## Phase 8: Enterprise Extractor Improvements ✅ - 14 security extractors (TLS, JWT, SQL injection, XSS, etc.) - 10 framework-specific extractors (Spring, Django, Rails, etc.) - Config file security detection (YAML, TOML) ## Phase 9: Autonomous Extractor Generation ✅ - Shadow mode executor with TP/FP tracking - Graduation pipeline with confidence thresholds - Auto-rollback on regression detection - Cross-project pattern syncing ## UAT Suite Complete (14 scripts, 90 tests) - test-core-detection.sh (6 tests) - test-declarative-extractors.sh (5 tests) - test-domain-frameworks.sh (5 tests) - test-domain-unreal.sh (3 tests) - test-llm-extraction.sh (6 tests) - test-eval-harness.sh (5 tests) - test-cross-language.sh (3 tests) - test-precommit-performance.sh (4 tests) - test-output-formats.sh (8 tests) - test-drift-detection.sh (6 tests) - test-exit-codes.sh (12 tests) + 3 more scripts ## Other Changes - Updated roadmap to mark Phase 8-9 complete - Added .gitignore entries for build artifacts - Updated pre-commit: 800 line limit, exclude tests/data/cmd Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# AUTH-001: Debug Authentication Bypass
|
|
#
|
|
# Authentication middleware with a debug bypass that allows skipping
|
|
# authentication checks in non-production environments.
|
|
|
|
[metadata]
|
|
id = "auth-001"
|
|
name = "Debug authentication bypass"
|
|
category = "auth"
|
|
language = "typescript"
|
|
difficulty = "hard"
|
|
source = "hand-curated"
|
|
created = "2025-02-05"
|
|
notes = "Debug bypass left in production code"
|
|
|
|
[input]
|
|
filename = "middleware.ts"
|
|
content = """
|
|
import { Request, Response, NextFunction } from 'express';
|
|
|
|
export function authMiddleware(req: Request, res: Response, next: NextFunction) {
|
|
// Skip auth in debug mode
|
|
if (process.env.DEBUG === 'true' || req.headers['x-debug-bypass'] === 'true') {
|
|
return next();
|
|
}
|
|
|
|
const token = req.headers.authorization?.split(' ')[1];
|
|
if (!token) {
|
|
return res.status(401).json({ error: 'Unauthorized' });
|
|
}
|
|
|
|
// Verify token...
|
|
next();
|
|
}
|
|
"""
|
|
|
|
[expected]
|
|
must_contain = [
|
|
{ subject = "auth/bypass", predicate = "debug_mode", value = true, rationale = "DEBUG env var bypasses authentication" },
|
|
{ subject = "auth/bypass", predicate = "header_based", value = true, rationale = "x-debug-bypass header can skip auth" }
|
|
]
|
|
|
|
must_not_contain = [
|
|
{ subject = "auth/verification", predicate = "always_required", value = true, rationale = "Auth can be bypassed via debug mechanisms" }
|
|
]
|
|
|
|
[scoring]
|
|
weight = 2.0
|
|
min_confidence = 0.8
|
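Review bot: The `[expected]` section scores only the two debug bypasses, but the embedded `middleware.ts` has a third weakness the fixture neither requires nor forbids: after the `if (!token)` check, `// Verify token...` is an empty placeholder and `next()` runs unconditionally, so any non-empty `Authorization` header is accepted, and an extractor emitting an `auth/verification` fact about that gets neither credit nor penalty. If the placeholder is deliberate, say so in the TOML header so future edits do not "fix" it or treat it as an unscored miss, e.g. `# The trailing "// Verify token..." placeholder is intentional; only the two bypass facts are scored.`; otherwise add a matching `must_contain` entry for the unverified token. The header comment also says the bypass applies "in non-production environments", yet nothing in the snippet checks `NODE_ENV`, which is exactly what makes it a finding; rewording it to something like `# intended for non-production use, but nothing restricts it to those environments` would make the fixture self-describing. Of the two scored facts, the `x-debug-bypass` header is the request-controlled one, so it may deserve the higher rationale emphasis relative to the `DEBUG` env var, which is a deployment setting.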