Contract bearbeiten
Aktuelle Version:
2.0
Neue Version *
Muss sich von der aktuellen Version unterscheiden.
Änderungsbeschreibung
YAML-Inhalt *
# Contract that declares forbidden patterns for direct database access in the
# scoped source files and names MCP database tools as the alternative.
# NOTE(review): this listing was whitespace-collapsed; the nesting below
# (what sits under `contract`, `scope`, `alternatives`) is reconstructed from
# key order — confirm against the stored contract before saving.
contract:
  name: "db-access-security-protocol"
  # Quoted so the version and the date stay strings rather than a float/date.
  version: "2.0"
  status: "active"
  description: "Mehrstufiges Sicherheitsprotokoll gegen direkte DB-Zugriffe"
  created: "2025-12-20"
  author: "mcp-contracts"

  # File globs the contract applies to; everything under /tests is excluded.
  scope:
    paths:
      - "/src/**/*.php"
      - "/app/**/*.php"
      - "/opt/scripts/**/*.py"
      - "/opt/scripts/**/*.sh"
    excludes:
      - "/tests/**"

  rules:
    # Block Bash commands
    # NOTE(review): the three client/admin-tool rules below are limited to
    # `**/*.sh` by `in_files`, while `scope.paths` also lists PHP and Python
    # files; the same client invocations issued from those files are not
    # covered by these rules as written — confirm whether that is intended.
    # NOTE(review): how the relative `in_files` globs combine with the
    # absolute `scope.paths` is not visible here — verify in the checker.
    - id: "no-mysql-user"
      check_type: "forbidden_pattern"
      # presumably matched as literal substrings (exact spacing) — TODO confirm
      patterns:
        - "mysql -u"
        - "mysql -p"
        - "mysql --user"
        - "mysql --password"
      in_files: "**/*.sh"
      severity: "critical"
      description: "Keine direkten mysql-Befehle mit User/Passwort"

    - id: "no-mariadb-user"
      check_type: "forbidden_pattern"
      patterns:
        - "mariadb -u"
        - "mariadb -p"
        - "mariadb --user"
        - "mariadb --password"
      in_files: "**/*.sh"
      severity: "critical"
      description: "Keine direkten mariadb-Befehle mit User/Passwort"

    - id: "no-mysqldump"
      check_type: "forbidden_pattern"
      patterns:
        - "mysqldump"
        - "mysqlimport"
        - "mysqladmin"
      in_files: "**/*.sh"
      severity: "critical"
      description: "Keine mysql-Admin-Tools direkt ausführen"

    # Applies to every file (`**/*`), not only shell scripts.
    # NOTE(review): only `--password=` and the quoted `-p'` / `-p"` forms are
    # listed; an unquoted `-pVALUE` or a space-separated `--password VALUE`
    # is not. Conversely `-p'` can also appear in unrelated commands that
    # take a `-p` flag, which would raise false positives — confirm the
    # matcher's semantics and tighten the patterns if needed.
    - id: "no-password-in-command"
      check_type: "forbidden_pattern"
      patterns:
        - "--password="
        - "-p'"
        - '-p"'
      in_files: "**/*"
      severity: "critical"
      description: "Niemals Passwörter in Befehlen"

    # PHP access
    # NOTE(review): `->query(` and `->prepare(` match any object's method of
    # that name, not only PDO; other PHP database APIs (e.g. mysqli) are not
    # listed in either PHP rule — confirm coverage matches the intent.
    - id: "no-pdo-in-controller"
      check_type: "forbidden_pattern"
      patterns:
        - "new PDO("
        - "->query("
        - "->prepare("
      in_files: "Controller/**/*.php"
      severity: "critical"
      description: "Controller dürfen kein direktes PDO verwenden"

    - id: "pdo-only-in-infrastructure"
      check_type: "dependency_check"
      forbidden_imports:
        - "PDO"
      in_files: "Domain/**/*.php"
      severity: "critical"
      description: "Domain-Layer darf keine PDO-Abhängigkeit haben"

  # A violation blocks the action; the hook is a Python script outside the
  # paths listed in `scope.paths`.
  # NOTE(review): the hook file and this contract should not be writable by
  # the process they constrain — verify file ownership and permissions.
  enforcement:
    on_violation: "block"
    hook: "/var/www/tools/ki-protokoll/claude-hook/block_direct_db.py"

  # MCP tools to use instead of direct database access, one per operation.
  alternatives:
    mcp_tools:
      - tool: "mcp__mcp-db__db_select"
        use_for: "SELECT-Abfragen"
      - tool: "mcp__mcp-db__db_schema"
        use_for: "Tabellenstruktur"
      - tool: "mcp__mcp-db__db_insert"
        use_for: "INSERT-Operationen"
      - tool: "mcp__mcp-db__db_update"
        use_for: "UPDATE-Operationen"
      - tool: "mcp__mcp-db__db_delete"
        use_for: "DELETE-Operationen"
    # presumably the databases the MCP tools may reach; placement under
    # `alternatives` is inferred — TODO confirm
    allowed_databases:
      - ki_dev
      - ki_content

  # presumably the maximum number of findings tolerated per severity; with
  # all three at 0 no finding would pass — confirm against the checker.
  # Every rule above is declared with severity "critical".
  pass_threshold:
    critical_max: 0
    major_max: 0
    minor_max: 0