@expressots/studio-agent 4.0.0-preview.1

package/dist/security/reachability.js

@@ -0,0 +1,302 @@
+/**
+ * Runtime reachability analysis for supply-chain findings.
+ *
+ * This is the single feature that justifies "why Studio over Snyk?". A
+ * static scanner can tell you that `lodash@4.17.10` has CVE-X; only a
+ * tool sitting inside the running app can tell you that:
+ *
+ *   - `src/users/users.service.ts` actually imports lodash
+ *   - that service is wired into `UsersController`, which owns `GET /users`
+ *   - and `GET /users` has been hit 47 times in the last hour
+ *
+ * We combine three signals to land on one of four labels per finding:
+ *
+ *   - **confirmed**: a route that imports (transitively) the vulnerable
+ *     package has been exercised in the current session.
+ *   - **likely**: the package is imported from `src/` but we haven't
+ *     seen a request hit a route that reaches it yet.
+ *   - **unreachable**: we have a complete import graph for `src/` and
+ *     the package doesn't appear anywhere. Usually means it's only
+ *     pulled in by a dev tool or another transitive dep.
+ *   - **unknown**: we can't compute the graph (no src dir, scanning
+ *     disabled). Default for transitive packages with no direct
+ *     imports — we don't follow node_modules → node_modules edges.
+ *
+ * The analyzer is intentionally cheap: regex-based import extraction
+ * over the same source tree the route scanner already walked. We
+ * don't reach for a TypeScript AST — it'd be 100× slower for almost
+ * no precision gain at this granularity (we only need package names,
+ * not symbols).
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { glob } from 'glob';
+const IMPORT_PATTERNS = [
+    // ESM: import ... from 'pkg'  /  import 'pkg'
+    /import\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g,
+    // Re-exports: export ... from 'pkg'
+    /export\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g,
+    // Dynamic import: import('pkg')
+    /import\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+    // CJS: require('pkg')
+    /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+];
+/**
+ * Build a reachability snapshot for the host project. Returns an empty
+ * snapshot if `srcPath` doesn't exist — callers should treat that as
+ * "always emit `unknown`" rather than failing.
+ *
+ * Safe to call on every full scan; for a 1000-file project it usually
+ * completes in <100 ms.
+ */
+export async function buildReachabilitySnapshot(cwd, structure) {
+    const srcPath = findSrcPath(cwd);
+    const importedByPkg = new Map();
+    const filesByImports = new Map();
+    if (!srcPath) {
+        return { importedByPkg, routesByFile: new Map() };
+    }
+    const files = await glob('**/*.{ts,tsx,js,mjs,cjs}', {
+        cwd: srcPath,
+        ignore: ['**/node_modules/**', '**/*.spec.ts', '**/*.test.ts', '**/*.d.ts'],
+        absolute: true,
+    });
+    for (const file of files) {
+        let content;
+        try {
+            content = fs.readFileSync(file, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        const pkgs = extractPackageImports(content);
+        if (pkgs.size === 0)
+            continue;
+        filesByImports.set(file, pkgs);
+        for (const pkg of pkgs) {
+            const existing = importedByPkg.get(pkg) ?? new Set();
+            existing.add(file);
+            importedByPkg.set(pkg, existing);
+        }
+    }
+    const routesByFile = buildRoutesByFile(structure, filesByImports);
+    return { importedByPkg, routesByFile };
+}
+/**
+ * Attach a `ReachabilityInfo` block to every finding in `findings`.
+ * Pure given the snapshot + exchanges; same call with the same inputs
+ * always produces the same output, which keeps hashing stable.
+ */
+export function enrichWithReachability(findings, snapshot, exchanges) {
+    // Index exchanges by `method:path` so we can count hits per route
+    // in O(N) over routes regardless of exchange count.
+    const exchangeCountsByRoute = new Map();
+    for (const ex of exchanges) {
+        const method = ex.request.method;
+        const matchPath = ex.request.path || ex.request.url;
+        if (!matchPath)
+            continue;
+        const key = `${method}:${normalisePath(matchPath)}`;
+        exchangeCountsByRoute.set(key, (exchangeCountsByRoute.get(key) ?? 0) + 1);
+    }
+    return findings.map((finding) => {
+        // For transitive findings, prefer the root package — that's the
+        // one the user's source actually imports. We fall back to the
+        // vulnerable package name when no root cause is set (direct dep
+        // or unknown lockfile).
+        const probe = finding.rootCause?.rootPackage ?? finding.package;
+        const info = computeReachability(probe, snapshot, exchangeCountsByRoute, Boolean(finding.rootCause?.isDirect ?? snapshot.importedByPkg.has(probe)));
+        return { ...finding, reachability: info };
+    });
+}
+// ────────────────────────────────────────────────────────────────────────
+// Internals
+// ────────────────────────────────────────────────────────────────────────
+function computeReachability(pkg, snapshot, exchangeCounts, hasGraph) {
+    const importers = snapshot.importedByPkg.get(pkg);
+    if (!importers || importers.size === 0) {
+        if (!hasGraph && snapshot.importedByPkg.size === 0) {
+            // We have no source-graph data at all (e.g. no `src/` dir,
+            // analyzer disabled). Be honest about it rather than calling
+            // every dep "unreachable".
+            return {
+                level: 'unknown',
+                importedBy: [],
+                routes: [],
+                runtimeHits: 0,
+                reason: 'No source graph available — Studio could not analyse `src/`.',
+            };
+        }
+        if (snapshot.importedByPkg.size > 0) {
+            // We scanned src/ successfully and the package never appears.
+            // For transitive packages this is the common case: they're
+            // only used internally by other deps.
+            return {
+                level: 'unreachable',
+                importedBy: [],
+                routes: [],
+                runtimeHits: 0,
+                reason: 'No source files import this package directly.',
+            };
+        }
+        return {
+            level: 'unknown',
+            importedBy: [],
+            routes: [],
+            runtimeHits: 0,
+            reason: 'No matching source files found.',
+        };
+    }
+    const importedBy = Array.from(importers);
+    const routes = new Map();
+    for (const file of importedBy) {
+        const fileRoutes = snapshot.routesByFile.get(file) ?? [];
+        for (const r of fileRoutes) {
+            routes.set(`${r.method}:${r.path}`, r);
+        }
+    }
+    const routesArr = Array.from(routes.values()).map((r) => ({
+        method: r.method,
+        path: r.path,
+    }));
+    let hits = 0;
+    for (const r of routesArr) {
+        hits += exchangeCounts.get(`${r.method}:${normalisePath(r.path)}`) ?? 0;
+    }
+    let level;
+    let reason;
+    if (hits > 0) {
+        level = 'confirmed';
+        reason = `${routesArr.length} route${routesArr.length === 1 ? '' : 's'} reach this package and ${hits} request${hits === 1 ? '' : 's'} hit them in the current session.`;
+    }
+    else if (routesArr.length > 0) {
+        level = 'likely';
+        reason = `${routesArr.length} route${routesArr.length === 1 ? '' : 's'} reach this package, but none have been exercised yet.`;
+    }
+    else {
+        // Imported, but we couldn't tie it back to any route — could be a
+        // utility module, a bootstrap helper, or a worker. Still "likely"
+        // because the package *is* in your code path.
+        level = 'likely';
+        reason = `Imported by ${importedBy.length} file${importedBy.length === 1 ? '' : 's'} but no route reaches it directly.`;
+    }
+    return {
+        level,
+        importedBy,
+        routes: routesArr,
+        runtimeHits: hits,
+        reason,
+    };
+}
+/**
+ * Walk `content` looking for bare-package imports. Bare = not relative
+ * (`./foo`) and not absolute (`/foo`). Returns deduped package names
+ * (scoped packages keep their `@scope/` prefix).
+ */
+function extractPackageImports(content) {
+    const out = new Set();
+    for (const re of IMPORT_PATTERNS) {
+        re.lastIndex = 0;
+        let m;
+        while ((m = re.exec(content)) !== null) {
+            const spec = m[1];
+            if (!spec || spec.startsWith('.') || spec.startsWith('/'))
+                continue;
+            // Strip subpath: `foo/bar/baz` → `foo`, `@scope/pkg/sub` → `@scope/pkg`.
+            const parts = spec.split('/');
+            const name = spec.startsWith('@')
+                ? parts.slice(0, 2).join('/')
+                : parts[0];
+            if (name)
+                out.add(name);
+        }
+    }
+    return out;
+}
+/**
+ * Resolve `src/` for the host project. We try a few common spellings
+ * because not every ExpressoTS app uses literal `./src` (monorepo
+ * roots sometimes don't).
+ */
+function findSrcPath(cwd) {
+    const candidates = ['src', 'lib', 'app'];
+    for (const c of candidates) {
+        const full = path.join(cwd, c);
+        if (fs.existsSync(full) && fs.statSync(full).isDirectory()) {
+            return full;
+        }
+    }
+    return null;
+}
+/**
+ * Reverse-index controllers/services by file so each importing file
+ * can be answered "which routes does this serve?".
+ *
+ * The mapping isn't perfect (an imported util file may not be a
+ * controller itself), so we also fold in transitive reach: if a
+ * service file imports lodash and a controller depends on that
+ * service, the controller's routes are credited.
+ */
+function buildRoutesByFile(structure, filesByImports) {
+    const out = new Map();
+    if (!structure)
+        return out;
+    const controllersByFile = new Map();
+    for (const c of structure.controllers) {
+        controllersByFile.set(normalisePath(c.filePath), c);
+    }
+    const servicesByName = new Map();
+    for (const s of [...structure.services, ...structure.providers]) {
+        servicesByName.set(s.name, s);
+    }
+    // 1. Direct: a controller's own file gets all of its routes.
+    for (const c of structure.controllers) {
+        out.set(c.filePath, c.routes.slice());
+    }
+    // 2. Transitive: walk each controller's dependency graph and credit
+    //    every file reachable through services it imports.
+    for (const c of structure.controllers) {
+        const visited = new Set();
+        const queue = [...c.dependencies];
+        while (queue.length > 0) {
+            const dep = queue.shift();
+            if (visited.has(dep))
+                continue;
+            visited.add(dep);
+            const svc = servicesByName.get(dep);
+            if (!svc)
+                continue;
+            // Credit the service's own file with the controller's routes.
+            const existing = out.get(svc.filePath) ?? [];
+            out.set(svc.filePath, mergeRoutes(existing, c.routes));
+            for (const next of svc.dependencies ?? [])
+                queue.push(next);
+        }
+    }
+    // 3. Mark every other source file we saw imports for as having no
+    //    routes (so `unreachable` becomes the natural label when nothing
+    //    references it).
+    for (const file of filesByImports.keys()) {
+        if (!out.has(file))
+            out.set(file, []);
+    }
+    return out;
+}
+function mergeRoutes(into, add) {
+    const seen = new Set(into.map((r) => `${r.method}:${r.path}`));
+    for (const r of add) {
+        const k = `${r.method}:${r.path}`;
+        if (!seen.has(k)) {
+            into.push(r);
+            seen.add(k);
+        }
+    }
+    return into;
+}
+/** Strip query string / trailing slash so route-key matching is stable. */
+function normalisePath(p) {
+    const noQuery = p.split('?')[0] ?? p;
+    const trimmed = noQuery.replace(/\/+$/, '');
+    return trimmed || '/';
+}
+//# sourceMappingURL=reachability.js.map

package/dist/security/reachability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reachability.js","sourceRoot":"","sources":["../../src/security/reachability.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAyB5B,MAAM,eAAe,GAAa;IAChC,8CAA8C;IAC9C,kDAAkD;IAClD,oCAAoC;IACpC,kDAAkD;IAClD,gCAAgC;IAChC,sCAAsC;IACtC,sBAAsB;IACtB,uCAAuC;CACxC,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,GAAW,EACX,SAA8B;IAE9B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;IACrD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,IAAI,GAAG,EAAE,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,0BAA0B,EAAE;QACnD,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,CAAC,oBAAoB,EAAE,cAAc,EAAE,cAAc,EAAE,WAAW,CAAC;QAC3E,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IAEH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,IAAI,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,IAAI,CAAC,IAAI,KAAK,CAAC;YAAE,SAAS;QAC9B,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;YAC7D,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACnB,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,iBAAiB,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IAClE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;AACzC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAA6B,EAC7B,QAA8B,EAC9B,SAA6B;IAE7B,kEAAkE;IAClE,oDAAoD;IACpD,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxD,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QACjC,MAAM,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;QACpD,IAAI,CAAC,SAAS;YAAE,SAAS;QACzB,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;QACpD,qBAAqB,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,gEAAgE;QAChE,8DAA8D;QAC9D,gEAAgE;QAChE,wBAAwB;QACxB,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,EAAE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;QAChE,MAAM,IAAI,GAAG,mBAAmB,CAC9B,KAAK,EACL,QAAQ,EACR,qBAAqB,EACrB,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,QAAQ,IAAI,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAC1E,CAAC;QACF,OAAO,EAAE,GAAG,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,2EAA2E;AAC3E,YAAY;AACZ,2EAA2E;AAE3E,SAAS,mBAAmB,CAC1B,GAAW,EACX,QAA8B,EAC9B,cAAmC,EACnC,QAAiB;IAEjB,MAAM,SAAS,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAElD,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACvC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACnD,2DAA2D;YAC3D,6DAA6D;YAC7D,2BAA2B;YAC3B,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,UAAU,EAAE,EAAE;gBACd,MAAM,EAAE,EAAE;gBACV,WAAW,EAAE,CAAC;gBACd,MAAM,EAAE,8DAA8D;aACvE,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACpC,8DAA8D;YAC9D,2DAA2D;YAC3D,sCAAsC;YACtC,OAAO;gBACL,KAAK,EAAE,aAAa;gBACpB,UAAU,EAAE,EAAE;gBACd,MAAM,EAAE,EAAE;gBACV,WAAW,EAAE,CAAC;gBACd,MAAM,EAAE,+CAA+C;aACxD,CAAC;QACJ,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,UAAU,EAAE,EAAE;YACd,MAAM,EAAE,EAAE;YACV,WAAW,EAAE,CAAC;YACd,MAAM,EAAE,iCAAiC;SAC1C,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACzD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxD,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,IAAI,EAAE,CAAC,CAAC,IAAI;KACb,CAAC,CAAC,CAAC;IAEJ,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,IAAI,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,KAAmB,CAAC;IACxB,IAAI,MAAc,CAAC;IACnB,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;QACb,KAAK,GAAG,WAAW,CAAC;QACpB,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,SAAS,SAAS,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,2BAA2B,IAAI,WAAW,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,mCAAmC,CAAC;IAC3K,CAAC;SAAM,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,GAAG,QAAQ,CAAC;QACjB,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,SAAS,SAAS,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,wDAAwD,CAAC;IACjI,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,kEAAkE;QAClE,8CAA8C;QAC9C,KAAK,GAAG,QAAQ,CAAC;QACjB,MAAM,GAAG,eAAe,UAAU,CAAC,MAAM,QAAQ,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,oCAAoC,CAAC;IAC1H,CAAC;IAED,OAAO;QACL,KAAK;QACL,UAAU;QACV,MAAM,EAAE,SAAS;QACjB,WAAW,EAAE,IAAI;QACjB,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;QACjC,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;QACjB,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAClB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YACpE,yEAAyE;YACzE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAC/B,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;gBAC7B,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACb,IAAI,IAAI;gBAAE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,UAAU,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,iBAAiB,CACxB,SAA8B,EAC9B,cAAwC;IAExC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC3C,IAAI,CAAC,SAAS;QAAE,OAAO,GAAG,CAAC;IAE3B,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA0B,CAAC;IAC5D,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QACtC,iBAAiB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAuB,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;QAChE,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAChC,CAAC;IAED,6DAA6D;IAC7D,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QACtC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,oEAAoE;IACpE,uDAAuD;IACvD,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAClC,MAAM,KAAK,GAAa,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;YAC3B,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC/B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACjB,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,8DAA8D;YAC9D,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC7C,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YACvD,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,YAAY,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,qEAAqE;IACrE,qBAAqB;IACrB,KAAK,MAAM,IAAI,IAAI,cAAc,CAAC,IAAI,EAAE,EAAE,CAAC;QACzC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,IAAiB,EAAE,GAAgB;IACtD,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/D,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;QACpB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,2EAA2E;AAC3E,SAAS,aAAa,CAAC,CAAS;IAC9B,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC5C,OAAO,OAAO,IAAI,GAAG,CAAC;AACxB,CAAC"}

package/dist/security/score.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Aggregate scoring for the security report.
+ *
+ * Distils a heterogeneous list of findings into a single letter grade
+ * (A..F) so the StatusDashboard card can show a tight summary, and the
+ * UI can sort/route on it. Also bundles the per-severity counts that
+ * the Security view consumes for its severity-grouped sections.
+ *
+ * The grading function is *not* CVSS-aware on purpose — a project with
+ * one critical CVE that has no exploit in the wild shouldn't be
+ * indistinguishable from one with ten. We follow these rules instead:
+ *
+ *   F  → any CRITICAL severity finding (supply-chain or posture)
+ *   D  → ≥3 HIGH, or ≥1 HIGH supply-chain
+ *   C  → any HIGH, or ≥5 MEDIUM
+ *   B  → any MEDIUM
+ *   A  → only LOW / INFO (or zero findings)
+ */
+import type { DependencyFinding, FixGroup, PostureFinding, SecurityReport, Severity } from '../types/index.js';
+declare const SEVERITY_KEYS: Severity[];
+export declare function buildSecurityReport(args: {
+    dependencies: DependencyFinding[];
+    posture: PostureFinding[];
+    fixGroups: FixGroup[];
+    scanState: SecurityReport['scanState'];
+}): SecurityReport;
+/**
+ * Hash the set of finding ids. The engine uses this to decide whether
+ * a freshly-built report actually differs from the last one — we only
+ * broadcast on transitions to keep WS traffic flat for stable apps.
+ */
+export declare function hashFindingIds(report: SecurityReport): string;
+/** Empty / "nothing recorded yet" baseline used before the first scan completes. */
+export declare function emptyReport(scanState: SecurityReport['scanState']): SecurityReport;
+export { SEVERITY_KEYS };
+//# sourceMappingURL=score.d.ts.map

package/dist/security/score.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.d.ts","sourceRoot":"","sources":["../../src/security/score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,QAAQ,EACR,cAAc,EACd,cAAc,EACd,QAAQ,EACT,MAAM,mBAAmB,CAAC;AAE3B,QAAA,MAAM,aAAa,EAAE,QAAQ,EAAkD,CAAC;AAEhF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE;IACxC,YAAY,EAAE,iBAAiB,EAAE,CAAC;IAClC,OAAO,EAAE,cAAc,EAAE,CAAC;IAC1B,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,SAAS,EAAE,cAAc,CAAC,WAAW,CAAC,CAAC;CACxC,GAAG,cAAc,CAqBjB;AAcD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAU7D;AAED,oFAAoF;AACpF,wBAAgB,WAAW,CAAC,SAAS,EAAE,cAAc,CAAC,WAAW,CAAC,GAAG,cAAc,CAiBlF;AAID,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/dist/security/score.js

@@ -0,0 +1,94 @@
+/**
+ * Aggregate scoring for the security report.
+ *
+ * Distils a heterogeneous list of findings into a single letter grade
+ * (A..F) so the StatusDashboard card can show a tight summary, and the
+ * UI can sort/route on it. Also bundles the per-severity counts that
+ * the Security view consumes for its severity-grouped sections.
+ *
+ * The grading function is *not* CVSS-aware on purpose — a project with
+ * one critical CVE that has no exploit in the wild shouldn't be
+ * indistinguishable from one with ten. We follow these rules instead:
+ *
+ *   F  → any CRITICAL severity finding (supply-chain or posture)
+ *   D  → ≥3 HIGH, or ≥1 HIGH supply-chain
+ *   C  → any HIGH, or ≥5 MEDIUM
+ *   B  → any MEDIUM
+ *   A  → only LOW / INFO (or zero findings)
+ */
+const SEVERITY_KEYS = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
+export function buildSecurityReport(args) {
+    const counts = {
+        CRITICAL: 0,
+        HIGH: 0,
+        MEDIUM: 0,
+        LOW: 0,
+        INFO: 0,
+    };
+    for (const f of args.dependencies)
+        counts[f.severity]++;
+    for (const f of args.posture)
+        counts[f.severity]++;
+    return {
+        generatedAt: Date.now(),
+        score: gradeFromCounts(counts, args.dependencies),
+        counts,
+        dependencies: args.dependencies,
+        posture: args.posture,
+        fixGroups: args.fixGroups,
+        scanState: args.scanState,
+    };
+}
+function gradeFromCounts(counts, dependencies) {
+    if (counts.CRITICAL > 0)
+        return 'F';
+    const supplyChainHigh = dependencies.filter((d) => d.severity === 'HIGH').length;
+    if (counts.HIGH >= 3 || supplyChainHigh >= 1)
+        return 'D';
+    if (counts.HIGH > 0 || counts.MEDIUM >= 5)
+        return 'C';
+    if (counts.MEDIUM > 0)
+        return 'B';
+    return 'A';
+}
+/**
+ * Hash the set of finding ids. The engine uses this to decide whether
+ * a freshly-built report actually differs from the last one — we only
+ * broadcast on transitions to keep WS traffic flat for stable apps.
+ */
+export function hashFindingIds(report) {
+    // The hash is intentionally simple — sort to get a stable order
+    // (analysis passes may emit findings in non-deterministic order if
+    // they iterate Maps), then join. Avoids the cost of a crypto digest
+    // when we just need a comparable string.
+    const ids = [];
+    for (const f of report.dependencies)
+        ids.push(`d:${f.id}`);
+    for (const f of report.posture)
+        ids.push(`p:${f.id}`);
+    ids.sort();
+    return ids.join('|');
+}
+/** Empty / "nothing recorded yet" baseline used before the first scan completes. */
+export function emptyReport(scanState) {
+    const counts = {
+        CRITICAL: 0,
+        HIGH: 0,
+        MEDIUM: 0,
+        LOW: 0,
+        INFO: 0,
+    };
+    return {
+        generatedAt: Date.now(),
+        score: 'A',
+        counts,
+        dependencies: [],
+        posture: [],
+        fixGroups: [],
+        scanState,
+    };
+}
+// Re-exported so consumers don't have to mention the type module twice
+// when iterating counts.
+export { SEVERITY_KEYS };
+//# sourceMappingURL=score.js.map

package/dist/security/score.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.js","sourceRoot":"","sources":["../../src/security/score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAUH,MAAM,aAAa,GAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;AAEhF,MAAM,UAAU,mBAAmB,CAAC,IAKnC;IACC,MAAM,MAAM,GAA6B;QACvC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,YAAY;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IACxD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAEnD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;QACvB,KAAK,EAAE,eAAe,CAAC,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC;QACjD,MAAM;QACN,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,MAAgC,EAChC,YAAiC;IAEjC,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IACpC,MAAM,eAAe,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACjF,IAAI,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,eAAe,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IACzD,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IACtD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,MAAsB;IACnD,gEAAgE;IAChE,mEAAmE;IACnE,oEAAoE;IACpE,yCAAyC;IACzC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,YAAY;QAAE,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3D,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO;QAAE,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACtD,GAAG,CAAC,IAAI,EAAE,CAAC;IACX,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,WAAW,CAAC,SAAsC;IAChE,MAAM,MAAM,GAA6B;QACvC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IACF,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;QACvB,KAAK,EAAE,GAAG;QACV,MAAM;QACN,YAAY,EAAE,EAAE;QAChB,OAAO,EAAE,EAAE;QACX,SAAS,EAAE,EAAE;QACb,SAAS;KACV,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,yBAAyB;AACzB,OAAO,EAAE,aAAa,EAAE,CAAC"}