@obfuscan/core 0.1.0

package/dist/detectors/dynamic-exec-non-literal.js

@@ -0,0 +1,104 @@
+/**
+ * obf.dynamic-exec-with-non-literal.<lang> — Layer B.
+ *
+ * Fires when a dynamic-exec sink is called with an argument that is not a
+ * string/numeric literal. `eval("1+1")` is uninteresting; `eval(s)` is.
+ *
+ * The "is the argument a literal?" check is a syntactic approximation: we
+ * peek at the first non-whitespace character after the sink's `(`. If it's
+ * a quote or a digit, we treat the call as literal. Anything else — including
+ * template strings with `${}` interpolation — is non-literal.
+ *
+ * Pure template strings without interpolation (e.g. `eval(\`1+1\`)`) are
+ * treated as literal and not flagged.
+ */
+import { lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+const cache = new WeakMap();
+function compile(config) {
+    const cached = cache.get(config);
+    if (cached)
+        return cached;
+    const sinks = namedCallAlternation(config.dynamic_exec_sinks);
+    // Capture the sink name and the first ~6 chars after `(` to inspect.
+    const call = new RegExp(`(?:^|[^A-Za-z0-9_$])((?:${sinks}))\\s*\\(([\\s\\S]{0,12})`, "g");
+    const compiled = { call };
+    cache.set(config, compiled);
+    return compiled;
+}
+function isLiteralPeek(peek) {
+    const trimmed = peek.replace(/^\s+/, "");
+    if (trimmed.length === 0)
+        return false;
+    const c = trimmed[0];
+    // Numeric, single/double quote — definitely literal
+    if (c === '"' || c === "'")
+        return true;
+    if (c >= "0" && c <= "9")
+        return true;
+    if (c === "-" && trimmed[1] && trimmed[1] >= "0" && trimmed[1] <= "9")
+        return true;
+    // Pure template literal with no `${`: still literal.
+    if (c === "`") {
+        return !trimmed.includes("${");
+    }
+    return false;
+}
+export const dynamicExecNonLiteral = {
+    id: "obf.dynamic-exec-with-non-literal",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfdynamic-exec-with-non-literal",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            ctx.config.dynamic_exec_sinks.length > 0 &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES);
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const cfg = ctx.config;
+        const src = ctx.source;
+        const { call } = compile(cfg);
+        const findings = [];
+        const seen = new Set();
+        const re = new RegExp(call.source, call.flags);
+        let m;
+        while ((m = re.exec(src)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const sinkName = m[1] ?? "";
+            const peek = m[2] ?? "";
+            if (isLiteralPeek(peek))
+                continue;
+            // Skip when the next thing looks like another decoder call — that's
+            // the decode-then-exec detector's job.
+            if (/^[A-Za-z_$][\w$.]*\s*\(/.test(peek.replace(/^\s+/, ""))) {
+                // It's a function call argument; only flag if the function name is
+                // not in this language's decoders list (otherwise decode-then-exec
+                // owns the finding).
+                const fnNameMatch = /^([A-Za-z_$][\w$.]*)/.exec(peek.replace(/^\s+/, ""));
+                const fnName = fnNameMatch?.[1] ?? "";
+                if (cfg.decoders.some(d => fnName === d || fnName.endsWith("." + d)))
+                    continue;
+            }
+            const offset = m.index + (m[0].length - peek.length);
+            const line = lineAtOffset(src, offset);
+            if (seen.has(line))
+                continue;
+            seen.add(line);
+            findings.push({
+                ruleId: `obf.dynamic-exec-with-non-literal.${cfg.id}`,
+                severity: "warn",
+                score: 7,
+                file: ctx.path,
+                line,
+                snippet: truncateSnippet(`${sinkName}(${peek}`),
+                reason: `Dynamic-exec sink \`${sinkName}\` called with a non-literal argument. ` +
+                    `Confirm the input cannot be attacker-influenced.`,
+                evidence: { language: cfg.id, sink: sinkName },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=dynamic-exec-non-literal.js.map

package/dist/detectors/dynamic-exec-non-literal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dynamic-exec-non-literal.js","sourceRoot":"","sources":["../../src/detectors/dynamic-exec-non-literal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EACL,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,MAAM,KAAK,GAAG,IAAI,OAAO,EAA4B,CAAC;AAEtD,SAAS,OAAO,CAAC,MAAsB;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,KAAK,GAAG,oBAAoB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAC9D,qEAAqE;IACrE,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC,2BAA2B,KAAK,2BAA2B,EAAE,GAAG,CAAC,CAAC;IAC1F,MAAM,QAAQ,GAAa,EAAE,IAAI,EAAE,CAAC;IACpC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;IACtB,oDAAoD;IACpD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IACnF,qDAAqD;IACrD,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAa;IAC7C,EAAE,EAAE,mCAAmC;IACvC,OAAO,EAAE,sGAAsG;IAE/G,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CACrC,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAE9B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnC,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAS;YAClC,oEAAoE;YACpE,uCAAuC;YACvC,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC7D,mEAAmE;gBACnE,mEAAmE;gBACnE,qBAAqB;gBACrB,MAAM,WAAW,GAAG,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;gBAC1E,MAAM,MAAM,GAAG,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;oBAAE,SAAS;YACjF,CAAC;YAED,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACvC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,qCAAqC,GAAG,CAAC,EAAE,EAAE;gBACrD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI;gBACJ,OAAO,EAAE,eAAe,CAAC,GAAG,QAAQ,IAAI,IAAI,EAAE,CAAC;gBAC/C,MAAM,EACJ,uBAAuB,QAAQ,yCAAyC;oBACxE,kDAAkD;gBACpD,QAAQ,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aAC/C,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/encoded-array-fingerprint.d.ts

@@ -0,0 +1,11 @@
+/**
+ * obf.encoded-array-fingerprint — Layer A.
+ *
+ * Detects the lexical fingerprint of obfuscator.io / javascript-obfuscator
+ * output: a long array of high-entropy strings, often assigned to a hex-style
+ * identifier (`_0xabc12`). This fires before any AST analysis and is one of
+ * the strongest single signals for packed JS payloads.
+ */
+import type { Detector } from "../types.js";
+export declare const encodedArrayFingerprint: Detector;
+//# sourceMappingURL=encoded-array-fingerprint.d.ts.map

package/dist/detectors/encoded-array-fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoded-array-fingerprint.d.ts","sourceRoot":"","sources":["../../src/detectors/encoded-array-fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAkBlE,eAAO,MAAM,uBAAuB,EAAE,QAuCrC,CAAC"}

package/dist/detectors/encoded-array-fingerprint.js

@@ -0,0 +1,60 @@
+/**
+ * obf.encoded-array-fingerprint — Layer A.
+ *
+ * Detects the lexical fingerprint of obfuscator.io / javascript-obfuscator
+ * output: a long array of high-entropy strings, often assigned to a hex-style
+ * identifier (`_0xabc12`). This fires before any AST analysis and is one of
+ * the strongest single signals for packed JS payloads.
+ */
+import { lineAtOffset, MAX_SOURCE_BYTES } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+// `[ "...", "...", ... ]` arrays with at least N quoted-string elements.
+// Backquotes excluded — template literals don't show up in obfuscator arrays.
+const ARRAY_RE = /\[\s*((?:"[^"\n]{4,}"|'[^'\n]{4,}')(?:\s*,\s*(?:"[^"\n]{4,}"|'[^'\n]{4,}')){15,})\s*\]/g;
+const MIN_BASE64_RATIO = 0.6;
+const BASE64_CHAR = /[A-Za-z0-9+/=]/;
+function looksBase64ish(s) {
+    if (s.length < 8)
+        return false;
+    let hits = 0;
+    for (const c of s)
+        if (BASE64_CHAR.test(c))
+            hits++;
+    return hits / s.length >= MIN_BASE64_RATIO;
+}
+export const encodedArrayFingerprint = {
+    id: "obf.encoded-array-fingerprint",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfencoded-array-fingerprint",
+    applies(ctx) {
+        return ctx.source.length > 0 && ctx.source.length < MAX_SOURCE_BYTES;
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        const re = new RegExp(ARRAY_RE.source, ARRAY_RE.flags);
+        let m;
+        while ((m = re.exec(src)) !== null) {
+            const elements = (m[1] ?? "")
+                .split(/,/)
+                .map(s => s.trim().replace(/^["']|["']$/g, ""));
+            const base64ish = elements.filter(looksBase64ish).length;
+            if (base64ish / elements.length < MIN_BASE64_RATIO)
+                continue;
+            const line = lineAtOffset(src, m.index);
+            findings.push({
+                ruleId: encodedArrayFingerprint.id,
+                severity: "warn",
+                score: 7,
+                file: ctx.path,
+                line,
+                snippet: truncateSnippet(m[0]),
+                reason: `Large array of encoded-looking strings (${elements.length} entries, ` +
+                    `${base64ish} base64-shaped). This is the obfuscator.io / ` +
+                    `javascript-obfuscator string-table fingerprint.`,
+                evidence: { length: elements.length, base64ishCount: base64ish },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=encoded-array-fingerprint.js.map

package/dist/detectors/encoded-array-fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoded-array-fingerprint.js","sourceRoot":"","sources":["../../src/detectors/encoded-array-fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AACzE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,yEAAyE;AACzE,8EAA8E;AAC9E,MAAM,QAAQ,GAAG,yFAAyF,CAAC;AAE3G,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAC7B,MAAM,WAAW,GAAG,gBAAgB,CAAC;AAErC,SAAS,cAAc,CAAC,CAAS;IAC/B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,CAAC;QAAE,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,IAAI,EAAE,CAAC;IACnD,OAAO,IAAI,GAAG,CAAC,CAAC,MAAM,IAAI,gBAAgB,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAa;IAC/C,EAAE,EAAE,+BAA+B;IACnC,OAAO,EAAE,kGAAkG;IAE3G,OAAO,CAAC,GAAgB;QACtB,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CAAC;IACvE,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEvD,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBAC1B,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,CAAC;YAElD,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC;YACzD,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,gBAAgB;gBAAE,SAAS;YAE7D,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACxC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,uBAAuB,CAAC,EAAE;gBAClC,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI;gBACJ,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC9B,MAAM,EACJ,2CAA2C,QAAQ,CAAC,MAAM,YAAY;oBACtE,GAAG,SAAS,+CAA+C;oBAC3D,iDAAiD;gBACnD,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE;aACjE,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/gha-curl-pipe-shell.d.ts

@@ -0,0 +1,11 @@
+/**
+ * obf.gha-curl-pipe-shell — Manifest detector for GitHub Actions YAML.
+ *
+ * Flags any `run:` step in `.github/workflows/*.yml|yaml` whose command
+ * pipes a network download directly into a shell. This is one of the
+ * highest-yield supply-chain attack vectors — a CI run pulling and
+ * executing remote code on every push.
+ */
+import type { Detector } from "../types.js";
+export declare const ghaCurlPipeShell: Detector;
+//# sourceMappingURL=gha-curl-pipe-shell.d.ts.map

package/dist/detectors/gha-curl-pipe-shell.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gha-curl-pipe-shell.d.ts","sourceRoot":"","sources":["../../src/detectors/gha-curl-pipe-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAWlE,eAAO,MAAM,gBAAgB,EAAE,QA6B9B,CAAC"}

package/dist/detectors/gha-curl-pipe-shell.js

@@ -0,0 +1,42 @@
+/**
+ * obf.gha-curl-pipe-shell — Manifest detector for GitHub Actions YAML.
+ *
+ * Flags any `run:` step in `.github/workflows/*.yml|yaml` whose command
+ * pipes a network download directly into a shell. This is one of the
+ * highest-yield supply-chain attack vectors — a CI run pulling and
+ * executing remote code on every push.
+ */
+import { lineAtOffset } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+function isWorkflow(p) {
+    return /(^|\/)\.github\/workflows\/[^/]+\.ya?ml$/.test(p);
+}
+const CURL_PIPE_SHELL_RE = /(?:curl|wget|fetch)\b[^\n]{0,200}\|\s*(?:bash|sh|zsh|python|node|perl|powershell|pwsh)\b/g;
+export const ghaCurlPipeShell = {
+    id: "obf.gha-curl-pipe-shell",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfgha-curl-pipe-shell",
+    applies(ctx) {
+        return isWorkflow(ctx.path);
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        const re = new RegExp(CURL_PIPE_SHELL_RE.source, CURL_PIPE_SHELL_RE.flags);
+        let m;
+        while ((m = re.exec(src)) !== null) {
+            findings.push({
+                ruleId: ghaCurlPipeShell.id,
+                severity: "block",
+                score: 9,
+                file: ctx.path,
+                line: lineAtOffset(src, m.index),
+                snippet: truncateSnippet(m[0]),
+                reason: `GitHub Actions step pipes a network download into a shell. ` +
+                    `Pin the artifact (sha256) or fetch + verify before executing.`,
+                evidence: { command: m[0] },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=gha-curl-pipe-shell.js.map

package/dist/detectors/gha-curl-pipe-shell.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gha-curl-pipe-shell.js","sourceRoot":"","sources":["../../src/detectors/gha-curl-pipe-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,0CAA0C,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,kBAAkB,GACtB,2FAA2F,CAAC;AAE9F,MAAM,CAAC,MAAM,gBAAgB,GAAa;IACxC,EAAE,EAAE,yBAAyB;IAC7B,OAAO,EAAE,4FAA4F;IAErG,OAAO,CAAC,GAAgB;QACtB,OAAO,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC3E,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,gBAAgB,CAAC,EAAE;gBAC3B,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI,EAAE,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC;gBAChC,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC9B,MAAM,EACJ,6DAA6D;oBAC7D,+DAA+D;gBACjE,QAAQ,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/high-entropy-literal.d.ts

@@ -0,0 +1,19 @@
+/**
+ * obf.high-entropy-literal — Layer A (source-level regex).
+ *
+ * Flags long string literals whose Shannon entropy exceeds a threshold tuned
+ * against the Datadog malicious-packages corpus. Packed payloads, base64
+ * blobs, and hex-encoded shellcode all surface here.
+ *
+ * Known false positives:
+ *   - Hex-encoded SHA-256 hashes in tests (mean ~4.0 bits/char, length 64)
+ *   - Base64 SVG data URIs in CSS-in-JS (often legitimate)
+ *   - Long license keys / JWTs in fixtures
+ *
+ * Tune via the `MIN_LEN` and `ENTROPY_THRESHOLD` constants. Per-project
+ * suppression should be done via `.obfuscan/allowlist.json`, not by
+ * lowering the threshold globally.
+ */
+import type { Detector } from "../types.js";
+export declare const highEntropyLiteral: Detector;
+//# sourceMappingURL=high-entropy-literal.d.ts.map

package/dist/detectors/high-entropy-literal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"high-entropy-literal.d.ts","sourceRoot":"","sources":["../../src/detectors/high-entropy-literal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAiClE,eAAO,MAAM,kBAAkB,EAAE,QAiDhC,CAAC"}

package/dist/detectors/high-entropy-literal.js

@@ -0,0 +1,90 @@
+/**
+ * obf.high-entropy-literal — Layer A (source-level regex).
+ *
+ * Flags long string literals whose Shannon entropy exceeds a threshold tuned
+ * against the Datadog malicious-packages corpus. Packed payloads, base64
+ * blobs, and hex-encoded shellcode all surface here.
+ *
+ * Known false positives:
+ *   - Hex-encoded SHA-256 hashes in tests (mean ~4.0 bits/char, length 64)
+ *   - Base64 SVG data URIs in CSS-in-JS (often legitimate)
+ *   - Long license keys / JWTs in fixtures
+ *
+ * Tune via the `MIN_LEN` and `ENTROPY_THRESHOLD` constants. Per-project
+ * suppression should be done via `.obfuscan/allowlist.json`, not by
+ * lowering the threshold globally.
+ */
+import { truncateSnippet } from "../internal/text.js";
+/** Matches `"..."`, `'...'`, or backtick strings of at least MIN_LEN chars. */
+const STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){40,}?)\1/g;
+const MIN_LEN = 40;
+const ENTROPY_THRESHOLD = 4.5; // bits/char
+const MAX_SOURCE_BYTES = 2_000_000; // skip files larger than 2 MB
+const MAX_FINDINGS_PER_FILE = 50; // protect the report from minified bundles
+/** Shannon entropy in bits/char. */
+function shannon(s) {
+    if (s.length === 0)
+        return 0;
+    const freq = new Map();
+    for (const c of s)
+        freq.set(c, (freq.get(c) ?? 0) + 1);
+    let h = 0;
+    for (const n of freq.values()) {
+        const p = n / s.length;
+        h -= p * Math.log2(p);
+    }
+    return h;
+}
+/** Convert a 0-based character offset to a 1-based line number. */
+function lineAt(source, offset) {
+    let line = 1;
+    for (let i = 0; i < offset && i < source.length; i++) {
+        if (source.charCodeAt(i) === 10 /* \n */)
+            line++;
+    }
+    return line;
+}
+export const highEntropyLiteral = {
+    id: "obf.high-entropy-literal",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfhigh-entropy-literal",
+    applies(ctx) {
+        // Source-level — runs on any text file under the size cap.
+        return ctx.source.length > 0 && ctx.source.length < MAX_SOURCE_BYTES;
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        let match;
+        // Local regex copy so we don't share lastIndex across calls.
+        const re = new RegExp(STRING_LITERAL_RE.source, STRING_LITERAL_RE.flags);
+        while ((match = re.exec(src)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_FILE)
+                break;
+            const body = match[2];
+            if (!body || body.length < MIN_LEN)
+                continue;
+            const entropy = shannon(body);
+            if (entropy < ENTROPY_THRESHOLD)
+                continue;
+            const line = lineAt(src, match.index);
+            const score = Math.min(10, Math.round(entropy * 1.5));
+            findings.push({
+                ruleId: highEntropyLiteral.id,
+                severity: "warn",
+                score,
+                file: ctx.path,
+                line,
+                snippet: truncateSnippet(body),
+                reason: `High-entropy string literal ` +
+                    `(Shannon ${entropy.toFixed(2)} bits/char, length ${body.length}) — ` +
+                    `possible packed payload.`,
+                evidence: {
+                    entropy: Number(entropy.toFixed(3)),
+                    length: body.length,
+                },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=high-entropy-literal.js.map

package/dist/detectors/high-entropy-literal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"high-entropy-literal.js","sourceRoot":"","sources":["../../src/detectors/high-entropy-literal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,+EAA+E;AAC/E,MAAM,iBAAiB,GAAG,mCAAmC,CAAC;AAE9D,MAAM,OAAO,GAAG,EAAE,CAAC;AACnB,MAAM,iBAAiB,GAAG,GAAG,CAAC,CAAC,YAAY;AAC3C,MAAM,gBAAgB,GAAG,SAAS,CAAC,CAAC,8BAA8B;AAClE,MAAM,qBAAqB,GAAG,EAAE,CAAC,CAAC,2CAA2C;AAE7E,oCAAoC;AACpC,SAAS,OAAO,CAAC,CAAS;IACxB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;QACvB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,mEAAmE;AACnE,SAAS,MAAM,CAAC,MAAc,EAAE,MAAc;IAC5C,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrD,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,QAAQ;YAAE,IAAI,EAAE,CAAC;IACnD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAa;IAC1C,EAAE,EAAE,0BAA0B;IAC9B,OAAO,EAAE,6FAA6F;IAEtG,OAAO,CAAC,GAAgB;QACtB,2DAA2D;QAC3D,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CAAC;IACvE,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,IAAI,KAA6B,CAAC;QAElC,6DAA6D;QAC7D,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAEzE,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACvC,IAAI,QAAQ,CAAC,MAAM,IAAI,qBAAqB;gBAAE,MAAM;YAEpD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,OAAO;gBAAE,SAAS;YAE7C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;YAC9B,IAAI,OAAO,GAAG,iBAAiB;gBAAE,SAAS;YAE1C,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC;YAEtD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,kBAAkB,CAAC,EAAE;gBAC7B,QAAQ,EAAE,MAAM;gBAChB,KAAK;gBACL,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI;gBACJ,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC;gBAC9B,MAAM,EACJ,8BAA8B;oBAC9B,YAAY,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,IAAI,CAAC,MAAM,MAAM;oBACrE,0BAA0B;gBAC5B,QAAQ,EAAE;oBACR,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBACnC,MAAM,EAAE,IAAI,CAAC,MAAM;iBACpB;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/homoglyph-identifier.d.ts

@@ -0,0 +1,16 @@
+/**
+ * obf.homoglyph-identifier — Layer A.
+ *
+ * Flags identifiers that mix scripts in a way associated with homoglyph
+ * attacks. The narrow definition: an identifier with a *majority* of ASCII
+ * Latin letters but containing at least one confusable from another script.
+ *
+ * Negative cases:
+ *   - Pure non-ASCII identifiers (e.g. all Cyrillic, all CJK) — legitimate
+ *     non-English code.
+ *   - Pure ASCII identifiers — by construction.
+ *   - Strings, comments — not identifier contexts.
+ */
+import type { Detector } from "../types.js";
+export declare const homoglyphIdentifier: Detector;
+//# sourceMappingURL=homoglyph-identifier.d.ts.map

package/dist/detectors/homoglyph-identifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"homoglyph-identifier.d.ts","sourceRoot":"","sources":["../../src/detectors/homoglyph-identifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAgBlE,eAAO,MAAM,mBAAmB,EAAE,QAkDjC,CAAC"}

package/dist/detectors/homoglyph-identifier.js

@@ -0,0 +1,76 @@
+/**
+ * obf.homoglyph-identifier — Layer A.
+ *
+ * Flags identifiers that mix scripts in a way associated with homoglyph
+ * attacks. The narrow definition: an identifier with a *majority* of ASCII
+ * Latin letters but containing at least one confusable from another script.
+ *
+ * Negative cases:
+ *   - Pure non-ASCII identifiers (e.g. all Cyrillic, all CJK) — legitimate
+ *     non-English code.
+ *   - Pure ASCII identifiers — by construction.
+ *   - Strings, comments — not identifier contexts.
+ */
+import { lineAtOffset, MAX_SOURCE_BYTES } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+// Identifier tokenizer: ASCII-letter or non-space, non-punct unicode letters.
+// We use a Unicode property escape here; supported in Node 12+.
+const IDENT_RE = /[A-Za-z_$][\p{L}\p{N}_$]{2,}/gu;
+// "Confusable script ranges" — characters that visually resemble Latin but
+// belong to other scripts. Subset focused on Cyrillic + Greek which produce
+// the highest-yield homoglyphs.
+const CONFUSABLE_RE = /[\u0400-\u04FF\u0370-\u03FF]/;
+// ASCII letters
+const ASCII_LETTER_RE = /[A-Za-z]/;
+export const homoglyphIdentifier = {
+    id: "obf.homoglyph-identifier",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfhomoglyph-identifier",
+    applies(ctx) {
+        return ctx.source.length > 0 && ctx.source.length < MAX_SOURCE_BYTES;
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        const seen = new Set();
+        const re = new RegExp(IDENT_RE.source, IDENT_RE.flags);
+        let m;
+        while ((m = re.exec(src)) !== null) {
+            const ident = m[0];
+            if (seen.has(ident))
+                continue;
+            if (!CONFUSABLE_RE.test(ident))
+                continue;
+            // Count ASCII vs confusable letters
+            let ascii = 0;
+            let confusable = 0;
+            for (const c of ident) {
+                if (ASCII_LETTER_RE.test(c))
+                    ascii++;
+                else if (CONFUSABLE_RE.test(c))
+                    confusable++;
+            }
+            if (ascii === 0)
+                continue; // pure non-ASCII identifier
+            if (confusable === 0)
+                continue;
+            // Only flag mixed identifiers where ASCII is the majority.
+            if (ascii < confusable)
+                continue;
+            seen.add(ident);
+            const line = lineAtOffset(src, m.index);
+            findings.push({
+                ruleId: homoglyphIdentifier.id,
+                severity: "block",
+                score: 9,
+                file: ctx.path,
+                line,
+                snippet: truncateSnippet(ident),
+                reason: `Identifier mixes Latin letters with confusable characters from ` +
+                    `another script (Cyrillic/Greek). This is a homoglyph attack pattern.`,
+                evidence: { identifier: ident, asciiCount: ascii, confusableCount: confusable },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=homoglyph-identifier.js.map

package/dist/detectors/homoglyph-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"homoglyph-identifier.js","sourceRoot":"","sources":["../../src/detectors/homoglyph-identifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AACzE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,8EAA8E;AAC9E,gEAAgE;AAChE,MAAM,QAAQ,GAAG,gCAAgC,CAAC;AAElD,2EAA2E;AAC3E,4EAA4E;AAC5E,gCAAgC;AAChC,MAAM,aAAa,GAAG,8BAA8B,CAAC;AAErD,gBAAgB;AAChB,MAAM,eAAe,GAAG,UAAU,CAAC;AAEnC,MAAM,CAAC,MAAM,mBAAmB,GAAa;IAC3C,EAAE,EAAE,0BAA0B;IAC9B,OAAO,EAAE,6FAA6F;IAEtG,OAAO,CAAC,GAAgB;QACtB,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CAAC;IACvE,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEvD,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACnB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,SAAS;YAE9B,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,SAAS;YAEzC,oCAAoC;YACpC,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,IAAI,UAAU,GAAG,CAAC,CAAC;YACnB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;oBAAE,KAAK,EAAE,CAAC;qBAChC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;oBAAE,UAAU,EAAE,CAAC;YAC/C,CAAC;YACD,IAAI,KAAK,KAAK,CAAC;gBAAE,SAAS,CAAC,4BAA4B;YACvD,IAAI,UAAU,KAAK,CAAC;gBAAE,SAAS;YAC/B,2DAA2D;YAC3D,IAAI,KAAK,GAAG,UAAU;gBAAE,SAAS;YAEjC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAChB,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACxC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,mBAAmB,CAAC,EAAE;gBAC9B,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI;gBACJ,OAAO,EAAE,eAAe,CAAC,KAAK,CAAC;gBAC/B,MAAM,EACJ,iEAAiE;oBACjE,sEAAsE;gBACxE,QAAQ,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE;aAChF,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/index.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Built-in detector registry.
+ *
+ * `defaultDetectors()` returns the canonical, ordered list shipped with
+ * `@obfuscan/core`. Order is meaningful for stable output: when two detectors
+ * fire on the same line and severity, the earlier-listed one's finding sorts
+ * first.
+ */
+import type { Detector } from "../types.js";
+import { highEntropyLiteral } from "./high-entropy-literal.js";
+import { bidiControlChar } from "./bidi-control.js";
+import { homoglyphIdentifier } from "./homoglyph-identifier.js";
+import { longLine } from "./long-line.js";
+import { encodedArrayFingerprint } from "./encoded-array-fingerprint.js";
+import { decodeThenExec } from "./decode-then-exec.js";
+import { dynamicExecNonLiteral } from "./dynamic-exec-non-literal.js";
+import { networkThenExec } from "./network-then-exec.js";
+import { deserializerUntrusted } from "./deserializer-untrusted.js";
+import { suspiciousIoCluster } from "./suspicious-io-cluster.js";
+import { stringArrayDecoder } from "./string-array-decoder.js";
+import { shellUntrustedInput } from "./shell-untrusted-input.js";
+import { libraryLoadNonLiteral } from "./library-load-non-literal.js";
+import { manifestInstallScript } from "./manifest-install-script.js";
+import { pythonSetupSideEffect } from "./python-setup-side-effect.js";
+import { perlMakefileSideEffect } from "./perl-makefile-side-effect.js";
+import { cargoBuildRsNetwork } from "./cargo-build-rs-network.js";
+import { ghaCurlPipeShell } from "./gha-curl-pipe-shell.js";
+import { dockerfileCurlPipeShell } from "./dockerfile-curl-pipe-shell.js";
+export declare function defaultDetectors(): readonly Detector[];
+export { highEntropyLiteral, bidiControlChar, homoglyphIdentifier, longLine, encodedArrayFingerprint, decodeThenExec, dynamicExecNonLiteral, networkThenExec, deserializerUntrusted, suspiciousIoCluster, stringArrayDecoder, shellUntrustedInput, libraryLoadNonLiteral, manifestInstallScript, pythonSetupSideEffect, perlMakefileSideEffect, cargoBuildRsNetwork, ghaCurlPipeShell, dockerfileCurlPipeShell, };
+//# sourceMappingURL=index.d.ts.map

package/dist/detectors/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/detectors/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAG5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAGzE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAGtE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,wBAAgB,gBAAgB,IAAI,SAAS,QAAQ,EAAE,CAEtD;AA8BD,OAAO,EACL,kBAAkB,EAClB,eAAe,EACf,mBAAmB,EACnB,QAAQ,EACR,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,uBAAuB,GACxB,CAAC"}

package/dist/detectors/index.js

@@ -0,0 +1,60 @@
+/**
+ * Built-in detector registry.
+ *
+ * `defaultDetectors()` returns the canonical, ordered list shipped with
+ * `@obfuscan/core`. Order is meaningful for stable output: when two detectors
+ * fire on the same line and severity, the earlier-listed one's finding sorts
+ * first.
+ */
+// Layer A — universal source-level detectors
+import { highEntropyLiteral } from "./high-entropy-literal.js";
+import { bidiControlChar } from "./bidi-control.js";
+import { homoglyphIdentifier } from "./homoglyph-identifier.js";
+import { longLine } from "./long-line.js";
+import { encodedArrayFingerprint } from "./encoded-array-fingerprint.js";
+// Layer B — config-driven semantic detectors
+import { decodeThenExec } from "./decode-then-exec.js";
+import { dynamicExecNonLiteral } from "./dynamic-exec-non-literal.js";
+import { networkThenExec } from "./network-then-exec.js";
+import { deserializerUntrusted } from "./deserializer-untrusted.js";
+import { suspiciousIoCluster } from "./suspicious-io-cluster.js";
+import { stringArrayDecoder } from "./string-array-decoder.js";
+import { shellUntrustedInput } from "./shell-untrusted-input.js";
+import { libraryLoadNonLiteral } from "./library-load-non-literal.js";
+// Manifest — ecosystem-specific detectors
+import { manifestInstallScript } from "./manifest-install-script.js";
+import { pythonSetupSideEffect } from "./python-setup-side-effect.js";
+import { perlMakefileSideEffect } from "./perl-makefile-side-effect.js";
+import { cargoBuildRsNetwork } from "./cargo-build-rs-network.js";
+import { ghaCurlPipeShell } from "./gha-curl-pipe-shell.js";
+import { dockerfileCurlPipeShell } from "./dockerfile-curl-pipe-shell.js";
+export function defaultDetectors() {
+    return DEFAULTS;
+}
+const DEFAULTS = Object.freeze([
+    // Layer A
+    highEntropyLiteral,
+    bidiControlChar,
+    homoglyphIdentifier,
+    longLine,
+    encodedArrayFingerprint,
+    // Layer B
+    decodeThenExec,
+    networkThenExec,
+    dynamicExecNonLiteral,
+    deserializerUntrusted,
+    suspiciousIoCluster,
+    stringArrayDecoder,
+    shellUntrustedInput,
+    libraryLoadNonLiteral,
+    // Manifest
+    manifestInstallScript,
+    pythonSetupSideEffect,
+    perlMakefileSideEffect,
+    cargoBuildRsNetwork,
+    ghaCurlPipeShell,
+    dockerfileCurlPipeShell,
+]);
+// Named re-exports for tests and advanced consumers.
+export { highEntropyLiteral, bidiControlChar, homoglyphIdentifier, longLine, encodedArrayFingerprint, decodeThenExec, dynamicExecNonLiteral, networkThenExec, deserializerUntrusted, suspiciousIoCluster, stringArrayDecoder, shellUntrustedInput, libraryLoadNonLiteral, manifestInstallScript, pythonSetupSideEffect, perlMakefileSideEffect, cargoBuildRsNetwork, ghaCurlPipeShell, dockerfileCurlPipeShell, };
+//# sourceMappingURL=index.js.map

package/dist/detectors/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/detectors/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,6CAA6C;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAEzE,6CAA6C;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAEtE,0CAA0C;AAC1C,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,MAAM,UAAU,gBAAgB;IAC9B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,QAAQ,GAAwB,MAAM,CAAC,MAAM,CAAC;IAClD,UAAU;IACV,kBAAkB;IAClB,eAAe;IACf,mBAAmB;IACnB,QAAQ;IACR,uBAAuB;IAEvB,UAAU;IACV,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,qBAAqB;IACrB,mBAAmB;IACnB,kBAAkB;IAClB,mBAAmB;IACnB,qBAAqB;IAErB,WAAW;IACX,qBAAqB;IACrB,qBAAqB;IACrB,sBAAsB;IACtB,mBAAmB;IACnB,gBAAgB;IAChB,uBAAuB;CACxB,CAAC,CAAC;AAEH,qDAAqD;AACrD,OAAO,EACL,kBAAkB,EAClB,eAAe,EACf,mBAAmB,EACnB,QAAQ,EACR,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,uBAAuB,GACxB,CAAC"}

package/dist/detectors/library-load-non-literal.d.ts

@@ -0,0 +1,10 @@
+/**
+ * obf.library-load-non-literal.<lang> — Layer B.
+ *
+ * Fires when a dynamic-library-load function (`require`, `importlib.import_module`,
+ * `Assembly.Load`, `libloading::Library::new`, …) is called with a non-literal
+ * argument.
+ */
+import type { Detector } from "../types.js";
+export declare const libraryLoadNonLiteral: Detector;
+//# sourceMappingURL=library-load-non-literal.d.ts.map

package/dist/detectors/library-load-non-literal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"library-load-non-literal.d.ts","sourceRoot":"","sources":["../../src/detectors/library-load-non-literal.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AAiClF,eAAO,MAAM,qBAAqB,EAAE,QA4CnC,CAAC"}