@glassmkr/crucible 0.10.4 → 0.12.0

package/dist/collect/conntrack.js

@@ -1,4 +1,13 @@
+// Conntrack collection.
+//
+// Pre-C9: count + max + percent from /proc/sys/net/netfilter/nf_conntrack_*.
+// C9 (2026-05-19): adds insert_failed_total + drop_total cumulative counters
+// from /proc/net/stat/nf_conntrack plus agent-computed per-second rates,
+// following the vmstat (C3) rate-calculation pattern.
+//
+// Per CC_SPEC_CRUCIBLE_C7_C10_NETWORK_PROCESS_COLLECTION_2026-05-19.md §3.
 import { readProcFile } from "../lib/parse.js";
+let previous = null;
 export function collectConntrack() {
     const countRaw = readProcFile("/proc/sys/net/netfilter/nf_conntrack_count");
     const maxRaw = readProcFile("/proc/sys/net/netfilter/nf_conntrack_max");
@@ -11,6 +20,78 @@ export function collectConntrack() {
         return { available: false, count: 0, max: 0, percent: 0 };
     }
     const percent = Math.round(((count / max) * 100) * 10) / 10;
-    return { available: true, count, max, percent };
+    // Try the C9 enrichment. If /proc/net/stat/nf_conntrack isn't readable
+    // we still return the original ConntrackData shape (older kernels
+    // expose count/max without per-CPU stats).
+    const stat = parseConntrackStat();
+    if (!stat) {
+        return { available: true, count, max, percent };
+    }
+    const nowMs = Date.now();
+    let insertRate = null;
+    let dropRate = null;
+    if (previous) {
+        const elapsedSec = (nowMs - previous.capturedAtMs) / 1000;
+        if (elapsedSec > 0) {
+            const insertDelta = stat.insert_failed - previous.insert_failed;
+            const dropDelta = stat.drop - previous.drop;
+            // Negative delta = counter reset (host reboot, container restart,
+            // or rollover). Treat as a fresh baseline; rates null this tick.
+            if (insertDelta >= 0)
+                insertRate = insertDelta / elapsedSec;
+            if (dropDelta >= 0)
+                dropRate = dropDelta / elapsedSec;
+        }
+    }
+    previous = { ...stat, capturedAtMs: nowMs };
+    return {
+        available: true,
+        count,
+        max,
+        percent,
+        insert_failed_total: stat.insert_failed,
+        drop_total: stat.drop,
+        insert_failed_rate_per_sec: insertRate,
+        drop_rate_per_sec: dropRate,
+    };
+}
+/**
+ * Parse /proc/net/stat/nf_conntrack. Format: tab/space-separated header
+ * + one row per CPU with hex values. Returns sums across all CPUs for
+ * insert_failed and drop columns. Null on read failure or unexpected
+ * format.
+ */
+function parseConntrackStat() {
+    const raw = readProcFile("/proc/net/stat/nf_conntrack");
+    if (!raw)
+        return null;
+    const lines = raw.split("\n").filter((l) => l.trim().length > 0);
+    if (lines.length < 2)
+        return null;
+    const header = lines[0].trim().split(/\s+/);
+    const insertFailedIdx = header.indexOf("insert_failed");
+    const dropIdx = header.indexOf("drop");
+    if (insertFailedIdx === -1 || dropIdx === -1)
+        return null;
+    let insertFailedTotal = 0;
+    let dropTotal = 0;
+    for (let i = 1; i < lines.length; i++) {
+        const parts = lines[i].trim().split(/\s+/);
+        if (parts.length <= Math.max(insertFailedIdx, dropIdx))
+            continue;
+        const insertFailed = parseInt(parts[insertFailedIdx], 16);
+        const drop = parseInt(parts[dropIdx], 16);
+        if (Number.isFinite(insertFailed))
+            insertFailedTotal += insertFailed;
+        if (Number.isFinite(drop))
+            dropTotal += drop;
+    }
+    return { insert_failed: insertFailedTotal, drop: dropTotal };
 }
+export const __test_only = {
+    parseConntrackStat,
+    resetForTests: () => {
+        previous = null;
+    },
+};
 //# sourceMappingURL=conntrack.js.map

package/dist/collect/conntrack.js.map

@@ -1 +1 @@
-{"version":3,"file":"conntrack.js","sourceRoot":"","sources":["../../src/collect/conntrack.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAS/C,MAAM,UAAU,gBAAgB;IAC9B,MAAM,QAAQ,GAAG,YAAY,CAAC,4CAA4C,CAAC,CAAC;IAC5E,MAAM,MAAM,GAAG,YAAY,CAAC,0CAA0C,CAAC,CAAC;IAExE,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAExC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC;IAC5D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AAClD,CAAC"}
+{"version":3,"file":"conntrack.js","sourceRoot":"","sources":["../../src/collect/conntrack.ts"],"names":[],"mappings":"AAAA,wBAAwB;AACxB,EAAE;AACF,6EAA6E;AAC7E,6EAA6E;AAC7E,yEAAyE;AACzE,sDAAsD;AACtD,EAAE;AACF,2EAA2E;AAE3E,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAuB/C,IAAI,QAAQ,GAA2B,IAAI,CAAC;AAE5C,MAAM,UAAU,gBAAgB;IAC9B,MAAM,QAAQ,GAAG,YAAY,CAAC,4CAA4C,CAAC,CAAC;IAC5E,MAAM,MAAM,GAAG,YAAY,CAAC,0CAA0C,CAAC,CAAC;IAExE,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAExC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC;IAE5D,uEAAuE;IACvE,kEAAkE;IAClE,2CAA2C;IAC3C,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;IAClD,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,IAAI,UAAU,GAAkB,IAAI,CAAC;IACrC,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,UAAU,GAAG,CAAC,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;QAC1D,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC;YAChE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;YAC5C,kEAAkE;YAClE,iEAAiE;YACjE,IAAI,WAAW,IAAI,CAAC;gBAAE,UAAU,GAAG,WAAW,GAAG,UAAU,CAAC;YAC5D,IAAI,SAAS,IAAI,CAAC;gBAAE,QAAQ,GAAG,SAAS,GAAG,UAAU,CAAC;QACxD,CAAC;IACH,CAAC;IACD,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAE5C,OAAO;QACL,SAAS,EAAE,IAAI;QACf,KAAK;QACL,GAAG;QACH,OAAO;QACP,mBAAmB,EAAE,IAAI,CAAC,aAAa;QACvC,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,0BAA0B,EAAE,UAAU;QACtC,iBAAiB,EAAE,QAAQ;KAC5B,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,YAAY,CAAC,6BAA6B,CAAC,CAAC;IACxD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,eAAe,KAAK,CAAC,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1D,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAC1B,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC;YAAE,SAAS;QACjE,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1D,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC;YAAE,iBAAiB,IAAI,YAAY,CAAC;QACrE,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS,IAAI,IAAI,CAAC;IAC/C,CAAC;IACD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC/D,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,kBAAkB;IAClB,aAAa,EAAE,GAAG,EAAE;QAClB,QAAQ,GAAG,IAAI,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/collect/cve.d.ts

@@ -0,0 +1,51 @@
+import type { CveDistro, CveSeverity, CveSnapshot, KernelCve } from "../lib/types.js";
+export declare function collectCve(): Promise<CveSnapshot>;
+declare function detectDistro(): CveDistro;
+/**
+ * Parse the relevant kernel-CVE subset of `pro security-status --format=json`.
+ * The full shape is large; we only need pending CVEs against the
+ * running kernel + a severity histogram.
+ *
+ * Best-effort + defensive: malformed JSON yields zeros and no events.
+ */
+export declare function parseUbuntuProJson(raw: string): {
+    kernel_cves: KernelCve[];
+    critical: number;
+    important: number;
+};
+/**
+ * Parse `dnf updateinfo list --security --quiet` text output.
+ *
+ * Format (one line per advisory; columns vary slightly by dnf version):
+ *   RHSA-2026:1234 Critical/Sec.   kernel-5.14.0-1234.x86_64
+ *   RHBA-2026:5678 Moderate/Sec.   bash-5.1.8-9.el9_4.x86_64
+ *
+ * We only keep advisories whose package name starts with "kernel"
+ * (the kernel meta-package or any kernel-* sub-package).
+ */
+export declare function parseDnfUpdateinfoText(raw: string): {
+    kernel_cves: KernelCve[];
+    critical: number;
+    important: number;
+};
+/**
+ * Parse `zypper list-patches --category=security` table output.
+ *
+ * Format (columns: Repository | Name | Category | Severity | Status):
+ *   SLES15-SP6-Updates | SUSE-SLE-...-1234 | security | critical | needed
+ *
+ * We restrict to security patches whose name contains "kernel" — best
+ * effort; zypper doesn't surface a "package" column the same way dnf
+ * does, so the kernel match is on the patch name itself.
+ */
+export declare function parseZypperListPatchesText(raw: string): {
+    kernel_cves: KernelCve[];
+    critical: number;
+    important: number;
+};
+declare function normaliseSeverity(raw: string): CveSeverity;
+export declare const __test_only: {
+    detectDistro: typeof detectDistro;
+    normaliseSeverity: typeof normaliseSeverity;
+};
+export {};

package/dist/collect/cve.js

@@ -0,0 +1,327 @@
+// Distro-aware CVE collection for the running kernel.
+//
+// Pre-C13 the collector reads /sys/devices/system/cpu/vulnerabilities
+// (Spectre / Meltdown / etc) under SecurityData.kernel_vulns. That's
+// CPU microcode + kernel-mitigation status, not the distro CVE patch
+// queue. C13 ships separate distro-CVE data so Dashboard can REDESIGN
+// the kernel_vulnerabilities rule from a uptime-proxy / kernel-line
+// check into a real CVE-driven signal.
+//
+// Three distro paths:
+//
+//   - Ubuntu / Ubuntu Pro:
+//       Requires `pro security-status --format=json` AND attached pro
+//       subscription. Token comes from GLASSMKR_UBUNTU_PRO_TOKEN env
+//       var per the spec. No token => available: false silently
+//       (legitimate state on non-Pro hosts).
+//
+//   - RHEL / Fedora / Rocky / Alma / CentOS:
+//       `dnf updateinfo --output json` exposes a per-advisory list.
+//       The dnf JSON output is well-defined on modern releases (8+);
+//       older dnf falls back to text scraping which we tag as "stub".
+//
+//   - SUSE / openSUSE:
+//       `zypper list-patches --category=security --severity=critical`
+//       returns one line per patch. Severity is a column.
+//
+// Capability gating: missing CLI => available: false with reason.
+// Distro detection uses snap.system.os_id (Crucible 0.8+ field); but
+// since this collector is called separately from system.ts, we re-
+// derive distro from /etc/os-release inside this module to stay
+// independent.
+//
+// Per CC_SPEC_CRUCIBLE_C11_C18_FULL_BUNDLE_2026-05-19.md §3.
+import { readProcFile } from "../lib/parse.js";
+import { run } from "../lib/exec.js";
+export async function collectCve() {
+    const distro = detectDistro();
+    switch (distro) {
+        case "ubuntu":
+        case "debian":
+            return collectUbuntuPro();
+        case "rhel":
+        case "fedora":
+        case "rocky":
+        case "alma":
+        case "centos":
+            return collectDnf(distro);
+        case "sles":
+        case "opensuse":
+            return collectZypper(distro);
+        default:
+            return {
+                available: false,
+                reason: `distro "${distro}" not supported by CVE collection`,
+                distro,
+                kernel_cves_pending: [],
+                total_critical_pending: 0,
+                total_important_pending: 0,
+                parser_quality: "stub",
+            };
+    }
+}
+function detectDistro() {
+    const raw = readProcFile("/etc/os-release");
+    if (!raw)
+        return "unknown";
+    for (const line of raw.split("\n")) {
+        if (line.startsWith("ID=")) {
+            const id = line.slice(3).trim().replace(/^"|"$/g, "").toLowerCase();
+            if (id === "ubuntu")
+                return "ubuntu";
+            if (id === "debian")
+                return "debian";
+            if (id === "rhel")
+                return "rhel";
+            if (id === "fedora")
+                return "fedora";
+            if (id === "rocky")
+                return "rocky";
+            if (id === "almalinux" || id === "alma")
+                return "alma";
+            if (id === "centos")
+                return "centos";
+            if (id === "sles")
+                return "sles";
+            if (id === "opensuse" || id === "opensuse-leap" || id === "opensuse-tumbleweed") {
+                return "opensuse";
+            }
+        }
+    }
+    return "unknown";
+}
+// === Ubuntu Pro path ===
+async function collectUbuntuPro() {
+    const token = process.env.GLASSMKR_UBUNTU_PRO_TOKEN;
+    if (!token) {
+        return {
+            available: false,
+            reason: "Ubuntu Pro token not set (export GLASSMKR_UBUNTU_PRO_TOKEN to enable CVE collection)",
+            distro: "ubuntu",
+            kernel_cves_pending: [],
+            total_critical_pending: 0,
+            total_important_pending: 0,
+            parser_quality: "fleet-tested",
+        };
+    }
+    const out = await run("pro", ["security-status", "--format=json"]);
+    if (!out) {
+        return {
+            available: false,
+            reason: "`pro security-status` returned no output (Ubuntu Pro CLI missing or not attached?)",
+            distro: "ubuntu",
+            kernel_cves_pending: [],
+            total_critical_pending: 0,
+            total_important_pending: 0,
+            parser_quality: "fleet-tested",
+        };
+    }
+    const parsed = parseUbuntuProJson(out);
+    return {
+        available: true,
+        distro: "ubuntu",
+        kernel_cves_pending: parsed.kernel_cves,
+        total_critical_pending: parsed.critical,
+        total_important_pending: parsed.important,
+        parser_quality: "fleet-tested",
+    };
+}
+/**
+ * Parse the relevant kernel-CVE subset of `pro security-status --format=json`.
+ * The full shape is large; we only need pending CVEs against the
+ * running kernel + a severity histogram.
+ *
+ * Best-effort + defensive: malformed JSON yields zeros and no events.
+ */
+export function parseUbuntuProJson(raw) {
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return { kernel_cves: [], critical: 0, important: 0 };
+    }
+    // Ubuntu Pro JSON shape (abbreviated; real output has many more fields):
+    //   { "summary": { "kernel-cves": { "pending": [{ "cve": "CVE-2026-1234",
+    //     "severity": "high", "package": "linux-image-...", ... }] } } }
+    // The exact key shape varies by pro CLI version; reach defensively.
+    const root = parsed;
+    const pendingArr = root?.summary?.["kernel-cves"]?.pending ??
+        root?.["kernel-cves"] ??
+        [];
+    const cves = [];
+    let crit = 0;
+    let imp = 0;
+    if (Array.isArray(pendingArr)) {
+        for (const entry of pendingArr) {
+            const e = entry;
+            const cveId = typeof e.cve === "string" ? e.cve : "";
+            if (!cveId)
+                continue;
+            const severity = normaliseSeverity(typeof e.severity === "string" ? e.severity : "");
+            const pkg = typeof e.package === "string" ? e.package : "";
+            const fixed = typeof e.fixed_version === "string" ? e.fixed_version : undefined;
+            cves.push({
+                cve_id: cveId,
+                severity,
+                package_name: pkg,
+                ...(fixed ? { fixed_version: fixed } : {}),
+            });
+            if (severity === "critical")
+                crit++;
+            else if (severity === "important")
+                imp++;
+        }
+    }
+    return { kernel_cves: cves, critical: crit, important: imp };
+}
+// === dnf path (RHEL family) ===
+async function collectDnf(distro) {
+    const out = await run("dnf", [
+        "updateinfo",
+        "list",
+        "--security",
+        "--quiet",
+    ]);
+    if (!out) {
+        return {
+            available: false,
+            reason: "`dnf updateinfo list --security` returned no output (dnf missing or no security advisories?)",
+            distro,
+            kernel_cves_pending: [],
+            total_critical_pending: 0,
+            total_important_pending: 0,
+            parser_quality: "stub",
+        };
+    }
+    const parsed = parseDnfUpdateinfoText(out);
+    return {
+        available: true,
+        distro,
+        kernel_cves_pending: parsed.kernel_cves,
+        total_critical_pending: parsed.critical,
+        total_important_pending: parsed.important,
+        // Text scrape; dnf JSON output is the cleaner path but isn't
+        // universally available across RHEL 8/9/10. Tagging stub so the
+        // dashboard rule shows the right honesty.
+        parser_quality: "stub",
+    };
+}
+/**
+ * Parse `dnf updateinfo list --security --quiet` text output.
+ *
+ * Format (one line per advisory; columns vary slightly by dnf version):
+ *   RHSA-2026:1234 Critical/Sec.   kernel-5.14.0-1234.x86_64
+ *   RHBA-2026:5678 Moderate/Sec.   bash-5.1.8-9.el9_4.x86_64
+ *
+ * We only keep advisories whose package name starts with "kernel"
+ * (the kernel meta-package or any kernel-* sub-package).
+ */
+export function parseDnfUpdateinfoText(raw) {
+    const cves = [];
+    let crit = 0;
+    let imp = 0;
+    for (const line of raw.split("\n")) {
+        const m = line.match(/^([A-Z]+-\d{4}:\d+)\s+(\S+)\/Sec\.\s+(\S+)/i);
+        if (!m)
+            continue;
+        const [, advisory, sevToken, pkg] = m;
+        if (!pkg.toLowerCase().startsWith("kernel"))
+            continue;
+        const severity = normaliseSeverity(sevToken);
+        cves.push({
+            cve_id: advisory, // dnf reports advisory IDs (RHSA-...) not CVE IDs directly
+            severity,
+            package_name: pkg,
+        });
+        if (severity === "critical")
+            crit++;
+        else if (severity === "important")
+            imp++;
+    }
+    return { kernel_cves: cves, critical: crit, important: imp };
+}
+// === zypper path (SUSE family) ===
+async function collectZypper(distro) {
+    const out = await run("zypper", [
+        "--non-interactive",
+        "list-patches",
+        "--category=security",
+    ]);
+    if (!out) {
+        return {
+            available: false,
+            reason: "`zypper list-patches --category=security` returned no output (zypper missing?)",
+            distro,
+            kernel_cves_pending: [],
+            total_critical_pending: 0,
+            total_important_pending: 0,
+            parser_quality: "stub",
+        };
+    }
+    const parsed = parseZypperListPatchesText(out);
+    return {
+        available: true,
+        distro,
+        kernel_cves_pending: parsed.kernel_cves,
+        total_critical_pending: parsed.critical,
+        total_important_pending: parsed.important,
+        parser_quality: "stub",
+    };
+}
+/**
+ * Parse `zypper list-patches --category=security` table output.
+ *
+ * Format (columns: Repository | Name | Category | Severity | Status):
+ *   SLES15-SP6-Updates | SUSE-SLE-...-1234 | security | critical | needed
+ *
+ * We restrict to security patches whose name contains "kernel" — best
+ * effort; zypper doesn't surface a "package" column the same way dnf
+ * does, so the kernel match is on the patch name itself.
+ */
+export function parseZypperListPatchesText(raw) {
+    const cves = [];
+    let crit = 0;
+    let imp = 0;
+    for (const line of raw.split("\n")) {
+        if (!line.includes("|"))
+            continue;
+        const cols = line.split("|").map((c) => c.trim());
+        if (cols.length < 5)
+            continue;
+        const [, name, category, severityRaw] = cols;
+        if (!/security/i.test(category))
+            continue;
+        if (!/kernel/i.test(name))
+            continue;
+        const severity = normaliseSeverity(severityRaw);
+        cves.push({
+            cve_id: name,
+            severity,
+            package_name: name,
+        });
+        if (severity === "critical")
+            crit++;
+        else if (severity === "important")
+            imp++;
+    }
+    return { kernel_cves: cves, critical: crit, important: imp };
+}
+// === shared helpers ===
+function normaliseSeverity(raw) {
+    const v = raw.toLowerCase().trim();
+    if (v === "critical" || v === "crit")
+        return "critical";
+    if (v === "important" || v === "high" || v === "imp")
+        return "important";
+    if (v === "moderate" || v === "medium" || v === "med")
+        return "moderate";
+    if (v === "low" || v === "negligible")
+        return "low";
+    return "unknown";
+}
+export const __test_only = {
+    detectDistro,
+    normaliseSeverity,
+};
+//# sourceMappingURL=cve.js.map

package/dist/collect/cve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cve.js","sourceRoot":"","sources":["../../src/collect/cve.ts"],"names":[],"mappings":"AAAA,sDAAsD;AACtD,EAAE;AACF,sEAAsE;AACtE,qEAAqE;AACrE,qEAAqE;AACrE,sEAAsE;AACtE,oEAAoE;AACpE,uCAAuC;AACvC,EAAE;AACF,sBAAsB;AACtB,EAAE;AACF,2BAA2B;AAC3B,sEAAsE;AACtE,qEAAqE;AACrE,gEAAgE;AAChE,6CAA6C;AAC7C,EAAE;AACF,6CAA6C;AAC7C,oEAAoE;AACpE,qEAAqE;AACrE,sEAAsE;AACtE,EAAE;AACF,uBAAuB;AACvB,sEAAsE;AACtE,0DAA0D;AAC1D,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,mEAAmE;AACnE,gEAAgE;AAChE,eAAe;AACf,EAAE;AACF,6DAA6D;AAE7D,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAGrC,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ,CAAC;QACd,KAAK,QAAQ;YACX,OAAO,gBAAgB,EAAE,CAAC;QAC5B,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd,KAAK,OAAO,CAAC;QACb,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;QAC5B,KAAK,MAAM,CAAC;QACZ,KAAK,UAAU;YACb,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B;YACE,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,WAAW,MAAM,mCAAmC;gBAC5D,MAAM;gBACN,mBAAmB,EAAE,EAAE;gBACvB,sBAAsB,EAAE,CAAC;gBACzB,uBAAuB,EAAE,CAAC;gBAC1B,cAAc,EAAE,MAAM;aACvB,CAAC;IACN,CAAC;AACH,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,YAAY,CAAC,iBAAiB,CAAC,CAAC;IAC5C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YACpE,IAAI,EAAE,KAAK,QAAQ;gBAAE,OAAO,QAAQ,CAAC;YACrC,IAAI,EAAE,KAAK,QAAQ;gBAAE,OAAO,QAAQ,CAAC;YACrC,IAAI,EAAE,KAAK,MAAM;gBAAE,OAAO,MAAM,CAAC;YACjC,IAAI,EAAE,KAAK,QAAQ;gBAAE,OAAO,QAAQ,CAAC;YACrC,IAAI,EAAE,KAAK,OAAO;gBAAE,OAAO,OAAO,CAAC;YACnC,IAAI,EAAE,KAAK,WAAW,IAAI,EAAE,KAAK,MAAM;gBAAE,OAAO,MAAM,CAAC;YACvD,IAAI,EAAE,KAAK,QAAQ;gBAAE,OAAO,QAAQ,CAAC;YACrC,IAAI,EAAE,KAAK,MAAM;gBAAE,OAAO,MAAM,CAAC;YACjC,IAAI,EAAE,KAAK,UAAU,IAAI,EAAE,KAAK,eAAe,IAAI,EAAE,KAAK,qBAAqB,EAAE,CAAC;gBAChF,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,0BAA0B;AAE1B,KAAK,UAAU,gBAAgB;IAC7B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IACpD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EACJ,sFAAsF;YACxF,MAAM,EAAE,QAAQ;YAChB,mBAAmB,EAAE,EAAE;YACvB,sBAAsB,EAAE,CAAC;YACzB,uBAAuB,EAAE,CAAC;YAC1B,cAAc,EAAE,cAAc;SAC/B,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC,iBAAiB,EAAE,eAAe,CAAC,CAAC,CAAC;IACnE,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,oFAAoF;YAC5F,MAAM,EAAE,QAAQ;YAChB,mBAAmB,EAAE,EAAE;YACvB,sBAAsB,EAAE,CAAC;YACzB,uBAAuB,EAAE,CAAC;YAC1B,cAAc,EAAE,cAAc;SAC/B,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO;QACL,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,QAAQ;QAChB,mBAAmB,EAAE,MAAM,CAAC,WAAW;QACvC,sBAAsB,EAAE,MAAM,CAAC,QAAQ;QACvC,uBAAuB,EAAE,MAAM,CAAC,SAAS;QACzC,cAAc,EAAE,cAAc;KAC/B,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAK5C,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IACxD,CAAC;IACD,yEAAyE;IACzE,0EAA0E;IAC1E,qEAAqE;IACrE,oEAAoE;IACpE,MAAM,IAAI,GAAG,MAGZ,CAAC;IACF,MAAM,UAAU,GACd,IAAI,EAAE,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,OAAO;QACtC,IAAI,EAAE,CAAC,aAAa,CAAe;QACpC,EAAE,CAAC;IACL,MAAM,IAAI,GAAgB,EAAE,CAAC;IAC7B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;YAC/B,MAAM,CAAC,GAAG,KAAgC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACrF,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,IAAI,CAAC,IAAI,CAAC;gBACR,MAAM,EAAE,KAAK;gBACb,QAAQ;gBACR,YAAY,EAAE,GAAG;gBACjB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC3C,CAAC,CAAC;YACH,IAAI,QAAQ,KAAK,UAAU;gBAAE,IAAI,EAAE,CAAC;iBAC/B,IAAI,QAAQ,KAAK,WAAW;gBAAE,GAAG,EAAE,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;AAC/D,CAAC;AAED,iCAAiC;AAEjC,KAAK,UAAU,UAAU,CAAC,MAAiB;IACzC,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,KAAK,EAAE;QAC3B,YAAY;QACZ,MAAM;QACN,YAAY;QACZ,SAAS;KACV,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,8FAA8F;YACtG,MAAM;YACN,mBAAmB,EAAE,EAAE;YACvB,sBAAsB,EAAE,CAAC;YACzB,uBAAuB,EAAE,CAAC;YAC1B,cAAc,EAAE,MAAM;SACvB,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC3C,OAAO;QACL,SAAS,EAAE,IAAI;QACf,MAAM;QACN,mBAAmB,EAAE,MAAM,CAAC,WAAW;QACvC,sBAAsB,EAAE,MAAM,CAAC,QAAQ;QACvC,uBAAuB,EAAE,MAAM,CAAC,SAAS;QACzC,6DAA6D;QAC7D,gEAAgE;QAChE,0CAA0C;QAC1C,cAAc,EAAE,MAAM;KACvB,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,GAAW;IAKhD,MAAM,IAAI,GAAgB,EAAE,CAAC;IAC7B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAClB,6CAA6C,CAC9C,CAAC;QACF,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,SAAS;QACtD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,CAAC;YACR,MAAM,EAAE,QAAQ,EAAE,2DAA2D;YAC7E,QAAQ;YACR,YAAY,EAAE,GAAG;SAClB,CAAC,CAAC;QACH,IAAI,QAAQ,KAAK,UAAU;YAAE,IAAI,EAAE,CAAC;aAC/B,IAAI,QAAQ,KAAK,WAAW;YAAE,GAAG,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;AAC/D,CAAC;AAED,oCAAoC;AAEpC,KAAK,UAAU,aAAa,CAAC,MAAiB;IAC5C,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,QAAQ,EAAE;QAC9B,mBAAmB;QACnB,cAAc;QACd,qBAAqB;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,gFAAgF;YACxF,MAAM;YACN,mBAAmB,EAAE,EAAE;YACvB,sBAAsB,EAAE,CAAC;YACzB,uBAAuB,EAAE,CAAC;YAC1B,cAAc,EAAE,MAAM;SACvB,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;IAC/C,OAAO;QACL,SAAS,EAAE,IAAI;QACf,MAAM;QACN,mBAAmB,EAAE,MAAM,CAAC,WAAW;QACvC,sBAAsB,EAAE,MAAM,CAAC,QAAQ;QACvC,uBAAuB,EAAE,MAAM,CAAC,SAAS;QACzC,cAAc,EAAE,MAAM;KACvB,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,0BAA0B,CAAC,GAAW;IAKpD,MAAM,IAAI,GAAgB,EAAE,CAAC;IAC7B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAClD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAC9B,MAAM,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,CAAC,GAAG,IAAI,CAAC;QAC7C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,SAAS;QAC1C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QACpC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC;YACR,MAAM,EAAE,IAAI;YACZ,QAAQ;YACR,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;QACH,IAAI,QAAQ,KAAK,UAAU;YAAE,IAAI,EAAE,CAAC;aAC/B,IAAI,QAAQ,KAAK,WAAW;YAAE,GAAG,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;AAC/D,CAAC;AAED,yBAAyB;AAEzB,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,MAAM;QAAE,OAAO,UAAU,CAAC;IACxD,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,WAAW,CAAC;IACzE,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,UAAU,CAAC;IACzE,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IACpD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,YAAY;IACZ,iBAAiB;CAClB,CAAC"}

package/dist/collect/dmesg-events.d.ts

@@ -0,0 +1,32 @@
+import type { DmesgEventType, DmesgEventsSnapshot, DmesgStructuredEvent } from "../lib/types.js";
+interface DmesgHandler {
+    event_type: DmesgEventType;
+    pattern: RegExp;
+    /** Returns null when the regex matched on accident (rare). */
+    parse(match: RegExpMatchArray, line: string): Omit<DmesgStructuredEvent, "timestamp_iso" | "raw_line"> | null;
+}
+export declare function collectDmesgEvents(): Promise<DmesgEventsSnapshot>;
+/**
+ * Parse a full dmesg output buffer; return structured events whose
+ * inferred timestamp is at or after `cutoffMs`. When the timestamp
+ * cannot be parsed (relative-time fallback), the event is included
+ * unconditionally (fail-open: better to over-report than silently
+ * drop a real hardware fault).
+ */
+export declare function parseDmesgOutput(raw: string, cutoffMs: number): DmesgStructuredEvent[];
+/**
+ * Extract a unix-ms timestamp from a dmesg line. Two shapes:
+ *   ISO:        "2026-05-19T12:34:56,789012+00:00 ..."  (--time-format=iso)
+ *   ctime:      "[Mon May 19 12:34:56 2026] ..."       (--ctime)
+ *
+ * Relative-time format ("[12345.678]") returns null (no absolute
+ * anchor available without `uptime`).
+ */
+export declare function parseDmesgTimestamp(line: string): number | null;
+export declare const __test_only: {
+    parseDmesgOutput: typeof parseDmesgOutput;
+    parseDmesgTimestamp: typeof parseDmesgTimestamp;
+    HANDLERS: DmesgHandler[];
+    WINDOW_SECONDS: number;
+};
+export {};