@sentinel-atl/scanner 0.3.0

package/dist/permission-scanner.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Permission scanner — detects what system resources an MCP server accesses.
+ *
+ * Analyzes imports and API usage to determine permission scope:
+ * - filesystem: fs, path operations
+ * - network: http, https, net, tls, dns, fetch
+ * - process: child_process, exec, spawn
+ * - crypto: crypto operations (generally safe, but noted)
+ * - environment: process.env access
+ */
+import type { Finding } from './scanner.js';
+export type PermissionKind = 'filesystem' | 'network' | 'process' | 'crypto' | 'environment' | 'native';
+export interface DetectedPermission {
+    kind: PermissionKind;
+    source: string;
+    file: string;
+    line: number;
+    evidence: string;
+}
+export interface PermissionScanResult {
+    /** Unique permission kinds detected */
+    kinds: PermissionKind[];
+    /** All detected permission usages */
+    detections: DetectedPermission[];
+    findings: Finding[];
+}
+export declare function scanPermissions(packagePath: string, extensions: string[]): Promise<PermissionScanResult>;
+//# sourceMappingURL=permission-scanner.d.ts.map

package/dist/permission-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-scanner.d.ts","sourceRoot":"","sources":["../src/permission-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,MAAM,cAAc,GACtB,YAAY,GACZ,SAAS,GACT,SAAS,GACT,QAAQ,GACR,aAAa,GACb,QAAQ,CAAC;AAEb,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,cAAc,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,uCAAuC;IACvC,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,qCAAqC;IACrC,UAAU,EAAE,kBAAkB,EAAE,CAAC;IACjC,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAwCD,wBAAsB,eAAe,CACnC,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,EAAE,GACnB,OAAO,CAAC,oBAAoB,CAAC,CA6C/B"}

package/dist/permission-scanner.js

@@ -0,0 +1,100 @@
+/**
+ * Permission scanner — detects what system resources an MCP server accesses.
+ *
+ * Analyzes imports and API usage to determine permission scope:
+ * - filesystem: fs, path operations
+ * - network: http, https, net, tls, dns, fetch
+ * - process: child_process, exec, spawn
+ * - crypto: crypto operations (generally safe, but noted)
+ * - environment: process.env access
+ */
+import { readFile, readdir } from 'node:fs/promises';
+import { join, relative } from 'node:path';
+const PERMISSION_RULES = [
+    // Filesystem
+    { kind: 'filesystem', pattern: /(?:from|require\s*\()\s*['"](?:node:)?fs(?:\/promises)?['"]/g, source: 'fs module', severity: 'medium' },
+    { kind: 'filesystem', pattern: /(?:readFile|writeFile|readdir|mkdir|rmdir|unlink|rename|copyFile|stat|access)\s*\(/g, source: 'fs operation', severity: 'medium' },
+    { kind: 'filesystem', pattern: /(?:createReadStream|createWriteStream)\s*\(/g, source: 'fs stream', severity: 'medium' },
+    // Network
+    { kind: 'network', pattern: /(?:from|require\s*\()\s*['"](?:node:)?(?:http|https|net|tls|dgram)['"]/g, source: 'network module', severity: 'high' },
+    { kind: 'network', pattern: /(?:from|require\s*\()\s*['"](?:node-fetch|axios|got|undici)['"]/g, source: 'http client library', severity: 'high' },
+    { kind: 'network', pattern: /\bfetch\s*\(/g, source: 'global fetch', severity: 'medium' },
+    // Process/Shell
+    { kind: 'process', pattern: /(?:from|require\s*\()\s*['"](?:node:)?child_process['"]/g, source: 'child_process module', severity: 'critical' },
+    { kind: 'process', pattern: /(?:exec|execFile|execSync|spawn|spawnSync|fork)\s*\(/g, source: 'process execution', severity: 'critical' },
+    { kind: 'process', pattern: /process\.(?:kill|exit|abort)\s*\(/g, source: 'process control', severity: 'high' },
+    // Crypto (generally safe but noted)
+    { kind: 'crypto', pattern: /(?:from|require\s*\()\s*['"](?:node:)?crypto['"]/g, source: 'crypto module', severity: 'info' },
+    // Environment
+    { kind: 'environment', pattern: /process\.env(?:\.|(?:\[))/g, source: 'environment variable', severity: 'low' },
+    // Native modules
+    { kind: 'native', pattern: /(?:from|require\s*\()\s*['"].*\.node['"]/g, source: 'native addon', severity: 'high' },
+    { kind: 'native', pattern: /(?:from|require\s*\()\s*['"](?:node:)?(?:v8|vm|worker_threads)['"]/g, source: 'low-level module', severity: 'high' },
+];
+// ─── Scanner ─────────────────────────────────────────────────────────
+export async function scanPermissions(packagePath, extensions) {
+    const files = await collectSourceFiles(packagePath, extensions);
+    const detections = [];
+    const findings = [];
+    for (const filePath of files) {
+        const content = await readFile(filePath, 'utf-8');
+        const lines = content.split('\n');
+        const relPath = relative(packagePath, filePath);
+        for (const rule of PERMISSION_RULES) {
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                rule.pattern.lastIndex = 0;
+                if (rule.pattern.test(line)) {
+                    const trimmed = line.trim();
+                    if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) {
+                        continue;
+                    }
+                    detections.push({
+                        kind: rule.kind,
+                        source: rule.source,
+                        file: relPath,
+                        line: i + 1,
+                        evidence: trimmed.slice(0, 120),
+                    });
+                    findings.push({
+                        severity: rule.severity,
+                        category: 'permission',
+                        title: `${rule.kind}: ${rule.source} in ${relPath}:${i + 1}`,
+                        description: `Detected ${rule.kind} access via ${rule.source}`,
+                        file: relPath,
+                        line: i + 1,
+                        evidence: trimmed.slice(0, 120),
+                    });
+                }
+            }
+        }
+    }
+    const kinds = [...new Set(detections.map(d => d.kind))];
+    return { kinds, detections, findings };
+}
+// ─── File Collection ─────────────────────────────────────────────────
+async function collectSourceFiles(dir, extensions, basePath) {
+    basePath ??= dir;
+    const files = [];
+    let entries;
+    try {
+        entries = await readdir(dir, { withFileTypes: true });
+    }
+    catch {
+        return files;
+    }
+    for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
+        const fullPath = join(dir, entry.name);
+        if (entry.isDirectory()) {
+            if (['node_modules', 'dist', '.git', '.turbo', 'coverage', '__pycache__'].includes(entry.name)) {
+                continue;
+            }
+            files.push(...await collectSourceFiles(fullPath, extensions, basePath));
+        }
+        else if (entry.isFile() && extensions.some(ext => entry.name.endsWith(ext))) {
+            files.push(fullPath);
+        }
+    }
+    return files;
+}
+//# sourceMappingURL=permission-scanner.js.map

package/dist/permission-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-scanner.js","sourceRoot":"","sources":["../src/permission-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAoC3C,MAAM,gBAAgB,GAAqB;IACzC,aAAa;IACb,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,8DAA8D,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACxI,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,qFAAqF,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAClK,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,8CAA8C,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAExH,UAAU;IACV,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,yEAAyE,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE;IACnJ,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,kEAAkE,EAAE,MAAM,EAAE,qBAAqB,EAAE,QAAQ,EAAE,MAAM,EAAE;IACjJ,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAEzF,gBAAgB;IAChB,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,0DAA0D,EAAE,MAAM,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC9I,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,uDAAuD,EAAE,MAAM,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE;IACxI,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,oCAAoC,EAAE,MAAM,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE;IAE/G,oCAAoC;IACpC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,mDAAmD,EAAE,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,EAAE;IAE3H,cAAc;IACd,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,sBAAsB,EAAE,QAAQ,EAAE,KAAK,EAAE;IAE/G,iBAAiB;IACjB,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,2CAA2C,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE;IAClH,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,qEAAqE,EAAE,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,EAAE;CACjJ,CAAC;AAEF,wEAAwE;AAExE,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,WAAmB,EACnB,UAAoB;IAEpB,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAChE,MAAM,UAAU,GAAyB,EAAE,CAAC;IAC5C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAEhD,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;YACpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;wBACpF,SAAS;oBACX,CAAC;oBAED,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,IAAI,EAAE,OAAO;wBACb,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;qBAChC,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ,EAAE,YAAY;wBACtB,KAAK,EAAE,GAAG,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,MAAM,OAAO,OAAO,IAAI,CAAC,GAAG,CAAC,EAAE;wBAC5D,WAAW,EAAE,YAAY,IAAI,CAAC,IAAI,eAAe,IAAI,CAAC,MAAM,EAAE;wBAC9D,IAAI,EAAE,OAAO;wBACb,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;qBAChC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAExD,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AACzC,CAAC;AAED,wEAAwE;AAExE,KAAK,UAAU,kBAAkB,CAC/B,GAAW,EACX,UAAoB,EACpB,QAAiB;IAEjB,QAAQ,KAAK,GAAG,CAAC;IACjB,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,IAAI,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/F,SAAS;YACX,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1E,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC9E,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/publisher-scanner.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Publisher verifier — checks npm registry for package publisher identity signals.
+ *
+ * Checks:
+ * 1. Package exists on npm registry
+ * 2. Publisher/maintainer count and identities
+ * 3. Whether the publisher has 2FA enabled (npm provenance)
+ * 4. Package age (how long has it existed?)
+ * 5. Download count (popularity signal)
+ * 6. Repository link presence and match
+ * 7. npm provenance attestation (sigstore)
+ */
+import type { Finding } from './scanner.js';
+export interface PublisherInfo {
+    /** npm package name */
+    packageName: string;
+    /** Whether the package exists on npm */
+    existsOnNpm: boolean;
+    /** npm publisher username */
+    publisher?: string;
+    /** npm publisher email */
+    publisherEmail?: string;
+    /** Number of maintainers */
+    maintainerCount: number;
+    /** Maintainer usernames */
+    maintainers: string[];
+    /** Package creation date */
+    createdAt?: string;
+    /** Last publish date */
+    lastPublishedAt?: string;
+    /** Package age in days */
+    ageDays: number;
+    /** Weekly downloads */
+    weeklyDownloads: number;
+    /** Whether the package has a repository link */
+    hasRepository: boolean;
+    /** Repository URL */
+    repositoryUrl?: string;
+    /** Whether npm provenance attestation is present */
+    hasProvenance: boolean;
+    /** License */
+    license?: string;
+    /** Number of published versions */
+    versionCount: number;
+}
+export interface PublisherScanResult {
+    info: PublisherInfo;
+    findings: Finding[];
+    /** Publisher trust score 0-100 */
+    score: number;
+}
+/**
+ * Verify publisher identity by checking the npm registry.
+ */
+export declare function scanPublisher(packageName: string): Promise<PublisherScanResult>;
+//# sourceMappingURL=publisher-scanner.d.ts.map

package/dist/publisher-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"publisher-scanner.d.ts","sourceRoot":"","sources":["../src/publisher-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAI5C,MAAM,WAAW,aAAa;IAC5B,uBAAuB;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,wCAAwC;IACxC,WAAW,EAAE,OAAO,CAAC;IACrB,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,4BAA4B;IAC5B,eAAe,EAAE,MAAM,CAAC;IACxB,2BAA2B;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wBAAwB;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0BAA0B;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,uBAAuB;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,aAAa,EAAE,OAAO,CAAC;IACvB,qBAAqB;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,aAAa,CAAC;IACpB,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;CACf;AAiCD;;GAEG;AACH,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAiJrF"}

package/dist/publisher-scanner.js

@@ -0,0 +1,238 @@
+/**
+ * Publisher verifier — checks npm registry for package publisher identity signals.
+ *
+ * Checks:
+ * 1. Package exists on npm registry
+ * 2. Publisher/maintainer count and identities
+ * 3. Whether the publisher has 2FA enabled (npm provenance)
+ * 4. Package age (how long has it existed?)
+ * 5. Download count (popularity signal)
+ * 6. Repository link presence and match
+ * 7. npm provenance attestation (sigstore)
+ */
+// ─── Registry Fetcher ─────────────────────────────────────────────────
+async function fetchRegistryData(packageName) {
+    const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+    const response = await fetch(url, {
+        headers: { 'Accept': 'application/json' },
+        signal: AbortSignal.timeout(10_000),
+    });
+    if (!response.ok) {
+        if (response.status === 404)
+            return null;
+        throw new Error(`npm registry returned ${response.status}`);
+    }
+    return response.json();
+}
+async function fetchDownloadCount(packageName) {
+    try {
+        const url = `https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`;
+        const response = await fetch(url, {
+            signal: AbortSignal.timeout(5_000),
+        });
+        if (!response.ok)
+            return 0;
+        const data = await response.json();
+        return data.downloads ?? 0;
+    }
+    catch {
+        return 0;
+    }
+}
+// ─── Scanner ─────────────────────────────────────────────────────────
+/**
+ * Verify publisher identity by checking the npm registry.
+ */
+export async function scanPublisher(packageName) {
+    const findings = [];
+    // Skip for local-only / unknown packages
+    if (!packageName || packageName === 'unknown' || packageName.startsWith('/')) {
+        return {
+            info: emptyInfo(packageName),
+            findings,
+            score: 50, // neutral for local packages
+        };
+    }
+    try {
+        const [registryData, weeklyDownloads] = await Promise.all([
+            fetchRegistryData(packageName),
+            fetchDownloadCount(packageName),
+        ]);
+        if (!registryData) {
+            findings.push({
+                severity: 'medium',
+                category: 'publisher',
+                title: 'Package not found on npm',
+                description: `"${packageName}" does not exist on the npm registry`,
+            });
+            return { info: { ...emptyInfo(packageName), existsOnNpm: false }, findings, score: 20 };
+        }
+        // Extract publisher info
+        const timeData = registryData.time ?? {};
+        const createdAt = timeData.created;
+        const lastPublishedAt = timeData.modified;
+        const maintainers = registryData.maintainers ?? [];
+        const latestVersion = registryData['dist-tags']?.latest;
+        const latestData = latestVersion ? registryData.versions?.[latestVersion] : undefined;
+        const ageDays = createdAt
+            ? Math.floor((Date.now() - new Date(createdAt).getTime()) / 86_400_000)
+            : 0;
+        const repositoryUrl = latestData?.repository?.url ?? registryData.repository?.url;
+        const hasRepository = !!repositoryUrl;
+        const license = latestData?.license ?? registryData.license;
+        const hasProvenance = !!latestData?.dist?.attestations || !!latestData?.dist?.signatures?.length;
+        const versionCount = Object.keys(registryData.versions ?? {}).length;
+        // Determine publisher from _npmUser on latest version
+        const npmUser = latestData?._npmUser;
+        const info = {
+            packageName,
+            existsOnNpm: true,
+            publisher: npmUser?.name,
+            publisherEmail: npmUser?.email,
+            maintainerCount: maintainers.length,
+            maintainers: maintainers.map(m => m.name),
+            createdAt,
+            lastPublishedAt,
+            ageDays,
+            weeklyDownloads,
+            hasRepository,
+            repositoryUrl,
+            hasProvenance,
+            license,
+            versionCount,
+        };
+        // Generate findings
+        if (ageDays < 30) {
+            findings.push({
+                severity: 'medium',
+                category: 'publisher',
+                title: `New package: ${ageDays} days old`,
+                description: 'Package was published less than 30 days ago — limited track record',
+            });
+        }
+        if (weeklyDownloads < 100) {
+            findings.push({
+                severity: 'low',
+                category: 'publisher',
+                title: `Low popularity: ${weeklyDownloads} downloads/week`,
+                description: 'Low download count suggests limited community vetting',
+            });
+        }
+        if (maintainers.length === 1) {
+            findings.push({
+                severity: 'low',
+                category: 'publisher',
+                title: 'Single maintainer',
+                description: 'Package has only one maintainer — single point of failure for supply chain',
+            });
+        }
+        if (!hasRepository) {
+            findings.push({
+                severity: 'medium',
+                category: 'publisher',
+                title: 'No repository link',
+                description: 'Package does not link to a source code repository',
+            });
+        }
+        if (!license) {
+            findings.push({
+                severity: 'medium',
+                category: 'publisher',
+                title: 'No license specified',
+                description: 'Package does not specify a license',
+            });
+        }
+        if (!hasProvenance) {
+            findings.push({
+                severity: 'info',
+                category: 'publisher',
+                title: 'No npm provenance',
+                description: 'Package does not have npm provenance attestation (sigstore)',
+            });
+        }
+        if (maintainers.length > 10) {
+            findings.push({
+                severity: 'low',
+                category: 'publisher',
+                title: `Many maintainers: ${maintainers.length}`,
+                description: 'Large number of maintainers increases attack surface',
+            });
+        }
+        // Compute publisher score
+        const score = computePublisherScore(info);
+        return { info, findings, score };
+    }
+    catch (err) {
+        // Network failure — return neutral score
+        findings.push({
+            severity: 'info',
+            category: 'publisher',
+            title: 'Could not check npm registry',
+            description: err.message,
+        });
+        return { info: emptyInfo(packageName), findings, score: 50 };
+    }
+}
+// ─── Scoring ──────────────────────────────────────────────────────────
+function computePublisherScore(info) {
+    let score = 0;
+    // Exists on npm: +20
+    if (info.existsOnNpm)
+        score += 20;
+    // Age bonus: up to +20
+    if (info.ageDays > 365)
+        score += 20;
+    else if (info.ageDays > 180)
+        score += 15;
+    else if (info.ageDays > 30)
+        score += 10;
+    else
+        score += 2;
+    // Downloads: up to +20
+    if (info.weeklyDownloads > 10_000)
+        score += 20;
+    else if (info.weeklyDownloads > 1_000)
+        score += 15;
+    else if (info.weeklyDownloads > 100)
+        score += 10;
+    else
+        score += 2;
+    // Repository: +10
+    if (info.hasRepository)
+        score += 10;
+    // License: +5
+    if (info.license)
+        score += 5;
+    // Provenance: +10
+    if (info.hasProvenance)
+        score += 10;
+    // Multiple maintainers but not too many: +5
+    if (info.maintainerCount >= 2 && info.maintainerCount <= 10)
+        score += 5;
+    else if (info.maintainerCount === 1)
+        score += 2;
+    // Multiple versions (established): +10
+    if (info.versionCount > 10)
+        score += 10;
+    else if (info.versionCount > 3)
+        score += 7;
+    else if (info.versionCount > 1)
+        score += 4;
+    else
+        score += 1;
+    return Math.min(100, score);
+}
+function emptyInfo(packageName) {
+    return {
+        packageName,
+        existsOnNpm: false,
+        maintainerCount: 0,
+        maintainers: [],
+        ageDays: 0,
+        weeklyDownloads: 0,
+        hasRepository: false,
+        hasProvenance: false,
+        versionCount: 0,
+    };
+}
+//# sourceMappingURL=publisher-scanner.js.map

package/dist/publisher-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"publisher-scanner.js","sourceRoot":"","sources":["../src/publisher-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA8CH,yEAAyE;AAEzE,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,MAAM,GAAG,GAAG,8BAA8B,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;IAC5E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,OAAO,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QACzC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,WAAmB;IACnD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,mDAAmD,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;QACjG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,CAAC,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA4B,CAAC;QAC7D,OAAO,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,wEAAwE;AAExE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,WAAmB;IACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,yCAAyC;IACzC,IAAI,CAAC,WAAW,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7E,OAAO;YACL,IAAI,EAAE,SAAS,CAAC,WAAW,CAAC;YAC5B,QAAQ;YACR,KAAK,EAAE,EAAE,EAAE,6BAA6B;SACzC,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACxD,iBAAiB,CAAC,WAAW,CAAC;YAC9B,kBAAkB,CAAC,WAAW,CAAC;SAChC,CAAC,CAAC;QAEH,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,0BAA0B;gBACjC,WAAW,EAAE,IAAI,WAAW,sCAAsC;aACnE,CAAC,CAAC;YACH,OAAO,EAAE,IAAI,EAAE,EAAE,GAAG,SAAS,CAAC,WAAW,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAC1F,CAAC;QAED,yBAAyB;QACzB,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,IAAI,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC;QACnC,MAAM,eAAe,GAAG,QAAQ,CAAC,QAAQ,CAAC;QAC1C,MAAM,WAAW,GAA4C,YAAY,CAAC,WAAW,IAAI,EAAE,CAAC;QAC5F,MAAM,aAAa,GAAG,YAAY,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QACxD,MAAM,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEtF,MAAM,OAAO,GAAG,SAAS;YACvB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC;YACvE,CAAC,CAAC,CAAC,CAAC;QAEN,MAAM,aAAa,GAAG,UAAU,EAAE,UAAU,EAAE,GAAG,IAAI,YAAY,CAAC,UAAU,EAAE,GAAG,CAAC;QAClF,MAAM,aAAa,GAAG,CAAC,CAAC,aAAa,CAAC;QACtC,MAAM,OAAO,GAAG,UAAU,EAAE,OAAO,IAAI,YAAY,CAAC,OAAO,CAAC;QAC5D,MAAM,aAAa,GAAG,CAAC,CAAC,UAAU,EAAE,IAAI,EAAE,YAAY,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC;QACjG,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QAErE,sDAAsD;QACtD,MAAM,OAAO,GAAG,UAAU,EAAE,QAAQ,CAAC;QAErC,MAAM,IAAI,GAAkB;YAC1B,WAAW;YACX,WAAW,EAAE,IAAI;YACjB,SAAS,EAAE,OAAO,EAAE,IAAI;YACxB,cAAc,EAAE,OAAO,EAAE,KAAK;YAC9B,eAAe,EAAE,WAAW,CAAC,MAAM;YACnC,WAAW,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YACzC,SAAS;YACT,eAAe;YACf,OAAO;YACP,eAAe;YACf,aAAa;YACb,aAAa;YACb,aAAa;YACb,OAAO;YACP,YAAY;SACb,CAAC;QAEF,oBAAoB;QACpB,IAAI,OAAO,GAAG,EAAE,EAAE,CAAC;YACjB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,gBAAgB,OAAO,WAAW;gBACzC,WAAW,EAAE,oEAAoE;aAClF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,eAAe,GAAG,GAAG,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,mBAAmB,eAAe,iBAAiB;gBAC1D,WAAW,EAAE,uDAAuD;aACrE,CAAC,CAAC;QACL,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,mBAAmB;gBAC1B,WAAW,EAAE,4EAA4E;aAC1F,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,oBAAoB;gBAC3B,WAAW,EAAE,mDAAmD;aACjE,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,sBAAsB;gBAC7B,WAAW,EAAE,oCAAoC;aAClD,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,mBAAmB;gBAC1B,WAAW,EAAE,6DAA6D;aAC3E,CAAC,CAAC;QACL,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,qBAAqB,WAAW,CAAC,MAAM,EAAE;gBAChD,WAAW,EAAE,sDAAsD;aACpE,CAAC,CAAC;QACL,CAAC;QAED,0BAA0B;QAC1B,MAAM,KAAK,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;QAE1C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,yCAAyC;QACzC,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,WAAW;YACrB,KAAK,EAAE,8BAA8B;YACrC,WAAW,EAAG,GAAa,CAAC,OAAO;SACpC,CAAC,CAAC;QACH,OAAO,EAAE,IAAI,EAAE,SAAS,CAAC,WAAW,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IAC/D,CAAC;AACH,CAAC;AAED,yEAAyE;AAEzE,SAAS,qBAAqB,CAAC,IAAmB;IAChD,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,qBAAqB;IACrB,IAAI,IAAI,CAAC,WAAW;QAAE,KAAK,IAAI,EAAE,CAAC;IAElC,uBAAuB;IACvB,IAAI,IAAI,CAAC,OAAO,GAAG,GAAG;QAAE,KAAK,IAAI,EAAE,CAAC;SAC/B,IAAI,IAAI,CAAC,OAAO,GAAG,GAAG;QAAE,KAAK,IAAI,EAAE,CAAC;SACpC,IAAI,IAAI,CAAC,OAAO,GAAG,EAAE;QAAE,KAAK,IAAI,EAAE,CAAC;;QACnC,KAAK,IAAI,CAAC,CAAC;IAEhB,uBAAuB;IACvB,IAAI,IAAI,CAAC,eAAe,GAAG,MAAM;QAAE,KAAK,IAAI,EAAE,CAAC;SAC1C,IAAI,IAAI,CAAC,eAAe,GAAG,KAAK;QAAE,KAAK,IAAI,EAAE,CAAC;SAC9C,IAAI,IAAI,CAAC,eAAe,GAAG,GAAG;QAAE,KAAK,IAAI,EAAE,CAAC;;QAC5C,KAAK,IAAI,CAAC,CAAC;IAEhB,kBAAkB;IAClB,IAAI,IAAI,CAAC,aAAa;QAAE,KAAK,IAAI,EAAE,CAAC;IAEpC,cAAc;IACd,IAAI,IAAI,CAAC,OAAO;QAAE,KAAK,IAAI,CAAC,CAAC;IAE7B,kBAAkB;IAClB,IAAI,IAAI,CAAC,aAAa;QAAE,KAAK,IAAI,EAAE,CAAC;IAEpC,4CAA4C;IAC5C,IAAI,IAAI,CAAC,eAAe,IAAI,CAAC,IAAI,IAAI,CAAC,eAAe,IAAI,EAAE;QAAE,KAAK,IAAI,CAAC,CAAC;SACnE,IAAI,IAAI,CAAC,eAAe,KAAK,CAAC;QAAE,KAAK,IAAI,CAAC,CAAC;IAEhD,uCAAuC;IACvC,IAAI,IAAI,CAAC,YAAY,GAAG,EAAE;QAAE,KAAK,IAAI,EAAE,CAAC;SACnC,IAAI,IAAI,CAAC,YAAY,GAAG,CAAC;QAAE,KAAK,IAAI,CAAC,CAAC;SACtC,IAAI,IAAI,CAAC,YAAY,GAAG,CAAC;QAAE,KAAK,IAAI,CAAC,CAAC;;QACtC,KAAK,IAAI,CAAC,CAAC;IAEhB,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,SAAS,CAAC,WAAmB;IACpC,OAAO;QACL,WAAW;QACX,WAAW,EAAE,KAAK;QAClB,eAAe,EAAE,CAAC;QAClB,WAAW,EAAE,EAAE;QACf,OAAO,EAAE,CAAC;QACV,eAAe,EAAE,CAAC;QAClB,aAAa,EAAE,KAAK;QACpB,aAAa,EAAE,KAAK;QACpB,YAAY,EAAE,CAAC;KAChB,CAAC;AACJ,CAAC"}

package/dist/scanner.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Core scanner — orchestrates all sub-scanners and produces a unified ScanReport.
+ */
+import { type DependencyScanResult } from './dependency-scanner.js';
+import { type PatternScanResult } from './pattern-scanner.js';
+import { type PermissionScanResult } from './permission-scanner.js';
+import { type PublisherScanResult } from './publisher-scanner.js';
+import { type ScoreBreakdown } from './trust-score.js';
+export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+export type FindingCategory = 'vulnerability' | 'dangerous-pattern' | 'obfuscation' | 'permission' | 'exfiltration' | 'publisher';
+export interface Finding {
+    severity: FindingSeverity;
+    category: FindingCategory;
+    title: string;
+    description: string;
+    file?: string;
+    line?: number;
+    evidence?: string;
+}
+export interface TrustScore {
+    /** Overall score 0-100 (100 = fully trusted) */
+    overall: number;
+    /** Per-category breakdown */
+    breakdown: ScoreBreakdown;
+    /** Human-readable grade: A, B, C, D, F */
+    grade: string;
+}
+export interface ScanReport {
+    /** Package name */
+    packageName: string;
+    /** Package version */
+    packageVersion: string;
+    /** When scan was performed */
+    scannedAt: string;
+    /** Scanner version */
+    scannerVersion: string;
+    /** Trust score */
+    trustScore: TrustScore;
+    /** All findings */
+    findings: Finding[];
+    /** Dependency scan results */
+    dependencies: DependencyScanResult;
+    /** Code pattern scan results */
+    patterns: PatternScanResult;
+    /** Permission scan results */
+    permissions: PermissionScanResult;
+    /** Publisher identity results */
+    publisher?: PublisherScanResult;
+    /** Scan duration in ms */
+    durationMs: number;
+}
+export interface ScanOptions {
+    /** Path to the package directory to scan */
+    packagePath: string;
+    /** Skip dependency scanning (useful when npm not available) */
+    skipDependencies?: boolean;
+    /** Additional file extensions to scan (default: .ts, .js, .mjs, .cjs) */
+    extensions?: string[];
+}
+export declare function scan(options: ScanOptions): Promise<ScanReport>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAoB,KAAK,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AACtF,OAAO,EAAoB,KAAK,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAChF,OAAO,EAAmB,KAAK,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AACrF,OAAO,EAAiB,KAAK,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AACjF,OAAO,EAAqB,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAM1E,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAE9E,MAAM,MAAM,eAAe,GACvB,eAAe,GACf,mBAAmB,GACnB,aAAa,GACb,YAAY,GACZ,cAAc,GACd,WAAW,CAAC;AAEhB,MAAM,WAAW,OAAO;IACtB,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,eAAe,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,SAAS,EAAE,cAAc,CAAC;IAC1B,0CAA0C;IAC1C,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB;IAClB,UAAU,EAAE,UAAU,CAAC;IACvB,mBAAmB;IACnB,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,8BAA8B;IAC9B,YAAY,EAAE,oBAAoB,CAAC;IACnC,gCAAgC;IAChC,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,8BAA8B;IAC9B,WAAW,EAAE,oBAAoB,CAAC;IAClC,iCAAiC;IACjC,SAAS,CAAC,EAAE,mBAAmB,CAAC;IAChC,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,yEAAyE;IACzE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAMD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAkEpE"}

package/dist/scanner.js

@@ -0,0 +1,71 @@
+/**
+ * Core scanner — orchestrates all sub-scanners and produces a unified ScanReport.
+ */
+import { scanDependencies } from './dependency-scanner.js';
+import { scanCodePatterns } from './pattern-scanner.js';
+import { scanPermissions } from './permission-scanner.js';
+import { scanPublisher } from './publisher-scanner.js';
+import { computeTrustScore } from './trust-score.js';
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+// ─── Main Scan Function ──────────────────────────────────────────────
+const SCANNER_VERSION = '0.3.0';
+export async function scan(options) {
+    const startTime = Date.now();
+    const { packagePath, skipDependencies = false } = options;
+    const extensions = options.extensions ?? ['.ts', '.js', '.mjs', '.cjs'];
+    // Read package.json
+    const pkgJsonPath = join(packagePath, 'package.json');
+    let packageName = 'unknown';
+    let packageVersion = '0.0.0';
+    try {
+        const pkgJson = JSON.parse(await readFile(pkgJsonPath, 'utf-8'));
+        packageName = pkgJson.name ?? 'unknown';
+        packageVersion = pkgJson.version ?? '0.0.0';
+    }
+    catch {
+        // No package.json — we can still scan the code
+    }
+    // Run all sub-scanners
+    const [dependencies, patterns, permissions, publisher] = await Promise.all([
+        skipDependencies
+            ? { vulnerabilities: [], totalDependencies: 0, findings: [] }
+            : scanDependencies(packagePath),
+        scanCodePatterns(packagePath, extensions),
+        scanPermissions(packagePath, extensions),
+        scanPublisher(packageName),
+    ]);
+    // Aggregate findings
+    const findings = [
+        ...dependencies.findings,
+        ...patterns.findings,
+        ...permissions.findings,
+        ...publisher.findings,
+    ];
+    // Compute trust score
+    const breakdown = computeTrustScore(findings, dependencies, patterns, permissions, publisher);
+    const overall = Math.round(breakdown.dependencies * 0.25 +
+        breakdown.codePatterns * 0.30 +
+        breakdown.permissions * 0.25 +
+        breakdown.publisher * 0.20);
+    const grade = overall >= 90 ? 'A'
+        : overall >= 75 ? 'B'
+            : overall >= 60 ? 'C'
+                : overall >= 40 ? 'D'
+                    : 'F';
+    const trustScore = { overall, breakdown, grade };
+    return {
+        packageName,
+        packageVersion,
+        scannedAt: new Date().toISOString(),
+        scannerVersion: SCANNER_VERSION,
+        trustScore,
+        findings,
+        dependencies,
+        patterns,
+        permissions,
+        publisher,
+        durationMs: Date.now() - startTime,
+    };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,gBAAgB,EAA6B,MAAM,yBAAyB,CAAC;AACtF,OAAO,EAAE,gBAAgB,EAA0B,MAAM,sBAAsB,CAAC;AAChF,OAAO,EAAE,eAAe,EAA6B,MAAM,yBAAyB,CAAC;AACrF,OAAO,EAAE,aAAa,EAA4B,MAAM,wBAAwB,CAAC;AACjF,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,QAAQ,EAAQ,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAmEjC,wEAAwE;AAExE,MAAM,eAAe,GAAG,OAAO,CAAC;AAEhC,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,EAAE,WAAW,EAAE,gBAAgB,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAExE,oBAAoB;IACpB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IACtD,IAAI,WAAW,GAAG,SAAS,CAAC;IAC5B,IAAI,cAAc,GAAG,OAAO,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;QACjE,WAAW,GAAG,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;QACxC,cAAc,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IAED,uBAAuB;IACvB,MAAM,CAAC,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzE,gBAAgB;YACd,CAAC,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAe,EAAE;YAC1E,CAAC,CAAC,gBAAgB,CAAC,WAAW,CAAC;QACjC,gBAAgB,CAAC,WAAW,EAAE,UAAU,CAAC;QACzC,eAAe,CAAC,WAAW,EAAE,UAAU,CAAC;QACxC,aAAa,CAAC,WAAW,CAAC;KAC3B,CAAC,CAAC;IAEH,qBAAqB;IACrB,MAAM,QAAQ,GAAc;QAC1B,GAAG,YAAY,CAAC,QAAQ;QACxB,GAAG,QAAQ,CAAC,QAAQ;QACpB,GAAG,WAAW,CAAC,QAAQ;QACvB,GAAG,SAAS,CAAC,QAAQ;KACtB,CAAC;IAEF,sBAAsB;IACtB,MAAM,SAAS,GAAG,iBAAiB,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;IAC9F,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,SAAS,CAAC,YAAY,GAAG,IAAI;QAC7B,SAAS,CAAC,YAAY,GAAG,IAAI;QAC7B,SAAS,CAAC,WAAW,GAAG,IAAI;QAC5B,SAAS,CAAC,SAAS,GAAG,IAAI,CAC3B,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG;QAC/B,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG;YACrB,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG;gBACrB,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG;oBACrB,CAAC,CAAC,GAAG,CAAC;IAER,MAAM,UAAU,GAAe,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IAE7D,OAAO;QACL,WAAW;QACX,cAAc;QACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,cAAc,EAAE,eAAe;QAC/B,UAAU;QACV,QAAQ;QACR,YAAY;QACZ,QAAQ;QACR,WAAW;QACX,SAAS;QACT,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;KACnC,CAAC;AACJ,CAAC"}