npm - @feiyoug/skill-lab - Versions diffs - 0.0.0 → 0.0.2 - Mend

@feiyoug/skill-lab 0.0.0 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (465) hide show

package/README.md +73 -0
package/esm/analyzer/astgrep/client.d.ts +20 -8
package/esm/analyzer/astgrep/client.d.ts.map +1 -1
package/esm/analyzer/astgrep/client.js +58 -31
package/esm/analyzer/config/default.d.ts +8 -0
package/esm/analyzer/config/default.d.ts.map +1 -0
package/esm/analyzer/config/default.js +91 -0
package/esm/analyzer/config/helpers.d.ts +8 -0
package/esm/analyzer/config/helpers.d.ts.map +1 -0
package/esm/analyzer/config/helpers.js +72 -0
package/esm/analyzer/config/mod.d.ts +4 -0
package/esm/analyzer/config/mod.d.ts.map +1 -0
package/esm/analyzer/config/mod.js +3 -0
package/esm/analyzer/config/types.d.ts +58 -0
package/esm/analyzer/config/types.d.ts.map +1 -0
package/esm/analyzer/{config.js → config/types.js} +0 -28
package/esm/analyzer/logging.d.ts +3 -0
package/esm/analyzer/logging.d.ts.map +1 -0
package/esm/analyzer/logging.js +6 -0
package/esm/analyzer/mod.d.ts +12 -5
package/esm/analyzer/mod.d.ts.map +1 -1
package/esm/analyzer/mod.js +25 -12
package/esm/analyzer/result.d.ts +35 -0
package/esm/analyzer/result.d.ts.map +1 -0
package/esm/analyzer/result.js +311 -0
package/esm/analyzer/rules/bash/commands/mod.d.ts +1 -0
package/esm/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
package/esm/analyzer/rules/bash/commands/mod.js +3 -0
package/esm/analyzer/rules/bash/commands/pip.d.ts +3 -0
package/esm/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
package/esm/analyzer/rules/bash/commands/pip.js +14 -0
package/esm/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
package/esm/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/bash/extractFileRefs.js +2 -2
package/esm/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
package/esm/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
package/esm/analyzer/rules/bash/inline-command-classifier.js +4 -4
package/esm/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
package/esm/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/javascript/extractFileRefs.js +3 -4
package/esm/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
package/esm/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
package/esm/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/markdown/extractFileRefs.js +2 -0
package/esm/analyzer/rules/python/extractFileRefs.d.ts +1 -1
package/esm/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/python/extractFileRefs.js +2 -2
package/esm/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
package/esm/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
package/esm/analyzer/steps/001-discovery/discover-files.js +18 -2
package/esm/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
package/esm/analyzer/steps/001-discovery/mod.js +39 -9
package/esm/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
package/esm/analyzer/steps/002-permissions/mod.js +156 -73
package/esm/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
package/esm/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
package/esm/analyzer/steps/002-permissions/scan-file.js +40 -5
package/esm/analyzer/steps/002-permissions/seed-frontmatter.js +2 -2
package/esm/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
package/esm/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
package/esm/analyzer/steps/003-risks/dep-risks.js +74 -0
package/esm/analyzer/steps/003-risks/helpers.d.ts +1 -0
package/esm/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/helpers.js +1 -0
package/esm/analyzer/steps/003-risks/mod.d.ts +3 -2
package/esm/analyzer/steps/003-risks/mod.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/mod.js +41 -4
package/esm/analyzer/steps/003-risks/policy.d.ts +7 -0
package/esm/analyzer/steps/003-risks/policy.d.ts.map +1 -0
package/esm/analyzer/steps/003-risks/policy.js +23 -0
package/esm/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
package/esm/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/rule-mapped.js +83 -2
package/esm/analyzer/steps/003-risks/scoring.d.ts +9 -1
package/esm/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/scoring.js +55 -42
package/esm/analyzer/treesitter/client.d.ts +31 -0
package/esm/analyzer/treesitter/client.d.ts.map +1 -0
package/esm/analyzer/{treesiter → treesitter}/client.js +43 -39
package/esm/analyzer/treesitter/registry.d.ts +73 -0
package/esm/analyzer/treesitter/registry.d.ts.map +1 -0
package/esm/analyzer/treesitter/registry.js +165 -0
package/esm/analyzer/types.d.ts +14 -28
package/esm/analyzer/types.d.ts.map +1 -1
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +3 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +297 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +268 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.js +45 -0
package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.js +903 -0
package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
package/esm/deps/jsr.io/@std/io/0.225.0/types.js +15 -0
package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
package/esm/deps/jsr.io/@std/io/0.225.0/write_all.js +61 -0
package/esm/shared/deep_merge.d.ts +12 -0
package/esm/shared/deep_merge.d.ts.map +1 -0
package/esm/shared/deep_merge.js +49 -0
package/esm/shared/mod.d.ts +1 -0
package/esm/shared/mod.d.ts.map +1 -1
package/esm/shared/mod.js +1 -0
package/esm/shared/types/filetypes.d.ts +2 -2
package/esm/shared/types/filetypes.d.ts.map +1 -1
package/esm/shared/types/permissions.d.ts +1 -1
package/esm/shared/types/permissions.d.ts.map +1 -1
package/esm/shared/types/risks.d.ts +4 -1
package/esm/shared/types/risks.d.ts.map +1 -1
package/esm/skillreader/types.d.ts +2 -2
package/esm/skillreader/types.d.ts.map +1 -1
package/esm/skillreader/types.js +2 -2
package/package.json +1 -1
package/script/analyzer/astgrep/client.d.ts +20 -8
package/script/analyzer/astgrep/client.d.ts.map +1 -1
package/script/analyzer/astgrep/client.js +58 -64
package/script/analyzer/config/default.d.ts +8 -0
package/script/analyzer/config/default.d.ts.map +1 -0
package/script/analyzer/config/default.js +94 -0
package/script/analyzer/config/helpers.d.ts +8 -0
package/script/analyzer/config/helpers.d.ts.map +1 -0
package/script/analyzer/config/helpers.js +76 -0
package/script/analyzer/config/mod.d.ts +4 -0
package/script/analyzer/config/mod.d.ts.map +1 -0
package/script/analyzer/config/mod.js +21 -0
package/script/analyzer/config/types.d.ts +58 -0
package/script/analyzer/config/types.d.ts.map +1 -0
package/script/analyzer/{config.js → config/types.js} +1 -29
package/script/analyzer/logging.d.ts +3 -0
package/script/analyzer/logging.d.ts.map +1 -0
package/script/analyzer/logging.js +9 -0
package/script/analyzer/mod.d.ts +12 -5
package/script/analyzer/mod.d.ts.map +1 -1
package/script/analyzer/mod.js +35 -20
package/script/analyzer/result.d.ts +35 -0
package/script/analyzer/result.d.ts.map +1 -0
package/script/analyzer/result.js +315 -0
package/script/analyzer/rules/bash/commands/mod.d.ts +1 -0
package/script/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
package/script/analyzer/rules/bash/commands/mod.js +3 -0
package/script/analyzer/rules/bash/commands/pip.d.ts +3 -0
package/script/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
package/script/analyzer/rules/bash/commands/pip.js +17 -0
package/script/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
package/script/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/bash/extractFileRefs.js +2 -2
package/script/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
package/script/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
package/script/analyzer/rules/bash/inline-command-classifier.js +4 -4
package/script/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
package/script/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/javascript/extractFileRefs.js +3 -4
package/script/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
package/script/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
package/script/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/markdown/extractFileRefs.js +2 -0
package/script/analyzer/rules/python/extractFileRefs.d.ts +1 -1
package/script/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/python/extractFileRefs.js +2 -2
package/script/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
package/script/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
package/script/analyzer/steps/001-discovery/discover-files.js +18 -2
package/script/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
package/script/analyzer/steps/001-discovery/mod.js +77 -11
package/script/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
package/script/analyzer/steps/002-permissions/mod.js +194 -75
package/script/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
package/script/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
package/script/analyzer/steps/002-permissions/scan-file.js +40 -5
package/script/analyzer/steps/002-permissions/seed-frontmatter.js +3 -3
package/script/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
package/script/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
package/script/analyzer/steps/003-risks/dep-risks.js +77 -0
package/script/analyzer/steps/003-risks/helpers.d.ts +1 -0
package/script/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/helpers.js +1 -0
package/script/analyzer/steps/003-risks/mod.d.ts +3 -2
package/script/analyzer/steps/003-risks/mod.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/mod.js +77 -4
package/script/analyzer/steps/003-risks/policy.d.ts +7 -0
package/script/analyzer/steps/003-risks/policy.d.ts.map +1 -0
package/script/analyzer/steps/003-risks/policy.js +29 -0
package/script/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
package/script/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/rule-mapped.js +83 -2
package/script/analyzer/steps/003-risks/scoring.d.ts +9 -1
package/script/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/scoring.js +55 -42
package/script/analyzer/treesitter/client.d.ts +31 -0
package/script/analyzer/treesitter/client.d.ts.map +1 -0
package/script/analyzer/treesitter/client.js +136 -0
package/script/analyzer/treesitter/registry.d.ts +73 -0
package/script/analyzer/treesitter/registry.d.ts.map +1 -0
package/script/analyzer/treesitter/registry.js +206 -0
package/script/analyzer/types.d.ts +14 -28
package/script/analyzer/types.d.ts.map +1 -1
package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +10 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +334 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +305 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.js +48 -0
package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
package/script/deps/jsr.io/@std/fmt/1.0.3/colors.js +986 -0
package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
package/script/deps/jsr.io/@std/io/0.225.0/types.js +18 -0
package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
package/script/deps/jsr.io/@std/io/0.225.0/write_all.js +65 -0
package/script/shared/deep_merge.d.ts +12 -0
package/script/shared/deep_merge.d.ts.map +1 -0
package/script/shared/deep_merge.js +53 -0
package/script/shared/mod.d.ts +1 -0
package/script/shared/mod.d.ts.map +1 -1
package/script/shared/mod.js +1 -0
package/script/shared/types/filetypes.d.ts +2 -2
package/script/shared/types/filetypes.d.ts.map +1 -1
package/script/shared/types/permissions.d.ts +1 -1
package/script/shared/types/permissions.d.ts.map +1 -1
package/script/shared/types/risks.d.ts +4 -1
package/script/shared/types/risks.d.ts.map +1 -1
package/script/skillreader/types.d.ts +2 -2
package/script/skillreader/types.d.ts.map +1 -1
package/script/skillreader/types.js +2 -2
package/src/_dnt.polyfills.ts +27 -0
package/src/_dnt.shims.ts +64 -0
package/src/analyzer/astgrep/client.ts +184 -0
package/src/analyzer/astgrep/mod.ts +2 -0
package/src/analyzer/config/default.ts +98 -0
package/src/analyzer/config/helpers.ts +107 -0
package/src/analyzer/config/mod.ts +3 -0
package/src/analyzer/config/types.ts +103 -0
package/src/analyzer/logging.ts +8 -0
package/src/analyzer/mod.ts +118 -0
package/src/analyzer/result.ts +393 -0
package/src/analyzer/rules/bash/astTypes.ts +5 -0
package/src/analyzer/rules/bash/commands/bd.ts +23 -0
package/src/analyzer/rules/bash/commands/cron.ts +21 -0
package/src/analyzer/rules/bash/commands/docker.ts +37 -0
package/src/analyzer/rules/bash/commands/eval.ts +52 -0
package/src/analyzer/rules/bash/commands/generic.ts +16 -0
package/src/analyzer/rules/bash/commands/gh.ts +21 -0
package/src/analyzer/rules/bash/commands/git.ts +28 -0
package/src/analyzer/rules/bash/commands/mod.ts +38 -0
package/src/analyzer/rules/bash/commands/node.ts +64 -0
package/src/analyzer/rules/bash/commands/openspec.ts +16 -0
package/src/analyzer/rules/bash/commands/pip.ts +16 -0
package/src/analyzer/rules/bash/commands/sudo.ts +21 -0
package/src/analyzer/rules/bash/destructive.ts +28 -0
package/src/analyzer/rules/bash/extractFileRefs.ts +101 -0
package/src/analyzer/rules/bash/filesystem.ts +50 -0
package/src/analyzer/rules/bash/injection.ts +21 -0
package/src/analyzer/rules/bash/inline-command-classifier.ts +94 -0
package/src/analyzer/rules/bash/mod.ts +23 -0
package/src/analyzer/rules/bash/network.ts +64 -0
package/src/analyzer/rules/bash/secret-detection.ts +43 -0
package/src/analyzer/rules/javascript/astTypes.ts +8 -0
package/src/analyzer/rules/javascript/extractFileRefs.ts +131 -0
package/src/analyzer/rules/javascript/filesystem.ts +28 -0
package/src/analyzer/rules/javascript/injection.ts +21 -0
package/src/analyzer/rules/javascript/mod.ts +26 -0
package/src/analyzer/rules/javascript/network.ts +27 -0
package/src/analyzer/rules/javascript/secret-detection.ts +68 -0
package/src/analyzer/rules/javascript/subprocess.ts +16 -0
package/src/analyzer/rules/markdown/astTypes.ts +35 -0
package/src/analyzer/rules/markdown/extractCodeBlocks.ts +101 -0
package/src/analyzer/rules/markdown/extractFileRefs.ts +179 -0
package/src/analyzer/rules/markdown/mod.ts +12 -0
package/src/analyzer/rules/mod.ts +77 -0
package/src/analyzer/rules/python/astTypes.ts +9 -0
package/src/analyzer/rules/python/extractFileRefs.ts +92 -0
package/src/analyzer/rules/python/mod.ts +15 -0
package/src/analyzer/rules/python/network.ts +26 -0
package/src/analyzer/rules/python/secret-detection.ts +30 -0
package/src/analyzer/rules/shared/file-refs.ts +38 -0
package/src/analyzer/rules/shared/network-evaluators.ts +107 -0
package/src/analyzer/rules/shared/prompt-injection.ts +48 -0
package/src/analyzer/rules/shared/secret-evaluators.ts +13 -0
package/src/analyzer/rules/text/mod.ts +12 -0
package/src/analyzer/rules/typescript/mod.ts +7 -0
package/src/analyzer/steps/001-discovery/discover-files.ts +211 -0
package/src/analyzer/steps/001-discovery/filter-files.ts +72 -0
package/src/analyzer/steps/001-discovery/mod.ts +103 -0
package/src/analyzer/steps/002-permissions/mod.ts +329 -0
package/src/analyzer/steps/002-permissions/scan-file.ts +258 -0
package/src/analyzer/steps/002-permissions/seed-frontmatter.ts +66 -0
package/src/analyzer/steps/002-permissions/synthesize.ts +42 -0
package/src/analyzer/steps/003-risks/dep-risks.ts +89 -0
package/src/analyzer/steps/003-risks/helpers.ts +41 -0
package/src/analyzer/steps/003-risks/mod.ts +86 -0
package/src/analyzer/steps/003-risks/policy.ts +38 -0
package/src/analyzer/steps/003-risks/rule-mapped.ts +206 -0
package/src/analyzer/steps/003-risks/scoring.ts +117 -0
package/src/analyzer/steps/mod.ts +3 -0
package/src/analyzer/treesitter/client.ts +120 -0
package/src/analyzer/treesitter/registry.ts +198 -0
package/src/analyzer/types.ts +78 -0
package/src/analyzer/utils/code-block-path.ts +33 -0
package/src/analyzer/utils/id-generator.ts +59 -0
package/src/analyzer/utils/secret-validator.ts +29 -0
package/src/analyzer/utils/url-parser.ts +25 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/deps.ts +3 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/mod.ts +265 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/multi.ts +250 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/time.ts +69 -0
package/src/deps/jsr.io/@std/fmt/1.0.3/colors.ts +1004 -0
package/src/deps/jsr.io/@std/internal/1.0.12/_os.ts +15 -0
package/src/deps/jsr.io/@std/internal/1.0.12/os.ts +7 -0
package/src/deps/jsr.io/@std/io/0.225.0/types.ts +157 -0
package/src/deps/jsr.io/@std/io/0.225.0/write_all.ts +65 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/assert_path.ts +10 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/basename.ts +53 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/common.ts +26 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/constants.ts +49 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/dirname.ts +9 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/format.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/from_file_url.ts +12 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/glob_to_reg_exp.ts +295 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize.ts +9 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize_string.ts +74 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/relative.ts +10 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/strip_trailing_separators.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/to_file_url.ts +17 -0
package/src/deps/jsr.io/@std/path/1.1.4/basename.ts +37 -0
package/src/deps/jsr.io/@std/path/1.1.4/common.ts +35 -0
package/src/deps/jsr.io/@std/path/1.1.4/constants.ts +18 -0
package/src/deps/jsr.io/@std/path/1.1.4/dirname.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/extname.ts +29 -0
package/src/deps/jsr.io/@std/path/1.1.4/format.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/from_file_url.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/glob_to_regexp.ts +94 -0
package/src/deps/jsr.io/@std/path/1.1.4/is_absolute.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/is_glob.ts +49 -0
package/src/deps/jsr.io/@std/path/1.1.4/join.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/join_globs.ts +42 -0
package/src/deps/jsr.io/@std/path/1.1.4/mod.ts +217 -0
package/src/deps/jsr.io/@std/path/1.1.4/normalize.ts +33 -0
package/src/deps/jsr.io/@std/path/1.1.4/normalize_glob.ts +45 -0
package/src/deps/jsr.io/@std/path/1.1.4/parse.ts +44 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/_util.ts +10 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/basename.ts +62 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/constants.ts +15 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/dirname.ts +72 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/extname.ts +96 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/format.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/from_file_url.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/glob_to_regexp.ts +94 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/is_absolute.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/join.ts +46 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/join_globs.ts +45 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize.ts +63 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize_glob.ts +43 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/parse.ts +121 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/relative.ts +103 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/resolve.ts +71 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/to_file_url.ts +32 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/to_namespaced_path.ts +21 -0
package/src/deps/jsr.io/@std/path/1.1.4/relative.ts +32 -0
package/src/deps/jsr.io/@std/path/1.1.4/resolve.ts +32 -0
package/src/deps/jsr.io/@std/path/1.1.4/to_file_url.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/to_namespaced_path.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/types.ts +40 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/_util.ts +28 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/basename.ts +54 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/constants.ts +15 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/dirname.ts +118 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/extname.ts +90 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/format.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/from_file_url.ts +34 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/glob_to_regexp.ts +92 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/is_absolute.ts +40 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/join.ts +78 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/join_globs.ts +46 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize.ts +136 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize_glob.ts +43 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/parse.ts +184 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/relative.ts +128 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/resolve.ts +178 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/to_file_url.ts +38 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/to_namespaced_path.ts +60 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_chars.ts +55 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_dumper_state.ts +841 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_loader_state.ts +1780 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_schema.ts +183 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/binary.ts +127 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/bool.ts +37 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/float.ts +112 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/int.ts +174 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/map.ts +17 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/merge.ts +13 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/nil.ts +27 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/omap.ts +30 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/pairs.ts +22 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/regexp.ts +33 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/seq.ts +13 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/set.ts +17 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/str.ts +12 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/timestamp.ts +101 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/undefined.ts +23 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type.ts +49 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_utils.ts +16 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/mod.ts +54 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/parse.ts +128 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/stringify.ts +118 -0
package/src/shared/deep_merge.ts +73 -0
package/src/shared/mod.ts +2 -0
package/src/shared/types/filetypes.ts +101 -0
package/src/shared/types/findings.ts +7 -0
package/src/shared/types/mod.ts +6 -0
package/src/shared/types/permissions.ts +17 -0
package/src/shared/types/references.ts +62 -0
package/src/shared/types/risks.ts +72 -0
package/src/shared/types/syntaxNode.ts +7 -0
package/src/skillreader/cloudStorage/mod.ts +170 -0
package/src/skillreader/factory.ts +71 -0
package/src/skillreader/fs/git.ts +153 -0
package/src/skillreader/fs/mod.ts +84 -0
package/src/skillreader/github/base.ts +162 -0
package/src/skillreader/github/githubApi.ts +40 -0
package/src/skillreader/github/githubRaw.ts +24 -0
package/src/skillreader/github/mod.ts +45 -0
package/src/skillreader/github/utils.ts +40 -0
package/src/skillreader/manifest.ts +67 -0
package/src/skillreader/mod.ts +26 -0
package/src/skillreader/types.ts +150 -0
package/src/skillreader/utils/frontmatter-parser.ts +72 -0
package/src/skillreader/utils/http-range.ts +38 -0
package/src/skillreader/utils/mod.ts +12 -0
package/esm/analyzer/astgrep/registry.d.ts +0 -18
package/esm/analyzer/astgrep/registry.d.ts.map +0 -1
package/esm/analyzer/astgrep/registry.js +0 -71
package/esm/analyzer/config.d.ts +0 -27
package/esm/analyzer/config.d.ts.map +0 -1
package/esm/analyzer/steps/003-risks/output.d.ts +0 -3
package/esm/analyzer/steps/003-risks/output.d.ts.map +0 -1
package/esm/analyzer/steps/003-risks/output.js +0 -16
package/esm/analyzer/treesiter/client.d.ts +0 -26
package/esm/analyzer/treesiter/client.d.ts.map +0 -1
package/script/analyzer/astgrep/registry.d.ts +0 -18
package/script/analyzer/astgrep/registry.d.ts.map +0 -1
package/script/analyzer/astgrep/registry.js +0 -109
package/script/analyzer/config.d.ts +0 -27
package/script/analyzer/config.d.ts.map +0 -1
package/script/analyzer/steps/003-risks/output.d.ts +0 -3
package/script/analyzer/steps/003-risks/output.d.ts.map +0 -1
package/script/analyzer/steps/003-risks/output.js +0 -19
package/script/analyzer/treesiter/client.d.ts +0 -26
package/script/analyzer/treesiter/client.d.ts.map +0 -1
package/script/analyzer/treesiter/client.js +0 -165

package/src/analyzer/rules/bash/commands/node.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import type { AstGrepRule } from "../../../astgrep/client.js";
+export const NODE_ECOSYSTEM_RULES: AstGrepRule[] = [
+    {
+        id: "shell-npm",
+        description: "Detects npm commands",
+        grammar: "bash",
+        patterns: ["npm $SUB $$$ARGS"],
+        permission: {
+            tool: "npm",
+            scope: "sys",
+            permission: "shell",
+            metadata: { subcommand: "SUB" },
+        },
+    },
+    {
+        id: "shell-pnpm",
+        description: "Detects pnpm commands",
+        grammar: "bash",
+        patterns: ["pnpm $SUB $$$ARGS"],
+        permission: {
+            tool: "pnpm",
+            scope: "sys",
+            permission: "shell",
+            metadata: { subcommand: "SUB" },
+        },
+    },
+    {
+        id: "shell-yarn",
+        description: "Detects yarn commands",
+        grammar: "bash",
+        patterns: ["yarn $SUB $$$ARGS"],
+        permission: {
+            tool: "yarn",
+            scope: "sys",
+            permission: "shell",
+            metadata: { subcommand: "SUB" },
+        },
+    },
+    {
+        id: "shell-deno",
+        description: "Detects deno commands",
+        grammar: "bash",
+        patterns: ["deno $SUB $$$ARGS"],
+        permission: {
+            tool: "deno",
+            scope: "sys",
+            permission: "shell",
+            metadata: { subcommand: "SUB" },
+        },
+    },
+    {
+        id: "shell-node",
+        description: "Detects node commands",
+        grammar: "bash",
+        patterns: ["node $FILE $$$ARGS"],
+        permission: {
+            tool: "node",
+            scope: "sys",
+            permission: "shell",
+            metadata: { file: "FILE" },
+        },
+    },
+];

package/src/analyzer/rules/bash/commands/openspec.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { AstGrepRule } from "../../../astgrep/client.js";
+export const OPENSPEC_RULES: AstGrepRule[] = [
+    {
+        id: "shell-openspec",
+        description: "Detects openspec commands",
+        grammar: "bash",
+        patterns: ["openspec $SUB $$$ARGS"],
+        permission: {
+            tool: "openspec",
+            scope: "sys",
+            permission: "shell",
+            metadata: { subcommand: "SUB" },
+        },
+    },
+];

package/src/analyzer/rules/bash/commands/pip.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { AstGrepRule } from "../../../astgrep/client.js";
+export const PIP_RULES: AstGrepRule[] = [
+    {
+        id: "shell-pip",
+        description: "Detects pip commands",
+        grammar: "bash",
+        patterns: ["pip $SUB $$$ARGS", "pip3 $SUB $$$ARGS"],
+        permission: {
+            tool: "pip",
+            scope: "sys",
+            permission: "shell",
+            metadata: { subcommand: "SUB" },
+        },
+    },
+];

package/src/analyzer/rules/bash/commands/sudo.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { AstGrepRule } from "../../../astgrep/client.js";
+export const SUDO_RULES: AstGrepRule[] = [
+    {
+        id: "shell-sudo",
+        description: "Detects sudo usage",
+        grammar: "bash",
+        patterns: ["sudo $CMD $$$ARGS"],
+        permission: {
+            tool: "sudo",
+            scope: "sys",
+            permission: "sudo",
+            metadata: { command: "CMD" },
+            mappedRisks: [{
+                code: "PRIVILEGE:privilege_escalation",
+                severity: "critical",
+                message: "Privilege escalation via sudo",
+            }],
+        },
+    },
+];

package/src/analyzer/rules/bash/destructive.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+export const BASH_DESTRUCTIVE_RULES: AstGrepRule[] = [
+    {
+        id: "destructive-format",
+        description: "Detects disk format commands",
+        grammar: "bash",
+        patterns: ["mkfs $DEVICE", "format $DEVICE"],
+        permission: {
+            tool: "format",
+            scope: "fs",
+            permission: "write",
+            metadata: { device: "DEVICE" },
+        },
+    },
+    {
+        id: "destructive-config-write",
+        description: "Detects config file overwrite",
+        grammar: "bash",
+        patterns: ["echo $VALUE > $FILE"],
+        permission: {
+            tool: "write",
+            scope: "fs",
+            permission: "write",
+            metadata: { file: "FILE" },
+        },
+    },
+];

package/src/analyzer/rules/bash/extractFileRefs.ts ADDED Viewed

@@ -0,0 +1,101 @@
+/**
+ * File reference extractor for Bash/shell scripts.
+ *
+ * Detects:
+ * - External URLs referenced via curl/wget → via: "url"
+ * - Local file includes via source/. → via: "source"
+ * - Host filesystem paths in command arguments → via: "bare-path"
+ *
+ * Uses ast-grep AST traversal on `command` nodes.
+ */
+import { isHostFsPath, isUrl, looksLikePath } from "../shared/file-refs.js";
+import type { AnalyzerContext, FileRefDiscovery } from "../../types.js";
+import { BASH_NODE } from "./astTypes.js";
+export async function extractBashFileRefs(
+    context: AnalyzerContext,
+    content: string,
+): Promise<FileRefDiscovery[]> {
+    const refs: FileRefDiscovery[] = [];
+    const ast = await context.astgrepClient.parse("bash", content);
+    const root = ast.root();
+    const commandNodes = root.findAll({ rule: { kind: BASH_NODE.COMMAND } });
+    for (const node of commandNodes) {
+        const line = node.range().start.line + 1;
+        const nameNode = node.field("name");
+        const commandName = nameNode?.text() ?? "";
+        // ── source / . includes ──────────────────────────────────────────────
+        if (commandName === "source" || commandName === ".") {
+            const argNode = node.field("argument");
+            const path = argNode?.text() ?? "";
+            if (path && looksLikePath(path)) {
+                refs.push({ path, line, via: "source" });
+            }
+            continue;
+        }
+        // ── curl / wget URLs ─────────────────────────────────────────────────
+        if (commandName === "curl" || commandName === "wget") {
+            // All word children — find URL args
+            const wordNodes = node.findAll({ rule: { kind: BASH_NODE.WORD } });
+            for (const word of wordNodes) {
+                const text = word.text();
+                if (isUrl(text)) {
+                    refs.push({ path: text, line, via: "url" });
+                }
+            }
+            continue;
+        }
+        // ── file operation commands ──────────────────────────────────────────
+        const FILE_CMDS = new Set([
+            "cat",
+            "cp",
+            "mv",
+            "ln",
+            "touch",
+            "mkdir",
+            "rm",
+            "chmod",
+            "chown",
+            "open",
+            "exec",
+            "read",
+        ]);
+        if (FILE_CMDS.has(commandName)) {
+            const wordNodes = node.findAll({ rule: { kind: BASH_NODE.WORD } });
+            for (const word of wordNodes) {
+                const text = word.text();
+                // Skip flags and the command name itself
+                if (text === commandName || text.startsWith("-")) continue;
+                if (isHostFsPath(text)) {
+                    refs.push({ path: text, line, via: "bare-path" });
+                }
+            }
+            continue;
+        }
+        // ── command itself is a script path (e.g. `scripts/run.py`) ─────────
+        if (looksLikePath(commandName) && !isUrl(commandName)) {
+            refs.push({ path: commandName, line, via: "bare-path" });
+        }
+        // ── default: check first argument for path-like value ────────────────
+        const argNode = node.field("argument");
+        if (argNode) {
+            const text = argNode.text();
+            if (looksLikePath(text) && !isUrl(text)) {
+                refs.push({ path: text, line, via: "bare-path" });
+            }
+        }
+    }
+    return refs;
+}

package/src/analyzer/rules/bash/filesystem.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+export const BASH_FILESYSTEM_RULES: AstGrepRule[] = [
+    {
+        id: "fs-read-cat",
+        description: "Detects cat file reads",
+        grammar: "bash",
+        patterns: ["cat $FILE", "less $FILE", "head $FILE", "tail $FILE"],
+        permission: {
+            tool: "cat",
+            scope: "fs",
+            permission: "read",
+            metadata: { file: "FILE" },
+        },
+    },
+    {
+        id: "fs-rm-rf",
+        description: "Detects recursive delete",
+        grammar: "bash",
+        patterns: ["rm -rf $PATH", "rm -fr $PATH"],
+        permission: {
+            tool: "rm",
+            scope: "fs",
+            permission: "write",
+            metadata: { path: "PATH" },
+            mappedRisks: [{
+                code: "DESTRUCTIVE:destructive_behavior",
+                severity: "critical",
+                message: "Recursive delete detected",
+            }],
+        },
+    },
+    {
+        id: "fs-chmod-777",
+        description: "Detects permissive chmod",
+        grammar: "bash",
+        patterns: ["chmod 777 $PATH", "chmod -R 777 $PATH"],
+        permission: {
+            tool: "chmod",
+            scope: "fs",
+            permission: "write",
+            metadata: { path: "PATH" },
+            mappedRisks: [{
+                code: "DESTRUCTIVE:permission_weakening",
+                severity: "warning",
+                message: "Overly permissive chmod detected",
+            }],
+        },
+    },
+];

package/src/analyzer/rules/bash/injection.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+export const BASH_INJECTION_RULES: AstGrepRule[] = [
+    {
+        id: "inject-substitution",
+        description: "Detects shell command substitution",
+        grammar: "bash",
+        patterns: ["$($CMD)", "`$CMD`"],
+        permission: {
+            tool: "bash",
+            scope: "sys",
+            permission: "shell",
+            metadata: { command: "CMD" },
+            mappedRisks: [{
+                code: "INJECTION:command_injection",
+                severity: "warning",
+                message: "Command substitution can enable injection",
+            }],
+        },
+    },
+];

package/src/analyzer/rules/bash/inline-command-classifier.ts ADDED Viewed

@@ -0,0 +1,94 @@
+import type { AnalyzerContext } from "../../types.js";
+import { looksLikePath } from "../shared/file-refs.js";
+import { BASH_COMMAND_RULES } from "./commands/mod.js";
+const GENERIC_COMMAND_RULE_ID = "shell-generic-command";
+const CONTEXT_VERB_PATTERN =
+    /\b(run|execute|invoke|call|terminal|shell|command|cmd|bash|zsh|sh)\b/i;
+const CONTEXT_COMMAND_ALLOWLIST = new Set([
+    "git",
+    "gh",
+    "npm",
+    "pnpm",
+    "yarn",
+    "bun",
+    "deno",
+    "node",
+    "python",
+    "python3",
+    "pip",
+    "pip3",
+    "docker",
+    "docker-compose",
+    "kubectl",
+    "curl",
+    "wget",
+    "bd",
+    "slab",
+    "bash",
+    "sh",
+    "zsh",
+]);
+const SPECIFIC_COMMAND_RULES = BASH_COMMAND_RULES.filter((rule) =>
+    rule.id !== GENERIC_COMMAND_RULE_ID
+);
+const KNOWN_COMMAND_TOOLS = new Set(
+    SPECIFIC_COMMAND_RULES
+        .map((rule) => String(rule.permission.tool ?? "").toLowerCase())
+        .filter((tool) => tool && tool !== "detected"),
+);
+export async function isLikelyInlineBashCommand(
+    context: AnalyzerContext,
+    input: { snippet: string; lineContext?: string },
+): Promise<boolean> {
+    const snippet = normalizeInlineSnippet(input.snippet);
+    if (!snippet) return false;
+    if (looksLikeFormattingToken(snippet)) return false;
+    const tokens = snippet.split(/\s+/).filter(Boolean);
+    if (tokens.length === 1 && looksLikePath(snippet)) return false;
+    if (await matchesSpecificBashCommandRule(context, snippet)) return true;
+    const firstToken = tokens[0]?.toLowerCase() ?? "";
+    const hasContextVerb = CONTEXT_VERB_PATTERN.test(input.lineContext ?? "");
+    const knownTool = firstToken &&
+        (CONTEXT_COMMAND_ALLOWLIST.has(firstToken) || KNOWN_COMMAND_TOOLS.has(firstToken));
+    if (tokens.length >= 2 && knownTool) {
+        return true;
+    }
+    if (tokens.length === 1 && knownTool && hasContextVerb) {
+        return true;
+    }
+    return false;
+}
+async function matchesSpecificBashCommandRule(
+    context: AnalyzerContext,
+    snippet: string,
+): Promise<boolean> {
+    const matches = await context.astgrepClient.scanWithRules(
+        snippet,
+        "bash",
+        SPECIFIC_COMMAND_RULES,
+    );
+    return matches.length > 0;
+}
+function normalizeInlineSnippet(raw: string): string {
+    return raw.trim().replace(/^`+/, "").replace(/`+$/, "").trim();
+}
+function looksLikeFormattingToken(snippet: string): boolean {
+    if (!snippet) return true;
+    if (/^[*]{1,2}[^*]+[*]{1,2}$/.test(snippet)) return true;
+    if (/^[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*$/.test(snippet)) return true;
+    return false;
+}

package/src/analyzer/rules/bash/mod.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import { FileTypeConfig } from "../../types.js";
+import { BASH_COMMAND_RULES } from "./commands/mod.js";
+import { BASH_DESTRUCTIVE_RULES } from "./destructive.js";
+import { extractBashFileRefs } from "./extractFileRefs.js";
+import { BASH_FILESYSTEM_RULES } from "./filesystem.js";
+import { BASH_INJECTION_RULES } from "./injection.js";
+import { BASH_NETWORK_RULES } from "./network.js";
+import { BASH_SECRET_DETECTION_RULES } from "./secret-detection.js";
+export const BASH_RULES: AstGrepRule[] = [
+    ...BASH_NETWORK_RULES,
+    ...BASH_FILESYSTEM_RULES,
+    ...BASH_COMMAND_RULES,
+    ...BASH_DESTRUCTIVE_RULES,
+    ...BASH_INJECTION_RULES,
+    ...BASH_SECRET_DETECTION_RULES,
+];
+export const BASH_FILETYPE_CONFIS: FileTypeConfig = {
+    defaultLanguage: "bash",
+    extractFileRefs: extractBashFileRefs,
+};

package/src/analyzer/rules/bash/network.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import {
+    DETECT_NETWORK_FETCH_RISKS,
+    DETECT_REMOTE_CODE_EXECUTION_RISK,
+} from "../shared/network-evaluators.js";
+export const BASH_NETWORK_RULES: AstGrepRule[] = [
+    {
+        id: "net-curl",
+        description: "Detects curl usage",
+        grammar: "bash",
+        patterns: [
+            "curl $URL",
+            "curl -X $METHOD $URL",
+            "curl --request $METHOD $URL",
+            "curl $$$FLAGS -H $HEADER $$$REST",
+            "curl $$$FLAGS --header $HEADER $$$REST",
+            "curl $$$FLAGS $URL?token=$TOKEN",
+        ],
+        permission: {
+            tool: "curl",
+            scope: "net",
+            permission: "fetch",
+            metadata: {
+                method: "METHOD",
+                url: "URL",
+                header: "HEADER",
+                token: "TOKEN",
+            },
+            mappedRisks: [DETECT_NETWORK_FETCH_RISKS],
+        },
+    },
+    {
+        id: "net-wget",
+        description: "Detects wget usage",
+        grammar: "bash",
+        patterns: ["wget $URL", "wget --post-data=$DATA $URL"],
+        permission: {
+            tool: "wget",
+            scope: "net",
+            permission: "fetch",
+            metadata: {
+                url: "URL",
+                data: "DATA",
+            },
+            mappedRisks: [DETECT_NETWORK_FETCH_RISKS],
+        },
+    },
+    {
+        id: "net-pipe-shell",
+        description: "Detects network pipe to shell",
+        grammar: "bash",
+        patterns: ["curl $$$ARGS | bash", "curl $$$ARGS | sh", "wget $$$ARGS | bash"],
+        permission: {
+            tool: "bash",
+            scope: "sys",
+            permission: "shell",
+            metadata: {
+                command: "ARGS",
+            },
+            mappedRisks: [DETECT_REMOTE_CODE_EXECUTION_RISK],
+        },
+    },
+];

package/src/analyzer/rules/bash/secret-detection.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import { DETECT_SECRET_NAME_RISK } from "../shared/secret-evaluators.js";
+export const BASH_SECRET_DETECTION_RULES: AstGrepRule[] = [
+    {
+        id: "secret-bash-env-read-plain",
+        description: "Detects bash env var read with $VAR",
+        grammar: "bash",
+        patterns: ["echo \\$$VAR", "printf \\$$VAR"],
+        permission: {
+            tool: "env",
+            scope: "env",
+            permission: "read",
+            metadata: { key: "VAR" },
+            mappedRisks: [DETECT_SECRET_NAME_RISK],
+        },
+    },
+    {
+        id: "secret-bash-env-read-braced",
+        description: "Detects bash env var read with ${VAR}",
+        grammar: "bash",
+        patterns: ["echo \\${$VAR}", "printf \\${$VAR}"],
+        permission: {
+            tool: "env",
+            scope: "env",
+            permission: "read",
+            metadata: { key: "VAR" },
+            mappedRisks: [DETECT_SECRET_NAME_RISK],
+        },
+    },
+    {
+        id: "secret-bash-env-write",
+        description: "Detects export env var write",
+        grammar: "bash",
+        patterns: ["export $KEY=$VALUE"],
+        permission: {
+            tool: "env",
+            scope: "env",
+            permission: "write",
+            metadata: { key: "KEY" },
+        },
+    },
+];

package/src/analyzer/rules/javascript/astTypes.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/** ast-grep node types for JavaScript and TypeScript. */
+export const JS_NODE = {
+    IMPORT_STATEMENT: "import_statement",
+    EXPORT_STATEMENT: "export_statement",
+    CALL_EXPRESSION: "call_expression",
+    STRING: "string",
+    STRING_FRAGMENT: "string_fragment",
+} as const;