@blacksandscyber/mcp-server-bursar 0.5.0

package/build/shield/discovery/environmentScanner.js

@@ -0,0 +1,545 @@
+"use strict";
+/**
+ * macOS environment scanner — Phase 1, READ-ONLY host inspection.
+ *
+ * Produces the raw infra-plane material (host + networks + containers + volumes
+ * + candidate service nodes) that {@link topologyNormalizer} folds into the
+ * frozen topology envelope. The vocabulary here is deliberately neutral; the
+ * normalizer is responsible for conforming to the viz contract.
+ *
+ * SECURITY MODEL (hard requirements):
+ *   - Only the three allowlisted binaries below are ever executed.
+ *   - Every spawn uses execFile with an ARGUMENT ARRAY — never a shell string,
+ *     never string-interpolation of any value. There is nothing untrusted to
+ *     interpolate (all args are literals), but we keep the discipline anyway.
+ *   - Every spawn has a timeout. A missing binary, a non-zero exit, malformed
+ *     output, or a timeout DEGRADES GRACEFULLY: we return whatever we have plus
+ *     a human-readable note. The tool must never crash.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanMacEnvironment = scanMacEnvironment;
+const node_child_process_1 = require("node:child_process");
+const os = __importStar(require("node:os"));
+const logger_1 = require("../../shared/logger");
+// ── Binary allowlist ────────────────────────────────────────────────────────
+// Apple Containerization CLI, plus two read-only port inspectors.
+const ALLOWED_BINARIES = ["container", "lsof", "netstat"];
+const EXEC_TIMEOUT_MS = 8_000;
+const MAX_BUFFER = 8 * 1024 * 1024; // 8 MB — container inspect on a busy host
+function runAllowed(binary, args) {
+    // Defensive: the type system already constrains `binary`, but assert at
+    // runtime so a future refactor can't smuggle in an arbitrary command.
+    if (!ALLOWED_BINARIES.includes(binary)) {
+        return Promise.resolve({ ok: false, stdout: "", stderr: "", error: `binary not allowlisted: ${binary}` });
+    }
+    return new Promise((resolve) => {
+        (0, node_child_process_1.execFile)(binary, args, { timeout: EXEC_TIMEOUT_MS, maxBuffer: MAX_BUFFER, windowsHide: true }, (err, stdout, stderr) => {
+            if (err) {
+                // ENOENT → binary absent. Other errors → ran but failed/timed out.
+                const isMissing = err.code === "ENOENT";
+                resolve({
+                    ok: false,
+                    stdout: stdout ?? "",
+                    stderr: stderr ?? "",
+                    error: isMissing ? "missing" : err.message,
+                });
+                return;
+            }
+            resolve({ ok: true, stdout: stdout ?? "", stderr: stderr ?? "", error: null });
+        });
+    });
+}
+/** Best-effort JSON parse; returns null instead of throwing. */
+function tryParseJson(text) {
+    const trimmed = text.trim();
+    if (!trimmed)
+        return null;
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch {
+        // Some CLIs emit newline-delimited JSON objects (one per line). Try that.
+        const lines = trimmed.split("\n").map((l) => l.trim()).filter(Boolean);
+        const out = [];
+        for (const line of lines) {
+            try {
+                out.push(JSON.parse(line));
+            }
+            catch {
+                return null; // not NDJSON either — caller falls back to text parsing
+            }
+        }
+        return out.length ? out : null;
+    }
+}
+// Pull a string field by trying several candidate key names (CLIs differ).
+function pick(obj, keys) {
+    for (const k of keys) {
+        const v = obj[k];
+        if (typeof v === "string" && v.length)
+            return v;
+        if (typeof v === "number")
+            return String(v);
+    }
+    return null;
+}
+function asRecord(v) {
+    return v && typeof v === "object" && !Array.isArray(v) ? v : null;
+}
+// ── Host facts (pure Node, no subprocess) ────────────────────────────────────
+function collectHostFacts(containerCliPresent) {
+    const cpus = os.cpus() ?? [];
+    const totalMemBytes = os.totalmem();
+    const ifaces = os.networkInterfaces();
+    const interfaces = [];
+    for (const [name, addrs] of Object.entries(ifaces)) {
+        for (const a of addrs ?? []) {
+            if (a.internal)
+                continue; // skip loopback
+            const fam = a.family;
+            interfaces.push({
+                name,
+                address: a.address,
+                family: typeof fam === "number" ? `IPv${fam}` : fam,
+                cidr: a.cidr ?? null,
+            });
+        }
+    }
+    return {
+        hostname: os.hostname(),
+        arch: os.arch(),
+        platform: os.platform(),
+        release: os.release(),
+        vcpu: cpus.length,
+        cpuModel: cpus[0]?.model?.trim() ?? "unknown",
+        totalMemBytes,
+        totalMemGB: `${Math.round(totalMemBytes / 1024 ** 3)} GB`,
+        interfaces,
+        containerCliPresent,
+    };
+}
+// ── Apple `container` CLI parsing ────────────────────────────────────────────
+//
+// The Apple Containerization `container` CLI is young and its `--format json`
+// support varies by version, so each parser tries JSON first and falls back to
+// whitespace-delimited text. We never assume a fixed column layout beyond the
+// first token being an id/name.
+async function listContainers(notes) {
+    // `--all` so stopped containers appear (the viz shows stopped nodes).
+    const json = await runAllowed("container", ["ls", "--all", "--format", "json"]);
+    if (json.ok) {
+        const parsed = tryParseJson(json.stdout);
+        const arr = Array.isArray(parsed) ? parsed : parsed != null ? [parsed] : [];
+        if (arr.length) {
+            const out = [];
+            for (const raw of arr) {
+                const rec = asRecord(raw);
+                if (!rec)
+                    continue;
+                const id = pick(rec, ["id", "ID", "Id"]) ?? pick(rec, ["name", "Name"]) ?? "";
+                if (!id)
+                    continue;
+                const name = pick(rec, ["name", "Name"]) ?? id;
+                const statusText = (pick(rec, ["status", "Status", "state", "State"]) ?? "unknown").toLowerCase();
+                out.push({
+                    id,
+                    name,
+                    image: pick(rec, ["image", "Image"]),
+                    status: statusText,
+                    running: statusText.includes("run") || statusText.includes("up"),
+                    ip: pick(rec, ["ip", "IP", "address", "Address"]),
+                    networks: extractNetworkNames(rec),
+                    volumes: [],
+                    ports: extractPorts(rec),
+                    command: pick(rec, ["command", "Command", "cmd"]),
+                });
+            }
+            if (out.length) {
+                await enrichContainers(out, notes);
+                return out;
+            }
+        }
+        // JSON requested but unparseable — fall through to text mode.
+        notes.push("container ls --format json returned unparseable output; used text fallback");
+    }
+    else if (json.error === "missing") {
+        notes.push("`container` CLI not found — container/network/volume discovery skipped");
+        return [];
+    }
+    else {
+        notes.push(`container ls failed (${json.error}); attempting text fallback`);
+    }
+    // Text fallback: `container ls --all` columnar output. First column = id/name.
+    const text = await runAllowed("container", ["ls", "--all"]);
+    if (!text.ok) {
+        if (text.error === "missing") {
+            notes.push("`container` CLI not found — container discovery skipped");
+        }
+        else {
+            notes.push(`container ls (text) failed (${text.error}); no containers discovered`);
+        }
+        return [];
+    }
+    const containers = parseContainerTable(text.stdout);
+    await enrichContainers(containers, notes);
+    return containers;
+}
+function extractNetworkNames(rec) {
+    const v = rec["networks"] ?? rec["Networks"] ?? rec["network"] ?? rec["Network"];
+    if (Array.isArray(v)) {
+        return v.map((n) => (typeof n === "string" ? n : asRecord(n) ? pick(asRecord(n), ["name", "Name"]) : null))
+            .filter((x) => !!x);
+    }
+    if (typeof v === "string" && v)
+        return [v];
+    return [];
+}
+function extractPorts(rec) {
+    const v = rec["ports"] ?? rec["Ports"] ?? rec["portMappings"] ?? rec["PortMappings"];
+    if (Array.isArray(v)) {
+        return v.map((p) => (typeof p === "string" ? p : asRecord(p) ? JSON.stringify(p) : null))
+            .filter((x) => !!x);
+    }
+    if (typeof v === "string" && v)
+        return [v];
+    return [];
+}
+function parseContainerTable(stdout) {
+    const lines = stdout.split("\n").map((l) => l.trimEnd()).filter((l) => l.trim().length);
+    if (lines.length === 0)
+        return [];
+    // Drop a header row if the first token looks like a column label.
+    const startIdx = /^(id|name|container)\b/i.test(lines[0]) ? 1 : 0;
+    const out = [];
+    for (let i = startIdx; i < lines.length; i++) {
+        const cols = lines[i].split(/\s{2,}|\t/).map((c) => c.trim()).filter(Boolean);
+        if (!cols.length)
+            continue;
+        const id = cols[0];
+        // Heuristic: find an image-looking token (contains ':' or '/') and a
+        // status-looking token (running/stopped/exited/created).
+        const image = cols.find((c) => /[:/]/.test(c) && c !== id) ?? null;
+        const statusTok = cols.find((c) => /^(running|stopped|exited|created|paused|up)/i.test(c)) ?? "unknown";
+        const status = statusTok.toLowerCase();
+        out.push({
+            id,
+            name: cols[cols.length - 1] && cols[cols.length - 1] !== id ? cols[cols.length - 1] : id,
+            image,
+            status,
+            running: status.includes("run") || status.includes("up"),
+            ip: cols.find((c) => /^\d{1,3}(\.\d{1,3}){3}$/.test(c)) ?? null,
+            networks: [],
+            volumes: [],
+            ports: [],
+            command: null,
+        });
+    }
+    return out;
+}
+/**
+ * Best-effort per-container enrichment via `container inspect <id>`. Fills in
+ * networks/volumes/ip/command/ports when the list view didn't. Failures are
+ * silent per-container (we already have a node from the list).
+ */
+async function enrichContainers(containers, notes) {
+    let inspectFailures = 0;
+    for (const c of containers) {
+        // c.id is derived from CLI output. With execFile there is no shell, so this
+        // is not command injection — but an id beginning with "-" would be parsed as
+        // a flag by `container`. Reject such ids and terminate option parsing with --.
+        if (!c.id || /^-/.test(c.id)) {
+            inspectFailures++;
+            continue;
+        }
+        const res = await runAllowed("container", ["inspect", "--", c.id]);
+        if (!res.ok) {
+            inspectFailures++;
+            continue;
+        }
+        const parsed = tryParseJson(res.stdout);
+        const rec = Array.isArray(parsed) ? asRecord(parsed[0]) : asRecord(parsed);
+        if (!rec)
+            continue;
+        const config = asRecord(rec["config"] ?? rec["Config"]) ?? rec;
+        const networkSettings = asRecord(rec["networks"] ?? rec["Networks"] ?? rec["NetworkSettings"]);
+        if (!c.image)
+            c.image = pick(config, ["image", "Image"]);
+        if (!c.command)
+            c.command = pick(config, ["command", "Command", "cmd", "Cmd"]) ?? c.command;
+        if (!c.ip)
+            c.ip = pick(rec, ["ip", "IP", "address", "Address"]);
+        const nets = extractNetworkNames(rec);
+        if (nets.length)
+            c.networks = nets;
+        else if (networkSettings) {
+            const keys = Object.keys(networkSettings);
+            if (keys.length)
+                c.networks = keys;
+        }
+        const vols = rec["volumes"] ?? rec["Volumes"] ?? rec["Mounts"] ?? rec["mounts"];
+        if (Array.isArray(vols)) {
+            c.volumes = vols
+                .map((v) => {
+                if (typeof v === "string")
+                    return v;
+                const vr = asRecord(v);
+                return vr ? pick(vr, ["name", "Name", "source", "Source", "destination", "Destination"]) : null;
+            })
+                .filter((x) => !!x);
+        }
+        const ports = extractPorts(rec);
+        if (ports.length)
+            c.ports = ports;
+    }
+    if (inspectFailures && inspectFailures === containers.length) {
+        notes.push("container inspect unavailable for all containers; node detail is partial");
+    }
+}
+async function listNetworks(notes, containerCliPresent) {
+    if (!containerCliPresent)
+        return [];
+    const json = await runAllowed("container", ["network", "ls", "--format", "json"]);
+    let arr = [];
+    if (json.ok) {
+        const parsed = tryParseJson(json.stdout);
+        arr = Array.isArray(parsed) ? parsed : parsed != null ? [parsed] : [];
+    }
+    if (arr.length) {
+        const out = [];
+        for (const raw of arr) {
+            const rec = asRecord(raw);
+            if (!rec)
+                continue;
+            const name = pick(rec, ["name", "Name"]) ?? pick(rec, ["id", "ID"]);
+            if (!name)
+                continue;
+            out.push({
+                id: pick(rec, ["id", "ID"]) ?? name,
+                name,
+                subnet: pick(rec, ["subnet", "Subnet", "cidr", "CIDR"]),
+                gateway: pick(rec, ["gateway", "Gateway"]),
+                driver: pick(rec, ["driver", "Driver", "mode", "Mode"]),
+            });
+        }
+        if (out.length)
+            return out;
+    }
+    // Text fallback.
+    const text = await runAllowed("container", ["network", "ls"]);
+    if (!text.ok) {
+        if (text.error !== "missing")
+            notes.push(`container network ls failed (${text.error})`);
+        return [];
+    }
+    const lines = text.stdout.split("\n").map((l) => l.trim()).filter(Boolean);
+    const start = /^(name|id|network)\b/i.test(lines[0] ?? "") ? 1 : 0;
+    const out = [];
+    for (let i = start; i < lines.length; i++) {
+        const cols = lines[i].split(/\s{2,}|\t/).map((c) => c.trim()).filter(Boolean);
+        if (!cols.length)
+            continue;
+        out.push({
+            id: cols[0],
+            name: cols[0],
+            subnet: cols.find((c) => /\d+\.\d+\.\d+\.\d+\/\d+/.test(c)) ?? null,
+            gateway: null,
+            driver: null,
+        });
+    }
+    return out;
+}
+async function listVolumes(notes, containerCliPresent) {
+    if (!containerCliPresent)
+        return [];
+    const json = await runAllowed("container", ["volume", "ls", "--format", "json"]);
+    let arr = [];
+    if (json.ok) {
+        const parsed = tryParseJson(json.stdout);
+        arr = Array.isArray(parsed) ? parsed : parsed != null ? [parsed] : [];
+    }
+    if (arr.length) {
+        const out = [];
+        for (const raw of arr) {
+            const rec = asRecord(raw);
+            if (!rec)
+                continue;
+            const name = pick(rec, ["name", "Name"]) ?? pick(rec, ["id", "ID"]);
+            if (!name)
+                continue;
+            out.push({
+                id: pick(rec, ["id", "ID"]) ?? name,
+                name,
+                driver: pick(rec, ["driver", "Driver"]),
+                source: pick(rec, ["source", "Source", "mountpoint", "Mountpoint"]),
+            });
+        }
+        if (out.length)
+            return out;
+    }
+    const text = await runAllowed("container", ["volume", "ls"]);
+    if (!text.ok) {
+        if (text.error !== "missing")
+            notes.push(`container volume ls failed (${text.error})`);
+        return [];
+    }
+    const lines = text.stdout.split("\n").map((l) => l.trim()).filter(Boolean);
+    const start = /^(name|id|volume|driver)\b/i.test(lines[0] ?? "") ? 1 : 0;
+    const out = [];
+    for (let i = start; i < lines.length; i++) {
+        const cols = lines[i].split(/\s{2,}|\t/).map((c) => c.trim()).filter(Boolean);
+        if (!cols.length)
+            continue;
+        out.push({ id: cols[0], name: cols[cols.length - 1] || cols[0], driver: null, source: null });
+    }
+    return out;
+}
+// ── Listening ports (lsof primary, netstat fallback) ─────────────────────────
+async function listListeningPorts(notes) {
+    // -nP: numeric host+port (no DNS / service-name resolution, faster + safer).
+    const lsofRes = await runAllowed("lsof", ["-iTCP", "-sTCP:LISTEN", "-nP"]);
+    if (lsofRes.ok) {
+        return parseLsof(lsofRes.stdout);
+    }
+    if (lsofRes.error !== "missing") {
+        notes.push(`lsof failed (${lsofRes.error}); trying netstat`);
+    }
+    const netRes = await runAllowed("netstat", ["-anv", "-p", "tcp"]);
+    if (!netRes.ok) {
+        notes.push(netRes.error === "missing"
+            ? "neither lsof nor netstat available — listening ports not discovered"
+            : `netstat failed (${netRes.error}) — listening ports not discovered`);
+        return [];
+    }
+    return parseNetstat(netRes.stdout);
+}
+function parseLsof(stdout) {
+    // Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
+    const lines = stdout.split("\n").map((l) => l.trim()).filter(Boolean);
+    const seen = new Set();
+    const out = [];
+    for (const line of lines) {
+        if (/^COMMAND\b/i.test(line))
+            continue;
+        const cols = line.split(/\s+/);
+        if (cols.length < 9)
+            continue;
+        const name = cols[cols.length - 1]; // e.g. "127.0.0.1:5432" or "*:8080"
+        const m = name.match(/^(.*):(\d+)$/);
+        if (!m)
+            continue;
+        const port = Number(m[2]);
+        if (!Number.isInteger(port))
+            continue;
+        const address = m[1] || "*";
+        const key = `${address}:${port}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        const pid = Number(cols[1]);
+        out.push({
+            port,
+            proto: "tcp",
+            address,
+            process: cols[0] || null,
+            pid: Number.isInteger(pid) ? pid : null,
+        });
+    }
+    return out;
+}
+function parseNetstat(stdout) {
+    // macOS netstat -anv -p tcp: ... Local Address ... state. LISTEN rows only.
+    const lines = stdout.split("\n");
+    const seen = new Set();
+    const out = [];
+    for (const line of lines) {
+        if (!/\bLISTEN\b/.test(line))
+            continue;
+        const cols = line.trim().split(/\s+/);
+        // Local address is typically column index 3 on macOS (tcp4/tcp6 layouts).
+        const localCol = cols.find((c) => /\.\d+$/.test(c)) ?? cols[3];
+        if (!localCol)
+            continue;
+        const m = localCol.match(/^(.*)\.(\d+)$/); // macOS uses host.port notation
+        if (!m)
+            continue;
+        const port = Number(m[2]);
+        if (!Number.isInteger(port))
+            continue;
+        const address = m[1] || "*";
+        const key = `${address}:${port}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push({ port, proto: "tcp", address, process: null, pid: null });
+    }
+    return out;
+}
+// ── Public entry point ───────────────────────────────────────────────────────
+/**
+ * Inspect the local macOS host READ-ONLY and return the raw environment. Never
+ * throws: any failure is captured in `notes` and the corresponding section is
+ * returned empty/partial.
+ */
+async function scanMacEnvironment() {
+    const notes = [];
+    // Probe `container` once so host facts and the list calls agree on presence.
+    const probe = await runAllowed("container", ["--version"]);
+    const containerCliPresent = probe.ok;
+    if (!containerCliPresent && probe.error === "missing") {
+        notes.push("Apple `container` CLI not installed — infra plane limited to host + listening services");
+    }
+    const host = collectHostFacts(containerCliPresent);
+    // Run the independent inspections; each is internally graceful.
+    let containers = [];
+    let networks = [];
+    let volumes = [];
+    let listeningPorts = [];
+    try {
+        [containers, networks, volumes, listeningPorts] = await Promise.all([
+            listContainers(notes),
+            listNetworks(notes, containerCliPresent),
+            listVolumes(notes, containerCliPresent),
+            listListeningPorts(notes),
+        ]);
+    }
+    catch (err) {
+        // Belt-and-suspenders: the helpers already swallow their own errors.
+        logger_1.logger.warn("scanMacEnvironment: unexpected error during inspection", { err: String(err) });
+        notes.push(`environment scan partially failed: ${String(err)}`);
+    }
+    return { host, networks, containers, volumes, listeningPorts, notes };
+}
+//# sourceMappingURL=environmentScanner.js.map

package/build/shield/discovery/externalServiceDetector.d.ts

@@ -0,0 +1,3 @@
+import type { ExternalService } from "../types";
+export declare function detectExternalServices(projectPath: string): Promise<ExternalService[]>;
+//# sourceMappingURL=externalServiceDetector.d.ts.map

package/build/shield/discovery/externalServiceDetector.js

@@ -0,0 +1,98 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectExternalServices = detectExternalServices;
+/** Detect external third-party service integrations. */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const glob_1 = require("glob");
+const SERVICE_SIGNATURES = {
+    stripe: { name: "Stripe", domain: "api.stripe.com", port: 443, protocol: "https", purpose: "payments" },
+    "@stripe/stripe-js": { name: "Stripe", domain: "api.stripe.com", port: 443, protocol: "https", purpose: "payments" },
+    twilio: { name: "Twilio", domain: "api.twilio.com", port: 443, protocol: "https", purpose: "communications" },
+    sendgrid: { name: "SendGrid", domain: "api.sendgrid.com", port: 443, protocol: "https", purpose: "email" },
+    "@sendgrid/mail": { name: "SendGrid", domain: "api.sendgrid.com", port: 443, protocol: "https", purpose: "email" },
+    "@aws-sdk": { name: "AWS", domain: "amazonaws.com", port: 443, protocol: "https", purpose: "cloud_services" },
+    boto3: { name: "AWS", domain: "amazonaws.com", port: 443, protocol: "https", purpose: "cloud_services" },
+    firebase: { name: "Firebase", domain: "firebaseio.com", port: 443, protocol: "https", purpose: "backend_services" },
+    openai: { name: "OpenAI", domain: "api.openai.com", port: 443, protocol: "https", purpose: "ai_services" },
+    "@anthropic-ai/sdk": { name: "Anthropic", domain: "api.anthropic.com", port: 443, protocol: "https", purpose: "ai_services" },
+    resend: { name: "Resend", domain: "api.resend.com", port: 443, protocol: "https", purpose: "email" },
+    plaid: { name: "Plaid", domain: "production.plaid.com", port: 443, protocol: "https", purpose: "fintech" },
+};
+async function detectExternalServices(projectPath) {
+    const services = new Map();
+    // package.json
+    const pkgPath = path.join(projectPath, "package.json");
+    if (fs.existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+            const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+            for (const [dep, svc] of Object.entries(SERVICE_SIGNATURES)) {
+                if (allDeps[dep])
+                    services.set(svc.name, { ...svc, detectedFrom: "package.json" });
+            }
+        }
+        catch { /* ignore */ }
+    }
+    // requirements.txt
+    const reqPath = path.join(projectPath, "requirements.txt");
+    if (fs.existsSync(reqPath)) {
+        const content = fs.readFileSync(reqPath, "utf8").toLowerCase();
+        for (const [dep, svc] of Object.entries(SERVICE_SIGNATURES)) {
+            if (content.includes(dep.toLowerCase()))
+                services.set(svc.name, { ...svc, detectedFrom: "requirements.txt" });
+        }
+    }
+    // Source code URL patterns
+    const files = await (0, glob_1.glob)("**/*.{js,ts,py,jsx,tsx}", {
+        cwd: projectPath,
+        ignore: ["node_modules/**", "venv/**", ".venv/**", "dist/**", "build/**"],
+        absolute: true,
+    });
+    const urlPattern = /https?:\/\/([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/g;
+    for (const file of files.slice(0, 100)) {
+        const content = fs.readFileSync(file, "utf8");
+        let match;
+        while ((match = urlPattern.exec(content)) !== null) {
+            const domain = match[1];
+            if (!domain.includes("localhost") && !domain.includes("127.0.0.1") && !domain.includes("example.com") && !services.has(domain)) {
+                services.set(domain, { name: domain, domain, port: 443, protocol: "https", purpose: "external_api", detectedFrom: path.relative(projectPath, file) });
+            }
+        }
+    }
+    return Array.from(services.values());
+}
+//# sourceMappingURL=externalServiceDetector.js.map

package/build/shield/discovery/frameworkDetector.d.ts

@@ -0,0 +1,3 @@
+import type { FrameworkInfo } from "../types";
+export declare function detectFramework(projectPath: string): Promise<FrameworkInfo>;
+//# sourceMappingURL=frameworkDetector.d.ts.map