@fourteensystems/shipguard 0.1.0

package/dist/engine/run.js

@@ -0,0 +1,101 @@
+import { DEFAULT_CONFIG, loadConfigIfExists } from "./config.js";
+import { buildNextIndex } from "../next/index.js";
+import { runAllRules } from "../rules/index.js";
+import { loadWaivers, applyWaivers } from "./waivers.js";
+import { computeScore, summarizeFindings } from "./score.js";
+import { SHIPGUARD_VERSION, INDEX_VERSION, hashConfig } from "./version.js";
+export async function runScan(opts) {
+    const userConfig = loadConfigIfExists(opts.rootDir);
+    const config = {
+        ...DEFAULT_CONFIG,
+        ...userConfig,
+        ...opts.configOverrides,
+        scoring: {
+            ...DEFAULT_CONFIG.scoring,
+            ...userConfig?.scoring,
+            ...opts.configOverrides?.scoring,
+            penalties: {
+                ...DEFAULT_CONFIG.scoring.penalties,
+                ...userConfig?.scoring?.penalties,
+                ...opts.configOverrides?.scoring?.penalties,
+            },
+        },
+        hints: {
+            auth: {
+                functions: userConfig?.hints?.auth?.functions ?? DEFAULT_CONFIG.hints.auth.functions,
+                middlewareFiles: userConfig?.hints?.auth?.middlewareFiles ?? DEFAULT_CONFIG.hints.auth.middlewareFiles,
+                allowlistPaths: userConfig?.hints?.auth?.allowlistPaths ?? DEFAULT_CONFIG.hints.auth.allowlistPaths,
+            },
+            rateLimit: {
+                wrappers: userConfig?.hints?.rateLimit?.wrappers ?? DEFAULT_CONFIG.hints.rateLimit.wrappers,
+                allowlistPaths: userConfig?.hints?.rateLimit?.allowlistPaths ?? DEFAULT_CONFIG.hints.rateLimit.allowlistPaths,
+            },
+            tenancy: {
+                orgFieldNames: userConfig?.hints?.tenancy?.orgFieldNames ?? DEFAULT_CONFIG.hints.tenancy.orgFieldNames,
+            },
+        },
+        ci: {
+            ...DEFAULT_CONFIG.ci,
+            ...userConfig?.ci,
+            ...opts.configOverrides?.ci,
+        },
+        rules: opts.configOverrides?.rules ?? {
+            ...DEFAULT_CONFIG.rules,
+            ...userConfig?.rules,
+        },
+    };
+    // Merge additional excludes from CLI flags
+    if (opts.additionalExclude?.length) {
+        config.exclude = [...config.exclude, ...opts.additionalExclude];
+    }
+    // Build Next.js index
+    const index = await buildNextIndex(opts.rootDir, config.exclude);
+    // Merge auto-detected hints with user config
+    const mergedHints = mergeHints(config.hints, index.hints);
+    // Run rules
+    const rawFindings = runAllRules(index, { ...config, hints: mergedHints });
+    // Apply waivers
+    const waivers = loadWaivers(opts.rootDir, config.waiversFile);
+    const { active, waived } = applyWaivers(rawFindings, waivers);
+    // Score
+    const score = computeScore(active, config.scoring);
+    const counts = summarizeFindings(active);
+    return {
+        version: 1,
+        shipguardVersion: SHIPGUARD_VERSION,
+        configHash: hashConfig(config),
+        indexVersion: INDEX_VERSION,
+        timestamp: new Date().toISOString(),
+        framework: index.framework,
+        detected: {
+            deps: index.deps,
+            trpc: index.trpc.detected,
+            middleware: index.middleware.authLikely || index.middleware.rateLimitLikely,
+        },
+        score,
+        findings: active,
+        waivedFindings: waived,
+        summary: {
+            total: active.length,
+            ...counts,
+            waived: waived.length,
+        },
+    };
+}
+function mergeHints(userHints, detectedHints) {
+    return {
+        auth: {
+            functions: [...new Set([...(userHints.auth?.functions ?? []), ...(detectedHints.auth?.functions ?? [])])],
+            middlewareFiles: [...new Set([...(userHints.auth?.middlewareFiles ?? []), ...(detectedHints.auth?.middlewareFiles ?? [])])],
+            allowlistPaths: [...new Set([...(userHints.auth?.allowlistPaths ?? []), ...(detectedHints.auth?.allowlistPaths ?? [])])],
+        },
+        rateLimit: {
+            wrappers: [...new Set([...(userHints.rateLimit?.wrappers ?? []), ...(detectedHints.rateLimit?.wrappers ?? [])])],
+            allowlistPaths: [...new Set([...(userHints.rateLimit?.allowlistPaths ?? []), ...(detectedHints.rateLimit?.allowlistPaths ?? [])])],
+        },
+        tenancy: {
+            orgFieldNames: [...new Set([...(userHints.tenancy?.orgFieldNames ?? []), ...(detectedHints.tenancy?.orgFieldNames ?? [])])],
+        },
+    };
+}
+//# sourceMappingURL=run.js.map

package/dist/engine/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../src/engine/run.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAS5E,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAgB;IAC5C,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,MAAM,GAAoB;QAC9B,GAAG,cAAc;QACjB,GAAG,UAAU;QACb,GAAG,IAAI,CAAC,eAAe;QACvB,OAAO,EAAE;YACP,GAAG,cAAc,CAAC,OAAO;YACzB,GAAG,UAAU,EAAE,OAAO;YACtB,GAAG,IAAI,CAAC,eAAe,EAAE,OAAO;YAChC,SAAS,EAAE;gBACT,GAAG,cAAc,CAAC,OAAO,CAAC,SAAS;gBACnC,GAAG,UAAU,EAAE,OAAO,EAAE,SAAS;gBACjC,GAAG,IAAI,CAAC,eAAe,EAAE,OAAO,EAAE,SAAS;aAC5C;SACF;QACD,KAAK,EAAE;YACL,IAAI,EAAE;gBACJ,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,IAAI,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS;gBACpF,eAAe,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,IAAI,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe;gBACtG,cAAc,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,IAAI,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc;aACpG;YACD,SAAS,EAAE;gBACT,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,IAAI,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ;gBAC3F,cAAc,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,IAAI,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,cAAc;aAC9G;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,aAAa,IAAI,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa;aACvG;SACF;QACD,EAAE,EAAE;YACF,GAAG,cAAc,CAAC,EAAE;YACpB,GAAG,UAAU,EAAE,EAAE;YACjB,GAAG,IAAI,CAAC,eAAe,EAAE,EAAE;SAC5B;QACD,KAAK,EAAE,IAAI,CAAC,eAAe,EAAE,KAAK,IAAI;YACpC,GAAG,cAAc,CAAC,KAAK;YACvB,GAAG,UAAU,EAAE,KAAK;SACrB;KACF,CAAC;IAEF,2CAA2C;IAC3C,IAAI,IAAI,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;QACnC,MAAM,CAAC,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAClE,CAAC;IAED,sBAAsB;IACtB,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAEjE,6CAA6C;IAC7C,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IAE1D,YAAY;IACZ,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,EAAE,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IAE1E,gBAAgB;IAChB,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAC9D,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAE9D,QAAQ;IACR,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAEzC,OAAO;QACL,OAAO,EAAE,CAAC;QACV,gBAAgB,EAAE,iBAAiB;QACnC,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC;QAC9B,YAAY,EAAE,aAAa;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,QAAQ,EAAE;YACR,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ;YACzB,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,UAAU,IAAI,KAAK,CAAC,UAAU,CAAC,eAAe;SAC5E;QACD,KAAK;QACL,QAAQ,EAAE,MAAM;QAChB,cAAc,EAAE,MAAM;QACtB,OAAO,EAAE;YACP,KAAK,EAAE,MAAM,CAAC,MAAM;YACpB,GAAG,MAAM;YACT,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB;KACF,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CACjB,SAAmC,EACnC,aAAuC;IAEvC,OAAO;QACL,IAAI,EAAE;YACJ,SAAS,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,SAAS,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACzG,eAAe,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,eAAe,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,eAAe,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC3H,cAAc,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,cAAc,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;SACzH;QACD,SAAS,EAAE;YACT,QAAQ,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAChH,cAAc,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,cAAc,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,EAAE,cAAc,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;SACnI;QACD,OAAO,EAAE;YACP,aAAa,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,aAAa,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO,EAAE,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;SAC5H;KACF,CAAC;AACJ,CAAC"}

package/dist/engine/sarif.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from "./types.js";
+export declare function formatSarif(result: ScanResult): string;
+//# sourceMappingURL=sarif.d.ts.map

package/dist/engine/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/engine/sarif.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAW,MAAM,YAAY,CAAC;AAwCtD,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAiCtD"}

package/dist/engine/sarif.js

@@ -0,0 +1,58 @@
+import { SHIPGUARD_VERSION } from "./version.js";
+const SEVERITY_TO_SARIF_LEVEL = {
+    critical: "error",
+    high: "warning",
+    med: "note",
+    low: "note",
+};
+export function formatSarif(result) {
+    const ruleMap = new Map();
+    for (const f of result.findings) {
+        if (!ruleMap.has(f.ruleId)) {
+            ruleMap.set(f.ruleId, {
+                id: f.ruleId,
+                shortDescription: { text: f.message },
+                defaultConfiguration: { level: SEVERITY_TO_SARIF_LEVEL[f.severity] ?? "note" },
+            });
+        }
+    }
+    const sarifResults = result.findings.map(findingToSarif);
+    const log = {
+        $schema: "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: "Shipguard",
+                        version: SHIPGUARD_VERSION,
+                        rules: [...ruleMap.values()],
+                    },
+                },
+                results: sarifResults,
+            },
+        ],
+    };
+    return JSON.stringify(log, null, 2);
+}
+function findingToSarif(f) {
+    return {
+        ruleId: f.ruleId,
+        level: SEVERITY_TO_SARIF_LEVEL[f.severity] ?? "note",
+        message: { text: f.message },
+        locations: [
+            {
+                physicalLocation: {
+                    artifactLocation: { uri: f.file },
+                    ...(f.line ? { region: { startLine: f.line, ...(f.column ? { startColumn: f.column } : {}) } } : {}),
+                },
+            },
+        ],
+        properties: {
+            confidence: f.confidence,
+            evidence: f.evidence,
+            remediation: f.remediation,
+        },
+    };
+}
+//# sourceMappingURL=sarif.js.map

package/dist/engine/sarif.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/engine/sarif.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAgCjD,MAAM,uBAAuB,GAA2B;IACtD,QAAQ,EAAE,OAAO;IACjB,IAAI,EAAE,SAAS;IACf,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,MAAM;CACZ,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,MAAkB;IAC5C,MAAM,OAAO,GAAG,IAAI,GAAG,EAAqB,CAAC;IAE7C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE;gBACpB,EAAE,EAAE,CAAC,CAAC,MAAM;gBACZ,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;gBACrC,oBAAoB,EAAE,EAAE,KAAK,EAAE,uBAAuB,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE;aAC/E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAkB,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAExE,MAAM,GAAG,GAAa;QACpB,OAAO,EAAE,sFAAsF;QAC/F,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,iBAAiB;wBAC1B,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;qBAC7B;iBACF;gBACD,OAAO,EAAE,YAAY;aACtB;SACF;KACF,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,cAAc,CAAC,CAAU;IAChC,OAAO;QACL,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,KAAK,EAAE,uBAAuB,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM;QACpD,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QAC5B,SAAS,EAAE;YACT;gBACE,gBAAgB,EAAE;oBAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE;oBACjC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACrG;aACF;SACF;QACD,UAAU,EAAE;YACV,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B;KACF,CAAC;AACJ,CAAC"}

package/dist/engine/score.d.ts

@@ -0,0 +1,13 @@
+import type { Finding, ScoringConfig, ScanResult } from "./types.js";
+import type { Severity, Confidence } from "../next/types.js";
+export declare function computeScore(findings: Finding[], config?: ScoringConfig): number;
+export declare function summarizeFindings(findings: Finding[]): Record<Severity, number>;
+export declare function parseConfidence(input: string): Confidence;
+export declare function parseSeverity(input: string): Severity;
+export declare function parseIntOrThrow(input: string, name: string): number;
+export declare function confidenceLevel(c: Confidence): number;
+export declare function severityLevel(s: Severity): number;
+export type ScoreStatus = "PASS" | "WARN" | "FAIL";
+export declare function scoreStatus(score: number): ScoreStatus;
+export declare function buildDetectedList(result: ScanResult): string[];
+//# sourceMappingURL=score.d.ts.map

package/dist/engine/score.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.d.ts","sourceRoot":"","sources":["../../src/engine/score.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACrE,OAAO,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAO7D,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,OAAO,EAAE,EACnB,MAAM,GAAE,aAA+B,GACtC,MAAM,CASR;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAM/E;AAKD,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAGzD;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAGrD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAInE;AAED,wBAAgB,eAAe,CAAC,CAAC,EAAE,UAAU,GAAG,MAAM,CAOrD;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,QAAQ,GAAG,MAAM,CAQjD;AAED,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAEnD,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,CAEtD;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,EAAE,CAqB9D"}

package/dist/engine/score.js

@@ -0,0 +1,97 @@
+const DEFAULT_SCORING = {
+    start: 100,
+    penalties: { critical: 25, high: 10, med: 3, low: 1 },
+};
+export function computeScore(findings, config = DEFAULT_SCORING) {
+    let score = config.start;
+    for (const f of findings) {
+        const penalty = config.penalties[f.severity] ?? 0;
+        score -= penalty;
+    }
+    return Math.max(0, score);
+}
+export function summarizeFindings(findings) {
+    const counts = { critical: 0, high: 0, med: 0, low: 0 };
+    for (const f of findings) {
+        counts[f.severity]++;
+    }
+    return counts;
+}
+const VALID_CONFIDENCES = new Set(["high", "med", "low"]);
+const VALID_SEVERITIES = new Set(["critical", "high", "med", "low"]);
+export function parseConfidence(input) {
+    if (VALID_CONFIDENCES.has(input))
+        return input;
+    throw new Error(`Invalid confidence level: "${input}". Valid values: high, med, low`);
+}
+export function parseSeverity(input) {
+    if (VALID_SEVERITIES.has(input))
+        return input;
+    throw new Error(`Invalid severity level: "${input}". Valid values: critical, high, med, low`);
+}
+export function parseIntOrThrow(input, name) {
+    const n = parseInt(input, 10);
+    if (isNaN(n))
+        throw new Error(`Invalid ${name}: "${input}" is not a number`);
+    return n;
+}
+export function confidenceLevel(c) {
+    switch (c) {
+        case "high": return 3;
+        case "med": return 2;
+        case "low": return 1;
+        default: return 1;
+    }
+}
+export function severityLevel(s) {
+    switch (s) {
+        case "critical": return 4;
+        case "high": return 3;
+        case "med": return 2;
+        case "low": return 1;
+        default: return 1;
+    }
+}
+export function scoreStatus(score) {
+    return score >= 80 ? "PASS" : score >= 50 ? "WARN" : "FAIL";
+}
+export function buildDetectedList(result) {
+    const detected = ["next-app-router"];
+    const d = result.detected.deps;
+    if (d.hasNextAuth)
+        detected.push("next-auth");
+    if (d.hasClerk)
+        detected.push("clerk");
+    if (d.hasSupabase)
+        detected.push("supabase");
+    if (d.hasKinde)
+        detected.push("kinde");
+    if (d.hasWorkOS)
+        detected.push("workos");
+    if (d.hasBetterAuth)
+        detected.push("better-auth");
+    if (d.hasLucia)
+        detected.push("lucia");
+    if (d.hasAuth0)
+        detected.push("auth0");
+    if (d.hasIronSession)
+        detected.push("iron-session");
+    if (d.hasFirebaseAuth)
+        detected.push("firebase-auth");
+    if (d.hasPrisma)
+        detected.push("prisma");
+    if (d.hasDrizzle)
+        detected.push("drizzle");
+    if (d.hasTrpc)
+        detected.push("trpc");
+    if (d.hasUpstashRatelimit)
+        detected.push("upstash");
+    if (d.hasArcjet)
+        detected.push("arcjet");
+    if (d.hasUnkey)
+        detected.push("unkey");
+    if (result.detected.middleware)
+        detected.push("middleware");
+    return detected;
+}
+//# sourceMappingURL=score.js.map

package/dist/engine/score.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.js","sourceRoot":"","sources":["../../src/engine/score.ts"],"names":[],"mappings":"AAGA,MAAM,eAAe,GAAkB;IACrC,KAAK,EAAE,GAAG;IACV,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;CACtD,CAAC;AAEF,MAAM,UAAU,YAAY,CAC1B,QAAmB,EACnB,SAAwB,eAAe;IAEvC,IAAI,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAEzB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAClD,KAAK,IAAI,OAAO,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAmB;IACnD,MAAM,MAAM,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAClF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAClE,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAE7E,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,IAAI,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAmB,CAAC;IAC7D,MAAM,IAAI,KAAK,CAAC,8BAA8B,KAAK,iCAAiC,CAAC,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAiB,CAAC;IAC1D,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,2CAA2C,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAa,EAAE,IAAY;IACzD,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,WAAW,IAAI,MAAM,KAAK,mBAAmB,CAAC,CAAC;IAC7E,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,CAAa;IAC3C,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC;QACtB,KAAK,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC;QACrB,KAAK,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC;QACrB,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC;IACpB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAW;IACvC,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1B,KAAK,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC;QACtB,KAAK,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC;QACrB,KAAK,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC;QACrB,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC;IACpB,CAAC;AACH,CAAC;AAID,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,OAAO,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAkB;IAClD,MAAM,QAAQ,GAAa,CAAC,iBAAiB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC/B,IAAI,CAAC,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC9C,IAAI,CAAC,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,CAAC,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,CAAC,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,CAAC,CAAC,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,aAAa;QAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAClD,IAAI,CAAC,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,CAAC,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,CAAC,CAAC,cAAc;QAAE,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACpD,IAAI,CAAC,CAAC,eAAe;QAAE,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACtD,IAAI,CAAC,CAAC,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,UAAU;QAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,CAAC,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,CAAC,CAAC,mBAAmB;QAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpD,IAAI,CAAC,CAAC,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU;QAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC5D,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/engine/types.d.ts

@@ -0,0 +1,119 @@
+import type { Severity, Confidence, NextDepsIndex } from "../next/types.js";
+export interface Finding {
+    ruleId: string;
+    severity: Severity;
+    confidence: Confidence;
+    message: string;
+    file: string;
+    line?: number;
+    column?: number;
+    endLine?: number;
+    endColumn?: number;
+    snippet?: string;
+    evidence: string[];
+    confidenceRationale: string;
+    remediation: string[];
+    tags: string[];
+}
+export interface Waiver {
+    ruleId: string;
+    file: string;
+    reason: string;
+    expiry?: string;
+    createdAt: string;
+}
+export interface WaiversFile {
+    version: 1;
+    waivers: Waiver[];
+}
+export interface Baseline {
+    version: 1;
+    shipguardVersion: string;
+    configHash: string;
+    indexVersion: number;
+    createdAt: string;
+    score: number;
+    findingKeys: string[];
+}
+export interface ScanResult {
+    version: 1;
+    shipguardVersion: string;
+    configHash: string;
+    indexVersion: number;
+    timestamp: string;
+    framework: string;
+    detected: {
+        deps: NextDepsIndex;
+        trpc: boolean;
+        middleware: boolean;
+    };
+    score: number;
+    findings: Finding[];
+    waivedFindings: Finding[];
+    summary: {
+        total: number;
+        critical: number;
+        high: number;
+        med: number;
+        low: number;
+        waived: number;
+    };
+}
+export interface ScoringConfig {
+    start: number;
+    penalties: Record<Severity, number>;
+}
+export interface ShipguardConfig {
+    framework: "next-app-router";
+    include: string[];
+    exclude: string[];
+    ci: {
+        failOn: Severity;
+        minConfidence: Confidence;
+        minScore: number;
+        maxNewCritical: number;
+        maxNewHigh?: number;
+    };
+    scoring: ScoringConfig;
+    hints: {
+        auth: {
+            functions: string[];
+            middlewareFiles: string[];
+            allowlistPaths: string[];
+        };
+        rateLimit: {
+            wrappers: string[];
+            allowlistPaths: string[];
+        };
+        tenancy: {
+            orgFieldNames: string[];
+        };
+    };
+    rules: Record<string, {
+        severity: Severity;
+    }>;
+    waiversFile: string;
+    license?: {
+        key?: string;
+    };
+    /** Reserved for governance module. Ignored by OSS core if governance not loaded. */
+    governance?: {
+        enabled?: boolean;
+        requiredRules?: string[];
+        waiver?: {
+            requireReason?: boolean;
+            requireExpiry?: boolean;
+            maxDays?: number;
+        };
+        thresholds?: {
+            minScore?: number;
+            maxCritical?: number;
+        };
+        report?: {
+            preAudit?: boolean;
+            format?: "md" | "json" | "pdf";
+            outputDir?: string;
+        };
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/engine/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/engine/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE5E,MAAM,WAAW,OAAO;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,UAAU,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,MAAM;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,CAAC,CAAC;IACX,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,CAAC,CAAC;IACX,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE;QACR,IAAI,EAAE,aAAa,CAAC;QACpB,IAAI,EAAE,OAAO,CAAC;QACd,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,cAAc,EAAE,OAAO,EAAE,CAAC;IAC1B,OAAO,EAAE;QACP,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,EAAE,EAAE;QACF,MAAM,EAAE,QAAQ,CAAC;QACjB,aAAa,EAAE,UAAU,CAAC;QAC1B,QAAQ,EAAE,MAAM,CAAC;QACjB,cAAc,EAAE,MAAM,CAAC;QACvB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE;QACL,IAAI,EAAE;YAAE,SAAS,EAAE,MAAM,EAAE,CAAC;YAAC,eAAe,EAAE,MAAM,EAAE,CAAC;YAAC,cAAc,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;QACnF,SAAS,EAAE;YAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;YAAC,cAAc,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;QAC5D,OAAO,EAAE;YAAE,aAAa,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;KACtC,CAAC;IACF,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,QAAQ,CAAA;KAAE,CAAC,CAAC;IAC9C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAE3B,oFAAoF;IACpF,UAAU,CAAC,EAAE;QACX,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,MAAM,CAAC,EAAE;YACP,aAAa,CAAC,EAAE,OAAO,CAAC;YACxB,aAAa,CAAC,EAAE,OAAO,CAAC;YACxB,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,UAAU,CAAC,EAAE;YACX,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,WAAW,CAAC,EAAE,MAAM,CAAC;SACtB,CAAC;QACF,MAAM,CAAC,EAAE;YACP,QAAQ,CAAC,EAAE,OAAO,CAAC;YACnB,MAAM,CAAC,EAAE,IAAI,GAAG,MAAM,GAAG,KAAK,CAAC;YAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;KACH,CAAC;CACH"}

package/dist/engine/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/engine/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/engine/types.ts"],"names":[],"mappings":""}

package/dist/engine/version.d.ts

@@ -0,0 +1,5 @@
+import type { ShipguardConfig } from "./types.js";
+export declare const SHIPGUARD_VERSION = "0.1.0";
+export declare const INDEX_VERSION = 1;
+export declare function hashConfig(config: ShipguardConfig): string;
+//# sourceMappingURL=version.d.ts.map

package/dist/engine/version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/engine/version.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,eAAO,MAAM,iBAAiB,UAAU,CAAC;AACzC,eAAO,MAAM,aAAa,IAAI,CAAC;AAE/B,wBAAgB,UAAU,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CAU1D"}

package/dist/engine/version.js

@@ -0,0 +1,15 @@
+import { createHash } from "node:crypto";
+export const SHIPGUARD_VERSION = "0.1.0";
+export const INDEX_VERSION = 1;
+export function hashConfig(config) {
+    const normalized = JSON.stringify({
+        framework: config.framework,
+        include: config.include,
+        exclude: config.exclude,
+        hints: config.hints,
+        rules: config.rules,
+        scoring: config.scoring,
+    });
+    return createHash("sha256").update(normalized).digest("hex").slice(0, 12);
+}
+//# sourceMappingURL=version.js.map

package/dist/engine/version.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/engine/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC;AACzC,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC;AAE/B,MAAM,UAAU,UAAU,CAAC,MAAuB;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC;IACH,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC"}

package/dist/engine/waivers.d.ts

@@ -0,0 +1,9 @@
+import type { Finding, Waiver } from "./types.js";
+export declare function loadWaivers(rootDir: string, waiversFile: string): Waiver[];
+export declare function saveWaivers(rootDir: string, waiversFile: string, waivers: Waiver[]): void;
+export declare function addWaiver(rootDir: string, waiversFile: string, waiver: Omit<Waiver, "createdAt">): Waiver;
+export declare function applyWaivers(findings: Finding[], waivers: Waiver[]): {
+    active: Finding[];
+    waived: Finding[];
+};
+//# sourceMappingURL=waivers.d.ts.map

package/dist/engine/waivers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"waivers.d.ts","sourceRoot":"","sources":["../../src/engine/waivers.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAe,MAAM,YAAY,CAAC;AAE/D,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,EAAE,CAY1E;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAIzF;AAED,wBAAgB,SAAS,CACvB,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,GAChC,MAAM,CASR;AAED,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,OAAO,EAAE,EACnB,OAAO,EAAE,MAAM,EAAE,GAChB;IAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAAC,MAAM,EAAE,OAAO,EAAE,CAAA;CAAE,CAmB1C"}

package/dist/engine/waivers.js

@@ -0,0 +1,55 @@
+import path from "node:path";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+export function loadWaivers(rootDir, waiversFile) {
+    const abs = path.join(rootDir, waiversFile);
+    if (!existsSync(abs))
+        return [];
+    let raw;
+    try {
+        raw = JSON.parse(readFileSync(abs, "utf8"));
+    }
+    catch (err) {
+        throw new Error(`Failed to parse ${abs}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    // Support both legacy array format and versioned format
+    if (Array.isArray(raw))
+        return raw;
+    return raw.waivers ?? [];
+}
+export function saveWaivers(rootDir, waiversFile, waivers) {
+    const abs = path.join(rootDir, waiversFile);
+    const file = { version: 1, waivers };
+    writeFileSync(abs, JSON.stringify(file, null, 2) + "\n");
+}
+export function addWaiver(rootDir, waiversFile, waiver) {
+    const waivers = loadWaivers(rootDir, waiversFile);
+    const full = {
+        ...waiver,
+        createdAt: new Date().toISOString(),
+    };
+    waivers.push(full);
+    saveWaivers(rootDir, waiversFile, waivers);
+    return full;
+}
+export function applyWaivers(findings, waivers) {
+    const active = [];
+    const waived = [];
+    for (const f of findings) {
+        const hasWaiver = waivers.some((w) => w.ruleId === f.ruleId &&
+            w.file === f.file &&
+            !isExpired(w));
+        if (hasWaiver) {
+            waived.push(f);
+        }
+        else {
+            active.push(f);
+        }
+    }
+    return { active, waived };
+}
+function isExpired(w) {
+    if (!w.expiry)
+        return false;
+    return new Date(w.expiry) < new Date();
+}
+//# sourceMappingURL=waivers.js.map

package/dist/engine/waivers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"waivers.js","sourceRoot":"","sources":["../../src/engine/waivers.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGlE,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,WAAmB;IAC9D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC5C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAChC,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,GAAG,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjG,CAAC;IACD,wDAAwD;IACxD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAe,CAAC;IAC/C,OAAQ,GAAmB,CAAC,OAAO,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,WAAmB,EAAE,OAAiB;IACjF,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAgB,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC;IAClD,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,SAAS,CACvB,OAAe,EACf,WAAmB,EACnB,MAAiC;IAEjC,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAClD,MAAM,IAAI,GAAW;QACnB,GAAG,MAAM;QACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,WAAW,CAAC,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAC3C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,QAAmB,EACnB,OAAiB;IAEjB,MAAM,MAAM,GAAc,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;YACrB,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI;YACjB,CAAC,SAAS,CAAC,CAAC,CAAC,CAChB,CAAC;QACF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,IAAI,CAAC,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC5B,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;AACzC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+export { runScan } from "./engine/run.js";
+export { buildNextIndex } from "./next/index.js";
+export { RULE_REGISTRY, runAllRules } from "./rules/index.js";
+export { computeScore, confidenceLevel, severityLevel, scoreStatus, buildDetectedList, parseConfidence, parseSeverity, parseIntOrThrow } from "./engine/score.js";
+export { formatPretty, formatJson } from "./engine/report.js";
+export { formatSarif } from "./engine/sarif.js";
+export { writeBaseline, loadBaseline, diffBaseline, type BaselineDiff } from "./engine/baseline.js";
+export { loadWaivers, applyWaivers, addWaiver } from "./engine/waivers.js";
+export { DEFAULT_CONFIG } from "./engine/config.js";
+export type { ShipguardConfig, ScanResult, Finding, Waiver, Baseline } from "./engine/types.js";
+export type { NextIndex, NextRoute, NextServerAction, Severity, Confidence } from "./next/types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAClK,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpG,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAGpD,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAChG,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,11 @@
+// Public API for programmatic usage
+export { runScan } from "./engine/run.js";
+export { buildNextIndex } from "./next/index.js";
+export { RULE_REGISTRY, runAllRules } from "./rules/index.js";
+export { computeScore, confidenceLevel, severityLevel, scoreStatus, buildDetectedList, parseConfidence, parseSeverity, parseIntOrThrow } from "./engine/score.js";
+export { formatPretty, formatJson } from "./engine/report.js";
+export { formatSarif } from "./engine/sarif.js";
+export { writeBaseline, loadBaseline, diffBaseline } from "./engine/baseline.js";
+export { loadWaivers, applyWaivers, addWaiver } from "./engine/waivers.js";
+export { DEFAULT_CONFIG } from "./engine/config.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAClK,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAqB,MAAM,sBAAsB,CAAC;AACpG,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/next/deps.d.ts

@@ -0,0 +1,4 @@
+import type { NextDepsIndex, NextHints } from "./types.js";
+export declare function readDeps(rootDir: string): NextDepsIndex;
+export declare function defaultHintsFromDeps(deps: NextDepsIndex, hasMiddlewareTs: boolean): NextHints;
+//# sourceMappingURL=deps.d.ts.map

package/dist/next/deps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.d.ts","sourceRoot":"","sources":["../../src/next/deps.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE3D,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,CA4BvD;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,aAAa,EAAE,eAAe,EAAE,OAAO,GAAG,SAAS,CAwE7F"}