@feiyoug/skill-lab 0.0.0 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +73 -0
- package/esm/analyzer/astgrep/client.d.ts +20 -8
- package/esm/analyzer/astgrep/client.d.ts.map +1 -1
- package/esm/analyzer/astgrep/client.js +58 -31
- package/esm/analyzer/config/default.d.ts +8 -0
- package/esm/analyzer/config/default.d.ts.map +1 -0
- package/esm/analyzer/config/default.js +91 -0
- package/esm/analyzer/config/helpers.d.ts +8 -0
- package/esm/analyzer/config/helpers.d.ts.map +1 -0
- package/esm/analyzer/config/helpers.js +72 -0
- package/esm/analyzer/config/mod.d.ts +4 -0
- package/esm/analyzer/config/mod.d.ts.map +1 -0
- package/esm/analyzer/config/mod.js +3 -0
- package/esm/analyzer/config/types.d.ts +58 -0
- package/esm/analyzer/config/types.d.ts.map +1 -0
- package/esm/analyzer/{config.js → config/types.js} +0 -28
- package/esm/analyzer/logging.d.ts +3 -0
- package/esm/analyzer/logging.d.ts.map +1 -0
- package/esm/analyzer/logging.js +6 -0
- package/esm/analyzer/mod.d.ts +12 -5
- package/esm/analyzer/mod.d.ts.map +1 -1
- package/esm/analyzer/mod.js +25 -12
- package/esm/analyzer/result.d.ts +35 -0
- package/esm/analyzer/result.d.ts.map +1 -0
- package/esm/analyzer/result.js +311 -0
- package/esm/analyzer/rules/bash/commands/mod.d.ts +1 -0
- package/esm/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/commands/mod.js +3 -0
- package/esm/analyzer/rules/bash/commands/pip.d.ts +3 -0
- package/esm/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
- package/esm/analyzer/rules/bash/commands/pip.js +14 -0
- package/esm/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
- package/esm/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/extractFileRefs.js +2 -2
- package/esm/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
- package/esm/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/inline-command-classifier.js +4 -4
- package/esm/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
- package/esm/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/javascript/extractFileRefs.js +3 -4
- package/esm/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
- package/esm/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
- package/esm/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/markdown/extractFileRefs.js +2 -0
- package/esm/analyzer/rules/python/extractFileRefs.d.ts +1 -1
- package/esm/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/python/extractFileRefs.js +2 -2
- package/esm/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
- package/esm/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
- package/esm/analyzer/steps/001-discovery/discover-files.js +18 -2
- package/esm/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/001-discovery/mod.js +39 -9
- package/esm/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/002-permissions/mod.js +156 -73
- package/esm/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
- package/esm/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
- package/esm/analyzer/steps/002-permissions/scan-file.js +40 -5
- package/esm/analyzer/steps/002-permissions/seed-frontmatter.js +2 -2
- package/esm/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
- package/esm/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
- package/esm/analyzer/steps/003-risks/dep-risks.js +74 -0
- package/esm/analyzer/steps/003-risks/helpers.d.ts +1 -0
- package/esm/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/helpers.js +1 -0
- package/esm/analyzer/steps/003-risks/mod.d.ts +3 -2
- package/esm/analyzer/steps/003-risks/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/mod.js +41 -4
- package/esm/analyzer/steps/003-risks/policy.d.ts +7 -0
- package/esm/analyzer/steps/003-risks/policy.d.ts.map +1 -0
- package/esm/analyzer/steps/003-risks/policy.js +23 -0
- package/esm/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
- package/esm/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/rule-mapped.js +83 -2
- package/esm/analyzer/steps/003-risks/scoring.d.ts +9 -1
- package/esm/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/scoring.js +55 -42
- package/esm/analyzer/treesitter/client.d.ts +31 -0
- package/esm/analyzer/treesitter/client.d.ts.map +1 -0
- package/esm/analyzer/{treesiter → treesitter}/client.js +43 -39
- package/esm/analyzer/treesitter/registry.d.ts +73 -0
- package/esm/analyzer/treesitter/registry.d.ts.map +1 -0
- package/esm/analyzer/treesitter/registry.js +165 -0
- package/esm/analyzer/types.d.ts +14 -28
- package/esm/analyzer/types.d.ts.map +1 -1
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +3 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +297 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +268 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.js +45 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.js +903 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.js +15 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.js +61 -0
- package/esm/shared/deep_merge.d.ts +12 -0
- package/esm/shared/deep_merge.d.ts.map +1 -0
- package/esm/shared/deep_merge.js +49 -0
- package/esm/shared/mod.d.ts +1 -0
- package/esm/shared/mod.d.ts.map +1 -1
- package/esm/shared/mod.js +1 -0
- package/esm/shared/types/filetypes.d.ts +2 -2
- package/esm/shared/types/filetypes.d.ts.map +1 -1
- package/esm/shared/types/permissions.d.ts +1 -1
- package/esm/shared/types/permissions.d.ts.map +1 -1
- package/esm/shared/types/risks.d.ts +4 -1
- package/esm/shared/types/risks.d.ts.map +1 -1
- package/esm/skillreader/types.d.ts +2 -2
- package/esm/skillreader/types.d.ts.map +1 -1
- package/esm/skillreader/types.js +2 -2
- package/package.json +1 -1
- package/script/analyzer/astgrep/client.d.ts +20 -8
- package/script/analyzer/astgrep/client.d.ts.map +1 -1
- package/script/analyzer/astgrep/client.js +58 -64
- package/script/analyzer/config/default.d.ts +8 -0
- package/script/analyzer/config/default.d.ts.map +1 -0
- package/script/analyzer/config/default.js +94 -0
- package/script/analyzer/config/helpers.d.ts +8 -0
- package/script/analyzer/config/helpers.d.ts.map +1 -0
- package/script/analyzer/config/helpers.js +76 -0
- package/script/analyzer/config/mod.d.ts +4 -0
- package/script/analyzer/config/mod.d.ts.map +1 -0
- package/script/analyzer/config/mod.js +21 -0
- package/script/analyzer/config/types.d.ts +58 -0
- package/script/analyzer/config/types.d.ts.map +1 -0
- package/script/analyzer/{config.js → config/types.js} +1 -29
- package/script/analyzer/logging.d.ts +3 -0
- package/script/analyzer/logging.d.ts.map +1 -0
- package/script/analyzer/logging.js +9 -0
- package/script/analyzer/mod.d.ts +12 -5
- package/script/analyzer/mod.d.ts.map +1 -1
- package/script/analyzer/mod.js +35 -20
- package/script/analyzer/result.d.ts +35 -0
- package/script/analyzer/result.d.ts.map +1 -0
- package/script/analyzer/result.js +315 -0
- package/script/analyzer/rules/bash/commands/mod.d.ts +1 -0
- package/script/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
- package/script/analyzer/rules/bash/commands/mod.js +3 -0
- package/script/analyzer/rules/bash/commands/pip.d.ts +3 -0
- package/script/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
- package/script/analyzer/rules/bash/commands/pip.js +17 -0
- package/script/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
- package/script/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/bash/extractFileRefs.js +2 -2
- package/script/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
- package/script/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
- package/script/analyzer/rules/bash/inline-command-classifier.js +4 -4
- package/script/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
- package/script/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/javascript/extractFileRefs.js +3 -4
- package/script/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
- package/script/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
- package/script/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/markdown/extractFileRefs.js +2 -0
- package/script/analyzer/rules/python/extractFileRefs.d.ts +1 -1
- package/script/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/python/extractFileRefs.js +2 -2
- package/script/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
- package/script/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
- package/script/analyzer/steps/001-discovery/discover-files.js +18 -2
- package/script/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
- package/script/analyzer/steps/001-discovery/mod.js +77 -11
- package/script/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
- package/script/analyzer/steps/002-permissions/mod.js +194 -75
- package/script/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
- package/script/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
- package/script/analyzer/steps/002-permissions/scan-file.js +40 -5
- package/script/analyzer/steps/002-permissions/seed-frontmatter.js +3 -3
- package/script/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
- package/script/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
- package/script/analyzer/steps/003-risks/dep-risks.js +77 -0
- package/script/analyzer/steps/003-risks/helpers.d.ts +1 -0
- package/script/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/helpers.js +1 -0
- package/script/analyzer/steps/003-risks/mod.d.ts +3 -2
- package/script/analyzer/steps/003-risks/mod.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/mod.js +77 -4
- package/script/analyzer/steps/003-risks/policy.d.ts +7 -0
- package/script/analyzer/steps/003-risks/policy.d.ts.map +1 -0
- package/script/analyzer/steps/003-risks/policy.js +29 -0
- package/script/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
- package/script/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/rule-mapped.js +83 -2
- package/script/analyzer/steps/003-risks/scoring.d.ts +9 -1
- package/script/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/scoring.js +55 -42
- package/script/analyzer/treesitter/client.d.ts +31 -0
- package/script/analyzer/treesitter/client.d.ts.map +1 -0
- package/script/analyzer/treesitter/client.js +136 -0
- package/script/analyzer/treesitter/registry.d.ts +73 -0
- package/script/analyzer/treesitter/registry.d.ts.map +1 -0
- package/script/analyzer/treesitter/registry.js +206 -0
- package/script/analyzer/types.d.ts +14 -28
- package/script/analyzer/types.d.ts.map +1 -1
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +10 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +334 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +305 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.js +48 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.js +986 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.js +18 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.js +65 -0
- package/script/shared/deep_merge.d.ts +12 -0
- package/script/shared/deep_merge.d.ts.map +1 -0
- package/script/shared/deep_merge.js +53 -0
- package/script/shared/mod.d.ts +1 -0
- package/script/shared/mod.d.ts.map +1 -1
- package/script/shared/mod.js +1 -0
- package/script/shared/types/filetypes.d.ts +2 -2
- package/script/shared/types/filetypes.d.ts.map +1 -1
- package/script/shared/types/permissions.d.ts +1 -1
- package/script/shared/types/permissions.d.ts.map +1 -1
- package/script/shared/types/risks.d.ts +4 -1
- package/script/shared/types/risks.d.ts.map +1 -1
- package/script/skillreader/types.d.ts +2 -2
- package/script/skillreader/types.d.ts.map +1 -1
- package/script/skillreader/types.js +2 -2
- package/src/_dnt.polyfills.ts +27 -0
- package/src/_dnt.shims.ts +64 -0
- package/src/analyzer/astgrep/client.ts +184 -0
- package/src/analyzer/astgrep/mod.ts +2 -0
- package/src/analyzer/config/default.ts +98 -0
- package/src/analyzer/config/helpers.ts +107 -0
- package/src/analyzer/config/mod.ts +3 -0
- package/src/analyzer/config/types.ts +103 -0
- package/src/analyzer/logging.ts +8 -0
- package/src/analyzer/mod.ts +118 -0
- package/src/analyzer/result.ts +393 -0
- package/src/analyzer/rules/bash/astTypes.ts +5 -0
- package/src/analyzer/rules/bash/commands/bd.ts +23 -0
- package/src/analyzer/rules/bash/commands/cron.ts +21 -0
- package/src/analyzer/rules/bash/commands/docker.ts +37 -0
- package/src/analyzer/rules/bash/commands/eval.ts +52 -0
- package/src/analyzer/rules/bash/commands/generic.ts +16 -0
- package/src/analyzer/rules/bash/commands/gh.ts +21 -0
- package/src/analyzer/rules/bash/commands/git.ts +28 -0
- package/src/analyzer/rules/bash/commands/mod.ts +38 -0
- package/src/analyzer/rules/bash/commands/node.ts +64 -0
- package/src/analyzer/rules/bash/commands/openspec.ts +16 -0
- package/src/analyzer/rules/bash/commands/pip.ts +16 -0
- package/src/analyzer/rules/bash/commands/sudo.ts +21 -0
- package/src/analyzer/rules/bash/destructive.ts +28 -0
- package/src/analyzer/rules/bash/extractFileRefs.ts +101 -0
- package/src/analyzer/rules/bash/filesystem.ts +50 -0
- package/src/analyzer/rules/bash/injection.ts +21 -0
- package/src/analyzer/rules/bash/inline-command-classifier.ts +94 -0
- package/src/analyzer/rules/bash/mod.ts +23 -0
- package/src/analyzer/rules/bash/network.ts +64 -0
- package/src/analyzer/rules/bash/secret-detection.ts +43 -0
- package/src/analyzer/rules/javascript/astTypes.ts +8 -0
- package/src/analyzer/rules/javascript/extractFileRefs.ts +131 -0
- package/src/analyzer/rules/javascript/filesystem.ts +28 -0
- package/src/analyzer/rules/javascript/injection.ts +21 -0
- package/src/analyzer/rules/javascript/mod.ts +26 -0
- package/src/analyzer/rules/javascript/network.ts +27 -0
- package/src/analyzer/rules/javascript/secret-detection.ts +68 -0
- package/src/analyzer/rules/javascript/subprocess.ts +16 -0
- package/src/analyzer/rules/markdown/astTypes.ts +35 -0
- package/src/analyzer/rules/markdown/extractCodeBlocks.ts +101 -0
- package/src/analyzer/rules/markdown/extractFileRefs.ts +179 -0
- package/src/analyzer/rules/markdown/mod.ts +12 -0
- package/src/analyzer/rules/mod.ts +77 -0
- package/src/analyzer/rules/python/astTypes.ts +9 -0
- package/src/analyzer/rules/python/extractFileRefs.ts +92 -0
- package/src/analyzer/rules/python/mod.ts +15 -0
- package/src/analyzer/rules/python/network.ts +26 -0
- package/src/analyzer/rules/python/secret-detection.ts +30 -0
- package/src/analyzer/rules/shared/file-refs.ts +38 -0
- package/src/analyzer/rules/shared/network-evaluators.ts +107 -0
- package/src/analyzer/rules/shared/prompt-injection.ts +48 -0
- package/src/analyzer/rules/shared/secret-evaluators.ts +13 -0
- package/src/analyzer/rules/text/mod.ts +12 -0
- package/src/analyzer/rules/typescript/mod.ts +7 -0
- package/src/analyzer/steps/001-discovery/discover-files.ts +211 -0
- package/src/analyzer/steps/001-discovery/filter-files.ts +72 -0
- package/src/analyzer/steps/001-discovery/mod.ts +103 -0
- package/src/analyzer/steps/002-permissions/mod.ts +329 -0
- package/src/analyzer/steps/002-permissions/scan-file.ts +258 -0
- package/src/analyzer/steps/002-permissions/seed-frontmatter.ts +66 -0
- package/src/analyzer/steps/002-permissions/synthesize.ts +42 -0
- package/src/analyzer/steps/003-risks/dep-risks.ts +89 -0
- package/src/analyzer/steps/003-risks/helpers.ts +41 -0
- package/src/analyzer/steps/003-risks/mod.ts +86 -0
- package/src/analyzer/steps/003-risks/policy.ts +38 -0
- package/src/analyzer/steps/003-risks/rule-mapped.ts +206 -0
- package/src/analyzer/steps/003-risks/scoring.ts +117 -0
- package/src/analyzer/steps/mod.ts +3 -0
- package/src/analyzer/treesitter/client.ts +120 -0
- package/src/analyzer/treesitter/registry.ts +198 -0
- package/src/analyzer/types.ts +78 -0
- package/src/analyzer/utils/code-block-path.ts +33 -0
- package/src/analyzer/utils/id-generator.ts +59 -0
- package/src/analyzer/utils/secret-validator.ts +29 -0
- package/src/analyzer/utils/url-parser.ts +25 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/deps.ts +3 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/mod.ts +265 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/multi.ts +250 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/time.ts +69 -0
- package/src/deps/jsr.io/@std/fmt/1.0.3/colors.ts +1004 -0
- package/src/deps/jsr.io/@std/internal/1.0.12/_os.ts +15 -0
- package/src/deps/jsr.io/@std/internal/1.0.12/os.ts +7 -0
- package/src/deps/jsr.io/@std/io/0.225.0/types.ts +157 -0
- package/src/deps/jsr.io/@std/io/0.225.0/write_all.ts +65 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/assert_path.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/basename.ts +53 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/common.ts +26 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/constants.ts +49 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/dirname.ts +9 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/format.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/from_file_url.ts +12 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/glob_to_reg_exp.ts +295 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize.ts +9 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize_string.ts +74 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/relative.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/strip_trailing_separators.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/to_file_url.ts +17 -0
- package/src/deps/jsr.io/@std/path/1.1.4/basename.ts +37 -0
- package/src/deps/jsr.io/@std/path/1.1.4/common.ts +35 -0
- package/src/deps/jsr.io/@std/path/1.1.4/constants.ts +18 -0
- package/src/deps/jsr.io/@std/path/1.1.4/dirname.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/extname.ts +29 -0
- package/src/deps/jsr.io/@std/path/1.1.4/format.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/from_file_url.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/glob_to_regexp.ts +94 -0
- package/src/deps/jsr.io/@std/path/1.1.4/is_absolute.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/is_glob.ts +49 -0
- package/src/deps/jsr.io/@std/path/1.1.4/join.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/join_globs.ts +42 -0
- package/src/deps/jsr.io/@std/path/1.1.4/mod.ts +217 -0
- package/src/deps/jsr.io/@std/path/1.1.4/normalize.ts +33 -0
- package/src/deps/jsr.io/@std/path/1.1.4/normalize_glob.ts +45 -0
- package/src/deps/jsr.io/@std/path/1.1.4/parse.ts +44 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/_util.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/basename.ts +62 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/constants.ts +15 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/dirname.ts +72 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/extname.ts +96 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/format.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/from_file_url.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/glob_to_regexp.ts +94 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/is_absolute.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/join.ts +46 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/join_globs.ts +45 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize.ts +63 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize_glob.ts +43 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/parse.ts +121 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/relative.ts +103 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/resolve.ts +71 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/to_file_url.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/to_namespaced_path.ts +21 -0
- package/src/deps/jsr.io/@std/path/1.1.4/relative.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/resolve.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/to_file_url.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/to_namespaced_path.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/types.ts +40 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/_util.ts +28 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/basename.ts +54 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/constants.ts +15 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/dirname.ts +118 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/extname.ts +90 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/format.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/from_file_url.ts +34 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/glob_to_regexp.ts +92 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/is_absolute.ts +40 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/join.ts +78 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/join_globs.ts +46 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize.ts +136 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize_glob.ts +43 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/parse.ts +184 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/relative.ts +128 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/resolve.ts +178 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/to_file_url.ts +38 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/to_namespaced_path.ts +60 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_chars.ts +55 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_dumper_state.ts +841 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_loader_state.ts +1780 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_schema.ts +183 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/binary.ts +127 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/bool.ts +37 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/float.ts +112 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/int.ts +174 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/map.ts +17 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/merge.ts +13 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/nil.ts +27 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/omap.ts +30 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/pairs.ts +22 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/regexp.ts +33 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/seq.ts +13 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/set.ts +17 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/str.ts +12 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/timestamp.ts +101 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/undefined.ts +23 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type.ts +49 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_utils.ts +16 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/mod.ts +54 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/parse.ts +128 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/stringify.ts +118 -0
- package/src/shared/deep_merge.ts +73 -0
- package/src/shared/mod.ts +2 -0
- package/src/shared/types/filetypes.ts +101 -0
- package/src/shared/types/findings.ts +7 -0
- package/src/shared/types/mod.ts +6 -0
- package/src/shared/types/permissions.ts +17 -0
- package/src/shared/types/references.ts +62 -0
- package/src/shared/types/risks.ts +72 -0
- package/src/shared/types/syntaxNode.ts +7 -0
- package/src/skillreader/cloudStorage/mod.ts +170 -0
- package/src/skillreader/factory.ts +71 -0
- package/src/skillreader/fs/git.ts +153 -0
- package/src/skillreader/fs/mod.ts +84 -0
- package/src/skillreader/github/base.ts +162 -0
- package/src/skillreader/github/githubApi.ts +40 -0
- package/src/skillreader/github/githubRaw.ts +24 -0
- package/src/skillreader/github/mod.ts +45 -0
- package/src/skillreader/github/utils.ts +40 -0
- package/src/skillreader/manifest.ts +67 -0
- package/src/skillreader/mod.ts +26 -0
- package/src/skillreader/types.ts +150 -0
- package/src/skillreader/utils/frontmatter-parser.ts +72 -0
- package/src/skillreader/utils/http-range.ts +38 -0
- package/src/skillreader/utils/mod.ts +12 -0
- package/esm/analyzer/astgrep/registry.d.ts +0 -18
- package/esm/analyzer/astgrep/registry.d.ts.map +0 -1
- package/esm/analyzer/astgrep/registry.js +0 -71
- package/esm/analyzer/config.d.ts +0 -27
- package/esm/analyzer/config.d.ts.map +0 -1
- package/esm/analyzer/steps/003-risks/output.d.ts +0 -3
- package/esm/analyzer/steps/003-risks/output.d.ts.map +0 -1
- package/esm/analyzer/steps/003-risks/output.js +0 -16
- package/esm/analyzer/treesiter/client.d.ts +0 -26
- package/esm/analyzer/treesiter/client.d.ts.map +0 -1
- package/script/analyzer/astgrep/registry.d.ts +0 -18
- package/script/analyzer/astgrep/registry.d.ts.map +0 -1
- package/script/analyzer/astgrep/registry.js +0 -109
- package/script/analyzer/config.d.ts +0 -27
- package/script/analyzer/config.d.ts.map +0 -1
- package/script/analyzer/steps/003-risks/output.d.ts +0 -3
- package/script/analyzer/steps/003-risks/output.d.ts.map +0 -1
- package/script/analyzer/steps/003-risks/output.js +0 -19
- package/script/analyzer/treesiter/client.d.ts +0 -26
- package/script/analyzer/treesiter/client.d.ts.map +0 -1
- package/script/analyzer/treesiter/client.js +0 -165
|
@@ -0,0 +1,184 @@
|
|
|
1
|
+
import { initializeTreeSitter, parse, registerDynamicLanguage } from "../../.npm-build-vendor/ast-grep-wasm/mod.js";
|
|
2
|
+
import type {
|
|
3
|
+
Finding,
|
|
4
|
+
PermissionScope,
|
|
5
|
+
Reference,
|
|
6
|
+
ReferenceType,
|
|
7
|
+
RuleRiskMapping,
|
|
8
|
+
} from "../../shared/mod.js";
|
|
9
|
+
import { ensureGrammar } from "../treesitter/registry.js";
|
|
10
|
+
import type { TreesitterGrammar } from "../treesitter/registry.js";
|
|
11
|
+
import type { AnalyzerLogger } from "../types.js";
|
|
12
|
+
import { NO_OP_LOGGER } from "../logging.js";
|
|
13
|
+
|
|
14
|
+
export type AstGrepGrammar = Exclude<TreesitterGrammar, "markdown" | "markdown-inline" | "tsx">;
|
|
15
|
+
|
|
16
|
+
export type AstGrepRule = {
|
|
17
|
+
id: string;
|
|
18
|
+
description: string;
|
|
19
|
+
grammar: AstGrepGrammar;
|
|
20
|
+
patterns: string[];
|
|
21
|
+
permission: {
|
|
22
|
+
tool: string;
|
|
23
|
+
scope: PermissionScope;
|
|
24
|
+
permission: string;
|
|
25
|
+
metadata?: Record<string, string>;
|
|
26
|
+
mappedRisks?: RuleRiskMapping[];
|
|
27
|
+
};
|
|
28
|
+
};
|
|
29
|
+
|
|
30
|
+
export type AstGrepMatch = {
|
|
31
|
+
ruleId: string;
|
|
32
|
+
line: number;
|
|
33
|
+
lineEnd?: number;
|
|
34
|
+
extracted: Record<string, unknown>;
|
|
35
|
+
};
|
|
36
|
+
|
|
37
|
+
type SgRoot = ReturnType<typeof parse>;
|
|
38
|
+
type SgRootCache = Map<number, Map<number, SgRoot>>;
|
|
39
|
+
|
|
40
|
+
export class AstGrepClient {
|
|
41
|
+
private REGISTERED_GRAMMARS = new Set<AstGrepGrammar>();
|
|
42
|
+
private SG_ROOT_CACHE_BY_CONTENT: Partial<Record<AstGrepGrammar, SgRootCache>> = {};
|
|
43
|
+
|
|
44
|
+
/** Lazy runtime init promise — created on first use, shared across all calls. */
|
|
45
|
+
private parserInitialized: boolean = false;
|
|
46
|
+
|
|
47
|
+
constructor(
|
|
48
|
+
private readonly logger: AnalyzerLogger = NO_OP_LOGGER,
|
|
49
|
+
private readonly showProgressBar: boolean = false,
|
|
50
|
+
) {}
|
|
51
|
+
|
|
52
|
+
/** Parse content for direct AST traversal using kind/composite rules. */
|
|
53
|
+
public async parse(
|
|
54
|
+
language: AstGrepGrammar,
|
|
55
|
+
content: string,
|
|
56
|
+
): Promise<SgRoot> {
|
|
57
|
+
await this.ensureLanguageRegistered(language);
|
|
58
|
+
const sgRootByLen = this.getSgRootCache(language);
|
|
59
|
+
const len = content.length;
|
|
60
|
+
const rootByHash = sgRootByLen.get(len);
|
|
61
|
+
if (rootByHash) {
|
|
62
|
+
const hash = this.hashContent(content);
|
|
63
|
+
const cached = rootByHash.get(hash);
|
|
64
|
+
if (cached) return cached;
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
const sgRoot = parse(language, content);
|
|
68
|
+
const hash = this.hashContent(content);
|
|
69
|
+
const bucket = sgRootByLen.get(len) ?? new Map<number, SgRoot>();
|
|
70
|
+
bucket.set(hash, sgRoot);
|
|
71
|
+
sgRootByLen.set(len, bucket);
|
|
72
|
+
|
|
73
|
+
return sgRoot;
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
public async scanWithRules(
|
|
77
|
+
content: string,
|
|
78
|
+
language: AstGrepGrammar,
|
|
79
|
+
rules: AstGrepRule[],
|
|
80
|
+
): Promise<AstGrepMatch[]> {
|
|
81
|
+
await this.ensureLanguageRegistered(language);
|
|
82
|
+
const matches: AstGrepMatch[] = [];
|
|
83
|
+
|
|
84
|
+
try {
|
|
85
|
+
const ast = await this.parse(language, content);
|
|
86
|
+
const root = ast.root();
|
|
87
|
+
|
|
88
|
+
for (const rule of rules) {
|
|
89
|
+
for (const pattern of rule.patterns) {
|
|
90
|
+
const nodes = root.findAll(pattern);
|
|
91
|
+
|
|
92
|
+
for (const node of nodes) {
|
|
93
|
+
const range = node.range();
|
|
94
|
+
const extracted: Record<string, unknown> = { pattern };
|
|
95
|
+
|
|
96
|
+
if (rule.permission.metadata) {
|
|
97
|
+
for (const [key, metaVar] of Object.entries(rule.permission.metadata)) {
|
|
98
|
+
const varNode = node.getMatch(metaVar);
|
|
99
|
+
if (varNode) {
|
|
100
|
+
extracted[key] = this.stripQuotes(varNode.text());
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
matches.push({
|
|
106
|
+
ruleId: rule.id,
|
|
107
|
+
line: range.start.line + 1,
|
|
108
|
+
lineEnd: range.end.line + 1,
|
|
109
|
+
extracted,
|
|
110
|
+
});
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
} catch (error) {
|
|
115
|
+
throw new Error(`Failed to match rules: ${error}`);
|
|
116
|
+
}
|
|
117
|
+
|
|
118
|
+
return matches;
|
|
119
|
+
}
|
|
120
|
+
|
|
121
|
+
public matchesToFindings(
|
|
122
|
+
file: string,
|
|
123
|
+
type: ReferenceType,
|
|
124
|
+
matches: AstGrepMatch[],
|
|
125
|
+
referencedBy?: Reference,
|
|
126
|
+
): Finding[] {
|
|
127
|
+
return matches.map((match) => ({
|
|
128
|
+
ruleId: match.ruleId,
|
|
129
|
+
reference: {
|
|
130
|
+
file,
|
|
131
|
+
line: match.line,
|
|
132
|
+
lineEnd: match.lineEnd,
|
|
133
|
+
type,
|
|
134
|
+
referencedBy,
|
|
135
|
+
},
|
|
136
|
+
extracted: match.extracted,
|
|
137
|
+
}));
|
|
138
|
+
}
|
|
139
|
+
|
|
140
|
+
/** Initializes the ast-grep runtime once (without registering grammars yet). */
|
|
141
|
+
private async ensureRuntimeInit() {
|
|
142
|
+
if (this.parserInitialized) return;
|
|
143
|
+
|
|
144
|
+
await initializeTreeSitter();
|
|
145
|
+
}
|
|
146
|
+
|
|
147
|
+
/** Lazily register a single grammar the first time it is needed. */
|
|
148
|
+
private async ensureLanguageRegistered(language: AstGrepGrammar) {
|
|
149
|
+
if (this.REGISTERED_GRAMMARS.has(language)) return;
|
|
150
|
+
|
|
151
|
+
await this.ensureRuntimeInit();
|
|
152
|
+
const wasmPath = await ensureGrammar(language, {
|
|
153
|
+
logger: this.logger,
|
|
154
|
+
showProgressBar: this.showProgressBar,
|
|
155
|
+
});
|
|
156
|
+
await registerDynamicLanguage({ [language]: { libraryPath: wasmPath } });
|
|
157
|
+
this.REGISTERED_GRAMMARS.add(language);
|
|
158
|
+
}
|
|
159
|
+
|
|
160
|
+
private stripQuotes(value: string): string {
|
|
161
|
+
return value
|
|
162
|
+
.replace(/^['"`]/, "")
|
|
163
|
+
.replace(/['"`]$/, "")
|
|
164
|
+
.replace(/[;,)]+$/, "")
|
|
165
|
+
.trim();
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
private getSgRootCache(language: AstGrepGrammar): SgRootCache {
|
|
169
|
+
if (!this.SG_ROOT_CACHE_BY_CONTENT[language]) {
|
|
170
|
+
this.SG_ROOT_CACHE_BY_CONTENT[language] = new Map<number, Map<number, SgRoot>>();
|
|
171
|
+
}
|
|
172
|
+
return this.SG_ROOT_CACHE_BY_CONTENT[language]!;
|
|
173
|
+
}
|
|
174
|
+
|
|
175
|
+
private hashContent(content: string): number {
|
|
176
|
+
// FNV-1a 32-bit (fast, non-cryptographic)
|
|
177
|
+
let hash = 0x811c9dc5;
|
|
178
|
+
for (let i = 0; i < content.length; i++) {
|
|
179
|
+
hash ^= content.charCodeAt(i);
|
|
180
|
+
hash = Math.imul(hash, 0x01000193);
|
|
181
|
+
}
|
|
182
|
+
return hash >>> 0;
|
|
183
|
+
}
|
|
184
|
+
}
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
import type { TreesitterGrammar } from "../treesitter/registry.js";
|
|
2
|
+
import type { AnalyzerConfig, LanguagePolicy, RiskReportConfig } from "./types.js";
|
|
3
|
+
|
|
4
|
+
export const NODE_BUILTIN_IMPORTS = [
|
|
5
|
+
"buffer",
|
|
6
|
+
"child_process",
|
|
7
|
+
"crypto",
|
|
8
|
+
"events",
|
|
9
|
+
"fs",
|
|
10
|
+
"fs/promises",
|
|
11
|
+
"http",
|
|
12
|
+
"https",
|
|
13
|
+
"os",
|
|
14
|
+
"path",
|
|
15
|
+
"stream",
|
|
16
|
+
"timers",
|
|
17
|
+
"url",
|
|
18
|
+
"util",
|
|
19
|
+
"node:buffer",
|
|
20
|
+
"node:child_process",
|
|
21
|
+
"node:crypto",
|
|
22
|
+
"node:events",
|
|
23
|
+
"node:fs",
|
|
24
|
+
"node:fs/promises",
|
|
25
|
+
"node:http",
|
|
26
|
+
"node:https",
|
|
27
|
+
"node:os",
|
|
28
|
+
"node:path",
|
|
29
|
+
"node:stream",
|
|
30
|
+
"node:timers",
|
|
31
|
+
"node:url",
|
|
32
|
+
"node:util",
|
|
33
|
+
] as const;
|
|
34
|
+
|
|
35
|
+
export const PYTHON_BUILTIN_IMPORTS = [
|
|
36
|
+
"argparse",
|
|
37
|
+
"collections",
|
|
38
|
+
"datetime",
|
|
39
|
+
"functools",
|
|
40
|
+
"hashlib",
|
|
41
|
+
"itertools",
|
|
42
|
+
"json",
|
|
43
|
+
"logging",
|
|
44
|
+
"math",
|
|
45
|
+
"os",
|
|
46
|
+
"os.path",
|
|
47
|
+
"pathlib",
|
|
48
|
+
"re",
|
|
49
|
+
"shutil",
|
|
50
|
+
"subprocess",
|
|
51
|
+
"sys",
|
|
52
|
+
"tempfile",
|
|
53
|
+
"typing",
|
|
54
|
+
"urllib",
|
|
55
|
+
"urllib.parse",
|
|
56
|
+
"urllib.request",
|
|
57
|
+
] as const;
|
|
58
|
+
|
|
59
|
+
export const DEFAULT_ALLOWLIST_LANGUAGES: Partial<Record<TreesitterGrammar, LanguagePolicy>> = {
|
|
60
|
+
javascript: { imports: [...NODE_BUILTIN_IMPORTS] },
|
|
61
|
+
typescript: { imports: [...NODE_BUILTIN_IMPORTS] },
|
|
62
|
+
tsx: { imports: [...NODE_BUILTIN_IMPORTS] },
|
|
63
|
+
python: { imports: [...PYTHON_BUILTIN_IMPORTS] },
|
|
64
|
+
};
|
|
65
|
+
|
|
66
|
+
export const DEFAULT_RISK_REPORT_CONFIG: Required<RiskReportConfig> = {
|
|
67
|
+
baseScore: {
|
|
68
|
+
info: 0,
|
|
69
|
+
warning: 1,
|
|
70
|
+
critical: 5,
|
|
71
|
+
},
|
|
72
|
+
uplift: {
|
|
73
|
+
"NETWORK:data_exfiltration": 5,
|
|
74
|
+
"NETWORK:remote_code_execution": 5,
|
|
75
|
+
"NETWORK:credential_leak": 7,
|
|
76
|
+
"NETWORK:localhost_secret_exposure": 2,
|
|
77
|
+
},
|
|
78
|
+
thresholds: {
|
|
79
|
+
safe: 0,
|
|
80
|
+
caution: 1,
|
|
81
|
+
attention: 3,
|
|
82
|
+
risky: 5,
|
|
83
|
+
avoid: 7,
|
|
84
|
+
},
|
|
85
|
+
};
|
|
86
|
+
|
|
87
|
+
export const DEFAULT_ANALYZER_CONFIG: AnalyzerConfig = {
|
|
88
|
+
scan: {
|
|
89
|
+
maxFileSize: 1_000_000,
|
|
90
|
+
maxFileCount: 100,
|
|
91
|
+
maxScanDepth: 5,
|
|
92
|
+
},
|
|
93
|
+
allowlist: {
|
|
94
|
+
languages: DEFAULT_ALLOWLIST_LANGUAGES,
|
|
95
|
+
},
|
|
96
|
+
denylist: undefined,
|
|
97
|
+
riskReport: DEFAULT_RISK_REPORT_CONFIG,
|
|
98
|
+
};
|
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
import type { TreesitterGrammar } from "../treesitter/registry.js";
|
|
2
|
+
import { DEFAULT_ANALYZER_CONFIG } from "./default.js";
|
|
3
|
+
import type { Allowlist, AnalyzerConfig, LanguagePolicy, NetworkPolicy } from "./types.js";
|
|
4
|
+
|
|
5
|
+
type DeepPartial<T> = {
|
|
6
|
+
[K in keyof T]?: T[K] extends Array<infer U> ? Array<U>
|
|
7
|
+
: T[K] extends Record<string, unknown> ? DeepPartial<T[K]>
|
|
8
|
+
: T[K];
|
|
9
|
+
};
|
|
10
|
+
|
|
11
|
+
export function resolveConfig(partial?: Partial<AnalyzerConfig>): AnalyzerConfig {
|
|
12
|
+
const defaultScan = DEFAULT_ANALYZER_CONFIG.scan ?? {};
|
|
13
|
+
const partialScan = partial?.scan ?? {};
|
|
14
|
+
const defaultRiskReport = DEFAULT_ANALYZER_CONFIG.riskReport ?? {};
|
|
15
|
+
const partialRiskReport = partial?.riskReport ?? {};
|
|
16
|
+
|
|
17
|
+
return {
|
|
18
|
+
scan: deepMergeJson(defaultScan, partialScan),
|
|
19
|
+
allowlist: mergeAllowlist(DEFAULT_ANALYZER_CONFIG.allowlist, partial?.allowlist),
|
|
20
|
+
denylist: mergeAllowlist(DEFAULT_ANALYZER_CONFIG.denylist, partial?.denylist),
|
|
21
|
+
riskReport: deepMergeJson(defaultRiskReport, partialRiskReport),
|
|
22
|
+
};
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
export function deepMergeJson<T extends Record<string, unknown>>(
|
|
26
|
+
base: T,
|
|
27
|
+
override: DeepPartial<T>,
|
|
28
|
+
): T {
|
|
29
|
+
const result: Record<string, unknown> = { ...base };
|
|
30
|
+
|
|
31
|
+
for (const key of Object.keys(override)) {
|
|
32
|
+
const baseValue = result[key];
|
|
33
|
+
const overrideValue = override[key as keyof T];
|
|
34
|
+
|
|
35
|
+
if (overrideValue === undefined) continue;
|
|
36
|
+
|
|
37
|
+
if (isPlainObject(baseValue) && isPlainObject(overrideValue)) {
|
|
38
|
+
result[key] = deepMergeJson(
|
|
39
|
+
baseValue as Record<string, unknown>,
|
|
40
|
+
overrideValue as Record<string, unknown>,
|
|
41
|
+
);
|
|
42
|
+
continue;
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
result[key] = overrideValue;
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
return result as T;
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
function isPlainObject(value: unknown): value is Record<string, unknown> {
|
|
52
|
+
if (typeof value !== "object" || value === null) return false;
|
|
53
|
+
if (Array.isArray(value)) return false;
|
|
54
|
+
return Object.getPrototypeOf(value) === Object.prototype;
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
function mergeAllowlist(
|
|
58
|
+
base: Allowlist | undefined,
|
|
59
|
+
override: Allowlist | undefined,
|
|
60
|
+
): Allowlist | undefined {
|
|
61
|
+
if (!base && !override) return undefined;
|
|
62
|
+
|
|
63
|
+
const languages = mergeLanguagePolicies(base?.languages, override?.languages);
|
|
64
|
+
const network = mergeNetworkPolicy(base?.network, override?.network);
|
|
65
|
+
|
|
66
|
+
if (!languages && !network) return undefined;
|
|
67
|
+
return { languages, network };
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
function mergeLanguagePolicies(
|
|
71
|
+
base: Partial<Record<TreesitterGrammar, LanguagePolicy>> | undefined,
|
|
72
|
+
override: Partial<Record<TreesitterGrammar, LanguagePolicy>> | undefined,
|
|
73
|
+
): Partial<Record<TreesitterGrammar, LanguagePolicy>> | undefined {
|
|
74
|
+
if (!base && !override) return undefined;
|
|
75
|
+
|
|
76
|
+
const keys = new Set<TreesitterGrammar>([
|
|
77
|
+
...Object.keys(base ?? {}) as TreesitterGrammar[],
|
|
78
|
+
...Object.keys(override ?? {}) as TreesitterGrammar[],
|
|
79
|
+
]);
|
|
80
|
+
|
|
81
|
+
const result: Partial<Record<TreesitterGrammar, LanguagePolicy>> = {};
|
|
82
|
+
for (const key of keys) {
|
|
83
|
+
const imports = mergeStringList(base?.[key]?.imports, override?.[key]?.imports);
|
|
84
|
+
if (!imports) continue;
|
|
85
|
+
result[key] = { imports };
|
|
86
|
+
}
|
|
87
|
+
|
|
88
|
+
return Object.keys(result).length > 0 ? result : undefined;
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
function mergeNetworkPolicy(
|
|
92
|
+
base: NetworkPolicy | undefined,
|
|
93
|
+
override: NetworkPolicy | undefined,
|
|
94
|
+
): NetworkPolicy | undefined {
|
|
95
|
+
if (!base && !override) return undefined;
|
|
96
|
+
const domains = mergeStringList(base?.domains, override?.domains);
|
|
97
|
+
return domains ? { domains } : undefined;
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
function mergeStringList(
|
|
101
|
+
base: string[] | undefined,
|
|
102
|
+
override: string[] | undefined,
|
|
103
|
+
): string[] | undefined {
|
|
104
|
+
if (!base && !override) return undefined;
|
|
105
|
+
const values = new Set<string>([...(base ?? []), ...(override ?? [])]);
|
|
106
|
+
return values.size > 0 ? [...values] : undefined;
|
|
107
|
+
}
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
import type { RiskCode } from "../../shared/mod.js";
|
|
2
|
+
import { PermissionScope } from "../../shared/mod.js";
|
|
3
|
+
import type { TreesitterGrammar } from "../treesitter/registry.js";
|
|
4
|
+
|
|
5
|
+
export const DEFAULT_SKILL_VERSION = "0.0.1";
|
|
6
|
+
|
|
7
|
+
export type LanguagePolicy = {
|
|
8
|
+
imports?: string[];
|
|
9
|
+
};
|
|
10
|
+
|
|
11
|
+
export type NetworkPolicy = {
|
|
12
|
+
domains?: string[];
|
|
13
|
+
};
|
|
14
|
+
|
|
15
|
+
export type ScanConfig = {
|
|
16
|
+
maxFileSize?: number;
|
|
17
|
+
maxFileCount?: number;
|
|
18
|
+
maxScanDepth?: number;
|
|
19
|
+
};
|
|
20
|
+
|
|
21
|
+
export type Allowlist = {
|
|
22
|
+
languages?: Partial<Record<TreesitterGrammar, LanguagePolicy>>;
|
|
23
|
+
network?: NetworkPolicy;
|
|
24
|
+
};
|
|
25
|
+
|
|
26
|
+
export type Denylist = {
|
|
27
|
+
languages?: Partial<Record<TreesitterGrammar, LanguagePolicy>>;
|
|
28
|
+
network?: NetworkPolicy;
|
|
29
|
+
};
|
|
30
|
+
|
|
31
|
+
export type AnalyzerConfig = {
|
|
32
|
+
scan?: ScanConfig;
|
|
33
|
+
allowlist?: Allowlist;
|
|
34
|
+
denylist?: Denylist;
|
|
35
|
+
riskReport?: RiskReportConfig;
|
|
36
|
+
};
|
|
37
|
+
|
|
38
|
+
export type RiskUpliftConfig = Partial<Record<RiskCode, number>>;
|
|
39
|
+
|
|
40
|
+
export type RiskThresholdConfig = {
|
|
41
|
+
safe: number;
|
|
42
|
+
caution: number;
|
|
43
|
+
attention: number;
|
|
44
|
+
risky: number;
|
|
45
|
+
avoid: number;
|
|
46
|
+
};
|
|
47
|
+
|
|
48
|
+
export type RiskReportConfig = {
|
|
49
|
+
baseScore?: {
|
|
50
|
+
info?: number;
|
|
51
|
+
warning?: number;
|
|
52
|
+
critical?: number;
|
|
53
|
+
};
|
|
54
|
+
uplift?: RiskUpliftConfig;
|
|
55
|
+
thresholds?: Partial<RiskThresholdConfig>;
|
|
56
|
+
};
|
|
57
|
+
|
|
58
|
+
export const ALLOWED_TOOLS_MAPPING: Record<
|
|
59
|
+
string,
|
|
60
|
+
{ tool: string; scope: PermissionScope; permission: string }
|
|
61
|
+
> = {
|
|
62
|
+
Bash: { tool: "bash", scope: "sys", permission: "shell" },
|
|
63
|
+
Read: { tool: "read", scope: "fs", permission: "read" },
|
|
64
|
+
Write: { tool: "write", scope: "fs", permission: "write" },
|
|
65
|
+
Edit: { tool: "edit", scope: "fs", permission: "write" },
|
|
66
|
+
WebFetch: { tool: "webfetch", scope: "net", permission: "fetch" },
|
|
67
|
+
Fetch: { tool: "fetch", scope: "net", permission: "fetch" },
|
|
68
|
+
Subprocess: { tool: "subprocess", scope: "sys", permission: "subprocess" },
|
|
69
|
+
};
|
|
70
|
+
|
|
71
|
+
export const TOOLS_MAPPING: Record<string, { scope: PermissionScope; permission: string }> = {
|
|
72
|
+
gh: { scope: "sys", permission: "shell" },
|
|
73
|
+
git: { scope: "sys", permission: "shell" },
|
|
74
|
+
jq: { scope: "sys", permission: "shell" },
|
|
75
|
+
curl: { scope: "net", permission: "fetch" },
|
|
76
|
+
wget: { scope: "net", permission: "fetch" },
|
|
77
|
+
npm: { scope: "sys", permission: "shell" },
|
|
78
|
+
pnpm: { scope: "sys", permission: "shell" },
|
|
79
|
+
yarn: { scope: "sys", permission: "shell" },
|
|
80
|
+
python: { scope: "sys", permission: "shell" },
|
|
81
|
+
node: { scope: "sys", permission: "shell" },
|
|
82
|
+
deno: { scope: "sys", permission: "shell" },
|
|
83
|
+
docker: { scope: "sys", permission: "shell" },
|
|
84
|
+
};
|
|
85
|
+
|
|
86
|
+
export const UNSUPPORTED_SKILL_FRONTMATTER_FIELDS = [
|
|
87
|
+
"argument-hint",
|
|
88
|
+
"disable-model-invocation",
|
|
89
|
+
"user-invocable",
|
|
90
|
+
"model",
|
|
91
|
+
"context",
|
|
92
|
+
"agent",
|
|
93
|
+
"hooks",
|
|
94
|
+
] as const;
|
|
95
|
+
|
|
96
|
+
export const FRONTMATTER_SUPPORTED_FIELDS = [
|
|
97
|
+
"name",
|
|
98
|
+
"description",
|
|
99
|
+
"license",
|
|
100
|
+
"compatibility",
|
|
101
|
+
"metadata",
|
|
102
|
+
"allowed-tools",
|
|
103
|
+
] as const;
|
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
import { DEFAULT_ANALYZER_CONFIG, DEFAULT_SKILL_VERSION, resolveConfig } from "./config/mod.js";
|
|
2
|
+
import { NO_OP_LOGGER } from "./logging.js";
|
|
3
|
+
import { SkillAnalyzerResult } from "./result.js";
|
|
4
|
+
import { run001Discovery, run002Permissions, run003Risks } from "./steps/mod.js";
|
|
5
|
+
import type { AnalyzerConfig, AnalyzerLogger, AnalyzerState } from "./types.js";
|
|
6
|
+
import type { SkillReaderFactoryOptions } from "../skillreader/factory.js";
|
|
7
|
+
import { SkillReaderFactory } from "../skillreader/factory.js";
|
|
8
|
+
import { TreesitterClient } from "./treesitter/client.js";
|
|
9
|
+
import { AstGrepClient } from "./astgrep/mod.js";
|
|
10
|
+
|
|
11
|
+
export type { AnalyzerConfig, AnalyzerLogger, AnalyzerState } from "./types.js";
|
|
12
|
+
export type {
|
|
13
|
+
Allowlist,
|
|
14
|
+
Denylist,
|
|
15
|
+
LanguagePolicy,
|
|
16
|
+
NetworkPolicy,
|
|
17
|
+
RiskReportConfig,
|
|
18
|
+
ScanConfig,
|
|
19
|
+
} from "./config/mod.js";
|
|
20
|
+
|
|
21
|
+
export { SkillAnalyzerResult } from "./result.js";
|
|
22
|
+
export { DEFAULT_ANALYZER_CONFIG, DEFAULT_SKILL_VERSION, resolveConfig } from "./config/mod.js";
|
|
23
|
+
|
|
24
|
+
export type AnalyzerAnalyzeInput = SkillReaderFactoryOptions & {
|
|
25
|
+
skillId?: string;
|
|
26
|
+
skillVersionId?: string;
|
|
27
|
+
config?: Partial<AnalyzerConfig>;
|
|
28
|
+
logger?: AnalyzerLogger;
|
|
29
|
+
showProgressBar?: boolean;
|
|
30
|
+
};
|
|
31
|
+
|
|
32
|
+
export class Analyzer {
|
|
33
|
+
analyze(input: AnalyzerAnalyzeInput): Promise<SkillAnalyzerResult> {
|
|
34
|
+
return runAnalysis({
|
|
35
|
+
options: {
|
|
36
|
+
source: input.source,
|
|
37
|
+
subDir: input.subDir,
|
|
38
|
+
gitRef: input.gitRef,
|
|
39
|
+
githubToken: input.githubToken,
|
|
40
|
+
},
|
|
41
|
+
skillId: input.skillId,
|
|
42
|
+
skillVersionId: input.skillVersionId,
|
|
43
|
+
config: input.config,
|
|
44
|
+
logger: input.logger,
|
|
45
|
+
showProgressBar: input.showProgressBar,
|
|
46
|
+
});
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
export async function runAnalysis(input: {
|
|
51
|
+
options: SkillReaderFactoryOptions;
|
|
52
|
+
skillId?: string;
|
|
53
|
+
skillVersionId?: string;
|
|
54
|
+
config?: Partial<AnalyzerConfig>;
|
|
55
|
+
logger?: AnalyzerLogger;
|
|
56
|
+
showProgressBar?: boolean;
|
|
57
|
+
}): Promise<SkillAnalyzerResult> {
|
|
58
|
+
const config = resolveConfig(input.config);
|
|
59
|
+
|
|
60
|
+
let state = createInitialState({
|
|
61
|
+
skillId: input.skillId,
|
|
62
|
+
skillVersionId: input.skillVersionId,
|
|
63
|
+
config,
|
|
64
|
+
});
|
|
65
|
+
|
|
66
|
+
const skillReader = await SkillReaderFactory.create(input.options);
|
|
67
|
+
|
|
68
|
+
const validation = await skillReader.validate();
|
|
69
|
+
if (!validation.ok) {
|
|
70
|
+
throw new Error(validation.reason ?? "Invalid skill repository");
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
const logger = input.logger ?? NO_OP_LOGGER;
|
|
74
|
+
const showProgressBar = input.showProgressBar ?? false;
|
|
75
|
+
|
|
76
|
+
const context = {
|
|
77
|
+
skillReader,
|
|
78
|
+
treesitterClient: new TreesitterClient(logger, showProgressBar),
|
|
79
|
+
astgrepClient: new AstGrepClient(logger, showProgressBar),
|
|
80
|
+
logger,
|
|
81
|
+
showProgressBar,
|
|
82
|
+
config,
|
|
83
|
+
};
|
|
84
|
+
|
|
85
|
+
state = await run001Discovery(state, context);
|
|
86
|
+
state = await run002Permissions(state, context);
|
|
87
|
+
return await run003Risks(state, context);
|
|
88
|
+
}
|
|
89
|
+
|
|
90
|
+
export function createInitialState(input?: {
|
|
91
|
+
skillId?: string;
|
|
92
|
+
skillVersionId?: string;
|
|
93
|
+
config?: Partial<AnalyzerConfig>;
|
|
94
|
+
}): AnalyzerState {
|
|
95
|
+
const resolvedConfig = resolveConfig(input?.config);
|
|
96
|
+
const scan = resolvedConfig.scan ?? DEFAULT_ANALYZER_CONFIG.scan ?? {
|
|
97
|
+
maxFileSize: 1_000_000,
|
|
98
|
+
maxFileCount: 100,
|
|
99
|
+
maxScanDepth: 5,
|
|
100
|
+
};
|
|
101
|
+
return {
|
|
102
|
+
skillId: input?.skillId ?? "unknown",
|
|
103
|
+
skillVersionId: input?.skillVersionId ?? DEFAULT_SKILL_VERSION,
|
|
104
|
+
files: [],
|
|
105
|
+
frontmatter: {},
|
|
106
|
+
scanQueue: [],
|
|
107
|
+
permissions: [],
|
|
108
|
+
findings: [],
|
|
109
|
+
risks: [],
|
|
110
|
+
warnings: [],
|
|
111
|
+
metadata: {
|
|
112
|
+
scannedFiles: new Set<string>(),
|
|
113
|
+
skippedFiles: [],
|
|
114
|
+
rulesUsed: [],
|
|
115
|
+
config: scan,
|
|
116
|
+
},
|
|
117
|
+
};
|
|
118
|
+
}
|