@aspect-guard/core 0.1.0

package/dist/index.js

@@ -0,0 +1,1565 @@
+// src/types/severity.ts
+var SEVERITY_ORDER = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3,
+  info: 4
+};
+function compareSeverity(a, b) {
+  return SEVERITY_ORDER[a] - SEVERITY_ORDER[b];
+}
+function isAtLeastSeverity(severity, minimum) {
+  return SEVERITY_ORDER[severity] <= SEVERITY_ORDER[minimum];
+}
+
+// src/scanner/scanner.ts
+import * as os2 from "os";
+import { randomUUID as randomUUID2 } from "crypto";
+
+// src/scanner/ide-detector.ts
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+var IDE_PATHS = {
+  "VS Code": ["~/.vscode/extensions"],
+  "VS Code Insiders": ["~/.vscode-insiders/extensions"],
+  Cursor: ["~/.cursor/extensions"],
+  Windsurf: ["~/.windsurf/extensions"],
+  Trae: ["~/.trae/extensions"],
+  VSCodium: ["~/.vscode-oss/extensions"]
+};
+function expandPath(inputPath) {
+  if (inputPath.startsWith("~")) {
+    return path.join(os.homedir(), inputPath.slice(1));
+  }
+  if (inputPath.includes("%USERPROFILE%")) {
+    return inputPath.replace("%USERPROFILE%", os.homedir());
+  }
+  return inputPath;
+}
+function countExtensions(dirPath) {
+  try {
+    const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    return entries.filter((entry) => entry.isDirectory()).length;
+  } catch {
+    return 0;
+  }
+}
+function detectIDEPaths() {
+  const detected = [];
+  for (const [ideName, paths] of Object.entries(IDE_PATHS)) {
+    for (const idePath of paths) {
+      const expandedPath = expandPath(idePath);
+      if (fs.existsSync(expandedPath)) {
+        detected.push({
+          name: ideName,
+          path: expandedPath,
+          extensionCount: countExtensions(expandedPath)
+        });
+        break;
+      }
+    }
+  }
+  return detected;
+}
+
+// src/scanner/extension-reader.ts
+import * as fs2 from "fs/promises";
+import * as path2 from "path";
+async function readExtension(extensionPath) {
+  try {
+    const packageJsonPath = path2.join(extensionPath, "package.json");
+    const content = await fs2.readFile(packageJsonPath, "utf-8");
+    const manifest = JSON.parse(content);
+    if (!manifest.name || !manifest.publisher || !manifest.version) {
+      return null;
+    }
+    const stats = await getDirectoryStats(extensionPath);
+    const repository = typeof manifest.repository === "string" ? manifest.repository : manifest.repository?.url;
+    return {
+      id: `${manifest.publisher}.${manifest.name}`,
+      displayName: manifest.displayName ?? manifest.name,
+      version: manifest.version,
+      publisher: {
+        name: manifest.publisher,
+        verified: false
+      },
+      description: manifest.description ?? "",
+      categories: manifest.categories ?? [],
+      activationEvents: manifest.activationEvents ?? [],
+      extensionDependencies: manifest.extensionDependencies ?? [],
+      installPath: extensionPath,
+      engines: { vscode: manifest.engines?.vscode ?? "*" },
+      repository,
+      license: manifest.license,
+      fileCount: stats.fileCount,
+      totalSize: stats.totalSize
+    };
+  } catch {
+    return null;
+  }
+}
+async function getDirectoryStats(dirPath) {
+  let fileCount = 0;
+  let totalSize = 0;
+  async function walk(currentPath) {
+    try {
+      const entries = await fs2.readdir(currentPath, { withFileTypes: true });
+      for (const entry of entries) {
+        const fullPath = path2.join(currentPath, entry.name);
+        if (entry.isDirectory()) {
+          if (entry.name !== "node_modules") {
+            await walk(fullPath);
+          }
+        } else {
+          fileCount++;
+          try {
+            const stat3 = await fs2.stat(fullPath);
+            totalSize += stat3.size;
+          } catch {
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  await walk(dirPath);
+  return { fileCount, totalSize };
+}
+async function readExtensionsFromDirectory(directoryPath) {
+  const extensions = [];
+  try {
+    const entries = await fs2.readdir(directoryPath, { withFileTypes: true });
+    const directories = entries.filter((entry) => entry.isDirectory());
+    const results = await Promise.all(
+      directories.map(
+        (dir) => readExtension(path2.join(directoryPath, dir.name))
+      )
+    );
+    for (const result of results) {
+      if (result) {
+        extensions.push(result);
+      }
+    }
+  } catch {
+    return [];
+  }
+  return extensions;
+}
+
+// src/scanner/file-collector.ts
+import * as fs3 from "fs/promises";
+import * as path3 from "path";
+var COLLECTED_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".js",
+  ".ts",
+  ".jsx",
+  ".tsx",
+  ".mjs",
+  ".cjs",
+  ".json"
+]);
+var IGNORED_DIRECTORIES = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".svn",
+  ".hg",
+  "__pycache__"
+]);
+var IGNORED_PATTERNS = [/\.min\.js$/, /\.map$/, /\.d\.ts$/];
+var MAX_FILE_SIZE = 1024 * 1024;
+function shouldCollectFile(filePath) {
+  const ext = path3.extname(filePath).toLowerCase();
+  if (!COLLECTED_EXTENSIONS.has(ext)) {
+    return false;
+  }
+  const parts = filePath.split(path3.sep);
+  for (const part of parts) {
+    if (IGNORED_DIRECTORIES.has(part)) {
+      return false;
+    }
+  }
+  for (const pattern of IGNORED_PATTERNS) {
+    if (pattern.test(filePath)) {
+      return false;
+    }
+  }
+  return true;
+}
+async function collectFiles(extensionPath) {
+  const files = /* @__PURE__ */ new Map();
+  async function walk(currentPath, relativePath) {
+    try {
+      const entries = await fs3.readdir(currentPath, { withFileTypes: true });
+      for (const entry of entries) {
+        const fullPath = path3.join(currentPath, entry.name);
+        const relPath = relativePath ? path3.join(relativePath, entry.name) : entry.name;
+        if (entry.isDirectory()) {
+          if (!IGNORED_DIRECTORIES.has(entry.name)) {
+            await walk(fullPath, relPath);
+          }
+        } else if (entry.isFile()) {
+          if (shouldCollectFile(relPath)) {
+            try {
+              const stat3 = await fs3.stat(fullPath);
+              if (stat3.size <= MAX_FILE_SIZE) {
+                const content = await fs3.readFile(fullPath, "utf-8");
+                files.set(relPath, content);
+              }
+            } catch {
+            }
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  await walk(extensionPath, "");
+  return files;
+}
+
+// src/rules/rule-registry.ts
+var RuleRegistry = class {
+  rules = /* @__PURE__ */ new Map();
+  register(rule) {
+    this.rules.set(rule.id, rule);
+  }
+  get(id) {
+    return this.rules.get(id);
+  }
+  getAll() {
+    return Array.from(this.rules.values());
+  }
+  getEnabled() {
+    return this.getAll().filter((rule) => rule.enabled);
+  }
+  getByCategory(category) {
+    return this.getAll().filter((rule) => rule.category === category);
+  }
+  getBySeverity(severity) {
+    return this.getAll().filter((rule) => rule.severity === severity);
+  }
+  clear() {
+    this.rules.clear();
+  }
+};
+var ruleRegistry = new RuleRegistry();
+
+// src/rules/rule-engine.ts
+import { randomUUID } from "crypto";
+var RuleEngine = class {
+  options;
+  constructor(options = {}) {
+    this.options = options;
+  }
+  run(files, manifest) {
+    const findings = [];
+    const rules = this.getApplicableRules();
+    for (const rule of rules) {
+      try {
+        const evidences = rule.detect(files, manifest);
+        for (const evidence of evidences) {
+          findings.push(this.createFinding(rule, evidence));
+        }
+      } catch {
+      }
+    }
+    return findings;
+  }
+  getApplicableRules() {
+    let rules = ruleRegistry.getEnabled();
+    if (this.options.rules && this.options.rules.length > 0) {
+      rules = rules.filter((r) => this.options.rules.includes(r.id));
+    }
+    if (this.options.skipRules && this.options.skipRules.length > 0) {
+      rules = rules.filter((r) => !this.options.skipRules.includes(r.id));
+    }
+    if (this.options.minSeverity) {
+      const minOrder = SEVERITY_ORDER[this.options.minSeverity];
+      rules = rules.filter((r) => SEVERITY_ORDER[r.severity] <= minOrder);
+    }
+    return rules;
+  }
+  createFinding(rule, evidence) {
+    return {
+      id: randomUUID(),
+      ruleId: rule.id,
+      severity: rule.severity,
+      category: rule.category,
+      title: rule.name,
+      description: rule.description,
+      evidence: {
+        filePath: evidence.filePath,
+        lineNumber: evidence.lineNumber,
+        columnNumber: evidence.columnNumber,
+        lineContent: evidence.lineContent,
+        contextBefore: evidence.contextBefore,
+        contextAfter: evidence.contextAfter,
+        matchedPattern: evidence.matchedPattern,
+        snippet: evidence.snippet
+      },
+      mitreAttackId: rule.mitreAttackId
+    };
+  }
+};
+
+// src/rules/built-in/crit-data-exfiltration.ts
+var SYSTEM_INFO_PATTERNS = [
+  { name: "os.hostname", pattern: /os\.hostname\s*\(\)/g },
+  { name: "os.userInfo", pattern: /os\.userInfo\s*\(\)/g },
+  { name: "os.platform", pattern: /os\.platform\s*\(\)/g },
+  { name: "os.arch", pattern: /os\.arch\s*\(\)/g },
+  { name: "os.networkInterfaces", pattern: /os\.networkInterfaces\s*\(\)/g },
+  { name: "os.cpus", pattern: /os\.cpus\s*\(\)/g },
+  { name: "os.homedir", pattern: /os\.homedir\s*\(\)/g },
+  { name: "process.env", pattern: /process\.env(?:\[|\.)/g }
+];
+var HTTP_TO_IP_PATTERN = /(?:https?\.request|fetch|axios\.(?:get|post|put|request))\s*\(\s*['"`]https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g;
+var critDataExfiltration = {
+  id: "EG-CRIT-001",
+  name: "Data Exfiltration Pattern",
+  description: "Detects code that collects system info and sends it to external servers via IP address",
+  severity: "critical",
+  category: "data-exfiltration",
+  mitreAttackId: "T1041",
+  enabled: true,
+  detect(files, _manifest) {
+    const evidences = [];
+    for (const [filePath, content] of files) {
+      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
+        continue;
+      }
+      const lines = content.split("\n");
+      let hasSystemInfo = false;
+      let systemInfoPatternName = "";
+      let systemInfoLine = 0;
+      for (const { name, pattern } of SYSTEM_INFO_PATTERNS) {
+        pattern.lastIndex = 0;
+        const match = pattern.exec(content);
+        if (match) {
+          hasSystemInfo = true;
+          systemInfoPatternName = name;
+          systemInfoLine = content.slice(0, match.index).split("\n").length;
+          break;
+        }
+      }
+      HTTP_TO_IP_PATTERN.lastIndex = 0;
+      const httpMatch = HTTP_TO_IP_PATTERN.exec(content);
+      if (hasSystemInfo && httpMatch) {
+        const httpToIpLine = content.slice(0, httpMatch.index).split("\n").length;
+        evidences.push({
+          filePath,
+          lineNumber: httpToIpLine,
+          lineContent: lines[httpToIpLine - 1]?.trim(),
+          matchedPattern: `${systemInfoPatternName} + http-to-ip`,
+          snippet: `System info (${systemInfoPatternName}) collected at line ${systemInfoLine}, sent to IP at line ${httpToIpLine}`
+        });
+      }
+    }
+    return evidences;
+  }
+};
+
+// src/rules/built-in/crit-remote-execution.ts
+var DANGEROUS_PATTERNS = [
+  { name: "eval", pattern: /\beval\s*\(/g },
+  { name: "Function-constructor", pattern: /new\s+Function\s*\(/g },
+  { name: "child_process-exec", pattern: /(?:require\s*\(\s*['"]child_process['"]\s*\)|child_process)\.exec\s*\(/g },
+  { name: "child_process-execSync", pattern: /(?:require\s*\(\s*['"]child_process['"]\s*\)|child_process)\.execSync\s*\(/g },
+  { name: "child_process-spawn-shell", pattern: /\.spawn\s*\([^)]*\{[^}]*shell\s*:\s*true/g },
+  { name: "vm-runInContext", pattern: /vm\.run(?:InContext|InNewContext|InThisContext)\s*\(/g },
+  { name: "vm-Script", pattern: /new\s+vm\.Script\s*\(/g }
+];
+var DYNAMIC_REQUIRE = /require\s*\(\s*(?:[^'"`\s)]|`[^`]*\$\{)/g;
+var critRemoteExecution = {
+  id: "EG-CRIT-002",
+  name: "Remote Code Execution",
+  description: "Detects dangerous code execution patterns like eval, exec, or dynamic require",
+  severity: "critical",
+  category: "remote-code-execution",
+  mitreAttackId: "T1059",
+  enabled: true,
+  detect(files, _manifest) {
+    const evidences = [];
+    for (const [filePath, content] of files) {
+      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (const { name, pattern } of DANGEROUS_PATTERNS) {
+        pattern.lastIndex = 0;
+        let match2;
+        while ((match2 = pattern.exec(content)) !== null) {
+          const lineNumber = content.slice(0, match2.index).split("\n").length;
+          evidences.push({
+            filePath,
+            lineNumber,
+            lineContent: lines[lineNumber - 1]?.trim(),
+            matchedPattern: name,
+            snippet: match2[0]
+          });
+        }
+      }
+      DYNAMIC_REQUIRE.lastIndex = 0;
+      let match;
+      while ((match = DYNAMIC_REQUIRE.exec(content)) !== null) {
+        const lineNumber = content.slice(0, match.index).split("\n").length;
+        evidences.push({
+          filePath,
+          lineNumber,
+          lineContent: lines[lineNumber - 1]?.trim(),
+          matchedPattern: "dynamic-require",
+          snippet: match[0]
+        });
+      }
+    }
+    return evidences;
+  }
+};
+
+// src/rules/built-in/crit-credential-access.ts
+var SENSITIVE_PATHS = [
+  { name: "ssh-keys", pattern: /['"`][^'"`]*\.ssh[/\\](?:id_rsa|id_ed25519|id_ecdsa|known_hosts|config|authorized_keys)[^'"`]*['"`]/gi },
+  { name: "gnupg", pattern: /['"`][^'"`]*\.gnupg[/\\][^'"`]*['"`]/gi },
+  { name: "aws-credentials", pattern: /['"`][^'"`]*\.aws[/\\]credentials[^'"`]*['"`]/gi },
+  { name: "azure-config", pattern: /['"`][^'"`]*\.azure[/\\][^'"`]*['"`]/gi },
+  { name: "kube-config", pattern: /['"`][^'"`]*\.kube[/\\]config[^'"`]*['"`]/gi },
+  { name: "git-credentials", pattern: /['"`][^'"`]*\.git-credentials[^'"`]*['"`]/gi },
+  { name: "env-file", pattern: /['"`][^'"`]*\.env(?:\.\w+)?['"`]/gi },
+  { name: "npmrc", pattern: /['"`][^'"`]*\.npmrc[^'"`]*['"`]/gi },
+  { name: "docker-config", pattern: /['"`][^'"`]*\.docker[/\\]config\.json[^'"`]*['"`]/gi },
+  { name: "netrc", pattern: /['"`][^'"`]*\.netrc[^'"`]*['"`]/gi }
+];
+var FILE_READ_CONTEXT = /(?:readFile|readFileSync|createReadStream|access|accessSync|exists|existsSync|stat|statSync|open|openSync)/;
+var critCredentialAccess = {
+  id: "EG-CRIT-003",
+  name: "Credential File Access",
+  description: "Detects attempts to read sensitive credential files like SSH keys, AWS credentials, or .env files",
+  severity: "critical",
+  category: "credential-theft",
+  mitreAttackId: "T1552.004",
+  enabled: true,
+  detect(files, _manifest) {
+    const evidences = [];
+    for (const [filePath, content] of files) {
+      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (const { name, pattern } of SENSITIVE_PATHS) {
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const startIndex = Math.max(0, match.index - 200);
+          const endIndex = Math.min(content.length, match.index + match[0].length + 200);
+          const context = content.slice(startIndex, endIndex);
+          if (FILE_READ_CONTEXT.test(context)) {
+            const lineNumber = content.slice(0, match.index).split("\n").length;
+            evidences.push({
+              filePath,
+              lineNumber,
+              lineContent: lines[lineNumber - 1]?.trim(),
+              matchedPattern: name,
+              snippet: match[0]
+            });
+          }
+        }
+      }
+    }
+    return evidences;
+  }
+};
+
+// src/rules/built-in/high-suspicious-network.ts
+var HTTP_TO_IP = /(?:fetch|axios(?:\.(?:get|post|put|delete|request))?|https?\.(?:get|post|request)|XMLHttpRequest)\s*\([^)]*['"`]https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g;
+var DYNAMIC_URL = /(?:fetch|axios|https?\.request)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*\w)/g;
+var WEBSOCKET_TO_IP = /new\s+WebSocket\s*\(\s*['"`]wss?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g;
+var UNUSUAL_PORTS = /['"`]https?:\/\/[^'"`:]+:(?!443|80|8080|3000|8443|5000)[0-9]{2,5}/g;
+var highSuspiciousNetwork = {
+  id: "EG-HIGH-002",
+  name: "Suspicious Network Activity",
+  description: "Detects network requests to IP addresses, dynamic URLs, or unusual ports",
+  severity: "high",
+  category: "suspicious-network",
+  mitreAttackId: "T1071",
+  enabled: true,
+  detect(files, _manifest) {
+    const evidences = [];
+    for (const [filePath, content] of files) {
+      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
+        continue;
+      }
+      const lines = content.split("\n");
+      const patterns = [
+        { pattern: HTTP_TO_IP, name: "http-to-ip" },
+        { pattern: DYNAMIC_URL, name: "dynamic-url" },
+        { pattern: WEBSOCKET_TO_IP, name: "websocket-to-ip" },
+        { pattern: UNUSUAL_PORTS, name: "unusual-port" }
+      ];
+      for (const { pattern, name } of patterns) {
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNumber = content.slice(0, match.index).split("\n").length;
+          evidences.push({
+            filePath,
+            lineNumber,
+            lineContent: lines[lineNumber - 1]?.trim(),
+            matchedPattern: name,
+            snippet: match[0].slice(0, 100)
+          });
+        }
+      }
+    }
+    return evidences;
+  }
+};
+
+// src/rules/built-in/high-obfuscated-code.ts
+var MIN_BASE64_LENGTH = 100;
+var BASE64_PATTERN = /['"`]([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?['"`]/g;
+var HEX_PATTERN = /(?:\\x[0-9a-fA-F]{2}){10,}/g;
+var CHAR_CODE_PATTERN = /String\.fromCharCode\s*\(\s*(?:\d+\s*,?\s*){5,}\)/g;
+var UNICODE_ESCAPE_PATTERN = /(?:\\u[0-9a-fA-F]{4}){10,}/g;
+function calculateEntropy(str) {
+  const len = str.length;
+  if (len === 0) return 0;
+  const freq = {};
+  for (const char of str) {
+    freq[char] = (freq[char] || 0) + 1;
+  }
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var highObfuscatedCode = {
+  id: "EG-HIGH-001",
+  name: "Code Obfuscation Detected",
+  description: "Detects heavily obfuscated code patterns that may hide malicious behavior",
+  severity: "high",
+  category: "code-obfuscation",
+  mitreAttackId: "T1027",
+  enabled: true,
+  detect(files, _manifest) {
+    const evidences = [];
+    for (const [filePath, content] of files) {
+      if (!filePath.endsWith(".js") && !filePath.endsWith(".ts")) {
+        continue;
+      }
+      const lines = content.split("\n");
+      BASE64_PATTERN.lastIndex = 0;
+      let match;
+      while ((match = BASE64_PATTERN.exec(content)) !== null) {
+        const base64Content = match[0].slice(1, -1);
+        if (base64Content.length >= MIN_BASE64_LENGTH) {
+          const lineNumber = content.slice(0, match.index).split("\n").length;
+          evidences.push({
+            filePath,
+            lineNumber,
+            lineContent: (lines[lineNumber - 1]?.trim() || "").slice(0, 80) + "...",
+            matchedPattern: "large-base64",
+            snippet: `Base64 string of ${base64Content.length} characters`
+          });
+        }
+      }
+      HEX_PATTERN.lastIndex = 0;
+      while ((match = HEX_PATTERN.exec(content)) !== null) {
+        const lineNumber = content.slice(0, match.index).split("\n").length;
+        evidences.push({
+          filePath,
+          lineNumber,
+          lineContent: (lines[lineNumber - 1]?.trim() || "").slice(0, 80) + "...",
+          matchedPattern: "hex-encoded",
+          snippet: match[0].slice(0, 50) + "..."
+        });
+      }
+      CHAR_CODE_PATTERN.lastIndex = 0;
+      while ((match = CHAR_CODE_PATTERN.exec(content)) !== null) {
+        const lineNumber = content.slice(0, match.index).split("\n").length;
+        evidences.push({
+          filePath,
+          lineNumber,
+          lineContent: lines[lineNumber - 1]?.trim(),
+          matchedPattern: "charcode-obfuscation",
+          snippet: match[0].slice(0, 80)
+        });
+      }
+      UNICODE_ESCAPE_PATTERN.lastIndex = 0;
+      while ((match = UNICODE_ESCAPE_PATTERN.exec(content)) !== null) {
+        const lineNumber = content.slice(0, match.index).split("\n").length;
+        evidences.push({
+          filePath,
+          lineNumber,
+          lineContent: (lines[lineNumber - 1]?.trim() || "").slice(0, 80) + "...",
+          matchedPattern: "unicode-escape",
+          snippet: match[0].slice(0, 50) + "..."
+        });
+      }
+      if (content.length > 5e3) {
+        const entropy = calculateEntropy(content);
+        if (entropy > 5.8) {
+          evidences.push({
+            filePath,
+            lineNumber: 1,
+            matchedPattern: "high-entropy",
+            snippet: `File entropy: ${entropy.toFixed(2)} (threshold: 5.8)`
+          });
+        }
+      }
+    }
+    return evidences;
+  }
+};
+
+// src/rules/built-in/high-hardcoded-secret.ts
+var MIN_SECRET_LENGTH = 8;
+var PLACEHOLDER_PATTERNS = [
+  /^your[_-]?/i,
+  /^<[^>]+>$/,
+  /^replace[_-]?me$/i,
+  /^xxx+$/i,
+  /^x{3,}[_-]x{3,}/i,
+  /^todo$/i,
+  /^fixme$/i,
+  /^example$/i,
+  /^placeholder$/i,
+  /^changeme$/i,
+  /^\*+$/,
+  /^\.+$/,
+  /^test$/i,
+  /^demo$/i
+];
+var EXCLUDED_FILE_PATTERNS = [
+  /\.test\.[jt]sx?$/,
+  /\.spec\.[jt]sx?$/,
+  /__tests__\//,
+  /(?:^|\/)test\//,
+  /(?:^|\/)tests\//,
+  /(?:^|\/)examples?\//,
+  /(?:^|\/)demo\//,
+  /\.md$/,
+  /\.txt$/,
+  /\.rst$/
+];
+var CODE_FILE_EXTENSIONS = [".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs"];
+var SECRET_PATTERNS = [
+  // AWS Access Key ID (starts with AKIA)
+  {
+    name: "aws-access-key",
+    pattern: /AKIA[0-9A-Z]{16}/g
+  },
+  // AWS Secret Access Key
+  {
+    name: "aws-secret-key",
+    pattern: /(?:aws[_-]?secret(?:[_-]?access)?[_-]?key|secret[_-]?access[_-]?key)\s*[:=]\s*['"`]([A-Za-z0-9/+=]{40})['"`]/gi,
+    matchGroup: 1
+  },
+  // GitHub tokens (ghp_, gho_, ghs_, ghr_)
+  {
+    name: "github-token",
+    pattern: /gh[pors]_[A-Za-z0-9]{36,}/g
+  },
+  // Slack tokens (xoxb-, xoxp-, xoxa-, xoxr-)
+  {
+    name: "slack-token",
+    pattern: /xox[bpar]-[0-9]+-[0-9]+-[A-Za-z0-9]+/g
+  },
+  // Private keys
+  {
+    name: "private-key",
+    pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g
+  },
+  // Bearer tokens (JWT format)
+  {
+    name: "bearer-token",
+    pattern: /Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)/g,
+    matchGroup: 1
+  },
+  // API key assignments
+  {
+    name: "api-key",
+    pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"`]([A-Za-z0-9_-]{16,})['"`]/gi,
+    matchGroup: 1
+  },
+  // Generic secrets (password, secret, token, passwd, pwd)
+  {
+    name: "generic-secret",
+    pattern: /(?:password|passwd|pwd|secret|token)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/gi,
+    matchGroup: 1
+  }
+];
+function isCodeFile(filePath) {
+  return CODE_FILE_EXTENSIONS.some((ext) => filePath.endsWith(ext));
+}
+function isExcludedFile(filePath) {
+  return EXCLUDED_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
+}
+function isPlaceholder(value) {
+  return PLACEHOLDER_PATTERNS.some((pattern) => pattern.test(value));
+}
+function isInComment(content, matchIndex) {
+  const lineStart = content.lastIndexOf("\n", matchIndex) + 1;
+  const lineContent = content.slice(lineStart, matchIndex);
+  if (lineContent.includes("//")) {
+    return true;
+  }
+  const beforeMatch = content.slice(0, matchIndex);
+  const lastBlockStart = beforeMatch.lastIndexOf("/*");
+  const lastBlockEnd = beforeMatch.lastIndexOf("*/");
+  if (lastBlockStart > lastBlockEnd) {
+    return true;
+  }
+  return false;
+}
+function getLineNumber(content, index) {
+  return content.slice(0, index).split("\n").length;
+}
+var highHardcodedSecret = {
+  id: "EG-HIGH-006",
+  name: "Hardcoded Secrets",
+  description: "Detects hardcoded API keys, tokens, passwords, and other secrets in code",
+  severity: "high",
+  category: "hardcoded-secret",
+  mitreAttackId: "T1552.001",
+  enabled: true,
+  detect(files, _manifest) {
+    const evidences = [];
+    for (const [filePath, content] of files) {
+      if (!isCodeFile(filePath)) {
+        continue;
+      }
+      if (isExcludedFile(filePath)) {
+        continue;
+      }
+      if (!content || content.trim().length === 0) {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (const secretPattern of SECRET_PATTERNS) {
+        secretPattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = secretPattern.pattern.exec(content)) !== null) {
+          const matchIndex = match.index;
+          if (isInComment(content, matchIndex)) {
+            continue;
+          }
+          const secretValue = secretPattern.matchGroup !== void 0 ? match[secretPattern.matchGroup] : match[0];
+          if (!secretValue) {
+            continue;
+          }
+          if (secretPattern.name === "generic-secret" && secretValue.length < MIN_SECRET_LENGTH) {
+            continue;
+          }
+          if (isPlaceholder(secretValue)) {
+            continue;
+          }
+          const lineNumber = getLineNumber(content, matchIndex);
+          const lineContent = lines[lineNumber - 1]?.trim() || "";
+          evidences.push({
+            filePath,
+            lineNumber,
+            lineContent: lineContent.length > 100 ? lineContent.slice(0, 100) + "..." : lineContent,
+            matchedPattern: secretPattern.name,
+            snippet: `Detected ${secretPattern.name}: ${secretValue.slice(0, 20)}${secretValue.length > 20 ? "..." : ""}`
+          });
+        }
+      }
+    }
+    return evidences;
+  }
+};
+
+// src/rules/built-in/med-excessive-activation.ts
+var medExcessiveActivation = {
+  id: "EG-MED-001",
+  name: "Excessive Activation Events",
+  description: 'Extension uses "*" activation event which means it activates on every action, potentially for surveillance',
+  severity: "medium",
+  category: "excessive-permission",
+  enabled: true,
+  detect(_files, manifest) {
+    const evidences = [];
+    const activationEvents = manifest.activationEvents ?? [];
+    if (activationEvents.includes("*")) {
+      evidences.push({
+        filePath: "package.json",
+        lineNumber: 1,
+        matchedPattern: "activation-star",
+        snippet: 'activationEvents: ["*"]',
+        lineContent: "Extension activates on every VS Code action"
+      });
+    }
+    if (activationEvents.includes("onStartupFinished")) {
+      evidences.push({
+        filePath: "package.json",
+        lineNumber: 1,
+        matchedPattern: "activation-startup",
+        snippet: 'activationEvents: ["onStartupFinished"]',
+        lineContent: "Extension activates immediately on VS Code startup"
+      });
+    }
+    return evidences;
+  }
+};
+
+// src/rules/built-in/index.ts
+function registerBuiltInRules() {
+  ruleRegistry.register(critDataExfiltration);
+  ruleRegistry.register(critRemoteExecution);
+  ruleRegistry.register(critCredentialAccess);
+  ruleRegistry.register(highSuspiciousNetwork);
+  ruleRegistry.register(highObfuscatedCode);
+  ruleRegistry.register(highHardcodedSecret);
+  ruleRegistry.register(medExcessiveActivation);
+}
+
+// src/scanner/scanner.ts
+var rulesRegistered = false;
+function ensureRulesRegistered() {
+  if (!rulesRegistered) {
+    registerBuiltInRules();
+    rulesRegistered = true;
+  }
+}
+var DEFAULT_OPTIONS = {
+  idePaths: [],
+  autoDetect: true,
+  severity: "info",
+  rules: [],
+  skipRules: [],
+  concurrency: 4,
+  timeout: 3e4
+};
+var SEVERITY_PENALTY = {
+  critical: 35,
+  high: 18,
+  medium: 8,
+  low: 3,
+  info: 1
+};
+var ExtensionGuardScanner = class {
+  options;
+  ruleEngine;
+  constructor(options) {
+    ensureRulesRegistered();
+    this.options = { ...DEFAULT_OPTIONS, ...options };
+    this.ruleEngine = new RuleEngine({
+      rules: this.options.rules.length > 0 ? this.options.rules : void 0,
+      skipRules: this.options.skipRules.length > 0 ? this.options.skipRules : void 0,
+      minSeverity: this.options.severity
+    });
+  }
+  async scan(options) {
+    const startTime = Date.now();
+    const mergedOptions = { ...this.options, ...options };
+    let ides;
+    if (mergedOptions.autoDetect && mergedOptions.idePaths.length === 0) {
+      ides = detectIDEPaths();
+    } else {
+      ides = mergedOptions.idePaths.map((p) => ({
+        name: "Custom",
+        path: p,
+        extensionCount: 0
+      }));
+    }
+    const allExtensions = await Promise.all(
+      ides.map((ide) => readExtensionsFromDirectory(ide.path))
+    );
+    const extensionMap = /* @__PURE__ */ new Map();
+    for (let i = 0; i < ides.length; i++) {
+      const ide = ides[i];
+      for (const ext of allExtensions[i]) {
+        if (!extensionMap.has(ext.id)) {
+          extensionMap.set(ext.id, { ide, ext });
+        }
+      }
+      ide.extensionCount = allExtensions[i].length;
+    }
+    const results = [];
+    for (const { ext } of extensionMap.values()) {
+      const result = await this.scanExtension(ext);
+      results.push(result);
+    }
+    const summary = this.calculateSummary(results);
+    return {
+      scanId: randomUUID2(),
+      version: VERSION,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      environment: {
+        os: `${os2.platform()} ${os2.release()}`,
+        ides
+      },
+      totalExtensions: Array.from(allExtensions).reduce((sum, arr) => sum + arr.length, 0),
+      uniqueExtensions: extensionMap.size,
+      results,
+      summary,
+      scanDurationMs: Date.now() - startTime
+    };
+  }
+  async scanExtension(ext) {
+    const startTime = Date.now();
+    const files = await collectFiles(ext.installPath);
+    const manifestContent = files.get("package.json");
+    let manifest = {
+      name: ext.id.split(".")[1] || ext.id,
+      publisher: ext.publisher.name,
+      version: ext.version
+    };
+    if (manifestContent) {
+      try {
+        manifest = JSON.parse(manifestContent);
+      } catch {
+      }
+    }
+    const findings = this.ruleEngine.run(files, manifest);
+    const trustScore = this.calculateTrustScore(findings);
+    const riskLevel = this.calculateRiskLevel(trustScore, findings);
+    return {
+      extensionId: ext.id,
+      displayName: ext.displayName,
+      version: ext.version,
+      trustScore,
+      riskLevel,
+      findings,
+      metadata: ext,
+      analyzedFiles: files.size,
+      scanDurationMs: Date.now() - startTime
+    };
+  }
+  calculateTrustScore(findings) {
+    let score = 100;
+    for (const finding of findings) {
+      score -= SEVERITY_PENALTY[finding.severity];
+    }
+    return Math.max(0, Math.min(100, score));
+  }
+  calculateRiskLevel(trustScore, findings) {
+    if (findings.some((f) => f.severity === "critical")) {
+      return "critical";
+    }
+    if (findings.some((f) => f.severity === "high")) {
+      return "high";
+    }
+    if (trustScore >= 90) return "safe";
+    if (trustScore >= 70) return "low";
+    if (trustScore >= 45) return "medium";
+    if (trustScore >= 20) return "high";
+    return "critical";
+  }
+  calculateSummary(results) {
+    const byRiskLevel = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      safe: 0
+    };
+    const bySeverity = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      info: 0
+    };
+    const byCategory = {};
+    for (const result of results) {
+      byRiskLevel[result.riskLevel]++;
+      for (const finding of result.findings) {
+        bySeverity[finding.severity]++;
+        byCategory[finding.category] = (byCategory[finding.category] ?? 0) + 1;
+      }
+    }
+    const allFindings = results.flatMap((r) => r.findings);
+    const severityOrder = {
+      critical: 0,
+      high: 1,
+      medium: 2,
+      low: 3,
+      info: 4
+    };
+    const topFindings = allFindings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]).slice(0, 10);
+    const totalExtensions = results.length;
+    const safeCount = byRiskLevel.safe + byRiskLevel.low;
+    const overallHealthScore = totalExtensions > 0 ? Math.round(safeCount / totalExtensions * 100) : 100;
+    return {
+      byRiskLevel,
+      bySeverity,
+      byCategory,
+      topFindings,
+      overallHealthScore
+    };
+  }
+};
+
+// src/reporter/json-reporter.ts
+var SEVERITY_ORDER2 = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3,
+  info: 4
+};
+var JsonReporter = class {
+  format = "json";
+  generate(report, options = {}) {
+    const {
+      includeEvidence = true,
+      includeSafe = true,
+      minSeverity = "info"
+    } = options;
+    const filteredResults = this.filterResults(report.results, {
+      includeSafe,
+      minSeverity,
+      includeEvidence
+    });
+    const output = {
+      ...report,
+      results: filteredResults
+    };
+    return JSON.stringify(output, null, 2);
+  }
+  filterResults(results, options) {
+    let filtered = results;
+    if (!options.includeSafe) {
+      filtered = filtered.filter((r) => r.riskLevel !== "safe" && r.riskLevel !== "low");
+    }
+    const minOrder = SEVERITY_ORDER2[options.minSeverity];
+    return filtered.map((result) => {
+      const filteredFindings = result.findings.filter(
+        (f) => SEVERITY_ORDER2[f.severity] <= minOrder
+      );
+      const findingsOutput = options.includeEvidence ? filteredFindings : filteredFindings.map(({ evidence, ...rest }) => rest);
+      return {
+        ...result,
+        findings: findingsOutput
+      };
+    });
+  }
+};
+
+// src/reporter/sarif-reporter.ts
+var SEVERITY_TO_LEVEL = {
+  critical: "error",
+  high: "error",
+  medium: "warning",
+  low: "note",
+  info: "note"
+};
+var SEVERITY_TO_SCORE = {
+  critical: "9.0",
+  high: "7.0",
+  medium: "5.0",
+  low: "3.0",
+  info: "1.0"
+};
+var SarifReporter = class {
+  format = "sarif";
+  generate(report, _options) {
+    const rules = this.extractRules(report);
+    const results = this.extractResults(report, rules);
+    const sarif = {
+      $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+      version: "2.1.0",
+      runs: [
+        {
+          tool: {
+            driver: {
+              name: "Extension Guard",
+              version: report.version,
+              informationUri: "https://github.com/aspect-guard/extension-guard",
+              rules
+            }
+          },
+          results
+        }
+      ]
+    };
+    return JSON.stringify(sarif, null, 2);
+  }
+  extractRules(report) {
+    const ruleMap = /* @__PURE__ */ new Map();
+    for (const result of report.results) {
+      for (const finding of result.findings) {
+        if (!ruleMap.has(finding.ruleId)) {
+          ruleMap.set(finding.ruleId, {
+            id: finding.ruleId,
+            name: finding.title,
+            shortDescription: { text: finding.title },
+            fullDescription: { text: finding.description },
+            defaultConfiguration: { level: SEVERITY_TO_LEVEL[finding.severity] || "note" },
+            properties: {
+              "security-severity": SEVERITY_TO_SCORE[finding.severity] || "1.0",
+              tags: ["security", finding.category]
+            }
+          });
+        }
+      }
+    }
+    return Array.from(ruleMap.values());
+  }
+  extractResults(report, rules) {
+    const results = [];
+    const ruleIndexMap = new Map(rules.map((r, i) => [r.id, i]));
+    for (const scanResult of report.results) {
+      for (const finding of scanResult.findings) {
+        const ruleIndex = ruleIndexMap.get(finding.ruleId) ?? 0;
+        results.push({
+          ruleId: finding.ruleId,
+          ruleIndex,
+          level: SEVERITY_TO_LEVEL[finding.severity] || "note",
+          message: {
+            text: `${finding.title} in ${scanResult.extensionId}: ${finding.description}`
+          },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: {
+                  uri: `${scanResult.extensionId}/${finding.evidence.filePath}`
+                },
+                region: finding.evidence.lineNumber ? {
+                  startLine: finding.evidence.lineNumber,
+                  startColumn: finding.evidence.columnNumber
+                } : void 0
+              }
+            }
+          ],
+          properties: {
+            extensionId: scanResult.extensionId,
+            trustScore: scanResult.trustScore,
+            mitreAttackId: finding.mitreAttackId
+          }
+        });
+      }
+    }
+    return results;
+  }
+};
+
+// src/reporter/markdown-reporter.ts
+var SEVERITY_EMOJI = {
+  critical: "\u{1F534}",
+  high: "\u{1F7E0}",
+  medium: "\u{1F7E1}",
+  low: "\u{1F7E2}",
+  info: "\u26AA"
+};
+var RISK_EMOJI = {
+  critical: "\u26D4",
+  high: "\u{1F534}",
+  medium: "\u{1F7E1}",
+  low: "\u{1F7E2}",
+  safe: "\u2705"
+};
+var MarkdownReporter = class {
+  format = "markdown";
+  generate(report, options = {}) {
+    const { includeSafe = false } = options;
+    const lines = [];
+    lines.push("# Extension Guard Scan Report");
+    lines.push("");
+    lines.push(`**Scan ID:** \`${report.scanId}\``);
+    lines.push(`**Date:** ${new Date(report.timestamp).toLocaleString()}`);
+    lines.push(`**Extension Guard Version:** ${report.version}`);
+    lines.push("");
+    lines.push("## Environment");
+    lines.push("");
+    lines.push(`- **OS:** ${report.environment.os}`);
+    for (const ide of report.environment.ides) {
+      lines.push(`- **${ide.name}:** ${ide.path} (${ide.extensionCount} extensions)`);
+    }
+    lines.push("");
+    lines.push("## Summary");
+    lines.push("");
+    lines.push(`| Metric | Value |`);
+    lines.push(`|--------|-------|`);
+    lines.push(`| Total Extensions | ${report.totalExtensions} |`);
+    lines.push(`| Unique Extensions | ${report.uniqueExtensions} |`);
+    lines.push(`| Health Score | ${report.summary.overallHealthScore}% |`);
+    lines.push(`| Scan Duration | ${(report.scanDurationMs / 1e3).toFixed(2)}s |`);
+    lines.push("");
+    lines.push("### Risk Level Distribution");
+    lines.push("");
+    lines.push("| Risk Level | Count |");
+    lines.push("|------------|-------|");
+    for (const [level, count] of Object.entries(report.summary.byRiskLevel)) {
+      if (count > 0 || includeSafe) {
+        lines.push(`| ${RISK_EMOJI[level] || ""} ${level} | ${count} |`);
+      }
+    }
+    lines.push("");
+    const totalFindings = Object.values(report.summary.bySeverity).reduce((a, b) => a + b, 0);
+    if (totalFindings > 0) {
+      lines.push("### Findings by Severity");
+      lines.push("");
+      lines.push("| Severity | Count |");
+      lines.push("|----------|-------|");
+      for (const [severity, count] of Object.entries(report.summary.bySeverity)) {
+        if (count > 0) {
+          lines.push(`| ${SEVERITY_EMOJI[severity] || ""} ${severity} | ${count} |`);
+        }
+      }
+      lines.push("");
+    }
+    const riskyResults = report.results.filter(
+      (r) => r.riskLevel === "critical" || r.riskLevel === "high"
+    );
+    if (riskyResults.length > 0) {
+      lines.push("## \u26A0\uFE0F High Risk Extensions");
+      lines.push("");
+      for (const result of riskyResults) {
+        lines.push(...this.formatExtensionResult(result));
+      }
+    }
+    const mediumResults = report.results.filter((r) => r.riskLevel === "medium");
+    if (mediumResults.length > 0) {
+      lines.push("## Medium Risk Extensions");
+      lines.push("");
+      for (const result of mediumResults) {
+        lines.push(...this.formatExtensionResult(result));
+      }
+    }
+    if (includeSafe) {
+      const safeResults = report.results.filter(
+        (r) => r.riskLevel === "safe" || r.riskLevel === "low"
+      );
+      if (safeResults.length > 0) {
+        lines.push("## \u2705 Safe Extensions");
+        lines.push("");
+        lines.push("| Extension | Version | Trust Score |");
+        lines.push("|-----------|---------|-------------|");
+        for (const result of safeResults) {
+          lines.push(`| ${result.extensionId} | ${result.version} | ${result.trustScore}/100 |`);
+        }
+        lines.push("");
+      }
+    }
+    lines.push("---");
+    lines.push("");
+    lines.push("*Generated by [Extension Guard](https://github.com/aspect-guard/extension-guard)*");
+    return lines.join("\n");
+  }
+  formatExtensionResult(result) {
+    const lines = [];
+    lines.push(`### ${RISK_EMOJI[result.riskLevel] || ""} ${result.extensionId}`);
+    lines.push("");
+    lines.push(`- **Display Name:** ${result.displayName}`);
+    lines.push(`- **Version:** ${result.version}`);
+    lines.push(`- **Publisher:** ${result.metadata.publisher.name}`);
+    lines.push(`- **Trust Score:** ${result.trustScore}/100`);
+    lines.push(`- **Risk Level:** ${result.riskLevel}`);
+    lines.push("");
+    if (result.findings.length > 0) {
+      lines.push("#### Findings");
+      lines.push("");
+      for (const finding of result.findings) {
+        lines.push(...this.formatFinding(finding));
+      }
+    }
+    return lines;
+  }
+  formatFinding(finding) {
+    const lines = [];
+    const emoji = SEVERITY_EMOJI[finding.severity] || "";
+    lines.push(`- ${emoji} **${finding.severity.toUpperCase()}:** ${finding.title}`);
+    lines.push(`  - ${finding.description}`);
+    if (finding.evidence.filePath) {
+      const location = finding.evidence.lineNumber ? `${finding.evidence.filePath}:${finding.evidence.lineNumber}` : finding.evidence.filePath;
+      lines.push(`  - \u{1F4CD} Location: \`${location}\``);
+    }
+    if (finding.mitreAttackId) {
+      lines.push(`  - \u{1F3AF} MITRE ATT&CK: ${finding.mitreAttackId}`);
+    }
+    lines.push("");
+    return lines;
+  }
+};
+
+// src/policy/policy-loader.ts
+import * as fs4 from "fs/promises";
+import * as path4 from "path";
+var DEFAULT_CONFIG_NAME = ".extension-guard.json";
+async function loadPolicyConfig(configPath) {
+  const resolvedPath = configPath ?? path4.join(process.cwd(), DEFAULT_CONFIG_NAME);
+  try {
+    const content = await fs4.readFile(resolvedPath, "utf-8");
+    const config = JSON.parse(content);
+    validatePolicyConfig(config);
+    return config;
+  } catch (error) {
+    if (isNodeError(error) && error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+function validatePolicyConfig(config) {
+  if (typeof config !== "object" || config === null) {
+    throw new Error("Policy config must be an object");
+  }
+  const obj = config;
+  if (typeof obj.version !== "string") {
+    throw new Error('Policy config must have a "version" field of type string');
+  }
+  if (obj.scanning !== void 0) {
+    validateScanningConfig(obj.scanning);
+  }
+  if (obj.policy !== void 0) {
+    validatePolicySection(obj.policy);
+  }
+}
+function validateScanningConfig(scanning) {
+  if (typeof scanning !== "object" || scanning === null) {
+    throw new Error("scanning must be an object");
+  }
+  const obj = scanning;
+  if (obj.minSeverity !== void 0) {
+    const validSeverities = ["critical", "high", "medium", "low", "info"];
+    if (!validSeverities.includes(obj.minSeverity)) {
+      throw new Error(`scanning.minSeverity must be one of: ${validSeverities.join(", ")}`);
+    }
+  }
+  if (obj.skipRules !== void 0) {
+    if (!Array.isArray(obj.skipRules) || !obj.skipRules.every((r) => typeof r === "string")) {
+      throw new Error("scanning.skipRules must be an array of strings");
+    }
+  }
+  if (obj.timeout !== void 0) {
+    if (typeof obj.timeout !== "number" || obj.timeout <= 0) {
+      throw new Error("scanning.timeout must be a positive number");
+    }
+  }
+}
+function validatePolicySection(policy) {
+  if (typeof policy !== "object" || policy === null) {
+    throw new Error("policy must be an object");
+  }
+  const obj = policy;
+  if (obj.allowlist !== void 0) {
+    if (!Array.isArray(obj.allowlist) || !obj.allowlist.every((id) => typeof id === "string")) {
+      throw new Error("policy.allowlist must be an array of extension ID strings");
+    }
+  }
+  if (obj.blocklist !== void 0) {
+    if (!Array.isArray(obj.blocklist) || !obj.blocklist.every((id) => typeof id === "string")) {
+      throw new Error("policy.blocklist must be an array of extension ID strings");
+    }
+  }
+  if (obj.rules !== void 0) {
+    validatePolicyRules(obj.rules);
+  }
+}
+function validatePolicyRules(rules) {
+  if (typeof rules !== "object" || rules === null) {
+    throw new Error("policy.rules must be an object");
+  }
+  const obj = rules;
+  const validActions = ["block", "warn", "info"];
+  if (obj.minTrustScore !== void 0) {
+    const rule = obj.minTrustScore;
+    if (typeof rule.threshold !== "number" || rule.threshold < 0 || rule.threshold > 100) {
+      throw new Error("minTrustScore.threshold must be a number between 0 and 100");
+    }
+    if (!validActions.includes(rule.action)) {
+      throw new Error(`minTrustScore.action must be one of: ${validActions.join(", ")}`);
+    }
+  }
+  if (obj.requireVerifiedPublisher !== void 0) {
+    const rule = obj.requireVerifiedPublisher;
+    if (typeof rule.enabled !== "boolean") {
+      throw new Error("requireVerifiedPublisher.enabled must be a boolean");
+    }
+    if (!validActions.includes(rule.action)) {
+      throw new Error(`requireVerifiedPublisher.action must be one of: ${validActions.join(", ")}`);
+    }
+    if (rule.exceptions !== void 0) {
+      if (!Array.isArray(rule.exceptions) || !rule.exceptions.every((e) => typeof e === "string")) {
+        throw new Error("requireVerifiedPublisher.exceptions must be an array of strings");
+      }
+    }
+  }
+  if (obj.maxDaysSinceUpdate !== void 0) {
+    const rule = obj.maxDaysSinceUpdate;
+    if (typeof rule.days !== "number" || rule.days <= 0) {
+      throw new Error("maxDaysSinceUpdate.days must be a positive number");
+    }
+    if (!validActions.includes(rule.action)) {
+      throw new Error(`maxDaysSinceUpdate.action must be one of: ${validActions.join(", ")}`);
+    }
+  }
+  if (obj.blockObfuscated !== void 0) {
+    const rule = obj.blockObfuscated;
+    if (typeof rule.enabled !== "boolean") {
+      throw new Error("blockObfuscated.enabled must be a boolean");
+    }
+    if (!validActions.includes(rule.action)) {
+      throw new Error(`blockObfuscated.action must be one of: ${validActions.join(", ")}`);
+    }
+  }
+}
+function isNodeError(error) {
+  return error instanceof Error && "code" in error;
+}
+
+// src/policy/policy-engine.ts
+var OBFUSCATION_RULE_ID = "EG-HIGH-001";
+var MS_PER_DAY = 1e3 * 60 * 60 * 24;
+var PolicyEngine = class {
+  /**
+   * Create a new PolicyEngine instance.
+   *
+   * @param config - The policy configuration to evaluate against
+   */
+  constructor(config) {
+    this.config = config;
+  }
+  violations = [];
+  /**
+   * Evaluate scan results against the configured policy.
+   *
+   * Checks are applied in this order for each extension:
+   * 1. Blocklist - if matched, block immediately and skip other checks
+   * 2. Allowlist - if matched, skip all other checks
+   * 3. Individual rules (minTrustScore, blockObfuscated, etc.)
+   *
+   * @param results - Array of scan results to evaluate
+   * @returns Array of policy violations found
+   */
+  evaluate(results) {
+    this.violations = [];
+    for (const result of results) {
+      const extId = result.extensionId;
+      if (this.config.policy?.blocklist?.includes(extId)) {
+        this.violations.push({
+          extensionId: extId,
+          rule: "blocklist",
+          message: "Extension is blocklisted",
+          action: "block"
+        });
+        continue;
+      }
+      if (this.config.policy?.allowlist?.includes(extId)) {
+        continue;
+      }
+      this.checkMinTrustScore(result);
+      this.checkBlockObfuscated(result);
+      this.checkRequireVerifiedPublisher(result);
+      this.checkMaxDaysSinceUpdate(result);
+    }
+    return this.violations;
+  }
+  /**
+   * Check if there are any violations with 'block' action.
+   *
+   * @returns true if any blocking violations exist
+   */
+  hasBlockingViolations() {
+    return this.violations.some((v) => v.action === "block");
+  }
+  /**
+   * Get all violations from the last evaluation.
+   *
+   * @returns Array of all policy violations
+   */
+  getViolations() {
+    return this.violations;
+  }
+  /**
+   * Check minTrustScore rule.
+   */
+  checkMinTrustScore(result) {
+    const rule = this.config.policy?.rules?.minTrustScore;
+    if (!rule) return;
+    if (result.trustScore < rule.threshold) {
+      this.violations.push({
+        extensionId: result.extensionId,
+        rule: "minTrustScore",
+        message: `Trust score ${result.trustScore} below threshold ${rule.threshold}`,
+        action: rule.action
+      });
+    }
+  }
+  /**
+   * Check blockObfuscated rule.
+   */
+  checkBlockObfuscated(result) {
+    const rule = this.config.policy?.rules?.blockObfuscated;
+    if (!rule?.enabled) return;
+    const hasObfuscation = result.findings.some((f) => f.ruleId === OBFUSCATION_RULE_ID);
+    if (hasObfuscation) {
+      this.violations.push({
+        extensionId: result.extensionId,
+        rule: "blockObfuscated",
+        message: "Extension contains obfuscated code",
+        action: rule.action
+      });
+    }
+  }
+  /**
+   * Check requireVerifiedPublisher rule.
+   */
+  checkRequireVerifiedPublisher(result) {
+    const rule = this.config.policy?.rules?.requireVerifiedPublisher;
+    if (!rule?.enabled) return;
+    const metadata = result.metadata;
+    if (!metadata.publisher.verified) {
+      if (rule.exceptions?.includes(result.extensionId)) {
+        return;
+      }
+      this.violations.push({
+        extensionId: result.extensionId,
+        rule: "requireVerifiedPublisher",
+        message: "Extension publisher is not verified",
+        action: rule.action
+      });
+    }
+  }
+  /**
+   * Check maxDaysSinceUpdate rule.
+   */
+  checkMaxDaysSinceUpdate(result) {
+    const rule = this.config.policy?.rules?.maxDaysSinceUpdate;
+    if (!rule) return;
+    const metadata = result.metadata;
+    if (!metadata.lastUpdated) return;
+    const lastUpdatedDate = new Date(metadata.lastUpdated);
+    const daysSinceUpdate = Math.floor((Date.now() - lastUpdatedDate.getTime()) / MS_PER_DAY);
+    if (daysSinceUpdate > rule.days) {
+      this.violations.push({
+        extensionId: result.extensionId,
+        rule: "maxDaysSinceUpdate",
+        message: `Extension not updated in ${daysSinceUpdate} days (max: ${rule.days})`,
+        action: rule.action
+      });
+    }
+  }
+};
+
+// src/index.ts
+var VERSION = "0.1.0";
+export {
+  ExtensionGuardScanner,
+  IDE_PATHS,
+  JsonReporter,
+  MarkdownReporter,
+  PolicyEngine,
+  RuleEngine,
+  SEVERITY_ORDER,
+  SarifReporter,
+  VERSION,
+  collectFiles,
+  compareSeverity,
+  detectIDEPaths,
+  expandPath,
+  isAtLeastSeverity,
+  loadPolicyConfig,
+  readExtension,
+  readExtensionsFromDirectory,
+  registerBuiltInRules,
+  ruleRegistry,
+  shouldCollectFile
+};
+//# sourceMappingURL=index.js.map