@remnux/mcp-server 0.1.0

package/dist/parsers/olevba.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Parser for olevba text output.
+ *
+ * Extracts VBA macro indicators, suspicious keywords, and auto-execute triggers.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parseOlevbaOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=olevba.d.ts.map

package/dist/parsers/olevba.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"olevba.d.ts","sourceRoot":"","sources":["../../src/parsers/olevba.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAgBnD,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAuErE"}

package/dist/parsers/olevba.js

@@ -0,0 +1,83 @@
+/**
+ * Parser for olevba text output.
+ *
+ * Extracts VBA macro indicators, suspicious keywords, and auto-execute triggers.
+ */
+/** Keywords indicating suspicious VBA behavior. */
+const SUSPICIOUS_PATTERNS = [
+    { pattern: /AutoOpen|Document_Open|Auto_Open|Workbook_Open/i, category: "auto-execute", severity: "high" },
+    { pattern: /Shell|WScript\.Shell|CreateObject/i, category: "execution", severity: "high" },
+    { pattern: /PowerShell|cmd\.exe|command/i, category: "execution", severity: "high" },
+    { pattern: /URLDownloadToFile|XMLHTTP|WinHttp/i, category: "download", severity: "high" },
+    { pattern: /Environ|GetTempPath|AppData/i, category: "environment", severity: "medium" },
+    { pattern: /Chr\(|Asc\(|StrReverse/i, category: "obfuscation", severity: "medium" },
+    { pattern: /Base64|Decode|Encode/i, category: "encoding", severity: "medium" },
+    { pattern: /RegWrite|RegRead|Registry/i, category: "registry", severity: "medium" },
+    { pattern: /FileSystemObject|CopyFile|DeleteFile/i, category: "file-ops", severity: "medium" },
+    { pattern: /CallByName|GetProcAddress|VirtualAlloc/i, category: "api-call", severity: "critical" },
+];
+export function parseOlevbaOutput(rawOutput) {
+    const result = {
+        tool: "olevba",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const lines = rawOutput.split("\n");
+    let hasMacros = false;
+    let macroCount = 0;
+    const suspiciousKeywords = [];
+    // Detect macro presence from olevba summary table
+    for (const line of lines) {
+        if (/VBA MACRO/i.test(line)) {
+            hasMacros = true;
+            macroCount++;
+        }
+        // olevba summary table: "| Type | Keyword | Description |"
+        // Keywords can be multi-word (e.g. "Attribute VB_Name"), so capture until next pipe
+        const tableMatch = line.match(/^\|\s*Suspicious\s*\|\s*(.+?)\s*\|/i);
+        if (tableMatch) {
+            suspiciousKeywords.push(tableMatch[1].trim());
+        }
+        // Also catch "| AutoExec |" and "| IOC |" rows
+        const autoExecMatch = line.match(/^\|\s*AutoExec\s*\|\s*(.+?)\s*\|/i);
+        if (autoExecMatch) {
+            result.findings.push({
+                description: `Auto-execute trigger: ${autoExecMatch[1].trim()}`,
+                category: "auto-execute",
+                severity: "high",
+                evidence: line.trim(),
+            });
+        }
+        const iocMatch = line.match(/^\|\s*IOC\s*\|\s*(.+?)\s*\|/i);
+        if (iocMatch) {
+            result.findings.push({
+                description: `IOC detected: ${iocMatch[1].trim()}`,
+                category: "ioc",
+                severity: "high",
+                evidence: line.trim(),
+            });
+        }
+    }
+    // Pattern-based detection across full output
+    for (const { pattern, category, severity } of SUSPICIOUS_PATTERNS) {
+        const matches = rawOutput.match(new RegExp(pattern.source, "gi"));
+        if (matches) {
+            result.findings.push({
+                description: `Suspicious pattern: ${matches[0]}`,
+                category,
+                severity,
+                evidence: matches.slice(0, 3).join(", "),
+            });
+        }
+    }
+    if (hasMacros || result.findings.length > 0) {
+        result.parsed = true;
+        result.metadata.has_macros = hasMacros;
+        result.metadata.macro_count = macroCount;
+        result.metadata.suspicious_keywords = suspiciousKeywords;
+    }
+    return result;
+}
+//# sourceMappingURL=olevba.js.map

package/dist/parsers/olevba.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"olevba.js","sourceRoot":"","sources":["../../src/parsers/olevba.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,mDAAmD;AACnD,MAAM,mBAAmB,GAA4G;IACnI,EAAE,OAAO,EAAE,iDAAiD,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC1G,EAAE,OAAO,EAAE,oCAAoC,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC1F,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE;IACpF,EAAE,OAAO,EAAE,oCAAoC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE;IACzF,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACxF,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACnF,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAC9E,EAAE,OAAO,EAAE,4BAA4B,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACnF,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAC9F,EAAE,OAAO,EAAE,yCAAyC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE;CACnG,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAAC,SAAiB;IACjD,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,MAAM,kBAAkB,GAAa,EAAE,CAAC;IAExC,kDAAkD;IAClD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,SAAS,GAAG,IAAI,CAAC;YACjB,UAAU,EAAE,CAAC;QACf,CAAC;QAED,2DAA2D;QAC3D,oFAAoF;QACpF,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACrE,IAAI,UAAU,EAAE,CAAC;YACf,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,+CAA+C;QAC/C,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACtE,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACnB,WAAW,EAAE,yBAAyB,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC/D,QAAQ,EAAE,cAAc;gBACxB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC5D,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACnB,WAAW,EAAE,iBAAiB,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE;gBAClD,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,KAAK,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,mBAAmB,EAAE,CAAC;QAClE,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;QAClE,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACnB,WAAW,EAAE,uBAAuB,OAAO,CAAC,CAAC,CAAC,EAAE;gBAChD,QAAQ;gBACR,QAAQ;gBACR,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;aACzC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,SAAS,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,MAAM,CAAC,QAAQ,CAAC,UAAU,GAAG,SAAS,CAAC;QACvC,MAAM,CAAC,QAAQ,CAAC,WAAW,GAAG,UAAU,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,GAAG,kBAAkB,CAAC;IAC3D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/passthrough.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Default passthrough parser — returns raw output with no structured parsing.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function passthroughParser(toolName: string, rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=passthrough.d.ts.map

package/dist/parsers/passthrough.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passthrough.d.ts","sourceRoot":"","sources":["../../src/parsers/passthrough.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEnD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAQvF"}

package/dist/parsers/passthrough.js

@@ -0,0 +1,13 @@
+/**
+ * Default passthrough parser — returns raw output with no structured parsing.
+ */
+export function passthroughParser(toolName, rawOutput) {
+    return {
+        tool: toolName,
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+}
+//# sourceMappingURL=passthrough.js.map

package/dist/parsers/passthrough.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passthrough.js","sourceRoot":"","sources":["../../src/parsers/passthrough.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,SAAiB;IACnE,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;AACJ,CAAC"}

package/dist/parsers/pdf-parser.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Parser for pdf-parser.py --stats output.
+ *
+ * Extracts keyword counts with object IDs from the "Search keywords" section,
+ * and structural summary lines (e.g., "Indirect object: 49").
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parsePdfParserOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=pdf-parser.d.ts.map

package/dist/parsers/pdf-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pdf-parser.d.ts","sourceRoot":"","sources":["../../src/parsers/pdf-parser.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAsBnD,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CA4DxE"}

package/dist/parsers/pdf-parser.js

@@ -0,0 +1,76 @@
+/**
+ * Parser for pdf-parser.py --stats output.
+ *
+ * Extracts keyword counts with object IDs from the "Search keywords" section,
+ * and structural summary lines (e.g., "Indirect object: 49").
+ */
+/** Keywords that indicate potentially malicious content. */
+const SUSPICIOUS_KEYWORDS = new Set([
+    "/JS",
+    "/JavaScript",
+    "/AA",
+    "/OpenAction",
+    "/AcroForm",
+    "/JBIG2Decode",
+    "/RichMedia",
+    "/Launch",
+    "/EmbeddedFile",
+    "/XFA",
+    "/URI",
+]);
+export function parsePdfParserOutput(rawOutput) {
+    const result = {
+        tool: "pdf-parser",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const keywords = {};
+    const structure = {};
+    const lines = rawOutput.split("\n");
+    for (const line of lines) {
+        // Keyword line: " /URI 13: 10, 17, 18, ..."
+        const kwMatch = line.match(/^\s*(\/\w+)\s+(\d+):\s*([\d,\s]+)/);
+        if (kwMatch) {
+            const keyword = kwMatch[1];
+            const count = parseInt(kwMatch[2], 10);
+            if (isNaN(count))
+                continue;
+            const objects = kwMatch[3]
+                .split(",")
+                .map((s) => parseInt(s.trim(), 10))
+                .filter((n) => !isNaN(n));
+            keywords[keyword] = { count, objects };
+            if (count > 0 && SUSPICIOUS_KEYWORDS.has(keyword)) {
+                result.findings.push({
+                    description: `Suspicious keyword ${keyword} found (count: ${count})`,
+                    category: "suspicious-keyword",
+                    severity: keyword === "/JS" || keyword === "/JavaScript" ? "high" : "medium",
+                    evidence: line.trim(),
+                });
+            }
+            continue;
+        }
+        // Structure line: "Comment: 5" or "Indirect object: 49"
+        const structMatch = line.match(/^\s*([A-Za-z][A-Za-z ]*\w):\s+(\d+)\s*$/);
+        if (structMatch) {
+            const label = structMatch[1];
+            const value = parseInt(structMatch[2], 10);
+            if (!isNaN(value)) {
+                structure[label] = value;
+            }
+        }
+    }
+    if (Object.keys(keywords).length > 0 || Object.keys(structure).length > 0) {
+        result.parsed = true;
+    }
+    if (Object.keys(keywords).length > 0) {
+        result.metadata.keywords = keywords;
+    }
+    if (Object.keys(structure).length > 0) {
+        result.metadata.structure = structure;
+    }
+    return result;
+}
+//# sourceMappingURL=pdf-parser.js.map

package/dist/parsers/pdf-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pdf-parser.js","sourceRoot":"","sources":["../../src/parsers/pdf-parser.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,4DAA4D;AAC5D,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK;IACL,aAAa;IACb,KAAK;IACL,aAAa;IACb,WAAW;IACX,cAAc;IACd,YAAY;IACZ,SAAS;IACT,eAAe;IACf,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAOH,MAAM,UAAU,oBAAoB,CAAC,SAAiB;IACpD,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,QAAQ,GAAiC,EAAE,CAAC;IAClD,MAAM,SAAS,GAA2B,EAAE,CAAC;IAC7C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,4CAA4C;QAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAChE,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACvC,IAAI,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;iBACvB,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;iBAClC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAE5B,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;YAEvC,IAAI,KAAK,GAAG,CAAC,IAAI,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,sBAAsB,OAAO,kBAAkB,KAAK,GAAG;oBACpE,QAAQ,EAAE,oBAAoB;oBAC9B,QAAQ,EAAE,OAAO,KAAK,KAAK,IAAI,OAAO,KAAK,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;oBAC5E,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;YACD,SAAS;QACX,CAAC;QAED,wDAAwD;QACxD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC1E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC7B,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClB,SAAS,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1E,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;IACtC,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,MAAM,CAAC,QAAQ,CAAC,SAAS,GAAG,SAAS,CAAC;IACxC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/pdfid.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Parser for pdfid.py text output.
+ *
+ * Extracts keyword counts (e.g., /JS, /JavaScript, /OpenAction, /AA).
+ * Expects text output from `pdfid.py <file>`.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parsePdfidOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=pdfid.d.ts.map

package/dist/parsers/pdfid.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pdfid.d.ts","sourceRoot":"","sources":["../../src/parsers/pdfid.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAiBnD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAsCpE"}

package/dist/parsers/pdfid.js

@@ -0,0 +1,56 @@
+/**
+ * Parser for pdfid.py text output.
+ *
+ * Extracts keyword counts (e.g., /JS, /JavaScript, /OpenAction, /AA).
+ * Expects text output from `pdfid.py <file>`.
+ */
+/** Keywords that indicate potentially malicious content. */
+const SUSPICIOUS_KEYWORDS = new Set([
+    "/JS",
+    "/JavaScript",
+    "/AA",
+    "/OpenAction",
+    "/AcroForm",
+    "/JBIG2Decode",
+    "/RichMedia",
+    "/Launch",
+    "/EmbeddedFile",
+    "/XFA",
+    "/URI",
+]);
+export function parsePdfidOutput(rawOutput) {
+    const result = {
+        tool: "pdfid",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const keywords = {};
+    const lines = rawOutput.split("\n");
+    for (const line of lines) {
+        // pdfid output format: " /Keyword            count"
+        const match = line.match(/^\s*(\/\w+)\s+(\d+)/);
+        if (match) {
+            const keyword = match[1];
+            const count = parseInt(match[2], 10);
+            if (isNaN(count))
+                continue;
+            keywords[keyword] = count;
+            if (count > 0 && SUSPICIOUS_KEYWORDS.has(keyword)) {
+                result.findings.push({
+                    description: `Suspicious keyword ${keyword} found (count: ${count})`,
+                    category: "suspicious-keyword",
+                    severity: keyword === "/JS" || keyword === "/JavaScript" ? "high" : "medium",
+                    evidence: line.trim(),
+                });
+            }
+        }
+    }
+    if (Object.keys(keywords).length > 0) {
+        result.parsed = true;
+        result.metadata.keywords = keywords;
+    }
+    return result;
+}
+//# sourceMappingURL=pdfid.js.map

package/dist/parsers/pdfid.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pdfid.js","sourceRoot":"","sources":["../../src/parsers/pdfid.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,4DAA4D;AAC5D,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK;IACL,aAAa;IACb,KAAK;IACL,aAAa;IACb,WAAW;IACX,cAAc;IACd,YAAY;IACZ,SAAS;IACT,eAAe;IACf,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,oDAAoD;QACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAChD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrC,IAAI,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC3B,QAAQ,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC;YAE1B,IAAI,KAAK,GAAG,CAAC,IAAI,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,sBAAsB,OAAO,kBAAkB,KAAK,GAAG;oBACpE,QAAQ,EAAE,oBAAoB;oBAC9B,QAAQ,EAAE,OAAO,KAAK,KAAK,IAAI,OAAO,KAAK,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;oBAC5E,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,MAAM,CAAC,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;IACtC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/peframe.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Parser for peframe text output.
+ *
+ * Extracts packer info, suspicious imports/sections, and file metadata.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parsePeframeOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=peframe.d.ts.map

package/dist/parsers/peframe.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"peframe.d.ts","sourceRoot":"","sources":["../../src/parsers/peframe.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAWnD,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAoEtE"}

package/dist/parsers/peframe.js

@@ -0,0 +1,76 @@
+/**
+ * Parser for peframe text output.
+ *
+ * Extracts packer info, suspicious imports/sections, and file metadata.
+ */
+/** Imports commonly associated with malicious behavior. */
+const SUSPICIOUS_IMPORTS = new Set([
+    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
+    "NtUnmapViewOfSection", "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
+    "GetProcAddress", "LoadLibrary", "URLDownloadToFile", "InternetOpen",
+    "WinExec", "ShellExecute", "CreateProcess", "RegSetValueEx",
+    "CryptDecrypt", "CryptEncrypt",
+]);
+export function parsePeframeOutput(rawOutput) {
+    const result = {
+        tool: "peframe",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const lines = rawOutput.split("\n");
+    let currentSection = "";
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        // Skip peframe section dividers: ASCII "--- Packer ---" and Unicode "━━━━━━━━"
+        if (/^[-━─═]{3,}(\s.*[-━─═]*)?$/.test(trimmed))
+            continue;
+        // Section headers in peframe output
+        if (/^(file|hashes|packer|strings|imports|sections|metadata)/i.test(trimmed)) {
+            currentSection = trimmed.toLowerCase().replace(/:.*/, "").trim();
+            continue;
+        }
+        // Packer detection — only within the packer section, skip metadata lines
+        if (currentSection === "packer") {
+            if (trimmed !== "None" && trimmed !== "packer" && !/^features\b/i.test(trimmed)) {
+                result.findings.push({
+                    description: `Packer detected: ${trimmed}`,
+                    category: "packer",
+                    severity: "medium",
+                    evidence: trimmed,
+                });
+                result.metadata.packer = trimmed;
+            }
+        }
+        // Suspicious imports
+        for (const imp of SUSPICIOUS_IMPORTS) {
+            if (trimmed.includes(imp)) {
+                result.findings.push({
+                    description: `Suspicious import: ${imp}`,
+                    category: "suspicious-import",
+                    severity: "medium",
+                    evidence: trimmed,
+                });
+            }
+        }
+        // Suspicious strings (URLs, IPs, paths)
+        if (currentSection === "strings" || currentSection === "suspicious") {
+            if (/https?:\/\/|\\\\[0-9]|\.exe|\.dll|\.bat|\.ps1/i.test(trimmed)) {
+                result.findings.push({
+                    description: `Suspicious string: ${trimmed.slice(0, 100)}`,
+                    category: "suspicious-string",
+                    severity: "low",
+                    evidence: trimmed.slice(0, 200),
+                });
+            }
+        }
+    }
+    if (result.findings.length > 0) {
+        result.parsed = true;
+    }
+    return result;
+}
+//# sourceMappingURL=peframe.js.map

package/dist/parsers/peframe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"peframe.js","sourceRoot":"","sources":["../../src/parsers/peframe.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,2DAA2D;AAC3D,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,cAAc,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,oBAAoB;IAC5E,sBAAsB,EAAE,mBAAmB,EAAE,4BAA4B;IACzE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB,EAAE,cAAc;IACpE,SAAS,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe;IAC3D,cAAc,EAAE,cAAc;CAC/B,CAAC,CAAC;AAEH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,cAAc,GAAG,EAAE,CAAC;IAExB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,+EAA+E;QAC/E,IAAI,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,SAAS;QAEzD,oCAAoC;QACpC,IAAI,0DAA0D,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7E,cAAc,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACjE,SAAS;QACX,CAAC;QAED,yEAAyE;QACzE,IAAI,cAAc,KAAK,QAAQ,EAAE,CAAC;YAChC,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,QAAQ,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,oBAAoB,OAAO,EAAE;oBAC1C,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;gBACH,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,OAAO,CAAC;YACnC,CAAC;QACH,CAAC;QAED,qBAAqB;QACrB,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,sBAAsB,GAAG,EAAE;oBACxC,QAAQ,EAAE,mBAAmB;oBAC7B,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,IAAI,cAAc,KAAK,SAAS,IAAI,cAAc,KAAK,YAAY,EAAE,CAAC;YACpE,IAAI,gDAAgD,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,WAAW,EAAE,sBAAsB,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBAC1D,QAAQ,EAAE,mBAAmB;oBAC7B,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/readelf.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Parser for readelf -h (header) output.
+ *
+ * Extracts ELF header fields: type, machine, entry point, etc.
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parseReadelfOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=readelf.d.ts.map

package/dist/parsers/readelf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"readelf.d.ts","sourceRoot":"","sources":["../../src/parsers/readelf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEnD,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAiDtE"}

package/dist/parsers/readelf.js

@@ -0,0 +1,50 @@
+/**
+ * Parser for readelf -h (header) output.
+ *
+ * Extracts ELF header fields: type, machine, entry point, etc.
+ */
+export function parseReadelfOutput(rawOutput) {
+    const result = {
+        tool: "readelf-header",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const header = {};
+    const lines = rawOutput.split("\n");
+    for (const line of lines) {
+        // readelf -h format: "  Key:                           Value"
+        const match = line.match(/^\s*(.+?):\s+(.+)\s*$/);
+        if (match) {
+            const key = match[1].trim();
+            const value = match[2].trim();
+            header[key] = value;
+        }
+    }
+    if (Object.keys(header).length > 0) {
+        result.parsed = true;
+        result.metadata.header = header;
+        // Flag interesting attributes
+        if (header["Type"]) {
+            result.metadata.elf_type = header["Type"];
+        }
+        if (header["Machine"]) {
+            result.metadata.machine = header["Machine"];
+        }
+        if (header["Entry point address"]) {
+            result.metadata.entry_point = header["Entry point address"];
+        }
+        // Flag unusual entry point (0x0 may indicate shared lib or corrupt binary)
+        if (header["Entry point address"] === "0x0") {
+            result.findings.push({
+                description: "Entry point is 0x0 (shared library or unusual binary)",
+                category: "binary-info",
+                severity: "info",
+                evidence: "Entry point address: 0x0",
+            });
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=readelf.js.map

package/dist/parsers/readelf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"readelf.js","sourceRoot":"","sources":["../../src/parsers/readelf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,8DAA8D;QAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAClD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;QAEhC,8BAA8B;QAC9B,IAAI,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YACnB,MAAM,CAAC,QAAQ,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC;QACD,IAAI,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,QAAQ,CAAC,WAAW,GAAG,MAAM,CAAC,qBAAqB,CAAC,CAAC;QAC9D,CAAC;QAED,2EAA2E;QAC3E,IAAI,MAAM,CAAC,qBAAqB,CAAC,KAAK,KAAK,EAAE,CAAC;YAC5C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACnB,WAAW,EAAE,uDAAuD;gBACpE,QAAQ,EAAE,aAAa;gBACvB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,0BAA0B;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/parsers/types.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Common types for structured tool output parsing.
+ */
+/** A single finding extracted from tool output. */
+export interface Finding {
+    /** What was found (e.g., "UPX packer detected", "VBA macro present") */
+    description: string;
+    /** Severity: info, low, medium, high, critical */
+    severity?: "info" | "low" | "medium" | "high" | "critical";
+    /** Optional category (e.g., "packer", "capability", "indicator") */
+    category?: string;
+    /** Raw evidence from tool output */
+    evidence?: string;
+}
+/** Structured metadata extracted from tool output. */
+export interface ParsedToolOutput {
+    /** Tool that produced this output */
+    tool: string;
+    /** Whether parsing succeeded (false = fell back to passthrough) */
+    parsed: boolean;
+    /** Structured findings, if any */
+    findings: Finding[];
+    /** Key-value metadata extracted from output */
+    metadata: Record<string, unknown>;
+    /** Raw output preserved for reference */
+    raw: string;
+}
+/** A parser function: takes raw output, returns structured data. */
+export type ToolOutputParser = (rawOutput: string) => ParsedToolOutput;
+//# sourceMappingURL=types.d.ts.map

package/dist/parsers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/parsers/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,mDAAmD;AACnD,MAAM,WAAW,OAAO;IACtB,wEAAwE;IACxE,WAAW,EAAE,MAAM,CAAC;IACpB,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAC3D,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,sDAAsD;AACtD,MAAM,WAAW,gBAAgB;IAC/B,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,MAAM,EAAE,OAAO,CAAC;IAChB,kCAAkC;IAClC,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,oEAAoE;AACpE,MAAM,MAAM,gBAAgB,GAAG,CAAC,SAAS,EAAE,MAAM,KAAK,gBAAgB,CAAC"}

package/dist/parsers/types.js

@@ -0,0 +1,5 @@
+/**
+ * Common types for structured tool output parsing.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/parsers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/parsers/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/parsers/yara.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Parser for yara-rules output.
+ *
+ * Deduplicates packer-family rule variants (e.g., 24 PECompact rules → 1 finding with count).
+ */
+import type { ParsedToolOutput } from "./types.js";
+export declare function parseYaraOutput(rawOutput: string): ParsedToolOutput;
+//# sourceMappingURL=yara.d.ts.map

package/dist/parsers/yara.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"yara.d.ts","sourceRoot":"","sources":["../../src/parsers/yara.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAwBnD,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAkEnE"}

package/dist/parsers/yara.js

@@ -0,0 +1,88 @@
+/**
+ * Parser for yara-rules output.
+ *
+ * Deduplicates packer-family rule variants (e.g., 24 PECompact rules → 1 finding with count).
+ */
+/** Patterns that indicate packer-family rule variants. */
+const PACKER_FAMILY_PATTERNS = [
+    /^(PECompact)[\s_]?v?\d/i,
+    /^(UPX)[\s_]?v?\d/i,
+    /^(ASPack)[\s_]?v?\d/i,
+    /^(Themida)[\s_]?v?\d/i,
+    /^(MPRESS)[\s_]?v?\d/i,
+    /^(Armadillo)[\s_]?v?\d/i,
+    /^(Petite)[\s_]?v?\d/i,
+    /^(FSG)[\s_]?v?\d/i,
+    /^(MEW)[\s_]?v?\d/i,
+    /^(nspack)[\s_]?v?\d/i,
+];
+function getPackerFamily(ruleName) {
+    for (const pattern of PACKER_FAMILY_PATTERNS) {
+        const match = ruleName.match(pattern);
+        if (match)
+            return match[1];
+    }
+    return null;
+}
+export function parseYaraOutput(rawOutput) {
+    const result = {
+        tool: "yara-rules",
+        parsed: false,
+        findings: [],
+        metadata: {},
+        raw: rawOutput,
+    };
+    const lines = rawOutput.split("\n").filter((l) => l.trim());
+    if (lines.length === 0)
+        return result;
+    // YARA output format: "RuleName filePath" per line
+    const ruleNames = [];
+    for (const line of lines) {
+        const match = line.match(/^(\S+)\s+/);
+        if (match)
+            ruleNames.push(match[1]);
+    }
+    if (ruleNames.length === 0)
+        return result;
+    // Group by packer family for deduplication
+    const packerGroups = new Map();
+    const nonPackerRules = [];
+    for (const name of ruleNames) {
+        const family = getPackerFamily(name);
+        if (family) {
+            const existing = packerGroups.get(family) ?? [];
+            existing.push(name);
+            packerGroups.set(family, existing);
+        }
+        else {
+            nonPackerRules.push(name);
+        }
+    }
+    // Emit deduplicated packer findings
+    for (const [family, variants] of packerGroups) {
+        result.findings.push({
+            description: variants.length > 1
+                ? `Packer: ${family} (${variants.length} rule variants matched)`
+                : `Packer: ${family}`,
+            category: "packer",
+            severity: "medium",
+            evidence: variants.length <= 3 ? variants.join(", ") : `${variants.slice(0, 3).join(", ")} +${variants.length - 3} more`,
+        });
+    }
+    // Emit individual non-packer rules
+    for (const name of nonPackerRules) {
+        result.findings.push({
+            description: `YARA match: ${name}`,
+            category: "yara-match",
+            severity: "low",
+            evidence: name,
+        });
+    }
+    result.metadata.total_rules_matched = ruleNames.length;
+    result.metadata.deduplicated_findings = result.findings.length;
+    if (result.findings.length > 0) {
+        result.parsed = true;
+    }
+    return result;
+}
+//# sourceMappingURL=yara.js.map

package/dist/parsers/yara.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"yara.js","sourceRoot":"","sources":["../../src/parsers/yara.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,0DAA0D;AAC1D,MAAM,sBAAsB,GAAG;IAC7B,yBAAyB;IACzB,mBAAmB;IACnB,sBAAsB;IACtB,uBAAuB;IACvB,sBAAsB;IACtB,yBAAyB;IACzB,sBAAsB;IACtB,mBAAmB;IACnB,mBAAmB;IACnB,sBAAsB;CACvB,CAAC;AAEF,SAAS,eAAe,CAAC,QAAgB;IACvC,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,MAAM,MAAM,GAAqB;QAC/B,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,SAAS;KACf,CAAC;IAEF,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEtC,mDAAmD;IACnD,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,KAAK;YAAE,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE1C,2CAA2C;IAC3C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAoB,CAAC;IACjD,MAAM,cAAc,GAAa,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAChD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,KAAK,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,YAAY,EAAE,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YACnB,WAAW,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAC9B,CAAC,CAAC,WAAW,MAAM,KAAK,QAAQ,CAAC,MAAM,yBAAyB;gBAChE,CAAC,CAAC,WAAW,MAAM,EAAE;YACvB,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAO;SACzH,CAAC,CAAC;IACL,CAAC;IAED,mCAAmC;IACnC,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YACnB,WAAW,EAAE,eAAe,IAAI,EAAE;YAClC,QAAQ,EAAE,YAAY;YACtB,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,mBAAmB,GAAG,SAAS,CAAC,MAAM,CAAC;IACvD,MAAM,CAAC,QAAQ,CAAC,qBAAqB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;IAE/D,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}