hackmyagent 0.14.1 → 0.15.0

package/dist/hardening/mcp-tool-enum.js

@@ -1,315 +0,0 @@
-"use strict";
-/**
- * MCP Tool Enumeration (MCPTOOL-001 to MCPTOOL-005)
- *
- * Connects to configured MCP servers, discovers their tools via JSON-RPC,
- * and classifies dangerous capabilities. Only runs with --deep or --live-mcp flag.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.discoverMcpConfigs = discoverMcpConfigs;
-exports.enumerateStdioTools = enumerateStdioTools;
-exports.classifyTools = classifyTools;
-exports.checkMcpToolEnumeration = checkMcpToolEnumeration;
-const child_process_1 = require("child_process");
-const fs = __importStar(require("fs/promises"));
-const path = __importStar(require("path"));
-const os = __importStar(require("os"));
-// Dangerous capability classification
-const EXECUTION_TOOLS = new Set([
-    'execute_command', 'bash', 'shell', 'run_command', 'exec',
-    'run_script', 'terminal', 'execute', 'run', 'system',
-    'execute_shell', 'run_shell', 'subprocess',
-]);
-const FILESYSTEM_WRITE_TOOLS = new Set([
-    'write_file', 'create_file', 'delete_file', 'edit_file',
-    'write', 'remove_file', 'mkdir', 'rename_file', 'move_file',
-    'append_file', 'overwrite_file', 'file_write',
-]);
-const NETWORK_TOOLS = new Set([
-    'fetch', 'http_request', 'curl', 'wget', 'request',
-    'http_get', 'http_post', 'web_request', 'send_request',
-    'make_request', 'api_call',
-]);
-const CREDENTIAL_TOOLS = new Set([
-    'get_secret', 'read_env', 'get_credential', 'get_password',
-    'read_secret', 'fetch_secret', 'env_var', 'get_token',
-    'read_keychain', 'get_api_key',
-]);
-const SPAWN_TIMEOUT_MS = 5000;
-const JSON_RPC_VERSION = '2.0';
-/**
- * Discover MCP server configurations from known config file locations.
- */
-async function discoverMcpConfigs(targetDir) {
-    const configs = new Map();
-    const configPaths = [
-        path.join(targetDir, 'mcp.json'),
-        path.join(targetDir, '.cursor', 'mcp.json'),
-        path.join(targetDir, '.vscode', 'mcp.json'),
-        path.join(os.homedir(), '.claude', 'settings.json'),
-    ];
-    for (const configPath of configPaths) {
-        try {
-            const content = await fs.readFile(configPath, 'utf-8');
-            const parsed = JSON.parse(content);
-            // Handle different config formats
-            const servers = parsed.mcpServers || parsed.servers || {};
-            for (const [name, serverConfig] of Object.entries(servers)) {
-                const config = serverConfig;
-                if (config.command || config.url) {
-                    configs.set(name, {
-                        config: {
-                            command: config.command,
-                            args: config.args,
-                            env: config.env,
-                            url: config.url,
-                        },
-                        configPath,
-                    });
-                }
-            }
-        }
-        catch {
-            // Config file doesn't exist or is invalid, skip
-        }
-    }
-    return configs;
-}
-/**
- * Connect to a stdio MCP server and enumerate its tools.
- */
-async function enumerateStdioTools(serverName, config) {
-    return new Promise((resolve) => {
-        let child = null;
-        let buffer = '';
-        let resolved = false;
-        const cleanup = () => {
-            if (child && !child.killed) {
-                child.kill('SIGTERM');
-            }
-        };
-        const finish = (result) => {
-            if (!resolved) {
-                resolved = true;
-                cleanup();
-                resolve(result);
-            }
-        };
-        // Timeout
-        const timer = setTimeout(() => {
-            finish({ serverName, configPath: '', tools: [], error: 'Timeout after 5s' });
-        }, SPAWN_TIMEOUT_MS);
-        try {
-            child = (0, child_process_1.spawn)(config.command, config.args || [], {
-                stdio: ['pipe', 'pipe', 'pipe'],
-                env: { ...process.env, ...config.env },
-            });
-            child.on('error', (err) => {
-                clearTimeout(timer);
-                finish({ serverName, configPath: '', tools: [], error: err.message });
-            });
-            child.stdout?.on('data', (data) => {
-                buffer += data.toString();
-                // Try to parse JSON-RPC responses
-                const lines = buffer.split('\n');
-                for (const line of lines) {
-                    const trimmed = line.trim();
-                    if (!trimmed)
-                        continue;
-                    try {
-                        const msg = JSON.parse(trimmed);
-                        // Response to initialize
-                        if (msg.id === 1 && msg.result) {
-                            // Send tools/list
-                            const toolsRequest = JSON.stringify({
-                                jsonrpc: JSON_RPC_VERSION,
-                                id: 2,
-                                method: 'tools/list',
-                                params: {},
-                            }) + '\n';
-                            child?.stdin?.write(toolsRequest);
-                        }
-                        // Response to tools/list
-                        if (msg.id === 2 && msg.result) {
-                            clearTimeout(timer);
-                            const tools = (msg.result.tools || []).map((t) => ({
-                                name: t.name,
-                                description: t.description,
-                                inputSchema: t.inputSchema,
-                            }));
-                            finish({ serverName, configPath: '', tools });
-                        }
-                    }
-                    catch {
-                        // Not valid JSON, skip
-                    }
-                }
-                // Keep only the last incomplete line in buffer
-                buffer = lines[lines.length - 1] || '';
-            });
-            // Send initialize request
-            const initRequest = JSON.stringify({
-                jsonrpc: JSON_RPC_VERSION,
-                id: 1,
-                method: 'initialize',
-                params: {
-                    protocolVersion: '2024-11-05',
-                    capabilities: {},
-                    clientInfo: { name: 'hackmyagent-scanner', version: '0.8.0' },
-                },
-            }) + '\n';
-            child.stdin?.write(initRequest);
-        }
-        catch (err) {
-            clearTimeout(timer);
-            finish({ serverName, configPath: '', tools: [], error: err.message });
-        }
-    });
-}
-/**
- * Classify tool capabilities and generate security findings.
- */
-function classifyTools(serverName, configPath, tools) {
-    const findings = [];
-    // MCPTOOL-001: Execution tools
-    const execTools = tools.filter((t) => EXECUTION_TOOLS.has(t.name.toLowerCase()));
-    if (execTools.length > 0) {
-        findings.push({
-            checkId: 'MCPTOOL-001',
-            name: 'MCP server exposes command execution',
-            description: `MCP server "${serverName}" provides tools that can execute arbitrary commands: ${execTools.map((t) => t.name).join(', ')}. This allows the AI to run any system command.`,
-            category: 'mcp-capability',
-            severity: 'critical',
-            passed: false,
-            message: `${serverName}: ${execTools.length} execution tool(s) exposed`,
-            fixable: false,
-            file: configPath,
-            fix: 'Restrict command execution tools or add an allowlist of permitted commands.',
-        });
-    }
-    // MCPTOOL-002: Filesystem write tools
-    const fsWriteTools = tools.filter((t) => FILESYSTEM_WRITE_TOOLS.has(t.name.toLowerCase()));
-    if (fsWriteTools.length > 0) {
-        findings.push({
-            checkId: 'MCPTOOL-002',
-            name: 'MCP server exposes filesystem write',
-            description: `MCP server "${serverName}" provides tools that can write/delete files: ${fsWriteTools.map((t) => t.name).join(', ')}. This allows modifying system files.`,
-            category: 'mcp-capability',
-            severity: 'high',
-            passed: false,
-            message: `${serverName}: ${fsWriteTools.length} filesystem write tool(s) exposed`,
-            fixable: false,
-            file: configPath,
-            fix: 'Add path restrictions to filesystem write tools.',
-        });
-    }
-    // MCPTOOL-003: Unrestricted network tools
-    const netTools = tools.filter((t) => NETWORK_TOOLS.has(t.name.toLowerCase()));
-    if (netTools.length > 0) {
-        findings.push({
-            checkId: 'MCPTOOL-003',
-            name: 'MCP server exposes unrestricted network access',
-            description: `MCP server "${serverName}" provides tools for network requests: ${netTools.map((t) => t.name).join(', ')}. This allows data exfiltration.`,
-            category: 'mcp-capability',
-            severity: 'high',
-            passed: false,
-            message: `${serverName}: ${netTools.length} network tool(s) exposed`,
-            fixable: false,
-            file: configPath,
-            fix: 'Restrict network access to specific domains or add an allowlist.',
-        });
-    }
-    // MCPTOOL-004: Credential-accessing tools
-    const credTools = tools.filter((t) => CREDENTIAL_TOOLS.has(t.name.toLowerCase()));
-    if (credTools.length > 0) {
-        findings.push({
-            checkId: 'MCPTOOL-004',
-            name: 'MCP server exposes credential access',
-            description: `MCP server "${serverName}" provides tools that access credentials: ${credTools.map((t) => t.name).join(', ')}.`,
-            category: 'mcp-capability',
-            severity: 'critical',
-            passed: false,
-            message: `${serverName}: ${credTools.length} credential-accessing tool(s) exposed`,
-            fixable: false,
-            file: configPath,
-            fix: 'Remove credential access tools or use secretless-ai broker for credential isolation.',
-        });
-    }
-    // MCPTOOL-005: Server with 10+ tools and no apparent access control
-    if (tools.length >= 10) {
-        findings.push({
-            checkId: 'MCPTOOL-005',
-            name: 'MCP server exposes excessive tools',
-            description: `MCP server "${serverName}" exposes ${tools.length} tools. Large tool surfaces increase the attack area for prompt injection.`,
-            category: 'mcp-capability',
-            severity: 'medium',
-            passed: false,
-            message: `${serverName}: ${tools.length} tools exposed (threshold: 10)`,
-            fixable: false,
-            file: configPath,
-            fix: 'Reduce the number of exposed tools or implement per-tool access controls.',
-        });
-    }
-    return findings;
-}
-/**
- * Run full MCP tool enumeration scan.
- * Discovers MCP configs, connects to each server, enumerates tools, classifies dangers.
- */
-async function checkMcpToolEnumeration(targetDir, onProgress) {
-    const findings = [];
-    const configs = await discoverMcpConfigs(targetDir);
-    if (configs.size === 0)
-        return findings;
-    onProgress?.(`Found ${configs.size} MCP server(s), enumerating tools...`);
-    for (const [serverName, { config, configPath }] of configs) {
-        onProgress?.(`Scanning ${serverName}...`);
-        if (config.command) {
-            const result = await enumerateStdioTools(serverName, config);
-            if (result.error) {
-                // Non-fatal: server couldn't be reached
-                onProgress?.(`  ${serverName}: ${result.error}`);
-                continue;
-            }
-            const serverFindings = classifyTools(serverName, configPath, result.tools);
-            findings.push(...serverFindings);
-            onProgress?.(`  ${serverName}: ${result.tools.length} tools, ${serverFindings.length} findings`);
-        }
-        // SSE servers would go here (future)
-    }
-    return findings;
-}
-//# sourceMappingURL=mcp-tool-enum.js.map

package/dist/hardening/mcp-tool-enum.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"mcp-tool-enum.js","sourceRoot":"","sources":["../../src/hardening/mcp-tool-enum.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2DH,gDAwCC;AAKD,kDAoGC;AAKD,sCA4FC;AAMD,0DAiCC;AAlVD,iDAAyD;AACzD,gDAAkC;AAClC,2CAA6B;AAC7B,uCAAyB;AAuBzB,sCAAsC;AACtC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM;IACzD,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ;IACpD,eAAe,EAAE,WAAW,EAAE,YAAY;CAC3C,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW;IACvD,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW;IAC3D,aAAa,EAAE,gBAAgB,EAAE,YAAY;CAC9C,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS;IAClD,UAAU,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc;IACtD,cAAc,EAAE,UAAU;CAC3B,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,cAAc;IAC1D,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,WAAW;IACrD,eAAe,EAAE,aAAa;CAC/B,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAK,CAAC;AAC/B,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAE/B;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,SAAiB;IAEjB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA2D,CAAC;IAEnF,MAAM,WAAW,GAAG;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC;KACpD,CAAC;IAEF,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAEnC,kCAAkC;YAClC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;YAE1D,KAAK,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3D,MAAM,MAAM,GAAG,YAAuC,CAAC;gBACvD,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;oBACjC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE;wBAChB,MAAM,EAAE;4BACN,OAAO,EAAE,MAAM,CAAC,OAAiB;4BACjC,IAAI,EAAE,MAAM,CAAC,IAA4B;4BACzC,GAAG,EAAE,MAAM,CAAC,GAAyC;4BACrD,GAAG,EAAE,MAAM,CAAC,GAAyB;yBACtC;wBACD,UAAU;qBACX,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;QAClD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CACvC,UAAkB,EAClB,MAAuB;IAEvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,KAAK,GAAwB,IAAI,CAAC;QACtC,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,MAAM,GAAG,CAAC,MAAuB,EAAE,EAAE;YACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,IAAI,CAAC;gBAChB,OAAO,EAAE,CAAC;gBACV,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;QACH,CAAC,CAAC;QAEF,UAAU;QACV,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC/E,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAErB,IAAI,CAAC;YACH,KAAK,GAAG,IAAA,qBAAK,EAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,GAAG,EAAE;aACvC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACxB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACxE,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACxC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAE1B,kCAAkC;gBAClC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,CAAC,OAAO;wBAAE,SAAS;oBAEvB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;wBAEhC,yBAAyB;wBACzB,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;4BAC/B,kBAAkB;4BAClB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC;gCAClC,OAAO,EAAE,gBAAgB;gCACzB,EAAE,EAAE,CAAC;gCACL,MAAM,EAAE,YAAY;gCACpB,MAAM,EAAE,EAAE;6BACX,CAAC,GAAG,IAAI,CAAC;4BACV,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;wBACpC,CAAC;wBAED,yBAAyB;wBACzB,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;4BAC/B,YAAY,CAAC,KAAK,CAAC,CAAC;4BACpB,MAAM,KAAK,GAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CACvD,CAAC,CAA0B,EAAE,EAAE,CAAC,CAAC;gCAC/B,IAAI,EAAE,CAAC,CAAC,IAAc;gCACtB,WAAW,EAAE,CAAC,CAAC,WAAiC;gCAChD,WAAW,EAAE,CAAC,CAAC,WAAkD;6BAClE,CAAC,CACH,CAAC;4BACF,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;wBAChD,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,uBAAuB;oBACzB,CAAC;gBACH,CAAC;gBACD,+CAA+C;gBAC/C,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,CAAC,CAAC,CAAC;YAEH,0BAA0B;YAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;gBACjC,OAAO,EAAE,gBAAgB;gBACzB,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE;iBAC9D;aACF,CAAC,GAAG,IAAI,CAAC;YACV,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa,CAC3B,UAAkB,EAClB,UAAkB,EAClB,KAAoB;IAEpB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,+BAA+B;IAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACjF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,sCAAsC;YAC5C,WAAW,EAAE,eAAe,UAAU,yDAAyD,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,iDAAiD;YACvL,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,UAAsB;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,SAAS,CAAC,MAAM,4BAA4B;YACvE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,6EAA6E;SACnF,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC3F,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,qCAAqC;YAC3C,WAAW,EAAE,eAAe,UAAU,iDAAiD,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,uCAAuC;YACxK,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,MAAkB;YAC5B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,YAAY,CAAC,MAAM,mCAAmC;YACjF,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,kDAAkD;SACxD,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9E,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,gDAAgD;YACtD,WAAW,EAAE,eAAe,UAAU,0CAA0C,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,kCAAkC;YACxJ,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,MAAkB;YAC5B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,QAAQ,CAAC,MAAM,0BAA0B;YACpE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,kEAAkE;SACxE,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAClF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,sCAAsC;YAC5C,WAAW,EAAE,eAAe,UAAU,6CAA6C,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YAC7H,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,UAAsB;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,SAAS,CAAC,MAAM,uCAAuC;YAClF,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,sFAAsF;SAC5F,CAAC,CAAC;IACL,CAAC;IAED,oEAAoE;IACpE,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,oCAAoC;YAC1C,WAAW,EAAE,eAAe,UAAU,aAAa,KAAK,CAAC,MAAM,4EAA4E;YAC3I,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,QAAoB;YAC9B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,KAAK,CAAC,MAAM,gCAAgC;YACvE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,2EAA2E;SACjF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,uBAAuB,CAC3C,SAAiB,EACjB,UAAsC;IAEtC,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAExC,UAAU,EAAE,CAAC,SAAS,OAAO,CAAC,IAAI,sCAAsC,CAAC,CAAC;IAE1E,KAAK,MAAM,CAAC,UAAU,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC;QAC3D,UAAU,EAAE,CAAC,YAAY,UAAU,KAAK,CAAC,CAAC;QAE1C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAC7D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,wCAAwC;gBACxC,UAAU,EAAE,CAAC,KAAK,UAAU,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;gBACjD,SAAS;YACX,CAAC;YAED,MAAM,cAAc,GAAG,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC3E,QAAQ,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;YAEjC,UAAU,EAAE,CACV,KAAK,UAAU,KAAK,MAAM,CAAC,KAAK,CAAC,MAAM,WAAW,cAAc,CAAC,MAAM,WAAW,CACnF,CAAC;QACJ,CAAC;QACD,qCAAqC;IACvC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/hardening/shell-checks.d.ts

@@ -1,21 +0,0 @@
-/**
- * Shell environment and history scanning checks.
- * Scans ~/.bashrc, ~/.zshrc, ~/.profile, ~/.zshenv for exported secrets
- * and ~/.bash_history, ~/.zsh_history for credentials in command history.
- */
-import type { SecurityFinding } from './security-check';
-export declare const SHELL_CREDENTIAL_PATTERNS: {
-    name: string;
-    pattern: RegExp;
-}[];
-/**
- * Scan shell environment config files for exported secrets.
- * Checks ~/.bashrc, ~/.zshrc, ~/.profile, ~/.zshenv
- */
-export declare function checkShellEnvironment(): Promise<SecurityFinding[]>;
-/**
- * Scan shell history files for credentials.
- * Checks ~/.bash_history, ~/.zsh_history (last 10K lines)
- */
-export declare function checkShellHistory(): Promise<SecurityFinding[]>;
-//# sourceMappingURL=shell-checks.d.ts.map

package/dist/hardening/shell-checks.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"shell-checks.d.ts","sourceRoot":"","sources":["../../src/hardening/shell-checks.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,eAAe,EAAY,MAAM,kBAAkB,CAAC;AAGlE,eAAO,MAAM,yBAAyB;;;GAerC,CAAC;AAiBF;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CA4DxE;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAiFpE"}

package/dist/hardening/shell-checks.js

@@ -1,236 +0,0 @@
-"use strict";
-/**
- * Shell environment and history scanning checks.
- * Scans ~/.bashrc, ~/.zshrc, ~/.profile, ~/.zshenv for exported secrets
- * and ~/.bash_history, ~/.zsh_history for credentials in command history.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SHELL_CREDENTIAL_PATTERNS = void 0;
-exports.checkShellEnvironment = checkShellEnvironment;
-exports.checkShellHistory = checkShellHistory;
-const fs = __importStar(require("fs/promises"));
-const path = __importStar(require("path"));
-const os = __importStar(require("os"));
-// Credential patterns to detect in shell files and LLM configs
-exports.SHELL_CREDENTIAL_PATTERNS = [
-    { name: 'ANTHROPIC_API_KEY', pattern: /sk-ant-api\d{2}-[a-zA-Z0-9_-]{20,}/ },
-    { name: 'OPENAI_API_KEY', pattern: /sk-proj-[a-zA-Z0-9]{20,}/ },
-    { name: 'OPENAI_API_KEY', pattern: /sk-[a-zA-Z0-9]{48,}/ },
-    { name: 'AWS_ACCESS_KEY', pattern: /AKIA[0-9A-Z]{16}/ },
-    { name: 'GITHUB_TOKEN', pattern: /ghp_[a-zA-Z0-9]{36}/ },
-    { name: 'GITHUB_TOKEN', pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/ },
-    { name: 'SLACK_TOKEN', pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/ },
-    { name: 'GOOGLE_API_KEY', pattern: /AIza[0-9A-Za-z_-]{35}/ },
-    { name: 'STRIPE_KEY', pattern: /sk_live_[0-9a-zA-Z]{24,}/ },
-    { name: 'SENDGRID_KEY', pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/ },
-    { name: 'OPENROUTER_KEY', pattern: /sk-or-v1-[a-zA-Z0-9]{48,}/ },
-    { name: 'GROQ_KEY', pattern: /gsk_[a-zA-Z0-9]{20,}/ },
-    { name: 'REPLICATE_TOKEN', pattern: /r8_[a-zA-Z0-9]{20,}/ },
-    { name: 'HUGGINGFACE_TOKEN', pattern: /hf_[a-zA-Z0-9]{20,}/ },
-];
-// Command-line patterns that indicate credentials passed as arguments
-const COMMAND_CREDENTIAL_PATTERNS = [
-    /curl\s+[^\n]*-H\s*["']Authorization:\s*Bearer\s+\S{20,}["']/i,
-    /curl\s+[^\n]*-H\s*["']x-api-key:\s*\S{20,}["']/i,
-    /--api[_-]?key[=\s]+\S{20,}/i,
-    /--token[=\s]+\S{20,}/i,
-    /--secret[=\s]+\S{20,}/i,
-    /--password[=\s]+\S{10,}/i,
-];
-const SHELL_CONFIG_FILES = ['.bashrc', '.zshrc', '.profile', '.zshenv'];
-const HISTORY_FILES = ['.bash_history', '.zsh_history'];
-const MAX_HISTORY_LINES = 10000;
-const MAX_LINE_LENGTH = 10000;
-/**
- * Scan shell environment config files for exported secrets.
- * Checks ~/.bashrc, ~/.zshrc, ~/.profile, ~/.zshenv
- */
-async function checkShellEnvironment() {
-    const findings = [];
-    const homeDir = os.homedir();
-    for (const configFile of SHELL_CONFIG_FILES) {
-        const filePath = path.join(homeDir, configFile);
-        let content;
-        try {
-            content = await fs.readFile(filePath, 'utf-8');
-        }
-        catch {
-            continue; // File doesn't exist, skip
-        }
-        const lines = content.split('\n');
-        for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
-            // Skip empty lines and lines over max length
-            if (!line || line.length > MAX_LINE_LENGTH)
-                continue;
-            // Skip comment lines
-            if (/^\s*#/.test(line))
-                continue;
-            // Skip env var references (${VAR} or $VAR without a literal value)
-            if (/\$\{[A-Z_]+\}/.test(line) || /\$[A-Z_]+/.test(line)) {
-                // But only skip if there's no literal credential pattern
-                let hasCredential = false;
-                for (const { pattern } of exports.SHELL_CREDENTIAL_PATTERNS) {
-                    if (pattern.test(line)) {
-                        hasCredential = true;
-                        break;
-                    }
-                }
-                if (!hasCredential)
-                    continue;
-            }
-            for (const { name, pattern } of exports.SHELL_CREDENTIAL_PATTERNS) {
-                if (pattern.test(line)) {
-                    const checkId = getShellCheckId(name);
-                    findings.push({
-                        checkId,
-                        name: `Exposed ${name} in shell config`,
-                        description: `Found ${name} hardcoded in ~/${configFile}. Credentials in shell config files are loaded into every terminal session and may be captured by AI coding assistants.`,
-                        category: 'credential-exposure',
-                        severity: 'critical',
-                        passed: false,
-                        message: `~/${configFile}:${i + 1} contains ${name}`,
-                        fixable: false,
-                        file: `~/${configFile}`,
-                        line: i + 1,
-                        fix: 'Move credentials to a secret manager. Run: npx secretless-ai doctor',
-                    });
-                    break; // One finding per line
-                }
-            }
-        }
-    }
-    return findings;
-}
-/**
- * Scan shell history files for credentials.
- * Checks ~/.bash_history, ~/.zsh_history (last 10K lines)
- */
-async function checkShellHistory() {
-    const findings = [];
-    const homeDir = os.homedir();
-    for (const histFile of HISTORY_FILES) {
-        const filePath = path.join(homeDir, histFile);
-        let content;
-        try {
-            content = await fs.readFile(filePath, 'utf-8');
-        }
-        catch {
-            continue; // File doesn't exist, skip
-        }
-        const allLines = content.split('\n');
-        // Only scan last MAX_HISTORY_LINES
-        const startIdx = Math.max(0, allLines.length - MAX_HISTORY_LINES);
-        const lines = allLines.slice(startIdx);
-        for (let i = 0; i < lines.length; i++) {
-            let line = lines[i];
-            // Skip empty lines and lines over max length
-            if (!line || line.length > MAX_LINE_LENGTH)
-                continue;
-            // Strip zsh extended history timestamp prefix: `: 1234567890:0;actual command`
-            const zshMatch = line.match(/^:\s*\d+:\d+;(.*)$/);
-            if (zshMatch) {
-                line = zshMatch[1];
-            }
-            const lineNum = startIdx + i + 1;
-            let foundOnLine = false;
-            // Check credential patterns in history (SHELLHIST-001/002)
-            for (const { name, pattern } of exports.SHELL_CREDENTIAL_PATTERNS) {
-                if (pattern.test(line)) {
-                    findings.push({
-                        checkId: getHistoryCheckId(name),
-                        name: 'Credential in shell history',
-                        description: `Found ${name} in ~/${histFile}. Credentials pasted into terminal are stored in history and accessible to any process running as your user.`,
-                        category: 'credential-exposure',
-                        severity: 'high',
-                        passed: false,
-                        message: `~/${histFile}:${lineNum} contains ${name}`,
-                        fixable: false,
-                        file: `~/${histFile}`,
-                        line: lineNum,
-                        fix: 'Clear history entry and use a secret manager. Run: npx secretless-ai scan-history',
-                    });
-                    foundOnLine = true;
-                    break;
-                }
-            }
-            // Check command-line credential patterns (SHELLHIST-003)
-            // Only if we haven't already found a credential pattern on this line
-            if (!foundOnLine) {
-                for (const pattern of COMMAND_CREDENTIAL_PATTERNS) {
-                    if (pattern.test(line)) {
-                        findings.push({
-                            checkId: 'SHELLHIST-003',
-                            name: 'Credential in command arguments',
-                            description: `Found credential passed as command argument in ~/${histFile}. Command-line arguments are visible in process listings and stored in history.`,
-                            category: 'credential-exposure',
-                            severity: 'high',
-                            passed: false,
-                            message: `~/${histFile}:${lineNum} contains credential in command`,
-                            fixable: false,
-                            file: `~/${histFile}`,
-                            line: lineNum,
-                            fix: 'Use environment variables instead of command-line arguments for credentials.',
-                        });
-                        break;
-                    }
-                }
-            }
-        }
-    }
-    return findings;
-}
-function getShellCheckId(credName) {
-    switch (credName) {
-        case 'ANTHROPIC_API_KEY': return 'SHELL-001';
-        case 'OPENAI_API_KEY': return 'SHELL-002';
-        case 'AWS_ACCESS_KEY': return 'SHELL-003';
-        default: return 'SHELL-004';
-    }
-}
-function getHistoryCheckId(credName) {
-    switch (credName) {
-        case 'ANTHROPIC_API_KEY':
-        case 'OPENAI_API_KEY':
-            return 'SHELLHIST-001';
-        case 'AWS_ACCESS_KEY':
-        case 'GITHUB_TOKEN':
-            return 'SHELLHIST-002';
-        default:
-            return 'SHELLHIST-001';
-    }
-}
-//# sourceMappingURL=shell-checks.js.map

package/dist/hardening/shell-checks.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"shell-checks.js","sourceRoot":"","sources":["../../src/hardening/shell-checks.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4CH,sDA4DC;AAMD,8CAiFC;AA7LD,gDAAkC;AAClC,2CAA6B;AAC7B,uCAAyB;AAGzB,+DAA+D;AAClD,QAAA,yBAAyB,GAAG;IACvC,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,oCAAoC,EAAE;IAC5E,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,0BAA0B,EAAE;IAC/D,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,qBAAqB,EAAE;IAC1D,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,kBAAkB,EAAE;IACvD,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,qBAAqB,EAAE;IACxD,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,4CAA4C,EAAE;IAC/E,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,sDAAsD,EAAE;IACxF,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,uBAAuB,EAAE;IAC5D,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,0BAA0B,EAAE;IAC3D,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,0CAA0C,EAAE;IAC7E,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,2BAA2B,EAAE;IAChE,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,sBAAsB,EAAE;IACrD,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,qBAAqB,EAAE;IAC3D,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,qBAAqB,EAAE;CAC9D,CAAC;AAEF,sEAAsE;AACtE,MAAM,2BAA2B,GAAG;IAClC,8DAA8D;IAC9D,iDAAiD;IACjD,6BAA6B;IAC7B,uBAAuB;IACvB,wBAAwB;IACxB,0BAA0B;CAC3B,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;AACxE,MAAM,aAAa,GAAG,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC;AACxD,MAAM,iBAAiB,GAAG,KAAM,CAAC;AACjC,MAAM,eAAe,GAAG,KAAM,CAAC;AAE/B;;;GAGG;AACI,KAAK,UAAU,qBAAqB;IACzC,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAE7B,KAAK,MAAM,UAAU,IAAI,kBAAkB,EAAE,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAEhD,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,2BAA2B;QACvC,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,6CAA6C;YAC7C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe;gBAAE,SAAS;YAErD,qBAAqB;YACrB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEjC,mEAAmE;YACnE,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzD,yDAAyD;gBACzD,IAAI,aAAa,GAAG,KAAK,CAAC;gBAC1B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,iCAAyB,EAAE,CAAC;oBACpD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,aAAa,GAAG,IAAI,CAAC;wBACrB,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,CAAC,aAAa;oBAAE,SAAS;YAC/B,CAAC;YAED,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,iCAAyB,EAAE,CAAC;gBAC1D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;oBACtC,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO;wBACP,IAAI,EAAE,WAAW,IAAI,kBAAkB;wBACvC,WAAW,EAAE,SAAS,IAAI,mBAAmB,UAAU,yHAAyH;wBAChL,QAAQ,EAAE,qBAAqB;wBAC/B,QAAQ,EAAE,UAAsB;wBAChC,MAAM,EAAE,KAAK;wBACb,OAAO,EAAE,KAAK,UAAU,IAAI,CAAC,GAAG,CAAC,aAAa,IAAI,EAAE;wBACpD,OAAO,EAAE,KAAK;wBACd,IAAI,EAAE,KAAK,UAAU,EAAE;wBACvB,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,GAAG,EAAE,qEAAqE;qBAC3E,CAAC,CAAC;oBACH,MAAM,CAAC,uBAAuB;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,iBAAiB;IACrC,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAE7B,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE9C,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,2BAA2B;QACvC,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,mCAAmC;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,iBAAiB,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEpB,6CAA6C;YAC7C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe;gBAAE,SAAS;YAErD,+EAA+E;YAC/E,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;YAED,MAAM,OAAO,GAAG,QAAQ,GAAG,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,WAAW,GAAG,KAAK,CAAC;YAExB,2DAA2D;YAC3D,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,iCAAyB,EAAE,CAAC;gBAC1D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,iBAAiB,CAAC,IAAI,CAAC;wBAChC,IAAI,EAAE,6BAA6B;wBACnC,WAAW,EAAE,SAAS,IAAI,SAAS,QAAQ,8GAA8G;wBACzJ,QAAQ,EAAE,qBAAqB;wBAC/B,QAAQ,EAAE,MAAkB;wBAC5B,MAAM,EAAE,KAAK;wBACb,OAAO,EAAE,KAAK,QAAQ,IAAI,OAAO,aAAa,IAAI,EAAE;wBACpD,OAAO,EAAE,KAAK;wBACd,IAAI,EAAE,KAAK,QAAQ,EAAE;wBACrB,IAAI,EAAE,OAAO;wBACb,GAAG,EAAE,mFAAmF;qBACzF,CAAC,CAAC;oBACH,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,yDAAyD;YACzD,qEAAqE;YACrE,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,KAAK,MAAM,OAAO,IAAI,2BAA2B,EAAE,CAAC;oBAClD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC;4BACZ,OAAO,EAAE,eAAe;4BACxB,IAAI,EAAE,iCAAiC;4BACvC,WAAW,EAAE,oDAAoD,QAAQ,iFAAiF;4BAC1J,QAAQ,EAAE,qBAAqB;4BAC/B,QAAQ,EAAE,MAAkB;4BAC5B,MAAM,EAAE,KAAK;4BACb,OAAO,EAAE,KAAK,QAAQ,IAAI,OAAO,iCAAiC;4BAClE,OAAO,EAAE,KAAK;4BACd,IAAI,EAAE,KAAK,QAAQ,EAAE;4BACrB,IAAI,EAAE,OAAO;4BACb,GAAG,EAAE,8EAA8E;yBACpF,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,mBAAmB,CAAC,CAAC,OAAO,WAAW,CAAC;QAC7C,KAAK,gBAAgB,CAAC,CAAC,OAAO,WAAW,CAAC;QAC1C,KAAK,gBAAgB,CAAC,CAAC,OAAO,WAAW,CAAC;QAC1C,OAAO,CAAC,CAAC,OAAO,WAAW,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACzC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,mBAAmB,CAAC;QACzB,KAAK,gBAAgB;YACnB,OAAO,eAAe,CAAC;QACzB,KAAK,gBAAgB,CAAC;QACtB,KAAK,cAAc;YACjB,OAAO,eAAe,CAAC;QACzB;YACE,OAAO,eAAe,CAAC;IAC3B,CAAC;AACH,CAAC"}

package/dist/nanomind-core/telemetry/auto-update.d.ts

@@ -1,27 +0,0 @@
-/**
- * NanoMind Auto-Update
- *
- * Checks the Registry for newer model versions on each run.
- * Downloads and caches the latest model if available.
- * Never blocks: if check/download fails, use the cached version.
- */
-import { TelemetryConfig } from './config.js';
-export interface ModelVersionInfo {
-    version: string;
-    sha256: string;
-    downloadUrl: string;
-    changelog: string;
-    publishedAt: string;
-}
-/**
- * Check if a newer model version is available.
- * Returns null if check fails or no update available.
- * Respects CHECK_INTERVAL_MS to avoid hammering the registry.
- */
-export declare function checkForUpdate(currentVersion: string, config?: TelemetryConfig): Promise<ModelVersionInfo | null>;
-/**
- * Download and cache a new model version.
- * Returns the local path to the downloaded model, or null on failure.
- */
-export declare function downloadModel(info: ModelVersionInfo): Promise<string | null>;
-//# sourceMappingURL=auto-update.d.ts.map

package/dist/nanomind-core/telemetry/auto-update.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auto-update.d.ts","sourceRoot":"","sources":["../../../src/nanomind-core/telemetry/auto-update.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAc,MAAM,aAAa,CAAC;AAU1D,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAClC,cAAc,EAAE,MAAM,EACtB,MAAM,CAAC,EAAE,eAAe,GACvB,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA4BlC;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmBlF"}