ferret-scan 2.2.0 → 2.3.0

package/dist/scanner/Scanner.js

@@ -9,18 +9,18 @@ import { discoverFiles } from './FileDiscovery.js';
 import { matchRules } from './PatternMatcher.js';
 import { getRulesForScan } from '../rules/index.js';
 import { loadCustomRules, loadCustomRulesSource } from '../features/customRules.js';
-import { analyzeFile as analyzeFileSemantics, shouldAnalyze as shouldAnalyzeSemantics, getMemoryUsage } from '../analyzers/AstAnalyzer.js';
 import { analyzeCorrelations, shouldAnalyzeCorrelations } from '../analyzers/CorrelationAnalyzer.js';
-import { loadThreatDatabase } from '../intelligence/ThreatFeed.js';
-import { matchIndicators, shouldMatchIndicators } from '../intelligence/IndicatorMatcher.js';
-import { analyzeEntropy, entropyFindingsToFindings } from '../features/entropyAnalysis.js';
-import { validateMcpConfigContent, mcpAssessmentsToFindings } from '../features/mcpValidator.js';
-import { analyzeDependencies, dependencyAssessmentsToFindings } from '../features/dependencyRisk.js';
-import { analyzeCapabilitiesContent, capabilityProfileToFindings } from '../features/capabilityMapping.js';
 import { parseIgnoreComments, shouldIgnoreFinding } from '../features/ignoreComments.js';
 import { annotateFindingsWithMitreAtlas, setMitreAtlasTechniqueCatalog } from '../mitre/atlas.js';
 import { loadMitreAtlasTechniqueCatalog } from '../mitre/atlasCatalog.js';
-import { createLlmProvider, analyzeWithLlm } from '../features/llmAnalysis.js';
+import { createLlmProvider } from '../features/llmAnalysis.js';
+import { EntropyAnalyzer } from './analyzers/EntropyAnalyzer.js';
+import { McpAnalyzer } from './analyzers/McpAnalyzer.js';
+import { DependencyAnalyzer } from './analyzers/DependencyAnalyzer.js';
+import { CapabilityAnalyzer } from './analyzers/CapabilityAnalyzer.js';
+import { LlmAnalyzer } from './analyzers/LlmAnalyzer.js';
+import { SemanticAnalyzer } from './analyzers/SemanticAnalyzer.js';
+import { ThreatIntelAnalyzer } from './analyzers/ThreatIntelAnalyzer.js';
 import logger from '../utils/logger.js';
 import ora from 'ora';
 function looksLikeDocumentationPath(filePath) {
@@ -242,14 +242,27 @@ async function loadCustomRulesForScan(config) {
     }
     return rules.filter(r => r.enabled && config.categories.includes(r.category) && config.severities.includes(r.severity));
 }
+/**
+ * Build the ordered list of analyzers for a scan.
+ */
+function buildAnalyzers(llmProvider, llmRuntime) {
+    return [
+        new EntropyAnalyzer(),
+        new McpAnalyzer(),
+        new DependencyAnalyzer(),
+        new CapabilityAnalyzer(),
+        new LlmAnalyzer(llmProvider, llmRuntime),
+        new SemanticAnalyzer(),
+        new ThreatIntelAnalyzer(),
+    ];
+}
 /**
  * Scan a single file
  */
-async function scanFile(file, config, rules, llmProvider, llmRuntime) {
+async function scanFile(file, config, rules, analyzers) {
     try {
         const content = await readFile(file.path, 'utf-8');
         const allFindings = [];
-        const fileErrors = [];
         let ignoreState;
         if (config.ignoreComments && content.includes('ferret-')) {
             const parsed = parseIgnoreComments(content, file.type);
@@ -262,124 +275,20 @@ async function scanFile(file, config, rules, llmProvider, llmRuntime) {
             contextLines: config.contextLines,
         });
         allFindings.push(...patternFindings);
-        // Entropy analysis (secret detection) if enabled
-        if (config.entropyAnalysis) {
-            try {
-                const entropyFindings = analyzeEntropy(content, file);
-                const converted = entropyFindingsToFindings(entropyFindings, file, content);
-                allFindings.push(...converted);
-            }
-            catch (entropyError) {
-                const entropyMessage = entropyError instanceof Error ? entropyError.message : String(entropyError);
-                logger.warn(`Entropy analysis error for ${file.relativePath}: ${entropyMessage}`);
-            }
-        }
-        // MCP configuration validation if enabled
-        if (config.mcpValidation && file.component === 'mcp' && file.type === 'json') {
-            const mcpResult = validateMcpConfigContent(content);
-            if (mcpResult.valid && mcpResult.assessments.length > 0) {
-                const mcpFindings = mcpAssessmentsToFindings(mcpResult.assessments, file.path);
-                // Normalize relative path (feature module uses basename)
-                for (const f of mcpFindings) {
-                    f.relativePath = file.relativePath;
-                }
-                allFindings.push(...mcpFindings);
-            }
-        }
-        // Dependency analysis if enabled
-        if (config.dependencyAnalysis && basename(file.path).toLowerCase() === 'package.json') {
-            try {
-                const depResult = analyzeDependencies(file.path, config.dependencyAudit);
-                const depFindings = dependencyAssessmentsToFindings(depResult);
-                for (const f of depFindings) {
-                    f.relativePath = file.relativePath;
-                }
-                allFindings.push(...depFindings);
-            }
-            catch (depError) {
-                const depMessage = depError instanceof Error ? depError.message : String(depError);
-                logger.warn(`Dependency analysis error for ${file.relativePath}: ${depMessage}`);
-            }
-        }
-        // Capability mapping if enabled (best-effort, JSON-only)
-        if (config.capabilityMapping && file.type === 'json') {
-            try {
-                const profile = analyzeCapabilitiesContent(file.path, content);
-                if (profile) {
-                    const capFindings = capabilityProfileToFindings(profile);
-                    for (const f of capFindings) {
-                        f.relativePath = file.relativePath;
-                    }
-                    allFindings.push(...capFindings);
-                }
-            }
-            catch (capError) {
-                const capMessage = capError instanceof Error ? capError.message : String(capError);
-                logger.warn(`Capability mapping error for ${file.relativePath}: ${capMessage}`);
-            }
-        }
-        // LLM-assisted analysis (optional; networked)
-        if (config.llmAnalysis && llmProvider && !llmRuntime.disabled && llmRuntime.analyzed < config.llm.maxFiles) {
-            const llmResult = await analyzeWithLlm(llmProvider, config.llm, file, content, allFindings);
-            if (llmResult.ran) {
-                llmRuntime.analyzed += 1;
-            }
-            allFindings.push(...llmResult.findings);
-            if (llmResult.error) {
-                fileErrors.push(`LLM analysis: ${llmResult.error}`);
-                if (!llmRuntime.disabled && /\bHTTP 429\b/i.test(llmResult.error)) {
-                    llmRuntime.disabled = true;
-                    llmRuntime.disabledReason = 'rate limited (HTTP 429)';
-                    logger.warn('LLM disabled for remainder of scan due to rate limiting (HTTP 429)');
-                }
-            }
-        }
-        // Semantic analysis if enabled and applicable
-        if (config.semanticAnalysis && shouldAnalyzeSemantics(file, config)) {
-            // Monitor memory usage
-            const memBefore = getMemoryUsage();
-            if (memBefore.used > 1000) { // More than 1GB used
-                logger.warn(`High memory usage (${memBefore.used}MB) - skipping semantic analysis for ${file.relativePath}`);
-            }
-            else {
-                try {
-                    logger.debug(`Running semantic analysis on ${file.relativePath}`);
-                    const semanticFindings = await analyzeFileSemantics(file, content, rules);
-                    // Convert SemanticFinding to Finding for compatibility
-                    allFindings.push(...semanticFindings);
-                    const memAfter = getMemoryUsage();
-                    logger.debug(`Semantic analysis memory: ${memAfter.used - memBefore.used}MB delta`);
-                }
-                catch (semanticError) {
-                    const semanticMessage = semanticError instanceof Error ? semanticError.message : String(semanticError);
-                    logger.warn(`Semantic analysis error for ${file.relativePath}: ${semanticMessage}`);
-                }
-            }
-        }
-        // Threat intelligence matching if enabled
-        if (config.threatIntel && shouldMatchIndicators(file, config)) {
+        // Run each analyzer in order via the registry
+        const ctx = { file, content, config, rules, existingFindings: allFindings };
+        for (const analyzer of analyzers) {
+            if (!analyzer.shouldRun(ctx))
+                continue;
             try {
-                const threatDB = loadThreatDatabase();
-                logger.debug(`Running threat intelligence matching on ${file.relativePath}`);
-                const threatFindings = matchIndicators(threatDB, file, content, {
-                    minConfidence: 50,
-                    enablePatternMatching: true,
-                    maxMatchesPerFile: 50
-                });
-                allFindings.push(...threatFindings);
-                logger.debug(`Found ${threatFindings.length} threat intelligence matches`);
+                const found = await analyzer.analyze(ctx);
+                allFindings.push(...found);
+                ctx.existingFindings = allFindings;
             }
-            catch (threatError) {
-                const threatMessage = threatError instanceof Error ? threatError.message : String(threatError);
-                logger.warn(`Threat intelligence error for ${file.relativePath}: ${threatMessage}`);
+            catch (err) {
+                logger.warn(`${analyzer.name} error for ${file.relativePath}: ${err instanceof Error ? err.message : String(err)}`);
             }
         }
-        if (fileErrors.length > 0 && ignoreState) {
-            return { findings: allFindings, errors: fileErrors, ignoreState };
-        }
-        if (fileErrors.length > 0) {
-            return { findings: allFindings, errors: fileErrors };
-        }
         if (ignoreState) {
             return { findings: allFindings, ignoreState };
         }
@@ -406,6 +315,30 @@ function isLocalEndpoint(urlStr) {
         return false;
     }
 }
+function buildMcpTrustSummary(trustFindings) {
+    const summary = { total: 0, high: 0, medium: 0, low: 0, critical: 0, lowestScore: 100 };
+    const seen = new Set();
+    for (const f of trustFindings) {
+        const server = String(f.metadata?.['serverName'] ?? f.file);
+        if (seen.has(server))
+            continue;
+        seen.add(server);
+        summary.total++;
+        const score = typeof f.metadata?.['trustScore'] === 'number'
+            ? f.metadata['trustScore']
+            : (f.severity === 'CRITICAL' ? 20 : 45);
+        summary.lowestScore = Math.min(summary.lowestScore, score);
+        if (score >= 80)
+            summary.high++;
+        else if (score >= 60)
+            summary.medium++;
+        else if (score >= 40)
+            summary.low++;
+        else
+            summary.critical++;
+    }
+    return summary;
+}
 /**
  * Main scan function
  */
@@ -459,6 +392,8 @@ export async function scan(config) {
                 'Review privacy/compliance requirements before enabling this feature.');
         }
     }
+    // Build analyzer registry (uses llmProvider + llmRuntime by reference)
+    const analyzers = buildAnalyzers(llmProvider, llmRuntime);
     // Discover files with spinner
     let spinner = null;
     if (showProgress) {
@@ -520,7 +455,7 @@ export async function scan(config) {
                 lastYield = Date.now();
             }
         }
-        const result = await scanFile(file, config, rulesForScan, llmProvider, llmRuntime);
+        const result = await scanFile(file, config, rulesForScan, analyzers);
         if (result.errors && result.errors.length > 0) {
             for (const err of result.errors) {
                 errors.push({
@@ -588,6 +523,9 @@ export async function scan(config) {
     const sortedFindings = sortFindings(filteredFindings);
     const endTime = new Date();
     const duration = endTime.getTime() - startTime.getTime();
+    // Build MCP trust summary from trust-score findings emitted by mcpValidator
+    const mcpTrustFindings = sortedFindings.filter(f => f.metadata?.['issueType'] === 'trust-score');
+    const mcpTrustSummary = mcpTrustFindings.length > 0 ? buildMcpTrustSummary(mcpTrustFindings) : undefined;
     const result = {
         success: true,
         startTime,
@@ -604,6 +542,7 @@ export async function scan(config) {
         summary: calculateSummary(sortedFindings),
         errors,
         ignoredFindings,
+        ...(mcpTrustSummary !== undefined ? { mcpTrustSummary } : {}),
     };
     logger.info(`Scan complete: ${result.summary.total} findings in ${result.analyzedFiles} files (${duration}ms)`);
     return result;

package/dist/scanner/analyzers/CapabilityAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class CapabilityAnalyzer implements IAnalyzer {
+    readonly name = "CapabilityAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=CapabilityAnalyzer.d.ts.map

package/dist/scanner/analyzers/CapabilityAnalyzer.js

@@ -0,0 +1,19 @@
+import { analyzeCapabilitiesContent, capabilityProfileToFindings } from '../../features/capabilityMapping.js';
+export class CapabilityAnalyzer {
+    name = 'CapabilityAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.capabilityMapping && ctx.file.type === 'json';
+    }
+    async analyze(ctx) {
+        const profile = analyzeCapabilitiesContent(ctx.file.path, ctx.content);
+        if (!profile) {
+            return [];
+        }
+        const capFindings = capabilityProfileToFindings(profile);
+        for (const f of capFindings) {
+            f.relativePath = ctx.file.relativePath;
+        }
+        return capFindings;
+    }
+}
+//# sourceMappingURL=CapabilityAnalyzer.js.map

package/dist/scanner/analyzers/DependencyAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class DependencyAnalyzer implements IAnalyzer {
+    readonly name = "DependencyAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=DependencyAnalyzer.d.ts.map

package/dist/scanner/analyzers/DependencyAnalyzer.js

@@ -0,0 +1,18 @@
+import { basename } from 'node:path';
+import { analyzeDependencies, dependencyAssessmentsToFindings } from '../../features/dependencyRisk.js';
+export class DependencyAnalyzer {
+    name = 'DependencyAnalyzer';
+    shouldRun(ctx) {
+        return (ctx.config.dependencyAnalysis &&
+            basename(ctx.file.path).toLowerCase() === 'package.json');
+    }
+    async analyze(ctx) {
+        const depResult = analyzeDependencies(ctx.file.path, ctx.config.dependencyAudit);
+        const depFindings = dependencyAssessmentsToFindings(depResult);
+        for (const f of depFindings) {
+            f.relativePath = ctx.file.relativePath;
+        }
+        return depFindings;
+    }
+}
+//# sourceMappingURL=DependencyAnalyzer.js.map

package/dist/scanner/analyzers/EntropyAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class EntropyAnalyzer implements IAnalyzer {
+    readonly name = "EntropyAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=EntropyAnalyzer.d.ts.map

package/dist/scanner/analyzers/EntropyAnalyzer.js

@@ -0,0 +1,12 @@
+import { analyzeEntropy, entropyFindingsToFindings } from '../../features/entropyAnalysis.js';
+export class EntropyAnalyzer {
+    name = 'EntropyAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.entropyAnalysis;
+    }
+    async analyze(ctx) {
+        const entropyFindings = analyzeEntropy(ctx.content, ctx.file);
+        return entropyFindingsToFindings(entropyFindings, ctx.file, ctx.content);
+    }
+}
+//# sourceMappingURL=EntropyAnalyzer.js.map

package/dist/scanner/analyzers/LlmAnalyzer.d.ts

@@ -0,0 +1,17 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+import { type LlmProvider } from '../../features/llmAnalysis.js';
+export interface LlmRuntime {
+    analyzed: number;
+    disabled: boolean;
+    disabledReason?: string;
+}
+export declare class LlmAnalyzer implements IAnalyzer {
+    private readonly llmProvider;
+    private readonly llmRuntime;
+    readonly name = "LlmAnalyzer";
+    constructor(llmProvider: LlmProvider | null, llmRuntime: LlmRuntime);
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=LlmAnalyzer.d.ts.map

package/dist/scanner/analyzers/LlmAnalyzer.js

@@ -0,0 +1,36 @@
+import { analyzeWithLlm } from '../../features/llmAnalysis.js';
+import logger from '../../utils/logger.js';
+export class LlmAnalyzer {
+    llmProvider;
+    llmRuntime;
+    name = 'LlmAnalyzer';
+    constructor(llmProvider, llmRuntime) {
+        this.llmProvider = llmProvider;
+        this.llmRuntime = llmRuntime;
+    }
+    shouldRun(ctx) {
+        return (ctx.config.llmAnalysis &&
+            this.llmProvider !== null &&
+            !this.llmRuntime.disabled &&
+            this.llmRuntime.analyzed < ctx.config.llm.maxFiles);
+    }
+    async analyze(ctx) {
+        // shouldRun already guards llmProvider non-null, but TypeScript needs the cast
+        const provider = this.llmProvider;
+        const llmResult = await analyzeWithLlm(provider, ctx.config.llm, ctx.file, ctx.content, ctx.existingFindings);
+        if (llmResult.ran) {
+            this.llmRuntime.analyzed += 1;
+        }
+        if (llmResult.error) {
+            if (!this.llmRuntime.disabled && /\bHTTP 429\b/i.test(llmResult.error)) {
+                this.llmRuntime.disabled = true;
+                this.llmRuntime.disabledReason = 'rate limited (HTTP 429)';
+                logger.warn('LLM disabled for remainder of scan due to rate limiting (HTTP 429)');
+            }
+            // Re-throw so the caller's catch block records it as a file error
+            throw new Error(`LLM analysis: ${llmResult.error}`);
+        }
+        return llmResult.findings;
+    }
+}
+//# sourceMappingURL=LlmAnalyzer.js.map

package/dist/scanner/analyzers/McpAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class McpAnalyzer implements IAnalyzer {
+    readonly name = "McpAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=McpAnalyzer.d.ts.map

package/dist/scanner/analyzers/McpAnalyzer.js

@@ -0,0 +1,19 @@
+import { validateMcpConfigContent, mcpAssessmentsToFindings } from '../../features/mcpValidator.js';
+export class McpAnalyzer {
+    name = 'McpAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.mcpValidation && ctx.file.component === 'mcp' && ctx.file.type === 'json';
+    }
+    async analyze(ctx) {
+        const mcpResult = validateMcpConfigContent(ctx.content);
+        if (!mcpResult.valid || mcpResult.assessments.length === 0) {
+            return [];
+        }
+        const mcpFindings = mcpAssessmentsToFindings(mcpResult.assessments, ctx.file.path);
+        for (const f of mcpFindings) {
+            f.relativePath = ctx.file.relativePath;
+        }
+        return mcpFindings;
+    }
+}
+//# sourceMappingURL=McpAnalyzer.js.map

package/dist/scanner/analyzers/SemanticAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class SemanticAnalyzer implements IAnalyzer {
+    readonly name = "SemanticAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=SemanticAnalyzer.d.ts.map

package/dist/scanner/analyzers/SemanticAnalyzer.js

@@ -0,0 +1,21 @@
+import { analyzeFile as analyzeFileSemantics, shouldAnalyze as shouldAnalyzeSemantics, getMemoryUsage, } from '../../analyzers/AstAnalyzer.js';
+import logger from '../../utils/logger.js';
+export class SemanticAnalyzer {
+    name = 'SemanticAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.semanticAnalysis && shouldAnalyzeSemantics(ctx.file, ctx.config);
+    }
+    async analyze(ctx) {
+        const memBefore = getMemoryUsage();
+        if (memBefore.used > 1000) {
+            logger.warn(`High memory usage (${memBefore.used}MB) - skipping semantic analysis for ${ctx.file.relativePath}`);
+            return [];
+        }
+        logger.debug(`Running semantic analysis on ${ctx.file.relativePath}`);
+        const semanticFindings = await analyzeFileSemantics(ctx.file, ctx.content, ctx.rules);
+        const memAfter = getMemoryUsage();
+        logger.debug(`Semantic analysis memory: ${memAfter.used - memBefore.used}MB delta`);
+        return semanticFindings;
+    }
+}
+//# sourceMappingURL=SemanticAnalyzer.js.map

package/dist/scanner/analyzers/ThreatIntelAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import type { Finding } from '../../types.js';
+import type { IAnalyzer, AnalyzerContext } from '../IAnalyzer.js';
+export declare class ThreatIntelAnalyzer implements IAnalyzer {
+    readonly name = "ThreatIntelAnalyzer";
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=ThreatIntelAnalyzer.d.ts.map

package/dist/scanner/analyzers/ThreatIntelAnalyzer.js

@@ -0,0 +1,21 @@
+import { loadThreatDatabase } from '../../intelligence/ThreatFeed.js';
+import { matchIndicators, shouldMatchIndicators } from '../../intelligence/IndicatorMatcher.js';
+import logger from '../../utils/logger.js';
+export class ThreatIntelAnalyzer {
+    name = 'ThreatIntelAnalyzer';
+    shouldRun(ctx) {
+        return ctx.config.threatIntel && shouldMatchIndicators(ctx.file, ctx.config);
+    }
+    async analyze(ctx) {
+        const threatDB = loadThreatDatabase();
+        logger.debug(`Running threat intelligence matching on ${ctx.file.relativePath}`);
+        const threatFindings = matchIndicators(threatDB, ctx.file, ctx.content, {
+            minConfidence: 50,
+            enablePatternMatching: true,
+            maxMatchesPerFile: 50,
+        });
+        logger.debug(`Found ${threatFindings.length} threat intelligence matches`);
+        return threatFindings;
+    }
+}
+//# sourceMappingURL=ThreatIntelAnalyzer.js.map

package/dist/types.d.ts

@@ -217,6 +217,23 @@ export interface ScanResult {
     errors: ScanError[];
     /** Findings that were suppressed via inline ignore directives */
     ignoredFindings?: number;
+    /** Aggregate MCP server trust score summary (present when MCP configs were scanned) */
+    mcpTrustSummary?: McpTrustSummary;
+}
+/** Aggregated MCP server trust scores across a scan */
+export interface McpTrustSummary {
+    /** Total number of MCP servers evaluated */
+    total: number;
+    /** Servers with HIGH trust (score 80–100) */
+    high: number;
+    /** Servers with MEDIUM trust (score 60–79) */
+    medium: number;
+    /** Servers with LOW trust (score 40–59) */
+    low: number;
+    /** Servers with CRITICAL trust (score 0–39) */
+    critical: number;
+    /** Lowest individual trust score seen */
+    lowestScore: number;
 }
 /** Summary statistics for a scan */
 export interface ScanSummary {

package/dist/types.js

@@ -8,7 +8,7 @@ export const DEFAULT_CONFIG = {
     configOnly: false,
     marketplaceMode: 'configs',
     docDampening: true,
-    redact: false,
+    redact: true,
     severities: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'],
     categories: [
         'exfiltration',

package/dist/utils/safeRegex.d.ts

@@ -1,6 +1,8 @@
 /**
- * Safe regex runtime utilities with bounded runtime and match limits
+ * Safe regex runtime utilities with bounded runtime and match limits.
  *
+ * Uses Google RE2 (linear-time engine) when available for categorically
+ * safe pattern execution. Falls back to the screened native JS engine.
  * Prevents ReDoS attacks and runaway regex matching in user-controlled patterns.
  */
 export interface BoundedOptions {
@@ -16,19 +18,19 @@ export interface BoundedResult {
     truncated: boolean;
 }
 /**
- * Compile a pattern string into a RegExp, rejecting obviously dangerous patterns.
+ * Compile a pattern string into a RegExp (or RE2 instance when available).
  *
- * This function screens for common ReDoS patterns and syntax errors before
- * compilation, returning null for unsafe inputs.
+ * Tries RE2 first — it is a linear-time engine that categorically eliminates
+ * ReDoS. If RE2 is unavailable or rejects the pattern (e.g. lookaheads), falls
+ * back to the static ReDoS screener + native RegExp.
  *
  * @param raw The raw pattern string
  * @param flags Regex flags (default: 'gi')
- * @returns Compiled RegExp or null if pattern is unsafe
+ * @returns Compiled RegExp/RE2 or null if pattern is unsafe/invalid
  *
  * @example
  * ```typescript
  * const safe = compileSafePattern('test\\d+');   // OK
- * const unsafe = compileSafePattern('(a+)+b');   // null - ReDoS risk
  * const invalid = compileSafePattern('[unclosed'); // null - syntax error
  * ```
  */
@@ -36,59 +38,18 @@ export declare function compileSafePattern(raw: string, flags?: string): RegExp
 /**
  * Run a regex against content with bounded runtime and match limits.
  *
- * This function wraps RegExp for each step with timeout and match count protection
- * to prevent runaway regex operations from hanging the application.
- *
- * @param pattern The compiled RegExp to run
- * @param content The content to search
- * @param options Runtime limits
- * @returns Result containing matches and truncation status
- *
- * @example
- * ```typescript
- * const pattern = /test\d+/g;
- * const { matches, truncated } = runBounded(pattern, content, { maxMs: 500 });
- * if (truncated) {
- *   console.warn('Regex operation was truncated');
- * }
- * ```
+ * When RE2 is active the time budget is largely redundant (RE2 is linear),
+ * but the match-count ceiling still prevents unbounded result arrays.
  */
 export declare function runBounded(pattern: RegExp, content: string, options?: BoundedOptions): BoundedResult;
 /**
  * Safe pattern matching that combines compilation and bounded runtime.
- *
- * This is a convenience wrapper that safely compiles a pattern and runs
- * it with bounds, handling both compilation failures and runtime limits.
- *
- * @param rawPattern The raw pattern string
- * @param content The content to search
- * @param flags Regex flags (default: 'gi')
- * @param options Runtime limits
- * @returns Match result or null if pattern is unsafe
- *
- * @example
- * ```typescript
- * const result = safeMatch('test\\d+', content);
- * if (result === null) {
- *   console.warn('Unsafe or invalid pattern');
- * } else if (result.truncated) {
- *   console.warn('Pattern operation was bounded');
- * } else {
- *   console.log(`Found ${result.matches.length} matches`);
- * }
- * ```
  */
 export declare function safeMatch(rawPattern: string, content: string, flags?: string, options?: BoundedOptions): BoundedResult | null;
 /**
  * Test if a pattern matches content safely, returning boolean result.
- *
- * This is equivalent to RegExp.test() but with safety checks and bounds.
- * Returns false for unsafe patterns or bounded operations.
- *
- * @param rawPattern The raw pattern string
- * @param content The content to test
- * @param flags Regex flags (default: 'i')
- * @returns True if pattern matches safely, false otherwise
  */
 export declare function safeTest(rawPattern: string, content: string, flags?: string): boolean;
+/** Returns true when RE2 is active (linear-time engine). */
+export declare function isRE2Active(): boolean;
 //# sourceMappingURL=safeRegex.d.ts.map