@apiposture/cli 1.0.1

package/dist/cli/options.js

@@ -0,0 +1,30 @@
+import { parseSecurityClassification } from '../core/models/security-classification.js';
+import { parseHttpMethod } from '../core/models/http-method.js';
+import { parseEndpointType } from '../core/models/endpoint-type.js';
+export const defaultScanOptions = {
+    output: 'terminal',
+    noColor: false,
+    noIcons: false,
+};
+export function parseClassificationList(value) {
+    return value
+        .split(',')
+        .map((v) => parseSecurityClassification(v.trim()))
+        .filter((v) => v !== undefined);
+}
+export function parseMethodList(value) {
+    return value
+        .split(',')
+        .map((v) => parseHttpMethod(v.trim()))
+        .filter((v) => v !== undefined);
+}
+export function parseApiStyleList(value) {
+    return value
+        .split(',')
+        .map((v) => parseEndpointType(v.trim()))
+        .filter((v) => v !== undefined);
+}
+export function parseRuleList(value) {
+    return value.split(',').map((v) => v.trim().toUpperCase());
+}
+//# sourceMappingURL=options.js.map

package/dist/core/analysis/project-analyzer.d.ts

@@ -0,0 +1,16 @@
+import { ScanResult } from '../models/scan-result.js';
+import { EndpointDiscoverer } from '../discovery/discoverer-interface.js';
+import { SecurityRule } from '../../rules/rule-interface.js';
+export declare class ProjectAnalyzer {
+    private sourceLoader;
+    private discoverers;
+    private rules;
+    constructor();
+    registerDiscoverer(discoverer: EndpointDiscoverer): void;
+    registerRule(rule: SecurityRule): void;
+    registerRules(rules: SecurityRule[]): void;
+    analyze(projectPath: string): Promise<ScanResult>;
+    private discoverEndpoints;
+    private evaluateRules;
+}
+//# sourceMappingURL=project-analyzer.d.ts.map

package/dist/core/analysis/project-analyzer.js

@@ -0,0 +1,54 @@
+import { createScanResult } from '../models/scan-result.js';
+import { SourceFileLoader } from './source-file-loader.js';
+export class ProjectAnalyzer {
+    sourceLoader;
+    discoverers = [];
+    rules = [];
+    constructor() {
+        this.sourceLoader = new SourceFileLoader();
+    }
+    registerDiscoverer(discoverer) {
+        this.discoverers.push(discoverer);
+    }
+    registerRule(rule) {
+        this.rules.push(rule);
+    }
+    registerRules(rules) {
+        this.rules.push(...rules);
+    }
+    async analyze(projectPath) {
+        const startTime = Date.now();
+        const sourceFiles = await this.sourceLoader.loadDirectory(projectPath);
+        const endpoints = await this.discoverEndpoints(sourceFiles);
+        const findings = this.evaluateRules(endpoints);
+        const scanDurationMs = Date.now() - startTime;
+        return createScanResult({
+            projectPath,
+            endpoints,
+            findings,
+            filesScanned: sourceFiles.length,
+            scanDurationMs,
+        });
+    }
+    async discoverEndpoints(sourceFiles) {
+        const endpoints = [];
+        for (const discoverer of this.discoverers) {
+            for (const file of sourceFiles) {
+                const discovered = await discoverer.discover(file);
+                endpoints.push(...discovered);
+            }
+        }
+        return endpoints;
+    }
+    evaluateRules(endpoints) {
+        const findings = [];
+        for (const rule of this.rules) {
+            for (const endpoint of endpoints) {
+                const ruleFindings = rule.evaluate(endpoint);
+                findings.push(...ruleFindings);
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=project-analyzer.js.map

package/dist/core/analysis/source-file-loader.d.ts

@@ -0,0 +1,32 @@
+import * as ts from 'typescript';
+export interface LoadedSourceFile {
+    filePath: string;
+    sourceFile: ts.SourceFile;
+    content: string;
+}
+export interface SourceFileLoaderOptions {
+    extensions?: string[];
+    excludePatterns?: string[];
+}
+export declare class SourceFileLoader {
+    private options;
+    private cache;
+    constructor(options?: SourceFileLoaderOptions);
+    loadDirectory(dirPath: string): Promise<LoadedSourceFile[]>;
+    loadFile(filePath: string): Promise<LoadedSourceFile | null>;
+    private getScriptKind;
+    clearCache(): void;
+}
+export declare function getLineAndColumn(sourceFile: ts.SourceFile, position: number): {
+    line: number;
+    column: number;
+};
+export declare function getNodeText(node: ts.Node, sourceFile: ts.SourceFile): string;
+export declare function findNodes<T extends ts.Node>(node: ts.Node, predicate: (node: ts.Node) => node is T): T[];
+export declare function findNodesOfKind<T extends ts.Node>(node: ts.Node, kind: ts.SyntaxKind): T[];
+export declare function getDecorators(node: ts.Node): ts.Decorator[];
+export declare function getDecoratorName(decorator: ts.Decorator): string | null;
+export declare function getDecoratorArguments(decorator: ts.Decorator): ts.Expression[];
+export declare function getStringLiteralValue(node: ts.Node): string | null;
+export declare function getArrayLiteralElements(node: ts.Node): ts.Expression[];
+//# sourceMappingURL=source-file-loader.d.ts.map

package/dist/core/analysis/source-file-loader.js

@@ -0,0 +1,155 @@
+import * as ts from 'typescript';
+import * as fs from 'fs';
+import * as path from 'path';
+import { glob } from 'glob';
+const defaultOptions = {
+    extensions: ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs'],
+    excludePatterns: [
+        '**/node_modules/**',
+        '**/dist/**',
+        '**/build/**',
+        '**/.git/**',
+        '**/coverage/**',
+        '**/*.spec.ts',
+        '**/*.test.ts',
+        '**/*.spec.js',
+        '**/*.test.js',
+    ],
+};
+export class SourceFileLoader {
+    options;
+    cache = new Map();
+    constructor(options = {}) {
+        this.options = { ...defaultOptions, ...options };
+    }
+    async loadDirectory(dirPath) {
+        const absolutePath = path.resolve(dirPath);
+        if (!fs.existsSync(absolutePath)) {
+            throw new Error(`Directory not found: ${absolutePath}`);
+        }
+        const patterns = this.options.extensions.map((ext) => `**/*${ext}`);
+        const files = [];
+        for (const pattern of patterns) {
+            const matches = await glob(pattern, {
+                cwd: absolutePath,
+                ignore: this.options.excludePatterns,
+                absolute: true,
+                nodir: true,
+            });
+            files.push(...matches);
+        }
+        const uniqueFiles = [...new Set(files)];
+        const loadedFiles = [];
+        for (const filePath of uniqueFiles) {
+            try {
+                const loaded = await this.loadFile(filePath);
+                if (loaded) {
+                    loadedFiles.push(loaded);
+                }
+            }
+            catch (error) {
+                // Skip files that can't be loaded/parsed
+                console.warn(`Warning: Could not load ${filePath}: ${error}`);
+            }
+        }
+        return loadedFiles;
+    }
+    async loadFile(filePath) {
+        const absolutePath = path.resolve(filePath);
+        if (this.cache.has(absolutePath)) {
+            return this.cache.get(absolutePath);
+        }
+        if (!fs.existsSync(absolutePath)) {
+            return null;
+        }
+        const content = fs.readFileSync(absolutePath, 'utf-8');
+        const sourceFile = ts.createSourceFile(absolutePath, content, ts.ScriptTarget.Latest, true, this.getScriptKind(absolutePath));
+        const loaded = {
+            filePath: absolutePath,
+            sourceFile,
+            content,
+        };
+        this.cache.set(absolutePath, loaded);
+        return loaded;
+    }
+    getScriptKind(filePath) {
+        const ext = path.extname(filePath).toLowerCase();
+        switch (ext) {
+            case '.ts':
+                return ts.ScriptKind.TS;
+            case '.tsx':
+                return ts.ScriptKind.TSX;
+            case '.js':
+            case '.mjs':
+            case '.cjs':
+                return ts.ScriptKind.JS;
+            case '.jsx':
+                return ts.ScriptKind.JSX;
+            default:
+                return ts.ScriptKind.Unknown;
+        }
+    }
+    clearCache() {
+        this.cache.clear();
+    }
+}
+export function getLineAndColumn(sourceFile, position) {
+    const { line, character } = sourceFile.getLineAndCharacterOfPosition(position);
+    return { line: line + 1, column: character + 1 };
+}
+export function getNodeText(node, sourceFile) {
+    return node.getText(sourceFile);
+}
+export function findNodes(node, predicate) {
+    const results = [];
+    function visit(n) {
+        if (predicate(n)) {
+            results.push(n);
+        }
+        ts.forEachChild(n, visit);
+    }
+    visit(node);
+    return results;
+}
+export function findNodesOfKind(node, kind) {
+    return findNodes(node, (n) => n.kind === kind);
+}
+export function getDecorators(node) {
+    if (ts.canHaveDecorators(node)) {
+        return (ts.getDecorators(node) ?? []);
+    }
+    return [];
+}
+export function getDecoratorName(decorator) {
+    const expression = decorator.expression;
+    if (ts.isIdentifier(expression)) {
+        return expression.text;
+    }
+    if (ts.isCallExpression(expression)) {
+        const callee = expression.expression;
+        if (ts.isIdentifier(callee)) {
+            return callee.text;
+        }
+    }
+    return null;
+}
+export function getDecoratorArguments(decorator) {
+    const expression = decorator.expression;
+    if (ts.isCallExpression(expression)) {
+        return [...expression.arguments];
+    }
+    return [];
+}
+export function getStringLiteralValue(node) {
+    if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
+        return node.text;
+    }
+    return null;
+}
+export function getArrayLiteralElements(node) {
+    if (ts.isArrayLiteralExpression(node)) {
+        return [...node.elements];
+    }
+    return [];
+}
+//# sourceMappingURL=source-file-loader.js.map

package/dist/core/authorization/authorization-extractor.d.ts

@@ -0,0 +1,11 @@
+import { AuthorizationInfo } from '../models/authorization-info.js';
+export interface AuthorizationExtractorContext {
+    isRouter?: boolean;
+    routerMiddlewares?: string[];
+    classGuards?: string[];
+    classRoles?: string[];
+}
+export interface AuthorizationExtractor {
+    extract(middlewares: string[], context?: AuthorizationExtractorContext): AuthorizationInfo;
+}
+//# sourceMappingURL=authorization-extractor.d.ts.map

package/dist/core/authorization/authorization-extractor.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=authorization-extractor.js.map

package/dist/core/authorization/express-auth-extractor.d.ts

@@ -0,0 +1,10 @@
+import { AuthorizationInfo } from '../models/authorization-info.js';
+import { AuthorizationExtractor, AuthorizationExtractorContext } from './authorization-extractor.js';
+export declare class ExpressAuthExtractor implements AuthorizationExtractor {
+    extract(middlewares: string[], context?: AuthorizationExtractorContext): AuthorizationInfo;
+    private processMiddleware;
+    private matchesPatterns;
+    private containsAuthKeyword;
+    private extractRolesFromMiddleware;
+}
+//# sourceMappingURL=express-auth-extractor.d.ts.map

package/dist/core/authorization/express-auth-extractor.js

@@ -0,0 +1,106 @@
+import { createDefaultAuthorizationInfo, determineClassification, } from '../models/authorization-info.js';
+// Common authentication middleware patterns
+const AUTH_MIDDLEWARE_PATTERNS = [
+    /^passport\.authenticate/i,
+    /^jwt$/i,
+    /^expressjwt$/i,
+    /^requireAuth$/i,
+    /^ensureAuthenticated$/i,
+    /^isAuthenticated$/i,
+    /^authenticate$/i,
+    /^authMiddleware$/i,
+    /^checkAuth$/i,
+    /^verifyToken$/i,
+    /^validateToken$/i,
+    /^bearerToken$/i,
+    /^auth$/i,
+    /^protected$/i,
+];
+// Common explicit public/anonymous patterns
+const PUBLIC_PATTERNS = [
+    /^allowAnonymous$/i,
+    /^public$/i,
+    /^skipAuth$/i,
+    /^noAuth$/i,
+    /^optional$/i,
+];
+// Role-based middleware patterns
+const ROLE_PATTERNS = [
+    /^requireRole$/i,
+    /^hasRole$/i,
+    /^roles$/i,
+    /^checkRole$/i,
+    /^authorize$/i,
+    /^can$/i,
+    /^permit$/i,
+];
+export class ExpressAuthExtractor {
+    extract(middlewares, context) {
+        const allMiddlewares = [
+            ...(context?.routerMiddlewares ?? []),
+            ...middlewares,
+        ];
+        const auth = createDefaultAuthorizationInfo();
+        auth.middlewareChain = allMiddlewares;
+        for (const middleware of allMiddlewares) {
+            this.processMiddleware(middleware, auth);
+        }
+        auth.classification = determineClassification(auth);
+        return auth;
+    }
+    processMiddleware(middleware, auth) {
+        const normalizedName = middleware.trim();
+        // Check for explicit public markers
+        if (this.matchesPatterns(normalizedName, PUBLIC_PATTERNS)) {
+            auth.isExplicitlyPublic = true;
+            return;
+        }
+        // Check for authentication middleware
+        if (this.matchesPatterns(normalizedName, AUTH_MIDDLEWARE_PATTERNS)) {
+            auth.isAuthenticated = true;
+            auth.guardNames.push(normalizedName);
+            return;
+        }
+        // Check for role-based middleware
+        if (this.matchesPatterns(normalizedName, ROLE_PATTERNS)) {
+            auth.isAuthenticated = true;
+            // Try to extract role names from common patterns
+            const roles = this.extractRolesFromMiddleware(normalizedName);
+            auth.roles.push(...roles);
+            return;
+        }
+        // Check for common auth patterns in the middleware name
+        if (this.containsAuthKeyword(normalizedName)) {
+            auth.isAuthenticated = true;
+            auth.guardNames.push(normalizedName);
+        }
+    }
+    matchesPatterns(name, patterns) {
+        // Get just the function/method name (strip object prefix)
+        const funcName = name.includes('.') ? name.split('.').pop() : name;
+        return patterns.some((pattern) => pattern.test(funcName));
+    }
+    containsAuthKeyword(name) {
+        const keywords = ['auth', 'jwt', 'token', 'session', 'login', 'secure'];
+        const lower = name.toLowerCase();
+        return keywords.some((kw) => lower.includes(kw));
+    }
+    extractRolesFromMiddleware(middleware) {
+        // Try to extract roles from patterns like:
+        // requireRole('admin'), hasRole(['user', 'admin']), roles('manager')
+        const roleMatch = middleware.match(/\(['"]?([^'")\]]+)['"]?\]/i);
+        if (roleMatch) {
+            return roleMatch[1].split(',').map((r) => r.trim().replace(/['"]/g, ''));
+        }
+        // For patterns like authorize.admin or can.read
+        if (middleware.includes('.')) {
+            const parts = middleware.split('.');
+            const lastPart = parts[parts.length - 1];
+            if (!this.matchesPatterns(lastPart, AUTH_MIDDLEWARE_PATTERNS)) {
+                return [lastPart];
+            }
+        }
+        return [];
+    }
+}
+//# sourceMappingURL=express-auth-extractor.js.map

package/dist/core/authorization/global-auth-analyzer.d.ts

@@ -0,0 +1,12 @@
+import { LoadedSourceFile } from '../analysis/source-file-loader.js';
+export interface GlobalAuthConfig {
+    hasGlobalGuard: boolean;
+    globalGuardName?: string;
+    hasGlobalPrefix: boolean;
+    globalPrefix?: string;
+}
+export declare class GlobalAuthAnalyzer {
+    analyze(files: LoadedSourceFile[]): GlobalAuthConfig;
+    private analyzeFile;
+}
+//# sourceMappingURL=global-auth-analyzer.d.ts.map

package/dist/core/authorization/global-auth-analyzer.js

@@ -0,0 +1,74 @@
+import * as ts from 'typescript';
+import { findNodes } from '../analysis/source-file-loader.js';
+export class GlobalAuthAnalyzer {
+    analyze(files) {
+        const config = {
+            hasGlobalGuard: false,
+            hasGlobalPrefix: false,
+        };
+        for (const file of files) {
+            this.analyzeFile(file, config);
+        }
+        return config;
+    }
+    analyzeFile(file, config) {
+        const { sourceFile } = file;
+        // Look for app.useGlobalGuards() calls
+        const callExpressions = findNodes(sourceFile, ts.isCallExpression);
+        for (const callExpr of callExpressions) {
+            // Check for app.useGlobalGuards(new AuthGuard())
+            if (ts.isPropertyAccessExpression(callExpr.expression)) {
+                const propAccess = callExpr.expression;
+                const methodName = propAccess.name.text;
+                if (methodName === 'useGlobalGuards') {
+                    config.hasGlobalGuard = true;
+                    // Try to extract guard name
+                    if (callExpr.arguments.length > 0) {
+                        const arg = callExpr.arguments[0];
+                        if (ts.isNewExpression(arg) && ts.isIdentifier(arg.expression)) {
+                            config.globalGuardName = arg.expression.text;
+                        }
+                    }
+                }
+                if (methodName === 'setGlobalPrefix') {
+                    config.hasGlobalPrefix = true;
+                    if (callExpr.arguments.length > 0) {
+                        const arg = callExpr.arguments[0];
+                        if (ts.isStringLiteral(arg)) {
+                            config.globalPrefix = arg.text;
+                        }
+                    }
+                }
+            }
+            // Check for APP_GUARD provider pattern
+            // { provide: APP_GUARD, useClass: AuthGuard }
+            if (callExpr.arguments.length > 0 &&
+                ts.isObjectLiteralExpression(callExpr.arguments[0])) {
+                const objLiteral = callExpr.arguments[0];
+                let hasAppGuard = false;
+                let guardName;
+                for (const prop of objLiteral.properties) {
+                    if (ts.isPropertyAssignment(prop) && ts.isIdentifier(prop.name)) {
+                        if (prop.name.text === 'provide') {
+                            if (ts.isIdentifier(prop.initializer)) {
+                                if (prop.initializer.text === 'APP_GUARD') {
+                                    hasAppGuard = true;
+                                }
+                            }
+                        }
+                        if (prop.name.text === 'useClass') {
+                            if (ts.isIdentifier(prop.initializer)) {
+                                guardName = prop.initializer.text;
+                            }
+                        }
+                    }
+                }
+                if (hasAppGuard && guardName) {
+                    config.hasGlobalGuard = true;
+                    config.globalGuardName = guardName;
+                }
+            }
+        }
+    }
+}
+//# sourceMappingURL=global-auth-analyzer.js.map

package/dist/core/authorization/nestjs-auth-extractor.d.ts

@@ -0,0 +1,13 @@
+import * as ts from 'typescript';
+import { AuthorizationInfo } from '../models/authorization-info.js';
+export interface NestJSAuthContext {
+    classGuards?: string[];
+    classRoles?: string[];
+    isPublic?: boolean;
+}
+export declare class NestJSAuthExtractor {
+    extract(decorators: ts.Decorator[], context?: NestJSAuthContext): AuthorizationInfo;
+    private processDecorator;
+    private isAuthGuard;
+}
+//# sourceMappingURL=nestjs-auth-extractor.d.ts.map

package/dist/core/authorization/nestjs-auth-extractor.js

@@ -0,0 +1,142 @@
+import * as ts from 'typescript';
+import { createDefaultAuthorizationInfo, determineClassification, } from '../models/authorization-info.js';
+import { getDecoratorName, getDecoratorArguments, getStringLiteralValue, getArrayLiteralElements, } from '../analysis/source-file-loader.js';
+// Auth guard patterns
+const AUTH_GUARD_PATTERNS = [
+    /AuthGuard/i,
+    /JwtAuthGuard/i,
+    /LocalAuthGuard/i,
+    /SessionGuard/i,
+    /BearerGuard/i,
+    /TokenGuard/i,
+];
+// Public decorator names
+const PUBLIC_DECORATORS = new Set([
+    'Public',
+    'AllowAnonymous',
+    'SkipAuth',
+    'NoAuth',
+    'IsPublic',
+]);
+// Role decorator names
+const ROLE_DECORATORS = new Set(['Roles', 'RequireRoles', 'HasRoles', 'Authorize']);
+// Policy decorator names
+const POLICY_DECORATORS = new Set(['Policies', 'RequirePolicies', 'CheckPolicies']);
+export class NestJSAuthExtractor {
+    extract(decorators, context) {
+        const auth = createDefaultAuthorizationInfo();
+        // Apply class-level auth first
+        if (context?.classGuards) {
+            for (const guard of context.classGuards) {
+                if (this.isAuthGuard(guard)) {
+                    auth.isAuthenticated = true;
+                    auth.guardNames.push(guard);
+                }
+            }
+        }
+        if (context?.classRoles) {
+            auth.roles.push(...context.classRoles);
+            if (context.classRoles.length > 0) {
+                auth.isAuthenticated = true;
+            }
+        }
+        if (context?.isPublic) {
+            auth.isExplicitlyPublic = true;
+        }
+        // Process method-level decorators (can override class-level)
+        for (const decorator of decorators) {
+            this.processDecorator(decorator, auth);
+        }
+        // Method-level @Public overrides class-level guards
+        const hasMethodPublic = decorators.some((d) => {
+            const name = getDecoratorName(d);
+            return name && PUBLIC_DECORATORS.has(name);
+        });
+        if (hasMethodPublic) {
+            auth.isExplicitlyPublic = true;
+            // Don't clear isAuthenticated as it creates the AP003 conflict scenario
+        }
+        auth.classification = determineClassification(auth);
+        return auth;
+    }
+    processDecorator(decorator, auth) {
+        const name = getDecoratorName(decorator);
+        if (!name)
+            return;
+        // Check for @Public or similar
+        if (PUBLIC_DECORATORS.has(name)) {
+            auth.isExplicitlyPublic = true;
+            return;
+        }
+        // Check for @UseGuards
+        if (name === 'UseGuards') {
+            const args = getDecoratorArguments(decorator);
+            for (const arg of args) {
+                if (ts.isIdentifier(arg)) {
+                    const guardName = arg.text;
+                    if (this.isAuthGuard(guardName)) {
+                        auth.isAuthenticated = true;
+                    }
+                    auth.guardNames.push(guardName);
+                }
+                // Handle UseGuards(AuthGuard('jwt'))
+                if (ts.isCallExpression(arg)) {
+                    if (ts.isIdentifier(arg.expression)) {
+                        const guardName = arg.expression.text;
+                        if (this.isAuthGuard(guardName)) {
+                            auth.isAuthenticated = true;
+                        }
+                        auth.guardNames.push(guardName);
+                    }
+                }
+            }
+            return;
+        }
+        // Check for @Roles
+        if (ROLE_DECORATORS.has(name)) {
+            const args = getDecoratorArguments(decorator);
+            for (const arg of args) {
+                // @Roles('admin', 'user')
+                const value = getStringLiteralValue(arg);
+                if (value) {
+                    auth.roles.push(value);
+                    auth.isAuthenticated = true;
+                }
+                // @Roles(['admin', 'user'])
+                const arrayElements = getArrayLiteralElements(arg);
+                for (const elem of arrayElements) {
+                    const elemValue = getStringLiteralValue(elem);
+                    if (elemValue) {
+                        auth.roles.push(elemValue);
+                        auth.isAuthenticated = true;
+                    }
+                }
+            }
+            return;
+        }
+        // Check for @Policies
+        if (POLICY_DECORATORS.has(name)) {
+            const args = getDecoratorArguments(decorator);
+            for (const arg of args) {
+                const value = getStringLiteralValue(arg);
+                if (value) {
+                    auth.policies.push(value);
+                    auth.isAuthenticated = true;
+                }
+                const arrayElements = getArrayLiteralElements(arg);
+                for (const elem of arrayElements) {
+                    const elemValue = getStringLiteralValue(elem);
+                    if (elemValue) {
+                        auth.policies.push(elemValue);
+                        auth.isAuthenticated = true;
+                    }
+                }
+            }
+            return;
+        }
+    }
+    isAuthGuard(guardName) {
+        return AUTH_GUARD_PATTERNS.some((pattern) => pattern.test(guardName));
+    }
+}
+//# sourceMappingURL=nestjs-auth-extractor.js.map