hackmyagent 0.11.13 → 0.11.15

package/dist/nanomind-core/types.d.ts

@@ -0,0 +1,125 @@
+/**
+ * NanoMind Core Types -- Abstract Security Tree (AST)
+ *
+ * The SecurityAST is the foundational data structure that ALL scanners consume.
+ * NanoMind compiles raw artifacts into ASTs. Analyzers query ASTs, not raw text.
+ *
+ * Security properties:
+ * - Every AST is cryptographically signed (Ed25519)
+ * - Signature includes contentHash + modelVersion + timestamp
+ * - Analyzers verify signature before processing
+ * - Tampered ASTs are rejected
+ */
+export interface SecurityAST {
+    /** Artifact identity */
+    artifactType: ArtifactType;
+    contentHash: string;
+    artifactPath?: string;
+    artifactSize: number;
+    /** Declarations: what the artifact SAYS it does */
+    declaredPurpose: string;
+    declaredCapabilities: Capability[];
+    declaredConstraints: Constraint[];
+    declaredDataAccess: DataAccessPattern[];
+    /** Inferred: what NanoMind UNDERSTANDS it does */
+    inferredCapabilities: Capability[];
+    inferredRiskSurface: RiskSurface[];
+    intentClassification: IntentClass;
+    intentConfidence: number;
+    /** Relationships */
+    dependsOn: string[];
+    governedBy: string[];
+    /** Evidence: exact text regions supporting the classification */
+    evidenceSpans: EvidenceSpan[];
+    /** Cryptographic integrity */
+    signature: string;
+    modelVersion: string;
+    compiledAt: string;
+}
+export type ArtifactType = 'skill' | 'mcp_config' | 'soul' | 'system_prompt' | 'agent_config' | 'a2a_card' | 'credential_file' | 'source_code' | 'env_file' | 'unknown';
+export interface Capability {
+    /** Capability identifier (e.g., "db.read", "api.call", "file.write") */
+    name: string;
+    /** Scope of the capability (e.g., "customers table", "weather API") */
+    scope: string;
+    /** Was this explicitly declared in the artifact? */
+    declared: boolean;
+    /** Was this inferred by NanoMind from the content? */
+    inferred: boolean;
+    /** Risk level of this capability */
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+    /** Evidence: text span that declares or implies this capability */
+    evidence?: string;
+}
+export interface Constraint {
+    /** The constraint as written in the artifact */
+    text: string;
+    /** Governance domain (trust, oversight, data_handling, etc.) */
+    domain: ConstraintDomain;
+    /** How enforceable is this constraint? (0 = aspirational, 1 = enforced) */
+    enforceability: number;
+    /** How easy to bypass? (0 = robust, 1 = trivially bypassable) */
+    bypassRisk: number;
+    /** Specific weakness if bypassRisk > 0.5 */
+    weakness?: string;
+}
+export type ConstraintDomain = 'trust_hierarchy' | 'human_oversight' | 'data_handling' | 'action_reversibility' | 'capability_boundary' | 'identity_disclosure' | 'error_handling' | 'credential_management' | 'behavioral_constraint' | 'general';
+export interface DataAccessPattern {
+    /** What data type is accessed */
+    dataType: string;
+    /** How it's accessed */
+    accessMode: 'read' | 'write' | 'delete' | 'transmit';
+    /** Where it goes (if transmit) */
+    destination?: string;
+    /** Is this access declared in capabilities? */
+    coveredByCapability: boolean;
+}
+export interface RiskSurface {
+    /** What aspect of the artifact is risky */
+    surface: string;
+    /** Attack class from HMA taxonomy */
+    attackClass: string;
+    /** Confidence this is a real risk (0-1) */
+    confidence: number;
+    /** Specific text that creates this risk */
+    evidence: string;
+    /** How to mitigate */
+    mitigation?: string;
+}
+export type IntentClass = 'benign' | 'suspicious' | 'malicious';
+export interface EvidenceSpan {
+    /** Start character offset in original artifact */
+    start: number;
+    /** End character offset */
+    end: number;
+    /** The actual text */
+    text: string;
+    /** What this evidence supports */
+    supports: string;
+    /** Confidence this evidence is relevant */
+    confidence: number;
+}
+export interface CompilerConfig {
+    /** NanoMind daemon URL */
+    daemonUrl: string;
+    /** Signing key for AST integrity (Ed25519 private key, hex) */
+    signingKey?: string;
+    /** Whether to call NanoMind for inference (false = heuristic only) */
+    useNanoMind: boolean;
+    /** Maximum artifact size to process (bytes, default 1MB) */
+    maxArtifactSize: number;
+    /** Request timeout for NanoMind daemon (ms) */
+    daemonTimeoutMs: number;
+}
+export declare const DEFAULT_COMPILER_CONFIG: CompilerConfig;
+export interface CompilationResult {
+    /** The compiled AST */
+    ast: SecurityAST;
+    /** Compilation metadata */
+    durationMs: number;
+    /** Whether NanoMind was used (false = heuristic fallback) */
+    nanomindUsed: boolean;
+    /** Warnings during compilation */
+    warnings: string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/nanomind-core/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/nanomind-core/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,MAAM,WAAW,WAAW;IAC1B,wBAAwB;IACxB,YAAY,EAAE,YAAY,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IAErB,mDAAmD;IACnD,eAAe,EAAE,MAAM,CAAC;IACxB,oBAAoB,EAAE,UAAU,EAAE,CAAC;IACnC,mBAAmB,EAAE,UAAU,EAAE,CAAC;IAClC,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IAExC,kDAAkD;IAClD,oBAAoB,EAAE,UAAU,EAAE,CAAC;IACnC,mBAAmB,EAAE,WAAW,EAAE,CAAC;IACnC,oBAAoB,EAAE,WAAW,CAAC;IAClC,gBAAgB,EAAE,MAAM,CAAC;IAEzB,oBAAoB;IACpB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,EAAE,MAAM,EAAE,CAAC;IAErB,iEAAiE;IACjE,aAAa,EAAE,YAAY,EAAE,CAAC;IAE9B,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAMD,MAAM,MAAM,YAAY,GACpB,OAAO,GACP,YAAY,GACZ,MAAM,GACN,eAAe,GACf,cAAc,GACd,UAAU,GACV,iBAAiB,GACjB,aAAa,GACb,UAAU,GACV,SAAS,CAAC;AAMd,MAAM,WAAW,UAAU;IACzB,wEAAwE;IACxE,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,KAAK,EAAE,MAAM,CAAC;IACd,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,sDAAsD;IACtD,QAAQ,EAAE,OAAO,CAAC;IAClB,oCAAoC;IACpC,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAClD,mEAAmE;IACnE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAMD,MAAM,WAAW,UAAU;IACzB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,MAAM,EAAE,gBAAgB,CAAC;IACzB,2EAA2E;IAC3E,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,gBAAgB,GACxB,iBAAiB,GACjB,iBAAiB,GACjB,eAAe,GACf,sBAAsB,GACtB,qBAAqB,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,uBAAuB,GACvB,uBAAuB,GACvB,SAAS,CAAC;AAMd,MAAM,WAAW,iBAAiB;IAChC,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,UAAU,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,UAAU,CAAC;IACrD,kCAAkC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,mBAAmB,EAAE,OAAO,CAAC;CAC9B;AAMD,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,OAAO,EAAE,MAAM,CAAC;IAChB,qCAAqC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,YAAY,GAAG,WAAW,CAAC;AAMhE,MAAM,WAAW,YAAY;IAC3B,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;CACpB;AAMD,MAAM,WAAW,cAAc;IAC7B,0BAA0B;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,+DAA+D;IAC/D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,WAAW,EAAE,OAAO,CAAC;IACrB,4DAA4D;IAC5D,eAAe,EAAE,MAAM,CAAC;IACxB,+CAA+C;IAC/C,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,eAAO,MAAM,uBAAuB,EAAE,cAKrC,CAAC;AAMF,MAAM,WAAW,iBAAiB;IAChC,uBAAuB;IACvB,GAAG,EAAE,WAAW,CAAC;IACjB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,6DAA6D;IAC7D,YAAY,EAAE,OAAO,CAAC;IACtB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB"}

package/dist/nanomind-core/types.js

@@ -0,0 +1,22 @@
+"use strict";
+/**
+ * NanoMind Core Types -- Abstract Security Tree (AST)
+ *
+ * The SecurityAST is the foundational data structure that ALL scanners consume.
+ * NanoMind compiles raw artifacts into ASTs. Analyzers query ASTs, not raw text.
+ *
+ * Security properties:
+ * - Every AST is cryptographically signed (Ed25519)
+ * - Signature includes contentHash + modelVersion + timestamp
+ * - Analyzers verify signature before processing
+ * - Tampered ASTs are rejected
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_COMPILER_CONFIG = void 0;
+exports.DEFAULT_COMPILER_CONFIG = {
+    daemonUrl: 'http://127.0.0.1:47200',
+    useNanoMind: true,
+    maxArtifactSize: 1048576, // 1MB
+    daemonTimeoutMs: 5000,
+};
+//# sourceMappingURL=types.js.map

package/dist/nanomind-core/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/nanomind-core/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AA8KU,QAAA,uBAAuB,GAAmB;IACrD,SAAS,EAAE,wBAAwB;IACnC,WAAW,EAAE,IAAI;IACjB,eAAe,EAAE,OAAS,EAAE,MAAM;IAClC,eAAe,EAAE,IAAI;CACtB,CAAC"}

package/dist/output/asff.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"asff.d.ts","sourceRoot":"","sources":["../../src/output/asff.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAiDD;;GAEG;AACH,wBAAgB,MAAM,CACpB,QAAQ,EAAE,eAAe,EAAE,EAC3B,OAAO,GAAE;IACP,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACf,GACL,MAAM,CAuER;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CASpD"}
+{"version":3,"file":"asff.d.ts","sourceRoot":"","sources":["../../src/output/asff.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAiDD;;GAEG;AACH,wBAAgB,MAAM,CACpB,QAAQ,EAAE,eAAe,EAAE,EAC3B,OAAO,GAAE;IACP,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACf,GACL,MAAM,CAuER;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CASpD"}

package/dist/output/asff.js

@@ -14,6 +14,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.toASSF = toASSF;
 exports.batchASSF = batchASSF;
+const index_js_1 = require("../index.js");
 const SEVERITY_MAP = {
     critical: 'CRITICAL',
     high: 'HIGH',
@@ -72,7 +73,7 @@ function toASSF(findings, options = {}) {
             ProductFields: {
                 'opena2a/checkId': f.checkId,
                 'opena2a/scanner': 'hackmyagent',
-                'opena2a/scannerVersion': '0.11.11',
+                'opena2a/scannerVersion': index_js_1.VERSION,
             },
             RecordState: 'ACTIVE',
             Workflow: { Status: 'NEW' },

package/dist/output/asff.js.map

@@ -1 +1 @@
-{"version":3,"file":"asff.js","sourceRoot":"","sources":["../../src/output/asff.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAiEH,wBA8EC;AAKD,8BASC;AAlHD,MAAM,YAAY,GAA2B;IAC3C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;IACV,aAAa,EAAE,eAAe;IAC9B,IAAI,EAAE,eAAe;CACtB,CAAC;AAEF,MAAM,iBAAiB,GAA2B;IAChD,WAAW,EAAE,uDAAuD;IACpE,GAAG,EAAE,qEAAqE;IAC1E,OAAO,EAAE,uDAAuD;IAChE,SAAS,EAAE,uDAAuD;IAClE,YAAY,EAAE,uDAAuD;IACrE,UAAU,EAAE,qEAAqE;IACjF,MAAM,EAAE,+DAA+D;CACxE,CAAC;AAEF;;GAEG;AACH,SAAgB,MAAM,CACpB,QAA2B,EAC3B,UAII,EAAE;IAEN,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,cAAc,CAAC;IACvF,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW,CAAC;IAC1E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACrD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,MAAM,UAAU,GAAG,uBAAuB,MAAM,IAAI,SAAS,YAAY,SAAS,UAAU,CAAC;IAE7F,uDAAuD;IACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAE3D,MAAM,YAAY,GAAiB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QAChD,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC;QAC7D,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACrE,MAAM,KAAK,GAAG,iBAAiB,CAAC,QAAQ,CAAC;YACvC,CAAC,CAAC,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC,mCAAmC,CAAC,CAAC;QAE1C,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC;QAClC,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAEtE,MAAM,OAAO,GAAe;YAC1B,aAAa,EAAE,YAAY;YAC3B,EAAE,EAAE,eAAe,CAAC,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5C,UAAU,EAAE,UAAU;YACtB,WAAW,EAAE,eAAe,CAAC,CAAC,OAAO,EAAE;YACvC,YAAY,EAAE,SAAS;YACvB,KAAK,EAAE,KAAK;YACZ,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE;gBACR,KAAK,EAAE,QAAQ;gBACf,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YAC1B,WAAW,EAAE,WAAW;YACxB,SAAS,EAAE,CAAC;oBACV,IAAI,EAAE,OAAO;oBACb,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,SAAS;iBACxB,CAAC;YACF,aAAa,EAAE;gBACb,iBAAiB,EAAE,CAAC,CAAC,OAAO;gBAC5B,iBAAiB,EAAE,aAAa;gBAChC,wBAAwB,EAAE,SAAS;aACpC;YACD,WAAW,EAAE,QAAQ;YACrB,QAAQ,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;SAC5B,CAAC;QAEF,IAAI,CAAC,CAAC,cAAc,EAAE,CAAC;YACrB,OAAO,CAAC,WAAW,GAAG;gBACpB,cAAc,EAAE;oBACd,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACpC,GAAG,EAAE,uCAAuC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE;iBACtE;aACF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG;gBAC7B,KAAK,EAAE;oBACL,QAAQ,EAAE,CAAC,CAAC,IAAI;oBAChB,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAClD;aACF,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,SAAgB,SAAS,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,GAAG,EAAE,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"asff.js","sourceRoot":"","sources":["../../src/output/asff.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAmEH,wBA8EC;AAKD,8BASC;AA7JD,0CAAsC;AA2CtC,MAAM,YAAY,GAA2B;IAC3C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;IACV,aAAa,EAAE,eAAe;IAC9B,IAAI,EAAE,eAAe;CACtB,CAAC;AAEF,MAAM,iBAAiB,GAA2B;IAChD,WAAW,EAAE,uDAAuD;IACpE,GAAG,EAAE,qEAAqE;IAC1E,OAAO,EAAE,uDAAuD;IAChE,SAAS,EAAE,uDAAuD;IAClE,YAAY,EAAE,uDAAuD;IACrE,UAAU,EAAE,qEAAqE;IACjF,MAAM,EAAE,+DAA+D;CACxE,CAAC;AAEF;;GAEG;AACH,SAAgB,MAAM,CACpB,QAA2B,EAC3B,UAII,EAAE;IAEN,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,cAAc,CAAC;IACvF,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW,CAAC;IAC1E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACrD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,MAAM,UAAU,GAAG,uBAAuB,MAAM,IAAI,SAAS,YAAY,SAAS,UAAU,CAAC;IAE7F,uDAAuD;IACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAE3D,MAAM,YAAY,GAAiB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QAChD,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC;QAC7D,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACrE,MAAM,KAAK,GAAG,iBAAiB,CAAC,QAAQ,CAAC;YACvC,CAAC,CAAC,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC,mCAAmC,CAAC,CAAC;QAE1C,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC;QAClC,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAEtE,MAAM,OAAO,GAAe;YAC1B,aAAa,EAAE,YAAY;YAC3B,EAAE,EAAE,eAAe,CAAC,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5C,UAAU,EAAE,UAAU;YACtB,WAAW,EAAE,eAAe,CAAC,CAAC,OAAO,EAAE;YACvC,YAAY,EAAE,SAAS;YACvB,KAAK,EAAE,KAAK;YACZ,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE;gBACR,KAAK,EAAE,QAAQ;gBACf,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YAC1B,WAAW,EAAE,WAAW;YACxB,SAAS,EAAE,CAAC;oBACV,IAAI,EAAE,OAAO;oBACb,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,SAAS;iBACxB,CAAC;YACF,aAAa,EAAE;gBACb,iBAAiB,EAAE,CAAC,CAAC,OAAO;gBAC5B,iBAAiB,EAAE,aAAa;gBAChC,wBAAwB,EAAE,kBAAO;aAClC;YACD,WAAW,EAAE,QAAQ;YACrB,QAAQ,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;SAC5B,CAAC;QAEF,IAAI,CAAC,CAAC,cAAc,EAAE,CAAC;YACrB,OAAO,CAAC,WAAW,GAAG;gBACpB,cAAc,EAAE;oBACd,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACpC,GAAG,EAAE,uCAAuC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE;iBACtE;aACF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG;gBAC7B,KAAK,EAAE;oBACL,QAAQ,EAAE,CAAC,CAAC,IAAI;oBAChB,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAClD;aACF,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,SAAgB,SAAS,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,GAAG,EAAE,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/semantic/index.d.ts

@@ -12,6 +12,10 @@ export { LLMAnalyzer, AnthropicClient, LLMCache, BudgetTracker } from './llm';
 export { toSecurityFinding, toSecurityFindings } from './integration/finding-adapter';
 export { SEMANTIC_OASB_MAPPINGS, getSemanticCheckIds, getUpgradedControlIds } from './integration/oasb-upgrader';
 export { CostEstimator } from './integration/cost-estimator';
+export { enhanceScanFindings, getEnhancementStats } from './nanomind-enhancer';
+export type { EnhancedFinding } from './nanomind-enhancer';
+export { isDaemonAvailable, analyzeSkillIntent, analyzeSoulCompleteness, analyzeMCPScope, analyzePromptIntent, explainFinding, } from './nanomind-analyzer';
+export type { NanoMindInferRequest, NanoMindInferResponse, SemanticFinding as NanoMindFinding, } from './nanomind-analyzer';
 export { buildDeepScanResult } from './deep-scan';
 export type { SemanticFinding, SemanticSeverity, SemanticCategory, AnalysisContext, AnalysisFile, FileType, ExistingFinding, LLMAnalysisOptions, CostEstimate, DeepScanResult, DeepAnalysisFile, McpServerConfig, McpConfigFile, ClaudeSettings, } from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/semantic/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/semantic/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EACL,yBAAyB,EACzB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAG9E,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACtF,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAG7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAGlD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,eAAe,EACf,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,cAAc,GACf,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/semantic/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EACL,yBAAyB,EACzB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAG9E,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACtF,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACjH,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAG7D,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC/E,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,EACvB,eAAe,EACf,mBAAmB,EACnB,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,qBAAqB,EACrB,eAAe,IAAI,eAAe,GACnC,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAGlD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,eAAe,EACf,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,cAAc,GACf,MAAM,SAAS,CAAC"}

package/dist/semantic/index.js

@@ -8,7 +8,7 @@
  * Zero runtime dependencies. Imported by core scanner and MCP server.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.buildDeepScanResult = exports.CostEstimator = exports.getUpgradedControlIds = exports.getSemanticCheckIds = exports.SEMANTIC_OASB_MAPPINGS = exports.toSecurityFindings = exports.toSecurityFinding = exports.BudgetTracker = exports.LLMCache = exports.AnthropicClient = exports.LLMAnalyzer = exports.PermissionModelAnalyzer = exports.InstructionAnalyzer = exports.McpConfigAnalyzer = exports.CredentialContextAnalyzer = exports.StructuralAnalyzer = void 0;
+exports.buildDeepScanResult = exports.explainFinding = exports.analyzePromptIntent = exports.analyzeMCPScope = exports.analyzeSoulCompleteness = exports.analyzeSkillIntent = exports.isDaemonAvailable = exports.getEnhancementStats = exports.enhanceScanFindings = exports.CostEstimator = exports.getUpgradedControlIds = exports.getSemanticCheckIds = exports.SEMANTIC_OASB_MAPPINGS = exports.toSecurityFindings = exports.toSecurityFinding = exports.BudgetTracker = exports.LLMCache = exports.AnthropicClient = exports.LLMAnalyzer = exports.PermissionModelAnalyzer = exports.InstructionAnalyzer = exports.McpConfigAnalyzer = exports.CredentialContextAnalyzer = exports.StructuralAnalyzer = void 0;
 // Layer 2: Structural Analysis
 var structural_1 = require("./structural");
 Object.defineProperty(exports, "StructuralAnalyzer", { enumerable: true, get: function () { return structural_1.StructuralAnalyzer; } });
@@ -33,6 +33,18 @@ Object.defineProperty(exports, "getSemanticCheckIds", { enumerable: true, get: f
 Object.defineProperty(exports, "getUpgradedControlIds", { enumerable: true, get: function () { return oasb_upgrader_1.getUpgradedControlIds; } });
 var cost_estimator_1 = require("./integration/cost-estimator");
 Object.defineProperty(exports, "CostEstimator", { enumerable: true, get: function () { return cost_estimator_1.CostEstimator; } });
+// NanoMind Scanner Enhancer (default-on for ALL scanners)
+var nanomind_enhancer_1 = require("./nanomind-enhancer");
+Object.defineProperty(exports, "enhanceScanFindings", { enumerable: true, get: function () { return nanomind_enhancer_1.enhanceScanFindings; } });
+Object.defineProperty(exports, "getEnhancementStats", { enumerable: true, get: function () { return nanomind_enhancer_1.getEnhancementStats; } });
+// Layer 4: NanoMind Local Semantic Analysis
+var nanomind_analyzer_1 = require("./nanomind-analyzer");
+Object.defineProperty(exports, "isDaemonAvailable", { enumerable: true, get: function () { return nanomind_analyzer_1.isDaemonAvailable; } });
+Object.defineProperty(exports, "analyzeSkillIntent", { enumerable: true, get: function () { return nanomind_analyzer_1.analyzeSkillIntent; } });
+Object.defineProperty(exports, "analyzeSoulCompleteness", { enumerable: true, get: function () { return nanomind_analyzer_1.analyzeSoulCompleteness; } });
+Object.defineProperty(exports, "analyzeMCPScope", { enumerable: true, get: function () { return nanomind_analyzer_1.analyzeMCPScope; } });
+Object.defineProperty(exports, "analyzePromptIntent", { enumerable: true, get: function () { return nanomind_analyzer_1.analyzePromptIntent; } });
+Object.defineProperty(exports, "explainFinding", { enumerable: true, get: function () { return nanomind_analyzer_1.explainFinding; } });
 // Deep scan builder (for MCP server)
 var deep_scan_1 = require("./deep-scan");
 Object.defineProperty(exports, "buildDeepScanResult", { enumerable: true, get: function () { return deep_scan_1.buildDeepScanResult; } });

package/dist/semantic/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/semantic/index.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,+BAA+B;AAC/B,2CAAkD;AAAzC,gHAAA,kBAAkB,OAAA;AAC3B,2CAKsB;AAJpB,uHAAA,yBAAyB,OAAA;AACzB,+GAAA,iBAAiB,OAAA;AACjB,iHAAA,mBAAmB,OAAA;AACnB,qHAAA,uBAAuB,OAAA;AAGzB,wBAAwB;AACxB,6BAA8E;AAArE,kGAAA,WAAW,OAAA;AAAE,sGAAA,eAAe,OAAA;AAAE,+FAAA,QAAQ,OAAA;AAAE,oGAAA,aAAa,OAAA;AAE9D,cAAc;AACd,iEAAsF;AAA7E,oHAAA,iBAAiB,OAAA;AAAE,qHAAA,kBAAkB,OAAA;AAC9C,6DAAiH;AAAxG,uHAAA,sBAAsB,OAAA;AAAE,oHAAA,mBAAmB,OAAA;AAAE,sHAAA,qBAAqB,OAAA;AAC3E,+DAA6D;AAApD,+GAAA,aAAa,OAAA;AAEtB,qCAAqC;AACrC,yCAAkD;AAAzC,gHAAA,mBAAmB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/semantic/index.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,+BAA+B;AAC/B,2CAAkD;AAAzC,gHAAA,kBAAkB,OAAA;AAC3B,2CAKsB;AAJpB,uHAAA,yBAAyB,OAAA;AACzB,+GAAA,iBAAiB,OAAA;AACjB,iHAAA,mBAAmB,OAAA;AACnB,qHAAA,uBAAuB,OAAA;AAGzB,wBAAwB;AACxB,6BAA8E;AAArE,kGAAA,WAAW,OAAA;AAAE,sGAAA,eAAe,OAAA;AAAE,+FAAA,QAAQ,OAAA;AAAE,oGAAA,aAAa,OAAA;AAE9D,cAAc;AACd,iEAAsF;AAA7E,oHAAA,iBAAiB,OAAA;AAAE,qHAAA,kBAAkB,OAAA;AAC9C,6DAAiH;AAAxG,uHAAA,sBAAsB,OAAA;AAAE,oHAAA,mBAAmB,OAAA;AAAE,sHAAA,qBAAqB,OAAA;AAC3E,+DAA6D;AAApD,+GAAA,aAAa,OAAA;AAEtB,0DAA0D;AAC1D,yDAA+E;AAAtE,wHAAA,mBAAmB,OAAA;AAAE,wHAAA,mBAAmB,OAAA;AAGjD,4CAA4C;AAC5C,yDAO6B;AAN3B,sHAAA,iBAAiB,OAAA;AACjB,uHAAA,kBAAkB,OAAA;AAClB,4HAAA,uBAAuB,OAAA;AACvB,oHAAA,eAAe,OAAA;AACf,wHAAA,mBAAmB,OAAA;AACnB,mHAAA,cAAc,OAAA;AAQhB,qCAAqC;AACrC,yCAAkD;AAAzC,gHAAA,mBAAmB,OAAA"}

package/dist/semantic/nanomind-analyzer.d.ts

@@ -0,0 +1,77 @@
+/**
+ * NanoMind Semantic Analyzer
+ *
+ * Uses the local NanoMind daemon (localhost:47200) for semantic analysis
+ * of skills, SOUL.md, MCP tools, and system prompts.
+ *
+ * Unlike the LLM analyzer (--deep flag, cloud API, costs money),
+ * the NanoMind analyzer (--semantic flag) runs 100% locally with
+ * zero cost per inference and zero data leaving the machine.
+ *
+ * Two-layer architecture:
+ * 1. Static checks run first (fast, deterministic, 183 rules)
+ * 2. NanoMind activates on ambiguous/NLP targets (semantic intent classification)
+ */
+export interface NanoMindInferRequest {
+    intent: string;
+    input: string;
+    context?: {
+        agentId?: string;
+        driftScore?: number;
+        declaredPurpose?: string;
+    };
+    priority?: 'high' | 'medium' | 'low';
+}
+export interface NanoMindInferResponse {
+    intent: string;
+    result: string;
+    confidence: number;
+    attackClass?: string;
+    evidence?: string;
+    remediation?: string;
+    latencyMs: number;
+    modelVersion: string;
+}
+export interface SemanticFinding {
+    checkId: string;
+    severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+    title: string;
+    description: string;
+    evidence: string[];
+    confidence: number;
+    attackClass?: string;
+    remediation?: string;
+    source: 'nanomind';
+}
+/**
+ * Check if the NanoMind daemon is running.
+ */
+export declare function isDaemonAvailable(): Promise<boolean>;
+/**
+ * Analyze a skill for malicious intent using NanoMind.
+ * SCAN_SKILL_INTENT: scores the skill's instruction set for exfiltration,
+ * injection, override, and persistence intent.
+ */
+export declare function analyzeSkillIntent(skillContent: string): Promise<SemanticFinding | null>;
+/**
+ * Analyze SOUL.md governance completeness using NanoMind.
+ * SCAN_SOUL_COMPLETENESS: assesses whether governance constraints
+ * actually cover the attack surface.
+ */
+export declare function analyzeSoulCompleteness(soulContent: string): Promise<SemanticFinding | null>;
+/**
+ * Analyze MCP tool description for scope mismatches.
+ * SCAN_MCP_SCOPE: detects undeclared permissions in natural language descriptions.
+ */
+export declare function analyzeMCPScope(toolName: string, toolDescription: string, declaredCapabilities: string[]): Promise<SemanticFinding | null>;
+/**
+ * Analyze system prompt behavioral envelope.
+ * SCAN_PROMPT_INTENT: detects jailbreak seeds, capability creep, override risk.
+ */
+export declare function analyzePromptIntent(promptContent: string): Promise<SemanticFinding | null>;
+/**
+ * Generate a human-readable explanation of any finding.
+ * SCAN_EXPLAIN: translates machine findings into plain English.
+ */
+export declare function explainFinding(findingJSON: string): Promise<string | null>;
+//# sourceMappingURL=nanomind-analyzer.d.ts.map

package/dist/semantic/nanomind-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nanomind-analyzer.d.ts","sourceRoot":"","sources":["../../src/semantic/nanomind-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE;QACR,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF,QAAQ,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACtC;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC1D,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,UAAU,CAAC;CACpB;AAID;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC,CAO1D;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAoB9F;AAED;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAmBlG;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EACvB,oBAAoB,EAAE,MAAM,EAAE,GAC7B,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAsBjC;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAoBhG;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAQhF"}

package/dist/semantic/nanomind-analyzer.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * NanoMind Semantic Analyzer
+ *
+ * Uses the local NanoMind daemon (localhost:47200) for semantic analysis
+ * of skills, SOUL.md, MCP tools, and system prompts.
+ *
+ * Unlike the LLM analyzer (--deep flag, cloud API, costs money),
+ * the NanoMind analyzer (--semantic flag) runs 100% locally with
+ * zero cost per inference and zero data leaving the machine.
+ *
+ * Two-layer architecture:
+ * 1. Static checks run first (fast, deterministic, 183 rules)
+ * 2. NanoMind activates on ambiguous/NLP targets (semantic intent classification)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isDaemonAvailable = isDaemonAvailable;
+exports.analyzeSkillIntent = analyzeSkillIntent;
+exports.analyzeSoulCompleteness = analyzeSoulCompleteness;
+exports.analyzeMCPScope = analyzeMCPScope;
+exports.analyzePromptIntent = analyzePromptIntent;
+exports.explainFinding = explainFinding;
+const DAEMON_URL = process.env.NANOMIND_URL ?? 'http://127.0.0.1:47200';
+/**
+ * Check if the NanoMind daemon is running.
+ */
+async function isDaemonAvailable() {
+    try {
+        const resp = await fetch(`${DAEMON_URL}/health`, { signal: AbortSignal.timeout(2000) });
+        return resp.ok;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Analyze a skill for malicious intent using NanoMind.
+ * SCAN_SKILL_INTENT: scores the skill's instruction set for exfiltration,
+ * injection, override, and persistence intent.
+ */
+async function analyzeSkillIntent(skillContent) {
+    const resp = await callDaemon({
+        intent: 'SCAN_SKILL_INTENT',
+        input: skillContent,
+        priority: 'high',
+    });
+    if (!resp || resp.confidence < 0.5)
+        return null;
+    return {
+        checkId: `SKILL-SEMANTIC-${Date.now().toString(36).slice(-4).toUpperCase()}`,
+        severity: resp.confidence >= 0.85 ? 'critical' : resp.confidence >= 0.7 ? 'high' : 'medium',
+        title: `Semantic Intent: ${resp.attackClass ?? resp.result}`,
+        description: `NanoMind classified this skill's intent as ${resp.result} with ${(resp.confidence * 100).toFixed(0)}% confidence.`,
+        evidence: resp.evidence ? [resp.evidence] : [],
+        confidence: resp.confidence,
+        attackClass: resp.attackClass,
+        remediation: resp.remediation,
+        source: 'nanomind',
+    };
+}
+/**
+ * Analyze SOUL.md governance completeness using NanoMind.
+ * SCAN_SOUL_COMPLETENESS: assesses whether governance constraints
+ * actually cover the attack surface.
+ */
+async function analyzeSoulCompleteness(soulContent) {
+    const resp = await callDaemon({
+        intent: 'SCAN_SOUL_COMPLETENESS',
+        input: soulContent,
+        priority: 'medium',
+    });
+    if (!resp)
+        return null;
+    return {
+        checkId: `SOUL-SEMANTIC-${Date.now().toString(36).slice(-4).toUpperCase()}`,
+        severity: resp.confidence >= 0.7 ? 'high' : 'medium',
+        title: 'SOUL Governance Gap Detected',
+        description: `NanoMind identified governance gaps in this SOUL.md: ${resp.result}`,
+        evidence: resp.evidence ? [resp.evidence] : [],
+        confidence: resp.confidence,
+        remediation: resp.remediation,
+        source: 'nanomind',
+    };
+}
+/**
+ * Analyze MCP tool description for scope mismatches.
+ * SCAN_MCP_SCOPE: detects undeclared permissions in natural language descriptions.
+ */
+async function analyzeMCPScope(toolName, toolDescription, declaredCapabilities) {
+    const input = JSON.stringify({ toolName, toolDescription, declaredCapabilities });
+    const resp = await callDaemon({
+        intent: 'SCAN_MCP_SCOPE',
+        input,
+        priority: 'medium',
+    });
+    if (!resp || resp.confidence < 0.5)
+        return null;
+    return {
+        checkId: `MCP-SEMANTIC-${Date.now().toString(36).slice(-4).toUpperCase()}`,
+        severity: resp.confidence >= 0.8 ? 'high' : 'medium',
+        title: `MCP Scope Mismatch: ${toolName}`,
+        description: `NanoMind detected scope mismatch between tool description and declared capabilities: ${resp.result}`,
+        evidence: resp.evidence ? [resp.evidence] : [],
+        confidence: resp.confidence,
+        attackClass: resp.attackClass,
+        remediation: resp.remediation,
+        source: 'nanomind',
+    };
+}
+/**
+ * Analyze system prompt behavioral envelope.
+ * SCAN_PROMPT_INTENT: detects jailbreak seeds, capability creep, override risk.
+ */
+async function analyzePromptIntent(promptContent) {
+    const resp = await callDaemon({
+        intent: 'SCAN_PROMPT_INTENT',
+        input: promptContent,
+        priority: 'high',
+    });
+    if (!resp || resp.confidence < 0.5)
+        return null;
+    return {
+        checkId: `PROMPT-SEMANTIC-${Date.now().toString(36).slice(-4).toUpperCase()}`,
+        severity: resp.confidence >= 0.8 ? 'critical' : resp.confidence >= 0.6 ? 'high' : 'medium',
+        title: `System Prompt Risk: ${resp.attackClass ?? resp.result}`,
+        description: `NanoMind analyzed the system prompt behavioral envelope: ${resp.result}`,
+        evidence: resp.evidence ? [resp.evidence] : [],
+        confidence: resp.confidence,
+        attackClass: resp.attackClass,
+        remediation: resp.remediation,
+        source: 'nanomind',
+    };
+}
+/**
+ * Generate a human-readable explanation of any finding.
+ * SCAN_EXPLAIN: translates machine findings into plain English.
+ */
+async function explainFinding(findingJSON) {
+    const resp = await callDaemon({
+        intent: 'SCAN_EXPLAIN',
+        input: findingJSON,
+        priority: 'low',
+    });
+    return resp?.result ?? null;
+}
+/**
+ * Internal: call the NanoMind daemon.
+ */
+async function callDaemon(req) {
+    try {
+        const resp = await fetch(`${DAEMON_URL}/v1/infer`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(req),
+            signal: AbortSignal.timeout(1200), // 1.2s timeout per brief spec
+        });
+        if (!resp.ok)
+            return null;
+        return await resp.json();
+    }
+    catch {
+        return null; // daemon unavailable or timeout -- fail gracefully
+    }
+}
+//# sourceMappingURL=nanomind-analyzer.js.map

package/dist/semantic/nanomind-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nanomind-analyzer.js","sourceRoot":"","sources":["../../src/semantic/nanomind-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAyCH,8CAOC;AAOD,gDAoBC;AAOD,0DAmBC;AAMD,0CA0BC;AAMD,kDAoBC;AAMD,wCAQC;AAzID,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,wBAAwB,CAAC;AAExE;;GAEG;AACI,KAAK,UAAU,iBAAiB;IACrC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,UAAU,SAAS,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxF,OAAO,IAAI,CAAC,EAAE,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,kBAAkB,CAAC,YAAoB;IAC3D,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;QAC5B,MAAM,EAAE,mBAAmB;QAC3B,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE,MAAM;KACjB,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAEhD,OAAO;QACL,OAAO,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE;QAC5E,QAAQ,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QAC3F,KAAK,EAAE,oBAAoB,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,EAAE;QAC5D,WAAW,EAAE,8CAA8C,IAAI,CAAC,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;QAChI,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;QAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM,EAAE,UAAU;KACnB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,uBAAuB,CAAC,WAAmB;IAC/D,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;QAC5B,MAAM,EAAE,wBAAwB;QAChC,KAAK,EAAE,WAAW;QAClB,QAAQ,EAAE,QAAQ;KACnB,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,OAAO;QACL,OAAO,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE;QAC3E,QAAQ,EAAE,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QACpD,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,wDAAwD,IAAI,CAAC,MAAM,EAAE;QAClF,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;QAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM,EAAE,UAAU;KACnB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,eAAuB,EACvB,oBAA8B;IAE9B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,oBAAoB,EAAE,CAAC,CAAC;IAElF,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;QAC5B,MAAM,EAAE,gBAAgB;QACxB,KAAK;QACL,QAAQ,EAAE,QAAQ;KACnB,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAEhD,OAAO;QACL,OAAO,EAAE,gBAAgB,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE;QAC1E,QAAQ,EAAE,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QACpD,KAAK,EAAE,uBAAuB,QAAQ,EAAE;QACxC,WAAW,EAAE,wFAAwF,IAAI,CAAC,MAAM,EAAE;QAClH,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;QAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM,EAAE,UAAU;KACnB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,mBAAmB,CAAC,aAAqB;IAC7D,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;QAC5B,MAAM,EAAE,oBAAoB;QAC5B,KAAK,EAAE,aAAa;QACpB,QAAQ,EAAE,MAAM;KACjB,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAEhD,OAAO;QACL,OAAO,EAAE,mBAAmB,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE;QAC7E,QAAQ,EAAE,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QAC1F,KAAK,EAAE,uBAAuB,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,EAAE;QAC/D,WAAW,EAAE,4DAA4D,IAAI,CAAC,MAAM,EAAE;QACtF,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;QAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM,EAAE,UAAU;KACnB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,cAAc,CAAC,WAAmB;IACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;QAC5B,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE,WAAW;QAClB,QAAQ,EAAE,KAAK;KAChB,CAAC,CAAC;IAEH,OAAO,IAAI,EAAE,MAAM,IAAI,IAAI,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,UAAU,CAAC,GAAyB;IACjD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,UAAU,WAAW,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;YACzB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,8BAA8B;SAClE,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAC1B,OAAO,MAAM,IAAI,CAAC,IAAI,EAA2B,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,mDAAmD;IAClE,CAAC;AACH,CAAC"}

package/dist/semantic/nanomind-enhancer.d.ts

@@ -0,0 +1,50 @@
+/**
+ * NanoMind Scanner Enhancer
+ *
+ * Wraps around HMA's existing static scanner output and adds semantic
+ * analysis to every finding category. This makes NanoMind the default
+ * intelligence layer for ALL scanners, not just --deep mode.
+ *
+ * Architecture:
+ *   Static scan runs first (204 checks, fast, deterministic)
+ *   → NanoMind enhancer runs on the results + source artifacts
+ *   → Reduces false positives (benign patterns that look suspicious)
+ *   → Catches false negatives (malicious patterns that look benign)
+ *   → Upgrades finding severity based on semantic context
+ *   → Adds evidence and remediation from NanoMind classification
+ *
+ * This runs automatically when the NanoMind daemon is available.
+ * No flags needed. If daemon is down, scan works exactly as before.
+ */
+export interface ScanFinding {
+    checkId: string;
+    name: string;
+    severity: string;
+    passed: boolean;
+    file?: string;
+    description?: string;
+    fix?: string;
+}
+export interface EnhancedFinding extends ScanFinding {
+    nanomindEnhanced: boolean;
+    nanomindConfidence?: number;
+    nanomindVerdict?: 'confirmed' | 'false_positive' | 'upgraded' | 'downgraded';
+    nanomindEvidence?: string;
+    originalSeverity?: string;
+}
+/**
+ * Enhance scan findings with NanoMind semantic analysis.
+ * Called automatically after every static scan when daemon is available.
+ *
+ * Returns the same findings array with NanoMind annotations added.
+ * Does NOT remove findings -- only annotates them with semantic context.
+ */
+export declare function enhanceScanFindings(findings: ScanFinding[], sourceFiles: Map<string, string>): Promise<EnhancedFinding[]>;
+export declare function getEnhancementStats(findings: EnhancedFinding[]): {
+    total: number;
+    enhanced: number;
+    falsePositivesDetected: number;
+    upgraded: number;
+    confirmed: number;
+};
+//# sourceMappingURL=nanomind-enhancer.d.ts.map

package/dist/semantic/nanomind-enhancer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nanomind-enhancer.d.ts","sourceRoot":"","sources":["../../src/semantic/nanomind-enhancer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,eAAgB,SAAQ,WAAW;IAClD,gBAAgB,EAAE,OAAO,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,eAAe,CAAC,EAAE,WAAW,GAAG,gBAAgB,GAAG,UAAU,GAAG,YAAY,CAAC;IAC7E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,WAAW,EAAE,EACvB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,OAAO,CAAC,eAAe,EAAE,CAAC,CAe5B;AAmLD,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,eAAe,EAAE,GAAG;IAChE,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,CASA"}