mcp-security-scanner 1.0.0

package/dist/static/analyzers/prototype-pollution.js

@@ -0,0 +1,80 @@
+import { findCallExpressions, getCallName, getQualifiedCallName, getLocation, containsUserInput, SyntaxKind } from "../ast-engine.js";
+import { getCallEvidence } from "../taint-tracker.js";
+export function analyzePrototypePollution(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        const calls = findCallExpressions(sf);
+        for (const call of calls) {
+            const qname = getQualifiedCallName(call);
+            // Object.assign with user input
+            if (qname === "Object.assign") {
+                const args = call.getArguments();
+                if (args.length >= 2 && containsUserInput(args[args.length - 1])) {
+                    const loc = getLocation(call);
+                    counter++;
+                    findings.push({
+                        id: `SAST-PROTO-${String(counter).padStart(3, "0")}`,
+                        title: "Prototype Pollution via Object.assign()",
+                        severity: "high",
+                        owasp_mcp: "MCP05",
+                        owasp_mcp_title: "Command Injection & Code Execution",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: getCallEvidence(call),
+                        remediation: "Filter __proto__, constructor, and prototype properties from user input before passing to Object.assign(). Use a safe merge utility.",
+                        cwe: "CWE-1321",
+                    });
+                }
+            }
+            // JSON.parse followed by spread/assign
+            if (getCallName(call) === "parse" && qname === "JSON.parse") {
+                if (containsUserInput(call)) {
+                    const loc = getLocation(call);
+                    counter++;
+                    findings.push({
+                        id: `SAST-PROTO-${String(counter).padStart(3, "0")}`,
+                        title: "JSON.parse() with Untrusted Input",
+                        severity: "medium",
+                        owasp_mcp: "MCP05",
+                        owasp_mcp_title: "Command Injection & Code Execution",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: getCallEvidence(call),
+                        remediation: "Validate JSON.parse output before using in Object.assign/spread. Filter __proto__ and constructor keys.",
+                        cwe: "CWE-1321",
+                    });
+                }
+            }
+        }
+        // Check for bracket notation with user input: obj[userInput]
+        const elementAccess = sf.getDescendantsOfKind(SyntaxKind.ElementAccessExpression);
+        for (const ea of elementAccess) {
+            const arg = ea.getArgumentExpression();
+            if (arg && containsUserInput(arg)) {
+                const loc = getLocation(ea);
+                counter++;
+                findings.push({
+                    id: `SAST-PROTO-${String(counter).padStart(3, "0")}`,
+                    title: "Dynamic Property Access with User Input",
+                    severity: "medium",
+                    owasp_mcp: "MCP05",
+                    owasp_mcp_title: "Command Injection & Code Execution",
+                    category: "static",
+                    file: loc.file,
+                    line: loc.line,
+                    column: loc.column,
+                    evidence: ea.getText().substring(0, 200),
+                    remediation: "Validate property names against an allowlist before using bracket notation with user input. Block __proto__, constructor, prototype.",
+                    cwe: "CWE-1321",
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=prototype-pollution.js.map

package/dist/static/analyzers/prototype-pollution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prototype-pollution.js","sourceRoot":"","sources":["../../../src/static/analyzers/prototype-pollution.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,oBAAoB,EAAE,WAAW,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACtI,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,UAAU,yBAAyB,CAAC,WAAyB;IACjE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAEzC,gCAAgC;YAChC,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;gBAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;gBACjC,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjE,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;oBAC9B,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACpD,KAAK,EAAE,yCAAyC;wBAChD,QAAQ,EAAE,MAAM;wBAChB,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,oCAAoC;wBACrD,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;wBAC/B,WAAW,EAAE,sIAAsI;wBACnJ,GAAG,EAAE,UAAU;qBAChB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,OAAO,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;gBAC5D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;oBAC9B,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACpD,KAAK,EAAE,mCAAmC;wBAC1C,QAAQ,EAAE,QAAQ;wBAClB,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,oCAAoC;wBACrD,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;wBAC/B,WAAW,EAAE,yGAAyG;wBACtH,GAAG,EAAE,UAAU;qBAChB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,6DAA6D;QAC7D,MAAM,aAAa,GAAG,EAAE,CAAC,oBAAoB,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;QAClF,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,EAAE,CAAC,qBAAqB,EAAE,CAAC;YACvC,IAAI,GAAG,IAAI,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;gBAC5B,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACpD,KAAK,EAAE,yCAAyC;oBAChD,QAAQ,EAAE,QAAQ;oBAClB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,oCAAoC;oBACrD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBACxC,WAAW,EAAE,sIAAsI;oBACnJ,GAAG,EAAE,UAAU;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/regex-dos.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeRegexDos(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=regex-dos.d.ts.map

package/dist/static/analyzers/regex-dos.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex-dos.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/regex-dos.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAWvD,wBAAgB,eAAe,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAuEpE"}

package/dist/static/analyzers/regex-dos.js

@@ -0,0 +1,78 @@
+import { getLocation, SyntaxKind } from "../ast-engine.js";
+// Patterns that indicate ReDoS vulnerability
+const REDOS_PATTERNS = [
+    /\(.*[+*].*\)[+*]/, // Nested quantifiers: (a+)+
+    /\(.*\|.*\)[+*]/, // Alternation in quantified group: (a|b)+
+    /\([^)]*[+*][^)]*[+*][^)]*\)/, // Multiple quantifiers in group
+    /(.)\+\1\+/, // Overlapping quantifiers like a+a+
+];
+export function analyzeRegexDos(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        // Check RegExp literals
+        const regexLiterals = sf.getDescendantsOfKind(SyntaxKind.RegularExpressionLiteral);
+        for (const regex of regexLiterals) {
+            const text = regex.getText();
+            // Remove the /flags part to get pattern
+            const pattern = text.slice(1, text.lastIndexOf("/"));
+            for (const redos of REDOS_PATTERNS) {
+                if (redos.test(pattern)) {
+                    const loc = getLocation(regex);
+                    counter++;
+                    findings.push({
+                        id: `SAST-REDOS-${String(counter).padStart(3, "0")}`,
+                        title: "Potential ReDoS Pattern",
+                        severity: "medium",
+                        owasp_mcp: "MCP05",
+                        owasp_mcp_title: "Command Injection & Code Execution",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: `Regex literal with potential catastrophic backtracking: ${text.substring(0, 100)}`,
+                        remediation: "Refactor regex to avoid nested quantifiers and overlapping alternations. Consider using a regex engine with backtracking limits.",
+                        cwe: "CWE-1333",
+                    });
+                    break;
+                }
+            }
+        }
+        // Check new RegExp() with string arguments for same patterns
+        const newExprs = sf.getDescendantsOfKind(SyntaxKind.NewExpression);
+        for (const expr of newExprs) {
+            if (expr.getExpression().getText() !== "RegExp")
+                continue;
+            const args = expr.getArguments();
+            if (args.length === 0)
+                continue;
+            const firstArg = args[0];
+            if (firstArg.getKind() === SyntaxKind.StringLiteral) {
+                const pattern = firstArg.getText().replace(/^['"]|['"]$/g, "");
+                for (const redos of REDOS_PATTERNS) {
+                    if (redos.test(pattern)) {
+                        const loc = getLocation(expr);
+                        counter++;
+                        findings.push({
+                            id: `SAST-REDOS-${String(counter).padStart(3, "0")}`,
+                            title: "Potential ReDoS in new RegExp()",
+                            severity: "medium",
+                            owasp_mcp: "MCP05",
+                            owasp_mcp_title: "Command Injection & Code Execution",
+                            category: "static",
+                            file: loc.file,
+                            line: loc.line,
+                            column: loc.column,
+                            evidence: `new RegExp() with potential backtracking: ${expr.getText().substring(0, 100)}`,
+                            remediation: "Refactor regex pattern to avoid nested quantifiers. Consider using a safe regex library.",
+                            cwe: "CWE-1333",
+                        });
+                        break;
+                    }
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=regex-dos.js.map

package/dist/static/analyzers/regex-dos.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex-dos.js","sourceRoot":"","sources":["../../../src/static/analyzers/regex-dos.ts"],"names":[],"mappings":"AAEA,OAAO,EAAsB,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE/E,6CAA6C;AAC7C,MAAM,cAAc,GAAa;IAC/B,kBAAkB,EAAY,4BAA4B;IAC1D,gBAAgB,EAAc,0CAA0C;IACxE,6BAA6B,EAAE,gCAAgC;IAC/D,WAAW,EAAoB,oCAAoC;CACpE,CAAC;AAEF,MAAM,UAAU,eAAe,CAAC,WAAyB;IACvD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,wBAAwB;QACxB,MAAM,aAAa,GAAG,EAAE,CAAC,oBAAoB,CAAC,UAAU,CAAC,wBAAwB,CAAC,CAAC;QACnF,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;YAC7B,wCAAwC;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;YAErD,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;gBACnC,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACxB,MAAM,GAAG,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;oBAC/B,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACpD,KAAK,EAAE,yBAAyB;wBAChC,QAAQ,EAAE,QAAQ;wBAClB,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,oCAAoC;wBACrD,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,2DAA2D,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBAC7F,WAAW,EAAE,kIAAkI;wBAC/I,GAAG,EAAE,UAAU;qBAChB,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,6DAA6D;QAC7D,MAAM,QAAQ,GAAG,EAAE,CAAC,oBAAoB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QACnE,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,KAAK,QAAQ;gBAAE,SAAS;YAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEhC,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACzB,IAAI,QAAQ,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,aAAa,EAAE,CAAC;gBACpD,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;gBAC/D,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;oBACnC,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACxB,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;wBAC9B,OAAO,EAAE,CAAC;wBACV,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;4BACpD,KAAK,EAAE,iCAAiC;4BACxC,QAAQ,EAAE,QAAQ;4BAClB,SAAS,EAAE,OAAO;4BAClB,eAAe,EAAE,oCAAoC;4BACrD,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,MAAM,EAAE,GAAG,CAAC,MAAM;4BAClB,QAAQ,EAAE,6CAA6C,IAAI,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;4BACzF,WAAW,EAAE,0FAA0F;4BACvG,GAAG,EAAE,UAAU;yBAChB,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/secret-hardcoded.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeHardcodedSecrets(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=secret-hardcoded.d.ts.map

package/dist/static/analyzers/secret-hardcoded.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-hardcoded.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/secret-hardcoded.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAIvD,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAuE5E"}

package/dist/static/analyzers/secret-hardcoded.js

@@ -0,0 +1,70 @@
+import { findStringLiterals, findTemplateExpressions, getLocation } from "../ast-engine.js";
+import { SECRET_PATTERNS } from "../../data/secret-patterns.js";
+export function analyzeHardcodedSecrets(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        // Skip test files
+        const filePath = sf.getFilePath();
+        if (filePath.includes(".test.") || filePath.includes(".spec.") || filePath.includes("__test__"))
+            continue;
+        // Check string literals
+        const strings = findStringLiterals(sf);
+        for (const str of strings) {
+            const value = str.getLiteralText();
+            if (value.length < 8)
+                continue; // Skip short strings
+            for (const pattern of SECRET_PATTERNS) {
+                if (pattern.pattern.test(value)) {
+                    const loc = getLocation(str);
+                    counter++;
+                    // Mask the secret in evidence
+                    const masked = value.substring(0, 8) + "..." + value.substring(value.length - 4);
+                    findings.push({
+                        id: `SAST-SECRET-${String(counter).padStart(3, "0")}`,
+                        title: `Hardcoded ${pattern.name}`,
+                        severity: pattern.severity,
+                        owasp_mcp: "MCP01",
+                        owasp_mcp_title: "Excessive Privilege & Token Mismanagement",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: `${pattern.name} found in string literal: "${masked}"`,
+                        remediation: "Move secrets to environment variables. Use process.env to read them at runtime. Never commit secrets to source code.",
+                        cwe: "CWE-798",
+                    });
+                    break; // One finding per string
+                }
+            }
+        }
+        // Check template literals
+        const templates = findTemplateExpressions(sf);
+        for (const tmpl of templates) {
+            const text = tmpl.getText();
+            for (const pattern of SECRET_PATTERNS) {
+                if (pattern.pattern.test(text)) {
+                    const loc = getLocation(tmpl);
+                    counter++;
+                    findings.push({
+                        id: `SAST-SECRET-${String(counter).padStart(3, "0")}`,
+                        title: `Hardcoded ${pattern.name} in Template Literal`,
+                        severity: pattern.severity,
+                        owasp_mcp: "MCP01",
+                        owasp_mcp_title: "Excessive Privilege & Token Mismanagement",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: `${pattern.name} found in template literal`,
+                        remediation: "Move secrets to environment variables. Use process.env to read them at runtime.",
+                        cwe: "CWE-798",
+                    });
+                    break;
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=secret-hardcoded.js.map

package/dist/static/analyzers/secret-hardcoded.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-hardcoded.js","sourceRoot":"","sources":["../../../src/static/analyzers/secret-hardcoded.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,WAAW,EAAoB,MAAM,kBAAkB,CAAC;AAC9G,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,MAAM,UAAU,uBAAuB,CAAC,WAAyB;IAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,kBAAkB;QAClB,MAAM,QAAQ,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;QAClC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,SAAS;QAE1G,wBAAwB;QACxB,MAAM,OAAO,GAAG,kBAAkB,CAAC,EAAE,CAAC,CAAC;QACvC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS,CAAC,qBAAqB;YAErD,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;gBACtC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAChC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;oBAC7B,OAAO,EAAE,CAAC;oBAEV,8BAA8B;oBAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;oBAEjF,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,eAAe,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACrD,KAAK,EAAE,aAAa,OAAO,CAAC,IAAI,EAAE;wBAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,2CAA2C;wBAC5D,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,GAAG,OAAO,CAAC,IAAI,8BAA8B,MAAM,GAAG;wBAChE,WAAW,EAAE,sHAAsH;wBACnI,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;oBACH,MAAM,CAAC,yBAAyB;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,MAAM,SAAS,GAAG,uBAAuB,CAAC,EAAE,CAAC,CAAC;QAC9C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;gBACtC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/B,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;oBAC9B,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,eAAe,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACrD,KAAK,EAAE,aAAa,OAAO,CAAC,IAAI,sBAAsB;wBACtD,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,2CAA2C;wBAC5D,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,GAAG,OAAO,CAAC,IAAI,4BAA4B;wBACrD,WAAW,EAAE,iFAAiF;wBAC9F,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/ssrf.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeSsrf(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=ssrf.d.ts.map

package/dist/static/analyzers/ssrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/ssrf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAMvD,wBAAgB,WAAW,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAqChE"}

package/dist/static/analyzers/ssrf.js

@@ -0,0 +1,39 @@
+import { findCallExpressions, getCallName, getLocation, containsUserInput } from "../ast-engine.js";
+import { getCallEvidence } from "../taint-tracker.js";
+const SSRF_NAMES = new Set(["fetch", "get", "post", "put", "delete", "patch", "request"]);
+export function analyzeSsrf(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        const calls = findCallExpressions(sf);
+        for (const call of calls) {
+            const name = getCallName(call);
+            if (!SSRF_NAMES.has(name))
+                continue;
+            const args = call.getArguments();
+            if (args.length === 0)
+                continue;
+            const firstArg = args[0];
+            if (!containsUserInput(firstArg))
+                continue;
+            const loc = getLocation(call);
+            counter++;
+            findings.push({
+                id: `SAST-SSRF-${String(counter).padStart(3, "0")}`,
+                title: `Potential SSRF via ${name}()`,
+                severity: "high",
+                owasp_mcp: "MCP05",
+                owasp_mcp_title: "Command Injection & Code Execution",
+                category: "static",
+                file: loc.file,
+                line: loc.line,
+                column: loc.column,
+                evidence: getCallEvidence(call),
+                remediation: "Validate and allowlist URLs before making requests. Never pass user-controlled input directly as request URLs.",
+                cwe: "CWE-918",
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=ssrf.js.map

package/dist/static/analyzers/ssrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf.js","sourceRoot":"","sources":["../../../src/static/analyzers/ssrf.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACpG,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;AAE1F,MAAM,UAAU,WAAW,CAAC,WAAyB;IACnD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEpC,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEhC,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACzB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAE3C,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;YAEV,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,aAAa,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACnD,KAAK,EAAE,sBAAsB,IAAI,IAAI;gBACrC,QAAQ,EAAE,MAAM;gBAChB,SAAS,EAAE,OAAO;gBAClB,eAAe,EAAE,oCAAoC;gBACrD,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;gBAC/B,WAAW,EAAE,gHAAgH;gBAC7H,GAAG,EAAE,SAAS;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/unsafe-regex.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeUnsafeRegex(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=unsafe-regex.d.ts.map

package/dist/static/analyzers/unsafe-regex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unsafe-regex.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/unsafe-regex.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAGvD,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAoCvE"}

package/dist/static/analyzers/unsafe-regex.js

@@ -0,0 +1,36 @@
+import { findNewRegExpCalls, getLocation, containsUserInput } from "../ast-engine.js";
+export function analyzeUnsafeRegex(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        const regexpCalls = findNewRegExpCalls(sf);
+        for (const call of regexpCalls) {
+            const args = call.getChildrenOfKind(18); // SyntaxList children
+            // Get first argument
+            const firstArg = call.getChildren().find(c => {
+                const kind = c.getKindName();
+                return kind === "SyntaxList";
+            });
+            if (containsUserInput(call)) {
+                const loc = getLocation(call);
+                counter++;
+                findings.push({
+                    id: `SAST-REGEX-${String(counter).padStart(3, "0")}`,
+                    title: "User Input in new RegExp()",
+                    severity: "high",
+                    owasp_mcp: "MCP05",
+                    owasp_mcp_title: "Command Injection & Code Execution",
+                    category: "static",
+                    file: loc.file,
+                    line: loc.line,
+                    column: loc.column,
+                    evidence: call.getText().substring(0, 200),
+                    remediation: "Escape user input before passing to new RegExp(). Use a function like escapeRegExp(str) { return str.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&'); }",
+                    cwe: "CWE-185",
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=unsafe-regex.js.map

package/dist/static/analyzers/unsafe-regex.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unsafe-regex.js","sourceRoot":"","sources":["../../../src/static/analyzers/unsafe-regex.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAEtF,MAAM,UAAU,kBAAkB,CAAC,WAAyB;IAC1D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,WAAW,GAAG,kBAAkB,CAAC,EAAE,CAAC,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB;YAC/D,qBAAqB;YACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC3C,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC7B,OAAO,IAAI,KAAK,YAAY,CAAC;YAC/B,CAAC,CAAC,CAAC;YAEH,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;gBAC9B,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACpD,KAAK,EAAE,4BAA4B;oBACnC,QAAQ,EAAE,MAAM;oBAChB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,oCAAoC;oBACrD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,QAAQ,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,WAAW,EAAE,qJAAqJ;oBAClK,GAAG,EAAE,SAAS;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/ast-engine.d.ts

@@ -0,0 +1,22 @@
+import { Project, SourceFile, SyntaxKind, Node, CallExpression, StringLiteral } from "ts-morph";
+export interface AstProject {
+    project: Project;
+    sourceFiles: SourceFile[];
+    rootDir: string;
+}
+export declare function initProject(path: string, tsconfigPath?: string): AstProject;
+export declare function findCallExpressions(sourceFile: SourceFile): CallExpression[];
+export declare function getCallName(call: CallExpression): string;
+export declare function getQualifiedCallName(call: CallExpression): string;
+export declare function containsUserInput(node: Node): boolean;
+export declare function getLocation(node: Node): {
+    file: string;
+    line: number;
+    column: number;
+};
+export declare function findStringLiterals(sourceFile: SourceFile): StringLiteral[];
+export declare function findTemplateExpressions(sourceFile: SourceFile): Node[];
+export declare function hasShellTrue(call: CallExpression): boolean;
+export declare function findNewRegExpCalls(sourceFile: SourceFile): Node[];
+export { SyntaxKind, Node, type SourceFile, type CallExpression };
+//# sourceMappingURL=ast-engine.d.ts.map

package/dist/static/ast-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-engine.d.ts","sourceRoot":"","sources":["../../src/static/ast-engine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,EAAE,aAAa,EAA4D,MAAM,UAAU,CAAC;AAG1J,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,UAAU,CAoD3E;AAGD,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,GAAG,cAAc,EAAE,CAE5E;AAGD,wBAAgB,WAAW,CAAC,IAAI,EAAE,cAAc,GAAG,MAAM,CAcxD;AAGD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,cAAc,GAAG,MAAM,CAejE;AAGD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CA8BrD;AAGD,wBAAgB,WAAW,CAAC,IAAI,EAAE,IAAI,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAStF;AAGD,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,UAAU,GAAG,aAAa,EAAE,CAE1E;AAGD,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,UAAU,GAAG,IAAI,EAAE,CAKtE;AAGD,wBAAgB,YAAY,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAO1D;AAGD,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,UAAU,GAAG,IAAI,EAAE,CAYjE;AAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,UAAU,EAAE,KAAK,cAAc,EAAE,CAAC"}

package/dist/static/ast-engine.js

@@ -0,0 +1,155 @@
+import { Project, SyntaxKind, Node } from "ts-morph";
+import { resolve } from "node:path";
+export function initProject(path, tsconfigPath) {
+    const rootDir = resolve(path);
+    const project = new Project({
+        compilerOptions: {
+            allowJs: true,
+            checkJs: false,
+            noEmit: true,
+            skipLibCheck: true,
+            target: 99, // ESNext
+            module: 99, // ESNext
+        },
+        skipAddingFilesFromTsConfig: true,
+        skipFileDependencyResolution: true,
+    });
+    // Discover and add source files
+    const globs = [
+        `${rootDir}/**/*.ts`,
+        `${rootDir}/**/*.js`,
+        `${rootDir}/**/*.mts`,
+        `${rootDir}/**/*.mjs`,
+    ];
+    const excludeGlobs = [
+        `${rootDir}/node_modules/**`,
+        `${rootDir}/dist/**`,
+        `${rootDir}/.git/**`,
+        `${rootDir}/**/*.d.ts`,
+    ];
+    project.addSourceFilesAtPaths(globs);
+    // Remove excluded files
+    for (const sf of project.getSourceFiles()) {
+        const fp = sf.getFilePath();
+        if (excludeGlobs.some(g => {
+            const base = g.replace("/**", "");
+            return fp.includes(base.replace(`${rootDir}/`, ""));
+        })) {
+            // Simplistic: check if path contains node_modules, dist, .git, or ends with .d.ts
+        }
+    }
+    const sourceFiles = project.getSourceFiles().filter(sf => {
+        const fp = sf.getFilePath();
+        return !fp.includes("/node_modules/") &&
+            !fp.includes("/dist/") &&
+            !fp.includes("/.git/") &&
+            !fp.endsWith(".d.ts");
+    });
+    return { project, sourceFiles, rootDir };
+}
+// Helper: find all call expressions in a source file
+export function findCallExpressions(sourceFile) {
+    return sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression);
+}
+// Helper: get the function/method name from a call expression
+export function getCallName(call) {
+    const expr = call.getExpression();
+    // Simple call: exec(...)
+    if (Node.isIdentifier(expr)) {
+        return expr.getText();
+    }
+    // Property access: child_process.exec(...), fs.readFile(...)
+    if (Node.isPropertyAccessExpression(expr)) {
+        return expr.getName();
+    }
+    return expr.getText();
+}
+// Helper: get the full qualified call name like "child_process.exec" or "fs.readFile"
+export function getQualifiedCallName(call) {
+    const expr = call.getExpression();
+    if (Node.isPropertyAccessExpression(expr)) {
+        const obj = expr.getExpression();
+        if (Node.isIdentifier(obj)) {
+            return `${obj.getText()}.${expr.getName()}`;
+        }
+    }
+    if (Node.isIdentifier(expr)) {
+        return expr.getText();
+    }
+    return expr.getText();
+}
+// Helper: check if an expression contains user input (function params, args.*, etc)
+export function containsUserInput(node) {
+    const text = node.getText();
+    // Check for common user input patterns
+    const userInputPatterns = [
+        /\bargs\b/, // MCP tool args
+        /\breq\.query\b/, // Express query
+        /\breq\.params\b/, // Express params
+        /\breq\.body\b/, // Express body
+        /\breq\.headers\b/, // Express headers
+        /\bparams\b/, // Generic params
+        /\binput\b/, // Generic input
+        /\buserInput\b/, // Generic userInput
+    ];
+    if (userInputPatterns.some(p => p.test(text)))
+        return true;
+    // Check for template literals with interpolations
+    if (node.getKind() === SyntaxKind.TemplateExpression)
+        return true;
+    // Check for identifiers that trace to function parameters
+    const identifiers = node.getDescendantsOfKind(SyntaxKind.Identifier);
+    for (const id of identifiers) {
+        const name = id.getText();
+        if (["args", "params", "input", "query", "body", "userInput", "data", "payload"].includes(name)) {
+            return true;
+        }
+    }
+    return false;
+}
+// Helper: get location info
+export function getLocation(node) {
+    const sf = node.getSourceFile();
+    const start = node.getStart();
+    const { line, column } = sf.getLineAndColumnAtPos(start);
+    return {
+        file: sf.getFilePath(),
+        line,
+        column,
+    };
+}
+// Helper: get all string literals in a file
+export function findStringLiterals(sourceFile) {
+    return sourceFile.getDescendantsOfKind(SyntaxKind.StringLiteral);
+}
+// Helper: get all template expressions (template literals with interpolation)
+export function findTemplateExpressions(sourceFile) {
+    return [
+        ...sourceFile.getDescendantsOfKind(SyntaxKind.TemplateExpression),
+        ...sourceFile.getDescendantsOfKind(SyntaxKind.NoSubstitutionTemplateLiteral),
+    ];
+}
+// Helper: check if a call has shell:true in options
+export function hasShellTrue(call) {
+    const args = call.getArguments();
+    for (const arg of args) {
+        const text = arg.getText();
+        if (/shell\s*:\s*true/.test(text))
+            return true;
+    }
+    return false;
+}
+// Helper: find new RegExp() calls
+export function findNewRegExpCalls(sourceFile) {
+    const results = [];
+    // new RegExp(...)
+    const newExprs = sourceFile.getDescendantsOfKind(SyntaxKind.NewExpression);
+    for (const expr of newExprs) {
+        if (expr.getExpression().getText() === "RegExp") {
+            results.push(expr);
+        }
+    }
+    return results;
+}
+export { SyntaxKind, Node };
+//# sourceMappingURL=ast-engine.js.map

package/dist/static/ast-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-engine.js","sourceRoot":"","sources":["../../src/static/ast-engine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAc,UAAU,EAAE,IAAI,EAA2F,MAAM,UAAU,CAAC;AAC1J,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQpC,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,YAAqB;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;QAC1B,eAAe,EAAE;YACf,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,IAAI;YACZ,YAAY,EAAE,IAAI;YAClB,MAAM,EAAE,EAAE,EAAE,SAAS;YACrB,MAAM,EAAE,EAAE,EAAE,SAAS;SACtB;QACD,2BAA2B,EAAE,IAAI;QACjC,4BAA4B,EAAE,IAAI;KACnC,CAAC,CAAC;IAEH,gCAAgC;IAChC,MAAM,KAAK,GAAG;QACZ,GAAG,OAAO,UAAU;QACpB,GAAG,OAAO,UAAU;QACpB,GAAG,OAAO,WAAW;QACrB,GAAG,OAAO,WAAW;KACtB,CAAC;IAEF,MAAM,YAAY,GAAG;QACnB,GAAG,OAAO,kBAAkB;QAC5B,GAAG,OAAO,UAAU;QACpB,GAAG,OAAO,UAAU;QACpB,GAAG,OAAO,YAAY;KACvB,CAAC;IAEF,OAAO,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAErC,wBAAwB;IACxB,KAAK,MAAM,EAAE,IAAI,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;QAC1C,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;QAC5B,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;YACxB,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAClC,OAAO,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;QACtD,CAAC,CAAC,EAAE,CAAC;YACH,kFAAkF;QACpF,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;QACvD,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;QAC5B,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAC9B,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACtB,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACtB,CAAC,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AAC3C,CAAC;AAED,qDAAqD;AACrD,MAAM,UAAU,mBAAmB,CAAC,UAAsB;IACxD,OAAO,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;AACpE,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,WAAW,CAAC,IAAoB;IAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAElC,yBAAyB;IACzB,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC;IAED,6DAA6D;IAC7D,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC;IAED,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;AACxB,CAAC;AAED,sFAAsF;AACtF,MAAM,UAAU,oBAAoB,CAAC,IAAoB;IACvD,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAElC,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,GAAG,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC;IAED,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;AACxB,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,iBAAiB,CAAC,IAAU;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAE5B,uCAAuC;IACvC,MAAM,iBAAiB,GAAG;QACxB,UAAU,EAAY,gBAAgB;QACtC,gBAAgB,EAAM,gBAAgB;QACtC,iBAAiB,EAAK,iBAAiB;QACvC,eAAe,EAAO,eAAe;QACrC,kBAAkB,EAAI,kBAAkB;QACxC,YAAY,EAAU,iBAAiB;QACvC,WAAW,EAAW,gBAAgB;QACtC,eAAe,EAAO,oBAAoB;KAC3C,CAAC;IAEF,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3D,kDAAkD;IAClD,IAAI,IAAI,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,kBAAkB;QAAE,OAAO,IAAI,CAAC;IAElE,0DAA0D;IAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IACrE,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAC1B,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAChG,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4BAA4B;AAC5B,MAAM,UAAU,WAAW,CAAC,IAAU;IACpC,MAAM,EAAE,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC9B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACzD,OAAO;QACL,IAAI,EAAE,EAAE,CAAC,WAAW,EAAE;QACtB,IAAI;QACJ,MAAM;KACP,CAAC;AACJ,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,kBAAkB,CAAC,UAAsB;IACvD,OAAO,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AACnE,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,uBAAuB,CAAC,UAAsB;IAC5D,OAAO;QACL,GAAG,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,kBAAkB,CAAC;QACjE,GAAG,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,6BAA6B,CAAC;KAC7E,CAAC;AACJ,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,YAAY,CAAC,IAAoB;IAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IACjC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;QAC3B,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,kCAAkC;AAClC,MAAM,UAAU,kBAAkB,CAAC,UAAsB;IACvD,MAAM,OAAO,GAAW,EAAE,CAAC;IAE3B,kBAAkB;IAClB,MAAM,QAAQ,GAAG,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAC3E,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAwC,CAAC"}

package/dist/static/index.d.ts

@@ -0,0 +1,3 @@
+import type { ToolDef } from "../types/index.js";
+export declare const staticTools: ToolDef[];
+//# sourceMappingURL=index.d.ts.map

package/dist/static/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/static/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAqHjD,eAAO,MAAM,WAAW,EAAE,OAAO,EAyDhC,CAAC"}