npm - hackmyagent - Versions diffs - 0.11.14 → 0.12.0 - Mend

hackmyagent 0.11.14 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (73) hide show

package/dist/nanomind-core/analyzers/scope-analyzer.js ADDED Viewed

@@ -0,0 +1,326 @@
+"use strict";
+/**
+ * Scope Analyzer -- AST-based AST-SCOPE-* checks
+ *
+ * Queries the SecurityAST for MCP tool scope mismatches and A2A exposure.
+ * Compares declared capabilities against inferred capabilities to detect
+ * wildcard access, undeclared permissions, and scope-purpose mismatches.
+ *
+ * Checks:
+ *   AST-SCOPE-001: Wildcard tool access in MCP configurations
+ *   AST-SCOPE-002: Undeclared tool permissions (inferred but not declared)
+ *   AST-SCOPE-003: Scope-purpose mismatch (capabilities inconsistent with purpose)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeScope = analyzeScope;
+const defense_in_depth_js_1 = require("../security/defense-in-depth.js");
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+ * Analyze a SecurityAST for scope and permission issues.
+ * Verifies AST integrity before processing.
+ */
+function analyzeScope(ast, verifier) {
+    (0, defense_in_depth_js_1.assertASTIntegrity)(ast, verifier);
+    const findings = [];
+    findings.push(...checkWildcardToolAccess(ast));
+    findings.push(...checkUndeclaredPermissions(ast));
+    findings.push(...checkScopePurposeMismatch(ast));
+    return findings;
+}
+// ============================================================================
+// AST-SCOPE-001: Wildcard tool access
+// ============================================================================
+/**
+ * Detects wildcard ("*") tool access in MCP configurations and agent configs.
+ * Wildcard access grants the agent unlimited tool permissions, which is
+ * the MCP equivalent of running as root.
+ *
+ * Also detects partial wildcards (e.g., "db.*") that grant broad access
+ * within a domain.
+ */
+function checkWildcardToolAccess(ast) {
+    const findings = [];
+    // Full wildcards: capabilities with "*" in the name
+    const fullWildcards = ast.declaredCapabilities.filter(c => c.name.includes('*'));
+    for (const cap of fullWildcards) {
+        const isFullWildcard = cap.name.endsWith('.*') || cap.name === '*';
+        const scope = cap.scope || 'all tools';
+        findings.push({
+            checkId: 'AST-SCOPE-001',
+            name: isFullWildcard ? 'Full Wildcard Tool Access' : 'Partial Wildcard Tool Access',
+            description: isFullWildcard
+                ? `Wildcard capability "${cap.name}" grants unrestricted access to ${scope}. ` +
+                    'This is the MCP equivalent of running as root. Any tool in the server can be ' +
+                    'invoked, including dangerous operations like file deletion or code execution.'
+                : `Partial wildcard "${cap.name}" grants broad access within ${scope}. ` +
+                    'While scoped to a domain, this still allows access to every tool in that domain ' +
+                    'including tools not needed for the declared purpose.',
+            category: 'Scope Security',
+            severity: isFullWildcard ? 'critical' : 'high',
+            passed: false,
+            message: `Wildcard access: ${cap.name} (scope: ${scope})`,
+            fixable: true,
+            file: ast.artifactPath,
+            fix: isFullWildcard
+                ? `Replace wildcard "*" with an explicit allowlist of needed tools. ` +
+                    `In your MCP config, change "allowedTools": ["*"] to "allowedTools": ["tool1", "tool2"]. ` +
+                    'Only include tools the agent actually needs.'
+                : `Replace partial wildcard "${cap.name}" with specific tool names. ` +
+                    `List only the ${cap.name.split('.')[0]} tools the agent actually uses.`,
+            guidance: 'Principle of least privilege: grant only the minimum permissions needed. ' +
+                'Wildcard access means a prompt injection attack can invoke any tool.',
+            attackClass: 'SCOPE-WILDCARD',
+            confidence: 0.95,
+        });
+    }
+    // Also flag MCP configs where no allowedTools is specified (implicit wildcard)
+    if (ast.artifactType === 'mcp_config') {
+        const mcpCaps = ast.declaredCapabilities.filter(c => c.name.startsWith('mcp.'));
+        // If there are MCP capabilities but none have explicit tool names (all are server-level)
+        const hasOnlyServerLevel = mcpCaps.length > 0 && mcpCaps.every(c => {
+            const parts = c.name.split('.');
+            return parts.length <= 2; // "mcp.servername" without a tool name
+        });
+        if (hasOnlyServerLevel && fullWildcards.length === 0) {
+            // MCP server declared without explicit tool restrictions
+            for (const cap of mcpCaps) {
+                findings.push({
+                    checkId: 'AST-SCOPE-001',
+                    name: 'Implicit Wildcard MCP Access',
+                    description: `MCP server "${cap.scope}" is configured without an explicit tool allowlist. ` +
+                        'When no allowedTools is specified, all tools on the server are accessible.',
+                    category: 'Scope Security',
+                    severity: 'high',
+                    passed: false,
+                    message: `Implicit wildcard: MCP server ${cap.scope}`,
+                    fixable: true,
+                    file: ast.artifactPath,
+                    fix: `Add an "allowedTools" list to the "${cap.scope}" server configuration. ` +
+                        'Specify only the tools your agent needs.',
+                    guidance: 'MCP servers can expose dangerous tools (file system, shell execution). ' +
+                        'Always restrict access to a named allowlist.',
+                    attackClass: 'SCOPE-WILDCARD',
+                    confidence: 0.8,
+                });
+            }
+        }
+    }
+    return findings;
+}
+// ============================================================================
+// AST-SCOPE-002: Undeclared tool permissions
+// ============================================================================
+/**
+ * Detects capabilities that NanoMind inferred from the artifact content
+ * but that were not explicitly declared. Undeclared permissions mean the
+ * agent can do more than its manifest claims.
+ *
+ * This is the scope-specific version of AST-CAP-001 (undeclared capabilities).
+ * While CAP-001 flags any undeclared capability, SCOPE-002 focuses on
+ * tool permissions and access patterns.
+ */
+function checkUndeclaredPermissions(ast) {
+    const findings = [];
+    // Build list of declared capability names (normalized)
+    const declaredNamesList = ast.declaredCapabilities.map(c => normalizeCapName(c.name));
+    // Find inferred capabilities not covered by declarations
+    const undeclaredInferred = ast.inferredCapabilities.filter(c => {
+        const normalized = normalizeCapName(c.name);
+        // Check exact match
+        if (declaredNamesList.includes(normalized))
+            return false;
+        // Check if covered by a broader declared capability (e.g., "db.*" covers "db.read")
+        for (const declared of declaredNamesList) {
+            if (declared.endsWith('.*') && normalized.startsWith(declared.slice(0, -1))) {
+                return false;
+            }
+        }
+        return true;
+    });
+    for (const cap of undeclaredInferred) {
+        const severity = cap.riskLevel === 'critical'
+            ? 'critical'
+            : cap.riskLevel === 'high'
+                ? 'high'
+                : 'medium';
+        findings.push({
+            checkId: 'AST-SCOPE-002',
+            name: 'Undeclared Tool Permission',
+            description: `Tool permission "${cap.name}" (scope: ${cap.scope || 'unscoped'}) was inferred ` +
+                'from artifact content but is not declared in the capability manifest. ' +
+                'The artifact exercises permissions beyond its declared scope.',
+            category: 'Scope Security',
+            severity,
+            passed: false,
+            message: `Undeclared permission: ${cap.name} (${cap.riskLevel}-risk)`,
+            fixable: true,
+            file: ast.artifactPath,
+            fix: `Either declare "${cap.name}" in your capability manifest (if intended) ` +
+                'or remove the code/instructions that exercise this permission. ' +
+                'If declared, add a governance constraint for this capability.',
+            guidance: 'Every tool permission must be explicitly declared. Undeclared permissions are a ' +
+                'supply chain risk: users and orchestrators cannot audit what the agent actually does.',
+            attackClass: 'SCOPE-UNDECLARED',
+            confidence: ast.intentConfidence,
+            evidence: cap.evidence,
+        });
+    }
+    return findings;
+}
+// ============================================================================
+// AST-SCOPE-003: Scope-purpose mismatch
+// ============================================================================
+/**
+ * Detects capabilities that are inconsistent with the artifact's declared
+ * purpose. A "weather lookup" agent with file.delete capabilities is
+ * suspicious regardless of whether the capability is declared.
+ *
+ * Uses semantic comparison between the declared purpose and each capability,
+ * considering both declared and inferred capabilities.
+ */
+function checkScopePurposeMismatch(ast) {
+    const findings = [];
+    const purpose = ast.declaredPurpose.toLowerCase();
+    // Skip if purpose is generic / unknown
+    if (purpose === 'unknown purpose' ||
+        purpose.length < 10 ||
+        purpose.includes('does whatever') ||
+        purpose.includes('general purpose')) {
+        return findings;
+    }
+    // Extract purpose domain keywords
+    const purposeKeywords = extractPurposeKeywords(purpose);
+    if (purposeKeywords.size < 2) {
+        return findings; // Not enough context to judge mismatch
+    }
+    // Check all capabilities (declared + inferred) for relevance to purpose
+    const allCaps = [...ast.declaredCapabilities, ...ast.inferredCapabilities];
+    // Deduplicate by name
+    const seen = new Set();
+    const uniqueCaps = [];
+    for (const cap of allCaps) {
+        if (!seen.has(cap.name)) {
+            seen.add(cap.name);
+            uniqueCaps.push(cap);
+        }
+    }
+    for (const cap of uniqueCaps) {
+        // Only flag high/critical risk mismatches
+        if (cap.riskLevel !== 'high' && cap.riskLevel !== 'critical') {
+            continue;
+        }
+        const capKeywords = extractCapabilityKeywords(cap.name, cap.scope);
+        const overlap = setIntersection(purposeKeywords, capKeywords);
+        // If zero overlap between purpose and capability keywords, it's a mismatch
+        if (overlap.size === 0 && capKeywords.size > 0) {
+            findings.push({
+                checkId: 'AST-SCOPE-003',
+                name: 'Scope-Purpose Mismatch',
+                description: `${cap.riskLevel}-risk capability "${cap.name}" (scope: ${cap.scope || 'unscoped'}) ` +
+                    `does not align with declared purpose: "${truncate(ast.declaredPurpose, 100)}". ` +
+                    'This could indicate a trojan capability hidden in an otherwise legitimate agent.',
+                category: 'Scope Security',
+                severity: cap.riskLevel === 'critical' ? 'critical' : 'high',
+                passed: false,
+                message: `"${cap.name}" does not match purpose "${truncate(ast.declaredPurpose, 50)}"`,
+                fixable: true,
+                file: ast.artifactPath,
+                fix: `Either update the purpose description to explain why "${cap.name}" is needed, ` +
+                    `or remove this capability if it is not required. ` +
+                    'A clear purpose statement helps users and scanners trust the agent.',
+                guidance: 'Scope-purpose mismatches are a red flag for trojan agents that hide malicious ' +
+                    'capabilities behind a benign-sounding purpose. Even if the capability is legitimate, ' +
+                    'the purpose should explain why it is needed.',
+                attackClass: 'SEMANTIC-MISMATCH',
+                confidence: 0.65,
+                evidence: cap.evidence,
+            });
+        }
+    }
+    return findings;
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+/**
+ * Normalize a capability name for comparison.
+ * "MCP.github.issues_list" -> "mcp.github.issues_list"
+ */
+function normalizeCapName(name) {
+    return name.toLowerCase().replace(/-/g, '_');
+}
+/**
+ * Extract meaningful keywords from a purpose string.
+ * Filters out stop words and short tokens.
+ */
+function extractPurposeKeywords(purpose) {
+    const stopWords = new Set([
+        'the', 'and', 'for', 'with', 'that', 'this', 'from', 'have', 'will',
+        'can', 'not', 'are', 'was', 'been', 'being', 'has', 'had', 'does',
+        'did', 'but', 'its', 'they', 'their', 'what', 'which', 'when',
+        'where', 'who', 'whom', 'how', 'all', 'each', 'every', 'both',
+        'few', 'more', 'most', 'other', 'some', 'such', 'than', 'too',
+        'very', 'just', 'about', 'also', 'only', 'then', 'tool', 'agent',
+        'help', 'users', 'user',
+    ]);
+    const result = new Set();
+    purpose
+        .split(/[\s,.;:!?()[\]{}]+/)
+        .map(w => w.toLowerCase())
+        .filter(w => w.length > 3 && !stopWords.has(w))
+        .forEach(w => result.add(w));
+    return result;
+}
+/**
+ * Extract keywords from a capability name and scope.
+ * "db.read" + "customers table" -> {"read", "customers", "table", "database"}
+ */
+function extractCapabilityKeywords(name, scope) {
+    const parts = name.split(/[._-]/).filter(p => p.length > 2);
+    // Expand abbreviations
+    const expansions = {
+        db: ['database', 'data'],
+        api: ['interface', 'endpoint', 'service'],
+        fs: ['file', 'filesystem'],
+        mcp: ['tool', 'server'],
+        auth: ['authentication', 'credential'],
+        exec: ['execute', 'shell'],
+        admin: ['administration', 'privilege'],
+    };
+    const keywords = new Set();
+    for (const part of parts) {
+        keywords.add(part.toLowerCase());
+        const expanded = expansions[part.toLowerCase()];
+        if (expanded) {
+            for (const e of expanded) {
+                keywords.add(e);
+            }
+        }
+    }
+    // Add scope words
+    if (scope) {
+        for (const word of scope.split(/[\s,.]+/)) {
+            if (word.length > 2) {
+                keywords.add(word.toLowerCase());
+            }
+        }
+    }
+    return keywords;
+}
+function setIntersection(a, b) {
+    const result = new Set();
+    a.forEach(item => {
+        if (b.has(item)) {
+            result.add(item);
+        }
+    });
+    return result;
+}
+function truncate(text, maxLen) {
+    if (text.length <= maxLen)
+        return text;
+    return text.slice(0, maxLen - 3) + '...';
+}
+//# sourceMappingURL=scope-analyzer.js.map

package/dist/nanomind-core/analyzers/scope-analyzer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scope-analyzer.js","sourceRoot":"","sources":["../../../src/nanomind-core/analyzers/scope-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAcH,oCAaC;AAvBD,yEAAqE;AAErE,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,YAAY,CAC1B,GAAgB,EAChB,QAAuC;IAEvC,IAAA,wCAAkB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAElC,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/C,QAAQ,CAAC,IAAI,CAAC,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,QAAQ,CAAC,IAAI,CAAC,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC;IAEjD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,sCAAsC;AACtC,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,GAAgB;IAC/C,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,oDAAoD;IACpD,MAAM,aAAa,GAAG,GAAG,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;IAEjF,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,MAAM,cAAc,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC;QACnE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,WAAW,CAAC;QAEvC,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,eAAe;YACxB,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,8BAA8B;YACnF,WAAW,EAAE,cAAc;gBACzB,CAAC,CAAC,wBAAwB,GAAG,CAAC,IAAI,mCAAmC,KAAK,IAAI;oBAC5E,+EAA+E;oBAC/E,+EAA+E;gBACjF,CAAC,CAAC,qBAAqB,GAAG,CAAC,IAAI,gCAAgC,KAAK,IAAI;oBACtE,kFAAkF;oBAClF,sDAAsD;YAC1D,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;YAC9C,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,oBAAoB,GAAG,CAAC,IAAI,YAAY,KAAK,GAAG;YACzD,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,GAAG,CAAC,YAAY;YACtB,GAAG,EAAE,cAAc;gBACjB,CAAC,CAAC,mEAAmE;oBACnE,0FAA0F;oBAC1F,8CAA8C;gBAChD,CAAC,CAAC,6BAA6B,GAAG,CAAC,IAAI,8BAA8B;oBACnE,iBAAiB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,iCAAiC;YAC5E,QAAQ,EACN,2EAA2E;gBAC3E,sEAAsE;YACxE,WAAW,EAAE,gBAAgB;YAC7B,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,+EAA+E;IAC/E,IAAI,GAAG,CAAC,YAAY,KAAK,YAAY,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,GAAG,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QAChF,yFAAyF;QACzF,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;YACjE,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,uCAAuC;QACnE,CAAC,CAAC,CAAC;QAEH,IAAI,kBAAkB,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrD,yDAAyD;YACzD,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,OAAO,EAAE,eAAe;oBACxB,IAAI,EAAE,8BAA8B;oBACpC,WAAW,EACT,eAAe,GAAG,CAAC,KAAK,sDAAsD;wBAC9E,4EAA4E;oBAC9E,QAAQ,EAAE,gBAAgB;oBAC1B,QAAQ,EAAE,MAAM;oBAChB,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,iCAAiC,GAAG,CAAC,KAAK,EAAE;oBACrD,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,GAAG,CAAC,YAAY;oBACtB,GAAG,EACD,sCAAsC,GAAG,CAAC,KAAK,0BAA0B;wBACzE,0CAA0C;oBAC5C,QAAQ,EACN,yEAAyE;wBACzE,8CAA8C;oBAChD,WAAW,EAAE,gBAAgB;oBAC7B,UAAU,EAAE,GAAG;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,6CAA6C;AAC7C,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,SAAS,0BAA0B,CAAC,GAAgB;IAClD,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,uDAAuD;IACvD,MAAM,iBAAiB,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEtF,yDAAyD;IACzD,MAAM,kBAAkB,GAAG,GAAG,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;QAC7D,MAAM,UAAU,GAAG,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC5C,oBAAoB;QACpB,IAAI,iBAAiB,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QACzD,oFAAoF;QACpF,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;YACzC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5E,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,KAAK,UAAU;YAC3C,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,GAAG,CAAC,SAAS,KAAK,MAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,QAAQ,CAAC;QAEf,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,eAAe;YACxB,IAAI,EAAE,4BAA4B;YAClC,WAAW,EACT,oBAAoB,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC,KAAK,IAAI,UAAU,iBAAiB;gBACjF,wEAAwE;gBACxE,+DAA+D;YACjE,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ;YACR,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,0BAA0B,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,SAAS,QAAQ;YACrE,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,GAAG,CAAC,YAAY;YACtB,GAAG,EACD,mBAAmB,GAAG,CAAC,IAAI,8CAA8C;gBACzE,iEAAiE;gBACjE,+DAA+D;YACjE,QAAQ,EACN,kFAAkF;gBAClF,uFAAuF;YACzF,WAAW,EAAE,kBAAkB;YAC/B,UAAU,EAAE,GAAG,CAAC,gBAAgB;YAChC,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,wCAAwC;AACxC,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAAC,GAAgB;IACjD,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;IAElD,uCAAuC;IACvC,IACE,OAAO,KAAK,iBAAiB;QAC7B,OAAO,CAAC,MAAM,GAAG,EAAE;QACnB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;QACjC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EACnC,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,kCAAkC;IAClC,MAAM,eAAe,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,QAAQ,CAAC,CAAC,uCAAuC;IAC1D,CAAC;IAED,wEAAwE;IACxE,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG,CAAC,oBAAoB,EAAE,GAAG,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAE3E,sBAAsB;IACtB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,UAAU,GAAiB,EAAE,CAAC;IACpC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,0CAA0C;QAC1C,IAAI,GAAG,CAAC,SAAS,KAAK,MAAM,IAAI,GAAG,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;YAC7D,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,yBAAyB,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;QACnE,MAAM,OAAO,GAAG,eAAe,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;QAE9D,2EAA2E;QAC3E,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,WAAW,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC/C,QAAQ,CAAC,IAAI,CAAC;gBACZ,OAAO,EAAE,eAAe;gBACxB,IAAI,EAAE,wBAAwB;gBAC9B,WAAW,EACT,GAAG,GAAG,CAAC,SAAS,qBAAqB,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC,KAAK,IAAI,UAAU,IAAI;oBACrF,0CAA0C,QAAQ,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,KAAK;oBACjF,kFAAkF;gBACpF,QAAQ,EAAE,gBAAgB;gBAC1B,QAAQ,EAAE,GAAG,CAAC,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;gBAC5D,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,IAAI,GAAG,CAAC,IAAI,6BAA6B,QAAQ,CAAC,GAAG,CAAC,eAAe,EAAE,EAAE,CAAC,GAAG;gBACtF,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE,GAAG,CAAC,YAAY;gBACtB,GAAG,EACD,yDAAyD,GAAG,CAAC,IAAI,eAAe;oBAChF,mDAAmD;oBACnD,qEAAqE;gBACvE,QAAQ,EACN,gFAAgF;oBAChF,uFAAuF;oBACvF,8CAA8C;gBAChD,WAAW,EAAE,mBAAmB;gBAChC,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,OAAe;IAC7C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;QACxB,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;QACnE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM;QACjE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;QAC7D,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;QAC7D,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK;QAC7D,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;QAChE,MAAM,EAAE,OAAO,EAAE,MAAM;KACxB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,OAAO;SACJ,KAAK,CAAC,oBAAoB,CAAC;SAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;SACzB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;SAC9C,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,KAAa;IAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE5D,uBAAuB;IACvB,MAAM,UAAU,GAA6B;QAC3C,EAAE,EAAE,CAAC,UAAU,EAAE,MAAM,CAAC;QACxB,GAAG,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC;QACzC,EAAE,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC;QAC1B,GAAG,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC;QACvB,IAAI,EAAE,CAAC,gBAAgB,EAAE,YAAY,CAAC;QACtC,IAAI,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC;QAC1B,KAAK,EAAE,CAAC,gBAAgB,EAAE,WAAW,CAAC;KACvC,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAChD,IAAI,QAAQ,EAAE,CAAC;YACb,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1C,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CAAI,CAAS,EAAE,CAAS;IAC9C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAK,CAAC;IAC5B,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;QACf,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAChB,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY,EAAE,MAAc;IAC5C,IAAI,IAAI,CAAC,MAAM,IAAI,MAAM;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC;AAC3C,CAAC"}

package/dist/nanomind-core/compiler/semantic-compiler.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * NanoMind Semantic Compiler
+ *
+ * The core of the architecture. Compiles raw artifacts into Abstract Security Trees.
+ * ALL scanners consume the AST -- no scanner reads raw text directly.
+ *
+ * Pipeline:
+ *   1. Parse artifact (validate, classify, hash)
+ *   2. Sanitize for NanoMind (strip manipulation attempts)
+ *   3. Extract declared capabilities and constraints
+ *   4. Run NanoMind inference for intent + inferred capabilities
+ *   5. Map risk surfaces
+ *   6. Extract evidence spans
+ *   7. Sign the AST
+ *   8. Return CompilationResult
+ *
+ * Security:
+ *   - Input sanitized before NanoMind processes it
+ *   - AST signed with Ed25519 for integrity
+ *   - Model version embedded for reproducibility
+ *   - Content-addressed caching via SHA-256 hash
+ */
+import type { SecurityAST, CompilationResult, CompilerConfig } from '../types.js';
+export declare class SemanticCompiler {
+    private config;
+    private cache;
+    constructor(config?: Partial<CompilerConfig>);
+    /**
+     * Compile an artifact into a SecurityAST.
+     * This is the main entry point for the entire NanoMind pipeline.
+     */
+    compile(content: string, path?: string): Promise<CompilationResult>;
+    /**
+     * Verify an AST's cryptographic signature.
+     * Analyzers MUST call this before processing an AST.
+     */
+    verifyAST(ast: SecurityAST): boolean;
+    private runNanoMindInference;
+    private signAST;
+}
+//# sourceMappingURL=semantic-compiler.d.ts.map

package/dist/nanomind-core/compiler/semantic-compiler.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"semantic-compiler.d.ts","sourceRoot":"","sources":["../../../src/nanomind-core/compiler/semantic-compiler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH,OAAO,KAAK,EACV,WAAW,EACX,iBAAiB,EACjB,cAAc,EASf,MAAM,aAAa,CAAC;AAErB,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,KAAK,CAAkC;gBAEnC,MAAM,GAAE,OAAO,CAAC,cAAc,CAAM;IAUhD;;;OAGG;IACG,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IA0GzE;;;OAGG;IACH,SAAS,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO;YAStB,oBAAoB;IA+ClC,OAAO,CAAC,OAAO;CAchB"}