ferret-scan 2.2.0 → 2.4.0

package/dist/__tests__/webhooks.extra.test.js

@@ -0,0 +1,144 @@
+/**
+ * Additional Webhook Tests
+ * Covers sendWebhook with slack/discord/teams includeDetails formatting
+ */
+import { sendWebhook } from '../features/webhooks.js';
+function makeFinding(overrides = {}) {
+    return {
+        ruleId: 'INJ-001',
+        ruleName: 'Test Rule',
+        severity: 'HIGH',
+        category: 'injection',
+        file: '/test.md',
+        relativePath: 'test.md',
+        line: 5,
+        match: 'bad content',
+        context: [],
+        remediation: 'fix it',
+        timestamp: new Date(),
+        riskScore: 50,
+        ...overrides,
+    };
+}
+function makeScanResult(findings = [], overrides = {}) {
+    return {
+        success: true,
+        startTime: new Date(),
+        endTime: new Date(),
+        duration: 1000,
+        scannedPaths: ['/project'],
+        totalFiles: 5,
+        analyzedFiles: 4,
+        skippedFiles: 1,
+        findings,
+        findingsBySeverity: {
+            CRITICAL: findings.filter(f => f.severity === 'CRITICAL'),
+            HIGH: findings.filter(f => f.severity === 'HIGH'),
+            MEDIUM: findings.filter(f => f.severity === 'MEDIUM'),
+            LOW: findings.filter(f => f.severity === 'LOW'),
+            INFO: findings.filter(f => f.severity === 'INFO'),
+        },
+        findingsByCategory: {},
+        overallRiskScore: 50,
+        summary: {
+            critical: findings.filter(f => f.severity === 'CRITICAL').length,
+            high: findings.filter(f => f.severity === 'HIGH').length,
+            medium: findings.filter(f => f.severity === 'MEDIUM').length,
+            low: findings.filter(f => f.severity === 'LOW').length,
+            info: 0,
+            total: findings.length,
+        },
+        errors: [],
+        ...overrides,
+    };
+}
+describe('sendWebhook with includeDetails', () => {
+    let originalFetch;
+    beforeEach(() => {
+        originalFetch = globalThis.fetch;
+        globalThis.fetch = jest.fn().mockResolvedValue({
+            ok: true,
+            status: 200,
+            text: () => Promise.resolve(''),
+        });
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+    });
+    it('sends slack with includeDetails and CRITICAL findings', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'CRITICAL' })]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            includeDetails: true,
+        });
+        expect(result.success).toBe(true);
+        expect(globalThis.fetch).toHaveBeenCalled();
+        const body = JSON.parse(globalThis.fetch.mock.calls[0][1]?.body);
+        expect(body.attachments).toBeDefined();
+    });
+    it('sends discord with includeDetails', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'HIGH' })]), {
+            url: 'https://discord.com/api/webhooks/x/y',
+            type: 'discord',
+            includeDetails: true,
+        });
+        expect(result.success).toBe(true);
+        const body = JSON.parse(globalThis.fetch.mock.calls[0][1]?.body);
+        expect(body.embeds).toBeDefined();
+    });
+    it('sends teams with includeDetails', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'MEDIUM' })]), {
+            url: 'https://org.webhook.office.com/webhook',
+            type: 'teams',
+            includeDetails: true,
+        });
+        expect(result.success).toBe(true);
+        const body = JSON.parse(globalThis.fetch.mock.calls[0][1]?.body);
+        expect(body['@type']).toBe('MessageCard');
+    });
+    it('sends generic webhook without error', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding()]), {
+            url: 'https://custom-webhook.example.com/hook',
+            type: 'generic',
+            includeDetails: true,
+            headers: { 'X-Custom-Token': 'abc123' },
+        });
+        expect(result.success).toBe(true);
+        const [, options] = globalThis.fetch.mock.calls[0];
+        expect(options.headers['X-Custom-Token']).toBe('abc123');
+    });
+    it('sends with medium severity findings triggering yellow color', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'MEDIUM' })]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            includeDetails: false,
+        });
+        expect(result.success).toBe(true);
+    });
+    it('sends with no findings (green color path)', async () => {
+        const result = await sendWebhook(makeScanResult([]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            includeDetails: false,
+        });
+        expect(result.success).toBe(true);
+    });
+    it('respects custom timeout option', async () => {
+        const result = await sendWebhook(makeScanResult(), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            timeout: 5000,
+        });
+        expect(result.success).toBe(true);
+    });
+    it('skips sending when all findings are below minSeverity', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'LOW' }), makeFinding({ severity: 'INFO' })]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            minSeverity: 'HIGH',
+        });
+        expect(result.success).toBe(true);
+        expect(globalThis.fetch).not.toHaveBeenCalled();
+    });
+});
+//# sourceMappingURL=webhooks.extra.test.js.map

package/dist/__tests__/webhooks.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Webhooks Tests
+ * Tests for detectWebhookType and sendWebhook (mocking fetch).
+ */
+export {};
+//# sourceMappingURL=webhooks.test.d.ts.map

package/dist/__tests__/webhooks.test.js

@@ -0,0 +1,154 @@
+/**
+ * Webhooks Tests
+ * Tests for detectWebhookType and sendWebhook (mocking fetch).
+ */
+import { detectWebhookType, sendWebhook, } from '../features/webhooks.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function makeFinding(overrides = {}) {
+    return {
+        ruleId: 'INJ-001',
+        ruleName: 'Test Rule',
+        severity: 'HIGH',
+        category: 'injection',
+        file: '/test.md',
+        relativePath: 'test.md',
+        line: 5,
+        match: 'bad content',
+        context: [],
+        remediation: 'fix it',
+        timestamp: new Date(),
+        riskScore: 50,
+        ...overrides,
+    };
+}
+function makeScanResult(findings = []) {
+    return {
+        success: true,
+        startTime: new Date(),
+        endTime: new Date(),
+        duration: 1000,
+        scannedPaths: ['/project'],
+        totalFiles: 5,
+        analyzedFiles: 4,
+        skippedFiles: 1,
+        findings,
+        findingsBySeverity: {
+            CRITICAL: findings.filter(f => f.severity === 'CRITICAL'),
+            HIGH: findings.filter(f => f.severity === 'HIGH'),
+            MEDIUM: findings.filter(f => f.severity === 'MEDIUM'),
+            LOW: findings.filter(f => f.severity === 'LOW'),
+            INFO: findings.filter(f => f.severity === 'INFO'),
+        },
+        findingsByCategory: {},
+        overallRiskScore: 50,
+        summary: {
+            critical: 0,
+            high: findings.filter(f => f.severity === 'HIGH').length,
+            medium: 0, low: 0, info: 0,
+            total: findings.length,
+        },
+        errors: [],
+    };
+}
+function makeWebhookConfig(overrides = {}) {
+    return {
+        url: 'https://hooks.example.com/webhook',
+        type: 'generic',
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// detectWebhookType
+// ---------------------------------------------------------------------------
+describe('detectWebhookType', () => {
+    it('detects Slack URL', () => {
+        expect(detectWebhookType('https://hooks.slack.com/services/xxx')).toBe('slack');
+    });
+    it('detects Discord URL', () => {
+        expect(detectWebhookType('https://discord.com/api/webhooks/123/abc')).toBe('discord');
+    });
+    it('detects Teams from webhook.office.com', () => {
+        expect(detectWebhookType('https://myorg.webhook.office.com/webhookb2/xxx')).toBe('teams');
+    });
+    it('detects Teams from outlook.office.com', () => {
+        expect(detectWebhookType('https://myorg.outlook.office.com/webhook/xxx')).toBe('teams');
+    });
+    it('returns generic for unknown URLs', () => {
+        expect(detectWebhookType('https://my-custom-webhook.example.com/hook')).toBe('generic');
+    });
+    it('returns generic for empty string', () => {
+        expect(detectWebhookType('')).toBe('generic');
+    });
+});
+// ---------------------------------------------------------------------------
+// sendWebhook — with mocked fetch
+// ---------------------------------------------------------------------------
+describe('sendWebhook', () => {
+    let originalFetch;
+    beforeEach(() => {
+        originalFetch = globalThis.fetch;
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+    });
+    function mockFetch(status, ok, body = '') {
+        globalThis.fetch = jest.fn().mockResolvedValue({
+            ok,
+            status,
+            text: () => Promise.resolve(body),
+        });
+    }
+    it('returns success when fetch succeeds with 200', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult(), makeWebhookConfig());
+        expect(result.success).toBe(true);
+        expect(result.statusCode).toBe(200);
+    });
+    it('returns failure when fetch returns non-ok status', async () => {
+        mockFetch(500, false, 'Internal Server Error');
+        const result = await sendWebhook(makeScanResult(), makeWebhookConfig());
+        expect(result.success).toBe(false);
+        expect(result.statusCode).toBe(500);
+    });
+    it('returns failure when fetch throws', async () => {
+        globalThis.fetch = jest.fn().mockRejectedValue(new Error('network error'));
+        const result = await sendWebhook(makeScanResult(), makeWebhookConfig());
+        expect(result.success).toBe(false);
+        expect(result.error).toContain('network error');
+    });
+    it('sends to slack type without error', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ type: 'slack', url: 'https://hooks.slack.com/services/xxx' }));
+        expect(result.success).toBe(true);
+    });
+    it('sends to discord type without error', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ type: 'discord', url: 'https://discord.com/api/webhooks/x/y' }));
+        expect(result.success).toBe(true);
+    });
+    it('sends to teams type without error', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ type: 'teams', url: 'https://org.webhook.office.com/webhook' }));
+        expect(result.success).toBe(true);
+    });
+    it('skips when minSeverity not met and findings exist', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'LOW' })]), makeWebhookConfig({ minSeverity: 'HIGH' }));
+        // Should return success=true without sending
+        expect(result.success).toBe(true);
+    });
+    it('sends when minSeverity is met', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'CRITICAL' })]), makeWebhookConfig({ minSeverity: 'HIGH' }));
+        expect(result.success).toBe(true);
+        expect(globalThis.fetch).toHaveBeenCalled();
+    });
+    it('includes details when includeDetails is true', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ includeDetails: true }));
+        expect(result.success).toBe(true);
+    });
+});
+//# sourceMappingURL=webhooks.test.js.map

package/dist/features/customRules.js

@@ -7,6 +7,7 @@ import { createHash } from 'node:crypto';
 import { resolve, extname } from 'node:path';
 import { parse as parseYaml } from 'yaml';
 import { z } from 'zod';
+import { compileSafePattern } from '../utils/safeRegex.js';
 import logger from '../utils/logger.js';
 /**
  * Schema for custom rule definition in YAML/JSON
@@ -139,14 +140,15 @@ function parseCustomRulesContent(content, sourceExt, sourceLabel) {
  * Convert custom rule definition to Rule object
  */
 function definitionToRule(def) {
-    // Compile regex patterns with error handling
+    // Compile regex patterns — reject unsafe patterns via compileSafePattern
     const patterns = [];
     for (const pattern of def.patterns) {
-        try {
-            patterns.push(new RegExp(pattern, 'gi'));
+        const compiled = compileSafePattern(pattern, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid regex pattern in rule ${def.id} (skipped): ${pattern}`);
         }
-        catch {
-            logger.warn(`Invalid regex pattern in rule ${def.id}: ${pattern}`);
+        else {
+            patterns.push(compiled);
         }
     }
     if (patterns.length === 0) {
@@ -154,33 +156,27 @@ function definitionToRule(def) {
     }
     // Compile exclude patterns
     const excludePatterns = def.excludePatterns?.map((p) => {
-        try {
-            return new RegExp(p, 'gi');
-        }
-        catch {
-            logger.warn(`Invalid exclude pattern in rule ${def.id}: ${p}`);
-            return null;
+        const compiled = compileSafePattern(p, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid exclude pattern in rule ${def.id} (skipped): ${p}`);
         }
+        return compiled;
     }).filter((p) => p !== null);
     // Compile require context patterns
     const requireContext = def.requireContext?.map((p) => {
-        try {
-            return new RegExp(p, 'gi');
-        }
-        catch {
-            logger.warn(`Invalid requireContext pattern in rule ${def.id}: ${p}`);
-            return null;
+        const compiled = compileSafePattern(p, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid requireContext pattern in rule ${def.id} (skipped): ${p}`);
         }
+        return compiled;
     }).filter((p) => p !== null);
     // Compile exclude context patterns
     const excludeContext = def.excludeContext?.map((p) => {
-        try {
-            return new RegExp(p, 'gi');
-        }
-        catch {
-            logger.warn(`Invalid excludeContext pattern in rule ${def.id}: ${p}`);
-            return null;
+        const compiled = compileSafePattern(p, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid excludeContext pattern in rule ${def.id} (skipped): ${p}`);
         }
+        return compiled;
     }).filter((p) => p !== null);
     const rule = {
         id: def.id,
@@ -458,14 +454,11 @@ export function validateCustomRulesFile(filePath) {
                 warnings,
             };
         }
-        // Validate regex patterns
+        // Validate regex patterns — also screen for ReDoS risks
         for (const rule of result.data.rules) {
             for (const pattern of rule.patterns) {
-                try {
-                    void new RegExp(pattern, 'gi');
-                }
-                catch {
-                    errors.push(`Rule ${rule.id}: Invalid regex pattern "${pattern}"`);
+                if (compileSafePattern(pattern, 'gi') === null) {
+                    errors.push(`Rule ${rule.id}: Unsafe or invalid regex pattern "${pattern}"`);
                 }
             }
         }

package/dist/features/mcpTrustScore.d.ts

@@ -0,0 +1,17 @@
+/**
+ * MCP Server Trust Scoring
+ * Evaluates the security posture of an MCP server configuration.
+ */
+export interface McpTrustResult {
+    score: number;
+    trustLevel: 'HIGH' | 'MEDIUM' | 'LOW' | 'CRITICAL';
+    flags: string[];
+}
+/**
+ * Score an MCP server configuration entry.
+ *
+ * @param serverConfig - A single MCP server config object (value from `mcpServers` map)
+ * @returns Trust score (0-100), trust level, and list of flags
+ */
+export declare function scoreMcpServer(serverConfig: unknown): McpTrustResult;
+//# sourceMappingURL=mcpTrustScore.d.ts.map

package/dist/features/mcpTrustScore.js

@@ -0,0 +1,74 @@
+/**
+ * MCP Server Trust Scoring
+ * Evaluates the security posture of an MCP server configuration.
+ */
+// Known suspicious package names / name fragments
+const SUSPICIOUS_NAMES = [
+    'shadow', 'stealer', 'exfil', 'beacon', 'c2-', '-c2',
+    'keylog', 'implant', 'dropper', 'exploit',
+];
+/**
+ * Score an MCP server configuration entry.
+ *
+ * @param serverConfig - A single MCP server config object (value from `mcpServers` map)
+ * @returns Trust score (0-100), trust level, and list of flags
+ */
+export function scoreMcpServer(serverConfig) {
+    const flags = [];
+    let score = 100;
+    if (typeof serverConfig !== 'object' || serverConfig === null) {
+        return { score: 0, trustLevel: 'CRITICAL', flags: ['Invalid config object'] };
+    }
+    const cfg = serverConfig;
+    // Insecure transport
+    const transport = cfg['transport'];
+    if (transport === 'http' || transport === 'sse') {
+        score -= 30;
+        flags.push(`Insecure transport: '${transport}' — prefer stdio or wss`);
+    }
+    // Plain HTTP URL
+    const url = typeof cfg['url'] === 'string' ? cfg['url'] : '';
+    if (url.startsWith('http://')) {
+        score -= 25;
+        flags.push('Plain HTTP URL — credentials and tool calls are transmitted in cleartext');
+    }
+    // Unpinned npx command
+    const command = typeof cfg['command'] === 'string' ? cfg['command'] : '';
+    if (command === 'npx' || command.endsWith('/npx')) {
+        const args = Array.isArray(cfg['args']) ? cfg['args'] : [];
+        const firstArg = args[0] ?? '';
+        if (firstArg && !firstArg.includes('@') && !firstArg.startsWith('-')) {
+            score -= 20;
+            flags.push(`Unpinned npx package '${firstArg}' — pin to a specific version to prevent rug pulls`);
+        }
+    }
+    // Dangerous flags in args
+    const args = Array.isArray(cfg['args']) ? cfg['args'] : [];
+    for (const arg of args) {
+        if (typeof arg === 'string' && (arg.includes('--allow-all') || arg.includes('--dangerously-skip'))) {
+            score -= 30;
+            flags.push(`Dangerous arg '${arg}' — bypasses MCP safety checks`);
+        }
+    }
+    // Suspicious name
+    const name = typeof cfg['name'] === 'string' ? cfg['name'].toLowerCase() : '';
+    const pkg = args.find(a => typeof a === 'string' && !a.startsWith('-')) ?? '';
+    const combined = `${name} ${pkg}`.toLowerCase();
+    for (const pattern of SUSPICIOUS_NAMES) {
+        if (combined.includes(pattern)) {
+            score -= 50;
+            flags.push(`Name matches suspicious pattern '${pattern}'`);
+            break;
+        }
+    }
+    const clampedScore = Math.max(0, Math.min(100, score));
+    return {
+        score: clampedScore,
+        trustLevel: clampedScore >= 80 ? 'HIGH'
+            : clampedScore >= 60 ? 'MEDIUM'
+                : clampedScore >= 40 ? 'LOW'
+                    : 'CRITICAL',
+        flags,
+    };
+}
+//# sourceMappingURL=mcpTrustScore.js.map

package/dist/features/mcpValidator.d.ts

@@ -3,6 +3,7 @@
  * Validates .mcp.json files for dangerous permissions, untrusted sources, etc.
  */
 import type { Finding, Severity } from '../types.js';
+import { type McpTrustResult } from './mcpTrustScore.js';
 /**
  * Risk assessment for MCP servers
  */
@@ -18,6 +19,7 @@ export interface McpRiskAssessment {
     capabilities: string[];
     command?: string | undefined;
     url?: string | undefined;
+    trustScore?: McpTrustResult | undefined;
 }
 /**
  * Validate MCP configuration JSON content

package/dist/features/mcpValidator.js

@@ -7,6 +7,7 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { resolve, basename } from 'node:path';
 import { z } from 'zod';
+import { scoreMcpServer } from './mcpTrustScore.js';
 /**
  * MCP Server configuration schema
  */
@@ -282,6 +283,18 @@ export function validateMcpConfigContent(content) {
         for (const [name, config] of Object.entries(servers)) {
             if (typeof config === 'object' && config !== null) {
                 const assessment = analyzeServer(name, config);
+                // Augment with trust score; surface CRITICAL/LOW trust as issues
+                assessment.trustScore = scoreMcpServer({ ...config, name });
+                if (assessment.trustScore.trustLevel === 'CRITICAL' || assessment.trustScore.trustLevel === 'LOW') {
+                    for (const flag of assessment.trustScore.flags) {
+                        assessment.issues.push({
+                            type: 'trust-score',
+                            severity: assessment.trustScore.trustLevel === 'CRITICAL' ? 'CRITICAL' : 'HIGH',
+                            description: `Trust score ${assessment.trustScore.score}/100: ${flag}`,
+                            remediation: 'Review MCP server configuration and address the flagged concern.',
+                        });
+                    }
+                }
                 assessments.push(assessment);
             }
         }

package/dist/features/policyEnforcement.d.ts

@@ -24,17 +24,17 @@ declare const PolicyRuleSchema: z.ZodObject<{
         minRiskScore: z.ZodOptional<z.ZodNumber>;
         maxFindings: z.ZodOptional<z.ZodNumber>;
     }, "strip", z.ZodTypeAny, {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     }, {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     }>;
@@ -44,10 +44,10 @@ declare const PolicyRuleSchema: z.ZodObject<{
     enabled: boolean;
     action: "warn" | "ignore" | "block";
     conditions: {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     };
@@ -56,10 +56,10 @@ declare const PolicyRuleSchema: z.ZodObject<{
 }, {
     id: string;
     conditions: {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     };
@@ -88,17 +88,17 @@ declare const PolicyConfigSchema: z.ZodObject<{
             minRiskScore: z.ZodOptional<z.ZodNumber>;
             maxFindings: z.ZodOptional<z.ZodNumber>;
         }, "strip", z.ZodTypeAny, {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         }, {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         }>;
@@ -108,10 +108,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
         enabled: boolean;
         action: "warn" | "ignore" | "block";
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -120,10 +120,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
     }, {
         id: string;
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -182,10 +182,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
         enabled: boolean;
         action: "warn" | "ignore" | "block";
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -198,10 +198,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
     rules: {
         id: string;
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -313,10 +313,10 @@ declare const _default: {
             enabled: boolean;
             action: "warn" | "ignore" | "block";
             conditions: {
-                categories?: string[] | undefined;
                 ruleIds?: string[] | undefined;
-                severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+                categories?: string[] | undefined;
                 filePatterns?: string[] | undefined;
+                severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
                 minRiskScore?: number | undefined;
                 maxFindings?: number | undefined;
             };