@skillsmith/core 0.5.4 → 0.5.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/dist/.tsbuildinfo +1 -1
- package/dist/src/api/client.d.ts +4 -66
- package/dist/src/api/client.d.ts.map +1 -1
- package/dist/src/api/client.events.d.ts.map +1 -1
- package/dist/src/api/client.events.js +10 -1
- package/dist/src/api/client.events.js.map +1 -1
- package/dist/src/api/client.js +40 -66
- package/dist/src/api/client.js.map +1 -1
- package/dist/src/api/client.token-refresh.d.ts +3 -0
- package/dist/src/api/client.token-refresh.d.ts.map +1 -0
- package/dist/src/api/client.token-refresh.js +19 -0
- package/dist/src/api/client.token-refresh.js.map +1 -0
- package/dist/src/api/client.token-refresh.test.d.ts +2 -0
- package/dist/src/api/client.token-refresh.test.d.ts.map +1 -0
- package/dist/src/api/client.token-refresh.test.js +73 -0
- package/dist/src/api/client.token-refresh.test.js.map +1 -0
- package/dist/src/api/client.types.d.ts +2 -0
- package/dist/src/api/client.types.d.ts.map +1 -1
- package/dist/src/api/index.d.ts +1 -1
- package/dist/src/api/index.d.ts.map +1 -1
- package/dist/src/api/index.js +1 -1
- package/dist/src/api/index.js.map +1 -1
- package/dist/src/api/schemas.d.ts +319 -70
- package/dist/src/config/index.d.ts +4 -0
- package/dist/src/config/index.d.ts.map +1 -1
- package/dist/src/config/index.js +6 -0
- package/dist/src/config/index.js.map +1 -1
- package/dist/src/config/token-credentials.d.ts +13 -0
- package/dist/src/config/token-credentials.d.ts.map +1 -0
- package/dist/src/config/token-credentials.js +126 -0
- package/dist/src/config/token-credentials.js.map +1 -0
- package/dist/src/config/token-credentials.test.d.ts +10 -0
- package/dist/src/config/token-credentials.test.d.ts.map +1 -0
- package/dist/src/config/token-credentials.test.js +91 -0
- package/dist/src/config/token-credentials.test.js.map +1 -0
- package/dist/src/index.d.ts +4 -2
- package/dist/src/index.d.ts.map +1 -1
- package/dist/src/index.js +5 -2
- package/dist/src/index.js.map +1 -1
- package/dist/src/scripts/__tests__/scan-imported-skills.test.js +34 -5
- package/dist/src/scripts/__tests__/scan-imported-skills.test.js.map +1 -1
- package/dist/src/scripts/github-import/blocklist.d.ts +65 -0
- package/dist/src/scripts/github-import/blocklist.d.ts.map +1 -0
- package/dist/src/scripts/github-import/blocklist.js +124 -0
- package/dist/src/scripts/github-import/blocklist.js.map +1 -0
- package/dist/src/scripts/github-import/index.d.ts +1 -0
- package/dist/src/scripts/github-import/index.d.ts.map +1 -1
- package/dist/src/scripts/github-import/index.js +3 -0
- package/dist/src/scripts/github-import/index.js.map +1 -1
- package/dist/src/scripts/github-import/signal-of-intent.d.ts +87 -0
- package/dist/src/scripts/github-import/signal-of-intent.d.ts.map +1 -0
- package/dist/src/scripts/github-import/signal-of-intent.js +213 -0
- package/dist/src/scripts/github-import/signal-of-intent.js.map +1 -0
- package/dist/src/scripts/github-import/types.d.ts +22 -0
- package/dist/src/scripts/github-import/types.d.ts.map +1 -1
- package/dist/src/scripts/github-import/types.js.map +1 -1
- package/dist/src/scripts/import-github-skills.js +73 -3
- package/dist/src/scripts/import-github-skills.js.map +1 -1
- package/dist/src/scripts/skill-scanner/allowlist.d.ts +38 -0
- package/dist/src/scripts/skill-scanner/allowlist.d.ts.map +1 -0
- package/dist/src/scripts/skill-scanner/allowlist.js +178 -0
- package/dist/src/scripts/skill-scanner/allowlist.js.map +1 -0
- package/dist/src/scripts/skill-scanner/scanner.d.ts +10 -2
- package/dist/src/scripts/skill-scanner/scanner.d.ts.map +1 -1
- package/dist/src/scripts/skill-scanner/scanner.js +15 -3
- package/dist/src/scripts/skill-scanner/scanner.js.map +1 -1
- package/dist/src/scripts/skill-scanner/trust-scorer.d.ts +20 -6
- package/dist/src/scripts/skill-scanner/trust-scorer.d.ts.map +1 -1
- package/dist/src/scripts/skill-scanner/trust-scorer.js +28 -9
- package/dist/src/scripts/skill-scanner/trust-scorer.js.map +1 -1
- package/dist/src/scripts/skill-scanner/types.d.ts +50 -0
- package/dist/src/scripts/skill-scanner/types.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.helpers.d.ts +18 -0
- package/dist/src/security/scanner/SecurityScanner.helpers.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.helpers.js +54 -6
- package/dist/src/security/scanner/SecurityScanner.helpers.js.map +1 -1
- package/dist/src/security/scanner/patterns.d.ts.map +1 -1
- package/dist/src/security/scanner/patterns.js +45 -5
- package/dist/src/security/scanner/patterns.js.map +1 -1
- package/dist/tests/api/client.events.test.d.ts +10 -0
- package/dist/tests/api/client.events.test.d.ts.map +1 -0
- package/dist/tests/api/client.events.test.js +85 -0
- package/dist/tests/api/client.events.test.js.map +1 -0
- package/dist/tests/github-import/blocklist.test.d.ts +15 -0
- package/dist/tests/github-import/blocklist.test.d.ts.map +1 -0
- package/dist/tests/github-import/blocklist.test.js +182 -0
- package/dist/tests/github-import/blocklist.test.js.map +1 -0
- package/dist/tests/github-import/signal-of-intent.test.d.ts +15 -0
- package/dist/tests/github-import/signal-of-intent.test.d.ts.map +1 -0
- package/dist/tests/github-import/signal-of-intent.test.js +171 -0
- package/dist/tests/github-import/signal-of-intent.test.js.map +1 -0
- package/dist/tests/security/scanner-regression-guard.test.d.ts +12 -0
- package/dist/tests/security/scanner-regression-guard.test.d.ts.map +1 -1
- package/dist/tests/security/scanner-regression-guard.test.js +15 -3
- package/dist/tests/security/scanner-regression-guard.test.js.map +1 -1
- package/dist/tests/security/scanner-wave2-fixtures.test.d.ts +12 -0
- package/dist/tests/security/scanner-wave2-fixtures.test.d.ts.map +1 -0
- package/dist/tests/security/scanner-wave2-fixtures.test.js +173 -0
- package/dist/tests/security/scanner-wave2-fixtures.test.js.map +1 -0
- package/dist/tests/security.test.js +1 -0
- package/dist/tests/security.test.js.map +1 -1
- package/dist/tests/skill-scanner/allowlist.test.d.ts +16 -0
- package/dist/tests/skill-scanner/allowlist.test.d.ts.map +1 -0
- package/dist/tests/skill-scanner/allowlist.test.js +332 -0
- package/dist/tests/skill-scanner/allowlist.test.js.map +1 -0
- package/package.json +1 -1
|
@@ -1,28 +1,47 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* SMI-1189: Trust Scorer
|
|
3
|
+
* SMI-4396: Allowlist-aware quarantine predicate.
|
|
3
4
|
*
|
|
4
5
|
* Trust score calculation and quarantine decision logic.
|
|
5
6
|
*/
|
|
7
|
+
import { calculateRiskScore } from '../../security/scanner/SecurityScanner.helpers.js';
|
|
6
8
|
/** Default trust scorer configuration */
|
|
7
9
|
export const DEFAULT_TRUST_CONFIG = {
|
|
8
10
|
quarantineThreshold: 40,
|
|
9
11
|
};
|
|
10
12
|
/**
|
|
11
|
-
* Determines if a skill should be quarantined based on findings
|
|
13
|
+
* Determines if a skill should be quarantined based on findings.
|
|
12
14
|
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
15
|
+
* SMI-4396: when an allowlist matcher is provided, findings the matcher
|
|
16
|
+
* approves are removed BEFORE the quarantine check runs, and the risk score
|
|
17
|
+
* is recomputed from the filtered set rather than trusting report.riskScore
|
|
18
|
+
* (which was computed pre-allowlist inside SecurityScanner.scan).
|
|
19
|
+
*
|
|
20
|
+
* !report.passed is intentionally NOT part of the predicate: `passed` is
|
|
21
|
+
* also computed pre-allowlist, so keeping it here would re-quarantine every
|
|
22
|
+
* allowlisted skill whose raw scan had critical/high findings — defeating
|
|
23
|
+
* the allowlist's purpose. The new two-clause predicate still covers the old
|
|
24
|
+
* semantics: any scan that was `passed: false` must have had at least one
|
|
25
|
+
* critical/high finding OR score >= threshold, both of which are still caught.
|
|
26
|
+
*
|
|
27
|
+
* A skill is quarantined if ANY of:
|
|
28
|
+
* 1. Post-allowlist findings contain a critical or high severity entry
|
|
29
|
+
* 2. Post-allowlist risk score >= quarantineThreshold
|
|
17
30
|
*
|
|
18
31
|
* @param report - The scan report for the skill
|
|
19
32
|
* @param config - Trust scorer configuration
|
|
33
|
+
* @param allowlist - Optional per-skill allowlist (SMI-4396)
|
|
20
34
|
* @returns true if the skill should be quarantined
|
|
21
35
|
*/
|
|
22
|
-
export function shouldQuarantine(report, config = DEFAULT_TRUST_CONFIG) {
|
|
23
|
-
|
|
24
|
-
report.
|
|
25
|
-
report.findings
|
|
36
|
+
export function shouldQuarantine(report, config = DEFAULT_TRUST_CONFIG, allowlist) {
|
|
37
|
+
const effectiveFindings = allowlist
|
|
38
|
+
? report.findings.filter((f) => !allowlist.isAllowed(report.skillId, f))
|
|
39
|
+
: report.findings;
|
|
40
|
+
if (effectiveFindings.some((f) => f.severity === 'critical' || f.severity === 'high')) {
|
|
41
|
+
return true;
|
|
42
|
+
}
|
|
43
|
+
const effectiveRisk = calculateRiskScore(effectiveFindings).total;
|
|
44
|
+
return effectiveRisk >= config.quarantineThreshold;
|
|
26
45
|
}
|
|
27
46
|
/**
|
|
28
47
|
* Calculate average risk score from results
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"trust-scorer.js","sourceRoot":"","sources":["../../../../src/scripts/skill-scanner/trust-scorer.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"trust-scorer.js","sourceRoot":"","sources":["../../../../src/scripts/skill-scanner/trust-scorer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,mDAAmD,CAAA;AAWtF,yCAAyC;AACzC,MAAM,CAAC,MAAM,oBAAoB,GAAsB;IACrD,mBAAmB,EAAE,EAAE;CACxB,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAkB,EAClB,SAA4B,oBAAoB,EAChD,SAA4B;IAE5B,MAAM,iBAAiB,GAAG,SAAS;QACjC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACxE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAA;IAEnB,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,CAAC;QACtF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,aAAa,GAAG,kBAAkB,CAAC,iBAAiB,CAAC,CAAC,KAAK,CAAA;IACjE,OAAO,aAAa,IAAI,MAAM,CAAC,mBAAmB,CAAA;AACpD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAA0C;IAClF,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAA;IAC5B,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,CAAC,CAAA;IAEzB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC,CAAC,CAAA;IACvE,OAAO,GAAG,GAAG,KAAK,CAAA;AACpB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAA0C;IAC9E,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAA;IAClC,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAA;AAChE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAA0C;IAIzE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,MAAM,CAAA;IAC7D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,MAAM,CAAA;IAEjE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;AAChC,CAAC"}
|
|
@@ -138,5 +138,55 @@ export interface JsonOutput {
|
|
|
138
138
|
safe: string;
|
|
139
139
|
};
|
|
140
140
|
}
|
|
141
|
+
/**
|
|
142
|
+
* SMI-4396: Allowlist entry for per-skill, per-finding-type exemptions.
|
|
143
|
+
*
|
|
144
|
+
* Entries are loaded from data/skills-security-allowlist.json. Each entry
|
|
145
|
+
* exempts a specific (skillId, findingType, messagePattern) triple from
|
|
146
|
+
* triggering quarantine. Genuine new attacks on an allowlisted skill still
|
|
147
|
+
* quarantine because the match is per-finding, not per-skill.
|
|
148
|
+
*/
|
|
149
|
+
export interface AllowlistEntry {
|
|
150
|
+
/** Exact skill identifier (no wildcards). Must match SecurityFinding context. */
|
|
151
|
+
skillId: string;
|
|
152
|
+
/** Finding type to exempt (must match SecurityFinding.type). */
|
|
153
|
+
findingType: string;
|
|
154
|
+
/**
|
|
155
|
+
* Which field of the finding the pattern matches against.
|
|
156
|
+
* - `message` (default): the finding's human-readable message string
|
|
157
|
+
* - `location`: the raw line / location where the finding occurred (use for
|
|
158
|
+
* matching raw UTF-8 bytes like CJK full-width spaces that don't survive
|
|
159
|
+
* escape-sequence round-tripping through finding.message)
|
|
160
|
+
*/
|
|
161
|
+
matchField?: 'message' | 'location';
|
|
162
|
+
/** Regex pattern (ReDoS-validated at load time). */
|
|
163
|
+
messagePattern: string;
|
|
164
|
+
/** Human-readable justification (required). */
|
|
165
|
+
reason: string;
|
|
166
|
+
/** GitHub username or team who reviewed the entry (required). */
|
|
167
|
+
reviewedBy: string;
|
|
168
|
+
/** YYYY-MM-DD when the entry was reviewed. */
|
|
169
|
+
reviewedAt: string;
|
|
170
|
+
/** YYYY-MM-DD after which the entry stops applying (fail-safe toward quarantine). */
|
|
171
|
+
expiresAt: string;
|
|
172
|
+
}
|
|
173
|
+
/**
|
|
174
|
+
* SMI-4396: Root shape of data/skills-security-allowlist.json.
|
|
175
|
+
*/
|
|
176
|
+
export interface AllowlistFile {
|
|
177
|
+
version: number;
|
|
178
|
+
generatedAt: string;
|
|
179
|
+
allowlist: AllowlistEntry[];
|
|
180
|
+
}
|
|
181
|
+
/**
|
|
182
|
+
* SMI-4396: Matcher interface consumed by shouldQuarantine and scanSkill.
|
|
183
|
+
*
|
|
184
|
+
* An empty matcher (no entries loaded) returns false for every check — callers
|
|
185
|
+
* can always pass one regardless of whether allowlist data exists, keeping the
|
|
186
|
+
* quarantine path backward-compatible.
|
|
187
|
+
*/
|
|
188
|
+
export interface AllowlistMatcher {
|
|
189
|
+
isAllowed(skillId: string, finding: SecurityFinding, today?: Date): boolean;
|
|
190
|
+
}
|
|
141
191
|
export type { ScanReport, SecurityFinding, SecuritySeverity };
|
|
142
192
|
//# sourceMappingURL=types.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/scripts/skill-scanner/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAE5F;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;IACf,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAA;AAErE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,aAAa,EAAE,OAAO,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE;QACP,YAAY,EAAE,MAAM,CAAA;QACpB,MAAM,EAAE,MAAM,CAAA;QACd,WAAW,EAAE,MAAM,CAAA;QACnB,UAAU,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAA;QAC5C,gBAAgB,EAAE,MAAM,CAAA;QACxB,YAAY,EAAE,MAAM,CAAA;KACrB,CAAA;IACD,OAAO,EAAE,eAAe,EAAE,CAAA;IAC1B,WAAW,EAAE,KAAK,CAAC;QACjB,IAAI,EAAE,MAAM,CAAA;QACZ,KAAK,EAAE,MAAM,CAAA;QACb,QAAQ,EAAE,gBAAgB,CAAA;KAC3B,CAAC,CAAA;CACH;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,KAAK,CAAC;QACZ,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,SAAS,EAAE,MAAM,CAAA;QACjB,gBAAgB,EAAE,gBAAgB,CAAA;QAClC,WAAW,EAAE,MAAM,EAAE,CAAA;KACtB,CAAC,CAAA;CACH;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,KAAK,CAAC;QACZ,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,MAAM,EAAE,MAAM,CAAA;QACd,SAAS,EAAE,MAAM,CAAA;KAClB,CAAC,CAAA;CACH;AAED;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,eAAe;IACzD,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,IAAI,EAAE,OAAO,CAAA;IACb,0BAA0B;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,kCAAkC;IAClC,KAAK,EAAE,OAAO,CAAA;IACd,sBAAsB;IACtB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE;QACP,YAAY,EAAE,MAAM,CAAA;QACpB,MAAM,EAAE,MAAM,CAAA;QACd,WAAW,EAAE,MAAM,CAAA;QACnB,UAAU,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAA;QAC5C,gBAAgB,EAAE,MAAM,CAAA;QACxB,YAAY,EAAE,MAAM,CAAA;QACpB,QAAQ,EAAE,MAAM,CAAA;QAChB,eAAe,EAAE,MAAM,CAAA;KACxB,CAAA;IACD,WAAW,EAAE,KAAK,CAAC;QACjB,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,EAAE,gBAAgB,CAAA;QAC1B,UAAU,EAAE,MAAM,CAAA;KACnB,CAAC,CAAA;IACF,IAAI,EAAE,KAAK,CAAC;QACV,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;KAClB,CAAC,CAAA;IACF,WAAW,EAAE;QACX,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,MAAM,CAAA;QAClB,IAAI,EAAE,MAAM,CAAA;KACb,CAAA;CACF;AAGD,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,gBAAgB,EAAE,CAAA"}
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/scripts/skill-scanner/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAE5F;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;IACf,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAA;AAErE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,aAAa,EAAE,OAAO,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE;QACP,YAAY,EAAE,MAAM,CAAA;QACpB,MAAM,EAAE,MAAM,CAAA;QACd,WAAW,EAAE,MAAM,CAAA;QACnB,UAAU,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAA;QAC5C,gBAAgB,EAAE,MAAM,CAAA;QACxB,YAAY,EAAE,MAAM,CAAA;KACrB,CAAA;IACD,OAAO,EAAE,eAAe,EAAE,CAAA;IAC1B,WAAW,EAAE,KAAK,CAAC;QACjB,IAAI,EAAE,MAAM,CAAA;QACZ,KAAK,EAAE,MAAM,CAAA;QACb,QAAQ,EAAE,gBAAgB,CAAA;KAC3B,CAAC,CAAA;CACH;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,KAAK,CAAC;QACZ,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,SAAS,EAAE,MAAM,CAAA;QACjB,gBAAgB,EAAE,gBAAgB,CAAA;QAClC,WAAW,EAAE,MAAM,EAAE,CAAA;KACtB,CAAC,CAAA;CACH;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,KAAK,CAAC;QACZ,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,MAAM,EAAE,MAAM,CAAA;QACd,SAAS,EAAE,MAAM,CAAA;KAClB,CAAC,CAAA;CACH;AAED;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,eAAe;IACzD,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,IAAI,EAAE,OAAO,CAAA;IACb,0BAA0B;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,kCAAkC;IAClC,KAAK,EAAE,OAAO,CAAA;IACd,sBAAsB;IACtB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE;QACP,YAAY,EAAE,MAAM,CAAA;QACpB,MAAM,EAAE,MAAM,CAAA;QACd,WAAW,EAAE,MAAM,CAAA;QACnB,UAAU,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAA;QAC5C,gBAAgB,EAAE,MAAM,CAAA;QACxB,YAAY,EAAE,MAAM,CAAA;QACpB,QAAQ,EAAE,MAAM,CAAA;QAChB,eAAe,EAAE,MAAM,CAAA;KACxB,CAAA;IACD,WAAW,EAAE,KAAK,CAAC;QACjB,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,EAAE,gBAAgB,CAAA;QAC1B,UAAU,EAAE,MAAM,CAAA;KACnB,CAAC,CAAA;IACF,IAAI,EAAE,KAAK,CAAC;QACV,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,CAAA;KAClB,CAAC,CAAA;IACF,WAAW,EAAE;QACX,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,MAAM,CAAA;QAClB,IAAI,EAAE,MAAM,CAAA;KACb,CAAA;CACF;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,cAAc;IAC7B,iFAAiF;IACjF,OAAO,EAAE,MAAM,CAAA;IACf,gEAAgE;IAChE,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,SAAS,GAAG,UAAU,CAAA;IACnC,oDAAoD;IACpD,cAAc,EAAE,MAAM,CAAA;IACtB,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAA;IAClB,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAA;IAClB,qFAAqF;IACrF,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,cAAc,EAAE,CAAA;CAC5B;AAED;;;;;;GAMG;AACH,MAAM,WAAW,gBAAgB;IAC/B,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,IAAI,GAAG,OAAO,CAAA;CAC5E;AAGD,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,gBAAgB,EAAE,CAAA"}
|
|
@@ -12,6 +12,14 @@ export interface LineContext {
|
|
|
12
12
|
inTable: boolean;
|
|
13
13
|
isIndentedCode: boolean;
|
|
14
14
|
isInlineCode: boolean;
|
|
15
|
+
/**
|
|
16
|
+
* SMI-4396 Wave 2: line falls within a YAML frontmatter block
|
|
17
|
+
* (between opening `---` at file start and the next `---`). SKILL.md
|
|
18
|
+
* authors legitimately include domain keywords (`password`, `secrets`,
|
|
19
|
+
* `privilege escalation`) in `description:` fields — findings in
|
|
20
|
+
* this context are documentation, not code.
|
|
21
|
+
*/
|
|
22
|
+
inFrontmatter: boolean;
|
|
15
23
|
}
|
|
16
24
|
/**
|
|
17
25
|
* SMI-1532: Check if a regex pattern requires multi-line matching
|
|
@@ -22,6 +30,12 @@ export declare function isMultilinePattern(pattern: RegExp): boolean;
|
|
|
22
30
|
/**
|
|
23
31
|
* Analyze markdown content and return context for each line
|
|
24
32
|
* Used to reduce false positives in documentation/examples
|
|
33
|
+
*
|
|
34
|
+
* SMI-4396 Wave 2: tracks YAML frontmatter context (the `---`-fenced block
|
|
35
|
+
* at the top of a SKILL.md). Opening `---` must be at line 0 (ignoring
|
|
36
|
+
* leading blank lines); closing `---` ends the block. Lines within are
|
|
37
|
+
* marked inFrontmatter=true so their keyword matches downgrade to
|
|
38
|
+
* documentation severity.
|
|
25
39
|
*/
|
|
26
40
|
export declare function analyzeMarkdownContext(content: string): LineContext[];
|
|
27
41
|
/**
|
|
@@ -29,6 +43,10 @@ export declare function analyzeMarkdownContext(content: string): LineContext[];
|
|
|
29
43
|
* Note: isInlineCode is intentionally excluded — it marks the entire line,
|
|
30
44
|
* but only specific match positions within backtick spans should reduce severity.
|
|
31
45
|
* Use isWithinInlineCode() for per-span granularity (SMI-3521).
|
|
46
|
+
*
|
|
47
|
+
* SMI-4396 Wave 2: inFrontmatter also counts as documentation context.
|
|
48
|
+
* SKILL.md authors legitimately include domain keywords in description:
|
|
49
|
+
* fields (1Password integrations, security-research skills, etc.).
|
|
32
50
|
*/
|
|
33
51
|
export declare function isDocumentationContext(ctx: LineContext): boolean;
|
|
34
52
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityScanner.helpers.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.helpers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,mBAAmB,EACnB,kBAAkB,EAElB,gBAAgB,EACjB,MAAM,YAAY,CAAA;AAQnB;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,OAAO,CAAA;IACpB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,EAAE,OAAO,CAAA;IACvB,YAAY,EAAE,OAAO,CAAA;
|
|
1
|
+
{"version":3,"file":"SecurityScanner.helpers.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.helpers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,mBAAmB,EACnB,kBAAkB,EAElB,gBAAgB,EACjB,MAAM,YAAY,CAAA;AAQnB;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,OAAO,CAAA;IACpB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,EAAE,OAAO,CAAA;IACvB,YAAY,EAAE,OAAO,CAAA;IACrB;;;;;;OAMG;IACH,aAAa,EAAE,OAAO,CAAA;CACvB;AAMD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAK3D;AAMD;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,EAAE,CA0ErE;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAEhE;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAW5E;AAMD,UAAU,mBAAmB;IAC3B,IAAI,EAAE,mBAAmB,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,mDAAmD;IACnD,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAA;CACjD;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,CAC9C,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,mBAAmB,EAC3B,YAAY,CAAC,EAAE,WAAW,EAAE,GAC3B,eAAe,EAAE,CAoEnB;AAMD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,eAAe,EAAE,GAAG;IAC/D,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,kBAAkB,CAAA;CAC9B,CA+FA"}
|
|
@@ -22,35 +22,79 @@ export function isMultilinePattern(pattern) {
|
|
|
22
22
|
/**
|
|
23
23
|
* Analyze markdown content and return context for each line
|
|
24
24
|
* Used to reduce false positives in documentation/examples
|
|
25
|
+
*
|
|
26
|
+
* SMI-4396 Wave 2: tracks YAML frontmatter context (the `---`-fenced block
|
|
27
|
+
* at the top of a SKILL.md). Opening `---` must be at line 0 (ignoring
|
|
28
|
+
* leading blank lines); closing `---` ends the block. Lines within are
|
|
29
|
+
* marked inFrontmatter=true so their keyword matches downgrade to
|
|
30
|
+
* documentation severity.
|
|
25
31
|
*/
|
|
26
32
|
export function analyzeMarkdownContext(content) {
|
|
27
33
|
const lines = content.split('\n');
|
|
28
34
|
const contexts = [];
|
|
29
35
|
let inFencedCodeBlock = false;
|
|
36
|
+
// SMI-4396 Wave 2: frontmatter state machine
|
|
37
|
+
// frontmatterState: 'pending' (before any non-blank line), 'open' (inside), 'closed' (after second fence).
|
|
38
|
+
let frontmatterState = 'pending';
|
|
39
|
+
let frontmatterOpenedAtLine = -1;
|
|
30
40
|
for (let i = 0; i < lines.length; i++) {
|
|
31
41
|
const line = lines[i];
|
|
32
42
|
const trimmedLine = line.trim();
|
|
33
|
-
//
|
|
34
|
-
|
|
43
|
+
// SMI-4396 Wave 2: detect opening/closing frontmatter fence.
|
|
44
|
+
// Opening must be at file start (only blank lines precede); closing is
|
|
45
|
+
// the next `---` on its own line after the opening.
|
|
46
|
+
let lineInFrontmatter = false;
|
|
47
|
+
if (trimmedLine === '---') {
|
|
48
|
+
if (frontmatterState === 'pending') {
|
|
49
|
+
// Opening fence: only valid if no content lines have preceded.
|
|
50
|
+
frontmatterState = 'open';
|
|
51
|
+
frontmatterOpenedAtLine = i;
|
|
52
|
+
lineInFrontmatter = true; // the fence itself is part of frontmatter
|
|
53
|
+
}
|
|
54
|
+
else if (frontmatterState === 'open') {
|
|
55
|
+
frontmatterState = 'closed';
|
|
56
|
+
lineInFrontmatter = true; // the closing fence too
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
else if (frontmatterState === 'pending' && trimmedLine.length > 0) {
|
|
60
|
+
// First non-blank non-fence line: frontmatter never opened. Abort the pending state.
|
|
61
|
+
frontmatterState = 'closed';
|
|
62
|
+
}
|
|
63
|
+
else if (frontmatterState === 'open') {
|
|
64
|
+
lineInFrontmatter = true;
|
|
65
|
+
}
|
|
66
|
+
// Check for fenced code block boundaries (``` or ~~~). Frontmatter lines
|
|
67
|
+
// never participate — YAML is not markdown code fences.
|
|
68
|
+
if (!lineInFrontmatter && /^(`{3,}|~{3,})/.test(trimmedLine)) {
|
|
35
69
|
inFencedCodeBlock = !inFencedCodeBlock;
|
|
36
70
|
}
|
|
37
71
|
// Check for table row (starts with |)
|
|
38
|
-
const inTable = trimmedLine.startsWith('|');
|
|
72
|
+
const inTable = !lineInFrontmatter && trimmedLine.startsWith('|');
|
|
39
73
|
// Check for indented code block (4+ spaces or tab at start, not in list)
|
|
40
|
-
const isIndentedCode =
|
|
74
|
+
const isIndentedCode = !lineInFrontmatter &&
|
|
75
|
+
/^( {4,}|\t)/.test(line) &&
|
|
41
76
|
!inFencedCodeBlock &&
|
|
42
77
|
!trimmedLine.startsWith('-') &&
|
|
43
78
|
!trimmedLine.startsWith('*');
|
|
44
79
|
// Check for inline code (content between backticks on same line)
|
|
45
|
-
const isInlineCode = /`[^`]+`/.test(line) && !inFencedCodeBlock;
|
|
80
|
+
const isInlineCode = !lineInFrontmatter && /`[^`]+`/.test(line) && !inFencedCodeBlock;
|
|
46
81
|
contexts.push({
|
|
47
82
|
lineNumber: i + 1,
|
|
48
83
|
inCodeBlock: inFencedCodeBlock,
|
|
49
84
|
inTable,
|
|
50
85
|
isIndentedCode,
|
|
51
86
|
isInlineCode,
|
|
87
|
+
inFrontmatter: lineInFrontmatter,
|
|
52
88
|
});
|
|
53
89
|
}
|
|
90
|
+
// If we opened frontmatter but never closed it, unwind — do NOT mark the
|
|
91
|
+
// whole file as frontmatter. This is defensive against malformed files
|
|
92
|
+
// where a bare `---` sneaks in without a close.
|
|
93
|
+
if (frontmatterState === 'open' && frontmatterOpenedAtLine >= 0) {
|
|
94
|
+
for (let i = frontmatterOpenedAtLine; i < contexts.length; i++) {
|
|
95
|
+
contexts[i].inFrontmatter = false;
|
|
96
|
+
}
|
|
97
|
+
}
|
|
54
98
|
return contexts;
|
|
55
99
|
}
|
|
56
100
|
/**
|
|
@@ -58,9 +102,13 @@ export function analyzeMarkdownContext(content) {
|
|
|
58
102
|
* Note: isInlineCode is intentionally excluded — it marks the entire line,
|
|
59
103
|
* but only specific match positions within backtick spans should reduce severity.
|
|
60
104
|
* Use isWithinInlineCode() for per-span granularity (SMI-3521).
|
|
105
|
+
*
|
|
106
|
+
* SMI-4396 Wave 2: inFrontmatter also counts as documentation context.
|
|
107
|
+
* SKILL.md authors legitimately include domain keywords in description:
|
|
108
|
+
* fields (1Password integrations, security-research skills, etc.).
|
|
61
109
|
*/
|
|
62
110
|
export function isDocumentationContext(ctx) {
|
|
63
|
-
return ctx.inCodeBlock || ctx.inTable || ctx.isIndentedCode;
|
|
111
|
+
return ctx.inCodeBlock || ctx.inTable || ctx.isIndentedCode || ctx.inFrontmatter;
|
|
64
112
|
}
|
|
65
113
|
/**
|
|
66
114
|
* SMI-3521: Check if a match position falls within an inline code span (backtick-delimited).
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityScanner.helpers.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.helpers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA;
|
|
1
|
+
{"version":3,"file":"SecurityScanner.helpers.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.helpers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA;AAyBhD,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAA;IACjC,OAAO,CACL,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,WAAW,CAAC,CAC/F,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAkB,EAAE,CAAA;IAClC,IAAI,iBAAiB,GAAG,KAAK,CAAA;IAC7B,6CAA6C;IAC7C,2GAA2G;IAC3G,IAAI,gBAAgB,GAAkC,SAAS,CAAA;IAC/D,IAAI,uBAAuB,GAAG,CAAC,CAAC,CAAA;IAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;QAE/B,6DAA6D;QAC7D,uEAAuE;QACvE,oDAAoD;QACpD,IAAI,iBAAiB,GAAG,KAAK,CAAA;QAC7B,IAAI,WAAW,KAAK,KAAK,EAAE,CAAC;YAC1B,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;gBACnC,+DAA+D;gBAC/D,gBAAgB,GAAG,MAAM,CAAA;gBACzB,uBAAuB,GAAG,CAAC,CAAA;gBAC3B,iBAAiB,GAAG,IAAI,CAAA,CAAC,0CAA0C;YACrE,CAAC;iBAAM,IAAI,gBAAgB,KAAK,MAAM,EAAE,CAAC;gBACvC,gBAAgB,GAAG,QAAQ,CAAA;gBAC3B,iBAAiB,GAAG,IAAI,CAAA,CAAC,wBAAwB;YACnD,CAAC;QACH,CAAC;aAAM,IAAI,gBAAgB,KAAK,SAAS,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpE,qFAAqF;YACrF,gBAAgB,GAAG,QAAQ,CAAA;QAC7B,CAAC;aAAM,IAAI,gBAAgB,KAAK,MAAM,EAAE,CAAC;YACvC,iBAAiB,GAAG,IAAI,CAAA;QAC1B,CAAC;QAED,yEAAyE;QACzE,wDAAwD;QACxD,IAAI,CAAC,iBAAiB,IAAI,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,iBAAiB,GAAG,CAAC,iBAAiB,CAAA;QACxC,CAAC;QAED,sCAAsC;QACtC,MAAM,OAAO,GAAG,CAAC,iBAAiB,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAEjE,yEAAyE;QACzE,MAAM,cAAc,GAClB,CAAC,iBAAiB;YAClB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;YACxB,CAAC,iBAAiB;YAClB,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC;YAC5B,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QAE9B,iEAAiE;QACjE,MAAM,YAAY,GAAG,CAAC,iBAAiB,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAA;QAErF,QAAQ,CAAC,IAAI,CAAC;YACZ,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,WAAW,EAAE,iBAAiB;YAC9B,OAAO;YACP,cAAc;YACd,YAAY;YACZ,aAAa,EAAE,iBAAiB;SACjC,CAAC,CAAA;IACJ,CAAC;IAED,yEAAyE;IACzE,uEAAuE;IACvE,gDAAgD;IAChD,IAAI,gBAAgB,KAAK,MAAM,IAAI,uBAAuB,IAAI,CAAC,EAAE,CAAC;QAChE,KAAK,IAAI,CAAC,GAAG,uBAAuB,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC/D,QAAQ,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,KAAK,CAAA;QACnC,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,GAAgB;IACrD,OAAO,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,aAAa,CAAA;AAClF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,UAAkB;IACjE,MAAM,aAAa,GAAG,YAAY,CAAA;IAClC,IAAI,KAAK,CAAA;IACT,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAA;QAC7B,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;QAC7C,IAAI,UAAU,IAAI,SAAS,IAAI,UAAU,GAAG,OAAO,EAAE,CAAC;YACpD,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAcD;;;GAGG;AACH,MAAM,UAAU,gCAAgC,CAC9C,OAAe,EACf,MAA2B,EAC3B,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAChE,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAA;IAEtC,uDAAuD;IACvD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtC,IAAI,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;YAC7C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;gBAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;gBAClE,MAAM,GAAG,GAAG,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC,CAAA;gBACpC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;gBAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,CAAA;gBAChE,MAAM,QAAQ,GAAG,UAAU,GAAG,UAAU,CAAA;gBACxC,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;gBACjF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;gBAC3E,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;gBAEvC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,QAAQ;oBACR,OAAO,EAAE,GAAG,MAAM,CAAC,aAAa,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG;oBACtF,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACvC,UAAU;oBACV,QAAQ,EAAE,MAAM,CAAC,IAAI;oBACrB,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC;YAAE,OAAM;QACvC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,kBAAkB,CAAC,OAAO,CAAC;gBAAE,SAAQ;YACzC,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;gBAE3E,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,QAAQ;oBACR,OAAO,EAAE,GAAG,MAAM,CAAC,aAAa,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG;oBAClG,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,MAAM,CAAC,IAAI;oBACrB,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA2B;IAI5D,MAAM,SAAS,GAAuB;QACpC,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,aAAa,EAAE,CAAC;QAChB,gBAAgB,EAAE,CAAC;QACnB,mBAAmB,EAAE,CAAC;QACtB,cAAc,EAAE,CAAC;QACjB,cAAc,EAAE,CAAC;QACjB,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,CAAC;QACZ,IAAI,EAAE,CAAC;QACP,GAAG,EAAE,CAAC;KACP,CAAA;IAED,MAAM,iBAAiB,GAAsC;QAC3D,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,GAAG;QACX,GAAG,EAAE,GAAG;KACT,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,cAAc,GAAG,gBAAgB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QACzD,MAAM,cAAc,GAAG,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,GAAG,CAAA;QAC5D,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC,CAAA;QACxE,MAAM,KAAK,GAAG,cAAc,GAAG,cAAc,GAAG,gBAAgB,CAAA;QAEhE,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;YACrB,KAAK,WAAW;gBACd,SAAS,CAAC,SAAS,IAAI,KAAK,CAAA;gBAC5B,MAAK;YACP,KAAK,oBAAoB;gBACvB,SAAS,CAAC,iBAAiB,IAAI,KAAK,CAAA;gBACpC,MAAK;YACP,KAAK,gBAAgB;gBACnB,SAAS,CAAC,aAAa,IAAI,KAAK,CAAA;gBAChC,MAAK;YACP,KAAK,mBAAmB;gBACtB,SAAS,CAAC,gBAAgB,IAAI,KAAK,CAAA;gBACnC,MAAK;YACP,KAAK,sBAAsB;gBACzB,SAAS,CAAC,mBAAmB,IAAI,KAAK,CAAA;gBACtC,MAAK;YACP,KAAK,oBAAoB;gBACvB,SAAS,CAAC,cAAc,IAAI,KAAK,CAAA;gBACjC,MAAK;YACP,KAAK,gBAAgB;gBACnB,SAAS,CAAC,cAAc,IAAI,KAAK,CAAA;gBACjC,MAAK;YACP,KAAK,KAAK;gBACR,SAAS,CAAC,YAAY,IAAI,KAAK,CAAA;gBAC/B,MAAK;YACP,KAAK,YAAY;gBACf,SAAS,CAAC,SAAS,IAAI,KAAK,CAAA;gBAC5B,MAAK;YACP,KAAK,MAAM;gBACT,SAAS,CAAC,IAAI,IAAI,KAAK,CAAA;gBACvB,MAAK;YACP,KAAK,KAAK;gBACR,SAAS,CAAC,GAAG,IAAI,KAAK,CAAA;gBACtB,MAAK;QACT,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,SAAS,CAAC,CAAA;IACxD,SAAS,CAAC,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,iBAAiB,CAAC,CAAA;IACxE,SAAS,CAAC,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,aAAa,CAAC,CAAA;IAChE,SAAS,CAAC,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,gBAAgB,CAAC,CAAA;IACtE,SAAS,CAAC,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,mBAAmB,CAAC,CAAA;IAC5E,SAAS,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,cAAc,CAAC,CAAA;IAClE,SAAS,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,cAAc,CAAC,CAAA;IAClE,SAAS,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,YAAY,CAAC,CAAA;IAC9D,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,SAAS,CAAC,CAAA;IACxD,SAAS,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,CAAC,CAAA;IAC9C,SAAS,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC,CAAA;IAE5C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CACpB,GAAG,EACH,IAAI,CAAC,KAAK,CACR,SAAS,CAAC,SAAS,GAAG,GAAG;QACvB,SAAS,CAAC,iBAAiB,GAAG,IAAI;QAClC,SAAS,CAAC,aAAa,GAAG,IAAI;QAC9B,SAAS,CAAC,gBAAgB,GAAG,IAAI;QACjC,SAAS,CAAC,mBAAmB,GAAG,IAAI;QACpC,SAAS,CAAC,cAAc,GAAG,IAAI;QAC/B,SAAS,CAAC,cAAc,GAAG,IAAI;QAC/B,SAAS,CAAC,YAAY,GAAG,IAAI;QAC7B,SAAS,CAAC,SAAS,GAAG,IAAI;QAC1B,SAAS,CAAC,IAAI,GAAG,IAAI;QACrB,SAAS,CAAC,GAAG,GAAG,IAAI,CACvB,CACF,CAAA;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAA;AAC7B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,eAAO,MAAM,uBAAuB,UAanC,CAAA;
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,eAAO,MAAM,uBAAuB,UAanC,CAAA;AAOD,eAAO,MAAM,uBAAuB,UAsBnC,CAAA;AAGD,eAAO,MAAM,kBAAkB,UAkB9B,CAAA;AAGD,eAAO,MAAM,mBAAmB,UAY/B,CAAA;AAGD,eAAO,MAAM,2BAA2B,UAavC,CAAA;AAGD,eAAO,MAAM,uBAAuB,UAenC,CAAA;AAGD,eAAO,MAAM,0BAA0B,UAuCtC,CAAA;AAGD,eAAO,MAAM,6BAA6B,UAkCzC,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,UAuBrC,CAAA;AAED;;;;;;;;;;;GAWG;AACH;;;;GAIG;AACH,eAAO,MAAM,YAAY,UAwBxB,CAAA;AAED,eAAO,MAAM,mBAAmB,UAwD/B,CAAA"}
|
|
@@ -19,19 +19,32 @@ export const DEFAULT_ALLOWED_DOMAINS = [
|
|
|
19
19
|
'typescriptlang.org',
|
|
20
20
|
];
|
|
21
21
|
// Sensitive file path patterns
|
|
22
|
+
// SMI-4396 Wave 2: bare-keyword variants (credentials, secrets?, password) tightened
|
|
23
|
+
// to require assignment/path/file-extension context. Without this tuning,
|
|
24
|
+
// documentation keywords in SKILL.md frontmatter and prose (1Password integration
|
|
25
|
+
// guides, security-research skill domain vocabulary) tripped HIGH severity.
|
|
22
26
|
export const SENSITIVE_PATH_PATTERNS = [
|
|
23
27
|
/\.env/i,
|
|
24
|
-
|
|
25
|
-
/
|
|
28
|
+
// Contextual credentials: filename or assignment, not bare prose
|
|
29
|
+
/credentials\.(?:json|ya?ml|env|toml|txt)/i,
|
|
30
|
+
/credentials\s*[:=]/i,
|
|
31
|
+
// Contextual secrets: assignment or path, not bare word
|
|
32
|
+
/\bsecrets?\s*[:=]/i,
|
|
33
|
+
/\bsecrets?\/[a-z0-9_.-]+/i,
|
|
26
34
|
/\.pem$/i,
|
|
27
35
|
/\.key$/i,
|
|
28
36
|
/\.crt$/i,
|
|
29
|
-
|
|
37
|
+
// Contextual password: assignment or URL (postgres://user:pass@host) only
|
|
38
|
+
/password\s*[:=]/i,
|
|
30
39
|
/api[_-]?key/i,
|
|
31
40
|
/auth[_-]?token/i,
|
|
32
41
|
/~\/\.ssh/i,
|
|
33
42
|
/~\/\.aws/i,
|
|
34
43
|
/~\/\.config/i,
|
|
44
|
+
// SMI-4396 Wave 2: explicit system-file paths. Added so that tightening
|
|
45
|
+
// bare /credentials/i and /password/i into assignment-context variants
|
|
46
|
+
// doesn't drop coverage of obvious sensitive references like /etc/passwd.
|
|
47
|
+
/\/etc\/(?:passwd|shadow|sudoers|hosts)\b/i,
|
|
35
48
|
];
|
|
36
49
|
// Jailbreak attempt patterns
|
|
37
50
|
export const JAILBREAK_PATTERNS = [
|
|
@@ -117,9 +130,27 @@ export const DATA_EXFILTRATION_PATTERNS = [
|
|
|
117
130
|
/data\s*:\s*['"]/i, // Data URLs
|
|
118
131
|
/\.writeFile.*https?:\/\//i,
|
|
119
132
|
/send\s+.*(to|the)\s+(external|remote)/i,
|
|
120
|
-
|
|
133
|
+
// SMI-4396 Wave 2: word-boundary \bcloud\b + bounded wildcard.
|
|
134
|
+
// Previous /upload\s+.*(to|the)\s+(server|cloud|remote)/i matched
|
|
135
|
+
// "upload to Cloudinary" (the Cloud prefix substring-matches) —
|
|
136
|
+
// triggered skill-image-pipeline as data_exfiltration FP. The
|
|
137
|
+
// bounded [\w\s]{0,30}? prevents ReDoS; \bcloud\b excludes
|
|
138
|
+
// Cloudinary/cloudfront/cloudflare/iCloud/cloudstorage.
|
|
139
|
+
/upload\s+[\w\s]{0,30}?\s*(?:to|the)\s+(?:server|\bcloud\b|remote)/i,
|
|
140
|
+
// SMI-4396 Wave 2: explicit key/secret/credential/token upload detector.
|
|
141
|
+
// Ensures "upload private keys to our cdn bucket" still triggers even
|
|
142
|
+
// though \bcloud\b word-boundary now excludes "cdn bucket" prose.
|
|
143
|
+
/upload\s+[\w\s]{0,50}?\s*(?:private\s+)?(?:key|secret|credential|token)s?\b/i,
|
|
121
144
|
/post\s+data\s+to/i,
|
|
122
145
|
/to\s+external\s+(api|server|endpoint)/i,
|
|
146
|
+
// SMI-4396 Wave 2: restore prose coverage dropped by tightening bare /password/i
|
|
147
|
+
// and /credentials/i to assignment-context only. These unambiguous exfiltration
|
|
148
|
+
// verbs (send/transmit/leak/dump/steal/extract) + credential noun preserve detection
|
|
149
|
+
// of "send the user's passwords to attacker.com" and similar imperative instructions
|
|
150
|
+
// without re-introducing FPs on "This skill handles passwords" or
|
|
151
|
+
// "Never expose the password to Claude Code" (expose excluded: weak intent signal
|
|
152
|
+
// + negation-context FP in 1Password-style SKILL.md fixtures).
|
|
153
|
+
/(?:send|transmit|leak|dump|steal|extract)\s+[\w\s']{0,40}(?:passwords?|credentials?|secrets?)\b/i,
|
|
123
154
|
];
|
|
124
155
|
// SMI-685: Privilege escalation patterns
|
|
125
156
|
export const PRIVILEGE_ESCALATION_PATTERNS = [
|
|
@@ -138,7 +169,16 @@ export const PRIVILEGE_ESCALATION_PATTERNS = [
|
|
|
138
169
|
/setuid/i,
|
|
139
170
|
/setgid/i,
|
|
140
171
|
/capability\s+cap_/i,
|
|
141
|
-
|
|
172
|
+
// SMI-4396 Wave 2: contextual privilege_escalation patterns.
|
|
173
|
+
// Previous bare /escalat(e|ion)/i matched documentation prose in
|
|
174
|
+
// security-research and prompt-injection-scanner skills that legitimately
|
|
175
|
+
// enumerate "privilege escalation" as an adversarial technique they
|
|
176
|
+
// detect — triggered 3/5 CRITICAL FPs. Bare pattern removed; these three
|
|
177
|
+
// contextual variants preserve real coverage (exploit-escalate calls,
|
|
178
|
+
// attack/vector noun phrases, to-root/to-admin targets).
|
|
179
|
+
/privilege[_\s-]+escalat(?:e|ion)/i,
|
|
180
|
+
/escalat(?:e|ion)\s+(?:attack|vector|(?:to|as)\s+(?:root|admin|superuser))/i,
|
|
181
|
+
/exploit\s+[\w\s]{0,30}?\s*escalat(?:e|ion)/i,
|
|
142
182
|
/privilege[ds]?\s+(elevat|escal)/i,
|
|
143
183
|
/run\s+.*as\s+root/i,
|
|
144
184
|
/(run|execute)\s+as\s+(root|admin)/i,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,0BAA0B;AAC1B,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,YAAY;IACZ,uBAAuB;IACvB,2BAA2B;IAC3B,WAAW;IACX,WAAW;IACX,oBAAoB;IACpB,eAAe;IACf,WAAW;IACX,iBAAiB;IACjB,uBAAuB;IACvB,YAAY;IACZ,oBAAoB;CACrB,CAAA;AAED,+BAA+B;AAC/B,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,QAAQ;IACR,
|
|
1
|
+
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,0BAA0B;AAC1B,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,YAAY;IACZ,uBAAuB;IACvB,2BAA2B;IAC3B,WAAW;IACX,WAAW;IACX,oBAAoB;IACpB,eAAe;IACf,WAAW;IACX,iBAAiB;IACjB,uBAAuB;IACvB,YAAY;IACZ,oBAAoB;CACrB,CAAA;AAED,+BAA+B;AAC/B,qFAAqF;AACrF,0EAA0E;AAC1E,kFAAkF;AAClF,4EAA4E;AAC5E,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,QAAQ;IACR,iEAAiE;IACjE,2CAA2C;IAC3C,qBAAqB;IACrB,wDAAwD;IACxD,oBAAoB;IACpB,2BAA2B;IAC3B,SAAS;IACT,SAAS;IACT,SAAS;IACT,0EAA0E;IAC1E,kBAAkB;IAClB,cAAc;IACd,iBAAiB;IACjB,WAAW;IACX,WAAW;IACX,cAAc;IACd,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,2CAA2C;CAC5C,CAAA;AAED,6BAA6B;AAC7B,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,6EAA6E;IAC7E,2EAA2E;IAC3E,mBAAmB;IACnB,SAAS;IACT,sBAAsB;IACtB,YAAY;IACZ,oDAAoD;IACpD,+DAA+D;IAC/D,iDAAiD;IACjD,mDAAmD;IACnD,0DAA0D;IAC1D,8CAA8C;IAE9C,2EAA2E;IAC3E,2FAA2F;IAC3F,yFAAyF;IACzF,gEAAgE;CACjE,CAAA;AAED,2DAA2D;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,YAAY;IACZ,YAAY;IACZ,gBAAgB;IAChB,eAAe,EAAE,uBAAuB;IACxC,uBAAuB;IACvB,yBAAyB;IACzB,qCAAqC;IACrC,gCAAgC;IAChC,eAAe;IACf,0BAA0B,EAAE,qBAAqB;IACjD,0BAA0B;CAC3B,CAAA;AAED,+CAA+C;AAC/C,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,2CAA2C;IAC3C,gBAAgB;IAChB,0CAA0C,EAAE,6BAA6B;IACzE,kDAAkD;IAClD,sBAAsB;IACtB,oCAAoC;IACpC,4BAA4B;IAC5B,2BAA2B;IAC3B,8BAA8B;IAC9B,iCAAiC;IACjC,4BAA4B;IAC5B,sBAAsB;CACvB,CAAA;AAED,2CAA2C;AAC3C,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,2DAA2D;IAC3D,qCAAqC;IACrC,qCAAqC;IACrC,8CAA8C;IAC9C,qCAAqC;IACrC,2CAA2C;IAC3C,+CAA+C;IAC/C,wDAAwD;IACxD,4CAA4C;IAC5C,+CAA+C;IAC/C,mDAAmD;IACnD,wCAAwC;IACxC,uDAAuD;IACvD,8CAA8C;CAC/C,CAAA;AAED,sCAAsC;AACtC,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,YAAY,EAAE,sBAAsB;IACpC,YAAY,EAAE,sBAAsB;IACpC,2CAA2C;IAC3C,wCAAwC;IACxC,0BAA0B;IAC1B,iCAAiC,EAAE,0BAA0B;IAC7D,iBAAiB;IACjB,wBAAwB;IACxB,gBAAgB;IAChB,mBAAmB;IACnB,iBAAiB;IACjB,uBAAuB;IACvB,iBAAiB;IACjB,QAAQ;IACR,kBAAkB,EAAE,YAAY;IAChC,2BAA2B;IAC3B,wCAAwC;IACxC,+DAA+D;IAC/D,kEAAkE;IAClE,gEAAgE;IAChE,8DAA8D;IAC9D,2DAA2D;IAC3D,wDAAwD;IACxD,oEAAoE;IACpE,yEAAyE;IACzE,sEAAsE;IACtE,kEAAkE;IAClE,8EAA8E;IAC9E,mBAAmB;IACnB,wCAAwC;IACxC,iFAAiF;IACjF,gFAAgF;IAChF,qFAAqF;IACrF,qFAAqF;IACrF,kEAAkE;IAClE,kFAAkF;IAClF,+DAA+D;IAC/D,kGAAkG;CACnG,CAAA;AAED,yCAAyC;AACzC,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,wBAAwB,EAAE,gCAAgC;IAC1D,qBAAqB,EAAE,wBAAwB;IAC/C,YAAY;IACZ,oCAAoC,EAAE,2BAA2B;IACjE,kBAAkB,EAAE,eAAe;IACnC,kBAAkB,EAAE,iBAAiB;IACrC,kBAAkB,EAAE,0BAA0B;IAC9C,iBAAiB;IACjB,iBAAiB;IACjB,SAAS;IACT,iBAAiB;IACjB,WAAW;IACX,SAAS;IACT,SAAS;IACT,oBAAoB;IACpB,6DAA6D;IAC7D,iEAAiE;IACjE,0EAA0E;IAC1E,oEAAoE;IACpE,yEAAyE;IACzE,sEAAsE;IACtE,yDAAyD;IACzD,mCAAmC;IACnC,4EAA4E;IAC5E,6CAA6C;IAC7C,kCAAkC;IAClC,oBAAoB;IACpB,oCAAoC;IACpC,4BAA4B;IAC5B,uBAAuB;IACvB,mBAAmB;IACnB,gBAAgB;IAChB,gBAAgB;CACjB,CAAA;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG;IACvC,mDAAmD;IACnD,yEAAyE;IACzE,2EAA2E;IAC3E,yEAAyE;IACzE,yEAAyE;IAEzE,gDAAgD;IAChD,qFAAqF;IACrF,0FAA0F;IAC1F,sFAAsF;IAEtF,mCAAmC;IACnC,oBAAoB;IAEpB,sEAAsE;IACtE,0CAA0C;IAC1C,uBAAuB;IAEvB,0DAA0D;IAC1D,oGAAoG;IACpG,mIAAmI;IACnI,sGAAsG;CACvG,CAAA;AAED;;;;;;;;;;;GAWG;AACH;;;;GAIG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,yCAAyC;IACzC,+DAA+D;IAC/D,qEAAqE;IACrE,yEAAyE;IAEzE,gCAAgC;IAChC,yCAAyC,EAAE,SAAS;IACpD,0CAA0C,EAAE,aAAa;IACzD,iCAAiC,EAAE,kBAAkB;IACrD,kBAAkB,EAAE,iBAAiB;IAErC,4EAA4E;IAC5E,+EAA+E;IAC/E,gDAAgD;IAEhD,6BAA6B;IAC7B,uBAAuB;IAEvB,eAAe;IACf,4CAA4C;IAE5C,+BAA+B;IAC/B,qDAAqD;CACtD,CAAA;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,2EAA2E;IAC3E,6EAA6E;IAC7E,mEAAmE;IACnE,mDAAmD;IAEnD,oDAAoD;IACpD,4BAA4B;IAE5B,6DAA6D;IAC7D,mFAAmF;IAEnF,0DAA0D;IAC1D,gEAAgE;IAChE,uEAAuE;IAEvE,iFAAiF;IACjF,gFAAgF;IAChF,mIAAmI;IAEnI,yDAAyD;IACzD,iEAAiE;IAEjE,yDAAyD;IACzD,6DAA6D;IAE7D,0DAA0D;IAC1D,uEAAuE;IAEvE,sCAAsC;IACtC,uEAAuE;IACvE,kFAAkF;IAClF,uGAAuG;IAEvG,4BAA4B;IAC5B,kDAAkD;IAElD,yCAAyC;IACzC,kFAAkF;IAElF,6BAA6B;IAC7B,8CAA8C;IAE9C,6CAA6C;IAC7C,+EAA+E;IAC/E,4HAA4H;IAE5H,kDAAkD;IAClD,wEAAwE;IAExE,wBAAwB;IACxB,4CAA4C;IAE5C,+EAA+E;IAC/E,6DAA6D;IAC7D,qBAAqB;CACtB,CAAA"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SMI-4244: buildClientEventBatcher test-environment detection
|
|
3
|
+
*
|
|
4
|
+
* Verifies that EventBatcher instances created via buildClientEventBatcher
|
|
5
|
+
* do NOT attach process-exit listeners when running under vitest (detected
|
|
6
|
+
* via process.env.VITEST === 'true'). This prevents MaxListenersExceededWarning
|
|
7
|
+
* and the racy SIGTERM delivery observed in publish.yml Validate job test runs.
|
|
8
|
+
*/
|
|
9
|
+
export {};
|
|
10
|
+
//# sourceMappingURL=client.events.test.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client.events.test.d.ts","sourceRoot":"","sources":["../../../tests/api/client.events.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}
|
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SMI-4244: buildClientEventBatcher test-environment detection
|
|
3
|
+
*
|
|
4
|
+
* Verifies that EventBatcher instances created via buildClientEventBatcher
|
|
5
|
+
* do NOT attach process-exit listeners when running under vitest (detected
|
|
6
|
+
* via process.env.VITEST === 'true'). This prevents MaxListenersExceededWarning
|
|
7
|
+
* and the racy SIGTERM delivery observed in publish.yml Validate job test runs.
|
|
8
|
+
*/
|
|
9
|
+
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
|
|
10
|
+
import { buildClientEventBatcher } from '../../src/api/client.events.js';
|
|
11
|
+
describe('SMI-4244: buildClientEventBatcher exit handler suppression', () => {
|
|
12
|
+
const originalVitest = process.env.VITEST;
|
|
13
|
+
const ctx = () => ({
|
|
14
|
+
baseUrl: 'https://example.test',
|
|
15
|
+
anonKey: 'anon',
|
|
16
|
+
apiKey: undefined,
|
|
17
|
+
timeout: 1_000,
|
|
18
|
+
});
|
|
19
|
+
beforeEach(() => {
|
|
20
|
+
// Snapshot restored by afterEach; each test sets VITEST explicitly.
|
|
21
|
+
});
|
|
22
|
+
afterEach(() => {
|
|
23
|
+
if (originalVitest === undefined) {
|
|
24
|
+
delete process.env.VITEST;
|
|
25
|
+
}
|
|
26
|
+
else {
|
|
27
|
+
process.env.VITEST = originalVitest;
|
|
28
|
+
}
|
|
29
|
+
});
|
|
30
|
+
it('does NOT attach SIGTERM/SIGINT/beforeExit listeners when VITEST=true', () => {
|
|
31
|
+
process.env.VITEST = 'true';
|
|
32
|
+
const before = {
|
|
33
|
+
sigterm: process.listenerCount('SIGTERM'),
|
|
34
|
+
sigint: process.listenerCount('SIGINT'),
|
|
35
|
+
beforeExit: process.listenerCount('beforeExit'),
|
|
36
|
+
};
|
|
37
|
+
const batcher = buildClientEventBatcher(ctx);
|
|
38
|
+
const after = {
|
|
39
|
+
sigterm: process.listenerCount('SIGTERM'),
|
|
40
|
+
sigint: process.listenerCount('SIGINT'),
|
|
41
|
+
beforeExit: process.listenerCount('beforeExit'),
|
|
42
|
+
};
|
|
43
|
+
expect(after.sigterm).toBe(before.sigterm);
|
|
44
|
+
expect(after.sigint).toBe(before.sigint);
|
|
45
|
+
expect(after.beforeExit).toBe(before.beforeExit);
|
|
46
|
+
// Dispose is a no-op when no handlers were attached, but call it for hygiene.
|
|
47
|
+
batcher.dispose();
|
|
48
|
+
});
|
|
49
|
+
it('DOES attach SIGTERM/SIGINT/beforeExit listeners when VITEST is unset', () => {
|
|
50
|
+
delete process.env.VITEST;
|
|
51
|
+
const before = {
|
|
52
|
+
sigterm: process.listenerCount('SIGTERM'),
|
|
53
|
+
sigint: process.listenerCount('SIGINT'),
|
|
54
|
+
beforeExit: process.listenerCount('beforeExit'),
|
|
55
|
+
};
|
|
56
|
+
const batcher = buildClientEventBatcher(ctx);
|
|
57
|
+
const after = {
|
|
58
|
+
sigterm: process.listenerCount('SIGTERM'),
|
|
59
|
+
sigint: process.listenerCount('SIGINT'),
|
|
60
|
+
beforeExit: process.listenerCount('beforeExit'),
|
|
61
|
+
};
|
|
62
|
+
expect(after.sigterm).toBe(before.sigterm + 1);
|
|
63
|
+
expect(after.sigint).toBe(before.sigint + 1);
|
|
64
|
+
expect(after.beforeExit).toBe(before.beforeExit + 1);
|
|
65
|
+
// Clean up so we don't pollute other tests' listener counts.
|
|
66
|
+
batcher.dispose();
|
|
67
|
+
const cleaned = {
|
|
68
|
+
sigterm: process.listenerCount('SIGTERM'),
|
|
69
|
+
sigint: process.listenerCount('SIGINT'),
|
|
70
|
+
beforeExit: process.listenerCount('beforeExit'),
|
|
71
|
+
};
|
|
72
|
+
expect(cleaned.sigterm).toBe(before.sigterm);
|
|
73
|
+
expect(cleaned.sigint).toBe(before.sigint);
|
|
74
|
+
expect(cleaned.beforeExit).toBe(before.beforeExit);
|
|
75
|
+
});
|
|
76
|
+
it('DOES attach listeners when VITEST is set to a non-"true" value', () => {
|
|
77
|
+
process.env.VITEST = '1';
|
|
78
|
+
const before = process.listenerCount('SIGTERM');
|
|
79
|
+
const batcher = buildClientEventBatcher(ctx);
|
|
80
|
+
const after = process.listenerCount('SIGTERM');
|
|
81
|
+
expect(after).toBe(before + 1);
|
|
82
|
+
batcher.dispose();
|
|
83
|
+
});
|
|
84
|
+
});
|
|
85
|
+
//# sourceMappingURL=client.events.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client.events.test.js","sourceRoot":"","sources":["../../../tests/api/client.events.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAA;AACpE,OAAO,EAAE,uBAAuB,EAAyB,MAAM,gCAAgC,CAAA;AAE/F,QAAQ,CAAC,4DAA4D,EAAE,GAAG,EAAE;IAC1E,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAA;IAEzC,MAAM,GAAG,GAAG,GAAqB,EAAE,CAAC,CAAC;QACnC,OAAO,EAAE,sBAAsB;QAC/B,OAAO,EAAE,MAAM;QACf,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,KAAK;KACf,CAAC,CAAA;IAEF,UAAU,CAAC,GAAG,EAAE;QACd,oEAAoE;IACtE,CAAC,CAAC,CAAA;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAA;QAC3B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,cAAc,CAAA;QACrC,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,MAAM,CAAA;QAE3B,MAAM,MAAM,GAAG;YACb,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC;YACzC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC;YACvC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,YAAY,CAAC;SAChD,CAAA;QAED,MAAM,OAAO,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;QAE5C,MAAM,KAAK,GAAG;YACZ,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC;YACzC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC;YACvC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,YAAY,CAAC;SAChD,CAAA;QAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC1C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QACxC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;QAEhD,8EAA8E;QAC9E,OAAO,CAAC,OAAO,EAAE,CAAA;IACnB,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAA;QAEzB,MAAM,MAAM,GAAG;YACb,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC;YACzC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC;YACvC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,YAAY,CAAC;SAChD,CAAA;QAED,MAAM,OAAO,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;QAE5C,MAAM,KAAK,GAAG;YACZ,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC;YACzC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC;YACvC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,YAAY,CAAC;SAChD,CAAA;QAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;QAC9C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QAC5C,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,CAAA;QAEpD,6DAA6D;QAC7D,OAAO,CAAC,OAAO,EAAE,CAAA;QAEjB,MAAM,OAAO,GAAG;YACd,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC;YACzC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC;YACvC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,YAAY,CAAC;SAChD,CAAA;QACD,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC5C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC1C,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IACpD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAA;QAExB,MAAM,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;QAC/C,MAAM,OAAO,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;QAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;QAE9C,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QAE9B,OAAO,CAAC,OAAO,EAAE,CAAA;IACnB,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SMI-4408: Indexer blocklist tests.
|
|
3
|
+
*
|
|
4
|
+
* Covers:
|
|
5
|
+
* - Exact-match blocking (owner/name, case-sensitive)
|
|
6
|
+
* - Non-blocklisted repos pass through
|
|
7
|
+
* - Empty/missing blocklist file returns EMPTY_BLOCKLIST (no-op)
|
|
8
|
+
* - Schema validation: version=1, required fields, valid repo format, valid dates
|
|
9
|
+
* - Duplicate entries rejected at load
|
|
10
|
+
* - Malformed JSON rejected at load
|
|
11
|
+
* - Ship-it sanity check: data/indexer-blocklist.json parses and contains
|
|
12
|
+
* the 2 known-bad entries from SMI-4396 Wave 2 residuals.
|
|
13
|
+
*/
|
|
14
|
+
export {};
|
|
15
|
+
//# sourceMappingURL=blocklist.test.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"blocklist.test.d.ts","sourceRoot":"","sources":["../../../tests/github-import/blocklist.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG"}
|