23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
293 lines
8.6 KiB
Markdown
293 lines
8.6 KiB
Markdown
# @claude-flow/security
|
|
|
|
[](https://www.npmjs.com/package/@claude-flow/security)
|
|
[](https://www.npmjs.com/package/@claude-flow/security)
|
|
[](https://opensource.org/licenses/MIT)
|
|
[](https://www.typescriptlang.org/)
|
|
[](https://github.com/ruvnet/claude-flow)
|
|
|
|
> Comprehensive security module for Claude Flow V3 - CVE fixes, input validation, path security, and secure credential management.
|
|
|
|
## Features
|
|
|
|
- **CVE Remediation** - Fixes for CVE-2 (Weak Password Hashing), CVE-3 (Hardcoded Credentials), HIGH-1 (Command Injection), HIGH-2 (Path Traversal)
|
|
- **Password Hashing** - Secure bcrypt-based password hashing with configurable rounds (12+ recommended)
|
|
- **Credential Generation** - Cryptographically secure credential and API key generation
|
|
- **Safe Command Execution** - Allowlist-based command execution preventing injection attacks
|
|
- **Path Validation** - Protection against path traversal and symlink attacks
|
|
- **Input Validation** - Zod-based schema validation for all input types
|
|
- **Token Generation** - Secure token creation with HMAC signing
|
|
|
|
## Installation
|
|
|
|
```bash
|
|
npm install @claude-flow/security
|
|
```
|
|
|
|
## Standalone use (without the Ruflo CLI)
|
|
|
|
This is a plain library — every primitive (`PasswordHasher`,
|
|
`PathValidator`, `SafeExecutor`, `InputValidator`, `CredentialGenerator`)
|
|
is independently importable. No CLI, no MCP server, no daemon. The
|
|
primitives close CVE-2 (weak hashing), CVE-3 (default credentials),
|
|
HIGH-1 (command injection), and HIGH-2 (path traversal) — drop them
|
|
into any Node app that needs to validate at a system boundary.
|
|
|
|
### Recipe — Validate input, hash a password, generate an API key
|
|
|
|
```typescript
|
|
// recipe.mjs
|
|
import {
|
|
InputValidator,
|
|
EmailSchema,
|
|
PasswordHasher,
|
|
createCredentialGenerator,
|
|
} from '@claude-flow/security';
|
|
|
|
// 1. Validate user input at the boundary (Zod schemas, no surprises)
|
|
const email = InputValidator.validate(EmailSchema, 'user@example.com');
|
|
// ↳ throws if invalid; returns the typed value otherwise
|
|
|
|
// 2. Hash a password with bcrypt at the recommended cost (CVE-2)
|
|
// Default policy: ≥8 chars, ≥1 upper, ≥1 lower, ≥1 digit.
|
|
// Tune with new PasswordHasher({ rounds, requireUppercase, ... }).
|
|
const hasher = new PasswordHasher({ rounds: 12 });
|
|
const hash = await hasher.hash('CorrectHorseBatteryStaple9');
|
|
const ok = await hasher.verify('CorrectHorseBatteryStaple9', hash); // true
|
|
|
|
// 3. Generate a high-entropy API key (CVE-3) — uses crypto.randomBytes
|
|
// under the hood and refuses to emit keys below 32 bytes of entropy.
|
|
const creds = createCredentialGenerator();
|
|
const apiKey = creds.generateApiKey('ck_live_');
|
|
console.log(apiKey.keyId, apiKey.key.slice(0, 16) + '…');
|
|
// → 7e2b1a9c-… ck_live_xX9aQ…
|
|
```
|
|
|
|
### Recipe — Refuse command injection + path traversal
|
|
|
|
```typescript
|
|
import {
|
|
createDevelopmentExecutor,
|
|
createProjectPathValidator,
|
|
} from '@claude-flow/security';
|
|
|
|
// SafeExecutor — only the allow-listed commands ever run (HIGH-1)
|
|
const exec = createDevelopmentExecutor({ projectRoot: process.cwd() });
|
|
const { stdout } = await exec.execute('git', ['status', '--porcelain']);
|
|
|
|
// PathValidator — refuses traversal and symlinks out of the project (HIGH-2)
|
|
const paths = createProjectPathValidator(process.cwd());
|
|
const result = await paths.validate('../../etc/passwd');
|
|
if (!result.isValid) console.log('blocked:', result.errors.join('; '));
|
|
// → blocked: Path traversal pattern detected
|
|
```
|
|
|
|
## Quick Start
|
|
|
|
```typescript
|
|
import { createSecurityModule } from '@claude-flow/security';
|
|
|
|
// Create a complete security module
|
|
const security = createSecurityModule({
|
|
projectRoot: '/workspaces/project',
|
|
hmacSecret: process.env.HMAC_SECRET!,
|
|
bcryptRounds: 12,
|
|
allowedCommands: ['git', 'npm', 'node']
|
|
});
|
|
|
|
// Hash a password
|
|
const hash = await security.passwordHasher.hash('userPassword123');
|
|
|
|
// Validate a path
|
|
const pathResult = await security.pathValidator.validate('/workspaces/project/src/file.ts');
|
|
|
|
// Execute command safely
|
|
const output = await security.safeExecutor.execute('git', ['status']);
|
|
|
|
// Generate secure credentials
|
|
const creds = await security.credentialGenerator.generate();
|
|
```
|
|
|
|
## API Reference
|
|
|
|
### Password Hashing (CVE-2 Fix)
|
|
|
|
```typescript
|
|
import { PasswordHasher, createPasswordHasher } from '@claude-flow/security';
|
|
|
|
const hasher = createPasswordHasher({ rounds: 12 });
|
|
|
|
// Hash password
|
|
const hash = await hasher.hash('password');
|
|
|
|
// Verify password
|
|
const isValid = await hasher.verify('password', hash);
|
|
|
|
// Check if hash needs rehashing
|
|
const needsRehash = hasher.needsRehash(hash);
|
|
```
|
|
|
|
### Credential Generation (CVE-3 Fix)
|
|
|
|
```typescript
|
|
import { CredentialGenerator, generateCredentials } from '@claude-flow/security';
|
|
|
|
const generator = new CredentialGenerator();
|
|
|
|
// Generate API key
|
|
const apiKey = await generator.generateApiKey({
|
|
prefix: 'cf',
|
|
length: 32
|
|
});
|
|
|
|
// Generate complete credentials
|
|
const creds = generateCredentials({
|
|
includeApiKey: true,
|
|
includeSecret: true
|
|
});
|
|
```
|
|
|
|
### Safe Command Execution (HIGH-1 Fix)
|
|
|
|
```typescript
|
|
import { SafeExecutor, createDevelopmentExecutor } from '@claude-flow/security';
|
|
|
|
const executor = createDevelopmentExecutor();
|
|
|
|
// Execute allowed command
|
|
const result = await executor.execute('git', ['status']);
|
|
|
|
// With timeout
|
|
const result2 = await executor.execute('npm', ['install'], {
|
|
timeout: 60000,
|
|
cwd: '/workspaces/project'
|
|
});
|
|
```
|
|
|
|
### Path Validation (HIGH-2 Fix)
|
|
|
|
```typescript
|
|
import { PathValidator, createProjectPathValidator } from '@claude-flow/security';
|
|
|
|
const validator = createProjectPathValidator('/workspaces/project');
|
|
|
|
// Validate path
|
|
const result = await validator.validate('../../../etc/passwd');
|
|
// { valid: false, reason: 'Path traversal detected' }
|
|
|
|
// Safe path
|
|
const result2 = await validator.validate('/workspaces/project/src/index.ts');
|
|
// { valid: true, normalized: '/workspaces/project/src/index.ts' }
|
|
```
|
|
|
|
### Input Validation
|
|
|
|
```typescript
|
|
import {
|
|
InputValidator,
|
|
SafeStringSchema,
|
|
EmailSchema,
|
|
PasswordSchema,
|
|
SpawnAgentSchema
|
|
} from '@claude-flow/security';
|
|
|
|
// Validate email
|
|
const email = EmailSchema.parse('user@example.com');
|
|
|
|
// Validate password
|
|
const password = PasswordSchema.parse('SecurePass123!');
|
|
|
|
// Validate agent spawn request
|
|
const agentRequest = SpawnAgentSchema.parse({
|
|
type: 'coder',
|
|
name: 'code-agent-1'
|
|
});
|
|
|
|
// Sanitize HTML
|
|
import { sanitizeHtml } from '@claude-flow/security';
|
|
const safe = sanitizeHtml('<script>alert("xss")</script>Hello');
|
|
// 'Hello'
|
|
```
|
|
|
|
### Token Generation
|
|
|
|
```typescript
|
|
import { TokenGenerator, quickGenerate } from '@claude-flow/security';
|
|
|
|
const generator = new TokenGenerator({
|
|
hmacSecret: process.env.HMAC_SECRET!
|
|
});
|
|
|
|
// Generate signed token
|
|
const token = await generator.generate({
|
|
type: 'session',
|
|
expiresIn: 3600
|
|
});
|
|
|
|
// Verify token
|
|
const verified = await generator.verify(token);
|
|
|
|
// Quick generation
|
|
const sessionToken = quickGenerate.sessionToken();
|
|
const verificationCode = quickGenerate.verificationCode();
|
|
```
|
|
|
|
## Security Constants
|
|
|
|
```typescript
|
|
import {
|
|
MIN_BCRYPT_ROUNDS, // 12
|
|
MAX_BCRYPT_ROUNDS, // 14
|
|
MIN_PASSWORD_LENGTH, // 8
|
|
MAX_PASSWORD_LENGTH, // 72 (bcrypt limit)
|
|
DEFAULT_TOKEN_EXPIRATION, // 3600 (1 hour)
|
|
DEFAULT_SESSION_EXPIRATION // 86400 (24 hours)
|
|
} from '@claude-flow/security';
|
|
```
|
|
|
|
## Security Audit
|
|
|
|
```typescript
|
|
import { auditSecurityConfig } from '@claude-flow/security';
|
|
|
|
const warnings = auditSecurityConfig({
|
|
bcryptRounds: 10,
|
|
hmacSecret: 'short'
|
|
});
|
|
|
|
// ['bcryptRounds (10) below recommended minimum (12)',
|
|
// 'hmacSecret should be at least 32 characters']
|
|
```
|
|
|
|
## Validation Schemas
|
|
|
|
| Schema | Description |
|
|
|--------|-------------|
|
|
| `SafeStringSchema` | Basic safe string with length limits |
|
|
| `IdentifierSchema` | Alphanumeric identifiers |
|
|
| `FilenameSchema` | Safe filenames |
|
|
| `EmailSchema` | Email addresses |
|
|
| `PasswordSchema` | Secure passwords |
|
|
| `UUIDSchema` | UUID v4 format |
|
|
| `HttpsUrlSchema` | HTTPS URLs only |
|
|
| `SemverSchema` | Semantic versions |
|
|
| `PortSchema` | Valid port numbers |
|
|
| `IPv4Schema` | IPv4 addresses |
|
|
| `SpawnAgentSchema` | Agent spawn requests |
|
|
| `TaskInputSchema` | Task definitions |
|
|
| `SecurityConfigSchema` | Security configuration |
|
|
|
|
## Dependencies
|
|
|
|
- `bcrypt` - Password hashing
|
|
- `zod` - Schema validation
|
|
|
|
## Related Packages
|
|
|
|
- [@claude-flow/shared](../shared) - Shared types and utilities
|
|
- [@claude-flow/swarm](../swarm) - Swarm coordination (secure agent spawning)
|
|
|
|
## License
|
|
|
|
MIT
|