@trust-assurance-protocol/owaspscan 1.0.0

package/dist/rules/registry.js

@@ -0,0 +1,142 @@
+// ============================================================
+// Rule Registry — central loader for all security rules
+// Supports plugin rules via registerRules()
+// ============================================================
+// OWASP A01 — Broken Access Control
+import { MissingAuthMiddleware } from './owasp-a01/missing-auth-middleware.js';
+import { PathTraversal } from './owasp-a01/path-traversal.js';
+import { InsecureDirectObjectRef } from './owasp-a01/idor.js';
+// OWASP A02 — Cryptographic Failures
+import { WeakHash } from './owasp-a02/weak-hash.js';
+import { HardcodedSecrets } from './owasp-a02/hardcoded-secrets.js';
+import { WeakRandom } from './owasp-a02/weak-random.js';
+import { InsecureTLS } from './owasp-a02/insecure-tls.js';
+// OWASP A03 — Injection
+import { SqlInjection } from './owasp-a03/sql-injection.js';
+import { CommandInjection } from './owasp-a03/command-injection.js';
+import { NoSqlInjection } from './owasp-a03/nosql-injection.js';
+import { XssReflected } from './owasp-a03/xss.js';
+import { TemplateInjection } from './owasp-a03/template-injection.js';
+import { LdapInjection } from './owasp-a03/ldap-injection.js';
+// OWASP A04 — Insecure Design
+import { MissingRateLimit } from './owasp-a04/missing-rate-limit.js';
+import { MassAssignment } from './owasp-a04/mass-assignment.js';
+// OWASP A05 — Security Misconfiguration
+import { DebugMode } from './owasp-a05/debug-mode.js';
+import { CorsWildcard } from './owasp-a05/cors-wildcard.js';
+import { ErrorDisclosure } from './owasp-a05/error-disclosure.js';
+import { DefaultCredentials } from './owasp-a05/default-credentials.js';
+// OWASP A06 — Vulnerable & Outdated Components
+import { OutdatedPackages } from './owasp-a06/outdated-packages.js';
+// OWASP A07 — Identification & Authentication Failures
+import { JwtNoneAlgorithm } from './owasp-a07/jwt-none-alg.js';
+import { NoPasswordHashing } from './owasp-a07/no-password-hashing.js';
+import { WeakSessionConfig } from './owasp-a07/weak-session.js';
+import { InsecureCookies } from './owasp-a07/insecure-cookies.js';
+// OWASP A08 — Software & Data Integrity Failures
+import { UnsafeEval } from './owasp-a08/unsafe-eval.js';
+import { UnsafeDeserialization } from './owasp-a08/unsafe-deserialization.js';
+// OWASP A09 — Security Logging & Monitoring Failures
+import { LogSensitiveData } from './owasp-a09/log-sensitive-data.js';
+import { MissingErrorHandling } from './owasp-a09/missing-error-handling.js';
+// OWASP A10 — Server-Side Request Forgery
+import { UnvalidatedFetch } from './owasp-a10/unvalidated-fetch.js';
+import { OpenRedirect } from './owasp-a10/open-redirect.js';
+// Core OWASP Top 10 rules (public/open-source)
+const CORE_RULES = [
+    // A01 — Broken Access Control
+    MissingAuthMiddleware,
+    PathTraversal,
+    InsecureDirectObjectRef,
+    // A02 — Cryptographic Failures
+    HardcodedSecrets,
+    WeakHash,
+    WeakRandom,
+    InsecureTLS,
+    // A03 — Injection
+    SqlInjection,
+    CommandInjection,
+    NoSqlInjection,
+    XssReflected,
+    TemplateInjection,
+    LdapInjection,
+    // A04 — Insecure Design
+    MissingRateLimit,
+    MassAssignment,
+    // A05 — Security Misconfiguration
+    DebugMode,
+    CorsWildcard,
+    ErrorDisclosure,
+    DefaultCredentials,
+    // A06 — Vulnerable Components
+    OutdatedPackages,
+    // A07 — Auth Failures
+    JwtNoneAlgorithm,
+    NoPasswordHashing,
+    WeakSessionConfig,
+    InsecureCookies,
+    // A08 — Data Integrity
+    UnsafeEval,
+    UnsafeDeserialization,
+    // A09 — Logging Failures
+    LogSensitiveData,
+    MissingErrorHandling,
+    // A10 — SSRF
+    UnvalidatedFetch,
+    OpenRedirect,
+];
+export class RuleRegistry {
+    rules;
+    _proRulesLoaded = false;
+    constructor(rules = CORE_RULES) {
+        this.rules = new Map();
+        for (const rule of rules) {
+            this.rules.set(rule.id, rule);
+        }
+    }
+    /** Register additional rules (e.g., from @owaspscan/rules-pro) */
+    registerRules(rules) {
+        for (const rule of rules) {
+            this.rules.set(rule.id, rule);
+        }
+        this._proRulesLoaded = true;
+    }
+    get proRulesLoaded() {
+        return this._proRulesLoaded;
+    }
+    get coreRuleCount() {
+        return CORE_RULES.length;
+    }
+    getAll() {
+        return Array.from(this.rules.values());
+    }
+    getById(id) {
+        return this.rules.get(id);
+    }
+    getByCategory(category) {
+        return this.getAll().filter((r) => r.owasp === category);
+    }
+    getByLanguage(language) {
+        return this.getAll().filter((r) => r.languages.includes('all') || r.languages.includes(language));
+    }
+    filterByCategories(categoryPrefixes) {
+        return this.getAll().filter((rule) => {
+            // e.g., 'A01' matches 'A01:2021', 'LLM01' matches 'LLM01:2025'
+            return categoryPrefixes.some((prefix) => rule.owasp.startsWith(prefix.toUpperCase()));
+        });
+    }
+    size() {
+        return this.rules.size;
+    }
+}
+/** Create a fresh registry, optionally with extra rules */
+export function createRegistry(extraRules) {
+    const reg = new RuleRegistry();
+    if (extraRules) {
+        reg.registerRules(extraRules);
+    }
+    return reg;
+}
+// Singleton instance
+export const registry = new RuleRegistry();
+//# sourceMappingURL=registry.js.map

package/dist/rules/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/rules/registry.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,wDAAwD;AACxD,4CAA4C;AAC5C,+DAA+D;AAI/D,oCAAoC;AACpC,OAAO,EAAE,qBAAqB,EAAE,MAAM,wCAAwC,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAE9D,qCAAqC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAC;AAE1D,wBAAwB;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAE9D,8BAA8B;AAC9B,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAEhE,wCAAwC;AACxC,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AAExE,+CAA+C;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAEpE,uDAAuD;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAElE,iDAAiD;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,qBAAqB,EAAE,MAAM,uCAAuC,CAAC;AAE9E,qDAAqD;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAC;AAE7E,0CAA0C;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAE5D,+CAA+C;AAC/C,MAAM,UAAU,GAAW;IACzB,8BAA8B;IAC9B,qBAAqB;IACrB,aAAa;IACb,uBAAuB;IAEvB,+BAA+B;IAC/B,gBAAgB;IAChB,QAAQ;IACR,UAAU;IACV,WAAW;IAEX,kBAAkB;IAClB,YAAY;IACZ,gBAAgB;IAChB,cAAc;IACd,YAAY;IACZ,iBAAiB;IACjB,aAAa;IAEb,wBAAwB;IACxB,gBAAgB;IAChB,cAAc;IAEd,kCAAkC;IAClC,SAAS;IACT,YAAY;IACZ,eAAe;IACf,kBAAkB;IAElB,8BAA8B;IAC9B,gBAAgB;IAEhB,sBAAsB;IACtB,gBAAgB;IAChB,iBAAiB;IACjB,iBAAiB;IACjB,eAAe;IAEf,uBAAuB;IACvB,UAAU;IACV,qBAAqB;IAErB,yBAAyB;IACzB,gBAAgB;IAChB,oBAAoB;IAEpB,aAAa;IACb,gBAAgB;IAChB,YAAY;CACb,CAAC;AAEF,MAAM,OAAO,YAAY;IACf,KAAK,CAAoB;IACzB,eAAe,GAAG,KAAK,CAAC;IAEhC,YAAY,QAAgB,UAAU;QACpC,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,aAAa,CAAC,KAAa;QACzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;IAC9B,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED,IAAI,aAAa;QACf,OAAO,UAAU,CAAC,MAAM,CAAC;IAC3B,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,CAAC,EAAU;QAChB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,CAAC,QAAuB;QACnC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC;IAC3D,CAAC;IAED,aAAa,CAAC,QAA2B;QACvC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CACzB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACrE,CAAC;IACJ,CAAC;IAED,kBAAkB,CAAC,gBAA0B;QAC3C,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YACnC,+DAA+D;YAC/D,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAC5C,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;CACF;AAED,2DAA2D;AAC3D,MAAM,UAAU,cAAc,CAAC,UAAmB;IAChD,MAAM,GAAG,GAAG,IAAI,YAAY,EAAE,CAAC;IAC/B,IAAI,UAAU,EAAE,CAAC;QACf,GAAG,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,qBAAqB;AACrB,MAAM,CAAC,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC"}

package/dist/scanner/engine.d.ts

@@ -0,0 +1,21 @@
+import type { Rule, FileResult, ScanResult, SupportedLanguage, ScanOptions, FailOnLevel } from '../types/index.js';
+import type { TaintMap } from '../analysis/ast-analyzer.js';
+import { sortFindings } from '../utils/scoring.js';
+import { registry } from '../rules/registry.js';
+export interface EngineOptions {
+    rules?: string[];
+    exclude?: string[];
+    recursive: boolean;
+    failOn: FailOnLevel;
+    verbose: boolean;
+    maxFindings?: number;
+    sca?: boolean;
+}
+export declare function scanFile(filePath: string, rules: Rule[], crossFileSources?: TaintMap): Promise<FileResult>;
+export declare function scanDirectory(targetPath: string, options: EngineOptions, onProgress?: (current: number, total: number, filePath: string) => void): Promise<ScanResult>;
+export declare function scanCode(code: string, language: SupportedLanguage, filename?: string, ruleCategories?: string[]): Promise<ScanResult>;
+export declare function buildScanOptions(partial: Partial<ScanOptions> & {
+    target: string;
+}): EngineOptions;
+export { registry, sortFindings };
+//# sourceMappingURL=engine.d.ts.map

package/dist/scanner/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/scanner/engine.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,IAAI,EAEJ,UAAU,EACV,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,WAAW,EACZ,MAAM,mBAAmB,CAAC;AAG3B,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAM5D,OAAO,EAAmB,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEpE,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAiBhD,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED,wBAAsB,QAAQ,CAC5B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,IAAI,EAAE,EACb,gBAAgB,CAAC,EAAE,QAAQ,GAC1B,OAAO,CAAC,UAAU,CAAC,CAuFrB;AAED,wBAAsB,aAAa,CACjC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,aAAa,EACtB,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,IAAI,GACtE,OAAO,CAAC,UAAU,CAAC,CA6FrB;AAED,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,iBAAiB,EAC3B,QAAQ,SAAa,EACrB,cAAc,CAAC,EAAE,MAAM,EAAE,GACxB,OAAO,CAAC,UAAU,CAAC,CA6ErB;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,aAAa,CASlG;AAED,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC"}

package/dist/scanner/engine.js

@@ -0,0 +1,260 @@
+// ============================================================
+// Scan Engine — orchestrates file walking, rule application, reporting
+// ============================================================
+import { analyzeTaint } from '../analysis/taint-engine.js';
+import { analyzeAST } from '../analysis/ast-analyzer.js';
+import { parseCode } from '../parsers/ast-parser.js';
+import { collectExportedTaintSources } from '../parsers/ast-queries.js';
+import { detectLanguage, languageMatches } from './language-detect.js';
+import { walkFiles, readFileSafe } from './file-walker.js';
+import { applyPatterns } from '../utils/pattern-matcher.js';
+import { buildScanResult, sortFindings } from '../utils/scoring.js';
+import { runSCA } from './sca-scanner.js';
+import { registry } from '../rules/registry.js';
+// Auto-discover and load @trust-assurance-protocol/rules-pro if installed
+let _proDiscoveryDone = false;
+async function loadProRules() {
+    if (_proDiscoveryDone)
+        return;
+    _proDiscoveryDone = true;
+    try {
+        // @ts-ignore — @trust-assurance-protocol/rules-pro is an optional dependency, may not be installed
+        const mod = await import('@trust-assurance-protocol/rules-pro');
+        if (mod.proRules && Array.isArray(mod.proRules)) {
+            registry.registerRules(mod.proRules);
+        }
+    }
+    catch {
+        // @trust-assurance-protocol/rules-pro not installed — run with core rules only
+    }
+}
+export async function scanFile(filePath, rules, crossFileSources) {
+    const startTime = Date.now();
+    const content = readFileSafe(filePath);
+    if (content === null) {
+        return {
+            filePath,
+            language: 'all',
+            findings: [],
+            linesScanned: 0,
+            rulesApplied: 0,
+            scanDurationMs: 0,
+        };
+    }
+    const lines = content.split('\n');
+    const firstLine = lines[0] ?? '';
+    const language = detectLanguage(filePath, firstLine) ?? 'all';
+    const applicableRules = rules.filter((rule) => languageMatches(rule.languages, language));
+    const findings = [];
+    // --- Tier 2: AST analysis (runs first — highest structural confidence) ---
+    if (language === 'javascript' || language === 'typescript' || language === 'python') {
+        const astFindings = analyzeAST(content, language, filePath, rules, crossFileSources);
+        findings.push(...astFindings);
+    }
+    // --- Tier 1: Regex (covers languages without AST + rules not covered by AST) ---
+    for (const rule of applicableRules) {
+        const matches = applyPatterns(content, rule.patterns);
+        for (const match of matches) {
+            // Skip if AST already found this rule at this line (AST is higher quality)
+            const isDupe = findings.some((f) => f.ruleId === rule.id && Math.abs(f.line - match.line) <= 2);
+            if (isDupe)
+                continue;
+            findings.push({
+                ruleId: rule.id,
+                ruleName: rule.name,
+                owasp: rule.owasp,
+                cwe: rule.cwe,
+                severity: rule.severity,
+                filePath,
+                line: match.line,
+                column: match.column,
+                snippet: match.snippet,
+                message: `${rule.name} — ${rule.description.slice(0, 150)}`,
+                fix: rule.fix,
+                references: rule.references,
+                confidence: 'MEDIUM',
+                analysisMethod: 'regex',
+            });
+        }
+    }
+    // --- Tier 3: Regex taint (fallback for languages without AST support) ---
+    // For JS/TS/Python the AST already handles both direct and indirect taint detection.
+    // Regex taint runs only for other languages (Go, Java, PHP, etc.).
+    if (language !== 'javascript' && language !== 'typescript' && language !== 'python') {
+        const taintFindings = analyzeTaint(content, language, filePath, rules);
+        for (const tf of taintFindings) {
+            const isDupe = findings.some((f) => f.ruleId === tf.ruleId && Math.abs(f.line - tf.line) <= 2);
+            if (!isDupe) {
+                findings.push(tf);
+            }
+        }
+    }
+    // Sort findings by line number
+    findings.sort((a, b) => a.line - b.line);
+    return {
+        filePath,
+        language: language,
+        findings,
+        linesScanned: lines.length,
+        rulesApplied: applicableRules.length,
+        scanDurationMs: Date.now() - startTime,
+    };
+}
+export async function scanDirectory(targetPath, options, onProgress) {
+    await loadProRules();
+    const startTime = Date.now();
+    // Determine which rules to apply
+    let rules;
+    if (options.rules && options.rules.length > 0) {
+        rules = registry.filterByCategories(options.rules);
+    }
+    else {
+        rules = registry.getAll();
+    }
+    // Discover all files
+    const files = await walkFiles(targetPath, {
+        recursive: options.recursive,
+        exclude: options.exclude,
+    });
+    if (options.verbose) {
+        process.stderr.write(`Found ${files.length} files to scan with ${rules.length} rules\n`);
+    }
+    // --- Cross-file taint pre-pass (JS/TS only) ---
+    // Collect exported functions that return tainted values so downstream files
+    // can treat calls to those functions as taint sources.
+    const crossFileSources = new Map();
+    for (const filePath of files) {
+        const ext = filePath.split('.').pop() ?? '';
+        if (ext !== 'js' && ext !== 'ts' && ext !== 'jsx' && ext !== 'tsx' && ext !== 'mjs' && ext !== 'cjs')
+            continue;
+        const content = readFileSafe(filePath);
+        if (!content)
+            continue;
+        const firstLine = content.split('\n')[0] ?? '';
+        const lang = detectLanguage(filePath, firstLine);
+        if (lang !== 'javascript' && lang !== 'typescript')
+            continue;
+        const tree = parseCode(content, lang);
+        if (!tree)
+            continue;
+        const exported = collectExportedTaintSources(tree.rootNode, lang);
+        for (const [k, v] of exported) {
+            crossFileSources.set(k, v);
+        }
+    }
+    if (options.verbose && crossFileSources.size > 0) {
+        process.stderr.write(`Cross-file taint sources found: ${crossFileSources.size}\n`);
+    }
+    // Scan each file
+    const fileResults = [];
+    let totalFindings = 0;
+    for (let i = 0; i < files.length; i++) {
+        const filePath = files[i];
+        if (onProgress) {
+            onProgress(i + 1, files.length, filePath);
+        }
+        const result = await scanFile(filePath, rules, crossFileSources);
+        fileResults.push(result);
+        totalFindings += result.findings.length;
+        // Early exit if maxFindings exceeded
+        if (options.maxFindings && totalFindings >= options.maxFindings) {
+            if (options.verbose) {
+                process.stderr.write(`Max findings limit (${options.maxFindings}) reached. Stopping.\n`);
+            }
+            break;
+        }
+    }
+    // SCA dependency scanning (opt-in)
+    if (options.sca) {
+        const scaFindings = await runSCA(targetPath);
+        if (scaFindings.length > 0) {
+            // Attach SCA findings to a synthetic "manifest" file result
+            const manifestResult = {
+                filePath: targetPath,
+                language: 'all',
+                findings: scaFindings,
+                linesScanned: 0,
+                rulesApplied: 1,
+                scanDurationMs: 0,
+            };
+            fileResults.push(manifestResult);
+        }
+    }
+    return buildScanResult(targetPath, fileResults, Date.now() - startTime, options.failOn);
+}
+export async function scanCode(code, language, filename = '<inline>', ruleCategories) {
+    await loadProRules();
+    const startTime = Date.now();
+    let rules;
+    if (ruleCategories && ruleCategories.length > 0) {
+        rules = registry.filterByCategories(ruleCategories);
+    }
+    else {
+        rules = registry.getAll();
+    }
+    const applicableRules = rules.filter((rule) => languageMatches(rule.languages, language));
+    const lines = code.split('\n');
+    const findings = [];
+    // --- Tier 2: AST (runs first — highest structural confidence) ---
+    if (language === 'javascript' || language === 'typescript' || language === 'python') {
+        const astFindings = analyzeAST(code, language, filename, applicableRules);
+        findings.push(...astFindings);
+    }
+    // --- Tier 1: Regex (fallback for rules not covered by AST) ---
+    for (const rule of applicableRules) {
+        const matches = applyPatterns(code, rule.patterns);
+        for (const match of matches) {
+            const isDupe = findings.some((f) => f.ruleId === rule.id && Math.abs(f.line - match.line) <= 2);
+            if (isDupe)
+                continue;
+            findings.push({
+                ruleId: rule.id,
+                ruleName: rule.name,
+                owasp: rule.owasp,
+                cwe: rule.cwe,
+                severity: rule.severity,
+                filePath: filename,
+                line: match.line,
+                column: match.column,
+                snippet: match.snippet,
+                message: `${rule.name} — ${rule.description.slice(0, 150)}`,
+                fix: rule.fix,
+                references: rule.references,
+                confidence: 'MEDIUM',
+                analysisMethod: 'regex',
+            });
+        }
+    }
+    // --- Tier 3: Regex taint (fallback for non-AST languages only) ---
+    if (language !== 'javascript' && language !== 'typescript' && language !== 'python') {
+        const taintFindings = analyzeTaint(code, language, filename, applicableRules);
+        for (const tf of taintFindings) {
+            const isDupe = findings.some((f) => f.ruleId === tf.ruleId && Math.abs(f.line - tf.line) <= 2);
+            if (!isDupe) {
+                findings.push(tf);
+            }
+        }
+    }
+    findings.sort((a, b) => a.line - b.line);
+    const fileResult = {
+        filePath: filename,
+        language,
+        findings,
+        linesScanned: lines.length,
+        rulesApplied: applicableRules.length,
+        scanDurationMs: Date.now() - startTime,
+    };
+    return buildScanResult(filename, [fileResult], Date.now() - startTime, 'never');
+}
+export function buildScanOptions(partial) {
+    return {
+        rules: partial.rules,
+        exclude: partial.exclude,
+        recursive: partial.recursive ?? true,
+        failOn: partial.failOn ?? 'never',
+        verbose: partial.verbose ?? false,
+        maxFindings: partial.maxFindings,
+    };
+}
+export { registry, sortFindings };
+//# sourceMappingURL=engine.js.map

package/dist/scanner/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/scanner/engine.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,uEAAuE;AACvE,+DAA+D;AAW/D,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAEzD,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,2BAA2B,EAAE,MAAM,2BAA2B,CAAC;AACxE,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACpE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,0EAA0E;AAC1E,IAAI,iBAAiB,GAAG,KAAK,CAAC;AAC9B,KAAK,UAAU,YAAY;IACzB,IAAI,iBAAiB;QAAE,OAAO;IAC9B,iBAAiB,GAAG,IAAI,CAAC;IACzB,IAAI,CAAC;QACH,mGAAmG;QACnG,MAAM,GAAG,GAA0B,MAAM,MAAM,CAAC,qCAAqC,CAAC,CAAC;QACvF,IAAI,GAAG,CAAC,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChD,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,+EAA+E;IACjF,CAAC;AACH,CAAC;AAYD,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,QAAgB,EAChB,KAAa,EACb,gBAA2B;IAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IAEvC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO;YACL,QAAQ;YACR,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,EAAE;YACZ,YAAY,EAAE,CAAC;YACf,YAAY,EAAE,CAAC;YACf,cAAc,EAAE,CAAC;SAClB,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,KAAK,CAAC;IAE9D,MAAM,eAAe,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAC5C,eAAe,CAAC,IAAI,CAAC,SAAS,EAAE,QAA6B,CAAC,CAC/D,CAAC;IAEF,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,4EAA4E;IAC5E,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACpF,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,EAAE,QAAkD,EAAE,QAAQ,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC/H,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IAChC,CAAC;IAED,kFAAkF;IAClF,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEtD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,2EAA2E;YAC3E,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAClE,CAAC;YACF,IAAI,MAAM;gBAAE,SAAS;YAErB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ;gBACR,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBAC3D,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,UAAU,EAAE,QAAQ;gBACpB,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,qFAAqF;IACrF,mEAAmE;IACnE,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACpF,MAAM,aAAa,GAAG,YAAY,CAAC,OAAO,EAAE,QAAkD,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QACjH,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CACjE,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IAEzC,OAAO;QACL,QAAQ;QACR,QAAQ,EAAE,QAA6B;QACvC,QAAQ;QACR,YAAY,EAAE,KAAK,CAAC,MAAM;QAC1B,YAAY,EAAE,eAAe,CAAC,MAAM;QACpC,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;KACvC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,UAAkB,EAClB,OAAsB,EACtB,UAAuE;IAEvE,MAAM,YAAY,EAAE,CAAC;IACrB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,iCAAiC;IACjC,IAAI,KAAa,CAAC;IAClB,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,KAAK,GAAG,QAAQ,CAAC,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;IAC5B,CAAC;IAED,qBAAqB;IACrB,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE;QACxC,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC,CAAC;IAEH,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,KAAK,CAAC,MAAM,uBAAuB,KAAK,CAAC,MAAM,UAAU,CAAC,CAAC;IAC3F,CAAC;IAED,iDAAiD;IACjD,4EAA4E;IAC5E,uDAAuD;IACvD,MAAM,gBAAgB,GAAa,IAAI,GAAG,EAAE,CAAC;IAC7C,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;QAC5C,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,KAAK;YAAE,SAAS;QAC/G,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/C,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACjD,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,YAAY;YAAE,SAAS;QAC7D,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,MAAM,QAAQ,GAAG,2BAA2B,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAClE,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,QAAQ,EAAE,CAAC;YAC9B,gBAAgB,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,IAAI,gBAAgB,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,gBAAgB,CAAC,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC;IAED,iBAAiB;IACjB,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QAE3B,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACjE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzB,aAAa,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAExC,qCAAqC;QACrC,IAAI,OAAO,CAAC,WAAW,IAAI,aAAa,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YAChE,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,OAAO,CAAC,WAAW,wBAAwB,CAAC,CAAC;YAC3F,CAAC;YACD,MAAM;QACR,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,4DAA4D;YAC5D,MAAM,cAAc,GAAe;gBACjC,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,WAAW;gBACrB,YAAY,EAAE,CAAC;gBACf,YAAY,EAAE,CAAC;gBACf,cAAc,EAAE,CAAC;aAClB,CAAC;YACF,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CACpB,UAAU,EACV,WAAW,EACX,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EACtB,OAAO,CAAC,MAAM,CACf,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,IAAY,EACZ,QAA2B,EAC3B,QAAQ,GAAG,UAAU,EACrB,cAAyB;IAEzB,MAAM,YAAY,EAAE,CAAC;IACrB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,KAAa,CAAC;IAClB,IAAI,cAAc,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,KAAK,GAAG,QAAQ,CAAC,kBAAkB,CAAC,cAAc,CAAC,CAAC;IACtD,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,eAAe,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAC5C,eAAe,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAC1C,CAAC;IAEF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,mEAAmE;IACnE,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACpF,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,EAAE,QAAkD,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;QACpH,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IAChC,CAAC;IAED,gEAAgE;IAChE,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAClE,CAAC;YACF,IAAI,MAAM;gBAAE,SAAS;YAErB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBAC3D,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,UAAU,EAAE,QAAQ;gBACpB,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACpF,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,EAAE,QAAkD,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;QACxH,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CACjE,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC;IAED,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IAEzC,MAAM,UAAU,GAAe;QAC7B,QAAQ,EAAE,QAAQ;QAClB,QAAQ;QACR,QAAQ;QACR,YAAY,EAAE,KAAK,CAAC,MAAM;QAC1B,YAAY,EAAE,eAAe,CAAC,MAAM;QACpC,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;KACvC,CAAC;IAEF,OAAO,eAAe,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,OAAO,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAkD;IACjF,OAAO;QACL,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI;QACpC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,KAAK;QACjC,WAAW,EAAE,OAAO,CAAC,WAAW;KACjC,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC"}

package/dist/scanner/file-walker.d.ts

@@ -0,0 +1,7 @@
+export interface WalkOptions {
+    recursive: boolean;
+    exclude?: string[] | undefined;
+}
+export declare function walkFiles(targetPath: string, options: WalkOptions): Promise<string[]>;
+export declare function readFileSafe(filePath: string): string | null;
+//# sourceMappingURL=file-walker.d.ts.map

package/dist/scanner/file-walker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-walker.d.ts","sourceRoot":"","sources":["../../src/scanner/file-walker.ts"],"names":[],"mappings":"AAmCA,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;CAChC;AAgBD,wBAAsB,SAAS,CAC7B,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,MAAM,EAAE,CAAC,CAyCnB;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAM5D"}

package/dist/scanner/file-walker.js

@@ -0,0 +1,81 @@
+// ============================================================
+// File Walker — discovers scannable files respecting .gitignore
+// ============================================================
+import fs from 'fs';
+import path from 'path';
+import { createRequire } from 'module';
+import { glob } from 'glob';
+import { isSupportedFile } from './language-detect.js';
+const require = createRequire(import.meta.url);
+// ignore is a CJS-only package — use createRequire for ESM compatibility
+const ignoreLib = require('ignore');
+const ALWAYS_IGNORED = [
+    'node_modules/**',
+    'dist/**',
+    'build/**',
+    '.git/**',
+    'coverage/**',
+    '**/*.min.js',
+    '**/*.bundle.js',
+    '**/*.map',
+    '**/__pycache__/**',
+    '**/*.pyc',
+    '**/.venv/**',
+    '**/venv/**',
+    '**/.tox/**',
+    '**/vendor/**',
+    '**/.cache/**',
+];
+function loadGitignore(dir) {
+    const ig = ignoreLib();
+    const gitignorePath = path.join(dir, '.gitignore');
+    if (fs.existsSync(gitignorePath)) {
+        const content = fs.readFileSync(gitignorePath, 'utf8');
+        ig.add(content);
+    }
+    return ig;
+}
+export async function walkFiles(targetPath, options) {
+    const stat = fs.statSync(targetPath);
+    // Single file — validate and return
+    if (stat.isFile()) {
+        if (isSupportedFile(targetPath)) {
+            return [path.resolve(targetPath)];
+        }
+        return [];
+    }
+    if (!stat.isDirectory()) {
+        throw new Error(`Target path is not a file or directory: ${targetPath}`);
+    }
+    const baseDir = path.resolve(targetPath);
+    const pattern = options.recursive ? '**/*' : '*';
+    const ignorePatterns = [
+        ...ALWAYS_IGNORED,
+        ...(options.exclude ?? []),
+    ];
+    const gitignore = loadGitignore(baseDir);
+    const allFiles = await glob(pattern, {
+        cwd: baseDir,
+        ignore: ignorePatterns,
+        nodir: true,
+        absolute: false,
+        dot: false,
+    });
+    const filteredFiles = allFiles.filter((relPath) => {
+        // Apply .gitignore rules
+        if (gitignore.ignores(relPath))
+            return false;
+        const absPath = path.join(baseDir, relPath);
+        return isSupportedFile(absPath);
+    });
+    return filteredFiles.map((relPath) => path.join(baseDir, relPath));
+}
+export function readFileSafe(filePath) {
+    try {
+        return fs.readFileSync(filePath, 'utf8');
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=file-walker.js.map

package/dist/scanner/file-walker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-walker.js","sourceRoot":"","sources":["../../src/scanner/file-walker.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,gEAAgE;AAChE,+DAA+D;AAE/D,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,yEAAyE;AACzE,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAGjC,CAAC;AAEF,MAAM,cAAc,GAAG;IACrB,iBAAiB;IACjB,SAAS;IACT,UAAU;IACV,SAAS;IACT,aAAa;IACb,aAAa;IACb,gBAAgB;IAChB,UAAU;IACV,mBAAmB;IACnB,UAAU;IACV,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,cAAc;CACf,CAAC;AASF,SAAS,aAAa,CAAC,GAAW;IAChC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IACvB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAEnD,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACvD,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,UAAkB,EAClB,OAAoB;IAEpB,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAErC,oCAAoC;IACpC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClB,IAAI,eAAe,CAAC,UAAU,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;QACpC,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC;IAEjD,MAAM,cAAc,GAAG;QACrB,GAAG,cAAc;QACjB,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;KAC3B,CAAC;IAEF,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAEzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE;QACnC,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,KAAK;QACf,GAAG,EAAE,KAAK;KACX,CAAC,CAAC;IAEH,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE;QAChD,yBAAyB;QACzB,IAAI,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC5C,OAAO,eAAe,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/scanner/language-detect.d.ts

@@ -0,0 +1,5 @@
+import type { SupportedLanguage } from '../types/index.js';
+export declare function detectLanguage(filePath: string, firstLine?: string): SupportedLanguage | null;
+export declare function isSupportedFile(filePath: string, firstLine?: string): boolean;
+export declare function languageMatches(ruleLangs: SupportedLanguage[], fileLang: SupportedLanguage): boolean;
+//# sourceMappingURL=language-detect.d.ts.map

package/dist/scanner/language-detect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"language-detect.d.ts","sourceRoot":"","sources":["../../src/scanner/language-detect.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AA+D3D,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,GACjB,iBAAiB,GAAG,IAAI,CAsB1B;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAE7E;AAGD,wBAAgB,eAAe,CAC7B,SAAS,EAAE,iBAAiB,EAAE,EAC9B,QAAQ,EAAE,iBAAiB,GAC1B,OAAO,CAOT"}

package/dist/scanner/language-detect.js

@@ -0,0 +1,91 @@
+// ============================================================
+// Language Detection — maps file extensions to SupportedLanguage
+// ============================================================
+import path from 'path';
+const EXTENSION_MAP = {
+    // JavaScript / TypeScript
+    '.js': 'javascript',
+    '.mjs': 'javascript',
+    '.cjs': 'javascript',
+    '.jsx': 'javascript',
+    '.ts': 'typescript',
+    '.tsx': 'typescript',
+    '.mts': 'typescript',
+    '.cts': 'typescript',
+    // Python
+    '.py': 'python',
+    '.pyw': 'python',
+    '.pyi': 'python',
+    // Java
+    '.java': 'java',
+    // Go
+    '.go': 'go',
+    // PHP
+    '.php': 'php',
+    '.php3': 'php',
+    '.php4': 'php',
+    '.php5': 'php',
+    '.phtml': 'php',
+    // Ruby
+    '.rb': 'ruby',
+    '.rake': 'ruby',
+    '.gemspec': 'ruby',
+    // C#
+    '.cs': 'csharp',
+    // C / C++
+    '.c': 'cpp',
+    '.cc': 'cpp',
+    '.cpp': 'cpp',
+    '.cxx': 'cpp',
+    '.h': 'cpp',
+    '.hpp': 'cpp',
+    // Rust
+    '.rs': 'rust',
+};
+const SHEBANG_MAP = {
+    'node': 'javascript',
+    'nodejs': 'javascript',
+    'ts-node': 'typescript',
+    'tsx': 'typescript',
+    'python': 'python',
+    'python3': 'python',
+    'python2': 'python',
+    'ruby': 'ruby',
+    'php': 'php',
+};
+export function detectLanguage(filePath, firstLine) {
+    const ext = path.extname(filePath).toLowerCase();
+    // Extension-based detection (fast path)
+    if (ext in EXTENSION_MAP) {
+        return EXTENSION_MAP[ext];
+    }
+    // Shebang-based detection for extensionless files
+    if (firstLine?.startsWith('#!')) {
+        const parts = firstLine.split(/\s+/);
+        const interpreter = path.basename(parts[0].replace('#!', ''));
+        if (interpreter in SHEBANG_MAP) {
+            return SHEBANG_MAP[interpreter];
+        }
+        // Handle /usr/bin/env python style shebangs
+        if (parts[1] && path.basename(parts[1]) in SHEBANG_MAP) {
+            return SHEBANG_MAP[path.basename(parts[1])];
+        }
+    }
+    return null;
+}
+export function isSupportedFile(filePath, firstLine) {
+    return detectLanguage(filePath, firstLine) !== null;
+}
+// Languages where JS/TS patterns also apply (superset check)
+export function languageMatches(ruleLangs, fileLang) {
+    if (ruleLangs.includes('all'))
+        return true;
+    if (ruleLangs.includes(fileLang))
+        return true;
+    // TypeScript is a superset of JavaScript — JS rules apply to TS files
+    if (fileLang === 'typescript' && ruleLangs.includes('javascript'))
+        return true;
+    // JSX/TSX handled by javascript/typescript rules
+    return false;
+}
+//# sourceMappingURL=language-detect.js.map