@xrift/code-security 0.1.0

package/README.md

@@ -0,0 +1,100 @@
+# @xrift/code-security
+
+JavaScript コードの静的セキュリティ解析パッケージ。acorn ベースの AST 解析により、危険な API 使用や難読化パターンを検出します。
+
+## インストール
+
+```bash
+npm install @xrift/code-security
+```
+
+## 使い方
+
+### CodeSecurityService（推奨）
+
+```typescript
+import { CodeSecurityService } from '@xrift/code-security'
+
+const service = new CodeSecurityService()
+
+const result = service.validate({
+  code: 'const x = 1;',
+  packageJson: {
+    dependencies: {}
+  }
+})
+
+console.log(result.valid)          // true
+console.log(result.securityScore)  // 0
+console.log(result.violations)     // { critical: [], warnings: [] }
+```
+
+### analyzeCodeSecurity（低レベル API）
+
+```typescript
+import { analyzeCodeSecurity } from '@xrift/code-security'
+
+const signals = analyzeCodeSecurity('eval("alert(1)")')
+
+console.log(signals.hasEval)              // true
+console.log(signals.detectedViolations)   // [{ rule: 'no-eval', ... }]
+```
+
+### ネットワーク権限の付与
+
+```typescript
+const result = service.validate({
+  code: `fetch('https://api.example.com/data')`,
+  packageJson: { dependencies: {} },
+  manifestConfig: {
+    permissions: {
+      network: {
+        allowedDomains: ['api.example.com']
+      }
+    }
+  }
+})
+```
+
+## 検出ルール
+
+| ルール | 説明 | 重大度 |
+|--------|------|--------|
+| `no-eval` | `eval()` の使用 | critical |
+| `no-string-timeout` | `setTimeout/setInterval` への文字列引数 | critical |
+| `no-storage-access` | `localStorage/sessionStorage` アクセス | critical |
+| `no-cookie-access` | `document.cookie` アクセス | critical |
+| `no-indexeddb-access` | `indexedDB` アクセス | critical |
+| `no-storage-event` | `addEventListener('storage')` / `onstorage` | critical |
+| `no-navigator-access` | `navigator.*` アクセス | critical |
+| `no-dangerous-dom` | `innerHTML` 代入 / `createElement('script')` | critical |
+| `no-global-override` | `window/document/navigator` の改ざん | critical |
+| `no-prototype-pollution` | `Object.prototype` 汚染 | critical |
+| `no-obfuscation` | `atob/btoa/String.fromCharCode` 等 | critical |
+| `no-external-import` | 外部 URL からの `import` | critical |
+| `no-network-without-permission` | 未許可ドメインへの通信 | critical |
+
+## API リファレンス
+
+### クラス
+
+- **`CodeSecurityService`** - セキュリティ解析サービス
+  - `validate(request: ValidateCodeRequest): ValidateCodeResponse`
+
+### 関数
+
+- **`analyzeCodeSecurity(code, permissions?)`** - コードの AST 解析を実行
+- **`calculateSecurityScore(signals)`** - セキュリティスコアを算出（0-100）
+- **`getSecurityVerdict(score)`** - スコアから判定結果を返す（`APPROVE` / `REVIEW` / `REJECT`）
+- **`determineFileContext(filePath)`** - ファイルパスからコンテキストを判定
+- **`adjustViolationSeverity(rule, severity, context)`** - コンテキストに基づき重大度を調整
+
+### 型
+
+- `ValidateCodeRequest` / `ValidateCodeResponse`
+- `SecuritySignals` / `Violation`
+- `CodePermissions` / `FileContext`
+
+## License
+
+MIT

package/dist/analyzer.d.ts

@@ -0,0 +1,6 @@
+import type { SecuritySignals, CodePermissions } from './types.js';
+/**
+ * コードのセキュリティ解析を実行
+ */
+export declare function analyzeCodeSecurity(code: string, permissions?: CodePermissions): SecuritySignals;
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EAChB,MAAM,YAAY,CAAA;AAkCnB;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,EACZ,WAAW,CAAC,EAAE,eAAe,GAC5B,eAAe,CAqajB"}

package/dist/analyzer.js

@@ -0,0 +1,278 @@
+import * as acorn from 'acorn';
+import * as walk from 'acorn-walk';
+import { calculateEntropy, calculateAverageEntropy, extractDomains, getCalleeName, getLocation, ALLOWED_DOMAINS } from './utils/helpers.js';
+/**
+ * エントロピー閾値
+ * GLSLシェーダーや複雑な正規のコードを許容するため7.0に設定
+ */
+const ENTROPY_THRESHOLD = 7.0;
+/**
+ * Violationオブジェクトを作成するヘルパー関数
+ */
+function createViolation(rule, severity, message, node) {
+    const location = node ? getLocation(node) : undefined;
+    return {
+        rule,
+        severity,
+        message,
+        ...(location && { location }),
+    };
+}
+/**
+ * コードのセキュリティ解析を実行
+ */
+export function analyzeCodeSecurity(code, permissions) {
+    const ast = acorn.parse(code, {
+        ecmaVersion: 'latest',
+        sourceType: 'module',
+        locations: true,
+    });
+    const signals = {
+        hasEval: false,
+        hasDynamicCodeExecution: false,
+        hasNetworkAPI: false,
+        hasNetworkWithoutPermission: false,
+        hasDynamicURLConstruction: false,
+        hasObfuscatedCode: false,
+        hasGlobalVariableOverride: false,
+        hasStorageAccess: false,
+        hasNavigatorAccess: false,
+        hasDangerousDOMManipulation: false,
+        entropy: 0,
+        suspiciousVariableNames: false,
+        importedPackages: [],
+        referencedDomains: [],
+        detectedViolations: [],
+    };
+    const urlStrings = [];
+    const stringLiterals = [];
+    const variableNames = [];
+    walk.ancestor(ast, {
+        // 1. コード実行系
+        CallExpression(node, ancestors) {
+            const calleeName = getCalleeName(node.callee);
+            // eval検出
+            if (calleeName === 'eval') {
+                signals.hasEval = true;
+                signals.detectedViolations.push(createViolation('no-eval', 'critical', 'eval()の使用は禁止されています', node));
+            }
+            // setTimeout/setInterval の文字列引数
+            if (['setTimeout', 'setInterval'].includes(calleeName || '')) {
+                const firstArg = node.arguments[0];
+                if (firstArg?.type === 'Literal' && typeof firstArg.value === 'string') {
+                    signals.hasDynamicCodeExecution = true;
+                    signals.detectedViolations.push(createViolation('no-string-timeout', 'critical', `${calleeName}に文字列を渡すことは禁止されています`, node));
+                }
+            }
+            // ネットワークAPI検出
+            if (['fetch', 'XMLHttpRequest'].includes(calleeName || '')) {
+                signals.hasNetworkAPI = true;
+                // 引数からURL抽出
+                const urlArg = node.arguments[0];
+                if (urlArg?.type === 'Literal' && typeof urlArg.value === 'string') {
+                    urlStrings.push(urlArg.value);
+                }
+                else {
+                    // 動的URL構築の疑い
+                    signals.hasDynamicURLConstruction = true;
+                }
+            }
+            // WebSocket検出
+            if (calleeName === 'WebSocket') {
+                signals.hasNetworkAPI = true;
+                const urlArg = node.arguments[0];
+                if (urlArg?.type === 'Literal' && typeof urlArg.value === 'string') {
+                    urlStrings.push(urlArg.value);
+                }
+            }
+            // navigator.sendBeacon検出
+            if (node.callee.type === 'MemberExpression') {
+                const obj = node.callee.object;
+                const prop = node.callee.property;
+                if (obj?.type === 'Identifier' &&
+                    obj.name === 'navigator' &&
+                    prop?.type === 'Identifier' &&
+                    prop.name === 'sendBeacon') {
+                    signals.hasNetworkAPI = true;
+                    signals.hasNavigatorAccess = true;
+                    signals.detectedViolations.push(createViolation('no-navigator-access', 'critical', 'navigator.sendBeacon()の使用は禁止されています', node));
+                }
+            }
+            // 危険なDOM操作メソッド検出
+            if (['insertAdjacentHTML'].includes(calleeName || '')) {
+                signals.hasDangerousDOMManipulation = true;
+                signals.detectedViolations.push(createViolation('no-dangerous-dom', 'critical', `${calleeName}()の使用は禁止されています（XSS攻撃のリスク）`, node));
+            }
+            // document.createElement('script') / document.createElement('iframe')
+            if (calleeName === 'createElement' && node.callee.type === 'MemberExpression') {
+                const obj = node.callee.object;
+                if (obj?.type === 'Identifier' && obj.name === 'document') {
+                    const tagArg = node.arguments[0];
+                    if (tagArg?.type === 'Literal' && typeof tagArg.value === 'string') {
+                        const tagName = tagArg.value.toLowerCase();
+                        if (['script', 'iframe'].includes(tagName)) {
+                            signals.hasDangerousDOMManipulation = true;
+                            signals.detectedViolations.push(createViolation('no-dangerous-dom', 'critical', `document.createElement('${tagName}')の使用は禁止されています`, node));
+                        }
+                    }
+                }
+            }
+            // 難読化検出（Critical）
+            if (['atob', 'btoa', 'unescape', 'decodeURIComponent'].includes(calleeName || '')) {
+                signals.hasObfuscatedCode = true;
+                signals.detectedViolations.push(createViolation('no-obfuscation', 'critical', `難読化関数 ${calleeName}() の使用は禁止されています`, node));
+            }
+            // String.fromCharCode検出
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.object.type === 'Identifier' &&
+                node.callee.object.name === 'String' &&
+                node.callee.property.type === 'Identifier' &&
+                node.callee.property.name === 'fromCharCode') {
+                signals.hasObfuscatedCode = true;
+                signals.detectedViolations.push(createViolation('no-obfuscation', 'critical', 'String.fromCharCode()の使用は禁止されています', node));
+            }
+            // addEventListener('storage', ...) 検出
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier' &&
+                node.callee.property.name === 'addEventListener') {
+                const firstArg = node.arguments[0];
+                if (firstArg?.type === 'Literal' && typeof firstArg.value === 'string' && firstArg.value === 'storage') {
+                    signals.hasStorageAccess = true;
+                    signals.detectedViolations.push(createViolation('no-storage-event', 'critical', "addEventListener('storage', ...)の使用は禁止されています（トークン傍受のリスク）", node));
+                }
+            }
+        },
+        // 2. グローバル変数改ざん
+        AssignmentExpression(node, _ancestors) {
+            const left = node.left;
+            // window.xxx = ... 検出
+            if (left.type === 'MemberExpression' &&
+                left.object.type === 'Identifier' &&
+                ['window', 'globalThis', 'document', 'navigator'].includes(left.object.name)) {
+                signals.hasGlobalVariableOverride = true;
+                if (left.object.name === 'navigator') {
+                    signals.hasNavigatorAccess = true;
+                }
+                signals.detectedViolations.push(createViolation('no-global-override', 'critical', `グローバルオブジェクト ${left.object.name} の改ざんは禁止されています`, node));
+            }
+            // Object.prototype.xxx = ... 検出
+            if (left.type === 'MemberExpression' &&
+                left.object.type === 'MemberExpression' &&
+                left.object.property.type === 'Identifier' &&
+                left.object.property.name === 'prototype') {
+                signals.hasGlobalVariableOverride = true;
+                signals.detectedViolations.push(createViolation('no-prototype-pollution', 'critical', 'プロトタイプ汚染は禁止されています', node));
+            }
+            // onstorage への代入検出
+            if (left.type === 'MemberExpression' &&
+                left.property.type === 'Identifier' &&
+                left.property.name === 'onstorage') {
+                signals.hasStorageAccess = true;
+                signals.detectedViolations.push(createViolation('no-storage-event', 'critical', 'onstorageへの代入は禁止されています（トークン傍受のリスク）', node));
+            }
+        },
+        // 3. ストレージアクセス & Navigator アクセス & DOM操作
+        MemberExpression(node, ancestors) {
+            const objectName = node.object.type === 'Identifier'
+                ? node.object.name
+                : null;
+            const propertyName = node.property.type === 'Identifier'
+                ? node.property.name
+                : null;
+            // localStorage/sessionStorage検出
+            if (['localStorage', 'sessionStorage'].includes(objectName || '')) {
+                signals.hasStorageAccess = true;
+                signals.detectedViolations.push(createViolation('no-storage-access', 'critical', `${objectName}へのアクセスは禁止されています`, node));
+            }
+            // document.cookie検出
+            if (objectName === 'document' && propertyName === 'cookie') {
+                signals.hasStorageAccess = true;
+                signals.detectedViolations.push(createViolation('no-cookie-access', 'critical', 'Cookieへのアクセスは禁止されています', node));
+            }
+            // indexedDB検出
+            if (objectName === 'indexedDB') {
+                signals.hasStorageAccess = true;
+                signals.detectedViolations.push(createViolation('no-indexeddb-access', 'critical', 'IndexedDBへのアクセスは禁止されています', node));
+            }
+            // navigator.* すべてを禁止
+            if (objectName === 'navigator') {
+                signals.hasNavigatorAccess = true;
+                signals.detectedViolations.push(createViolation('no-navigator-access', 'critical', `navigator.${propertyName || '*'}へのアクセスは禁止されています（フィンガープリンティング防止）`, node));
+            }
+            // innerHTML / outerHTML への書き込み検出
+            if (['innerHTML', 'outerHTML'].includes(propertyName || '')) {
+                // 親がAssignmentExpressionで、leftがこのMemberExpressionの場合
+                const parent = ancestors[ancestors.length - 2];
+                if (parent?.type === 'AssignmentExpression' && parent.left === node) {
+                    signals.hasDangerousDOMManipulation = true;
+                    signals.detectedViolations.push(createViolation('no-dangerous-dom', 'critical', `${propertyName}への代入は禁止されています（XSS攻撃のリスク）`, node));
+                }
+            }
+            // document.head への要素追加検出
+            if (objectName === 'document' && propertyName === 'head') {
+                signals.hasDangerousDOMManipulation = true;
+                signals.detectedViolations.push(createViolation('no-dangerous-dom', 'critical', 'document.headへのアクセスは禁止されています（スクリプト注入のリスク）', node));
+            }
+        },
+        // 4. インポート解析
+        ImportDeclaration(node, _ancestors) {
+            const source = node.source.value;
+            signals.importedPackages.push(source);
+            // 外部URL import検出
+            if (source.startsWith('http://') || source.startsWith('https://')) {
+                signals.detectedViolations.push(createViolation('no-external-import', 'critical', '外部URLからのimportは禁止されています', node));
+            }
+        },
+        // 5. 変数名収集
+        Identifier(node, ancestors) {
+            variableNames.push(node.name);
+            // navigator 変数への直接参照も検出
+            if (node.name === 'navigator') {
+                const parent = ancestors[ancestors.length - 2];
+                if (parent?.type !== 'MemberExpression' || parent.object !== node) {
+                    signals.hasNavigatorAccess = true;
+                    signals.detectedViolations.push(createViolation('no-navigator-access', 'critical', 'navigatorオブジェクトへのアクセスは禁止されています', node));
+                }
+            }
+        },
+        // 6. 文字列リテラル収集（StringLiteral → Literal + string ガード）
+        Literal(node, _ancestors) {
+            if (typeof node.value !== 'string')
+                return;
+            stringLiterals.push(node.value);
+            // 16進数エスケープ・Unicodeエスケープの検出
+            const value = node.value;
+            if (/\\x[0-9a-fA-F]{2}/.test(value) || /\\u[0-9a-fA-F]{4}/.test(value)) {
+                signals.hasObfuscatedCode = true;
+                signals.detectedViolations.push(createViolation('no-obfuscation', 'critical', '16進数/Unicodeエスケープによる難読化は禁止されています', node));
+            }
+        },
+    });
+    // エントロピー計算
+    signals.entropy = calculateAverageEntropy(stringLiterals);
+    // 高エントロピー文字列の検出（Critical）
+    if (signals.entropy > ENTROPY_THRESHOLD) {
+        signals.hasObfuscatedCode = true;
+        signals.detectedViolations.push(createViolation('no-obfuscation', 'critical', `文字列のエントロピーが異常に高い（${signals.entropy.toFixed(2)}）- 難読化の疑い`));
+    }
+    // 疑わしい変数名チェック（Critical）
+    const suspiciousVars = variableNames.filter(name => /^[_$][a-zA-Z0-9_$]{4,}$/.test(name) && calculateEntropy(name) > 3.5);
+    if (suspiciousVars.length > 0) {
+        signals.hasObfuscatedCode = true;
+        signals.suspiciousVariableNames = true;
+        signals.detectedViolations.push(createViolation('no-obfuscation', 'critical', `疑わしい変数名が検出されました: ${suspiciousVars.slice(0, 3).join(', ')}...`));
+    }
+    // URL解析
+    signals.referencedDomains = extractDomains(urlStrings);
+    // 権限チェック
+    if (signals.hasNetworkAPI) {
+        const allowedDomains = permissions?.network?.allowedDomains || [];
+        const hasUnauthorizedDomain = signals.referencedDomains.some(domain => !allowedDomains.includes(domain) && !ALLOWED_DOMAINS.includes(domain));
+        if (hasUnauthorizedDomain || signals.hasDynamicURLConstruction) {
+            signals.hasNetworkWithoutPermission = true;
+            signals.detectedViolations.push(createViolation('no-network-without-permission', 'critical', 'ネットワーク通信にはxrift.config.tsでの権限宣言が必要です'));
+        }
+    }
+    return signals;
+}
+//# sourceMappingURL=analyzer.js.map

package/dist/analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAA;AAC9B,OAAO,KAAK,IAAI,MAAM,YAAY,CAAA;AAKlC,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,EACd,aAAa,EACb,WAAW,EACX,eAAe,EAChB,MAAM,oBAAoB,CAAA;AAE3B;;;GAGG;AACH,MAAM,iBAAiB,GAAG,GAAG,CAAA;AAE7B;;GAEG;AACH,SAAS,eAAe,CACtB,IAAY,EACZ,QAAgC,EAChC,OAAe,EACf,IAAiB;IAEjB,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACrD,OAAO;QACL,IAAI;QACJ,QAAQ;QACR,OAAO;QACP,GAAG,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,CAAC;KAC9B,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAY,EACZ,WAA6B;IAE7B,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE;QAC5B,WAAW,EAAE,QAAQ;QACrB,UAAU,EAAE,QAAQ;QACpB,SAAS,EAAE,IAAI;KAChB,CAAC,CAAA;IAEF,MAAM,OAAO,GAAoB;QAC/B,OAAO,EAAE,KAAK;QACd,uBAAuB,EAAE,KAAK;QAC9B,aAAa,EAAE,KAAK;QACpB,2BAA2B,EAAE,KAAK;QAClC,yBAAyB,EAAE,KAAK;QAChC,iBAAiB,EAAE,KAAK;QACxB,yBAAyB,EAAE,KAAK;QAChC,gBAAgB,EAAE,KAAK;QACvB,kBAAkB,EAAE,KAAK;QACzB,2BAA2B,EAAE,KAAK;QAClC,OAAO,EAAE,CAAC;QACV,uBAAuB,EAAE,KAAK;QAC9B,gBAAgB,EAAE,EAAE;QACpB,iBAAiB,EAAE,EAAE;QACrB,kBAAkB,EAAE,EAAE;KACvB,CAAA;IAED,MAAM,UAAU,GAAa,EAAE,CAAA;IAC/B,MAAM,cAAc,GAAa,EAAE,CAAA;IACnC,MAAM,aAAa,GAAa,EAAE,CAAA;IAElC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE;QACjB,YAAY;QACZ,cAAc,CAAC,IAAS,EAAE,SAAuB;YAC/C,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAE7C,SAAS;YACT,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;gBAC1B,OAAO,CAAC,OAAO,GAAG,IAAI,CAAA;gBACtB,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,SAAS,EACT,UAAU,EACV,oBAAoB,EACpB,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,gCAAgC;YAChC,IAAI,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;gBAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;gBAClC,IAAI,QAAQ,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACvE,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAA;oBACtC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,mBAAmB,EACnB,UAAU,EACV,GAAG,UAAU,oBAAoB,EACjC,IAAI,CACL,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAED,cAAc;YACd,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;gBAC3D,OAAO,CAAC,aAAa,GAAG,IAAI,CAAA;gBAE5B,YAAY;gBACZ,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;gBAChC,IAAI,MAAM,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACnE,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;gBAC/B,CAAC;qBAAM,CAAC;oBACN,aAAa;oBACb,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAA;gBAC1C,CAAC;YACH,CAAC;YAED,cAAc;YACd,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;gBAC/B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAA;gBAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;gBAChC,IAAI,MAAM,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACnE,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;gBAC/B,CAAC;YACH,CAAC;YAED,yBAAyB;YACzB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAA;gBAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAA;gBAEjC,IACE,GAAG,EAAE,IAAI,KAAK,YAAY;oBAC1B,GAAG,CAAC,IAAI,KAAK,WAAW;oBACxB,IAAI,EAAE,IAAI,KAAK,YAAY;oBAC3B,IAAI,CAAC,IAAI,KAAK,YAAY,EAC1B,CAAC;oBACD,OAAO,CAAC,aAAa,GAAG,IAAI,CAAA;oBAC5B,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAA;oBACjC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,qBAAqB,EACrB,UAAU,EACV,oCAAoC,EACpC,IAAI,CACL,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAED,iBAAiB;YACjB,IAAI,CAAC,oBAAoB,CAAC,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;gBACtD,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAA;gBAC1C,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,kBAAkB,EAClB,UAAU,EACV,GAAG,UAAU,2BAA2B,EACxC,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,sEAAsE;YACtE,IAAI,UAAU,KAAK,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAA;gBAC9B,IAAI,GAAG,EAAE,IAAI,KAAK,YAAY,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;oBAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;oBAChC,IAAI,MAAM,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;wBACnE,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAA;wBAC1C,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;4BAC3C,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAA;4BAC1C,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,kBAAkB,EAClB,UAAU,EACV,2BAA2B,OAAO,gBAAgB,EAClD,IAAI,CACL,CAAC,CAAA;wBACJ,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,kBAAkB;YAClB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,oBAAoB,CAAC,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;gBAClF,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAA;gBAChC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,gBAAgB,EAChB,UAAU,EACV,SAAS,UAAU,iBAAiB,EACpC,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,wBAAwB;YACxB,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACxC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ;gBACpC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,cAAc,EAC5C,CAAC;gBACD,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAA;gBAChC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,gBAAgB,EAChB,UAAU,EACV,mCAAmC,EACnC,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,sCAAsC;YACtC,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,kBAAkB,EAChD,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;gBAClC,IAAI,QAAQ,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;oBACvG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAA;oBAC/B,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,kBAAkB,EAClB,UAAU,EACV,0DAA0D,EAC1D,IAAI,CACL,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,oBAAoB,CAAC,IAAS,EAAE,UAAwB;YACtD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAA;YAEtB,sBAAsB;YACtB,IACE,IAAI,CAAC,IAAI,KAAK,kBAAkB;gBAChC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACjC,CAAC,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAC5E,CAAC;gBACD,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAA;gBAExC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;oBACrC,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAA;gBACnC,CAAC;gBAED,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,oBAAoB,EACpB,UAAU,EACV,eAAe,IAAI,CAAC,MAAM,CAAC,IAAI,gBAAgB,EAC/C,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,gCAAgC;YAChC,IACE,IAAI,CAAC,IAAI,KAAK,kBAAkB;gBAChC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,WAAW,EACzC,CAAC;gBACD,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAA;gBACxC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,wBAAwB,EACxB,UAAU,EACV,mBAAmB,EACnB,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,mBAAmB;YACnB,IACE,IAAI,CAAC,IAAI,KAAK,kBAAkB;gBAChC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,WAAW,EAClC,CAAC;gBACD,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAA;gBAC/B,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,kBAAkB,EAClB,UAAU,EACV,oCAAoC,EACpC,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,gBAAgB,CAAC,IAAS,EAAE,SAAuB;YACjD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBAClD,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI;gBAClB,CAAC,CAAC,IAAI,CAAA;YACR,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACtD,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI;gBACpB,CAAC,CAAC,IAAI,CAAA;YAER,gCAAgC;YAChC,IAAI,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE,CAAC;gBAClE,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAA;gBAC/B,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,mBAAmB,EACnB,UAAU,EACV,GAAG,UAAU,iBAAiB,EAC9B,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,oBAAoB;YACpB,IAAI,UAAU,KAAK,UAAU,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;gBAC3D,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAA;gBAC/B,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,kBAAkB,EAClB,UAAU,EACV,uBAAuB,EACvB,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,cAAc;YACd,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;gBAC/B,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAA;gBAC/B,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,qBAAqB,EACrB,UAAU,EACV,0BAA0B,EAC1B,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,qBAAqB;YACrB,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;gBAC/B,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAA;gBACjC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,qBAAqB,EACrB,UAAU,EACV,aAAa,YAAY,IAAI,GAAG,iCAAiC,EACjE,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;YAED,iCAAiC;YACjC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;gBAC5D,qDAAqD;gBACrD,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;gBAC9C,IAAI,MAAM,EAAE,IAAI,KAAK,sBAAsB,IAAK,MAAc,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;oBAC7E,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAA;oBAC1C,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,kBAAkB,EAClB,UAAU,EACV,GAAG,YAAY,0BAA0B,EACzC,IAAI,CACL,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAED,yBAAyB;YACzB,IAAI,UAAU,KAAK,UAAU,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;gBACzD,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAA;gBAC1C,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,kBAAkB,EAClB,UAAU,EACV,2CAA2C,EAC3C,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,aAAa;QACb,iBAAiB,CAAC,IAAS,EAAE,UAAwB;YACnD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAA;YAChC,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAErC,iBAAiB;YACjB,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAClE,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,oBAAoB,EACpB,UAAU,EACV,yBAAyB,EACzB,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,WAAW;QACX,UAAU,CAAC,IAAS,EAAE,SAAuB;YAC3C,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAE7B,wBAAwB;YACxB,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBAC9B,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;gBAC9C,IAAI,MAAM,EAAE,IAAI,KAAK,kBAAkB,IAAK,MAAc,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;oBAC3E,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAA;oBACjC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,qBAAqB,EACrB,UAAU,EACV,gCAAgC,EAChC,IAAI,CACL,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,OAAO,CAAC,IAAS,EAAE,UAAwB;YACzC,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;gBAAE,OAAM;YAE1C,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAE/B,4BAA4B;YAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;YACxB,IAAI,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACvE,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAA;gBAChC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,gBAAgB,EAChB,UAAU,EACV,kCAAkC,EAClC,IAAI,CACL,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;KACF,CAAC,CAAA;IAEF,WAAW;IACX,OAAO,CAAC,OAAO,GAAG,uBAAuB,CAAC,cAAc,CAAC,CAAA;IAEzD,0BAA0B;IAC1B,IAAI,OAAO,CAAC,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACxC,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAA;QAChC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,gBAAgB,EAChB,UAAU,EACV,oBAAoB,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAC1D,CAAC,CAAA;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,cAAc,GAAG,aAAa,CAAC,MAAM,CACzC,IAAI,CAAC,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,GAAG,CAC7E,CAAA;IACD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAA;QAChC,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAA;QACtC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,gBAAgB,EAChB,UAAU,EACV,oBAAoB,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAC/D,CAAC,CAAA;IACJ,CAAC;IAED,QAAQ;IACR,OAAO,CAAC,iBAAiB,GAAG,cAAc,CAAC,UAAU,CAAC,CAAA;IAEtD,SAAS;IACT,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,MAAM,cAAc,GAAG,WAAW,EAAE,OAAO,EAAE,cAAc,IAAI,EAAE,CAAA;QACjE,MAAM,qBAAqB,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAC1D,MAAM,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAChF,CAAA;QAED,IAAI,qBAAqB,IAAI,OAAO,CAAC,yBAAyB,EAAE,CAAC;YAC/D,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAA;YAC1C,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,eAAe,CAC7C,+BAA+B,EAC/B,UAAU,EACV,sCAAsC,CACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,15 @@
+import type { ValidateCodeRequest, ValidateCodeResponse } from './types.js';
+/**
+ * コードセキュリティ解析サービス
+ */
+export declare class CodeSecurityService {
+    /**
+     * コードを検証
+     */
+    validate(request: ValidateCodeRequest): ValidateCodeResponse;
+}
+export { analyzeCodeSecurity } from './analyzer.js';
+export { calculateSecurityScore, getSecurityVerdict } from './scoring.js';
+export { determineFileContext, adjustViolationSeverity } from './utils/file-context.js';
+export * from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,mBAAmB,EACnB,oBAAoB,EAErB,MAAM,YAAY,CAAA;AAOnB;;GAEG;AACH,qBAAa,mBAAmB;IAC9B;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,mBAAmB,GAAG,oBAAoB;CA+E7D;AAED,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAA;AACnD,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACzE,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAA;AACvF,cAAc,YAAY,CAAA"}

package/dist/index.js

@@ -0,0 +1,91 @@
+import { analyzeCodeSecurity } from './analyzer.js';
+import { calculateSecurityScore } from './scoring.js';
+import { adjustViolationSeverity, determineFileContext } from './utils/file-context.js';
+/**
+ * エントロピー閾値（analyzer.ts, scoring.tsと同じ値）
+ */
+const ENTROPY_THRESHOLD = 7.0;
+/**
+ * コードセキュリティ解析サービス
+ */
+export class CodeSecurityService {
+    /**
+     * コードを検証
+     */
+    validate(request) {
+        // ファイルコンテキストを判定（指定されていない場合は自動判定）
+        const fileContext = request.fileContext || determineFileContext(request.code);
+        // セキュリティ解析実行
+        const signals = analyzeCodeSecurity(request.code, request.manifestConfig?.permissions);
+        // ファイルコンテキストに基づいて違反の重大度を調整
+        const adjustedViolations = signals.detectedViolations.map(violation => {
+            const adjustedSeverity = adjustViolationSeverity(violation.rule, violation.severity, fileContext);
+            return {
+                ...violation,
+                severity: adjustedSeverity
+            };
+        });
+        // セキュリティスコア計算
+        const securityScore = calculateSecurityScore(signals);
+        // 違反を分類（調整後の重大度で）
+        const critical = [];
+        const warnings = [];
+        for (const violation of adjustedViolations) {
+            if (violation.severity === 'critical') {
+                critical.push(violation);
+            }
+            else {
+                warnings.push(violation);
+            }
+        }
+        // 検出されたAPI一覧
+        const detectedAPIs = [];
+        if (signals.hasEval)
+            detectedAPIs.push('eval');
+        if (signals.hasDynamicCodeExecution)
+            detectedAPIs.push('setTimeout/setInterval(string)');
+        if (signals.hasNetworkAPI)
+            detectedAPIs.push('fetch/WebSocket/XMLHttpRequest');
+        if (signals.hasStorageAccess)
+            detectedAPIs.push('localStorage/sessionStorage/indexedDB/cookie');
+        if (signals.hasNavigatorAccess)
+            detectedAPIs.push('navigator');
+        if (signals.hasDangerousDOMManipulation)
+            detectedAPIs.push('innerHTML/outerHTML/createElement');
+        if (signals.hasObfuscatedCode)
+            detectedAPIs.push('obfuscation (atob/btoa/fromCharCode)');
+        // 疑わしいパターン
+        const suspiciousPatterns = [];
+        if (signals.hasDynamicURLConstruction)
+            suspiciousPatterns.push('動的URL構築');
+        if (signals.hasGlobalVariableOverride)
+            suspiciousPatterns.push('グローバル変数改ざん');
+        if (signals.entropy > ENTROPY_THRESHOLD)
+            suspiciousPatterns.push(`高エントロピー文字列 (${signals.entropy.toFixed(2)})`);
+        if (signals.suspiciousVariableNames)
+            suspiciousPatterns.push('疑わしい変数名');
+        // 外部依存パッケージ
+        const externalDependencies = signals.importedPackages.filter(pkg => pkg.startsWith('http://') || pkg.startsWith('https://'));
+        // Critical違反の有無のみで判定
+        const valid = critical.length === 0;
+        return {
+            valid,
+            securityScore,
+            violations: {
+                critical,
+                warnings
+            },
+            analysis: {
+                entropy: signals.entropy,
+                suspiciousPatterns,
+                detectedAPIs,
+                externalDependencies
+            }
+        };
+    }
+}
+export { analyzeCodeSecurity } from './analyzer.js';
+export { calculateSecurityScore, getSecurityVerdict } from './scoring.js';
+export { determineFileContext, adjustViolationSeverity } from './utils/file-context.js';
+export * from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAA;AACnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AACrD,OAAO,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAA;AAOvF;;GAEG;AACH,MAAM,iBAAiB,GAAG,GAAG,CAAA;AAE7B;;GAEG;AACH,MAAM,OAAO,mBAAmB;IAC9B;;OAEG;IACH,QAAQ,CAAC,OAA4B;QACnC,iCAAiC;QACjC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QAE7E,aAAa;QACb,MAAM,OAAO,GAAG,mBAAmB,CACjC,OAAO,CAAC,IAAI,EACZ,OAAO,CAAC,cAAc,EAAE,WAAW,CACpC,CAAA;QAED,2BAA2B;QAC3B,MAAM,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE;YACpE,MAAM,gBAAgB,GAAG,uBAAuB,CAC9C,SAAS,CAAC,IAAI,EACd,SAAS,CAAC,QAAQ,EAClB,WAAW,CACZ,CAAA;YAED,OAAO;gBACL,GAAG,SAAS;gBACZ,QAAQ,EAAE,gBAAgB;aAC3B,CAAA;QACH,CAAC,CAAC,CAAA;QAEF,cAAc;QACd,MAAM,aAAa,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAA;QAErD,kBAAkB;QAClB,MAAM,QAAQ,GAAgB,EAAE,CAAA;QAChC,MAAM,QAAQ,GAAgB,EAAE,CAAA;QAEhC,KAAK,MAAM,SAAS,IAAI,kBAAkB,EAAE,CAAC;YAC3C,IAAI,SAAS,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;gBACtC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YAC1B,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YAC1B,CAAC;QACH,CAAC;QAED,aAAa;QACb,MAAM,YAAY,GAAa,EAAE,CAAA;QACjC,IAAI,OAAO,CAAC,OAAO;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAC9C,IAAI,OAAO,CAAC,uBAAuB;YAAE,YAAY,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAA;QACxF,IAAI,OAAO,CAAC,aAAa;YAAE,YAAY,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAA;QAC9E,IAAI,OAAO,CAAC,gBAAgB;YAAE,YAAY,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAA;QAC/F,IAAI,OAAO,CAAC,kBAAkB;YAAE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAC9D,IAAI,OAAO,CAAC,2BAA2B;YAAE,YAAY,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAA;QAC/F,IAAI,OAAO,CAAC,iBAAiB;YAAE,YAAY,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAA;QAExF,WAAW;QACX,MAAM,kBAAkB,GAAa,EAAE,CAAA;QACvC,IAAI,OAAO,CAAC,yBAAyB;YAAE,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACzE,IAAI,OAAO,CAAC,yBAAyB;YAAE,kBAAkB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC5E,IAAI,OAAO,CAAC,OAAO,GAAG,iBAAiB;YAAE,kBAAkB,CAAC,IAAI,CAAC,eAAe,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QAC9G,IAAI,OAAO,CAAC,uBAAuB;YAAE,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAEvE,YAAY;QACZ,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAC1D,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAC/D,CAAA;QAED,qBAAqB;QACrB,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAA;QAEnC,OAAO;YACL,KAAK;YACL,aAAa;YACb,UAAU,EAAE;gBACV,QAAQ;gBACR,QAAQ;aACT;YACD,QAAQ,EAAE;gBACR,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,kBAAkB;gBAClB,YAAY;gBACZ,oBAAoB;aACrB;SACF,CAAA;IACH,CAAC;CACF;AAED,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAA;AACnD,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACzE,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAA;AACvF,cAAc,YAAY,CAAA"}

package/dist/scoring.d.ts

@@ -0,0 +1,13 @@
+import type { SecuritySignals } from './types.js';
+/**
+ * セキュリティスコアを計算（0-100、高いほど危険）
+ */
+export declare function calculateSecurityScore(signals: SecuritySignals): number;
+/**
+ * 判定基準:
+ * - score >= 70: 拒否
+ * - 50 <= score < 70: 要人的レビュー
+ * - score < 50: 自動承認
+ */
+export declare function getSecurityVerdict(score: number): 'REJECT' | 'REVIEW' | 'APPROVE';
+//# sourceMappingURL=scoring.d.ts.map

package/dist/scoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAQjD;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,eAAe,GAAG,MAAM,CAoCvE;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAIjF"}

package/dist/scoring.js

@@ -0,0 +1,58 @@
+import { ALLOWED_PACKAGES } from './utils/helpers.js';
+/**
+ * エントロピー閾値（analyzer.tsと同じ値）
+ */
+const ENTROPY_THRESHOLD = 7.0;
+/**
+ * セキュリティスコアを計算（0-100、高いほど危険）
+ */
+export function calculateSecurityScore(signals) {
+    let score = 0;
+    // Critical violations（即100点 = 拒否）
+    if (signals.hasEval)
+        return 100;
+    if (signals.hasDynamicCodeExecution)
+        return 100;
+    if (signals.hasNetworkWithoutPermission)
+        return 100;
+    if (signals.hasGlobalVariableOverride)
+        return 100;
+    if (signals.hasStorageAccess)
+        return 100;
+    if (signals.hasNavigatorAccess)
+        return 100;
+    if (signals.hasDangerousDOMManipulation)
+        return 100;
+    if (signals.hasObfuscatedCode)
+        return 100;
+    // 疑わしいパターンの組み合わせ
+    if (signals.hasDynamicURLConstruction && signals.hasNetworkAPI) {
+        score += 40;
+    }
+    if (signals.entropy > ENTROPY_THRESHOLD) {
+        score += 15;
+    }
+    if (signals.suspiciousVariableNames) {
+        score += 10;
+    }
+    // 未許可パッケージ
+    const unknownPackages = signals.importedPackages.filter(pkg => !ALLOWED_PACKAGES.some(allowed => pkg.startsWith(allowed)));
+    score += unknownPackages.length * 20;
+    // 外部ドメイン参照（許可リスト外）
+    score += signals.referencedDomains.length * 25;
+    return Math.min(score, 100);
+}
+/**
+ * 判定基準:
+ * - score >= 70: 拒否
+ * - 50 <= score < 70: 要人的レビュー
+ * - score < 50: 自動承認
+ */
+export function getSecurityVerdict(score) {
+    if (score >= 70)
+        return 'REJECT';
+    if (score >= 50)
+        return 'REVIEW';
+    return 'APPROVE';
+}
+//# sourceMappingURL=scoring.js.map

package/dist/scoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.js","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAErD;;GAEG;AACH,MAAM,iBAAiB,GAAG,GAAG,CAAA;AAE7B;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAwB;IAC7D,IAAI,KAAK,GAAG,CAAC,CAAA;IAEb,kCAAkC;IAClC,IAAI,OAAO,CAAC,OAAO;QAAE,OAAO,GAAG,CAAA;IAC/B,IAAI,OAAO,CAAC,uBAAuB;QAAE,OAAO,GAAG,CAAA;IAC/C,IAAI,OAAO,CAAC,2BAA2B;QAAE,OAAO,GAAG,CAAA;IACnD,IAAI,OAAO,CAAC,yBAAyB;QAAE,OAAO,GAAG,CAAA;IACjD,IAAI,OAAO,CAAC,gBAAgB;QAAE,OAAO,GAAG,CAAA;IACxC,IAAI,OAAO,CAAC,kBAAkB;QAAE,OAAO,GAAG,CAAA;IAC1C,IAAI,OAAO,CAAC,2BAA2B;QAAE,OAAO,GAAG,CAAA;IACnD,IAAI,OAAO,CAAC,iBAAiB;QAAE,OAAO,GAAG,CAAA;IAEzC,iBAAiB;IACjB,IAAI,OAAO,CAAC,yBAAyB,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC/D,KAAK,IAAI,EAAE,CAAA;IACb,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACxC,KAAK,IAAI,EAAE,CAAA;IACb,CAAC;IAED,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;QACpC,KAAK,IAAI,EAAE,CAAA;IACb,CAAC;IAED,WAAW;IACX,MAAM,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CACrD,GAAG,CAAC,EAAE,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAClE,CAAA;IACD,KAAK,IAAI,eAAe,CAAC,MAAM,GAAG,EAAE,CAAA;IAEpC,mBAAmB;IACnB,KAAK,IAAI,OAAO,CAAC,iBAAiB,CAAC,MAAM,GAAG,EAAE,CAAA;IAE9C,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAA;IAChC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAA;IAChC,OAAO,SAAS,CAAA;AAClB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,82 @@
+/**
+ * セキュリティ解析の違反情報
+ */
+export interface Violation {
+    rule: string;
+    severity: 'critical' | 'warning';
+    message: string;
+    location?: {
+        line: number;
+        column: number;
+        code: string;
+    };
+}
+/**
+ * セキュリティシグナル（検出された脅威の情報）
+ */
+export interface SecuritySignals {
+    hasEval: boolean;
+    hasDynamicCodeExecution: boolean;
+    hasNetworkAPI: boolean;
+    hasNetworkWithoutPermission: boolean;
+    hasDynamicURLConstruction: boolean;
+    hasObfuscatedCode: boolean;
+    hasGlobalVariableOverride: boolean;
+    hasStorageAccess: boolean;
+    hasNavigatorAccess: boolean;
+    hasDangerousDOMManipulation: boolean;
+    entropy: number;
+    suspiciousVariableNames: boolean;
+    importedPackages: string[];
+    referencedDomains: string[];
+    detectedViolations: Violation[];
+}
+/**
+ * コードの権限設定
+ */
+export interface CodePermissions {
+    network?: {
+        allowedDomains: string[];
+    };
+}
+/**
+ * ファイルコンテキスト（検証ルールの調整に使用）
+ */
+export interface FileContext {
+    filePath: string;
+    isUserCode: boolean;
+    isSharedLibrary: boolean;
+    isBundledDependency: boolean;
+}
+/**
+ * コード検証リクエスト
+ */
+export interface ValidateCodeRequest {
+    code: string;
+    sourceMap?: string;
+    packageJson: {
+        dependencies: Record<string, string>;
+    };
+    manifestConfig?: {
+        permissions?: CodePermissions;
+    };
+    fileContext?: FileContext;
+}
+/**
+ * コード検証レスポンス
+ */
+export interface ValidateCodeResponse {
+    valid: boolean;
+    securityScore: number;
+    violations: {
+        critical: Violation[];
+        warnings: Violation[];
+    };
+    analysis: {
+        entropy: number;
+        suspiciousPatterns: string[];
+        detectedAPIs: string[];
+        externalDependencies: string[];
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,UAAU,GAAG,SAAS,CAAA;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE;QACT,IAAI,EAAE,MAAM,CAAA;QACZ,MAAM,EAAE,MAAM,CAAA;QACd,IAAI,EAAE,MAAM,CAAA;KACb,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,uBAAuB,EAAE,OAAO,CAAA;IAChC,aAAa,EAAE,OAAO,CAAA;IACtB,2BAA2B,EAAE,OAAO,CAAA;IACpC,yBAAyB,EAAE,OAAO,CAAA;IAClC,iBAAiB,EAAE,OAAO,CAAA;IAC1B,yBAAyB,EAAE,OAAO,CAAA;IAClC,gBAAgB,EAAE,OAAO,CAAA;IACzB,kBAAkB,EAAE,OAAO,CAAA;IAC3B,2BAA2B,EAAE,OAAO,CAAA;IACpC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,iBAAiB,EAAE,MAAM,EAAE,CAAA;IAC3B,kBAAkB,EAAE,SAAS,EAAE,CAAA;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,EAAE;QACR,cAAc,EAAE,MAAM,EAAE,CAAA;KACzB,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,OAAO,CAAA;IACnB,eAAe,EAAE,OAAO,CAAA;IACxB,mBAAmB,EAAE,OAAO,CAAA;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE;QACX,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KACrC,CAAA;IACD,cAAc,CAAC,EAAE;QACf,WAAW,CAAC,EAAE,eAAe,CAAA;KAC9B,CAAA;IACD,WAAW,CAAC,EAAE,WAAW,CAAA;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,OAAO,CAAA;IACd,aAAa,EAAE,MAAM,CAAA;IACrB,UAAU,EAAE;QACV,QAAQ,EAAE,SAAS,EAAE,CAAA;QACrB,QAAQ,EAAE,SAAS,EAAE,CAAA;KACtB,CAAA;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,MAAM,CAAA;QACf,kBAAkB,EAAE,MAAM,EAAE,CAAA;QAC5B,YAAY,EAAE,MAAM,EAAE,CAAA;QACtB,oBAAoB,EAAE,MAAM,EAAE,CAAA;KAC/B,CAAA;CACF"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/utils/file-context.d.ts

@@ -0,0 +1,21 @@
+import type { FileContext } from '../types.js';
+/**
+ * ファイルパスからコンテキストを判定
+ *
+ * 判定ロジック:
+ * - __federation_expose_World: ユーザーコード (最も厳格)
+ * - __federation_shared_: 共有ライブラリ (Module Federationが自動生成、緩和可能)
+ * - __federation_fn_import: Module Federationインフラ (厳格)
+ * - remoteEntry.js: Module Federationエントリーポイント (Module Federationが自動生成、緩和可能)
+ * - その他: バンドルされた依存ライブラリ (緩和可能)
+ */
+export declare function determineFileContext(filePath: string): FileContext;
+/**
+ * ファイルコンテキストに基づいて違反の重大度を調整
+ */
+export declare function adjustViolationSeverity(rule: string, originalSeverity: 'critical' | 'warning', context: FileContext): 'critical' | 'warning';
+/**
+ * ファイルコンテキストの説明を生成（デバッグ用）
+ */
+export declare function describeFileContext(context: FileContext): string;
+//# sourceMappingURL=file-context.d.ts.map

package/dist/utils/file-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-context.d.ts","sourceRoot":"","sources":["../../src/utils/file-context.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,CAwBlE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,MAAM,EACZ,gBAAgB,EAAE,UAAU,GAAG,SAAS,EACxC,OAAO,EAAE,WAAW,GACnB,UAAU,GAAG,SAAS,CAwCxB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAkBhE"}

package/dist/utils/file-context.js

@@ -0,0 +1,90 @@
+/**
+ * ファイルパスからコンテキストを判定
+ *
+ * 判定ロジック:
+ * - __federation_expose_World: ユーザーコード (最も厳格)
+ * - __federation_shared_: 共有ライブラリ (Module Federationが自動生成、緩和可能)
+ * - __federation_fn_import: Module Federationインフラ (厳格)
+ * - remoteEntry.js: Module Federationエントリーポイント (Module Federationが自動生成、緩和可能)
+ * - その他: バンドルされた依存ライブラリ (緩和可能)
+ */
+export function determineFileContext(filePath) {
+    const fileName = filePath.split('/').pop() || filePath;
+    // 1. ユーザーコード（__federation_expose_World-*.js）
+    const isUserCode = fileName.includes('__federation_expose_World-') && fileName.endsWith('.js');
+    // 2. 共有ライブラリ（__federation_shared_*/*.js）
+    const isSharedLibrary = fileName.startsWith('__federation_shared_') ||
+        filePath.includes('__federation_shared_');
+    // 3. バンドルされた依存ライブラリ（その他の*.js）
+    const isBundledDependency = !isUserCode &&
+        !isSharedLibrary &&
+        !fileName.includes('__federation_fn_import') &&
+        fileName !== 'remoteEntry.js';
+    return {
+        filePath: fileName,
+        isUserCode,
+        isSharedLibrary,
+        isBundledDependency
+    };
+}
+/**
+ * ファイルコンテキストに基づいて違反の重大度を調整
+ */
+export function adjustViolationSeverity(rule, originalSeverity, context) {
+    // ユーザーコードは常に厳格
+    if (context.isUserCode) {
+        return originalSeverity;
+    }
+    // __federation_fn_import は常に厳格
+    const fileName = context.filePath;
+    if (fileName.includes('__federation_fn_import')) {
+        return originalSeverity;
+    }
+    // 共有ライブラリ、バンドル依存、remoteEntryは一部のルールを緩和
+    const isRemoteEntry = fileName === 'remoteEntry.js';
+    if (context.isSharedLibrary || context.isBundledDependency || isRemoteEntry) {
+        const technicalViolations = [
+            'no-obfuscation',
+            'no-dangerous-dom',
+            'no-navigator-access',
+            'no-prototype-pollution',
+            'no-global-override',
+            'no-network-without-permission',
+        ];
+        if (technicalViolations.includes(rule)) {
+            return 'warning';
+        }
+        const criticalViolations = [
+            'no-eval',
+            'no-storage-access',
+            'no-storage-event',
+        ];
+        if (criticalViolations.includes(rule)) {
+            return 'critical';
+        }
+    }
+    return originalSeverity;
+}
+/**
+ * ファイルコンテキストの説明を生成（デバッグ用）
+ */
+export function describeFileContext(context) {
+    if (context.isUserCode) {
+        return 'ユーザーコード（最も厳格に検証）';
+    }
+    if (context.isSharedLibrary) {
+        return '共有ライブラリ（Module Federation自動生成、一部ルールを緩和）';
+    }
+    if (context.isBundledDependency) {
+        return 'バンドルされた依存ライブラリ（技術的違反を緩和）';
+    }
+    const fileName = context.filePath;
+    if (fileName === 'remoteEntry.js') {
+        return 'Module Federationエントリーポイント（Module Federation自動生成、一部ルールを緩和）';
+    }
+    if (fileName.includes('__federation_fn_import')) {
+        return 'Module Federation動的インポート（厳格に検証）';
+    }
+    return 'その他のファイル（標準的な検証）';
+}
+//# sourceMappingURL=file-context.js.map

package/dist/utils/file-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-context.js","sourceRoot":"","sources":["../../src/utils/file-context.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAA;IAEtD,6CAA6C;IAC7C,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,4BAA4B,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAE9F,yCAAyC;IACzC,MAAM,eAAe,GACnB,QAAQ,CAAC,UAAU,CAAC,sBAAsB,CAAC;QAC3C,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;IAE3C,8BAA8B;IAC9B,MAAM,mBAAmB,GACvB,CAAC,UAAU;QACX,CAAC,eAAe;QAChB,CAAC,QAAQ,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAC5C,QAAQ,KAAK,gBAAgB,CAAA;IAE/B,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,UAAU;QACV,eAAe;QACf,mBAAmB;KACpB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,IAAY,EACZ,gBAAwC,EACxC,OAAoB;IAEpB,eAAe;IACf,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;IACjC,IAAI,QAAQ,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;QAChD,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,uCAAuC;IACvC,MAAM,aAAa,GAAG,QAAQ,KAAK,gBAAgB,CAAA;IACnD,IAAI,OAAO,CAAC,eAAe,IAAI,OAAO,CAAC,mBAAmB,IAAI,aAAa,EAAE,CAAC;QAC5E,MAAM,mBAAmB,GAAG;YAC1B,gBAAgB;YAChB,kBAAkB;YAClB,qBAAqB;YACrB,wBAAwB;YACxB,oBAAoB;YACpB,+BAA+B;SAChC,CAAA;QAED,IAAI,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,MAAM,kBAAkB,GAAG;YACzB,SAAS;YACT,mBAAmB;YACnB,kBAAkB;SACnB,CAAA;QAED,IAAI,kBAAkB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACtC,OAAO,UAAU,CAAA;QACnB,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAoB;IACtD,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,OAAO,yCAAyC,CAAA;IAClD,CAAC;IACD,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;QAChC,OAAO,0BAA0B,CAAA;IACnC,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;IACjC,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;QAClC,OAAO,4DAA4D,CAAA;IACrE,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;QAChD,OAAO,iCAAiC,CAAA;IAC1C,CAAC;IACD,OAAO,kBAAkB,CAAA;AAC3B,CAAC"}

package/dist/utils/helpers.d.ts

@@ -0,0 +1,34 @@
+import type { Node } from 'acorn';
+/**
+ * シャノンエントロピーを計算（0-8の範囲）
+ */
+export declare function calculateEntropy(str: string): number;
+/**
+ * 文字列配列の平均エントロピーを計算
+ */
+export declare function calculateAverageEntropy(strings: string[]): number;
+/**
+ * URL文字列からドメイン名を抽出
+ */
+export declare function extractDomains(urls: string[]): string[];
+/**
+ * CallExpressionの呼び出し先名を取得
+ */
+export declare function getCalleeName(callee: any): string | null;
+/**
+ * ASTノードから位置情報を取得
+ */
+export declare function getLocation(node: Node): {
+    line: number;
+    column: number;
+    code: string;
+} | undefined;
+/**
+ * 許可されたパッケージリスト
+ */
+export declare const ALLOWED_PACKAGES: string[];
+/**
+ * 許可されたドメイン（CDN）
+ */
+export declare const ALLOWED_DOMAINS: string[];
+//# sourceMappingURL=helpers.d.ts.map

package/dist/utils/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/utils/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,OAAO,CAAA;AAEjC;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAepD;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,CAUjE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAUvD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAWxD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,IAAI,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAQlG;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,UAQ5B,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,UAI3B,CAAA"}

package/dist/utils/helpers.js

@@ -0,0 +1,93 @@
+/**
+ * シャノンエントロピーを計算（0-8の範囲）
+ */
+export function calculateEntropy(str) {
+    if (str.length === 0)
+        return 0;
+    const frequency = {};
+    for (const char of str) {
+        frequency[char] = (frequency[char] || 0) + 1;
+    }
+    let entropy = 0;
+    for (const char in frequency) {
+        const p = frequency[char] / str.length;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+/**
+ * 文字列配列の平均エントロピーを計算
+ */
+export function calculateAverageEntropy(strings) {
+    if (strings.length === 0)
+        return 0;
+    const entropies = strings
+        .filter(s => s.length > 20) // 20文字以上の文字列のみ対象
+        .map(calculateEntropy);
+    return entropies.length > 0
+        ? entropies.reduce((a, b) => a + b, 0) / entropies.length
+        : 0;
+}
+/**
+ * URL文字列からドメイン名を抽出
+ */
+export function extractDomains(urls) {
+    return urls
+        .map(url => {
+        try {
+            return new URL(url).hostname;
+        }
+        catch {
+            return null;
+        }
+    })
+        .filter((domain) => domain !== null);
+}
+/**
+ * CallExpressionの呼び出し先名を取得
+ */
+export function getCalleeName(callee) {
+    if (callee.type === 'Identifier') {
+        return callee.name;
+    }
+    if (callee.type === 'MemberExpression') {
+        const property = callee.property;
+        if (property.type === 'Identifier') {
+            return property.name;
+        }
+    }
+    return null;
+}
+/**
+ * ASTノードから位置情報を取得
+ */
+export function getLocation(node) {
+    if (!node.loc)
+        return undefined;
+    return {
+        line: node.loc.start.line,
+        column: node.loc.start.column,
+        code: '(code snippet)'
+    };
+}
+/**
+ * 許可されたパッケージリスト
+ */
+export const ALLOWED_PACKAGES = [
+    'react',
+    'react-dom',
+    'three',
+    '@react-three/fiber',
+    '@react-three/rapier',
+    '@react-three/drei',
+    '@xrift/world-sdk',
+];
+/**
+ * 許可されたドメイン（CDN）
+ */
+export const ALLOWED_DOMAINS = [
+    'cdn.jsdelivr.net',
+    'unpkg.com',
+    'esm.sh',
+];
+//# sourceMappingURL=helpers.js.map

package/dist/utils/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/utils/helpers.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAA;IAE9B,MAAM,SAAS,GAA2B,EAAE,CAAA;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;IAC9C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAA;IACf,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,CAAA;QACtC,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAC7B,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAiB;IACvD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAA;IAElC,MAAM,SAAS,GAAG,OAAO;SACtB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,iBAAiB;SAC5C,GAAG,CAAC,gBAAgB,CAAC,CAAA;IAExB,OAAO,SAAS,CAAC,MAAM,GAAG,CAAC;QACzB,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,SAAS,CAAC,MAAM;QACzD,CAAC,CAAC,CAAC,CAAA;AACP,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAc;IAC3C,OAAO,IAAI;SACR,GAAG,CAAC,GAAG,CAAC,EAAE;QACT,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAA;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,MAAM,EAAoB,EAAE,CAAC,MAAM,KAAK,IAAI,CAAC,CAAA;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAW;IACvC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;QAChC,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACnC,OAAO,QAAQ,CAAC,IAAI,CAAA;QACtB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAU;IACpC,IAAI,CAAC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAA;IAE/B,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI;QACzB,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM;QAC7B,IAAI,EAAE,gBAAgB;KACvB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,OAAO;IACP,WAAW;IACX,OAAO;IACP,oBAAoB;IACpB,qBAAqB;IACrB,mBAAmB;IACnB,kBAAkB;CACnB,CAAA;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,kBAAkB;IAClB,WAAW;IACX,QAAQ;CACT,CAAA"}

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@xrift/code-security",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "Code security analyzer powered by acorn",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "security",
+    "code-analysis",
+    "acorn"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "acorn": "^8.14.0",
+    "acorn-walk": "^8.3.4"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  }
+}