@rexymayderio/sentinel 0.1.0

package/dist/cli/index.js

@@ -0,0 +1,176 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { readFile } from 'node:fs/promises';
+import kleur from 'kleur';
+import { createDefaultSentinel } from '../factory.js';
+import { startSpinner } from './spinner.js';
+const program = new Command();
+const TARGET_TYPES_HELP = `
+Target types:
+  npm            npm package (e.g. express, lodash@4.17.21)
+  github         GitHub repository (e.g. owner/repo)
+  skill          Local AI skill directory or SKILL.md path
+  local          Any local directory to scan
+
+Exit codes:
+  0  Verification passed (decision is not BLOCK)
+  1  Runtime error or install denied/failed
+  2  Policy BLOCK — do not install
+`;
+const VERIFY_EXAMPLES = `
+Examples:
+  sentinel verify npm express
+  sentinel verify npm lodash@4.17.21
+  sentinel verify github expressjs/express
+  sentinel verify skill ./my-skill
+  sentinel verify local ./my-project
+  sentinel verify npm express --json
+  sentinel verify npm express --markdown
+  sentinel verify npm express --policy ./policy.json
+`;
+const INSTALL_EXAMPLES = `
+Examples:
+  sentinel install npm express
+  sentinel install github owner/repo
+  sentinel install skill ./my-skill
+  sentinel install npm express --yes
+  sentinel install npm express --json
+  sentinel install npm express --policy ./policy.json
+
+Approval:
+  Runs verification first, then prompts [y/N] unless auto-approved.
+  --yes skips the prompt for non-BLOCK decisions (WARN, REQUIRE_APPROVAL, APPROVE).
+  BLOCK decisions cannot be overridden.
+`;
+program
+    .name('sentinel')
+    .description('Universal Security Verification Framework for AI Agent Installations')
+    .version('0.1.0')
+    .addHelpText('after', `
+Commands:
+  verify     Analyze a target without installing (read-only)
+  install    Verify, prompt for approval, then install
+
+Quick start:
+  sentinel verify npm express
+  sentinel verify github owner/repo
+  sentinel install skill ./my-skill --yes
+
+Run "sentinel <command> --help" for command-specific options and examples.
+${TARGET_TYPES_HELP}`);
+program
+    .command('verify')
+    .description('Verify a package, repository, skill, or other target without installing')
+    .argument('<type>', 'Target ecosystem: npm, github, skill, or local')
+    .argument('<target>', 'Package name, owner/repo, or filesystem path')
+    .option('--json', 'Output the full verification report as JSON (machine-readable)')
+    .option('--markdown', 'Output the report as Markdown')
+    .option('--policy <file>', 'Path to a JSON policy file (overrides default thresholds and lists)')
+    .option('--score-tests', 'Score findings in test/fixture files at full severity (default: down-weighted)')
+    .addHelpText('after', `${VERIFY_EXAMPLES}
+Options (default output is a colored terminal report):
+  --json          Structured JSON with findings, risk, policy, permissions, evidence
+  --markdown      Markdown table suitable for docs or PR comments
+  --policy        Custom policy: blockThreshold, warnThreshold, minConfidence,
+                  trustedPublishers, corporateWhitelist, corporateBlacklist, etc.
+  --score-tests   Treat dangerous code in test/fixture files at full weight
+                  (by default such findings are shown but down-weighted)
+
+${TARGET_TYPES_HELP}`)
+    .action(async (type, target, opts) => {
+    try {
+        const format = opts.json ? 'json' : opts.markdown ? 'markdown' : 'terminal';
+        const policyConfig = await resolvePolicyConfig(opts.policy, opts.scoreTests);
+        const sentinel = createDefaultSentinel({ policyConfig, reportFormat: format });
+        const spinner = startSpinner(`Verifying ${type}:${target}...`);
+        let report;
+        try {
+            report = await sentinel.verify(type, target);
+        }
+        finally {
+            spinner.stop();
+        }
+        const output = sentinel.generateReport(report, format);
+        console.log(output);
+        if (report.policy.decision === 'BLOCK') {
+            process.exit(2);
+        }
+    }
+    catch (error) {
+        console.error(kleur.red(`Error: ${error instanceof Error ? error.message : String(error)}`));
+        process.exit(1);
+    }
+});
+program
+    .command('install')
+    .description('Verify and install a target (requires approval unless auto-approved)')
+    .argument('<type>', 'Target ecosystem: npm, github, skill, or local')
+    .argument('<target>', 'Package name, owner/repo, or filesystem path')
+    .option('--json', 'Output the verification report as JSON instead of terminal format')
+    .option('--yes', 'Auto-approve installation after verification (cannot override BLOCK)')
+    .option('--policy <file>', 'Path to a JSON policy file (overrides default thresholds and lists)')
+    .option('--score-tests', 'Score findings in test/fixture files at full severity (default: down-weighted)')
+    .addHelpText('after', `${INSTALL_EXAMPLES}
+Options:
+  --json          Output report as JSON (terminal format is default)
+  --yes           Skip the interactive [y/N] approval prompt when policy allows it
+  --policy        Custom policy file (same fields as verify --policy)
+  --score-tests   Treat dangerous code in test/fixture files at full weight
+
+Install behavior by ecosystem:
+  npm      npm install <name> --ignore-scripts
+  github   git clone https://github.com/<owner>/<repo>.git
+  skill    Verified locally — no file copy (MVP)
+  local    Verified locally — no installation step (MVP)
+
+${TARGET_TYPES_HELP}`)
+    .action(async (type, target, opts) => {
+    try {
+        const format = opts.json ? 'json' : 'terminal';
+        const policyConfig = await resolvePolicyConfig(opts.policy, opts.scoreTests);
+        const sentinel = createDefaultSentinel({
+            policyConfig,
+            reportFormat: format,
+            autoApprove: opts.yes,
+        });
+        const spinner = startSpinner(`Verifying ${type}:${target}...`);
+        let spinnerStopped = false;
+        const stopSpinner = () => {
+            if (!spinnerStopped) {
+                spinner.stop();
+                spinnerStopped = true;
+            }
+        };
+        let result;
+        try {
+            result = await sentinel.install(type, target, { onVerified: stopSpinner });
+        }
+        finally {
+            stopSpinner();
+        }
+        const output = sentinel.generateReport(result.report, format);
+        console.log(output);
+        if (!result.success) {
+            console.error(kleur.red(`\n${result.message}`));
+            process.exit(result.report.policy.decision === 'BLOCK' ? 2 : 1);
+        }
+        console.log(kleur.green(`\n${result.message}`));
+    }
+    catch (error) {
+        console.error(kleur.red(`Error: ${error instanceof Error ? error.message : String(error)}`));
+        process.exit(1);
+    }
+});
+async function loadPolicyFile(path) {
+    const content = await readFile(path, 'utf-8');
+    return JSON.parse(content);
+}
+async function resolvePolicyConfig(policyPath, scoreTests) {
+    const fromFile = policyPath ? await loadPolicyFile(policyPath) : undefined;
+    if (!scoreTests) {
+        return fromFile;
+    }
+    return { ...fromFile, scoreTestCodeFully: true };
+}
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,MAAM,iBAAiB,GAAG;;;;;;;;;;;CAWzB,CAAC;AAEF,MAAM,eAAe,GAAG;;;;;;;;;;CAUvB,CAAC;AAEF,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;CAaxB,CAAC;AAEF,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,sEAAsE,CAAC;KACnF,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,OAAO,EAAE;;;;;;;;;;;EAWtB,iBAAiB,EAAE,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yEAAyE,CAAC;KACtF,QAAQ,CAAC,QAAQ,EAAE,gDAAgD,CAAC;KACpE,QAAQ,CAAC,UAAU,EAAE,8CAA8C,CAAC;KACpE,MAAM,CAAC,QAAQ,EAAE,gEAAgE,CAAC;KAClF,MAAM,CAAC,YAAY,EAAE,+BAA+B,CAAC;KACrD,MAAM,CAAC,iBAAiB,EAAE,qEAAqE,CAAC;KAChG,MAAM,CAAC,eAAe,EAAE,gFAAgF,CAAC;KACzG,WAAW,CAAC,OAAO,EAAE,GAAG,eAAe;;;;;;;;;EASxC,iBAAiB,EAAE,CAAC;KACnB,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,MAAc,EAAE,IAAmF,EAAE,EAAE;IAClI,IAAI,CAAC;QACH,MAAM,MAAM,GAAiB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;QAC1F,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7E,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,CAAC;QAE/E,MAAM,OAAO,GAAG,YAAY,CAAC,aAAa,IAAI,IAAI,MAAM,KAAK,CAAC,CAAC;QAC/D,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;gBAAS,CAAC;YACT,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,CAAC;QACD,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sEAAsE,CAAC;KACnF,QAAQ,CAAC,QAAQ,EAAE,gDAAgD,CAAC;KACpE,QAAQ,CAAC,UAAU,EAAE,8CAA8C,CAAC;KACpE,MAAM,CAAC,QAAQ,EAAE,mEAAmE,CAAC;KACrF,MAAM,CAAC,OAAO,EAAE,sEAAsE,CAAC;KACvF,MAAM,CAAC,iBAAiB,EAAE,qEAAqE,CAAC;KAChG,MAAM,CAAC,eAAe,EAAE,gFAAgF,CAAC;KACzG,WAAW,CAAC,OAAO,EAAE,GAAG,gBAAgB;;;;;;;;;;;;;EAazC,iBAAiB,EAAE,CAAC;KACnB,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,MAAc,EAAE,IAA8E,EAAE,EAAE;IAC7H,IAAI,CAAC;QACH,MAAM,MAAM,GAAiB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7E,MAAM,QAAQ,GAAG,qBAAqB,CAAC;YACrC,YAAY;YACZ,YAAY,EAAE,MAAM;YACpB,WAAW,EAAE,IAAI,CAAC,GAAG;SACtB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,YAAY,CAAC,aAAa,IAAI,IAAI,MAAM,KAAK,CAAC,CAAC;QAC/D,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAS,EAAE;YAC7B,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,OAAO,CAAC,IAAI,EAAE,CAAC;gBACf,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC;QACH,CAAC,CAAC;QACF,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;QAC7E,CAAC;gBAAS,CAAC;YACT,WAAW,EAAE,CAAC;QAChB,CAAC;QACD,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,KAAK,UAAU,cAAc,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA0B,CAAC;AACtD,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,UAA8B,EAC9B,UAA+B;IAE/B,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,EAAE,GAAG,QAAQ,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC;AACnD,CAAC;AAED,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/cli/spinner.d.ts

@@ -0,0 +1,5 @@
+export interface Spinner {
+    stop(finalMessage?: string): void;
+}
+export declare function startSpinner(message: string): Spinner;
+//# sourceMappingURL=spinner.d.ts.map

package/dist/cli/spinner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"spinner.d.ts","sourceRoot":"","sources":["../../src/cli/spinner.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC;AAkCD,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAKrD"}

package/dist/cli/spinner.js

@@ -0,0 +1,39 @@
+import kleur from 'kleur';
+const FRAMES = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
+const FRAME_INTERVAL_MS = 80;
+class TtySpinner {
+    message;
+    frameIndex = 0;
+    timer;
+    startedAt = Date.now();
+    constructor(message) {
+        this.message = message;
+        process.stderr.write('\x1B[?25l');
+        this.render();
+        this.timer = setInterval(() => this.render(), FRAME_INTERVAL_MS);
+        if (typeof this.timer.unref === 'function') {
+            this.timer.unref();
+        }
+    }
+    render() {
+        const frame = FRAMES[this.frameIndex] ?? FRAMES[0];
+        this.frameIndex = (this.frameIndex + 1) % FRAMES.length;
+        const elapsed = ((Date.now() - this.startedAt) / 1000).toFixed(1);
+        process.stderr.write(`\r${kleur.cyan(frame)} ${this.message} ${kleur.dim(`(${elapsed}s)`)}`);
+    }
+    stop() {
+        clearInterval(this.timer);
+        process.stderr.write('\r\x1B[K');
+        process.stderr.write('\x1B[?25h');
+    }
+}
+class NoopSpinner {
+    stop() { }
+}
+export function startSpinner(message) {
+    if (!process.stderr.isTTY) {
+        return new NoopSpinner();
+    }
+    return new TtySpinner(message);
+}
+//# sourceMappingURL=spinner.js.map

package/dist/cli/spinner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spinner.js","sourceRoot":"","sources":["../../src/cli/spinner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,MAAM,MAAM,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAClE,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAM7B,MAAM,UAAU;IAKe;IAJrB,UAAU,GAAG,CAAC,CAAC;IACN,KAAK,CAAiB;IACtB,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAExC,YAA6B,OAAe;QAAf,YAAO,GAAP,OAAO,CAAQ;QAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM,EAAE,CAAC;QACd,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC;QACjE,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAEO,MAAM;QACZ,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,CAAC,CAAE,CAAC;QACpD,IAAI,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;QACxD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,IAAI;QACF,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;CACF;AAED,MAAM,WAAW;IACf,IAAI,KAAU,CAAC;CAChB;AAED,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAC1B,OAAO,IAAI,WAAW,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC"}

package/dist/core/index.d.ts

@@ -0,0 +1,3 @@
+export * from './sentinel.js';
+export * from './permissions.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC;AAC9B,cAAc,kBAAkB,CAAC"}

package/dist/core/index.js

@@ -0,0 +1,3 @@
+export * from './sentinel.js';
+export * from './permissions.js';
+//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC;AAC9B,cAAc,kBAAkB,CAAC"}

package/dist/core/permissions.d.ts

@@ -0,0 +1,4 @@
+import type { Finding } from '../domain/finding.js';
+import type { Permission } from '../domain/permission.js';
+export declare function buildPermissionGraph(findings: Finding[]): Permission[];
+//# sourceMappingURL=permissions.d.ts.map

package/dist/core/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/core/permissions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAE,UAAU,EAAkB,MAAM,yBAAyB,CAAC;AAW1E,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,UAAU,EAAE,CAoBtE"}

package/dist/core/permissions.js

@@ -0,0 +1,28 @@
+const PERMISSION_RULE_MAP = [
+    { ruleIds: ['spawn', 'exec', 'child-process', 'os-system', 'subprocess', 'powershell'], type: 'shell', description: 'Shell command execution' },
+    { ruleIds: ['hardcoded-ip', 'discord-webhook', 'telegram-bot', 'ngrok', 'cloudflare-tunnel'], type: 'network-internet', description: 'Internet network access' },
+    { ruleIds: ['private-ip'], type: 'network-localhost', description: 'Localhost/private network access' },
+    { ruleIds: ['aws-key', 'openai-key', 'anthropic-key', 'private-key', 'github-token'], type: 'secrets', description: 'Secret/credential access' },
+    { ruleIds: ['rm-rf'], type: 'filesystem-delete', description: 'Filesystem deletion' },
+    { ruleIds: ['chmod-x', 'registry-edit', 'cron', 'startup-folder'], type: 'filesystem-write', description: 'Filesystem modification' },
+];
+export function buildPermissionGraph(findings) {
+    const permissions = [];
+    const seen = new Set();
+    for (const finding of findings) {
+        if (finding.positive || !finding.ruleId)
+            continue;
+        for (const mapping of PERMISSION_RULE_MAP) {
+            if (mapping.ruleIds.includes(finding.ruleId) && !seen.has(mapping.type)) {
+                seen.add(mapping.type);
+                permissions.push({
+                    type: mapping.type,
+                    description: mapping.description,
+                    source: finding.file ?? finding.ruleId,
+                });
+            }
+        }
+    }
+    return permissions;
+}
+//# sourceMappingURL=permissions.js.map

package/dist/core/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/core/permissions.ts"],"names":[],"mappings":"AAGA,MAAM,mBAAmB,GAA4E;IACnG,EAAE,OAAO,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,yBAAyB,EAAE;IAC/I,EAAE,OAAO,EAAE,CAAC,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,yBAAyB,EAAE;IAChK,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,kCAAkC,EAAE;IACvG,EAAE,OAAO,EAAE,CAAC,SAAS,EAAE,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,cAAc,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,0BAA0B,EAAE;IAChJ,EAAE,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,qBAAqB,EAAE;IACrF,EAAE,OAAO,EAAE,CAAC,SAAS,EAAE,eAAe,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,yBAAyB,EAAE;CACtI,CAAC;AAEF,MAAM,UAAU,oBAAoB,CAAC,QAAmB;IACtD,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEvC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,SAAS;QAElD,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;YAC1C,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBACvB,WAAW,CAAC,IAAI,CAAC;oBACf,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,MAAM,EAAE,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM;iBACvC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/dist/core/sentinel.d.ts

@@ -0,0 +1,32 @@
+import type { AcquirerRegistry } from '../acquire/acquirer.js';
+import type { Analyzer } from '../analyzers/analyzer.js';
+import type { ReportFormat, InstallResult, VerificationReport } from '../domain/report.js';
+import type { PolicyConfig } from '../engine/default-policy.js';
+import type { ApprovalPrompt } from '../ports/approval-prompt.js';
+import type { ProcessRunner } from '../ports/process-runner.js';
+export interface SentinelOptions {
+    readonly acquirerRegistry: AcquirerRegistry;
+    readonly analyzers: Analyzer[];
+    readonly policyConfig?: Partial<PolicyConfig>;
+    readonly approvalPrompt: ApprovalPrompt;
+    readonly processRunner: ProcessRunner;
+    readonly reportFormat?: ReportFormat;
+}
+export declare class Sentinel {
+    private readonly options;
+    private readonly riskCalculator;
+    private readonly policyEngine;
+    private readonly reportGenerator;
+    private readonly policyConfig;
+    constructor(options: SentinelOptions);
+    verify(ecosystem: string, raw: string): Promise<VerificationReport>;
+    private buildUnverifiableReport;
+    install(ecosystem: string, raw: string, options?: {
+        forceApprove?: boolean;
+        onVerified?: () => void;
+    }): Promise<InstallResult>;
+    generateReport(report: VerificationReport, format?: ReportFormat): string;
+    private runInstaller;
+}
+export declare function createSentinel(options: SentinelOptions): Sentinel;
+//# sourceMappingURL=sentinel.d.ts.map

package/dist/core/sentinel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAIzD,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAgB,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAIzG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAKhE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAGhE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAC5C,QAAQ,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;CACtC;AAED,qBAAa,QAAQ;IAMP,OAAO,CAAC,QAAQ,CAAC,OAAO;IALpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAyB;IACzD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;gBAEf,OAAO,EAAE,eAAe;IAO/C,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA8CzE,OAAO,CAAC,uBAAuB;IA6BzB,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,IAAI,CAAA;KAAE,GAC5D,OAAO,CAAC,aAAa,CAAC;IAoCzB,cAAc,CAAC,MAAM,EAAE,kBAAkB,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,MAAM;YAI3D,YAAY;CAmB3B;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CAEjE"}

package/dist/core/sentinel.js

@@ -0,0 +1,164 @@
+import { cleanupArtifact } from '../acquire/acquirer.js';
+import { runAnalyzers } from '../analyzers/analyzer.js';
+import { isTestPath } from '../analyzers/test-path.js';
+import { buildPermissionGraph } from './permissions.js';
+import { parseTarget } from '../domain/target.js';
+import { DEFAULT_POLICY } from '../engine/default-policy.js';
+import { assessData, hasMeaningfulMetadata, unverifiableAssessment } from '../engine/data-assessment.js';
+import { PolicyEngine } from '../engine/policy-engine.js';
+import { RiskCalculator, TEST_FINDING_WEIGHT } from '../engine/risk-calculator.js';
+import { ReportGenerator } from '../report/report-generator.js';
+export class Sentinel {
+    options;
+    riskCalculator = new RiskCalculator();
+    policyEngine;
+    reportGenerator = new ReportGenerator();
+    policyConfig;
+    constructor(options) {
+        this.options = options;
+        this.policyConfig = options.policyConfig
+            ? { ...DEFAULT_POLICY, ...options.policyConfig }
+            : DEFAULT_POLICY;
+        this.policyEngine = new PolicyEngine(this.policyConfig);
+    }
+    async verify(ecosystem, raw) {
+        const start = Date.now();
+        const target = parseTarget(ecosystem, raw);
+        const acquirer = this.options.acquirerRegistry.get(target.ecosystem);
+        let artifact;
+        try {
+            artifact = await acquirer.acquire(target);
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            return this.buildUnverifiableReport(target, reason, start);
+        }
+        try {
+            const rawFindings = await runAnalyzers(this.options.analyzers, { artifact, target });
+            const findings = tagTestFindings(rawFindings);
+            const permissions = buildPermissionGraph(findings.filter((f) => !f.isTest));
+            const evidence = {
+                hasMetadata: hasMeaningfulMetadata(artifact.metadata),
+                fileCount: artifact.files.length,
+            };
+            const testFindingWeight = this.policyConfig.scoreTestCodeFully ? 1 : TEST_FINDING_WEIGHT;
+            const risk = this.riskCalculator.calculate(findings, evidence, { testFindingWeight });
+            const dataAssessment = assessData(target, artifact, findings, risk, this.policyConfig);
+            const policy = this.policyEngine.evaluate(target, risk, findings, permissions, dataAssessment);
+            const criticalCount = findings.filter((f) => f.severity === 'CRITICAL' && !f.positive).length;
+            const summary = `${risk.level} risk (${risk.score}/100) - ${criticalCount} critical findings`;
+            return {
+                target,
+                findings,
+                risk,
+                policy,
+                permissions,
+                dataAssessment,
+                summary,
+                recommendedAction: recommendedActionFor(policy.decision),
+                scannedAt: new Date().toISOString(),
+                durationMs: Date.now() - start,
+            };
+        }
+        finally {
+            await cleanupArtifact(artifact);
+        }
+    }
+    buildUnverifiableReport(target, reason, start) {
+        const dataAssessment = unverifiableAssessment(`Could not acquire target: ${reason}`);
+        const risk = {
+            score: 0,
+            level: 'LOW',
+            confidence: 0,
+            positiveSignals: 0,
+            negativeSignals: 0,
+        };
+        const policy = {
+            decision: 'REQUIRE_APPROVAL',
+            reasons: ['Not enough data was gathered to verify this target automatically', ...dataAssessment.reasons],
+            overrides: [],
+        };
+        return {
+            target,
+            findings: [],
+            risk,
+            policy,
+            permissions: [],
+            dataAssessment,
+            summary: 'Could not gather data - manual review required',
+            recommendedAction: recommendedActionFor(policy.decision),
+            scannedAt: new Date().toISOString(),
+            durationMs: Date.now() - start,
+        };
+    }
+    async install(ecosystem, raw, options) {
+        const report = await this.verify(ecosystem, raw);
+        options?.onVerified?.();
+        if (report.policy.decision === 'BLOCK') {
+            return {
+                success: false,
+                message: 'Installation blocked by policy',
+                report,
+            };
+        }
+        const approved = options?.forceApprove
+            ? true
+            : await this.options.approvalPrompt.requestApproval(report);
+        if (!approved) {
+            return {
+                success: false,
+                message: 'Installation denied by user',
+                report,
+            };
+        }
+        const target = report.target;
+        const installResult = await this.runInstaller(target);
+        return {
+            success: installResult.exitCode === 0,
+            message: installResult.exitCode === 0
+                ? `Successfully installed ${target.ecosystem}:${target.name}`
+                : `Installation failed: ${installResult.stderr || installResult.stdout}`,
+            report,
+        };
+    }
+    generateReport(report, format) {
+        return this.reportGenerator.generate(report, format ?? this.options.reportFormat ?? 'terminal');
+    }
+    async runInstaller(target) {
+        const { processRunner } = this.options;
+        switch (target.ecosystem) {
+            case 'npm':
+                return processRunner.run('npm', ['install', target.name, '--ignore-scripts'], {
+                    env: { npm_config_ignore_scripts: 'true' },
+                });
+            case 'github': {
+                const [owner, repo] = target.name.split('/');
+                return processRunner.run('git', ['clone', `https://github.com/${owner}/${repo}.git`]);
+            }
+            case 'skill':
+            case 'local':
+                return { exitCode: 0, stdout: 'Local skill/directory verified - no installation needed', stderr: '' };
+            default:
+                return { exitCode: 1, stdout: '', stderr: `No installer for ecosystem: ${target.ecosystem}` };
+        }
+    }
+}
+export function createSentinel(options) {
+    return new Sentinel(options);
+}
+function tagTestFindings(findings) {
+    return findings.map((finding) => finding.file && isTestPath(finding.file) ? { ...finding, isTest: true } : finding);
+}
+function recommendedActionFor(decision) {
+    switch (decision) {
+        case 'BLOCK':
+            return 'DO NOT INSTALL';
+        case 'REQUIRE_APPROVAL':
+            return 'REVIEW AND APPROVE BEFORE INSTALLING';
+        case 'WARN':
+            return 'PROCEED WITH CAUTION';
+        default:
+            return 'SAFE TO INSTALL';
+    }
+}
+//# sourceMappingURL=sentinel.js.map

package/dist/core/sentinel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sentinel.js","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAEvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,EAAE,WAAW,EAAe,MAAM,qBAAqB,CAAC;AAI/D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAGnF,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAWhE,MAAM,OAAO,QAAQ;IAMU;IALZ,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC;IACtC,YAAY,CAAe;IAC3B,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;IACxC,YAAY,CAAe;IAE5C,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;QACnD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY;YACtC,CAAC,CAAC,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE;YAChD,CAAC,CAAC,cAAc,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,GAAW;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAErE,IAAI,QAA8B,CAAC;QACnC,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACrF,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,WAAW,GAAG,oBAAoB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5E,MAAM,QAAQ,GAAG;gBACf,WAAW,EAAE,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACrD,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,MAAM;aACjC,CAAC;YACF,MAAM,iBAAiB,GAAG,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC;YACzF,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,EAAE,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACtF,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YACvF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;YAE/F,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;YAC9F,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,WAAW,aAAa,oBAAoB,CAAC;YAE9F,OAAO;gBACL,MAAM;gBACN,QAAQ;gBACR,IAAI;gBACJ,MAAM;gBACN,WAAW;gBACX,cAAc;gBACd,OAAO;gBACP,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;gBACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aAC/B,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAEO,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,KAAa;QAC3E,MAAM,cAAc,GAAG,sBAAsB,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;QACrF,MAAM,IAAI,GAAc;YACtB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,CAAC;YACb,eAAe,EAAE,CAAC;YAClB,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,MAAM,MAAM,GAAiB;YAC3B,QAAQ,EAAE,kBAAkB;YAC5B,OAAO,EAAE,CAAC,kEAAkE,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC;YACxG,SAAS,EAAE,EAAE;SACd,CAAC;QAEF,OAAO;YACL,MAAM;YACN,QAAQ,EAAE,EAAE;YACZ,IAAI;YACJ,MAAM;YACN,WAAW,EAAE,EAAE;YACf,cAAc;YACd,OAAO,EAAE,gDAAgD;YACzD,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;YACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,GAAW,EACX,OAA6D;QAE7D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;QAExB,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,gCAAgC;gBACzC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,EAAE,YAAY;YACpC,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAE9D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,6BAA6B;gBACtC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC7B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAEtD,OAAO;YACL,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;YACrC,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;gBACnC,CAAC,CAAC,0BAA0B,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,EAAE;gBAC7D,CAAC,CAAC,wBAAwB,aAAa,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,EAAE;YAC1E,MAAM;SACP,CAAC;IACJ,CAAC;IAED,cAAc,CAAC,MAA0B,EAAE,MAAqB;QAC9D,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,UAAU,CAAC,CAAC;IAClG,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,MAAc;QACvC,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEvC,QAAQ,MAAM,CAAC,SAAS,EAAE,CAAC;YACzB,KAAK,KAAK;gBACR,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,EAAE;oBAC5E,GAAG,EAAE,EAAE,yBAAyB,EAAE,MAAM,EAAE;iBAC3C,CAAC,CAAC;YACL,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC7C,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,sBAAsB,KAAK,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC;YACxF,CAAC;YACD,KAAK,OAAO,CAAC;YACb,KAAK,OAAO;gBACV,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,yDAAyD,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;YACxG;gBACE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,+BAA+B,MAAM,CAAC,SAAS,EAAE,EAAE,CAAC;QAClG,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,cAAc,CAAC,OAAwB;IACrD,OAAO,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,eAAe,CAAC,QAAmB;IAC1C,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC9B,OAAO,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAClF,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAkC;IAC9D,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,gBAAgB,CAAC;QAC1B,KAAK,kBAAkB;YACrB,OAAO,sCAAsC,CAAC;QAChD,KAAK,MAAM;YACT,OAAO,sBAAsB,CAAC;QAChC;YACE,OAAO,iBAAiB,CAAC;IAC7B,CAAC;AACH,CAAC"}

package/dist/domain/artifact.d.ts

@@ -0,0 +1,34 @@
+export interface FileEntry {
+    readonly path: string;
+    readonly content: string;
+    readonly size: number;
+}
+export interface PackageMetadata {
+    readonly name?: string;
+    readonly version?: string;
+    readonly author?: string;
+    readonly maintainers?: string[];
+    readonly repository?: string;
+    readonly homepage?: string;
+    readonly license?: string;
+    readonly publishDate?: string;
+    readonly firstPublishDate?: string;
+    readonly downloadCount?: number;
+    readonly keywords?: string[];
+    readonly verifiedPublisher?: boolean;
+    readonly signedRelease?: boolean;
+    readonly scripts?: Record<string, string>;
+    readonly dependencies?: Record<string, string>;
+    readonly devDependencies?: Record<string, string>;
+    readonly optionalDependencies?: Record<string, string>;
+    readonly sourceUrl?: string;
+    readonly description?: string;
+}
+export interface Artifact {
+    readonly target: import('./target.js').Target;
+    readonly rootPath: string;
+    readonly files: FileEntry[];
+    readonly metadata: PackageMetadata;
+    readonly manifest?: Record<string, unknown>;
+}
+//# sourceMappingURL=artifact.d.ts.map

package/dist/domain/artifact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact.d.ts","sourceRoot":"","sources":["../../src/domain/artifact.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IACrC,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/C,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClD,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,MAAM,EAAE,OAAO,aAAa,EAAE,MAAM,CAAC;IAC9C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC7C"}

package/dist/domain/artifact.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=artifact.js.map

package/dist/domain/artifact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact.js","sourceRoot":"","sources":["../../src/domain/artifact.ts"],"names":[],"mappings":""}

package/dist/domain/finding.d.ts

@@ -0,0 +1,22 @@
+export declare const SEVERITIES: readonly ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];
+export type Severity = (typeof SEVERITIES)[number];
+export declare const CATEGORIES: readonly ["metadata", "source", "repository", "static-code", "dependency", "install-script", "ai-prompt", "permission", "network", "secret", "binary", "reputation", "behavioral"];
+export type Category = (typeof CATEGORIES)[number];
+export declare const SEVERITY_WEIGHTS: Record<Severity, number>;
+export interface Finding {
+    readonly id: string;
+    readonly category: Category;
+    readonly severity: Severity;
+    readonly title: string;
+    readonly description: string;
+    readonly evidence?: string;
+    readonly file?: string;
+    readonly line?: number;
+    readonly ruleId?: string;
+    readonly positive?: boolean;
+    readonly isTest?: boolean;
+}
+export declare function createFinding(partial: Omit<Finding, 'id'> & {
+    id?: string;
+}): Finding;
+//# sourceMappingURL=finding.d.ts.map

package/dist/domain/finding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding.d.ts","sourceRoot":"","sources":["../../src/domain/finding.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,UAAU,wDAAyD,CAAC;AACjF,MAAM,MAAM,QAAQ,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC;AAEnD,eAAO,MAAM,UAAU,oLAcb,CAAC;AACX,MAAM,MAAM,QAAQ,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC;AAEnD,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAMrD,CAAC;AAEF,MAAM,WAAW,OAAO;IACtB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,wBAAgB,aAAa,CAC3B,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG;IAAE,EAAE,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7C,OAAO,CAKT"}

package/dist/domain/finding.js

@@ -0,0 +1,30 @@
+export const SEVERITIES = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
+export const CATEGORIES = [
+    'metadata',
+    'source',
+    'repository',
+    'static-code',
+    'dependency',
+    'install-script',
+    'ai-prompt',
+    'permission',
+    'network',
+    'secret',
+    'binary',
+    'reputation',
+    'behavioral',
+];
+export const SEVERITY_WEIGHTS = {
+    CRITICAL: 50,
+    HIGH: 20,
+    MEDIUM: 10,
+    LOW: 2,
+    INFO: 0,
+};
+export function createFinding(partial) {
+    return {
+        id: partial.id ?? `${partial.category}-${partial.ruleId ?? partial.title}`.replace(/\s+/g, '-').toLowerCase(),
+        ...partial,
+    };
+}
+//# sourceMappingURL=finding.js.map

package/dist/domain/finding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding.js","sourceRoot":"","sources":["../../src/domain/finding.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAU,CAAC;AAGjF,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,UAAU;IACV,QAAQ;IACR,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,gBAAgB;IAChB,WAAW;IACX,YAAY;IACZ,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,YAAY;IACZ,YAAY;CACJ,CAAC;AAGX,MAAM,CAAC,MAAM,gBAAgB,GAA6B;IACxD,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,EAAE;IACV,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAgBF,MAAM,UAAU,aAAa,CAC3B,OAA8C;IAE9C,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE;QAC7G,GAAG,OAAO;KACX,CAAC;AACJ,CAAC"}

package/dist/domain/index.d.ts

@@ -0,0 +1,7 @@
+export * from './target.js';
+export * from './finding.js';
+export * from './risk.js';
+export * from './artifact.js';
+export * from './permission.js';
+export * from './report.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/domain/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/domain/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC"}