@offgridsec/kira-lite-mcp 0.1.2

package/README.md

@@ -0,0 +1,370 @@
+# Kira-Lite MCP Server
+
+**Real-time security scanning for AI coding assistants** — by [Offgrid Security](https://offgridsec.com)
+
+Kira-Lite catches vulnerabilities **before code is written to disk**. It integrates into your AI coding assistant via MCP (Model Context Protocol) and scans every code change for OWASP Top 10, CWEs, hardcoded secrets, and insecure patterns.
+
+## Why Kira-Lite
+
+Security tools shouldn't live in a separate tab. Kira-Lite runs **inside your AI coding assistant** — the same place you write code. No context switching, no separate dashboards, no CI pipeline to wait for.
+
+- **Scans before code hits disk** — vulnerabilities are caught and fixed in the same conversation
+- **Works where you already are** — Claude Code, Cursor, Windsurf, or any MCP-compatible editor
+- **Zero config to start** — one `npx` command, no API keys, no accounts
+- **Your code stays local** — nothing is sent to external servers; all scanning happens on your machine
+
+## Quick Start
+
+```bash
+# Install globally
+npm install -g @offgridsec/kira-lite-mcp
+
+# Or run directly
+npx @offgridsec/kira-lite-mcp
+```
+
+## Setup
+
+### 1. Register MCP Server (one-time, global)
+
+**Claude Code:**
+
+```bash
+claude mcp add --scope user kira-lite -- npx -y @offgridsec/kira-lite-mcp
+```
+
+**Cursor / Windsurf / Other MCP Clients:**
+
+Add to your MCP configuration:
+
+```json
+{
+  "kira-lite": {
+    "command": "npx",
+    "args": ["-y", "@offgridsec/kira-lite-mcp"]
+  }
+}
+```
+
+### 2. Per-Project Setup (Claude Code only)
+
+After registering the MCP server, you also need to copy **two files** into each project where you want automatic scanning:
+
+| File | What it does |
+|------|-------------|
+| `CLAUDE.md` | Tells Claude to call `scan_code` before every Edit/Write — without this, Claude won't scan automatically |
+| `.claude/settings.local.json` | Auto-allows the kira-lite MCP tools (no approval prompts) and adds a post-write hook as a safety net |
+
+**Without these files**, the MCP tools are still available but Claude won't use them unless you ask manually.
+
+**New project (no existing CLAUDE.md or settings):**
+
+```bash
+# macOS / Linux
+cp $(npm root -g)/@offgridsec/kira-lite-mcp/config/CLAUDE.md .
+mkdir -p .claude
+cp $(npm root -g)/@offgridsec/kira-lite-mcp/config/settings.local.json .claude/settings.local.json
+```
+
+```powershell
+# Windows (PowerShell)
+$pkg = (npm root -g) + "\@offgridsec\kira-lite-mcp"
+Copy-Item "$pkg\config\CLAUDE.md" .
+New-Item -ItemType Directory -Force .claude | Out-Null
+Copy-Item "$pkg\config\settings.local.json" .claude\settings.local.json
+```
+
+**Already have a CLAUDE.md or settings?** See [INSTALL.md](INSTALL.md) for merge instructions (Scenarios B, C, D).
+
+> **Cursor / Windsurf users:** You do **not** need to copy these files. Those editors handle MCP tool instructions differently.
+
+## MCP Tools
+
+| Tool | Description |
+|------|-------------|
+| `scan_code` | Scan a code snippet before writing to disk |
+| `scan_file` | Scan an existing file on disk. Auto-triggers dependency vulnerability scanning on lockfiles |
+| `scan_diff` | Compare original vs modified code — reports only NEW vulnerabilities |
+| `scan_dependencies` | Scan project dependencies for known CVEs via OSV.dev (supports 13 lockfile formats across 11 ecosystems) |
+| `fix_vulnerability` | Get fix guidance for a specific vulnerability ID or CWE |
+| `get_config` | View current Kira-Lite configuration |
+| `set_config` | Change scan frequency and other settings |
+
+## Configuration
+
+Kira-Lite supports user-configurable scan frequency via `~/.kira-lite/config.json`.
+
+### Scan Modes
+
+| Mode | Behavior |
+|------|----------|
+| `"every-edit"` | Scan on every `scan_code` / `scan_diff` / `scan_file` call **(default)** |
+| `"on-save"` | Only scan via `scan_file` (file on disk); `scan_code` / `scan_diff` return instantly |
+| `"manual"` | All scans are skipped — you must explicitly request scans |
+
+### Change scan mode
+
+Use the `set_config` MCP tool:
+
+```
+set_config({ scanMode: "on-save" })
+```
+
+Or create/edit `~/.kira-lite/config.json` manually:
+
+```json
+{
+  "scanMode": "on-save"
+}
+```
+
+### Check current mode
+
+```
+get_config()
+```
+
+> **Note:** The default mode is `"every-edit"`, which preserves the original behavior when no config file exists.
+
+## How It Works
+
+Kira-Lite ships with **Kira-Core**, a compiled Go binary that includes all 376 security rules and runs entirely on your machine. No external tools required.
+
+| Platform | Kira-Core Support |
+|----------|------------------|
+| macOS (arm64, x64) | Bundled |
+| Linux (x64, arm64) | Bundled |
+| Windows (x64) | Bundled |
+
+If Kira-Core is not available for your platform, Kira-Lite falls back to its built-in regex engine, which provides the same rule coverage.
+
+## Dependency Vulnerability Scanning
+
+Kira-Lite scans your project's third-party dependencies for known CVEs using the [OSV.dev](https://osv.dev) database — the same data source behind Google's `osv-scanner`. No API keys, no accounts, no external tools required.
+
+### How It Works
+
+1. **Automatic** — When `scan_file` is called on a lockfile, dependency scanning triggers automatically alongside the code scan
+2. **Manual** — Call `scan_dependencies` with a `project_path` or `lockfile_path` for on-demand full scans
+
+### Supported Lockfiles
+
+| Ecosystem | Lockfile | Languages |
+|-----------|----------|-----------|
+| **npm** | `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` | JavaScript, TypeScript |
+| **PyPI** | `requirements.txt`, `Pipfile.lock` | Python |
+| **Go** | `go.sum` | Go |
+| **Maven** | `gradle.lockfile` | Java, Kotlin |
+| **crates.io** | `Cargo.lock` | Rust |
+| **RubyGems** | `Gemfile.lock` | Ruby |
+| **Packagist** | `composer.lock` | PHP |
+| **NuGet** | `packages.lock.json` | C#, .NET, F# |
+| **Pub** | `pubspec.lock` | Dart, Flutter |
+| **Hex** | `mix.lock` | Elixir, Erlang |
+
+### What You Get
+
+For each vulnerable dependency, Kira-Lite reports:
+
+- **Severity** — Critical / High / Medium / Low (mapped from CVSS scores)
+- **Advisory ID** — GHSA or OSV identifier
+- **CVE aliases** — Associated CVE numbers
+- **Installed version** — The version in your lockfile
+- **Fixed version** — The minimum version that resolves the vulnerability
+- **Description** — What the vulnerability is and how it can be exploited
+- **Remediation** — Specific upgrade command to fix it
+
+### Example Output
+
+```
+## Kira-Lite Dependency Scan Results
+
+**Packages scanned:** 142
+**Vulnerable packages:** 2
+
+#### [HIGH] lodash@4.17.20 — Command Injection
+- Advisory: GHSA-35jh-r3h4-6jhm (CVE-2021-23337)
+- Fixed version: 4.17.21
+- Fix: Upgrade lodash to >=4.17.21
+
+#### [MEDIUM] axios@0.21.1 — Cross-Site Request Forgery
+- Advisory: GHSA-wf5p-g6vw-rhxx (CVE-2023-45857)
+- Fixed version: 1.6.0
+- Fix: Upgrade axios to >=1.6.0
+```
+
+## What It Detects
+
+**376 built-in rules** across **15 languages/formats** and **19 security categories**, covering **45+ distinct CWEs**.
+
+### At a Glance
+
+| Metric | Count |
+|--------|-------|
+| Built-in regex rules | 376 |
+| Languages & formats | 15 |
+| Security categories | 19 |
+| CWEs covered | 45+ |
+| Secret detectors | 92 (30 core + 62 extended) |
+| Dependency ecosystems | 11 (npm, PyPI, Go, Maven, crates.io, RubyGems, Packagist, NuGet, Pub, Hex) |
+| Lockfile formats | 13 |
+
+### Severity Distribution
+
+| Severity | Rules | Action |
+|----------|-------|--------|
+| **Critical** | ~145 | Block — do not write code (RCE, SQLi, hardcoded secrets, command injection) |
+| **High** | ~155 | Block — do not write code (XSS, SSRF, path traversal, privilege escalation) |
+| **Medium** | ~60 | Warn user (missing rate limiting, CORS issues, unpinned dependencies) |
+| **Low** | ~16 | Inform user (missing logging, verbose errors, debug flags) |
+
+### Standards Compliance
+
+**OWASP Top 10:2025**
+
+| OWASP ID | Category | Kira Coverage |
+|----------|----------|---------------|
+| A01 | Broken Access Control | BOLA/IDOR patterns, missing CSRF, mass assignment, CORS misconfiguration |
+| A02 | Security Misconfiguration | Debug mode, verbose errors, permissive CORS, default credentials |
+| A03 | Vulnerable & Outdated Components | **Dependency CVE scanning via OSV.dev** (13 lockfile formats, 11 ecosystems), unpinned dependencies, missing lockfile integrity, suspicious install scripts |
+| A04 | Cryptographic Failures | MD5/SHA1, ECB mode, hardcoded keys, Math.random for security, weak TLS |
+| A05 | Injection | SQL, command, XSS, SSTI, NoSQL, LDAP, header, log, ReDoS, SpEL injection |
+| A06 | Insecure Design | Fail-open patterns, missing auth checks, unrestricted file uploads |
+| A07 | Authentication Failures | Hardcoded credentials, missing rate limiting, JWT alg:none, insecure sessions |
+| A08 | Software & Data Integrity | Missing SRI hashes, unsigned CI/CD artifacts, unpinned GitHub Actions |
+| A09 | Logging & Monitoring Failures | Empty catch blocks, swallowed exceptions, sensitive data in logs |
+| A10 | Server-Side Request Forgery | User-controlled URLs in fetch/requests/axios without allowlist validation |
+
+**OWASP API Security Top 10**
+
+| API ID | Category | Kira Coverage |
+|--------|----------|---------------|
+| API1 | Broken Object Level Authorization | Direct object references without ownership validation |
+| API2 | Broken Authentication | Missing rate limiting on login, insecure token storage |
+| API3 | Broken Object Property Level Authorization | Mass assignment (Object.assign/spread from req.body) |
+| API4 | Unrestricted Resource Consumption | Missing pagination, GraphQL depth/complexity limits |
+| API5 | Broken Function Level Authorization | Missing auth middleware on endpoints |
+| API6 | Unrestricted Access to Sensitive Business Flows | Missing rate limiting on API routes |
+| API7 | Server-Side Request Forgery | SSRF via user-controlled URLs |
+| API8 | Security Misconfiguration | CORS wildcards, GraphQL introspection in production |
+| API9 | Improper Inventory Management | API keys in URLs instead of headers |
+| API10 | Unsafe Consumption of APIs | Disabled TLS verification, missing certificate validation |
+
+**OWASP LLM Top 10:2025**
+
+| LLM ID | Category | Kira Coverage |
+|--------|----------|---------------|
+| LLM01 | Prompt Injection | User input concatenated into prompt templates |
+| LLM02 | Insecure Output Handling | LLM output passed to eval/exec/SQL/shell, rendered as raw HTML |
+| LLM04 | Data and Model Poisoning | Unvalidated external content in embeddings |
+| LLM06 | Excessive Agency | Unrestricted tool access in function-calling agents |
+
+> Ref: CVE-2025-53773 (GitHub Copilot RCE, CVSS 9.6)
+
+### Security Categories
+
+| Category | Rules | What It Catches |
+|----------|-------|-----------------|
+| **Injection** | 45 | SQL injection, command injection, XSS, SSTI, NoSQL injection, LDAP injection, header injection, log injection, ReDoS, Expression Language injection |
+| **Secrets & Credentials** | 93 | AWS, GitHub, GitLab, Slack, Stripe, Google, SendGrid, Twilio, npm, PyPI, Docker Hub, OpenAI, Anthropic, Azure (Storage, DevOps, SAS, App Config), Heroku, Supabase, Firebase, private keys, JWTs, connection strings, generic API keys, **+ 63 extended detectors**: Groq, HuggingFace, Replicate, xAI/Grok, DeepSeek, ElevenLabs, Cohere (AI/ML); GCP Service Account, DigitalOcean, Fly.io, Vercel, Netlify, Alibaba Cloud (Cloud); CircleCI, Buildkite, Terraform Cloud, Pulumi, Drone, Travis (CI/CD); Discord, Telegram, Teams, Postmark, MessageBird, Vonage (Comms); PayPal, Square, Razorpay (Payments); Datadog, New Relic, Grafana, Sentry, PagerDuty, Splunk, Honeycomb, Logz.io (Monitoring); HashiCorp Vault, Portainer, ngrok (Infra); Shopify, Atlassian/Jira, Confluent, Okta, Auth0, Linear, Notion, Figma, Asana, Airtable, Bitbucket, NuGet, RubyGems (SaaS) |
+| **Cryptography** | 22 | MD5, SHA1, DES, ECB mode, Math.random/rand() for security, disabled TLS verification, weak TLS versions, timing attacks on secret comparison, hardcoded keys/IVs |
+| **Deserialization** | 15 | pickle, yaml.load, Marshal, shelve, dill, Java ObjectInputStream, XMLDecoder, PHP unserialize, BinaryFormatter (.NET), node-serialize |
+| **Authentication & Sessions** | 12 | JWT alg:none, missing cookie flags (HttpOnly/Secure/SameSite), OAuth implicit flow, missing CSRF protection, missing rate limiting on login, insecure random for tokens |
+| **Supply Chain** | 13 + OSV | Unpinned GitHub Actions (CVE-2025-30066), suspicious postinstall scripts, obfuscated install hooks, lockfile manipulation, unpinned dependencies, self-hosted runner risks, **+ dependency CVE scanning via OSV.dev across 11 ecosystems** |
+| **CI/CD Pipeline** | 13 | Missing SHA pinning, pwn requests (pull_request_target), secrets in logs, script injection via github.event, curl\|bash, overly permissive permissions, unsafe GITHUB_ENV writes, cache poisoning |
+| **Container Security** | 13 | Unpinned base images, running as root, ADD vs COPY, secrets in ENV/ARG, Docker socket mounts, privileged mode, missing HEALTHCHECK, sensitive port exposure |
+| **Kubernetes** | 18 | Privileged containers, host namespaces, dangerous capabilities (ALL/SYS_ADMIN/NET_RAW), missing resource limits, sensitive hostPath mounts, cluster-admin RBAC, wildcard permissions, hardcoded secrets in pod specs |
+| **Infrastructure as Code** | 18 | Public S3 buckets, open security groups, IAM wildcards, missing encryption (EBS/RDS/state), publicly accessible databases, hardcoded provider credentials, overly permissive Lambda roles |
+| **API Security** | 10 | BOLA/IDOR patterns, mass assignment, CORS misconfiguration, GraphQL introspection/depth/complexity, missing pagination, API keys in URLs |
+| **AI/LLM Security** | 4 | LLM output executed as code (ref: CVE-2025-53773), XSS via AI output, SQL injection via AI output, prompt injection |
+| **Frontend & Browser** | 10 | postMessage without origin check, localStorage for tokens, open redirects, Vue v-html, clickjacking, WebSocket hijacking (CSWSH), double encoding bypass, Unicode normalization |
+| **File Operations** | 8 | Path traversal, unrestricted file upload, symlink attacks, predictable temp files, world-writable permissions (chmod 777) |
+| **Memory Safety (C/C++)** | 17 | Buffer overflow (gets/strcpy/strcat/sprintf/scanf), format string vulnerabilities, integer overflow, use-after-free, dangerous functions, TOCTOU race conditions |
+| **Encoding & Canonicalization** | 3 | Double URL encoding bypass, Unicode normalization attacks, HTTP parameter pollution |
+| **Race Conditions** | 4 | TOCTOU in file operations, goroutine data races, check-then-act without locking |
+| **Error Handling** | 4 | Empty catch blocks, swallowed exceptions, missing set -e in shell, discarded error returns in Go |
+| **Information Disclosure** | 5 | Debug mode in production (Flask/Django/Rails), phpinfo(), verbose error pages, logging sensitive data |
+
+### Framework-Specific Coverage
+
+Kira-Lite includes rules tailored to popular frameworks, catching misconfigurations that generic scanners miss:
+
+| Framework | Key Detections |
+|-----------|---------------|
+| **Django** | DEBUG=True in production, hardcoded SECRET_KEY, CSRF exemptions, mass assignment (exclude vs fields), ALLOWED_HOSTS wildcard |
+| **Flask** | Debug mode enabled, hardcoded secret key, missing CSRF protection |
+| **Spring** | CSRF disabled, permitAll on sensitive endpoints, SpEL injection |
+| **Rails** | Hardcoded secret_key_base, debug breakpoints (binding.pry, byebug), permit! mass assignment |
+| **Express.js** | Missing helmet/CORS middleware, prototype pollution, NoSQL injection via req.body |
+| **ASP.NET** | Html.Raw XSS, BinaryFormatter deserialization, SqlCommand injection, disabled request validation |
+| **Vue.js** | v-html directive with dynamic content (XSS) |
+| **React** | dangerouslySetInnerHTML with unsanitized input |
+
+### Languages & Formats
+
+| Language | Built-in Rules | Key Detections |
+|----------|---------------|----------------|
+| **JavaScript / TypeScript** | 144 | SQLi, XSS, command injection, prototype pollution, JWT misconfig, SSRF, NoSQL injection, CORS, eval, insecure random, timing attacks, GraphQL, OAuth, WebSocket, LLM output execution, prompt injection, supply chain, 93 secret detectors |
+| **Python** | 134 | SQLi, command injection, eval/exec, pickle/yaml/marshal deserialization, SSTI, SSRF, Django (CSRF, mass assignment, DEBUG, SECRET_KEY), Flask debug/secret, disabled TLS (verify=False), insecure random, XXE, temp file races, CORS, 93 secret detectors |
+| **YAML** (K8s, CI/CD, Docker Compose) | 124 | Privileged containers, host namespaces, dangerous capabilities, RBAC wildcards, hostPath mounts, unpinned GitHub Actions, pwn requests, secrets in logs, script injection, permissions, 93 secret detectors |
+| **Java** | 112 | SQLi, XXE, deserialization (ObjectInputStream, XMLDecoder), command injection, SSRF, weak crypto, LDAP injection, Spring Security (CSRF, permitAll), SpEL injection, disabled TLS, log injection, 93 secret detectors |
+| **Ruby** | 110 | SQLi, command injection, eval/send/constantize, mass assignment (permit!), YAML.load/Marshal.load, XSS (html_safe, raw), SSRF, CSRF skip, open redirect, hardcoded secret_key_base, 93 secret detectors |
+| **Go** | 109 | SQLi, command injection, path traversal, SSRF, weak crypto, insecure random, disabled TLS (InsecureSkipVerify), template injection, race conditions, unchecked errors, unsafe pointer, 93 secret detectors |
+| **C#** | 109 | SQLi (SqlCommand, EF Core), XSS (Html.Raw), command injection, path traversal, XXE, BinaryFormatter deserialization, weak crypto, disabled TLS, LDAP injection, CORS, mass assignment, open redirect, 93 secret detectors |
+| **PHP** | 106 | SQLi, command injection (system/exec/backticks), eval, LFI/RFI (include with user input), XSS, unserialize, extract(), file upload, deprecated mysql_*, SSRF, XXE, phpinfo(), 93 secret detectors |
+| **Shell / Bash** | 105 | eval injection, unquoted variables, curl\|bash, chmod 777, predictable temp files, hardcoded credentials, SSH host key bypass, SQL in shell, missing set -e, 93 secret detectors |
+| **JSON** | 95 | Hardcoded secrets, IAM policy wildcards, suspicious install scripts in package.json, 93 secret detectors |
+| **Terraform / HCL** | 85 | Public S3 buckets, open security groups, IAM wildcards, missing encryption, publicly accessible RDS, hardcoded credentials in provider blocks, 93 secret detectors |
+| **C / C++** | 84 | Buffer overflow (gets, strcpy, sprintf, scanf), format string, integer overflow, use-after-free, command injection (system, popen), insecure random, TOCTOU, 93 secret detectors |
+| **Dockerfile** | 78 | Unpinned base images, running as root, ADD vs COPY, secrets in ENV/ARG, Docker socket mount, curl\|bash, sensitive ports, 93 secret detectors |
+| **Rust** | 67 | Secrets detection (93 detectors: API keys, private keys, connection strings, credentials, AI/ML tokens, cloud provider keys, CI/CD tokens, SaaS tokens) |
+| **HTML** | 1 | Hardcoded Google API keys |
+
+### CWE Coverage
+
+The built-in rules map to **50+ distinct CWEs**, including:
+
+| CWE | Description | Rules |
+|-----|-------------|-------|
+| CWE-798 | Hardcoded Credentials | 90+ |
+| CWE-89 | SQL Injection | 15+ |
+| CWE-78 | OS Command Injection | 14+ |
+| CWE-327 | Weak Cryptography | 12+ |
+| CWE-502 | Insecure Deserialization | 12+ |
+| CWE-250 | Execution with Unnecessary Privileges | 10+ |
+| CWE-79 | Cross-Site Scripting (XSS) | 8+ |
+| CWE-94 | Code Injection | 8+ |
+| CWE-295 | Improper Certificate Validation | 7+ |
+| CWE-918 | Server-Side Request Forgery (SSRF) | 7+ |
+| CWE-22 | Path Traversal | 6+ |
+| CWE-829 | Inclusion of Untrusted Functionality | 6+ |
+| CWE-338 | Insecure PRNG | 5+ |
+| CWE-120 | Buffer Overflow | 5+ |
+| CWE-269 | Improper Privilege Management | 5+ |
+| CWE-284 | Improper Access Control | 5+ |
+| CWE-611 | XML External Entity (XXE) | 4+ |
+| CWE-352 | Cross-Site Request Forgery (CSRF) | 3+ |
+| CWE-1321 | Prototype Pollution | 2+ |
+| CWE-134 | Format String Vulnerability | 1+ |
+| CWE-190 | Integer Overflow | 1+ |
+| CWE-416 | Use After Free | 1+ |
+
+## Development
+
+```bash
+npm install
+npm run build
+npm run dev    # watch mode
+```
+
+## Privacy
+
+Kira-Lite collects **anonymous, non-personalized** telemetry (tool usage stats, rule IDs, scan durations). No source code, file paths, or personal data is ever collected.
+
+**Opt out** by setting `KIRA_TELEMETRY=off` in your environment.
+
+See [PRIVACY.md](PRIVACY.md) for full details.
+
+## License
+
+Elastic License 2.0 (ELv2) — [Offgrid Security](https://offgridsec.com)

package/config/CLAUDE.md

@@ -0,0 +1,26 @@
+# SECURITY SCANNING — REQUIRED ON EVERY CODE CHANGE
+
+You MUST call the `scan_code` MCP tool before EVERY single Edit or Write tool call. No exceptions. This is not optional.
+
+## How it works
+
+1. Before you use Edit or Write, call `scan_code` with the code you are about to write
+2. If findings are returned, fix them and call `scan_code` again
+3. Only write the code after scan returns clean
+4. For edits to existing files, use `scan_diff` with original and new code
+
+## Example
+
+WRONG (never do this):
+- Think about code → Write file
+
+RIGHT (always do this):
+- Think about code → scan_code(code) → clean? → Write file
+- Think about code → scan_code(code) → findings → fix → scan_code(fixed) → clean → Write file
+
+## Rules
+
+- EVERY Edit/Write MUST be preceded by a scan_code call
+- If scan returns critical or high findings, DO NOT write the code
+- Tell the user what you found and what you fixed
+- This applies to ALL files: .js, .ts, .py, .go, .java, .rb, .php, .yaml, .tf, Dockerfile, etc.

package/config/settings.local.json

@@ -0,0 +1,25 @@
+{
+  "permissions": {
+    "allow": [
+      "mcp__kira-lite__scan_code",
+      "mcp__kira-lite__scan_file",
+      "mcp__kira-lite__scan_diff",
+      "mcp__kira-lite__fix_vulnerability",
+      "mcp__kira-lite__get_config",
+      "mcp__kira-lite__set_config"
+    ]
+  },
+  "hooks": {
+    "PostToolCall": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node /path/to/kira-lite-mcp/hook.mjs"
+          }
+        ]
+      }
+    ]
+  }
+}

package/dist/config.d.ts

@@ -0,0 +1,6 @@
+import type { ScanMode } from "./core/types.js";
+export interface KiraConfig {
+    scanMode: ScanMode;
+}
+export declare function loadConfig(): KiraConfig;
+export declare function saveConfig(config: KiraConfig): void;

package/dist/config.js

@@ -0,0 +1 @@
+function _0x9439a(_0x2b990b,_0x2cdcf0){return _0x48bd(_0x2b990b- -0x292,_0x2cdcf0);}(function(_0x5dc2fa,_0x2862e5){const _0xf9287f={_0xe22d6e:0x19b,_0x3869cf:0x1a2,_0x315ada:0x196,_0x500200:0x1a1,_0x56fd98:0x180,_0xc2cf4c:0x18c,_0x4fc907:0x18a,_0x50b4ff:0x18e,_0x2c7ecd:0x1da,_0x1d9398:0x1dd,_0x4bfb03:0x1d0,_0x1a5f9d:0x1ed,_0x509edf:0x1e4,_0x1f0ab9:0x1ca},_0x5ab6bf={_0x4fec6f:0x67};function _0x1c6af6(_0x5ed2b6,_0x54d76a){return _0x48bd(_0x54d76a- -0xe,_0x5ed2b6);}function _0x1a6d2b(_0x3aed2b,_0x560551){return _0x48bd(_0x3aed2b- -_0x5ab6bf._0x4fec6f,_0x560551);}const _0x3a9a7d=_0x5dc2fa();while(!![]){try{const _0x47e799=parseInt(_0x1a6d2b(_0xf9287f._0xe22d6e,_0xf9287f._0x3869cf))/(0x1*-0x1fb2+-0x103c*-0x1+-0x1*-0xf77)*(parseInt(_0x1a6d2b(_0xf9287f._0x315ada,_0xf9287f._0x500200))/(0x1874+-0x1c6*0x1+-0x16ac))+parseInt(_0x1a6d2b(0x193,_0xf9287f._0x56fd98))/(-0xc3e+0xb*0x388+-0x1a97)*(parseInt(_0x1a6d2b(_0xf9287f._0xc2cf4c,0x188))/(-0x1*0x175e+0x418*-0x6+-0x143*-0x26))+-parseInt(_0x1a6d2b(0x194,_0xf9287f._0x4fc907))/(0x64*-0xf+-0x21f*-0xa+-0xf55)*(-parseInt(_0x1a6d2b(_0xf9287f._0x50b4ff,0x1a1))/(0x1a07+-0xd*0x296+0x79d))+-parseInt(_0x1a6d2b(0x17b,0x16d))/(0x22dd+-0x176c+-0x3*0x3ce)+parseInt(_0x1c6af6(0x1cf,_0xf9287f._0x2c7ecd))/(-0x9*0xd4+-0x75b+0x1d*0x83)*(parseInt(_0x1c6af6(_0xf9287f._0x1d9398,_0xf9287f._0x4bfb03))/(0xf7f*-0x2+0x108f+0xe78))+parseInt(_0x1c6af6(_0xf9287f._0x1a5f9d,_0xf9287f._0x509edf))/(0x22c*0x10+-0x84*0x6+0xfcf*-0x2)+-parseInt(_0x1c6af6(_0xf9287f._0x1f0ab9,0x1db))/(-0x1e6d*-0x1+-0x115+0x1d4d*-0x1);if(_0x47e799===_0x2862e5)break;else _0x3a9a7d['push'](_0x3a9a7d['shift']());}catch(_0x245e55){_0x3a9a7d['push'](_0x3a9a7d['shift']());}}}(_0x2d37,-0x30b1d*0x1+-0x11cbf+0x62776));import{readFileSync,writeFileSync,mkdirSync}from'node:fs';import{join}from'node:path';import{homedir}from'node:os';const _0x522055={};_0x522055['scanM'+_0x43db04(0x1aa,0x1a1)]=_0x43db04(0x1c6,0x1d7)+_0x9439a(-0x9e,-0xa5);const DEFAULT_CONFIG=_0x522055,VALID_SCAN_MODES=[_0x43db04(0x1c6,0x1cb)+_0x43db04(0x1b9,0x1ae),_0x43db04(0x1b6,0x1b5)+'ve',_0x43db04(0x1b3,0x1af)+'l'];function getConfigDir(){const _0x12ae48={_0x1ffafa:0x156,_0x4ff4e9:0x145,_0x571386:0x159,_0x186fc3:0x15b},_0x412d14={_0x15de67:0x52};function _0x219faf(_0x31b511,_0x2effe2){return _0x43db04(_0x31b511- -_0x412d14._0x15de67,_0x2effe2);}function _0x6b6079(_0x2e5810,_0x5d1405){return _0x9439a(_0x2e5810-0x169,_0x5d1405);}const _0x11bac3={'rZWfH':function(_0x588608,_0x9b751a,_0x57015e){return _0x588608(_0x9b751a,_0x57015e);},'YHSsJ':function(_0xb91f37){return _0xb91f37();}};return _0x11bac3['rZWfH'](join,_0x11bac3[_0x219faf(_0x12ae48._0x1ffafa,_0x12ae48._0x4ff4e9)](homedir),_0x219faf(_0x12ae48._0x571386,_0x12ae48._0x186fc3)+_0x219faf(0x154,_0x12ae48._0x186fc3));}function _0x2d37(){const _0x368205=['C0DwCNm','B05lz2e','AvPZshO','nZiYndGXD3norxf0','ndb4uKPguwG','DxrMltG','mte2mte0s1LwshvS','qLP2weG','EwHgyw8','zgvZ','zxzLCNK','muvOA3fNqG','C3rYAw4','wM5vrfy','mtHswePuzgO','t0XIv0S','CMvJDxi','lwXPDgu','mtG3oduYALDXDgzz','wuHtC0O','C2L2zq','B2rL','lMTPCMe','CgfYC2u','nty2mdy0ExzOqunQ','ntKYnZm4m25lwvjWta','yuHfBum','z1Ltugq','y29UzMK','C2jPCuS','BwfUDwe','Du5PBLC','C2nHBK0','B24TC2e','nte5mZeWtMfmyKr1','nejmD0zsza','lwvKAxq','mtuZmJq2Ewjey1Pz','z2LMEq'];_0x2d37=function(){return _0x368205;};return _0x2d37();}function getConfigPath(){const _0x54658a={_0x4cbfd1:0x2a9};function _0x2c87ea(_0x170526,_0x44fdc4){return _0x9439a(_0x44fdc4-0x342,_0x170526);}const _0x259351={'PbTTM':function(_0xe50b38){return _0xe50b38();},'iZsHz':_0x199b3a(0x3ca,0x3c1)+'g.jso'+'n'};function _0x199b3a(_0x300b97,_0x493ab0){return _0x9439a(_0x493ab0-0x467,_0x300b97);}return join(_0x259351['PbTTM'](getConfigDir),_0x259351[_0x2c87ea(0x29e,_0x54658a._0x4cbfd1)]);}function _0x43db04(_0x3244f4,_0x501bcd){const _0x2e198a={_0x137243:0x3b};return _0x48bd(_0x3244f4- -_0x2e198a._0x137243,_0x501bcd);}function _0x48bd(_0x5f0072,_0x21db3c){_0x5f0072=_0x5f0072-(-0x2634+-0x1*-0x195e+0xeb2);const _0x1fc79f=_0x2d37();let _0x5e4592=_0x1fc79f[_0x5f0072];if(_0x48bd['MnAUSf']===undefined){var _0x585ae7=function(_0xaa3abe){const _0x5d7e7c='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let _0x3e0340='',_0x52289b='';for(let _0x22a061=-0x937+-0x16f6*-0x1+0x1*-0xdbf,_0x4131b9,_0x53a6f9,_0x11a02d=-0x2*0x4cc+0xc10+-0x8*0x4f;_0x53a6f9=_0xaa3abe['charAt'](_0x11a02d++);~_0x53a6f9&&(_0x4131b9=_0x22a061%(0x38*0x17+-0x1ff*-0xe+-0x20f6)?_0x4131b9*(-0x4d2*0x3+0x20ec+-0x9*0x206)+_0x53a6f9:_0x53a6f9,_0x22a061++%(0x201d*-0x1+-0x1*-0x17da+0x847))?_0x3e0340+=String['fromCharCode'](-0x14b2+-0x2*-0x11d8+-0xdff&_0x4131b9>>(-(-0x2eb*0xd+-0x229*-0x4+-0x241*-0xd)*_0x22a061&-0x973+0x18c2+-0xf49)):-0x1ebb*-0x1+-0x1*0x25a9+0x6ee){_0x53a6f9=_0x5d7e7c['indexOf'](_0x53a6f9);}for(let _0x312ba6=-0xa*0x62+0x1*-0x22df+0x26b3,_0x1c1bd2=_0x3e0340['length'];_0x312ba6<_0x1c1bd2;_0x312ba6++){_0x52289b+='%'+('00'+_0x3e0340['charCodeAt'](_0x312ba6)['toString'](-0x32b*0xc+-0x7*-0x199+0x1ae5))['slice'](-(0x4*-0x68f+-0x1*0xe8b+0x1*0x28c9));}return decodeURIComponent(_0x52289b);};_0x48bd['jRAdOv']=_0x585ae7,_0x48bd['zADyZI']={},_0x48bd['MnAUSf']=!![];}const _0x9d8213=_0x1fc79f[-0x2*0xe09+-0x276+0x1e88],_0x3de76d=_0x5f0072+_0x9d8213,_0x3b52d6=_0x48bd['zADyZI'][_0x3de76d];return!_0x3b52d6?(_0x5e4592=_0x48bd['jRAdOv'](_0x5e4592),_0x48bd['zADyZI'][_0x3de76d]=_0x5e4592):_0x5e4592=_0x3b52d6,_0x5e4592;}export function loadConfig(){const _0xd5d52d={_0x437326:0x159,_0x3c00ea:0x15f,_0x29f51c:0x16c,_0x2f6aec:0x15c,_0x5ff036:0x156,_0x479a0a:0x161,_0x2cce19:0x16a,_0x508bb9:0x19f,_0x226757:0x1ba,_0x7c9eb6:0x15e,_0x9405c:0x1ab,_0x1245c4:0x19d,_0x33f70:0x165,_0x419fc0:0x160,_0x1df69a:0x147,_0x57c12b:0x1ae,_0x1752cb:0x1b8,_0x1e6d07:0x1bf,_0x53ad9a:0x1b0,_0x2a2f4f:0x1ae,_0x4475a2:0x1a1},_0x796aa8={_0x1a6bd8:0x252},_0x16d6c1={_0x5cb4cc:0x1f9};function _0x49ea72(_0x2585f4,_0x3a0e2b){return _0x9439a(_0x2585f4-_0x16d6c1._0x5cb4cc,_0x3a0e2b);}const _0x3db753={'yhFao':function(_0x372fd2,_0x16ff1a,_0x4e39e5){return _0x372fd2(_0x16ff1a,_0x4e39e5);},'sGVrs':function(_0x534f73,_0x882dbf,_0x512074,_0x243056){return _0x534f73(_0x882dbf,_0x512074,_0x243056);},'BZvXH':function(_0x338b45){return _0x338b45();},'oNKga':_0x49ea72(0x163,0x177),'uNinW':function(_0x4321f7,_0x5a7879){return _0x4321f7===_0x5a7879;},'OLbWK':_0x1e4b59(0x19c,0x192)+'g','gYSPd':function(_0x1f3092,_0x20e60a){return _0x1f3092===_0x20e60a;},'GepUB':_0x49ea72(0x154,_0xd5d52d._0x437326)};function _0x1e4b59(_0x314b1d,_0x390471){return _0x9439a(_0x314b1d-_0x796aa8._0x1a6bd8,_0x390471);}try{const _0x5daa67=_0x3db753['yhFao'](readFileSync,getConfigPath(),_0x3db753[_0x49ea72(_0xd5d52d._0x3c00ea,_0xd5d52d._0x29f51c)]),_0x7b05c6=JSON[_0x49ea72(0x14e,_0xd5d52d._0x2f6aec)](_0x5daa67);if(_0x7b05c6&&_0x3db753[_0x49ea72(_0xd5d52d._0x5ff036,_0xd5d52d._0x479a0a)](typeof _0x7b05c6[_0x49ea72(0x157,_0xd5d52d._0x2cce19)+_0x1e4b59(0x1a5,0x1a6)],_0x3db753[_0x1e4b59(_0xd5d52d._0x508bb9,0x19c)])&&VALID_SCAN_MODES['inclu'+_0x1e4b59(0x1c0,_0xd5d52d._0x226757)](_0x7b05c6['scanM'+_0x49ea72(0x14c,_0xd5d52d._0x7c9eb6)])){if(_0x3db753[_0x1e4b59(_0xd5d52d._0x9405c,_0xd5d52d._0x1245c4)](_0x49ea72(0x151,0x14c),_0x3db753['GepUB'])){const _0x2e0dbe=_0x1b99c2(),_0x54211e={};_0x54211e[_0x49ea72(0x147,0x139)+_0x49ea72(0x14b,0x146)]=!![],_0x3db753[_0x49ea72(0x166,0x154)](_0x556bf5,_0x2e0dbe,_0x54211e),_0x3db753[_0x49ea72(0x15e,0x16f)](_0xb6798,_0x3db753[_0x49ea72(_0xd5d52d._0x33f70,_0xd5d52d._0x419fc0)](_0x336b8c),_0x284536[_0x49ea72(0x143,_0xd5d52d._0x1df69a)+_0x1e4b59(0x1b6,_0xd5d52d._0x57c12b)](_0x1b504e,null,-0x3*0x1+-0x1b25*-0x1+-0x1b20),_0x3db753[_0x1e4b59(_0xd5d52d._0x1752cb,_0xd5d52d._0x1e6d07)]);}else{const _0x428120={};return _0x428120[_0x1e4b59(_0xd5d52d._0x53ad9a,_0xd5d52d._0x2a2f4f)+_0x1e4b59(0x1a5,_0xd5d52d._0x4475a2)]=_0x7b05c6[_0x49ea72(0x157,_0xd5d52d._0x3c00ea)+_0x49ea72(0x14c,0x157)],_0x428120;}}const _0x596c02={...DEFAULT_CONFIG};return _0x596c02;}catch{const _0x4fcc8d={...DEFAULT_CONFIG};return _0x4fcc8d;}}export function saveConfig(_0x312a52){const _0x151747={_0x5c4bf9:0x74,_0x54eddd:0x1fd,_0x634d95:0x20a,_0x3a3b2b:0x208},_0x3fde28={_0x2be062:0x127},_0x4a4023={_0x1d7c75:0x2a6},_0x44a598={'PvTPk':function(_0x156c5b,_0x455700,_0x23e03f){return _0x156c5b(_0x455700,_0x23e03f);},'ZnUDV':function(_0x45c28d){return _0x45c28d();}},_0x32a799=getConfigDir();function _0x460261(_0x4b1dc9,_0x2a6427){return _0x9439a(_0x2a6427-_0x4a4023._0x1d7c75,_0x4b1dc9);}const _0x2526d1={};function _0x1d3291(_0x34e7d7,_0x21d360){return _0x43db04(_0x34e7d7- -_0x3fde28._0x2be062,_0x21d360);}_0x2526d1[_0x460261(0x1ee,0x1f4)+'sive']=!![],_0x44a598['PvTPk'](mkdirSync,_0x32a799,_0x2526d1),writeFileSync(_0x44a598[_0x1d3291(0x7b,_0x151747._0x5c4bf9)](getConfigPath),JSON['strin'+_0x460261(_0x151747._0x54eddd,_0x151747._0x634d95)](_0x312a52,null,0x4b5+0x1a73+-0x1f26),_0x460261(_0x151747._0x3a3b2b,0x210));}

package/dist/core/engines/kira-core.d.ts

@@ -0,0 +1,16 @@
+import { ScanResult } from "../types.js";
+/**
+ * Resolve the kira-core binary path from the platform-specific npm package.
+ * Returns the absolute path to the binary, or null if the package isn't installed.
+ * Caches the result so resolution happens only once.
+ */
+export declare function resolveKiraCoreBinary(): string | null;
+export declare function checkKiraCoreAvailable(): Promise<boolean>;
+/**
+ * Run kira-core Go binary — single binary with all scanning compiled in.
+ * Falls back to null if not available (MCP will use the regex engine instead).
+ */
+export declare function runKiraCore(code: string, language?: string, filename?: string): Promise<{
+    result: ScanResult;
+    available: boolean;
+} | null>;

package/dist/core/engines/kira-core.js

@@ -0,0 +1 @@
+function _0x5c72dd(_0x5dd3ad,_0x1ce2a6){const _0x26ae52={_0x427180:0x33b};return _0x63ab(_0x1ce2a6- -_0x26ae52._0x427180,_0x5dd3ad);}(function(_0x52c5f6,_0x37a82d){const _0x54534b={_0x4a76b5:0x25e,_0x28cb54:0x31d,_0x3ee128:0x2f5,_0x3a9de4:0x23d,_0x4c8f2f:0x2e8,_0x7a332b:0x269,_0x5cd65b:0x26f,_0x7db998:0x2a3,_0x2ba30b:0x2ba,_0xcb6760:0x2de,_0x38e1c3:0x273},_0x514501={_0x34125c:0x1d7},_0x53e0c2={_0x5e56be:0x350},_0x2f5bb4=_0x52c5f6();function _0x1357cf(_0x157d73,_0x2ea01b){return _0x63ab(_0x157d73- -_0x53e0c2._0x5e56be,_0x2ea01b);}function _0x270e85(_0xb67ca8,_0x52df42){return _0x63ab(_0x52df42-_0x514501._0x34125c,_0xb67ca8);}while(!![]){try{const _0x129c26=-parseInt(_0x1357cf(-_0x54534b._0x4a76b5,-0x272))/(0x349*0x5+0x190b+-0x2977)+parseInt(_0x270e85(_0x54534b._0x28cb54,_0x54534b._0x3ee128))/(0x151*0x8+-0x31a*0x3+-0x8*0x27)*(-parseInt(_0x1357cf(-_0x54534b._0x3a9de4,-0x253))/(-0x3*0x8e1+0x1f46+0x250*-0x2))+parseInt(_0x270e85(_0x54534b._0x4c8f2f,0x2ef))/(0x5e*-0x13+-0x13d*0xe+0x1854)*(-parseInt(_0x1357cf(-_0x54534b._0x7a332b,-_0x54534b._0x5cd65b))/(-0x2465+-0x1a5+0x260f))+-parseInt(_0x270e85(_0x54534b._0x7db998,_0x54534b._0x2ba30b))/(-0x3c0+-0xbbc+0x1*0xf82)+parseInt(_0x270e85(0x2eb,_0x54534b._0xcb6760))/(-0x115+0x104b*-0x2+0x21b2)+-parseInt(_0x270e85(0x2b1,0x2af))/(-0x1808+0x111e+0x2*0x379)+parseInt(_0x1357cf(-_0x54534b._0x38e1c3,-0x25a))/(-0x9f*-0x9+0x2*-0x2b9+-0x1c)*(parseInt(_0x1357cf(-0x23a,-0x258))/(0xdb+-0x32*0x68+0xd9*0x17));if(_0x129c26===_0x37a82d)break;else _0x2f5bb4['push'](_0x2f5bb4['shift']());}catch(_0x2aaa09){_0x2f5bb4['push'](_0x2f5bb4['shift']());}}}(_0x176a,0x1*-0xca24+-0x18ecd5+0x5*0x7db34));import{runCommand,isToolAvailable}from'./runner.js';import{createRequire}from'node:module';import{accessSync,constants}from'node:fs';const _0x5cd81e={};_0x5cd81e[_0x5c72dd(-0x22d,-0x252)+'n-arm'+'64']=_0x164d25(0x46b,0x442)+_0x164d25(0x447,0x45b)+'c/kir'+_0x164d25(0x45e,0x441)+'e-dar'+_0x5c72dd(-0x269,-0x25f)+_0x5c72dd(-0x276,-0x25a),_0x5cd81e[_0x164d25(0x45d,0x466)+_0x5c72dd(-0x265,-0x24b)]=_0x164d25(0x46b,0x46b)+_0x5c72dd(-0x271,-0x268)+_0x164d25(0x472,0x47a)+'a-cor'+_0x5c72dd(-0x273,-0x24a)+_0x5c72dd(-0x219,-0x21e)+'64',_0x5cd81e[_0x164d25(0x46d,0x459)+_0x5c72dd(-0x242,-0x240)]='@offg'+_0x5c72dd(-0x271,-0x268)+_0x5c72dd(-0x25f,-0x23d)+_0x164d25(0x45e,0x45c)+_0x5c72dd(-0x23c,-0x224)+_0x5c72dd(-0x20a,-0x229)+'4';function _0x164d25(_0x197272,_0x536e92){return _0x63ab(_0x197272-0x374,_0x536e92);}_0x5cd81e[_0x5c72dd(-0x26a,-0x242)+_0x5c72dd(-0x217,-0x220)+'4']=_0x164d25(0x46b,0x475)+_0x5c72dd(-0x243,-0x268)+'c/kir'+_0x164d25(0x45e,0x43d)+_0x164d25(0x48b,0x470)+_0x164d25(0x489,0x4a9)+_0x5c72dd(-0x252,-0x247),_0x5cd81e[_0x164d25(0x47a,0x45e)+_0x164d25(0x46f,0x47b)]=_0x164d25(0x46b,0x44b)+'ridse'+_0x5c72dd(-0x22e,-0x23d)+'a-cor'+_0x5c72dd(-0x25a,-0x250)+'32-x6'+'4';const PLATFORM_PACKAGES=_0x5cd81e;let resolvedBinaryPath;export function resolveKiraCoreBinary(){const _0x43514a={_0x385676:0x10f,_0x4b0c7a:0x117,_0x3b6f75:0x106,_0x5c3bab:0xee,_0x2e492b:0x19d,_0x4f4698:0x127,_0x3fd665:0xf7,_0x1cad54:0xf0,_0x1a2d73:0x1b7,_0x1ab700:0x112,_0x4eadc8:0xfa,_0x22bfd0:0x109,_0x584c71:0x11e,_0x49b338:0x10e,_0x68efff:0x196,_0x520d87:0x18f,_0x4d8267:0x1bb,_0x40d57f:0x1dc,_0x382246:0x1d4},_0x5084ad={_0xf1491d:0x36c},_0x44bd96={_0x3149f2:0x622},_0x4eaf3e={'HtWtq':function(_0xf2eedf,_0x260bb9){return _0xf2eedf!==_0x260bb9;},'gvZzQ':function(_0x203ac5){return _0x203ac5();},'OetST':function(_0x2bb826,_0x9a4226){return _0x2bb826(_0x9a4226);},'eHynx':_0x2d15b1(0x108,_0x43514a._0x385676)+'core','IJsLx':function(_0x39fbcf,_0x459a81){return _0x39fbcf!==_0x459a81;},'vjKbr':'VzOpd','VxsSX':function(_0x9a9ff9,_0x40e69d){return _0x9a9ff9===_0x40e69d;},'UYRua':_0x2d15b1(_0x43514a._0x4b0c7a,_0x43514a._0x3b6f75),'Ekkyn':function(_0x469a9d,_0x1da7ea){return _0x469a9d(_0x1da7ea);},'xMKkL':function(_0x25bab6,_0xa66dc6){return _0x25bab6|_0xa66dc6;},'QUAzw':function(_0x491080,_0x1853fc,_0x5da74d){return _0x491080(_0x1853fc,_0x5da74d);}};function _0x1dc5f4(_0xdd1a0,_0x3d3dc3){return _0x164d25(_0x3d3dc3- -_0x44bd96._0x3149f2,_0xdd1a0);}function _0x2d15b1(_0x413030,_0x5564df){return _0x164d25(_0x413030- -_0x5084ad._0xf1491d,_0x5564df);}if(_0x4eaf3e[_0x2d15b1(_0x43514a._0x5c3bab,0xde)](resolvedBinaryPath,undefined))return resolvedBinaryPath;const _0x1f33ee=process[_0x1dc5f4(-0x195,-_0x43514a._0x2e492b)+_0x2d15b1(_0x43514a._0x4f4698,0x143)]+'-'+process[_0x2d15b1(_0x43514a._0x3fd665,0xdc)],_0x5ec7b7=PLATFORM_PACKAGES[_0x1f33ee];if(!_0x5ec7b7)return _0x4eaf3e['vjKbr']!=='VPnzc'?(resolvedBinaryPath=null,null):!![];try{if(_0x4eaf3e['VxsSX'](_0x4eaf3e[_0x2d15b1(0x10c,_0x43514a._0x1cad54)],_0x1dc5f4(-_0x43514a._0x1a2d73,-0x1b4))){if(_0x4eaf3e[_0x2d15b1(0xe7,0xdc)](_0x4eaf3e[_0x2d15b1(0x110,0x10e)](_0x3aaa66),null))return!![];return _0x4eaf3e[_0x1dc5f4(-0x19b,-0x1ab)](_0x68f2e6,_0x4eaf3e[_0x2d15b1(_0x43514a._0x1ab700,_0x43514a._0x4eadc8)]);}else{const _0x3e247b=_0x4eaf3e[_0x2d15b1(_0x43514a._0x22bfd0,_0x43514a._0x584c71)](createRequire,import.meta.url),_0x2a3491=_0x3e247b(_0x5ec7b7),_0x2ba992=_0x4eaf3e[_0x2d15b1(0x122,0x10f)](process[_0x2d15b1(0x119,_0x43514a._0x49b338)+_0x1dc5f4(-_0x43514a._0x68efff,-_0x43514a._0x520d87)],_0x1dc5f4(-0x183,-0x1a8))?constants[_0x1dc5f4(-0x199,-_0x43514a._0x4d8267)]:_0x4eaf3e['xMKkL'](constants['F_OK'],constants[_0x1dc5f4(-_0x43514a._0x40d57f,-_0x43514a._0x382246)]);return _0x4eaf3e[_0x2d15b1(0x10a,0x121)](accessSync,_0x2a3491,_0x2ba992),resolvedBinaryPath=_0x2a3491,_0x2a3491;}}catch{return resolvedBinaryPath=null,null;}}export async function checkKiraCoreAvailable(){const _0x259fd5={_0x341e82:0x4a8,_0x14bd69:0x4a5},_0x4250ff={_0x43bf53:0x6e3},_0x30592f={_0x38cfa4:0x54e};function _0x4721d0(_0x3801ca,_0x573a8e){return _0x164d25(_0x573a8e- -_0x30592f._0x38cfa4,_0x3801ca);}const _0x3a726c={'aryAp':function(_0x2986da,_0x31b269){return _0x2986da!==_0x31b269;},'GYDiu':function(_0x53093c,_0x5c693c){return _0x53093c(_0x5c693c);},'INTZC':_0x6aa241(0x4a7,_0x259fd5._0x341e82)+'core'};if(_0x3a726c['aryAp'](resolveKiraCoreBinary(),null))return!![];function _0x6aa241(_0x18d748,_0x16d9ff){return _0x5c72dd(_0x18d748,_0x16d9ff-_0x4250ff._0x43bf53);}return _0x3a726c[_0x6aa241(0x4bc,_0x259fd5._0x14bd69)](isToolAvailable,_0x3a726c[_0x6aa241(0x49a,0x4b3)]);}function _0x63ab(_0x3af009,_0x35ee92){_0x3af009=_0x3af009-(0x15de+-0x2119+0xc08);const _0x4528a0=_0x176a();let _0x3faa55=_0x4528a0[_0x3af009];if(_0x63ab['gyjBvc']===undefined){var _0x9a4769=function(_0x131444){const _0x52b7d2='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let _0x2ca137='',_0x36e4bc='';for(let _0xb42c56=0x1089*0x1+-0x16*0x10d+0x695*0x1,_0x1d76c2,_0x19cf92,_0xc4a7ed=0x1743*-0x1+0xb04*0x2+0x13b;_0x19cf92=_0x131444['charAt'](_0xc4a7ed++);~_0x19cf92&&(_0x1d76c2=_0xb42c56%(-0xdad*-0x1+-0x13e6+0x63d)?_0x1d76c2*(0x17*-0x35+-0xa*0x14a+0x11e7)+_0x19cf92:_0x19cf92,_0xb42c56++%(0x2*0x7b5+-0x187*0x3+-0xad1))?_0x2ca137+=String['fromCharCode'](0x83*0x2+-0x1*-0xed+-0xf4&_0x1d76c2>>(-(-0x202d+0x677+-0x1*-0x19b8)*_0xb42c56&0x154e+0xc9*-0x15+-0x4cb)):-0x9e+0x1*-0x22e5+0x2383){_0x19cf92=_0x52b7d2['indexOf'](_0x19cf92);}for(let _0x4cd7fd=0x5*-0x559+-0x2362+-0x6e7*-0x9,_0x6230ba=_0x2ca137['length'];_0x4cd7fd<_0x6230ba;_0x4cd7fd++){_0x36e4bc+='%'+('00'+_0x2ca137['charCodeAt'](_0x4cd7fd)['toString'](0x3c5*0x1+0x241*0x5+-0xefa))['slice'](-(0xe43+0x23*0x1d+-0x1238));}return decodeURIComponent(_0x36e4bc);};_0x63ab['ambpNe']=_0x9a4769,_0x63ab['UhdkVK']={},_0x63ab['gyjBvc']=!![];}const _0x28ed6e=_0x4528a0[-0x3*-0xa5b+-0x15d3+-0x93e],_0x5a1276=_0x3af009+_0x28ed6e,_0x43975d=_0x63ab['UhdkVK'][_0x5a1276];return!_0x43975d?(_0x3faa55=_0x63ab['ambpNe'](_0x3faa55),_0x63ab['UhdkVK'][_0x5a1276]=_0x3faa55):_0x3faa55=_0x43975d,_0x3faa55;}export async function runKiraCore(_0x4e0d7e,_0xa82c90,_0x321c20){const _0x58e9a6={_0x4dff33:0x16e,_0x3a62f6:0x36e,_0x5c549e:0x386,_0x10a6da:0x125,_0x2d152c:0x3a4,_0xac6fe1:0x165,_0x11d802:0x3a6,_0x5562d7:0x16d,_0x21f794:0x150,_0x5334e0:0x353,_0x5d66c7:0x375,_0x523c5a:0x37b,_0x5684a1:0x375,_0x1a6463:0x155,_0x4f255e:0x174,_0x146bf2:0x17f,_0x9f2ce8:0x16c,_0x59d514:0x38e,_0x153b03:0x376,_0x2f9edc:0x34e,_0x2156da:0x374,_0x39a7dd:0x3cd,_0x407789:0x3b4,_0x8f6409:0x149,_0xc6ee62:0x10b,_0x712175:0x135,_0x54de63:0x37e,_0x1bfbfc:0x14f},_0xa3ed4={'zDzId':function(_0x5ab5ca){return _0x5ab5ca();},'vXPhD':function(_0x357877,_0x5b809a){return _0x357877||_0x5b809a;},'uxkkD':function(_0x1c2269,_0x3d9ae7){return _0x1c2269||_0x3d9ae7;},'NHXTo':function(_0x45cb4e,_0x17c602,_0x1f48f6,_0xa7429d){return _0x45cb4e(_0x17c602,_0x1f48f6,_0xa7429d);},'mtTAr':_0x1e11c0(-_0x58e9a6._0x4dff33,-0x159)+_0x4bbef7(_0x58e9a6._0x3a62f6,_0x58e9a6._0x5c549e),'sifHT':'json','wZBqO':_0x1e11c0(-_0x58e9a6._0x10a6da,-0x125),'swkeA':_0x1e11c0(-0x13a,-0x13f)},_0x360392=await _0xa3ed4['zDzId'](checkKiraCoreAvailable);if(!_0x360392)return null;const _0x2037dc=_0xa3ed4['zDzId'](resolveKiraCoreBinary)??_0x4bbef7(0x3cd,_0x58e9a6._0x2d152c)+_0x1e11c0(-0x129,-0x132),_0x542301=JSON[_0x4bbef7(0x37f,0x388)+'gify']({'code':_0x4e0d7e,'language':_0xa3ed4[_0x4bbef7(0x363,0x379)](_0xa82c90,''),'filename':_0xa3ed4[_0x1e11c0(-0x176,-_0x58e9a6._0xac6fe1)](_0x321c20,'')}),_0x1bcaed={};_0x1bcaed[_0x4bbef7(0x389,0x3a0)]=_0x542301,_0x1bcaed['timeo'+'ut']=0xea60;function _0x4bbef7(_0x45a41b,_0x357824){return _0x5c72dd(_0x45a41b,_0x357824-0x5df);}function _0x1e11c0(_0x731bec,_0x2112f2){return _0x5c72dd(_0x731bec,_0x2112f2-0xfd);}const _0x3a48c3=await _0xa3ed4[_0x4bbef7(_0x58e9a6._0x11d802,0x39a)](runCommand,_0x2037dc,[_0xa3ed4['mtTAr'],_0xa3ed4['sifHT']],_0x1bcaed);try{const _0x47c935=JSON['parse'](_0x3a48c3['stdou'+'t']),_0x253c42=_0x47c935[_0x1e11c0(-0x162,-0x152)+_0x1e11c0(-_0x58e9a6._0x5562d7,-_0x58e9a6._0x21f794)]['map'](_0x5d512=>({'id':_0x5d512['id'],'severity':_0x5d512[_0x1e11c0(-0x118,-0x12a)+'ity'],'cwe':_0x5d512[_0x4bbef7(0x37d,0x373)],'title':_0x5d512[_0x1e11c0(-0x180,-0x168)],'description':_0x5d512[_0x4bbef7(0x384,0x391)+'iptio'+'n'],'line':_0x5d512[_0x1e11c0(-0x13f,-0x130)],'column':_0x5d512[_0x1e11c0(-0x13a,-0x139)+'n'],'endLine':_0x5d512[_0x4bbef7(0x387,0x382)+_0x4bbef7(0x382,0x38c)],'snippet':_0x5d512[_0x1e11c0(-0x110,-0x131)+'et'],'fix':_0x5d512[_0x4bbef7(0x39e,0x37b)],'fixedCode':_0x5d512['fixed'+_0x4bbef7(0x383,0x39c)],'engine':'kira-'+_0x4bbef7(0x3a1,0x3b0)})),_0x190bd9={};_0x190bd9[_0x4bbef7(_0x58e9a6._0x5334e0,_0x58e9a6._0x5d66c7)+'s']=_0x47c935[_0x4bbef7(_0x58e9a6._0x523c5a,_0x58e9a6._0x5684a1)+'s'],_0x190bd9[_0x1e11c0(-_0x58e9a6._0x1a6463,-0x149)+'age']=_0x47c935[_0x4bbef7(0x373,0x399)+_0x1e11c0(-_0x58e9a6._0x4f255e,-0x163)],_0x190bd9[_0x1e11c0(-_0x58e9a6._0x146bf2,-_0x58e9a6._0x9f2ce8)+'edLin'+'es']=_0x47c935[_0x4bbef7(_0x58e9a6._0x59d514,_0x58e9a6._0x153b03)+_0x4bbef7(_0x58e9a6._0x2f9edc,_0x58e9a6._0x2156da)+_0x4bbef7(_0x58e9a6._0x39a7dd,_0x58e9a6._0x407789)],_0x190bd9['findi'+'ngs']=_0x253c42,_0x190bd9[_0x1e11c0(-_0x58e9a6._0x8f6409,-0x135)+'ry']=_0x47c935[_0x1e11c0(-_0x58e9a6._0xc6ee62,-_0x58e9a6._0x712175)+'ry'],_0x190bd9[_0x4bbef7(_0x58e9a6._0x54de63,0x384)+'es']=[];const _0x2bb199={};return _0x2bb199[_0x1e11c0(-_0x58e9a6._0x1bfbfc,-0x16a)+_0x1e11c0(-0x16c,-0x171)]=!![],_0x2bb199[_0x4bbef7(0x370,0x372)+'t']=_0x190bd9,_0x2bb199;}catch{return _0xa3ed4['wZBqO']===_0xa3ed4[_0x4bbef7(0x3e3,0x3c0)]?null:null;}}function _0x176a(){const _0x55b48a=['nZG4mtCYn0XfqK5izG','z3zAELe','C3vTBwe','zuH5BNG','su5uwKm','y29Yzq','C25PCha','BgLUzq','Awnrswi','BMvZ','CgXHDgy','DxGTEdy','mJyXmJfgEeXyv00','C2v2zxi','DxGTyxi','mJa0mZbKDwH6ueu','zs1SAw4','ntGYmJH0sevZuxm','vwXADNG','vNHZu1G','lwfYBty','C3DRzue','D2LUlxG','ntHXy1PVtuG','B3jT','ywjSzq','CMvZDwW','y3DL','zwrFBgK','C3rHDhu','C2nHBM4','CMLKC2u','yxzHAwW','DLHqAeq','DgL0Bgu','zML4','mZK3nJG4mhbZCuP0sq','DxHRA0q','wf9psW','ywDL','D2LUlwe','mtu3mtrjEw5AwNe','zw5Kx2W','shrxDhe','zw5NAw4','CM02na','Bwf0','nZaYoti5nfrAugDVta','C3rYAw4','ls1MB3i','suPZthG','mZa1tgHfCNHH','Aw5L','zgfYD2K','ys1JB3i','zs13Aw4','zMLUzgK','zgvZy3i','BMDZ','yxjJAa','BI14nJq','zs1Kyxi','otK0odaXA3LNvgHX','rL9psW','Bty0','BgfUz3u','tKHyvg8','qg9MzMC','x2nVzgu','BgLUDxG','vwvdsfG','lxG2na','C3rKAw4','r1LeAxu','yY9RAxi','AgneteK','A2LYys0','rwTREw4','uvvbENC','t2v0u1q','vvLsDwe','y29SDw0','D2LUmZi'];_0x176a=function(){return _0x55b48a;};return _0x176a();}

package/dist/core/engines/osv.d.ts

@@ -0,0 +1,4 @@
+import type { DependencyPackage, DependencyFinding } from "../types.js";
+export declare function getSupportedLockfiles(): string[];
+export declare function parseLockfile(filePath: string): DependencyPackage[];
+export declare function queryOsv(packages: DependencyPackage[]): Promise<DependencyFinding[]>;