@remnux/mcp-server 0.1.0

package/dist/ioc/noise.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"noise.js","sourceRoot":"","sources":["../../src/ioc/noise.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAEpF,kFAAkF;AAClF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,eAAe;IACf,cAAc;IACd,wBAAwB;IACxB,mBAAmB;IACnB,YAAY;IACZ,YAAY;IACZ,gBAAgB;IAChB,qBAAqB;IACrB,aAAa;IACb,QAAQ;CACT,CAAC,CAAC;AAEH,iDAAiD;AACjD,MAAM,yBAAyB,GAAG;IAChC,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU;IAC5D,KAAK,EAAE,WAAW,EAAE,cAAc;CACnC,CAAC;AAEF,0EAA0E;AAC1E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,QAAQ,EAAE,oBAAoB,EAAE,WAAW;CAC5C,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;IAC3B,eAAe;IACf,kCAAkC;IAClC,gBAAgB;IAChB,0CAA0C;IAC1C,kBAAkB;IAClB,kEAAkE;IAClE,YAAY;IACZ,kCAAkC;IAClC,0CAA0C;IAC1C,kEAAkE;CACnE,CAAC,CAAC;AAEH,oDAAoD;AACpD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,kCAAkC;IAClC,qCAAqC;IACrC,qCAAqC;IACrC,mCAAmC;IACnC,kCAAkC;IAClC,mCAAmC;CACpC,CAAC,CAAC;AAEH,6EAA6E;AAC7E,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,QAAQ,EAAE,SAAS,EAAE,SAAS;CAC/B,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,iBAAiB,GAAG,gLAAgL,CAAC;AAE3M;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,EAAU;IACvC,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,KAAa,EAAE,IAAY;IACjD,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACtE,8EAA8E;QAC9E,IAAI,qBAAqB,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,2FAA2F;QAC3F,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAClC,8DAA8D;QAC9D,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAClC,qDAAqD;QACrD,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1F,6BAA6B;QAC7B,IAAI,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3C,iDAAiD;QACjD,IAAI,qBAAqB,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAClD,4EAA4E;QAC5E,IAAI,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,gGAAgG;QAChG,2DAA2D;QAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,gDAAgD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACvG,OAAO,0BAA0B,CAAC,IAAI,CACpC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,KAAK,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,CAC7D,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YACvD,mBAAmB;YACnB,IAAI,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAC9B,CAAC,GAAG,gBAAgB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,0BAA0B,CAAC,IAAI,CACpC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,CACnE,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QAChF,OAAO,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,IAAI,KAAK,uBAAuB,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAClC,OAAO,CAAC,SAAS,EAAE,gBAAgB,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5E,CAAC;IAED,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5B,OAAO,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjC,OAAO,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAClC,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC3F,CAAC;IAED,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,gDAAgD;QAChD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,iCAAiC;QACjC,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACpD,6EAA6E;QAC7E,4DAA4D;QAC5D,uCAAuC;QACvC,IAAI,mCAAmC,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAClE,IAAI,8BAA8B,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7D,yEAAyE;QACzE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACrC,iCAAiC;QACjC,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/ioc/patterns.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Custom regex patterns for IOC types not covered by ioc-extractor.
+ * Covers registry keys and Windows file paths common in malware analysis.
+ */
+export interface PatternMatch {
+    value: string;
+    type: string;
+}
+export declare function extractCustomPatterns(text: string): PatternMatch[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/ioc/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/ioc/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AA4CD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,EAAE,CAyClE"}

package/dist/ioc/patterns.js

@@ -0,0 +1,65 @@
+/**
+ * Custom regex patterns for IOC types not covered by ioc-extractor.
+ * Covers registry keys and Windows file paths common in malware analysis.
+ */
+// Trailing-punctuation chars that are likely sentence terminators, not part of the IOC
+const TRAIL_CLEAN_RE = /[.)}\]]+$/;
+const REGISTRY_KEY_RE = /\b(HK(?:LM|CU|CR|U|CC|EY_LOCAL_MACHINE|EY_CURRENT_USER|EY_CLASSES_ROOT|EY_USERS|EY_CURRENT_CONFIG)\\[^\s"',;|&<>]+)/gi;
+const WINDOWS_PATH_RE = /\b([A-Z]:\\(?:[^\s"',;|&<>]+\\)*[^\s"',;|&<>]+)/gi;
+const ENV_PATH_RE = /(%[A-Z_]+%\\[^\s"',;|&<>]+)/gi;
+/** Well-known LOLBins and suspicious executables seen in malware. */
+const LOLBINS = new Set([
+    "fodhelper.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
+    "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wscript.exe",
+    "cscript.exe", "wmic.exe", "schtasks.exe", "sc.exe",
+    "net.exe", "net1.exe", "netsh.exe", "attrib.exe",
+    "icacls.exe", "bcdedit.exe", "vssadmin.exe",
+    "cmd.exe", "powershell.exe", "pwsh.exe",
+    "mimikatz.exe", "psexec.exe", "procdump.exe",
+]);
+const SUSPICIOUS_EXE_RE = /\b([a-zA-Z0-9_\-]+\.exe)\b/gi;
+/** PowerShell cmdlets commonly abused by malware. */
+const POWERSHELL_CMDLET_RE = /\b(Invoke-Expression|Invoke-WebRequest|Invoke-Mimikatz|Invoke-Command|Start-Process|New-Object|Set-MpPreference|Add-MpPreference|Disable-WindowsOptionalFeature|Set-ExecutionPolicy|ConvertTo-SecureString|Import-Module|Get-WmiObject|Invoke-WmiMethod|New-Service|Set-ItemProperty|Get-Process|Stop-Process|Remove-Item|Get-Credential|IEX|IWR|ICM)\b/g;
+/** Network port patterns: "port 4444", ":4444", etc. */
+const NETWORK_PORT_RE = /\bport\s+(\d{1,5})\b/gi;
+/** PDB paths that reveal developer usernames. */
+const PDB_USERNAME_RE = /[A-Z]:\\Users\\([^\\]+)\\.*\.pdb/gi;
+/** Strip trailing sentence punctuation that regex over-captures. */
+function cleanTrailing(value) {
+    return value.replace(TRAIL_CLEAN_RE, "");
+}
+export function extractCustomPatterns(text) {
+    const results = [];
+    for (const m of text.matchAll(REGISTRY_KEY_RE)) {
+        results.push({ value: cleanTrailing(m[1]), type: "registry_key" });
+    }
+    for (const m of text.matchAll(WINDOWS_PATH_RE)) {
+        results.push({ value: cleanTrailing(m[1]), type: "windows_path" });
+    }
+    for (const m of text.matchAll(ENV_PATH_RE)) {
+        results.push({ value: cleanTrailing(m[1]), type: "windows_path" });
+    }
+    // Suspicious executables (LOLBins + known attack tools)
+    for (const m of text.matchAll(SUSPICIOUS_EXE_RE)) {
+        if (LOLBINS.has(m[1].toLowerCase())) {
+            results.push({ value: m[1].toLowerCase(), type: "suspicious_executable" });
+        }
+    }
+    // PowerShell cmdlets
+    for (const m of text.matchAll(POWERSHELL_CMDLET_RE)) {
+        results.push({ value: m[1], type: "powershell_cmdlet" });
+    }
+    // Network ports
+    for (const m of text.matchAll(NETWORK_PORT_RE)) {
+        const port = parseInt(m[1], 10);
+        if (port > 0 && port <= 65535) {
+            results.push({ value: String(port), type: "network_port" });
+        }
+    }
+    // PDB path usernames
+    for (const m of text.matchAll(PDB_USERNAME_RE)) {
+        results.push({ value: m[1], type: "pdb_username" });
+    }
+    return results;
+}
+//# sourceMappingURL=patterns.js.map

package/dist/ioc/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/ioc/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAOH,uFAAuF;AACvF,MAAM,cAAc,GAAG,WAAW,CAAC;AAEnC,MAAM,eAAe,GACnB,uHAAuH,CAAC;AAE1H,MAAM,eAAe,GACnB,mDAAmD,CAAC;AAEtD,MAAM,WAAW,GACf,+BAA+B,CAAC;AAElC,qEAAqE;AACrE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC;IACtB,eAAe,EAAE,WAAW,EAAE,cAAc,EAAE,cAAc;IAC5D,cAAc,EAAE,eAAe,EAAE,aAAa,EAAE,aAAa;IAC7D,aAAa,EAAE,UAAU,EAAE,cAAc,EAAE,QAAQ;IACnD,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY;IAChD,YAAY,EAAE,aAAa,EAAE,cAAc;IAC3C,SAAS,EAAE,gBAAgB,EAAE,UAAU;IACvC,cAAc,EAAE,YAAY,EAAE,cAAc;CAC7C,CAAC,CAAC;AACH,MAAM,iBAAiB,GACrB,8BAA8B,CAAC;AAEjC,qDAAqD;AACrD,MAAM,oBAAoB,GACxB,0VAA0V,CAAC;AAE7V,wDAAwD;AACxD,MAAM,eAAe,GACnB,wBAAwB,CAAC;AAE3B,iDAAiD;AACjD,MAAM,eAAe,GACnB,oCAAoC,CAAC;AAEvC,oEAAoE;AACpE,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,KAAK,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,MAAM,OAAO,GAAmB,EAAE,CAAC;IAEnC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3C,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,wDAAwD;IACxD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACjD,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,gBAAgB;IAChB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,KAAK,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/ioc/scoring.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Simple confidence scoring for extracted IOCs.
+ * Higher scores indicate more specificity / likely malicious relevance.
+ */
+export declare function scoreIOC(value: string, type: string): number;
+//# sourceMappingURL=scoring.d.ts.map

package/dist/ioc/scoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../../src/ioc/scoring.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CA2E5D"}

package/dist/ioc/scoring.js

@@ -0,0 +1,69 @@
+/**
+ * Simple confidence scoring for extracted IOCs.
+ * Higher scores indicate more specificity / likely malicious relevance.
+ */
+import { PRIVATE_IP_PREFIXES, KNOWN_GOOD_DOMAIN_SUFFIXES } from "./known-values.js";
+export function scoreIOC(value, type) {
+    switch (type) {
+        case "md5":
+        case "sha1":
+        case "sha256":
+        case "sha512":
+        case "ssdeep":
+            return 0.8;
+        case "url":
+            // URLs with paths are more specific
+            try {
+                const u = new URL(value.startsWith("http") ? value : `http://${value}`);
+                return u.pathname.length > 1 ? 0.6 : 0.4;
+            }
+            catch {
+                return 0.5;
+            }
+        case "domain": {
+            const lower = value.toLowerCase();
+            if (KNOWN_GOOD_DOMAIN_SUFFIXES.some((s) => lower === s || lower.endsWith("." + s))) {
+                return 0.1;
+            }
+            return 0.5;
+        }
+        case "ipv4": {
+            if (PRIVATE_IP_PREFIXES.some((p) => value.startsWith(p))) {
+                return 0.2;
+            }
+            return 0.5;
+        }
+        case "ipv6":
+            return 0.5;
+        case "email":
+            return 0.4;
+        case "cve":
+            return 0.7;
+        case "registry_key":
+            return 0.7;
+        case "windows_path":
+            return 0.5;
+        case "suspicious_executable":
+            return 0.8;
+        case "powershell_cmdlet":
+            return 0.7;
+        case "network_port": {
+            const port = parseInt(value, 10);
+            if ([80, 443, 22, 53, 8080, 8443].includes(port))
+                return 0.3;
+            return 0.6;
+        }
+        case "pdb_username":
+            return 0.7;
+        case "btc":
+        case "eth":
+        case "xmr":
+            return 0.8;
+        case "asn":
+        case "mac":
+            return 0.4;
+        default:
+            return 0.5;
+    }
+}
+//# sourceMappingURL=scoring.js.map

package/dist/ioc/scoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.js","sourceRoot":"","sources":["../../src/ioc/scoring.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAEpF,MAAM,UAAU,QAAQ,CAAC,KAAa,EAAE,IAAY;IAClD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,KAAK,CAAC;QACX,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd,KAAK,QAAQ,CAAC;QACd,KAAK,QAAQ;YACX,OAAO,GAAG,CAAC;QAEb,KAAK,KAAK;YACR,oCAAoC;YACpC,IAAI,CAAC;gBACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;gBACxE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YAC3C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,CAAC;YACb,CAAC;QAEH,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;YAClC,IAAI,0BAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACnF,OAAO,GAAG,CAAC;YACb,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzD,OAAO,GAAG,CAAC;YACb,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,KAAK,MAAM;YACT,OAAO,GAAG,CAAC;QAEb,KAAK,OAAO;YACV,OAAO,GAAG,CAAC;QAEb,KAAK,KAAK;YACR,OAAO,GAAG,CAAC;QAEb,KAAK,cAAc;YACjB,OAAO,GAAG,CAAC;QAEb,KAAK,cAAc;YACjB,OAAO,GAAG,CAAC;QAEb,KAAK,uBAAuB;YAC1B,OAAO,GAAG,CAAC;QAEb,KAAK,mBAAmB;YACtB,OAAO,GAAG,CAAC;QAEb,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACjC,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAAE,OAAO,GAAG,CAAC;YAC7D,OAAO,GAAG,CAAC;QACb,CAAC;QAED,KAAK,cAAc;YACjB,OAAO,GAAG,CAAC;QAEb,KAAK,KAAK,CAAC;QACX,KAAK,KAAK,CAAC;QACX,KAAK,KAAK;YACR,OAAO,GAAG,CAAC;QAEb,KAAK,KAAK,CAAC;QACX,KAAK,KAAK;YACR,OAAO,GAAG,CAAC;QAEb;YACE,OAAO,GAAG,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/parsers/capa.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Parser for CAPA JSON output.
+ *
+ * Extracts capabilities and their associated ATT&CK techniques.
+ * Expects JSON output from `capa -j <file>`.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parseCapaOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=capa.d.ts.map

package/dist/parsers/capa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capa.d.ts","sourceRoot":"","sources":["../../src/parsers/capa.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAW,MAAM,YAAY,CAAC;AAE5D,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAmDnE"}

package/dist/parsers/capa.js

@@ -0,0 +1,55 @@
+/**
+ * Parser for CAPA JSON output.
+ *
+ * Extracts capabilities and their associated ATT&CK techniques.
+ * Expects JSON output from `capa -j <file>`.
+ */
+export function parseCapaOutput(rawOutput) {
+    const result = {
+        tool: "capa-json",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    try {
+        const data = JSON.parse(rawOutput);
+        result.parsed = true;
+        // Extract rules/capabilities
+        const rules = data.rules;
+        if (rules && typeof rules === "object" && !Array.isArray(rules)) {
+            for (const [name, rule] of Object.entries(rules)) {
+                if (!rule || typeof rule !== "object")
+                    continue;
+                const r = rule;
+                const meta = r.meta;
+                const finding = {
+                    description: name,
+                    category: "capability",
+                    severity: "info",
+                };
+                // Extract ATT&CK info if present — validate array structure
+                if (meta && typeof meta === "object" && !Array.isArray(meta)) {
+                    const m = meta;
+                    if (Array.isArray(m.attack) && m.attack.length > 0) {
+                        finding.evidence = m.attack
+                            .filter((a) => a && typeof a === "object")
+                            .map((a) => `${a.technique ?? "?"} (${a.id ?? "?"})`)
+                            .join(", ");
+                    }
+                }
+                result.findings.push(finding);
+            }
+        }
+        // Extract metadata
+        if (data.meta && typeof data.meta === "object") {
+            result.metadata.sample = data.meta.sample;
+            result.metadata.analysis = data.meta.analysis;
+        }
+    }
+    catch {
+        // JSON parse failed — return unparsed
+    }
+    return result;
+}
+//# sourceMappingURL=capa.js.map

package/dist/parsers/capa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capa.js","sourceRoot":"","sources":["../../src/parsers/capa.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;QAErB,6BAA6B;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChE,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;oBAAE,SAAS;gBAChD,MAAM,CAAC,GAAG,IAA+B,CAAC;gBAC1C,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,MAAM,OAAO,GAAY;oBACvB,WAAW,EAAE,IAAI;oBACjB,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,MAAM;iBACjB,CAAC;gBAEF,4DAA4D;gBAC5D,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7D,MAAM,CAAC,GAAG,IAA+B,CAAC;oBAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACnD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM;6BACxB,MAAM,CAAC,CAAC,CAAC,EAA+B,EAAE,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,CAAC;6BACtE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,SAAS,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,IAAI,GAAG,GAAG,CAAC;6BACpD,IAAI,CAAC,IAAI,CAAC,CAAC;oBAChB,CAAC;gBACH,CAAC;gBAED,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC/C,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;YAC1C,MAAM,CAAC,QAAQ,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;QAChD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;IACxC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/diec.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Parser for Detect It Easy (diec) JSON output.
+ *
+ * Extracts packer/compiler/linker detections.
+ * Expects JSON output from `diec --json <file>`.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parseDiecOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=diec.d.ts.map

package/dist/parsers/diec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diec.d.ts","sourceRoot":"","sources":["../../src/parsers/diec.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAW,MAAM,YAAY,CAAC;AAE5D,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CA8CnE"}

package/dist/parsers/diec.js

@@ -0,0 +1,53 @@
+/**
+ * Parser for Detect It Easy (diec) JSON output.
+ *
+ * Extracts packer/compiler/linker detections.
+ * Expects JSON output from `diec --json <file>`.
+ */
+export function parseDiecOutput(rawOutput) {
+    const result = {
+        tool: "diec",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    try {
+        const data = JSON.parse(rawOutput);
+        result.parsed = true;
+        // diec JSON has a "detects" array
+        const detects = Array.isArray(data) ? data : data?.detects;
+        if (Array.isArray(detects)) {
+            for (const detect of detects) {
+                if (!detect || typeof detect !== "object")
+                    continue;
+                const values = detect.values;
+                if (Array.isArray(values)) {
+                    for (const v of values) {
+                        if (!v || typeof v !== "object")
+                            continue;
+                        const vType = typeof v.type === "string" ? v.type : "detection";
+                        const vName = typeof v.name === "string" ? v.name : "unknown";
+                        const finding = {
+                            description: `${vType}: ${vName}`,
+                            category: vType.toLowerCase(),
+                            severity: "info",
+                        };
+                        if (typeof v.version === "string") {
+                            finding.evidence = `version: ${v.version}`;
+                        }
+                        result.findings.push(finding);
+                    }
+                }
+            }
+        }
+        if (data && typeof data === "object" && !Array.isArray(data)) {
+            result.metadata.filetype = data.filetype;
+        }
+    }
+    catch {
+        // JSON parse failed — return unparsed
+    }
+    return result;
+}
+//# sourceMappingURL=diec.js.map

package/dist/parsers/diec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diec.js","sourceRoot":"","sources":["../../src/parsers/diec.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;QAErB,kCAAkC;QAClC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC;QAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;oBAAE,SAAS;gBACpD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC7B,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC1B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;wBACvB,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;4BAAE,SAAS;wBAC1C,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC;wBAChE,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;wBAC9D,MAAM,OAAO,GAAY;4BACvB,WAAW,EAAE,GAAG,KAAK,KAAK,KAAK,EAAE;4BACjC,QAAQ,EAAE,KAAK,CAAC,WAAW,EAAE;4BAC7B,QAAQ,EAAE,MAAM;yBACjB,CAAC;wBACF,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;4BAClC,OAAO,CAAC,QAAQ,GAAG,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC;wBAC7C,CAAC;wBACD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBAChC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7D,MAAM,CAAC,QAAQ,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC3C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;IACxC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/floss.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Parser for FLOSS (FireEye Labs Obfuscated String Solver) output.
+ *
+ * Sections: FLOSS static strings, FLOSS decoded strings, FLOSS stack strings, FLOSS tight strings.
+ * For packed samples: omit static strings, prioritize decoded/stack/tight.
+ * For unpacked: cap static strings at top 100.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export interface FlossParserOptions {
+    /** Whether the sample was detected as packed (omits static strings). */
+    packed?: boolean;
+}
+export declare function parseFlossOutput(rawOutput: string, options?: FlossParserOptions): ParsedToolOutput;
+//# sourceMappingURL=floss.d.ts.map

package/dist/parsers/floss.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"floss.d.ts","sourceRoot":"","sources":["../../src/parsers/floss.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAenD,MAAM,WAAW,kBAAkB;IACjC,wEAAwE;IACxE,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,kBAAuB,GAC/B,gBAAgB,CA6ElB"}

package/dist/parsers/floss.js

@@ -0,0 +1,89 @@
+/**
+ * Parser for FLOSS (FireEye Labs Obfuscated String Solver) output.
+ *
+ * Sections: FLOSS static strings, FLOSS decoded strings, FLOSS stack strings, FLOSS tight strings.
+ * For packed samples: omit static strings, prioritize decoded/stack/tight.
+ * For unpacked: cap static strings at top 100.
+ */
+const SECTION_HEADERS = {
+    "floss static strings": "static",
+    "floss decoded strings": "decoded",
+    "floss stack strings": "stack",
+    "floss tight strings": "tight",
+    "static strings": "static",
+    "decoded strings": "decoded",
+    "stack strings": "stack",
+    "tight strings": "tight",
+};
+const STATIC_CAP = 100;
+export function parseFlossOutput(rawOutput, options = {}) {
+    const result = {
+        tool: "floss",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const sections = {
+        static: [],
+        decoded: [],
+        stack: [],
+        tight: [],
+    };
+    let currentSection = "";
+    const lines = rawOutput.split("\n");
+    for (const line of lines) {
+        const trimmed = line.trim();
+        // Check for section headers (case-insensitive)
+        const lower = trimmed.toLowerCase();
+        // Match "─── FLOSS DECODED STRINGS ───" or "FLOSS DECODED STRINGS" or just "DECODED STRINGS"
+        const stripped = lower.replace(/[─━═\-]/g, "").trim();
+        if (SECTION_HEADERS[stripped]) {
+            currentSection = SECTION_HEADERS[stripped];
+            continue;
+        }
+        // Skip decorative lines
+        if (/^[─━═\-]+$/.test(trimmed))
+            continue;
+        if (!trimmed)
+            continue;
+        if (currentSection && sections[currentSection]) {
+            sections[currentSection].push(trimmed);
+        }
+    }
+    const counts = {};
+    for (const [section, strings] of Object.entries(sections)) {
+        counts[section] = strings.length;
+    }
+    result.metadata.string_counts = counts;
+    // Build findings — prioritize decoded/stack/tight
+    for (const section of ["decoded", "stack", "tight"]) {
+        if (sections[section].length > 0) {
+            result.findings.push({
+                description: `${sections[section].length} ${section} strings extracted`,
+                category: `floss-${section}`,
+                severity: section === "decoded" ? "medium" : "low",
+                evidence: sections[section].slice(0, 50).join("\n"),
+            });
+        }
+    }
+    // Static strings: omit if packed, cap otherwise
+    if (!options.packed && sections.static.length > 0) {
+        const capped = sections.static.length > STATIC_CAP;
+        result.findings.push({
+            description: `${sections.static.length} static strings${capped ? ` (showing first ${STATIC_CAP})` : ""}`,
+            category: "floss-static",
+            severity: "info",
+            evidence: sections.static.slice(0, STATIC_CAP).join("\n"),
+        });
+    }
+    else if (options.packed && sections.static.length > 0) {
+        result.metadata.static_strings_omitted = true;
+        result.metadata.static_strings_omitted_reason = "packed sample — static strings unreliable";
+    }
+    if (result.findings.length > 0) {
+        result.parsed = true;
+    }
+    return result;
+}
+//# sourceMappingURL=floss.js.map

package/dist/parsers/floss.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"floss.js","sourceRoot":"","sources":["../../src/parsers/floss.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,eAAe,GAA2B;IAC9C,sBAAsB,EAAE,QAAQ;IAChC,uBAAuB,EAAE,SAAS;IAClC,qBAAqB,EAAE,OAAO;IAC9B,qBAAqB,EAAE,OAAO;IAC9B,gBAAgB,EAAE,QAAQ;IAC1B,iBAAiB,EAAE,SAAS;IAC5B,eAAe,EAAE,OAAO;IACxB,eAAe,EAAE,OAAO;CACzB,CAAC;AAEF,MAAM,UAAU,GAAG,GAAG,CAAC;AAOvB,MAAM,UAAU,gBAAgB,CAC9B,SAAiB,EACjB,UAA8B,EAAE;IAEhC,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,QAAQ,GAA6B;QACzC,MAAM,EAAE,EAAE;QACV,OAAO,EAAE,EAAE;QACX,KAAK,EAAE,EAAE;QACT,KAAK,EAAE,EAAE;KACV,CAAC;IAEF,IAAI,cAAc,GAAG,EAAE,CAAC;IACxB,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,+CAA+C;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACpC,6FAA6F;QAC7F,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,cAAc,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YAC3C,SAAS;QACX,CAAC;QAED,wBAAwB;QACxB,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,SAAS;QACzC,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,IAAI,cAAc,IAAI,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAC/C,QAAQ,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1D,MAAM,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IACnC,CAAC;IACD,MAAM,CAAC,QAAQ,CAAC,aAAa,GAAG,MAAM,CAAC;IAEvC,kDAAkD;IAClD,KAAK,MAAM,OAAO,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAU,EAAE,CAAC;QAC7D,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACnB,WAAW,EAAE,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,OAAO,oBAAoB;gBACvE,QAAQ,EAAE,SAAS,OAAO,EAAE;gBAC5B,QAAQ,EAAE,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK;gBAClD,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;aACpD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC;QACnD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YACnB,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,kBAAkB,MAAM,CAAC,CAAC,CAAC,mBAAmB,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACxG,QAAQ,EAAE,cAAc;YACxB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;SAC1D,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,sBAAsB,GAAG,IAAI,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,6BAA6B,GAAG,2CAA2C,CAAC;IAC9F,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Parser registry — lookup structured output parsers by tool name.
+ *
+ * Falls back to passthrough for tools without a dedicated parser.
+ */
+import type { ParsedToolOutput } from "./types.js";
+/**
+ * Parse tool output using a registered parser, or passthrough if none exists.
+ */
+export declare function parseToolOutput(toolName: string, rawOutput: string): ParsedToolOutput;
+/**
+ * Check if a dedicated parser exists for the given tool.
+ */
+export declare function hasParser(toolName: string): boolean;
+export type { ParsedToolOutput, ToolOutputParser, Finding } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/parsers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/parsers/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAoB,MAAM,YAAY,CAAC;AA2BrE;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAMrF;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEnD;AAED,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC"}

package/dist/parsers/index.js

@@ -0,0 +1,46 @@
+/**
+ * Parser registry — lookup structured output parsers by tool name.
+ *
+ * Falls back to passthrough for tools without a dedicated parser.
+ */
+import { passthroughParser } from "./passthrough.js";
+import { parseCapaOutput } from "./capa.js";
+import { parseDiecOutput } from "./diec.js";
+import { parsePdfidOutput } from "./pdfid.js";
+import { parseOlevbaOutput } from "./olevba.js";
+import { parsePeframeOutput } from "./peframe.js";
+import { parseOleidOutput } from "./oleid.js";
+import { parseReadelfOutput } from "./readelf.js";
+import { parsePdfParserOutput } from "./pdf-parser.js";
+import { parseFlossOutput } from "./floss.js";
+import { parseYaraOutput } from "./yara.js";
+/** Map of tool name → parser function. */
+const PARSERS = {
+    "capa-json": parseCapaOutput,
+    "diec": parseDiecOutput,
+    "pdfid": parsePdfidOutput,
+    "pdf-parser": parsePdfParserOutput,
+    "olevba": parseOlevbaOutput,
+    "peframe": parsePeframeOutput,
+    "oleid": parseOleidOutput,
+    "readelf-header": parseReadelfOutput,
+    "floss": parseFlossOutput,
+    "yara-rules": parseYaraOutput,
+};
+/**
+ * Parse tool output using a registered parser, or passthrough if none exists.
+ */
+export function parseToolOutput(toolName, rawOutput) {
+    const parser = PARSERS[toolName];
+    if (parser) {
+        return parser(rawOutput);
+    }
+    return passthroughParser(toolName, rawOutput);
+}
+/**
+ * Check if a dedicated parser exists for the given tool.
+ */
+export function hasParser(toolName) {
+    return toolName in PARSERS;
+}
+//# sourceMappingURL=index.js.map

package/dist/parsers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/parsers/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE5C,0CAA0C;AAC1C,MAAM,OAAO,GAAqC;IAChD,WAAW,EAAE,eAAe;IAC5B,MAAM,EAAE,eAAe;IACvB,OAAO,EAAE,gBAAgB;IACzB,YAAY,EAAE,oBAAoB;IAClC,QAAQ,EAAE,iBAAiB;IAC3B,SAAS,EAAE,kBAAkB;IAC7B,OAAO,EAAE,gBAAgB;IACzB,gBAAgB,EAAE,kBAAkB;IACpC,OAAO,EAAE,gBAAgB;IACzB,YAAY,EAAE,eAAe;CAC9B,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,SAAiB;IACjE,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB;IACxC,OAAO,QAAQ,IAAI,OAAO,CAAC;AAC7B,CAAC"}

package/dist/parsers/oleid.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Parser for oleid text output.
+ *
+ * Extracts OLE risk indicators (macros, encryption, external links, etc.).
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parseOleidOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=oleid.d.ts.map

package/dist/parsers/oleid.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oleid.d.ts","sourceRoot":"","sources":["../../src/parsers/oleid.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAiBnD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAgFpE"}

package/dist/parsers/oleid.js

@@ -0,0 +1,94 @@
+/**
+ * Parser for oleid text output.
+ *
+ * Extracts OLE risk indicators (macros, encryption, external links, etc.).
+ */
+/** Risk levels mapped to finding severities. */
+const RISK_SEVERITY = {
+    "No": "info",
+    "no": "info",
+    "False": "info",
+    "false": "info",
+    "Yes": "high",
+    "yes": "high",
+    "True": "high",
+    "true": "high",
+    "RISK": "high",
+    "WARNING": "medium",
+    "OK": "info",
+};
+export function parseOleidOutput(rawOutput) {
+    const result = {
+        tool: "oleid",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const indicators = {};
+    const lines = rawOutput.split("\n");
+    for (const line of lines) {
+        // oleid output format varies but commonly:
+        // "Indicator                Value"
+        // Or table format: "| indicator | value | risk |"
+        const tableMatch = line.match(/^\|\s*(.+?)\s*\|\s*(.+?)\s*\|\s*(.+?)\s*\|/);
+        if (tableMatch) {
+            const [, indicator, value, risk] = tableMatch;
+            if (indicator.includes("---") || indicator.toLowerCase() === "indicator")
+                continue;
+            indicators[indicator.trim()] = value.trim();
+            const riskTrimmed = risk.trim();
+            if (riskTrimmed !== "none" && riskTrimmed !== "-" && riskTrimmed.toLowerCase() !== "ok") {
+                const severity = RISK_SEVERITY[riskTrimmed] ?? "medium";
+                if (severity !== "info") {
+                    result.findings.push({
+                        description: `${indicator.trim()}: ${value.trim()}`,
+                        category: "ole-indicator",
+                        severity,
+                        evidence: line.trim(),
+                    });
+                }
+            }
+            continue;
+        }
+        // Alternative format: "indicator : value"
+        // Only match lines that look like oleid indicators (short key, not error/path lines)
+        const kvMatch = line.match(/^\s{0,4}(\w[\w\s]{1,30}?)\s*:\s*(\S.*?)\s*$/);
+        if (kvMatch && !line.includes("Error") && !line.includes("/")) {
+            const [, key, value] = kvMatch;
+            const keyLower = key.trim().toLowerCase();
+            indicators[key.trim()] = value.trim();
+            // Flag key risk indicators
+            if ((keyLower.includes("macro") || keyLower.includes("vba")) && /yes|true/i.test(value)) {
+                result.findings.push({
+                    description: `VBA Macros present: ${value.trim()}`,
+                    category: "macro",
+                    severity: "high",
+                    evidence: line.trim(),
+                });
+            }
+            if (keyLower.includes("encrypt") && /yes|true/i.test(value)) {
+                result.findings.push({
+                    description: `Encryption detected: ${value.trim()}`,
+                    category: "encryption",
+                    severity: "medium",
+                    evidence: line.trim(),
+                });
+            }
+            if (keyLower.includes("external") && /yes|true/i.test(value)) {
+                result.findings.push({
+                    description: `External relationships: ${value.trim()}`,
+                    category: "external-link",
+                    severity: "high",
+                    evidence: line.trim(),
+                });
+            }
+        }
+    }
+    if (Object.keys(indicators).length > 0) {
+        result.parsed = true;
+        result.metadata.indicators = indicators;
+    }
+    return result;
+}
+//# sourceMappingURL=oleid.js.map

package/dist/parsers/oleid.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oleid.js","sourceRoot":"","sources":["../../src/parsers/oleid.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,gDAAgD;AAChD,MAAM,aAAa,GAAuD;IACxE,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,MAAM;IACf,OAAO,EAAE,MAAM;IACf,KAAK,EAAE,MAAM;IACb,KAAK,EAAE,MAAM;IACb,MAAM,EAAE,MAAM;IACd,MAAM,EAAE,MAAM;IACd,MAAM,EAAE,MAAM;IACd,SAAS,EAAE,QAAQ;IACnB,IAAI,EAAE,MAAM;CACb,CAAC;AAEF,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,2CAA2C;QAC3C,mCAAmC;QACnC,kDAAkD;QAClD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAC5E,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,UAAU,CAAC;YAC9C,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,WAAW;gBAAE,SAAS;YAEnF,UAAU,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC5C,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAEhC,IAAI,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,GAAG,IAAI,WAAW,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;gBACxF,MAAM,QAAQ,GAAG,aAAa,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC;gBACxD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;oBACxB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,WAAW,EAAE,GAAG,SAAS,CAAC,IAAI,EAAE,KAAK,KAAK,CAAC,IAAI,EAAE,EAAE;wBACnD,QAAQ,EAAE,eAAe;wBACzB,QAAQ;wBACR,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,SAAS;QACX,CAAC;QAED,0CAA0C;QAC1C,qFAAqF;QACrF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;QAC1E,IAAI,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,OAAO,CAAC;YAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAC1C,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAEtC,2BAA2B;YAC3B,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,uBAAuB,KAAK,CAAC,IAAI,EAAE,EAAE;oBAClD,QAAQ,EAAE,OAAO;oBACjB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;YACD,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,wBAAwB,KAAK,CAAC,IAAI,EAAE,EAAE;oBACnD,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;YACD,IAAI,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,2BAA2B,KAAK,CAAC,IAAI,EAAE,EAAE;oBACtD,QAAQ,EAAE,eAAe;oBACzB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,MAAM,CAAC,QAAQ,CAAC,UAAU,GAAG,UAAU,CAAC;IAC1C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}