tribunal-kit 4.2.0 → 4.3.0

package/.agent/scripts/schema_validator.js

@@ -0,0 +1,297 @@
+#!/usr/bin/env node
+/**
+ * schema_validator.js — Database schema validator for the Tribunal Agent Kit.
+ *
+ * Usage:
+ *   node .agent/scripts/schema_validator.js .
+ *   node .agent/scripts/schema_validator.js . --type prisma
+ *   node .agent/scripts/schema_validator.js . --file prisma/schema.prisma
+ */
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const { RED, GREEN, YELLOW, BLUE, BOLD, RESET } = require('./colors.js');
+
+function header(title) {
+    console.log(`\n${BOLD}${BLUE}━━━ ${title} ━━━${RESET}`);
+}
+
+function ok(msg) {
+    console.log(`  ${GREEN}✅ ${msg}${RESET}`);
+}
+
+function fail(msg) {
+    console.log(`  ${RED}❌ ${msg}${RESET}`);
+}
+
+function warn(msg) {
+    console.log(`  ${YELLOW}⚠️  ${msg}${RESET}`);
+}
+
+function skip(msg) {
+    console.log(`  ${YELLOW}⏭️  ${msg}${RESET}`);
+}
+
+function detectOrm(projectRoot) {
+    if (fs.existsSync(path.join(projectRoot, "prisma", "schema.prisma"))) {
+        return "prisma";
+    }
+
+    function searchFor(dir, patterns) {
+        let items;
+        try {
+            items = fs.readdirSync(dir, { withFileTypes: true });
+        } catch {
+            return false;
+        }
+
+        for (const item of items) {
+            if (item.isDirectory() && !["node_modules", ".git"].includes(item.name)) {
+                if (searchFor(path.join(dir, item.name), patterns)) return true;
+                if (item.name === "migrations") {
+                    try {
+                        const mFiles = fs.readdirSync(path.join(dir, item.name));
+                        if (mFiles.some(f => f.endsWith(".sql"))) return "sql";
+                    } catch {}
+                }
+            } else {
+                for (const p of patterns) {
+                    if (p.test(item.name)) return p.type;
+                }
+            }
+        }
+        return null;
+    }
+
+    const type = searchFor(projectRoot, [{ test: name => name.startsWith("drizzle.config."), type: "drizzle" }]);
+    if (type) return type;
+
+    if (fs.existsSync(path.join(projectRoot, "knexfile.js")) || fs.existsSync(path.join(projectRoot, "knexfile.ts"))) {
+        return "knex";
+    }
+
+    return null;
+}
+
+function validatePrisma(filepath) {
+    const issues = [];
+    let lines;
+    try {
+        lines = fs.readFileSync(filepath, 'utf8').split('\n');
+    } catch {
+        return [["error", `Cannot read file: ${filepath}`, 0]];
+    }
+
+    let currentModel = "";
+    let hasCreatedAt = false;
+    let hasUpdatedAt = false;
+    let modelStartLine = 0;
+    let fieldsWithRelation = [];
+    let indexedFields = new Set();
+    let hasIdField = false;
+
+    for (let i = 0; i < lines.length; i++) {
+        const lineNum = i + 1;
+        const line = lines[i];
+        const stripped = line.trim();
+
+        const modelMatch = stripped.match(/^model\s+(\w+)\s*\{/);
+        if (modelMatch) {
+            if (currentModel) {
+                if (!hasCreatedAt) issues.push(["warn", `Model '${currentModel}' missing createdAt timestamp`, modelStartLine]);
+                if (!hasUpdatedAt) issues.push(["warn", `Model '${currentModel}' missing updatedAt timestamp`, modelStartLine]);
+                if (!hasIdField) issues.push(["warn", `Model '${currentModel}' has no @id field`, modelStartLine]);
+                for (const [fieldName, fieldLine] of fieldsWithRelation) {
+                    if (!indexedFields.has(fieldName)) {
+                        issues.push(["warn", `Model '${currentModel}': foreign key '${fieldName}' has no @@index`, fieldLine]);
+                    }
+                }
+            }
+
+            currentModel = modelMatch[1];
+            modelStartLine = lineNum;
+            hasCreatedAt = false;
+            hasUpdatedAt = false;
+            hasIdField = false;
+            fieldsWithRelation = [];
+            indexedFields.clear();
+
+            if (currentModel[0] !== currentModel[0].toUpperCase()) {
+                issues.push(["warn", `Model '${currentModel}' should use PascalCase`, lineNum]);
+            }
+        }
+
+        if (currentModel) {
+            if (stripped.includes("createdAt") || stripped.includes("created_at")) hasCreatedAt = true;
+            if (stripped.includes("updatedAt") || stripped.includes("updated_at")) hasUpdatedAt = true;
+            if (stripped.includes("@id")) hasIdField = true;
+
+            const fkMatch = stripped.match(/^\s*(\w+Id)\s+(Int|String|BigInt)/);
+            if (fkMatch && !stripped.includes("@relation")) {
+                fieldsWithRelation.push([fkMatch[1], lineNum]);
+            }
+
+            const indexMatch = stripped.match(/@@index\(\[([^\]]+)\]/);
+            if (indexMatch) {
+                for (const field of indexMatch[1].split(",")) {
+                    indexedFields.add(field.trim());
+                }
+            }
+        }
+    }
+
+    if (currentModel) {
+        if (!hasCreatedAt) issues.push(["warn", `Model '${currentModel}' missing createdAt timestamp`, modelStartLine]);
+        if (!hasUpdatedAt) issues.push(["warn", `Model '${currentModel}' missing updatedAt timestamp`, modelStartLine]);
+        if (!hasIdField) issues.push(["warn", `Model '${currentModel}' has no @id field`, modelStartLine]);
+        for (const [fieldName, fieldLine] of fieldsWithRelation) {
+            if (!indexedFields.has(fieldName)) {
+                issues.push(["warn", `Model '${currentModel}': foreign key '${fieldName}' may need @@index`, fieldLine]);
+            }
+        }
+    }
+
+    return issues;
+}
+
+function validateSqlMigration(filepath) {
+    const issues = [];
+    let lines;
+    try {
+        lines = fs.readFileSync(filepath, 'utf8').split('\n');
+    } catch {
+        return [["error", `Cannot read file: ${filepath}`, 0]];
+    }
+
+    for (let i = 0; i < lines.length; i++) {
+        const lineNum = i + 1;
+        const stripped = lines[i].trim().toUpperCase();
+
+        if (stripped.includes("DROP TABLE") && !stripped.includes("IF EXISTS")) {
+            issues.push(["warn", "DROP TABLE without IF EXISTS — may fail on clean databases", lineNum]);
+        }
+        if (stripped.includes("REFERENCES") && !stripped.includes("NOT NULL") && !stripped.includes("NULL")) {
+            issues.push(["warn", "Foreign key without explicit NULL/NOT NULL constraint", lineNum]);
+        }
+        if (stripped.includes("CREATE TABLE")) {
+            issues.push(["info", "Verify this table includes created_at / updated_at columns", lineNum]);
+        }
+    }
+
+    return issues;
+}
+
+function main() {
+    const args = process.argv.slice(2);
+    let targetPath = null;
+    let typeArg = "auto";
+    let fileArg = null;
+
+    let i = 0;
+    while (i < args.length) {
+        if (args[i] === '--type' && i + 1 < args.length) typeArg = args[++i];
+        else if (args[i] === '--file' && i + 1 < args.length) fileArg = args[++i];
+        else if (!targetPath && !args[i].startsWith('-')) targetPath = args[i];
+        i++;
+    }
+
+    if (!targetPath) {
+        console.log("Usage: node schema_validator.js <path> [--type <prisma|drizzle|sql>] [--file <filepath>]");
+        process.exit(1);
+    }
+
+    const projectRoot = path.resolve(targetPath);
+    if (!fs.existsSync(projectRoot) || !fs.statSync(projectRoot).isDirectory()) {
+        fail(`Directory not found: ${projectRoot}`);
+        process.exit(1);
+    }
+
+    console.log(`${BOLD}Tribunal — schema_validator.js${RESET}`);
+    console.log(`Project: ${projectRoot}`);
+
+    const ormType = typeArg !== "auto" ? typeArg : detectOrm(projectRoot);
+    if (!ormType && !fileArg) {
+        skip("No schema files detected — skipping validation");
+        process.exit(0);
+    }
+
+    let issuesCount = 0;
+
+    if (fileArg) {
+        header(`Validating: ${fileArg}`);
+        const filepath = path.isAbsolute(fileArg) ? fileArg : path.join(projectRoot, fileArg);
+        let issues = [];
+        if (filepath.endsWith(".prisma")) issues = validatePrisma(filepath);
+        else if (filepath.endsWith(".sql")) issues = validateSqlMigration(filepath);
+        else {
+            skip(`Unknown schema file type: ${fileArg}`);
+            process.exit(0);
+        }
+
+        for (const [severity, message, line] of issues) {
+            if (severity === "error") { fail(`L${line}: ${message}`); issuesCount++; }
+            else if (severity === "warn") { warn(`L${line}: ${message}`); issuesCount++; }
+            else console.log(`  ${BLUE}ℹ️  L${line}: ${message}${RESET}`);
+        }
+    } else if (ormType === "prisma") {
+        const schemaPath = path.join(projectRoot, "prisma", "schema.prisma");
+        if (fs.existsSync(schemaPath)) {
+            header("Prisma Schema Validation");
+            const issues = validatePrisma(schemaPath);
+            for (const [severity, message, line] of issues) {
+                if (severity === "error") { fail(`L${line}: ${message}`); issuesCount++; }
+                else if (severity === "warn") { warn(`L${line}: ${message}`); issuesCount++; }
+                else console.log(`  ${BLUE}ℹ️  L${line}: ${message}${RESET}`);
+            }
+        } else {
+            skip(`Prisma schema not found at ${schemaPath}`);
+        }
+    } else if (ormType === "sql") {
+        header("SQL Migration Validation");
+        // Very basic recursion for migrations dir
+        function findMigrations(dir) {
+            let res = [];
+            try {
+                const items = fs.readdirSync(dir, { withFileTypes: true });
+                for (const item of items) {
+                    if (item.isDirectory() && !["node_modules", ".git"].includes(item.name)) {
+                        if (item.name === "migrations") {
+                            const sqls = fs.readdirSync(path.join(dir, item.name)).filter(f => f.endsWith(".sql")).map(f => path.join(dir, item.name, f));
+                            res.push(...sqls);
+                        } else {
+                            res.push(...findMigrations(path.join(dir, item.name)));
+                        }
+                    }
+                }
+            } catch {}
+            return res;
+        }
+
+        const mFiles = findMigrations(projectRoot).sort();
+        for (const sqlFile of mFiles) {
+            console.log(`\n  📄 ${path.basename(sqlFile)}`);
+            const issues = validateSqlMigration(sqlFile);
+            for (const [severity, message, line] of issues) {
+                if (severity === "error") { fail(`  L${line}: ${message}`); issuesCount++; }
+                else if (severity === "warn") { warn(`  L${line}: ${message}`); issuesCount++; }
+                else console.log(`    ${BLUE}ℹ️  L${line}: ${message}${RESET}`);
+            }
+        }
+    } else if (ormType === "drizzle") {
+        header("Drizzle Schema");
+        skip("Drizzle validation not yet implemented — validate manually");
+    }
+
+    console.log(`\n${BOLD}━━━ Schema Validation Summary ━━━${RESET}`);
+    if (issuesCount === 0) ok("No schema issues found");
+    else warn(`${issuesCount} issue(s) found — review above`);
+
+    process.exit(0);
+}
+
+if (require.main === module) {
+    main();
+}

package/.agent/scripts/security_scan.js

@@ -0,0 +1,303 @@
+#!/usr/bin/env node
+/**
+ * security_scan.js — Deep security scanner for the Tribunal Agent Kit.
+ *
+ * Checks for OWASP Top 10 patterns in source code:
+ *   - Hardcoded secrets and credentials
+ *   - SQL injection patterns (string concatenation in queries)
+ *   - XSS-prone code (innerHTML, dangerouslySetInnerHTML)
+ *   - Insecure eval() usage
+ *   - Missing auth patterns
+ *   - Insecure crypto usage
+ *
+ * ⚠️  DISCLAIMER: This is a heuristic regex-based pattern scanner, NOT a
+ * full static analysis tool. It may produce false positives (e.g., test
+ * fixtures containing 'password') and cannot detect indirect vulnerabilities
+ * (e.g., SQL injection via variable indirection). For production security
+ * auditing, supplement with dedicated tools like Semgrep, CodeQL, or Snyk.
+ *
+ * Usage:
+ *   node .agent/scripts/security_scan.js .
+ *   node .agent/scripts/security_scan.js . --severity high
+ *   node .agent/scripts/security_scan.js . --files src/auth.ts src/db.ts
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+// ━━━ ANSI colors ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+const RED     = '\x1b[91m';
+const GREEN   = '\x1b[92m';
+const YELLOW  = '\x1b[93m';
+const BLUE    = '\x1b[94m';
+const MAGENTA = '\x1b[95m';
+const BOLD    = '\x1b[1m';
+const RESET   = '\x1b[0m';
+
+const SOURCE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.py', '.go', '.java', '.rb']);
+const SKIP_DIRS = new Set([
+    'node_modules', '.git', 'dist', 'build', '__pycache__', '.agent',
+    '.next', 'vendor', 'coverage', 'lcov-report', '.nyc_output',
+    'test-results', '.jest-cache',
+]);
+
+const SEVERITY_COLORS = {
+    critical: RED + BOLD,
+    high:     RED,
+    medium:   YELLOW,
+    low:      BLUE,
+};
+
+const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
+
+// Pattern definitions: [regex, severity, category, message]
+const PATTERNS = [
+    // Secrets
+    [/(?:password|passwd|pwd)\s*=\s*["'][^"']+["']/i, 'critical', 'Hardcoded Secret', 'Hardcoded password detected'],
+    [/(?:api_key|apikey|api_secret)\s*=\s*["'][^"']+["']/i, 'critical', 'Hardcoded Secret', 'Hardcoded API key detected'],
+    [/(?:secret|token|auth_token)\s*=\s*["'][A-Za-z0-9+/=]{16,}["']/i, 'critical', 'Hardcoded Secret', 'Hardcoded secret/token detected'],
+    [/(?:PRIVATE_KEY|private_key)\s*=\s*["']/i, 'critical', 'Hardcoded Secret', 'Hardcoded private key detected'],
+
+    // SQL Injection
+    [/(?:query|execute|raw)\s*\(\s*[`"'].*\$\{/i, 'high', 'SQL Injection', 'String interpolation in SQL query — use parameterized queries'],
+    [/(?:query|execute|raw)\s*\(\s*["'].*\+\s*(?:req|input|params|body)/i, 'high', 'SQL Injection', 'String concatenation with user input in SQL'],
+    [/\.raw\s*\(\s*`/, 'medium', 'SQL Injection', 'Raw query with template literal — verify inputs are sanitized'],
+
+    // XSS
+    [/\.innerHTML\s*=/, 'high', 'XSS', 'Direct innerHTML assignment — use textContent or a sanitizer'],
+    [/dangerouslySetInnerHTML/, 'medium', 'XSS', 'dangerouslySetInnerHTML used — ensure input is sanitized'],
+    [/document\.write\s*\(/, 'high', 'XSS', 'document.write() is an XSS vector'],
+
+    // Insecure Functions
+    [/\beval\s*\(/, 'high', 'Code Injection', 'eval() is a code injection vector — avoid entirely'],
+    [/new\s+Function\s*\(/, 'high', 'Code Injection', 'new Function() is equivalent to eval()'],
+    [/child_process\.exec\s*\(/, 'medium', 'Command Injection', 'exec() with unsanitized input is a command injection vector'],
+    [/subprocess\.call\s*\(\s*[^,\]]*\bshell\s*=\s*True/, 'high', 'Command Injection', 'subprocess with shell=True — use shell=False and pass args as list'],
+
+    // Crypto
+    [/createHash\s*\(\s*["']md5["']/, 'medium', 'Weak Crypto', 'MD5 is cryptographically broken — use SHA-256+'],
+    [/createHash\s*\(\s*["']sha1["']/, 'medium', 'Weak Crypto', 'SHA-1 is deprecated — use SHA-256+'],
+    [/Math\.random\s*\(/, 'low', 'Weak Randomness', 'Math.random() is not cryptographically secure — use crypto.randomBytes()'],
+
+    // Auth Issues
+    [/algorithms\s*:\s*\[\s*["']none["']/, 'critical', 'Auth Bypass', "JWT 'none' algorithm allows auth bypass"],
+    [/verify\s*:\s*false/, 'high', 'Auth Bypass', 'SSL/TLS verification disabled'],
+    [/rejectUnauthorized\s*:\s*false/, 'high', 'Auth Bypass', 'TLS certificate validation disabled'],
+
+    // Information Disclosure
+    [/console\.log\s*\(.*(?:password|secret|token|key)/i, 'medium', 'Info Disclosure', 'Sensitive data logged to console'],
+    [/\.env(?:\.local|\.production)/, 'low', 'Info Disclosure', 'Env file reference — ensure not committed to git'],
+];
+
+
+/**
+ * Scan a single file for security patterns.
+ * @param {string} filepath - Absolute path to the file.
+ * @param {string} projectRoot - Project root for relative path computation.
+ * @returns {Array<{severity:string, category:string, file:string, line:number, message:string, snippet:string}>}
+ */
+function scanFile(filepath, projectRoot) {
+    const findings = [];
+    const relPath = path.relative(projectRoot, filepath);
+
+    let content;
+    try {
+        content = fs.readFileSync(filepath, 'utf8');
+    } catch {
+        return findings;
+    }
+
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const stripped = lines[i].trim();
+        // Skip comments
+        if (stripped.startsWith('//') || stripped.startsWith('#') || stripped.startsWith('*')) {
+            continue;
+        }
+
+        for (const [pattern, severity, category, message] of PATTERNS) {
+            if (pattern.test(stripped)) {
+                findings.push({
+                    severity,
+                    category,
+                    file: relPath,
+                    line: i + 1,
+                    message,
+                    snippet: stripped.slice(0, 120),
+                });
+            }
+        }
+    }
+
+    return findings;
+}
+
+
+/**
+ * Recursively walk a directory yield file paths.
+ * @param {string} dir - Directory to walk.
+ * @param {Set<string>} skipDirs - Directory names to skip.
+ * @returns {string[]} Array of file paths.
+ */
+function walkDir(dir, skipDirs) {
+    const results = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+        return results;
+    }
+
+    for (const entry of entries) {
+        if (entry.isDirectory()) {
+            if (!skipDirs.has(entry.name)) {
+                results.push(...walkDir(path.join(dir, entry.name), skipDirs));
+            }
+        } else if (entry.isFile()) {
+            results.push(path.join(dir, entry.name));
+        }
+    }
+    return results;
+}
+
+
+/**
+ * Scan all source files in a directory.
+ * @param {string} projectRoot - Root directory to scan.
+ * @param {string[]|null} targetFiles - Specific files to scan, or null for full scan.
+ * @returns {Array} Array of finding objects.
+ */
+function scanDirectory(projectRoot, targetFiles) {
+    const allFindings = [];
+
+    if (targetFiles && targetFiles.length > 0) {
+        for (const fpath of targetFiles) {
+            const absPath = path.isAbsolute(fpath) ? fpath : path.join(projectRoot, fpath);
+            if (fs.existsSync(absPath) && fs.statSync(absPath).isFile()) {
+                allFindings.push(...scanFile(absPath, projectRoot));
+            }
+        }
+        return allFindings;
+    }
+
+    const files = walkDir(projectRoot, SKIP_DIRS);
+    for (const filepath of files) {
+        const ext = path.extname(filepath);
+        if (!SOURCE_EXTENSIONS.has(ext)) continue;
+        allFindings.push(...scanFile(filepath, projectRoot));
+    }
+
+    return allFindings;
+}
+
+
+/**
+ * Print findings filtered by minimum severity. Returns count of displayed findings.
+ */
+function printFindings(findings, minSeverity) {
+    const minRank = SEVERITY_RANK[minSeverity] ?? 3;
+    const filtered = findings
+        .filter(f => (SEVERITY_RANK[f.severity] ?? 3) <= minRank)
+        .sort((a, b) => (SEVERITY_RANK[a.severity] ?? 3) - (SEVERITY_RANK[b.severity] ?? 3));
+
+    if (filtered.length === 0) {
+        console.log(`\n  ${GREEN}✅ No security issues found at severity '${minSeverity}' or above${RESET}`);
+        return 0;
+    }
+
+    let currentCategory = '';
+    for (const finding of filtered) {
+        if (finding.category !== currentCategory) {
+            currentCategory = finding.category;
+            console.log(`\n  ${BOLD}${currentCategory}${RESET}`);
+        }
+        const color = SEVERITY_COLORS[finding.severity] || '';
+        console.log(`    ${color}[${finding.severity.toUpperCase()}]${RESET} ${finding.file}:${finding.line}`);
+        console.log(`      ${finding.message}`);
+        console.log(`      ${MAGENTA}→ ${finding.snippet}${RESET}`);
+    }
+
+    return filtered.length;
+}
+
+
+/**
+ * Parse CLI arguments manually (no external dependencies).
+ */
+function parseArgs(argv) {
+    const args = { path: null, severity: 'low', files: null };
+    const raw = argv.slice(2);
+
+    for (let i = 0; i < raw.length; i++) {
+        if (raw[i] === '--severity' && raw[i + 1]) {
+            args.severity = raw[++i];
+        } else if (raw[i] === '--files') {
+            args.files = [];
+            while (i + 1 < raw.length && !raw[i + 1].startsWith('--')) {
+                args.files.push(raw[++i]);
+            }
+        } else if (!raw[i].startsWith('--') && !args.path) {
+            args.path = raw[i];
+        }
+    }
+    return args;
+}
+
+
+function main() {
+    const args = parseArgs(process.argv);
+
+    if (!args.path) {
+        console.error(`Usage: node security_scan.js <path> [--severity critical|high|medium|low] [--files ...]`);
+        process.exit(1);
+    }
+
+    const projectRoot = path.resolve(args.path);
+    if (!fs.existsSync(projectRoot) || !fs.statSync(projectRoot).isDirectory()) {
+        console.error(`  ${RED}❌ Directory not found: ${projectRoot}${RESET}`);
+        process.exit(1);
+    }
+
+    console.log(`${BOLD}Tribunal — security_scan.js${RESET}`);
+    console.log(`Project: ${projectRoot}`);
+    console.log(`Severity filter: ${args.severity}+`);
+
+    const findings = scanDirectory(projectRoot, args.files);
+    const count = printFindings(findings, args.severity);
+
+    // Summary
+    console.log(`\n${BOLD}━━━ Security Scan Summary ━━━${RESET}`);
+    const bySeverity = {};
+    for (const f of findings) {
+        bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
+    }
+
+    for (const sev of ['critical', 'high', 'medium', 'low']) {
+        const c = bySeverity[sev] || 0;
+        if (c > 0) {
+            const color = SEVERITY_COLORS[sev] || '';
+            console.log(`  ${color}${sev.toUpperCase()}: ${c}${RESET}`);
+        }
+    }
+
+    if (count === 0) {
+        console.log(`  ${GREEN}✅ No issues found — scan passed${RESET}`);
+    } else {
+        const criticalHigh = (bySeverity.critical || 0) + (bySeverity.high || 0);
+        if (criticalHigh > 0) {
+            console.log(`\n  ${RED}${BOLD}⚠️  ${criticalHigh} critical/high issue(s) require immediate attention${RESET}`);
+        }
+    }
+
+    process.exit((bySeverity.critical || 0) > 0 ? 1 : 0);
+}
+
+
+// ━━━ Exports for testing & programmatic use ━━━
+module.exports = { scanFile, scanDirectory, printFindings, PATTERNS, SEVERITY_RANK };
+
+if (require.main === module) {
+    main();
+}