@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/stages/postgen/postgen.js

@@ -4,6 +4,11 @@ import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
 
+import {
+  AI_INVENTORY_PROJECT_TYPES,
+  matchesAiInventoryExcludeType,
+  optionIncludesAiInventoryProjectType,
+} from "../../helpers/aiInventory.js";
 import { mergeDependencies, mergeServices } from "../../helpers/depsUtils.js";
 import { addFormulationSection } from "../../helpers/formulationParsers.js";
 import { thoughtLog } from "../../helpers/logger.js";
@@ -104,6 +109,189 @@ function applyFormulation(bomJson, options, filePath, formulationList) {
   return bomJson;
 }
 
+const WEAK_TLP_CLASSIFICATIONS = new Set(["CLEAR", "GREEN", "AMBER"]);
+const SENSITIVE_PROPERTY_NAMES = new Set([
+  "cdx:agent:description",
+  "cdx:agent:hiddenMcpUrls",
+  "cdx:agent:permission",
+  "cdx:mcp:command",
+  "cdx:mcp:configuredEndpoints",
+  "cdx:mcp:description",
+  "cdx:mcp:resourceUri",
+  "cdx:skill:metadata",
+]);
+const SENSITIVE_PROPERTY_PREFIXES = ["cdx:crewai:", "cdx:mcp:auth:"];
+const SECRET_ASSIGNMENT_PATTERN =
+  /(?:^|[\s,{\[])(?:authorization|password|passwd|pwd|token|access[_-]?token|id[_-]?token|refresh[_-]?token|api[_-]?key|client[_-]?secret|secret|session(?:id)?|cookie)\s*(?:[:=]|=>)\s*["'`]?[^"'`\s,}\]]{4,}/iu;
+const ENV_SECRET_PATTERN =
+  /\b[A-Z0-9_]*(?:TOKEN|PASSWORD|SECRET|API_KEY|CLIENT_SECRET|SESSION|COOKIE)[A-Z0-9_]*=\S+/u;
+const AUTH_HEADER_PATTERN =
+  /\bAuthorization\s*:\s*(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{8,}/iu;
+const BEARER_TOKEN_PATTERN = /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{12,}/u;
+const PRIVATE_KEY_PATTERN =
+  /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/u;
+const SIGNED_URL_PARAM_NAMES = new Set([
+  "access_token",
+  "api_key",
+  "client_secret",
+  "id_token",
+  "signature",
+  "sig",
+  "token",
+  "x-amz-signature",
+  "x-goog-signature",
+]);
+
+function normalizeSpecVersion(specVersion) {
+  return Number.parseFloat(String(specVersion || 0));
+}
+
+function normalizeTlpClassification(tlpClassification) {
+  return String(tlpClassification || "")
+    .trim()
+    .toUpperCase();
+}
+
+function hasSensitivePropertyName(propertyName) {
+  if (SENSITIVE_PROPERTY_NAMES.has(propertyName)) {
+    return true;
+  }
+  return SENSITIVE_PROPERTY_PREFIXES.some((prefix) =>
+    propertyName.startsWith(prefix),
+  );
+}
+
+function extractUrlCandidates(value) {
+  return Array.from(value.matchAll(/https?:\/\/[^\s]+/gu), (match) =>
+    match[0].replace(/[),.;]+$/u, ""),
+  );
+}
+
+function hasSensitiveUrlValue(value) {
+  for (const candidate of extractUrlCandidates(value)) {
+    if (!URL.canParse(candidate)) {
+      continue;
+    }
+    const parsedUrl = new URL(candidate);
+    if (parsedUrl.username || parsedUrl.password || parsedUrl.hash) {
+      return true;
+    }
+    for (const [paramName] of parsedUrl.searchParams) {
+      if (SIGNED_URL_PARAM_NAMES.has(paramName.toLowerCase())) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+function hasKnownSensitiveText(value) {
+  return (
+    SECRET_ASSIGNMENT_PATTERN.test(value) ||
+    ENV_SECRET_PATTERN.test(value) ||
+    AUTH_HEADER_PATTERN.test(value) ||
+    BEARER_TOKEN_PATTERN.test(value) ||
+    PRIVATE_KEY_PATTERN.test(value)
+  );
+}
+
+function propertyContainsSensitiveValue(propertyName, propertyValue) {
+  if (!hasSensitivePropertyName(propertyName) || !propertyValue?.trim()) {
+    return false;
+  }
+  return (
+    hasSensitiveUrlValue(propertyValue) || hasKnownSensitiveText(propertyValue)
+  );
+}
+
+function collectSensitivePropertyViolations(
+  subject,
+  violations = [],
+  location = "bom",
+  seen = new Set(),
+) {
+  if (!subject || typeof subject !== "object" || seen.has(subject)) {
+    return violations;
+  }
+  seen.add(subject);
+  if (Array.isArray(subject.properties)) {
+    const subjectLabel = subject["bom-ref"] || subject.name || location;
+    for (const property of subject.properties) {
+      if (
+        typeof property?.name === "string" &&
+        typeof property?.value === "string" &&
+        propertyContainsSensitiveValue(property.name, property.value)
+      ) {
+        violations.push({
+          propertyName: property.name,
+          subjectLabel,
+        });
+      }
+    }
+  }
+  if (Array.isArray(subject)) {
+    subject.forEach((entry, index) => {
+      collectSensitivePropertyViolations(
+        entry,
+        violations,
+        `${location}[${index}]`,
+        seen,
+      );
+    });
+    return violations;
+  }
+  for (const [key, value] of Object.entries(subject)) {
+    if (key === "properties") {
+      continue;
+    }
+    collectSensitivePropertyViolations(
+      value,
+      violations,
+      `${location}.${key}`,
+      seen,
+    );
+  }
+  return violations;
+}
+
+function validateTlpClassification(bomJson, options) {
+  const specVersion = normalizeSpecVersion(
+    bomJson?.specVersion || options?.specVersion,
+  );
+  if (specVersion < 1.7) {
+    return bomJson;
+  }
+  const tlpClassification = normalizeTlpClassification(
+    bomJson?.metadata?.distributionConstraints?.tlp ||
+      bomJson?.metadata?.distribution ||
+      options?.tlpClassification,
+  );
+  if (!WEAK_TLP_CLASSIFICATIONS.has(tlpClassification)) {
+    return bomJson;
+  }
+  const violations = collectSensitivePropertyViolations(bomJson);
+  if (!violations.length) {
+    return bomJson;
+  }
+  const uniqueViolations = [
+    ...new Set(
+      violations.map(
+        ({ propertyName, subjectLabel }) =>
+          `${propertyName} on ${subjectLabel}`,
+      ),
+    ),
+  ];
+  const errorMessage =
+    `CycloneDX 1.7+ BOMs with TLP classification '${tlpClassification}' must not include known sensitive property values. ` +
+    "Redact the values or raise the TLP classification to AMBER_AND_STRICT or RED. " +
+    `Found: ${uniqueViolations.slice(0, 5).join("; ")}${uniqueViolations.length > 5 ? `; and ${uniqueViolations.length - 5} more` : ""}`;
+  if (options?.failOnError) {
+    throw new Error(errorMessage);
+  }
+  console.warn(errorMessage);
+  return bomJson;
+}
+
 /**
  * Filter and enhance BOM post generation.
  *
@@ -131,6 +319,7 @@ export function postProcess(bomNSData, options, filePath) {
     bomNSData.formulationList,
   );
   bomNSData.bomJson = applyReleaseNotes(bomNSData.bomJson, options, filePath);
+  bomNSData.bomJson = validateTlpClassification(bomNSData.bomJson, options);
   // Support for automatic annotations
   if (options.specVersion >= 1.6) {
     bomNSData.bomJson = annotate(bomNSData.bomJson, options);
@@ -431,12 +620,17 @@ function getIdentityTechniques(comp) {
  */
 export function filterBom(bomJson, options) {
   const newPkgMap = {};
+  const newServices = [];
   let filtered = false;
   let anyFiltered = false;
   if (!bomJson?.components) {
     return bomJson;
   }
   for (const comp of bomJson.components) {
+    if (shouldExcludeInventoryType(comp, options)) {
+      filtered = true;
+      continue;
+    }
     // minimum confidence filter
     if (options?.minConfidence > 0) {
       const confidence = Math.min(options.minConfidence, 1);
@@ -470,6 +664,7 @@ export function filterBom(bomJson, options) {
     ) {
       filtered = true;
     } else if (options.only?.length) {
+      const componentPurl = comp.purl?.toLowerCase?.() || "";
       if (!Array.isArray(options.only)) {
         options.only = [options.only];
       }
@@ -478,7 +673,7 @@ export function filterBom(bomJson, options) {
       for (const filterstr of options.only) {
         if (
           filterstr.length &&
-          comp.purl.toLowerCase().includes(filterstr.toLowerCase())
+          componentPurl.includes(filterstr.toLowerCase())
         ) {
           filtered = true;
           purlfiltered = false;
@@ -493,11 +688,12 @@ export function filterBom(bomJson, options) {
         options.filter = [options.filter];
       }
       let purlfiltered = false;
+      const componentPurl = comp.purl?.toLowerCase?.() || "";
       for (const filterstr of options.filter) {
         // Check the purl
         if (
           filterstr.length &&
-          comp.purl.toLowerCase().includes(filterstr.toLowerCase())
+          componentPurl.includes(filterstr.toLowerCase())
         ) {
           filtered = true;
           purlfiltered = true;
@@ -522,40 +718,59 @@ export function filterBom(bomJson, options) {
       newPkgMap[comp["bom-ref"]] = comp;
     }
   }
+  for (const service of bomJson.services || []) {
+    if (shouldExcludeInventoryType(service, options)) {
+      filtered = true;
+      continue;
+    }
+    newServices.push(service);
+  }
   if (filtered) {
     if (!anyFiltered) {
       anyFiltered = true;
     }
     const newcomponents = [];
     const newdependencies = [];
+    const retainedRefs = new Set();
     for (const aref of Object.keys(newPkgMap).sort()) {
       newcomponents.push(newPkgMap[aref]);
+      retainedRefs.add(aref);
+    }
+    for (const service of newServices) {
+      if (service?.["bom-ref"]) {
+        retainedRefs.add(service["bom-ref"]);
+      }
     }
     if (bomJson.metadata?.component?.["bom-ref"]) {
       newPkgMap[bomJson.metadata.component["bom-ref"]] =
         bomJson.metadata.component;
+      retainedRefs.add(bomJson.metadata.component["bom-ref"]);
     }
     if (bomJson.metadata?.component?.components) {
       for (const comp of bomJson.metadata.component.components) {
         newPkgMap[comp["bom-ref"]] = comp;
+        retainedRefs.add(comp["bom-ref"]);
       }
     }
-    for (const adep of bomJson.dependencies) {
-      if (newPkgMap[adep.ref]) {
-        const newdepson = (adep.dependsOn || []).filter((d) => newPkgMap[d]);
+    for (const adep of bomJson.dependencies || []) {
+      if (retainedRefs.has(adep.ref)) {
+        const newdepson = (adep.dependsOn || []).filter((d) =>
+          retainedRefs.has(d),
+        );
         const obj = {
           ref: adep.ref,
           dependsOn: newdepson,
         };
         // Filter provides array if needed
         if (adep.provides?.length) {
-          obj.provides = adep.provides.filter((d) => newPkgMap[d]);
+          obj.provides = adep.provides.filter((d) => retainedRefs.has(d));
         }
         newdependencies.push(obj);
       }
     }
     bomJson.components = newcomponents;
     bomJson.dependencies = newdependencies;
+    bomJson.services = newServices;
     // We set the compositions.aggregate to incomplete by default
     if (
       options.specVersion >= 1.5 &&
@@ -593,6 +808,14 @@ export function filterBom(bomJson, options) {
   return bomJson;
 }
 
+function shouldExcludeInventoryType(subject, options) {
+  return AI_INVENTORY_PROJECT_TYPES.some(
+    (type) =>
+      optionIncludesAiInventoryProjectType(options?.excludeType, type) &&
+      matchesAiInventoryExcludeType(subject, type),
+  );
+}
+
 /**
  * Clean up
  */

package/lib/stages/postgen/postgen.poku.js

@@ -88,6 +88,70 @@ it("filter bom tests2", () => {
   ]);
 });
 
+it("exclude-type mcp removes inventory artifacts but retains MCP SDK packages", () => {
+  const bomJson = {
+    components: [
+      {
+        "bom-ref": "pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0",
+        name: "@modelcontextprotocol/server-filesystem",
+        purl: "pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0",
+      },
+      {
+        "bom-ref": "file:/repo/.vscode/mcp.json",
+        name: "mcp.json",
+        properties: [{ name: "cdx:file:kind", value: "mcp-config" }],
+        type: "file",
+      },
+      {
+        "bom-ref": "urn:mcp:tool:docs:search",
+        name: "search",
+        properties: [
+          { name: "cdx:mcp:role", value: "tool" },
+          {
+            name: "cdx:mcp:serviceRef",
+            value: "urn:service:mcp:docs:latest",
+          },
+        ],
+        type: "application",
+      },
+    ],
+    dependencies: [
+      {
+        dependsOn: ["urn:mcp:tool:docs:search"],
+        ref: "urn:service:mcp:docs:latest",
+      },
+      {
+        provides: ["urn:mcp:tool:docs:search"],
+        ref: "pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0",
+      },
+    ],
+    metadata: { properties: [] },
+    services: [
+      {
+        "bom-ref": "urn:service:mcp:docs:latest",
+        group: "mcp",
+        name: "docs",
+        properties: [{ name: "cdx:mcp:inventorySource", value: "config-file" }],
+      },
+    ],
+  };
+
+  const filteredBom = filterBom(bomJson, { excludeType: ["mcp"] });
+
+  assert.deepStrictEqual(
+    filteredBom.components.map((component) => component["bom-ref"]),
+    ["pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0"],
+  );
+  assert.deepStrictEqual(filteredBom.services, []);
+  assert.deepStrictEqual(filteredBom.dependencies, [
+    {
+      dependsOn: [],
+      provides: [],
+      ref: "pkg:npm/%40modelcontextprotocol/server-filesystem@1.0.0",
+    },
+  ]);
+});
+
 it("postProcess adds formulation exactly once when includeFormulation is true", () => {
   const bomNSData = {
     bomJson: {
@@ -308,6 +372,122 @@ it("postProcess attaches releaseNotes to cdxgen metadata tool component", () =>
   }
 });
 
+it("postProcess fails for weak TLP when sensitive property values are present", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      components: [
+        {
+          "bom-ref": "urn:service:mcp:gateway:latest",
+          name: "gateway",
+          properties: [
+            {
+              name: "cdx:mcp:configuredEndpoints",
+              value:
+                "https://user:pass@example.com/mcp?access_token=abc123456789",
+            },
+          ],
+          type: "application",
+        },
+      ],
+      dependencies: [],
+      metadata: {
+        distributionConstraints: { tlp: "CLEAR" },
+        properties: [],
+        tools: {
+          components: [
+            { group: "@cyclonedx", name: "cdxgen", version: "test" },
+          ],
+        },
+      },
+    },
+  };
+  assert.throws(
+    () => postProcess(bomNSData, { failOnError: true, specVersion: 1.7 }),
+    /TLP classification 'CLEAR'/,
+  );
+});
+
+it("postProcess allows sensitive property values when TLP is strong", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      components: [
+        {
+          "bom-ref": "urn:service:mcp:gateway:latest",
+          name: "gateway",
+          properties: [
+            {
+              name: "cdx:mcp:command",
+              value: "Authorization: Bearer super-secret-token-value",
+            },
+          ],
+          type: "application",
+        },
+      ],
+      dependencies: [],
+      metadata: {
+        distributionConstraints: { tlp: "RED" },
+        properties: [],
+        tools: {
+          components: [
+            { group: "@cyclonedx", name: "cdxgen", version: "test" },
+          ],
+        },
+      },
+    },
+  };
+  const result = postProcess(bomNSData, {
+    failOnError: true,
+    specVersion: 1.7,
+  });
+  assert.strictEqual(
+    result.bomJson.metadata.distributionConstraints.tlp,
+    "RED",
+  );
+});
+
+it("postProcess does not enforce TLP validation when no TLP is set", () => {
+  const bomNSData = {
+    bomJson: {
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      components: [
+        {
+          "bom-ref": "urn:service:mcp:gateway:latest",
+          name: "gateway",
+          properties: [
+            {
+              name: "cdx:mcp:resourceUri",
+              value: "https://user:pass@example.com/private#fragment",
+            },
+          ],
+          type: "application",
+        },
+      ],
+      dependencies: [],
+      metadata: {
+        properties: [],
+        tools: {
+          components: [
+            { group: "@cyclonedx", name: "cdxgen", version: "test" },
+          ],
+        },
+      },
+    },
+  };
+  const result = postProcess(bomNSData, {
+    failOnError: true,
+    specVersion: 1.7,
+  });
+  assert.strictEqual(
+    result.bomJson.metadata.distributionConstraints,
+    undefined,
+  );
+});
+
 it("cleanup helpers do not delete directories in dry-run mode", () => {
   const pipTarget = join(tmpdir(), `cdxgen-pip-${Date.now()}`);
   const tmpDir = join(tmpdir(), `cdxgen-tmp-${Date.now()}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "12.3.1",
+  "version": "12.3.3",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "keywords": [
     "sbom",
@@ -98,6 +98,7 @@
   "files": [
     "*.js",
     "lib/**",
+    "!lib/**/*.poku.js",
     "bin/",
     "data/",
     "types/",

package/types/lib/cli/index.d.ts

@@ -297,4 +297,5 @@ export function createBom(path: string, options: Object): Promise<Object>;
 export function submitBom(args: Object, bomContents: Object): Promise<{
     token: string;
 } | undefined>;
+export { summarizeAiInventory } from "../helpers/aiInventory.js";
 //# sourceMappingURL=index.d.ts.map

package/types/lib/cli/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AA+2BA;;;;;;;;;GASG;AACH,wCANW,MAAM,cACN,MAAM,OACN,MAAM,UACN,MAAM,GACJ,MAAM,EAAE,CAcpB;AAwbD;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM,GAEJ,MAAM,CA0ElB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAI5B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAiB5B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA+tC3B;AAgCD,0EA86BC;AAgFD;;;;;;;;;;;GAWG;AACH,qDAHW,MAAM,GACJ,MAAM,GAAG,IAAI,CAwEzB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2iB3B;AAED;;;;;;GAMG;AACH,kCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAoavC;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAmJrC;AA2FD;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAiE3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA6MlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA+GlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAyBlB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAsBlB;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoD3B;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2C3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA0I3B;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAgKvC;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoH3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA6C3B;AAED;;;;;;GAMG;AACH,iDAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAkU3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA4JlB;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA0P3B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAkbrC;AAED;;;;;;;;;GASG;AACH,+CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2F3B;AAED;;;;;;GAMG;AACH,+CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAgD3B;AA2FD;;;;;;GAMG;AACH,2CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAmC3B;AAED;;;;;;;;;GASG;AACH,mCAPW,MAAM,sCAEN,MAAM,wBAGJ,MAAM,CAyClB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,EAAE,WACR,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAg6B3B;AAED;;;;;;GAMG;AACH,iCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAmWrC;AAED;;;;;;GAMG;AACH,gCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA8R3B;AAED;;;;;;;GAOG;AACH,gCALW,MAAM,eACN,MAAM,GACL,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAAC,CAwGjD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/cli/index.js"],"names":[],"mappings":"AAy5BA;;;;;;;;;GASG;AACH,wCANW,MAAM,cACN,MAAM,OACN,MAAM,UACN,MAAM,GACJ,MAAM,EAAE,CAcpB;AAwbD;;;;;;;GAOG;AACH,mCALW,MAAM,WACN,MAAM,GAEJ,MAAM,CA8ElB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAI5B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,GAAC,SAAS,CAwB5B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAouC3B;AAqID,0EAkgCC;AAgFD;;;;;;;;;;;GAWG;AACH,qDAHW,MAAM,GACJ,MAAM,GAAG,IAAI,CAwEzB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAgmB3B;AAED;;;;;;GAMG;AACH,kCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAoavC;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAmJrC;AA2FD;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAiE3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAmPlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA+GlB;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAyBlB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,WACN,MAAM,GACJ,MAAM,CAsBlB;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoD3B;AAED;;;;;;GAMG;AACH,uCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2C3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA0BlB;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA0I3B;AAED;;;;;;GAMG;AACH,qCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAgKvC;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAoH3B;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA6C3B;AAED;;;;;;GAMG;AACH,iDAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAkU3B;AAED;;;;;;GAMG;AACH,mCAJW,MAAM,WACN,MAAM,GACJ,MAAM,CA8JlB;AAED;;;;;;GAMG;AACH,oCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA0P3B;AAED;;;;;;GAMG;AACH,sCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAkbrC;AAED;;;;;;;;;GASG;AACH,+CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CA2F3B;AAED;;;;;;GAMG;AACH,+CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAgD3B;AA2FD;;;;;;GAMG;AACH,2CAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAmC3B;AAED;;;;;;;;;GASG;AACH,mCAPW,MAAM,sCAEN,MAAM,wBAGJ,MAAM,CAyClB;AAED;;;;;;GAMG;AACH,0CAJW,MAAM,EAAE,WACR,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAy7B3B;AAED;;;;;;GAMG;AACH,iCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,GAAC,SAAS,CAAC,CAyWrC;AAED;;;;;;GAMG;AACH,gCAJW,MAAM,WACN,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,CAyS3B;AAED;;;;;;;GAOG;AACH,gCALW,MAAM,eACN,MAAM,GACL,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAAC,CA0GjD"}

package/types/lib/helpers/agentFormulationParser.d.ts

@@ -0,0 +1,19 @@
+export namespace agentFormulationParser {
+    export let id: string;
+    export { AGENT_FILE_PATTERNS as patterns };
+    export function parse(files: any, _options?: {}): {
+        components: {
+            "bom-ref": string;
+            name: any;
+            properties: {
+                name: string;
+                value: any;
+            }[];
+            type: string;
+        }[];
+        services: any[];
+    };
+}
+declare const AGENT_FILE_PATTERNS: string[];
+export {};
+//# sourceMappingURL=agentFormulationParser.d.ts.map

package/types/lib/helpers/agentFormulationParser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentFormulationParser.d.ts","sourceRoot":"","sources":["../../../lib/helpers/agentFormulationParser.js"],"names":[],"mappings":";;;IA8IE;;;;;;;;;;;MAkLC;;AApTH,4CASE"}

package/types/lib/helpers/aiInventory.d.ts

@@ -0,0 +1,23 @@
+export function inventoryPropertyValue(subject: any, name: any): any;
+export function optionIncludesAiInventoryProjectType(optionValue: any, type: any): boolean;
+export function inventoryTypesForSubject(subject: any): any[];
+export function matchesAiInventoryType(subject: any, type: any): boolean;
+export function matchesAiInventoryExcludeType(subject: any, type: any): boolean;
+export function filterInventorySubjectsByTypes(subjects: any, types: any): any;
+export function filterInventoryDependencies(dependencies: any, components: any, services: any): any;
+export function collectAiInventory(discoveryPath: any, options: any, types: any): {
+    components: any[];
+    dependencies: any;
+    services: Object[];
+};
+export function summarizeAiInventory(inventory: any): {
+    instructionCount: any;
+    mcpConfigCount: any;
+    mcpServiceCount: any;
+    skillCount: any;
+};
+export const AI_INVENTORY_PROJECT_TYPES: string[];
+export const AI_INSTRUCTION_FILE_KINDS: Set<string>;
+export const AI_SKILL_FILE_KIND: "skill-file";
+export const MCP_CONFIG_FILE_KIND: "mcp-config";
+//# sourceMappingURL=aiInventory.d.ts.map

package/types/lib/helpers/aiInventory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aiInventory.d.ts","sourceRoot":"","sources":["../../../lib/helpers/aiInventory.js"],"names":[],"mappings":"AA2DA,qEAEC;AAYD,2FAaC;AAED,8DA2BC;AAED,yEAEC;AAED,gFAYC;AAED,+EAUC;AAED,oGA8BC;AAED;;;;EA2DC;AAED;;;;;EAqBC;AA9PD,kDAA8D;AAC9D,oDAaG;AACH,iCAAkC,YAAY,CAAC;AAC/C,mCAAoC,YAAY,CAAC"}

package/types/lib/helpers/analyzer.d.ts

@@ -15,6 +15,11 @@ export function detectExtensionCapabilities(src: string, deep?: boolean): {
         [x: string]: string[];
     };
 };
+export function detectPythonMcpInventory(src: string, deep?: boolean): {
+    components: Object[];
+    dependencies: Object[];
+    services: Object[];
+};
 export function detectMcpInventory(src: string, deep?: boolean): {
     components: Object[];
     dependencies: Object[];

package/types/lib/helpers/analyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../../lib/helpers/analyzer.js"],"names":[],"mappings":"AA+3BA,gEAQE;AAmUK;;;GAiBN;AASM,kDAHI,MAAM,GACJ;IAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAAC,qBAAqB,EAAE,MAAM,EAAE,CAAA;CAAC,CAe/H;AAWM,iDANI,MAAM,SACN,OAAO,GACL;IAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAAC,UAAU,EAAE;YAAO,MAAM,GAAE,MAAM,EAAE;KAAC,CAAA;CAAC,CAwF1E;AA2sBM,wCAJI,MAAM,SACN,OAAO,GACL;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAC,CAktB9E"}
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../../lib/helpers/analyzer.js"],"names":[],"mappings":"AAm4BA,gEAQE;AAmUK;;;GAiBN;AASM,kDAHI,MAAM,GACJ;IAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAAC,qBAAqB,EAAE,MAAM,EAAE,CAAA;CAAC,CAe/H;AAWM,iDANI,MAAM,SACN,OAAO,GACL;IAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAAC,UAAU,EAAE;YAAO,MAAM,GAAE,MAAM,EAAE;KAAC,CAAA;CAAC,CAwF1E;AA68BM,8CAJI,MAAM,SACN,OAAO,GACL;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAC,CAsI9E;AASM,wCAJI,MAAM,SACN,OAAO,GACL;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAC,CAsqB9E"}

package/types/lib/helpers/auditCategories.d.ts

@@ -0,0 +1,12 @@
+export function normalizeBomAuditCategories(categories: any): any[];
+export function expandBomAuditCategories(categories: any): any[];
+export function availableBomAuditCategories(rules: any): any[];
+export function validateBomAuditCategories(categories: any, rules: any): {
+    categories: any[];
+    expandedCategories: any[];
+    validCategories: any[];
+};
+export const BOM_AUDIT_CATEGORY_ALIASES: Readonly<{
+    "ai-inventory": string[];
+}>;
+//# sourceMappingURL=auditCategories.d.ts.map

package/types/lib/helpers/auditCategories.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditCategories.d.ts","sourceRoot":"","sources":["../../../lib/helpers/auditCategories.js"],"names":[],"mappings":"AAQA,oEAeC;AAED,iEAWC;AAED,+DAIC;AAUD;;;;EAuBC;AA3ED;;GAEG"}

package/types/lib/helpers/chromextutils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"chromextutils.d.ts","sourceRoot":"","sources":["../../../lib/helpers/chromextutils.js"],"names":[],"mappings":"AAsLA;;;;GAIG;AACH,4CAFa,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAC,CAAC,CAoMlE;AAED;;;;GAIG;AACH,iDAFa,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAC,CAAC,CAYlE;AAED;;;;;;GAMG;AACH,8DAJW,MAAM,gBACN,MAAM,GACJ,MAAM,CAwBlB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,GACJ,MAAM,EAAE,CA8CpB;AAED;;;;;GAKG;AACH,6DAHW,MAAM,GACJ,MAAM,GAAC,SAAS,CAuK5B;AAED;;;;;GAKG;AACH,+DAHW,MAAM,GACJ;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAC,CA4BxF;AAuFD;;;;;;;;;;;;;;;GAeG;AACH,+DAHW,MAAM,GACJ;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,aAAa,EAAE,MAAM,EAAE,CAAA;CAAC,CAuC3D;AAED;;;;;GAKG;AACH,qCAHW,MAAM,GACJ,MAAM,GAAC,SAAS,CA+M5B;AAED;;;;;GAKG;AACH,8DAHW,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAC,CAAC,GACpD,MAAM,EAAE,CAyGpB;AAnnCD;;GAEG;AACH,yCAA0C,kBAAkB,CAAC"}
+{"version":3,"file":"chromextutils.d.ts","sourceRoot":"","sources":["../../../lib/helpers/chromextutils.js"],"names":[],"mappings":"AAuLA;;;;GAIG;AACH,4CAFa,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAC,CAAC,CAoMlE;AAED;;;;GAIG;AACH,iDAFa,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAC,CAAC,CAYlE;AAED;;;;;;GAMG;AACH,8DAJW,MAAM,gBACN,MAAM,GACJ,MAAM,CAwBlB;AAED;;;;;GAKG;AACH,iDAHW,MAAM,GACJ,MAAM,EAAE,CA8CpB;AAED;;;;;GAKG;AACH,6DAHW,MAAM,GACJ,MAAM,GAAC,SAAS,CAuK5B;AAED;;;;;GAKG;AACH,+DAHW,MAAM,GACJ;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAC,CA4BxF;AAuFD;;;;;;;;;;;;;;;GAeG;AACH,+DAHW,MAAM,GACJ;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,aAAa,EAAE,MAAM,EAAE,CAAA;CAAC,CAuC3D;AAED;;;;;GAKG;AACH,qCAHW,MAAM,GACJ,MAAM,GAAC,SAAS,CAoO5B;AAED;;;;;GAKG;AACH,8DAHW,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAC,CAAC,GACpD,MAAM,EAAE,CAyGpB;AAxoCD;;GAEG;AACH,yCAA0C,kBAAkB,CAAC"}

package/types/lib/helpers/ciParsers/githubActions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"githubActions.d.ts","sourceRoot":"","sources":["../../../../lib/helpers/ciParsers/githubActions.js"],"names":[],"mappings":"AA6sDA;;;;;;GAMG;AAEH,qCALW,MAAM,WACN,MAAM,GACJ;IAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAA;CAAE,CAgjBjF;;;;IAeC;;;;OAIG;IACH,sBAJW,MAAM,EAAE,WACR,MAAM,GACJ;QAAE,SAAS,EAAE,MAAM,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,EAAE,CAAC;QAAC,YAAY,EAAE,MAAM,EAAE,CAAA;KAAE,CAqB3H"}
+{"version":3,"file":"githubActions.d.ts","sourceRoot":"","sources":["../../../../lib/helpers/ciParsers/githubActions.js"],"names":[],"mappings":"AA2xDA;;;;;;GAMG;AAEH,qCALW,MAAM,WACN,MAAM,GACJ;IAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAA;CAAE,CAijBjF;;;;IAeC;;;;OAIG;IACH,sBAJW,MAAM,EAAE,WACR,MAAM,GACJ;QAAE,SAAS,EAAE,MAAM,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,EAAE,CAAC;QAAC,YAAY,EAAE,MAAM,EAAE,CAAA;KAAE,CAqB3H"}