@yoda.digital/iris-gateway 1.13.3

package/dist/security/allowlist-store.js

@@ -0,0 +1,52 @@
+import { readFile, writeFile } from "node:fs/promises";
+import { mkdirSync } from "node:fs";
+import { join } from "node:path";
+import { withFileLock } from "../utils/file-lock.js";
+export class AllowlistStore {
+    filePath;
+    constructor(dataDir) {
+        mkdirSync(dataDir, { recursive: true });
+        this.filePath = join(dataDir, "allowlist.json");
+    }
+    async isAllowed(channelId, senderId) {
+        const entries = await this.readEntries();
+        return entries.some((e) => e.channelId === channelId && e.senderId === senderId);
+    }
+    async add(channelId, senderId, approvedBy) {
+        await withFileLock(this.filePath, async () => {
+            const entries = await this.readEntries();
+            const exists = entries.some((e) => e.channelId === channelId && e.senderId === senderId);
+            if (!exists) {
+                entries.push({ channelId, senderId, approvedBy, approvedAt: Date.now() });
+                await this.writeEntries(entries);
+            }
+        });
+    }
+    async remove(channelId, senderId) {
+        return withFileLock(this.filePath, async () => {
+            const entries = await this.readEntries();
+            const filtered = entries.filter((e) => !(e.channelId === channelId && e.senderId === senderId));
+            const removed = filtered.length < entries.length;
+            if (removed)
+                await this.writeEntries(filtered);
+            return removed;
+        });
+    }
+    async list(channelId) {
+        const entries = await this.readEntries();
+        return entries.filter((e) => e.channelId === channelId);
+    }
+    async readEntries() {
+        try {
+            const raw = await readFile(this.filePath, "utf-8");
+            return JSON.parse(raw);
+        }
+        catch {
+            return [];
+        }
+    }
+    async writeEntries(entries) {
+        await writeFile(this.filePath, JSON.stringify(entries, null, 2));
+    }
+}
+//# sourceMappingURL=allowlist-store.js.map

package/dist/security/allowlist-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist-store.js","sourceRoot":"","sources":["../../src/security/allowlist-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AASrD,MAAM,OAAO,cAAc;IACR,QAAQ,CAAS;IAElC,YAAY,OAAe;QACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,SAAiB,EAAE,QAAgB;QACjD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACzC,OAAO,OAAO,CAAC,IAAI,CACjB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAC5D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAiB,EACjB,QAAgB,EAChB,UAAmB;QAEnB,MAAM,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CACzB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAC5D,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC1E,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YACnC,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,QAAgB;QAC9C,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAC/D,CAAC;YACF,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YACjD,IAAI,OAAO;gBAAE,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC/C,OAAO,OAAO,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAiB;QAC1B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACzC,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,OAAyB;QAClD,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC;CACF"}

package/dist/security/dm-policy.d.ts

@@ -0,0 +1,32 @@
+import type { DmPolicyMode, SecurityConfig } from "../config/types.js";
+import type { AllowlistStore } from "./allowlist-store.js";
+import type { PairingStore } from "./pairing-store.js";
+import type { RateLimiter } from "./rate-limiter.js";
+export interface SecurityCheckParams {
+    readonly channelId: string;
+    readonly senderId: string;
+    readonly senderName: string;
+    readonly chatType: "dm" | "group";
+    readonly channelDmPolicy?: DmPolicyMode;
+}
+export type SecurityCheckResult = {
+    allowed: true;
+} | {
+    allowed: false;
+    reason: "disabled" | "not_allowed" | "rate_limited";
+    message?: string;
+} | {
+    allowed: false;
+    reason: "pairing_required";
+    pairingCode: string;
+    message: string;
+};
+export declare class SecurityGate {
+    private readonly pairingStore;
+    private readonly allowlistStore;
+    private readonly rateLimiter;
+    private readonly config;
+    constructor(pairingStore: PairingStore, allowlistStore: AllowlistStore, rateLimiter: RateLimiter, config: SecurityConfig);
+    check(params: SecurityCheckParams): Promise<SecurityCheckResult>;
+}
+//# sourceMappingURL=dm-policy.d.ts.map

package/dist/security/dm-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dm-policy.d.ts","sourceRoot":"","sources":["../../src/security/dm-policy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACvE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,IAAI,GAAG,OAAO,CAAC;IAClC,QAAQ,CAAC,eAAe,CAAC,EAAE,YAAY,CAAC;CACzC;AAED,MAAM,MAAM,mBAAmB,GAC3B;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,GACjB;IACE,OAAO,EAAE,KAAK,CAAC;IACf,MAAM,EAAE,UAAU,GAAG,aAAa,GAAG,cAAc,CAAC;IACpD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GACD;IACE,OAAO,EAAE,KAAK,CAAC;IACf,MAAM,EAAE,kBAAkB,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEN,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,YAAY;IAC7B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAC/B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAHN,YAAY,EAAE,YAAY,EAC1B,cAAc,EAAE,cAAc,EAC9B,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,cAAc;IAGnC,KAAK,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAqEvE"}

package/dist/security/dm-policy.js

@@ -0,0 +1,67 @@
+export class SecurityGate {
+    pairingStore;
+    allowlistStore;
+    rateLimiter;
+    config;
+    constructor(pairingStore, allowlistStore, rateLimiter, config) {
+        this.pairingStore = pairingStore;
+        this.allowlistStore = allowlistStore;
+        this.rateLimiter = rateLimiter;
+        this.config = config;
+    }
+    async check(params) {
+        const policy = params.channelDmPolicy ?? this.config.defaultDmPolicy;
+        // Rate limit check (applies to all modes except disabled)
+        if (policy !== "disabled") {
+            const rateLimitKey = `${params.channelId}:${params.senderId}`;
+            const rateResult = this.rateLimiter.check(rateLimitKey);
+            if (!rateResult.allowed) {
+                return {
+                    allowed: false,
+                    reason: "rate_limited",
+                    message: `Rate limited. Try again in ${Math.ceil((rateResult.retryAfterMs ?? 0) / 1000)}s.`,
+                };
+            }
+            this.rateLimiter.hit(rateLimitKey);
+        }
+        switch (policy) {
+            case "open":
+                return { allowed: true };
+            case "disabled":
+                return {
+                    allowed: false,
+                    reason: "disabled",
+                    message: "This channel is currently disabled.",
+                };
+            case "allowlist": {
+                const isAllowed = await this.allowlistStore.isAllowed(params.channelId, params.senderId);
+                if (isAllowed)
+                    return { allowed: true };
+                return {
+                    allowed: false,
+                    reason: "not_allowed",
+                    message: "You are not on the allowlist for this channel.",
+                };
+            }
+            case "pairing": {
+                const isAllowed = await this.allowlistStore.isAllowed(params.channelId, params.senderId);
+                if (isAllowed)
+                    return { allowed: true };
+                const code = await this.pairingStore.issueCode(params.channelId, params.senderId);
+                return {
+                    allowed: false,
+                    reason: "pairing_required",
+                    pairingCode: code,
+                    message: `Hi ${params.senderName}! To start chatting, ask the owner to approve your pairing code: ${code}`,
+                };
+            }
+            default:
+                return {
+                    allowed: false,
+                    reason: "disabled",
+                    message: "Unknown policy mode.",
+                };
+        }
+    }
+}
+//# sourceMappingURL=dm-policy.js.map

package/dist/security/dm-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dm-policy.js","sourceRoot":"","sources":["../../src/security/dm-policy.ts"],"names":[],"mappings":"AA2BA,MAAM,OAAO,YAAY;IAEJ;IACA;IACA;IACA;IAJnB,YACmB,YAA0B,EAC1B,cAA8B,EAC9B,WAAwB,EACxB,MAAsB;QAHtB,iBAAY,GAAZ,YAAY,CAAc;QAC1B,mBAAc,GAAd,cAAc,CAAgB;QAC9B,gBAAW,GAAX,WAAW,CAAa;QACxB,WAAM,GAAN,MAAM,CAAgB;IACtC,CAAC;IAEJ,KAAK,CAAC,KAAK,CAAC,MAA2B;QACrC,MAAM,MAAM,GACV,MAAM,CAAC,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC;QAExD,0DAA0D;QAC1D,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YACxD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBACxB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,cAAc;oBACtB,OAAO,EAAE,8BAA8B,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI;iBAC5F,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACrC,CAAC;QAED,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,MAAM;gBACT,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,UAAU;gBACb,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,UAAU;oBAClB,OAAO,EAAE,qCAAqC;iBAC/C,CAAC;YAEJ,KAAK,WAAW,CAAC,CAAC,CAAC;gBACjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,SAAS,CACnD,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,QAAQ,CAChB,CAAC;gBACF,IAAI,SAAS;oBAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;gBACxC,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,aAAa;oBACrB,OAAO,EAAE,gDAAgD;iBAC1D,CAAC;YACJ,CAAC;YAED,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,SAAS,CACnD,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,QAAQ,CAChB,CAAC;gBACF,IAAI,SAAS;oBAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;gBAExC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,CAC5C,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,QAAQ,CAChB,CAAC;gBACF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,kBAAkB;oBAC1B,WAAW,EAAE,IAAI;oBACjB,OAAO,EAAE,MAAM,MAAM,CAAC,UAAU,oEAAoE,IAAI,EAAE;iBAC3G,CAAC;YACJ,CAAC;YAED;gBACE,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,UAAU;oBAClB,OAAO,EAAE,sBAAsB;iBAChC,CAAC;QACN,CAAC;IACH,CAAC;CACF"}

package/dist/security/pairing-store.d.ts

@@ -0,0 +1,25 @@
+export interface PairingRequest {
+    readonly code: string;
+    readonly channelId: string;
+    readonly senderId: string;
+    readonly createdAt: number;
+    readonly expiresAt: number;
+}
+export declare class PairingStore {
+    private readonly filePath;
+    private readonly ttlMs;
+    private readonly codeLength;
+    constructor(dataDir: string, ttlMs?: number, codeLength?: number);
+    issueCode(channelId: string, senderId: string): Promise<string>;
+    approveCode(code: string): Promise<{
+        channelId: string;
+        senderId: string;
+    } | null>;
+    listPending(): Promise<PairingRequest[]>;
+    revokeCode(code: string): Promise<boolean>;
+    private generateCode;
+    private pruneExpired;
+    private readRequests;
+    private writeRequests;
+}
+//# sourceMappingURL=pairing-store.d.ts.map

package/dist/security/pairing-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pairing-store.d.ts","sourceRoot":"","sources":["../../src/security/pairing-store.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,EAAE,MAAM,EAAE,KAAK,SAAY,EAAE,UAAU,SAAI;IAOxD,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwB/D,WAAW,CACf,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAkBpD,WAAW,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IAYxC,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYhD,OAAO,CAAC,YAAY;IASpB,OAAO,CAAC,YAAY;YAUN,YAAY;YASZ,aAAa;CAG5B"}

package/dist/security/pairing-store.js

@@ -0,0 +1,103 @@
+import { readFile, writeFile } from "node:fs/promises";
+import { mkdirSync } from "node:fs";
+import { randomBytes } from "node:crypto";
+import { join } from "node:path";
+import { withFileLock } from "../utils/file-lock.js";
+const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // No 0O1I
+export class PairingStore {
+    filePath;
+    ttlMs;
+    codeLength;
+    constructor(dataDir, ttlMs = 3_600_000, codeLength = 8) {
+        mkdirSync(dataDir, { recursive: true });
+        this.filePath = join(dataDir, "pairing.json");
+        this.ttlMs = ttlMs;
+        this.codeLength = codeLength;
+    }
+    async issueCode(channelId, senderId) {
+        return withFileLock(this.filePath, async () => {
+            const requests = await this.readRequests();
+            this.pruneExpired(requests);
+            const existing = requests.find((r) => r.channelId === channelId && r.senderId === senderId);
+            if (existing)
+                return existing.code;
+            const code = this.generateCode();
+            const now = Date.now();
+            requests.push({
+                code,
+                channelId,
+                senderId,
+                createdAt: now,
+                expiresAt: now + this.ttlMs,
+            });
+            await this.writeRequests(requests);
+            return code;
+        });
+    }
+    async approveCode(code) {
+        return withFileLock(this.filePath, async () => {
+            const requests = await this.readRequests();
+            this.pruneExpired(requests);
+            const idx = requests.findIndex((r) => r.code === code.toUpperCase());
+            if (idx === -1)
+                return null;
+            const request = requests[idx];
+            const result = { channelId: request.channelId, senderId: request.senderId };
+            requests.splice(idx, 1);
+            await this.writeRequests(requests);
+            return result;
+        });
+    }
+    async listPending() {
+        return withFileLock(this.filePath, async () => {
+            const requests = await this.readRequests();
+            const before = requests.length;
+            this.pruneExpired(requests);
+            if (requests.length !== before) {
+                await this.writeRequests(requests);
+            }
+            return [...requests];
+        });
+    }
+    async revokeCode(code) {
+        return withFileLock(this.filePath, async () => {
+            const requests = await this.readRequests();
+            const idx = requests.findIndex((r) => r.code === code.toUpperCase());
+            if (idx === -1)
+                return false;
+            requests.splice(idx, 1);
+            await this.writeRequests(requests);
+            return true;
+        });
+    }
+    generateCode() {
+        const bytes = randomBytes(this.codeLength);
+        let code = "";
+        for (let i = 0; i < this.codeLength; i++) {
+            code += ALPHABET[bytes[i] % ALPHABET.length];
+        }
+        return code;
+    }
+    pruneExpired(requests) {
+        const now = Date.now();
+        let i = requests.length;
+        while (i--) {
+            if (requests[i].expiresAt <= now) {
+                requests.splice(i, 1);
+            }
+        }
+    }
+    async readRequests() {
+        try {
+            const raw = await readFile(this.filePath, "utf-8");
+            return JSON.parse(raw);
+        }
+        catch {
+            return [];
+        }
+    }
+    async writeRequests(requests) {
+        await writeFile(this.filePath, JSON.stringify(requests, null, 2));
+    }
+}
+//# sourceMappingURL=pairing-store.js.map

package/dist/security/pairing-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pairing-store.js","sourceRoot":"","sources":["../../src/security/pairing-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,MAAM,QAAQ,GAAG,kCAAkC,CAAC,CAAC,UAAU;AAU/D,MAAM,OAAO,YAAY;IACN,QAAQ,CAAS;IACjB,KAAK,CAAS;IACd,UAAU,CAAS;IAEpC,YAAY,OAAe,EAAE,KAAK,GAAG,SAAS,EAAE,UAAU,GAAG,CAAC;QAC5D,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,SAAiB,EAAE,QAAgB;QACjD,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAE5B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAC5D,CAAC;YACF,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC,IAAI,CAAC;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI;gBACJ,SAAS;gBACT,QAAQ;gBACR,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,KAAK;aAC5B,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CACf,IAAY;QAEZ,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAE5B,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,WAAW,EAAE,CACrC,CAAC;YACF,IAAI,GAAG,KAAK,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YAE5B,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC5E,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACxB,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YACnC,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;YAC/B,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC5B,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC/B,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YACrC,CAAC;YACD,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;QACvB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAY;QAC3B,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YACrE,IAAI,GAAG,KAAK,CAAC,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE7B,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACxB,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,YAAY;QAClB,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,YAAY,CAAC,QAA0B;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,EAAE,CAAC;YACX,IAAI,QAAQ,CAAC,CAAC,CAAE,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;gBAClC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,QAA0B;QACpD,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC;CACF"}

package/dist/security/rate-limiter.d.ts

@@ -0,0 +1,17 @@
+export interface RateLimitConfig {
+    readonly perMinute: number;
+    readonly perHour: number;
+}
+export interface RateLimitResult {
+    readonly allowed: boolean;
+    readonly retryAfterMs?: number;
+}
+export declare class RateLimiter {
+    private readonly config;
+    private readonly windows;
+    constructor(config: RateLimitConfig);
+    check(key: string): RateLimitResult;
+    hit(key: string): void;
+    private getTimestamps;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/security/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,qBAAa,WAAW;IAGV,OAAO,CAAC,QAAQ,CAAC,MAAM;IAFnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA+B;gBAE1B,MAAM,EAAE,eAAe;IAEpD,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe;IAsBnC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAOtB,OAAO,CAAC,aAAa;CAWtB"}

package/dist/security/rate-limiter.js

@@ -0,0 +1,43 @@
+export class RateLimiter {
+    config;
+    windows = new Map();
+    constructor(config) {
+        this.config = config;
+    }
+    check(key) {
+        const now = Date.now();
+        const timestamps = this.getTimestamps(key, now);
+        const oneMinuteAgo = now - 60_000;
+        const oneHourAgo = now - 3_600_000;
+        const minuteCount = timestamps.filter((t) => t > oneMinuteAgo).length;
+        if (minuteCount >= this.config.perMinute) {
+            const oldest = timestamps.find((t) => t > oneMinuteAgo);
+            return { allowed: false, retryAfterMs: oldest + 60_000 - now };
+        }
+        const hourCount = timestamps.filter((t) => t > oneHourAgo).length;
+        if (hourCount >= this.config.perHour) {
+            const oldest = timestamps.find((t) => t > oneHourAgo);
+            return { allowed: false, retryAfterMs: oldest + 3_600_000 - now };
+        }
+        return { allowed: true };
+    }
+    hit(key) {
+        const now = Date.now();
+        const timestamps = this.getTimestamps(key, now);
+        timestamps.push(now);
+        this.windows.set(key, timestamps);
+    }
+    getTimestamps(key, now) {
+        const existing = this.windows.get(key) ?? [];
+        const oneHourAgo = now - 3_600_000;
+        const pruned = existing.filter((t) => t > oneHourAgo);
+        if (pruned.length === 0) {
+            this.windows.delete(key);
+        }
+        else {
+            this.windows.set(key, pruned);
+        }
+        return pruned;
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/security/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAUA,MAAM,OAAO,WAAW;IAGO;IAFZ,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAEvD,YAA6B,MAAuB;QAAvB,WAAM,GAAN,MAAM,CAAiB;IAAG,CAAC;IAExD,KAAK,CAAC,GAAW;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAEhD,MAAM,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC;QAClC,MAAM,UAAU,GAAG,GAAG,GAAG,SAAS,CAAC;QAEnC,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC,MAAM,CAAC;QACtE,IAAI,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,YAAY,CAAE,CAAC;YACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,GAAG,EAAE,CAAC;QACjE,CAAC;QAED,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC,MAAM,CAAC;QAClE,IAAI,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,UAAU,CAAE,CAAC;YACvD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,GAAG,EAAE,CAAC;QACpE,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,GAAG,CAAC,GAAW;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAChD,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACpC,CAAC;IAEO,aAAa,CAAC,GAAW,EAAE,GAAW;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC7C,MAAM,UAAU,GAAG,GAAG,GAAG,SAAS,CAAC;QACnC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC;QACtD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAChC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/security/scan-rules.d.ts

@@ -0,0 +1,3 @@
+import type { ScanRule } from "./scan-types.js";
+export declare const SCAN_RULES: readonly ScanRule[];
+//# sourceMappingURL=scan-rules.d.ts.map

package/dist/security/scan-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-rules.d.ts","sourceRoot":"","sources":["../../src/security/scan-rules.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAEhD,eAAO,MAAM,UAAU,EAAE,SAAS,QAAQ,EA6EhC,CAAC"}

package/dist/security/scan-rules.js

@@ -0,0 +1,79 @@
+export const SCAN_RULES = [
+    {
+        id: "dangerous-exec",
+        severity: "critical",
+        description: "Shell command execution detected",
+        type: "line",
+        pattern: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/,
+        context: /child_process/,
+        contextType: "import",
+    },
+    {
+        id: "dynamic-eval",
+        severity: "critical",
+        description: "Dynamic code execution (eval/Function constructor)",
+        type: "line",
+        pattern: /\beval\s*\(|new\s+Function\s*\(/,
+    },
+    {
+        id: "crypto-mining",
+        severity: "critical",
+        description: "Cryptocurrency mining signatures",
+        type: "line",
+        pattern: /stratum\+tcp|coinhive|cryptonight|xmrig/i,
+    },
+    {
+        id: "env-harvesting",
+        severity: "critical",
+        description: "Environment variables accessed near network calls",
+        type: "source",
+        pattern: /process\.env/,
+        context: /\bfetch\b|http\.request|https\.request|axios\b|got\(/,
+        contextType: "source",
+    },
+    {
+        id: "data-exfiltration",
+        severity: "warn",
+        description: "File read combined with network request",
+        type: "source",
+        pattern: /readFileSync|readFile|createReadStream/,
+        context: /\bfetch\b|http\.request|https\.request/,
+        contextType: "source",
+    },
+    {
+        id: "obfuscated-code",
+        severity: "warn",
+        description: "Obfuscated code detected (hex/base64 sequences)",
+        type: "line",
+        pattern: /(\\x[0-9a-fA-F]{2}){6,}|atob\s*\(.*[A-Za-z0-9+/=]{200,}/,
+    },
+    {
+        id: "suspicious-network",
+        severity: "warn",
+        description: "WebSocket connection to non-standard port",
+        type: "line",
+        pattern: /new\s+WebSocket\s*\(\s*['"`]wss?:\/\/[^'"]*:\d{4,5}/,
+    },
+    {
+        id: "global-override",
+        severity: "warn",
+        description: "Global object or prototype manipulation",
+        type: "line",
+        pattern: /globalThis\s*[.[=]|Object\.defineProperty\s*\(\s*global/,
+    },
+    {
+        id: "fs-write",
+        severity: "info",
+        description: "Filesystem write operations",
+        type: "line",
+        pattern: /writeFileSync|writeFile|appendFile|createWriteStream/,
+    },
+    {
+        id: "dns-lookup",
+        severity: "info",
+        description: "DNS resolution calls",
+        type: "line",
+        pattern: /dns\.resolve|dns\.lookup|dns\.reverse/,
+    },
+];
+//# sourceMappingURL=scan-rules.js.map

package/dist/security/scan-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-rules.js","sourceRoot":"","sources":["../../src/security/scan-rules.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,UAAU,GAAwB;IAC7C;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,kCAAkC;QAC/C,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,iDAAiD;QAC1D,OAAO,EAAE,eAAe;QACxB,WAAW,EAAE,QAAQ;KACtB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oDAAoD;QACjE,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,iCAAiC;KAC3C;IACD;QACE,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,kCAAkC;QAC/C,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,0CAA0C;KACpD;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mDAAmD;QAChE,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,cAAc;QACvB,OAAO,EAAE,sDAAsD;QAC/D,WAAW,EAAE,QAAQ;KACtB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;QACtD,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,wCAAwC;QACjD,OAAO,EAAE,wCAAwC;QACjD,WAAW,EAAE,QAAQ;KACtB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,iDAAiD;QAC9D,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yDAAyD;KACnE;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;QACxD,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,qDAAqD;KAC/D;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;QACtD,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,yDAAyD;KACnE;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6BAA6B;QAC1C,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,sDAAsD;KAChE;IACD;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sBAAsB;QACnC,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,uCAAuC;KACjD;CACO,CAAC"}

package/dist/security/scan-types.d.ts

@@ -0,0 +1,27 @@
+export type ScanSeverity = "critical" | "warn" | "info";
+export interface ScanRule {
+    readonly id: string;
+    readonly severity: ScanSeverity;
+    readonly description: string;
+    readonly type: "line" | "source";
+    readonly pattern: RegExp;
+    readonly context?: RegExp;
+    readonly contextType?: "import" | "source";
+}
+export interface ScanFinding {
+    readonly ruleId: string;
+    readonly severity: ScanSeverity;
+    readonly file: string;
+    readonly line: number;
+    readonly message: string;
+    readonly evidence: string;
+}
+export interface ScanResult {
+    readonly safe: boolean;
+    readonly scannedFiles: number;
+    readonly findings: ScanFinding[];
+    readonly critical: number;
+    readonly warn: number;
+    readonly info: number;
+}
+//# sourceMappingURL=scan-types.d.ts.map

package/dist/security/scan-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-types.d.ts","sourceRoot":"","sources":["../../src/security/scan-types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,MAAM,GAAG,MAAM,CAAC;AAExD,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAAC;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAC;CAC5C;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC;IACjC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB"}

package/dist/security/scan-types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=scan-types.js.map

package/dist/security/scan-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-types.js","sourceRoot":"","sources":["../../src/security/scan-types.ts"],"names":[],"mappings":""}

package/dist/security/scanner.d.ts

@@ -0,0 +1,8 @@
+import type { ScanFinding, ScanResult } from "./scan-types.js";
+export declare class SecurityScanner {
+    scanSource(source: string, filePath: string): ScanFinding[];
+    buildResult(findings: ScanFinding[], scannedFiles: number): ScanResult;
+    scanDirectory(dir: string): Promise<ScanResult>;
+    private discoverFiles;
+}
+//# sourceMappingURL=scanner.d.ts.map

package/dist/security/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/security/scanner.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAM/D,qBAAa,eAAe;IAC1B,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,WAAW,EAAE;IAsD3D,WAAW,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,YAAY,EAAE,MAAM,GAAG,UAAU;IAOhE,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;YAcvC,aAAa;CAgB5B"}

package/dist/security/scanner.js

@@ -0,0 +1,105 @@
+import { readdir, readFile, stat } from "node:fs/promises";
+import { join, extname } from "node:path";
+import { SCAN_RULES } from "./scan-rules.js";
+const SCANNABLE_EXTENSIONS = new Set([".ts", ".js", ".tsx", ".jsx", ".mjs", ".cjs"]);
+const MAX_FILE_SIZE = 1_048_576; // 1MB
+const MAX_FILES = 500;
+export class SecurityScanner {
+    scanSource(source, filePath) {
+        const findings = [];
+        const lines = source.split("\n");
+        const matchedRules = new Set();
+        // Line rules
+        for (const rule of SCAN_RULES) {
+            if (rule.type !== "line" || matchedRules.has(rule.id))
+                continue;
+            if (rule.context && rule.contextType === "import" && !rule.context.test(source))
+                continue;
+            for (let i = 0; i < lines.length; i++) {
+                if (rule.pattern.test(lines[i])) {
+                    findings.push({
+                        ruleId: rule.id,
+                        severity: rule.severity,
+                        file: filePath,
+                        line: i + 1,
+                        message: rule.description,
+                        evidence: lines[i].trim().slice(0, 200),
+                    });
+                    matchedRules.add(rule.id);
+                    break;
+                }
+            }
+        }
+        // Source rules
+        for (const rule of SCAN_RULES) {
+            if (rule.type !== "source" || matchedRules.has(rule.id))
+                continue;
+            if (!rule.pattern.test(source))
+                continue;
+            if (rule.context && !rule.context.test(source))
+                continue;
+            // Find first matching line for evidence
+            let evidenceLine = 1;
+            let evidence = "";
+            for (let i = 0; i < lines.length; i++) {
+                if (rule.pattern.test(lines[i])) {
+                    evidenceLine = i + 1;
+                    evidence = lines[i].trim().slice(0, 200);
+                    break;
+                }
+            }
+            findings.push({
+                ruleId: rule.id,
+                severity: rule.severity,
+                file: filePath,
+                line: evidenceLine,
+                message: rule.description,
+                evidence,
+            });
+            matchedRules.add(rule.id);
+        }
+        return findings;
+    }
+    buildResult(findings, scannedFiles) {
+        const critical = findings.filter((f) => f.severity === "critical").length;
+        const warn = findings.filter((f) => f.severity === "warn").length;
+        const info = findings.filter((f) => f.severity === "info").length;
+        return { safe: critical === 0, scannedFiles, findings, critical, warn, info };
+    }
+    async scanDirectory(dir) {
+        const files = await this.discoverFiles(dir);
+        const allFindings = [];
+        for (const file of files) {
+            try {
+                const source = await readFile(file, "utf-8");
+                allFindings.push(...this.scanSource(source, file));
+            }
+            catch {
+                // Skip unreadable files
+            }
+        }
+        return this.buildResult(allFindings, files.length);
+    }
+    async discoverFiles(dir, collected = []) {
+        if (collected.length >= MAX_FILES)
+            return collected;
+        const entries = await readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            if (collected.length >= MAX_FILES)
+                break;
+            if (entry.name.startsWith(".") || entry.name === "node_modules")
+                continue;
+            const full = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                await this.discoverFiles(full, collected);
+            }
+            else if (SCANNABLE_EXTENSIONS.has(extname(entry.name))) {
+                const s = await stat(full);
+                if (s.size <= MAX_FILE_SIZE)
+                    collected.push(full);
+            }
+        }
+        return collected;
+    }
+}
+//# sourceMappingURL=scanner.js.map

package/dist/security/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/security/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAG7C,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AACrF,MAAM,aAAa,GAAG,SAAS,CAAC,CAAC,MAAM;AACvC,MAAM,SAAS,GAAG,GAAG,CAAC;AAEtB,MAAM,OAAO,eAAe;IAC1B,UAAU,CAAC,MAAc,EAAE,QAAgB;QACzC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;QAEvC,aAAa;QACb,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAAE,SAAS;YAChE,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,SAAS;YAC1F,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChC,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE,IAAI,CAAC,WAAW;wBACzB,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;qBACxC,CAAC,CAAC;oBACH,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBAC1B,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,eAAe;QACf,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAAE,SAAS;YAClE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,SAAS;YACzC,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,SAAS;YACzD,wCAAwC;YACxC,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,IAAI,QAAQ,GAAG,EAAE,CAAC;YAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChC,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC;oBACrB,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;oBACzC,MAAM;gBACR,CAAC;YACH,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,IAAI,CAAC,WAAW;gBACzB,QAAQ;aACT,CAAC,CAAC;YACH,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC5B,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,WAAW,CAAC,QAAuB,EAAE,YAAoB;QACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;QAC1E,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QAClE,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QAClE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,CAAC,EAAE,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,WAAW,GAAkB,EAAE,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBAC7C,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrD,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,YAAsB,EAAE;QAC/D,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS;YAAE,OAAO,SAAS,CAAC;QACpD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS;gBAAE,MAAM;YACzC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc;gBAAE,SAAS;YAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YAC5C,CAAC;iBAAM,IAAI,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBACzD,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3B,IAAI,CAAC,CAAC,IAAI,IAAI,aAAa;oBAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}