@apiposture/cli 1.0.1

package/dist/core/configuration/config-loader.d.ts

@@ -0,0 +1,27 @@
+import { RuleConfig } from '../../rules/rule-interface.js';
+export interface ApiPostureConfig {
+    rules?: Record<string, RuleConfig>;
+    suppressions?: SuppressionConfig[];
+    output?: {
+        format?: 'terminal' | 'json' | 'markdown';
+        noColor?: boolean;
+        noIcons?: boolean;
+    };
+    scan?: {
+        excludePatterns?: string[];
+        includePatterns?: string[];
+    };
+}
+export interface SuppressionConfig {
+    ruleId?: string;
+    route?: string;
+    routePattern?: string;
+    method?: string;
+    reason: string;
+}
+export declare class ConfigLoader {
+    load(configPath?: string): Promise<ApiPostureConfig>;
+    private findConfigFile;
+    private validateConfig;
+}
+//# sourceMappingURL=config-loader.d.ts.map

package/dist/core/configuration/config-loader.js

@@ -0,0 +1,72 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import { parseSeverity } from '../models/severity.js';
+const CONFIG_FILE_NAMES = [
+    '.apiposture.json',
+    'apiposture.json',
+    '.apiposture.config.json',
+];
+export class ConfigLoader {
+    async load(configPath) {
+        let filePath = configPath ?? null;
+        // If no path specified, search for config file
+        if (!filePath) {
+            filePath = this.findConfigFile(process.cwd());
+        }
+        if (!filePath) {
+            return {};
+        }
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const config = JSON.parse(content);
+            return this.validateConfig(config);
+        }
+        catch (error) {
+            if (configPath) {
+                // Only throw if user explicitly specified a config path
+                throw new Error(`Failed to load config from ${filePath}: ${error}`);
+            }
+            return {};
+        }
+    }
+    findConfigFile(startDir) {
+        let currentDir = startDir;
+        let parentDir = path.dirname(currentDir);
+        while (currentDir !== parentDir) {
+            for (const fileName of CONFIG_FILE_NAMES) {
+                const filePath = path.join(currentDir, fileName);
+                if (fs.existsSync(filePath)) {
+                    return filePath;
+                }
+            }
+            currentDir = parentDir;
+            parentDir = path.dirname(currentDir);
+        }
+        return null;
+    }
+    validateConfig(config) {
+        // Validate rules config
+        if (config.rules) {
+            for (const [ruleId, ruleConfig] of Object.entries(config.rules)) {
+                if (ruleConfig.severity) {
+                    const parsed = parseSeverity(ruleConfig.severity);
+                    if (!parsed) {
+                        console.warn(`Invalid severity "${ruleConfig.severity}" for rule ${ruleId}`);
+                    }
+                }
+            }
+        }
+        // Validate suppressions
+        if (config.suppressions) {
+            config.suppressions = config.suppressions.filter((s) => {
+                if (!s.reason) {
+                    console.warn('Suppression missing required "reason" field, skipping');
+                    return false;
+                }
+                return true;
+            });
+        }
+        return config;
+    }
+}
+//# sourceMappingURL=config-loader.js.map

package/dist/core/configuration/suppression-matcher.d.ts

@@ -0,0 +1,14 @@
+import { Finding } from '../models/finding.js';
+import { Endpoint } from '../models/endpoint.js';
+import { SuppressionConfig } from './config-loader.js';
+export declare class SuppressionMatcher {
+    private suppressions;
+    constructor(suppressions?: SuppressionConfig[]);
+    applySuppressionsToFindings(findings: Finding[]): Finding[];
+    isEndpointSuppressed(endpoint: Endpoint, ruleId: string): SuppressionConfig | null;
+    private findMatchingSuppression;
+    private matchesFinding;
+    private matchesEndpoint;
+    private matchesRoutePattern;
+}
+//# sourceMappingURL=suppression-matcher.d.ts.map

package/dist/core/configuration/suppression-matcher.js

@@ -0,0 +1,79 @@
+export class SuppressionMatcher {
+    suppressions;
+    constructor(suppressions = []) {
+        this.suppressions = suppressions;
+    }
+    applySuppressionsToFindings(findings) {
+        return findings.map((finding) => {
+            const suppression = this.findMatchingSuppression(finding);
+            if (suppression) {
+                return {
+                    ...finding,
+                    suppressed: true,
+                    suppressionReason: suppression.reason,
+                };
+            }
+            return finding;
+        });
+    }
+    isEndpointSuppressed(endpoint, ruleId) {
+        for (const suppression of this.suppressions) {
+            if (this.matchesEndpoint(suppression, endpoint, ruleId)) {
+                return suppression;
+            }
+        }
+        return null;
+    }
+    findMatchingSuppression(finding) {
+        for (const suppression of this.suppressions) {
+            if (this.matchesFinding(suppression, finding)) {
+                return suppression;
+            }
+        }
+        return null;
+    }
+    matchesFinding(suppression, finding) {
+        return this.matchesEndpoint(suppression, finding.endpoint, finding.ruleId);
+    }
+    matchesEndpoint(suppression, endpoint, ruleId) {
+        // Check rule ID
+        if (suppression.ruleId && suppression.ruleId !== ruleId) {
+            return false;
+        }
+        // Check HTTP method
+        if (suppression.method && suppression.method.toUpperCase() !== endpoint.method) {
+            return false;
+        }
+        // Check exact route match
+        if (suppression.route && suppression.route !== endpoint.route) {
+            return false;
+        }
+        // Check route pattern (regex or glob-like)
+        if (suppression.routePattern) {
+            if (!this.matchesRoutePattern(suppression.routePattern, endpoint.route)) {
+                return false;
+            }
+        }
+        return true;
+    }
+    matchesRoutePattern(pattern, route) {
+        // Convert glob-like pattern to regex
+        // * matches any segment, ** matches any path
+        let regexPattern = pattern
+            .replace(/\*\*/g, '<<<DOUBLE_STAR>>>')
+            .replace(/\*/g, '[^/]+')
+            .replace(/<<<DOUBLE_STAR>>>/g, '.*');
+        // Escape regex special chars except those we converted
+        regexPattern = regexPattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+        // Anchor the pattern
+        regexPattern = `^${regexPattern}$`;
+        try {
+            const regex = new RegExp(regexPattern);
+            return regex.test(route);
+        }
+        catch {
+            return false;
+        }
+    }
+}
+//# sourceMappingURL=suppression-matcher.js.map

package/dist/core/discovery/discoverer-interface.d.ts

@@ -0,0 +1,7 @@
+import { Endpoint } from '../models/endpoint.js';
+import { LoadedSourceFile } from '../analysis/source-file-loader.js';
+export interface EndpointDiscoverer {
+    readonly name: string;
+    discover(file: LoadedSourceFile): Promise<Endpoint[]>;
+}
+//# sourceMappingURL=discoverer-interface.d.ts.map

package/dist/core/discovery/discoverer-interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=discoverer-interface.js.map

package/dist/core/discovery/express-discoverer.d.ts

@@ -0,0 +1,20 @@
+import { EndpointDiscoverer } from './discoverer-interface.js';
+import { LoadedSourceFile } from '../analysis/source-file-loader.js';
+import { Endpoint } from '../models/endpoint.js';
+export declare class ExpressDiscoverer implements EndpointDiscoverer {
+    readonly name = "Express.js";
+    private registry;
+    private authExtractor;
+    constructor();
+    discover(file: LoadedSourceFile): Promise<Endpoint[]>;
+    private collectRouterMounts;
+    private processCallExpression;
+    private getCallerName;
+    private isExpressIdentifier;
+    private extractRoutePath;
+    private extractMiddlewares;
+    private extractMiddlewareName;
+    private extractHandlerName;
+    private normalizePath;
+}
+//# sourceMappingURL=express-discoverer.d.ts.map

package/dist/core/discovery/express-discoverer.js

@@ -0,0 +1,223 @@
+import * as ts from 'typescript';
+import { getLineAndColumn, findNodes } from '../analysis/source-file-loader.js';
+import { createEndpoint } from '../models/endpoint.js';
+import { EndpointType } from '../models/endpoint-type.js';
+import { HttpMethod, parseHttpMethod } from '../models/http-method.js';
+import { RouteGroupRegistry } from './route-group-registry.js';
+import { ExpressAuthExtractor } from '../authorization/express-auth-extractor.js';
+const EXPRESS_HTTP_METHODS = new Set([
+    'get', 'post', 'put', 'delete', 'patch', 'options', 'head', 'all'
+]);
+const EXPRESS_IDENTIFIERS = new Set(['app', 'router', 'express']);
+export class ExpressDiscoverer {
+    name = 'Express.js';
+    registry;
+    authExtractor;
+    constructor() {
+        this.registry = new RouteGroupRegistry();
+        this.authExtractor = new ExpressAuthExtractor();
+    }
+    async discover(file) {
+        const endpoints = [];
+        const { sourceFile, filePath } = file;
+        // First pass: collect router mounts and route groups
+        this.collectRouterMounts(sourceFile, filePath);
+        // Second pass: find route definitions
+        const callExpressions = findNodes(sourceFile, ts.isCallExpression);
+        for (const callExpr of callExpressions) {
+            const endpoint = this.processCallExpression(callExpr, sourceFile, filePath);
+            if (endpoint) {
+                endpoints.push(endpoint);
+            }
+        }
+        return endpoints;
+    }
+    collectRouterMounts(sourceFile, filePath) {
+        const callExpressions = findNodes(sourceFile, ts.isCallExpression);
+        for (const callExpr of callExpressions) {
+            // Look for app.use('/prefix', router)
+            if (!ts.isPropertyAccessExpression(callExpr.expression))
+                continue;
+            const propAccess = callExpr.expression;
+            const methodName = propAccess.name.text;
+            if (methodName !== 'use')
+                continue;
+            const args = callExpr.arguments;
+            if (args.length < 2)
+                continue;
+            const firstArg = args[0];
+            const secondArg = args[1];
+            // Check for app.use('/prefix', router)
+            if (ts.isStringLiteral(firstArg) && ts.isIdentifier(secondArg)) {
+                const prefix = firstArg.text;
+                const routerName = secondArg.text;
+                const appName = ts.isIdentifier(propAccess.expression)
+                    ? propAccess.expression.text
+                    : '';
+                if (appName) {
+                    this.registry.registerRouterMount(filePath, appName, prefix, routerName);
+                }
+            }
+        }
+    }
+    processCallExpression(callExpr, sourceFile, filePath) {
+        // Check for pattern: app.get('/path', handler) or router.post('/path', handler)
+        if (!ts.isPropertyAccessExpression(callExpr.expression)) {
+            return null;
+        }
+        const propAccess = callExpr.expression;
+        const methodName = propAccess.name.text.toLowerCase();
+        // Check if this is an HTTP method call
+        if (!EXPRESS_HTTP_METHODS.has(methodName)) {
+            return null;
+        }
+        // Check if caller is an Express identifier
+        const callerName = this.getCallerName(propAccess.expression);
+        if (!callerName || !this.isExpressIdentifier(callerName)) {
+            return null;
+        }
+        // Get route path from first argument
+        const args = callExpr.arguments;
+        if (args.length === 0) {
+            return null;
+        }
+        const routePath = this.extractRoutePath(args[0]);
+        if (!routePath) {
+            return null;
+        }
+        // Get prefix if this is a router
+        const prefix = this.registry.getRouterPrefix(filePath, callerName);
+        const fullRoute = this.normalizePath(prefix + routePath);
+        // Extract middleware chain (all arguments except last handler)
+        const middlewares = this.extractMiddlewares(args, sourceFile);
+        // Get handler name
+        const handlerName = this.extractHandlerName(args[args.length - 1], sourceFile);
+        // Get location
+        const location = getLineAndColumn(sourceFile, callExpr.getStart(sourceFile));
+        // Extract authorization info
+        const authorization = this.authExtractor.extract(middlewares, {
+            isRouter: callerName !== 'app',
+            routerMiddlewares: this.registry.getAllMiddlewares(filePath, callerName),
+        });
+        return createEndpoint({
+            route: fullRoute,
+            method: parseHttpMethod(methodName.toUpperCase()) ?? HttpMethod.GET,
+            handlerName,
+            type: EndpointType.Express,
+            location: {
+                filePath,
+                line: location.line,
+                column: location.column,
+            },
+            authorization,
+        });
+    }
+    getCallerName(expression) {
+        if (ts.isIdentifier(expression)) {
+            return expression.text;
+        }
+        return null;
+    }
+    isExpressIdentifier(name) {
+        // Common Express variable names
+        if (EXPRESS_IDENTIFIERS.has(name)) {
+            return true;
+        }
+        // Also match common patterns like userRouter, apiRouter, etc.
+        if (name.toLowerCase().includes('router') || name.toLowerCase().includes('app')) {
+            return true;
+        }
+        return false;
+    }
+    extractRoutePath(node) {
+        if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
+            return node.text;
+        }
+        // Handle template literals with embedded expressions (extract just the static parts)
+        if (ts.isTemplateExpression(node)) {
+            let path = node.head.text;
+            for (const span of node.templateSpans) {
+                path += ':param' + span.literal.text;
+            }
+            return path;
+        }
+        return null;
+    }
+    extractMiddlewares(args, sourceFile) {
+        const middlewares = [];
+        // All arguments except possibly the last one (the main handler) could be middleware
+        for (let i = 0; i < args.length - 1; i++) {
+            const arg = args[i];
+            // Skip the route path (first arg if it's a string)
+            if (i === 0 && (ts.isStringLiteral(arg) || ts.isTemplateExpression(arg))) {
+                continue;
+            }
+            const middlewareName = this.extractMiddlewareName(arg, sourceFile);
+            if (middlewareName) {
+                middlewares.push(middlewareName);
+            }
+        }
+        return middlewares;
+    }
+    extractMiddlewareName(node, sourceFile) {
+        // Direct identifier: requireAuth
+        if (ts.isIdentifier(node)) {
+            return node.text;
+        }
+        // Call expression: passport.authenticate('jwt')
+        if (ts.isCallExpression(node)) {
+            if (ts.isPropertyAccessExpression(node.expression)) {
+                const obj = node.expression.expression;
+                const method = node.expression.name;
+                if (ts.isIdentifier(obj) && ts.isIdentifier(method)) {
+                    return `${obj.text}.${method.text}`;
+                }
+            }
+            if (ts.isIdentifier(node.expression)) {
+                return node.expression.text;
+            }
+        }
+        // Property access: auth.requireRole
+        if (ts.isPropertyAccessExpression(node)) {
+            const text = node.getText(sourceFile);
+            return text;
+        }
+        // Array of middleware: [auth, validate]
+        if (ts.isArrayLiteralExpression(node)) {
+            return node.elements
+                .map((el) => this.extractMiddlewareName(el, sourceFile))
+                .filter(Boolean)
+                .join(',');
+        }
+        return null;
+    }
+    extractHandlerName(node, sourceFile) {
+        // Direct identifier
+        if (ts.isIdentifier(node)) {
+            return node.text;
+        }
+        // Property access: controller.method
+        if (ts.isPropertyAccessExpression(node)) {
+            return node.getText(sourceFile);
+        }
+        // Arrow function or function expression
+        if (ts.isArrowFunction(node) || ts.isFunctionExpression(node)) {
+            return 'anonymous';
+        }
+        return 'unknown';
+    }
+    normalizePath(path) {
+        // Ensure path starts with /
+        if (!path.startsWith('/')) {
+            path = '/' + path;
+        }
+        // Remove duplicate slashes
+        path = path.replace(/\/+/g, '/');
+        // Remove trailing slash (except for root)
+        if (path.length > 1 && path.endsWith('/')) {
+            path = path.slice(0, -1);
+        }
+        return path;
+    }
+}
+//# sourceMappingURL=express-discoverer.js.map

package/dist/core/discovery/fastify-discoverer.d.ts

@@ -0,0 +1,19 @@
+import { EndpointDiscoverer } from './discoverer-interface.js';
+import { LoadedSourceFile } from '../analysis/source-file-loader.js';
+import { Endpoint } from '../models/endpoint.js';
+export declare class FastifyDiscoverer implements EndpointDiscoverer {
+    readonly name = "Fastify";
+    discover(file: LoadedSourceFile): Promise<Endpoint[]>;
+    private processShorthandRoute;
+    private processRouteMethod;
+    private extractAuthFromOptions;
+    private extractHooksAuth;
+    private extractHookName;
+    private isAuthHook;
+    private getCallerName;
+    private isFastifyIdentifier;
+    private extractStringValue;
+    private extractHandlerName;
+    private normalizePath;
+}
+//# sourceMappingURL=fastify-discoverer.d.ts.map