    if (Array.isArray(value)) {
+      // Arrays from overlay replace base arrays
+      result[key] = value;
+    } else if (typeof value === 'object' && value !== null) {
+      // Objects are deep merged
+      result[key] = mergeService(result[key] || {}, value);
+    } else {
+      // Primitives are replaced
+      result[key] = value;
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Generate complete production stack
+ */
+export function generateFullStack(options = {}) {
+  const base = generateProductionCompose(options);
+  const security = generateSecurityCompose(options);
+  return mergeComposeFiles(base, security);
+}

package/server/lib/security/compose-templates.test.js

@@ -0,0 +1,229 @@
+/**
+ * Hardened Docker Compose Templates Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  generateProductionCompose,
+  generateSecurityCompose,
+  generateDevCompose,
+  mergeComposeFiles,
+  SECURITY_DEFAULTS,
+} from './compose-templates.js';
+import { checkComposeCompliance, checkRuntimeCompliance } from './cis-benchmark.js';
+describe('compose-templates', () => {
+  describe('generateProductionCompose', () => {
+    it('generates valid compose structure', () => {
+      const compose = generateProductionCompose();
+      expect(compose.version).toBeDefined();
+      expect(compose.services).toBeDefined();
+    });
+
+    it('includes server service', () => {
+      const compose = generateProductionCompose();
+      expect(compose.services.server).toBeDefined();
+    });
+
+    it('includes dashboard service', () => {
+      const compose = generateProductionCompose();
+      expect(compose.services.dashboard).toBeDefined();
+    });
+
+    it('sets resource limits on all services', () => {
+      const compose = generateProductionCompose();
+      for (const [name, svc] of Object.entries(compose.services)) {
+        const hasLimits = svc.deploy?.resources?.limits || svc.mem_limit;
+        expect(hasLimits, `Service ${name} should have memory limits`).toBeTruthy();
+      }
+    });
+
+    it('uses read_only filesystem where applicable', () => {
+      const compose = generateProductionCompose();
+      // Non-database services should be read-only
+      expect(compose.services.server.read_only).toBe(true);
+      expect(compose.services.dashboard.read_only).toBe(true);
+    });
+
+    it('drops ALL capabilities', () => {
+      const compose = generateProductionCompose();
+      for (const [name, svc] of Object.entries(compose.services)) {
+        expect(svc.cap_drop, `Service ${name} should drop ALL`).toContain('ALL');
+      }
+    });
+
+    it('sets no-new-privileges', () => {
+      const compose = generateProductionCompose();
+      for (const [name, svc] of Object.entries(compose.services)) {
+        const hasNoNewPriv = svc.security_opt?.some(o => o.includes('no-new-privileges'));
+        expect(hasNoNewPriv, `Service ${name} should set no-new-privileges`).toBe(true);
+      }
+    });
+
+    it('uses internal network for database', () => {
+      const compose = generateProductionCompose({ includeDb: true });
+      if (compose.services.postgres) {
+        const networks = compose.services.postgres.networks || [];
+        expect(networks).toContain('internal');
+      }
+    });
+
+    it('does not expose database ports to host', () => {
+      const compose = generateProductionCompose({ includeDb: true });
+      if (compose.services.postgres) {
+        expect(compose.services.postgres.ports).toBeUndefined();
+      }
+    });
+
+    it('passes CIS compliance checks', () => {
+      const compose = generateProductionCompose();
+      const result = checkComposeCompliance(compose);
+      const criticalFindings = result.findings.filter(f => f.severity === 'critical');
+      expect(criticalFindings.length).toBe(0);
+    });
+
+    it('passes runtime compliance checks', () => {
+      const compose = generateProductionCompose();
+      const result = checkRuntimeCompliance(compose);
+      const highFindings = result.findings.filter(f => f.severity === 'high');
+      expect(highFindings.length).toBe(0);
+    });
+  });
+
+  describe('generateSecurityCompose', () => {
+    it('generates overlay for security hardening', () => {
+      const compose = generateSecurityCompose();
+      expect(compose.version).toBeDefined();
+      expect(compose.services).toBeDefined();
+    });
+
+    it('adds seccomp profiles', () => {
+      const compose = generateSecurityCompose();
+      for (const [name, svc] of Object.entries(compose.services)) {
+        const hasSeccomp = svc.security_opt?.some(o => o.includes('seccomp'));
+        expect(hasSeccomp, `Service ${name} should have seccomp`).toBe(true);
+      }
+    });
+
+    it('adds AppArmor profiles when specified', () => {
+      const compose = generateSecurityCompose({ apparmor: true });
+      for (const [name, svc] of Object.entries(compose.services)) {
+        const hasApparmor = svc.security_opt?.some(o => o.includes('apparmor'));
+        expect(hasApparmor, `Service ${name} should have apparmor`).toBe(true);
+      }
+    });
+
+    it('sets PID limits', () => {
+      const compose = generateSecurityCompose();
+      for (const [name, svc] of Object.entries(compose.services)) {
+        expect(svc.pids_limit, `Service ${name} should have pids_limit`).toBeDefined();
+      }
+    });
+
+    it('sets ulimits', () => {
+      const compose = generateSecurityCompose();
+      for (const [name, svc] of Object.entries(compose.services)) {
+        expect(svc.ulimits, `Service ${name} should have ulimits`).toBeDefined();
+      }
+    });
+
+    it('disables privileged mode', () => {
+      const compose = generateSecurityCompose();
+      for (const [name, svc] of Object.entries(compose.services)) {
+        expect(svc.privileged, `Service ${name} should not be privileged`).toBeFalsy();
+      }
+    });
+  });
+
+  describe('generateDevCompose', () => {
+    it('generates development configuration', () => {
+      const compose = generateDevCompose();
+      expect(compose.services).toBeDefined();
+    });
+
+    it('mounts source code volumes', () => {
+      const compose = generateDevCompose();
+      expect(compose.services.server.volumes).toBeDefined();
+      expect(compose.services.server.volumes.some(v => v.includes(':'))).toBe(true);
+    });
+
+    it('exposes ports for development', () => {
+      const compose = generateDevCompose();
+      expect(compose.services.server.ports).toBeDefined();
+    });
+
+    it('still maintains basic security', () => {
+      const compose = generateDevCompose();
+      // Even dev should drop ALL capabilities
+      for (const [name, svc] of Object.entries(compose.services)) {
+        if (svc.cap_drop) {
+          expect(svc.cap_drop).toContain('ALL');
+        }
+      }
+    });
+  });
+
+  describe('mergeComposeFiles', () => {
+    it('merges base and overlay', () => {
+      const base = {
+        version: '3.8',
+        services: { app: { image: 'node:20' } },
+      };
+      const overlay = {
+        services: { app: { read_only: true } },
+      };
+      const merged = mergeComposeFiles(base, overlay);
+      expect(merged.services.app.image).toBe('node:20');
+      expect(merged.services.app.read_only).toBe(true);
+    });
+
+    it('overlay arrays replace base arrays', () => {
+      const base = {
+        services: { app: { cap_drop: ['NET_RAW'] } },
+      };
+      const overlay = {
+        services: { app: { cap_drop: ['ALL'] } },
+      };
+      const merged = mergeComposeFiles(base, overlay);
+      expect(merged.services.app.cap_drop).toEqual(['ALL']);
+    });
+
+    it('merges networks', () => {
+      const base = {
+        networks: { frontend: {} },
+      };
+      const overlay = {
+        networks: { backend: { internal: true } },
+      };
+      const merged = mergeComposeFiles(base, overlay);
+      expect(merged.networks.frontend).toBeDefined();
+      expect(merged.networks.backend).toBeDefined();
+    });
+  });
+
+  describe('SECURITY_DEFAULTS', () => {
+    it('defines default security settings', () => {
+      expect(SECURITY_DEFAULTS.cap_drop).toContain('ALL');
+      expect(SECURITY_DEFAULTS.security_opt).toBeDefined();
+      expect(SECURITY_DEFAULTS.read_only).toBe(true);
+    });
+
+    it('includes memory limits', () => {
+      expect(SECURITY_DEFAULTS.deploy.resources.limits.memory).toBeDefined();
+    });
+
+    it('includes restart policy', () => {
+      expect(SECURITY_DEFAULTS.restart).toBe('on-failure:5');
+    });
+  });
+
+  describe('integration with validators', () => {
+    it('production compose passes all CIS checks', () => {
+      const compose = generateProductionCompose();
+      const composeResult = checkComposeCompliance(compose);
+      const runtimeResult = checkRuntimeCompliance(compose);
+
+      const allFindings = [...composeResult.findings, ...runtimeResult.findings];
+      const criticalFindings = allFindings.filter(f => f.severity === 'critical');
+      expect(criticalFindings.length).toBe(0);
+    });
+  });
+});