@devshub198211/devguard 2.0.1

package/dist/security.cjs

@@ -0,0 +1,654 @@
+'use strict';
+
+var fs = require('fs');
+var crypto = require('crypto');
+var path = require('path');
+var os = require('os');
+var https = require('https');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
+var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
+var path__namespace = /*#__PURE__*/_interopNamespace(path);
+var os__namespace = /*#__PURE__*/_interopNamespace(os);
+var https__namespace = /*#__PURE__*/_interopNamespace(https);
+
+// src/security/lockfile-guardian.ts
+var LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "bun.lockb"];
+var MAX_LOCKFILE_SIZE = 100 * 1024 * 1024;
+function safeResolve(root, ...segments) {
+  const resolvedRoot = path__namespace.resolve(root);
+  const resolved = path__namespace.resolve(resolvedRoot, ...segments);
+  if (!resolved.startsWith(resolvedRoot + path__namespace.sep) && resolved !== resolvedRoot) {
+    throw new Error(`Path traversal detected: ${segments.join("/")} escapes root ${resolvedRoot}`);
+  }
+  return resolved;
+}
+function hashFile(filePath) {
+  const stat = fs__namespace.statSync(filePath);
+  if (stat.size > MAX_LOCKFILE_SIZE) {
+    throw new Error(`File too large to hash (${stat.size} bytes, max ${MAX_LOCKFILE_SIZE}): ${filePath}`);
+  }
+  const buf = fs__namespace.readFileSync(filePath);
+  return "sha512-" + crypto__namespace.createHash("sha512").update(buf).digest("base64");
+}
+function verifyLockfile(root = process.cwd(), snapshotPath) {
+  const resolvedRoot = path__namespace.resolve(root);
+  const snap = snapshotPath ? path__namespace.resolve(snapshotPath) : path__namespace.join(resolvedRoot, ".lockguard-snapshot.json");
+  let snapshot = null;
+  if (fs__namespace.existsSync(snap)) {
+    try {
+      const raw = JSON.parse(fs__namespace.readFileSync(snap, "utf-8"));
+      if (raw && typeof raw === "object" && raw.version === 2 && typeof raw.entries === "object" && raw.entries !== null) {
+        snapshot = raw;
+      }
+    } catch {
+    }
+  }
+  const tampered = [];
+  const missing = [];
+  const added = [];
+  const entries = [];
+  const known = new Set(Object.keys(snapshot?.entries ?? {}));
+  for (const lf of LOCKFILES) {
+    const full = safeResolve(resolvedRoot, lf);
+    if (!fs__namespace.existsSync(full)) {
+      if (known.has(lf)) missing.push(lf);
+      continue;
+    }
+    try {
+      const stat = fs__namespace.statSync(full);
+      if (!stat.isFile()) continue;
+      const hash = hashFile(full);
+      entries.push({ file: lf, hash, size: stat.size, mtime: stat.mtimeMs });
+      if (snapshot) {
+        const prev = snapshot.entries[lf];
+        if (!prev) {
+          added.push(lf);
+        } else if (prev.hash !== hash) {
+          tampered.push(lf);
+        }
+      }
+    } catch {
+    }
+  }
+  return {
+    valid: tampered.length === 0 && missing.length === 0,
+    tampered,
+    missing,
+    added,
+    entries,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function createSnapshot(root = process.cwd(), snapshotPath) {
+  const resolvedRoot = path__namespace.resolve(root);
+  const snap = snapshotPath ? path__namespace.resolve(snapshotPath) : path__namespace.join(resolvedRoot, ".lockguard-snapshot.json");
+  const entries = {};
+  for (const lf of LOCKFILES) {
+    const full = safeResolve(resolvedRoot, lf);
+    if (!fs__namespace.existsSync(full)) continue;
+    try {
+      const stat = fs__namespace.statSync(full);
+      if (!stat.isFile()) continue;
+      entries[lf] = { hash: hashFile(full), size: stat.size };
+    } catch {
+    }
+  }
+  const snapshot = {
+    version: 2,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    host: os__namespace.hostname(),
+    entries
+  };
+  const tmpPath = snap + ".tmp." + crypto__namespace.randomBytes(4).toString("hex");
+  try {
+    fs__namespace.writeFileSync(tmpPath, JSON.stringify(snapshot, null, 2));
+    fs__namespace.renameSync(tmpPath, snap);
+  } catch (e) {
+    try {
+      fs__namespace.unlinkSync(tmpPath);
+    } catch {
+    }
+    throw e;
+  }
+  return snapshot;
+}
+function extractTransitiveDeps(root = process.cwd()) {
+  const resolvedRoot = path__namespace.resolve(root);
+  const pkgLock = path__namespace.join(resolvedRoot, "package-lock.json");
+  if (!fs__namespace.existsSync(pkgLock)) return {};
+  try {
+    const lock = JSON.parse(fs__namespace.readFileSync(pkgLock, "utf-8"));
+    const deps = {};
+    const packages = lock.packages;
+    if (typeof packages !== "object" || packages === null) return {};
+    for (const [k, v] of Object.entries(packages)) {
+      if (k && typeof v === "object" && v !== null && typeof v.version === "string") {
+        const name = k.replace(/^node_modules\//, "");
+        if (name === "__proto__" || name === "constructor" || name === "prototype") continue;
+        deps[name] = v.version;
+      }
+    }
+    return deps;
+  } catch {
+    return {};
+  }
+}
+var MAX_PKG_JSON_SIZE = 2 * 1024 * 1024;
+var MAX_SCRIPT_LENGTH = 1e4;
+var MAX_SCAN_DEPTH = 5;
+var RULES = [
+  { id: "R001", label: "Curl-to-shell pipe", severity: "critical", test: (s) => /curl\s+.+\|.*(ba)?sh/i.test(s) },
+  { id: "R002", label: "Wget-to-shell pipe", severity: "critical", test: (s) => /wget\s+.+\|.*(ba)?sh/i.test(s) },
+  { id: "R003", label: "Netcat reverse shell", severity: "critical", test: (s) => /\bnc(at)?\b.+-e\b|\bncat\b.+\bsh\b/i.test(s) },
+  { id: "R004", label: "System credential access", severity: "critical", test: (s) => /\/etc\/(passwd|shadow|sudoers)/i.test(s) },
+  { id: "R005", label: "SSH key exfiltration", severity: "critical", test: (s) => /\.ssh\/(id_rsa|authorized_keys|config)/i.test(s) },
+  { id: "R006", label: "Crypto miner binary", severity: "critical", test: (s) => /\b(xmrig|minerd|cpuminer|ethminer|claymore)\b/i.test(s) },
+  { id: "R007", label: "Stratum mining pool URL", severity: "critical", test: (s) => /stratum\+tcp:\/\//i.test(s) },
+  { id: "R008", label: "eval() usage", severity: "high", test: (s) => /\beval\s*\(/.test(s) },
+  { id: "R009", label: "Base64 decode + exec", severity: "high", test: (s) => /base64.*(decode|--decode|-d).*exec|exec.*base64.*(decode|--decode|-d)/i.test(s) },
+  { id: "R010", label: "Dynamic require from URL", severity: "high", test: (s) => /require\s*\(\s*['"]https?:/i.test(s) },
+  { id: "R011", label: "child_process exec in hook", severity: "high", test: (s) => /child_process.*\.(exec|spawn|execSync|spawnSync)/i.test(s) },
+  { id: "R012", label: "Function constructor exec", severity: "high", test: (s) => /new\s+Function\s*\(/.test(s) },
+  { id: "R013", label: "setTimeout with string arg", severity: "high", test: (s) => /setTimeout\s*\(\s*['"`]/.test(s) },
+  { id: "R014", label: "Unauthorized npm publish", severity: "high", test: (s) => /npm\s+(publish|adduser|login)/.test(s) },
+  { id: "R015", label: "HOME/USERPROFILE exfiltration", severity: "medium", test: (s) => /process\.env\.(HOME|USERPROFILE|APPDATA)/i.test(s) },
+  { id: "R016", label: "PATH env manipulation", severity: "medium", test: (s) => /process\.env\.PATH\s*=/.test(s) },
+  { id: "R017", label: "Outbound HTTP in hook", severity: "medium", test: (s) => /https?\.get|axios\.|fetch\s*\(|request\s*\(/i.test(s) },
+  { id: "R018", label: "Filesystem write in hook", severity: "medium", test: (s) => /fs\.(writeFile|writeFileSync|appendFile|unlink|rmdir|rm\b)/i.test(s) },
+  { id: "R019", label: "Registry credential file read", severity: "medium", test: (s) => /\.npmrc|\.yarnrc|\.gradle|\.m2\/settings/i.test(s) },
+  { id: "R020", label: "Hex string obfuscation", severity: "high", test: (s) => /(\\x[0-9a-f]{2}){6,}/i.test(s) },
+  { id: "R021", label: "Unicode escape obfuscation", severity: "high", test: (s) => /(\\u[0-9a-f]{4}){4,}/i.test(s) },
+  { id: "R022", label: "String.fromCharCode array", severity: "high", test: (s) => /String\.fromCharCode\s*\(.{20,}\)/i.test(s) },
+  { id: "R023", label: "Excessive base64 payload", severity: "high", test: (_s, d) => d !== void 0 && d.length > 200 }
+];
+var HOOK_NAMES = ["preinstall", "install", "postinstall", "preuninstall", "postuninstall", "prepare", "prepublish", "prepack", "postpack"];
+function tryDecodeBase64(script) {
+  const match = script.match(/[A-Za-z0-9+/]{60,}={0,2}/);
+  if (!match) return void 0;
+  try {
+    return Buffer.from(match[0], "base64").toString("utf-8");
+  } catch {
+    return void 0;
+  }
+}
+function safeTruncate(script) {
+  return script.length > MAX_SCRIPT_LENGTH ? script.slice(0, MAX_SCRIPT_LENGTH) : script;
+}
+function scanPackage(pkgJsonPath) {
+  if (!fs__namespace.existsSync(pkgJsonPath)) return [];
+  try {
+    const stat = fs__namespace.statSync(pkgJsonPath);
+    if (!stat.isFile()) return [];
+    if (stat.size > MAX_PKG_JSON_SIZE) return [];
+  } catch {
+    return [];
+  }
+  let pkg;
+  try {
+    pkg = JSON.parse(fs__namespace.readFileSync(pkgJsonPath, "utf-8"));
+  } catch {
+    return [];
+  }
+  if (typeof pkg !== "object" || pkg === null) return [];
+  const scripts = pkg.scripts ?? {};
+  if (typeof scripts !== "object" || scripts === null) return [];
+  const findings = [];
+  const pkgName = typeof pkg.name === "string" ? pkg.name : path__namespace.dirname(pkgJsonPath);
+  const version = typeof pkg.version === "string" ? pkg.version : "unknown";
+  for (const hook of HOOK_NAMES) {
+    const script = scripts[hook];
+    if (!script || typeof script !== "string") continue;
+    const truncated = safeTruncate(script);
+    const decoded = tryDecodeBase64(truncated);
+    for (const rule of RULES) {
+      if (rule.test(truncated, decoded) || decoded && rule.test(decoded, void 0)) {
+        findings.push({
+          package: pkgName,
+          version,
+          script: hook,
+          ruleId: rule.id,
+          pattern: rule.label,
+          severity: rule.severity,
+          raw: script.slice(0, 300),
+          deobfuscated: decoded?.slice(0, 300)
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanNodeModules(root = process.cwd()) {
+  const resolvedRoot = path__namespace.resolve(root);
+  const nmPath = path__namespace.join(resolvedRoot, "node_modules");
+  if (!fs__namespace.existsSync(nmPath)) return [];
+  if (!nmPath.startsWith(resolvedRoot + path__namespace.sep) && nmPath !== resolvedRoot) return [];
+  const all = [];
+  function scanDir(dir, depth) {
+    if (depth > MAX_SCAN_DEPTH) return;
+    let entries;
+    try {
+      entries = fs__namespace.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const e of entries) {
+      if (e.isSymbolicLink()) continue;
+      if (!e.isDirectory()) continue;
+      const full = path__namespace.join(dir, e.name);
+      const resolvedFull = path__namespace.resolve(full);
+      if (!resolvedFull.startsWith(nmPath)) continue;
+      if (e.name.startsWith("@")) {
+        scanDir(full, depth + 1);
+        continue;
+      }
+      const pkgJson = path__namespace.join(full, "package.json");
+      if (fs__namespace.existsSync(pkgJson)) all.push(...scanPackage(pkgJson));
+    }
+  }
+  scanDir(nmPath, 0);
+  return all;
+}
+function scanProject(root = process.cwd()) {
+  const resolvedRoot = path__namespace.resolve(root);
+  return [...scanPackage(path__namespace.join(resolvedRoot, "package.json")), ...scanNodeModules(resolvedRoot)];
+}
+var MAX_RESPONSE_SIZE = 1 * 1024 * 1024;
+var ALLOWED_HOSTS = /* @__PURE__ */ new Set(["api.github.com", "registry.npmjs.org"]);
+function validateHost(url) {
+  const parsed = new URL(url);
+  if (parsed.protocol !== "https:") {
+    throw new Error("Only HTTPS URLs are allowed");
+  }
+  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
+    throw new Error(`Host not allowed: ${parsed.hostname}`);
+  }
+  return parsed;
+}
+function httpsGet(url, headers) {
+  return new Promise((resolve4, reject) => {
+    const u = validateHost(url);
+    const req = https__namespace.request({ hostname: u.hostname, path: u.pathname + u.search, headers, method: "GET" }, (res) => {
+      let body = "";
+      let size = 0;
+      res.on("data", (d) => {
+        size += typeof d === "string" ? d.length : d.length;
+        if (size > MAX_RESPONSE_SIZE) {
+          req.destroy();
+          reject(new Error("Response too large"));
+          return;
+        }
+        body += d;
+      });
+      res.on("end", () => resolve4({ status: res.statusCode ?? 0, body }));
+    });
+    req.on("error", (e) => reject(new Error(`Network error: ${e.message}`)));
+    req.setTimeout(8e3, () => {
+      req.destroy();
+      reject(new Error("Request timeout"));
+    });
+    req.end();
+  });
+}
+function httpsPost(url, headers, payload) {
+  return new Promise((resolve4, reject) => {
+    const u = validateHost(url);
+    const body = Buffer.from(payload);
+    if (body.length > MAX_RESPONSE_SIZE) {
+      reject(new Error("Payload too large"));
+      return;
+    }
+    const req = https__namespace.request({
+      hostname: u.hostname,
+      path: u.pathname + u.search,
+      method: "POST",
+      headers: { ...headers, "Content-Length": String(body.length) }
+    }, (res) => {
+      let b = "";
+      let size = 0;
+      res.on("data", (d) => {
+        size += typeof d === "string" ? d.length : d.length;
+        if (size > MAX_RESPONSE_SIZE) {
+          req.destroy();
+          reject(new Error("Response too large"));
+          return;
+        }
+        b += d;
+      });
+      res.on("end", () => resolve4({ status: res.statusCode ?? 0, body: b }));
+    });
+    req.on("error", (e) => reject(new Error(`Network error: ${e.message}`)));
+    req.setTimeout(1e4, () => {
+      req.destroy();
+      reject(new Error("Request timeout"));
+    });
+    req.write(body);
+    req.end();
+  });
+}
+async function inspectGitHubToken(token, name = "GITHUB_TOKEN") {
+  if (!token || typeof token !== "string" || token.length < 4) {
+    return { name, provider: "github", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token is empty or too short" };
+  }
+  try {
+    const res = await httpsGet("https://api.github.com/user", {
+      "Authorization": `Bearer ${token}`,
+      "User-Agent": "devguard/2.0",
+      "Accept": "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    });
+    if (res.status === 401) return { name, provider: "github", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token is invalid or revoked" };
+    if (res.status !== 200) return { name, provider: "github", status: "unknown", ageDays: null, maxAgeDays: 90, message: `API returned ${res.status}` };
+    return { name, provider: "github", status: "ok", ageDays: null, maxAgeDays: 90, message: "Token valid \u2014 use fine-grained PATs with expiry for age tracking" };
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : "Unknown error";
+    return { name, provider: "github", status: "unknown", ageDays: null, maxAgeDays: 90, message: `Check failed: ${msg}` };
+  }
+}
+async function inspectNpmToken(token, name = "NPM_TOKEN") {
+  if (!token || typeof token !== "string" || token.length < 4) {
+    return { name, provider: "npm", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token is empty or too short" };
+  }
+  try {
+    const res = await httpsGet("https://registry.npmjs.org/-/npm/v1/tokens", { "Authorization": `Bearer ${token}`, "Accept": "application/json" });
+    if (res.status === 401) return { name, provider: "npm", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token invalid or revoked" };
+    if (res.status === 200) {
+      let data;
+      try {
+        data = JSON.parse(res.body);
+      } catch {
+        return { name, provider: "npm", status: "unknown", ageDays: null, maxAgeDays: 90, message: "Invalid JSON response from registry" };
+      }
+      const tokens = Array.isArray(data.objects) ? data.objects : [];
+      const prefix = token.slice(0, 6);
+      const found = tokens.find((t) => t.key?.startsWith(prefix) || t.token?.startsWith(prefix));
+      const extra = [found?.readonly ? "read-only" : "", found?.cidr_whitelist?.length ? "CIDR-restricted" : ""].filter(Boolean).join(", ");
+      return { name, provider: "npm", status: "ok", ageDays: null, maxAgeDays: 90, message: `Valid npm token${extra ? " (" + extra + ")" : ""}` };
+    }
+    return { name, provider: "npm", status: "unknown", ageDays: null, maxAgeDays: 90, message: `Registry returned ${res.status}` };
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : "Unknown error";
+    return { name, provider: "npm", status: "unknown", ageDays: null, maxAgeDays: 90, message: `Check failed: ${msg}` };
+  }
+}
+async function createNpmToken(existingToken, opts) {
+  if (!existingToken || typeof existingToken !== "string") {
+    return { success: false, error: "Token is required" };
+  }
+  try {
+    const payload = JSON.stringify({ password: existingToken, readonly: opts?.readonly ?? false, cidr_whitelist: opts?.cidr ?? [] });
+    const res = await httpsPost("https://registry.npmjs.org/-/npm/v1/tokens", { "Authorization": `Bearer ${existingToken}`, "Content-Type": "application/json" }, payload);
+    if (res.status === 200 || res.status === 201) {
+      let parsed;
+      try {
+        parsed = JSON.parse(res.body);
+      } catch {
+        return { success: false, error: "Invalid JSON in npm response" };
+      }
+      if (typeof parsed.token !== "string") return { success: false, error: "No token in response" };
+      return { success: true, newToken: parsed.token };
+    }
+    return { success: false, error: `npm registry returned ${res.status}` };
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : "Unknown error";
+    return { success: false, error: msg };
+  }
+}
+function checkTokenAge(configs) {
+  return configs.map((cfg) => {
+    const maxAgeDays = cfg.maxAgeDays ?? 90;
+    if (!cfg.createdAt) return { name: cfg.name, provider: cfg.provider, status: "unknown", ageDays: null, maxAgeDays, message: "Creation date unknown \u2014 set createdAt to enable age tracking" };
+    if (typeof cfg.createdAt !== "number" || cfg.createdAt < 0) return { name: cfg.name, provider: cfg.provider, status: "unknown", ageDays: null, maxAgeDays, message: "Invalid createdAt timestamp" };
+    const ageDays = Math.floor((Date.now() - cfg.createdAt) / 864e5);
+    if (ageDays < 0) return { name: cfg.name, provider: cfg.provider, status: "unknown", ageDays: null, maxAgeDays, message: "Token creation date is in the future" };
+    const status = ageDays >= maxAgeDays ? "stale" : ageDays >= maxAgeDays * 0.8 ? "expiring_soon" : "ok";
+    return { name: cfg.name, provider: cfg.provider, status, ageDays, maxAgeDays, message: `${ageDays}/${maxAgeDays} days old` };
+  });
+}
+function maskToken(token) {
+  if (!token || typeof token !== "string") return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
+  if (token.length <= 8) return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
+  return token.slice(0, 4) + "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" + token.slice(-4);
+}
+function loadTokensFromEnv(names, maxAgeDays = 90) {
+  if (!Array.isArray(names)) return [];
+  return names.filter((n) => typeof n === "string" && n.length > 0 && process.env[n]).map((n) => {
+    const value = process.env[n];
+    const provider = /github|gh_/i.test(n) ? "github" : /npm/i.test(n) ? "npm" : "generic";
+    return { name: n, value, provider, maxAgeDays };
+  });
+}
+var RANGE_CHARS = /^[\^~*]|^latest$|^next$|^>=|^>/;
+var DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
+var MAX_PKG_JSON_SIZE2 = 5 * 1024 * 1024;
+var MAX_RESPONSE_SIZE2 = 2 * 1024 * 1024;
+var MAX_REDIRECTS = 3;
+function enforceExactPins(pkgJsonPath) {
+  const resolved = path__namespace.resolve(pkgJsonPath);
+  if (!fs__namespace.existsSync(resolved)) return [];
+  try {
+    const stat = fs__namespace.statSync(resolved);
+    if (!stat.isFile() || stat.size > MAX_PKG_JSON_SIZE2) return [];
+  } catch {
+    return [];
+  }
+  let pkg;
+  try {
+    pkg = JSON.parse(fs__namespace.readFileSync(resolved, "utf-8"));
+  } catch {
+    return [];
+  }
+  if (typeof pkg !== "object" || pkg === null) return [];
+  const violations = [];
+  for (const field of DEP_FIELDS) {
+    const deps = pkg[field];
+    if (!deps || typeof deps !== "object") continue;
+    for (const [name, ver] of Object.entries(deps)) {
+      if (typeof ver !== "string") continue;
+      if (RANGE_CHARS.test(ver.trim())) {
+        const suggestion = resolveExactVersion(path__namespace.dirname(resolved), name) ?? ver.replace(/^[\^~]/, "");
+        violations.push({ name, specifier: ver, field, suggestion });
+      }
+    }
+  }
+  return violations;
+}
+function resolveExactVersion(root, pkgName) {
+  const lockPath = path__namespace.join(root, "package-lock.json");
+  if (!fs__namespace.existsSync(lockPath)) return null;
+  try {
+    const stat = fs__namespace.statSync(lockPath);
+    if (stat.size > MAX_PKG_JSON_SIZE2 * 10) return null;
+    const lock = JSON.parse(fs__namespace.readFileSync(lockPath, "utf-8"));
+    const packages = lock.packages;
+    if (typeof packages !== "object" || packages === null) return null;
+    const entry = packages["node_modules/" + pkgName];
+    return typeof entry?.version === "string" ? entry.version : null;
+  } catch {
+    return null;
+  }
+}
+function extractLockfileSRI(root = process.cwd()) {
+  const resolvedRoot = path__namespace.resolve(root);
+  const lockPath = path__namespace.join(resolvedRoot, "package-lock.json");
+  if (!fs__namespace.existsSync(lockPath)) return {};
+  try {
+    const lock = JSON.parse(fs__namespace.readFileSync(lockPath, "utf-8"));
+    const packages = lock.packages;
+    if (typeof packages !== "object" || packages === null) return {};
+    const result = {};
+    for (const [key, val] of Object.entries(packages)) {
+      if (key && typeof val === "object" && val !== null && typeof val.version === "string" && typeof val.integrity === "string") {
+        const name = key.replace(/^node_modules\//, "");
+        if (name === "__proto__" || name === "constructor" || name === "prototype") continue;
+        result[name] = { version: val.version, integrity: val.integrity };
+      }
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+function httpsGet2(url, redirectCount = 0) {
+  return new Promise((resolve4, reject) => {
+    if (redirectCount > MAX_REDIRECTS) {
+      reject(new Error("Too many redirects"));
+      return;
+    }
+    let parsed;
+    try {
+      parsed = new URL(url);
+    } catch {
+      reject(new Error("Invalid URL"));
+      return;
+    }
+    if (parsed.protocol !== "https:") {
+      reject(new Error("Only HTTPS URLs are allowed"));
+      return;
+    }
+    if (parsed.hostname !== "registry.npmjs.org") {
+      reject(new Error(`Host not allowed: ${parsed.hostname}`));
+      return;
+    }
+    const req = https__namespace.get(url, { headers: { "Accept": "application/json", "User-Agent": "devguard/2.0" } }, (res) => {
+      if ((res.statusCode === 301 || res.statusCode === 302) && res.headers.location) {
+        try {
+          const redirectUrl = new URL(res.headers.location);
+          if (redirectUrl.protocol !== "https:" || redirectUrl.hostname !== "registry.npmjs.org") {
+            reject(new Error("Redirect to disallowed host"));
+            return;
+          }
+        } catch {
+          reject(new Error("Invalid redirect URL"));
+          return;
+        }
+        httpsGet2(res.headers.location, redirectCount + 1).then(resolve4).catch(reject);
+        return;
+      }
+      let body = "";
+      let size = 0;
+      res.on("data", (d) => {
+        size += typeof d === "string" ? d.length : d.length;
+        if (size > MAX_RESPONSE_SIZE2) {
+          req.destroy();
+          reject(new Error("Response too large"));
+          return;
+        }
+        body += d;
+      });
+      res.on("end", () => resolve4(body));
+    });
+    req.on("error", (e) => reject(new Error(`Network error: ${e.message}`)));
+    req.setTimeout(8e3, () => {
+      req.destroy();
+      reject(new Error("Request timeout"));
+    });
+  });
+}
+async function fetchRegistrySRI(name, version) {
+  if (!name || !version || typeof name !== "string" || typeof version !== "string") return null;
+  try {
+    const encoded = encodeURIComponent(name).replace(/%40/g, "@").replace(/%2F/gi, "/");
+    const encodedVersion = encodeURIComponent(version);
+    const body = await httpsGet2(`https://registry.npmjs.org/${encoded}/${encodedVersion}`);
+    const parsed = JSON.parse(body);
+    const integrity = parsed?.dist?.integrity;
+    return typeof integrity === "string" ? integrity : null;
+  } catch {
+    return null;
+  }
+}
+async function verifySRI(root = process.cwd(), sampleSize = 20) {
+  const lockEntries = extractLockfileSRI(root);
+  const names = Object.keys(lockEntries).sort();
+  const toCheck = sampleSize < names.length ? names.slice(0, sampleSize) : names;
+  return Promise.all(toCheck.map(async (name) => {
+    const { version, integrity } = lockEntries[name];
+    const registryHash = await fetchRegistrySRI(name, version);
+    return { name, version, lockfileHash: integrity, registryHash, match: registryHash === null ? null : registryHash === integrity };
+  }));
+}
+function autoPin(pkgJsonPath, dryRun = false) {
+  const resolved = path__namespace.resolve(pkgJsonPath);
+  let rawContent;
+  try {
+    rawContent = fs__namespace.readFileSync(resolved, "utf-8");
+  } catch {
+    return { fixed: 0 };
+  }
+  let pkg;
+  try {
+    pkg = JSON.parse(rawContent);
+  } catch {
+    return { fixed: 0 };
+  }
+  if (typeof pkg !== "object" || pkg === null) return { fixed: 0 };
+  const root = path__namespace.dirname(resolved);
+  let fixed = 0;
+  for (const field of DEP_FIELDS) {
+    const deps = pkg[field];
+    if (!deps || typeof deps !== "object") continue;
+    for (const [name, ver] of Object.entries(deps)) {
+      if (typeof ver !== "string") continue;
+      if (RANGE_CHARS.test(ver.trim())) {
+        const exact = resolveExactVersion(root, name);
+        if (exact) {
+          deps[name] = exact;
+          fixed++;
+        }
+      }
+    }
+  }
+  const content = JSON.stringify(pkg, null, 2) + "\n";
+  if (!dryRun && fixed > 0) {
+    const tmpPath = resolved + ".tmp." + crypto__namespace.randomBytes(4).toString("hex");
+    try {
+      fs__namespace.writeFileSync(tmpPath, content);
+      fs__namespace.renameSync(tmpPath, resolved);
+    } catch (e) {
+      try {
+        fs__namespace.unlinkSync(tmpPath);
+      } catch {
+      }
+      throw e;
+    }
+  }
+  return { fixed, content };
+}
+
+exports.autoPin = autoPin;
+exports.checkTokenAge = checkTokenAge;
+exports.createNpmToken = createNpmToken;
+exports.createSnapshot = createSnapshot;
+exports.enforceExactPins = enforceExactPins;
+exports.extractLockfileSRI = extractLockfileSRI;
+exports.extractTransitiveDeps = extractTransitiveDeps;
+exports.fetchRegistrySRI = fetchRegistrySRI;
+exports.hashFile = hashFile;
+exports.inspectGitHubToken = inspectGitHubToken;
+exports.inspectNpmToken = inspectNpmToken;
+exports.loadTokensFromEnv = loadTokensFromEnv;
+exports.maskToken = maskToken;
+exports.scanNodeModules = scanNodeModules;
+exports.scanPackage = scanPackage;
+exports.scanProject = scanProject;
+exports.verifyLockfile = verifyLockfile;
+exports.verifySRI = verifySRI;