119 lines
4.6 KiB
TypeScript
119 lines
4.6 KiB
TypeScript
/**
|
|
* V3 Security Module
|
|
*
|
|
* Comprehensive security module addressing all identified vulnerabilities:
|
|
* - CVE-2: Weak Password Hashing (password-hasher.ts)
|
|
* - CVE-3: Hardcoded Default Credentials (credential-generator.ts)
|
|
* - HIGH-1: Command Injection (safe-executor.ts)
|
|
* - HIGH-2: Path Traversal (path-validator.ts)
|
|
*
|
|
* Also provides:
|
|
* - Input validation with Zod schemas
|
|
* - Secure token generation
|
|
*
|
|
* @module v3/security
|
|
*/
|
|
export { PasswordHasher, PasswordHashError, createPasswordHasher, type PasswordHasherConfig, type PasswordValidationResult, } from './password-hasher.js';
|
|
export { CredentialGenerator, CredentialGeneratorError, createCredentialGenerator, generateCredentials, type CredentialConfig, type GeneratedCredentials, type ApiKeyCredential, } from './credential-generator.js';
|
|
export { SafeExecutor, SafeExecutorError, createDevelopmentExecutor, createReadOnlyExecutor, type ExecutorConfig, type ExecutionResult, type StreamingExecutor, } from './safe-executor.js';
|
|
export { PathValidator, PathValidatorError, createProjectPathValidator, createFullProjectPathValidator, type PathValidatorConfig, type PathValidationResult, } from './path-validator.js';
|
|
export { InputValidator, sanitizeString, sanitizeHtml, sanitizePath, SafeStringSchema, IdentifierSchema, FilenameSchema, EmailSchema, PasswordSchema, UUIDSchema, HttpsUrlSchema, UrlSchema, SemverSchema, PortSchema, IPv4Schema, IPSchema, UserRoleSchema, PermissionSchema, LoginRequestSchema, CreateUserSchema, CreateApiKeySchema, AgentTypeSchema, SpawnAgentSchema, TaskInputSchema, CommandArgumentSchema, PathSchema, SecurityConfigSchema, ExecutorConfigSchema, PATTERNS, LIMITS, z, } from './input-validator.js';
|
|
export { TokenGenerator, TokenGeneratorError, createTokenGenerator, getDefaultGenerator, quickGenerate, type TokenConfig, type Token, type SignedToken, type VerificationCode, } from './token-generator.js';
|
|
import { PasswordHasher } from './password-hasher.js';
|
|
import { CredentialGenerator } from './credential-generator.js';
|
|
import { SafeExecutor } from './safe-executor.js';
|
|
import { PathValidator } from './path-validator.js';
|
|
import { TokenGenerator } from './token-generator.js';
|
|
/**
|
|
* Security module configuration
|
|
*/
|
|
export interface SecurityModuleConfig {
|
|
/**
|
|
* Project root directory for path validation
|
|
*/
|
|
projectRoot: string;
|
|
/**
|
|
* HMAC secret for token signing
|
|
*/
|
|
hmacSecret: string;
|
|
/**
|
|
* Bcrypt rounds for password hashing
|
|
* Default: 12
|
|
*/
|
|
bcryptRounds?: number;
|
|
/**
|
|
* Allowed commands for safe executor
|
|
* Default: ['git', 'npm', 'npx', 'node']
|
|
*/
|
|
allowedCommands?: string[];
|
|
}
|
|
/**
|
|
* Complete security module instance
|
|
*/
|
|
export interface SecurityModule {
|
|
passwordHasher: PasswordHasher;
|
|
credentialGenerator: CredentialGenerator;
|
|
safeExecutor: SafeExecutor;
|
|
pathValidator: PathValidator;
|
|
tokenGenerator: TokenGenerator;
|
|
}
|
|
/**
|
|
* Creates a complete security module with all components configured.
|
|
*
|
|
* @param config - Module configuration
|
|
* @returns Complete security module
|
|
*
|
|
* @example
|
|
* ```typescript
|
|
* const security = createSecurityModule({
|
|
* projectRoot: '/workspaces/project',
|
|
* hmacSecret: process.env.HMAC_SECRET!,
|
|
* });
|
|
*
|
|
* // Hash password
|
|
* const hash = await security.passwordHasher.hash('password');
|
|
*
|
|
* // Validate path
|
|
* const result = await security.pathValidator.validate('/workspaces/project/src/file.ts');
|
|
*
|
|
* // Execute command safely
|
|
* const output = await security.safeExecutor.execute('git', ['status']);
|
|
* ```
|
|
*/
|
|
export declare function createSecurityModule(config: SecurityModuleConfig): SecurityModule;
|
|
/**
|
|
* Minimum recommended bcrypt rounds for production
|
|
*/
|
|
export declare const MIN_BCRYPT_ROUNDS = 12;
|
|
/**
|
|
* Maximum recommended bcrypt rounds (performance consideration)
|
|
*/
|
|
export declare const MAX_BCRYPT_ROUNDS = 14;
|
|
/**
|
|
* Minimum password length
|
|
*/
|
|
export declare const MIN_PASSWORD_LENGTH = 8;
|
|
/**
|
|
* Maximum password length (bcrypt limitation)
|
|
*/
|
|
export declare const MAX_PASSWORD_LENGTH = 72;
|
|
/**
|
|
* Default token expiration in seconds (1 hour)
|
|
*/
|
|
export declare const DEFAULT_TOKEN_EXPIRATION = 3600;
|
|
/**
|
|
* Default session expiration in seconds (24 hours)
|
|
*/
|
|
export declare const DEFAULT_SESSION_EXPIRATION = 86400;
|
|
/**
|
|
* Checks security configuration for common issues.
|
|
*
|
|
* @param config - Configuration to audit
|
|
* @returns Array of security warnings
|
|
*/
|
|
export declare function auditSecurityConfig(config: Partial<SecurityModuleConfig>): string[];
|
|
/**
|
|
* Security module version
|
|
*/
|
|
export declare const SECURITY_MODULE_VERSION = "3.0.0-alpha.1";
|
|
//# sourceMappingURL=index.d.ts.map
|