@oculum/scanner 1.0.14 → 1.0.15

package/dist/layer1/config-audit.js

@@ -1,311 +0,0 @@
-"use strict";
-/**
- * Layer 1: Configuration Auditing
- * Scans configuration files for security misconfigurations
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CONFIG_RULES = void 0;
-exports.auditConfiguration = auditConfiguration;
-// Configuration audit rules
-exports.CONFIG_RULES = [
-    // Dockerfile rules
-    {
-        name: 'Docker running as root',
-        filePatterns: ['Dockerfile', '*.dockerfile'],
-        check: (content) => {
-            const violations = [];
-            const lines = content.split('\n');
-            // Check if USER instruction exists
-            const hasUserInstruction = lines.some(line => line.trim().toUpperCase().startsWith('USER '));
-            // Check for explicit root user
-            lines.forEach((line, index) => {
-                if (line.trim().toUpperCase() === 'USER ROOT') {
-                    violations.push({
-                        line: index + 1,
-                        lineContent: line.trim(),
-                        message: 'Container explicitly runs as root user',
-                        severity: 'high',
-                    });
-                }
-            });
-            // If no USER instruction at all, flag it
-            if (!hasUserInstruction && lines.length > 5) {
-                violations.push({
-                    line: 1,
-                    lineContent: 'Dockerfile',
-                    message: 'No USER instruction found - container will run as root by default',
-                    severity: 'medium',
-                });
-            }
-            return violations;
-        },
-    },
-    {
-        name: 'Hardcoded secrets in Docker build args',
-        filePatterns: ['Dockerfile', '*.dockerfile', 'docker-compose.yml', 'docker-compose.yaml'],
-        check: (content) => {
-            const violations = [];
-            const lines = content.split('\n');
-            // Pattern: ARG/ENV VAR_NAME="value" where value is NOT empty or a variable reference
-            // Skip: empty defaults (""), variable expansion ($VAR, ${VAR}), shell variable references
-            const sensitiveArgPattern = /ARG\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i;
-            const sensitiveEnvPattern = /ENV\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i;
-            const dockerComposePattern = /^\s*(PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*["']?([^"'\s${\n]+)/i;
-            lines.forEach((line, index) => {
-                // Check ARG statements
-                const argMatch = line.match(sensitiveArgPattern);
-                if (argMatch) {
-                    const value = argMatch[2];
-                    // Skip if value is empty or looks like a placeholder instruction
-                    if (value && value.length > 0 && !/^(changeme|replace|your[_-]|xxx)/i.test(value)) {
-                        violations.push({
-                            line: index + 1,
-                            lineContent: line.trim(),
-                            message: 'Hardcoded sensitive value in build argument - use build-time secrets or runtime environment variables',
-                            severity: 'medium', // Downgraded from critical - these are defaults that should be overridden
-                        });
-                    }
-                    return;
-                }
-                // Skip ENV statements that just reference ARG variables (ENV VAR="$VAR")
-                if (/ENV\s+\w+\s*=\s*["']\$\w+["']/i.test(line)) {
-                    return;
-                }
-                // Check ENV statements with actual hardcoded values
-                const envMatch = line.match(sensitiveEnvPattern);
-                if (envMatch) {
-                    const value = envMatch[2];
-                    if (value && value.length > 0) {
-                        violations.push({
-                            line: index + 1,
-                            lineContent: line.trim(),
-                            message: 'Hardcoded sensitive value in environment variable',
-                            severity: 'high',
-                        });
-                    }
-                    return;
-                }
-                // Check docker-compose patterns
-                if (dockerComposePattern.test(line)) {
-                    const match = line.match(dockerComposePattern);
-                    if (match && match[2] && match[2].length > 0) {
-                        violations.push({
-                            line: index + 1,
-                            lineContent: line.trim(),
-                            message: 'Hardcoded sensitive value in docker-compose configuration',
-                            severity: 'high',
-                        });
-                    }
-                }
-            });
-            return violations;
-        },
-    },
-    // CORS configuration
-    {
-        name: 'Permissive CORS configuration',
-        filePatterns: ['*.ts', '*.js', '*.tsx', '*.jsx', 'next.config.*', 'vercel.json', '*.yaml', '*.yml'],
-        check: (content) => {
-            const violations = [];
-            const lines = content.split('\n');
-            const corsPatterns = [
-                /['"]Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/i,
-                /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/i,
-                /origin\s*:\s*['"]\*['"]/i,
-                /allowedOrigins?\s*[=:]\s*\[\s*['"]\*['"]/i,
-                /Access-Control-Allow-Origin:\s*\*/i,
-            ];
-            lines.forEach((line, index) => {
-                for (const pattern of corsPatterns) {
-                    if (pattern.test(line)) {
-                        violations.push({
-                            line: index + 1,
-                            lineContent: line.trim(),
-                            message: 'Permissive CORS policy allows requests from any origin (*)',
-                            severity: 'medium',
-                        });
-                        break;
-                    }
-                }
-            });
-            return violations;
-        },
-    },
-    // GitHub Actions secrets exposure
-    {
-        name: 'GitHub Actions security issues',
-        filePatterns: ['.github/workflows/*.yml', '.github/workflows/*.yaml'],
-        check: (content) => {
-            const violations = [];
-            const lines = content.split('\n');
-            // Check for pull_request_target with checkout
-            const hasPRTarget = content.includes('pull_request_target');
-            const hasCheckout = content.includes('actions/checkout');
-            if (hasPRTarget && hasCheckout) {
-                const checkoutLine = lines.findIndex(l => l.includes('actions/checkout'));
-                violations.push({
-                    line: checkoutLine + 1,
-                    lineContent: lines[checkoutLine]?.trim() || '',
-                    message: 'Using actions/checkout with pull_request_target can expose secrets to untrusted code',
-                    severity: 'high',
-                });
-            }
-            // Check for hardcoded secrets
-            lines.forEach((line, index) => {
-                if (/env:\s*\w+\s*=\s*['"][^$]/.test(line) &&
-                    /(SECRET|TOKEN|KEY|PASSWORD)/i.test(line)) {
-                    violations.push({
-                        line: index + 1,
-                        lineContent: line.trim(),
-                        message: 'Potential hardcoded secret in GitHub Actions workflow',
-                        severity: 'critical',
-                    });
-                }
-            });
-            return violations;
-        },
-    },
-    // Next.js security config
-    {
-        name: 'Next.js security configuration',
-        filePatterns: ['next.config.js', 'next.config.ts', 'next.config.mjs'],
-        check: (content) => {
-            const violations = [];
-            const lines = content.split('\n');
-            // Only flag if poweredByHeader is explicitly set to true (not if missing)
-            if (content.includes('poweredByHeader: true') || content.includes('poweredByHeader:true')) {
-                const lineIndex = lines.findIndex(l => l.includes('poweredByHeader'));
-                violations.push({
-                    line: lineIndex >= 0 ? lineIndex + 1 : 1,
-                    lineContent: lines[lineIndex]?.trim() || 'poweredByHeader: true',
-                    message: 'poweredByHeader is enabled - consider setting to false to hide X-Powered-By header',
-                    severity: 'low',
-                });
-            }
-            // Check for exposed source maps in production
-            lines.forEach((line, index) => {
-                if (/productionBrowserSourceMaps\s*:\s*true/.test(line)) {
-                    violations.push({
-                        line: index + 1,
-                        lineContent: line.trim(),
-                        message: 'Production source maps are enabled - this exposes your source code',
-                        severity: 'medium',
-                    });
-                }
-            });
-            return violations;
-        },
-    },
-    // Package.json security
-    {
-        name: 'Package.json security issues',
-        filePatterns: ['package.json'],
-        check: (content) => {
-            const violations = [];
-            try {
-                const pkg = JSON.parse(content);
-                // Check for postinstall scripts that could be malicious
-                if (pkg.scripts?.postinstall || pkg.scripts?.preinstall) {
-                    const lines = content.split('\n');
-                    const scriptLine = lines.findIndex(l => l.includes('"postinstall"') || l.includes('"preinstall"'));
-                    violations.push({
-                        line: scriptLine + 1,
-                        lineContent: lines[scriptLine]?.trim() || '',
-                        message: 'Pre/post install scripts can execute arbitrary code - review carefully',
-                        severity: 'low',
-                    });
-                }
-                // Check for wildcard dependencies
-                const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
-                const lines = content.split('\n');
-                // Get the package's own npm scope to detect internal monorepo deps
-                const ownScope = pkg.name?.startsWith('@') ? pkg.name.split('/')[0] : null;
-                // Also detect common org scope from other dependencies (for packages without scoped names)
-                // If we see @org/foo and @org/bar in deps, @org is likely the monorepo's scope
-                const scopeCounts = {};
-                for (const depName of Object.keys(allDeps)) {
-                    if (depName.startsWith('@')) {
-                        const scope = depName.split('/')[0];
-                        scopeCounts[scope] = (scopeCounts[scope] || 0) + 1;
-                    }
-                }
-                // Find the most common scope (likely the monorepo's org scope)
-                const inferredScope = Object.entries(scopeCounts)
-                    .filter(([, count]) => count >= 2) // At least 2 deps from same scope
-                    .sort((a, b) => b[1] - a[1])[0]?.[0] || null;
-                for (const [name, version] of Object.entries(allDeps)) {
-                    if (version === '*' || version === 'latest') {
-                        // Skip internal monorepo packages:
-                        // 1. Same npm scope as the package itself
-                        // 2. Or same scope as other workspace packages (inferred from multiple deps)
-                        const depScope = name.startsWith('@') ? name.split('/')[0] : null;
-                        // Check if this is a workspace package
-                        const isWorkspacePackage = (ownScope && depScope === ownScope) ||
-                            (inferredScope && depScope === inferredScope && version === '*');
-                        if (isWorkspacePackage) {
-                            continue;
-                        }
-                        const depLine = lines.findIndex(l => l.includes(`"${name}"`));
-                        violations.push({
-                            line: depLine + 1,
-                            lineContent: lines[depLine]?.trim() || '',
-                            message: `Dependency "${name}" uses wildcard/latest version - pin to specific version`,
-                            severity: 'medium',
-                        });
-                    }
-                }
-            }
-            catch {
-                // Invalid JSON, skip
-            }
-            return violations;
-        },
-    },
-];
-// Check if file matches any of the patterns
-function matchesFilePattern(filePath, patterns) {
-    const fileName = filePath.split('/').pop() || '';
-    return patterns.some(pattern => {
-        if (pattern.includes('*')) {
-            const regex = new RegExp('^' + pattern.replace(/\*/g, '.*').replace(/\./g, '\\.') + '$', 'i');
-            return regex.test(fileName) || regex.test(filePath);
-        }
-        return fileName === pattern || filePath.endsWith(pattern);
-    });
-}
-function auditConfiguration(content, filePath, options) {
-    const vulnerabilities = [];
-    for (const rule of exports.CONFIG_RULES) {
-        if (matchesFilePattern(filePath, rule.filePatterns)) {
-            const violations = rule.check(content, filePath);
-            for (const violation of violations) {
-                vulnerabilities.push({
-                    id: `config-${filePath}-${violation.line}-${rule.name}`,
-                    filePath,
-                    lineNumber: violation.line,
-                    lineContent: violation.lineContent,
-                    severity: violation.severity,
-                    category: 'insecure_config',
-                    title: rule.name,
-                    description: violation.message,
-                    suggestedFix: getConfigFix(rule.name, violation),
-                    confidence: 'high',
-                    layer: 1,
-                });
-            }
-        }
-    }
-    return vulnerabilities;
-}
-function getConfigFix(ruleName, violation) {
-    const fixes = {
-        'Docker running as root': 'Add a USER instruction to run as a non-root user: USER node',
-        'Hardcoded secrets in Docker build args': 'Use Docker secrets or pass values at runtime via environment variables',
-        'Permissive CORS configuration': 'Specify allowed origins explicitly instead of using wildcard (*)',
-        'GitHub Actions security issues': 'Use secrets context (${{ secrets.NAME }}) for sensitive values',
-        'Next.js security configuration': 'Review Next.js security best practices and configure headers appropriately',
-        'Package.json security issues': 'Pin dependencies to specific versions and review install scripts',
-    };
-    return fixes[ruleName] || 'Review and fix the security configuration';
-}
-//# sourceMappingURL=config-audit.js.map

package/dist/layer1/config-audit.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"config-audit.js","sourceRoot":"","sources":["../../src/layer1/config-audit.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAwTH,gDA8BC;AAjVD,4BAA4B;AACf,QAAA,YAAY,GAAiB;IACxC,mBAAmB;IACnB;QACE,IAAI,EAAE,wBAAwB;QAC9B,YAAY,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;QAC5C,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,mCAAmC;YACnC,MAAM,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3C,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAC9C,CAAA;YAED,+BAA+B;YAC/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,WAAW,EAAE,CAAC;oBAC9C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,wCAAwC;wBACjD,QAAQ,EAAE,MAAM;qBACjB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,CAAC,kBAAkB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,CAAC;oBACP,WAAW,EAAE,YAAY;oBACzB,OAAO,EAAE,mEAAmE;oBAC5E,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAA;YACJ,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD;QACE,IAAI,EAAE,wCAAwC;QAC9C,YAAY,EAAE,CAAC,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,qBAAqB,CAAC;QACzF,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,qFAAqF;YACrF,0FAA0F;YAC1F,MAAM,mBAAmB,GAAG,6EAA6E,CAAA;YACzG,MAAM,mBAAmB,GAAG,6EAA6E,CAAA;YACzG,MAAM,oBAAoB,GAAG,+DAA+D,CAAA;YAE5F,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,uBAAuB;gBACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;gBAChD,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;oBACzB,iEAAiE;oBACjE,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;wBAClF,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,uGAAuG;4BAChH,QAAQ,EAAE,QAAQ,EAAG,0EAA0E;yBAChG,CAAC,CAAA;oBACJ,CAAC;oBACD,OAAM;gBACR,CAAC;gBAED,yEAAyE;gBACzE,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,OAAM;gBACR,CAAC;gBAED,oDAAoD;gBACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;gBAChD,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;oBACzB,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC9B,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,mDAAmD;4BAC5D,QAAQ,EAAE,MAAM;yBACjB,CAAC,CAAA;oBACJ,CAAC;oBACD,OAAM;gBACR,CAAC;gBAED,gCAAgC;gBAChC,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;oBAC9C,IAAI,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC7C,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,2DAA2D;4BACpE,QAAQ,EAAE,MAAM;yBACjB,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,qBAAqB;IACrB;QACE,IAAI,EAAE,+BAA+B;QACrC,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,CAAC;QACnG,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,MAAM,YAAY,GAAG;gBACnB,0DAA0D;gBAC1D,2CAA2C;gBAC3C,0BAA0B;gBAC1B,2CAA2C;gBAC3C,oCAAoC;aACrC,CAAA;YAED,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;oBACnC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,4DAA4D;4BACrE,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAA;wBACF,MAAK;oBACP,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,kCAAkC;IAClC;QACE,IAAI,EAAE,gCAAgC;QACtC,YAAY,EAAE,CAAC,yBAAyB,EAAE,0BAA0B,CAAC;QACrE,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,8CAA8C;YAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAA;YAC3D,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAA;YAExD,IAAI,WAAW,IAAI,WAAW,EAAE,CAAC;gBAC/B,MAAM,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAA;gBACzE,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,YAAY,GAAG,CAAC;oBACtB,WAAW,EAAE,KAAK,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;oBAC9C,OAAO,EAAE,sFAAsF;oBAC/F,QAAQ,EAAE,MAAM;iBACjB,CAAC,CAAA;YACJ,CAAC;YAED,8BAA8B;YAC9B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,uDAAuD;wBAChE,QAAQ,EAAE,UAAU;qBACrB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,gCAAgC;QACtC,YAAY,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,iBAAiB,CAAC;QACrE,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,0EAA0E;YAC1E,IAAI,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBAC1F,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAA;gBACrE,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACxC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,uBAAuB;oBAChE,OAAO,EAAE,oFAAoF;oBAC7F,QAAQ,EAAE,KAAK;iBAChB,CAAC,CAAA;YACJ,CAAC;YAED,8CAA8C;YAC9C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxD,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,oEAAoE;wBAC7E,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,wBAAwB;IACxB;QACE,IAAI,EAAE,8BAA8B;QACpC,YAAY,EAAE,CAAC,cAAc,CAAC;QAC9B,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YAExC,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;gBAE/B,wDAAwD;gBACxD,IAAI,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC;oBACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;oBACjC,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAC1D,CAAA;oBACD,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,UAAU,GAAG,CAAC;wBACpB,WAAW,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;wBAC5C,OAAO,EAAE,wEAAwE;wBACjF,QAAQ,EAAE,KAAK;qBAChB,CAAC,CAAA;gBACJ,CAAC;gBAED,kCAAkC;gBAClC,MAAM,OAAO,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,eAAe,EAAE,CAAA;gBAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAEjC,mEAAmE;gBACnE,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;gBAE1E,2FAA2F;gBAC3F,+EAA+E;gBAC/E,MAAM,WAAW,GAA2B,EAAE,CAAA;gBAC9C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3C,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;wBACnC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;oBACpD,CAAC;gBACH,CAAC;gBACD,+DAA+D;gBAC/D,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;qBAC9C,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,kCAAkC;qBACpE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;gBAE9C,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtD,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;wBAC5C,mCAAmC;wBACnC,0CAA0C;wBAC1C,6EAA6E;wBAC7E,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;wBAEjE,uCAAuC;wBACvC,MAAM,kBAAkB,GACtB,CAAC,QAAQ,IAAI,QAAQ,KAAK,QAAQ,CAAC;4BACnC,CAAC,aAAa,IAAI,QAAQ,KAAK,aAAa,IAAI,OAAO,KAAK,GAAG,CAAC,CAAA;wBAElE,IAAI,kBAAkB,EAAE,CAAC;4BACvB,SAAQ;wBACV,CAAC;wBAED,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAA;wBAC7D,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,OAAO,GAAG,CAAC;4BACjB,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;4BACzC,OAAO,EAAE,eAAe,IAAI,0DAA0D;4BACtF,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;CACF,CAAA;AAED,4CAA4C;AAC5C,SAAS,kBAAkB,CAAC,QAAgB,EAAE,QAAkB;IAC9D,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;IAEhD,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,MAAM,CACtB,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,EAC9D,GAAG,CACJ,CAAA;YACD,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;QACD,OAAO,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;IAC3D,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,KAAK,MAAM,IAAI,IAAI,oBAAY,EAAE,CAAC;QAChC,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;YAEhD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,UAAU,QAAQ,IAAI,SAAS,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE;oBACvD,QAAQ;oBACR,UAAU,EAAE,SAAS,CAAC,IAAI;oBAC1B,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,IAAI,CAAC,IAAI;oBAChB,WAAW,EAAE,SAAS,CAAC,OAAO;oBAC9B,YAAY,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC;oBAChD,UAAU,EAAE,MAAM;oBAClB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,SAA0B;IAChE,MAAM,KAAK,GAA2B;QACpC,wBAAwB,EAAE,6DAA6D;QACvF,wCAAwC,EAAE,wEAAwE;QAClH,+BAA+B,EAAE,kEAAkE;QACnG,gCAAgC,EAAE,gEAAgE;QAClG,gCAAgC,EAAE,4EAA4E;QAC9G,8BAA8B,EAAE,kEAAkE;KACnG,CAAA;IAED,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,2CAA2C,CAAA;AACvE,CAAC"}

package/dist/layer1/config-mcp-audit.d.ts

@@ -1,23 +0,0 @@
-/**
- * Layer 1: MCP Configuration Audit
- * Detects security issues in MCP configuration files
- *
- * Scans:
- * - mcp.json, *.mcp.json
- * - .mcp/config.json
- * - mcpServers in package.json
- *
- * Detects:
- * - Secrets in MCP config (API keys, tokens in args)
- * - Overpermissive settings (disabled approval, infinite timeouts)
- * - Insecure transport (http:// instead of https://)
- */
-import type { Vulnerability } from '../types';
-import type { ParsedFile } from '../utils/parsed-file';
-/**
- * Main detection function for MCP configuration audit
- */
-export declare function detectMCPConfigIssues(content: string, filePath: string, options?: {
-    parsed?: ParsedFile;
-}): Vulnerability[];
-//# sourceMappingURL=config-mcp-audit.d.ts.map

package/dist/layer1/config-mcp-audit.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"config-mcp-audit.d.ts","sourceRoot":"","sources":["../../src/layer1/config-mcp-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAgD,MAAM,UAAU,CAAA;AAC3F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AA4KtD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAkFjB"}

package/dist/layer1/config-mcp-audit.js

@@ -1,239 +0,0 @@
-"use strict";
-/**
- * Layer 1: MCP Configuration Audit
- * Detects security issues in MCP configuration files
- *
- * Scans:
- * - mcp.json, *.mcp.json
- * - .mcp/config.json
- * - mcpServers in package.json
- *
- * Detects:
- * - Secrets in MCP config (API keys, tokens in args)
- * - Overpermissive settings (disabled approval, infinite timeouts)
- * - Insecure transport (http:// instead of https://)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectMCPConfigIssues = detectMCPConfigIssues;
-const context_helpers_1 = require("../utils/context-helpers");
-// ============================================================================
-// Configuration File Detection
-// ============================================================================
-/**
- * Check if file is an MCP configuration file
- */
-function isMCPConfigFile(filePath) {
-    const mcpConfigPatterns = [
-        /mcp\.json$/i,
-        /\.mcp\.json$/i,
-        /\.mcp\/config\.json$/i,
-        /mcp[-_]?config\.json$/i,
-        /claude[-_]?desktop[-_]?config\.json$/i,
-    ];
-    return mcpConfigPatterns.some(p => p.test(filePath));
-}
-/**
- * Check if file might contain mcpServers configuration (package.json, etc.)
- */
-function mightContainMCPConfig(filePath, content) {
-    if (filePath.endsWith('package.json')) {
-        return content.includes('mcpServers') || content.includes('mcp');
-    }
-    if (filePath.endsWith('.json')) {
-        return content.includes('mcpServers') || content.includes('"command"') ||
-            content.includes('"args"') || content.includes('"url"');
-    }
-    return false;
-}
-/**
- * MCP Configuration Security Patterns
- */
-const MCP_CONFIG_PATTERNS = [
-    // Secrets in args array
-    {
-        name: 'API key in MCP server args',
-        pattern: /"args"\s*:\s*\[[^\]]*(?:api[_-]?key|API[_-]?KEY|apiKey)[=:]["'][^"']+["'][^\]]*\]/gi,
-        category: 'ai_mcp_config_secrets',
-        baseSeverity: 'critical',
-        description: 'API key found in MCP server arguments. Secrets should not be stored in configuration files.',
-        suggestedFix: 'Use environment variables for secrets: ["--api-key", "${ANTHROPIC_API_KEY}"] or use a secrets manager.',
-    },
-    // Secret/token in args
-    {
-        name: 'Secret token in MCP server args',
-        pattern: /"args"\s*:\s*\[[^\]]*(?:secret|token|password|credential|auth)[=:]["'][^"']+["'][^\]]*\]/gi,
-        category: 'ai_mcp_config_secrets',
-        baseSeverity: 'critical',
-        description: 'Secret or token found in MCP server arguments. This could be exposed in logs or version control.',
-        suggestedFix: 'Move secrets to environment variables or a secrets manager.',
-    },
-    // Hardcoded bearer token
-    {
-        name: 'Bearer token in MCP config',
-        pattern: /"(?:auth|authorization|header)"\s*:\s*["'][Bb]earer\s+[A-Za-z0-9_-]+["']/gi,
-        category: 'ai_mcp_config_secrets',
-        baseSeverity: 'critical',
-        description: 'Bearer token hardcoded in MCP configuration. This is a security risk.',
-        suggestedFix: 'Use environment variable reference: "Bearer ${MCP_TOKEN}"',
-    },
-    // Environment variable with actual value (not reference)
-    {
-        name: 'Environment variable with hardcoded value',
-        pattern: /"env"\s*:\s*\{[^}]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*"\s*:\s*"(?!\$\{)[^"]+"/gi,
-        category: 'ai_mcp_config_secrets',
-        baseSeverity: 'high',
-        description: 'Environment variable set to hardcoded secret value in MCP config.',
-        suggestedFix: 'Set environment variables outside the config file or use a secrets manager.',
-    },
-    // Disabled approval requirement
-    {
-        name: 'Tool approval disabled',
-        pattern: /"requireApproval"\s*:\s*false/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'medium',
-        description: 'Tool approval is disabled. AI can execute tools without user confirmation.',
-        suggestedFix: 'Enable tool approval for sensitive operations: "requireApproval": true',
-    },
-    // Auto-approve all
-    {
-        name: 'Auto-approve all tools',
-        pattern: /"autoApprove"\s*:\s*(?:true|"\*"|"all"|\["\*"\])/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'high',
-        description: 'All tools are auto-approved. This bypasses user confirmation for all operations.',
-        suggestedFix: 'Limit auto-approval to specific safe tools: "autoApprove": ["read_file", "list_files"]',
-    },
-    // Infinite or very long timeout
-    {
-        name: 'Unlimited tool timeout',
-        pattern: /"(?:toolTimeout|timeout)"\s*:\s*(?:0|null|"infinite"|999999+)/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'medium',
-        description: 'Tool timeout is disabled or very long. Tools could run indefinitely.',
-        suggestedFix: 'Set a reasonable timeout: "toolTimeout": 30000 (30 seconds)',
-    },
-    // HTTP URL (not HTTPS)
-    {
-        name: 'Insecure HTTP transport',
-        pattern: /"(?:url|endpoint|server)"\s*:\s*"http:\/\/(?!localhost|127\.0\.0\.1)[^"]+"/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'medium',
-        description: 'MCP server uses insecure HTTP transport. Data could be intercepted.',
-        suggestedFix: 'Use HTTPS for MCP server URLs: "url": "https://..."',
-    },
-    // Wildcard allowed tools
-    {
-        name: 'Wildcard tool permissions',
-        pattern: /"(?:allowedTools|tools|permissions)"\s*:\s*(?:\["\*"\]|"\*"|"all")/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'medium',
-        description: 'All tools are allowed without restriction. Consider limiting to specific tools.',
-        suggestedFix: 'Explicitly list allowed tools: "allowedTools": ["search", "read_file"]',
-    },
-    // Privileged mode enabled
-    {
-        name: 'Privileged mode enabled',
-        pattern: /"(?:privileged|sudo|admin|root)"\s*:\s*true/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'high',
-        description: 'MCP server running in privileged mode. This grants elevated permissions.',
-        suggestedFix: 'Disable privileged mode unless absolutely necessary. Apply principle of least privilege.',
-    },
-    // Disabled security features
-    {
-        name: 'Security feature disabled',
-        pattern: /"(?:secure|tls|verify|validation|sandbox)"\s*:\s*false/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'medium',
-        description: 'Security feature is explicitly disabled in MCP configuration.',
-        suggestedFix: 'Enable security features: "secure": true, "validation": true',
-    },
-    // Command injection risk in args
-    {
-        name: 'Shell command in MCP args',
-        pattern: /"args"\s*:\s*\[[^\]]*(?:sh\s+-c|bash\s+-c|cmd\s+\/c|powershell)[^\]]*\]/gi,
-        category: 'ai_mcp_config_permissions',
-        baseSeverity: 'high',
-        description: 'MCP server args contain shell command execution. This is a command injection risk.',
-        suggestedFix: 'Avoid shell command execution in MCP args. Use direct command invocation.',
-    },
-];
-// ============================================================================
-// Main Detection Function
-// ============================================================================
-/**
- * Main detection function for MCP configuration audit
- */
-function detectMCPConfigIssues(content, filePath, options) {
-    const vulnerabilities = [];
-    // Skip non-applicable files
-    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
-        return vulnerabilities;
-    if ((0, context_helpers_1.isDocumentationFile)(filePath))
-        return vulnerabilities;
-    // Only scan MCP config files or files that might contain MCP config
-    if (!isMCPConfigFile(filePath) && !mightContainMCPConfig(filePath, content)) {
-        return vulnerabilities;
-    }
-    const lines = options?.parsed?.lines ?? content.split('\n');
-    const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
-    const isExample = (0, context_helpers_1.isExampleDirectory)(filePath);
-    // Track findings to avoid duplicates
-    const seenFindings = new Set();
-    for (const pattern of MCP_CONFIG_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, context_helpers_1.isComment)(lineContent))
-                continue;
-            // Create dedup key
-            const dedupKey = `${filePath}:${lineNumber}:${pattern.category}`;
-            if (seenFindings.has(dedupKey))
-                continue;
-            seenFindings.add(dedupKey);
-            let severity = pattern.baseSeverity;
-            let description = pattern.description;
-            const notes = [];
-            // Check if value is an environment variable reference (safer)
-            if (/\$\{[A-Z_]+\}|\$[A-Z_]+/.test(lineContent)) {
-                if (pattern.category === 'ai_mcp_config_secrets') {
-                    severity = 'low';
-                    notes.push('Uses environment variable reference (safer pattern)');
-                }
-            }
-            // Downgrade test files
-            if (isTestFile) {
-                severity = 'info';
-                notes.push('in test file');
-            }
-            // Downgrade example/demo directories
-            if (isExample && severity !== 'info') {
-                severity = 'info';
-                notes.push('in example/demo directory');
-            }
-            // Build final description
-            if (notes.length > 0) {
-                description += ` (${notes.join('; ')})`;
-            }
-            vulnerabilities.push({
-                id: `mcp-config-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: pattern.category,
-                title: pattern.name,
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: pattern.category === 'ai_mcp_config_secrets' ? 'high' : 'medium',
-                layer: 1,
-                requiresAIValidation: severity !== 'info' && severity !== 'low',
-            });
-        }
-    }
-    return vulnerabilities;
-}
-//# sourceMappingURL=config-mcp-audit.js.map

package/dist/layer1/config-mcp-audit.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"config-mcp-audit.js","sourceRoot":"","sources":["../../src/layer1/config-mcp-audit.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAkLH,sDAsFC;AApQD,8DAMiC;AAEjC,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;GAEG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,iBAAiB,GAAG;QACxB,aAAa;QACb,eAAe;QACf,uBAAuB;QACvB,wBAAwB;QACxB,uCAAuC;KACxC,CAAA;IACD,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,QAAgB,EAAE,OAAe;IAC9D,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,OAAO,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAClE,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC/D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;IAChE,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAeD;;GAEG;AACH,MAAM,mBAAmB,GAAuB;IAC9C,wBAAwB;IACxB;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,qFAAqF;QAC9F,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,6FAA6F;QAC1G,YAAY,EAAE,wGAAwG;KACvH;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,4FAA4F;QACrG,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,kGAAkG;QAC/G,YAAY,EAAE,6DAA6D;KAC5E;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,4EAA4E;QACrF,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,uEAAuE;QACpF,YAAY,EAAE,2DAA2D;KAC1E;IACD,yDAAyD;IACzD;QACE,IAAI,EAAE,2CAA2C;QACjD,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,mEAAmE;QAChF,YAAY,EAAE,6EAA6E;KAC5F;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,4EAA4E;QACzF,YAAY,EAAE,wEAAwE;KACvF;IACD,mBAAmB;IACnB;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,wFAAwF;KACvG;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,6DAA6D;KAC5E;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,qEAAqE;QAClF,YAAY,EAAE,qDAAqD;KACpE;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,sEAAsE;QAC/E,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,iFAAiF;QAC9F,YAAY,EAAE,wEAAwE;KACvF;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,+CAA+C;QACxD,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,0EAA0E;QACvF,YAAY,EAAE,0FAA0F;KACzG;IACD,6BAA6B;IAC7B;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,8DAA8D;KAC7E;IACD,iCAAiC;IACjC;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,2EAA2E;QACpF,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,oFAAoF;QACjG,YAAY,EAAE,2EAA2E;KAC1F;CACF,CAAA;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,qBAAqB,CACnC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,4BAA4B;IAC5B,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,qCAAmB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAEzD,oEAAoE;IACpE,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;QAC5E,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,SAAS,GAAG,IAAA,oCAAkB,EAAC,QAAQ,CAAC,CAAA;IAE9C,qCAAqC;IACrC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAA;IAEtC,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACvE,IAAI,KAAK,CAAA;QAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;YAEvD,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,WAAW,CAAC;gBAAE,SAAQ;YAEpC,mBAAmB;YACnB,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAA;YAChE,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAAE,SAAQ;YACxC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;YAE1B,IAAI,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAA;YACnC,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;YACrC,MAAM,KAAK,GAAa,EAAE,CAAA;YAE1B,8DAA8D;YAC9D,IAAI,yBAAyB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChD,IAAI,OAAO,CAAC,QAAQ,KAAK,uBAAuB,EAAE,CAAC;oBACjD,QAAQ,GAAG,KAAK,CAAA;oBAChB,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAA;gBACnE,CAAC;YACH,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;gBACjB,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;YAC5B,CAAC;YAED,qCAAqC;YACrC,IAAI,SAAS,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACrC,QAAQ,GAAG,MAAM,CAAA;gBACjB,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,CAAC;YAED,0BAA0B;YAC1B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,WAAW,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAA;YACzC,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,cAAc,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE;gBAC/E,QAAQ;gBACR,UAAU;gBACV,WAAW;gBACX,QAAQ;gBACR,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,WAAW;gBACX,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,UAAU,EAAE,OAAO,CAAC,QAAQ,KAAK,uBAAuB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBAC5E,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,KAAK;aAChE,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/layer1/entropy.d.ts

@@ -1,11 +0,0 @@
-/**
- * Layer 1: High-Entropy String Detection
- * Uses Shannon entropy to detect potential secrets that don't match known patterns
- */
-import type { Vulnerability } from '../types';
-import type { ParsedFile } from '../utils/parsed-file';
-export declare function calculateEntropy(str: string): number;
-export declare function detectHighEntropyStrings(content: string, filePath: string, options?: {
-    parsed?: ParsedFile;
-}): Vulnerability[];
-//# sourceMappingURL=entropy.d.ts.map

package/dist/layer1/entropy.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../src/layer1/entropy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAC7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAWtD,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD;AA6oBD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAiKjB"}