@queno/agent-node 0.1.2

package/dist/db-hooks/instrument.js

@@ -0,0 +1,194 @@
+/**
+ * Database driver instrumentation.
+ *
+ * Monkey-patches the query entry point of common Node.js database drivers so
+ * that every query issued while handling an HTTP request is recorded into the
+ * active {@link RequestContext}. This is the data source for BOLA-via-DB
+ * correlation (Addendum A.4 / OWASP API #1).
+ *
+ * Design constraints:
+ *  - **Never break the host app.** Every patch is wrapped in try/catch; if a
+ *    driver is absent or its shape is unexpected, instrumentation is skipped.
+ *  - **Never change query behaviour.** Patches record metadata then delegate to
+ *    the original method with the original arguments and `this`.
+ *  - **Idempotent.** Re-patching is guarded by a marker symbol.
+ *
+ * Supported drivers (best-effort): pg, mysql2, mongoose, sequelize, knex.
+ * Prisma is instrumented separately via {@link instrumentPrismaClient} because
+ * it requires the client instance.
+ */
+import { createRequire } from "node:module";
+import { recordDbQuery, extractIdLiterals } from "../runtime-context.js";
+const PATCHED = Symbol.for("rasp.dbHook.patched");
+const nodeRequire = createRequire(import.meta.url);
+function isPatched(fn) {
+    return Boolean(fn[PATCHED]);
+}
+function markPatched(fn) {
+    fn[PATCHED] = true;
+}
+const hookRegistry = [];
+/**
+ * Verify every installed DB hook is still in place (same wrapper reference and
+ * carrying the PATCHED marker). Returns the list of tampered hooks; empty when
+ * integrity is intact.
+ */
+export function verifyHookIntegrity() {
+    const tampered = [];
+    for (const h of hookRegistry) {
+        const current = h.proto[h.method];
+        if (current !== h.wrapped || !isPatched(current)) {
+            tampered.push({ driver: h.driver, method: h.method });
+        }
+    }
+    return tampered;
+}
+/** Number of hooks currently registered (diagnostics / tests). */
+export function installedHookCount() {
+    return hookRegistry.length;
+}
+function record(driver, op) {
+    try {
+        const text = typeof op === "string" ? op : safeStringify(op);
+        if (!text)
+            return;
+        recordDbQuery({ driver, op: text.slice(0, 500), ids: extractIdLiterals(text) });
+    }
+    catch {
+        // Never throw from the hot path.
+    }
+}
+function safeStringify(op) {
+    if (op && typeof op === "object") {
+        const o = op;
+        if (typeof o.text === "string")
+            return o.text;
+        if (typeof o.sql === "string")
+            return o.sql;
+        try {
+            return JSON.stringify(op);
+        }
+        catch {
+            return "";
+        }
+    }
+    return String(op ?? "");
+}
+function tryRequire(name) {
+    try {
+        return nodeRequire(name);
+    }
+    catch {
+        return null;
+    }
+}
+function patchMethod(proto, method, driver) {
+    if (!proto || typeof proto[method] !== "function")
+        return;
+    const fn = proto[method];
+    if (isPatched(fn))
+        return;
+    const wrapped = function (...args) {
+        record(driver, args[0]);
+        return fn.apply(this, args);
+    };
+    markPatched(wrapped);
+    proto[method] = wrapped;
+    hookRegistry.push({ driver, method, proto, wrapped });
+}
+let done = false;
+/**
+ * Instrument all detectable database drivers. Safe to call multiple times.
+ *
+ * @param requireFn - Optional resolver (used in tests). Defaults to the
+ *   ambient CommonJS `require` when available.
+ */
+export function instrumentDatabaseDrivers(requireFn = tryRequire) {
+    if (done)
+        return;
+    done = true;
+    // pg - Client.prototype.query and Pool.prototype.query.
+    try {
+        const pg = requireFn("pg");
+        if (pg) {
+            patchMethod(pg.Client?.prototype, "query", "pg");
+            patchMethod(pg.Pool?.prototype, "query", "pg");
+        }
+    }
+    catch {
+        /* skip */
+    }
+    // mysql2 - Connection.prototype.query / execute.
+    try {
+        const conn = requireFn("mysql2/lib/connection.js");
+        if (conn) {
+            patchMethod(conn.prototype, "query", "mysql2");
+            patchMethod(conn.prototype, "execute", "mysql2");
+        }
+    }
+    catch {
+        /* skip */
+    }
+    // sequelize - Sequelize.prototype.query.
+    try {
+        const seq = requireFn("sequelize");
+        if (seq?.Sequelize) {
+            patchMethod(seq.Sequelize.prototype, "query", "sequelize");
+        }
+    }
+    catch {
+        /* skip */
+    }
+    // mongoose - Query.prototype.exec (covers find/findOne/update/etc).
+    try {
+        const mongoose = requireFn("mongoose");
+        if (mongoose?.Query) {
+            const proto = mongoose.Query.prototype;
+            if (typeof proto.exec === "function" && !isPatched(proto.exec)) {
+                const orig = proto.exec;
+                const wrapped = function (...args) {
+                    record("mongoose", { op: this.op, model: this.model?.modelName, filter: this._conditions });
+                    return orig.apply(this, args);
+                };
+                markPatched(wrapped);
+                proto.exec = wrapped;
+                hookRegistry.push({ driver: "mongoose", method: "exec", proto, wrapped });
+            }
+        }
+    }
+    catch {
+        /* skip */
+    }
+    // knex - client.prototype.query (knex/lib/client).
+    try {
+        const Client = requireFn("knex/lib/client.js");
+        if (Client) {
+            patchMethod(Client.prototype, "query", "knex");
+        }
+    }
+    catch {
+        /* skip */
+    }
+}
+/**
+ * Instrument a Prisma Client instance. Prisma cannot be patched at the module
+ * level, so the integrator passes the client (created with
+ * `new PrismaClient({ log: [{ emit: 'event', level: 'query' }] })`).
+ */
+export function instrumentPrismaClient(client) {
+    try {
+        const c = client;
+        if (typeof c.$on === "function") {
+            c.$on("query", (e) => record("prisma", e.query ?? ""));
+        }
+    }
+    catch {
+        /* skip */
+    }
+}
+/** Reset the one-shot guard (tests only). */
+export function __resetInstrumentationForTests() {
+    done = false;
+    hookRegistry.length = 0;
+}
+//# sourceMappingURL=instrument.js.map

package/dist/db-hooks/instrument.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"instrument.js","sourceRoot":"","sources":["../../src/db-hooks/instrument.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAEzE,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;AAElD,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAEnD,SAAS,SAAS,CAAC,EAAW;IAC5B,OAAO,OAAO,CAAE,EAA8B,CAAC,OAAO,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,SAAS,WAAW,CAAC,EAAW;IAC7B,EAA8B,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;AAClD,CAAC;AAcD,MAAM,YAAY,GAAiB,EAAE,CAAC;AAEtC;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,QAAQ,GAAyC,EAAE,CAAC;IAC1D,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,OAAO,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,CAAC,MAAM,CAAC;AAC7B,CAAC;AAED,SAAS,MAAM,CAAC,MAAc,EAAE,EAAW;IACzC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI;YAAE,OAAO;QAClB,aAAa,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;IACnC,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,EAAW;IAChC,IAAI,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,EAA6B,CAAC;QACxC,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,IAAI,CAAC;QAC9C,IAAI,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,GAAG,CAAC;QAC5C,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,IAAI,CAAC;QACH,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAClB,KAAiD,EACjD,MAAc,EACd,MAAc;IAEd,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,CAAC,MAAM,CAAC,KAAK,UAAU;QAAE,OAAO;IAC1D,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAoC,CAAC;IAC5D,IAAI,SAAS,CAAC,EAAE,CAAC;QAAE,OAAO;IAC1B,MAAM,OAAO,GAAG,UAAyB,GAAG,IAAe;QACzD,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACxB,OAAO,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9B,CAAC,CAAC;IACF,WAAW,CAAC,OAAO,CAAC,CAAC;IACrB,KAAK,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC;IACxB,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,IAAI,IAAI,GAAG,KAAK,CAAC;AAEjB;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,YAAuC,UAAU;IACzF,IAAI,IAAI;QAAE,OAAO;IACjB,IAAI,GAAG,IAAI,CAAC;IAEZ,wDAAwD;IACxD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,CAA8G,CAAC;QACxI,IAAI,EAAE,EAAE,CAAC;YACP,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,SAAS,CAAC,0BAA0B,CAAkD,CAAC;QACpG,IAAI,IAAI,EAAE,CAAC;YACT,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC/C,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,yCAAyC;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAkE,CAAC;QACpG,IAAI,GAAG,EAAE,SAAS,EAAE,CAAC;YACnB,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,SAAS,CAAC,UAAU,CAA8D,CAAC;QACpG,IAAI,QAAQ,EAAE,KAAK,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC;YACvC,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/D,MAAM,IAAI,GAAG,KAAK,CAAC,IAAoC,CAAC;gBACxD,MAAM,OAAO,GAAG,UAAyC,GAAG,IAAe;oBACzE,MAAM,CAAC,UAAU,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAG,IAAI,CAAC,KAA4C,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;oBACpI,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBAChC,CAAC,CAAC;gBACF,WAAW,CAAC,OAAO,CAAC,CAAC;gBACrB,KAAK,CAAC,IAAI,GAAG,OAAO,CAAC;gBACrB,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,mDAAmD;IACnD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,SAAS,CAAC,oBAAoB,CAAkD,CAAC;QAChG,IAAI,MAAM,EAAE,CAAC;YACX,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAe;IACpD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAgF,CAAC;QAC3F,IAAI,OAAO,CAAC,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;YAChC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;AACH,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,8BAA8B;IAC5C,IAAI,GAAG,KAAK,CAAC;IACb,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;AAC1B,CAAC"}

package/dist/detectors/base.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Shared contract and helpers for all detectors.
+ *
+ * A detector inspects a {@link NormalizedRequest} and reports a single
+ * {@link DetectionResult} when a signature matches. Detectors are intentionally
+ * stateless or near-stateless (e.g. {@link BolaDetector} keeps a per-IP window)
+ * so they can be reordered, disabled, or stress-tested in isolation.
+ *
+ * Hard contract:
+ *  - `detect` must be cheap (it runs in the request hot path).
+ *  - `detect` must **never** throw. The agent catches anyway as a safety net,
+ *    but a thrown error short-circuits the detector for the request and is a
+ *    silent loss of coverage.
+ */
+import type { DetectionResult, NormalizedRequest } from "../types.js";
+/**
+ * Implementation contract for a single detector.
+ */
+export interface Detector {
+    /** Unique identifier, surfaced in `DetectionResult.detectorName`. */
+    readonly name: string;
+    /**
+     * Inspect a request.
+     *
+     * @returns A {@link DetectionResult} on the first match, or `null` if the
+     *   request looks clean to this detector.
+     */
+    detect(req: NormalizedRequest): DetectionResult | null;
+}
+/**
+ * Recursively flatten an arbitrary value into the list of string-castable
+ * leaves it contains.
+ *
+ * Used by signature-based detectors to obtain a flat list of values to run
+ * regexes against, regardless of whether the input is a string, an array, or
+ * a deeply nested object.
+ *
+ * @param value - The value to flatten. Objects and arrays are traversed.
+ * @param depth - Internal recursion guard. Defaults to 0.
+ * @returns The list of leaf string values. Numbers and booleans are coerced;
+ *   `null`, `undefined`, functions and other non-stringifiable values are
+ *   skipped.
+ *
+ * @remarks Recursion depth is capped at 6 to bound CPU/memory in case the
+ *   request contains an attacker-controlled deeply nested object.
+ */
+export declare function flattenValues(value: unknown, depth?: number): string[];
+/**
+ * Like {@link flattenValues}, but also exposes the dotted path leading to
+ * each string leaf.
+ *
+ * Used when a detector needs to match against **keys** as well as values
+ * (NoSQL `$gt`, prototype-pollution `__proto__`, …).
+ *
+ * @returns A list of `[dottedPath, leafStringValue]` tuples. Non-string
+ *   leaves are dropped.
+ *
+ * @remarks Depth is capped at 6, same rationale as {@link flattenValues}.
+ */
+export declare function flattenEntries(value: unknown, depth?: number, prefix?: string): Array<[key: string, value: string]>;
+//# sourceMappingURL=base.d.ts.map

package/dist/detectors/base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../src/detectors/base.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,qEAAqE;IACrE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,MAAM,CAAC,GAAG,EAAE,iBAAiB,GAAG,eAAe,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,SAAI,GAAG,MAAM,EAAE,CAWjE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,OAAO,EACd,KAAK,SAAI,EACT,MAAM,SAAK,GACV,KAAK,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAWrC"}

package/dist/detectors/base.js

@@ -0,0 +1,57 @@
+/**
+ * Recursively flatten an arbitrary value into the list of string-castable
+ * leaves it contains.
+ *
+ * Used by signature-based detectors to obtain a flat list of values to run
+ * regexes against, regardless of whether the input is a string, an array, or
+ * a deeply nested object.
+ *
+ * @param value - The value to flatten. Objects and arrays are traversed.
+ * @param depth - Internal recursion guard. Defaults to 0.
+ * @returns The list of leaf string values. Numbers and booleans are coerced;
+ *   `null`, `undefined`, functions and other non-stringifiable values are
+ *   skipped.
+ *
+ * @remarks Recursion depth is capped at 6 to bound CPU/memory in case the
+ *   request contains an attacker-controlled deeply nested object.
+ */
+export function flattenValues(value, depth = 0) {
+    if (depth > 6)
+        return [];
+    if (typeof value === "string")
+        return [value];
+    if (typeof value === "number" || typeof value === "boolean")
+        return [String(value)];
+    if (Array.isArray(value))
+        return value.flatMap((v) => flattenValues(v, depth + 1));
+    if (value !== null && typeof value === "object") {
+        return Object.values(value).flatMap((v) => flattenValues(v, depth + 1));
+    }
+    return [];
+}
+/**
+ * Like {@link flattenValues}, but also exposes the dotted path leading to
+ * each string leaf.
+ *
+ * Used when a detector needs to match against **keys** as well as values
+ * (NoSQL `$gt`, prototype-pollution `__proto__`, …).
+ *
+ * @returns A list of `[dottedPath, leafStringValue]` tuples. Non-string
+ *   leaves are dropped.
+ *
+ * @remarks Depth is capped at 6, same rationale as {@link flattenValues}.
+ */
+export function flattenEntries(value, depth = 0, prefix = "") {
+    if (depth > 6)
+        return [];
+    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
+        return Object.entries(value).flatMap(([k, v]) => {
+            const fullKey = prefix ? `${prefix}.${k}` : k;
+            const nested = flattenEntries(v, depth + 1, fullKey);
+            const self = typeof v === "string" ? [[fullKey, v]] : [];
+            return [...self, ...nested];
+        });
+    }
+    return [];
+}
+//# sourceMappingURL=base.js.map

package/dist/detectors/base.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.js","sourceRoot":"","sources":["../../src/detectors/base.ts"],"names":[],"mappings":"AA+BA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,aAAa,CAAC,KAAc,EAAE,KAAK,GAAG,CAAC;IACrD,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACzB,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACpF,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IACnF,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,MAAM,CAAC,MAAM,CAAC,KAAgC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACnE,aAAa,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAC5B,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,KAAc,EACd,KAAK,GAAG,CAAC,EACT,MAAM,GAAG,EAAE;IAEX,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACzB,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzE,OAAO,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE;YACzE,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,IAAI,GAA4B,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,MAAM,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/detectors/bola.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Broken Object Level Authorization (BOLA / IDOR) detector.
+ *
+ * OWASP API Security Top-10 #1. Two complementary heuristics:
+ *
+ * 1. **JWT-sub mismatch** - if the `Authorization: Bearer …` header carries
+ *    a JWT whose `sub` claim does not match the resource ID present in the
+ *    URL path, the request is flagged. This catches user A trying to read
+ *    user B's resource by directly tampering with the URL.
+ *
+ * 2. **High-velocity ID enumeration** - per source IP, the detector tracks
+ *    distinct resource IDs seen in the path over a rolling
+ *    {@link WINDOW_MS} window. More than {@link DISTINCT_ID_THRESHOLD}
+ *    distinct IDs in that window triggers an alert: behaviour consistent
+ *    with a scripted scrape.
+ *
+ * Both heuristics rely on the path containing a recognisable object ID -
+ * the detector looks for short numeric segments or RFC 4122 UUIDs.
+ *
+ * Severity: `high`.
+ *
+ * State note: per-IP windows are stored in memory; {@link prune} drops
+ * entries older than `2 * WINDOW_MS` and should be called periodically by
+ * the host process to bound memory.
+ */
+import type { Detector } from "./base.js";
+import type { DetectionResult, NormalizedRequest } from "../types.js";
+export declare class BolaDetector implements Detector {
+    readonly name = "bola";
+    private readonly ipState;
+    detect(req: NormalizedRequest): DetectionResult | null;
+    /**
+     * Record an `(ip, id)` observation and flag the IP when too many distinct
+     * IDs have been seen within {@link WINDOW_MS}.
+     */
+    private trackIpId;
+    /**
+     * Drop per-IP state older than `2 * WINDOW_MS`.
+     *
+     * Safe to call at any time; the host process should invoke this on a
+     * timer (e.g. once a minute) to prevent unbounded memory growth on
+     * long-lived processes.
+     */
+    prune(): void;
+}
+/**
+ * Return the first path segment that looks like a resource ID, or `null` if
+ * no segment matches.
+ */
+export declare function extractPathId(path: string): string | null;
+/**
+ * Decode the `sub` claim of a `Bearer <jwt>` header **without verifying the
+ * signature**.
+ *
+ * This is acceptable here because the value is only used as a heuristic
+ * cross-check (BOLA), never for authentication decisions. Returns `null`
+ * for any malformed input.
+ */
+export declare function extractJwtSub(authHeader: string | string[] | undefined): string | null;
+//# sourceMappingURL=bola.d.ts.map

package/dist/detectors/bola.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bola.d.ts","sourceRoot":"","sources":["../../src/detectors/bola.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAiBtE,qBAAa,YAAa,YAAW,QAAQ;IAC3C,QAAQ,CAAC,IAAI,UAAU;IAEvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA8B;IAEtD,MAAM,CAAC,GAAG,EAAE,iBAAiB,GAAG,eAAe,GAAG,IAAI;IAuBtD;;;OAGG;IACH,OAAO,CAAC,SAAS;IAwBjB;;;;;;OAMG;IACH,KAAK,IAAI,IAAI;CAQd;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQzD;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAYtF"}

package/dist/detectors/bola.js

@@ -0,0 +1,108 @@
+/** Rolling window length used by the enumeration heuristic, in ms. */
+const WINDOW_MS = 60_000;
+/** Distinct-ID count above which an IP is treated as enumerating. */
+const DISTINCT_ID_THRESHOLD = 20;
+/** Short numeric IDs (typical `GET /users/42` style). */
+const NUMERIC_ID_RE = /^\d{1,12}$/;
+/** Canonical RFC 4122 UUID, case-insensitive. */
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+export class BolaDetector {
+    name = "bola";
+    ipState = new Map();
+    detect(req) {
+        const pathId = extractPathId(req.path);
+        const jwtSub = extractJwtSub(req.headers["authorization"]);
+        if (jwtSub && pathId && pathId !== jwtSub) {
+            return {
+                detectorName: this.name,
+                eventType: "bola",
+                severity: "high",
+                description: "Path resource ID does not match authenticated user (JWT sub)",
+                matchedValue: pathId,
+                location: "path",
+            };
+        }
+        if (pathId && req.sourceIp) {
+            const result = this.trackIpId(req.sourceIp, pathId);
+            if (result)
+                return result;
+        }
+        return null;
+    }
+    /**
+     * Record an `(ip, id)` observation and flag the IP when too many distinct
+     * IDs have been seen within {@link WINDOW_MS}.
+     */
+    trackIpId(sourceIp, id) {
+        const now = Date.now();
+        let state = this.ipState.get(sourceIp);
+        if (!state || now - state.windowStart > WINDOW_MS) {
+            state = { ids: new Set(), windowStart: now };
+            this.ipState.set(sourceIp, state);
+        }
+        state.ids.add(id);
+        if (state.ids.size > DISTINCT_ID_THRESHOLD) {
+            return {
+                detectorName: this.name,
+                eventType: "bola",
+                severity: "high",
+                description: `BOLA enumeration: ${state.ids.size} distinct resource IDs accessed from ${sourceIp} within 60s`,
+                location: "path",
+            };
+        }
+        return null;
+    }
+    /**
+     * Drop per-IP state older than `2 * WINDOW_MS`.
+     *
+     * Safe to call at any time; the host process should invoke this on a
+     * timer (e.g. once a minute) to prevent unbounded memory growth on
+     * long-lived processes.
+     */
+    prune() {
+        const cutoff = Date.now() - WINDOW_MS * 2;
+        for (const [ip, state] of this.ipState) {
+            if (state.windowStart < cutoff) {
+                this.ipState.delete(ip);
+            }
+        }
+    }
+}
+/**
+ * Return the first path segment that looks like a resource ID, or `null` if
+ * no segment matches.
+ */
+export function extractPathId(path) {
+    const segments = path.split("/").filter(Boolean);
+    for (const seg of segments) {
+        if (NUMERIC_ID_RE.test(seg) || UUID_RE.test(seg)) {
+            return seg;
+        }
+    }
+    return null;
+}
+/**
+ * Decode the `sub` claim of a `Bearer <jwt>` header **without verifying the
+ * signature**.
+ *
+ * This is acceptable here because the value is only used as a heuristic
+ * cross-check (BOLA), never for authentication decisions. Returns `null`
+ * for any malformed input.
+ */
+export function extractJwtSub(authHeader) {
+    const header = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+    if (!header?.startsWith("Bearer "))
+        return null;
+    const token = header.slice(7);
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return null;
+    try {
+        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+        return typeof payload["sub"] === "string" ? payload["sub"] : null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=bola.js.map

package/dist/detectors/bola.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bola.js","sourceRoot":"","sources":["../../src/detectors/bola.ts"],"names":[],"mappings":"AAiCA,sEAAsE;AACtE,MAAM,SAAS,GAAG,MAAM,CAAC;AACzB,qEAAqE;AACrE,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAEjC,yDAAyD;AACzD,MAAM,aAAa,GAAG,YAAY,CAAC;AACnC,iDAAiD;AACjD,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAElF,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,MAAM,CAAC;IAEN,OAAO,GAAG,IAAI,GAAG,EAAmB,CAAC;IAEtD,MAAM,CAAC,GAAsB;QAC3B,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAEvC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;QAC3D,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO;gBACL,YAAY,EAAE,IAAI,CAAC,IAAI;gBACvB,SAAS,EAAE,MAAM;gBACjB,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,8DAA8D;gBAC3E,YAAY,EAAE,MAAM;gBACpB,QAAQ,EAAE,MAAM;aACjB,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpD,IAAI,MAAM;gBAAE,OAAO,MAAM,CAAC;QAC5B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACK,SAAS,CAAC,QAAgB,EAAE,EAAU;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEvC,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,WAAW,GAAG,SAAS,EAAE,CAAC;YAClD,KAAK,GAAG,EAAE,GAAG,EAAE,IAAI,GAAG,EAAE,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;YAC7C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACpC,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAElB,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,qBAAqB,EAAE,CAAC;YAC3C,OAAO;gBACL,YAAY,EAAE,IAAI,CAAC,IAAI;gBACvB,SAAS,EAAE,MAAM;gBACjB,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,qBAAqB,KAAK,CAAC,GAAG,CAAC,IAAI,wCAAwC,QAAQ,aAAa;gBAC7G,QAAQ,EAAE,MAAM;aACjB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;OAMG;IACH,KAAK;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,CAAC,CAAC;QAC1C,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACvC,IAAI,KAAK,CAAC,WAAW,GAAG,MAAM,EAAE,CAAC;gBAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACjD,OAAO,GAAG,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAAC,UAAyC;IACrE,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACtE,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAA4B,CAAC;QAC5G,OAAO,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/detectors/command-injection.d.ts

@@ -0,0 +1,22 @@
+/**
+ * OS command injection signature detector.
+ *
+ * Scans `query`, `body` and `path` for shell metacharacters chained with
+ * common reconnaissance binaries (`ls`, `cat`, `id`, `whoami`, `curl`,
+ * `wget`, `nc`, …), `$(…)` / backtick command substitution, pipes into
+ * shells, redirection into `/dev/tcp`, references to `/etc/passwd` and
+ * `/proc/self`, and the language-level eval gadgets (`exec()`, `eval()`,
+ * `system()`, `popen()`).
+ *
+ * Severity: `critical` - successful OS command injection is full RCE.
+ *
+ * Known limits: pattern-based; obfuscation via env-var assembly (`a=ls;$a`)
+ * or base64 piped into `sh` may evade signatures.
+ */
+import type { Detector } from "./base.js";
+import type { DetectionResult, NormalizedRequest } from "../types.js";
+export declare class CommandInjectionDetector implements Detector {
+    readonly name = "command-injection";
+    detect(req: NormalizedRequest): DetectionResult | null;
+}
+//# sourceMappingURL=command-injection.d.ts.map

package/dist/detectors/command-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-injection.d.ts","sourceRoot":"","sources":["../../src/detectors/command-injection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAiBtE,qBAAa,wBAAyB,YAAW,QAAQ;IACvD,QAAQ,CAAC,IAAI,uBAAuB;IAEpC,MAAM,CAAC,GAAG,EAAE,iBAAiB,GAAG,eAAe,GAAG,IAAI;CAuBvD"}

package/dist/detectors/command-injection.js

@@ -0,0 +1,41 @@
+import { flattenValues } from "./base.js";
+const CMD_PATTERNS = [
+    /[;&|`]\s*(ls|cat|id|whoami|pwd|uname|curl|wget|bash|sh|python|perl|ruby|nc|netcat)\b/i,
+    /\$\(.*\)/,
+    /`[^`]+`/,
+    /\|\s*(bash|sh|cmd|powershell)/i,
+    />\s*\/dev\/(null|tcp|udp)/i,
+    /\d+\.\d+\.\d+\.\d+\s*[\d]+/,
+    /\/etc\/(passwd|shadow|hosts|crontab)/i,
+    /\/proc\/self/i,
+    /\bexec\s*\(/i,
+    /\beval\s*\(/i,
+    /\bsystem\s*\(/i,
+    /\bpopen\s*\(/i,
+];
+export class CommandInjectionDetector {
+    name = "command-injection";
+    detect(req) {
+        const values = [
+            ...flattenValues(req.query),
+            ...flattenValues(req.body),
+            req.path,
+        ];
+        for (const val of values) {
+            for (const pattern of CMD_PATTERNS) {
+                if (pattern.test(val)) {
+                    return {
+                        detectorName: this.name,
+                        eventType: "command_injection",
+                        severity: "critical",
+                        description: "Command injection pattern detected",
+                        matchedValue: val.slice(0, 200),
+                        location: "query/body/path",
+                    };
+                }
+            }
+        }
+        return null;
+    }
+}
+//# sourceMappingURL=command-injection.js.map

package/dist/detectors/command-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-injection.js","sourceRoot":"","sources":["../../src/detectors/command-injection.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAG1C,MAAM,YAAY,GAAG;IACnB,uFAAuF;IACvF,UAAU;IACV,SAAS;IACT,gCAAgC;IAChC,4BAA4B;IAC5B,4BAA4B;IAC5B,uCAAuC;IACvC,eAAe;IACf,cAAc;IACd,cAAc;IACd,gBAAgB;IAChB,eAAe;CAChB,CAAC;AAEF,MAAM,OAAO,wBAAwB;IAC1B,IAAI,GAAG,mBAAmB,CAAC;IAEpC,MAAM,CAAC,GAAsB;QAC3B,MAAM,MAAM,GAAG;YACb,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC;YAC3B,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC;YAC1B,GAAG,CAAC,IAAI;SACT,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;YACzB,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;gBACnC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,OAAO;wBACL,YAAY,EAAE,IAAI,CAAC,IAAI;wBACvB,SAAS,EAAE,mBAAmB;wBAC9B,QAAQ,EAAE,UAAU;wBACpB,WAAW,EAAE,oCAAoC;wBACjD,YAAY,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC/B,QAAQ,EAAE,iBAAiB;qBAC5B,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/detectors/custom-rule.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Customer-defined rule detector.
+ *
+ * Evaluates {@link CustomRuleSpec}s pushed by the control plane via a signed
+ * policy. This is the codeable form of the Addendum requirement that customers
+ * can author detection rules that run inside the RASP agent. Rules are compiled
+ * from regex source strings and matched against the chosen request target.
+ *
+ * Safety: rule compilation and matching are wrapped so a malformed pattern can
+ * never crash the request hot path - a bad rule is simply skipped.
+ */
+import type { Detector } from "./base.js";
+import type { DetectionResult, NormalizedRequest } from "../types.js";
+import type { CustomRuleSpec } from "../policy/types.js";
+export declare class CustomRuleDetector implements Detector {
+    readonly name = "custom-rule";
+    private readonly rules;
+    constructor(specs: CustomRuleSpec[]);
+    /** Number of active compiled rules (useful for diagnostics/tests). */
+    get size(): number;
+    private valuesFor;
+    detect(req: NormalizedRequest): DetectionResult | null;
+}
+//# sourceMappingURL=custom-rule.d.ts.map

package/dist/detectors/custom-rule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"custom-rule.d.ts","sourceRoot":"","sources":["../../src/detectors/custom-rule.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAOzD,qBAAa,kBAAmB,YAAW,QAAQ;IACjD,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiB;gBAE3B,KAAK,EAAE,cAAc,EAAE;IAanC,sEAAsE;IACtE,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,OAAO,CAAC,SAAS;IAqBjB,MAAM,CAAC,GAAG,EAAE,iBAAiB,GAAG,eAAe,GAAG,IAAI;CAmBvD"}