@nahisaho/musubix-security 1.8.0

package/README.md

@@ -0,0 +1,105 @@
+# @nahisaho/musubix-security
+
+MUSUBIX Security Package - セキュリティ分析と脆弱性検出
+
+## 概要
+
+MUSUBIXシステムにセキュリティ特化機能を提供するパッケージです。
+
+### 主な機能
+
+- **脆弱性スキャン**: OWASP Top 10、CWE Top 25対応
+- **テイント分析**: データフロー追跡による汚染検出
+- **自動修正**: LLM（VS Code LM API）+ Z3形式検証による安全な修正
+- **シークレット検出**: APIキー、トークン、パスワードの検出
+- **依存関係監査**: npm依存関係の脆弱性チェック
+
+## インストール
+
+```bash
+npm install @nahisaho/musubix-security
+```
+
+## 使用方法
+
+### CLI
+
+```bash
+# 脆弱性スキャン
+npx musubix-security scan ./src
+
+# 自動修正
+npx musubix-security fix VULN-2026-001
+
+# 依存関係監査
+npx musubix-security audit-deps
+
+# シークレット検出
+npx musubix-security detect-secrets ./src
+
+# コンプライアンスチェック
+npx musubix-security compliance --standard asvs
+```
+
+### Library API
+
+```typescript
+import { 
+  VulnerabilityScanner, 
+  TaintAnalyzer,
+  FixPipeline,
+  SecretsDetector,
+  DependencyAuditor
+} from '@nahisaho/musubix-security';
+
+// 脆弱性スキャン
+const scanner = new VulnerabilityScanner();
+const result = await scanner.scan(['./src/**/*.ts']);
+
+// テイント分析
+const taintAnalyzer = new TaintAnalyzer();
+const taintResult = await taintAnalyzer.analyze(code, 'file.ts');
+
+// 自動修正
+const fixPipeline = new FixPipeline();
+const fixes = await fixPipeline.generateFix(vulnerability);
+const verified = await fixPipeline.verifyFix(fixes[0]);
+```
+
+## 設定
+
+プロジェクトルートに `.musubix-security.yaml` を作成:
+
+```yaml
+version: "1.0"
+
+scan:
+  rulesets:
+    - owasp-top-10
+    - cwe-top-25
+  severity:
+    - critical
+    - high
+  exclude:
+    - "**/node_modules/**"
+    - "**/*.test.ts"
+
+fix:
+  llm:
+    enabled: true
+    model: "copilot"
+  autoApply: false
+
+secrets:
+  entropyThreshold: 4.5
+```
+
+## トレーサビリティ
+
+- **要件定義**: REQ-SEC-001
+- **設計書**: DES-SEC-001
+- **テスト**: TST-SEC-*
+
+## ライセンス
+
+MIT

package/bin/musubix-security-mcp.js

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * @fileoverview MUSUBIX Security MCP Server entry point
+ * @module @nahisaho/musubix-security/bin/mcp
+ */
+
+import { runMCPServer } from '../dist/mcp/index.js';
+
+runMCPServer().catch((error) => {
+  console.error('Fatal error:', error.message);
+  process.exit(1);
+});

package/bin/musubix-security.js

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * @fileoverview MUSUBIX Security CLI entry point
+ * @module @nahisaho/musubix-security/bin
+ */
+
+import { runCLI } from '../dist/cli/index.js';
+
+runCLI().catch((error) => {
+  console.error('Fatal error:', error.message);
+  process.exit(1);
+});

package/dist/analysis/dependency-auditor.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @fileoverview Dependency auditor - check for vulnerable dependencies
+ * @module @nahisaho/musubix-security/analysis/dependency-auditor
+ * @trace REQ-SEC-DEP-001, REQ-SEC-DEP-002, REQ-SEC-DEP-003
+ */
+import type { AuditResult, AuditOptions, SBOM, SBOMOptions } from '../types/index.js';
+/**
+ * Dependency auditor
+ */
+export declare class DependencyAuditor {
+    private options;
+    constructor(options?: AuditOptions);
+    /**
+     * Generate upgrade suggestions
+     */
+    private generateUpgradeSuggestions;
+    /**
+     * Audit dependencies in a project
+     */
+    audit(projectPath: string): Promise<AuditResult>;
+    /**
+     * Generate SBOM for a project
+     */
+    generateSBOM(projectPath: string, options?: SBOMOptions): Promise<SBOM>;
+}
+/**
+ * Create a dependency auditor
+ */
+export declare function createDependencyAuditor(options?: AuditOptions): DependencyAuditor;
+//# sourceMappingURL=dependency-auditor.d.ts.map

package/dist/analysis/dependency-auditor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-auditor.d.ts","sourceRoot":"","sources":["../../src/analysis/dependency-auditor.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EAIZ,IAAI,EAEJ,WAAW,EAGZ,MAAM,mBAAmB,CAAC;AA+K3B;;GAEG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,OAAO,CAAe;gBAElB,OAAO,GAAE,YAAiB;IAItC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA0ClC;;OAEG;IACG,KAAK,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAqFtD;;OAEG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;CAgE9E;AAwBD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,CAAC,EAAE,YAAY,GAAG,iBAAiB,CAEjF"}

package/dist/analysis/dependency-auditor.js

@@ -0,0 +1,325 @@
+/**
+ * @fileoverview Dependency auditor - check for vulnerable dependencies
+ * @module @nahisaho/musubix-security/analysis/dependency-auditor
+ * @trace REQ-SEC-DEP-001, REQ-SEC-DEP-002, REQ-SEC-DEP-003
+ */
+import { exec } from 'node:child_process';
+import { readFile, access, constants } from 'node:fs/promises';
+import { join } from 'node:path';
+import { promisify } from 'node:util';
+const execAsync = promisify(exec);
+/**
+ * Detect package manager from project
+ */
+async function detectPackageManager(projectPath) {
+    // Check for lock files
+    const checks = [
+        { file: 'pnpm-lock.yaml', manager: 'pnpm' },
+        { file: 'yarn.lock', manager: 'yarn' },
+        { file: 'package-lock.json', manager: 'npm' },
+    ];
+    for (const { file, manager } of checks) {
+        try {
+            await access(join(projectPath, file), constants.R_OK);
+            return manager;
+        }
+        catch {
+            // File doesn't exist, continue checking
+        }
+    }
+    return 'npm'; // Default to npm
+}
+/**
+ * Convert npm severity to our severity
+ */
+function convertSeverity(npmSeverity) {
+    switch (npmSeverity.toLowerCase()) {
+        case 'critical':
+            return 'critical';
+        case 'high':
+            return 'high';
+        case 'moderate':
+        case 'medium':
+            return 'medium';
+        case 'low':
+            return 'low';
+        default:
+            return 'medium';
+    }
+}
+/**
+ * Parse npm audit output to our format
+ */
+function parseNpmAuditOutput(output) {
+    const vulnerabilities = [];
+    const metadata = {
+        total: output.metadata?.dependencies?.total ?? 0,
+        direct: output.metadata?.dependencies?.prod ?? 0,
+        transitive: 0,
+        critical: output.metadata?.vulnerabilities?.critical ?? 0,
+        high: output.metadata?.vulnerabilities?.high ?? 0,
+        moderate: output.metadata?.vulnerabilities?.moderate ?? 0,
+        low: output.metadata?.vulnerabilities?.low ?? 0,
+    };
+    if (!output.vulnerabilities) {
+        return { vulnerabilities, metadata };
+    }
+    for (const [name, vuln] of Object.entries(output.vulnerabilities)) {
+        const depVulns = [];
+        for (const via of vuln.via) {
+            if (typeof via === 'object') {
+                depVulns.push({
+                    id: String(via.source),
+                    cve: undefined, // npm audit doesn't always provide CVE
+                    cwes: via.cwe || [],
+                    severity: convertSeverity(via.severity),
+                    title: via.title,
+                    description: via.title,
+                    affectedVersions: via.range,
+                    source: 'npm-audit',
+                    url: via.url,
+                });
+            }
+        }
+        // Determine dependency type
+        let type = 'production';
+        // Note: npm audit doesn't directly tell us the type, we'd need to cross-reference with package.json
+        // Check fix availability
+        let fixAvailable = false;
+        let patchedVersion;
+        if (typeof vuln.fixAvailable === 'object') {
+            fixAvailable = true;
+            patchedVersion = vuln.fixAvailable.version;
+        }
+        else if (vuln.fixAvailable === true) {
+            fixAvailable = true;
+        }
+        // Update patched version in vulnerabilities
+        if (patchedVersion && depVulns.length > 0) {
+            depVulns[0].patchedVersion = patchedVersion;
+        }
+        vulnerabilities.push({
+            name,
+            installedVersion: vuln.range,
+            type,
+            isDirect: vuln.isDirect,
+            dependencyPath: vuln.effects,
+            vulnerabilities: depVulns,
+            highestSeverity: convertSeverity(vuln.severity),
+            fixAvailable,
+        });
+    }
+    metadata.transitive = metadata.total - metadata.direct;
+    return { vulnerabilities, metadata };
+}
+/**
+ * Dependency auditor
+ */
+export class DependencyAuditor {
+    options;
+    constructor(options = {}) {
+        this.options = options;
+    }
+    /**
+     * Generate upgrade suggestions
+     */
+    generateUpgradeSuggestions(vulnerabilities) {
+        const suggestions = [];
+        for (const vuln of vulnerabilities) {
+            if (!vuln.fixAvailable)
+                continue;
+            const fixedVulns = vuln.vulnerabilities
+                .filter((v) => v.patchedVersion)
+                .map((v) => v.id);
+            if (fixedVulns.length === 0)
+                continue;
+            const patchedVersion = vuln.vulnerabilities[0]?.patchedVersion;
+            if (!patchedVersion)
+                continue;
+            // Determine upgrade type
+            const currentParts = vuln.installedVersion.replace(/[\^~>=<]/g, '').split('.');
+            const targetParts = patchedVersion.split('.');
+            let upgradeType = 'patch';
+            if (currentParts[0] !== targetParts[0]) {
+                upgradeType = 'major';
+            }
+            else if (currentParts[1] !== targetParts[1]) {
+                upgradeType = 'minor';
+            }
+            suggestions.push({
+                packageName: vuln.name,
+                currentVersion: vuln.installedVersion,
+                suggestedVersion: patchedVersion,
+                upgradeType,
+                breaking: upgradeType === 'major',
+                fixesVulnerabilities: fixedVulns,
+                confidence: upgradeType === 'major' ? 0.6 : upgradeType === 'minor' ? 0.8 : 0.95,
+            });
+        }
+        return suggestions;
+    }
+    /**
+     * Audit dependencies in a project
+     */
+    async audit(projectPath) {
+        const startTime = Date.now();
+        // Detect package manager
+        const packageManager = await detectPackageManager(projectPath);
+        // Read lock file path
+        const lockFiles = {
+            npm: 'package-lock.json',
+            yarn: 'yarn.lock',
+            pnpm: 'pnpm-lock.yaml',
+        };
+        const lockFilePath = join(projectPath, lockFiles[packageManager]);
+        // Run audit
+        let auditOutput;
+        try {
+            // For now, we only support npm audit
+            // TODO: Add yarn and pnpm support
+            auditOutput = await runNpmAudit(projectPath);
+        }
+        catch (error) {
+            console.warn(`Warning: Failed to run audit: ${error}`);
+            auditOutput = { vulnerabilities: {}, metadata: undefined };
+        }
+        const { vulnerabilities, metadata } = parseNpmAuditOutput(auditOutput);
+        // Apply filters
+        let filteredVulns = vulnerabilities;
+        // Filter by severity
+        if (this.options.minSeverity) {
+            const severityOrder = ['low', 'medium', 'high', 'critical'];
+            const minIndex = severityOrder.indexOf(this.options.minSeverity);
+            filteredVulns = filteredVulns.filter((v) => {
+                const vulnIndex = severityOrder.indexOf(v.highestSeverity);
+                return vulnIndex >= minIndex;
+            });
+        }
+        // Filter ignored vulnerabilities
+        if (this.options.ignoreVulnerabilities) {
+            filteredVulns = filteredVulns.filter((v) => {
+                return !v.vulnerabilities.some((vuln) => this.options.ignoreVulnerabilities.includes(vuln.id));
+            });
+        }
+        // Filter ignored packages
+        if (this.options.ignorePackages) {
+            filteredVulns = filteredVulns.filter((v) => !this.options.ignorePackages.includes(v.name));
+        }
+        // Generate upgrade suggestions
+        const upgradeSuggestions = this.options.suggestUpgrades
+            ? this.generateUpgradeSuggestions(filteredVulns)
+            : [];
+        const duration = Date.now() - startTime;
+        return {
+            vulnerableDependencies: filteredVulns,
+            upgradeSuggestions,
+            totalDependencies: metadata.total,
+            directDependencies: metadata.direct,
+            transitiveDependencies: metadata.transitive,
+            duration,
+            timestamp: new Date(),
+            packageManager,
+            lockFilePath,
+            summary: {
+                critical: filteredVulns.filter((v) => v.highestSeverity === 'critical').length,
+                high: filteredVulns.filter((v) => v.highestSeverity === 'high').length,
+                medium: filteredVulns.filter((v) => v.highestSeverity === 'medium').length,
+                low: filteredVulns.filter((v) => v.highestSeverity === 'low').length,
+                total: filteredVulns.length,
+                fixable: filteredVulns.filter((v) => v.fixAvailable).length,
+                breaking: upgradeSuggestions.filter((s) => s.breaking).length,
+            },
+        };
+    }
+    /**
+     * Generate SBOM for a project
+     */
+    async generateSBOM(projectPath, options) {
+        const format = options?.format ?? 'cyclonedx';
+        // Read package.json
+        const packageJsonPath = join(projectPath, 'package.json');
+        const packageJson = JSON.parse(await readFile(packageJsonPath, 'utf-8'));
+        // Get audit results for vulnerability info
+        const auditResult = options?.includeVulnerabilities
+            ? await this.audit(projectPath)
+            : null;
+        const components = [];
+        // Add direct dependencies
+        const addDeps = (deps, type) => {
+            if (!deps)
+                return;
+            for (const [name, version] of Object.entries(deps)) {
+                const cleanVersion = version.replace(/[\^~>=<]/g, '');
+                const vuln = auditResult?.vulnerableDependencies.find((v) => v.name === name);
+                components.push({
+                    name,
+                    version: cleanVersion,
+                    type,
+                    isDirect: true,
+                    purl: `pkg:npm/${name}@${cleanVersion}`,
+                    vulnerabilityCount: vuln?.vulnerabilities.length ?? 0,
+                    highestSeverity: vuln?.highestSeverity,
+                });
+            }
+        };
+        addDeps(packageJson.dependencies, 'production');
+        if (options?.includeDevDependencies) {
+            addDeps(packageJson.devDependencies, 'development');
+        }
+        // Get unique licenses
+        const licenses = new Set();
+        for (const comp of components) {
+            if (comp.license)
+                licenses.add(comp.license);
+        }
+        return {
+            formatVersion: '1.4',
+            spec: format,
+            projectName: packageJson.name || 'unknown',
+            projectVersion: packageJson.version || '0.0.0',
+            generatedAt: new Date(),
+            generator: {
+                name: '@nahisaho/musubix-security',
+                version: '1.8.0',
+            },
+            components,
+            summary: {
+                totalComponents: components.length,
+                directDependencies: components.filter((c) => c.isDirect).length,
+                transitiveDependencies: components.filter((c) => !c.isDirect).length,
+                uniqueLicenses: Array.from(licenses),
+                vulnerableComponents: components.filter((c) => c.vulnerabilityCount > 0).length,
+            },
+        };
+    }
+}
+/**
+ * Helper function to run npm audit
+ */
+async function runNpmAudit(projectPath) {
+    try {
+        const { stdout } = await execAsync('npm audit --json', {
+            cwd: projectPath,
+            maxBuffer: 10 * 1024 * 1024,
+        });
+        return JSON.parse(stdout);
+    }
+    catch (error) {
+        if (error.stdout) {
+            try {
+                return JSON.parse(error.stdout);
+            }
+            catch {
+                throw new Error(`Failed to parse npm audit output`);
+            }
+        }
+        throw error;
+    }
+}
+/**
+ * Create a dependency auditor
+ */
+export function createDependencyAuditor(options) {
+    return new DependencyAuditor(options);
+}
+//# sourceMappingURL=dependency-auditor.js.map

package/dist/analysis/dependency-auditor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-auditor.js","sourceRoot":"","sources":["../../src/analysis/dependency-auditor.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AActC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAElC;;GAEG;AACH,KAAK,UAAU,oBAAoB,CACjC,WAAmB;IAEnB,uBAAuB;IACvB,MAAM,MAAM,GAAG;QACb,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAe,EAAE;QACpD,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,MAAe,EAAE;QAC/C,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,KAAc,EAAE;KACvD,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,MAAM,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;YACtD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,iBAAiB;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,WAAmB;IAC1C,QAAQ,WAAW,CAAC,WAAW,EAAE,EAAE,CAAC;QAClC,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,UAAU,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf;YACE,OAAO,QAAQ,CAAC;IACpB,CAAC;AACH,CAAC;AA4CD;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAsB;IAYjD,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,MAAM,QAAQ,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,KAAK,IAAI,CAAC;QAChD,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,IAAI,CAAC;QAChD,UAAU,EAAE,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,eAAe,EAAE,QAAQ,IAAI,CAAC;QACzD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,eAAe,EAAE,IAAI,IAAI,CAAC;QACjD,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,eAAe,EAAE,QAAQ,IAAI,CAAC;QACzD,GAAG,EAAE,MAAM,CAAC,QAAQ,EAAE,eAAe,EAAE,GAAG,IAAI,CAAC;KAChD,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;QAC5B,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC;IACvC,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAClE,MAAM,QAAQ,GAA8B,EAAE,CAAC;QAE/C,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YAC3B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC;oBACtB,GAAG,EAAE,SAAS,EAAE,uCAAuC;oBACvD,IAAI,EAAE,GAAG,CAAC,GAAG,IAAI,EAAE;oBACnB,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC;oBACvC,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,WAAW,EAAE,GAAG,CAAC,KAAK;oBACtB,gBAAgB,EAAE,GAAG,CAAC,KAAK;oBAC3B,MAAM,EAAE,WAAW;oBACnB,GAAG,EAAE,GAAG,CAAC,GAAG;iBACb,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,IAAI,IAAI,GAAmB,YAAY,CAAC;QACxC,oGAAoG;QAEpG,yBAAyB;QACzB,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,IAAI,cAAkC,CAAC;QACvC,IAAI,OAAO,IAAI,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YAC1C,YAAY,GAAG,IAAI,CAAC;YACpB,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC;QAC7C,CAAC;aAAM,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YACtC,YAAY,GAAG,IAAI,CAAC;QACtB,CAAC;QAED,4CAA4C;QAC5C,IAAI,cAAc,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,QAAQ,CAAC,CAAC,CAAC,CAAC,cAAc,GAAG,cAAc,CAAC;QAC9C,CAAC;QAED,eAAe,CAAC,IAAI,CAAC;YACnB,IAAI;YACJ,gBAAgB,EAAE,IAAI,CAAC,KAAK;YAC5B,IAAI;YACJ,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,cAAc,EAAE,IAAI,CAAC,OAAO;YAC5B,eAAe,EAAE,QAAQ;YACzB,eAAe,EAAE,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC/C,YAAY;SACb,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,UAAU,GAAG,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC;IAEvD,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACpB,OAAO,CAAe;IAE9B,YAAY,UAAwB,EAAE;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,0BAA0B,CAChC,eAAuC;QAEvC,MAAM,WAAW,GAAwB,EAAE,CAAC;QAE5C,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,SAAS;YAEjC,MAAM,UAAU,GAAG,IAAI,CAAC,eAAe;iBACpC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC;iBAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAEpB,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEtC,MAAM,cAAc,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC;YAC/D,IAAI,CAAC,cAAc;gBAAE,SAAS;YAE9B,yBAAyB;YACzB,MAAM,YAAY,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/E,MAAM,WAAW,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAE9C,IAAI,WAAW,GAAgC,OAAO,CAAC;YACvD,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,WAAW,GAAG,OAAO,CAAC;YACxB,CAAC;iBAAM,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9C,WAAW,GAAG,OAAO,CAAC;YACxB,CAAC;YAED,WAAW,CAAC,IAAI,CAAC;gBACf,WAAW,EAAE,IAAI,CAAC,IAAI;gBACtB,cAAc,EAAE,IAAI,CAAC,gBAAgB;gBACrC,gBAAgB,EAAE,cAAc;gBAChC,WAAW;gBACX,QAAQ,EAAE,WAAW,KAAK,OAAO;gBACjC,oBAAoB,EAAE,UAAU;gBAChC,UAAU,EAAE,WAAW,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI;aACjF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK,CAAC,WAAmB;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,yBAAyB;QACzB,MAAM,cAAc,GAAG,MAAM,oBAAoB,CAAC,WAAW,CAAC,CAAC;QAE/D,sBAAsB;QACtB,MAAM,SAAS,GAA2B;YACxC,GAAG,EAAE,mBAAmB;YACxB,IAAI,EAAE,WAAW;YACjB,IAAI,EAAE,gBAAgB;SACvB,CAAC;QACF,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC;QAElE,YAAY;QACZ,IAAI,WAA2B,CAAC;QAChC,IAAI,CAAC;YACH,qCAAqC;YACrC,kCAAkC;YAClC,WAAW,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,iCAAiC,KAAK,EAAE,CAAC,CAAC;YACvD,WAAW,GAAG,EAAE,eAAe,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;QAC7D,CAAC;QAED,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;QAEvE,gBAAgB;QAChB,IAAI,aAAa,GAAG,eAAe,CAAC;QAEpC,qBAAqB;QACrB,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC7B,MAAM,aAAa,GAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;YACxE,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACjE,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACzC,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC;gBAC3D,OAAO,SAAS,IAAI,QAAQ,CAAC;YAC/B,CAAC,CAAC,CAAC;QACL,CAAC;QAED,iCAAiC;QACjC,IAAI,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;YACvC,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACzC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CACtC,IAAI,CAAC,OAAO,CAAC,qBAAsB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CACtD,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;QAED,0BAA0B;QAC1B,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAChC,aAAa,GAAG,aAAa,CAAC,MAAM,CAClC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,cAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CACtD,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe;YACrD,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,aAAa,CAAC;YAChD,CAAC,CAAC,EAAE,CAAC;QAEP,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,OAAO;YACL,sBAAsB,EAAE,aAAa;YACrC,kBAAkB;YAClB,iBAAiB,EAAE,QAAQ,CAAC,KAAK;YACjC,kBAAkB,EAAE,QAAQ,CAAC,MAAM;YACnC,sBAAsB,EAAE,QAAQ,CAAC,UAAU;YAC3C,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,cAAc;YACd,YAAY;YACZ,OAAO,EAAE;gBACP,QAAQ,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,UAAU,CAAC,CAAC,MAAM;gBAC9E,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,MAAM,CAAC,CAAC,MAAM;gBACtE,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,QAAQ,CAAC,CAAC,MAAM;gBAC1E,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,KAAK,CAAC,CAAC,MAAM;gBACpE,KAAK,EAAE,aAAa,CAAC,MAAM;gBAC3B,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,MAAM;gBAC3D,QAAQ,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM;aAC9D;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,WAAmB,EAAE,OAAqB;QAC3D,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,WAAW,CAAC;QAE9C,oBAAoB;QACpB,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC;QAEzE,2CAA2C;QAC3C,MAAM,WAAW,GAAG,OAAO,EAAE,sBAAsB;YACjD,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC;QAET,MAAM,UAAU,GAAgB,EAAE,CAAC;QAEnC,0BAA0B;QAC1B,MAAM,OAAO,GAAG,CAAC,IAAwC,EAAE,IAAoB,EAAE,EAAE;YACjF,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;gBACtD,MAAM,IAAI,GAAG,WAAW,EAAE,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;gBAE9E,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI;oBACJ,OAAO,EAAE,YAAY;oBACrB,IAAI;oBACJ,QAAQ,EAAE,IAAI;oBACd,IAAI,EAAE,WAAW,IAAI,IAAI,YAAY,EAAE;oBACvC,kBAAkB,EAAE,IAAI,EAAE,eAAe,CAAC,MAAM,IAAI,CAAC;oBACrD,eAAe,EAAE,IAAI,EAAE,eAAe;iBACvC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC;QAEF,OAAO,CAAC,WAAW,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QAChD,IAAI,OAAO,EAAE,sBAAsB,EAAE,CAAC;YACpC,OAAO,CAAC,WAAW,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;QACtD,CAAC;QAED,sBAAsB;QACtB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QACnC,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,OAAO;gBAAE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO;YACL,aAAa,EAAE,KAAK;YACpB,IAAI,EAAE,MAAM;YACZ,WAAW,EAAE,WAAW,CAAC,IAAI,IAAI,SAAS;YAC1C,cAAc,EAAE,WAAW,CAAC,OAAO,IAAI,OAAO;YAC9C,WAAW,EAAE,IAAI,IAAI,EAAE;YACvB,SAAS,EAAE;gBACT,IAAI,EAAE,4BAA4B;gBAClC,OAAO,EAAE,OAAO;aACjB;YACD,UAAU;YACV,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,CAAC,MAAM;gBAClC,kBAAkB,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM;gBAC/D,sBAAsB,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM;gBACpE,cAAc,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;gBACpC,oBAAoB,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,kBAAkB,GAAG,CAAC,CAAC,CAAC,MAAM;aAChF;SACF,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,KAAK,UAAU,WAAW,CAAC,WAAmB;IAC5C,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE;YACrD,GAAG,EAAE,WAAW;YAChB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAsB;IAC5D,OAAO,IAAI,iBAAiB,CAAC,OAAO,CAAC,CAAC;AACxC,CAAC"}

package/dist/analysis/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview Analysis module entry point
+ * @module @nahisaho/musubix-security/analysis
+ */
+export { VulnerabilityScanner, createVulnerabilityScanner, resetVulnCounter, } from './vulnerability-scanner.js';
+export { TaintAnalyzer, createTaintAnalyzer, resetTaintCounters, } from './taint-analyzer.js';
+export { SecretDetector, createSecretDetector, resetSecretCounter, } from './secret-detector.js';
+export { DependencyAuditor, createDependencyAuditor, } from './dependency-auditor.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/analysis/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analysis/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,aAAa,EACb,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC"}

package/dist/analysis/index.js

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview Analysis module entry point
+ * @module @nahisaho/musubix-security/analysis
+ */
+export { VulnerabilityScanner, createVulnerabilityScanner, resetVulnCounter, } from './vulnerability-scanner.js';
+export { TaintAnalyzer, createTaintAnalyzer, resetTaintCounters, } from './taint-analyzer.js';
+export { SecretDetector, createSecretDetector, resetSecretCounter, } from './secret-detector.js';
+export { DependencyAuditor, createDependencyAuditor, } from './dependency-auditor.js';
+//# sourceMappingURL=index.js.map

package/dist/analysis/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analysis/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,oBAAoB,EACpB,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,aAAa,EACb,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC"}

package/dist/analysis/secret-detector.d.ts

@@ -0,0 +1,44 @@
+/**
+ * @fileoverview Secret detection engine
+ * @module @nahisaho/musubix-security/analysis/secret-detector
+ * @trace REQ-SEC-SECRET-001, REQ-SEC-SECRET-002
+ */
+import type { Secret, SecretPattern, SecretScanOptions, SecretScanResult } from '../types/index.js';
+/**
+ * Reset secret counter (for testing)
+ */
+export declare function resetSecretCounter(): void;
+/**
+ * Secret detector engine
+ */
+export declare class SecretDetector {
+    private patterns;
+    private fileScanner;
+    private options;
+    constructor(options?: SecretScanOptions);
+    /**
+     * Scan file content for secrets
+     */
+    scanContent(content: string, filePath: string): Secret[];
+    /**
+     * Scan a single file
+     */
+    scanFile(filePath: string): Promise<Secret[]>;
+    /**
+     * Scan a directory for secrets
+     */
+    scan(rootPath: string): Promise<SecretScanResult>;
+    /**
+     * Add a custom pattern
+     */
+    addPattern(pattern: SecretPattern): void;
+    /**
+     * Get all patterns
+     */
+    getPatterns(): SecretPattern[];
+}
+/**
+ * Create a secret detector
+ */
+export declare function createSecretDetector(options?: SecretScanOptions): SecretDetector;
+//# sourceMappingURL=secret-detector.d.ts.map

package/dist/analysis/secret-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-detector.d.ts","sourceRoot":"","sources":["../../src/analysis/secret-detector.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,MAAM,EAGN,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAGjB,MAAM,mBAAmB,CAAC;AAa3B;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AA0RD;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,OAAO,CAAoB;gBAEvB,OAAO,GAAE,iBAAsB;IAqB3C;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE;IAqExD;;OAEG;IACG,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKnD;;OAEG;IACG,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAsDvD;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,aAAa,GAAG,IAAI;IAIxC;;OAEG;IACH,WAAW,IAAI,aAAa,EAAE;CAG/B;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,cAAc,CAEhF"}