@omnidev-ai/core 0.11.0 → 0.12.0

package/dist/index.d.ts

@@ -467,16 +467,25 @@ type CapabilitySourceConfig = string | GitCapabilitySourceConfig | FileCapabilit
 * Type guard to check if a source config is a FileCapabilitySourceConfig
 */
 declare function isFileSourceConfig(config: CapabilitySourceConfig): config is FileCapabilitySourceConfig;
+/**
+* Source where the version was detected from.
+* Used for debugging and auditing to understand version provenance.
+*/
+type VersionSource = "capability.toml" | "plugin.json" | "package.json" | "commit" | "content_hash";
 /** Lock file entry for a capability (version tracking) */
 interface CapabilityLockEntry {
 	/** Original source reference */
 	source: string;
-	/** Version from capability.toml or package.json */
+	/** Version from capability.toml, plugin.json, package.json, or fallback */
 	version: string;
+	/** Where the version was detected from (for auditing/debugging) */
+	version_source?: VersionSource;
 	/** For git sources: exact commit hash */
 	commit?: string;
 	/** Pinned ref if specified */
 	ref?: string;
+	/** For file sources: SHA-256 hash of content for reproducibility */
+	content_hash?: string;
 	/** Last update timestamp (ISO 8601) */
 	updated_at: string;
 }
@@ -500,6 +509,37 @@ interface CapabilitiesConfig {
 interface ProfileConfig {
 	capabilities?: string[];
 }
+/**
+* Security scan mode
+* - off: No scanning (default)
+* - warn: Report findings but continue
+* - error: Report findings and fail sync
+*/
+type SecurityMode = "off" | "warn" | "error";
+/**
+* Individual scan toggles for security scanning
+*/
+interface ScanSettings {
+	/** Detect suspicious Unicode characters (bidi overrides, zero-width, control chars) */
+	unicode?: boolean;
+	/** Detect symlinks inside capability directories */
+	symlinks?: boolean;
+	/** Detect suspicious patterns in scripts/hooks */
+	scripts?: boolean;
+	/** Detect binary files in content folders */
+	binaries?: boolean;
+}
+/**
+* Security configuration section in omni.toml
+*/
+interface SecurityConfig {
+	/** Scan mode: off, warn, or error (default: off) */
+	mode?: SecurityMode;
+	/** Trusted source patterns (host/org/repo) that skip scanning */
+	trusted_sources?: string[];
+	/** Individual scan settings */
+	scan?: ScanSettings;
+}
 interface OmniConfig {
 	profiles?: Record<string, ProfileConfig>;
 	providers?: {
@@ -509,6 +549,8 @@ interface OmniConfig {
 	capabilities?: CapabilitiesConfig;
 	/** MCP server definitions that auto-generate capabilities */
 	mcps?: Record<string, McpConfig>;
+	/** Security scanning configuration */
+	security?: SecurityConfig;
 }
 type Provider = "claude" | "codex" | "claude-code" | "cursor" | "opencode";
 interface ProviderConfig {
@@ -652,8 +694,12 @@ interface FetchResult {
 	id: string;
 	path: string;
 	version: string;
+	/** Source where version was detected from */
+	versionSource: VersionSource;
 	/** Git commit hash */
 	commit?: string;
+	/** Content hash for file sources (SHA-256) */
+	contentHash?: string;
 	updated: boolean;
 	wrapped: boolean;
 }
@@ -1086,9 +1132,7 @@ declare function writeMcpJson(config: McpJsonConfig): Promise<void>;
 * Each capability with an [mcp] section is registered using its capability ID.
 * Uses the previous manifest to track which MCPs were managed by OmniDev.
 */
-declare function syncMcpJson(capabilities: LoadedCapability[], previousManifest: ResourceManifest, options?: {
-	silent?: boolean;
-}): Promise<void>;
+declare function syncMcpJson(capabilities: LoadedCapability[], previousManifest: ResourceManifest): Promise<void>;
 /**
 * Read the active profile from state file.
 * Returns null if no active profile is set in state.
@@ -1131,6 +1175,130 @@ declare function disableProvider(providerId: ProviderId): Promise<void>;
 * @param providerId - The provider to check
 */
 declare function isProviderEnabled(providerId: ProviderId): Promise<boolean>;
+/**
+* Severity level for security findings
+*/
+type FindingSeverity = "low" | "medium" | "high" | "critical";
+/**
+* Types of security findings
+*/
+type FindingType = "unicode_bidi" | "unicode_zero_width" | "unicode_control" | "symlink_escape" | "symlink_absolute" | "suspicious_script" | "binary_file";
+/**
+* A security finding (potential issue)
+*/
+interface SecurityFinding {
+	/** Type of finding */
+	type: FindingType;
+	/** Severity level */
+	severity: FindingSeverity;
+	/** File path relative to capability root */
+	file: string;
+	/** Line number (if applicable) */
+	line?: number;
+	/** Column number (if applicable) */
+	column?: number;
+	/** Human-readable description */
+	message: string;
+	/** Additional details (e.g., specific codepoints found) */
+	details?: string;
+}
+/**
+* Result of scanning a capability
+*/
+interface ScanResult {
+	/** Capability ID */
+	capabilityId: string;
+	/** Capability path */
+	path: string;
+	/** List of findings */
+	findings: SecurityFinding[];
+	/** Whether the scan passed (no findings or mode=warn) */
+	passed: boolean;
+	/** Scan duration in milliseconds */
+	duration: number;
+}
+/**
+* Overall scan summary
+*/
+interface ScanSummary {
+	/** Total capabilities scanned */
+	totalCapabilities: number;
+	/** Capabilities with findings */
+	capabilitiesWithFindings: number;
+	/** Total findings */
+	totalFindings: number;
+	/** Findings by type */
+	findingsByType: Record<FindingType, number>;
+	/** Findings by severity */
+	findingsBySeverity: Record<FindingSeverity, number>;
+	/** Individual scan results */
+	results: ScanResult[];
+	/** Whether all scans passed */
+	allPassed: boolean;
+}
+/**
+* Default security configuration
+*/
+declare const DEFAULT_SECURITY_CONFIG: Required<SecurityConfig>;
+/**
+* Default scan settings
+*/
+declare const DEFAULT_SCAN_SETTINGS: Required<ScanSettings>;
+/**
+* Security allows state structure
+*/
+interface SecurityAllowsState {
+	/** Schema version */
+	version: 1;
+	/** Timestamp of last modification */
+	modifiedAt: string;
+	/** Map of capability ID -> array of allowed finding types */
+	allows: Record<string, FindingType[]>;
+}
+/**
+* An individual security allow entry
+*/
+interface SecurityAllow {
+	capabilityId: string;
+	findingType: FindingType;
+}
+/**
+* Read the security allows from local state.
+* Returns empty state if no file exists.
+*/
+declare function readSecurityAllows(): Promise<SecurityAllowsState>;
+/**
+* Write security allows to local state.
+*/
+declare function writeSecurityAllows(state: SecurityAllowsState): Promise<void>;
+/**
+* Add an allow for a specific capability and finding type.
+*/
+declare function addSecurityAllow(capabilityId: string, findingType: FindingType): Promise<boolean>;
+/**
+* Remove an allow for a specific capability and finding type.
+*/
+declare function removeSecurityAllow(capabilityId: string, findingType: FindingType): Promise<boolean>;
+/**
+* Check if a finding type is allowed for a capability.
+*/
+declare function isSecurityAllowed(capabilityId: string, findingType: FindingType): Promise<boolean>;
+/**
+* Get all allows for a capability.
+*/
+declare function getCapabilityAllows(capabilityId: string): Promise<FindingType[]>;
+/**
+* Get all security allows as a flat list.
+*/
+declare function getAllSecurityAllows(): Promise<SecurityAllow[]>;
+/**
+* Clear all allows for a capability.
+*/
+declare function clearCapabilityAllows(capabilityId: string): Promise<boolean>;
+/**
+* Clear all security allows.
+*/
+declare function clearAllSecurityAllows(): Promise<void>;
 interface SyncResult {
 	capabilities: string[];
 	skillCount: number;
@@ -1143,8 +1311,8 @@ interface SyncOptions {
 	adapters?: ProviderAdapter[];
 }
 /**
-* Install dependencies for capabilities in .omni/capabilities/
-* Only installs for capabilities that have a package.json
+* Install dependencies and build TypeScript capabilities in .omni/capabilities/
+* Only processes capabilities that have a package.json
 */
 declare function installCapabilityDependencies(silent: boolean): Promise<void>;
 /**
@@ -1164,6 +1332,21 @@ declare function buildSyncBundle(options?: {
 */
 declare function syncAgentConfiguration(options?: SyncOptions): Promise<SyncResult>;
 /**
+* Scan a single capability directory
+*/
+declare function scanCapability(capabilityId: string, capabilityPath: string, settings?: ScanSettings): Promise<ScanResult>;
+/**
+* Scan multiple capabilities and produce a summary
+*/
+declare function scanCapabilities(capabilities: Array<{
+	id: string;
+	path: string;
+}>, config?: SecurityConfig): Promise<ScanSummary>;
+/**
+* Format scan results for console output
+*/
+declare function formatScanResults(summary: ScanSummary, verbose?: boolean): string;
+/**
 * Template for AGENTS.md (Codex provider)
 * Creates a minimal file - actual content is generated during sync from OMNI.md + instructions
 */
@@ -1214,4 +1397,4 @@ declare function generateOmniMdTemplate(): string;
 declare function debug(message: string, data?: unknown): void;
 declare const version = "0.1.0";
 declare function getVersion(): string;
-export { writeProviderConfig, writeMcpJson, writeEnabledProviders, writeConfig, writeActiveProfileState, version, validateHooksConfig, validateHook, transformToOmnidev, transformToClaude, transformHooksConfig, syncMcpJson, syncAgentConfiguration, sourceToGitUrl, setProfile, setActiveProfile, saveManifest, saveLockFile, resolveEnabledCapabilities, readMcpJson, readEnabledProviders, readCapabilityIdFromPath, readActiveProfileState, patchAddToProfile, patchAddMcp, patchAddCapabilitySource, parseSourceConfig, parseProviderFlag, parseOmniConfig, parseFileSourcePath, parseCapabilityConfig, mergeHooksConfigs, mergeAndDeduplicateHooks, loadSubagents, loadSkills, loadRules, loadProviderConfig, loadProfileConfig, loadManifest, loadLockFile, loadHooksFromCapability, loadDocs, loadConfig, loadCommands, loadCapabilityHooks, loadCapabilityConfig, loadCapability, loadBaseConfig, isValidMatcherPattern, isProviderEnabled, isPromptHookEvent, isMatcherEvent, isHookType, isHookPrompt, isHookEvent, isHookCommand, isGitSource, isFileSourceConfig, isFileSource, installCapabilityDependencies, hasHooks, hasAnyHooks, getVersion, getSourceCapabilityPath, getLockFilePath, getHooksDirectory, getHooksConfigPath, getEventsWithHooks, getEnabledCapabilities, getActiveProviders, getActiveProfile, generateSkillTemplate, generateRuleTemplate, generateOmniMdTemplate, generateHooksTemplate, generateHookScript, generateClaudeTemplate, generateCapabilityToml, generateAgentsTemplate, findDuplicateCommands, fetchCapabilitySource, fetchAllCapabilitySources, enableProvider, enableCapability, discoverCapabilities, disableProvider, disableCapability, debug, createEmptyValidationResult, createEmptyHooksConfig, countHooks, containsOmnidevVariables, containsClaudeVariables, clearActiveProfileState, cleanupStaleResources, checkForUpdates, buildSyncBundle, buildRouteMap, buildManifestFromCapabilities, buildCommand, buildCapabilityRegistry, ValidationSeverity, VARIABLE_MAPPINGS, SyncResult, SyncOptions, SyncConfig, SyncBundle, SubagentPermissionMode, SubagentModel, SubagentHooks, SubagentHookConfig, SubagentExport, Subagent, SourceUpdateInfo, SkillExport, Skill, SessionStartMatcher, SESSION_START_MATCHERS, Rule, ResourceManifest, ProvidersState, ProviderSyncResult, ProviderManifest, ProviderInitResult, ProviderId, ProviderContext, ProviderConfig, ProviderAdapter, Provider, PromptHookEvent, ProfileConfig, PreCompactMatcher, PROMPT_HOOK_EVENTS, PRE_COMPACT_MATCHERS, OmnidevVariable, OmniConfig, NotificationMatcher, NOTIFICATION_MATCHERS, McpTransport, McpToolSchema, McpServerStdioConfig, McpServerSseConfig, McpServerHttpConfig, McpServerConfig, McpJsonConfig, McpConfig, MatcherEvent, MATCHER_EVENTS, LoadedCapability, LoadHooksResult, LoadHooksOptions, HooksDoctorResult, HooksDoctorCheck, HooksConfig, HookValidationResult, HookValidationIssue, HookValidationCode, HookType, HookPrompt, HookMatcher, HookEvent, HookCommand, Hook, HOOK_TYPES, HOOK_EVENTS, HOOKS_DIRECTORY, HOOKS_CONFIG_FILENAME, GitCapabilitySourceConfig, FileContent, FileCapabilitySourceConfig, FetchResult, DoctorCheckStatus, DocExport, Doc, DiscoveredContent, DeduplicateOptions, DEFAULT_PROMPT_TIMEOUT, DEFAULT_COMMAND_TIMEOUT, CommandExport, Command, CliConfig, CleanupResult, ClaudeVariable, CapabilityTemplateOptions, CapabilitySourceType, CapabilitySourceConfig, CapabilitySource, CapabilityResources, CapabilityRegistry, CapabilityMetadata, CapabilityLockEntry, CapabilityHooks, CapabilityExports, CapabilityExport, CapabilityConfig, CapabilitiesLockFile, CapabilitiesConfig, COMMON_TOOL_MATCHERS };
+export { writeSecurityAllows, writeProviderConfig, writeMcpJson, writeEnabledProviders, writeConfig, writeActiveProfileState, version, validateHooksConfig, validateHook, transformToOmnidev, transformToClaude, transformHooksConfig, syncMcpJson, syncAgentConfiguration, sourceToGitUrl, setProfile, setActiveProfile, scanCapability, scanCapabilities, saveManifest, saveLockFile, resolveEnabledCapabilities, removeSecurityAllow, readSecurityAllows, readMcpJson, readEnabledProviders, readCapabilityIdFromPath, readActiveProfileState, patchAddToProfile, patchAddMcp, patchAddCapabilitySource, parseSourceConfig, parseProviderFlag, parseOmniConfig, parseFileSourcePath, parseCapabilityConfig, mergeHooksConfigs, mergeAndDeduplicateHooks, loadSubagents, loadSkills, loadRules, loadProviderConfig, loadProfileConfig, loadManifest, loadLockFile, loadHooksFromCapability, loadDocs, loadConfig, loadCommands, loadCapabilityHooks, loadCapabilityConfig, loadCapability, loadBaseConfig, isValidMatcherPattern, isSecurityAllowed, isProviderEnabled, isPromptHookEvent, isMatcherEvent, isHookType, isHookPrompt, isHookEvent, isHookCommand, isGitSource, isFileSourceConfig, isFileSource, installCapabilityDependencies, hasHooks, hasAnyHooks, getVersion, getSourceCapabilityPath, getLockFilePath, getHooksDirectory, getHooksConfigPath, getEventsWithHooks, getEnabledCapabilities, getCapabilityAllows, getAllSecurityAllows, getActiveProviders, getActiveProfile, generateSkillTemplate, generateRuleTemplate, generateOmniMdTemplate, generateHooksTemplate, generateHookScript, generateClaudeTemplate, generateCapabilityToml, generateAgentsTemplate, formatScanResults, findDuplicateCommands, fetchCapabilitySource, fetchAllCapabilitySources, enableProvider, enableCapability, discoverCapabilities, disableProvider, disableCapability, debug, createEmptyValidationResult, createEmptyHooksConfig, countHooks, containsOmnidevVariables, containsClaudeVariables, clearCapabilityAllows, clearAllSecurityAllows, clearActiveProfileState, cleanupStaleResources, checkForUpdates, buildSyncBundle, buildRouteMap, buildManifestFromCapabilities, buildCommand, buildCapabilityRegistry, addSecurityAllow, VersionSource, ValidationSeverity, VARIABLE_MAPPINGS, SyncResult, SyncOptions, SyncConfig, SyncBundle, SubagentPermissionMode, SubagentModel, SubagentHooks, SubagentHookConfig, SubagentExport, Subagent, SourceUpdateInfo, SkillExport, Skill, SessionStartMatcher, SecurityMode, SecurityFinding, SecurityConfig, SecurityAllowsState, SecurityAllow, ScanSummary, ScanSettings, ScanResult, SESSION_START_MATCHERS, Rule, ResourceManifest, ProvidersState, ProviderSyncResult, ProviderManifest, ProviderInitResult, ProviderId, ProviderContext, ProviderConfig, ProviderAdapter, Provider, PromptHookEvent, ProfileConfig, PreCompactMatcher, PROMPT_HOOK_EVENTS, PRE_COMPACT_MATCHERS, OmnidevVariable, OmniConfig, NotificationMatcher, NOTIFICATION_MATCHERS, McpTransport, McpToolSchema, McpServerStdioConfig, McpServerSseConfig, McpServerHttpConfig, McpServerConfig, McpJsonConfig, McpConfig, MatcherEvent, MATCHER_EVENTS, LoadedCapability, LoadHooksResult, LoadHooksOptions, HooksDoctorResult, HooksDoctorCheck, HooksConfig, HookValidationResult, HookValidationIssue, HookValidationCode, HookType, HookPrompt, HookMatcher, HookEvent, HookCommand, Hook, HOOK_TYPES, HOOK_EVENTS, HOOKS_DIRECTORY, HOOKS_CONFIG_FILENAME, GitCapabilitySourceConfig, FindingType, FindingSeverity, FileContent, FileCapabilitySourceConfig, FetchResult, DoctorCheckStatus, DocExport, Doc, DiscoveredContent, DeduplicateOptions, DEFAULT_SECURITY_CONFIG, DEFAULT_SCAN_SETTINGS, DEFAULT_PROMPT_TIMEOUT, DEFAULT_COMMAND_TIMEOUT, CommandExport, Command, CliConfig, CleanupResult, ClaudeVariable, CapabilityTemplateOptions, CapabilitySourceType, CapabilitySourceConfig, CapabilitySource, CapabilityResources, CapabilityRegistry, CapabilityMetadata, CapabilityLockEntry, CapabilityHooks, CapabilityExports, CapabilityExport, CapabilityConfig, CapabilitiesLockFile, CapabilitiesConfig, COMMON_TOOL_MATCHERS };