npm - @guava-parity/guard-scanner - Versions diffs - 15.0.0 → 16.0.0 - Mend

@guava-parity/guard-scanner 15.0.0 → 16.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/README.md +208 -42
package/README_ja.md +252 -0
package/SKILL.md +40 -11
package/dist/cli.cjs +5997 -0
package/dist/cli.d.mts +1 -0
package/dist/cli.d.ts +1 -0
package/dist/cli.mjs +6003 -0
package/dist/index.cjs +4825 -0
package/dist/index.d.mts +17 -0
package/dist/index.d.ts +17 -0
package/dist/index.mjs +4798 -0
package/dist/mcp-server.cjs +4756 -0
package/dist/mcp-server.d.mts +1 -0
package/dist/mcp-server.d.ts +1 -0
package/dist/mcp-server.mjs +4767 -0
package/dist/openclaw-plugin.cjs +4863 -0
package/dist/openclaw-plugin.d.mts +11 -0
package/dist/openclaw-plugin.d.ts +11 -0
package/dist/openclaw-plugin.mjs +4847 -34
package/dist/types.cjs +18 -0
package/dist/types.d.mts +215 -0
package/dist/types.d.ts +215 -0
package/dist/types.mjs +1 -0
package/docs/data/benchmark-ledger.json +1428 -0
package/docs/data/corpus-metrics.json +3 -3
package/docs/data/fp-ledger.json +18 -0
package/docs/data/quality-contract.json +36 -0
package/docs/generated/openclaw-upstream-status.json +13 -13
package/docs/openclaw-compatibility-audit.md +3 -2
package/docs/openclaw-continuous-compatibility-plan.md +2 -1
package/docs/spec/capabilities.json +137 -5
package/docs/spec/plugin-trust.json +11 -0
package/hooks/{context.js → context.ts} +1 -0
package/openclaw-plugin.mts +21 -5
package/openclaw.plugin.json +2 -2
package/package.json +58 -20
package/src/asset-auditor.js +0 -508
package/src/ci-reporter.js +0 -135
package/src/cli.js +0 -434
package/src/core/content-loader.js +0 -42
package/src/core/inventory.js +0 -73
package/src/core/report-adapters.js +0 -171
package/src/core/risk-engine.js +0 -93
package/src/core/rule-registry.js +0 -73
package/src/core/semantic-validators.js +0 -85
package/src/finding-schema.js +0 -191
package/src/hooks/context.ts +0 -49
package/src/html-template.js +0 -239
package/src/ioc-db.js +0 -54
package/src/mcp-server.js +0 -653
package/src/openclaw-upstream.js +0 -128
package/src/patterns.js +0 -629
package/src/policy-engine.js +0 -32
package/src/quarantine.js +0 -41
package/src/runtime-guard.js +0 -384
package/src/scanner.js +0 -1042
package/src/skill-crawler.js +0 -254
package/src/threat-model.js +0 -50
package/src/validation-layer.js +0 -39
package/src/vt-client.js +0 -202
package/src/watcher.js +0 -170

package/dist/types.cjs ADDED Viewed

@@ -0,0 +1,18 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/types.ts
+var types_exports = {};
+module.exports = __toCommonJS(types_exports);

package/dist/types.d.mts ADDED Viewed

@@ -0,0 +1,215 @@
+type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+type GuardMode = "monitor" | "enforce" | "strict";
+type RuntimeAction = "blocked" | "warned";
+interface EvidenceSpan {
+    file?: string;
+    start_line: number;
+    end_line: number;
+}
+interface FindingEvidence {
+    file?: string;
+    line?: number | null;
+    sample?: string;
+    match_count?: number;
+    tool_name?: string;
+    params_preview?: string;
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+}
+interface Finding {
+    schema_version?: string;
+    source?: "static" | "runtime";
+    id: string;
+    rule_id?: string;
+    cat?: string;
+    category: string;
+    severity: Severity;
+    desc?: string;
+    description: string;
+    file?: string;
+    line?: number | null;
+    matchCount?: number;
+    sample?: string;
+    rationale: string;
+    preconditions: string;
+    remediation_hint: string;
+    false_positive_scenarios: string[];
+    validation_state: string;
+    validation_status: string;
+    confidence: number;
+    attack_chain_id: string | null;
+    evidence: FindingEvidence;
+    evidence_spans: EvidenceSpan[];
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+    action?: RuntimeAction;
+}
+interface SkillFindingResult {
+    skill: string;
+    risk: number;
+    verdict: string;
+    findings: Finding[];
+}
+interface ThresholdBand {
+    suspicious: number;
+    malicious: number;
+}
+interface ScanStats {
+    scanned: number;
+    clean: number;
+    low: number;
+    suspicious: number;
+    malicious: number;
+}
+interface Recommendation {
+    skill: string;
+    actions: string[];
+}
+interface ScanReport {
+    schema_version: string;
+    timestamp: string;
+    scanner: string;
+    finding_schema_version: string;
+    mode: "normal" | "strict";
+    compliance_mode?: "owasp-asi" | null;
+    stats: ScanStats;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    recommendations: Recommendation[];
+    layer_summary?: Array<Record<string, unknown>>;
+    owasp_asi_coverage?: Array<Record<string, unknown>>;
+    threat_model?: Record<string, unknown>;
+    iocVersion: string;
+}
+interface TextScanResult {
+    safe: boolean;
+    risk: number;
+    detections: Finding[];
+}
+interface ScannerOptions {
+    verbose?: boolean;
+    selfExclude?: boolean;
+    strict?: boolean;
+    summaryOnly?: boolean;
+    quiet?: boolean;
+    checkDeps?: boolean;
+    soulLock?: boolean;
+    plugins?: string[];
+    rulesFile?: string;
+    compliance?: "owasp-asi";
+}
+interface CustomRule {
+    id: string;
+    cat: string;
+    regex: RegExp;
+    severity: Severity;
+    desc: string;
+    codeOnly?: boolean;
+    docOnly?: boolean;
+    all?: boolean;
+    soulLock?: boolean;
+}
+interface PluginConfig {
+    mode?: GuardMode;
+    auditLog?: boolean;
+    customRules?: string;
+}
+interface RuntimeDecision {
+    blocked: boolean;
+    blockReason: string | null;
+    detections: Finding[];
+    mode: GuardMode;
+    toolName?: string;
+    matchedPolicyId?: string | null;
+    policyRationale?: string | null;
+    riskAmplificationReasons?: string[];
+    remediationSuggestion?: string | null;
+    policyDecision?: RuntimePolicyDecision | null;
+}
+interface McpRequest {
+    method: string;
+    params?: Record<string, unknown>;
+    id?: string | number | null;
+}
+interface SarifReport {
+    version: string;
+    $schema?: string;
+    runs: Array<Record<string, unknown>>;
+}
+interface CapabilityMetrics {
+    static_pattern_count: number;
+    runtime_check_count?: number;
+    threat_category_count: number;
+    runtime_layer_count?: number;
+    runtime_layers?: number;
+    benchmark_corpus_version?: string;
+    explainability_completeness_rate?: number;
+    runtime_check_latency_budget_ms?: number;
+    quality_targets?: QualityTargets;
+    [key: string]: unknown;
+}
+interface RuntimeCheckStats {
+    total: number;
+    byLayer: Record<number, number>;
+    bySeverity: Partial<Record<Severity, number>>;
+}
+interface QualityTargets {
+    precision_min: number;
+    recall_min: number;
+    false_positive_rate_max: number;
+    false_negative_rate_max: number;
+    explainability_completeness_rate_min: number;
+    runtime_check_latency_budget_ms: number;
+    false_positive_budget_by_category: Record<string, number>;
+}
+interface RuntimePolicyContract {
+    id?: string;
+    allowed_tools?: string[];
+    blocked_tools?: string[];
+    max_network_scope?: "none" | "internal-only" | "external-ok";
+    secret_bearing_context?: boolean;
+    memory_write_permission?: boolean;
+}
+interface RuntimePolicyDecision {
+    action: "allow" | "block";
+    reason: string;
+    policyId: string;
+    amplificationReasons: string[];
+    remediationSuggestion: string;
+}
+interface ThreatModel {
+    timestamp: string;
+    surface: Record<string, boolean>;
+    summary: string;
+    owasp_asi?: string[];
+    layer_summary?: Array<Record<string, unknown>>;
+    protocol_surfaces?: string[];
+}
+interface GuardScannerInstance {
+    verbose: boolean;
+    strict: boolean;
+    summaryOnly: boolean;
+    quiet: boolean;
+    checkDeps: boolean;
+    soulLock: boolean;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    stats: ScanStats;
+    scanText(text: string): TextScanResult;
+    scanDirectory(dir: string): SkillFindingResult[];
+    scanTarget(targetPath: string): ScanReport;
+    toJSON(): ScanReport;
+    toSARIF(scanDir: string): SarifReport;
+    toHTML(): string;
+    generateThreatModel(findings: Finding[]): ThreatModel;
+}
+interface GuardScannerConstructor {
+    new (options?: ScannerOptions): GuardScannerInstance;
+}
+type ScanResult = SkillFindingResult;
+export type { CapabilityMetrics, CustomRule, EvidenceSpan, Finding, FindingEvidence, GuardMode, GuardScannerConstructor, GuardScannerInstance, McpRequest, PluginConfig, QualityTargets, Recommendation, RuntimeAction, RuntimeCheckStats, RuntimeDecision, RuntimePolicyContract, RuntimePolicyDecision, SarifReport, ScanReport, ScanResult, ScanStats, ScannerOptions, Severity, SkillFindingResult, TextScanResult, ThreatModel, ThresholdBand };

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,215 @@
+type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+type GuardMode = "monitor" | "enforce" | "strict";
+type RuntimeAction = "blocked" | "warned";
+interface EvidenceSpan {
+    file?: string;
+    start_line: number;
+    end_line: number;
+}
+interface FindingEvidence {
+    file?: string;
+    line?: number | null;
+    sample?: string;
+    match_count?: number;
+    tool_name?: string;
+    params_preview?: string;
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+}
+interface Finding {
+    schema_version?: string;
+    source?: "static" | "runtime";
+    id: string;
+    rule_id?: string;
+    cat?: string;
+    category: string;
+    severity: Severity;
+    desc?: string;
+    description: string;
+    file?: string;
+    line?: number | null;
+    matchCount?: number;
+    sample?: string;
+    rationale: string;
+    preconditions: string;
+    remediation_hint: string;
+    false_positive_scenarios: string[];
+    validation_state: string;
+    validation_status: string;
+    confidence: number;
+    attack_chain_id: string | null;
+    evidence: FindingEvidence;
+    evidence_spans: EvidenceSpan[];
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+    action?: RuntimeAction;
+}
+interface SkillFindingResult {
+    skill: string;
+    risk: number;
+    verdict: string;
+    findings: Finding[];
+}
+interface ThresholdBand {
+    suspicious: number;
+    malicious: number;
+}
+interface ScanStats {
+    scanned: number;
+    clean: number;
+    low: number;
+    suspicious: number;
+    malicious: number;
+}
+interface Recommendation {
+    skill: string;
+    actions: string[];
+}
+interface ScanReport {
+    schema_version: string;
+    timestamp: string;
+    scanner: string;
+    finding_schema_version: string;
+    mode: "normal" | "strict";
+    compliance_mode?: "owasp-asi" | null;
+    stats: ScanStats;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    recommendations: Recommendation[];
+    layer_summary?: Array<Record<string, unknown>>;
+    owasp_asi_coverage?: Array<Record<string, unknown>>;
+    threat_model?: Record<string, unknown>;
+    iocVersion: string;
+}
+interface TextScanResult {
+    safe: boolean;
+    risk: number;
+    detections: Finding[];
+}
+interface ScannerOptions {
+    verbose?: boolean;
+    selfExclude?: boolean;
+    strict?: boolean;
+    summaryOnly?: boolean;
+    quiet?: boolean;
+    checkDeps?: boolean;
+    soulLock?: boolean;
+    plugins?: string[];
+    rulesFile?: string;
+    compliance?: "owasp-asi";
+}
+interface CustomRule {
+    id: string;
+    cat: string;
+    regex: RegExp;
+    severity: Severity;
+    desc: string;
+    codeOnly?: boolean;
+    docOnly?: boolean;
+    all?: boolean;
+    soulLock?: boolean;
+}
+interface PluginConfig {
+    mode?: GuardMode;
+    auditLog?: boolean;
+    customRules?: string;
+}
+interface RuntimeDecision {
+    blocked: boolean;
+    blockReason: string | null;
+    detections: Finding[];
+    mode: GuardMode;
+    toolName?: string;
+    matchedPolicyId?: string | null;
+    policyRationale?: string | null;
+    riskAmplificationReasons?: string[];
+    remediationSuggestion?: string | null;
+    policyDecision?: RuntimePolicyDecision | null;
+}
+interface McpRequest {
+    method: string;
+    params?: Record<string, unknown>;
+    id?: string | number | null;
+}
+interface SarifReport {
+    version: string;
+    $schema?: string;
+    runs: Array<Record<string, unknown>>;
+}
+interface CapabilityMetrics {
+    static_pattern_count: number;
+    runtime_check_count?: number;
+    threat_category_count: number;
+    runtime_layer_count?: number;
+    runtime_layers?: number;
+    benchmark_corpus_version?: string;
+    explainability_completeness_rate?: number;
+    runtime_check_latency_budget_ms?: number;
+    quality_targets?: QualityTargets;
+    [key: string]: unknown;
+}
+interface RuntimeCheckStats {
+    total: number;
+    byLayer: Record<number, number>;
+    bySeverity: Partial<Record<Severity, number>>;
+}
+interface QualityTargets {
+    precision_min: number;
+    recall_min: number;
+    false_positive_rate_max: number;
+    false_negative_rate_max: number;
+    explainability_completeness_rate_min: number;
+    runtime_check_latency_budget_ms: number;
+    false_positive_budget_by_category: Record<string, number>;
+}
+interface RuntimePolicyContract {
+    id?: string;
+    allowed_tools?: string[];
+    blocked_tools?: string[];
+    max_network_scope?: "none" | "internal-only" | "external-ok";
+    secret_bearing_context?: boolean;
+    memory_write_permission?: boolean;
+}
+interface RuntimePolicyDecision {
+    action: "allow" | "block";
+    reason: string;
+    policyId: string;
+    amplificationReasons: string[];
+    remediationSuggestion: string;
+}
+interface ThreatModel {
+    timestamp: string;
+    surface: Record<string, boolean>;
+    summary: string;
+    owasp_asi?: string[];
+    layer_summary?: Array<Record<string, unknown>>;
+    protocol_surfaces?: string[];
+}
+interface GuardScannerInstance {
+    verbose: boolean;
+    strict: boolean;
+    summaryOnly: boolean;
+    quiet: boolean;
+    checkDeps: boolean;
+    soulLock: boolean;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    stats: ScanStats;
+    scanText(text: string): TextScanResult;
+    scanDirectory(dir: string): SkillFindingResult[];
+    scanTarget(targetPath: string): ScanReport;
+    toJSON(): ScanReport;
+    toSARIF(scanDir: string): SarifReport;
+    toHTML(): string;
+    generateThreatModel(findings: Finding[]): ThreatModel;
+}
+interface GuardScannerConstructor {
+    new (options?: ScannerOptions): GuardScannerInstance;
+}
+type ScanResult = SkillFindingResult;
+export type { CapabilityMetrics, CustomRule, EvidenceSpan, Finding, FindingEvidence, GuardMode, GuardScannerConstructor, GuardScannerInstance, McpRequest, PluginConfig, QualityTargets, Recommendation, RuntimeAction, RuntimeCheckStats, RuntimeDecision, RuntimePolicyContract, RuntimePolicyDecision, SarifReport, ScanReport, ScanResult, ScanStats, ScannerOptions, Severity, SkillFindingResult, TextScanResult, ThreatModel, ThresholdBand };

package/dist/types.mjs ADDED Viewed

	@@ -0,0 +1 @@
1	+ import { createRequire as __createRequire } from "node:module"; const require = __createRequire(import.meta.url);