npm - @expressots/studio-agent - Versions diffs - 4.0.0-preview.1 - Mend

@expressots/studio-agent 4.0.0-preview.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (86) hide show

package/README.md +143 -0
package/dist/agent.d.ts +127 -0
package/dist/agent.d.ts.map +1 -0
package/dist/agent.js +1031 -0
package/dist/agent.js.map +1 -0
package/dist/discovery/index.d.ts +2 -0
package/dist/discovery/index.d.ts.map +1 -0
package/dist/discovery/index.js +2 -0
package/dist/discovery/index.js.map +1 -0
package/dist/discovery/route-scanner.d.ts +35 -0
package/dist/discovery/route-scanner.d.ts.map +1 -0
package/dist/discovery/route-scanner.js +385 -0
package/dist/discovery/route-scanner.js.map +1 -0
package/dist/index.d.ts +15 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +15 -0
package/dist/index.js.map +1 -0
package/dist/instrumentation/index.d.ts +2 -0
package/dist/instrumentation/index.d.ts.map +1 -0
package/dist/instrumentation/index.js +2 -0
package/dist/instrumentation/index.js.map +1 -0
package/dist/instrumentation/tracer.d.ts +40 -0
package/dist/instrumentation/tracer.d.ts.map +1 -0
package/dist/instrumentation/tracer.js +190 -0
package/dist/instrumentation/tracer.js.map +1 -0
package/dist/introspection/container-introspector.d.ts +81 -0
package/dist/introspection/container-introspector.d.ts.map +1 -0
package/dist/introspection/container-introspector.js +251 -0
package/dist/introspection/container-introspector.js.map +1 -0
package/dist/logging/log-capture.d.ts +58 -0
package/dist/logging/log-capture.d.ts.map +1 -0
package/dist/logging/log-capture.js +184 -0
package/dist/logging/log-capture.js.map +1 -0
package/dist/recording/index.d.ts +2 -0
package/dist/recording/index.d.ts.map +1 -0
package/dist/recording/index.js +2 -0
package/dist/recording/index.js.map +1 -0
package/dist/recording/request-recorder.d.ts +43 -0
package/dist/recording/request-recorder.d.ts.map +1 -0
package/dist/recording/request-recorder.js +373 -0
package/dist/recording/request-recorder.js.map +1 -0
package/dist/security/fix-resolver.d.ts +40 -0
package/dist/security/fix-resolver.d.ts.map +1 -0
package/dist/security/fix-resolver.js +283 -0
package/dist/security/fix-resolver.js.map +1 -0
package/dist/security/fix-runner.d.ts +60 -0
package/dist/security/fix-runner.d.ts.map +1 -0
package/dist/security/fix-runner.js +188 -0
package/dist/security/fix-runner.js.map +1 -0
package/dist/security/index.d.ts +140 -0
package/dist/security/index.d.ts.map +1 -0
package/dist/security/index.js +460 -0
package/dist/security/index.js.map +1 -0
package/dist/security/lockfile-graph.d.ts +69 -0
package/dist/security/lockfile-graph.d.ts.map +1 -0
package/dist/security/lockfile-graph.js +245 -0
package/dist/security/lockfile-graph.js.map +1 -0
package/dist/security/npm-audit.d.ts +67 -0
package/dist/security/npm-audit.d.ts.map +1 -0
package/dist/security/npm-audit.js +320 -0
package/dist/security/npm-audit.js.map +1 -0
package/dist/security/osv-cache.d.ts +51 -0
package/dist/security/osv-cache.d.ts.map +1 -0
package/dist/security/osv-cache.js +99 -0
package/dist/security/osv-cache.js.map +1 -0
package/dist/security/osv-client.d.ts +47 -0
package/dist/security/osv-client.d.ts.map +1 -0
package/dist/security/osv-client.js +247 -0
package/dist/security/osv-client.js.map +1 -0
package/dist/security/posture-analyzer.d.ts +44 -0
package/dist/security/posture-analyzer.d.ts.map +1 -0
package/dist/security/posture-analyzer.js +397 -0
package/dist/security/posture-analyzer.js.map +1 -0
package/dist/security/reachability.d.ts +59 -0
package/dist/security/reachability.d.ts.map +1 -0
package/dist/security/reachability.js +302 -0
package/dist/security/reachability.js.map +1 -0
package/dist/security/score.d.ts +36 -0
package/dist/security/score.d.ts.map +1 -0
package/dist/security/score.js +94 -0
package/dist/security/score.js.map +1 -0
package/dist/types/index.d.ts +587 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +14 -0
package/dist/types/index.js.map +1 -0
package/package.json +75 -0

package/dist/security/osv-client.js ADDED Viewed

@@ -0,0 +1,247 @@
+/**
+ * OSV.dev client — supply-chain advisory lookups for installed packages.
+ *
+ * Why OSV: it's an open vulnerability database maintained by Google,
+ * exposes a programmatic JSON API, doesn't require auth, and aggregates
+ * GHSA, npm, OSS-Fuzz and other sources behind one query shape. It's
+ * also the source `npm audit` increasingly delegates to internally, so
+ * we get the same data without scraping anything.
+ *
+ * This client batches per-scan: one POST to `/v1/querybatch` covering
+ * every direct dependency. Results that aren't already in cache are
+ * persisted via `OsvCache` so subsequent scans inside the TTL skip the
+ * network entirely.
+ *
+ * Network failures degrade gracefully: we return an empty findings
+ * array so the engine can still ship a report using only `npm audit`.
+ */
+const OSV_BATCH_URL = 'https://api.osv.dev/v1/querybatch';
+const OSV_VULN_URL = 'https://api.osv.dev/v1/vulns';
+const REQUEST_TIMEOUT_MS = 10_000;
+/** OSV's batch endpoint accepts up to 1000 queries per request. */
+const MAX_BATCH_SIZE = 500;
+export class OsvClient {
+    cache;
+    constructor(cache) {
+        this.cache = cache;
+    }
+    /**
+     * Look up advisories for every (package, version) pair and return
+     * normalised findings. Cache hits are served without touching the
+     * network; the rest are batched into one (or more, if very large)
+     * POSTs to OSV.
+     */
+    async lookup(packages) {
+        if (packages.length === 0)
+            return [];
+        const findings = [];
+        const cacheMisses = [];
+        // Phase 1: serve from cache.
+        for (const pkg of packages) {
+            const cached = this.cache.get('npm', pkg.name, pkg.version);
+            if (cached) {
+                findings.push(...advisoriesToFindings(cached, pkg));
+            }
+            else {
+                cacheMisses.push(pkg);
+            }
+        }
+        if (cacheMisses.length === 0)
+            return findings;
+        // Phase 2: batch-query OSV for the misses.
+        let advisoryIdsByPkg;
+        try {
+            advisoryIdsByPkg = await this.fetchAdvisoryIds(cacheMisses);
+        }
+        catch {
+            // Network failure → cache nothing, fall back to whatever cache hits
+            // we already produced. Better than refusing to ship a report.
+            return findings;
+        }
+        // Phase 3: hydrate each unique advisory id. OSV returns just an id
+        // list from the batch endpoint — we have to fetch full records to
+        // get severity, summary, references etc.
+        const uniqueIds = new Set();
+        for (const ids of advisoryIdsByPkg.values()) {
+            ids.forEach((id) => uniqueIds.add(id));
+        }
+        const fullAdvisories = await this.fetchFullAdvisories([...uniqueIds]);
+        // Phase 4: rebuild per-package advisory lists and store in cache.
+        for (const pkg of cacheMisses) {
+            const ids = advisoryIdsByPkg.get(pkgKey(pkg)) ?? [];
+            const advisories = ids
+                .map((id) => fullAdvisories.get(id))
+                .filter((v) => Boolean(v))
+                .map((v) => fullToCacheAdvisory(v, pkg.name));
+            this.cache.put('npm', pkg.name, pkg.version, advisories);
+            findings.push(...advisoriesToFindings(advisories, pkg));
+        }
+        this.cache.flush();
+        return findings;
+    }
+    /**
+     * POST a batch of queries to OSV's `/v1/querybatch`. Splits oversize
+     * input into multiple requests to stay under the per-call limit.
+     */
+    async fetchAdvisoryIds(queries) {
+        const out = new Map();
+        for (let i = 0; i < queries.length; i += MAX_BATCH_SIZE) {
+            const batch = queries.slice(i, i + MAX_BATCH_SIZE);
+            const body = {
+                queries: batch.map((q) => ({
+                    package: { name: q.name, ecosystem: 'npm' },
+                    version: q.version,
+                })),
+            };
+            const resp = await fetchWithTimeout(OSV_BATCH_URL, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify(body),
+            });
+            if (!resp.ok) {
+                // Treat as empty results for this batch; the caller will simply
+                // produce no findings for these packages.
+                continue;
+            }
+            const parsed = (await resp.json());
+            const results = parsed.results ?? [];
+            for (let j = 0; j < batch.length; j++) {
+                const pkg = batch[j];
+                const ids = (results[j]?.vulns ?? []).map((v) => v.id);
+                out.set(pkgKey(pkg), ids);
+            }
+        }
+        return out;
+    }
+    /**
+     * Hydrate advisory id list into full records. OSV requires one GET
+     * per id (no batch endpoint for full records yet) — we run them in
+     * parallel with a hard concurrency cap so we don't open hundreds of
+     * sockets at once.
+     */
+    async fetchFullAdvisories(ids) {
+        const out = new Map();
+        if (ids.length === 0)
+            return out;
+        const CONCURRENCY = 8;
+        let cursor = 0;
+        const workers = Array.from({ length: Math.min(CONCURRENCY, ids.length) }, async () => {
+            while (cursor < ids.length) {
+                const idx = cursor++;
+                const id = ids[idx];
+                try {
+                    const resp = await fetchWithTimeout(`${OSV_VULN_URL}/${encodeURIComponent(id)}`);
+                    if (!resp.ok)
+                        continue;
+                    const json = (await resp.json());
+                    out.set(id, json);
+                }
+                catch {
+                    // Skip — partial coverage is fine.
+                }
+            }
+        });
+        await Promise.all(workers);
+        return out;
+    }
+}
+function pkgKey(p) {
+    return `${p.name}@${p.version}`;
+}
+/**
+ * Translate the cached / hydrated advisory into our wire-stable
+ * `DependencyFinding` shape. Severity is the trickiest bit — OSV stores
+ * CVSS vectors rather than the npm-style word ("CRITICAL"); we map both.
+ */
+function advisoriesToFindings(advisories, pkg) {
+    return advisories.map((adv) => ({
+        id: adv.id,
+        package: pkg.name,
+        installedVersion: pkg.version,
+        fixedVersion: adv.fixedVersion,
+        severity: numericSeverityToLabel(adv.severity),
+        cvss: adv.severity,
+        title: adv.summary || adv.id,
+        summary: adv.details ?? adv.summary ?? '',
+        references: adv.references,
+        path: [pkg.name],
+    }));
+}
+function fullToCacheAdvisory(full, pkgName) {
+    return {
+        id: full.id,
+        aliases: full.aliases ?? [],
+        summary: full.summary ?? '',
+        details: full.details,
+        severity: extractCvssScore(full),
+        references: (full.references ?? []).map((r) => r.url).filter(Boolean),
+        fixedVersion: extractFixedVersion(full, pkgName),
+    };
+}
+/** Pull a CVSS v3.x base score out of an OSV record, if present. */
+function extractCvssScore(full) {
+    for (const s of full.severity ?? []) {
+        if (s.type === 'CVSS_V3' || s.type === 'CVSS_V4') {
+            // OSV stores the vector string; the base score is the first
+            // numeric value after the vector header. We don't ship a full
+            // CVSS parser — just look for a familiar "/AV:..." vector and
+            // pull the base score from `database_specific` when present.
+            const numeric = Number((full.database_specific?.severity ?? '').match(/(\d+\.\d+)/)?.[1]);
+            if (Number.isFinite(numeric))
+                return numeric;
+        }
+    }
+    return undefined;
+}
+/**
+ * Find the first `fixed` version for the given package across all
+ * `affected` ranges. OSV records list every event (introduced / fixed)
+ * in order; we use the first `fixed` that follows an `introduced`.
+ */
+function extractFixedVersion(full, pkgName) {
+    for (const aff of full.affected ?? []) {
+        if (aff.package?.name !== pkgName)
+            continue;
+        for (const range of aff.ranges ?? []) {
+            for (const ev of range.events ?? []) {
+                if (ev.fixed)
+                    return ev.fixed;
+            }
+        }
+    }
+    return undefined;
+}
+/**
+ * Map a numeric CVSS base score to our severity vocabulary using the
+ * standard NVD bands. Falls back to `MEDIUM` when no score is known so
+ * findings don't all collapse into `INFO`.
+ */
+function numericSeverityToLabel(score) {
+    if (typeof score !== 'number' || !Number.isFinite(score))
+        return 'MEDIUM';
+    if (score >= 9.0)
+        return 'CRITICAL';
+    if (score >= 7.0)
+        return 'HIGH';
+    if (score >= 4.0)
+        return 'MEDIUM';
+    if (score > 0)
+        return 'LOW';
+    return 'INFO';
+}
+/**
+ * `fetch` with an `AbortController` timeout. Centralised here so every
+ * OSV call has the same timeout semantics — a network hang must not be
+ * able to stall the agent's WS event loop.
+ */
+async function fetchWithTimeout(url, init) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    try {
+        return await fetch(url, { ...init, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+//# sourceMappingURL=osv-client.js.map

package/dist/security/osv-client.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"osv-client.js","sourceRoot":"","sources":["../../src/security/osv-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAKH,MAAM,aAAa,GAAG,mCAAmC,CAAC;AAC1D,MAAM,YAAY,GAAG,8BAA8B,CAAC;AACpD,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,mEAAmE;AACnE,MAAM,cAAc,GAAG,GAAG,CAAC;AA8B3B,MAAM,OAAO,SAAS;IACS;IAA7B,YAA6B,KAAe;QAAf,UAAK,GAAL,KAAK,CAAU;IAAG,CAAC;IAEhD;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,QAAwB;QACnC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAErC,MAAM,QAAQ,GAAwB,EAAE,CAAC;QACzC,MAAM,WAAW,GAAmB,EAAE,CAAC;QAEvC,6BAA6B;QAC7B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAC5D,IAAI,MAAM,EAAE,CAAC;gBACX,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;YACtD,CAAC;iBAAM,CAAC;gBACN,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,QAAQ,CAAC;QAE9C,2CAA2C;QAC3C,IAAI,gBAAuC,CAAC;QAC5C,IAAI,CAAC;YACH,gBAAgB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;YACpE,8DAA8D;YAC9D,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,mEAAmE;QACnE,kEAAkE;QAClE,yCAAyC;QACzC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,gBAAgB,CAAC,MAAM,EAAE,EAAE,CAAC;YAC5C,GAAG,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACzC,CAAC;QACD,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC;QAEtE,kEAAkE;QAClE,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;YAC9B,MAAM,GAAG,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACpD,MAAM,UAAU,GAAkB,GAAG;iBAClC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;iBACnC,MAAM,CAAC,CAAC,CAAC,EAAoB,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;iBAC3C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YAEhD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,gBAAgB,CAC5B,OAAuB;QAEvB,MAAM,GAAG,GAAG,IAAI,GAAG,EAAoB,CAAC;QAExC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,cAAc,EAAE,CAAC;YACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,CAAC;YACnD,MAAM,IAAI,GAAG;gBACX,OAAO,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACzB,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE;oBAC3C,OAAO,EAAE,CAAC,CAAC,OAAO;iBACnB,CAAC,CAAC;aACJ,CAAC;YAEF,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE;gBACjD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;aAC3B,CAAC,CAAC;YAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,gEAAgE;gBAChE,0CAA0C;gBAC1C,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAqB,CAAC;YACvD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;YACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACrB,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACvD,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,mBAAmB,CAC/B,GAAa;QAEb,MAAM,GAAG,GAAG,IAAI,GAAG,EAAuB,CAAC;QAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,GAAG,CAAC;QAEjC,MAAM,WAAW,GAAG,CAAC,CAAC;QACtB,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,IAAI,EAAE;YACnF,OAAO,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;gBAC3B,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;gBACrB,MAAM,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;gBACpB,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,YAAY,IAAI,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;oBACjF,IAAI,CAAC,IAAI,CAAC,EAAE;wBAAE,SAAS;oBACvB,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAgB,CAAC;oBAChD,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;gBACpB,CAAC;gBAAC,MAAM,CAAC;oBACP,mCAAmC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC3B,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AAED,SAAS,MAAM,CAAC,CAAe;IAC7B,OAAO,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;AAClC,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,UAAyB,EACzB,GAAiB;IAEjB,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC9B,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,OAAO,EAAE,GAAG,CAAC,IAAI;QACjB,gBAAgB,EAAE,GAAG,CAAC,OAAO;QAC7B,YAAY,EAAE,GAAG,CAAC,YAAY;QAC9B,QAAQ,EAAE,sBAAsB,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC9C,IAAI,EAAE,GAAG,CAAC,QAAQ;QAClB,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,EAAE;QAC5B,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE;QACzC,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,IAAI,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;KACjB,CAAC,CAAC,CAAC;AACN,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAAiB,EACjB,OAAe;IAEf,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;QAC3B,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;QAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,gBAAgB,CAAC,IAAI,CAAC;QAChC,UAAU,EAAE,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACrE,YAAY,EAAE,mBAAmB,CAAC,IAAI,EAAE,OAAO,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,SAAS,gBAAgB,CAAC,IAAiB;IACzC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACjD,4DAA4D;YAC5D,8DAA8D;YAC9D,8DAA8D;YAC9D,6DAA6D;YAC7D,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,iBAAiB,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1F,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,OAAO,OAAO,CAAC;QAC/C,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,IAAiB,EAAE,OAAe;IAC7D,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACtC,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,KAAK,OAAO;YAAE,SAAS;QAC5C,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACrC,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;gBACpC,IAAI,EAAE,CAAC,KAAK;oBAAE,OAAO,EAAE,CAAC,KAAK,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAAC,KAAyB;IACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC1E,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,UAAU,CAAC;IACpC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,QAAQ,CAAC;IAClC,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,gBAAgB,CAC7B,GAAW,EACX,IAAkB;IAElB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,kBAAkB,CAAC,CAAC;IACvE,IAAI,CAAC;QACH,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC"}

package/dist/security/posture-analyzer.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Runtime security posture analyzer.
+ *
+ * This is Studio's unique contribution: Snyk-style scanners only see
+ * `package.json`, but Studio has the recorded traffic, the routes, the
+ * DI graph and live logs. The analyzer turns all of that into a set
+ * of OWASP-mapped findings the user can act on directly from the UI.
+ *
+ * Rules implemented here are intentionally conservative — false
+ * positives erode trust quickly in a security tool. Every rule has
+ * either (a) a high-confidence runtime signal (e.g. literal
+ * `Access-Control-Allow-Origin: *`) or (b) an explicit "advisory"
+ * severity so users know the finding is heuristic.
+ *
+ * All passes are pure functions over a snapshot of in-memory state.
+ * The engine is responsible for debouncing and change detection.
+ */
+import type { AppStructure, PostureFinding, PostureEvidence, RecordedExchange, RouteInfo } from '../types/index.js';
+import type { LogEntry } from '../logging/log-capture.js';
+/**
+ * Inputs the analyzer needs. We accept them as an opaque object so the
+ * engine can compose its in-memory state without exposing the agent
+ * itself to the rules.
+ */
+export interface PostureInputs {
+    routes: RouteInfo[];
+    structure: AppStructure | null;
+    exchanges: RecordedExchange[];
+    logs: LogEntry[];
+    /**
+     * Resolved absolute path to the host project's source root (best-effort).
+     * Some checks (e.g. "missing helmet" / "no validation") want to read
+     * `app.ts` / `main.ts`. We pass it in rather than discovering inside
+     * the analyzer so tests can override it.
+     */
+    srcRoot?: string;
+}
+/**
+ * Run every posture check over the given snapshot. Returns an
+ * unsorted list — the engine aggregates and dedupes by `id`.
+ */
+export declare function analyzePosture(input: PostureInputs): PostureFinding[];
+export type { PostureEvidence };
+//# sourceMappingURL=posture-analyzer.d.ts.map

package/dist/security/posture-analyzer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"posture-analyzer.d.ts","sourceRoot":"","sources":["../../src/security/posture-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EACV,YAAY,EAEZ,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,SAAS,EAEV,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAG1D;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,EAAE,CAAC;IACpB,SAAS,EAAE,YAAY,GAAG,IAAI,CAAC;IAC/B,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,cAAc,EAAE,CAWrE;AA4ZD,YAAY,EAAE,eAAe,EAAE,CAAC"}