guardlink 1.1.0 → 1.3.0

package/dist/analyze/tools.js

@@ -0,0 +1,236 @@
+/**
+ * GuardLink — Tool definitions for LLM function calling.
+ *
+ * Defines tools that the LLM can invoke during threat analysis:
+ *   - lookup_cve: Search for CVE details (via web fetch)
+ *   - validate_finding: Cross-reference a finding against the parsed model
+ *   - search_codebase: Search project files for patterns
+ *
+ * @exposes #llm-client to #ssrf [medium] cwe:CWE-918 -- "lookupCve fetches from NVD API with user-controlled CVE ID"
+ * @mitigates #llm-client against #ssrf using #input-sanitize -- "CVE ID validated with strict regex; URL hardcoded to NVD"
+ * @exposes #llm-client to #path-traversal [medium] cwe:CWE-22 -- "searchCodebase reads files from project root"
+ * @mitigates #llm-client against #path-traversal using #glob-filtering -- "skipDirs excludes sensitive directories; relative() bounds output"
+ * @exposes #llm-client to #dos [low] cwe:CWE-400 -- "searchCodebase reads many files; bounded by maxResults"
+ * @mitigates #llm-client against #dos using #resource-limits -- "maxResults caps output; stat.size < 500KB filter"
+ * @flows LLMToolCall -> #llm-client via createToolExecutor -- "Tool invocation input"
+ * @flows #llm-client -> NVD via fetch -- "CVE lookup API call"
+ * @flows ProjectFiles -> #llm-client via readFileSync -- "Codebase search reads"
+ * @boundary #llm-client and NVD (#nvd-api-boundary) -- "Trust boundary at external API"
+ */
+import { readFileSync, readdirSync, statSync } from 'node:fs';
+import { join, relative } from 'node:path';
+// ─── Tool definitions ────────────────────────────────────────────────
+export const GUARDLINK_TOOLS = [
+    {
+        name: 'lookup_cve',
+        description: 'Look up a CVE identifier to get vulnerability details including severity, description, and affected products. Use this when analyzing exposures that reference specific CWEs or when you need current vulnerability intelligence.',
+        parameters: {
+            type: 'object',
+            properties: {
+                cve_id: { type: 'string', description: 'CVE identifier (e.g., CVE-2024-1234)' },
+            },
+            required: ['cve_id'],
+            additionalProperties: false,
+        },
+    },
+    {
+        name: 'validate_finding',
+        description: 'Cross-reference a potential finding against the parsed threat model. Check if an exposure, mitigation, or control already exists for a given asset+threat pair.',
+        parameters: {
+            type: 'object',
+            properties: {
+                asset: { type: 'string', description: 'Asset ID or path (e.g., #auth-api or Server.Auth)' },
+                threat: { type: 'string', description: 'Threat ID or name (e.g., #sqli or SQL_Injection)' },
+                check: { type: 'string', description: 'What to check', enum: ['exposure_exists', 'mitigation_exists', 'is_unmitigated'] },
+            },
+            required: ['asset', 'threat', 'check'],
+            additionalProperties: false,
+        },
+    },
+    {
+        name: 'search_codebase',
+        description: 'Search project source files for a pattern (case-insensitive substring match). Returns matching lines with file paths and line numbers. Use this to verify code-level claims during threat analysis.',
+        parameters: {
+            type: 'object',
+            properties: {
+                pattern: { type: 'string', description: 'Search pattern (substring, case-insensitive)' },
+            },
+            required: ['pattern'],
+            additionalProperties: false,
+        },
+    },
+];
+// ─── Tool executor ───────────────────────────────────────────────────
+/**
+ * Create a tool executor bound to a project root and threat model.
+ * The executor handles all GuardLink tool calls.
+ */
+export function createToolExecutor(root, model) {
+    return async (name, args) => {
+        switch (name) {
+            case 'lookup_cve':
+                return lookupCve(args.cve_id);
+            case 'validate_finding':
+                return validateFinding(model, args.asset, args.threat, args.check);
+            case 'search_codebase':
+                return searchCodebase(root, args.pattern, args.file_glob, parseInt(args.max_results || '20', 10));
+            default:
+                return `Unknown tool: ${name}`;
+        }
+    };
+}
+// ─── Tool implementations ────────────────────────────────────────────
+/** Fetch CVE details from NVD API */
+async function lookupCve(cveId) {
+    if (!cveId || !cveId.match(/^CVE-\d{4}-\d{4,}$/i)) {
+        return `Invalid CVE ID format: ${cveId}. Expected format: CVE-YYYY-NNNNN`;
+    }
+    try {
+        const url = `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=${encodeURIComponent(cveId.toUpperCase())}`;
+        const res = await fetch(url, {
+            headers: { 'User-Agent': 'GuardLink/1.0 (threat-modeling-tool)' },
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!res.ok) {
+            return `NVD API returned ${res.status} for ${cveId}`;
+        }
+        const data = await res.json();
+        const vuln = data.vulnerabilities?.[0]?.cve;
+        if (!vuln)
+            return `No data found for ${cveId}`;
+        const desc = vuln.descriptions?.find((d) => d.lang === 'en')?.value || 'No description';
+        const metrics = vuln.metrics?.cvssMetricV31?.[0]?.cvssData || vuln.metrics?.cvssMetricV40?.[0]?.cvssData;
+        const score = metrics?.baseScore || 'N/A';
+        const severity = metrics?.baseSeverity || 'N/A';
+        const cwes = vuln.weaknesses?.flatMap((w) => w.description?.map((d) => d.value))?.filter(Boolean) || [];
+        return JSON.stringify({
+            id: cveId.toUpperCase(),
+            description: desc.slice(0, 500),
+            cvss_score: score,
+            severity,
+            cwes,
+            published: vuln.published,
+            last_modified: vuln.lastModified,
+        });
+    }
+    catch (err) {
+        return `CVE lookup failed: ${err.message}`;
+    }
+}
+/** Validate a finding against the parsed threat model */
+function validateFinding(model, asset, threat, check) {
+    if (!model)
+        return 'No threat model available. Run guardlink parse first.';
+    const normalizeId = (s) => s.replace(/^#/, '').toLowerCase();
+    const assetId = normalizeId(asset);
+    const threatId = normalizeId(threat);
+    const matchAsset = (a) => normalizeId(a) === assetId;
+    const matchThreat = (t) => normalizeId(t) === threatId;
+    switch (check) {
+        case 'exposure_exists': {
+            const found = model.exposures.filter(e => matchAsset(e.asset) && matchThreat(e.threat));
+            if (found.length) {
+                return JSON.stringify({
+                    exists: true,
+                    count: found.length,
+                    exposures: found.map(e => ({
+                        severity: e.severity,
+                        description: e.description,
+                        file: e.location.file,
+                        line: e.location.line,
+                    })),
+                });
+            }
+            return JSON.stringify({ exists: false });
+        }
+        case 'mitigation_exists': {
+            const found = model.mitigations.filter(m => matchAsset(m.asset) && matchThreat(m.threat));
+            if (found.length) {
+                return JSON.stringify({
+                    exists: true,
+                    count: found.length,
+                    mitigations: found.map(m => ({
+                        control: m.control,
+                        description: m.description,
+                        file: m.location.file,
+                        line: m.location.line,
+                    })),
+                });
+            }
+            return JSON.stringify({ exists: false });
+        }
+        case 'is_unmitigated': {
+            const exposed = model.exposures.some(e => matchAsset(e.asset) && matchThreat(e.threat));
+            const mitigated = model.mitigations.some(m => matchAsset(m.asset) && matchThreat(m.threat));
+            const accepted = model.acceptances.some(a => matchAsset(a.asset) && matchThreat(a.threat));
+            return JSON.stringify({ exposed, mitigated, accepted, unmitigated: exposed && !mitigated && !accepted });
+        }
+        default:
+            return `Unknown check type: ${check}. Use: exposure_exists, mitigation_exists, is_unmitigated`;
+    }
+}
+/** Search project source files for a pattern */
+function searchCodebase(root, pattern, fileGlob, maxResults = 20) {
+    if (!pattern)
+        return 'No search pattern provided';
+    const results = [];
+    const pat = pattern.toLowerCase();
+    const ext = fileGlob ? fileGlob.toLowerCase() : null;
+    // Walk source files (skip node_modules, .git, dist, etc.)
+    const skipDirs = new Set(['node_modules', '.git', 'dist', 'build', '.guardlink', '__pycache__', '.next', 'vendor', 'target']);
+    function walk(dir) {
+        if (results.length >= maxResults)
+            return;
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (results.length >= maxResults)
+                return;
+            const full = join(dir, entry);
+            let stat;
+            try {
+                stat = statSync(full);
+            }
+            catch {
+                continue;
+            }
+            if (stat.isDirectory()) {
+                if (!skipDirs.has(entry) && !entry.startsWith('.'))
+                    walk(full);
+            }
+            else if (stat.isFile()) {
+                if (ext && !entry.toLowerCase().endsWith(ext))
+                    continue;
+                // Skip binary / large files
+                if (stat.size > 500_000)
+                    continue;
+                if (/\.(png|jpg|gif|ico|woff|ttf|eot|svg|mp[34]|zip|tar|gz|lock|map)$/i.test(entry))
+                    continue;
+                try {
+                    const content = readFileSync(full, 'utf-8');
+                    const lines = content.split('\n');
+                    for (let i = 0; i < lines.length && results.length < maxResults; i++) {
+                        if (lines[i].toLowerCase().includes(pat)) {
+                            results.push({
+                                file: relative(root, full),
+                                line: i + 1,
+                                text: lines[i].trim().slice(0, 200),
+                            });
+                        }
+                    }
+                }
+                catch { /* skip unreadable */ }
+            }
+        }
+    }
+    walk(root);
+    if (!results.length)
+        return `No matches found for "${pattern}"`;
+    return JSON.stringify(results);
+}
+//# sourceMappingURL=tools.js.map

package/dist/analyze/tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools.js","sourceRoot":"","sources":["../../src/analyze/tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAI3C,wEAAwE;AAExE,MAAM,CAAC,MAAM,eAAe,GAAqB;IAC/C;QACE,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,mOAAmO;QAChP,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,sCAAsC,EAAE;aAChF;YACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;YACpB,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,iKAAiK;QAC9K,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,mDAAmD,EAAE;gBAC3F,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kDAAkD,EAAE;gBAC3F,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,iBAAiB,EAAE,mBAAmB,EAAE,gBAAgB,CAAC,EAAE;aAC1H;YACD,QAAQ,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC;YACtC,oBAAoB,EAAE,KAAK;SAC5B;KACF;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,qMAAqM;QAClN,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,8CAA8C,EAAE;aACzF;YACD,QAAQ,EAAE,CAAC,SAAS,CAAC;YACrB,oBAAoB,EAAE,KAAK;SAC5B;KACF;CACF,CAAC;AAEF,wEAAwE;AAExE;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,KAAyB;IACxE,OAAO,KAAK,EAAE,IAAY,EAAE,IAAyB,EAAmB,EAAE;QACxE,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,YAAY;gBACf,OAAO,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChC,KAAK,kBAAkB;gBACrB,OAAO,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YACrE,KAAK,iBAAiB;gBACpB,OAAO,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;YACpG;gBACE,OAAO,iBAAiB,IAAI,EAAE,CAAC;QACnC,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,qCAAqC;AACrC,KAAK,UAAU,SAAS,CAAC,KAAa;IACpC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAClD,OAAO,0BAA0B,KAAK,mCAAmC,CAAC;IAC5E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,0DAA0D,kBAAkB,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAChH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE,EAAE,YAAY,EAAE,sCAAsC,EAAE;YACjE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,oBAAoB,GAAG,CAAC,MAAM,QAAQ,KAAK,EAAE,CAAC;QACvD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAS,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;QAC5C,IAAI,CAAC,IAAI;YAAE,OAAO,qBAAqB,KAAK,EAAE,CAAC;QAE/C,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,KAAK,IAAI,gBAAgB,CAAC;QAC7F,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,IAAI,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC;QACzG,MAAM,KAAK,GAAG,OAAO,EAAE,SAAS,IAAI,KAAK,CAAC;QAC1C,MAAM,QAAQ,GAAG,OAAO,EAAE,YAAY,IAAI,KAAK,CAAC;QAEhD,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAM,EAAE,EAAE,CAC/C,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CACxC,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAEzB,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,EAAE,EAAE,KAAK,CAAC,WAAW,EAAE;YACvB,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YAC/B,UAAU,EAAE,KAAK;YACjB,QAAQ;YACR,IAAI;YACJ,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,aAAa,EAAE,IAAI,CAAC,YAAY;SACjC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,sBAAsB,GAAG,CAAC,OAAO,EAAE,CAAC;IAC7C,CAAC;AACH,CAAC;AAED,yDAAyD;AACzD,SAAS,eAAe,CACtB,KAAyB,EACzB,KAAa,EACb,MAAc,EACd,KAAa;IAEb,IAAI,CAAC,KAAK;QAAE,OAAO,uDAAuD,CAAC;IAE3E,MAAM,WAAW,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACrE,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAErC,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC;IAC7D,MAAM,WAAW,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;IAE/D,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YACxF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,OAAO,IAAI,CAAC,SAAS,CAAC;oBACpB,MAAM,EAAE,IAAI;oBACZ,KAAK,EAAE,KAAK,CAAC,MAAM;oBACnB,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;wBACzB,QAAQ,EAAE,CAAC,CAAC,QAAQ;wBACpB,WAAW,EAAE,CAAC,CAAC,WAAW;wBAC1B,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;wBACrB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;qBACtB,CAAC,CAAC;iBACJ,CAAC,CAAC;YACL,CAAC;YACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,mBAAmB,CAAC,CAAC,CAAC;YACzB,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1F,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,OAAO,IAAI,CAAC,SAAS,CAAC;oBACpB,MAAM,EAAE,IAAI;oBACZ,KAAK,EAAE,KAAK,CAAC,MAAM;oBACnB,WAAW,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;wBAC3B,OAAO,EAAE,CAAC,CAAC,OAAO;wBAClB,WAAW,EAAE,CAAC,CAAC,WAAW;wBAC1B,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;wBACrB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;qBACtB,CAAC,CAAC;iBACJ,CAAC,CAAC;YACL,CAAC;YACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YACxF,MAAM,SAAS,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5F,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YAC3F,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3G,CAAC;QACD;YACE,OAAO,uBAAuB,KAAK,2DAA2D,CAAC;IACnG,CAAC;AACH,CAAC;AAED,gDAAgD;AAChD,SAAS,cAAc,CACrB,IAAY,EACZ,OAAe,EACf,QAAiB,EACjB,UAAU,GAAG,EAAE;IAEf,IAAI,CAAC,OAAO;QAAE,OAAO,4BAA4B,CAAC;IAElD,MAAM,OAAO,GAAmD,EAAE,CAAC;IACnE,MAAM,GAAG,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAErD,0DAA0D;IAC1D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IAE9H,SAAS,IAAI,CAAC,GAAW;QACvB,IAAI,OAAO,CAAC,MAAM,IAAI,UAAU;YAAE,OAAO;QACzC,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YAAC,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO;QAAC,CAAC;QAErD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,OAAO,CAAC,MAAM,IAAI,UAAU;gBAAE,OAAO;YACzC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9B,IAAI,IAAI,CAAC;YACT,IAAI,CAAC;gBAAC,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,SAAS;YAAC,CAAC;YAElD,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;gBACvB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YACjE,CAAC;iBAAM,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;gBACzB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACxD,4BAA4B;gBAC5B,IAAI,IAAI,CAAC,IAAI,GAAG,OAAO;oBAAE,SAAS;gBAClC,IAAI,mEAAmE,CAAC,IAAI,CAAC,KAAK,CAAC;oBAAE,SAAS;gBAE9F,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;oBAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;wBACrE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;4BACzC,OAAO,CAAC,IAAI,CAAC;gCACX,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;gCAC1B,IAAI,EAAE,CAAC,GAAG,CAAC;gCACX,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;6BACpC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,CAAC;IAEX,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO,yBAAyB,OAAO,GAAG,CAAC;IAChE,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC"}

package/dist/analyzer/index.d.ts

@@ -1,5 +1,8 @@
 /**
  * GuardLink Analyzer — exports.
+ *
+ * @comment -- "SARIF generation is pure transformation; no I/O in this module"
+ * @comment -- "File writes handled by CLI/MCP callers"
  */
 export { generateSarif, type SarifOptions } from './sarif.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/analyzer/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyzer/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyzer/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC"}

package/dist/analyzer/index.js

@@ -1,5 +1,8 @@
 /**
  * GuardLink Analyzer — exports.
+ *
+ * @comment -- "SARIF generation is pure transformation; no I/O in this module"
+ * @comment -- "File writes handled by CLI/MCP callers"
  */
 export { generateSarif } from './sarif.js';
 //# sourceMappingURL=index.js.map

package/dist/analyzer/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzer/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzer/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC"}

package/dist/analyzer/sarif.d.ts

@@ -12,12 +12,11 @@
  *   2. Parse errors (annotation syntax problems)
  *   3. Dangling references (broken #id refs)
  *
- * @exposes #sarif to #info-disclosure [low] cwe:CWE-200 -- "SARIF output contains detailed threat model findings"
- * @accepts #info-disclosure on #sarif -- "SARIF export for security tools is the intended feature"
- * @exposes #sarif to #arbitrary-write [high] cwe:CWE-73 -- "SARIF written to user-specified output path"
- * @mitigates #sarif against #arbitrary-write using #path-validation -- "CLI resolves output path before write"
- * @flows #parser -> #sarif via ThreatModel -- "SARIF generator receives parsed threat model"
- * @flows #sarif -> External_Security_Tools via SARIF_JSON -- "Output consumed by GitHub, VS Code, etc."
+ * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"
+ * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"
+ * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"
+ * @flows ThreatModel -> #sarif via generateSarif -- "Model input"
+ * @flows #sarif -> SarifLog via return -- "SARIF output"
  */
 import type { ThreatModel, ParseDiagnostic, Severity } from '../types/index.js';
 interface SarifLog {

package/dist/analyzer/sarif.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/analyzer/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAuB,eAAe,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAIrG,UAAU,QAAQ;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,QAAQ,EAAE,CAAC;CAClB;AAED,UAAU,QAAQ;IAChB,IAAI,EAAE;QACJ,MAAM,EAAE;YACN,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;YAChB,cAAc,EAAE,MAAM,CAAC;YACvB,KAAK,EAAE,SAAS,EAAE,CAAC;SACpB,CAAC;KACH,CAAC;IACF,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAED,UAAU,SAAS;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACnC,eAAe,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE;QACpB,KAAK,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;KACrC,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,WAAW;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;IACpC,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1B,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,aAAa;IACrB,gBAAgB,EAAE;QAChB,gBAAgB,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAC;QAClC,MAAM,EAAE;YACN,SAAS,EAAE,MAAM,CAAC;YAClB,WAAW,CAAC,EAAE,MAAM,CAAC;SACtB,CAAC;KACH,CAAC;CACH;AAyCD,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,0CAA0C;IAC1C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,mEAAmE;IACnE,WAAW,CAAC,EAAE,QAAQ,CAAC;CACxB;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,WAAW,EAClB,WAAW,GAAE,eAAe,EAAO,EACnC,YAAY,GAAE,eAAe,EAAO,EACpC,OAAO,GAAE,YAAiB,GACzB,QAAQ,CA+EV"}
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/analyzer/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAuB,eAAe,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAIrG,UAAU,QAAQ;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,QAAQ,EAAE,CAAC;CAClB;AAED,UAAU,QAAQ;IAChB,IAAI,EAAE;QACJ,MAAM,EAAE;YACN,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;YAChB,cAAc,EAAE,MAAM,CAAC;YACvB,KAAK,EAAE,SAAS,EAAE,CAAC;SACpB,CAAC;KACH,CAAC;IACF,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAED,UAAU,SAAS;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACnC,eAAe,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE;QACpB,KAAK,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;KACrC,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,WAAW;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;IACpC,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1B,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,aAAa;IACrB,gBAAgB,EAAE;QAChB,gBAAgB,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAC;QAClC,MAAM,EAAE;YACN,SAAS,EAAE,MAAM,CAAC;YAClB,WAAW,CAAC,EAAE,MAAM,CAAC;SACtB,CAAC;KACH,CAAC;CACH;AAyCD,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,0CAA0C;IAC1C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,mEAAmE;IACnE,WAAW,CAAC,EAAE,QAAQ,CAAC;CACxB;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,WAAW,EAClB,WAAW,GAAE,eAAe,EAAO,EACnC,YAAY,GAAE,eAAe,EAAO,EACpC,OAAO,GAAE,YAAiB,GACzB,QAAQ,CA+EV"}

package/dist/analyzer/sarif.js

@@ -12,12 +12,11 @@
  *   2. Parse errors (annotation syntax problems)
  *   3. Dangling references (broken #id refs)
  *
- * @exposes #sarif to #info-disclosure [low] cwe:CWE-200 -- "SARIF output contains detailed threat model findings"
- * @accepts #info-disclosure on #sarif -- "SARIF export for security tools is the intended feature"
- * @exposes #sarif to #arbitrary-write [high] cwe:CWE-73 -- "SARIF written to user-specified output path"
- * @mitigates #sarif against #arbitrary-write using #path-validation -- "CLI resolves output path before write"
- * @flows #parser -> #sarif via ThreatModel -- "SARIF generator receives parsed threat model"
- * @flows #sarif -> External_Security_Tools via SARIF_JSON -- "Output consumed by GitHub, VS Code, etc."
+ * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"
+ * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"
+ * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"
+ * @flows ThreatModel -> #sarif via generateSarif -- "Model input"
+ * @flows #sarif -> SarifLog via return -- "SARIF output"
  */
 // ─── Rule definitions ────────────────────────────────────────────────
 const RULES = [

package/dist/analyzer/sarif.js.map

@@ -1 +1 @@
-{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/analyzer/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAsDH,wEAAwE;AAExE,MAAM,KAAK,GAAgB;IACzB;QACE,EAAE,EAAE,gCAAgC;QACpC,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,EAAE,IAAI,EAAE,0DAA0D,EAAE;QACtF,eAAe,EAAE,EAAE,IAAI,EAAE,uKAAuK,EAAE;QAClM,OAAO,EAAE,0CAA0C;QACnD,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;KAC3C;IACD;QACE,EAAE,EAAE,gCAAgC;QACpC,IAAI,EAAE,6BAA6B;QACnC,gBAAgB,EAAE,EAAE,IAAI,EAAE,oDAAoD,EAAE;QAChF,eAAe,EAAE,EAAE,IAAI,EAAE,6GAA6G,EAAE;QACxI,OAAO,EAAE,0CAA0C;QACnD,oBAAoB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE;KACzC;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,sBAAsB;QAC5B,gBAAgB,EAAE,EAAE,IAAI,EAAE,gCAAgC,EAAE;QAC5D,eAAe,EAAE,EAAE,IAAI,EAAE,qFAAqF,EAAE;QAChH,OAAO,EAAE,uCAAuC;QAChD,oBAAoB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE;KACzC;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,mBAAmB;QACzB,gBAAgB,EAAE,EAAE,IAAI,EAAE,qDAAqD,EAAE;QACjF,eAAe,EAAE,EAAE,IAAI,EAAE,6EAA6E,EAAE;QACxG,OAAO,EAAE,4CAA4C;QACrD,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;KAC3C;CACF,CAAC;AAaF,MAAM,UAAU,aAAa,CAC3B,KAAkB,EAClB,cAAiC,EAAE,EACnC,eAAkC,EAAE,EACpC,UAAwB,EAAE;IAE1B,MAAM,EAAE,kBAAkB,GAAG,IAAI,EAAE,mBAAmB,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAE1E,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,8BAA8B;IAC9B,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3E,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QACtC,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAEtD,kBAAkB;QAClB,IAAI,OAAO,CAAC,WAAW,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC;YAAE,SAAS;QAExF,MAAM,UAAU,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;QACtE,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC,gCAAgC,CAAC;QAChG,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAgB,CAAC,CAAC,CAAC,SAAkB,CAAC;QAEjE,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QACvE,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAEvD,OAAO,CAAC,IAAI,CAAC;YACX,MAAM;YACN,KAAK;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,KAAK,kBAAkB,MAAM,GAAG,IAAI,EAAE,EAAE;YAC9D,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC3D,UAAU,EAAE;gBACV,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,OAAO;gBAC/B,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACzE;SACF,CAAC,CAAC;IACL,CAAC;IAED,qBAAqB;IACrB,IAAI,kBAAkB,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO;gBAAE,SAAS;YAClC,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,uBAAuB;gBAC/B,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;gBAC5B,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,mBAAmB,EAAE,CAAC;QACxB,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,wBAAwB;gBAChC,KAAK,EAAE,SAAS;gBAChB,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;gBAC5B,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,sGAAsG;QAC/G,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,CAAC;gBACL,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,OAAO;wBAChB,cAAc,EAAE,2BAA2B;wBAC3C,KAAK,EAAE,KAAK;qBACb;iBACF;gBACD,OAAO;aACR,CAAC;KACH,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,SAAS,YAAY,CAAC,IAAY,EAAE,IAAY;IAC9C,gCAAgC;IAChC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,OAAO;QACL,gBAAgB,EAAE;YAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE;YACzB,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE;SAC5B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAEtF,SAAS,gBAAgB,CAAC,MAAiB,EAAE,GAAc;IACzD,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;AAC3D,CAAC"}
+{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/analyzer/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAsDH,wEAAwE;AAExE,MAAM,KAAK,GAAgB;IACzB;QACE,EAAE,EAAE,gCAAgC;QACpC,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,EAAE,IAAI,EAAE,0DAA0D,EAAE;QACtF,eAAe,EAAE,EAAE,IAAI,EAAE,uKAAuK,EAAE;QAClM,OAAO,EAAE,0CAA0C;QACnD,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;KAC3C;IACD;QACE,EAAE,EAAE,gCAAgC;QACpC,IAAI,EAAE,6BAA6B;QACnC,gBAAgB,EAAE,EAAE,IAAI,EAAE,oDAAoD,EAAE;QAChF,eAAe,EAAE,EAAE,IAAI,EAAE,6GAA6G,EAAE;QACxI,OAAO,EAAE,0CAA0C;QACnD,oBAAoB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE;KACzC;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,sBAAsB;QAC5B,gBAAgB,EAAE,EAAE,IAAI,EAAE,gCAAgC,EAAE;QAC5D,eAAe,EAAE,EAAE,IAAI,EAAE,qFAAqF,EAAE;QAChH,OAAO,EAAE,uCAAuC;QAChD,oBAAoB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE;KACzC;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,mBAAmB;QACzB,gBAAgB,EAAE,EAAE,IAAI,EAAE,qDAAqD,EAAE;QACjF,eAAe,EAAE,EAAE,IAAI,EAAE,6EAA6E,EAAE;QACxG,OAAO,EAAE,4CAA4C;QACrD,oBAAoB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;KAC3C;CACF,CAAC;AAaF,MAAM,UAAU,aAAa,CAC3B,KAAkB,EAClB,cAAiC,EAAE,EACnC,eAAkC,EAAE,EACpC,UAAwB,EAAE;IAE1B,MAAM,EAAE,kBAAkB,GAAG,IAAI,EAAE,mBAAmB,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAE1E,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,8BAA8B;IAC9B,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW;QAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3E,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QACtC,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAEtD,kBAAkB;QAClB,IAAI,OAAO,CAAC,WAAW,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC;YAAE,SAAS;QAExF,MAAM,UAAU,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;QACtE,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC,gCAAgC,CAAC;QAChG,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAgB,CAAC,CAAC,CAAC,SAAkB,CAAC;QAEjE,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QACvE,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAEvD,OAAO,CAAC,IAAI,CAAC;YACX,MAAM;YACN,KAAK;YACL,OAAO,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,KAAK,kBAAkB,MAAM,GAAG,IAAI,EAAE,EAAE;YAC9D,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC3D,UAAU,EAAE;gBACV,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,OAAO;gBAC/B,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACzE;SACF,CAAC,CAAC;IACL,CAAC;IAED,qBAAqB;IACrB,IAAI,kBAAkB,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO;gBAAE,SAAS;YAClC,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,uBAAuB;gBAC/B,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;gBAC5B,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,mBAAmB,EAAE,CAAC;QACxB,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,wBAAwB;gBAChC,KAAK,EAAE,SAAS;gBAChB,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;gBAC5B,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,sGAAsG;QAC/G,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,CAAC;gBACL,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,OAAO;wBAChB,cAAc,EAAE,2BAA2B;wBAC3C,KAAK,EAAE,KAAK;qBACb;iBACF;gBACD,OAAO;aACR,CAAC;KACH,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,SAAS,YAAY,CAAC,IAAY,EAAE,IAAY;IAC9C,gCAAgC;IAChC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,OAAO;QACL,gBAAgB,EAAE;YAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE;YACzB,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE;SAC5B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAEtF,SAAS,gBAAgB,CAAC,MAAiB,EAAE,GAAc;IACzD,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/cli/index.d.ts

@@ -3,23 +3,34 @@
  * GuardLink CLI — Reference Implementation
  *
  * Usage:
- *   guardlink init [dir]        Initialize GuardLink in a project
- *   guardlink parse [dir]       Parse annotations, output ThreatModel JSON
- *   guardlink status [dir]      Show annotation coverage summary
- *   guardlink validate [dir]    Check for syntax errors and dangling refs
- *   guardlink analyze [framework] AI-powered threat analysis (STRIDE, DREAD, etc.)
- *   guardlink annotate <prompt>  Launch coding agent for annotation
- *   guardlink config <action>    Manage LLM provider configuration
+ *   guardlink init [dir]              Initialize GuardLink in a project
+ *   guardlink parse [dir]             Parse annotations, output ThreatModel JSON
+ *   guardlink status [dir]            Show annotation coverage summary
+ *   guardlink validate [dir]          Check for syntax errors and dangling refs
+ *   guardlink report [dir]            Generate markdown + JSON threat model report
+ *   guardlink diff [ref]              Compare threat model against a git ref
+ *   guardlink sarif [dir]             Export SARIF 2.1.0 for GitHub / VS Code
+ *   guardlink threat-report <prompt>  AI-powered threat analysis (STRIDE, DREAD, PASTA, etc.)
+ *   guardlink threat-reports          List saved AI threat reports
+ *   guardlink annotate <prompt>       Launch coding agent to add annotations
+ *   guardlink config <action>         Manage LLM provider configuration
+ *   guardlink dashboard [dir]         Generate interactive HTML dashboard
+ *   guardlink mcp                     Start MCP server (stdio) for Claude Code, Cursor, etc.
+ *   guardlink tui [dir]               Interactive TUI with slash commands + AI chat
+ *   guardlink gal                     Display GAL annotation language quick reference
  *
- * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "Accepts directory paths from command line arguments"
- * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "Writes reports and SARIF to user-specified output paths"
- * @accepts #arbitrary-write on #cli -- "Intentional feature: users specify output paths for reports"
- * @mitigates #cli against #path-traversal using #path-validation -- "resolve() normalizes paths before passing to submodules"
- * @boundary between #cli and #parser (#cli-parser-boundary) -- "CLI is the primary user input trust boundary"
- * @flows User -> #cli via argv -- "User provides directory paths and options via command line"
- * @flows #cli -> #parser via parseProject -- "CLI dispatches parsed commands to parser"
- * @flows #cli -> #report via generateReport -- "CLI writes report output"
- * @flows #cli -> #init via initProject -- "CLI initializes project structure"
+ * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"
+ * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"
+ * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"
+ * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"
+ * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"
+ * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"
+ * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"
+ * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"
+ * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"
+ * @flows #cli -> FileSystem via writeFile -- "Report/config output path"
+ * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"
+ * @handles secrets on #cli -- "Processes API keys via config commands"
  */
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;;GAqBG"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG"}