john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tractatus/scripts/check-api-security.js
TheFlow 8830ca7eb3 feat(governance): wave 4 enforcement - 41% improvement (56% → 79%) 
Implements 9 additional enforcement mechanisms across all priority levels:

🔒 HIGH PRIORITY - Architectural Enforcement:
 API Security Validator (inst_013/045) - scripts/check-api-security.js
   - Scans API endpoints for rate limiting
   - Validates authentication requirements
   - Detects sensitive runtime data exposure

 GitHub Repo Structure (inst_063_CONSOLIDATED) - scripts/check-github-repo-structure.js
   - Validates repository structure requirements
   - Ensures tractatus-framework remains implementation-focused

⚙️ MEDIUM PRIORITY - Process/Workflow:
 Human Approval Tracker (inst_005) - scripts/track-human-approvals.js
   - Logs approval requirements for major decisions
   - Tracks pending approvals

 Context Pressure Comprehensive (inst_019) - scripts/verify-context-pressure-comprehensive.js
   - Verifies all pressure factors included
   - Validates comprehensive context accounting

📋 LOW PRIORITY - Behavioral/Values:
 Behavioral Compliance Reminders (inst_047/049) - .claude/hooks/behavioral-compliance-reminder.js
   - Reminds never to dismiss user requests
   - Prompts to test user hypotheses first
   - Integrated into UserPromptSubmit hooks

 Dark Patterns Detector (inst_079) - scripts/check-dark-patterns.js
   - Scans UI code for manipulative patterns
   - Detects confirm shaming, hidden checkboxes, timed popups

📊 Enforcement Progress:
- Wave 1: 11/39 (28%)
- Wave 2: 18/39 (46%)
- Wave 3: 22/39 (56%)
- Wave 4: 31/39 (79%)
- Total improvement: +20 instructions = +178% from baseline
- Remaining gaps: 8/39 (21%)

🎯 Remaining 8 Gaps (requires runtime/process enforcement):
- inst_039: Document processing verification
- inst_043: Web form input validation (runtime)
- inst_052: Scope adjustment authority tracking
- inst_058: JSON/DB schema sync validation
- inst_061: Hook approval pattern tracking
- inst_072: Defense-in-depth credential layers
- inst_080: Open source commitment (policy)
- inst_081: Pluralism principle (foundational value)

🔄 Enhanced Hooks:
- UserPromptSubmit now runs 3 hooks (triggers, all-commands, behavioral)
- Added behavioral compliance reminders for session guidance

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-25 13:48:43 +13:00

114 lines
3.5 KiB
JavaScript
Executable file
Raw Blame History

#!/usr/bin/env node
/**
* API Security Validator - Enforces inst_013, inst_045
* Scans API endpoints for security requirements
*/
const fs = require('fs');
const path = require('path');
function checkAPIEndpoint(filePath) {
const content = fs.readFileSync(filePath, 'utf8');
const issues = [];
const lines = content.split('\n');
lines.forEach((line, idx) => {
// Check for API route definitions
if (/\.(get|post|put|delete|patch)\s*\(['"](\/api|\/admin)/.test(line)) {
const lineNum = idx + 1;
// Check for rate limiting in nearby lines
const context = lines.slice(Math.max(0, idx-5), idx+5).join('\n');
if (!context.includes('rateLimit') && !context.includes('rate-limit')) {
issues.push({
file: filePath,
line: lineNum,
type: 'missing_rate_limit',
severity: 'HIGH',
text: line.trim(),
message: 'API endpoint missing rate limiting (inst_045)'
});
}
// Check for authentication
if (!context.includes('auth') && !context.includes('requireAuth') && !context.includes('authenticate')) {
issues.push({
file: filePath,
line: lineNum,
type: 'missing_auth',
severity: 'HIGH',
text: line.trim(),
message: 'API endpoint missing authentication (inst_045)'
});
}
}
// Check for sensitive runtime data exposure (inst_013)
if (/res\.(send|json)\s*\(.*\b(process\.memoryUsage|process\.cpuUsage|os\.|__dirname|__filename)/.test(line)) {
issues.push({
file: filePath,
line: idx + 1,
type: 'runtime_data_exposure',
severity: 'CRITICAL',
text: line.trim(),
message: 'Exposes sensitive runtime data in API response (inst_013)'
});
}
});
return issues;
}
function scanFiles(files) {
const allIssues = [];
files.forEach(file => {
if (!fs.existsSync(file)) return;
if (!file.match(/\.(js|ts)$/)) return;
if (file.includes('node_modules') || file.includes('test')) return;
try {
const issues = checkAPIEndpoint(file);
allIssues.push(...issues);
} catch (err) {
// Skip unreadable files
}
});
return allIssues;
}
function main() {
console.log('\n🔒 API Security Validation (inst_013/045)\n');
const files = process.argv.slice(2);
if (files.length === 0) {
console.log('Usage: check-api-security.js <file1> [file2] ...');
console.log('✅ No files provided - skipping API security check\n');
process.exit(0);
}
const issues = scanFiles(files);
if (issues.length === 0) {
console.log('✅ API security requirements met\n');
process.exit(0);
}
console.log(`⚠️ Found ${issues.length} security issue(s):\n`);
console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n');
issues.forEach(i => {
const icon = i.severity === 'CRITICAL' ? '🔴' : '🟡';
console.log(`${icon} ${i.file}:${i.line}`);
console.log(` ${i.message}`);
console.log(` ${i.text.substring(0, 70)}`);
console.log('');
});
console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n');
console.log('Fix: Add rate limiting and authentication to all API endpoints\n');
process.exit(1);
}
main();
Reference in a new issue View git blame Copy permalink