@hookwarden/engine 0.0.1 → 0.1.1
- package/dist/adapters/django.d.ts +4 -0
- package/dist/adapters/django.d.ts.map +1 -0
- package/dist/adapters/django.js +148 -0
- package/dist/adapters/django.js.map +1 -0
- package/dist/adapters/fastapi.d.ts +4 -0
- package/dist/adapters/fastapi.d.ts.map +1 -0
- package/dist/adapters/fastapi.js +118 -0
- package/dist/adapters/fastapi.js.map +1 -0
- package/dist/adapters/index.d.ts +9 -0
- package/dist/adapters/index.d.ts.map +1 -0
- package/dist/adapters/index.js +10 -0
- package/dist/adapters/index.js.map +1 -0
- package/dist/adapters/nextjs.d.ts +4 -0
- package/dist/adapters/nextjs.d.ts.map +1 -0
- package/dist/adapters/nextjs.js +82 -0
- package/dist/adapters/nextjs.js.map +1 -0
- package/dist/evaluate.d.ts +6 -0
- package/dist/evaluate.d.ts.map +1 -0
- package/dist/evaluate.js +108 -0
- package/dist/evaluate.js.map +1 -0
- package/dist/evaluator/index.d.ts +4 -0
- package/dist/evaluator/index.d.ts.map +1 -0
- package/dist/evaluator/index.js +4 -0
- package/dist/evaluator/index.js.map +1 -0
- package/dist/evaluator/matchers.d.ts +13 -0
- package/dist/evaluator/matchers.d.ts.map +1 -0
- package/dist/evaluator/matchers.js +124 -0
- package/dist/evaluator/matchers.js.map +1 -0
- package/dist/evaluator/parse-error.d.ts +4 -0
- package/dist/evaluator/parse-error.d.ts.map +1 -0
- package/dist/evaluator/parse-error.js +46 -0
- package/dist/evaluator/parse-error.js.map +1 -0
- package/dist/evaluator/path-severity-overrides.d.ts +4 -0
- package/dist/evaluator/path-severity-overrides.d.ts.map +1 -0
- package/dist/evaluator/path-severity-overrides.js +29 -0
- package/dist/evaluator/path-severity-overrides.js.map +1 -0
- package/dist/evaluator/visit.d.ts +16 -0
- package/dist/evaluator/visit.d.ts.map +1 -0
- package/dist/evaluator/visit.js +96 -0
- package/dist/evaluator/visit.js.map +1 -0
- package/dist/findings/fingerprint.d.ts +22 -0
- package/dist/findings/fingerprint.d.ts.map +1 -0
- package/dist/findings/fingerprint.js +39 -0
- package/dist/findings/fingerprint.js.map +1 -0
- package/dist/findings/index.d.ts +3 -0
- package/dist/findings/index.d.ts.map +1 -0
- package/dist/findings/index.js +4 -0
- package/dist/findings/index.js.map +1 -0
- package/dist/findings/webcrypto.d.ts +2 -0
- package/dist/findings/webcrypto.d.ts.map +1 -0
- package/dist/findings/webcrypto.js +15 -0
- package/dist/findings/webcrypto.js.map +1 -0
- package/dist/index.d.ts +8 -8
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -4
- package/dist/index.js.map +1 -1
- package/dist/model/build.d.ts +12 -0
- package/dist/model/build.d.ts.map +1 -0
- package/dist/model/build.js +186 -0
- package/dist/model/build.js.map +1 -0
- package/dist/model/catalog.d.ts +17 -0
- package/dist/model/catalog.d.ts.map +1 -0
- package/dist/model/catalog.js +303 -0
- package/dist/model/catalog.js.map +1 -0
- package/dist/model/evidence.d.ts +18 -0
- package/dist/model/evidence.d.ts.map +1 -0
- package/dist/model/evidence.js +114 -0
- package/dist/model/evidence.js.map +1 -0
- package/dist/model/index.d.ts +6 -0
- package/dist/model/index.d.ts.map +1 -0
- package/dist/model/index.js +7 -0
- package/dist/model/index.js.map +1 -0
- package/dist/model/middleware.d.ts +10 -0
- package/dist/model/middleware.d.ts.map +1 -0
- package/dist/model/middleware.js +140 -0
- package/dist/model/middleware.js.map +1 -0
- package/dist/model/reachability.d.ts +11 -0
- package/dist/model/reachability.d.ts.map +1 -0
- package/dist/model/reachability.js +260 -0
- package/dist/model/reachability.js.map +1 -0
- package/dist/parsers/babel.d.ts +11 -0
- package/dist/parsers/babel.d.ts.map +1 -0
- package/dist/parsers/babel.js +121 -0
- package/dist/parsers/babel.js.map +1 -0
- package/dist/parsers/index.d.ts +6 -0
- package/dist/parsers/index.d.ts.map +1 -0
- package/dist/parsers/index.js +7 -0
- package/dist/parsers/index.js.map +1 -0
- package/dist/parsers/literals.d.ts +4 -0
- package/dist/parsers/literals.d.ts.map +1 -0
- package/dist/parsers/literals.js +37 -0
- package/dist/parsers/literals.js.map +1 -0
- package/dist/parsers/python-literals.d.ts +5 -0
- package/dist/parsers/python-literals.d.ts.map +1 -0
- package/dist/parsers/python-literals.js +62 -0
- package/dist/parsers/python-literals.js.map +1 -0
- package/dist/parsers/python-loader.d.ts +9 -0
- package/dist/parsers/python-loader.d.ts.map +1 -0
- package/dist/parsers/python-loader.js +16 -0
- package/dist/parsers/python-loader.js.map +1 -0
- package/dist/parsers/python.d.ts +8 -0
- package/dist/parsers/python.d.ts.map +1 -0
- package/dist/parsers/python.js +125 -0
- package/dist/parsers/python.js.map +1 -0
- package/dist/parsers/walk.d.ts +15 -0
- package/dist/parsers/walk.d.ts.map +1 -0
- package/dist/parsers/walk.js +66 -0
- package/dist/parsers/walk.js.map +1 -0
- package/dist/redaction/index.d.ts +3 -0
- package/dist/redaction/index.d.ts.map +1 -0
- package/dist/redaction/index.js +2 -0
- package/dist/redaction/index.js.map +1 -0
- package/dist/redaction/structural.d.ts +14 -0
- package/dist/redaction/structural.d.ts.map +1 -0
- package/dist/redaction/structural.js +37 -0
- package/dist/redaction/structural.js.map +1 -0
- package/dist/types/config.d.ts +7 -0
- package/dist/types/config.d.ts.map +1 -0
- package/dist/types/config.js +6 -0
- package/dist/types/config.js.map +1 -0
- package/dist/types/finding.d.ts +32 -0
- package/dist/types/finding.d.ts.map +1 -0
- package/dist/types/finding.js +12 -0
- package/dist/types/finding.js.map +1 -0
- package/dist/types/handler.d.ts +39 -0
- package/dist/types/handler.d.ts.map +1 -0
- package/dist/types/handler.js +7 -0
- package/dist/types/handler.js.map +1 -0
- package/dist/types/index.d.ts +7 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +4 -0
- package/dist/types/index.js.map +1 -0
- package/dist/types/project-model.d.ts +42 -0
- package/dist/types/project-model.d.ts.map +1 -0
- package/dist/types/project-model.js +5 -0
- package/dist/types/project-model.js.map +1 -0
- package/dist/types/rule-set.d.ts +42 -0
- package/dist/types/rule-set.d.ts.map +1 -0
- package/dist/types/rule-set.js +6 -0
- package/dist/types/rule-set.js.map +1 -0
- package/dist/types/scan-result.d.ts +19 -0
- package/dist/types/scan-result.d.ts.map +1 -0
- package/dist/types/scan-result.js +8 -0
- package/dist/types/scan-result.js.map +1 -0
- package/dist/version.d.ts +2 -0
- package/dist/version.d.ts.map +1 -0
- package/dist/version.js +5 -0
- package/dist/version.js.map +1 -0
- package/package.json +18 -4
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
// D-39: structural snippet redaction. Literals → typed placeholders; identifiers preserved.
|
|
2
|
+
// Browser-safe: pure string transformation, no Node built-ins.
|
|
3
|
+
// Property-tested: every string literal becomes <STRING:N>; every identifier is unchanged.
|
|
4
|
+
// Sort spans descending by start so we can splice without shifting indices.
|
|
5
|
+
function sortSpans(spans) {
|
|
6
|
+
return [...spans].sort((a, b) => b.start - a.start);
|
|
7
|
+
}
|
|
8
|
+
function placeholderFor(span, secretPrefixes) {
|
|
9
|
+
if (span.kind === "secret")
|
|
10
|
+
return "<SECRET_LITERAL>";
|
|
11
|
+
if (span.kind === "string") {
|
|
12
|
+
for (const prefix of secretPrefixes) {
|
|
13
|
+
if (span.value.startsWith(prefix))
|
|
14
|
+
return "<SECRET_LITERAL>";
|
|
15
|
+
}
|
|
16
|
+
return `<STRING:${span.value.length}>`;
|
|
17
|
+
}
|
|
18
|
+
if (span.kind === "number")
|
|
19
|
+
return "<NUMBER>";
|
|
20
|
+
if (span.kind === "template")
|
|
21
|
+
return "<TEMPLATE>";
|
|
22
|
+
if (span.kind === "regex")
|
|
23
|
+
return "<REGEX>";
|
|
24
|
+
// Exhaustiveness: every LiteralKind covered above.
|
|
25
|
+
const _exhaustive = span.kind;
|
|
26
|
+
return `<UNKNOWN:${_exhaustive}>`;
|
|
27
|
+
}
|
|
28
|
+
export function redactSnippet(input) {
|
|
29
|
+
const secretPrefixes = input.secret_literal_prefixes ?? [];
|
|
30
|
+
let out = input.source_text;
|
|
31
|
+
for (const span of sortSpans(input.literals)) {
|
|
32
|
+
const placeholder = placeholderFor(span, secretPrefixes);
|
|
33
|
+
out = out.slice(0, span.start) + placeholder + out.slice(span.end);
|
|
34
|
+
}
|
|
35
|
+
return out;
|
|
36
|
+
}
|
|
37
|
+
//# sourceMappingURL=structural.js.map
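Review bot: In `redactSnippet`, every splice uses `span.start` and `span.end` as offsets into the original text, which is only safe while the spans are disjoint, and nothing in the loop checks that. If the literal extractor ever hands over nested or overlapping spans (for example a string inside a template expression; the extractor is not visible here), a placeholder longer than the text it replaced shifts the remainder, so the outer `out.slice(span.end)` starts inside the literal and leaves its tail unredacted in the snippet. Failing closed is cheap: declare `let prevStart = Infinity;` before the loop, and inside it add `if (span.start < 0 || span.start > span.end || span.end > prevStart) throw new RangeError("overlapping or invalid literal span");` followed by `prevStart = span.start;`. Separately, the header comment could state that `<STRING:N>` deliberately discloses the length of any string that matches no configured prefix.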
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"structural.js","sourceRoot":"","sources":["../../src/redaction/structural.ts"],"names":[],"mappings":"AAAA,4FAA4F;AAC5F,+DAA+D;AAC/D,2FAA2F;AAwB3F,4EAA4E;AAC5E,SAAS,SAAS,CAAC,KAAiC;IAClD,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,cAAc,CAAC,IAAiB,EAAE,cAAqC;IAC9E,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,kBAAkB,CAAC;IACtD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC3B,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,OAAO,kBAAkB,CAAC;QAC/D,CAAC;QACD,OAAO,WAAW,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;IACzC,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,UAAU,CAAC;IAC9C,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,YAAY,CAAC;IAClD,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO;QAAE,OAAO,SAAS,CAAC;IAC5C,mDAAmD;IACnD,MAAM,WAAW,GAAU,IAAI,CAAC,IAAI,CAAC;IACrC,OAAO,YAAY,WAAqB,GAAG,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAqB;IACjD,MAAM,cAAc,GAAG,KAAK,CAAC,uBAAuB,IAAI,EAAE,CAAC;IAC3D,IAAI,GAAG,GAAG,KAAK,CAAC,WAAW,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7C,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;QACzD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,MAAM;IAErB,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;IAExC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAE5B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1C,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;CACpC"}
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
// D-01: Engine is pure — caller supplies wall clock and git context, engine never reads them.
|
|
2
|
+
// D-34: reachability_max_depth bounds handler reachability walk (default 3 hops).
|
|
3
|
+
// D-38: engine_commit_sha and total_files_count flow through Config into ScanMetadata.
|
|
4
|
+
// ENGINE-06: bounded reachability depth keeps the 30s/50KLOC perf budget achievable.
|
|
5
|
+
export {};
|
|
6
|
+
//# sourceMappingURL=config.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA,8FAA8F;AAC9F,kFAAkF;AAClF,uFAAuF;AACvF,qFAAqF"}
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
export type Severity = "critical" | "high" | "medium" | "low" | "info";
|
|
2
|
+
export type SuppressionSource = "inline" | "ignore" | "baseline";
|
|
3
|
+
export interface SuppressedPayload {
|
|
4
|
+
readonly source: SuppressionSource;
|
|
5
|
+
readonly pattern?: string;
|
|
6
|
+
readonly comment?: string;
|
|
7
|
+
readonly baselined_at?: string;
|
|
8
|
+
}
|
|
9
|
+
export type Verdict = "verified" | "not-verified" | "manual-review";
|
|
10
|
+
export type FindingId = string;
|
|
11
|
+
export interface SourceLocation {
|
|
12
|
+
readonly line: number;
|
|
13
|
+
readonly col: number;
|
|
14
|
+
readonly end_line: number;
|
|
15
|
+
readonly end_col: number;
|
|
16
|
+
}
|
|
17
|
+
export interface Finding {
|
|
18
|
+
readonly id: FindingId;
|
|
19
|
+
readonly rule_id: string;
|
|
20
|
+
readonly provider: string;
|
|
21
|
+
readonly severity: Severity;
|
|
22
|
+
readonly state: Verdict;
|
|
23
|
+
readonly file_path: string;
|
|
24
|
+
readonly location: SourceLocation;
|
|
25
|
+
readonly snippet: string;
|
|
26
|
+
readonly handler_id: string | null;
|
|
27
|
+
readonly primary_location_line_hash: string;
|
|
28
|
+
readonly message: string;
|
|
29
|
+
readonly metadata: Readonly<Record<string, string | number | boolean | null>>;
|
|
30
|
+
readonly suppressed?: SuppressedPayload | null;
|
|
31
|
+
}
|
|
32
|
+
//# sourceMappingURL=finding.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"finding.d.ts","sourceRoot":"","sources":["../../src/types/finding.ts"],"names":[],"mappings":"AAWA,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAIvE,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEjE,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,MAAM,EAAE,iBAAiB,CAAC;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAGD,MAAM,MAAM,OAAO,GAAG,UAAU,GAAG,cAAc,GAAG,eAAe,CAAC;AAGpE,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,OAAO;IACtB,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,0BAA0B,EAAE,MAAM,CAAC;IAC5C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;IAC9E,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,GAAG,IAAI,CAAC;CAChD"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
// D-29: Verdict three-state output.
|
|
2
|
+
// D-30: FindingId is a stable composite hash string.
|
|
3
|
+
// D-37: Composite stable id is sha256 hex from WebCrypto.
|
|
4
|
+
// D-39: snippet is the structurally redacted slice.
|
|
5
|
+
// D-63: Suppressed findings stay in findings[] with a payload describing the source.
|
|
6
|
+
// Engine emits suppressed = null/undefined; the CLI Phase 4 suppression annotator
|
|
7
|
+
// populates non-null values. The field is optional so existing engine emit sites
|
|
8
|
+
// compile unchanged.
|
|
9
|
+
// ENGINE-04: Finding carries fingerprint, file path, line:col, severity, provider,
|
|
10
|
+
// three-state state field, and redacted snippet.
|
|
11
|
+
export {};
|
|
12
|
+
//# sourceMappingURL=finding.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"finding.js","sourceRoot":"","sources":["../../src/types/finding.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,qDAAqD;AACrD,0DAA0D;AAC1D,oDAAoD;AACpD,qFAAqF;AACrF,wFAAwF;AACxF,uFAAuF;AACvF,2BAA2B;AAC3B,mFAAmF;AACnF,4DAA4D"}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
import type { FindingId, SourceLocation, Verdict } from "./finding.ts";
|
|
2
|
+
export type Framework = "express" | "hono" | "fastify" | "nextjs" | "flask" | "fastapi" | "django";
|
|
3
|
+
export type WebhookEvidenceKind = "path_pattern_match" | "signature_header_read" | "sdk_import" | "sdk_verify_call" | "body_as_bytes_or_buffer" | "secret_env_var_reference" | "secret_literal_match";
|
|
4
|
+
export interface WebhookEvidence {
|
|
5
|
+
readonly kind: WebhookEvidenceKind;
|
|
6
|
+
readonly provider: string;
|
|
7
|
+
readonly location: SourceLocation;
|
|
8
|
+
readonly detail: string;
|
|
9
|
+
}
|
|
10
|
+
export interface ResolvedMiddleware {
|
|
11
|
+
readonly name: string;
|
|
12
|
+
readonly import_source: string | null;
|
|
13
|
+
readonly position: number;
|
|
14
|
+
readonly location: SourceLocation;
|
|
15
|
+
}
|
|
16
|
+
export interface ReachableSymbol {
|
|
17
|
+
readonly qualified_name: string;
|
|
18
|
+
readonly import_source: string | null;
|
|
19
|
+
readonly hops: number;
|
|
20
|
+
readonly via: string;
|
|
21
|
+
}
|
|
22
|
+
export interface WebhookHandler {
|
|
23
|
+
readonly id: string;
|
|
24
|
+
readonly framework: Framework;
|
|
25
|
+
readonly framework_version: string | null;
|
|
26
|
+
readonly route_pattern: string;
|
|
27
|
+
readonly http_methods: ReadonlyArray<string>;
|
|
28
|
+
readonly file_path: string;
|
|
29
|
+
readonly location: SourceLocation;
|
|
30
|
+
readonly handler_function_name: string | null;
|
|
31
|
+
readonly provider: string;
|
|
32
|
+
readonly verification_state: Verdict;
|
|
33
|
+
readonly evidence: ReadonlyArray<WebhookEvidence>;
|
|
34
|
+
readonly middleware_chain: ReadonlyArray<ResolvedMiddleware>;
|
|
35
|
+
readonly reachable_symbols: ReadonlyArray<ReachableSymbol>;
|
|
36
|
+
readonly findings_ref: ReadonlyArray<FindingId>;
|
|
37
|
+
readonly redacted_snippet: string;
|
|
38
|
+
}
|
|
39
|
+
//# sourceMappingURL=handler.d.ts.map
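Review bot: `WebhookEvidence.detail` is a free-form string on a record whose `kind` can be `secret_literal_match` or `secret_env_var_reference`, and the declaration does not say whether the matched literal may appear in it. The comments in handler.js promise structural redaction only for `redacted_snippet`, and they describe the handler shape as feeding the CLI inventory and a SaaS dashboard. What the engine actually writes into `detail` is not visible here, so the contract should at least be documented on the field, for example `/** Human-readable description; must never contain literal values from source, only names and placeholders. */`.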
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../src/types/handler.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvE,MAAM,MAAM,SAAS,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,CAAC;AAGnG,MAAM,MAAM,mBAAmB,GAC3B,oBAAoB,GACpB,uBAAuB,GACvB,YAAY,GACZ,iBAAiB,GACjB,yBAAyB,GACzB,0BAA0B,GAC1B,sBAAsB,CAAC;AAE3B,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,EAAE,mBAAmB,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;CACnC;AAGD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAGD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC7C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,qBAAqB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;IACrC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IAC7D,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC3D,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAChD,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;CACnC"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
// D-32: WebhookEvidence multi-signal model — engine computes, rules query thresholds.
|
|
2
|
+
// D-34: ReachableSymbol bounded-depth reachability set per WebhookHandler.
|
|
3
|
+
// D-36: WebhookHandler shape — every field used by Phase 3 CLI inventory + Phase 8 SaaS dashboard.
|
|
4
|
+
// D-37: WebhookHandler.id derivation locked.
|
|
5
|
+
// D-39: redacted_snippet is structurally redacted.
|
|
6
|
+
export {};
|
|
7
|
+
//# sourceMappingURL=handler.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../src/types/handler.ts"],"names":[],"mappings":"AAAA,sFAAsF;AACtF,2EAA2E;AAC3E,mGAAmG;AACnG,6CAA6C;AAC7C,mDAAmD"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
export type { Config } from "./config.ts";
|
|
2
|
+
export type { Finding, FindingId, Severity, SourceLocation, SuppressedPayload, SuppressionSource, Verdict, } from "./finding.ts";
|
|
3
|
+
export type { Framework, ReachableSymbol, ResolvedMiddleware, WebhookEvidence, WebhookEvidenceKind, WebhookHandler, } from "./handler.ts";
|
|
4
|
+
export type { ImportEdge, MiddlewareRegistration, ParsedFile, ParseErrorRecord, ProjectModel, } from "./project-model.ts";
|
|
5
|
+
export type { DeclarativeMatcher, MatcherName, PathSeverityOverride, ProviderCatalog, ProviderCatalogEntry, RuleDefinition, RulePredicate, RuleSet, } from "./rule-set.ts";
|
|
6
|
+
export type { ScanMetadata, ScanResult } from "./scan-result.ts";
|
|
7
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAGA,YAAY,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,YAAY,EACV,OAAO,EACP,SAAS,EACT,QAAQ,EACR,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,OAAO,GACR,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,SAAS,EACT,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,mBAAmB,EACnB,cAAc,GACf,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,UAAU,EACV,sBAAsB,EACtB,UAAU,EACV,gBAAgB,EAChB,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,kBAAkB,EAClB,WAAW,EACX,oBAAoB,EACpB,eAAe,EACf,oBAAoB,EACpB,cAAc,EACd,aAAa,EACb,OAAO,GACR,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,sFAAsF;AACtF,mFAAmF"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import type { WebhookHandler } from "./handler.ts";
|
|
2
|
+
export interface ParsedFile {
|
|
3
|
+
readonly file_path: string;
|
|
4
|
+
readonly language: "javascript" | "typescript" | "python";
|
|
5
|
+
readonly dialect: "babel" | "tree-sitter-python";
|
|
6
|
+
readonly source_text: string;
|
|
7
|
+
readonly raw_ast: unknown;
|
|
8
|
+
readonly imports: ReadonlyArray<ImportEdge>;
|
|
9
|
+
readonly parse_error: ParseErrorRecord | null;
|
|
10
|
+
}
|
|
11
|
+
export interface ParseErrorRecord {
|
|
12
|
+
readonly message: string;
|
|
13
|
+
readonly location: {
|
|
14
|
+
readonly line: number;
|
|
15
|
+
readonly col: number;
|
|
16
|
+
};
|
|
17
|
+
readonly source: "babel" | "tree-sitter";
|
|
18
|
+
}
|
|
19
|
+
export interface ImportEdge {
|
|
20
|
+
readonly from_file: string;
|
|
21
|
+
readonly to_module: string;
|
|
22
|
+
readonly imported_names: ReadonlyArray<{
|
|
23
|
+
readonly local: string;
|
|
24
|
+
readonly source: string;
|
|
25
|
+
}>;
|
|
26
|
+
readonly is_default: boolean;
|
|
27
|
+
}
|
|
28
|
+
export interface MiddlewareRegistration {
|
|
29
|
+
readonly file_path: string;
|
|
30
|
+
readonly framework: WebhookHandler["framework"];
|
|
31
|
+
readonly app_symbol: string;
|
|
32
|
+
readonly call_site_position: number;
|
|
33
|
+
readonly middleware_name: string;
|
|
34
|
+
readonly import_source: string | null;
|
|
35
|
+
}
|
|
36
|
+
export interface ProjectModel {
|
|
37
|
+
readonly parsed_files: ReadonlyArray<ParsedFile>;
|
|
38
|
+
readonly handlers: ReadonlyArray<WebhookHandler>;
|
|
39
|
+
readonly middleware_registrations: ReadonlyArray<MiddlewareRegistration>;
|
|
40
|
+
readonly import_graph: ReadonlyArray<ImportEdge>;
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=project-model.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"project-model.d.ts","sourceRoot":"","sources":["../../src/types/project-model.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAInD,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC;IAC1D,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,oBAAoB,CAAC;IACjD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IAC5C,QAAQ,CAAC,WAAW,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC/C;AAGD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE;QAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACnE,QAAQ,CAAC,MAAM,EAAE,OAAO,GAAG,aAAa,CAAC;CAC1C;AAGD,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC;QAAE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5F,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;CAC9B;AAGD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC,WAAW,CAAC,CAAC;IAChD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CACvC;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IACjD,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IACjD,QAAQ,CAAC,wBAAwB,EAAE,aAAa,CAAC,sBAAsB,CAAC,CAAC;IACzE,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;CAClD"}
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
// D-25: Hybrid normalization layer — ParsedFile retains raw AST plus normalized concepts.
|
|
2
|
+
// D-26: Normalized layer = WebhookHandler + MiddlewareChain + ImportEdge ONLY in v1.
|
|
3
|
+
// D-27: Parse errors are all-or-nothing — one parse-error Finding per failed file.
|
|
4
|
+
export {};
|
|
5
|
+
//# sourceMappingURL=project-model.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"project-model.js","sourceRoot":"","sources":["../../src/types/project-model.ts"],"names":[],"mappings":"AAAA,0FAA0F;AAC1F,qFAAqF;AACrF,mFAAmF"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import type { Severity, Verdict } from "./finding.ts";
|
|
2
|
+
import type { WebhookHandler } from "./handler.ts";
|
|
3
|
+
import type { ProjectModel } from "./project-model.ts";
|
|
4
|
+
export interface ProviderCatalogEntry {
|
|
5
|
+
readonly signature_header: ReadonlyArray<string>;
|
|
6
|
+
readonly sdk_packages: ReadonlyArray<string>;
|
|
7
|
+
readonly sdk_verify_calls: ReadonlyArray<string>;
|
|
8
|
+
readonly secret_env_prefix: ReadonlyArray<string>;
|
|
9
|
+
readonly secret_literal_prefix: ReadonlyArray<string>;
|
|
10
|
+
readonly conventional_paths: ReadonlyArray<string>;
|
|
11
|
+
}
|
|
12
|
+
export type ProviderCatalog = Readonly<Record<string, ProviderCatalogEntry>>;
|
|
13
|
+
export type MatcherName = "importMissing" | "callMatches" | "argumentEquals" | "middlewareOrder" | "secretLiteralPrefix" | "signatureHeaderRead";
|
|
14
|
+
export interface DeclarativeMatcher {
|
|
15
|
+
readonly name: MatcherName;
|
|
16
|
+
readonly args: Readonly<Record<string, string | number | boolean | ReadonlyArray<string>>>;
|
|
17
|
+
}
|
|
18
|
+
export type RulePredicate = (handler: WebhookHandler, model: ProjectModel) => Promise<Verdict | null>;
|
|
19
|
+
export interface PathSeverityOverride {
|
|
20
|
+
readonly patterns: ReadonlyArray<string>;
|
|
21
|
+
readonly severity: Severity;
|
|
22
|
+
}
|
|
23
|
+
export interface RuleDefinition {
|
|
24
|
+
readonly rule_id: string;
|
|
25
|
+
readonly provider: string;
|
|
26
|
+
readonly severity: Severity;
|
|
27
|
+
readonly emits_state: Verdict;
|
|
28
|
+
readonly message: string;
|
|
29
|
+
readonly matcher: DeclarativeMatcher | null;
|
|
30
|
+
readonly predicate_name: string | null;
|
|
31
|
+
readonly applies_to: ReadonlyArray<WebhookHandler["framework"]> | "all";
|
|
32
|
+
readonly provider_docs_url: string;
|
|
33
|
+
readonly path_severity_overrides: ReadonlyArray<PathSeverityOverride> | null;
|
|
34
|
+
}
|
|
35
|
+
export interface RuleSet {
|
|
36
|
+
readonly schema_version: number;
|
|
37
|
+
readonly rule_pack_version: string;
|
|
38
|
+
readonly providers: ProviderCatalog;
|
|
39
|
+
readonly rules: ReadonlyArray<RuleDefinition>;
|
|
40
|
+
readonly predicates: Readonly<Record<string, RulePredicate>>;
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=rule-set.d.ts.map
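Review bot: `RuleSet.predicates` carries executable functions, yet nothing in this declaration says who is responsible for checking where they came from. The comments in rule-set.js call them a "signed TS predicate escape hatch" and say the caller pre-parses the RuleSet, so signature verification presumably happens before the engine receives it, but the type gives a consumer no way to know that. A doc comment on the field would make the trust boundary explicit, for example `/** Functions run as supplied; the caller must verify the rule pack's signature before building this RuleSet. */`.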
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rule-set.d.ts","sourceRoot":"","sources":["../../src/types/rule-set.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGvD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACjD,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC7C,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACjD,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAClD,QAAQ,CAAC,qBAAqB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtD,QAAQ,CAAC,kBAAkB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACpD;AAED,MAAM,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAAC;AAG7E,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,iBAAiB,GACjB,qBAAqB,GACrB,qBAAqB,CAAC;AAE1B,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;CAC5F;AAGD,MAAM,MAAM,aAAa,GAAG,CAC1B,OAAO,EAAE,cAAc,EACvB,KAAK,EAAE,YAAY,KAChB,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAI7B,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;CAC7B;AAGD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAC5C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,GAAG,KAAK,CAAC;IAGxE,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IAEnC,QAAQ,CAAC,uBAAuB,EAAE,aAAa,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC;CAC9E;AAED,MAAM,WAAW,OAAO;IACtB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAC9C,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;CAC9D"}
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
// D-03: RuleSet is pre-parsed by the caller; engine never reads YAML.
|
|
2
|
+
// D-28: Declarative matchers + signed TS predicate escape hatch.
|
|
3
|
+
// D-29: Rule emits state directly.
|
|
4
|
+
// D-33: ProviderCatalog ships in @hookwarden/rules; consumed via RuleSet.
|
|
5
|
+
export {};
|
|
6
|
+
//# sourceMappingURL=rule-set.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rule-set.js","sourceRoot":"","sources":["../../src/types/rule-set.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,iEAAiE;AACjE,mCAAmC;AACnC,0EAA0E"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import type { Finding } from "./finding.ts";
|
|
2
|
+
import type { WebhookHandler } from "./handler.ts";
|
|
3
|
+
export interface ScanMetadata {
|
|
4
|
+
readonly engine_version: string;
|
|
5
|
+
readonly engine_commit_sha: string | null;
|
|
6
|
+
readonly rule_pack_version: string;
|
|
7
|
+
readonly rule_pack_content_hash: string;
|
|
8
|
+
readonly scanned_at: string;
|
|
9
|
+
readonly parse_errors_count: number;
|
|
10
|
+
readonly parsed_files_count: number;
|
|
11
|
+
readonly total_files_count: number;
|
|
12
|
+
readonly parse_candidates_count: number;
|
|
13
|
+
}
|
|
14
|
+
export interface ScanResult {
|
|
15
|
+
readonly findings: ReadonlyArray<Finding>;
|
|
16
|
+
readonly inventory: ReadonlyArray<WebhookHandler>;
|
|
17
|
+
readonly metadata: ScanMetadata;
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=scan-result.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan-result.d.ts","sourceRoot":"","sources":["../../src/types/scan-result.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;CACzC;AAGD,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;IAC1C,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAClD,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;CACjC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
// D-35: ScanResult bundle shape — atomic snapshot of findings + inventory + metadata.
|
|
2
|
+
// D-38: ScanMetadata fields — every field surfaced through CLI/SaaS for ENGINE-08.
|
|
3
|
+
// D-64: parse_candidates_count is the extension-allowlisted denominator for the CLI-side parse-coverage gate.
|
|
4
|
+
// Population happens in Plan 09 (packages/cli/src/pipeline.ts) by overriding ScanResult.metadata
|
|
5
|
+
// after engine.evaluate(...) returns. This preserves engine purity (D-01): the engine never
|
|
6
|
+
// imports from packages/cli/, never reads the walker's allowlist, never knows the candidate count.
|
|
7
|
+
export {};
|
|
8
|
+
//# sourceMappingURL=scan-result.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan-result.js","sourceRoot":"","sources":["../../src/types/scan-result.ts"],"names":[],"mappings":"AAAA,sFAAsF;AACtF,mFAAmF;AACnF,8GAA8G;AAC9G,uGAAuG;AACvG,kGAAkG;AAClG,yGAAyG"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,cAAc,UAAU,CAAC"}
|
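--- a/package/dist/version.js
+++ b/package/dist/version.js
@@ -0,0 +1,5 @@
+// Single source of truth for engine version. Changesets keeps this in lockstep with
+// package.json (D-05). Update both fields at the same commit. Plan 02-09 adds a CI gate
+// that asserts they match.
+export const ENGINE_VERSION = "0.0.1";
+//# sourceMappingURL=version.js.map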
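Review bot: `ENGINE_VERSION` is `"0.0.1"` in a file that ships in the 0.1.1 package, although the comment directly above says the constant stays in lockstep with package.json. `ScanMetadata.engine_version` presumably takes its value from this constant, so scan results would name the wrong engine build and make it harder to tell which release produced a given finding. The line should read `export const ENGINE_VERSION = "0.1.1";`, and the CI gate the comment mentions would catch the next drift.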
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"version.js","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,wFAAwF;AACxF,2BAA2B;AAC3B,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC"}
|
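--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@hookwarden/engine",
-"version": "0.
+"version": "0.1.1",
 "description": "hookwarden audit engine — browser-safe, pure-functional. Performs zero I/O.",
 "license": "Apache-2.0",
 "type": "module",
@@ -18,13 +18,27 @@
 "LICENSE"
 ],
 "publishConfig": {
-"access": "public"
-
+"access": "public"
+},
+"repository": {
+"type": "git",
+"url": "https://github.com/Hookwarden/hookwarden.git",
+"directory": "packages/engine"
 },
-"repository": "github:hookwarden/hookwarden",
 "engines": {
 "node": ">=22.0.0"
 },
+"dependencies": {
+"@babel/parser": "^7.29.3",
+"picomatch": "^4.0.4",
+"web-tree-sitter": "^0.26.8"
+},
+"devDependencies": {
+"@babel/types": "^7.29.0",
+"@types/picomatch": "^4.0.3",
+"fast-check": "^3.23.0",
+"tree-sitter-python": "^0.25.0"
+},
 "scripts": {
 "test": "vitest run"
 }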