npm - @7nsane/zift - Versions diffs - 2.2.1 → 4.0.0 - Mend

@7nsane/zift 2.2.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -1,103 +1,53 @@
-# 🛡️ Zift (v2.0.0)
+# 🛡️ Zift (v4.0.0)
 [![npm version](https://img.shields.io/npm/v/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![License](https://img.shields.io/npm/l/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![Build Status](https://img.shields.io/badge/CI-passing-brightgreen?style=flat-square)](https://github.com/7nsane/zift)
-**The Deterministic Pre-install Security Gate for JavaScript Projects.** By using deterministic AST analysis and lightweight variable propagation, Zift identifies potential credential exfiltration, malicious persistence, and obfuscated execution with extreme precision.
+**The Deeply Hardened Ecosystem Security Engine for JavaScript.**
-## Installation
+Zift v4.0 is the "Deep Hardening" release, featuring **Immutable Runtime Guards** and **Opaque Payload Detection**, specifically designed to resist active attacker bypasses.
-```bash
-# Install globally to use the 'zift' command anywhere
-npm install -g @7nsane/zift
-```
+## 🚀 Key Advancements (v4.0.0)
-## 🛡️ Secure Your Workflow (Recommended)
+- **🛡️ Immutable Zift Shield**: Runtime sinks (`http`, `child_process`) are now immutable. Attackers cannot delete or re-assign them to bypass protection.
+- **🧩 Opaque Payload Detection**: Automatically flags compiled native binaries (`.node`) as high-risk.
+- **🧵 Universal Protection**: Zift Shield now automatically propagates into `worker_threads`.
+- **🕵️ Evasion Tracking**: Detects non-deterministic sink construction (e.g., using `Date.now()` or `Math.random()` to hide strings).
+- **🌍 Cross-File Intelligence**: Full multi-pass taint tracking for ESM and CommonJS.
-Set up the **Secure npm Wrapper** to audit packages automatically every time you install something.
+## 📦 Quick Start
 ```bash
-# 1. Run the setup
-zift setup
-# 2. Reload your terminal (or run the command provided by setup)
-# 3. Use the --zift flag with your normal npm commands
-npm install <package-name> --zift
-```
-## 🔍 Limitations & Blind Spots (v2.0.0)
-To maintain a zero-false-positive baseline and high performance, Zift v2 focus on **deterministic behavioral patterns**. It does NOT currently cover:
-- **Cross-file Taint**: Taint tracking is limited to intra-file propagation.
-- **Runtime Decryption**: Logic that decrypts and executes memory-only payloads at runtime.
-- **VM-based Execution**: Malicious payloads executed inside isolated virtual machine environments.
-- **Multi-stage Loaders**: Sophisticated multi-hop obfuscation that reconstructs logic over several cycles.
-- **Post-install Generation**: Malicious code generated or downloaded *after* the initial install/preinstall phase.
-**Positioning**: Zift is a *Deterministic Pre-install Behavioral Security Gate*. It is designed to catch the most common and damaging malware patterns instantly, not to serve as a complete, multi-layer supply-chain defense.
-## License
-MIT
-## Usage
-### 🚀 Secure Installer Mode
-Use Zift as a security gate. It will pre-audit the package source into a sandbox, show you the risk score, and ask for permission before the official installation begins.
-```bash
-# With the --zift alias (Recommended)
-npm install axios --zift
-# Directly using Zift
-zift install gsap
-```
+# 1. Install Zift
+npm install -g @7nsane/zift
-### 🔍 Advanced Scanning
-Scan local directories or existing dependencies in your `node_modules`.
+# 2. Setup Secure Wrappers (adds --zift flag to npm/bun/pnpm)
+zift setup
-```bash
-# Scan current directory
+# 3. Audit a local project
 zift .
-# Scan a specific folder or dependency
-zift ./node_modules/example-pkg
-# CI/CD Mode (JSON output + Non-zero exit on high risk)
-zift . --format json
+# 4. Run your application with Active Shield
+zift protect index.js
 ```
-## Rule Transparency
-Zift uses a multi-phase engine:
-1. **Collection**: Single-pass AST traversal to gather facts (sources, sinks, flows).
-2. **Evaluation**: Deterministic rule matching against collected facts.
-### Rule IDs:
-- **ZFT-001 (ENV_EXFILTRATION)**: Detection of environment variables being read and sent over the network.
-- **ZFT-002 (SENSITIVE_FILE_EXFILTRATION)**: Detection of sensitive files (e.g., `.ssh`, `.env`) being read and sent over the network.
-- **ZFT-003 (PERSISTENCE_ATTEMPT)**: Detection of attempts to write to startup directories.
-- **ZFT-004 (OBFUSCATED_EXECUTION)**: Detection of high-entropy strings executed via dynamic constructors.
-## Key Features
-- **Deterministic AST Analysis**: O(n) complexity, single-pass scanner.
-- **Zero False Positives**: Verified against React, Express, and ESLint (0.0% FP rate).
-- **Lifecycle Awareness**: Identifies if suspicious code is slated to run during `postinstall`.
-- **Credential Protection**: Detects exfiltration of `process.env` (AWS, SSH keys, etc.) over network sinks.
-## Limitations
+## 🔍 How It Works
-Transparency is key to trust. As a V1 static analysis tool, Zift has the following scope boundaries:
+Zift uses a **Deterministic AST Analysis** engine. Unlike regex-based scanners, Zift understands the structure of your code. It tracks the flow of data from sensitive **Sources** (like `process.env`) to dangerous **Sinks** (like `fetch` or `child_process.exec`).
-- **No Interprocedural Flow**: Variable tracking is restricted to function scope; it does not track data across function boundaries.
-- **No Cross-File Propagation**: Analysis is performed on a per-file basis.
-- **No Dynamic Runtime Analysis**: Zift does not execute code; it cannot detect evasion techniques that only trigger during execution.
+- **Collection**: Single-pass O(n) traversal.
+- **Evaluation**: Priority-based rule matching.
+- **Intelligence**: Cross-file propagation and VM-based reveal.
-## Performance Guarantees
+## 🛠️ Commands
-- **File Cap**: Files larger than **512KB** are skipped to ensure predictable scan times.
-- **String Cap**: Entropy calculation is skipped for literal strings longer than **2048 characters**.
+| Command | Description |
+| --- | --- |
+| `zift .` | Deep scan of the current directory |
+| `zift install <pkg>` | Pre-audit and install a package securely |
+| `zift protect <app>` | Launch application with **Zift Shield** runtime auditing |
+| `zift setup` | Configure shell aliases for secure package management |
 ---
-**Build with confidence. Scan with Zift.** 🛡️
+**Build with confidence. Secure with Zift.** 🛡️

package/bin/zift.js CHANGED Viewed

@@ -23,6 +23,10 @@ async function main() {
     runInit();
     return;
   }
+  if (args[0] === 'protect') {
+    runShield(args.slice(1));
+    return;
+  }
   // 2. Detection for bun/pnpm usage
   if (args.includes('--bun')) installer = 'bun';
@@ -238,10 +242,11 @@ function runInit() {
 }
 function showHelp() {
-  console.log(chalk.blue.bold('\n🛡️  Zift v2.0.0 - Intelligent Pre-install Security Gate\n'));
+  console.log(chalk.blue.bold('\n🛡️  Zift v3.0.0 - Intelligent Ecosystem Security\n'));
   console.log('Usage:');
   console.log('  zift setup           Secure npm, bun, and pnpm');
   console.log('  zift init            Initialize configuration');
+  console.log('  zift protect <app>   Run application with Zift Shield');
   console.log('  zift install <pkg>   Scan and install package');
   console.log('  zift .               Scan current directory');
   console.log('\nOptions:');
@@ -272,4 +277,18 @@ function printSummary(findings) {
   console.log(chalk.red(`  Critical: ${s.Critical}\n  High:     ${s.High}`));
 }
+function runShield(appArgs) {
+  if (appArgs.length === 0) {
+    console.error(chalk.red('❌ Error: Specify an application to protect (e.g., zift protect main.js)'));
+    process.exit(1);
+  }
+  const shieldPath = path.join(__dirname, '../src/shield.js');
+  const nodeArgs = ['-r', shieldPath, ...appArgs];
+  console.log(chalk.blue(`\n🛡️  Launching with Zift Shield...`));
+  const child = cp.spawn('node', nodeArgs, { stdio: 'inherit' });
+  child.on('exit', (code) => process.exit(code));
+}
 main();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@7nsane/zift",
-  "version": "2.2.1",
+  "version": "4.0.0",
   "description": "A high-performance, deterministic security scanner for npm packages.",
   "main": "src/scanner.js",
   "bin": {

package/src/collector.js CHANGED Viewed

@@ -1,5 +1,6 @@
 const acorn = require('acorn');
 const walk = require('acorn-walk');
+const vm = require('node:vm');
 const { calculateEntropy } = require('./utils/entropy');
 class ASTCollector {
@@ -24,7 +25,11 @@ class ASTCollector {
             SHELL_EXECUTION: [],
             ENCODER_USE: [],
             REMOTE_FETCH_SIGNAL: [],
-            PIPE_TO_SHELL_SIGNAL: []
+            PIPE_TO_SHELL_SIGNAL: [],
+            EXPORTS: [],
+            IMPORTS: [],
+            OPAQUE_STRING_SKIP: [],
+            NON_DETERMINISTIC_SINK: []
         };
         const flows = [];
         const sourceCode = code;
@@ -43,7 +48,20 @@ class ASTCollector {
         walk.ancestor(ast, {
             Literal: (node) => {
-                if (typeof node.value === 'string' && node.value.length > 20 && node.value.length < this.maxStringLengthForEntropy) {
+                if (typeof node.value === 'string' && node.value.length > 20) {
+                    if (node.value.length > this.maxStringLengthForEntropy) {
+                        // High Entropy Skip Warning
+                        const sample = node.value.substring(0, 100);
+                        const sampleEntropy = calculateEntropy(sample);
+                        if (sampleEntropy > this.entropyThreshold) {
+                            facts.OPAQUE_STRING_SKIP.push({
+                                file: filePath,
+                                line: node.loc.start.line,
+                                reason: `Large string skipped (>2KB) but sample has high entropy (${sampleEntropy.toFixed(2)})`
+                            });
+                        }
+                        return;
+                    }
                     const entropy = calculateEntropy(node.value);
                     if (entropy > this.entropyThreshold) {
                         facts.OBFUSCATION.push({
@@ -55,6 +73,57 @@ class ASTCollector {
                     }
                 }
             },
+            ImportDeclaration: (node) => {
+                const source = node.source.value;
+                node.specifiers.forEach(spec => {
+                    facts.IMPORTS.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        source,
+                        local: spec.local.name,
+                        imported: spec.type === 'ImportDefaultSpecifier' ? 'default' : (spec.imported ? spec.imported.name : null)
+                    });
+                });
+            },
+            ExportNamedDeclaration: (node) => {
+                if (node.declaration) {
+                    if (node.declaration.type === 'VariableDeclaration') {
+                        node.declaration.declarations.forEach(decl => {
+                            facts.EXPORTS.push({
+                                file: filePath,
+                                line: node.loc.start.line,
+                                name: decl.id.name,
+                                type: 'named'
+                            });
+                        });
+                    } else if (node.declaration.id) {
+                        facts.EXPORTS.push({
+                            file: filePath,
+                            line: node.loc.start.line,
+                            name: node.declaration.id.name,
+                            type: 'named'
+                        });
+                    }
+                }
+                node.specifiers.forEach(spec => {
+                    facts.EXPORTS.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        name: spec.exported.name,
+                        local: spec.local.name,
+                        type: 'named'
+                    });
+                });
+            },
+            ExportDefaultDeclaration: (node) => {
+                facts.EXPORTS.push({
+                    file: filePath,
+                    line: node.loc.start.line,
+                    name: 'default',
+                    local: (node.declaration.id ? node.declaration.id.name : (node.declaration.name || null)),
+                    type: 'default'
+                });
+            },
             CallExpression: (node, state, ancestors) => {
                 const calleeCode = sourceCode.substring(node.callee.start, node.callee.end);
@@ -66,12 +135,38 @@ class ASTCollector {
                     });
                 }
-                if (calleeCode === 'require' && node.arguments.length > 0 && node.arguments[0].type !== 'Literal') {
-                    facts.DYNAMIC_REQUIRE.push({
-                        file: filePath,
-                        line: node.loc.start.line,
-                        variable: sourceCode.substring(node.arguments[0].start, node.arguments[0].end)
-                    });
+                if (calleeCode === 'require' && node.arguments.length > 0) {
+                    if (node.arguments[0].type !== 'Literal') {
+                        facts.DYNAMIC_REQUIRE.push({
+                            file: filePath,
+                            line: node.loc.start.line,
+                            variable: sourceCode.substring(node.arguments[0].start, node.arguments[0].end)
+                        });
+                    } else {
+                        const source = node.arguments[0].value;
+                        const parent = ancestors[ancestors.length - 2];
+                        if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
+                            facts.IMPORTS.push({
+                                file: filePath, line: node.loc.start.line, source, local: parent.id.name, imported: 'default'
+                            });
+                        }
+                    }
+                }
+                // De-obfuscation Trigger
+                const evaluated = this.tryEvaluate(node, sourceCode);
+                if (evaluated) {
+                    if (this.getNetworkType(evaluated) || this.isShellSink(evaluated) || evaluated === 'eval' || evaluated === 'Function') {
+                        facts.OBFUSCATION.push({
+                            file: filePath,
+                            line: node.loc.start.line,
+                            reason: `De-obfuscated to: ${evaluated}`,
+                            revealed: evaluated
+                        });
+                        if (evaluated === 'eval' || evaluated === 'Function') {
+                            facts.DYNAMIC_EXECUTION.push({ file: filePath, line: node.loc.start.line, type: evaluated });
+                        }
+                    }
                 }
                 const netType = this.getNetworkType(calleeCode);
@@ -90,7 +185,6 @@ class ASTCollector {
                         callee: calleeCode
                     });
-                    // Signal Analysis: Dropper Patterns
                     node.arguments.forEach(arg => {
                         if (arg.type === 'Literal' && typeof arg.value === 'string') {
                             const val = arg.value.toLowerCase();
@@ -147,6 +241,18 @@ class ASTCollector {
                             });
                         }
                     }
+                    // v4.0 Hardening: Non-deterministic constructor
+                    if (['Math.random', 'Date.now', 'Date()'].some(t => argCode.includes(t))) {
+                        if (evaluated === 'eval' || evaluated === 'Function' || this.isShellSink(calleeCode)) {
+                            facts.NON_DETERMINISTIC_SINK.push({
+                                file: filePath,
+                                line: node.loc.start.line,
+                                callee: calleeCode,
+                                reason: `Sink uses non-deterministic argument (${argCode})`
+                            });
+                        }
+                    }
                 });
             },
             MemberExpression: (node) => {
@@ -180,6 +286,17 @@ class ASTCollector {
                 }
             },
             AssignmentExpression: (node) => {
+                const leftCode = sourceCode.substring(node.left.start, node.left.end);
+                if (leftCode === 'module.exports' || leftCode.startsWith('exports.')) {
+                    facts.EXPORTS.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        name: leftCode === 'module.exports' ? 'default' : leftCode.replace('exports.', ''),
+                        local: (node.right.type === 'Identifier' ? node.right.name : null),
+                        type: leftCode === 'module.exports' ? 'default' : 'named'
+                    });
+                }
                 if (node.left.type === 'MemberExpression' && node.right.type === 'Identifier') {
                     const from = sourceCode.substring(node.right.start, node.right.end);
                     const to = sourceCode.substring(node.left.start, node.left.end);
@@ -216,6 +333,7 @@ class ASTCollector {
     }
     getNetworkType(calleeCode) {
+        if (typeof calleeCode !== 'string') return null;
         const dnsSinks = ['dns.lookup', 'dns.resolve', 'dns.resolve4', 'dns.resolve6'];
         const rawSocketSinks = ['net.connect', 'net.createConnection'];
         const networkSinks = ['http.request', 'https.request', 'http.get', 'https.get', 'fetch', 'axios', 'request'];
@@ -233,6 +351,7 @@ class ASTCollector {
     }
     isShellSink(calleeCode) {
+        if (typeof calleeCode !== 'string') return false;
         const shellSinks = ['child_process.exec', 'child_process.spawn', 'child_process.execSync', 'exec', 'spawn', 'execSync'];
         return shellSinks.some(sink => {
             if (calleeCode === sink) return true;
@@ -243,6 +362,7 @@ class ASTCollector {
     }
     isEncoder(calleeCode) {
+        if (typeof calleeCode !== 'string') return false;
         const encoders = ['Buffer.from', 'btoa', 'atob', 'zlib.deflate', 'zlib.gzip', 'crypto.createCipheriv'];
         return encoders.some(enc => calleeCode === enc || calleeCode.endsWith('.' + enc));
     }
@@ -263,6 +383,7 @@ class ASTCollector {
     }
     isSensitiveFileRead(calleeCode, node, sourceCode) {
+        if (typeof calleeCode !== 'string') return false;
         if (!calleeCode.includes('fs.readFile') && !calleeCode.includes('fs.readFileSync') &&
             !calleeCode.includes('fs.promises.readFile')) return false;
@@ -275,6 +396,7 @@ class ASTCollector {
     }
     isStartupFileWrite(calleeCode, node, sourceCode) {
+        if (typeof calleeCode !== 'string') return false;
         if (!calleeCode.includes('fs.writeFile') && !calleeCode.includes('fs.writeFileSync') &&
             !calleeCode.includes('fs.appendFile')) return false;
@@ -286,8 +408,19 @@ class ASTCollector {
         return false;
     }
-    getSourceCode(node) {
-        return this.sourceCode.substring(node.start, node.end);
+    tryEvaluate(node, sourceCode) {
+        try {
+            const code = sourceCode.substring(node.start, node.end);
+            if (code.includes('process') || code.includes('require') || code.includes('fs') || code.includes('child_process')) return null;
+            if (!code.includes('[') && !code.includes('+') && !code.includes('join') && !code.includes('reverse')) return null;
+            const script = new vm.Script(code);
+            const context = vm.createContext({});
+            const result = script.runInContext(context, { timeout: 50 });
+            return typeof result === 'string' ? result : null;
+        } catch (e) {
+            return null;
+        }
     }
 }

package/src/rules/definitions.js CHANGED Viewed

@@ -110,13 +110,40 @@ const RULES = [
         priority: 2,
         baseScore: 60,
         description: 'Detection of attempts to modify package.json scripts or npm configuration.'
+    },
+    {
+        id: 'ZFT-013',
+        alias: 'OPAQUE_BINARY_PAYLOAD',
+        name: 'Opaque Binary Payload',
+        requires: ['NATIVE_BINARY_DETECTED'],
+        priority: 2,
+        baseScore: 40,
+        description: 'Detection of compiled native binaries (.node) which are opaque to static analysis.'
+    },
+    {
+        id: 'ZFT-014',
+        alias: 'EVASIVE_SINK_CONSTRUCTION',
+        name: 'Evasive Sink Construction',
+        requires: ['NON_DETERMINISTIC_SINK'],
+        priority: 3,
+        baseScore: 50,
+        description: 'Detection of dangerous sinks using non-deterministic construction (Date.now, Math.random) to evade analysis.'
+    },
+    {
+        id: 'ZFT-015',
+        alias: 'HIGH_ENTROPY_OPAQUE_STRING',
+        name: 'High Entropy Opaque String',
+        requires: ['OPAQUE_STRING_SKIP'],
+        priority: 1,
+        baseScore: 25,
+        description: 'Detection of very large high-entropy strings that exceed scanning limits.'
     }
 ];
 const CATEGORIES = {
     SOURCES: ['ENV_READ', 'FILE_READ_SENSITIVE', 'MASS_ENV_ACCESS'],
     SINKS: ['NETWORK_SINK', 'DNS_SINK', 'RAW_SOCKET_SINK', 'DYNAMIC_EXECUTION', 'SHELL_EXECUTION', 'DYNAMIC_REQUIRE'],
-    SIGNALS: ['OBFUSCATION', 'ENCODER_USE', 'REMOTE_FETCH_SIGNAL', 'PIPE_TO_SHELL_SIGNAL'],
+    SIGNALS: ['OBFUSCATION', 'ENCODER_USE', 'REMOTE_FETCH_SIGNAL', 'PIPE_TO_SHELL_SIGNAL', 'NATIVE_BINARY_DETECTED', 'OPAQUE_STRING_SKIP', 'NON_DETERMINISTIC_SINK'],
     PERSISTENCE: ['FILE_WRITE_STARTUP'],
     CONTEXT: ['LIFECYCLE_CONTEXT']
 };

package/src/scanner.js CHANGED Viewed

@@ -24,6 +24,7 @@ class PackageScanner {
             try { fs.mkdirSync(cacheDir, { recursive: true }); } catch (e) { }
         }
+        // Initialize fact storage
         let allFacts = {
             facts: {
                 ENV_READ: [],
@@ -40,18 +41,29 @@ class PackageScanner {
                 ENCODER_USE: [],
                 REMOTE_FETCH_SIGNAL: [],
                 PIPE_TO_SHELL_SIGNAL: [],
-                LIFECYCLE_CONTEXT: []
+                LIFECYCLE_CONTEXT: [],
+                EXPORTS: [],
+                IMPORTS: [],
+                NATIVE_BINARY_DETECTED: [],
+                OPAQUE_STRING_SKIP: []
             },
             flows: []
         };
         const pkgVersion = require('../package.json').version;
-        // Parallel processing with limited concurrency (8 files at a time)
+        // Pass 1: Collection
         const concurrency = 8;
         for (let i = 0; i < files.length; i += concurrency) {
             const chunk = files.slice(i, i + concurrency);
             await Promise.all(chunk.map(async (file) => {
+                if (file.endsWith('.node')) {
+                    allFacts.facts.NATIVE_BINARY_DETECTED.push({
+                        file,
+                        reason: 'Compiled native binary detected (Opaque Payload)'
+                    });
+                    return;
+                }
                 const stats = fs.statSync(file);
                 if (stats.size > 512 * 1024) return;
@@ -62,47 +74,84 @@ class PackageScanner {
                 let facts = {}, flows = [];
                 if (fs.existsSync(cachePath)) {
-                    // Cache hit: Load metadata
                     try {
                         const cached = JSON.parse(fs.readFileSync(cachePath, 'utf8'));
                         facts = cached.facts || {};
                         flows = cached.flows || [];
                     } catch (e) {
-                        // Corrupt cache: re-scan
                         const result = this.collector.collect(code, file);
                         facts = result.facts;
                         flows = result.flows;
                     }
                 } else {
-                    // Cache miss: Scan and save
                     const result = this.collector.collect(code, file);
                     facts = result.facts;
                     flows = result.flows;
-                    try {
-                        fs.writeFileSync(cachePath, JSON.stringify({ facts, flows }));
-                    } catch (e) { }
+                    try { fs.writeFileSync(cachePath, JSON.stringify({ facts, flows })); } catch (e) { }
                 }
-                // Merge facts (Synchronized)
                 if (lifecycleFiles.has(file)) {
                     facts.LIFECYCLE_CONTEXT = facts.LIFECYCLE_CONTEXT || [];
                     facts.LIFECYCLE_CONTEXT.push({ file, reason: 'Lifecycle script context detected' });
                 }
                 for (const category in facts) {
-                    if (allFacts.facts[category]) {
-                        allFacts.facts[category].push(...facts[category]);
-                    }
+                    if (allFacts.facts[category]) allFacts.facts[category].push(...facts[category]);
                 }
                 allFacts.flows.push(...flows);
             }));
         }
+        // Pass 2: Cross-File Taint Resolution
+        this.resolveCrossFileTaint(allFacts);
         const findings = this.engine.evaluate(allFacts, lifecycleFiles);
         return this.formatFindings(findings);
     }
+    resolveCrossFileTaint(allFacts) {
+        const { facts, flows } = allFacts;
+        const exportMap = new Map(); // file -> exportName -> localName/isTainted
+        // 1. Build Export Map
+        facts.EXPORTS.forEach(exp => {
+            if (!exportMap.has(exp.file)) exportMap.set(exp.file, new Map());
+            // Check if localName is tainted in this file
+            const isLocalTainted = flows.some(f => f.file === exp.file && f.toVar === exp.local && f.fromVar.includes('process.env'));
+            const isNamedTainted = flows.some(f => f.file === exp.file && f.toVar === exp.name && f.fromVar.includes('process.env'));
+            exportMap.get(exp.file).set(exp.name, {
+                local: exp.local,
+                isTainted: isLocalTainted || isNamedTainted
+            });
+        });
+        // 2. Propagate to Imports
+        facts.IMPORTS.forEach(imp => {
+            let resolvedPath;
+            if (imp.source.startsWith('.')) {
+                resolvedPath = path.resolve(path.dirname(imp.file), imp.source);
+                if (!resolvedPath.endsWith('.js')) resolvedPath += '.js';
+            }
+            if (resolvedPath && exportMap.has(resolvedPath)) {
+                const targetExports = exportMap.get(resolvedPath);
+                const matchedExport = targetExports.get(imp.imported);
+                if (matchedExport && matchedExport.isTainted) {
+                    // Mark as a virtual ENV_READ in the importing file
+                    facts.ENV_READ.push({
+                        file: imp.file,
+                        line: imp.line,
+                        variable: `[Cross-File] ${imp.local} (from ${imp.source})`,
+                        isCrossFile: true
+                    });
+                }
+            }
+        });
+    }
     async getFiles() {
         // Load .ziftignore
         const ziftIgnorePath = path.join(this.packageDir, '.ziftignore');
@@ -126,7 +175,7 @@ class PackageScanner {
                 const stat = fs.statSync(fullPath);
                 if (stat && stat.isDirectory()) {
                     results.push(...getJsFiles(fullPath));
-                } else if (file.endsWith('.js')) {
+                } else if (file.endsWith('.js') || file.endsWith('.node')) {
                     results.push(fullPath);
                 }
             }

package/src/shield.js ADDED Viewed

@@ -0,0 +1,98 @@
+const diagnostics = require('node:diagnostics_channel');
+/**
+ * Zift Shield Runtime Guard
+ * Intercepts network and shell activity at runtime for security auditing.
+ */
+function setupShield() {
+    console.warn('🛡️ ZIFT SHIELD ACTIVE: Monitoring suspicious runtime activity...');
+    // 1. Monitor Network Activity via diagnostics_channel
+    const netChannel = diagnostics.channel('net.client.socket.request.start');
+    netChannel.subscribe(({ address, port }) => {
+        console.warn(`[ZIFT-SHIELD] 🌐 Outbound Connection: ${address}:${port}`);
+    });
+    // 2. Wrap Child Process (for shell command execution) - IMMUTABLE
+    const cp = require('node:child_process');
+    ['exec', 'spawn', 'execSync', 'spawnSync'].forEach(method => {
+        const original = cp[method];
+        if (!original) return;
+        const wrapper = function (...args) {
+            const command = args[0];
+            const cmdStr = typeof command === 'string' ? command : (Array.isArray(args[1]) ? args[1].join(' ') : String(command));
+            console.warn(`[ZIFT-SHIELD] 🐚 Shell Execution: ${cmdStr}`);
+            if (cmdStr.includes('curl') || cmdStr.includes('wget') || cmdStr.includes('| sh') || cmdStr.includes('| bash')) {
+                console.error(`[ZIFT-SHIELD] ⚠️  CRITICAL: Potential Remote Dropper detected in shell execution!`);
+            }
+            return original.apply(this, args);
+        };
+        try {
+            Object.defineProperty(cp, method, { value: wrapper, writable: false, configurable: false });
+        } catch (e) {
+            cp[method] = wrapper; // Fallback
+        }
+    });
+    // 3. Monitor HTTP/HTTPS - IMMUTABLE
+    const http = require('node:http');
+    const https = require('node:https');
+    [http, https].forEach(mod => {
+        ['request', 'get'].forEach(method => {
+            const original = mod[method];
+            const wrapper = function (...args) {
+                let url = args[0];
+                if (typeof url === 'object' && url.href) url = url.href;
+                else if (typeof url === 'string') url = url;
+                else url = `${args[0].host || args[0].hostname}${args[0].path || ''}`;
+                console.warn(`[ZIFT-SHIELD] 📡 HTTP Request: ${url}`);
+                return original.apply(this, args);
+            };
+            try {
+                Object.defineProperty(mod, method, { value: wrapper, writable: false, configurable: false });
+            } catch (e) {
+                mod[method] = wrapper;
+            }
+        });
+    });
+    // 4. Propagate to Worker Threads
+    try {
+        const { Worker } = require('node:worker_threads');
+        const originalWorker = Worker;
+        const shieldPath = __filename;
+        const WorkerWrapper = class extends originalWorker {
+            constructor(filename, options = {}) {
+                options.workerData = options.workerData || {};
+                options.execArgv = options.execArgv || [];
+                if (!options.execArgv.includes('-r')) {
+                    options.execArgv.push('-r', shieldPath);
+                }
+                super(filename, options);
+            }
+        };
+        Object.defineProperty(require('node:worker_threads'), 'Worker', { value: WorkerWrapper, writable: false, configurable: false });
+    } catch (e) { }
+    // 5. Undici (Modern Fetch) support
+    try {
+        const undiciChannel = diagnostics.channel('undici:request:create');
+        undiciChannel.subscribe(({ request }) => {
+            console.warn(`[ZIFT-SHIELD] 🚀 Undici/Fetch Request: ${request.origin}${request.path}`);
+        });
+    } catch (e) { }
+}
+// Auto-activate if required via node -r
+setupShield();
+module.exports = { setupShield };