npm - avorelo - Versions diffs - 0.1.0 - Mend

avorelo 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/LICENSE +21 -0
package/README.md +56 -0
package/bin/avorelo +9 -0
package/package.json +135 -0
package/scripts/README.md +40 -0
package/scripts/cco-dashboard.js +252 -0
package/scripts/cco-status.js +430 -0
package/scripts/lib/activation/account-state.js +37 -0
package/scripts/lib/activation/activation-runner.js +546 -0
package/scripts/lib/activation/activation-self-healing.js +480 -0
package/scripts/lib/activation/activation-state.js +83 -0
package/scripts/lib/activation/activation-summary.js +191 -0
package/scripts/lib/activation/adapters/claude-code.js +77 -0
package/scripts/lib/activation/adapters/codex-cli.js +52 -0
package/scripts/lib/activation/adapters/cursor.js +37 -0
package/scripts/lib/activation/adapters/github-agent.js +39 -0
package/scripts/lib/activation/adapters/terminal.js +42 -0
package/scripts/lib/activation/adapters/vscode.js +39 -0
package/scripts/lib/activation/adapters/windsurf.js +37 -0
package/scripts/lib/activation/ai-surface-detector.js +151 -0
package/scripts/lib/activation/connect-account.js +145 -0
package/scripts/lib/activation/detect-environment.js +75 -0
package/scripts/lib/activation/detect-hosts.js +62 -0
package/scripts/lib/activation/format-activation-output.js +109 -0
package/scripts/lib/activation/next-action.js +43 -0
package/scripts/lib/activation/repair-engine.js +219 -0
package/scripts/lib/activation-distribution-readiness.js +507 -0
package/scripts/lib/adapter-conformance.js +176 -0
package/scripts/lib/adapter-readiness.js +417 -0
package/scripts/lib/adapter-safety-boundaries.js +335 -0
package/scripts/lib/adapter-technical-readiness-gate.js +205 -0
package/scripts/lib/agent-access-governance.js +455 -0
package/scripts/lib/agent-enforcement.js +765 -0
package/scripts/lib/agent-policy-profile.js +210 -0
package/scripts/lib/agent-security/action-evaluator.js +507 -0
package/scripts/lib/agent-security/adapter-registry.js +98 -0
package/scripts/lib/agent-security/auto-policy.js +139 -0
package/scripts/lib/agent-security/bounded-scan.js +93 -0
package/scripts/lib/agent-security/enforcement-adapter.js +174 -0
package/scripts/lib/agent-security/enforcement-engine.js +1129 -0
package/scripts/lib/agent-security/file-write-adapter.js +183 -0
package/scripts/lib/agent-security/file-write-rules.js +178 -0
package/scripts/lib/agent-security/index.js +3342 -0
package/scripts/lib/agent-security/instruction-risk.js +181 -0
package/scripts/lib/agent-security/mcp-action-adapter.js +185 -0
package/scripts/lib/agent-security/mcp-action-rules.js +184 -0
package/scripts/lib/agent-security/package-action-adapter.js +175 -0
package/scripts/lib/agent-security/package-action-rules.js +233 -0
package/scripts/lib/agent-security/performance.js +148 -0
package/scripts/lib/agent-security/permission-minimizer.js +403 -0
package/scripts/lib/agent-security/scan-cache.js +74 -0
package/scripts/lib/agent-security/source-trust.js +146 -0
package/scripts/lib/ai-install-prompt.js +288 -0
package/scripts/lib/ai-workspace-hygiene.js +1499 -0
package/scripts/lib/alpha-activation.js +520 -0
package/scripts/lib/alpha-feedback.js +263 -0
package/scripts/lib/alpha-readiness-gate.js +332 -0
package/scripts/lib/anti-gaming.js +169 -0
package/scripts/lib/artifact-health.js +431 -0
package/scripts/lib/attribution.js +180 -0
package/scripts/lib/audit.js +289 -0
package/scripts/lib/avorelo-skill-registry.js +810 -0
package/scripts/lib/batch-jobs.js +71 -0
package/scripts/lib/brain-pack.js +578 -0
package/scripts/lib/brand-boundary.js +424 -0
package/scripts/lib/brand.js +74 -0
package/scripts/lib/browser-capability.js +1048 -0
package/scripts/lib/browser-proof-preflight.js +321 -0
package/scripts/lib/cache-readiness.js +187 -0
package/scripts/lib/canonical-reentry.js +162 -0
package/scripts/lib/capability-packs.js +314 -0
package/scripts/lib/capability-recommender.js +512 -0
package/scripts/lib/capability-registry.js +1059 -0
package/scripts/lib/carry-forward-surfacing.js +194 -0
package/scripts/lib/ccusage-adapter.js +188 -0
package/scripts/lib/company-loop.js +1149 -0
package/scripts/lib/config.js +637 -0
package/scripts/lib/context-acquisition-plan.js +287 -0
package/scripts/lib/context-budget-guard.js +170 -0
package/scripts/lib/context-budget-scanner.js +257 -0
package/scripts/lib/context-optimizer.js +715 -0
package/scripts/lib/context-reduction-plan.js +178 -0
package/scripts/lib/context-safety.js +88 -0
package/scripts/lib/context-savings-engine.js +158 -0
package/scripts/lib/cost-evidence.js +254 -0
package/scripts/lib/cross-host-install-plan.js +308 -0
package/scripts/lib/cross-host-install-readiness.js +237 -0
package/scripts/lib/cross-host-value-flow.js +268 -0
package/scripts/lib/dashboard.js +900 -0
package/scripts/lib/design-partner-feedback.js +346 -0
package/scripts/lib/entitlements.js +100 -0
package/scripts/lib/execution-packet.js +559 -0
package/scripts/lib/experimentation-events.js +547 -0
package/scripts/lib/external-capability-compliance.js +107 -0
package/scripts/lib/external-user-simulation.js +166 -0
package/scripts/lib/failure-recovery-readiness.js +81 -0
package/scripts/lib/failure-recovery.js +419 -0
package/scripts/lib/feedback-intelligence.js +537 -0
package/scripts/lib/feedback-signals.js +205 -0
package/scripts/lib/file-integrity.js +68 -0
package/scripts/lib/fsx.js +127 -0
package/scripts/lib/full-readiness-gate.js +451 -0
package/scripts/lib/guidance-builder.js +174 -0
package/scripts/lib/hook-apply.js +1019 -0
package/scripts/lib/hook-baseline.js +310 -0
package/scripts/lib/hook-config-preview.js +275 -0
package/scripts/lib/hook-contracts.js +290 -0
package/scripts/lib/hook-safety-boundary-readiness.js +80 -0
package/scripts/lib/host-capability-matrix.js +351 -0
package/scripts/lib/host-support-context.js +254 -0
package/scripts/lib/http-hook-action.js +538 -0
package/scripts/lib/install-ai-readiness.js +84 -0
package/scripts/lib/install-intake-risk.js +1037 -0
package/scripts/lib/install-journey-intelligence.js +329 -0
package/scripts/lib/intervention-guidance.js +57 -0
package/scripts/lib/known-limitations.js +115 -0
package/scripts/lib/l8-path-truth.js +146 -0
package/scripts/lib/launch-hardening-gate.js +436 -0
package/scripts/lib/launch-readiness.js +628 -0
package/scripts/lib/learning-memory.js +686 -0
package/scripts/lib/lifecycle-hooks.js +802 -0
package/scripts/lib/local-package-smoke.js +423 -0
package/scripts/lib/local-pricing.js +299 -0
package/scripts/lib/mcp-enforcement.js +311 -0
package/scripts/lib/mcp-least-privilege-policy.js +303 -0
package/scripts/lib/mcp-tool-inventory.js +388 -0
package/scripts/lib/mcp-tool-risk.js +0 -0
package/scripts/lib/memory.js +335 -0
package/scripts/lib/metrics.js +699 -0
package/scripts/lib/micro-proof.js +133 -0
package/scripts/lib/next-run-context.js +436 -0
package/scripts/lib/operating-value.js +1648 -0
package/scripts/lib/optimization-v3.js +122 -0
package/scripts/lib/orchestration/adapters/_shared.js +49 -0
package/scripts/lib/orchestration/adapters/aider.js +18 -0
package/scripts/lib/orchestration/adapters/claude-code.js +35 -0
package/scripts/lib/orchestration/adapters/codex.js +35 -0
package/scripts/lib/orchestration/adapters/gemini-cli.js +18 -0
package/scripts/lib/orchestration/adapters/git.js +25 -0
package/scripts/lib/orchestration/adapters/index.js +31 -0
package/scripts/lib/orchestration/adapters/lm-studio.js +18 -0
package/scripts/lib/orchestration/adapters/ollama.js +18 -0
package/scripts/lib/orchestration/adapters/opencode.js +18 -0
package/scripts/lib/orchestration/adapters/openrouter.js +18 -0
package/scripts/lib/orchestration/adapters/test-runner.js +25 -0
package/scripts/lib/orchestration/cli.js +438 -0
package/scripts/lib/orchestration/execution-manager.js +279 -0
package/scripts/lib/orchestration/handoff.js +314 -0
package/scripts/lib/orchestration/index.js +456 -0
package/scripts/lib/orchestration/inventory.js +47 -0
package/scripts/lib/orchestration/model-discovery.js +498 -0
package/scripts/lib/orchestration/model-profiler.js +170 -0
package/scripts/lib/orchestration/model-profiles.js +252 -0
package/scripts/lib/orchestration/model-refresh-policy.js +72 -0
package/scripts/lib/orchestration/proof-writer.js +349 -0
package/scripts/lib/orchestration/provider-discovery/aider.js +49 -0
package/scripts/lib/orchestration/provider-discovery/claude-code.js +56 -0
package/scripts/lib/orchestration/provider-discovery/codex.js +49 -0
package/scripts/lib/orchestration/provider-discovery/common.js +186 -0
package/scripts/lib/orchestration/provider-discovery/gemini.js +106 -0
package/scripts/lib/orchestration/provider-discovery/lm-studio.js +118 -0
package/scripts/lib/orchestration/provider-discovery/models-dev.js +12 -0
package/scripts/lib/orchestration/provider-discovery/ollama.js +100 -0
package/scripts/lib/orchestration/provider-discovery/opencode.js +47 -0
package/scripts/lib/orchestration/provider-discovery/openrouter.js +44 -0
package/scripts/lib/orchestration/risk-classifier.js +130 -0
package/scripts/lib/orchestration/routing-policy.js +486 -0
package/scripts/lib/orchestration/settings.js +112 -0
package/scripts/lib/orchestration/state.js +165 -0
package/scripts/lib/orchestration/verification-manager.js +138 -0
package/scripts/lib/output-profiles.js +146 -0
package/scripts/lib/package-content-audit.js +368 -0
package/scripts/lib/package-runtime.js +278 -0
package/scripts/lib/plan-surface.js +53 -0
package/scripts/lib/plans.js +2318 -0
package/scripts/lib/policy-provider.js +27 -0
package/scripts/lib/prelaunch-activation-readiness.js +409 -0
package/scripts/lib/prelaunch-evidence-store.js +816 -0
package/scripts/lib/prelaunch-intelligence.js +869 -0
package/scripts/lib/pricing-experiment.js +118 -0
package/scripts/lib/pro-moment-events.js +77 -0
package/scripts/lib/pro-moment-state.js +227 -0
package/scripts/lib/pro-moments.js +1216 -0
package/scripts/lib/product-learning-events.js +629 -0
package/scripts/lib/project-profile.js +555 -0
package/scripts/lib/prompt-compiler.js +280 -0
package/scripts/lib/prompt-lint.js +32 -0
package/scripts/lib/prompt-suggestions.js +52 -0
package/scripts/lib/proof-canonical.js +398 -0
package/scripts/lib/proof-drilldown.js +383 -0
package/scripts/lib/proof-events.js +342 -0
package/scripts/lib/proof-history.js +243 -0
package/scripts/lib/proof-metrics.js +296 -0
package/scripts/lib/proof-outcome-evidence.js +134 -0
package/scripts/lib/proof-receipt.js +335 -0
package/scripts/lib/proof-record.js +461 -0
package/scripts/lib/public-activation-distribution-gate.js +258 -0
package/scripts/lib/public-cli.js +3891 -0
package/scripts/lib/public-distribution-truth.js +211 -0
package/scripts/lib/public-install-claim-checker.js +294 -0
package/scripts/lib/publish-provenance-readiness.js +283 -0
package/scripts/lib/readiness-delta.js +218 -0
package/scripts/lib/readiness-evidence-closure.js +196 -0
package/scripts/lib/reentry-memory-capture.js +241 -0
package/scripts/lib/reentry-memory-retrieval.js +302 -0
package/scripts/lib/reentry-memory-status.js +146 -0
package/scripts/lib/reentry-memory-store.js +178 -0
package/scripts/lib/reentry-state.js +66 -0
package/scripts/lib/release-candidate-bundle.js +166 -0
package/scripts/lib/remediation.js +81 -0
package/scripts/lib/repo-map.js +391 -0
package/scripts/lib/run-improvements-lifecycle.js +330 -0
package/scripts/lib/run-improvements.js +789 -0
package/scripts/lib/runtime-decision-policy.js +387 -0
package/scripts/lib/safe-path-engine.js +705 -0
package/scripts/lib/safe-run-controller.js +887 -0
package/scripts/lib/score.js +262 -0
package/scripts/lib/seamless-enforcement.js +329 -0
package/scripts/lib/seamless-outcome.js +689 -0
package/scripts/lib/seamless-reality-gate.js +5043 -0
package/scripts/lib/security-risk-classifier.js +511 -0
package/scripts/lib/security-scan.js +384 -0
package/scripts/lib/session-context-optimizer.js +1211 -0
package/scripts/lib/session-timing.js +315 -0
package/scripts/lib/skill-hygiene.js +805 -0
package/scripts/lib/skill-packs.js +161 -0
package/scripts/lib/skills-operating-layer.js +580 -0
package/scripts/lib/smart-work-routing.js +768 -0
package/scripts/lib/source-catalog.js +700 -0
package/scripts/lib/status-value-summary.js +32 -0
package/scripts/lib/support-bundle.js +578 -0
package/scripts/lib/task-continuation.js +440 -0
package/scripts/lib/test-helpers.js +15 -0
package/scripts/lib/tier.js +38 -0
package/scripts/lib/token-context-quality-gate.js +370 -0
package/scripts/lib/token-cost-capture.js +187 -0
package/scripts/lib/token-cost-intelligence.js +358 -0
package/scripts/lib/token-efficiency-evidence.js +213 -0
package/scripts/lib/token-evidence.js +699 -0
package/scripts/lib/tokenish.js +17 -0
package/scripts/lib/tool-output-sandbox.js +304 -0
package/scripts/lib/trust-audit.js +136 -0
package/scripts/lib/unified-events.js +396 -0
package/scripts/lib/upgrade-interruption-recovery.js +407 -0
package/scripts/lib/usage-ledger.js +201 -0
package/scripts/lib/value-ledger.js +130 -0
package/scripts/lib/value-proof-calibration.js +531 -0
package/scripts/lib/visual-qa.js +231 -0
package/scripts/lib/voice-alpha.js +29 -0
package/scripts/lib/work-aware-orchestration.js +976 -0
package/scripts/lib/work-control-receipts.js +577 -0
package/scripts/lib/work-ledger.js +1123 -0
package/scripts/lib/work-panel-preview.js +352 -0
package/scripts/lib/workflow-discipline.js +280 -0
package/scripts/lib/workflow-signals.js +419 -0
package/scripts/lib/workspace-map.js +281 -0
package/scripts/lib/workspace-registry.js +1367 -0
package/scripts/lib/workspace-resolver.js +480 -0

package/scripts/lib/security-scan.js ADDED Viewed

@@ -0,0 +1,384 @@
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const BIDI_CHARS = ["\u202A", "\u202B", "\u202D", "\u202E", "\u202C", "\u2066", "\u2067", "\u2068", "\u2069"];
+function detectRiskyBash(cmd) {
+  const c = String(cmd || "").toLowerCase();
+  if (/(curl|wget).*(\||&&|;)\s*(bash|sh)/i.test(c) || /(curl|wget)\s+\S+\s*\|\s*(bash|sh)/i.test(c)) {
+    return { code: "SEC_CURL_PIPE_SH", severity: "high", message: "Blocked: piping remote script into shell is high risk." };
+  }
+  if (/rm\s+-rf\s+\/(\s|$)/i.test(c) || /^rm\s+-rf\s+\/$/i.test(c)) {
+    return { code: "SEC_RM_RF_ROOT", severity: "high", message: "Blocked: destructive rm -rf / pattern." };
+  }
+  if (/chmod\s+777/i.test(c)) {
+    return { code: "SEC_CHMOD_777", severity: "medium", message: "Warning: chmod 777 is often unsafe. Consider least privilege." };
+  }
+  return null;
+}
+function sourceTypeForPath(pathHint) {
+  const p = String(pathHint || "").replace(/\\/g, "/");
+  if (p.startsWith("skills/")) return "skill";
+  if (p.startsWith("agents/")) return "agent";
+  if (p.startsWith("hooks/")) return "hook";
+  if (p.startsWith("scripts/")) return "script";
+  return "config";
+}
+function clamp(value, min, max) {
+  return Math.max(min, Math.min(max, value));
+}
+function isLikelyCommentLine(line) {
+  return /^\s*(#|\/\/|\/\*|\*|<!--)/.test(String(line || ""));
+}
+function hasPinnedGitRef(line) {
+  return /#[0-9a-f]{40}\b/i.test(String(line || ""));
+}
+function withVerificationRationale(message, verifyHint) {
+  return `${message}. Verify: ${verifyHint}`;
+}
+function mkFinding(id, severity, file, line, snippet, confidence, rationale) {
+  return {
+    id,
+    severity,
+    file,
+    line,
+    snippet,
+    confidence: clamp(Number.isFinite(Number(confidence)) ? Number(confidence) : 0.5, 0.05, 1),
+    rationale,
+    sourceType: sourceTypeForPath(file),
+    trustLevel: "unknown",
+    remediationState: "detected",
+    suppressed: false,
+    suppressedBy: null,
+  };
+}
+function pathMatches(pathHint, pattern) {
+  if (!pattern) return false;
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i").test(pathHint.replace(/\\/g, "/"));
+}
+function applyAllowlist(findings, allowlist = { reasonCodes: [], pathPatterns: [] }) {
+  return findings.map((f) => {
+    const byCode = (allowlist.reasonCodes || []).find((c) => c === f.id);
+    if (byCode) {
+      return {
+        ...f,
+        suppressed: true,
+        suppressedBy: { type: "reasonCode", value: byCode },
+        rationale: `${f.rationale}; suppressed by allowlist reason code`,
+      };
+    }
+    const byPath = (allowlist.pathPatterns || []).find((p) => pathMatches(f.file || "", p));
+    if (byPath) {
+      return {
+        ...f,
+        suppressed: true,
+        suppressedBy: { type: "pathPattern", value: byPath },
+        rationale: `${f.rationale}; suppressed by allowlist path pattern`,
+      };
+    }
+    return f;
+  });
+}
+function toHighlights(findings) {
+  return findings.slice(0, 10).map((f) => ({
+    id: f.id,
+    severity: f.severity,
+    confidence: f.confidence,
+    path: f.file,
+    line: f.line,
+    snippet: f.snippet,
+    rationale: f.rationale,
+    sourceType: f.sourceType,
+    trustLevel: f.trustLevel,
+    remediationState: f.remediationState,
+    suppressed: f.suppressed,
+    suppressedBy: f.suppressedBy,
+  }));
+}
+function suppressionAuditFromFindings(findings) {
+  return findings
+    .filter((f) => f.suppressed)
+    .map((f) => ({
+      findingId: f.id,
+      file: f.file,
+      line: f.line,
+      source: f.suppressedBy,
+      rationale: f.rationale,
+    }));
+}
+function weightedRiskScore(activeFindings) {
+  if (!activeFindings.length) return 0;
+  const severityPoints = { high: 55, medium: 30, low: 15 };
+  let score = activeFindings.reduce((sum, f) => {
+    const base = severityPoints[f.severity] || severityPoints.low;
+    const confidence = clamp(Number(f.confidence || 0.5), 0.1, 1);
+    return sum + base * confidence;
+  }, 0);
+  if (activeFindings.some((f) => f.severity === "high")) score += 15;
+  const uniqueReasons = new Set(activeFindings.map((f) => f.id)).size;
+  if (uniqueReasons >= 3) score += 8;
+  if (activeFindings.some((f) => ["SEC_PRIVATE_KEY", "SEC_CURL_PIPE_SH"].includes(f.id))) {
+    score = Math.max(score, 90);
+  }
+  return Math.min(98, Math.round(score));
+}
+function scanTextForSecurity({ text, pathHint, allowlist }) {
+  const lines = String(text || "").split("\n");
+  let findings = [];
+  lines.forEach((ln, idx) => {
+    const n = idx + 1;
+    const lower = String(ln || "").toLowerCase();
+    const snip = String(ln || "").trim().slice(0, 160);
+    const commentLine = isLikelyCommentLine(ln);
+    if (lower.includes("eval(") || lower.includes("new function(")) {
+      const confidence = commentLine ? 0.55 : 0.95;
+      const severity = commentLine ? "medium" : "high";
+      findings.push(
+        mkFinding(
+          "SEC_EVAL",
+          severity,
+          pathHint,
+          n,
+          snip,
+          confidence,
+          withVerificationRationale("Dynamic code execution pattern", "confirm whether untrusted input can reach this call")
+        )
+      );
+    }
+    if (/(curl|wget).*(\||&&|;)\s*(bash|sh)/i.test(ln)) {
+      findings.push(
+        mkFinding(
+          "SEC_CURL_PIPE_SH",
+          "high",
+          pathHint,
+          n,
+          snip,
+          commentLine ? 0.62 : 0.99,
+          withVerificationRationale("Remote script piped into shell", "replace with downloaded and checksum-verified local script")
+        )
+      );
+    }
+    const hasRemoteFetch =
+      /(fetch|axios(\.(get|post|request))?|invoke-webrequest|invoke-restmethod|curl|wget)\s*\(?\s*["']?https?:\/\//i.test(ln) ||
+      /(curl|wget)\s+https?:\/\//i.test(ln);
+    if (hasRemoteFetch) {
+      findings.push(
+        mkFinding(
+          "SEC_REMOTE_FETCH",
+          "medium",
+          pathHint,
+          n,
+          snip,
+          commentLine ? 0.45 : 0.78,
+          withVerificationRationale("Remote fetch pattern detected", "ensure source is trusted, pinned, and checksum-verified")
+        )
+      );
+    }
+    const hasRemoteInclude =
+      /(source|include|require|import)\s+.*https?:\/\//i.test(ln) || /(from\s+["']https?:\/\/)/i.test(ln);
+    if (hasRemoteInclude) {
+      findings.push(
+        mkFinding(
+          "SEC_REMOTE_INCLUDE",
+          commentLine ? "medium" : "high",
+          pathHint,
+          n,
+          snip,
+          commentLine ? 0.52 : 0.9,
+          withVerificationRationale("Remote include/import pattern", "vendor locally or pin immutable artifact reference")
+        )
+      );
+    }
+    const hasGitDep = /git\+https?:\/\//i.test(ln) || /github\.com\/.+\/(main|master)\.zip/i.test(ln);
+    const movingRef = /#(main|master|head|latest)\b/i.test(ln) || (!/#/.test(ln) && /git\+https?:\/\//i.test(ln));
+    if (hasGitDep && movingRef && !hasPinnedGitRef(ln)) {
+      findings.push(
+        mkFinding(
+          "SEC_UNPINNED_GIT_DEP",
+          "medium",
+          pathHint,
+          n,
+          snip,
+          commentLine ? 0.5 : 0.84,
+          withVerificationRationale("Unpinned git dependency pattern", "pin to immutable commit SHA")
+        )
+      );
+    }
+    if (/(permissions?|permission_budget)\s*:\s*(\*|all|full|write|network|shell)\b/i.test(ln)) {
+      findings.push(
+        mkFinding(
+          "SEC_OVERBROAD_PERMISSION",
+          "medium",
+          pathHint,
+          n,
+          snip,
+          commentLine ? 0.5 : 0.82,
+          withVerificationRationale("Overbroad permission budget pattern", "narrow to least privilege needed for this task")
+        )
+      );
+    }
+    if (ln.includes("BEGIN PRIVATE KEY")) {
+      findings.push(
+        mkFinding(
+          "SEC_PRIVATE_KEY",
+          "high",
+          pathHint,
+          n,
+          "BEGIN PRIVATE KEY",
+          0.99,
+          withVerificationRationale("Private key material detected", "remove key material and rotate affected credentials")
+        )
+      );
+    }
+    if (BIDI_CHARS.some((ch) => ln.includes(ch))) {
+      findings.push(
+        mkFinding(
+          "SEC_BIDI_UNICODE",
+          "medium",
+          pathHint,
+          n,
+          snip,
+          0.88,
+          withVerificationRationale("Bidirectional Unicode control character", "inspect hidden characters and normalize text")
+        )
+      );
+    }
+    if (/ghp_[A-Za-z0-9]{20,}/.test(ln)) {
+      findings.push(
+        mkFinding(
+          "SEC_GH_TOKEN",
+          "high",
+          pathHint,
+          n,
+          "Possible GitHub token pattern",
+          0.92,
+          withVerificationRationale("Likely GitHub token", "remove token and rotate immediately")
+        )
+      );
+    }
+  });
+  findings = applyAllowlist(findings, allowlist);
+  const activeFindings = findings.filter((f) => !f.suppressed);
+  const reasonCounts = {};
+  activeFindings.forEach((f) => {
+    reasonCounts[f.id] = (reasonCounts[f.id] || 0) + 1;
+  });
+  const topReasons = Object.keys(reasonCounts)
+    .sort((a, b) => {
+      if (reasonCounts[b] !== reasonCounts[a]) return reasonCounts[b] - reasonCounts[a];
+      return a.localeCompare(b);
+    })
+    .slice(0, 3);
+  const riskScore = weightedRiskScore(activeFindings);
+  return {
+    riskScore,
+    topReasons,
+    highlights: toHighlights(findings),
+    findingsCount: findings.length,
+    activeFindingsCount: activeFindings.length,
+    suppressionAudit: suppressionAuditFromFindings(findings),
+  };
+}
+function runBaselineSecurityScan({ cwd, allowlist }) {
+  const targets = [".claude-plugin/plugin.json", "hooks/hooks.json"];
+  const skillRoot = path.join(cwd, "skills");
+  if (fs.existsSync(skillRoot)) targets.push("skills");
+  const agentRoot = path.join(cwd, "agents");
+  if (fs.existsSync(agentRoot)) targets.push("agents");
+  const scriptsRoot = path.join(cwd, "scripts");
+  if (fs.existsSync(scriptsRoot)) targets.push("scripts");
+  let findings = [];
+  function scanFile(rel) {
+    const abs = path.join(cwd, rel);
+    try {
+      const txt = fs.readFileSync(abs, "utf8");
+      const rep = scanTextForSecurity({ text: txt, pathHint: rel.replace(/\\/g, "/"), allowlist });
+      rep.highlights.forEach((h) => findings.push({ ...h }));
+    } catch {
+      // fail-open
+    }
+  }
+  function walk(relDir) {
+    const absDir = path.join(cwd, relDir);
+    const entries = fs.readdirSync(absDir, { withFileTypes: true });
+    entries.forEach((e) => {
+      const rel = path.join(relDir, e.name);
+      if (e.isDirectory()) return walk(rel);
+      if (e.isFile() && (rel.endsWith(".md") || rel.endsWith(".json") || rel.endsWith(".js") || rel.endsWith(".ts"))) {
+        scanFile(rel);
+      }
+    });
+  }
+  targets.forEach((t) => {
+    const abs = path.join(cwd, t);
+    if (!fs.existsSync(abs)) return;
+    const st = fs.statSync(abs);
+    if (st.isDirectory()) walk(t);
+    else scanFile(t);
+  });
+  const active = findings.filter((f) => !f.suppressed);
+  const reasonCounts = {};
+  active.forEach((f) => {
+    reasonCounts[f.id] = (reasonCounts[f.id] || 0) + 1;
+  });
+  const topReasons = Object.keys(reasonCounts)
+    .sort((a, b) => {
+      if (reasonCounts[b] !== reasonCounts[a]) return reasonCounts[b] - reasonCounts[a];
+      return a.localeCompare(b);
+    })
+    .slice(0, 3);
+  const riskScore = weightedRiskScore(active);
+  return { riskScore, topReasons, highlights: findings.slice(0, 10) };
+}
+module.exports = {
+  detectRiskyBash,
+  scanTextForSecurity,
+  runBaselineSecurityScan,
+  weightedRiskScore,
+};