npm - tlc-claude-code - Versions diffs - 1.4.8 → 1.4.9 - Mend

tlc-claude-code 1.4.8 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/security/container-runtime.js ADDED Viewed

@@ -0,0 +1,456 @@
+/**
+ * Container Runtime Security Validator Module
+ *
+ * Validates docker-compose and container runtime configurations.
+ * Based on CIS Docker Benchmark and OWASP Docker Security guidelines.
+ */
+import yaml from 'js-yaml';
+/**
+ * Severity levels for findings
+ */
+export const SEVERITY = {
+  CRITICAL: 'critical',
+  HIGH: 'high',
+  MEDIUM: 'medium',
+  LOW: 'low',
+  INFO: 'info',
+};
+/**
+ * Dangerous Linux capabilities
+ */
+const DANGEROUS_CAPABILITIES = [
+  'SYS_ADMIN',
+  'NET_ADMIN',
+  'SYS_PTRACE',
+  'SYS_MODULE',
+  'DAC_READ_SEARCH',
+  'SYS_RAWIO',
+  'SYS_BOOT',
+  'SYS_TIME',
+  'MKNOD',
+];
+/**
+ * Safe capabilities that can be added
+ */
+const SAFE_CAPABILITIES = [
+  'NET_BIND_SERVICE',
+  'CHOWN',
+  'SETUID',
+  'SETGID',
+  'FOWNER',
+  'DAC_OVERRIDE',
+];
+/**
+ * Database image patterns
+ */
+const DATABASE_IMAGES = [
+  /postgres/i,
+  /mysql/i,
+  /mariadb/i,
+  /mongo/i,
+  /redis/i,
+  /elasticsearch/i,
+  /memcached/i,
+];
+/**
+ * Patterns for secrets in environment values
+ */
+const SECRET_PATTERNS = [
+  /password\s*[=:]\s*[^$\s{][^\s]*/i,
+  /secret\s*[=:]\s*[^$\s{][^\s]*/i,
+  /api[_-]?key\s*[=:]\s*[^$\s{][^\s]*/i,
+  /token\s*[=:]\s*[^$\s{][^\s]*/i,
+];
+/**
+ * Check if a service is a database
+ * @param {string} name - Service name
+ * @param {Object} service - Service config
+ * @returns {boolean} True if database
+ */
+function isDatabase(name, service) {
+  if (DATABASE_IMAGES.some(p => p.test(service.image || ''))) return true;
+  if (/db|database|postgres|mysql|mongo|redis/i.test(name)) return true;
+  return false;
+}
+/**
+ * Parse docker-compose YAML content
+ * @param {string} content - YAML content
+ * @returns {Object} Parsed compose config
+ */
+export function parseCompose(content) {
+  try {
+    const parsed = yaml.load(content);
+    return {
+      version: parsed.version || null,
+      services: parsed.services || {},
+      networks: parsed.networks || {},
+      volumes: parsed.volumes || {},
+      secrets: parsed.secrets || {},
+    };
+  } catch (e) {
+    throw new Error(`Failed to parse docker-compose: ${e.message}`);
+  }
+}
+/**
+ * Validate a single service configuration
+ * @param {string} name - Service name
+ * @param {Object} service - Service configuration
+ * @param {Object} options - Validation options
+ * @returns {Object} Validation result
+ */
+export function validateService(name, service, options = {}) {
+  const findings = [];
+  const isDb = isDatabase(name, service);
+  // Check privileged mode
+  if (service.privileged === true) {
+    findings.push({
+      rule: 'no-privileged',
+      severity: SEVERITY.CRITICAL,
+      service: name,
+      message: `Service '${name}' uses privileged mode. This grants full root access.`,
+      fix: 'Remove privileged: true. Use specific capabilities instead.',
+    });
+  }
+  // Check capabilities
+  const capDrop = service.cap_drop || [];
+  const capAdd = service.cap_add || [];
+  if (!capDrop.includes('ALL')) {
+    findings.push({
+      rule: 'require-cap-drop-all',
+      severity: SEVERITY.HIGH,
+      service: name,
+      message: `Service '${name}' should drop all capabilities and add only required ones.`,
+      fix: "Add 'cap_drop: [ALL]' to the service.",
+    });
+  }
+  // Check for dangerous capabilities
+  const dangerousCaps = capAdd.filter(cap => DANGEROUS_CAPABILITIES.includes(cap));
+  if (dangerousCaps.length > 0) {
+    findings.push({
+      rule: 'dangerous-capabilities',
+      severity: SEVERITY.HIGH,
+      service: name,
+      message: `Service '${name}' adds dangerous capabilities: ${dangerousCaps.join(', ')}`,
+      fix: 'Remove dangerous capabilities or document why they are required.',
+    });
+  }
+  // Check network mode
+  if (service.network_mode === 'host') {
+    findings.push({
+      rule: 'no-host-network',
+      severity: SEVERITY.HIGH,
+      service: name,
+      message: `Service '${name}' uses host network mode. This bypasses network isolation.`,
+      fix: 'Use custom bridge networks instead of host network.',
+    });
+  }
+  // Check read-only filesystem
+  if (!isDb && service.read_only !== true) {
+    findings.push({
+      rule: 'recommend-read-only',
+      severity: SEVERITY.MEDIUM,
+      service: name,
+      message: `Service '${name}' should use read-only root filesystem.`,
+      fix: "Add 'read_only: true' and mount writable volumes for needed paths.",
+    });
+  }
+  // Check user
+  if (!service.user) {
+    findings.push({
+      rule: 'recommend-user',
+      severity: SEVERITY.MEDIUM,
+      service: name,
+      message: `Service '${name}' should specify a non-root user.`,
+      fix: "Add 'user: \"1000:1000\"' or similar non-root user.",
+    });
+  } else if (service.user === 'root' || service.user === '0' || service.user === '0:0') {
+    findings.push({
+      rule: 'no-root-user',
+      severity: SEVERITY.HIGH,
+      service: name,
+      message: `Service '${name}' runs as root user.`,
+      fix: 'Change to a non-root user.',
+    });
+  }
+  // Check security_opt
+  const securityOpt = service.security_opt || [];
+  const hasNoNewPrivileges = securityOpt.some(opt =>
+    opt.includes('no-new-privileges')
+  );
+  const hasSeccomp = securityOpt.some(opt =>
+    opt.includes('seccomp')
+  );
+  if (!hasNoNewPrivileges) {
+    findings.push({
+      rule: 'recommend-no-new-privileges',
+      severity: SEVERITY.MEDIUM,
+      service: name,
+      message: `Service '${name}' should prevent privilege escalation.`,
+      fix: "Add 'security_opt: [no-new-privileges:true]'.",
+    });
+  }
+  if (!hasSeccomp) {
+    findings.push({
+      rule: 'recommend-seccomp',
+      severity: SEVERITY.LOW,
+      service: name,
+      message: `Service '${name}' should use seccomp profile.`,
+      fix: "Add 'security_opt: [seccomp:default]' or custom profile.",
+    });
+  }
+  // Check resource limits
+  const hasDeployLimits = service.deploy?.resources?.limits;
+  const hasMemLimit = service.mem_limit || service.memory;
+  if (!hasDeployLimits && !hasMemLimit) {
+    findings.push({
+      rule: 'recommend-resource-limits',
+      severity: SEVERITY.MEDIUM,
+      service: name,
+      message: `Service '${name}' should have resource limits.`,
+      fix: 'Add deploy.resources.limits or mem_limit to prevent resource exhaustion.',
+    });
+  }
+  return { findings };
+}
+/**
+ * Validate a full docker-compose configuration
+ * @param {string} content - YAML content
+ * @param {Object} options - Validation options
+ * @returns {Object} Validation result
+ */
+export function validateCompose(content, options = {}) {
+  const parsed = parseCompose(content);
+  const findings = [];
+  const recommendations = [];
+  // Validate each service
+  for (const [name, service] of Object.entries(parsed.services)) {
+    const serviceResult = validateService(name, service, options);
+    findings.push(...serviceResult.findings);
+  }
+  // Check for custom networks
+  const hasCustomNetworks = Object.keys(parsed.networks).length > 0;
+  const servicesUseNetworks = Object.values(parsed.services).some(s => s.networks);
+  if (!hasCustomNetworks && !servicesUseNetworks) {
+    findings.push({
+      rule: 'use-custom-networks',
+      severity: SEVERITY.MEDIUM,
+      message: 'No custom networks defined. Services will use default bridge network.',
+      fix: 'Define custom networks for network segmentation.',
+    });
+  }
+  // Check database network isolation
+  for (const [name, service] of Object.entries(parsed.services)) {
+    if (isDatabase(name, service)) {
+      const serviceNetworks = service.networks || [];
+      let hasInternalNetwork = false;
+      for (const netName of serviceNetworks) {
+        const netConfig = parsed.networks[netName];
+        if (netConfig?.internal === true) {
+          hasInternalNetwork = true;
+          break;
+        }
+      }
+      if (serviceNetworks.length > 0 && !hasInternalNetwork) {
+        findings.push({
+          rule: 'database-internal-network',
+          severity: SEVERITY.MEDIUM,
+          service: name,
+          message: `Database '${name}' should use internal network (not externally accessible).`,
+          fix: 'Add "internal: true" to database network configuration.',
+        });
+      }
+    }
+  }
+  // Check for secrets in environment
+  for (const [name, service] of Object.entries(parsed.services)) {
+    const env = service.environment || {};
+    const envList = Array.isArray(env) ? env : Object.entries(env).map(([k, v]) => `${k}=${v}`);
+    for (const envVar of envList) {
+      // Check for hardcoded secrets
+      if (SECRET_PATTERNS.some(p => p.test(envVar))) {
+        findings.push({
+          rule: 'no-secrets-in-env',
+          severity: SEVERITY.CRITICAL,
+          service: name,
+          message: `Service '${name}' has possible hardcoded secret in environment.`,
+          fix: 'Use Docker secrets or external secret management.',
+        });
+      }
+    }
+    // Recommend Docker secrets for password-like vars
+    const hasPasswordEnv = envList.some(e =>
+      /password|secret|key|token/i.test(e)
+    );
+    const hasSecretsDefined = Object.keys(parsed.secrets || {}).length > 0;
+    if (hasPasswordEnv && !hasSecretsDefined) {
+      const existingRec = recommendations.find(r => r.rule === 'recommend-docker-secrets');
+      if (!existingRec) {
+        findings.push({
+          rule: 'recommend-docker-secrets',
+          severity: SEVERITY.LOW,
+          message: 'Sensitive environment variables detected. Consider using Docker secrets.',
+          fix: 'Define secrets in docker-compose and mount them in services.',
+        });
+        recommendations.push({ rule: 'recommend-docker-secrets' });
+      }
+    }
+  }
+  // Calculate score
+  const score = calculateScore(findings);
+  // Generate recommendations
+  const allRecommendations = generateRecommendations(findings);
+  return {
+    findings,
+    parsed,
+    score,
+    recommendations: allRecommendations,
+    summary: {
+      total: findings.length,
+      critical: findings.filter(f => f.severity === SEVERITY.CRITICAL).length,
+      high: findings.filter(f => f.severity === SEVERITY.HIGH).length,
+      medium: findings.filter(f => f.severity === SEVERITY.MEDIUM).length,
+      low: findings.filter(f => f.severity === SEVERITY.LOW).length,
+    },
+  };
+}
+/**
+ * Calculate security score (0-100)
+ * @param {Array} findings - Validation findings
+ * @returns {number} Security score
+ */
+function calculateScore(findings) {
+  let score = 100;
+  for (const finding of findings) {
+    switch (finding.severity) {
+      case SEVERITY.CRITICAL:
+        score -= 25;
+        break;
+      case SEVERITY.HIGH:
+        score -= 15;
+        break;
+      case SEVERITY.MEDIUM:
+        score -= 10;
+        break;
+      case SEVERITY.LOW:
+        score -= 5;
+        break;
+    }
+  }
+  return Math.max(0, score);
+}
+/**
+ * Generate recommendations from findings
+ * @param {Array} findings - Validation findings
+ * @returns {Array} Recommendations
+ */
+function generateRecommendations(findings) {
+  const recommendations = [];
+  const seenRules = new Set();
+  for (const finding of findings) {
+    if (!seenRules.has(finding.rule) && finding.fix) {
+      recommendations.push({
+        rule: finding.rule,
+        severity: finding.severity,
+        message: finding.message,
+        fix: finding.fix,
+      });
+      seenRules.add(finding.rule);
+    }
+  }
+  return recommendations.sort((a, b) => {
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+    return severityOrder[a.severity] - severityOrder[b.severity];
+  });
+}
+/**
+ * Create a configurable runtime validator
+ * @param {Object} config - Validator configuration
+ * @returns {Object} Validator instance
+ */
+export function createRuntimeValidator(config = {}) {
+  const { rules = {} } = config;
+  return {
+    /**
+     * Validate docker-compose content
+     * @param {string} content - YAML content
+     * @returns {Object} Validation result
+     */
+    validate(content) {
+      const result = validateCompose(content);
+      // Filter findings based on rule configuration
+      result.findings = result.findings.filter(finding => {
+        const ruleConfig = rules[finding.rule];
+        if (ruleConfig === 'off' || ruleConfig === false) {
+          return false;
+        }
+        return true;
+      });
+      // Recalculate score
+      result.score = calculateScore(result.findings);
+      result.summary = {
+        total: result.findings.length,
+        critical: result.findings.filter(f => f.severity === SEVERITY.CRITICAL).length,
+        high: result.findings.filter(f => f.severity === SEVERITY.HIGH).length,
+        medium: result.findings.filter(f => f.severity === SEVERITY.MEDIUM).length,
+        low: result.findings.filter(f => f.severity === SEVERITY.LOW).length,
+      };
+      return result;
+    },
+    /**
+     * Validate from file path
+     * @param {string} filePath - Path to docker-compose.yml
+     * @param {Function} readFile - File reader function
+     * @returns {Promise<Object>} Validation result
+     */
+    async validateFile(filePath, readFile) {
+      const content = await readFile(filePath, 'utf8');
+      return this.validate(content);
+    },
+  };
+}