@elliotllliu/agent-shield 0.3.1

package/dist/rules/typosquatting.js

@@ -0,0 +1,56 @@
+/**
+ * Rule: typosquatting
+ * Detects potentially typosquatted npm package names.
+ */
+// Known popular packages and their common typos
+const TYPOSQUAT_MAP = {
+    lodash: ["1odash", "lodsh", "lodashs", "lodahs"],
+    express: ["expresss", "expres", "exress", "exppress"],
+    axios: ["axois", "axio", "axioss", "axiso"],
+    react: ["raect", "reacct", "reactt"],
+    chalk: ["chalks", "chalkk", "chak"],
+    commander: ["comander", "commanderr", "commmander"],
+    "node-fetch": ["node-ftch", "nodefetch", "node-fetchh"],
+    request: ["reqeust", "requets", "reuqest"],
+    mongoose: ["mongose", "mongosse", "mongooose"],
+    webpack: ["webpck", "webpackk", "weback"],
+    eslint: ["eslintt", "eslnt", "elint"],
+    typescript: ["typscript", "typescipt", "typesript"],
+};
+export const typosquattingRule = {
+    id: "typosquatting",
+    name: "Dependency Typosquatting",
+    description: "Detects potentially typosquatted package names in dependencies",
+    run(files) {
+        const findings = [];
+        const pkgJson = files.find((f) => f.relativePath === "package.json" || f.relativePath.endsWith("/package.json"));
+        if (!pkgJson)
+            return findings;
+        try {
+            const pkg = JSON.parse(pkgJson.content);
+            const allDeps = {
+                ...pkg.dependencies,
+                ...pkg.devDependencies,
+                ...pkg.peerDependencies,
+                ...pkg.optionalDependencies,
+            };
+            for (const depName of Object.keys(allDeps)) {
+                for (const [legitimate, typos] of Object.entries(TYPOSQUAT_MAP)) {
+                    if (typos.includes(depName.toLowerCase())) {
+                        findings.push({
+                            rule: "typosquatting",
+                            severity: "critical",
+                            file: pkgJson.relativePath,
+                            message: `Suspicious package "${depName}" — possible typosquat of "${legitimate}"`,
+                        });
+                    }
+                }
+            }
+        }
+        catch {
+            // ignore parse errors
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=typosquatting.js.map

package/dist/rules/typosquatting.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"typosquatting.js","sourceRoot":"","sources":["../../src/rules/typosquatting.ts"],"names":[],"mappings":"AAEA;;;GAGG;AAEH,gDAAgD;AAChD,MAAM,aAAa,GAA6B;IAC9C,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChD,OAAO,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,CAAC;IACrD,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC;IAC3C,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC;IACpC,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC;IACnC,SAAS,EAAE,CAAC,UAAU,EAAE,YAAY,EAAE,YAAY,CAAC;IACnD,YAAY,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,aAAa,CAAC;IACvD,OAAO,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;IAC1C,QAAQ,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC;IAC9C,OAAO,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC;IACzC,MAAM,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC;IACrC,UAAU,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,WAAW,CAAC;CACpD,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAS;IACrC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,0BAA0B;IAChC,WAAW,EAAE,gEAAgE;IAE7E,GAAG,CAAC,KAAoB;QACtB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CACxB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,cAAc,IAAI,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,CACrF,CAAC;QACF,IAAI,CAAC,OAAO;YAAE,OAAO,QAAQ,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG;gBACd,GAAG,GAAG,CAAC,YAAY;gBACnB,GAAG,GAAG,CAAC,eAAe;gBACtB,GAAG,GAAG,CAAC,gBAAgB;gBACvB,GAAG,GAAG,CAAC,oBAAoB;aAC5B,CAAC;YAEF,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;oBAChE,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;wBAC1C,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,eAAe;4BACrB,QAAQ,EAAE,UAAU;4BACpB,IAAI,EAAE,OAAO,CAAC,YAAY;4BAC1B,OAAO,EAAE,uBAAuB,OAAO,8BAA8B,UAAU,GAAG;yBACnF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/scanner/files.d.ts

@@ -0,0 +1,5 @@
+import type { ScannedFile } from "../types.js";
+/** Recursively collect scannable files from a directory */
+export declare function collectFiles(dir: string, base?: string): ScannedFile[];
+/** Count total lines across files */
+export declare function totalLines(files: ScannedFile[]): number;

package/dist/scanner/files.js

@@ -0,0 +1,105 @@
+import { readFileSync, statSync, readdirSync } from "fs";
+import { join, relative, extname, dirname } from "path";
+const SKIP_DIRS = new Set([
+    "node_modules", ".git", "dist", "build", "__pycache__", ".venv", "venv",
+]);
+const CODE_EXTS = new Set([
+    ".ts", ".js", ".mjs", ".cjs", ".tsx", ".jsx",
+    ".py", ".sh", ".bash", ".zsh",
+    ".json", ".yaml", ".yml", ".toml",
+    ".md",
+]);
+const MAX_FILE_SIZE = 512 * 1024; // 512 KB
+/** Recursively collect scannable files from a directory */
+export function collectFiles(dir, base) {
+    const root = base ?? dir;
+    const files = [];
+    let entries;
+    try {
+        entries = readdirSync(dir);
+    }
+    catch {
+        return files;
+    }
+    for (const name of entries) {
+        if (name.startsWith(".") && name !== ".env")
+            continue;
+        if (SKIP_DIRS.has(name))
+            continue;
+        const fullPath = join(dir, name);
+        let stat;
+        try {
+            stat = statSync(fullPath);
+        }
+        catch {
+            continue;
+        }
+        if (stat.isDirectory()) {
+            files.push(...collectFiles(fullPath, root));
+        }
+        else if (stat.isFile()) {
+            const ext = extname(name).toLowerCase();
+            if (!CODE_EXTS.has(ext) && name !== "SKILL.md")
+                continue;
+            if (stat.size > MAX_FILE_SIZE)
+                continue;
+            try {
+                const content = readFileSync(fullPath, "utf-8");
+                const relPath = relative(root, fullPath);
+                files.push({
+                    path: fullPath,
+                    relativePath: relPath,
+                    content,
+                    lines: content.split("\n"),
+                    ext,
+                    context: detectFileContext(relPath, name),
+                });
+            }
+            catch {
+                // skip unreadable files
+            }
+        }
+    }
+    return files;
+}
+/** Count total lines across files */
+export function totalLines(files) {
+    return files.reduce((sum, f) => sum + f.lines.length, 0);
+}
+/** Detect file context for false positive reduction */
+function detectFileContext(relativePath, fileName) {
+    const lowerPath = relativePath.toLowerCase();
+    const lowerName = fileName.toLowerCase();
+    const dirName = dirname(lowerPath).toLowerCase();
+    // Test files
+    if (lowerName.includes(".test.") || lowerName.includes(".spec.") ||
+        lowerName.includes("_test.") || lowerName.includes("_spec.") ||
+        lowerPath.includes("__tests__") || lowerPath.includes("/tests/") ||
+        lowerPath.startsWith("tests/") || lowerPath.startsWith("test/") ||
+        lowerName === "jest.config.js" || lowerName === "vitest.config.ts") {
+        return "test";
+    }
+    // Deploy / CI scripts
+    if (lowerPath.includes("deploy") || lowerPath.includes("ci/") ||
+        lowerPath.includes(".github/") || lowerPath.includes("scripts/") ||
+        lowerPath.includes("infra/") || lowerPath.includes("ops/") ||
+        lowerName.includes("deploy") || lowerName.includes("release") ||
+        lowerName === "dockerfile" || lowerName === "makefile") {
+        return "deploy";
+    }
+    // Config files
+    if ([".json", ".yaml", ".yml", ".toml"].includes(extname(lowerName)) &&
+        !lowerName.includes("skill")) {
+        return "config";
+    }
+    // Documentation
+    if (extname(lowerName) === ".md") {
+        return "docs";
+    }
+    // Shell scripts (standalone)
+    if ([".sh", ".bash", ".zsh"].includes(extname(lowerName))) {
+        return "script";
+    }
+    return "source";
+}
+//# sourceMappingURL=files.js.map

package/dist/scanner/files.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"files.js","sourceRoot":"","sources":["../../src/scanner/files.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAY,OAAO,EAAE,MAAM,MAAM,CAAC;AAGlE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;CACxE,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC5C,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM;IAC7B,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO;IACjC,KAAK;CACN,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,SAAS;AAE3C,2DAA2D;AAC3D,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,IAAa;IACrD,MAAM,IAAI,GAAG,IAAI,IAAI,GAAG,CAAC;IACzB,MAAM,KAAK,GAAkB,EAAE,CAAC;IAEhC,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,KAAK,MAAM;YAAE,SAAS;QACtD,IAAI,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAElC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACjC,IAAI,IAAI,CAAC;QACT,IAAI,CAAC;YACH,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YACxC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,KAAK,UAAU;gBAAE,SAAS;YACzD,IAAI,IAAI,CAAC,IAAI,GAAG,aAAa;gBAAE,SAAS;YAExC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAChD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;gBACzC,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,QAAQ;oBACd,YAAY,EAAE,OAAO;oBACrB,OAAO;oBACP,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC;oBAC1B,GAAG;oBACH,OAAO,EAAE,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC;iBAC1C,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,qCAAqC;AACrC,MAAM,UAAU,UAAU,CAAC,KAAoB;IAC7C,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,uDAAuD;AACvD,SAAS,iBAAiB,CAAC,YAAoB,EAAE,QAAgB;IAC/D,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;IAC7C,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;IAEjD,aAAa;IACb,IACE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5D,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5D,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAChE,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC;QAC/D,SAAS,KAAK,gBAAgB,IAAI,SAAS,KAAK,kBAAkB,EAClE,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sBAAsB;IACtB,IACE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QACzD,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QAChE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC1D,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7D,SAAS,KAAK,YAAY,IAAI,SAAS,KAAK,UAAU,EACtD,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,eAAe;IACf,IACE,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAC5B,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,gBAAgB;IAChB,IAAI,OAAO,CAAC,SAAS,CAAC,KAAK,KAAK,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC1D,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/index.d.ts

@@ -0,0 +1,6 @@
+import type { ScanResult, ScanConfig } from "../types.js";
+import type { LlmProvider } from "../llm/types.js";
+/** Run all rules against a target directory */
+export declare function scan(targetDir: string, configOverride?: Partial<ScanConfig>): ScanResult;
+/** Run all rules + optional LLM deep analysis */
+export declare function scanWithLlm(targetDir: string, llmProvider: LlmProvider, configOverride?: Partial<ScanConfig>): Promise<ScanResult>;

package/dist/scanner/index.js

@@ -0,0 +1,198 @@
+import { collectFiles, totalLines } from "./files.js";
+import { rules } from "../rules/index.js";
+import { computeScore } from "../score.js";
+import { loadConfig, loadIgnorePatterns, isIgnored } from "../config.js";
+/** Context types where findings are likely false positives */
+const FP_CONTEXTS = {
+    test: "Test file — assertions and mocks commonly trigger security patterns",
+    deploy: "Deploy/CI script — HTTP requests and credential access are expected",
+    docs: "Documentation file — code examples and descriptions commonly trigger patterns",
+    config: "Config file — expected to contain URLs, paths, and credential references",
+};
+/** Rules most likely to false-positive in specific contexts */
+const CONTEXT_FP_RULES = {
+    test: new Set(["data-exfil", "env-leak", "backdoor", "network-ssrf", "sensitive-read", "phone-home", "obfuscation", "crypto-mining", "reverse-shell", "credential-hardcode", "skill-risks"]),
+    deploy: new Set(["data-exfil", "env-leak", "backdoor", "network-ssrf", "credential-hardcode", "sensitive-read", "skill-risks"]),
+    docs: new Set(["data-exfil", "env-leak", "backdoor", "network-ssrf", "sensitive-read", "obfuscation", "crypto-mining", "reverse-shell", "credential-hardcode", "skill-risks"]),
+    config: new Set(["data-exfil", "env-leak", "credential-hardcode", "network-ssrf"]),
+};
+/** Run all rules against a target directory */
+export function scan(targetDir, configOverride) {
+    const start = Date.now();
+    // Load config
+    const fileConfig = loadConfig(targetDir);
+    const config = { ...fileConfig, ...configOverride };
+    // Load ignore patterns
+    const ignorePatterns = loadIgnorePatterns(targetDir);
+    if (config.ignore) {
+        ignorePatterns.push(...config.ignore);
+    }
+    // Collect and filter files
+    let files = collectFiles(targetDir);
+    if (ignorePatterns.length > 0) {
+        files = files.filter((f) => !isIgnored(f.relativePath, ignorePatterns));
+    }
+    // Filter rules based on config
+    let activeRules = [...rules];
+    if (config.rules?.enable) {
+        activeRules = activeRules.filter((r) => config.rules.enable.includes(r.id));
+    }
+    if (config.rules?.disable) {
+        activeRules = activeRules.filter((r) => !config.rules.disable.includes(r.id));
+    }
+    // Run rules
+    const findings = [];
+    for (const rule of activeRules) {
+        findings.push(...rule.run(files));
+    }
+    // Post-process: false positive detection, severity overrides, sorting
+    postProcess(findings, files, config);
+    return {
+        target: targetDir,
+        filesScanned: files.length,
+        linesScanned: totalLines(files),
+        findings,
+        score: computeScore(findings),
+        duration: Date.now() - start,
+    };
+}
+/** Common post-processing: false positive detection, severity overrides, sorting */
+function postProcess(findings, files, config) {
+    for (const finding of findings) {
+        const file = files.find((f) => f.relativePath === finding.file || f.path === finding.file);
+        // Context-based FP detection
+        if (file && FP_CONTEXTS[file.context]) {
+            const fpRules = CONTEXT_FP_RULES[file.context];
+            if (fpRules?.has(finding.rule)) {
+                finding.possibleFalsePositive = true;
+                finding.falsePositiveReason = FP_CONTEXTS[file.context];
+                if (finding.severity === "critical") {
+                    finding.severity = "warning";
+                }
+                else if (finding.severity === "warning") {
+                    finding.severity = "info";
+                }
+            }
+        }
+        // Security tool self-reference detection:
+        // If a file is a rule definition (contains regex patterns as data),
+        // its matches on code-analysis rules are likely false positives
+        if (file) {
+            const isRuleFile = file.relativePath.includes("rules/") && file.ext === ".ts";
+            const isSecurityToolCode = file.relativePath.includes("llm/") ||
+                file.relativePath.includes("llm-analyzer") ||
+                file.relativePath.includes("scanner/") ||
+                file.relativePath.includes("reporter/") ||
+                file.relativePath.includes("score.");
+            if (isRuleFile || isSecurityToolCode) {
+                const codeAnalysisRules = new Set([
+                    "data-exfil", "backdoor", "obfuscation", "env-leak",
+                    "crypto-mining", "reverse-shell", "sensitive-read",
+                    "network-ssrf", "credential-hardcode", "mcp-manifest",
+                    "skill-risks",
+                ]);
+                if (codeAnalysisRules.has(finding.rule)) {
+                    finding.possibleFalsePositive = true;
+                    finding.falsePositiveReason = "Security tool source code — pattern definitions are not actual vulnerabilities";
+                    if (finding.severity === "critical") {
+                        finding.severity = "info";
+                    }
+                    else if (finding.severity === "warning") {
+                        finding.severity = "info";
+                    }
+                }
+            }
+        }
+        // Evidence-based FP: regex pattern strings (common in security tools)
+        if (finding.evidence) {
+            const isRegexDef = /(?:pattern|RegExp|\/[^/]+\/[gimsuy]*|new RegExp)\s*[:=(]/.test(finding.evidence);
+            const isStringDef = /(?:const|let|var)\s+\w+\s*=\s*["'`]/.test(finding.evidence);
+            if (isRegexDef && !finding.possibleFalsePositive) {
+                finding.possibleFalsePositive = true;
+                finding.falsePositiveReason = "Pattern definition — regex/string constant, not executable code";
+                if (finding.severity !== "info")
+                    finding.severity = "info";
+            }
+        }
+    }
+    if (config.severity) {
+        for (const finding of findings) {
+            if (config.severity[finding.rule]) {
+                finding.severity = config.severity[finding.rule];
+            }
+        }
+    }
+    const severityOrder = { critical: 0, warning: 1, info: 2 };
+    findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+}
+/** LLM-capable file extensions for deep analysis */
+const LLM_SCAN_EXTS = new Set([".md", ".json", ".yaml", ".yml", ".py"]);
+/** Run all rules + optional LLM deep analysis */
+export async function scanWithLlm(targetDir, llmProvider, configOverride) {
+    const start = Date.now();
+    const fileConfig = loadConfig(targetDir);
+    const config = { ...fileConfig, ...configOverride };
+    const ignorePatterns = loadIgnorePatterns(targetDir);
+    if (config.ignore)
+        ignorePatterns.push(...config.ignore);
+    let files = collectFiles(targetDir);
+    if (ignorePatterns.length > 0) {
+        files = files.filter((f) => !isIgnored(f.relativePath, ignorePatterns));
+    }
+    let activeRules = [...rules];
+    if (config.rules?.enable) {
+        activeRules = activeRules.filter((r) => config.rules.enable.includes(r.id));
+    }
+    if (config.rules?.disable) {
+        activeRules = activeRules.filter((r) => !config.rules.disable.includes(r.id));
+    }
+    // Phase 1: static regex rules
+    const findings = [];
+    for (const rule of activeRules) {
+        findings.push(...rule.run(files));
+    }
+    // Phase 2: LLM deep analysis on markdown, config, and Python files
+    const llmTargets = files.filter((f) => LLM_SCAN_EXTS.has(f.ext));
+    let totalTokens = 0;
+    for (const file of llmTargets) {
+        try {
+            const result = await llmProvider.analyze(file.content, file.relativePath);
+            totalTokens += result.tokensUsed || 0;
+            for (const llmFinding of result.findings) {
+                // Deduplicate: skip if regex already found a similar issue on the same line
+                const isDuplicate = findings.some((f) => f.file === file.relativePath &&
+                    f.line === llmFinding.line &&
+                    f.rule === "prompt-injection");
+                if (!isDuplicate) {
+                    findings.push({
+                        rule: "prompt-injection-llm",
+                        severity: llmFinding.severity,
+                        file: file.relativePath,
+                        line: llmFinding.line,
+                        message: `[LLM] ${llmFinding.description}`,
+                        evidence: llmFinding.evidence,
+                    });
+                }
+            }
+        }
+        catch (err) {
+            // LLM failure is non-fatal — fallback to regex-only
+            findings.push({
+                rule: "prompt-injection-llm",
+                severity: "info",
+                file: file.relativePath,
+                message: `LLM analysis skipped: ${err.message?.slice(0, 80) || "unknown error"}`,
+            });
+        }
+    }
+    postProcess(findings, files, config);
+    return {
+        target: targetDir,
+        filesScanned: files.length,
+        linesScanned: totalLines(files),
+        findings,
+        score: computeScore(findings),
+        duration: Date.now() - start,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/scanner/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/scanner/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAIzE,8DAA8D;AAC9D,MAAM,WAAW,GAA2B;IAC1C,IAAI,EAAE,qEAAqE;IAC3E,MAAM,EAAE,qEAAqE;IAC7E,IAAI,EAAE,+EAA+E;IACrF,MAAM,EAAE,0EAA0E;CACnF,CAAC;AAEF,+DAA+D;AAC/D,MAAM,gBAAgB,GAAgC;IACpD,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,gBAAgB,EAAE,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,qBAAqB,EAAE,aAAa,CAAC,CAAC;IAC5L,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC/H,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,gBAAgB,EAAE,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,qBAAqB,EAAE,aAAa,CAAC,CAAC;IAC9K,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,UAAU,EAAE,qBAAqB,EAAE,cAAc,CAAC,CAAC;CACnF,CAAC;AAEF,+CAA+C;AAC/C,MAAM,UAAU,IAAI,CAAC,SAAiB,EAAE,cAAoC;IAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,cAAc;IACd,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAe,EAAE,GAAG,UAAU,EAAE,GAAG,cAAc,EAAE,CAAC;IAEhE,uBAAuB;IACvB,MAAM,cAAc,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,cAAc,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED,2BAA2B;IAC3B,IAAI,KAAK,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpC,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,+BAA+B;IAC/B,IAAI,WAAW,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IAC7B,IAAI,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;QACzB,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,KAAM,CAAC,MAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAChF,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAC1B,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,KAAM,CAAC,OAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClF,CAAC;IAED,YAAY;IACZ,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,sEAAsE;IACtE,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAErC,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,KAAK,CAAC,MAAM;QAC1B,YAAY,EAAE,UAAU,CAAC,KAAK,CAAC;QAC/B,QAAQ;QACR,KAAK,EAAE,YAAY,CAAC,QAAQ,CAAC;QAC7B,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;KAC7B,CAAC;AACJ,CAAC;AAED,oFAAoF;AACpF,SAAS,WAAW,CAAC,QAAmB,EAAE,KAAoB,EAAE,MAAkB;IAChF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CACrB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAClE,CAAC;QAEF,6BAA6B;QAC7B,IAAI,IAAI,IAAI,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/C,IAAI,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;gBACrC,OAAO,CAAC,mBAAmB,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAE,CAAC;gBACzD,IAAI,OAAO,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;oBACpC,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;gBAC/B,CAAC;qBAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;oBAC1C,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,oEAAoE;QACpE,gEAAgE;QAChE,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,GAAG,KAAK,KAAK,CAAC;YAC9E,MAAM,kBAAkB,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAC3D,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,cAAc,CAAC;gBAC1C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC;gBACtC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACvC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,UAAU,IAAI,kBAAkB,EAAE,CAAC;gBACrC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;oBAChC,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,UAAU;oBACnD,eAAe,EAAE,eAAe,EAAE,gBAAgB;oBAClD,cAAc,EAAE,qBAAqB,EAAE,cAAc;oBACrD,aAAa;iBACd,CAAC,CAAC;gBACH,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxC,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;oBACrC,OAAO,CAAC,mBAAmB,GAAG,gFAAgF,CAAC;oBAC/G,IAAI,OAAO,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;wBACpC,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC;oBAC5B,CAAC;yBAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;wBAC1C,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC;oBAC5B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,UAAU,GAAG,0DAA0D,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACrG,MAAM,WAAW,GAAG,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACjF,IAAI,UAAU,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;gBACjD,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;gBACrC,OAAO,CAAC,mBAAmB,GAAG,iEAAiE,CAAC;gBAChG,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM;oBAAE,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC;YAC7D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAE,CAAC;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC3D,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AACjF,CAAC;AAED,oDAAoD;AACpD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;AAExE,iDAAiD;AACjD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,WAAwB,EACxB,cAAoC;IAEpC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAe,EAAE,GAAG,UAAU,EAAE,GAAG,cAAc,EAAE,CAAC;IAChE,MAAM,cAAc,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,MAAM,CAAC,MAAM;QAAE,cAAc,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAEzD,IAAI,KAAK,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpC,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,WAAW,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IAC7B,IAAI,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC;QACzB,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,KAAM,CAAC,MAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAChF,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAC1B,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,KAAM,CAAC,OAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClF,CAAC;IAED,8BAA8B;IAC9B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,mEAAmE;IACnE,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACjE,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YAC1E,WAAW,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;YAEtC,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACzC,4EAA4E;gBAC5E,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,YAAY;oBAC5B,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,IAAI;oBAC1B,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAChC,CAAC;gBACF,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,sBAAsB;wBAC5B,QAAQ,EAAE,UAAU,CAAC,QAAQ;wBAC7B,IAAI,EAAE,IAAI,CAAC,YAAY;wBACvB,IAAI,EAAE,UAAU,CAAC,IAAI;wBACrB,OAAO,EAAE,SAAS,UAAU,CAAC,WAAW,EAAE;wBAC1C,QAAQ,EAAE,UAAU,CAAC,QAAQ;qBAC9B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,oDAAoD;YACpD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,IAAI,CAAC,YAAY;gBACvB,OAAO,EAAE,yBAA0B,GAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,eAAe,EAAE;aAC5F,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAErC,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,KAAK,CAAC,MAAM;QAC1B,YAAY,EAAE,UAAU,CAAC,KAAK,CAAC;QAC/B,QAAQ;QACR,KAAK,EAAE,YAAY,CAAC,QAAQ,CAAC;QAC7B,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;KAC7B,CAAC;AACJ,CAAC"}

package/dist/score.d.ts

@@ -0,0 +1,14 @@
+import type { Finding } from "./types.js";
+/**
+ * Compute a security score from 0-100.
+ *
+ * Starts at 100, deducts points per finding:
+ *   critical: -25
+ *   warning:  -10
+ *   info:      -0
+ *
+ * Minimum score is 0.
+ */
+export declare function computeScore(findings: Finding[]): number;
+/** Human-readable risk label */
+export declare function riskLabel(score: number): string;

package/dist/score.js

@@ -0,0 +1,35 @@
+/**
+ * Compute a security score from 0-100.
+ *
+ * Starts at 100, deducts points per finding:
+ *   critical: -25
+ *   warning:  -10
+ *   info:      -0
+ *
+ * Minimum score is 0.
+ */
+export function computeScore(findings) {
+    let score = 100;
+    for (const f of findings) {
+        switch (f.severity) {
+            case "critical":
+                score -= 25;
+                break;
+            case "warning":
+                score -= 10;
+                break;
+        }
+    }
+    return Math.max(0, score);
+}
+/** Human-readable risk label */
+export function riskLabel(score) {
+    if (score >= 90)
+        return "Low Risk";
+    if (score >= 70)
+        return "Moderate Risk";
+    if (score >= 40)
+        return "High Risk";
+    return "Critical Risk";
+}
+//# sourceMappingURL=score.js.map

package/dist/score.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.js","sourceRoot":"","sources":["../src/score.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAAC,QAAmB;IAC9C,IAAI,KAAK,GAAG,GAAG,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;YACnB,KAAK,UAAU;gBACb,KAAK,IAAI,EAAE,CAAC;gBACZ,MAAM;YACR,KAAK,SAAS;gBACZ,KAAK,IAAI,EAAE,CAAC;gBACZ,MAAM;QACV,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,gCAAgC;AAChC,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,eAAe,CAAC;IACxC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,WAAW,CAAC;IACpC,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,60 @@
+/** Severity levels for findings */
+export type Severity = "critical" | "warning" | "info";
+/** File context hints for reducing false positives */
+export type FileContext = "test" | "deploy" | "config" | "docs" | "script" | "source";
+/** A single security finding */
+export interface Finding {
+    rule: string;
+    severity: Severity;
+    file: string;
+    line?: number;
+    message: string;
+    evidence?: string;
+    /** If true, the finding is likely a false positive due to file context */
+    possibleFalsePositive?: boolean;
+    /** Why it might be a false positive */
+    falsePositiveReason?: string;
+}
+/** Scan result for a directory */
+export interface ScanResult {
+    target: string;
+    filesScanned: number;
+    linesScanned: number;
+    findings: Finding[];
+    score: number;
+    duration: number;
+}
+/** A scanner rule */
+export interface Rule {
+    id: string;
+    name: string;
+    description: string;
+    run(files: ScannedFile[]): Finding[];
+}
+/** A file loaded for scanning */
+export interface ScannedFile {
+    path: string;
+    relativePath: string;
+    content: string;
+    lines: string[];
+    ext: string;
+    /** Detected file context for false positive reduction */
+    context: FileContext;
+}
+/** Parsed SKILL.md metadata */
+export interface SkillMetadata {
+    name?: string;
+    description?: string;
+    permissions?: string[];
+    [key: string]: unknown;
+}
+/** Scan configuration from .agentshield.yml */
+export interface ScanConfig {
+    rules?: {
+        enable?: string[];
+        disable?: string[];
+    };
+    severity?: Record<string, "critical" | "warning" | "info">;
+    failUnder?: number;
+    ignore?: string[];
+}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/yaml-simple.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Minimal YAML parser for simple config files.
+ * Supports: scalars, lists, nested objects (2 levels deep).
+ * For complex YAML, use the 'yaml' package.
+ */
+export declare function parse(input: string): Record<string, unknown>;

package/dist/yaml-simple.js

@@ -0,0 +1,98 @@
+/**
+ * Minimal YAML parser for simple config files.
+ * Supports: scalars, lists, nested objects (2 levels deep).
+ * For complex YAML, use the 'yaml' package.
+ */
+export function parse(input) {
+    const result = {};
+    const lines = input.split("\n");
+    let currentKey = "";
+    let currentSubKey = "";
+    let currentList = null;
+    for (const rawLine of lines) {
+        // Skip comments and empty lines
+        const line = rawLine.replace(/#.*$/, "");
+        if (!line.trim())
+            continue;
+        const indent = rawLine.search(/\S/);
+        // List item
+        if (line.trim().startsWith("- ")) {
+            const value = line.trim().slice(2).trim().replace(/^["']|["']$/g, "");
+            if (currentList) {
+                currentList.push(value);
+            }
+            continue;
+        }
+        // Key: value
+        const match = line.match(/^(\s*)(\w+)\s*:\s*(.*)/);
+        if (!match)
+            continue;
+        const [, , key, rawValue] = match;
+        const value = rawValue.trim().replace(/^["']|["']$/g, "");
+        if (indent === 0) {
+            // Top-level key
+            if (currentList && currentKey) {
+                // Save previous list
+                if (currentSubKey) {
+                    result[currentKey][currentSubKey] = currentList;
+                }
+                else {
+                    result[currentKey] = currentList;
+                }
+                currentList = null;
+                currentSubKey = "";
+            }
+            currentKey = key;
+            if (value) {
+                // Scalar value
+                result[currentKey] = parseScalar(value);
+            }
+            else {
+                // Object or list follows
+                if (!result[currentKey] || typeof result[currentKey] !== "object") {
+                    result[currentKey] = {};
+                }
+            }
+        }
+        else if (indent === 2 && currentKey) {
+            // Sub-key
+            if (currentList && currentSubKey) {
+                result[currentKey][currentSubKey] = currentList;
+                currentList = null;
+            }
+            currentSubKey = key;
+            if (value) {
+                if (typeof result[currentKey] !== "object")
+                    result[currentKey] = {};
+                result[currentKey][currentSubKey] = parseScalar(value);
+            }
+            else {
+                // List follows
+                currentList = [];
+            }
+        }
+    }
+    // Save trailing list
+    if (currentList) {
+        if (currentSubKey && currentKey) {
+            if (typeof result[currentKey] !== "object")
+                result[currentKey] = {};
+            result[currentKey][currentSubKey] = currentList;
+        }
+        else if (currentKey) {
+            result[currentKey] = currentList;
+        }
+    }
+    return result;
+}
+function parseScalar(value) {
+    if (value === "true")
+        return true;
+    if (value === "false")
+        return false;
+    const num = Number(value);
+    if (!isNaN(num) && value !== "")
+        return num;
+    return value;
+}
+//# sourceMappingURL=yaml-simple.js.map

package/dist/yaml-simple.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"yaml-simple.js","sourceRoot":"","sources":["../src/yaml-simple.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,UAAU,KAAK,CAAC,KAAa;IACjC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,UAAU,GAAG,EAAE,CAAC;IACpB,IAAI,aAAa,GAAG,EAAE,CAAC;IACvB,IAAI,WAAW,GAAoB,IAAI,CAAC;IAExC,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE,CAAC;QAC5B,gCAAgC;QAChC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;YAAE,SAAS;QAE3B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAEpC,YAAY;QACZ,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;YACtE,IAAI,WAAW,EAAE,CAAC;gBAChB,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,CAAC;YACD,SAAS;QACX,CAAC;QAED,aAAa;QACb,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,CAAC,EAAE,AAAD,EAAG,GAAG,EAAE,QAAQ,CAAC,GAAG,KAAK,CAAC;QAClC,MAAM,KAAK,GAAG,QAAS,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QAE3D,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;YACjB,gBAAgB;YAChB,IAAI,WAAW,IAAI,UAAU,EAAE,CAAC;gBAC9B,qBAAqB;gBACrB,IAAI,aAAa,EAAE,CAAC;oBACjB,MAAM,CAAC,UAAU,CAA6B,CAAC,aAAa,CAAC,GAAG,WAAW,CAAC;gBAC/E,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,UAAU,CAAC,GAAG,WAAW,CAAC;gBACnC,CAAC;gBACD,WAAW,GAAG,IAAI,CAAC;gBACnB,aAAa,GAAG,EAAE,CAAC;YACrB,CAAC;YAED,UAAU,GAAG,GAAI,CAAC;YAClB,IAAI,KAAK,EAAE,CAAC;gBACV,eAAe;gBACf,MAAM,CAAC,UAAU,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,yBAAyB;gBACzB,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAClE,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,CAAC,IAAI,UAAU,EAAE,CAAC;YACtC,UAAU;YACV,IAAI,WAAW,IAAI,aAAa,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAA6B,CAAC,aAAa,CAAC,GAAG,WAAW,CAAC;gBAC7E,WAAW,GAAG,IAAI,CAAC;YACrB,CAAC;YAED,aAAa,GAAG,GAAI,CAAC;YACrB,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,QAAQ;oBAAE,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;gBACnE,MAAM,CAAC,UAAU,CAA6B,CAAC,aAAa,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;YACtF,CAAC;iBAAM,CAAC;gBACN,eAAe;gBACf,WAAW,GAAG,EAAE,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,aAAa,IAAI,UAAU,EAAE,CAAC;YAChC,IAAI,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,QAAQ;gBAAE,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACnE,MAAM,CAAC,UAAU,CAA6B,CAAC,aAAa,CAAC,GAAG,WAAW,CAAC;QAC/E,CAAC;aAAM,IAAI,UAAU,EAAE,CAAC;YACtB,MAAM,CAAC,UAAU,CAAC,GAAG,WAAW,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,KAAK,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IACpC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,GAAG,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC"}