npm - fivosense - Versions diffs - 0.1.5 → 0.2.0 - Mend

fivosense 0.1.5 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/.kilo/skill/fivosense/skill.json +5 -5
package/COMPLETE_SUMMARY.md +412 -0
package/DEPLOYMENT_GUIDE.md +2 -2
package/FINAL_VERIFICATION.md +316 -0
package/GITHUB_PUSH.md +4 -4
package/LICENSE +1 -1
package/README.md +290 -208
package/RELEASE_READY.md +3 -3
package/bin/fivosense.mjs +6 -0
package/dist/ai/client.d.ts +33 -0
package/dist/ai/client.d.ts.map +1 -0
package/dist/ai/client.js +170 -0
package/dist/ai/client.js.map +1 -0
package/dist/ai/judge.d.ts +9 -3
package/dist/ai/judge.d.ts.map +1 -1
package/dist/ai/judge.js +49 -14
package/dist/ai/judge.js.map +1 -1
package/dist/cli/index.d.ts +3 -1
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +6 -1
package/dist/cli/index.js.map +1 -1
package/dist/core/orchestrator.d.ts +34 -0
package/dist/core/orchestrator.d.ts.map +1 -0
package/dist/core/orchestrator.js +211 -0
package/dist/core/orchestrator.js.map +1 -0
package/dist/core/scope.d.ts +32 -0
package/dist/core/scope.d.ts.map +1 -0
package/dist/core/scope.js +149 -0
package/dist/core/scope.js.map +1 -0
package/dist/editors/vscode.d.ts +4 -2
package/dist/editors/vscode.d.ts.map +1 -1
package/dist/editors/vscode.js +6 -0
package/dist/editors/vscode.js.map +1 -1
package/dist/engine/adversary.d.ts +9 -2
package/dist/engine/adversary.d.ts.map +1 -1
package/dist/engine/adversary.js +47 -13
package/dist/engine/adversary.js.map +1 -1
package/dist/engine/graph.d.ts +4 -1
package/dist/engine/graph.d.ts.map +1 -1
package/dist/engine/graph.js +6 -0
package/dist/engine/graph.js.map +1 -1
package/dist/engine/poc.d.ts +26 -0
package/dist/engine/poc.d.ts.map +1 -0
package/dist/engine/poc.js +179 -0
package/dist/engine/poc.js.map +1 -0
package/dist/engine/reach.d.ts +4 -2
package/dist/engine/reach.d.ts.map +1 -1
package/dist/engine/reach.js +6 -0
package/dist/engine/reach.js.map +1 -1
package/dist/engine/sinks.d.ts +22 -32
package/dist/engine/sinks.d.ts.map +1 -1
package/dist/engine/sinks.js +338 -44
package/dist/engine/sinks.js.map +1 -1
package/dist/engine/sources.d.ts +11 -19
package/dist/engine/sources.d.ts.map +1 -1
package/dist/engine/sources.js +100 -24
package/dist/engine/sources.js.map +1 -1
package/dist/engine/taint.d.ts +6 -0
package/dist/engine/taint.d.ts.map +1 -1
package/dist/engine/taint.js +6 -0
package/dist/engine/taint.js.map +1 -1
package/dist/engine/verify.d.ts +4 -1
package/dist/engine/verify.d.ts.map +1 -1
package/dist/engine/verify.js +6 -0
package/dist/engine/verify.js.map +1 -1
package/dist/features/badge.d.ts +6 -0
package/dist/features/badge.d.ts.map +1 -1
package/dist/features/badge.js +4 -1
package/dist/features/badge.js.map +1 -1
package/dist/features/fix.d.ts +6 -0
package/dist/features/fix.d.ts.map +1 -1
package/dist/features/fix.js +4 -1
package/dist/features/fix.js.map +1 -1
package/dist/features/index.d.ts +6 -0
package/dist/features/index.d.ts.map +1 -1
package/dist/features/index.js +6 -0
package/dist/features/index.js.map +1 -1
package/dist/features/roast.d.ts +6 -0
package/dist/features/roast.d.ts.map +1 -1
package/dist/features/roast.js +4 -1
package/dist/features/roast.js.map +1 -1
package/dist/hooks/agent.d.ts +4 -1
package/dist/hooks/agent.d.ts.map +1 -1
package/dist/hooks/agent.js +6 -0
package/dist/hooks/agent.js.map +1 -1
package/dist/hooks/git.d.ts +34 -0
package/dist/hooks/git.d.ts.map +1 -0
package/dist/hooks/git.js +161 -0
package/dist/hooks/git.js.map +1 -0
package/dist/index.d.ts +4 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +6 -0
package/dist/index.js.map +1 -1
package/dist/rules/destructive.d.ts +12 -21
package/dist/rules/destructive.d.ts.map +1 -1
package/dist/rules/destructive.js +306 -24
package/dist/rules/destructive.js.map +1 -1
package/dist/rules/secrets.d.ts +8 -10
package/dist/rules/secrets.d.ts.map +1 -1
package/dist/rules/secrets.js +294 -17
package/dist/rules/secrets.js.map +1 -1
package/mcp/index.js +55 -20
package/mcp/package-lock.json +382 -0
package/mcp/package.json +21 -4
package/package.json +5 -5
package/src/ai/client.ts +226 -0
package/src/ai/judge.ts +58 -14
package/src/cli/index.ts +7 -1
package/src/core/orchestrator.ts +266 -0
package/src/core/scope.ts +175 -0
package/src/editors/vscode.ts +7 -0
package/src/engine/adversary.ts +55 -12
package/src/engine/graph.ts +7 -0
package/src/engine/poc.ts +219 -0
package/src/engine/reach.ts +7 -0
package/src/engine/sinks.ts +358 -45
package/src/engine/sources.ts +109 -24
package/src/engine/taint.ts +7 -0
package/src/engine/verify.ts +7 -0
package/src/features/badge.ts +7 -0
package/src/features/fix.ts +7 -0
package/src/features/index.ts +7 -0
package/src/features/roast.ts +7 -0
package/src/hooks/agent.ts +7 -0
package/src/hooks/git.ts +194 -0
package/src/index.ts +7 -0
package/src/rules/destructive.ts +316 -26
package/src/rules/secrets.ts +306 -17
package/vscode-extension/CHANGELOG.md +14 -2
package/vscode-extension/LICENSE +1 -1
package/vscode-extension/README.md +28 -23
package/vscode-extension/fivosense-vscode-0.1.0.vsix +0 -0
package/vscode-extension/fivosense-vscode-0.1.1.vsix +0 -0
package/vscode-extension/package-lock.json +6 -6
package/vscode-extension/package.json +7 -5
package/vscode-extension/src/extension.ts +65 -11

package/src/rules/destructive.ts CHANGED Viewed

@@ -1,18 +1,23 @@
 /**
- * Destructive command detection
- * Blocks dangerous operations: rm -rf, DROP TABLE, mass deletes, etc.
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+/**
+ * Destructive command detection — blocks dangerous operations
+ * 35+ patterns covering filesystem, database, system, network, and privilege escalation
  */
 export interface DestructivePattern {
   pattern: RegExp;
   description: string;
   severity: 'critical' | 'high';
-  category: 'filesystem' | 'database' | 'system';
+  category: 'filesystem' | 'database' | 'system' | 'network' | 'container' | 'privilege';
 }
-/**
- * Filesystem destructive patterns
- */
+// === Filesystem Destructive ===
 export const FS_DESTRUCTIVE: DestructivePattern[] = [
   {
     pattern: /rm\s+-rf\s+[\/~]/,
@@ -26,6 +31,12 @@ export const FS_DESTRUCTIVE: DestructivePattern[] = [
     severity: 'critical',
     category: 'filesystem',
   },
+  {
+    pattern: /rm\s+-rf\s+["']?\//,
+    description: 'Recursive force delete from absolute path',
+    severity: 'critical',
+    category: 'filesystem',
+  },
   {
     pattern: /unlink\s*\(\s*['"]\/['"]\s*\)/,
     description: 'Unlink root directory',
@@ -38,11 +49,57 @@ export const FS_DESTRUCTIVE: DestructivePattern[] = [
     severity: 'critical',
     category: 'filesystem',
   },
+  {
+    pattern: /shred\s+/,
+    description: 'Secure file deletion (shred)',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /mkfs\./,
+    description: 'Format filesystem',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /dd\s+if=.*of=\/dev\//,
+    description: 'dd write to device',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: />\s*\/dev\/sd[a-z]/,
+    description: 'Write directly to disk device',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /wipefs\s+/,
+    description: 'Wipe filesystem signatures',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /truncate\s+-s\s+0/,
+    description: 'Truncate file to zero bytes',
+    severity: 'high',
+    category: 'filesystem',
+  },
+  {
+    pattern: /del\s+\/[sfq]/i,
+    description: 'Windows force delete',
+    severity: 'critical',
+    category: 'filesystem',
+  },
+  {
+    pattern: /rmdir\s+\/s\s+\/q/i,
+    description: 'Windows recursive directory delete',
+    severity: 'critical',
+    category: 'filesystem',
+  },
 ];
-/**
- * Database destructive patterns
- */
+// === Database Destructive ===
 export const DB_DESTRUCTIVE: DestructivePattern[] = [
   {
     pattern: /DROP\s+TABLE/i,
@@ -56,10 +113,16 @@ export const DB_DESTRUCTIVE: DestructivePattern[] = [
     severity: 'critical',
     category: 'database',
   },
+  {
+    pattern: /DROP\s+SCHEMA/i,
+    description: 'SQL DROP SCHEMA',
+    severity: 'critical',
+    category: 'database',
+  },
   {
     pattern: /TRUNCATE\s+TABLE/i,
     description: 'SQL TRUNCATE TABLE',
-    severity: 'high',
+    severity: 'critical',
     category: 'database',
   },
   {
@@ -68,44 +131,274 @@ export const DB_DESTRUCTIVE: DestructivePattern[] = [
     severity: 'critical',
     category: 'database',
   },
+  {
+    pattern: /UPDATE\s+\w+\s+SET.*WHERE\s+1\s*=\s*1/i,
+    description: 'SQL UPDATE all rows',
+    severity: 'critical',
+    category: 'database',
+  },
+  {
+    pattern: /db\.dropDatabase/,
+    description: 'MongoDB drop database',
+    severity: 'critical',
+    category: 'database',
+  },
   {
     pattern: /db\.collection\(\w+\)\.drop\(\)/,
     description: 'MongoDB collection drop',
+    severity: 'critical',
+    category: 'database',
+  },
+  {
+    pattern: /FLUSH\s+(PRIVILEGES|TABLES|LOGS)/i,
+    description: 'MySQL FLUSH command',
+    severity: 'high',
+    category: 'database',
+  },
+  {
+    pattern: /ALTER\s+TABLE.*DROP\s+COLUMN/i,
+    description: 'SQL DROP COLUMN',
     severity: 'high',
     category: 'database',
   },
+  {
+    pattern: /db\.users\.remove/,
+    description: 'MongoDB mass remove',
+    severity: 'critical',
+    category: 'database',
+  },
+  {
+    pattern: /\.remove\(\{\}\)/,
+    description: 'MongoDB remove all documents',
+    severity: 'critical',
+    category: 'database',
+  },
 ];
-/**
- * System destructive patterns
- */
+// === System Destructive ===
 export const SYSTEM_DESTRUCTIVE: DestructivePattern[] = [
   {
-    pattern: /shutdown|reboot|halt/i,
+    pattern: /shutdown\s+(-[hprs])?\s*(now|\+[0-9])/i,
     description: 'System shutdown command',
     severity: 'critical',
     category: 'system',
   },
   {
-    pattern: /kill\s+-9\s+1/,
-    description: 'Kill init process',
+    pattern: /reboot\s*(-[f])?/i,
+    description: 'System reboot',
+    severity: 'critical',
+    category: 'system',
+  },
+  {
+    pattern: /halt\s*(-[f])?/i,
+    description: 'System halt',
+    severity: 'critical',
+    category: 'system',
+  },
+  {
+    pattern: /poweroff/i,
+    description: 'System power off',
+    severity: 'critical',
+    category: 'system',
+  },
+  {
+    pattern: /kill\s+-9\s+1\b/,
+    description: 'Kill init process (PID 1)',
+    severity: 'critical',
+    category: 'system',
+  },
+  {
+    pattern: /killall\s+-9/,
+    description: 'Force kill all processes',
+    severity: 'critical',
+    category: 'system',
+  },
+  {
+    pattern: /:(){ :\|:& };:/,
+    description: 'Fork bomb',
+    severity: 'critical',
+    category: 'system',
+  },
+  {
+    pattern: /init\s+0/,
+    description: 'Init shutdown',
     severity: 'critical',
     category: 'system',
   },
+  {
+    pattern: /systemctl\s+(stop|disable)\s+/,
+    description: 'Stop/disable systemd service',
+    severity: 'high',
+    category: 'system',
+  },
+  {
+    pattern: /service\s+\w+\s+stop/,
+    description: 'Stop system service',
+    severity: 'high',
+    category: 'system',
+  },
 ];
-/**
- * All destructive patterns
- */
-export const ALL_DESTRUCTIVE = [
+// === Network Destructive ===
+export const NETWORK_DESTRUCTIVE: DestructivePattern[] = [
+  {
+    pattern: /iptables\s+-F/,
+    description: 'Flush all firewall rules',
+    severity: 'critical',
+    category: 'network',
+  },
+  {
+    pattern: /iptables\s+--flush/,
+    description: 'Flush firewall rules',
+    severity: 'critical',
+    category: 'network',
+  },
+  {
+    pattern: /ufw\s+disable/,
+    description: 'Disable UFW firewall',
+    severity: 'critical',
+    category: 'network',
+  },
+  {
+    pattern: /netsh\s+firewall\s+set\s+opmode\s+disable/i,
+    description: 'Windows disable firewall',
+    severity: 'critical',
+    category: 'network',
+  },
+  {
+    pattern: /ip\s+link\s+set\s+\w+\s+down/,
+    description: 'Disable network interface',
+    severity: 'high',
+    category: 'network',
+  },
+  {
+    pattern: /ifconfig\s+\w+\s+down/,
+    description: 'Disable network interface (ifconfig)',
+    severity: 'high',
+    category: 'network',
+  },
+  {
+    pattern: /route\s+(del|flush)/,
+    description: 'Delete/flush routing table',
+    severity: 'high',
+    category: 'network',
+  },
+  {
+    pattern: /curl\s+.*\|\s*(bash|sh)/,
+    description: 'Remote code execution via curl pipe',
+    severity: 'critical',
+    category: 'network',
+  },
+  {
+    pattern: /wget\s+.*\|\s*(bash|sh)/,
+    description: 'Remote code execution via wget pipe',
+    severity: 'critical',
+    category: 'network',
+  },
+];
+// === Container / Cloud Destructive ===
+export const CONTAINER_DESTRUCTIVE: DestructivePattern[] = [
+  {
+    pattern: /docker\s+rm\s+-f\s+\$\(docker\s+ps/,
+    description: 'Force remove all Docker containers',
+    severity: 'critical',
+    category: 'container',
+  },
+  {
+    pattern: /docker\s+rmi\s+-f\s+\$\(docker\s+images/,
+    description: 'Force remove all Docker images',
+    severity: 'critical',
+    category: 'container',
+  },
+  {
+    pattern: /docker\s+system\s+prune\s+-a/,
+    description: 'Prune all Docker data',
+    severity: 'high',
+    category: 'container',
+  },
+  {
+    pattern: /kubectl\s+delete\s+(pods|deployment|namespace)\s+--all/,
+    description: 'Delete all Kubernetes resources',
+    severity: 'critical',
+    category: 'container',
+  },
+  {
+    pattern: /kubectl\s+delete\s+namespace/,
+    description: 'Delete Kubernetes namespace',
+    severity: 'critical',
+    category: 'container',
+  },
+];
+// === Privilege Escalation ===
+export const PRIVILEGE_DESTRUCTIVE: DestructivePattern[] = [
+  {
+    pattern: /chmod\s+777\s+[\/~]/,
+    description: 'Set full permissions (chmod 777)',
+    severity: 'critical',
+    category: 'privilege',
+  },
+  {
+    pattern: /chmod\s+-R\s+777/,
+    description: 'Recursive full permissions',
+    severity: 'critical',
+    category: 'privilege',
+  },
+  {
+    pattern: /chown\s+-R\s+root/,
+    description: 'Recursive ownership to root',
+    severity: 'critical',
+    category: 'privilege',
+  },
+  {
+    pattern: /chmod\s+\+s/,
+    description: 'Set SUID/SGID bit',
+    severity: 'critical',
+    category: 'privilege',
+  },
+  {
+    pattern: /chmod\s+u\+s/,
+    description: 'Set SUID bit',
+    severity: 'critical',
+    category: 'privilege',
+  },
+  {
+    pattern: /visudo/,
+    description: 'Edit sudoers file',
+    severity: 'critical',
+    category: 'privilege',
+  },
+  {
+    pattern: /echo\s+.*>>\s*\/etc\/sudoers/,
+    description: 'Append to sudoers file',
+    severity: 'critical',
+    category: 'privilege',
+  },
+  {
+    pattern: /usermod\s+-aG\s+sudo/,
+    description: 'Add user to sudo group',
+    severity: 'high',
+    category: 'privilege',
+  },
+  {
+    pattern: /passwd\s+(root|-e)/,
+    description: 'Change root password or expire',
+    severity: 'critical',
+    category: 'privilege',
+  },
+];
+// === All destructive patterns combined ===
+export const ALL_DESTRUCTIVE: DestructivePattern[] = [
   ...FS_DESTRUCTIVE,
   ...DB_DESTRUCTIVE,
   ...SYSTEM_DESTRUCTIVE,
+  ...NETWORK_DESTRUCTIVE,
+  ...CONTAINER_DESTRUCTIVE,
+  ...PRIVILEGE_DESTRUCTIVE,
 ];
-/**
- * Check if code contains destructive patterns
- */
 export function detectDestructive(code: string): DestructivePattern[] {
   const matches: DestructivePattern[] = [];
@@ -118,9 +411,6 @@ export function detectDestructive(code: string): DestructivePattern[] {
   return matches;
 }
-/**
- * Check if specific line contains destructive command
- */
 export function isDestructiveLine(line: string): DestructivePattern | null {
   for (const pattern of ALL_DESTRUCTIVE) {
     if (pattern.pattern.test(line)) {