@decibelsystems/tools 2.0.0

package/dist/tools/guardian/index.js

@@ -0,0 +1,171 @@
+// ============================================================================
+// Guardian Domain Tools — Security Scanning
+// ============================================================================
+import { toolSuccess, toolError } from '../shared/index.js';
+import { scanDeps, scanSecrets, scanHttp, scanConfig, guardianReport, } from '../guardian.js';
+// ============================================================================
+// scan_deps
+// ============================================================================
+export const guardianScanDepsTool = {
+    definition: {
+        name: 'guardian_scan_deps',
+        description: 'Run npm audit to find dependency vulnerabilities. Returns severity counts and actionable fix suggestions.',
+        annotations: {
+            title: 'Scan Dependencies',
+            readOnlyHint: true,
+            destructiveHint: false,
+        },
+        inputSchema: {
+            type: 'object',
+            properties: {
+                project_id: {
+                    type: 'string',
+                    description: 'Optional project identifier',
+                },
+            },
+        },
+    },
+    handler: async (args) => {
+        try {
+            const result = await scanDeps(args);
+            return toolSuccess(result);
+        }
+        catch (err) {
+            return toolError(err instanceof Error ? err.message : String(err));
+        }
+    },
+};
+// ============================================================================
+// scan_secrets
+// ============================================================================
+export const guardianScanSecretsTool = {
+    definition: {
+        name: 'guardian_scan_secrets',
+        description: 'Scan source files for exposed secrets: API keys, tokens, passwords, private keys. Respects allowlist in .decibel/guardian/allowlist.yaml.',
+        annotations: {
+            title: 'Scan Secrets',
+            readOnlyHint: true,
+            destructiveHint: false,
+        },
+        inputSchema: {
+            type: 'object',
+            properties: {
+                project_id: {
+                    type: 'string',
+                    description: 'Optional project identifier',
+                },
+                directories: {
+                    type: 'array',
+                    items: { type: 'string' },
+                    description: 'Directories to scan (defaults to src/ and extension/src/)',
+                },
+            },
+        },
+    },
+    handler: async (args) => {
+        try {
+            const result = await scanSecrets(args);
+            return toolSuccess(result);
+        }
+        catch (err) {
+            return toolError(err instanceof Error ? err.message : String(err));
+        }
+    },
+};
+// ============================================================================
+// scan_http
+// ============================================================================
+export const guardianScanHttpTool = {
+    definition: {
+        name: 'guardian_scan_http',
+        description: 'Inspect daemon HTTP configuration for security issues: auth token, CORS, rate limiter, host binding, TLS.',
+        annotations: {
+            title: 'Scan HTTP Surface',
+            readOnlyHint: true,
+            destructiveHint: false,
+        },
+        inputSchema: {
+            type: 'object',
+            properties: {},
+        },
+    },
+    handler: async () => {
+        try {
+            const result = await scanHttp();
+            return toolSuccess(result);
+        }
+        catch (err) {
+            return toolError(err instanceof Error ? err.message : String(err));
+        }
+    },
+};
+// ============================================================================
+// scan_config
+// ============================================================================
+export const guardianScanConfigTool = {
+    definition: {
+        name: 'guardian_scan_config',
+        description: 'Check ~/.decibel/config.yaml and environment variables for insecure defaults (no auth token, permissive host binding, etc.).',
+        annotations: {
+            title: 'Scan Configuration',
+            readOnlyHint: true,
+            destructiveHint: false,
+        },
+        inputSchema: {
+            type: 'object',
+            properties: {},
+        },
+    },
+    handler: async () => {
+        try {
+            const result = await scanConfig();
+            return toolSuccess(result);
+        }
+        catch (err) {
+            return toolError(err instanceof Error ? err.message : String(err));
+        }
+    },
+};
+// ============================================================================
+// report
+// ============================================================================
+export const guardianReportTool = {
+    definition: {
+        name: 'guardian_report',
+        description: 'Run all security scans and produce an aggregate report with an overall grade (A–F).',
+        annotations: {
+            title: 'Security Report',
+            readOnlyHint: true,
+            destructiveHint: false,
+        },
+        inputSchema: {
+            type: 'object',
+            properties: {
+                project_id: {
+                    type: 'string',
+                    description: 'Optional project identifier',
+                },
+            },
+        },
+    },
+    handler: async (args) => {
+        try {
+            const result = await guardianReport(args);
+            return toolSuccess(result);
+        }
+        catch (err) {
+            return toolError(err instanceof Error ? err.message : String(err));
+        }
+    },
+};
+// ============================================================================
+// Export All Tools
+// ============================================================================
+export const guardianTools = [
+    guardianScanDepsTool,
+    guardianScanSecretsTool,
+    guardianScanHttpTool,
+    guardianScanConfigTool,
+    guardianReportTool,
+];
+//# sourceMappingURL=index.js.map

package/dist/tools/guardian/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/tools/guardian/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,4CAA4C;AAC5C,+EAA+E;AAG/E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EACL,QAAQ,EACR,WAAW,EACX,QAAQ,EACR,UAAU,EACV,cAAc,GACf,MAAM,gBAAgB,CAAC;AAExB,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,CAAC,MAAM,oBAAoB,GAAa;IAC5C,UAAU,EAAE;QACV,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2GAA2G;QACxH,WAAW,EAAE;YACX,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;SACvB;QACD,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,6BAA6B;iBAC3C;aACF;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;YACpC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;CACF,CAAC;AAEF,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E,MAAM,CAAC,MAAM,uBAAuB,GAAa;IAC/C,UAAU,EAAE;QACV,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,2IAA2I;QACxJ,WAAW,EAAE;YACX,KAAK,EAAE,cAAc;YACrB,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;SACvB;QACD,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,6BAA6B;iBAC3C;gBACD,WAAW,EAAE;oBACX,IAAI,EAAE,OAAO;oBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;oBACzB,WAAW,EAAE,2DAA2D;iBACzE;aACF;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;YACvC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;CACF,CAAC;AAEF,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,CAAC,MAAM,oBAAoB,GAAa;IAC5C,UAAU,EAAE;QACV,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2GAA2G;QACxH,WAAW,EAAE;YACX,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;SACvB;QACD,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;SACf;KACF;IACD,OAAO,EAAE,KAAK,IAAI,EAAE;QAClB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,EAAE,CAAC;YAChC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;CACF,CAAC;AAEF,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E,MAAM,CAAC,MAAM,sBAAsB,GAAa;IAC9C,UAAU,EAAE;QACV,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,8HAA8H;QAC3I,WAAW,EAAE;YACX,KAAK,EAAE,oBAAoB;YAC3B,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;SACvB;QACD,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;SACf;KACF;IACD,OAAO,EAAE,KAAK,IAAI,EAAE;QAClB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;YAClC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;CACF,CAAC;AAEF,+EAA+E;AAC/E,SAAS;AACT,+EAA+E;AAE/E,MAAM,CAAC,MAAM,kBAAkB,GAAa;IAC1C,UAAU,EAAE;QACV,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,qFAAqF;QAClG,WAAW,EAAE;YACX,KAAK,EAAE,iBAAiB;YACxB,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;SACvB;QACD,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,6BAA6B;iBAC3C;aACF;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC;YAC1C,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,SAAS,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;CACF,CAAC;AAEF,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,MAAM,CAAC,MAAM,aAAa,GAAe;IACvC,oBAAoB;IACpB,uBAAuB;IACvB,oBAAoB;IACpB,sBAAsB;IACtB,kBAAkB;CACnB,CAAC"}

package/dist/tools/guardian.d.ts

@@ -0,0 +1,62 @@
+export interface ScanDepsInput {
+    project_id?: string;
+}
+export interface ScanDepsOutput {
+    total_advisories: number;
+    by_severity: Record<string, number>;
+    advisories: Array<{
+        name: string;
+        severity: string;
+        title: string;
+        url: string;
+        fix_available: boolean;
+    }>;
+}
+export interface ScanSecretsInput {
+    project_id?: string;
+    directories?: string[];
+}
+export interface ScanSecretsOutput {
+    findings: Array<{
+        file: string;
+        line: number;
+        pattern: string;
+        snippet: string;
+    }>;
+    total_findings: number;
+    allowlisted: number;
+}
+export interface ScanHttpOutput {
+    checks: Array<{
+        name: string;
+        status: 'pass' | 'fail' | 'warn';
+        detail: string;
+    }>;
+    score: string;
+}
+export interface ScanConfigOutput {
+    checks: Array<{
+        name: string;
+        status: 'pass' | 'fail' | 'warn';
+        detail: string;
+    }>;
+    config_path: string;
+}
+export interface GuardianReportOutput {
+    overall_grade: string;
+    sections: {
+        deps: ScanDepsOutput;
+        secrets: ScanSecretsOutput;
+        http: ScanHttpOutput;
+        config: ScanConfigOutput;
+    };
+    generated_at: string;
+}
+export declare function scanDeps(input: ScanDepsInput): Promise<ScanDepsOutput>;
+export declare function scanSecrets(input: ScanSecretsInput): Promise<ScanSecretsOutput>;
+export declare function scanHttp(): Promise<ScanHttpOutput>;
+export declare function scanConfig(): Promise<ScanConfigOutput>;
+export declare function guardianReport(input: {
+    project_id?: string;
+}): Promise<GuardianReportOutput>;
+//# sourceMappingURL=guardian.d.ts.map

package/dist/tools/guardian.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guardian.d.ts","sourceRoot":"","sources":["../../src/tools/guardian.ts"],"names":[],"mappings":"AAqBA,MAAM,WAAW,aAAa;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,UAAU,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,GAAG,EAAE,MAAM,CAAC;QACZ,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,KAAK,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;QACjC,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,KAAK,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;QACjC,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE;QACR,IAAI,EAAE,cAAc,CAAC;QACrB,OAAO,EAAE,iBAAiB,CAAC;QAC3B,IAAI,EAAE,cAAc,CAAC;QACrB,MAAM,EAAE,gBAAgB,CAAC;KAC1B,CAAC;IACF,YAAY,EAAE,MAAM,CAAC;CACtB;AAoDD,wBAAsB,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC,CA2E5E;AAED,wBAAsB,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA8BrF;AA0DD,wBAAsB,QAAQ,IAAI,OAAO,CAAC,cAAc,CAAC,CAqCxD;AAED,wBAAsB,UAAU,IAAI,OAAO,CAAC,gBAAgB,CAAC,CA+C5D;AAED,wBAAsB,cAAc,CAAC,KAAK,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAoClG"}

package/dist/tools/guardian.js

@@ -0,0 +1,332 @@
+// ============================================================================
+// Guardian — Security Scanning Tools
+// ============================================================================
+// Scans for dependency vulnerabilities, exposed secrets, HTTP surface issues,
+// and insecure daemon configuration. Aggregates into a security report.
+// ============================================================================
+import { execSync } from 'child_process';
+import fs from 'fs/promises';
+import { existsSync, readFileSync } from 'fs';
+import path from 'path';
+import { homedir } from 'os';
+import { resolveProjectPaths } from '../projectRegistry.js';
+import { loadConfig } from '../daemonConfig.js';
+import YAML from 'yaml';
+// ============================================================================
+// Secret Detection Patterns
+// ============================================================================
+const SECRET_PATTERNS = [
+    { name: 'api_key', pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"][^'"]{8,}/i },
+    { name: 'secret', pattern: /(?:secret|client_secret)\s*[:=]\s*['"][^'"]{8,}/i },
+    { name: 'password', pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}/i },
+    { name: 'token', pattern: /(?:auth[_-]?token|access[_-]?token|bearer)\s*[:=]\s*['"][^'"]{8,}/i },
+    { name: 'pem_header', pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/ },
+    { name: 'aws_key', pattern: /AKIA[0-9A-Z]{16}/ },
+    { name: 'jwt', pattern: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/ },
+];
+// ============================================================================
+// Helpers
+// ============================================================================
+function loadAllowlist(projectId) {
+    try {
+        let allowlistPath;
+        if (projectId) {
+            const resolved = resolveProjectPaths(projectId);
+            allowlistPath = resolved.subPath('guardian/allowlist.yaml');
+        }
+        else {
+            allowlistPath = path.join(homedir(), '.decibel', 'guardian', 'allowlist.yaml');
+        }
+        if (!existsSync(allowlistPath))
+            return [];
+        const content = readFileSync(allowlistPath, 'utf-8');
+        const parsed = YAML.parse(content);
+        return Array.isArray(parsed?.entries) ? parsed.entries : [];
+    }
+    catch {
+        return [];
+    }
+}
+function gradeFromScore(score, total) {
+    const pct = total > 0 ? (score / total) * 100 : 100;
+    if (pct >= 90)
+        return 'A';
+    if (pct >= 75)
+        return 'B';
+    if (pct >= 60)
+        return 'C';
+    if (pct >= 40)
+        return 'D';
+    return 'F';
+}
+// ============================================================================
+// Scan Functions
+// ============================================================================
+export async function scanDeps(input) {
+    let projectPath;
+    try {
+        const resolved = resolveProjectPaths(input.project_id);
+        projectPath = resolved.projectPath;
+    }
+    catch {
+        projectPath = process.cwd();
+    }
+    try {
+        const output = execSync('npm audit --json 2>/dev/null', {
+            cwd: projectPath,
+            encoding: 'utf-8',
+            timeout: 30_000,
+        });
+        const audit = JSON.parse(output);
+        const vulnerabilities = audit.vulnerabilities || {};
+        const bySeverity = {};
+        const advisories = [];
+        for (const [name, vuln] of Object.entries(vulnerabilities)) {
+            const severity = vuln.severity || 'unknown';
+            bySeverity[severity] = (bySeverity[severity] || 0) + 1;
+            advisories.push({
+                name,
+                severity,
+                title: vuln.via?.[0]?.title || vuln.via?.[0] || 'Unknown',
+                url: vuln.via?.[0]?.url || '',
+                fix_available: !!vuln.fixAvailable,
+            });
+        }
+        return {
+            total_advisories: advisories.length,
+            by_severity: bySeverity,
+            advisories: advisories.slice(0, 20), // Limit output
+        };
+    }
+    catch (err) {
+        // npm audit exits non-zero when vulnerabilities are found — parse the output
+        if (err.stdout) {
+            try {
+                const audit = JSON.parse(err.stdout);
+                const vulnerabilities = audit.vulnerabilities || {};
+                const bySeverity = {};
+                const advisories = [];
+                for (const [name, vuln] of Object.entries(vulnerabilities)) {
+                    const severity = vuln.severity || 'unknown';
+                    bySeverity[severity] = (bySeverity[severity] || 0) + 1;
+                    advisories.push({
+                        name,
+                        severity,
+                        title: vuln.via?.[0]?.title || vuln.via?.[0] || 'Unknown',
+                        url: vuln.via?.[0]?.url || '',
+                        fix_available: !!vuln.fixAvailable,
+                    });
+                }
+                return {
+                    total_advisories: advisories.length,
+                    by_severity: bySeverity,
+                    advisories: advisories.slice(0, 20),
+                };
+            }
+            catch {
+                // Couldn't parse output
+            }
+        }
+        return {
+            total_advisories: 0,
+            by_severity: {},
+            advisories: [],
+        };
+    }
+}
+export async function scanSecrets(input) {
+    const allowlist = loadAllowlist(input.project_id);
+    let scanDirs;
+    try {
+        const resolved = resolveProjectPaths(input.project_id);
+        scanDirs = input.directories || [
+            path.join(resolved.projectPath, 'src'),
+            path.join(resolved.projectPath, 'extension', 'src'),
+        ];
+    }
+    catch {
+        scanDirs = input.directories || [path.join(process.cwd(), 'src')];
+    }
+    const findings = [];
+    let allowlisted = 0;
+    for (const dir of scanDirs) {
+        try {
+            await scanDirectory(dir, findings, allowlist, (count) => { allowlisted += count; });
+        }
+        catch {
+            // Directory doesn't exist — skip
+        }
+    }
+    return {
+        findings: findings.slice(0, 50), // Limit output
+        total_findings: findings.length,
+        allowlisted,
+    };
+}
+async function scanDirectory(dir, findings, allowlist, onAllowlisted) {
+    let entries;
+    try {
+        entries = await fs.readdir(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+            // Skip node_modules, .git, dist
+            if (['node_modules', '.git', 'dist', '.decibel'].includes(entry.name))
+                continue;
+            await scanDirectory(fullPath, findings, allowlist, onAllowlisted);
+            continue;
+        }
+        // Only scan source files
+        if (!/\.(ts|js|tsx|jsx|json|yaml|yml|env|toml|cfg|conf|ini)$/.test(entry.name))
+            continue;
+        try {
+            const content = await fs.readFile(fullPath, 'utf-8');
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                for (const { name, pattern } of SECRET_PATTERNS) {
+                    const match = pattern.exec(line);
+                    if (match) {
+                        // Check allowlist
+                        const snippet = match[0].substring(0, 60);
+                        if (allowlist.some(a => snippet.includes(a) || fullPath.includes(a))) {
+                            onAllowlisted(1);
+                            continue;
+                        }
+                        findings.push({
+                            file: fullPath,
+                            line: i + 1,
+                            pattern: name,
+                            snippet: snippet + (match[0].length > 60 ? '...' : ''),
+                        });
+                    }
+                }
+            }
+        }
+        catch {
+            // Can't read file — skip
+        }
+    }
+}
+export async function scanHttp() {
+    const config = loadConfig();
+    const checks = [];
+    // Check auth token
+    if (config.daemon.auth_token) {
+        checks.push({ name: 'auth_token', status: 'pass', detail: 'Auth token is configured' });
+    }
+    else {
+        checks.push({ name: 'auth_token', status: 'fail', detail: 'No auth token configured — daemon accepts unauthenticated requests' });
+    }
+    // Check host binding
+    if (config.daemon.host === '127.0.0.1' || config.daemon.host === 'localhost') {
+        checks.push({ name: 'host_binding', status: 'pass', detail: `Bound to ${config.daemon.host} (localhost only)` });
+    }
+    else if (config.daemon.host === '0.0.0.0') {
+        checks.push({ name: 'host_binding', status: 'warn', detail: 'Bound to 0.0.0.0 (all interfaces) — accessible from network' });
+    }
+    else {
+        checks.push({ name: 'host_binding', status: 'warn', detail: `Bound to ${config.daemon.host}` });
+    }
+    // Check rate limiter
+    if (config.daemon.rate_limit_rpm > 0) {
+        checks.push({ name: 'rate_limiter', status: 'pass', detail: `Rate limit: ${config.daemon.rate_limit_rpm} req/min` });
+    }
+    else {
+        checks.push({ name: 'rate_limiter', status: 'fail', detail: 'Rate limiter disabled' });
+    }
+    // Body size limit (hardcoded in httpServer.ts)
+    checks.push({ name: 'body_limit', status: 'pass', detail: 'Request body limit: 1MB' });
+    // TLS check (expected to fail — TLS is handled by reverse proxy)
+    checks.push({ name: 'tls', status: 'warn', detail: 'No TLS — use reverse proxy for remote access' });
+    const passCount = checks.filter(c => c.status === 'pass').length;
+    const score = gradeFromScore(passCount, checks.length);
+    return { checks, score };
+}
+export async function scanConfig() {
+    const configPath = path.join(homedir(), '.decibel', 'config.yaml');
+    const checks = [];
+    // Check config file exists
+    if (!existsSync(configPath)) {
+        checks.push({ name: 'config_file', status: 'warn', detail: 'No config file found — using defaults' });
+    }
+    else {
+        checks.push({ name: 'config_file', status: 'pass', detail: 'Config file found' });
+    }
+    // Check env vars
+    if (process.env.DECIBEL_PRO === '1' && process.env.NODE_ENV === 'production') {
+        checks.push({ name: 'pro_env', status: 'warn', detail: 'DECIBEL_PRO=1 set in production — pro features enabled for all' });
+    }
+    else {
+        checks.push({ name: 'pro_env', status: 'pass', detail: 'Pro tier gating is appropriate for environment' });
+    }
+    // Check PID file permissions
+    const pidPath = path.join(homedir(), '.decibel', 'daemon.pid');
+    if (existsSync(pidPath)) {
+        try {
+            const stat = await fs.stat(pidPath);
+            const mode = (stat.mode & 0o777).toString(8);
+            if (parseInt(mode, 8) > 0o644) {
+                checks.push({ name: 'pid_perms', status: 'warn', detail: `PID file is world-writable (${mode})` });
+            }
+            else {
+                checks.push({ name: 'pid_perms', status: 'pass', detail: `PID file permissions: ${mode}` });
+            }
+        }
+        catch {
+            checks.push({ name: 'pid_perms', status: 'pass', detail: 'PID file permissions OK' });
+        }
+    }
+    // Check log directory permissions
+    const logDir = path.join(homedir(), '.decibel', 'logs');
+    if (existsSync(logDir)) {
+        checks.push({ name: 'log_dir', status: 'pass', detail: 'Log directory exists' });
+    }
+    // Check for insecure default host
+    const config = loadConfig();
+    if (config.daemon.host === '0.0.0.0') {
+        checks.push({ name: 'default_host', status: 'warn', detail: 'Config host is 0.0.0.0 — consider 127.0.0.1 for security' });
+    }
+    return { checks, config_path: configPath };
+}
+export async function guardianReport(input) {
+    const [deps, secrets, http, config] = await Promise.all([
+        scanDeps({ project_id: input.project_id }),
+        scanSecrets({ project_id: input.project_id }),
+        scanHttp(),
+        scanConfig(),
+    ]);
+    // Calculate overall grade
+    let score = 0;
+    let total = 0;
+    // Deps scoring
+    total += 3;
+    if (deps.total_advisories === 0)
+        score += 3;
+    else if (!deps.by_severity?.critical && !deps.by_severity?.high)
+        score += 2;
+    else if (!deps.by_severity?.critical)
+        score += 1;
+    // Secrets scoring
+    total += 3;
+    if (secrets.total_findings === 0)
+        score += 3;
+    else if (secrets.total_findings < 3)
+        score += 1;
+    // HTTP scoring
+    total += http.checks.length;
+    score += http.checks.filter(c => c.status === 'pass').length;
+    // Config scoring
+    total += config.checks.length;
+    score += config.checks.filter(c => c.status === 'pass').length;
+    return {
+        overall_grade: gradeFromScore(score, total),
+        sections: { deps, secrets, http, config },
+        generated_at: new Date().toISOString(),
+    };
+}
+//# sourceMappingURL=guardian.js.map

package/dist/tools/guardian.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guardian.js","sourceRoot":"","sources":["../../src/tools/guardian.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAC/E,8EAA8E;AAC9E,wEAAwE;AACxE,+EAA+E;AAE/E,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAE7B,OAAO,EAAE,mBAAmB,EAAwB,MAAM,uBAAuB,CAAC;AAClF,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,IAAI,MAAM,MAAM,CAAC;AAmExB,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E,MAAM,eAAe,GAAG;IACtB,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,gDAAgD,EAAE;IAC9E,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,kDAAkD,EAAE;IAC/E,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,iDAAiD,EAAE;IAChF,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,oEAAoE,EAAE;IAChG,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,+CAA+C,EAAE;IAChF,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,kBAAkB,EAAE;IAChD,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,+DAA+D,EAAE;CAC1F,CAAC;AAEF,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,aAAa,CAAC,SAAkB;IACvC,IAAI,CAAC;QACH,IAAI,aAAqB,CAAC;QAC1B,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;YAChD,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;QAC9D,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,UAAU,EAAE,gBAAgB,CAAC,CAAC;QACjF,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC;YAAE,OAAO,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,KAAa;IAClD,MAAM,GAAG,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACpD,IAAI,GAAG,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC1B,IAAI,GAAG,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC1B,IAAI,GAAG,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC1B,IAAI,GAAG,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC1B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAAoB;IACjD,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACvD,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,8BAA8B,EAAE;YACtD,GAAG,EAAE,WAAW;YAChB,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,eAAe,GAAG,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC;QACpD,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAiC,EAAE,CAAC;QAEpD,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAoB,EAAE,CAAC;YAC9E,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,SAAS,CAAC;YAC5C,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACvD,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI;gBACJ,QAAQ;gBACR,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,SAAS;gBACzD,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE;gBAC7B,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY;aACnC,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,gBAAgB,EAAE,UAAU,CAAC,MAAM;YACnC,WAAW,EAAE,UAAU;YACvB,UAAU,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,eAAe;SACrD,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,6EAA6E;QAC7E,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACrC,MAAM,eAAe,GAAG,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC;gBACpD,MAAM,UAAU,GAA2B,EAAE,CAAC;gBAC9C,MAAM,UAAU,GAAiC,EAAE,CAAC;gBAEpD,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAoB,EAAE,CAAC;oBAC9E,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,SAAS,CAAC;oBAC5C,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;oBACvD,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI;wBACJ,QAAQ;wBACR,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,SAAS;wBACzD,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE;wBAC7B,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY;qBACnC,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO;oBACL,gBAAgB,EAAE,UAAU,CAAC,MAAM;oBACnC,WAAW,EAAE,UAAU;oBACvB,UAAU,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACpC,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC;QAED,OAAO;YACL,gBAAgB,EAAE,CAAC;YACnB,WAAW,EAAE,EAAE;YACf,UAAU,EAAE,EAAE;SACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,KAAuB;IACvD,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAElD,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACvD,QAAQ,GAAG,KAAK,CAAC,WAAW,IAAI;YAC9B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC;YACtC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC;SACpD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ,GAAG,KAAK,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,QAAQ,GAAkC,EAAE,CAAC;IACnD,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,KAAK,EAAE,EAAE,GAAG,WAAW,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACtF,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,eAAe;QAChD,cAAc,EAAE,QAAQ,CAAC,MAAM;QAC/B,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,GAAW,EACX,QAAuC,EACvC,SAAmB,EACnB,aAAsC;IAEtC,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAE5C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,gCAAgC;YAChC,IAAI,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;gBAAE,SAAS;YAChF,MAAM,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;YAClE,SAAS;QACX,CAAC;QAED,yBAAyB;QACzB,IAAI,CAAC,wDAAwD,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS;QAEzF,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,eAAe,EAAE,CAAC;oBAChD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACjC,IAAI,KAAK,EAAE,CAAC;wBACV,kBAAkB;wBAClB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBAC1C,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;4BACrE,aAAa,CAAC,CAAC,CAAC,CAAC;4BACjB,SAAS;wBACX,CAAC;wBACD,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,OAAO,EAAE,IAAI;4BACb,OAAO,EAAE,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;yBACvD,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yBAAyB;QAC3B,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ;IAC5B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,MAAM,MAAM,GAA6B,EAAE,CAAC;IAE5C,mBAAmB;IACnB,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC1F,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,oEAAoE,EAAE,CAAC,CAAC;IACpI,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC7E,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,MAAM,CAAC,MAAM,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;IACnH,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,6DAA6D,EAAE,CAAC,CAAC;IAC/H,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAClG,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,MAAM,CAAC,cAAc,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,MAAM,CAAC,MAAM,CAAC,cAAc,UAAU,EAAE,CAAC,CAAC;IACvH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,+CAA+C;IAC/C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAEvF,iEAAiE;IACjE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,8CAA8C,EAAE,CAAC,CAAC;IAErG,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACjE,MAAM,KAAK,GAAG,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAEvD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IACnE,MAAM,MAAM,GAA+B,EAAE,CAAC;IAE9C,2BAA2B;IAC3B,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC,CAAC;IACxG,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC7E,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gEAAgE,EAAE,CAAC,CAAC;IAC7H,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gDAAgD,EAAE,CAAC,CAAC;IAC7G,CAAC;IAED,6BAA6B;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;IAC/D,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpC,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAC7C,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,+BAA+B,IAAI,GAAG,EAAE,CAAC,CAAC;YACrG,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IACxD,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,kCAAkC;IAClC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,0DAA0D,EAAE,CAAC,CAAC;IAC5H,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAA8B;IACjE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACtD,QAAQ,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC;QAC1C,WAAW,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC;QAC7C,QAAQ,EAAE;QACV,UAAU,EAAE;KACb,CAAC,CAAC;IAEH,0BAA0B;IAC1B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,eAAe;IACf,KAAK,IAAI,CAAC,CAAC;IACX,IAAI,IAAI,CAAC,gBAAgB,KAAK,CAAC;QAAE,KAAK,IAAI,CAAC,CAAC;SACvC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI;QAAE,KAAK,IAAI,CAAC,CAAC;SACvE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ;QAAE,KAAK,IAAI,CAAC,CAAC;IAEjD,kBAAkB;IAClB,KAAK,IAAI,CAAC,CAAC;IACX,IAAI,OAAO,CAAC,cAAc,KAAK,CAAC;QAAE,KAAK,IAAI,CAAC,CAAC;SACxC,IAAI,OAAO,CAAC,cAAc,GAAG,CAAC;QAAE,KAAK,IAAI,CAAC,CAAC;IAEhD,eAAe;IACf,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAE7D,iBAAiB;IACjB,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;IAC9B,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAE/D,OAAO;QACL,aAAa,EAAE,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC;QAC3C,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE;QACzC,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACvC,CAAC;AACJ,CAAC"}

package/dist/tools/hygiene/codebase-scanner.d.ts

@@ -0,0 +1,38 @@
+export interface CodebaseFinding {
+    id: string;
+    category: 'structural';
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    type: 'god_script' | 'rule_sprawl' | 'duplication' | 'hardcoded_value' | 'deep_nesting';
+    title: string;
+    description: string;
+    file: string;
+    line?: number;
+    suggestion?: string;
+    metadata?: Record<string, unknown>;
+}
+export interface CodebaseScanInput {
+    projectPath: string;
+    thresholds?: {
+        godScriptLines?: number;
+        ruleSprawlChains?: number;
+        nestingDepth?: number;
+    };
+    includePatterns?: string[];
+    excludePatterns?: string[];
+}
+export interface CodebaseScanResult {
+    findings: CodebaseFinding[];
+    score: number;
+    summary: {
+        totalFiles: number;
+        totalLines: number;
+        godScripts: number;
+        ruleSprawl: number;
+        duplications: number;
+        hardcodedValues: number;
+        deepNesting: number;
+    };
+    scanDuration: number;
+}
+export declare function scanCodebase(input: CodebaseScanInput): Promise<CodebaseScanResult>;
+//# sourceMappingURL=codebase-scanner.d.ts.map

package/dist/tools/hygiene/codebase-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"codebase-scanner.d.ts","sourceRoot":"","sources":["../../../src/tools/hygiene/codebase-scanner.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACjD,IAAI,EAAE,YAAY,GAAG,aAAa,GAAG,aAAa,GAAG,iBAAiB,GAAG,cAAc,CAAC;IACxF,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE;QACX,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE;QACP,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,YAAY,EAAE,MAAM,CAAC;CACtB;AAwYD,wBAAsB,YAAY,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAyExF"}