/**
 * SecurityValidator - Comprehensive security validation system
 *
 * Enforces:
 * - NFR-SEC-001: Zero external API calls (100% offline operation)
 * - NFR-SEC-002: 100% rollback safety
 * - NFR-SEC-003: File permissions validation (644/755)
 * - NFR-SEC-004: 100% secret detection
 * - NFR-SEC-PERF-001: Security scan <10s for 100 files
 *
 * Features:
 * - External API call detection with whitelist support
 * - Secret detection (API keys, passwords, tokens, private keys)
 * - File permission validation
 * - Dependency vulnerability scanning
 * - Security gate enforcement for Construction/Production phases
 */
/**
 * Severity levels a finding can carry. The same four names are used as the
 * counter keys in the `summary` objects of SecurityScanResult and VulnerabilityReport.
 */
export type SecurityIssueSeverity = 'critical' | 'high' | 'medium' | 'low';
/**
 * Kind of check that produced a finding.
 *
 * NOTE(review): 'vulnerability' and 'insecure-dependency' are separate values;
 * this declaration does not show how the implementation tells them apart.
 */
export type SecurityIssueCategory = 'external-api-call' | 'secret-exposure' | 'file-permission' | 'vulnerability' | 'insecure-dependency';
/**
 * A single finding reported by the validator. Used as the element type of
 * scan results, gate results and the input to remediation planning.
 */
export interface SecurityIssue {
    /** Severity assigned to the finding. */
    severity: SecurityIssueSeverity;
    /** Which kind of check raised the finding. */
    category: SecurityIssueCategory;
    /** File the finding refers to. NOTE(review): absolute vs. project-relative path is not visible here. */
    file: string;
    /** Line of the finding, when one is known. */
    lineNumber?: number;
    /**
     * Human-readable statement of the problem.
     * NOTE(review): confirm this never embeds an unmasked secret value; issues are
     * accepted by generateRemediationPlan and presumably appear in exported reports.
     */
    description: string;
    /** Suggested fix for the finding. */
    recommendation: string;
    /** CVE identifier, when the finding maps to one. */
    cve?: string;
}
/**
 * Aggregate outcome of a scan (returned by `scan` and `scanDirectory`).
 */
export interface SecurityScanResult {
    /**
     * Overall verdict.
     * NOTE(review): the pass criteria are not visible in this declaration. Because
     * ScanOptions can switch individual checks off, `passed` presumably only speaks
     * for the checks that actually ran; confirm before treating it as a full gate.
     */
    passed: boolean;
    /** Every finding collected during the scan. */
    issues: SecurityIssue[];
    /** Count of findings per severity level. */
    summary: {
        critical: number;
        high: number;
        medium: number;
        low: number;
    };
    /** Number of files examined. A value of 0 alongside `passed` deserves a second look (nothing was checked). */
    checkedFiles: number;
    /** Time the scan took. NOTE(review): unit (ms vs. s) is not shown here; confirm. */
    scanDuration: number;
}
/**
 * One suspected secret found in a file.
 */
export interface DetectedSecret {
    /** Classification of the suspected secret. */
    type: 'api-key' | 'password' | 'token' | 'private-key' | 'credential';
    /** File in which the match was found. */
    file: string;
    /** Line of the match. NOTE(review): 0- vs. 1-based is not visible here. */
    lineNumber: number;
    /**
     * Text excerpt identifying the match.
     * NOTE(review): the class declares a private `maskSecret` helper ("mask secret
     * value for display"); presumably this field holds the masked form. Confirm
     * before logging or persisting results, otherwise the report itself leaks the secret.
     */
    snippet: string;
    /** Detector confidence. NOTE(review): scale (0-1 vs. 0-100) is not visible here; confirm. */
    confidence: number;
}
/**
 * Outcome of secret detection over a set of files.
 */
export interface SecretDetectionResult {
    /** Whether any secret was reported; presumably equivalent to `secrets.length > 0` (confirm). */
    foundSecrets: boolean;
    /** The individual matches. */
    secrets: DetectedSecret[];
    /**
     * NOTE(review): how this rate is obtained is not visible in the declaration.
     * A scan has no ground truth for its own matches, so treat this as an estimate
     * and confirm its derivation before using it to suppress findings.
     */
    falsePositiveRate: number;
}
/**
 * One outbound network call site found in source code.
 */
export interface ExternalAPICall {
    /** File containing the call site. */
    file: string;
    /** Line of the call site. */
    lineNumber: number;
    /** URL associated with the call. NOTE(review): presumably extracted from the source text; dynamically built URLs may not be representable here. */
    url: string;
    /**
     * Client API through which the call is made. Only these five are representable,
     * so calls made through other clients cannot be expressed in this type.
     */
    method: 'fetch' | 'axios' | 'http' | 'https' | 'XMLHttpRequest';
    /** Explanation attached to the detection. */
    reason: string;
}
/**
 * A file whose permission differs from what the validator expects.
 */
export interface PermissionViolation {
    /** File with the unexpected permission. */
    file: string;
    /** Permission found on the file. NOTE(review): presumably an octal mode string such as '644' or '755' (the file header names those modes); confirm. */
    actual: string;
    /** Permission the validator expected, in the same representation as `actual`. */
    expected: string;
    /** Explanation of why the expected permission applies. */
    reason: string;
}
/**
 * Outcome of validating file permissions under a directory.
 */
export interface PermissionValidationResult {
    /** Overall verdict; presumably true when `violations` is empty (confirm). */
    passed: boolean;
    /** Files whose permission did not match the expectation. */
    violations: PermissionViolation[];
    /** Number of files whose permission was checked. */
    checkedFiles: number;
}
/**
 * A known vulnerability reported against one dependency.
 */
export interface DependencyVulnerability {
    /** Name of the affected package. */
    package: string;
    /** Version of the package the report applies to. NOTE(review): installed version vs. declared range is not visible here. */
    version: string;
    /** Severity of the vulnerability. */
    severity: SecurityIssueSeverity;
    /** CVE identifier, when one exists. */
    cve?: string;
    /** Description of the vulnerability. */
    description: string;
    /** Suggested remediation (for example an upgrade target). */
    recommendation: string;
}
/**
 * Outcome of the dependency vulnerability scan.
 */
export interface DependencyScanResult {
    /** Vulnerabilities reported for the project's dependencies. */
    vulnerabilities: DependencyVulnerability[];
    /**
     * Overall verdict.
     * NOTE(review): the severity threshold that fails the scan is not visible here; confirm.
     */
    passed: boolean;
}
/**
 * Dependency scan result together with per-severity counts
 * (returned by `checkKnownVulnerabilities`).
 */
export interface VulnerabilityReport {
    /** The underlying dependency scan result. */
    dependencies: DependencyScanResult;
    /** Count of vulnerabilities per severity level. */
    summary: {
        critical: number;
        high: number;
        medium: number;
        low: number;
    };
}
/**
 * Outcome of enforcing a phase gate (returned by `enforceSecurityGate`).
 */
export interface GateEnforcementResult {
    /** Whether the gate was passed. */
    passed: boolean;
    /** Which gate was evaluated. */
    gate: 'construction' | 'production';
    /** Findings that block the gate; presumably non-empty whenever `passed` is false (confirm). */
    blockingIssues: SecurityIssue[];
    /**
     * Findings reported without blocking.
     * NOTE(review): SecurityConfig has a `failOnWarnings` flag; whether it promotes
     * these to blocking is not visible in this declaration.
     */
    warnings: SecurityIssue[];
    /** When the gate was evaluated. NOTE(review): string format (e.g. ISO 8601) and time zone are not shown; confirm. */
    timestamp: string;
}
/**
 * Optional configuration passed to the SecurityValidator constructor.
 * Several of these settings narrow what the validator checks, so changes to them
 * deserve the same review as changes to the code being scanned.
 */
export interface SecurityConfig {
    /**
     * Paths left out of scanning.
     * NOTE(review): matching semantics (prefix, glob, substring) are not visible here.
     * Anything excluded is presumably invisible to every check, including the gates.
     */
    excludePaths?: string[];
    /**
     * Additional patterns for URLs that are allowed as external API calls.
     * NOTE(review): whether patterns are tested against the full URL or a parsed
     * host is not visible here. Unanchored patterns can match more URLs than
     * intended, so prefer patterns anchored with `^` and an explicit host boundary.
     */
    customWhitelist?: RegExp[];
    /**
     * Overrides for expected file permissions.
     * NOTE(review): presumably maps a path or pattern to a mode string such as
     * '644'; key and value formats are not visible here, confirm.
     */
    permissionRules?: Record<string, string>;
    /** NOTE(review): presumably makes warnings fail a scan or gate; the default when omitted is not visible here. */
    failOnWarnings?: boolean;
}
/**
 * Per-call toggles for `SecurityValidator.scan`.
 *
 * NOTE(review): defaults when a flag is omitted are not visible in this
 * declaration. Turning a check off presumably removes its findings from the
 * result, so a passing result only covers the checks left enabled.
 */
export interface ScanOptions {
    /** Toggle for the external API call check. */
    checkExternalAPIs?: boolean;
    /** Toggle for the secret detection check. */
    checkSecrets?: boolean;
    /** Toggle for the file permission check. */
    checkPermissions?: boolean;
    /** Toggle for the dependency vulnerability check. */
    checkDependencies?: boolean;
    /** NOTE(review): presumably runs the checks concurrently; effect on result ordering is not visible here. */
    parallel?: boolean;
}
/**
 * Security validator for a project directory: scans for external API calls,
 * secrets, file permissions and dependency vulnerabilities, enforces phase gates
 * and produces reports.
 *
 * Only signatures are visible in this declaration file. Comments marked
 * NOTE(review) are assumptions to confirm against the implementation.
 */
export declare class SecurityValidator {
    // Project path given to the constructor; presumably the root for methods that take no path argument (confirm).
    private projectPath;
    // Configuration given to the constructor.
    private config;
    /**
     * @param projectPath Path of the project to validate.
     * @param config Optional settings (exclusions, whitelist, permission rules, warning policy).
     */
    constructor(projectPath: string, config?: SecurityConfig);
    /**
     * Comprehensive security scan
     *
     * @param options Optional toggles for the individual checks; defaults when omitted are not visible here.
     * @returns Aggregated findings, per-severity counts and the overall verdict.
     */
    scan(options?: ScanOptions): Promise<SecurityScanResult>;
    /**
     * Scan single file for security issues
     *
     * @param filePath File to scan.
     * @returns Findings for that file.
     */
    scanFile(filePath: string): Promise<SecurityIssue[]>;
    /**
     * Scan directory recursively
     *
     * @param dirPath Directory to scan.
     * @param recursive Whether to descend into subdirectories; the default when omitted is not visible here.
     * NOTE(review): symlink handling is not visible; confirm the walk cannot leave `dirPath` or loop.
     */
    scanDirectory(dirPath: string, recursive?: boolean): Promise<SecurityScanResult>;
    /**
     * Detect external API calls in code path
     *
     * @param codePath Path to inspect. NOTE(review): file vs. directory is not visible here.
     * @returns The call sites found.
     */
    detectExternalAPICalls(codePath: string): Promise<ExternalAPICall[]>;
    /**
     * Detect external API calls in content string
     */
    private detectExternalAPICallsInContent;
    /**
     * Validate offline operation (no external API calls)
     *
     * @param codePath Path to inspect.
     * @returns Presumably true when no non-whitelisted call is found (confirm).
     * NOTE(review): this is a source-level check; it says nothing about network
     * access performed by dependencies at runtime.
     */
    validateOfflineOperation(codePath: string): Promise<boolean>;
    /**
     * Check if API URL is whitelisted
     *
     * @param url URL to test.
     * NOTE(review): the matching rule is not visible here. Confirm the decision is
     * made on the parsed host rather than a substring of the raw string, and how
     * `SecurityConfig.customWhitelist` is combined with any built-in entries.
     */
    isWhitelistedAPI(url: string): boolean;
    /**
     * Detect secrets in files
     *
     * @param files Files to inspect.
     */
    detectSecrets(files: string[]): Promise<SecretDetectionResult>;
    /**
     * Detect secrets in single file
     *
     * @param filePath File to inspect.
     */
    detectSecretsInFile(filePath: string): Promise<DetectedSecret[]>;
    /**
     * Validate no secrets committed
     *
     * NOTE(review): takes no arguments, so the scanned scope is decided internally.
     * Whether this covers only the current working tree or also version-control
     * history is not visible here; a secret removed in a later commit remains
     * recoverable from history and still needs rotation.
     */
    validateNoSecretsCommitted(): Promise<boolean>;
    /**
     * Categorize secret type
     */
    private categorizeSecret;
    /**
     * Mask secret value for display
     */
    private maskSecret;
    /**
     * Validate file permissions in directory
     *
     * @param dirPath Directory whose files are checked.
     */
    validateFilePermissions(dirPath: string): Promise<PermissionValidationResult>;
    /**
     * Check single file permission
     *
     * @param filePath File to check.
     * @param expected Expected permission. NOTE(review): presumably an octal mode string such as '644'; confirm.
     */
    checkPermission(filePath: string, expected: string): Promise<boolean>;
    /**
     * Fix file permissions
     *
     * @param filePath File to change.
     * @param target Permission to apply.
     * NOTE(review): presumably changes the mode on disk. Confirm the implementation
     * validates `target`, keeps `filePath` inside the project and does not follow
     * symlinks, since this is the one declared method that modifies files.
     */
    fixPermissions(filePath: string, target: string): Promise<void>;
    /**
     * Check file permission and return issue if invalid
     */
    private checkFilePermission;
    /**
     * Get expected permission for file
     */
    private getExpectedPermission;
    /**
     * Scan dependencies for vulnerabilities
     *
     * NOTE(review): the source of vulnerability data is not visible here. The file
     * header requires fully offline operation, so any advisory data is presumably
     * local and can be stale; a passing result does not rule out newer advisories.
     */
    scanDependencies(): Promise<DependencyScanResult>;
    /**
     * Check for known vulnerabilities
     *
     * @returns The dependency scan result with per-severity counts.
     */
    checkKnownVulnerabilities(): Promise<VulnerabilityReport>;
    /**
     * Enforce security gate (auto-detect phase)
     *
     * NOTE(review): how the phase is detected is not visible here. If detection can
     * be influenced by project files, a project could select the weaker
     * 'construction' gate; confirm the detection input is trusted.
     */
    enforceSecurityGate(): Promise<GateEnforcementResult>;
    /**
     * Validate Construction gate
     *
     * Requirements:
     * - Zero critical security issues
     * - Zero external API calls (except whitelisted)
     * - Zero committed secrets
     * - All file permissions valid
     *
     * Unlike the Production gate, high-severity issues and unpatched dependencies
     * are not listed as blocking here.
     */
    validateConstructionGate(): Promise<boolean>;
    /**
     * Validate Production gate (stricter)
     *
     * Requirements:
     * - Zero critical or high security issues
     * - Zero external API calls (except whitelisted)
     * - Zero committed secrets
     * - All file permissions valid
     * - All dependencies patched
     */
    validateProductionGate(): Promise<boolean>;
    /**
     * Generate security report
     *
     * @returns The report as a string. NOTE(review): output format is not visible here.
     */
    generateSecurityReport(): Promise<string>;
    /**
     * Export report in different formats
     *
     * @param format Output format.
     * NOTE(review): for 'html', confirm that file paths, snippets and descriptions
     * taken from scanned content are HTML-escaped before being written into the report.
     */
    exportReport(format: 'markdown' | 'json' | 'html'): Promise<string>;
    /**
     * Generate remediation plan
     *
     * @param issues Findings to plan remediation for.
     * @returns The plan as a string.
     */
    generateRemediationPlan(issues: SecurityIssue[]): Promise<string>;
    /**
     * Get files to scan
     */
    private getFilesToScan;
    /**
     * Find line number from string index
     */
    private findLineNumber;
    /**
     * Group issues by category
     */
    private groupIssuesByCategory;
    /**
     * Generate HTML report
     */
    private generateHTMLReport;
    /**
     * Check external APIs in multiple files
     */
    private checkExternalAPIsInFiles;
    /**
     * Check secrets in multiple files
     */
    private checkSecretsInFiles;
    /**
     * Check permissions in multiple files
     */
    private checkPermissionsInFiles;
    /**
     * Check dependencies issues
     */
    private checkDependenciesIssues;
}
//# sourceMappingURL=security-validator.d.ts.map