agentlint 0.1.0

package/dist/rules/network.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Network Rules (NET)
+ * Rules for detecting network access risks
+ */
+import { Finding } from '../ir/types';
+import { BaseRule } from './base';
+import { RuleContext } from './types';
+/**
+ * NET-001: Undeclared Network Access
+ * Network calls detected without explicit declaration
+ */
+export declare class UndeclaredNetworkAccessRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+/**
+ * NET-002: Remote Script Fetch
+ * Network call that fetches executable content
+ */
+export declare class RemoteScriptFetchRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+/**
+ * NET-003: Broad Network Access
+ * Outbound network access without domain restriction
+ */
+export declare class BroadNetworkAccessRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+export declare const networkRules: (UndeclaredNetworkAccessRule | RemoteScriptFetchRule | BroadNetworkAccessRule)[];
+//# sourceMappingURL=network.d.ts.map

package/dist/rules/network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.d.ts","sourceRoot":"","sources":["../../src/rules/network.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAEtD;;;GAGG;AACH,qBAAa,2BAA4B,SAAQ,QAAQ;;IAevD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CA+C1C;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,QAAQ;;IAejD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CAgC1C;AAED;;;GAGG;AACH,qBAAa,sBAAuB,SAAQ,QAAQ;;IAelD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CAuC1C;AAGD,eAAO,MAAM,YAAY,kFAIxB,CAAC"}

package/dist/rules/network.js

@@ -0,0 +1,145 @@
+"use strict";
+/**
+ * Network Rules (NET)
+ * Rules for detecting network access risks
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.networkRules = exports.BroadNetworkAccessRule = exports.RemoteScriptFetchRule = exports.UndeclaredNetworkAccessRule = void 0;
+const base_1 = require("./base");
+/**
+ * NET-001: Undeclared Network Access
+ * Network calls detected without explicit declaration
+ */
+class UndeclaredNetworkAccessRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'NET-001',
+            group: 'network',
+            severity: 'high',
+            title: 'Undeclared Network Access',
+            description: 'Network calls detected without explicit capability declaration. This poses a silent exfiltration risk.',
+            recommendation: 'Explicitly declare network access in the permission manifest, or disable network access if not required.',
+            tags: ['network', 'exfiltration', 'undeclared'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, capabilitySummary, minConfidence } = context;
+        // Check if network capability is declared
+        const hasNetworkCapability = capabilitySummary.network.outbound || capabilitySummary.network.inbound;
+        for (const action of document.actions) {
+            if (action.type !== 'network_call')
+                continue;
+            const confidence = action.evidence[0]?.confidence || 0.9;
+            if (confidence < minConfidence)
+                continue;
+            // If network actions exist but capability is not declared
+            const urls = action.network?.urls || [];
+            const domains = action.network?.domains || [];
+            // Check if this specific domain/URL is allowed
+            const isAllowed = hasNetworkCapability &&
+                domains.every(d => capabilitySummary.network.allowed_domains.includes(d));
+            if (!hasNetworkCapability || !isAllowed) {
+                const finding = this.createFinding(document, action.anchors, `Network access to ${urls.join(', ') || domains.join(', ')} detected without explicit declaration.`, action.evidence, confidence);
+                finding.related_actions.push({
+                    action_type: action.type,
+                    context: action.context,
+                    summary: action.summary,
+                    anchors: action.anchors,
+                });
+                findings.push(finding);
+            }
+        }
+        return findings;
+    }
+}
+exports.UndeclaredNetworkAccessRule = UndeclaredNetworkAccessRule;
+/**
+ * NET-002: Remote Script Fetch
+ * Network call that fetches executable content
+ */
+class RemoteScriptFetchRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'NET-002',
+            group: 'network',
+            severity: 'high',
+            title: 'Remote Script Fetch',
+            description: 'Network call that fetches executable content such as scripts or binaries. This is a major supply-chain risk.',
+            recommendation: 'Avoid fetching executable content from the network. Use pinned, verified artifacts from trusted sources.',
+            tags: ['network', 'executable', 'supply-chain'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        for (const action of document.actions) {
+            if (action.type !== 'network_call')
+                continue;
+            if (!action.network?.fetches_executable)
+                continue;
+            const confidence = action.evidence[0]?.confidence || 0.95;
+            if (confidence < minConfidence)
+                continue;
+            const urls = action.network?.urls || [];
+            const finding = this.createFinding(document, action.anchors, `Remote executable content fetched from: ${urls.join(', ')}. This is a supply-chain attack vector.`, action.evidence, confidence);
+            finding.related_actions.push({
+                action_type: action.type,
+                context: action.context,
+                summary: action.summary,
+                anchors: action.anchors,
+            });
+            findings.push(finding);
+        }
+        return findings;
+    }
+}
+exports.RemoteScriptFetchRule = RemoteScriptFetchRule;
+/**
+ * NET-003: Broad Network Access
+ * Outbound network access without domain restriction
+ */
+class BroadNetworkAccessRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'NET-003',
+            group: 'network',
+            severity: 'medium',
+            title: 'Broad Network Access',
+            description: 'Outbound network access is enabled without domain restrictions. This allows data exfiltration to any destination.',
+            recommendation: 'Restrict network access to specific, trusted domains using an allowlist.',
+            tags: ['network', 'outbound', 'least-privilege'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, capabilitySummary } = context;
+        // Check if outbound network is enabled without domain restrictions
+        if (!capabilitySummary.network.outbound) {
+            return findings;
+        }
+        const hasRestrictions = capabilitySummary.network.allowed_domains.length > 0;
+        if (!hasRestrictions) {
+            // Find the first network action for location reference
+            const networkAction = document.actions.find(a => a.type === 'network_call');
+            const anchors = networkAction?.anchors || { start_line: 1, end_line: 1 };
+            const finding = this.createFinding(document, anchors, 'Outbound network access enabled without domain restrictions.', [
+                {
+                    kind: 'heuristic',
+                    value: 'network.outbound: true without allowed_domains',
+                    confidence: 0.8,
+                },
+            ], 0.8);
+            findings.push(finding);
+        }
+        return findings;
+    }
+}
+exports.BroadNetworkAccessRule = BroadNetworkAccessRule;
+// Export all network rules
+exports.networkRules = [
+    new UndeclaredNetworkAccessRule(),
+    new RemoteScriptFetchRule(),
+    new BroadNetworkAccessRule(),
+];
+//# sourceMappingURL=network.js.map

package/dist/rules/network.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.js","sourceRoot":"","sources":["../../src/rules/network.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAGH,iCAAkC;AAGlC;;;GAGG;AACH,MAAa,2BAA4B,SAAQ,eAAQ;IACvD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,2BAA2B;YAClC,WAAW,EACT,wGAAwG;YAC1G,cAAc,EACZ,0GAA0G;YAC5G,IAAI,EAAE,CAAC,SAAS,EAAE,cAAc,EAAE,YAAY,CAAC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE/D,0CAA0C;QAC1C,MAAM,oBAAoB,GACxB,iBAAiB,CAAC,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC;QAE1E,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc;gBAAE,SAAS;YAE7C,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;YACzD,IAAI,UAAU,GAAG,aAAa;gBAAE,SAAS;YAEzC,0DAA0D;YAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;YAE9C,+CAA+C;YAC/C,MAAM,SAAS,GACb,oBAAoB;gBACpB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAChB,iBAAiB,CAAC,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CACtD,CAAC;YAEJ,IAAI,CAAC,oBAAoB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,qBAAqB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,yCAAyC,EACnG,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;gBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;oBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;oBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;iBACxB,CAAC,CAAC;gBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AA9DD,kEA8DC;AAED;;;GAGG;AACH,MAAa,qBAAsB,SAAQ,eAAQ;IACjD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,qBAAqB;YAC5B,WAAW,EACT,8GAA8G;YAChH,cAAc,EACZ,0GAA0G;YAC5G,IAAI,EAAE,CAAC,SAAS,EAAE,YAAY,EAAE,cAAc,CAAC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc;gBAAE,SAAS;YAC7C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,kBAAkB;gBAAE,SAAS;YAElD,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,IAAI,CAAC;YAC1D,IAAI,UAAU,GAAG,aAAa;gBAAE,SAAS;YAEzC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,2CAA2C,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,yCAAyC,EACnG,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;YAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;gBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;gBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC,CAAC;YAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AA/CD,sDA+CC;AAED;;;GAGG;AACH,MAAa,sBAAuB,SAAQ,eAAQ;IAClD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EACT,mHAAmH;YACrH,cAAc,EACZ,0EAA0E;YAC5E,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,iBAAiB,CAAC;SACjD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC;QAEhD,mEAAmE;QACnE,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACxC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,eAAe,GACnB,iBAAiB,CAAC,OAAO,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;QAEvD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,uDAAuD;YACvD,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CACzC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,cAAc,CAC/B,CAAC;YAEF,MAAM,OAAO,GAAG,aAAa,EAAE,OAAO,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YAEzE,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,OAAO,EACP,8DAA8D,EAC9D;gBACE;oBACE,IAAI,EAAE,WAAW;oBACjB,KAAK,EAAE,gDAAgD;oBACvD,UAAU,EAAE,GAAG;iBAChB;aACF,EACD,GAAG,CACJ,CAAC;YAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAtDD,wDAsDC;AAED,2BAA2B;AACd,QAAA,YAAY,GAAG;IAC1B,IAAI,2BAA2B,EAAE;IACjC,IAAI,qBAAqB,EAAE;IAC3B,IAAI,sBAAsB,EAAE;CAC7B,CAAC"}

package/dist/rules/observability.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Observability & Audit Rules (OBS)
+ * Rules for ensuring visibility and auditability
+ */
+import { Finding } from '../ir/types';
+import { BaseRule } from './base';
+import { RuleContext } from './types';
+/**
+ * OBS-001: Missing Capability Declaration
+ * Actions present without declared capabilities
+ */
+export declare class MissingCapabilityDeclarationRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+/**
+ * OBS-002: No Permission Manifest
+ * Agent config exists without explicit permission declaration
+ */
+export declare class NoPermissionManifestRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+export declare const observabilityRules: (MissingCapabilityDeclarationRule | NoPermissionManifestRule)[];
+//# sourceMappingURL=observability.d.ts.map

package/dist/rules/observability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"observability.d.ts","sourceRoot":"","sources":["../../src/rules/observability.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAEtD;;;GAGG;AACH,qBAAa,gCAAiC,SAAQ,QAAQ;;IAe5D,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CA2C1C;AAED;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;;IAepD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CAkC1C;AAGD,eAAO,MAAM,kBAAkB,iEAG9B,CAAC"}

package/dist/rules/observability.js

@@ -0,0 +1,105 @@
+"use strict";
+/**
+ * Observability & Audit Rules (OBS)
+ * Rules for ensuring visibility and auditability
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.observabilityRules = exports.NoPermissionManifestRule = exports.MissingCapabilityDeclarationRule = void 0;
+const base_1 = require("./base");
+/**
+ * OBS-001: Missing Capability Declaration
+ * Actions present without declared capabilities
+ */
+class MissingCapabilityDeclarationRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'OBS-001',
+            group: 'observability',
+            severity: 'medium',
+            title: 'Missing Capability Declaration',
+            description: 'Actions are present without corresponding capability declarations. This creates opaque behavior that is difficult to audit.',
+            recommendation: 'Declare all capabilities explicitly in the permission manifest. This improves visibility and enables policy enforcement.',
+            tags: ['observability', 'capabilities', 'audit'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, capabilitySummary } = context;
+        // Check for undeclared action types
+        const actionTypes = new Set(document.actions.map(a => a.type));
+        const declaredCapabilities = new Set(document.capabilities.map(c => c.type));
+        // Map action types to expected capability types
+        const actionToCapability = {
+            shell_exec: 'shell_exec',
+            network_call: 'network',
+            file_write: 'filesystem',
+            file_read: 'filesystem',
+            git_operation: 'git',
+        };
+        for (const actionType of actionTypes) {
+            const expectedCap = actionToCapability[actionType];
+            if (expectedCap && !declaredCapabilities.has(expectedCap)) {
+                // Find an action of this type for location
+                const action = document.actions.find(a => a.type === actionType);
+                if (action) {
+                    const finding = this.createFinding(document, action.anchors, `Action "${actionType}" performed without declared capability.`, [
+                        {
+                            kind: 'heuristic',
+                            value: `Action type ${actionType} without ${expectedCap} capability`,
+                            confidence: 0.75,
+                        },
+                    ], 0.75);
+                    findings.push(finding);
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.MissingCapabilityDeclarationRule = MissingCapabilityDeclarationRule;
+/**
+ * OBS-002: No Permission Manifest
+ * Agent config exists without explicit permission declaration
+ */
+class NoPermissionManifestRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'OBS-002',
+            group: 'observability',
+            severity: 'low',
+            title: 'No Permission Manifest',
+            description: 'Agent configuration exists without an explicit permission declaration. This encourages good hygiene and auditability.',
+            recommendation: 'Add an explicit permission manifest to the agent configuration. This documents expected capabilities and enables policy enforcement.',
+            tags: ['observability', 'manifest', 'documentation'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document } = context;
+        // Check if document has any capabilities but no manifest
+        if (document.capabilities.length > 0) {
+            // Check if there's a permission declaration in instruction blocks
+            const hasPermissionBlock = document.instruction_blocks.some(b => b.text.toLowerCase().includes('permission') ||
+                b.text.toLowerCase().includes('capability') ||
+                b.text.toLowerCase().includes('allowed'));
+            if (!hasPermissionBlock) {
+                const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, 'Agent configuration has capabilities but no explicit permission manifest.', [
+                    {
+                        kind: 'heuristic',
+                        value: 'No permission declaration found in document',
+                        confidence: 0.6,
+                    },
+                ], 0.6);
+                findings.push(finding);
+            }
+        }
+        return findings;
+    }
+}
+exports.NoPermissionManifestRule = NoPermissionManifestRule;
+// Export all observability rules
+exports.observabilityRules = [
+    new MissingCapabilityDeclarationRule(),
+    new NoPermissionManifestRule(),
+];
+//# sourceMappingURL=observability.js.map

package/dist/rules/observability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"observability.js","sourceRoot":"","sources":["../../src/rules/observability.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAGH,iCAAkC;AAGlC;;;GAGG;AACH,MAAa,gCAAiC,SAAQ,eAAQ;IAC5D;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,eAAe;YACtB,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,gCAAgC;YACvC,WAAW,EACT,6HAA6H;YAC/H,cAAc,EACZ,0HAA0H;YAC5H,IAAI,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,OAAO,CAAC;SACjD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC;QAEhD,oCAAoC;QACpC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAC/D,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAE7E,gDAAgD;QAChD,MAAM,kBAAkB,GAA2B;YACjD,UAAU,EAAE,YAAY;YACxB,YAAY,EAAE,SAAS;YACvB,UAAU,EAAE,YAAY;YACxB,SAAS,EAAE,YAAY;YACvB,aAAa,EAAE,KAAK;SACrB,CAAC;QAEF,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;YACrC,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACnD,IAAI,WAAW,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,WAAkB,CAAC,EAAE,CAAC;gBACjE,2CAA2C;gBAC3C,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;gBACjE,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,WAAW,UAAU,0CAA0C,EAC/D;wBACE;4BACE,IAAI,EAAE,WAAW;4BACjB,KAAK,EAAE,eAAe,UAAU,YAAY,WAAW,aAAa;4BACpE,UAAU,EAAE,IAAI;yBACjB;qBACF,EACD,IAAI,CACL,CAAC;oBACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AA1DD,4EA0DC;AAED;;;GAGG;AACH,MAAa,wBAAyB,SAAQ,eAAQ;IACpD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,eAAe;YACtB,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,wBAAwB;YAC/B,WAAW,EACT,uHAAuH;YACzH,cAAc,EACZ,sIAAsI;YACxI,IAAI,EAAE,CAAC,eAAe,EAAE,UAAU,EAAE,eAAe,CAAC;SACrD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAE7B,yDAAyD;QACzD,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,kEAAkE;YAClE,MAAM,kBAAkB,GAAG,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CACzD,CAAC,CAAC,EAAE,CACF,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAC3C,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAC3C,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAC3C,CAAC;YAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,2EAA2E,EAC3E;oBACE;wBACE,IAAI,EAAE,WAAW;wBACjB,KAAK,EAAE,6CAA6C;wBACpD,UAAU,EAAE,GAAG;qBAChB;iBACF,EACD,GAAG,CACJ,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAjDD,4DAiDC;AAED,iCAAiC;AACpB,QAAA,kBAAkB,GAAG;IAChC,IAAI,gCAAgC,EAAE;IACtC,IAAI,wBAAwB,EAAE;CAC/B,CAAC"}

package/dist/rules/scope.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Scope Expansion Rules (SCOPE)
+ * Rules for detecting capability and scope expansion
+ * Note: These rules are primarily used in diff mode
+ */
+import { Finding, CapabilitySummary } from '../ir/types';
+import { BaseRule } from './base';
+import { RuleContext } from './types';
+/**
+ * SCOPE-001: Capability Expansion Between Versions
+ * Diff detects new capabilities added
+ */
+export declare class CapabilityExpansionRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+    /**
+     * Compare two capability summaries for expansion (used by diff engine)
+     */
+    static detectExpansion(base: CapabilitySummary, target: CapabilitySummary): string[];
+}
+/**
+ * SCOPE-002: Write Scope Widening
+ * File write paths have been broadened
+ */
+export declare class WriteScopeWideningRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+    /**
+     * Compare two write scopes for widening (used by diff engine)
+     */
+    static detectWidening(baseWrites: string[], targetWrites: string[]): {
+        widened: boolean;
+        changes: string[];
+    };
+}
+export declare const scopeRules: (CapabilityExpansionRule | WriteScopeWideningRule)[];
+//# sourceMappingURL=scope.d.ts.map

package/dist/rules/scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../../src/rules/scope.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAGtD;;;GAGG;AACH,qBAAa,uBAAwB,SAAQ,QAAQ;;IAenD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;IAiDzC;;OAEG;IACH,MAAM,CAAC,eAAe,CACpB,IAAI,EAAE,iBAAiB,EACvB,MAAM,EAAE,iBAAiB,GACxB,MAAM,EAAE;CAoDZ;AAED;;;GAGG;AACH,qBAAa,sBAAuB,SAAQ,QAAQ;;IAelD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;IAiCzC;;OAEG;IACH,MAAM,CAAC,cAAc,CACnB,UAAU,EAAE,MAAM,EAAE,EACpB,YAAY,EAAE,MAAM,EAAE,GACrB;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE;CA0B3C;AAGD,eAAO,MAAM,UAAU,sDAGtB,CAAC"}

package/dist/rules/scope.js

@@ -0,0 +1,173 @@
+"use strict";
+/**
+ * Scope Expansion Rules (SCOPE)
+ * Rules for detecting capability and scope expansion
+ * Note: These rules are primarily used in diff mode
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scopeRules = exports.WriteScopeWideningRule = exports.CapabilityExpansionRule = void 0;
+const base_1 = require("./base");
+/**
+ * SCOPE-001: Capability Expansion Between Versions
+ * Diff detects new capabilities added
+ */
+class CapabilityExpansionRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'SCOPE-001',
+            group: 'scope',
+            severity: 'high',
+            title: 'Capability Expansion Between Versions',
+            description: 'New capabilities have been added, equivalent to permission escalation. This includes shell execution, network access, or sensitive file operations.',
+            recommendation: 'Review the capability expansion carefully. Ensure new capabilities are intentional and follow least-privilege principles.',
+            tags: ['scope', 'expansion', 'diff', 'permissions'],
+        });
+    }
+    evaluate(context) {
+        // This rule is primarily for diff mode
+        // In scan mode, we report on detected high-risk capabilities
+        const findings = [];
+        const { document, capabilitySummary } = context;
+        // Report if dynamic shell execution is detected (capability expansion indicator)
+        if (capabilitySummary.shell_exec.dynamic_detected) {
+            const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, 'Dynamic shell execution capability detected. This is a high-risk capability.', [
+                {
+                    kind: 'heuristic',
+                    value: 'shell_exec.dynamic_detected: true',
+                    confidence: 0.9,
+                },
+            ], 0.9);
+            findings.push(finding);
+        }
+        // Report if network + shell combination is detected
+        if (capabilitySummary.network.outbound &&
+            capabilitySummary.shell_exec.enabled &&
+            capabilitySummary.network.fetches_executable) {
+            const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, 'Remote code execution capability pattern detected: network + shell + executable fetch.', [
+                {
+                    kind: 'heuristic',
+                    value: 'RCE pattern: network.outbound + shell_exec + fetches_executable',
+                    confidence: 0.95,
+                },
+            ], 0.95);
+            findings.push(finding);
+        }
+        return findings;
+    }
+    /**
+     * Compare two capability summaries for expansion (used by diff engine)
+     */
+    static detectExpansion(base, target) {
+        const expansions = [];
+        // Shell execution expansion
+        if (!base.shell_exec.enabled && target.shell_exec.enabled) {
+            expansions.push('shell_exec: false → true');
+        }
+        if (!base.shell_exec.dynamic_detected && target.shell_exec.dynamic_detected) {
+            expansions.push('shell_exec.dynamic: false → true');
+        }
+        // Network expansion
+        if (!base.network.outbound && target.network.outbound) {
+            expansions.push('network.outbound: false → true');
+        }
+        if (!base.network.inbound && target.network.inbound) {
+            expansions.push('network.inbound: false → true');
+        }
+        if (!base.network.fetches_executable && target.network.fetches_executable) {
+            expansions.push('network.fetches_executable: false → true');
+        }
+        // Secrets expansion
+        const newSecretVars = target.secrets.env_vars_referenced.filter(v => !base.secrets.env_vars_referenced.includes(v));
+        if (newSecretVars.length > 0) {
+            expansions.push(`secrets.env_vars: added ${newSecretVars.join(', ')}`);
+        }
+        if (!base.secrets.propagation_detected && target.secrets.propagation_detected) {
+            expansions.push('secrets.propagation: false → true');
+        }
+        // Context expansion
+        if (!base.contexts.has_hooks && target.contexts.has_hooks) {
+            expansions.push('context.hooks: false → true');
+        }
+        if (!base.contexts.has_ci_context && target.contexts.has_ci_context) {
+            expansions.push('context.ci: false → true');
+        }
+        // Sensitive paths expansion
+        const newSensitivePaths = target.filesystem.touches_sensitive_paths.filter(p => !base.filesystem.touches_sensitive_paths.includes(p));
+        if (newSensitivePaths.length > 0) {
+            expansions.push(`filesystem.sensitive_paths: added ${newSensitivePaths.join(', ')}`);
+        }
+        return expansions;
+    }
+}
+exports.CapabilityExpansionRule = CapabilityExpansionRule;
+/**
+ * SCOPE-002: Write Scope Widening
+ * File write paths have been broadened
+ */
+class WriteScopeWideningRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'SCOPE-002',
+            group: 'scope',
+            severity: 'medium',
+            title: 'Write Scope Widening',
+            description: 'File write access scope has been widened, potentially allowing writes to more locations.',
+            recommendation: 'Verify that expanded write scope is intentional. Keep write access as narrow as possible.',
+            tags: ['scope', 'filesystem', 'write', 'diff'],
+        });
+    }
+    evaluate(context) {
+        // This rule is primarily for diff mode
+        // In scan mode, we check for broad write scopes
+        const findings = [];
+        const { document, capabilitySummary } = context;
+        // Check for overly broad write patterns
+        const broadPatterns = ['**/*', '**', '*', './'];
+        const writePaths = capabilitySummary.filesystem.write;
+        for (const path of writePaths) {
+            if (broadPatterns.some(p => path === p || path.startsWith(p + '/'))) {
+                const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, `Broad write scope detected: "${path}". This allows writes to many locations.`, [
+                    {
+                        kind: 'heuristic',
+                        value: `filesystem.write includes broad pattern: ${path}`,
+                        confidence: 0.85,
+                    },
+                ], 0.85);
+                findings.push(finding);
+                break; // Report once per document
+            }
+        }
+        return findings;
+    }
+    /**
+     * Compare two write scopes for widening (used by diff engine)
+     */
+    static detectWidening(baseWrites, targetWrites) {
+        const changes = [];
+        let widened = false;
+        // Check for new broad patterns
+        const broadPatterns = ['**/*', '**', '*'];
+        // Check if target has broad patterns that base didn't have
+        for (const pattern of broadPatterns) {
+            const targetHas = targetWrites.some(w => w === pattern || w.includes(pattern));
+            const baseHad = baseWrites.some(w => w === pattern || w.includes(pattern));
+            if (targetHas && !baseHad) {
+                widened = true;
+                changes.push(`Write scope widened to include: ${pattern}`);
+            }
+        }
+        // Check for new write paths
+        const newPaths = targetWrites.filter(p => !baseWrites.includes(p));
+        if (newPaths.length > 0) {
+            changes.push(`New write paths added: ${newPaths.join(', ')}`);
+        }
+        return { widened, changes };
+    }
+}
+exports.WriteScopeWideningRule = WriteScopeWideningRule;
+// Export all scope rules
+exports.scopeRules = [
+    new CapabilityExpansionRule(),
+    new WriteScopeWideningRule(),
+];
+//# sourceMappingURL=scope.js.map

package/dist/rules/scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.js","sourceRoot":"","sources":["../../src/rules/scope.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAGH,iCAAkC;AAIlC;;;GAGG;AACH,MAAa,uBAAwB,SAAQ,eAAQ;IACnD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,OAAO;YACd,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,uCAAuC;YAC9C,WAAW,EACT,qJAAqJ;YACvJ,cAAc,EACZ,2HAA2H;YAC7H,IAAI,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,CAAC;SACpD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,uCAAuC;QACvC,6DAA6D;QAC7D,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC;QAEhD,iFAAiF;QACjF,IAAI,iBAAiB,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,8EAA8E,EAC9E;gBACE;oBACE,IAAI,EAAE,WAAW;oBACjB,KAAK,EAAE,mCAAmC;oBAC1C,UAAU,EAAE,GAAG;iBAChB;aACF,EACD,GAAG,CACJ,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,oDAAoD;QACpD,IACE,iBAAiB,CAAC,OAAO,CAAC,QAAQ;YAClC,iBAAiB,CAAC,UAAU,CAAC,OAAO;YACpC,iBAAiB,CAAC,OAAO,CAAC,kBAAkB,EAC5C,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,wFAAwF,EACxF;gBACE;oBACE,IAAI,EAAE,WAAW;oBACjB,KAAK,EAAE,iEAAiE;oBACxE,UAAU,EAAE,IAAI;iBACjB;aACF,EACD,IAAI,CACL,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,eAAe,CACpB,IAAuB,EACvB,MAAyB;QAEzB,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,4BAA4B;QAC5B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YAC1D,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,gBAAgB,IAAI,MAAM,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAC5E,UAAU,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACtD,UAAU,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACpD,UAAU,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,IAAI,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAC1E,UAAU,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,oBAAoB;QACpB,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,MAAM,CAC7D,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,CACnD,CAAC;QACF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,UAAU,CAAC,IAAI,CAAC,2BAA2B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,IAAI,MAAM,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAC9E,UAAU,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YAC1D,UAAU,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YACpE,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,4BAA4B;QAC5B,MAAM,iBAAiB,GAAG,MAAM,CAAC,UAAU,CAAC,uBAAuB,CAAC,MAAM,CACxE,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC1D,CAAC;QACF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,UAAU,CAAC,IAAI,CAAC,qCAAqC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF;AA1HD,0DA0HC;AAED;;;GAGG;AACH,MAAa,sBAAuB,SAAQ,eAAQ;IAClD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,OAAO;YACd,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EACT,0FAA0F;YAC5F,cAAc,EACZ,2FAA2F;YAC7F,IAAI,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,uCAAuC;QACvC,gDAAgD;QAChD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC;QAEhD,wCAAwC;QACxC,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAChD,MAAM,UAAU,GAAG,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC;QAEtD,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC;gBACpE,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,gCAAgC,IAAI,0CAA0C,EAC9E;oBACE;wBACE,IAAI,EAAE,WAAW;wBACjB,KAAK,EAAE,4CAA4C,IAAI,EAAE;wBACzD,UAAU,EAAE,IAAI;qBACjB;iBACF,EACD,IAAI,CACL,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACvB,MAAM,CAAC,2BAA2B;YACpC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,cAAc,CACnB,UAAoB,EACpB,YAAsB;QAEtB,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,+BAA+B;QAC/B,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;QAE1C,2DAA2D;QAC3D,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;YACpC,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAC/E,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAE3E,IAAI,SAAS,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC1B,OAAO,GAAG,IAAI,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACnE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC,0BAA0B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC9B,CAAC;CACF;AAhFD,wDAgFC;AAED,yBAAyB;AACZ,QAAA,UAAU,GAAG;IACxB,IAAI,uBAAuB,EAAE;IAC7B,IAAI,sBAAsB,EAAE;CAC7B,CAAC"}

package/dist/rules/secrets.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Credential & Secret Rules (SEC)
+ * Rules for detecting credential and secret access risks
+ */
+import { Finding } from '../ir/types';
+import { BaseRule } from './base';
+import { RuleContext } from './types';
+/**
+ * SEC-001: Environment Secret Reference
+ * References to known secret environment variables
+ */
+export declare class EnvironmentSecretReferenceRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+    private isKnownSecretVar;
+}
+/**
+ * SEC-002: Implicit Secret Access
+ * Access to .env or config files likely containing secrets
+ */
+export declare class ImplicitSecretAccessRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+    private isSecretFile;
+}
+/**
+ * SEC-003: Secret Propagation
+ * Secrets used in shell commands, network calls, or file writes
+ */
+export declare class SecretPropagationRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+export declare const secretRules: (EnvironmentSecretReferenceRule | ImplicitSecretAccessRule | SecretPropagationRule)[];
+//# sourceMappingURL=secrets.d.ts.map

package/dist/rules/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/rules/secrets.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAwEtD;;;GAGG;AACH,qBAAa,8BAA+B,SAAQ,QAAQ;;IAe1D,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;IAgEzC,OAAO,CAAC,gBAAgB;CAMzB;AAED;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;;IAepD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;IAuEzC,OAAO,CAAC,YAAY;CAQrB;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,QAAQ;;IAejD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CAwD1C;AAGD,eAAO,MAAM,WAAW,uFAIvB,CAAC"}