npm - @obfuscan/core - Versions diffs - 0.1.0 - Mend

@obfuscan/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (131) hide show

package/LICENSE +201 -0
package/README.md +224 -0
package/dist/allowlist.d.ts +25 -0
package/dist/allowlist.d.ts.map +1 -0
package/dist/allowlist.js +138 -0
package/dist/allowlist.js.map +1 -0
package/dist/detectors/bidi-control.d.ts +14 -0
package/dist/detectors/bidi-control.d.ts.map +1 -0
package/dist/detectors/bidi-control.js +67 -0
package/dist/detectors/bidi-control.js.map +1 -0
package/dist/detectors/cargo-build-rs-network.d.ts +12 -0
package/dist/detectors/cargo-build-rs-network.d.ts.map +1 -0
package/dist/detectors/cargo-build-rs-network.js +54 -0
package/dist/detectors/cargo-build-rs-network.js.map +1 -0
package/dist/detectors/decode-then-exec.d.ts +20 -0
package/dist/detectors/decode-then-exec.d.ts.map +1 -0
package/dist/detectors/decode-then-exec.js +189 -0
package/dist/detectors/decode-then-exec.js.map +1 -0
package/dist/detectors/deserializer-untrusted.d.ts +15 -0
package/dist/detectors/deserializer-untrusted.d.ts.map +1 -0
package/dist/detectors/deserializer-untrusted.js +99 -0
package/dist/detectors/deserializer-untrusted.js.map +1 -0
package/dist/detectors/dockerfile-curl-pipe-shell.d.ts +10 -0
package/dist/detectors/dockerfile-curl-pipe-shell.d.ts.map +1 -0
package/dist/detectors/dockerfile-curl-pipe-shell.js +42 -0
package/dist/detectors/dockerfile-curl-pipe-shell.js.map +1 -0
package/dist/detectors/dynamic-exec-non-literal.d.ts +17 -0
package/dist/detectors/dynamic-exec-non-literal.d.ts.map +1 -0
package/dist/detectors/dynamic-exec-non-literal.js +104 -0
package/dist/detectors/dynamic-exec-non-literal.js.map +1 -0
package/dist/detectors/encoded-array-fingerprint.d.ts +11 -0
package/dist/detectors/encoded-array-fingerprint.d.ts.map +1 -0
package/dist/detectors/encoded-array-fingerprint.js +60 -0
package/dist/detectors/encoded-array-fingerprint.js.map +1 -0
package/dist/detectors/gha-curl-pipe-shell.d.ts +11 -0
package/dist/detectors/gha-curl-pipe-shell.d.ts.map +1 -0
package/dist/detectors/gha-curl-pipe-shell.js +42 -0
package/dist/detectors/gha-curl-pipe-shell.js.map +1 -0
package/dist/detectors/high-entropy-literal.d.ts +19 -0
package/dist/detectors/high-entropy-literal.d.ts.map +1 -0
package/dist/detectors/high-entropy-literal.js +90 -0
package/dist/detectors/high-entropy-literal.js.map +1 -0
package/dist/detectors/homoglyph-identifier.d.ts +16 -0
package/dist/detectors/homoglyph-identifier.d.ts.map +1 -0
package/dist/detectors/homoglyph-identifier.js +76 -0
package/dist/detectors/homoglyph-identifier.js.map +1 -0
package/dist/detectors/index.d.ts +31 -0
package/dist/detectors/index.d.ts.map +1 -0
package/dist/detectors/index.js +60 -0
package/dist/detectors/index.js.map +1 -0
package/dist/detectors/library-load-non-literal.d.ts +10 -0
package/dist/detectors/library-load-non-literal.d.ts.map +1 -0
package/dist/detectors/library-load-non-literal.js +72 -0
package/dist/detectors/library-load-non-literal.js.map +1 -0
package/dist/detectors/long-line.d.ts +12 -0
package/dist/detectors/long-line.d.ts.map +1 -0
package/dist/detectors/long-line.js +53 -0
package/dist/detectors/long-line.js.map +1 -0
package/dist/detectors/manifest-install-script.d.ts +54 -0
package/dist/detectors/manifest-install-script.d.ts.map +1 -0
package/dist/detectors/manifest-install-script.js +272 -0
package/dist/detectors/manifest-install-script.js.map +1 -0
package/dist/detectors/network-then-exec.d.ts +17 -0
package/dist/detectors/network-then-exec.d.ts.map +1 -0
package/dist/detectors/network-then-exec.js +140 -0
package/dist/detectors/network-then-exec.js.map +1 -0
package/dist/detectors/perl-makefile-side-effect.d.ts +17 -0
package/dist/detectors/perl-makefile-side-effect.d.ts.map +1 -0
package/dist/detectors/perl-makefile-side-effect.js +72 -0
package/dist/detectors/perl-makefile-side-effect.js.map +1 -0
package/dist/detectors/python-setup-side-effect.d.ts +10 -0
package/dist/detectors/python-setup-side-effect.d.ts.map +1 -0
package/dist/detectors/python-setup-side-effect.js +87 -0
package/dist/detectors/python-setup-side-effect.js.map +1 -0
package/dist/detectors/shell-untrusted-input.d.ts +10 -0
package/dist/detectors/shell-untrusted-input.d.ts.map +1 -0
package/dist/detectors/shell-untrusted-input.js +76 -0
package/dist/detectors/shell-untrusted-input.js.map +1 -0
package/dist/detectors/string-array-decoder.d.ts +15 -0
package/dist/detectors/string-array-decoder.d.ts.map +1 -0
package/dist/detectors/string-array-decoder.js +70 -0
package/dist/detectors/string-array-decoder.js.map +1 -0
package/dist/detectors/suspicious-io-cluster.d.ts +11 -0
package/dist/detectors/suspicious-io-cluster.d.ts.map +1 -0
package/dist/detectors/suspicious-io-cluster.js +86 -0
package/dist/detectors/suspicious-io-cluster.js.map +1 -0
package/dist/diff.d.ts +23 -0
package/dist/diff.d.ts.map +1 -0
package/dist/diff.js +144 -0
package/dist/diff.js.map +1 -0
package/dist/directives.d.ts +33 -0
package/dist/directives.d.ts.map +1 -0
package/dist/directives.js +60 -0
package/dist/directives.js.map +1 -0
package/dist/errors.d.ts +19 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +16 -0
package/dist/errors.js.map +1 -0
package/dist/grammar/query.d.ts +44 -0
package/dist/grammar/query.d.ts.map +1 -0
package/dist/grammar/query.js +24 -0
package/dist/grammar/query.js.map +1 -0
package/dist/index.d.ts +101 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +106 -0
package/dist/index.js.map +1 -0
package/dist/internal/patterns.d.ts +48 -0
package/dist/internal/patterns.d.ts.map +1 -0
package/dist/internal/patterns.js +95 -0
package/dist/internal/patterns.js.map +1 -0
package/dist/internal/text.d.ts +14 -0
package/dist/internal/text.d.ts.map +1 -0
package/dist/internal/text.js +20 -0
package/dist/internal/text.js.map +1 -0
package/dist/rules.d.ts +25 -0
package/dist/rules.d.ts.map +1 -0
package/dist/rules.js +195 -0
package/dist/rules.js.map +1 -0
package/dist/scan.d.ts +26 -0
package/dist/scan.d.ts.map +1 -0
package/dist/scan.js +287 -0
package/dist/scan.js.map +1 -0
package/dist/types.d.ts +215 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +8 -0
package/dist/types.js.map +1 -0
package/dist/version.d.ts +10 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +50 -0
package/dist/version.js.map +1 -0
package/package.json +74 -0

package/dist/detectors/suspicious-io-cluster.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * obf.suspicious-io-cluster.<lang> — Layer B.
+ *
+ * Fires when a single file *both* reads from a known-secrets path
+ * (~/.npmrc, ~/.aws/credentials, ~/.ssh/id_*, etc.) *and* makes an
+ * outbound network call. The cluster is the signal — either alone is
+ * usually benign.
+ */
+import { lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+// Path fragments that strongly indicate a secrets read.
+const SECRET_PATH_RE = /(\.npmrc|\.aws[\/\\]credentials|\.aws[\/\\]config|\.ssh[\/\\]id_[a-z0-9_]+|\.docker[\/\\]config|\.gitconfig|\.netrc|GITHUB_TOKEN|NPM_TOKEN|AWS_ACCESS_KEY)/g;
+const cache = new WeakMap();
+function compile(config) {
+    const cached = cache.get(config);
+    if (cached)
+        return cached;
+    const net = config.network_io ?? [];
+    const sec = config.secrets_io ?? [];
+    const shell = config.shell_exec ?? [];
+    const compiled = {
+        network: net.length ? new RegExp(`(?:${namedCallAlternation(net)})\\s*\\(`, "g") : null,
+        secretsIo: sec.length ? new RegExp(`(?:${namedCallAlternation(sec)})\\s*\\(`, "g") : null,
+        shellExec: shell.length ? new RegExp(`(?:${namedCallAlternation(shell)})\\s*\\(`, "g") : null,
+    };
+    cache.set(config, compiled);
+    return compiled;
+}
+export const suspiciousIoCluster = {
+    id: "obf.suspicious-io-cluster",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfsuspicious-io-cluster",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES);
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const cfg = ctx.config;
+        const src = ctx.source;
+        const { network, shellExec } = compile(cfg);
+        if (!network)
+            return [];
+        // 1. Find at least one secret-path reference.
+        const secretPathMatch = SECRET_PATH_RE.exec(src);
+        SECRET_PATH_RE.lastIndex = 0;
+        const hasSecretPath = !!secretPathMatch;
+        // 2. Find at least one network call.
+        const netRe = new RegExp(network.source, network.flags);
+        const netMatch = netRe.exec(src);
+        if (!netMatch)
+            return [];
+        // Secondary cluster: shell + network in the same file. This catches
+        // setup.py and similar install-time droppers that fetch and execute.
+        const shellMatch = shellExec ? new RegExp(shellExec.source, shellExec.flags).exec(src) : null;
+        if (!hasSecretPath && !shellMatch)
+            return [];
+        const findings = [];
+        if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+            return findings;
+        // Anchor the finding on whichever appears earlier — gives the user a
+        // single jump-to location for the cluster.
+        const offset = hasSecretPath
+            ? Math.min(secretPathMatch.index, netMatch.index)
+            : Math.min(shellMatch.index, netMatch.index);
+        findings.push({
+            ruleId: `obf.suspicious-io-cluster.${cfg.id}`,
+            severity: "warn",
+            score: 8,
+            file: ctx.path,
+            line: lineAtOffset(src, offset),
+            snippet: truncateSnippet(src.slice(offset, Math.min(src.length, offset + 200))),
+            reason: `File reads from a known secrets location AND makes a network call. ` +
+                `This is the data-exfil cluster shape that defines supply-chain malware.`,
+            evidence: {
+                language: cfg.id,
+                secretMarker: secretPathMatch?.[0] ?? null,
+                shellCall: shellMatch?.[0] ?? null,
+                networkCall: netMatch[0],
+            },
+        });
+        return findings;
+    },
+};
+//# sourceMappingURL=suspicious-io-cluster.js.map

package/dist/detectors/suspicious-io-cluster.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"suspicious-io-cluster.js","sourceRoot":"","sources":["../../src/detectors/suspicious-io-cluster.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EACL,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,wDAAwD;AACxD,MAAM,cAAc,GAClB,6JAA6J,CAAC;AAQhK,MAAM,KAAK,GAAG,IAAI,OAAO,EAA4B,CAAC;AAEtD,SAAS,OAAO,CAAC,MAAsB;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAa;QACzB,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QACvF,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QACzF,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,oBAAoB,CAAC,KAAK,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;KAC9F,CAAC;IACF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAa;IAC3C,EAAE,EAAE,2BAA2B;IAC/B,OAAO,EAAE,8FAA8F;IAEvG,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CACrC,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAExB,8CAA8C;QAC9C,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjD,cAAc,CAAC,SAAS,GAAG,CAAC,CAAC;QAC7B,MAAM,aAAa,GAAG,CAAC,CAAC,eAAe,CAAC;QAExC,qCAAqC;QACrC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,QAAQ;YAAE,OAAO,EAAE,CAAC;QAEzB,oEAAoE;QACpE,qEAAqE;QACrE,MAAM,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9F,IAAI,CAAC,aAAa,IAAI,CAAC,UAAU;YAAE,OAAO,EAAE,CAAC;QAE7C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;YAAE,OAAO,QAAQ,CAAC;QAElE,qEAAqE;QACrE,2CAA2C;QAC3C,MAAM,MAAM,GAAG,aAAa;YAC1B,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,eAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC;YAClD,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,UAAW,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;QAChD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,6BAA6B,GAAG,CAAC,EAAE,EAAE;YAC7C,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC;YACR,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,eAAe,CACtB,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC,CACtD;YACD,MAAM,EACJ,qEAAqE;gBACrE,yEAAyE;YAC3E,QAAQ,EAAE;gBACR,QAAQ,EAAE,GAAG,CAAC,EAAE;gBAChB,YAAY,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI;gBAC1C,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI;gBAClC,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC;aACzB;SACF,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/diff.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Unified-diff parser → DiffFile[].
+ *
+ * Pure, dependency-free, line-based parser. Handles:
+ *   - added / modified / deleted file headers (`new file mode`, `deleted file mode`, `/dev/null`)
+ *   - hunk headers `@@ -a,b +c,d @@`
+ *   - paths normalized to forward slashes (no Windows backslashes leak through)
+ *
+ * `addedRanges` is a list of inclusive 1-based [startLine, endLine] tuples
+ * pointing into the *post-image* (the file as it exists after the diff is
+ * applied), covering only the lines marked with `+` in each hunk.
+ */
+export interface DiffFile {
+    /** Workspace-relative POSIX path. */
+    path: string;
+    status: "added" | "modified" | "deleted";
+    /** 1-based inclusive line ranges of added lines in the post-image. Empty for deleted files. */
+    addedRanges: ReadonlyArray<readonly [number, number]>;
+}
+export declare function parseDiffToFiles(diff: string): DiffFile[];
+/** True if `line` (1-based) falls within any of the given inclusive ranges. */
+export declare function lineInRanges(line: number, ranges: ReadonlyArray<readonly [number, number]>): boolean;
+//# sourceMappingURL=diff.d.ts.map

package/dist/diff.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../src/diff.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,QAAQ;IACvB,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,GAAG,UAAU,GAAG,SAAS,CAAC;IACzC,+FAA+F;IAC/F,WAAW,EAAE,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACvD;AAUD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,EAAE,CAmHzD;AAED,+EAA+E;AAC/E,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,GAC/C,OAAO,CAKT"}

package/dist/diff.js ADDED Viewed

@@ -0,0 +1,144 @@
+/**
+ * Unified-diff parser → DiffFile[].
+ *
+ * Pure, dependency-free, line-based parser. Handles:
+ *   - added / modified / deleted file headers (`new file mode`, `deleted file mode`, `/dev/null`)
+ *   - hunk headers `@@ -a,b +c,d @@`
+ *   - paths normalized to forward slashes (no Windows backslashes leak through)
+ *
+ * `addedRanges` is a list of inclusive 1-based [startLine, endLine] tuples
+ * pointing into the *post-image* (the file as it exists after the diff is
+ * applied), covering only the lines marked with `+` in each hunk.
+ */
+const FILE_HEADER = /^diff --git a\/(.+?) b\/(.+?)$/;
+const HUNK_HEADER = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@/;
+export function parseDiffToFiles(diff) {
+    if (!diff || diff.length === 0)
+        return [];
+    const out = [];
+    const lines = diff.split(/\r?\n/);
+    let i = 0;
+    while (i < lines.length) {
+        const line = lines[i] ?? "";
+        const header = FILE_HEADER.exec(line);
+        if (!header) {
+            i++;
+            continue;
+        }
+        // Default to the b-side path; overridden below if /dev/null appears.
+        let path = (header[2] ?? "").replace(/\\/g, "/");
+        let status = "modified";
+        const addedRanges = [];
+        i++;
+        // Parse meta lines until we hit the first hunk or the next file header.
+        while (i < lines.length) {
+            const meta = lines[i] ?? "";
+            if (FILE_HEADER.test(meta))
+                break;
+            if (meta.startsWith("@@"))
+                break;
+            if (meta.startsWith("new file mode"))
+                status = "added";
+            else if (meta.startsWith("deleted file mode"))
+                status = "deleted";
+            else if (meta.startsWith("--- ")) {
+                // No-op; b-side path drives reporting.
+            }
+            else if (meta.startsWith("+++ ")) {
+                const rhs = meta.slice(4).trim();
+                if (rhs === "/dev/null")
+                    status = "deleted";
+                else if (rhs.startsWith("b/"))
+                    path = rhs.slice(2).replace(/\\/g, "/");
+                else if (rhs !== "/dev/null")
+                    path = rhs.replace(/\\/g, "/");
+            }
+            i++;
+        }
+        // Parse hunks.
+        while (i < lines.length) {
+            const hunkLine = lines[i] ?? "";
+            if (FILE_HEADER.test(hunkLine))
+                break;
+            if (!hunkLine.startsWith("@@")) {
+                i++;
+                continue;
+            }
+            const m = HUNK_HEADER.exec(hunkLine);
+            if (!m) {
+                i++;
+                continue;
+            }
+            const hunk = {
+                postStart: parseInt(m[1] ?? "0", 10) || 0,
+            };
+            i++;
+            // Walk hunk body. Lines starting with "+" advance the post-image cursor
+            // and contribute to addedRanges. " " lines advance both. "-" lines do
+            // not advance the post cursor. "" is ignored.
+            let postCursor = hunk.postStart;
+            let runStart = null;
+            while (i < lines.length) {
+                const body = lines[i] ?? "";
+                if (FILE_HEADER.test(body) || body.startsWith("@@"))
+                    break;
+                if (body.startsWith("+")) {
+                    if (runStart === null)
+                        runStart = postCursor;
+                    postCursor++;
+                    i++;
+                }
+                else if (body.startsWith(" ")) {
+                    if (runStart !== null) {
+                        addedRanges.push([runStart, postCursor - 1]);
+                        runStart = null;
+                    }
+                    postCursor++;
+                    i++;
+                }
+                else if (body.startsWith("-")) {
+                    if (runStart !== null) {
+                        addedRanges.push([runStart, postCursor - 1]);
+                        runStart = null;
+                    }
+                    i++;
+                }
+                else if (body.startsWith("\\")) {
+                    // "" — skip.
+                    i++;
+                }
+                else if (body === "") {
+                    // Blank line: treat as context unless it's the trailing blank from split.
+                    if (i + 1 >= lines.length) {
+                        i++;
+                        break;
+                    }
+                    if (runStart !== null) {
+                        addedRanges.push([runStart, postCursor - 1]);
+                        runStart = null;
+                    }
+                    postCursor++;
+                    i++;
+                }
+                else {
+                    break;
+                }
+            }
+            if (runStart !== null)
+                addedRanges.push([runStart, postCursor - 1]);
+        }
+        if (status !== "deleted") {
+            out.push({ path, status, addedRanges });
+        }
+    }
+    return out;
+}
+/** True if `line` (1-based) falls within any of the given inclusive ranges. */
+export function lineInRanges(line, ranges) {
+    for (const [start, end] of ranges) {
+        if (line >= start && line <= end)
+            return true;
+    }
+    return false;
+}
+//# sourceMappingURL=diff.js.map

package/dist/diff.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"diff.js","sourceRoot":"","sources":["../src/diff.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAUH,MAAM,WAAW,GAAG,gCAAgC,CAAC;AACrD,MAAM,WAAW,GAAG,yCAAyC,CAAC;AAO9D,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE1C,MAAM,GAAG,GAAe,EAAE,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAElC,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,CAAC,EAAE,CAAC;YACJ,SAAS;QACX,CAAC;QAED,qEAAqE;QACrE,IAAI,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACjD,IAAI,MAAM,GAAuB,UAAU,CAAC;QAC5C,MAAM,WAAW,GAA4B,EAAE,CAAC;QAEhD,CAAC,EAAE,CAAC;QAEJ,wEAAwE;QACxE,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,MAAM;YAClC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,MAAM;YAEjC,IAAI,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;gBAAE,MAAM,GAAG,OAAO,CAAC;iBAClD,IAAI,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC;gBAAE,MAAM,GAAG,SAAS,CAAC;iBAC7D,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,uCAAuC;YACzC,CAAC;iBAAM,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjC,IAAI,GAAG,KAAK,WAAW;oBAAE,MAAM,GAAG,SAAS,CAAC;qBACvC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;oBAAE,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;qBAClE,IAAI,GAAG,KAAK,WAAW;oBAAE,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YACD,CAAC,EAAE,CAAC;QACN,CAAC;QAED,eAAe;QACf,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAChC,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,MAAM;YACtC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YAED,MAAM,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrC,IAAI,CAAC,CAAC,EAAE,CAAC;gBACP,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAS;gBACjB,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC;aAC1C,CAAC;YACF,CAAC,EAAE,CAAC;YAEJ,wEAAwE;YACxE,sEAAsE;YACtE,yEAAyE;YACzE,IAAI,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;YAChC,IAAI,QAAQ,GAAkB,IAAI,CAAC;YAEnC,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;oBAAE,MAAM;gBAE3D,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzB,IAAI,QAAQ,KAAK,IAAI;wBAAE,QAAQ,GAAG,UAAU,CAAC;oBAC7C,UAAU,EAAE,CAAC;oBACb,CAAC,EAAE,CAAC;gBACN,CAAC;qBAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBAChC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;wBACtB,WAAW,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC;wBAC7C,QAAQ,GAAG,IAAI,CAAC;oBAClB,CAAC;oBACD,UAAU,EAAE,CAAC;oBACb,CAAC,EAAE,CAAC;gBACN,CAAC;qBAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBAChC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;wBACtB,WAAW,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC;wBAC7C,QAAQ,GAAG,IAAI,CAAC;oBAClB,CAAC;oBACD,CAAC,EAAE,CAAC;gBACN,CAAC;qBAAM,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjC,wCAAwC;oBACxC,CAAC,EAAE,CAAC;gBACN,CAAC;qBAAM,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;oBACvB,0EAA0E;oBAC1E,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;wBAC1B,CAAC,EAAE,CAAC;wBACJ,MAAM;oBACR,CAAC;oBACD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;wBACtB,WAAW,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC;wBAC7C,QAAQ,GAAG,IAAI,CAAC;oBAClB,CAAC;oBACD,UAAU,EAAE,CAAC;oBACb,CAAC,EAAE,CAAC;gBACN,CAAC;qBAAM,CAAC;oBACN,MAAM;gBACR,CAAC;YACH,CAAC;YACD,IAAI,QAAQ,KAAK,IAAI;gBAAE,WAAW,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC;QACtE,CAAC;QAED,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,YAAY,CAC1B,IAAY,EACZ,MAAgD;IAEhD,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,MAAM,EAAE,CAAC;QAClC,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,GAAG;YAAE,OAAO,IAAI,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/directives.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * In-source suppression directives.
+ *
+ * Three forms recognized, mirroring eslint's syntax. Comment style is
+ * autodetected — anything between `#`, `//`, `/* ... *\/`, `--`, `;`, or `'`
+ * is treated as a comment context.
+ *
+ *   // obfuscan-disable-next-line obf.high-entropy-literal
+ *   const k = "...";
+ *
+ *   const k = "..."; // obfuscan-disable-line obf.high-entropy-literal
+ *
+ *   /* obfuscan-disable-line obf.foo, obf.bar *\/
+ *
+ * Multiple rule ids may be comma-separated. Omitting the ids disables ALL
+ * detectors for that line — discouraged, but supported.
+ *
+ * The aggregator calls `extractDisableDirectives(source)` once per file and
+ * filters findings whose `(line, ruleId)` matches.
+ */
+export interface DisableDirective {
+    /** 1-based line number that this directive suppresses. */
+    line: number;
+    /** Empty array means "all rules". */
+    ruleIds: readonly string[];
+}
+export declare function extractDisableDirectives(source: string): DisableDirective[];
+/**
+ * True if `(line, ruleId)` is suppressed by any directive in `directives`.
+ * A directive with an empty ruleIds array suppresses every rule on its line.
+ */
+export declare function isSuppressedByDirectives(line: number, ruleId: string, directives: readonly DisableDirective[]): boolean;
+//# sourceMappingURL=directives.d.ts.map

package/dist/directives.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"directives.d.ts","sourceRoot":"","sources":["../src/directives.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,0DAA0D;IAC1D,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AAKD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,EAAE,CAsB3E;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,SAAS,gBAAgB,EAAE,GACtC,OAAO,CAST"}

package/dist/directives.js ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * In-source suppression directives.
+ *
+ * Three forms recognized, mirroring eslint's syntax. Comment style is
+ * autodetected — anything between `#`, `//`, `/* ... *\/`, `--`, `;`, or `'`
+ * is treated as a comment context.
+ *
+ *   // obfuscan-disable-next-line obf.high-entropy-literal
+ *   const k = "...";
+ *
+ *   const k = "..."; // obfuscan-disable-line obf.high-entropy-literal
+ *
+ *   /* obfuscan-disable-line obf.foo, obf.bar *\/
+ *
+ * Multiple rule ids may be comma-separated. Omitting the ids disables ALL
+ * detectors for that line — discouraged, but supported.
+ *
+ * The aggregator calls `extractDisableDirectives(source)` once per file and
+ * filters findings whose `(line, ruleId)` matches.
+ */
+const DIRECTIVE_RE = /obfuscan-disable-(next-line|line)\b\s*([A-Za-z0-9_.,\- *]*)/g;
+export function extractDisableDirectives(source) {
+    const out = [];
+    if (!source)
+        return out;
+    const lines = source.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i] ?? "";
+        DIRECTIVE_RE.lastIndex = 0;
+        let m;
+        while ((m = DIRECTIVE_RE.exec(line)) !== null) {
+            const kind = m[1];
+            const idsRaw = (m[2] ?? "").trim();
+            const ruleIds = idsRaw
+                .split(/[\s,]+/)
+                .map(s => s.trim())
+                .filter(s => s.length > 0 && /^[A-Za-z0-9_.\-]+$/.test(s));
+            const targetLine = kind === "next-line" ? i + 2 : i + 1;
+            out.push({ line: targetLine, ruleIds });
+        }
+    }
+    return out;
+}
+/**
+ * True if `(line, ruleId)` is suppressed by any directive in `directives`.
+ * A directive with an empty ruleIds array suppresses every rule on its line.
+ */
+export function isSuppressedByDirectives(line, ruleId, directives) {
+    for (const d of directives) {
+        if (d.line !== line)
+            continue;
+        if (d.ruleIds.length === 0)
+            return true;
+        if (d.ruleIds.some(id => ruleId === id || ruleId.startsWith(id + "."))) {
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=directives.js.map

package/dist/directives.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"directives.js","sourceRoot":"","sources":["../src/directives.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AASH,MAAM,YAAY,GAChB,8DAA8D,CAAC;AAEjE,MAAM,UAAU,wBAAwB,CAAC,MAAc;IACrD,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,GAAG,CAAC;IACxB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5B,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC;QAC3B,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAClB,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,MAAM;iBACnB,KAAK,CAAC,QAAQ,CAAC;iBACf,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBAClB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAE7D,MAAM,UAAU,GAAG,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACxD,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,IAAY,EACZ,MAAc,EACd,UAAuC;IAEvC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;YAAE,SAAS;QAC9B,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,EAAE,IAAI,MAAM,CAAC,UAAU,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC;YACvE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/errors.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Error classes — hoisted to a separate module to avoid circular imports
+ * between rules.ts, scan.ts, and index.ts.
+ */
+export declare class InvalidScanInputError extends Error {
+    readonly name = "InvalidScanInputError";
+}
+export declare class InvalidRuleSetError extends Error {
+    readonly details: ReadonlyArray<{
+        file: string;
+        problem: string;
+    }>;
+    readonly name = "InvalidRuleSetError";
+    constructor(message: string, details: ReadonlyArray<{
+        file: string;
+        problem: string;
+    }>);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,qBAAa,qBAAsB,SAAQ,KAAK;IAC9C,SAAkB,IAAI,2BAA2B;CAClD;AAED,qBAAa,mBAAoB,SAAQ,KAAK;IAI1C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IAHpE,SAAkB,IAAI,yBAAyB;gBAE7C,OAAO,EAAE,MAAM,EACN,OAAO,EAAE,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAIrE"}

package/dist/errors.js ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Error classes — hoisted to a separate module to avoid circular imports
+ * between rules.ts, scan.ts, and index.ts.
+ */
+export class InvalidScanInputError extends Error {
+    name = "InvalidScanInputError";
+}
+export class InvalidRuleSetError extends Error {
+    details;
+    name = "InvalidRuleSetError";
+    constructor(message, details) {
+        super(message);
+        this.details = details;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC5B,IAAI,GAAG,uBAAuB,CAAC;CAClD;AAED,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAIjC;IAHO,IAAI,GAAG,qBAAqB,CAAC;IAC/C,YACE,OAAe,EACN,OAAyD;QAElE,KAAK,CAAC,OAAO,CAAC,CAAC;QAFN,YAAO,GAAP,OAAO,CAAkD;IAGpE,CAAC;CACF"}

package/dist/grammar/query.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Tree-sitter query runner — internal facade.
+ *
+ * STATUS: stub. The real implementation will:
+ *   1. Resolve the per-grammar query file `queries/per-grammar/<lang>.scm`
+ *   2. Concatenate it with the shared template `queries/shared/<name>.scm`
+ *   3. Compile via `web-tree-sitter` Query, cached per (grammar, name)
+ *   4. Run against the parsed tree and yield captures
+ *
+ * Detectors depend only on the `QueryMatch` / `QueryNode` shapes below, so
+ * the engine implementation can evolve without rewriting detectors.
+ */
+import type { GrammarHandle } from "../types.js";
+/** A captured node from a tree-sitter query. */
+export interface QueryNode {
+    /** Source text of the node. */
+    readonly text: string;
+    /** 0-based byte offset of the node start in the source. */
+    readonly startIndex: number;
+    /** 0-based byte offset of the node end (exclusive). */
+    readonly endIndex: number;
+    /** 0-based row/column of node start. */
+    readonly startPosition: {
+        readonly row: number;
+        readonly column: number;
+    };
+    /** 0-based row/column of node end. */
+    readonly endPosition: {
+        readonly row: number;
+        readonly column: number;
+    };
+}
+/** A single match from a query — a map from capture name to node. */
+export interface QueryMatch {
+    readonly captures: ReadonlyMap<string, QueryNode>;
+}
+/**
+ * Run a named query against a parsed tree and return all matches.
+ *
+ * Throws if the query name is unknown for this grammar — detectors should
+ * catch and treat as "this language hasn't been ported to this query yet".
+ */
+export declare function runQuery(_grammar: GrammarHandle, _tree: unknown, _queryName: string): readonly QueryMatch[];
+//# sourceMappingURL=query.d.ts.map

package/dist/grammar/query.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"query.d.ts","sourceRoot":"","sources":["../../src/grammar/query.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,gDAAgD;AAChD,MAAM,WAAW,SAAS;IACxB,+BAA+B;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,2DAA2D;IAC3D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,uDAAuD;IACvD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,wCAAwC;IACxC,QAAQ,CAAC,aAAa,EAAE;QAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1E,sCAAsC;IACtC,QAAQ,CAAC,WAAW,EAAE;QAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CACzE;AAED,qEAAqE;AACrE,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;CACnD;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,aAAa,EACvB,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACjB,SAAS,UAAU,EAAE,CAIvB"}

package/dist/grammar/query.js ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Tree-sitter query runner — internal facade.
+ *
+ * STATUS: stub. The real implementation will:
+ *   1. Resolve the per-grammar query file `queries/per-grammar/<lang>.scm`
+ *   2. Concatenate it with the shared template `queries/shared/<name>.scm`
+ *   3. Compile via `web-tree-sitter` Query, cached per (grammar, name)
+ *   4. Run against the parsed tree and yield captures
+ *
+ * Detectors depend only on the `QueryMatch` / `QueryNode` shapes below, so
+ * the engine implementation can evolve without rewriting detectors.
+ */
+/**
+ * Run a named query against a parsed tree and return all matches.
+ *
+ * Throws if the query name is unknown for this grammar — detectors should
+ * catch and treat as "this language hasn't been ported to this query yet".
+ */
+export function runQuery(_grammar, _tree, _queryName) {
+    // Reference stub: returns no matches. Replace with a real implementation
+    // that compiles `.scm` files and walks the tree.
+    return [];
+}
+//# sourceMappingURL=query.js.map

package/dist/grammar/query.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"query.js","sourceRoot":"","sources":["../../src/grammar/query.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAuBH;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAuB,EACvB,KAAc,EACd,UAAkB;IAElB,yEAAyE;IACzE,iDAAiD;IACjD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,101 @@
+/**
+ * @obfuscan/core — public entry point.
+ *
+ * Stable API surface. Anything not re-exported here is internal and may
+ * change without a major version bump.
+ *
+ * ## Quick start
+ *
+ * ```ts
+ * import { scan } from "@obfuscan/core";
+ * import * as fs from "node:fs/promises";
+ *
+ * const result = await scan(
+ *   { diff: await fs.readFile("pr.diff", "utf8") },
+ *   { fileResolver: (p) => fs.readFile(p, "utf8") },
+ * );
+ *
+ * for (const f of result.findings) {
+ *   console.log(`${f.severity.toUpperCase()} ${f.file}:${f.line} ${f.reason}`);
+ * }
+ * ```
+ *
+ * ## Custom rules
+ *
+ * ```ts
+ * import { scan, loadRuleSet } from "@obfuscan/core";
+ *
+ * const rules = await loadRuleSet({
+ *   languageDir: "./my-rules/languages",
+ *   queryDir:    "./my-rules/queries",
+ * });
+ *
+ * const result = await scan({ dir: "./src" }, { fileResolver, rules });
+ * ```
+ *
+ * ## Custom detectors
+ *
+ * ```ts
+ * import { scan, defaultDetectors, Detector } from "@obfuscan/core";
+ *
+ * const myDetector: Detector = {
+ *   id: "my-org.no-fetch-in-tests",
+ *   applies: (ctx) => /\.test\./.test(ctx.path),
+ *   run: (ctx) => /* ... *\/ [],
+ * };
+ *
+ * const result = await scan(input, {
+ *   fileResolver,
+ *   detectors: [...defaultDetectors(), myDetector],
+ * });
+ * ```
+ */
+export { scan } from "./scan.js";
+export type { Severity, Finding, LanguageConfig, RuleSet, GrammarHandle, PathAllowlistEntry, SnippetAllowlistEntry, Allowlist, ScanInput, ScanOptions, ScanProgress, ScanResult, FileResolver, SymbolResolver, Logger, Detector, FileContext, } from "./types.js";
+/**
+ * Load a custom rule set from disk. Use this to point obfuscan at a fork of
+ * `@obfuscan/rules` or at an internal extension. If you only need the
+ * defaults, omit `rules` from `ScanOptions` and the built-in pack is used.
+ */
+export { loadRuleSet, defaultRuleSet } from "./rules.js";
+/**
+ * The shipped detector set. Use this as a base when you want to add or
+ * filter detectors:
+ *
+ * ```ts
+ * const dets = defaultDetectors().filter(d => d.id !== "obf.high-entropy-literal");
+ * ```
+ */
+export { defaultDetectors } from "./detectors/index.js";
+/**
+ * Read/write `.obfuscan/allowlist.json`. The CLI uses these directly.
+ * Programmatic users typically pass an inline `allowlist` to `scan()`
+ * instead of touching disk.
+ */
+export { loadAllowlist, saveAllowlist, hashSnippet, matchesAllowlist, } from "./allowlist.js";
+/**
+ * Parse a unified diff into the shape `scan()` consumes internally.
+ * Exposed for hosts (e.g. a Git client) that already have a structured diff
+ * representation and want to skip re-serializing.
+ */
+export { parseDiffToFiles } from "./diff.js";
+export type { DiffFile } from "./diff.js";
+/**
+ * Parses `// obfuscan-disable-next-line <ruleId>` and similar comment
+ * directives. Returns the set of (line, ruleId) pairs to suppress.
+ * Used internally by the aggregator; exposed for tooling that wants to
+ * surface them in a UI.
+ */
+export { extractDisableDirectives } from "./directives.js";
+export type { DisableDirective } from "./directives.js";
+/** SemVer of the engine. Replaced at build time via `__ENGINE_VERSION__`. */
+export { ENGINE_VERSION } from "./version.js";
+/**
+ * `InvalidScanInputError` — thrown when `ScanInput` is missing all of
+ * `diff`, `paths`, `dir`, or specifies more than one.
+ *
+ * `InvalidRuleSetError` — thrown when a custom rule set fails validation.
+ * Includes a `details` array describing each problem.
+ */
+export { InvalidScanInputError, InvalidRuleSetError } from "./errors.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAIH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,YAAY,EAEV,QAAQ,EACR,OAAO,EAEP,cAAc,EACd,OAAO,EACP,aAAa,EACb,kBAAkB,EAClB,qBAAqB,EACrB,SAAS,EAET,SAAS,EACT,WAAW,EACX,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,cAAc,EACd,MAAM,EAEN,QAAQ,EACR,WAAW,GACZ,MAAM,YAAY,CAAC;AAIpB;;;;GAIG;AACH,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAIzD;;;;;;;GAOG;AACH,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAIxD;;;;GAIG;AACH,OAAO,EACL,aAAa,EACb,aAAa,EACb,WAAW,EACX,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AAIxB;;;;GAIG;AACH,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,YAAY,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAI1C;;;;;GAKG;AACH,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAC;AAC3D,YAAY,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAIxD,6EAA6E;AAC7E,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAI9C;;;;;;GAMG;AACH,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}