ferret-scan 2.1.2 → 2.3.0

package/dist/scanner/Scanner.js

@@ -9,18 +9,18 @@ import { discoverFiles } from './FileDiscovery.js';
 import { matchRules } from './PatternMatcher.js';
 import { getRulesForScan } from '../rules/index.js';
 import { loadCustomRules, loadCustomRulesSource } from '../features/customRules.js';
-import { analyzeFile as analyzeFileSemantics, shouldAnalyze as shouldAnalyzeSemantics, getMemoryUsage } from '../analyzers/AstAnalyzer.js';
 import { analyzeCorrelations, shouldAnalyzeCorrelations } from '../analyzers/CorrelationAnalyzer.js';
-import { loadThreatDatabase } from '../intelligence/ThreatFeed.js';
-import { matchIndicators, shouldMatchIndicators } from '../intelligence/IndicatorMatcher.js';
-import { analyzeEntropy, entropyFindingsToFindings } from '../features/entropyAnalysis.js';
-import { validateMcpConfigContent, mcpAssessmentsToFindings } from '../features/mcpValidator.js';
-import { analyzeDependencies, dependencyAssessmentsToFindings } from '../features/dependencyRisk.js';
-import { analyzeCapabilitiesContent, capabilityProfileToFindings } from '../features/capabilityMapping.js';
 import { parseIgnoreComments, shouldIgnoreFinding } from '../features/ignoreComments.js';
 import { annotateFindingsWithMitreAtlas, setMitreAtlasTechniqueCatalog } from '../mitre/atlas.js';
 import { loadMitreAtlasTechniqueCatalog } from '../mitre/atlasCatalog.js';
-import { createLlmProvider, analyzeWithLlm } from '../features/llmAnalysis.js';
+import { createLlmProvider } from '../features/llmAnalysis.js';
+import { EntropyAnalyzer } from './analyzers/EntropyAnalyzer.js';
+import { McpAnalyzer } from './analyzers/McpAnalyzer.js';
+import { DependencyAnalyzer } from './analyzers/DependencyAnalyzer.js';
+import { CapabilityAnalyzer } from './analyzers/CapabilityAnalyzer.js';
+import { LlmAnalyzer } from './analyzers/LlmAnalyzer.js';
+import { SemanticAnalyzer } from './analyzers/SemanticAnalyzer.js';
+import { ThreatIntelAnalyzer } from './analyzers/ThreatIntelAnalyzer.js';
 import logger from '../utils/logger.js';
 import ora from 'ora';
 function looksLikeDocumentationPath(filePath) {
@@ -242,14 +242,27 @@ async function loadCustomRulesForScan(config) {
     }
     return rules.filter(r => r.enabled && config.categories.includes(r.category) && config.severities.includes(r.severity));
 }
+/**
+ * Build the ordered list of analyzers for a scan.
+ */
+function buildAnalyzers(llmProvider, llmRuntime) {
+    return [
+        new EntropyAnalyzer(),
+        new McpAnalyzer(),
+        new DependencyAnalyzer(),
+        new CapabilityAnalyzer(),
+        new LlmAnalyzer(llmProvider, llmRuntime),
+        new SemanticAnalyzer(),
+        new ThreatIntelAnalyzer(),
+    ];
+}
 /**
  * Scan a single file
  */
-async function scanFile(file, config, rules, llmProvider, llmRuntime) {
+async function scanFile(file, config, rules, analyzers) {
     try {
         const content = await readFile(file.path, 'utf-8');
         const allFindings = [];
-        const fileErrors = [];
         let ignoreState;
         if (config.ignoreComments && content.includes('ferret-')) {
             const parsed = parseIgnoreComments(content, file.type);
@@ -262,124 +275,20 @@ async function scanFile(file, config, rules, llmProvider, llmRuntime) {
             contextLines: config.contextLines,
         });
         allFindings.push(...patternFindings);
-        // Entropy analysis (secret detection) if enabled
-        if (config.entropyAnalysis) {
-            try {
-                const entropyFindings = analyzeEntropy(content, file);
-                const converted = entropyFindingsToFindings(entropyFindings, file, content);
-                allFindings.push(...converted);
-            }
-            catch (entropyError) {
-                const entropyMessage = entropyError instanceof Error ? entropyError.message : String(entropyError);
-                logger.warn(`Entropy analysis error for ${file.relativePath}: ${entropyMessage}`);
-            }
-        }
-        // MCP configuration validation if enabled
-        if (config.mcpValidation && file.component === 'mcp' && file.type === 'json') {
-            const mcpResult = validateMcpConfigContent(content);
-            if (mcpResult.valid && mcpResult.assessments.length > 0) {
-                const mcpFindings = mcpAssessmentsToFindings(mcpResult.assessments, file.path);
-                // Normalize relative path (feature module uses basename)
-                for (const f of mcpFindings) {
-                    f.relativePath = file.relativePath;
-                }
-                allFindings.push(...mcpFindings);
-            }
-        }
-        // Dependency analysis if enabled
-        if (config.dependencyAnalysis && basename(file.path).toLowerCase() === 'package.json') {
-            try {
-                const depResult = analyzeDependencies(file.path, config.dependencyAudit);
-                const depFindings = dependencyAssessmentsToFindings(depResult);
-                for (const f of depFindings) {
-                    f.relativePath = file.relativePath;
-                }
-                allFindings.push(...depFindings);
-            }
-            catch (depError) {
-                const depMessage = depError instanceof Error ? depError.message : String(depError);
-                logger.warn(`Dependency analysis error for ${file.relativePath}: ${depMessage}`);
-            }
-        }
-        // Capability mapping if enabled (best-effort, JSON-only)
-        if (config.capabilityMapping && file.type === 'json') {
-            try {
-                const profile = analyzeCapabilitiesContent(file.path, content);
-                if (profile) {
-                    const capFindings = capabilityProfileToFindings(profile);
-                    for (const f of capFindings) {
-                        f.relativePath = file.relativePath;
-                    }
-                    allFindings.push(...capFindings);
-                }
-            }
-            catch (capError) {
-                const capMessage = capError instanceof Error ? capError.message : String(capError);
-                logger.warn(`Capability mapping error for ${file.relativePath}: ${capMessage}`);
-            }
-        }
-        // LLM-assisted analysis (optional; networked)
-        if (config.llmAnalysis && llmProvider && !llmRuntime.disabled && llmRuntime.analyzed < config.llm.maxFiles) {
-            const llmResult = await analyzeWithLlm(llmProvider, config.llm, file, content, allFindings);
-            if (llmResult.ran) {
-                llmRuntime.analyzed += 1;
-            }
-            allFindings.push(...llmResult.findings);
-            if (llmResult.error) {
-                fileErrors.push(`LLM analysis: ${llmResult.error}`);
-                if (!llmRuntime.disabled && /\bHTTP 429\b/i.test(llmResult.error)) {
-                    llmRuntime.disabled = true;
-                    llmRuntime.disabledReason = 'rate limited (HTTP 429)';
-                    logger.warn('LLM disabled for remainder of scan due to rate limiting (HTTP 429)');
-                }
-            }
-        }
-        // Semantic analysis if enabled and applicable
-        if (config.semanticAnalysis && shouldAnalyzeSemantics(file, config)) {
-            // Monitor memory usage
-            const memBefore = getMemoryUsage();
-            if (memBefore.used > 1000) { // More than 1GB used
-                logger.warn(`High memory usage (${memBefore.used}MB) - skipping semantic analysis for ${file.relativePath}`);
-            }
-            else {
-                try {
-                    logger.debug(`Running semantic analysis on ${file.relativePath}`);
-                    const semanticFindings = await analyzeFileSemantics(file, content, rules);
-                    // Convert SemanticFinding to Finding for compatibility
-                    allFindings.push(...semanticFindings);
-                    const memAfter = getMemoryUsage();
-                    logger.debug(`Semantic analysis memory: ${memAfter.used - memBefore.used}MB delta`);
-                }
-                catch (semanticError) {
-                    const semanticMessage = semanticError instanceof Error ? semanticError.message : String(semanticError);
-                    logger.warn(`Semantic analysis error for ${file.relativePath}: ${semanticMessage}`);
-                }
-            }
-        }
-        // Threat intelligence matching if enabled
-        if (config.threatIntel && shouldMatchIndicators(file, config)) {
+        // Run each analyzer in order via the registry
+        const ctx = { file, content, config, rules, existingFindings: allFindings };
+        for (const analyzer of analyzers) {
+            if (!analyzer.shouldRun(ctx))
+                continue;
             try {
-                const threatDB = loadThreatDatabase();
-                logger.debug(`Running threat intelligence matching on ${file.relativePath}`);
-                const threatFindings = matchIndicators(threatDB, file, content, {
-                    minConfidence: 50,
-                    enablePatternMatching: true,
-                    maxMatchesPerFile: 50
-                });
-                allFindings.push(...threatFindings);
-                logger.debug(`Found ${threatFindings.length} threat intelligence matches`);
+                const found = await analyzer.analyze(ctx);
+                allFindings.push(...found);
+                ctx.existingFindings = allFindings;
             }
-            catch (threatError) {
-                const threatMessage = threatError instanceof Error ? threatError.message : String(threatError);
-                logger.warn(`Threat intelligence error for ${file.relativePath}: ${threatMessage}`);
+            catch (err) {
+                logger.warn(`${analyzer.name} error for ${file.relativePath}: ${err instanceof Error ? err.message : String(err)}`);
             }
         }
-        if (fileErrors.length > 0 && ignoreState) {
-            return { findings: allFindings, errors: fileErrors, ignoreState };
-        }
-        if (fileErrors.length > 0) {
-            return { findings: allFindings, errors: fileErrors };
-        }
         if (ignoreState) {
             return { findings: allFindings, ignoreState };
         }
@@ -406,6 +315,30 @@ function isLocalEndpoint(urlStr) {
         return false;
     }
 }
+function buildMcpTrustSummary(trustFindings) {
+    const summary = { total: 0, high: 0, medium: 0, low: 0, critical: 0, lowestScore: 100 };
+    const seen = new Set();
+    for (const f of trustFindings) {
+        const server = String(f.metadata?.['serverName'] ?? f.file);
+        if (seen.has(server))
+            continue;
+        seen.add(server);
+        summary.total++;
+        const score = typeof f.metadata?.['trustScore'] === 'number'
+            ? f.metadata['trustScore']
+            : (f.severity === 'CRITICAL' ? 20 : 45);
+        summary.lowestScore = Math.min(summary.lowestScore, score);
+        if (score >= 80)
+            summary.high++;
+        else if (score >= 60)
+            summary.medium++;
+        else if (score >= 40)
+            summary.low++;
+        else
+            summary.critical++;
+    }
+    return summary;
+}
 /**
  * Main scan function
  */
@@ -459,6 +392,8 @@ export async function scan(config) {
                 'Review privacy/compliance requirements before enabling this feature.');
         }
     }
+    // Build analyzer registry (uses llmProvider + llmRuntime by reference)
+    const analyzers = buildAnalyzers(llmProvider, llmRuntime);
     // Discover files with spinner
     let spinner = null;
     if (showProgress) {
@@ -520,7 +455,7 @@ export async function scan(config) {
                 lastYield = Date.now();
             }
         }
-        const result = await scanFile(file, config, rulesForScan, llmProvider, llmRuntime);
+        const result = await scanFile(file, config, rulesForScan, analyzers);
         if (result.errors && result.errors.length > 0) {
             for (const err of result.errors) {
                 errors.push({
@@ -588,6 +523,9 @@ export async function scan(config) {
     const sortedFindings = sortFindings(filteredFindings);
     const endTime = new Date();
     const duration = endTime.getTime() - startTime.getTime();
+    // Build MCP trust summary from trust-score findings emitted by mcpValidator
+    const mcpTrustFindings = sortedFindings.filter(f => f.metadata?.['issueType'] === 'trust-score');
+    const mcpTrustSummary = mcpTrustFindings.length > 0 ? buildMcpTrustSummary(mcpTrustFindings) : undefined;
     const result = {
         success: true,
         startTime,
@@ -604,6 +542,7 @@ export async function scan(config) {
         summary: calculateSummary(sortedFindings),
         errors,
         ignoredFindings,
+        ...(mcpTrustSummary !== undefined ? { mcpTrustSummary } : {}),
     };
     logger.info(`Scan complete: ${result.summary.total} findings in ${result.analyzedFiles} files (${duration}ms)`);
     return result;

package/dist/scanner/analyzers/CapabilityAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class CapabilityAnalyzer implements IAnalyzer {
+    readonly name = "CapabilityAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=CapabilityAnalyzer.d.ts.map

package/dist/scanner/analyzers/CapabilityAnalyzer.js

@@ -0,0 +1,19 @@
+import { analyzeCapabilitiesContent, capabilityProfileToFindings } from '../../features/capabilityMapping.js';
+export class CapabilityAnalyzer {
+    name = 'CapabilityAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.capabilityMapping && ctx.file.type === 'json';
+    }
+    async analyze(ctx) {
+        const profile = analyzeCapabilitiesContent(ctx.file.path, ctx.content);
+        if (!profile) {
+            return [];
+        }
+        const capFindings = capabilityProfileToFindings(profile);
+        for (const f of capFindings) {
+            f.relativePath = ctx.file.relativePath;
+        }
+        return capFindings;
+    }
+}
+//# sourceMappingURL=CapabilityAnalyzer.js.map

package/dist/scanner/analyzers/DependencyAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class DependencyAnalyzer implements IAnalyzer {
+    readonly name = "DependencyAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=DependencyAnalyzer.d.ts.map

package/dist/scanner/analyzers/DependencyAnalyzer.js

@@ -0,0 +1,18 @@
+import { basename } from 'node:path';
+import { analyzeDependencies, dependencyAssessmentsToFindings } from '../../features/dependencyRisk.js';
+export class DependencyAnalyzer {
+    name = 'DependencyAnalyzer';
+    shouldRun(ctx) {
+        return (ctx.config.dependencyAnalysis &&
+            basename(ctx.file.path).toLowerCase() === 'package.json');
+    }
+    async analyze(ctx) {
+        const depResult = analyzeDependencies(ctx.file.path, ctx.config.dependencyAudit);
+        const depFindings = dependencyAssessmentsToFindings(depResult);
+        for (const f of depFindings) {
+            f.relativePath = ctx.file.relativePath;
+        }
+        return depFindings;
+    }
+}
+//# sourceMappingURL=DependencyAnalyzer.js.map

package/dist/scanner/analyzers/EntropyAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class EntropyAnalyzer implements IAnalyzer {
+    readonly name = "EntropyAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=EntropyAnalyzer.d.ts.map

package/dist/scanner/analyzers/EntropyAnalyzer.js

@@ -0,0 +1,12 @@
+import { analyzeEntropy, entropyFindingsToFindings } from '../../features/entropyAnalysis.js';
+export class EntropyAnalyzer {
+    name = 'EntropyAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.entropyAnalysis;
+    }
+    async analyze(ctx) {
+        const entropyFindings = analyzeEntropy(ctx.content, ctx.file);
+        return entropyFindingsToFindings(entropyFindings, ctx.file, ctx.content);
+    }
+}
+//# sourceMappingURL=EntropyAnalyzer.js.map

package/dist/scanner/analyzers/LlmAnalyzer.d.ts

@@ -0,0 +1,17 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+import { type LlmProvider } from '../../features/llmAnalysis.js';
+export interface LlmRuntime {
+    analyzed: number;
+    disabled: boolean;
+    disabledReason?: string;
+}
+export declare class LlmAnalyzer implements IAnalyzer {
+    private readonly llmProvider;
+    private readonly llmRuntime;
+    readonly name = "LlmAnalyzer";
+    constructor(llmProvider: LlmProvider | null, llmRuntime: LlmRuntime);
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=LlmAnalyzer.d.ts.map

package/dist/scanner/analyzers/LlmAnalyzer.js

@@ -0,0 +1,36 @@
+import { analyzeWithLlm } from '../../features/llmAnalysis.js';
+import logger from '../../utils/logger.js';
+export class LlmAnalyzer {
+    llmProvider;
+    llmRuntime;
+    name = 'LlmAnalyzer';
+    constructor(llmProvider, llmRuntime) {
+        this.llmProvider = llmProvider;
+        this.llmRuntime = llmRuntime;
+    }
+    shouldRun(ctx) {
+        return (ctx.config.llmAnalysis &&
+            this.llmProvider !== null &&
+            !this.llmRuntime.disabled &&
+            this.llmRuntime.analyzed < ctx.config.llm.maxFiles);
+    }
+    async analyze(ctx) {
+        // shouldRun already guards llmProvider non-null, but TypeScript needs the cast
+        const provider = this.llmProvider;
+        const llmResult = await analyzeWithLlm(provider, ctx.config.llm, ctx.file, ctx.content, ctx.existingFindings);
+        if (llmResult.ran) {
+            this.llmRuntime.analyzed += 1;
+        }
+        if (llmResult.error) {
+            if (!this.llmRuntime.disabled && /\bHTTP 429\b/i.test(llmResult.error)) {
+                this.llmRuntime.disabled = true;
+                this.llmRuntime.disabledReason = 'rate limited (HTTP 429)';
+                logger.warn('LLM disabled for remainder of scan due to rate limiting (HTTP 429)');
+            }
+            // Re-throw so the caller's catch block records it as a file error
+            throw new Error(`LLM analysis: ${llmResult.error}`);
+        }
+        return llmResult.findings;
+    }
+}
+//# sourceMappingURL=LlmAnalyzer.js.map

package/dist/scanner/analyzers/McpAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class McpAnalyzer implements IAnalyzer {
+    readonly name = "McpAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=McpAnalyzer.d.ts.map

package/dist/scanner/analyzers/McpAnalyzer.js

@@ -0,0 +1,19 @@
+import { validateMcpConfigContent, mcpAssessmentsToFindings } from '../../features/mcpValidator.js';
+export class McpAnalyzer {
+    name = 'McpAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.mcpValidation && ctx.file.component === 'mcp' && ctx.file.type === 'json';
+    }
+    async analyze(ctx) {
+        const mcpResult = validateMcpConfigContent(ctx.content);
+        if (!mcpResult.valid || mcpResult.assessments.length === 0) {
+            return [];
+        }
+        const mcpFindings = mcpAssessmentsToFindings(mcpResult.assessments, ctx.file.path);
+        for (const f of mcpFindings) {
+            f.relativePath = ctx.file.relativePath;
+        }
+        return mcpFindings;
+    }
+}
+//# sourceMappingURL=McpAnalyzer.js.map

package/dist/scanner/analyzers/SemanticAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class SemanticAnalyzer implements IAnalyzer {
+    readonly name = "SemanticAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=SemanticAnalyzer.d.ts.map

package/dist/scanner/analyzers/SemanticAnalyzer.js

@@ -0,0 +1,21 @@
+import { analyzeFile as analyzeFileSemantics, shouldAnalyze as shouldAnalyzeSemantics, getMemoryUsage, } from '../../analyzers/AstAnalyzer.js';
+import logger from '../../utils/logger.js';
+export class SemanticAnalyzer {
+    name = 'SemanticAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.semanticAnalysis && shouldAnalyzeSemantics(ctx.file, ctx.config);
+    }
+    async analyze(ctx) {
+        const memBefore = getMemoryUsage();
+        if (memBefore.used > 1000) {
+            logger.warn(`High memory usage (${memBefore.used}MB) - skipping semantic analysis for ${ctx.file.relativePath}`);
+            return [];
+        }
+        logger.debug(`Running semantic analysis on ${ctx.file.relativePath}`);
+        const semanticFindings = await analyzeFileSemantics(ctx.file, ctx.content, ctx.rules);
+        const memAfter = getMemoryUsage();
+        logger.debug(`Semantic analysis memory: ${memAfter.used - memBefore.used}MB delta`);
+        return semanticFindings;
+    }
+}
+//# sourceMappingURL=SemanticAnalyzer.js.map

package/dist/scanner/analyzers/ThreatIntelAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class ThreatIntelAnalyzer implements IAnalyzer {
+    readonly name = "ThreatIntelAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=ThreatIntelAnalyzer.d.ts.map

package/dist/scanner/analyzers/ThreatIntelAnalyzer.js

@@ -0,0 +1,21 @@
+import { loadThreatDatabase } from '../../intelligence/ThreatFeed.js';
+import { matchIndicators, shouldMatchIndicators } from '../../intelligence/IndicatorMatcher.js';
+import logger from '../../utils/logger.js';
+export class ThreatIntelAnalyzer {
+    name = 'ThreatIntelAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.threatIntel && shouldMatchIndicators(ctx.file, ctx.config);
+    }
+    async analyze(ctx) {
+        const threatDB = loadThreatDatabase();
+        logger.debug(`Running threat intelligence matching on ${ctx.file.relativePath}`);
+        const threatFindings = matchIndicators(threatDB, ctx.file, ctx.content, {
+            minConfidence: 50,
+            enablePatternMatching: true,
+            maxMatchesPerFile: 50,
+        });
+        logger.debug(`Found ${threatFindings.length} threat intelligence matches`);
+        return threatFindings;
+    }
+}
+//# sourceMappingURL=ThreatIntelAnalyzer.js.map

package/dist/types.d.ts

@@ -217,6 +217,23 @@ export interface ScanResult {
     errors: ScanError[];
     /** Findings that were suppressed via inline ignore directives */
     ignoredFindings?: number;
+    /** Aggregate MCP server trust score summary (present when MCP configs were scanned) */
+    mcpTrustSummary?: McpTrustSummary;
+}
+/** Aggregated MCP server trust scores across a scan */
+export interface McpTrustSummary {
+    /** Total number of MCP servers evaluated */
+    total: number;
+    /** Servers with HIGH trust (score 80–100) */
+    high: number;
+    /** Servers with MEDIUM trust (score 60–79) */
+    medium: number;
+    /** Servers with LOW trust (score 40–59) */
+    low: number;
+    /** Servers with CRITICAL trust (score 0–39) */
+    critical: number;
+    /** Lowest individual trust score seen */
+    lowestScore: number;
 }
 /** Summary statistics for a scan */
 export interface ScanSummary {
@@ -304,6 +321,12 @@ export interface ScannerConfig {
     verbose: boolean;
     /** CI mode (simplified output) */
     ci: boolean;
+    /** Maximum wall-clock ms for semantic AST analysis of a single code block (default: 2000) */
+    maxSemanticAnalysisMs?: number;
+    /** Maximum AST node count before aborting semantic analysis of a single code block (default: 50000) */
+    maxAstNodes?: number;
+    /** Per-code-block deadline in ms within the file-scoped budget (default: 500) */
+    maxBlockMs?: number;
 }
 /** Supported output formats */
 export type OutputFormat = 'console' | 'json' | 'sarif' | 'html' | 'csv' | 'atlas';

package/dist/types.js

@@ -8,7 +8,7 @@ export const DEFAULT_CONFIG = {
     configOnly: false,
     marketplaceMode: 'configs',
     docDampening: true,
-    redact: false,
+    redact: true,
     severities: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'],
     categories: [
         'exfiltration',

package/dist/utils/baseline.d.ts

@@ -14,21 +14,34 @@ export interface BaselineFinding {
     reason?: string;
     expiresDate?: string;
 }
+export interface BaselineIntegrity {
+    algorithm: 'sha256';
+    hash: string;
+}
 export interface Baseline {
     version: string;
     createdDate: string;
     lastUpdated: string;
     description?: string;
     findings: BaselineFinding[];
+    integrity?: BaselineIntegrity;
 }
+/**
+ * Compute integrity hash of a baseline (excluding the integrity field itself)
+ */
+export declare function computeBaselineIntegrity(baseline: Omit<Baseline, 'integrity'>): BaselineIntegrity;
+/**
+ * Verify that a loaded baseline has not been tampered with
+ */
+export declare function verifyBaselineIntegrity(baseline: Baseline): boolean;
 /**
  * Load baseline from file
  */
-export declare function loadBaseline(baselinePath: string): Baseline | null;
+export declare function loadBaseline(baselinePath: string): Promise<Baseline | null>;
 /**
  * Save baseline to file
  */
-export declare function saveBaseline(baseline: Baseline, baselinePath: string): void;
+export declare function saveBaseline(baseline: Baseline, baselinePath: string): Promise<void>;
 /**
  * Create a new baseline from scan results
  */