@nepopsx/cli 0.0.2 → 0.0.4

package/dist/scan/prompt/schema.js

@@ -0,0 +1,52 @@
+// @nepopsx/cli — Embed scan response JSON schema into prompts
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+// Cache the schema after first load
+let _schema = null;
+function loadSchema() {
+    if (_schema)
+        return _schema;
+    // Resolve candidates from workspace-local paths (monorepo) and installed package paths
+    const candidates = [
+        join(__dirname, '..', '..', '..', '..', '..', 'core', 'dist', 'schema', 'scan-response.schema.json'),
+        join(__dirname, '..', '..', '..', '..', '..', 'core', 'src', 'schema', 'scan-response.schema.json'),
+        join(__dirname, '..', '..', '..', 'node_modules', '@nepopsx', 'core', 'dist', 'schema', 'scan-response.schema.json'),
+    ];
+    for (const p of candidates) {
+        try {
+            _schema = JSON.parse(readFileSync(p, 'utf-8'));
+            return _schema;
+        }
+        catch {
+            // Try next candidate
+        }
+    }
+    throw new Error('Could not locate scan-response.schema.json. Run `pnpm build` in @nepopsx/core first.');
+}
+/** Full ScanResponse JSON schema */
+export function getScanResponseSchema() {
+    return loadSchema();
+}
+/** Per-service subset (ServiceScanResult) */
+export function getServiceScanSchema() {
+    const full = loadSchema();
+    const defs = full.$defs;
+    return {
+        $schema: 'http://json-schema.org/draft-07/schema#',
+        ...(defs?.['ServiceScanResult'] ?? {}),
+        $defs: defs,
+    };
+}
+/** Cross-service subset (CrossServiceScanResult) */
+export function getCrossServiceScanSchema() {
+    const full = loadSchema();
+    const defs = full.$defs;
+    return {
+        $schema: 'http://json-schema.org/draft-07/schema#',
+        ...(defs?.['CrossServiceScanResult'] ?? {}),
+        $defs: defs,
+    };
+}
+//# sourceMappingURL=schema.js.map

package/dist/scan/prompt/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../src/scan/prompt/schema.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,oCAAoC;AACpC,IAAI,OAAO,GAAmC,IAAI,CAAC;AAEnD,SAAS,UAAU;IACjB,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAE5B,uFAAuF;IACvF,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,2BAA2B,CAAC;QACpG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,2BAA2B,CAAC;QACnG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,2BAA2B,CAAC;KACrH,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAA4B,CAAC;YAC1E,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,sFAAsF,CAAC,CAAC;AAC1G,CAAC;AAED,oCAAoC;AACpC,MAAM,UAAU,qBAAqB;IACnC,OAAO,UAAU,EAAE,CAAC;AACtB,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,oBAAoB;IAClC,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,KAA4C,CAAC;IAC/D,OAAO;QACL,OAAO,EAAE,yCAAyC;QAClD,GAAG,CAAE,IAAI,EAAE,CAAC,mBAAmB,CAA6B,IAAI,EAAE,CAAC;QACnE,KAAK,EAAE,IAAI;KACZ,CAAC;AACJ,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,yBAAyB;IACvC,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,KAA4C,CAAC;IAC/D,OAAO;QACL,OAAO,EAAE,yCAAyC;QAClD,GAAG,CAAE,IAAI,EAAE,CAAC,wBAAwB,CAA6B,IAAI,EAAE,CAAC;QACxE,KAAK,EAAE,IAAI;KACZ,CAAC;AACJ,CAAC"}

package/dist/security/scanner.d.ts

@@ -1,43 +1,6 @@
 /**
- * Content scanner — detects prompt injection and manipulation patterns
- * in custom instructions, philosophy.custom[], and user-supplied text
- * before it gets injected into agent templates.
+ * Re-exports security scanner from @nepopsx/core.
+ * Kept for backwards-compat across CLI imports.
  */
-export interface ScanThreat {
-    pattern: string;
-    match: string;
-    source: string;
-    severity: 'critical' | 'high' | 'medium';
-}
-export interface ScanResult {
-    safe: boolean;
-    threats: ScanThreat[];
-}
-/**
- * Scan a piece of text for prompt injection patterns.
- */
-export declare function scanForInjection(content: string, source: string): ScanThreat[];
-/**
- * Scan text for accidentally embedded secrets.
- */
-export declare function scanForSecrets(content: string, source: string): ScanThreat[];
-/**
- * Scan custom instructions files for injection + secrets.
- */
-export declare function scanCustomInstructions(customs: Array<{
-    content: string;
-    source: string;
-}>): ScanResult;
-/**
- * Scan philosophy.custom[] entries for injection + secrets.
- */
-export declare function scanPhilosophyCustom(customEntries: string[]): ScanResult;
-/**
- * Scan all string values in the workspace config for secrets.
- */
-export declare function scanConfigForSecrets(config: Record<string, unknown>, path?: string): ScanThreat[];
-/**
- * Format threats for console output.
- */
-export declare function formatThreats(threats: ScanThreat[]): string;
+export { type ScanThreat, type ScanResult, scanForInjection, scanForSecrets, scanCustomInstructions, scanPhilosophyCustom, scanConfigForSecrets, formatThreats, } from "@nepopsx/core";
 //# sourceMappingURL=scanner.d.ts.map

package/dist/security/scanner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/security/scanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;CAC1C;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AAyDD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,EAAE,CAgB9E;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,EAAE,CAkB5E;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,KAAK,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,GAClD,UAAU,CASZ;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,EAAE,MAAM,EAAE,GACtB,UAAU,CAUZ;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,SAAW,GAAG,UAAU,EAAE,CAsBnG;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,CAkC3D"}
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/security/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EACL,KAAK,UAAU,EACf,KAAK,UAAU,EACf,gBAAgB,EAChB,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,EACpB,aAAa,GACd,MAAM,eAAe,CAAC"}

package/dist/security/scanner.js

@@ -1,172 +1,6 @@
 /**
- * Content scanner — detects prompt injection and manipulation patterns
- * in custom instructions, philosophy.custom[], and user-supplied text
- * before it gets injected into agent templates.
+ * Re-exports security scanner from @nepopsx/core.
+ * Kept for backwards-compat across CLI imports.
  */
-// ─── Prompt injection detection patterns ────────────────────
-const INJECTION_PATTERNS = [
-    // Direct instruction override attempts
-    { regex: /ignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions|rules|guidelines|directives)/i, description: 'Instruction override attempt', severity: 'critical' },
-    { regex: /disregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions|rules|guidelines|directives)/i, description: 'Instruction disregard attempt', severity: 'critical' },
-    { regex: /override\s+(the\s+)?(constitutional|safety|security|system)\s+(rules|instructions|prompt|guidelines)/i, description: 'Constitutional override attempt', severity: 'critical' },
-    { regex: /forget\s+(all|everything|your)\s+(previous|prior|instructions|rules|training)/i, description: 'Memory wipe attempt', severity: 'critical' },
-    // Role/identity hijacking
-    { regex: /you\s+are\s+now\s+(a|an|the)\s+/i, description: 'Role hijacking attempt', severity: 'critical' },
-    { regex: /pretend\s+(you\s+are|to\s+be|you're)\s+/i, description: 'Role-play injection', severity: 'high' },
-    { regex: /act\s+as\s+(if\s+you\s+are|a|an|the)\s+/i, description: 'Role assumption injection', severity: 'high' },
-    { regex: /from\s+now\s+on,?\s+(you|your|act|behave|respond)/i, description: 'Behavioral override attempt', severity: 'high' },
-    // System prompt extraction
-    { regex: /(?:show|reveal|display|output|print|repeat|echo)\s+(your|the)\s+(system|initial|original)\s+(prompt|instructions|message)/i, description: 'System prompt extraction attempt', severity: 'high' },
-    { regex: /what\s+(are|is)\s+your\s+(system|initial|original)\s+(prompt|instructions|rules)/i, description: 'System prompt probing', severity: 'medium' },
-    // Tool/permission escalation
-    { regex: /(?:run|execute|invoke)\s+(?:any|all|unlimited)\s+(?:commands?|tools?|scripts?)/i, description: 'Permission escalation attempt', severity: 'critical' },
-    { regex: /(?:disable|remove|skip|bypass)\s+(?:the\s+)?(?:safety|security|guard|check|validation|restriction)/i, description: 'Safety bypass attempt', severity: 'critical' },
-    { regex: /--no-verify/i, description: 'Git safety bypass (--no-verify)', severity: 'high' },
-    { regex: /--force\s*(?:push)?/i, description: 'Force operation pattern', severity: 'medium' },
-    // Hidden instruction embedding
-    { regex: /\[SYSTEM\]/i, description: 'Hidden system tag', severity: 'high' },
-    { regex: /\[INST\]/i, description: 'Hidden instruction tag', severity: 'high' },
-    { regex: /<\|im_start\|>system/i, description: 'ChatML injection attempt', severity: 'critical' },
-    { regex: /Human:|Assistant:/i, description: 'Conversation role injection', severity: 'medium' },
-    // Dangerous shell patterns in instruction text
-    { regex: /rm\s+-rf\s+[/~]/i, description: 'Destructive rm -rf command in instructions', severity: 'critical' },
-    { regex: /curl\s+.*\|\s*(?:bash|sh|zsh)/i, description: 'Pipe-to-shell pattern in instructions', severity: 'critical' },
-    { regex: /wget\s+.*&&\s*(?:bash|sh|chmod)/i, description: 'Download-and-execute pattern', severity: 'critical' },
-    { regex: /eval\s*\(\s*["'`]/i, description: 'Eval injection pattern', severity: 'high' },
-];
-// ─── Secrets patterns (also scanned via this module) ────────
-const SECRET_PATTERNS = [
-    { regex: /(?:^|[^a-zA-Z0-9])sk-[a-zA-Z0-9]{20,}/m, description: 'OpenAI API key' },
-    { regex: /(?:^|[^a-zA-Z0-9])ghp_[a-zA-Z0-9]{36,}/m, description: 'GitHub personal access token' },
-    { regex: /(?:^|[^a-zA-Z0-9])gho_[a-zA-Z0-9]{36,}/m, description: 'GitHub OAuth token' },
-    { regex: /(?:^|[^a-zA-Z0-9])github_pat_[a-zA-Z0-9_]{22,}/m, description: 'GitHub fine-grained PAT' },
-    { regex: /AKIA[0-9A-Z]{16}/m, description: 'AWS access key ID' },
-    { regex: /(?:^|[^a-zA-Z0-9])Bearer\s+[a-zA-Z0-9._\-]{20,}/m, description: 'Bearer token' },
-    { regex: /(?:password|passwd|secret|api_key|apikey|access_token)\s*[:=]\s*["'][^"']{6,}["']/i, description: 'Hardcoded credential' },
-    { regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/m, description: 'Private key' },
-    { regex: /(?:^|[^a-zA-Z0-9])xox[bpors]-[a-zA-Z0-9\-]{10,}/m, description: 'Slack token' },
-    { regex: /(?:^|[^a-zA-Z0-9])AIza[0-9A-Za-z\-_]{35}/m, description: 'Google API key' },
-];
-// ─── Public API ─────────────────────────────────────────────
-/**
- * Scan a piece of text for prompt injection patterns.
- */
-export function scanForInjection(content, source) {
-    const threats = [];
-    for (const { regex, description, severity } of INJECTION_PATTERNS) {
-        const match = content.match(regex);
-        if (match) {
-            threats.push({
-                pattern: description,
-                match: match[0].substring(0, 80), // truncate long matches
-                source,
-                severity,
-            });
-        }
-    }
-    return threats;
-}
-/**
- * Scan text for accidentally embedded secrets.
- */
-export function scanForSecrets(content, source) {
-    const threats = [];
-    for (const { regex, description } of SECRET_PATTERNS) {
-        const match = content.match(regex);
-        if (match) {
-            // Redact the match — never show secrets in output
-            const redacted = match[0].substring(0, 8) + '***REDACTED***';
-            threats.push({
-                pattern: description,
-                match: redacted,
-                source,
-                severity: 'high',
-            });
-        }
-    }
-    return threats;
-}
-/**
- * Scan custom instructions files for injection + secrets.
- */
-export function scanCustomInstructions(customs) {
-    const threats = [];
-    for (const ci of customs) {
-        threats.push(...scanForInjection(ci.content, `customs/${ci.source}`));
-        threats.push(...scanForSecrets(ci.content, `customs/${ci.source}`));
-    }
-    return { safe: threats.length === 0, threats };
-}
-/**
- * Scan philosophy.custom[] entries for injection + secrets.
- */
-export function scanPhilosophyCustom(customEntries) {
-    const threats = [];
-    for (let i = 0; i < customEntries.length; i++) {
-        const source = `philosophy.custom[${i}]`;
-        threats.push(...scanForInjection(customEntries[i], source));
-        threats.push(...scanForSecrets(customEntries[i], source));
-    }
-    return { safe: threats.length === 0, threats };
-}
-/**
- * Scan all string values in the workspace config for secrets.
- */
-export function scanConfigForSecrets(config, path = 'config') {
-    const threats = [];
-    for (const [key, value] of Object.entries(config)) {
-        const currentPath = `${path}.${key}`;
-        if (typeof value === 'string') {
-            threats.push(...scanForSecrets(value, currentPath));
-        }
-        else if (Array.isArray(value)) {
-            for (let i = 0; i < value.length; i++) {
-                if (typeof value[i] === 'string') {
-                    threats.push(...scanForSecrets(value[i], `${currentPath}[${i}]`));
-                }
-                else if (typeof value[i] === 'object' && value[i] !== null) {
-                    threats.push(...scanConfigForSecrets(value[i], `${currentPath}[${i}]`));
-                }
-            }
-        }
-        else if (typeof value === 'object' && value !== null) {
-            threats.push(...scanConfigForSecrets(value, currentPath));
-        }
-    }
-    return threats;
-}
-/**
- * Format threats for console output.
- */
-export function formatThreats(threats) {
-    if (threats.length === 0)
-        return '';
-    const lines = [];
-    const bySeverity = {
-        critical: threats.filter((t) => t.severity === 'critical'),
-        high: threats.filter((t) => t.severity === 'high'),
-        medium: threats.filter((t) => t.severity === 'medium'),
-    };
-    if (bySeverity.critical.length > 0) {
-        lines.push('  🔴 CRITICAL:');
-        for (const t of bySeverity.critical) {
-            lines.push(`     ${t.pattern} in ${t.source}`);
-            lines.push(`     → "${t.match}"`);
-        }
-    }
-    if (bySeverity.high.length > 0) {
-        lines.push('  🟠 HIGH:');
-        for (const t of bySeverity.high) {
-            lines.push(`     ${t.pattern} in ${t.source}`);
-            lines.push(`     → "${t.match}"`);
-        }
-    }
-    if (bySeverity.medium.length > 0) {
-        lines.push('  🟡 MEDIUM:');
-        for (const t of bySeverity.medium) {
-            lines.push(`     ${t.pattern} in ${t.source}`);
-        }
-    }
-    return lines.join('\n');
-}
+export { scanForInjection, scanForSecrets, scanCustomInstructions, scanPhilosophyCustom, scanConfigForSecrets, formatThreats, } from "@nepopsx/core";
 //# sourceMappingURL=scanner.js.map

package/dist/security/scanner.js.map

@@ -1 +1 @@
-{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/security/scanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAcH,+DAA+D;AAE/D,MAAM,kBAAkB,GAAoF;IAC1G,uCAAuC;IACvC,EAAE,KAAK,EAAE,gGAAgG,EAAE,WAAW,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC9K,EAAE,KAAK,EAAE,wGAAwG,EAAE,WAAW,EAAE,+BAA+B,EAAE,QAAQ,EAAE,UAAU,EAAE;IACvL,EAAE,KAAK,EAAE,uGAAuG,EAAE,WAAW,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACxL,EAAE,KAAK,EAAE,gFAAgF,EAAE,WAAW,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE;IAErJ,0BAA0B;IAC1B,EAAE,KAAK,EAAE,kCAAkC,EAAE,WAAW,EAAE,wBAAwB,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC1G,EAAE,KAAK,EAAE,0CAA0C,EAAE,WAAW,EAAE,qBAAqB,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC3G,EAAE,KAAK,EAAE,0CAA0C,EAAE,WAAW,EAAE,2BAA2B,EAAE,QAAQ,EAAE,MAAM,EAAE;IACjH,EAAE,KAAK,EAAE,oDAAoD,EAAE,WAAW,EAAE,6BAA6B,EAAE,QAAQ,EAAE,MAAM,EAAE;IAE7H,2BAA2B;IAC3B,EAAE,KAAK,EAAE,4HAA4H,EAAE,WAAW,EAAE,kCAAkC,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC1M,EAAE,KAAK,EAAE,mFAAmF,EAAE,WAAW,EAAE,uBAAuB,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAExJ,6BAA6B;IAC7B,EAAE,KAAK,EAAE,iFAAiF,EAAE,WAAW,EAAE,+BAA+B,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChK,EAAE,KAAK,EAAE,qGAAqG,EAAE,WAAW,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC5K,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iCAAiC,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC3F,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,yBAAyB,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAE7F,+BAA+B;IAC/B,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC5E,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,wBAAwB,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC/E,EAAE,KAAK,EAAE,uBAAuB,EAAE,WAAW,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAU,EAAE;IACjG,EAAE,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,6BAA6B,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAE/F,+CAA+C;IAC/C,EAAE,KAAK,EAAE,kBAAkB,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC9G,EAAE,KAAK,EAAE,gCAAgC,EAAE,WAAW,EAAE,uCAAuC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACvH,EAAE,KAAK,EAAE,kCAAkC,EAAE,WAAW,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChH,EAAE,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,wBAAwB,EAAE,QAAQ,EAAE,MAAM,EAAE;CACzF,CAAC;AAEF,+DAA+D;AAE/D,MAAM,eAAe,GAAkD;IACrE,EAAE,KAAK,EAAE,wCAAwC,EAAE,WAAW,EAAE,gBAAgB,EAAE;IAClF,EAAE,KAAK,EAAE,yCAAyC,EAAE,WAAW,EAAE,8BAA8B,EAAE;IACjG,EAAE,KAAK,EAAE,yCAAyC,EAAE,WAAW,EAAE,oBAAoB,EAAE;IACvF,EAAE,KAAK,EAAE,iDAAiD,EAAE,WAAW,EAAE,yBAAyB,EAAE;IACpG,EAAE,KAAK,EAAE,mBAAmB,EAAE,WAAW,EAAE,mBAAmB,EAAE;IAChE,EAAE,KAAK,EAAE,kDAAkD,EAAE,WAAW,EAAE,cAAc,EAAE;IAC1F,EAAE,KAAK,EAAE,oFAAoF,EAAE,WAAW,EAAE,sBAAsB,EAAE;IACpI,EAAE,KAAK,EAAE,oDAAoD,EAAE,WAAW,EAAE,aAAa,EAAE;IAC3F,EAAE,KAAK,EAAE,kDAAkD,EAAE,WAAW,EAAE,aAAa,EAAE;IACzF,EAAE,KAAK,EAAE,2CAA2C,EAAE,WAAW,EAAE,gBAAgB,EAAE;CACtF,CAAC;AAEF,+DAA+D;AAE/D;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,MAAc;IAC9D,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,KAAK,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAClE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,WAAW;gBACpB,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,wBAAwB;gBAC1D,MAAM;gBACN,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,MAAc;IAC5D,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,KAAK,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,eAAe,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,KAAK,EAAE,CAAC;YACV,kDAAkD;YAClD,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,gBAAgB,CAAC;YAC7D,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,WAAW;gBACpB,KAAK,EAAE,QAAQ;gBACf,MAAM;gBACN,QAAQ,EAAE,MAAM;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAAmD;IAEnD,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACtE,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAuB;IAEvB,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,MAAM,GAAG,qBAAqB,CAAC,GAAG,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA+B,EAAE,IAAI,GAAG,QAAQ;IACnF,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,MAAM,WAAW,GAAG,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC;QAErC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;QACtD,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;oBACjC,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;gBACpE,CAAC;qBAAM,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAC7D,OAAO,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAA4B,EAAE,GAAG,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;gBACrG,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,KAAgC,EAAE,WAAW,CAAC,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,OAAqB;IACjD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEpC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,UAAU,GAAG;QACjB,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;QAC1D,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;QAClD,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;KACvD,CAAC;IAEF,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;YAC/C,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;YAC/C,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC3B,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YAClC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/security/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAGL,gBAAgB,EAChB,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,EACpB,aAAa,GACd,MAAM,eAAe,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@nepopsx/cli",
-  "version": "0.0.2",
-  "description": "NEPOPSX CLI \u2014 generate AI agent workspaces from configuration",
+  "version": "0.0.4",
+  "description": "NEPOPSX CLI — generate AI agent workspaces from configuration",
   "license": "UNLICENSED",
   "type": "module",
   "bin": {
@@ -12,33 +12,36 @@
   "publishConfig": {
     "access": "public"
   },
-  "scripts": {
-    "build": "tsc",
-    "clean": "rm -rf dist",
-    "dev": "tsc --watch",
-    "lint": "tsc --noEmit",
-    "test": "node --test dist/**/*.test.js"
-  },
   "files": [
     "dist",
     "bin"
   ],
   "dependencies": {
     "@inquirer/prompts": "^8.4.1",
-    "@nepopsx/core": "workspace:*",
+    "archiver": "^7.0.1",
     "chalk": "^5.4.1",
     "commander": "^13.1.0",
     "glob": "^11.0.1",
     "handlebars": "^4.7.8",
+    "ignore": "^7.0.0",
     "inquirer": "^12.3.2",
     "ora": "^8.2.0",
-    "yaml": "^2.7.0"
+    "yaml": "^2.7.0",
+    "@nepopsx/core": "0.0.4"
   },
   "devDependencies": {
+    "@types/archiver": "^7.0.0",
     "@types/node": "^22.0.0",
     "typescript": "^5.7.0"
   },
   "engines": {
     "node": ">=20"
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist",
+    "dev": "tsc --watch",
+    "lint": "tsc --noEmit",
+    "test": "node --test dist/**/*.test.js"
   }
-}
+}