npm - tlc-claude-code - Versions diffs - 1.4.8 → 1.4.9 - Mend

tlc-claude-code 1.4.8 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/security/error-sanitizer.js ADDED Viewed

@@ -0,0 +1,426 @@
+/**
+ * Error Sanitizer Module
+ *
+ * Sanitizes error messages to prevent information disclosure.
+ * Addresses OWASP A01: Broken Access Control (info leakage)
+ */
+import crypto from 'crypto';
+/**
+ * Sensitive patterns to redact from error messages
+ */
+const SENSITIVE_PATTERNS = [
+  // File paths
+  /(?:\/[\w.-]+)+(?:\.[\w]+)?/g,
+  // Windows paths
+  /[A-Z]:\\[\w\\.-]+/gi,
+  // Stack trace line numbers
+  /:\d+:\d+/g,
+  // IP addresses
+  /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
+  // Port numbers
+  /:\d{2,5}\b/g,
+  // Connection strings
+  /(?:postgresql|mysql|mongodb|redis):\/\/[^\s]+/gi,
+  // Environment variables in messages
+  /\$[A-Z_][A-Z0-9_]*/g,
+  // Memory addresses
+  /0x[0-9a-f]{8,}/gi,
+];
+/**
+ * Sensitive property names to remove
+ */
+const SENSITIVE_PROPERTIES = [
+  'password', 'passwd', 'pass', 'secret', 'apiKey', 'api_key',
+  'token', 'accessToken', 'access_token', 'refreshToken', 'refresh_token',
+  'privateKey', 'private_key', 'credential', 'credentials',
+];
+/**
+ * Patterns that indicate database errors
+ */
+const DATABASE_ERROR_PATTERNS = [
+  /ECONNREFUSED/i,
+  /postgresql/i,
+  /mysql/i,
+  /mongodb/i,
+  /database/i,
+  /sql/i,
+  /syntax error/i,
+  /query/i,
+];
+/**
+ * Status code to error code mapping
+ */
+const STATUS_CODE_MAP = {
+  400: 'BAD_REQUEST',
+  401: 'UNAUTHORIZED',
+  403: 'FORBIDDEN',
+  404: 'NOT_FOUND',
+  409: 'CONFLICT',
+  422: 'UNPROCESSABLE_ENTITY',
+  429: 'TOO_MANY_REQUESTS',
+  500: 'INTERNAL_ERROR',
+  502: 'BAD_GATEWAY',
+  503: 'SERVICE_UNAVAILABLE',
+};
+/**
+ * Internal error codes for classification
+ */
+export const ERROR_CODES = {
+  VALIDATION_ERROR: 'VALIDATION_ERROR',
+  AUTHENTICATION_ERROR: 'AUTHENTICATION_ERROR',
+  AUTHORIZATION_ERROR: 'AUTHORIZATION_ERROR',
+  NOT_FOUND: 'NOT_FOUND',
+  RATE_LIMITED: 'RATE_LIMITED',
+  INTERNAL_ERROR: 'INTERNAL_ERROR',
+  DATABASE_ERROR: 'DATABASE_ERROR',
+  NETWORK_ERROR: 'NETWORK_ERROR',
+};
+/**
+ * Generate a unique error ID
+ * @returns {string} Unique error ID
+ */
+function generateErrorId() {
+  return crypto.randomUUID();
+}
+/**
+ * Check if an error message indicates a database error
+ * @param {string} message - Error message
+ * @returns {boolean} True if database error
+ */
+function isDatabaseError(message) {
+  return DATABASE_ERROR_PATTERNS.some((pattern) => pattern.test(message));
+}
+/**
+ * Redact sensitive information from a string
+ * @param {string} text - Text to redact
+ * @param {RegExp[]} additionalPatterns - Additional patterns to redact
+ * @returns {string} Redacted text
+ */
+function redactSensitiveInfo(text, additionalPatterns = []) {
+  if (!text) return '';
+  let redacted = text;
+  const allPatterns = [...SENSITIVE_PATTERNS, ...additionalPatterns];
+  for (const pattern of allPatterns) {
+    redacted = redacted.replace(pattern, '[REDACTED]');
+  }
+  return redacted;
+}
+/**
+ * Sanitize an error for safe client response
+ * @param {Error|null|undefined|string} error - Error to sanitize
+ * @param {Object} options - Sanitization options
+ * @returns {Object} Sanitized error object
+ */
+export function sanitizeError(error, options = {}) {
+  const {
+    production = true,
+    redactPatterns = [],
+    genericMessages = {},
+  } = options;
+  // Handle null/undefined
+  if (error === null || error === undefined) {
+    return {
+      message: 'An unexpected error occurred',
+      id: generateErrorId(),
+    };
+  }
+  // Handle non-Error objects
+  if (typeof error === 'string') {
+    return {
+      message: 'An error occurred',
+      id: generateErrorId(),
+    };
+  }
+  // Handle Error objects
+  const originalMessage = error.message || '';
+  const id = generateErrorId();
+  const result = { id };
+  // Check if user-friendly message should be preserved
+  if (error.isUserFriendly) {
+    result.message = originalMessage;
+  } else if (production) {
+    // Check for database errors
+    if (isDatabaseError(originalMessage)) {
+      result.message = genericMessages.database || 'A database error occurred';
+    } else if (!originalMessage) {
+      result.message = 'An unexpected error occurred';
+    } else {
+      // Redact sensitive info
+      const sanitized = redactSensitiveInfo(originalMessage, redactPatterns);
+      // If heavily redacted, use generic message
+      if (sanitized.includes('[REDACTED]') || sanitized.split('[REDACTED]').length > 2) {
+        result.message = 'An unexpected error occurred';
+      } else {
+        result.message = sanitized;
+      }
+    }
+  } else {
+    // Development mode - include more details without redaction
+    result.message = originalMessage;
+    if (error.stack) {
+      result.stack = error.stack;
+    }
+    if (error.cause) {
+      result.cause = error.cause;
+    }
+  }
+  // Remove sensitive properties
+  for (const prop of SENSITIVE_PROPERTIES) {
+    if (result[prop]) {
+      delete result[prop];
+    }
+  }
+  return result;
+}
+/**
+ * Determine if an error is operational (expected) vs programmer error
+ * @param {Error} error - Error to check
+ * @returns {boolean} True if operational
+ */
+export function isOperationalError(error) {
+  if (!error) return false;
+  // Explicitly marked as operational
+  if (error.isOperational === true) return true;
+  // Status codes 4xx are operational
+  if (error.statusCode >= 400 && error.statusCode < 500) return true;
+  // TypeError, ReferenceError, etc. are programmer errors
+  if (error instanceof TypeError || error instanceof ReferenceError ||
+      error instanceof SyntaxError || error instanceof RangeError) {
+    return false;
+  }
+  // 5xx errors are not operational
+  if (error.statusCode >= 500) return false;
+  return false;
+}
+/**
+ * Format error for HTTP response
+ * @param {Error} error - Error to format
+ * @param {Object} options - Formatting options
+ * @returns {Object} Formatted response
+ */
+export function formatErrorResponse(error, options = {}) {
+  const { production = true, includeStatus = false } = options;
+  const statusCode = error.statusCode || 500;
+  const code = STATUS_CODE_MAP[statusCode] || 'INTERNAL_ERROR';
+  const id = generateErrorId();
+  const errorObj = {
+    message: error.isUserFriendly ? error.message : (error.message || 'An error occurred'),
+    code,
+    id,
+  };
+  // Include status if requested
+  if (includeStatus) {
+    errorObj.status = statusCode;
+  }
+  // Include validation errors for 400
+  if (statusCode === 400 && error.validationErrors) {
+    errorObj.details = error.validationErrors;
+  }
+  // Include stack in development
+  if (!production && error.stack) {
+    errorObj.stack = error.stack;
+  }
+  return { error: errorObj };
+}
+/**
+ * Classify an error into a category
+ * @param {Error} error - Error to classify
+ * @returns {string} Error code
+ */
+export function classifyError(error) {
+  if (!error) return ERROR_CODES.INTERNAL_ERROR;
+  const message = (error.message || '').toLowerCase();
+  const name = (error.name || '').toLowerCase();
+  // Check by error name
+  if (name.includes('validation') || name.includes('invalid')) {
+    return ERROR_CODES.VALIDATION_ERROR;
+  }
+  if (name.includes('auth') || name.includes('unauthorized')) {
+    return ERROR_CODES.AUTHENTICATION_ERROR;
+  }
+  if (name.includes('forbidden') || name.includes('permission')) {
+    return ERROR_CODES.AUTHORIZATION_ERROR;
+  }
+  if (name.includes('notfound') || name === 'notfounderror') {
+    return ERROR_CODES.NOT_FOUND;
+  }
+  // Check by error message
+  if (message.includes('not found') || message.includes('does not exist')) {
+    return ERROR_CODES.NOT_FOUND;
+  }
+  if (message.includes('invalid') || message.includes('required')) {
+    return ERROR_CODES.VALIDATION_ERROR;
+  }
+  if (message.includes('unauthorized') || message.includes('invalid credentials')) {
+    return ERROR_CODES.AUTHENTICATION_ERROR;
+  }
+  if (message.includes('forbidden') || message.includes('permission denied')) {
+    return ERROR_CODES.AUTHORIZATION_ERROR;
+  }
+  if (message.includes('rate limit') || message.includes('too many')) {
+    return ERROR_CODES.RATE_LIMITED;
+  }
+  if (isDatabaseError(message)) {
+    return ERROR_CODES.DATABASE_ERROR;
+  }
+  if (message.includes('connect') || message.includes('timeout') || message.includes('network')) {
+    return ERROR_CODES.NETWORK_ERROR;
+  }
+  // Check for database-specific error codes
+  if (error.code) {
+    const code = String(error.code);
+    if (code.startsWith('23') || code.startsWith('42')) {
+      return ERROR_CODES.DATABASE_ERROR;
+    }
+    if (code === 'ECONNREFUSED' || code === 'ETIMEDOUT') {
+      return ERROR_CODES.NETWORK_ERROR;
+    }
+  }
+  return ERROR_CODES.INTERNAL_ERROR;
+}
+/**
+ * Create an error sanitizer with preset configuration
+ * @param {Object} config - Sanitizer configuration
+ * @returns {Object} Error sanitizer instance
+ */
+export function createErrorSanitizer(config = {}) {
+  const {
+    production = true,
+    redactPatterns = [],
+    genericMessages = {},
+    logger = null,
+  } = config;
+  return {
+    /**
+     * Sanitize an error
+     * @param {Error} error - Error to sanitize
+     * @param {Object} context - Additional context
+     * @returns {Object} Sanitized error
+     */
+    sanitize(error, context = {}) {
+      // Log original error if logger provided
+      if (logger) {
+        logger({
+          originalMessage: error.message,
+          stack: error.stack,
+          code: error.code,
+          ...context,
+        });
+      }
+      return sanitizeError(error, {
+        production,
+        redactPatterns,
+        genericMessages,
+      });
+    },
+    /**
+     * Express error handler middleware
+     */
+    middleware() {
+      return (error, req, res, next) => {
+        const sanitized = this.sanitize(error, {
+          requestId: req.id || req.headers['x-request-id'],
+        });
+        const statusCode = this.getStatusCode(error);
+        res.status(statusCode).json(sanitized);
+      };
+    },
+    /**
+     * Get HTTP status code for error
+     * @param {Error} error - Error to check
+     * @returns {number} HTTP status code
+     */
+    getStatusCode(error) {
+      if (error.statusCode) return error.statusCode;
+      const code = classifyError(error);
+      switch (code) {
+        case ERROR_CODES.VALIDATION_ERROR:
+          return 400;
+        case ERROR_CODES.AUTHENTICATION_ERROR:
+          return 401;
+        case ERROR_CODES.AUTHORIZATION_ERROR:
+          return 403;
+        case ERROR_CODES.NOT_FOUND:
+          return 404;
+        case ERROR_CODES.RATE_LIMITED:
+          return 429;
+        default:
+          return 500;
+      }
+    },
+    /**
+     * Wrap an async handler with error sanitization
+     * @param {Function} handler - Async handler function
+     * @returns {Function} Wrapped handler
+     */
+    wrap(handler) {
+      return async (req, res, next) => {
+        try {
+          await handler(req, res, next);
+        } catch (error) {
+          const sanitized = this.sanitize(error, {
+            requestId: req.id || req.headers['x-request-id'],
+          });
+          const statusCode = this.getStatusCode(error);
+          res.status(statusCode).json(sanitized);
+        }
+      };
+    },
+  };
+}