fivosense 0.1.0

package/dist/engine/sinks.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Catalog of dangerous sinks (vulnerability endpoints)
+ * These are operations that can cause security issues if fed untrusted data
+ */
+export interface SinkPattern {
+    pattern: string;
+    category: 'sql' | 'nosql' | 'command' | 'code' | 'xss' | 'path' | 'xxe';
+    description: string;
+    severity: 'critical' | 'high' | 'medium';
+    cwe?: string;
+}
+/**
+ * SQL injection sinks
+ */
+export declare const SQL_SINKS: SinkPattern[];
+/**
+ * NoSQL injection sinks
+ */
+export declare const NOSQL_SINKS: SinkPattern[];
+/**
+ * Command injection sinks
+ */
+export declare const COMMAND_SINKS: SinkPattern[];
+/**
+ * Code injection sinks
+ */
+export declare const CODE_SINKS: SinkPattern[];
+/**
+ * XSS sinks
+ */
+export declare const XSS_SINKS: SinkPattern[];
+/**
+ * Path traversal sinks
+ */
+export declare const PATH_SINKS: SinkPattern[];
+/**
+ * All sinks combined
+ */
+export declare const ALL_SINKS: SinkPattern[];
+/**
+ * Check if a code string matches any sink pattern
+ */
+export declare function isSink(code: string): SinkPattern | null;
+/**
+ * Get all sinks matching a category
+ */
+export declare function getSinksByCategory(category: SinkPattern['category']): SinkPattern[];
+/**
+ * Get sinks by severity
+ */
+export declare function getSinksBySeverity(severity: SinkPattern['severity']): SinkPattern[];
+//# sourceMappingURL=sinks.d.ts.map

package/dist/engine/sinks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sinks.d.ts","sourceRoot":"","sources":["../../src/engine/sinks.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;IACxE,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,WAAW,EAMlC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,WAAW,EAAE,WAAW,EAKpC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,WAAW,EAMtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,UAAU,EAAE,WAAW,EAKnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,WAAW,EAMlC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,UAAU,EAAE,WAAW,EAKnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,SAAS,eAOrB,CAAC;AAEF;;GAEG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAOvD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,WAAW,CAAC,UAAU,CAAC,GAAG,WAAW,EAAE,CAEnF;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,WAAW,CAAC,UAAU,CAAC,GAAG,WAAW,EAAE,CAEnF"}

package/dist/engine/sinks.js

@@ -0,0 +1,96 @@
+/**
+ * Catalog of dangerous sinks (vulnerability endpoints)
+ * These are operations that can cause security issues if fed untrusted data
+ */
+/**
+ * SQL injection sinks
+ */
+export const SQL_SINKS = [
+    { pattern: 'db.execute', category: 'sql', description: 'SQL execution', severity: 'critical', cwe: 'CWE-89' },
+    { pattern: 'db.query', category: 'sql', description: 'SQL query', severity: 'critical', cwe: 'CWE-89' },
+    { pattern: 'connection.query', category: 'sql', description: 'MySQL query', severity: 'critical', cwe: 'CWE-89' },
+    { pattern: 'pool.query', category: 'sql', description: 'Connection pool query', severity: 'critical', cwe: 'CWE-89' },
+    { pattern: 'executeQuery', category: 'sql', description: 'Generic SQL exec', severity: 'critical', cwe: 'CWE-89' },
+];
+/**
+ * NoSQL injection sinks
+ */
+export const NOSQL_SINKS = [
+    { pattern: 'find', category: 'nosql', description: 'MongoDB find', severity: 'high', cwe: 'CWE-943' },
+    { pattern: 'findOne', category: 'nosql', description: 'MongoDB findOne', severity: 'high', cwe: 'CWE-943' },
+    { pattern: 'updateOne', category: 'nosql', description: 'MongoDB update', severity: 'high', cwe: 'CWE-943' },
+    { pattern: 'deleteOne', category: 'nosql', description: 'MongoDB delete', severity: 'high', cwe: 'CWE-943' },
+];
+/**
+ * Command injection sinks
+ */
+export const COMMAND_SINKS = [
+    { pattern: 'exec', category: 'command', description: 'Command execution', severity: 'critical', cwe: 'CWE-78' },
+    { pattern: 'execSync', category: 'command', description: 'Sync command exec', severity: 'critical', cwe: 'CWE-78' },
+    { pattern: 'spawn', category: 'command', description: 'Process spawn', severity: 'critical', cwe: 'CWE-78' },
+    { pattern: 'spawnSync', category: 'command', description: 'Sync process spawn', severity: 'critical', cwe: 'CWE-78' },
+    { pattern: 'execFile', category: 'command', description: 'File execution', severity: 'critical', cwe: 'CWE-78' },
+];
+/**
+ * Code injection sinks
+ */
+export const CODE_SINKS = [
+    { pattern: 'eval', category: 'code', description: 'Code evaluation', severity: 'critical', cwe: 'CWE-94' },
+    { pattern: 'Function', category: 'code', description: 'Dynamic function creation', severity: 'critical', cwe: 'CWE-94' },
+    { pattern: 'setTimeout', category: 'code', description: 'Delayed code exec', severity: 'high', cwe: 'CWE-94' },
+    { pattern: 'setInterval', category: 'code', description: 'Repeated code exec', severity: 'high', cwe: 'CWE-94' },
+];
+/**
+ * XSS sinks
+ */
+export const XSS_SINKS = [
+    { pattern: 'res.send', category: 'xss', description: 'HTTP response', severity: 'high', cwe: 'CWE-79' },
+    { pattern: 'res.write', category: 'xss', description: 'HTTP write', severity: 'high', cwe: 'CWE-79' },
+    { pattern: 'innerHTML', category: 'xss', description: 'DOM innerHTML', severity: 'critical', cwe: 'CWE-79' },
+    { pattern: 'outerHTML', category: 'xss', description: 'DOM outerHTML', severity: 'critical', cwe: 'CWE-79' },
+    { pattern: 'document.write', category: 'xss', description: 'Document write', severity: 'critical', cwe: 'CWE-79' },
+];
+/**
+ * Path traversal sinks
+ */
+export const PATH_SINKS = [
+    { pattern: 'fs.readFile', category: 'path', description: 'File read', severity: 'high', cwe: 'CWE-22' },
+    { pattern: 'fs.writeFile', category: 'path', description: 'File write', severity: 'critical', cwe: 'CWE-22' },
+    { pattern: 'fs.unlink', category: 'path', description: 'File delete', severity: 'critical', cwe: 'CWE-22' },
+    { pattern: 'fs.readFileSync', category: 'path', description: 'Sync file read', severity: 'high', cwe: 'CWE-22' },
+];
+/**
+ * All sinks combined
+ */
+export const ALL_SINKS = [
+    ...SQL_SINKS,
+    ...NOSQL_SINKS,
+    ...COMMAND_SINKS,
+    ...CODE_SINKS,
+    ...XSS_SINKS,
+    ...PATH_SINKS,
+];
+/**
+ * Check if a code string matches any sink pattern
+ */
+export function isSink(code) {
+    for (const sink of ALL_SINKS) {
+        if (code.includes(sink.pattern)) {
+            return sink;
+        }
+    }
+    return null;
+}
+/**
+ * Get all sinks matching a category
+ */
+export function getSinksByCategory(category) {
+    return ALL_SINKS.filter(s => s.category === category);
+}
+/**
+ * Get sinks by severity
+ */
+export function getSinksBySeverity(severity) {
+    return ALL_SINKS.filter(s => s.severity === severity);
+}
+//# sourceMappingURL=sinks.js.map

package/dist/engine/sinks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sinks.js","sourceRoot":"","sources":["../../src/engine/sinks.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAkB;IACtC,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC7G,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IACvG,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IACjH,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IACrH,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;CACnH,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAkB;IACxC,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE;IACrG,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE;IAC3G,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE;IAC5G,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE;CAC7G,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAkB;IAC1C,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC/G,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IACnH,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC5G,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,oBAAoB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IACrH,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;CACjH,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAkB;IACvC,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC1G,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,2BAA2B,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IACxH,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC9G,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,oBAAoB,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE;CACjH,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAkB;IACtC,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE;IACvG,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE;IACrG,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC5G,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC5G,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;CACnH,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAkB;IACvC,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE;IACvG,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC7G,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC3G,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE;CACjH,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,GAAG,SAAS;IACZ,GAAG,WAAW;IACd,GAAG,aAAa;IAChB,GAAG,UAAU;IACb,GAAG,SAAS;IACZ,GAAG,UAAU;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,IAAY;IACjC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAiC;IAClE,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAiC;IAClE,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACxD,CAAC"}

package/dist/engine/sources.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Catalog of untrusted input sources (taint origins)
+ * These represent user-controlled data that could be malicious
+ */
+export interface SourcePattern {
+    pattern: string;
+    category: 'http' | 'file' | 'env' | 'cli' | 'external';
+    description: string;
+    severity: 'critical' | 'high' | 'medium';
+}
+/**
+ * HTTP/API sources - user input from web requests
+ */
+export declare const HTTP_SOURCES: SourcePattern[];
+/**
+ * File system sources - external file content
+ */
+export declare const FILE_SOURCES: SourcePattern[];
+/**
+ * Environment/config sources - potentially untrusted config
+ */
+export declare const ENV_SOURCES: SourcePattern[];
+/**
+ * All sources combined
+ */
+export declare const ALL_SOURCES: SourcePattern[];
+/**
+ * Check if a code string matches any source pattern
+ */
+export declare function isSource(code: string): SourcePattern | null;
+/**
+ * Get all sources matching a category
+ */
+export declare function getSourcesByCategory(category: SourcePattern['category']): SourcePattern[];
+//# sourceMappingURL=sources.d.ts.map

package/dist/engine/sources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.d.ts","sourceRoot":"","sources":["../../src/engine/sources.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,UAAU,CAAC;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;CAC1C;AAED;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,aAAa,EAUvC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,aAAa,EAIvC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,WAAW,EAAE,aAAa,EAGtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,WAAW,iBAIvB,CAAC;AAEF;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAO3D;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,aAAa,CAAC,UAAU,CAAC,GAAG,aAAa,EAAE,CAEzF"}

package/dist/engine/sources.js

@@ -0,0 +1,59 @@
+/**
+ * Catalog of untrusted input sources (taint origins)
+ * These represent user-controlled data that could be malicious
+ */
+/**
+ * HTTP/API sources - user input from web requests
+ */
+export const HTTP_SOURCES = [
+    { pattern: 'req.query', category: 'http', description: 'URL query parameters', severity: 'critical' },
+    { pattern: 'req.params', category: 'http', description: 'Route parameters', severity: 'critical' },
+    { pattern: 'req.body', category: 'http', description: 'Request body', severity: 'critical' },
+    { pattern: 'req.headers', category: 'http', description: 'HTTP headers', severity: 'high' },
+    { pattern: 'req.cookies', category: 'http', description: 'Cookies', severity: 'high' },
+    { pattern: 'request.query', category: 'http', description: 'Query string', severity: 'critical' },
+    { pattern: 'request.body', category: 'http', description: 'Request body', severity: 'critical' },
+    { pattern: 'ctx.request.body', category: 'http', description: 'Koa/context body', severity: 'critical' },
+    { pattern: 'ctx.query', category: 'http', description: 'Koa query', severity: 'critical' },
+];
+/**
+ * File system sources - external file content
+ */
+export const FILE_SOURCES = [
+    { pattern: 'fs.readFileSync', category: 'file', description: 'File content', severity: 'high' },
+    { pattern: 'fs.readFile', category: 'file', description: 'File content async', severity: 'high' },
+    { pattern: 'readFileSync', category: 'file', description: 'File read', severity: 'high' },
+];
+/**
+ * Environment/config sources - potentially untrusted config
+ */
+export const ENV_SOURCES = [
+    { pattern: 'process.env', category: 'env', description: 'Environment variables', severity: 'medium' },
+    { pattern: 'process.argv', category: 'cli', description: 'Command-line arguments', severity: 'high' },
+];
+/**
+ * All sources combined
+ */
+export const ALL_SOURCES = [
+    ...HTTP_SOURCES,
+    ...FILE_SOURCES,
+    ...ENV_SOURCES,
+];
+/**
+ * Check if a code string matches any source pattern
+ */
+export function isSource(code) {
+    for (const source of ALL_SOURCES) {
+        if (code.includes(source.pattern)) {
+            return source;
+        }
+    }
+    return null;
+}
+/**
+ * Get all sources matching a category
+ */
+export function getSourcesByCategory(category) {
+    return ALL_SOURCES.filter(s => s.category === category);
+}
+//# sourceMappingURL=sources.js.map

package/dist/engine/sources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.js","sourceRoot":"","sources":["../../src/engine/sources.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAoB;IAC3C,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE;IACrG,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAU,EAAE;IAClG,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC5F,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC3F,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE;IACtF,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE;IACjG,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChG,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAU,EAAE;IACxG,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE;CAC3F,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAoB;IAC3C,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC/F,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,oBAAoB,EAAE,QAAQ,EAAE,MAAM,EAAE;IACjG,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE;CAC1F,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAoB;IAC1C,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,uBAAuB,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACrG,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,wBAAwB,EAAE,QAAQ,EAAE,MAAM,EAAE;CACtG,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,WAAW;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAmC;IACtE,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAC1D,CAAC"}

package/dist/engine/taint.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Taint Analysis - tracks data flow from sources to sinks
+ * Generates taint-trace proofs for each vulnerability
+ */
+import { DataFlowGraph } from './graph.js';
+export interface TaintTrace {
+    finding: string;
+    severity: 'critical' | 'high' | 'medium';
+    category: string;
+    cwe?: string;
+    path: string;
+    evidence: string[];
+    location: {
+        file: string;
+        line: number;
+        column: number;
+    };
+    sanitized: boolean;
+    confidence: number;
+}
+/**
+ * Generate taint traces from data-flow graph
+ */
+export declare function generateTaintTraces(graph: DataFlowGraph, filename: string): TaintTrace[];
+/**
+ * Filter traces by severity
+ */
+export declare function filterBySeverity(traces: TaintTrace[], severity: 'critical' | 'high' | 'medium'): TaintTrace[];
+/**
+ * Get only vulnerable (unsanitized) traces
+ */
+export declare function getVulnerableTraces(traces: TaintTrace[]): TaintTrace[];
+/**
+ * Format trace for display
+ */
+export declare function formatTrace(trace: TaintTrace): string;
+//# sourceMappingURL=taint.d.ts.map

package/dist/engine/taint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint.d.ts","sourceRoot":"","sources":["../../src/engine/taint.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAA8B,MAAM,YAAY,CAAC;AAEvE,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE,CASxF;AA6CD;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,UAAU,EAAE,EACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GACvC,UAAU,EAAE,CAEd;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,EAAE,CAEtE;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAgBrD"}

package/dist/engine/taint.js

@@ -0,0 +1,83 @@
+/**
+ * Taint Analysis - tracks data flow from sources to sinks
+ * Generates taint-trace proofs for each vulnerability
+ */
+import { formatTaintPath } from './graph.js';
+/**
+ * Generate taint traces from data-flow graph
+ */
+export function generateTaintTraces(graph, filename) {
+    const traces = [];
+    for (const taintPath of graph.taintPaths) {
+        const trace = buildTaintTrace(taintPath, filename);
+        traces.push(trace);
+    }
+    return traces;
+}
+/**
+ * Build a single taint trace from a taint path
+ */
+function buildTaintTrace(path, filename) {
+    const source = path.source;
+    const sink = path.sink;
+    const evidence = [];
+    // Build evidence chain
+    evidence.push(`Source: ${source.value} at line ${source.loc?.start.line || '?'}`);
+    evidence.push(`  Type: ${source.sourcePattern?.description || 'untrusted input'}`);
+    if (path.sanitized) {
+        evidence.push('  ✅ Sanitized');
+    }
+    else {
+        evidence.push('  ❌ NOT sanitized');
+    }
+    evidence.push(`Sink: ${sink.name} at line ${sink.loc?.start.line || '?'}`);
+    evidence.push(`  Type: ${sink.sinkPattern?.description || 'dangerous operation'}`);
+    const finding = path.sanitized
+        ? `Sanitized ${sink.sinkPattern?.category || 'data flow'}`
+        : `Potential ${sink.sinkPattern?.category || 'vulnerability'}`;
+    return {
+        finding,
+        severity: sink.sinkPattern?.severity || 'medium',
+        category: sink.sinkPattern?.category || 'unknown',
+        cwe: sink.sinkPattern?.cwe,
+        path: formatTaintPath(path),
+        evidence,
+        location: {
+            file: filename,
+            line: sink.loc?.start.line || 0,
+            column: sink.loc?.start.column || 0,
+        },
+        sanitized: path.sanitized,
+        confidence: path.confidence,
+    };
+}
+/**
+ * Filter traces by severity
+ */
+export function filterBySeverity(traces, severity) {
+    return traces.filter(t => t.severity === severity);
+}
+/**
+ * Get only vulnerable (unsanitized) traces
+ */
+export function getVulnerableTraces(traces) {
+    return traces.filter(t => !t.sanitized);
+}
+/**
+ * Format trace for display
+ */
+export function formatTrace(trace) {
+    const icon = trace.sanitized ? '✅' : '❌';
+    const lines = [
+        `${icon} [${trace.severity.toUpperCase()}] ${trace.finding}`,
+        `   ${trace.location.file}:${trace.location.line}:${trace.location.column}`,
+        `   ${trace.path}`,
+    ];
+    if (trace.cwe) {
+        lines.push(`   CWE: ${trace.cwe}`);
+    }
+    lines.push('   Evidence:');
+    trace.evidence.forEach(e => lines.push(`     ${e}`));
+    return lines.join('\n');
+}
+//# sourceMappingURL=taint.js.map

package/dist/engine/taint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint.js","sourceRoot":"","sources":["../../src/engine/taint.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAA4B,eAAe,EAAE,MAAM,YAAY,CAAC;AAkBvE;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAoB,EAAE,QAAgB;IACxE,MAAM,MAAM,GAAiB,EAAE,CAAC;IAEhC,KAAK,MAAM,SAAS,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAe,EAAE,QAAgB;IACxD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAEvB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,uBAAuB;IACvB,QAAQ,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,KAAK,YAAY,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IAClF,QAAQ,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,aAAa,EAAE,WAAW,IAAI,iBAAiB,EAAE,CAAC,CAAC;IAEnF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACrC,CAAC;IAED,QAAQ,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,YAAY,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IAC3E,QAAQ,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,EAAE,WAAW,IAAI,qBAAqB,EAAE,CAAC,CAAC;IAEnF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS;QAC5B,CAAC,CAAC,aAAa,IAAI,CAAC,WAAW,EAAE,QAAQ,IAAI,WAAW,EAAE;QAC1D,CAAC,CAAC,aAAa,IAAI,CAAC,WAAW,EAAE,QAAQ,IAAI,eAAe,EAAE,CAAC;IAEjE,OAAO;QACL,OAAO;QACP,QAAQ,EAAE,IAAI,CAAC,WAAW,EAAE,QAAQ,IAAI,QAAQ;QAChD,QAAQ,EAAE,IAAI,CAAC,WAAW,EAAE,QAAQ,IAAI,SAAS;QACjD,GAAG,EAAE,IAAI,CAAC,WAAW,EAAE,GAAG;QAC1B,IAAI,EAAE,eAAe,CAAC,IAAI,CAAC;QAC3B,QAAQ;QACR,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;YAC/B,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;SACpC;QACD,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,UAAU,EAAE,IAAI,CAAC,UAAU;KAC5B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAoB,EACpB,QAAwC;IAExC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAoB;IACtD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAiB;IAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACzC,MAAM,KAAK,GAAG;QACZ,GAAG,IAAI,KAAK,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,OAAO,EAAE;QAC5D,MAAM,KAAK,CAAC,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,EAAE;QAC3E,MAAM,KAAK,CAAC,IAAI,EAAE;KACnB,CAAC;IAEF,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QACd,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC3B,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IAErD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/engine/verify.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Fix Verification - Re-analyze code after fix to check for regressions
+ */
+export interface VerificationResult {
+    success: boolean;
+    originalIssues: number;
+    remainingIssues: number;
+    newIssues: number;
+    regression: boolean;
+    message: string;
+}
+/**
+ * Verify that a fix actually resolved the vulnerability
+ */
+export declare function verifyFix(originalCode: string, fixedCode: string, targetLine: number): VerificationResult;
+/**
+ * Verify multiple fixes
+ */
+export declare function verifyMultipleFixes(originalCode: string, fixedCode: string): VerificationResult;
+//# sourceMappingURL=verify.d.ts.map

package/dist/engine/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/engine/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,OAAO,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,wBAAgB,SAAS,CACvB,YAAY,EAAE,MAAM,EACpB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,kBAAkB,CA0CpB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EACpB,SAAS,EAAE,MAAM,GAChB,kBAAkB,CAoBpB"}

package/dist/engine/verify.js

@@ -0,0 +1,65 @@
+/**
+ * Fix Verification - Re-analyze code after fix to check for regressions
+ */
+import { buildDataFlowGraph } from './graph.js';
+import { generateTaintTraces } from './taint.js';
+/**
+ * Verify that a fix actually resolved the vulnerability
+ */
+export function verifyFix(originalCode, fixedCode, targetLine) {
+    // Analyze original code
+    const originalGraph = buildDataFlowGraph(originalCode);
+    const originalTraces = generateTaintTraces(originalGraph, 'original.js');
+    const originalVulns = originalTraces.filter(t => !t.sanitized);
+    // Analyze fixed code
+    const fixedGraph = buildDataFlowGraph(fixedCode);
+    const fixedTraces = generateTaintTraces(fixedGraph, 'fixed.js');
+    const fixedVulns = fixedTraces.filter(t => !t.sanitized);
+    // Check for target vulnerability
+    const targetVuln = originalVulns.find(v => v.location.line === targetLine);
+    const targetFixed = !fixedVulns.find(v => v.location.line === targetLine);
+    // Check for regressions (new vulnerabilities introduced)
+    const newIssues = fixedVulns.filter(fv => !originalVulns.some(ov => ov.location.line === fv.location.line &&
+        ov.category === fv.category)).length;
+    const regression = newIssues > 0;
+    let message = '';
+    if (targetFixed && !regression) {
+        message = '✅ Fix verified: vulnerability resolved, no regressions';
+    }
+    else if (targetFixed && regression) {
+        message = `⚠️ Fix applied but introduced ${newIssues} new issue(s)`;
+    }
+    else if (!targetFixed) {
+        message = '❌ Fix failed: vulnerability still present';
+    }
+    return {
+        success: targetFixed && !regression,
+        originalIssues: originalVulns.length,
+        remainingIssues: fixedVulns.length,
+        newIssues,
+        regression,
+        message,
+    };
+}
+/**
+ * Verify multiple fixes
+ */
+export function verifyMultipleFixes(originalCode, fixedCode) {
+    const originalGraph = buildDataFlowGraph(originalCode);
+    const originalTraces = generateTaintTraces(originalGraph, 'original.js');
+    const originalVulns = originalTraces.filter(t => !t.sanitized);
+    const fixedGraph = buildDataFlowGraph(fixedCode);
+    const fixedTraces = generateTaintTraces(fixedGraph, 'fixed.js');
+    const fixedVulns = fixedTraces.filter(t => !t.sanitized);
+    const resolved = originalVulns.length - fixedVulns.length;
+    const newIssues = Math.max(0, fixedVulns.length - originalVulns.length);
+    return {
+        success: fixedVulns.length < originalVulns.length && newIssues === 0,
+        originalIssues: originalVulns.length,
+        remainingIssues: fixedVulns.length,
+        newIssues,
+        regression: newIssues > 0,
+        message: `Resolved ${resolved} issue(s), ${newIssues} new issue(s) introduced`,
+    };
+}
+//# sourceMappingURL=verify.js.map

package/dist/engine/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/engine/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,kBAAkB,EAAsB,MAAM,YAAY,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAWjD;;GAEG;AACH,MAAM,UAAU,SAAS,CACvB,YAAoB,EACpB,SAAiB,EACjB,UAAkB;IAElB,wBAAwB;IACxB,MAAM,aAAa,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,mBAAmB,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IACzE,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAE/D,qBAAqB;IACrB,MAAM,UAAU,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,mBAAmB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEzD,iCAAiC;IACjC,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IAC3E,MAAM,WAAW,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IAE1E,yDAAyD;IACzD,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CACvC,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CACvB,EAAE,CAAC,QAAQ,CAAC,IAAI,KAAK,EAAE,CAAC,QAAQ,CAAC,IAAI;QACrC,EAAE,CAAC,QAAQ,KAAK,EAAE,CAAC,QAAQ,CAC5B,CACF,CAAC,MAAM,CAAC;IAET,MAAM,UAAU,GAAG,SAAS,GAAG,CAAC,CAAC;IAEjC,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QAC/B,OAAO,GAAG,wDAAwD,CAAC;IACrE,CAAC;SAAM,IAAI,WAAW,IAAI,UAAU,EAAE,CAAC;QACrC,OAAO,GAAG,iCAAiC,SAAS,eAAe,CAAC;IACtE,CAAC;SAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACxB,OAAO,GAAG,2CAA2C,CAAC;IACxD,CAAC;IAED,OAAO;QACL,OAAO,EAAE,WAAW,IAAI,CAAC,UAAU;QACnC,cAAc,EAAE,aAAa,CAAC,MAAM;QACpC,eAAe,EAAE,UAAU,CAAC,MAAM;QAClC,SAAS;QACT,UAAU;QACV,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,YAAoB,EACpB,SAAiB;IAEjB,MAAM,aAAa,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,mBAAmB,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IACzE,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAE/D,MAAM,UAAU,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,mBAAmB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEzD,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAExE,OAAO;QACL,OAAO,EAAE,UAAU,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,IAAI,SAAS,KAAK,CAAC;QACpE,cAAc,EAAE,aAAa,CAAC,MAAM;QACpC,eAAe,EAAE,UAAU,CAAC,MAAM;QAClC,SAAS;QACT,UAAU,EAAE,SAAS,GAAG,CAAC;QACzB,OAAO,EAAE,YAAY,QAAQ,cAAc,SAAS,0BAA0B;KAC/E,CAAC;AACJ,CAAC"}

package/dist/features/badge.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Security Badge Generator - Creates shareable security report cards
+ */
+import { AuditResult } from '../index.js';
+export interface SecurityBadge {
+    grade: string;
+    score: number;
+    color: string;
+    markdown: string;
+    shield: string;
+}
+/**
+ * Generate security badge
+ */
+export declare function generateBadge(result: AuditResult): SecurityBadge;
+/**
+ * Generate badge markdown for README
+ */
+export declare function generateBadgeMarkdown(result: AuditResult): string;
+//# sourceMappingURL=badge.d.ts.map

package/dist/features/badge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"badge.d.ts","sourceRoot":"","sources":["../../src/features/badge.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW,GAAG,aAAa,CA+BhE;AA+CD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAGjE"}

package/dist/features/badge.js

@@ -0,0 +1,86 @@
+/**
+ * Security Badge Generator - Creates shareable security report cards
+ */
+/**
+ * Generate security badge
+ */
+export function generateBadge(result) {
+    const grade = calculateGrade(result);
+    const score = calculateScore(result);
+    const color = getGradeColor(grade);
+    const shield = `https://img.shields.io/badge/security-${grade}-${color}`;
+    const markdown = `## 🛡️ Security Report Card
+
+![Security Grade](${shield})
+
+**Grade:** ${grade}  
+**Score:** ${score}/100
+
+### Summary
+- Total Issues: ${result.summary.total}
+- Critical: ${result.summary.critical}
+- High: ${result.summary.high}
+- Medium: ${result.summary.medium}
+
+---
+Scanned by [FivoSense](https://github.com/fivosense) — Neuro-symbolic AI security scanner
+`;
+    return {
+        grade,
+        score,
+        color,
+        markdown,
+        shield,
+    };
+}
+/**
+ * Calculate security grade (A+ to F)
+ */
+function calculateGrade(result) {
+    const { summary } = result;
+    if (summary.total === 0)
+        return 'A+';
+    if (summary.critical === 0 && summary.high === 0)
+        return 'A';
+    if (summary.critical === 0 && summary.high <= 2)
+        return 'B';
+    if (summary.critical === 0 && summary.high <= 5)
+        return 'C';
+    if (summary.critical <= 1)
+        return 'D';
+    return 'F';
+}
+/**
+ * Calculate numeric security score (0-100)
+ */
+function calculateScore(result) {
+    const { summary } = result;
+    // Start at 100, deduct for issues
+    let score = 100;
+    score -= summary.critical * 20; // -20 per critical
+    score -= summary.high * 10; // -10 per high
+    score -= summary.medium * 5; // -5 per medium
+    return Math.max(0, score);
+}
+/**
+ * Get color for grade
+ */
+function getGradeColor(grade) {
+    const colors = {
+        'A+': 'brightgreen',
+        'A': 'green',
+        'B': 'yellowgreen',
+        'C': 'yellow',
+        'D': 'orange',
+        'F': 'red',
+    };
+    return colors[grade] || 'lightgrey';
+}
+/**
+ * Generate badge markdown for README
+ */
+export function generateBadgeMarkdown(result) {
+    const badge = generateBadge(result);
+    return badge.markdown;
+}
+//# sourceMappingURL=badge.js.map

package/dist/features/badge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"badge.js","sourceRoot":"","sources":["../../src/features/badge.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAmB;IAC/C,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAEnC,MAAM,MAAM,GAAG,yCAAyC,KAAK,IAAI,KAAK,EAAE,CAAC;IAEzE,MAAM,QAAQ,GAAG;;oBAEC,MAAM;;aAEb,KAAK;aACL,KAAK;;;kBAGA,MAAM,CAAC,OAAO,CAAC,KAAK;cACxB,MAAM,CAAC,OAAO,CAAC,QAAQ;UAC3B,MAAM,CAAC,OAAO,CAAC,IAAI;YACjB,MAAM,CAAC,OAAO,CAAC,MAAM;;;;CAIhC,CAAC;IAEA,OAAO;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,QAAQ;QACR,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,MAAmB;IACzC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAE3B,IAAI,OAAO,CAAC,KAAK,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,OAAO,CAAC,QAAQ,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAC7D,IAAI,OAAO,CAAC,QAAQ,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IAC5D,IAAI,OAAO,CAAC,QAAQ,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IAC5D,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IACtC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,MAAmB;IACzC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAE3B,kCAAkC;IAClC,IAAI,KAAK,GAAG,GAAG,CAAC;IAChB,KAAK,IAAI,OAAO,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAE,mBAAmB;IACpD,KAAK,IAAI,OAAO,CAAC,IAAI,GAAG,EAAE,CAAC,CAAM,eAAe;IAChD,KAAK,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAK,gBAAgB;IAEjD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,MAAM,GAA2B;QACrC,IAAI,EAAE,aAAa;QACnB,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,aAAa;QAClB,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,KAAK;KACX,CAAC;IAEF,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAmB;IACvD,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,KAAK,CAAC,QAAQ,CAAC;AACxB,CAAC"}

package/dist/features/fix.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Auto-fix Generator - Suggests and applies security fixes
+ */
+import { TaintTrace } from '../engine/taint.js';
+export interface SecurityFix {
+    original: string;
+    fixed: string;
+    explanation: string;
+    confidence: number;
+    type: 'sanitize' | 'parameterize' | 'encode' | 'validate';
+}
+/**
+ * Generate fix for a vulnerability
+ */
+export declare function generateFix(trace: TaintTrace, code: string): SecurityFix | null;
+/**
+ * Apply fix to code
+ */
+export declare function applyFix(code: string, fix: SecurityFix, lineNumber: number): string;
+//# sourceMappingURL=fix.d.ts.map

package/dist/features/fix.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fix.d.ts","sourceRoot":"","sources":["../../src/features/fix.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,UAAU,GAAG,cAAc,GAAG,QAAQ,GAAG,UAAU,CAAC;CAC3D;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAa/E;AAgGD;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAQnF"}