hackmyagent 0.11.13 → 0.11.15
- package/README.md +26 -3
- package/dist/attack-engine/feedback-loop.d.ts +36 -0
- package/dist/attack-engine/feedback-loop.d.ts.map +1 -0
- package/dist/attack-engine/feedback-loop.js +261 -0
- package/dist/attack-engine/feedback-loop.js.map +1 -0
- package/dist/attack-engine/index.d.ts +13 -0
- package/dist/attack-engine/index.d.ts.map +1 -0
- package/dist/attack-engine/index.js +21 -0
- package/dist/attack-engine/index.js.map +1 -0
- package/dist/attack-engine/payload-generator.d.ts +21 -0
- package/dist/attack-engine/payload-generator.d.ts.map +1 -0
- package/dist/attack-engine/payload-generator.js +210 -0
- package/dist/attack-engine/payload-generator.js.map +1 -0
- package/dist/attack-engine/target-reader.d.ts +15 -0
- package/dist/attack-engine/target-reader.d.ts.map +1 -0
- package/dist/attack-engine/target-reader.js +152 -0
- package/dist/attack-engine/target-reader.js.map +1 -0
- package/dist/attack-engine/training-pipeline.d.ts +57 -0
- package/dist/attack-engine/training-pipeline.d.ts.map +1 -0
- package/dist/attack-engine/training-pipeline.js +146 -0
- package/dist/attack-engine/training-pipeline.js.map +1 -0
- package/dist/attack-engine/types.d.ts +133 -0
- package/dist/attack-engine/types.d.ts.map +1 -0
- package/dist/attack-engine/types.js +22 -0
- package/dist/attack-engine/types.js.map +1 -0
- package/dist/cli.js +248 -15
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -1
- package/dist/index.js.map +1 -1
- package/dist/nanomind-core/analyzers/capability-analyzer.d.ts +40 -0
- package/dist/nanomind-core/analyzers/capability-analyzer.d.ts.map +1 -0
- package/dist/nanomind-core/analyzers/capability-analyzer.js +310 -0
- package/dist/nanomind-core/analyzers/capability-analyzer.js.map +1 -0
- package/dist/nanomind-core/analyzers/code-analyzer.d.ts +21 -0
- package/dist/nanomind-core/analyzers/code-analyzer.d.ts.map +1 -0
- package/dist/nanomind-core/analyzers/code-analyzer.js +350 -0
- package/dist/nanomind-core/analyzers/code-analyzer.js.map +1 -0
- package/dist/nanomind-core/analyzers/credential-analyzer.d.ts +20 -0
- package/dist/nanomind-core/analyzers/credential-analyzer.d.ts.map +1 -0
- package/dist/nanomind-core/analyzers/credential-analyzer.js +317 -0
- package/dist/nanomind-core/analyzers/credential-analyzer.js.map +1 -0
- package/dist/nanomind-core/analyzers/governance-analyzer.d.ts +22 -0
- package/dist/nanomind-core/analyzers/governance-analyzer.d.ts.map +1 -0
- package/dist/nanomind-core/analyzers/governance-analyzer.js +393 -0
- package/dist/nanomind-core/analyzers/governance-analyzer.js.map +1 -0
- package/dist/nanomind-core/analyzers/prompt-analyzer.d.ts +22 -0
- package/dist/nanomind-core/analyzers/prompt-analyzer.d.ts.map +1 -0
- package/dist/nanomind-core/analyzers/prompt-analyzer.js +486 -0
- package/dist/nanomind-core/analyzers/prompt-analyzer.js.map +1 -0
- package/dist/nanomind-core/analyzers/scope-analyzer.d.ts +20 -0
- package/dist/nanomind-core/analyzers/scope-analyzer.d.ts.map +1 -0
- package/dist/nanomind-core/analyzers/scope-analyzer.js +326 -0
- package/dist/nanomind-core/analyzers/scope-analyzer.js.map +1 -0
- package/dist/nanomind-core/compiler/semantic-compiler.d.ts +41 -0
- package/dist/nanomind-core/compiler/semantic-compiler.d.ts.map +1 -0
- package/dist/nanomind-core/compiler/semantic-compiler.js +490 -0
- package/dist/nanomind-core/compiler/semantic-compiler.js.map +1 -0
- package/dist/nanomind-core/index.d.ts +30 -0
- package/dist/nanomind-core/index.d.ts.map +1 -0
- package/dist/nanomind-core/index.js +45 -0
- package/dist/nanomind-core/index.js.map +1 -0
- package/dist/nanomind-core/ingestion/artifact-parser.d.ts +48 -0
- package/dist/nanomind-core/ingestion/artifact-parser.d.ts.map +1 -0
- package/dist/nanomind-core/ingestion/artifact-parser.js +203 -0
- package/dist/nanomind-core/ingestion/artifact-parser.js.map +1 -0
- package/dist/nanomind-core/ingestion/input-sanitizer.d.ts +49 -0
- package/dist/nanomind-core/ingestion/input-sanitizer.d.ts.map +1 -0
- package/dist/nanomind-core/ingestion/input-sanitizer.js +80 -0
- package/dist/nanomind-core/ingestion/input-sanitizer.js.map +1 -0
- package/dist/nanomind-core/scanner-bridge.d.ts +49 -0
- package/dist/nanomind-core/scanner-bridge.d.ts.map +1 -0
- package/dist/nanomind-core/scanner-bridge.js +317 -0
- package/dist/nanomind-core/scanner-bridge.js.map +1 -0
- package/dist/nanomind-core/security/defense-in-depth.d.ts +99 -0
- package/dist/nanomind-core/security/defense-in-depth.d.ts.map +1 -0
- package/dist/nanomind-core/security/defense-in-depth.js +206 -0
- package/dist/nanomind-core/security/defense-in-depth.js.map +1 -0
- package/dist/nanomind-core/security/integrity-verifier.d.ts +132 -0
- package/dist/nanomind-core/security/integrity-verifier.d.ts.map +1 -0
- package/dist/nanomind-core/security/integrity-verifier.js +437 -0
- package/dist/nanomind-core/security/integrity-verifier.js.map +1 -0
- package/dist/nanomind-core/types.d.ts +125 -0
- package/dist/nanomind-core/types.d.ts.map +1 -0
- package/dist/nanomind-core/types.js +22 -0
- package/dist/nanomind-core/types.js.map +1 -0
- package/dist/output/asff.d.ts.map +1 -1
- package/dist/output/asff.js +2 -1
- package/dist/output/asff.js.map +1 -1
- package/dist/semantic/index.d.ts +4 -0
- package/dist/semantic/index.d.ts.map +1 -1
- package/dist/semantic/index.js +13 -1
- package/dist/semantic/index.js.map +1 -1
- package/dist/semantic/nanomind-analyzer.d.ts +77 -0
- package/dist/semantic/nanomind-analyzer.d.ts.map +1 -0
- package/dist/semantic/nanomind-analyzer.js +165 -0
- package/dist/semantic/nanomind-analyzer.js.map +1 -0
- package/dist/semantic/nanomind-enhancer.d.ts +50 -0
- package/dist/semantic/nanomind-enhancer.d.ts.map +1 -0
- package/dist/semantic/nanomind-enhancer.js +203 -0
- package/dist/semantic/nanomind-enhancer.js.map +1 -0
- package/dist/simulation/engine.d.ts +69 -0
- package/dist/simulation/engine.d.ts.map +1 -0
- package/dist/simulation/engine.js +297 -0
- package/dist/simulation/engine.js.map +1 -0
- package/dist/simulation/index.d.ts +15 -0
- package/dist/simulation/index.d.ts.map +1 -0
- package/dist/simulation/index.js +31 -0
- package/dist/simulation/index.js.map +1 -0
- package/dist/simulation/llm-executor.d.ts +58 -0
- package/dist/simulation/llm-executor.d.ts.map +1 -0
- package/dist/simulation/llm-executor.js +297 -0
- package/dist/simulation/llm-executor.js.map +1 -0
- package/dist/simulation/mock-tools.d.ts +35 -0
- package/dist/simulation/mock-tools.d.ts.map +1 -0
- package/dist/simulation/mock-tools.js +181 -0
- package/dist/simulation/mock-tools.js.map +1 -0
- package/dist/simulation/probes.d.ts +17 -0
- package/dist/simulation/probes.d.ts.map +1 -0
- package/dist/simulation/probes.js +295 -0
- package/dist/simulation/probes.js.map +1 -0
- package/dist/simulation/types.d.ts +79 -0
- package/dist/simulation/types.d.ts.map +1 -0
- package/dist/simulation/types.js +25 -0
- package/dist/simulation/types.js.map +1 -0
- package/package.json +1 -1
|
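--- a/package/dist/nanomind-core/analyzers/credential-analyzer.js
+++ b/package/dist/nanomind-core/analyzers/credential-analyzer.js
@@ -0,0 +1,317 @@
+"use strict";
+/**
+* Credential Analyzer -- AST-based AST-CRED-* checks
+*
+* Queries the SecurityAST for credential exposure patterns instead of
+* regex-matching raw text. Understands data flow through AST.declaredDataAccess
+* and distinguishes real credentials from test fixtures and documentation.
+*
+* Checks:
+* AST-CRED-001: Credentials in non-environment contexts
+* AST-CRED-002: Credential forwarding to external destinations
+* AST-CRED-003: Hardcoded secrets in artifact content
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeCredentials = analyzeCredentials;
+const defense_in_depth_js_1 = require("../security/defense-in-depth.js");
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+* Analyze a SecurityAST for credential-related security issues.
+* Verifies AST integrity before processing.
+*/
+function analyzeCredentials(ast, verifier) {
+(0, defense_in_depth_js_1.assertASTIntegrity)(ast, verifier);
+const findings = [];
+findings.push(...checkCredentialsInNonEnvContext(ast));
+findings.push(...checkCredentialForwarding(ast));
+findings.push(...checkHardcodedSecrets(ast));
+return findings;
+}
+// ============================================================================
+// AST-CRED-001: Credentials in non-environment contexts
+// ============================================================================
+/**
+* Detects credential data access patterns that occur outside of proper
+* environment variable / secret manager contexts. Skills and configs
+* should reference credentials via env vars, not inline.
+*
+* Uses AST.declaredDataAccess to find credential-type data patterns
+* and checks whether the artifact type is an appropriate context.
+*/
+function checkCredentialsInNonEnvContext(ast) {
+const findings = [];
+// Env files and credential files are expected to contain credentials
+const safeContextTypes = new Set(['env_file', 'credential_file']);
+if (safeContextTypes.has(ast.artifactType)) {
+return findings;
+}
+const credentialAccess = ast.declaredDataAccess.filter(d => d.dataType === 'credentials');
+if (credentialAccess.length === 0) {
+return findings;
+}
+// Check if evidence spans suggest these are documentation examples or test fixtures
+const isDocOrTest = isDocumentationOrTestContext(ast);
+for (const access of credentialAccess) {
+// Credential reads in skills/configs/source code are suspicious
+// unless the artifact is clearly documentation or test fixture
+if (isDocOrTest) {
+continue;
+}
+const severity = deriveSeverity(access, ast);
+findings.push({
+checkId: 'AST-CRED-001',
+name: 'Credentials in Non-Environment Context',
+description: `Credential data (${access.accessMode}) detected in a ${ast.artifactType} artifact. ` +
+'Credentials should only be referenced via environment variables or secret managers, ' +
+'never embedded in skills, configs, or source code.',
+category: 'Credential Security',
+severity,
+passed: false,
+message: `Credential ${access.accessMode} in ${ast.artifactType} context`,
+fixable: true,
+file: ast.artifactPath,
+fix: 'Replace inline credentials with environment variable references (e.g., $API_KEY or process.env.API_KEY). ' +
+'Use a secret manager for production deployments.',
+guidance: 'Credentials embedded in non-env artifacts can be leaked through version control, ' +
+'logs, or prompt injection attacks that extract artifact content.',
+attackClass: 'CRED-EXPOSURE',
+confidence: isDocOrTest ? 0.3 : 0.8,
+});
+}
+return findings;
+}
+// ============================================================================
+// AST-CRED-002: Credential forwarding patterns
+// ============================================================================
+/**
+* Detects credentials being transmitted to external destinations.
+* Cross-references AST.declaredDataAccess (transmit mode) with
+* credential data types to find forwarding patterns.
+*/
+function checkCredentialForwarding(ast) {
+const findings = [];
+// Find credential data that is transmitted externally
+// Direct: credentials type with transmit mode
+const directCredTransmit = ast.declaredDataAccess.filter(d => d.dataType === 'credentials' && d.accessMode === 'transmit');
+// Indirect: credentials type (read) combined with any transmit pattern
+const hasCredentialAccess = ast.declaredDataAccess.some(d => d.dataType === 'credentials');
+const hasExternalTransmit = ast.declaredDataAccess.some(d => d.accessMode === 'transmit');
+const hasExfilRisk = ast.inferredRiskSurface.some(r => r.attackClass === 'SKILL-EXFIL' || r.attackClass === 'DATA-EXFIL');
+// Combine direct transmissions with indirect patterns
+const credentialTransmissions = [];
+for (const d of directCredTransmit) {
+credentialTransmissions.push({ destination: d.destination ?? 'unknown endpoint' });
+}
+// If credentials are accessed AND there's external transmission, flag it
+if (directCredTransmit.length === 0 && hasCredentialAccess && hasExternalTransmit) {
+credentialTransmissions.push({ destination: 'external endpoint' });
+}
+// If credentials are accessed AND there's an exfiltration risk surface
+if (directCredTransmit.length === 0 && credentialTransmissions.length === 0 && hasCredentialAccess && hasExfilRisk) {
+credentialTransmissions.push({ destination: 'external (inferred from exfiltration risk)' });
+}
+for (const transmission of credentialTransmissions) {
+const destination = transmission.destination;
+// Cross-check with risk surfaces for corroboration
+const corroboratingRisk = ast.inferredRiskSurface.find(r => r.attackClass === 'CRED-HARVEST' || r.attackClass === 'SKILL-EXFIL');
+const confidence = corroboratingRisk
+? Math.max(corroboratingRisk.confidence, 0.8)
+: 0.7;
+findings.push({
+checkId: 'AST-CRED-002',
+name: 'Credential Forwarding Detected',
+description: `Credentials are being transmitted to ${destination}. ` +
+'Credential forwarding is a primary exfiltration vector. ' +
+'Even legitimate logging must never include credential values.',
+category: 'Credential Security',
+severity: 'critical',
+passed: false,
+message: `Credential forwarding to ${destination}`,
+fixable: true,
+file: ast.artifactPath,
+fix: `Remove credential transmission to ${destination}. ` +
+'If external auth is needed, use OAuth token exchange or a credential broker. ' +
+'Never forward raw credentials.',
+guidance: 'Credential forwarding enables account takeover. Even forwarding to "trusted" ' +
+'endpoints is risky because the destination can be compromised or spoofed.',
+attackClass: 'CRED-EXFIL',
+confidence,
+evidence: corroboratingRisk?.evidence,
+});
+}
+// Also check: capabilities that imply credential forwarding
+const forwardingCaps = ast.inferredCapabilities.filter(c => c.name.includes('send') || c.name.includes('transmit') || c.name.includes('forward'));
+for (const cap of forwardingCaps) {
+const mentionsCredentials = cap.evidence?.toLowerCase().includes('credential') ||
+cap.evidence?.toLowerCase().includes('token') ||
+cap.evidence?.toLowerCase().includes('secret') ||
+cap.evidence?.toLowerCase().includes('password');
+if (mentionsCredentials) {
+// Avoid duplicates -- only add if we didn't already find a direct transmission
+if (credentialTransmissions.length === 0) {
+findings.push({
+checkId: 'AST-CRED-002',
+name: 'Credential Forwarding Detected',
+description: `Inferred capability "${cap.name}" involves credential data. ` +
+'This pattern suggests credentials may be forwarded externally.',
+category: 'Credential Security',
+severity: 'high',
+passed: false,
+message: `Inferred credential forwarding via ${cap.name}`,
+fixable: true,
+file: ast.artifactPath,
+fix: 'Remove or restrict the capability that forwards credential data. ' +
+'Use environment variable references instead of passing credential values.',
+attackClass: 'CRED-EXFIL',
+confidence: 0.6,
+evidence: cap.evidence,
+});
+}
+}
+}
+return findings;
+}
+// ============================================================================
+// AST-CRED-003: Hardcoded secrets in artifact content
+// ============================================================================
+/**
+* Detects evidence of hardcoded secrets in the artifact by examining
+* evidence spans and risk surfaces for credential patterns.
+* Distinguishes real secrets from test fixtures (containing "FAKE",
+* "EXAMPLE", "test", "placeholder") and documentation examples.
+*/
+function checkHardcodedSecrets(ast) {
+const findings = [];
+// Look for evidence spans that support credential exposure
+const credentialEvidence = ast.evidenceSpans.filter(e => e.supports === 'CRED-HARVEST' ||
+e.supports === 'CRED-EXFIL' ||
+e.supports === 'credential_exposure');
+// Check risk surfaces for credential patterns
+const credentialRisks = ast.inferredRiskSurface.filter(r => r.attackClass === 'CRED-HARVEST');
+// Combine signals
+const hasCredentialSignals = credentialEvidence.length > 0 || credentialRisks.length > 0;
+if (!hasCredentialSignals) {
+return findings;
+}
+// Filter out defensive constraint contexts: if the artifact has constraints
+// about credential management (e.g., "must never store credentials"), the
+// CRED-HARVEST signal is from the constraint text, not actual harvesting.
+const hasDefensiveCredConstraint = ast.declaredConstraints.some(c => c.domain === 'credential_management' && c.enforceability >= 0.6);
+if (hasDefensiveCredConstraint && credentialEvidence.length === 0) {
+// The credential signal is likely from the constraint text, not from
+// actual credential harvesting patterns. Only risk surfaces exist,
+// and they were triggered by the constraint's mention of credentials.
+return findings;
+}
+// Filter out test fixtures and documentation
+const isTestOrDoc = isDocumentationOrTestContext(ast);
+const evidenceTexts = credentialEvidence.map(e => e.text);
+const allTestFixtures = evidenceTexts.every(t => isTestFixtureCredential(t));
+if (isTestOrDoc && allTestFixtures) {
+return findings;
+}
+// Determine severity based on artifact type and evidence strength
+const maxConfidence = Math.max(...credentialEvidence.map(e => e.confidence), ...credentialRisks.map(r => r.confidence), 0);
+const severity = maxConfidence >= 0.8 ? 'critical' : maxConfidence >= 0.5 ? 'high' : 'medium';
+const evidenceSummary = credentialEvidence.length > 0
+? credentialEvidence[0].text.slice(0, 120)
+: credentialRisks[0]?.evidence ?? 'Credential pattern detected';
+findings.push({
+checkId: 'AST-CRED-003',
+name: 'Hardcoded Secret Detected',
+description: 'The artifact contains patterns consistent with hardcoded secrets. ' +
+'Hardcoded credentials are exposed in version control, build artifacts, ' +
+'and prompt injection attacks that extract artifact content.',
+category: 'Credential Security',
+severity,
+passed: false,
+message: `Hardcoded secret: ${evidenceSummary.slice(0, 80)}`,
+fixable: true,
+file: ast.artifactPath,
+fix: 'Move all secrets to environment variables or a secret manager. ' +
+'Replace hardcoded values with references: $SECRET_NAME or process.env.SECRET_NAME. ' +
+'Rotate any credentials that were committed to version control.',
+guidance: 'After removing hardcoded credentials, rotate them immediately. ' +
+'The old values may already be in git history or build caches.',
+attackClass: 'CRED-HARDCODED',
+confidence: allTestFixtures ? 0.3 : maxConfidence,
+evidence: evidenceSummary,
+});
+return findings;
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+/**
+* Determine if the artifact is a documentation example or test fixture.
+* Test fixtures contain "FAKE", "EXAMPLE", "placeholder", etc.
+* Documentation contexts reference credentials for illustration only.
+*/
+function isDocumentationOrTestContext(ast) {
+const path = (ast.artifactPath ?? '').toLowerCase();
+// Test fixtures
+if (path.includes('test/') ||
+path.includes('__tests__/') ||
+path.includes('fixture') ||
+path.includes('example') ||
+path.includes('.example')) {
+return true;
+}
+// Documentation (but not .skill.md, .soul.md, or CLAUDE.md which are functional)
+if ((path.endsWith('.md') &&
+!path.endsWith('.skill.md') &&
+!path.endsWith('.soul.md') &&
+!path.endsWith('claude.md')) ||
+path.includes('doc/') ||
+path.includes('docs/') ||
+path.includes('readme')) {
+return true;
+}
+// Check declared purpose for test/doc language
+const purpose = ast.declaredPurpose.toLowerCase();
+if (purpose.includes('test') ||
+purpose.includes('example') ||
+purpose.includes('documentation') ||
+purpose.includes('fixture') ||
+purpose.includes('demo')) {
+return true;
+}
+return false;
+}
+/**
+* Check if a credential-like string is a test fixture (contains markers
+* like FAKE, EXAMPLE, placeholder, etc.)
+*/
+function isTestFixtureCredential(text) {
+const upper = text.toUpperCase();
+return (upper.includes('FAKE') ||
+upper.includes('EXAMPLE') ||
+upper.includes('PLACEHOLDER') ||
+upper.includes('TEST') ||
+upper.includes('DUMMY') ||
+upper.includes('SAMPLE') ||
+upper.includes('XXX') ||
+upper.includes('YOUR_') ||
+upper.includes('<YOUR'));
+}
+/**
+* Derive severity from data access pattern and artifact context.
+*/
+function deriveSeverity(access, ast) {
+// Transmitting credentials is always critical
+if (access.accessMode === 'transmit')
+return 'critical';
+// Writing credentials outside env context is high
+if (access.accessMode === 'write')
+return 'high';
+// Reading credentials in a skill is medium (might be legitimate env var ref)
+if (ast.artifactType === 'skill' || ast.artifactType === 'system_prompt')
+return 'medium';
+// Source code with credential access is high
+if (ast.artifactType === 'source_code')
+return 'high';
+return 'medium';
+}
+//# sourceMappingURL=credential-analyzer.js.map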
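Review bot: In checkHardcodedSecrets, `allTestFixtures` comes from `evidenceTexts.every(...)`, which is vacuously true when only risk surfaces (no evidence spans) triggered the check, so that finding is emitted with `confidence: 0.3` even though `maxConfidence` from the same risk surface may have set `severity` to 'critical'; guard the empty case with `const allTestFixtures = evidenceTexts.length > 0 && evidenceTexts.every(t => isTestFixtureCredential(t));`. The same vacuous value also feeds the `isTestOrDoc && allTestFixtures` early return, which then drops a risk-surface-only signal in any doc/test path without any evidence text having been inspected. Separately, isDocumentationOrTestContext suppresses AST-CRED-001 outright based on `ast.declaredPurpose` and the artifact path, both of which are content of the artifact under review, so the finding can be silenced by the artifact's own self-description; lowering confidence, as the now-dead `isDocOrTest ? 0.3 : 0.8` ternary in checkCredentialsInNonEnvContext appears to have intended, would be safer than skipping the finding. `isTestFixtureCredential` also matches the bare substring 'TEST', so evidence containing words such as 'LATEST' or 'ATTEST' is classified as a fixture.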
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credential-analyzer.js","sourceRoot":"","sources":["../../../src/nanomind-core/analyzers/credential-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAcH,gDAaC;AAvBD,yEAAqE;AAErE,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,kBAAkB,CAChC,GAAgB,EAChB,QAAuC;IAEvC,IAAA,wCAAkB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAElC,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,QAAQ,CAAC,IAAI,CAAC,GAAG,+BAA+B,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,QAAQ,CAAC,IAAI,CAAC,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC;IACjD,QAAQ,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC,CAAC;IAE7C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,wDAAwD;AACxD,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAS,+BAA+B,CAAC,GAAgB;IACvD,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,qEAAqE;IACrE,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAClE,IAAI,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QAC3C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,gBAAgB,GAAG,GAAG,CAAC,kBAAkB,CAAC,MAAM,CACpD,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,aAAa,CAClC,CAAC;IAEF,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,oFAAoF;IACpF,MAAM,WAAW,GAAG,4BAA4B,CAAC,GAAG,CAAC,CAAC;IAEtD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,gEAAgE;QAChE,+DAA+D;QAC/D,IAAI,WAAW,EAAE,CAAC;YAChB,SAAS;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAE7C,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,cAAc;YACvB,IAAI,EAAE,wCAAwC;YAC9C,WAAW,EACT,oBAAoB,MAAM,CAAC,UAAU,mBAAmB,GAAG,CAAC,YAAY,aAAa;gBACrF,sFAAsF;gBACtF,oDAAoD;YACtD,QAAQ,EAAE,qBAAqB;YAC/B,QAAQ;YACR,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,cAAc,MAAM,CAAC,UAAU,OAAO,GAAG,CAAC,YAAY,UAAU;YACzE,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,GAAG,CAAC,YAAY;YACtB,GAAG,EACD,2GAA2G;gBAC3G,kDAAkD;YACpD,QAAQ,EACN,mFAAmF;gBACnF,kEAAkE;YACpE,WAAW,EAAE,eAAe;YAC5B,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;SACpC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,+CAA+C;AAC/C,+EAA+E;AAE/E;;;;GAIG;AACH,SAAS,yBAAyB,CAAC,GAAgB;IACjD,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,sDAAsD;IACtD,8CAA8C;IAC9C,M
AAM,kBAAkB,GAAG,GAAG,CAAC,kBAAkB,CAAC,MAAM,CACtD,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,aAAa,IAAI,CAAC,CAAC,UAAU,KAAK,UAAU,CACjE,CAAC;IACF,uEAAuE;IACvE,MAAM,mBAAmB,GAAG,GAAG,CAAC,kBAAkB,CAAC,IAAI,CACrD,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,aAAa,CAClC,CAAC;IACF,MAAM,mBAAmB,GAAG,GAAG,CAAC,kBAAkB,CAAC,IAAI,CACrD,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,UAAU,CACjC,CAAC;IACF,MAAM,YAAY,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,CAC/C,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,aAAa,IAAI,CAAC,CAAC,WAAW,KAAK,YAAY,CACvE,CAAC;IAEF,sDAAsD;IACtD,MAAM,uBAAuB,GAAmC,EAAE,CAAC;IACnE,KAAK,MAAM,CAAC,IAAI,kBAAkB,EAAE,CAAC;QACnC,uBAAuB,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,kBAAkB,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,yEAAyE;IACzE,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,mBAAmB,IAAI,mBAAmB,EAAE,CAAC;QAClF,uBAAuB,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,mBAAmB,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,uEAAuE;IACvE,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,uBAAuB,CAAC,MAAM,KAAK,CAAC,IAAI,mBAAmB,IAAI,YAAY,EAAE,CAAC;QACnH,uBAAuB,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,4CAA4C,EAAE,CAAC,CAAC;IAC9F,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,uBAAuB,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,YAAY,CAAC,WAAW,CAAC;QAE7C,mDAAmD;QACnD,MAAM,iBAAiB,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,CACpD,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,cAAc,IAAI,CAAC,CAAC,WAAW,KAAK,aAAa,CACzE,CAAC;QAEF,MAAM,UAAU,GAAG,iBAAiB;YAClC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAiB,CAAC,UAAU,EAAE,GAAG,CAAC;YAC7C,CAAC,CAAC,GAAG,CAAC;QAER,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,cAAc;YACvB,IAAI,EAAE,gCAAgC;YACtC,WAAW,EACT,wCAAwC,WAAW,IAAI;gBACvD,0DAA0D;gBAC1D,+DAA+D;YACjE,QAAQ,EAAE,qBAAqB;YAC/B,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,4BAA4B,WAAW,EAAE;YAClD,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,GAAG,CAAC,YAAY;YACtB,GAAG,EACD,qCAAqC,WAAW,IAAI;gBACpD,+EAA+E;gBAC/E,gCAAgC;YAClC,QAAQ,EACN,+EAA+E;gBAC/E,2EAA2E;YAC7E,WAAW,EAAE,YAAY;YACzB,UAAU;YACV,QAAQ,EAAE,iBAAiB,EAAE,QAAQ;SACtC,CAAC,CAAC;IACL,CAAC;IAED,4DAA4D;IAC5D,MAAM,cAAc,GAAG,GAAG,CAAC,oBAAoB,CAAC,MAAM,CACpD,CAAC,CAAC,EAAE,CACF,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,C
AAC,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CACvF,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;QACjC,MAAM,mBAAmB,GACvB,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC;YAClD,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC7C,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC9C,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAEnD,IAAI,mBAAmB,EAAE,CAAC;YACxB,+EAA+E;YAC/E,IAAI,uBAAuB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzC,QAAQ,CAAC,IAAI,CAAC;oBACZ,OAAO,EAAE,cAAc;oBACvB,IAAI,EAAE,gCAAgC;oBACtC,WAAW,EACT,wBAAwB,GAAG,CAAC,IAAI,8BAA8B;wBAC9D,gEAAgE;oBAClE,QAAQ,EAAE,qBAAqB;oBAC/B,QAAQ,EAAE,MAAM;oBAChB,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,sCAAsC,GAAG,CAAC,IAAI,EAAE;oBACzD,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,GAAG,CAAC,YAAY;oBACtB,GAAG,EACD,mEAAmE;wBACnE,2EAA2E;oBAC7E,WAAW,EAAE,YAAY;oBACzB,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,GAAG,CAAC,QAAQ;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,sDAAsD;AACtD,+EAA+E;AAE/E;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,GAAgB;IAC7C,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,2DAA2D;IAC3D,MAAM,kBAAkB,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,CACjD,CAAC,CAAC,EAAE,CACF,CAAC,CAAC,QAAQ,KAAK,cAAc;QAC7B,CAAC,CAAC,QAAQ,KAAK,YAAY;QAC3B,CAAC,CAAC,QAAQ,KAAK,qBAAqB,CACvC,CAAC;IAEF,8CAA8C;IAC9C,MAAM,eAAe,GAAG,GAAG,CAAC,mBAAmB,CAAC,MAAM,CACpD,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,cAAc,CACtC,CAAC;IAEF,kBAAkB;IAClB,MAAM,oBAAoB,GACxB,kBAAkB,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;IAE9D,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,4EAA4E;IAC5E,0EAA0E;IAC1E,0EAA0E;IAC1E,MAAM,0BAA0B,GAAG,GAAG,CAAC,mBAAmB,CAAC,IAAI,CAC7D,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,uBAAuB,IAAI,CAAC,CAAC,cAAc,IAAI,GAAG,CACrE,CAAC;IACF,IAAI,0BAA0B,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,qEAAqE;QACrE,mEAAmE;QACnE,sEAAsE;QACtE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,6CAA6C;IAC7C,MAAM,WAAW,GAAG,4BAA4B,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CA
AC,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;IAE7E,IAAI,WAAW,IAAI,eAAe,EAAE,CAAC;QACnC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,kEAAkE;IAClE,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAC5B,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,EAC5C,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,EACzC,CAAC,CACF,CAAC;IAEF,MAAM,QAAQ,GACZ,aAAa,IAAI,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;IAE/E,MAAM,eAAe,GACnB,kBAAkB,CAAC,MAAM,GAAG,CAAC;QAC3B,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QAC1C,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,QAAQ,IAAI,6BAA6B,CAAC;IAEpE,QAAQ,CAAC,IAAI,CAAC;QACZ,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,2BAA2B;QACjC,WAAW,EACT,oEAAoE;YACpE,yEAAyE;YACzE,6DAA6D;QAC/D,QAAQ,EAAE,qBAAqB;QAC/B,QAAQ;QACR,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,qBAAqB,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;QAC5D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,GAAG,CAAC,YAAY;QACtB,GAAG,EACD,iEAAiE;YACjE,qFAAqF;YACrF,gEAAgE;QAClE,QAAQ,EACN,iEAAiE;YACjE,+DAA+D;QACjE,WAAW,EAAE,gBAAgB;QAC7B,UAAU,EAAE,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa;QACjD,QAAQ,EAAE,eAAe;KAC1B,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;;;GAIG;AACH,SAAS,4BAA4B,CAAC,GAAgB;IACpD,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAEpD,gBAAgB;IAChB,IACE,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC3B,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EACzB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iFAAiF;IACjF,IACE,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QACnB,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC3B,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC1B,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC9B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QACrB,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EACvB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+CAA+C;IAC/C,MAAM,O
AAO,GAAG,GAAG,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;IAClD,IACE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC3B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;QACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EACxB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,uBAAuB,CAAC,IAAY;IAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,CACL,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;QACtB,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;QACzB,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;QACtB,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QACvB,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACxB,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QACrB,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QACvB,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CACxB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,MAAyB,EACzB,GAAgB;IAEhB,8CAA8C;IAC9C,IAAI,MAAM,CAAC,UAAU,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACxD,kDAAkD;IAClD,IAAI,MAAM,CAAC,UAAU,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IACjD,6EAA6E;IAC7E,IAAI,GAAG,CAAC,YAAY,KAAK,OAAO,IAAI,GAAG,CAAC,YAAY,KAAK,eAAe;QAAE,OAAO,QAAQ,CAAC;IAC1F,6CAA6C;IAC7C,IAAI,GAAG,CAAC,YAAY,KAAK,aAAa;QAAE,OAAO,MAAM,CAAC;IACtD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
|
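--- a/package/dist/nanomind-core/analyzers/governance-analyzer.d.ts
+++ b/package/dist/nanomind-core/analyzers/governance-analyzer.d.ts
@@ -0,0 +1,22 @@
+/**
+* Governance Analyzer -- AST-based AST-GOV-* checks
+*
+* Queries the SecurityAST for governance and SOUL gaps. Evaluates
+* constraint coverage, enforceability, and override resistance using
+* the structured AST.declaredConstraints instead of raw text matching.
+*
+* Checks:
+* AST-GOV-001: Constraint domain coverage gaps (9 domains)
+* AST-GOV-002: Weak constraint enforceability
+* AST-GOV-003: Missing governance for capabilities
+* AST-GOV-004: Override resistance gaps
+* AST-GOV-005: Governance-capability ratio imbalance
+*/
+import type { SecurityAST } from '../types.js';
+import type { ASTFinding } from './capability-analyzer.js';
+/**
+* Analyze a SecurityAST for governance and SOUL-related issues.
+* Verifies AST integrity before processing.
+*/
+export declare function analyzeGovernance(ast: SecurityAST, verifier: (ast: SecurityAST) => boolean): ASTFinding[];
+//# sourceMappingURL=governance-analyzer.d.ts.map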
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"governance-analyzer.d.ts","sourceRoot":"","sources":["../../../src/nanomind-core/analyzers/governance-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,WAAW,EAA4C,MAAM,aAAa,CAAC;AACzF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAqD3D;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,WAAW,EAChB,QAAQ,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,GACtC,UAAU,EAAE,CAYd"}
|