npm - @feiyoug/skill-lab - Versions diffs - 0.0.0 → 0.0.2 - Mend

@feiyoug/skill-lab 0.0.0 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (465) hide show

package/README.md +73 -0
package/esm/analyzer/astgrep/client.d.ts +20 -8
package/esm/analyzer/astgrep/client.d.ts.map +1 -1
package/esm/analyzer/astgrep/client.js +58 -31
package/esm/analyzer/config/default.d.ts +8 -0
package/esm/analyzer/config/default.d.ts.map +1 -0
package/esm/analyzer/config/default.js +91 -0
package/esm/analyzer/config/helpers.d.ts +8 -0
package/esm/analyzer/config/helpers.d.ts.map +1 -0
package/esm/analyzer/config/helpers.js +72 -0
package/esm/analyzer/config/mod.d.ts +4 -0
package/esm/analyzer/config/mod.d.ts.map +1 -0
package/esm/analyzer/config/mod.js +3 -0
package/esm/analyzer/config/types.d.ts +58 -0
package/esm/analyzer/config/types.d.ts.map +1 -0
package/esm/analyzer/{config.js → config/types.js} +0 -28
package/esm/analyzer/logging.d.ts +3 -0
package/esm/analyzer/logging.d.ts.map +1 -0
package/esm/analyzer/logging.js +6 -0
package/esm/analyzer/mod.d.ts +12 -5
package/esm/analyzer/mod.d.ts.map +1 -1
package/esm/analyzer/mod.js +25 -12
package/esm/analyzer/result.d.ts +35 -0
package/esm/analyzer/result.d.ts.map +1 -0
package/esm/analyzer/result.js +311 -0
package/esm/analyzer/rules/bash/commands/mod.d.ts +1 -0
package/esm/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
package/esm/analyzer/rules/bash/commands/mod.js +3 -0
package/esm/analyzer/rules/bash/commands/pip.d.ts +3 -0
package/esm/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
package/esm/analyzer/rules/bash/commands/pip.js +14 -0
package/esm/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
package/esm/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/bash/extractFileRefs.js +2 -2
package/esm/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
package/esm/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
package/esm/analyzer/rules/bash/inline-command-classifier.js +4 -4
package/esm/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
package/esm/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/javascript/extractFileRefs.js +3 -4
package/esm/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
package/esm/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
package/esm/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/markdown/extractFileRefs.js +2 -0
package/esm/analyzer/rules/python/extractFileRefs.d.ts +1 -1
package/esm/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
package/esm/analyzer/rules/python/extractFileRefs.js +2 -2
package/esm/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
package/esm/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
package/esm/analyzer/steps/001-discovery/discover-files.js +18 -2
package/esm/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
package/esm/analyzer/steps/001-discovery/mod.js +39 -9
package/esm/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
package/esm/analyzer/steps/002-permissions/mod.js +156 -73
package/esm/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
package/esm/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
package/esm/analyzer/steps/002-permissions/scan-file.js +40 -5
package/esm/analyzer/steps/002-permissions/seed-frontmatter.js +2 -2
package/esm/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
package/esm/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
package/esm/analyzer/steps/003-risks/dep-risks.js +74 -0
package/esm/analyzer/steps/003-risks/helpers.d.ts +1 -0
package/esm/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/helpers.js +1 -0
package/esm/analyzer/steps/003-risks/mod.d.ts +3 -2
package/esm/analyzer/steps/003-risks/mod.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/mod.js +41 -4
package/esm/analyzer/steps/003-risks/policy.d.ts +7 -0
package/esm/analyzer/steps/003-risks/policy.d.ts.map +1 -0
package/esm/analyzer/steps/003-risks/policy.js +23 -0
package/esm/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
package/esm/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/rule-mapped.js +83 -2
package/esm/analyzer/steps/003-risks/scoring.d.ts +9 -1
package/esm/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
package/esm/analyzer/steps/003-risks/scoring.js +55 -42
package/esm/analyzer/treesitter/client.d.ts +31 -0
package/esm/analyzer/treesitter/client.d.ts.map +1 -0
package/esm/analyzer/{treesiter → treesitter}/client.js +43 -39
package/esm/analyzer/treesitter/registry.d.ts +73 -0
package/esm/analyzer/treesitter/registry.d.ts.map +1 -0
package/esm/analyzer/treesitter/registry.js +165 -0
package/esm/analyzer/types.d.ts +14 -28
package/esm/analyzer/types.d.ts.map +1 -1
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +3 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +297 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +268 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.js +45 -0
package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.js +903 -0
package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
package/esm/deps/jsr.io/@std/io/0.225.0/types.js +15 -0
package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
package/esm/deps/jsr.io/@std/io/0.225.0/write_all.js +61 -0
package/esm/shared/deep_merge.d.ts +12 -0
package/esm/shared/deep_merge.d.ts.map +1 -0
package/esm/shared/deep_merge.js +49 -0
package/esm/shared/mod.d.ts +1 -0
package/esm/shared/mod.d.ts.map +1 -1
package/esm/shared/mod.js +1 -0
package/esm/shared/types/filetypes.d.ts +2 -2
package/esm/shared/types/filetypes.d.ts.map +1 -1
package/esm/shared/types/permissions.d.ts +1 -1
package/esm/shared/types/permissions.d.ts.map +1 -1
package/esm/shared/types/risks.d.ts +4 -1
package/esm/shared/types/risks.d.ts.map +1 -1
package/esm/skillreader/types.d.ts +2 -2
package/esm/skillreader/types.d.ts.map +1 -1
package/esm/skillreader/types.js +2 -2
package/package.json +1 -1
package/script/analyzer/astgrep/client.d.ts +20 -8
package/script/analyzer/astgrep/client.d.ts.map +1 -1
package/script/analyzer/astgrep/client.js +58 -64
package/script/analyzer/config/default.d.ts +8 -0
package/script/analyzer/config/default.d.ts.map +1 -0
package/script/analyzer/config/default.js +94 -0
package/script/analyzer/config/helpers.d.ts +8 -0
package/script/analyzer/config/helpers.d.ts.map +1 -0
package/script/analyzer/config/helpers.js +76 -0
package/script/analyzer/config/mod.d.ts +4 -0
package/script/analyzer/config/mod.d.ts.map +1 -0
package/script/analyzer/config/mod.js +21 -0
package/script/analyzer/config/types.d.ts +58 -0
package/script/analyzer/config/types.d.ts.map +1 -0
package/script/analyzer/{config.js → config/types.js} +1 -29
package/script/analyzer/logging.d.ts +3 -0
package/script/analyzer/logging.d.ts.map +1 -0
package/script/analyzer/logging.js +9 -0
package/script/analyzer/mod.d.ts +12 -5
package/script/analyzer/mod.d.ts.map +1 -1
package/script/analyzer/mod.js +35 -20
package/script/analyzer/result.d.ts +35 -0
package/script/analyzer/result.d.ts.map +1 -0
package/script/analyzer/result.js +315 -0
package/script/analyzer/rules/bash/commands/mod.d.ts +1 -0
package/script/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
package/script/analyzer/rules/bash/commands/mod.js +3 -0
package/script/analyzer/rules/bash/commands/pip.d.ts +3 -0
package/script/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
package/script/analyzer/rules/bash/commands/pip.js +17 -0
package/script/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
package/script/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/bash/extractFileRefs.js +2 -2
package/script/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
package/script/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
package/script/analyzer/rules/bash/inline-command-classifier.js +4 -4
package/script/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
package/script/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/javascript/extractFileRefs.js +3 -4
package/script/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
package/script/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
package/script/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/markdown/extractFileRefs.js +2 -0
package/script/analyzer/rules/python/extractFileRefs.d.ts +1 -1
package/script/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
package/script/analyzer/rules/python/extractFileRefs.js +2 -2
package/script/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
package/script/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
package/script/analyzer/steps/001-discovery/discover-files.js +18 -2
package/script/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
package/script/analyzer/steps/001-discovery/mod.js +77 -11
package/script/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
package/script/analyzer/steps/002-permissions/mod.js +194 -75
package/script/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
package/script/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
package/script/analyzer/steps/002-permissions/scan-file.js +40 -5
package/script/analyzer/steps/002-permissions/seed-frontmatter.js +3 -3
package/script/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
package/script/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
package/script/analyzer/steps/003-risks/dep-risks.js +77 -0
package/script/analyzer/steps/003-risks/helpers.d.ts +1 -0
package/script/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/helpers.js +1 -0
package/script/analyzer/steps/003-risks/mod.d.ts +3 -2
package/script/analyzer/steps/003-risks/mod.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/mod.js +77 -4
package/script/analyzer/steps/003-risks/policy.d.ts +7 -0
package/script/analyzer/steps/003-risks/policy.d.ts.map +1 -0
package/script/analyzer/steps/003-risks/policy.js +29 -0
package/script/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
package/script/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/rule-mapped.js +83 -2
package/script/analyzer/steps/003-risks/scoring.d.ts +9 -1
package/script/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
package/script/analyzer/steps/003-risks/scoring.js +55 -42
package/script/analyzer/treesitter/client.d.ts +31 -0
package/script/analyzer/treesitter/client.d.ts.map +1 -0
package/script/analyzer/treesitter/client.js +136 -0
package/script/analyzer/treesitter/registry.d.ts +73 -0
package/script/analyzer/treesitter/registry.d.ts.map +1 -0
package/script/analyzer/treesitter/registry.js +206 -0
package/script/analyzer/types.d.ts +14 -28
package/script/analyzer/types.d.ts.map +1 -1
package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +10 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +334 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +305 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.js +48 -0
package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
package/script/deps/jsr.io/@std/fmt/1.0.3/colors.js +986 -0
package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
package/script/deps/jsr.io/@std/io/0.225.0/types.js +18 -0
package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
package/script/deps/jsr.io/@std/io/0.225.0/write_all.js +65 -0
package/script/shared/deep_merge.d.ts +12 -0
package/script/shared/deep_merge.d.ts.map +1 -0
package/script/shared/deep_merge.js +53 -0
package/script/shared/mod.d.ts +1 -0
package/script/shared/mod.d.ts.map +1 -1
package/script/shared/mod.js +1 -0
package/script/shared/types/filetypes.d.ts +2 -2
package/script/shared/types/filetypes.d.ts.map +1 -1
package/script/shared/types/permissions.d.ts +1 -1
package/script/shared/types/permissions.d.ts.map +1 -1
package/script/shared/types/risks.d.ts +4 -1
package/script/shared/types/risks.d.ts.map +1 -1
package/script/skillreader/types.d.ts +2 -2
package/script/skillreader/types.d.ts.map +1 -1
package/script/skillreader/types.js +2 -2
package/src/_dnt.polyfills.ts +27 -0
package/src/_dnt.shims.ts +64 -0
package/src/analyzer/astgrep/client.ts +184 -0
package/src/analyzer/astgrep/mod.ts +2 -0
package/src/analyzer/config/default.ts +98 -0
package/src/analyzer/config/helpers.ts +107 -0
package/src/analyzer/config/mod.ts +3 -0
package/src/analyzer/config/types.ts +103 -0
package/src/analyzer/logging.ts +8 -0
package/src/analyzer/mod.ts +118 -0
package/src/analyzer/result.ts +393 -0
package/src/analyzer/rules/bash/astTypes.ts +5 -0
package/src/analyzer/rules/bash/commands/bd.ts +23 -0
package/src/analyzer/rules/bash/commands/cron.ts +21 -0
package/src/analyzer/rules/bash/commands/docker.ts +37 -0
package/src/analyzer/rules/bash/commands/eval.ts +52 -0
package/src/analyzer/rules/bash/commands/generic.ts +16 -0
package/src/analyzer/rules/bash/commands/gh.ts +21 -0
package/src/analyzer/rules/bash/commands/git.ts +28 -0
package/src/analyzer/rules/bash/commands/mod.ts +38 -0
package/src/analyzer/rules/bash/commands/node.ts +64 -0
package/src/analyzer/rules/bash/commands/openspec.ts +16 -0
package/src/analyzer/rules/bash/commands/pip.ts +16 -0
package/src/analyzer/rules/bash/commands/sudo.ts +21 -0
package/src/analyzer/rules/bash/destructive.ts +28 -0
package/src/analyzer/rules/bash/extractFileRefs.ts +101 -0
package/src/analyzer/rules/bash/filesystem.ts +50 -0
package/src/analyzer/rules/bash/injection.ts +21 -0
package/src/analyzer/rules/bash/inline-command-classifier.ts +94 -0
package/src/analyzer/rules/bash/mod.ts +23 -0
package/src/analyzer/rules/bash/network.ts +64 -0
package/src/analyzer/rules/bash/secret-detection.ts +43 -0
package/src/analyzer/rules/javascript/astTypes.ts +8 -0
package/src/analyzer/rules/javascript/extractFileRefs.ts +131 -0
package/src/analyzer/rules/javascript/filesystem.ts +28 -0
package/src/analyzer/rules/javascript/injection.ts +21 -0
package/src/analyzer/rules/javascript/mod.ts +26 -0
package/src/analyzer/rules/javascript/network.ts +27 -0
package/src/analyzer/rules/javascript/secret-detection.ts +68 -0
package/src/analyzer/rules/javascript/subprocess.ts +16 -0
package/src/analyzer/rules/markdown/astTypes.ts +35 -0
package/src/analyzer/rules/markdown/extractCodeBlocks.ts +101 -0
package/src/analyzer/rules/markdown/extractFileRefs.ts +179 -0
package/src/analyzer/rules/markdown/mod.ts +12 -0
package/src/analyzer/rules/mod.ts +77 -0
package/src/analyzer/rules/python/astTypes.ts +9 -0
package/src/analyzer/rules/python/extractFileRefs.ts +92 -0
package/src/analyzer/rules/python/mod.ts +15 -0
package/src/analyzer/rules/python/network.ts +26 -0
package/src/analyzer/rules/python/secret-detection.ts +30 -0
package/src/analyzer/rules/shared/file-refs.ts +38 -0
package/src/analyzer/rules/shared/network-evaluators.ts +107 -0
package/src/analyzer/rules/shared/prompt-injection.ts +48 -0
package/src/analyzer/rules/shared/secret-evaluators.ts +13 -0
package/src/analyzer/rules/text/mod.ts +12 -0
package/src/analyzer/rules/typescript/mod.ts +7 -0
package/src/analyzer/steps/001-discovery/discover-files.ts +211 -0
package/src/analyzer/steps/001-discovery/filter-files.ts +72 -0
package/src/analyzer/steps/001-discovery/mod.ts +103 -0
package/src/analyzer/steps/002-permissions/mod.ts +329 -0
package/src/analyzer/steps/002-permissions/scan-file.ts +258 -0
package/src/analyzer/steps/002-permissions/seed-frontmatter.ts +66 -0
package/src/analyzer/steps/002-permissions/synthesize.ts +42 -0
package/src/analyzer/steps/003-risks/dep-risks.ts +89 -0
package/src/analyzer/steps/003-risks/helpers.ts +41 -0
package/src/analyzer/steps/003-risks/mod.ts +86 -0
package/src/analyzer/steps/003-risks/policy.ts +38 -0
package/src/analyzer/steps/003-risks/rule-mapped.ts +206 -0
package/src/analyzer/steps/003-risks/scoring.ts +117 -0
package/src/analyzer/steps/mod.ts +3 -0
package/src/analyzer/treesitter/client.ts +120 -0
package/src/analyzer/treesitter/registry.ts +198 -0
package/src/analyzer/types.ts +78 -0
package/src/analyzer/utils/code-block-path.ts +33 -0
package/src/analyzer/utils/id-generator.ts +59 -0
package/src/analyzer/utils/secret-validator.ts +29 -0
package/src/analyzer/utils/url-parser.ts +25 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/deps.ts +3 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/mod.ts +265 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/multi.ts +250 -0
package/src/deps/jsr.io/@deno-library/progress/1.5.1/time.ts +69 -0
package/src/deps/jsr.io/@std/fmt/1.0.3/colors.ts +1004 -0
package/src/deps/jsr.io/@std/internal/1.0.12/_os.ts +15 -0
package/src/deps/jsr.io/@std/internal/1.0.12/os.ts +7 -0
package/src/deps/jsr.io/@std/io/0.225.0/types.ts +157 -0
package/src/deps/jsr.io/@std/io/0.225.0/write_all.ts +65 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/assert_path.ts +10 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/basename.ts +53 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/common.ts +26 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/constants.ts +49 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/dirname.ts +9 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/format.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/from_file_url.ts +12 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/glob_to_reg_exp.ts +295 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize.ts +9 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize_string.ts +74 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/relative.ts +10 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/strip_trailing_separators.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/_common/to_file_url.ts +17 -0
package/src/deps/jsr.io/@std/path/1.1.4/basename.ts +37 -0
package/src/deps/jsr.io/@std/path/1.1.4/common.ts +35 -0
package/src/deps/jsr.io/@std/path/1.1.4/constants.ts +18 -0
package/src/deps/jsr.io/@std/path/1.1.4/dirname.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/extname.ts +29 -0
package/src/deps/jsr.io/@std/path/1.1.4/format.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/from_file_url.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/glob_to_regexp.ts +94 -0
package/src/deps/jsr.io/@std/path/1.1.4/is_absolute.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/is_glob.ts +49 -0
package/src/deps/jsr.io/@std/path/1.1.4/join.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/join_globs.ts +42 -0
package/src/deps/jsr.io/@std/path/1.1.4/mod.ts +217 -0
package/src/deps/jsr.io/@std/path/1.1.4/normalize.ts +33 -0
package/src/deps/jsr.io/@std/path/1.1.4/normalize_glob.ts +45 -0
package/src/deps/jsr.io/@std/path/1.1.4/parse.ts +44 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/_util.ts +10 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/basename.ts +62 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/constants.ts +15 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/dirname.ts +72 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/extname.ts +96 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/format.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/from_file_url.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/glob_to_regexp.ts +94 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/is_absolute.ts +25 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/join.ts +46 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/join_globs.ts +45 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize.ts +63 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize_glob.ts +43 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/parse.ts +121 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/relative.ts +103 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/resolve.ts +71 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/to_file_url.ts +32 -0
package/src/deps/jsr.io/@std/path/1.1.4/posix/to_namespaced_path.ts +21 -0
package/src/deps/jsr.io/@std/path/1.1.4/relative.ts +32 -0
package/src/deps/jsr.io/@std/path/1.1.4/resolve.ts +32 -0
package/src/deps/jsr.io/@std/path/1.1.4/to_file_url.ts +30 -0
package/src/deps/jsr.io/@std/path/1.1.4/to_namespaced_path.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/types.ts +40 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/_util.ts +28 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/basename.ts +54 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/constants.ts +15 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/dirname.ts +118 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/extname.ts +90 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/format.ts +31 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/from_file_url.ts +34 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/glob_to_regexp.ts +92 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/is_absolute.ts +40 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/join.ts +78 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/join_globs.ts +46 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize.ts +136 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize_glob.ts +43 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/parse.ts +184 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/relative.ts +128 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/resolve.ts +178 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/to_file_url.ts +38 -0
package/src/deps/jsr.io/@std/path/1.1.4/windows/to_namespaced_path.ts +60 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_chars.ts +55 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_dumper_state.ts +841 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_loader_state.ts +1780 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_schema.ts +183 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/binary.ts +127 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/bool.ts +37 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/float.ts +112 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/int.ts +174 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/map.ts +17 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/merge.ts +13 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/nil.ts +27 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/omap.ts +30 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/pairs.ts +22 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/regexp.ts +33 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/seq.ts +13 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/set.ts +17 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/str.ts +12 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/timestamp.ts +101 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type/undefined.ts +23 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_type.ts +49 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/_utils.ts +16 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/mod.ts +54 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/parse.ts +128 -0
package/src/deps/jsr.io/@std/yaml/1.0.11/stringify.ts +118 -0
package/src/shared/deep_merge.ts +73 -0
package/src/shared/mod.ts +2 -0
package/src/shared/types/filetypes.ts +101 -0
package/src/shared/types/findings.ts +7 -0
package/src/shared/types/mod.ts +6 -0
package/src/shared/types/permissions.ts +17 -0
package/src/shared/types/references.ts +62 -0
package/src/shared/types/risks.ts +72 -0
package/src/shared/types/syntaxNode.ts +7 -0
package/src/skillreader/cloudStorage/mod.ts +170 -0
package/src/skillreader/factory.ts +71 -0
package/src/skillreader/fs/git.ts +153 -0
package/src/skillreader/fs/mod.ts +84 -0
package/src/skillreader/github/base.ts +162 -0
package/src/skillreader/github/githubApi.ts +40 -0
package/src/skillreader/github/githubRaw.ts +24 -0
package/src/skillreader/github/mod.ts +45 -0
package/src/skillreader/github/utils.ts +40 -0
package/src/skillreader/manifest.ts +67 -0
package/src/skillreader/mod.ts +26 -0
package/src/skillreader/types.ts +150 -0
package/src/skillreader/utils/frontmatter-parser.ts +72 -0
package/src/skillreader/utils/http-range.ts +38 -0
package/src/skillreader/utils/mod.ts +12 -0
package/esm/analyzer/astgrep/registry.d.ts +0 -18
package/esm/analyzer/astgrep/registry.d.ts.map +0 -1
package/esm/analyzer/astgrep/registry.js +0 -71
package/esm/analyzer/config.d.ts +0 -27
package/esm/analyzer/config.d.ts.map +0 -1
package/esm/analyzer/steps/003-risks/output.d.ts +0 -3
package/esm/analyzer/steps/003-risks/output.d.ts.map +0 -1
package/esm/analyzer/steps/003-risks/output.js +0 -16
package/esm/analyzer/treesiter/client.d.ts +0 -26
package/esm/analyzer/treesiter/client.d.ts.map +0 -1
package/script/analyzer/astgrep/registry.d.ts +0 -18
package/script/analyzer/astgrep/registry.d.ts.map +0 -1
package/script/analyzer/astgrep/registry.js +0 -109
package/script/analyzer/config.d.ts +0 -27
package/script/analyzer/config.d.ts.map +0 -1
package/script/analyzer/steps/003-risks/output.d.ts +0 -3
package/script/analyzer/steps/003-risks/output.d.ts.map +0 -1
package/script/analyzer/steps/003-risks/output.js +0 -19
package/script/analyzer/treesiter/client.d.ts +0 -26
package/script/analyzer/treesiter/client.d.ts.map +0 -1
package/script/analyzer/treesiter/client.js +0 -165

package/src/analyzer/rules/mod.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { BASH_FILETYPE_CONFIS, BASH_RULES } from "./bash/mod.js";
+import {
+    JAVASCRIPT_FILETYPE_CONFIGS,
+    JAVASCRIPT_RULES,
+    TYPESCRIPT_FILETYPE_CONFIGS,
+} from "./javascript/mod.js";
+import { MARKDOWN_FILETYPE_CONFIG, MARKDOWN_RULES } from "./markdown/mod.js";
+import { PYTHON_RULES, PYTHONG_FILETYPE_CONFIGS } from "./python/mod.js";
+import { PROMPT_REGEX_RULES } from "./shared/prompt-injection.js";
+import type { FileRefDiscovery, FileTypeConfig } from "../types.js";
+import { TEXT_FILETYPE_CONFIG, TEXT_RULES } from "./text/mod.js";
+import { TYPESCRIPT_RULES } from "./typescript/mod.js";
+import type { FileType, RuleRiskInput, RuleRiskResult } from "../../shared/mod.js";
+import type { AstGrepRule } from "../astgrep/client.js";
+import type { PromptRegexRule } from "./shared/prompt-injection.js";
+// Single registry used for both file-level scanning and code-block scanning.
+export const RULES_BY_FILETYPE: Partial<Record<FileType, readonly AstGrepRule[]>> = {
+    markdown: MARKDOWN_RULES,
+    text: TEXT_RULES,
+    bash: BASH_RULES,
+    javascript: JAVASCRIPT_RULES,
+    typescript: TYPESCRIPT_RULES,
+    python: PYTHON_RULES,
+} as const;
+export const FILETYPE_CONFIGS: Record<FileType, FileTypeConfig> = {
+    markdown: MARKDOWN_FILETYPE_CONFIG,
+    text: TEXT_FILETYPE_CONFIG,
+    bash: BASH_FILETYPE_CONFIS,
+    javascript: JAVASCRIPT_FILETYPE_CONFIGS,
+    typescript: TYPESCRIPT_FILETYPE_CONFIGS,
+    python: PYTHONG_FILETYPE_CONFIGS,
+    csv: { defaultLanguage: null },
+    json: { defaultLanguage: null },
+    yaml: { defaultLanguage: null },
+    toml: { defaultLanguage: null },
+    config: { defaultLanguage: null },
+    sql: { defaultLanguage: null },
+    xml: { defaultLanguage: null },
+    binary: { defaultLanguage: null },
+    unknown: { defaultLanguage: null },
+} as const;
+export { PROMPT_REGEX_RULES };
+export type { FileRefDiscovery };
+export type RiskRuleDefinition = AstGrepRule | PromptRegexRule;
+export const RULES_BY_ID: Map<string, RiskRuleDefinition> = new Map(
+    [
+        ...Object.values(RULES_BY_FILETYPE).flatMap((rules) => rules ?? []),
+        ...PROMPT_REGEX_RULES,
+    ].map((rule) => [rule.id, rule] as const),
+);
+export function evalRuleRiskMappings(
+    rule: RiskRuleDefinition,
+    input: RuleRiskInput,
+): RuleRiskResult[] {
+    const entries = "permission" in rule
+        ? (rule.permission.mappedRisks ?? [])
+        : (rule.mappedRisks ?? []);
+    const results: RuleRiskResult[] = [];
+    for (const entry of entries) {
+        if (typeof entry === "function") {
+            const value = entry(input);
+            if (!value) continue;
+            results.push(...(Array.isArray(value) ? value : [value]));
+            continue;
+        }
+        results.push(entry);
+    }
+    return results;
+}

package/src/analyzer/rules/python/astTypes.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/** ast-grep node types for Python. */
+export const PYTHON_NODE = {
+    IMPORT_STATEMENT: "import_statement",
+    IMPORT_FROM_STATEMENT: "import_from_statement",
+    CALL: "call",
+    STRING: "string",
+    STRING_CONTENT: "string_content",
+    DOTTED_NAME: "dotted_name",
+} as const;

package/src/analyzer/rules/python/extractFileRefs.ts ADDED Viewed

@@ -0,0 +1,92 @@
+/**
+ * File reference extractor for Python scripts.
+ *
+ * Detects:
+ * - import statements → via: "import"
+ * - from...import statements → via: "import"
+ * - open() calls with host FS paths → via: "bare-path"
+ * - URL string literals (requests.get, urllib, etc.) → via: "url"
+ *
+ * Uses ast-grep AST traversal.
+ */
+import { isHostFsPath, isUrl } from "../shared/file-refs.js";
+import type { AnalyzerContext, FileRefDiscovery } from "../../types.js";
+import { PYTHON_NODE } from "./astTypes.js";
+export async function extractPythonFileRefs(
+    context: AnalyzerContext,
+    content: string,
+): Promise<FileRefDiscovery[]> {
+    const refs: FileRefDiscovery[] = [];
+    const ast = await context.astgrepClient.parse("python", content);
+    const root = ast.root();
+    // ── import_statement (e.g. `import os`, `import os.path`) ───────────────
+    const importNodes = root.findAll({ rule: { kind: PYTHON_NODE.IMPORT_STATEMENT } });
+    for (const node of importNodes) {
+        const nameNode = node.find({ rule: { kind: PYTHON_NODE.DOTTED_NAME } });
+        const pkg = nameNode?.text() ?? "";
+        if (pkg) {
+            refs.push({ path: pkg, line: node.range().start.line + 1, via: "import" });
+        }
+    }
+    // ── import_from_statement (e.g. `from os.path import join`) ─────────────
+    const fromImportNodes = root.findAll({ rule: { kind: PYTHON_NODE.IMPORT_FROM_STATEMENT } });
+    for (const node of fromImportNodes) {
+        const moduleNode = node.field("module_name");
+        const pkg = moduleNode?.text() ?? "";
+        if (pkg) {
+            refs.push({ path: pkg, line: node.range().start.line + 1, via: "import" });
+        }
+    }
+    // ── open("path") ─────────────────────────────────────────────────────────
+    const openCallNodes = root.findAll({
+        rule: {
+            kind: PYTHON_NODE.CALL,
+            has: {
+                field: "function",
+                regex: "^open$",
+                stopBy: "neighbor",
+            },
+        },
+    });
+    for (const node of openCallNodes) {
+        const argsNode = node.field("arguments");
+        if (!argsNode) continue;
+        // string → string_content (Python string has no string_fragment)
+        const strNode = argsNode.find({ rule: { kind: PYTHON_NODE.STRING } });
+        const contentNode = strNode?.find({ rule: { kind: PYTHON_NODE.STRING_CONTENT } });
+        const path = contentNode?.text() ?? "";
+        if (path && isHostFsPath(path)) {
+            refs.push({ path, line: node.range().start.line + 1, via: "bare-path" });
+        }
+    }
+    // ── requests.*/urllib.* URL calls ────────────────────────────────────────
+    const httpCallNodes = root.findAll({
+        rule: {
+            kind: PYTHON_NODE.CALL,
+            has: {
+                field: "function",
+                regex: "^(?:requests|urllib)",
+                stopBy: "neighbor",
+            },
+        },
+    });
+    for (const node of httpCallNodes) {
+        const argsNode = node.field("arguments");
+        if (!argsNode) continue;
+        const strNode = argsNode.find({ rule: { kind: PYTHON_NODE.STRING } });
+        const contentNode = strNode?.find({ rule: { kind: PYTHON_NODE.STRING_CONTENT } });
+        const url = contentNode?.text() ?? "";
+        if (url && isUrl(url)) {
+            refs.push({ path: url, line: node.range().start.line + 1, via: "url" });
+        }
+    }
+    return refs;
+}

package/src/analyzer/rules/python/mod.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import { FileTypeConfig } from "../../types.js";
+import { extractPythonFileRefs } from "./extractFileRefs.js";
+import { PYTHON_NETWORK_RULES } from "./network.js";
+import { PYTHON_SECRET_DETECTION_RULES } from "./secret-detection.js";
+export const PYTHON_RULES: AstGrepRule[] = [
+    ...PYTHON_NETWORK_RULES,
+    ...PYTHON_SECRET_DETECTION_RULES,
+];
+export const PYTHONG_FILETYPE_CONFIGS: FileTypeConfig = {
+    defaultLanguage: "python",
+    extractFileRefs: extractPythonFileRefs,
+};

package/src/analyzer/rules/python/network.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import { DETECT_NETWORK_FETCH_RISKS } from "../shared/network-evaluators.js";
+export const PYTHON_NETWORK_RULES: AstGrepRule[] = [
+    {
+        id: "net-requests",
+        description: "Detects Python requests usage",
+        grammar: "python",
+        patterns: [
+            "requests.get($URL)",
+            "requests.post($URL, data=$DATA)",
+            "requests.put($URL, data=$DATA)",
+            "requests.patch($URL, data=$DATA)",
+        ],
+        permission: {
+            tool: "requests",
+            scope: "net",
+            permission: "fetch",
+            metadata: {
+                url: "URL",
+                data: "DATA",
+            },
+            mappedRisks: [DETECT_NETWORK_FETCH_RISKS],
+        },
+    },
+];

package/src/analyzer/rules/python/secret-detection.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import { DETECT_SECRET_NAME_RISK } from "../shared/secret-evaluators.js";
+export const PYTHON_SECRET_DETECTION_RULES: AstGrepRule[] = [
+    {
+        id: "secret-python-env-read",
+        description: "Detects Python env reads",
+        grammar: "python",
+        patterns: ["os.environ[$KEY]", "os.environ.get($KEY)", "os.getenv($KEY)"],
+        permission: {
+            tool: "env",
+            scope: "env",
+            permission: "read",
+            metadata: { key: "KEY" },
+            mappedRisks: [DETECT_SECRET_NAME_RISK],
+        },
+    },
+    {
+        id: "secret-python-env-write",
+        description: "Detects Python env writes",
+        grammar: "python",
+        patterns: ["os.environ[$KEY] = $VALUE"],
+        permission: {
+            tool: "env",
+            scope: "env",
+            permission: "write",
+            metadata: { key: "KEY" },
+        },
+    },
+];

package/src/analyzer/rules/shared/file-refs.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Shared types and utilities for file reference discovery across all language extractors.
+ */
+import { getFileType } from "../../../shared/mod.js";
+/**
+ * Patterns that indicate the referenced path targets the host filesystem
+ * rather than the skill package itself.
+ */
+export const HOST_FS_PATTERNS: RegExp[] = [
+    /^~\//, // ~/... (HOME directory expansion)
+    /^\$[A-Z_][A-Z0-9_]*\//, // $HOME/..., $VAR/... (env var expansion)
+    /^\//, // /absolute/path (absolute path)
+];
+/** Returns true if the path targets the host filesystem. */
+export function isHostFsPath(path: string): boolean {
+    return HOST_FS_PATTERNS.some((p) => p.test(path));
+}
+/** Returns true if the string looks like a URL. */
+export function isUrl(value: string): boolean {
+    return /^https?:\/\//i.test(value);
+}
+/**
+ * Regex pattern for bare relative paths (e.g. references/guide.md, ./script.py).
+ * Used by markdown and text extractors for prose scanning.
+ */
+export const BARE_PATH_PATTERN = /(?:\.\.?\/)?[\w./-]+\.[\w-]+/g;
+/** Returns true if the value looks like a file path (not a command or word). */
+export function looksLikePath(value: string): boolean {
+    if (/^\.?\.?\//.test(value)) return true;
+    if (value.includes("/")) return true;
+    return getFileType(value) != "unknown";
+}

package/src/analyzer/rules/shared/network-evaluators.ts ADDED Viewed

@@ -0,0 +1,107 @@
+import type {
+    DynamicRuleRiskMapping,
+    Permission,
+    RuleRiskResult,
+    StaticRuleRiskMapping,
+} from "../../../shared/mod.js";
+import { classifyDestination, parseUrlFromUnknown } from "../../utils/url-parser.js";
+const WRITE_METHODS = new Set(["POST", "PUT", "PATCH"]);
+export const DETECT_NETWORK_FETCH_RISKS: DynamicRuleRiskMapping = ({ permission }) => {
+    if (!permission) return null;
+    const rawUrl = resolveUrl(permission);
+    if (!rawUrl) return null;
+    const parsed = parseUrlFromUnknown(rawUrl);
+    if (!parsed) return null;
+    const method = resolveMethod(permission);
+    const destination = classifyDestination(parsed.host);
+    const hasSecretsInRequest = hasSecretInRequest(permission, rawUrl);
+    const results: RuleRiskResult[] = [];
+    if (destination === "external") {
+        if (WRITE_METHODS.has(method)) {
+            results.push({
+                code: "NETWORK:data_exfiltration",
+                severity: "critical",
+                message: `Writes data to external host ${parsed.host} via ${method}`,
+                metadata: {
+                    host: parsed.host,
+                    method,
+                    destination,
+                    url: parsed.raw,
+                },
+            });
+        } else {
+            results.push({
+                code: "NETWORK:external_network_access",
+                severity: "warning",
+                message: `Reads from external host ${parsed.host}`,
+                metadata: {
+                    host: parsed.host,
+                    method,
+                    destination,
+                    url: parsed.raw,
+                },
+            });
+        }
+    }
+    if (hasSecretsInRequest) {
+        results.push({
+            code: destination === "external"
+                ? "NETWORK:credential_leak"
+                : "NETWORK:localhost_secret_exposure",
+            severity: destination === "external" ? "critical" : "warning",
+            message: `Potential secret transmission detected for ${parsed.host}`,
+            metadata: {
+                host: parsed.host,
+                method,
+                destination,
+                url: parsed.raw,
+            },
+        });
+    }
+    if (results.length === 0) return null;
+    return results;
+};
+export const DETECT_REMOTE_CODE_EXECUTION_RISK: StaticRuleRiskMapping = {
+    code: "NETWORK:remote_code_execution",
+    severity: "critical",
+    message: "Remote output piped to shell",
+};
+function resolveUrl(permission: Permission): string | undefined {
+    const metadata = permission.metadata ?? {};
+    if (typeof metadata.url === "string") return metadata.url;
+    if (!Array.isArray(permission.args) || permission.args.length === 0) return undefined;
+    return permission.args.find((arg) => /\.|localhost|\//.test(arg));
+}
+function resolveMethod(permission: Permission): string {
+    const metadata = permission.metadata ?? {};
+    const raw = typeof metadata.method === "string"
+        ? metadata.method
+        : inferMethodFromArgs(permission.args);
+    return String(raw).toUpperCase();
+}
+function inferMethodFromArgs(args?: string[]): string {
+    if (!args || args.length === 0) return "GET";
+    const explicit = args.find((arg) => /^(get|post|put|patch|delete)$/i.test(arg));
+    return explicit ? explicit.toUpperCase() : "GET";
+}
+function hasSecretInRequest(permission: Permission, rawUrl: string): boolean {
+    const metadata = permission.metadata ?? {};
+    const header = String(metadata.header ?? metadata.headers ?? "");
+    return /token|authorization|bearer|api[_-]?key|secret/i.test(
+        `${header} ${rawUrl} ${JSON.stringify(metadata)}`,
+    );
+}

package/src/analyzer/rules/shared/prompt-injection.ts ADDED Viewed

@@ -0,0 +1,48 @@
+import type { RuleRiskMapping } from "../../../shared/mod.js";
+export type PromptRegexRule = {
+    id: string;
+    pattern: RegExp;
+    mappedRisks?: RuleRiskMapping[];
+};
+export const PROMPT_REGEX_RULES: PromptRegexRule[] = [
+    {
+        id: "prompt-ignore-previous",
+        pattern: /ignore previous instructions?/i,
+        mappedRisks: [{
+            code: "PROMPT:prompt_override",
+            severity: "critical",
+            message: "Prompt override attempt detected",
+        }],
+    },
+    {
+        id: "prompt-forget-rules",
+        pattern: /forget (all )?(previous|earlier) rules/i,
+        mappedRisks: [{
+            code: "PROMPT:prompt_override",
+            severity: "critical",
+            message: "Prompt override attempt detected",
+        }],
+    },
+    {
+        id: "prompt-reveal-system-prompt",
+        pattern:
+            /(reveal|show|print|dump|leak|disclose|output)\b[\s\S]{0,80}\b(system prompt|hidden instructions?)/i,
+        mappedRisks: [{
+            code: "PROMPT:prompt_override",
+            severity: "warning",
+            message: "Prompt override attempt detected",
+        }],
+    },
+    {
+        id: "prompt-ignore-and-reveal",
+        pattern:
+            /\b(ignore|forget)\b[\s\S]{0,80}\b(previous|earlier)\b[\s\S]{0,80}\b(instructions?|rules?|system prompt)/i,
+        mappedRisks: [{
+            code: "PROMPT:prompt_override",
+            severity: "critical",
+            message: "Prompt override attempt detected",
+        }],
+    },
+];

package/src/analyzer/rules/shared/secret-evaluators.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { DynamicRuleRiskMapping } from "../../../shared/mod.js";
+import { isSecretLikeName, normalizeKeyCandidate } from "../../utils/secret-validator.js";
+export const DETECT_SECRET_NAME_RISK: DynamicRuleRiskMapping = ({ finding }) => {
+    const key = normalizeKeyCandidate(finding.extracted.key ?? finding.extracted.var);
+    if (!isSecretLikeName(key)) return null;
+    return {
+        code: "SECRETS:secret_access",
+        severity: "warning",
+        message: `Potential secret or credential access: ${key}`,
+    };
+};

package/src/analyzer/rules/text/mod.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import { FileTypeConfig } from "../../types.js";
+import { extractCodeBlocks } from "../markdown/extractCodeBlocks.js";
+import { extractMarkdownFileRefs } from "../markdown/extractFileRefs.js";
+export const TEXT_RULES: AstGrepRule[] = [];
+export const TEXT_FILETYPE_CONFIG: FileTypeConfig = {
+    extractCodeBlocks,
+    defaultLanguage: "markdown",
+    extractFileRefs: extractMarkdownFileRefs,
+};

package/src/analyzer/rules/typescript/mod.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { AstGrepRule } from "../../astgrep/client.js";
+import { JAVASCRIPT_RULES } from "../javascript/mod.js";
+export const TYPESCRIPT_RULES: AstGrepRule[] = [...JAVASCRIPT_RULES].map((rule) => ({
+    ...rule,
+    language: "typescript",
+}));