hackmyagent 0.7.2 → 0.8.1

package/dist/semantic/structural/credential-context.js

@@ -0,0 +1,295 @@
+"use strict";
+/**
+ * Context-Aware Credential Detection (Layer 2)
+ *
+ * Catches credentials that regex misses by understanding structure:
+ * - URL passwords (postgres://admin:password123@host)
+ * - Generic tokens in config (key-name heuristics)
+ * - Short API keys below regex thresholds
+ * - Secrets in instruction files (CLAUDE.md, .cursorrules)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialContextAnalyzer = void 0;
+/** Key names that indicate a secret value */
+const SECRET_KEY_PATTERN = /^(.*_)?(secret|token|key|password|passwd|credential|auth|apikey|api_key|access_key|private_key|client_secret|signing_key|encryption_key|master_key|jwt_secret|session_secret|db_password|database_password)(_.*)?$/i;
+/** URL with embedded credentials: protocol://user:password@host
+ * Uses greedy .+ for password to handle @ chars in passwords.
+ * The greedy match backtracks to the last valid @hostname boundary. */
+const URL_CREDENTIAL_PATTERN = /(?:postgres|postgresql|mysql|mongodb|redis|amqp|rabbitmq|ftp|sftp|https?):\/\/([^:]+):(.+)@([a-zA-Z0-9][-a-zA-Z0-9.]*(?::\d+)?(?:\/[^\s"',)]*)?)/gi;
+/** Values that are NOT secrets (env var refs, booleans, paths, etc.) */
+function isNonSecretValue(value) {
+    const trimmed = value.trim().replace(/^["']|["']$/g, '');
+    // Empty or whitespace
+    if (!trimmed || trimmed.length === 0)
+        return true;
+    // Env var reference
+    if (/^\$\{.*\}$/.test(trimmed) || /^\$[A-Z_]+$/.test(trimmed))
+        return true;
+    // Boolean
+    if (/^(true|false)$/i.test(trimmed))
+        return true;
+    // Pure number
+    if (/^\d+(\.\d+)?$/.test(trimmed))
+        return true;
+    // File path (starts with / or ./ or ~/)
+    if (/^[.~]?\//.test(trimmed) && !trimmed.includes('@'))
+        return true;
+    // URL without credentials
+    if (/^https?:\/\/[^:@]*$/.test(trimmed))
+        return true;
+    // Placeholder values
+    if (/^(xxx|your[-_]|change[-_]me|replace[-_]|TODO|FIXME|placeholder|example)/i.test(trimmed))
+        return true;
+    // Common non-secret config values
+    if (/^(localhost|127\.0\.0\.1|0\.0\.0\.0|none|null|undefined|default)$/i.test(trimmed))
+        return true;
+    return false;
+}
+/** Severity based on file location */
+function severityForFile(filePath) {
+    const lower = filePath.toLowerCase();
+    // In LLM context window — exposed to AI provider, extractable via prompt injection
+    if (lower.endsWith('claude.md') ||
+        lower.endsWith('.cursorrules') ||
+        lower.endsWith('.windsurfrules') ||
+        lower.endsWith('.clinerules') ||
+        lower.includes('copilot-instructions')) {
+        return 'critical';
+    }
+    // MCP configs — tool config, often committed
+    if (lower.includes('mcp.json') ||
+        lower.includes('mcp.yaml')) {
+        return 'critical';
+    }
+    // .env files that might be committed
+    if (lower.includes('.env')) {
+        return 'high';
+    }
+    // Config files
+    return 'high';
+}
+/**
+ * Detect URL-embedded passwords
+ */
+function detectUrlPasswords(file) {
+    const findings = [];
+    const lines = file.content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        URL_CREDENTIAL_PATTERN.lastIndex = 0;
+        let match;
+        while ((match = URL_CREDENTIAL_PATTERN.exec(line)) !== null) {
+            const password = match[2];
+            // Skip env var references in URLs
+            if (password.startsWith('${') || password.startsWith('$'))
+                continue;
+            // Skip very short passwords that might be ports
+            if (password.length < 3)
+                continue;
+            findings.push({
+                id: 'SEM-CRED-001',
+                title: 'Password embedded in URL',
+                description: `Database or service URL contains an inline password. The password is visible in plaintext in ${file.path}.`,
+                rationale: 'URL-embedded credentials are logged by proxies, shell history, and process listings. They bypass .env file protections and are easily leaked in stack traces.',
+                category: 'credential',
+                severity: severityForFile(file.path),
+                file: file.path,
+                line: i + 1,
+                recommendation: 'Move the password to an environment variable and reference it: postgresql://${DB_USER}:${DB_PASSWORD}@host/db',
+                layer: 2,
+                autoFixable: false,
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Detect generic tokens via key-name heuristics
+ */
+function detectGenericTokens(file) {
+    const findings = [];
+    const lines = file.content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // JSON key:value patterns
+        const jsonMatch = line.match(/"([^"]+)"\s*:\s*"([^"]+)"/);
+        if (jsonMatch) {
+            const [, key, value] = jsonMatch;
+            if (SECRET_KEY_PATTERN.test(key) && !isNonSecretValue(value)) {
+                // Ensure value looks like it could be a secret (min length, some entropy)
+                if (value.length >= 8 && !/^[a-z]+$/i.test(value)) {
+                    findings.push({
+                        id: 'SEM-CRED-002',
+                        title: 'Hardcoded secret in config',
+                        description: `Key "${key}" contains what appears to be a hardcoded secret value in ${file.path}.`,
+                        rationale: 'Config files with hardcoded secrets are commonly committed to version control. The key name strongly indicates this value should be treated as a secret.',
+                        category: 'credential',
+                        severity: severityForFile(file.path),
+                        file: file.path,
+                        line: i + 1,
+                        recommendation: `Move "${key}" value to an environment variable and reference it with \${${key.toUpperCase().replace(/[^A-Z0-9]/g, '_')}}`,
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                }
+            }
+        }
+        // YAML key: value patterns
+        const yamlMatch = line.match(/^(\s*)([a-zA-Z_][a-zA-Z0-9_-]*)\s*:\s*(.+)$/);
+        if (yamlMatch && !jsonMatch) {
+            const [, , key, rawValue] = yamlMatch;
+            const value = rawValue.trim().replace(/^["']|["']$/g, '');
+            if (SECRET_KEY_PATTERN.test(key) && !isNonSecretValue(value)) {
+                if (value.length >= 8 && !/^[a-z]+$/i.test(value)) {
+                    findings.push({
+                        id: 'SEM-CRED-002',
+                        title: 'Hardcoded secret in config',
+                        description: `Key "${key}" contains what appears to be a hardcoded secret value in ${file.path}.`,
+                        rationale: 'Config files with hardcoded secrets are commonly committed to version control. The key name strongly indicates this value should be treated as a secret.',
+                        category: 'credential',
+                        severity: severityForFile(file.path),
+                        file: file.path,
+                        line: i + 1,
+                        recommendation: `Move "${key}" value to an environment variable.`,
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                }
+            }
+        }
+        // .env KEY=VALUE patterns
+        const envMatch = line.match(/^([A-Z][A-Z0-9_]*)=(.+)$/);
+        if (envMatch) {
+            const [, key, rawValue] = envMatch;
+            const value = rawValue.trim().replace(/^["']|["']$/g, '');
+            if (SECRET_KEY_PATTERN.test(key) && !isNonSecretValue(value)) {
+                if (value.length >= 8 && !/^[a-z]+$/i.test(value)) {
+                    findings.push({
+                        id: 'SEM-CRED-002',
+                        title: 'Hardcoded secret in config',
+                        description: `Environment variable "${key}" contains a hardcoded secret value in ${file.path}.`,
+                        rationale: '.env files with hardcoded secrets should be gitignored. If this file is committed, the secret is exposed in version control history.',
+                        category: 'credential',
+                        severity: severityForFile(file.path),
+                        file: file.path,
+                        line: i + 1,
+                        recommendation: `Ensure ${file.path} is in .gitignore and rotate this credential.`,
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                }
+            }
+        }
+    }
+    return findings;
+}
+/**
+ * Detect credential-like strings in instruction files
+ * (CLAUDE.md, .cursorrules, copilot-instructions.md)
+ *
+ * These files are loaded into the LLM context window,
+ * so ANY credential here is critical severity.
+ */
+function detectCredentialsInInstructions(file) {
+    if (file.type !== 'agent_instructions' &&
+        !file.path.toLowerCase().endsWith('claude.md') &&
+        !file.path.toLowerCase().endsWith('.cursorrules')) {
+        return [];
+    }
+    const findings = [];
+    const lines = file.content.split('\n');
+    // Patterns that look like API keys/tokens (broader than core scanner's regex)
+    const broadCredentialPatterns = [
+        { name: 'API key prefix', pattern: /(?:sk-|pk-|rk-|ak-)[a-zA-Z0-9_-]{16,}/g },
+        { name: 'Bearer token', pattern: /Bearer\s+[a-zA-Z0-9._-]{20,}/g },
+        { name: 'Generic long token', pattern: /(?:token|key|secret|password)\s*[=:]\s*['"]?([a-zA-Z0-9_-]{32,})['"]?/gi },
+        { name: 'Base64 credential', pattern: /(?:password|secret|token|key)\s*[=:]\s*['"]?([A-Za-z0-9+/]{40,}={0,2})['"]?/gi },
+    ];
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { name, pattern } of broadCredentialPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: 'SEM-CRED-003',
+                    title: 'Credential in agent instructions',
+                    description: `Detected ${name} pattern in ${file.path}. This file is loaded into the LLM context window.`,
+                    rationale: 'Agent instruction files (CLAUDE.md, .cursorrules) are sent to the AI provider with every request. Any credential in these files is exposed to the AI provider and can be extracted via prompt injection attacks.',
+                    category: 'credential',
+                    severity: 'critical',
+                    file: file.path,
+                    line: i + 1,
+                    recommendation: 'Remove all credentials from instruction files immediately. Use environment variables or a secrets manager instead.',
+                    layer: 2,
+                    autoFixable: false,
+                });
+                break; // One finding per line
+            }
+        }
+    }
+    return findings;
+}
+/**
+ * Detect secrets passed via MCP server env blocks
+ */
+function detectMcpEnvSecrets(file) {
+    if (file.type !== 'mcp_config' && file.type !== 'claude_settings') {
+        return [];
+    }
+    const findings = [];
+    let config;
+    try {
+        config = JSON.parse(file.content);
+    }
+    catch {
+        return [];
+    }
+    const servers = config.mcpServers || {};
+    const lines = file.content.split('\n');
+    for (const [serverName, serverConfig] of Object.entries(servers)) {
+        if (!serverConfig.env)
+            continue;
+        for (const [key, value] of Object.entries(serverConfig.env)) {
+            if (typeof value !== 'string')
+                continue;
+            if (SECRET_KEY_PATTERN.test(key) && !isNonSecretValue(value)) {
+                // Find the line number
+                let lineNum;
+                for (let i = 0; i < lines.length; i++) {
+                    if (lines[i].includes(`"${key}"`) && lines[i].includes(value.substring(0, 20))) {
+                        lineNum = i + 1;
+                        break;
+                    }
+                }
+                findings.push({
+                    id: 'SEM-CRED-004',
+                    title: 'Secret hardcoded in MCP server config',
+                    description: `MCP server "${serverName}" has secret "${key}" hardcoded in env block of ${file.path}.`,
+                    rationale: 'MCP config files are typically committed to version control. Secrets in the env block are visible in plaintext. Use environment variable references instead.',
+                    category: 'credential',
+                    severity: 'critical',
+                    file: file.path,
+                    line: lineNum,
+                    recommendation: `Replace the hardcoded value with an env var reference: "${key}": "\${${key}}"`,
+                    layer: 2,
+                    autoFixable: false,
+                });
+            }
+        }
+    }
+    return findings;
+}
+class CredentialContextAnalyzer {
+    analyze(files) {
+        const findings = [];
+        for (const file of files) {
+            findings.push(...detectUrlPasswords(file));
+            findings.push(...detectGenericTokens(file));
+            findings.push(...detectCredentialsInInstructions(file));
+            findings.push(...detectMcpEnvSecrets(file));
+        }
+        return findings;
+    }
+}
+exports.CredentialContextAnalyzer = CredentialContextAnalyzer;
+//# sourceMappingURL=credential-context.js.map

package/dist/semantic/structural/credential-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-context.js","sourceRoot":"","sources":["../../../src/semantic/structural/credential-context.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAIH,6CAA6C;AAC7C,MAAM,kBAAkB,GACtB,qNAAqN,CAAC;AAExN;;uEAEuE;AACvE,MAAM,sBAAsB,GAC1B,oJAAoJ,CAAC;AAEvJ,wEAAwE;AACxE,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IAEzD,sBAAsB;IACtB,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAElD,oBAAoB;IACpB,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3E,UAAU;IACV,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjD,cAAc;IACd,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,wCAAwC;IACxC,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,0BAA0B;IAC1B,IAAI,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,qBAAqB;IACrB,IAAI,0EAA0E,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1G,kCAAkC;IAClC,IAAI,oEAAoE,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpG,OAAO,KAAK,CAAC;AACf,CAAC;AAED,sCAAsC;AACtC,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAErC,mFAAmF;IACnF,IACE,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC3B,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC;QAC9B,KAAK,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QAChC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EACtC,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,6CAA6C;IAC7C,IACE,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC1B,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,EAC1B,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,qCAAqC;IACrC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,eAAe;IACf,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,IAAkB;IAC5C,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,sBAAsB,CAAC,SAAS,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC;QAEV,OAAO,CAAC,KAAK,GAAG,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5D,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,kCAAkC;YAClC,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YACpE,gDAAgD;YAChD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS;YAElC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,cAAc;gBAClB,KAAK,EAAE,0BAA0B;gBACjC,WAAW,EAAE,gGAAgG,IAAI,CAAC,IAAI,GAAG;gBACzH,SAAS,EACP,+JAA+J;gBACjK,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;gBACpC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,cAAc,EACZ,+GAA+G;gBACjH,KAAK,EAAE,CAAC;gBACR,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,IAAkB;IAC7C,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,0BAA0B;QAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,CAAC;YACjC,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,0EAA0E;gBAC1E,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAClD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc;wBAClB,KAAK,EAAE,4BAA4B;wBACnC,WAAW,EAAE,QAAQ,GAAG,6DAA6D,IAAI,CAAC,IAAI,GAAG;wBACjG,SAAS,EACP,0JAA0J;wBAC5J,QAAQ,EAAE,YAAY;wBACtB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;wBACpC,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,cAAc,EAAE,SAAS,GAAG,+DAA+D,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG;wBAC1I,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;QAC5E,IAAI,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,MAAM,CAAC,EAAE,AAAD,EAAG,GAAG,EAAE,QAAQ,CAAC,GAAG,SAAS,CAAC;YACtC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;YAC1D,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAClD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc;wBAClB,KAAK,EAAE,4BAA4B;wBACnC,WAAW,EAAE,QAAQ,GAAG,6DAA6D,IAAI,CAAC,IAAI,GAAG;wBACjG,SAAS,EACP,0JAA0J;wBAC5J,QAAQ,EAAE,YAAY;wBACtB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;wBACpC,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,cAAc,EAAE,SAAS,GAAG,qCAAqC;wBACjE,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QACxD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,GAAG,EAAE,QAAQ,CAAC,GAAG,QAAQ,CAAC;YACnC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;YAC1D,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAClD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc;wBAClB,KAAK,EAAE,4BAA4B;wBACnC,WAAW,EAAE,yBAAyB,GAAG,0CAA0C,IAAI,CAAC,IAAI,GAAG;wBAC/F,SAAS,EACP,sIAAsI;wBACxI,QAAQ,EAAE,YAAY;wBACtB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;wBACpC,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,cAAc,EAAE,UAAU,IAAI,CAAC,IAAI,+CAA+C;wBAClF,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,+BAA+B,CAAC,IAAkB;IACzD,IACE,IAAI,CAAC,IAAI,KAAK,oBAAoB;QAClC,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC9C,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,EACjD,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEvC,8EAA8E;IAC9E,MAAM,uBAAuB,GAAG;QAC9B,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,wCAAwC,EAAE;QAC7E,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,+BAA+B,EAAE;QAClE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,yEAAyE,EAAE;QAClH,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,+EAA+E,EAAE;KACxH,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,uBAAuB,EAAE,CAAC;YACxD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,cAAc;oBAClB,KAAK,EAAE,kCAAkC;oBACzC,WAAW,EAAE,YAAY,IAAI,eAAe,IAAI,CAAC,IAAI,oDAAoD;oBACzG,SAAS,EACP,kNAAkN;oBACpN,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,cAAc,EACZ,oHAAoH;oBACtH,KAAK,EAAE,CAAC;oBACR,WAAW,EAAE,KAAK;iBACnB,CAAC,CAAC;gBACH,MAAM,CAAC,uBAAuB;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,IAAkB;IAC7C,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QAClE,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GACV,MAA4E,CAAC,UAAU,IAAI,EAAE,CAAC;IAEjG,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEvC,KAAK,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC,YAAY,CAAC,GAAG;YAAE,SAAS;QAEhC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5D,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,SAAS;YACxC,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7D,uBAAuB;gBACvB,IAAI,OAA2B,CAAC;gBAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;wBAC/E,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;wBAChB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,cAAc;oBAClB,KAAK,EAAE,uCAAuC;oBAC9C,WAAW,EAAE,eAAe,UAAU,iBAAiB,GAAG,+BAA+B,IAAI,CAAC,IAAI,GAAG;oBACrG,SAAS,EACP,8JAA8J;oBAChK,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,OAAO;oBACb,cAAc,EAAE,2DAA2D,GAAG,UAAU,GAAG,IAAI;oBAC/F,KAAK,EAAE,CAAC;oBACR,WAAW,EAAE,KAAK;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAa,yBAAyB;IACpC,OAAO,CAAC,KAAqB;QAC3B,MAAM,QAAQ,GAAsB,EAAE,CAAC;QAEvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5C,QAAQ,CAAC,IAAI,CAAC,GAAG,+BAA+B,CAAC,IAAI,CAAC,CAAC,CAAC;YACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAbD,8DAaC"}

package/dist/semantic/structural/index.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Structural Analyzer (Layer 2 Orchestrator)
+ *
+ * Runs all Layer 2 analyzers against a target directory.
+ * Discovers security-relevant files, classifies them, reads content,
+ * and runs each analyzer.
+ */
+import type { SemanticFinding, AnalysisFile } from '../types';
+export declare class StructuralAnalyzer {
+    private credentialAnalyzer;
+    private mcpAnalyzer;
+    private instructionAnalyzer;
+    private permissionAnalyzer;
+    /**
+     * Discover and analyze all security-relevant files in the target directory.
+     */
+    analyze(targetDir: string): Promise<SemanticFinding[]>;
+    /**
+     * Discover and read security-relevant files.
+     * Exported for use by the MCP server's deep_scan tool.
+     */
+    discoverFiles(targetDir: string): Promise<AnalysisFile[]>;
+}
+export { CredentialContextAnalyzer } from './credential-context';
+export { McpConfigAnalyzer } from './mcp-config';
+export { InstructionAnalyzer } from './instruction';
+export { PermissionModelAnalyzer } from './permission-model';
+//# sourceMappingURL=index.d.ts.map

package/dist/semantic/structural/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/semantic/structural/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAY,MAAM,UAAU,CAAC;AAuCxE,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,kBAAkB,CAAmC;IAC7D,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,mBAAmB,CAA6B;IACxD,OAAO,CAAC,kBAAkB,CAAiC;IAE3D;;OAEG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IAc5D;;;OAGG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;CA6BhE;AAED,OAAO,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/semantic/structural/index.js

@@ -0,0 +1,138 @@
+"use strict";
+/**
+ * Structural Analyzer (Layer 2 Orchestrator)
+ *
+ * Runs all Layer 2 analyzers against a target directory.
+ * Discovers security-relevant files, classifies them, reads content,
+ * and runs each analyzer.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionModelAnalyzer = exports.InstructionAnalyzer = exports.McpConfigAnalyzer = exports.CredentialContextAnalyzer = exports.StructuralAnalyzer = void 0;
+const fs = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+const credential_context_1 = require("./credential-context");
+const mcp_config_1 = require("./mcp-config");
+const instruction_1 = require("./instruction");
+const permission_model_1 = require("./permission-model");
+/** Max file size to read (prevents OOM on huge files) */
+const MAX_FILE_SIZE = 512 * 1024; // 512KB
+/** Security-relevant files to look for */
+const FILE_DISCOVERY = [
+    // Agent instruction files
+    { glob: 'CLAUDE.md', type: 'agent_instructions' },
+    { glob: '.cursorrules', type: 'agent_instructions' },
+    { glob: '.windsurfrules', type: 'agent_instructions' },
+    { glob: '.clinerules', type: 'agent_instructions' },
+    { glob: '.github/copilot-instructions.md', type: 'agent_instructions' },
+    // MCP config files
+    { glob: 'mcp.json', type: 'mcp_config' },
+    { glob: '.cursor/mcp.json', type: 'mcp_config' },
+    { glob: '.vscode/mcp.json', type: 'mcp_config' },
+    // Claude settings
+    { glob: '.claude/settings.json', type: 'claude_settings' },
+    // Env files
+    { glob: '.env', type: 'env_file' },
+    { glob: '.env.local', type: 'env_file' },
+    { glob: '.env.development', type: 'env_file' },
+    { glob: '.env.production', type: 'env_file' },
+    // Config files
+    { glob: 'config.json', type: 'config_file' },
+    { glob: 'config.yaml', type: 'config_file' },
+    { glob: 'config.yml', type: 'config_file' },
+    { glob: 'settings.json', type: 'config_file' },
+];
+class StructuralAnalyzer {
+    constructor() {
+        this.credentialAnalyzer = new credential_context_1.CredentialContextAnalyzer();
+        this.mcpAnalyzer = new mcp_config_1.McpConfigAnalyzer();
+        this.instructionAnalyzer = new instruction_1.InstructionAnalyzer();
+        this.permissionAnalyzer = new permission_model_1.PermissionModelAnalyzer();
+    }
+    /**
+     * Discover and analyze all security-relevant files in the target directory.
+     */
+    async analyze(targetDir) {
+        const files = await this.discoverFiles(targetDir);
+        if (files.length === 0)
+            return [];
+        const findings = [];
+        findings.push(...this.credentialAnalyzer.analyze(files));
+        findings.push(...this.mcpAnalyzer.analyze(files));
+        findings.push(...this.instructionAnalyzer.analyze(files));
+        findings.push(...this.permissionAnalyzer.analyze(files));
+        return findings;
+    }
+    /**
+     * Discover and read security-relevant files.
+     * Exported for use by the MCP server's deep_scan tool.
+     */
+    async discoverFiles(targetDir) {
+        const files = [];
+        for (const { glob, type } of FILE_DISCOVERY) {
+            const filePath = path.join(targetDir, glob);
+            try {
+                const stat = await fs.stat(filePath);
+                if (!stat.isFile())
+                    continue;
+                const truncated = stat.size > MAX_FILE_SIZE;
+                const content = await fs.readFile(filePath, 'utf-8');
+                const finalContent = truncated
+                    ? content.substring(0, MAX_FILE_SIZE)
+                    : content;
+                files.push({
+                    path: glob,
+                    type,
+                    content: finalContent,
+                    truncated,
+                });
+            }
+            catch {
+                // File doesn't exist — skip
+            }
+        }
+        return files;
+    }
+}
+exports.StructuralAnalyzer = StructuralAnalyzer;
+var credential_context_2 = require("./credential-context");
+Object.defineProperty(exports, "CredentialContextAnalyzer", { enumerable: true, get: function () { return credential_context_2.CredentialContextAnalyzer; } });
+var mcp_config_2 = require("./mcp-config");
+Object.defineProperty(exports, "McpConfigAnalyzer", { enumerable: true, get: function () { return mcp_config_2.McpConfigAnalyzer; } });
+var instruction_2 = require("./instruction");
+Object.defineProperty(exports, "InstructionAnalyzer", { enumerable: true, get: function () { return instruction_2.InstructionAnalyzer; } });
+var permission_model_2 = require("./permission-model");
+Object.defineProperty(exports, "PermissionModelAnalyzer", { enumerable: true, get: function () { return permission_model_2.PermissionModelAnalyzer; } });
+//# sourceMappingURL=index.js.map

package/dist/semantic/structural/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/semantic/structural/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,gDAAkC;AAClC,2CAA6B;AAE7B,6DAAiE;AACjE,6CAAiD;AACjD,+CAAoD;AACpD,yDAA6D;AAE7D,yDAAyD;AACzD,MAAM,aAAa,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,QAAQ;AAE1C,0CAA0C;AAC1C,MAAM,cAAc,GAA4C;IAC9D,0BAA0B;IAC1B,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,oBAAoB,EAAE;IACjD,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE;IACpD,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,oBAAoB,EAAE;IACtD,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,oBAAoB,EAAE;IACnD,EAAE,IAAI,EAAE,iCAAiC,EAAE,IAAI,EAAE,oBAAoB,EAAE;IAEvE,mBAAmB;IACnB,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE;IACxC,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,YAAY,EAAE;IAChD,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,YAAY,EAAE;IAEhD,kBAAkB;IAClB,EAAE,IAAI,EAAE,uBAAuB,EAAE,IAAI,EAAE,iBAAiB,EAAE;IAE1D,YAAY;IACZ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE;IAClC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE;IACxC,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,UAAU,EAAE;IAC9C,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE;IAE7C,eAAe;IACf,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE;IAC5C,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE;IAC5C,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,EAAE;IAC3C,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,aAAa,EAAE;CAC/C,CAAC;AAEF,MAAa,kBAAkB;IAA/B;QACU,uBAAkB,GAAG,IAAI,8CAAyB,EAAE,CAAC;QACrD,gBAAW,GAAG,IAAI,8BAAiB,EAAE,CAAC;QACtC,wBAAmB,GAAG,IAAI,iCAAmB,EAAE,CAAC;QAChD,uBAAkB,GAAG,IAAI,0CAAuB,EAAE,CAAC;IAoD7D,CAAC;IAlDC;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,SAAiB;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAElC,MAAM,QAAQ,GAAsB,EAAE,CAAC;QAEvC,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAClD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAEzD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,KAAK,GAAmB,EAAE,CAAC;QAEjC,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,cAAc,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAE5C,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACrC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;oBAAE,SAAS;gBAE7B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;gBAC5C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBACrD,MAAM,YAAY,GAAG,SAAS;oBAC5B,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,aAAa,CAAC;oBACrC,CAAC,CAAC,OAAO,CAAC;gBAEZ,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,IAAI;oBACV,IAAI;oBACJ,OAAO,EAAE,YAAY;oBACrB,SAAS;iBACV,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,4BAA4B;YAC9B,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAxDD,gDAwDC;AAED,2DAAiE;AAAxD,+HAAA,yBAAyB,OAAA;AAClC,2CAAiD;AAAxC,+GAAA,iBAAiB,OAAA;AAC1B,6CAAoD;AAA3C,kHAAA,mBAAmB,OAAA;AAC5B,uDAA6D;AAApD,2HAAA,uBAAuB,OAAA"}

package/dist/semantic/structural/instruction.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Agent Instruction Static Analysis (Layer 2)
+ *
+ * Analyzes CLAUDE.md, .cursorrules, .windsurfrules, .clinerules,
+ * copilot-instructions.md for security issues:
+ * - Overly permissive instructions
+ * - Exfiltration enablement
+ * - Missing security boundaries
+ * - Large attack surface
+ */
+import type { SemanticFinding, AnalysisFile } from '../types';
+export declare class InstructionAnalyzer {
+    analyze(files: AnalysisFile[]): SemanticFinding[];
+    private checkPermissiveInstructions;
+    private checkExfiltrationEnablement;
+    private checkMissingSecurityBoundaries;
+    private checkLargeAttackSurface;
+}
+//# sourceMappingURL=instruction.d.ts.map

package/dist/semantic/structural/instruction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"instruction.d.ts","sourceRoot":"","sources":["../../../src/semantic/structural/instruction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAiD9D,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,KAAK,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;IAiBjD,OAAO,CAAC,2BAA2B;IAgCnC,OAAO,CAAC,2BAA2B;IAgCnC,OAAO,CAAC,8BAA8B;IA8BtC,OAAO,CAAC,uBAAuB;CAyBhC"}