@surfinguard/core-engine 0.1.0 → 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Surfinguard
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/analyzers/agent-comm.d.ts

@@ -0,0 +1,22 @@
+import type { AgentCommPatternDatabase } from '@surfinguard/types';
+import type { Analyzer, AnalyzerResult } from './base.js';
+/**
+ * Agent Communication Analyzer — detects dangerous inter-agent operations.
+ *
+ * Detects 4 threat patterns (MA01-MA04) mapped to ESCALATION and MANIPULATION primitives.
+ * Input: value = agent communication action description, metadata = { agent_id?, target_agent?, tool? }
+ */
+export declare class AgentCommAnalyzer implements Analyzer {
+    readonly actionType: "agent_comm";
+    private readonly taskDelegationPatterns;
+    private readonly contextPoisoningPatterns;
+    private readonly toolSharingPatterns;
+    private readonly mcpAbusePatterns;
+    private readonly sensitiveTools;
+    private readonly safePatterns;
+    constructor(patterns: AgentCommPatternDatabase);
+    analyze(value: string, metadata?: Record<string, unknown>): AnalyzerResult;
+    private hasDangerousPattern;
+    private detectSensitiveTool;
+}
+//# sourceMappingURL=agent-comm.d.ts.map

package/dist/analyzers/agent-comm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-comm.d.ts","sourceRoot":"","sources":["../../src/analyzers/agent-comm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAE,QAAQ,EAAmB,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3E;;;;;GAKG;AACH,qBAAa,iBAAkB,YAAW,QAAQ;IAChD,QAAQ,CAAC,UAAU,EAAG,YAAY,CAAU;IAE5C,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAW;IAClD,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAW;IACpD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAW;IAC/C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAW;IAC1C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAW;gBAE5B,QAAQ,EAAE,wBAAwB;IAW9C,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,cAAc;IA6E1E,OAAO,CAAC,mBAAmB;IAS3B,OAAO,CAAC,mBAAmB;CAO5B"}

package/dist/analyzers/agent-comm.js

@@ -0,0 +1,79 @@
+/**
+ * Agent Communication Analyzer — detects dangerous inter-agent operations.
+ *
+ * Detects 4 threat patterns (MA01-MA04) mapped to ESCALATION and MANIPULATION primitives.
+ * Input: value = agent communication action description, metadata = { agent_id?, target_agent?, tool? }
+ */
+export class AgentCommAnalyzer {
+    actionType = 'agent_comm';
+    taskDelegationPatterns;
+    contextPoisoningPatterns;
+    toolSharingPatterns;
+    mcpAbusePatterns;
+    sensitiveTools;
+    safePatterns;
+    constructor(patterns) {
+        this.taskDelegationPatterns = patterns.taskDelegationPatterns.map((p) => new RegExp(p, 'i'));
+        this.contextPoisoningPatterns = patterns.contextPoisoningPatterns.map((p) => new RegExp(p, 'i'));
+        this.toolSharingPatterns = patterns.toolSharingPatterns.map((p) => new RegExp(p, 'i'));
+        this.mcpAbusePatterns = patterns.mcpAbusePatterns.map((p) => new RegExp(p, 'i'));
+        this.sensitiveTools = patterns.sensitiveTools.map((t) => t.toLowerCase());
+        this.safePatterns = patterns.safePatterns.map((p) => new RegExp(p, 'i'));
+    }
+    analyze(value, metadata) {
+        const action = value.trim();
+        if (!action) {
+            return {
+                actionType: 'agent_comm',
+                findings: [],
+                shortCircuit: { safe: true, reason: 'Empty action' },
+            };
+        }
+        const lower = action.toLowerCase();
+        // Safe short-circuit
+        if (this.safePatterns.some((p) => p.test(lower)) && !this.hasDangerousPattern(lower)) {
+            return {
+                actionType: 'agent_comm',
+                findings: [],
+                shortCircuit: { safe: true, reason: 'Safe agent communication pattern' },
+            };
+        }
+        const findings = [];
+        const add = (primitive, score, reason, threatId) => {
+            findings.push({ primitive, score, reason, threatId });
+        };
+        const hasSensitiveTool = this.detectSensitiveTool(lower, metadata);
+        const toolBoost = hasSensitiveTool ? 2 : 0;
+        // MA01: Malicious task delegation
+        if (this.taskDelegationPatterns.some((p) => p.test(lower))) {
+            add('ESCALATION', Math.min(10, 8 + toolBoost), 'Malicious task delegation — spawning or delegating tasks to agents', 'MA01');
+        }
+        // MA02: Context poisoning across agents
+        if (this.contextPoisoningPatterns.some((p) => p.test(lower))) {
+            add('MANIPULATION', Math.min(10, 8 + toolBoost), 'Context poisoning — injecting or modifying agent context/memory', 'MA02');
+        }
+        // MA03: Tool sharing escalation
+        if (this.toolSharingPatterns.some((p) => p.test(lower))) {
+            add('ESCALATION', Math.min(10, 8 + toolBoost), 'Tool sharing escalation — sharing sensitive tools with agents', 'MA03');
+        }
+        // MA04: MCP tool abuse
+        if (this.mcpAbusePatterns.some((p) => p.test(lower))) {
+            add('ESCALATION', Math.min(10, 8 + toolBoost), 'MCP tool abuse — connecting to untrusted MCP servers or invoking arbitrary tools', 'MA04');
+        }
+        return { actionType: 'agent_comm', findings };
+    }
+    hasDangerousPattern(text) {
+        return (this.taskDelegationPatterns.some((p) => p.test(text)) ||
+            this.contextPoisoningPatterns.some((p) => p.test(text)) ||
+            this.toolSharingPatterns.some((p) => p.test(text)) ||
+            this.mcpAbusePatterns.some((p) => p.test(text)));
+    }
+    detectSensitiveTool(text, metadata) {
+        const tool = (metadata?.tool ?? '').toLowerCase();
+        if (tool && this.sensitiveTools.some((t) => tool.includes(t))) {
+            return true;
+        }
+        return this.sensitiveTools.some((t) => text.includes(t));
+    }
+}
+//# sourceMappingURL=agent-comm.js.map

package/dist/analyzers/agent-comm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-comm.js","sourceRoot":"","sources":["../../src/analyzers/agent-comm.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,MAAM,OAAO,iBAAiB;IACnB,UAAU,GAAG,YAAqB,CAAC;IAE3B,sBAAsB,CAAW;IACjC,wBAAwB,CAAW;IACnC,mBAAmB,CAAW;IAC9B,gBAAgB,CAAW;IAC3B,cAAc,CAAW;IACzB,YAAY,CAAW;IAExC,YAAY,QAAkC;QAC5C,IAAI,CAAC,sBAAsB,GAAG,QAAQ,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7F,IAAI,CAAC,wBAAwB,GAAG,QAAQ,CAAC,wBAAwB,CAAC,GAAG,CACnE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAC1B,CAAC;QACF,IAAI,CAAC,mBAAmB,GAAG,QAAQ,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QACvF,IAAI,CAAC,gBAAgB,GAAG,QAAQ,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QACjF,IAAI,CAAC,cAAc,GAAG,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAC1E,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,OAAO,CAAC,KAAa,EAAE,QAAkC;QACvD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,UAAU,EAAE,YAAY;gBACxB,QAAQ,EAAE,EAAE;gBACZ,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE;aACrD,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QAEnC,qBAAqB;QACrB,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,UAAU,EAAE,YAAY;gBACxB,QAAQ,EAAE,EAAE;gBACZ,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,kCAAkC,EAAE;aACzE,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,CACV,SAAuC,EACvC,KAAa,EACb,MAAc,EACd,QAAgB,EAChB,EAAE;YACF,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QACxD,CAAC,CAAC;QAEF,MAAM,gBAAgB,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAE3C,kCAAkC;QAClC,IAAI,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC3D,GAAG,CACD,YAAY,EACZ,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,SAAS,CAAC,EAC3B,oEAAoE,EACpE,MAAM,CACP,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,IAAI,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC7D,GAAG,CACD,cAAc,EACd,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,SAAS,CAAC,EAC3B,iEAAiE,EACjE,MAAM,CACP,CAAC;QACJ,CAAC;QAED,gCAAgC;QAChC,IAAI,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACxD,GAAG,CACD,YAAY,EACZ,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,SAAS,CAAC,EAC3B,+DAA+D,EAC/D,MAAM,CACP,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CACD,YAAY,EACZ,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,SAAS,CAAC,EAC3B,kFAAkF,EAClF,MAAM,CACP,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;IAChD,CAAC;IAEO,mBAAmB,CAAC,IAAY;QACtC,OAAO,CACL,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrD,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvD,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAChD,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,IAAY,EAAE,QAAkC;QAC1E,MAAM,IAAI,GAAG,CAAE,QAAQ,EAAE,IAAe,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9D,IAAI,IAAI,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC;CACF"}

package/dist/analyzers/api-call.d.ts

@@ -0,0 +1,21 @@
+import type { ApiCallPatternDatabase } from '@surfinguard/types';
+import type { Analyzer, AnalyzerResult } from './base.js';
+/**
+ * API Call Analyzer — detects dangerous API call patterns.
+ *
+ * Detects 10 threat patterns (A01-A10) mapped to 4 risk primitives.
+ * Input: value = URL, metadata = { method, headers?, body? }
+ */
+export declare class ApiCallAnalyzer implements Analyzer {
+    readonly actionType: "api_call";
+    private readonly safeEndpoints;
+    private readonly destructiveEndpoints;
+    private readonly ssrfTargets;
+    private readonly sensitiveHeaders;
+    private readonly exfiltrationPatterns;
+    private readonly webhookPatterns;
+    private readonly transactionEndpoints;
+    constructor(patterns: ApiCallPatternDatabase);
+    analyze(value: string, metadata?: Record<string, unknown>): AnalyzerResult;
+}
+//# sourceMappingURL=api-call.d.ts.map

package/dist/analyzers/api-call.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-call.d.ts","sourceRoot":"","sources":["../../src/analyzers/api-call.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EAAE,QAAQ,EAAmB,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3E;;;;;GAKG;AACH,qBAAa,eAAgB,YAAW,QAAQ;IAC9C,QAAQ,CAAC,UAAU,EAAG,UAAU,CAAU;IAE1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAW;IACzC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAW;IAChD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAW;IACvC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAW;IAChD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAW;IAC3C,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAW;gBAEpC,QAAQ,EAAE,sBAAsB;IAU5C,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,cAAc;CAwK3E"}

package/dist/analyzers/api-call.js

@@ -0,0 +1,134 @@
+/**
+ * API Call Analyzer — detects dangerous API call patterns.
+ *
+ * Detects 10 threat patterns (A01-A10) mapped to 4 risk primitives.
+ * Input: value = URL, metadata = { method, headers?, body? }
+ */
+export class ApiCallAnalyzer {
+    actionType = 'api_call';
+    safeEndpoints;
+    destructiveEndpoints;
+    ssrfTargets;
+    sensitiveHeaders;
+    exfiltrationPatterns;
+    webhookPatterns;
+    transactionEndpoints;
+    constructor(patterns) {
+        this.safeEndpoints = patterns.safeEndpoints.map((p) => p.toLowerCase());
+        this.destructiveEndpoints = patterns.destructiveEndpoints.map((p) => p.toLowerCase());
+        this.ssrfTargets = patterns.ssrfTargets;
+        this.sensitiveHeaders = patterns.sensitiveHeaders.map((h) => h.toLowerCase());
+        this.exfiltrationPatterns = patterns.exfiltrationPatterns.map((p) => p.toLowerCase());
+        this.webhookPatterns = patterns.webhookPatterns.map((p) => p.toLowerCase());
+        this.transactionEndpoints = patterns.transactionEndpoints.map((p) => p.toLowerCase());
+    }
+    analyze(value, metadata) {
+        const urlStr = value.trim();
+        if (!urlStr) {
+            return {
+                actionType: 'api_call',
+                findings: [],
+                shortCircuit: { safe: true, reason: 'Empty URL' },
+            };
+        }
+        const method = (metadata?.method ?? 'GET').toUpperCase();
+        const headers = metadata?.headers ?? {};
+        const body = metadata?.body ?? '';
+        // Parse URL
+        let parsedUrl = null;
+        try {
+            parsedUrl = new URL(urlStr);
+        }
+        catch {
+            // not a valid URL, analyze raw string
+        }
+        const hostname = parsedUrl?.hostname?.toLowerCase() ?? '';
+        const pathname = parsedUrl?.pathname?.toLowerCase() ?? urlStr.toLowerCase();
+        const findings = [];
+        const add = (primitive, score, reason, threatId) => {
+            findings.push({ primitive, score, reason, threatId });
+        };
+        // ── Safe short-circuit: GET to known safe endpoints ──
+        if (method === 'GET' &&
+            this.safeEndpoints.some((ep) => pathname === ep || pathname.endsWith(ep))) {
+            return {
+                actionType: 'api_call',
+                findings: [],
+                shortCircuit: { safe: true, reason: 'Safe endpoint' },
+            };
+        }
+        // ── A03: SSRF detection — cloud metadata, internal IPs ──
+        if (this.ssrfTargets.some((target) => hostname.includes(target) || urlStr.includes(target))) {
+            add('ESCALATION', 9, 'SSRF — request targets cloud metadata or internal service', 'A03');
+        }
+        // ── A04: Internal service access ──
+        const internalPaths = ['/admin', '/internal', '/management', '/actuator', '/_debug', '/debug'];
+        if (internalPaths.some((p) => pathname.startsWith(p))) {
+            add('ESCALATION', 6, 'Internal service access — targeting admin or management endpoint', 'A04');
+        }
+        // ── A01: Destructive API calls ──
+        if (method === 'DELETE') {
+            add('DESTRUCTION', 8, `Destructive API call — DELETE ${pathname}`, 'A01');
+        }
+        else if (this.destructiveEndpoints.some((ep) => pathname.includes(ep))) {
+            if (method === 'POST' || method === 'PUT') {
+                add('DESTRUCTION', 7, `Destructive API call — ${method} to destructive endpoint ${pathname}`, 'A01');
+            }
+        }
+        // ── A05: Sensitive header forwarding ──
+        const lowerHeaders = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
+        const forwardedSensitive = this.sensitiveHeaders.filter((h) => h in lowerHeaders);
+        if (forwardedSensitive.length > 0) {
+            add('EXFILTRATION', 9, `Token/credential forwarding — sensitive headers: ${forwardedSensitive.join(', ')}`, 'A05');
+        }
+        // ── A02: Body contains sensitive data ──
+        if (body) {
+            const lowerBody = body.toLowerCase();
+            const bodyExfil = this.exfiltrationPatterns.filter((p) => lowerBody.includes(p));
+            if (bodyExfil.length > 0) {
+                add('EXFILTRATION', 7, `Unauthorized data send — body contains sensitive data: ${bodyExfil.join(', ')}`, 'A02');
+            }
+        }
+        // ── A06: Webhook manipulation ──
+        if (this.webhookPatterns.some((p) => pathname.includes(p))) {
+            if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+                add('EXFILTRATION', 6, 'Webhook manipulation — registering or modifying webhook/callback URL', 'A06');
+            }
+        }
+        // ── A07: DNS exfiltration ──
+        if (hostname) {
+            const subdomains = hostname.split('.');
+            // Check for encoded data in subdomains (long hex strings or very long labels)
+            const hasEncodedData = subdomains.some((sub) => sub.length > 20 || /^[a-f0-9]{16,}$/i.test(sub));
+            if (hasEncodedData) {
+                add('EXFILTRATION', 8, 'DNS exfiltration — long or encoded subdomain patterns detected', 'A07');
+            }
+        }
+        // ── A08: Rate limit abuse ──
+        const abuseKeywords = ['/batch', '/bulk', '/mass', '/flood'];
+        if (abuseKeywords.some((kw) => pathname.includes(kw)) && method === 'POST') {
+            add('DESTRUCTION', 4, 'Rate limit abuse pattern — batch/bulk endpoint access', 'A08');
+        }
+        // ── A09: Transaction endpoints ──
+        if (this.transactionEndpoints.some((ep) => pathname.includes(ep))) {
+            if (method === 'POST' || method === 'PUT') {
+                add('DESTRUCTION', 8, `Unauthorized transaction — ${method} to financial endpoint`, 'A09');
+            }
+        }
+        // ── A10: Email/message sending ──
+        const messagePaths = [
+            '/send-email',
+            '/send-message',
+            '/email/send',
+            '/mail/send',
+            '/notify',
+            '/sms/send',
+            '/messages',
+        ];
+        if (messagePaths.some((p) => pathname.includes(p)) && method === 'POST') {
+            add('EXFILTRATION', 6, 'Email/message sending — could exfiltrate data via email or messaging', 'A10');
+        }
+        return { actionType: 'api_call', findings };
+    }
+}
+//# sourceMappingURL=api-call.js.map

package/dist/analyzers/api-call.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-call.js","sourceRoot":"","sources":["../../src/analyzers/api-call.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IACjB,UAAU,GAAG,UAAmB,CAAC;IAEzB,aAAa,CAAW;IACxB,oBAAoB,CAAW;IAC/B,WAAW,CAAW;IACtB,gBAAgB,CAAW;IAC3B,oBAAoB,CAAW;IAC/B,eAAe,CAAW;IAC1B,oBAAoB,CAAW;IAEhD,YAAY,QAAgC;QAC1C,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC,oBAAoB,GAAG,QAAQ,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtF,IAAI,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;QACxC,IAAI,CAAC,gBAAgB,GAAG,QAAQ,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAC9E,IAAI,CAAC,oBAAoB,GAAG,QAAQ,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACtF,IAAI,CAAC,eAAe,GAAG,QAAQ,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,oBAAoB,GAAG,QAAQ,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACxF,CAAC;IAED,OAAO,CAAC,KAAa,EAAE,QAAkC;QACvD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,UAAU,EAAE,UAAU;gBACtB,QAAQ,EAAE,EAAE;gBACZ,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE;aAClD,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,CAAE,QAAQ,EAAE,MAAiB,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACrE,MAAM,OAAO,GAAI,QAAQ,EAAE,OAAkC,IAAI,EAAE,CAAC;QACpE,MAAM,IAAI,GAAI,QAAQ,EAAE,IAAe,IAAI,EAAE,CAAC;QAE9C,YAAY;QACZ,IAAI,SAAS,GAAe,IAAI,CAAC;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;QAED,MAAM,QAAQ,GAAG,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QAC1D,MAAM,QAAQ,GAAG,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QAE5E,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,CACV,SAAuC,EACvC,KAAa,EACb,MAAc,EACd,QAAgB,EAChB,EAAE;YACF,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QACxD,CAAC,CAAC;QAEF,wDAAwD;QACxD,IACE,MAAM,KAAK,KAAK;YAChB,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,QAAQ,KAAK,EAAE,IAAI,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EACzE,CAAC;YACD,OAAO;gBACL,UAAU,EAAE,UAAU;gBACtB,QAAQ,EAAE,EAAE;gBACZ,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE;aACtD,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAC5F,GAAG,CAAC,YAAY,EAAE,CAAC,EAAE,2DAA2D,EAAE,KAAK,CAAC,CAAC;QAC3F,CAAC;QAED,qCAAqC;QACrC,MAAM,aAAa,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC/F,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,GAAG,CACD,YAAY,EACZ,CAAC,EACD,kEAAkE,EAClE,KAAK,CACN,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,GAAG,CAAC,aAAa,EAAE,CAAC,EAAE,iCAAiC,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC;QAC5E,CAAC;aAAM,IAAI,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YACzE,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBAC1C,GAAG,CACD,aAAa,EACb,CAAC,EACD,0BAA0B,MAAM,4BAA4B,QAAQ,EAAE,EACtE,KAAK,CACN,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CACrC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC,CAC9D,CAAC;QACF,MAAM,kBAAkB,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,YAAY,CAAC,CAAC;QAClF,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,GAAG,CACD,cAAc,EACd,CAAC,EACD,oDAAoD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACnF,KAAK,CACN,CAAC;QACJ,CAAC;QAED,0CAA0C;QAC1C,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACjF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACzB,GAAG,CACD,cAAc,EACd,CAAC,EACD,0DAA0D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAChF,KAAK,CACN,CAAC;YACJ,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBAChE,GAAG,CACD,cAAc,EACd,CAAC,EACD,sEAAsE,EACtE,KAAK,CACN,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACvC,8EAA8E;YAC9E,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CACpC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CACzD,CAAC;YACF,IAAI,cAAc,EAAE,CAAC;gBACnB,GAAG,CACD,cAAc,EACd,CAAC,EACD,gEAAgE,EAChE,KAAK,CACN,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,MAAM,aAAa,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC7D,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC3E,GAAG,CAAC,aAAa,EAAE,CAAC,EAAE,uDAAuD,EAAE,KAAK,CAAC,CAAC;QACxF,CAAC;QAED,mCAAmC;QACnC,IAAI,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAClE,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBAC1C,GAAG,CAAC,aAAa,EAAE,CAAC,EAAE,8BAA8B,MAAM,wBAAwB,EAAE,KAAK,CAAC,CAAC;YAC7F,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,MAAM,YAAY,GAAG;YACnB,aAAa;YACb,eAAe;YACf,aAAa;YACb,YAAY;YACZ,SAAS;YACT,WAAW;YACX,WAAW;SACZ,CAAC;QACF,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACxE,GAAG,CACD,cAAc,EACd,CAAC,EACD,sEAAsE,EACtE,KAAK,CACN,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;CACF"}

package/dist/analyzers/auth.d.ts

@@ -0,0 +1,22 @@
+import type { AuthPatternDatabase } from '@surfinguard/types';
+import type { Analyzer, AnalyzerResult } from './base.js';
+/**
+ * Auth Analyzer — detects dangerous authentication and identity patterns.
+ *
+ * Detects 6 threat patterns (ID01-ID06) mapped to 3 risk primitives.
+ * Input: value = auth action description/API call, metadata = { scope?, role?, target? }
+ */
+export declare class AuthAnalyzer implements Analyzer {
+    readonly actionType: "auth";
+    private readonly accountCreationPatterns;
+    private readonly permissionPatterns;
+    private readonly credentialPatterns;
+    private readonly oauthPatterns;
+    private readonly mfaPatterns;
+    private readonly legalPatterns;
+    private readonly safePatterns;
+    constructor(patterns: AuthPatternDatabase);
+    analyze(value: string, metadata?: Record<string, unknown>): AnalyzerResult;
+    private hasDangerousPattern;
+}
+//# sourceMappingURL=auth.d.ts.map

package/dist/analyzers/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/analyzers/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,QAAQ,EAAmB,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3E;;;;;GAKG;AACH,qBAAa,YAAa,YAAW,QAAQ;IAC3C,QAAQ,CAAC,UAAU,EAAG,MAAM,CAAU;IAEtC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAW;IACnD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAW;IAC9C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAW;IAC9C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAW;IACzC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAW;IACvC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAW;IACzC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAW;gBAE5B,QAAQ,EAAE,mBAAmB;IAUzC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,cAAc;IA8F1E,OAAO,CAAC,mBAAmB;CAU5B"}

package/dist/analyzers/auth.js

@@ -0,0 +1,97 @@
+/**
+ * Auth Analyzer — detects dangerous authentication and identity patterns.
+ *
+ * Detects 6 threat patterns (ID01-ID06) mapped to 3 risk primitives.
+ * Input: value = auth action description/API call, metadata = { scope?, role?, target? }
+ */
+export class AuthAnalyzer {
+    actionType = 'auth';
+    accountCreationPatterns;
+    permissionPatterns;
+    credentialPatterns;
+    oauthPatterns;
+    mfaPatterns;
+    legalPatterns;
+    safePatterns;
+    constructor(patterns) {
+        this.accountCreationPatterns = patterns.accountCreationPatterns.map((p) => new RegExp(p, 'i'));
+        this.permissionPatterns = patterns.permissionPatterns.map((p) => new RegExp(p, 'i'));
+        this.credentialPatterns = patterns.credentialPatterns.map((p) => new RegExp(p, 'i'));
+        this.oauthPatterns = patterns.oauthPatterns.map((p) => new RegExp(p, 'i'));
+        this.mfaPatterns = patterns.mfaPatterns.map((p) => new RegExp(p, 'i'));
+        this.legalPatterns = patterns.legalPatterns.map((p) => new RegExp(p, 'i'));
+        this.safePatterns = patterns.safePatterns.map((p) => new RegExp(p, 'i'));
+    }
+    analyze(value, metadata) {
+        const action = value.trim();
+        if (!action) {
+            return {
+                actionType: 'auth',
+                findings: [],
+                shortCircuit: { safe: true, reason: 'Empty action' },
+            };
+        }
+        const scope = (metadata?.scope ?? '').toLowerCase();
+        const role = (metadata?.role ?? '').toLowerCase();
+        const lower = action.toLowerCase();
+        // Safe short-circuit
+        if (this.safePatterns.some((p) => p.test(lower)) && !this.hasDangerousPattern(lower)) {
+            return {
+                actionType: 'auth',
+                findings: [],
+                shortCircuit: { safe: true, reason: 'Safe auth pattern' },
+            };
+        }
+        const findings = [];
+        const add = (primitive, score, reason, threatId) => {
+            findings.push({ primitive, score, reason, threatId });
+        };
+        // ── ID01: Rogue account creation ──
+        if (this.accountCreationPatterns.some((p) => p.test(lower))) {
+            add('MANIPULATION', 6, 'Rogue account creation — agent creating user accounts', 'ID01');
+        }
+        // ── ID02: Permission granting ──
+        if (this.permissionPatterns.some((p) => p.test(lower))) {
+            let score = 8;
+            let reason = 'Permission granting — agent modifying permissions or roles';
+            if (role.includes('admin') || role.includes('owner') || /admin|owner/i.test(lower)) {
+                score = 10;
+                reason = 'Permission granting — agent assigning admin/owner role';
+            }
+            add('ESCALATION', score, reason, 'ID02');
+        }
+        // ── ID03: Credential sharing/rotation ──
+        if (this.credentialPatterns.some((p) => p.test(lower))) {
+            add('EXFILTRATION', 8, 'Credential sharing/rotation — agent exporting or sharing credentials', 'ID03');
+        }
+        // ── ID04: OAuth over-permissioning ──
+        if (this.oauthPatterns.some((p) => p.test(lower))) {
+            let score = 7;
+            let reason = 'OAuth over-permissioning — agent authorizing OAuth scopes';
+            const sensitiveScopes = ['write', 'admin', 'delete', 'manage', 'full_access'];
+            if (sensitiveScopes.some((s) => scope.includes(s) || lower.includes(s))) {
+                score = 9;
+                reason = 'OAuth over-permissioning — agent granting broad/sensitive scopes';
+            }
+            add('ESCALATION', score, reason, 'ID04');
+        }
+        // ── ID05: MFA disabling ──
+        if (this.mfaPatterns.some((p) => p.test(lower))) {
+            add('ESCALATION', 9, 'MFA disabling — agent attempting to disable multi-factor authentication', 'ID05');
+        }
+        // ── ID06: Terms of service acceptance ──
+        if (this.legalPatterns.some((p) => p.test(lower))) {
+            add('MANIPULATION', 5, 'Terms of service acceptance — agent accepting legal agreements', 'ID06');
+        }
+        return { actionType: 'auth', findings };
+    }
+    hasDangerousPattern(text) {
+        return (this.accountCreationPatterns.some((p) => p.test(text)) ||
+            this.permissionPatterns.some((p) => p.test(text)) ||
+            this.credentialPatterns.some((p) => p.test(text)) ||
+            this.oauthPatterns.some((p) => p.test(text)) ||
+            this.mfaPatterns.some((p) => p.test(text)) ||
+            this.legalPatterns.some((p) => p.test(text)));
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/analyzers/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/analyzers/auth.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,MAAM,OAAO,YAAY;IACd,UAAU,GAAG,MAAe,CAAC;IAErB,uBAAuB,CAAW;IAClC,kBAAkB,CAAW;IAC7B,kBAAkB,CAAW;IAC7B,aAAa,CAAW;IACxB,WAAW,CAAW;IACtB,aAAa,CAAW;IACxB,YAAY,CAAW;IAExC,YAAY,QAA6B;QACvC,IAAI,CAAC,uBAAuB,GAAG,QAAQ,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC/F,IAAI,CAAC,kBAAkB,GAAG,QAAQ,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QACrF,IAAI,CAAC,kBAAkB,GAAG,QAAQ,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QACrF,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC3E,IAAI,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QACvE,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC3E,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,OAAO,CAAC,KAAa,EAAE,QAAkC;QACvD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,UAAU,EAAE,MAAM;gBAClB,QAAQ,EAAE,EAAE;gBACZ,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE;aACrD,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,CAAE,QAAQ,EAAE,KAAgB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAChE,MAAM,IAAI,GAAG,CAAE,QAAQ,EAAE,IAAe,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9D,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QAEnC,qBAAqB;QACrB,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,UAAU,EAAE,MAAM;gBAClB,QAAQ,EAAE,EAAE;gBACZ,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,EAAE;aAC1D,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,CACV,SAAuC,EACvC,KAAa,EACb,MAAc,EACd,QAAgB,EAChB,EAAE;YACF,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QACxD,CAAC,CAAC;QAEF,qCAAqC;QACrC,IAAI,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC5D,GAAG,CAAC,cAAc,EAAE,CAAC,EAAE,uDAAuD,EAAE,MAAM,CAAC,CAAC;QAC1F,CAAC;QAED,kCAAkC;QAClC,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACvD,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,IAAI,MAAM,GAAG,4DAA4D,CAAC;YAC1E,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACnF,KAAK,GAAG,EAAE,CAAC;gBACX,MAAM,GAAG,wDAAwD,CAAC;YACpE,CAAC;YACD,GAAG,CAAC,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,0CAA0C;QAC1C,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACvD,GAAG,CACD,cAAc,EACd,CAAC,EACD,sEAAsE,EACtE,MAAM,CACP,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAClD,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,IAAI,MAAM,GAAG,2DAA2D,CAAC;YACzE,MAAM,eAAe,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YAC9E,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxE,KAAK,GAAG,CAAC,CAAC;gBACV,MAAM,GAAG,kEAAkE,CAAC;YAC9E,CAAC;YACD,GAAG,CAAC,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,4BAA4B;QAC5B,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAChD,GAAG,CACD,YAAY,EACZ,CAAC,EACD,yEAAyE,EACzE,MAAM,CACP,CAAC;QACJ,CAAC;QAED,0CAA0C;QAC1C,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAClD,GAAG,CACD,cAAc,EACd,CAAC,EACD,gEAAgE,EAChE,MAAM,CACP,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAC1C,CAAC;IAEO,mBAAmB,CAAC,IAAY;QACtC,OAAO,CACL,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjD,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAC7C,CAAC;IACJ,CAAC;CACF"}

package/dist/analyzers/code.d.ts

@@ -0,0 +1,32 @@
+import type { CodePatternDatabase } from '@surfinguard/types';
+import type { Analyzer, AnalyzerResult } from './base.js';
+/**
+ * Code Analyzer — detects malicious code generation patterns.
+ *
+ * Detects 8 threat patterns (G01-G08) mapped to 5 risk primitives.
+ * Input: value = code string, metadata.language optional.
+ */
+export declare class CodeAnalyzer implements Analyzer {
+    readonly actionType: "code_eval";
+    private readonly safePatterns;
+    private readonly backdoorPatterns;
+    private readonly backdoorRegexes;
+    private readonly vulnerabilityPatterns;
+    private readonly vulnerabilityRegexes;
+    private readonly dependencyConfusion;
+    private readonly obfuscationPatterns;
+    private readonly obfuscationRegexes;
+    private readonly phoneHomeRegexes;
+    private readonly insecureDefaults;
+    private readonly insecureRegexes;
+    private readonly logicBombRegexes;
+    private readonly cryptoRegexes;
+    constructor(patterns: CodePatternDatabase);
+    analyze(value: string, metadata?: Record<string, unknown>): AnalyzerResult;
+    private isRegexPattern;
+    private detectLanguage;
+    private isTestCode;
+    private isCommentOrDefinition;
+    private extractPackageNames;
+}
+//# sourceMappingURL=code.d.ts.map

package/dist/analyzers/code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"code.d.ts","sourceRoot":"","sources":["../../src/analyzers/code.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,QAAQ,EAAmB,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3E;;;;;GAKG;AACH,qBAAa,YAAa,YAAW,QAAQ;IAC3C,QAAQ,CAAC,UAAU,EAAG,WAAW,CAAU;IAE3C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAW;IACxC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAW;IAC3C,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAW;IACjD,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAW;IAChD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAc;IAClD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAW;IAC/C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAW;IAC9C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAW;IAC3C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAW;gBAE7B,QAAQ,EAAE,mBAAmB;IA0FzC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,cAAc;IA8K1E,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,cAAc;IAWtB,OAAO,CAAC,UAAU;IAelB,OAAO,CAAC,qBAAqB;IAsB7B,OAAO,CAAC,mBAAmB;CAqB5B"}