@q32/signal-scanner 0.1.0 → 0.2.0

package/src/rules/packs/index.ts

@@ -1,76 +0,0 @@
-export { binaryRules, binaryStringRules } from "./binary";
-export { cssRules } from "./css";
-export { decodedArtifactRules } from "./decoders";
-export { htmlRules } from "./html";
-export { htmlTechnologyRules } from "./html";
-export { scriptCompositeRules, scriptRiskRules } from "./script-risk";
-export { sourceCodeRules } from "./source-code";
-export { urlRules } from "./urls";
-
-import { binaryRules, binaryStringRules } from "./binary";
-import { cssRules } from "./css";
-import { decodedArtifactRules } from "./decoders";
-import { htmlRules, htmlTechnologyRules } from "./html";
-import { scriptCompositeRules, scriptRiskRules } from "./script-risk";
-import { sourceCodeRules } from "./source-code";
-import { urlRules } from "./urls";
-
-export const rulePacks = {
-  phishing: [
-    htmlRules.credential_form_posts_off_origin,
-    htmlRules.password_form_without_https,
-    htmlRules.hidden_iframe_off_origin,
-    htmlRules.excessive_external_scripts_on_login_page,
-    htmlRules.login_page_with_punycode_links,
-    htmlRules.credential_ui_rendered_as_image,
-    htmlRules.crypto_wallet_login_language,
-    htmlRules.crypto_trading_landing_language,
-    htmlRules.seo_trademark_stuffing,
-    htmlRules.credential_form_on_suspicious_host,
-    htmlRules.brand_impersonation_content,
-    urlRules.punycode_login_url,
-    urlRules.brand_impersonation_url
-  ],
-  redirects: [htmlRules.meta_refresh_external, urlRules.redirect_to_url_shortener, urlRules.final_url_offsite_redirect, ...scriptRiskRules.filter((rule) => rule.pack === "redirects")],
-  "url-risk": [
-    urlRules.private_ip_url,
-    urlRules.ip_literal_url,
-    urlRules.suspicious_tld_url,
-    urlRules.download_like_external_url,
-    urlRules.malware_download_like_url,
-    urlRules.shared_hosting_subdomain_url,
-    urlRules.brand_impersonation_url,
-    urlRules.generated_landing_url
-  ],
-  "technology-fingerprint": [
-    htmlTechnologyRules.wordpress_surface_reference,
-    htmlTechnologyRules.drupal_surface_reference,
-    htmlTechnologyRules.phpmyadmin_surface_reference
-  ],
-  "dependency-fingerprint": [
-    htmlTechnologyRules.legacy_jquery_reference,
-    htmlTechnologyRules.legacy_angularjs_reference,
-    htmlTechnologyRules.legacy_bootstrap_reference,
-    htmlTechnologyRules.legacy_lodash_reference
-  ],
-  "script-risk": [
-    htmlRules.external_script_from_unrelated_domain,
-    htmlRules.mixed_content_script,
-    ...scriptRiskRules.filter((rule) => rule.pack === "script-risk")
-  ],
-  obfuscation: [
-    ...Object.values(decodedArtifactRules),
-    ...scriptRiskRules.filter((rule) => rule.pack === "obfuscation"),
-    scriptCompositeRules.decoded_dynamic_execution,
-    cssRules.unicode_bidi_trick
-  ],
-  exfiltration: [
-    ...scriptRiskRules.filter((rule) => rule.pack === "exfiltration"),
-    scriptCompositeRules.credential_exfil_candidate
-  ],
-  wallet: scriptRiskRules.filter((rule) => rule.pack === "wallet"),
-  payment: [htmlRules.card_fields_plus_external_script, scriptCompositeRules.payment_input_event_hooks],
-  "seo-spam": [cssRules.hidden_link_cluster],
-  "source-code": sourceCodeRules,
-  "binary-static": [...Object.values(binaryRules), ...binaryStringRules]
-} as const;

package/src/rules/packs/script-risk.ts

@@ -1,236 +0,0 @@
-import type { PatternRule, RuleDefinition } from "../types";
-
-export const scriptRiskRules: PatternRule[] = [
-  {
-    id: "dynamic_code_execution",
-    pack: "script-risk",
-    severity: "low",
-    confidence: "medium",
-    title: "Dynamic code execution",
-    description: "JavaScript calls eval().",
-    locationType: "javascript",
-    pattern: /\beval\s*\(/,
-    counter: "dynamic_code_execution",
-    // eval() is ubiquitous in legitimate minified bundles; weak signal alone.
-    score: { base: 12, tags: ["script"], maxGroup: "dynamic-code" }
-  },
-  {
-    id: "function_constructor_with_string",
-    pack: "script-risk",
-    severity: "low",
-    confidence: "medium",
-    title: "Function constructor with string",
-    description: "JavaScript constructs code from a string.",
-    locationType: "javascript",
-    pattern: /\bnew\s+Function\s*\(/,
-    // new Function() is ubiquitous in legitimate minified bundles (framework
-    // template compilers, lodash, etc.) — weak signal alone, like eval().
-    score: { base: 15, tags: ["script"], maxGroup: "dynamic-code" }
-  },
-  {
-    id: "string_timer_execution",
-    pack: "script-risk",
-    severity: "medium",
-    confidence: "high",
-    title: "String-based timer execution",
-    description: "JavaScript passes a string to a timer execution API.",
-    locationType: "javascript",
-    pattern: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/,
-    counter: "dynamic_code_execution",
-    score: { base: 24, tags: ["script"], maxGroup: "dynamic-code" }
-  },
-  {
-    id: "document_write_script",
-    pack: "script-risk",
-    severity: "low",
-    confidence: "high",
-    title: "document.write usage",
-    description: "JavaScript writes dynamic HTML into the document.",
-    locationType: "javascript",
-    pattern: /\bdocument\.write\s*\(/,
-    score: { base: 8, tags: ["script"] }
-  },
-  {
-    id: "innerhtml_script_injection",
-    pack: "script-risk",
-    severity: "low",
-    confidence: "high",
-    title: "HTML injection sink",
-    description: "JavaScript assigns to an HTML injection sink.",
-    locationType: "javascript",
-    pattern: /\.(?:innerHTML|outerHTML)\s*=/,
-    score: { base: 10, tags: ["script"] }
-  },
-  {
-    id: "insert_adjacent_html",
-    pack: "script-risk",
-    severity: "low",
-    confidence: "high",
-    title: "insertAdjacentHTML usage",
-    description: "JavaScript inserts HTML through insertAdjacentHTML().",
-    locationType: "javascript",
-    pattern: /\.insertAdjacentHTML\s*\(/,
-    score: { base: 8, tags: ["script"] }
-  },
-  {
-    id: "dynamic_script_src",
-    pack: "script-risk",
-    severity: "medium",
-    confidence: "high",
-    title: "Dynamic script creation",
-    description: "JavaScript creates a script element dynamically.",
-    locationType: "javascript",
-    pattern: /\bcreateElement\s*\(\s*['"]script['"]\s*\)/,
-    score: { base: 18, tags: ["script"] }
-  },
-  {
-    id: "script_src_assignment",
-    pack: "script-risk",
-    severity: "medium",
-    confidence: "high",
-    title: "Dynamic script src assignment",
-    description: "JavaScript assigns to a script source dynamically.",
-    locationType: "javascript",
-    pattern: /\.src\s*=|setAttribute\s*\(\s*['"]src['"]/,
-    score: { base: 18, tags: ["script"] }
-  },
-  {
-    id: "append_child_script",
-    pack: "script-risk",
-    severity: "low",
-    confidence: "medium",
-    title: "Dynamic script append",
-    description: "JavaScript appends a dynamically created script element.",
-    locationType: "javascript",
-    pattern: /\.appendChild\s*\(\s*(?:script|s|el|node)\s*\)/,
-    score: { base: 6, tags: ["script"] }
-  },
-  {
-    id: "external_request_api_seen",
-    pack: "script-risk",
-    severity: "low",
-    confidence: "medium",
-    title: "External request API",
-    description: "JavaScript references an outbound request API.",
-    locationType: "javascript",
-    pattern: /\b(?:fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/,
-    score: { base: 6, tags: ["script"] }
-  },
-  {
-    id: "js_location_external",
-    pack: "redirects",
-    severity: "medium",
-    confidence: "high",
-    title: "JavaScript redirect logic",
-    description: "JavaScript references browser redirect APIs.",
-    locationType: "javascript",
-    pattern: /\b(?:location\.href|location\.assign|location\.replace|window\.open)\b/,
-    score: { base: 20, tags: ["redirect", "script"] }
-  },
-  {
-    id: "decoder_seen",
-    pack: "obfuscation",
-    severity: "low",
-    confidence: "medium",
-    title: "Decoder API seen",
-    description: "JavaScript references a common string decoder API.",
-    locationType: "javascript",
-    pattern: /\b(?:atob|btoa|unescape|String\.fromCharCode)\b/,
-    counter: "decoder_seen",
-    score: { base: 6, tags: ["decoded", "script"] }
-  },
-  {
-    id: "charcodeat_decoder_loop",
-    pack: "obfuscation",
-    severity: "medium",
-    confidence: "medium",
-    title: "charCodeAt decoder loop",
-    description: "JavaScript uses charCodeAt in loop-like code, a common lightweight decoder pattern.",
-    locationType: "javascript",
-    pattern: /(?:for|while)\s*\([^)]*\)[\s\S]{0,300}\.charCodeAt\s*\(/,
-    score: { base: 22, tags: ["decoded", "obfuscation", "script"] }
-  },
-  {
-    id: "browser_storage_or_clipboard_seen",
-    pack: "exfiltration",
-    severity: "medium",
-    confidence: "medium",
-    title: "Storage or clipboard access",
-    description: "JavaScript references browser storage, cookies, or clipboard APIs.",
-    locationType: "javascript",
-    pattern: /\b(?:localStorage|sessionStorage|document\.cookie|navigator\.clipboard)\b/,
-    score: { base: 14, tags: ["exfiltration", "script"] }
-  },
-  {
-    id: "wallet_interaction_with_obfuscation",
-    pack: "wallet",
-    severity: "medium",
-    confidence: "medium",
-    title: "Wallet API reference",
-    description: "JavaScript references wallet or approval APIs.",
-    locationType: "javascript",
-    pattern: /\b(?:window\.ethereum|WalletConnect|ethereum\.request)\b|\.(?:approve|permit)\s*\(|\bmethod\s*:\s*['"]eth_/i,
-    score: { base: 20, tags: ["script", "wallet"] }
-  }
-];
-
-export const scriptCompositeRules: Record<
-  "credential_exfil_candidate" | "decoded_dynamic_execution" | "form_action_changed_by_javascript" | "wallet_api_plus_external_beacon" | "payment_input_event_hooks",
-  RuleDefinition
-> = {
-  credential_exfil_candidate: {
-    id: "credential_exfil_candidate",
-    pack: "exfiltration",
-    severity: "high",
-    confidence: "medium",
-    title: "Credential or storage exfiltration candidate",
-    description: "JavaScript combines credential/storage signals with outbound request APIs.",
-    locationType: "javascript",
-    score: { base: 72, tags: ["credential", "exfiltration", "script"] }
-  },
-  decoded_dynamic_execution: {
-    id: "decoded_dynamic_execution",
-    pack: "obfuscation",
-    severity: "high",
-    confidence: "high",
-    title: "Decoded dynamic execution",
-    description: "JavaScript combines decoder APIs with dynamic execution.",
-    locationType: "javascript",
-    score: { base: 76, tags: ["decoded", "obfuscation", "script"] }
-  },
-  form_action_changed_by_javascript: {
-    id: "form_action_changed_by_javascript",
-    pack: "phishing",
-    severity: "low",
-    confidence: "medium",
-    title: "Form action changed by JavaScript",
-    description: "JavaScript appears to change a form action target.",
-    locationType: "javascript",
-    // Legitimate SPAs/SSO flows rewrite form actions; weak on its own, and the
-    // "credential"/"phishing" tags were escalating the score multiplier.
-    score: { base: 12, tags: ["script"] }
-  },
-  wallet_api_plus_external_beacon: {
-    id: "wallet_api_plus_external_beacon",
-    pack: "wallet",
-    severity: "high",
-    confidence: "medium",
-    title: "Wallet API plus external request",
-    description: "JavaScript combines wallet APIs with outbound request APIs.",
-    locationType: "javascript",
-    score: { base: 72, tags: ["exfiltration", "script", "wallet"] }
-  },
-  payment_input_event_hooks: {
-    id: "payment_input_event_hooks",
-    pack: "payment",
-    severity: "low",
-    confidence: "medium",
-    title: "Payment input event hooks",
-    description: "JavaScript attaches input/change listeners near payment-card fields.",
-    locationType: "javascript",
-    // Every legitimate checkout/login listens to its own input fields — weak
-    // signal alone. The real skimmer pattern is this PLUS off-site exfil of the
-    // captured values, which the exfil/credential-form rules score on their own.
-    score: { base: 15, tags: ["payment", "script"] }
-  }
-};

package/src/rules/packs/source-code.ts

@@ -1,180 +0,0 @@
-import type { PatternRule } from "../types";
-
-export const sourceCodeRules: PatternRule[] = [
-  {
-    id: "hardcoded_secret_candidate",
-    pack: "source-code",
-    severity: "high",
-    confidence: "medium",
-    title: "Hardcoded secret candidate",
-    description: "Source text matched a risky secret-like token pattern.",
-    locationType: "source",
-    pattern: /(?:AKIA[0-9A-Z]{16}|xox[baprs]-[a-zA-Z0-9-]{20,}|ghp_[a-zA-Z0-9]{20,})/,
-    score: { base: 62, tags: ["source"] }
-  },
-  {
-    id: "webhook_url_candidate",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Webhook URL candidate",
-    description: "Source text contains a webhook URL candidate.",
-    locationType: "source",
-    pattern: /https:\/\/(?:hooks\.slack\.com\/services\/|discord(?:app)?\.com\/api\/webhooks\/|api\.telegram\.org\/bot)[A-Za-z0-9/_:.-]+/,
-    score: { base: 35, tags: ["source", "url"] }
-  },
-  {
-    id: "dangerous_child_process",
-    pack: "source-code",
-    severity: "high",
-    confidence: "medium",
-    title: "Dangerous child process use",
-    description: "Source text references command execution through child_process.",
-    locationType: "source",
-    pattern: /\bchild_process\.(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\b|require\s*\(\s*['"]child_process['"]\s*\)\s*\.\s*(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\b|import\s*\{[^}]*\b(?:exec|execSync|spawn|spawnSync|execFile|execFileSync)\b[^}]*\}\s*from\s*['"]node:child_process['"]/,
-    score: { base: 50, tags: ["source"] }
-  },
-  {
-    id: "shell_execution_import",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Shell execution import",
-    description: "Source text imports Node child_process command execution APIs.",
-    locationType: "source",
-    pattern: /\b(?:import|require)\b[^;\n]{0,120}\bchild_process\b/,
-    score: { base: 24, tags: ["source"] }
-  },
-  {
-    id: "curl_pipe_shell",
-    pack: "source-code",
-    severity: "high",
-    confidence: "medium",
-    title: "curl pipe shell",
-    description: "Source text pipes a downloaded script into a shell.",
-    locationType: "source",
-    pattern: /\bcurl\b[^|]{0,120}\|\s*(?:sh|bash)/,
-    score: { base: 70, tags: ["source", "url"] }
-  },
-  {
-    id: "postinstall_script",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Postinstall script",
-    description: "Package metadata defines a postinstall script.",
-    locationType: "source",
-    pattern: /"postinstall"\s*:/,
-    score: { base: 20, tags: ["source"] }
-  },
-  {
-    id: "preinstall_script",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Preinstall script",
-    description: "Package metadata defines a preinstall script.",
-    locationType: "source",
-    pattern: /"preinstall"\s*:/,
-    score: { base: 20, tags: ["source"] }
-  },
-  {
-    id: "install_script_network_fetch",
-    pack: "source-code",
-    severity: "high",
-    confidence: "medium",
-    title: "Install script performs network fetch",
-    description: "Install lifecycle script appears to fetch network content.",
-    locationType: "source",
-    pattern: /"(?:preinstall|install|postinstall)"\s*:\s*"[^"]*(?:curl|wget|fetch|https?:\/\/)/,
-    score: { base: 66, tags: ["source", "url"] }
-  },
-  {
-    id: "non_literal_require",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Non-literal require candidate",
-    description: "Source text calls require() with an expression instead of a string literal.",
-    locationType: "source",
-    pattern: /\brequire\s*\(\s*(?!['"`])/,
-    score: { base: 18, tags: ["source"] }
-  },
-  {
-    id: "non_literal_regexp",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Non-literal RegExp candidate",
-    description: "Source text constructs a RegExp from a non-literal expression.",
-    locationType: "source",
-    pattern: /\bnew\s+RegExp\s*\(\s*(?!['"`])|\bRegExp\s*\(\s*(?!['"`])/,
-    score: { base: 16, tags: ["source"] }
-  },
-  {
-    id: "new_buffer_constructor",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "New Buffer constructor",
-    description: "Source text uses the legacy Buffer constructor.",
-    locationType: "source",
-    pattern: /\bnew\s+Buffer\s*\(/,
-    score: { base: 12, tags: ["source"] }
-  },
-  {
-    id: "weak_crypto_hash",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Weak crypto hash",
-    description: "Source text references weak hash algorithms.",
-    locationType: "source",
-    pattern: /\bcreateHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/,
-    score: { base: 16, tags: ["source"] }
-  },
-  {
-    id: "pseudo_random_bytes",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Pseudo-random bytes",
-    description: "Source text references crypto.pseudoRandomBytes().",
-    locationType: "source",
-    pattern: /\bpseudoRandomBytes\s*\(/,
-    score: { base: 16, tags: ["source"] }
-  },
-  {
-    id: "template_escape_disabled",
-    pack: "source-code",
-    severity: "medium",
-    confidence: "medium",
-    title: "Template escaping disabled",
-    description: "Source text appears to disable template escaping.",
-    locationType: "source",
-    pattern: /\bescapeMarkup\s*=\s*false\b/,
-    score: { base: 22, tags: ["source"] }
-  },
-  {
-    id: "sensitive_file_read",
-    pack: "source-code",
-    severity: "high",
-    confidence: "medium",
-    title: "Sensitive file read candidate",
-    description: "Source text references filesystem reads of sensitive paths or environment files.",
-    locationType: "source",
-    pattern: /\b(?:readFileSync|readFile)\s*\([^)]*(?:\/etc\/passwd|\.env|id_rsa|credentials)/,
-    score: { base: 48, tags: ["source"] }
-  },
-  {
-    id: "private_key_material",
-    pack: "source-code",
-    severity: "critical",
-    confidence: "high",
-    title: "Private key material",
-    description: "Source text contains a private key header.",
-    locationType: "source",
-    pattern: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
-    score: { base: 95, tags: ["source"] }
-  }
-];

package/src/rules/packs/urls.ts

@@ -1,138 +0,0 @@
-import type { RuleDefinition } from "../types";
-
-export const urlRules: Record<
-  | "punycode_login_url"
-  | "redirect_to_url_shortener"
-  | "final_url_offsite_redirect"
-  | "private_ip_url"
-  | "ip_literal_url"
-  | "suspicious_tld_url"
-  | "download_like_external_url"
-  | "malware_download_like_url"
-  | "shared_hosting_subdomain_url"
-  | "brand_impersonation_url"
-  | "credential_path_on_suspicious_host"
-  | "generated_landing_url",
-  RuleDefinition
-> = {
-  punycode_login_url: {
-    id: "punycode_login_url",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Punycode login URL",
-    description: "A login-like URL uses punycode.",
-    locationType: "url",
-    score: { base: 70, tags: ["phishing", "url"] }
-  },
-  redirect_to_url_shortener: {
-    id: "redirect_to_url_shortener",
-    pack: "redirects",
-    severity: "medium",
-    confidence: "medium",
-    title: "URL shortener destination",
-    description: "The scanned URL is, or redirects through, a known URL shortener (a common cloaking step).",
-    locationType: "url",
-    score: { base: 20, tags: ["redirect", "url"] }
-  },
-  final_url_offsite_redirect: {
-    id: "final_url_offsite_redirect",
-    pack: "redirects",
-    severity: "medium",
-    confidence: "high",
-    title: "Final URL redirects off-site",
-    description: "The fetched URL resolves to a different registrable domain than the submitted URL.",
-    locationType: "url",
-    score: { base: 25, tags: ["redirect", "url"] }
-  },
-  private_ip_url: {
-    id: "private_ip_url",
-    pack: "url-risk",
-    severity: "medium",
-    confidence: "high",
-    title: "Private or local network URL",
-    description: "Content references a localhost or private-network URL.",
-    locationType: "url",
-    score: { base: 25, tags: ["url"] }
-  },
-  ip_literal_url: {
-    id: "ip_literal_url",
-    pack: "url-risk",
-    severity: "medium",
-    confidence: "medium",
-    title: "IP literal URL",
-    description: "Content references a URL by IP address instead of a hostname.",
-    locationType: "url",
-    score: { base: 22, tags: ["url"] }
-  },
-  suspicious_tld_url: {
-    id: "suspicious_tld_url",
-    pack: "url-risk",
-    severity: "low",
-    confidence: "medium",
-    title: "Suspicious TLD URL",
-    description: "Content references a URL with a TLD commonly seen in abuse investigations.",
-    locationType: "url",
-    score: { base: 8, tags: ["url"] }
-  },
-  download_like_external_url: {
-    id: "download_like_external_url",
-    pack: "url-risk",
-    severity: "medium",
-    confidence: "medium",
-    title: "Download-like external URL",
-    description: "Content references an off-site URL with download or payload path terms.",
-    locationType: "url",
-    score: { base: 18, tags: ["url"], repeatMultiplier: 0.25, maxRepeats: 3 }
-  },
-  malware_download_like_url: {
-    id: "malware_download_like_url",
-    pack: "url-risk",
-    severity: "high",
-    confidence: "medium",
-    title: "Malware-download-like URL path",
-    description: "URL path resembles common malware download naming for scripts, botnet payloads, or architecture-specific binaries.",
-    locationType: "url",
-    score: { base: 55, tags: ["binary", "url"] }
-  },
-  shared_hosting_subdomain_url: {
-    id: "shared_hosting_subdomain_url",
-    pack: "url-risk",
-    severity: "low",
-    confidence: "medium",
-    title: "Shared-hosting subdomain",
-    description: "The target URL is hosted on a shared/free-hosting subdomain rather than an independently controlled registrable domain.",
-    locationType: "url",
-    score: { base: 6, tags: ["hosting", "url"] }
-  },
-  brand_impersonation_url: {
-    id: "brand_impersonation_url",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Brand name in host of an unrelated domain",
-    description: "A well-known brand appears in the hostname while the registrable domain does not belong to that brand — a hallmark of credential-phishing lookalike hosts.",
-    locationType: "url",
-    score: { base: 68, tags: ["phishing", "url"] }
-  },
-  credential_path_on_suspicious_host: {
-    id: "credential_path_on_suspicious_host",
-    pack: "phishing",
-    severity: "high",
-    confidence: "high",
-    title: "Login/account path on a suspicious host",
-    description: "A login, sign-in, account, or verification path is served from a free-hosting subdomain, generated host label, suspicious TLD, punycode, IP literal, or URL shortener — where legitimate brands do not host credentials.",
-    locationType: "url",
-    score: { base: 66, tags: ["credential", "phishing", "url"] }
-  },
-  generated_landing_url: {
-    id: "generated_landing_url",
-    pack: "url-risk",
-    severity: "high",
-    confidence: "medium",
-    title: "Generated suspicious landing URL",
-    description: "URL has generated-looking host/path structure commonly seen in injected landing pages and fake-update campaigns.",
-    locationType: "url",
-    score: { base: 78, tags: ["phishing", "url"] }
-  }
-};

package/src/rules/types.ts

@@ -1,56 +0,0 @@
-export type Severity = "info" | "low" | "medium" | "high" | "critical";
-export type Confidence = "low" | "medium" | "high";
-export type FindingLocationType = "url" | "html" | "javascript" | "css" | "source" | "binary" | "decoded_artifact" | "aggregate";
-export type ScoreTag =
-  | "binary"
-  | "credential"
-  | "decoded"
-  | "dependency"
-  | "exfiltration"
-  | "hosting"
-  | "obfuscation"
-  | "payment"
-  | "phishing"
-  | "redirect"
-  | "seo"
-  | "script"
-  | "source"
-  | "technology"
-  | "url"
-  | "wallet";
-
-export interface RuleScoreModel {
-  base: number;
-  tags: ScoreTag[];
-  repeatMultiplier?: number;
-  maxRepeats?: number;
-  // Rules sharing a maxGroup describe the same underlying behaviour observed
-  // different ways (e.g. eval / new Function / runtime eval all = "uses dynamic
-  // code"). Only the single highest-scoring member of a maxGroup contributes to
-  // the total, so a legit page isn't charged N times for one behaviour.
-  maxGroup?: string;
-}
-
-export interface PatternRule {
-  id: string;
-  pack: string;
-  severity: Severity;
-  confidence: Confidence;
-  title: string;
-  description: string;
-  locationType: FindingLocationType;
-  pattern: RegExp;
-  counter?: string;
-  score: RuleScoreModel;
-}
-
-export interface RuleDefinition {
-  id: string;
-  pack: string;
-  severity: Severity;
-  confidence: Confidence;
-  title: string;
-  description: string;
-  locationType: FindingLocationType;
-  score: RuleScoreModel;
-}