@phuetz/code-buddy 0.1.13 → 0.1.15

package/dist/security/dangerous-patterns.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Centralized Dangerous Patterns Registry
+ *
+ * Single source of truth for all dangerous pattern detection across:
+ * - Bash command validation (bash tool, command-validator)
+ * - Skill scanner (static analysis of SKILL.md files)
+ * - Input validators (validators.ts)
+ * - Bash parser (containsDangerousCommand)
+ * - Code validator (generated code checks)
+ *
+ * Consolidates patterns previously scattered across 4+ files.
+ */
+export type PatternSeverity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+export type PatternCategory = 'filesystem_destruction' | 'remote_code_execution' | 'command_injection' | 'privilege_escalation' | 'network_exfiltration' | 'encoding_bypass' | 'code_execution' | 'dynamic_import' | 'prototype_pollution' | 'secret_exposure' | 'shell_injection' | 'system_control' | 'credential_access';
+export interface DangerousPattern {
+    /** Regex to match */
+    pattern: RegExp;
+    /** Severity level */
+    severity: PatternSeverity;
+    /** Human-readable description */
+    description: string;
+    /** Short identifier */
+    name: string;
+    /** Classification category */
+    category: PatternCategory;
+    /** Which subsystems use this pattern */
+    appliesTo: Array<'bash' | 'skill' | 'code' | 'command'>;
+}
+/**
+ * Commands that are always dangerous regardless of arguments.
+ * Used by bash-parser's containsDangerousCommand() and bash tool's BLOCKED_COMMANDS.
+ */
+export declare const DANGEROUS_COMMANDS: ReadonlySet<string>;
+/**
+ * Patterns that should block command execution.
+ * Merged from bash tool's BLOCKED_PATTERNS + validators DANGEROUS_COMMAND_PATTERNS.
+ */
+export declare const DANGEROUS_BASH_PATTERNS: DangerousPattern[];
+/**
+ * Patterns for scanning code content (skill files, LLM output).
+ * Merged from skill-scanner's DANGEROUS_PATTERNS + new additions.
+ */
+export declare const DANGEROUS_CODE_PATTERNS: DangerousPattern[];
+/**
+ * Get all patterns applicable to a specific subsystem.
+ */
+export declare function getPatternsFor(subsystem: 'bash' | 'skill' | 'code' | 'command'): DangerousPattern[];
+/**
+ * Get patterns at or above a given severity level.
+ */
+export declare function getPatternsBySeverity(minSeverity: PatternSeverity, patterns?: DangerousPattern[]): DangerousPattern[];
+/**
+ * Get patterns by category.
+ */
+export declare function getPatternsByCategory(category: PatternCategory, patterns?: DangerousPattern[]): DangerousPattern[];
+/**
+ * Check if a string matches any dangerous pattern for the given subsystem.
+ * Returns the first matching pattern or null.
+ */
+export declare function matchDangerousPattern(text: string, subsystem: 'bash' | 'skill' | 'code' | 'command'): DangerousPattern | null;
+/**
+ * Check if a string matches any dangerous patterns, returning all matches.
+ */
+export declare function matchAllDangerousPatterns(text: string, subsystem: 'bash' | 'skill' | 'code' | 'command'): DangerousPattern[];
+/**
+ * Check if a command name is in the dangerous commands set.
+ */
+export declare function isDangerousCommand(commandName: string): boolean;

package/dist/security/dangerous-patterns.js

@@ -0,0 +1,218 @@
+/**
+ * Centralized Dangerous Patterns Registry
+ *
+ * Single source of truth for all dangerous pattern detection across:
+ * - Bash command validation (bash tool, command-validator)
+ * - Skill scanner (static analysis of SKILL.md files)
+ * - Input validators (validators.ts)
+ * - Bash parser (containsDangerousCommand)
+ * - Code validator (generated code checks)
+ *
+ * Consolidates patterns previously scattered across 4+ files.
+ */
+// ============================================================================
+// Dangerous Commands (for parsed command name matching)
+// ============================================================================
+/**
+ * Commands that are always dangerous regardless of arguments.
+ * Used by bash-parser's containsDangerousCommand() and bash tool's BLOCKED_COMMANDS.
+ */
+export const DANGEROUS_COMMANDS = new Set([
+    // Destructive file operations
+    'rm', 'shred', 'wipefs', 'rmdir',
+    // Disk operations
+    'mkfs', 'fdisk', 'parted', 'dd',
+    // Permission changes
+    'chmod', 'chown', 'chgrp',
+    // Privilege escalation
+    'sudo', 'su', 'doas',
+    // Network tools (dangerous modes)
+    'nc', 'netcat', 'ncat', 'socat',
+    // Insecure protocols
+    'telnet', 'ftp',
+    // Port scanning / packet capture
+    'nmap', 'masscan', 'tcpdump', 'wireshark', 'tshark',
+    // Process tracing / debugging
+    'strace', 'ltrace', 'ptrace', 'gdb', 'lldb',
+    // System control
+    'reboot', 'shutdown', 'poweroff', 'halt',
+    'init', 'systemctl', 'service',
+    // Firewall
+    'iptables', 'ip6tables', 'nft', 'firewall-cmd',
+    // Mount operations
+    'mount', 'umount',
+    // Kernel modules
+    'insmod', 'rmmod', 'modprobe', 'sysctl',
+    // Scheduled tasks
+    'crontab', 'at',
+    // User management
+    'useradd', 'userdel', 'usermod', 'groupadd',
+    'passwd', 'chpasswd', 'visudo',
+    // SSH / GPG / certs
+    'ssh-keygen', 'ssh-add', 'gpg', 'openssl',
+    // Kill (process control)
+    'kill', 'killall', 'pkill',
+]);
+// ============================================================================
+// Dangerous Bash Patterns (regex-based, for full command strings)
+// ============================================================================
+/**
+ * Patterns that should block command execution.
+ * Merged from bash tool's BLOCKED_PATTERNS + validators DANGEROUS_COMMAND_PATTERNS.
+ */
+export const DANGEROUS_BASH_PATTERNS = [
+    // --- Filesystem destruction ---
+    { pattern: /rm\s+(-rf?|--recursive)\s+[/~]/i, severity: 'critical', description: 'Recursive force delete from root or home', name: 'rm-rf-root', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    { pattern: /rm\s+.*\/\s*$/i, severity: 'high', description: 'Delete ending with directory path', name: 'rm-dir-path', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    { pattern: />\s*\/dev\/sd[a-z]/i, severity: 'critical', description: 'Write to disk device', name: 'write-disk-device', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    { pattern: /dd\s+.*if=.*of=\/dev/i, severity: 'critical', description: 'dd to disk device', name: 'dd-device', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    { pattern: /mkfs/i, severity: 'critical', description: 'Format filesystem', name: 'mkfs', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    { pattern: /:\(\)\s*\{\s*:\|:&\s*\};:/, severity: 'critical', description: 'Fork bomb', name: 'fork-bomb', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    { pattern: /chmod\s+-R\s+777\s+\//i, severity: 'critical', description: 'chmod 777 on root', name: 'chmod-777-root', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    { pattern: />\s*\/etc\/(passwd|shadow|sudoers)/i, severity: 'critical', description: 'Overwrite system files', name: 'overwrite-sys-files', category: 'filesystem_destruction', appliesTo: ['bash', 'command'] },
+    // --- Remote code execution via pipe to shell ---
+    { pattern: /wget.*\|\s*(ba)?sh/i, severity: 'critical', description: 'wget | sh (remote code execution)', name: 'wget-pipe-sh', category: 'remote_code_execution', appliesTo: ['bash', 'command'] },
+    { pattern: /curl.*\|\s*(ba)?sh/i, severity: 'critical', description: 'curl | sh (remote code execution)', name: 'curl-pipe-sh', category: 'remote_code_execution', appliesTo: ['bash', 'command'] },
+    { pattern: /sudo\s+(rm|dd|mkfs)/i, severity: 'critical', description: 'Sudo with dangerous command', name: 'sudo-dangerous', category: 'privilege_escalation', appliesTo: ['bash', 'command'] },
+    // --- Command injection via substitution ---
+    { pattern: /\$\([^)]*(?:rm|dd|mkfs|chmod|chown|curl|wget|nc|netcat|bash|sh|eval|exec)/i, severity: 'high', description: 'Dangerous command in $() substitution', name: 'subst-dangerous', category: 'command_injection', appliesTo: ['bash'] },
+    { pattern: /`[^`]*(?:rm|dd|mkfs|chmod|chown|curl|wget|nc|netcat|bash|sh|eval|exec)/i, severity: 'high', description: 'Dangerous command in backtick substitution', name: 'backtick-dangerous', category: 'command_injection', appliesTo: ['bash'] },
+    // --- Secret variable expansion ---
+    { pattern: /\$\{?(?:GROK_API_KEY|AWS_SECRET|AWS_ACCESS_KEY|AWS_SESSION_TOKEN|GITHUB_TOKEN|NPM_TOKEN|MORPH_API_KEY|DATABASE_URL|DB_PASSWORD|SECRET_KEY|PRIVATE_KEY|API_KEY|API_SECRET|AUTH_TOKEN|ACCESS_TOKEN|OPENAI_API_KEY|ANTHROPIC_API_KEY|SLACK_TOKEN|DISCORD_TOKEN)\}?/i, severity: 'high', description: 'Secret variable expansion', name: 'secret-var-expand', category: 'secret_exposure', appliesTo: ['bash'] },
+    // --- Eval and exec injection ---
+    { pattern: /\beval\s+.*\$/i, severity: 'high', description: 'eval with variable expansion', name: 'eval-var', category: 'code_execution', appliesTo: ['bash', 'command'] },
+    { pattern: /\bexec\s+\d*[<>]/i, severity: 'high', description: 'exec with redirections', name: 'exec-redirect', category: 'code_execution', appliesTo: ['bash', 'command'] },
+    // --- Encoding bypass attempts ---
+    { pattern: /\\x[0-9a-f]{2}/i, severity: 'high', description: 'Hex escape sequences', name: 'hex-escape', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\\[0-7]{3}/, severity: 'high', description: 'Octal escape sequences', name: 'octal-escape', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\$'\\x/i, severity: 'high', description: 'ANSI-C quoting with hex', name: 'ansi-c-hex', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\$'\\[0-7]/, severity: 'high', description: 'ANSI-C quoting with octal', name: 'ansi-c-octal', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\$'[^']*\\[nrtbfv]/i, severity: 'medium', description: 'ANSI-C with special escape sequences', name: 'ansi-c-special', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /base64\s+(-d|--decode).*\|\s*(ba)?sh/i, severity: 'critical', description: 'Base64 decode piped to shell', name: 'base64-pipe-sh', category: 'encoding_bypass', appliesTo: ['bash', 'command'] },
+    // --- Network exfiltration ---
+    { pattern: /\|\s*(nc|netcat|curl|wget)\s+[^|]*(>|>>)/i, severity: 'high', description: 'Pipe to network tool with redirect', name: 'net-redirect', category: 'network_exfiltration', appliesTo: ['bash'] },
+    { pattern: />\s*\/dev\/(tcp|udp)\//i, severity: 'critical', description: 'Bash network redirection', name: 'dev-tcp', category: 'network_exfiltration', appliesTo: ['bash'] },
+    { pattern: /\bnc\s+-[elp]/i, severity: 'high', description: 'Netcat listen/exec modes', name: 'nc-listen', category: 'network_exfiltration', appliesTo: ['bash'] },
+    { pattern: /\bbash\s+-i\s+>&?\s*\/dev\/(tcp|udp)/i, severity: 'critical', description: 'Bash reverse shell', name: 'bash-reverse-shell', category: 'network_exfiltration', appliesTo: ['bash'] },
+    { pattern: /nc\s+.*-e\s+.*sh/i, severity: 'critical', description: 'Netcat reverse shell', name: 'nc-reverse-shell', category: 'network_exfiltration', appliesTo: ['bash', 'command'] },
+    // --- Additional bypass patterns ---
+    { pattern: /\bprintf\s+['"]%b['"].*\\x/i, severity: 'high', description: 'printf %b with hex (bypass attempt)', name: 'printf-hex', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\becho\s+-e\s+.*\\x/i, severity: 'high', description: 'echo -e with hex', name: 'echo-hex', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\becho\s+\$'\\x/i, severity: 'high', description: 'echo with ANSI-C quoting', name: 'echo-ansi', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\bxxd\s+-r.*\|\s*(ba)?sh/i, severity: 'critical', description: 'xxd decode to shell', name: 'xxd-pipe-sh', category: 'encoding_bypass', appliesTo: ['bash'] },
+    { pattern: /\bpython[23]?\s+-c\s+['"].*(?:exec|eval|os\.system|subprocess|__import__)/i, severity: 'high', description: 'Python code execution', name: 'python-exec', category: 'code_execution', appliesTo: ['bash'] },
+    { pattern: /\bperl\s+-e\s+['"].*(?:system|exec|`)/i, severity: 'high', description: 'Perl code execution', name: 'perl-exec', category: 'code_execution', appliesTo: ['bash'] },
+    { pattern: /\bruby\s+-e\s+['"].*(?:system|exec|`)/i, severity: 'high', description: 'Ruby code execution', name: 'ruby-exec', category: 'code_execution', appliesTo: ['bash'] },
+    { pattern: /\bnode\s+-e\s+['"].*(?:exec|spawn|child_process)/i, severity: 'high', description: 'Node.js code execution', name: 'node-exec', category: 'code_execution', appliesTo: ['bash'] },
+    { pattern: /\bawk\s+.*\bsystem\s*\(/i, severity: 'high', description: 'awk system() call', name: 'awk-system', category: 'code_execution', appliesTo: ['bash'] },
+    { pattern: /\bsed\s+.*e\b/i, severity: 'medium', description: 'sed with e flag (exec)', name: 'sed-exec', category: 'code_execution', appliesTo: ['bash'] },
+];
+// ============================================================================
+// Code Scanning Patterns (for skill files and generated code)
+// ============================================================================
+/**
+ * Patterns for scanning code content (skill files, LLM output).
+ * Merged from skill-scanner's DANGEROUS_PATTERNS + new additions.
+ */
+export const DANGEROUS_CODE_PATTERNS = [
+    // --- Code execution ---
+    { pattern: /\beval\s*\(/, severity: 'critical', description: 'Dynamic code execution via eval()', name: 'eval', category: 'code_execution', appliesTo: ['skill', 'code'] },
+    { pattern: /\bnew\s+Function\s*\(/, severity: 'critical', description: 'Dynamic function creation', name: 'new-function', category: 'code_execution', appliesTo: ['skill', 'code'] },
+    { pattern: /\bchild_process\b/, severity: 'high', description: 'Child process module usage', name: 'child_process', category: 'code_execution', appliesTo: ['skill', 'code'] },
+    { pattern: /\bexecSync\s*\(/, severity: 'high', description: 'Synchronous command execution', name: 'execSync', category: 'code_execution', appliesTo: ['skill', 'code'] },
+    { pattern: /\bexecFile\s*\(/, severity: 'high', description: 'File execution', name: 'execFile', category: 'code_execution', appliesTo: ['skill', 'code'] },
+    { pattern: /\bspawn\s*\(/, severity: 'medium', description: 'Process spawning', name: 'spawn', category: 'code_execution', appliesTo: ['skill', 'code'] },
+    { pattern: /\bexec\s*\(/, severity: 'high', description: 'Command execution', name: 'exec', category: 'code_execution', appliesTo: ['skill', 'code'] },
+    // --- Filesystem dangers ---
+    { pattern: /\brm\s+-rf\b/, severity: 'critical', description: 'Recursive force delete', name: 'rm-rf', category: 'filesystem_destruction', appliesTo: ['skill', 'code'] },
+    { pattern: /\bunlinkSync\s*\(/, severity: 'medium', description: 'Synchronous file deletion', name: 'unlinkSync', category: 'filesystem_destruction', appliesTo: ['skill', 'code'] },
+    { pattern: /\bwriteFileSync\s*\(/, severity: 'low', description: 'Synchronous file write', name: 'writeFileSync', category: 'filesystem_destruction', appliesTo: ['skill'] },
+    { pattern: /\brmdirSync\s*\(/, severity: 'medium', description: 'Directory removal', name: 'rmdirSync', category: 'filesystem_destruction', appliesTo: ['skill', 'code'] },
+    // --- Network ---
+    { pattern: /\bfetch\s*\(\s*['"`]http/, severity: 'medium', description: 'External HTTP request', name: 'fetch-http', category: 'network_exfiltration', appliesTo: ['skill'] },
+    { pattern: /\baxios\b/, severity: 'low', description: 'HTTP client library usage', name: 'axios', category: 'network_exfiltration', appliesTo: ['skill'] },
+    { pattern: /\brequire\s*\(\s*['"`]https?['"`]\s*\)/, severity: 'medium', description: 'HTTP module import', name: 'http-require', category: 'network_exfiltration', appliesTo: ['skill'] },
+    { pattern: /\bWebSocket\b/, severity: 'medium', description: 'WebSocket usage', name: 'websocket', category: 'network_exfiltration', appliesTo: ['skill'] },
+    // --- Dynamic imports ---
+    { pattern: /\brequire\s*\(\s*[a-zA-Z_$\[]/, severity: 'high', description: 'Dynamic require with variable', name: 'dynamic-require', category: 'dynamic_import', appliesTo: ['skill', 'code'] },
+    { pattern: /\bimport\s*\(\s*[a-zA-Z_$\[]/, severity: 'high', description: 'Dynamic import with variable', name: 'dynamic-import', category: 'dynamic_import', appliesTo: ['skill', 'code'] },
+    // --- Environment/secrets ---
+    { pattern: /process\.env\[/, severity: 'low', description: 'Dynamic environment variable access', name: 'env-dynamic', category: 'secret_exposure', appliesTo: ['skill'] },
+    { pattern: /\b(API_KEY|SECRET|PASSWORD|TOKEN)\b/i, severity: 'info', description: 'Possible secret reference', name: 'secret-ref', category: 'secret_exposure', appliesTo: ['skill'] },
+    // --- Prototype pollution ---
+    { pattern: /__proto__/, severity: 'high', description: 'Prototype pollution risk', name: 'proto', category: 'prototype_pollution', appliesTo: ['skill', 'code'] },
+    { pattern: /\bconstructor\s*\[/, severity: 'high', description: 'Constructor access via bracket notation', name: 'constructor-bracket', category: 'prototype_pollution', appliesTo: ['skill', 'code'] },
+    // --- Shell injection in code ---
+    { pattern: /`\$\{.*\}`/, severity: 'medium', description: 'Template literal with interpolation (potential injection)', name: 'template-injection', category: 'shell_injection', appliesTo: ['skill', 'code'] },
+    { pattern: /\$\(.*\)/, severity: 'medium', description: 'Shell command substitution', name: 'shell-subst', category: 'shell_injection', appliesTo: ['skill'] },
+    // --- SQL injection patterns (for generated code) ---
+    { pattern: /['"`]\s*\+\s*\w+\s*\+\s*['"`].*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\b/i, severity: 'high', description: 'SQL string concatenation (injection risk)', name: 'sql-concat', category: 'command_injection', appliesTo: ['code'] },
+    { pattern: /\b(?:query|execute|exec)\s*\(\s*['"`].*\$\{/i, severity: 'high', description: 'SQL template literal interpolation', name: 'sql-template', category: 'command_injection', appliesTo: ['code'] },
+    { pattern: /\b(?:query|execute|exec)\s*\(\s*\w+\s*\+/i, severity: 'medium', description: 'SQL with string concatenation', name: 'sql-string-concat', category: 'command_injection', appliesTo: ['code'] },
+    // --- XSS patterns (for generated code) ---
+    { pattern: /\.innerHTML\s*=\s*(?!\s*['"`]\s*['"`])/, severity: 'high', description: 'innerHTML assignment (XSS risk)', name: 'innerHTML', category: 'command_injection', appliesTo: ['code'] },
+    { pattern: /document\.write\s*\(/, severity: 'high', description: 'document.write (XSS risk)', name: 'document-write', category: 'command_injection', appliesTo: ['code'] },
+    { pattern: /\bdangerouslySetInnerHTML\b/, severity: 'medium', description: 'React dangerouslySetInnerHTML', name: 'react-dangerous-html', category: 'command_injection', appliesTo: ['code'] },
+    // --- Hardcoded secrets ---
+    { pattern: /(?:password|passwd|pwd|secret|token|api_key|apikey)\s*[:=]\s*['"][^'"]{8,}['"]/i, severity: 'high', description: 'Hardcoded secret in code', name: 'hardcoded-secret', category: 'secret_exposure', appliesTo: ['code'] },
+    { pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/, severity: 'critical', description: 'Private key in code', name: 'private-key', category: 'secret_exposure', appliesTo: ['code', 'skill'] },
+    // --- Unsafe deserialization ---
+    { pattern: /\bpickle\.loads?\b/, severity: 'high', description: 'Python pickle deserialization', name: 'pickle-loads', category: 'code_execution', appliesTo: ['code'] },
+    { pattern: /\byaml\.load\s*\((?!.*Loader)/, severity: 'medium', description: 'Unsafe YAML load (no Loader specified)', name: 'yaml-unsafe-load', category: 'code_execution', appliesTo: ['code'] },
+    { pattern: /\bJSON\.parse\s*\(.*\bthen\b/, severity: 'low', description: 'JSON.parse in promise chain (may swallow errors)', name: 'json-parse-promise', category: 'code_execution', appliesTo: ['code'] },
+];
+// ============================================================================
+// Helper functions
+// ============================================================================
+/**
+ * Get all patterns applicable to a specific subsystem.
+ */
+export function getPatternsFor(subsystem) {
+    return [
+        ...DANGEROUS_BASH_PATTERNS.filter(p => p.appliesTo.includes(subsystem)),
+        ...DANGEROUS_CODE_PATTERNS.filter(p => p.appliesTo.includes(subsystem)),
+    ];
+}
+/**
+ * Get patterns at or above a given severity level.
+ */
+export function getPatternsBySeverity(minSeverity, patterns) {
+    const severityOrder = ['info', 'low', 'medium', 'high', 'critical'];
+    const minIndex = severityOrder.indexOf(minSeverity);
+    const source = patterns ?? [...DANGEROUS_BASH_PATTERNS, ...DANGEROUS_CODE_PATTERNS];
+    return source.filter(p => severityOrder.indexOf(p.severity) >= minIndex);
+}
+/**
+ * Get patterns by category.
+ */
+export function getPatternsByCategory(category, patterns) {
+    const source = patterns ?? [...DANGEROUS_BASH_PATTERNS, ...DANGEROUS_CODE_PATTERNS];
+    return source.filter(p => p.category === category);
+}
+/**
+ * Check if a string matches any dangerous pattern for the given subsystem.
+ * Returns the first matching pattern or null.
+ */
+export function matchDangerousPattern(text, subsystem) {
+    const patterns = getPatternsFor(subsystem);
+    for (const p of patterns) {
+        if (p.pattern.test(text)) {
+            return p;
+        }
+    }
+    return null;
+}
+/**
+ * Check if a string matches any dangerous patterns, returning all matches.
+ */
+export function matchAllDangerousPatterns(text, subsystem) {
+    const patterns = getPatternsFor(subsystem);
+    return patterns.filter(p => p.pattern.test(text));
+}
+/**
+ * Check if a command name is in the dangerous commands set.
+ */
+export function isDangerousCommand(commandName) {
+    return DANGEROUS_COMMANDS.has(commandName.toLowerCase());
+}
+//# sourceMappingURL=dangerous-patterns.js.map

package/dist/security/dangerous-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dangerous-patterns.js","sourceRoot":"","sources":["../../src/security/dangerous-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAkCH,+EAA+E;AAC/E,wDAAwD;AACxD,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IAC7D,8BAA8B;IAC9B,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO;IAChC,kBAAkB;IAClB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI;IAC/B,qBAAqB;IACrB,OAAO,EAAE,OAAO,EAAE,OAAO;IACzB,uBAAuB;IACvB,MAAM,EAAE,IAAI,EAAE,MAAM;IACpB,kCAAkC;IAClC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO;IAC/B,qBAAqB;IACrB,QAAQ,EAAE,KAAK;IACf,iCAAiC;IACjC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ;IACnD,8BAA8B;IAC9B,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM;IAC3C,iBAAiB;IACjB,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;IACxC,MAAM,EAAE,WAAW,EAAE,SAAS;IAC9B,WAAW;IACX,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc;IAC9C,mBAAmB;IACnB,OAAO,EAAE,QAAQ;IACjB,iBAAiB;IACjB,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ;IACvC,kBAAkB;IAClB,SAAS,EAAE,IAAI;IACf,kBAAkB;IAClB,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU;IAC3C,QAAQ,EAAE,UAAU,EAAE,QAAQ;IAC9B,oBAAoB;IACpB,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS;IACzC,yBAAyB;IACzB,MAAM,EAAE,SAAS,EAAE,OAAO;CAC3B,CAAC,CAAC;AAEH,+EAA+E;AAC/E,kEAAkE;AAClE,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAuB;IACzD,iCAAiC;IACjC,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,0CAA0C,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IACrN,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,mCAAmC,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAC1L,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,sBAAsB,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAC5L,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,mBAAmB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IACnL,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,mBAAmB,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAC9J,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAC/K,EAAE,OAAO,EAAE,wBAAwB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,mBAAmB,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IACzL,EAAE,OAAO,EAAE,qCAAqC,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,wBAAwB,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAEhN,kDAAkD;IAClD,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,mCAAmC,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,uBAAuB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IACnM,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,mCAAmC,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,uBAAuB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IACnM,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,6BAA6B,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAE/L,6CAA6C;IAC7C,EAAE,OAAO,EAAE,4EAA4E,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,uCAAuC,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC9O,EAAE,OAAO,EAAE,yEAAyE,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,4CAA4C,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAEnP,oCAAoC;IACpC,EAAE,OAAO,EAAE,kQAAkQ,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,2BAA2B,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAExZ,kCAAkC;IAClC,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,8BAA8B,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAC1K,EAAE,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,wBAAwB,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAE5K,mCAAmC;IACnC,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,sBAAsB,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC3J,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,wBAAwB,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC1J,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,yBAAyB,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACtJ,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,2BAA2B,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC7J,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,sCAAsC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACrL,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,8BAA8B,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAE5M,+BAA+B;IAC/B,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,oCAAoC,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC1M,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,0BAA0B,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC7K,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,0BAA0B,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAClK,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,oBAAoB,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAChM,EAAE,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,sBAAsB,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE;IAEvL,qCAAqC;IACrC,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,qCAAqC,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACtL,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,kBAAkB,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC1J,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,0BAA0B,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC/J,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,qBAAqB,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACzK,EAAE,OAAO,EAAE,4EAA4E,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,uBAAuB,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACvN,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,qBAAqB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC/K,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,qBAAqB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC/K,EAAE,OAAO,EAAE,mDAAmD,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,wBAAwB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC7L,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,mBAAmB,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAChK,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,wBAAwB,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;CAC5J,CAAC;AAEF,+EAA+E;AAC/E,8DAA8D;AAC9D,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAuB;IACzD,yBAAyB;IACzB,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,mCAAmC,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAC1K,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,2BAA2B,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IACpL,EAAE,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,4BAA4B,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAC9K,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,+BAA+B,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAC1K,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,gBAAgB,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAC3J,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,kBAAkB,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IACzJ,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,mBAAmB,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAEtJ,6BAA6B;IAC7B,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,wBAAwB,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IACzK,EAAE,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IACpL,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,wBAAwB,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAC5K,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,mBAAmB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAE1K,kBAAkB;IAClB,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,uBAAuB,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAC7K,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,2BAA2B,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAC1J,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAC1L,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,iBAAiB,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,sBAAsB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAE3J,0BAA0B;IAC1B,EAAE,OAAO,EAAE,+BAA+B,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,+BAA+B,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAC/L,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,8BAA8B,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAE5L,8BAA8B;IAC9B,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,qCAAqC,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAC1K,EAAE,OAAO,EAAE,sCAAsC,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,2BAA2B,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAEtL,8BAA8B;IAC9B,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,0BAA0B,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,qBAAqB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IACjK,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,yCAAyC,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,qBAAqB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAEvM,kCAAkC;IAClC,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,2DAA2D,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE;IAC9M,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,4BAA4B,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;IAE9J,sDAAsD;IACtD,EAAE,OAAO,EAAE,qFAAqF,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,2CAA2C,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACtP,EAAE,OAAO,EAAE,8CAA8C,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,oCAAoC,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC1M,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,+BAA+B,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAEzM,4CAA4C;IAC5C,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,iCAAiC,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC9L,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,2BAA2B,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAC3K,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,+BAA+B,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAE9L,4BAA4B;IAC5B,EAAE,OAAO,EAAE,iFAAiF,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,0BAA0B,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACrO,EAAE,OAAO,EAAE,4CAA4C,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,qBAAqB,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;IAEnM,iCAAiC;IACjC,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,+BAA+B,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IACxK,EAAE,OAAO,EAAE,+BAA+B,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,wCAAwC,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;IAClM,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,kDAAkD,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;CAC3M,CAAC;AAEF,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAgD;IAC7E,OAAO;QACL,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACvE,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;KACxE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,WAA4B,EAC5B,QAA6B;IAE7B,MAAM,aAAa,GAAsB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACvF,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,QAAQ,IAAI,CAAC,GAAG,uBAAuB,EAAE,GAAG,uBAAuB,CAAC,CAAC;IACpF,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAyB,EACzB,QAA6B;IAE7B,MAAM,MAAM,GAAG,QAAQ,IAAI,CAAC,GAAG,uBAAuB,EAAE,GAAG,uBAAuB,CAAC,CAAC;IACpF,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,IAAY,EACZ,SAAgD;IAEhD,MAAM,QAAQ,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,IAAY,EACZ,SAAgD;IAEhD,MAAM,QAAQ,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAC3C,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,WAAmB;IACpD,OAAO,kBAAkB,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC;AAC3D,CAAC"}

package/dist/security/remote-approval.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Remote Approval Forwarding
+ *
+ * Forward tool execution approval requests to messaging channels
+ * (Telegram, Discord, Slack) for remote /approve or /deny.
+ * OpenClaw-inspired remote authorization flow.
+ */
+import { EventEmitter } from 'events';
+export interface ApprovalRequest {
+    /** Unique request ID */
+    id: string;
+    /** Tool name requiring approval */
+    toolName: string;
+    /** Human-readable summary of what's being approved */
+    summary: string;
+    /** When the request was created */
+    requestedAt: Date;
+    /** When the request expires */
+    expiresAt: Date;
+    /** Current status */
+    status: 'pending' | 'approved' | 'denied' | 'expired';
+}
+export type ChannelSendFn = (message: string) => Promise<void>;
+export declare class RemoteApprovalService extends EventEmitter {
+    private pending;
+    private resolvers;
+    private channels;
+    private nextId;
+    private defaultTimeoutMs;
+    /**
+     * Register a messaging channel for forwarding approvals
+     */
+    registerChannel(channelType: string, sendFn: ChannelSendFn): void;
+    /**
+     * Unregister a channel
+     */
+    unregisterChannel(channelType: string): void;
+    /**
+     * Check if any channels are registered
+     */
+    hasChannels(): boolean;
+    /**
+     * Request approval via remote channels.
+     * Returns a promise that resolves to true (approved) or false (denied/expired).
+     */
+    requestApproval(req: {
+        toolName: string;
+        summary: string;
+        timeoutMs?: number;
+    }): Promise<boolean>;
+    /**
+     * Handle an approval response (called when user sends /approve or /deny)
+     */
+    handleResponse(requestId: string, approved: boolean): void;
+    /**
+     * Get all pending approval requests
+     */
+    getPending(): ApprovalRequest[];
+    /**
+     * Format the approval message for channels
+     */
+    private formatApprovalMessage;
+}
+export declare function getRemoteApprovalService(): RemoteApprovalService;
+export declare function resetRemoteApprovalService(): void;

package/dist/security/remote-approval.js

@@ -0,0 +1,138 @@
+/**
+ * Remote Approval Forwarding
+ *
+ * Forward tool execution approval requests to messaging channels
+ * (Telegram, Discord, Slack) for remote /approve or /deny.
+ * OpenClaw-inspired remote authorization flow.
+ */
+import { EventEmitter } from 'events';
+import { logger } from '../utils/logger.js';
+// ============================================================================
+// Remote Approval Service
+// ============================================================================
+export class RemoteApprovalService extends EventEmitter {
+    pending = new Map();
+    resolvers = new Map();
+    channels = new Map();
+    nextId = 1;
+    defaultTimeoutMs = 120_000; // 2 minutes
+    /**
+     * Register a messaging channel for forwarding approvals
+     */
+    registerChannel(channelType, sendFn) {
+        this.channels.set(channelType, sendFn);
+        logger.debug(`Remote approval channel registered: ${channelType}`);
+    }
+    /**
+     * Unregister a channel
+     */
+    unregisterChannel(channelType) {
+        this.channels.delete(channelType);
+    }
+    /**
+     * Check if any channels are registered
+     */
+    hasChannels() {
+        return this.channels.size > 0;
+    }
+    /**
+     * Request approval via remote channels.
+     * Returns a promise that resolves to true (approved) or false (denied/expired).
+     */
+    async requestApproval(req) {
+        const id = `approval-${this.nextId++}`;
+        const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
+        const request = {
+            id,
+            toolName: req.toolName,
+            summary: req.summary,
+            requestedAt: new Date(),
+            expiresAt: new Date(Date.now() + timeoutMs),
+            status: 'pending',
+        };
+        this.pending.set(id, request);
+        // Broadcast to all registered channels
+        const message = this.formatApprovalMessage(request);
+        const sendPromises = Array.from(this.channels.entries()).map(async ([type, send]) => {
+            try {
+                await send(message);
+            }
+            catch (err) {
+                logger.warn(`Failed to send approval to ${type}`, { error: err });
+            }
+        });
+        await Promise.allSettled(sendPromises);
+        this.emit('approval-requested', request);
+        // Wait for response or timeout
+        return new Promise((resolve) => {
+            this.resolvers.set(id, resolve);
+            // Timeout handler
+            const timer = setTimeout(() => {
+                if (request.status === 'pending') {
+                    request.status = 'expired';
+                    this.resolvers.delete(id);
+                    this.pending.delete(id);
+                    this.emit('approval-expired', request);
+                    resolve(false);
+                }
+            }, timeoutMs);
+            // Clean up timer if resolved early
+            const originalResolve = resolve;
+            this.resolvers.set(id, (approved) => {
+                clearTimeout(timer);
+                originalResolve(approved);
+            });
+        });
+    }
+    /**
+     * Handle an approval response (called when user sends /approve or /deny)
+     */
+    handleResponse(requestId, approved) {
+        const request = this.pending.get(requestId);
+        const resolver = this.resolvers.get(requestId);
+        if (!request || !resolver) {
+            logger.warn(`Unknown or expired approval request: ${requestId}`);
+            return;
+        }
+        request.status = approved ? 'approved' : 'denied';
+        this.pending.delete(requestId);
+        this.resolvers.delete(requestId);
+        this.emit(approved ? 'approval-approved' : 'approval-denied', request);
+        resolver(approved);
+    }
+    /**
+     * Get all pending approval requests
+     */
+    getPending() {
+        return Array.from(this.pending.values());
+    }
+    /**
+     * Format the approval message for channels
+     */
+    formatApprovalMessage(request) {
+        const expiresIn = Math.round((request.expiresAt.getTime() - Date.now()) / 1000);
+        return [
+            `🔐 **Approval Required**`,
+            `Tool: \`${request.toolName}\``,
+            `Summary: ${request.summary}`,
+            `Request ID: \`${request.id}\``,
+            `Expires in: ${expiresIn}s`,
+            ``,
+            `Reply with \`/approve ${request.id}\` or \`/deny ${request.id}\``,
+        ].join('\n');
+    }
+}
+// ============================================================================
+// Singleton
+// ============================================================================
+let remoteApprovalInstance = null;
+export function getRemoteApprovalService() {
+    if (!remoteApprovalInstance) {
+        remoteApprovalInstance = new RemoteApprovalService();
+    }
+    return remoteApprovalInstance;
+}
+export function resetRemoteApprovalService() {
+    remoteApprovalInstance = null;
+}
+//# sourceMappingURL=remote-approval.js.map

package/dist/security/remote-approval.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-approval.js","sourceRoot":"","sources":["../../src/security/remote-approval.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAuB5C,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E,MAAM,OAAO,qBAAsB,SAAQ,YAAY;IAC7C,OAAO,GAAG,IAAI,GAAG,EAA2B,CAAC;IAC7C,SAAS,GAAG,IAAI,GAAG,EAAuC,CAAC;IAC3D,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC5C,MAAM,GAAG,CAAC,CAAC;IACX,gBAAgB,GAAG,OAAO,CAAC,CAAC,YAAY;IAEhD;;OAEG;IACH,eAAe,CAAC,WAAmB,EAAE,MAAqB;QACxD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,uCAAuC,WAAW,EAAE,CAAC,CAAC;IACrE,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,WAAmB;QACnC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC;IAChC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CAAC,GAIrB;QACC,MAAM,EAAE,GAAG,YAAY,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,gBAAgB,CAAC;QAEzD,MAAM,OAAO,GAAoB;YAC/B,EAAE;YACF,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,WAAW,EAAE,IAAI,IAAI,EAAE;YACvB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC3C,MAAM,EAAE,SAAS;SAClB,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAE9B,uCAAuC;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAC1D,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE;YACrB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC;YACtB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CAAC,8BAA8B,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CACF,CAAC;QACF,MAAM,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QAEvC,IAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAC;QAEzC,+BAA+B;QAC/B,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;YACtC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhC,kBAAkB;YAClB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBACjC,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;oBAC3B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;oBAC1B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;oBACxB,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;oBACvC,OAAO,CAAC,KAAK,CAAC,CAAC;gBACjB,CAAC;YACH,CAAC,EAAE,SAAS,CAAC,CAAC;YAEd,mCAAmC;YACnC,MAAM,eAAe,GAAG,OAAO,CAAC;YAChC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,QAAiB,EAAE,EAAE;gBAC3C,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,eAAe,CAAC,QAAQ,CAAC,CAAC;YAC5B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,SAAiB,EAAE,QAAiB;QACjD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAE/C,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,wCAAwC,SAAS,EAAE,CAAC,CAAC;YACjE,OAAO;QACT,CAAC;QAED,OAAO,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC;QAClD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEjC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACvE,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACK,qBAAqB,CAAC,OAAwB;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QAChF,OAAO;YACL,0BAA0B;YAC1B,WAAW,OAAO,CAAC,QAAQ,IAAI;YAC/B,YAAY,OAAO,CAAC,OAAO,EAAE;YAC7B,iBAAiB,OAAO,CAAC,EAAE,IAAI;YAC/B,eAAe,SAAS,GAAG;YAC3B,EAAE;YACF,yBAAyB,OAAO,CAAC,EAAE,iBAAiB,OAAO,CAAC,EAAE,IAAI;SACnE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;CACF;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,IAAI,sBAAsB,GAAiC,IAAI,CAAC;AAEhE,MAAM,UAAU,wBAAwB;IACtC,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,sBAAsB,GAAG,IAAI,qBAAqB,EAAE,CAAC;IACvD,CAAC;IACD,OAAO,sBAAsB,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,sBAAsB,GAAG,IAAI,CAAC;AAChC,CAAC"}

package/dist/security/security-audit.d.ts

@@ -70,6 +70,13 @@ export declare class SecurityAuditor {
     private checkNetwork;
     private checkBrowser;
     private deepScan;
+    /**
+     * Auto-fix file permission findings (chmod 700/600 for sensitive paths)
+     */
+    fix(result: AuditResult): Promise<{
+        fixed: number;
+        errors: string[];
+    }>;
     private addFinding;
     /**
      * Format audit result for console output

package/dist/security/security-audit.js

@@ -546,6 +546,29 @@ export class SecurityAuditor {
     // ==========================================================================
     // Helpers
     // ==========================================================================
+    /**
+     * Auto-fix file permission findings (chmod 700/600 for sensitive paths)
+     */
+    async fix(result) {
+        let fixed = 0;
+        const errors = [];
+        for (const finding of result.findings) {
+            if ((finding.category === 'filesystem' || finding.category === 'credentials') &&
+                finding.details?.path &&
+                typeof finding.details.path === 'string' &&
+                finding.details.expected) {
+                try {
+                    const targetMode = parseInt(finding.details.expected, 8);
+                    await fs.chmod(finding.details.path, targetMode);
+                    fixed++;
+                }
+                catch (err) {
+                    errors.push(`Failed to fix ${finding.details.path}: ${err instanceof Error ? err.message : String(err)}`);
+                }
+            }
+        }
+        return { fixed, errors };
+    }
     addFinding(finding) {
         this.findings.push({
             ...finding,