npm - dravix-agent - Versions diffs - 0.1.0 - Mend

dravix-agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (208) hide show

package/.claude/settings.example.json +30 -0
package/ARCHITECTURE.md +410 -0
package/LICENSE +21 -0
package/README.md +153 -0
package/ROADMAP.md +117 -0
package/data/vulnkb.json +666 -0
package/dist/bin/aegis.d.ts +3 -0
package/dist/bin/aegis.d.ts.map +1 -0
package/dist/bin/aegis.js +489 -0
package/dist/bin/aegis.js.map +1 -0
package/dist/cache.d.ts +9 -0
package/dist/cache.d.ts.map +1 -0
package/dist/cache.js +146 -0
package/dist/cache.js.map +1 -0
package/dist/engines/ai-sinks.d.ts +52 -0
package/dist/engines/ai-sinks.d.ts.map +1 -0
package/dist/engines/ai-sinks.js +204 -0
package/dist/engines/ai-sinks.js.map +1 -0
package/dist/engines/eslint.d.ts +9 -0
package/dist/engines/eslint.d.ts.map +1 -0
package/dist/engines/eslint.js +245 -0
package/dist/engines/eslint.js.map +1 -0
package/dist/engines/joern.d.ts +3 -0
package/dist/engines/joern.d.ts.map +1 -0
package/dist/engines/joern.js +98 -0
package/dist/engines/joern.js.map +1 -0
package/dist/engines/js-sinks.d.ts +70 -0
package/dist/engines/js-sinks.d.ts.map +1 -0
package/dist/engines/js-sinks.js +370 -0
package/dist/engines/js-sinks.js.map +1 -0
package/dist/engines/llm-critic.d.ts +130 -0
package/dist/engines/llm-critic.d.ts.map +1 -0
package/dist/engines/llm-critic.js +551 -0
package/dist/engines/llm-critic.js.map +1 -0
package/dist/engines/pragma.d.ts +20 -0
package/dist/engines/pragma.d.ts.map +1 -0
package/dist/engines/pragma.js +83 -0
package/dist/engines/pragma.js.map +1 -0
package/dist/engines/property-test.d.ts +3 -0
package/dist/engines/property-test.d.ts.map +1 -0
package/dist/engines/property-test.js +134 -0
package/dist/engines/property-test.js.map +1 -0
package/dist/engines/pyright.d.ts +10 -0
package/dist/engines/pyright.d.ts.map +1 -0
package/dist/engines/pyright.js +143 -0
package/dist/engines/pyright.js.map +1 -0
package/dist/engines/pysa.d.ts +3 -0
package/dist/engines/pysa.d.ts.map +1 -0
package/dist/engines/pysa.js +83 -0
package/dist/engines/pysa.js.map +1 -0
package/dist/engines/python-sinks.d.ts +82 -0
package/dist/engines/python-sinks.d.ts.map +1 -0
package/dist/engines/python-sinks.js +459 -0
package/dist/engines/python-sinks.js.map +1 -0
package/dist/engines/registry.d.ts +26 -0
package/dist/engines/registry.d.ts.map +1 -0
package/dist/engines/registry.js +70 -0
package/dist/engines/registry.js.map +1 -0
package/dist/engines/secret-scan.d.ts +22 -0
package/dist/engines/secret-scan.d.ts.map +1 -0
package/dist/engines/secret-scan.js +179 -0
package/dist/engines/secret-scan.js.map +1 -0
package/dist/engines/semgrep.d.ts +10 -0
package/dist/engines/semgrep.d.ts.map +1 -0
package/dist/engines/semgrep.js +200 -0
package/dist/engines/semgrep.js.map +1 -0
package/dist/engines/treesitter.d.ts +18 -0
package/dist/engines/treesitter.d.ts.map +1 -0
package/dist/engines/treesitter.js +135 -0
package/dist/engines/treesitter.js.map +1 -0
package/dist/engines/tsc.d.ts +10 -0
package/dist/engines/tsc.d.ts.map +1 -0
package/dist/engines/tsc.js +142 -0
package/dist/engines/tsc.js.map +1 -0
package/dist/engines/types.d.ts +47 -0
package/dist/engines/types.d.ts.map +1 -0
package/dist/engines/types.js +27 -0
package/dist/engines/types.js.map +1 -0
package/dist/findings.d.ts +121 -0
package/dist/findings.d.ts.map +1 -0
package/dist/findings.js +98 -0
package/dist/findings.js.map +1 -0
package/dist/hooks/claude-code.d.ts +3 -0
package/dist/hooks/claude-code.d.ts.map +1 -0
package/dist/hooks/claude-code.js +187 -0
package/dist/hooks/claude-code.js.map +1 -0
package/dist/index/context.d.ts +127 -0
package/dist/index/context.d.ts.map +1 -0
package/dist/index/context.js +267 -0
package/dist/index/context.js.map +1 -0
package/dist/index/embeddings.d.ts +68 -0
package/dist/index/embeddings.d.ts.map +1 -0
package/dist/index/embeddings.js +570 -0
package/dist/index/embeddings.js.map +1 -0
package/dist/index/graph_routing.d.ts +36 -0
package/dist/index/graph_routing.d.ts.map +1 -0
package/dist/index/graph_routing.js +170 -0
package/dist/index/graph_routing.js.map +1 -0
package/dist/index/joern.d.ts +76 -0
package/dist/index/joern.d.ts.map +1 -0
package/dist/index/joern.js +782 -0
package/dist/index/joern.js.map +1 -0
package/dist/index/property-test.d.ts +88 -0
package/dist/index/property-test.d.ts.map +1 -0
package/dist/index/property-test.js +466 -0
package/dist/index/property-test.js.map +1 -0
package/dist/index/proto/scip.proto +897 -0
package/dist/index/pysa.d.ts +91 -0
package/dist/index/pysa.d.ts.map +1 -0
package/dist/index/pysa.js +617 -0
package/dist/index/pysa.js.map +1 -0
package/dist/index/scip.d.ts +76 -0
package/dist/index/scip.d.ts.map +1 -0
package/dist/index/scip.js +541 -0
package/dist/index/scip.js.map +1 -0
package/dist/index/vulrag.d.ts +86 -0
package/dist/index/vulrag.d.ts.map +1 -0
package/dist/index/vulrag.js +242 -0
package/dist/index/vulrag.js.map +1 -0
package/dist/index.d.ts +9 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +8 -0
package/dist/index.js.map +1 -0
package/dist/install/claude-code.d.ts +31 -0
package/dist/install/claude-code.d.ts.map +1 -0
package/dist/install/claude-code.js +447 -0
package/dist/install/claude-code.js.map +1 -0
package/dist/lang.d.ts +5 -0
package/dist/lang.d.ts.map +1 -0
package/dist/lang.js +52 -0
package/dist/lang.js.map +1 -0
package/dist/learning/suppressions.d.ts +70 -0
package/dist/learning/suppressions.d.ts.map +1 -0
package/dist/learning/suppressions.js +179 -0
package/dist/learning/suppressions.js.map +1 -0
package/dist/mcp/server.d.ts +2 -0
package/dist/mcp/server.d.ts.map +1 -0
package/dist/mcp/server.js +187 -0
package/dist/mcp/server.js.map +1 -0
package/dist/mcp/tools/explain.d.ts +58 -0
package/dist/mcp/tools/explain.d.ts.map +1 -0
package/dist/mcp/tools/explain.js +60 -0
package/dist/mcp/tools/explain.js.map +1 -0
package/dist/mcp/tools/precheck.d.ts +29 -0
package/dist/mcp/tools/precheck.d.ts.map +1 -0
package/dist/mcp/tools/precheck.js +42 -0
package/dist/mcp/tools/precheck.js.map +1 -0
package/dist/mcp/tools/validate.d.ts +73 -0
package/dist/mcp/tools/validate.d.ts.map +1 -0
package/dist/mcp/tools/validate.js +66 -0
package/dist/mcp/tools/validate.js.map +1 -0
package/dist/mcp/warm.d.ts +88 -0
package/dist/mcp/warm.d.ts.map +1 -0
package/dist/mcp/warm.js +331 -0
package/dist/mcp/warm.js.map +1 -0
package/dist/orchestrator.d.ts +46 -0
package/dist/orchestrator.d.ts.map +1 -0
package/dist/orchestrator.js +596 -0
package/dist/orchestrator.js.map +1 -0
package/dist/policy.d.ts +51 -0
package/dist/policy.d.ts.map +1 -0
package/dist/policy.js +201 -0
package/dist/policy.js.map +1 -0
package/dist/risk.d.ts +31 -0
package/dist/risk.d.ts.map +1 -0
package/dist/risk.js +92 -0
package/dist/risk.js.map +1 -0
package/dist/stats.d.ts +72 -0
package/dist/stats.d.ts.map +1 -0
package/dist/stats.js +217 -0
package/dist/stats.js.map +1 -0
package/dist/telemetry/collector.d.ts +10 -0
package/dist/telemetry/collector.d.ts.map +1 -0
package/dist/telemetry/collector.js +75 -0
package/dist/telemetry/collector.js.map +1 -0
package/dist/telemetry/consent.d.ts +9 -0
package/dist/telemetry/consent.d.ts.map +1 -0
package/dist/telemetry/consent.js +42 -0
package/dist/telemetry/consent.js.map +1 -0
package/dist/telemetry/installation.d.ts +2 -0
package/dist/telemetry/installation.d.ts.map +1 -0
package/dist/telemetry/installation.js +32 -0
package/dist/telemetry/installation.js.map +1 -0
package/dist/telemetry/sanitizer.d.ts +5 -0
package/dist/telemetry/sanitizer.d.ts.map +1 -0
package/dist/telemetry/sanitizer.js +60 -0
package/dist/telemetry/sanitizer.js.map +1 -0
package/dist/telemetry/types.d.ts +39 -0
package/dist/telemetry/types.d.ts.map +1 -0
package/dist/telemetry/types.js +4 -0
package/dist/telemetry/types.js.map +1 -0
package/dist/telemetry/uploader.d.ts +12 -0
package/dist/telemetry/uploader.d.ts.map +1 -0
package/dist/telemetry/uploader.js +92 -0
package/dist/telemetry/uploader.js.map +1 -0
package/dist/util/logger.d.ts +19 -0
package/dist/util/logger.d.ts.map +1 -0
package/dist/util/logger.js +58 -0
package/dist/util/logger.js.map +1 -0
package/dist/util/safe-paths.d.ts +8 -0
package/dist/util/safe-paths.d.ts.map +1 -0
package/dist/util/safe-paths.js +102 -0
package/dist/util/safe-paths.js.map +1 -0
package/dist/util/subprocess.d.ts +32 -0
package/dist/util/subprocess.d.ts.map +1 -0
package/dist/util/subprocess.js +137 -0
package/dist/util/subprocess.js.map +1 -0
package/package.json +93 -0

package/dist/index/graph_routing.js ADDED Viewed

@@ -0,0 +1,170 @@
+/**
+ * Graph-aware routing — surfaces "this file is the CALLER of a module that
+ * already has security/logic findings in cache".
+ *
+ * Without this, the orchestrator's ``decideStage2`` can miss real cross-file
+ * bugs (V2-14 eval found 2/7): the route file looks clean in isolation
+ * (no SQL, no obvious patterns) but it imports a function from db.py that
+ * Joern already flagged with CWE-89. The critic on the route file alone
+ * never gets invoked.
+ *
+ * **What this module does (v1, Python-only):**
+ *   1. Parse top-level imports from the source: ``from X import …`` and
+ *      ``import X``.
+ *   2. Resolve each module name to a file inside the project root.
+ *   3. Cross-reference against the Joern + Pysa findings.jsonl caches.
+ *   4. Return one ``CallerSideRiskHit`` per (import, finding) pair so the
+ *      critic can be both ROUTED to AND informed about which import is
+ *      the risky one ("you're calling db.get_user_by_name which Joern
+ *      flagged as CWE-89 — review THIS file's usage carefully").
+ *
+ * **What this module is NOT:**
+ *   - It is not full call-graph analysis (no SCIP traversal yet — that's
+ *     Phase 4). We only look at imports at the import statement, not at
+ *     transitive calls.
+ *   - It is not JS/TS-aware in v1. The ``jsImports`` parser is here as a
+ *     stub for the next iteration but ``resolveImportToFile`` returns
+ *     null for non-Python.
+ *   - It is heuristic over import strings — does NOT understand aliasing
+ *     (``from db import foo as bar`` is fine, ``import db as x; x.foo()``
+ *     also handled because we key on the IMPORT not the call site).
+ *
+ * **Performance:**
+ *   - Regex pass over ``content`` (≤ MB-scale typical): sub-ms.
+ *   - readJoernFindings/readPysaFindings hit disk once per scan; both
+ *     parse JSONL line-by-line (~10K findings = ~5 ms cold; both
+ *     functions are call-site cached at the index module level).
+ *   - ``findCallerSideRiskSignals`` is therefore ~10 ms p95 on a typical
+ *     project — cheap enough for every gate call.
+ */
+import { existsSync } from "node:fs";
+import { join, resolve as resolvePath } from "node:path";
+import { readJoernFindings } from "./joern.js";
+import { readPysaFindings } from "./pysa.js";
+// ── Import parsers ───────────────────────────────────────────────────────-
+/** Top-level Python imports — both ``from X import Y`` and ``import X``
+ * (and dotted forms like ``import services.pricing``). Aliases via ``as``
+ * are intentionally ignored — we care about the SOURCE module, not the
+ * local binding. */
+export function parsePythonImports(content) {
+    const out = new Set();
+    // from <module> import …
+    for (const m of content.matchAll(/^\s*from\s+([a-zA-Z_][\w.]*)\s+import\s+/gm)) {
+        out.add(m[1]);
+    }
+    // import <module>[, <module>, …]
+    for (const m of content.matchAll(/^\s*import\s+([a-zA-Z_][\w.]*(?:\s*,\s*[a-zA-Z_][\w.]*)*)/gm)) {
+        for (const mod of m[1].split(",")) {
+            out.add(mod.trim());
+        }
+    }
+    // Drop stdlib-ish prefixes that obviously aren't project files (cheap
+    // pruning so we don't probe the filesystem for them). We DON'T do an
+    // exhaustive stdlib list — false positives here just waste a filesystem
+    // probe, never produce a wrong routing decision.
+    const STDLIB_PREFIX_BLOCKLIST = new Set([
+        "os", "sys", "json", "re", "math", "typing", "pathlib", "subprocess",
+        "asyncio", "datetime", "time", "collections", "itertools", "functools",
+        "dataclasses", "abc", "enum", "logging", "io", "string", "hashlib",
+        "base64", "uuid", "random", "warnings", "weakref", "copy", "pickle",
+        "sqlite3", "urllib", "http", "socket", "ssl", "secrets",
+    ]);
+    return [...out].filter((m) => {
+        const head = m.split(".")[0];
+        return !STDLIB_PREFIX_BLOCKLIST.has(head);
+    });
+}
+/** Top-level JS/TS imports — `import … from "…"` and `require("…")`.
+ * Currently parsed for future use; ``resolveImportToFile`` returns null
+ * for JS so these don't yet contribute to routing. */
+export function parseJsImports(content) {
+    const out = new Set();
+    for (const m of content.matchAll(/(?:from|require\s*\()\s*['"]([^'"]+)['"]/g)) {
+        out.add(m[1]);
+    }
+    return [...out];
+}
+// ── Resolution ────────────────────────────────────────────────────────────
+/** Resolve a Python module name to a file inside ``projectRoot``. Returns
+ * the absolute path or null when not found. */
+export function resolveImportToFile(importStr, projectRoot, lang) {
+    if (lang === "python") {
+        // Dotted module → path-with-slashes; either <path>.py or <path>/__init__.py.
+        const path = importStr.replace(/\./g, "/");
+        const candidates = [
+            join(projectRoot, path + ".py"),
+            join(projectRoot, path, "__init__.py"),
+        ];
+        for (const c of candidates) {
+            if (existsSync(c))
+                return c;
+        }
+        return null;
+    }
+    // JS/TS resolution would need to honor moduleResolution, "./db" relative
+    // paths, package.json "exports", etc. Out of scope for v1 — the routing
+    // skips JS files cleanly (returning [] from findCallerSideRiskSignals).
+    return null;
+}
+// ── Public entry ─────────────────────────────────────────────────────────-
+/** Inspect ``content``'s imports + the project's cached findings; return
+ * one hit per (import, finding) pair when the imported module already has
+ * a cached finding. */
+export function findCallerSideRiskSignals(content, projectRoot, lang) {
+    if (lang !== "python")
+        return []; // v1: Python only
+    const imports = parsePythonImports(content);
+    if (imports.length === 0)
+        return [];
+    // Load caches once per call. Both readers are tolerant of a missing
+    // file (return []) so a project that hasn't been indexed yet just
+    // produces zero hits.
+    const root = resolvePath(projectRoot);
+    const joernFindings = readJoernFindings(root);
+    const pysaFindings = readPysaFindings(root);
+    if (joernFindings.length === 0 && pysaFindings.length === 0)
+        return [];
+    // Pre-build a per-file index so each import lookup is O(1).
+    const byFile = new Map();
+    for (const f of joernFindings) {
+        const arr = byFile.get(f.file) ?? [];
+        arr.push({ f, engine: "joern" });
+        byFile.set(f.file, arr);
+    }
+    for (const f of pysaFindings) {
+        const arr = byFile.get(f.file) ?? [];
+        arr.push({ f, engine: "pysa" });
+        byFile.set(f.file, arr);
+    }
+    const hits = [];
+    for (const imp of imports) {
+        const resolved = resolveImportToFile(imp, root, lang);
+        if (!resolved)
+            continue;
+        // Convert absolute → project-relative POSIX (Joern/Pysa store paths
+        // that way). The compare is case-insensitive on Windows since
+        // joern/pysa may produce mixed-case relative paths through the WSL
+        // bridge.
+        const rel = (resolved.startsWith(root)
+            ? resolved.slice(root.length + 1)
+            : resolved).replace(/\\/g, "/");
+        const matches = byFile.get(rel) ?? [];
+        for (const m of matches) {
+            hits.push({
+                importedModule: imp,
+                resolvedFile: rel,
+                finding: m.f,
+                sourceEngine: m.engine,
+            });
+        }
+    }
+    return hits;
+}
+// Test-friendly exports
+export const _testing = {
+    parsePythonImports,
+    parseJsImports,
+    resolveImportToFile,
+    findCallerSideRiskSignals,
+};
+//# sourceMappingURL=graph_routing.js.map

package/dist/index/graph_routing.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"graph_routing.js","sourceRoot":"","sources":["../../src/index/graph_routing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AAGzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAiB7C,6EAA6E;AAE7E;;;oBAGoB;AACpB,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,yBAAyB;IACzB,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,4CAA4C,CAAC,EAAE,CAAC;QAC/E,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IACjB,CAAC;IACD,iCAAiC;IACjC,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,6DAA6D,CAAC,EAAE,CAAC;QAChG,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IACD,sEAAsE;IACtE,qEAAqE;IACrE,wEAAwE;IACxE,iDAAiD;IACjD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;QACtC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY;QACpE,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,WAAW;QACtE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS;QAClE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ;QACnE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS;KACxD,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QAC9B,OAAO,CAAC,uBAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;sDAEsD;AACtD,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,2CAA2C,CAAC,EAAE,CAAC;QAC9E,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC;AAClB,CAAC;AAED,6EAA6E;AAE7E;+CAC+C;AAC/C,MAAM,UAAU,mBAAmB,CACjC,SAAiB,EACjB,WAAmB,EACnB,IAAY;IAEZ,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,6EAA6E;QAC7E,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,UAAU,GAAG;YACjB,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,KAAK,CAAC;YAC/B,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,aAAa,CAAC;SACvC,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,CAAC,CAAC;QAC9B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,6EAA6E;AAE7E;;uBAEuB;AACvB,MAAM,UAAU,yBAAyB,CACvC,OAAe,EACf,WAAmB,EACnB,IAAY;IAEZ,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC,CAAC,kBAAkB;IACpD,MAAM,OAAO,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEpC,oEAAoE;IACpE,kEAAkE;IAClE,sBAAsB;IACtB,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACtC,MAAM,aAAa,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC5C,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEvE,4DAA4D;IAC5D,MAAM,MAAM,GAAG,IAAI,GAAG,EAA2D,CAAC;IAClF,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QACjC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1B,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACrC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAChC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,GAAwB,EAAE,CAAC;IACrC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,QAAQ;YAAE,SAAS;QACxB,oEAAoE;QACpE,8DAA8D;QAC9D,mEAAmE;QACnE,UAAU;QACV,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;YACpC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;YACjC,CAAC,CAAC,QAAQ,CACX,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC;gBACR,cAAc,EAAE,GAAG;gBACnB,YAAY,EAAE,GAAG;gBACjB,OAAO,EAAE,CAAC,CAAC,CAAC;gBACZ,YAAY,EAAE,CAAC,CAAC,MAAM;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,kBAAkB;IAClB,cAAc;IACd,mBAAmB;IACnB,yBAAyB;CAC1B,CAAC"}

package/dist/index/joern.d.ts ADDED Viewed

@@ -0,0 +1,76 @@
+import { Finding } from "../findings.js";
+export interface JoernBuildReport {
+    ok: boolean;
+    /** Per-project cache directory the build wrote into. */
+    cacheDir: string;
+    /** Absolute path to the findings.jsonl produced by the query. */
+    findingsPath: string;
+    /** Number of findings written. */
+    findingsCount: number;
+    /** Wall-clock total. */
+    durationMs: number;
+    /** Reason if !ok (e.g. "joern not installed", "JDK 11-21 missing"). */
+    reason?: string;
+}
+export interface JoernInfo {
+    built_at: number;
+    query_version: string;
+    joern_path: string;
+    jdk_path: string;
+    n_findings: number;
+    files_indexed: number;
+}
+/** Locate the joern-cli directory containing ``joern-parse`` + ``joern``. */
+export declare function findJoernDir(): string | null;
+/** Locate a JDK in the 11..21 range. ``AEGIS_JOERN_JDK`` env wins. */
+export declare function findJoernJdk(): string | null;
+export declare function joernFindingsPath(projectRoot: string): string;
+export declare function joernInfoPath(projectRoot: string): string;
+/** Read the Joern info.json — returns null if missing / unreadable. */
+export declare function readJoernInfo(projectRoot: string): JoernInfo | null;
+/** Read cached findings as Finding[]. Returns [] on missing / unreadable. */
+export declare function readJoernFindings(projectRoot: string): Finding[];
+/** sink-call → (CWE, severity, title) used by the parsed-line converter.
+ * Mirrors the table in argus/engines/joern.py. */
+type SinkSeverity = "low" | "medium" | "high" | "critical";
+interface SinkMeta {
+    cwe: string;
+    severity: SinkSeverity;
+    title: string;
+}
+interface LogicMeta {
+    cwe: string;
+    severity: SinkSeverity;
+    title: string;
+}
+/** RacerD-inspired race / concurrency detectors. Each kind maps to a CWE
+ * + human label that mirrors the LOGIC table's shape. They're tracked
+ * separately so the AEGIS_RACE prefix in CPGQL output is parse-time
+ * obvious and we never accidentally classify a sink as a race. */
+interface RaceMeta {
+    cwe: string;
+    severity: SinkSeverity;
+    title: string;
+}
+declare function buildCpgqlScript(cpgPath: string): string;
+/** Convert a Joern stdout dump to deduped Finding[]. */
+declare function parseJoernOutput(stdout: string, projectRoot: string): Finding[];
+declare function toRelPosix(absPath: string, projectRoot: string): string;
+/** Build the CPG for a project, run the security+logic query, write the
+ * findings cache. Returns a structured report. Never throws — failures
+ * produce ``{ok:false, reason}``. */
+export declare function buildJoernCpg(projectRoot: string, opts?: {
+    force?: boolean;
+    timeoutMs?: number;
+}): Promise<JoernBuildReport>;
+export declare const _testing: {
+    buildCpgqlScript: typeof buildCpgqlScript;
+    parseJoernOutput: typeof parseJoernOutput;
+    toRelPosix: typeof toRelPosix;
+    SINKS: Record<string, SinkMeta>;
+    LOGIC: Record<string, LogicMeta>;
+    RACES: Record<string, RaceMeta>;
+    QUERY_VERSION: string;
+};
+export {};
+//# sourceMappingURL=joern.d.ts.map

package/dist/index/joern.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"joern.d.ts","sourceRoot":"","sources":["../../src/index/joern.ts"],"names":[],"mappings":"AA+CA,OAAO,EAAE,OAAO,EAAgC,MAAM,gBAAgB,CAAC;AA0CvE,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,OAAO,CAAC;IACZ,wDAAwD;IACxD,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,wBAAwB;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,uEAAuE;IACvE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IAGnB,aAAa,EAAE,MAAM,CAAC;CACvB;AASD,6EAA6E;AAC7E,wBAAgB,YAAY,IAAI,MAAM,GAAG,IAAI,CAe5C;AA4BD,sEAAsE;AACtE,wBAAgB,YAAY,IAAI,MAAM,GAAG,IAAI,CAe5C;AAaD,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,uEAAuE;AACvE,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAQnE;AAED,6EAA6E;AAC7E,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,EAAE,CAiBhE;AAID;kDACkD;AAClD,KAAK,YAAY,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAC3D,UAAU,QAAQ;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,YAAY,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;CACf;AAiBD,UAAU,SAAS;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,YAAY,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;CACf;AAUD;;;kEAGkE;AAClE,UAAU,QAAQ;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,YAAY,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;CACf;AAuBD,iBAAS,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAyEjD;AAID,wDAAwD;AACxD,iBAAS,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,EAAE,CAiBxE;AAED,iBAAS,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAahE;AAoLD;;qCAEqC;AACrC,wBAAsB,aAAa,CACjC,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7C,OAAO,CAAC,gBAAgB,CAAC,CA8O3B;AAGD,eAAO,MAAM,QAAQ;;;;;;;;CAQpB,CAAC"}