@skillsmith/core 0.9.0 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +16 -0
- package/dist/.tsbuildinfo +1 -1
- package/dist/src/analysis/tree-sitter/pythonIncremental.d.ts +23 -0
- package/dist/src/analysis/tree-sitter/pythonIncremental.d.ts.map +1 -1
- package/dist/src/analysis/tree-sitter/pythonIncremental.hardening.test.js +137 -0
- package/dist/src/analysis/tree-sitter/pythonIncremental.hardening.test.js.map +1 -1
- package/dist/src/analysis/tree-sitter/pythonIncremental.js +83 -10
- package/dist/src/analysis/tree-sitter/pythonIncremental.js.map +1 -1
- package/dist/src/analysis/tree-sitter/queryExtractionMatchesOrExceedsRegex.test.js +6 -1
- package/dist/src/analysis/tree-sitter/queryExtractionMatchesOrExceedsRegex.test.js.map +1 -1
- package/dist/src/api/client.d.ts.map +1 -1
- package/dist/src/api/client.js +6 -0
- package/dist/src/api/client.js.map +1 -1
- package/dist/src/api/client.test.d.ts +9 -0
- package/dist/src/api/client.test.d.ts.map +1 -0
- package/dist/src/api/client.test.js +81 -0
- package/dist/src/api/client.test.js.map +1 -0
- package/dist/src/config/audit-notify-state.d.ts +46 -0
- package/dist/src/config/audit-notify-state.d.ts.map +1 -0
- package/dist/src/config/audit-notify-state.js +55 -0
- package/dist/src/config/audit-notify-state.js.map +1 -0
- package/dist/src/config/audit-notify-state.test.d.ts +9 -0
- package/dist/src/config/audit-notify-state.test.d.ts.map +1 -0
- package/dist/src/config/audit-notify-state.test.js +63 -0
- package/dist/src/config/audit-notify-state.test.js.map +1 -0
- package/dist/src/config/index.d.ts +10 -0
- package/dist/src/config/index.d.ts.map +1 -1
- package/dist/src/config/index.js.map +1 -1
- package/dist/src/exports/services.d.ts +3 -1
- package/dist/src/exports/services.d.ts.map +1 -1
- package/dist/src/exports/services.js +9 -1
- package/dist/src/exports/services.js.map +1 -1
- package/dist/src/index.d.ts +6 -3
- package/dist/src/index.d.ts.map +1 -1
- package/dist/src/index.js +11 -2
- package/dist/src/index.js.map +1 -1
- package/dist/src/install/agent-config-merge.json-array.d.ts +29 -0
- package/dist/src/install/agent-config-merge.json-array.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.json-array.js +100 -0
- package/dist/src/install/agent-config-merge.json-array.js.map +1 -0
- package/dist/src/install/agent-config-merge.json.d.ts +37 -0
- package/dist/src/install/agent-config-merge.json.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.json.js +134 -0
- package/dist/src/install/agent-config-merge.json.js.map +1 -0
- package/dist/src/install/agent-config-merge.toml-block.d.ts +48 -0
- package/dist/src/install/agent-config-merge.toml-block.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.toml-block.js +107 -0
- package/dist/src/install/agent-config-merge.toml-block.js.map +1 -0
- package/dist/src/install/agent-config-merge.types.d.ts +87 -0
- package/dist/src/install/agent-config-merge.types.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.types.js +83 -0
- package/dist/src/install/agent-config-merge.types.js.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.d.ts +46 -0
- package/dist/src/install/agent-config-merge.yaml.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.js +133 -0
- package/dist/src/install/agent-config-merge.yaml.js.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.test.d.ts +2 -0
- package/dist/src/install/agent-config-merge.yaml.test.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.test.js +210 -0
- package/dist/src/install/agent-config-merge.yaml.test.js.map +1 -0
- package/dist/src/install/agent-harness-targets.d.ts +98 -0
- package/dist/src/install/agent-harness-targets.d.ts.map +1 -0
- package/dist/src/install/agent-harness-targets.js +154 -0
- package/dist/src/install/agent-harness-targets.js.map +1 -0
- package/dist/src/install/agent-home-relocate.d.ts +29 -0
- package/dist/src/install/agent-home-relocate.d.ts.map +1 -0
- package/dist/src/install/agent-home-relocate.js +38 -0
- package/dist/src/install/agent-home-relocate.js.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.d.ts +55 -0
- package/dist/src/install/agent-manifest-path-guard.d.ts.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.js +109 -0
- package/dist/src/install/agent-manifest-path-guard.js.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.test.d.ts +2 -0
- package/dist/src/install/agent-manifest-path-guard.test.d.ts.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.test.js +72 -0
- package/dist/src/install/agent-manifest-path-guard.test.js.map +1 -0
- package/dist/src/install/agent-manifest.d.ts +58 -0
- package/dist/src/install/agent-manifest.d.ts.map +1 -0
- package/dist/src/install/agent-manifest.js +103 -0
- package/dist/src/install/agent-manifest.js.map +1 -0
- package/dist/src/install/agent-pack-installer.d.ts +39 -0
- package/dist/src/install/agent-pack-installer.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.entry.d.ts +55 -0
- package/dist/src/install/agent-pack-installer.entry.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.entry.js +90 -0
- package/dist/src/install/agent-pack-installer.entry.js.map +1 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.d.ts +33 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.js +59 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.js.map +1 -0
- package/dist/src/install/agent-pack-installer.harness.d.ts +66 -0
- package/dist/src/install/agent-pack-installer.harness.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.harness.js +310 -0
- package/dist/src/install/agent-pack-installer.harness.js.map +1 -0
- package/dist/src/install/agent-pack-installer.js +221 -0
- package/dist/src/install/agent-pack-installer.js.map +1 -0
- package/dist/src/install/agent-pack-installer.preserve.test.d.ts +11 -0
- package/dist/src/install/agent-pack-installer.preserve.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.preserve.test.js +72 -0
- package/dist/src/install/agent-pack-installer.preserve.test.js.map +1 -0
- package/dist/src/install/agent-pack-installer.test.d.ts +2 -0
- package/dist/src/install/agent-pack-installer.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.test.js +350 -0
- package/dist/src/install/agent-pack-installer.test.js.map +1 -0
- package/dist/src/install/agent-pack-installer.types.d.ts +51 -0
- package/dist/src/install/agent-pack-installer.types.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.types.js +16 -0
- package/dist/src/install/agent-pack-installer.types.js.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.d.ts +43 -0
- package/dist/src/install/agent-pack-uninstaller.d.ts.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.js +113 -0
- package/dist/src/install/agent-pack-uninstaller.js.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.test.d.ts +2 -0
- package/dist/src/install/agent-pack-uninstaller.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.test.js +212 -0
- package/dist/src/install/agent-pack-uninstaller.test.js.map +1 -0
- package/dist/src/install/index.d.ts +7 -0
- package/dist/src/install/index.d.ts.map +1 -1
- package/dist/src/install/index.js +7 -0
- package/dist/src/install/index.js.map +1 -1
- package/dist/src/install/paths.d.ts +1 -1
- package/dist/src/install/paths.d.ts.map +1 -1
- package/dist/src/install/paths.js +4 -0
- package/dist/src/install/paths.js.map +1 -1
- package/dist/src/install/paths.test.js +15 -0
- package/dist/src/install/paths.test.js.map +1 -1
- package/dist/src/journal/hash.d.ts +13 -0
- package/dist/src/journal/hash.d.ts.map +1 -0
- package/dist/src/journal/hash.js +16 -0
- package/dist/src/journal/hash.js.map +1 -0
- package/dist/src/journal/index.d.ts +15 -0
- package/dist/src/journal/index.d.ts.map +1 -0
- package/dist/src/journal/index.js +15 -0
- package/dist/src/journal/index.js.map +1 -0
- package/dist/src/journal/journal.test.d.ts +16 -0
- package/dist/src/journal/journal.test.d.ts.map +1 -0
- package/dist/src/journal/journal.test.js +171 -0
- package/dist/src/journal/journal.test.js.map +1 -0
- package/dist/src/journal/path.d.ts +44 -0
- package/dist/src/journal/path.d.ts.map +1 -0
- package/dist/src/journal/path.js +61 -0
- package/dist/src/journal/path.js.map +1 -0
- package/dist/src/journal/reader.d.ts +38 -0
- package/dist/src/journal/reader.d.ts.map +1 -0
- package/dist/src/journal/reader.js +93 -0
- package/dist/src/journal/reader.js.map +1 -0
- package/dist/src/journal/types.d.ts +87 -0
- package/dist/src/journal/types.d.ts.map +1 -0
- package/dist/src/journal/types.js +21 -0
- package/dist/src/journal/types.js.map +1 -0
- package/dist/src/journal/writer.d.ts +52 -0
- package/dist/src/journal/writer.d.ts.map +1 -0
- package/dist/src/journal/writer.js +125 -0
- package/dist/src/journal/writer.js.map +1 -0
- package/dist/src/logging/context.d.ts +58 -0
- package/dist/src/logging/context.d.ts.map +1 -0
- package/dist/src/logging/context.js +62 -0
- package/dist/src/logging/context.js.map +1 -0
- package/dist/src/logging/context.test.d.ts +14 -0
- package/dist/src/logging/context.test.d.ts.map +1 -0
- package/dist/src/logging/context.test.js +88 -0
- package/dist/src/logging/context.test.js.map +1 -0
- package/dist/src/logging/index.d.ts +13 -0
- package/dist/src/logging/index.d.ts.map +1 -0
- package/dist/src/logging/index.js +12 -0
- package/dist/src/logging/index.js.map +1 -0
- package/dist/src/logging/logger.d.ts +71 -0
- package/dist/src/logging/logger.d.ts.map +1 -0
- package/dist/src/logging/logger.js +264 -0
- package/dist/src/logging/logger.js.map +1 -0
- package/dist/src/logging/logger.test.d.ts +9 -0
- package/dist/src/logging/logger.test.d.ts.map +1 -0
- package/dist/src/logging/logger.test.js +320 -0
- package/dist/src/logging/logger.test.js.map +1 -0
- package/dist/src/logging/redact.d.ts +35 -0
- package/dist/src/logging/redact.d.ts.map +1 -0
- package/dist/src/logging/redact.js +152 -0
- package/dist/src/logging/redact.js.map +1 -0
- package/dist/src/logging/redact.test.d.ts +8 -0
- package/dist/src/logging/redact.test.d.ts.map +1 -0
- package/dist/src/logging/redact.test.js +330 -0
- package/dist/src/logging/redact.test.js.map +1 -0
- package/dist/src/logging/rotation.d.ts +75 -0
- package/dist/src/logging/rotation.d.ts.map +1 -0
- package/dist/src/logging/rotation.js +284 -0
- package/dist/src/logging/rotation.js.map +1 -0
- package/dist/src/logging/rotation.test.d.ts +11 -0
- package/dist/src/logging/rotation.test.d.ts.map +1 -0
- package/dist/src/logging/rotation.test.js +132 -0
- package/dist/src/logging/rotation.test.js.map +1 -0
- package/dist/src/logging/types.d.ts +69 -0
- package/dist/src/logging/types.d.ts.map +1 -0
- package/dist/src/logging/types.js +9 -0
- package/dist/src/logging/types.js.map +1 -0
- package/dist/src/paywall-triggers/index.d.ts +13 -0
- package/dist/src/paywall-triggers/index.d.ts.map +1 -0
- package/dist/src/paywall-triggers/index.js +13 -0
- package/dist/src/paywall-triggers/index.js.map +1 -0
- package/dist/src/paywall-triggers/path.d.ts +47 -0
- package/dist/src/paywall-triggers/path.d.ts.map +1 -0
- package/dist/src/paywall-triggers/path.js +73 -0
- package/dist/src/paywall-triggers/path.js.map +1 -0
- package/dist/src/paywall-triggers/store.d.ts +75 -0
- package/dist/src/paywall-triggers/store.d.ts.map +1 -0
- package/dist/src/paywall-triggers/store.js +122 -0
- package/dist/src/paywall-triggers/store.js.map +1 -0
- package/dist/src/paywall-triggers/store.test.d.ts +2 -0
- package/dist/src/paywall-triggers/store.test.d.ts.map +1 -0
- package/dist/src/paywall-triggers/store.test.js +121 -0
- package/dist/src/paywall-triggers/store.test.js.map +1 -0
- package/dist/src/paywall-triggers/types.d.ts +24 -0
- package/dist/src/paywall-triggers/types.d.ts.map +1 -0
- package/dist/src/paywall-triggers/types.js +13 -0
- package/dist/src/paywall-triggers/types.js.map +1 -0
- package/dist/src/security/index.d.ts +2 -0
- package/dist/src/security/index.d.ts.map +1 -1
- package/dist/src/security/index.js +4 -0
- package/dist/src/security/index.js.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.compound.d.ts +13 -0
- package/dist/src/security/scanner/SecurityScanner.compound.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.compound.js +127 -0
- package/dist/src/security/scanner/SecurityScanner.compound.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.hostile-update.d.ts +46 -0
- package/dist/src/security/scanner/SecurityScanner.hostile-update.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.hostile-update.js +209 -0
- package/dist/src/security/scanner/SecurityScanner.hostile-update.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.js +10 -1
- package/dist/src/security/scanner/SecurityScanner.js.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.pii.d.ts +23 -0
- package/dist/src/security/scanner/SecurityScanner.pii.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.pii.js +152 -0
- package/dist/src/security/scanner/SecurityScanner.pii.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.scanners.d.ts +5 -12
- package/dist/src/security/scanner/SecurityScanner.scanners.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.scanners.js +63 -137
- package/dist/src/security/scanner/SecurityScanner.scanners.js.map +1 -1
- package/dist/src/security/scanner/index.d.ts +2 -1
- package/dist/src/security/scanner/index.d.ts.map +1 -1
- package/dist/src/security/scanner/index.js +2 -0
- package/dist/src/security/scanner/index.js.map +1 -1
- package/dist/src/security/scanner/patterns.d.ts +2 -0
- package/dist/src/security/scanner/patterns.d.ts.map +1 -1
- package/dist/src/security/scanner/patterns.js +79 -11
- package/dist/src/security/scanner/patterns.js.map +1 -1
- package/dist/src/security/scanner/types.d.ts +23 -0
- package/dist/src/security/scanner/types.d.ts.map +1 -1
- package/dist/src/services/agent-pack/agent-pack.test.d.ts +18 -0
- package/dist/src/services/agent-pack/agent-pack.test.d.ts.map +1 -0
- package/dist/src/services/agent-pack/agent-pack.test.js +344 -0
- package/dist/src/services/agent-pack/agent-pack.test.js.map +1 -0
- package/dist/src/services/agent-pack/hooks.d.ts +29 -0
- package/dist/src/services/agent-pack/hooks.d.ts.map +1 -0
- package/dist/src/services/agent-pack/hooks.js +139 -0
- package/dist/src/services/agent-pack/hooks.js.map +1 -0
- package/dist/src/services/agent-pack/index.d.ts +26 -0
- package/dist/src/services/agent-pack/index.d.ts.map +1 -0
- package/dist/src/services/agent-pack/index.js +109 -0
- package/dist/src/services/agent-pack/index.js.map +1 -0
- package/dist/src/services/agent-pack/prompt-source.d.ts +47 -0
- package/dist/src/services/agent-pack/prompt-source.d.ts.map +1 -0
- package/dist/src/services/agent-pack/prompt-source.js +182 -0
- package/dist/src/services/agent-pack/prompt-source.js.map +1 -0
- package/dist/src/services/agent-pack/shims.d.ts +40 -0
- package/dist/src/services/agent-pack/shims.d.ts.map +1 -0
- package/dist/src/services/agent-pack/shims.js +96 -0
- package/dist/src/services/agent-pack/shims.js.map +1 -0
- package/dist/src/services/agent-pack/skill-md.d.ts +35 -0
- package/dist/src/services/agent-pack/skill-md.d.ts.map +1 -0
- package/dist/src/services/agent-pack/skill-md.js +89 -0
- package/dist/src/services/agent-pack/skill-md.js.map +1 -0
- package/dist/src/services/agent-pack/types.d.ts +118 -0
- package/dist/src/services/agent-pack/types.d.ts.map +1 -0
- package/dist/src/services/agent-pack/types.js +61 -0
- package/dist/src/services/agent-pack/types.js.map +1 -0
- package/dist/src/services/agent-tool-profile.d.ts +59 -0
- package/dist/src/services/agent-tool-profile.d.ts.map +1 -0
- package/dist/src/services/agent-tool-profile.js +76 -0
- package/dist/src/services/agent-tool-profile.js.map +1 -0
- package/dist/src/services/agent-tool-profile.test.d.ts +2 -0
- package/dist/src/services/agent-tool-profile.test.d.ts.map +1 -0
- package/dist/src/services/agent-tool-profile.test.js +28 -0
- package/dist/src/services/agent-tool-profile.test.js.map +1 -0
- package/dist/src/services/bundled-sibling-scan.d.ts +111 -0
- package/dist/src/services/bundled-sibling-scan.d.ts.map +1 -0
- package/dist/src/services/bundled-sibling-scan.js +170 -0
- package/dist/src/services/bundled-sibling-scan.js.map +1 -0
- package/dist/src/services/skill-installation.io.d.ts +16 -5
- package/dist/src/services/skill-installation.io.d.ts.map +1 -1
- package/dist/src/services/skill-installation.io.js +63 -22
- package/dist/src/services/skill-installation.io.js.map +1 -1
- package/dist/src/services/skill-installation.policy.d.ts +96 -0
- package/dist/src/services/skill-installation.policy.d.ts.map +1 -0
- package/dist/src/services/skill-installation.policy.js +144 -0
- package/dist/src/services/skill-installation.policy.js.map +1 -0
- package/dist/src/services/skill-installation.service.d.ts.map +1 -1
- package/dist/src/services/skill-installation.service.js +9 -3
- package/dist/src/services/skill-installation.service.js.map +1 -1
- package/dist/src/sources/index.d.ts +1 -0
- package/dist/src/sources/index.d.ts.map +1 -1
- package/dist/src/sources/index.js +4 -0
- package/dist/src/sources/index.js.map +1 -1
- package/dist/src/sync/access-token.d.ts +27 -0
- package/dist/src/sync/access-token.d.ts.map +1 -0
- package/dist/src/sync/access-token.js +40 -0
- package/dist/src/sync/access-token.js.map +1 -0
- package/dist/src/sync/audit-notify-client.d.ts +83 -0
- package/dist/src/sync/audit-notify-client.d.ts.map +1 -0
- package/dist/src/sync/audit-notify-client.js +126 -0
- package/dist/src/sync/audit-notify-client.js.map +1 -0
- package/dist/src/sync/audit-notify-client.test.d.ts +14 -0
- package/dist/src/sync/audit-notify-client.test.d.ts.map +1 -0
- package/dist/src/sync/audit-notify-client.test.js +133 -0
- package/dist/src/sync/audit-notify-client.test.js.map +1 -0
- package/dist/src/sync/index.d.ts +2 -1
- package/dist/src/sync/index.d.ts.map +1 -1
- package/dist/src/sync/index.js +3 -1
- package/dist/src/sync/index.js.map +1 -1
- package/dist/src/sync/inventory-client.d.ts +16 -0
- package/dist/src/sync/inventory-client.d.ts.map +1 -1
- package/dist/src/sync/inventory-client.js +59 -16
- package/dist/src/sync/inventory-client.js.map +1 -1
- package/dist/src/sync/inventory-client.test.js +67 -1
- package/dist/src/sync/inventory-client.test.js.map +1 -1
- package/dist/src/sync/inventory-collector.d.ts.map +1 -1
- package/dist/src/sync/inventory-collector.js +32 -5
- package/dist/src/sync/inventory-collector.js.map +1 -1
- package/dist/src/sync/inventory-collector.test.js +50 -1
- package/dist/src/sync/inventory-collector.test.js.map +1 -1
- package/dist/src/sync/inventory-types.d.ts +9 -0
- package/dist/src/sync/inventory-types.d.ts.map +1 -1
- package/dist/src/sync/inventory-types.js +3 -0
- package/dist/src/sync/inventory-types.js.map +1 -1
- package/dist/src/telemetry/agent-marker.d.ts +137 -0
- package/dist/src/telemetry/agent-marker.d.ts.map +1 -0
- package/dist/src/telemetry/agent-marker.js +242 -0
- package/dist/src/telemetry/agent-marker.js.map +1 -0
- package/dist/src/telemetry/agent-marker.test.d.ts +13 -0
- package/dist/src/telemetry/agent-marker.test.d.ts.map +1 -0
- package/dist/src/telemetry/agent-marker.test.js +202 -0
- package/dist/src/telemetry/agent-marker.test.js.map +1 -0
- package/dist/src/telemetry/index.d.ts +2 -1
- package/dist/src/telemetry/index.d.ts.map +1 -1
- package/dist/src/telemetry/index.js +6 -1
- package/dist/src/telemetry/index.js.map +1 -1
- package/dist/src/telemetry/posthog.d.ts +25 -0
- package/dist/src/telemetry/posthog.d.ts.map +1 -1
- package/dist/src/telemetry/posthog.js +10 -1
- package/dist/src/telemetry/posthog.js.map +1 -1
- package/dist/src/telemetry/wrap.bench.js +5 -0
- package/dist/src/telemetry/wrap.bench.js.map +1 -1
- package/dist/src/telemetry/wrap.correlation.test.d.ts +20 -0
- package/dist/src/telemetry/wrap.correlation.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.correlation.test.js +174 -0
- package/dist/src/telemetry/wrap.correlation.test.js.map +1 -0
- package/dist/src/telemetry/wrap.d.ts +28 -7
- package/dist/src/telemetry/wrap.d.ts.map +1 -1
- package/dist/src/telemetry/wrap.gate.test.d.ts +22 -0
- package/dist/src/telemetry/wrap.gate.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.gate.test.js +202 -0
- package/dist/src/telemetry/wrap.gate.test.js.map +1 -0
- package/dist/src/telemetry/wrap.js +196 -52
- package/dist/src/telemetry/wrap.js.map +1 -1
- package/dist/src/telemetry/wrap.marker.test.d.ts +16 -0
- package/dist/src/telemetry/wrap.marker.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.marker.test.js +190 -0
- package/dist/src/telemetry/wrap.marker.test.js.map +1 -0
- package/dist/src/telemetry/wrap.test.js +14 -0
- package/dist/src/telemetry/wrap.test.js.map +1 -1
- package/dist/src/types.d.ts +6 -0
- package/dist/src/types.d.ts.map +1 -1
- package/dist/tests/SecurityScanner.exec.test.js +60 -0
- package/dist/tests/SecurityScanner.exec.test.js.map +1 -1
- package/dist/tests/security/ContinuousSecurity.test.js +10 -4
- package/dist/tests/security/ContinuousSecurity.test.js.map +1 -1
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts +2 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts.map +1 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.js +126 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.js.map +1 -0
- package/dist/tests/security/chmod-compound.test.d.ts +2 -0
- package/dist/tests/security/chmod-compound.test.d.ts.map +1 -0
- package/dist/tests/security/chmod-compound.test.js +188 -0
- package/dist/tests/security/chmod-compound.test.js.map +1 -0
- package/dist/tests/security/pii-detection.test.js +24 -0
- package/dist/tests/security/pii-detection.test.js.map +1 -1
- package/dist/tests/security/scanner-regression-guard.test.d.ts +23 -7
- package/dist/tests/security/scanner-regression-guard.test.d.ts.map +1 -1
- package/dist/tests/security/scanner-regression-guard.test.js +206 -12
- package/dist/tests/security/scanner-regression-guard.test.js.map +1 -1
- package/dist/tests/security/sensitive-path-fp.test.d.ts +2 -0
- package/dist/tests/security/sensitive-path-fp.test.d.ts.map +1 -0
- package/dist/tests/security/sensitive-path-fp.test.js +142 -0
- package/dist/tests/security/sensitive-path-fp.test.js.map +1 -0
- package/dist/tests/services/bundled-sibling-scan.test.d.ts +2 -0
- package/dist/tests/services/bundled-sibling-scan.test.d.ts.map +1 -0
- package/dist/tests/services/bundled-sibling-scan.test.js +139 -0
- package/dist/tests/services/bundled-sibling-scan.test.js.map +1 -0
- package/dist/tests/unit/services/skill-installation.io.test.js +166 -0
- package/dist/tests/unit/services/skill-installation.io.test.js.map +1 -1
- package/dist/tests/unit/services/skill-installation.policy.test.d.ts +8 -0
- package/dist/tests/unit/services/skill-installation.policy.test.d.ts.map +1 -0
- package/dist/tests/unit/services/skill-installation.policy.test.js +151 -0
- package/dist/tests/unit/services/skill-installation.policy.test.js.map +1 -0
- package/package.json +28 -3
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
// Extracted from SecurityScanner.scanners.ts (SMI-5434) — previously lines 259–360.
|
|
2
|
+
/**
|
|
3
|
+
* Security Scanner — compound chmod+fetch signal detector
|
|
4
|
+
* @module @skillsmith/core/security/scanner/SecurityScanner.compound
|
|
5
|
+
*
|
|
6
|
+
* SMI-5434: Section 2 of SecurityScanner.scanners.ts extracted so that the
|
|
7
|
+
* upcoming SMI-5433 regex widening (~40 lines) can land without breaching the
|
|
8
|
+
* 500-line audit:standards gate. Pure functions of (content, alreadyFlaggedLines,
|
|
9
|
+
* lineContexts) — no scanner instance state.
|
|
10
|
+
*/
|
|
11
|
+
import { analyzeMarkdownContext, isDocumentationContext, isWithinInlineCode, } from './SecurityScanner.helpers.js';
|
|
12
|
+
import { safeRegexTest } from './regex-utils.js';
|
|
13
|
+
/**
|
|
14
|
+
* SMI-5424 PR2: owner-permission chmod is a COMPOUND signal, not standalone —
|
|
15
|
+
* `chmod 755 ./bin/cli` / `chmod +x build.sh` previously false-fired
|
|
16
|
+
* privilege_escalation:critical. It now emits HIGH only when a fetch COMMAND
|
|
17
|
+
* (curl/wget/git-clone/npx-to-URL) is within ±1 line OR the chmod target is the
|
|
18
|
+
* DOWNLOAD DESTINATION of a fetch command anywhere (distance-independent, so filler
|
|
19
|
+
* lines can't evade the ±1 window) — the "download a payload, chmod it, run it" shape.
|
|
20
|
+
* Kills the FP while PRESERVING the chmod co-signal escalateCodeExecution needs (it
|
|
21
|
+
* only accepts high/critical non-doc co-signals). World-writable / setuid chmod stay
|
|
22
|
+
* standalone-critical in PRIVILEGE_ESCALATION_PATTERNS; `alreadyFlaggedLines` prevents
|
|
23
|
+
* double-emit. SMI-5431: "destination" covers explicit (-o/-O/--output<space>/>) AND
|
|
24
|
+
* implicit (wget no -O / git clone / curl --output=) targets; a bare `curl <url>` GET
|
|
25
|
+
* writes to STDOUT so it is NOT correlated (the URL-path-segment FP a prior review caught).
|
|
26
|
+
* The ONLY uncaught residual: a SPACED `curl … | bash` (no filename) + a NON-adjacent chmod.
|
|
27
|
+
*/
|
|
28
|
+
// SMI-5433: widened to cover comma-separated symbolic (a+w,o+x), recursive flag (-R/-Rv),
|
|
29
|
+
// and assignment operator (u=rwx,g=rx) evasion forms. The optional `(?:-[A-Za-z]+\s+)?`
|
|
30
|
+
// cluster covers -R, -Rv, -fR and any single-dash letter cluster POSIX chmod supports;
|
|
31
|
+
// `[+\-=]` covers +, -, = operators; `[rwxXstugo]*` (zero-or-more) means `chmod a=`
|
|
32
|
+
// (empty body, clears perms) also matches — intentional TP behavior per plan.
|
|
33
|
+
// FIX (adversarial review SMI-5433): `[ugoa]*` (zero-or-more, not `+` one-or-more) so
|
|
34
|
+
// that bare `chmod +x foo` (no u/g/o/a prefix — the most common make-executable form
|
|
35
|
+
// in install scripts and malicious droppers) still matches.
|
|
36
|
+
const OWNER_PERM_CHMOD = /\bchmod\s+(?:-[A-Za-z]+\s+)?(?:[0-7]{3,4}|[ugoa]*(?:[+\-=][rwxXstugo]+(?:,[ugoa]*[+\-=][rwxXstugo]*)*)+)/i;
|
|
37
|
+
// FIX-1: actual fetch COMMANDS only — bare prose tokens (`# downloaded`, `See https://…`,
|
|
38
|
+
// `npx tool init`) false-fired next to a chmod. curl/wget/git-clone, and npx only with a URL.
|
|
39
|
+
const CHMOD_FETCH_CONTEXT = /\b(?:curl|wget)\b|\bgit\s+clone\b|\bnpx\b[^\n]{0,80}https?:\/\//i;
|
|
40
|
+
// FIX-2: capture the chmod target path so a fetch command anywhere correlates by basename.
|
|
41
|
+
// SMI-5433: prefix widened to match the same extended forms as OWNER_PERM_CHMOD; capture
|
|
42
|
+
// group (\S+) (the target path) is unchanged.
|
|
43
|
+
const CHMOD_TARGET = /\bchmod\s+(?:-[A-Za-z]+\s+)?(?:[0-7]{3,4}|[ugoa]*(?:[+\-=][rwxXstugo]+(?:,[ugoa]*[+\-=][rwxXstugo]*)*)+)\s+(\S+)/i;
|
|
44
|
+
function escapeRegExp(s) {
|
|
45
|
+
return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
|
|
46
|
+
}
|
|
47
|
+
// SMI-5431: the IMPLICIT download destination of a fetch command — the file written with
|
|
48
|
+
// NO explicit -o/-O/--output<space>/> redirect: `wget <url>` (no -O/-o) → URL last segment;
|
|
49
|
+
// `git clone <url>` → repo dir (minus `.git`); `curl --output=<file>` (equals form, missed by
|
|
50
|
+
// the explicit regex). A bare `curl <url>` GET writes to STDOUT → '' (never correlates). ReDoS-safe.
|
|
51
|
+
function implicitDownloadBasename(line) {
|
|
52
|
+
const lastSegment = (urlAfterScheme) => {
|
|
53
|
+
const noFrag = urlAfterScheme.split(/[?#]/)[0];
|
|
54
|
+
const slash = noFrag.indexOf('/'); // first slash = end of host
|
|
55
|
+
if (slash < 0)
|
|
56
|
+
return ''; // host only -> wget writes index.html
|
|
57
|
+
const path = noFrag.slice(slash + 1).replace(/\/+$/, '');
|
|
58
|
+
return path === '' ? '' : (path.split('/').pop() ?? '');
|
|
59
|
+
};
|
|
60
|
+
const wget = line.match(/\bwget\b(?![^\n]{0,200}\s-[oO]\b)[^\n]{0,200}?https?:\/\/(\S{1,400})/i);
|
|
61
|
+
if (wget)
|
|
62
|
+
return lastSegment(wget[1]);
|
|
63
|
+
const clone = line.match(/\bgit\s+clone\b[^\n]{0,200}?https?:\/\/(\S{1,400})/i);
|
|
64
|
+
if (clone)
|
|
65
|
+
return lastSegment(clone[1]).replace(/\.git$/i, '');
|
|
66
|
+
const curlEq = line.match(/\bcurl\b[^\n]{0,200}?--output=['"]?(\S{1,400})/i);
|
|
67
|
+
if (curlEq)
|
|
68
|
+
return curlEq[1].replace(/['"]/g, '').split('/').pop() ?? '';
|
|
69
|
+
return '';
|
|
70
|
+
}
|
|
71
|
+
export function scanChmodFetchCompound(content, alreadyFlaggedLines, lineContexts) {
|
|
72
|
+
const findings = [];
|
|
73
|
+
const lines = content.split('\n');
|
|
74
|
+
const contexts = lineContexts ?? analyzeMarkdownContext(content);
|
|
75
|
+
// FIX-2: lines carrying a fetch command, for distance-independent correlation.
|
|
76
|
+
// H-6 (SMI-5433): route through safeRegexTest so the 10,000-char cap applies uniformly
|
|
77
|
+
// to the per-line filter too (CHMOD_FETCH_CONTEXT is provably linear, so this is
|
|
78
|
+
// defense-in-depth consistency, not a ReDoS fix).
|
|
79
|
+
const fetchLines = lines.filter((l) => safeRegexTest(CHMOD_FETCH_CONTEXT, l) !== null);
|
|
80
|
+
lines.forEach((line, index) => {
|
|
81
|
+
const lineNumber = index + 1;
|
|
82
|
+
// World-writable / setuid already emitted critical for this line — skip.
|
|
83
|
+
if (alreadyFlaggedLines.has(lineNumber))
|
|
84
|
+
return;
|
|
85
|
+
const match = safeRegexTest(OWNER_PERM_CHMOD, line);
|
|
86
|
+
if (!match)
|
|
87
|
+
return;
|
|
88
|
+
// Bounded ±1-line window for the download-then-chmod adjacency.
|
|
89
|
+
const window = [lines[index - 1] ?? '', line, lines[index + 1] ?? ''].join('\n');
|
|
90
|
+
// H-6 (SMI-5433): route through safeRegexTest for the 10,000-char cap.
|
|
91
|
+
const adjacentFetch = safeRegexTest(CHMOD_FETCH_CONTEXT, window) !== null;
|
|
92
|
+
// FIX-2 + SMI-5431: correlate the chmod target basename (≥3 chars) against a fetch
|
|
93
|
+
// command's DOWNLOAD DESTINATION anywhere — explicit (-o/-O/--output<space>/>, with an
|
|
94
|
+
// optional leading path) via regex, OR implicit (wget/git-clone/curl --output=) via
|
|
95
|
+
// exact-token equality. Anchored on the destination, NOT basename-anywhere, so a URL
|
|
96
|
+
// path / query / header value (governance FP class) and a bare curl GET do not correlate.
|
|
97
|
+
let correlated = false;
|
|
98
|
+
// H-6 (SMI-5433): route through safeRegexTest for the 10,000-char cap.
|
|
99
|
+
const tm = safeRegexTest(CHMOD_TARGET, line);
|
|
100
|
+
if (tm) {
|
|
101
|
+
const base = tm[1].replace(/['"]/g, '').split('/').pop() ?? '';
|
|
102
|
+
if (base.length >= 3) {
|
|
103
|
+
const re = new RegExp(`(?:-o|-O|--output|>>?)\\s*['"]?(?:[^\\s'"]*/)?${escapeRegExp(base)}(?:[\\s'"?]|$)`);
|
|
104
|
+
correlated = fetchLines.some((l) => re.test(l) || implicitDownloadBasename(l) === base);
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
if (!adjacentFetch && !correlated)
|
|
108
|
+
return; // benign standalone chmod — no finding
|
|
109
|
+
const ctx = contexts[index];
|
|
110
|
+
const inInlineCode = ctx?.isInlineCode && isWithinInlineCode(line, match.index ?? 0);
|
|
111
|
+
const inDocContext = ctx ? isDocumentationContext(ctx) || inInlineCode : false;
|
|
112
|
+
findings.push({
|
|
113
|
+
type: 'privilege_escalation',
|
|
114
|
+
// HIGH (not critical): enough to trip Gate-A AND serve as an
|
|
115
|
+
// escalateCodeExecution co-signal, without re-introducing a critical FP.
|
|
116
|
+
severity: inDocContext ? 'low' : 'high',
|
|
117
|
+
message: `chmod of a fetched/downloaded file (compound with a download verb): "${match[0]}"`,
|
|
118
|
+
location: line.trim().slice(0, 100),
|
|
119
|
+
lineNumber,
|
|
120
|
+
category: 'privilege_escalation',
|
|
121
|
+
inDocumentationContext: inDocContext,
|
|
122
|
+
confidence: inDocContext ? 'low' : 'high',
|
|
123
|
+
});
|
|
124
|
+
});
|
|
125
|
+
return findings;
|
|
126
|
+
}
|
|
127
|
+
//# sourceMappingURL=SecurityScanner.compound.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SecurityScanner.compound.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.compound.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF;;;;;;;;GAQG;AAIH,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA;AAEhD;;;;;;;;;;;;;;GAcG;AACH,0FAA0F;AAC1F,wFAAwF;AACxF,uFAAuF;AACvF,oFAAoF;AACpF,8EAA8E;AAC9E,sFAAsF;AACtF,qFAAqF;AACrF,4DAA4D;AAC5D,MAAM,gBAAgB,GACpB,2GAA2G,CAAA;AAC7G,0FAA0F;AAC1F,8FAA8F;AAC9F,MAAM,mBAAmB,GAAG,kEAAkE,CAAA;AAC9F,2FAA2F;AAC3F,yFAAyF;AACzF,8CAA8C;AAC9C,MAAM,YAAY,GAChB,mHAAmH,CAAA;AACrH,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;AACjD,CAAC;AACD,yFAAyF;AACzF,4FAA4F;AAC5F,8FAA8F;AAC9F,qGAAqG;AACrG,SAAS,wBAAwB,CAAC,IAAY;IAC5C,MAAM,WAAW,GAAG,CAAC,cAAsB,EAAU,EAAE;QACrD,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;QAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA,CAAC,4BAA4B;QAC9D,IAAI,KAAK,GAAG,CAAC;YAAE,OAAO,EAAE,CAAA,CAAC,sCAAsC;QAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;QACxD,OAAO,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAA;IACzD,CAAC,CAAA;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAA;IAChG,IAAI,IAAI;QAAE,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;IACrC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAA;IAC/E,IAAI,KAAK;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;IAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAA;IAC5E,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;IACxE,OAAO,EAAE,CAAA;AACX,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAe,EACf,mBAAwC,EACxC,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAChE,+EAA+E;IAC/E,uFAAuF;IACvF,iFAAiF;IACjF,kDAAkD;IAClD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,mBAAmB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAA;IAEtF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAA;QAC5B,yEAAyE;QACzE,IAAI,mBAAmB,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAM;QAC/C,MAAM,KAAK,GAAG,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAA;QACnD,IAAI,CAAC,KAAK;YAAE,OAAM;QAClB,gEAAgE;QAChE,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChF,uEAAuE;QACvE,MAAM,aAAa,GAAG,aAAa,CAAC,mBAAmB,EAAE,MAAM,CAAC,KAAK,IAAI,CAAA;QACzE,mFAAmF;QACnF,uFAAuF;QACvF,oFAAoF;QACpF,qFAAqF;QACrF,0FAA0F;QAC1F,IAAI,UAAU,GAAG,KAAK,CAAA;QACtB,uEAAuE;QACvE,MAAM,EAAE,GAAG,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,CAAA;QAC5C,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;YAC9D,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACrB,MAAM,EAAE,GAAG,IAAI,MAAM,CACnB,iDAAiD,YAAY,CAAC,IAAI,CAAC,gBAAgB,CACpF,CAAA;gBACD,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,wBAAwB,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAA;YACzF,CAAC;QACH,CAAC;QACD,IAAI,CAAC,aAAa,IAAI,CAAC,UAAU;YAAE,OAAM,CAAC,uCAAuC;QAEjF,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAC3B,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;QACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;QAC9E,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,sBAAsB;YAC5B,6DAA6D;YAC7D,yEAAyE;YACzE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;YACvC,OAAO,EAAE,wEAAwE,KAAK,CAAC,CAAC,CAAC,GAAG;YAC5F,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACnC,UAAU;YACV,QAAQ,EAAE,sBAAsB;YAChC,sBAAsB,EAAE,YAAY;YACpC,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;SAC1C,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityScanner.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAmB,UAAU,EAAE,cAAc,EAAqB,MAAM,YAAY,CAAA;AAUhG,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAC/D,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAEnB,MAAM,8BAA8B,CAAA;AAGrC,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;
|
|
1
|
+
{"version":3,"file":"SecurityScanner.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAmB,UAAU,EAAE,cAAc,EAAqB,MAAM,YAAY,CAAA;AAUhG,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAC/D,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAEnB,MAAM,8BAA8B,CAAA;AAGrC,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAsB5D,OAAO,EACL,aAAa,EACb,OAAO,EACP,mBAAmB,EACnB,SAAS,EACV,MAAM,iCAAiC,CAAA;AAGxC,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,CAAA;AACD,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAA;AAEjE,qBAAa,eAAe;IAC1B,OAAO,CAAC,cAAc,CAAa;IACnC,OAAO,CAAC,eAAe,CAAU;IACjC,OAAO,CAAC,gBAAgB,CAAQ;IAChC,OAAO,CAAC,aAAa,CAAQ;gBAEjB,OAAO,GAAE,cAAmB;IAOxC,OAAO,CAAC,WAAW;IAenB,OAAO,CAAC,eAAe;IAYvB,OAAO,CAAC,QAAQ;IAmBhB,OAAO,CAAC,qBAAqB;IAa7B,OAAO,CAAC,sBAAsB;IA6D9B,OAAO,CAAC,4BAA4B;IAgBpC,0EAA0E;IAC1E,kBAAkB,4BAAqB;IAEvC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,UAAU;IA6DlD,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAOpC,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAItC,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAKxC,MAAM,CAAC,aAAa,uBAAgB;IACpC,MAAM,CAAC,OAAO,iBAAU;IACxB,MAAM,CAAC,mBAAmB,6BAAsB;IAChD,MAAM,CAAC,SAAS,mBAAY;CAC7B;AAED,eAAe,eAAe,CAAA"}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Hostile-Update Detection — R0 Wave 2A (SMI-5535)
|
|
3
|
+
* @module @skillsmith/core/security/scanner/SecurityScanner.hostile-update
|
|
4
|
+
*
|
|
5
|
+
* A PURE comparator (no I/O, no clock, no mutation of its inputs) that detects a
|
|
6
|
+
* benign→malicious "rug-pull" between two SecurityScanner scans of the SAME
|
|
7
|
+
* skill. The scanner already blocks a skill that is malicious on first sight;
|
|
8
|
+
* this detector catches the harder case where an initially-clean skill is
|
|
9
|
+
* silently updated to exfiltrate credentials or execute remote payloads.
|
|
10
|
+
*
|
|
11
|
+
* The verdict is delta-based: it never re-scores content, it only reasons about
|
|
12
|
+
* what changed between `previous` and `current`. "hostile" is reserved for the
|
|
13
|
+
* benign→malicious transition — a skill that was ALREADY flagged and merely got
|
|
14
|
+
* worse is a worsening (`suspicious`), not a fresh rug-pull.
|
|
15
|
+
*/
|
|
16
|
+
import type { HostileUpdateVerdict, ScanReport } from './types.js';
|
|
17
|
+
/**
|
|
18
|
+
* Default risk-score threshold. Mirrors SecurityScanner's `riskThreshold`
|
|
19
|
+
* default (SMI-5359) so the "crossed the failure bar" signal here lines up with
|
|
20
|
+
* the `passed` computation in `SecurityScanner.scan`.
|
|
21
|
+
*/
|
|
22
|
+
export declare const DEFAULT_RISK_THRESHOLD = 40;
|
|
23
|
+
/**
|
|
24
|
+
* Compare two scans of the same skill and classify the transition.
|
|
25
|
+
*
|
|
26
|
+
* Ordering is hostile → suspicious → benign so the strongest signal wins.
|
|
27
|
+
*
|
|
28
|
+
* @param previous Scan of the prior (trusted) version.
|
|
29
|
+
* @param current Scan of the incoming version.
|
|
30
|
+
* @param threshold Risk-score failure bar; defaults to {@link DEFAULT_RISK_THRESHOLD}.
|
|
31
|
+
*
|
|
32
|
+
* CALLER CONTRACT (LOW-2): this value MUST equal the `riskThreshold` the
|
|
33
|
+
* `SecurityScanner` instance used to produce BOTH `previous` and `current`
|
|
34
|
+
* (i.e. the same `ScannerOptions.riskThreshold` — or the scanner's own
|
|
35
|
+
* default of 40, which is why this parameter also defaults to
|
|
36
|
+
* {@link DEFAULT_RISK_THRESHOLD}). `previouslyBenign` below is derived from
|
|
37
|
+
* `previous.passed`, which was computed by the scanner against ITS OWN
|
|
38
|
+
* `riskThreshold` at scan time — if the caller passes a `threshold` here
|
|
39
|
+
* that differs from that value, `crossedThreshold`'s "did the score cross
|
|
40
|
+
* the bar" signal and `previouslyBenign`'s "was it passing" signal are
|
|
41
|
+
* reasoning about two different bars, and the hostile/suspicious/benign
|
|
42
|
+
* verdict can disagree with what `previous.passed` / `current.passed`
|
|
43
|
+
* would say under a freshly-run scan.
|
|
44
|
+
*/
|
|
45
|
+
export declare function compareScanReports(previous: ScanReport, current: ScanReport, threshold?: number): HostileUpdateVerdict;
|
|
46
|
+
//# sourceMappingURL=SecurityScanner.hostile-update.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SecurityScanner.hostile-update.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.hostile-update.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,UAAU,EAIX,MAAM,YAAY,CAAA;AAEnB;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,KAAK,CAAA;AA4GxC;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,UAAU,EACpB,OAAO,EAAE,UAAU,EACnB,SAAS,GAAE,MAA+B,GACzC,oBAAoB,CA+EtB"}
|
|
@@ -0,0 +1,209 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Hostile-Update Detection — R0 Wave 2A (SMI-5535)
|
|
3
|
+
* @module @skillsmith/core/security/scanner/SecurityScanner.hostile-update
|
|
4
|
+
*
|
|
5
|
+
* A PURE comparator (no I/O, no clock, no mutation of its inputs) that detects a
|
|
6
|
+
* benign→malicious "rug-pull" between two SecurityScanner scans of the SAME
|
|
7
|
+
* skill. The scanner already blocks a skill that is malicious on first sight;
|
|
8
|
+
* this detector catches the harder case where an initially-clean skill is
|
|
9
|
+
* silently updated to exfiltrate credentials or execute remote payloads.
|
|
10
|
+
*
|
|
11
|
+
* The verdict is delta-based: it never re-scores content, it only reasons about
|
|
12
|
+
* what changed between `previous` and `current`. "hostile" is reserved for the
|
|
13
|
+
* benign→malicious transition — a skill that was ALREADY flagged and merely got
|
|
14
|
+
* worse is a worsening (`suspicious`), not a fresh rug-pull.
|
|
15
|
+
*/
|
|
16
|
+
/**
|
|
17
|
+
* Default risk-score threshold. Mirrors SecurityScanner's `riskThreshold`
|
|
18
|
+
* default (SMI-5359) so the "crossed the failure bar" signal here lines up with
|
|
19
|
+
* the `passed` computation in `SecurityScanner.scan`.
|
|
20
|
+
*/
|
|
21
|
+
export const DEFAULT_RISK_THRESHOLD = 40;
|
|
22
|
+
/**
|
|
23
|
+
* Minimum positive risk jump (short of crossing the threshold) that still counts
|
|
24
|
+
* as a "material" worsening worth a `suspicious` verdict.
|
|
25
|
+
*/
|
|
26
|
+
const MATERIAL_RISK_DELTA = 10;
|
|
27
|
+
/**
|
|
28
|
+
* Co-occurrence finding types that, paired with a NEW `code_execution` finding,
|
|
29
|
+
* indicate a supply-chain execution rug-pull. Mirrors the intuition of
|
|
30
|
+
* `escalateCodeExecution`'s CODE_EXECUTION_CO_OCCURRENCE set (SecurityScanner.exec.ts),
|
|
31
|
+
* minus `obfuscated_directive` — a live concealed directive is already critical
|
|
32
|
+
* and self-quarantines on its own, so it needs no code_execution pairing here.
|
|
33
|
+
*/
|
|
34
|
+
const SUPPLY_CHAIN_CO_SIGNALS = new Set([
|
|
35
|
+
'data_exfiltration',
|
|
36
|
+
'privilege_escalation',
|
|
37
|
+
'sensitive_path',
|
|
38
|
+
]);
|
|
39
|
+
const SEVERITY_ORDER = {
|
|
40
|
+
low: 0,
|
|
41
|
+
medium: 1,
|
|
42
|
+
high: 2,
|
|
43
|
+
critical: 3,
|
|
44
|
+
};
|
|
45
|
+
function isHighOrCritical(f) {
|
|
46
|
+
return f.severity === 'high' || f.severity === 'critical';
|
|
47
|
+
}
|
|
48
|
+
/**
|
|
49
|
+
* Normalize free-text so cosmetic churn (whitespace runs, casing) does not make
|
|
50
|
+
* an otherwise-identical finding look "new". lineNumber is deliberately excluded
|
|
51
|
+
* from the key (see `findingKey`) because inserting benign prose above a finding
|
|
52
|
+
* shifts its line without changing the finding itself.
|
|
53
|
+
*/
|
|
54
|
+
function normalizeText(text) {
|
|
55
|
+
if (!text)
|
|
56
|
+
return '';
|
|
57
|
+
return text.toLowerCase().replace(/\s+/g, ' ').trim();
|
|
58
|
+
}
|
|
59
|
+
/**
|
|
60
|
+
* Stable identity for a finding: type + severity + normalized message + location.
|
|
61
|
+
* Severity is part of the key on purpose — an escalation (e.g. code_execution
|
|
62
|
+
* medium→critical, which also rewrites the message) is a genuinely NEW hostile
|
|
63
|
+
* signal, not the "same" finding. A finding that got SAFER (higher→lower
|
|
64
|
+
* severity, or disappeared entirely) therefore never shows up in `newFindings`.
|
|
65
|
+
*/
|
|
66
|
+
function findingKey(f) {
|
|
67
|
+
return [f.type, f.severity, normalizeText(f.message), normalizeText(f.location)].join('\u0000');
|
|
68
|
+
}
|
|
69
|
+
/** Findings present in `current` whose key is absent from `previous`. */
|
|
70
|
+
function diffNewFindings(previous, current) {
|
|
71
|
+
const previousKeys = new Set(previous.findings.map(findingKey));
|
|
72
|
+
return current.findings.filter((f) => !previousKeys.has(findingKey(f)));
|
|
73
|
+
}
|
|
74
|
+
function highestSeverity(findings) {
|
|
75
|
+
return findings.reduce((worst, f) => SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[worst.severity] ? f : worst);
|
|
76
|
+
}
|
|
77
|
+
/** Compact, one-line, single-number formatting for a (possibly fractional) score. */
|
|
78
|
+
function fmt(n) {
|
|
79
|
+
const rounded = Math.round(n * 10) / 10;
|
|
80
|
+
return Number.isInteger(rounded) ? String(rounded) : rounded.toFixed(1);
|
|
81
|
+
}
|
|
82
|
+
function signed(n) {
|
|
83
|
+
return n > 0 ? `+${fmt(n)}` : fmt(n);
|
|
84
|
+
}
|
|
85
|
+
function describeFinding(f) {
|
|
86
|
+
const msg = f.message.length > 80 ? `${f.message.slice(0, 77)}...` : f.message;
|
|
87
|
+
return `${f.type} (${f.severity}): ${msg}`;
|
|
88
|
+
}
|
|
89
|
+
/**
|
|
90
|
+
* A NEW, non-documentation `code_execution` finding paired with a NEW,
|
|
91
|
+
* non-documentation high/critical exfiltration/privilege/credential-path
|
|
92
|
+
* finding = supply-chain execution. Requiring both to be new (and non-doc)
|
|
93
|
+
* keeps a security-research skill that merely documents these techniques from
|
|
94
|
+
* tripping the strongest signal.
|
|
95
|
+
*/
|
|
96
|
+
function detectSupplyChain(newFindings) {
|
|
97
|
+
const codeExec = newFindings.find((f) => f.type === 'code_execution' && f.inDocumentationContext !== true);
|
|
98
|
+
if (!codeExec)
|
|
99
|
+
return null;
|
|
100
|
+
const coSignal = newFindings.find((f) => f !== codeExec &&
|
|
101
|
+
SUPPLY_CHAIN_CO_SIGNALS.has(f.type) &&
|
|
102
|
+
f.inDocumentationContext !== true &&
|
|
103
|
+
isHighOrCritical(f));
|
|
104
|
+
if (!coSignal)
|
|
105
|
+
return null;
|
|
106
|
+
return { codeExec, coSignal };
|
|
107
|
+
}
|
|
108
|
+
/**
|
|
109
|
+
* Compare two scans of the same skill and classify the transition.
|
|
110
|
+
*
|
|
111
|
+
* Ordering is hostile → suspicious → benign so the strongest signal wins.
|
|
112
|
+
*
|
|
113
|
+
* @param previous Scan of the prior (trusted) version.
|
|
114
|
+
* @param current Scan of the incoming version.
|
|
115
|
+
* @param threshold Risk-score failure bar; defaults to {@link DEFAULT_RISK_THRESHOLD}.
|
|
116
|
+
*
|
|
117
|
+
* CALLER CONTRACT (LOW-2): this value MUST equal the `riskThreshold` the
|
|
118
|
+
* `SecurityScanner` instance used to produce BOTH `previous` and `current`
|
|
119
|
+
* (i.e. the same `ScannerOptions.riskThreshold` — or the scanner's own
|
|
120
|
+
* default of 40, which is why this parameter also defaults to
|
|
121
|
+
* {@link DEFAULT_RISK_THRESHOLD}). `previouslyBenign` below is derived from
|
|
122
|
+
* `previous.passed`, which was computed by the scanner against ITS OWN
|
|
123
|
+
* `riskThreshold` at scan time — if the caller passes a `threshold` here
|
|
124
|
+
* that differs from that value, `crossedThreshold`'s "did the score cross
|
|
125
|
+
* the bar" signal and `previouslyBenign`'s "was it passing" signal are
|
|
126
|
+
* reasoning about two different bars, and the hostile/suspicious/benign
|
|
127
|
+
* verdict can disagree with what `previous.passed` / `current.passed`
|
|
128
|
+
* would say under a freshly-run scan.
|
|
129
|
+
*/
|
|
130
|
+
export function compareScanReports(previous, current, threshold = DEFAULT_RISK_THRESHOLD) {
|
|
131
|
+
const newFindings = diffNewFindings(previous, current);
|
|
132
|
+
const riskDelta = current.riskScore - previous.riskScore;
|
|
133
|
+
const previouslyBenign = previous.passed === true;
|
|
134
|
+
const crossedThreshold = previous.riskScore < threshold && current.riskScore >= threshold;
|
|
135
|
+
const newHighCritical = newFindings.filter(isHighOrCritical);
|
|
136
|
+
// Mirror escalateCodeExecution's non-doc gate: a new high/critical finding that
|
|
137
|
+
// lives ONLY in a documentation context (a fenced example) is weak rug-pull
|
|
138
|
+
// evidence, so it does not on its own trip `hostile` — it falls to `suspicious`.
|
|
139
|
+
const newHighCriticalNonDoc = newHighCritical.filter((f) => f.inDocumentationContext !== true);
|
|
140
|
+
const newMedium = newFindings.filter((f) => f.severity === 'medium');
|
|
141
|
+
const materialDelta = riskDelta >= MATERIAL_RISK_DELTA;
|
|
142
|
+
// A new medium finding only signals a worsening when the overall risk actually
|
|
143
|
+
// rose. This suppresses the case where an old high finding was DOWNGRADED to
|
|
144
|
+
// medium (its medium variant is technically "new" under the severity-keyed diff,
|
|
145
|
+
// but the net change made the skill safer — riskDelta <= 0).
|
|
146
|
+
const mediumWorsening = newMedium.length > 0 && riskDelta > 0;
|
|
147
|
+
const scoreClause = `risk ${fmt(previous.riskScore)}->${fmt(current.riskScore)}`;
|
|
148
|
+
// ---- hostile: a benign→malicious flip ----------------------------------
|
|
149
|
+
if (previouslyBenign && (newHighCriticalNonDoc.length > 0 || crossedThreshold)) {
|
|
150
|
+
const supplyChain = detectSupplyChain(newFindings);
|
|
151
|
+
let reason;
|
|
152
|
+
if (supplyChain) {
|
|
153
|
+
reason =
|
|
154
|
+
`Rug-pull: previously-benign skill now ships a remote-execution command ` +
|
|
155
|
+
`[${describeFinding(supplyChain.codeExec)}] co-occurring with a fresh ` +
|
|
156
|
+
`${supplyChain.coSignal.type} signal [${describeFinding(supplyChain.coSignal)}] - ` +
|
|
157
|
+
`classic supply-chain execution (${scoreClause}).`;
|
|
158
|
+
}
|
|
159
|
+
else if (newHighCriticalNonDoc.length > 0) {
|
|
160
|
+
const worst = highestSeverity(newHighCriticalNonDoc);
|
|
161
|
+
reason =
|
|
162
|
+
`Rug-pull: previously-benign skill introduced ${newHighCriticalNonDoc.length} new ` +
|
|
163
|
+
`high/critical finding(s), e.g. ${describeFinding(worst)} (${scoreClause}).`;
|
|
164
|
+
}
|
|
165
|
+
else {
|
|
166
|
+
reason =
|
|
167
|
+
`Rug-pull: previously-benign skill's risk score crossed the failure bar ` +
|
|
168
|
+
`(${fmt(previous.riskScore)} -> ${fmt(current.riskScore)} >= ${threshold}).`;
|
|
169
|
+
}
|
|
170
|
+
return { verdict: 'hostile', newFindings, riskDelta, reason };
|
|
171
|
+
}
|
|
172
|
+
// ---- suspicious: a worsening short of a benign→malicious flip -----------
|
|
173
|
+
if (newHighCritical.length > 0 || mediumWorsening || materialDelta) {
|
|
174
|
+
let reason;
|
|
175
|
+
if (newHighCritical.length > 0) {
|
|
176
|
+
const worst = highestSeverity(newHighCritical);
|
|
177
|
+
const base = previouslyBenign
|
|
178
|
+
? `Update added ${newHighCritical.length} new high/critical finding(s) confined to a documentation context`
|
|
179
|
+
: `Already-flagged skill added ${newHighCritical.length} new high/critical finding(s) - a worsening, not a fresh benign->malicious transition`;
|
|
180
|
+
reason = `${base}, e.g. ${describeFinding(worst)} (${scoreClause}).`;
|
|
181
|
+
}
|
|
182
|
+
else if (newMedium.length > 0) {
|
|
183
|
+
reason =
|
|
184
|
+
`Update introduced ${newMedium.length} new medium finding(s) without reaching the ` +
|
|
185
|
+
`hostile bar (${scoreClause}).`;
|
|
186
|
+
}
|
|
187
|
+
else {
|
|
188
|
+
reason =
|
|
189
|
+
`Risk score rose materially (${scoreClause}, delta ${signed(riskDelta)}) ` +
|
|
190
|
+
`without any new high/critical findings.`;
|
|
191
|
+
}
|
|
192
|
+
return { verdict: 'suspicious', newFindings, riskDelta, reason };
|
|
193
|
+
}
|
|
194
|
+
// ---- benign: unchanged, reduced, or harmless churn ---------------------
|
|
195
|
+
let reason;
|
|
196
|
+
if (newFindings.length === 0) {
|
|
197
|
+
reason =
|
|
198
|
+
riskDelta < 0
|
|
199
|
+
? `No new findings; risk score fell (${scoreClause}) - a safer revision or benign churn.`
|
|
200
|
+
: `No new findings and no risk increase (${scoreClause}) - content unchanged or benign churn.`;
|
|
201
|
+
}
|
|
202
|
+
else {
|
|
203
|
+
reason =
|
|
204
|
+
`No new high/critical findings and no threshold crossing (${scoreClause}); ` +
|
|
205
|
+
`${newFindings.length} minor new finding(s) below the suspicious bar.`;
|
|
206
|
+
}
|
|
207
|
+
return { verdict: 'benign', newFindings, riskDelta, reason };
|
|
208
|
+
}
|
|
209
|
+
//# sourceMappingURL=SecurityScanner.hostile-update.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SecurityScanner.hostile-update.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.hostile-update.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAUH;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAA;AAExC;;;GAGG;AACH,MAAM,mBAAmB,GAAG,EAAE,CAAA;AAE9B;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAqC,IAAI,GAAG,CAAC;IACxE,mBAAmB;IACnB,sBAAsB;IACtB,gBAAgB;CACjB,CAAC,CAAA;AAEF,MAAM,cAAc,GAAqC;IACvD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAA;AAED,SAAS,gBAAgB,CAAC,CAAkB;IAC1C,OAAO,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAA;AAC3D,CAAC;AAED;;;;;GAKG;AACH,SAAS,aAAa,CAAC,IAAwB;IAC7C,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAA;IACpB,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;AACvD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,UAAU,CAAC,CAAkB;IACpC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AACjG,CAAC;AAED,yEAAyE;AACzE,SAAS,eAAe,CAAC,QAAoB,EAAE,OAAmB;IAChE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAA;IAC/D,OAAO,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;AACzE,CAAC;AAED,SAAS,eAAe,CAAC,QAA2B;IAClD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CAClC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CACxE,CAAA;AACH,CAAC;AAED,qFAAqF;AACrF,SAAS,GAAG,CAAC,CAAS;IACpB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAA;IACvC,OAAO,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;AACzE,CAAC;AAED,SAAS,MAAM,CAAC,CAAS;IACvB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AACtC,CAAC;AAED,SAAS,eAAe,CAAC,CAAkB;IACzC,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAA;IAC9E,OAAO,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,QAAQ,MAAM,GAAG,EAAE,CAAA;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CACxB,WAA8B;IAE9B,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,gBAAgB,IAAI,CAAC,CAAC,sBAAsB,KAAK,IAAI,CACxE,CAAA;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAE1B,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,KAAK,QAAQ;QACd,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QACnC,CAAC,CAAC,sBAAsB,KAAK,IAAI;QACjC,gBAAgB,CAAC,CAAC,CAAC,CACtB,CAAA;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAE1B,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;AAC/B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAoB,EACpB,OAAmB,EACnB,YAAoB,sBAAsB;IAE1C,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IACtD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAA;IAExD,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAA;IACjD,MAAM,gBAAgB,GAAG,QAAQ,CAAC,SAAS,GAAG,SAAS,IAAI,OAAO,CAAC,SAAS,IAAI,SAAS,CAAA;IAEzF,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;IAC5D,gFAAgF;IAChF,4EAA4E;IAC5E,iFAAiF;IACjF,MAAM,qBAAqB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,sBAAsB,KAAK,IAAI,CAAC,CAAA;IAC9F,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;IACpE,MAAM,aAAa,GAAG,SAAS,IAAI,mBAAmB,CAAA;IACtD,+EAA+E;IAC/E,6EAA6E;IAC7E,iFAAiF;IACjF,6DAA6D;IAC7D,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,CAAA;IAE7D,MAAM,WAAW,GAAG,QAAQ,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAA;IAEhF,2EAA2E;IAC3E,IAAI,gBAAgB,IAAI,CAAC,qBAAqB,CAAC,MAAM,GAAG,CAAC,IAAI,gBAAgB,CAAC,EAAE,CAAC;QAC/E,MAAM,WAAW,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAA;QAClD,IAAI,MAAc,CAAA;QAClB,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM;gBACJ,yEAAyE;oBACzE,IAAI,eAAe,CAAC,WAAW,CAAC,QAAQ,CAAC,8BAA8B;oBACvE,GAAG,WAAW,CAAC,QAAQ,CAAC,IAAI,YAAY,eAAe,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM;oBACnF,mCAAmC,WAAW,IAAI,CAAA;QACtD,CAAC;aAAM,IAAI,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,KAAK,GAAG,eAAe,CAAC,qBAAqB,CAAC,CAAA;YACpD,MAAM;gBACJ,gDAAgD,qBAAqB,CAAC,MAAM,OAAO;oBACnF,kCAAkC,eAAe,CAAC,KAAK,CAAC,KAAK,WAAW,IAAI,CAAA;QAChF,CAAC;aAAM,CAAC;YACN,MAAM;gBACJ,yEAAyE;oBACzE,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,SAAS,IAAI,CAAA;QAChF,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;IAC/D,CAAC;IAED,4EAA4E;IAC5E,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,IAAI,aAAa,EAAE,CAAC;QACnE,IAAI,MAAc,CAAA;QAClB,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,eAAe,CAAC,eAAe,CAAC,CAAA;YAC9C,MAAM,IAAI,GAAG,gBAAgB;gBAC3B,CAAC,CAAC,gBAAgB,eAAe,CAAC,MAAM,mEAAmE;gBAC3G,CAAC,CAAC,+BAA+B,eAAe,CAAC,MAAM,uFAAuF,CAAA;YAChJ,MAAM,GAAG,GAAG,IAAI,UAAU,eAAe,CAAC,KAAK,CAAC,KAAK,WAAW,IAAI,CAAA;QACtE,CAAC;aAAM,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM;gBACJ,qBAAqB,SAAS,CAAC,MAAM,8CAA8C;oBACnF,gBAAgB,WAAW,IAAI,CAAA;QACnC,CAAC;aAAM,CAAC;YACN,MAAM;gBACJ,+BAA+B,WAAW,WAAW,MAAM,CAAC,SAAS,CAAC,IAAI;oBAC1E,yCAAyC,CAAA;QAC7C,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;IAClE,CAAC;IAED,2EAA2E;IAC3E,IAAI,MAAc,CAAA;IAClB,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM;YACJ,SAAS,GAAG,CAAC;gBACX,CAAC,CAAC,qCAAqC,WAAW,uCAAuC;gBACzF,CAAC,CAAC,yCAAyC,WAAW,wCAAwC,CAAA;IACpG,CAAC;SAAM,CAAC;QACN,MAAM;YACJ,4DAA4D,WAAW,KAAK;gBAC5E,GAAG,WAAW,CAAC,MAAM,iDAAiD,CAAA;IAC1E,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;AAC9D,CAAC"}
|
|
@@ -10,7 +10,7 @@ import { isMultilinePattern, analyzeMarkdownContext, isDocumentationContext, isW
|
|
|
10
10
|
import { scanSsrfPatterns } from './SecurityScanner.ssrf.js';
|
|
11
11
|
// Import per-category scanners (SMI-5359 Wave 4.2: extracted to keep this file
|
|
12
12
|
// under the 500-line gate; pure functions of content + lineContexts).
|
|
13
|
-
import { scanSensitivePaths, scanSocialEngineering, scanPromptLeaking, scanDataExfiltration, scanPrivilegeEscalation, scanPiiPatterns, } from './SecurityScanner.scanners.js';
|
|
13
|
+
import { scanSensitivePaths, scanSocialEngineering, scanPromptLeaking, scanDataExfiltration, scanPrivilegeEscalation, scanChmodFetchCompound, scanPiiPatterns, } from './SecurityScanner.scanners.js';
|
|
14
14
|
// Import code-execution & obfuscated-directive detectors (SMI-5359 Wave 4.2).
|
|
15
15
|
import { scanCodeExecution, scanObfuscatedDirective, escalateCodeExecution, } from './SecurityScanner.exec.js';
|
|
16
16
|
// Import formatters (used for both re-export and static methods)
|
|
@@ -159,6 +159,15 @@ export class SecurityScanner {
|
|
|
159
159
|
findings.push(...scanPromptLeaking(content, lineContexts));
|
|
160
160
|
findings.push(...scanDataExfiltration(content, lineContexts));
|
|
161
161
|
findings.push(...scanPrivilegeEscalation(content, lineContexts));
|
|
162
|
+
// SMI-5424 PR2: owner-perm chmod is a compound signal — emit only when
|
|
163
|
+
// co-located with a fetch/download verb. Pass the lines already flagged by
|
|
164
|
+
// the standalone (world-writable/setuid) privesc patterns so we never
|
|
165
|
+
// double-emit. Runs before escalateCodeExecution so a compound chmod (HIGH)
|
|
166
|
+
// can serve as the code_execution co-signal.
|
|
167
|
+
const privEscLines = new Set(findings
|
|
168
|
+
.filter((f) => f.type === 'privilege_escalation' && f.lineNumber)
|
|
169
|
+
.map((f) => f.lineNumber));
|
|
170
|
+
findings.push(...scanChmodFetchCompound(content, privEscLines, lineContexts));
|
|
162
171
|
findings.push(...this.scanAIDefenceVulnerabilities(content, lineContexts));
|
|
163
172
|
findings.push(...scanSsrfPatterns(content, lineContexts));
|
|
164
173
|
findings.push(...scanPiiPatterns(content, lineContexts));
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityScanner.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAIhE,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,8BAA8B,CAAA;AAErC,sBAAsB;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAE5D,+EAA+E;AAC/E,sEAAsE;AACtE,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,eAAe,GAChB,MAAM,+BAA+B,CAAA;AAEtC,8EAA8E;AAC9E,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,2BAA2B,CAAA;AAElC,iEAAiE;AACjE,OAAO,EACL,aAAa,EACb,OAAO,EACP,mBAAmB,EACnB,SAAS,GACV,MAAM,iCAAiC,CAAA;AAExC,kDAAkD;AAClD,OAAO,EAEL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,CAAA;AACD,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAA;AAEjE,MAAM,OAAO,eAAe;IAClB,cAAc,CAAa;IAC3B,eAAe,CAAU;IACzB,gBAAgB,CAAQ;IACxB,aAAa,CAAQ;IAE7B,YAAY,UAA0B,EAAE;QACtC,IAAI,CAAC,cAAc,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,uBAAuB,CAAC,CAAA;QAChF,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,EAAE,CAAA;QACpD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,SAAS,CAAA,CAAC,MAAM;QACpE,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAA;IAClD,CAAC;IAEO,WAAW,CAAC,OAAe;QACjC,MAAM,UAAU,GAAG,4BAA4B,CAAA;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,OAAO,GAAyC,EAAE,CAAA;QAExD,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,IAAI,KAAK,CAAA;YACT,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC,CAAA;YAClD,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,OAAO,CAAA;IAChB,CAAC;IAEO,eAAe,CAAC,GAAW;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;YAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAA;YAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CACzC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,CACnE,CAAA;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,OAAe;QAC9B,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;QAEtC,KAAK,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,QAAQ;oBAClB,OAAO,EAAE,kCAAkC,GAAG,EAAE;oBAChD,QAAQ,EAAE,GAAG;oBACb,UAAU,EAAE,IAAI;iBACjB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,qBAAqB,CAAC,OAAe,EAAE,YAA4B;QACzE,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,WAAW;YACjB,aAAa,EAAE,sCAAsC;YACrD,QAAQ,EAAE,kBAAkB;YAC5B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAEO,sBAAsB,CAAC,OAAe,EAAE,YAA4B;QAC1E,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;YAE3B,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,oEAAoE;oBACpE,sEAAsE;oBACtE,2EAA2E;oBAC3E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;oBAE7E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,iCAAiC,KAAK,CAAC,CAAC,CAAC,GAAG;wBACrD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;YAED,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,qEAAqE;oBACrE,gEAAgE;oBAChE,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;oBAE9E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,8BAA8B,KAAK,CAAC,CAAC,CAAC,GAAG;wBAClD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,4BAA4B,CAClC,OAAe,EACf,YAA4B;QAE5B,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,YAAY;YAClB,aAAa,EAAE,+BAA+B;YAC9C,QAAQ,EAAE,mBAAmB;YAC7B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAED,0EAA0E;IAC1E,kBAAkB,GAAG,kBAAkB,CAAA;IAEvC,IAAI,CAAC,OAAe,EAAE,OAAe;QACnC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACnC,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,YAAY,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEpD,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,mCAAmC,IAAI,CAAC,gBAAgB,SAAS;aAC3E,CAAC,CAAA;QACJ,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;QACxC,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACnE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACpE,QAAQ,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC9D,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC7D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAChE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,4BAA4B,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1E,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAA;QAElD,iFAAiF;QACjF,gFAAgF;QAChF,2DAA2D;QAC3D,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAE/B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACjC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAEnF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAA;QACnE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,SAAS,IAAI,IAAI,CAAC,aAAa,CAAA;QAExD,OAAO;YACL,OAAO;YACP,MAAM,EAAE,CAAC,WAAW,IAAI,CAAC,OAAO,IAAI,CAAC,gBAAgB;YACrD,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,cAAc,EAAE,OAAO,GAAG,SAAS;YACnC,SAAS;YACT,aAAa;SACd,CAAA;IACH,CAAC;IAED,UAAU,CAAC,OAAe;QACxB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAA;QACpD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,gBAAgB,CAAC,MAAc;QAC7B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,iBAAiB,CAAC,OAAe;QAC/B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED,oEAAoE;IACpE,MAAM,CAAC,aAAa,GAAG,aAAa,CAAA;IACpC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAA;IACxB,MAAM,CAAC,mBAAmB,GAAG,mBAAmB,CAAA;IAChD,MAAM,CAAC,SAAS,GAAG,SAAS,CAAA;;AAG9B,eAAe,eAAe,CAAA"}
|
|
1
|
+
{"version":3,"file":"SecurityScanner.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAIhE,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,8BAA8B,CAAA;AAErC,sBAAsB;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAE5D,+EAA+E;AAC/E,sEAAsE;AACtE,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,eAAe,GAChB,MAAM,+BAA+B,CAAA;AAEtC,8EAA8E;AAC9E,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,2BAA2B,CAAA;AAElC,iEAAiE;AACjE,OAAO,EACL,aAAa,EACb,OAAO,EACP,mBAAmB,EACnB,SAAS,GACV,MAAM,iCAAiC,CAAA;AAExC,kDAAkD;AAClD,OAAO,EAEL,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,CAAA;AACD,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,CAAA;AAEjE,MAAM,OAAO,eAAe;IAClB,cAAc,CAAa;IAC3B,eAAe,CAAU;IACzB,gBAAgB,CAAQ;IACxB,aAAa,CAAQ;IAE7B,YAAY,UAA0B,EAAE;QACtC,IAAI,CAAC,cAAc,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,uBAAuB,CAAC,CAAA;QAChF,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,EAAE,CAAA;QACpD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,SAAS,CAAA,CAAC,MAAM;QACpE,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAA;IAClD,CAAC;IAEO,WAAW,CAAC,OAAe;QACjC,MAAM,UAAU,GAAG,4BAA4B,CAAA;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,OAAO,GAAyC,EAAE,CAAA;QAExD,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,IAAI,KAAK,CAAA;YACT,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC,CAAA;YAClD,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,OAAO,CAAA;IAChB,CAAC;IAEO,eAAe,CAAC,GAAW;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;YAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAA;YAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CACzC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,CACnE,CAAA;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,OAAe;QAC9B,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;QAEtC,KAAK,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,QAAQ;oBAClB,OAAO,EAAE,kCAAkC,GAAG,EAAE;oBAChD,QAAQ,EAAE,GAAG;oBACb,UAAU,EAAE,IAAI;iBACjB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,qBAAqB,CAAC,OAAe,EAAE,YAA4B;QACzE,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,WAAW;YACjB,aAAa,EAAE,sCAAsC;YACrD,QAAQ,EAAE,kBAAkB;YAC5B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAEO,sBAAsB,CAAC,OAAe,EAAE,YAA4B;QAC1E,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;YAE3B,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;gBAC1C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,oEAAoE;oBACpE,sEAAsE;oBACtE,2EAA2E;oBAC3E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;oBAE7E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,iCAAiC,KAAK,CAAC,CAAC,CAAC,GAAG;wBACrD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;YAED,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;gBAC1C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;oBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;oBAC9E,qEAAqE;oBACrE,gEAAgE;oBAChE,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBACnE,MAAM,QAAQ,GAAgC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;oBAE9E,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,oBAAoB;wBAC1B,QAAQ;wBACR,OAAO,EAAE,8BAA8B,KAAK,CAAC,CAAC,CAAC,GAAG;wBAClD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,QAAQ,EAAE,oBAAoB;wBAC9B,sBAAsB,EAAE,YAAY;wBACpC,UAAU;qBACX,CAAC,CAAA;oBACF,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEO,4BAA4B,CAClC,OAAe,EACf,YAA4B;QAE5B,OAAO,gCAAgC,CACrC,OAAO,EACP;YACE,IAAI,EAAE,YAAY;YAClB,aAAa,EAAE,+BAA+B;YAC9C,QAAQ,EAAE,mBAAmB;YAC7B,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;SACjC,EACD,YAAY,CACb,CAAA;IACH,CAAC;IAED,0EAA0E;IAC1E,kBAAkB,GAAG,kBAAkB,CAAA;IAEvC,IAAI,CAAC,OAAe,EAAE,OAAe;QACnC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACnC,MAAM,QAAQ,GAAsB,EAAE,CAAA;QACtC,MAAM,YAAY,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAEpD,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,mCAAmC,IAAI,CAAC,gBAAgB,SAAS;aAC3E,CAAC,CAAA;QACJ,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;QACxC,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACnE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACpE,QAAQ,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC9D,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC7D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAChE,uEAAuE;QACvE,2EAA2E;QAC3E,sEAAsE;QACtE,4EAA4E;QAC5E,6CAA6C;QAC7C,MAAM,YAAY,GAAG,IAAI,GAAG,CAC1B,QAAQ;aACL,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,IAAI,CAAC,CAAC,UAAU,CAAC;aAChE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAoB,CAAC,CACtC,CAAA;QACD,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC,CAAA;QAC7E,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,4BAA4B,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1E,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAA;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAA;QAElD,iFAAiF;QACjF,gFAAgF;QAChF,2DAA2D;QAC3D,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAE/B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,CAAA;QACjC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAEnF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAA;QACnE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,SAAS,IAAI,IAAI,CAAC,aAAa,CAAA;QAExD,OAAO;YACL,OAAO;YACP,MAAM,EAAE,CAAC,WAAW,IAAI,CAAC,OAAO,IAAI,CAAC,gBAAgB;YACrD,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,cAAc,EAAE,OAAO,GAAG,SAAS;YACnC,SAAS;YACT,aAAa;SACd,CAAA;IACH,CAAC;IAED,UAAU,CAAC,OAAe;QACxB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAA;QACpD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,gBAAgB,CAAC,MAAc;QAC7B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,iBAAiB,CAAC,OAAe;QAC/B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED,oEAAoE;IACpE,MAAM,CAAC,aAAa,GAAG,aAAa,CAAA;IACpC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAA;IACxB,MAAM,CAAC,mBAAmB,GAAG,mBAAmB,CAAA;IAChD,MAAM,CAAC,SAAS,GAAG,SAAS,CAAA;;AAG9B,eAAe,eAAe,CAAA"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Security Scanner — PII pattern scanning + entropy / placeholder filtering
|
|
3
|
+
* @module @skillsmith/core/security/scanner/SecurityScanner.pii
|
|
4
|
+
*
|
|
5
|
+
* SMI-5434: Section 3 of SecurityScanner.scanners.ts extracted to keep the
|
|
6
|
+
* parent file under the 500-line audit:standards gate. Pure functions of
|
|
7
|
+
* (content, lineContexts) — no scanner instance state.
|
|
8
|
+
*/
|
|
9
|
+
import type { SecurityFinding } from './types.js';
|
|
10
|
+
import type { LineContext } from './SecurityScanner.helpers.js';
|
|
11
|
+
/** SMI-5420: Shannon entropy (bits per character) of a string. */
|
|
12
|
+
export declare function shannonEntropy(s: string): number;
|
|
13
|
+
/**
|
|
14
|
+
* SMI-5420: a credential match is a documentation placeholder (not a real leaked
|
|
15
|
+
* secret) when it carries a named placeholder marker, is a single repeated
|
|
16
|
+
* character, or its value has sub-secret Shannon entropy. Such matches must NOT
|
|
17
|
+
* emit critical/high severity — the batch trust-scorer (trust-scorer.ts) and the
|
|
18
|
+
* install gate quarantine on severity, so an example secret would falsely flag.
|
|
19
|
+
*/
|
|
20
|
+
export declare function looksLikePlaceholderSecret(match: string): boolean;
|
|
21
|
+
/** SMI-3864: Detect PII patterns. Email in YAML frontmatter gets low severity. */
|
|
22
|
+
export declare function scanPiiPatterns(content: string, lineContexts?: LineContext[]): SecurityFinding[];
|
|
23
|
+
//# sourceMappingURL=SecurityScanner.pii.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SecurityScanner.pii.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.pii.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,YAAY,CAAA;AACpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAmD/D,kEAAkE;AAClE,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAUhD;AAaD;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAMjE;AAED,kFAAkF;AAClF,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,WAAW,EAAE,GAAG,eAAe,EAAE,CAuDhG"}
|