@highflame/overwatch 1.0.0

package/dist/rules/pre/command_injection.yar

@@ -0,0 +1,60 @@
+//////////////////////////////////////////
+// Shell/System Command Injection Detection Rule
+// Target: Command injection patterns for MCP environments
+// (Shell operators, dangerous commands, network tools + evasion)
+/////////////////////////////////////////
+
+rule command_injection{
+
+    meta:
+        author = "Ramparts Security Team"
+        description = "Detects command injection patterns related to shell operators, system commands, and network tools"
+        classification = "harmful"
+        threat_type = "INJECTION ATTACK"
+
+    strings:
+
+        // Dangerous system commands
+        $dangerous_system_cmds = /\b(shutdown|reboot|halt)\s+(-[fh]|now|0)\b/
+
+        // Network tools with suspicious usage patterns
+        $malicious_network_tools = /\b(nc|netcat)\s+(-[le]|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i
+
+        // Reconnaissance tools
+        $reconnaissance_tools = /\b(nmap)\s+(-[sS]|--script|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i
+
+        // Data exfiltration tools
+        $data_exfiltration_tools = /\b(wget|curl)\s+(http[s]?:\/\/|ftp:\/\/|-[oO]\b|--output\b)/i
+
+        // ANSI escape codes for terminal manipulation
+        $ansi_escape_codes = /\\u001b\[[0-9;]*m/
+
+        // Reverse shell patterns
+        $reverse_shells = /\b(bash\s+-i|sh\s+-i|nc\s+-e|\/dev\/tcp|socat.*exec)\b/i
+
+        // Windows commands
+        $windows_cmds = /\b(cmd\s*\/[ck]|powershell|net\s+user|reg\s+|wmic|rundll32\b)/i
+
+    condition:
+
+        // Dangerous system command patterns
+        $dangerous_system_cmds or
+
+        // Network tool abuse patterns
+        $malicious_network_tools or
+
+        // Reconnaissance tools
+        $reconnaissance_tools or
+
+        // Data exfiltration tools
+        $data_exfiltration_tools or
+
+        // Terminal manipulation
+        $ansi_escape_codes or
+
+        // Reverse shell patterns
+        $reverse_shells or
+
+        // Windows commands
+        $windows_cmds
+}

package/dist/rules/pre/cross_origin_escalation.yar

@@ -0,0 +1,106 @@
+/*
+ * Cross-Origin Escalation Detection Rule
+ * 
+ * This rule detects Cross-Origin Escalation vulnerabilities where an LLM agent
+ * accesses tools hosted on multiple origins (domains), and one of those origins
+ * can inject, override, or hijack context from another.
+ * 
+ * The rule focuses on detecting multiple different domains/origins within
+ * tool and resource configurations, which is the primary indicator of
+ * potential cross-origin escalation attacks.
+ */
+
+rule cross_origin_escalation
+{
+    meta:
+        name = "Cross-Origin Escalation Detection"
+        author = "Ramparts Security Team"
+        date = "2025-01-29"
+        version = "1.0"
+        description = "Detects multiple domains/origins in MCP tool configurations that could lead to cross-origin escalation attacks"
+        severity = "HIGH"
+        category = "cross-origin,escalation,security,multi-domain"
+        confidence = "HIGH"
+        
+    strings:
+        // Multiple HTTP/HTTPS URLs with different domains
+        $multi_domain_1 = /https?:\/\/([a-zA-Z0-9.-]+\.[a-zA-Z]{2,}).*https?:\/\/([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/
+        
+        // Mixed localhost/IP and external domain patterns
+        $mixed_local_remote_1 = /https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0).*https?:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/
+        $mixed_local_remote_2 = /https?:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}.*https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)/
+        
+        // Different port numbers on same host (potential port-based escalation)
+        $port_escalation = /https?:\/\/[a-zA-Z0-9.-]+:\d+.*https?:\/\/[a-zA-Z0-9.-]+:\d+/
+        
+        // Mixed secure/insecure schemes
+        $mixed_schemes_1 = /https:\/\/.*http:\/\//
+        $mixed_schemes_2 = /http:\/\/.*https:\/\//
+        $mixed_ws_schemes = /wss:\/\/.*ws:\/\//
+        
+        // Subdomain variations that could indicate takeover
+        $subdomain_variations = /https?:\/\/[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}.*https?:\/\/[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/
+        
+        // API endpoint variations across domains
+        $api_multi_domain = /\/api\/.*https?:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}.*\/api\//
+        
+        // Proxy or redirect patterns
+        $proxy_patterns = /(proxy|redirect|forward).*https?:\/\/.*https?:\/\//i
+        
+        // URL parameters containing other URLs (potential injection)
+        $url_in_params = /[?&](url|redirect|forward|proxy)=https?:\/\/.*https?:\/\//i
+        
+        // Common domain patterns that suggest different services
+        $service_domains = /(api\.|auth\.|admin\.|secure\.).*\.(com|net|org|io).*\.(com|net|org|io)/i
+        
+        // Tool-specific patterns indicating multi-origin access
+        $tool_multi_origin = /"(baseUrl|endpoint|url|host)".*https?:\/\/.*"(baseUrl|endpoint|url|host)".*https?:\/\//i
+        
+        // Configuration arrays with multiple URLs
+        $url_array = /\[.*"https?:\/\/[^"]*".*,.*"https?:\/\/[^"]*".*\]/
+        
+        // JSON with multiple origin fields
+        $json_multi_origin = /"origin".*:.*"https?:\/\/.*"origin".*:.*"https?:\/\//i
+        
+        // Legitimate patterns to reduce false positives
+        $legitimate_cdn = /(cdn\.|static\.|assets\.|media\.)/i
+        $legitimate_backup = /(backup|fallback|mirror)/i
+        $legitimate_loadbalancer = /(lb\.|loadbalancer|ha\.)/i
+        
+    condition:
+        // Primary detection: Multiple different domains
+        ($multi_domain_1 and not ($legitimate_cdn or $legitimate_backup or $legitimate_loadbalancer)) or
+        
+        // Mixed local/remote origins (high risk)
+        ($mixed_local_remote_1 or $mixed_local_remote_2) or
+        
+        // Port-based escalation
+        $port_escalation or
+        
+        // Mixed security schemes (HTTP/HTTPS mixing)
+        ($mixed_schemes_1 or $mixed_schemes_2 or $mixed_ws_schemes) or
+        
+        // Subdomain variations (potential takeover)
+        $subdomain_variations or
+        
+        // API endpoints across domains
+        $api_multi_domain or
+        
+        // Proxy/redirect patterns
+        $proxy_patterns or
+        
+        // URL injection in parameters
+        $url_in_params or
+        
+        // Service domain mixing
+        $service_domains or
+        
+        // Tool configuration with multiple origins
+        $tool_multi_origin or
+        
+        // URL arrays
+        $url_array or
+        
+        // JSON multi-origin
+        $json_multi_origin
+}

package/dist/rules/pre/mcp_config_risk.yar

@@ -0,0 +1,35 @@
+/*
+ * MCP Config Risk Detection
+ * Detects risky STDIO server definitions that execute inline or external code
+ * via common shells/interpreters combined with dangerous flags/tokens.
+ */
+
+rule mcp_config_risk
+{
+    meta:
+        name = "MCP Config Risk"
+        description = "STDIO server uses risky shell/interpreter with inline code or pipe to shell"
+        severity = "CRITICAL"
+        category = "command-injection,config-risk"
+        author = "Ramparts Security Team"
+        version = "1.0"
+
+    strings:
+        // Command executables we consider dangerous when paired with risky args
+        $cmd_exec = /COMMAND:\s*(bash|sh|cmd|pwsh|powershell|python(\d+(\.\d+)?)?|node)\b/i
+
+        // calc.exe alone is considered risky on Windows
+        $calc_exec = /COMMAND:\s*calc\.exe\b/i
+
+        // Risky inline-exec flags
+        $arg_flag = /ARGS:\s*.*(-c|-e)\b/i
+
+        // Risky tokens in arguments (network fetch, piping to shell, chain)
+        $arg_tokens = /ARGS:\s*.*(curl|wget|base64|nc\s|telnet|\|\s*sh|\|\s*bash|&&)/i
+
+    condition:
+        // Either explicit risky exec with risky args, or calc.exe alone
+        ($cmd_exec and ($arg_flag or $arg_tokens)) or $calc_exec
+}
+
+

package/dist/rules/pre/path_traversal.yar

@@ -0,0 +1,50 @@
+rule path_traversal_low_fp
+{
+    meta:
+        name = "Path Traversal (Low False Positive)"
+        description = "Detects high-confidence path traversal attempts with execution intent"
+        severity = "HIGH"
+        category = "path-traversal,security,file-access"
+        author = "Ramparts Security Team"
+        version = "2.0"
+
+    strings:
+        // Traversal patterns (require repetition or encoding)
+        $traversal_unix = /(\.\.\/){2,}/
+        $traversal_windows = /(\.\.\\){2,}/
+        $traversal_encoded = /(%2e%2e(%2f|%5c)){2,}/i
+        $traversal_double_encoded = /(%252e%252e(%252f|%255c)){2,}/i
+
+        // Sensitive file targets (exact filenames, not directories)
+        $sensitive_unix_files = /\/(etc\/passwd|etc\/shadow|proc\/self\/environ|root\/\.ssh\/id_rsa)/i
+        $sensitive_windows_files = /[Cc]:[\\\/]Windows[\\\/](System32|SysWOW64)[\\\/][a-zA-Z0-9_.-]+/i
+
+        // File access APIs (with path argument)
+        $file_read_ops = /\b(open|fopen|readFile|file_get_contents)\s*\(\s*["']?.*(\.\.|%2e%2e)/i
+        $file_include_ops = /\b(include|require|import)\s*\(?\s*["']?.*(\.\.|%2e%2e)/i
+
+        // URL parameters commonly used for traversal
+        $path_param = /\b(path|file|filename|filepath|doc|template)\s*=\s*["']?.*(\.\.|%2e%2e)/i
+
+    condition:
+        (
+            // Deep traversal attempt
+            $traversal_unix or
+            $traversal_windows or
+            $traversal_encoded or
+            $traversal_double_encoded
+        )
+        and
+        (
+            // Sensitive file targets
+            $sensitive_unix_files or
+            $sensitive_windows_files or
+
+            // Traversal used in file access
+            $file_read_ops or
+            $file_include_ops or
+
+            // Traversal via request parameters
+            $path_param
+        )
+}

package/dist/rules/pre/prompt_injection.yar

@@ -0,0 +1,101 @@
+//////////////////////////////////////////
+// Prompt Injection Detection Rule
+// Target: Instruction override patterns, Tool injection commands
+//////////////////////////////////////////
+
+rule prompt_injection{
+
+    meta:
+
+        author = "Ramparts Security Team"
+        description = "Detects prompt strings used to override or force malicious tool calls"
+        classification = "harmful"
+        threat_type = "PROMPT INJECTION"
+
+    strings:
+
+        // Instruction override patterns
+        $instruction_overrides = /\b(Bypass|Dis\W?regard|Do not (follow|Obey)|Forget|Ignore)\s+((all|any|each|every|most|some)\s+(of\s+)?)?((your|the)\s)?(command|communication|conte[nx]t|conversation|data|guidelines|input|instruction|message|request|response|text)(s)?/i
+
+        // Tool injection commands
+        $tool_injection_commands = /\b(inject tool[_\s]calls?|now call function|use function)\b/i
+
+        // Shadow parameter names
+        $shadow_parameters = /\b(internalOnly|hiddenParam|shadowTool|bypassChecks|sandboxEscape)\b/i
+
+        // Hidden behavior instructions
+        $hidden_behavior = /\b(do\s+not\s+(mention|tell|execute)|tell\s+(the )?user\s+only\s+about|do\s+not\s+mention\s+this\s+to\s+user)\b/i
+
+        // Advanced command override patterns (from advanced analyzer)
+        $advanced_overrides = /\b(disregard\s+(all\s+)?safety\s+guidelines|forget\s+(everything|all)\s+(before|above)|system\s*prompt\s*override)\b/i
+
+        // Role redefinition attempts
+        $role_redefinition = /\bnew\s+(instructions|directive|guidelines)s?\s*:\s*you\s+are\b/i
+
+        // Privilege escalation patterns
+        $privilege_escalation = /\b(grant\s+(me\s+)?admin\s+(access|privileges?)|bypass\s+(all\s+)?security\s+checks?|elevated\s+permissions?\s+required|sudo\s+mode\s+enabled?|developer\s+mode\s+activated?)\b/i
+
+        ////////////////////////////////////////////////
+        // Evasion Techniques - Hidden Instructions
+        ////////////////////////////////////////////////
+
+        // HTML comment evasion - malicious instructions hidden in HTML comments
+        $html_comment_evasion_system = /<!--[^>]*SYSTEM\s+(INSTRUCTION|OVERRIDE)/i
+        $html_comment_evasion_admin = /<!--[^>]*ADMIN\s+OVERRIDE/i
+        $html_comment_evasion_ignore = /<!--[^>]*ignore\s+(all\s+)?(previous\s+)?(safety\s+)?guidelines/i
+        $html_comment_evasion_exec = /<!--[^>]*(execute[:\s]|curl\s|wget\s|nc\s|bash\s)/i
+
+        // Markdown code block evasion
+        $markdown_evasion = /```[^`]*(SYSTEM|ADMIN)\s+(OVERRIDE|INSTRUCTION)/i
+
+        // Triple bracket/pipe markers for hidden instructions
+        $bracket_markers = /(\[\[\[|\|\|\|)(SYSTEM|ADMIN|HIDDEN|INTERNAL)[\s_]?(OVERRIDE|INSTRUCTION|COMMAND)(\]\]\]|\|\|\|)/i
+
+        // Base64 obfuscation attempts
+        $base64_obfuscation = /\b(atob|btoa|base64[_\-]?decode)\s*\(/i
+
+        // Hidden instruction markers
+        $hidden_markers = /\[(HIDDEN|INTERNAL|SECRET|PRIVATE)\s+(INSTRUCTION|DIRECTIVE|COMMAND)\]/i
+
+
+    condition:
+
+        // Instruction overrides
+        $instruction_overrides or
+
+        // Tool injection commands
+        $tool_injection_commands or
+
+        // Shadow parameters
+        $shadow_parameters or
+
+        // Hidden behavior instructions
+        $hidden_behavior or
+
+        // Advanced command override patterns
+        $advanced_overrides or
+
+        // Role redefinition attempts
+        $role_redefinition or
+
+        // Privilege escalation patterns
+        $privilege_escalation or
+
+        // HTML comment evasion
+        $html_comment_evasion_system or
+        $html_comment_evasion_admin or
+        $html_comment_evasion_ignore or
+        $html_comment_evasion_exec or
+
+        // Markdown evasion
+        $markdown_evasion or
+
+        // Bracket markers
+        $bracket_markers or
+
+        // Base64 obfuscation
+        $base64_obfuscation or
+
+        // Hidden markers
+        $hidden_markers
+}

package/dist/rules/pre/secrets_leakage.yar

@@ -0,0 +1,100 @@
+rule secrets_leakage
+{
+    meta:
+        name = "Secrets Leakage Detection"
+        description = "Detects high-confidence exposed secrets with value context"
+        severity = "HIGH"
+        category = "secrets,credentials,data-leakage"
+        author = "Ramparts Security Team"
+        version = "2.0"
+
+    strings:
+        // API key assignments (KEY=VALUE)
+        $api_key_assign = /(?i)\b(api[_-]?key|openai[_-]?api[_-]?key|anthropic[_-]?api[_-]?key)\b\s*[:=]\s*["']?[A-Za-z0-9_\-]{20,}["']?/
+
+        // Bearer tokens
+        $bearer_token = /authorization\s*:\s*bearer\s+[A-Za-z0-9._~+\-\/]{20,}/i
+
+        // AWS Access Key (exact format)
+        $aws_access_key = /AKIA[0-9A-Z]{16}/
+        $aws_secret_key = /(?i)aws_secret_access_key\s*[:=]\s*["']?[A-Za-z0-9\/+=]{40}["']?/
+
+        // GitHub token
+        $github_token = /ghp_[A-Za-z0-9]{36}/
+
+        // Private key headers (strong signal)
+        $private_key = /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/
+
+    condition:
+        any of ($aws_access_key, $github_token, $private_key) or
+        2 of ($api_key_assign, $bearer_token, $aws_secret_key)
+}
+
+rule ssh_key_exposure
+{
+    meta:
+        name = "SSH Key Exposure (Low FP)"
+        description = "Detects actual SSH private keys or explicit SSH key file access"
+        severity = "CRITICAL"
+        category = "ssh,credentials"
+        author = "Ramparts Security Team"
+        version = "2.0"
+
+    strings:
+        // Strong signals: private keys
+        $ssh_private_key = /-----BEGIN OPENSSH PRIVATE KEY-----/
+        $ssh_rsa_key = /-----BEGIN RSA PRIVATE KEY-----/
+
+        // Explicit sensitive file paths
+        $ssh_key_path = /\/\.ssh\/(id_rsa|id_ed25519|authorized_keys)\b/
+
+    condition:
+        any of ($ssh_private_key, $ssh_rsa_key, $ssh_key_path)
+}
+
+rule pem_file_access
+{
+    meta:
+        name = "PEM / Certificate Key Exposure (Low FP)"
+        description = "Detects actual PEM private keys or access to key files"
+        severity = "CRITICAL"
+        category = "crypto,certificates"
+        author = "Ramparts Security Team"
+        version = "2.0"
+
+    strings:
+        // Private key headers only (certs are public)
+        $pem_private_key = /-----BEGIN (ENCRYPTED |RSA |EC |DSA )?PRIVATE KEY-----/
+
+        // Key file paths
+        $key_file_path = /\/[A-Za-z0-9_\-\/]+\.(pem|key|p12|pfx)\b/
+
+    condition:
+        any of ($pem_private_key, $key_file_path)
+}
+
+rule environment_variable_leakage
+{
+    meta:
+        name = "Environment Variable Leakage (Low FP)"
+        description = "Detects exposed env vars with high-entropy values"
+        severity = "HIGH"
+        category = "environment,secrets"
+        author = "Ramparts Security Team"
+        version = "2.0"
+
+    strings:
+        // High confidence: ENV=VALUE
+        $env_assignment = /(?i)\b[A-Z_]{3,}(API_KEY|SECRET|TOKEN|PASSWORD)\b\s*=\s*["']?[A-Za-z0-9\/+=_.\-]{16,}["']?/
+
+        // Specific providers
+        $openai_key = /OPENAI_API_KEY\s*=\s*["']?sk-[A-Za-z0-9]{20,}["']?/
+        $hf_token = /HF_TOKEN\s*=\s*["']?hf_[A-Za-z0-9]{30,}["']?/
+
+        // Runtime env dumps
+        $process_env_dump = /process\.env\.[A-Z_]{3,}\s*=/
+
+    condition:
+        any of ($openai_key, $hf_token) or
+        2 of ($env_assignment, $process_env_dump)
+}

package/dist/rules/pre/sql_injection.yar

@@ -0,0 +1,65 @@
+//////////////////////////////////////////
+// SQL Injection Detection Rule
+// Target: SQL keywords and operations, SQL tautologies and bypasses, Database-specific functions
+//////////////////////////////////////////
+
+rule sql_injection{
+
+    meta:
+        author = "Cisco"
+        description = "Detects SQL injection attack patterns including keywords, tautologies, and database functions"
+        classification = "harmful"
+        threat_type = "INJECTION ATTACK"
+
+    strings:
+
+        // SQL injection tautologies and bypasses - focus on actual injection payloads
+        $injection_tautologies = /(\bOR\s+['"]?1['"]?\s*=\s*['"]?1['"]?\s*(--|#|\/\*|;))/i
+
+        // Destructive SQL injections
+        $destructive_injections = /(';\s*DROP\s+TABLE|";\s*DROP\s+TABLE)/i
+
+        // Union-based SQL injection
+        $union_based_attacks = /(UNION\s+(ALL\s+)?SELECT|'\s*UNION\s+SELECT|"\s*UNION\s+SELECT)/i
+
+        // Time-based blind injection techniques
+        $time_based_injections = /\b(SLEEP|WAITFOR\s+DELAY|BENCHMARK|pg_sleep)\s*\(/i
+
+        // Error-based injection methods
+        $error_based_techniques = /\b(EXTRACTVALUE|UPDATEXML|EXP\(~\(SELECT|CAST)\s*\(/i
+
+        // Database-specific system objects in malicious contexts
+        $database_system_objects = /(\bSELECT [^;]*\b(information_schema|mysql\.user|all_tables|user_tables)\b|\bFROM\s+(information_schema|mysql\.user|dual|all_tables|user_tables)\b|LOAD_FILE\s*\(\s*['"][^'"]*\.(config|passwd|shadow|key)\b|INTO\s+OUTFILE\s+['"][^'"]*\.(txt|sql|php)\b|\b(xp_cmdshell|sp_executesql)\s*\(|dbms_[a-z_]+\s*\()/i
+
+        // SQL injection with USER() function in malicious context
+        $malicious_user_functions = /(\bUSER\s*\(\s*\)\s*(SELECT|FROM|WHERE|AND|OR|UNION)\b|CONCAT\s*\(\s*USER\s*\(\s*\))/i
+
+        // Common SQL operation patterns that appear in both legitimate and malicious contexts
+        $common_sql_ops = /(query_builder|sql_builder|orm_query|select_fields|insert_data|update_data|database_query|db_query|execute_query|prepared_statement|parameterized_query)/
+
+        // Common context phrases where these words appear in benign usage
+        $common_context_phrases = /\b(adds?\s+a\s+user|create\s+user|new\s+user|user\s+(account|profile|registration|authentication|permissions?|roles?)|user\s+(who|that)|for\s+user|the\s+user|current\s+user\s+(account|profile)|user\s+(input|data|information)|example:?\s+SELECT\s+USER\(\)|SELECT\s+USER\(\)\s+returns?|built-?in\s+function)\b/i
+
+    condition:
+
+        // SQL injection tautologies
+        ($injection_tautologies and not $common_sql_ops and not $common_context_phrases) or
+
+        // Destructive SQL injections
+        ($destructive_injections and not $common_sql_ops and not $common_context_phrases) or
+
+        // Union-based attacks
+        ($union_based_attacks and not $common_sql_ops and not $common_context_phrases) or
+
+        // Time-based blind injection
+        ($time_based_injections and not $common_sql_ops and not $common_context_phrases) or
+
+        // Error-based injection techniques
+        ($error_based_techniques and not $common_sql_ops and not $common_context_phrases) or
+
+        // Database system object access
+        ($database_system_objects and not $common_sql_ops and not $common_context_phrases) or
+
+        // Malicious USER() function usage
+        ($malicious_user_functions and not $common_sql_ops and not $common_context_phrases)
+}

package/dist/scanner.d.ts

@@ -0,0 +1,80 @@
+/**
+ * MCP Scanner - Runs bundled ramparts binary for MCP config scanning
+ *
+ * Supports running ramparts as a child process for local YARA scanning
+ * of MCP server configurations.
+ *
+ * Uses platform-loader for cross-platform binary discovery.
+ */
+/**
+ * Scan result from ramparts CLI
+ */
+export interface ScanResult {
+    scan_type: string;
+    total_servers: number;
+    results: ScanServerResult[];
+}
+export interface ScanServerResult {
+    server_name: string;
+    url?: string;
+    server_info?: {
+        name?: string;
+        metadata?: {
+            transport?: string;
+        };
+    };
+    tools?: unknown[];
+    prompts?: unknown[];
+    resources?: unknown[];
+    security_issues?: {
+        tool_issues?: unknown[];
+    };
+    yara_results?: YaraResult[];
+}
+export interface YaraResult {
+    status: "ok" | "warning" | "error";
+    target_type?: string;
+    rule_name?: string;
+    rule_metadata?: {
+        severity?: string;
+        description?: string;
+    };
+}
+/**
+ * MCP Scanner that uses bundled ramparts binary
+ */
+export declare class MCPScanner {
+    private rampartsPath;
+    constructor();
+    /**
+     * Find the ramparts binary based on platform
+     * Uses platform-loader for cross-platform discovery.
+     *
+     * Search order:
+     * 1. Platform package (npm optionalDependency)
+     * 2. Local bin/ directory (dev mode)
+     * 3. ~/.overwatch/bin/
+     * 4. System PATH
+     */
+    private findRampartsBinary;
+    /**
+     * Check if scanner is available
+     */
+    isAvailable(): boolean;
+    /**
+     * Get the path to ramparts binary
+     */
+    getBinaryPath(): string | null;
+    /**
+     * Run MCP config scan
+     * @param rulesDir Optional custom YARA rules directory
+     */
+    runScan(rulesDir?: string): Promise<ScanResult>;
+    /**
+     * Parse ramparts CLI output
+     * Handles cases where CLI prints banner/logs before JSON
+     */
+    private parseOutput;
+    private getEmptyResult;
+}
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAWH;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE;QACZ,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE;YACT,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;KACH,CAAC;IACF,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC;IACtB,eAAe,CAAC,EAAE;QAChB,WAAW,CAAC,EAAE,OAAO,EAAE,CAAC;KACzB,CAAC;IACF,YAAY,CAAC,EAAE,UAAU,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,YAAY,CAAuB;;IAM3C;;;;;;;;;OASG;IACH,OAAO,CAAC,kBAAkB;IAqB1B;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACH,aAAa,IAAI,MAAM,GAAG,IAAI;IAI9B;;;OAGG;IACG,OAAO,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAqFrD;;;OAGG;IACH,OAAO,CAAC,WAAW;IAiJnB,OAAO,CAAC,cAAc;CAOvB"}

package/dist/service.d.ts

@@ -0,0 +1,18 @@
+/**
+ * System Service Manager
+ * Installs Guardian daemon as a system service for auto-start on boot
+ */
+import { ServiceStatus } from "./services/interface";
+/**
+ * Install Guardian as a system service
+ */
+export declare function installService(): Promise<void>;
+/**
+ * Uninstall Guardian system service
+ */
+export declare function uninstallService(): Promise<void>;
+/**
+ * Check system service status
+ */
+export declare function checkServiceStatus(): Promise<ServiceStatus>;
+//# sourceMappingURL=service.d.ts.map

package/dist/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAiB,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAqBpE;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAapD;AAED;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAatD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,aAAa,CAAC,CAcjE"}

package/dist/services/interface.d.ts

@@ -0,0 +1,11 @@
+export interface ServiceStatus {
+    installed: boolean;
+    running: boolean;
+    platform: string;
+}
+export interface SystemService {
+    install(): Promise<void>;
+    uninstall(): Promise<void>;
+    getStatus(): Promise<ServiceStatus>;
+}
+//# sourceMappingURL=interface.d.ts.map

package/dist/services/interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../src/services/interface.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACzB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,SAAS,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC;CACrC"}

package/dist/services/launchd.d.ts

@@ -0,0 +1,12 @@
+import { SystemService, ServiceStatus } from "./interface";
+export declare class LaunchdService implements SystemService {
+    private readonly daemonPath;
+    private readonly plistPath;
+    private readonly logPath;
+    private readonly errPath;
+    constructor();
+    install(): Promise<void>;
+    uninstall(): Promise<void>;
+    getStatus(): Promise<ServiceStatus>;
+}
+//# sourceMappingURL=launchd.d.ts.map

package/dist/services/launchd.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"launchd.d.ts","sourceRoot":"","sources":["../../src/services/launchd.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE3D,qBAAa,cAAe,YAAW,aAAa;IAClD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;;IAoB3B,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAqDxB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAmB1B,SAAS,IAAI,OAAO,CAAC,aAAa,CAAC;CAwB1C"}