@tracelane/report 0.1.0-alpha.17 → 0.1.0-alpha.18

package/dist/_security/detectors/insecure-cookies.d.ts

@@ -0,0 +1,4 @@
+import type { SecurityFinding } from '../index.js';
+import type { ResponseMeta } from '../response-meta.js';
+export declare function detectInsecureCookies(metas: readonly ResponseMeta[]): SecurityFinding[];
+//# sourceMappingURL=insecure-cookies.d.ts.map

package/dist/_security/detectors/insecure-cookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-cookies.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/insecure-cookies.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAY,MAAM,aAAa,CAAC;AAC7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAQxD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,SAAS,YAAY,EAAE,GAAG,eAAe,EAAE,CAuBvF"}

package/dist/_security/detectors/insecure-cookies.js

@@ -0,0 +1,32 @@
+const FLAGS = [
+    { key: 'secure', label: 'Secure', severity: 'medium' },
+    { key: 'httpOnly', label: 'HttpOnly', severity: 'low' },
+    { key: 'sameSite', label: 'SameSite', severity: 'low' },
+];
+export function detectInsecureCookies(metas) {
+    const out = [];
+    const seen = new Set();
+    for (const m of metas) {
+        for (const c of m.setCookies) {
+            for (const f of FLAGS) {
+                if (c[f.key])
+                    continue;
+                const id = `insecure-cookie:${c.name}:${f.label}`;
+                if (seen.has(id))
+                    continue;
+                seen.add(id);
+                out.push({
+                    id,
+                    signal: 'insecure-cookie',
+                    severity: f.severity,
+                    title: `Cookie '${c.name}' missing ${f.label}`,
+                    detail: `Set-Cookie '${c.name}' did not set the ${f.label} attribute.`,
+                    evidence: `${c.name}:${f.label}`,
+                    advisory: true,
+                });
+            }
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=insecure-cookies.js.map

package/dist/_security/detectors/insecure-cookies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-cookies.js","sourceRoot":"","sources":["../../../src/_security/detectors/insecure-cookies.ts"],"names":[],"mappings":"AAGA,MAAM,KAAK,GAAqF;IAC9F,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACtD,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE;IACvD,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE;CACxD,CAAC;AAEF,MAAM,UAAU,qBAAqB,CAAC,KAA8B;IAClE,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACvB,MAAM,EAAE,GAAG,mBAAmB,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;gBAClD,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAC3B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC;oBACP,EAAE;oBACF,MAAM,EAAE,iBAAiB;oBACzB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,KAAK,EAAE,WAAW,CAAC,CAAC,IAAI,aAAa,CAAC,CAAC,KAAK,EAAE;oBAC9C,MAAM,EAAE,eAAe,CAAC,CAAC,IAAI,qBAAqB,CAAC,CAAC,KAAK,aAAa;oBACtE,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE;oBAChC,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/detectors/missing-headers.d.ts

@@ -0,0 +1,4 @@
+import type { SecurityFinding } from '../index.js';
+import type { ResponseMeta } from '../response-meta.js';
+export declare function detectMissingHeaders(metas: readonly ResponseMeta[]): SecurityFinding[];
+//# sourceMappingURL=missing-headers.d.ts.map

package/dist/_security/detectors/missing-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-headers.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/missing-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAY,MAAM,aAAa,CAAC;AAC7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAcxD,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,SAAS,YAAY,EAAE,GAAG,eAAe,EAAE,CAoBtF"}

package/dist/_security/detectors/missing-headers.js

@@ -0,0 +1,36 @@
+const HEADERS = [
+    { name: 'content-security-policy', severity: 'high', label: 'Content-Security-Policy' },
+    {
+        name: 'strict-transport-security',
+        severity: 'medium',
+        label: 'Strict-Transport-Security (HSTS)',
+    },
+    { name: 'x-frame-options', severity: 'medium', label: 'X-Frame-Options' },
+    { name: 'x-content-type-options', severity: 'medium', label: 'X-Content-Type-Options' },
+    { name: 'referrer-policy', severity: 'low', label: 'Referrer-Policy' },
+];
+export function detectMissingHeaders(metas) {
+    const main = metas.find((m) => m.isMainDocument);
+    if (!main)
+        return [];
+    // HTTPS gate: header/HSTS checks are moot + noisy on non-HTTPS (localhost/non-prod).
+    if (!main.url.startsWith('https://'))
+        return [];
+    const present = new Set(main.presentSecurityHeaders.map((h) => h.toLowerCase()));
+    const out = [];
+    for (const h of HEADERS) {
+        if (present.has(h.name))
+            continue;
+        out.push({
+            id: `missing-security-header:${h.name}`,
+            signal: 'missing-security-header',
+            severity: h.severity,
+            title: `Missing ${h.label} header`,
+            detail: `The main document response did not set the ${h.label} header.`,
+            evidence: h.name,
+            advisory: true,
+        });
+    }
+    return out;
+}
+//# sourceMappingURL=missing-headers.js.map

package/dist/_security/detectors/missing-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-headers.js","sourceRoot":"","sources":["../../../src/_security/detectors/missing-headers.ts"],"names":[],"mappings":"AAGA,MAAM,OAAO,GAA0D;IACrE,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,yBAAyB,EAAE;IACvF;QACE,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;KAC1C;IACD,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACzE,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACvF,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE;CACvE,CAAC;AAEF,MAAM,UAAU,oBAAoB,CAAC,KAA8B;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACjD,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,qFAAqF;IACrF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YAAE,SAAS;QAClC,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,2BAA2B,CAAC,CAAC,IAAI,EAAE;YACvC,MAAM,EAAE,yBAAyB;YACjC,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,WAAW,CAAC,CAAC,KAAK,SAAS;YAClC,MAAM,EAAE,8CAA8C,CAAC,CAAC,KAAK,UAAU;YACvE,QAAQ,EAAE,CAAC,CAAC,IAAI;YAChB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/detectors/mixed-content.d.ts

@@ -0,0 +1,5 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+import type { SecurityFinding } from '../index.js';
+import type { ResponseMeta } from '../response-meta.js';
+export declare function detectMixedContent(events: readonly eventWithTime[], metas: readonly ResponseMeta[]): SecurityFinding[];
+//# sourceMappingURL=mixed-content.d.ts.map

package/dist/_security/detectors/mixed-content.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mixed-content.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/mixed-content.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AA0CxD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,SAAS,aAAa,EAAE,EAChC,KAAK,EAAE,SAAS,YAAY,EAAE,GAC7B,eAAe,EAAE,CA8BnB"}

package/dist/_security/detectors/mixed-content.js

@@ -0,0 +1,74 @@
+import { collectRoots, walk } from '../serialized-dom.js';
+/**
+ * Walks rrweb serialized DOM snapshots for subresource-loading attributes that
+ * point at `http://` on an HTTPS page — the mixed-content risk. Re-sourced from
+ * the DOM (like reverse-tabnabbing) because the capture layer only emits a
+ * `[tracelane.sec]` meta for the MAIN DOCUMENT, so subresource URLs never reach
+ * the meta stream. The HTTPS gate comes from the main-document meta.
+ *
+ * Scope (kept tight to limit false positives for the MVP):
+ *   - the `src` attribute on ANY element (img, script, iframe, video, audio,
+ *     source, …),
+ *   - the `href` attribute ONLY on a `<link>` whose `rel` actually fetches a
+ *     subresource (stylesheet/preload/icon/…). A `<link rel="canonical">` or
+ *     `<a href>` is a navigation/metadata hint, not a subresource, so it is NOT
+ *     flagged.
+ *   - `srcset` is not parsed.
+ * Dedupes by url; advisory, never an audit result.
+ */
+// `<link rel>` values that actually fetch a resource over the wire (so an
+// `http://` href is genuine mixed content). Excludes metadata/hint rels like
+// canonical, alternate, author, license, and the connection-only hints
+// dns-prefetch/preconnect (which establish a connection but load no content).
+const SUBRESOURCE_LINK_RELS = new Set([
+    'stylesheet',
+    'preload',
+    'modulepreload',
+    'prefetch',
+    'prerender',
+    'icon',
+    'manifest',
+]);
+function linkLoadsSubresource(rel) {
+    if (typeof rel !== 'string')
+        return false;
+    return rel
+        .toLowerCase()
+        .split(/\s+/)
+        .some((token) => SUBRESOURCE_LINK_RELS.has(token));
+}
+export function detectMixedContent(events, metas) {
+    const main = metas.find((mt) => mt.isMainDocument);
+    // Mixed content is only meaningful on an HTTPS page.
+    if (!main || !main.url.startsWith('https://'))
+        return [];
+    const out = [];
+    const seen = new Set();
+    for (const root of collectRoots(events)) {
+        for (const n of walk(root)) {
+            if (n.type !== 2)
+                continue;
+            const attrs = n.attributes ?? {};
+            const tag = n.tagName?.toLowerCase();
+            const urls = [attrs.src];
+            if (tag === 'link' && linkLoadsSubresource(attrs.rel))
+                urls.push(attrs.href);
+            for (const u of urls) {
+                if (typeof u !== 'string' || !u.startsWith('http://') || seen.has(u))
+                    continue;
+                seen.add(u);
+                out.push({
+                    id: `mixed-content:${u}`,
+                    signal: 'mixed-content',
+                    severity: 'high',
+                    title: 'Mixed content (HTTP resource on an HTTPS page)',
+                    detail: `An HTTP resource (${u}) was loaded by the HTTPS page ${main.url}.`,
+                    evidence: u,
+                    advisory: true,
+                });
+            }
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=mixed-content.js.map

package/dist/_security/detectors/mixed-content.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mixed-content.js","sourceRoot":"","sources":["../../../src/_security/detectors/mixed-content.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;;;;;;;;;;;;;;;GAgBG;AAEH,0EAA0E;AAC1E,6EAA6E;AAC7E,uEAAuE;AACvE,8EAA8E;AAC9E,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,YAAY;IACZ,SAAS;IACT,eAAe;IACf,UAAU;IACV,WAAW;IACX,MAAM;IACN,UAAU;CACX,CAAC,CAAC;AAEH,SAAS,oBAAoB,CAAC,GAAY;IACxC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,GAAG;SACP,WAAW,EAAE;SACb,KAAK,CAAC,KAAK,CAAC;SACZ,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AACvD,CAAC;AACD,MAAM,UAAU,kBAAkB,CAChC,MAAgC,EAChC,KAA8B;IAE9B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC;IACnD,qDAAqD;IACrD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzD,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC;gBAAE,SAAS;YAC3B,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC;YACrC,MAAM,IAAI,GAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,GAAG,KAAK,MAAM,IAAI,oBAAoB,CAAC,KAAK,CAAC,GAAG,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC7E,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;oBAAE,SAAS;gBAC/E,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACZ,GAAG,CAAC,IAAI,CAAC;oBACP,EAAE,EAAE,iBAAiB,CAAC,EAAE;oBACxB,MAAM,EAAE,eAAe;oBACvB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,gDAAgD;oBACvD,MAAM,EAAE,qBAAqB,CAAC,kCAAkC,IAAI,CAAC,GAAG,GAAG;oBAC3E,QAAQ,EAAE,CAAC;oBACX,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/detectors/reverse-tabnabbing.d.ts

@@ -0,0 +1,10 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+import type { SecurityFinding } from '../index.js';
+/**
+ * Walks rrweb serialized DOM snapshots (FullSnapshot trees + IncrementalSnapshot
+ * `adds`) for `<a target="_blank">` links lacking a `rel` of `noopener`/
+ * `noreferrer` — the classic reverse-tabnabbing risk. Pure over plain serialized
+ * node objects; no DOM API. Dedupes by href; advisory, never an audit result.
+ */
+export declare function detectReverseTabnabbing(events: readonly eventWithTime[]): SecurityFinding[];
+//# sourceMappingURL=reverse-tabnabbing.d.ts.map

package/dist/_security/detectors/reverse-tabnabbing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reverse-tabnabbing.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/reverse-tabnabbing.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AASnD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,eAAe,EAAE,CA0B3F"}

package/dist/_security/detectors/reverse-tabnabbing.js

@@ -0,0 +1,44 @@
+import { collectRoots, walk } from '../serialized-dom.js';
+function relIsSafe(rel) {
+    if (typeof rel !== 'string')
+        return false;
+    const tokens = rel.toLowerCase().split(/\s+/);
+    return tokens.includes('noopener') || tokens.includes('noreferrer');
+}
+/**
+ * Walks rrweb serialized DOM snapshots (FullSnapshot trees + IncrementalSnapshot
+ * `adds`) for `<a target="_blank">` links lacking a `rel` of `noopener`/
+ * `noreferrer` — the classic reverse-tabnabbing risk. Pure over plain serialized
+ * node objects; no DOM API. Dedupes by href; advisory, never an audit result.
+ */
+export function detectReverseTabnabbing(events) {
+    const roots = collectRoots(events);
+    const out = [];
+    const seen = new Set();
+    for (const root of roots) {
+        for (const n of walk(root)) {
+            if (n.type !== 2 || n.tagName?.toLowerCase() !== 'a')
+                continue;
+            const attrs = n.attributes ?? {};
+            const target = typeof attrs.target === 'string' ? attrs.target.toLowerCase() : '';
+            if (target !== '_blank' || relIsSafe(attrs.rel))
+                continue;
+            const href = typeof attrs.href === 'string' ? attrs.href : '(no href)';
+            const id = `reverse-tabnabbing:${href}`;
+            if (seen.has(id))
+                continue;
+            seen.add(id);
+            out.push({
+                id,
+                signal: 'reverse-tabnabbing',
+                severity: 'medium',
+                title: 'Reverse tabnabbing risk (target="_blank" without rel="noopener")',
+                detail: `An <a target="_blank"> link (${href}) is missing rel="noopener"/"noreferrer".`,
+                evidence: href,
+                advisory: true,
+            });
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=reverse-tabnabbing.js.map

package/dist/_security/detectors/reverse-tabnabbing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reverse-tabnabbing.js","sourceRoot":"","sources":["../../../src/_security/detectors/reverse-tabnabbing.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAE1D,SAAS,SAAS,CAAC,GAAY;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;AACtE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAgC;IACtE,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,KAAK,GAAG;gBAAE,SAAS;YAC/D,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,IAAI,MAAM,KAAK,QAAQ,IAAI,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC1D,MAAM,IAAI,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC;YACvE,MAAM,EAAE,GAAG,sBAAsB,IAAI,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBAAE,SAAS;YAC3B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACb,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE;gBACF,MAAM,EAAE,oBAAoB;gBAC5B,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,kEAAkE;gBACzE,MAAM,EAAE,gCAAgC,IAAI,2CAA2C;gBACvF,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/index.d.ts

@@ -0,0 +1,29 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+import { type Suppression } from './suppress.js';
+export type { Suppression };
+/** console.error prefix the capture layer uses for privacy-safe response metadata. */
+export declare const SEC_CONSOLE_PREFIX = "[tracelane.sec]";
+/** rrweb Custom event tag the capture layer uses for privacy-safe response metadata. */
+export declare const SEC_EVENT_TAG = "tracelane.sec";
+export type SecuritySignal = 'missing-security-header' | 'mixed-content' | 'insecure-cookie' | 'reverse-tabnabbing';
+export type Severity = 'low' | 'medium' | 'high';
+export interface SecurityFinding {
+    /** stable id, e.g. `${signal}:${evidence}` */
+    readonly id: string;
+    readonly signal: SecuritySignal;
+    readonly severity: Severity;
+    readonly title: string;
+    readonly detail: string;
+    readonly evidence: string;
+    /** framing invariant — always true; these are advisory, not audit results */
+    readonly advisory: true;
+}
+/**
+ * Derive advisory security-hygiene findings from a captured event stream.
+ * Pure + total: never throws (a failing detector contributes nothing). Findings
+ * are advisory only — NOT a security audit/scan/guarantee.
+ */
+export declare function analyze(events: readonly eventWithTime[], opts?: {
+    suppress?: readonly Suppression[];
+}): SecurityFinding[];
+//# sourceMappingURL=index.d.ts.map

package/dist/_security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/_security/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAO1D,OAAO,EAAE,KAAK,WAAW,EAAqB,MAAM,eAAe,CAAC;AAEpE,YAAY,EAAE,WAAW,EAAE,CAAC;AAE5B,sFAAsF;AACtF,eAAO,MAAM,kBAAkB,oBAAoB,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,aAAa,kBAAkB,CAAC;AAE7C,MAAM,MAAM,cAAc,GACtB,yBAAyB,GACzB,eAAe,GACf,iBAAiB,GACjB,oBAAoB,CAAC;AAEzB,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEjD,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,6EAA6E;IAC7E,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;CACzB;AAYD;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,MAAM,EAAE,SAAS,aAAa,EAAE,EAChC,IAAI,GAAE;IAAE,QAAQ,CAAC,EAAE,SAAS,WAAW,EAAE,CAAA;CAAO,GAC/C,eAAe,EAAE,CAanB"}

package/dist/_security/index.js

@@ -0,0 +1,36 @@
+import { detectInsecureCookies } from './detectors/insecure-cookies.js';
+import { detectMissingHeaders } from './detectors/missing-headers.js';
+import { detectMixedContent } from './detectors/mixed-content.js';
+import { detectReverseTabnabbing } from './detectors/reverse-tabnabbing.js';
+import { scrapeResponseMeta } from './response-meta.js';
+import { applySuppressions } from './suppress.js';
+/** console.error prefix the capture layer uses for privacy-safe response metadata. */
+export const SEC_CONSOLE_PREFIX = '[tracelane.sec]';
+/** rrweb Custom event tag the capture layer uses for privacy-safe response metadata. */
+export const SEC_EVENT_TAG = 'tracelane.sec';
+const SEVERITY_RANK = { high: 0, medium: 1, low: 2 };
+function safe(fn, fallback) {
+    try {
+        return fn();
+    }
+    catch {
+        return fallback;
+    }
+}
+/**
+ * Derive advisory security-hygiene findings from a captured event stream.
+ * Pure + total: never throws (a failing detector contributes nothing). Findings
+ * are advisory only — NOT a security audit/scan/guarantee.
+ */
+export function analyze(events, opts = {}) {
+    const metas = safe(() => scrapeResponseMeta(events), []);
+    const findings = [
+        ...safe(() => detectMissingHeaders(metas), []),
+        ...safe(() => detectMixedContent(events, metas), []),
+        ...safe(() => detectInsecureCookies(metas), []),
+        ...safe(() => detectReverseTabnabbing(events), []),
+    ];
+    const kept = applySuppressions(findings, opts.suppress ?? []);
+    return [...kept].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.signal.localeCompare(b.signal));
+}
+//# sourceMappingURL=index.js.map

package/dist/_security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/_security/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,iCAAiC,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAoB,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAIpE,sFAAsF;AACtF,MAAM,CAAC,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;AAEpD,wFAAwF;AACxF,MAAM,CAAC,MAAM,aAAa,GAAG,eAAe,CAAC;AAsB7C,MAAM,aAAa,GAA6B,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAE/E,SAAS,IAAI,CAAI,EAAW,EAAE,QAAW;IACvC,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CACrB,MAAgC,EAChC,OAA8C,EAAE;IAEhD,MAAM,KAAK,GAAG,IAAI,CAAiB,GAAG,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAsB;QAClC,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,oBAAoB,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACjE,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,kBAAkB,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;QACvE,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,qBAAqB,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QAClE,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;KACtE,CAAC;IACF,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CACnB,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAC5F,CAAC;AACJ,CAAC"}

package/dist/_security/response-meta.d.ts

@@ -0,0 +1,28 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+/**
+ * Privacy-safe response metadata recovered from a `tracelane.sec` Custom event.
+ * Carries only header NAMES (never values), per-cookie flag presence
+ * booleans, and the cookie name — never header values or cookie values.
+ */
+export interface ResponseMeta {
+    url: string;
+    status: number;
+    isMainDocument: boolean;
+    /** lowercased header NAMES that were present (never values) */
+    presentSecurityHeaders: string[];
+    /** per-cookie flag presence (never names/values beyond the cookie name) */
+    setCookies: {
+        name: string;
+        secure: boolean;
+        httpOnly: boolean;
+        sameSite: boolean;
+    }[];
+}
+/**
+ * Read privacy-safe response metadata out of the rrweb Custom events the
+ * capture layer injects (tag `tracelane.sec`, payload = the meta object).
+ * Replaces the old console-scrape channel, which raced navigation. Malformed
+ * payloads are skipped.
+ */
+export declare function scrapeResponseMeta(events: readonly eventWithTime[]): ResponseMeta[];
+//# sourceMappingURL=response-meta.d.ts.map

package/dist/_security/response-meta.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-meta.d.ts","sourceRoot":"","sources":["../../src/_security/response-meta.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAG1D;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,OAAO,CAAC;IACxB,+DAA+D;IAC/D,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC,2EAA2E;IAC3E,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,EAAE,CAAC;CACvF;AAkCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,YAAY,EAAE,CASnF"}

package/dist/_security/response-meta.js

@@ -0,0 +1,50 @@
+import { EventType } from '@cubenest/rrweb-core';
+import { SEC_EVENT_TAG } from './index.js';
+function isCookieFlags(c) {
+    if (!c || typeof c !== 'object')
+        return false;
+    const k = c;
+    return (typeof k.name === 'string' &&
+        typeof k.secure === 'boolean' &&
+        typeof k.httpOnly === 'boolean' &&
+        typeof k.sameSite === 'boolean');
+}
+/**
+ * Full structural validation of a `tracelane.sec` Custom-event payload, including
+ * array ELEMENT types. A page can't forge a Node-side Custom event, but a
+ * shape-malformed object (e.g. `presentSecurityHeaders: [123]` or
+ * `setCookies: [{}]`) must still be rejected to honor the "malformed payloads
+ * are skipped" contract and protect downstream consumers from runtime errors.
+ */
+function isResponseMeta(parsed) {
+    if (!parsed || typeof parsed !== 'object')
+        return false;
+    const m = parsed;
+    return (typeof m.url === 'string' &&
+        typeof m.status === 'number' &&
+        typeof m.isMainDocument === 'boolean' &&
+        Array.isArray(m.presentSecurityHeaders) &&
+        m.presentSecurityHeaders.every((h) => typeof h === 'string') &&
+        Array.isArray(m.setCookies) &&
+        m.setCookies.every(isCookieFlags));
+}
+/**
+ * Read privacy-safe response metadata out of the rrweb Custom events the
+ * capture layer injects (tag `tracelane.sec`, payload = the meta object).
+ * Replaces the old console-scrape channel, which raced navigation. Malformed
+ * payloads are skipped.
+ */
+export function scrapeResponseMeta(events) {
+    const out = [];
+    for (const e of events) {
+        if (e.type !== EventType.Custom)
+            continue;
+        const data = e.data;
+        if (data.tag !== SEC_EVENT_TAG)
+            continue;
+        if (isResponseMeta(data.payload))
+            out.push(data.payload);
+    }
+    return out;
+}
+//# sourceMappingURL=response-meta.js.map

package/dist/_security/response-meta.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-meta.js","sourceRoot":"","sources":["../../src/_security/response-meta.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAiB3C,SAAS,aAAa,CAAC,CAAU;IAC/B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9C,MAAM,CAAC,GAAG,CAA4B,CAAC;IACvC,OAAO,CACL,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;QAC1B,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS;QAC7B,OAAO,CAAC,CAAC,QAAQ,KAAK,SAAS;QAC/B,OAAO,CAAC,CAAC,QAAQ,KAAK,SAAS,CAChC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,cAAc,CAAC,MAAe;IACrC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,CAAC,GAAG,MAAiC,CAAC;IAC5C,OAAO,CACL,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ;QAC5B,OAAO,CAAC,CAAC,cAAc,KAAK,SAAS;QACrC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,CAAC;QACvC,CAAC,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QAC5D,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,aAAa,CAAC,CAClC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAgC;IACjE,MAAM,GAAG,GAAmB,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,MAAM;YAAE,SAAS;QAC1C,MAAM,IAAI,GAAG,CAAC,CAAC,IAA4C,CAAC;QAC5D,IAAI,IAAI,CAAC,GAAG,KAAK,aAAa;YAAE,SAAS;QACzC,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/serialized-dom.d.ts

@@ -0,0 +1,20 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+/**
+ * Minimal shape of an rrweb serialized DOM node. `type === 2` is an Element.
+ * Pure plain-object view — no DOM API, no rrweb internals beyond this shape.
+ */
+export interface SNode {
+    type?: number;
+    tagName?: string;
+    attributes?: Record<string, unknown>;
+    childNodes?: SNode[];
+}
+/** Depth-first walk: yields `node`, then recurses into `childNodes`. */
+export declare function walk(node: SNode | undefined): Generator<SNode>;
+/**
+ * Collect serialized-DOM roots from a captured event stream: the `data.node`
+ * tree of each FullSnapshot plus each `data.adds[].node` from an
+ * IncrementalSnapshot mutation. Shared by the DOM-walking detectors.
+ */
+export declare function collectRoots(events: readonly eventWithTime[]): SNode[];
+//# sourceMappingURL=serialized-dom.d.ts.map

package/dist/_security/serialized-dom.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialized-dom.d.ts","sourceRoot":"","sources":["../../src/_security/serialized-dom.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;;GAGG;AACH,MAAM,WAAW,KAAK;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC;CACtB;AAED,wEAAwE;AACxE,wBAAiB,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAI/D;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,KAAK,EAAE,CAatE"}

package/dist/_security/serialized-dom.js

@@ -0,0 +1,32 @@
+import { EventType } from '@cubenest/rrweb-core';
+/** Depth-first walk: yields `node`, then recurses into `childNodes`. */
+export function* walk(node) {
+    if (!node)
+        return;
+    yield node;
+    for (const child of node.childNodes ?? [])
+        yield* walk(child);
+}
+/**
+ * Collect serialized-DOM roots from a captured event stream: the `data.node`
+ * tree of each FullSnapshot plus each `data.adds[].node` from an
+ * IncrementalSnapshot mutation. Shared by the DOM-walking detectors.
+ */
+export function collectRoots(events) {
+    const roots = [];
+    for (const e of events) {
+        if (e.type === EventType.FullSnapshot) {
+            roots.push(e.data.node);
+        }
+        else if (e.type === EventType.IncrementalSnapshot) {
+            const adds = e.data.adds;
+            if (Array.isArray(adds)) {
+                for (const a of adds)
+                    if (a.node)
+                        roots.push(a.node);
+            }
+        }
+    }
+    return roots;
+}
+//# sourceMappingURL=serialized-dom.js.map

package/dist/_security/serialized-dom.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialized-dom.js","sourceRoot":"","sources":["../../src/_security/serialized-dom.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAcjD,wEAAwE;AACxE,MAAM,SAAS,CAAC,CAAC,IAAI,CAAC,IAAuB;IAC3C,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,IAAI,CAAC;IACX,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,IAAI,EAAE;QAAE,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,MAAgC;IAC3D,MAAM,KAAK,GAAY,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,YAAY,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAE,CAAC,CAAC,IAAwB,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC;aAAM,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,mBAAmB,EAAE,CAAC;YACpD,MAAM,IAAI,GAAI,CAAC,CAAC,IAAsC,CAAC,IAAI,CAAC;YAC5D,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,KAAK,MAAM,CAAC,IAAI,IAAI;oBAAE,IAAI,CAAC,CAAC,IAAI;wBAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/_security/suppress.d.ts

@@ -0,0 +1,7 @@
+import type { SecurityFinding, SecuritySignal } from './index.js';
+export interface Suppression {
+    signal?: SecuritySignal;
+    evidence?: string;
+}
+export declare function applySuppressions(findings: readonly SecurityFinding[], rules: readonly Suppression[]): SecurityFinding[];
+//# sourceMappingURL=suppress.d.ts.map

package/dist/_security/suppress.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"suppress.d.ts","sourceRoot":"","sources":["../../src/_security/suppress.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAElE,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,SAAS,eAAe,EAAE,EACpC,KAAK,EAAE,SAAS,WAAW,EAAE,GAC5B,eAAe,EAAE,CAWnB"}

package/dist/_security/suppress.js

@@ -0,0 +1,8 @@
+export function applySuppressions(findings, rules) {
+    if (rules.length === 0)
+        return [...findings];
+    return findings.filter((f) => !rules.some((r) => (r.signal !== undefined || r.evidence !== undefined) &&
+        (r.signal === undefined || r.signal === f.signal) &&
+        (r.evidence === undefined || r.evidence === f.evidence)));
+}
+//# sourceMappingURL=suppress.js.map

package/dist/_security/suppress.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"suppress.js","sourceRoot":"","sources":["../../src/_security/suppress.ts"],"names":[],"mappings":"AAOA,MAAM,UAAU,iBAAiB,CAC/B,QAAoC,EACpC,KAA6B;IAE7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;IAC7C,OAAO,QAAQ,CAAC,MAAM,CACpB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,KAAK,CAAC,IAAI,CACT,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC;QACpD,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,CAAC;QACjD,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ,CAAC,CAC1D,CACJ,CAAC;AACJ,CAAC"}

package/dist/build-report.d.ts

@@ -1,5 +1,5 @@
 import type { eventWithTime } from '@cubenest/rrweb-core';
-import type { Suppression } from '@tracelane/security';
+import type { Suppression } from './_security/index.js';
 import type { ReportMeta } from './types.js';
 /** Options for {@link buildReport}. */
 export interface BuildReportOptions {

package/dist/build-report.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"build-report.d.ts","sourceRoot":"","sources":["../src/build-report.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAG1D,OAAO,KAAK,EAAmB,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAMxE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,uCAAuC;AACvC,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;OAIG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,WAAW,EAAE,CAAC;CAClC;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,aAAa,EAAE,EACvB,IAAI,EAAE,UAAU,EAChB,OAAO,GAAE,kBAAuB,GAC/B,MAAM,CA6CR"}
+{"version":3,"file":"build-report.d.ts","sourceRoot":"","sources":["../src/build-report.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAG1D,OAAO,KAAK,EAAmB,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAMzE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,uCAAuC;AACvC,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;OAIG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,WAAW,EAAE,CAAC;CAClC;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,aAAa,EAAE,EACvB,IAAI,EAAE,UAAU,EAChB,OAAO,GAAE,kBAAuB,GAC/B,MAAM,CA6CR"}

package/dist/build-report.js

@@ -14,7 +14,7 @@
 // exceeds the 25 MB budget (ADR-0005); the report renders a banner when a prune
 // fired so the truncation is visible to the user.
 import { pruneToSizeBudget } from '@tracelane/core';
-import { analyze } from '@tracelane/security';
+import { analyze } from './_security/index.js';
 import { encodeEventsBlob } from './embed.js';
 import { buildMarkdown, extractActionLog } from './markdown.js';
 import { resolveCiMetadata } from './metadata.js';

package/dist/build-report.js.map

@@ -1 +1 @@
-{"version":3,"file":"build-report.js","sourceRoot":"","sources":["../src/build-report.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,yEAAyE;AACzE,8EAA8E;AAC9E,wCAAwC;AACxC,yEAAyE;AACzE,gEAAgE;AAChE,iEAAiE;AACjE,iEAAiE;AACjE,iEAAiE;AACjE,iDAAiD;AACjD,EAAE;AACF,gFAAgF;AAChF,gFAAgF;AAChF,kDAAkD;AAGlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AA8BjD;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,MAAuB,EACvB,IAAgB,EAChB,UAA8B,EAAE;IAEhC,MAAM,EACJ,iBAAiB,GAAG,IAAI,EACxB,MAAM,GAAG,IAAI,EACb,QAAQ,GAAG,IAAI,EACf,gBAAgB,GAAG,EAAE,GACtB,GAAG,OAAO,CAAC;IAEZ,2EAA2E;IAC3E,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,iBAAiB;QACjD,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC;QAC3B,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAE9B,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxC,sEAAsE;IACtE,0EAA0E;IAC1E,MAAM,gBAAgB,GAAsB,QAAQ;QAClD,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;QAChD,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAElG,yEAAyE;IACzE,uEAAuE;IACvE,oEAAoE;IACpE,qEAAqE;IACrE,gEAAgE;IAChE,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,SAAS,IAAI,CAAC,CAAC;IAEvD,OAAO,gBAAgB,CAAC;QACtB,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,gBAAgB,CAAC,KAAK,CAAC;QACpC,OAAO,EAAE,WAAW;QACpB,OAAO,EAAE,WAAW;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ;QACR,MAAM;QACN,UAAU,EAAE,KAAK,CAAC,MAAM;QACxB,OAAO;QACP,MAAM;QACN,MAAM;KACP,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"build-report.js","sourceRoot":"","sources":["../src/build-report.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,yEAAyE;AACzE,8EAA8E;AAC9E,wCAAwC;AACxC,yEAAyE;AACzE,gEAAgE;AAChE,iEAAiE;AACjE,iEAAiE;AACjE,iEAAiE;AACjE,iDAAiD;AACjD,EAAE;AACF,gFAAgF;AAChF,gFAAgF;AAChF,kDAAkD;AAGlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAE/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AA8BjD;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,MAAuB,EACvB,IAAgB,EAChB,UAA8B,EAAE;IAEhC,MAAM,EACJ,iBAAiB,GAAG,IAAI,EACxB,MAAM,GAAG,IAAI,EACb,QAAQ,GAAG,IAAI,EACf,gBAAgB,GAAG,EAAE,GACtB,GAAG,OAAO,CAAC;IAEZ,2EAA2E;IAC3E,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,iBAAiB;QACjD,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC;QAC3B,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAE9B,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxC,sEAAsE;IACtE,0EAA0E;IAC1E,MAAM,gBAAgB,GAAsB,QAAQ;QAClD,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;QAChD,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAElG,yEAAyE;IACzE,uEAAuE;IACvE,oEAAoE;IACpE,qEAAqE;IACrE,gEAAgE;IAChE,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,SAAS,IAAI,CAAC,CAAC;IAEvD,OAAO,gBAAgB,CAAC;QACtB,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,gBAAgB,CAAC,KAAK,CAAC;QACpC,OAAO,EAAE,WAAW;QACpB,OAAO,EAAE,WAAW;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ;QACR,MAAM;QACN,UAAU,EAAE,KAAK,CAAC,MAAM;QACxB,OAAO;QACP,MAAM;QACN,MAAM;KACP,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts

@@ -9,4 +9,5 @@ export type { ConsoleEntry, NetworkEntry } from './panels.js';
 export { resolveCiMetadata } from './metadata.js';
 export { buildMarkdown, extractActionLog, MAX_CONSOLE_MESSAGES, MAX_ACTIONS } from './markdown.js';
 export type { ActionEntry } from './markdown.js';
+export type { SecurityFinding, Severity, SecuritySignal, Suppression } from './_security/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAG5D,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAIrE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACpF,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAG3D,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGhE,OAAO,EACL,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACnG,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAG5D,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAIrE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACpF,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAG3D,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGhE,OAAO,EACL,cAAc,EACd,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACnG,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAKjD,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/markdown.d.ts

@@ -1,5 +1,5 @@
 import type { eventWithTime } from '@cubenest/rrweb-core';
-import type { SecurityFinding } from '@tracelane/security';
+import type { SecurityFinding } from './_security/index.js';
 import type { ConsoleEntry, NetworkEntry } from './panels.js';
 import type { ReportMeta } from './types.js';
 /** Max console messages included in the prompt (P1 PRD §F.3: "last 30"). */

package/dist/markdown.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"markdown.d.ts","sourceRoot":"","sources":["../src/markdown.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,uEAAuE;AACvE,eAAO,MAAM,WAAW,KAAK,CAAC;AAE9B,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAqBD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,WAAW,EAAE,CAsBhF;AAMD,+CAA+C;AAC/C,wBAAgB,aAAa,CAC3B,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,SAAS,YAAY,EAAE,EACpC,WAAW,EAAE,SAAS,YAAY,EAAE,EACpC,OAAO,EAAE,SAAS,WAAW,EAAE,EAC/B,gBAAgB,GAAE,SAAS,eAAe,EAAO,GAChD,MAAM,CAuDR"}
+{"version":3,"file":"markdown.d.ts","sourceRoot":"","sources":["../src/markdown.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,uEAAuE;AACvE,eAAO,MAAM,WAAW,KAAK,CAAC;AAE9B,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAqBD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,WAAW,EAAE,CAsBhF;AAMD,+CAA+C;AAC/C,wBAAgB,aAAa,CAC3B,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,SAAS,YAAY,EAAE,EACpC,WAAW,EAAE,SAAS,YAAY,EAAE,EACpC,OAAO,EAAE,SAAS,WAAW,EAAE,EAC/B,gBAAgB,GAAE,SAAS,eAAe,EAAO,GAChD,MAAM,CAuDR"}

package/dist/report-writer.d.ts

@@ -1,5 +1,5 @@
 import type { eventWithTime } from '@cubenest/rrweb-core';
-import type { Suppression } from '@tracelane/security';
+import type { Suppression } from './_security/index.js';
 import type { ReportMeta } from './types.js';
 /** Inputs for {@link writeReport}. */
 export interface WriteReportInput {

package/dist/report-writer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"report-writer.d.ts","sourceRoot":"","sources":["../src/report-writer.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAC/B,6CAA6C;IAC7C,MAAM,EAAE,MAAM,CAAC;IACf,qHAAqH;IACrH,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,mCAAmC;IACnC,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,kEAAkE;IAClE,IAAI,EAAE,UAAU,CAAC;IACjB,yEAAyE;IACzE,MAAM,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAC7B,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAC/B,gFAAgF;IAChF,gBAAgB,CAAC,EAAE,WAAW,EAAE,GAAG,SAAS,CAAC;CAC9C;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAO7C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAKrE;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG7C;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,MAAM,CAa3D"}
+{"version":3,"file":"report-writer.d.ts","sourceRoot":"","sources":["../src/report-writer.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAExD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAC/B,6CAA6C;IAC7C,MAAM,EAAE,MAAM,CAAC;IACf,qHAAqH;IACrH,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,mCAAmC;IACnC,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,kEAAkE;IAClE,IAAI,EAAE,UAAU,CAAC;IACjB,yEAAyE;IACzE,MAAM,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAC7B,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAC/B,gFAAgF;IAChF,gBAAgB,CAAC,EAAE,WAAW,EAAE,GAAG,SAAS,CAAC;CAC9C;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAO7C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAKrE;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG7C;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,MAAM,CAa3D"}

package/dist/template.d.ts

@@ -1,4 +1,4 @@
-import type { SecurityFinding } from '@tracelane/security';
+import type { SecurityFinding } from './_security/index.js';
 import type { ConsoleEntry, NetworkEntry } from './panels.js';
 import type { ReportMeta } from './types.js';
 /** Everything `renderReportHtml` needs; build-report.ts prepares it. */

package/dist/template.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"template.d.ts","sourceRoot":"","sources":["../src/template.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAW3D,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,wEAAwE;AACxE,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,UAAU,CAAC;IACjB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,gDAAgD;IAChD,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB;;;;OAIG;IACH,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,MAAM,EAAE,OAAO,CAAC;IAChB,uDAAuD;IACvD,UAAU,EAAE,MAAM,CAAC;IACnB,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB;yEACqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA86BD,qDAAqD;AACrD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,kBAAkB,GAAG,MAAM,CAqJjE"}
+{"version":3,"file":"template.d.ts","sourceRoot":"","sources":["../src/template.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAW5D,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,wEAAwE;AACxE,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,UAAU,CAAC;IACjB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,gDAAgD;IAChD,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB;;;;OAIG;IACH,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,MAAM,EAAE,OAAO,CAAC;IAChB,uDAAuD;IACvD,UAAU,EAAE,MAAM,CAAC;IACnB,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB;yEACqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA86BD,qDAAqD;AACrD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,kBAAkB,GAAG,MAAM,CAqJjE"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tracelane/report",
-  "version": "0.1.0-alpha.17",
+  "version": "0.1.0-alpha.18",
   "description": "Self-contained, offline HTML report builder for tracelane. Embeds the rrweb player and a gzipped event blob into a single .html file.",
   "keywords": [
     "tracelane",
@@ -35,11 +35,11 @@
     "fflate": "^0.8.2",
     "rrweb-player": "1.0.0-alpha.4",
     "@cubenest/rrweb-core": "0.1.0-alpha.6",
-    "@tracelane/core": "0.1.0-alpha.15",
-    "@tracelane/security": "0.1.0-alpha.1"
+    "@tracelane/core": "0.1.0-alpha.15"
   },
   "devDependencies": {
-    "jsdom": "^25.0.1"
+    "jsdom": "^25.0.1",
+    "@tracelane/security": "0.1.0-alpha.1"
   },
   "publishConfig": {
     "access": "public",
@@ -58,8 +58,8 @@
     "node": ">=22"
   },
   "scripts": {
-    "build": "tsc -p tsconfig.json",
-    "typecheck": "tsc -p tsconfig.json --noEmit",
-    "test": "vitest run --passWithNoTests"
+    "build": "node scripts/vendor-security.mjs && tsc -p tsconfig.json",
+    "typecheck": "node scripts/vendor-security.mjs && tsc -p tsconfig.json --noEmit",
+    "test": "node scripts/vendor-security.mjs && vitest run --passWithNoTests"
   }
 }