feat: Implement file transfer filtering infrastructure (#164)

* feat: Implement file transfer filtering infrastructure

Add a complete filtering infrastructure for SFTP and SCP file transfer operations:

- TransferFilter trait with check() and check_with_dest() methods
- Operation enum: Upload, Download, Delete, Rename, CreateDir, ListDir, Stat, SetStat, Symlink, ReadLink
- FilterResult: Allow, Deny, Log actions
- FilterPolicy engine with first-match-wins rule evaluation
- Matcher trait for extensible path matching

Built-in matchers:
- GlobMatcher: wildcard patterns (*.key, *.pem)
- RegexMatcher: full regex support
- PrefixMatcher: directory tree matching (/etc/*)
- ExactMatcher: specific file matching
- ComponentMatcher: match path components (.git, .ssh)
- ExtensionMatcher: file extension matching
- CombinedMatcher: OR-combine multiple matchers
- NotMatcher: invert matcher results

Configuration:
- Extended FilterConfig with default_action, rule names, operations, and users
- FilterRule supports per-user and per-operation restrictions
- YAML configuration via existing config loader

Closes #138

* fix(quality): resolve clippy warnings in filter module

Priority: MEDIUM
Issue: Three clippy warnings causing build failures with -D warnings
- Derive Default instead of manual impl for FilterResult
- Remove needless borrow in rule_from_config()
- Rename CombinedMatcher::add() to with_matcher() to avoid confusion with std::ops::Add
Review-Iteration: 1

* fix(security): add ReDoS protection to RegexMatcher

Priority: HIGH
Issue: RegexMatcher accepted arbitrary regex patterns without complexity limits,
allowing potential CPU exhaustion via crafted patterns
- Use RegexBuilder with size_limit and dfa_size_limit (1MB default)
- Add with_size_limit() constructor for custom limits
- Add test for size limit functionality
Review-Iteration: 1

* fix(security): add GlobMatchMode for explicit control over glob matching

Priority: HIGH
Issue: GlobMatcher tried both full path and filename matching, which could
lead to unintended matches in security-sensitive filtering
- Add GlobMatchMode enum (PathOrFilename, FullPathOnly, FilenameOnly)
- Add with_mode() constructor for explicit control
- Document matching behavior and security implications
- Add tests for each match mode
Review-Iteration: 1

* fix(security): add normalize_path for path traversal protection

Priority: CRITICAL
Issue: Path matchers operated on raw paths without normalization, allowing
bypass via path traversal sequences like ../
- Add normalize_path() function for logical path normalization
- Add comprehensive security documentation
- Document that callers should normalize paths before matching
- Add tests demonstrating the security issue and fix
Review-Iteration: 1

* test: add comprehensive test coverage for filter module

- Add tests for FilterPolicy.from_config() with glob patterns and prefixes
- Add tests for FilterPolicy accessor methods (rule_count, default_action)
- Add tests for FilterRule.matches() with all conditions
- Add tests for SharedFilterPolicy (check_with_dest, From impl)
- Add tests for Operation.all() and additional parse/display tests
- Add tests for matcher accessor methods (prefix, path, component, extension)
- Add tests for GlobMatchMode enum and CombinedMatcher len/is_empty
- Fix normalize_path tests placement (move inside test module)
- Update ARCHITECTURE.md with File Transfer Filter module documentation

Author: inureyes

ARCHITECTURE.md

@@ -213,6 +213,107 @@ Security features for the SSH server (`src/server/security/`):
   - Thread-safe with fail-closed behavior on lock contention
   - Configuration via `allowed_ips` and `blocked_ips` in server config
 
+### File Transfer Filter Module
+
+Policy-based filtering infrastructure for SFTP and SCP file transfer operations (`src/server/filter/`):
+
+**Structure**:
+- `mod.rs` - `TransferFilter` trait, `Operation` enum, `FilterResult` enum, `NoOpFilter`
+- `policy.rs` - `FilterPolicy` engine, `FilterRule`, `Matcher` trait, `SharedFilterPolicy`
+- `path.rs` - Path-based matchers: `PrefixMatcher`, `ExactMatcher`, `ComponentMatcher`, `ExtensionMatcher`
+- `pattern.rs` - Pattern-based matchers: `GlobMatcher`, `RegexMatcher`, `CombinedMatcher`, `NotMatcher`
+
+**Key Components**:
+
+- **Operation**: Enum representing file operations
+  - `Upload`, `Download`, `Delete`, `Rename`
+  - `CreateDir`, `ListDir`, `Stat`, `SetStat`
+  - `Symlink`, `ReadLink`
+
+- **FilterResult**: Actions to take on matched operations
+  - `Allow` - Permit the operation (default)
+  - `Deny` - Block the operation
+  - `Log` - Allow but log for auditing
+
+- **TransferFilter Trait**: Interface for custom filter implementations
+  - `check(path, operation, user)` - Check single path operations
+  - `check_with_dest(src, dest, operation, user)` - Check two-path operations (rename, symlink)
+  - `is_enabled()` - Check if filtering is active
+
+- **FilterPolicy**: First-match-wins rule evaluation engine
+  - Ordered rule evaluation
+  - Configurable default action
+  - Enable/disable filtering
+  - Create from YAML configuration via `from_config()`
+
+- **FilterRule**: Combines matcher, action, and optional constraints
+  - Path pattern matcher
+  - Per-operation restrictions
+  - Per-user restrictions
+  - Named rules for debugging
+
+**Built-in Matchers**:
+
+| Matcher | Purpose | Example |
+|---------|---------|---------|
+| `GlobMatcher` | Wildcard patterns | `*.key`, `*.pem` |
+| `RegexMatcher` | Full regex support | `(?i)\.exe$` |
+| `PrefixMatcher` | Directory tree matching | `/etc/` |
+| `ExactMatcher` | Specific file matching | `/etc/shadow` |
+| `ComponentMatcher` | Path component matching | `.git`, `.ssh` |
+| `ExtensionMatcher` | File extension matching | `exe`, `key` |
+| `CombinedMatcher` | OR-combine matchers | Multiple patterns |
+| `NotMatcher` | Invert matcher results | Exclude patterns |
+
+**Security Features**:
+- `normalize_path()` function for path traversal prevention
+- ReDoS protection via regex size limits
+- Case-insensitive extension matching
+
+**Usage Example**:
+```rust
+use bssh::server::filter::{FilterPolicy, FilterResult, Operation};
+use bssh::server::filter::pattern::GlobMatcher;
+use bssh::server::filter::policy::FilterRule;
+use std::path::Path;
+
+// Create policy that blocks *.key files
+let policy = FilterPolicy::new()
+    .with_default(FilterResult::Allow)
+    .add_rule(FilterRule::new(
+        Box::new(GlobMatcher::new("*.key").unwrap()),
+        FilterResult::Deny,
+    ));
+
+// Check if operation is allowed
+let result = policy.check(
+    Path::new("/etc/secret.key"),
+    Operation::Download,
+    "alice"
+);
+assert_eq!(result, FilterResult::Deny);
+```
+
+**Configuration** (YAML):
+```yaml
+filter:
+  enabled: true
+  default_action: allow
+  rules:
+    - name: block-sensitive-keys
+      pattern: "*.{key,pem}"
+      action: deny
+      operations:
+        - download
+        - upload
+    - name: block-hidden-dirs
+      path_prefix: "/home"
+      pattern: ".*"
+      action: deny
+      users:
+        - guest
+```
+
 ### Audit Logging Module
 
 Comprehensive audit logging infrastructure for the SSH server (`src/server/audit/`):

src/server/config/types.rs

@@ -275,6 +275,12 @@ pub struct FilterConfig {
     #[serde(default)]
     pub enabled: bool,
 
+    /// Default action when no rules match.
+    ///
+    /// Default: allow
+    #[serde(default)]
+    pub default_action: Option<FilterAction>,
+
     /// Filter rules to apply.
     ///
     /// Rules are evaluated in order. First matching rule determines action.
@@ -285,25 +291,47 @@ pub struct FilterConfig {
 /// A single file transfer filter rule.
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct FilterRule {
+    /// Rule name (for logging and debugging).
+    ///
+    /// Example: "block-keys"
+    #[serde(default)]
+    pub name: Option<String>,
+
     /// Glob pattern to match against file paths.
     ///
     /// Example: "*.exe" matches all executable files
+    #[serde(default)]
     pub pattern: Option<String>,
 
     /// Path prefix to match.
     ///
     /// Example: "/tmp/" matches all files in /tmp
+    #[serde(default)]
     pub path_prefix: Option<String>,
 
     /// Action to take when rule matches.
     pub action: FilterAction,
+
+    /// Operations this rule applies to.
+    ///
+    /// If not specified, the rule applies to all operations.
+    /// Valid values: upload, download, delete, rename, createdir, listdir
+    #[serde(default)]
+    pub operations: Option<Vec<String>>,
+
+    /// Users this rule applies to.
+    ///
+    /// If not specified, the rule applies to all users.
+    #[serde(default)]
+    pub users: Option<Vec<String>>,
 }
 
 /// Action to take when a filter rule matches.
-#[derive(Debug, Clone, Deserialize, Serialize)]
+#[derive(Debug, Clone, Deserialize, Serialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum FilterAction {
     /// Allow the file transfer.
+    #[default]
     Allow,
 
     /// Deny the file transfer.