@sigildev/sigil 0.1.0

package/dist/discovery/config-parser.js

@@ -0,0 +1,23 @@
+import { readFile } from "node:fs/promises";
+/**
+ * Parse an MCP configuration file (claude_desktop_config.json, .mcp.json)
+ * and extract server entries.
+ */
+export async function parseConfig(configPath) {
+    const raw = await readFile(configPath, "utf-8");
+    const config = JSON.parse(raw);
+    const entries = [];
+    // Handle both { mcpServers: {...} } and { servers: {...} } formats
+    const servers = config.mcpServers ?? config.servers ?? {};
+    for (const [name, value] of Object.entries(servers)) {
+        const server = value;
+        entries.push({
+            name,
+            command: server.command ?? "",
+            args: server.args,
+            env: server.env,
+        });
+    }
+    return entries;
+}
+//# sourceMappingURL=config-parser.js.map

package/dist/discovery/config-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-parser.js","sourceRoot":"","sources":["../../src/discovery/config-parser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAAkB;IAClD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE/B,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,mEAAmE;IACnE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;IAE1D,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,MAAM,MAAM,GAAG,KAAgC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC;YACX,IAAI;YACJ,OAAO,EAAG,MAAM,CAAC,OAAkB,IAAI,EAAE;YACzC,IAAI,EAAE,MAAM,CAAC,IAA4B;YACzC,GAAG,EAAE,MAAM,CAAC,GAAyC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/discovery/files.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Discover source files in the target directory based on detected language.
+ * Returns paths relative to rootDir.
+ */
+export declare function discoverFiles(rootDir: string, language: "typescript" | "python" | "unknown"): Promise<string[]>;
+//# sourceMappingURL=files.d.ts.map

package/dist/discovery/files.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"files.d.ts","sourceRoot":"","sources":["../../src/discovery/files.ts"],"names":[],"mappings":"AAsBA;;;GAGG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,GAAG,QAAQ,GAAG,SAAS,GAC5C,OAAO,CAAC,MAAM,EAAE,CAAC,CAoBnB"}

package/dist/discovery/files.js

@@ -0,0 +1,43 @@
+import fg from "fast-glob";
+const TS_PATTERNS = ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.mjs"];
+const PY_PATTERNS = ["**/*.py"];
+const IGNORE_PATTERNS = [
+    "**/node_modules/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/__pycache__/**",
+    "**/.venv/**",
+    "**/venv/**",
+    "**/.git/**",
+    "**/coverage/**",
+    "**/*.test.ts",
+    "**/*.test.js",
+    "**/*.spec.ts",
+    "**/*.spec.js",
+    "**/test/**",
+    "**/tests/**",
+];
+/**
+ * Discover source files in the target directory based on detected language.
+ * Returns paths relative to rootDir.
+ */
+export async function discoverFiles(rootDir, language) {
+    let patterns;
+    switch (language) {
+        case "typescript":
+            patterns = TS_PATTERNS;
+            break;
+        case "python":
+            patterns = PY_PATTERNS;
+            break;
+        case "unknown":
+            patterns = [...TS_PATTERNS, ...PY_PATTERNS];
+            break;
+    }
+    return fg(patterns, {
+        cwd: rootDir,
+        ignore: IGNORE_PATTERNS,
+        dot: false,
+    });
+}
+//# sourceMappingURL=files.js.map

package/dist/discovery/files.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"files.js","sourceRoot":"","sources":["../../src/discovery/files.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,WAAW,CAAC;AAE3B,MAAM,WAAW,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AACnE,MAAM,WAAW,GAAG,CAAC,SAAS,CAAC,CAAC;AAEhC,MAAM,eAAe,GAAG;IACtB,oBAAoB;IACpB,YAAY;IACZ,aAAa;IACb,mBAAmB;IACnB,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,gBAAgB;IAChB,cAAc;IACd,cAAc;IACd,cAAc;IACd,cAAc;IACd,YAAY;IACZ,aAAa;CACd,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,QAA6C;IAE7C,IAAI,QAAkB,CAAC;IAEvB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,YAAY;YACf,QAAQ,GAAG,WAAW,CAAC;YACvB,MAAM;QACR,KAAK,QAAQ;YACX,QAAQ,GAAG,WAAW,CAAC;YACvB,MAAM;QACR,KAAK,SAAS;YACZ,QAAQ,GAAG,CAAC,GAAG,WAAW,EAAE,GAAG,WAAW,CAAC,CAAC;YAC5C,MAAM;IACV,CAAC;IAED,OAAO,EAAE,CAAC,QAAQ,EAAE;QAClB,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,eAAe;QACvB,GAAG,EAAE,KAAK;KACX,CAAC,CAAC;AACL,CAAC"}

package/dist/discovery/manifest.d.ts

@@ -0,0 +1,6 @@
+import type { ManifestInfo } from "../analyzers/types.js";
+/**
+ * Parse package.json or pyproject.toml to extract manifest info.
+ */
+export declare function parseManifest(rootDir: string): Promise<ManifestInfo | undefined>;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/discovery/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/discovery/manifest.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAiFnC"}

package/dist/discovery/manifest.js

@@ -0,0 +1,82 @@
+import { readFile } from "node:fs/promises";
+import { resolve } from "node:path";
+/**
+ * Parse package.json or pyproject.toml to extract manifest info.
+ */
+export async function parseManifest(rootDir) {
+    // Try package.json first
+    try {
+        const pkgPath = resolve(rootDir, "package.json");
+        const raw = await readFile(pkgPath, "utf-8");
+        const pkg = JSON.parse(raw);
+        // Check for lockfile
+        let lockfilePath;
+        for (const lockfile of [
+            "package-lock.json",
+            "yarn.lock",
+            "pnpm-lock.yaml",
+        ]) {
+            try {
+                const lp = resolve(rootDir, lockfile);
+                await readFile(lp, "utf-8"); // just check it exists
+                lockfilePath = lp;
+                break;
+            }
+            catch {
+                // try next
+            }
+        }
+        return {
+            name: pkg.name,
+            version: pkg.version,
+            dependencies: pkg.dependencies ?? {},
+            devDependencies: pkg.devDependencies ?? {},
+            lockfilePath,
+        };
+    }
+    catch {
+        // No package.json
+    }
+    // Try pyproject.toml
+    try {
+        const pyPath = resolve(rootDir, "pyproject.toml");
+        const raw = await readFile(pyPath, "utf-8");
+        // Basic TOML parsing for name/version — just regex for MVP
+        const nameMatch = raw.match(/^name\s*=\s*"([^"]+)"/m);
+        const versionMatch = raw.match(/^version\s*=\s*"([^"]+)"/m);
+        // Extract dependencies from [project.dependencies] or [tool.poetry.dependencies]
+        const deps = {};
+        const depSection = raw.match(/\[(?:project\.)?dependencies\]\n([\s\S]*?)(?:\n\[|$)/);
+        if (depSection) {
+            const depLines = depSection[1].matchAll(/^(\S+)\s*=\s*"([^"]+)"/gm);
+            for (const match of depLines) {
+                deps[match[1]] = match[2];
+            }
+        }
+        // Check for lockfile
+        let lockfilePath;
+        for (const lockfile of ["poetry.lock", "uv.lock"]) {
+            try {
+                const lp = resolve(rootDir, lockfile);
+                await readFile(lp, "utf-8");
+                lockfilePath = lp;
+                break;
+            }
+            catch {
+                // try next
+            }
+        }
+        return {
+            name: nameMatch?.[1],
+            version: versionMatch?.[1],
+            dependencies: deps,
+            devDependencies: {},
+            lockfilePath,
+        };
+    }
+    catch {
+        // No pyproject.toml
+    }
+    return undefined;
+}
+//# sourceMappingURL=manifest.js.map

package/dist/discovery/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/discovery/manifest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe;IAEf,yBAAyB;IACzB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE5B,qBAAqB;QACrB,IAAI,YAAgC,CAAC;QACrC,KAAK,MAAM,QAAQ,IAAI;YACrB,mBAAmB;YACnB,WAAW;YACX,gBAAgB;SACjB,EAAE,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACtC,MAAM,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC,uBAAuB;gBACpD,YAAY,GAAG,EAAE,CAAC;gBAClB,MAAM;YACR,CAAC;YAAC,MAAM,CAAC;gBACP,WAAW;YACb,CAAC;QACH,CAAC;QAED,OAAO;YACL,IAAI,EAAE,GAAG,CAAC,IAA0B;YACpC,OAAO,EAAE,GAAG,CAAC,OAA6B;YAC1C,YAAY,EAAG,GAAG,CAAC,YAAuC,IAAI,EAAE;YAChE,eAAe,EAAG,GAAG,CAAC,eAA0C,IAAI,EAAE;YACtE,YAAY;SACb,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IAED,qBAAqB;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAE5C,2DAA2D;QAC3D,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACtD,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAE5D,iFAAiF;QACjF,MAAM,IAAI,GAA2B,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAC1B,sDAAsD,CACvD,CAAC;QACF,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,0BAA0B,CAAC,CAAC;YACpE,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;gBAC7B,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,qBAAqB;QACrB,IAAI,YAAgC,CAAC;QACrC,KAAK,MAAM,QAAQ,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACtC,MAAM,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;gBAC5B,YAAY,GAAG,EAAE,CAAC;gBAClB,MAAM;YACR,CAAC;YAAC,MAAM,CAAC;gBACP,WAAW;YACb,CAAC;QACH,CAAC;QAED,OAAO;YACL,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;YACpB,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;YAC1B,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,EAAE;YACnB,YAAY;SACb,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,oBAAoB;IACtB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { scan } from "./scanner.js";
+import { formatText } from "./reporters/text.js";
+import { formatJson } from "./reporters/json.js";
+import { formatSarif } from "./reporters/sarif.js";
+const program = new Command();
+program
+    .name("sigil")
+    .description("Security scanner for MCP (Model Context Protocol) servers")
+    .version("0.1.0")
+    .argument("<target>", "Path to MCP server directory, file, or config")
+    .option("-o, --output <format>", "Output format: text, json, sarif", "text")
+    .option("-s, --severity <level>", "Minimum severity to report: low, medium, high, critical", "low")
+    .option("--no-color", "Disable colored output")
+    .option("--config <path>", "Path to scanner config file (.mcp-scanner.yml)")
+    .option("--ignore <rules>", "Comma-separated rule IDs to ignore")
+    .option("-q, --quiet", "Only output findings (no banner, no summary)")
+    .option("-v, --verbose", "Show detailed analysis trace")
+    .action(async (target, opts) => {
+    const format = opts.output;
+    const minSeverity = opts.severity;
+    const ignoreRules = opts.ignore
+        ? opts.ignore.split(",").map((r) => r.trim())
+        : [];
+    try {
+        const result = await scan(target, {
+            minSeverity,
+            ignoreRules,
+            configPath: opts.config,
+            verbose: opts.verbose,
+        });
+        let output;
+        switch (format) {
+            case "json":
+                output = formatJson(result);
+                break;
+            case "sarif":
+                output = formatSarif(result);
+                break;
+            case "text":
+            default:
+                output = formatText(result, {
+                    color: opts.color !== false,
+                    quiet: opts.quiet,
+                });
+                break;
+        }
+        process.stdout.write(output + "\n");
+        // Exit code: 0 if PASS, 1 if FAIL/WARN
+        process.exit(result.score.value >= 70 ? 0 : 1);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${message}\n`);
+        process.exit(2);
+    }
+});
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,OAAO,CAAC;KACb,WAAW,CAAC,2DAA2D,CAAC;KACxE,OAAO,CAAC,OAAO,CAAC;KAChB,QAAQ,CAAC,UAAU,EAAE,+CAA+C,CAAC;KACrE,MAAM,CAAC,uBAAuB,EAAE,kCAAkC,EAAE,MAAM,CAAC;KAC3E,MAAM,CACL,wBAAwB,EACxB,yDAAyD,EACzD,KAAK,CACN;KACA,MAAM,CAAC,YAAY,EAAE,wBAAwB,CAAC;KAC9C,MAAM,CAAC,iBAAiB,EAAE,gDAAgD,CAAC;KAC3E,MAAM,CAAC,kBAAkB,EAAE,oCAAoC,CAAC;KAChE,MAAM,CAAC,aAAa,EAAE,8CAA8C,CAAC;KACrE,MAAM,CAAC,eAAe,EAAE,8BAA8B,CAAC;KACvD,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,IAAI,EAAE,EAAE;IACrC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAsB,CAAC;IAC3C,MAAM,WAAW,GAAG,IAAI,CAAC,QAAoB,CAAC;IAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM;QAC7B,CAAC,CAAE,IAAI,CAAC,MAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACjE,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE;YAChC,WAAW;YACX,WAAW;YACX,UAAU,EAAE,IAAI,CAAC,MAA4B;YAC7C,OAAO,EAAE,IAAI,CAAC,OAAkB;SACjC,CAAC,CAAC;QAEH,IAAI,MAAc,CAAC;QACnB,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,MAAM;gBACT,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;gBAC5B,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC7B,MAAM;YACR,KAAK,MAAM,CAAC;YACZ;gBACE,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE;oBAC1B,KAAK,EAAE,IAAI,CAAC,KAAK,KAAK,KAAK;oBAC3B,KAAK,EAAE,IAAI,CAAC,KAAgB;iBAC7B,CAAC,CAAC;gBACH,MAAM;QACV,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QAEpC,uCAAuC;QACvC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,OAAO,IAAI,CAAC,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/reporters/json.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from "../analyzers/types.js";
+export declare function formatJson(result: ScanResult): string;
+//# sourceMappingURL=json.d.ts.map

package/dist/reporters/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/reporters/json.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAExD,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAErD"}

package/dist/reporters/json.js

@@ -0,0 +1,4 @@
+export function formatJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+//# sourceMappingURL=json.js.map

package/dist/reporters/json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/reporters/json.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/reporters/sarif.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from "../analyzers/types.js";
+export declare function formatSarif(result: ScanResult): string;
+//# sourceMappingURL=sarif.d.ts.map

package/dist/reporters/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/reporters/sarif.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAY,MAAM,uBAAuB,CAAC;AAkDlE,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAoDtD"}

package/dist/reporters/sarif.js

@@ -0,0 +1,57 @@
+const SEVERITY_TO_SARIF_LEVEL = {
+    critical: "error",
+    high: "error",
+    medium: "warning",
+    low: "note",
+};
+export function formatSarif(result) {
+    // Collect unique rules
+    const ruleMap = new Map();
+    for (const finding of result.findings) {
+        if (!ruleMap.has(finding.ruleId)) {
+            ruleMap.set(finding.ruleId, {
+                id: finding.ruleId,
+                name: finding.ruleId.replace(/[^a-zA-Z0-9]/g, ""),
+                shortDescription: { text: finding.title },
+                defaultConfiguration: {
+                    level: SEVERITY_TO_SARIF_LEVEL[finding.severity],
+                },
+            });
+        }
+    }
+    const sarif = {
+        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: "mcp-scanner",
+                        version: result.scanner.version,
+                        rules: Array.from(ruleMap.values()),
+                    },
+                },
+                results: result.findings.map((f) => ({
+                    ruleId: f.ruleId,
+                    level: SEVERITY_TO_SARIF_LEVEL[f.severity],
+                    message: { text: f.message },
+                    locations: [
+                        {
+                            physicalLocation: {
+                                artifactLocation: { uri: f.location.file },
+                                region: {
+                                    startLine: f.location.startLine,
+                                    startColumn: f.location.startColumn,
+                                    endLine: f.location.endLine,
+                                    endColumn: f.location.endColumn,
+                                },
+                            },
+                        },
+                    ],
+                })),
+            },
+        ],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+//# sourceMappingURL=sarif.js.map

package/dist/reporters/sarif.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/reporters/sarif.ts"],"names":[],"mappings":"AA2CA,MAAM,uBAAuB,GAA6B;IACxD,QAAQ,EAAE,OAAO;IACjB,IAAI,EAAE,OAAO;IACb,MAAM,EAAE,SAAS;IACjB,GAAG,EAAE,MAAM;CACZ,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,MAAkB;IAC5C,uBAAuB;IACvB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA+B,CAAC;IACvD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE;gBAC1B,EAAE,EAAE,OAAO,CAAC,MAAM;gBAClB,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;gBACjD,gBAAgB,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,EAAE;gBACzC,oBAAoB,EAAE;oBACpB,KAAK,EAAE,uBAAuB,CAAC,OAAO,CAAC,QAAQ,CAAC;iBACjD;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAgB;QACzB,OAAO,EACL,sGAAsG;QACxG,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,aAAa;wBACnB,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO;wBAC/B,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;qBACpC;iBACF;gBACD,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACnC,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,KAAK,EAAE,uBAAuB,CAAC,CAAC,CAAC,QAAQ,CAAC;oBAC1C,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;oBAC5B,SAAS,EAAE;wBACT;4BACE,gBAAgB,EAAE;gCAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE;gCAC1C,MAAM,EAAE;oCACN,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,SAAS;oCAC/B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW;oCACnC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO;oCAC3B,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,SAAS;iCAChC;6BACF;yBACF;qBACF;iBACF,CAAC,CAAC;aACJ;SACF;KACF,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC"}

package/dist/reporters/text.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from "../analyzers/types.js";
+export interface TextFormatOptions {
+    color?: boolean;
+    quiet?: boolean;
+}
+export declare function formatText(result: ScanResult, options?: TextFormatOptions): string;
+//# sourceMappingURL=text.d.ts.map

package/dist/reporters/text.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"text.d.ts","sourceRoot":"","sources":["../../src/reporters/text.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAqB,MAAM,uBAAuB,CAAC;AAE3E,MAAM,WAAW,iBAAiB;IAChC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,wBAAgB,UAAU,CACxB,MAAM,EAAE,UAAU,EAClB,OAAO,GAAE,iBAAsB,GAC9B,MAAM,CAoER"}

package/dist/reporters/text.js

@@ -0,0 +1,89 @@
+import chalk, { Chalk } from "chalk";
+export function formatText(result, options = {}) {
+    const { color = true, quiet = false } = options;
+    const c = color ? chalk : new Chalk({ level: 0 });
+    const lines = [];
+    // ─── Banner ───
+    if (!quiet) {
+        lines.push("");
+        lines.push(c.dim(`  Sigil v${result.scanner.version}`));
+        lines.push("");
+        lines.push(`  Scanning: ${c.bold(result.target.path)}`);
+        lines.push(`  Language: ${result.target.language}` +
+            (result.target.name ? ` (${result.target.name})` : ""));
+        lines.push(`  Tools: ${result.server.tools.length} detected` +
+            ` | Resources: ${result.server.resources.length} detected` +
+            ` | Prompts: ${result.server.prompts.length} detected`);
+        lines.push("");
+    }
+    // ─── Findings ───
+    if (result.findings.length === 0) {
+        lines.push(c.green("  No security findings detected."));
+        lines.push("");
+    }
+    else {
+        for (const finding of result.findings) {
+            lines.push(formatFinding(finding, c));
+            lines.push("");
+        }
+    }
+    // ─── Summary ───
+    if (!quiet) {
+        const sep = c.dim("  " + "─".repeat(50));
+        lines.push(sep);
+        const counts = countBySeverity(result.findings);
+        const countParts = [];
+        if (counts.critical > 0)
+            countParts.push(c.red.bold(`${counts.critical} critical`));
+        if (counts.high > 0)
+            countParts.push(c.yellow(`${counts.high} high`));
+        if (counts.medium > 0)
+            countParts.push(c.blue(`${counts.medium} medium`));
+        if (counts.low > 0)
+            countParts.push(c.dim(`${counts.low} low`));
+        const total = result.findings.length;
+        lines.push(`  ${total} finding${total !== 1 ? "s" : ""}: ${countParts.join(", ")}`);
+        const scoreColor = result.score.label === "PASS"
+            ? c.green
+            : result.score.label === "WARN"
+                ? c.yellow
+                : c.red;
+        lines.push(`  Trust Score: ${scoreColor.bold(`${result.score.value}/100`)} (${scoreColor(result.score.label)})`);
+        lines.push(sep);
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+function formatFinding(finding, c) {
+    const badge = severityBadge(finding.severity, c);
+    const lines = [];
+    lines.push(`  ${badge}  ${c.bold(finding.ruleId)}  ${finding.title}`);
+    lines.push(c.dim(`  │ `) + `${finding.location.file}:${finding.location.startLine}`);
+    lines.push(c.dim(`  │ `) + finding.message);
+    return lines.join("\n");
+}
+function severityBadge(severity, c) {
+    switch (severity) {
+        case "critical":
+            return c.bgRed.white.bold(` CRITICAL `);
+        case "high":
+            return c.bgYellow.black.bold(` HIGH `);
+        case "medium":
+            return c.bgBlue.white(` MEDIUM `);
+        case "low":
+            return c.dim(` LOW `);
+    }
+}
+function countBySeverity(findings) {
+    const counts = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+    };
+    for (const f of findings) {
+        counts[f.severity]++;
+    }
+    return counts;
+}
+//# sourceMappingURL=text.js.map

package/dist/reporters/text.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"text.js","sourceRoot":"","sources":["../../src/reporters/text.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,EAAE,KAAK,EAAsB,MAAM,OAAO,CAAC;AAQzD,MAAM,UAAU,UAAU,CACxB,MAAkB,EAClB,UAA6B,EAAE;IAE/B,MAAM,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAChD,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;IAClD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,iBAAiB;IACjB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CACR,eAAe,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAC5C,CAAC;QACF,KAAK,CAAC,IAAI,CACR,eAAe,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE;YACrC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CACzD,CAAC;QACF,KAAK,CAAC,IAAI,CACR,YAAY,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,WAAW;YAC/C,iBAAiB,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,WAAW;YAC1D,eAAe,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,WAAW,CACzD,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,mBAAmB;IACnB,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEhB,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC;YACrB,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,WAAW,CAAC,CAAC,CAAC;QAC7D,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC;QACtE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC;QAC1E,IAAI,MAAM,CAAC,GAAG,GAAG,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;QAEhE,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QACrC,KAAK,CAAC,IAAI,CACR,KAAK,KAAK,WAAW,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxE,CAAC;QAEF,MAAM,UAAU,GACd,MAAM,CAAC,KAAK,CAAC,KAAK,KAAK,MAAM;YAC3B,CAAC,CAAC,CAAC,CAAC,KAAK;YACT,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,KAAK,MAAM;gBAC7B,CAAC,CAAC,CAAC,CAAC,MAAM;gBACV,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACd,KAAK,CAAC,IAAI,CACR,kBAAkB,UAAU,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,KAAK,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CACrG,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,aAAa,CAAC,OAAgB,EAAE,CAAgB;IACvD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;IACtE,KAAK,CAAC,IAAI,CACR,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,CACzE,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE5C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,aAAa,CAAC,QAAkB,EAAE,CAAgB;IACzD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1C,KAAK,MAAM;YACT,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzC,KAAK,QAAQ;YACX,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACpC,KAAK,KAAK;YACR,OAAO,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,QAAmB;IAC1C,MAAM,MAAM,GAA6B;QACvC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;KACP,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/rules/auth.d.ts

@@ -0,0 +1,4 @@
+import type { AnalysisContext, Finding } from "../analyzers/types.js";
+export declare function detectHardcodedCredentials(context: AnalysisContext): Finding[];
+export declare function detectSecretsInConfig(context: AnalysisContext): Finding[];
+//# sourceMappingURL=auth.d.ts.map

package/dist/rules/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AA2BtE,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,EAAE,CAmC9E;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,EAAE,CAkCzE"}

package/dist/rules/auth.js

@@ -0,0 +1,88 @@
+const CREDENTIAL_PATTERNS = [
+    { pattern: /["'`](sk-[a-zA-Z0-9_-]{20,})["'`]/g, label: "OpenAI API key" },
+    { pattern: /["'`](sk-proj-[a-zA-Z0-9_-]{20,})["'`]/g, label: "OpenAI project key" },
+    { pattern: /["'`](sk-ant-[a-zA-Z0-9_-]{20,})["'`]/g, label: "Anthropic API key" },
+    { pattern: /["'`](ghp_[a-zA-Z0-9]{36,})["'`]/g, label: "GitHub personal access token" },
+    { pattern: /["'`](gho_[a-zA-Z0-9]{36,})["'`]/g, label: "GitHub OAuth token" },
+    { pattern: /["'`](github_pat_[a-zA-Z0-9_]{22,})["'`]/g, label: "GitHub PAT" },
+    { pattern: /["'`](glpat-[a-zA-Z0-9_-]{20,})["'`]/g, label: "GitLab access token" },
+    { pattern: /["'`](xoxb-[a-zA-Z0-9-]+)["'`]/g, label: "Slack bot token" },
+    { pattern: /["'`](xoxp-[a-zA-Z0-9-]+)["'`]/g, label: "Slack user token" },
+    { pattern: /["'`](AKIA[A-Z0-9]{16})["'`]/g, label: "AWS access key ID" },
+    { pattern: /["'`](AIza[a-zA-Z0-9_-]{35})["'`]/g, label: "Google API key" },
+    // Connection strings with embedded passwords
+    { pattern: /["'`](mongodb(?:\+srv)?:\/\/[^"'`\s]*:[^"'`\s]*@[^"'`\s]+)["'`]/g, label: "MongoDB connection string with credentials" },
+    { pattern: /["'`](postgres(?:ql)?:\/\/[^"'`\s]*:[^"'`\s]*@[^"'`\s]+)["'`]/g, label: "PostgreSQL connection string with credentials" },
+    { pattern: /["'`](mysql:\/\/[^"'`\s]*:[^"'`\s]*@[^"'`\s]+)["'`]/g, label: "MySQL connection string with credentials" },
+    { pattern: /["'`](redis:\/\/[^"'`\s]*:[^"'`\s]*@[^"'`\s]+)["'`]/g, label: "Redis connection string with credentials" },
+    // Private keys
+    { pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g, label: "Private key" },
+];
+function findLineNumber(content, index) {
+    return content.slice(0, index).split("\n").length;
+}
+export function detectHardcodedCredentials(context) {
+    const findings = [];
+    for (const [file, content] of context.sources) {
+        const lines = content.split("\n");
+        for (const { pattern, label } of CREDENTIAL_PATTERNS) {
+            pattern.lastIndex = 0;
+            let match;
+            while ((match = pattern.exec(content)) !== null) {
+                const lineNumber = findLineNumber(content, match.index);
+                const line = lines[lineNumber - 1] || "";
+                const trimmed = line.trimStart();
+                // Skip comments
+                if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*"))
+                    continue;
+                // Skip env var references
+                if (/process\.env|os\.environ|getenv|ENV\[/.test(line))
+                    continue;
+                findings.push({
+                    ruleId: "MCS-AUTH-001",
+                    severity: "critical",
+                    title: "Hardcoded Credentials",
+                    message: `${label} found hardcoded in source code. Use environment variables instead.`,
+                    location: { file, startLine: lineNumber, endLine: lineNumber },
+                    fix: {
+                        description: "Move the credential to an environment variable and reference it via process.env or os.environ.",
+                    },
+                });
+            }
+        }
+    }
+    return findings;
+}
+export function detectSecretsInConfig(context) {
+    const findings = [];
+    if (!context.configEntries)
+        return findings;
+    for (const entry of context.configEntries) {
+        if (!entry.env)
+            continue;
+        for (const [key, value] of Object.entries(entry.env)) {
+            const looksLikeSecret = /key|token|secret|password|credential|auth/i.test(key) &&
+                !value.startsWith("$") &&
+                !value.startsWith("${") &&
+                value.length > 8;
+            const isKnownKey = CREDENTIAL_PATTERNS.some((p) => {
+                p.pattern.lastIndex = 0;
+                return p.pattern.test(`"${value}"`);
+            });
+            if (looksLikeSecret || isKnownKey) {
+                findings.push({
+                    ruleId: "MCS-AUTH-002",
+                    severity: "high",
+                    title: "Secrets in MCP Configuration",
+                    message: `MCP config for "${entry.name}" has a hardcoded secret in env var "${key}".`,
+                    location: { file: "mcp-config", startLine: 1, endLine: 1 },
+                    fix: {
+                        description: "Reference the secret from your shell environment instead of hardcoding it in the config file.",
+                    },
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=auth.js.map

package/dist/rules/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/rules/auth.ts"],"names":[],"mappings":"AAEA,MAAM,mBAAmB,GAA8C;IACrE,EAAE,OAAO,EAAE,oCAAoC,EAAE,KAAK,EAAE,gBAAgB,EAAE;IAC1E,EAAE,OAAO,EAAE,yCAAyC,EAAE,KAAK,EAAE,oBAAoB,EAAE;IACnF,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,mBAAmB,EAAE;IACjF,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,8BAA8B,EAAE;IACvF,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAC7E,EAAE,OAAO,EAAE,2CAA2C,EAAE,KAAK,EAAE,YAAY,EAAE;IAC7E,EAAE,OAAO,EAAE,uCAAuC,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAClF,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACxE,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,kBAAkB,EAAE;IACzE,EAAE,OAAO,EAAE,+BAA+B,EAAE,KAAK,EAAE,mBAAmB,EAAE;IACxE,EAAE,OAAO,EAAE,oCAAoC,EAAE,KAAK,EAAE,gBAAgB,EAAE;IAC1E,6CAA6C;IAC7C,EAAE,OAAO,EAAE,kEAAkE,EAAE,KAAK,EAAE,4CAA4C,EAAE;IACpI,EAAE,OAAO,EAAE,gEAAgE,EAAE,KAAK,EAAE,+CAA+C,EAAE;IACrI,EAAE,OAAO,EAAE,sDAAsD,EAAE,KAAK,EAAE,0CAA0C,EAAE;IACtH,EAAE,OAAO,EAAE,sDAAsD,EAAE,KAAK,EAAE,0CAA0C,EAAE;IACtH,eAAe;IACf,EAAE,OAAO,EAAE,gDAAgD,EAAE,KAAK,EAAE,aAAa,EAAE;CACpF,CAAC;AAEF,SAAS,cAAc,CAAC,OAAe,EAAE,KAAa;IACpD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,OAAwB;IACjE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,mBAAmB,EAAE,CAAC;YACrD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,KAAK,CAAC;YACV,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAChD,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACxD,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAEjC,gBAAgB;gBAChB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAE7F,0BAA0B;gBAC1B,IAAI,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAEjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,cAAc;oBACtB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,uBAAuB;oBAC9B,OAAO,EAAE,GAAG,KAAK,qEAAqE;oBACtF,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,EAAE;oBAC9D,GAAG,EAAE;wBACH,WAAW,EAAE,gGAAgG;qBAC9G;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAwB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,CAAC,aAAa;QAAE,OAAO,QAAQ,CAAC;IAE5C,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,CAAC,GAAG;YAAE,SAAS;QACzB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACrD,MAAM,eAAe,GACnB,4CAA4C,CAAC,IAAI,CAAC,GAAG,CAAC;gBACtD,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;gBACtB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;gBACvB,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;YAEnB,MAAM,UAAU,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;gBAChD,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACxB,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YAEH,IAAI,eAAe,IAAI,UAAU,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,cAAc;oBACtB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,8BAA8B;oBACrC,OAAO,EAAE,mBAAmB,KAAK,CAAC,IAAI,wCAAwC,GAAG,IAAI;oBACrF,QAAQ,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;oBAC1D,GAAG,EAAE;wBACH,WAAW,EAAE,+FAA+F;qBAC7G;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/rules/config.d.ts

@@ -0,0 +1,5 @@
+import type { AnalysisContext, Finding } from "../analyzers/types.js";
+export declare function detectDebugMode(context: AnalysisContext): Finding[];
+export declare function detectVerboseErrors(context: AnalysisContext): Finding[];
+export declare function detectInsecureTransport(context: AnalysisContext): Finding[];
+//# sourceMappingURL=config.d.ts.map

package/dist/rules/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/rules/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAMtE,wBAAgB,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,EAAE,CAyCnE;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,EAAE,CA0DvE;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,EAAE,CAmC3E"}