laxy-verify 1.3.0 → 1.3.1

package/dist/route-discovery.d.ts

@@ -0,0 +1,7 @@
+export interface RuntimeRouteDiscoveryResult {
+    routes: string[];
+    scriptUrls: string[];
+}
+export declare function extractScriptUrlsFromHtml(html: string, baseUrl: string): string[];
+export declare function extractRoutesFromText(content: string): string[];
+export declare function discoverRuntimeRoutes(baseUrl: string): Promise<RuntimeRouteDiscoveryResult>;

package/dist/route-discovery.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractScriptUrlsFromHtml = extractScriptUrlsFromHtml;
+exports.extractRoutesFromText = extractRoutesFromText;
+exports.discoverRuntimeRoutes = discoverRuntimeRoutes;
+const SCRIPT_SRC_REGEX = /<script[^>]+src=["']([^"'#?]+(?:\?[^"'#]*)?)["']/gi;
+const HTML_ROUTE_REGEX = /(?:href|data-href)=["'](\/[^"'#? ]*)/gi;
+const ROUTE_SNIPPET_REGEXES = [
+    /(?:path|pathname|href|to|route|router\.push|navigate)\s*[:=(]\s*["'`]((?:\/(?!\/)[^"'`?#]+))["'`]/g,
+    /["'`]((?:\/(?!\/)[a-z0-9][^"'`?#]*))["'`]/gi,
+];
+function normalizeRoute(candidate) {
+    const decoded = candidate
+        .replace(/\\u002F/gi, "/")
+        .replace(/\\\//g, "/")
+        .trim();
+    if (!decoded.startsWith("/"))
+        return null;
+    const normalized = decoded
+        .split("?")[0]
+        ?.split("#")[0]
+        ?.replace(/\/+/g, "/")
+        ?.replace(/\/$/, "") || "/";
+    if (normalized === "/" || normalized.length < 2)
+        return null;
+    if (normalized.startsWith("/_next/") || normalized.startsWith("/api/"))
+        return null;
+    if (/[.*:[\]]/.test(normalized))
+        return null;
+    if (/\.[a-z0-9]{2,8}$/i.test(normalized))
+        return null;
+    if (/\s/.test(normalized))
+        return null;
+    if (!/^\/[a-z0-9/_-]+$/i.test(normalized))
+        return null;
+    return normalized;
+}
+function extractScriptUrlsFromHtml(html, baseUrl) {
+    const urls = [];
+    const seen = new Set();
+    for (const match of html.matchAll(SCRIPT_SRC_REGEX)) {
+        const raw = match[1];
+        if (!raw)
+            continue;
+        try {
+            const scriptUrl = new URL(raw, baseUrl);
+            if (scriptUrl.origin !== new URL(baseUrl).origin)
+                continue;
+            const href = scriptUrl.href;
+            if (!seen.has(href)) {
+                seen.add(href);
+                urls.push(href);
+            }
+        }
+        catch {
+            // Ignore malformed URLs.
+        }
+    }
+    return urls;
+}
+function extractRoutesFromText(content) {
+    const routes = [];
+    const seen = new Set();
+    for (const regex of ROUTE_SNIPPET_REGEXES) {
+        for (const match of content.matchAll(regex)) {
+            const route = normalizeRoute(match[1] ?? "");
+            if (!route || seen.has(route))
+                continue;
+            seen.add(route);
+            routes.push(route);
+        }
+    }
+    return routes;
+}
+async function discoverRuntimeRoutes(baseUrl) {
+    const htmlRes = await fetch(baseUrl, {
+        signal: AbortSignal.timeout(8000),
+        headers: { accept: "text/html,application/xhtml+xml" },
+    });
+    const html = await htmlRes.text();
+    const routes = new Set(extractRoutesFromText(html));
+    for (const match of html.matchAll(HTML_ROUTE_REGEX)) {
+        const route = normalizeRoute(match[1] ?? "");
+        if (route)
+            routes.add(route);
+    }
+    const scriptUrls = extractScriptUrlsFromHtml(html, baseUrl)
+        .filter((url) => /\/_next\/static\/chunks\/|assets\/|static\/|build\//i.test(url))
+        .slice(0, 10);
+    await Promise.all(scriptUrls.map(async (scriptUrl) => {
+        try {
+            const res = await fetch(scriptUrl, { signal: AbortSignal.timeout(5000) });
+            if (!res.ok)
+                return;
+            const content = await res.text();
+            for (const route of extractRoutesFromText(content)) {
+                routes.add(route);
+            }
+        }
+        catch {
+            // Skip chunk fetch failures. This is best-effort coverage expansion.
+        }
+    }));
+    return {
+        routes: Array.from(routes).sort((a, b) => a.localeCompare(b)),
+        scriptUrls,
+    };
+}

package/dist/security-audit.d.ts

@@ -1,17 +1,17 @@
-export interface SecurityAuditResult {
-    totalVulnerabilities: number;
-    critical: number;
-    high: number;
-    moderate: number;
-    low: number;
-    summary: string;
-    missingHeaders: string[];
-    headerCheckUrl?: string;
-    headerCheckError?: string;
-}
-export declare function auditSecurityHeaders(url: string): Promise<{
-    missingHeaders: string[];
-    checkedUrl: string;
-    error?: string;
-}>;
-export declare function runSecurityAudit(cwd: string, appUrl?: string, timeoutMs?: number): Promise<SecurityAuditResult>;
+export interface SecurityAuditResult {
+    totalVulnerabilities: number;
+    critical: number;
+    high: number;
+    moderate: number;
+    low: number;
+    summary: string;
+    missingHeaders: string[];
+    headerCheckUrl?: string;
+    headerCheckError?: string;
+}
+export declare function auditSecurityHeaders(url: string): Promise<{
+    missingHeaders: string[];
+    checkedUrl: string;
+    error?: string;
+}>;
+export declare function runSecurityAudit(cwd: string, appUrl?: string, timeoutMs?: number): Promise<SecurityAuditResult>;

package/dist/security-audit.js

@@ -1,127 +1,127 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.auditSecurityHeaders = auditSecurityHeaders;
-exports.runSecurityAudit = runSecurityAudit;
-/**
- * npm audit wrapper plus runtime security-header checks.
- *
- * The package audit catches known dependency vulnerabilities.
- * The header audit adds shallow runtime coverage for common missing
- * browser-enforced protections on the running app.
- */
-const node_child_process_1 = require("node:child_process");
-async function runNpmAudit(cwd, timeoutMs) {
-    return new Promise((resolve) => {
-        const chunks = [];
-        const proc = process.platform === "win32"
-            ? (0, node_child_process_1.spawn)(process.env.ComSpec || "cmd.exe", ["/d", "/c", "npm audit --json"], {
-                stdio: ["ignore", "pipe", "pipe"],
-                cwd,
-            })
-            : (0, node_child_process_1.spawn)("npm", ["audit", "--json"], {
-                shell: true,
-                stdio: ["ignore", "pipe", "pipe"],
-                cwd,
-            });
-        const timer = setTimeout(() => {
-            try {
-                proc.kill();
-            }
-            catch { }
-            resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
-        }, timeoutMs);
-        proc.stdout?.on("data", (chunk) => chunks.push(chunk.toString()));
-        proc.stderr?.on("data", () => { });
-        proc.on("exit", () => {
-            clearTimeout(timer);
-            try {
-                const json = JSON.parse(chunks.join(""));
-                const meta = json.metadata?.vulnerabilities ?? json.vulnerabilities ?? {};
-                const critical = meta.critical ?? 0;
-                const high = meta.high ?? 0;
-                const moderate = meta.moderate ?? 0;
-                const low = meta.low ?? 0;
-                resolve({
-                    totalVulnerabilities: critical + high + moderate + low,
-                    critical,
-                    high,
-                    moderate,
-                    low,
-                });
-            }
-            catch {
-                resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
-            }
-        });
-    });
-}
-async function auditSecurityHeaders(url) {
-    const requiredHeaders = ["X-Frame-Options", "Content-Security-Policy"];
-    const urlObj = new URL(url);
-    if (urlObj.protocol === "https:") {
-        requiredHeaders.push("Strict-Transport-Security");
-    }
-    let response;
-    try {
-        response = await fetch(url, {
-            method: "HEAD",
-            redirect: "follow",
-            signal: AbortSignal.timeout(5000),
-        });
-    }
-    catch {
-        try {
-            response = await fetch(url, {
-                method: "GET",
-                redirect: "follow",
-                signal: AbortSignal.timeout(5000),
-            });
-        }
-        catch (error) {
-            return {
-                missingHeaders: [],
-                checkedUrl: url,
-                error: error instanceof Error ? error.message : String(error),
-            };
-        }
-    }
-    const missingHeaders = requiredHeaders.filter((headerName) => !response.headers.get(headerName));
-    return {
-        missingHeaders,
-        checkedUrl: response.url || url,
-    };
-}
-async function runSecurityAudit(cwd, appUrl, timeoutMs = 30000) {
-    console.log("  Running security audit (npm audit + runtime headers)...");
-    const [npmAudit, headerAudit] = await Promise.all([
-        runNpmAudit(cwd, timeoutMs),
-        appUrl ? auditSecurityHeaders(appUrl) : Promise.resolve(null),
-    ]);
-    const parts = [];
-    if (npmAudit.critical > 0)
-        parts.push(`${npmAudit.critical} critical`);
-    if (npmAudit.high > 0)
-        parts.push(`${npmAudit.high} high`);
-    if (npmAudit.moderate > 0)
-        parts.push(`${npmAudit.moderate} moderate`);
-    if (npmAudit.low > 0)
-        parts.push(`${npmAudit.low} low`);
-    const missingHeaders = headerAudit?.missingHeaders ?? [];
-    if (missingHeaders.length > 0) {
-        parts.push(`missing headers: ${missingHeaders.join(", ")}`);
-    }
-    if (headerAudit?.error) {
-        parts.push(`header check skipped: ${headerAudit.error}`);
-    }
-    const summary = parts.length > 0
-        ? parts.join(" | ")
-        : "No known vulnerabilities or missing security headers";
-    console.log(`  Security: ${summary}`);
-    return {
-        ...npmAudit,
-        summary,
-        missingHeaders,
-        headerCheckUrl: headerAudit?.checkedUrl,
-        headerCheckError: headerAudit?.error,
-    };
-}
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditSecurityHeaders = auditSecurityHeaders;
+exports.runSecurityAudit = runSecurityAudit;
+/**
+ * npm audit wrapper plus runtime security-header checks.
+ *
+ * The package audit catches known dependency vulnerabilities.
+ * The header audit adds shallow runtime coverage for common missing
+ * browser-enforced protections on the running app.
+ */
+const node_child_process_1 = require("node:child_process");
+async function runNpmAudit(cwd, timeoutMs) {
+    return new Promise((resolve) => {
+        const chunks = [];
+        const proc = process.platform === "win32"
+            ? (0, node_child_process_1.spawn)(process.env.ComSpec || "cmd.exe", ["/d", "/c", "npm audit --json"], {
+                stdio: ["ignore", "pipe", "pipe"],
+                cwd,
+            })
+            : (0, node_child_process_1.spawn)("npm", ["audit", "--json"], {
+                shell: true,
+                stdio: ["ignore", "pipe", "pipe"],
+                cwd,
+            });
+        const timer = setTimeout(() => {
+            try {
+                proc.kill();
+            }
+            catch { }
+            resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
+        }, timeoutMs);
+        proc.stdout?.on("data", (chunk) => chunks.push(chunk.toString()));
+        proc.stderr?.on("data", () => { });
+        proc.on("exit", () => {
+            clearTimeout(timer);
+            try {
+                const json = JSON.parse(chunks.join(""));
+                const meta = json.metadata?.vulnerabilities ?? json.vulnerabilities ?? {};
+                const critical = meta.critical ?? 0;
+                const high = meta.high ?? 0;
+                const moderate = meta.moderate ?? 0;
+                const low = meta.low ?? 0;
+                resolve({
+                    totalVulnerabilities: critical + high + moderate + low,
+                    critical,
+                    high,
+                    moderate,
+                    low,
+                });
+            }
+            catch {
+                resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
+            }
+        });
+    });
+}
+async function auditSecurityHeaders(url) {
+    const requiredHeaders = ["X-Frame-Options", "Content-Security-Policy"];
+    const urlObj = new URL(url);
+    if (urlObj.protocol === "https:") {
+        requiredHeaders.push("Strict-Transport-Security");
+    }
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "HEAD",
+            redirect: "follow",
+            signal: AbortSignal.timeout(5000),
+        });
+    }
+    catch {
+        try {
+            response = await fetch(url, {
+                method: "GET",
+                redirect: "follow",
+                signal: AbortSignal.timeout(5000),
+            });
+        }
+        catch (error) {
+            return {
+                missingHeaders: [],
+                checkedUrl: url,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    const missingHeaders = requiredHeaders.filter((headerName) => !response.headers.get(headerName));
+    return {
+        missingHeaders,
+        checkedUrl: response.url || url,
+    };
+}
+async function runSecurityAudit(cwd, appUrl, timeoutMs = 30000) {
+    console.log("  Running security audit (npm audit + runtime headers)...");
+    const [npmAudit, headerAudit] = await Promise.all([
+        runNpmAudit(cwd, timeoutMs),
+        appUrl ? auditSecurityHeaders(appUrl) : Promise.resolve(null),
+    ]);
+    const parts = [];
+    if (npmAudit.critical > 0)
+        parts.push(`${npmAudit.critical} critical`);
+    if (npmAudit.high > 0)
+        parts.push(`${npmAudit.high} high`);
+    if (npmAudit.moderate > 0)
+        parts.push(`${npmAudit.moderate} moderate`);
+    if (npmAudit.low > 0)
+        parts.push(`${npmAudit.low} low`);
+    const missingHeaders = headerAudit?.missingHeaders ?? [];
+    if (missingHeaders.length > 0) {
+        parts.push(`missing headers: ${missingHeaders.join(", ")}`);
+    }
+    if (headerAudit?.error) {
+        parts.push(`header check skipped: ${headerAudit.error}`);
+    }
+    const summary = parts.length > 0
+        ? parts.join(" | ")
+        : "No known vulnerabilities or missing security headers";
+    console.log(`  Security: ${summary}`);
+    return {
+        ...npmAudit,
+        summary,
+        missingHeaders,
+        headerCheckUrl: headerAudit?.checkedUrl,
+        headerCheckError: headerAudit?.error,
+    };
+}