agentlint 0.1.0

package/dist/rules/secrets.js

@@ -0,0 +1,273 @@
+"use strict";
+/**
+ * Credential & Secret Rules (SEC)
+ * Rules for detecting credential and secret access risks
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretRules = exports.SecretPropagationRule = exports.ImplicitSecretAccessRule = exports.EnvironmentSecretReferenceRule = void 0;
+const base_1 = require("./base");
+// Known secret environment variables
+const KNOWN_SECRET_VARS = [
+    'GITHUB_TOKEN',
+    'GH_TOKEN',
+    'GITLAB_TOKEN',
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_ACCESS_KEY_ID',
+    'AWS_SESSION_TOKEN',
+    'AZURE_CLIENT_SECRET',
+    'AZURE_CLIENT_ID',
+    'AZURE_TENANT_ID',
+    'AZURE_SUBSCRIPTION_ID',
+    'GOOGLE_APPLICATION_CREDENTIALS',
+    'GCP_SERVICE_ACCOUNT',
+    'GCLOUD_SERVICE_KEY',
+    'API_KEY',
+    'API_SECRET',
+    'SECRET_KEY',
+    'PRIVATE_KEY',
+    'DATABASE_PASSWORD',
+    'DATABASE_URL',
+    'DB_PASSWORD',
+    'DB_HOST',
+    'REDIS_PASSWORD',
+    'MONGODB_URI',
+    'PASSWORD',
+    'TOKEN',
+    'NPM_TOKEN',
+    'NPM_AUTH_TOKEN',
+    'PYPI_TOKEN',
+    'PYPI_PASSWORD',
+    'DOCKER_PASSWORD',
+    'DOCKER_AUTH',
+    'SSH_PRIVATE_KEY',
+    'SSH_KEY',
+    'SLACK_TOKEN',
+    'SLACK_WEBHOOK',
+    'DISCORD_TOKEN',
+    'SENDGRID_API_KEY',
+    'STRIPE_SECRET_KEY',
+    'TWILIO_AUTH_TOKEN',
+    'OPENAI_API_KEY',
+    'ANTHROPIC_API_KEY',
+    'ENCRYPTION_KEY',
+    'JWT_SECRET',
+    'SESSION_SECRET',
+    'COOKIE_SECRET',
+];
+// Secret file patterns
+const SECRET_FILE_PATTERNS = [
+    '.env',
+    '.env.local',
+    '.env.production',
+    '.env.development',
+    'credentials.json',
+    'secrets.json',
+    'service-account.json',
+    '.npmrc',
+    '.pypirc',
+    '.netrc',
+    '.docker/config.json',
+    '.aws/credentials',
+    '.kube/config',
+    'id_rsa',
+    'id_ed25519',
+    'id_ecdsa',
+    '.ssh/config',
+];
+/**
+ * SEC-001: Environment Secret Reference
+ * References to known secret environment variables
+ */
+class EnvironmentSecretReferenceRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'SEC-001',
+            group: 'secrets',
+            severity: 'high',
+            title: 'Environment Secret Reference',
+            description: 'References to known secret environment variables such as GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, or API_KEY. Agents should not touch secrets by default.',
+            recommendation: 'Remove secret references from agent configurations. Use secure secret management practices.',
+            tags: ['secrets', 'credentials', 'environment'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        for (const action of document.actions) {
+            const secretVars = action.secrets?.reads_env_vars || [];
+            for (const varName of secretVars) {
+                if (this.isKnownSecretVar(varName)) {
+                    const confidence = action.evidence[0]?.confidence || 0.9;
+                    if (confidence < minConfidence)
+                        continue;
+                    const finding = this.createFinding(document, action.anchors, `Reference to secret environment variable: $${varName}. Agents should not access secrets directly.`, [
+                        {
+                            kind: 'regex',
+                            value: `$${varName}`,
+                            confidence,
+                        },
+                    ], confidence);
+                    finding.related_actions.push({
+                        action_type: action.type,
+                        context: action.context,
+                        summary: action.summary,
+                        anchors: action.anchors,
+                    });
+                    findings.push(finding);
+                }
+            }
+        }
+        // Also check capability summary
+        for (const varName of context.capabilitySummary.secrets.env_vars_referenced) {
+            if (this.isKnownSecretVar(varName) &&
+                !findings.some(f => f.message.includes(varName))) {
+                const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, `Reference to secret environment variable: $${varName}.`, [
+                    {
+                        kind: 'heuristic',
+                        value: `Secret variable referenced: ${varName}`,
+                        confidence: 0.8,
+                    },
+                ], 0.8);
+                findings.push(finding);
+            }
+        }
+        return findings;
+    }
+    isKnownSecretVar(varName) {
+        const upperVar = varName.toUpperCase();
+        return KNOWN_SECRET_VARS.some(secret => upperVar === secret || upperVar.includes(secret));
+    }
+}
+exports.EnvironmentSecretReferenceRule = EnvironmentSecretReferenceRule;
+/**
+ * SEC-002: Implicit Secret Access
+ * Access to .env or config files likely containing secrets
+ */
+class ImplicitSecretAccessRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'SEC-002',
+            group: 'secrets',
+            severity: 'medium',
+            title: 'Implicit Secret Access',
+            description: 'Access to .env files or configuration files that commonly contain secrets.',
+            recommendation: 'Avoid accessing secret-containing files. Use environment variables or secure secret stores instead.',
+            tags: ['secrets', 'files', 'configuration'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        // Check actions for file access to secret files
+        for (const action of document.actions) {
+            const secretFiles = action.secrets?.reads_files || [];
+            const paths = action.filesystem?.paths || [];
+            const allPaths = [...secretFiles, ...paths];
+            for (const path of allPaths) {
+                if (this.isSecretFile(path)) {
+                    const confidence = action.evidence[0]?.confidence || 0.85;
+                    if (confidence < minConfidence)
+                        continue;
+                    // Avoid duplicate findings
+                    if (findings.some(f => f.message.includes(path)))
+                        continue;
+                    const finding = this.createFinding(document, action.anchors, `Access to secret-containing file: "${path}".`, [
+                        {
+                            kind: 'heuristic',
+                            value: `Secret file pattern: ${path}`,
+                            confidence,
+                        },
+                    ], confidence);
+                    finding.related_actions.push({
+                        action_type: action.type,
+                        context: action.context,
+                        summary: action.summary,
+                        anchors: action.anchors,
+                    });
+                    findings.push(finding);
+                }
+            }
+        }
+        // Check capability summary for secret file references
+        for (const file of context.capabilitySummary.secrets.files_referenced) {
+            if (this.isSecretFile(file) &&
+                !findings.some(f => f.message.includes(file))) {
+                const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, `Access to secret-containing file: "${file}".`, [
+                    {
+                        kind: 'heuristic',
+                        value: `Secret file referenced: ${file}`,
+                        confidence: 0.75,
+                    },
+                ], 0.75);
+                findings.push(finding);
+            }
+        }
+        return findings;
+    }
+    isSecretFile(path) {
+        const normalizedPath = path.toLowerCase();
+        return SECRET_FILE_PATTERNS.some(pattern => normalizedPath.endsWith(pattern.toLowerCase()) ||
+            normalizedPath.includes(pattern.toLowerCase()));
+    }
+}
+exports.ImplicitSecretAccessRule = ImplicitSecretAccessRule;
+/**
+ * SEC-003: Secret Propagation
+ * Secrets used in shell commands, network calls, or file writes
+ */
+class SecretPropagationRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'SEC-003',
+            group: 'secrets',
+            severity: 'high',
+            title: 'Secret Propagation',
+            description: 'Secrets are propagated to shell commands, network calls, or file writes. This creates exfiltration and logging risks.',
+            recommendation: 'Never propagate secrets through agent actions. Use secure API authentication methods.',
+            tags: ['secrets', 'propagation', 'exfiltration'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        for (const action of document.actions) {
+            const propagatesTo = action.secrets?.propagates_to || [];
+            if (propagatesTo.length === 0)
+                continue;
+            const confidence = action.evidence[0]?.confidence || 0.9;
+            if (confidence < minConfidence)
+                continue;
+            const destinations = propagatesTo.join(', ');
+            const secretVars = action.secrets?.reads_env_vars?.join(', ') || 'secrets';
+            const finding = this.createFinding(document, action.anchors, `Secret propagation detected: ${secretVars} propagated to ${destinations}.`, action.evidence, confidence);
+            finding.related_actions.push({
+                action_type: action.type,
+                context: action.context,
+                summary: action.summary,
+                anchors: action.anchors,
+            });
+            findings.push(finding);
+        }
+        // Check capability summary for propagation
+        if (context.capabilitySummary.secrets.propagation_detected &&
+            findings.length === 0) {
+            const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, 'Secret propagation detected in document capabilities.', [
+                {
+                    kind: 'heuristic',
+                    value: 'secrets.propagation_detected: true',
+                    confidence: 0.8,
+                },
+            ], 0.8);
+            findings.push(finding);
+        }
+        return findings;
+    }
+}
+exports.SecretPropagationRule = SecretPropagationRule;
+// Export all secret rules
+exports.secretRules = [
+    new EnvironmentSecretReferenceRule(),
+    new ImplicitSecretAccessRule(),
+    new SecretPropagationRule(),
+];
+//# sourceMappingURL=secrets.js.map

package/dist/rules/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/rules/secrets.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAGH,iCAAkC;AAGlC,qCAAqC;AACrC,MAAM,iBAAiB,GAAG;IACxB,cAAc;IACd,UAAU;IACV,cAAc;IACd,uBAAuB;IACvB,mBAAmB;IACnB,mBAAmB;IACnB,qBAAqB;IACrB,iBAAiB;IACjB,iBAAiB;IACjB,uBAAuB;IACvB,gCAAgC;IAChC,qBAAqB;IACrB,oBAAoB;IACpB,SAAS;IACT,YAAY;IACZ,YAAY;IACZ,aAAa;IACb,mBAAmB;IACnB,cAAc;IACd,aAAa;IACb,SAAS;IACT,gBAAgB;IAChB,aAAa;IACb,UAAU;IACV,OAAO;IACP,WAAW;IACX,gBAAgB;IAChB,YAAY;IACZ,eAAe;IACf,iBAAiB;IACjB,aAAa;IACb,iBAAiB;IACjB,SAAS;IACT,aAAa;IACb,eAAe;IACf,eAAe;IACf,kBAAkB;IAClB,mBAAmB;IACnB,mBAAmB;IACnB,gBAAgB;IAChB,mBAAmB;IACnB,gBAAgB;IAChB,YAAY;IACZ,gBAAgB;IAChB,eAAe;CAChB,CAAC;AAEF,uBAAuB;AACvB,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,YAAY;IACZ,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,cAAc;IACd,sBAAsB;IACtB,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,qBAAqB;IACrB,kBAAkB;IAClB,cAAc;IACd,QAAQ;IACR,YAAY;IACZ,UAAU;IACV,aAAa;CACd,CAAC;AAEF;;;GAGG;AACH,MAAa,8BAA+B,SAAQ,eAAQ;IAC1D;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,8BAA8B;YACrC,WAAW,EACT,uJAAuJ;YACzJ,cAAc,EACZ,6FAA6F;YAC/F,IAAI,EAAE,CAAC,SAAS,EAAE,aAAa,EAAE,aAAa,CAAC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,EAAE,cAAc,IAAI,EAAE,CAAC;YAExD,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;gBACjC,IAAI,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;oBACzD,IAAI,UAAU,GAAG,aAAa;wBAAE,SAAS;oBAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,8CAA8C,OAAO,8CAA8C,EACnG;wBACE;4BACE,IAAI,EAAE,OAAO;4BACb,KAAK,EAAE,IAAI,OAAO,EAAE;4BACpB,UAAU;yBACX;qBACF,EACD,UAAU,CACX,CAAC;oBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;wBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;wBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;qBACxB,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;YAC5E,IACE,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC;gBAC9B,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAChD,CAAC;gBACD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,8CAA8C,OAAO,GAAG,EACxD;oBACE;wBACE,IAAI,EAAE,WAAW;wBACjB,KAAK,EAAE,+BAA+B,OAAO,EAAE;wBAC/C,UAAU,EAAE,GAAG;qBAChB;iBACF,EACD,GAAG,CACJ,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,gBAAgB,CAAC,OAAe;QACtC,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,OAAO,iBAAiB,CAAC,IAAI,CAC3B,MAAM,CAAC,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC3D,CAAC;IACJ,CAAC;CACF;AArFD,wEAqFC;AAED;;;GAGG;AACH,MAAa,wBAAyB,SAAQ,eAAQ;IACpD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wBAAwB;YAC/B,WAAW,EACT,4EAA4E;YAC9E,cAAc,EACZ,qGAAqG;YACvG,IAAI,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,eAAe,CAAC;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,gDAAgD;QAChD,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,CAAC;YACtD,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;YAE7C,MAAM,QAAQ,GAAG,CAAC,GAAG,WAAW,EAAE,GAAG,KAAK,CAAC,CAAC;YAE5C,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;gBAC5B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,IAAI,CAAC;oBAC1D,IAAI,UAAU,GAAG,aAAa;wBAAE,SAAS;oBAEzC,2BAA2B;oBAC3B,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;wBAAE,SAAS;oBAE3D,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,sCAAsC,IAAI,IAAI,EAC9C;wBACE;4BACE,IAAI,EAAE,WAAW;4BACjB,KAAK,EAAE,wBAAwB,IAAI,EAAE;4BACrC,UAAU;yBACX;qBACF,EACD,UAAU,CACX,CAAC;oBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;wBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;wBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;qBACxB,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;YACtE,IACE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;gBACvB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAC7C,CAAC;gBACD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,sCAAsC,IAAI,IAAI,EAC9C;oBACE;wBACE,IAAI,EAAE,WAAW;wBACjB,KAAK,EAAE,2BAA2B,IAAI,EAAE;wBACxC,UAAU,EAAE,IAAI;qBACjB;iBACF,EACD,IAAI,CACL,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,YAAY,CAAC,IAAY;QAC/B,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,OAAO,oBAAoB,CAAC,IAAI,CAC9B,OAAO,CAAC,EAAE,CACR,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC9C,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CACjD,CAAC;IACJ,CAAC;CACF;AA9FD,4DA8FC;AAED;;;GAGG;AACH,MAAa,qBAAsB,SAAQ,eAAQ;IACjD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,oBAAoB;YAC3B,WAAW,EACT,uHAAuH;YACzH,cAAc,EACZ,uFAAuF;YACzF,IAAI,EAAE,CAAC,SAAS,EAAE,aAAa,EAAE,cAAc,CAAC;SACjD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,EAAE,aAAa,IAAI,EAAE,CAAC;YAEzD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAExC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;YACzD,IAAI,UAAU,GAAG,aAAa;gBAAE,SAAS;YAEzC,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,EAAE,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YAE3E,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,gCAAgC,UAAU,kBAAkB,YAAY,GAAG,EAC3E,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;YAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;gBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;gBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC,CAAC;YAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,2CAA2C;QAC3C,IACE,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,oBAAoB;YACtD,QAAQ,CAAC,MAAM,KAAK,CAAC,EACrB,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,uDAAuD,EACvD;gBACE;oBACE,IAAI,EAAE,WAAW;oBACjB,KAAK,EAAE,oCAAoC;oBAC3C,UAAU,EAAE,GAAG;iBAChB;aACF,EACD,GAAG,CACJ,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAvED,sDAuEC;AAED,0BAA0B;AACb,QAAA,WAAW,GAAG;IACzB,IAAI,8BAA8B,EAAE;IACpC,IAAI,wBAAwB,EAAE;IAC9B,IAAI,qBAAqB,EAAE;CAC5B,CAAC"}

package/dist/rules/types.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Rule types and interfaces
+ */
+import { AgentDocument, Finding, Severity, CapabilitySummary } from '../ir/types';
+/**
+ * Rule groups as defined in the taxonomy
+ */
+export type RuleGroup = 'execution' | 'filesystem' | 'network' | 'secrets' | 'hook' | 'instruction' | 'scope' | 'observability';
+/**
+ * Rule definition metadata
+ */
+export interface RuleDefinition {
+    id: string;
+    group: RuleGroup;
+    severity: Severity;
+    title: string;
+    description: string;
+    recommendation: string;
+    tags: string[];
+}
+/**
+ * Rule evaluation context
+ */
+export interface RuleContext {
+    document: AgentDocument;
+    allDocuments: AgentDocument[];
+    capabilitySummary: CapabilitySummary;
+    minConfidence: number;
+}
+/**
+ * Rule evaluation result
+ */
+export interface RuleResult {
+    rule: RuleDefinition;
+    findings: Finding[];
+}
+/**
+ * Base rule interface
+ */
+export interface Rule {
+    /**
+     * Get rule definition/metadata
+     */
+    getDefinition(): RuleDefinition;
+    /**
+     * Evaluate the rule against a document
+     */
+    evaluate(context: RuleContext): Finding[];
+}
+/**
+ * Rule engine options
+ */
+export interface RuleEngineOptions {
+    minConfidence: number;
+    disabledRules: string[];
+    severityOverrides: Record<string, Severity>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/rules/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/rules/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAElF;;GAEG;AACH,MAAM,MAAM,SAAS,GACjB,WAAW,GACX,YAAY,GACZ,SAAS,GACT,SAAS,GACT,MAAM,GACN,aAAa,GACb,OAAO,GACP,eAAe,CAAC;AAEpB;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,SAAS,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,aAAa,CAAC;IACxB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB;;OAEG;IACH,aAAa,IAAI,cAAc,CAAC;IAEhC;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC7C"}

package/dist/rules/types.js

@@ -0,0 +1,6 @@
+"use strict";
+/**
+ * Rule types and interfaces
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/rules/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/rules/types.ts"],"names":[],"mappings":";AAAA;;GAEG"}

package/dist/scanner.d.ts

@@ -0,0 +1,61 @@
+/**
+ * AgentLint Scanner
+ * Core orchestration for parsing, rule evaluation, and report generation
+ */
+import { AgentDocument, CapabilitySummary, Finding, PermissionManifest, ScanStatus } from './ir/types';
+import { PolicyConfig } from './policy/types';
+import { ReportData } from './reports/types';
+export interface ScanOptions {
+    root: string;
+    include: string[];
+    exclude: string[];
+    policy: PolicyConfig;
+    ciMode: boolean;
+}
+export interface ScanResult {
+    documents: AgentDocument[];
+    findings: Finding[];
+    capabilitySummary: CapabilitySummary;
+    recommendedPermissions: PermissionManifest;
+    status: ScanStatus;
+    exitCode: number;
+    errors: string[];
+}
+/**
+ * Main scanner class
+ */
+export declare class Scanner {
+    private parserFactory;
+    private ruleEngine;
+    private options;
+    constructor(options?: Partial<ScanOptions>);
+    /**
+     * Run the scan
+     */
+    scan(): Promise<ScanResult>;
+    /**
+     * Find files matching the include/exclude patterns
+     */
+    private findFiles;
+    /**
+     * Compute capability summary from all documents
+     */
+    private computeCapabilitySummary;
+    /**
+     * Generate recommended permission manifest based on detected capabilities
+     */
+    private generateRecommendedPermissions;
+    private isBroadPath;
+    private isDynamicCommand;
+    /**
+     * Determine scan status and exit code based on findings
+     */
+    private determineStatus;
+    private createEmptyCapabilitySummary;
+    private createEmptyPermissionManifest;
+    /**
+     * Create report data for output generation
+     */
+    createReportData(result: ScanResult): ReportData;
+}
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,EACL,aAAa,EAEb,iBAAiB,EAEjB,OAAO,EACP,kBAAkB,EAElB,UAAU,EAIX,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,YAAY,EAAkB,MAAM,gBAAgB,CAAC;AAE9D,OAAO,EAAE,UAAU,EAAiB,MAAM,iBAAiB,CAAC;AAE5D,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,sBAAsB,EAAE,kBAAkB,CAAC;IAC3C,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,OAAO;IAClB,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,OAAO,CAAc;gBAEjB,OAAO,GAAE,OAAO,CAAC,WAAW,CAAM;IAsB9C;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,UAAU,CAAC;IAiEjC;;OAEG;YACW,SAAS;IAuBvB;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAwHhC;;OAEG;IACH,OAAO,CAAC,8BAA8B;IAkCtC,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,gBAAgB;IAMxB;;OAEG;IACH,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,4BAA4B;IAWpC,OAAO,CAAC,6BAA6B;IAarC;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU;CAkFjD"}