0e6be3eaf1
CRITICAL FIX: Server would CRASH ON STARTUP (multiple import errors)
REMOVED (2 scripts):
1. scripts/framework-watchdog.js
- Monitored .claude/session-state.json (OUR Claude Code setup)
- Monitored .claude/token-checkpoints.json (OUR file structure)
- Implementers won't have our .claude/ directory
2. scripts/init-db.js
- Created website collections: blog_posts, media_inquiries, case_submissions
- Created website collections: resources, moderation_queue, users, citations
- Created website collections: translations, koha_donations
- Next steps referenced deleted scripts (npm run seed:admin)
REWRITTEN (2 files):
src/models/index.js (29 lines → 27 lines)
- REMOVED imports: Document, BlogPost, MediaInquiry, CaseSubmission, Resource
- REMOVED imports: ModerationQueue, User (all deleted in Phase 2)
- KEPT imports: AuditLog, DeliberationSession, GovernanceLog, GovernanceRule
- KEPT imports: Precedent, Project, SessionState, VariableValue, VerificationLog
- Result: Only framework models exported
src/server.js (284 lines → 163 lines, 43% reduction)
- REMOVED: Imports to deleted middleware (csrf-protection, response-sanitization)
- REMOVED: Stripe webhook handling (/api/koha/webhook)
- REMOVED: Static file caching (for deleted public/ directory)
- REMOVED: Static file serving (public/ deleted in Phase 6)
- REMOVED: CSRF token endpoint
- REMOVED: Website homepage with "auth, documents, blog, admin" references
- REMOVED: Instruction sync (scripts/sync-instructions-to-db.js reference)
- REMOVED: Hardcoded log path (${process.env.HOME}/var/log/tractatus/...)
- REMOVED: Website-specific security middleware
- KEPT: Security headers, rate limiting, CORS, body parsers
- KEPT: API routes, governance services, MongoDB connections
- RESULT: Clean framework-only server
RESULT: Repository can now start without crashes, all imports resolve
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
154 lines
5.3 KiB
JavaScript
Executable file
154 lines
5.3 KiB
JavaScript
Executable file
#!/usr/bin/env node
|
|
|
|
/**
|
|
* Document Security Validation Script
|
|
* Validates that documents being deployed are appropriate for their visibility level
|
|
*
|
|
* This script is called before document import/deployment to prevent
|
|
* accidental exposure of sensitive internal documentation.
|
|
*/
|
|
|
|
const SECURITY_KEYWORDS = {
|
|
credentials: ['password', 'api_key', 'secret', 'token', 'mongodb_uri', 'stripe_secret', 'auth'],
|
|
financial: ['stripe', 'payment', 'pricing', 'revenue', 'cost', 'billing'],
|
|
vulnerability: ['security audit', 'vulnerability', 'exploit', 'cve-', 'penetration test'],
|
|
infrastructure: ['deployment', 'server', 'ssh', 'production environment', 'database credentials']
|
|
};
|
|
|
|
/**
|
|
* Classify document security level based on content and metadata
|
|
*/
|
|
function classifyDocumentSecurity(docConfig, contentMarkdown) {
|
|
const classification = {
|
|
contains_credentials: false,
|
|
contains_financial_info: false,
|
|
contains_vulnerability_info: false,
|
|
contains_infrastructure_details: false,
|
|
recommended_visibility: 'public'
|
|
};
|
|
|
|
const lowerContent = contentMarkdown.toLowerCase();
|
|
const lowerTitle = docConfig.title.toLowerCase();
|
|
|
|
// Check for credentials
|
|
if (SECURITY_KEYWORDS.credentials.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
|
|
classification.contains_credentials = true;
|
|
}
|
|
|
|
// Check for financial information
|
|
if (SECURITY_KEYWORDS.financial.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
|
|
classification.contains_financial_info = true;
|
|
}
|
|
|
|
// Check for vulnerability information
|
|
if (SECURITY_KEYWORDS.vulnerability.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
|
|
classification.contains_vulnerability_info = true;
|
|
}
|
|
|
|
// Check for infrastructure details
|
|
if (SECURITY_KEYWORDS.infrastructure.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
|
|
classification.contains_infrastructure_details = true;
|
|
}
|
|
|
|
// Determine recommended visibility
|
|
if (classification.contains_credentials || classification.contains_vulnerability_info) {
|
|
classification.recommended_visibility = 'confidential';
|
|
} else if (classification.contains_financial_info || classification.contains_infrastructure_details) {
|
|
classification.recommended_visibility = 'internal';
|
|
}
|
|
|
|
return classification;
|
|
}
|
|
|
|
/**
|
|
* Validate document configuration before deployment
|
|
*/
|
|
function validateDocumentSecurity(docConfig, contentMarkdown) {
|
|
const classification = classifyDocumentSecurity(docConfig, contentMarkdown);
|
|
const visibility = docConfig.visibility || 'public';
|
|
|
|
const issues = [];
|
|
const warnings = [];
|
|
|
|
// CRITICAL: Credentials or vulnerabilities marked as public
|
|
if (visibility === 'public') {
|
|
if (classification.contains_credentials) {
|
|
issues.push('❌ BLOCKED: Document contains credentials but is marked public');
|
|
}
|
|
if (classification.contains_vulnerability_info) {
|
|
issues.push('❌ BLOCKED: Document contains vulnerability information but is marked public');
|
|
}
|
|
if (classification.contains_financial_info) {
|
|
warnings.push('⚠️ WARNING: Document contains financial information but is marked public');
|
|
}
|
|
if (classification.contains_infrastructure_details) {
|
|
warnings.push('⚠️ WARNING: Document contains infrastructure details but is marked public');
|
|
}
|
|
}
|
|
|
|
// Recommendations
|
|
if (classification.recommended_visibility !== visibility) {
|
|
warnings.push(`⚠️ RECOMMEND: Change visibility from '${visibility}' to '${classification.recommended_visibility}'`);
|
|
}
|
|
|
|
return {
|
|
valid: issues.length === 0,
|
|
issues,
|
|
warnings,
|
|
classification,
|
|
recommended_visibility: classification.recommended_visibility
|
|
};
|
|
}
|
|
|
|
module.exports = {
|
|
classifyDocumentSecurity,
|
|
validateDocumentSecurity,
|
|
SECURITY_KEYWORDS
|
|
};
|
|
|
|
// CLI usage
|
|
if (require.main === module) {
|
|
const args = process.argv.slice(2);
|
|
if (args.length < 2) {
|
|
console.log('Usage: node validate-document-security.js <title> <markdown-file>');
|
|
process.exit(1);
|
|
}
|
|
|
|
const fs = require('fs');
|
|
const title = args[0];
|
|
const filePath = args[1];
|
|
|
|
if (!fs.existsSync(filePath)) {
|
|
console.error(`File not found: ${filePath}`);
|
|
process.exit(1);
|
|
}
|
|
|
|
const content = fs.readFileSync(filePath, 'utf-8');
|
|
const result = validateDocumentSecurity({ title, visibility: 'public' }, content);
|
|
|
|
console.log(`\n🔒 Security Validation: ${title}`);
|
|
console.log('─'.repeat(60));
|
|
|
|
if (result.issues.length > 0) {
|
|
console.log('\nISSUES:');
|
|
result.issues.forEach(issue => console.log(` ${issue}`));
|
|
}
|
|
|
|
if (result.warnings.length > 0) {
|
|
console.log('\nWARNINGS:');
|
|
result.warnings.forEach(warning => console.log(` ${warning}`));
|
|
}
|
|
|
|
console.log('\nCLASSIFICATION:');
|
|
console.log(` Credentials: ${result.classification.contains_credentials}`);
|
|
console.log(` Financial Info: ${result.classification.contains_financial_info}`);
|
|
console.log(` Vulnerabilities: ${result.classification.contains_vulnerability_info}`);
|
|
console.log(` Infrastructure: ${result.classification.contains_infrastructure_details}`);
|
|
console.log(` Recommended: ${result.classification.recommended_visibility}`);
|
|
|
|
console.log('\n' + '─'.repeat(60));
|
|
console.log(result.valid ? '✅ VALIDATION PASSED' : '❌ VALIDATION FAILED');
|
|
console.log();
|
|
|
|
process.exit(result.valid ? 0 : 1);
|
|
}
|