@rexymayderio/sentinel 0.1.0

package/dist/adapters/index.d.ts

@@ -0,0 +1,5 @@
+export * from './npm-registry-client.js';
+export * from './github-repo-client.js';
+export * from './node-process-runner.js';
+export * from './cli-approval-prompt.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,0BAA0B,CAAC;AACzC,cAAc,0BAA0B,CAAC"}

package/dist/adapters/index.js

@@ -0,0 +1,5 @@
+export * from './npm-registry-client.js';
+export * from './github-repo-client.js';
+export * from './node-process-runner.js';
+export * from './cli-approval-prompt.js';
+//# sourceMappingURL=index.js.map

package/dist/adapters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,0BAA0B,CAAC;AACzC,cAAc,0BAA0B,CAAC"}

package/dist/adapters/node-process-runner.d.ts

@@ -0,0 +1,8 @@
+import type { ProcessResult, ProcessRunner } from '../ports/process-runner.js';
+export declare class NodeProcessRunner implements ProcessRunner {
+    run(command: string, args: string[], options?: {
+        cwd?: string;
+        env?: Record<string, string>;
+    }): Promise<ProcessResult>;
+}
+//# sourceMappingURL=node-process-runner.d.ts.map

package/dist/adapters/node-process-runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-process-runner.d.ts","sourceRoot":"","sources":["../../src/adapters/node-process-runner.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE/E,qBAAa,iBAAkB,YAAW,aAAa;IAC/C,GAAG,CACP,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACvD,OAAO,CAAC,aAAa,CAAC;CAoB1B"}

package/dist/adapters/node-process-runner.js

@@ -0,0 +1,21 @@
+import { spawn } from 'node:child_process';
+export class NodeProcessRunner {
+    async run(command, args, options) {
+        return new Promise((resolve, reject) => {
+            const child = spawn(command, args, {
+                cwd: options?.cwd,
+                env: { ...process.env, ...options?.env },
+                shell: false,
+            });
+            let stdout = '';
+            let stderr = '';
+            child.stdout?.on('data', (data) => { stdout += data.toString(); });
+            child.stderr?.on('data', (data) => { stderr += data.toString(); });
+            child.on('error', reject);
+            child.on('close', (code) => {
+                resolve({ exitCode: code ?? 1, stdout, stderr });
+            });
+        });
+    }
+}
+//# sourceMappingURL=node-process-runner.js.map

package/dist/adapters/node-process-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-process-runner.js","sourceRoot":"","sources":["../../src/adapters/node-process-runner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAG3C,MAAM,OAAO,iBAAiB;IAC5B,KAAK,CAAC,GAAG,CACP,OAAe,EACf,IAAc,EACd,OAAwD;QAExD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE;gBACjC,GAAG,EAAE,OAAO,EAAE,GAAG;gBACjB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE;gBACxC,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;YAEH,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAEhB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE,GAAG,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3E,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE,GAAG,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAE3E,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC1B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACzB,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YACnD,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/adapters/npm-registry-client.d.ts

@@ -0,0 +1,8 @@
+import type { NpmPackageInfo, OsvVulnerability, RegistryClient } from '../ports/registry-client.js';
+export declare class NpmRegistryClient implements RegistryClient {
+    private readonly registryUrl;
+    constructor(registryUrl?: string);
+    getNpmPackage(name: string, version?: string): Promise<NpmPackageInfo>;
+    checkOsv(packageName: string, version: string, ecosystem: string): Promise<OsvVulnerability[]>;
+}
+//# sourceMappingURL=npm-registry-client.d.ts.map

package/dist/adapters/npm-registry-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm-registry-client.d.ts","sourceRoot":"","sources":["../../src/adapters/npm-registry-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AA2BpG,qBAAa,iBAAkB,YAAW,cAAc;IACtD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;gBAEzB,WAAW,SAA+B;IAIhD,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IA8CtE,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;CAmBrG"}

package/dist/adapters/npm-registry-client.js

@@ -0,0 +1,66 @@
+export class NpmRegistryClient {
+    registryUrl;
+    constructor(registryUrl = 'https://registry.npmjs.org') {
+        this.registryUrl = registryUrl;
+    }
+    async getNpmPackage(name, version) {
+        const encoded = encodeURIComponent(name).replace('%40', '@');
+        const url = `${this.registryUrl}/${encoded}`;
+        const response = await fetch(url);
+        if (!response.ok) {
+            throw new Error(`npm package not found: ${name} (${response.status})`);
+        }
+        const data = (await response.json());
+        const resolvedVersion = version ?? data['dist-tags'].latest;
+        const versionInfo = data.versions[resolvedVersion];
+        if (!versionInfo) {
+            throw new Error(`Version ${resolvedVersion} not found for ${name}`);
+        }
+        const author = typeof versionInfo.author === 'string'
+            ? versionInfo.author
+            : versionInfo.author?.name;
+        const repository = typeof versionInfo.repository === 'string'
+            ? versionInfo.repository
+            : versionInfo.repository?.url?.replace(/^git\+/, '').replace(/\.git$/, '');
+        return {
+            name: versionInfo.name,
+            version: versionInfo.version,
+            author,
+            maintainers: versionInfo.maintainers?.map((m) => m.name),
+            repository,
+            homepage: versionInfo.homepage,
+            license: versionInfo.license,
+            publishDate: data.time?.[resolvedVersion],
+            firstPublishDate: data.time?.created,
+            keywords: versionInfo.keywords,
+            verifiedPublisher: false,
+            scripts: versionInfo.scripts,
+            dependencies: versionInfo.dependencies,
+            devDependencies: versionInfo.devDependencies,
+            optionalDependencies: versionInfo.optionalDependencies,
+            description: versionInfo.description,
+            sourceUrl: repository,
+            tarballUrl: versionInfo.dist.tarball,
+            signedRelease: !!versionInfo.dist.integrity,
+        };
+    }
+    async checkOsv(packageName, version, ecosystem) {
+        const response = await fetch('https://api.osv.dev/v1/query', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                package: { name: packageName, ecosystem },
+                version,
+            }),
+        });
+        if (!response.ok)
+            return [];
+        const data = (await response.json());
+        return (data.vulns ?? []).map((v) => ({
+            id: v.id,
+            summary: v.summary,
+            severity: v.database_specific?.severity,
+        }));
+    }
+}
+//# sourceMappingURL=npm-registry-client.js.map

package/dist/adapters/npm-registry-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm-registry-client.js","sourceRoot":"","sources":["../../src/adapters/npm-registry-client.ts"],"names":[],"mappings":"AA2BA,MAAM,OAAO,iBAAiB;IACX,WAAW,CAAS;IAErC,YAAY,WAAW,GAAG,4BAA4B;QACpD,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,IAAY,EAAE,OAAgB;QAChD,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,OAAO,EAAE,CAAC;QAC7C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,KAAK,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;QAC5D,MAAM,eAAe,GAAG,OAAO,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QAC5D,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;QACnD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,WAAW,eAAe,kBAAkB,IAAI,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,WAAW,CAAC,MAAM,KAAK,QAAQ;YACnD,CAAC,CAAC,WAAW,CAAC,MAAM;YACpB,CAAC,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC;QAE7B,MAAM,UAAU,GAAG,OAAO,WAAW,CAAC,UAAU,KAAK,QAAQ;YAC3D,CAAC,CAAC,WAAW,CAAC,UAAU;YACxB,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAE7E,OAAO;YACL,IAAI,EAAE,WAAW,CAAC,IAAI;YACtB,OAAO,EAAE,WAAW,CAAC,OAAO;YAC5B,MAAM;YACN,WAAW,EAAE,WAAW,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YACxD,UAAU;YACV,QAAQ,EAAE,WAAW,CAAC,QAAQ;YAC9B,OAAO,EAAE,WAAW,CAAC,OAAO;YAC5B,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,eAAe,CAAC;YACzC,gBAAgB,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO;YACpC,QAAQ,EAAE,WAAW,CAAC,QAAQ;YAC9B,iBAAiB,EAAE,KAAK;YACxB,OAAO,EAAE,WAAW,CAAC,OAAO;YAC5B,YAAY,EAAE,WAAW,CAAC,YAAY;YACtC,eAAe,EAAE,WAAW,CAAC,eAAe;YAC5C,oBAAoB,EAAE,WAAW,CAAC,oBAAoB;YACtD,WAAW,EAAE,WAAW,CAAC,WAAW;YACpC,SAAS,EAAE,UAAU;YACrB,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO;YACpC,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS;SAC5C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,WAAmB,EAAE,OAAe,EAAE,SAAiB;QACpE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,8BAA8B,EAAE;YAC3D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE;gBACzC,OAAO;aACR,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QAE5B,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkG,CAAC;QACtI,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,QAAQ,EAAE,CAAC,CAAC,iBAAiB,EAAE,QAAQ;SACxC,CAAC,CAAC,CAAC;IACN,CAAC;CACF"}

package/dist/analyzers/ai-prompt-analyzer.d.ts

@@ -0,0 +1,7 @@
+import type { AnalysisContext, Analyzer } from './analyzer.js';
+export declare class AiPromptAnalyzer implements Analyzer {
+    readonly id = "ai-prompt";
+    supports(ctx: AnalysisContext): boolean;
+    analyze(ctx: AnalysisContext): Promise<import("../domain/finding.js").Finding[]>;
+}
+//# sourceMappingURL=ai-prompt-analyzer.d.ts.map

package/dist/analyzers/ai-prompt-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-prompt-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/ai-prompt-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AA8B/D,qBAAa,gBAAiB,YAAW,QAAQ;IAC/C,QAAQ,CAAC,EAAE,eAAe;IAE1B,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO;IAIjC,OAAO,CAAC,GAAG,EAAE,eAAe;CAgEnC"}

package/dist/analyzers/ai-prompt-analyzer.js

@@ -0,0 +1,88 @@
+import { createFinding } from '../domain/finding.js';
+import { findMatchingLine } from './match-evidence.js';
+import { AI_INJECTION_RULES, INVISIBLE_UNICODE, ZERO_WIDTH_CHARS } from './rules/index.js';
+const PROMPT_EXTENSIONS = ['.md', '.txt', '.yaml', '.yml', '.json'];
+const SKILL_FILE_PATTERN = /(?:^|\/)SKILL\.md$/i;
+const GENERIC_PACKAGE_DOC_PATTERN = /(?:^|\/)(?:README|CHANGELOG|HISTORY|CONTRIBUTING|LICENSE)(?:\.\w+)?$/i;
+const EXPLICIT_PROMPT_FILE_PATTERN = /(?:^|\/)(?:prompt|system-prompt|instructions)(?:\.\w+)?$|\.(?:prompt|skill)\.(?:md|txt|yaml|yml)$/i;
+function isSkillTarget(ecosystem) {
+    return ecosystem === 'skill' || ecosystem === 'local';
+}
+function isPromptFile(path, ecosystem) {
+    if (SKILL_FILE_PATTERN.test(path) || path.toUpperCase().includes('SKILL')) {
+        return true;
+    }
+    if (isSkillTarget(ecosystem)) {
+        return PROMPT_EXTENSIONS.some((ext) => path.endsWith(ext));
+    }
+    if (GENERIC_PACKAGE_DOC_PATTERN.test(path)) {
+        return false;
+    }
+    return EXPLICIT_PROMPT_FILE_PATTERN.test(path);
+}
+export class AiPromptAnalyzer {
+    id = 'ai-prompt';
+    supports(ctx) {
+        return ctx.artifact.files.some((f) => isPromptFile(f.path, ctx.target.ecosystem));
+    }
+    async analyze(ctx) {
+        const findings = [];
+        const promptFiles = ctx.artifact.files.filter((f) => isPromptFile(f.path, ctx.target.ecosystem));
+        for (const file of promptFiles) {
+            for (const rule of AI_INJECTION_RULES) {
+                rule.pattern.lastIndex = 0;
+                if (rule.pattern.test(file.content)) {
+                    const match = findMatchingLine(file.content, rule.pattern);
+                    findings.push(createFinding({
+                        category: 'ai-prompt',
+                        severity: rule.severity,
+                        title: rule.title,
+                        description: rule.description,
+                        ruleId: rule.id,
+                        file: file.path,
+                        line: match?.line,
+                        evidence: match?.evidence,
+                    }));
+                }
+            }
+            if (ZERO_WIDTH_CHARS.test(file.content)) {
+                findings.push(createFinding({
+                    category: 'ai-prompt',
+                    severity: 'CRITICAL',
+                    title: 'Zero-width characters',
+                    description: 'Hidden zero-width Unicode characters detected in prompt content',
+                    ruleId: 'zero-width',
+                    file: file.path,
+                }));
+            }
+            if (INVISIBLE_UNICODE.test(file.content)) {
+                findings.push(createFinding({
+                    category: 'ai-prompt',
+                    severity: 'HIGH',
+                    title: 'Invisible Unicode characters',
+                    description: 'Invisible Unicode characters detected in prompt content',
+                    ruleId: 'invisible-unicode',
+                    file: file.path,
+                }));
+            }
+            const htmlComments = file.content.match(/<!--[\s\S]*?-->/g);
+            if (htmlComments && htmlComments.length > 0) {
+                for (const comment of htmlComments) {
+                    if (comment.length > 50) {
+                        findings.push(createFinding({
+                            category: 'ai-prompt',
+                            severity: 'MEDIUM',
+                            title: 'Hidden HTML comment',
+                            description: 'Large HTML comment that may contain hidden instructions',
+                            ruleId: 'html-comment',
+                            file: file.path,
+                            evidence: comment.slice(0, 100),
+                        }));
+                    }
+                }
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=ai-prompt-analyzer.js.map

package/dist/analyzers/ai-prompt-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-prompt-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/ai-prompt-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAE3F,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAEpE,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AACjD,MAAM,2BAA2B,GAAG,uEAAuE,CAAC;AAC5G,MAAM,4BAA4B,GAAG,oGAAoG,CAAC;AAE1I,SAAS,aAAa,CAAC,SAAiB;IACtC,OAAO,SAAS,KAAK,OAAO,IAAI,SAAS,KAAK,OAAO,CAAC;AACxD,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,SAAiB;IACnD,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,OAAO,gBAAgB;IAClB,EAAE,GAAG,WAAW,CAAC;IAE1B,QAAQ,CAAC,GAAoB;QAC3B,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACpF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAEjG,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,KAAK,MAAM,IAAI,IAAI,kBAAkB,EAAE,CAAC;gBACtC,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpC,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;oBAC3D,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;wBAC1B,QAAQ,EAAE,WAAW;wBACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,WAAW,EAAE,IAAI,CAAC,WAAW;wBAC7B,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,KAAK,EAAE,IAAI;wBACjB,QAAQ,EAAE,KAAK,EAAE,QAAQ;qBAC1B,CAAC,CAAC,CAAC;gBACN,CAAC;YACH,CAAC;YAED,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,WAAW;oBACrB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,uBAAuB;oBAC9B,WAAW,EAAE,iEAAiE;oBAC9E,MAAM,EAAE,YAAY;oBACpB,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC,CAAC;YACN,CAAC;YAED,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,WAAW;oBACrB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,8BAA8B;oBACrC,WAAW,EAAE,yDAAyD;oBACtE,MAAM,EAAE,mBAAmB;oBAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC,CAAC;YACN,CAAC;YAED,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;YAC5D,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;oBACnC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;wBACxB,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;4BAC1B,QAAQ,EAAE,WAAW;4BACrB,QAAQ,EAAE,QAAQ;4BAClB,KAAK,EAAE,qBAAqB;4BAC5B,WAAW,EAAE,yDAAyD;4BACtE,MAAM,EAAE,cAAc;4BACtB,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;yBAChC,CAAC,CAAC,CAAC;oBACN,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/analyzer.d.ts

@@ -0,0 +1,14 @@
+import type { Artifact } from '../domain/artifact.js';
+import type { Finding } from '../domain/finding.js';
+import type { Target } from '../domain/target.js';
+export interface AnalysisContext {
+    readonly artifact: Artifact;
+    readonly target: Target;
+}
+export interface Analyzer {
+    readonly id: string;
+    supports(ctx: AnalysisContext): boolean;
+    analyze(ctx: AnalysisContext): Promise<Finding[]>;
+}
+export declare function runAnalyzers(analyzers: Analyzer[], ctx: AnalysisContext): Promise<Finding[]>;
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/analyzers/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAElD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC;IACxC,OAAO,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;CACnD;AAED,wBAAsB,YAAY,CAChC,SAAS,EAAE,QAAQ,EAAE,EACrB,GAAG,EAAE,eAAe,GACnB,OAAO,CAAC,OAAO,EAAE,CAAC,CASpB"}

package/dist/analyzers/analyzer.js

@@ -0,0 +1,11 @@
+export async function runAnalyzers(analyzers, ctx) {
+    const findings = [];
+    for (const analyzer of analyzers) {
+        if (analyzer.supports(ctx)) {
+            const result = await analyzer.analyze(ctx);
+            findings.push(...result);
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=analyzer.js.map

package/dist/analyzers/analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../src/analyzers/analyzer.ts"],"names":[],"mappings":"AAeA,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAqB,EACrB,GAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/analyzers/dependency-analyzer.d.ts

@@ -0,0 +1,10 @@
+import type { AnalysisContext, Analyzer } from './analyzer.js';
+import type { RegistryClient } from '../ports/registry-client.js';
+export declare class DependencyAnalyzer implements Analyzer {
+    private readonly registry?;
+    readonly id = "dependency";
+    constructor(registry?: RegistryClient | undefined);
+    supports(ctx: AnalysisContext): boolean;
+    analyze(ctx: AnalysisContext): Promise<import("../domain/finding.js").Finding[]>;
+}
+//# sourceMappingURL=dependency-analyzer.d.ts.map

package/dist/analyzers/dependency-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/dependency-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAKlE,qBAAa,kBAAmB,YAAW,QAAQ;IAGrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAFtC,QAAQ,CAAC,EAAE,gBAAgB;gBAEE,QAAQ,CAAC,EAAE,cAAc,YAAA;IAEtD,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO;IAIjC,OAAO,CAAC,GAAG,EAAE,eAAe;CAyEnC"}

package/dist/analyzers/dependency-analyzer.js

@@ -0,0 +1,79 @@
+import { createFinding } from '../domain/finding.js';
+const DEPENDENCY_WARNING_THRESHOLD = 50;
+const DEPENDENCY_CRITICAL_THRESHOLD = 200;
+export class DependencyAnalyzer {
+    registry;
+    id = 'dependency';
+    constructor(registry) {
+        this.registry = registry;
+    }
+    supports(ctx) {
+        return !!(ctx.artifact.metadata.dependencies || ctx.artifact.manifest);
+    }
+    async analyze(ctx) {
+        const findings = [];
+        const manifestDeps = ctx.artifact.manifest?.dependencies;
+        const deps = {
+            ...(ctx.artifact.metadata.dependencies ?? {}),
+            ...(manifestDeps ?? {}),
+        };
+        const depCount = Object.keys(deps).length;
+        if (depCount > DEPENDENCY_CRITICAL_THRESHOLD) {
+            findings.push(createFinding({
+                category: 'dependency',
+                severity: 'HIGH',
+                title: 'Excessive dependencies',
+                description: `Package has ${depCount} dependencies`,
+                ruleId: 'excessive-deps',
+            }));
+        }
+        else if (depCount > DEPENDENCY_WARNING_THRESHOLD) {
+            findings.push(createFinding({
+                category: 'dependency',
+                severity: 'MEDIUM',
+                title: 'Many dependencies',
+                description: `Package has ${depCount} dependencies`,
+                ruleId: 'many-deps',
+            }));
+        }
+        for (const [name, version] of Object.entries(deps)) {
+            if (version.includes('http://') || version.includes('git+http')) {
+                findings.push(createFinding({
+                    category: 'dependency',
+                    severity: 'HIGH',
+                    title: 'Non-HTTPS dependency source',
+                    description: `Dependency ${name} uses non-HTTPS source: ${version}`,
+                    ruleId: 'insecure-dep-source',
+                }));
+            }
+            if (version.startsWith('file:') || version.startsWith('../')) {
+                findings.push(createFinding({
+                    category: 'dependency',
+                    severity: 'MEDIUM',
+                    title: 'Local file dependency',
+                    description: `Dependency ${name} references local file: ${version}`,
+                    ruleId: 'local-dep',
+                }));
+            }
+        }
+        if (this.registry && ctx.artifact.metadata.name && ctx.artifact.metadata.version) {
+            try {
+                const vulns = await this.registry.checkOsv(ctx.artifact.metadata.name, ctx.artifact.metadata.version, 'npm');
+                for (const vuln of vulns) {
+                    findings.push(createFinding({
+                        category: 'dependency',
+                        severity: vuln.severity === 'CRITICAL' ? 'CRITICAL' : 'HIGH',
+                        title: `Known vulnerability: ${vuln.id}`,
+                        description: vuln.summary,
+                        ruleId: 'cve',
+                    }));
+                }
+            }
+            catch {
+                // OSV lookup is best-effort
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=dependency-analyzer.js.map

package/dist/analyzers/dependency-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/dependency-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAIrD,MAAM,4BAA4B,GAAG,EAAE,CAAC;AACxC,MAAM,6BAA6B,GAAG,GAAG,CAAC;AAE1C,MAAM,OAAO,kBAAkB;IAGA;IAFpB,EAAE,GAAG,YAAY,CAAC;IAE3B,YAA6B,QAAyB;QAAzB,aAAQ,GAAR,QAAQ,CAAiB;IAAG,CAAC;IAE1D,QAAQ,CAAC,GAAoB;QAC3B,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,YAAY,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,YAAkD,CAAC;QAC/F,MAAM,IAAI,GAAG;YACX,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,CAAC;YAC7C,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;SACxB,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QAE1C,IAAI,QAAQ,GAAG,6BAA6B,EAAE,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC1B,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,wBAAwB;gBAC/B,WAAW,EAAE,eAAe,QAAQ,eAAe;gBACnD,MAAM,EAAE,gBAAgB;aACzB,CAAC,CAAC,CAAC;QACN,CAAC;aAAM,IAAI,QAAQ,GAAG,4BAA4B,EAAE,CAAC;YACnD,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC1B,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,mBAAmB;gBAC1B,WAAW,EAAE,eAAe,QAAQ,eAAe;gBACnD,MAAM,EAAE,WAAW;aACpB,CAAC,CAAC,CAAC;QACN,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,6BAA6B;oBACpC,WAAW,EAAE,cAAc,IAAI,2BAA2B,OAAO,EAAE;oBACnE,MAAM,EAAE,qBAAqB;iBAC9B,CAAC,CAAC,CAAC;YACN,CAAC;YAED,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,uBAAuB;oBAC9B,WAAW,EAAE,cAAc,IAAI,2BAA2B,OAAO,EAAE;oBACnE,MAAM,EAAE,WAAW;iBACpB,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACjF,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CACxC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAC1B,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAC7B,KAAK,CACN,CAAC;gBACF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;wBAC1B,QAAQ,EAAE,YAAY;wBACtB,QAAQ,EAAE,IAAI,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;wBAC5D,KAAK,EAAE,wBAAwB,IAAI,CAAC,EAAE,EAAE;wBACxC,WAAW,EAAE,IAAI,CAAC,OAAO;wBACzB,MAAM,EAAE,KAAK;qBACd,CAAC,CAAC,CAAC;gBACN,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,4BAA4B;YAC9B,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/index.d.ts

@@ -0,0 +1,13 @@
+import type { Analyzer } from './analyzer.js';
+import type { RegistryClient } from '../ports/registry-client.js';
+export declare function createDefaultAnalyzers(registry?: RegistryClient): Analyzer[];
+export * from './analyzer.js';
+export * from './metadata-analyzer.js';
+export * from './source-analyzer.js';
+export * from './static-code-analyzer.js';
+export * from './install-script-analyzer.js';
+export * from './ai-prompt-analyzer.js';
+export * from './secret-analyzer.js';
+export * from './dependency-analyzer.js';
+export * from './network-analyzer.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAS9C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAElE,wBAAgB,sBAAsB,CAAC,QAAQ,CAAC,EAAE,cAAc,GAAG,QAAQ,EAAE,CAW5E;AAED,cAAc,eAAe,CAAC;AAC9B,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,uBAAuB,CAAC"}

package/dist/analyzers/index.js

@@ -0,0 +1,30 @@
+import { AiPromptAnalyzer } from './ai-prompt-analyzer.js';
+import { DependencyAnalyzer } from './dependency-analyzer.js';
+import { InstallScriptAnalyzer } from './install-script-analyzer.js';
+import { MetadataAnalyzer } from './metadata-analyzer.js';
+import { NetworkAnalyzer } from './network-analyzer.js';
+import { SecretAnalyzer } from './secret-analyzer.js';
+import { SourceAnalyzer } from './source-analyzer.js';
+import { StaticCodeAnalyzer } from './static-code-analyzer.js';
+export function createDefaultAnalyzers(registry) {
+    return [
+        new MetadataAnalyzer(),
+        new SourceAnalyzer(),
+        new StaticCodeAnalyzer(),
+        new InstallScriptAnalyzer(),
+        new AiPromptAnalyzer(),
+        new SecretAnalyzer(),
+        new DependencyAnalyzer(registry),
+        new NetworkAnalyzer(),
+    ];
+}
+export * from './analyzer.js';
+export * from './metadata-analyzer.js';
+export * from './source-analyzer.js';
+export * from './static-code-analyzer.js';
+export * from './install-script-analyzer.js';
+export * from './ai-prompt-analyzer.js';
+export * from './secret-analyzer.js';
+export * from './dependency-analyzer.js';
+export * from './network-analyzer.js';
+//# sourceMappingURL=index.js.map

package/dist/analyzers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,MAAM,UAAU,sBAAsB,CAAC,QAAyB;IAC9D,OAAO;QACL,IAAI,gBAAgB,EAAE;QACtB,IAAI,cAAc,EAAE;QACpB,IAAI,kBAAkB,EAAE;QACxB,IAAI,qBAAqB,EAAE;QAC3B,IAAI,gBAAgB,EAAE;QACtB,IAAI,cAAc,EAAE;QACpB,IAAI,kBAAkB,CAAC,QAAQ,CAAC;QAChC,IAAI,eAAe,EAAE;KACtB,CAAC;AACJ,CAAC;AAED,cAAc,eAAe,CAAC;AAC9B,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,uBAAuB,CAAC"}

package/dist/analyzers/install-script-analyzer.d.ts

@@ -0,0 +1,7 @@
+import type { AnalysisContext, Analyzer } from './analyzer.js';
+export declare class InstallScriptAnalyzer implements Analyzer {
+    readonly id = "install-script";
+    supports(ctx: AnalysisContext): boolean;
+    analyze(ctx: AnalysisContext): Promise<import("../domain/finding.js").Finding[]>;
+}
+//# sourceMappingURL=install-script-analyzer.d.ts.map

package/dist/analyzers/install-script-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-script-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/install-script-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAgB/D,qBAAa,qBAAsB,YAAW,QAAQ;IACpD,QAAQ,CAAC,EAAE,oBAAoB;IAE/B,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO;IAIjC,OAAO,CAAC,GAAG,EAAE,eAAe;CA+CnC"}

package/dist/analyzers/install-script-analyzer.js

@@ -0,0 +1,64 @@
+import { createFinding } from '../domain/finding.js';
+const INSTALL_SCRIPT_KEYS = ['postinstall', 'preinstall', 'prepare', 'install', 'prepublish'];
+const DANGEROUS_INSTALL_PATTERNS = [
+    { pattern: /curl\s+[^|]+\|\s*(?:bash|sh)/gi, severity: 'CRITICAL', title: 'curl pipe to shell in install script' },
+    { pattern: /wget\s+[^|]+\|\s*(?:bash|sh)/gi, severity: 'CRITICAL', title: 'wget pipe to shell in install script' },
+    { pattern: /Invoke-WebRequest|Invoke-RestMethod/gi, severity: 'HIGH', title: 'PowerShell web request in install script' },
+    { pattern: /\bsudo\s+/g, severity: 'HIGH', title: 'sudo in install script' },
+    { pattern: /chmod\s+\+x/g, severity: 'MEDIUM', title: 'chmod +x in install script' },
+    { pattern: /rm\s+-rf/g, severity: 'HIGH', title: 'rm -rf in install script' },
+    { pattern: /npx\s+/g, severity: 'MEDIUM', title: 'npx in install script' },
+    { pattern: /npm\s+exec/g, severity: 'MEDIUM', title: 'npm exec in install script' },
+    { pattern: /docker\s+pull/g, severity: 'MEDIUM', title: 'docker pull in install script' },
+    { pattern: /pip\s+install/g, severity: 'MEDIUM', title: 'pip install in install script' },
+];
+export class InstallScriptAnalyzer {
+    id = 'install-script';
+    supports(ctx) {
+        return !!ctx.artifact.metadata.scripts;
+    }
+    async analyze(ctx) {
+        const findings = [];
+        const scripts = ctx.artifact.metadata.scripts ?? {};
+        for (const key of INSTALL_SCRIPT_KEYS) {
+            const script = scripts[key];
+            if (!script)
+                continue;
+            findings.push(createFinding({
+                category: 'install-script',
+                severity: 'MEDIUM',
+                title: `Install script: ${key}`,
+                description: `Package defines a ${key} script`,
+                ruleId: `script-${key}`,
+                evidence: script,
+            }));
+            for (const check of DANGEROUS_INSTALL_PATTERNS) {
+                check.pattern.lastIndex = 0;
+                if (check.pattern.test(script)) {
+                    findings.push(createFinding({
+                        category: 'install-script',
+                        severity: check.severity,
+                        title: check.title,
+                        description: `Dangerous pattern in ${key} script: ${check.title}`,
+                        ruleId: `dangerous-${key}`,
+                        evidence: script,
+                    }));
+                }
+            }
+        }
+        for (const file of ctx.artifact.files) {
+            if (file.path.match(/postinstall\.(sh|ps1|js)$/i)) {
+                findings.push(createFinding({
+                    category: 'install-script',
+                    severity: 'HIGH',
+                    title: 'Standalone install script file',
+                    description: `Found install script file: ${file.path}`,
+                    ruleId: 'standalone-script',
+                    file: file.path,
+                }));
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=install-script-analyzer.js.map

package/dist/analyzers/install-script-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-script-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/install-script-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAGrD,MAAM,mBAAmB,GAAG,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;AAC9F,MAAM,0BAA0B,GAAG;IACjC,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,UAAmB,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAC3H,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,UAAmB,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAC3H,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,0CAA0C,EAAE;IAClI,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACrF,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC7F,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACtF,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IACnF,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC5F,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,+BAA+B,EAAE;IAClG,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,+BAA+B,EAAE;CACnG,CAAC;AAEF,MAAM,OAAO,qBAAqB;IACvB,EAAE,GAAG,gBAAgB,CAAC;IAE/B,QAAQ,CAAC,GAAoB;QAC3B,OAAO,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;QAEpD,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC1B,QAAQ,EAAE,gBAAgB;gBAC1B,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,mBAAmB,GAAG,EAAE;gBAC/B,WAAW,EAAE,qBAAqB,GAAG,SAAS;gBAC9C,MAAM,EAAE,UAAU,GAAG,EAAE;gBACvB,QAAQ,EAAE,MAAM;aACjB,CAAC,CAAC,CAAC;YAEJ,KAAK,MAAM,KAAK,IAAI,0BAA0B,EAAE,CAAC;gBAC/C,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC5B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC/B,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;wBAC1B,QAAQ,EAAE,gBAAgB;wBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;wBACxB,KAAK,EAAE,KAAK,CAAC,KAAK;wBAClB,WAAW,EAAE,wBAAwB,GAAG,YAAY,KAAK,CAAC,KAAK,EAAE;wBACjE,MAAM,EAAE,aAAa,GAAG,EAAE;wBAC1B,QAAQ,EAAE,MAAM;qBACjB,CAAC,CAAC,CAAC;gBACN,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACtC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,4BAA4B,CAAC,EAAE,CAAC;gBAClD,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,gBAAgB;oBAC1B,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,gCAAgC;oBACvC,WAAW,EAAE,8BAA8B,IAAI,CAAC,IAAI,EAAE;oBACtD,MAAM,EAAE,mBAAmB;oBAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/match-evidence.d.ts

@@ -0,0 +1,6 @@
+export declare const MAX_EVIDENCE_LENGTH = 120;
+export declare function findMatchingLine(content: string, pattern: RegExp): {
+    line: number;
+    evidence: string;
+} | undefined;
+//# sourceMappingURL=match-evidence.d.ts.map

package/dist/analyzers/match-evidence.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"match-evidence.d.ts","sourceRoot":"","sources":["../../src/analyzers/match-evidence.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,mBAAmB,MAAM,CAAC;AAEvC,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAYhD"}

package/dist/analyzers/match-evidence.js

@@ -0,0 +1,15 @@
+export const MAX_EVIDENCE_LENGTH = 120;
+export function findMatchingLine(content, pattern) {
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        pattern.lastIndex = 0;
+        if (pattern.test(lines[i])) {
+            return {
+                line: i + 1,
+                evidence: lines[i].trim().slice(0, MAX_EVIDENCE_LENGTH),
+            };
+        }
+    }
+    return undefined;
+}
+//# sourceMappingURL=match-evidence.js.map

package/dist/analyzers/match-evidence.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"match-evidence.js","sourceRoot":"","sources":["../../src/analyzers/match-evidence.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEvC,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,OAAe;IAEf,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,EAAE,CAAC;YAC5B,OAAO;gBACL,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,mBAAmB,CAAC;aACzD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/analyzers/metadata-analyzer.d.ts

@@ -0,0 +1,7 @@
+import type { AnalysisContext, Analyzer } from './analyzer.js';
+export declare class MetadataAnalyzer implements Analyzer {
+    readonly id = "metadata";
+    supports(): boolean;
+    analyze(ctx: AnalysisContext): Promise<import("../domain/finding.js").Finding[]>;
+}
+//# sourceMappingURL=metadata-analyzer.d.ts.map

package/dist/analyzers/metadata-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/metadata-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAS/D,qBAAa,gBAAiB,YAAW,QAAQ;IAC/C,QAAQ,CAAC,EAAE,cAAc;IAEzB,QAAQ,IAAI,OAAO;IAIb,OAAO,CAAC,GAAG,EAAE,eAAe;CAmGnC"}