guardlink 1.0.0

package/dist/analyze/index.js

@@ -0,0 +1,306 @@
+/**
+ * GuardLink Threat Reports — AI-powered threat model analysis.
+ *
+ * Serializes the threat model, sends it to an LLM with a framework-
+ * specific prompt, streams the response, and saves timestamped results
+ * to .guardlink/threat-reports/.
+ *
+ * @exposes #llm-client to #arbitrary-write [high] cwe:CWE-73 -- "Writes threat reports to .guardlink/threat-reports/"
+ * @exposes #llm-client to #prompt-injection [medium] cwe:CWE-77 -- "Serialized threat model embedded in LLM prompt"
+ * @accepts #prompt-injection on #llm-client -- "Core feature: threat model serialized as LLM prompt for analysis"
+ * @mitigates #llm-client against #arbitrary-write using #path-validation -- "Reports written to fixed .guardlink/threat-reports/ subdirectory"
+ * @flows #parser -> #llm-client via ThreatModel -- "Parsed model data serialized for LLM analysis"
+ * @flows #llm-client -> Filesystem via writeFileSync -- "Analysis results saved as markdown files"
+ * @handles internal on #llm-client -- "Processes security-sensitive threat model for AI analysis"
+ */
+import { existsSync, mkdirSync, writeFileSync, readdirSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { FRAMEWORK_LABELS, FRAMEWORK_PROMPTS, buildUserMessage } from './prompts.js';
+import { chatCompletion } from './llm.js';
+export { FRAMEWORK_LABELS, FRAMEWORK_PROMPTS, buildUserMessage } from './prompts.js';
+export { buildConfig, autoDetectConfig } from './llm.js';
+// ─── Serialization ───────────────────────────────────────────────────
+/**
+ * Serialize the threat model to a compact representation for LLM context.
+ * Strips empty arrays and location details to save tokens.
+ */
+export function serializeModel(model) {
+    const compact = {
+        project: model.project,
+        annotations: model.annotations_parsed,
+        source_files: model.source_files,
+    };
+    // Only include non-empty sections
+    if (model.assets.length)
+        compact.assets = model.assets.map(a => ({
+            path: a.path.join('.'), id: a.id, description: a.description,
+        }));
+    if (model.threats.length)
+        compact.threats = model.threats.map(t => ({
+            name: t.name, id: t.id, severity: t.severity,
+            refs: t.external_refs.length ? t.external_refs : undefined,
+            description: t.description,
+        }));
+    if (model.controls.length)
+        compact.controls = model.controls.map(c => ({
+            name: c.name, id: c.id, description: c.description,
+        }));
+    if (model.mitigations.length)
+        compact.mitigations = model.mitigations.map(m => ({
+            asset: m.asset, threat: m.threat, control: m.control,
+            description: m.description, file: m.location.file,
+        }));
+    if (model.exposures.length)
+        compact.exposures = model.exposures.map(e => ({
+            asset: e.asset, threat: e.threat, severity: e.severity,
+            refs: e.external_refs.length ? e.external_refs : undefined,
+            description: e.description, file: e.location.file,
+        }));
+    if (model.acceptances.length)
+        compact.acceptances = model.acceptances.map(a => ({
+            asset: a.asset, threat: a.threat, description: a.description,
+        }));
+    if (model.transfers.length)
+        compact.transfers = model.transfers.map(t => ({
+            threat: t.threat, source: t.source, target: t.target,
+        }));
+    if (model.flows.length)
+        compact.flows = model.flows.map(f => ({
+            source: f.source, target: f.target, mechanism: f.mechanism,
+        }));
+    if (model.boundaries.length)
+        compact.boundaries = model.boundaries.map(b => ({
+            a: b.asset_a, b: b.asset_b, id: b.id, description: b.description,
+        }));
+    if (model.data_handling.length)
+        compact.data_handling = model.data_handling.map(h => ({
+            classification: h.classification, asset: h.asset,
+        }));
+    if (model.assumptions.length)
+        compact.assumptions = model.assumptions.map(a => ({
+            asset: a.asset, description: a.description,
+        }));
+    if (model.comments.length)
+        compact.comments = model.comments.map(c => ({
+            description: c.description, file: c.location.file,
+        }));
+    if (model.validations.length)
+        compact.validations = model.validations.map(v => ({
+            control: v.control, asset: v.asset,
+        }));
+    // Coverage summary
+    compact.coverage = {
+        total_symbols: model.coverage.total_symbols,
+        annotated: model.coverage.annotated_symbols,
+        percent: model.coverage.coverage_percent,
+    };
+    // Unmitigated exposures summary
+    const mitigatedSet = new Set();
+    for (const m of model.mitigations)
+        mitigatedSet.add(`${m.asset}::${m.threat}`);
+    for (const a of model.acceptances)
+        mitigatedSet.add(`${a.asset}::${a.threat}`);
+    const unmitigated = model.exposures.filter(e => !mitigatedSet.has(`${e.asset}::${e.threat}`));
+    if (unmitigated.length) {
+        compact.unmitigated_exposures = unmitigated.map(e => ({
+            asset: e.asset, threat: e.threat, severity: e.severity,
+        }));
+    }
+    return JSON.stringify(compact, null, 2);
+}
+/**
+ * Compact serialization for MCP agent mode.
+ *
+ * Designed to minimize token usage (~2-3k tokens vs ~10k for full)
+ * while giving the agent everything it needs:
+ *   - Stats summary (one line)
+ *   - Asset list (compact)
+ *   - ALL unmitigated exposures (the actionable stuff)
+ *   - Threat severity index (deduped)
+ *   - Flows & boundaries (structural context)
+ *   - Data handling classifications
+ *
+ * Omits: resolved mitigations, acceptances, working controls,
+ * full descriptions (capped at 80 chars), per-exposure file paths,
+ * comments, validations, assumptions (low signal for analysis).
+ *
+ * The agent can call guardlink_parse or read guardlink://model
+ * for full detail if needed.
+ */
+export function serializeModelCompact(model) {
+    // Compute unmitigated set
+    const covered = new Set();
+    for (const m of model.mitigations)
+        covered.add(`${m.asset}::${m.threat}`);
+    for (const a of model.acceptances)
+        covered.add(`${a.asset}::${a.threat}`);
+    const unmitigated = model.exposures.filter(e => !covered.has(`${e.asset}::${e.threat}`));
+    const cap = (s, n = 80) => s && s.length > n ? s.slice(0, n - 1) + '…' : s;
+    // Severity counts
+    const sevCounts = {};
+    for (const e of unmitigated) {
+        const s = e.severity || 'unset';
+        sevCounts[s] = (sevCounts[s] || 0) + 1;
+    }
+    const compact = {
+        project: model.project,
+        summary: `${model.annotations_parsed} annotations, ${model.assets.length} assets, ${model.threats.length} threats, ${model.controls.length} controls, ${model.exposures.length} exposures (${unmitigated.length} unmitigated), ${model.mitigations.length} mitigations`,
+        severity_breakdown: sevCounts,
+    };
+    // Assets — just path + id, no descriptions
+    if (model.assets.length) {
+        compact.assets = model.assets.map(a => a.id || a.path.join('.'));
+    }
+    // Unmitigated exposures — grouped by asset for compactness
+    if (unmitigated.length) {
+        const byAsset = {};
+        for (const e of unmitigated) {
+            const key = e.asset;
+            if (!byAsset[key])
+                byAsset[key] = [];
+            const entry = { threat: e.threat, severity: e.severity };
+            if (e.external_refs.length)
+                entry.refs = e.external_refs;
+            if (e.description)
+                entry.desc = cap(e.description);
+            byAsset[key].push(entry);
+        }
+        compact.unmitigated = byAsset;
+    }
+    // Threat index — deduped, severity + refs only
+    if (model.threats.length) {
+        compact.threats = model.threats.map(t => {
+            const entry = { id: t.id, severity: t.severity };
+            if (t.external_refs.length)
+                entry.refs = t.external_refs;
+            return entry;
+        });
+    }
+    // Flows & boundaries — structural context for attack path analysis
+    if (model.flows.length) {
+        compact.flows = model.flows.map(f => `${f.source} → ${f.target}${f.mechanism ? ' via ' + f.mechanism : ''}`);
+    }
+    if (model.boundaries.length) {
+        compact.boundaries = model.boundaries.map(b => `${b.asset_a} | ${b.asset_b}${b.description ? ': ' + cap(b.description, 40) : ''}`);
+    }
+    // Data handling — classification matters for compliance analysis
+    if (model.data_handling.length) {
+        compact.data_handling = model.data_handling.map(h => `${h.asset}: ${h.classification}`);
+    }
+    // Mitigation count per asset (not full details — just "how defended is each asset?")
+    if (model.mitigations.length) {
+        const mitByAsset = {};
+        for (const m of model.mitigations)
+            mitByAsset[m.asset] = (mitByAsset[m.asset] || 0) + 1;
+        compact.mitigations_per_asset = mitByAsset;
+    }
+    return JSON.stringify(compact, null, 2);
+}
+// ─── Threat report generation ────────────────────────────────────────
+/** Storage directory for threat reports (new path) */
+const THREAT_REPORTS_DIR = 'threat-reports';
+/** Legacy storage directory (read fallback) */
+const LEGACY_ANALYSES_DIR = 'analyses';
+export async function generateThreatReport(opts) {
+    const { root, model, framework, llmConfig, customPrompt } = opts;
+    const modelJson = serializeModel(model);
+    const systemPrompt = FRAMEWORK_PROMPTS[framework];
+    const userMessage = buildUserMessage(modelJson, framework, customPrompt);
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
+    // Call LLM
+    const response = await chatCompletion(llmConfig, systemPrompt, userMessage, opts.stream ? opts.onChunk : undefined);
+    // Save to .guardlink/threat-reports/
+    const reportsDir = join(root, '.guardlink', THREAT_REPORTS_DIR);
+    if (!existsSync(reportsDir)) {
+        mkdirSync(reportsDir, { recursive: true });
+    }
+    const filename = `${timestamp}-${framework}.md`;
+    const filepath = join(reportsDir, filename);
+    const header = `---
+framework: ${framework}
+label: ${FRAMEWORK_LABELS[framework]}
+model: ${response.model}
+timestamp: ${new Date().toISOString()}
+input_tokens: ${response.inputTokens || 'unknown'}
+output_tokens: ${response.outputTokens || 'unknown'}
+project: ${model.project}
+annotations: ${model.annotations_parsed}
+---
+
+# ${FRAMEWORK_LABELS[framework]}
+
+> Generated by \`guardlink threat-report ${framework}\` on ${new Date().toISOString().slice(0, 10)}
+> Model: ${response.model} | Project: ${model.project} | Annotations: ${model.annotations_parsed}
+
+`;
+    writeFileSync(filepath, header + response.content + '\n');
+    return {
+        framework,
+        label: FRAMEWORK_LABELS[framework],
+        content: response.content,
+        model: response.model,
+        timestamp,
+        savedTo: `.guardlink/${THREAT_REPORTS_DIR}/${filename}`,
+        inputTokens: response.inputTokens,
+        outputTokens: response.outputTokens,
+    };
+}
+/** Read .md files from a .guardlink subdirectory */
+function readReportsFromDir(dirPath, dirName) {
+    if (!existsSync(dirPath))
+        return [];
+    return readdirSync(dirPath)
+        .filter(f => f.endsWith('.md'))
+        .map(filename => {
+        const match = filename.match(/^(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})-(\w+)\.md$/);
+        const framework = match?.[2] || 'unknown';
+        const timestamp = match?.[1]?.replace(/T/, ' ').replace(/-/g, (m, offset) => offset > 9 ? ':' : '-') || filename;
+        let model;
+        try {
+            const content = readFileSync(join(dirPath, filename), 'utf-8');
+            const modelMatch = content.match(/^model:\s*(.+)$/m);
+            if (modelMatch)
+                model = modelMatch[1].trim();
+        }
+        catch { /* ignore */ }
+        return {
+            filename,
+            framework,
+            timestamp,
+            label: FRAMEWORK_LABELS[framework] || framework,
+            model,
+            dirName,
+        };
+    });
+}
+export function listThreatReports(root) {
+    // Read from new path first, then legacy, merge and dedup by filename
+    const newDir = join(root, '.guardlink', THREAT_REPORTS_DIR);
+    const legacyDir = join(root, '.guardlink', LEGACY_ANALYSES_DIR);
+    const reports = readReportsFromDir(newDir, THREAT_REPORTS_DIR);
+    const legacy = readReportsFromDir(legacyDir, LEGACY_ANALYSES_DIR);
+    // Merge: new path takes precedence if same filename exists in both
+    const seen = new Set(reports.map(r => r.filename));
+    for (const l of legacy) {
+        if (!seen.has(l.filename))
+            reports.push(l);
+    }
+    return reports.sort((a, b) => b.filename.localeCompare(a.filename));
+}
+const MAX_REPORTS_IN_DASHBOARD = 50;
+export function loadThreatReportsForDashboard(root) {
+    const entries = listThreatReports(root).slice(0, MAX_REPORTS_IN_DASHBOARD);
+    const result = [];
+    for (const entry of entries) {
+        const dir = join(root, '.guardlink', entry.dirName || THREAT_REPORTS_DIR);
+        try {
+            const raw = readFileSync(join(dir, entry.filename), 'utf-8');
+            const content = raw.replace(/^---[\s\S]*?---\n*/, '').trim();
+            if (content)
+                result.push({ ...entry, content });
+        }
+        catch { /* skip unreadable files */ }
+    }
+    return result;
+}
+//# sourceMappingURL=index.js.map

package/dist/analyze/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyze/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1F,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAA0B,gBAAgB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC7G,OAAO,EAA+B,cAAc,EAAE,MAAM,UAAU,CAAC;AAEvE,OAAO,EAA0B,gBAAgB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC7G,OAAO,EAAoC,WAAW,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAyB3F,wEAAwE;AAExE;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,MAAM,OAAO,GAAwB;QACnC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,WAAW,EAAE,KAAK,CAAC,kBAAkB;QACrC,YAAY,EAAE,KAAK,CAAC,YAAY;KACjC,CAAC;IAEF,kCAAkC;IAClC,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC/D,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW;SAC7D,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAClE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ;YAC5C,IAAI,EAAE,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;YAC1D,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM;QAAE,OAAO,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACrE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW;SACnD,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM;QAAE,OAAO,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC9E,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO;YACpD,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;SAClD,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM;QAAE,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACxE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACtD,IAAI,EAAE,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;YAC1D,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;SAClD,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM;QAAE,OAAO,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC9E,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW;SAC7D,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM;QAAE,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACxE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM;SACrD,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM;QAAE,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS;SAC3D,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM;QAAE,OAAO,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC3E,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW;SACjE,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM;QAAE,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACpF,cAAc,EAAE,CAAC,CAAC,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK;SACjD,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM;QAAE,OAAO,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC9E,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3C,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM;QAAE,OAAO,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACrE,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;SAClD,CAAC,CAAC,CAAC;IACJ,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM;QAAE,OAAO,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC9E,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK;SACnC,CAAC,CAAC,CAAC;IAEJ,mBAAmB;IACnB,OAAO,CAAC,QAAQ,GAAG;QACjB,aAAa,EAAE,KAAK,CAAC,QAAQ,CAAC,aAAa;QAC3C,SAAS,EAAE,KAAK,CAAC,QAAQ,CAAC,iBAAiB;QAC3C,OAAO,EAAE,KAAK,CAAC,QAAQ,CAAC,gBAAgB;KACzC,CAAC;IAEF,gCAAgC;IAChC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/E,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/E,MAAM,WAAW,GAAG,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC9F,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,qBAAqB,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACpD,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACvD,CAAC,CAAC,CAAC;IACN,CAAC;IAED,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAkB;IACtD,0BAA0B;IAC1B,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,MAAM,WAAW,GAAG,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAEzF,MAAM,GAAG,GAAG,CAAC,CAAqB,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,CAC5C,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAElD,kBAAkB;IAClB,MAAM,SAAS,GAA2B,EAAE,CAAC;IAC7C,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,OAAO,CAAC;QAChC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,OAAO,GAAwB;QACnC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,OAAO,EAAE,GAAG,KAAK,CAAC,kBAAkB,iBAAiB,KAAK,CAAC,MAAM,CAAC,MAAM,YAAY,KAAK,CAAC,OAAO,CAAC,MAAM,aAAa,KAAK,CAAC,QAAQ,CAAC,MAAM,cAAc,KAAK,CAAC,SAAS,CAAC,MAAM,eAAe,WAAW,CAAC,MAAM,kBAAkB,KAAK,CAAC,WAAW,CAAC,MAAM,cAAc;QACvQ,kBAAkB,EAAE,SAAS;KAC9B,CAAC;IAEF,2CAA2C;IAC3C,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACxB,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACnE,CAAC;IAED,2DAA2D;IAC3D,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,OAAO,GAA0B,EAAE,CAAC;QAC1C,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACrC,MAAM,KAAK,GAAwB,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;YAC9E,IAAI,CAAC,CAAC,aAAa,CAAC,MAAM;gBAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC;YACzD,IAAI,CAAC,CAAC,WAAW;gBAAE,KAAK,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC;IAChC,CAAC;IAED,+CAA+C;IAC/C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACzB,OAAO,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YACtC,MAAM,KAAK,GAAwB,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;YACtE,IAAI,CAAC,CAAC,aAAa,CAAC,MAAM;gBAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC;YACzD,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;IACL,CAAC;IAED,mEAAmE;IACnE,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC/G,CAAC;IACD,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QAC5B,OAAO,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,OAAO,MAAM,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrI,CAAC;IAED,iEAAiE;IACjE,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC;QAC/B,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,qFAAqF;IACrF,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;QAC7B,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;YAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACxF,OAAO,CAAC,qBAAqB,GAAG,UAAU,CAAC;IAC7C,CAAC;IAED,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,wEAAwE;AAExE,sDAAsD;AACtD,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;AAC5C,+CAA+C;AAC/C,MAAM,mBAAmB,GAAG,UAAU,CAAC;AAEvC,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAAyB;IAClE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAEjE,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,gBAAgB,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;IAEzE,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAE9E,WAAW;IACX,MAAM,QAAQ,GAAG,MAAM,cAAc,CACnC,SAAS,EACT,YAAY,EACZ,WAAW,EACX,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CACvC,CAAC;IAEF,qCAAqC;IACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,kBAAkB,CAAC,CAAC;IAChE,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,SAAS,IAAI,SAAS,KAAK,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG;aACJ,SAAS;SACb,gBAAgB,CAAC,SAAS,CAAC;SAC3B,QAAQ,CAAC,KAAK;aACV,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACrB,QAAQ,CAAC,WAAW,IAAI,SAAS;iBAChC,QAAQ,CAAC,YAAY,IAAI,SAAS;WACxC,KAAK,CAAC,OAAO;eACT,KAAK,CAAC,kBAAkB;;;IAGnC,gBAAgB,CAAC,SAAS,CAAC;;2CAEY,SAAS,SAAS,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;WACvF,QAAQ,CAAC,KAAK,eAAe,KAAK,CAAC,OAAO,mBAAmB,KAAK,CAAC,kBAAkB;;CAE/F,CAAC;IAEA,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAE1D,OAAO;QACL,SAAS;QACT,KAAK,EAAE,gBAAgB,CAAC,SAAS,CAAC;QAClC,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,SAAS;QACT,OAAO,EAAE,cAAc,kBAAkB,IAAI,QAAQ,EAAE;QACvD,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,YAAY,EAAE,QAAQ,CAAC,YAAY;KACpC,CAAC;AACJ,CAAC;AAcD,oDAAoD;AACpD,SAAS,kBAAkB,CAAC,OAAe,EAAE,OAAe;IAC1D,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,OAAO,WAAW,CAAC,OAAO,CAAC;SACxB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;SAC9B,GAAG,CAAC,QAAQ,CAAC,EAAE;QACd,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QAClF,MAAM,SAAS,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;QAC1C,MAAM,SAAS,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC;QAEjH,IAAI,KAAyB,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;YACrD,IAAI,UAAU;gBAAE,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAExB,OAAO;YACL,QAAQ;YACR,SAAS;YACT,SAAS;YACT,KAAK,EAAE,gBAAgB,CAAC,SAA8B,CAAC,IAAI,SAAS;YACpE,KAAK;YACL,OAAO;SACR,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,qEAAqE;IACrE,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,kBAAkB,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,mBAAmB,CAAC,CAAC;IAEhE,MAAM,OAAO,GAAG,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAElE,mEAAmE;IACnE,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IACnD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtE,CAAC;AAQD,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC,MAAM,UAAU,6BAA6B,CAAC,IAAY;IACxD,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,wBAAwB,CAAC,CAAC;IAC3E,MAAM,MAAM,GAA8B,EAAE,CAAC;IAE7C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,KAAK,CAAC,OAAO,IAAI,kBAAkB,CAAC,CAAC;QAC1E,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;YAC7D,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7D,IAAI,OAAO;gBAAE,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC,CAAC,2BAA2B,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/analyze/llm.d.ts

@@ -0,0 +1,52 @@
+/**
+ * GuardLink Threat Reports — Lightweight LLM client using raw fetch.
+ *
+ * Supports:
+ *   - Anthropic Messages API (claude-sonnet-4-5-20250929, etc.)
+ *   - OpenAI-compatible Chat Completions (GPT-4o, DeepSeek, OpenRouter)
+ *
+ * Zero dependencies — uses Node 20+ built-in fetch.
+ *
+ * @exposes #llm-client to #api-key-exposure [high] cwe:CWE-798 -- "Reads API keys from environment variables"
+ * @exposes #llm-client to #ssrf [medium] cwe:CWE-918 -- "Makes HTTP requests to configurable provider URLs"
+ * @exposes #llm-client to #prompt-injection [medium] cwe:CWE-77 -- "Sends threat model content as LLM prompt"
+ * @accepts #prompt-injection on #llm-client -- "Core feature: threat model data is sent to LLM for analysis"
+ * @mitigates #llm-client against #ssrf using #config-validation -- "BASE_URLS are hardcoded to known providers"
+ * @mitigates #llm-client against #api-key-exposure using #key-redaction -- "Keys read from env, not logged"
+ * @handles secrets on #llm-client -- "API keys held in memory during request lifecycle"
+ * @boundary between #llm-client and External_LLM_APIs (#llm-boundary) -- "HTTP requests cross network trust boundary to external AI providers"
+ * @flows #llm-client -> External_LLM_APIs via fetch -- "HTTP POST with auth headers and prompt payload"
+ * @flows External_LLM_APIs -> #llm-client via response -- "Streaming or complete response from LLM provider"
+ */
+export type LLMProvider = 'anthropic' | 'openai' | 'openrouter' | 'deepseek';
+export interface LLMConfig {
+    provider: LLMProvider;
+    model: string;
+    apiKey: string;
+    baseUrl?: string;
+    maxTokens?: number;
+}
+export interface LLMResponse {
+    content: string;
+    model: string;
+    inputTokens?: number;
+    outputTokens?: number;
+}
+/**
+ * Auto-detect provider from environment variables.
+ * Returns null if no API key found.
+ */
+export declare function autoDetectConfig(): LLMConfig | null;
+/**
+ * Build config from explicit flags + env vars.
+ */
+export declare function buildConfig(opts: {
+    provider?: string;
+    model?: string;
+    apiKey?: string;
+}): LLMConfig | null;
+/**
+ * Send a message to the LLM and return the response.
+ */
+export declare function chatCompletion(config: LLMConfig, systemPrompt: string, userMessage: string, onChunk?: (text: string) => void): Promise<LLMResponse>;
+//# sourceMappingURL=llm.d.ts.map

package/dist/analyze/llm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm.d.ts","sourceRoot":"","sources":["../../src/analyze/llm.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,QAAQ,GAAG,YAAY,GAAG,UAAU,CAAC;AAE7E,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,WAAW,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAgBD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,SAAS,GAAG,IAAI,CA+BnD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,SAAS,GAAG,IAAI,CA2BnB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,SAAS,EACjB,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,GAC/B,OAAO,CAAC,WAAW,CAAC,CAMtB"}