@skillsmith/core 0.9.0 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +16 -0
- package/dist/.tsbuildinfo +1 -1
- package/dist/src/analysis/tree-sitter/pythonIncremental.d.ts +23 -0
- package/dist/src/analysis/tree-sitter/pythonIncremental.d.ts.map +1 -1
- package/dist/src/analysis/tree-sitter/pythonIncremental.hardening.test.js +137 -0
- package/dist/src/analysis/tree-sitter/pythonIncremental.hardening.test.js.map +1 -1
- package/dist/src/analysis/tree-sitter/pythonIncremental.js +83 -10
- package/dist/src/analysis/tree-sitter/pythonIncremental.js.map +1 -1
- package/dist/src/analysis/tree-sitter/queryExtractionMatchesOrExceedsRegex.test.js +6 -1
- package/dist/src/analysis/tree-sitter/queryExtractionMatchesOrExceedsRegex.test.js.map +1 -1
- package/dist/src/api/client.d.ts.map +1 -1
- package/dist/src/api/client.js +6 -0
- package/dist/src/api/client.js.map +1 -1
- package/dist/src/api/client.test.d.ts +9 -0
- package/dist/src/api/client.test.d.ts.map +1 -0
- package/dist/src/api/client.test.js +81 -0
- package/dist/src/api/client.test.js.map +1 -0
- package/dist/src/config/audit-notify-state.d.ts +46 -0
- package/dist/src/config/audit-notify-state.d.ts.map +1 -0
- package/dist/src/config/audit-notify-state.js +55 -0
- package/dist/src/config/audit-notify-state.js.map +1 -0
- package/dist/src/config/audit-notify-state.test.d.ts +9 -0
- package/dist/src/config/audit-notify-state.test.d.ts.map +1 -0
- package/dist/src/config/audit-notify-state.test.js +63 -0
- package/dist/src/config/audit-notify-state.test.js.map +1 -0
- package/dist/src/config/index.d.ts +10 -0
- package/dist/src/config/index.d.ts.map +1 -1
- package/dist/src/config/index.js.map +1 -1
- package/dist/src/exports/services.d.ts +3 -1
- package/dist/src/exports/services.d.ts.map +1 -1
- package/dist/src/exports/services.js +9 -1
- package/dist/src/exports/services.js.map +1 -1
- package/dist/src/index.d.ts +6 -3
- package/dist/src/index.d.ts.map +1 -1
- package/dist/src/index.js +11 -2
- package/dist/src/index.js.map +1 -1
- package/dist/src/install/agent-config-merge.json-array.d.ts +29 -0
- package/dist/src/install/agent-config-merge.json-array.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.json-array.js +100 -0
- package/dist/src/install/agent-config-merge.json-array.js.map +1 -0
- package/dist/src/install/agent-config-merge.json.d.ts +37 -0
- package/dist/src/install/agent-config-merge.json.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.json.js +134 -0
- package/dist/src/install/agent-config-merge.json.js.map +1 -0
- package/dist/src/install/agent-config-merge.toml-block.d.ts +48 -0
- package/dist/src/install/agent-config-merge.toml-block.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.toml-block.js +107 -0
- package/dist/src/install/agent-config-merge.toml-block.js.map +1 -0
- package/dist/src/install/agent-config-merge.types.d.ts +87 -0
- package/dist/src/install/agent-config-merge.types.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.types.js +83 -0
- package/dist/src/install/agent-config-merge.types.js.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.d.ts +46 -0
- package/dist/src/install/agent-config-merge.yaml.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.js +133 -0
- package/dist/src/install/agent-config-merge.yaml.js.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.test.d.ts +2 -0
- package/dist/src/install/agent-config-merge.yaml.test.d.ts.map +1 -0
- package/dist/src/install/agent-config-merge.yaml.test.js +210 -0
- package/dist/src/install/agent-config-merge.yaml.test.js.map +1 -0
- package/dist/src/install/agent-harness-targets.d.ts +98 -0
- package/dist/src/install/agent-harness-targets.d.ts.map +1 -0
- package/dist/src/install/agent-harness-targets.js +154 -0
- package/dist/src/install/agent-harness-targets.js.map +1 -0
- package/dist/src/install/agent-home-relocate.d.ts +29 -0
- package/dist/src/install/agent-home-relocate.d.ts.map +1 -0
- package/dist/src/install/agent-home-relocate.js +38 -0
- package/dist/src/install/agent-home-relocate.js.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.d.ts +55 -0
- package/dist/src/install/agent-manifest-path-guard.d.ts.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.js +109 -0
- package/dist/src/install/agent-manifest-path-guard.js.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.test.d.ts +2 -0
- package/dist/src/install/agent-manifest-path-guard.test.d.ts.map +1 -0
- package/dist/src/install/agent-manifest-path-guard.test.js +72 -0
- package/dist/src/install/agent-manifest-path-guard.test.js.map +1 -0
- package/dist/src/install/agent-manifest.d.ts +58 -0
- package/dist/src/install/agent-manifest.d.ts.map +1 -0
- package/dist/src/install/agent-manifest.js +103 -0
- package/dist/src/install/agent-manifest.js.map +1 -0
- package/dist/src/install/agent-pack-installer.d.ts +39 -0
- package/dist/src/install/agent-pack-installer.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.entry.d.ts +55 -0
- package/dist/src/install/agent-pack-installer.entry.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.entry.js +90 -0
- package/dist/src/install/agent-pack-installer.entry.js.map +1 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.d.ts +33 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.js +59 -0
- package/dist/src/install/agent-pack-installer.fs-helpers.js.map +1 -0
- package/dist/src/install/agent-pack-installer.harness.d.ts +66 -0
- package/dist/src/install/agent-pack-installer.harness.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.harness.js +310 -0
- package/dist/src/install/agent-pack-installer.harness.js.map +1 -0
- package/dist/src/install/agent-pack-installer.js +221 -0
- package/dist/src/install/agent-pack-installer.js.map +1 -0
- package/dist/src/install/agent-pack-installer.preserve.test.d.ts +11 -0
- package/dist/src/install/agent-pack-installer.preserve.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.preserve.test.js +72 -0
- package/dist/src/install/agent-pack-installer.preserve.test.js.map +1 -0
- package/dist/src/install/agent-pack-installer.test.d.ts +2 -0
- package/dist/src/install/agent-pack-installer.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.test.js +350 -0
- package/dist/src/install/agent-pack-installer.test.js.map +1 -0
- package/dist/src/install/agent-pack-installer.types.d.ts +51 -0
- package/dist/src/install/agent-pack-installer.types.d.ts.map +1 -0
- package/dist/src/install/agent-pack-installer.types.js +16 -0
- package/dist/src/install/agent-pack-installer.types.js.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.d.ts +43 -0
- package/dist/src/install/agent-pack-uninstaller.d.ts.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.js +113 -0
- package/dist/src/install/agent-pack-uninstaller.js.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.test.d.ts +2 -0
- package/dist/src/install/agent-pack-uninstaller.test.d.ts.map +1 -0
- package/dist/src/install/agent-pack-uninstaller.test.js +212 -0
- package/dist/src/install/agent-pack-uninstaller.test.js.map +1 -0
- package/dist/src/install/index.d.ts +7 -0
- package/dist/src/install/index.d.ts.map +1 -1
- package/dist/src/install/index.js +7 -0
- package/dist/src/install/index.js.map +1 -1
- package/dist/src/install/paths.d.ts +1 -1
- package/dist/src/install/paths.d.ts.map +1 -1
- package/dist/src/install/paths.js +4 -0
- package/dist/src/install/paths.js.map +1 -1
- package/dist/src/install/paths.test.js +15 -0
- package/dist/src/install/paths.test.js.map +1 -1
- package/dist/src/journal/hash.d.ts +13 -0
- package/dist/src/journal/hash.d.ts.map +1 -0
- package/dist/src/journal/hash.js +16 -0
- package/dist/src/journal/hash.js.map +1 -0
- package/dist/src/journal/index.d.ts +15 -0
- package/dist/src/journal/index.d.ts.map +1 -0
- package/dist/src/journal/index.js +15 -0
- package/dist/src/journal/index.js.map +1 -0
- package/dist/src/journal/journal.test.d.ts +16 -0
- package/dist/src/journal/journal.test.d.ts.map +1 -0
- package/dist/src/journal/journal.test.js +171 -0
- package/dist/src/journal/journal.test.js.map +1 -0
- package/dist/src/journal/path.d.ts +44 -0
- package/dist/src/journal/path.d.ts.map +1 -0
- package/dist/src/journal/path.js +61 -0
- package/dist/src/journal/path.js.map +1 -0
- package/dist/src/journal/reader.d.ts +38 -0
- package/dist/src/journal/reader.d.ts.map +1 -0
- package/dist/src/journal/reader.js +93 -0
- package/dist/src/journal/reader.js.map +1 -0
- package/dist/src/journal/types.d.ts +87 -0
- package/dist/src/journal/types.d.ts.map +1 -0
- package/dist/src/journal/types.js +21 -0
- package/dist/src/journal/types.js.map +1 -0
- package/dist/src/journal/writer.d.ts +52 -0
- package/dist/src/journal/writer.d.ts.map +1 -0
- package/dist/src/journal/writer.js +125 -0
- package/dist/src/journal/writer.js.map +1 -0
- package/dist/src/logging/context.d.ts +58 -0
- package/dist/src/logging/context.d.ts.map +1 -0
- package/dist/src/logging/context.js +62 -0
- package/dist/src/logging/context.js.map +1 -0
- package/dist/src/logging/context.test.d.ts +14 -0
- package/dist/src/logging/context.test.d.ts.map +1 -0
- package/dist/src/logging/context.test.js +88 -0
- package/dist/src/logging/context.test.js.map +1 -0
- package/dist/src/logging/index.d.ts +13 -0
- package/dist/src/logging/index.d.ts.map +1 -0
- package/dist/src/logging/index.js +12 -0
- package/dist/src/logging/index.js.map +1 -0
- package/dist/src/logging/logger.d.ts +71 -0
- package/dist/src/logging/logger.d.ts.map +1 -0
- package/dist/src/logging/logger.js +264 -0
- package/dist/src/logging/logger.js.map +1 -0
- package/dist/src/logging/logger.test.d.ts +9 -0
- package/dist/src/logging/logger.test.d.ts.map +1 -0
- package/dist/src/logging/logger.test.js +320 -0
- package/dist/src/logging/logger.test.js.map +1 -0
- package/dist/src/logging/redact.d.ts +35 -0
- package/dist/src/logging/redact.d.ts.map +1 -0
- package/dist/src/logging/redact.js +152 -0
- package/dist/src/logging/redact.js.map +1 -0
- package/dist/src/logging/redact.test.d.ts +8 -0
- package/dist/src/logging/redact.test.d.ts.map +1 -0
- package/dist/src/logging/redact.test.js +330 -0
- package/dist/src/logging/redact.test.js.map +1 -0
- package/dist/src/logging/rotation.d.ts +75 -0
- package/dist/src/logging/rotation.d.ts.map +1 -0
- package/dist/src/logging/rotation.js +284 -0
- package/dist/src/logging/rotation.js.map +1 -0
- package/dist/src/logging/rotation.test.d.ts +11 -0
- package/dist/src/logging/rotation.test.d.ts.map +1 -0
- package/dist/src/logging/rotation.test.js +132 -0
- package/dist/src/logging/rotation.test.js.map +1 -0
- package/dist/src/logging/types.d.ts +69 -0
- package/dist/src/logging/types.d.ts.map +1 -0
- package/dist/src/logging/types.js +9 -0
- package/dist/src/logging/types.js.map +1 -0
- package/dist/src/paywall-triggers/index.d.ts +13 -0
- package/dist/src/paywall-triggers/index.d.ts.map +1 -0
- package/dist/src/paywall-triggers/index.js +13 -0
- package/dist/src/paywall-triggers/index.js.map +1 -0
- package/dist/src/paywall-triggers/path.d.ts +47 -0
- package/dist/src/paywall-triggers/path.d.ts.map +1 -0
- package/dist/src/paywall-triggers/path.js +73 -0
- package/dist/src/paywall-triggers/path.js.map +1 -0
- package/dist/src/paywall-triggers/store.d.ts +75 -0
- package/dist/src/paywall-triggers/store.d.ts.map +1 -0
- package/dist/src/paywall-triggers/store.js +122 -0
- package/dist/src/paywall-triggers/store.js.map +1 -0
- package/dist/src/paywall-triggers/store.test.d.ts +2 -0
- package/dist/src/paywall-triggers/store.test.d.ts.map +1 -0
- package/dist/src/paywall-triggers/store.test.js +121 -0
- package/dist/src/paywall-triggers/store.test.js.map +1 -0
- package/dist/src/paywall-triggers/types.d.ts +24 -0
- package/dist/src/paywall-triggers/types.d.ts.map +1 -0
- package/dist/src/paywall-triggers/types.js +13 -0
- package/dist/src/paywall-triggers/types.js.map +1 -0
- package/dist/src/security/index.d.ts +2 -0
- package/dist/src/security/index.d.ts.map +1 -1
- package/dist/src/security/index.js +4 -0
- package/dist/src/security/index.js.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.compound.d.ts +13 -0
- package/dist/src/security/scanner/SecurityScanner.compound.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.compound.js +127 -0
- package/dist/src/security/scanner/SecurityScanner.compound.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.hostile-update.d.ts +46 -0
- package/dist/src/security/scanner/SecurityScanner.hostile-update.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.hostile-update.js +209 -0
- package/dist/src/security/scanner/SecurityScanner.hostile-update.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.js +10 -1
- package/dist/src/security/scanner/SecurityScanner.js.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.pii.d.ts +23 -0
- package/dist/src/security/scanner/SecurityScanner.pii.d.ts.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.pii.js +152 -0
- package/dist/src/security/scanner/SecurityScanner.pii.js.map +1 -0
- package/dist/src/security/scanner/SecurityScanner.scanners.d.ts +5 -12
- package/dist/src/security/scanner/SecurityScanner.scanners.d.ts.map +1 -1
- package/dist/src/security/scanner/SecurityScanner.scanners.js +63 -137
- package/dist/src/security/scanner/SecurityScanner.scanners.js.map +1 -1
- package/dist/src/security/scanner/index.d.ts +2 -1
- package/dist/src/security/scanner/index.d.ts.map +1 -1
- package/dist/src/security/scanner/index.js +2 -0
- package/dist/src/security/scanner/index.js.map +1 -1
- package/dist/src/security/scanner/patterns.d.ts +2 -0
- package/dist/src/security/scanner/patterns.d.ts.map +1 -1
- package/dist/src/security/scanner/patterns.js +79 -11
- package/dist/src/security/scanner/patterns.js.map +1 -1
- package/dist/src/security/scanner/types.d.ts +23 -0
- package/dist/src/security/scanner/types.d.ts.map +1 -1
- package/dist/src/services/agent-pack/agent-pack.test.d.ts +18 -0
- package/dist/src/services/agent-pack/agent-pack.test.d.ts.map +1 -0
- package/dist/src/services/agent-pack/agent-pack.test.js +344 -0
- package/dist/src/services/agent-pack/agent-pack.test.js.map +1 -0
- package/dist/src/services/agent-pack/hooks.d.ts +29 -0
- package/dist/src/services/agent-pack/hooks.d.ts.map +1 -0
- package/dist/src/services/agent-pack/hooks.js +139 -0
- package/dist/src/services/agent-pack/hooks.js.map +1 -0
- package/dist/src/services/agent-pack/index.d.ts +26 -0
- package/dist/src/services/agent-pack/index.d.ts.map +1 -0
- package/dist/src/services/agent-pack/index.js +109 -0
- package/dist/src/services/agent-pack/index.js.map +1 -0
- package/dist/src/services/agent-pack/prompt-source.d.ts +47 -0
- package/dist/src/services/agent-pack/prompt-source.d.ts.map +1 -0
- package/dist/src/services/agent-pack/prompt-source.js +182 -0
- package/dist/src/services/agent-pack/prompt-source.js.map +1 -0
- package/dist/src/services/agent-pack/shims.d.ts +40 -0
- package/dist/src/services/agent-pack/shims.d.ts.map +1 -0
- package/dist/src/services/agent-pack/shims.js +96 -0
- package/dist/src/services/agent-pack/shims.js.map +1 -0
- package/dist/src/services/agent-pack/skill-md.d.ts +35 -0
- package/dist/src/services/agent-pack/skill-md.d.ts.map +1 -0
- package/dist/src/services/agent-pack/skill-md.js +89 -0
- package/dist/src/services/agent-pack/skill-md.js.map +1 -0
- package/dist/src/services/agent-pack/types.d.ts +118 -0
- package/dist/src/services/agent-pack/types.d.ts.map +1 -0
- package/dist/src/services/agent-pack/types.js +61 -0
- package/dist/src/services/agent-pack/types.js.map +1 -0
- package/dist/src/services/agent-tool-profile.d.ts +59 -0
- package/dist/src/services/agent-tool-profile.d.ts.map +1 -0
- package/dist/src/services/agent-tool-profile.js +76 -0
- package/dist/src/services/agent-tool-profile.js.map +1 -0
- package/dist/src/services/agent-tool-profile.test.d.ts +2 -0
- package/dist/src/services/agent-tool-profile.test.d.ts.map +1 -0
- package/dist/src/services/agent-tool-profile.test.js +28 -0
- package/dist/src/services/agent-tool-profile.test.js.map +1 -0
- package/dist/src/services/bundled-sibling-scan.d.ts +111 -0
- package/dist/src/services/bundled-sibling-scan.d.ts.map +1 -0
- package/dist/src/services/bundled-sibling-scan.js +170 -0
- package/dist/src/services/bundled-sibling-scan.js.map +1 -0
- package/dist/src/services/skill-installation.io.d.ts +16 -5
- package/dist/src/services/skill-installation.io.d.ts.map +1 -1
- package/dist/src/services/skill-installation.io.js +63 -22
- package/dist/src/services/skill-installation.io.js.map +1 -1
- package/dist/src/services/skill-installation.policy.d.ts +96 -0
- package/dist/src/services/skill-installation.policy.d.ts.map +1 -0
- package/dist/src/services/skill-installation.policy.js +144 -0
- package/dist/src/services/skill-installation.policy.js.map +1 -0
- package/dist/src/services/skill-installation.service.d.ts.map +1 -1
- package/dist/src/services/skill-installation.service.js +9 -3
- package/dist/src/services/skill-installation.service.js.map +1 -1
- package/dist/src/sources/index.d.ts +1 -0
- package/dist/src/sources/index.d.ts.map +1 -1
- package/dist/src/sources/index.js +4 -0
- package/dist/src/sources/index.js.map +1 -1
- package/dist/src/sync/access-token.d.ts +27 -0
- package/dist/src/sync/access-token.d.ts.map +1 -0
- package/dist/src/sync/access-token.js +40 -0
- package/dist/src/sync/access-token.js.map +1 -0
- package/dist/src/sync/audit-notify-client.d.ts +83 -0
- package/dist/src/sync/audit-notify-client.d.ts.map +1 -0
- package/dist/src/sync/audit-notify-client.js +126 -0
- package/dist/src/sync/audit-notify-client.js.map +1 -0
- package/dist/src/sync/audit-notify-client.test.d.ts +14 -0
- package/dist/src/sync/audit-notify-client.test.d.ts.map +1 -0
- package/dist/src/sync/audit-notify-client.test.js +133 -0
- package/dist/src/sync/audit-notify-client.test.js.map +1 -0
- package/dist/src/sync/index.d.ts +2 -1
- package/dist/src/sync/index.d.ts.map +1 -1
- package/dist/src/sync/index.js +3 -1
- package/dist/src/sync/index.js.map +1 -1
- package/dist/src/sync/inventory-client.d.ts +16 -0
- package/dist/src/sync/inventory-client.d.ts.map +1 -1
- package/dist/src/sync/inventory-client.js +59 -16
- package/dist/src/sync/inventory-client.js.map +1 -1
- package/dist/src/sync/inventory-client.test.js +67 -1
- package/dist/src/sync/inventory-client.test.js.map +1 -1
- package/dist/src/sync/inventory-collector.d.ts.map +1 -1
- package/dist/src/sync/inventory-collector.js +32 -5
- package/dist/src/sync/inventory-collector.js.map +1 -1
- package/dist/src/sync/inventory-collector.test.js +50 -1
- package/dist/src/sync/inventory-collector.test.js.map +1 -1
- package/dist/src/sync/inventory-types.d.ts +9 -0
- package/dist/src/sync/inventory-types.d.ts.map +1 -1
- package/dist/src/sync/inventory-types.js +3 -0
- package/dist/src/sync/inventory-types.js.map +1 -1
- package/dist/src/telemetry/agent-marker.d.ts +137 -0
- package/dist/src/telemetry/agent-marker.d.ts.map +1 -0
- package/dist/src/telemetry/agent-marker.js +242 -0
- package/dist/src/telemetry/agent-marker.js.map +1 -0
- package/dist/src/telemetry/agent-marker.test.d.ts +13 -0
- package/dist/src/telemetry/agent-marker.test.d.ts.map +1 -0
- package/dist/src/telemetry/agent-marker.test.js +202 -0
- package/dist/src/telemetry/agent-marker.test.js.map +1 -0
- package/dist/src/telemetry/index.d.ts +2 -1
- package/dist/src/telemetry/index.d.ts.map +1 -1
- package/dist/src/telemetry/index.js +6 -1
- package/dist/src/telemetry/index.js.map +1 -1
- package/dist/src/telemetry/posthog.d.ts +25 -0
- package/dist/src/telemetry/posthog.d.ts.map +1 -1
- package/dist/src/telemetry/posthog.js +10 -1
- package/dist/src/telemetry/posthog.js.map +1 -1
- package/dist/src/telemetry/wrap.bench.js +5 -0
- package/dist/src/telemetry/wrap.bench.js.map +1 -1
- package/dist/src/telemetry/wrap.correlation.test.d.ts +20 -0
- package/dist/src/telemetry/wrap.correlation.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.correlation.test.js +174 -0
- package/dist/src/telemetry/wrap.correlation.test.js.map +1 -0
- package/dist/src/telemetry/wrap.d.ts +28 -7
- package/dist/src/telemetry/wrap.d.ts.map +1 -1
- package/dist/src/telemetry/wrap.gate.test.d.ts +22 -0
- package/dist/src/telemetry/wrap.gate.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.gate.test.js +202 -0
- package/dist/src/telemetry/wrap.gate.test.js.map +1 -0
- package/dist/src/telemetry/wrap.js +196 -52
- package/dist/src/telemetry/wrap.js.map +1 -1
- package/dist/src/telemetry/wrap.marker.test.d.ts +16 -0
- package/dist/src/telemetry/wrap.marker.test.d.ts.map +1 -0
- package/dist/src/telemetry/wrap.marker.test.js +190 -0
- package/dist/src/telemetry/wrap.marker.test.js.map +1 -0
- package/dist/src/telemetry/wrap.test.js +14 -0
- package/dist/src/telemetry/wrap.test.js.map +1 -1
- package/dist/src/types.d.ts +6 -0
- package/dist/src/types.d.ts.map +1 -1
- package/dist/tests/SecurityScanner.exec.test.js +60 -0
- package/dist/tests/SecurityScanner.exec.test.js.map +1 -1
- package/dist/tests/security/ContinuousSecurity.test.js +10 -4
- package/dist/tests/security/ContinuousSecurity.test.js.map +1 -1
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts +2 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.d.ts.map +1 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.js +126 -0
- package/dist/tests/security/SecurityScanner.chmod-evasion.test.js.map +1 -0
- package/dist/tests/security/chmod-compound.test.d.ts +2 -0
- package/dist/tests/security/chmod-compound.test.d.ts.map +1 -0
- package/dist/tests/security/chmod-compound.test.js +188 -0
- package/dist/tests/security/chmod-compound.test.js.map +1 -0
- package/dist/tests/security/pii-detection.test.js +24 -0
- package/dist/tests/security/pii-detection.test.js.map +1 -1
- package/dist/tests/security/scanner-regression-guard.test.d.ts +23 -7
- package/dist/tests/security/scanner-regression-guard.test.d.ts.map +1 -1
- package/dist/tests/security/scanner-regression-guard.test.js +206 -12
- package/dist/tests/security/scanner-regression-guard.test.js.map +1 -1
- package/dist/tests/security/sensitive-path-fp.test.d.ts +2 -0
- package/dist/tests/security/sensitive-path-fp.test.d.ts.map +1 -0
- package/dist/tests/security/sensitive-path-fp.test.js +142 -0
- package/dist/tests/security/sensitive-path-fp.test.js.map +1 -0
- package/dist/tests/services/bundled-sibling-scan.test.d.ts +2 -0
- package/dist/tests/services/bundled-sibling-scan.test.d.ts.map +1 -0
- package/dist/tests/services/bundled-sibling-scan.test.js +139 -0
- package/dist/tests/services/bundled-sibling-scan.test.js.map +1 -0
- package/dist/tests/unit/services/skill-installation.io.test.js +166 -0
- package/dist/tests/unit/services/skill-installation.io.test.js.map +1 -1
- package/dist/tests/unit/services/skill-installation.policy.test.d.ts +8 -0
- package/dist/tests/unit/services/skill-installation.policy.test.d.ts.map +1 -0
- package/dist/tests/unit/services/skill-installation.policy.test.js +151 -0
- package/dist/tests/unit/services/skill-installation.policy.test.js.map +1 -0
- package/package.json +28 -3
|
@@ -0,0 +1,152 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Security Scanner — PII pattern scanning + entropy / placeholder filtering
|
|
3
|
+
* @module @skillsmith/core/security/scanner/SecurityScanner.pii
|
|
4
|
+
*
|
|
5
|
+
* SMI-5434: Section 3 of SecurityScanner.scanners.ts extracted to keep the
|
|
6
|
+
* parent file under the 500-line audit:standards gate. Pure functions of
|
|
7
|
+
* (content, lineContexts) — no scanner instance state.
|
|
8
|
+
*/
|
|
9
|
+
import { analyzeMarkdownContext, isDocumentationContext, isWithinInlineCode, } from './SecurityScanner.helpers.js';
|
|
10
|
+
import { safeRegexTest } from './regex-utils.js';
|
|
11
|
+
import { PII_PATTERNS } from './patterns.js';
|
|
12
|
+
/**
|
|
13
|
+
* SMI-5420: credential PII pattern indices (api/secret/access key, provider
|
|
14
|
+
* tokens, password) whose matched VALUE can be a documentation placeholder.
|
|
15
|
+
* Excludes email (7), SSN (8), and the private-key marker (9) — those have no
|
|
16
|
+
* placeholder-secret failure mode.
|
|
17
|
+
*/
|
|
18
|
+
const CREDENTIAL_PII_INDICES = new Set([0, 1, 2, 3, 4, 5, 6, 10]);
|
|
19
|
+
/**
|
|
20
|
+
* SMI-5420: named-placeholder markers that indicate an example, not a real
|
|
21
|
+
* secret. Intentionally NO `X{4,}` rule — it would test the raw match string and
|
|
22
|
+
* short-circuit before the entropy check, downgrading a REAL high-entropy secret
|
|
23
|
+
* that coincidentally contains `xxxx` (governance FN). An all-repeated-char value
|
|
24
|
+
* (e.g. `xxxx…`) is caught by the `/^(.)\1+$/` check in looksLikePlaceholderSecret
|
|
25
|
+
* instead, and partial-repeat low-variety values by the entropy floor.
|
|
26
|
+
*
|
|
27
|
+
* SMI-5423: the SHORT markers (FAKE/DUMMY/SAMPLE/YOUR, ≤6 chars) are guarded with
|
|
28
|
+
* a negative lookbehind `(?<![A-Za-z0-9])` so they only match as a delimited token
|
|
29
|
+
* (`FAKE_KEY`, `<FAKE>`, value-start) — NOT mid-random-string (`k7FAKE1abc`), which
|
|
30
|
+
* is the same raw-match short-circuit FN class as the removed `X{4,}`. Longer
|
|
31
|
+
* markers (EXAMPLE/PLACEHOLDER/CHANGEME/REDACTED, 7+ chars) stay unbounded: their
|
|
32
|
+
* coincidence probability is negligible AND `AKIA…7EXAMPLE` needs EXAMPLE to match
|
|
33
|
+
* mid-token.
|
|
34
|
+
*
|
|
35
|
+
* Accepted tradeoff (SMI-5423 governance): a digit-immediately-prefixed token like
|
|
36
|
+
* `1FAKE_KEY` fails the lookbehind and scores critical rather than low. This is the
|
|
37
|
+
* FP-SAFE direction (over-flag a rare contrived placeholder) — strictly preferable
|
|
38
|
+
* in a security scanner to the FN it replaces (a real secret downgraded); and a
|
|
39
|
+
* longer such value falls under the entropy floor anyway.
|
|
40
|
+
*/
|
|
41
|
+
const PLACEHOLDER_SECRET_RE = /EXAMPLE|(?<![A-Za-z0-9])YOUR[_-]?|PLACEHOLDER|CHANGE[_-]?ME|(?<![A-Za-z0-9])DUMMY|(?<![A-Za-z0-9])FAKE|(?<![A-Za-z0-9])SAMPLE|REDACTED|INSERT[_-]|\.\.\.|<[^>]+>/i;
|
|
42
|
+
/**
|
|
43
|
+
* SMI-5420: minimum Shannon entropy (bits/char) for a value to read as a real secret.
|
|
44
|
+
* SMI-5424 PR2 (accepted tradeoff): a hardcoded credential value shorter than ~8 chars
|
|
45
|
+
* cannot reach 3.0 bits/char (its max entropy is log2(len) < 3.0), so it falls below
|
|
46
|
+
* this floor and is treated as a placeholder by design — a sub-8-char literal is not a
|
|
47
|
+
* credible credential, and the 20+char PII_PATTERNS rule is the real-credential detector.
|
|
48
|
+
*/
|
|
49
|
+
const SECRET_ENTROPY_FLOOR = 3.0;
|
|
50
|
+
/** SMI-5420: Shannon entropy (bits per character) of a string. */
|
|
51
|
+
export function shannonEntropy(s) {
|
|
52
|
+
if (!s)
|
|
53
|
+
return 0;
|
|
54
|
+
const freq = new Map();
|
|
55
|
+
for (const ch of s)
|
|
56
|
+
freq.set(ch, (freq.get(ch) ?? 0) + 1);
|
|
57
|
+
let h = 0;
|
|
58
|
+
for (const c of freq.values()) {
|
|
59
|
+
const p = c / s.length;
|
|
60
|
+
h -= p * Math.log2(p);
|
|
61
|
+
}
|
|
62
|
+
return h;
|
|
63
|
+
}
|
|
64
|
+
/**
|
|
65
|
+
* SMI-5420: extract the secret token from a credential match by stripping a
|
|
66
|
+
* leading `<key>:`/`<key>=` assignment prefix and surrounding quotes.
|
|
67
|
+
*/
|
|
68
|
+
function extractSecretValue(match) {
|
|
69
|
+
return match
|
|
70
|
+
.replace(/^[^:=]*[:=]\s*/, '')
|
|
71
|
+
.replace(/^['"]|['"]$/g, '')
|
|
72
|
+
.trim();
|
|
73
|
+
}
|
|
74
|
+
/**
|
|
75
|
+
* SMI-5420: a credential match is a documentation placeholder (not a real leaked
|
|
76
|
+
* secret) when it carries a named placeholder marker, is a single repeated
|
|
77
|
+
* character, or its value has sub-secret Shannon entropy. Such matches must NOT
|
|
78
|
+
* emit critical/high severity — the batch trust-scorer (trust-scorer.ts) and the
|
|
79
|
+
* install gate quarantine on severity, so an example secret would falsely flag.
|
|
80
|
+
*/
|
|
81
|
+
export function looksLikePlaceholderSecret(match) {
|
|
82
|
+
if (PLACEHOLDER_SECRET_RE.test(match))
|
|
83
|
+
return true;
|
|
84
|
+
const value = extractSecretValue(match);
|
|
85
|
+
if (value.length === 0)
|
|
86
|
+
return false;
|
|
87
|
+
if (/^(.)\1+$/.test(value))
|
|
88
|
+
return true;
|
|
89
|
+
return shannonEntropy(value) < SECRET_ENTROPY_FLOOR;
|
|
90
|
+
}
|
|
91
|
+
/** SMI-3864: Detect PII patterns. Email in YAML frontmatter gets low severity. */
|
|
92
|
+
export function scanPiiPatterns(content, lineContexts) {
|
|
93
|
+
const findings = [];
|
|
94
|
+
const lines = content.split('\n');
|
|
95
|
+
const contexts = lineContexts ?? analyzeMarkdownContext(content);
|
|
96
|
+
let frontmatterEnd = -1;
|
|
97
|
+
if (lines[0]?.trim() === '---') {
|
|
98
|
+
for (let i = 1; i < lines.length; i++) {
|
|
99
|
+
if (lines[i].trim() === '---') {
|
|
100
|
+
frontmatterEnd = i;
|
|
101
|
+
break;
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
}
|
|
105
|
+
const emailPatternIndex = 7;
|
|
106
|
+
lines.forEach((line, index) => {
|
|
107
|
+
const ctx = contexts[index];
|
|
108
|
+
const inFrontmatter = index > 0 && index < frontmatterEnd;
|
|
109
|
+
for (let pi = 0; pi < PII_PATTERNS.length; pi++) {
|
|
110
|
+
const pattern = PII_PATTERNS[pi];
|
|
111
|
+
const match = safeRegexTest(pattern, line);
|
|
112
|
+
if (match) {
|
|
113
|
+
const inInlineCode = ctx?.isInlineCode && isWithinInlineCode(line, match.index ?? 0);
|
|
114
|
+
const inDocContext = ctx ? isDocumentationContext(ctx) || inInlineCode : false;
|
|
115
|
+
const isEmailPattern = pi === emailPatternIndex;
|
|
116
|
+
const isAuthorLine = /^\s*(?:author|contact|support|email)\s*:/i.test(line);
|
|
117
|
+
const inEmailSafeContext = isEmailPattern && (inFrontmatter || isAuthorLine);
|
|
118
|
+
let severity;
|
|
119
|
+
if (inEmailSafeContext)
|
|
120
|
+
severity = 'low';
|
|
121
|
+
else if (inDocContext)
|
|
122
|
+
severity = 'medium';
|
|
123
|
+
else if (pi <= 2 || pi === 9)
|
|
124
|
+
severity = 'critical';
|
|
125
|
+
else
|
|
126
|
+
severity = 'high';
|
|
127
|
+
let confidence = inDocContext || inEmailSafeContext ? 'low' : 'high';
|
|
128
|
+
// SMI-5420: a credential match that reads as a documentation placeholder
|
|
129
|
+
// (named placeholder, repeated char, or low entropy) must not emit
|
|
130
|
+
// critical/high — the batch trust-scorer quarantines on severity, so an
|
|
131
|
+
// example secret like `api_key: "YOUR_API_KEY_HERE"` would falsely flag.
|
|
132
|
+
if (CREDENTIAL_PII_INDICES.has(pi) && looksLikePlaceholderSecret(match[0])) {
|
|
133
|
+
severity = 'low';
|
|
134
|
+
confidence = 'low';
|
|
135
|
+
}
|
|
136
|
+
findings.push({
|
|
137
|
+
type: 'pii',
|
|
138
|
+
severity,
|
|
139
|
+
message: `PII detected: ${match[0].slice(0, 40)}${match[0].length > 40 ? '...' : ''}`,
|
|
140
|
+
location: line.trim().slice(0, 100),
|
|
141
|
+
lineNumber: index + 1,
|
|
142
|
+
category: 'pii',
|
|
143
|
+
inDocumentationContext: inDocContext || inEmailSafeContext,
|
|
144
|
+
confidence,
|
|
145
|
+
});
|
|
146
|
+
break;
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
});
|
|
150
|
+
return findings;
|
|
151
|
+
}
|
|
152
|
+
//# sourceMappingURL=SecurityScanner.pii.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SecurityScanner.pii.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.pii.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AAE5C;;;;;GAKG;AACH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAA;AAEjE;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,qBAAqB,GACzB,mKAAmK,CAAA;AAErK;;;;;;GAMG;AACH,MAAM,oBAAoB,GAAG,GAAG,CAAA;AAEhC,kEAAkE;AAClE,MAAM,UAAU,cAAc,CAAC,CAAS;IACtC,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAA;IAChB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAA;IACtC,KAAK,MAAM,EAAE,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;IACzD,IAAI,CAAC,GAAG,CAAC,CAAA;IACT,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAA;QACtB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACvB,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,KAAK;SACT,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC;SAC7B,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;SAC3B,IAAI,EAAE,CAAA;AACX,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,KAAa;IACtD,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAClD,MAAM,KAAK,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAA;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACpC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACvC,OAAO,cAAc,CAAC,KAAK,CAAC,GAAG,oBAAoB,CAAA;AACrD,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,YAA4B;IAC3E,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAChE,IAAI,cAAc,GAAG,CAAC,CAAC,CAAA;IACvB,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;gBAC9B,cAAc,GAAG,CAAC,CAAA;gBAClB,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,iBAAiB,GAAG,CAAC,CAAA;IAC3B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAC3B,MAAM,aAAa,GAAG,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,cAAc,CAAA;QACzD,KAAK,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,YAAY,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,YAAY,CAAC,EAAE,CAAC,CAAA;YAChC,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,cAAc,GAAG,EAAE,KAAK,iBAAiB,CAAA;gBAC/C,MAAM,YAAY,GAAG,2CAA2C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBAC3E,MAAM,kBAAkB,GAAG,cAAc,IAAI,CAAC,aAAa,IAAI,YAAY,CAAC,CAAA;gBAC5E,IAAI,QAAgD,CAAA;gBACpD,IAAI,kBAAkB;oBAAE,QAAQ,GAAG,KAAK,CAAA;qBACnC,IAAI,YAAY;oBAAE,QAAQ,GAAG,QAAQ,CAAA;qBACrC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;oBAAE,QAAQ,GAAG,UAAU,CAAA;;oBAC9C,QAAQ,GAAG,MAAM,CAAA;gBACtB,IAAI,UAAU,GAAsB,YAAY,IAAI,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACvF,yEAAyE;gBACzE,mEAAmE;gBACnE,wEAAwE;gBACxE,yEAAyE;gBACzE,IAAI,sBAAsB,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,0BAA0B,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3E,QAAQ,GAAG,KAAK,CAAA;oBAChB,UAAU,GAAG,KAAK,CAAA;gBACpB,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,KAAK;oBACX,QAAQ;oBACR,OAAO,EAAE,iBAAiB,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;oBACrF,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,KAAK;oBACf,sBAAsB,EAAE,YAAY,IAAI,kBAAkB;oBAC1D,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IACF,OAAO,QAAQ,CAAA;AACjB,CAAC"}
|
|
@@ -12,21 +12,14 @@
|
|
|
12
12
|
*/
|
|
13
13
|
import type { SecurityFinding } from './types.js';
|
|
14
14
|
import type { LineContext } from './SecurityScanner.helpers.js';
|
|
15
|
+
import { looksLikePlaceholderSecret, shannonEntropy, scanPiiPatterns } from './SecurityScanner.pii.js';
|
|
15
16
|
export declare function scanSensitivePaths(content: string, lineContexts?: LineContext[]): SecurityFinding[];
|
|
16
17
|
export declare function scanSocialEngineering(content: string, lineContexts?: LineContext[]): SecurityFinding[];
|
|
17
18
|
export declare function scanPromptLeaking(content: string, lineContexts?: LineContext[]): SecurityFinding[];
|
|
18
19
|
export declare function scanDataExfiltration(content: string, lineContexts?: LineContext[]): SecurityFinding[];
|
|
19
20
|
export declare function scanPrivilegeEscalation(content: string, lineContexts?: LineContext[]): SecurityFinding[];
|
|
20
|
-
/**
|
|
21
|
-
export
|
|
22
|
-
/**
|
|
23
|
-
|
|
24
|
-
* secret) when it carries a named placeholder marker, is a single repeated
|
|
25
|
-
* character, or its value has sub-secret Shannon entropy. Such matches must NOT
|
|
26
|
-
* emit critical/high severity — the batch trust-scorer (trust-scorer.ts) and the
|
|
27
|
-
* install gate quarantine on severity, so an example secret would falsely flag.
|
|
28
|
-
*/
|
|
29
|
-
export declare function looksLikePlaceholderSecret(match: string): boolean;
|
|
30
|
-
/** SMI-3864: Detect PII patterns. Email in YAML frontmatter gets low severity. */
|
|
31
|
-
export declare function scanPiiPatterns(content: string, lineContexts?: LineContext[]): SecurityFinding[];
|
|
21
|
+
/** Implementation in SecurityScanner.compound.ts (SMI-5434 split). */
|
|
22
|
+
export { scanChmodFetchCompound } from './SecurityScanner.compound.js';
|
|
23
|
+
/** Implementation in SecurityScanner.pii.ts (SMI-5434 split). */
|
|
24
|
+
export { shannonEntropy, looksLikePlaceholderSecret, scanPiiPatterns };
|
|
32
25
|
//# sourceMappingURL=SecurityScanner.scanners.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityScanner.scanners.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.scanners.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,YAAY,CAAA;
|
|
1
|
+
{"version":3,"file":"SecurityScanner.scanners.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.scanners.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,YAAY,CAAA;AAWpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAA;AAM/D,OAAO,EACL,0BAA0B,EAC1B,cAAc,EACd,eAAe,EAChB,MAAM,0BAA0B,CAAA;AAuBjC,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,WAAW,EAAE,GAC3B,eAAe,EAAE,CAoDnB;AAED,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,WAAW,EAAE,GAC3B,eAAe,EAAE,CAgCnB;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,WAAW,EAAE,GAC3B,eAAe,EAAE,CAgCnB;AAED,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,WAAW,EAAE,GAC3B,eAAe,EAAE,CAgCnB;AAED,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,WAAW,EAAE,GAC3B,eAAe,EAAE,CAgCnB;AAED,sEAAsE;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AACtE,iEAAiE;AACjE,OAAO,EAAE,cAAc,EAAE,0BAA0B,EAAE,eAAe,EAAE,CAAA"}
|
|
@@ -10,9 +10,28 @@
|
|
|
10
10
|
* them out is behaviour-preserving (guarded by the scoring + regression-guard
|
|
11
11
|
* + ai-defence test suites).
|
|
12
12
|
*/
|
|
13
|
-
import { SENSITIVE_PATH_PATTERNS, SOCIAL_ENGINEERING_PATTERNS, PROMPT_LEAKING_PATTERNS, DATA_EXFILTRATION_PATTERNS, PRIVILEGE_ESCALATION_PATTERNS,
|
|
13
|
+
import { SENSITIVE_PATH_PATTERNS, ENV_PATH_PATTERN, VALUE_GATED_KEYWORD_PATTERNS, SOCIAL_ENGINEERING_PATTERNS, PROMPT_LEAKING_PATTERNS, DATA_EXFILTRATION_PATTERNS, PRIVILEGE_ESCALATION_PATTERNS, } from './patterns.js';
|
|
14
14
|
import { safeRegexTest, safeRegexCheck } from './regex-utils.js';
|
|
15
15
|
import { analyzeMarkdownContext, isDocumentationContext, isWithinInlineCode, } from './SecurityScanner.helpers.js';
|
|
16
|
+
import { looksLikePlaceholderSecret, shannonEntropy, scanPiiPatterns, } from './SecurityScanner.pii.js';
|
|
17
|
+
/**
|
|
18
|
+
* SMI-5359 Wave 4 (MF-2): a `.env` reference is an active read/exfiltration only when
|
|
19
|
+
* it co-occurs with a read/copy/transfer verb or a shell pipe/redirect on the same line
|
|
20
|
+
* (`cat .env | curl …`, `cp .env /tmp`, `source .env`). A lone reference
|
|
21
|
+
* (`see the .env file`) stays MEDIUM so it can't single-handedly trip the Gate-A
|
|
22
|
+
* high/critical short-circuit. Bounded alternation + single-char class → ReDoS-safe.
|
|
23
|
+
*/
|
|
24
|
+
const ENV_EXFIL_CONTEXT = /\b(?:cat|cp|mv|scp|rsync|source|curl|wget|fetch|less|more|head|tail|tee|upload|tar|zip|gzip|base64|xxd|dd|nc|netcat)\b|[|>]/i;
|
|
25
|
+
/**
|
|
26
|
+
* SMI-5359 Wave 4 (MF-1): a bare api_key/auth_token keyword is a credential leak only
|
|
27
|
+
* when the line ASSIGNS a value to it. The full match is handed to
|
|
28
|
+
* looksLikePlaceholderSecret, which strips the `<key>=`/`<key>:` prefix and rejects
|
|
29
|
+
* named placeholders, single-repeated-char, and sub-entropy values — so
|
|
30
|
+
* `export API_KEY=$1`, `apiKey: <YOUR_KEY>`, and `auth_token: YOUR_TOKEN_HERE` are
|
|
31
|
+
* suppressed while a real `apiKey = "sk_live_…"` still scores HIGH. Bounded, single
|
|
32
|
+
* `.+` quantifier → ReDoS-safe.
|
|
33
|
+
*/
|
|
34
|
+
const CREDENTIAL_ASSIGNMENT = /(?:api[_-]?key|apikey|auth[_-]?token|authtoken)\s*[:=]\s*.+$/i;
|
|
16
35
|
export function scanSensitivePaths(content, lineContexts) {
|
|
17
36
|
const findings = [];
|
|
18
37
|
const lines = content.split('\n');
|
|
@@ -20,23 +39,46 @@ export function scanSensitivePaths(content, lineContexts) {
|
|
|
20
39
|
lines.forEach((line, index) => {
|
|
21
40
|
const ctx = contexts[index];
|
|
22
41
|
for (const pattern of SENSITIVE_PATH_PATTERNS) {
|
|
23
|
-
if (safeRegexCheck(pattern, line))
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
42
|
+
if (!safeRegexCheck(pattern, line))
|
|
43
|
+
continue;
|
|
44
|
+
const match = safeRegexTest(pattern, line);
|
|
45
|
+
const inInlineCode = ctx?.isInlineCode && isWithinInlineCode(line, match?.index ?? 0);
|
|
46
|
+
const inDocContext = ctx ? isDocumentationContext(ctx) || inInlineCode : false;
|
|
47
|
+
// MF-1: value-gate the bare credential keywords. A bare/placeholder mention is
|
|
48
|
+
// suppressed — keep scanning later patterns rather than emitting. The real-secret
|
|
49
|
+
// leak still surfaces at PII; the `$VAR`-in-curl exfil at DATA_EXFILTRATION.
|
|
50
|
+
if (VALUE_GATED_KEYWORD_PATTERNS.has(pattern)) {
|
|
51
|
+
const assign = safeRegexTest(CREDENTIAL_ASSIGNMENT, line);
|
|
52
|
+
if (!assign || looksLikePlaceholderSecret(assign[0]))
|
|
53
|
+
continue;
|
|
54
|
+
}
|
|
55
|
+
// MF-2: lone `.env` → MEDIUM; `.env` + read/exfil verb or pipe/redirect → HIGH.
|
|
56
|
+
// Doc-context keeps the existing MEDIUM downgrade for every pattern.
|
|
57
|
+
let severity;
|
|
58
|
+
if (inDocContext) {
|
|
59
|
+
severity = 'medium';
|
|
60
|
+
}
|
|
61
|
+
else if (pattern === ENV_PATH_PATTERN) {
|
|
62
|
+
severity = safeRegexCheck(ENV_EXFIL_CONTEXT, line) ? 'high' : 'medium';
|
|
39
63
|
}
|
|
64
|
+
else {
|
|
65
|
+
severity = 'high';
|
|
66
|
+
}
|
|
67
|
+
const confidence = inDocContext
|
|
68
|
+
? 'low'
|
|
69
|
+
: severity === 'high'
|
|
70
|
+
? 'high'
|
|
71
|
+
: 'medium';
|
|
72
|
+
findings.push({
|
|
73
|
+
type: 'sensitive_path',
|
|
74
|
+
severity,
|
|
75
|
+
message: `Reference to potentially sensitive path: ${pattern.source}`,
|
|
76
|
+
location: line.trim().slice(0, 100),
|
|
77
|
+
lineNumber: index + 1,
|
|
78
|
+
inDocumentationContext: inDocContext,
|
|
79
|
+
confidence,
|
|
80
|
+
});
|
|
81
|
+
break;
|
|
40
82
|
}
|
|
41
83
|
});
|
|
42
84
|
return findings;
|
|
@@ -157,124 +199,8 @@ export function scanPrivilegeEscalation(content, lineContexts) {
|
|
|
157
199
|
});
|
|
158
200
|
return findings;
|
|
159
201
|
}
|
|
160
|
-
/**
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
* placeholder-secret failure mode.
|
|
165
|
-
*/
|
|
166
|
-
const CREDENTIAL_PII_INDICES = new Set([0, 1, 2, 3, 4, 5, 6, 10]);
|
|
167
|
-
/**
|
|
168
|
-
* SMI-5420: named-placeholder markers that indicate an example, not a real
|
|
169
|
-
* secret. Intentionally NO `X{4,}` rule — it would test the raw match string and
|
|
170
|
-
* short-circuit before the entropy check, downgrading a REAL high-entropy secret
|
|
171
|
-
* that coincidentally contains `xxxx` (governance FN). An all-repeated-char value
|
|
172
|
-
* (e.g. `xxxx…`) is caught by the `/^(.)\1+$/` check in looksLikePlaceholderSecret
|
|
173
|
-
* instead, and partial-repeat low-variety values by the entropy floor.
|
|
174
|
-
*/
|
|
175
|
-
const PLACEHOLDER_SECRET_RE = /EXAMPLE|YOUR[_-]?|PLACEHOLDER|CHANGE[_-]?ME|DUMMY|FAKE|SAMPLE|REDACTED|INSERT[_-]|\.\.\.|<[^>]+>/i;
|
|
176
|
-
/** SMI-5420: minimum Shannon entropy (bits/char) for a value to read as a real secret. */
|
|
177
|
-
const SECRET_ENTROPY_FLOOR = 3.0;
|
|
178
|
-
/** SMI-5420: Shannon entropy (bits per character) of a string. */
|
|
179
|
-
export function shannonEntropy(s) {
|
|
180
|
-
if (!s)
|
|
181
|
-
return 0;
|
|
182
|
-
const freq = new Map();
|
|
183
|
-
for (const ch of s)
|
|
184
|
-
freq.set(ch, (freq.get(ch) ?? 0) + 1);
|
|
185
|
-
let h = 0;
|
|
186
|
-
for (const c of freq.values()) {
|
|
187
|
-
const p = c / s.length;
|
|
188
|
-
h -= p * Math.log2(p);
|
|
189
|
-
}
|
|
190
|
-
return h;
|
|
191
|
-
}
|
|
192
|
-
/**
|
|
193
|
-
* SMI-5420: extract the secret token from a credential match by stripping a
|
|
194
|
-
* leading `<key>:`/`<key>=` assignment prefix and surrounding quotes.
|
|
195
|
-
*/
|
|
196
|
-
function extractSecretValue(match) {
|
|
197
|
-
return match
|
|
198
|
-
.replace(/^[^:=]*[:=]\s*/, '')
|
|
199
|
-
.replace(/^['"]|['"]$/g, '')
|
|
200
|
-
.trim();
|
|
201
|
-
}
|
|
202
|
-
/**
|
|
203
|
-
* SMI-5420: a credential match is a documentation placeholder (not a real leaked
|
|
204
|
-
* secret) when it carries a named placeholder marker, is a single repeated
|
|
205
|
-
* character, or its value has sub-secret Shannon entropy. Such matches must NOT
|
|
206
|
-
* emit critical/high severity — the batch trust-scorer (trust-scorer.ts) and the
|
|
207
|
-
* install gate quarantine on severity, so an example secret would falsely flag.
|
|
208
|
-
*/
|
|
209
|
-
export function looksLikePlaceholderSecret(match) {
|
|
210
|
-
if (PLACEHOLDER_SECRET_RE.test(match))
|
|
211
|
-
return true;
|
|
212
|
-
const value = extractSecretValue(match);
|
|
213
|
-
if (value.length === 0)
|
|
214
|
-
return false;
|
|
215
|
-
if (/^(.)\1+$/.test(value))
|
|
216
|
-
return true;
|
|
217
|
-
return shannonEntropy(value) < SECRET_ENTROPY_FLOOR;
|
|
218
|
-
}
|
|
219
|
-
/** SMI-3864: Detect PII patterns. Email in YAML frontmatter gets low severity. */
|
|
220
|
-
export function scanPiiPatterns(content, lineContexts) {
|
|
221
|
-
const findings = [];
|
|
222
|
-
const lines = content.split('\n');
|
|
223
|
-
const contexts = lineContexts ?? analyzeMarkdownContext(content);
|
|
224
|
-
let frontmatterEnd = -1;
|
|
225
|
-
if (lines[0]?.trim() === '---') {
|
|
226
|
-
for (let i = 1; i < lines.length; i++) {
|
|
227
|
-
if (lines[i].trim() === '---') {
|
|
228
|
-
frontmatterEnd = i;
|
|
229
|
-
break;
|
|
230
|
-
}
|
|
231
|
-
}
|
|
232
|
-
}
|
|
233
|
-
const emailPatternIndex = 7;
|
|
234
|
-
lines.forEach((line, index) => {
|
|
235
|
-
const ctx = contexts[index];
|
|
236
|
-
const inFrontmatter = index > 0 && index < frontmatterEnd;
|
|
237
|
-
for (let pi = 0; pi < PII_PATTERNS.length; pi++) {
|
|
238
|
-
const pattern = PII_PATTERNS[pi];
|
|
239
|
-
const match = safeRegexTest(pattern, line);
|
|
240
|
-
if (match) {
|
|
241
|
-
const inInlineCode = ctx?.isInlineCode && isWithinInlineCode(line, match.index ?? 0);
|
|
242
|
-
const inDocContext = ctx ? isDocumentationContext(ctx) || inInlineCode : false;
|
|
243
|
-
const isEmailPattern = pi === emailPatternIndex;
|
|
244
|
-
const isAuthorLine = /^\s*(?:author|contact|support|email)\s*:/i.test(line);
|
|
245
|
-
const inEmailSafeContext = isEmailPattern && (inFrontmatter || isAuthorLine);
|
|
246
|
-
let severity;
|
|
247
|
-
if (inEmailSafeContext)
|
|
248
|
-
severity = 'low';
|
|
249
|
-
else if (inDocContext)
|
|
250
|
-
severity = 'medium';
|
|
251
|
-
else if (pi <= 2 || pi === 9)
|
|
252
|
-
severity = 'critical';
|
|
253
|
-
else
|
|
254
|
-
severity = 'high';
|
|
255
|
-
let confidence = inDocContext || inEmailSafeContext ? 'low' : 'high';
|
|
256
|
-
// SMI-5420: a credential match that reads as a documentation placeholder
|
|
257
|
-
// (named placeholder, repeated char, or low entropy) must not emit
|
|
258
|
-
// critical/high — the batch trust-scorer quarantines on severity, so an
|
|
259
|
-
// example secret like `api_key: "YOUR_API_KEY_HERE"` would falsely flag.
|
|
260
|
-
if (CREDENTIAL_PII_INDICES.has(pi) && looksLikePlaceholderSecret(match[0])) {
|
|
261
|
-
severity = 'low';
|
|
262
|
-
confidence = 'low';
|
|
263
|
-
}
|
|
264
|
-
findings.push({
|
|
265
|
-
type: 'pii',
|
|
266
|
-
severity,
|
|
267
|
-
message: `PII detected: ${match[0].slice(0, 40)}${match[0].length > 40 ? '...' : ''}`,
|
|
268
|
-
location: line.trim().slice(0, 100),
|
|
269
|
-
lineNumber: index + 1,
|
|
270
|
-
category: 'pii',
|
|
271
|
-
inDocumentationContext: inDocContext || inEmailSafeContext,
|
|
272
|
-
confidence,
|
|
273
|
-
});
|
|
274
|
-
break;
|
|
275
|
-
}
|
|
276
|
-
}
|
|
277
|
-
});
|
|
278
|
-
return findings;
|
|
279
|
-
}
|
|
202
|
+
/** Implementation in SecurityScanner.compound.ts (SMI-5434 split). */
|
|
203
|
+
export { scanChmodFetchCompound } from './SecurityScanner.compound.js';
|
|
204
|
+
/** Implementation in SecurityScanner.pii.ts (SMI-5434 split). */
|
|
205
|
+
export { shannonEntropy, looksLikePlaceholderSecret, scanPiiPatterns };
|
|
280
206
|
//# sourceMappingURL=SecurityScanner.scanners.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SecurityScanner.scanners.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.scanners.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,uBAAuB,EACvB,2BAA2B,EAC3B,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,
|
|
1
|
+
{"version":3,"file":"SecurityScanner.scanners.js","sourceRoot":"","sources":["../../../../src/security/scanner/SecurityScanner.scanners.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,4BAA4B,EAC5B,2BAA2B,EAC3B,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,GAC9B,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAEhE,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EACL,0BAA0B,EAC1B,cAAc,EACd,eAAe,GAChB,MAAM,0BAA0B,CAAA;AAEjC;;;;;;GAMG;AACH,MAAM,iBAAiB,GACrB,8HAA8H,CAAA;AAEhI;;;;;;;;GAQG;AACH,MAAM,qBAAqB,GAAG,+DAA+D,CAAA;AAE7F,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;YAC9C,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC;gBAAE,SAAQ;YAC5C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,IAAI,CAAC,CAAC,CAAA;YACrF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;YAE9E,+EAA+E;YAC/E,kFAAkF;YAClF,6EAA6E;YAC7E,IAAI,4BAA4B,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9C,MAAM,MAAM,GAAG,aAAa,CAAC,qBAAqB,EAAE,IAAI,CAAC,CAAA;gBACzD,IAAI,CAAC,MAAM,IAAI,0BAA0B,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;oBAAE,SAAQ;YAChE,CAAC;YAED,gFAAgF;YAChF,qEAAqE;YACrE,IAAI,QAAqC,CAAA;YACzC,IAAI,YAAY,EAAE,CAAC;gBACjB,QAAQ,GAAG,QAAQ,CAAA;YACrB,CAAC;iBAAM,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;gBACxC,QAAQ,GAAG,cAAc,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;YACxE,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YACD,MAAM,UAAU,GAAsB,YAAY;gBAChD,CAAC,CAAC,KAAK;gBACP,CAAC,CAAC,QAAQ,KAAK,MAAM;oBACnB,CAAC,CAAC,MAAM;oBACR,CAAC,CAAC,QAAQ,CAAA;YAEd,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,QAAQ;gBACR,OAAO,EAAE,4CAA4C,OAAO,CAAC,MAAM,EAAE;gBACrE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;gBACrB,sBAAsB,EAAE,YAAY;gBACpC,UAAU;aACX,CAAC,CAAA;YACF,MAAK;QACP,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,2BAA2B,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;gBAEjD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ;oBACR,OAAO,EAAE,yCAAyC,KAAK,CAAC,CAAC,CAAC,GAAG;oBAC7D,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,oBAAoB;oBAC9B,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAA;gBAEnD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,gBAAgB;oBACtB,QAAQ;oBACR,OAAO,EAAE,qCAAqC,KAAK,CAAC,CAAC,CAAC,GAAG;oBACzD,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,gBAAgB;oBAC1B,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,0BAA0B,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;gBAEjD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,mBAAmB;oBACzB,QAAQ;oBACR,OAAO,EAAE,yCAAyC,KAAK,CAAC,CAAC,CAAC,GAAG;oBAC7D,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,mBAAmB;oBAC7B,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,OAAe,EACf,YAA4B;IAE5B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAEhE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;QAE3B,KAAK,MAAM,OAAO,IAAI,6BAA6B,EAAE,CAAC;YACpD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,YAAY,GAAG,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAAA;gBACpF,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,CAAA;gBAC9E,MAAM,UAAU,GAAsB,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;gBACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAA;gBAEnD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ;oBACR,OAAO,EAAE,2CAA2C,KAAK,CAAC,CAAC,CAAC,GAAG;oBAC/D,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnC,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,QAAQ,EAAE,sBAAsB;oBAChC,sBAAsB,EAAE,YAAY;oBACpC,UAAU;iBACX,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,sEAAsE;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AACtE,iEAAiE;AACjE,OAAO,EAAE,cAAc,EAAE,0BAA0B,EAAE,eAAe,EAAE,CAAA"}
|
|
@@ -3,9 +3,10 @@
|
|
|
3
3
|
*
|
|
4
4
|
* Re-exports for security scanning functionality.
|
|
5
5
|
*/
|
|
6
|
-
export type { SecurityFindingType, SecuritySeverity, SecurityFinding, RiskScoreBreakdown, ScanReport, ScannerOptions, } from './types.js';
|
|
6
|
+
export type { SecurityFindingType, SecuritySeverity, SecurityFinding, RiskScoreBreakdown, ScanReport, ScannerOptions, HostileUpdateVerdict, } from './types.js';
|
|
7
7
|
export { DEFAULT_ALLOWED_DOMAINS, SENSITIVE_PATH_PATTERNS, JAILBREAK_PATTERNS, SUSPICIOUS_PATTERNS, SOCIAL_ENGINEERING_PATTERNS, PROMPT_LEAKING_PATTERNS, DATA_EXFILTRATION_PATTERNS, PRIVILEGE_ESCALATION_PATTERNS, AI_DEFENCE_PATTERNS, SSRF_INSTRUCTION_PATTERNS, PII_PATTERNS, CODE_EXECUTION_PATTERNS, } from './patterns.js';
|
|
8
8
|
export { SEVERITY_WEIGHTS, CATEGORY_WEIGHTS } from './weights.js';
|
|
9
9
|
export { MAX_LINE_LENGTH_FOR_REGEX, safeRegexTest, safeRegexCheck } from './regex-utils.js';
|
|
10
10
|
export { SecurityScanner, default } from './SecurityScanner.js';
|
|
11
|
+
export { compareScanReports, DEFAULT_RISK_THRESHOLD } from './SecurityScanner.hostile-update.js';
|
|
11
12
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,UAAU,EACV,cAAc,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,UAAU,EACV,cAAc,EACd,oBAAoB,GACrB,MAAM,YAAY,CAAA;AAGnB,OAAO,EACL,uBAAuB,EACvB,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,2BAA2B,EAC3B,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,EAC7B,mBAAmB,EACnB,yBAAyB,EACzB,YAAY,EACZ,uBAAuB,GACxB,MAAM,eAAe,CAAA;AAGtB,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAGjE,OAAO,EAAE,yBAAyB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAG3F,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAA;AAG/D,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,qCAAqC,CAAA"}
|
|
@@ -11,4 +11,6 @@ export { SEVERITY_WEIGHTS, CATEGORY_WEIGHTS } from './weights.js';
|
|
|
11
11
|
export { MAX_LINE_LENGTH_FOR_REGEX, safeRegexTest, safeRegexCheck } from './regex-utils.js';
|
|
12
12
|
// Main class
|
|
13
13
|
export { SecurityScanner, default } from './SecurityScanner.js';
|
|
14
|
+
// Hostile-update comparator (SMI-5535, R0 Wave 2A)
|
|
15
|
+
export { compareScanReports, DEFAULT_RISK_THRESHOLD } from './SecurityScanner.hostile-update.js';
|
|
14
16
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/security/scanner/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/security/scanner/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAaH,mCAAmC;AACnC,OAAO,EACL,uBAAuB,EACvB,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,2BAA2B,EAC3B,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,EAC7B,mBAAmB,EACnB,yBAAyB,EACzB,YAAY,EACZ,uBAAuB,GACxB,MAAM,eAAe,CAAA;AAEtB,kCAAkC;AAClC,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAEjE,0CAA0C;AAC1C,OAAO,EAAE,yBAAyB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAE3F,aAAa;AACb,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAA;AAE/D,mDAAmD;AACnD,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,qCAAqC,CAAA"}
|
|
@@ -4,7 +4,9 @@
|
|
|
4
4
|
* Pattern definitions for security scanning.
|
|
5
5
|
*/
|
|
6
6
|
export declare const DEFAULT_ALLOWED_DOMAINS: string[];
|
|
7
|
+
export declare const ENV_PATH_PATTERN: RegExp;
|
|
7
8
|
export declare const SENSITIVE_PATH_PATTERNS: RegExp[];
|
|
9
|
+
export declare const VALUE_GATED_KEYWORD_PATTERNS: ReadonlySet<RegExp>;
|
|
8
10
|
export declare const JAILBREAK_PATTERNS: RegExp[];
|
|
9
11
|
export declare const SUSPICIOUS_PATTERNS: RegExp[];
|
|
10
12
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,eAAO,MAAM,uBAAuB,UAanC,CAAA;
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../../src/security/scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,eAAO,MAAM,uBAAuB,UAanC,CAAA;AA4BD,eAAO,MAAM,gBAAgB,QAAoE,CAAA;AAMjG,eAAO,MAAM,uBAAuB,UAsBnC,CAAA;AAID,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,MAAM,CAG3D,CAAA;AAGF,eAAO,MAAM,kBAAkB,UAkB9B,CAAA;AAGD,eAAO,MAAM,mBAAmB,UAY/B,CAAA;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,UAmBnC,CAAA;AAGD,eAAO,MAAM,2BAA2B,UAavC,CAAA;AAGD,eAAO,MAAM,uBAAuB,UAenC,CAAA;AAGD,eAAO,MAAM,0BAA0B,UA2DtC,CAAA;AAGD,eAAO,MAAM,6BAA6B,UA8CzC,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,UAuBrC,CAAA;AAED;;;;;;;;;;;GAWG;AACH;;;;GAIG;AACH,eAAO,MAAM,YAAY,UAwBxB,CAAA;AAED,eAAO,MAAM,mBAAmB,UAwD/B,CAAA"}
|