npm - @dcyfr/ai - Versions diffs - 2.1.3 → 3.0.0 - Mend

@dcyfr/ai 2.1.3 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (468) hide show

package/dist/ai/src/plugins/security/malware-scanner.js ADDED Viewed

@@ -0,0 +1,121 @@
+/**
+ * Malware Scanner
+ *
+ * Scans plugin files for known malware signatures using ClamAV (clamscan).
+ * Also performs a lightweight pattern check for dangerous shell script patterns.
+ *
+ * @module plugins/security/malware-scanner
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import { join, extname } from 'node:path';
+const execFileAsync = promisify(execFile);
+// ---------------------------------------------------------------------------
+// Dangerous script pattern heuristics
+// ---------------------------------------------------------------------------
+const DANGEROUS_PATTERNS = [
+    /rm\s+-rf\s+[/~]/,
+    /curl\s+.*\|\s*(ba)?sh/,
+    /wget\s+.*\|\s*(ba)?sh/,
+    /eval\s*\(.*base64/i,
+    /nc\s+-e\s+\/bin\/(ba)?sh/,
+];
+const SCRIPT_EXTENSIONS = new Set(['.sh', '.bash', '.zsh', '.ps1', '.bat', '.cmd']);
+function collectScriptFiles(dir, acc = []) {
+    try {
+        for (const entry of readdirSync(dir)) {
+            const fullPath = join(dir, entry);
+            const st = statSync(fullPath);
+            if (st.isDirectory()) {
+                collectScriptFiles(fullPath, acc);
+            }
+            else if (SCRIPT_EXTENSIONS.has(extname(entry).toLowerCase())) {
+                acc.push(fullPath);
+            }
+        }
+    }
+    catch {
+        // ignore unreadable directories
+    }
+    return acc;
+}
+function findSuspiciousPatterns(pluginPath) {
+    const scripts = collectScriptFiles(pluginPath);
+    const flagged = [];
+    for (const scriptPath of scripts) {
+        try {
+            const content = readFileSync(scriptPath, 'utf8');
+            const hasDangerous = DANGEROUS_PATTERNS.some((re) => re.test(content));
+            if (hasDangerous)
+                flagged.push(scriptPath);
+        }
+        catch {
+            // ignore unreadable files
+        }
+    }
+    return flagged;
+}
+// ---------------------------------------------------------------------------
+// ClamAV output parsing
+// ---------------------------------------------------------------------------
+const CLAMSCAN_INFECTED_RE = /^(.+):\s+(.+)\s+FOUND$/;
+function parseClamScanOutput(stdout) {
+    const signatures = [];
+    for (const line of stdout.split('\n')) {
+        const m = CLAMSCAN_INFECTED_RE.exec(line);
+        if (m) {
+            const signatureName = m[2] ?? 'unknown';
+            const sig = signatureName.toLowerCase();
+            let category = 'suspicious';
+            if (sig.includes('trojan'))
+                category = 'trojan';
+            else if (sig.includes('virus'))
+                category = 'virus';
+            signatures.push({ file: m[1] ?? 'unknown', signatureName, category });
+        }
+    }
+    return signatures;
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Scan a plugin directory for malware using ClamAV.
+ *
+ * @param pluginPath Absolute path to the extracted plugin directory
+ */
+export async function scanMalware(pluginPath) {
+    const suspiciousPatterns = findSuspiciousPatterns(pluginPath);
+    let signatures = [];
+    try {
+        const { stdout, stderr } = await execFileAsync('clamscan', [
+            '--recursive',
+            '--no-summary',
+            pluginPath,
+        ]).catch((err) => ({
+            stdout: err.stdout ?? '',
+            stderr: err.stderr ?? '',
+        }));
+        signatures = parseClamScanOutput(stdout + '\n' + (stderr ?? ''));
+    }
+    catch (err) {
+        return {
+            success: false,
+            detected: false,
+            signatures: [],
+            suspiciousPatterns,
+            error: `clamscan unavailable: ${String(err)}`,
+        };
+    }
+    return {
+        success: true,
+        detected: signatures.length > 0,
+        signatures,
+        suspiciousPatterns,
+    };
+}
+//# sourceMappingURL=malware-scanner.js.map

package/dist/ai/src/plugins/security/malware-scanner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"malware-scanner.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/security/malware-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAG1C,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,MAAM,kBAAkB,GAAG;IACzB,iBAAiB;IACjB,uBAAuB;IACvB,uBAAuB;IACvB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC;AAEF,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEpF,SAAS,kBAAkB,CAAC,GAAW,EAAE,MAAgB,EAAE;IACzD,IAAI,CAAC;QACH,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAClC,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC9B,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;gBACrB,kBAAkB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACpC,CAAC;iBAAM,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC/D,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,sBAAsB,CAAC,UAAkB;IAChD,MAAM,OAAO,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,UAAU,IAAI,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YACvE,IAAI,YAAY;gBAAE,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E,MAAM,oBAAoB,GAAG,wBAAwB,CAAC;AAEtD,SAAS,mBAAmB,CAAC,MAAc;IACzC,MAAM,UAAU,GAAuB,EAAE,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,CAAC,GAAG,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,EAAE,CAAC;YACN,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;YACxC,MAAM,GAAG,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;YACxC,IAAI,QAAQ,GAAiC,YAAY,CAAC;YAC1D,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,QAAQ,GAAG,QAAQ,CAAC;iBAC3C,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,QAAQ,GAAG,OAAO,CAAC;YACnD,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAAkB;IAElB,MAAM,kBAAkB,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;IAC9D,IAAI,UAAU,GAAuB,EAAE,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;YACzD,aAAa;YACb,cAAc;YACd,UAAU;SACX,CAAC,CAAC,KAAK,CAAC,CAAC,GAAyC,EAAE,EAAE,CAAC,CAAC;YACvD,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,EAAE;SACzB,CAAC,CAAC,CAAC;QAEJ,UAAU,GAAG,mBAAmB,CAAC,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;IACnE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,EAAE;YACd,kBAAkB;YAClB,KAAK,EAAE,yBAAyB,MAAM,CAAC,GAAG,CAAC,EAAE;SAC9C,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;QAC/B,UAAU;QACV,kBAAkB;KACnB,CAAC;AACJ,CAAC"}

package/dist/ai/src/plugins/security/plugin-security-scanner.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Plugin Security Scanner Orchestrator
+ *
+ * Coordinates all security scanning tools (SBOM, vulnerabilities, secrets,
+ * code quality, malware, signatures, licenses) in parallel and produces a
+ * single consolidated PluginSecurityReport with an overall trust score.
+ *
+ * @module plugins/security/plugin-security-scanner
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import type { PluginScanInput, PluginSecurityReport } from './types.js';
+import type { CommunityInput, MaintenanceInput } from './trust-score.js';
+/** Optional context inputs not derived from scanning */
+export interface ScanContext {
+    /** SonarCloud project key (defaults to `dcyfr_<pluginId>`) */
+    sonarcloudProjectKey?: string;
+    /** Path to DCYFR cosign public key */
+    cosignPublicKeyPath?: string;
+    /** Community data from reputation DB */
+    community?: CommunityInput;
+    /** Maintenance data from reputation DB */
+    maintenance?: MaintenanceInput;
+}
+/**
+ * Run all security scans for a plugin and return a consolidated report.
+ *
+ * All scan phases run in parallel (except SBOM→vulnerability which is
+ * sequential since Grype can consume the generated SBOM).
+ *
+ * @param input   Plugin scan parameters
+ * @param context Optional external context (SonarCloud key, cosign key, etc.)
+ */
+export declare function scanPlugin(input: PluginScanInput, context?: ScanContext): Promise<PluginSecurityReport>;
+//# sourceMappingURL=plugin-security-scanner.d.ts.map

package/dist/ai/src/plugins/security/plugin-security-scanner.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"plugin-security-scanner.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/security/plugin-security-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAUH,OAAO,KAAK,EACV,eAAe,EACf,oBAAoB,EAQrB,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAyFzE,wDAAwD;AACxD,MAAM,WAAW,WAAW;IAC1B,8DAA8D;IAC9D,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,sCAAsC;IACtC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,wCAAwC;IACxC,SAAS,CAAC,EAAE,cAAc,CAAC;IAC3B,0CAA0C;IAC1C,WAAW,CAAC,EAAE,gBAAgB,CAAC;CAChC;AAED;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAC9B,KAAK,EAAE,eAAe,EACtB,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,oBAAoB,CAAC,CAoF/B"}

package/dist/ai/src/plugins/security/plugin-security-scanner.js ADDED Viewed

@@ -0,0 +1,160 @@
+/**
+ * Plugin Security Scanner Orchestrator
+ *
+ * Coordinates all security scanning tools (SBOM, vulnerabilities, secrets,
+ * code quality, malware, signatures, licenses) in parallel and produces a
+ * single consolidated PluginSecurityReport with an overall trust score.
+ *
+ * @module plugins/security/plugin-security-scanner
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { generateSBOM } from './sbom-generator.js';
+import { scanVulnerabilities } from './vulnerability-scanner.js';
+import { detectSecrets } from './secret-detector.js';
+import { fetchCodeQuality } from './sonarcloud-client.js';
+import { scanMalware } from './malware-scanner.js';
+import { verifySignature } from './signature-verifier.js';
+import { checkLicenses } from './license-checker.js';
+import { calculateTrustScore } from './trust-score.js';
+// ---------------------------------------------------------------------------
+// Null-safe fallback results (used when a scanner is skipped)
+// ---------------------------------------------------------------------------
+const SKIPPED_SBOM = {
+    success: true,
+    usedFallback: false,
+    format: 'npm-ls',
+    components: [],
+};
+const SKIPPED_VULNS = {
+    success: true,
+    vulnerabilities: { critical: 0, high: 0, medium: 0, low: 0, negligible: 0, unknown: 0 },
+    findings: [],
+    recommendation: 'approve',
+};
+const SKIPPED_SECRETS = {
+    success: true,
+    found: false,
+    locations: [],
+};
+const SKIPPED_CODE_QUALITY = {
+    success: true,
+    requiresManualReview: false,
+    qualityGate: 'NONE',
+};
+const SKIPPED_MALWARE = {
+    success: true,
+    detected: false,
+    signatures: [],
+    suspiciousPatterns: [],
+};
+const SKIPPED_SIGNATURE = {
+    success: true,
+    verified: false,
+};
+const SKIPPED_LICENSE = {
+    success: true,
+    compliant: true,
+    detected: [],
+    incompatible: [],
+    unknown: [],
+};
+const REC_RANK = {
+    approve: 0,
+    'approve-with-warnings': 1,
+    'require-review': 2,
+    reject: 3,
+};
+function mostRestrictive(...recs) {
+    return recs.reduce((acc, r) => (REC_RANK[r] > REC_RANK[acc] ? r : acc), 'approve');
+}
+function deriveOverallRecommendation(report) {
+    const recs = [
+        report.vulnerabilities.recommendation,
+        report.malware.detected ? 'reject' : 'approve',
+        report.secrets.locations.some((l) => !l.inTestFixture) ? 'reject' : 'approve',
+        report.codeQuality.requiresManualReview ? 'require-review' : 'approve',
+        (report.license.incompatible.length > 0) ? 'approve-with-warnings' : 'approve',
+    ];
+    return mostRestrictive(...recs);
+}
+/**
+ * Run all security scans for a plugin and return a consolidated report.
+ *
+ * All scan phases run in parallel (except SBOM→vulnerability which is
+ * sequential since Grype can consume the generated SBOM).
+ *
+ * @param input   Plugin scan parameters
+ * @param context Optional external context (SonarCloud key, cosign key, etc.)
+ */
+export async function scanPlugin(input, context = {}) {
+    const startMs = Date.now();
+    const skip = input.skip ?? {};
+    // -------------------------------------------------------------------------
+    // Phase A: SBOM (must complete before vulnerability scan)
+    // -------------------------------------------------------------------------
+    const sbom = skip.sbom
+        ? SKIPPED_SBOM
+        : await generateSBOM(input.pluginId, input.version, input.pluginPath);
+    // -------------------------------------------------------------------------
+    // Phase B: All remaining scans run in parallel
+    // -------------------------------------------------------------------------
+    const sonarKey = context.sonarcloudProjectKey ?? `dcyfr_${input.pluginId}`;
+    const cosignKey = context.cosignPublicKeyPath ?? '';
+    const artifactPath = input.artifactPath ?? '';
+    const [vulns, secrets, codeQuality, malware, signature, license] = await Promise.all([
+        skip.vulnerabilities
+            ? Promise.resolve(SKIPPED_VULNS)
+            : scanVulnerabilities(input.pluginPath, sbom.storagePath),
+        skip.secrets
+            ? Promise.resolve(SKIPPED_SECRETS)
+            : detectSecrets(input.pluginPath),
+        skip.codeQuality
+            ? Promise.resolve(SKIPPED_CODE_QUALITY)
+            : fetchCodeQuality(sonarKey),
+        skip.malware
+            ? Promise.resolve(SKIPPED_MALWARE)
+            : scanMalware(input.pluginPath),
+        skip.signature || !artifactPath || !cosignKey
+            ? Promise.resolve(SKIPPED_SIGNATURE)
+            : verifySignature(artifactPath, cosignKey),
+        skip.license
+            ? Promise.resolve(SKIPPED_LICENSE)
+            : checkLicenses(input.pluginPath),
+    ]);
+    // -------------------------------------------------------------------------
+    // Phase C: Trust score + overall recommendation
+    // -------------------------------------------------------------------------
+    const trustScore = calculateTrustScore({
+        vulns,
+        secrets,
+        malware,
+        codeQuality,
+        sbom,
+        signature,
+        license,
+        maintenance: context.maintenance,
+        community: context.community,
+    });
+    const partialReport = {
+        pluginId: input.pluginId,
+        version: input.version,
+        scannedAt: new Date().toISOString(),
+        sbom,
+        vulnerabilities: vulns,
+        secrets,
+        codeQuality,
+        malware,
+        signature,
+        license,
+    };
+    const overallRecommendation = mostRestrictive(trustScore.recommendation, deriveOverallRecommendation(partialReport));
+    return {
+        ...partialReport,
+        trustScore,
+        overallRecommendation,
+        durationMs: Date.now() - startMs,
+    };
+}
+//# sourceMappingURL=plugin-security-scanner.js.map

package/dist/ai/src/plugins/security/plugin-security-scanner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"plugin-security-scanner.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/security/plugin-security-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAcvD,8EAA8E;AAC9E,8DAA8D;AAC9D,8EAA8E;AAE9E,MAAM,YAAY,GAAe;IAC/B,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,KAAK;IACnB,MAAM,EAAE,QAAQ;IAChB,UAAU,EAAE,EAAE;CACf,CAAC;AAEF,MAAM,aAAa,GAA4B;IAC7C,OAAO,EAAE,IAAI;IACb,eAAe,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;IACvF,QAAQ,EAAE,EAAE;IACZ,cAAc,EAAE,SAAS;CAC1B,CAAC;AAEF,MAAM,eAAe,GAA0B;IAC7C,OAAO,EAAE,IAAI;IACb,KAAK,EAAE,KAAK;IACZ,SAAS,EAAE,EAAE;CACd,CAAC;AAEF,MAAM,oBAAoB,GAAsB;IAC9C,OAAO,EAAE,IAAI;IACb,oBAAoB,EAAE,KAAK;IAC3B,WAAW,EAAE,MAAM;CACpB,CAAC;AAEF,MAAM,eAAe,GAAsB;IACzC,OAAO,EAAE,IAAI;IACb,QAAQ,EAAE,KAAK;IACf,UAAU,EAAE,EAAE;IACd,kBAAkB,EAAE,EAAE;CACvB,CAAC;AAEF,MAAM,iBAAiB,GAAgC;IACrD,OAAO,EAAE,IAAI;IACb,QAAQ,EAAE,KAAK;CAChB,CAAC;AAEF,MAAM,eAAe,GAA4B;IAC/C,OAAO,EAAE,IAAI;IACb,SAAS,EAAE,IAAI;IACf,QAAQ,EAAE,EAAE;IACZ,YAAY,EAAE,EAAE;IAChB,OAAO,EAAE,EAAE;CACZ,CAAC;AAQF,MAAM,QAAQ,GAAmC;IAC/C,OAAO,EAAE,CAAC;IACV,uBAAuB,EAAE,CAAC;IAC1B,gBAAgB,EAAE,CAAC;IACnB,MAAM,EAAE,CAAC;CACV,CAAC;AAEF,SAAS,eAAe,CAAC,GAAG,IAAsB;IAChD,OAAO,IAAI,CAAC,MAAM,CAChB,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EACnD,SAAS,CACV,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAClC,MAAyF;IAEzF,MAAM,IAAI,GAAqB;QAC7B,MAAM,CAAC,eAAe,CAAC,cAAc;QACrC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QAC9C,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QAC7E,MAAM,CAAC,WAAW,CAAC,oBAAoB,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS;QACtE,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;IACF,OAAO,eAAe,CAAC,GAAG,IAAI,CAAC,CAAC;AAClC,CAAC;AAkBD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,KAAsB,EACtB,UAAuB,EAAE;IAEzB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IAE9B,4EAA4E;IAC5E,0DAA0D;IAC1D,4EAA4E;IAC5E,MAAM,IAAI,GAAe,IAAI,CAAC,IAAI;QAChC,CAAC,CAAC,YAAY;QACd,CAAC,CAAC,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;IAExE,4EAA4E;IAC5E,+CAA+C;IAC/C,4EAA4E;IAC5E,MAAM,QAAQ,GAAG,OAAO,CAAC,oBAAoB,IAAI,SAAS,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC3E,MAAM,SAAS,GAAG,OAAO,CAAC,mBAAmB,IAAI,EAAE,CAAC;IACpD,MAAM,YAAY,GAAG,KAAK,CAAC,YAAY,IAAI,EAAE,CAAC;IAE9C,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,GAC9D,MAAM,OAAO,CAAC,GAAG,CAAC;QAChB,IAAI,CAAC,eAAe;YAClB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;YAChC,CAAC,CAAC,mBAAmB,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC;QAE3D,IAAI,CAAC,OAAO;YACV,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC;YAClC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,UAAU,CAAC;QAEnC,IAAI,CAAC,WAAW;YACd,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC;YACvC,CAAC,CAAC,gBAAgB,CAAC,QAAQ,CAAC;QAE9B,IAAI,CAAC,OAAO;YACV,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC;YAClC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,UAAU,CAAC;QAEjC,IAAI,CAAC,SAAS,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS;YAC3C,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC;YACpC,CAAC,CAAC,eAAe,CAAC,YAAY,EAAE,SAAS,CAAC;QAE5C,IAAI,CAAC,OAAO;YACV,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC;YAClC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,UAAU,CAAC;KACpC,CAAC,CAAC;IAEL,4EAA4E;IAC5E,gDAAgD;IAChD,4EAA4E;IAC5E,MAAM,UAAU,GAAG,mBAAmB,CAAC;QACrC,KAAK;QACL,OAAO;QACP,OAAO;QACP,WAAW;QACX,IAAI;QACJ,SAAS;QACT,OAAO;QACP,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,SAAS,EAAE,OAAO,CAAC,SAAS;KAC7B,CAAC,CAAC;IAEH,MAAM,aAAa,GAAG;QACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI;QACJ,eAAe,EAAE,KAAK;QACtB,OAAO;QACP,WAAW;QACX,OAAO;QACP,SAAS;QACT,OAAO;KACR,CAAC;IAEF,MAAM,qBAAqB,GAAG,eAAe,CAC3C,UAAU,CAAC,cAAc,EACzB,2BAA2B,CAAC,aAAa,CAAC,CAC3C,CAAC;IAEF,OAAO;QACL,GAAG,aAAa;QAChB,UAAU;QACV,qBAAqB;QACrB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;KACjC,CAAC;AACJ,CAAC"}

package/dist/ai/src/plugins/security/sbom-generator.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * SBOM Generator
+ *
+ * Generates Software Bill of Materials in CycloneDX format using Syft CLI.
+ * Falls back to `npm ls --all --json` when Syft is unavailable.
+ *
+ * @module plugins/security/sbom-generator
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import type { SBOMResult } from './types.js';
+/**
+ * Generate an SBOM for a plugin.
+ *
+ * Tries Syft first; falls back to `npm ls` if Syft is unavailable.
+ *
+ * @param pluginId  Unique plugin identifier used in storage path
+ * @param version   Plugin version string
+ * @param pluginPath Absolute path to the extracted plugin directory
+ */
+export declare function generateSBOM(pluginId: string, version: string, pluginPath: string): Promise<SBOMResult>;
+//# sourceMappingURL=sbom-generator.d.ts.map

package/dist/ai/src/plugins/security/sbom-generator.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"sbom-generator.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/security/sbom-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,KAAK,EAAE,UAAU,EAAiB,MAAM,YAAY,CAAC;AA4H5D;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,UAAU,CAAC,CAqBrB"}

package/dist/ai/src/plugins/security/sbom-generator.js ADDED Viewed

@@ -0,0 +1,115 @@
+/**
+ * SBOM Generator
+ *
+ * Generates Software Bill of Materials in CycloneDX format using Syft CLI.
+ * Falls back to `npm ls --all --json` when Syft is unavailable.
+ *
+ * @module plugins/security/sbom-generator
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+const execFileAsync = promisify(execFile);
+/** Directory where SBOMs are persisted */
+const SBOM_STORAGE_DIR = join(homedir(), '.dcyfr', 'plugin-sboms');
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+function ensureStorageDir() {
+    if (!existsSync(SBOM_STORAGE_DIR)) {
+        mkdirSync(SBOM_STORAGE_DIR, { recursive: true });
+    }
+}
+function buildStoragePath(pluginId, version) {
+    const safeId = pluginId.replaceAll(/[^a-zA-Z0-9._-]/g, '_');
+    return join(SBOM_STORAGE_DIR, `${safeId}-${version}.json`);
+}
+async function generateWithSyft(pluginPath, storagePath) {
+    const { stdout } = await execFileAsync('syft', [
+        pluginPath,
+        '--output',
+        'cyclonedx-json',
+    ]);
+    const parsed = JSON.parse(stdout);
+    const components = (parsed.components ?? []).map((c) => ({
+        name: c.name ?? 'unknown',
+        version: c.version ?? 'unknown',
+        license: c.licenses?.[0]?.expression,
+        cpe: c.cpe,
+        purl: c.purl,
+        ecosystem: c.type,
+    }));
+    writeFileSync(storagePath, JSON.stringify({ components, format: 'cyclonedx', generatedAt: new Date().toISOString() }, null, 2));
+    return {
+        success: true,
+        usedFallback: false,
+        format: 'cyclonedx',
+        components,
+        storagePath,
+    };
+}
+function flattenNpmLsDeps(deps, acc) {
+    if (!deps)
+        return;
+    for (const [name, entry] of Object.entries(deps)) {
+        acc.push({ name, version: entry.version ?? 'unknown', ecosystem: 'npm' });
+        flattenNpmLsDeps(entry.dependencies, acc);
+    }
+}
+async function generateWithNpmLs(pluginPath, storagePath) {
+    const { stdout } = await execFileAsync('npm', ['ls', '--all', '--json'], {
+        cwd: pluginPath,
+    });
+    const parsed = JSON.parse(stdout);
+    const components = [];
+    flattenNpmLsDeps(parsed.dependencies, components);
+    writeFileSync(storagePath, JSON.stringify({ components, format: 'npm-ls', generatedAt: new Date().toISOString() }, null, 2));
+    return {
+        success: true,
+        usedFallback: true,
+        format: 'npm-ls',
+        components,
+        storagePath,
+    };
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Generate an SBOM for a plugin.
+ *
+ * Tries Syft first; falls back to `npm ls` if Syft is unavailable.
+ *
+ * @param pluginId  Unique plugin identifier used in storage path
+ * @param version   Plugin version string
+ * @param pluginPath Absolute path to the extracted plugin directory
+ */
+export async function generateSBOM(pluginId, version, pluginPath) {
+    ensureStorageDir();
+    const storagePath = buildStoragePath(pluginId, version);
+    try {
+        return await generateWithSyft(pluginPath, storagePath);
+    }
+    catch (syftError) {
+        // Syft unavailable or parsing failed — try npm ls fallback
+        try {
+            const result = await generateWithNpmLs(pluginPath, storagePath);
+            return result;
+        }
+        catch (npmError) {
+            return {
+                success: false,
+                usedFallback: true,
+                format: 'npm-ls',
+                components: [],
+                error: `Syft: ${String(syftError)} | npm ls: ${String(npmError)}`,
+            };
+        }
+    }
+}
+//# sourceMappingURL=sbom-generator.js.map

package/dist/ai/src/plugins/security/sbom-generator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sbom-generator.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/security/sbom-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAGlC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,0CAA0C;AAC1C,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;AAEnE,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,gBAAgB;IACvB,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,SAAS,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB,EAAE,OAAe;IACzD,MAAM,MAAM,GAAG,QAAQ,CAAC,UAAU,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;IAC5D,OAAO,IAAI,CAAC,gBAAgB,EAAE,GAAG,MAAM,IAAI,OAAO,OAAO,CAAC,CAAC;AAC7D,CAAC;AAmBD,KAAK,UAAU,gBAAgB,CAC7B,UAAkB,EAClB,WAAmB;IAEnB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE;QAC7C,UAAU;QACV,UAAU;QACV,gBAAgB;KACjB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAe,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAoB,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxE,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,SAAS;QACzB,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,SAAS;QAC/B,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU;QACpC,GAAG,EAAE,CAAC,CAAC,GAAG;QACV,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,SAAS,EAAE,CAAC,CAAC,IAAI;KAClB,CAAC,CAAC,CAAC;IAEJ,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAEhI,OAAO;QACL,OAAO,EAAE,IAAI;QACb,YAAY,EAAE,KAAK;QACnB,MAAM,EAAE,WAAW;QACnB,UAAU;QACV,WAAW;KACZ,CAAC;AACJ,CAAC;AAkBD,SAAS,gBAAgB,CACvB,IAA4C,EAC5C,GAAoB;IAEpB,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1E,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,UAAkB,EAClB,WAAmB;IAEnB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE;QACvE,GAAG,EAAE,UAAU;KAChB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAoB,EAAE,CAAC;IACvC,gBAAgB,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAElD,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAE7H,OAAO;QACL,OAAO,EAAE,IAAI;QACb,YAAY,EAAE,IAAI;QAClB,MAAM,EAAE,QAAQ;QAChB,UAAU;QACV,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,OAAe,EACf,UAAkB;IAElB,gBAAgB,EAAE,CAAC;IACnB,MAAM,WAAW,GAAG,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,OAAO,MAAM,gBAAgB,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,SAAS,EAAE,CAAC;QACnB,2DAA2D;QAC3D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YAChE,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,QAAQ,EAAE,CAAC;YAClB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,IAAI;gBAClB,MAAM,EAAE,QAAQ;gBAChB,UAAU,EAAE,EAAE;gBACd,KAAK,EAAE,SAAS,MAAM,CAAC,SAAS,CAAC,cAAc,MAAM,CAAC,QAAQ,CAAC,EAAE;aAClE,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/ai/src/plugins/security/secret-detector.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Secret Detector
+ *
+ * Checks plugin source code for hardcoded secrets using Gitleaks CLI.
+ * Test fixtures in __tests__/fixtures/ are flagged as warnings, not blockers.
+ *
+ * @module plugins/security/secret-detector
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import type { SecretDetectionResult } from './types.js';
+/**
+ * Scan a plugin directory for hardcoded secrets using Gitleaks.
+ *
+ * @param pluginPath Absolute path to the extracted plugin directory
+ */
+export declare function detectSecrets(pluginPath: string): Promise<SecretDetectionResult>;
+//# sourceMappingURL=secret-detector.d.ts.map

package/dist/ai/src/plugins/security/secret-detector.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"secret-detector.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/security/secret-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,KAAK,EAAE,qBAAqB,EAAkB,MAAM,YAAY,CAAC;AAiIxE;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,qBAAqB,CAAC,CA6EhC"}