@oculum/scanner 1.0.0

package/dist/layer2/ai-agent-tools.js

@@ -0,0 +1,528 @@
+"use strict";
+/**
+ * Layer 2: AI Agent Tool Permission Detection
+ * Detects overly permissive agent tools and missing authorization checks
+ *
+ * Covers B4: Agent/tool orchestration logic
+ *
+ * Issues detected:
+ * - Tools with unrestricted file system access
+ * - Tools with unrestricted network access
+ * - Tools with shell/code execution capability
+ * - Tools without user/tenant context verification
+ * - Database tools without proper scoping
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAIAgentTools = detectAIAgentTools;
+const context_helpers_1 = require("../utils/context-helpers");
+// ============================================================================
+// Agent/Tool Context Detection
+// ============================================================================
+/**
+ * Check if file contains agent or tool definitions
+ */
+function isAgentOrToolFile(filePath, content) {
+    // File path indicators
+    const agentPathPatterns = [
+        /\/(agents?|tools?|functions?|actions?)\//i,
+        /\/(mcp|langchain|llamaindex|autogen)\//i,
+        /(agent|tool|function|action).*\.(ts|js|py)$/i,
+    ];
+    if (agentPathPatterns.some(p => p.test(filePath))) {
+        return true;
+    }
+    // Content patterns indicating tool/agent definitions
+    const toolDefinitionPatterns = [
+        /@tool/i, // Python decorator
+        /def\s+\w+_tool\s*\(/i, // Python tool function
+        /defineTool\s*\(/i, // JS/TS tool definition
+        /createTool\s*\(/i, // Tool creation
+        /\.registerTool\s*\(/i, // Tool registration
+        /\.addTool\s*\(/i, // Adding tool to agent
+        /tools\s*:\s*\[/i, // Tools array
+        /FunctionTool|StructuredTool/i, // LangChain tools
+        /tool_choice|function_call/i, // OpenAI function calling
+        /Tool\s*\(\s*\{/i, // Tool configuration object
+        /type:\s*['"`]function['"`]/i, // OpenAI function type
+        /mcpServer|McpServer/i, // MCP server
+    ];
+    return toolDefinitionPatterns.some(p => p.test(content));
+}
+/**
+ * Find tool definition boundaries (start and end lines)
+ */
+function findToolDefinitionContext(content, lineNumber, windowSize = 30) {
+    const lines = content.split('\n');
+    const startLine = Math.max(0, lineNumber - windowSize);
+    const endLine = Math.min(lines.length, lineNumber + windowSize);
+    return {
+        context: lines.slice(startLine, endLine).join('\n'),
+        startLine,
+        endLine,
+    };
+}
+// ============================================================================
+// Authorization Detection
+// ============================================================================
+/**
+ * Check if user context is verified in tool
+ */
+function hasUserContextVerification(context) {
+    const userContextPatterns = [
+        /user[_.]?id/i,
+        /userId/i,
+        /currentUser/i,
+        /req\.user/i,
+        /request\.user/i,
+        /session\.user/i,
+        /getUser\s*\(/i,
+        /getCurrentUser\s*\(/i,
+        /authenticatedUser/i,
+        /ctx\.user/i,
+        /context\.user/i,
+    ];
+    return userContextPatterns.some(p => p.test(context));
+}
+/**
+ * Check if tenant/organization context is verified
+ */
+function hasTenantContextVerification(context) {
+    const tenantContextPatterns = [
+        /tenant[_.]?id/i,
+        /tenantId/i,
+        /org[_.]?id/i,
+        /orgId/i,
+        /organization[_.]?id/i,
+        /workspace[_.]?id/i,
+        /workspaceId/i,
+        /team[_.]?id/i,
+        /teamId/i,
+        /account[_.]?id/i,
+        /accountId/i,
+    ];
+    return tenantContextPatterns.some(p => p.test(context));
+}
+/**
+ * Patterns indicating strong/verified restrictions (actual implementation)
+ */
+const STRONG_RESTRICTION_PATTERNS = [
+    // Sandboxing libraries and environments
+    /\bvm2\b/i,
+    /\bisolated-vm\b/i,
+    /\bquickjs\b/i,
+    /\bsandboxed\b/i,
+    /\bRestrictedPython\b/i,
+    /\bnsjail\b/i,
+    /\bfirejail\b/i,
+    /\bgvisor\b/i,
+    // Explicit path/resource restrictions with arrays
+    /allowed(?:Paths|Files|Dirs|Hosts|Urls|Commands)\s*[=:]\s*\[/i,
+    /(?:white|allow)list\s*[=:]\s*\[/i,
+    /(?:blocked|denied|forbidden)(?:Paths|Hosts|Commands)\s*[=:]\s*\[/i,
+    // Path validation functions
+    /validatePath\s*\(/i,
+    /isAllowedPath\s*\(/i,
+    /checkPathAccess\s*\(/i,
+    /resolvePath.*allowed/i,
+    /path\.resolve.*includes/i,
+    // Sandbox configuration objects
+    /sandbox\s*[=:]\s*(?:true|\{)/i,
+    /readonly\s*[=:]\s*true/i,
+    /readOnly\s*[=:]\s*true/i,
+    // Container/isolation patterns
+    /\b(?:docker|podman)\s+run\b.*--read-only/i,
+    /seccomp/i,
+    /capabilities\s*[=:]\s*\[\s*\]/i, // Empty capabilities = restricted
+    // Permission checking code
+    /if\s*\(\s*!?\s*(?:allowed|permitted|authorized)/i,
+    /(?:check|verify|validate)(?:Access|Permission|Capability)\s*\(/i,
+];
+/**
+ * Patterns indicating weak/unverified restriction mentions (comments, TODOs)
+ */
+const WEAK_RESTRICTION_PATTERNS = [
+    // Comments mentioning restrictions without implementation
+    /\/\/.*(?:sandbox|restrict|allowlist|whitelist|todo)/i,
+    /\/\*.*(?:sandbox|restrict|allowlist|whitelist|todo).*\*\//i,
+    /#.*(?:sandbox|restrict|allowlist|whitelist|todo)/i,
+    // TODOs and FIXMEs
+    /TODO.*(?:add|implement|enable).*(?:sandbox|restrict|allowlist)/i,
+    /FIXME.*(?:sandbox|restrict|security)/i,
+    // Variable names without assignment
+    /const\s+(?:sandbox|allowlist|whitelist)\s*;/i,
+];
+/**
+ * Check if tool has strong/verified access restrictions
+ * These are actual implementations, not just mentions
+ */
+function hasStrongRestrictions(context) {
+    // Check for strong patterns
+    const hasStrong = STRONG_RESTRICTION_PATTERNS.some(p => p.test(context));
+    if (!hasStrong)
+        return false;
+    // Verify it's not just a weak mention
+    const isWeak = WEAK_RESTRICTION_PATTERNS.some(p => p.test(context));
+    return !isWeak;
+}
+/**
+ * Check if tool has any access restrictions/allowlists (including weak mentions)
+ */
+function hasAccessRestrictions(context) {
+    const restrictionPatterns = [
+        /allowedPaths/i,
+        /allowedFiles/i,
+        /allowedDirs/i,
+        /allowedHosts/i,
+        /allowedUrls/i,
+        /allowedCommands/i,
+        /allowedOperations/i,
+        /whitelist/i,
+        /allowlist/i,
+        /permissions?:/i,
+        /capabilities:/i,
+        /restrictions?:/i,
+        /constraints?:/i,
+        /sandbox/i,
+        /readonly/i,
+        /readOnly/i,
+    ];
+    return restrictionPatterns.some(p => p.test(context));
+}
+const OVERPERMISSIVE_TOOL_PATTERNS = [
+    // ========== Filesystem Access Tools ==========
+    {
+        name: 'Unrestricted file read tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:read|get).*file|(?:fs|filesystem).*(?:read|get)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'Tool provides file system read access. Without restrictions, agents can access any file the process can read.',
+        suggestedFix: 'Add allowedPaths restriction. Example: { allowedPaths: ["/data/user-uploads"] }. Validate paths stay within allowed directories.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'Unrestricted file write tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:write|create|save).*file|(?:fs|filesystem).*(?:write|create)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'Tool provides file system write access. Agents could overwrite critical files or create malicious files.',
+        suggestedFix: 'Restrict to specific directories. Validate file extensions. Implement size limits. Consider using signed URLs instead of direct file access.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'File deletion tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:delete|remove).*file|(?:fs|filesystem).*(?:delete|unlink|remove)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'Tool provides file deletion capability. High risk of data loss if misused.',
+        suggestedFix: 'Implement soft-delete instead of hard delete. Require confirmation. Restrict to user-owned files only.',
+        requiresRestrictions: true,
+        requiresUserContext: true,
+    },
+    // ========== Network Access Tools ==========
+    {
+        name: 'Unrestricted HTTP/fetch tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:http|fetch|request|api)|tool.*(?:fetch|request)\s*\(/gi,
+        riskType: 'network',
+        baseSeverity: 'medium',
+        description: 'Tool provides network/HTTP access. Without restrictions, agents could make requests to internal services (SSRF) or exfiltrate data.',
+        suggestedFix: 'Add allowedHosts configuration. Block internal/private IP ranges. Implement request signing for sensitive operations.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'Web scraping tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:scrape|crawl|browse)/gi,
+        riskType: 'network',
+        baseSeverity: 'medium',
+        description: 'Tool provides web scraping capability. Could be used for SSRF or accessing internal resources.',
+        suggestedFix: 'Restrict to allowed domains. Block internal IP ranges. Implement rate limiting.',
+        requiresRestrictions: true,
+    },
+    // ========== Code Execution Tools ==========
+    {
+        name: 'Code execution tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:execute|run|eval).*(?:code|script)|tool.*(?:eval|exec)\s*\(/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'Tool provides code execution capability. This is extremely dangerous without sandboxing.',
+        suggestedFix: 'Use vm2, isolated-vm, or similar sandboxing. Implement timeout and memory limits. Restrict available APIs/modules.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'Python interpreter tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*python.*(?:exec|run|interpret)|PythonREPL|python_repl/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'Tool provides Python execution capability. Can execute arbitrary system commands.',
+        suggestedFix: 'Use RestrictedPython or sandboxed environments. Block dangerous modules (os, subprocess, socket). Implement resource limits.',
+        requiresRestrictions: true,
+    },
+    // ========== Shell/Command Tools ==========
+    {
+        name: 'Shell command tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:shell|command|terminal|bash)|ShellTool|BashTool/gi,
+        riskType: 'shell',
+        baseSeverity: 'critical',
+        description: 'Tool provides shell command execution. Allows arbitrary system commands.',
+        suggestedFix: 'Implement strict command allowlisting. Use parameterized commands (execFile, not exec). Consider removing this capability entirely.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'System command tool',
+        pattern: /(?:@tool|defineTool|createTool)[^)]*(?:system|exec|spawn|subprocess)/gi,
+        riskType: 'shell',
+        baseSeverity: 'critical',
+        description: 'Tool with system command execution capability.',
+        suggestedFix: 'Restrict to specific commands via allowlist. Validate all arguments. Log all command executions.',
+        requiresRestrictions: true,
+    },
+    // ========== Database Tools ==========
+    {
+        name: 'Database query tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:query|sql|database)|tool.*(?:query|execute)\s*\(/gi,
+        riskType: 'database',
+        baseSeverity: 'high',
+        description: 'Tool provides database query access. Without scoping, agents could access any data.',
+        suggestedFix: 'Always scope queries to current user/tenant. Use row-level security (RLS). Implement read-only mode for most operations.',
+        requiresUserContext: true,
+        requiresTenantContext: true,
+    },
+    {
+        name: 'Raw SQL tool',
+        pattern: /(?:@tool|defineTool|createTool)[^)]*(?:raw.*sql|execute.*sql)/gi,
+        riskType: 'database',
+        baseSeverity: 'critical',
+        description: 'Tool allows raw SQL execution. High risk of SQL injection and unauthorized data access.',
+        suggestedFix: 'Use parameterized queries only. Implement query validation. Consider using an ORM instead of raw SQL.',
+        requiresUserContext: true,
+        requiresTenantContext: true,
+    },
+    // ========== M5: MCP Server Tools ==========
+    {
+        name: 'MCP server tool registration',
+        pattern: /(?:McpServer|Server)\s*\([^)]*\).*(?:setRequestHandler|tool|registerTool)|server\.tool\s*\(/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'MCP (Model Context Protocol) server registering tools. Verify tool capabilities are appropriately restricted.',
+        suggestedFix: 'Add capability restrictions to MCP server. Implement allowlists for file paths, network hosts, and commands.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'MCP tool with shell access',
+        pattern: /server\.tool\s*\([^)]*(?:name:\s*['"`](?:run|exec|shell|command)[^)]*|(?:exec|spawn|shell)\s*\()/gi,
+        riskType: 'shell',
+        baseSeverity: 'critical',
+        description: 'MCP tool with shell command execution capability. Extremely dangerous without restrictions.',
+        suggestedFix: 'Use allowlist of permitted commands. Never allow arbitrary command execution. Consider read-only alternatives.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'MCP file system tool',
+        pattern: /server\.tool\s*\([^)]*(?:name:\s*['"`](?:read|write|create|delete|list).*(?:file|dir)[^)]*|fs\.|readFile|writeFile)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'MCP tool with file system access. Agents could access or modify arbitrary files.',
+        suggestedFix: 'Restrict to specific directories with allowedPaths. Implement path validation. Consider read-only access.',
+        requiresRestrictions: true,
+    },
+    // ========== M5: Vercel AI SDK Tools ==========
+    {
+        name: 'Vercel AI SDK tool definition',
+        pattern: /tool\s*\(\s*\{[^}]*(?:execute|parameters)/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'medium',
+        description: 'Vercel AI SDK tool definition. Review the execute function for dangerous operations.',
+        suggestedFix: 'Validate tool parameters against expected schema. Implement proper access controls within execute function.',
+        requiresUserContext: true,
+    },
+    {
+        name: 'AI SDK tool with dangerous execute',
+        pattern: /tool\s*\(\s*\{[^}]*execute\s*:\s*async[^}]*(?:exec|spawn|eval|fs\.|fetch\s*\()[^}]*\}/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'Vercel AI SDK tool with potentially dangerous execute function (shell, eval, fs, or network access).',
+        suggestedFix: 'Add validation and restrictions in execute function. Implement allowlists for external operations.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'StreamableUI tool action',
+        pattern: /createStreamableUI.*tool.*\{.*action/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'medium',
+        description: 'Streamable UI tool with server action. Ensure proper authorization before state mutations.',
+        suggestedFix: 'Verify user authentication and authorization before executing actions. Validate all inputs.',
+        requiresUserContext: true,
+    },
+];
+/**
+ * Patterns for missing authorization in tools
+ */
+const MISSING_AUTH_PATTERNS = [
+    {
+        name: 'Tool without user context',
+        pattern: /(?:@tool|defineTool|createTool|\.registerTool|\.addTool)\s*\([^)]*(?:async\s+)?(?:function|\().*(?:create|update|delete|modify|write|send)/gi,
+        riskType: 'database',
+        baseSeverity: 'medium',
+        description: 'Tool performs write operations but may not verify user context. Actions could be performed as wrong user.',
+        suggestedFix: 'Pass userId as required parameter. Verify user owns/can access the resource before modification.',
+        requiresUserContext: true,
+    },
+];
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+/**
+ * Main detection function for AI agent tool permission issues
+ */
+function detectAIAgentTools(content, filePath) {
+    const vulnerabilities = [];
+    // Skip non-applicable files
+    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    // Only scan files that appear to have agent/tool definitions
+    if (!isAgentOrToolFile(filePath, content)) {
+        return vulnerabilities;
+    }
+    const lines = content.split('\n');
+    const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
+    const isExample = (0, context_helpers_1.isExampleDirectory)(filePath);
+    const isLibrary = (0, context_helpers_1.isLibraryCode)(filePath);
+    // Scan for overly permissive tool patterns
+    for (const pattern of OVERPERMISSIVE_TOOL_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Get tool context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for mitigations (strong vs weak)
+            const hasStrong = hasStrongRestrictions(context);
+            const hasWeak = hasAccessRestrictions(context);
+            const hasUserContext = hasUserContextVerification(context);
+            const hasTenantContext = hasTenantContextVerification(context);
+            // Determine if issue is fully mitigated
+            let isMitigated = true;
+            let hasPartialMitigation = false;
+            const missingMitigations = [];
+            if (pattern.requiresRestrictions) {
+                if (hasStrong) {
+                    // Strong restrictions = fully mitigated for this requirement
+                }
+                else if (hasWeak) {
+                    // Weak restrictions = partial mitigation
+                    hasPartialMitigation = true;
+                    missingMitigations.push('verified access restrictions (found mentions but not implementation)');
+                    isMitigated = false;
+                }
+                else {
+                    isMitigated = false;
+                    missingMitigations.push('access restrictions');
+                }
+            }
+            if (pattern.requiresUserContext && !hasUserContext) {
+                isMitigated = false;
+                missingMitigations.push('user context verification');
+            }
+            if (pattern.requiresTenantContext && !hasTenantContext) {
+                isMitigated = false;
+                missingMitigations.push('tenant/org context verification');
+            }
+            // Skip if all required mitigations are present with strong verification
+            if (isMitigated)
+                continue;
+            // Calculate severity
+            let severity = pattern.baseSeverity;
+            if (isTestFile) {
+                severity = 'info';
+            }
+            else if (isExample) {
+                // Example/demo code - downgrade to info
+                severity = 'info';
+            }
+            else if (isLibrary) {
+                // Library code - tool definitions are intentionally flexible
+                // Consumers add restrictions when they use the tools
+                severity = 'info';
+            }
+            else if (hasPartialMitigation || hasUserContext || hasTenantContext) {
+                // Partial mitigation - downgrade
+                if (severity === 'critical')
+                    severity = 'high';
+                else if (severity === 'high')
+                    severity = 'medium';
+            }
+            // Build description
+            let description = pattern.description;
+            if (missingMitigations.length > 0) {
+                description += ` Missing: ${missingMitigations.join(', ')}.`;
+            }
+            if (isTestFile) {
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                description += ' (In example/demo directory - not production code.)';
+            }
+            else if (isLibrary) {
+                description += ' (Library code - tool definitions are generic; consumers add restrictions.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-${filePath}-${lineNumber}-${pattern.riskType}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_overpermissive_tool',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                requiresAIValidation: true, // Always validate - context dependent
+            });
+        }
+    }
+    // Scan for missing authorization patterns
+    for (const pattern of MISSING_AUTH_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Get tool context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check if user context is verified
+            const hasUserContext = hasUserContextVerification(context);
+            // Skip if user context is present
+            if (hasUserContext)
+                continue;
+            let severity = pattern.baseSeverity;
+            let description = pattern.description;
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-auth-${filePath}-${lineNumber}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_overpermissive_tool',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'low', // Lower confidence - needs context
+                layer: 2,
+                requiresAIValidation: true,
+            });
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=ai-agent-tools.js.map

package/dist/layer2/ai-agent-tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-agent-tools.js","sourceRoot":"","sources":["../../src/layer2/ai-agent-tools.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;AAwaH,gDAoKC;AAzkBD,8DAMiC;AAEjC,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;GAEG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,OAAe;IAC1D,uBAAuB;IACvB,MAAM,iBAAiB,GAAG;QACxB,2CAA2C;QAC3C,yCAAyC;QACzC,8CAA8C;KAC/C,CAAA;IAED,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAClD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,qDAAqD;IACrD,MAAM,sBAAsB,GAAG;QAC7B,QAAQ,EAA8B,mBAAmB;QACzD,sBAAsB,EAAe,uBAAuB;QAC5D,kBAAkB,EAAoB,wBAAwB;QAC9D,kBAAkB,EAAoB,gBAAgB;QACtD,sBAAsB,EAAgB,oBAAoB;QAC1D,iBAAiB,EAAqB,uBAAuB;QAC7D,iBAAiB,EAAqB,cAAc;QACpD,8BAA8B,EAAQ,kBAAkB;QACxD,4BAA4B,EAAU,0BAA0B;QAChE,iBAAiB,EAAqB,4BAA4B;QAClE,6BAA6B,EAAS,uBAAuB;QAC7D,sBAAsB,EAAgB,aAAa;KACpD,CAAA;IAED,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AAC1D,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAChC,OAAe,EACf,UAAkB,EAClB,aAAqB,EAAE;IAEvB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,UAAU,CAAC,CAAA;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC,CAAA;IAE/D,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;QACnD,SAAS;QACT,OAAO;KACR,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,MAAM,mBAAmB,GAAG;QAC1B,cAAc;QACd,SAAS;QACT,cAAc;QACd,YAAY;QACZ,gBAAgB;QAChB,gBAAgB;QAChB,eAAe;QACf,sBAAsB;QACtB,oBAAoB;QACpB,YAAY;QACZ,gBAAgB;KACjB,CAAA;IAED,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,4BAA4B,CAAC,OAAe;IACnD,MAAM,qBAAqB,GAAG;QAC5B,gBAAgB;QAChB,WAAW;QACX,aAAa;QACb,QAAQ;QACR,sBAAsB;QACtB,mBAAmB;QACnB,cAAc;QACd,cAAc;QACd,SAAS;QACT,iBAAiB;QACjB,YAAY;KACb,CAAA;IAED,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,2BAA2B,GAAG;IAClC,wCAAwC;IACxC,UAAU;IACV,kBAAkB;IAClB,cAAc;IACd,gBAAgB;IAChB,uBAAuB;IACvB,aAAa;IACb,eAAe;IACf,aAAa;IAEb,kDAAkD;IAClD,8DAA8D;IAC9D,kCAAkC;IAClC,mEAAmE;IAEnE,4BAA4B;IAC5B,oBAAoB;IACpB,qBAAqB;IACrB,uBAAuB;IACvB,uBAAuB;IACvB,0BAA0B;IAE1B,gCAAgC;IAChC,+BAA+B;IAC/B,yBAAyB;IACzB,yBAAyB;IAEzB,+BAA+B;IAC/B,2CAA2C;IAC3C,UAAU;IACV,gCAAgC,EAAG,kCAAkC;IAErE,2BAA2B;IAC3B,kDAAkD;IAClD,iEAAiE;CAClE,CAAA;AAED;;GAEG;AACH,MAAM,yBAAyB,GAAG;IAChC,0DAA0D;IAC1D,sDAAsD;IACtD,4DAA4D;IAC5D,mDAAmD;IAEnD,mBAAmB;IACnB,iEAAiE;IACjE,uCAAuC;IAEvC,oCAAoC;IACpC,8CAA8C;CAC/C,CAAA;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,4BAA4B;IAC5B,MAAM,SAAS,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IACxE,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAA;IAE5B,sCAAsC;IACtC,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IACnE,OAAO,CAAC,MAAM,CAAA;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,mBAAmB,GAAG;QAC1B,eAAe;QACf,eAAe;QACf,cAAc;QACd,eAAe;QACf,cAAc;QACd,kBAAkB;QAClB,oBAAoB;QACpB,YAAY;QACZ,YAAY;QACZ,gBAAgB;QAChB,gBAAgB;QAChB,iBAAiB;QACjB,gBAAgB;QAChB,UAAU;QACV,WAAW;QACX,WAAW;KACZ,CAAA;IAED,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACvD,CAAC;AAoBD,MAAM,4BAA4B,GAAkB;IAClD,gDAAgD;IAChD;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,oGAAoG;QAC7G,QAAQ,EAAE,YAAY;QACtB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,+GAA+G;QAC5H,YAAY,EAAE,kIAAkI;QAChJ,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,iHAAiH;QAC1H,QAAQ,EAAE,YAAY;QACtB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,0GAA0G;QACvH,YAAY,EAAE,8IAA8I;QAC5J,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,qHAAqH;QAC9H,QAAQ,EAAE,YAAY;QACtB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,4EAA4E;QACzF,YAAY,EAAE,wGAAwG;QACtH,oBAAoB,EAAE,IAAI;QAC1B,mBAAmB,EAAE,IAAI;KAC1B;IAED,6CAA6C;IAC7C;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,yGAAyG;QAClH,QAAQ,EAAE,SAAS;QACnB,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,qIAAqI;QAClJ,YAAY,EAAE,uHAAuH;QACrI,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,yEAAyE;QAClF,QAAQ,EAAE,SAAS;QACnB,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,gGAAgG;QAC7G,YAAY,EAAE,iFAAiF;QAC/F,oBAAoB,EAAE,IAAI;KAC3B;IAED,6CAA6C;IAC7C;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,gHAAgH;QACzH,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,0FAA0F;QACvG,YAAY,EAAE,oHAAoH;QAClI,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,uGAAuG;QAChH,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,mFAAmF;QAChG,YAAY,EAAE,8HAA8H;QAC5I,oBAAoB,EAAE,IAAI;KAC3B;IAED,4CAA4C;IAC5C;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,oGAAoG;QAC7G,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,0EAA0E;QACvF,YAAY,EAAE,qIAAqI;QACnJ,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,gDAAgD;QAC7D,YAAY,EAAE,kGAAkG;QAChH,oBAAoB,EAAE,IAAI;KAC3B;IAED,uCAAuC;IACvC;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,qGAAqG;QAC9G,QAAQ,EAAE,UAAU;QACpB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,qFAAqF;QAClG,YAAY,EAAE,0HAA0H;QACxI,mBAAmB,EAAE,IAAI;QACzB,qBAAqB,EAAE,IAAI;KAC5B;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,UAAU;QACpB,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,yFAAyF;QACtG,YAAY,EAAE,uGAAuG;QACrH,mBAAmB,EAAE,IAAI;QACzB,qBAAqB,EAAE,IAAI;KAC5B;IAED,6CAA6C;IAC7C;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,+FAA+F;QACxG,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,+GAA+G;QAC5H,YAAY,EAAE,8GAA8G;QAC5H,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,oGAAoG;QAC7G,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,6FAA6F;QAC1G,YAAY,EAAE,gHAAgH;QAC9H,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,uHAAuH;QAChI,QAAQ,EAAE,YAAY;QACtB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,2GAA2G;QACzH,oBAAoB,EAAE,IAAI;KAC3B;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,sFAAsF;QACnG,YAAY,EAAE,6GAA6G;QAC3H,mBAAmB,EAAE,IAAI;KAC1B;IACD;QACE,IAAI,EAAE,oCAAoC;QAC1C,OAAO,EAAE,yFAAyF;QAClG,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,sGAAsG;QACnH,YAAY,EAAE,oGAAoG;QAClH,oBAAoB,EAAE,IAAI;KAC3B;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,wCAAwC;QACjD,QAAQ,EAAE,gBAAgB;QAC1B,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,4FAA4F;QACzG,YAAY,EAAE,6FAA6F;QAC3G,mBAAmB,EAAE,IAAI;KAC1B;CACF,CAAA;AAED;;GAEG;AACH,MAAM,qBAAqB,GAAkB;IAC3C;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,8IAA8I;QACvJ,QAAQ,EAAE,UAAU;QACpB,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,2GAA2G;QACxH,YAAY,EAAE,kGAAkG;QAChH,mBAAmB,EAAE,IAAI;KAC1B;CACF,CAAA;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,4BAA4B;IAC5B,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,6DAA6D;IAC7D,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;QAC1C,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,SAAS,GAAG,IAAA,oCAAkB,EAAC,QAAQ,CAAC,CAAA;IAC9C,MAAM,SAAS,GAAG,IAAA,+BAAa,EAAC,QAAQ,CAAC,CAAA;IAEzC,2CAA2C;IAC3C,KAAK,MAAM,OAAO,IAAI,4BAA4B,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACvE,IAAI,KAAK,CAAA;QAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;YAEvD,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,WAAW,CAAC;gBAAE,SAAQ;YAEpC,mBAAmB;YACnB,MAAM,EAAE,OAAO,EAAE,GAAG,yBAAyB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;YAElE,yCAAyC;YACzC,MAAM,SAAS,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAChD,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAC9C,MAAM,cAAc,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;YAC1D,MAAM,gBAAgB,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAA;YAE9D,wCAAwC;YACxC,IAAI,WAAW,GAAG,IAAI,CAAA;YACtB,IAAI,oBAAoB,GAAG,KAAK,CAAA;YAChC,MAAM,kBAAkB,GAAa,EAAE,CAAA;YAEvC,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;gBACjC,IAAI,SAAS,EAAE,CAAC;oBACd,6DAA6D;gBAC/D,CAAC;qBAAM,IAAI,OAAO,EAAE,CAAC;oBACnB,yCAAyC;oBACzC,oBAAoB,GAAG,IAAI,CAAA;oBAC3B,kBAAkB,CAAC,IAAI,CAAC,sEAAsE,CAAC,CAAA;oBAC/F,WAAW,GAAG,KAAK,CAAA;gBACrB,CAAC;qBAAM,CAAC;oBACN,WAAW,GAAG,KAAK,CAAA;oBACnB,kBAAkB,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;gBAChD,CAAC;YACH,CAAC;YACD,IAAI,OAAO,CAAC,mBAAmB,IAAI,CAAC,cAAc,EAAE,CAAC;gBACnD,WAAW,GAAG,KAAK,CAAA;gBACnB,kBAAkB,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACtD,CAAC;YACD,IAAI,OAAO,CAAC,qBAAqB,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACvD,WAAW,GAAG,KAAK,CAAA;gBACnB,kBAAkB,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAA;YAC5D,CAAC;YAED,wEAAwE;YACxE,IAAI,WAAW;gBAAE,SAAQ;YAEzB,qBAAqB;YACrB,IAAI,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAA;YACnC,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,wCAAwC;gBACxC,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,6DAA6D;gBAC7D,qDAAqD;gBACrD,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;iBAAM,IAAI,oBAAoB,IAAI,cAAc,IAAI,gBAAgB,EAAE,CAAC;gBACtE,iCAAiC;gBACjC,IAAI,QAAQ,KAAK,UAAU;oBAAE,QAAQ,GAAG,MAAM,CAAA;qBACzC,IAAI,QAAQ,KAAK,MAAM;oBAAE,QAAQ,GAAG,QAAQ,CAAA;YACnD,CAAC;YAED,oBAAoB;YACpB,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;YACrC,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,WAAW,IAAI,aAAa,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAA;YAC9D,CAAC;YACD,IAAI,UAAU,EAAE,CAAC;gBACf,WAAW,IAAI,kBAAkB,CAAA;YACnC,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,WAAW,IAAI,qDAAqD,CAAA;YACtE,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,WAAW,IAAI,6EAA6E,CAAA;YAC9F,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,WAAW,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE;gBAC3D,QAAQ;gBACR,UAAU;gBACV,WAAW;gBACX,QAAQ;gBACR,QAAQ,EAAE,wBAAwB;gBAClC,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,WAAW;gBACX,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,UAAU,EAAE,QAAQ;gBACpB,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,IAAI,EAAE,sCAAsC;aACnE,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACvE,IAAI,KAAK,CAAA;QAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;YAEvD,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,WAAW,CAAC;gBAAE,SAAQ;YAEpC,mBAAmB;YACnB,MAAM,EAAE,OAAO,EAAE,GAAG,yBAAyB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;YAElE,oCAAoC;YACpC,MAAM,cAAc,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;YAE1D,kCAAkC;YAClC,IAAI,cAAc;gBAAE,SAAQ;YAE5B,IAAI,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAA;YACnC,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;YAErC,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;gBACjB,WAAW,IAAI,kBAAkB,CAAA;YACnC,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,gBAAgB,QAAQ,IAAI,UAAU,EAAE;gBAC5C,QAAQ;gBACR,UAAU;gBACV,WAAW;gBACX,QAAQ;gBACR,QAAQ,EAAE,wBAAwB;gBAClC,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,WAAW;gBACX,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,UAAU,EAAE,KAAK,EAAE,mCAAmC;gBACtD,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,IAAI;aAC3B,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/layer2/ai-endpoint-protection.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Layer 2: AI Endpoint Protection Detection
+ * Detects AI/LLM endpoints without proper authentication or rate limiting
+ *
+ * Covers:
+ * - M5.2: AI endpoints without auth/rate limiting
+ * - Cost-bearing AI endpoints exposed publicly
+ * - Missing rate limiting on AI routes
+ */
+import type { Vulnerability } from '../types';
+import type { MiddlewareAuthConfig } from '../utils/middleware-detector';
+/**
+ * Check if file is a route/API handler
+ */
+declare function isRouteFile(filePath: string): boolean;
+/**
+ * Check if content contains AI/LLM API calls
+ */
+declare function hasAIApiCalls(content: string): boolean;
+/**
+ * Check if there's authentication in the route
+ */
+declare function hasAuthentication(content: string): boolean;
+/**
+ * Check if there's rate limiting
+ */
+declare function hasRateLimiting(content: string): boolean;
+export interface EndpointProtectionOptions {
+    middlewareConfig?: MiddlewareAuthConfig;
+}
+/**
+ * Main detection function for AI endpoint protection issues
+ */
+export declare function detectAIEndpointProtection(content: string, filePath: string, options?: EndpointProtectionOptions): Vulnerability[];
+export { isRouteFile, hasAIApiCalls, hasAuthentication, hasRateLimiting };
+//# sourceMappingURL=ai-endpoint-protection.d.ts.map

package/dist/layer2/ai-endpoint-protection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-endpoint-protection.d.ts","sourceRoot":"","sources":["../../src/layer2/ai-endpoint-protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,UAAU,CAAA;AACpE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAA;AAaxE;;GAEG;AACH,iBAAS,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAU9C;AAED;;GAEG;AACH,iBAAS,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CA0B/C;AAED;;GAEG;AACH,iBAAS,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAwBnD;AAED;;GAEG;AACH,iBAAS,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAqBjD;AA8HD,MAAM,WAAW,yBAAyB;IACxC,gBAAgB,CAAC,EAAE,oBAAoB,CAAA;CACxC;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,yBAA8B,GACtC,aAAa,EAAE,CA2HjB;AAGD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,iBAAiB,EAAE,eAAe,EAAE,CAAA"}