npm - ghostpatch - Versions diffs - 1.0.0 - Mend

ghostpatch 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/LICENSE +21 -0
package/README.md +213 -0
package/__tests__/detectors.test.ts +224 -0
package/__tests__/rules.test.ts +117 -0
package/__tests__/scanner.test.ts +222 -0
package/dist/ai/anthropic.d.ts +11 -0
package/dist/ai/anthropic.d.ts.map +1 -0
package/dist/ai/anthropic.js +76 -0
package/dist/ai/anthropic.js.map +1 -0
package/dist/ai/huggingface.d.ts +12 -0
package/dist/ai/huggingface.d.ts.map +1 -0
package/dist/ai/huggingface.js +95 -0
package/dist/ai/huggingface.js.map +1 -0
package/dist/ai/openai.d.ts +11 -0
package/dist/ai/openai.d.ts.map +1 -0
package/dist/ai/openai.js +71 -0
package/dist/ai/openai.js.map +1 -0
package/dist/ai/prompts.d.ts +5 -0
package/dist/ai/prompts.d.ts.map +1 -0
package/dist/ai/prompts.js +101 -0
package/dist/ai/prompts.js.map +1 -0
package/dist/ai/provider.d.ts +9 -0
package/dist/ai/provider.d.ts.map +1 -0
package/dist/ai/provider.js +66 -0
package/dist/ai/provider.js.map +1 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +318 -0
package/dist/cli/index.js.map +1 -0
package/dist/core/reporter.d.ts +7 -0
package/dist/core/reporter.d.ts.map +1 -0
package/dist/core/reporter.js +366 -0
package/dist/core/reporter.js.map +1 -0
package/dist/core/rules.d.ts +8 -0
package/dist/core/rules.d.ts.map +1 -0
package/dist/core/rules.js +1077 -0
package/dist/core/rules.js.map +1 -0
package/dist/core/scanner.d.ts +6 -0
package/dist/core/scanner.d.ts.map +1 -0
package/dist/core/scanner.js +217 -0
package/dist/core/scanner.js.map +1 -0
package/dist/core/severity.d.ts +100 -0
package/dist/core/severity.d.ts.map +1 -0
package/dist/core/severity.js +52 -0
package/dist/core/severity.js.map +1 -0
package/dist/detectors/auth.d.ts +3 -0
package/dist/detectors/auth.d.ts.map +1 -0
package/dist/detectors/auth.js +138 -0
package/dist/detectors/auth.js.map +1 -0
package/dist/detectors/crypto.d.ts +3 -0
package/dist/detectors/crypto.d.ts.map +1 -0
package/dist/detectors/crypto.js +128 -0
package/dist/detectors/crypto.js.map +1 -0
package/dist/detectors/dependency.d.ts +4 -0
package/dist/detectors/dependency.d.ts.map +1 -0
package/dist/detectors/dependency.js +267 -0
package/dist/detectors/dependency.js.map +1 -0
package/dist/detectors/deserialize.d.ts +3 -0
package/dist/detectors/deserialize.d.ts.map +1 -0
package/dist/detectors/deserialize.js +107 -0
package/dist/detectors/deserialize.js.map +1 -0
package/dist/detectors/injection.d.ts +3 -0
package/dist/detectors/injection.d.ts.map +1 -0
package/dist/detectors/injection.js +158 -0
package/dist/detectors/injection.js.map +1 -0
package/dist/detectors/misconfig.d.ts +3 -0
package/dist/detectors/misconfig.d.ts.map +1 -0
package/dist/detectors/misconfig.js +153 -0
package/dist/detectors/misconfig.js.map +1 -0
package/dist/detectors/pathtraversal.d.ts +3 -0
package/dist/detectors/pathtraversal.d.ts.map +1 -0
package/dist/detectors/pathtraversal.js +90 -0
package/dist/detectors/pathtraversal.js.map +1 -0
package/dist/detectors/prototype.d.ts +3 -0
package/dist/detectors/prototype.d.ts.map +1 -0
package/dist/detectors/prototype.js +79 -0
package/dist/detectors/prototype.js.map +1 -0
package/dist/detectors/secrets.d.ts +4 -0
package/dist/detectors/secrets.d.ts.map +1 -0
package/dist/detectors/secrets.js +137 -0
package/dist/detectors/secrets.js.map +1 -0
package/dist/detectors/ssrf.d.ts +3 -0
package/dist/detectors/ssrf.d.ts.map +1 -0
package/dist/detectors/ssrf.js +78 -0
package/dist/detectors/ssrf.js.map +1 -0
package/dist/detectors/zeroday.d.ts +9 -0
package/dist/detectors/zeroday.d.ts.map +1 -0
package/dist/detectors/zeroday.js +77 -0
package/dist/detectors/zeroday.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +42 -0
package/dist/index.js.map +1 -0
package/dist/mcp/server.d.ts +2 -0
package/dist/mcp/server.d.ts.map +1 -0
package/dist/mcp/server.js +358 -0
package/dist/mcp/server.js.map +1 -0
package/dist/utils/config.d.ts +4 -0
package/dist/utils/config.d.ts.map +1 -0
package/dist/utils/config.js +97 -0
package/dist/utils/config.js.map +1 -0
package/dist/utils/fingerprint.d.ts +5 -0
package/dist/utils/fingerprint.d.ts.map +1 -0
package/dist/utils/fingerprint.js +55 -0
package/dist/utils/fingerprint.js.map +1 -0
package/dist/utils/languages.d.ts +8 -0
package/dist/utils/languages.d.ts.map +1 -0
package/dist/utils/languages.js +128 -0
package/dist/utils/languages.js.map +1 -0
package/package.json +53 -0
package/src/ai/anthropic.ts +82 -0
package/src/ai/huggingface.ts +111 -0
package/src/ai/openai.ts +75 -0
package/src/ai/prompts.ts +100 -0
package/src/ai/provider.ts +68 -0
package/src/cli/index.ts +314 -0
package/src/core/reporter.ts +356 -0
package/src/core/rules.ts +1089 -0
package/src/core/scanner.ts +201 -0
package/src/core/severity.ts +140 -0
package/src/detectors/auth.ts +152 -0
package/src/detectors/crypto.ts +128 -0
package/src/detectors/dependency.ts +240 -0
package/src/detectors/deserialize.ts +106 -0
package/src/detectors/injection.ts +172 -0
package/src/detectors/misconfig.ts +152 -0
package/src/detectors/pathtraversal.ts +89 -0
package/src/detectors/prototype.ts +77 -0
package/src/detectors/secrets.ts +138 -0
package/src/detectors/ssrf.ts +77 -0
package/src/detectors/zeroday.ts +93 -0
package/src/index.ts +24 -0
package/src/mcp/server.ts +379 -0
package/src/utils/config.ts +64 -0
package/src/utils/fingerprint.ts +21 -0
package/src/utils/languages.ts +95 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +8 -0

package/__tests__/scanner.test.ts ADDED Viewed

@@ -0,0 +1,222 @@
+import { describe, it, expect } from 'vitest';
+import * as path from 'path';
+import * as fs from 'fs';
+import * as os from 'os';
+import { scan, scanFile } from '../src/core/scanner';
+import { generateReport } from '../src/core/reporter';
+import { Severity } from '../src/core/severity';
+import { detectLanguage, isSupportedFile } from '../src/utils/languages';
+import { generateFingerprint, deduplicateFindings } from '../src/utils/fingerprint';
+describe('Scanner', () => {
+  it('should scan a single file', () => {
+    const code = `
+const password = "admin";
+eval(userInput);
+db.query("SELECT * FROM users WHERE id=" + userId);
+`;
+    const findings = scanFile('test.js', code, 'javascript');
+    expect(findings.length).toBeGreaterThan(0);
+  });
+  it('should detect multiple vulnerability types', () => {
+    const code = `
+eval(userInput);
+db.query("SELECT * FROM users WHERE id=" + userId);
+element.innerHTML = userData;
+const key = "AKIAIOSFODNN7EXAMPLE";
+`;
+    const findings = scanFile('test.js', code, 'javascript');
+    const ruleIds = new Set(findings.map(f => f.ruleId));
+    expect(ruleIds.size).toBeGreaterThanOrEqual(3);
+  });
+  it('should scan a directory', async () => {
+    // Create temp dir with test files
+    const tmpDir = path.join(os.tmpdir(), 'ghostpatch-test-' + Date.now());
+    fs.mkdirSync(tmpDir, { recursive: true });
+    fs.writeFileSync(path.join(tmpDir, 'test.js'), `
+const password = "admin";
+eval(userInput);
+`);
+    fs.writeFileSync(path.join(tmpDir, 'safe.js'), `
+const x = 1 + 2;
+console.log(x);
+`);
+    try {
+      const result = await scan(tmpDir, { severity: Severity.LOW });
+      expect(result.filesScanned).toBeGreaterThanOrEqual(2);
+      expect(result.findings.length).toBeGreaterThan(0);
+      expect(result.summary.total).toBe(result.findings.length);
+      expect(result.durationMs).toBeGreaterThanOrEqual(0);
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+  it('should filter by severity', async () => {
+    const code = `
+const password = "admin";
+eval(userInput);
+element.innerHTML = userData;
+const x = Math.random();
+const opts = { secure: false, httpOnly: false };
+`;
+    const allFindings = scanFile('test.js', code, 'javascript');
+    const criticalFindings = allFindings.filter(f => f.severity === Severity.CRITICAL);
+    expect(allFindings.length).toBeGreaterThan(0);
+    expect(criticalFindings.length).toBeGreaterThan(0);
+    expect(criticalFindings.length).toBeLessThanOrEqual(allFindings.length);
+  });
+  it('should include code snippets', () => {
+    const code = `line1
+line2
+eval(userInput);
+line4
+line5`;
+    const findings = scanFile('test.js', code, 'javascript');
+    const evalFinding = findings.find(f => f.ruleId.includes('EVAL'));
+    if (evalFinding) {
+      expect(evalFinding.codeSnippet).toContain('eval');
+      expect(evalFinding.line).toBe(3);
+    }
+  });
+  it('should produce valid fingerprints', () => {
+    const code = 'eval(userInput);';
+    const findings = scanFile('test.js', code, 'javascript');
+    for (const f of findings) {
+      expect(f.fingerprint).toBeTruthy();
+      expect(f.fingerprint.length).toBe(16);
+    }
+  });
+});
+describe('Reporter', () => {
+  it('should generate terminal report', async () => {
+    const tmpDir = path.join(os.tmpdir(), 'ghostpatch-report-test-' + Date.now());
+    fs.mkdirSync(tmpDir, { recursive: true });
+    fs.writeFileSync(path.join(tmpDir, 'test.js'), 'eval(userInput);');
+    try {
+      const result = await scan(tmpDir);
+      const report = generateReport(result, 'terminal');
+      expect(report).toContain('GhostPatch');
+      expect(report).toContain('CRITICAL');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+  it('should generate JSON report', async () => {
+    const tmpDir = path.join(os.tmpdir(), 'ghostpatch-json-test-' + Date.now());
+    fs.mkdirSync(tmpDir, { recursive: true });
+    fs.writeFileSync(path.join(tmpDir, 'test.js'), 'eval(userInput);');
+    try {
+      const result = await scan(tmpDir);
+      const json = generateReport(result, 'json');
+      const parsed = JSON.parse(json);
+      expect(parsed.ghostpatch.version).toBe('1.0.0');
+      expect(Array.isArray(parsed.findings)).toBe(true);
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+  it('should generate SARIF report', async () => {
+    const tmpDir = path.join(os.tmpdir(), 'ghostpatch-sarif-test-' + Date.now());
+    fs.mkdirSync(tmpDir, { recursive: true });
+    fs.writeFileSync(path.join(tmpDir, 'test.js'), 'eval(userInput);');
+    try {
+      const result = await scan(tmpDir);
+      const sarif = generateReport(result, 'sarif');
+      const parsed = JSON.parse(sarif);
+      expect(parsed.version).toBe('2.1.0');
+      expect(parsed.runs).toBeDefined();
+      expect(parsed.runs[0].tool.driver.name).toBe('GhostPatch');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+  it('should generate HTML report', async () => {
+    const tmpDir = path.join(os.tmpdir(), 'ghostpatch-html-test-' + Date.now());
+    fs.mkdirSync(tmpDir, { recursive: true });
+    fs.writeFileSync(path.join(tmpDir, 'test.js'), 'eval(userInput);');
+    try {
+      const result = await scan(tmpDir);
+      const html = generateReport(result, 'html');
+      expect(html).toContain('<!DOCTYPE html>');
+      expect(html).toContain('GhostPatch');
+      expect(html).toContain('Security Report');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+});
+describe('Language Detection', () => {
+  it('should detect JavaScript', () => {
+    expect(detectLanguage('test.js')).toBe('javascript');
+    expect(detectLanguage('test.jsx')).toBe('javascript');
+    expect(detectLanguage('test.mjs')).toBe('javascript');
+  });
+  it('should detect TypeScript', () => {
+    expect(detectLanguage('test.ts')).toBe('typescript');
+    expect(detectLanguage('test.tsx')).toBe('typescript');
+  });
+  it('should detect Python', () => {
+    expect(detectLanguage('test.py')).toBe('python');
+  });
+  it('should detect Java', () => {
+    expect(detectLanguage('Test.java')).toBe('java');
+  });
+  it('should detect Go', () => {
+    expect(detectLanguage('main.go')).toBe('go');
+  });
+  it('should return null for unsupported files', () => {
+    expect(detectLanguage('test.txt')).toBeNull();
+    expect(detectLanguage('image.png')).toBeNull();
+  });
+  it('should identify supported files', () => {
+    expect(isSupportedFile('test.ts')).toBe(true);
+    expect(isSupportedFile('test.py')).toBe(true);
+    expect(isSupportedFile('test.txt')).toBe(false);
+  });
+});
+describe('Fingerprinting', () => {
+  it('should generate consistent fingerprints', () => {
+    const fp1 = generateFingerprint('rule1', 'file1', 'content');
+    const fp2 = generateFingerprint('rule1', 'file1', 'content');
+    expect(fp1).toBe(fp2);
+  });
+  it('should generate different fingerprints for different inputs', () => {
+    const fp1 = generateFingerprint('rule1', 'file1', 'content1');
+    const fp2 = generateFingerprint('rule1', 'file1', 'content2');
+    expect(fp1).not.toBe(fp2);
+  });
+  it('should deduplicate findings', () => {
+    const findings = [
+      { fingerprint: 'aaa', title: 'Finding 1' },
+      { fingerprint: 'bbb', title: 'Finding 2' },
+      { fingerprint: 'aaa', title: 'Finding 1 duplicate' },
+    ];
+    const deduped = deduplicateFindings(findings);
+    expect(deduped.length).toBe(2);
+  });
+});

package/dist/ai/anthropic.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { AIFinding } from '../core/severity';
+import { AIProvider } from './provider';
+export declare class AnthropicProvider implements AIProvider {
+    name: string;
+    private apiKey;
+    constructor();
+    isAvailable(): boolean;
+    analyze(code: string, context: string): Promise<AIFinding[]>;
+    private callDirectAPI;
+}
+//# sourceMappingURL=anthropic.d.ts.map

package/dist/ai/anthropic.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../src/ai/anthropic.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAmB,MAAM,YAAY,CAAC;AAGzD,qBAAa,iBAAkB,YAAW,UAAU;IAClD,IAAI,SAAe;IACnB,OAAO,CAAC,MAAM,CAAqB;;IAMnC,WAAW,IAAI,OAAO;IAIhB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YAmCpD,aAAa;CA8B5B"}

package/dist/ai/anthropic.js ADDED Viewed

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AnthropicProvider = void 0;
+const provider_1 = require("./provider");
+const prompts_1 = require("./prompts");
+class AnthropicProvider {
+    name = 'anthropic';
+    apiKey;
+    constructor() {
+        this.apiKey = process.env.ANTHROPIC_API_KEY;
+    }
+    isAvailable() {
+        return !!this.apiKey;
+    }
+    async analyze(code, context) {
+        if (!this.apiKey)
+            return [];
+        const prompt = (0, prompts_1.buildAnalysisPrompt)(code, context, 'security');
+        try {
+            // Try to use the SDK if available
+            const Anthropic = require('@anthropic-ai/sdk');
+            const client = new Anthropic({ apiKey: this.apiKey });
+            const response = await client.messages.create({
+                model: 'claude-sonnet-4-5-20250929',
+                max_tokens: 4096,
+                messages: [{
+                        role: 'user',
+                        content: prompt,
+                    }],
+            });
+            const text = response.content
+                .filter((c) => c.type === 'text')
+                .map((c) => c.text)
+                .join('');
+            return (0, provider_1.parseAIResponse)(text);
+        }
+        catch (sdkError) {
+            // Fallback to direct API call
+            try {
+                return await this.callDirectAPI(prompt);
+            }
+            catch {
+                return [];
+            }
+        }
+    }
+    async callDirectAPI(prompt) {
+        const response = await fetch('https://api.anthropic.com/v1/messages', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-api-key': this.apiKey,
+                'anthropic-version': '2023-06-01',
+            },
+            body: JSON.stringify({
+                model: 'claude-sonnet-4-5-20250929',
+                max_tokens: 4096,
+                messages: [{
+                        role: 'user',
+                        content: prompt,
+                    }],
+            }),
+        });
+        if (!response.ok) {
+            throw new Error(`Anthropic API error: ${response.status}`);
+        }
+        const data = await response.json();
+        const text = data.content
+            ?.filter((c) => c.type === 'text')
+            ?.map((c) => c.text)
+            ?.join('') || '';
+        return (0, provider_1.parseAIResponse)(text);
+    }
+}
+exports.AnthropicProvider = AnthropicProvider;
+//# sourceMappingURL=anthropic.js.map

package/dist/ai/anthropic.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"anthropic.js","sourceRoot":"","sources":["../../src/ai/anthropic.ts"],"names":[],"mappings":";;;AACA,yCAAyD;AACzD,uCAAgD;AAEhD,MAAa,iBAAiB;IAC5B,IAAI,GAAG,WAAW,CAAC;IACX,MAAM,CAAqB;IAEnC;QACE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC9C,CAAC;IAED,WAAW;QACT,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY,EAAE,OAAe;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAE5B,MAAM,MAAM,GAAG,IAAA,6BAAmB,EAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QAE9D,IAAI,CAAC;YACH,kCAAkC;YAClC,MAAM,SAAS,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAC5C,KAAK,EAAE,4BAA4B;gBACnC,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,CAAC;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,MAAM;qBAChB,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO;iBAC1B,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;iBACrC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;iBACvB,IAAI,CAAC,EAAE,CAAC,CAAC;YAEZ,OAAO,IAAA,0BAAe,EAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,QAAQ,EAAE,CAAC;YAClB,8BAA8B;YAC9B,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,MAAc;QACxC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,uCAAuC,EAAE;YACpE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,WAAW,EAAE,IAAI,CAAC,MAAO;gBACzB,mBAAmB,EAAE,YAAY;aAClC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,4BAA4B;gBACnC,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,CAAC;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,MAAM;qBAChB,CAAC;aACH,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,wBAAwB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO;YACvB,EAAE,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;YACvC,EAAE,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YACzB,EAAE,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QAEnB,OAAO,IAAA,0BAAe,EAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AA7ED,8CA6EC"}

package/dist/ai/huggingface.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { AIFinding } from '../core/severity';
+import { AIProvider } from './provider';
+export declare class HuggingFaceProvider implements AIProvider {
+    name: string;
+    private token;
+    private model;
+    constructor(model?: string);
+    isAvailable(): boolean;
+    analyze(code: string, context: string): Promise<AIFinding[]>;
+    private callAPI;
+}
+//# sourceMappingURL=huggingface.d.ts.map

package/dist/ai/huggingface.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"huggingface.d.ts","sourceRoot":"","sources":["../../src/ai/huggingface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAmB,MAAM,YAAY,CAAC;AAOzD,qBAAa,mBAAoB,YAAW,UAAU;IACpD,IAAI,SAAiB;IACrB,OAAO,CAAC,KAAK,CAAqB;IAClC,OAAO,CAAC,KAAK,CAAS;gBAEV,KAAK,CAAC,EAAE,MAAM;IAK1B,WAAW,IAAI,OAAO;IAIhB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YAiBpD,OAAO;CAoCtB"}

package/dist/ai/huggingface.js ADDED Viewed

@@ -0,0 +1,95 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HuggingFaceProvider = void 0;
+const provider_1 = require("./provider");
+const prompts_1 = require("./prompts");
+const DEFAULT_MODEL = 'Qwen/Qwen2.5-Coder-32B-Instruct';
+const FALLBACK_MODEL = 'bigcode/starcoder2-15b';
+const HF_API_URL = 'https://api-inference.huggingface.co/models';
+class HuggingFaceProvider {
+    name = 'huggingface';
+    token;
+    model;
+    constructor(model) {
+        this.token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;
+        this.model = model || DEFAULT_MODEL;
+    }
+    isAvailable() {
+        return true; // HuggingFace free tier doesn't require a token for some models
+    }
+    async analyze(code, context) {
+        const prompt = (0, prompts_1.buildAnalysisPrompt)(code, context, 'security');
+        try {
+            const response = await this.callAPI(this.model, prompt);
+            return (0, provider_1.parseAIResponse)(response);
+        }
+        catch {
+            try {
+                // Fallback to secondary model
+                const response = await this.callAPI(FALLBACK_MODEL, prompt);
+                return (0, provider_1.parseAIResponse)(response);
+            }
+            catch {
+                return [];
+            }
+        }
+    }
+    async callAPI(model, prompt) {
+        const headers = {
+            'Content-Type': 'application/json',
+        };
+        if (this.token) {
+            headers['Authorization'] = `Bearer ${this.token}`;
+        }
+        const body = JSON.stringify({
+            inputs: prompt,
+            parameters: {
+                max_new_tokens: 2048,
+                temperature: 0.1,
+                return_full_text: false,
+            },
+        });
+        const response = await fetchWithRetry(`${HF_API_URL}/${model}`, {
+            method: 'POST',
+            headers,
+            body,
+        });
+        if (!response.ok) {
+            throw new Error(`HuggingFace API error: ${response.status}`);
+        }
+        const data = await response.json();
+        if (Array.isArray(data) && data[0]?.generated_text) {
+            return data[0].generated_text;
+        }
+        return JSON.stringify(data);
+    }
+}
+exports.HuggingFaceProvider = HuggingFaceProvider;
+async function fetchWithRetry(url, options, retries = 3, delay = 1000) {
+    for (let i = 0; i < retries; i++) {
+        try {
+            const response = await fetch(url, options);
+            // If model is loading, wait and retry
+            if (response.status === 503) {
+                const body = await response.json().catch(() => ({}));
+                const estimatedTime = body?.estimated_time || 20;
+                const waitTime = Math.min(estimatedTime * 1000, 30000);
+                await new Promise(resolve => setTimeout(resolve, waitTime));
+                continue;
+            }
+            // Rate limited
+            if (response.status === 429) {
+                await new Promise(resolve => setTimeout(resolve, delay * (i + 1)));
+                continue;
+            }
+            return response;
+        }
+        catch (err) {
+            if (i === retries - 1)
+                throw err;
+            await new Promise(resolve => setTimeout(resolve, delay * (i + 1)));
+        }
+    }
+    throw new Error('Max retries exceeded');
+}
+//# sourceMappingURL=huggingface.js.map

package/dist/ai/huggingface.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"huggingface.js","sourceRoot":"","sources":["../../src/ai/huggingface.ts"],"names":[],"mappings":";;;AACA,yCAAyD;AACzD,uCAAgD;AAEhD,MAAM,aAAa,GAAG,iCAAiC,CAAC;AACxD,MAAM,cAAc,GAAG,wBAAwB,CAAC;AAChD,MAAM,UAAU,GAAG,6CAA6C,CAAC;AAEjE,MAAa,mBAAmB;IAC9B,IAAI,GAAG,aAAa,CAAC;IACb,KAAK,CAAqB;IAC1B,KAAK,CAAS;IAEtB,YAAY,KAAc;QACxB,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACnE,IAAI,CAAC,KAAK,GAAG,KAAK,IAAI,aAAa,CAAC;IACtC,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,CAAC,gEAAgE;IAC/E,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY,EAAE,OAAe;QACzC,MAAM,MAAM,GAAG,IAAA,6BAAmB,EAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QAE9D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACxD,OAAO,IAAA,0BAAe,EAAC,QAAQ,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC;gBACH,8BAA8B;gBAC9B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;gBAC5D,OAAO,IAAA,0BAAe,EAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,KAAa,EAAE,MAAc;QACjD,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;SACnC,CAAC;QAEF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;YAC1B,MAAM,EAAE,MAAM;YACd,UAAU,EAAE;gBACV,cAAc,EAAE,IAAI;gBACpB,WAAW,EAAE,GAAG;gBAChB,gBAAgB,EAAE,KAAK;aACxB;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,GAAG,UAAU,IAAI,KAAK,EAAE,EAAE;YAC9D,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI;SACL,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC;QAChC,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;CACF;AAnED,kDAmEC;AAED,KAAK,UAAU,cAAc,CAC3B,GAAW,EACX,OAAoB,EACpB,UAAkB,CAAC,EACnB,QAAgB,IAAI;IAEpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAE3C,sCAAsC;YACtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBACrD,MAAM,aAAa,GAAI,IAAY,EAAE,cAAc,IAAI,EAAE,CAAC;gBAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,GAAG,IAAI,EAAE,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;gBAC5D,SAAS;YACX,CAAC;YAED,eAAe;YACf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACnE,SAAS;YACX,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,KAAK,OAAO,GAAG,CAAC;gBAAE,MAAM,GAAG,CAAC;YACjC,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;AAC1C,CAAC"}

package/dist/ai/openai.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { AIFinding } from '../core/severity';
+import { AIProvider } from './provider';
+export declare class OpenAIProvider implements AIProvider {
+    name: string;
+    private apiKey;
+    constructor();
+    isAvailable(): boolean;
+    analyze(code: string, context: string): Promise<AIFinding[]>;
+    private callDirectAPI;
+}
+//# sourceMappingURL=openai.d.ts.map

package/dist/ai/openai.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../src/ai/openai.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAmB,MAAM,YAAY,CAAC;AAGzD,qBAAa,cAAe,YAAW,UAAU;IAC/C,IAAI,SAAY;IAChB,OAAO,CAAC,MAAM,CAAqB;;IAMnC,WAAW,IAAI,OAAO;IAIhB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YAgCpD,aAAa;CA0B5B"}

package/dist/ai/openai.js ADDED Viewed

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenAIProvider = void 0;
+const provider_1 = require("./provider");
+const prompts_1 = require("./prompts");
+class OpenAIProvider {
+    name = 'openai';
+    apiKey;
+    constructor() {
+        this.apiKey = process.env.OPENAI_API_KEY;
+    }
+    isAvailable() {
+        return !!this.apiKey;
+    }
+    async analyze(code, context) {
+        if (!this.apiKey)
+            return [];
+        const prompt = (0, prompts_1.buildAnalysisPrompt)(code, context, 'security');
+        try {
+            // Try to use the SDK if available
+            const OpenAI = require('openai');
+            const client = new OpenAI({ apiKey: this.apiKey });
+            const response = await client.chat.completions.create({
+                model: 'gpt-4o',
+                messages: [{
+                        role: 'user',
+                        content: prompt,
+                    }],
+                temperature: 0.1,
+                max_tokens: 4096,
+            });
+            const text = response.choices[0]?.message?.content || '';
+            return (0, provider_1.parseAIResponse)(text);
+        }
+        catch (sdkError) {
+            // Fallback to direct API call
+            try {
+                return await this.callDirectAPI(prompt);
+            }
+            catch {
+                return [];
+            }
+        }
+    }
+    async callDirectAPI(prompt) {
+        const response = await fetch('https://api.openai.com/v1/chat/completions', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${this.apiKey}`,
+            },
+            body: JSON.stringify({
+                model: 'gpt-4o',
+                messages: [{
+                        role: 'user',
+                        content: prompt,
+                    }],
+                temperature: 0.1,
+                max_tokens: 4096,
+            }),
+        });
+        if (!response.ok) {
+            throw new Error(`OpenAI API error: ${response.status}`);
+        }
+        const data = await response.json();
+        const text = data.choices?.[0]?.message?.content || '';
+        return (0, provider_1.parseAIResponse)(text);
+    }
+}
+exports.OpenAIProvider = OpenAIProvider;
+//# sourceMappingURL=openai.js.map

package/dist/ai/openai.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"openai.js","sourceRoot":"","sources":["../../src/ai/openai.ts"],"names":[],"mappings":";;;AACA,yCAAyD;AACzD,uCAAgD;AAEhD,MAAa,cAAc;IACzB,IAAI,GAAG,QAAQ,CAAC;IACR,MAAM,CAAqB;IAEnC;QACE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC3C,CAAC;IAED,WAAW;QACT,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY,EAAE,OAAe;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAE5B,MAAM,MAAM,GAAG,IAAA,6BAAmB,EAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QAE9D,IAAI,CAAC;YACH,kCAAkC;YAClC,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;YACjC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YAEnD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;gBACpD,KAAK,EAAE,QAAQ;gBACf,QAAQ,EAAE,CAAC;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,MAAM;qBAChB,CAAC;gBACF,WAAW,EAAE,GAAG;gBAChB,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;YAEH,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;YACzD,OAAO,IAAA,0BAAe,EAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,QAAQ,EAAE,CAAC;YAClB,8BAA8B;YAC9B,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,MAAc;QACxC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,4CAA4C,EAAE;YACzE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;aACzC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,QAAQ;gBACf,QAAQ,EAAE,CAAC;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,MAAM;qBAChB,CAAC;gBACF,WAAW,EAAE,GAAG;gBAChB,UAAU,EAAE,IAAI;aACjB,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,qBAAqB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACvD,OAAO,IAAA,0BAAe,EAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;CACF;AAtED,wCAsEC"}

package/dist/ai/prompts.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export declare const SECURITY_ANALYSIS_PROMPT = "You are a senior application security engineer performing a code review. Analyze the following code for security vulnerabilities.\n\nLook for:\n1. **Injection flaws** \u2014 SQL injection, command injection, XSS, LDAP injection, template injection\n2. **Authentication/Authorization bugs** \u2014 bypass conditions, privilege escalation, session issues\n3. **Cryptographic weaknesses** \u2014 weak algorithms, hardcoded keys, insecure randomness\n4. **Business logic vulnerabilities** \u2014 race conditions, TOCTOU, integer overflow, logic bypasses\n5. **Data exposure** \u2014 sensitive data in logs, responses, URLs, or error messages\n6. **Insecure configurations** \u2014 debug modes, permissive CORS, missing security headers\n7. **Novel attack vectors** \u2014 unusual patterns that could be exploited\n\nFor each vulnerability found, respond in this exact JSON format:\n{\n  \"findings\": [\n    {\n      \"title\": \"Brief vulnerability title\",\n      \"description\": \"Detailed explanation of the vulnerability and its impact\",\n      \"severity\": \"critical|high|medium|low|info\",\n      \"confidence\": \"high|medium|low\",\n      \"line\": <line_number_or_null>,\n      \"cwe\": \"CWE-XXX\",\n      \"remediation\": \"How to fix the issue\"\n    }\n  ]\n}\n\nIf no vulnerabilities are found, return: { \"findings\": [] }\n\nBe precise and avoid false positives. Only report genuine security concerns.";
+export declare const SECRETS_ANALYSIS_PROMPT = "You are a secrets detection specialist. Analyze the following code for hardcoded secrets, credentials, API keys, tokens, and sensitive configuration.\n\nLook for:\n- API keys (AWS, GCP, Azure, Stripe, SendGrid, Twilio, etc.)\n- Passwords and credentials\n- Private keys and certificates\n- Database connection strings with credentials\n- OAuth client secrets\n- JWT secrets\n- Encryption keys\n- Webhook URLs with tokens\n\nRespond in JSON format:\n{\n  \"findings\": [\n    {\n      \"title\": \"Type of secret found\",\n      \"description\": \"What was found and why it's a risk\",\n      \"severity\": \"critical|high|medium\",\n      \"confidence\": \"high|medium|low\",\n      \"line\": <line_number_or_null>,\n      \"cwe\": \"CWE-798\",\n      \"remediation\": \"How to properly handle this secret\"\n    }\n  ]\n}";
+export declare const ZERO_DAY_PROMPT = "You are an elite security researcher analyzing code for novel, zero-day class vulnerabilities that standard scanners would miss.\n\nFocus on:\n1. **Logic bugs** \u2014 Subtle flaws in business logic, authentication flows, or authorization checks\n2. **Race conditions** \u2014 Time-of-check to time-of-use bugs, concurrent access issues\n3. **Type confusion** \u2014 Unexpected type coercion leading to security bypass\n4. **Integer issues** \u2014 Overflow, underflow, truncation leading to security impacts\n5. **State management** \u2014 Inconsistent state that could be exploited\n6. **Error handling** \u2014 Errors that leak info or bypass security checks\n7. **Deserialization** \u2014 Unsafe data handling leading to code execution\n8. **Side channels** \u2014 Timing attacks, cache-based attacks\n\nOnly report findings you have HIGH confidence in. These should be genuine, exploitable issues.\n\nRespond in JSON format:\n{\n  \"findings\": [\n    {\n      \"title\": \"Vulnerability title\",\n      \"description\": \"Detailed technical explanation\",\n      \"severity\": \"critical|high|medium\",\n      \"confidence\": \"high|medium\",\n      \"line\": <line_number_or_null>,\n      \"cwe\": \"CWE-XXX\",\n      \"remediation\": \"Specific fix\"\n    }\n  ]\n}";
+export declare function buildAnalysisPrompt(code: string, context: string, promptType?: 'security' | 'secrets' | 'zeroday'): string;
+//# sourceMappingURL=prompts.d.ts.map

package/dist/ai/prompts.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"prompts.d.ts","sourceRoot":"","sources":["../../src/ai/prompts.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,wBAAwB,+4CA4BwC,CAAC;AAE9E,eAAO,MAAM,uBAAuB,2zBAyBlC,CAAC;AAEH,eAAO,MAAM,eAAe,8vCA2B1B,CAAC;AAEH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,GAAE,UAAU,GAAG,SAAS,GAAG,SAAsB,GAAG,MAAM,CAatI"}

package/dist/ai/prompts.js ADDED Viewed

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ZERO_DAY_PROMPT = exports.SECRETS_ANALYSIS_PROMPT = exports.SECURITY_ANALYSIS_PROMPT = void 0;
+exports.buildAnalysisPrompt = buildAnalysisPrompt;
+exports.SECURITY_ANALYSIS_PROMPT = `You are a senior application security engineer performing a code review. Analyze the following code for security vulnerabilities.
+Look for:
+1. **Injection flaws** — SQL injection, command injection, XSS, LDAP injection, template injection
+2. **Authentication/Authorization bugs** — bypass conditions, privilege escalation, session issues
+3. **Cryptographic weaknesses** — weak algorithms, hardcoded keys, insecure randomness
+4. **Business logic vulnerabilities** — race conditions, TOCTOU, integer overflow, logic bypasses
+5. **Data exposure** — sensitive data in logs, responses, URLs, or error messages
+6. **Insecure configurations** — debug modes, permissive CORS, missing security headers
+7. **Novel attack vectors** — unusual patterns that could be exploited
+For each vulnerability found, respond in this exact JSON format:
+{
+  "findings": [
+    {
+      "title": "Brief vulnerability title",
+      "description": "Detailed explanation of the vulnerability and its impact",
+      "severity": "critical|high|medium|low|info",
+      "confidence": "high|medium|low",
+      "line": <line_number_or_null>,
+      "cwe": "CWE-XXX",
+      "remediation": "How to fix the issue"
+    }
+  ]
+}
+If no vulnerabilities are found, return: { "findings": [] }
+Be precise and avoid false positives. Only report genuine security concerns.`;
+exports.SECRETS_ANALYSIS_PROMPT = `You are a secrets detection specialist. Analyze the following code for hardcoded secrets, credentials, API keys, tokens, and sensitive configuration.
+Look for:
+- API keys (AWS, GCP, Azure, Stripe, SendGrid, Twilio, etc.)
+- Passwords and credentials
+- Private keys and certificates
+- Database connection strings with credentials
+- OAuth client secrets
+- JWT secrets
+- Encryption keys
+- Webhook URLs with tokens
+Respond in JSON format:
+{
+  "findings": [
+    {
+      "title": "Type of secret found",
+      "description": "What was found and why it's a risk",
+      "severity": "critical|high|medium",
+      "confidence": "high|medium|low",
+      "line": <line_number_or_null>,
+      "cwe": "CWE-798",
+      "remediation": "How to properly handle this secret"
+    }
+  ]
+}`;
+exports.ZERO_DAY_PROMPT = `You are an elite security researcher analyzing code for novel, zero-day class vulnerabilities that standard scanners would miss.
+Focus on:
+1. **Logic bugs** — Subtle flaws in business logic, authentication flows, or authorization checks
+2. **Race conditions** — Time-of-check to time-of-use bugs, concurrent access issues
+3. **Type confusion** — Unexpected type coercion leading to security bypass
+4. **Integer issues** — Overflow, underflow, truncation leading to security impacts
+5. **State management** — Inconsistent state that could be exploited
+6. **Error handling** — Errors that leak info or bypass security checks
+7. **Deserialization** — Unsafe data handling leading to code execution
+8. **Side channels** — Timing attacks, cache-based attacks
+Only report findings you have HIGH confidence in. These should be genuine, exploitable issues.
+Respond in JSON format:
+{
+  "findings": [
+    {
+      "title": "Vulnerability title",
+      "description": "Detailed technical explanation",
+      "severity": "critical|high|medium",
+      "confidence": "high|medium",
+      "line": <line_number_or_null>,
+      "cwe": "CWE-XXX",
+      "remediation": "Specific fix"
+    }
+  ]
+}`;
+function buildAnalysisPrompt(code, context, promptType = 'security') {
+    const prompt = promptType === 'secrets' ? exports.SECRETS_ANALYSIS_PROMPT
+        : promptType === 'zeroday' ? exports.ZERO_DAY_PROMPT
+            : exports.SECURITY_ANALYSIS_PROMPT;
+    return `${prompt}
+Context: ${context}
+Code to analyze:
+\`\`\`
+${code}
+\`\`\``;
+}
+//# sourceMappingURL=prompts.js.map

package/dist/ai/prompts.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"prompts.js","sourceRoot":"","sources":["../../src/ai/prompts.ts"],"names":[],"mappings":";;;AAsFA,kDAaC;AAnGY,QAAA,wBAAwB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;6EA4BqC,CAAC;AAEjE,QAAA,uBAAuB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;EAyBrC,CAAC;AAEU,QAAA,eAAe,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2B7B,CAAC;AAEH,SAAgB,mBAAmB,CAAC,IAAY,EAAE,OAAe,EAAE,aAAiD,UAAU;IAC5H,MAAM,MAAM,GAAG,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,+BAAuB;QAC/D,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,uBAAe;YAC5C,CAAC,CAAC,gCAAwB,CAAC;IAE7B,OAAO,GAAG,MAAM;;WAEP,OAAO;;;;EAIhB,IAAI;OACC,CAAC;AACR,CAAC"}

package/dist/ai/provider.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import { AIFinding } from '../core/severity';
+export interface AIProvider {
+    name: string;
+    analyze(code: string, context: string): Promise<AIFinding[]>;
+    isAvailable(): boolean;
+}
+export declare function getAvailableProvider(preferred?: string): AIProvider | null;
+export declare function parseAIResponse(response: string): AIFinding[];
+//# sourceMappingURL=provider.d.ts.map