aegis-ast 1.0.0

package/README.md

@@ -0,0 +1,138 @@
+# 🛡️ Aegis
+
+### Secure Package Installation via Static Code Verification
+
+---
+
+## One-Line Pitch
+
+> **Aegis-AST verifies code truth before execution, stopping supply-chain attacks at install time.**
+
+---
+
+## 🚀 Quick Start
+
+```bash
+# 1. Install dependencies
+npm install
+
+# 2. Build
+npm run build
+
+# 3. Run in development mode
+npm run dev
+
+# 4. Or run the CLI directly
+npx ts-node src/main.ts install axios
+```
+
+---
+
+## 📁 Project Structure
+
+```
+aegis/
+├── src/
+│   ├── main.ts                 # CLI entry point (Person 4)
+│   ├── types/
+│   │   └── index.ts            # 🔒 Shared type contracts (DO NOT modify alone)
+│   ├── core/
+│   │   ├── index.ts            # Barrel export
+│   │   ├── fetcher.ts          # Package fetcher (Person 1)
+│   │   ├── imports.ts          # Import extractor (Person 1)
+│   │   ├── comparator.ts       # Dependency comparator (Person 1)
+│   │   ├── risk_engine.ts      # Risk scoring (Person 3)
+│   │   └── policy.ts           # Decision engine (Person 3)
+│   ├── scanner/
+│   │   ├── index.ts            # Barrel export
+│   │   ├── scripts.ts          # Script scanner (Person 2)
+│   │   ├── network.ts          # Network detection (Person 2)
+│   │   ├── entropy.ts          # Entropy detection (Person 2)
+│   │   ├── fs_access.ts        # FS access detection (Person 2)
+│   │   ├── exec.ts             # Exec detection (Person 2)
+│   │   └── eval.ts             # Eval detection (Person 2)
+│   └── utils/
+│       ├── index.ts            # Barrel export
+│       ├── logger.ts           # MongoDB logger (Person 3)
+│       └── file_walker.ts      # 🔧 Shared file walker (IMPLEMENTED)
+├── tests/
+│   └── comparator.test.ts      # Example test
+├── package.json
+├── tsconfig.json
+├── jest.config.js
+├── .env.example
+├── .gitignore
+└── README.md
+```
+
+---
+
+## 👥 Team Ownership
+
+| Person | Role | Files |
+|--------|------|-------|
+| **P1** | Core Engine | `fetcher.ts`, `imports.ts`, `comparator.ts` |
+| **P2** | Security Detection | `scripts.ts`, `network.ts`, `entropy.ts`, `fs_access.ts`, `exec.ts`, `eval.ts` |
+| **P3** | Risk Engine + Backend | `risk_engine.ts`, `policy.ts`, `logger.ts` |
+| **P4** | CLI + Demo + UX | `main.ts`, demo setup, dashboard |
+
+---
+
+## 🔗 Integration Contract
+
+### Input to Risk Engine (all signals merged)
+
+```json
+{
+  "phantom": [],
+  "scripts": [],
+  "network": [],
+  "entropy": [],
+  "fs": [],
+  "exec": [],
+  "eval": []
+}
+```
+
+### Output from Policy Engine
+
+```json
+{
+  "score": 85,
+  "decision": "BLOCK",
+  "reasons": ["Phantom dependencies detected: evil-pkg"]
+}
+```
+
+---
+
+## ⚙️ Environment Variables
+
+Copy `.env.example` to `.env` and configure:
+
+```bash
+cp .env.example .env
+```
+
+| Variable | Description |
+|----------|-------------|
+| `MONGODB_URI` | MongoDB Atlas connection string |
+| `GEMINI_API_KEY` | (Optional) Gemini API key |
+| `NPM_REGISTRY_URL` | npm registry URL (default: registry.npmjs.org) |
+
+---
+
+## 🧪 Testing
+
+```bash
+npm test
+```
+
+---
+
+## 🎤 Demo Flow
+
+1. `npm install axios` → compromised package gets through
+2. `aegis install axios` → **BLOCKED** by Aegis
+3. Show scan reasons and risk breakdown
+4. (Optional) View dashboard

package/dist/core/comparator.d.ts

@@ -0,0 +1,32 @@
+/**
+ * ═══════════════════════════════════════════════════════════
+ *  AEGIS-AST — Dependency Comparator
+ *  Owner: Person 1 (Core Engine)
+ *
+ *  Responsibilities:
+ *  - Compare declared dependencies (package.json) vs used (imports)
+ *  - Identify PHANTOM dependencies (declared but NOT used)
+ *  - Identify MISSING dependencies (used but NOT declared)
+ *
+ *  ⚠️ PHANTOM DEPENDENCIES = MALICIOUS SIGNAL
+ *     Declared ≠ Used → suspicious
+ * ═══════════════════════════════════════════════════════════
+ */
+import { ComparatorResult, PackageMetadata, ImportScanResult } from '../types';
+/**
+ * Compares declared dependencies against actually used imports.
+ *
+ * @param metadata - Parsed package.json with declared dependencies
+ * @param imports  - Extracted imports from source code
+ * @returns ComparatorResult with phantom, used, and missing deps
+ *
+ * @example
+ * ```ts
+ * const result = compareDependencies(metadata, imports);
+ * if (result.phantom.length > 0) {
+ *   console.warn('🚨 PHANTOM DEPENDENCIES DETECTED:', result.phantom);
+ * }
+ * ```
+ */
+export declare function compareDependencies(metadata: PackageMetadata, imports: ImportScanResult): ComparatorResult;
+//# sourceMappingURL=comparator.d.ts.map

package/dist/core/comparator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"comparator.d.ts","sourceRoot":"","sources":["../../src/core/comparator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAE/E;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,OAAO,EAAE,gBAAgB,GACxB,gBAAgB,CA6BlB"}

package/dist/core/comparator.js

@@ -0,0 +1,57 @@
+"use strict";
+/**
+ * ═══════════════════════════════════════════════════════════
+ *  AEGIS-AST — Dependency Comparator
+ *  Owner: Person 1 (Core Engine)
+ *
+ *  Responsibilities:
+ *  - Compare declared dependencies (package.json) vs used (imports)
+ *  - Identify PHANTOM dependencies (declared but NOT used)
+ *  - Identify MISSING dependencies (used but NOT declared)
+ *
+ *  ⚠️ PHANTOM DEPENDENCIES = MALICIOUS SIGNAL
+ *     Declared ≠ Used → suspicious
+ * ═══════════════════════════════════════════════════════════
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.compareDependencies = compareDependencies;
+/**
+ * Compares declared dependencies against actually used imports.
+ *
+ * @param metadata - Parsed package.json with declared dependencies
+ * @param imports  - Extracted imports from source code
+ * @returns ComparatorResult with phantom, used, and missing deps
+ *
+ * @example
+ * ```ts
+ * const result = compareDependencies(metadata, imports);
+ * if (result.phantom.length > 0) {
+ *   console.warn('🚨 PHANTOM DEPENDENCIES DETECTED:', result.phantom);
+ * }
+ * ```
+ */
+function compareDependencies(metadata, imports) {
+    // 1. Get all declared deps from metadata.dependencies
+    const declaredDeps = Object.keys(metadata.dependencies || {});
+    // 2. Get all used deps from imports.usedDependencies
+    const usedDeps = imports.usedDependencies || [];
+    // 3. Collect optional & peer deps — these are NOT phantoms.
+    //    They are dynamically loaded at runtime by design (e.g. vite uses picomatch, postcss).
+    const optionalDeps = new Set([
+        ...Object.keys(metadata.optionalDependencies || {}),
+        ...Object.keys(metadata.peerDependencies || {}),
+    ]);
+    // Convert arrays to Sets for O(1) lookup efficiency
+    const declaredSet = new Set(declaredDeps);
+    const usedSet = new Set(usedDeps);
+    // 4. phantom = declared - used - optional/peer - @types/* (TS type packages, never require()'d)
+    const phantom = declaredDeps.filter(dep => !usedSet.has(dep) &&
+        !optionalDeps.has(dep) &&
+        !dep.startsWith('@types/'));
+    // 5. missing = used - declared
+    const missing = usedDeps.filter(dep => !declaredSet.has(dep));
+    // 6. usedDependencies = declared ∩ used
+    const usedDependencies = declaredDeps.filter(dep => usedSet.has(dep));
+    return { usedDependencies, phantom, missing };
+}
+//# sourceMappingURL=comparator.js.map

package/dist/core/comparator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"comparator.js","sourceRoot":"","sources":["../../src/core/comparator.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAmBH,kDAgCC;AA/CD;;;;;;;;;;;;;;GAcG;AACH,SAAgB,mBAAmB,CACjC,QAAyB,EACzB,OAAyB;IAEzB,sDAAsD;IACtD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;IAC9D,qDAAqD;IACrD,MAAM,QAAQ,GAAG,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;IAEhD,4DAA4D;IAC5D,2FAA2F;IAC3F,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;QAC3B,GAAG,MAAM,CAAC,IAAI,CAAE,QAAgB,CAAC,oBAAoB,IAAI,EAAE,CAAC;QAC5D,GAAG,MAAM,CAAC,IAAI,CAAE,QAAgB,CAAC,gBAAgB,IAAI,EAAE,CAAC;KACzD,CAAC,CAAC;IAEH,oDAAoD;IACpD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IAElC,gGAAgG;IAChG,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACxC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;QACjB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;QACtB,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B,CAAC;IACF,+BAA+B;IAC/B,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,wCAAwC;IACxC,MAAM,gBAAgB,GAAG,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IAEtE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAChD,CAAC"}

package/dist/core/fetcher.d.ts

@@ -0,0 +1,37 @@
+/**
+ * ═══════════════════════════════════════════════════════════
+ *  AEGIS-AST — Package Fetcher
+ *  Owner: Person 1 (Core Engine)
+ *
+ *  Responsibilities:
+ *  - Download package tarball from npm registry
+ *  - Extract to /tmp/aegis/<package-name>
+ *  - Parse and return package.json metadata
+ * ═══════════════════════════════════════════════════════════
+ */
+import { FetchResult, PackageMetadata } from '../types';
+/**
+ * Fetches a package from the npm registry, downloads the tarball,
+ * and extracts it to a temporary directory.
+ *
+ * @param packageName - Name of the npm package (e.g., "axios")
+ * @param version - Specific version or "latest"
+ * @returns FetchResult with extractedPath and metadata
+ *
+ * @example
+ * ```ts
+ * const result = await fetchPackage("axios", "latest");
+ * console.log(result.extractedPath);  // /tmp/aegis/axios
+ * console.log(result.metadata.dependencies);
+ * ```
+ */
+export declare function fetchPackage(packageName: string, version?: string): Promise<FetchResult>;
+/**
+ * Parses package.json from an extracted package directory.
+ */
+export declare function parsePackageJson(extractedPath: string): PackageMetadata;
+/**
+ * Cleans up the temporary extraction directory.
+ */
+export declare function cleanup(extractedPath: string): Promise<void>;
+//# sourceMappingURL=fetcher.d.ts.map

package/dist/core/fetcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetcher.d.ts","sourceRoot":"","sources":["../../src/core/fetcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAUxD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,YAAY,CAChC,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,MAAiB,GACzB,OAAO,CAAC,WAAW,CAAC,CAoDtB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,aAAa,EAAE,MAAM,GAAG,eAAe,CAcvE;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMlE"}

package/dist/core/fetcher.js

@@ -0,0 +1,144 @@
+"use strict";
+/**
+ * ═══════════════════════════════════════════════════════════
+ *  AEGIS-AST — Package Fetcher
+ *  Owner: Person 1 (Core Engine)
+ *
+ *  Responsibilities:
+ *  - Download package tarball from npm registry
+ *  - Extract to /tmp/aegis/<package-name>
+ *  - Parse and return package.json metadata
+ * ═══════════════════════════════════════════════════════════
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchPackage = fetchPackage;
+exports.parsePackageJson = parsePackageJson;
+exports.cleanup = cleanup;
+const fs = __importStar(require("fs"));
+const fsp = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const execAsync = (0, util_1.promisify)(child_process_1.exec);
+/**
+ * Fetches a package from the npm registry, downloads the tarball,
+ * and extracts it to a temporary directory.
+ *
+ * @param packageName - Name of the npm package (e.g., "axios")
+ * @param version - Specific version or "latest"
+ * @returns FetchResult with extractedPath and metadata
+ *
+ * @example
+ * ```ts
+ * const result = await fetchPackage("axios", "latest");
+ * console.log(result.extractedPath);  // /tmp/aegis/axios
+ * console.log(result.metadata.dependencies);
+ * ```
+ */
+async function fetchPackage(packageName, version = 'latest') {
+    const registryUrl = process.env.NPM_REGISTRY_URL || 'https://registry.npmjs.org';
+    const packageUrl = `${registryUrl}/${packageName}/${version}`;
+    try {
+        // 1. GET package metadata from registry
+        const res = await fetch(packageUrl);
+        if (!res.ok) {
+            throw new Error(`Failed to fetch metadata for ${packageName}@${version}: ${res.statusText}`);
+        }
+        const data = (await res.json());
+        // 2. Extract tarball URL
+        const tarballUrl = data.dist?.tarball;
+        if (!tarballUrl) {
+            throw new Error(`No tarball URL found for ${packageName}@${version}`);
+        }
+        // Prepare temp directories
+        const tmpBase = path.join(os.tmpdir(), 'aegis');
+        const extractPath = path.join(tmpBase, packageName);
+        const tarballPath = path.join(tmpBase, `${packageName.replace(/\//g, '-')}.tgz`);
+        await fsp.mkdir(extractPath, { recursive: true });
+        // 3. Download tarball
+        const tarRes = await fetch(tarballUrl);
+        if (!tarRes.ok) {
+            throw new Error(`Failed to download tarball: ${tarRes.statusText}`);
+        }
+        const arrayBuffer = await tarRes.arrayBuffer();
+        await fsp.writeFile(tarballPath, Buffer.from(arrayBuffer));
+        // 4. Extract tarball
+        // Note: NPM tarballs always wrap their contents in a 'package/' directory.
+        // We use --strip-components=1 to dump the files directly into our target folder.
+        await execAsync(`tar -xzf ${tarballPath} -C ${extractPath} --strip-components=1`);
+        // Clean up the raw .tgz file now that we've extracted it
+        await fsp.rm(tarballPath, { force: true });
+        // 5. Parse package.json
+        const metadata = parsePackageJson(extractPath);
+        // 6. Return FetchResult
+        return {
+            extractedPath: extractPath,
+            metadata
+        };
+    }
+    catch (error) {
+        throw new Error(`Fetcher Error [${packageName}]: ${error.message}`);
+    }
+}
+/**
+ * Parses package.json from an extracted package directory.
+ */
+function parsePackageJson(extractedPath) {
+    const pkgPath = path.join(extractedPath, 'package.json');
+    if (!fs.existsSync(pkgPath)) {
+        throw new Error(`package.json not found at ${pkgPath}`);
+    }
+    const fileContent = fs.readFileSync(pkgPath, 'utf-8');
+    try {
+        return JSON.parse(fileContent);
+    }
+    catch (error) {
+        throw new Error(`Failed to parse package.json at ${pkgPath}`);
+    }
+}
+/**
+ * Cleans up the temporary extraction directory.
+ */
+async function cleanup(extractedPath) {
+    try {
+        await fsp.rm(extractedPath, { recursive: true, force: true });
+    }
+    catch (error) {
+        console.error(`Cleanup failed for ${extractedPath}:`, error);
+    }
+}
+//# sourceMappingURL=fetcher.js.map

package/dist/core/fetcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetcher.js","sourceRoot":"","sources":["../../src/core/fetcher.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BH,oCAuDC;AAKD,4CAcC;AAKD,0BAMC;AA7GD,uCAAyB;AACzB,iDAAmC;AACnC,2CAA6B;AAC7B,uCAAyB;AACzB,iDAAqC;AACrC,+BAAiC;AAEjC,MAAM,SAAS,GAAG,IAAA,gBAAS,EAAC,oBAAI,CAAC,CAAC;AAElC;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,YAAY,CAChC,WAAmB,EACnB,UAAkB,QAAQ;IAE5B,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,4BAA4B,CAAC;IACjF,MAAM,UAAU,GAAG,GAAG,WAAW,IAAI,WAAW,IAAI,OAAO,EAAE,CAAC;IAE5D,IAAI,CAAC;QACH,wCAAwC;QACxC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QACpC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,WAAW,IAAI,OAAO,KAAK,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QAC/F,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoC,CAAC;QAEnE,yBAAyB;QACzB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC;QACtC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,4BAA4B,WAAW,IAAI,OAAO,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,2BAA2B;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QACpD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QAEjF,MAAM,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAElD,sBAAsB;QACtB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,+BAA+B,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,GAAG,CAAC,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;QAE3D,qBAAqB;QACrB,2EAA2E;QAC3E,iFAAiF;QACjF,MAAM,SAAS,CAAC,YAAY,WAAW,OAAO,WAAW,uBAAuB,CAAC,CAAC;QAElF,yDAAyD;QACzD,MAAM,GAAG,CAAC,EAAE,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAE3C,wBAAwB;QACxB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAE/C,wBAAwB;QACxB,OAAO;YACL,aAAa,EAAE,WAAW;YAC1B,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,kBAAkB,WAAW,MAAO,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IACjF,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,aAAqB;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAEzD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,WAAW,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEtD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAoB,CAAC;IACpD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,OAAO,CAAC,aAAqB;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,EAAE,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAChE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,aAAa,GAAG,EAAE,KAAK,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC"}

package/dist/core/imports.d.ts

@@ -0,0 +1,27 @@
+/**
+ * ═══════════════════════════════════════════════════════════
+ * AEGIS-AST — Import Extractor
+ * Owner: Person 1 (Core Engine)
+ * * Responsibilities:
+ * - Walk all .js/.ts files in extracted package
+ * - Extract require() and import statements via AST (Primary)
+ * - Fallback to regex extraction if AST parsing fails
+ * - Return deduplicated list of used dependencies
+ * ═══════════════════════════════════════════════════════════
+ */
+import { ImportScanResult } from '../types';
+/**
+ * Regex patterns for extracting imports from JavaScript/TypeScript files.
+ * Used strictly as a fallback if AST parsing fails.
+ */
+export declare const IMPORT_PATTERNS: {
+    REQUIRE: RegExp;
+    ES_IMPORT: RegExp;
+    DYNAMIC_IMPORT: RegExp;
+};
+export declare function extractImports(extractedPath: string): Promise<ImportScanResult>;
+/**
+ * Normalizes a raw import string to a package name.
+ */
+export declare function normalizeImport(rawImport: string): string | null;
+//# sourceMappingURL=imports.d.ts.map

package/dist/core/imports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"imports.d.ts","sourceRoot":"","sources":["../../src/core/imports.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAa5C;;;GAGG;AACH,eAAO,MAAM,eAAe;;;;CAI3B,CAAC;AAEF,wBAAsB,cAAc,CAClC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,gBAAgB,CAAC,CA0H3B;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAgBhE"}

package/dist/core/imports.js

@@ -0,0 +1,200 @@
+"use strict";
+/**
+ * ═══════════════════════════════════════════════════════════
+ * AEGIS-AST — Import Extractor
+ * Owner: Person 1 (Core Engine)
+ * * Responsibilities:
+ * - Walk all .js/.ts files in extracted package
+ * - Extract require() and import statements via AST (Primary)
+ * - Fallback to regex extraction if AST parsing fails
+ * - Return deduplicated list of used dependencies
+ * ═══════════════════════════════════════════════════════════
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IMPORT_PATTERNS = void 0;
+exports.extractImports = extractImports;
+exports.normalizeImport = normalizeImport;
+const file_walker_1 = require("../utils/file_walker");
+const module_1 = require("module");
+const path = __importStar(require("path"));
+const parser = __importStar(require("@babel/parser"));
+const DEBUG = process.env.AEGIS_DEBUG === 'true';
+// Safely import Babel traverse for TypeScript environments
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const traverse = typeof traverse_1.default === 'function' ? traverse_1.default : traverse_1.default.default;
+/**
+ * Regex patterns for extracting imports from JavaScript/TypeScript files.
+ * Used strictly as a fallback if AST parsing fails.
+ */
+exports.IMPORT_PATTERNS = {
+    REQUIRE: /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+    ES_IMPORT: /import\s+(?:(?:[\w*{}\s,]+)\s+from\s+)?['"]([^'"]+)['"]/g,
+    DYNAMIC_IMPORT: /import\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+};
+async function extractImports(extractedPath) {
+    const usedDependencies = new Set();
+    const rawImports = [];
+    // Helper to process, normalize, and store a found import (used by both AST and Regex)
+    function processImportRecord(rawImport, line, file) {
+        rawImports.push({
+            filePath: file,
+            importName: rawImport,
+            line: line,
+        });
+        const normalized = normalizeImport(rawImport);
+        if (normalized) {
+            usedDependencies.add(normalized);
+        }
+    }
+    // Helper to calculate the line number of a regex match
+    function getLineNumber(content, matchIndex) {
+        return content.substring(0, matchIndex).split('\n').length;
+    }
+    try {
+        // Uses your existing utils/file_walker.ts implementation
+        const files = (0, file_walker_1.walkSourceFiles)(extractedPath);
+        for (const sourceFile of files) {
+            const file = sourceFile.absolutePath;
+            const content = sourceFile.content;
+            try {
+                // ==========================================
+                // PRIMARY ENGINE: Babel AST Parsing
+                // ==========================================
+                const ast = parser.parse(content, {
+                    sourceType: 'unambiguous', // Auto-detects ESM vs CommonJS
+                    plugins: [
+                        'typescript',
+                        'jsx',
+                        ['decorators', { decoratorsBeforeExport: true }] // Prevents crashes on NestJS/Angular files
+                    ],
+                });
+                if (DEBUG)
+                    console.log(`🟢 [AST] Successfully parsed: ${path.basename(file)}`);
+                traverse(ast, {
+                    // Catch: import { x } from 'y'
+                    ImportDeclaration(astPath) {
+                        if (astPath.node.source && astPath.node.source.value) {
+                            const line = astPath.node.loc?.start.line || 1;
+                            processImportRecord(astPath.node.source.value, line, file);
+                        }
+                    },
+                    // Catch: export { x } from 'y'
+                    ExportNamedDeclaration(astPath) {
+                        if (astPath.node.source && astPath.node.source.value) {
+                            const line = astPath.node.loc?.start.line || 1;
+                            processImportRecord(astPath.node.source.value, line, file);
+                        }
+                    },
+                    // Catch: export * from 'y'
+                    ExportAllDeclaration(astPath) {
+                        if (astPath.node.source && astPath.node.source.value) {
+                            const line = astPath.node.loc?.start.line || 1;
+                            processImportRecord(astPath.node.source.value, line, file);
+                        }
+                    },
+                    // Catch: require('y') and import('y')
+                    CallExpression(astPath) {
+                        const callee = astPath.node.callee;
+                        const args = astPath.node.arguments;
+                        if (args.length > 0 && args[0].type === 'StringLiteral') {
+                            // Handle require()
+                            if (callee.type === 'Identifier' && callee.name === 'require') {
+                                const line = astPath.node.loc?.start.line || 1;
+                                processImportRecord(args[0].value, line, file);
+                            }
+                            // Handle dynamic import()
+                            else if (callee.type === 'Import') {
+                                const line = astPath.node.loc?.start.line || 1;
+                                processImportRecord(args[0].value, line, file);
+                            }
+                        }
+                    }
+                });
+            }
+            catch (astError) {
+                // ==========================================
+                // BACKUP ENGINE: Regex Parsing
+                // Executes if file contains syntax errors / heavily obfuscated code
+                // ==========================================
+                const extractWithRegex = (pattern) => {
+                    let match;
+                    pattern.lastIndex = 0; // Reset global regex state
+                    while ((match = pattern.exec(content)) !== null) {
+                        const rawImport = match[1];
+                        const lineNumber = getLineNumber(content, match.index);
+                        processImportRecord(rawImport, lineNumber, file);
+                    }
+                };
+                if (DEBUG)
+                    console.log(`🟠 [REGEX] AST failed. Regex fallback triggered for: ${path.basename(file)}`);
+                extractWithRegex(exports.IMPORT_PATTERNS.REQUIRE);
+                extractWithRegex(exports.IMPORT_PATTERNS.ES_IMPORT);
+                extractWithRegex(exports.IMPORT_PATTERNS.DYNAMIC_IMPORT);
+            }
+        }
+        return {
+            usedDependencies: Array.from(usedDependencies),
+            rawImports,
+        };
+    }
+    catch (error) {
+        throw new Error(`Failed to extract imports from ${extractedPath}: ${error.message}`);
+    }
+}
+/**
+ * Normalizes a raw import string to a package name.
+ */
+function normalizeImport(rawImport) {
+    if (rawImport.startsWith('.') || rawImport.startsWith('/')) {
+        return null;
+    }
+    const cleanImport = rawImport.startsWith('node:') ? rawImport.substring(5) : rawImport;
+    if (module_1.builtinModules.includes(cleanImport)) {
+        return null;
+    }
+    if (cleanImport.startsWith('@')) {
+        const parts = cleanImport.split('/');
+        if (parts.length >= 2) {
+            return `${parts[0]}/${parts[1]}`;
+        }
+        return cleanImport;
+    }
+    return cleanImport.split('/')[0];
+}
+//# sourceMappingURL=imports.js.map