tlc-claude-code 1.4.9 → 1.5.2

package/server/lib/orchestration-integration.test.js

@@ -0,0 +1,235 @@
+const { describe, it, beforeEach, mock } = require('node:test');
+const assert = require('node:assert');
+const {
+  wrapWithOrchestration,
+  createAgentForCommand,
+  trackCommandCost,
+  applyQualityGate,
+  OrchestrationIntegration,
+} = require('./orchestration-integration.js');
+
+describe('orchestration-integration', () => {
+  describe('OrchestrationIntegration', () => {
+    let integration;
+    let mockRegistry;
+    let mockCostTracker;
+    let mockQualityGate;
+
+    beforeEach(() => {
+      mockRegistry = {
+        agents: [],
+        createAgent: (data) => {
+          const agent = { id: `agent-${Date.now()}`, ...data };
+          mockRegistry.agents.push(agent);
+          return agent;
+        },
+        getAgent: (id) => mockRegistry.agents.find(a => a.id === id),
+        updateAgent: (id, updates) => {
+          const agent = mockRegistry.agents.find(a => a.id === id);
+          if (agent) Object.assign(agent, updates);
+          return agent;
+        },
+      };
+
+      mockCostTracker = {
+        costs: [],
+        track: (cost) => mockCostTracker.costs.push(cost),
+        getTotal: () => mockCostTracker.costs.reduce((s, c) => s + c.amount, 0),
+      };
+
+      mockQualityGate = {
+        evaluate: async (output) => ({ pass: output.quality > 70, score: output.quality }),
+      };
+
+      integration = new OrchestrationIntegration({
+        registry: mockRegistry,
+        costTracker: mockCostTracker,
+        qualityGate: mockQualityGate,
+      });
+    });
+
+    describe('build command', () => {
+      it('creates agents', async () => {
+        const result = await integration.wrapCommand('build', async () => ({
+          success: true,
+          output: 'Built successfully',
+          quality: 85,
+        }));
+
+        assert.ok(mockRegistry.agents.length > 0);
+      });
+
+      it('tracks cost', async () => {
+        await integration.wrapCommand('build', async () => ({
+          success: true,
+          cost: 0.15,
+          quality: 85,
+        }));
+
+        assert.ok(mockCostTracker.costs.length > 0);
+      });
+    });
+
+    describe('review command', () => {
+      it('uses multi-model', async () => {
+        let modelsUsed = [];
+        const result = await integration.wrapCommand('review', async (ctx) => {
+          modelsUsed.push(ctx.model || 'default');
+          return { success: true, quality: 90 };
+        }, { multiModel: true, models: ['claude', 'gpt-4'] });
+
+        assert.ok(result.success);
+      });
+
+      it('applies consensus', async () => {
+        const results = [
+          { score: 80, issues: ['a', 'b'] },
+          { score: 85, issues: ['b', 'c'] },
+        ];
+        const consensus = integration.applyConsensus(results);
+        assert.ok(consensus.score >= 80);
+        assert.ok(consensus.issues.includes('b')); // Common issue
+      });
+    });
+
+    describe('refactor command', () => {
+      it('uses quality gate', async () => {
+        let qualityChecked = false;
+        const customQuality = {
+          evaluate: async (output) => {
+            qualityChecked = true;
+            return { pass: true, score: 90 };
+          },
+        };
+
+        const int = new OrchestrationIntegration({
+          registry: mockRegistry,
+          costTracker: mockCostTracker,
+          qualityGate: customQuality,
+        });
+
+        await int.wrapCommand('refactor', async () => ({
+          success: true,
+          quality: 90,
+        }), { useQualityGate: true });
+
+        assert.ok(qualityChecked);
+      });
+    });
+
+    it('agents appear in registry', async () => {
+      await integration.wrapCommand('test', async () => ({ success: true, quality: 85 }));
+      assert.ok(mockRegistry.agents.length > 0);
+    });
+
+    it('costs appear in tracker', async () => {
+      await integration.wrapCommand('test', async () => ({
+        success: true,
+        cost: 0.25,
+        quality: 85,
+      }));
+      assert.ok(mockCostTracker.costs.some(c => c.amount === 0.25));
+    });
+
+    it('quality scores recorded', async () => {
+      await integration.wrapCommand('test', async () => ({
+        success: true,
+        quality: 92,
+      }));
+      const agent = mockRegistry.agents[0];
+      assert.ok(agent.quality?.score === 92 || agent.qualityScore === 92);
+    });
+
+    it('existing behavior preserved', async () => {
+      const original = async () => ({ custom: 'data', success: true, quality: 85 });
+      const result = await integration.wrapCommand('test', original);
+      assert.strictEqual(result.custom, 'data');
+    });
+
+    it('graceful fallback on error', async () => {
+      const brokenRegistry = {
+        createAgent: () => { throw new Error('Registry error'); },
+      };
+
+      const int = new OrchestrationIntegration({
+        registry: brokenRegistry,
+        costTracker: mockCostTracker,
+        qualityGate: mockQualityGate,
+        fallbackOnError: true,
+      });
+
+      // Should not throw, should fall back
+      const result = await int.wrapCommand('test', async () => ({
+        success: true,
+        quality: 85,
+      }));
+      assert.ok(result.success);
+    });
+  });
+
+  describe('wrapWithOrchestration', () => {
+    it('wraps function with tracking', async () => {
+      let tracked = false;
+      const wrapped = wrapWithOrchestration(
+        async () => ({ result: 'ok' }),
+        { onComplete: () => { tracked = true; } }
+      );
+
+      const result = await wrapped();
+      assert.strictEqual(result.result, 'ok');
+      assert.ok(tracked);
+    });
+
+    it('passes context through', async () => {
+      const wrapped = wrapWithOrchestration(
+        async (ctx) => ({ model: ctx.model }),
+        {}
+      );
+
+      const result = await wrapped({ model: 'claude' });
+      assert.strictEqual(result.model, 'claude');
+    });
+  });
+
+  describe('createAgentForCommand', () => {
+    it('creates agent with command name', () => {
+      const agent = createAgentForCommand('build', { model: 'claude' });
+      assert.strictEqual(agent.command, 'build');
+      assert.strictEqual(agent.model, 'claude');
+    });
+
+    it('sets initial status', () => {
+      const agent = createAgentForCommand('test', {});
+      assert.strictEqual(agent.status, 'queued');
+    });
+  });
+
+  describe('trackCommandCost', () => {
+    it('records cost with command', () => {
+      const tracker = { costs: [], track: (c) => tracker.costs.push(c) };
+      trackCommandCost(tracker, 'build', 0.15);
+      assert.strictEqual(tracker.costs[0].command, 'build');
+      assert.strictEqual(tracker.costs[0].amount, 0.15);
+    });
+  });
+
+  describe('applyQualityGate', () => {
+    it('passes for high quality', async () => {
+      const gate = { evaluate: async () => ({ pass: true, score: 90 }) };
+      const result = await applyQualityGate(gate, { output: 'test' });
+      assert.ok(result.pass);
+    });
+
+    it('fails for low quality', async () => {
+      const gate = { evaluate: async () => ({ pass: false, score: 50 }) };
+      const result = await applyQualityGate(gate, { output: 'test' });
+      assert.strictEqual(result.pass, false);
+    });
+
+    it('returns score', async () => {
+      const gate = { evaluate: async () => ({ pass: true, score: 85 }) };
+      const result = await applyQualityGate(gate, { output: 'test' });
+      assert.strictEqual(result.score, 85);
+    });
+  });
+});

package/server/lib/output-encoder.js

@@ -0,0 +1,308 @@
+/**
+ * Output Encoder Module
+ *
+ * Context-aware output encoding for XSS prevention
+ */
+
+const crypto = require('crypto');
+
+/**
+ * Create an output encoder
+ * @param {Object} options - Encoder options
+ * @returns {Object} Encoder instance
+ */
+function createOutputEncoder(options = {}) {
+  return {
+    contexts: options.contexts || ['html', 'js', 'url', 'css', 'attribute'],
+  };
+}
+
+/**
+ * Encode string for HTML context
+ * @param {string} input - Input to encode
+ * @returns {string} Encoded string
+ */
+function encodeHtml(input) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  return String(input)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#x27;');
+}
+
+/**
+ * Encode string for JavaScript context
+ * @param {string} input - Input to encode
+ * @param {Object} options - Encoding options
+ * @returns {string} Encoded string
+ */
+function encodeJs(input, options = {}) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  let result = String(input)
+    .replace(/\\/g, '\\\\')
+    .replace(/'/g, "\\'")
+    .replace(/"/g, '\\"')
+    .replace(/\n/g, '\\n')
+    .replace(/\r/g, '\\r')
+    .replace(/\t/g, '\\t')
+    .replace(/<\/script>/gi, '<\\/script>');
+
+  if (options.unicodeEscape) {
+    result = result.replace(/[\u0080-\uffff]/g, (char) => {
+      return '\\u' + ('0000' + char.charCodeAt(0).toString(16)).slice(-4);
+    });
+  }
+
+  return result;
+}
+
+/**
+ * Encode string for URL context
+ * @param {string} input - Input to encode
+ * @returns {string} Encoded string
+ */
+function encodeUrl(input) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  return encodeURIComponent(String(input));
+}
+
+/**
+ * Encode string for CSS context
+ * @param {string} input - Input to encode
+ * @returns {string} Encoded string
+ */
+function encodeCss(input) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  let result = String(input)
+    .replace(/\\/g, '\\\\')
+    .replace(/</g, '\\3c ')
+    .replace(/>/g, '\\3e ')
+    .replace(/expression\s*\(/gi, '')
+    .replace(/url\s*\(\s*javascript:/gi, 'url(blocked:');
+
+  return result;
+}
+
+/**
+ * Encode string for HTML attribute context
+ * @param {string} input - Input to encode
+ * @param {Object} options - Encoding options
+ * @returns {string} Encoded string
+ */
+function encodeAttribute(input, options = {}) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  let result = String(input);
+
+  // Remove event handlers
+  result = result.replace(/on\w+\s*=/gi, '');
+
+  if (options.quoted === false) {
+    // Unquoted attributes need more escaping
+    result = result.replace(/[\s"'=<>`]/g, (char) => {
+      return '&#' + char.charCodeAt(0) + ';';
+    });
+  } else if (options.quoteChar === "'") {
+    result = result.replace(/'/g, '&#39;');
+  } else {
+    result = result.replace(/"/g, '&quot;');
+  }
+
+  return result;
+}
+
+/**
+ * Generate Content Security Policy header
+ * @param {Object} options - CSP options
+ * @returns {string} CSP header value
+ */
+function generateCspHeader(options = {}) {
+  const directives = [];
+
+  // Always include default-src
+  directives.push("default-src 'self'");
+
+  if (options.scriptSrc) {
+    directives.push(`script-src ${options.scriptSrc.join(' ')}`);
+  }
+
+  if (options.styleSrc) {
+    directives.push(`style-src ${options.styleSrc.join(' ')}`);
+  }
+
+  if (options.imgSrc) {
+    directives.push(`img-src ${options.imgSrc.join(' ')}`);
+  }
+
+  if (options.useNonce && options.nonce) {
+    // Replace or add script-src with nonce
+    const nonceValue = `'nonce-${options.nonce}'`;
+    const existingScriptIdx = directives.findIndex(d => d.startsWith('script-src'));
+    if (existingScriptIdx >= 0) {
+      directives[existingScriptIdx] += ` ${nonceValue}`;
+    } else {
+      directives.push(`script-src ${nonceValue}`);
+    }
+  }
+
+  if (options.reportUri) {
+    directives.push(`report-uri ${options.reportUri}`);
+  }
+
+  const headerValue = directives.join('; ');
+
+  // For reportOnly mode, include in the returned string
+  if (options.reportOnly) {
+    return headerValue + ' /* Report-Only */';
+  }
+
+  return headerValue;
+}
+
+/**
+ * Generate Subresource Integrity hash
+ * @param {string} content - Content to hash
+ * @param {Object} options - Hashing options
+ * @returns {string} SRI hash
+ */
+function generateSriHash(content, options = {}) {
+  const algorithm = options.algorithm || 'sha384';
+  const hash = crypto.createHash(algorithm).update(content).digest('base64');
+
+  return `${algorithm}-${hash}`;
+}
+
+/**
+ * Generate encoding code
+ * @param {Object} options - Generation options
+ * @returns {string} Generated code
+ */
+function generateEncodingCode(options = {}) {
+  const { context, language = 'javascript' } = options;
+
+  const generators = {
+    javascript: {
+      html: () => `
+function encodeHtml(input) {
+  if (input === null || input === undefined) return '';
+  return String(input)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#x27;');
+}`,
+      js: () => `
+function encodeJs(input) {
+  if (input === null || input === undefined) return '';
+  return String(input)
+    .replace(/\\\\/g, '\\\\\\\\')
+    .replace(/'/g, "\\\\'")
+    .replace(/"/g, '\\\\"')
+    .replace(/\\n/g, '\\\\n');
+}`,
+      url: () => `
+function encodeUrl(input) {
+  if (input === null || input === undefined) return '';
+  return encodeURIComponent(String(input));
+}`,
+      css: () => `
+function encodeCss(input) {
+  if (input === null || input === undefined) return '';
+  return String(input)
+    .replace(/\\\\/g, '\\\\\\\\')
+    .replace(/</g, '\\\\3c ')
+    .replace(/>/g, '\\\\3e ');
+}`,
+    },
+    typescript: {
+      html: () => `
+function encodeHtml(input: string | null | undefined): string {
+  if (input === null || input === undefined) return '';
+  return String(input)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#x27;');
+}`,
+      js: () => `
+function encodeJs(input: string | null | undefined): string {
+  if (input === null || input === undefined) return '';
+  return String(input)
+    .replace(/\\\\/g, '\\\\\\\\')
+    .replace(/'/g, "\\\\'")
+    .replace(/"/g, '\\\\"');
+}`,
+      url: () => `
+function encodeUrl(input: string | null | undefined): string {
+  if (input === null || input === undefined) return '';
+  return encodeURIComponent(String(input));
+}`,
+      css: () => `
+function encodeCss(input: string | null | undefined): string {
+  if (input === null || input === undefined) return '';
+  return String(input).replace(/</g, '\\\\3c ');
+}`,
+    },
+    python: {
+      html: () => `
+import html
+
+def encode_html(input_str):
+    if input_str is None:
+        return ''
+    return html.escape(str(input_str))`,
+      js: () => `
+def encode_js(input_str):
+    if input_str is None:
+        return ''
+    return str(input_str).replace('\\\\', '\\\\\\\\').replace("'", "\\\\'")`,
+      url: () => `
+from urllib.parse import quote
+
+def encode_url(input_str):
+    if input_str is None:
+        return ''
+    return quote(str(input_str))`,
+      css: () => `
+def encode_css(input_str):
+    if input_str is None:
+        return ''
+    return str(input_str).replace('<', '\\\\3c ')`,
+    },
+  };
+
+  const lang = generators[language] || generators.javascript;
+  const gen = lang[context] || lang.html;
+
+  return gen();
+}
+
+module.exports = {
+  createOutputEncoder,
+  encodeHtml,
+  encodeJs,
+  encodeUrl,
+  encodeCss,
+  encodeAttribute,
+  generateCspHeader,
+  generateSriHash,
+  generateEncodingCode,
+};