docs: enterprise refactor plan with ralph specs

dist/plugins/fuzzers/FuzzingEngine.js

@@ -0,0 +1,139 @@
+"use strict";
+/**
+ * FuzzingEngine — orchestrates fuzzing strategies for form inputs.
+ * Implements IFuzzingPlugin so ExplorationEngine doesn't need to import it directly.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FuzzingEngine = void 0;
+const crypto = __importStar(require("crypto"));
+const InputTypeDetector_1 = require("./InputTypeDetector");
+const EmptyValueStrategy_1 = require("./strategies/EmptyValueStrategy");
+const OversizedStringStrategy_1 = require("./strategies/OversizedStringStrategy");
+const SpecialCharsStrategy_1 = require("./strategies/SpecialCharsStrategy");
+const TypeMismatchStrategy_1 = require("./strategies/TypeMismatchStrategy");
+const BoundaryValueStrategy_1 = require("./strategies/BoundaryValueStrategy");
+/** Regex to match basic input elements in an HTML string */
+const INPUT_RE = /<(input|textarea|select)[^>]*>/gi;
+const ATTR_RE = (name) => new RegExp(`${name}="([^"]*)"`, 'i');
+function extractFields(domSnapshot) {
+    const fields = [];
+    let match;
+    while ((match = INPUT_RE.exec(domSnapshot)) !== null) {
+        const tag = match[0] ?? '';
+        const tagName = match[1] ?? 'input';
+        const idMatch = ATTR_RE('id').exec(tag);
+        const nameMatch = ATTR_RE('name').exec(tag);
+        const typeMatch = ATTR_RE('type').exec(tag);
+        const placeholderMatch = ATTR_RE('placeholder').exec(tag);
+        const ariaMatch = ATTR_RE('aria-label').exec(tag);
+        const selector = idMatch?.[1]
+            ? `#${idMatch[1]}`
+            : nameMatch?.[1]
+                ? `[name="${nameMatch[1]}"]`
+                : tagName;
+        fields.push({
+            selector,
+            tagName,
+            inputType: typeMatch?.[1],
+            name: nameMatch?.[1],
+            placeholder: placeholderMatch?.[1],
+            ariaLabel: ariaMatch?.[1],
+        });
+    }
+    return fields;
+}
+class FuzzingEngine {
+    constructor(config) {
+        this.intensity = config.intensity;
+        this.seed = config.seed;
+    }
+    /** IFuzzingPlugin implementation — parses fields from DOM snapshot */
+    generateFuzzActions(domSnapshot, state) {
+        const fields = extractFields(domSnapshot);
+        return this.generateFuzzActionsForFields(fields, state);
+    }
+    /** Generate fuzz actions from explicit field descriptors */
+    generateFuzzActionsForFields(fields, state) {
+        const actions = [];
+        const now = Date.now();
+        const strategies = this.selectStrategies();
+        for (const field of fields) {
+            const detectedType = (0, InputTypeDetector_1.detectInputType)({
+                tagName: field.tagName,
+                inputType: field.inputType,
+                name: field.name,
+                placeholder: field.placeholder,
+                ariaLabel: field.ariaLabel,
+            });
+            for (const strategy of strategies) {
+                const values = this.getValuesFromStrategy(strategy, detectedType);
+                for (const value of values) {
+                    actions.push({
+                        id: crypto.randomUUID(),
+                        type: 'fill',
+                        selector: field.selector,
+                        value,
+                        timestamp: now,
+                        seed: this.seed,
+                        stateId: state.id,
+                    });
+                }
+            }
+        }
+        return actions;
+    }
+    selectStrategies() {
+        const empty = new EmptyValueStrategy_1.EmptyValueStrategy();
+        const typeMismatch = new TypeMismatchStrategy_1.TypeMismatchStrategy();
+        const oversized = new OversizedStringStrategy_1.OversizedStringStrategy(this.intensity);
+        const boundary = new BoundaryValueStrategy_1.BoundaryValueStrategy();
+        const special = new SpecialCharsStrategy_1.SpecialCharsStrategy();
+        switch (this.intensity) {
+            case 'low':
+                return [empty, typeMismatch];
+            case 'medium':
+                return [empty, typeMismatch, oversized, boundary];
+            case 'high':
+                return [empty, typeMismatch, oversized, boundary, special];
+        }
+    }
+    getValuesFromStrategy(strategy, type) {
+        if (!strategy.appliesTo(type))
+            return [];
+        return strategy.values(type);
+    }
+}
+exports.FuzzingEngine = FuzzingEngine;

dist/plugins/fuzzers/InputTypeDetector.js

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * InputTypeDetector — detects field type from DOM attributes.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectInputType = detectInputType;
+/** Detect type from input[type], name, placeholder, aria-label */
+function detectInputType(attrs) {
+    const tag = (attrs.tagName ?? '').toLowerCase();
+    if (tag === 'textarea')
+        return 'textarea';
+    if (tag === 'select')
+        return 'select';
+    const inputType = (attrs.inputType ?? '').toLowerCase();
+    if (inputType === 'email')
+        return 'email';
+    if (inputType === 'password')
+        return 'password';
+    if (inputType === 'number')
+        return 'number';
+    if (inputType === 'date')
+        return 'date';
+    if (inputType === 'tel')
+        return 'phone';
+    if (inputType === 'url')
+        return 'url';
+    if (inputType === 'search')
+        return 'search';
+    if (inputType === 'file')
+        return 'file';
+    // Infer from name/placeholder/aria-label
+    const hints = [
+        (attrs.name ?? '').toLowerCase(),
+        (attrs.placeholder ?? '').toLowerCase(),
+        (attrs.ariaLabel ?? '').toLowerCase(),
+    ].join(' ');
+    if (/email/.test(hints))
+        return 'email';
+    if (/password|pass/.test(hints))
+        return 'password';
+    if (/phone|tel|mobile/.test(hints))
+        return 'phone';
+    if (/date|birth|dob/.test(hints))
+        return 'date';
+    if (/number|qty|quantity|age/.test(hints))
+        return 'number';
+    if (/search/.test(hints))
+        return 'search';
+    if (/url|website|link/.test(hints))
+        return 'url';
+    return 'text';
+}

dist/plugins/fuzzers/strategies/BoundaryValueStrategy.js

@@ -0,0 +1,26 @@
+"use strict";
+/**
+ * BoundaryValueStrategy — tests values at the edges of expected ranges.
+ * Applies to: number, date.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BoundaryValueStrategy = void 0;
+class BoundaryValueStrategy {
+    constructor() {
+        this.name = 'BoundaryValueStrategy';
+    }
+    appliesTo(type) {
+        return type === 'number' || type === 'date';
+    }
+    values(type) {
+        switch (type) {
+            case 'number':
+                return ['0', '-1', '2147483647', '2147483648', '-2147483648'];
+            case 'date':
+                return ['1900-01-01', '2099-12-31', '1970-01-01'];
+            default:
+                return [];
+        }
+    }
+}
+exports.BoundaryValueStrategy = BoundaryValueStrategy;

dist/plugins/fuzzers/strategies/EmptyValueStrategy.js

@@ -0,0 +1,19 @@
+"use strict";
+/**
+ * EmptyValueStrategy — submits empty/whitespace values to catch missing server-side validation.
+ * Applies to: all input types.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmptyValueStrategy = void 0;
+class EmptyValueStrategy {
+    constructor() {
+        this.name = 'EmptyValueStrategy';
+    }
+    appliesTo(_type) {
+        return true;
+    }
+    values() {
+        return ['', ' ', '\t'];
+    }
+}
+exports.EmptyValueStrategy = EmptyValueStrategy;

dist/plugins/fuzzers/strategies/OversizedStringStrategy.js

@@ -0,0 +1,28 @@
+"use strict";
+/**
+ * OversizedStringStrategy — submits strings far beyond expected length.
+ * Applies to: text, email, password, textarea.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OversizedStringStrategy = void 0;
+const APPLICABLE_TYPES = ['text', 'email', 'password', 'textarea'];
+class OversizedStringStrategy {
+    constructor(intensity) {
+        this.intensity = intensity;
+        this.name = 'OversizedStringStrategy';
+    }
+    appliesTo(type) {
+        return APPLICABLE_TYPES.includes(type);
+    }
+    values() {
+        switch (this.intensity) {
+            case 'low':
+                return ['A'.repeat(256)];
+            case 'medium':
+                return ['A'.repeat(1024)];
+            case 'high':
+                return ['A'.repeat(10000) + '日本語テスト𠮷野家'];
+        }
+    }
+}
+exports.OversizedStringStrategy = OversizedStringStrategy;

dist/plugins/fuzzers/strategies/SpecialCharsStrategy.js

@@ -0,0 +1,26 @@
+"use strict";
+/**
+ * SpecialCharsStrategy — injects characters that break SQL, HTML, and shell contexts.
+ * Applies to: text, email, search, textarea.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SpecialCharsStrategy = void 0;
+const APPLICABLE_TYPES = ['text', 'email', 'search', 'textarea'];
+class SpecialCharsStrategy {
+    constructor() {
+        this.name = 'SpecialCharsStrategy';
+    }
+    appliesTo(type) {
+        return APPLICABLE_TYPES.includes(type);
+    }
+    values() {
+        return [
+            "' OR 1=1 --",
+            '<script>alert(1)</script>',
+            '../../etc/passwd',
+            '${7*7}',
+            '\x00\x01\x02',
+        ];
+    }
+}
+exports.SpecialCharsStrategy = SpecialCharsStrategy;

dist/plugins/fuzzers/strategies/TypeMismatchStrategy.js

@@ -0,0 +1,31 @@
+"use strict";
+/**
+ * TypeMismatchStrategy — submits wrong data types for the detected field type.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TypeMismatchStrategy = void 0;
+class TypeMismatchStrategy {
+    constructor() {
+        this.name = 'TypeMismatchStrategy';
+    }
+    appliesTo(type) {
+        return ['email', 'number', 'date', 'url', 'phone'].includes(type);
+    }
+    values(type) {
+        switch (type) {
+            case 'email':
+                return ['not-an-email', '12345', '@@@'];
+            case 'number':
+                return ['abc', '-999999', '9.9.9', 'NaN'];
+            case 'date':
+                return ['yesterday', '32/13/2025', '0000-00-00'];
+            case 'url':
+                return ['javascript:alert(1)', 'not a url'];
+            case 'phone':
+                return ['000', '++++', 'abcdefghij'];
+            default:
+                return [];
+        }
+    }
+}
+exports.TypeMismatchStrategy = TypeMismatchStrategy;