feat(security): improve security features, fixes

cli/processor.go

@@ -2,6 +2,7 @@ package cli
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"sync"
 
@@ -14,9 +15,10 @@ import (
 
 // Processor handles the main file processing logic.
 type Processor struct {
-	flags        *Flags
-	backpressure *fileproc.BackpressureManager
-	ui           *UIManager
+	flags           *Flags
+	backpressure    *fileproc.BackpressureManager
+	resourceMonitor *fileproc.ResourceMonitor
+	ui              *UIManager
 }
 
 // NewProcessor creates a new processor with the given flags.
@@ -28,14 +30,19 @@ func NewProcessor(flags *Flags) *Processor {
 	ui.SetProgressOutput(!flags.NoProgress)
 
 	return &Processor{
-		flags:        flags,
-		backpressure: fileproc.NewBackpressureManager(),
-		ui:           ui,
+		flags:           flags,
+		backpressure:    fileproc.NewBackpressureManager(),
+		resourceMonitor: fileproc.NewResourceMonitor(),
+		ui:              ui,
 	}
 }
 
 // Process executes the main file processing workflow.
 func (p *Processor) Process(ctx context.Context) error {
+	// Create overall processing context with timeout
+	overallCtx, overallCancel := p.resourceMonitor.CreateOverallProcessingContext(ctx)
+	defer overallCancel()
+
 	// Configure file type registry
 	p.configureFileTypes()
 
@@ -46,6 +53,10 @@ func (p *Processor) Process(ctx context.Context) error {
 	p.ui.PrintInfo("Destination: %s", p.flags.Destination)
 	p.ui.PrintInfo("Workers: %d", p.flags.Concurrency)
 
+	// Log resource monitoring configuration
+	p.resourceMonitor.LogResourceInfo()
+	p.backpressure.LogBackpressureInfo()
+
 	// Collect files with progress indication
 	p.ui.PrintInfo("📁 Collecting files...")
 	files, err := p.collectFiles()
@@ -56,8 +67,13 @@ func (p *Processor) Process(ctx context.Context) error {
 	// Show collection results
 	p.ui.PrintSuccess("Found %d files to process", len(files))
 
-	// Process files
-	return p.processFiles(ctx, files)
+	// Pre-validate file collection against resource limits
+	if err := p.validateFileCollection(files); err != nil {
+		return err
+	}
+
+	// Process files with overall timeout
+	return p.processFiles(overallCtx, files)
 }
 
 // configureFileTypes configures the file type registry.
@@ -84,6 +100,61 @@ func (p *Processor) collectFiles() ([]string, error) {
 	return files, nil
 }
 
+// validateFileCollection validates the collected files against resource limits.
+func (p *Processor) validateFileCollection(files []string) error {
+	if !config.GetResourceLimitsEnabled() {
+		return nil
+	}
+
+	// Check file count limit
+	maxFiles := config.GetMaxFiles()
+	if len(files) > maxFiles {
+		return utils.NewStructuredError(
+			utils.ErrorTypeValidation,
+			utils.CodeResourceLimitFiles,
+			fmt.Sprintf("file count (%d) exceeds maximum limit (%d)", len(files), maxFiles),
+			"",
+			map[string]interface{}{
+				"file_count": len(files),
+				"max_files":  maxFiles,
+			},
+		)
+	}
+
+	// Check total size limit (estimate)
+	maxTotalSize := config.GetMaxTotalSize()
+	totalSize := int64(0)
+	oversizedFiles := 0
+
+	for _, filePath := range files {
+		if fileInfo, err := os.Stat(filePath); err == nil {
+			totalSize += fileInfo.Size()
+			if totalSize > maxTotalSize {
+				return utils.NewStructuredError(
+					utils.ErrorTypeValidation,
+					utils.CodeResourceLimitTotalSize,
+					fmt.Sprintf("total file size (%d bytes) would exceed maximum limit (%d bytes)", totalSize, maxTotalSize),
+					"",
+					map[string]interface{}{
+						"total_size":     totalSize,
+						"max_total_size": maxTotalSize,
+						"files_checked":  len(files),
+					},
+				)
+			}
+		} else {
+			oversizedFiles++
+		}
+	}
+
+	if oversizedFiles > 0 {
+		logrus.Warnf("Could not stat %d files during pre-validation", oversizedFiles)
+	}
+
+	logrus.Infof("Pre-validation passed: %d files, %d MB total", len(files), totalSize/1024/1024)
+	return nil
+}
+
 // processFiles processes the collected files.
 func (p *Processor) processFiles(ctx context.Context, files []string) error {
 	outFile, err := p.createOutputFile()
@@ -127,7 +198,8 @@ func (p *Processor) processFiles(ctx context.Context, files []string) error {
 
 // createOutputFile creates the output file.
 func (p *Processor) createOutputFile() (*os.File, error) {
-	outFile, err := os.Create(p.flags.Destination) // #nosec G304 - destination is user-provided CLI arg
+	// Destination path has been validated in CLI flags validation for path traversal attempts
+	outFile, err := os.Create(p.flags.Destination) // #nosec G304 - destination is validated in flags.validate()
 	if err != nil {
 		return nil, utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIOFileCreate, "failed to create output file").WithFilePath(p.flags.Destination)
 	}
@@ -153,19 +225,27 @@ func (p *Processor) worker(ctx context.Context, wg *sync.WaitGroup, fileCh chan
 			if !ok {
 				return
 			}
-			p.processFile(filePath, writeCh)
+			p.processFile(ctx, filePath, writeCh)
 		}
 	}
 }
 
-// processFile processes a single file.
-func (p *Processor) processFile(filePath string, writeCh chan fileproc.WriteRequest) {
+// processFile processes a single file with resource monitoring.
+func (p *Processor) processFile(ctx context.Context, filePath string, writeCh chan fileproc.WriteRequest) {
+	// Check for emergency stop
+	if p.resourceMonitor.IsEmergencyStopActive() {
+		logrus.Warnf("Emergency stop active, skipping file: %s", filePath)
+		return
+	}
+
 	absRoot, err := utils.GetAbsolutePath(p.flags.SourceDir)
 	if err != nil {
 		utils.LogError("Failed to get absolute path", err)
 		return
 	}
-	fileproc.ProcessFile(filePath, writeCh, absRoot)
+
+	// Use the resource monitor-aware processing
+	fileproc.ProcessFileWithMonitor(ctx, filePath, writeCh, absRoot, p.resourceMonitor)
 
 	// Update progress bar
 	p.ui.UpdateProgress(1)
@@ -200,11 +280,35 @@ func (p *Processor) waitForCompletion(wg *sync.WaitGroup, writeCh chan fileproc.
 	<-writerDone
 }
 
-// logFinalStats logs the final back-pressure statistics.
+// logFinalStats logs the final back-pressure and resource monitoring statistics.
 func (p *Processor) logFinalStats() {
-	stats := p.backpressure.GetStats()
-	if stats.Enabled {
+	// Log back-pressure stats
+	backpressureStats := p.backpressure.GetStats()
+	if backpressureStats.Enabled {
 		logrus.Infof("Back-pressure stats: processed=%d files, memory=%dMB/%dMB",
-			stats.FilesProcessed, stats.CurrentMemoryUsage/1024/1024, stats.MaxMemoryUsage/1024/1024)
+			backpressureStats.FilesProcessed, backpressureStats.CurrentMemoryUsage/1024/1024, backpressureStats.MaxMemoryUsage/1024/1024)
 	}
+
+	// Log resource monitoring stats
+	resourceStats := p.resourceMonitor.GetMetrics()
+	if config.GetResourceLimitsEnabled() {
+		logrus.Infof("Resource stats: processed=%d files, totalSize=%dMB, avgFileSize=%.2fKB, rate=%.2f files/sec",
+			resourceStats.FilesProcessed, resourceStats.TotalSizeProcessed/1024/1024,
+			resourceStats.AverageFileSize/1024, resourceStats.ProcessingRate)
+
+		if len(resourceStats.ViolationsDetected) > 0 {
+			logrus.Warnf("Resource violations detected: %v", resourceStats.ViolationsDetected)
+		}
+
+		if resourceStats.DegradationActive {
+			logrus.Warnf("Processing completed with degradation mode active")
+		}
+
+		if resourceStats.EmergencyStopActive {
+			logrus.Errorf("Processing completed with emergency stop active")
+		}
+	}
+
+	// Clean up resource monitor
+	p.resourceMonitor.Close()
 }