chainwall 2.1.0 → 2.2.2

package/dist/monitor/clipboard-scanner.js

@@ -0,0 +1,49 @@
+import { execFileSync } from 'node:child_process';
+import { platform } from 'node:os';
+import { createRuleEngine } from '../scanner/rule-engine.js';
+import { allRules } from '../rules/index.js';
+import { loadConfig } from '../config.js';
+import { SIGNAL_WEIGHTS } from './types.js';
+const CLIPBOARD_HIJACKER_PATTERNS = [/xclip.*-selection.*-o.*loop/i, /pbpaste.*while/i, /clipboard.*monitor/i, /clipjack/i];
+export function scanClipboard(config) {
+    const start = Date.now();
+    const findings = [];
+    if (!config.clipboardScanEnabled) {
+        return { category: 'clipboard', findings: [], durationMs: Date.now() - start };
+    }
+    let clipContent = '';
+    try {
+        if (platform() === 'darwin') {
+            clipContent = execFileSync('pbpaste', [], { timeout: 3000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+        }
+        else {
+            clipContent = execFileSync('xclip', ['-selection', 'clipboard', '-o'], { timeout: 3000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+        }
+    }
+    catch {
+        return { category: 'clipboard', findings, durationMs: Date.now() - start };
+    }
+    if (!clipContent.trim()) {
+        return { category: 'clipboard', findings, durationMs: Date.now() - start };
+    }
+    // Scan clipboard content through rule engine
+    const ruleConfig = loadConfig();
+    const engine = createRuleEngine({ rules: allRules, config: ruleConfig });
+    const scanFindings = engine.scanFile('clipboard', clipContent);
+    for (const f of scanFindings) {
+        const signals = [
+            { type: 'sensitive-file-access', weight: SIGNAL_WEIGHTS['sensitive-file-access'], detail: `${f.category}: ${f.ruleName}` },
+        ];
+        findings.push({
+            id: `clipboard-${f.ruleId}`,
+            category: 'clipboard',
+            severity: f.severity,
+            title: `Secret in clipboard: ${f.ruleName}`,
+            description: `Clipboard contains ${f.description}`,
+            signals,
+            detail: f.matchedText.slice(0, 20) + '...',
+        });
+    }
+    return { category: 'clipboard', findings, durationMs: Date.now() - start };
+}
+//# sourceMappingURL=clipboard-scanner.js.map

package/dist/monitor/clipboard-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clipboard-scanner.js","sourceRoot":"","sources":["../../src/monitor/clipboard-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C,MAAM,2BAA2B,GAAG,CAAC,8BAA8B,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,WAAW,CAAC,CAAC;AAE5H,MAAM,UAAU,aAAa,CAAC,MAAqB;IACjD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;QACjC,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IACjF,CAAC;IAED,IAAI,WAAW,GAAG,EAAE,CAAC;IACrB,IAAI,CAAC;QACH,IAAI,QAAQ,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC5B,WAAW,GAAG,YAAY,CAAC,SAAS,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACnH,CAAC;aAAM,CAAC;YACN,WAAW,GAAG,YAAY,CAAC,OAAO,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAChJ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IAC7E,CAAC;IAED,6CAA6C;IAC7C,MAAM,UAAU,GAAG,UAAU,EAAE,CAAC;IAChC,MAAM,MAAM,GAAG,gBAAgB,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;IACzE,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAE/D,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAwB;YACnC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE;SAC3H,CAAC;QACF,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,aAAa,CAAC,CAAC,MAAM,EAAE;YAC3B,QAAQ,EAAE,WAAW;YACrB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,wBAAwB,CAAC,CAAC,QAAQ,EAAE;YAC3C,WAAW,EAAE,sBAAsB,CAAC,CAAC,WAAW,EAAE;YAClD,OAAO;YACP,MAAM,EAAE,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;SAC3C,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;AAC7E,CAAC"}

package/dist/monitor/correlation.d.ts

@@ -0,0 +1,9 @@
+import type { MonitorFinding, MonitorResult, ScannerResult, BaselineState } from './types.js';
+import type { ScanFinding } from '../rules/types.js';
+import type { KnownGoodList } from './known-good.js';
+export declare function correlateFindings(scannerResults: ScannerResult[], scanFindings?: ScanFinding[], baseline?: BaselineState | null, knownGood?: KnownGoodList): MonitorResult;
+export declare function calculateMonitorRiskScore(findings: MonitorFinding[]): {
+    score: number;
+    label: string;
+};
+//# sourceMappingURL=correlation.d.ts.map

package/dist/monitor/correlation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlation.d.ts","sourceRoot":"","sources":["../../src/monitor/correlation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAoC,MAAM,YAAY,CAAC;AAChI,OAAO,KAAK,EAAE,WAAW,EAAY,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAgBrD,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,aAAa,EAAE,EAC/B,YAAY,CAAC,EAAE,WAAW,EAAE,EAC5B,QAAQ,CAAC,EAAE,aAAa,GAAG,IAAI,EAC/B,SAAS,CAAC,EAAE,aAAa,GACxB,aAAa,CAuFf;AAMD,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAiBtG"}

package/dist/monitor/correlation.js

@@ -0,0 +1,117 @@
+import { diffBaseline } from './baseline.js';
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };
+function elevateSeverity(severity) {
+    if (severity === 'low')
+        return 'medium';
+    if (severity === 'medium')
+        return 'high';
+    if (severity === 'high')
+        return 'critical';
+    return 'critical';
+}
+function totalSignalWeight(signals) {
+    return signals.reduce((sum, s) => sum + s.weight, 0);
+}
+export function correlateFindings(scannerResults, scanFindings, baseline, knownGood) {
+    const start = Date.now();
+    const allFindings = [];
+    // Collect all findings from scanners
+    for (const sr of scannerResults) {
+        allFindings.push(...sr.findings);
+    }
+    // Cross-reference process + network findings (same PID = correlated)
+    const processFindings = allFindings.filter(f => f.category === 'process' && f.pid);
+    const networkFindings = allFindings.filter(f => f.category === 'network' && f.pid);
+    for (const netFinding of networkFindings) {
+        const matchingProc = processFindings.find(p => p.pid === netFinding.pid);
+        if (matchingProc) {
+            // Boost both findings
+            netFinding.signals.push({ type: 'ai-child-process', weight: 0.4, detail: `Same PID as process finding: ${matchingProc.title}` });
+            matchingProc.signals.push({ type: 'suspicious-destination', weight: 0.4, detail: `Same PID as network finding: ${netFinding.title}` });
+        }
+    }
+    // Baseline diff: tag new items
+    let baselineDelta;
+    if (baseline) {
+        const currentBaseline = {
+            capturedAt: new Date().toISOString(),
+            processes: allFindings.filter(f => f.category === 'process').map(f => ({ name: f.processName ?? '', command: f.title })),
+            connections: allFindings.filter(f => f.category === 'network').map(f => ({ remoteAddress: f.title, processName: f.processName ?? '' })),
+            extensions: allFindings.filter(f => f.category === 'browser').map(f => f.id),
+            persistence: allFindings.filter(f => f.category === 'persistence').map(f => f.id),
+        };
+        baselineDelta = diffBaseline(currentBaseline, baseline);
+        // Add new-since-baseline signal to relevant findings
+        const newIds = new Set([...baselineDelta.newExtensions, ...baselineDelta.newPersistence]);
+        for (const finding of allFindings) {
+            const isNew = newIds.has(finding.id) ||
+                (finding.category === 'process' && baselineDelta.newProcesses.includes(finding.processName ?? '')) ||
+                (finding.category === 'network' && baselineDelta.newConnections.includes(finding.title));
+            if (isNew) {
+                finding.signals.push({ type: 'new-since-baseline', weight: 0.5, detail: 'Not present in baseline' });
+            }
+        }
+    }
+    // Apply correlation scoring
+    for (const finding of allFindings) {
+        const weight = totalSignalWeight(finding.signals);
+        const signalCount = finding.signals.length;
+        if (signalCount <= 1 && weight < 0.8) {
+            // Cap at low (info-like, hidden by default)
+            if (SEVERITY_ORDER[finding.severity] < SEVERITY_ORDER['low']) {
+                finding.severity = 'low';
+            }
+        }
+        else if (signalCount >= 3) {
+            // Elevate severity
+            finding.severity = elevateSeverity(finding.severity);
+        }
+        // signalCount === 2: keep as-reported
+    }
+    // Dedup by PID + category
+    const dedupMap = new Map();
+    for (const f of allFindings) {
+        const key = f.pid ? `${f.pid}:${f.category}:${f.title}` : f.id;
+        if (!dedupMap.has(key)) {
+            dedupMap.set(key, f);
+        }
+    }
+    const dedupedFindings = Array.from(dedupMap.values());
+    // Sort by severity
+    dedupedFindings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+    // Calculate risk score
+    const riskResult = calculateMonitorRiskScore(dedupedFindings);
+    return {
+        findings: dedupedFindings,
+        scannerResults,
+        riskScore: riskResult.score,
+        riskLabel: riskResult.label,
+        durationMs: Date.now() - start,
+        baselineDelta,
+    };
+}
+const MONITOR_MULTIPLIER = 2.0;
+const SEVERITY_POINTS = { critical: 3, high: 2, medium: 1, low: 0.5 };
+const MAX_RAW = 30;
+export function calculateMonitorRiskScore(findings) {
+    if (findings.length === 0)
+        return { score: 0, label: 'CLEAN' };
+    let raw = 0;
+    for (const f of findings) {
+        let points = SEVERITY_POINTS[f.severity] ?? 0;
+        points *= MONITOR_MULTIPLIER;
+        raw += points;
+    }
+    const score = Math.min(10, Math.round((raw / MAX_RAW) * 10 * 10) / 10);
+    let label = 'CLEAN';
+    if (score > 0 && score <= 2)
+        label = 'LOW';
+    else if (score > 2 && score <= 5)
+        label = 'MODERATE';
+    else if (score > 5 && score <= 8)
+        label = 'HIGH';
+    else if (score > 8)
+        label = 'CRITICAL';
+    return { score, label };
+}
+//# sourceMappingURL=correlation.js.map

package/dist/monitor/correlation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlation.js","sourceRoot":"","sources":["../../src/monitor/correlation.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,cAAc,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAE7F,SAAS,eAAe,CAAC,QAAkB;IACzC,IAAI,QAAQ,KAAK,KAAK;QAAE,OAAO,QAAQ,CAAC;IACxC,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IACzC,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,UAAU,CAAC;IAC3C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,iBAAiB,CAAC,OAA4B;IACrD,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,cAA+B,EAC/B,YAA4B,EAC5B,QAA+B,EAC/B,SAAyB;IAEzB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,WAAW,GAAqB,EAAE,CAAC;IAEzC,qCAAqC;IACrC,KAAK,MAAM,EAAE,IAAI,cAAc,EAAE,CAAC;QAChC,WAAW,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IAED,qEAAqE;IACrE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACnF,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAEnF,KAAK,MAAM,UAAU,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,UAAU,CAAC,GAAG,CAAC,CAAC;QACzE,IAAI,YAAY,EAAE,CAAC;YACjB,sBAAsB;YACtB,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,gCAAgC,YAAY,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACjI,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,wBAAwB,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,gCAAgC,UAAU,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACzI,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,IAAI,aAAwC,CAAC;IAC7C,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,eAAe,GAAkB;YACrC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACxH,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC,CAAC;YACvI,UAAU,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5E,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAClF,CAAC;QACF,aAAa,GAAG,YAAY,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAExD,qDAAqD;QACrD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,aAAa,CAAC,aAAa,EAAE,GAAG,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC;QAC1F,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,CAAC,OAAO,CAAC,QAAQ,KAAK,SAAS,IAAI,aAAa,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;gBAClG,CAAC,OAAO,CAAC,QAAQ,KAAK,SAAS,IAAI,aAAa,CAAC,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3F,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC,CAAC;YACvG,CAAC;QACH,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;QAE3C,IAAI,WAAW,IAAI,CAAC,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;YACrC,4CAA4C;YAC5C,IAAI,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,OAAO,CAAC,QAAQ,GAAG,KAAK,CAAC;YAC3B,CAAC;QACH,CAAC;aAAM,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;YAC5B,mBAAmB;YACnB,OAAO,CAAC,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACvD,CAAC;QACD,sCAAsC;IACxC,CAAC;IAED,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA0B,CAAC;IACnD,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IACD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAEtD,mBAAmB;IACnB,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAExF,uBAAuB;IACvB,MAAM,UAAU,GAAG,yBAAyB,CAAC,eAAe,CAAC,CAAC;IAE9D,OAAO;QACL,QAAQ,EAAE,eAAe;QACzB,cAAc;QACd,SAAS,EAAE,UAAU,CAAC,KAAK;QAC3B,SAAS,EAAE,UAAU,CAAC,KAAK;QAC3B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;QAC9B,aAAa;KACd,CAAC;AACJ,CAAC;AAED,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAC/B,MAAM,eAAe,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAChG,MAAM,OAAO,GAAG,EAAE,CAAC;AAEnB,MAAM,UAAU,yBAAyB,CAAC,QAA0B;IAClE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAE/D,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,IAAI,kBAAkB,CAAC;QAC7B,GAAG,IAAI,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;IACvE,IAAI,KAAK,GAAG,OAAO,CAAC;IACpB,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC;QAAE,KAAK,GAAG,KAAK,CAAC;SACtC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC;QAAE,KAAK,GAAG,UAAU,CAAC;SAChD,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC;QAAE,KAAK,GAAG,MAAM,CAAC;SAC5C,IAAI,KAAK,GAAG,CAAC;QAAE,KAAK,GAAG,UAAU,CAAC;IACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;AAC1B,CAAC"}

package/dist/monitor/index.d.ts

@@ -0,0 +1,13 @@
+export type { MonitorCategory, MonitorFinding, MonitorResult, MonitorConfig, ScannerResult, ProcessInfo, NetworkConnection, CorrelationSignal, SignalType, BaselineState, BaselineDelta, } from './types.js';
+export { SIGNAL_WEIGHTS } from './types.js';
+export { DEFAULT_KNOWN_GOOD, isKnownGoodProcess, isKnownGoodEndpoint, isKnownGoodChain } from './known-good.js';
+export type { KnownGoodList } from './known-good.js';
+export { scanProcesses } from './process-scanner.js';
+export { scanNetwork } from './network-scanner.js';
+export { scanBrowserExtensions } from './browser-scanner.js';
+export { scanShadowAI } from './shadow-ai-scanner.js';
+export { scanClipboard } from './clipboard-scanner.js';
+export { scanPersistence } from './persistence-scanner.js';
+export { correlateFindings } from './correlation.js';
+export { captureBaseline, saveBaseline, loadBaseline, diffBaseline } from './baseline.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/monitor/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/monitor/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,eAAe,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAC7D,aAAa,EAAE,WAAW,EAAE,iBAAiB,EAAE,iBAAiB,EAChE,UAAU,EAAE,aAAa,EAAE,aAAa,GACzC,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAChH,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC"}

package/dist/monitor/index.js

@@ -0,0 +1,11 @@
+export { SIGNAL_WEIGHTS } from './types.js';
+export { DEFAULT_KNOWN_GOOD, isKnownGoodProcess, isKnownGoodEndpoint, isKnownGoodChain } from './known-good.js';
+export { scanProcesses } from './process-scanner.js';
+export { scanNetwork } from './network-scanner.js';
+export { scanBrowserExtensions } from './browser-scanner.js';
+export { scanShadowAI } from './shadow-ai-scanner.js';
+export { scanClipboard } from './clipboard-scanner.js';
+export { scanPersistence } from './persistence-scanner.js';
+export { correlateFindings } from './correlation.js';
+export { captureBaseline, saveBaseline, loadBaseline, diffBaseline } from './baseline.js';
+//# sourceMappingURL=index.js.map

package/dist/monitor/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/monitor/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEhH,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC"}

package/dist/monitor/known-good.d.ts

@@ -0,0 +1,24 @@
+/** Built-in known-good allowlists for runtime monitor. Items here generate no findings. */
+export interface KnownGoodList {
+    /** Process name patterns that are always safe (lowercase). */
+    processes: string[];
+    /** Process parent-child chains that are always safe. */
+    processChains: Array<{
+        parent: string;
+        child: string;
+    }>;
+    /** Network destinations that are known AI tool endpoints. */
+    networkEndpoints: string[];
+    /** Browser extension IDs that are well-known and safe. */
+    browserExtensions: string[];
+    /** Persistence entries that are expected OS/tool items. */
+    persistenceEntries: string[];
+}
+export declare const DEFAULT_KNOWN_GOOD: KnownGoodList;
+/** Check if a process name is in the known-good list (case-insensitive). */
+export declare function isKnownGoodProcess(name: string, list: KnownGoodList): boolean;
+/** Check if a network destination is known-good. */
+export declare function isKnownGoodEndpoint(dest: string, list: KnownGoodList): boolean;
+/** Check if a process chain (parent->child) is known-good. */
+export declare function isKnownGoodChain(parentName: string, childName: string, list: KnownGoodList): boolean;
+//# sourceMappingURL=known-good.d.ts.map

package/dist/monitor/known-good.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"known-good.d.ts","sourceRoot":"","sources":["../../src/monitor/known-good.ts"],"names":[],"mappings":"AAAA,2FAA2F;AAE3F,MAAM,WAAW,aAAa;IAC5B,8DAA8D;IAC9D,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,wDAAwD;IACxD,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACxD,6DAA6D;IAC7D,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,0DAA0D;IAC1D,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,2DAA2D;IAC3D,kBAAkB,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,eAAO,MAAM,kBAAkB,EAAE,aA8DhC,CAAC;AAEF,4EAA4E;AAC5E,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAG7E;AAED,oDAAoD;AACpD,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAG9E;AAED,8DAA8D;AAC9D,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAOpG"}

package/dist/monitor/known-good.js

@@ -0,0 +1,82 @@
+/** Built-in known-good allowlists for runtime monitor. Items here generate no findings. */
+export const DEFAULT_KNOWN_GOOD = {
+    processes: [
+        'node', 'npm', 'npx', 'git', 'tsc', 'esbuild', 'vite',
+        'python', 'python3', 'pip', 'pip3',
+        'bash', 'zsh', 'sh', 'fish',
+        'code', 'code-insiders', 'cursor', 'cursor-helper',
+        'electron', 'chrome', 'firefox', 'safari',
+        'ls', 'cat', 'grep', 'find', 'sed', 'awk',
+        'docker', 'kubectl', 'terraform',
+        'vim', 'nvim', 'nano', 'emacs',
+        'ssh', 'ssh-agent', 'gpg-agent',
+        'launchd', 'loginwindow', 'WindowServer', 'systemd',
+    ],
+    processChains: [
+        { parent: 'node', child: 'git' },
+        { parent: 'node', child: 'npm' },
+        { parent: 'node', child: 'npx' },
+        { parent: 'node', child: 'tsc' },
+        { parent: 'node', child: 'esbuild' },
+        { parent: 'cursor', child: 'cursor-helper' },
+        { parent: 'cursor', child: 'node' },
+        { parent: 'code', child: 'node' },
+        { parent: 'code-insiders', child: 'node' },
+        { parent: 'zsh', child: 'node' },
+        { parent: 'bash', child: 'node' },
+    ],
+    networkEndpoints: [
+        // Anthropic
+        'api.anthropic.com',
+        'claude.ai',
+        // OpenAI
+        'api.openai.com',
+        'chat.openai.com',
+        // Google
+        'generativelanguage.googleapis.com',
+        'aistudio.google.com',
+        // GitHub Copilot
+        'copilot-proxy.githubusercontent.com',
+        'api.github.com',
+        'github.com',
+        // Cursor
+        'api2.cursor.sh',
+        'cursor.sh',
+        // Common package registries
+        'registry.npmjs.org',
+        'pypi.org',
+        'rubygems.org',
+        // CDNs
+        'cdn.jsdelivr.net',
+        'unpkg.com',
+        // Local
+        'localhost',
+        '127.0.0.1',
+        '::1',
+    ],
+    browserExtensions: [],
+    persistenceEntries: [
+        'com.apple.terminal.plist',
+        'com.googlecode.iterm2.plist',
+        'com.microsoft.VSCode.plist',
+        'homebrew.mxcl.',
+    ],
+};
+/** Check if a process name is in the known-good list (case-insensitive). */
+export function isKnownGoodProcess(name, list) {
+    const lower = name.toLowerCase();
+    return list.processes.some((p) => lower === p || lower.endsWith('/' + p));
+}
+/** Check if a network destination is known-good. */
+export function isKnownGoodEndpoint(dest, list) {
+    const lower = dest.toLowerCase();
+    return list.networkEndpoints.some((e) => lower === e || lower.endsWith('.' + e));
+}
+/** Check if a process chain (parent->child) is known-good. */
+export function isKnownGoodChain(parentName, childName, list) {
+    const pLower = parentName.toLowerCase();
+    const cLower = childName.toLowerCase();
+    return list.processChains.some((c) => (pLower === c.parent || pLower.endsWith('/' + c.parent)) &&
+        (cLower === c.child || cLower.endsWith('/' + c.child)));
+}
+//# sourceMappingURL=known-good.js.map

package/dist/monitor/known-good.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"known-good.js","sourceRoot":"","sources":["../../src/monitor/known-good.ts"],"names":[],"mappings":"AAAA,2FAA2F;AAe3F,MAAM,CAAC,MAAM,kBAAkB,GAAkB;IAC/C,SAAS,EAAE;QACT,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM;QACrD,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM;QAClC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM;QAC3B,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,eAAe;QAClD,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ;QACzC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;QACzC,QAAQ,EAAE,SAAS,EAAE,WAAW;QAChC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;QAC9B,KAAK,EAAE,WAAW,EAAE,WAAW;QAC/B,SAAS,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS;KACpD;IACD,aAAa,EAAE;QACb,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE;QAChC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE;QAChC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE;QAChC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE;QAChC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;QACpC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE;QAC5C,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE;QACnC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;QACjC,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,MAAM,EAAE;QAC1C,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE;QAChC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE;KAClC;IACD,gBAAgB,EAAE;QAChB,YAAY;QACZ,mBAAmB;QACnB,WAAW;QACX,SAAS;QACT,gBAAgB;QAChB,iBAAiB;QACjB,SAAS;QACT,mCAAmC;QACnC,qBAAqB;QACrB,iBAAiB;QACjB,qCAAqC;QACrC,gBAAgB;QAChB,YAAY;QACZ,SAAS;QACT,gBAAgB;QAChB,WAAW;QACX,4BAA4B;QAC5B,oBAAoB;QACpB,UAAU;QACV,cAAc;QACd,OAAO;QACP,kBAAkB;QAClB,WAAW;QACX,QAAQ;QACR,WAAW;QACX,WAAW;QACX,KAAK;KACN;IACD,iBAAiB,EAAE,EAAE;IACrB,kBAAkB,EAAE;QAClB,0BAA0B;QAC1B,6BAA6B;QAC7B,4BAA4B;QAC5B,gBAAgB;KACjB;CACF,CAAC;AAEF,4EAA4E;AAC5E,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,IAAmB;IAClE,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,mBAAmB,CAAC,IAAY,EAAE,IAAmB;IACnE,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,SAAiB,EAAE,IAAmB;IACzF,MAAM,MAAM,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IACxC,MAAM,MAAM,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IACvC,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;QACxD,CAAC,MAAM,KAAK,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAC9D,CAAC;AACJ,CAAC"}

package/dist/monitor/network-scanner.d.ts

@@ -0,0 +1,4 @@
+import { type KnownGoodList } from './known-good.js';
+import type { ScannerResult, ProcessInfo, MonitorConfig } from './types.js';
+export declare function scanNetwork(config: MonitorConfig, knownGood: KnownGoodList, processMap: Map<number, ProcessInfo>): ScannerResult;
+//# sourceMappingURL=network-scanner.d.ts.map

package/dist/monitor/network-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-scanner.d.ts","sourceRoot":"","sources":["../../src/monitor/network-scanner.ts"],"names":[],"mappings":"AAEA,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC1E,OAAO,KAAK,EAAkB,aAAa,EAAE,WAAW,EAAqB,aAAa,EAAqB,MAAM,YAAY,CAAC;AAoElI,wBAAgB,WAAW,CAAC,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,aAAa,CAsDhI"}

package/dist/monitor/network-scanner.js

@@ -0,0 +1,123 @@
+import { execFileSync } from 'node:child_process';
+import { platform } from 'node:os';
+import { isKnownGoodEndpoint } from './known-good.js';
+import { SIGNAL_WEIGHTS } from './types.js';
+const SUSPICIOUS_DESTINATIONS = [
+    /pastebin\.com/i, /hastebin\.com/i, /paste\.ee/i,
+    /webhook\.site/i, /requestbin/i, /hookbin\.com/i,
+    /ngrok\.io/i, /ngrok-free\.app/i, /localhost\.run/i, /bore\.digital/i,
+    /transfer\.sh/i, /file\.io/i,
+    /discord(?:app)?\.com\/api\/webhooks/i,
+    /api\.telegram\.org\/bot/i,
+    /hooks\.slack\.com/i,
+];
+const RAW_IP_PATTERN = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
+function parseLsofOutput(output) {
+    const connections = [];
+    let currentPid = 0;
+    let currentName = '';
+    for (const line of output.split('\n')) {
+        if (!line)
+            continue;
+        const field = line[0];
+        const value = line.slice(1);
+        if (field === 'p') {
+            currentPid = parseInt(value, 10) || 0;
+        }
+        else if (field === 'c') {
+            currentName = value;
+        }
+        else if (field === 'n') {
+            // Format: "host:port->remote:port" or just "host:port"
+            const parts = value.split('->');
+            const local = parts[0] ?? '';
+            const remote = parts[1] ?? '';
+            if (remote) {
+                const remoteHost = remote.replace(/:\d+$/, '');
+                connections.push({
+                    pid: currentPid,
+                    protocol: 'tcp',
+                    localAddress: local,
+                    remoteAddress: remote,
+                    state: 'ESTABLISHED',
+                    processName: currentName,
+                });
+            }
+        }
+    }
+    return connections;
+}
+function parseSsOutput(output) {
+    const connections = [];
+    const lines = output.split('\n');
+    for (let i = 1; i < lines.length; i++) {
+        const parts = lines[i].trim().split(/\s+/);
+        if (parts.length < 6)
+            continue;
+        const proto = parts[0];
+        const state = parts[1];
+        const local = parts[4];
+        const remote = parts[5];
+        // Extract PID from users column if present
+        const usersMatch = lines[i].match(/pid=(\d+)/);
+        const pid = usersMatch ? parseInt(usersMatch[1], 10) : 0;
+        if (remote && remote !== '*:*') {
+            connections.push({ pid, protocol: proto, localAddress: local, remoteAddress: remote, state, processName: '' });
+        }
+    }
+    return connections;
+}
+export function scanNetwork(config, knownGood, processMap) {
+    const start = Date.now();
+    const findings = [];
+    let connections = [];
+    try {
+        if (platform() === 'darwin') {
+            const output = execFileSync('lsof', ['-i', '-nP', '-F', 'pcn'], {
+                timeout: 10000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            connections = parseLsofOutput(output);
+        }
+        else {
+            const output = execFileSync('ss', ['-tunp'], {
+                timeout: 5000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            connections = parseSsOutput(output);
+        }
+    }
+    catch {
+        return { category: 'network', findings: [], durationMs: Date.now() - start };
+    }
+    const userAllowed = new Set((config.networkAllowlist ?? []).map(s => s.toLowerCase()));
+    const seen = new Set();
+    for (const conn of connections) {
+        const remoteHost = conn.remoteAddress.replace(/:\d+$/, '').replace(/^\[/, '').replace(/\]$/, '');
+        const dedupKey = `${conn.pid}:${remoteHost}`;
+        if (seen.has(dedupKey))
+            continue;
+        seen.add(dedupKey);
+        if (isKnownGoodEndpoint(remoteHost, knownGood))
+            continue;
+        if (userAllowed.has(remoteHost.toLowerCase()))
+            continue;
+        if (remoteHost === '*' || remoteHost === '0.0.0.0' || remoteHost === '::')
+            continue;
+        const proc = processMap.get(conn.pid);
+        const procName = proc?.name ?? conn.processName ?? `PID ${conn.pid}`;
+        const signals = [];
+        // Check suspicious destinations
+        const isSuspicious = SUSPICIOUS_DESTINATIONS.some(p => p.test(conn.remoteAddress));
+        if (isSuspicious) {
+            signals.push({ type: 'suspicious-destination', weight: SIGNAL_WEIGHTS['suspicious-destination'], detail: `Connection to ${remoteHost}` });
+            findings.push({ id: `net-suspicious-${conn.pid}-${remoteHost}`, category: 'network', severity: 'high', title: `Suspicious destination: ${remoteHost}`, description: `${procName} (PID ${conn.pid}) connected to suspicious endpoint`, signals: [...signals], pid: conn.pid, processName: procName, target: conn.remoteAddress });
+            continue;
+        }
+        // Check raw IP connections (non-local)
+        if (RAW_IP_PATTERN.test(remoteHost) && !remoteHost.startsWith('127.') && !remoteHost.startsWith('10.') && !remoteHost.startsWith('192.168.') && !remoteHost.startsWith('172.')) {
+            signals.push({ type: 'unknown-destination', weight: SIGNAL_WEIGHTS['unknown-destination'], detail: `Raw IP: ${remoteHost}` });
+            findings.push({ id: `net-rawip-${conn.pid}-${remoteHost}`, category: 'network', severity: 'low', title: `Connection to raw IP: ${remoteHost}`, description: `${procName} connected to non-local IP address`, signals: [...signals], pid: conn.pid, processName: procName, target: conn.remoteAddress });
+        }
+    }
+    return { category: 'network', findings, durationMs: Date.now() - start };
+}
+//# sourceMappingURL=network-scanner.js.map

package/dist/monitor/network-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-scanner.js","sourceRoot":"","sources":["../../src/monitor/network-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,mBAAmB,EAAsB,MAAM,iBAAiB,CAAC;AAE1E,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C,MAAM,uBAAuB,GAAG;IAC9B,gBAAgB,EAAE,gBAAgB,EAAE,YAAY;IAChD,gBAAgB,EAAE,aAAa,EAAE,eAAe;IAChD,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,gBAAgB;IACrE,eAAe,EAAE,WAAW;IAC5B,sCAAsC;IACtC,0BAA0B;IAC1B,oBAAoB;CACrB,CAAC;AAEF,MAAM,cAAc,GAAG,sCAAsC,CAAC;AAE9D,SAAS,eAAe,CAAC,MAAc;IACrC,MAAM,WAAW,GAAwB,EAAE,CAAC;IAC5C,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,WAAW,GAAG,EAAE,CAAC;IAErB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE5B,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;YAAC,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QAAC,CAAC;aACxD,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;YAAC,WAAW,GAAG,KAAK,CAAC;QAAC,CAAC;aAC3C,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;YACvB,uDAAuD;YACvD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBAC/C,WAAW,CAAC,IAAI,CAAC;oBACf,GAAG,EAAE,UAAU;oBACf,QAAQ,EAAE,KAAK;oBACf,YAAY,EAAE,KAAK;oBACnB,aAAa,EAAE,MAAM;oBACrB,KAAK,EAAE,aAAa;oBACpB,WAAW,EAAE,WAAW;iBACzB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,WAAW,GAAwB,EAAE,CAAC;IAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACxB,2CAA2C;QAC3C,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzD,IAAI,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC/B,WAAW,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;QACjH,CAAC;IACH,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAqB,EAAE,SAAwB,EAAE,UAAoC;IAC/G,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,IAAI,WAAW,GAAwB,EAAE,CAAC;IAE1C,IAAI,CAAC;QACH,IAAI,QAAQ,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE;gBAC9D,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aACnE,CAAC,CAAC;YACH,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,EAAE;gBAC3C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAClE,CAAC,CAAC;YACH,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IAC/E,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACvF,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjG,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7C,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,SAAS;QACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEnB,IAAI,mBAAmB,CAAC,UAAU,EAAE,SAAS,CAAC;YAAE,SAAS;QACzD,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;YAAE,SAAS;QACxD,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,IAAI;YAAE,SAAS;QAEpF,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC,WAAW,IAAI,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;QACrE,MAAM,OAAO,GAAwB,EAAE,CAAC;QAExC,gCAAgC;QAChC,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;QACnF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,wBAAwB,EAAE,MAAM,EAAE,cAAc,CAAC,wBAAwB,CAAC,EAAE,MAAM,EAAE,iBAAiB,UAAU,EAAE,EAAE,CAAC,CAAC;YAC1I,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,IAAI,UAAU,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,2BAA2B,UAAU,EAAE,EAAE,WAAW,EAAE,GAAG,QAAQ,SAAS,IAAI,CAAC,GAAG,oCAAoC,EAAE,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;YACjU,SAAS;QACX,CAAC;QAED,uCAAuC;QACvC,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/K,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,MAAM,EAAE,cAAc,CAAC,qBAAqB,CAAC,EAAE,MAAM,EAAE,WAAW,UAAU,EAAE,EAAE,CAAC,CAAC;YAC9H,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,aAAa,IAAI,CAAC,GAAG,IAAI,UAAU,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,UAAU,EAAE,EAAE,WAAW,EAAE,GAAG,QAAQ,oCAAoC,EAAE,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;QAC1S,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;AAC3E,CAAC"}

package/dist/monitor/persistence-scanner.d.ts

@@ -0,0 +1,4 @@
+import type { KnownGoodList } from './known-good.js';
+import type { ScannerResult, MonitorConfig } from './types.js';
+export declare function scanPersistence(config: MonitorConfig, knownGood: KnownGoodList): ScannerResult;
+//# sourceMappingURL=persistence-scanner.d.ts.map

package/dist/monitor/persistence-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"persistence-scanner.d.ts","sourceRoot":"","sources":["../../src/monitor/persistence-scanner.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAkB,aAAa,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC;AAWlG,wBAAgB,eAAe,CAAC,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,GAAG,aAAa,CA0H9F"}