@hongmaple0820/scale-engine 0.23.0 → 0.24.0

package/dist/guardrails/ActiveRedTeam.d.ts

@@ -0,0 +1,46 @@
+export type ActiveRedTeamSeverity = 'HIGH' | 'MEDIUM' | 'LOW';
+export type ActiveRedTeamStatus = 'SKIPPED' | 'PASSED' | 'FAILED';
+export interface ActiveRedTeamConfig {
+    enabled?: boolean;
+    baseUrl?: string;
+    startCommand?: string;
+    targets?: string[];
+    payloads?: string[];
+    timeoutMs?: number;
+    maxRequests?: number;
+}
+export interface ActiveRedTeamFinding {
+    ruleId: string;
+    severity: ActiveRedTeamSeverity;
+    target: string;
+    message: string;
+    evidence?: string;
+}
+export interface ActiveRedTeamProbe {
+    target: string;
+    url: string;
+    status?: number;
+    passed: boolean;
+    findingIds?: string[];
+    error?: string;
+}
+export interface ActiveRedTeamReport {
+    ok: boolean;
+    status: ActiveRedTeamStatus;
+    evidence: string;
+    findings: ActiveRedTeamFinding[];
+    probes: ActiveRedTeamProbe[];
+    blockers: string[];
+    summary: {
+        targets: number;
+        requests: number;
+        findings: number;
+    };
+}
+export interface ActiveRedTeamRuntime {
+    fetch?: (url: string, init?: RequestInit) => Promise<{
+        status: number;
+        text(): Promise<string>;
+    }>;
+}
+export declare function runActiveRedTeam(config?: ActiveRedTeamConfig, runtime?: ActiveRedTeamRuntime): Promise<ActiveRedTeamReport>;

package/dist/guardrails/ActiveRedTeam.js

@@ -0,0 +1,203 @@
+const DEFAULT_PAYLOADS = [
+    '<scale-probe>',
+    '"\'<scale-probe>',
+];
+const DEFAULT_TIMEOUT_MS = 5000;
+const DEFAULT_MAX_REQUESTS = 20;
+export async function runActiveRedTeam(config, runtime = {}) {
+    if (!config?.enabled) {
+        return createReport({
+            ok: true,
+            status: 'SKIPPED',
+            evidence: 'Active security not enabled or not configured.',
+        });
+    }
+    const resolved = resolveConfig(config);
+    if (resolved.blockers.length > 0 || !resolved.config) {
+        return createReport({
+            ok: false,
+            status: 'FAILED',
+            evidence: `Active security configuration invalid: ${resolved.blockers.join('; ')}`,
+            blockers: resolved.blockers,
+        });
+    }
+    const fetchImpl = runtime.fetch ?? globalThis.fetch;
+    if (!fetchImpl) {
+        return createReport({
+            ok: false,
+            status: 'FAILED',
+            evidence: 'Active security requires fetch support in the current runtime.',
+            blockers: ['fetch runtime is unavailable'],
+            summary: {
+                targets: resolved.config.targets.length,
+                requests: 0,
+                findings: 0,
+            },
+        });
+    }
+    const probes = [];
+    const findings = [];
+    const requests = buildRequests(resolved.config);
+    for (const request of requests) {
+        const probe = {
+            target: request.target,
+            url: request.url,
+            passed: true,
+            findingIds: [],
+        };
+        try {
+            const response = await fetchWithTimeout(fetchImpl, request.url, resolved.config.timeoutMs);
+            const text = await response.text();
+            probe.status = response.status;
+            if (text.includes(request.payload)) {
+                const finding = {
+                    ruleId: 'active.reflected-payload',
+                    severity: 'HIGH',
+                    target: request.target,
+                    message: `Probe payload was reflected by ${request.target}.`,
+                    evidence: request.payload,
+                };
+                findings.push(finding);
+                probe.passed = false;
+                probe.findingIds?.push(finding.ruleId);
+            }
+            if (response.status >= 500) {
+                const finding = {
+                    ruleId: 'active.server-error',
+                    severity: 'MEDIUM',
+                    target: request.target,
+                    message: `Probe returned HTTP ${response.status} for ${request.target}.`,
+                    evidence: `status=${response.status}`,
+                };
+                findings.push(finding);
+                probe.passed = false;
+                probe.findingIds?.push(finding.ruleId);
+            }
+        }
+        catch (error) {
+            probe.passed = false;
+            probe.error = error instanceof Error ? error.message : String(error);
+            findings.push({
+                ruleId: 'active.probe-error',
+                severity: 'MEDIUM',
+                target: request.target,
+                message: `Active security probe failed for ${request.target}.`,
+                evidence: probe.error,
+            });
+            probe.findingIds?.push('active.probe-error');
+        }
+        probes.push(probe);
+    }
+    const blockers = findings
+        .filter(finding => finding.severity === 'HIGH')
+        .map(finding => `${finding.ruleId}: ${finding.message}`);
+    const ok = blockers.length === 0;
+    const evidence = ok
+        ? `Active security probes passed (${probes.length} requests, ${findings.length} findings).`
+        : `Active security found blockers: ${blockers.join('; ')}`;
+    return createReport({
+        ok,
+        status: ok ? 'PASSED' : 'FAILED',
+        evidence,
+        findings,
+        probes,
+        blockers,
+        summary: {
+            targets: resolved.config.targets.length,
+            requests: probes.length,
+            findings: findings.length,
+        },
+    });
+}
+function resolveConfig(input) {
+    const blockers = [];
+    if (!input.baseUrl) {
+        blockers.push('security.active.baseUrl is required');
+    }
+    else {
+        try {
+            const url = new URL(input.baseUrl);
+            if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+                blockers.push('security.active.baseUrl must use http or https');
+            }
+        }
+        catch {
+            blockers.push('security.active.baseUrl must be a valid URL');
+        }
+    }
+    const targets = input.targets?.filter(Boolean) ?? [];
+    if (targets.length === 0) {
+        blockers.push('security.active.targets must contain at least one target');
+    }
+    const payloads = input.payloads?.filter(Boolean) ?? DEFAULT_PAYLOADS;
+    if (payloads.length === 0) {
+        blockers.push('security.active.payloads must contain at least one payload');
+    }
+    const timeoutMs = input.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {
+        blockers.push('security.active.timeoutMs must be greater than zero');
+    }
+    const maxRequests = Math.min(input.maxRequests ?? DEFAULT_MAX_REQUESTS, DEFAULT_MAX_REQUESTS);
+    if (!Number.isFinite(maxRequests) || maxRequests <= 0) {
+        blockers.push('security.active.maxRequests must be greater than zero');
+    }
+    if (blockers.length > 0 || !input.baseUrl) {
+        return { blockers };
+    }
+    return {
+        blockers,
+        config: {
+            baseUrl: input.baseUrl,
+            targets,
+            payloads,
+            timeoutMs,
+            maxRequests,
+        },
+    };
+}
+function buildRequests(config) {
+    const requests = [];
+    for (const target of config.targets) {
+        for (const payload of config.payloads) {
+            const url = new URL(target, config.baseUrl);
+            url.searchParams.set('scale_probe', payload);
+            requests.push({
+                target,
+                payload,
+                url: url.toString(),
+            });
+            if (requests.length >= config.maxRequests) {
+                return requests;
+            }
+        }
+    }
+    return requests;
+}
+async function fetchWithTimeout(fetchImpl, url, timeoutMs) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        return await fetchImpl(url, { signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+function createReport(input) {
+    const findings = input.findings ?? [];
+    const probes = input.probes ?? [];
+    return {
+        ok: input.ok,
+        status: input.status,
+        evidence: input.evidence,
+        findings,
+        probes,
+        blockers: input.blockers ?? [],
+        summary: input.summary ?? {
+            targets: 0,
+            requests: probes.length,
+            findings: findings.length,
+        },
+    };
+}
+//# sourceMappingURL=ActiveRedTeam.js.map

package/dist/guardrails/ActiveRedTeam.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ActiveRedTeam.js","sourceRoot":"","sources":["../../src/guardrails/ActiveRedTeam.ts"],"names":[],"mappings":"AA2DA,MAAM,gBAAgB,GAAG;IACvB,eAAe;IACf,kBAAkB;CACnB,CAAA;AAED,MAAM,kBAAkB,GAAG,IAAI,CAAA;AAC/B,MAAM,oBAAoB,GAAG,EAAE,CAAA;AAE/B,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAA4B,EAC5B,UAAgC,EAAE;IAElC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;QACrB,OAAO,YAAY,CAAC;YAClB,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,gDAAgD;SAC3D,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;IACtC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrD,OAAO,YAAY,CAAC;YAClB,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,0CAA0C,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAClF,QAAQ,EAAE,QAAQ,CAAC,QAAQ;SAC5B,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAA;IACnD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,YAAY,CAAC;YAClB,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,gEAAgE;YAC1E,QAAQ,EAAE,CAAC,8BAA8B,CAAC;YAC1C,OAAO,EAAE;gBACP,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM;gBACvC,QAAQ,EAAE,CAAC;gBACX,QAAQ,EAAE,CAAC;aACZ;SACF,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,MAAM,GAAyB,EAAE,CAAA;IACvC,MAAM,QAAQ,GAA2B,EAAE,CAAA;IAC3C,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAE/C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAuB;YAChC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,MAAM,EAAE,IAAI;YACZ,UAAU,EAAE,EAAE;SACf,CAAA;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YAC1F,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;YAClC,KAAK,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAA;YAE9B,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnC,MAAM,OAAO,GAAG;oBACd,MAAM,EAAE,0BAA0B;oBAClC,QAAQ,EAAE,MAAM;oBAChB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,kCAAkC,OAAO,CAAC,MAAM,GAAG;oBAC5D,QAAQ,EAAE,OAAO,CAAC,OAAO;iBACK,CAAA;gBAChC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;gBACtB,KAAK,CAAC,MAAM,GAAG,KAAK,CAAA;gBACpB,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;YACxC,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG;oBACd,MAAM,EAAE,qBAAqB;oBAC7B,QAAQ,EAAE,QAAQ;oBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,uBAAuB,QAAQ,CAAC,MAAM,QAAQ,OAAO,CAAC,MAAM,GAAG;oBACxE,QAAQ,EAAE,UAAU,QAAQ,CAAC,MAAM,EAAE;iBACP,CAAA;gBAChC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;gBACtB,KAAK,CAAC,MAAM,GAAG,KAAK,CAAA;gBACpB,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;YACxC,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,KAAK,CAAC,MAAM,GAAG,KAAK,CAAA;YACpB,KAAK,CAAC,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;YACpE,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,oBAAoB;gBAC5B,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,OAAO,EAAE,oCAAoC,OAAO,CAAC,MAAM,GAAG;gBAC9D,QAAQ,EAAE,KAAK,CAAC,KAAK;aACtB,CAAC,CAAA;YACF,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,oBAAoB,CAAC,CAAA;QAC9C,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACpB,CAAC;IAED,MAAM,QAAQ,GAAG,QAAQ;SACtB,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC;SAC9C,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAA;IAE1D,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAA;IAChC,MAAM,QAAQ,GAAG,EAAE;QACjB,CAAC,CAAC,kCAAkC,MAAM,CAAC,MAAM,cAAc,QAAQ,CAAC,MAAM,aAAa;QAC3F,CAAC,CAAC,mCAAmC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAA;IAE5D,OAAO,YAAY,CAAC;QAClB,EAAE;QACF,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ;QAChC,QAAQ;QACR,QAAQ;QACR,MAAM;QACN,QAAQ;QACR,OAAO,EAAE;YACP,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM;YACvC,QAAQ,EAAE,MAAM,CAAC,MAAM;YACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM;SAC1B;KACF,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAA0B;IAC/C,MAAM,QAAQ,GAAa,EAAE,CAAA;IAE7B,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACnB,QAAQ,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAA;IACtD,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;YAClC,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC1D,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAA;YACjE,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAA;QAC9D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IACpD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAA;IAC3E,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,gBAAgB,CAAA;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,QAAQ,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAA;IAC7E,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,kBAAkB,CAAA;IACvD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;QAClD,QAAQ,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI,oBAAoB,EAAE,oBAAoB,CAAC,CAAA;IAC7F,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAA;IACxE,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QAC1C,OAAO,EAAE,QAAQ,EAAE,CAAA;IACrB,CAAC;IAED,OAAO;QACL,QAAQ;QACR,MAAM,EAAE;YACN,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,OAAO;YACP,QAAQ;YACR,SAAS;YACT,WAAW;SACZ;KACF,CAAA;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAmC;IACxD,MAAM,QAAQ,GAA4D,EAAE,CAAA;IAE5E,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACpC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;YAC3C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;YAC5C,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM;gBACN,OAAO;gBACP,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE;aACpB,CAAC,CAAA;YAEF,IAAI,QAAQ,CAAC,MAAM,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC1C,OAAO,QAAQ,CAAA;YACjB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,SAAqD,EACrD,GAAW,EACX,SAAiB;IAEjB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAA;IACxC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAA;IAE/D,IAAI,CAAC;QACH,OAAO,MAAM,SAAS,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAA;IAC5D,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,OAAO,CAAC,CAAA;IACvB,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAA6F;IACjH,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAA;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,IAAI,EAAE,CAAA;IAEjC,OAAO;QACL,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ;QACR,MAAM;QACN,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;QAC9B,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI;YACxB,OAAO,EAAE,CAAC;YACV,QAAQ,EAAE,MAAM,CAAC,MAAM;YACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM;SAC1B;KACF,CAAA;AACH,CAAC"}

package/dist/guardrails/DependencyAuditor.d.ts

@@ -0,0 +1,68 @@
+export type DependencyAuditSeverity = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
+export type DependencyAuditMode = 'compatibility' | 'strict' | 'offline';
+export interface DependencyAuditPolicyFile {
+    version?: number;
+    mode?: DependencyAuditMode;
+    maxPackages?: number;
+    maxPackageFiles?: number;
+    allowPackages?: string[];
+    baselineFindings?: Array<{
+        packageName: string;
+        version?: string;
+        ruleId: string;
+        reason?: string;
+    }>;
+}
+export interface ResolvedDependencyAuditPolicy {
+    version: number;
+    mode: DependencyAuditMode;
+    maxPackages: number;
+    maxPackageFiles: number;
+    allowPackages: string[];
+    baselineFindings: Array<{
+        packageName: string;
+        version?: string;
+        ruleId: string;
+        reason?: string;
+    }>;
+    warnings: string[];
+}
+export interface DependencyAuditFinding {
+    packageName: string;
+    version?: string;
+    ruleId: string;
+    severity: DependencyAuditSeverity;
+    path?: string;
+    message: string;
+    evidence?: string;
+    fix?: string;
+}
+export interface DependencyAuditSummary {
+    packagesAudited: number;
+    totalFindings: number;
+    bySeverity: Record<DependencyAuditSeverity, number>;
+}
+export interface DependencyAuditReport {
+    ok: boolean;
+    projectDir: string;
+    lockfilePath?: string;
+    policyPath: string;
+    mode: DependencyAuditMode;
+    packagesAudited: string[];
+    findings: DependencyAuditFinding[];
+    blockers: string[];
+    summary: DependencyAuditSummary;
+    warnings: string[];
+}
+export interface DependencyAuditOptions {
+    projectDir?: string;
+    scaleDir?: string;
+    mode?: DependencyAuditMode;
+    changedPackages?: string[];
+    maxPackages?: number;
+    maxPackageFiles?: number;
+}
+export declare function dependencyAuditPolicyTemplate(): string;
+export declare function dependencyAuditPolicyPath(projectDir?: string, scaleDir?: string): string;
+export declare function loadDependencyAuditPolicy(projectDir?: string, scaleDir?: string): ResolvedDependencyAuditPolicy;
+export declare function auditDependencies(options?: DependencyAuditOptions): DependencyAuditReport;

package/dist/guardrails/DependencyAuditor.js

@@ -0,0 +1,331 @@
+import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
+import { basename, join, relative, sep } from 'node:path';
+const SOURCE_EXTENSIONS = new Set(['.js', '.cjs', '.mjs']);
+const DEFAULT_MAX_PACKAGES = 50;
+const DEFAULT_MAX_PACKAGE_FILES = 25;
+export function dependencyAuditPolicyTemplate() {
+    return JSON.stringify({
+        version: 1,
+        mode: 'compatibility',
+        maxPackages: DEFAULT_MAX_PACKAGES,
+        maxPackageFiles: DEFAULT_MAX_PACKAGE_FILES,
+        allowPackages: [],
+        baselineFindings: [],
+    }, null, 2) + '\n';
+}
+export function dependencyAuditPolicyPath(projectDir = process.cwd(), scaleDir = '.scale') {
+    const scaleRoot = scaleDir.includes(':') || scaleDir.startsWith('/') || scaleDir.startsWith('\\\\')
+        ? scaleDir
+        : join(projectDir, scaleDir);
+    return join(scaleRoot, 'security', 'dependency-policy.json');
+}
+export function loadDependencyAuditPolicy(projectDir = process.cwd(), scaleDir = '.scale') {
+    const path = dependencyAuditPolicyPath(projectDir, scaleDir);
+    const warnings = [];
+    let parsed = {};
+    if (existsSync(path)) {
+        try {
+            parsed = JSON.parse(readFileSync(path, 'utf-8'));
+        }
+        catch (error) {
+            warnings.push(`Failed to read ${path}: ${error instanceof Error ? error.message : String(error)}; using built-in defaults.`);
+        }
+    }
+    return {
+        version: typeof parsed.version === 'number' ? parsed.version : 1,
+        mode: normalizeMode(parsed.mode) ?? 'compatibility',
+        maxPackages: positiveNumber(parsed.maxPackages) ?? DEFAULT_MAX_PACKAGES,
+        maxPackageFiles: positiveNumber(parsed.maxPackageFiles) ?? DEFAULT_MAX_PACKAGE_FILES,
+        allowPackages: Array.isArray(parsed.allowPackages)
+            ? parsed.allowPackages.filter(item => typeof item === 'string' && item.length > 0)
+            : [],
+        baselineFindings: Array.isArray(parsed.baselineFindings)
+            ? parsed.baselineFindings.filter(item => typeof item.packageName === 'string' &&
+                typeof item.ruleId === 'string')
+            : [],
+        warnings,
+    };
+}
+export function auditDependencies(options = {}) {
+    const projectDir = options.projectDir ?? process.cwd();
+    const scaleDir = options.scaleDir ?? '.scale';
+    const policy = loadDependencyAuditPolicy(projectDir, scaleDir);
+    const mode = options.mode ?? policy.mode;
+    const lockfilePath = join(projectDir, 'package-lock.json');
+    const warnings = [...policy.warnings];
+    if (!existsSync(lockfilePath)) {
+        warnings.push('No package-lock.json found; dependency audit skipped.');
+        return createReport({
+            projectDir,
+            policyPath: dependencyAuditPolicyPath(projectDir, scaleDir),
+            mode,
+            packagesAudited: [],
+            findings: [],
+            warnings,
+        });
+    }
+    let lockfile;
+    try {
+        lockfile = JSON.parse(readFileSync(lockfilePath, 'utf-8'));
+    }
+    catch (error) {
+        warnings.push(`Failed to parse package-lock.json: ${error instanceof Error ? error.message : String(error)}`);
+        return createReport({
+            projectDir,
+            lockfilePath,
+            policyPath: dependencyAuditPolicyPath(projectDir, scaleDir),
+            mode,
+            packagesAudited: [],
+            findings: [{
+                    packageName: 'package-lock.json',
+                    ruleId: 'dependency.lockfile-invalid',
+                    severity: mode === 'strict' ? 'HIGH' : 'LOW',
+                    path: 'package-lock.json',
+                    message: 'package-lock.json could not be parsed.',
+                }],
+            warnings,
+        });
+    }
+    const packages = selectPackages(lockfile, {
+        changedPackages: options.changedPackages,
+        maxPackages: options.maxPackages ?? policy.maxPackages,
+    }).filter(pkg => !policy.allowPackages.includes(pkg.name));
+    const rawFindings = packages.flatMap(pkg => scanPackage(projectDir, pkg, options.maxPackageFiles ?? policy.maxPackageFiles));
+    const findings = rawFindings.filter(finding => !isBaselineFinding(finding, policy));
+    return createReport({
+        projectDir,
+        lockfilePath,
+        policyPath: dependencyAuditPolicyPath(projectDir, scaleDir),
+        mode,
+        packagesAudited: packages.map(pkg => pkg.name),
+        findings,
+        warnings,
+    });
+}
+function createReport(input) {
+    const blockers = input.findings
+        .filter(finding => shouldBlock(finding.severity, input.mode))
+        .map(finding => `${finding.severity} ${finding.ruleId} in ${finding.packageName}${finding.version ? `@${finding.version}` : ''} - ${finding.message}`);
+    return {
+        ok: blockers.length === 0,
+        projectDir: input.projectDir,
+        lockfilePath: input.lockfilePath,
+        policyPath: input.policyPath,
+        mode: input.mode,
+        packagesAudited: input.packagesAudited,
+        findings: input.findings,
+        blockers,
+        summary: summarize(input.packagesAudited.length, input.findings),
+        warnings: input.warnings,
+    };
+}
+function selectPackages(lockfile, options) {
+    const packages = lockfile.packages ?? {};
+    const root = packages[''] ?? {};
+    const direct = new Set([
+        ...Object.keys(root.dependencies ?? {}),
+        ...Object.keys(root.devDependencies ?? {}),
+        ...Object.keys(root.optionalDependencies ?? {}),
+    ]);
+    const requested = new Set(options.changedPackages?.length ? options.changedPackages : [...direct]);
+    return Object.entries(packages)
+        .filter(([path]) => isTopLevelNodeModulePath(path))
+        .map(([path, metadata]) => ({ name: packageNameFromLockPath(path), path, metadata }))
+        .filter(pkg => requested.has(pkg.name))
+        .sort((a, b) => a.name.localeCompare(b.name))
+        .slice(0, Math.max(0, options.maxPackages));
+}
+function scanPackage(projectDir, pkg, maxPackageFiles) {
+    const findings = [];
+    if (pkg.metadata.hasInstallScript) {
+        findings.push({
+            packageName: pkg.name,
+            version: pkg.metadata.version,
+            ruleId: 'dependency.install-script',
+            severity: 'HIGH',
+            path: pkg.path,
+            message: 'Dependency declares an install lifecycle script.',
+            evidence: 'hasInstallScript=true',
+            fix: 'Review package provenance, pin the version, or replace the dependency.',
+        });
+    }
+    if (pkg.metadata.bin) {
+        findings.push({
+            packageName: pkg.name,
+            version: pkg.metadata.version,
+            ruleId: 'dependency.bin-script',
+            severity: 'MEDIUM',
+            path: pkg.path,
+            message: 'Dependency exposes executable bin scripts.',
+            evidence: typeof pkg.metadata.bin === 'string' ? pkg.metadata.bin : Object.keys(pkg.metadata.bin).join(', '),
+            fix: 'Verify the command is intentionally used and comes from a trusted package.',
+        });
+    }
+    if (pkg.metadata.deprecated) {
+        findings.push({
+            packageName: pkg.name,
+            version: pkg.metadata.version,
+            ruleId: 'dependency.deprecated',
+            severity: 'HIGH',
+            path: pkg.path,
+            message: 'Dependency is marked deprecated.',
+            evidence: pkg.metadata.deprecated,
+            fix: 'Upgrade or replace the deprecated dependency.',
+        });
+    }
+    findings.push(...scanPackageSource(projectDir, pkg, maxPackageFiles));
+    return findings;
+}
+function scanPackageSource(projectDir, pkg, maxPackageFiles) {
+    const root = join(projectDir, ...pkg.path.split('/'));
+    if (!existsSync(root))
+        return [];
+    const files = [];
+    walkPackage(root, files, maxPackageFiles);
+    const findings = [];
+    for (const file of files) {
+        let content = '';
+        try {
+            content = readFileSync(file, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        if (content.includes('\u0000'))
+            continue;
+        const relativePath = normalizePath(relative(projectDir, file));
+        const lines = content.split(/\r?\n/);
+        for (let index = 0; index < lines.length; index += 1) {
+            const line = lines[index];
+            const finding = sourceFindingForLine(pkg, relativePath, index + 1, line);
+            if (finding)
+                findings.push(finding);
+        }
+    }
+    return findings;
+}
+function sourceFindingForLine(pkg, path, lineNumber, line) {
+    const trimmed = line.trim();
+    if (trimmed === '' || trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*'))
+        return null;
+    if (/\beval\s*\(|new\s+Function\s*\(/.test(trimmed)) {
+        return {
+            packageName: pkg.name,
+            version: pkg.metadata.version,
+            ruleId: 'dependency.eval',
+            severity: 'CRITICAL',
+            path,
+            message: 'Dependency source uses dynamic code execution.',
+            evidence: `line ${lineNumber}: ${trimmed.slice(0, 180)}`,
+            fix: 'Replace the dependency or pin and review a safe version.',
+        };
+    }
+    if (/\bexecSync\s*\(|\bchild_process\.exec\s*\(|\bshell\s*:\s*true\b|\bspawn\s*\([^,\n]+,\s*[^,\n]+,\s*\{[^}]*shell\s*:\s*true/.test(trimmed)) {
+        return {
+            packageName: pkg.name,
+            version: pkg.metadata.version,
+            ruleId: 'dependency.shell-exec',
+            severity: 'HIGH',
+            path,
+            message: 'Dependency source performs shell execution.',
+            evidence: `line ${lineNumber}: ${trimmed.slice(0, 180)}`,
+            fix: 'Review whether the dependency can execute user-controlled input.',
+        };
+    }
+    if (/\b(?:fetch|axios|request|http\.request|https\.request)\s*\(/.test(trimmed)) {
+        return {
+            packageName: pkg.name,
+            version: pkg.metadata.version,
+            ruleId: 'dependency.network-access',
+            severity: 'MEDIUM',
+            path,
+            message: 'Dependency source performs network access.',
+            evidence: `line ${lineNumber}: ${trimmed.slice(0, 180)}`,
+            fix: 'Confirm the network behavior is expected and documented.',
+        };
+    }
+    return null;
+}
+function walkPackage(dir, files, maxFiles) {
+    if (files.length >= maxFiles)
+        return;
+    let entries;
+    try {
+        entries = readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        if (files.length >= maxFiles)
+            return;
+        const fullPath = join(dir, entry.name);
+        if (entry.isDirectory()) {
+            if (['node_modules', 'test', 'tests', '__tests__', 'coverage', 'dist', 'docs', 'example', 'examples', 'benchmark', 'benchmarks'].includes(entry.name))
+                continue;
+            walkPackage(fullPath, files, maxFiles);
+        }
+        else if (entry.isFile() && SOURCE_EXTENSIONS.has(extension(entry.name))) {
+            try {
+                if (statSync(fullPath).size <= 300_000)
+                    files.push(fullPath);
+            }
+            catch {
+                // Ignore files that disappear during scanning.
+            }
+        }
+    }
+}
+function packageNameFromLockPath(path) {
+    const parts = path.split('/');
+    if (parts[1]?.startsWith('@'))
+        return `${parts[1]}/${parts[2] ?? ''}`;
+    return parts[1] ?? basename(path);
+}
+function isTopLevelNodeModulePath(path) {
+    const parts = path.split('/');
+    if (parts[0] !== 'node_modules')
+        return false;
+    if (parts[1]?.startsWith('@'))
+        return parts.length === 3;
+    return parts.length === 2;
+}
+function isBaselineFinding(finding, policy) {
+    return policy.baselineFindings.some(item => item.packageName === finding.packageName &&
+        item.ruleId === finding.ruleId &&
+        (item.version === undefined || item.version === finding.version));
+}
+function shouldBlock(severity, mode) {
+    if (severity === 'CRITICAL')
+        return true;
+    return mode === 'strict' && severity === 'HIGH';
+}
+function summarize(packagesAudited, findings) {
+    const bySeverity = {
+        CRITICAL: 0,
+        HIGH: 0,
+        MEDIUM: 0,
+        LOW: 0,
+    };
+    for (const finding of findings)
+        bySeverity[finding.severity] += 1;
+    return {
+        packagesAudited,
+        totalFindings: findings.length,
+        bySeverity,
+    };
+}
+function normalizeMode(value) {
+    return value === 'compatibility' || value === 'strict' || value === 'offline' ? value : undefined;
+}
+function positiveNumber(value) {
+    return typeof value === 'number' && Number.isFinite(value) && value > 0 ? value : undefined;
+}
+function extension(path) {
+    const index = path.lastIndexOf('.');
+    return index >= 0 ? path.slice(index).toLowerCase() : '';
+}
+function normalizePath(path) {
+    return path.split(sep).join('/');
+}
+//# sourceMappingURL=DependencyAuditor.js.map