@skillsmith/core 0.9.0 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (404) hide show
  1. package/CHANGELOG.md +16 -0
  2. package/dist/.tsbuildinfo +1 -1
  3. package/dist/src/analysis/tree-sitter/pythonIncremental.d.ts +23 -0
  4. package/dist/src/analysis/tree-sitter/pythonIncremental.d.ts.map +1 -1
  5. package/dist/src/analysis/tree-sitter/pythonIncremental.hardening.test.js +137 -0
  6. package/dist/src/analysis/tree-sitter/pythonIncremental.hardening.test.js.map +1 -1
  7. package/dist/src/analysis/tree-sitter/pythonIncremental.js +83 -10
  8. package/dist/src/analysis/tree-sitter/pythonIncremental.js.map +1 -1
  9. package/dist/src/analysis/tree-sitter/queryExtractionMatchesOrExceedsRegex.test.js +6 -1
  10. package/dist/src/analysis/tree-sitter/queryExtractionMatchesOrExceedsRegex.test.js.map +1 -1
  11. package/dist/src/api/client.d.ts.map +1 -1
  12. package/dist/src/api/client.js +6 -0
  13. package/dist/src/api/client.js.map +1 -1
  14. package/dist/src/api/client.test.d.ts +9 -0
  15. package/dist/src/api/client.test.d.ts.map +1 -0
  16. package/dist/src/api/client.test.js +81 -0
  17. package/dist/src/api/client.test.js.map +1 -0
  18. package/dist/src/config/audit-notify-state.d.ts +46 -0
  19. package/dist/src/config/audit-notify-state.d.ts.map +1 -0
  20. package/dist/src/config/audit-notify-state.js +55 -0
  21. package/dist/src/config/audit-notify-state.js.map +1 -0
  22. package/dist/src/config/audit-notify-state.test.d.ts +9 -0
  23. package/dist/src/config/audit-notify-state.test.d.ts.map +1 -0
  24. package/dist/src/config/audit-notify-state.test.js +63 -0
  25. package/dist/src/config/audit-notify-state.test.js.map +1 -0
  26. package/dist/src/config/index.d.ts +10 -0
  27. package/dist/src/config/index.d.ts.map +1 -1
  28. package/dist/src/config/index.js.map +1 -1
  29. package/dist/src/exports/services.d.ts +3 -1
  30. package/dist/src/exports/services.d.ts.map +1 -1
  31. package/dist/src/exports/services.js +9 -1
  32. package/dist/src/exports/services.js.map +1 -1
  33. package/dist/src/index.d.ts +6 -3
  34. package/dist/src/index.d.ts.map +1 -1
  35. package/dist/src/index.js +11 -2
  36. package/dist/src/index.js.map +1 -1
  37. package/dist/src/install/agent-config-merge.json-array.d.ts +29 -0
  38. package/dist/src/install/agent-config-merge.json-array.d.ts.map +1 -0
  39. package/dist/src/install/agent-config-merge.json-array.js +100 -0
  40. package/dist/src/install/agent-config-merge.json-array.js.map +1 -0
  41. package/dist/src/install/agent-config-merge.json.d.ts +37 -0
  42. package/dist/src/install/agent-config-merge.json.d.ts.map +1 -0
  43. package/dist/src/install/agent-config-merge.json.js +134 -0
  44. package/dist/src/install/agent-config-merge.json.js.map +1 -0
  45. package/dist/src/install/agent-config-merge.toml-block.d.ts +48 -0
  46. package/dist/src/install/agent-config-merge.toml-block.d.ts.map +1 -0
  47. package/dist/src/install/agent-config-merge.toml-block.js +107 -0
  48. package/dist/src/install/agent-config-merge.toml-block.js.map +1 -0
  49. package/dist/src/install/agent-config-merge.types.d.ts +87 -0
  50. package/dist/src/install/agent-config-merge.types.d.ts.map +1 -0
  51. package/dist/src/install/agent-config-merge.types.js +83 -0
  52. package/dist/src/install/agent-config-merge.types.js.map +1 -0
  53. package/dist/src/install/agent-config-merge.yaml.d.ts +46 -0
  54. package/dist/src/install/agent-config-merge.yaml.d.ts.map +1 -0
  55. package/dist/src/install/agent-config-merge.yaml.js +133 -0
  56. package/dist/src/install/agent-config-merge.yaml.js.map +1 -0
  57. package/dist/src/install/agent-config-merge.yaml.test.d.ts +2 -0
  58. package/dist/src/install/agent-config-merge.yaml.test.d.ts.map +1 -0
  59. package/dist/src/install/agent-config-merge.yaml.test.js +210 -0
  60. package/dist/src/install/agent-config-merge.yaml.test.js.map +1 -0
  61. package/dist/src/install/agent-harness-targets.d.ts +98 -0
  62. package/dist/src/install/agent-harness-targets.d.ts.map +1 -0
  63. package/dist/src/install/agent-harness-targets.js +154 -0
  64. package/dist/src/install/agent-harness-targets.js.map +1 -0
  65. package/dist/src/install/agent-home-relocate.d.ts +29 -0
  66. package/dist/src/install/agent-home-relocate.d.ts.map +1 -0
  67. package/dist/src/install/agent-home-relocate.js +38 -0
  68. package/dist/src/install/agent-home-relocate.js.map +1 -0
  69. package/dist/src/install/agent-manifest-path-guard.d.ts +55 -0
  70. package/dist/src/install/agent-manifest-path-guard.d.ts.map +1 -0
  71. package/dist/src/install/agent-manifest-path-guard.js +109 -0
  72. package/dist/src/install/agent-manifest-path-guard.js.map +1 -0
  73. package/dist/src/install/agent-manifest-path-guard.test.d.ts +2 -0
  74. package/dist/src/install/agent-manifest-path-guard.test.d.ts.map +1 -0
  75. package/dist/src/install/agent-manifest-path-guard.test.js +72 -0
  76. package/dist/src/install/agent-manifest-path-guard.test.js.map +1 -0
  77. package/dist/src/install/agent-manifest.d.ts +58 -0
  78. package/dist/src/install/agent-manifest.d.ts.map +1 -0
  79. package/dist/src/install/agent-manifest.js +103 -0
  80. package/dist/src/install/agent-manifest.js.map +1 -0
  81. package/dist/src/install/agent-pack-installer.d.ts +39 -0
  82. package/dist/src/install/agent-pack-installer.d.ts.map +1 -0
  83. package/dist/src/install/agent-pack-installer.entry.d.ts +55 -0
  84. package/dist/src/install/agent-pack-installer.entry.d.ts.map +1 -0
  85. package/dist/src/install/agent-pack-installer.entry.js +90 -0
  86. package/dist/src/install/agent-pack-installer.entry.js.map +1 -0
  87. package/dist/src/install/agent-pack-installer.fs-helpers.d.ts +33 -0
  88. package/dist/src/install/agent-pack-installer.fs-helpers.d.ts.map +1 -0
  89. package/dist/src/install/agent-pack-installer.fs-helpers.js +59 -0
  90. package/dist/src/install/agent-pack-installer.fs-helpers.js.map +1 -0
  91. package/dist/src/install/agent-pack-installer.harness.d.ts +66 -0
  92. package/dist/src/install/agent-pack-installer.harness.d.ts.map +1 -0
  93. package/dist/src/install/agent-pack-installer.harness.js +310 -0
  94. package/dist/src/install/agent-pack-installer.harness.js.map +1 -0
  95. package/dist/src/install/agent-pack-installer.js +221 -0
  96. package/dist/src/install/agent-pack-installer.js.map +1 -0
  97. package/dist/src/install/agent-pack-installer.preserve.test.d.ts +11 -0
  98. package/dist/src/install/agent-pack-installer.preserve.test.d.ts.map +1 -0
  99. package/dist/src/install/agent-pack-installer.preserve.test.js +72 -0
  100. package/dist/src/install/agent-pack-installer.preserve.test.js.map +1 -0
  101. package/dist/src/install/agent-pack-installer.test.d.ts +2 -0
  102. package/dist/src/install/agent-pack-installer.test.d.ts.map +1 -0
  103. package/dist/src/install/agent-pack-installer.test.js +350 -0
  104. package/dist/src/install/agent-pack-installer.test.js.map +1 -0
  105. package/dist/src/install/agent-pack-installer.types.d.ts +51 -0
  106. package/dist/src/install/agent-pack-installer.types.d.ts.map +1 -0
  107. package/dist/src/install/agent-pack-installer.types.js +16 -0
  108. package/dist/src/install/agent-pack-installer.types.js.map +1 -0
  109. package/dist/src/install/agent-pack-uninstaller.d.ts +43 -0
  110. package/dist/src/install/agent-pack-uninstaller.d.ts.map +1 -0
  111. package/dist/src/install/agent-pack-uninstaller.js +113 -0
  112. package/dist/src/install/agent-pack-uninstaller.js.map +1 -0
  113. package/dist/src/install/agent-pack-uninstaller.test.d.ts +2 -0
  114. package/dist/src/install/agent-pack-uninstaller.test.d.ts.map +1 -0
  115. package/dist/src/install/agent-pack-uninstaller.test.js +212 -0
  116. package/dist/src/install/agent-pack-uninstaller.test.js.map +1 -0
  117. package/dist/src/install/index.d.ts +7 -0
  118. package/dist/src/install/index.d.ts.map +1 -1
  119. package/dist/src/install/index.js +7 -0
  120. package/dist/src/install/index.js.map +1 -1
  121. package/dist/src/install/paths.d.ts +1 -1
  122. package/dist/src/install/paths.d.ts.map +1 -1
  123. package/dist/src/install/paths.js +4 -0
  124. package/dist/src/install/paths.js.map +1 -1
  125. package/dist/src/install/paths.test.js +15 -0
  126. package/dist/src/install/paths.test.js.map +1 -1
  127. package/dist/src/journal/hash.d.ts +13 -0
  128. package/dist/src/journal/hash.d.ts.map +1 -0
  129. package/dist/src/journal/hash.js +16 -0
  130. package/dist/src/journal/hash.js.map +1 -0
  131. package/dist/src/journal/index.d.ts +15 -0
  132. package/dist/src/journal/index.d.ts.map +1 -0
  133. package/dist/src/journal/index.js +15 -0
  134. package/dist/src/journal/index.js.map +1 -0
  135. package/dist/src/journal/journal.test.d.ts +16 -0
  136. package/dist/src/journal/journal.test.d.ts.map +1 -0
  137. package/dist/src/journal/journal.test.js +171 -0
  138. package/dist/src/journal/journal.test.js.map +1 -0
  139. package/dist/src/journal/path.d.ts +44 -0
  140. package/dist/src/journal/path.d.ts.map +1 -0
  141. package/dist/src/journal/path.js +61 -0
  142. package/dist/src/journal/path.js.map +1 -0
  143. package/dist/src/journal/reader.d.ts +38 -0
  144. package/dist/src/journal/reader.d.ts.map +1 -0
  145. package/dist/src/journal/reader.js +93 -0
  146. package/dist/src/journal/reader.js.map +1 -0
  147. package/dist/src/journal/types.d.ts +87 -0
  148. package/dist/src/journal/types.d.ts.map +1 -0
  149. package/dist/src/journal/types.js +21 -0
  150. package/dist/src/journal/types.js.map +1 -0
  151. package/dist/src/journal/writer.d.ts +52 -0
  152. package/dist/src/journal/writer.d.ts.map +1 -0
  153. package/dist/src/journal/writer.js +125 -0
  154. package/dist/src/journal/writer.js.map +1 -0
  155. package/dist/src/logging/context.d.ts +58 -0
  156. package/dist/src/logging/context.d.ts.map +1 -0
  157. package/dist/src/logging/context.js +62 -0
  158. package/dist/src/logging/context.js.map +1 -0
  159. package/dist/src/logging/context.test.d.ts +14 -0
  160. package/dist/src/logging/context.test.d.ts.map +1 -0
  161. package/dist/src/logging/context.test.js +88 -0
  162. package/dist/src/logging/context.test.js.map +1 -0
  163. package/dist/src/logging/index.d.ts +13 -0
  164. package/dist/src/logging/index.d.ts.map +1 -0
  165. package/dist/src/logging/index.js +12 -0
  166. package/dist/src/logging/index.js.map +1 -0
  167. package/dist/src/logging/logger.d.ts +71 -0
  168. package/dist/src/logging/logger.d.ts.map +1 -0
  169. package/dist/src/logging/logger.js +264 -0
  170. package/dist/src/logging/logger.js.map +1 -0
  171. package/dist/src/logging/logger.test.d.ts +9 -0
  172. package/dist/src/logging/logger.test.d.ts.map +1 -0
  173. package/dist/src/logging/logger.test.js +320 -0
  174. package/dist/src/logging/logger.test.js.map +1 -0
  175. package/dist/src/logging/redact.d.ts +35 -0
  176. package/dist/src/logging/redact.d.ts.map +1 -0
  177. package/dist/src/logging/redact.js +152 -0
  178. package/dist/src/logging/redact.js.map +1 -0
  179. package/dist/src/logging/redact.test.d.ts +8 -0
  180. package/dist/src/logging/redact.test.d.ts.map +1 -0
  181. package/dist/src/logging/redact.test.js +330 -0
  182. package/dist/src/logging/redact.test.js.map +1 -0
  183. package/dist/src/logging/rotation.d.ts +75 -0
  184. package/dist/src/logging/rotation.d.ts.map +1 -0
  185. package/dist/src/logging/rotation.js +284 -0
  186. package/dist/src/logging/rotation.js.map +1 -0
  187. package/dist/src/logging/rotation.test.d.ts +11 -0
  188. package/dist/src/logging/rotation.test.d.ts.map +1 -0
  189. package/dist/src/logging/rotation.test.js +132 -0
  190. package/dist/src/logging/rotation.test.js.map +1 -0
  191. package/dist/src/logging/types.d.ts +69 -0
  192. package/dist/src/logging/types.d.ts.map +1 -0
  193. package/dist/src/logging/types.js +9 -0
  194. package/dist/src/logging/types.js.map +1 -0
  195. package/dist/src/paywall-triggers/index.d.ts +13 -0
  196. package/dist/src/paywall-triggers/index.d.ts.map +1 -0
  197. package/dist/src/paywall-triggers/index.js +13 -0
  198. package/dist/src/paywall-triggers/index.js.map +1 -0
  199. package/dist/src/paywall-triggers/path.d.ts +47 -0
  200. package/dist/src/paywall-triggers/path.d.ts.map +1 -0
  201. package/dist/src/paywall-triggers/path.js +73 -0
  202. package/dist/src/paywall-triggers/path.js.map +1 -0
  203. package/dist/src/paywall-triggers/store.d.ts +75 -0
  204. package/dist/src/paywall-triggers/store.d.ts.map +1 -0
  205. package/dist/src/paywall-triggers/store.js +122 -0
  206. package/dist/src/paywall-triggers/store.js.map +1 -0
  207. package/dist/src/paywall-triggers/store.test.d.ts +2 -0
  208. package/dist/src/paywall-triggers/store.test.d.ts.map +1 -0
  209. package/dist/src/paywall-triggers/store.test.js +121 -0
  210. package/dist/src/paywall-triggers/store.test.js.map +1 -0
  211. package/dist/src/paywall-triggers/types.d.ts +24 -0
  212. package/dist/src/paywall-triggers/types.d.ts.map +1 -0
  213. package/dist/src/paywall-triggers/types.js +13 -0
  214. package/dist/src/paywall-triggers/types.js.map +1 -0
  215. package/dist/src/security/index.d.ts +2 -0
  216. package/dist/src/security/index.d.ts.map +1 -1
  217. package/dist/src/security/index.js +4 -0
  218. package/dist/src/security/index.js.map +1 -1
  219. package/dist/src/security/scanner/SecurityScanner.compound.d.ts +13 -0
  220. package/dist/src/security/scanner/SecurityScanner.compound.d.ts.map +1 -0
  221. package/dist/src/security/scanner/SecurityScanner.compound.js +127 -0
  222. package/dist/src/security/scanner/SecurityScanner.compound.js.map +1 -0
  223. package/dist/src/security/scanner/SecurityScanner.d.ts.map +1 -1
  224. package/dist/src/security/scanner/SecurityScanner.hostile-update.d.ts +46 -0
  225. package/dist/src/security/scanner/SecurityScanner.hostile-update.d.ts.map +1 -0
  226. package/dist/src/security/scanner/SecurityScanner.hostile-update.js +209 -0
  227. package/dist/src/security/scanner/SecurityScanner.hostile-update.js.map +1 -0
  228. package/dist/src/security/scanner/SecurityScanner.js +10 -1
  229. package/dist/src/security/scanner/SecurityScanner.js.map +1 -1
  230. package/dist/src/security/scanner/SecurityScanner.pii.d.ts +23 -0
  231. package/dist/src/security/scanner/SecurityScanner.pii.d.ts.map +1 -0
  232. package/dist/src/security/scanner/SecurityScanner.pii.js +152 -0
  233. package/dist/src/security/scanner/SecurityScanner.pii.js.map +1 -0
  234. package/dist/src/security/scanner/SecurityScanner.scanners.d.ts +5 -12
  235. package/dist/src/security/scanner/SecurityScanner.scanners.d.ts.map +1 -1
  236. package/dist/src/security/scanner/SecurityScanner.scanners.js +63 -137
  237. package/dist/src/security/scanner/SecurityScanner.scanners.js.map +1 -1
  238. package/dist/src/security/scanner/index.d.ts +2 -1
  239. package/dist/src/security/scanner/index.d.ts.map +1 -1
  240. package/dist/src/security/scanner/index.js +2 -0
  241. package/dist/src/security/scanner/index.js.map +1 -1
  242. package/dist/src/security/scanner/patterns.d.ts +2 -0
  243. package/dist/src/security/scanner/patterns.d.ts.map +1 -1
  244. package/dist/src/security/scanner/patterns.js +79 -11
  245. package/dist/src/security/scanner/patterns.js.map +1 -1
  246. package/dist/src/security/scanner/types.d.ts +23 -0
  247. package/dist/src/security/scanner/types.d.ts.map +1 -1
  248. package/dist/src/services/agent-pack/agent-pack.test.d.ts +18 -0
  249. package/dist/src/services/agent-pack/agent-pack.test.d.ts.map +1 -0
  250. package/dist/src/services/agent-pack/agent-pack.test.js +344 -0
  251. package/dist/src/services/agent-pack/agent-pack.test.js.map +1 -0
  252. package/dist/src/services/agent-pack/hooks.d.ts +29 -0
  253. package/dist/src/services/agent-pack/hooks.d.ts.map +1 -0
  254. package/dist/src/services/agent-pack/hooks.js +139 -0
  255. package/dist/src/services/agent-pack/hooks.js.map +1 -0
  256. package/dist/src/services/agent-pack/index.d.ts +26 -0
  257. package/dist/src/services/agent-pack/index.d.ts.map +1 -0
  258. package/dist/src/services/agent-pack/index.js +109 -0
  259. package/dist/src/services/agent-pack/index.js.map +1 -0
  260. package/dist/src/services/agent-pack/prompt-source.d.ts +47 -0
  261. package/dist/src/services/agent-pack/prompt-source.d.ts.map +1 -0
  262. package/dist/src/services/agent-pack/prompt-source.js +182 -0
  263. package/dist/src/services/agent-pack/prompt-source.js.map +1 -0
  264. package/dist/src/services/agent-pack/shims.d.ts +40 -0
  265. package/dist/src/services/agent-pack/shims.d.ts.map +1 -0
  266. package/dist/src/services/agent-pack/shims.js +96 -0
  267. package/dist/src/services/agent-pack/shims.js.map +1 -0
  268. package/dist/src/services/agent-pack/skill-md.d.ts +35 -0
  269. package/dist/src/services/agent-pack/skill-md.d.ts.map +1 -0
  270. package/dist/src/services/agent-pack/skill-md.js +89 -0
  271. package/dist/src/services/agent-pack/skill-md.js.map +1 -0
  272. package/dist/src/services/agent-pack/types.d.ts +118 -0
  273. package/dist/src/services/agent-pack/types.d.ts.map +1 -0
  274. package/dist/src/services/agent-pack/types.js +61 -0
  275. package/dist/src/services/agent-pack/types.js.map +1 -0
  276. package/dist/src/services/agent-tool-profile.d.ts +59 -0
  277. package/dist/src/services/agent-tool-profile.d.ts.map +1 -0
  278. package/dist/src/services/agent-tool-profile.js +76 -0
  279. package/dist/src/services/agent-tool-profile.js.map +1 -0
  280. package/dist/src/services/agent-tool-profile.test.d.ts +2 -0
  281. package/dist/src/services/agent-tool-profile.test.d.ts.map +1 -0
  282. package/dist/src/services/agent-tool-profile.test.js +28 -0
  283. package/dist/src/services/agent-tool-profile.test.js.map +1 -0
  284. package/dist/src/services/bundled-sibling-scan.d.ts +111 -0
  285. package/dist/src/services/bundled-sibling-scan.d.ts.map +1 -0
  286. package/dist/src/services/bundled-sibling-scan.js +170 -0
  287. package/dist/src/services/bundled-sibling-scan.js.map +1 -0
  288. package/dist/src/services/skill-installation.io.d.ts +16 -5
  289. package/dist/src/services/skill-installation.io.d.ts.map +1 -1
  290. package/dist/src/services/skill-installation.io.js +63 -22
  291. package/dist/src/services/skill-installation.io.js.map +1 -1
  292. package/dist/src/services/skill-installation.policy.d.ts +96 -0
  293. package/dist/src/services/skill-installation.policy.d.ts.map +1 -0
  294. package/dist/src/services/skill-installation.policy.js +144 -0
  295. package/dist/src/services/skill-installation.policy.js.map +1 -0
  296. package/dist/src/services/skill-installation.service.d.ts.map +1 -1
  297. package/dist/src/services/skill-installation.service.js +9 -3
  298. package/dist/src/services/skill-installation.service.js.map +1 -1
  299. package/dist/src/sources/index.d.ts +1 -0
  300. package/dist/src/sources/index.d.ts.map +1 -1
  301. package/dist/src/sources/index.js +4 -0
  302. package/dist/src/sources/index.js.map +1 -1
  303. package/dist/src/sync/access-token.d.ts +27 -0
  304. package/dist/src/sync/access-token.d.ts.map +1 -0
  305. package/dist/src/sync/access-token.js +40 -0
  306. package/dist/src/sync/access-token.js.map +1 -0
  307. package/dist/src/sync/audit-notify-client.d.ts +83 -0
  308. package/dist/src/sync/audit-notify-client.d.ts.map +1 -0
  309. package/dist/src/sync/audit-notify-client.js +126 -0
  310. package/dist/src/sync/audit-notify-client.js.map +1 -0
  311. package/dist/src/sync/audit-notify-client.test.d.ts +14 -0
  312. package/dist/src/sync/audit-notify-client.test.d.ts.map +1 -0
  313. package/dist/src/sync/audit-notify-client.test.js +133 -0
  314. package/dist/src/sync/audit-notify-client.test.js.map +1 -0
  315. package/dist/src/sync/index.d.ts +2 -1
  316. package/dist/src/sync/index.d.ts.map +1 -1
  317. package/dist/src/sync/index.js +3 -1
  318. package/dist/src/sync/index.js.map +1 -1
  319. package/dist/src/sync/inventory-client.d.ts +16 -0
  320. package/dist/src/sync/inventory-client.d.ts.map +1 -1
  321. package/dist/src/sync/inventory-client.js +59 -16
  322. package/dist/src/sync/inventory-client.js.map +1 -1
  323. package/dist/src/sync/inventory-client.test.js +67 -1
  324. package/dist/src/sync/inventory-client.test.js.map +1 -1
  325. package/dist/src/sync/inventory-collector.d.ts.map +1 -1
  326. package/dist/src/sync/inventory-collector.js +32 -5
  327. package/dist/src/sync/inventory-collector.js.map +1 -1
  328. package/dist/src/sync/inventory-collector.test.js +50 -1
  329. package/dist/src/sync/inventory-collector.test.js.map +1 -1
  330. package/dist/src/sync/inventory-types.d.ts +9 -0
  331. package/dist/src/sync/inventory-types.d.ts.map +1 -1
  332. package/dist/src/sync/inventory-types.js +3 -0
  333. package/dist/src/sync/inventory-types.js.map +1 -1
  334. package/dist/src/telemetry/agent-marker.d.ts +137 -0
  335. package/dist/src/telemetry/agent-marker.d.ts.map +1 -0
  336. package/dist/src/telemetry/agent-marker.js +242 -0
  337. package/dist/src/telemetry/agent-marker.js.map +1 -0
  338. package/dist/src/telemetry/agent-marker.test.d.ts +13 -0
  339. package/dist/src/telemetry/agent-marker.test.d.ts.map +1 -0
  340. package/dist/src/telemetry/agent-marker.test.js +202 -0
  341. package/dist/src/telemetry/agent-marker.test.js.map +1 -0
  342. package/dist/src/telemetry/index.d.ts +2 -1
  343. package/dist/src/telemetry/index.d.ts.map +1 -1
  344. package/dist/src/telemetry/index.js +6 -1
  345. package/dist/src/telemetry/index.js.map +1 -1
  346. package/dist/src/telemetry/posthog.d.ts +25 -0
  347. package/dist/src/telemetry/posthog.d.ts.map +1 -1
  348. package/dist/src/telemetry/posthog.js +10 -1
  349. package/dist/src/telemetry/posthog.js.map +1 -1
  350. package/dist/src/telemetry/wrap.bench.js +5 -0
  351. package/dist/src/telemetry/wrap.bench.js.map +1 -1
  352. package/dist/src/telemetry/wrap.correlation.test.d.ts +20 -0
  353. package/dist/src/telemetry/wrap.correlation.test.d.ts.map +1 -0
  354. package/dist/src/telemetry/wrap.correlation.test.js +174 -0
  355. package/dist/src/telemetry/wrap.correlation.test.js.map +1 -0
  356. package/dist/src/telemetry/wrap.d.ts +28 -7
  357. package/dist/src/telemetry/wrap.d.ts.map +1 -1
  358. package/dist/src/telemetry/wrap.gate.test.d.ts +22 -0
  359. package/dist/src/telemetry/wrap.gate.test.d.ts.map +1 -0
  360. package/dist/src/telemetry/wrap.gate.test.js +202 -0
  361. package/dist/src/telemetry/wrap.gate.test.js.map +1 -0
  362. package/dist/src/telemetry/wrap.js +196 -52
  363. package/dist/src/telemetry/wrap.js.map +1 -1
  364. package/dist/src/telemetry/wrap.marker.test.d.ts +16 -0
  365. package/dist/src/telemetry/wrap.marker.test.d.ts.map +1 -0
  366. package/dist/src/telemetry/wrap.marker.test.js +190 -0
  367. package/dist/src/telemetry/wrap.marker.test.js.map +1 -0
  368. package/dist/src/telemetry/wrap.test.js +14 -0
  369. package/dist/src/telemetry/wrap.test.js.map +1 -1
  370. package/dist/src/types.d.ts +6 -0
  371. package/dist/src/types.d.ts.map +1 -1
  372. package/dist/tests/SecurityScanner.exec.test.js +60 -0
  373. package/dist/tests/SecurityScanner.exec.test.js.map +1 -1
  374. package/dist/tests/security/ContinuousSecurity.test.js +10 -4
  375. package/dist/tests/security/ContinuousSecurity.test.js.map +1 -1
  376. package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts +2 -0
  377. package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts.map +1 -0
  378. package/dist/tests/security/SecurityScanner.chmod-evasion.test.js +126 -0
  379. package/dist/tests/security/SecurityScanner.chmod-evasion.test.js.map +1 -0
  380. package/dist/tests/security/chmod-compound.test.d.ts +2 -0
  381. package/dist/tests/security/chmod-compound.test.d.ts.map +1 -0
  382. package/dist/tests/security/chmod-compound.test.js +188 -0
  383. package/dist/tests/security/chmod-compound.test.js.map +1 -0
  384. package/dist/tests/security/pii-detection.test.js +24 -0
  385. package/dist/tests/security/pii-detection.test.js.map +1 -1
  386. package/dist/tests/security/scanner-regression-guard.test.d.ts +23 -7
  387. package/dist/tests/security/scanner-regression-guard.test.d.ts.map +1 -1
  388. package/dist/tests/security/scanner-regression-guard.test.js +206 -12
  389. package/dist/tests/security/scanner-regression-guard.test.js.map +1 -1
  390. package/dist/tests/security/sensitive-path-fp.test.d.ts +2 -0
  391. package/dist/tests/security/sensitive-path-fp.test.d.ts.map +1 -0
  392. package/dist/tests/security/sensitive-path-fp.test.js +142 -0
  393. package/dist/tests/security/sensitive-path-fp.test.js.map +1 -0
  394. package/dist/tests/services/bundled-sibling-scan.test.d.ts +2 -0
  395. package/dist/tests/services/bundled-sibling-scan.test.d.ts.map +1 -0
  396. package/dist/tests/services/bundled-sibling-scan.test.js +139 -0
  397. package/dist/tests/services/bundled-sibling-scan.test.js.map +1 -0
  398. package/dist/tests/unit/services/skill-installation.io.test.js +166 -0
  399. package/dist/tests/unit/services/skill-installation.io.test.js.map +1 -1
  400. package/dist/tests/unit/services/skill-installation.policy.test.d.ts +8 -0
  401. package/dist/tests/unit/services/skill-installation.policy.test.d.ts.map +1 -0
  402. package/dist/tests/unit/services/skill-installation.policy.test.js +151 -0
  403. package/dist/tests/unit/services/skill-installation.policy.test.js.map +1 -0
  404. package/package.json +28 -3
@@ -0,0 +1,127 @@
1
+ // Extracted from SecurityScanner.scanners.ts (SMI-5434) — previously lines 259–360.
2
+ /**
3
+ * Security Scanner — compound chmod+fetch signal detector
4
+ * @module @skillsmith/core/security/scanner/SecurityScanner.compound
5
+ *
6
+ * SMI-5434: Section 2 of SecurityScanner.scanners.ts extracted so that the
7
+ * upcoming SMI-5433 regex widening (~40 lines) can land without breaching the
8
+ * 500-line audit:standards gate. Pure functions of (content, alreadyFlaggedLines,
9
+ * lineContexts) — no scanner instance state.
10
+ */
11
+ import { analyzeMarkdownContext, isDocumentationContext, isWithinInlineCode, } from './SecurityScanner.helpers.js';
12
+ import { safeRegexTest } from './regex-utils.js';
13
+ /**
14
+ * SMI-5424 PR2: owner-permission chmod is a COMPOUND signal, not standalone —
15
+ * `chmod 755 ./bin/cli` / `chmod +x build.sh` previously false-fired
16
+ * privilege_escalation:critical. It now emits HIGH only when a fetch COMMAND
17
+ * (curl/wget/git-clone/npx-to-URL) is within ±1 line OR the chmod target is the
18
+ * DOWNLOAD DESTINATION of a fetch command anywhere (distance-independent, so filler
19
+ * lines can't evade the ±1 window) — the "download a payload, chmod it, run it" shape.
20
+ * Kills the FP while PRESERVING the chmod co-signal escalateCodeExecution needs (it
21
+ * only accepts high/critical non-doc co-signals). World-writable / setuid chmod stay
22
+ * standalone-critical in PRIVILEGE_ESCALATION_PATTERNS; `alreadyFlaggedLines` prevents
23
+ * double-emit. SMI-5431: "destination" covers explicit (-o/-O/--output<space>/>) AND
24
+ * implicit (wget no -O / git clone / curl --output=) targets; a bare `curl <url>` GET
25
+ * writes to STDOUT so it is NOT correlated (the URL-path-segment FP a prior review caught).
26
+ * The ONLY uncaught residual: a SPACED `curl … | bash` (no filename) + a NON-adjacent chmod.
27
+ */
28
+ // SMI-5433: widened to cover comma-separated symbolic (a+w,o+x), recursive flag (-R/-Rv),
29
+ // and assignment operator (u=rwx,g=rx) evasion forms. The optional `(?:-[A-Za-z]+\s+)?`
30
+ // cluster covers -R, -Rv, -fR and any single-dash letter cluster POSIX chmod supports;
31
+ // `[+\-=]` covers +, -, = operators; `[rwxXstugo]*` (zero-or-more) means `chmod a=`
32
+ // (empty body, clears perms) also matches — intentional TP behavior per plan.
33
+ // FIX (adversarial review SMI-5433): `[ugoa]*` (zero-or-more, not `+` one-or-more) so
34
+ // that bare `chmod +x foo` (no u/g/o/a prefix — the most common make-executable form
35
+ // in install scripts and malicious droppers) still matches.
36
+ const OWNER_PERM_CHMOD = /\bchmod\s+(?:-[A-Za-z]+\s+)?(?:[0-7]{3,4}|[ugoa]*(?:[+\-=][rwxXstugo]+(?:,[ugoa]*[+\-=][rwxXstugo]*)*)+)/i;
37
+ // FIX-1: actual fetch COMMANDS only — bare prose tokens (`# downloaded`, `See https://…`,
38
+ // `npx tool init`) false-fired next to a chmod. curl/wget/git-clone, and npx only with a URL.
39
+ const CHMOD_FETCH_CONTEXT = /\b(?:curl|wget)\b|\bgit\s+clone\b|\bnpx\b[^\n]{0,80}https?:\/\//i;
40
+ // FIX-2: capture the chmod target path so a fetch command anywhere correlates by basename.
41
+ // SMI-5433: prefix widened to match the same extended forms as OWNER_PERM_CHMOD; capture
42
+ // group (\S+) (the target path) is unchanged.
43
+ const CHMOD_TARGET = /\bchmod\s+(?:-[A-Za-z]+\s+)?(?:[0-7]{3,4}|[ugoa]*(?:[+\-=][rwxXstugo]+(?:,[ugoa]*[+\-=][rwxXstugo]*)*)+)\s+(\S+)/i;
44
+ function escapeRegExp(s) {
45
+ return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
46
+ }
47
+ // SMI-5431: the IMPLICIT download destination of a fetch command — the file written with
48
+ // NO explicit -o/-O/--output<space>/> redirect: `wget <url>` (no -O/-o) → URL last segment;
49
+ // `git clone <url>` → repo dir (minus `.git`); `curl --output=<file>` (equals form, missed by
50
+ // the explicit regex). A bare `curl <url>` GET writes to STDOUT → '' (never correlates). ReDoS-safe.
51
+ function implicitDownloadBasename(line) {
52
+ const lastSegment = (urlAfterScheme) => {
53
+ const noFrag = urlAfterScheme.split(/[?#]/)[0];
54
+ const slash = noFrag.indexOf('/'); // first slash = end of host
55
+ if (slash < 0)
56
+ return ''; // host only -> wget writes index.html
57
+ const path = noFrag.slice(slash + 1).replace(/\/+$/, '');
58
+ return path === '' ? '' : (path.split('/').pop() ?? '');
59
+ };
60
+ const wget = line.match(/\bwget\b(?![^\n]{0,200}\s-[oO]\b)[^\n]{0,200}?https?:\/\/(\S{1,400})/i);
61
+ if (wget)
62
+ return lastSegment(wget[1]);
63
+ const clone = line.match(/\bgit\s+clone\b[^\n]{0,200}?https?:\/\/(\S{1,400})/i);
64
+ if (clone)
65
+ return lastSegment(clone[1]).replace(/\.git$/i, '');
66
+ const curlEq = line.match(/\bcurl\b[^\n]{0,200}?--output=['"]?(\S{1,400})/i);
67
+ if (curlEq)
68
+ return curlEq[1].replace(/['"]/g, '').split('/').pop() ?? '';
69
+ return '';
70
+ }
71
+ export function scanChmodFetchCompound(content, alreadyFlaggedLines, lineContexts) {
72
+ const findings = [];
73
+ const lines = content.split('\n');
74
+ const contexts = lineContexts ?? analyzeMarkdownContext(content);
75
+ // FIX-2: lines carrying a fetch command, for distance-independent correlation.
76
+ // H-6 (SMI-5433): route through safeRegexTest so the 10,000-char cap applies uniformly
77
+ // to the per-line filter too (CHMOD_FETCH_CONTEXT is provably linear, so this is
78
+ // defense-in-depth consistency, not a ReDoS fix).
79
+ const fetchLines = lines.filter((l) => safeRegexTest(CHMOD_FETCH_CONTEXT, l) !== null);
80
+ lines.forEach((line, index) => {
81
+ const lineNumber = index + 1;
82
+ // World-writable / setuid already emitted critical for this line — skip.
83
+ if (alreadyFlaggedLines.has(lineNumber))
84
+ return;
85
+ const match = safeRegexTest(OWNER_PERM_CHMOD, line);
86
+ if (!match)
87
+ return;
88
+ // Bounded ±1-line window for the download-then-chmod adjacency.
89
+ const window = [lines[index - 1] ?? '', line, lines[index + 1] ?? ''].join('\n');
90
+ // H-6 (SMI-5433): route through safeRegexTest for the 10,000-char cap.
91
+ const adjacentFetch = safeRegexTest(CHMOD_FETCH_CONTEXT, window) !== null;
92
+ // FIX-2 + SMI-5431: correlate the chmod target basename (≥3 chars) against a fetch
93
+ // command's DOWNLOAD DESTINATION anywhere — explicit (-o/-O/--output<space>/>, with an
94
+ // optional leading path) via regex, OR implicit (wget/git-clone/curl --output=) via
95
+ // exact-token equality. Anchored on the destination, NOT basename-anywhere, so a URL
96
+ // path / query / header value (governance FP class) and a bare curl GET do not correlate.
97
+ let correlated = false;
98
+ // H-6 (SMI-5433): route through safeRegexTest for the 10,000-char cap.
99
+ const tm = safeRegexTest(CHMOD_TARGET, line);
100
+ if (tm) {
101
+ const base = tm[1].replace(/['"]/g, '').split('/').pop() ?? '';
102
+ if (base.length >= 3) {
103
+ const re = new RegExp(`(?:-o|-O|--output|>>?)\\s*['"]?(?:[^\\s'"]*/)?${escapeRegExp(base)}(?:[\\s'"?]|$)`);
104
+ correlated = fetchLines.some((l) => re.test(l) || implicitDownloadBasename(l) === base);
105
+ }
106
+ }
107
+ if (!adjacentFetch && !correlated)
108
+ return; // benign standalone chmod — no finding
109
+ const ctx = contexts[index];
110
+ const inInlineCode = ctx?.isInlineCode && isWithinInlineCode(line, match.index ?? 0);
111
+ const inDocContext = ctx ? isDocumentationContext(ctx) || inInlineCode : false;
112
+ findings.push({
113
+ type: 'privilege_escalation',
114
+ // HIGH (not critical): enough to trip Gate-A AND serve as an
115
+ // escalateCodeExecution co-signal, without re-introducing a critical FP.
116
+ severity: inDocContext ? 'low' : 'high',
117
+ message: `chmod of a fetched/downloaded file (compound with a download verb): "${match[0]}"`,
118
+ location: line.trim().slice(0, 100),
119
+ lineNumber,
120
+ category: 'privilege_escalation',
121
+ inDocumentationContext: inDocContext,
122
+ confidence: inDocContext ? 'low' : 'high',
123
+ });
124
+ });
125
+ return findings;
126
+ }
127
+ //# sourceMappingURL=SecurityScanner.compound.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"SecurityScanner.compound.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.compound.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF;;;;;;;;GAQG;AAIH,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA;AAEhD;;;;;;;;;;;;;;GAcG;AACH,0FAA0F;AAC1F,wFAAwF;AACxF,uFAAuF;AACvF,oFAAoF;AACpF,8EAA8E;AAC9E,sFAAsF;AACtF,qFAAqF;AACrF,4DAA4D;AAC5D,MAAM,gBAAgB,GACpB,2GAA2G,CAAA;AAC7G,0FAA0F;AAC1F,8FAA8F;AAC9F,MAAM,mBAAmB,GAAG,kEAAkE,CAAA;AAC9F,2FAA2F;AAC3F,yFAAyF;AACzF,8CAA8C;AAC9C,MAAM,YAAY,GAChB,mHAAmH,CAAA;AACrH,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;AACjD,CAAC;AACD,yFAAyF;AACzF,4FAA4F;AAC5F,8FAA8F;AAC9F,qGAAqG;AACrG,SAAS,wBAAwB,CAAC,IAAY;IAC5C,MAAM,WAAW,GAAG,CAAC,cAAsB,EAAU,EAAE;QACrD,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;QAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA,CAAC,4BAA4B;QAC9D,IAAI,KAAK,GAAG,CAAC;YAAE,OAAO,EAAE,CAAA,CAAC,sCAAsC;QAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;QACxD,OAAO,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAA;IACzD,CAAC,CAAA;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAA;IAChG,IAAI,IAAI;QAAE,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;IACrC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAA;IAC/E,IAAI,KAAK;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;IAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAA;IAC5E,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;IACxE,OAAO,EAAE,CAAA;AACX,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAe,EACf,mBAAwC,EACxC,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAChE,+EAA+E;IAC/E,uFAAuF;IACvF,iFAAiF;IACjF,kDAAkD;IAClD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,mBAAmB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAA;IAEtF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAA;QAC5B,yEAAyE;QACzE,IAAI,mBAAmB,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAM;QAC/C,MAAM,KAAK,GAAG,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAA;QACnD,IAAI,CAAC,KAAK;YAAE,OAAM;QAClB,gEAAgE;QAChE,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChF,uEAAuE;QACvE,MAAM,aAAa,GAAG,aAAa,CAAC,mBAAmB,EAAE,MAAM,CAAC,KAAK,IAAI,CAAA;QACzE,mFAAmF;QACnF,uFAAuF;QACvF,oFAAoF;QACpF,qFAAqF;QACrF,0FAA0F;QAC1F,IAAI,UAAU,GAAG,KAAK,CAAA;QACtB,uEAAuE;QACvE,MAAM,EAAE,GAAG,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,CAAA;QAC5C,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;YAC9D,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACrB,MAAM,EAAE,GAAG,IAAI,MAAM,CACnB,iDAAiD,YAAY,CAAC,IAAI,CAAC,gBAAgB,CACpF,CAAA;gBACD,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,wBAAwB,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAA;YACzF,CAAC;QACH,CAAC;QACD,IAAI,CAAC,aAAa,IAAI,CAAC,UAAU;YAAE,OAAM,CAAC,uCAAuC;QAEjF,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAC3B,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;QACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;QAC9E,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,sBAAsB;YAC5B,6DAA6D;YAC7D,yEAAyE;YACzE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;YACvC,OAAO,EAAE,wEAAwE,KAAK,CAAC,CAAC,CAAC,GAAG;YAC5F,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACnC,UAAU;YACV,QAAQ,EAAE,sBAAsB;YAChC,sBAAsB,EAAE,YAAY;YACpC,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;SAC1C,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"SecurityScanner.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAmB,UAAU,EAAE,cAAc,EAAqB,MAAM,YAAY,CAAA;AAUhG,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAC/D,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAEnB,MAAM,8BAA8B,CAAA;AAGrC,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAqB5D,OAAO,EACL,aAAa,EACb,OAAO,EACP,mBAAmB,EACnB,SAAS,EACV,MAAM,iCAAiC,CAAA;AAGxC,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,CAAA;AACD,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAA;AAEjE,qBAAa,eAAe;IAC1B,OAAO,CAAC,cAAc,CAAa;IACnC,OAAO,CAAC,eAAe,CAAU;IACjC,OAAO,CAAC,gBAAgB,CAAQ;IAChC,OAAO,CAAC,aAAa,CAAQ;gBAEjB,OAAO,GAAE,cAAmB;IAOxC,OAAO,CAAC,WAAW;IAenB,OAAO,CAAC,eAAe;IAYvB,OAAO,CAAC,QAAQ;IAmBhB,OAAO,CAAC,qBAAqB;IAa7B,OAAO,CAAC,sBAAsB;IA6D9B,OAAO,CAAC,4BAA4B;IAgBpC,0EAA0E;IAC1E,kBAAkB,4BAAqB;IAEvC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,UAAU;IAkDlD,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAOpC,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAItC,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAKxC,MAAM,CAAC,aAAa,uBAAgB;IACpC,MAAM,CAAC,OAAO,iBAAU;IACxB,MAAM,CAAC,mBAAmB,6BAAsB;IAChD,MAAM,CAAC,SAAS,mBAAY;CAC7B;AAED,eAAe,eAAe,CAAA"}
1
+ {"version":3,"file":"SecurityScanner.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAmB,UAAU,EAAE,cAAc,EAAqB,MAAM,YAAY,CAAA;AAUhG,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAC/D,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAEnB,MAAM,8BAA8B,CAAA;AAGrC,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAsB5D,OAAO,EACL,aAAa,EACb,OAAO,EACP,mBAAmB,EACnB,SAAS,EACV,MAAM,iCAAiC,CAAA;AAGxC,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,CAAA;AACD,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAA;AAEjE,qBAAa,eAAe;IAC1B,OAAO,CAAC,cAAc,CAAa;IACnC,OAAO,CAAC,eAAe,CAAU;IACjC,OAAO,CAAC,gBAAgB,CAAQ;IAChC,OAAO,CAAC,aAAa,CAAQ;gBAEjB,OAAO,GAAE,cAAmB;IAOxC,OAAO,CAAC,WAAW;IAenB,OAAO,CAAC,eAAe;IAYvB,OAAO,CAAC,QAAQ;IAmBhB,OAAO,CAAC,qBAAqB;IAa7B,OAAO,CAAC,sBAAsB;IA6D9B,OAAO,CAAC,4BAA4B;IAgBpC,0EAA0E;IAC1E,kBAAkB,4BAAqB;IAEvC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,UAAU;IA6DlD,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAOpC,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAItC,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAKxC,MAAM,CAAC,aAAa,uBAAgB;IACpC,MAAM,CAAC,OAAO,iBAAU;IACxB,MAAM,CAAC,mBAAmB,6BAAsB;IAChD,MAAM,CAAC,SAAS,mBAAY;CAC7B;AAED,eAAe,eAAe,CAAA"}
@@ -0,0 +1,46 @@
1
+ /**
2
+ * Hostile-Update Detection — R0 Wave 2A (SMI-5535)
3
+ * @module @skillsmith/core/security/scanner/SecurityScanner.hostile-update
4
+ *
5
+ * A PURE comparator (no I/O, no clock, no mutation of its inputs) that detects a
6
+ * benign→malicious "rug-pull" between two SecurityScanner scans of the SAME
7
+ * skill. The scanner already blocks a skill that is malicious on first sight;
8
+ * this detector catches the harder case where an initially-clean skill is
9
+ * silently updated to exfiltrate credentials or execute remote payloads.
10
+ *
11
+ * The verdict is delta-based: it never re-scores content, it only reasons about
12
+ * what changed between `previous` and `current`. "hostile" is reserved for the
13
+ * benign→malicious transition — a skill that was ALREADY flagged and merely got
14
+ * worse is a worsening (`suspicious`), not a fresh rug-pull.
15
+ */
16
+ import type { HostileUpdateVerdict, ScanReport } from './types.js';
17
+ /**
18
+ * Default risk-score threshold. Mirrors SecurityScanner's `riskThreshold`
19
+ * default (SMI-5359) so the "crossed the failure bar" signal here lines up with
20
+ * the `passed` computation in `SecurityScanner.scan`.
21
+ */
22
+ export declare const DEFAULT_RISK_THRESHOLD = 40;
23
+ /**
24
+ * Compare two scans of the same skill and classify the transition.
25
+ *
26
+ * Ordering is hostile → suspicious → benign so the strongest signal wins.
27
+ *
28
+ * @param previous Scan of the prior (trusted) version.
29
+ * @param current Scan of the incoming version.
30
+ * @param threshold Risk-score failure bar; defaults to {@link DEFAULT_RISK_THRESHOLD}.
31
+ *
32
+ * CALLER CONTRACT (LOW-2): this value MUST equal the `riskThreshold` the
33
+ * `SecurityScanner` instance used to produce BOTH `previous` and `current`
34
+ * (i.e. the same `ScannerOptions.riskThreshold` — or the scanner's own
35
+ * default of 40, which is why this parameter also defaults to
36
+ * {@link DEFAULT_RISK_THRESHOLD}). `previouslyBenign` below is derived from
37
+ * `previous.passed`, which was computed by the scanner against ITS OWN
38
+ * `riskThreshold` at scan time — if the caller passes a `threshold` here
39
+ * that differs from that value, `crossedThreshold`'s "did the score cross
40
+ * the bar" signal and `previouslyBenign`'s "was it passing" signal are
41
+ * reasoning about two different bars, and the hostile/suspicious/benign
42
+ * verdict can disagree with what `previous.passed` / `current.passed`
43
+ * would say under a freshly-run scan.
44
+ */
45
+ export declare function compareScanReports(previous: ScanReport, current: ScanReport, threshold?: number): HostileUpdateVerdict;
46
+ //# sourceMappingURL=SecurityScanner.hostile-update.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"SecurityScanner.hostile-update.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.hostile-update.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,UAAU,EAIX,MAAM,YAAY,CAAA;AAEnB;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,KAAK,CAAA;AA4GxC;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,UAAU,EACpB,OAAO,EAAE,UAAU,EACnB,SAAS,GAAE,MAA+B,GACzC,oBAAoB,CA+EtB"}
@@ -0,0 +1,209 @@
1
+ /**
2
+ * Hostile-Update Detection — R0 Wave 2A (SMI-5535)
3
+ * @module @skillsmith/core/security/scanner/SecurityScanner.hostile-update
4
+ *
5
+ * A PURE comparator (no I/O, no clock, no mutation of its inputs) that detects a
6
+ * benign→malicious "rug-pull" between two SecurityScanner scans of the SAME
7
+ * skill. The scanner already blocks a skill that is malicious on first sight;
8
+ * this detector catches the harder case where an initially-clean skill is
9
+ * silently updated to exfiltrate credentials or execute remote payloads.
10
+ *
11
+ * The verdict is delta-based: it never re-scores content, it only reasons about
12
+ * what changed between `previous` and `current`. "hostile" is reserved for the
13
+ * benign→malicious transition — a skill that was ALREADY flagged and merely got
14
+ * worse is a worsening (`suspicious`), not a fresh rug-pull.
15
+ */
16
+ /**
17
+ * Default risk-score threshold. Mirrors SecurityScanner's `riskThreshold`
18
+ * default (SMI-5359) so the "crossed the failure bar" signal here lines up with
19
+ * the `passed` computation in `SecurityScanner.scan`.
20
+ */
21
+ export const DEFAULT_RISK_THRESHOLD = 40;
22
+ /**
23
+ * Minimum positive risk jump (short of crossing the threshold) that still counts
24
+ * as a "material" worsening worth a `suspicious` verdict.
25
+ */
26
+ const MATERIAL_RISK_DELTA = 10;
27
+ /**
28
+ * Co-occurrence finding types that, paired with a NEW `code_execution` finding,
29
+ * indicate a supply-chain execution rug-pull. Mirrors the intuition of
30
+ * `escalateCodeExecution`'s CODE_EXECUTION_CO_OCCURRENCE set (SecurityScanner.exec.ts),
31
+ * minus `obfuscated_directive` — a live concealed directive is already critical
32
+ * and self-quarantines on its own, so it needs no code_execution pairing here.
33
+ */
34
+ const SUPPLY_CHAIN_CO_SIGNALS = new Set([
35
+ 'data_exfiltration',
36
+ 'privilege_escalation',
37
+ 'sensitive_path',
38
+ ]);
39
+ const SEVERITY_ORDER = {
40
+ low: 0,
41
+ medium: 1,
42
+ high: 2,
43
+ critical: 3,
44
+ };
45
+ function isHighOrCritical(f) {
46
+ return f.severity === 'high' || f.severity === 'critical';
47
+ }
48
+ /**
49
+ * Normalize free-text so cosmetic churn (whitespace runs, casing) does not make
50
+ * an otherwise-identical finding look "new". lineNumber is deliberately excluded
51
+ * from the key (see `findingKey`) because inserting benign prose above a finding
52
+ * shifts its line without changing the finding itself.
53
+ */
54
+ function normalizeText(text) {
55
+ if (!text)
56
+ return '';
57
+ return text.toLowerCase().replace(/\s+/g, ' ').trim();
58
+ }
59
+ /**
60
+ * Stable identity for a finding: type + severity + normalized message + location.
61
+ * Severity is part of the key on purpose — an escalation (e.g. code_execution
62
+ * medium→critical, which also rewrites the message) is a genuinely NEW hostile
63
+ * signal, not the "same" finding. A finding that got SAFER (higher→lower
64
+ * severity, or disappeared entirely) therefore never shows up in `newFindings`.
65
+ */
66
+ function findingKey(f) {
67
+ return [f.type, f.severity, normalizeText(f.message), normalizeText(f.location)].join('\u0000');
68
+ }
69
+ /** Findings present in `current` whose key is absent from `previous`. */
70
+ function diffNewFindings(previous, current) {
71
+ const previousKeys = new Set(previous.findings.map(findingKey));
72
+ return current.findings.filter((f) => !previousKeys.has(findingKey(f)));
73
+ }
74
+ function highestSeverity(findings) {
75
+ return findings.reduce((worst, f) => SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[worst.severity] ? f : worst);
76
+ }
77
+ /** Compact, one-line, single-number formatting for a (possibly fractional) score. */
78
+ function fmt(n) {
79
+ const rounded = Math.round(n * 10) / 10;
80
+ return Number.isInteger(rounded) ? String(rounded) : rounded.toFixed(1);
81
+ }
82
+ function signed(n) {
83
+ return n > 0 ? `+${fmt(n)}` : fmt(n);
84
+ }
85
+ function describeFinding(f) {
86
+ const msg = f.message.length > 80 ? `${f.message.slice(0, 77)}...` : f.message;
87
+ return `${f.type} (${f.severity}): ${msg}`;
88
+ }
89
+ /**
90
+ * A NEW, non-documentation `code_execution` finding paired with a NEW,
91
+ * non-documentation high/critical exfiltration/privilege/credential-path
92
+ * finding = supply-chain execution. Requiring both to be new (and non-doc)
93
+ * keeps a security-research skill that merely documents these techniques from
94
+ * tripping the strongest signal.
95
+ */
96
+ function detectSupplyChain(newFindings) {
97
+ const codeExec = newFindings.find((f) => f.type === 'code_execution' && f.inDocumentationContext !== true);
98
+ if (!codeExec)
99
+ return null;
100
+ const coSignal = newFindings.find((f) => f !== codeExec &&
101
+ SUPPLY_CHAIN_CO_SIGNALS.has(f.type) &&
102
+ f.inDocumentationContext !== true &&
103
+ isHighOrCritical(f));
104
+ if (!coSignal)
105
+ return null;
106
+ return { codeExec, coSignal };
107
+ }
108
+ /**
109
+ * Compare two scans of the same skill and classify the transition.
110
+ *
111
+ * Ordering is hostile → suspicious → benign so the strongest signal wins.
112
+ *
113
+ * @param previous Scan of the prior (trusted) version.
114
+ * @param current Scan of the incoming version.
115
+ * @param threshold Risk-score failure bar; defaults to {@link DEFAULT_RISK_THRESHOLD}.
116
+ *
117
+ * CALLER CONTRACT (LOW-2): this value MUST equal the `riskThreshold` the
118
+ * `SecurityScanner` instance used to produce BOTH `previous` and `current`
119
+ * (i.e. the same `ScannerOptions.riskThreshold` — or the scanner's own
120
+ * default of 40, which is why this parameter also defaults to
121
+ * {@link DEFAULT_RISK_THRESHOLD}). `previouslyBenign` below is derived from
122
+ * `previous.passed`, which was computed by the scanner against ITS OWN
123
+ * `riskThreshold` at scan time — if the caller passes a `threshold` here
124
+ * that differs from that value, `crossedThreshold`'s "did the score cross
125
+ * the bar" signal and `previouslyBenign`'s "was it passing" signal are
126
+ * reasoning about two different bars, and the hostile/suspicious/benign
127
+ * verdict can disagree with what `previous.passed` / `current.passed`
128
+ * would say under a freshly-run scan.
129
+ */
130
+ export function compareScanReports(previous, current, threshold = DEFAULT_RISK_THRESHOLD) {
131
+ const newFindings = diffNewFindings(previous, current);
132
+ const riskDelta = current.riskScore - previous.riskScore;
133
+ const previouslyBenign = previous.passed === true;
134
+ const crossedThreshold = previous.riskScore < threshold && current.riskScore >= threshold;
135
+ const newHighCritical = newFindings.filter(isHighOrCritical);
136
+ // Mirror escalateCodeExecution's non-doc gate: a new high/critical finding that
137
+ // lives ONLY in a documentation context (a fenced example) is weak rug-pull
138
+ // evidence, so it does not on its own trip `hostile` — it falls to `suspicious`.
139
+ const newHighCriticalNonDoc = newHighCritical.filter((f) => f.inDocumentationContext !== true);
140
+ const newMedium = newFindings.filter((f) => f.severity === 'medium');
141
+ const materialDelta = riskDelta >= MATERIAL_RISK_DELTA;
142
+ // A new medium finding only signals a worsening when the overall risk actually
143
+ // rose. This suppresses the case where an old high finding was DOWNGRADED to
144
+ // medium (its medium variant is technically "new" under the severity-keyed diff,
145
+ // but the net change made the skill safer — riskDelta <= 0).
146
+ const mediumWorsening = newMedium.length > 0 && riskDelta > 0;
147
+ const scoreClause = `risk ${fmt(previous.riskScore)}->${fmt(current.riskScore)}`;
148
+ // ---- hostile: a benign→malicious flip ----------------------------------
149
+ if (previouslyBenign && (newHighCriticalNonDoc.length > 0 || crossedThreshold)) {
150
+ const supplyChain = detectSupplyChain(newFindings);
151
+ let reason;
152
+ if (supplyChain) {
153
+ reason =
154
+ `Rug-pull: previously-benign skill now ships a remote-execution command ` +
155
+ `[${describeFinding(supplyChain.codeExec)}] co-occurring with a fresh ` +
156
+ `${supplyChain.coSignal.type} signal [${describeFinding(supplyChain.coSignal)}] - ` +
157
+ `classic supply-chain execution (${scoreClause}).`;
158
+ }
159
+ else if (newHighCriticalNonDoc.length > 0) {
160
+ const worst = highestSeverity(newHighCriticalNonDoc);
161
+ reason =
162
+ `Rug-pull: previously-benign skill introduced ${newHighCriticalNonDoc.length} new ` +
163
+ `high/critical finding(s), e.g. ${describeFinding(worst)} (${scoreClause}).`;
164
+ }
165
+ else {
166
+ reason =
167
+ `Rug-pull: previously-benign skill's risk score crossed the failure bar ` +
168
+ `(${fmt(previous.riskScore)} -> ${fmt(current.riskScore)} >= ${threshold}).`;
169
+ }
170
+ return { verdict: 'hostile', newFindings, riskDelta, reason };
171
+ }
172
+ // ---- suspicious: a worsening short of a benign→malicious flip -----------
173
+ if (newHighCritical.length > 0 || mediumWorsening || materialDelta) {
174
+ let reason;
175
+ if (newHighCritical.length > 0) {
176
+ const worst = highestSeverity(newHighCritical);
177
+ const base = previouslyBenign
178
+ ? `Update added ${newHighCritical.length} new high/critical finding(s) confined to a documentation context`
179
+ : `Already-flagged skill added ${newHighCritical.length} new high/critical finding(s) - a worsening, not a fresh benign->malicious transition`;
180
+ reason = `${base}, e.g. ${describeFinding(worst)} (${scoreClause}).`;
181
+ }
182
+ else if (newMedium.length > 0) {
183
+ reason =
184
+ `Update introduced ${newMedium.length} new medium finding(s) without reaching the ` +
185
+ `hostile bar (${scoreClause}).`;
186
+ }
187
+ else {
188
+ reason =
189
+ `Risk score rose materially (${scoreClause}, delta ${signed(riskDelta)}) ` +
190
+ `without any new high/critical findings.`;
191
+ }
192
+ return { verdict: 'suspicious', newFindings, riskDelta, reason };
193
+ }
194
+ // ---- benign: unchanged, reduced, or harmless churn ---------------------
195
+ let reason;
196
+ if (newFindings.length === 0) {
197
+ reason =
198
+ riskDelta < 0
199
+ ? `No new findings; risk score fell (${scoreClause}) - a safer revision or benign churn.`
200
+ : `No new findings and no risk increase (${scoreClause}) - content unchanged or benign churn.`;
201
+ }
202
+ else {
203
+ reason =
204
+ `No new high/critical findings and no threshold crossing (${scoreClause}); ` +
205
+ `${newFindings.length} minor new finding(s) below the suspicious bar.`;
206
+ }
207
+ return { verdict: 'benign', newFindings, riskDelta, reason };
208
+ }
209
+ //# sourceMappingURL=SecurityScanner.hostile-update.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"SecurityScanner.hostile-update.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.hostile-update.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAUH;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAA;AAExC;;;GAGG;AACH,MAAM,mBAAmB,GAAG,EAAE,CAAA;AAE9B;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAqC,IAAI,GAAG,CAAC;IACxE,mBAAmB;IACnB,sBAAsB;IACtB,gBAAgB;CACjB,CAAC,CAAA;AAEF,MAAM,cAAc,GAAqC;IACvD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAA;AAED,SAAS,gBAAgB,CAAC,CAAkB;IAC1C,OAAO,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAA;AAC3D,CAAC;AAED;;;;;GAKG;AACH,SAAS,aAAa,CAAC,IAAwB;IAC7C,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAA;IACpB,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;AACvD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,UAAU,CAAC,CAAkB;IACpC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AACjG,CAAC;AAED,yEAAyE;AACzE,SAAS,eAAe,CAAC,QAAoB,EAAE,OAAmB;IAChE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAA;IAC/D,OAAO,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;AACzE,CAAC;AAED,SAAS,eAAe,CAAC,QAA2B;IAClD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CAClC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CACxE,CAAA;AACH,CAAC;AAED,qFAAqF;AACrF,SAAS,GAAG,CAAC,CAAS;IACpB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAA;IACvC,OAAO,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;AACzE,CAAC;AAED,SAAS,MAAM,CAAC,CAAS;IACvB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AACtC,CAAC;AAED,SAAS,eAAe,CAAC,CAAkB;IACzC,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAA;IAC9E,OAAO,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,QAAQ,MAAM,GAAG,EAAE,CAAA;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CACxB,WAA8B;IAE9B,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,gBAAgB,IAAI,CAAC,CAAC,sBAAsB,KAAK,IAAI,CACxE,CAAA;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAE1B,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,KAAK,QAAQ;QACd,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QACnC,CAAC,CAAC,sBAAsB,KAAK,IAAI;QACjC,gBAAgB,CAAC,CAAC,CAAC,CACtB,CAAA;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAE1B,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;AAC/B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAoB,EACpB,OAAmB,EACnB,YAAoB,sBAAsB;IAE1C,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IACtD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAA;IAExD,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAA;IACjD,MAAM,gBAAgB,GAAG,QAAQ,CAAC,SAAS,GAAG,SAAS,IAAI,OAAO,CAAC,SAAS,IAAI,SAAS,CAAA;IAEzF,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;IAC5D,gFAAgF;IAChF,4EAA4E;IAC5E,iFAAiF;IACjF,MAAM,qBAAqB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,sBAAsB,KAAK,IAAI,CAAC,CAAA;IAC9F,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;IACpE,MAAM,aAAa,GAAG,SAAS,IAAI,mBAAmB,CAAA;IACtD,+EAA+E;IAC/E,6EAA6E;IAC7E,iFAAiF;IACjF,6DAA6D;IAC7D,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,CAAA;IAE7D,MAAM,WAAW,GAAG,QAAQ,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAA;IAEhF,2EAA2E;IAC3E,IAAI,gBAAgB,IAAI,CAAC,qBAAqB,CAAC,MAAM,GAAG,CAAC,IAAI,gBAAgB,CAAC,EAAE,CAAC;QAC/E,MAAM,WAAW,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAA;QAClD,IAAI,MAAc,CAAA;QAClB,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM;gBACJ,yEAAyE;oBACzE,IAAI,eAAe,CAAC,WAAW,CAAC,QAAQ,CAAC,8BAA8B;oBACvE,GAAG,WAAW,CAAC,QAAQ,CAAC,IAAI,YAAY,eAAe,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM;oBACnF,mCAAmC,WAAW,IAAI,CAAA;QACtD,CAAC;aAAM,IAAI,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,KAAK,GAAG,eAAe,CAAC,qBAAqB,CAAC,CAAA;YACpD,MAAM;gBACJ,gDAAgD,qBAAqB,CAAC,MAAM,OAAO;oBACnF,kCAAkC,eAAe,CAAC,KAAK,CAAC,KAAK,WAAW,IAAI,CAAA;QAChF,CAAC;aAAM,CAAC;YACN,MAAM;gBACJ,yEAAyE;oBACzE,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,SAAS,IAAI,CAAA;QAChF,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;IAC/D,CAAC;IAED,4EAA4E;IAC5E,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,IAAI,aAAa,EAAE,CAAC;QACnE,IAAI,MAAc,CAAA;QAClB,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,eAAe,CAAC,eAAe,CAAC,CAAA;YAC9C,MAAM,IAAI,GAAG,gBAAgB;gBAC3B,CAAC,CAAC,gBAAgB,eAAe,CAAC,MAAM,mEAAmE;gBAC3G,CAAC,CAAC,+BAA+B,eAAe,CAAC,MAAM,uFAAuF,CAAA;YAChJ,MAAM,GAAG,GAAG,IAAI,UAAU,eAAe,CAAC,KAAK,CAAC,KAAK,WAAW,IAAI,CAAA;QACtE,CAAC;aAAM,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM;gBACJ,qBAAqB,SAAS,CAAC,MAAM,8CAA8C;oBACnF,gBAAgB,WAAW,IAAI,CAAA;QACnC,CAAC;aAAM,CAAC;YACN,MAAM;gBACJ,+BAA+B,WAAW,WAAW,MAAM,CAAC,SAAS,CAAC,IAAI;oBAC1E,yCAAyC,CAAA;QAC7C,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;IAClE,CAAC;IAED,2EAA2E;IAC3E,IAAI,MAAc,CAAA;IAClB,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM;YACJ,SAAS,GAAG,CAAC;gBACX,CAAC,CAAC,qCAAqC,WAAW,uCAAuC;gBACzF,CAAC,CAAC,yCAAyC,WAAW,wCAAwC,CAAA;IACpG,CAAC;SAAM,CAAC;QACN,MAAM;YACJ,4DAA4D,WAAW,KAAK;gBAC5E,GAAG,WAAW,CAAC,MAAM,iDAAiD,CAAA;IAC1E,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;AAC9D,CAAC"}
@@ -10,7 +10,7 @@ import { isMultilinePattern, analyzeMarkdownContext, isDocumentationContext, isW
10
10
  import { scanSsrfPatterns } from './SecurityScanner.ssrf.js';
11
11
  // Import per-category scanners (SMI-5359 Wave 4.2: extracted to keep this file
12
12
  // under the 500-line gate; pure functions of content + lineContexts).
13
- import { scanSensitivePaths, scanSocialEngineering, scanPromptLeaking, scanDataExfiltration, scanPrivilegeEscalation, scanPiiPatterns, } from './SecurityScanner.scanners.js';
13
+ import { scanSensitivePaths, scanSocialEngineering, scanPromptLeaking, scanDataExfiltration, scanPrivilegeEscalation, scanChmodFetchCompound, scanPiiPatterns, } from './SecurityScanner.scanners.js';
14
14
  // Import code-execution & obfuscated-directive detectors (SMI-5359 Wave 4.2).
15
15
  import { scanCodeExecution, scanObfuscatedDirective, escalateCodeExecution, } from './SecurityScanner.exec.js';
16
16
  // Import formatters (used for both re-export and static methods)
@@ -159,6 +159,15 @@ export class SecurityScanner {
159
159
  findings.push(...scanPromptLeaking(content, lineContexts));
160
160
  findings.push(...scanDataExfiltration(content, lineContexts));
161
161
  findings.push(...scanPrivilegeEscalation(content, lineContexts));
162
+ // SMI-5424 PR2: owner-perm chmod is a compound signal — emit only when
163
+ // co-located with a fetch/download verb. Pass the lines already flagged by
164
+ // the standalone (world-writable/setuid) privesc patterns so we never
165
+ // double-emit. Runs before escalateCodeExecution so a compound chmod (HIGH)
166
+ // can serve as the code_execution co-signal.
167
+ const privEscLines = new Set(findings
168
+ .filter((f) => f.type === 'privilege_escalation' && f.lineNumber)
169
+ .map((f) => f.lineNumber));
170
+ findings.push(...scanChmodFetchCompound(content, privEscLines, lineContexts));
162
171
  findings.push(...this.scanAIDefenceVulnerabilities(content, lineContexts));
163
172
  findings.push(...scanSsrfPatterns(content, lineContexts));
164
173
  findings.push(...scanPiiPatterns(content, lineContexts));
@@ -1 +1 @@
1
- {"version":3,"file":"SecurityScanner.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAIhE,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,8BAA8B,CAAA;AAErC,sBAAsB;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAE5D,+EAA+E;AAC/E,sEAAsE;AACtE,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,eAAe,GAChB,MAAM,+BAA+B,CAAA;AAEtC,8EAA8E;AAC9E,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,2BAA2B,CAAA;AAElC,iEAAiE;AACjE,OAAO,EACL,aAAa,EACb,OAAO,EACP,mBAAmB,EACnB,SAAS,GACV,MAAM,iCAAiC,CAAA;AAExC,kDAAkD;AAClD,OAAO,EAEL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,CAAA;AACD,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAA;AAEjE,MAAM,OAAO,eAAe;IAClB,cAAc,CAAa;IAC3B,eAAe,CAAU;IACzB,gBAAgB,CAAQ;IACxB,aAAa,CAAQ;IAE7B,YAAY,UAA0B,EAAE;QACtC,IAAI,CAAC,cAAc,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,uBAAuB,CAAC,CAAA;QAChF,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,EAAE,CAAA;QACpD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,SAAS,CAAA,CAAC,MAAM;QACpE,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAA;IAClD,CAAC;IAEO,WAAW,CAAC,OAAe;QACjC,MAAM,UAAU,GAAG,4BAA4B,CAAA;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,OAAO,GAAyC,EAAE,CAAA;QAExD,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,IAAI,KAAK,CAAA;YACT,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC,CAAA;YAClD,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,OAAO,CAAA;IAChB,CAAC;IAEO,eAAe,CAAC,GAAW;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;YAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAA;YAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CACzC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,CACnE,CAAA;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,OAAe;QAC9B,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;QAEtC,KAAK,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,QAAQ;oBAClB,OAAO,EAAE,kCAAkC,GAAG,EAAE;oBAChD,QAAQ,EAAE,GAAG;oBACb,UAAU,EAAE,IAAI;iBACjB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,qBAAqB,CAAC,OAAe,EAAE,YAA4B;QACzE,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,WAAW;YACjB,aAAa,EAAE,sCAAsC;YACrD,QAAQ,EAAE,kBAAkB;YAC5B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAEO,sBAAsB,CAAC,OAAe,EAAE,YAA4B;QAC1E,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;YAE3B,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,oEAAoE;oBACpE,sEAAsE;oBACtE,2EAA2E;oBAC3E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;oBAE7E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,iCAAiC,KAAK,CAAC,CAAC,CAAC,GAAG;wBACrD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;YAED,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,qEAAqE;oBACrE,gEAAgE;oBAChE,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;oBAE9E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,8BAA8B,KAAK,CAAC,CAAC,CAAC,GAAG;wBAClD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,4BAA4B,CAClC,OAAe,EACf,YAA4B;QAE5B,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,YAAY;YAClB,aAAa,EAAE,+BAA+B;YAC9C,QAAQ,EAAE,mBAAmB;YAC7B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAED,0EAA0E;IAC1E,kBAAkB,GAAG,kBAAkB,CAAA;IAEvC,IAAI,CAAC,OAAe,EAAE,OAAe;QACnC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACnC,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,YAAY,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEpD,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,mCAAmC,IAAI,CAAC,gBAAgB,SAAS;aAC3E,CAAC,CAAA;QACJ,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;QACxC,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACnE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACpE,QAAQ,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC9D,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC7D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAChE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,4BAA4B,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1E,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAA;QAElD,iFAAiF;QACjF,gFAAgF;QAChF,2DAA2D;QAC3D,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAE/B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACjC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAEnF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAA;QACnE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,SAAS,IAAI,IAAI,CAAC,aAAa,CAAA;QAExD,OAAO;YACL,OAAO;YACP,MAAM,EAAE,CAAC,WAAW,IAAI,CAAC,OAAO,IAAI,CAAC,gBAAgB;YACrD,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,cAAc,EAAE,OAAO,GAAG,SAAS;YACnC,SAAS;YACT,aAAa;SACd,CAAA;IACH,CAAC;IAED,UAAU,CAAC,OAAe;QACxB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAA;QACpD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,gBAAgB,CAAC,MAAc;QAC7B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,iBAAiB,CAAC,OAAe;QAC/B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED,oEAAoE;IACpE,MAAM,CAAC,aAAa,GAAG,aAAa,CAAA;IACpC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAA;IACxB,MAAM,CAAC,mBAAmB,GAAG,mBAAmB,CAAA;IAChD,MAAM,CAAC,SAAS,GAAG,SAAS,CAAA;;AAG9B,eAAe,eAAe,CAAA"}
1
+ {"version":3,"file":"SecurityScanner.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAIhE,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,8BAA8B,CAAA;AAErC,sBAAsB;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAE5D,+EAA+E;AAC/E,sEAAsE;AACtE,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,eAAe,GAChB,MAAM,+BAA+B,CAAA;AAEtC,8EAA8E;AAC9E,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,2BAA2B,CAAA;AAElC,iEAAiE;AACjE,OAAO,EACL,aAAa,EACb,OAAO,EACP,mBAAmB,EACnB,SAAS,GACV,MAAM,iCAAiC,CAAA;AAExC,kDAAkD;AAClD,OAAO,EAEL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,CAAA;AACD,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAA;AAEjE,MAAM,OAAO,eAAe;IAClB,cAAc,CAAa;IAC3B,eAAe,CAAU;IACzB,gBAAgB,CAAQ;IACxB,aAAa,CAAQ;IAE7B,YAAY,UAA0B,EAAE;QACtC,IAAI,CAAC,cAAc,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,uBAAuB,CAAC,CAAA;QAChF,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,EAAE,CAAA;QACpD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,SAAS,CAAA,CAAC,MAAM;QACpE,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAA;IAClD,CAAC;IAEO,WAAW,CAAC,OAAe;QACjC,MAAM,UAAU,GAAG,4BAA4B,CAAA;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,OAAO,GAAyC,EAAE,CAAA;QAExD,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,IAAI,KAAK,CAAA;YACT,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC,CAAA;YAClD,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,OAAO,CAAA;IAChB,CAAC;IAEO,eAAe,CAAC,GAAW;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;YAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAA;YAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CACzC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,CACnE,CAAA;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,OAAe;QAC9B,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;QAEtC,KAAK,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,QAAQ;oBAClB,OAAO,EAAE,kCAAkC,GAAG,EAAE;oBAChD,QAAQ,EAAE,GAAG;oBACb,UAAU,EAAE,IAAI;iBACjB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,qBAAqB,CAAC,OAAe,EAAE,YAA4B;QACzE,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,WAAW;YACjB,aAAa,EAAE,sCAAsC;YACrD,QAAQ,EAAE,kBAAkB;YAC5B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAEO,sBAAsB,CAAC,OAAe,EAAE,YAA4B;QAC1E,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;YAE3B,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,oEAAoE;oBACpE,sEAAsE;oBACtE,2EAA2E;oBAC3E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;oBAE7E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,iCAAiC,KAAK,CAAC,CAAC,CAAC,GAAG;wBACrD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;YAED,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,qEAAqE;oBACrE,gEAAgE;oBAChE,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;oBAE9E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,8BAA8B,KAAK,CAAC,CAAC,CAAC,GAAG;wBAClD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,4BAA4B,CAClC,OAAe,EACf,YAA4B;QAE5B,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,YAAY;YAClB,aAAa,EAAE,+BAA+B;YAC9C,QAAQ,EAAE,mBAAmB;YAC7B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAED,0EAA0E;IAC1E,kBAAkB,GAAG,kBAAkB,CAAA;IAEvC,IAAI,CAAC,OAAe,EAAE,OAAe;QACnC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACnC,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,YAAY,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEpD,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,mCAAmC,IAAI,CAAC,gBAAgB,SAAS;aAC3E,CAAC,CAAA;QACJ,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;QACxC,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACnE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACpE,QAAQ,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC9D,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC7D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAChE,uEAAuE;QACvE,2EAA2E;QAC3E,sEAAsE;QACtE,4EAA4E;QAC5E,6CAA6C;QAC7C,MAAM,YAAY,GAAG,IAAI,GAAG,CAC1B,QAAQ;aACL,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,IAAI,CAAC,CAAC,UAAU,CAAC;aAChE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAoB,CAAC,CACtC,CAAA;QACD,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC,CAAA;QAC7E,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,4BAA4B,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1E,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAA;QAElD,iFAAiF;QACjF,gFAAgF;QAChF,2DAA2D;QAC3D,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAE/B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACjC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAEnF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAA;QACnE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,SAAS,IAAI,IAAI,CAAC,aAAa,CAAA;QAExD,OAAO;YACL,OAAO;YACP,MAAM,EAAE,CAAC,WAAW,IAAI,CAAC,OAAO,IAAI,CAAC,gBAAgB;YACrD,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,cAAc,EAAE,OAAO,GAAG,SAAS;YACnC,SAAS;YACT,aAAa;SACd,CAAA;IACH,CAAC;IAED,UAAU,CAAC,OAAe;QACxB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAA;QACpD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,gBAAgB,CAAC,MAAc;QAC7B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,iBAAiB,CAAC,OAAe;QAC/B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED,oEAAoE;IACpE,MAAM,CAAC,aAAa,GAAG,aAAa,CAAA;IACpC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAA;IACxB,MAAM,CAAC,mBAAmB,GAAG,mBAAmB,CAAA;IAChD,MAAM,CAAC,SAAS,GAAG,SAAS,CAAA;;AAG9B,eAAe,eAAe,CAAA"}
@@ -0,0 +1,23 @@
1
+ /**
2
+ * Security Scanner — PII pattern scanning + entropy / placeholder filtering
3
+ * @module @skillsmith/core/security/scanner/SecurityScanner.pii
4
+ *
5
+ * SMI-5434: Section 3 of SecurityScanner.scanners.ts extracted to keep the
6
+ * parent file under the 500-line audit:standards gate. Pure functions of
7
+ * (content, lineContexts) — no scanner instance state.
8
+ */
9
+ import type { SecurityFinding } from './types.js';
10
+ import type { LineContext } from './SecurityScanner.helpers.js';
11
+ /** SMI-5420: Shannon entropy (bits per character) of a string. */
12
+ export declare function shannonEntropy(s: string): number;
13
+ /**
14
+ * SMI-5420: a credential match is a documentation placeholder (not a real leaked
15
+ * secret) when it carries a named placeholder marker, is a single repeated
16
+ * character, or its value has sub-secret Shannon entropy. Such matches must NOT
17
+ * emit critical/high severity — the batch trust-scorer (trust-scorer.ts) and the
18
+ * install gate quarantine on severity, so an example secret would falsely flag.
19
+ */
20
+ export declare function looksLikePlaceholderSecret(match: string): boolean;
21
+ /** SMI-3864: Detect PII patterns. Email in YAML frontmatter gets low severity. */
22
+ export declare function scanPiiPatterns(content: string, lineContexts?: LineContext[]): SecurityFinding[];
23
+ //# sourceMappingURL=SecurityScanner.pii.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"SecurityScanner.pii.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.pii.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,YAAY,CAAA;AACpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAmD/D,kEAAkE;AAClE,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAUhD;AAaD;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAMjE;AAED,kFAAkF;AAClF,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,WAAW,EAAE,GAAG,eAAe,EAAE,CAuDhG"}