guardlink 1.0.0

package/dist/init/picker.js

@@ -0,0 +1,105 @@
+/**
+ * GuardLink init — Interactive agent picker.
+ *
+ * Shows a detection-aware prompt:
+ *   - Always-created files (reference doc, AGENTS.md, .mcp.json)
+ *   - Auto-detected agents (directories found on disk)
+ *   - Optional agents the user can additionally select
+ */
+import { createInterface } from 'node:readline';
+import { getDetectedPlatforms } from './detect.js';
+export const AGENT_CHOICES = [
+    { id: 'claude', label: 'Claude Code', file: 'CLAUDE.md', platform: 'claude' },
+    { id: 'cursor', label: 'Cursor', file: '.cursor/rules/guardlink.mdc', platform: 'cursor' },
+    { id: 'codex', label: 'Codex', file: 'AGENTS.md', platform: 'codex' },
+    { id: 'copilot', label: 'GitHub Copilot', file: '.github/copilot-instructions.md', platform: 'copilot' },
+    { id: 'windsurf', label: 'Windsurf', file: '.windsurfrules', platform: 'windsurf' },
+    { id: 'cline', label: 'Cline', file: '.clinerules', platform: 'cline' },
+    { id: 'gemini', label: 'Gemini', file: '.gemini/GEMINI.md', platform: 'gemini' },
+];
+/** Files that are always created regardless of agent selection. */
+export const ALWAYS_FILES = [
+    'docs/GUARDLINK_REFERENCE.md',
+    '.mcp.json',
+];
+/**
+ * Show detection-aware prompt. Displays:
+ *   1. Always-created files
+ *   2. Auto-detected agents (from directory presence)
+ *   3. Optional agents user can add
+ *
+ * Returns combined list of agent IDs (detected + user-selected).
+ */
+export async function promptAgentSelection(agentFiles) {
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const ask = (q) => new Promise(resolve => rl.question(q, resolve));
+    const detected = getDetectedPlatforms(agentFiles);
+    // Partition choices into detected vs optional
+    const detectedChoices = [];
+    const optionalChoices = [];
+    for (const choice of AGENT_CHOICES) {
+        const reason = detected.get(choice.platform);
+        if (reason) {
+            detectedChoices.push({ ...choice, reason });
+        }
+        else {
+            optionalChoices.push(choice);
+        }
+    }
+    // ── Display ──
+    console.error('\n  GuardLink will create:\n');
+    // Always files
+    console.error('  Always:');
+    for (const f of ALWAYS_FILES) {
+        console.error(`    ✓  ${f}`);
+    }
+    // Detected agents
+    if (detectedChoices.length > 0) {
+        console.error('\n  Auto-detected:');
+        for (const c of detectedChoices) {
+            console.error(`    ✓  ${c.file.padEnd(38)} (${c.reason})`);
+        }
+    }
+    // Optional agents
+    if (optionalChoices.length > 0) {
+        console.error('\n  Also add instructions for? (comma-separated numbers, Enter to skip)\n');
+        for (let i = 0; i < optionalChoices.length; i++) {
+            const c = optionalChoices[i];
+            console.error(`    ${i + 1}. ${c.label.padEnd(18)} → ${c.file}`);
+        }
+        console.error('');
+    }
+    // Collect selection
+    const detectedIds = detectedChoices.map(c => c.id);
+    if (optionalChoices.length === 0) {
+        // Nothing to ask — all agents detected
+        console.error('  All known agents detected. No additional selection needed.\n');
+        rl.close();
+        return detectedIds;
+    }
+    const answer = await ask('  Selection [Enter to skip]: ');
+    rl.close();
+    const selectedIds = [...detectedIds];
+    if (answer.trim()) {
+        const nums = answer.split(/[,\s]+/).map(s => parseInt(s.trim(), 10)).filter(n => !isNaN(n));
+        for (const n of nums) {
+            if (n >= 1 && n <= optionalChoices.length) {
+                selectedIds.push(optionalChoices[n - 1].id);
+            }
+        }
+    }
+    // Always include claude if nothing was detected or selected
+    if (selectedIds.length === 0) {
+        selectedIds.push('claude');
+    }
+    return selectedIds;
+}
+/**
+ * Resolve agent IDs (from picker or flags) to file paths.
+ */
+export function resolveAgentFiles(agentIds) {
+    return agentIds
+        .map(id => AGENT_CHOICES.find(c => c.id === id))
+        .filter((c) => c !== undefined);
+}
+//# sourceMappingURL=picker.js.map

package/dist/init/picker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"picker.js","sourceRoot":"","sources":["../../src/init/picker.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AASnD,MAAM,CAAC,MAAM,aAAa,GAAkB;IAC1C,EAAE,EAAE,EAAE,QAAQ,EAAK,KAAK,EAAE,aAAa,EAAK,IAAI,EAAE,WAAW,EAA0B,QAAQ,EAAE,QAAQ,EAAE;IAC3G,EAAE,EAAE,EAAE,QAAQ,EAAK,KAAK,EAAE,QAAQ,EAAU,IAAI,EAAE,6BAA6B,EAAQ,QAAQ,EAAE,QAAQ,EAAE;IAC3G,EAAE,EAAE,EAAE,OAAO,EAAM,KAAK,EAAE,OAAO,EAAW,IAAI,EAAE,WAAW,EAA2B,QAAQ,EAAE,OAAO,EAAE;IAC3G,EAAE,EAAE,EAAE,SAAS,EAAI,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,iCAAiC,EAAK,QAAQ,EAAE,SAAS,EAAE;IAC7G,EAAE,EAAE,EAAE,UAAU,EAAG,KAAK,EAAE,UAAU,EAAQ,IAAI,EAAE,gBAAgB,EAAsB,QAAQ,EAAE,UAAU,EAAE;IAC9G,EAAE,EAAE,EAAE,OAAO,EAAM,KAAK,EAAE,OAAO,EAAW,IAAI,EAAE,aAAa,EAAyB,QAAQ,EAAE,OAAO,EAAE;IAC3G,EAAE,EAAE,EAAE,QAAQ,EAAK,KAAK,EAAE,QAAQ,EAAU,IAAI,EAAE,mBAAmB,EAAmB,QAAQ,EAAE,QAAQ,EAAE;CAC7G,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,6BAA6B;IAC7B,WAAW;CACZ,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,UAAuB;IAChE,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAG,CAAC,CAAS,EAAmB,EAAE,CACzC,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IAElD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAElD,8CAA8C;IAC9C,MAAM,eAAe,GAA4C,EAAE,CAAC;IACpE,MAAM,eAAe,GAAkB,EAAE,CAAC;IAE1C,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,MAAM,EAAE,CAAC;YACX,eAAe,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,gBAAgB;IAEhB,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAE9C,eAAe;IACf,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED,kBAAkB;IAClB,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACpC,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,2EAA2E,CAAC,CAAC;QAC3F,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChD,MAAM,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpB,CAAC;IAED,oBAAoB;IACpB,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAEnD,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,uCAAuC;QACvC,OAAO,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;QAChF,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC1D,EAAE,CAAC,KAAK,EAAE,CAAC;IAEX,MAAM,WAAW,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC;IAErC,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,eAAe,CAAC,MAAM,EAAE,CAAC;gBAC1C,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC7B,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAkB;IAClD,OAAO,QAAQ;SACZ,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;SAC/C,MAAM,CAAC,CAAC,CAAC,EAAoB,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;AACtD,CAAC"}

package/dist/init/templates.d.ts

@@ -0,0 +1,25 @@
+/**
+ * GuardLink init — Template content for generated files.
+ */
+import type { ProjectInfo } from './detect.js';
+/**
+ * docs/GUARDLINK_REFERENCE.md — the single source of truth for annotation syntax.
+ * All agent instruction files point here instead of duplicating the full reference.
+ */
+export declare function referenceDocContent(project: ProjectInfo): string;
+/**
+ * Compact GuardLink instruction block injected into agent files.
+ * Points to docs/GUARDLINK_REFERENCE.md for full syntax.
+ */
+export declare function agentInstructions(project: ProjectInfo): string;
+export declare function cursorRulesContent(project: ProjectInfo): string;
+export declare function cursorMdcContent(project: ProjectInfo): string;
+export declare function definitionsContent(project: ProjectInfo): string;
+export declare function configContent(project: ProjectInfo): string;
+export declare const GITIGNORE_ENTRY = "\n# GuardLink\n.guardlink/*.json\n!.guardlink/config.json\n";
+/**
+ * Generate .mcp.json for Claude Code auto-configuration.
+ * When committed to repo, Claude Code automatically connects to the MCP server.
+ */
+export declare function mcpConfig(): string;
+//# sourceMappingURL=templates.d.ts.map

package/dist/init/templates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"templates.d.ts","sourceRoot":"","sources":["../../src/init/templates.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI/C;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAgFhE;AAID;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CA2B9D;AAID,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CA2B/D;AAID,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAQ7D;AAID,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CA8B/D;AAID,wBAAgB,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAY1D;AAID,eAAO,MAAM,eAAe,gEAI3B,CAAC;AA2CF;;;GAGG;AACH,wBAAgB,SAAS,IAAI,MAAM,CASlC"}

package/dist/init/templates.js

@@ -0,0 +1,263 @@
+/**
+ * GuardLink init — Template content for generated files.
+ */
+// ─── Canonical reference document ────────────────────────────────────
+/**
+ * docs/GUARDLINK_REFERENCE.md — the single source of truth for annotation syntax.
+ * All agent instruction files point here instead of duplicating the full reference.
+ */
+export function referenceDocContent(project) {
+    return `# GuardLink — Annotation Reference
+
+> Canonical reference for **${project.name}**. All agent instruction files point here.
+> Full specification: [docs/SPEC.md](https://github.com/Bugb-Technologies/guardlink/blob/main/docs/SPEC.md)
+
+## Quick Reference
+
+\`\`\`
+DEFINE   @asset <Component.Path> (#id) -- "description"
+         @threat <Name> (#id) [severity] cwe:CWE-NNN -- "description"
+         @control <Name> (#id) -- "description"
+
+RELATE   @mitigates <Asset> against <#threat> using <#control> -- "how"
+         @exposes <Asset> to <#threat> [severity] cwe:CWE-NNN -- "what's wrong"
+         @accepts <#threat> on <Asset> -- "why acceptable"
+         @transfers <#threat> from <Source> to <Target> -- "who handles it"
+
+FLOW     @flows <Source> -> <Target> via <mechanism> -- "details"
+         @boundary <AssetA> | <AssetB> (#id) -- "trust boundary"
+         @boundary between <AssetA> and <AssetB> (#id) -- "trust boundary"
+
+LIFECYCLE
+         @validates <#control> for <Asset> -- "test evidence"
+         @audit <Asset> -- "what needs review"
+         @owns <team-id> for <Asset> -- "responsible team"
+         @handles <pii|phi|financial|secrets|internal|public> on <Asset>
+         @assumes <Asset> -- "unverified assumption"
+
+COMMENT  @comment -- "security-relevant developer note"
+
+PROTECT  @shield -- "reason"
+         @shield:begin -- "reason"   ... code ...   @shield:end
+\`\`\`
+
+## Severity
+
+\`[P0]\` = critical, \`[P1]\` = high, \`[P2]\` = medium, \`[P3]\` = low
+
+## External References
+
+Append after severity: \`cwe:CWE-89\`, \`owasp:A03:2021\`, \`capec:CAPEC-66\`, \`attack:T1190\`
+
+## Rules
+
+1. **Define once, reference everywhere.** \`@asset\`, \`@threat\`, \`@control\` with \`(#id)\` go in \`.guardlink/definitions${project.definitionsExt}\`. Source files use relationship verbs only (\`@mitigates\`, \`@exposes\`, etc.).
+2. **Read definitions before adding.** Check for existing IDs first — avoid duplicates.
+3. **Every \`@exposes\` needs a plan.** Match with \`@mitigates\` (fix exists), \`@accepts\` (risk acknowledged), or TODO.
+4. **Always annotate security-relevant code.** At minimum, add \`@comment\` to document intent.
+5. **Use the full verb set.** \`@flows\` for data movement, \`@handles\` for data classification, \`@boundary\` for trust boundaries.
+
+## When Writing Code
+
+| Situation | Annotation |
+|-----------|------------|
+| New service/component | \`@asset\` in definitions, then reference in source |
+| Security gap exists | \`@exposes Asset to #threat\` |
+| Implementing a fix | \`@mitigates Asset against #threat using #control\` |
+| Processing sensitive data | \`@handles pii on Asset\` |
+| Proprietary algorithm | \`@shield:begin\` ... \`@shield:end\` |
+| Unsure which annotation | \`@comment -- "describe what you see"\` |
+
+## Commands
+
+\`\`\`bash
+guardlink validate .          # Check for errors
+guardlink report .            # Generate threat-model.md
+guardlink status .            # Coverage summary
+guardlink suggest <file>      # Get annotation suggestions
+\`\`\`
+
+## MCP Tools
+
+When connected via \`.mcp.json\`, use:
+- \`guardlink_parse\` — parse annotations, return threat model
+- \`guardlink_lookup\` — query threats, controls, exposures by ID
+- \`guardlink_suggest\` — get annotation suggestions for a file
+- \`guardlink_validate\` — check for syntax errors
+- \`guardlink_status\` — coverage stats
+`;
+}
+// ─── Agent instruction content (compact — points to reference doc) ───
+/**
+ * Compact GuardLink instruction block injected into agent files.
+ * Points to docs/GUARDLINK_REFERENCE.md for full syntax.
+ */
+export function agentInstructions(project) {
+    return `
+## GuardLink — Security Annotations (Required)
+
+This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments.
+**Full reference: \`docs/GUARDLINK_REFERENCE.md\`**
+
+### Key Rules
+
+1. Definitions (\`@asset\`, \`@threat\`, \`@control\` with \`#id\`) go in \`.guardlink/definitions${project.definitionsExt}\` — read it before adding new ones.
+2. Source files use relationship verbs only: \`@mitigates\`, \`@exposes\`, \`@accepts\`, \`@flows\`, \`@handles\`, \`@boundary\`, \`@comment\`.
+3. Every \`@exposes\` needs a matching \`@mitigates\` or \`@accepts\`.
+4. Always add at least \`@comment\` on security-relevant code.
+5. Run \`guardlink validate .\` after making changes.
+
+### MCP Tools Available
+
+Use \`guardlink_lookup\` to check existing definitions. Use \`guardlink_validate\` after annotating. Use \`guardlink_suggest <file>\` for recommendations.
+
+### Quick Syntax
+
+\`\`\`
+@exposes Asset to #threat [P0] cwe:CWE-89 -- "description"
+@mitigates Asset against #threat using #control -- "how"
+@comment -- "security-relevant note"
+\`\`\`
+`.trimStart();
+}
+// ─── Cursor-specific format ──────────────────────────────────────────
+export function cursorRulesContent(project) {
+    // .cursorrules uses a flatter format without markdown headers
+    return `
+# GuardLink Security Annotations
+
+This project uses GuardLink annotations in source code comments.
+
+## Annotation Syntax
+- @asset <Component.Path> (#id) -- "description"
+- @threat <Name> (#id) [P0|P1|P2|P3] cwe:CWE-NNN -- "description"
+- @control <Name> (#id) -- "description"
+- @mitigates <Asset> against <#threat> using <#control> -- "how"
+- @exposes <Asset> to <#threat> [severity] cwe:CWE-NNN -- "what"
+- @accepts <#threat> on <Asset> -- "why"
+- @flows <Source> -> <Target> via <mechanism> -- "details"
+- @boundary between <A> and <B> (#id) -- "trust boundary"
+- @handles <pii|phi|financial|secrets> on <Asset>
+- @shield:begin -- "reason" ... @shield:end
+
+## Rules
+- All @asset, @threat, @control with (#id) go in .guardlink/definitions${project.definitionsExt}. Source files use only relationship verbs (@mitigates, @exposes, @accepts, @flows, etc).
+- Read definitions file before adding — check for existing IDs first.
+- Severity: P0=critical, P1=high, P2=medium, P3=low. Only P0-P3.
+- External refs: cwe:CWE-89, owasp:A03:2021, capec:CAPEC-66
+- Every @exposes needs a matching @mitigates or @accepts.
+- Run \`guardlink validate .\` to check annotations.
+`.trimStart();
+}
+// ─── Cursor .mdc format ──────────────────────────────────────────────
+export function cursorMdcContent(project) {
+    return `---
+description: GuardLink security annotation rules
+globs:
+alwaysApply: true
+---
+
+${cursorRulesContent(project)}`;
+}
+// ─── Shared definitions file ─────────────────────────────────────────
+export function definitionsContent(project) {
+    const c = project.commentPrefix;
+    return `${c} ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+${c} GuardLink Shared Definitions — ${project.name}
+${c}
+${c} ALL @asset, @threat, and @control declarations live here.
+${c} Source files reference by #id only (e.g. @mitigates X against #sqli).
+${c} Never redeclare an ID that exists in this file.
+${c} Before adding: read this file to check for duplicates.
+${c}
+${c} Run: guardlink validate .
+${c} ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+${c} ─── Examples (uncomment and customize for your project) ────────
+${c}
+${c}   ${c} @asset App.API (#api) -- "Main REST endpoint"
+${c}   ${c} @asset App.Database (#db) -- "Primary data store"
+${c}
+${c}   ${c} @threat SQL_Injection (#sqli) [critical] cwe:CWE-89 -- "Unsanitized input reaches SQL query"
+${c}   ${c} @threat Cross_Site_Scripting (#xss) [high] cwe:CWE-79 -- "Unsanitized input rendered in browser"
+${c}   ${c} @threat Broken_Access_Control (#bac) [critical] cwe:CWE-284 -- "Missing or bypassable authorization"
+${c}
+${c}   ${c} @control Parameterized_Queries (#prepared-stmts) -- "SQL queries use bound parameters"
+${c}   ${c} @control Input_Validation (#input-validation) -- "Input validated against schema/allowlist"
+${c}   ${c} @control RBAC (#rbac) -- "Role-based access control"
+${c}
+${c} ─── Your Definitions ──────────────────────────────────────────
+
+`;
+}
+// ─── Config file ─────────────────────────────────────────────────────
+export function configContent(project) {
+    return JSON.stringify({
+        version: '1.0.0',
+        project: project.name,
+        language: project.language,
+        definitions: `definitions${project.definitionsExt}`,
+        include: defaultIncludeForLanguage(project.language),
+        exclude: [
+            'node_modules', 'dist', 'build', '.git',
+            '__pycache__', 'target', 'vendor', '.next',
+        ],
+    }, null, 2) + '\n';
+}
+// ─── .gitignore addition ─────────────────────────────────────────────
+export const GITIGNORE_ENTRY = `
+# GuardLink
+.guardlink/*.json
+!.guardlink/config.json
+`;
+// ─── Helpers ─────────────────────────────────────────────────────────
+function toPascalCase(s) {
+    return s
+        .replace(/[-_./]/g, ' ')
+        .split(/\s+/)
+        .map(w => w.charAt(0).toUpperCase() + w.slice(1).toLowerCase())
+        .join('');
+}
+function defaultIncludeForLanguage(lang) {
+    switch (lang) {
+        case 'typescript':
+        case 'javascript':
+            return ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'];
+        case 'python':
+            return ['**/*.py'];
+        case 'go':
+            return ['**/*.go'];
+        case 'rust':
+            return ['**/*.rs'];
+        case 'java':
+            return ['**/*.java'];
+        case 'csharp':
+            return ['**/*.cs'];
+        case 'ruby':
+            return ['**/*.rb'];
+        case 'swift':
+            return ['**/*.swift'];
+        case 'kotlin':
+            return ['**/*.kt', '**/*.kts'];
+        case 'terraform':
+            return ['**/*.tf', '**/*.hcl'];
+        default:
+            return ['**/*.ts', '**/*.js', '**/*.py', '**/*.go', '**/*.rs', '**/*.java'];
+    }
+}
+// ─── MCP configuration ──────────────────────────────────────────────
+/**
+ * Generate .mcp.json for Claude Code auto-configuration.
+ * When committed to repo, Claude Code automatically connects to the MCP server.
+ */
+export function mcpConfig() {
+    return JSON.stringify({
+        mcpServers: {
+            guardlink: {
+                command: 'guardlink',
+                args: ['mcp'],
+            },
+        },
+    }, null, 2) + '\n';
+}
+//# sourceMappingURL=templates.js.map

package/dist/init/templates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"templates.js","sourceRoot":"","sources":["../../src/init/templates.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,wEAAwE;AAExE;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAoB;IACtD,OAAO;;8BAEqB,OAAO,CAAC,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;+HA0CqF,OAAO,CAAC,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCpJ,CAAC;AACF,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAoB;IACpD,OAAO;;;;;;;;oGAQ2F,OAAO,CAAC,cAAc;;;;;;;;;;;;;;;;;CAiBzH,CAAC,SAAS,EAAE,CAAC;AACd,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,kBAAkB,CAAC,OAAoB;IACrD,8DAA8D;IAC9D,OAAO;;;;;;;;;;;;;;;;;;yEAkBgE,OAAO,CAAC,cAAc;;;;;;CAM9F,CAAC,SAAS,EAAE,CAAC;AACd,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,gBAAgB,CAAC,OAAoB;IACnD,OAAO;;;;;;EAMP,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;AAChC,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,kBAAkB,CAAC,OAAoB;IACrD,MAAM,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC;IAEhC,OAAO,GAAG,CAAC;EACX,CAAC,mCAAmC,OAAO,CAAC,IAAI;EAChD,CAAC;EACD,CAAC;EACD,CAAC;EACD,CAAC;EACD,CAAC;EACD,CAAC;EACD,CAAC;EACD,CAAC;;EAED,CAAC;EACD,CAAC;EACD,CAAC,MAAM,CAAC;EACR,CAAC,MAAM,CAAC;EACR,CAAC;EACD,CAAC,MAAM,CAAC;EACR,CAAC,MAAM,CAAC;EACR,CAAC,MAAM,CAAC;EACR,CAAC;EACD,CAAC,MAAM,CAAC;EACR,CAAC,MAAM,CAAC;EACR,CAAC,MAAM,CAAC;EACR,CAAC;EACD,CAAC;;CAEF,CAAC;AACF,CAAC;AAED,wEAAwE;AAExE,MAAM,UAAU,aAAa,CAAC,OAAoB;IAChD,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,OAAO,EAAE,OAAO;QAChB,OAAO,EAAE,OAAO,CAAC,IAAI;QACrB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,WAAW,EAAE,cAAc,OAAO,CAAC,cAAc,EAAE;QACnD,OAAO,EAAE,yBAAyB,CAAC,OAAO,CAAC,QAAQ,CAAC;QACpD,OAAO,EAAE;YACP,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;YACvC,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO;SAC3C;KACF,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;AACrB,CAAC;AAED,wEAAwE;AAExE,MAAM,CAAC,MAAM,eAAe,GAAG;;;;CAI9B,CAAC;AAEF,wEAAwE;AAExE,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC;SACL,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC;SACvB,KAAK,CAAC,KAAK,CAAC;SACZ,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;SAC9D,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QACxD,KAAK,QAAQ;YACX,OAAO,CAAC,SAAS,CAAC,CAAC;QACrB,KAAK,IAAI;YACP,OAAO,CAAC,SAAS,CAAC,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,CAAC,SAAS,CAAC,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,CAAC,WAAW,CAAC,CAAC;QACvB,KAAK,QAAQ;YACX,OAAO,CAAC,SAAS,CAAC,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,CAAC,SAAS,CAAC,CAAC;QACrB,KAAK,OAAO;YACV,OAAO,CAAC,YAAY,CAAC,CAAC;QACxB,KAAK,QAAQ;YACX,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QACjC,KAAK,WAAW;YACd,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QACjC;YACE,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAGD,uEAAuE;AAEvE;;;GAGG;AACH,MAAM,UAAU,SAAS;IACvB,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,UAAU,EAAE;YACV,SAAS,EAAE;gBACT,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,CAAC,KAAK,CAAC;aACd;SACF;KACF,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;AACrB,CAAC"}

package/dist/mcp/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * GuardLink MCP Server — exports and stdio entry point.
+ */
+export { createServer } from './server.js';
+export { lookup, type LookupResult } from './lookup.js';
+export { suggestAnnotations, type Suggestion, type SuggestOptions } from './suggest.js';
+/**
+ * Start the MCP server on stdio transport.
+ * Called from CLI: `guardlink mcp`
+ */
+export declare function startStdioServer(): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/mcp/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mcp/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,KAAK,UAAU,EAAE,KAAK,cAAc,EAAE,MAAM,cAAc,CAAC;AAKxF;;;GAGG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAItD"}

package/dist/mcp/index.js

@@ -0,0 +1,18 @@
+/**
+ * GuardLink MCP Server — exports and stdio entry point.
+ */
+export { createServer } from './server.js';
+export { lookup } from './lookup.js';
+export { suggestAnnotations } from './suggest.js';
+import { createServer } from './server.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+/**
+ * Start the MCP server on stdio transport.
+ * Called from CLI: `guardlink mcp`
+ */
+export async function startStdioServer() {
+    const server = createServer();
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+//# sourceMappingURL=index.js.map

package/dist/mcp/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/mcp/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAqB,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAwC,MAAM,cAAc,CAAC;AAExF,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AAEjF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}

package/dist/mcp/lookup.d.ts

@@ -0,0 +1,27 @@
+/**
+ * GuardLink Lookup — Query the threat model graph.
+ *
+ * Supports structured queries:
+ *   - "asset #config" or "asset Config" → find asset by ID or path
+ *   - "threat #sqli" → find threat by ID
+ *   - "control #rbac" → find control by ID
+ *   - "threats for #auth" → threats targeting an asset (via exposures)
+ *   - "controls for #auth" → controls protecting an asset (via mitigations)
+ *   - "flows into #engine" → data flows with target = engine
+ *   - "flows from #config" → data flows with source = config
+ *   - "unmitigated" → all unmitigated exposures
+ *   - "boundary #config" → boundaries involving asset
+ *   - Free text → fuzzy match across assets, threats, controls
+ */
+import type { ThreatModel } from '../types/index.js';
+export interface LookupResult {
+    query: string;
+    type: string;
+    count: number;
+    results: any[];
+}
+export interface LookupQuery {
+    raw: string;
+}
+export declare function lookup(model: ThreatModel, query: string): LookupResult;
+//# sourceMappingURL=lookup.d.ts.map

package/dist/mcp/lookup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/mcp/lookup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,WAAW,EAGZ,MAAM,mBAAmB,CAAC;AAE3B,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,GAAG,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;CACb;AAED,wBAAgB,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,GAAG,YAAY,CA4EtE"}