kramscan 0.2.0 → 0.3.0

package/dist/core/diff-engine.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.diffScanResults = diffScanResults;
+/**
+ * Creates a unique fingerprint for a vulnerability to enable comparison.
+ */
+function vulnFingerprint(v) {
+    return `${v.type}:${v.severity}:${v.title}:${new URL(v.url).pathname}`;
+}
+/**
+ * Compares two scan results and produces a diff of new and resolved vulnerabilities.
+ */
+function diffScanResults(previous, current) {
+    const prevFingerprints = new Map();
+    const currFingerprints = new Map();
+    for (const v of previous.vulnerabilities) {
+        prevFingerprints.set(vulnFingerprint(v), v);
+    }
+    for (const v of current.vulnerabilities) {
+        currFingerprints.set(vulnFingerprint(v), v);
+    }
+    const newVulnerabilities = [];
+    const resolvedVulnerabilities = [];
+    let unchangedCount = 0;
+    // Find new vulnerabilities (in current but not in previous)
+    for (const [fp, vuln] of currFingerprints) {
+        if (!prevFingerprints.has(fp)) {
+            newVulnerabilities.push(vuln);
+        }
+        else {
+            unchangedCount++;
+        }
+    }
+    // Find resolved vulnerabilities (in previous but not in current)
+    for (const [fp, vuln] of prevFingerprints) {
+        if (!currFingerprints.has(fp)) {
+            resolvedVulnerabilities.push(vuln);
+        }
+    }
+    return {
+        newVulnerabilities,
+        resolvedVulnerabilities,
+        unchangedCount,
+        previousTotal: previous.vulnerabilities.length,
+        currentTotal: current.vulnerabilities.length,
+    };
+}

package/dist/core/scan-index.d.ts

@@ -13,6 +13,7 @@ export interface ScanIndexEntry {
         low: number;
         info: number;
     };
+    score?: number;
 }
 export declare function addScanToIndex(entry: Omit<ScanIndexEntry, "id">): Promise<ScanIndexEntry>;
 export declare function listScans(limit?: number): Promise<ScanIndexEntry[]>;

package/dist/core/scanner.js

@@ -30,7 +30,7 @@ class Scanner extends events_1.EventEmitter {
     maxLinksPerPage = 50;
     includePatterns = [];
     excludePatterns = [];
-    userAgent = "KramScan/0.1.0";
+    userAgent = "KramScan/0.2.0";
     scanErrors = [];
     pluginErrors = new Map();
     usePlugins = true;
@@ -63,6 +63,11 @@ class Scanner extends events_1.EventEmitter {
         plugins_1.pluginManager.register(new plugins_2.SecurityHeadersPlugin());
         plugins_1.pluginManager.register(new plugins_2.SensitiveDataPlugin());
         plugins_1.pluginManager.register(new plugins_2.CSRFPlugin());
+        plugins_1.pluginManager.register(new plugins_2.CORSAnalyzerPlugin());
+        plugins_1.pluginManager.register(new plugins_2.DebugEndpointPlugin());
+        plugins_1.pluginManager.register(new plugins_2.DirectoryTraversalPlugin());
+        plugins_1.pluginManager.register(new plugins_2.CookieSecurityPlugin());
+        plugins_1.pluginManager.register(new plugins_2.OpenRedirectPlugin());
     }
     // Type-safe event emitter methods
     emit(event, data) {
@@ -189,6 +194,7 @@ class Scanner extends events_1.EventEmitter {
                 testedForms: this.testedForms,
                 requestsMade: this.requestsMade,
             },
+            score: this.detector.calculateScore(),
         };
         this.emit("scan:complete", { result });
         return result;

package/dist/core/server-probe.d.ts

@@ -0,0 +1,20 @@
+export interface ProbeResult {
+    reachable: boolean;
+    statusCode?: number;
+    server?: string;
+    framework?: string;
+    responseTime: number;
+}
+/**
+ * Probes a localhost URL for server readiness.
+ * Polls with exponential backoff until the server responds or timeout is reached.
+ */
+export declare function probeServer(url: string, options?: {
+    timeout?: number;
+    interval?: number;
+    maxAttempts?: number;
+}): Promise<ProbeResult>;
+/**
+ * Checks if a URL points to localhost.
+ */
+export declare function isLocalhost(url: string): boolean;

package/dist/core/server-probe.js

@@ -0,0 +1,109 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.probeServer = probeServer;
+exports.isLocalhost = isLocalhost;
+const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+/**
+ * Probes a localhost URL for server readiness.
+ * Polls with exponential backoff until the server responds or timeout is reached.
+ */
+async function probeServer(url, options = {}) {
+    const { timeout = 30000, interval = 1000, maxAttempts = 20 } = options;
+    const startTime = Date.now();
+    let attempts = 0;
+    let lastError = null;
+    while (attempts < maxAttempts && Date.now() - startTime < timeout) {
+        attempts++;
+        try {
+            const result = await pingUrl(url);
+            if (result.reachable) {
+                return result;
+            }
+            lastError = `HTTP ${result.statusCode}`;
+        }
+        catch (err) {
+            lastError = err.message;
+        }
+        // Exponential backoff with cap
+        const delay = Math.min(interval * Math.pow(1.5, attempts - 1), 5000);
+        await sleep(delay);
+    }
+    return {
+        reachable: false,
+        responseTime: Date.now() - startTime,
+    };
+}
+/**
+ * Single ping to a URL — returns immediately.
+ */
+function pingUrl(url) {
+    return new Promise((resolve, reject) => {
+        const startTime = Date.now();
+        const parsedUrl = new URL(url);
+        const client = parsedUrl.protocol === "https:" ? https_1.default : http_1.default;
+        const req = client.get(url, {
+            timeout: 5000,
+            rejectUnauthorized: false, // Allow self-signed certs in dev
+        }, (res) => {
+            const responseTime = Date.now() - startTime;
+            const server = res.headers["server"] || undefined;
+            const poweredBy = res.headers["x-powered-by"] || "";
+            // Detect framework from headers
+            let framework;
+            if (poweredBy.includes("Express"))
+                framework = "Express.js";
+            else if (poweredBy.includes("Next.js"))
+                framework = "Next.js";
+            else if (poweredBy.includes("Nuxt"))
+                framework = "Nuxt.js";
+            else if (poweredBy.includes("PHP"))
+                framework = "PHP";
+            else if (poweredBy.includes("ASP.NET"))
+                framework = "ASP.NET";
+            else if (res.headers["x-django-request-id"])
+                framework = "Django";
+            else if (res.headers["x-request-id"] && server?.includes("nginx"))
+                framework = "Rails/nginx";
+            // Consume body to free socket
+            res.resume();
+            resolve({
+                reachable: (res.statusCode || 0) >= 100 && (res.statusCode || 0) < 600,
+                statusCode: res.statusCode,
+                server: server,
+                framework,
+                responseTime,
+            });
+        });
+        req.on("error", (err) => {
+            reject(err);
+        });
+        req.on("timeout", () => {
+            req.destroy();
+            reject(new Error("Connection timed out"));
+        });
+    });
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Checks if a URL points to localhost.
+ */
+function isLocalhost(url) {
+    try {
+        const parsed = new URL(url);
+        const host = parsed.hostname.toLowerCase();
+        return (host === "localhost" ||
+            host === "127.0.0.1" ||
+            host === "0.0.0.0" ||
+            host === "::1" ||
+            host.endsWith(".localhost"));
+    }
+    catch {
+        return false;
+    }
+}

package/dist/core/vulnerability-detector.d.ts

@@ -28,6 +28,7 @@ export interface ScanResult {
         testedForms: number;
         requestsMade: number;
     };
+    score: number;
 }
 export declare class VulnerabilityDetector {
     private vulnerabilities;
@@ -59,5 +60,10 @@ export declare class VulnerabilityDetector {
         low: number;
         info: number;
     };
+    /**
+     * Calculates a security score from 0-100
+     * 100 is perfect, 0 is very poor
+     */
+    calculateScore(): number;
     clear(): void;
 }

package/dist/core/vulnerability-detector.js

@@ -452,6 +452,27 @@ class VulnerabilityDetector {
         }
         return summary;
     }
+    /**
+     * Calculates a security score from 0-100
+     * 100 is perfect, 0 is very poor
+     */
+    calculateScore() {
+        if (this.vulnerabilities.length === 0)
+            return 100;
+        const weights = {
+            critical: 25,
+            high: 10,
+            medium: 5,
+            low: 2,
+            info: 0,
+        };
+        let totalDeduction = 0;
+        for (const vuln of this.vulnerabilities) {
+            totalDeduction += weights[vuln.severity] || 0;
+        }
+        const score = Math.max(0, 100 - totalDeduction);
+        return Math.round(score);
+    }
     clear() {
         this.vulnerabilities = [];
         this.reportedHeaders.clear();

package/dist/plugins/index.d.ts

@@ -5,3 +5,8 @@ export { SQLInjectionPlugin } from "./vulnerabilities/SQLInjectionPlugin";
 export { SecurityHeadersPlugin } from "./vulnerabilities/SecurityHeadersPlugin";
 export { SensitiveDataPlugin } from "./vulnerabilities/SensitiveDataPlugin";
 export { CSRFPlugin } from "./vulnerabilities/CSRFPlugin";
+export { CORSAnalyzerPlugin } from "./vulnerabilities/CORSAnalyzerPlugin";
+export { DebugEndpointPlugin } from "./vulnerabilities/DebugEndpointPlugin";
+export { DirectoryTraversalPlugin } from "./vulnerabilities/DirectoryTraversalPlugin";
+export { CookieSecurityPlugin } from "./vulnerabilities/CookieSecurityPlugin";
+export { OpenRedirectPlugin } from "./vulnerabilities/OpenRedirectPlugin";

package/dist/plugins/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CSRFPlugin = exports.SensitiveDataPlugin = exports.SecurityHeadersPlugin = exports.SQLInjectionPlugin = exports.XSSPlugin = exports.pluginManager = exports.PluginManager = exports.BaseVulnerabilityPlugin = void 0;
+exports.OpenRedirectPlugin = exports.CookieSecurityPlugin = exports.DirectoryTraversalPlugin = exports.DebugEndpointPlugin = exports.CORSAnalyzerPlugin = exports.CSRFPlugin = exports.SensitiveDataPlugin = exports.SecurityHeadersPlugin = exports.SQLInjectionPlugin = exports.XSSPlugin = exports.pluginManager = exports.PluginManager = exports.BaseVulnerabilityPlugin = void 0;
 var types_1 = require("./types");
 Object.defineProperty(exports, "BaseVulnerabilityPlugin", { enumerable: true, get: function () { return types_1.BaseVulnerabilityPlugin; } });
 var PluginManager_1 = require("./PluginManager");
@@ -17,3 +17,13 @@ var SensitiveDataPlugin_1 = require("./vulnerabilities/SensitiveDataPlugin");
 Object.defineProperty(exports, "SensitiveDataPlugin", { enumerable: true, get: function () { return SensitiveDataPlugin_1.SensitiveDataPlugin; } });
 var CSRFPlugin_1 = require("./vulnerabilities/CSRFPlugin");
 Object.defineProperty(exports, "CSRFPlugin", { enumerable: true, get: function () { return CSRFPlugin_1.CSRFPlugin; } });
+var CORSAnalyzerPlugin_1 = require("./vulnerabilities/CORSAnalyzerPlugin");
+Object.defineProperty(exports, "CORSAnalyzerPlugin", { enumerable: true, get: function () { return CORSAnalyzerPlugin_1.CORSAnalyzerPlugin; } });
+var DebugEndpointPlugin_1 = require("./vulnerabilities/DebugEndpointPlugin");
+Object.defineProperty(exports, "DebugEndpointPlugin", { enumerable: true, get: function () { return DebugEndpointPlugin_1.DebugEndpointPlugin; } });
+var DirectoryTraversalPlugin_1 = require("./vulnerabilities/DirectoryTraversalPlugin");
+Object.defineProperty(exports, "DirectoryTraversalPlugin", { enumerable: true, get: function () { return DirectoryTraversalPlugin_1.DirectoryTraversalPlugin; } });
+var CookieSecurityPlugin_1 = require("./vulnerabilities/CookieSecurityPlugin");
+Object.defineProperty(exports, "CookieSecurityPlugin", { enumerable: true, get: function () { return CookieSecurityPlugin_1.CookieSecurityPlugin; } });
+var OpenRedirectPlugin_1 = require("./vulnerabilities/OpenRedirectPlugin");
+Object.defineProperty(exports, "OpenRedirectPlugin", { enumerable: true, get: function () { return OpenRedirectPlugin_1.OpenRedirectPlugin; } });

package/dist/plugins/vulnerabilities/CORSAnalyzerPlugin.d.ts

@@ -0,0 +1,10 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class CORSAnalyzerPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "CORS Analyzer";
+    readonly type: "header";
+    readonly description = "Detects overly permissive Cross-Origin Resource Sharing configurations";
+    private readonly reportedHosts;
+    analyzeHeaders(context: PluginContext, headers: Record<string, string>): Promise<Vulnerability[]>;
+    reset(): void;
+}

package/dist/plugins/vulnerabilities/CORSAnalyzerPlugin.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CORSAnalyzerPlugin = void 0;
+const types_1 = require("../types");
+class CORSAnalyzerPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "CORS Analyzer";
+    type = "header";
+    description = "Detects overly permissive Cross-Origin Resource Sharing configurations";
+    reportedHosts = new Set();
+    async analyzeHeaders(context, headers) {
+        const host = new URL(context.url).host;
+        // Only report once per host
+        if (this.reportedHosts.has(host)) {
+            return [];
+        }
+        const vulnerabilities = [];
+        const acao = headers["access-control-allow-origin"];
+        const acac = headers["access-control-allow-credentials"];
+        const acam = headers["access-control-allow-methods"];
+        const acah = headers["access-control-allow-headers"];
+        // Check for wildcard origin
+        if (acao === "*") {
+            vulnerabilities.push(this.createVulnerability("CORS: Wildcard Origin Allowed", `The server at ${host} allows requests from any origin (Access-Control-Allow-Origin: *). ` +
+                `This can expose sensitive data to malicious third-party websites.`, context.url, "medium", `Access-Control-Allow-Origin: *`, "Restrict Access-Control-Allow-Origin to trusted domains only. " +
+                "Use a whitelist of allowed origins instead of the wildcard *.", "CWE-942"));
+        }
+        // Check for wildcard with credentials (very dangerous)
+        if (acao === "*" && acac?.toLowerCase() === "true") {
+            vulnerabilities.push(this.createVulnerability("CORS: Wildcard Origin with Credentials", `The server at ${host} allows any origin AND sends credentials. ` +
+                `This is a critical misconfiguration that can lead to complete session hijacking.`, context.url, "critical", `Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true`, "Never combine wildcard origin with credentials. " +
+                "Validate the Origin header against a strict whitelist and reflect only trusted origins.", "CWE-942"));
+        }
+        // Check if origin is reflected without validation (test with a probe)
+        if (acao && acao !== "*" && acao !== "null") {
+            // If the ACAO reflects back what looks like an origin, it might be reflecting without validation
+            const isLikelyReflecting = acao.includes("://") && !acao.includes(host);
+            if (isLikelyReflecting && acac?.toLowerCase() === "true") {
+                vulnerabilities.push(this.createVulnerability("CORS: Origin Reflection with Credentials", `The server at ${host} appears to reflect the Origin header value while also allowing credentials. ` +
+                    `An attacker can make authenticated requests from any origin.`, context.url, "high", `Access-Control-Allow-Origin: ${acao}, Access-Control-Allow-Credentials: true`, "Validate the Origin header against a strict whitelist of trusted domains. " +
+                    "Never blindly reflect the Origin header.", "CWE-942"));
+            }
+        }
+        // Check for null origin allowed (can be exploited via sandboxed iframes)
+        if (acao === "null") {
+            vulnerabilities.push(this.createVulnerability("CORS: Null Origin Allowed", `The server at ${host} accepts the 'null' origin. ` +
+                `Attackers can exploit this using sandboxed iframes or data URIs.`, context.url, "medium", `Access-Control-Allow-Origin: null`, "Do not allow the 'null' origin. Sandboxed iframes and redirects can send Origin: null.", "CWE-942"));
+        }
+        // Check for dangerous methods
+        if (acam) {
+            const dangerousMethods = ["PUT", "DELETE", "PATCH"];
+            const allowedMethods = acam.toUpperCase().split(",").map(m => m.trim());
+            const exposed = dangerousMethods.filter(m => allowedMethods.includes(m));
+            if (exposed.length > 0 && acao === "*") {
+                vulnerabilities.push(this.createVulnerability("CORS: Dangerous Methods with Wildcard Origin", `The server at ${host} allows ${exposed.join(", ")} methods from any origin. ` +
+                    `This could allow unauthorized data modification from third-party sites.`, context.url, "high", `Access-Control-Allow-Methods: ${acam}; Access-Control-Allow-Origin: *`, "Restrict allowed methods to those actually needed, and never combine with wildcard origin.", "CWE-942"));
+            }
+        }
+        if (vulnerabilities.length > 0) {
+            this.reportedHosts.add(host);
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedHosts.clear();
+    }
+}
+exports.CORSAnalyzerPlugin = CORSAnalyzerPlugin;

package/dist/plugins/vulnerabilities/CookieSecurityPlugin.d.ts

@@ -0,0 +1,10 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class CookieSecurityPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Cookie Security Auditor";
+    readonly type: "header";
+    readonly description = "Audits cookies for missing security flags (HttpOnly, Secure, SameSite)";
+    private readonly reportedCookies;
+    analyzeHeaders(context: PluginContext, headers: Record<string, string>): Promise<Vulnerability[]>;
+    reset(): void;
+}

package/dist/plugins/vulnerabilities/CookieSecurityPlugin.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CookieSecurityPlugin = void 0;
+const types_1 = require("../types");
+class CookieSecurityPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Cookie Security Auditor";
+    type = "header";
+    description = "Audits cookies for missing security flags (HttpOnly, Secure, SameSite)";
+    reportedCookies = new Set();
+    async analyzeHeaders(context, headers) {
+        const vulnerabilities = [];
+        const host = new URL(context.url).host;
+        // Collect all set-cookie headers
+        const setCookieHeader = headers["set-cookie"];
+        if (!setCookieHeader)
+            return [];
+        // set-cookie headers might be combined with newlines in some scenarios
+        const cookies = setCookieHeader.split(/,(?=[^;]*=)/g).map(c => c.trim());
+        for (const cookie of cookies) {
+            const cookieName = cookie.split("=")[0]?.trim();
+            if (!cookieName)
+                continue;
+            const cookieKey = `${host}:${cookieName}`;
+            if (this.reportedCookies.has(cookieKey))
+                continue;
+            const cookieLower = cookie.toLowerCase();
+            const issues = [];
+            // Check HttpOnly flag
+            if (!cookieLower.includes("httponly")) {
+                issues.push("Missing HttpOnly flag (vulnerable to XSS cookie theft)");
+            }
+            // Check Secure flag
+            if (!cookieLower.includes("secure")) {
+                issues.push("Missing Secure flag (cookie sent over HTTP)");
+            }
+            // Check SameSite attribute
+            if (!cookieLower.includes("samesite")) {
+                issues.push("Missing SameSite attribute (vulnerable to CSRF)");
+            }
+            else if (cookieLower.includes("samesite=none")) {
+                if (!cookieLower.includes("secure")) {
+                    issues.push("SameSite=None without Secure flag (browser will reject)");
+                }
+                issues.push("SameSite=None allows cross-site requests (verify this is intentional)");
+            }
+            // Check for session-like cookies with missing flags
+            const isSessionCookie = /^(sess|session|sid|token|auth|jwt|csrf|xsrf|connect\.sid|phpsessid|jsessionid|asp\.net_sessionid)/i.test(cookieName);
+            if (issues.length > 0) {
+                const severity = isSessionCookie
+                    ? (issues.some(i => i.includes("HttpOnly")) ? "high" : "medium")
+                    : "low";
+                this.reportedCookies.add(cookieKey);
+                vulnerabilities.push(this.createVulnerability(`Insecure Cookie: ${cookieName}`, `The cookie '${cookieName}' on ${host} has security issues:\n` +
+                    issues.map(i => `  • ${i}`).join("\n"), context.url, severity, `Set-Cookie: ${cookie.substring(0, 200)}`, "Set all cookies with: HttpOnly (prevents JS access), " +
+                    "Secure (HTTPS only), SameSite=Lax or Strict (CSRF protection). " +
+                    "Example: Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Lax; Path=/", "CWE-614"));
+            }
+            // Check for overly broad domain
+            const domainMatch = cookie.match(/domain=([^;]+)/i);
+            if (domainMatch) {
+                const domain = domainMatch[1].trim();
+                if (domain.startsWith(".") && domain.split(".").length <= 2) {
+                    this.reportedCookies.add(cookieKey + ":domain");
+                    vulnerabilities.push(this.createVulnerability(`Cookie Domain Too Broad: ${cookieName}`, `The cookie '${cookieName}' has domain set to '${domain}', which allows ` +
+                        `any subdomain to read this cookie. This increases the attack surface.`, context.url, "low", `Domain=${domain}`, "Set the cookie domain to the most specific subdomain possible.", "CWE-1275"));
+                }
+            }
+            // Check for missing expiry on session cookies (persistent session)
+            if (isSessionCookie && !cookieLower.includes("expires") && !cookieLower.includes("max-age")) {
+                // This is actually good practice (session cookie dies with browser close)
+                // But if there's _no_ expiry and it's NOT a session cookie, flag it
+            }
+            else if (isSessionCookie && cookieLower.includes("max-age")) {
+                const maxAgeMatch = cookie.match(/max-age=(\d+)/i);
+                if (maxAgeMatch) {
+                    const maxAge = parseInt(maxAgeMatch[1], 10);
+                    const thirtyDays = 30 * 24 * 60 * 60;
+                    if (maxAge > thirtyDays) {
+                        vulnerabilities.push(this.createVulnerability(`Long-Lived Session Cookie: ${cookieName}`, `The session cookie '${cookieName}' has a very long lifetime (${Math.round(maxAge / 86400)} days). ` +
+                            `Long-lived session tokens increase the window for token theft.`, context.url, "low", `Max-Age=${maxAge} (${Math.round(maxAge / 86400)} days)`, "Set session cookie lifetime to the minimum needed (e.g., 24 hours for most apps).", "CWE-613"));
+                    }
+                }
+            }
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedCookies.clear();
+    }
+}
+exports.CookieSecurityPlugin = CookieSecurityPlugin;

package/dist/plugins/vulnerabilities/DebugEndpointPlugin.d.ts

@@ -0,0 +1,15 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class DebugEndpointPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Debug Endpoint Detector";
+    readonly type: "info";
+    readonly description = "Probes for common debug, admin, and development endpoints left exposed";
+    private readonly reportedPaths;
+    /**
+     * Common debug/dev endpoints that developers forget to disable before deployment.
+     * Each entry has a path, a human-readable name, and expected severity.
+     */
+    private readonly debugEndpoints;
+    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+    reset(): void;
+}