@aspect-guard/core 0.1.0 → 0.4.0

package/dist/index.js

@@ -24,6 +24,7 @@ import * as path from "path";
 var IDE_PATHS = {
   "VS Code": ["~/.vscode/extensions"],
   "VS Code Insiders": ["~/.vscode-insiders/extensions"],
+  "VS Code Server": ["~/.vscode-server/extensions"],
   Cursor: ["~/.cursor/extensions"],
   Windsurf: ["~/.windsurf/extensions"],
   Trae: ["~/.trae/extensions"],
@@ -133,9 +134,7 @@ async function readExtensionsFromDirectory(directoryPath) {
     const entries = await fs2.readdir(directoryPath, { withFileTypes: true });
     const directories = entries.filter((entry) => entry.isDirectory());
     const results = await Promise.all(
-      directories.map(
-        (dir) => readExtension(path2.join(directoryPath, dir.name))
-      )
+      directories.map((dir) => readExtension(path2.join(directoryPath, dir.name)))
     );
     for (const result of results) {
       if (result) {
@@ -151,22 +150,8 @@ async function readExtensionsFromDirectory(directoryPath) {
 // src/scanner/file-collector.ts
 import * as fs3 from "fs/promises";
 import * as path3 from "path";
-var COLLECTED_EXTENSIONS = /* @__PURE__ */ new Set([
-  ".js",
-  ".ts",
-  ".jsx",
-  ".tsx",
-  ".mjs",
-  ".cjs",
-  ".json"
-]);
-var IGNORED_DIRECTORIES = /* @__PURE__ */ new Set([
-  "node_modules",
-  ".git",
-  ".svn",
-  ".hg",
-  "__pycache__"
-]);
+var COLLECTED_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs", ".json"]);
+var IGNORED_DIRECTORIES = /* @__PURE__ */ new Set(["node_modules", ".git", ".svn", ".hg", "__pycache__"]);
 var IGNORED_PATTERNS = [/\.min\.js$/, /\.map$/, /\.d\.ts$/];
 var MAX_FILE_SIZE = 1024 * 1024;
 function shouldCollectFile(filePath) {
@@ -304,6 +289,617 @@ var RuleEngine = class {
   }
 };
 
+// src/data/trusted-publishers.ts
+var TRUSTED_PUBLISHERS = [
+  // Microsoft official
+  "ms-python",
+  "ms-vscode",
+  "ms-dotnettools",
+  "ms-azuretools",
+  "ms-toolsai",
+  "microsoft",
+  "vscode",
+  // GitHub
+  "github",
+  // Major language support
+  "golang",
+  "rust-lang",
+  "redhat",
+  "oracle",
+  "julialang",
+  // Major tool vendors
+  "esbenp",
+  // Prettier
+  "dbaeumer",
+  // ESLint
+  "eamodio",
+  // GitLens
+  // Cloud providers
+  "amazonwebservices",
+  "googlecloudtools",
+  "hashicorp",
+  // Other major vendors
+  "jetbrains",
+  "docker",
+  "mongodb",
+  "prisma",
+  "vscjava",
+  // Microsoft Java
+  // Popular developer tool vendors
+  "formulahendry",
+  // Code Runner (10M+ downloads)
+  "ritwickdey",
+  // Live Server (50M+ downloads)
+  "humao",
+  // REST Client (5M+ downloads)
+  "rangav",
+  // Thunder Client (3M+ downloads)
+  "mtxr",
+  // SQLTools
+  "cweijan",
+  // Database Client
+  // Remote development
+  "ms-vscode-remote",
+  // Remote-SSH, Dev Containers, WSL
+  // Testing
+  "hbenl",
+  // Test Explorer UI
+  "firsttris",
+  // Jest Runner
+  "orta",
+  // vscode-jest
+  // Notebooks
+  "ms-toolsai"
+  // Jupyter
+];
+var TRUSTED_EXTENSION_IDS = [
+  // These are explicitly trusted extension IDs
+  "github.copilot",
+  "github.copilot-chat",
+  "ms-python.python",
+  "ms-python.vscode-pylance",
+  "ms-vscode.cpptools",
+  "golang.go",
+  "rust-lang.rust-analyzer"
+];
+function isTrustedPublisher(publisher) {
+  const normalized = publisher.toLowerCase();
+  return TRUSTED_PUBLISHERS.some((p) => normalized === p.toLowerCase());
+}
+function isTrustedExtension(extensionId) {
+  const normalized = extensionId.toLowerCase();
+  return TRUSTED_EXTENSION_IDS.some((id) => normalized === id.toLowerCase());
+}
+
+// src/data/verified-publishers.ts
+var VERIFIED_PUBLISHERS = [
+  // Microsoft & GitHub (already trusted, but also verified)
+  "microsoft",
+  "ms-python",
+  "ms-vscode",
+  "ms-dotnettools",
+  "ms-azuretools",
+  "ms-toolsai",
+  "ms-vscode-remote",
+  "ms-kubernetes-tools",
+  "ms-playwright",
+  "vscode",
+  "github",
+  "vscjava",
+  // Major cloud providers (verified)
+  "amazonwebservices",
+  "googlecloudtools",
+  "hashicorp",
+  // Major language/framework vendors (verified)
+  "golang",
+  "rust-lang",
+  "redhat",
+  "oracle",
+  "julialang",
+  "dart-code",
+  "flutter",
+  "svelte",
+  "vue",
+  "angular",
+  "astro-build",
+  // Major tool vendors (verified)
+  "jetbrains",
+  "docker",
+  "mongodb",
+  "prisma",
+  "atlassian",
+  "gitlab",
+  "sourcegraph",
+  "snyk-security",
+  "sonarqube",
+  "datadog",
+  // Popular extension vendors (verified)
+  "davidanson",
+  // markdownlint
+  "esbenp",
+  // Prettier
+  "dbaeumer",
+  // ESLint
+  "eamodio",
+  // GitLens
+  "streetsidesoftware",
+  // Code Spell Checker
+  "editorconfig",
+  "christian-kohler",
+  // Path Intellisense
+  "visualstudioexptteam",
+  // IntelliCode
+  "bierner",
+  // Markdown Preview
+  "jock",
+  // SVG Viewer
+  "pkief",
+  // Material Icon Theme
+  "zhuangtongfa",
+  // One Dark Pro
+  "mechatroner"
+  // Rainbow CSV
+];
+function isVerifiedPublisher(publisher) {
+  const normalized = publisher.toLowerCase();
+  return VERIFIED_PUBLISHERS.some((p) => normalized === p.toLowerCase());
+}
+
+// src/data/popular-extensions.ts
+var MEGA_POPULAR_EXTENSIONS = [
+  // Python ecosystem
+  { id: "ms-python.python", downloads: 12e7, tier: "mega" },
+  { id: "ms-python.vscode-pylance", downloads: 8e7, tier: "mega" },
+  // C/C++
+  { id: "ms-vscode.cpptools", downloads: 6e7, tier: "mega" },
+  // GitHub Copilot
+  { id: "github.copilot", downloads: 5e7, tier: "mega" },
+  { id: "github.copilot-chat", downloads: 3e7, tier: "mega" },
+  // ESLint & Prettier
+  { id: "dbaeumer.vscode-eslint", downloads: 45e6, tier: "mega" },
+  { id: "esbenp.prettier-vscode", downloads: 5e7, tier: "mega" },
+  // Live Server
+  { id: "ritwickdey.liveserver", downloads: 6e7, tier: "mega" },
+  // GitLens
+  { id: "eamodio.gitlens", downloads: 4e7, tier: "mega" },
+  // Docker
+  { id: "ms-azuretools.vscode-docker", downloads: 35e6, tier: "mega" },
+  // Remote Development
+  { id: "ms-vscode-remote.remote-ssh", downloads: 25e6, tier: "mega" },
+  { id: "ms-vscode-remote.remote-containers", downloads: 2e7, tier: "mega" },
+  { id: "ms-vscode-remote.remote-wsl", downloads: 2e7, tier: "mega" },
+  // IntelliCode
+  { id: "visualstudioexptteam.vscodeintellicode", downloads: 4e7, tier: "mega" },
+  // Path Intellisense
+  { id: "christian-kohler.path-intellisense", downloads: 2e7, tier: "mega" },
+  // Material Icon Theme
+  { id: "pkief.material-icon-theme", downloads: 3e7, tier: "mega" },
+  // One Dark Pro
+  { id: "zhuangtongfa.material-theme", downloads: 15e6, tier: "mega" },
+  // Bracket Pair Colorizer (now built-in but still installed)
+  { id: "coenraads.bracket-pair-colorizer-2", downloads: 12e6, tier: "mega" },
+  // Code Runner
+  { id: "formulahendry.code-runner", downloads: 2e7, tier: "mega" },
+  // Auto Rename Tag
+  { id: "formulahendry.auto-rename-tag", downloads: 18e6, tier: "mega" },
+  // Code Spell Checker
+  { id: "streetsidesoftware.code-spell-checker", downloads: 15e6, tier: "mega" },
+  // Markdown All in One
+  { id: "yzhang.markdown-all-in-one", downloads: 12e6, tier: "mega" },
+  // Debugger for Chrome (deprecated but still installed)
+  { id: "msjsdiag.debugger-for-chrome", downloads: 25e6, tier: "mega" },
+  // Go
+  { id: "golang.go", downloads: 15e6, tier: "mega" },
+  // Java
+  { id: "redhat.java", downloads: 2e7, tier: "mega" },
+  { id: "vscjava.vscode-java-debug", downloads: 15e6, tier: "mega" },
+  { id: "vscjava.vscode-java-pack", downloads: 18e6, tier: "mega" },
+  // C#
+  { id: "ms-dotnettools.csharp", downloads: 25e6, tier: "mega" }
+];
+var POPULAR_EXTENSIONS = [
+  // REST Clients
+  { id: "humao.rest-client", downloads: 5e6, tier: "popular" },
+  { id: "rangav.vscode-thunder-client", downloads: 3e6, tier: "popular" },
+  // Database
+  { id: "mtxr.sqltools", downloads: 4e6, tier: "popular" },
+  { id: "cweijan.vscode-database-client2", downloads: 2e6, tier: "popular" },
+  // Jupyter
+  { id: "ms-toolsai.jupyter", downloads: 8e6, tier: "popular" },
+  { id: "ms-toolsai.jupyter-keymap", downloads: 5e6, tier: "popular" },
+  // Kubernetes
+  { id: "ms-kubernetes-tools.vscode-kubernetes-tools", downloads: 4e6, tier: "popular" },
+  // Vue / React / Angular
+  { id: "vue.volar", downloads: 8e6, tier: "popular" },
+  { id: "dsznajder.es7-react-js-snippets", downloads: 9e6, tier: "popular" },
+  { id: "angular.ng-template", downloads: 5e6, tier: "popular" },
+  // Svelte
+  { id: "svelte.svelte-vscode", downloads: 3e6, tier: "popular" },
+  // Astro
+  { id: "astro-build.astro-vscode", downloads: 2e6, tier: "popular" },
+  // Tailwind CSS
+  { id: "bradlc.vscode-tailwindcss", downloads: 8e6, tier: "popular" },
+  // YAML
+  { id: "redhat.vscode-yaml", downloads: 9e6, tier: "popular" },
+  // XML
+  { id: "redhat.vscode-xml", downloads: 6e6, tier: "popular" },
+  // Rust
+  { id: "rust-lang.rust-analyzer", downloads: 5e6, tier: "popular" },
+  // PowerShell
+  { id: "ms-vscode.powershell", downloads: 8e6, tier: "popular" },
+  // Terraform
+  { id: "hashicorp.terraform", downloads: 9e6, tier: "popular" },
+  // TODO Highlight
+  { id: "wayou.vscode-todo-highlight", downloads: 6e6, tier: "popular" },
+  // Bookmarks
+  { id: "alefragnani.bookmarks", downloads: 5e6, tier: "popular" },
+  // Project Manager
+  { id: "alefragnani.project-manager", downloads: 4e6, tier: "popular" },
+  // Rainbow CSV
+  { id: "mechatroner.rainbow-csv", downloads: 4e6, tier: "popular" },
+  // Markdown Preview
+  { id: "bierner.markdown-preview-github-styles", downloads: 3e6, tier: "popular" },
+  // markdownlint
+  { id: "davidanson.vscode-markdownlint", downloads: 6e6, tier: "popular" },
+  // Error Lens
+  { id: "usernamehw.errorlens", downloads: 5e6, tier: "popular" },
+  // Playwright
+  { id: "ms-playwright.playwright", downloads: 2e6, tier: "popular" },
+  // Jest
+  { id: "orta.vscode-jest", downloads: 3e6, tier: "popular" },
+  // Swagger / OpenAPI
+  { id: "arjun.swagger-viewer", downloads: 2e6, tier: "popular" },
+  // Figma
+  { id: "figma.figma-vscode-extension", downloads: 1e6, tier: "popular" },
+  // Atlassian
+  { id: "atlassian.atlascode", downloads: 2e6, tier: "popular" }
+];
+var ALL_POPULAR_EXTENSIONS = [
+  ...MEGA_POPULAR_EXTENSIONS,
+  ...POPULAR_EXTENSIONS
+];
+function getPopularityTier(extensionId) {
+  const normalized = extensionId.toLowerCase();
+  const ext = ALL_POPULAR_EXTENSIONS.find((e) => e.id.toLowerCase() === normalized);
+  return ext?.tier ?? null;
+}
+function isMegaPopular(extensionId) {
+  return getPopularityTier(extensionId) === "mega";
+}
+function isPopular(extensionId) {
+  return getPopularityTier(extensionId) !== null;
+}
+
+// src/rules/finding-adjuster.ts
+var DOWNGRADE_MAP = {
+  critical: "medium",
+  high: "low",
+  medium: "info",
+  low: "info",
+  info: "info"
+};
+var EXPECTED_BEHAVIORS = {
+  "ai-assistant": [
+    {
+      // AI tools legitimately use child_process, eval for code execution
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell",
+        "eval",
+        "Function-constructor",
+        "dynamic-require"
+      ]
+    },
+    {
+      // AI tools legitimately make network requests
+      ruleIds: ["EG-HIGH-002"],
+      matchedPatterns: ["dynamic-url", "unusual-port"]
+    },
+    {
+      // AI tools often read .env for API keys
+      ruleIds: ["EG-CRIT-003"],
+      matchedPatterns: ["env-file"]
+    },
+    {
+      // AI tools collect system info for telemetry / model context
+      // This includes os.hostname, os.platform, os.userInfo, process.env, etc.
+      ruleIds: ["EG-CRIT-001"]
+    },
+    {
+      // AI tools may have obfuscated/minified bundled code
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    }
+  ],
+  theme: [
+    {
+      // Theme extensions with bundled JS may trigger obfuscation (false positive)
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    }
+  ],
+  language: [
+    {
+      // Grammar extensions often have high-entropy bundled code or regex-heavy files
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    },
+    {
+      // Grammar files use words like "token", "secret" in syntax definitions
+      ruleIds: ["EG-HIGH-006"],
+      matchedPatterns: ["generic-secret"]
+    }
+  ],
+  scm: [
+    {
+      // SCM extensions legitimately access git credentials
+      ruleIds: ["EG-CRIT-003"],
+      matchedPatterns: ["git-credentials"]
+    },
+    {
+      // SCM extensions may spawn git processes
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: ["child_process-exec", "child_process-execSync", "child_process-spawn-shell"]
+    }
+  ],
+  debugger: [
+    {
+      // Debuggers legitimately spawn processes
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell"
+      ]
+    },
+    {
+      // Debuggers may use dynamic require for adapter loading
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: ["dynamic-require"]
+    }
+  ],
+  linter: [
+    {
+      // Linters legitimately spawn processes (eslint, prettier, etc.)
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell"
+      ]
+    }
+  ],
+  "language-support": [
+    {
+      // Language servers spawn interpreters/compilers (python, go, rustc, javac)
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell",
+        "dynamic-require"
+      ]
+    },
+    {
+      // Language servers may collect system info for environment detection
+      ruleIds: ["EG-CRIT-001"]
+    },
+    {
+      // Language servers may have bundled code with high entropy
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    },
+    {
+      // Language servers may make network requests for package management
+      ruleIds: ["EG-HIGH-002"],
+      matchedPatterns: ["dynamic-url"]
+    }
+  ],
+  "developer-tools": [
+    {
+      // Code runners spawn processes to execute code (python, node, bash, etc.)
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell",
+        "eval",
+        "Function-constructor"
+      ]
+    },
+    {
+      // REST clients, API testers make network requests by design
+      ruleIds: ["EG-HIGH-002"],
+      matchedPatterns: ["dynamic-url", "http-to-ip", "unusual-port"]
+    },
+    {
+      // Live servers spawn HTTP servers on various ports
+      ruleIds: ["EG-HIGH-002"],
+      matchedPatterns: ["unusual-port"]
+    },
+    {
+      // Developer tools may collect system info for environment detection
+      ruleIds: ["EG-CRIT-001"]
+    },
+    {
+      // Developer tools may have bundled code with high entropy
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    }
+  ],
+  "remote-development": [
+    {
+      // Remote extensions spawn SSH, docker, WSL processes
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell"
+      ]
+    },
+    {
+      // Remote extensions make network connections by design
+      ruleIds: ["EG-HIGH-002"],
+      matchedPatterns: ["dynamic-url", "http-to-ip", "unusual-port"]
+    },
+    {
+      // Remote extensions collect system info for environment detection
+      ruleIds: ["EG-CRIT-001"]
+    },
+    {
+      // Remote extensions may access SSH keys and credentials legitimately
+      ruleIds: ["EG-CRIT-003"],
+      matchedPatterns: ["ssh-keys", "ssh-config"]
+    },
+    {
+      // Remote extensions may have bundled code
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    }
+  ],
+  testing: [
+    {
+      // Test runners spawn test processes
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell"
+      ]
+    },
+    {
+      // Test runners may collect system info for environment detection
+      ruleIds: ["EG-CRIT-001"]
+    },
+    {
+      // Test runners may have bundled code
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    }
+  ],
+  notebook: [
+    {
+      // Notebook extensions spawn kernels (Python, Julia, etc.)
+      ruleIds: ["EG-CRIT-002"],
+      matchedPatterns: [
+        "child_process-exec",
+        "child_process-execSync",
+        "child_process-spawn-shell",
+        "dynamic-require"
+      ]
+    },
+    {
+      // Notebook extensions make network connections for package management
+      ruleIds: ["EG-HIGH-002"],
+      matchedPatterns: ["dynamic-url", "unusual-port"]
+    },
+    {
+      // Notebook extensions collect system info for environment detection
+      ruleIds: ["EG-CRIT-001"]
+    },
+    {
+      // Notebook extensions may read environment files for kernel config
+      ruleIds: ["EG-CRIT-003"],
+      matchedPatterns: ["env-file"]
+    },
+    {
+      // Notebook extensions may have bundled code
+      ruleIds: ["EG-HIGH-001"],
+      matchedPatterns: ["high-entropy", "large-base64"]
+    }
+  ]
+};
+function matchesExpectedBehavior(finding, behavior) {
+  if (behavior.ruleIds && !behavior.ruleIds.includes(finding.ruleId)) {
+    return false;
+  }
+  if (behavior.matchedPatterns && behavior.matchedPatterns.length > 0) {
+    const pattern = finding.evidence.matchedPattern ?? "";
+    if (!behavior.matchedPatterns.some((p) => pattern.includes(p))) {
+      return false;
+    }
+  }
+  if (behavior.categories && behavior.categories.length > 0) {
+    if (!behavior.categories.includes(finding.category)) {
+      return false;
+    }
+  }
+  return true;
+}
+var DOUBLE_DOWNGRADE_MAP = {
+  critical: "low",
+  high: "info",
+  medium: "info",
+  low: "info",
+  info: "info"
+};
+function adjustFindings(findings, category, options = {}) {
+  const { publisher, extensionId, strictMode = false } = options;
+  const behaviors = EXPECTED_BEHAVIORS[category];
+  const isTrusted = !strictMode && (publisher && isTrustedPublisher(publisher) || extensionId && isTrustedExtension(extensionId));
+  const isVerified = !strictMode && publisher && isVerifiedPublisher(publisher);
+  const popularityTier = !strictMode && extensionId ? getPopularityTier(extensionId) : null;
+  return findings.map((finding) => {
+    let adjustedFinding = finding;
+    let reasons = [];
+    if (behaviors && behaviors.length > 0) {
+      for (const behavior of behaviors) {
+        if (matchesExpectedBehavior(finding, behavior)) {
+          const downgraded = DOWNGRADE_MAP[adjustedFinding.severity];
+          adjustedFinding = {
+            ...adjustedFinding,
+            severity: downgraded
+          };
+          reasons.push(`expected behavior for ${category} extension`);
+          break;
+        }
+      }
+    }
+    if (isTrusted && adjustedFinding.severity !== "info") {
+      const downgraded = DOWNGRADE_MAP[adjustedFinding.severity];
+      adjustedFinding = {
+        ...adjustedFinding,
+        severity: downgraded
+      };
+      reasons.push(`trusted publisher`);
+    }
+    if (!isTrusted && isVerified && adjustedFinding.severity !== "info") {
+      const downgraded = DOWNGRADE_MAP[adjustedFinding.severity];
+      adjustedFinding = {
+        ...adjustedFinding,
+        severity: downgraded
+      };
+      reasons.push(`verified publisher`);
+    }
+    if (popularityTier && adjustedFinding.severity !== "info") {
+      if (popularityTier === "mega") {
+        const downgraded = DOUBLE_DOWNGRADE_MAP[adjustedFinding.severity];
+        adjustedFinding = {
+          ...adjustedFinding,
+          severity: downgraded
+        };
+        reasons.push(`mega popular (10M+ downloads)`);
+      } else if (popularityTier === "popular") {
+        const downgraded = DOWNGRADE_MAP[adjustedFinding.severity];
+        adjustedFinding = {
+          ...adjustedFinding,
+          severity: downgraded
+        };
+        reasons.push(`popular (1M+ downloads)`);
+      }
+    }
+    if (reasons.length > 0) {
+      adjustedFinding = {
+        ...adjustedFinding,
+        description: `${finding.description} [Downgraded: ${reasons.join(" + ")}]`
+      };
+    }
+    return adjustedFinding;
+  });
+}
+
 // src/rules/built-in/crit-data-exfiltration.ts
 var SYSTEM_INFO_PATTERNS = [
   { name: "os.hostname", pattern: /os\.hostname\s*\(\)/g },
@@ -365,8 +961,14 @@ var critDataExfiltration = {
 var DANGEROUS_PATTERNS = [
   { name: "eval", pattern: /\beval\s*\(/g },
   { name: "Function-constructor", pattern: /new\s+Function\s*\(/g },
-  { name: "child_process-exec", pattern: /(?:require\s*\(\s*['"]child_process['"]\s*\)|child_process)\.exec\s*\(/g },
-  { name: "child_process-execSync", pattern: /(?:require\s*\(\s*['"]child_process['"]\s*\)|child_process)\.execSync\s*\(/g },
+  {
+    name: "child_process-exec",
+    pattern: /(?:require\s*\(\s*['"]child_process['"]\s*\)|child_process)\.exec\s*\(/g
+  },
+  {
+    name: "child_process-execSync",
+    pattern: /(?:require\s*\(\s*['"]child_process['"]\s*\)|child_process)\.execSync\s*\(/g
+  },
   { name: "child_process-spawn-shell", pattern: /\.spawn\s*\([^)]*\{[^}]*shell\s*:\s*true/g },
   { name: "vm-runInContext", pattern: /vm\.run(?:InContext|InNewContext|InThisContext)\s*\(/g },
   { name: "vm-Script", pattern: /new\s+vm\.Script\s*\(/g }
@@ -420,7 +1022,10 @@ var critRemoteExecution = {
 
 // src/rules/built-in/crit-credential-access.ts
 var SENSITIVE_PATHS = [
-  { name: "ssh-keys", pattern: /['"`][^'"`]*\.ssh[/\\](?:id_rsa|id_ed25519|id_ecdsa|known_hosts|config|authorized_keys)[^'"`]*['"`]/gi },
+  {
+    name: "ssh-keys",
+    pattern: /['"`][^'"`]*\.ssh[/\\](?:id_rsa|id_ed25519|id_ecdsa|known_hosts|config|authorized_keys)[^'"`]*['"`]/gi
+  },
   { name: "gnupg", pattern: /['"`][^'"`]*\.gnupg[/\\][^'"`]*['"`]/gi },
   { name: "aws-credentials", pattern: /['"`][^'"`]*\.aws[/\\]credentials[^'"`]*['"`]/gi },
   { name: "azure-config", pattern: /['"`][^'"`]*\.azure[/\\][^'"`]*['"`]/gi },
@@ -522,6 +1127,8 @@ var BASE64_PATTERN = /['"`]([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{
 var HEX_PATTERN = /(?:\\x[0-9a-fA-F]{2}){10,}/g;
 var CHAR_CODE_PATTERN = /String\.fromCharCode\s*\(\s*(?:\d+\s*,?\s*){5,}\)/g;
 var UNICODE_ESCAPE_PATTERN = /(?:\\u[0-9a-fA-F]{4}){10,}/g;
+var BUNDLED_FILE_PATTERN = /(?:^|\/)(?:dist|out|build|bundle)\//;
+var BUNDLED_FILE_SIZE_THRESHOLD = 100 * 1024;
 function calculateEntropy(str) {
   const len = str.length;
   if (len === 0) return 0;
@@ -599,14 +1206,15 @@ var highObfuscatedCode = {
           snippet: match[0].slice(0, 50) + "..."
         });
       }
-      if (content.length > 5e3) {
+      const isBundled = BUNDLED_FILE_PATTERN.test(filePath) && content.length > BUNDLED_FILE_SIZE_THRESHOLD;
+      if (!isBundled && content.length > 5e3) {
         const entropy = calculateEntropy(content);
-        if (entropy > 5.8) {
+        if (entropy > 6.2) {
           evidences.push({
             filePath,
             lineNumber: 1,
             matchedPattern: "high-entropy",
-            snippet: `File entropy: ${entropy.toFixed(2)} (threshold: 5.8)`
+            snippet: `File entropy: ${entropy.toFixed(2)} (threshold: 6.2)`
           });
         }
       }
@@ -617,6 +1225,7 @@ var highObfuscatedCode = {
 
 // src/rules/built-in/high-hardcoded-secret.ts
 var MIN_SECRET_LENGTH = 8;
+var MIN_GENERIC_SECRET_ENTROPY = 3;
 var PLACEHOLDER_PATTERNS = [
   /^your[_-]?/i,
   /^<[^>]+>$/,
@@ -633,6 +1242,22 @@ var PLACEHOLDER_PATTERNS = [
   /^test$/i,
   /^demo$/i
 ];
+var FALSE_POSITIVE_VALUES = [
+  /^(?:true|false|null|undefined|none)$/i,
+  /^(?:string|number|boolean|object|array|function)$/i,
+  /^(?:keyword|identifier|operator|punctuation|comment|variable|constant)$/i,
+  // TextMate token types
+  /^(?:bearer|basic|digest)\s/i,
+  // Auth scheme names, not actual tokens
+  /^(?:process\.env|os\.environ)/i,
+  // Env access patterns
+  /^https?:\/\//i,
+  // URLs
+  /^\$\{/,
+  // Template literals
+  /^%[sd]/
+  // Format strings
+];
 var EXCLUDED_FILE_PATTERNS = [
   /\.test\.[jt]sx?$/,
   /\.spec\.[jt]sx?$/,
@@ -701,6 +1326,23 @@ function isExcludedFile(filePath) {
 function isPlaceholder(value) {
   return PLACEHOLDER_PATTERNS.some((pattern) => pattern.test(value));
 }
+function isFalsePositiveValue(value) {
+  return FALSE_POSITIVE_VALUES.some((pattern) => pattern.test(value));
+}
+function calculateSecretEntropy(str) {
+  const len = str.length;
+  if (len === 0) return 0;
+  const freq = {};
+  for (const char of str) {
+    freq[char] = (freq[char] || 0) + 1;
+  }
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
 function isInComment(content, matchIndex) {
   const lineStart = content.lastIndexOf("\n", matchIndex) + 1;
   const lineContent = content.slice(lineStart, matchIndex);
@@ -757,6 +1399,15 @@ var highHardcodedSecret = {
           if (isPlaceholder(secretValue)) {
             continue;
           }
+          if (isFalsePositiveValue(secretValue)) {
+            continue;
+          }
+          if (secretPattern.name === "generic-secret") {
+            const entropy = calculateSecretEntropy(secretValue);
+            if (entropy < MIN_GENERIC_SECRET_ENTROPY) {
+              continue;
+            }
+          }
           const lineNumber = getLineNumber(content, matchIndex);
           const lineContent = lines[lineNumber - 1]?.trim() || "";
           evidences.push({
@@ -816,6 +1467,495 @@ function registerBuiltInRules() {
   ruleRegistry.register(highHardcodedSecret);
   ruleRegistry.register(medExcessiveActivation);
 }
+var DETECTION_RULES = [
+  critDataExfiltration,
+  critRemoteExecution,
+  critCredentialAccess,
+  highSuspiciousNetwork,
+  highObfuscatedCode,
+  highHardcodedSecret,
+  medExcessiveActivation
+];
+
+// src/scanner/extension-categorizer.ts
+var LANGUAGE_SUPPORT_PUBLISHERS = [
+  "ms-python",
+  "ms-vscode",
+  "golang",
+  "rust-lang",
+  "microsoft",
+  "redhat",
+  "oracle",
+  "julialang",
+  "haskell",
+  // Additional language support publishers
+  "zigtools",
+  "elixir-lsp",
+  "dart-code",
+  "scala-lang",
+  "vscjava",
+  "crystal-lang-tools",
+  "nim-lang",
+  "vlang-vscode"
+];
+var DEVELOPER_TOOL_KEYWORDS = [
+  // Code execution
+  "code runner",
+  "coderunner",
+  "run code",
+  "execute code",
+  "run script",
+  "script runner",
+  // REST/API clients
+  "rest client",
+  "api client",
+  "http client",
+  "thunder client",
+  "postman",
+  "insomnia",
+  "api tester",
+  "http request",
+  // Live servers
+  "live server",
+  "liveserver",
+  "live preview",
+  "browser sync",
+  "browsersync",
+  "local server",
+  "dev server",
+  "http server",
+  // Terminal/Shell
+  "terminal",
+  "shell",
+  "integrated terminal",
+  // Task runners
+  "task runner",
+  "npm scripts",
+  "gulp",
+  "grunt",
+  // Database clients
+  "database client",
+  "sql client",
+  "mongodb client",
+  "redis client"
+];
+var DEVELOPER_TOOL_PUBLISHERS = [
+  "formulahendry",
+  // Code Runner
+  "rangav",
+  // Thunder Client
+  "humao",
+  // REST Client
+  "ritwickdey",
+  // Live Server
+  "techer",
+  // Live Server (alternative)
+  "negokaz",
+  // Live Server (alternative)
+  "qwtel",
+  // HTTP/S Server
+  "hediet",
+  // Debug Visualizer
+  "mtxr",
+  // SQLTools
+  "cweijan"
+  // Database Client
+];
+var REMOTE_DEV_KEYWORDS = [
+  "remote-ssh",
+  "remote ssh",
+  "remote - ssh",
+  "dev container",
+  "devcontainer",
+  "dev-container",
+  "docker container",
+  "wsl",
+  "windows subsystem",
+  "remote development",
+  "remote explorer",
+  "ssh remote",
+  "ssh connection",
+  "container development",
+  "codespace",
+  "github codespaces",
+  "tunnel",
+  "remote tunnels"
+];
+var REMOTE_DEV_PUBLISHERS = [
+  "ms-vscode-remote",
+  // Remote-SSH, Dev Containers, WSL
+  "ms-azuretools"
+  // Azure (containers, etc.)
+];
+var TESTING_KEYWORDS = [
+  "test runner",
+  "test explorer",
+  "test adapter",
+  "jest runner",
+  "mocha test",
+  "pytest",
+  "vitest",
+  "karma",
+  "jasmine",
+  "cypress",
+  "playwright",
+  "selenium",
+  "unit test",
+  "integration test",
+  "e2e test",
+  "end-to-end test",
+  "test coverage",
+  "code coverage"
+];
+var TESTING_PUBLISHERS = [
+  "hbenl",
+  // Test Explorer UI
+  "firsttris",
+  // Jest Runner
+  "orta",
+  // Jest (vscode-jest)
+  "ms-playwright"
+  // Playwright
+];
+var NOTEBOOK_KEYWORDS = [
+  "jupyter",
+  "notebook",
+  "ipynb",
+  "kernel",
+  "jupyter notebook",
+  "jupyter lab",
+  "ipython",
+  "data science",
+  "interactive python"
+];
+var NOTEBOOK_PUBLISHERS = [
+  "ms-toolsai"
+  // Jupyter
+];
+var AI_KEYWORDS = [
+  "copilot",
+  "ai",
+  "gpt",
+  "llm",
+  "chatbot",
+  "assistant",
+  "autocomplete",
+  "code completion",
+  "machine learning",
+  "neural",
+  "openai",
+  "anthropic",
+  "gemini",
+  "claude",
+  "codeium",
+  "tabnine",
+  "kilo",
+  "continue",
+  "cursor",
+  "supermaven",
+  // Additional AI tools
+  "aider",
+  "codestral",
+  "mistral",
+  "deepseek",
+  "qwen",
+  "sourcery",
+  "codewhisperer",
+  "amazon q",
+  "bito",
+  "blackbox",
+  "codegpt",
+  "cody"
+  // Sourcegraph
+];
+function categorizeExtension(manifest) {
+  const categories = (manifest.categories ?? []).map((c) => c.toLowerCase());
+  const contributes = manifest.contributes ?? {};
+  const contributeKeys = Object.keys(contributes);
+  const keywords = manifest.keywords ?? [];
+  const displayName = (manifest.displayName ?? "").toLowerCase();
+  const description = (manifest.description ?? "").toLowerCase();
+  const name = (manifest.name ?? "").toLowerCase();
+  if (categories.includes("themes") || categories.includes("icon themes") || isThemeOnlyExtension(contributeKeys, contributes)) {
+    return "theme";
+  }
+  if (isLanguageExtension(contributeKeys, contributes)) {
+    return "language";
+  }
+  if (isRemoteDevelopment(manifest, displayName, description, name)) {
+    return "remote-development";
+  }
+  if (isAIAssistant(categories, keywords, displayName, description, name)) {
+    return "ai-assistant";
+  }
+  if (isLanguageSupport(manifest, categories)) {
+    return "language-support";
+  }
+  if (categories.includes("scm providers") || contributeKeys.includes("scm")) {
+    return "scm";
+  }
+  if (categories.includes("debuggers") || contributeKeys.includes("debuggers")) {
+    return "debugger";
+  }
+  if (categories.includes("linters") || categories.includes("formatters") || displayName.includes("lint") || displayName.includes("format") || displayName.includes("prettier") || displayName.includes("eslint")) {
+    return "linter";
+  }
+  if (isDeveloperTool(manifest, displayName, description, name)) {
+    return "developer-tools";
+  }
+  if (isTesting(manifest, categories, displayName, description, name)) {
+    return "testing";
+  }
+  if (isNotebook(manifest, categories, displayName, description, name, contributeKeys)) {
+    return "notebook";
+  }
+  return "general";
+}
+function isThemeOnlyExtension(contributeKeys, _contributes) {
+  const hasThemes = contributeKeys.includes("themes") || contributeKeys.includes("iconThemes");
+  if (!hasThemes) return false;
+  const functionalKeys = contributeKeys.filter(
+    (k) => k !== "themes" && k !== "iconThemes" && k !== "colors"
+  );
+  return functionalKeys.length === 0;
+}
+function isLanguageExtension(contributeKeys, contributes) {
+  const hasGrammars = contributeKeys.includes("grammars") || contributeKeys.includes("languages");
+  if (!hasGrammars) return false;
+  const commands = contributes.commands;
+  if (Array.isArray(commands) && commands.length > 3) {
+    return false;
+  }
+  return true;
+}
+function isAIAssistant(categories, keywords, displayName, description, name) {
+  if (categories.includes("machine learning") || categories.includes("data science")) {
+    return true;
+  }
+  const searchableText = [
+    ...keywords.map((k) => k.toLowerCase()),
+    displayName,
+    description,
+    name
+  ].join(" ");
+  return AI_KEYWORDS.some((kw) => {
+    if (kw.includes(" ")) {
+      return searchableText.includes(kw);
+    }
+    const regex = new RegExp(`\\b${kw}\\b`, "i");
+    return regex.test(searchableText);
+  });
+}
+function isLanguageSupport(manifest, categories) {
+  const publisher = (manifest.publisher ?? "").toLowerCase();
+  if (LANGUAGE_SUPPORT_PUBLISHERS.some((p) => publisher.includes(p))) {
+    return true;
+  }
+  if (categories.includes("programming languages")) {
+    return true;
+  }
+  return false;
+}
+function isDeveloperTool(manifest, displayName, description, name) {
+  const publisher = (manifest.publisher ?? "").toLowerCase();
+  if (DEVELOPER_TOOL_PUBLISHERS.some((p) => publisher === p)) {
+    return true;
+  }
+  const searchableText = [displayName, description, name].join(" ");
+  return DEVELOPER_TOOL_KEYWORDS.some((kw) => searchableText.includes(kw));
+}
+function isRemoteDevelopment(manifest, displayName, description, name) {
+  const publisher = (manifest.publisher ?? "").toLowerCase();
+  if (REMOTE_DEV_PUBLISHERS.some((p) => publisher === p)) {
+    return true;
+  }
+  const searchableText = [displayName, description, name].join(" ");
+  return REMOTE_DEV_KEYWORDS.some((kw) => searchableText.includes(kw));
+}
+function isTesting(manifest, categories, displayName, description, name) {
+  const publisher = (manifest.publisher ?? "").toLowerCase();
+  if (TESTING_PUBLISHERS.some((p) => publisher === p)) {
+    return true;
+  }
+  if (categories.includes("testing")) {
+    return true;
+  }
+  const searchableText = [displayName, description, name].join(" ");
+  return TESTING_KEYWORDS.some((kw) => searchableText.includes(kw));
+}
+function isNotebook(manifest, categories, displayName, description, name, contributeKeys) {
+  const publisher = (manifest.publisher ?? "").toLowerCase();
+  if (NOTEBOOK_PUBLISHERS.some((p) => publisher === p)) {
+    return true;
+  }
+  if (categories.includes("notebooks")) {
+    return true;
+  }
+  if (contributeKeys.includes("notebooks") || contributeKeys.includes("notebookRenderer")) {
+    return true;
+  }
+  const searchableText = [displayName, description, name].join(" ");
+  return NOTEBOOK_KEYWORDS.some((kw) => searchableText.includes(kw));
+}
+
+// src/integrity/integrity-verifier.ts
+import { createHash } from "crypto";
+function sha256(content) {
+  return createHash("sha256").update(content, "utf8").digest("hex");
+}
+function computeExtensionHashes(extensionId, version, files) {
+  const manifestContent = files.get("package.json") ?? "";
+  const manifestHash = sha256(manifestContent);
+  const jsFiles = Array.from(files.entries()).filter(([path6]) => path6.endsWith(".js") || path6.endsWith(".ts")).sort(([a], [b]) => a.localeCompare(b));
+  const contentHash = sha256(jsFiles.map(([, content]) => content).join("\n"));
+  const sortedPaths = Array.from(files.keys()).sort();
+  const structureHash = sha256(sortedPaths.join("\n"));
+  const combinedHash = sha256(`${manifestHash}:${contentHash}:${structureHash}`);
+  return {
+    extensionId,
+    version,
+    manifestHash,
+    contentHash,
+    structureHash,
+    combinedHash
+  };
+}
+function verifyIntegrity(extensionId, version, files, knownHashes) {
+  try {
+    const computed = computeExtensionHashes(extensionId, version, files);
+    const key = `${extensionId}@${version}`;
+    const expected = knownHashes.get(key);
+    if (!expected) {
+      return {
+        extensionId,
+        version,
+        status: "unknown",
+        computedHashes: {
+          ...computed
+        }
+      };
+    }
+    const manifestModified = computed.manifestHash !== expected.manifestHash;
+    const contentModified = computed.contentHash !== expected.contentHash;
+    const structureModified = computed.structureHash !== expected.structureHash;
+    if (manifestModified || contentModified || structureModified) {
+      return {
+        extensionId,
+        version,
+        status: "modified",
+        modifications: {
+          manifest: manifestModified,
+          content: contentModified,
+          structure: structureModified
+        },
+        computedHashes: {
+          ...computed
+        },
+        expectedHashes: expected
+      };
+    }
+    return {
+      extensionId,
+      version,
+      status: "verified",
+      computedHashes: {
+        ...computed
+      },
+      expectedHashes: expected
+    };
+  } catch (error) {
+    return {
+      extensionId,
+      version,
+      status: "error",
+      error: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+function createHashRecord(extensionId, version, files, source = "manual") {
+  const hashes = computeExtensionHashes(extensionId, version, files);
+  return {
+    ...hashes,
+    recordedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    source
+  };
+}
+
+// src/integrity/hash-database.ts
+import * as fs4 from "fs";
+import * as path4 from "path";
+var hashCache = null;
+function getDefaultDatabasePath() {
+  const homeDir = process.env.HOME || process.env.USERPROFILE || "";
+  return path4.join(homeDir, ".extension-guard", "hash-database.json");
+}
+function loadHashDatabase(filePath) {
+  const dbPath = filePath || getDefaultDatabasePath();
+  if (hashCache && !filePath) {
+    return hashCache;
+  }
+  const hashes = /* @__PURE__ */ new Map();
+  try {
+    if (fs4.existsSync(dbPath)) {
+      const content = fs4.readFileSync(dbPath, "utf8");
+      const db = JSON.parse(content);
+      for (const hash of db.hashes) {
+        const key = `${hash.extensionId}@${hash.version}`;
+        hashes.set(key, hash);
+      }
+    }
+  } catch {
+  }
+  const bundled = getBundledHashes();
+  for (const [key, hash] of bundled) {
+    if (!hashes.has(key)) {
+      hashes.set(key, hash);
+    }
+  }
+  if (!filePath) {
+    hashCache = hashes;
+  }
+  return hashes;
+}
+function saveHashDatabase(hashes, filePath) {
+  const dbPath = filePath || getDefaultDatabasePath();
+  const dir = path4.dirname(dbPath);
+  if (!fs4.existsSync(dir)) {
+    fs4.mkdirSync(dir, { recursive: true });
+  }
+  const db = {
+    version: "1.0",
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    hashes: Array.from(hashes.values())
+  };
+  fs4.writeFileSync(dbPath, JSON.stringify(db, null, 2));
+  if (!filePath) {
+    hashCache = hashes;
+  }
+}
+function addHash(hash, filePath) {
+  const hashes = loadHashDatabase(filePath);
+  const key = `${hash.extensionId}@${hash.version}`;
+  hashes.set(key, hash);
+  saveHashDatabase(hashes, filePath);
+}
+function getHash(extensionId, version, filePath) {
+  const hashes = loadHashDatabase(filePath);
+  return hashes.get(`${extensionId}@${version}`);
+}
+function clearHashCache() {
+  hashCache = null;
+}
+function getBundledHashes() {
+  const hashes = /* @__PURE__ */ new Map();
+  return hashes;
+}
+async function generateBaseline(_extensionPaths, _outputPath) {
+  return {
+    generated: 0,
+    errors: ["Use CLI baseline command instead"]
+  };
+}
 
 // src/scanner/scanner.ts
 var rulesRegistered = false;
@@ -832,7 +1972,9 @@ var DEFAULT_OPTIONS = {
   rules: [],
   skipRules: [],
   concurrency: 4,
-  timeout: 3e4
+  timeout: 3e4,
+  verifyIntegrity: false,
+  hashDatabasePath: ""
 };
 var SEVERITY_PENALTY = {
   critical: 35,
@@ -844,6 +1986,7 @@ var SEVERITY_PENALTY = {
 var ExtensionGuardScanner = class {
   options;
   ruleEngine;
+  hashDatabase = null;
   constructor(options) {
     ensureRulesRegistered();
     this.options = { ...DEFAULT_OPTIONS, ...options };
@@ -852,6 +1995,11 @@ var ExtensionGuardScanner = class {
       skipRules: this.options.skipRules.length > 0 ? this.options.skipRules : void 0,
       minSeverity: this.options.severity
     });
+    if (this.options.verifyIntegrity) {
+      this.hashDatabase = loadHashDatabase(
+        this.options.hashDatabasePath || void 0
+      );
+    }
   }
   async scan(options) {
     const startTime = Date.now();
@@ -915,9 +2063,41 @@ var ExtensionGuardScanner = class {
       } catch {
       }
     }
-    const findings = this.ruleEngine.run(files, manifest);
+    const rawFindings = this.ruleEngine.run(files, manifest);
+    const category = categorizeExtension(manifest);
+    const findings = adjustFindings(rawFindings, category, {
+      publisher: ext.publisher.name,
+      extensionId: ext.id
+    });
     const trustScore = this.calculateTrustScore(findings);
-    const riskLevel = this.calculateRiskLevel(trustScore, findings);
+    let riskLevel = this.calculateRiskLevel(trustScore, findings);
+    let integrity;
+    if (this.options.verifyIntegrity && this.hashDatabase) {
+      const result = verifyIntegrity(ext.id, ext.version, files, this.hashDatabase);
+      integrity = {
+        status: result.status,
+        modifications: result.modifications,
+        hash: result.computedHashes?.combinedHash
+      };
+      if (result.status === "modified") {
+        riskLevel = "critical";
+        findings.unshift({
+          id: `integrity-${ext.id}`,
+          ruleId: "EG-CRIT-100",
+          severity: "critical",
+          category: "supply-chain",
+          title: "Extension Integrity Compromised",
+          description: `Extension files have been modified from known-good version. Modifications: ${result.modifications?.manifest ? "manifest " : ""}${result.modifications?.content ? "content " : ""}${result.modifications?.structure ? "structure" : ""}`.trim(),
+          evidence: {
+            filePath: ext.installPath,
+            matchedPattern: "integrity-violation"
+          },
+          remediation: "Reinstall the extension from the official marketplace. If this persists, report to the extension author."
+        });
+      }
+    } else if (this.options.verifyIntegrity) {
+      integrity = { status: "skipped" };
+    }
     return {
       extensionId: ext.id,
       displayName: ext.displayName,
@@ -927,21 +2107,30 @@ var ExtensionGuardScanner = class {
       findings,
       metadata: ext,
       analyzedFiles: files.size,
-      scanDurationMs: Date.now() - startTime
+      scanDurationMs: Date.now() - startTime,
+      integrity
     };
   }
   calculateTrustScore(findings) {
     let score = 100;
+    const findingsByRule = /* @__PURE__ */ new Map();
     for (const finding of findings) {
-      score -= SEVERITY_PENALTY[finding.severity];
+      const count = findingsByRule.get(finding.ruleId) ?? 0;
+      if (count < 5) {
+        score -= SEVERITY_PENALTY[finding.severity];
+        findingsByRule.set(finding.ruleId, count + 1);
+      }
     }
     return Math.max(0, Math.min(100, score));
   }
   calculateRiskLevel(trustScore, findings) {
-    if (findings.some((f) => f.severity === "critical")) {
+    const realFindings = findings.filter(
+      (f) => !f.description?.includes("[Downgraded:")
+    );
+    if (realFindings.some((f) => f.severity === "critical")) {
       return "critical";
     }
-    if (findings.some((f) => f.severity === "high")) {
+    if (realFindings.some((f) => f.severity === "high")) {
       return "high";
     }
     if (trustScore >= 90) return "safe";
@@ -995,6 +2184,129 @@ var ExtensionGuardScanner = class {
   }
 };
 
+// src/analyzers/bundle-detector.ts
+var BUNDLER_SIGNATURES = {
+  webpack: [
+    /\/\*{3}\/ var __webpack_/,
+    /\/\*! For license information /,
+    /webpackChunk/,
+    /__webpack_require__/,
+    /\/\*\*\*\/ \(/
+  ],
+  esbuild: [
+    /\/\/ src\//,
+    /__esm\s*\(/,
+    /__export\s*\(/,
+    /var __defProp\s*=/,
+    /var __getOwnPropDesc\s*=/
+  ],
+  rollup: [
+    /\/\*\* @license/,
+    /\(function \(global, factory\)/,
+    /typeof exports === 'object'/,
+    /define\(\['exports'/
+  ],
+  parcel: [/parcelRequire/, /@parcel\/transformer/],
+  vite: [/vite\/modulepreload-polyfill/, /import\.meta\.hot/],
+  browserify: [/require=\(function e\(t,n,r\)/, /typeof require=="function"/]
+};
+var CHUNK_PATTERNS = [
+  /\d+\.chunk\.js$/i,
+  /chunk-[a-f0-9]+\.js$/i,
+  /\.bundle\.js$/i,
+  /\.min\.js$/i,
+  /\.prod\.js$/i,
+  /vendor[\.\-]/i,
+  /runtime[\.\-][a-f0-9]+\.js$/i
+];
+function detectBundle(filePath, content) {
+  const reasons = [];
+  let detectedBundler;
+  const filename = filePath.split("/").pop() || filePath;
+  for (const pattern of CHUNK_PATTERNS) {
+    if (pattern.test(filename)) {
+      reasons.push(`Filename matches chunk pattern: ${filename}`);
+      break;
+    }
+  }
+  for (const [bundler, patterns] of Object.entries(BUNDLER_SIGNATURES)) {
+    for (const pattern of patterns) {
+      if (pattern.test(content)) {
+        reasons.push(`Contains ${bundler} signature`);
+        detectedBundler = bundler;
+        break;
+      }
+    }
+    if (detectedBundler) break;
+  }
+  const lines = content.split("\n");
+  const longLineCount = lines.filter((line) => line.length > 500).length;
+  const totalLines = lines.length;
+  if (totalLines > 0 && longLineCount / totalLines > 0.1) {
+    reasons.push(`High percentage of long lines (${longLineCount}/${totalLines})`);
+  }
+  const totalChars = content.length;
+  const avgLineLength = totalChars / Math.max(totalLines, 1);
+  if (avgLineLength > 200) {
+    reasons.push(`High average line length (${Math.round(avgLineLength)} chars)`);
+  }
+  if (/\/\/# sourceMappingURL=/.test(content)) {
+    reasons.push("Contains source map reference");
+  }
+  if (/\(self\["webpackChunk/.test(content)) {
+    reasons.push("Contains webpack chunk pattern");
+    if (!detectedBundler) detectedBundler = "webpack";
+  }
+  const exportCount = (content.match(/export\s*\{|exports\./g) || []).length;
+  if (exportCount > 20) {
+    reasons.push(`Many export statements (${exportCount})`);
+  }
+  let confidence = "low";
+  if (detectedBundler || reasons.length >= 3) {
+    confidence = "high";
+  } else if (reasons.length >= 2) {
+    confidence = "medium";
+  }
+  return {
+    isBundled: reasons.length > 0,
+    confidence,
+    reasons,
+    bundler: detectedBundler
+  };
+}
+function isBundleOutputPath(filePath) {
+  const bundleOutputDirs = [
+    "/dist/",
+    "/build/",
+    "/out/",
+    "/lib/",
+    "/.output/",
+    "/bundle/",
+    "/packed/",
+    "/compiled/"
+  ];
+  const normalizedPath = filePath.toLowerCase();
+  return bundleOutputDirs.some((dir) => normalizedPath.includes(dir));
+}
+function shouldReduceSeverityForBundle(filePath, content) {
+  if (isBundleOutputPath(filePath)) {
+    const result = detectBundle(filePath, content);
+    if (result.isBundled && result.confidence !== "low") {
+      return {
+        reduce: true,
+        reason: `Bundled file (${result.bundler || "detected"}, ${result.confidence} confidence)`
+      };
+    }
+  }
+  if (/\.(bundle|min|prod|chunk)\.js$/i.test(filePath)) {
+    return {
+      reduce: true,
+      reason: "Bundle filename pattern"
+    };
+  }
+  return { reduce: false };
+}
+
 // src/reporter/json-reporter.ts
 var SEVERITY_ORDER2 = {
   critical: 0,
@@ -1006,11 +2318,7 @@ var SEVERITY_ORDER2 = {
 var JsonReporter = class {
   format = "json";
   generate(report, options = {}) {
-    const {
-      includeEvidence = true,
-      includeSafe = true,
-      minSeverity = "info"
-    } = options;
+    const { includeEvidence = true, includeSafe = true, minSeverity = "info" } = options;
     const filteredResults = this.filterResults(report.results, {
       includeSafe,
       minSeverity,
@@ -1279,13 +2587,13 @@ var MarkdownReporter = class {
 };
 
 // src/policy/policy-loader.ts
-import * as fs4 from "fs/promises";
-import * as path4 from "path";
+import * as fs5 from "fs/promises";
+import * as path5 from "path";
 var DEFAULT_CONFIG_NAME = ".extension-guard.json";
 async function loadPolicyConfig(configPath) {
-  const resolvedPath = configPath ?? path4.join(process.cwd(), DEFAULT_CONFIG_NAME);
+  const resolvedPath = configPath ?? path5.join(process.cwd(), DEFAULT_CONFIG_NAME);
   try {
-    const content = await fs4.readFile(resolvedPath, "utf-8");
+    const content = await fs5.readFile(resolvedPath, "utf-8");
     const config = JSON.parse(content);
     validatePolicyConfig(config);
     return config;
@@ -1539,27 +2847,56 @@ var PolicyEngine = class {
 };
 
 // src/index.ts
-var VERSION = "0.1.0";
+var VERSION = "0.4.0";
 export {
+  ALL_POPULAR_EXTENSIONS,
+  DETECTION_RULES,
   ExtensionGuardScanner,
   IDE_PATHS,
   JsonReporter,
+  MEGA_POPULAR_EXTENSIONS,
   MarkdownReporter,
+  POPULAR_EXTENSIONS,
   PolicyEngine,
   RuleEngine,
   SEVERITY_ORDER,
   SarifReporter,
+  TRUSTED_EXTENSION_IDS,
+  TRUSTED_PUBLISHERS,
+  VERIFIED_PUBLISHERS,
   VERSION,
+  addHash,
+  adjustFindings,
+  categorizeExtension,
+  clearHashCache,
   collectFiles,
   compareSeverity,
+  computeExtensionHashes,
+  createHashRecord,
+  detectBundle,
   detectIDEPaths,
   expandPath,
+  generateBaseline,
+  getDefaultDatabasePath,
+  getHash,
+  getPopularityTier,
   isAtLeastSeverity,
+  isBundleOutputPath,
+  isMegaPopular,
+  isPopular,
+  isTrustedExtension,
+  isTrustedPublisher,
+  isVerifiedPublisher,
+  loadHashDatabase,
   loadPolicyConfig,
   readExtension,
   readExtensionsFromDirectory,
   registerBuiltInRules,
   ruleRegistry,
-  shouldCollectFile
+  saveHashDatabase,
+  sha256,
+  shouldCollectFile,
+  shouldReduceSeverityForBundle,
+  verifyIntegrity
 };
 //# sourceMappingURL=index.js.map