npm - blackveil-dns - Versions diffs - 2.0.10 → 2.1.0 - Mend

blackveil-dns 2.0.10 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -24,6 +24,10 @@ Open-source DNS & email security scanner for Claude, Cursor, VS Code, and MCP cl
 ## Try it in 30 seconds
+**Claude Desktop** (one-click install):
+Download the [Blackveil DNS extension](https://github.com/MadaBurns/bv-claude-dns/releases/latest/download/bv-claude-dns.mcpb) and open it — all 33 tools available instantly.
 **Claude Code** (one command):
 ```bash
@@ -361,6 +365,20 @@ Enforce DNS security grades in your pipeline with the [Blackveil DNS GitHub Acti
 The action outputs `score`, `grade`, `maturity`, `scoring-profile`, and `passed` for downstream steps.
+### Package Release Controls
+`blackveil-dns` npm publishing is gated by `.github/workflows/publish.yml`.
+On `v*` tags, the workflow enforces:
+- `npm run validate:internal-deps`
+- Typecheck (`npx tsc --noEmit`)
+- Lint (`npm run lint`)
+- Test (`npm test`)
+- Security audit (`npm audit --audit-level=high`)
+- Changelog presence for the target version
+Publish only proceeds after all gates pass.
 ## Monitoring
 Get weekly DNS security reports in Slack or Discord. See [`examples/slack-discord-webhook/`](examples/slack-discord-webhook/) for a ready-to-deploy Cloudflare Cron Trigger recipe.

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { CheckResult, ScoringConfig, ScanScore, DomainContext } from '@blackveil/dns-checks/scoring';
 export { CATEGORY_DISPLAY_WEIGHTS, CheckCategory, CheckResult, DomainContext, DomainProfile, Finding, FindingConfidence, SEVERITY_PENALTIES, ScanScore, Severity, buildCheckResult, computeCategoryScore, computeScanScore, createFinding, detectDomainContext, getProfileWeights, inferFindingConfidence, scoreToGrade } from '@blackveil/dns-checks/scoring';
+import { z } from 'zod';
 export { parseDmarcTags } from '@blackveil/dns-checks';
 /** Standard DNS record type codes */
@@ -52,7 +53,7 @@ interface DohResponse {
 }
 /** Configuration for a custom secondary DoH resolver (e.g., bv-dns on Oracle Cloud). */
 interface SecondaryDohConfig {
-    /** DoH endpoint URL (e.g. https://harlan.blackveilsecurity.com/dns-query) */
+    /** DoH endpoint URL (e.g. https://doh.example.com/dns-query) */
     endpoint: string;
     /** Optional auth token sent as X-BV-Token header */
     token?: string;
@@ -159,7 +160,7 @@ declare function sanitizeDomain(input: string): string;
 declare function sanitizeInput(input: string, maxLength?: number): string;
 /** Server version — keep in sync with package.json */
-declare const SERVER_VERSION = "2.0.10";
+declare const SERVER_VERSION = "2.1.0";
 /**
  * Check BIMI records for a domain.
@@ -246,7 +247,12 @@ declare function checkSubdomainTakeover(domain: string, dnsOptions?: QueryDnsOpt
  */
 declare function checkTlsrpt(domain: string, dnsOptions?: QueryDnsOptions): Promise<CheckResult>;
-type OutputFormat = 'full' | 'compact';
+/** Output format. Trims and lowercases input before validation. */
+declare const FormatSchema: z.ZodPipe<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>, z.ZodEnum<{
+    full: "full";
+    compact: "compact";
+}>>;
+type OutputFormat = z.infer<typeof FormatSchema>;
 interface ImpactNarrative {
     impact?: string;

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { z } from 'zod';
 import * as punycode from 'punycode/';
 // src/lib/dns-types.ts
@@ -57,6 +58,40 @@ var DOH_EDGE_CACHE_TTL = 300;
 var INFLIGHT_CLEANUP_MS = 3e4;
 var DNS_RETRY_BASE_DELAY_MS = 75;
 var DNS_CONFIRM_WITH_SECONDARY_ON_EMPTY = true;
+var DnsAnswerSchema = z.object({
+  name: z.string(),
+  type: z.number(),
+  TTL: z.number().optional(),
+  data: z.string()
+});
+var DnsAuthoritySchema = z.object({
+  name: z.string(),
+  type: z.number(),
+  TTL: z.number().optional(),
+  data: z.string()
+});
+var DohResponseSchema = z.object({
+  Status: z.number().finite(),
+  TC: z.boolean().optional(),
+  RD: z.boolean().optional(),
+  RA: z.boolean().optional(),
+  AD: z.boolean().optional(),
+  CD: z.boolean().optional(),
+  Question: z.array(z.object({ name: z.string(), type: z.unknown() })).optional(),
+  Answer: z.array(DnsAnswerSchema).optional(),
+  Authority: z.array(DnsAuthoritySchema).optional()
+}).passthrough();
+var CaaRecordSchema = z.object({
+  flags: z.number(),
+  tag: z.string(),
+  value: z.string()
+});
+z.object({
+  usage: z.number(),
+  selector: z.number(),
+  matchingType: z.number(),
+  certData: z.string()
+});
 // src/lib/dns-transport.ts
 var DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query";
@@ -84,8 +119,9 @@ async function fetchDohResponse(url, timeoutMs) {
     });
     if (!response.ok) return null;
     const data = await response.json();
-    if (typeof data !== "object" || data === null || typeof data.Status !== "number" || !Number.isFinite(data.Status)) return null;
-    return data;
+    const parsed = DohResponseSchema.safeParse(data);
+    if (!parsed.success) return null;
+    return parsed.data;
   } catch {
     return null;
   } finally {
@@ -108,8 +144,9 @@ async function fetchDohWithAuth(url, timeoutMs, token) {
     });
     if (!response.ok) return null;
     const data = await response.json();
-    if (typeof data !== "object" || data === null || typeof data.Status !== "number" || !Number.isFinite(data.Status)) return null;
-    return data;
+    const parsed = DohResponseSchema.safeParse(data);
+    if (!parsed.success) return null;
+    return parsed.data;
   } catch {
     return null;
   } finally {
@@ -180,10 +217,11 @@ async function queryDnsUncached(domain, type, dnssecCheck = false, opts) {
       throw new DnsQueryError(`DoH returned HTTP ${response.status}`, domain, type, response.status);
     }
     const raw = await response.json();
-    if (typeof raw !== "object" || raw === null || typeof raw.Status !== "number" || !Number.isFinite(raw.Status)) {
+    const validated = DohResponseSchema.safeParse(raw);
+    if (!validated.success) {
       throw new DnsQueryError("Invalid DoH response format", domain, type);
     }
-    const data = raw;
+    const data = validated.data;
     if (confirmWithSecondaryOnEmpty && !opts?.skipSecondaryConfirmation && !hasTypedAnswers(data, type)) {
       if (opts?.secondaryDoh?.endpoint) {
         const bvDns = await fetchDohWithAuth(
@@ -245,15 +283,17 @@ function parseCaaRecord(data) {
     if (isNaN(flags) || isNaN(tagLen) || hexBytes.length < 2 + tagLen) return null;
     const tag = hexBytes.slice(2, 2 + tagLen).map((hexByte) => String.fromCharCode(parseInt(hexByte, 16))).join("");
     const value = hexBytes.slice(2 + tagLen).map((hexByte) => String.fromCharCode(parseInt(hexByte, 16))).join("");
-    return { flags, tag: tag.toLowerCase(), value };
+    const record = { flags, tag: tag.toLowerCase(), value };
+    return CaaRecordSchema.safeParse(record).success ? record : null;
   }
   const match = data.match(/^(\d+)\s+(\S+)\s+"?([^"]*)"?\s*$/);
   if (match) {
-    return {
+    const record = {
       flags: parseInt(match[1], 10),
       tag: match[2].toLowerCase(),
       value: match[3]
     };
+    return CaaRecordSchema.safeParse(record).success ? record : null;
   }
   return null;
 }
@@ -1125,9 +1165,7 @@ function sanitizeInput(input, maxLength = 500) {
 }
 // src/lib/server-version.ts
-var SERVER_VERSION = "2.0.10";
-// packages/dns-checks/dist/index.js
+var SERVER_VERSION = "2.1.0";
 var SEVERITY_PENALTIES2 = {
   critical: 40,
   high: 25,
@@ -4214,6 +4252,53 @@ async function checkHTTPSecurity(domain, fetchFn, options) {
   }
   return buildCheckResult2("http_security", findings);
 }
+var CheckCategorySchema = z.enum([
+  "spf",
+  "dmarc",
+  "dkim",
+  "dnssec",
+  "ssl",
+  "mta_sts",
+  "ns",
+  "caa",
+  "subdomain_takeover",
+  "mx",
+  "bimi",
+  "tlsrpt",
+  "lookalikes",
+  "shadow_domains",
+  "txt_hygiene",
+  "http_security",
+  "dane",
+  "mx_reputation",
+  "srv",
+  "zone_hygiene",
+  "dane_https",
+  "svcb_https"
+]);
+var SeveritySchema = z.enum(["critical", "high", "medium", "low", "info"]);
+z.enum(["deterministic", "heuristic", "verified"]);
+z.enum(["core", "protective", "hardening"]);
+var FindingSchema = z.object({
+  category: CheckCategorySchema,
+  title: z.string(),
+  severity: SeveritySchema,
+  detail: z.string(),
+  metadata: z.record(z.string(), z.unknown()).optional()
+});
+z.object({
+  category: CheckCategorySchema,
+  passed: z.boolean(),
+  score: z.number(),
+  findings: z.array(FindingSchema)
+});
+z.object({
+  overall: z.number(),
+  grade: z.string(),
+  categoryScores: z.record(z.string(), z.number()),
+  findings: z.array(FindingSchema),
+  summary: z.string()
+});
 // src/tools/check-bimi.ts
 function makeQueryDNS(dnsOptions) {