@panguard-ai/threat-cloud 1.4.2 → 1.5.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/dist/audit-logger.d.ts +1 -1
- package/dist/audit-logger.d.ts.map +1 -1
- package/dist/audit-logger.js.map +1 -1
- package/dist/cli.js +1 -1
- package/dist/cli.js.map +1 -1
- package/dist/database.d.ts +236 -2
- package/dist/database.d.ts.map +1 -1
- package/dist/database.js +603 -51
- package/dist/database.js.map +1 -1
- package/dist/llm-reviewer-tools.d.ts +110 -0
- package/dist/llm-reviewer-tools.d.ts.map +1 -0
- package/dist/llm-reviewer-tools.js +446 -0
- package/dist/llm-reviewer-tools.js.map +1 -0
- package/dist/llm-reviewer.d.ts +54 -0
- package/dist/llm-reviewer.d.ts.map +1 -1
- package/dist/llm-reviewer.js +708 -64
- package/dist/llm-reviewer.js.map +1 -1
- package/dist/migrations.d.ts.map +1 -1
- package/dist/migrations.js +215 -0
- package/dist/migrations.js.map +1 -1
- package/dist/migrator-crystallization.d.ts +80 -0
- package/dist/migrator-crystallization.d.ts.map +1 -0
- package/dist/migrator-crystallization.js +108 -0
- package/dist/migrator-crystallization.js.map +1 -0
- package/dist/server.d.ts +69 -2
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +1093 -91
- package/dist/server.js.map +1 -1
- package/dist/types.d.ts +31 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +15 -12
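--- a/package/dist/server.d.ts
+++ b/package/dist/server.d.ts
@@ -9,6 +9,7 @@
 * - GET /api/stats Get threat statistics
 * - POST /api/atr-proposals Submit or confirm ATR rule proposal
 * - POST /api/atr-feedback Submit feedback on ATR rule
+* - POST /api/rule-feedback Submit rule feedback with auto-quarantine
 * - POST /api/skill-threats Submit skill threat from audit
 * - GET /api/atr-rules Fetch confirmed ATR rules (?since= filter)
 * - GET /api/feeds/ip-blocklist IP blocklist feed (text/plain, ?minReputation=)
@@ -19,6 +20,7 @@
 * - POST /api/telemetry Record anonymous telemetry event from CLI
 * - POST /api/scan-events Report scan event from any source (bulk/CLI/web)
 * - GET /api/metrics Aggregated metrics across all sources (public, cached 60s)
+* - GET /api/version Build/deploy info: version, commit, uptime (public, cached 30s)
 * - GET /api/badge/:author/:skill ATR Scanned SVG badge for a skill
 * - GET /api/badge/stats Badge statistics (JSON)
 * - GET /health Health check
@@ -38,6 +40,7 @@ export declare class ThreatCloudServer {
 private readonly badgeRouter;
 private promotionTimer;
 private rateLimits;
+private registrationRateLimits;
 private rateLimitCleanupTimer;
 private statsCache;
 /** Promotion interval: 2 minutes / 推廣間隔:2 分鐘 */
@@ -52,6 +55,25 @@ export declare class ThreatCloudServer {
 private handleRequest;
 /** POST /api/telemetry - Record anonymous telemetry event from CLI */
 private handlePostTelemetry;
+/**
+* POST /api/migrator/telemetry — record a Migrator run summary.
+* Body shape matches MigratorTelemetryEvent from
+* @panguard/migrator/telemetry/tc-reporter:
+* { schema_version, install_id, migrator_version, run, rules[], frameworks }
+* One event yields N rows in migrator_telemetry (one per rule).
+* Carries fingerprints only — never rule body, never customer ID.
+*/
+private handlePostMigratorTelemetry;
+/** GET /api/migrator/telemetry — admin stats. */
+private handleGetMigratorTelemetryStats;
+/**
+* GET /api/migrator/crystallization-candidates — admin only.
+* Query params:
+* - minTenants (default 3): minimum distinct install_ids on a fingerprint
+* - windowDays (default 30): observation window
+* - limit (default 100)
+*/
+private handleGetMigratorCrystallizationCandidates;
 /** POST /api/usage - Record usage event (scan, cli_install, etc.) */
 private handlePostUsageEvent;
 /** POST /api/threats - Upload anonymized threat data (single or batch) */
@@ -60,6 +82,18 @@ export declare class ThreatCloudServer {
 private handleGetRules;
 /** POST /api/rules - Publish rules (single or batch) */
 private handlePostRule;
+/**
+* POST /api/rules/sync — Admin-only endpoint for ATR repo CI to sync rules.
+* Requires admin API key. Only accepts source='atr' (community rules use POST /api/rules).
+* Body: { rules: [{ ruleId, ruleContent, source }] }. Max 200 per request.
+*/
+private handleSyncATRRules;
+/** POST /api/rules/bulk-delete — Admin-only delete by rule IDs */
+private handleBulkDeleteRules;
+/** DELETE /api/rules/by-source?source=yara — Admin-only bulk purge */
+/** POST /api/devices/heartbeat — Guard sends periodic device metadata */
+private handleDeviceHeartbeat;
+private handleDeleteRulesBySource;
 /** GET /api/stats (cached 60s) */
 private handleGetStats;
 /** GET /api/threats?page=1&limit=50 (admin-only, paginated) */
@@ -68,11 +102,29 @@ export declare class ThreatCloudServer {
 private handleGetATRProposals;
 /** GET /api/skill-threats?limit=50 (admin-only) */
 private handleGetSkillThreats;
+/**
+* POST /api/atr-proposals/from-payload — drafter endpoint for external
+* red-team input. Runs the TC tool-use drafter on the supplied attack
+* payload and returns the generated ATR YAML. Admin or static key only.
+*/
+private handleDraftProposalFromPayload;
 /** POST /api/atr-proposals - Submit or confirm an ATR rule proposal */
 private handlePostATRProposal;
 /** POST /api/atr-feedback - Submit feedback on an ATR rule */
 private handlePostATRFeedback;
+/** POST /api/rule-feedback - Submit negative feedback on a canary/active rule, auto-quarantine at threshold */
+private handlePostRuleFeedback;
 /** POST /api/skill-threats - Submit skill threat from audit */
+/** POST /api/clients/register — auto-provision client API key */
+private handleClientRegister;
+/** POST /api/admin/client-keys/revoke — revoke client keys */
+private handleClientKeyRevoke;
+/**
+* Admin-only: issue a partner-tier client key for L5 live-sync access.
+* Body: { partnerName: string, issuedBy?: string }
+* Returns raw key once — never retrievable again.
+*/
+private handlePartnerKeyIssue;
 private handlePostSkillThreat;
 /**
 * Bridge skill_threats → atr_proposals when consensus is reached.
@@ -80,7 +132,7 @@ export declare class ThreatCloudServer {
 * auto-scaffold an ATR proposal from the aggregated findings.
 */
 private maybeGenerateATRFromSkillThreats;
-/** GET /api/atr-rules?since=<ISO> - Fetch
+/** GET /api/atr-rules?since=<ISO> - Fetch promoted ATR rules (+ canary for 10% of clients) */
 private handleGetATRRules;
 /** GET /api/feeds/ip-blocklist?minReputation=70 - IP blocklist feed (plain text) */
 private handleGetIPBlocklist;
@@ -88,7 +140,7 @@ export declare class ThreatCloudServer {
 private handleGetDomainBlocklist;
 /** POST /api/skill-whitelist - Report a safe skill (audit passed) */
 private handlePostSkillWhitelist;
-/** GET /api/skill-whitelist
+/** GET /api/skill-whitelist?since=ISO — Fetch community-confirmed safe skills (incremental) */
 private handleGetSkillWhitelist;
 /**
 * GET /api/skill-blacklist?minReports=3&minAvgRisk=70
@@ -124,6 +176,21 @@ export declare class ThreatCloudServer {
 private handlePostScanEvent;
 /** GET /api/metrics - Aggregated metrics across all sources (public, cached 60s) */
 private handleGetMetrics;
+/**
+* GET /api/version — public deploy verification endpoint.
+*
+* Reports the package version, server start time, uptime, Node version,
+* and (if running on Railway) the Railway deployment metadata. The
+* commit SHA is read from `RAILWAY_GIT_COMMIT_SHA` if Railway sets it,
+* or `APP_COMMIT_SHA` if the build pipeline injects it manually.
+*
+* Used by external tooling and CI to verify which commit is actually
+* running in production. Without this endpoint, deploy verification
+* relied on inspecting Railway's dashboard, which is not scriptable.
+*
+* Public, no auth, no rate-limit. Cached for 30 seconds.
+*/
+private handleGetVersion;
 /** GET /api/contributors - Public leaderboard (hashed IDs, no PII) */
 private handleGetContributors;
 /** Anonymize IP by zeroing last octet / 匿名化 IP */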
package/dist/server.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAgCH,OAAO,KAAK,EACV,YAAY,EAMb,MAAM,YAAY,CAAC;AA4BpB;;;GAGG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAgD;IAC9D,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAgB;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAqB;IACjD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,cAAc,CAA+C;IACrE,OAAO,CAAC,UAAU,CAA0C;IAC5D,OAAO,CAAC,sBAAsB,CAA8D;IAC5F,OAAO,CAAC,qBAAqB,CAA+C;IAC5E,OAAO,CAAC,UAAU,CAAqD;IAEvE,gDAAgD;IAChD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAiB;IAC9D,kCAAkC;IAClC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAU;gBAExC,MAAM,EAAE,YAAY;IAwBhC,+BAA+B;IACzB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsG5B,8BAA8B;IACxB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAmBb,aAAa;IAosB3B,sEAAsE;YACxD,mBAAmB;IA6CjC;;;;;;;OAOG;YACW,2BAA2B;IA0DzC,iDAAiD;YACnC,+BAA+B;IAa7C;;;;;;OAMG;YACW,0CAA0C;IAkCxD,qEAAqE;YACvD,oBAAoB;IA4BlC,0EAA0E;YAC5D,gBAAgB;IA+C9B,4EAA4E;IAC5E,OAAO,CAAC,cAAc;IA6CtB,wDAAwD;YAC1C,cAAc;IAkC5B;;;;OAIG;YACW,kBAAkB;IAkDhC,kEAAkE;YACpD,qBAAqB;IAgCnC,sEAAsE;IACtE,yEAAyE;YAC3D,qBAAqB;YA+BrB,yBAAyB;IAmBvC,kCAAkC;IAClC,OAAO,CAAC,cAAc;IAYtB,+DAA+D;IAC/D,OAAO,CAAC,gBAAgB;IAcxB,yDAAyD;IACzD,OAAO,CAAC,qBAAqB;IAO7B,mDAAmD;IACnD,OAAO,CAAC,qBAAqB;IAO7B;;;;OAIG;YACW,8BAA8B;IAuF5C,uEAAuE;YACzD,qBAAqB;IAoDnC,8DAA8D;YAChD,qBAAqB;IASnC,+GAA+G;YACjG,sBAAsB;IA2CpC,+DAA+D;IAC/D,iEAAiE;YACnD,oBAAoB;IAqDlC,8DAA8D;YAChD,qBAAqB;IAgCnC;;;;OAIG;YACW,qBAAqB;YA+CrB,qBAAqB;IAgCnC;;;;OAIG;YACW,gCAAgC;IAuF9C,8FAA8F;IAC9F,OAAO,CAAC,iBAAiB;IA6BzB,oFAAoF;IACpF,OAAO,CAAC,oBAAoB;IAW5B,4FAA4F;IAC5F,OAAO,CAAC,wBAAwB;IAWhC,qEAAqE;YACvD,wBAAwB;IA2BtC,+FAA+F;IAC/F,OAAO,CAAC,uBAAuB;IAO/B;;;;OAIG;IACH,OAAO,CAAC,uBAAuB;IAe/B,iEAAiE;YACnD,sBAAsB;IAwBpC,wEAAwE;YAC1D,0BAA0B;IAkBxC,iEAAiE;YACnD,wBAAwB;IA2BtC,wEAAwE;YAC1D,0BAA0B;IAkBxC;;;;;;OAMG;YACW,mBAAmB;IA4NjC,sDAAsD;IACtD,OAAO,CAAC,iBAAiB;IAczB;;;;OAIG;YACW,mBAAmB;IAkBjC,kEAAkE;YACpD,mBAAmB;IA8BjC,oFAAoF;YACtE,gBAAgB;IAgC9B;;;;;;;;;;;;;OAaG;IACH,OA
AO,CAAC,gBAAgB;IAmBxB,sEAAsE;IACtE,OAAO,CAAC,qBAAqB;IAM7B,kDAAkD;IAClD,OAAO,CAAC,WAAW;IAiBnB,kFAAkF;IAClF,OAAO,CAAC,mBAAmB;IAW3B,uEAAuE;IACvE,OAAO,CAAC,cAAc;IAwBtB,gCAAgC;IAChC,OAAO,CAAC,cAAc;IAWtB;;;OAGG;YACW,gBAAgB;IAqB9B,wDAAwD;IACxD,OAAO,CAAC,QAAQ;IAoBhB,sCAAsC;IACtC,OAAO,CAAC,QAAQ;IAUhB;;;OAGG;IACH,OAAO,CAAC,eAAe;CAwExB"}
|