agentlint 0.1.0

package/dist/cli/index.js

@@ -0,0 +1,351 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * AgentLint CLI
+ * Static analysis and security scanner for AI agent configuration files
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const scanner_1 = require("../scanner");
+const loader_1 = require("../policy/loader");
+const engine_1 = require("../rules/engine");
+const reports_1 = require("../reports");
+const diff_1 = require("../diff");
+const VERSION = '0.1.0';
+const program = new commander_1.Command();
+program
+    .name('agentlint')
+    .description('Static analysis and security scanner for AI agent configuration files')
+    .version(VERSION);
+// Global options
+program
+    .option('--config <path>', 'Path to agentlint config file')
+    .option('--format <fmt>', 'Output format: text|json|sarif', 'text')
+    .option('--output <path>', 'Write output to file instead of stdout')
+    .option('--no-color', 'Disable ANSI colors')
+    .option('--quiet', 'Only print errors')
+    .option('--verbose', 'Extra parsing/evidence details')
+    .option('--fail-on <level>', 'Severity threshold for failure: none|low|medium|high', 'high')
+    .option('--warn-on <level>', 'Severity threshold for warning: none|low|medium|high', 'medium')
+    .option('--timeout <duration>', 'Timeout duration (e.g., 2s, 5s)', '10s');
+// Scan command
+program
+    .command('scan [path]')
+    .description('Scan a directory for agent configuration files')
+    .option('--ci', 'CI mode: no prompts, stable output, enforce gating')
+    .option('--include <glob>', 'Include extra files (repeatable)', collect, [])
+    .option('--exclude <glob>', 'Exclude files/paths (repeatable)', collect, [])
+    .option('--tool <tool>', 'Tool mode: claude|cursor|auto', 'auto')
+    .option('--emit-ir', 'Include IR in JSON output')
+    .option('--permissions-only', 'Output only recommended permission manifest')
+    .action(async (scanPath, options) => {
+    const globalOpts = program.opts();
+    const targetPath = scanPath || process.cwd();
+    // Load policy
+    const policyResult = (0, loader_1.loadPolicy)(globalOpts.config, targetPath);
+    if (policyResult.errors.length > 0) {
+        console.error('Configuration errors:');
+        policyResult.errors.forEach(e => console.error(`  ${e}`));
+        process.exit(3);
+    }
+    const policy = policyResult.config;
+    // Apply CLI overrides
+    if (globalOpts.failOn) {
+        policy.policy.fail_on = globalOpts.failOn;
+    }
+    if (globalOpts.warnOn) {
+        policy.policy.warn_on = globalOpts.warnOn;
+    }
+    if (options.ci) {
+        policy.policy.ci_mode = true;
+    }
+    if (options.include.length > 0) {
+        policy.scan.include.push(...options.include);
+    }
+    if (options.exclude.length > 0) {
+        policy.scan.exclude.push(...options.exclude);
+    }
+    if (options.tool !== 'auto') {
+        policy.scan.tool_mode = options.tool;
+    }
+    // Validate policy
+    const validationErrors = (0, loader_1.validatePolicy)(policy);
+    if (validationErrors.length > 0) {
+        console.error('Policy validation errors:');
+        validationErrors.forEach(e => console.error(`  ${e}`));
+        process.exit(3);
+    }
+    // Run scanner
+    const scanner = new scanner_1.Scanner({
+        root: path.resolve(targetPath),
+        include: policy.scan.include,
+        exclude: policy.scan.exclude,
+        policy,
+        ciMode: options.ci || false,
+    });
+    try {
+        const result = await scanner.scan();
+        // Handle permissions-only mode
+        if (options.permissionsOnly) {
+            const output = JSON.stringify(result.recommendedPermissions, null, 2);
+            writeOutput(output, globalOpts.output);
+            process.exit(result.exitCode);
+        }
+        // Generate report
+        const reportData = scanner.createReportData(result);
+        const reportOptions = {
+            format: globalOpts.format,
+            color: globalOpts.color !== false && !options.ci,
+            includeRecommendations: policy.output.include_recommendations,
+            includePermissionManifest: policy.output.include_permission_manifest,
+            includeIR: options.emitIr || false,
+            verbose: globalOpts.verbose || false,
+        };
+        const output = (0, reports_1.generateReport)(reportData, reportOptions);
+        if (!globalOpts.quiet) {
+            writeOutput(output, globalOpts.output);
+        }
+        process.exit(result.exitCode);
+    }
+    catch (error) {
+        console.error('Scan failed:', error instanceof Error ? error.message : String(error));
+        process.exit(5);
+    }
+});
+// Diff command
+program
+    .command('diff <base> <target>')
+    .description('Compare two versions and report behavioral changes')
+    .option('--fail-on-change <type>', 'Change types that trigger failure (repeatable)', collect, [])
+    .action(async (baseRef, targetRef, options) => {
+    const globalOpts = program.opts();
+    // Load policy
+    const policyResult = (0, loader_1.loadPolicy)(globalOpts.config);
+    if (policyResult.errors.length > 0) {
+        console.error('Configuration errors:');
+        policyResult.errors.forEach(e => console.error(`  ${e}`));
+        process.exit(3);
+    }
+    const policy = policyResult.config;
+    // For now, we only support directory-based diff
+    // Git ref support would require additional implementation
+    if (!fs.existsSync(baseRef) || !fs.existsSync(targetRef)) {
+        console.error('Error: Both base and target must be existing directories');
+        console.error('Git ref support is planned for a future version.');
+        process.exit(2);
+    }
+    try {
+        // Scan both directories
+        const baseScanner = new scanner_1.Scanner({
+            root: path.resolve(baseRef),
+            policy,
+            ciMode: true,
+        });
+        const targetScanner = new scanner_1.Scanner({
+            root: path.resolve(targetRef),
+            policy,
+            ciMode: true,
+        });
+        const baseResult = await baseScanner.scan();
+        const targetResult = await targetScanner.scan();
+        // Compare results
+        const failOn = options.failOnChange.length > 0
+            ? options.failOnChange
+            : policy.diff.fail_on;
+        const diffResult = (0, diff_1.compareScanResults)(baseResult, targetResult, baseRef, targetRef, {
+            policy,
+            failOn,
+            warnOn: policy.diff.warn_on,
+        });
+        // Generate report
+        const reportData = targetScanner.createReportData(targetResult);
+        reportData.diff = diffResult;
+        reportData.status = diffResult.summary.status;
+        reportData.exitCode = diffResult.summary.exit_code;
+        const reportOptions = {
+            format: globalOpts.format,
+            color: globalOpts.color !== false,
+            includeRecommendations: true,
+            includePermissionManifest: false,
+            includeIR: false,
+            verbose: globalOpts.verbose || false,
+        };
+        const output = (0, reports_1.generateDiffReport)(reportData, reportOptions);
+        if (!globalOpts.quiet) {
+            writeOutput(output, globalOpts.output);
+        }
+        process.exit(diffResult.summary.exit_code);
+    }
+    catch (error) {
+        console.error('Diff failed:', error instanceof Error ? error.message : String(error));
+        process.exit(5);
+    }
+});
+// Rules command with subcommands
+const rulesCommand = program
+    .command('rules')
+    .description('List and explain available rules');
+rulesCommand
+    .command('list')
+    .description('List all available rules')
+    .option('--group <group>', 'Filter by rule group')
+    .action((options) => {
+    const globalOpts = program.opts();
+    const engine = new engine_1.RuleEngine();
+    let rules = engine.getAllRules();
+    if (options.group) {
+        rules = rules.filter(r => r.group === options.group);
+    }
+    if (globalOpts.format === 'json') {
+        console.log(JSON.stringify(rules, null, 2));
+    }
+    else {
+        console.log('Available rules:\n');
+        for (const rule of rules) {
+            const severity = rule.severity.toUpperCase().padEnd(6);
+            console.log(`  ${severity} ${rule.id.padEnd(10)} ${rule.title}`);
+        }
+        console.log(`\nTotal: ${rules.length} rules`);
+    }
+});
+rulesCommand
+    .command('explain <ruleId>')
+    .description('Show detailed information about a rule')
+    .action((ruleId) => {
+    const globalOpts = program.opts();
+    const engine = new engine_1.RuleEngine();
+    const rule = engine.getRuleDefinition(ruleId.toUpperCase());
+    if (!rule) {
+        console.error(`Rule not found: ${ruleId}`);
+        process.exit(2);
+    }
+    if (globalOpts.format === 'json') {
+        console.log(JSON.stringify(rule, null, 2));
+    }
+    else {
+        console.log(`Rule: ${rule.id}`);
+        console.log(`Title: ${rule.title}`);
+        console.log(`Group: ${rule.group}`);
+        console.log(`Severity: ${rule.severity.toUpperCase()}`);
+        console.log(`\nDescription:`);
+        console.log(`  ${rule.description}`);
+        console.log(`\nRecommendation:`);
+        console.log(`  ${rule.recommendation}`);
+        console.log(`\nTags: ${rule.tags.join(', ')}`);
+    }
+});
+// Init command
+program
+    .command('init')
+    .description('Create a default configuration file')
+    .option('--ci <platform>', 'Include CI configuration (github)', '')
+    .action((options) => {
+    const configPath = 'agentlint.yaml';
+    if (fs.existsSync(configPath)) {
+        console.error(`Configuration file already exists: ${configPath}`);
+        process.exit(2);
+    }
+    const config = (0, loader_1.generateDefaultConfig)();
+    fs.writeFileSync(configPath, config);
+    console.log(`Created configuration file: ${configPath}`);
+    if (options.ci === 'github') {
+        const workflowDir = '.github/workflows';
+        const workflowPath = path.join(workflowDir, 'agentlint.yaml');
+        if (!fs.existsSync(workflowDir)) {
+            fs.mkdirSync(workflowDir, { recursive: true });
+        }
+        const workflow = `name: AgentLint
+
+on:
+  pull_request:
+    paths:
+      - ".claude/**"
+      - ".cursorrules"
+      - "CLAUDE.md"
+      - "AGENTS.md"
+
+jobs:
+  agentlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install agentlint
+        run: npm install -g agentlint
+
+      - name: Scan
+        run: agentlint scan --ci --format sarif --output agentlint.sarif
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: agentlint.sarif
+`;
+        fs.writeFileSync(workflowPath, workflow);
+        console.log(`Created GitHub Actions workflow: ${workflowPath}`);
+    }
+});
+// Version command (explicit)
+program
+    .command('version')
+    .description('Show version information')
+    .action(() => {
+    console.log(`agentlint ${VERSION}`);
+    console.log(`Node.js ${process.version}`);
+    console.log(`Platform: ${process.platform} ${process.arch}`);
+});
+// Helper functions
+function collect(value, previous) {
+    return previous.concat([value]);
+}
+function writeOutput(content, outputPath) {
+    if (outputPath) {
+        fs.writeFileSync(outputPath, content);
+    }
+    else {
+        console.log(content);
+    }
+}
+// Parse and execute
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;AACA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,yCAAoC;AACpC,uCAAyB;AACzB,2CAA6B;AAC7B,wCAAqC;AACrC,6CAAqF;AACrF,4CAA6C;AAC7C,wCAAgE;AAEhE,kCAA6C;AAE7C,MAAM,OAAO,GAAG,OAAO,CAAC;AAExB,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,uEAAuE,CAAC;KACpF,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,iBAAiB;AACjB,OAAO;KACJ,MAAM,CAAC,iBAAiB,EAAE,+BAA+B,CAAC;KAC1D,MAAM,CAAC,gBAAgB,EAAE,gCAAgC,EAAE,MAAM,CAAC;KAClE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,YAAY,EAAE,qBAAqB,CAAC;KAC3C,MAAM,CAAC,SAAS,EAAE,mBAAmB,CAAC;KACtC,MAAM,CAAC,WAAW,EAAE,gCAAgC,CAAC;KACrD,MAAM,CAAC,mBAAmB,EAAE,sDAAsD,EAAE,MAAM,CAAC;KAC3F,MAAM,CAAC,mBAAmB,EAAE,sDAAsD,EAAE,QAAQ,CAAC;KAC7F,MAAM,CAAC,sBAAsB,EAAE,iCAAiC,EAAE,KAAK,CAAC,CAAC;AAE5E,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,aAAa,CAAC;KACtB,WAAW,CAAC,gDAAgD,CAAC;KAC7D,MAAM,CAAC,MAAM,EAAE,oDAAoD,CAAC;KACpE,MAAM,CAAC,kBAAkB,EAAE,kCAAkC,EAAE,OAAO,EAAE,EAAE,CAAC;KAC3E,MAAM,CAAC,kBAAkB,EAAE,kCAAkC,EAAE,OAAO,EAAE,EAAE,CAAC;KAC3E,MAAM,CAAC,eAAe,EAAE,+BAA+B,EAAE,MAAM,CAAC;KAChE,MAAM,CAAC,WAAW,EAAE,2BAA2B,CAAC;KAChD,MAAM,CAAC,oBAAoB,EAAE,6CAA6C,CAAC;KAC3E,MAAM,CAAC,KAAK,EAAE,QAA4B,EAAE,OAAO,EAAE,EAAE;IACtD,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAClC,MAAM,UAAU,GAAG,QAAQ,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAE7C,cAAc;IACd,MAAM,YAAY,GAAG,IAAA,mBAAU,EAAC,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAC/D,IAAI,YAAY,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACvC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC;IAEnC,sBAAsB;IACtB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,CAAC,MAAM,CAAC,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC;IAC5C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,CAAC,MAAM,CAAC,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC;IAC5C,CAAC;IACD,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,CAAC,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;IAC/B,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IACvC,CAAC;IAED,kBAAkB;IAClB,MAAM,gBAAgB,GAAG,IAAA,uBAAc,EAAC,MAAM,CAAC,CAAC;IAChD,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC3C,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,cAAc;IACd,MAAM,OAAO,GAAG,IAAI,iBAAO,CAAC;QAC1B,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QAC9B,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;QAC5B,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;QAC5B,MAAM;QACN,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,KAAK;KAC5B,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QAEpC,+BAA+B;QAC/B,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YACtE,WAAW,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;QAED,kBAAkB;QAClB,MAAM,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACpD,MAAM,aAAa,GAAkB;YACnC,MAAM,EAAE,UAAU,CAAC,MAAsB;YACzC,KAAK,EAAE,UAAU,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,OAAO,CAAC,EAAE;YAChD,sBAAsB,EAAE,MAAM,CAAC,MAAM,CAAC,uBAAuB;YAC7D,yBAAyB,EAAE,MAAM,CAAC,MAAM,CAAC,2BAA2B;YACpE,SAAS,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;YAClC,OAAO,EAAE,UAAU,CAAC,OAAO,IAAI,KAAK;SACrC,CAAC;QAEF,MAAM,MAAM,GAAG,IAAA,wBAAc,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAEzD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,WAAW,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,sBAAsB,CAAC;KAC/B,WAAW,CAAC,oDAAoD,CAAC;KACjE,MAAM,CAAC,yBAAyB,EAAE,gDAAgD,EAAE,OAAO,EAAE,EAAE,CAAC;KAChG,MAAM,CAAC,KAAK,EAAE,OAAe,EAAE,SAAiB,EAAE,OAAO,EAAE,EAAE;IAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAElC,cAAc;IACd,MAAM,YAAY,GAAG,IAAA,mBAAU,EAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,YAAY,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACvC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC;IAEnC,gDAAgD;IAChD,0DAA0D;IAC1D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACzD,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC1E,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,wBAAwB;QACxB,MAAM,WAAW,GAAG,IAAI,iBAAO,CAAC;YAC9B,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;YAC3B,MAAM;YACN,MAAM,EAAE,IAAI;SACb,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,IAAI,iBAAO,CAAC;YAChC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;YAC7B,MAAM;YACN,MAAM,EAAE,IAAI;SACb,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;QAEhD,kBAAkB;QAClB,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;YAC5C,CAAC,CAAC,OAAO,CAAC,YAAY;YACtB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;QAExB,MAAM,UAAU,GAAG,IAAA,yBAAkB,EACnC,UAAU,EACV,YAAY,EACZ,OAAO,EACP,SAAS,EACT;YACE,MAAM;YACN,MAAM;YACN,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO;SAC5B,CACF,CAAC;QAEF,kBAAkB;QAClB,MAAM,UAAU,GAAG,aAAa,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;QAChE,UAAU,CAAC,IAAI,GAAG,UAAU,CAAC;QAC7B,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC;QAC9C,UAAU,CAAC,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC;QAEnD,MAAM,aAAa,GAAkB;YACnC,MAAM,EAAE,UAAU,CAAC,MAAsB;YACzC,KAAK,EAAE,UAAU,CAAC,KAAK,KAAK,KAAK;YACjC,sBAAsB,EAAE,IAAI;YAC5B,yBAAyB,EAAE,KAAK;YAChC,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,UAAU,CAAC,OAAO,IAAI,KAAK;SACrC,CAAC;QAEF,MAAM,MAAM,GAAG,IAAA,4BAAkB,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAE7D,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,WAAW,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,iCAAiC;AACjC,MAAM,YAAY,GAAG,OAAO;KACzB,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,kCAAkC,CAAC,CAAC;AAEnD,YAAY;KACT,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,0BAA0B,CAAC;KACvC,MAAM,CAAC,iBAAiB,EAAE,sBAAsB,CAAC;KACjD,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE;IAClB,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,IAAI,mBAAU,EAAE,CAAC;IAChC,IAAI,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEjC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,MAAM,QAAQ,CAAC,CAAC;IAChD,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,YAAY;KACT,OAAO,CAAC,kBAAkB,CAAC;KAC3B,WAAW,CAAC,wCAAwC,CAAC;KACrD,MAAM,CAAC,CAAC,MAAc,EAAE,EAAE;IACzB,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,IAAI,mBAAU,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAE5D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjD,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,qCAAqC,CAAC;KAClD,MAAM,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,EAAE,CAAC;KAClE,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE;IAClB,MAAM,UAAU,GAAG,gBAAgB,CAAC;IAEpC,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,sCAAsC,UAAU,EAAE,CAAC,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,8BAAqB,GAAE,CAAC;IACvC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,+BAA+B,UAAU,EAAE,CAAC,CAAC;IAEzD,IAAI,OAAO,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG,mBAAmB,CAAC;QACxC,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QAE9D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,QAAQ,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BtB,CAAC;QAEI,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,oCAAoC,YAAY,EAAE,CAAC,CAAC;IAClE,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,6BAA6B;AAC7B,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,0BAA0B,CAAC;KACvC,MAAM,CAAC,GAAG,EAAE;IACX,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,EAAE,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;AAC/D,CAAC,CAAC,CAAC;AAEL,mBAAmB;AACnB,SAAS,OAAO,CAAC,KAAa,EAAE,QAAkB;IAChD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,WAAW,CAAC,OAAe,EAAE,UAAmB;IACvD,IAAI,UAAU,EAAE,CAAC;QACf,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,oBAAoB;AACpB,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/diff/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Diff functionality for comparing agent configuration versions
+ */
+import { DiffResult } from '../ir/types';
+import { ScanResult } from '../scanner';
+import { PolicyConfig } from '../policy/types';
+export interface DiffOptions {
+    policy: PolicyConfig;
+    failOn: string[];
+    warnOn: string[];
+}
+/**
+ * Compare two scan results and generate a diff
+ */
+export declare function compareScanResults(base: ScanResult, target: ScanResult, baseRef: string, targetRef: string, options: DiffOptions): DiffResult;
+//# sourceMappingURL=index.d.ts.map

package/dist/diff/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/diff/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAiC,UAAU,EAAiC,MAAM,aAAa,CAAC;AACvG,OAAO,EAAE,UAAU,EAAwB,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAG/C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,UAAU,EAChB,MAAM,EAAE,UAAU,EAClB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,WAAW,GACnB,UAAU,CAkDZ"}

package/dist/diff/index.js

@@ -0,0 +1,204 @@
+"use strict";
+/**
+ * Diff functionality for comparing agent configuration versions
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.compareScanResults = compareScanResults;
+const hash_1 = require("../utils/hash");
+/**
+ * Compare two scan results and generate a diff
+ */
+function compareScanResults(base, target, baseRef, targetRef, options) {
+    const changes = [];
+    // Detect capability expansions
+    const capabilityChanges = detectCapabilityChanges(base.capabilitySummary, target.capabilitySummary);
+    changes.push(...capabilityChanges);
+    // Detect new findings
+    const newFindings = findNewFindings(base.findings, target.findings);
+    const resolvedFindings = findNewFindings(target.findings, base.findings);
+    // Count new high findings
+    const newHighFindings = newFindings.filter(f => f.severity === 'high').length;
+    // Determine if capability expansion occurred
+    const capabilityExpansion = capabilityChanges.some(c => c.type === 'capability_expansion' ||
+        c.type === 'network_new_outbound' ||
+        c.type === 'shell_dynamic_introduced');
+    // Determine status based on changes
+    const { status, exitCode } = determineDiffStatus(changes, newFindings, options);
+    return {
+        base: {
+            ref: baseRef,
+            tree_hash: (0, hash_1.generateId)('hash'),
+        },
+        target: {
+            ref: targetRef,
+            tree_hash: (0, hash_1.generateId)('hash'),
+        },
+        summary: {
+            capability_expansion: capabilityExpansion,
+            new_high_findings: newHighFindings,
+            status,
+            exit_code: exitCode,
+        },
+        changes,
+        new_findings: newFindings,
+        resolved_findings: resolvedFindings,
+    };
+}
+/**
+ * Detect capability changes between two summaries
+ */
+function detectCapabilityChanges(base, target) {
+    const changes = [];
+    // Shell execution changes
+    if (!base.shell_exec.enabled && target.shell_exec.enabled) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'capability_expansion',
+            severity: 'high',
+            message: 'shell_exec.enabled: false → true',
+            details: { field: 'shell_exec.enabled', from: false, to: true },
+        });
+    }
+    if (!base.shell_exec.dynamic_detected && target.shell_exec.dynamic_detected) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'shell_dynamic_introduced',
+            severity: 'high',
+            message: 'shell_exec.dynamic: false → true',
+            details: { field: 'shell_exec.dynamic_detected', from: false, to: true },
+        });
+    }
+    // Network changes
+    if (!base.network.outbound && target.network.outbound) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'network_new_outbound',
+            severity: 'high',
+            message: 'network.outbound: false → true',
+            details: { field: 'network.outbound', from: false, to: true },
+        });
+    }
+    if (!base.network.inbound && target.network.inbound) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'network_expansion',
+            severity: 'medium',
+            message: 'network.inbound: false → true',
+            details: { field: 'network.inbound', from: false, to: true },
+        });
+    }
+    if (!base.network.fetches_executable && target.network.fetches_executable) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'capability_expansion',
+            severity: 'high',
+            message: 'network.fetches_executable: false → true',
+            details: { field: 'network.fetches_executable', from: false, to: true },
+        });
+    }
+    // Context changes
+    if (!base.contexts.has_hooks && target.contexts.has_hooks) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'context_change_to_hook',
+            severity: 'high',
+            message: 'Hooks added to configuration',
+            details: { field: 'contexts.has_hooks', from: false, to: true },
+        });
+    }
+    if (!base.contexts.has_ci_context && target.contexts.has_ci_context) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'context_change_to_ci',
+            severity: 'medium',
+            message: 'CI context added to configuration',
+            details: { field: 'contexts.has_ci_context', from: false, to: true },
+        });
+    }
+    // Filesystem changes
+    const newSensitivePaths = target.filesystem.touches_sensitive_paths.filter(p => !base.filesystem.touches_sensitive_paths.includes(p));
+    if (newSensitivePaths.length > 0) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'sensitive_path_newly_touched',
+            severity: 'high',
+            message: `New sensitive paths touched: ${newSensitivePaths.join(', ')}`,
+            details: { new_paths: newSensitivePaths },
+        });
+    }
+    // Write scope widening
+    const broadPatterns = ['**/*', '**', '*'];
+    const targetHasBroad = target.filesystem.write.some(w => broadPatterns.includes(w));
+    const baseHadBroad = base.filesystem.write.some(w => broadPatterns.includes(w));
+    if (targetHasBroad && !baseHadBroad) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'write_scope_widening_to_all',
+            severity: 'high',
+            message: 'Write scope widened to include all files',
+            details: {
+                base_writes: base.filesystem.write,
+                target_writes: target.filesystem.write,
+            },
+        });
+    }
+    // Secrets changes
+    const newSecretVars = target.secrets.env_vars_referenced.filter(v => !base.secrets.env_vars_referenced.includes(v));
+    if (newSecretVars.length > 0) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'capability_expansion',
+            severity: 'high',
+            message: `New secret variables referenced: ${newSecretVars.join(', ')}`,
+            details: { new_secret_vars: newSecretVars },
+        });
+    }
+    if (!base.secrets.propagation_detected && target.secrets.propagation_detected) {
+        changes.push({
+            change_id: (0, hash_1.generateId)('change'),
+            type: 'capability_expansion',
+            severity: 'high',
+            message: 'Secret propagation detected',
+            details: { field: 'secrets.propagation_detected', from: false, to: true },
+        });
+    }
+    return changes;
+}
+/**
+ * Find findings that exist in target but not in base
+ */
+function findNewFindings(base, target) {
+    const baseFingerprints = new Set(base.map(f => f.fingerprints.stable));
+    return target.filter(f => !baseFingerprints.has(f.fingerprints.stable));
+}
+/**
+ * Determine diff status based on changes and new findings
+ */
+function determineDiffStatus(changes, newFindings, options) {
+    // Check fail conditions
+    for (const changeType of options.failOn) {
+        if (changes.some(c => c.type === changeType)) {
+            return { status: 'fail', exitCode: 1 };
+        }
+    }
+    // Check if new high findings
+    if (options.failOn.includes('new_high_findings')) {
+        if (newFindings.some(f => f.severity === 'high')) {
+            return { status: 'fail', exitCode: 1 };
+        }
+    }
+    // Check warn conditions
+    for (const changeType of options.warnOn) {
+        if (changes.some(c => c.type === changeType)) {
+            return { status: 'warn', exitCode: 0 };
+        }
+    }
+    // Check if new medium findings
+    if (options.warnOn.includes('new_medium_findings')) {
+        if (newFindings.some(f => f.severity === 'medium')) {
+            return { status: 'warn', exitCode: 0 };
+        }
+    }
+    return { status: 'pass', exitCode: 0 };
+}
+//# sourceMappingURL=index.js.map

package/dist/diff/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/diff/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAgBH,gDAwDC;AAnED,wCAA2C;AAQ3C;;GAEG;AACH,SAAgB,kBAAkB,CAChC,IAAgB,EAChB,MAAkB,EAClB,OAAe,EACf,SAAiB,EACjB,OAAoB;IAEpB,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,+BAA+B;IAC/B,MAAM,iBAAiB,GAAG,uBAAuB,CAC/C,IAAI,CAAC,iBAAiB,EACtB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;IAEnC,sBAAsB;IACtB,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpE,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEzE,0BAA0B;IAC1B,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAE9E,6CAA6C;IAC7C,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACrD,CAAC,CAAC,IAAI,KAAK,sBAAsB;QACjC,CAAC,CAAC,IAAI,KAAK,sBAAsB;QACjC,CAAC,CAAC,IAAI,KAAK,0BAA0B,CACtC,CAAC;IAEF,oCAAoC;IACpC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,mBAAmB,CAC9C,OAAO,EACP,WAAW,EACX,OAAO,CACR,CAAC;IAEF,OAAO;QACL,IAAI,EAAE;YACJ,GAAG,EAAE,OAAO;YACZ,SAAS,EAAE,IAAA,iBAAU,EAAC,MAAM,CAAC;SAC9B;QACD,MAAM,EAAE;YACN,GAAG,EAAE,SAAS;YACd,SAAS,EAAE,IAAA,iBAAU,EAAC,MAAM,CAAC;SAC9B;QACD,OAAO,EAAE;YACP,oBAAoB,EAAE,mBAAmB;YACzC,iBAAiB,EAAE,eAAe;YAClC,MAAM;YACN,SAAS,EAAE,QAAQ;SACpB;QACD,OAAO;QACP,YAAY,EAAE,WAAW;QACzB,iBAAiB,EAAE,gBAAgB;KACpC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,IAAuB,EACvB,MAAyB;IAEzB,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,0BAA0B;IAC1B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,sBAAsB;YAC5B,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,kCAAkC;YAC3C,OAAO,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SAChE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,gBAAgB,IAAI,MAAM,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;QAC5E,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,0BAA0B;YAChC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,kCAAkC;YAC3C,OAAO,EAAE,EAAE,KAAK,EAAE,6BAA6B,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SACzE,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,sBAAsB;YAC5B,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,gCAAgC;YACzC,OAAO,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SAC9D,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,mBAAmB;YACzB,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,+BAA+B;YACxC,OAAO,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SAC7D,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,IAAI,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC1E,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,sBAAsB;YAC5B,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,0CAA0C;YACnD,OAAO,EAAE,EAAE,KAAK,EAAE,4BAA4B,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SACxE,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,wBAAwB;YAC9B,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,8BAA8B;YACvC,OAAO,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SAChE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QACpE,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,sBAAsB;YAC5B,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,mCAAmC;YAC5C,OAAO,EAAE,EAAE,KAAK,EAAE,yBAAyB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SACrE,CAAC,CAAC;IACL,CAAC;IAED,qBAAqB;IACrB,MAAM,iBAAiB,GAAG,MAAM,CAAC,UAAU,CAAC,uBAAuB,CAAC,MAAM,CACxE,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC1D,CAAC;IACF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,8BAA8B;YACpC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,gCAAgC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACvE,OAAO,EAAE,EAAE,SAAS,EAAE,iBAAiB,EAAE;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,uBAAuB;IACvB,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAEhF,IAAI,cAAc,IAAI,CAAC,YAAY,EAAE,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,6BAA6B;YACnC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,0CAA0C;YACnD,OAAO,EAAE;gBACP,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK;gBAClC,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,KAAK;aACvC;SACF,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,MAAM,CAC7D,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,CACnD,CAAC;IACF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,sBAAsB;YAC5B,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,oCAAoC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACvE,OAAO,EAAE,EAAE,eAAe,EAAE,aAAa,EAAE;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,IAAI,MAAM,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC;QAC9E,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,IAAA,iBAAU,EAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,sBAAsB;YAC5B,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,6BAA6B;YACtC,OAAO,EAAE,EAAE,KAAK,EAAE,8BAA8B,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE;SAC1E,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAe,EAAE,MAAiB;IACzD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;IACvE,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,OAAqB,EACrB,WAAsB,EACtB,OAAoB;IAEpB,wBAAwB;IACxB,KAAK,MAAM,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,EAAE,CAAC;YAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACjD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,CAAC;YACjD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,KAAK,MAAM,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,EAAE,CAAC;YAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,IAAI,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC;QACnD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;AACzC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * AgentLint - Static analysis and security scanner for AI agent configuration files
+ *
+ * @packageDocumentation
+ */
+export * from './ir/types';
+export * from './parsers';
+export * from './rules';
+export { generateReport, generateDiffReport } from './reports';
+export { TextReportGenerator, generateDiffTextReport } from './reports/text';
+export { JsonReportGenerator, generateDiffJsonReport } from './reports/json';
+export { SarifReportGenerator, generateDiffSarifReport } from './reports/sarif';
+export type { ReportOptions, ReportData, ReportFormat } from './reports/types';
+export { loadPolicy, validatePolicy, generateDefaultConfig } from './policy/loader';
+export { DEFAULT_POLICY } from './policy/types';
+export type { PolicyConfig as AgentLintPolicyConfig } from './policy/types';
+export { Scanner } from './scanner';
+export type { ScanOptions, ScanResult } from './scanner';
+export { compareScanResults } from './diff';
+export type { DiffOptions } from './diff';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,cAAc,YAAY,CAAC;AAG3B,cAAc,WAAW,CAAC;AAG1B,cAAc,SAAS,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAC7E,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAChF,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAG/E,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACpF,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,YAAY,EAAE,YAAY,IAAI,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAG5E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAGzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,QAAQ,CAAC;AAC5C,YAAY,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC"}