@dotsetlabs/tollgate 0.1.0

package/dist/analyzers/filesystem.d.ts

@@ -0,0 +1,26 @@
+import type { AnalysisResult, ContentAnalyzer, AnalyzerContext } from './types.js';
+/**
+ * Filesystem Path Analyzer
+ *
+ * Classifies filesystem operations by risk level based on:
+ * - Path location (system dirs, home dir, project dirs)
+ * - File type (sensitive files like .env, .ssh)
+ * - Operation type (read vs write vs delete)
+ */
+export declare class FilesystemAnalyzer implements ContentAnalyzer {
+    readonly name = "filesystem";
+    private readonly FORBIDDEN_PATHS;
+    private readonly DANGEROUS_PATHS;
+    private readonly SENSITIVE_PATTERNS;
+    private readonly IMPORTANT_PATTERNS;
+    analyze(path: string, context?: AnalyzerContext): AnalysisResult;
+    private inferOperation;
+    private normalizePath;
+    private hasPathTraversal;
+    private hasDangerousGlob;
+    private matchesForbiddenPath;
+    private matchesDangerousPath;
+    private matchesSensitivePattern;
+    private matchesImportantPattern;
+}
+//# sourceMappingURL=filesystem.d.ts.map

package/dist/analyzers/filesystem.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"filesystem.d.ts","sourceRoot":"","sources":["../../src/analyzers/filesystem.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAEnF;;;;;;;GAOG;AACH,qBAAa,kBAAmB,YAAW,eAAe;IACxD,QAAQ,CAAC,IAAI,gBAAgB;IAG7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAgB9B;IAGF,OAAO,CAAC,QAAQ,CAAC,eAAe,CAS9B;IAGF,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAgBjC;IAGF,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAajC;IAEF,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,cAAc;IA6GhE,OAAO,CAAC,cAAc;IAgBtB,OAAO,CAAC,aAAa;IAsBrB,OAAO,CAAC,gBAAgB;IAkBxB,OAAO,CAAC,gBAAgB;IAmBxB,OAAO,CAAC,oBAAoB;IAc5B,OAAO,CAAC,oBAAoB;IAkB5B,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,uBAAuB;CAQhC"}

package/dist/analyzers/filesystem.js

@@ -0,0 +1,284 @@
+import { homedir } from 'node:os';
+import { normalize, isAbsolute } from 'node:path';
+/**
+ * Filesystem Path Analyzer
+ *
+ * Classifies filesystem operations by risk level based on:
+ * - Path location (system dirs, home dir, project dirs)
+ * - File type (sensitive files like .env, .ssh)
+ * - Operation type (read vs write vs delete)
+ */
+export class FilesystemAnalyzer {
+    name = 'filesystem';
+    // Paths that should NEVER be modified
+    FORBIDDEN_PATHS = [
+        '/',
+        '/etc',
+        '/usr',
+        '/bin',
+        '/sbin',
+        '/var',
+        '/boot',
+        '/lib',
+        '/lib64',
+        '/System', // macOS
+        '/Applications', // macOS (system apps)
+        '/Windows', // Windows
+        '/Program Files', // Windows
+        'C:\\Windows', // Windows
+        'C:\\Program Files', // Windows
+    ];
+    // Paths that are dangerous to modify
+    DANGEROUS_PATHS = [
+        homedir(), // Home directory root
+        `${homedir()}/.ssh`,
+        `${homedir()}/.gnupg`,
+        `${homedir()}/.aws`,
+        `${homedir()}/.kube`,
+        `${homedir()}/.config`,
+        '/tmp',
+        '/var/tmp',
+    ];
+    // Sensitive file patterns
+    SENSITIVE_PATTERNS = [
+        /\.env($|\.)/, // .env, .env.local, .env.production
+        /\.pem$/, // SSL certificates
+        /\.key$/, // Private keys
+        /\.crt$/, // Certificates
+        /id_rsa/, // SSH keys
+        /id_ed25519/, // SSH keys
+        /\.gitconfig$/,
+        /\.npmrc$/,
+        /\.pypirc$/,
+        /credentials/i,
+        /secrets?\.ya?ml$/i,
+        /password/i,
+        /\.htpasswd$/,
+        /shadow$/, // Unix password file
+        /authorized_keys$/,
+    ];
+    // Files that are important but less sensitive
+    IMPORTANT_PATTERNS = [
+        /\.git\//, // Git directory
+        /\.gitignore$/,
+        /package\.json$/,
+        /package-lock\.json$/,
+        /yarn\.lock$/,
+        /Cargo\.toml$/,
+        /go\.mod$/,
+        /requirements\.txt$/,
+        /Dockerfile$/,
+        /docker-compose\.ya?ml$/,
+        /\.github\//,
+        /\.gitlab-ci\.yml$/,
+    ];
+    analyze(path, context) {
+        const operation = this.inferOperation(context?.tool);
+        const normalizedPath = this.normalizePath(path);
+        // Check for path traversal attempts
+        if (this.hasPathTraversal(path)) {
+            return {
+                risk: 'dangerous',
+                reason: 'Path traversal detected (..) - potential escape attempt',
+                triggers: ['path traversal'],
+            };
+        }
+        // Check for glob patterns that could match too much
+        if (this.hasDangerousGlob(path)) {
+            return {
+                risk: operation === 'read' ? 'write' : 'dangerous',
+                reason: 'Glob pattern could match many files',
+                triggers: ['dangerous glob'],
+            };
+        }
+        // Check forbidden paths
+        const forbiddenMatch = this.matchesForbiddenPath(normalizedPath);
+        if (forbiddenMatch) {
+            return {
+                risk: 'dangerous',
+                reason: `Path is in forbidden system directory: ${forbiddenMatch}`,
+                triggers: [forbiddenMatch],
+            };
+        }
+        // Check dangerous paths (stricter for write/delete)
+        const dangerousMatch = this.matchesDangerousPath(normalizedPath);
+        if (dangerousMatch) {
+            if (operation === 'delete') {
+                return {
+                    risk: 'dangerous',
+                    reason: `Cannot delete from protected directory: ${dangerousMatch}`,
+                    triggers: [dangerousMatch],
+                };
+            }
+            if (operation === 'write') {
+                return {
+                    risk: 'destructive',
+                    reason: `Writing to protected directory: ${dangerousMatch}`,
+                    triggers: [dangerousMatch],
+                };
+            }
+            // Read is allowed but noted
+            return {
+                risk: 'read',
+                reason: `Reading from protected directory: ${dangerousMatch}`,
+                triggers: [dangerousMatch],
+            };
+        }
+        // Check sensitive file patterns
+        const sensitiveMatch = this.matchesSensitivePattern(normalizedPath);
+        if (sensitiveMatch) {
+            if (operation === 'delete') {
+                return {
+                    risk: 'dangerous',
+                    reason: `Cannot delete sensitive file matching: ${sensitiveMatch}`,
+                    triggers: [sensitiveMatch],
+                };
+            }
+            return {
+                risk: operation === 'read' ? 'write' : 'destructive',
+                reason: `${operation === 'read' ? 'Reading' : 'Modifying'} sensitive file: ${sensitiveMatch}`,
+                triggers: [sensitiveMatch],
+            };
+        }
+        // Check important file patterns
+        const importantMatch = this.matchesImportantPattern(normalizedPath);
+        if (importantMatch && operation !== 'read') {
+            return {
+                risk: 'write',
+                reason: `Modifying important project file: ${importantMatch}`,
+                triggers: [importantMatch],
+            };
+        }
+        // Default based on operation
+        switch (operation) {
+            case 'read':
+                return {
+                    risk: 'safe',
+                    reason: 'Reading from unrestricted path',
+                };
+            case 'write':
+                return {
+                    risk: 'write',
+                    reason: 'Writing to unrestricted path',
+                };
+            case 'delete':
+                return {
+                    risk: 'destructive',
+                    reason: 'Deleting from unrestricted path',
+                };
+            default:
+                return {
+                    risk: 'write',
+                    reason: 'Unknown filesystem operation',
+                };
+        }
+    }
+    inferOperation(tool) {
+        if (!tool)
+            return 'write'; // Conservative default
+        const lowerTool = tool.toLowerCase();
+        if (lowerTool.includes('delete') || lowerTool.includes('remove') || lowerTool.includes('rm')) {
+            return 'delete';
+        }
+        if (lowerTool.includes('read') || lowerTool.includes('get') || lowerTool.includes('list') ||
+            lowerTool.includes('search') || lowerTool.includes('find')) {
+            return 'read';
+        }
+        return 'write';
+    }
+    normalizePath(path) {
+        // Expand home directory
+        let expanded = path;
+        if (path.startsWith('~/')) {
+            expanded = path.replace(/^~/, homedir());
+        }
+        else if (path === '~') {
+            expanded = homedir();
+        }
+        // Handle $HOME and other env vars
+        expanded = expanded.replace(/\$HOME/g, homedir());
+        expanded = expanded.replace(/\$\{HOME\}/g, homedir());
+        // Normalize the path
+        if (isAbsolute(expanded)) {
+            return normalize(expanded);
+        }
+        // For relative paths, just normalize
+        return normalize(expanded);
+    }
+    hasPathTraversal(path) {
+        // Check for .. that escapes current directory
+        const normalized = normalize(path);
+        // If normalization changes the path significantly and contains .., be suspicious
+        if (path.includes('..') && !normalized.includes('..')) {
+            // The .. was resolved - check if it escaped
+            return true;
+        }
+        // Direct check for suspicious patterns
+        if (/\.\.\/.*\.\./.test(path)) {
+            return true; // Multiple traversals
+        }
+        return false;
+    }
+    hasDangerousGlob(path) {
+        // Single * at root or home
+        if (path === '*' || path === '/*' || path === '~/*') {
+            return true;
+        }
+        // ** without restriction
+        if (path === '**' || path === '/**' || path === '~/**') {
+            return true;
+        }
+        // * in sensitive locations
+        if (/^(\/etc|\/var|~\/\.)\/*\*/.test(path)) {
+            return true;
+        }
+        return false;
+    }
+    matchesForbiddenPath(path) {
+        for (const forbidden of this.FORBIDDEN_PATHS) {
+            const normalizedForbidden = normalize(forbidden);
+            if (path === normalizedForbidden || path.startsWith(normalizedForbidden + '/')) {
+                // Exception: allow if it's deeper in a user project
+                if (path.includes('/node_modules/') || path.includes('/vendor/')) {
+                    continue;
+                }
+                return forbidden;
+            }
+        }
+        return null;
+    }
+    matchesDangerousPath(path) {
+        for (const dangerous of this.DANGEROUS_PATHS) {
+            const normalizedDangerous = normalize(dangerous);
+            if (path === normalizedDangerous) {
+                return dangerous;
+            }
+            // Only flag if directly in the dangerous path (not a subdirectory of a project)
+            if (path.startsWith(normalizedDangerous + '/')) {
+                // Allow if it looks like a project path
+                const remainder = path.slice(normalizedDangerous.length + 1);
+                if (!remainder.includes('/') || remainder.split('/')[0]?.startsWith('.')) {
+                    return dangerous;
+                }
+            }
+        }
+        return null;
+    }
+    matchesSensitivePattern(path) {
+        for (const pattern of this.SENSITIVE_PATTERNS) {
+            if (pattern.test(path)) {
+                return pattern.source;
+            }
+        }
+        return null;
+    }
+    matchesImportantPattern(path) {
+        for (const pattern of this.IMPORTANT_PATTERNS) {
+            if (pattern.test(path)) {
+                return pattern.source;
+            }
+        }
+        return null;
+    }
+}
+//# sourceMappingURL=filesystem.js.map

package/dist/analyzers/filesystem.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"filesystem.js","sourceRoot":"","sources":["../../src/analyzers/filesystem.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAGlD;;;;;;;GAOG;AACH,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,YAAY,CAAC;IAE7B,sCAAsC;IACrB,eAAe,GAAG;QACjC,GAAG;QACH,MAAM;QACN,MAAM;QACN,MAAM;QACN,OAAO;QACP,MAAM;QACN,OAAO;QACP,MAAM;QACN,QAAQ;QACR,SAAS,EAAY,QAAQ;QAC7B,eAAe,EAAM,sBAAsB;QAC3C,UAAU,EAAW,UAAU;QAC/B,gBAAgB,EAAK,UAAU;QAC/B,aAAa,EAAQ,UAAU;QAC/B,mBAAmB,EAAE,UAAU;KAChC,CAAC;IAEF,qCAAqC;IACpB,eAAe,GAAG;QACjC,OAAO,EAAE,EAAY,sBAAsB;QAC3C,GAAG,OAAO,EAAE,OAAO;QACnB,GAAG,OAAO,EAAE,SAAS;QACrB,GAAG,OAAO,EAAE,OAAO;QACnB,GAAG,OAAO,EAAE,QAAQ;QACpB,GAAG,OAAO,EAAE,UAAU;QACtB,MAAM;QACN,UAAU;KACX,CAAC;IAEF,0BAA0B;IACT,kBAAkB,GAAG;QACpC,aAAa,EAAe,oCAAoC;QAChE,QAAQ,EAAoB,mBAAmB;QAC/C,QAAQ,EAAoB,eAAe;QAC3C,QAAQ,EAAoB,eAAe;QAC3C,QAAQ,EAAoB,WAAW;QACvC,YAAY,EAAgB,WAAW;QACvC,cAAc;QACd,UAAU;QACV,WAAW;QACX,cAAc;QACd,mBAAmB;QACnB,WAAW;QACX,aAAa;QACb,SAAS,EAAmB,qBAAqB;QACjD,kBAAkB;KACnB,CAAC;IAEF,8CAA8C;IAC7B,kBAAkB,GAAG;QACpC,SAAS,EAAmB,gBAAgB;QAC5C,cAAc;QACd,gBAAgB;QAChB,qBAAqB;QACrB,aAAa;QACb,cAAc;QACd,UAAU;QACV,oBAAoB;QACpB,aAAa;QACb,wBAAwB;QACxB,YAAY;QACZ,mBAAmB;KACpB,CAAC;IAEF,OAAO,CAAC,IAAY,EAAE,OAAyB;QAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACrD,MAAM,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QAEhD,oCAAoC;QACpC,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,yDAAyD;gBACjE,QAAQ,EAAE,CAAC,gBAAgB,CAAC;aAC7B,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,OAAO;gBACL,IAAI,EAAE,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW;gBAClD,MAAM,EAAE,qCAAqC;gBAC7C,QAAQ,EAAE,CAAC,gBAAgB,CAAC;aAC7B,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,cAAc,GAAG,IAAI,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACjE,IAAI,cAAc,EAAE,CAAC;YACnB,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,0CAA0C,cAAc,EAAE;gBAClE,QAAQ,EAAE,CAAC,cAAc,CAAC;aAC3B,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,cAAc,GAAG,IAAI,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACjE,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAC3B,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,2CAA2C,cAAc,EAAE;oBACnE,QAAQ,EAAE,CAAC,cAAc,CAAC;iBAC3B,CAAC;YACJ,CAAC;YACD,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;gBAC1B,OAAO;oBACL,IAAI,EAAE,aAAa;oBACnB,MAAM,EAAE,mCAAmC,cAAc,EAAE;oBAC3D,QAAQ,EAAE,CAAC,cAAc,CAAC;iBAC3B,CAAC;YACJ,CAAC;YACD,4BAA4B;YAC5B,OAAO;gBACL,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,qCAAqC,cAAc,EAAE;gBAC7D,QAAQ,EAAE,CAAC,cAAc,CAAC;aAC3B,CAAC;QACJ,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,cAAc,CAAC,CAAC;QACpE,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAC3B,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,0CAA0C,cAAc,EAAE;oBAClE,QAAQ,EAAE,CAAC,cAAc,CAAC;iBAC3B,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,IAAI,EAAE,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa;gBACpD,MAAM,EAAE,GAAG,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,oBAAoB,cAAc,EAAE;gBAC7F,QAAQ,EAAE,CAAC,cAAc,CAAC;aAC3B,CAAC;QACJ,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,cAAc,CAAC,CAAC;QACpE,IAAI,cAAc,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YAC3C,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,qCAAqC,cAAc,EAAE;gBAC7D,QAAQ,EAAE,CAAC,cAAc,CAAC;aAC3B,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,MAAM;gBACT,OAAO;oBACL,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,gCAAgC;iBACzC,CAAC;YACJ,KAAK,OAAO;gBACV,OAAO;oBACL,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,8BAA8B;iBACvC,CAAC;YACJ,KAAK,QAAQ;gBACX,OAAO;oBACL,IAAI,EAAE,aAAa;oBACnB,MAAM,EAAE,iCAAiC;iBAC1C,CAAC;YACJ;gBACE,OAAO;oBACL,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,8BAA8B;iBACvC,CAAC;QACN,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,IAAa;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO,OAAO,CAAC,CAAC,uBAAuB;QAElD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAErC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7F,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YACrF,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/D,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,aAAa,CAAC,IAAY;QAChC,wBAAwB;QACxB,IAAI,QAAQ,GAAG,IAAI,CAAC;QACpB,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAC3C,CAAC;aAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACxB,QAAQ,GAAG,OAAO,EAAE,CAAC;QACvB,CAAC;QAED,kCAAkC;QAClC,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;QAClD,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;QAEtD,qBAAqB;QACrB,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;QAED,qCAAqC;QACrC,OAAO,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC7B,CAAC;IAEO,gBAAgB,CAAC,IAAY;QACnC,8CAA8C;QAC9C,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAEnC,iFAAiF;QACjF,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACtD,4CAA4C;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uCAAuC;QACvC,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,CAAC,sBAAsB;QACrC,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,gBAAgB,CAAC,IAAY;QACnC,2BAA2B;QAC3B,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,yBAAyB;QACzB,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACvD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,2BAA2B;QAC3B,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,oBAAoB,CAAC,IAAY;QACvC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YAC7C,MAAM,mBAAmB,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;YACjD,IAAI,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,UAAU,CAAC,mBAAmB,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC/E,oDAAoD;gBACpD,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBACjE,SAAS;gBACX,CAAC;gBACD,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,oBAAoB,CAAC,IAAY;QACvC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YAC7C,MAAM,mBAAmB,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;YACjD,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACjC,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,gFAAgF;YAChF,IAAI,IAAI,CAAC,UAAU,CAAC,mBAAmB,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC/C,wCAAwC;gBACxC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBAC7D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzE,OAAO,SAAS,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,uBAAuB,CAAC,IAAY;QAC1C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC9C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,OAAO,OAAO,CAAC,MAAM,CAAC;YACxB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,uBAAuB,CAAC,IAAY;QAC1C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC9C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,OAAO,OAAO,CAAC,MAAM,CAAC;YACxB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/analyzers/http.d.ts

@@ -0,0 +1,90 @@
+/**
+ * HTTP/API Request Analyzer
+ *
+ * Classifies HTTP requests by risk level based on:
+ * - HTTP method (GET = read, POST/PUT = write, DELETE = destructive)
+ * - Target host (internal IPs, localhost, cloud metadata = dangerous)
+ * - Sensitive headers (Authorization, Cookie, API keys)
+ * - Dangerous protocols (file://, ftp://)
+ *
+ * This analyzer is designed to prevent:
+ * - Server-Side Request Forgery (SSRF) attacks
+ * - Unauthorized access to internal services
+ * - Credential leakage
+ *
+ * @example
+ * ```typescript
+ * const analyzer = new HttpAnalyzer();
+ *
+ * // Analyze a URL string
+ * analyzer.analyze('https://api.example.com/users');
+ * // → { risk: 'read', reason: 'GET request to external host' }
+ *
+ * // Analyze a JSON-encoded request
+ * analyzer.analyze(JSON.stringify({
+ *   url: 'https://api.example.com/users',
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/json' }
+ * }));
+ * // → { risk: 'write', reason: 'POST request to external host' }
+ *
+ * // Dangerous request detection
+ * analyzer.analyze('http://169.254.169.254/latest/meta-data/');
+ * // → { risk: 'dangerous', reason: 'SSRF: AWS metadata endpoint' }
+ * ```
+ */
+import type { AnalysisResult, ContentAnalyzer, AnalyzerContext } from './types.js';
+/**
+ * HTTP/API Request Analyzer
+ *
+ * Analyzes HTTP requests and URLs to determine risk levels.
+ * Prevents SSRF attacks, credential leakage, and unauthorized access.
+ */
+export declare class HttpAnalyzer implements ContentAnalyzer {
+    readonly name = "http";
+    /**
+     * Cloud metadata endpoints - critical SSRF targets
+     */
+    private readonly METADATA_ENDPOINTS;
+    /**
+     * Internal/private IP ranges - SSRF and network access control
+     */
+    private readonly INTERNAL_IP_PATTERNS;
+    private readonly DANGEROUS_PROTOCOLS;
+    /**
+     * Headers that indicate sensitive operations.
+     * These don't block the request but elevate risk level.
+     */
+    private readonly SENSITIVE_HEADERS;
+    /**
+     * Maps HTTP methods to their base risk level.
+     */
+    private readonly METHOD_RISK;
+    analyze(input: string, context?: AnalyzerContext): AnalysisResult;
+    /**
+     * Parses input into a structured request object.
+     * Accepts either a URL string or a JSON-encoded request object.
+     */
+    private parseInput;
+    /**
+     * Normalizes headers object to lowercase keys.
+     */
+    private normalizeHeaders;
+    /**
+     * Infers HTTP method from tool name.
+     */
+    private inferMethod;
+    /**
+     * Detects sensitive headers in the request.
+     */
+    private detectSensitiveHeaders;
+    /**
+     * Extracts host from URL for display.
+     */
+    private extractHost;
+    /**
+     * Sanitizes URL for safe logging (removes credentials).
+     */
+    private sanitizeUrl;
+}
+//# sourceMappingURL=http.d.ts.map

package/dist/analyzers/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/analyzers/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AA8BnF;;;;;GAKG;AACH,qBAAa,YAAa,YAAW,eAAe;IAChD,QAAQ,CAAC,IAAI,UAAU;IAMvB;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAyBjC;IAEF;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAuFnC;IAMF,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CA+BlC;IAMF;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAQhC;IAMF;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,WAAW,CAgB1B;IAMF,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,cAAc;IA0FjE;;;OAGG;IACH,OAAO,CAAC,UAAU;IA6BlB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAYxB;;OAEG;IACH,OAAO,CAAC,WAAW;IAqBnB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAa9B;;OAEG;IACH,OAAO,CAAC,WAAW;IAWnB;;OAEG;IACH,OAAO,CAAC,WAAW;CAYtB"}