npm - graphql-sentinel - Versions diffs - 1.0.0 - Mend

graphql-sentinel 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/cli.cjs ADDED Viewed

@@ -0,0 +1,1834 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+// src/cli.ts
+var import_commander3 = require("commander");
+// src/cli/scan.ts
+var import_commander = require("commander");
+// src/scanner/checks/introspection.ts
+var introspectionCheck = {
+  name: "introspection",
+  severity: "medium",
+  async run(endpoint, headers) {
+    const query = "{ __schema { types { name } } }";
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...headers
+        },
+        body: JSON.stringify({ query })
+      });
+      const body = await response.json();
+      const hasSchema = body?.data?.__schema?.types?.length > 0;
+      return {
+        check: "introspection",
+        severity: "medium",
+        passed: !hasSchema,
+        title: "Introspection Enabled",
+        description: hasSchema ? "GraphQL introspection is enabled, exposing the full API schema to attackers." : "GraphQL introspection is properly disabled.",
+        remediation: "Disable introspection in production to prevent schema exposure.",
+        details: {
+          introspectionEnabled: hasSchema,
+          typesFound: hasSchema ? body.data.__schema.types.length : 0
+        }
+      };
+    } catch (error) {
+      return {
+        check: "introspection",
+        severity: "medium",
+        passed: true,
+        title: "Introspection Enabled",
+        description: "Could not perform introspection query (likely disabled or endpoint unreachable).",
+        remediation: "Disable introspection in production to prevent schema exposure.",
+        details: { error: String(error) }
+      };
+    }
+  }
+};
+// src/scanner/checks/depth-limit.ts
+var depthLimitCheck = {
+  name: "depth-limit",
+  severity: "high",
+  async run(endpoint, headers) {
+    const depth = 20;
+    let current = "__typename";
+    for (let i = depth; i >= 0; i--) {
+      current = `d${i}: __type(name: "Query") { ${current} }`;
+    }
+    const query = `{ ${current} }`;
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...headers
+        },
+        body: JSON.stringify({ query })
+      });
+      const body = await response.json();
+      const hasErrors = body?.errors?.length > 0;
+      const depthError = body?.errors?.some(
+        (e) => e.message.toLowerCase().includes("depth") || e.message.toLowerCase().includes("too complex") || e.message.toLowerCase().includes("max") || e.message.toLowerCase().includes("limit")
+      );
+      if (depthError) {
+        return {
+          check: "depth-limit",
+          severity: "high",
+          passed: true,
+          title: "No Query Depth Limit",
+          description: "Server properly enforces query depth limits.",
+          remediation: "Enforce query depth limits to prevent deeply nested query attacks.",
+          details: { depthTested: depth, blocked: true }
+        };
+      }
+      const noDepthLimit = !hasErrors || !depthError;
+      return {
+        check: "depth-limit",
+        severity: "high",
+        passed: !noDepthLimit,
+        title: "No Query Depth Limit",
+        description: noDepthLimit ? "Server does not enforce query depth limits, enabling denial-of-service via deeply nested queries." : "Server properly enforces query depth limits.",
+        remediation: "Enforce query depth limits to prevent deeply nested query attacks.",
+        details: { depthTested: depth, blocked: !noDepthLimit }
+      };
+    } catch (error) {
+      return {
+        check: "depth-limit",
+        severity: "high",
+        passed: true,
+        title: "No Query Depth Limit",
+        description: "Could not test query depth (endpoint unreachable or request failed).",
+        remediation: "Enforce query depth limits to prevent deeply nested query attacks.",
+        details: { error: String(error) }
+      };
+    }
+  }
+};
+// src/scanner/checks/batch-attack.ts
+var batchAttackCheck = {
+  name: "batch-attack",
+  severity: "medium",
+  async run(endpoint, headers) {
+    const singleQuery = { query: "{ __typename }" };
+    const batchPayload = Array.from({ length: 10 }, () => ({ ...singleQuery }));
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...headers
+        },
+        body: JSON.stringify(batchPayload)
+      });
+      const body = await response.json();
+      const isBatchResponse = Array.isArray(body) && body.length === 10;
+      return {
+        check: "batch-attack",
+        severity: "medium",
+        passed: !isBatchResponse,
+        title: "Batch Queries Allowed",
+        description: isBatchResponse ? "Server accepts batched queries, enabling amplification attacks." : "Server does not accept batched queries.",
+        remediation: "Disable or limit batch query support to prevent query amplification attacks.",
+        details: {
+          batchSize: 10,
+          batchAccepted: isBatchResponse,
+          responseType: Array.isArray(body) ? "array" : typeof body
+        }
+      };
+    } catch (error) {
+      return {
+        check: "batch-attack",
+        severity: "medium",
+        passed: true,
+        title: "Batch Queries Allowed",
+        description: "Could not test batch queries (endpoint unreachable or request failed).",
+        remediation: "Disable or limit batch query support to prevent query amplification attacks.",
+        details: { error: String(error) }
+      };
+    }
+  }
+};
+// src/scanner/checks/field-suggestion.ts
+var fieldSuggestionCheck = {
+  name: "field-suggestion",
+  severity: "low",
+  async run(endpoint, headers) {
+    const query = "{ __schemax }";
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...headers
+        },
+        body: JSON.stringify({ query })
+      });
+      const body = await response.json();
+      const errorMessages = (body?.errors || []).map((e) => e.message).join(" ");
+      const hasSuggestions = errorMessages.toLowerCase().includes("did you mean") || errorMessages.toLowerCase().includes("do you mean");
+      return {
+        check: "field-suggestion",
+        severity: "low",
+        passed: !hasSuggestions,
+        title: "Field Suggestions Exposed",
+        description: hasSuggestions ? "Server exposes field suggestions in error messages, aiding schema discovery." : "Server does not expose field suggestions in error messages.",
+        remediation: "Disable field suggestions in production to prevent schema enumeration via error messages.",
+        details: {
+          suggestionsExposed: hasSuggestions,
+          errorMessages: errorMessages.substring(0, 500)
+        }
+      };
+    } catch (error) {
+      return {
+        check: "field-suggestion",
+        severity: "low",
+        passed: true,
+        title: "Field Suggestions Exposed",
+        description: "Could not test field suggestions (endpoint unreachable or request failed).",
+        remediation: "Disable field suggestions in production to prevent schema enumeration via error messages.",
+        details: { error: String(error) }
+      };
+    }
+  }
+};
+// src/scanner/checks/alias-overloading.ts
+var aliasOverloadingCheck = {
+  name: "alias-overloading",
+  severity: "medium",
+  async run(endpoint, headers) {
+    const aliasCount = 100;
+    const aliases = Array.from({ length: aliasCount }, (_, i) => `a${i}: __typename`).join(" ");
+    const query = `{ ${aliases} }`;
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...headers
+        },
+        body: JSON.stringify({ query })
+      });
+      const body = await response.json();
+      const hasData2 = body?.data !== void 0 && body?.data !== null;
+      const aliasKeys = hasData2 ? Object.keys(body.data) : [];
+      const allAliasesResolved = aliasKeys.length >= aliasCount;
+      const hasAliasError = body?.errors?.some(
+        (e) => e.message.toLowerCase().includes("alias") || e.message.toLowerCase().includes("too many") || e.message.toLowerCase().includes("limit")
+      );
+      const passed = hasAliasError || !allAliasesResolved;
+      return {
+        check: "alias-overloading",
+        severity: "medium",
+        passed,
+        title: "Alias Overloading Possible",
+        description: passed ? "Server properly limits the number of aliases in a query." : `Server accepted ${aliasCount} aliases without restriction, enabling alias-based DoS attacks.`,
+        remediation: "Implement alias limits to prevent denial-of-service via alias overloading.",
+        details: {
+          aliasesTested: aliasCount,
+          aliasesAccepted: aliasKeys.length,
+          blocked: passed
+        }
+      };
+    } catch (error) {
+      return {
+        check: "alias-overloading",
+        severity: "medium",
+        passed: true,
+        title: "Alias Overloading Possible",
+        description: "Could not test alias overloading (endpoint unreachable or request failed).",
+        remediation: "Implement alias limits to prevent denial-of-service via alias overloading.",
+        details: { error: String(error) }
+      };
+    }
+  }
+};
+// src/scanner/checks/csrf.ts
+var csrfCheck = {
+  name: "csrf",
+  severity: "high",
+  async run(endpoint, headers) {
+    const query = encodeURIComponent("{ __typename }");
+    const url = `${endpoint}?query=${query}`;
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        headers: {
+          ...headers
+        }
+      });
+      const body = await response.json();
+      const hasData2 = body?.data?.__typename !== void 0;
+      return {
+        check: "csrf",
+        severity: "high",
+        passed: !hasData2,
+        title: "GET Mutations Allowed (CSRF Risk)",
+        description: hasData2 ? "Server accepts GraphQL queries via GET requests, which can be exploited for CSRF attacks on mutations." : "Server does not accept GraphQL queries via GET requests.",
+        remediation: "Disable GET method for GraphQL queries, or at minimum restrict GET to only allow queries (not mutations).",
+        details: {
+          getRequestAccepted: hasData2,
+          statusCode: response.status
+        }
+      };
+    } catch (error) {
+      return {
+        check: "csrf",
+        severity: "high",
+        passed: true,
+        title: "GET Mutations Allowed (CSRF Risk)",
+        description: "Could not test CSRF via GET request (endpoint unreachable or request failed).",
+        remediation: "Disable GET method for GraphQL queries, or at minimum restrict GET to only allow queries (not mutations).",
+        details: { error: String(error) }
+      };
+    }
+  }
+};
+// src/scanner/checks/auth-bypass.ts
+var INTROSPECTION_QUERY = `{
+  __schema {
+    queryType { name }
+    types {
+      name
+      kind
+      fields {
+        name
+        type { name kind ofType { name kind } }
+      }
+    }
+  }
+}`;
+function findFirstQueryField(schemaData) {
+  const types = schemaData?.__schema?.types;
+  if (!Array.isArray(types)) return null;
+  const queryTypeName = schemaData?.__schema?.queryType?.name || "Query";
+  const queryType = types.find((t) => t.name === queryTypeName);
+  if (!queryType?.fields || !Array.isArray(queryType.fields)) return null;
+  for (const field of queryType.fields) {
+    if (field.name.startsWith("__")) continue;
+    return field.name;
+  }
+  return null;
+}
+async function sendQuery(endpoint, query, headers) {
+  try {
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...headers
+      },
+      body: JSON.stringify({ query })
+    });
+    const body = await response.json();
+    return { status: response.status, body };
+  } catch {
+    return { status: 0, body: null };
+  }
+}
+function isAuthError(body, status) {
+  if (status === 401 || status === 403) return true;
+  if (!body) return false;
+  const errors = body?.errors;
+  if (!Array.isArray(errors)) return false;
+  return errors.some((e) => {
+    const msg = (e.message || "").toLowerCase();
+    const code = (e.extensions?.code || "").toLowerCase();
+    return msg.includes("unauthorized") || msg.includes("unauthenticated") || msg.includes("not authenticated") || msg.includes("authentication required") || msg.includes("access denied") || msg.includes("forbidden") || msg.includes("must be logged in") || msg.includes("not allowed") || code.includes("unauthenticated") || code.includes("unauthorized") || code.includes("forbidden");
+  });
+}
+function hasData(body) {
+  if (!body) return false;
+  const data = body?.data;
+  if (data === null || data === void 0) return false;
+  if (typeof data === "object") {
+    return Object.values(data).some((v) => v !== null);
+  }
+  return true;
+}
+var authBypassCheck = {
+  name: "auth-bypass",
+  severity: "high",
+  async run(endpoint, headers) {
+    try {
+      const introResult = await sendQuery(endpoint, INTROSPECTION_QUERY, headers);
+      let testField = null;
+      if (introResult.body && hasData(introResult.body)) {
+        testField = findFirstQueryField(introResult.body.data);
+      }
+      const testQuery = testField ? `{ ${testField} }` : "{ __typename }";
+      const noAuthResult = await sendQuery(endpoint, testQuery);
+      const noAuthBlocked = isAuthError(noAuthResult.body, noAuthResult.status);
+      const noAuthHasData = hasData(noAuthResult.body);
+      const emptyAuthResult = await sendQuery(endpoint, testQuery, {
+        Authorization: ""
+      });
+      const emptyAuthBlocked = isAuthError(emptyAuthResult.body, emptyAuthResult.status);
+      const emptyAuthHasData = hasData(emptyAuthResult.body);
+      const invalidTokenResult = await sendQuery(endpoint, testQuery, {
+        Authorization: "Bearer invalid_token_sentinel_test"
+      });
+      const invalidTokenBlocked = isAuthError(invalidTokenResult.body, invalidTokenResult.status);
+      const invalidTokenHasData = hasData(invalidTokenResult.body);
+      if (headers && (headers["Authorization"] || headers["authorization"])) {
+        await sendQuery(endpoint, testQuery, headers);
+      }
+      const allBlocked = noAuthBlocked && emptyAuthBlocked && invalidTokenBlocked;
+      const anyDataLeaked = noAuthHasData || emptyAuthHasData || invalidTokenHasData;
+      const isPublicApi = !headers && noAuthHasData && !noAuthBlocked;
+      if (isPublicApi && !headers) {
+        return {
+          check: "auth-bypass",
+          severity: "info",
+          passed: true,
+          title: "Authorization Bypass Detection",
+          description: "API appears to be publicly accessible without authentication. Verify this is intentional.",
+          remediation: "If this API should require authentication, implement proper auth middleware.",
+          details: {
+            publicApi: true,
+            noAuthBlocked,
+            emptyAuthBlocked,
+            invalidTokenBlocked,
+            testQuery
+          }
+        };
+      }
+      if (allBlocked) {
+        return {
+          check: "auth-bypass",
+          severity: "high",
+          passed: true,
+          title: "Authorization Bypass Detection",
+          description: "All unauthorized requests were properly rejected. Authorization checks appear to be in place.",
+          remediation: "Continue enforcing authorization checks on all fields and mutations.",
+          details: {
+            noAuthBlocked,
+            emptyAuthBlocked,
+            invalidTokenBlocked,
+            testQuery
+          }
+        };
+      }
+      if (anyDataLeaked) {
+        const bypasses = [];
+        if (noAuthHasData) bypasses.push("no-auth-header");
+        if (emptyAuthHasData) bypasses.push("empty-auth-header");
+        if (invalidTokenHasData) bypasses.push("invalid-bearer-token");
+        return {
+          check: "auth-bypass",
+          severity: "high",
+          passed: false,
+          title: "Authorization Bypass Detection",
+          description: `Data was returned without valid authorization via: ${bypasses.join(", ")}. The API may have missing or improperly configured authorization.`,
+          remediation: "Ensure all queries require proper authentication. Validate authorization tokens on every request and verify field-level authorization is enforced.",
+          details: {
+            noAuthBlocked,
+            noAuthHasData,
+            emptyAuthBlocked,
+            emptyAuthHasData,
+            invalidTokenBlocked,
+            invalidTokenHasData,
+            bypasses,
+            testQuery
+          }
+        };
+      }
+      return {
+        check: "auth-bypass",
+        severity: "high",
+        passed: true,
+        title: "Authorization Bypass Detection",
+        description: "Unauthorized requests did not return data. Authorization appears to be configured.",
+        remediation: "Continue enforcing authorization checks on all fields and mutations.",
+        details: {
+          noAuthBlocked,
+          emptyAuthBlocked,
+          invalidTokenBlocked,
+          testQuery
+        }
+      };
+    } catch (error) {
+      return {
+        check: "auth-bypass",
+        severity: "high",
+        passed: true,
+        title: "Authorization Bypass Detection",
+        description: "Could not perform authorization bypass check (endpoint unreachable or request failed).",
+        remediation: "Ensure all queries require proper authentication and retry the scan.",
+        details: { error: String(error) }
+      };
+    }
+  }
+};
+// src/scanner/checks/index.ts
+var allChecks = [
+  introspectionCheck,
+  depthLimitCheck,
+  batchAttackCheck,
+  fieldSuggestionCheck,
+  aliasOverloadingCheck,
+  csrfCheck,
+  authBypassCheck
+];
+function getChecks(names) {
+  if (!names || names.length === 0) {
+    return allChecks;
+  }
+  return allChecks.filter((check) => names.includes(check.name));
+}
+// src/scanner/runner.ts
+async function runScan(config) {
+  const { endpoint, headers, checks: checkNames, timeout = 1e4 } = config;
+  const checks = getChecks(checkNames);
+  const startTime = Date.now();
+  const results = await Promise.all(
+    checks.map(async (check) => {
+      try {
+        const result = await Promise.race([
+          check.run(endpoint, headers),
+          new Promise(
+            (_, reject) => setTimeout(() => reject(new Error(`Check '${check.name}' timed out`)), timeout)
+          )
+        ]);
+        return result;
+      } catch (error) {
+        return {
+          check: check.name,
+          severity: check.severity,
+          passed: true,
+          title: `Check ${check.name}`,
+          description: `Check failed to execute: ${String(error)}`,
+          remediation: "Retry the scan or check endpoint availability.",
+          details: { error: String(error) }
+        };
+      }
+    })
+  );
+  const duration = Date.now() - startTime;
+  const bySeverity = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+  const failed = results.filter((r) => !r.passed);
+  for (const result of failed) {
+    bySeverity[result.severity]++;
+  }
+  return {
+    target: endpoint,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    duration,
+    results,
+    summary: {
+      total: results.length,
+      passed: results.filter((r) => r.passed).length,
+      failed: failed.length,
+      bySeverity
+    }
+  };
+}
+// src/reporter/json.ts
+function generateJsonReport(report) {
+  return JSON.stringify(report, null, 2);
+}
+// src/reporter/terminal.ts
+var COLORS = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  red: "\x1B[31m",
+  green: "\x1B[32m",
+  yellow: "\x1B[33m",
+  blue: "\x1B[34m",
+  magenta: "\x1B[35m",
+  cyan: "\x1B[36m",
+  white: "\x1B[37m",
+  bgRed: "\x1B[41m",
+  bgGreen: "\x1B[42m",
+  bgYellow: "\x1B[43m",
+  bgBlue: "\x1B[44m",
+  bgMagenta: "\x1B[45m"
+};
+function severityColor(severity) {
+  switch (severity) {
+    case "critical":
+      return COLORS.bgRed + COLORS.white;
+    case "high":
+      return COLORS.red;
+    case "medium":
+      return COLORS.yellow;
+    case "low":
+      return COLORS.blue;
+    case "info":
+      return COLORS.dim;
+  }
+}
+function severityBadge(severity) {
+  const color = severityColor(severity);
+  return `${color}[${severity.toUpperCase()}]${COLORS.reset}`;
+}
+function statusIcon(passed) {
+  return passed ? `${COLORS.green}PASS${COLORS.reset}` : `${COLORS.red}FAIL${COLORS.reset}`;
+}
+function formatResult(result) {
+  const lines = [];
+  lines.push(
+    `  ${statusIcon(result.passed)} ${severityBadge(result.severity)} ${COLORS.bold}${result.title}${COLORS.reset}`
+  );
+  lines.push(`       ${COLORS.dim}${result.description}${COLORS.reset}`);
+  if (!result.passed) {
+    lines.push(`       ${COLORS.cyan}Remediation: ${result.remediation}${COLORS.reset}`);
+  }
+  return lines.join("\n");
+}
+function generateTerminalReport(report) {
+  const lines = [];
+  lines.push("");
+  lines.push(
+    `${COLORS.bold}${COLORS.magenta}=== GraphQL Sentinel Security Scan ===${COLORS.reset}`
+  );
+  lines.push(`${COLORS.dim}Target:    ${report.target}${COLORS.reset}`);
+  lines.push(`${COLORS.dim}Timestamp: ${report.timestamp}${COLORS.reset}`);
+  lines.push(`${COLORS.dim}Duration:  ${report.duration}ms${COLORS.reset}`);
+  lines.push("");
+  lines.push(`${COLORS.bold}Results:${COLORS.reset}`);
+  lines.push("");
+  for (const result of report.results) {
+    lines.push(formatResult(result));
+    lines.push("");
+  }
+  lines.push(`${COLORS.bold}${COLORS.magenta}--- Summary ---${COLORS.reset}`);
+  lines.push(`  Total checks: ${report.summary.total}`);
+  lines.push(`  ${COLORS.green}Passed: ${report.summary.passed}${COLORS.reset}`);
+  lines.push(`  ${COLORS.red}Failed: ${report.summary.failed}${COLORS.reset}`);
+  if (report.summary.failed > 0) {
+    lines.push("");
+    lines.push(`  ${COLORS.bold}Failures by severity:${COLORS.reset}`);
+    for (const [severity, count] of Object.entries(report.summary.bySeverity)) {
+      if (count > 0) {
+        lines.push(`    ${severityBadge(severity)} ${count}`);
+      }
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+// src/reporter/html.ts
+function severityColor2(severity) {
+  switch (severity) {
+    case "critical":
+      return "#dc2626";
+    case "high":
+      return "#ea580c";
+    case "medium":
+      return "#ca8a04";
+    case "low":
+      return "#2563eb";
+    case "info":
+      return "#6b7280";
+  }
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+function renderResult(result, index) {
+  const color = severityColor2(result.severity);
+  const statusClass = result.passed ? "pass" : "fail";
+  return `
+    <div class="result ${statusClass}">
+      <div class="result-header" onclick="toggleDetails('details-${index}')">
+        <span class="status-icon">${result.passed ? "&#10004;" : "&#10008;"}</span>
+        <span class="severity-badge" style="background-color: ${color}">${result.severity.toUpperCase()}</span>
+        <span class="result-title">${escapeHtml(result.title)}</span>
+      </div>
+      <div class="result-body">
+        <p class="description">${escapeHtml(result.description)}</p>
+        ${!result.passed ? `<details id="details-${index}">
+            <summary>Remediation</summary>
+            <p class="remediation">${escapeHtml(result.remediation)}</p>
+          </details>` : ""}
+      </div>
+    </div>`;
+}
+function generateHtmlReport(report) {
+  const results = report.results.map((r, i) => renderResult(r, i)).join("\n");
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>GraphQL Sentinel Security Report</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #0f172a; color: #e2e8f0; padding: 2rem; }
+    .container { max-width: 800px; margin: 0 auto; }
+    h1 { color: #a78bfa; margin-bottom: 0.5rem; font-size: 1.5rem; }
+    .meta { color: #94a3b8; font-size: 0.875rem; margin-bottom: 2rem; }
+    .meta span { margin-right: 1.5rem; }
+    .result { background: #1e293b; border-radius: 8px; margin-bottom: 0.75rem; border-left: 4px solid #475569; overflow: hidden; }
+    .result.fail { border-left-color: #ef4444; }
+    .result.pass { border-left-color: #22c55e; }
+    .result-header { display: flex; align-items: center; padding: 0.75rem 1rem; cursor: pointer; gap: 0.75rem; }
+    .result-header:hover { background: #334155; }
+    .status-icon { font-size: 1.1rem; min-width: 1.5rem; text-align: center; }
+    .pass .status-icon { color: #22c55e; }
+    .fail .status-icon { color: #ef4444; }
+    .severity-badge { color: white; padding: 0.15rem 0.5rem; border-radius: 4px; font-size: 0.7rem; font-weight: 600; text-transform: uppercase; }
+    .result-title { font-weight: 600; }
+    .result-body { padding: 0 1rem 0.75rem 3.25rem; }
+    .description { color: #94a3b8; font-size: 0.875rem; margin-bottom: 0.5rem; }
+    details { margin-top: 0.5rem; }
+    summary { color: #60a5fa; cursor: pointer; font-size: 0.875rem; }
+    summary:hover { color: #93c5fd; }
+    .remediation { color: #86efac; font-size: 0.875rem; margin-top: 0.5rem; padding: 0.5rem; background: #1a2e1a; border-radius: 4px; }
+    .summary-box { background: #1e293b; border-radius: 8px; padding: 1.5rem; margin-top: 1.5rem; }
+    .summary-box h2 { color: #a78bfa; margin-bottom: 1rem; font-size: 1.1rem; }
+    .summary-stats { display: flex; gap: 2rem; flex-wrap: wrap; }
+    .stat { text-align: center; }
+    .stat-value { font-size: 1.5rem; font-weight: 700; }
+    .stat-label { font-size: 0.75rem; color: #94a3b8; }
+    .stat-pass .stat-value { color: #22c55e; }
+    .stat-fail .stat-value { color: #ef4444; }
+    .severity-counts { display: flex; gap: 0.5rem; flex-wrap: wrap; margin-top: 1rem; }
+    .severity-count { padding: 0.25rem 0.75rem; border-radius: 4px; font-size: 0.8rem; color: white; }
+    footer { text-align: center; color: #64748b; margin-top: 2rem; font-size: 0.75rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>GraphQL Sentinel Security Report</h1>
+    <div class="meta">
+      <span>Target: ${escapeHtml(report.target)}</span>
+      <span>Date: ${escapeHtml(report.timestamp)}</span>
+      <span>Duration: ${report.duration}ms</span>
+    </div>
+    ${results}
+    <div class="summary-box">
+      <h2>Summary</h2>
+      <div class="summary-stats">
+        <div class="stat">
+          <div class="stat-value">${report.summary.total}</div>
+          <div class="stat-label">Total Checks</div>
+        </div>
+        <div class="stat stat-pass">
+          <div class="stat-value">${report.summary.passed}</div>
+          <div class="stat-label">Passed</div>
+        </div>
+        <div class="stat stat-fail">
+          <div class="stat-value">${report.summary.failed}</div>
+          <div class="stat-label">Failed</div>
+        </div>
+      </div>
+      ${report.summary.failed > 0 ? `<div class="severity-counts">
+          ${Object.entries(report.summary.bySeverity).filter(([_, count]) => count > 0).map(
+    ([severity, count]) => `<span class="severity-count" style="background-color: ${severityColor2(severity)}">${severity}: ${count}</span>`
+  ).join("\n          ")}
+        </div>` : ""}
+    </div>
+    <footer>Generated by GraphQL Sentinel v0.1.0</footer>
+  </div>
+  <script>
+    function toggleDetails(id) {
+      const el = document.getElementById(id);
+      if (el) { el.open = !el.open; }
+    }
+  </script>
+</body>
+</html>`;
+}
+// src/reporter/sarif.ts
+function mapSeverityToSarif(severity) {
+  switch (severity) {
+    case "critical":
+    case "high":
+      return "error";
+    case "medium":
+      return "warning";
+    case "low":
+    case "info":
+      return "note";
+  }
+}
+function generateSarifReport(report) {
+  const sarif = {
+    version: "2.1.0",
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "graphql-sentinel",
+            version: "0.1.0",
+            informationUri: "https://github.com/mstuart/graphql-sentinel",
+            rules: report.results.map((r) => ({
+              id: r.check,
+              name: r.title,
+              shortDescription: { text: r.title },
+              fullDescription: { text: r.description },
+              helpUri: "https://github.com/mstuart/graphql-sentinel",
+              defaultConfiguration: {
+                level: mapSeverityToSarif(r.severity)
+              },
+              properties: {
+                tags: ["security", "graphql"]
+              }
+            }))
+          }
+        },
+        results: report.results.filter((r) => !r.passed).map((r) => ({
+          ruleId: r.check,
+          level: mapSeverityToSarif(r.severity),
+          message: { text: `${r.title}: ${r.description}` },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: report.target }
+              }
+            }
+          ],
+          ...r.remediation ? {
+            fixes: [
+              {
+                description: { text: r.remediation }
+              }
+            ]
+          } : {}
+        }))
+      }
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
+}
+// src/reporter/dashboard.ts
+function escapeHtml2(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+var SEVERITY_WEIGHTS = {
+  critical: 25,
+  high: 20,
+  medium: 10,
+  low: 5,
+  info: 1
+};
+var SEVERITY_COLORS = {
+  critical: "#dc2626",
+  high: "#ea580c",
+  medium: "#ca8a04",
+  low: "#2563eb",
+  info: "#6b7280"
+};
+var CATEGORY_MAP = {
+  introspection: "Information Disclosure",
+  "field-suggestion": "Information Disclosure",
+  "depth-limit": "Denial of Service",
+  "batch-attack": "Denial of Service",
+  "alias-overloading": "Denial of Service",
+  csrf: "Authorization",
+  "auth-bypass": "Authorization"
+};
+function calculatePostureScore(results) {
+  if (results.length === 0) return 100;
+  let totalWeight = 0;
+  let failedWeight = 0;
+  for (const result of results) {
+    const weight = SEVERITY_WEIGHTS[result.severity];
+    totalWeight += weight;
+    if (!result.passed) {
+      failedWeight += weight;
+    }
+  }
+  if (totalWeight === 0) return 100;
+  const score = Math.round((totalWeight - failedWeight) / totalWeight * 100);
+  return Math.max(0, Math.min(100, score));
+}
+function getScoreColor(score) {
+  if (score >= 80) return "#22c55e";
+  if (score >= 60) return "#ca8a04";
+  if (score >= 40) return "#ea580c";
+  return "#dc2626";
+}
+function getScoreLabel(score) {
+  if (score >= 90) return "Excellent";
+  if (score >= 80) return "Good";
+  if (score >= 60) return "Fair";
+  if (score >= 40) return "Poor";
+  return "Critical";
+}
+function generateExecutiveSummary(report, score) {
+  const { summary } = report;
+  const criticalHigh = (summary.bySeverity.critical || 0) + (summary.bySeverity.high || 0);
+  if (score >= 90) {
+    return `The GraphQL endpoint at ${escapeHtml2(report.target)} demonstrates strong security posture with a score of ${score}/100. All ${summary.total} security checks were evaluated, with ${summary.passed} passing. No critical remediation is required at this time.`;
+  }
+  if (score >= 60) {
+    return `The GraphQL endpoint at ${escapeHtml2(report.target)} has a moderate security posture with a score of ${score}/100. Out of ${summary.total} checks, ${summary.failed} issues were identified. ${criticalHigh > 0 ? `${criticalHigh} high-severity issue(s) require immediate attention.` : "Issues found are of moderate severity and should be addressed in the near term."}`;
+  }
+  return `The GraphQL endpoint at ${escapeHtml2(report.target)} requires immediate security attention with a score of ${score}/100. ${summary.failed} out of ${summary.total} checks failed, including ${criticalHigh} high or critical severity issue(s). Immediate remediation is strongly recommended to protect against known attack vectors.`;
+}
+function generateCategoryBreakdown(results) {
+  const categories = {};
+  for (const result of results) {
+    const category = CATEGORY_MAP[result.check] || "Other";
+    if (!categories[category]) {
+      categories[category] = [];
+    }
+    categories[category].push(result);
+  }
+  return categories;
+}
+function generateTimelineSvg(reports) {
+  if (reports.length < 2) return "";
+  const width = 600;
+  const height = 200;
+  const padding = 40;
+  const chartWidth = width - padding * 2;
+  const chartHeight = height - padding * 2;
+  const scores = reports.map((r) => calculatePostureScore(r.results));
+  const maxScore = 100;
+  const minScore = 0;
+  const points = scores.map((score, i) => {
+    const x = padding + i / (scores.length - 1) * chartWidth;
+    const y = padding + chartHeight - (score - minScore) / (maxScore - minScore) * chartHeight;
+    return { x, y, score };
+  });
+  const pathData = points.map((p, i) => `${i === 0 ? "M" : "L"} ${p.x} ${p.y}`).join(" ");
+  const labels = reports.map((r, i) => {
+    const x = padding + i / (reports.length - 1) * chartWidth;
+    const date = new Date(r.timestamp);
+    const label = `${date.getMonth() + 1}/${date.getDate()}`;
+    return `<text x="${x}" y="${height - 5}" text-anchor="middle" fill="#94a3b8" font-size="10">${label}</text>`;
+  });
+  const dots = points.map(
+    (p) => `<circle cx="${p.x}" cy="${p.y}" r="4" fill="${getScoreColor(p.score)}" />
+       <text x="${p.x}" y="${p.y - 10}" text-anchor="middle" fill="#e2e8f0" font-size="11">${p.score}</text>`
+  );
+  const gridLines = [0, 25, 50, 75, 100].map((v) => {
+    const y = padding + chartHeight - v / 100 * chartHeight;
+    return `<line x1="${padding}" y1="${y}" x2="${width - padding}" y2="${y}" stroke="#334155" stroke-width="0.5" />
+            <text x="${padding - 5}" y="${y + 4}" text-anchor="end" fill="#64748b" font-size="10">${v}</text>`;
+  });
+  return `
+    <svg viewBox="0 0 ${width} ${height}" xmlns="http://www.w3.org/2000/svg" style="width:100%;max-width:${width}px;height:auto;">
+      <rect width="${width}" height="${height}" fill="#0f172a" rx="8" />
+      ${gridLines.join("\n")}
+      <path d="${pathData}" fill="none" stroke="#a78bfa" stroke-width="2" />
+      ${dots.join("\n")}
+      ${labels.join("\n")}
+    </svg>`;
+}
+function renderCheckDetail(result, index) {
+  const color = SEVERITY_COLORS[result.severity];
+  const statusClass = result.passed ? "pass" : "fail";
+  const category = CATEGORY_MAP[result.check] || "Other";
+  return `
+    <div class="check-card ${statusClass}">
+      <div class="check-header" onclick="toggleCheck(${index})">
+        <span class="check-status">${result.passed ? "&#10004;" : "&#10008;"}</span>
+        <span class="sev-badge" style="background:${color}">${result.severity.toUpperCase()}</span>
+        <span class="check-name">${escapeHtml2(result.title)}</span>
+        <span class="check-category">${escapeHtml2(category)}</span>
+        <span class="check-chevron" id="chevron-${index}">&#9654;</span>
+      </div>
+      <div class="check-details" id="check-${index}" style="display:none;">
+        <p class="check-desc">${escapeHtml2(result.description)}</p>
+        ${!result.passed ? `<div class="remediation-box"><strong>Remediation:</strong> ${escapeHtml2(result.remediation)}</div>` : ""}
+      </div>
+    </div>`;
+}
+function generateDashboard(reports, config) {
+  if (reports.length === 0) {
+    return "<html><body>No reports provided</body></html>";
+  }
+  const latestReport = reports[reports.length - 1];
+  const score = calculatePostureScore(latestReport.results);
+  const scoreColor = getScoreColor(score);
+  const scoreLabel = getScoreLabel(score);
+  const executiveSummary = generateExecutiveSummary(latestReport, score);
+  const categories = generateCategoryBreakdown(latestReport.results);
+  const timelineSvg = generateTimelineSvg(reports);
+  const title = config?.title || "GraphQL Sentinel Security Dashboard";
+  const checkCards = latestReport.results.map((r, i) => renderCheckDetail(r, i)).join("\n");
+  const categoryCards = Object.entries(categories).map(([cat, results]) => {
+    const catPassed = results.filter((r) => r.passed).length;
+    const catFailed = results.filter((r) => !r.passed).length;
+    const catColor = catFailed > 0 ? "#ef4444" : "#22c55e";
+    return `
+        <div class="cat-card">
+          <div class="cat-header">
+            <span class="cat-icon" style="color:${catColor}">${catFailed > 0 ? "&#9888;" : "&#10004;"}</span>
+            <span class="cat-name">${escapeHtml2(cat)}</span>
+          </div>
+          <div class="cat-stats">
+            <span class="cat-passed">${catPassed} passed</span>
+            <span class="cat-failed">${catFailed} failed</span>
+          </div>
+        </div>`;
+  }).join("\n");
+  const severityCounts = Object.entries(latestReport.summary.bySeverity).filter(([_, count]) => count > 0).map(
+    ([sev, count]) => `<span class="sev-count" style="background:${SEVERITY_COLORS[sev]}">${sev}: ${count}</span>`
+  ).join("\n");
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml2(title)}</title>
+  <style>
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:#0f172a;color:#e2e8f0;padding:1.5rem;min-height:100vh}
+    .dashboard{max-width:1000px;margin:0 auto}
+    h1{color:#a78bfa;font-size:1.4rem;margin-bottom:.25rem}
+    .subtitle{color:#64748b;font-size:.8rem;margin-bottom:1.5rem}
+    .grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(280px,1fr));gap:1rem;margin-bottom:1.5rem}
+    .card{background:#1e293b;border-radius:8px;padding:1.25rem}
+    .score-card{text-align:center;position:relative}
+    .score-ring{position:relative;width:120px;height:120px;margin:0 auto .75rem}
+    .score-ring svg{transform:rotate(-90deg)}
+    .score-value{position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);font-size:2rem;font-weight:700}
+    .score-label{font-size:.85rem;color:#94a3b8;margin-bottom:.5rem}
+    .summary-card p{color:#94a3b8;font-size:.85rem;line-height:1.6}
+    .stats-row{display:flex;gap:1.5rem;flex-wrap:wrap;margin-top:1rem}
+    .stat{text-align:center}
+    .stat-val{font-size:1.3rem;font-weight:700}
+    .stat-lbl{font-size:.7rem;color:#94a3b8;text-transform:uppercase;letter-spacing:.5px}
+    .stat-pass .stat-val{color:#22c55e}
+    .stat-fail .stat-val{color:#ef4444}
+    .severity-row{display:flex;gap:.5rem;flex-wrap:wrap;margin-top:.75rem}
+    .sev-count{padding:.15rem .6rem;border-radius:4px;font-size:.7rem;color:#fff;font-weight:600;text-transform:uppercase}
+    .section-title{color:#a78bfa;font-size:1rem;font-weight:600;margin-bottom:.75rem;padding-bottom:.5rem;border-bottom:1px solid #334155}
+    .timeline-card{margin-bottom:1.5rem}
+    .cat-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(200px,1fr));gap:.75rem;margin-bottom:1.5rem}
+    .cat-card{background:#1e293b;border-radius:8px;padding:1rem}
+    .cat-header{display:flex;align-items:center;gap:.5rem;margin-bottom:.5rem}
+    .cat-icon{font-size:1.1rem}
+    .cat-name{font-weight:600;font-size:.85rem}
+    .cat-stats{display:flex;gap:1rem;font-size:.75rem}
+    .cat-passed{color:#22c55e}
+    .cat-failed{color:#ef4444}
+    .checks-section{margin-bottom:1.5rem}
+    .check-card{background:#1e293b;border-radius:8px;margin-bottom:.5rem;overflow:hidden;border-left:4px solid #475569}
+    .check-card.fail{border-left-color:#ef4444}
+    .check-card.pass{border-left-color:#22c55e}
+    .check-header{display:flex;align-items:center;padding:.75rem 1rem;cursor:pointer;gap:.75rem;user-select:none}
+    .check-header:hover{background:#334155}
+    .check-status{font-size:1rem;min-width:1.25rem;text-align:center}
+    .pass .check-status{color:#22c55e}
+    .fail .check-status{color:#ef4444}
+    .sev-badge{color:#fff;padding:.1rem .45rem;border-radius:3px;font-size:.65rem;font-weight:600;text-transform:uppercase}
+    .check-name{font-weight:600;font-size:.85rem;flex:1}
+    .check-category{font-size:.7rem;color:#64748b;background:#0f172a;padding:.15rem .5rem;border-radius:3px}
+    .check-chevron{color:#64748b;font-size:.7rem;transition:transform .2s}
+    .check-chevron.open{transform:rotate(90deg)}
+    .check-details{padding:.75rem 1rem .75rem 3.5rem;border-top:1px solid #334155}
+    .check-desc{color:#94a3b8;font-size:.8rem;line-height:1.5;margin-bottom:.5rem}
+    .remediation-box{background:#1a2e1a;color:#86efac;font-size:.8rem;padding:.5rem .75rem;border-radius:4px;line-height:1.5}
+    footer{text-align:center;color:#475569;font-size:.7rem;margin-top:2rem;padding-top:1rem;border-top:1px solid #1e293b}
+  </style>
+</head>
+<body>
+  <div class="dashboard">
+    <h1>${escapeHtml2(title)}</h1>
+    <div class="subtitle">Target: ${escapeHtml2(latestReport.target)} | ${escapeHtml2(latestReport.timestamp)} | ${latestReport.duration}ms</div>
+    <div class="grid">
+      <div class="card score-card">
+        <div class="section-title">Security Posture</div>
+        <div class="score-ring">
+          <svg viewBox="0 0 120 120">
+            <circle cx="60" cy="60" r="52" fill="none" stroke="#334155" stroke-width="8"/>
+            <circle cx="60" cy="60" r="52" fill="none" stroke="${scoreColor}" stroke-width="8" stroke-dasharray="${score / 100 * 327} 327" stroke-linecap="round"/>
+          </svg>
+          <div class="score-value" style="color:${scoreColor}">${score}</div>
+        </div>
+        <div class="score-label">${scoreLabel}</div>
+        <div class="stats-row">
+          <div class="stat"><div class="stat-val">${latestReport.summary.total}</div><div class="stat-lbl">Total</div></div>
+          <div class="stat stat-pass"><div class="stat-val">${latestReport.summary.passed}</div><div class="stat-lbl">Passed</div></div>
+          <div class="stat stat-fail"><div class="stat-val">${latestReport.summary.failed}</div><div class="stat-lbl">Failed</div></div>
+        </div>
+        ${severityCounts ? `<div class="severity-row">${severityCounts}</div>` : ""}
+      </div>
+      <div class="card summary-card">
+        <div class="section-title">Executive Summary</div>
+        <p>${executiveSummary}</p>
+      </div>
+    </div>
+    ${timelineSvg ? `
+    <div class="card timeline-card">
+      <div class="section-title">Vulnerability Timeline</div>
+      ${timelineSvg}
+    </div>` : ""}
+    <div class="section-title">Category Breakdown</div>
+    <div class="cat-grid">
+      ${categoryCards}
+    </div>
+    <div class="checks-section">
+      <div class="section-title">Check Details</div>
+      ${checkCards}
+    </div>
+    <footer>Generated by GraphQL Sentinel v${"1.0.0"}</footer>
+  </div>
+  <script>
+    function toggleCheck(idx){
+      var el=document.getElementById('check-'+idx);
+      var ch=document.getElementById('chevron-'+idx);
+      if(el.style.display==='none'){el.style.display='block';ch.classList.add('open');}
+      else{el.style.display='none';ch.classList.remove('open');}
+    }
+    // Persist scan results in localStorage for timeline tracking
+    (function(){
+      try{
+        var key='graphql-sentinel-history';
+        var current=${JSON.stringify({
+    target: latestReport.target,
+    timestamp: latestReport.timestamp,
+    score,
+    passed: latestReport.summary.passed,
+    failed: latestReport.summary.failed,
+    total: latestReport.summary.total
+  })};
+        var history=JSON.parse(localStorage.getItem(key)||'[]');
+        // Avoid duplicates by timestamp
+        if(!history.some(function(h){return h.timestamp===current.timestamp;})){
+          history.push(current);
+          // Keep last 50 entries
+          if(history.length>50)history=history.slice(-50);
+          localStorage.setItem(key,JSON.stringify(history));
+        }
+      }catch(e){/* ignore storage errors */}
+    })();
+  </script>
+</body>
+</html>`;
+}
+// src/reporter/index.ts
+function generateReport(report, format) {
+  switch (format) {
+    case "json":
+      return generateJsonReport(report);
+    case "terminal":
+      return generateTerminalReport(report);
+    case "html":
+      return generateHtmlReport(report);
+    case "sarif":
+      return generateSarifReport(report);
+    case "dashboard":
+      return generateDashboard([report]);
+    default:
+      throw new Error(`Unknown report format: ${format}`);
+  }
+}
+// src/cli/scan.ts
+var import_node_fs = __toESM(require("fs"), 1);
+function createScanCommand() {
+  return new import_commander.Command("scan").description("Scan a GraphQL endpoint for security vulnerabilities").argument("<url>", "GraphQL endpoint URL to scan").option("-f, --format <format>", "Output format (terminal, json, html)", "terminal").option("-o, --output <file>", "Write report to file instead of stdout").option(
+    "-H, --header <header...>",
+    'Custom headers (format: "Key: Value")'
+  ).option("-c, --checks <checks>", "Comma-separated list of checks to run").option("-t, --timeout <ms>", "Timeout per check in milliseconds", "10000").action(async (url, options) => {
+    const headers = {};
+    if (options.header) {
+      for (const h of options.header) {
+        const colonIdx = h.indexOf(":");
+        if (colonIdx > 0) {
+          const key = h.substring(0, colonIdx).trim();
+          const value = h.substring(colonIdx + 1).trim();
+          headers[key] = value;
+        }
+      }
+    }
+    const checks = options.checks ? options.checks.split(",").map((c) => c.trim()) : void 0;
+    const format = options.format;
+    if (!["terminal", "json", "html", "sarif", "dashboard"].includes(format)) {
+      console.error(`Invalid format "${format}". Use: terminal, json, html, sarif, dashboard`);
+      process.exit(1);
+    }
+    if (format === "terminal") {
+      console.log(`
+Scanning ${url}...
+`);
+    }
+    try {
+      const report = await runScan({
+        endpoint: url,
+        headers: Object.keys(headers).length > 0 ? headers : void 0,
+        checks,
+        timeout: parseInt(options.timeout, 10)
+      });
+      const output = generateReport(report, format);
+      if (options.output) {
+        import_node_fs.default.writeFileSync(options.output, output, "utf-8");
+        console.log(`Report written to ${options.output}`);
+      } else {
+        console.log(output);
+      }
+      const hasCriticalFailures = report.results.some(
+        (r) => !r.passed && (r.severity === "critical" || r.severity === "high")
+      );
+      if (hasCriticalFailures) {
+        process.exit(1);
+      }
+    } catch (error) {
+      console.error(`Scan failed: ${error instanceof Error ? error.message : String(error)}`);
+      process.exit(2);
+    }
+  });
+}
+// src/cli/proxy.ts
+var import_commander2 = require("commander");
+// src/proxy/server.ts
+var import_node_http = __toESM(require("http"), 1);
+var import_graphql6 = require("graphql");
+// src/shield/depth-limiter.ts
+var import_graphql = require("graphql");
+function createDepthLimitRule(maxDepth = 10) {
+  return function DepthLimitRule(context) {
+    return {
+      Document: {
+        enter(node) {
+          const depth = measureDepth(node);
+          if (depth > maxDepth) {
+            context.reportError(
+              new import_graphql.GraphQLError(
+                `Query depth of ${depth} exceeds maximum allowed depth of ${maxDepth}.`
+              )
+            );
+          }
+        }
+      }
+    };
+  };
+}
+function measureDepth(node, currentDepth = 0) {
+  if (!node || typeof node !== "object") {
+    return currentDepth;
+  }
+  const selectionSet = node.selectionSet;
+  if (selectionSet && Array.isArray(selectionSet.selections)) {
+    let maxChildDepth = currentDepth + 1;
+    for (const selection of selectionSet.selections) {
+      const childDepth = measureDepth(selection, currentDepth + 1);
+      if (childDepth > maxChildDepth) {
+        maxChildDepth = childDepth;
+      }
+    }
+    return maxChildDepth;
+  }
+  const definitions = node.definitions;
+  if (Array.isArray(definitions)) {
+    let maxDefDepth = 0;
+    for (const def of definitions) {
+      const defDepth = measureDepth(def, 0);
+      if (defDepth > maxDefDepth) {
+        maxDefDepth = defDepth;
+      }
+    }
+    return maxDefDepth;
+  }
+  return currentDepth;
+}
+// src/shield/complexity-analyzer.ts
+var import_graphql2 = require("graphql");
+function createComplexityRule(config = {}) {
+  const {
+    maxComplexity = 1e3,
+    defaultFieldCost = 1,
+    listFieldMultiplier = 10
+  } = config;
+  return function ComplexityRule(context) {
+    let complexity = 0;
+    const multiplierStack = [1];
+    return {
+      Field: {
+        enter(_node) {
+          const currentMultiplier = multiplierStack[multiplierStack.length - 1] || 1;
+          complexity += defaultFieldCost * currentMultiplier;
+          const fieldDef = context.getFieldDef();
+          if (fieldDef) {
+            const type = fieldDef.type;
+            const typeName = type.toString();
+            if (typeName.startsWith("[")) {
+              multiplierStack.push(currentMultiplier * listFieldMultiplier);
+            } else {
+              multiplierStack.push(currentMultiplier);
+            }
+          } else {
+            multiplierStack.push(currentMultiplier);
+          }
+        },
+        leave() {
+          multiplierStack.pop();
+        }
+      },
+      Document: {
+        leave() {
+          if (complexity > maxComplexity) {
+            context.reportError(
+              new import_graphql2.GraphQLError(
+                `Query complexity of ${complexity} exceeds maximum allowed complexity of ${maxComplexity}.`
+              )
+            );
+          }
+        }
+      }
+    };
+  };
+}
+// src/shield/alias-limiter.ts
+var import_graphql3 = require("graphql");
+function createAliasLimitRule(maxAliases = 15) {
+  return function AliasLimitRule(context) {
+    let aliasCount = 0;
+    return {
+      Field: {
+        enter(node) {
+          if (node.alias) {
+            aliasCount++;
+          }
+        }
+      },
+      Document: {
+        leave() {
+          if (aliasCount > maxAliases) {
+            context.reportError(
+              new import_graphql3.GraphQLError(
+                `Query contains ${aliasCount} aliases, exceeding the maximum of ${maxAliases}.`
+              )
+            );
+          }
+        }
+      }
+    };
+  };
+}
+// src/shield/introspection-control.ts
+var import_graphql4 = require("graphql");
+function createIntrospectionControlRule() {
+  return function IntrospectionControlRule(context) {
+    return {
+      Field(node) {
+        const fieldName = node.name.value;
+        if (fieldName === "__schema" || fieldName === "__type") {
+          context.reportError(
+            new import_graphql4.GraphQLError(
+              `Introspection query is not allowed. Field "${fieldName}" is disabled.`
+            )
+          );
+        }
+      }
+    };
+  };
+}
+// src/shield/rate-limiter.ts
+function createRateLimiter(config) {
+  const { window, max } = config;
+  const clients = /* @__PURE__ */ new Map();
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, record] of clients.entries()) {
+      record.entries = record.entries.filter((e) => now - e.timestamp < window);
+      if (record.entries.length === 0) {
+        clients.delete(key);
+      }
+    }
+  }, window);
+  if (cleanupInterval.unref) {
+    cleanupInterval.unref();
+  }
+  return {
+    check(key, cost = 1) {
+      const now = Date.now();
+      if (!clients.has(key)) {
+        clients.set(key, { entries: [] });
+      }
+      const record = clients.get(key);
+      record.entries = record.entries.filter((e) => now - e.timestamp < window);
+      const currentCost = record.entries.reduce((sum, e) => sum + e.cost, 0);
+      if (currentCost + cost > max) {
+        return {
+          allowed: false,
+          remaining: Math.max(0, max - currentCost)
+        };
+      }
+      record.entries.push({ timestamp: now, cost });
+      return {
+        allowed: true,
+        remaining: max - currentCost - cost
+      };
+    },
+    reset(key) {
+      if (key) {
+        clients.delete(key);
+      } else {
+        clients.clear();
+      }
+    },
+    destroy() {
+      clearInterval(cleanupInterval);
+      clients.clear();
+    }
+  };
+}
+// src/shield/field-auth.ts
+var import_graphql5 = require("graphql");
+function createFieldAuthRule(config) {
+  return function FieldAuthRule(context) {
+    const typeStack = [];
+    return {
+      OperationDefinition: {
+        enter() {
+          const queryType = context.getSchema().getQueryType();
+          typeStack.push(queryType?.name || "Query");
+        },
+        leave() {
+          typeStack.pop();
+        }
+      },
+      Field: {
+        enter(node) {
+          const fieldName = node.name.value;
+          const parentType = typeStack[typeStack.length - 1] || "Query";
+          const ruleKey = `${parentType}.${fieldName}`;
+          const rule = config.rules[ruleKey];
+          if (!rule) {
+            const wildcardField = config.rules[`*.${fieldName}`];
+            const wildcardType = config.rules[`${parentType}.*`];
+            const effectiveRule = wildcardField || wildcardType;
+            if (effectiveRule) {
+              checkRule(effectiveRule, ruleKey, context, config);
+            }
+          } else {
+            checkRule(rule, ruleKey, context, config);
+          }
+          const fieldDef = context.getFieldDef();
+          if (fieldDef) {
+            const namedType = getNamedType(fieldDef.type);
+            if (namedType && "name" in namedType) {
+              typeStack.push(namedType.name);
+            }
+          }
+        },
+        leave() {
+          const fieldDef = context.getFieldDef();
+          if (fieldDef) {
+            const namedType = getNamedType(fieldDef.type);
+            if (namedType && "name" in namedType) {
+              typeStack.pop();
+            }
+          }
+        }
+      }
+    };
+  };
+}
+function checkRule(rule, ruleKey, context, config) {
+  const userContext = config.extractContext ? config.extractContext(context._contextValue) : null;
+  if (rule.requireAuth) {
+    if (!userContext || !userContext.authenticated) {
+      context.reportError(
+        new import_graphql5.GraphQLError(
+          `Access denied: field "${ruleKey}" requires authentication.`
+        )
+      );
+      return;
+    }
+  }
+  if (rule.roles && rule.roles.length > 0) {
+    if (!userContext) {
+      context.reportError(
+        new import_graphql5.GraphQLError(
+          `Access denied: field "${ruleKey}" requires one of roles: ${rule.roles.join(", ")}.`
+        )
+      );
+      return;
+    }
+    const hasRole = rule.roles.some((r) => userContext.roles.includes(r));
+    if (!hasRole) {
+      context.reportError(
+        new import_graphql5.GraphQLError(
+          `Access denied: field "${ruleKey}" requires one of roles: ${rule.roles.join(", ")}.`
+        )
+      );
+      return;
+    }
+  }
+  if (rule.permissions && rule.permissions.length > 0) {
+    if (!userContext) {
+      context.reportError(
+        new import_graphql5.GraphQLError(
+          `Access denied: field "${ruleKey}" requires one of permissions: ${rule.permissions.join(", ")}.`
+        )
+      );
+      return;
+    }
+    const hasPermission = rule.permissions.some(
+      (p) => userContext.permissions.includes(p)
+    );
+    if (!hasPermission) {
+      context.reportError(
+        new import_graphql5.GraphQLError(
+          `Access denied: field "${ruleKey}" requires one of permissions: ${rule.permissions.join(", ")}.`
+        )
+      );
+      return;
+    }
+  }
+}
+function getNamedType(type) {
+  if (!type) return null;
+  if (type.ofType) return getNamedType(type.ofType);
+  return type;
+}
+// src/shield/index.ts
+function createShield(config) {
+  const validationRules = [];
+  if (config.maxDepth !== void 0) {
+    validationRules.push(createDepthLimitRule(config.maxDepth));
+  }
+  if (config.maxComplexity !== void 0) {
+    validationRules.push(
+      createComplexityRule({
+        maxComplexity: config.maxComplexity
+      })
+    );
+  }
+  if (config.maxAliases !== void 0) {
+    validationRules.push(createAliasLimitRule(config.maxAliases));
+  }
+  if (config.disableIntrospection) {
+    validationRules.push(createIntrospectionControlRule());
+  }
+  if (config.fieldAuth) {
+    validationRules.push(createFieldAuthRule(config.fieldAuth));
+  }
+  let rateLimiter;
+  if (config.rateLimit) {
+    rateLimiter = createRateLimiter(config.rateLimit);
+  }
+  return { validationRules, rateLimiter };
+}
+// src/proxy/server.ts
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    let body = "";
+    req.on("data", (chunk) => body += chunk);
+    req.on("end", () => resolve(body));
+    req.on("error", reject);
+  });
+}
+function setCorsHeaders(res) {
+  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+}
+function createProxyServer(config) {
+  const shield = createShield(config.shield);
+  const enableCors = config.cors !== false;
+  const server = import_node_http.default.createServer(async (req, res) => {
+    if (enableCors) {
+      setCorsHeaders(res);
+    }
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    if (req.method !== "POST") {
+      res.writeHead(405, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ errors: [{ message: "Only POST method is allowed" }] }));
+      return;
+    }
+    try {
+      const body = await readBody(req);
+      let parsed;
+      try {
+        parsed = JSON.parse(body);
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ errors: [{ message: "Invalid JSON in request body" }] }));
+        return;
+      }
+      if (!parsed.query || typeof parsed.query !== "string") {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ errors: [{ message: "Missing or invalid query field" }] }));
+        return;
+      }
+      let document;
+      try {
+        document = (0, import_graphql6.parse)(parsed.query);
+      } catch (parseError) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            errors: [
+              {
+                message: `GraphQL parse error: ${parseError instanceof Error ? parseError.message : String(parseError)}`
+              }
+            ]
+          })
+        );
+        return;
+      }
+      const validationErrors = validateWithRules(document, shield.validationRules);
+      if (validationErrors.length > 0) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            errors: validationErrors.map((e) => ({
+              message: e.message,
+              extensions: { code: "GRAPHQL_SENTINEL_BLOCKED" }
+            }))
+          })
+        );
+        return;
+      }
+      if (shield.rateLimiter) {
+        const clientIp = req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+        const result = shield.rateLimiter.check(clientIp);
+        if (!result.allowed) {
+          res.writeHead(429, { "Content-Type": "application/json" });
+          res.end(
+            JSON.stringify({
+              errors: [
+                {
+                  message: "Rate limit exceeded",
+                  extensions: { code: "RATE_LIMITED", remaining: result.remaining }
+                }
+              ]
+            })
+          );
+          return;
+        }
+      }
+      const forwardHeaders = {
+        "Content-Type": "application/json",
+        ...config.headers
+      };
+      if (req.headers["authorization"]) {
+        forwardHeaders["Authorization"] = req.headers["authorization"];
+      }
+      const upstreamResponse = await fetch(config.target, {
+        method: "POST",
+        headers: forwardHeaders,
+        body: JSON.stringify({
+          query: parsed.query,
+          variables: parsed.variables,
+          operationName: parsed.operationName
+        })
+      });
+      const upstreamBody = await upstreamResponse.text();
+      const contentType = upstreamResponse.headers.get("content-type");
+      if (contentType) {
+        res.setHeader("Content-Type", contentType);
+      } else {
+        res.setHeader("Content-Type", "application/json");
+      }
+      res.writeHead(upstreamResponse.status);
+      res.end(upstreamBody);
+    } catch (error) {
+      res.writeHead(502, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          errors: [
+            {
+              message: `Proxy error: ${error instanceof Error ? error.message : String(error)}`
+            }
+          ]
+        })
+      );
+    }
+  });
+  return server;
+}
+function validateWithRules(document, rules) {
+  const errors = [];
+  const mockContext = {
+    reportError(error) {
+      errors.push(error);
+    },
+    getSchema() {
+      return {
+        getQueryType() {
+          return { name: "Query" };
+        },
+        getMutationType() {
+          return null;
+        },
+        getSubscriptionType() {
+          return null;
+        }
+      };
+    },
+    getFieldDef() {
+      return null;
+    }
+  };
+  for (const rule of rules) {
+    const visitor = rule(mockContext);
+    visitNode(document, visitor);
+  }
+  return errors;
+}
+function visitNode(node, visitor) {
+  if (!node || typeof node !== "object") return;
+  const kind = node.kind;
+  if (!kind) return;
+  const kindVisitor = visitor[kind];
+  if (kindVisitor) {
+    if (typeof kindVisitor === "function") {
+      kindVisitor(node);
+    } else if (kindVisitor.enter) {
+      kindVisitor.enter(node);
+    }
+  }
+  for (const key of Object.keys(node)) {
+    const value = node[key];
+    if (Array.isArray(value)) {
+      for (const child of value) {
+        if (child && typeof child === "object" && child.kind) {
+          visitNode(child, visitor);
+        }
+      }
+    } else if (value && typeof value === "object" && value.kind) {
+      visitNode(value, visitor);
+    }
+  }
+  if (kindVisitor) {
+    if (kindVisitor.leave) {
+      kindVisitor.leave(node);
+    }
+  }
+}
+async function startProxy(config) {
+  const server = createProxyServer(config);
+  return new Promise((resolve) => {
+    server.listen(config.port, () => {
+      console.log(`GraphQL Sentinel proxy running on port ${config.port}`);
+      console.log(`Forwarding to ${config.target}`);
+      resolve(server);
+    });
+  });
+}
+// src/cli/proxy.ts
+function createProxyCommand() {
+  return new import_commander2.Command("proxy").description("Start a security proxy in front of a GraphQL endpoint").argument("<target>", "Upstream GraphQL endpoint URL").option("-p, --port <port>", "Proxy listening port", "4000").option("--max-depth <depth>", "Maximum query depth").option("--max-complexity <complexity>", "Maximum query complexity").option("--max-aliases <aliases>", "Maximum number of aliases").option("--disable-introspection", "Block introspection queries").option("--rate-limit-window <ms>", "Rate limit window in milliseconds").option("--rate-limit-max <max>", "Maximum requests per window").option(
+    "-H, --header <header...>",
+    'Headers to forward to upstream (format: "Key: Value")'
+  ).option("--no-cors", "Disable CORS headers").action(
+    async (target, options) => {
+      const shieldConfig = {};
+      if (options.maxDepth) {
+        shieldConfig.maxDepth = parseInt(options.maxDepth, 10);
+      }
+      if (options.maxComplexity) {
+        shieldConfig.maxComplexity = parseInt(options.maxComplexity, 10);
+      }
+      if (options.maxAliases) {
+        shieldConfig.maxAliases = parseInt(options.maxAliases, 10);
+      }
+      if (options.disableIntrospection) {
+        shieldConfig.disableIntrospection = true;
+      }
+      if (options.rateLimitWindow && options.rateLimitMax) {
+        shieldConfig.rateLimit = {
+          window: parseInt(options.rateLimitWindow, 10),
+          max: parseInt(options.rateLimitMax, 10)
+        };
+      }
+      const headers = {};
+      if (options.header) {
+        for (const h of options.header) {
+          const colonIdx = h.indexOf(":");
+          if (colonIdx > 0) {
+            const key = h.substring(0, colonIdx).trim();
+            const value = h.substring(colonIdx + 1).trim();
+            headers[key] = value;
+          }
+        }
+      }
+      try {
+        await startProxy({
+          target,
+          port: parseInt(options.port, 10),
+          shield: shieldConfig,
+          headers: Object.keys(headers).length > 0 ? headers : void 0,
+          cors: options.cors
+        });
+      } catch (error) {
+        console.error(
+          `Failed to start proxy: ${error instanceof Error ? error.message : String(error)}`
+        );
+        process.exit(1);
+      }
+    }
+  );
+}
+// src/cli.ts
+var program = new import_commander3.Command().name("graphql-sentinel").description("GraphQL security scanner and runtime shield").version("1.0.0");
+program.addCommand(createScanCommand());
+program.addCommand(createProxyCommand());
+program.parse();
+//# sourceMappingURL=cli.cjs.map