mcp-security-scanner 1.0.0

package/dist/static/index.js

@@ -0,0 +1,114 @@
+import { z } from "zod";
+import { text } from "../types/index.js";
+import { initProject } from "./ast-engine.js";
+import { analyzeCommandInjection } from "./analyzers/command-injection.js";
+import { analyzeSsrf } from "./analyzers/ssrf.js";
+import { analyzePathTraversal } from "./analyzers/path-traversal.js";
+import { analyzeCodeExecution } from "./analyzers/code-execution.js";
+import { analyzeHardcodedSecrets } from "./analyzers/secret-hardcoded.js";
+import { analyzeLogging } from "./analyzers/logging-audit.js";
+import { analyzeInsecureCrypto } from "./analyzers/insecure-crypto.js";
+import { analyzePrototypePollution } from "./analyzers/prototype-pollution.js";
+import { analyzeRegexDos } from "./analyzers/regex-dos.js";
+import { analyzeUnsafeRegex } from "./analyzers/unsafe-regex.js";
+import { analyzeInfoDisclosure } from "./analyzers/info-disclosure.js";
+const pathSchema = {
+    path: z.string().describe("Directory path containing TypeScript/JavaScript source files to analyze"),
+    include_node_modules: z.boolean().optional().describe("Include node_modules in scan (default: false)"),
+    tsconfig_path: z.string().optional().describe("Path to tsconfig.json (optional)"),
+};
+function formatFindings(findings) {
+    if (findings.length === 0)
+        return "No findings.";
+    const bySeverity = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const f of findings)
+        bySeverity[f.severity]++;
+    let output = `${findings.length} finding(s): ${bySeverity.critical} critical, ${bySeverity.high} high, ${bySeverity.medium} medium, ${bySeverity.low} low, ${bySeverity.info} info\n\n`;
+    for (const f of findings) {
+        output += `[${f.severity.toUpperCase()}] ${f.id}: ${f.title}\n`;
+        if (f.file)
+            output += `  File: ${f.file}:${f.line ?? 0}:${f.column ?? 0}\n`;
+        output += `  OWASP: ${f.owasp_mcp} — ${f.owasp_mcp_title}\n`;
+        output += `  Evidence: ${f.evidence}\n`;
+        output += `  Remediation: ${f.remediation}\n\n`;
+    }
+    return output.trim();
+}
+const allAnalyzers = [
+    { name: "command-injection", fn: analyzeCommandInjection },
+    { name: "ssrf", fn: analyzeSsrf },
+    { name: "path-traversal", fn: analyzePathTraversal },
+    { name: "code-execution", fn: analyzeCodeExecution },
+    { name: "hardcoded-secrets", fn: analyzeHardcodedSecrets },
+    { name: "logging-audit", fn: analyzeLogging },
+    { name: "insecure-crypto", fn: analyzeInsecureCrypto },
+    { name: "prototype-pollution", fn: analyzePrototypePollution },
+    { name: "regex-dos", fn: analyzeRegexDos },
+    { name: "unsafe-regex", fn: analyzeUnsafeRegex },
+    { name: "info-disclosure", fn: analyzeInfoDisclosure },
+];
+const sastScanDirectory = {
+    name: "sast_scan_directory",
+    description: "Run ALL static analysis checks on a TypeScript/JavaScript source directory. Initializes AST project, discovers source files, runs all 11 analyzers, and returns aggregated findings sorted by severity.",
+    schema: pathSchema,
+    async execute(args) {
+        const { project, sourceFiles, rootDir } = initProject(args.path, args.tsconfig_path);
+        if (sourceFiles.length === 0) {
+            return text(`No source files found in ${args.path}`);
+        }
+        const allFindings = [];
+        for (const analyzer of allAnalyzers) {
+            try {
+                const findings = analyzer.fn(sourceFiles);
+                allFindings.push(...findings);
+            }
+            catch (err) {
+                allFindings.push({
+                    id: `SAST-ERR-${analyzer.name}`,
+                    title: `Analyzer Error: ${analyzer.name}`,
+                    severity: "info",
+                    owasp_mcp: "MCP05",
+                    owasp_mcp_title: "Command Injection & Code Execution",
+                    category: "static",
+                    evidence: `${analyzer.name} analyzer threw: ${err instanceof Error ? err.message : String(err)}`,
+                    remediation: "This is an internal scanner error, not a finding in your code.",
+                });
+            }
+        }
+        // Sort by severity
+        const order = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        allFindings.sort((a, b) => order[a.severity] - order[b.severity]);
+        let header = `Scanned ${sourceFiles.length} files in ${rootDir}\n\n`;
+        return text(header + formatFindings(allFindings));
+    },
+};
+function makeSingleAnalyzerTool(name, description, analyzerFn) {
+    return {
+        name,
+        description,
+        schema: { path: z.string().describe("Directory path containing source files to analyze") },
+        async execute(args) {
+            const { sourceFiles, rootDir } = initProject(args.path);
+            if (sourceFiles.length === 0)
+                return text(`No source files found in ${args.path}`);
+            const findings = analyzerFn(sourceFiles);
+            let header = `Scanned ${sourceFiles.length} files in ${rootDir}\n\n`;
+            return text(header + formatFindings(findings));
+        },
+    };
+}
+export const staticTools = [
+    sastScanDirectory,
+    makeSingleAnalyzerTool("sast_command_injection", "AST-scan for command injection: child_process.exec(), execSync(), spawn() with shell:true — where arguments include user-controlled input. Reports file, line, column, and the exact dangerous expression.", analyzeCommandInjection),
+    makeSingleAnalyzerTool("sast_ssrf", "AST-scan for SSRF: fetch(), axios.get/post(), http.request() — where the URL argument contains user-controlled input without domain validation.", analyzeSsrf),
+    makeSingleAnalyzerTool("sast_path_traversal", "AST-scan for path traversal: fs.readFile(), writeFile(), readdir(), unlink() — where path argument includes user input without path.resolve() validation.", analyzePathTraversal),
+    makeSingleAnalyzerTool("sast_code_execution", "AST-scan for dangerous code execution: eval(), new Function(), vm.runInNewContext(), setTimeout(string). Any occurrence is flagged regardless of input source.", analyzeCodeExecution),
+    makeSingleAnalyzerTool("sast_hardcoded_secrets", "Scan all string literals and template literals for hardcoded secrets using 20+ regex patterns: AWS keys, GitHub tokens, Slack tokens, Stripe keys, private keys, JWTs, database URLs, and more.", analyzeHardcodedSecrets),
+    makeSingleAnalyzerTool("sast_missing_logging", "Detect missing security controls: tool handlers without try-catch, empty catch blocks, stack trace exposure in responses, missing audit logging.", analyzeLogging),
+    makeSingleAnalyzerTool("sast_insecure_crypto", "Detect weak cryptography: createHash('md5'), createHash('sha1'), Math.random() for token generation, DES/RC4 usage.", analyzeInsecureCrypto),
+    makeSingleAnalyzerTool("sast_prototype_pollution", "Detect prototype pollution: Object.assign() with user input, JSON.parse() on untrusted data, bracket notation with user-controlled keys.", analyzePrototypePollution),
+    makeSingleAnalyzerTool("sast_regex_dos", "Detect ReDoS patterns: nested quantifiers (a+)+, alternation with overlap, backreferences in quantified groups.", analyzeRegexDos),
+    makeSingleAnalyzerTool("sast_unsafe_regex", "Detect new RegExp() with user-controlled input without proper escaping. Attacker-controlled regex can cause ReDoS or bypass validation.", analyzeUnsafeRegex),
+    makeSingleAnalyzerTool("sast_info_disclosure", "Detect information disclosure: sensitive data in console.log, process.env serialization, stack traces in responses, file paths in error messages.", analyzeInfoDisclosure),
+];
+//# sourceMappingURL=index.js.map

package/dist/static/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/static/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,IAAI,EAAQ,MAAM,mBAAmB,CAAC;AAE/C,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAEvE,MAAM,UAAU,GAAG;IACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,yEAAyE,CAAC;IACpG,oBAAoB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,+CAA+C,CAAC;IACtG,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kCAAkC,CAAC;CAClF,CAAC;AAEF,SAAS,cAAc,CAAC,QAAmB;IACzC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,cAAc,CAAC;IAEjD,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACxE,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAEnD,IAAI,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,gBAAgB,UAAU,CAAC,QAAQ,cAAc,UAAU,CAAC,IAAI,UAAU,UAAU,CAAC,MAAM,YAAY,UAAU,CAAC,GAAG,SAAS,UAAU,CAAC,IAAI,WAAW,CAAC;IAExL,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC;QAChE,IAAI,CAAC,CAAC,IAAI;YAAE,MAAM,IAAI,WAAW,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC;QAC5E,MAAM,IAAI,YAAY,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,eAAe,IAAI,CAAC;QAC7D,MAAM,IAAI,eAAe,CAAC,CAAC,QAAQ,IAAI,CAAC;QACxC,MAAM,IAAI,kBAAkB,CAAC,CAAC,WAAW,MAAM,CAAC;IAClD,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;AACvB,CAAC;AAED,MAAM,YAAY,GAAwD;IACxE,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAAE,EAAE,uBAAuB,EAAE;IAC1D,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE;IACjC,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE;IACpD,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE;IACpD,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAAE,EAAE,uBAAuB,EAAE;IAC1D,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,cAAc,EAAE;IAC7C,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,qBAAqB,EAAE;IACtD,EAAE,IAAI,EAAE,qBAAqB,EAAE,EAAE,EAAE,yBAAyB,EAAE;IAC9D,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,eAAe,EAAE;IAC1C,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,EAAE,kBAAkB,EAAE;IAChD,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,qBAAqB,EAAE;CACvD,CAAC;AAEF,MAAM,iBAAiB,GAAY;IACjC,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EACT,yMAAyM;IAC3M,MAAM,EAAE,UAAU;IAClB,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,WAAW,CACnD,IAAI,CAAC,IAAc,EACnB,IAAI,CAAC,aAAmC,CACzC,CAAC;QAEF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,4BAA4B,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,MAAM,WAAW,GAAc,EAAE,CAAC;QAClC,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC;gBAC1C,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAChC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,WAAW,CAAC,IAAI,CAAC;oBACf,EAAE,EAAE,YAAY,QAAQ,CAAC,IAAI,EAAE;oBAC/B,KAAK,EAAE,mBAAmB,QAAQ,CAAC,IAAI,EAAE;oBACzC,QAAQ,EAAE,MAAM;oBAChB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,oCAAoC;oBACrD,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,GAAG,QAAQ,CAAC,IAAI,oBAAoB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;oBAChG,WAAW,EAAE,gEAAgE;iBAC9E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,MAAM,KAAK,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC3F,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElE,IAAI,MAAM,GAAG,WAAW,WAAW,CAAC,MAAM,aAAa,OAAO,MAAM,CAAC;QACrE,OAAO,IAAI,CAAC,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC,CAAC;IACpD,CAAC;CACF,CAAC;AAEF,SAAS,sBAAsB,CAC7B,IAAY,EACZ,WAAmB,EACnB,UAAuC;IAEvC,OAAO;QACL,IAAI;QACJ,WAAW;QACX,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mDAAmD,CAAC,EAAE;QAC1F,KAAK,CAAC,OAAO,CAAC,IAAI;YAChB,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;YAClE,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC,4BAA4B,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACnF,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;YACzC,IAAI,MAAM,GAAG,WAAW,WAAW,CAAC,MAAM,aAAa,OAAO,MAAM,CAAC;YACrE,OAAO,IAAI,CAAC,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;QACjD,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAc;IACpC,iBAAiB;IACjB,sBAAsB,CACpB,wBAAwB,EACxB,4MAA4M,EAC5M,uBAAuB,CACxB;IACD,sBAAsB,CACpB,WAAW,EACX,iJAAiJ,EACjJ,WAAW,CACZ;IACD,sBAAsB,CACpB,qBAAqB,EACrB,2JAA2J,EAC3J,oBAAoB,CACrB;IACD,sBAAsB,CACpB,qBAAqB,EACrB,gKAAgK,EAChK,oBAAoB,CACrB;IACD,sBAAsB,CACpB,wBAAwB,EACxB,iMAAiM,EACjM,uBAAuB,CACxB;IACD,sBAAsB,CACpB,sBAAsB,EACtB,kJAAkJ,EAClJ,cAAc,CACf;IACD,sBAAsB,CACpB,sBAAsB,EACtB,qHAAqH,EACrH,qBAAqB,CACtB;IACD,sBAAsB,CACpB,0BAA0B,EAC1B,0IAA0I,EAC1I,yBAAyB,CAC1B;IACD,sBAAsB,CACpB,gBAAgB,EAChB,iHAAiH,EACjH,eAAe,CAChB;IACD,sBAAsB,CACpB,mBAAmB,EACnB,yIAAyI,EACzI,kBAAkB,CACnB;IACD,sBAAsB,CACpB,sBAAsB,EACtB,mJAAmJ,EACnJ,qBAAqB,CACtB;CACF,CAAC"}

package/dist/static/taint-tracker.d.ts

@@ -0,0 +1,15 @@
+import { Node, type SourceFile, type CallExpression } from "ts-morph";
+export interface TaintFlow {
+    source: string;
+    sink: string;
+    file: string;
+    line: number;
+    column: number;
+    evidence: string;
+}
+export declare function isCallTainted(call: CallExpression): boolean;
+export declare function getCallEvidence(call: CallExpression): string;
+export declare function findToolHandlers(sourceFile: SourceFile): Node[];
+export declare function isInsideTryCatch(node: Node): boolean;
+export declare function isEmptyCatch(node: Node): boolean;
+//# sourceMappingURL=taint-tracker.d.ts.map

package/dist/static/taint-tracker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-tracker.d.ts","sourceRoot":"","sources":["../../src/static/taint-tracker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAc,KAAK,UAAU,EAAE,KAAK,cAAc,EAAE,MAAM,UAAU,CAAC;AAGlF,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAGD,wBAAgB,aAAa,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAG3D;AAGD,wBAAgB,eAAe,CAAC,IAAI,EAAE,cAAc,GAAG,MAAM,CAI5D;AAGD,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,UAAU,GAAG,IAAI,EAAE,CAwC/D;AAGD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAOpD;AAGD,wBAAgB,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAKhD"}

package/dist/static/taint-tracker.js

@@ -0,0 +1,70 @@
+import { SyntaxKind } from "ts-morph";
+import { containsUserInput } from "./ast-engine.js";
+// Check if any argument to a call expression contains tainted data
+export function isCallTainted(call) {
+    const args = call.getArguments();
+    return args.some(arg => containsUserInput(arg));
+}
+// Get a human-readable evidence string for a call
+export function getCallEvidence(call) {
+    const text = call.getText();
+    // Truncate very long call expressions
+    return text.length > 200 ? text.substring(0, 200) + "..." : text;
+}
+// Find all function declarations that look like MCP tool handlers
+export function findToolHandlers(sourceFile) {
+    const handlers = [];
+    // Look for: async execute(args, ...) { ... }
+    const methods = sourceFile.getDescendantsOfKind(SyntaxKind.MethodDeclaration);
+    for (const m of methods) {
+        const name = m.getName();
+        if (name === "execute" || name === "handler" || name === "run") {
+            handlers.push(m);
+        }
+    }
+    // Look for: execute: async (args) => { ... }
+    // These are property assignments in object literals
+    const propAssignments = sourceFile.getDescendantsOfKind(SyntaxKind.PropertyAssignment);
+    for (const pa of propAssignments) {
+        const name = pa.getName();
+        if (name === "execute" || name === "handler" || name === "run") {
+            handlers.push(pa);
+        }
+    }
+    // Also look for async functions that take (args, ctx) pattern
+    const funcs = sourceFile.getDescendantsOfKind(SyntaxKind.FunctionDeclaration);
+    for (const f of funcs) {
+        const params = f.getParameters();
+        if (params.some(p => p.getName() === "args" || p.getName() === "ctx")) {
+            handlers.push(f);
+        }
+    }
+    const arrowFuncs = sourceFile.getDescendantsOfKind(SyntaxKind.ArrowFunction);
+    for (const f of arrowFuncs) {
+        const params = f.getParameters();
+        if (params.some(p => p.getName() === "args")) {
+            handlers.push(f);
+        }
+    }
+    return handlers;
+}
+// Check if a node is inside a try-catch block
+export function isInsideTryCatch(node) {
+    let current = node.getParent();
+    while (current) {
+        if (current.getKind() === SyntaxKind.TryStatement)
+            return true;
+        current = current.getParent();
+    }
+    return false;
+}
+// Check if a catch clause is empty (swallows errors)
+export function isEmptyCatch(node) {
+    if (node.getKind() !== SyntaxKind.CatchClause)
+        return false;
+    const block = node.getChildrenOfKind(SyntaxKind.Block)[0];
+    if (!block)
+        return true;
+    return block.getStatements().length === 0;
+}
+//# sourceMappingURL=taint-tracker.js.map

package/dist/static/taint-tracker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-tracker.js","sourceRoot":"","sources":["../../src/static/taint-tracker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAQ,UAAU,EAAwC,MAAM,UAAU,CAAC;AAClF,OAAO,EAAqC,iBAAiB,EAAe,MAAM,iBAAiB,CAAC;AAWpG,mEAAmE;AACnE,MAAM,UAAU,aAAa,CAAC,IAAoB;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IACjC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,eAAe,CAAC,IAAoB;IAClD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAC5B,sCAAsC;IACtC,OAAO,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACnE,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,gBAAgB,CAAC,UAAsB;IACrD,MAAM,QAAQ,GAAW,EAAE,CAAC;IAE5B,6CAA6C;IAC7C,MAAM,OAAO,GAAG,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;IAC9E,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;QACzB,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YAC/D,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,oDAAoD;IACpD,MAAM,eAAe,GAAG,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;IACvF,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAC1B,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YAC/D,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,MAAM,KAAK,GAAG,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;IAC9E,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,EAAE,CAAC;QACjC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,MAAM,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,KAAK,CAAC,EAAE,CAAC;YACtE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAC7E,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,EAAE,CAAC;QACjC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,gBAAgB,CAAC,IAAU;IACzC,IAAI,OAAO,GAAqB,IAAI,CAAC,SAAS,EAAE,CAAC;IACjD,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAC/D,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,qDAAqD;AACrD,MAAM,UAAU,YAAY,CAAC,IAAU;IACrC,IAAI,IAAI,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1D,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,KAAK,CAAC,aAAa,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC;AAC5C,CAAC"}

package/dist/types/findings.d.ts

@@ -0,0 +1,60 @@
+export type OwaspMcpId = "MCP01" | "MCP02" | "MCP03" | "MCP04" | "MCP05" | "MCP06" | "MCP07" | "MCP08" | "MCP09" | "MCP10";
+export type Severity = "critical" | "high" | "medium" | "low" | "info";
+export type FindingCategory = "runtime" | "static" | "config" | "deps" | "report";
+export interface Finding {
+    id: string;
+    title: string;
+    severity: Severity;
+    owasp_mcp: OwaspMcpId;
+    owasp_mcp_title: string;
+    category: FindingCategory;
+    file?: string;
+    line?: number;
+    column?: number;
+    evidence: string;
+    remediation: string;
+    cwe?: string;
+    references?: string[];
+}
+export interface ToolPin {
+    name: string;
+    hash: string;
+    description_preview: string;
+}
+export interface PinFile {
+    pin_name: string;
+    server_command: string;
+    server_args?: string[];
+    timestamp: string;
+    tool_count: number;
+    manifest_hash: string;
+    tools: ToolPin[];
+}
+export interface ScanReport {
+    scanner: string;
+    version: string;
+    timestamp: string;
+    target: string;
+    duration_ms: number;
+    summary: {
+        total: number;
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        info: number;
+    };
+    owasp_compliance: OwaspComplianceEntry[];
+    findings: Finding[];
+}
+export interface OwaspComplianceEntry {
+    id: OwaspMcpId;
+    title: string;
+    status: "pass" | "fail" | "not_tested";
+    finding_count: number;
+    highest_severity: Severity | null;
+}
+export declare function createFinding(partial: Omit<Finding, "id"> & {
+    id?: string;
+}, idPrefix: string, counter: number): Finding;
+//# sourceMappingURL=findings.d.ts.map

package/dist/types/findings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/types/findings.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,UAAU,GAClB,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,CAAC;AAEZ,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvE,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;AAIlF,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,UAAU,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,eAAe,CAAC;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAID,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,OAAO;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,OAAO,EAAE,CAAC;CAClB;AAID,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE;QACP,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IACF,gBAAgB,EAAE,oBAAoB,EAAE,CAAC;IACzC,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,UAAU,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,YAAY,CAAC;IACvC,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,QAAQ,GAAG,IAAI,CAAC;CACnC;AAID,wBAAgB,aAAa,CAC3B,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG;IAAE,EAAE,CAAC,EAAE,MAAM,CAAA;CAAE,EAC9C,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAKT"}

package/dist/types/findings.js

@@ -0,0 +1,9 @@
+// ─── OWASP MCP Top 10 Categories ───
+// ─── Helper to create findings ───
+export function createFinding(partial, idPrefix, counter) {
+    return {
+        ...partial,
+        id: partial.id ?? `${idPrefix}-${String(counter).padStart(3, "0")}`,
+    };
+}
+//# sourceMappingURL=findings.js.map

package/dist/types/findings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/types/findings.ts"],"names":[],"mappings":"AAAA,sCAAsC;AAkFtC,oCAAoC;AAEpC,MAAM,UAAU,aAAa,CAC3B,OAA8C,EAC9C,QAAgB,EAChB,OAAe;IAEf,OAAO;QACL,GAAG,OAAO;QACV,EAAE,EAAE,OAAO,CAAC,EAAE,IAAI,GAAG,QAAQ,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;KACpE,CAAC;AACJ,CAAC"}

package/dist/types/index.d.ts

@@ -0,0 +1,23 @@
+import type { z } from "zod";
+export interface ToolDef {
+    name: string;
+    description: string;
+    schema: Record<string, z.ZodType>;
+    execute: (args: Record<string, unknown>, ctx: ToolContext) => Promise<ToolResult>;
+}
+export interface ToolContext {
+    config: ScannerConfig;
+}
+export interface ScannerConfig {
+    pinDir: string;
+}
+export interface ToolResult {
+    [key: string]: unknown;
+    content: {
+        type: "text";
+        text: string;
+    }[];
+}
+export declare function text(msg: string): ToolResult;
+export declare function json(data: unknown): ToolResult;
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAI7B,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;IAClC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;CACnF;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CAC3C;AAID,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAE5C;AAED,wBAAgB,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,UAAU,CAE9C"}

package/dist/types/index.js

@@ -0,0 +1,8 @@
+// ─── Response Helpers ───
+export function text(msg) {
+    return { content: [{ type: "text", text: msg }] };
+}
+export function json(data) {
+    return text(JSON.stringify(data, null, 2));
+}
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAwBA,2BAA2B;AAE3B,MAAM,UAAU,IAAI,CAAC,GAAW;IAC9B,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,IAAa;IAChC,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC"}

package/dist/utils/crypto.d.ts

@@ -0,0 +1,4 @@
+export declare function sha256(input: string): string;
+export declare function hashToolDefinition(name: string, description: string, schema: unknown): string;
+export declare function hashManifest(toolHashes: string[]): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/utils/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":"AAEA,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5C;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,MAAM,CAG7F;AAED,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,CAEzD"}

package/dist/utils/crypto.js

@@ -0,0 +1,12 @@
+import { createHash } from "node:crypto";
+export function sha256(input) {
+    return createHash("sha256").update(input, "utf8").digest("hex");
+}
+export function hashToolDefinition(name, description, schema) {
+    const payload = JSON.stringify({ name, description, schema });
+    return sha256(payload);
+}
+export function hashManifest(toolHashes) {
+    return sha256(toolHashes.sort().join(":"));
+}
+//# sourceMappingURL=crypto.js.map

package/dist/utils/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,UAAU,MAAM,CAAC,KAAa;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,WAAmB,EAAE,MAAe;IACnF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;IAC9D,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAoB;IAC/C,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC7C,CAAC"}

package/dist/utils/fs-helpers.d.ts

@@ -0,0 +1,7 @@
+export declare function safeReadFile(filePath: string): Promise<string | null>;
+export declare function safeReadJson<T = unknown>(filePath: string): Promise<T | null>;
+export declare function fileExists(filePath: string): Promise<boolean>;
+export declare function getFileStat(filePath: string): Promise<import("fs").Stats | null>;
+export declare function discoverSourceFiles(dir: string, includeNodeModules?: boolean): Promise<string[]>;
+export declare function discoverFiles(dir: string, pattern: RegExp): Promise<string[]>;
+//# sourceMappingURL=fs-helpers.d.ts.map

package/dist/utils/fs-helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fs-helpers.d.ts","sourceRoot":"","sources":["../../src/utils/fs-helpers.ts"],"names":[],"mappings":"AAGA,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAM3E;AAED,wBAAsB,YAAY,CAAC,CAAC,GAAG,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAQnF;AAED,wBAAsB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOnE;AAED,wBAAsB,WAAW,CAAC,QAAQ,EAAE,MAAM,sCAMjD;AAID,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,kBAAkB,UAAQ,GACzB,OAAO,CAAC,MAAM,EAAE,CAAC,CA0BnB;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAwBnF"}

package/dist/utils/fs-helpers.js

@@ -0,0 +1,92 @@
+import { readFile, readdir, stat, access } from "node:fs/promises";
+import { join, resolve, extname } from "node:path";
+export async function safeReadFile(filePath) {
+    try {
+        return await readFile(filePath, "utf8");
+    }
+    catch {
+        return null;
+    }
+}
+export async function safeReadJson(filePath) {
+    const content = await safeReadFile(filePath);
+    if (!content)
+        return null;
+    try {
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+export async function fileExists(filePath) {
+    try {
+        await access(filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function getFileStat(filePath) {
+    try {
+        return await stat(filePath);
+    }
+    catch {
+        return null;
+    }
+}
+const TS_JS_EXTENSIONS = new Set([".ts", ".js", ".mts", ".mjs", ".cts", ".cjs"]);
+export async function discoverSourceFiles(dir, includeNodeModules = false) {
+    const results = [];
+    async function walk(currentDir) {
+        let entries;
+        try {
+            entries = await readdir(currentDir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const fullPath = join(currentDir, entry.name);
+            if (entry.isDirectory()) {
+                if (entry.name === "node_modules" && !includeNodeModules)
+                    continue;
+                if (entry.name === "dist" || entry.name === ".git")
+                    continue;
+                await walk(fullPath);
+            }
+            else if (entry.isFile() && TS_JS_EXTENSIONS.has(extname(entry.name))) {
+                results.push(fullPath);
+            }
+        }
+    }
+    await walk(resolve(dir));
+    return results.sort();
+}
+export async function discoverFiles(dir, pattern) {
+    const results = [];
+    async function walk(currentDir) {
+        let entries;
+        try {
+            entries = await readdir(currentDir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const fullPath = join(currentDir, entry.name);
+            if (entry.isDirectory()) {
+                if (entry.name === "node_modules" || entry.name === ".git")
+                    continue;
+                await walk(fullPath);
+            }
+            else if (entry.isFile() && pattern.test(entry.name)) {
+                results.push(fullPath);
+            }
+        }
+    }
+    await walk(resolve(dir));
+    return results.sort();
+}
+//# sourceMappingURL=fs-helpers.js.map

package/dist/utils/fs-helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fs-helpers.js","sourceRoot":"","sources":["../../src/utils/fs-helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACnE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEnD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAc,QAAgB;IAC9D,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAM,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,QAAgB;IAC/C,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,QAAgB;IAChD,IAAI,CAAC;QACH,OAAO,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEjF,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,GAAW,EACX,kBAAkB,GAAG,KAAK;IAE1B,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,UAAU,IAAI,CAAC,UAAkB;QACpC,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAE9C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,CAAC,kBAAkB;oBAAE,SAAS;gBACnE,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;oBAAE,SAAS;gBAC7D,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;iBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBACvE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,OAAe;IAC9D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,UAAU,IAAI,CAAC,UAAkB;QACpC,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;oBAAE,SAAS;gBACrE,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;iBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtD,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;AACxB,CAAC"}

package/dist/utils/levenshtein.d.ts

@@ -0,0 +1,7 @@
+export declare function levenshtein(a: string, b: string): number;
+export declare function isKeyboardAdjacent(a: string, b: string): boolean;
+export declare function isVowelSwap(a: string, b: string): boolean;
+export declare function normalizeSeparators(name: string): string;
+export declare function isSeparatorConfusion(a: string, b: string): boolean;
+export declare function isScopeSquatting(a: string, b: string): boolean;
+//# sourceMappingURL=levenshtein.d.ts.map

package/dist/utils/levenshtein.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"levenshtein.d.ts","sourceRoot":"","sources":["../../src/utils/levenshtein.ts"],"names":[],"mappings":"AAAA,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAwBxD;AAkBD,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAYhE;AAID,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAWzD;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAExD;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAGlE;AAED,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAS9D"}

package/dist/utils/levenshtein.js

@@ -0,0 +1,89 @@
+export function levenshtein(a, b) {
+    const m = a.length;
+    const n = b.length;
+    if (m === 0)
+        return n;
+    if (n === 0)
+        return m;
+    const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+    for (let i = 0; i <= m; i++)
+        dp[i][0] = i;
+    for (let j = 0; j <= n; j++)
+        dp[0][j] = j;
+    for (let i = 1; i <= m; i++) {
+        for (let j = 1; j <= n; j++) {
+            const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+            dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
+        }
+    }
+    return dp[m][n];
+}
+// Keyboard adjacency map (QWERTY layout)
+const KEYBOARD_ADJACENT = {
+    q: ["w", "a"], w: ["q", "e", "s", "a"], e: ["w", "r", "d", "s"],
+    r: ["e", "t", "f", "d"], t: ["r", "y", "g", "f"], y: ["t", "u", "h", "g"],
+    u: ["y", "i", "j", "h"], i: ["u", "o", "k", "j"], o: ["i", "p", "l", "k"],
+    p: ["o", "l"],
+    a: ["q", "w", "s", "z"], s: ["a", "w", "e", "d", "z", "x"],
+    d: ["s", "e", "r", "f", "x", "c"], f: ["d", "r", "t", "g", "c", "v"],
+    g: ["f", "t", "y", "h", "v", "b"], h: ["g", "y", "u", "j", "b", "n"],
+    j: ["h", "u", "i", "k", "n", "m"], k: ["j", "i", "o", "l", "m"],
+    l: ["k", "o", "p"],
+    z: ["a", "s", "x"], x: ["z", "s", "d", "c"],
+    c: ["x", "d", "f", "v"], v: ["c", "f", "g", "b"],
+    b: ["v", "g", "h", "n"], n: ["b", "h", "j", "m"], m: ["n", "j", "k"],
+};
+export function isKeyboardAdjacent(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diffs = 0;
+    for (let i = 0; i < a.length; i++) {
+        if (a[i] !== b[i]) {
+            diffs++;
+            if (diffs > 1)
+                return false;
+            const adj = KEYBOARD_ADJACENT[a[i].toLowerCase()];
+            if (!adj || !adj.includes(b[i].toLowerCase()))
+                return false;
+        }
+    }
+    return diffs === 1;
+}
+const VOWELS = new Set(["a", "e", "i", "o", "u"]);
+export function isVowelSwap(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diffs = 0;
+    for (let i = 0; i < a.length; i++) {
+        if (a[i] !== b[i]) {
+            diffs++;
+            if (diffs > 1)
+                return false;
+            if (!VOWELS.has(a[i].toLowerCase()) || !VOWELS.has(b[i].toLowerCase()))
+                return false;
+        }
+    }
+    return diffs === 1;
+}
+export function normalizeSeparators(name) {
+    return name.replace(/[-._]/g, "-").toLowerCase();
+}
+export function isSeparatorConfusion(a, b) {
+    if (a === b)
+        return false;
+    return normalizeSeparators(a) === normalizeSeparators(b);
+}
+export function isScopeSquatting(a, b) {
+    const scopeA = a.match(/^@([^/]+)\//);
+    const scopeB = b.match(/^@([^/]+)\//);
+    if (!scopeA || !scopeB)
+        return false;
+    if (scopeA[1] === scopeB[1])
+        return false;
+    const nameA = a.replace(/^@[^/]+\//, "");
+    const nameB = b.replace(/^@[^/]+\//, "");
+    if (nameA !== nameB)
+        return false;
+    return levenshtein(scopeA[1], scopeB[1]) <= 2;
+}
+//# sourceMappingURL=levenshtein.js.map

package/dist/utils/levenshtein.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"levenshtein.js","sourceRoot":"","sources":["../../src/utils/levenshtein.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,WAAW,CAAC,CAAS,EAAE,CAAS;IAC9C,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAEnB,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACtB,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEtB,MAAM,EAAE,GAAe,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3C,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CACjB,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAChB,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EAChB,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CACxB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,yCAAyC;AACzC,MAAM,iBAAiB,GAA6B;IAClD,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IAC/D,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACzE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACzE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC;IACb,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IAC1D,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACpE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACpE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IAC/D,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IAClB,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IAC3C,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IAChD,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;CACrE,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAAC,CAAS,EAAE,CAAS;IACrD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClB,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC5B,MAAM,GAAG,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAClD,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBAAE,OAAO,KAAK,CAAC;QAC9D,CAAC;IACH,CAAC;IACD,OAAO,KAAK,KAAK,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;AAElD,MAAM,UAAU,WAAW,CAAC,CAAS,EAAE,CAAS;IAC9C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClB,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC5B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBAAE,OAAO,KAAK,CAAC;QACvF,CAAC;IACH,CAAC;IACD,OAAO,KAAK,KAAK,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,CAAS,EAAE,CAAS;IACvD,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1B,OAAO,mBAAmB,CAAC,CAAC,CAAC,KAAK,mBAAmB,CAAC,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAS,EAAE,CAAS;IACnD,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AAChD,CAAC"}