@bouncesecurity/aghast 0.0.13

package/dist/logging.js

@@ -0,0 +1,79 @@
+const LOG_PRIORITY = {
+    silent: 0,
+    info: 1,
+    debug: 2,
+};
+let cachedLogLevel;
+export function getLogLevel() {
+    if (cachedLogLevel)
+        return cachedLogLevel;
+    cachedLogLevel = 'info';
+    return cachedLogLevel;
+}
+/**
+ * Programmatically set the log level (avoids env var race conditions with --debug flag).
+ */
+export function setLogLevel(level) {
+    cachedLogLevel = level;
+}
+function formatTimestamp() {
+    return new Date().toISOString().replace('T', ' ').replace('Z', '');
+}
+/**
+ * Log a progress/activity message at info level.
+ */
+export function logProgress(tag, message, details) {
+    if (LOG_PRIORITY['info'] <= LOG_PRIORITY[getLogLevel()]) {
+        const timestamp = formatTimestamp();
+        const detailStr = details ? ` ${JSON.stringify(details)}` : '';
+        console.log(`${timestamp} [${tag}] ${message}${detailStr}`);
+    }
+}
+/**
+ * Create a timer for measuring elapsed time.
+ */
+export function createTimer() {
+    const start = Date.now();
+    return {
+        elapsed: () => Date.now() - start,
+        elapsedStr: () => {
+            const ms = Date.now() - start;
+            if (ms < 1000)
+                return `${ms}ms`;
+            if (ms < 60000)
+                return `${(ms / 1000).toFixed(1)}s`;
+            return `${(ms / 60000).toFixed(1)}m`;
+        },
+    };
+}
+/**
+ * Log debug information (single line, compact).
+ */
+export function logDebug(tag, message, data) {
+    if (getLogLevel() !== 'debug')
+        return;
+    const timestamp = formatTimestamp();
+    if (data === undefined) {
+        console.log(`${timestamp} [${tag}][debug] ${message}`);
+    }
+    else {
+        const formatted = typeof data === 'string' ? data : JSON.stringify(data);
+        const truncated = formatted.length > 200 ? formatted.slice(0, 200) + '...' : formatted;
+        console.log(`${timestamp} [${tag}][debug] ${message}: ${truncated}`);
+    }
+}
+/**
+ * Log debug information without truncation (for full prompts and responses).
+ */
+export function logDebugFull(tag, message, data) {
+    if (getLogLevel() !== 'debug')
+        return;
+    const timestamp = formatTimestamp();
+    if (data === undefined) {
+        console.log(`${timestamp} [${tag}][debug] ${message}`);
+    }
+    else {
+        console.log(`${timestamp} [${tag}][debug] ${message}:\n${data}`);
+    }
+}
+//# sourceMappingURL=logging.js.map

package/dist/logging.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logging.js","sourceRoot":"","sources":["../src/logging.ts"],"names":[],"mappings":"AAEA,MAAM,YAAY,GAA6B;IAC7C,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,IAAI,cAAoC,CAAC;AAEzC,MAAM,UAAU,WAAW;IACzB,IAAI,cAAc;QAAE,OAAO,cAAc,CAAC;IAC1C,cAAc,GAAG,MAAM,CAAC;IACxB,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAe;IACzC,cAAc,GAAG,KAAK,CAAC;AACzB,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,OAAe,EAAE,OAAiC;IACzF,IAAI,YAAY,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACxD,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,KAAK,OAAO,GAAG,SAAS,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,OAAO;QACL,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;QACjC,UAAU,EAAE,GAAG,EAAE;YACf,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;YAC9B,IAAI,EAAE,GAAG,IAAI;gBAAE,OAAO,GAAG,EAAE,IAAI,CAAC;YAChC,IAAI,EAAE,GAAG,KAAK;gBAAE,OAAO,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;YACpD,OAAO,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;QACvC,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAW,EAAE,OAAe,EAAE,IAAc;IACnE,IAAI,WAAW,EAAE,KAAK,OAAO;QAAE,OAAO;IAEtC,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IACpC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,EAAE,CAAC,CAAC;IACzD,CAAC;SAAM,CAAC;QACN,MAAM,SAAS,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzE,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,KAAK,SAAS,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,OAAe,EAAE,IAAa;IACtE,IAAI,WAAW,EAAE,KAAK,OAAO;QAAE,OAAO;IAEtC,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IACpC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,EAAE,CAAC,CAAC;IACzD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,MAAM,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;AACH,CAAC"}

package/dist/mock-ai-provider.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Lightweight mock AI provider for CLI `AGHAST_MOCK_AI` mode.
+ *
+ * Returns a fixed raw response without calling any AI API.
+ * This is shipped with the package (unlike the full test mock in tests/mocks/).
+ */
+import type { AIProvider, AIResponse, ProviderConfig } from './types.js';
+export declare class MockAIProvider implements AIProvider {
+    private rawResponse;
+    constructor(options: {
+        rawResponse: string;
+    });
+    initialize(_config: ProviderConfig): Promise<void>;
+    executeCheck(_instructions: string, _repositoryPath: string, _logPrefix?: string): Promise<AIResponse>;
+    validateConfig(): Promise<boolean>;
+    enableDebug(): void;
+}
+//# sourceMappingURL=mock-ai-provider.d.ts.map

package/dist/mock-ai-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mock-ai-provider.d.ts","sourceRoot":"","sources":["../src/mock-ai-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEzE,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,WAAW,CAAS;gBAEhB,OAAO,EAAE;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE;IAItC,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlD,YAAY,CAChB,aAAa,EAAE,MAAM,EACrB,eAAe,EAAE,MAAM,EACvB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,CAAC;IAOhB,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAIxC,WAAW,IAAI,IAAI;CAGpB"}

package/dist/mock-ai-provider.js

@@ -0,0 +1,28 @@
+/**
+ * Lightweight mock AI provider for CLI `AGHAST_MOCK_AI` mode.
+ *
+ * Returns a fixed raw response without calling any AI API.
+ * This is shipped with the package (unlike the full test mock in tests/mocks/).
+ */
+export class MockAIProvider {
+    rawResponse;
+    constructor(options) {
+        this.rawResponse = options.rawResponse;
+    }
+    async initialize(_config) {
+        // No-op
+    }
+    async executeCheck(_instructions, _repositoryPath, _logPrefix) {
+        return {
+            raw: this.rawResponse,
+            parsed: undefined,
+        };
+    }
+    async validateConfig() {
+        return true;
+    }
+    enableDebug() {
+        // No-op
+    }
+}
+//# sourceMappingURL=mock-ai-provider.js.map

package/dist/mock-ai-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mock-ai-provider.js","sourceRoot":"","sources":["../src/mock-ai-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,OAAO,cAAc;IACjB,WAAW,CAAS;IAE5B,YAAY,OAAgC;QAC1C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAuB;QACtC,QAAQ;IACV,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,aAAqB,EACrB,eAAuB,EACvB,UAAmB;QAEnB,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,WAAW;YACrB,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW;QACT,QAAQ;IACV,CAAC;CACF"}

package/dist/new-check.d.ts

@@ -0,0 +1,13 @@
+/**
+ * CLI utility for scaffolding new security checks.
+ * Creates a check folder with check.json (Layer 2), instructions.md,
+ * and optionally rule.yaml + tests/ for Semgrep checks.
+ * Appends a registry entry to checks-config.json (Layer 1).
+ *
+ * Usage:
+ *   pnpm exec tsx src/new-check.ts                    # Interactive mode
+ *   pnpm exec tsx src/new-check.ts --id aghast-xss    # Mixed mode (prompts for missing)
+ *   pnpm exec tsx src/new-check.ts --id ... --name ... # Full flag mode (no prompts)
+ */
+export declare function runNewCheck(args: string[]): Promise<void>;
+//# sourceMappingURL=new-check.d.ts.map

package/dist/new-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"new-check.d.ts","sourceRoot":"","sources":["../src/new-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AA2YH,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAyF/D"}

package/dist/new-check.js

@@ -0,0 +1,405 @@
+/**
+ * CLI utility for scaffolding new security checks.
+ * Creates a check folder with check.json (Layer 2), instructions.md,
+ * and optionally rule.yaml + tests/ for Semgrep checks.
+ * Appends a registry entry to checks-config.json (Layer 1).
+ *
+ * Usage:
+ *   pnpm exec tsx src/new-check.ts                    # Interactive mode
+ *   pnpm exec tsx src/new-check.ts --id aghast-xss    # Mixed mode (prompts for missing)
+ *   pnpm exec tsx src/new-check.ts --id ... --name ... # Full flag mode (no prompts)
+ */
+import { readFile, writeFile, access, mkdir } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { createInterface } from 'node:readline/promises';
+import { stdin, stdout } from 'node:process';
+import { createRequire } from 'node:module';
+import { ERROR_CODES, formatError, formatFatalError } from './error-codes.js';
+const ID_PREFIX = 'aghast-';
+const SUPPORTED_LANGUAGES = {
+    python: { semgrepId: 'python', extension: '.py', commentPrefix: '#' },
+    py: { semgrepId: 'python', extension: '.py', commentPrefix: '#' },
+    javascript: { semgrepId: 'javascript', extension: '.js', commentPrefix: '//' },
+    js: { semgrepId: 'javascript', extension: '.js', commentPrefix: '//' },
+    typescript: { semgrepId: 'typescript', extension: '.ts', commentPrefix: '//' },
+    ts: { semgrepId: 'typescript', extension: '.ts', commentPrefix: '//' },
+};
+// Canonical names for display in prompts
+const LANGUAGE_CHOICES = ['python', 'javascript', 'typescript'];
+const CLI_FLAG_MAP = {
+    '--id': 'id',
+    '--name': 'name',
+    '--severity': 'severity',
+    '--confidence': 'confidence',
+    '--repositories': 'repositories',
+    '--check-overview': 'checkOverview',
+    '--check-items': 'checkItems',
+    '--pass-condition': 'passCondition',
+    '--fail-condition': 'failCondition',
+    '--flag-condition': 'flagCondition',
+    '--check-type': 'checkType',
+    '--semgrep-rules': 'semgrepRules',
+    '--max-targets': 'maxTargets',
+    '--language': 'language',
+    '--config-dir': 'configDir',
+};
+function parseFlags(args) {
+    const flags = {};
+    for (let i = 0; i < args.length; i++) {
+        const key = CLI_FLAG_MAP[args[i]];
+        if (key) {
+            const value = args[i + 1];
+            if (value === undefined || value.startsWith('--')) {
+                console.error(formatError(ERROR_CODES.E1001, `${args[i]} requires a value`));
+                process.exit(1);
+            }
+            flags[key] = value;
+            i++; // skip value
+        }
+    }
+    return flags;
+}
+// --- Interactive Prompts ---
+async function promptForMissing(flags) {
+    const needsPrompt = !flags.id || !flags.name ||
+        !flags.checkOverview || !flags.checkItems ||
+        !flags.passCondition || !flags.failCondition ||
+        !flags.checkType;
+    let rl;
+    if (needsPrompt) {
+        rl = createInterface({ input: stdin, output: stdout });
+    }
+    async function ask(label, existing) {
+        if (existing !== undefined)
+            return existing;
+        if (!rl)
+            throw new Error('Unexpected: readline not initialized');
+        const maxAttempts = 3;
+        for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+            const answer = await rl.question(`${label}: `);
+            if (answer.trim())
+                return answer.trim();
+            const remaining = maxAttempts - attempt;
+            if (remaining > 0) {
+                console.error(formatError(ERROR_CODES.E1003, `${label} is required (${remaining} ${remaining === 1 ? 'attempt' : 'attempts'} remaining)`));
+            }
+        }
+        console.error(formatError(ERROR_CODES.E1003, `${label} is required — no valid input after ${maxAttempts} attempts`));
+        rl.close();
+        process.exit(1);
+    }
+    async function askOptional(label, existing) {
+        if (existing !== undefined)
+            return existing;
+        if (!rl)
+            return '';
+        const answer = await rl.question(`${label} (optional, press Enter to skip): `);
+        return answer.trim();
+    }
+    async function askWithDefault(label, defaultValue, existing) {
+        if (existing !== undefined)
+            return existing;
+        if (!rl)
+            return defaultValue;
+        const answer = await rl.question(`${label} [${defaultValue}]: `);
+        return answer.trim() || defaultValue;
+    }
+    const result = {
+        id: await ask('Check ID (e.g. aghast-xss)', flags.id),
+        name: await ask('Check name (e.g. XSS Prevention)', flags.name),
+        severity: await askOptional('Severity (critical/high/medium/low/informational)', flags.severity),
+        confidence: await askOptional('Confidence (high/medium/low)', flags.confidence),
+        repositories: flags.repositories !== undefined ? flags.repositories : await askOptional('Repositories (comma-separated URLs, or empty for all)', undefined),
+        checkOverview: await ask('Check overview / description', flags.checkOverview),
+        checkItems: await ask('Check items (comma-separated)', flags.checkItems),
+        passCondition: await ask('PASS condition', flags.passCondition),
+        failCondition: await ask('FAIL condition', flags.failCondition),
+        flagCondition: await askOptional('FLAG condition (requires human investigation)', flags.flagCondition),
+        checkType: await askWithDefault('Check type (repository/semgrep/semgrep-only)', 'repository', flags.checkType),
+        semgrepRules: '',
+        maxTargets: '',
+        language: '',
+    };
+    if (result.checkType === 'semgrep' || result.checkType === 'semgrep-only') {
+        result.semgrepRules = flags.semgrepRules !== undefined
+            ? flags.semgrepRules
+            : await askOptional('Semgrep rule file paths (comma-separated, or press Enter to generate template)', undefined);
+        result.maxTargets = await askOptional('Max targets', flags.maxTargets);
+        if (!result.semgrepRules) {
+            // Language is required when generating a rule template + test file
+            result.language = await ask(`Language (${LANGUAGE_CHOICES.join('/')})`, flags.language);
+        }
+        else {
+            result.language = flags.language ?? '';
+        }
+    }
+    if (rl)
+        rl.close();
+    return result;
+}
+// --- ID Prefix ---
+function ensurePrefix(id) {
+    if (id.startsWith(ID_PREFIX))
+        return id;
+    return ID_PREFIX + id;
+}
+async function loadExistingRegistry(registryPath) {
+    const raw = await readFile(registryPath, 'utf-8');
+    return JSON.parse(raw);
+}
+function validateInputs(inputs, registry) {
+    const errors = [];
+    if (!inputs.id) {
+        errors.push('Check ID is required');
+    }
+    if (registry.checks.some((c) => c.id === inputs.id)) {
+        errors.push(`Check ID "${inputs.id}" already exists in config`);
+    }
+    const validSeverities = ['critical', 'high', 'medium', 'low', 'informational'];
+    if (inputs.severity && !validSeverities.includes(inputs.severity)) {
+        errors.push(`Invalid severity "${inputs.severity}". Must be one of: ${validSeverities.join(', ')}`);
+    }
+    const validConfidences = ['high', 'medium', 'low'];
+    if (inputs.confidence && !validConfidences.includes(inputs.confidence)) {
+        errors.push(`Invalid confidence "${inputs.confidence}". Must be one of: ${validConfidences.join(', ')}`);
+    }
+    const validCheckTypes = ['repository', 'semgrep', 'semgrep-only', ''];
+    if (!validCheckTypes.includes(inputs.checkType)) {
+        errors.push(`Invalid check type "${inputs.checkType}". Must be one of: repository, semgrep, semgrep-only`);
+    }
+    if (inputs.maxTargets) {
+        const parsed = parseInt(inputs.maxTargets, 10);
+        if (isNaN(parsed) || parsed <= 0) {
+            errors.push(`Invalid maxTargets "${inputs.maxTargets}". Must be a positive integer`);
+        }
+    }
+    if ((inputs.checkType === 'semgrep' || inputs.checkType === 'semgrep-only') && inputs.language && !SUPPORTED_LANGUAGES[inputs.language]) {
+        errors.push(`Invalid language "${inputs.language}". Must be one of: ${Object.keys(SUPPORTED_LANGUAGES).join(', ')}`);
+    }
+    return errors;
+}
+async function checkFileExists(path) {
+    try {
+        await access(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+// --- Semgrep Rule Template ---
+function generateSemgrepRule(checkId, language) {
+    const langInfo = SUPPORTED_LANGUAGES[language];
+    const semgrepLang = langInfo ? langInfo.semgrepId : 'javascript';
+    return `rules:
+  - id: ${checkId}
+    pattern: |
+      # TODO: Replace with your Semgrep pattern
+      ...
+    message: >
+      TODO: Describe the issue this rule detects.
+    languages: [${semgrepLang}]
+    severity: WARNING
+`;
+}
+function generateSemgrepTestFile(checkId, language) {
+    const langInfo = SUPPORTED_LANGUAGES[language];
+    const comment = langInfo ? langInfo.commentPrefix : '#';
+    return `${comment} ruleid: ${checkId}
+${comment} TODO: Add code that SHOULD be matched by the rule
+
+${comment} ok: ${checkId}
+${comment} TODO: Add code that should NOT be matched by the rule
+`;
+}
+// --- File Generation ---
+function generateMarkdown(inputs) {
+    const items = inputs.checkItems
+        .split(',')
+        .map((item) => item.trim())
+        .filter(Boolean);
+    const itemLines = items.map((item, i) => `${i + 1}. ${item}`).join('\n');
+    let resultLines = `- **PASS**: ${inputs.passCondition}\n- **FAIL**: ${inputs.failCondition}`;
+    if (inputs.flagCondition) {
+        resultLines += `\n- **FLAG**: ${inputs.flagCondition}`;
+    }
+    return `### ${inputs.name}
+
+#### Overview
+${inputs.checkOverview}
+
+#### What to Check
+${itemLines}
+
+#### Result
+${resultLines}
+`;
+}
+function generateCheckDefinition(inputs) {
+    const def = {
+        id: inputs.id,
+        name: inputs.name,
+    };
+    // semgrep-only checks don't have an instructionsFile
+    if (inputs.checkType !== 'semgrep-only') {
+        def.instructionsFile = `${inputs.id}.md`;
+    }
+    if (inputs.severity) {
+        def.severity = inputs.severity;
+    }
+    if (inputs.confidence) {
+        def.confidence = inputs.confidence;
+    }
+    if (inputs.checkType === 'semgrep' || inputs.checkType === 'semgrep-only') {
+        const checkTarget = { type: inputs.checkType };
+        if (inputs.semgrepRules) {
+            const rules = inputs.semgrepRules.split(',').map((r) => r.trim()).filter(Boolean);
+            checkTarget.rules = rules.length === 1 ? rules[0] : rules;
+        }
+        else {
+            checkTarget.rules = `${inputs.id}.yaml`;
+        }
+        if (inputs.maxTargets) {
+            checkTarget.maxTargets = parseInt(inputs.maxTargets, 10);
+        }
+        def.checkTarget = checkTarget;
+    }
+    return def;
+}
+function generateRegistryEntry(inputs) {
+    return {
+        id: inputs.id,
+        repositories: inputs.repositories
+            ? inputs.repositories.split(',').map((r) => r.trim()).filter(Boolean)
+            : [],
+        enabled: true,
+    };
+}
+// --- Main ---
+const NEW_CHECK_HELP = `Usage: aghast new-check --config-dir <path> [options]
+
+Scaffold a new security check. Runs interactively by default, prompting for any
+values not provided via flags. If the config directory does not exist, it will be
+created with an empty checks-config.json.
+
+Options:
+  --config-dir <path>        Config directory containing checks-config.json and
+                             checks/ folder. Created if it does not exist.
+                             Required unless AGHAST_CONFIG_DIR is set.
+  --id <id>                  Check ID (will be prefixed with "aghast-" if needed)
+  --name <name>              Human-readable check name (e.g. "XSS Prevention")
+  --severity <level>         Severity: critical, high, medium, low, informational
+  --confidence <level>       Confidence: high, medium, low
+  --repositories <urls>      Comma-separated repository URLs (empty = all repos)
+  --check-overview <text>    Description of what this check does
+  --check-items <items>      Comma-separated list of things to check
+  --pass-condition <text>    Condition for a PASS result
+  --fail-condition <text>    Condition for a FAIL result
+  --flag-condition <text>    Condition for a FLAG result (optional)
+  --check-type <type>        Check type: repository (default), semgrep, semgrep-only
+  --semgrep-rules <paths>    Comma-separated Semgrep rule file paths
+  --max-targets <n>          Maximum number of Semgrep targets to analyze
+  --language <lang>          Language for Semgrep template: python, javascript, typescript
+  -h, --help                 Show this help message
+
+Environment variables:
+  AGHAST_CONFIG_DIR           Default config directory (CLI --config-dir takes precedence)
+
+Check types:
+  repository     AI analyzes the whole repository (no Semgrep)
+  semgrep        Semgrep finds targets, AI analyzes each one
+  semgrep-only   Semgrep findings mapped directly to issues (no AI)
+
+Examples:
+  aghast new-check --config-dir ./my-checks
+  aghast new-check --config-dir ./my-checks --id xss --name "XSS Prevention"
+  aghast new-check --config-dir ./my-checks --check-type semgrep --language typescript`;
+export async function runNewCheck(args) {
+    if (args.includes('--help') || args.includes('-h')) {
+        console.log(NEW_CHECK_HELP);
+        process.exit(0);
+    }
+    const flags = parseFlags(args);
+    // --config-dir is required (CLI flag > AGHAST_CONFIG_DIR env var)
+    const rawConfigDir = flags.configDir || process.env.AGHAST_CONFIG_DIR;
+    if (!rawConfigDir) {
+        console.error(formatError(ERROR_CODES.E2001, '--config-dir is required (or set AGHAST_CONFIG_DIR).'));
+        process.exit(1);
+    }
+    const configDir = resolve(rawConfigDir);
+    const checksDir = resolve(configDir, 'checks');
+    const registryPath = resolve(configDir, 'checks-config.json');
+    const inputs = await promptForMissing(flags);
+    // Ensure aghast- prefix
+    inputs.id = ensurePrefix(inputs.id);
+    // Bootstrap: create checks-config.json if it doesn't exist
+    let registry;
+    if (await checkFileExists(registryPath)) {
+        registry = await loadExistingRegistry(registryPath);
+    }
+    else {
+        await mkdir(configDir, { recursive: true });
+        const emptyRegistry = { checks: [] };
+        await writeFile(registryPath, JSON.stringify(emptyRegistry, null, 2) + '\n', 'utf-8');
+        console.log(`Created new config: ${registryPath}`);
+        registry = emptyRegistry;
+    }
+    const validationErrors = validateInputs(inputs, registry);
+    if (validationErrors.length > 0) {
+        for (const err of validationErrors) {
+            console.error(formatError(ERROR_CODES.E2004, err));
+        }
+        process.exit(1);
+    }
+    // Create check folder
+    const checkFolder = resolve(checksDir, inputs.id);
+    if (await checkFileExists(checkFolder)) {
+        console.error(formatError(ERROR_CODES.E2004, `Check folder already exists: ${checkFolder}`));
+        process.exit(1);
+    }
+    await mkdir(checkFolder, { recursive: true });
+    // Generate and write check.json (Layer 2)
+    const checkDef = generateCheckDefinition(inputs);
+    await writeFile(resolve(checkFolder, `${inputs.id}.json`), JSON.stringify(checkDef, null, 2) + '\n', 'utf-8');
+    console.log(`Created: ${checkFolder}/${inputs.id}.json`);
+    // Generate and write instructions.md (skipped for semgrep-only)
+    if (inputs.checkType !== 'semgrep-only') {
+        const markdown = generateMarkdown(inputs);
+        await writeFile(resolve(checkFolder, `${inputs.id}.md`), markdown, 'utf-8');
+        console.log(`Created: ${checkFolder}/${inputs.id}.md`);
+    }
+    // Generate Semgrep rule template and test file if needed
+    if ((inputs.checkType === 'semgrep' || inputs.checkType === 'semgrep-only') && !inputs.semgrepRules) {
+        const rulePath = resolve(checkFolder, `${inputs.id}.yaml`);
+        await writeFile(rulePath, generateSemgrepRule(inputs.id, inputs.language), 'utf-8');
+        console.log(`Created: ${checkFolder}/${inputs.id}.yaml (template — edit before running)`);
+        // Create corresponding test file
+        const langInfo = SUPPORTED_LANGUAGES[inputs.language];
+        if (langInfo) {
+            const testsDir = resolve(checkFolder, 'tests');
+            await mkdir(testsDir, { recursive: true });
+            const testFileName = `${inputs.id}${langInfo.extension}`;
+            const testPath = resolve(testsDir, testFileName);
+            await writeFile(testPath, generateSemgrepTestFile(inputs.id, inputs.language), 'utf-8');
+            console.log(`Created: ${checkFolder}/tests/${testFileName} (test scaffold — edit before running)`);
+        }
+    }
+    // Update registry (Layer 1)
+    const registryEntry = generateRegistryEntry(inputs);
+    registry.checks.push(registryEntry);
+    await writeFile(registryPath, JSON.stringify(registry, null, 2) + '\n', 'utf-8');
+    console.log(`Updated: ${registryPath}`);
+    console.log(`\nNew check "${inputs.id}" created successfully.`);
+}
+// Auto-run when executed directly (pnpm new-check / tsx src/new-check.ts), but not when imported by cli.ts.
+if (!process.env._AGHAST_CLI) {
+    await import('dotenv/config');
+    runNewCheck(process.argv.slice(2)).catch((err) => {
+        const require = createRequire(import.meta.url);
+        const pkg = require('../package.json');
+        console.error('');
+        console.error(formatFatalError(err instanceof Error ? err.message : String(err), pkg.version));
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=new-check.js.map

package/dist/new-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"new-check.js","sourceRoot":"","sources":["../src/new-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAE9E,MAAM,SAAS,GAAG,SAAS,CAAC;AAU5B,MAAM,mBAAmB,GAAiC;IACxD,MAAM,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,EAAE;IACrE,EAAE,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,EAAE;IACjE,UAAU,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;IAC9E,EAAE,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;IACtE,UAAU,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;IAC9E,EAAE,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;CACvE,CAAC;AAEF,yCAAyC;AACzC,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;AAsBhE,MAAM,YAAY,GAAsC;IACtD,MAAM,EAAE,IAAI;IACZ,QAAQ,EAAE,MAAM;IAChB,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,YAAY;IAC5B,gBAAgB,EAAE,cAAc;IAChC,kBAAkB,EAAE,eAAe;IACnC,eAAe,EAAE,YAAY;IAC7B,kBAAkB,EAAE,eAAe;IACnC,kBAAkB,EAAE,eAAe;IACnC,kBAAkB,EAAE,eAAe;IACnC,cAAc,EAAE,WAAW;IAC3B,iBAAiB,EAAE,cAAc;IACjC,eAAe,EAAE,YAAY;IAC7B,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,WAAW;CAC5B,CAAC;AAEF,SAAS,UAAU,CAAC,IAAc;IAChC,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1B,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC;gBAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACnB,CAAC,EAAE,CAAC,CAAC,aAAa;QACpB,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8BAA8B;AAE9B,KAAK,UAAU,gBAAgB,CAAC,KAAkB;IAChD,MAAM,WAAW,GACf,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI;QACxB,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,UAAU;QACzC,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,aAAa;QAC5C,CAAC,KAAK,CAAC,SAAS,CAAC;IAEnB,IAAI,EAAkD,CAAC;IACvD,IAAI,WAAW,EAAE,CAAC;QAChB,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,UAAU,GAAG,CAAC,KAAa,EAAE,QAAiB;QACjD,IAAI,QAAQ,KAAK,SAAS;YAAE,OAAO,QAAQ,CAAC;QAC5C,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACjE,MAAM,WAAW,GAAG,CAAC,CAAC;QACtB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;YACxD,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC;YAC/C,IAAI,MAAM,CAAC,IAAI,EAAE;gBAAE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,SAAS,GAAG,WAAW,GAAG,OAAO,CAAC;YACxC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,KAAK,iBAAiB,SAAS,IAAI,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,aAAa,CAAC,CAAC,CAAC;YAC7I,CAAC;QACH,CAAC;QACD,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,KAAK,uCAAuC,WAAW,WAAW,CAAC,CAAC,CAAC;QACrH,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,KAAK,UAAU,WAAW,CAAC,KAAa,EAAE,QAAiB;QACzD,IAAI,QAAQ,KAAK,SAAS;YAAE,OAAO,QAAQ,CAAC;QAC5C,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,GAAG,KAAK,oCAAoC,CAAC,CAAC;QAC/E,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IAED,KAAK,UAAU,cAAc,CAAC,KAAa,EAAE,YAAoB,EAAE,QAAiB;QAClF,IAAI,QAAQ,KAAK,SAAS;YAAE,OAAO,QAAQ,CAAC;QAC5C,IAAI,CAAC,EAAE;YAAE,OAAO,YAAY,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,GAAG,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC;QACjE,OAAO,MAAM,CAAC,IAAI,EAAE,IAAI,YAAY,CAAC;IACvC,CAAC;IAED,MAAM,MAAM,GAAG;QACb,EAAE,EAAE,MAAM,GAAG,CAAC,4BAA4B,EAAE,KAAK,CAAC,EAAE,CAAC;QACrD,IAAI,EAAE,MAAM,GAAG,CAAC,kCAAkC,EAAE,KAAK,CAAC,IAAI,CAAC;QAC/D,QAAQ,EAAE,MAAM,WAAW,CAAC,mDAAmD,EAAE,KAAK,CAAC,QAAQ,CAAC;QAChG,UAAU,EAAE,MAAM,WAAW,CAAC,8BAA8B,EAAE,KAAK,CAAC,UAAU,CAAC;QAC/E,YAAY,EAAE,KAAK,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,WAAW,CAAC,uDAAuD,EAAE,SAAS,CAAC;QAC3J,aAAa,EAAE,MAAM,GAAG,CAAC,8BAA8B,EAAE,KAAK,CAAC,aAAa,CAAC;QAC7E,UAAU,EAAE,MAAM,GAAG,CAAC,+BAA+B,EAAE,KAAK,CAAC,UAAU,CAAC;QACxE,aAAa,EAAE,MAAM,GAAG,CAAC,gBAAgB,EAAE,KAAK,CAAC,aAAa,CAAC;QAC/D,aAAa,EAAE,MAAM,GAAG,CAAC,gBAAgB,EAAE,KAAK,CAAC,aAAa,CAAC;QAC/D,aAAa,EAAE,MAAM,WAAW,CAAC,+CAA+C,EAAE,KAAK,CAAC,aAAa,CAAC;QACtG,SAAS,EAAE,MAAM,cAAc,CAAC,8CAA8C,EAAE,YAAY,EAAE,KAAK,CAAC,SAAS,CAAC;QAC9G,YAAY,EAAE,EAAE;QAChB,UAAU,EAAE,EAAE;QACd,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,MAAM,CAAC,SAAS,KAAK,cAAc,EAAE,CAAC;QAC1E,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,KAAK,SAAS;YACpD,CAAC,CAAC,KAAK,CAAC,YAAY;YACpB,CAAC,CAAC,MAAM,WAAW,CAAC,gFAAgF,EAAE,SAAS,CAAC,CAAC;QACnH,MAAM,CAAC,UAAU,GAAG,MAAM,WAAW,CAAC,aAAa,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,mEAAmE;YACnE,MAAM,CAAC,QAAQ,GAAG,MAAM,GAAG,CAAC,aAAa,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC1F,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAED,IAAI,EAAE;QAAE,EAAE,CAAC,KAAK,EAAE,CAAC;IACnB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,oBAAoB;AAEpB,SAAS,YAAY,CAAC,EAAU;IAC9B,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IACxC,OAAO,SAAS,GAAG,EAAE,CAAC;AACxB,CAAC;AAQD,KAAK,UAAU,oBAAoB,CAAC,YAAoB;IACtD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAClD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;AACzC,CAAC;AAED,SAAS,cAAc,CACrB,MAAqH,EACrH,QAAsB;IAEtB,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,EAAE,4BAA4B,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,eAAe,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/E,IAAI,MAAM,CAAC,QAAQ,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClE,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,QAAQ,sBAAsB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtG,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACnD,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACvE,MAAM,CAAC,IAAI,CAAC,uBAAuB,MAAM,CAAC,UAAU,sBAAsB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3G,CAAC;IAED,MAAM,eAAe,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,EAAE,CAAC,CAAC;IACtE,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,uBAAuB,MAAM,CAAC,SAAS,sDAAsD,CAAC,CAAC;IAC7G,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAC/C,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,uBAAuB,MAAM,CAAC,UAAU,+BAA+B,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,MAAM,CAAC,SAAS,KAAK,cAAc,CAAC,IAAI,MAAM,CAAC,QAAQ,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxI,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,gCAAgC;AAEhC,SAAS,mBAAmB,CAAC,OAAe,EAAE,QAAgB;IAC5D,MAAM,QAAQ,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC;IACjE,OAAO;UACC,OAAO;;;;;;kBAMC,WAAW;;CAE5B,CAAC;AACF,CAAC;AAED,SAAS,uBAAuB,CAAC,OAAe,EAAE,QAAgB;IAChE,MAAM,QAAQ,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC;IACxD,OAAO,GAAG,OAAO,YAAY,OAAO;EACpC,OAAO;;EAEP,OAAO,QAAQ,OAAO;EACtB,OAAO;CACR,CAAC;AACF,CAAC;AAED,0BAA0B;AAE1B,SAAS,gBAAgB,CAAC,MAOzB;IACC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU;SAC5B,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,OAAO,CAAC,CAAC;IAEnB,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEzE,IAAI,WAAW,GAAG,eAAe,MAAM,CAAC,aAAa,iBAAiB,MAAM,CAAC,aAAa,EAAE,CAAC;IAC7F,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,WAAW,IAAI,iBAAiB,MAAM,CAAC,aAAa,EAAE,CAAC;IACzD,CAAC;IAED,OAAO,OAAO,MAAM,CAAC,IAAI;;;EAGzB,MAAM,CAAC,aAAa;;;EAGpB,SAAS;;;EAGT,WAAW;CACZ,CAAC;AACF,CAAC;AAED,SAAS,uBAAuB,CAAC,MAQhC;IACC,MAAM,GAAG,GAA4B;QACnC,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC;IAEF,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,KAAK,cAAc,EAAE,CAAC;QACxC,GAAG,CAAC,gBAAgB,GAAG,GAAG,MAAM,CAAC,EAAE,KAAK,CAAC;IAC3C,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IACjC,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;IACrC,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,MAAM,CAAC,SAAS,KAAK,cAAc,EAAE,CAAC;QAC1E,MAAM,WAAW,GAA4B,EAAE,IAAI,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAClF,WAAW,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,WAAW,CAAC,KAAK,GAAG,GAAG,MAAM,CAAC,EAAE,OAAO,CAAC;QAC1C,CAAC;QACD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,WAAW,CAAC,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,GAAG,CAAC,WAAW,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,qBAAqB,CAAC,MAG9B;IACC,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,YAAY,EAAE,MAAM,CAAC,YAAY;YAC/B,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;YACrE,CAAC,CAAC,EAAE;QACN,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC;AAED,eAAe;AAEf,MAAM,cAAc,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;uFAqCgE,CAAC;AAExF,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAc;IAC9C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAE/B,kEAAkE;IAClE,MAAM,YAAY,GAAG,KAAK,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACtE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE,sDAAsD,CAAC,CAAC,CAAC;QACtG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAC;IAE9D,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAE7C,wBAAwB;IACxB,MAAM,CAAC,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAEpC,2DAA2D;IAC3D,IAAI,QAAsB,CAAC;IAC3B,IAAI,MAAM,eAAe,CAAC,YAAY,CAAC,EAAE,CAAC;QACxC,QAAQ,GAAG,MAAM,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACtD,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,MAAM,aAAa,GAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACnD,MAAM,SAAS,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QACtF,OAAO,CAAC,GAAG,CAAC,uBAAuB,YAAY,EAAE,CAAC,CAAC;QACnD,QAAQ,GAAG,aAAa,CAAC;IAC3B,CAAC;IAED,MAAM,gBAAgB,GAAG,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC1D,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;YACnC,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,sBAAsB;IACtB,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IAClD,IAAI,MAAM,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC;QACvC,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE,gCAAgC,WAAW,EAAE,CAAC,CAAC,CAAC;QAC7F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE9C,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9G,OAAO,CAAC,GAAG,CAAC,YAAY,WAAW,IAAI,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;IAEzD,gEAAgE;IAChE,IAAI,MAAM,CAAC,SAAS,KAAK,cAAc,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5E,OAAO,CAAC,GAAG,CAAC,YAAY,WAAW,IAAI,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC;IACzD,CAAC;IAED,yDAAyD;IACzD,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,MAAM,CAAC,SAAS,KAAK,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACpG,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,SAAS,CAAC,QAAQ,EAAE,mBAAmB,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;QACpF,OAAO,CAAC,GAAG,CAAC,YAAY,WAAW,IAAI,MAAM,CAAC,EAAE,wCAAwC,CAAC,CAAC;QAE1F,iCAAiC;QACjC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACtD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YAC/C,MAAM,KAAK,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3C,MAAM,YAAY,GAAG,GAAG,MAAM,CAAC,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC;YACzD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACjD,MAAM,SAAS,CAAC,QAAQ,EAAE,uBAAuB,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;YACxF,OAAO,CAAC,GAAG,CAAC,YAAY,WAAW,UAAU,YAAY,wCAAwC,CAAC,CAAC;QACrG,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,aAAa,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACpD,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,aAA+C,CAAC,CAAC;IACtE,MAAM,SAAS,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACjF,OAAO,CAAC,GAAG,CAAC,YAAY,YAAY,EAAE,CAAC,CAAC;IAExC,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,EAAE,yBAAyB,CAAC,CAAC;AAClE,CAAC;AAED,4GAA4G;AAC5G,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;IAC7B,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IAC9B,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC/C,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAwB,CAAC;QAC9D,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QAC/F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/prompt-template.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Generic prompt template prepended to all check executions.
+ * Based on SPECIFICATION.md Appendix C.1.
+ */
+/**
+ * Build the full prompt by prepending generic instructions to check-specific markdown.
+ * @param checkInstructions - The check-specific markdown content.
+ * @param configDir - Optional config directory containing prompts/ subdirectory.
+ * @param genericPrompt - Optional generic prompt template filename (default: 'generic-instructions.md').
+ */
+export declare function buildPrompt(checkInstructions: string, configDir?: string, genericPrompt?: string): Promise<string>;
+//# sourceMappingURL=prompt-template.d.ts.map

package/dist/prompt-template.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-template.d.ts","sourceRoot":"","sources":["../src/prompt-template.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA2BH;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,iBAAiB,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGxH"}

package/dist/prompt-template.js

@@ -0,0 +1,35 @@
+/**
+ * Generic prompt template prepended to all check executions.
+ * Based on SPECIFICATION.md Appendix C.1.
+ */
+import { readFile } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DEFAULT_PROMPTS_DIR = resolve(__dirname, '..', 'config', 'prompts');
+function getGenericPromptPath(configDir, genericPrompt) {
+    const filename = genericPrompt ?? 'generic-instructions.md';
+    if (filename.includes('/') || filename.includes('\\') || filename.includes('..')) {
+        throw new Error(`Invalid generic prompt filename: must not contain path separators or "..". Got: "${filename}"`);
+    }
+    // Try config-dir prompts first, fall back to built-in prompts
+    if (configDir) {
+        const configPromptPath = resolve(configDir, 'prompts', filename);
+        if (existsSync(configPromptPath)) {
+            return configPromptPath;
+        }
+    }
+    return resolve(DEFAULT_PROMPTS_DIR, filename);
+}
+/**
+ * Build the full prompt by prepending generic instructions to check-specific markdown.
+ * @param checkInstructions - The check-specific markdown content.
+ * @param configDir - Optional config directory containing prompts/ subdirectory.
+ * @param genericPrompt - Optional generic prompt template filename (default: 'generic-instructions.md').
+ */
+export async function buildPrompt(checkInstructions, configDir, genericPrompt) {
+    const genericPromptContent = await readFile(getGenericPromptPath(configDir, genericPrompt), 'utf-8');
+    return genericPromptContent + checkInstructions;
+}
+//# sourceMappingURL=prompt-template.js.map

package/dist/prompt-template.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-template.js","sourceRoot":"","sources":["../src/prompt-template.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,MAAM,mBAAmB,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;AAE1E,SAAS,oBAAoB,CAAC,SAAkB,EAAE,aAAsB;IACtE,MAAM,QAAQ,GAAG,aAAa,IAAI,yBAAyB,CAAC;IAC5D,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,KAAK,CACb,oFAAoF,QAAQ,GAAG,CAChG,CAAC;IACJ,CAAC;IACD,8DAA8D;IAC9D,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,gBAAgB,GAAG,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QACjE,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACjC,OAAO,gBAAgB,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;AAChD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,iBAAyB,EAAE,SAAkB,EAAE,aAAsB;IACrG,MAAM,oBAAoB,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,SAAS,EAAE,aAAa,CAAC,EAAE,OAAO,CAAC,CAAC;IACrG,OAAO,oBAAoB,GAAG,iBAAiB,CAAC;AAClD,CAAC"}