defense-mcp-server 0.9.1 → 0.9.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/core/auto-installer.js +31 -31
- package/build/core/command-allowlist.js +1 -1
- package/build/core/config.d.ts +16 -0
- package/build/core/config.d.ts.map +1 -1
- package/build/core/config.js +6 -0
- package/build/core/dependency-validator.js +9 -9
- package/build/core/distro-adapter.d.ts +0 -5
- package/build/core/distro-adapter.d.ts.map +1 -1
- package/build/core/distro-adapter.js +0 -7
- package/build/core/distro.d.ts +0 -11
- package/build/core/distro.d.ts.map +1 -1
- package/build/core/distro.js +0 -48
- package/build/core/encrypted-state.d.ts +0 -7
- package/build/core/encrypted-state.d.ts.map +1 -1
- package/build/core/encrypted-state.js +0 -7
- package/build/core/executor.d.ts.map +1 -1
- package/build/core/executor.js +13 -0
- package/build/core/logger.js +1 -1
- package/build/core/output-redactor.d.ts +26 -0
- package/build/core/output-redactor.d.ts.map +1 -0
- package/build/core/output-redactor.js +96 -0
- package/build/core/pam-utils.js +1 -1
- package/build/core/parsers.js +1 -1
- package/build/core/preflight.d.ts +4 -4
- package/build/core/preflight.js +13 -13
- package/build/core/progress.js +20 -20
- package/build/core/run-command.d.ts +14 -0
- package/build/core/run-command.d.ts.map +1 -0
- package/build/core/run-command.js +46 -0
- package/build/core/spawn-safe.d.ts +6 -6
- package/build/core/spawn-safe.d.ts.map +1 -1
- package/build/core/sudo-guard.js +4 -4
- package/build/core/third-party-installer.js +4 -4
- package/build/core/tool-annotations.d.ts +13 -0
- package/build/core/tool-annotations.d.ts.map +1 -0
- package/build/core/tool-annotations.js +49 -0
- package/build/core/tool-wrapper.d.ts.map +1 -1
- package/build/core/tool-wrapper.js +21 -3
- package/build/tools/access-control.js +6 -6
- package/build/tools/api-security.d.ts.map +1 -1
- package/build/tools/api-security.js +5 -51
- package/build/tools/app-hardening.d.ts.map +1 -1
- package/build/tools/app-hardening.js +23 -25
- package/build/tools/cloud-security.d.ts.map +1 -1
- package/build/tools/cloud-security.js +5 -51
- package/build/tools/compliance.d.ts.map +1 -1
- package/build/tools/compliance.js +9 -13
- package/build/tools/container-security.d.ts.map +1 -1
- package/build/tools/container-security.js +51 -52
- package/build/tools/deception.d.ts.map +1 -1
- package/build/tools/deception.js +8 -54
- package/build/tools/dns-security.d.ts.map +1 -1
- package/build/tools/dns-security.js +2 -48
- package/build/tools/encryption.d.ts.map +1 -1
- package/build/tools/encryption.js +86 -87
- package/build/tools/firewall.d.ts.map +1 -1
- package/build/tools/firewall.js +324 -30
- package/build/tools/hardening.d.ts.map +1 -1
- package/build/tools/hardening.js +12 -13
- package/build/tools/incident-response.d.ts.map +1 -1
- package/build/tools/incident-response.js +3 -3
- package/build/tools/logging.d.ts.map +1 -1
- package/build/tools/logging.js +17 -59
- package/build/tools/malware.js +2 -2
- package/build/tools/meta.d.ts.map +1 -1
- package/build/tools/meta.js +222 -166
- package/build/tools/network-defense.d.ts.map +1 -1
- package/build/tools/network-defense.js +3 -3
- package/build/tools/patch-management.js +8 -8
- package/build/tools/process-security.d.ts.map +1 -1
- package/build/tools/process-security.js +38 -92
- package/build/tools/sudo-management.js +36 -36
- package/build/tools/threat-intel.d.ts.map +1 -1
- package/build/tools/threat-intel.js +2 -48
- package/build/tools/vulnerability-management.d.ts.map +1 -1
- package/build/tools/vulnerability-management.js +3 -49
- package/build/tools/waf.d.ts.map +1 -1
- package/build/tools/waf.js +47 -93
- package/build/tools/wireless-security.d.ts.map +1 -1
- package/build/tools/wireless-security.js +9 -55
- package/package.json +4 -2
|
@@ -275,7 +275,7 @@ function verifyInstalledBinary(binary) {
|
|
|
275
275
|
stdio: ["pipe", "pipe", "pipe"],
|
|
276
276
|
});
|
|
277
277
|
if (!pattern.test(stdout ?? "")) {
|
|
278
|
-
console.error(`[auto-installer]
|
|
278
|
+
console.error(`[auto-installer] WARNING: Installed '${binary}' but --version output doesn't match ` +
|
|
279
279
|
`expected pattern /${pattern.source}/. The package may be a name collision, not the security tool.`);
|
|
280
280
|
return false;
|
|
281
281
|
}
|
|
@@ -283,7 +283,7 @@ function verifyInstalledBinary(binary) {
|
|
|
283
283
|
}
|
|
284
284
|
catch {
|
|
285
285
|
// Can't verify — warn but don't block
|
|
286
|
-
console.error(`[auto-installer]
|
|
286
|
+
console.error(`[auto-installer] WARNING: Could not verify '${binary}' identity via --version (non-fatal)`);
|
|
287
287
|
return false;
|
|
288
288
|
}
|
|
289
289
|
}
|
|
@@ -319,7 +319,7 @@ export class AutoInstaller {
|
|
|
319
319
|
AutoInstaller._instance = new AutoInstaller();
|
|
320
320
|
// Fix E: Warn when auto-install is enabled
|
|
321
321
|
if (AutoInstaller._instance.isEnabled()) {
|
|
322
|
-
console.error("[auto-install]
|
|
322
|
+
console.error("[auto-install] WARNING: Auto-installation is ENABLED. Packages will be installed with sudo when missing dependencies are detected.");
|
|
323
323
|
}
|
|
324
324
|
}
|
|
325
325
|
return AutoInstaller._instance;
|
|
@@ -457,7 +457,7 @@ export class AutoInstaller {
|
|
|
457
457
|
const toolReq = lookup.get(binary);
|
|
458
458
|
if (!toolReq) {
|
|
459
459
|
// Binary not in approved package list — refuse to install
|
|
460
|
-
console.error(`[auto-install]
|
|
460
|
+
console.error(`[auto-install] WARNING: Binary "${binary}" not in approved package list — skipping auto-install`);
|
|
461
461
|
return {
|
|
462
462
|
dependency: binary,
|
|
463
463
|
type: "binary",
|
|
@@ -496,7 +496,7 @@ export class AutoInstaller {
|
|
|
496
496
|
}
|
|
497
497
|
// Third-party install not enabled — return verified instructions (NOT curl|sh hints)
|
|
498
498
|
const instructions = getVerifiedInstallInstructions(binary);
|
|
499
|
-
console.error(`[auto-install]
|
|
499
|
+
console.error(`[auto-install] WARNING: Binary "${binary}" requires third-party installation (not in standard repos).\n` +
|
|
500
500
|
` Set DEFENSE_MCP_THIRD_PARTY_INSTALL=true to enable verified auto-install.`);
|
|
501
501
|
return {
|
|
502
502
|
dependency: binary,
|
|
@@ -511,7 +511,7 @@ export class AutoInstaller {
|
|
|
511
511
|
}
|
|
512
512
|
// Check if this is a package-only dependency (e.g. PAM module, not a binary)
|
|
513
513
|
if (toolReq.isPackageOnly) {
|
|
514
|
-
console.error(`[auto-install]
|
|
514
|
+
console.error(`[auto-install] INFO: "${binary}" is a package-only dependency (e.g. PAM module), not a standalone binary. ` +
|
|
515
515
|
`Will attempt to install the package "${toolReq.packages.debian ?? toolReq.packages.fallback}".`);
|
|
516
516
|
}
|
|
517
517
|
// Check for package conflicts (e.g. ufw vs iptables-persistent)
|
|
@@ -519,7 +519,7 @@ export class AutoInstaller {
|
|
|
519
519
|
for (const conflictPkg of toolReq.conflictsWith) {
|
|
520
520
|
const checkResult = execSimple("dpkg", ["-l", conflictPkg], { timeoutMs: 10_000 });
|
|
521
521
|
if (checkResult.success && checkResult.stdout.includes("ii")) {
|
|
522
|
-
console.error(`[auto-install]
|
|
522
|
+
console.error(`[auto-install] WARNING: CONFLICT: Cannot install "${binary}" — conflicting package "${conflictPkg}" is already installed. ` +
|
|
523
523
|
`${toolReq.availabilityNote ?? ""}`);
|
|
524
524
|
return {
|
|
525
525
|
dependency: binary,
|
|
@@ -538,7 +538,7 @@ export class AutoInstaller {
|
|
|
538
538
|
toolReq.packages.fallback ??
|
|
539
539
|
"";
|
|
540
540
|
if (!packageName) {
|
|
541
|
-
console.error(`[auto-install]
|
|
541
|
+
console.error(`[auto-install] WARNING: No package mapping for binary "${binary}" on ${distro.family} — skipping`);
|
|
542
542
|
return {
|
|
543
543
|
dependency: binary,
|
|
544
544
|
type: "binary",
|
|
@@ -550,7 +550,7 @@ export class AutoInstaller {
|
|
|
550
550
|
}
|
|
551
551
|
// Validate package name for safe characters
|
|
552
552
|
if (!validatePackageName(packageName)) {
|
|
553
|
-
console.error(`[auto-install]
|
|
553
|
+
console.error(`[auto-install] WARNING: Invalid package name "${packageName}" for binary "${binary}" — skipping`);
|
|
554
554
|
return {
|
|
555
555
|
dependency: binary,
|
|
556
556
|
type: "binary",
|
|
@@ -562,7 +562,7 @@ export class AutoInstaller {
|
|
|
562
562
|
}
|
|
563
563
|
// Verify package is in the approved allowlist
|
|
564
564
|
if (!getApprovedPackages().has(packageName)) {
|
|
565
|
-
console.error(`[auto-install]
|
|
565
|
+
console.error(`[auto-install] WARNING: Package "${packageName}" not in approved allowlist — skipping`);
|
|
566
566
|
return {
|
|
567
567
|
dependency: binary,
|
|
568
568
|
type: "binary",
|
|
@@ -589,7 +589,7 @@ export class AutoInstaller {
|
|
|
589
589
|
const useSudo = distro.packageManager !== "brew";
|
|
590
590
|
const result = execWithSudo(installArgs, { useSudo, timeoutMs: 300_000 });
|
|
591
591
|
if (!result.success) {
|
|
592
|
-
console.error(`[auto-installer]
|
|
592
|
+
console.error(`[auto-installer] FAIL Failed to install '${binary}' (package: ${packageName}): ${result.stderr.slice(0, 200)}`);
|
|
593
593
|
return {
|
|
594
594
|
dependency: binary,
|
|
595
595
|
type: "binary",
|
|
@@ -606,13 +606,13 @@ export class AutoInstaller {
|
|
|
606
606
|
if (installed) {
|
|
607
607
|
const verified = verifyInstalledBinary(binary);
|
|
608
608
|
if (!verified) {
|
|
609
|
-
console.error(`[auto-installer]
|
|
609
|
+
console.error(`[auto-installer] WARNING: Binary '${binary}' installed but identity verification failed. ` +
|
|
610
610
|
`The package may be a name collision (not the expected security tool). ` +
|
|
611
611
|
`Trivy, Grype, Syft, and Cosign require third-party repositories.`);
|
|
612
612
|
}
|
|
613
613
|
}
|
|
614
614
|
if (installed) {
|
|
615
|
-
console.error(`[auto-installer]
|
|
615
|
+
console.error(`[auto-installer] OK Installed '${binary}' via ${distro.packageManager} (${elapsed}s)`);
|
|
616
616
|
// Log successful installation to the audit changelog
|
|
617
617
|
logChange(createChangeEntry({
|
|
618
618
|
tool: "auto-installer",
|
|
@@ -625,7 +625,7 @@ export class AutoInstaller {
|
|
|
625
625
|
}));
|
|
626
626
|
}
|
|
627
627
|
else {
|
|
628
|
-
console.error(`[auto-installer]
|
|
628
|
+
console.error(`[auto-installer] WARNING: Package '${packageName}' installed but binary '${binary}' not found in PATH`);
|
|
629
629
|
}
|
|
630
630
|
return {
|
|
631
631
|
dependency: binary,
|
|
@@ -651,7 +651,7 @@ export class AutoInstaller {
|
|
|
651
651
|
// Determine pip command
|
|
652
652
|
const pip = binaryAvailable("pip3") ? "pip3" : binaryAvailable("pip") ? "pip" : null;
|
|
653
653
|
if (!pip) {
|
|
654
|
-
console.error(`[auto-installer]
|
|
654
|
+
console.error(`[auto-installer] FAIL Cannot install Python module '${module}': pip not found`);
|
|
655
655
|
return {
|
|
656
656
|
dependency: module,
|
|
657
657
|
type: "python-module",
|
|
@@ -663,7 +663,7 @@ export class AutoInstaller {
|
|
|
663
663
|
}
|
|
664
664
|
// Validate module name for safe characters
|
|
665
665
|
if (!validateModuleName(module)) {
|
|
666
|
-
console.error(`[auto-install]
|
|
666
|
+
console.error(`[auto-install] WARNING: Invalid Python module name "${module}" — skipping`);
|
|
667
667
|
return {
|
|
668
668
|
dependency: module,
|
|
669
669
|
type: "python-module",
|
|
@@ -675,7 +675,7 @@ export class AutoInstaller {
|
|
|
675
675
|
}
|
|
676
676
|
// SECURITY (CORE-008): Verify pip package is in the allowed packages list
|
|
677
677
|
if (!ALLOWED_PIP_PACKAGES.has(module)) {
|
|
678
|
-
console.error(`[auto-install]
|
|
678
|
+
console.error(`[auto-install] WARNING: REJECTED: pip package "${module}" is not in the allowed packages list`);
|
|
679
679
|
return {
|
|
680
680
|
dependency: module,
|
|
681
681
|
type: "python-module",
|
|
@@ -694,7 +694,7 @@ export class AutoInstaller {
|
|
|
694
694
|
result = execWithSudo([pip, "install", module], { timeoutMs: 120_000 });
|
|
695
695
|
}
|
|
696
696
|
if (!result.success) {
|
|
697
|
-
console.error(`[auto-installer]
|
|
697
|
+
console.error(`[auto-installer] FAIL Failed to install Python module '${module}': ${result.stderr.slice(0, 200)}`);
|
|
698
698
|
return {
|
|
699
699
|
dependency: module,
|
|
700
700
|
type: "python-module",
|
|
@@ -710,7 +710,7 @@ export class AutoInstaller {
|
|
|
710
710
|
const verifyResult = execSimple(python, ["-c", `import ${importName}`], { timeoutMs: 10_000 });
|
|
711
711
|
const elapsed = ((Date.now() - start) / 1000).toFixed(1);
|
|
712
712
|
if (verifyResult.success) {
|
|
713
|
-
console.error(`[auto-installer]
|
|
713
|
+
console.error(`[auto-installer] OK Installed Python module '${module}' (${elapsed}s)`);
|
|
714
714
|
// Log successful installation to the audit changelog
|
|
715
715
|
logChange(createChangeEntry({
|
|
716
716
|
tool: "auto-installer",
|
|
@@ -723,7 +723,7 @@ export class AutoInstaller {
|
|
|
723
723
|
}));
|
|
724
724
|
}
|
|
725
725
|
else {
|
|
726
|
-
console.error(`[auto-installer]
|
|
726
|
+
console.error(`[auto-installer] WARNING: pip install succeeded for '${module}' but import verification failed`);
|
|
727
727
|
}
|
|
728
728
|
return {
|
|
729
729
|
dependency: module,
|
|
@@ -746,7 +746,7 @@ export class AutoInstaller {
|
|
|
746
746
|
async installNpmPackage(pkg) {
|
|
747
747
|
const start = Date.now();
|
|
748
748
|
if (!binaryAvailable("npm")) {
|
|
749
|
-
console.error(`[auto-installer]
|
|
749
|
+
console.error(`[auto-installer] FAIL Cannot install npm package '${pkg}': npm not found`);
|
|
750
750
|
return {
|
|
751
751
|
dependency: pkg,
|
|
752
752
|
type: "npm-package",
|
|
@@ -758,7 +758,7 @@ export class AutoInstaller {
|
|
|
758
758
|
}
|
|
759
759
|
// Validate npm package name for safe characters
|
|
760
760
|
if (!validateModuleName(pkg)) {
|
|
761
|
-
console.error(`[auto-install]
|
|
761
|
+
console.error(`[auto-install] WARNING: Invalid npm package name "${pkg}" — skipping`);
|
|
762
762
|
return {
|
|
763
763
|
dependency: pkg,
|
|
764
764
|
type: "npm-package",
|
|
@@ -770,7 +770,7 @@ export class AutoInstaller {
|
|
|
770
770
|
}
|
|
771
771
|
// SECURITY (CORE-008): Verify npm package is in the allowed packages list
|
|
772
772
|
if (!ALLOWED_NPM_PACKAGES.has(pkg)) {
|
|
773
|
-
console.error(`[auto-install]
|
|
773
|
+
console.error(`[auto-install] WARNING: REJECTED: npm package "${pkg}" is not in the allowed packages list`);
|
|
774
774
|
return {
|
|
775
775
|
dependency: pkg,
|
|
776
776
|
type: "npm-package",
|
|
@@ -790,7 +790,7 @@ export class AutoInstaller {
|
|
|
790
790
|
}
|
|
791
791
|
const elapsed = ((Date.now() - start) / 1000).toFixed(1);
|
|
792
792
|
if (!result.success) {
|
|
793
|
-
console.error(`[auto-installer]
|
|
793
|
+
console.error(`[auto-installer] FAIL Failed to install npm package '${pkg}': ${result.stderr.slice(0, 200)}`);
|
|
794
794
|
return {
|
|
795
795
|
dependency: pkg,
|
|
796
796
|
type: "npm-package",
|
|
@@ -803,11 +803,11 @@ export class AutoInstaller {
|
|
|
803
803
|
// Verify — many npm packages provide a binary with the same name
|
|
804
804
|
const installed = binaryAvailable(pkg);
|
|
805
805
|
if (installed) {
|
|
806
|
-
console.error(`[auto-installer]
|
|
806
|
+
console.error(`[auto-installer] OK Installed npm package '${pkg}' (${elapsed}s)`);
|
|
807
807
|
}
|
|
808
808
|
else {
|
|
809
809
|
// Package installed but binary might have a different name
|
|
810
|
-
console.error(`[auto-installer]
|
|
810
|
+
console.error(`[auto-installer] OK npm package '${pkg}' installed (binary may differ from package name)`);
|
|
811
811
|
}
|
|
812
812
|
// Log successful npm installation to the audit changelog
|
|
813
813
|
logChange(createChangeEntry({
|
|
@@ -860,7 +860,7 @@ export class AutoInstaller {
|
|
|
860
860
|
for (const candidate of candidates) {
|
|
861
861
|
// Validate candidate package name for safe characters
|
|
862
862
|
if (!validatePackageName(candidate)) {
|
|
863
|
-
console.error(`[auto-install]
|
|
863
|
+
console.error(`[auto-install] WARNING: Invalid library package name "${candidate}" — skipping candidate`);
|
|
864
864
|
continue;
|
|
865
865
|
}
|
|
866
866
|
const installArgs = getInstallArgs(distro.packageManager, candidate);
|
|
@@ -870,7 +870,7 @@ export class AutoInstaller {
|
|
|
870
870
|
const result = execWithSudo(installArgs, { useSudo, timeoutMs: 120_000 });
|
|
871
871
|
if (result.success) {
|
|
872
872
|
installed = true;
|
|
873
|
-
console.error(`[auto-installer]
|
|
873
|
+
console.error(`[auto-installer] OK Installed library '${lib}' (package: ${candidate})`);
|
|
874
874
|
// Log successful library installation to the audit changelog
|
|
875
875
|
logChange(createChangeEntry({
|
|
876
876
|
tool: "auto-installer",
|
|
@@ -886,7 +886,7 @@ export class AutoInstaller {
|
|
|
886
886
|
lastError = result.stderr.slice(0, 200);
|
|
887
887
|
}
|
|
888
888
|
if (!installed) {
|
|
889
|
-
console.error(`[auto-installer]
|
|
889
|
+
console.error(`[auto-installer] FAIL Failed to install library '${lib}': ${lastError}`);
|
|
890
890
|
return {
|
|
891
891
|
dependency: lib,
|
|
892
892
|
type: "library",
|
|
@@ -900,10 +900,10 @@ export class AutoInstaller {
|
|
|
900
900
|
const verified = this.verifyLibrary(lib);
|
|
901
901
|
const elapsed = ((Date.now() - start) / 1000).toFixed(1);
|
|
902
902
|
if (verified) {
|
|
903
|
-
console.error(`[auto-installer]
|
|
903
|
+
console.error(`[auto-installer] OK Library '${lib}' verified (${elapsed}s)`);
|
|
904
904
|
}
|
|
905
905
|
else {
|
|
906
|
-
console.error(`[auto-installer]
|
|
906
|
+
console.error(`[auto-installer] WARNING: Library package installed but '${lib}' not found via ldconfig/pkg-config`);
|
|
907
907
|
}
|
|
908
908
|
return {
|
|
909
909
|
dependency: lib,
|
|
@@ -880,7 +880,7 @@ export async function verifyAllBinaries() {
|
|
|
880
880
|
}
|
|
881
881
|
else {
|
|
882
882
|
warnings++;
|
|
883
|
-
console.error(`[binary-integrity]
|
|
883
|
+
console.error(`[binary-integrity] WARNING: ${result.message}`);
|
|
884
884
|
}
|
|
885
885
|
}
|
|
886
886
|
console.error(`[binary-integrity] Checked ${results.length} critical binaries: ` +
|
package/build/core/config.d.ts
CHANGED
|
@@ -59,6 +59,22 @@ export interface DefenseConfig {
|
|
|
59
59
|
commandTimeout: number;
|
|
60
60
|
/** Network operation timeout in ms (default: 30s; env: DEFENSE_MCP_NETWORK_TIMEOUT) */
|
|
61
61
|
networkTimeout: number;
|
|
62
|
+
/**
|
|
63
|
+
* SECURITY: Redact sensitive data (passwords, tokens, keys) from command
|
|
64
|
+
* output before returning to the LLM. Defaults to `true`.
|
|
65
|
+
* Env: DEFENSE_MCP_REDACT_OUTPUT (set to "false" to disable)
|
|
66
|
+
*/
|
|
67
|
+
redactOutput: boolean;
|
|
68
|
+
/**
|
|
69
|
+
* When true, only register tools with readOnlyHint: true annotations.
|
|
70
|
+
* Env: DEFENSE_MCP_READ_ONLY (default: false)
|
|
71
|
+
*/
|
|
72
|
+
readOnly: boolean;
|
|
73
|
+
/**
|
|
74
|
+
* Comma-separated list of tool names to register. Empty means all tools.
|
|
75
|
+
* Env: DEFENSE_MCP_ALLOWED_TOOLS (default: "")
|
|
76
|
+
*/
|
|
77
|
+
allowedTools: string[];
|
|
62
78
|
}
|
|
63
79
|
/**
|
|
64
80
|
* Returns the current configuration by reading environment variables.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uGAAuG;IACvG,cAAc,EAAE,MAAM,CAAC;IACvB,uFAAuF;IACvF,cAAc,EAAE,MAAM,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uGAAuG;IACvG,cAAc,EAAE,MAAM,CAAC;IACvB,uFAAuF;IACvF,cAAc,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,YAAY,EAAE,OAAO,CAAC;IACtB;;;OAGG;IACH,QAAQ,EAAE,OAAO,CAAC;IAClB;;;OAGG;IACH,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;AA8FD;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAIR;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAkBR"}
|
package/build/core/config.js
CHANGED
|
@@ -168,6 +168,12 @@ function buildConfigFromEnv() {
|
|
|
168
168
|
const sec = parseInt(process.env.DEFENSE_MCP_NETWORK_TIMEOUT ?? "30", 10);
|
|
169
169
|
return isNaN(sec) || sec <= 0 ? 30_000 : sec * 1000;
|
|
170
170
|
})(),
|
|
171
|
+
redactOutput: process.env.DEFENSE_MCP_REDACT_OUTPUT !== "false",
|
|
172
|
+
readOnly: process.env.DEFENSE_MCP_READ_ONLY === "true",
|
|
173
|
+
allowedTools: (() => {
|
|
174
|
+
const raw = process.env.DEFENSE_MCP_ALLOWED_TOOLS ?? "";
|
|
175
|
+
return raw.split(",").map(s => s.trim()).filter(s => s.length > 0);
|
|
176
|
+
})(),
|
|
171
177
|
};
|
|
172
178
|
// Warn when dry-run is active so operators know no changes will be applied
|
|
173
179
|
if (config.dryRun) {
|
|
@@ -162,7 +162,7 @@ export async function validateAllDependencies() {
|
|
|
162
162
|
if (recheck.available) {
|
|
163
163
|
installed.push(binary);
|
|
164
164
|
available.push(binary);
|
|
165
|
-
console.error(`[dep-validator]
|
|
165
|
+
console.error(`[dep-validator] Installed: ${binary}`);
|
|
166
166
|
}
|
|
167
167
|
else {
|
|
168
168
|
missing.push(binary);
|
|
@@ -170,7 +170,7 @@ export async function validateAllDependencies() {
|
|
|
170
170
|
binary,
|
|
171
171
|
error: "Package installed but binary not found in PATH",
|
|
172
172
|
});
|
|
173
|
-
console.error(`[dep-validator]
|
|
173
|
+
console.error(`[dep-validator] WARNING: Package installed but binary '${binary}' not found`);
|
|
174
174
|
}
|
|
175
175
|
}
|
|
176
176
|
else {
|
|
@@ -179,7 +179,7 @@ export async function validateAllDependencies() {
|
|
|
179
179
|
binary,
|
|
180
180
|
error: result?.message ?? "No package mapping found",
|
|
181
181
|
});
|
|
182
|
-
console.error(`[dep-validator]
|
|
182
|
+
console.error(`[dep-validator] Failed to install: ${binary}`);
|
|
183
183
|
}
|
|
184
184
|
}
|
|
185
185
|
}
|
|
@@ -212,7 +212,7 @@ export async function validateAllDependencies() {
|
|
|
212
212
|
(installed.length > 0 ? `, ${installed.length} auto-installed` : "") +
|
|
213
213
|
(installFailed.length > 0 ? `, ${installFailed.length} install failures` : ""));
|
|
214
214
|
if (criticalMissing.length > 0) {
|
|
215
|
-
console.error(`[dep-validator]
|
|
215
|
+
console.error(`[dep-validator] WARNING: CRITICAL: ${criticalMissing.length} critical tools have missing dependencies:`);
|
|
216
216
|
for (const cm of criticalMissing) {
|
|
217
217
|
console.error(`[dep-validator] - ${cm.toolName}: needs ${cm.missingBinaries.join(", ")}`);
|
|
218
218
|
}
|
|
@@ -340,13 +340,13 @@ export function formatValidationReport(report) {
|
|
|
340
340
|
if (report.installed.length > 0) {
|
|
341
341
|
lines.push(` Auto-installed: ${report.installed.length}`);
|
|
342
342
|
for (const bin of report.installed) {
|
|
343
|
-
lines.push(`
|
|
343
|
+
lines.push(` PASS: ${bin}`);
|
|
344
344
|
}
|
|
345
345
|
}
|
|
346
346
|
if (report.installFailed.length > 0) {
|
|
347
347
|
lines.push(` Install failures: ${report.installFailed.length}`);
|
|
348
348
|
for (const fail of report.installFailed) {
|
|
349
|
-
lines.push(`
|
|
349
|
+
lines.push(` ${fail.binary}: ${fail.error}`);
|
|
350
350
|
}
|
|
351
351
|
}
|
|
352
352
|
if (report.missing.length > 0) {
|
|
@@ -360,15 +360,15 @@ export function formatValidationReport(report) {
|
|
|
360
360
|
}
|
|
361
361
|
if (report.criticalMissing.length > 0) {
|
|
362
362
|
lines.push("");
|
|
363
|
-
lines.push("
|
|
363
|
+
lines.push(" WARNING: CRITICAL tools with missing dependencies:");
|
|
364
364
|
for (const cm of report.criticalMissing) {
|
|
365
|
-
lines.push(`
|
|
365
|
+
lines.push(` CRITICAL: ${cm.toolName}: needs ${cm.missingBinaries.join(", ")}`);
|
|
366
366
|
}
|
|
367
367
|
}
|
|
368
368
|
lines.push("");
|
|
369
369
|
lines.push(` Auto-install: ${report.autoInstallEnabled ? "ENABLED" : "DISABLED"}`);
|
|
370
370
|
if (!report.autoInstallEnabled && report.missing.length > 0) {
|
|
371
|
-
lines.push("
|
|
371
|
+
lines.push(" Set DEFENSE_MCP_AUTO_INSTALL=true to auto-install missing tools");
|
|
372
372
|
}
|
|
373
373
|
lines.push(` Duration: ${report.durationMs}ms`);
|
|
374
374
|
return lines.join("\n");
|
|
@@ -169,9 +169,4 @@ export declare class DistroAdapter {
|
|
|
169
169
|
* Subsequent calls return the cached instance.
|
|
170
170
|
*/
|
|
171
171
|
export declare function getDistroAdapter(): Promise<DistroAdapter>;
|
|
172
|
-
/**
|
|
173
|
-
* Returns the cached adapter if already initialized, or null.
|
|
174
|
-
* Use when you can't await (synchronous contexts).
|
|
175
|
-
*/
|
|
176
|
-
export declare function getDistroAdapterSync(): DistroAdapter | null;
|
|
177
172
|
//# sourceMappingURL=distro-adapter.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"distro-adapter.d.ts","sourceRoot":"","sources":["../../src/core/distro-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAKL,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC7B,MAAM,aAAa,CAAC;AAIrB,mDAAmD;AACnD,MAAM,WAAW,WAAW;IAC1B,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,yBAAyB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,+DAA+D;IAC/D,gBAAgB,EAAE,MAAM,CAAC;IACzB,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,uCAAuC;IACvC,yBAAyB,EAAE,MAAM,CAAC;IAClC,gCAAgC;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,6CAA6C;AAC7C,MAAM,WAAW,oBAAoB;IACnC,8CAA8C;IAC9C,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,8CAA8C;IAC9C,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC3C,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,uCAAuC;AACvC,MAAM,WAAW,gBAAgB;IAC/B,wDAAwD;IACxD,SAAS,EAAE,OAAO,CAAC;IACnB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACnC,kCAAkC;IAClC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,sDAAsD;IACtD,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC3C,8BAA8B;IAC9B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gCAAgC;IAChC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,iCAAiC;IACjC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,6BAA6B;IAC7B,YAAY,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IACxC,+BAA+B;IAC/B,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IACrC,+CAA+C;IAC/C,cAAc,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC1C,qCAAqC;IACrC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,wCAAwC;IACxC,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,qCAAqC;AACrC,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,8CAA8C;IAC9C,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,yBAAyB;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,8BAA8B;IAC9B,aAAa,EAAE,MAAM,CAAC;CACvB;AAID,qBAAa,aAAa;IACxB,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,GAAG,EAAE,sBAAsB,CAAC;IACrC,QAAQ,CAAC,GAAG,EAAE,sBAAsB,CAAC;IACrC,QAAQ,CAAC,EAAE,EAAE,uBAAuB,CAAC;IACrC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,oBAAoB,CAAC;IACzC,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,oBAAoB,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,yBAAyB,CAAC;gBAGhD,MAAM,EAAE,UAAU,EAClB,GAAG,EAAE,sBAAsB,EAC3B,GAAG,EAAE,sBAAsB,EAC3B,EAAE,EAAE,uBAAuB;IAa7B,0DAA0D;IAC1D,IAAI,OAAO,IAAI,MAAM,CAMpB;IAED,iDAAiD;IACjD,IAAI,QAAQ,IAAI,OAAO,CAA4C;IAEnE,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,2CAA2C;IAC3C,IAAI,QAAQ,IAAI,OAAO,CAA4C;IAEnE,oFAAoF;IACpF,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;IAK5D,mFAAmF;IACnF,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;CAI5D;AA0ZD;;;;GAIG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,aAAa,CAAC,CAa/D
|
|
1
|
+
{"version":3,"file":"distro-adapter.d.ts","sourceRoot":"","sources":["../../src/core/distro-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAKL,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC7B,MAAM,aAAa,CAAC;AAIrB,mDAAmD;AACnD,MAAM,WAAW,WAAW;IAC1B,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,yBAAyB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,+DAA+D;IAC/D,gBAAgB,EAAE,MAAM,CAAC;IACzB,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,uCAAuC;IACvC,yBAAyB,EAAE,MAAM,CAAC;IAClC,gCAAgC;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,6CAA6C;AAC7C,MAAM,WAAW,oBAAoB;IACnC,8CAA8C;IAC9C,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,8CAA8C;IAC9C,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC3C,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,uCAAuC;AACvC,MAAM,WAAW,gBAAgB;IAC/B,wDAAwD;IACxD,SAAS,EAAE,OAAO,CAAC;IACnB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACnC,kCAAkC;IAClC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,sDAAsD;IACtD,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC3C,8BAA8B;IAC9B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gCAAgC;IAChC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,iCAAiC;IACjC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,6BAA6B;IAC7B,YAAY,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IACxC,+BAA+B;IAC/B,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IACrC,+CAA+C;IAC/C,cAAc,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAC1C,qCAAqC;IACrC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,wCAAwC;IACxC,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,qCAAqC;AACrC,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,8CAA8C;IAC9C,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,yBAAyB;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,8BAA8B;IAC9B,aAAa,EAAE,MAAM,CAAC;CACvB;AAID,qBAAa,aAAa;IACxB,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,GAAG,EAAE,sBAAsB,CAAC;IACrC,QAAQ,CAAC,GAAG,EAAE,sBAAsB,CAAC;IACrC,QAAQ,CAAC,EAAE,EAAE,uBAAuB,CAAC;IACrC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,oBAAoB,CAAC;IACzC,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,oBAAoB,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,yBAAyB,CAAC;gBAGhD,MAAM,EAAE,UAAU,EAClB,GAAG,EAAE,sBAAsB,EAC3B,GAAG,EAAE,sBAAsB,EAC3B,EAAE,EAAE,uBAAuB;IAa7B,0DAA0D;IAC1D,IAAI,OAAO,IAAI,MAAM,CAMpB;IAED,iDAAiD;IACjD,IAAI,QAAQ,IAAI,OAAO,CAA4C;IAEnE,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,+CAA+C;IAC/C,IAAI,MAAM,IAAI,OAAO,CAA0C;IAE/D,2CAA2C;IAC3C,IAAI,QAAQ,IAAI,OAAO,CAA4C;IAEnE,oFAAoF;IACpF,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;IAK5D,mFAAmF;IACnF,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;CAI5D;AA0ZD;;;;GAIG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,aAAa,CAAC,CAa/D"}
|
|
@@ -472,10 +472,3 @@ export async function getDistroAdapter() {
|
|
|
472
472
|
console.error(`[distro-adapter] Initialized: ${cachedAdapter.summary}`);
|
|
473
473
|
return cachedAdapter;
|
|
474
474
|
}
|
|
475
|
-
/**
|
|
476
|
-
* Returns the cached adapter if already initialized, or null.
|
|
477
|
-
* Use when you can't await (synchronous contexts).
|
|
478
|
-
*/
|
|
479
|
-
export function getDistroAdapterSync() {
|
|
480
|
-
return cachedAdapter;
|
|
481
|
-
}
|
package/build/core/distro.d.ts
CHANGED
|
@@ -8,8 +8,6 @@ export type DistroFamily = "debian" | "rhel" | "arch" | "alpine" | "suse" | "unk
|
|
|
8
8
|
export type SpecificDistro = "debian" | "ubuntu" | "kali" | "fedora" | "rhel" | "centos" | "arch" | "alpine" | "opensuse" | "macos" | "unknown";
|
|
9
9
|
/** Package manager identifiers (extended with brew). */
|
|
10
10
|
export type PackageManagerName = "apt" | "dnf" | "yum" | "pacman" | "brew" | "apk" | "zypper" | "unknown";
|
|
11
|
-
/** @deprecated Use PackageManagerName. Kept for backwards compatibility. */
|
|
12
|
-
export type PackageManager = PackageManagerName;
|
|
13
11
|
export type InitSystem = "systemd" | "openrc" | "launchd" | "sysvinit" | "unknown";
|
|
14
12
|
export interface PackageManagerCommands {
|
|
15
13
|
installCmd(pkg: string): string[];
|
|
@@ -52,15 +50,6 @@ export declare function detectDistro(): Promise<DistroInfo>;
|
|
|
52
50
|
export declare function getPackageManager(nameOrDistro?: string): PackageManagerCommands;
|
|
53
51
|
export declare function getServiceManager(initSystem?: InitSystem): ServiceManagerCommands;
|
|
54
52
|
export declare function getFirewallBackend(): Promise<FirewallBackendCommands>;
|
|
55
|
-
export declare function canUseAppArmor(): Promise<boolean>;
|
|
56
|
-
export declare function canUseSELinux(): Promise<boolean>;
|
|
57
|
-
export declare function canUseAuditd(): Promise<boolean>;
|
|
58
|
-
export declare function canUseSystemd(): Promise<boolean>;
|
|
59
|
-
export declare function canUseIPTables(): Promise<boolean>;
|
|
60
|
-
export declare function canUseNFTables(): Promise<boolean>;
|
|
61
|
-
export declare function canUseBPF(): Promise<boolean>;
|
|
62
|
-
export declare function hasTPM(): Promise<boolean>;
|
|
63
|
-
export declare function hasSecureBoot(): Promise<boolean>;
|
|
64
53
|
/** @deprecated Prefer getPackageManager(pkgManager).installCmd(pkg) */
|
|
65
54
|
export declare function getInstallCommand(pkgManager: PackageManagerName, pkg: string): string[];
|
|
66
55
|
/** @deprecated Prefer getPackageManager(pkgManager).updateCmd() */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"distro.d.ts","sourceRoot":"","sources":["../../src/core/distro.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,KAAK,CAAC;AAIlD,6CAA6C;AAC7C,MAAM,MAAM,YAAY,GACpB,QAAQ,GACR,MAAM,GACN,MAAM,GACN,QAAQ,GACR,MAAM,GACN,SAAS,CAAC;AAId,MAAM,MAAM,cAAc,GACtB,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAC3D,MAAM,GAAG,QAAQ,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,CAAC;AAIzD,wDAAwD;AACxD,MAAM,MAAM,kBAAkB,GAC1B,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"distro.d.ts","sourceRoot":"","sources":["../../src/core/distro.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,KAAK,CAAC;AAIlD,6CAA6C;AAC7C,MAAM,MAAM,YAAY,GACpB,QAAQ,GACR,MAAM,GACN,MAAM,GACN,QAAQ,GACR,MAAM,GACN,SAAS,CAAC;AAId,MAAM,MAAM,cAAc,GACtB,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAC3D,MAAM,GAAG,QAAQ,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,CAAC;AAIzD,wDAAwD;AACxD,MAAM,MAAM,kBAAkB,GAC1B,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;AAK7E,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;AAInF,MAAM,WAAW,sBAAsB;IACrC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,SAAS,IAAI,MAAM,EAAE,CAAC;IACtB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,gBAAgB,IAAI,MAAM,EAAE,CAAC;CAC9B;AAID,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAChC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC/B,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,eAAe,IAAI,MAAM,EAAE,CAAC;CAC7B;AAID,MAAM,MAAM,mBAAmB,GAC3B,UAAU,GAAG,UAAU,GAAG,KAAK,GAAG,WAAW,GAAG,IAAI,GAAG,SAAS,CAAC;AAErE,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,mBAAmB,CAAC;IACnC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjD,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAChD,OAAO,IAAI,MAAM,EAAE,CAAC;IACpB,QAAQ,IAAI,MAAM,EAAE,CAAC;CACtB;AAID,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,cAAc,EAAE,cAAc,CAAC;IAC/B,MAAM,EAAE,YAAY,CAAC;IACrB,cAAc,EAAE,kBAAkB,CAAC;IACnC,UAAU,EAAE,UAAU,CAAC;IACvB,YAAY,EAAE,OAAO,CAAC;IACtB,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;IACpB,WAAW,EAAE,OAAO,CAAC;CACtB;AAgFD,wBAAsB,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC,CAmHxD;AAID,wBAAgB,iBAAiB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,sBAAsB,CA4D/E;AA4BD,wBAAgB,iBAAiB,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,sBAAsB,CAoCjF;AAmDD,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,uBAAuB,CAAC,CAc3E;AAID,uEAAuE;AACvE,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,kBAAkB,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAEvF;AAED,mEAAmE;AACnE,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,kBAAkB,GAAG,MAAM,EAAE,CAEzE"}
|
package/build/core/distro.js
CHANGED
|
@@ -398,54 +398,6 @@ export async function getFirewallBackend() {
|
|
|
398
398
|
return buildFirewallBackend("pf");
|
|
399
399
|
return buildFirewallBackend("unknown");
|
|
400
400
|
}
|
|
401
|
-
// ── Capability detection ─────────────────────────────────────────────────────
|
|
402
|
-
async function safeCap(fn) {
|
|
403
|
-
try {
|
|
404
|
-
return await fn();
|
|
405
|
-
}
|
|
406
|
-
catch {
|
|
407
|
-
return false;
|
|
408
|
-
}
|
|
409
|
-
}
|
|
410
|
-
async function fileReadable(path) {
|
|
411
|
-
try {
|
|
412
|
-
await readFile(path, "utf-8");
|
|
413
|
-
return true;
|
|
414
|
-
}
|
|
415
|
-
catch {
|
|
416
|
-
return false;
|
|
417
|
-
}
|
|
418
|
-
}
|
|
419
|
-
export async function canUseAppArmor() {
|
|
420
|
-
return safeCap(async () => (await binaryExists("apparmor_status")) || (await fileReadable("/sys/kernel/security/apparmor")));
|
|
421
|
-
}
|
|
422
|
-
export async function canUseSELinux() {
|
|
423
|
-
return safeCap(async () => (await binaryExists("getenforce")) || (await fileReadable("/sys/fs/selinux")));
|
|
424
|
-
}
|
|
425
|
-
export async function canUseAuditd() {
|
|
426
|
-
return safeCap(() => binaryExists("auditctl"));
|
|
427
|
-
}
|
|
428
|
-
export async function canUseSystemd() {
|
|
429
|
-
return safeCap(async () => existsSync("/run/systemd/system"));
|
|
430
|
-
}
|
|
431
|
-
export async function canUseIPTables() {
|
|
432
|
-
return safeCap(() => binaryExists("iptables"));
|
|
433
|
-
}
|
|
434
|
-
export async function canUseNFTables() {
|
|
435
|
-
return safeCap(() => binaryExists("nft"));
|
|
436
|
-
}
|
|
437
|
-
export async function canUseBPF() {
|
|
438
|
-
return safeCap(async () => (await binaryExists("bpftool")) || existsSync("/sys/fs/bpf"));
|
|
439
|
-
}
|
|
440
|
-
export async function hasTPM() {
|
|
441
|
-
return safeCap(async () => existsSync("/dev/tpm0") || existsSync("/dev/tpmrm0"));
|
|
442
|
-
}
|
|
443
|
-
export async function hasSecureBoot() {
|
|
444
|
-
return safeCap(async () => {
|
|
445
|
-
const r = await executeCommand({ toolName: "_internal", command: "mokutil", args: ["--sb-state"], timeout: 5000 });
|
|
446
|
-
return r.exitCode === 0 && r.stdout.toLowerCase().includes("secureboot enabled");
|
|
447
|
-
});
|
|
448
|
-
}
|
|
449
401
|
// ── Legacy helpers (backwards compatibility) ─────────────────────────────────
|
|
450
402
|
/** @deprecated Prefer getPackageManager(pkgManager).installCmd(pkg) */
|
|
451
403
|
export function getInstallCommand(pkgManager, pkg) {
|
|
@@ -66,11 +66,4 @@ export declare class SecureStateStore {
|
|
|
66
66
|
*/
|
|
67
67
|
private decrypt;
|
|
68
68
|
}
|
|
69
|
-
/**
|
|
70
|
-
* Default singleton SecureStateStore instance.
|
|
71
|
-
*
|
|
72
|
-
* Uses the default state directory and reads the encryption key from
|
|
73
|
-
* the `DEFENSE_MCP_STATE_KEY` environment variable.
|
|
74
|
-
*/
|
|
75
|
-
export declare const secureState: SecureStateStore;
|
|
76
69
|
//# sourceMappingURL=encrypted-state.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"encrypted-state.d.ts","sourceRoot":"","sources":["../../src/core/encrypted-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA4DH;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IAEvC;;;;OAIG;gBACS,QAAQ,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM;IAwB9C;;OAEG;IACH,IAAI,SAAS,IAAI,OAAO,CAEvB;IAED;;;;;OAKG;IACH,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAmBpC;;;;;OAKG;IACH,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAiB/B;;;;OAIG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAcxB,+CAA+C;IAC/C,OAAO,CAAC,QAAQ;IAMhB,iEAAiE;IACjE,OAAO,CAAC,cAAc;IAOtB,wDAAwD;IACxD,OAAO,CAAC,SAAS;IAajB;;;OAGG;IACH,OAAO,CAAC,OAAO;IAgBf;;;OAGG;IACH,OAAO,CAAC,OAAO;CAoChB
|
|
1
|
+
{"version":3,"file":"encrypted-state.d.ts","sourceRoot":"","sources":["../../src/core/encrypted-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA4DH;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IAEvC;;;;OAIG;gBACS,QAAQ,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM;IAwB9C;;OAEG;IACH,IAAI,SAAS,IAAI,OAAO,CAEvB;IAED;;;;;OAKG;IACH,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAmBpC;;;;;OAKG;IACH,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAiB/B;;;;OAIG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAcxB,+CAA+C;IAC/C,OAAO,CAAC,QAAQ;IAMhB,iEAAiE;IACjE,OAAO,CAAC,cAAc;IAOtB,wDAAwD;IACxD,OAAO,CAAC,SAAS;IAajB;;;OAGG;IACH,OAAO,CAAC,OAAO;IAgBf;;;OAGG;IACH,OAAO,CAAC,OAAO;CAoChB"}
|
|
@@ -200,10 +200,3 @@ export class SecureStateStore {
|
|
|
200
200
|
}
|
|
201
201
|
}
|
|
202
202
|
// ── Singleton Export ─────────────────────────────────────────────────────────
|
|
203
|
-
/**
|
|
204
|
-
* Default singleton SecureStateStore instance.
|
|
205
|
-
*
|
|
206
|
-
* Uses the default state directory and reads the encryption key from
|
|
207
|
-
* the `DEFENSE_MCP_STATE_KEY` environment variable.
|
|
208
|
-
*/
|
|
209
|
-
export const secureState = new SecureStateStore();
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/core/executor.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/core/executor.ts"],"names":[],"mappings":"AAmFA;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA0FD;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CAoPxB"}
|
package/build/core/executor.js
CHANGED
|
@@ -6,6 +6,7 @@ import { getConfig, getToolTimeout } from "./config.js";
|
|
|
6
6
|
import { SudoSession } from "./sudo-session.js";
|
|
7
7
|
import { SudoGuard } from "./sudo-guard.js";
|
|
8
8
|
import { resolveCommand, resolveSudoCommand } from "./command-allowlist.js";
|
|
9
|
+
import { redactOutput } from "./output-redactor.js";
|
|
9
10
|
// ── Askpass helper detection ─────────────────────────────────────────────────
|
|
10
11
|
/**
|
|
11
12
|
* Ordered list of known graphical sudo/SSH askpass helpers.
|
|
@@ -328,6 +329,18 @@ export async function executeCommand(options) {
|
|
|
328
329
|
const exitCode = timedOut ? 124 : (code ?? 1);
|
|
329
330
|
let stdout = Buffer.concat(stdoutChunks).toString("utf-8");
|
|
330
331
|
let stderr = Buffer.concat(stderrChunks).toString("utf-8");
|
|
332
|
+
// ── Output sanitization: redact credentials before returning to LLM ──
|
|
333
|
+
if (getConfig().redactOutput) {
|
|
334
|
+
const stdoutR = redactOutput(stdout);
|
|
335
|
+
const stderrR = redactOutput(stderr);
|
|
336
|
+
stdout = stdoutR.text;
|
|
337
|
+
stderr = stderrR.text;
|
|
338
|
+
const total = stdoutR.redactionCount + stderrR.redactionCount;
|
|
339
|
+
if (total > 0) {
|
|
340
|
+
const patterns = [...new Set([...stdoutR.matchedPatterns, ...stderrR.matchedPatterns])];
|
|
341
|
+
console.error(`[output-redactor] Redacted ${total} sensitive pattern(s) from '${options.toolName}': ${patterns.join(", ")}`);
|
|
342
|
+
}
|
|
343
|
+
}
|
|
331
344
|
if (stdoutCapped) {
|
|
332
345
|
stdout += "\n[OUTPUT TRUNCATED - exceeded max buffer]";
|
|
333
346
|
}
|
package/build/core/logger.js
CHANGED
|
@@ -99,7 +99,7 @@ export class Logger {
|
|
|
99
99
|
}
|
|
100
100
|
catch {
|
|
101
101
|
// Fall back to stderr-only if directory creation fails
|
|
102
|
-
process.stderr.write(`[logger]
|
|
102
|
+
process.stderr.write(`[logger] Cannot create log directory for ${this.logFile}, falling back to stderr-only\n`);
|
|
103
103
|
this.logFile = null;
|
|
104
104
|
}
|
|
105
105
|
}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* output-redactor.ts — Post-execution output sanitization.
|
|
3
|
+
*
|
|
4
|
+
* Scans command stdout/stderr for sensitive data patterns and replaces
|
|
5
|
+
* them with [REDACTED] before returning results to the LLM.
|
|
6
|
+
*
|
|
7
|
+
* SECURITY: Over-redacting is preferred to under-redacting.
|
|
8
|
+
*
|
|
9
|
+
* @module output-redactor
|
|
10
|
+
*/
|
|
11
|
+
export interface RedactionResult {
|
|
12
|
+
/** The sanitized text */
|
|
13
|
+
text: string;
|
|
14
|
+
/** Number of redactions applied */
|
|
15
|
+
redactionCount: number;
|
|
16
|
+
/** Labels of patterns that matched */
|
|
17
|
+
matchedPatterns: string[];
|
|
18
|
+
}
|
|
19
|
+
/**
|
|
20
|
+
* Redact sensitive data from command output.
|
|
21
|
+
*
|
|
22
|
+
* @param text - Raw stdout or stderr text
|
|
23
|
+
* @returns Sanitized text with redaction metadata
|
|
24
|
+
*/
|
|
25
|
+
export declare function redactOutput(text: string): RedactionResult;
|
|
26
|
+
//# sourceMappingURL=output-redactor.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"output-redactor.d.ts","sourceRoot":"","sources":["../../src/core/output-redactor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmFH,MAAM,WAAW,eAAe;IAC9B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,sCAAsC;IACtC,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAmB1D"}
|