@q32/signal-scanner 0.1.0 → 0.1.1

package/dist/rules/packs/source-code.js

@@ -0,0 +1,179 @@
+export const sourceCodeRules = [
+    {
+        id: "hardcoded_secret_candidate",
+        pack: "source-code",
+        severity: "high",
+        confidence: "medium",
+        title: "Hardcoded secret candidate",
+        description: "Source text matched a risky secret-like token pattern.",
+        locationType: "source",
+        pattern: /(?:AKIA[0-9A-Z]{16}|xox[baprs]-[a-zA-Z0-9-]{20,}|ghp_[a-zA-Z0-9]{20,})/,
+        score: { base: 62, tags: ["source"] }
+    },
+    {
+        id: "webhook_url_candidate",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Webhook URL candidate",
+        description: "Source text contains a webhook URL candidate.",
+        locationType: "source",
+        pattern: /https:\/\/(?:hooks\.slack\.com\/services\/|discord(?:app)?\.com\/api\/webhooks\/|api\.telegram\.org\/bot)[A-Za-z0-9/_:.-]+/,
+        score: { base: 35, tags: ["source", "url"] }
+    },
+    {
+        id: "dangerous_child_process",
+        pack: "source-code",
+        severity: "high",
+        confidence: "medium",
+        title: "Dangerous child process use",
+        description: "Source text references command execution through child_process.",
+        locationType: "source",
+        pattern: /\bchild_process\.(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\b|require\s*\(\s*['"]child_process['"]\s*\)\s*\.\s*(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\b|import\s*\{[^}]*\b(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\b[^}]*\}\s*from\s*['"]node:child_process['"]/,
+        score: { base: 50, tags: ["source"] }
+    },
+    {
+        id: "shell_execution_import",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Shell execution import",
+        description: "Source text imports Node child_process command execution APIs.",
+        locationType: "source",
+        pattern: /\b(?:import|require)\b[^;\n]{0,120}\bchild_process\b/,
+        score: { base: 24, tags: ["source"] }
+    },
+    {
+        id: "curl_pipe_shell",
+        pack: "source-code",
+        severity: "high",
+        confidence: "medium",
+        title: "curl pipe shell",
+        description: "Source text pipes a downloaded script into a shell.",
+        locationType: "source",
+        pattern: /\bcurl\b[^|]{0,120}\|\s*(?:sh|bash)/,
+        score: { base: 70, tags: ["source", "url"] }
+    },
+    {
+        id: "postinstall_script",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Postinstall script",
+        description: "Package metadata defines a postinstall script.",
+        locationType: "source",
+        pattern: /"postinstall"\s*:/,
+        score: { base: 20, tags: ["source"] }
+    },
+    {
+        id: "preinstall_script",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Preinstall script",
+        description: "Package metadata defines a preinstall script.",
+        locationType: "source",
+        pattern: /"preinstall"\s*:/,
+        score: { base: 20, tags: ["source"] }
+    },
+    {
+        id: "install_script_network_fetch",
+        pack: "source-code",
+        severity: "high",
+        confidence: "medium",
+        title: "Install script performs network fetch",
+        description: "Install lifecycle script appears to fetch network content.",
+        locationType: "source",
+        pattern: /"(?:preinstall|install|postinstall)"\s*:\s*"[^"]*(?:curl|wget|fetch|https?:\/\/)/,
+        score: { base: 66, tags: ["source", "url"] }
+    },
+    {
+        id: "non_literal_require",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Non-literal require candidate",
+        description: "Source text calls require() with an expression instead of a string literal.",
+        locationType: "source",
+        pattern: /\brequire\s*\(\s*(?!['"`])/,
+        score: { base: 18, tags: ["source"] }
+    },
+    {
+        id: "non_literal_regexp",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Non-literal RegExp candidate",
+        description: "Source text constructs a RegExp from a non-literal expression.",
+        locationType: "source",
+        pattern: /\bnew\s+RegExp\s*\(\s*(?!['"`])|\bRegExp\s*\(\s*(?!['"`])/,
+        score: { base: 16, tags: ["source"] }
+    },
+    {
+        id: "new_buffer_constructor",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "New Buffer constructor",
+        description: "Source text uses the legacy Buffer constructor.",
+        locationType: "source",
+        pattern: /\bnew\s+Buffer\s*\(/,
+        score: { base: 12, tags: ["source"] }
+    },
+    {
+        id: "weak_crypto_hash",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Weak crypto hash",
+        description: "Source text references weak hash algorithms.",
+        locationType: "source",
+        pattern: /\bcreateHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/,
+        score: { base: 16, tags: ["source"] }
+    },
+    {
+        id: "pseudo_random_bytes",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Pseudo-random bytes",
+        description: "Source text references crypto.pseudoRandomBytes().",
+        locationType: "source",
+        pattern: /\bpseudoRandomBytes\s*\(/,
+        score: { base: 16, tags: ["source"] }
+    },
+    {
+        id: "template_escape_disabled",
+        pack: "source-code",
+        severity: "medium",
+        confidence: "medium",
+        title: "Template escaping disabled",
+        description: "Source text appears to disable template escaping.",
+        locationType: "source",
+        pattern: /\bescapeMarkup\s*=\s*false\b/,
+        score: { base: 22, tags: ["source"] }
+    },
+    {
+        id: "sensitive_file_read",
+        pack: "source-code",
+        severity: "high",
+        confidence: "medium",
+        title: "Sensitive file read candidate",
+        description: "Source text references filesystem reads of sensitive paths or environment files.",
+        locationType: "source",
+        pattern: /\b(?:readFileSync|readFile)\s*\([^)]*(?:\/etc\/passwd|\.env|id_rsa|credentials)/,
+        score: { base: 48, tags: ["source"] }
+    },
+    {
+        id: "private_key_material",
+        pack: "source-code",
+        severity: "critical",
+        confidence: "high",
+        title: "Private key material",
+        description: "Source text contains a private key header.",
+        locationType: "source",
+        pattern: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
+        score: { base: 95, tags: ["source"] }
+    }
+];
+//# sourceMappingURL=source-code.js.map

package/dist/rules/packs/source-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-code.js","sourceRoot":"","sources":["../../../src/rules/packs/source-code.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,eAAe,GAAkB;IAC5C;QACE,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,wDAAwD;QACrE,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,wEAAwE;QACjF,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,4HAA4H;QACrI,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE;KAC7C;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EAAE,iEAAiE;QAC9E,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,8SAA8S;QACvT,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,gEAAgE;QAC7E,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,sDAAsD;QAC/D,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,iBAAiB;QACxB,WAAW,EAAE,qDAAqD;QAClE,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,qCAAqC;QAC9C,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE;KAC7C;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,gDAAgD;QAC7D,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,mBAAmB;QAC5B,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,kBAAkB;QAC3B,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,8BAA8B;QAClC,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,4DAA4D;QACzE,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,kFAAkF;QAC3F,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE;KAC7C;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,+BAA+B;QACtC,WAAW,EAAE,6EAA6E;QAC1F,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,4BAA4B;QACrC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,gEAAgE;QAC7E,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,2DAA2D;QACpE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,iDAAiD;QAC9D,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,qBAAqB;QAC9B,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,kBAAkB;QACzB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,+CAA+C;QACxD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,oDAAoD;QACjE,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,0BAA0B;QACnC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,mDAAmD;QAChE,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,8BAA8B;QACvC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,+BAA+B;QACtC,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,iFAAiF;QAC1F,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,wDAAwD;QACjE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;CACF,CAAC"}

package/dist/rules/packs/urls.d.ts

@@ -0,0 +1,3 @@
+import type { RuleDefinition } from "../types.js";
+export declare const urlRules: Record<"punycode_login_url" | "redirect_to_url_shortener" | "final_url_offsite_redirect" | "private_ip_url" | "ip_literal_url" | "suspicious_tld_url" | "download_like_external_url" | "malware_download_like_url" | "shared_hosting_subdomain_url" | "brand_impersonation_url" | "credential_path_on_suspicious_host" | "generated_landing_url", RuleDefinition>;
+//# sourceMappingURL=urls.d.ts.map

package/dist/rules/packs/urls.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"urls.d.ts","sourceRoot":"","sources":["../../../src/rules/packs/urls.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,eAAO,MAAM,QAAQ,EAAE,MAAM,CACzB,oBAAoB,GACpB,2BAA2B,GAC3B,4BAA4B,GAC5B,gBAAgB,GAChB,gBAAgB,GAChB,oBAAoB,GACpB,4BAA4B,GAC5B,2BAA2B,GAC3B,8BAA8B,GAC9B,yBAAyB,GACzB,oCAAoC,GACpC,uBAAuB,EACzB,cAAc,CA0Hf,CAAC"}

package/dist/rules/packs/urls.js

@@ -0,0 +1,123 @@
+export const urlRules = {
+    punycode_login_url: {
+        id: "punycode_login_url",
+        pack: "phishing",
+        severity: "high",
+        confidence: "high",
+        title: "Punycode login URL",
+        description: "A login-like URL uses punycode.",
+        locationType: "url",
+        score: { base: 70, tags: ["phishing", "url"] }
+    },
+    redirect_to_url_shortener: {
+        id: "redirect_to_url_shortener",
+        pack: "redirects",
+        severity: "medium",
+        confidence: "medium",
+        title: "URL shortener destination",
+        description: "The scanned URL is, or redirects through, a known URL shortener (a common cloaking step).",
+        locationType: "url",
+        score: { base: 20, tags: ["redirect", "url"] }
+    },
+    final_url_offsite_redirect: {
+        id: "final_url_offsite_redirect",
+        pack: "redirects",
+        severity: "medium",
+        confidence: "high",
+        title: "Final URL redirects off-site",
+        description: "The fetched URL resolves to a different registrable domain than the submitted URL.",
+        locationType: "url",
+        score: { base: 25, tags: ["redirect", "url"] }
+    },
+    private_ip_url: {
+        id: "private_ip_url",
+        pack: "url-risk",
+        severity: "medium",
+        confidence: "high",
+        title: "Private or local network URL",
+        description: "Content references a localhost or private-network URL.",
+        locationType: "url",
+        score: { base: 25, tags: ["url"] }
+    },
+    ip_literal_url: {
+        id: "ip_literal_url",
+        pack: "url-risk",
+        severity: "medium",
+        confidence: "medium",
+        title: "IP literal URL",
+        description: "Content references a URL by IP address instead of a hostname.",
+        locationType: "url",
+        score: { base: 22, tags: ["url"] }
+    },
+    suspicious_tld_url: {
+        id: "suspicious_tld_url",
+        pack: "url-risk",
+        severity: "low",
+        confidence: "medium",
+        title: "Suspicious TLD URL",
+        description: "Content references a URL with a TLD commonly seen in abuse investigations.",
+        locationType: "url",
+        score: { base: 8, tags: ["url"] }
+    },
+    download_like_external_url: {
+        id: "download_like_external_url",
+        pack: "url-risk",
+        severity: "medium",
+        confidence: "medium",
+        title: "Download-like external URL",
+        description: "Content references an off-site URL with download or payload path terms.",
+        locationType: "url",
+        score: { base: 18, tags: ["url"], repeatMultiplier: 0.25, maxRepeats: 3 }
+    },
+    malware_download_like_url: {
+        id: "malware_download_like_url",
+        pack: "url-risk",
+        severity: "high",
+        confidence: "medium",
+        title: "Malware-download-like URL path",
+        description: "URL path resembles common malware download naming for scripts, botnet payloads, or architecture-specific binaries.",
+        locationType: "url",
+        score: { base: 55, tags: ["binary", "url"] }
+    },
+    shared_hosting_subdomain_url: {
+        id: "shared_hosting_subdomain_url",
+        pack: "url-risk",
+        severity: "low",
+        confidence: "medium",
+        title: "Shared-hosting subdomain",
+        description: "The target URL is hosted on a shared/free-hosting subdomain rather than an independently controlled registrable domain.",
+        locationType: "url",
+        score: { base: 6, tags: ["hosting", "url"] }
+    },
+    brand_impersonation_url: {
+        id: "brand_impersonation_url",
+        pack: "phishing",
+        severity: "high",
+        confidence: "high",
+        title: "Brand name in host of an unrelated domain",
+        description: "A well-known brand appears in the hostname while the registrable domain does not belong to that brand — a hallmark of credential-phishing lookalike hosts.",
+        locationType: "url",
+        score: { base: 68, tags: ["phishing", "url"] }
+    },
+    credential_path_on_suspicious_host: {
+        id: "credential_path_on_suspicious_host",
+        pack: "phishing",
+        severity: "high",
+        confidence: "high",
+        title: "Login/account path on a suspicious host",
+        description: "A login, sign-in, account, or verification path is served from a free-hosting subdomain, generated host label, suspicious TLD, punycode, IP literal, or URL shortener — where legitimate brands do not host credentials.",
+        locationType: "url",
+        score: { base: 66, tags: ["credential", "phishing", "url"] }
+    },
+    generated_landing_url: {
+        id: "generated_landing_url",
+        pack: "url-risk",
+        severity: "high",
+        confidence: "medium",
+        title: "Generated suspicious landing URL",
+        description: "URL has generated-looking host/path structure commonly seen in injected landing pages and fake-update campaigns.",
+        locationType: "url",
+        score: { base: 78, tags: ["phishing", "url"] }
+    }
+};
+//# sourceMappingURL=urls.js.map

package/dist/rules/packs/urls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"urls.js","sourceRoot":"","sources":["../../../src/rules/packs/urls.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,QAAQ,GAcjB;IACF,kBAAkB,EAAE;QAClB,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,iCAAiC;QAC9C,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE;KAC/C;IACD,yBAAyB,EAAE;QACzB,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,2FAA2F;QACxG,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE;KAC/C;IACD,0BAA0B,EAAE;QAC1B,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,oFAAoF;QACjG,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE;KAC/C;IACD,cAAc,EAAE;QACd,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,wDAAwD;QACrE,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE;KACnC;IACD,cAAc,EAAE;QACd,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,gBAAgB;QACvB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE;KACnC;IACD,kBAAkB,EAAE;QAClB,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,4EAA4E;QACzF,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE;KAClC;IACD,0BAA0B,EAAE;QAC1B,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,yEAAyE;QACtF,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,gBAAgB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE;KAC1E;IACD,yBAAyB,EAAE;QACzB,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,oHAAoH;QACjI,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE;KAC7C;IACD,4BAA4B,EAAE;QAC5B,EAAE,EAAE,8BAA8B;QAClC,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE,yHAAyH;QACtI,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE;KAC7C;IACD,uBAAuB,EAAE;QACvB,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,2CAA2C;QAClD,WAAW,EAAE,4JAA4J;QACzK,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE;KAC/C;IACD,kCAAkC,EAAE;QAClC,EAAE,EAAE,oCAAoC;QACxC,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EAAE,0NAA0N;QACvO,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,YAAY,EAAE,UAAU,EAAE,KAAK,CAAC,EAAE;KAC7D;IACD,qBAAqB,EAAE;QACrB,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kHAAkH;QAC/H,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE;KAC/C;CACF,CAAC"}

package/dist/rules/types.d.ts

@@ -0,0 +1,34 @@
+export type Severity = "info" | "low" | "medium" | "high" | "critical";
+export type Confidence = "low" | "medium" | "high";
+export type FindingLocationType = "url" | "html" | "javascript" | "css" | "source" | "binary" | "decoded_artifact" | "aggregate";
+export type ScoreTag = "binary" | "credential" | "decoded" | "dependency" | "exfiltration" | "hosting" | "obfuscation" | "payment" | "phishing" | "redirect" | "seo" | "script" | "source" | "technology" | "url" | "wallet";
+export interface RuleScoreModel {
+    base: number;
+    tags: ScoreTag[];
+    repeatMultiplier?: number;
+    maxRepeats?: number;
+    maxGroup?: string;
+}
+export interface PatternRule {
+    id: string;
+    pack: string;
+    severity: Severity;
+    confidence: Confidence;
+    title: string;
+    description: string;
+    locationType: FindingLocationType;
+    pattern: RegExp;
+    counter?: string;
+    score: RuleScoreModel;
+}
+export interface RuleDefinition {
+    id: string;
+    pack: string;
+    severity: Severity;
+    confidence: Confidence;
+    title: string;
+    description: string;
+    locationType: FindingLocationType;
+    score: RuleScoreModel;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/rules/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/rules/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AACvE,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AACnD,MAAM,MAAM,mBAAmB,GAAG,KAAK,GAAG,MAAM,GAAG,YAAY,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,kBAAkB,GAAG,WAAW,CAAC;AACjI,MAAM,MAAM,QAAQ,GAChB,QAAQ,GACR,YAAY,GACZ,SAAS,GACT,YAAY,GACZ,cAAc,GACd,SAAS,GACT,aAAa,GACb,SAAS,GACT,UAAU,GACV,UAAU,GACV,KAAK,GACL,QAAQ,GACR,QAAQ,GACR,YAAY,GACZ,KAAK,GACL,QAAQ,CAAC;AAEb,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IAKpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,UAAU,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,mBAAmB,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,cAAc,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,UAAU,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,mBAAmB,CAAC;IAClC,KAAK,EAAE,cAAc,CAAC;CACvB"}

package/dist/rules/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/rules/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/rules/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@q32/signal-scanner",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "type": "module",
   "description": "Static web signal scanner with bounded streaming analyzers, URL extraction, rule packs, scoring, and normalized reports.",
   "license": "MIT",
@@ -10,10 +10,12 @@
   },
   "files": [
     "README.md",
-    "src/",
+    "dist/",
     "scripts/"
   ],
   "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "prepack": "npm run build",
     "test": "bun test",
     "coverage": "bun test --coverage --coverage-reporter=lcov --coverage-dir=coverage && bun scripts/check-coverage.ts coverage/lcov.info 80",
     "coverage:report": "bun test --coverage",
@@ -22,28 +24,28 @@
   },
   "exports": {
     ".": {
-      "types": "./src/index.ts",
-      "default": "./src/index.ts"
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
     },
     "./node-tls": {
-      "types": "./src/node-tls.ts",
-      "default": "./src/node-tls.ts"
+      "types": "./dist/node-tls.d.ts",
+      "default": "./dist/node-tls.js"
     },
     "./intel": {
-      "types": "./src/intel.ts",
-      "default": "./src/intel.ts"
+      "types": "./dist/intel.d.ts",
+      "default": "./dist/intel.js"
     },
     "./feeds": {
-      "types": "./src/feeds.ts",
-      "default": "./src/feeds.ts"
+      "types": "./dist/feeds.d.ts",
+      "default": "./dist/feeds.js"
     },
     "./dynamic": {
-      "types": "./src/dynamic.ts",
-      "default": "./src/dynamic.ts"
+      "types": "./dist/dynamic.d.ts",
+      "default": "./dist/dynamic.js"
     },
     "./render": {
-      "types": "./src/render.ts",
-      "default": "./src/render.ts"
+      "types": "./dist/render.d.ts",
+      "default": "./dist/render.js"
     }
   },
   "sideEffects": false,
@@ -57,6 +59,8 @@
     "esbuild": "^0.28.0",
     "fast-text-encoding": "^1.0.6",
     "isolated-vm": "^6.1.2",
+    "typescript": "^5.9.3",
+    "@types/node": "^24.0.0",
     "whatwg-url-without-unicode": "^8.0.0-3"
   }
 }