agentlint 0.1.0

package/dist/policy/loader.js

@@ -0,0 +1,252 @@
+"use strict";
+/**
+ * Policy configuration loader
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadPolicy = loadPolicy;
+exports.validatePolicy = validatePolicy;
+exports.generateDefaultConfig = generateDefaultConfig;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const YAML = __importStar(require("yaml"));
+const types_1 = require("./types");
+const CONFIG_FILE_NAMES = [
+    'agentlint.yaml',
+    'agentlint.yml',
+    '.agentlint.yaml',
+    '.agentlint.yml',
+    '.agentlint/agentlint.yaml',
+    '.agentlint/agentlint.yml',
+];
+/**
+ * Load policy configuration from file or defaults
+ */
+function loadPolicy(configPath, workingDir) {
+    const errors = [];
+    const warnings = [];
+    const cwd = workingDir || process.cwd();
+    // If explicit config path provided
+    if (configPath) {
+        const absolutePath = path.isAbsolute(configPath) ? configPath : path.join(cwd, configPath);
+        if (!fs.existsSync(absolutePath)) {
+            errors.push(`Configuration file not found: ${absolutePath}`);
+            return { config: types_1.DEFAULT_POLICY, path: null, errors, warnings };
+        }
+        try {
+            const content = fs.readFileSync(absolutePath, 'utf-8');
+            const parsed = YAML.parse(content);
+            const config = mergeWithDefaults(parsed, warnings);
+            return { config, path: absolutePath, errors, warnings };
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            errors.push(`Failed to parse configuration file: ${msg}`);
+            return { config: types_1.DEFAULT_POLICY, path: null, errors, warnings };
+        }
+    }
+    // Search for config file
+    for (const fileName of CONFIG_FILE_NAMES) {
+        const filePath = path.join(cwd, fileName);
+        if (fs.existsSync(filePath)) {
+            try {
+                const content = fs.readFileSync(filePath, 'utf-8');
+                const parsed = YAML.parse(content);
+                const config = mergeWithDefaults(parsed, warnings);
+                return { config, path: filePath, errors, warnings };
+            }
+            catch (e) {
+                const msg = e instanceof Error ? e.message : String(e);
+                errors.push(`Failed to parse configuration file ${filePath}: ${msg}`);
+                return { config: types_1.DEFAULT_POLICY, path: null, errors, warnings };
+            }
+        }
+    }
+    // No config file found, use defaults
+    return { config: types_1.DEFAULT_POLICY, path: null, errors, warnings };
+}
+/**
+ * Merge user configuration with defaults
+ */
+function mergeWithDefaults(userConfig, warnings) {
+    const config = JSON.parse(JSON.stringify(types_1.DEFAULT_POLICY));
+    if (!userConfig) {
+        return config;
+    }
+    // Validate version
+    if (userConfig.version !== undefined && userConfig.version !== 1) {
+        warnings.push(`Unknown policy version: ${userConfig.version}. Using defaults for unknown fields.`);
+    }
+    // Merge scan section
+    if (userConfig.scan) {
+        Object.assign(config.scan, userConfig.scan);
+    }
+    // Merge policy section
+    if (userConfig.policy) {
+        Object.assign(config.policy, userConfig.policy);
+        if (userConfig.policy.tags) {
+            Object.assign(config.policy.tags, userConfig.policy.tags);
+        }
+    }
+    // Merge rules section
+    if (userConfig.rules) {
+        if (userConfig.rules.enable) {
+            config.rules.enable = userConfig.rules.enable;
+        }
+        if (userConfig.rules.disable) {
+            config.rules.disable = userConfig.rules.disable;
+        }
+        if (userConfig.rules.severity_overrides) {
+            Object.assign(config.rules.severity_overrides, userConfig.rules.severity_overrides);
+        }
+        if (userConfig.rules.group_overrides) {
+            Object.assign(config.rules.group_overrides, userConfig.rules.group_overrides);
+        }
+        if (userConfig.rules.confidence_overrides) {
+            Object.assign(config.rules.confidence_overrides, userConfig.rules.confidence_overrides);
+        }
+    }
+    // Merge capabilities section
+    if (userConfig.capabilities) {
+        Object.assign(config.capabilities, userConfig.capabilities);
+    }
+    // Merge diff section
+    if (userConfig.diff) {
+        Object.assign(config.diff, userConfig.diff);
+        if (userConfig.diff.compare) {
+            Object.assign(config.diff.compare, userConfig.diff.compare);
+        }
+    }
+    // Merge baseline section
+    if (userConfig.baseline) {
+        Object.assign(config.baseline, userConfig.baseline);
+    }
+    // Merge output section
+    if (userConfig.output) {
+        Object.assign(config.output, userConfig.output);
+    }
+    // Merge meta section
+    if (userConfig.meta) {
+        Object.assign(config.meta, userConfig.meta);
+    }
+    return config;
+}
+/**
+ * Validate policy configuration
+ */
+function validatePolicy(config) {
+    const errors = [];
+    // Validate severity values
+    const validSeverities = ['low', 'medium', 'high', 'none'];
+    if (!validSeverities.includes(config.policy.fail_on)) {
+        errors.push(`Invalid fail_on value: ${config.policy.fail_on}`);
+    }
+    if (!validSeverities.includes(config.policy.warn_on)) {
+        errors.push(`Invalid warn_on value: ${config.policy.warn_on}`);
+    }
+    // Validate confidence thresholds
+    if (config.policy.min_finding_confidence < 0 || config.policy.min_finding_confidence > 1) {
+        errors.push(`min_finding_confidence must be between 0 and 1`);
+    }
+    if (config.scan.min_parse_confidence < 0 || config.scan.min_parse_confidence > 1) {
+        errors.push(`min_parse_confidence must be between 0 and 1`);
+    }
+    // Validate tool mode
+    const validToolModes = ['auto', 'claude', 'cursor'];
+    if (!validToolModes.includes(config.scan.tool_mode)) {
+        errors.push(`Invalid tool_mode: ${config.scan.tool_mode}`);
+    }
+    // Validate output format
+    const validFormats = ['text', 'json', 'sarif'];
+    if (!validFormats.includes(config.output.format)) {
+        errors.push(`Invalid output format: ${config.output.format}`);
+    }
+    return errors;
+}
+/**
+ * Generate default configuration file content
+ */
+function generateDefaultConfig() {
+    return `# AgentLint Configuration
+# https://github.com/agentlint/agentlint
+
+version: 1
+
+scan:
+  include:
+    - ".claude/**"
+    - ".cursorrules"
+    - "CLAUDE.md"
+    - "AGENTS.md"
+  exclude:
+    - "**/.git/**"
+    - "**/node_modules/**"
+  tool_mode: auto
+  max_files: 2000
+
+policy:
+  fail_on: high
+  warn_on: medium
+  min_finding_confidence: 0.6
+  strict: false
+
+rules:
+  disable: []
+  # severity_overrides:
+  #   FS-001: high
+
+capabilities:
+  fail_on_new_dynamic_shell: true
+  fail_on_sensitive_path_write: true
+  sensitive_paths:
+    - ".github/workflows/**"
+    - ".git/**"
+    - ".env"
+
+diff:
+  enabled: true
+  fail_on:
+    - capability_expansion
+    - shell_dynamic_introduced
+    - context_change_to_hook
+
+output:
+  format: text
+  color: auto
+  include_recommendations: true
+  include_permission_manifest: true
+`;
+}
+//# sourceMappingURL=loader.js.map

package/dist/policy/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/policy/loader.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0BH,gCA8CC;AAmFD,wCAiCC;AAKD,sDAkDC;AAjPD,uCAAyB;AACzB,2CAA6B;AAC7B,2CAA6B;AAC7B,mCAAuD;AAEvD,MAAM,iBAAiB,GAAG;IACxB,gBAAgB;IAChB,eAAe;IACf,iBAAiB;IACjB,gBAAgB;IAChB,2BAA2B;IAC3B,0BAA0B;CAC3B,CAAC;AASF;;GAEG;AACH,SAAgB,UAAU,CAAC,UAAmB,EAAE,UAAmB;IACjE,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAExC,mCAAmC;IACnC,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QAE3F,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,iCAAiC,YAAY,EAAE,CAAC,CAAC;YAC7D,OAAO,EAAE,MAAM,EAAE,sBAAc,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAClE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACnD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAC1D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,MAAM,CAAC,IAAI,CAAC,uCAAuC,GAAG,EAAE,CAAC,CAAC;YAC1D,OAAO,EAAE,MAAM,EAAE,sBAAc,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAE1C,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACnC,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBACnD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;YACtD,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACvD,MAAM,CAAC,IAAI,CAAC,sCAAsC,QAAQ,KAAK,GAAG,EAAE,CAAC,CAAC;gBACtE,OAAO,EAAE,MAAM,EAAE,sBAAc,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;YAClE,CAAC;QACH,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,OAAO,EAAE,MAAM,EAAE,sBAAc,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAClE,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,UAAiC,EAAE,QAAkB;IAC9E,MAAM,MAAM,GAAiB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,sBAAc,CAAC,CAAC,CAAC;IAExE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mBAAmB;IACnB,IAAI,UAAU,CAAC,OAAO,KAAK,SAAS,IAAI,UAAU,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACjE,QAAQ,CAAC,IAAI,CAAC,2BAA2B,UAAU,CAAC,OAAO,sCAAsC,CAAC,CAAC;IACrG,CAAC;IAED,qBAAqB;IACrB,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAuB;IACvB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;QAChD,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC3B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC;QAChD,CAAC;QACD,IAAI,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC7B,MAAM,CAAC,KAAK,CAAC,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC;QAClD,CAAC;QACD,IAAI,UAAU,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC;YACxC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACtF,CAAC;QACD,IAAI,UAAU,CAAC,KAAK,CAAC,eAAe,EAAE,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,UAAU,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,UAAU,CAAC,KAAK,CAAC,oBAAoB,EAAE,CAAC;YAC1C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,UAAU,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;IAC9D,CAAC;IAED,qBAAqB;IACrB,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC;IACtD,CAAC;IAED,uBAAuB;IACvB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED,qBAAqB;IACrB,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,MAAoB;IACjD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,2BAA2B;IAC3B,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1D,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,iCAAiC;IACjC,IAAI,MAAM,CAAC,MAAM,CAAC,sBAAsB,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,sBAAsB,GAAG,CAAC,EAAE,CAAC;QACzF,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,oBAAoB,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,oBAAoB,GAAG,CAAC,EAAE,CAAC;QACjF,MAAM,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;IAC9D,CAAC;IAED,qBAAqB;IACrB,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACpD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,sBAAsB,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,yBAAyB;IACzB,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB;IACnC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgDR,CAAC;AACF,CAAC"}

package/dist/policy/types.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Policy configuration types
+ */
+import { Severity } from '../ir/types';
+export interface PolicyConfig {
+    version: number;
+    scan: {
+        root?: string;
+        include: string[];
+        exclude: string[];
+        tool_mode: 'auto' | 'claude' | 'cursor';
+        max_files: number;
+        timeout: string;
+        min_parse_confidence: number;
+    };
+    policy: {
+        ci_mode: boolean;
+        fail_on: Severity | 'none';
+        warn_on: Severity | 'none';
+        min_finding_confidence: number;
+        treat_parse_failed_as: 'pass' | 'warn' | 'fail';
+        no_supported_files_as: 'pass' | 'warn' | 'fail';
+        strict: boolean;
+        tags: {
+            fail_if_any: string[];
+            warn_if_any: string[];
+            ignore_if_any: string[];
+        };
+    };
+    rules: {
+        enable: string[];
+        disable: string[];
+        severity_overrides: Record<string, Severity>;
+        group_overrides: Record<string, Severity>;
+        confidence_overrides: Record<string, number>;
+    };
+    capabilities: {
+        fail_on_expansion: boolean;
+        fail_on_new_dynamic_shell: boolean;
+        fail_on_new_network_outbound: boolean;
+        fail_on_sensitive_path_write: boolean;
+        sensitive_paths: string[];
+        allowed_write_scopes: string[];
+        disallowed_write_scopes: string[];
+        allowed_network_domains: string[];
+        disallowed_network_domains: string[];
+    };
+    diff: {
+        enabled: boolean;
+        fail_on: string[];
+        warn_on: string[];
+        compare: {
+            normalize_globs: boolean;
+            normalize_domains: boolean;
+            normalize_commands: boolean;
+        };
+    };
+    baseline: {
+        enabled: boolean;
+        file: string;
+        mode: 'suppress_known' | 'require_no_new';
+        fingerprint: 'stable' | 'location' | 'content';
+        expires_days: number;
+    };
+    output: {
+        format: 'text' | 'json' | 'sarif';
+        color: 'auto' | 'always' | 'never';
+        include_recommendations: boolean;
+        include_permission_manifest: boolean;
+        include_ir: boolean;
+    };
+    meta: {
+        policy_name: string;
+        owner: string;
+        last_reviewed: string;
+    };
+}
+export declare const DEFAULT_POLICY: PolicyConfig;
+//# sourceMappingURL=types.d.ts.map

package/dist/policy/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/policy/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAEhB,IAAI,EAAE;QACJ,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,SAAS,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,CAAC;QACxC,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,oBAAoB,EAAE,MAAM,CAAC;KAC9B,CAAC;IAEF,MAAM,EAAE;QACN,OAAO,EAAE,OAAO,CAAC;QACjB,OAAO,EAAE,QAAQ,GAAG,MAAM,CAAC;QAC3B,OAAO,EAAE,QAAQ,GAAG,MAAM,CAAC;QAC3B,sBAAsB,EAAE,MAAM,CAAC;QAC/B,qBAAqB,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;QAChD,qBAAqB,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;QAChD,MAAM,EAAE,OAAO,CAAC;QAChB,IAAI,EAAE;YACJ,WAAW,EAAE,MAAM,EAAE,CAAC;YACtB,WAAW,EAAE,MAAM,EAAE,CAAC;YACtB,aAAa,EAAE,MAAM,EAAE,CAAC;SACzB,CAAC;KACH,CAAC;IAEF,KAAK,EAAE;QACL,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC7C,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC9C,CAAC;IAEF,YAAY,EAAE;QACZ,iBAAiB,EAAE,OAAO,CAAC;QAC3B,yBAAyB,EAAE,OAAO,CAAC;QACnC,4BAA4B,EAAE,OAAO,CAAC;QACtC,4BAA4B,EAAE,OAAO,CAAC;QACtC,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,oBAAoB,EAAE,MAAM,EAAE,CAAC;QAC/B,uBAAuB,EAAE,MAAM,EAAE,CAAC;QAClC,uBAAuB,EAAE,MAAM,EAAE,CAAC;QAClC,0BAA0B,EAAE,MAAM,EAAE,CAAC;KACtC,CAAC;IAEF,IAAI,EAAE;QACJ,OAAO,EAAE,OAAO,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE;YACP,eAAe,EAAE,OAAO,CAAC;YACzB,iBAAiB,EAAE,OAAO,CAAC;YAC3B,kBAAkB,EAAE,OAAO,CAAC;SAC7B,CAAC;KACH,CAAC;IAEF,QAAQ,EAAE;QACR,OAAO,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,gBAAgB,GAAG,gBAAgB,CAAC;QAC1C,WAAW,EAAE,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;QAC/C,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF,MAAM,EAAE;QACN,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;QAClC,KAAK,EAAE,MAAM,GAAG,QAAQ,GAAG,OAAO,CAAC;QACnC,uBAAuB,EAAE,OAAO,CAAC;QACjC,2BAA2B,EAAE,OAAO,CAAC;QACrC,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IAEF,IAAI,EAAE;QACJ,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;CACH;AAED,eAAO,MAAM,cAAc,EAAE,YAmG5B,CAAC"}

package/dist/policy/types.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Policy configuration types
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_POLICY = void 0;
+exports.DEFAULT_POLICY = {
+    version: 1,
+    scan: {
+        root: '.',
+        include: [
+            '.claude/**',
+            '.cursorrules',
+            'CLAUDE.md',
+            'AGENTS.md',
+        ],
+        exclude: [
+            '**/.git/**',
+            '**/node_modules/**',
+        ],
+        tool_mode: 'auto',
+        max_files: 2000,
+        timeout: '10s',
+        min_parse_confidence: 0.5,
+    },
+    policy: {
+        ci_mode: false,
+        fail_on: 'high',
+        warn_on: 'medium',
+        min_finding_confidence: 0.6,
+        treat_parse_failed_as: 'warn',
+        no_supported_files_as: 'pass',
+        strict: false,
+        tags: {
+            fail_if_any: [],
+            warn_if_any: [],
+            ignore_if_any: [],
+        },
+    },
+    rules: {
+        enable: [],
+        disable: [],
+        severity_overrides: {},
+        group_overrides: {},
+        confidence_overrides: {},
+    },
+    capabilities: {
+        fail_on_expansion: true,
+        fail_on_new_dynamic_shell: true,
+        fail_on_new_network_outbound: false,
+        fail_on_sensitive_path_write: true,
+        sensitive_paths: [
+            '.github/workflows/**',
+            '.git/**',
+            '.env',
+            '~/.ssh/**',
+        ],
+        allowed_write_scopes: [],
+        disallowed_write_scopes: [],
+        allowed_network_domains: [],
+        disallowed_network_domains: [],
+    },
+    diff: {
+        enabled: true,
+        fail_on: [
+            'capability_expansion',
+            'context_change_to_hook',
+            'write_scope_widening_to_all',
+        ],
+        warn_on: [
+            'new_medium_findings',
+        ],
+        compare: {
+            normalize_globs: true,
+            normalize_domains: true,
+            normalize_commands: true,
+        },
+    },
+    baseline: {
+        enabled: false,
+        file: '.agentlint/baseline.json',
+        mode: 'suppress_known',
+        fingerprint: 'stable',
+        expires_days: 30,
+    },
+    output: {
+        format: 'text',
+        color: 'auto',
+        include_recommendations: true,
+        include_permission_manifest: true,
+        include_ir: false,
+    },
+    meta: {
+        policy_name: 'default',
+        owner: '',
+        last_reviewed: '',
+    },
+};
+//# sourceMappingURL=types.js.map

package/dist/policy/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/policy/types.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAsFU,QAAA,cAAc,GAAiB;IAC1C,OAAO,EAAE,CAAC;IAEV,IAAI,EAAE;QACJ,IAAI,EAAE,GAAG;QACT,OAAO,EAAE;YACP,YAAY;YACZ,cAAc;YACd,WAAW;YACX,WAAW;SACZ;QACD,OAAO,EAAE;YACP,YAAY;YACZ,oBAAoB;SACrB;QACD,SAAS,EAAE,MAAM;QACjB,SAAS,EAAE,IAAI;QACf,OAAO,EAAE,KAAK;QACd,oBAAoB,EAAE,GAAG;KAC1B;IAED,MAAM,EAAE;QACN,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,MAAM;QACf,OAAO,EAAE,QAAQ;QACjB,sBAAsB,EAAE,GAAG;QAC3B,qBAAqB,EAAE,MAAM;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,MAAM,EAAE,KAAK;QACb,IAAI,EAAE;YACJ,WAAW,EAAE,EAAE;YACf,WAAW,EAAE,EAAE;YACf,aAAa,EAAE,EAAE;SAClB;KACF;IAED,KAAK,EAAE;QACL,MAAM,EAAE,EAAE;QACV,OAAO,EAAE,EAAE;QACX,kBAAkB,EAAE,EAAE;QACtB,eAAe,EAAE,EAAE;QACnB,oBAAoB,EAAE,EAAE;KACzB;IAED,YAAY,EAAE;QACZ,iBAAiB,EAAE,IAAI;QACvB,yBAAyB,EAAE,IAAI;QAC/B,4BAA4B,EAAE,KAAK;QACnC,4BAA4B,EAAE,IAAI;QAClC,eAAe,EAAE;YACf,sBAAsB;YACtB,SAAS;YACT,MAAM;YACN,WAAW;SACZ;QACD,oBAAoB,EAAE,EAAE;QACxB,uBAAuB,EAAE,EAAE;QAC3B,uBAAuB,EAAE,EAAE;QAC3B,0BAA0B,EAAE,EAAE;KAC/B;IAED,IAAI,EAAE;QACJ,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,sBAAsB;YACtB,wBAAwB;YACxB,6BAA6B;SAC9B;QACD,OAAO,EAAE;YACP,qBAAqB;SACtB;QACD,OAAO,EAAE;YACP,eAAe,EAAE,IAAI;YACrB,iBAAiB,EAAE,IAAI;YACvB,kBAAkB,EAAE,IAAI;SACzB;KACF;IAED,QAAQ,EAAE;QACR,OAAO,EAAE,KAAK;QACd,IAAI,EAAE,0BAA0B;QAChC,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,QAAQ;QACrB,YAAY,EAAE,EAAE;KACjB;IAED,MAAM,EAAE;QACN,MAAM,EAAE,MAAM;QACd,KAAK,EAAE,MAAM;QACb,uBAAuB,EAAE,IAAI;QAC7B,2BAA2B,EAAE,IAAI;QACjC,UAAU,EAAE,KAAK;KAClB;IAED,IAAI,EAAE;QACJ,WAAW,EAAE,SAAS;QACtB,KAAK,EAAE,EAAE;QACT,aAAa,EAAE,EAAE;KAClB;CACF,CAAC"}

package/dist/reports/index.d.ts

@@ -0,0 +1,14 @@
+export * from './types';
+export * from './text';
+export * from './json';
+export * from './sarif';
+import { ReportData, ReportOptions } from './types';
+/**
+ * Generate a report in the specified format
+ */
+export declare function generateReport(data: ReportData, options: ReportOptions): string;
+/**
+ * Generate a diff report in the specified format
+ */
+export declare function generateDiffReport(data: ReportData, options: ReportOptions): string;
+//# sourceMappingURL=index.d.ts.map

package/dist/reports/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/reports/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC;AACvB,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC;AAExB,OAAO,EAAE,UAAU,EAAE,aAAa,EAAgB,MAAM,SAAS,CAAC;AAKlE;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,GAAG,MAAM,CAU/E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,GAAG,MAAM,CAUnF"}

package/dist/reports/index.js

@@ -0,0 +1,54 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateReport = generateReport;
+exports.generateDiffReport = generateDiffReport;
+__exportStar(require("./types"), exports);
+__exportStar(require("./text"), exports);
+__exportStar(require("./json"), exports);
+__exportStar(require("./sarif"), exports);
+const text_1 = require("./text");
+const json_1 = require("./json");
+const sarif_1 = require("./sarif");
+/**
+ * Generate a report in the specified format
+ */
+function generateReport(data, options) {
+    switch (options.format) {
+        case 'json':
+            return new json_1.JsonReportGenerator(options).generate(data);
+        case 'sarif':
+            return new sarif_1.SarifReportGenerator(options).generate(data);
+        case 'text':
+        default:
+            return new text_1.TextReportGenerator(options).generate(data);
+    }
+}
+/**
+ * Generate a diff report in the specified format
+ */
+function generateDiffReport(data, options) {
+    switch (options.format) {
+        case 'json':
+            return (0, json_1.generateDiffJsonReport)(data);
+        case 'sarif':
+            return (0, sarif_1.generateDiffSarifReport)(data);
+        case 'text':
+        default:
+            return (0, text_1.generateDiffTextReport)(data, options);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/reports/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/reports/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAaA,wCAUC;AAKD,gDAUC;AAtCD,0CAAwB;AACxB,yCAAuB;AACvB,yCAAuB;AACvB,0CAAwB;AAGxB,iCAAqE;AACrE,iCAAqE;AACrE,mCAAwE;AAExE;;GAEG;AACH,SAAgB,cAAc,CAAC,IAAgB,EAAE,OAAsB;IACrE,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM;YACT,OAAO,IAAI,0BAAmB,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACzD,KAAK,OAAO;YACV,OAAO,IAAI,4BAAoB,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC1D,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,IAAI,0BAAmB,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,IAAgB,EAAE,OAAsB;IACzE,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM;YACT,OAAO,IAAA,6BAAsB,EAAC,IAAI,CAAC,CAAC;QACtC,KAAK,OAAO;YACV,OAAO,IAAA,+BAAuB,EAAC,IAAI,CAAC,CAAC;QACvC,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,IAAA,6BAAsB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;AACH,CAAC"}

package/dist/reports/json.d.ts

@@ -0,0 +1,16 @@
+/**
+ * JSON Report Generator
+ * Machine-readable output for CI/CD and dashboards
+ */
+import { ReportData, ReportOptions } from './types';
+export declare class JsonReportGenerator {
+    private options;
+    constructor(options: ReportOptions);
+    generate(data: ReportData): string;
+    private buildReport;
+}
+/**
+ * Generate JSON diff report
+ */
+export declare function generateDiffJsonReport(data: ReportData): string;
+//# sourceMappingURL=json.d.ts.map

package/dist/reports/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/reports/json.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAOpD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,OAAO,CAAgB;gBAEnB,OAAO,EAAE,aAAa;IAIlC,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM;IAKlC,OAAO,CAAC,WAAW;CA4CpB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CA0B/D"}

package/dist/reports/json.js

@@ -0,0 +1,126 @@
+"use strict";
+/**
+ * JSON Report Generator
+ * Machine-readable output for CI/CD and dashboards
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JsonReportGenerator = void 0;
+exports.generateDiffJsonReport = generateDiffJsonReport;
+const types_1 = require("../ir/types");
+const os = __importStar(require("os"));
+// Package version (would normally come from package.json)
+const TOOL_VERSION = '0.1.0';
+class JsonReportGenerator {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    generate(data) {
+        const report = this.buildReport(data);
+        return JSON.stringify(report, null, 2);
+    }
+    buildReport(data) {
+        const report = {
+            report_version: types_1.REPORT_VERSION,
+            schema_version: types_1.IR_SCHEMA_VERSION,
+            generated_at: new Date().toISOString(),
+            tool: {
+                name: 'agentlint',
+                version: TOOL_VERSION,
+                build: {
+                    os: os.platform(),
+                    arch: os.arch(),
+                },
+            },
+            inputs: data.report.inputs,
+            policy: data.report.policy,
+            summary: data.report.summary,
+            documents: data.documents,
+            capability_summary: data.capabilitySummary,
+            recommended_permissions: data.recommendedPermissions,
+            findings: data.findings,
+            diff: data.diff || null,
+            errors: data.report.errors || [],
+            annotations: data.report.annotations || {},
+        };
+        // Remove IR data if not requested
+        if (!this.options.includeIR) {
+            // The documents array already contains summaries, not full IR
+        }
+        // Remove recommendations if not requested
+        if (!this.options.includeRecommendations) {
+            for (const finding of report.findings) {
+                finding.recommendation = '';
+            }
+        }
+        // Remove permission manifest if not requested
+        if (!this.options.includePermissionManifest) {
+            delete report.recommended_permissions;
+        }
+        return report;
+    }
+}
+exports.JsonReportGenerator = JsonReportGenerator;
+/**
+ * Generate JSON diff report
+ */
+function generateDiffJsonReport(data) {
+    const report = {
+        report_version: types_1.REPORT_VERSION,
+        schema_version: types_1.IR_SCHEMA_VERSION,
+        generated_at: new Date().toISOString(),
+        tool: {
+            name: 'agentlint',
+            version: TOOL_VERSION,
+            build: {
+                os: os.platform(),
+                arch: os.arch(),
+            },
+        },
+        diff: data.diff,
+        summary: {
+            status: data.diff?.summary.status || 'pass',
+            exit_code: data.diff?.summary.exit_code || 0,
+            capability_expansion: data.diff?.summary.capability_expansion || false,
+            new_high_findings: data.diff?.summary.new_high_findings || 0,
+            changes_count: data.diff?.changes.length || 0,
+            new_findings_count: data.diff?.new_findings.length || 0,
+            resolved_findings_count: data.diff?.resolved_findings.length || 0,
+        },
+    };
+    return JSON.stringify(report, null, 2);
+}
+//# sourceMappingURL=json.js.map