mcp-sentinel 0.1.3 → 0.2.0

package/README.md

@@ -1,54 +1,102 @@
 <p align="center">
   <h1 align="center">MCP Sentinel</h1>
   <p align="center">
-    <strong>Know what your MCP servers can do — before your AI agent does.</strong>
+    <strong>Know what your MCP servers can do -- before your AI agent does.</strong>
   </p>
   <p align="center">
     <a href="https://www.npmjs.com/package/mcp-sentinel"><img src="https://img.shields.io/npm/v/mcp-sentinel.svg" alt="npm version"></a>
+    <a href="https://www.npmjs.com/package/mcp-sentinel"><img src="https://img.shields.io/npm/dm/mcp-sentinel.svg" alt="npm downloads"></a>
     <a href="https://github.com/oktsec/mcp-sentinel/blob/main/LICENSE"><img src="https://img.shields.io/npm/l/mcp-sentinel.svg" alt="license"></a>
     <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/mcp-sentinel.svg" alt="node version"></a>
+    <a href="https://github.com/oktsec/mcp-sentinel"><img src="https://img.shields.io/github/stars/oktsec/mcp-sentinel?style=social" alt="GitHub stars"></a>
   </p>
 </p>
 
+> **v0.2.0** -- Risk scoring (A-F), SARIF output, per-tool security analysis, verbose mode, HTTP header support
+
 ---
 
 ## The Problem
 
-You add an MCP server to Claude Desktop, Cursor, or your agent framework. Now that server has tools your AI can call — tools that might read your files, run shell commands, or delete data.
+You add an MCP server to Claude Desktop, Cursor, or your agent framework. Now that server has tools your AI can call -- tools that might read your files, run shell commands, or delete data.
 
 **You're trusting code you haven't reviewed.**
 
-MCP Sentinel connects to any MCP server, shows you every tool it exposes, and lets you define security policies that block dangerous ones automatically.
+MCP Sentinel connects to any MCP server, shows you every tool it exposes, assigns a risk score, and lets you define security policies that block dangerous ones automatically.
+
+### Features
+
+- **Risk Scoring** -- A-F grade for every server based on tool risk, security findings, and attack surface
+- **Policy Engine** -- YAML-based deny/require/allow rules with glob patterns and auto-detection
+- **Deep Security Analysis** -- Per-tool scanning with [Aguara](https://github.com/garagon/aguara) (177 rules: prompt injection, exfiltration, credential leaks)
+- **Smart Categorization** -- Tools auto-escalate from "read" to "admin" when critical findings are detected
+- **Multi-Transport** -- stdio, SSE, and Streamable HTTP with custom header support
+- **Config Discovery** -- Auto-scan servers from Claude Desktop, Cursor, Windsurf, VS Code, Zed
+- **CI/CD Ready** -- SARIF output for GitHub Code Scanning, exit codes for policy violations
+- **Drift Detection** -- Save baselines and detect added/removed/changed tools over time
+- **Multiple Exports** -- Terminal, JSON, Markdown, SARIF
 
 ## Quick Start
 
 ```bash
-# Scan any MCP server — no install needed
+# Scan any MCP server -- no install needed
 npx mcp-sentinel npx @modelcontextprotocol/server-filesystem /tmp
 ```
 
 That's it. You'll see every tool the server exposes, categorized by risk:
 
 ```
-🔍 MCP Sentinel v0.1.0
+┌──────────────────────────────┐
+│  MCP Sentinel v0.2.0         │
+└──────────────────────────────┘
+
+  Server        secure-filesystem-server v0.2.0
+  Capabilities  tools
+  Risk Score    B (82/100)
+
+🔧 Tools (14)    11 read · 3 write · 0 admin
 
-📦 Server: secure-filesystem-server v0.2.0
-   Capabilities: tools
+  ⚠ move_file                                              write
+    Move or rename files and directories
 
-🔧 Tools (14)  11 read · 3 write · 0 admin
+  ⚠ edit_file                                              write
+    Make line-based edits to a text file
+    path* · edits* · dryRun
 
-  ✅ read_file            Read the complete contents of a file... (3 params)
-  ✅ read_multiple_files  Read multiple files simultaneously... (1 params)
-  ✏️ write_file           Create a new file or overwrite... [write] (2 params)
-  ✏️ create_directory     Create a new directory... [write] (1 params)
-  ✏️ move_file            Move or rename files... [write] (2 params)
-  ✅ list_directory       Get a detailed listing of all files... (1 params)
-  ✅ search_files         Recursively search for files... (3 params)
+  ⚠ write_file                                             write
+    Create a new file or overwrite an existing file
+    path* · content*
+
+  ✔ read_file                                               read
+    Read the complete contents of a file from the file system
+    path*
+
+  ✔ list_directory                                          read
+    Get a detailed listing of all files and directories
+    path*
   ...
 
-Scanned in 1706ms
+  ──────────────────────────────────────────────────────────────
+
+  🛡️  No security findings · aguara scan clean
+
+  ──────────────────────────────────────────────────────────────
+
+  Scanned in 1706ms  ·  Deep scan: https://aguarascan.com
 ```
 
+## Risk Score
+
+Every server gets an **A-F grade** (0-100 scale) based on three factors:
+
+| Factor | Weight | What it measures |
+|--------|--------|-----------------|
+| Tool risk | 40 pts | Penalty for write (-3) and admin (-8) tools |
+| Finding risk | 40 pts | Penalty per aguara finding, weighted by severity |
+| Surface risk | 20 pts | Penalty for large tool counts (>10, >20) |
+
+A read-only server with no findings scores **A (100/100)**. A server with admin tools and critical findings scores **D** or **F**.
+
 ## Add a Security Policy
 
 Create a `.mcp-policy.yml` in your project root:
@@ -57,9 +105,13 @@ Create a `.mcp-policy.yml` in your project root:
 deny:
   categories: [admin]           # Block dangerous tools (delete, exec, shell)
   tools: ["write_*", "move_*"]  # Block by name pattern
+  descriptions: ["*ssh*"]       # Block tools mentioning SSH in descriptions
 
 require:
   maxTools: 10                  # Limit attack surface
+  maxFindings:                  # Limit security findings by severity
+    critical: 0
+    high: 0
 
 allow:
   tools: ["write_file"]         # Exceptions to deny rules
@@ -74,10 +126,10 @@ npx mcp-sentinel --policy .mcp-policy.yml npx @modelcontextprotocol/server-files
 ```
 🛡️  Policy: .mcp-policy.yml
 
-  ❌ secure-filesystem-server: policy FAILED (2 violations)
+  ✖ secure-filesystem-server policy FAILED (2 violations)
 
-     ✖ [deny.tools] Tool 'move_file' matches denied pattern 'move_*'
-     ✖ [require.maxTools] Server exposes 14 tools, policy allows max 10
+    → [deny.tools] Tool 'move_file' matches denied pattern 'move_*'
+    → [require.maxTools] Server exposes 14 tools, policy allows max 10
 ```
 
 Exit code `2` = violations found. Your CI pipeline stops here.
@@ -114,13 +166,40 @@ jobs:
 
 </details>
 
+<details>
+<summary>SARIF integration for GitHub Code Scanning</summary>
+
+```yaml
+# .github/workflows/mcp-audit.yml
+name: MCP Security Audit
+on: [pull_request]
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with: { node-version: 20 }
+      - run: npx mcp-sentinel --sarif results.sarif npx ./your-mcp-server
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+        if: always()
+```
+
+</details>
+
 ## What Else Can It Do?
 
 ```bash
 # Scan a remote server over HTTP
 npx mcp-sentinel http://localhost:3000/mcp
 
-# Scan all servers from your Claude Desktop, Cursor, or Windsurf config
+# Scan with custom headers (for authenticated servers)
+npx mcp-sentinel --header "Authorization: Bearer xxx" http://localhost:3000/mcp
+
+# Scan all servers from your Claude Desktop, Cursor, Windsurf, VS Code, or Zed config
 npx mcp-sentinel --config
 
 # Save a scan and detect changes later (drift detection)
@@ -130,9 +209,13 @@ npx mcp-sentinel npx @modelcontextprotocol/server-filesystem /tmp --diff baselin
 # Scan multiple servers in one command
 npx mcp-sentinel npx @modelcontextprotocol/server-filesystem /tmp --- npx @modelcontextprotocol/server-github
 
-# Export as JSON or Markdown
+# Export as JSON, Markdown, or SARIF
 npx mcp-sentinel --json npx @modelcontextprotocol/server-filesystem /tmp
 npx mcp-sentinel --markdown report.md npx @modelcontextprotocol/server-filesystem /tmp
+npx mcp-sentinel --sarif report.sarif npx @modelcontextprotocol/server-filesystem /tmp
+
+# Verbose mode: full descriptions, finding details, and remediation
+npx mcp-sentinel --verbose npx @modelcontextprotocol/server-filesystem /tmp
 ```
 
 ## Policy Reference
@@ -141,8 +224,10 @@ npx mcp-sentinel --markdown report.md npx @modelcontextprotocol/server-filesyste
 |------|-------------|---------|
 | `deny.categories` | Block tools by category | `[admin]`, `[admin, write]` |
 | `deny.tools` | Block by name or glob | `["delete_*", "run_command"]` |
+| `deny.descriptions` | Block tools by description content | `["*ssh*", "*IMPORTANT*"]` |
 | `require.maxTools` | Max number of tools allowed | `20` |
 | `require.aguara` | Require zero security findings | `clean` |
+| `require.maxFindings` | Limit findings by severity | `{ critical: 0, high: 0 }` |
 | `allow.tools` | Exceptions to deny rules | `["execute_query"]` |
 
 ### Starter Policies
@@ -151,32 +236,41 @@ Pick one from [`examples/policies/`](examples/policies/) and customize:
 
 | Policy | Best for |
 |--------|----------|
-| [`permissive.yml`](examples/policies/permissive.yml) | Local development — blocks only destructive patterns |
-| [`standard.yml`](examples/policies/standard.yml) | Team development — blocks admin + exec, allows writes |
-| [`strict.yml`](examples/policies/strict.yml) | Production — blocks admin + write, requires security scan |
-| [`ci-pipeline.yml`](examples/policies/ci-pipeline.yml) | CI/CD — blocks admin + deploy + push |
+| [`permissive.yml`](examples/policies/permissive.yml) | Local development -- blocks only destructive patterns |
+| [`standard.yml`](examples/policies/standard.yml) | Team development -- blocks admin + exec, allows writes |
+| [`strict.yml`](examples/policies/strict.yml) | Production -- blocks admin + write, requires security scan |
+| [`ci-pipeline.yml`](examples/policies/ci-pipeline.yml) | CI/CD -- blocks admin + deploy + push |
 
 ## Deep Security Analysis with Aguara
 
-MCP Sentinel can optionally integrate with [Aguara](https://github.com/garagon/aguara), a security scanner with 177 rules that detects prompt injection, data exfiltration, credential leaks, and more.
+MCP Sentinel integrates with [Aguara](https://github.com/garagon/aguara), a security scanner with 177 rules that detects prompt injection, data exfiltration, credential leaks, and more.
+
+When Aguara is installed, MCP Sentinel:
+- Scans each tool individually and attributes findings to specific tools
+- Escalates tool categories based on findings (a "read" tool with a critical injection finding becomes "admin")
+- Reports severity, category, description, and remediation for each finding
+- Factors findings into the risk score
 
 ```bash
 # Install Aguara (optional)
 curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
 ```
 
-Once installed, MCP Sentinel auto-detects it and runs the analysis. Add `require.aguara: clean` to your policy to enforce zero findings.
+Once installed, MCP Sentinel auto-detects it. Add `require.aguara: clean` to your policy to enforce zero findings.
 
 ## All Options
 
 | Flag | Description |
 |------|-------------|
 | `--policy <file>` | Enforce a security policy (auto-detects `.mcp-policy.yml`) |
-| `--config` | Scan servers from Claude Desktop / Cursor / Windsurf config |
+| `--config` | Scan servers from Claude Desktop / Cursor / Windsurf / VS Code / Zed config |
 | `--diff <file.json>` | Compare against a previous scan |
+| `--sarif <file>` | Export SARIF report for GitHub Code Scanning |
 | `--transport <type>` | Force transport: `stdio`, `sse`, `streamable-http` |
 | `--json` | JSON output |
 | `--markdown <file>` | Export Markdown report |
+| `--verbose` | Show full descriptions, finding details, and remediation |
+| `--header <value>` | HTTP header for remote servers (repeatable) |
 | `--fail-on-findings` | Exit code 2 if aguara finds issues |
 | `--no-color` | Disable colors |
 | `--timeout <ms>` | Connection timeout (default: 30000) |
@@ -193,11 +287,12 @@ Once installed, MCP Sentinel auto-detects it and runs the analysis. Add `require
 │  sentinel │ SSE     │  MCP Server    │
 │           ├──────── │  (remote)      │
 │  Scan     │         └────────────────┘
-│  Enforce  │
-│  Diff     │         ┌──────────────────┐
-│  Report   │ ──────► │  Aguara (177      │
-└───────────┘         │  security rules)  │
-     │                └──────────────────┘
+│  Score    │
+│  Enforce  │         ┌──────────────────┐
+│  Diff     │ ──────► │  Aguara (177      │
+│  Report   │         │  security rules)  │
+└───────────┘         └──────────────────┘
+     │
      ▼
  .mcp-policy.yml
  (deny / require / allow)
@@ -209,10 +304,10 @@ MCP Sentinel is part of the [Aguara](https://github.com/garagon/aguara) security
 
 | Tool | What it does |
 |------|-------------|
-| **[Aguara](https://github.com/garagon/aguara)** | Security scanner — 177 rules, NLP, toxic-flow analysis |
-| **[MCP Aguara](https://github.com/garagon/mcp-aguara)** | MCP server — gives AI agents security scanning as a tool |
-| **MCP Sentinel** | Policy enforcement — audit, enforce, and monitor MCP servers |
-| **[Aguara Watch](https://aguarascan.com)** | Cloud platform — continuous monitoring of MCP registries |
+| **[Aguara](https://github.com/garagon/aguara)** | Security scanner -- 177 rules, NLP, toxic-flow analysis |
+| **[MCP Aguara](https://github.com/garagon/mcp-aguara)** | MCP server -- gives AI agents security scanning as a tool |
+| **MCP Sentinel** | Policy enforcement -- audit, score, enforce, and monitor MCP servers |
+| **[Aguara Watch](https://aguarascan.com)** | Cloud platform -- continuous monitoring of MCP registries |
 
 ## Contributing
 
@@ -220,4 +315,4 @@ Contributions welcome. Please open an issue first to discuss what you'd like to
 
 ## License
 
-[Apache 2.0](LICENSE) — Gustavo Aragon ([@oktsec](https://github.com/oktsec))
+[Apache 2.0](LICENSE) -- Gustavo Aragon ([@oktsec](https://github.com/oktsec))

package/dist/aguara.d.ts

@@ -1,4 +1,10 @@
-import type { ToolInfo, AguaraResult } from "./types.js";
+import type { ToolInfo, ResourceInfo, ResourceTemplateInfo, PromptInfo, AguaraResult } from "./types.js";
 export declare function isAguaraInstalled(): Promise<boolean>;
-export declare function scanWithAguara(tools: ToolInfo[]): Promise<AguaraResult>;
+export interface AguaraScanInput {
+    tools: ToolInfo[];
+    resources: ResourceInfo[];
+    resourceTemplates: ResourceTemplateInfo[];
+    prompts: PromptInfo[];
+}
+export declare function scanWithAguara(input: AguaraScanInput): Promise<AguaraResult>;
 //# sourceMappingURL=aguara.d.ts.map

package/dist/aguara.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"aguara.d.ts","sourceRoot":"","sources":["../src/aguara.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAiB,MAAM,YAAY,CAAC;AAIxE,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC,CAO1D;AAyDD,wBAAsB,cAAc,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC,CAgD7E"}
+{"version":3,"file":"aguara.d.ts","sourceRoot":"","sources":["../src/aguara.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,oBAAoB,EAAE,UAAU,EAAE,YAAY,EAAiB,MAAM,YAAY,CAAC;AAWxH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC,CAO1D;AAqHD,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,SAAS,EAAE,YAAY,EAAE,CAAC;IAC1B,iBAAiB,EAAE,oBAAoB,EAAE,CAAC;IAC1C,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AAED,wBAAsB,cAAc,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC,CA8FlF"}

package/dist/aguara.js

@@ -1,9 +1,15 @@
 import { execFile } from "node:child_process";
-import { writeFile, unlink, mkdtemp } from "node:fs/promises";
+import { writeFile, unlink, mkdtemp, mkdir } from "node:fs/promises";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 import { promisify } from "node:util";
 const execFileAsync = promisify(execFile);
+const SEV_LABELS = {
+    4: "CRITICAL",
+    3: "HIGH",
+    2: "MEDIUM",
+    1: "LOW",
+};
 export async function isAguaraInstalled() {
     try {
         await execFileAsync("aguara", ["version"]);
@@ -13,91 +19,191 @@ export async function isAguaraInstalled() {
         return false;
     }
 }
-function buildScanContent(tools) {
+function buildToolFile(tool) {
     const lines = [];
-    for (const tool of tools) {
-        lines.push(`## Tool: ${tool.name}`);
+    lines.push(`## Tool: ${tool.name}`);
+    lines.push("");
+    lines.push(tool.description);
+    lines.push("");
+    if (tool.parameters.length > 0) {
+        for (const p of tool.parameters) {
+            lines.push(`- ${p.name} (${p.type}${p.required ? ", required" : ""}): ${p.description}`);
+        }
         lines.push("");
-        lines.push(tool.description);
+    }
+    return lines.join("\n");
+}
+function buildResourceContent(resources, templates) {
+    const lines = [];
+    for (const r of resources) {
+        lines.push(`## Resource: ${r.name}`);
+        lines.push(`URI: ${r.uri}`);
+        if (r.description.length > 0)
+            lines.push(r.description);
+        lines.push("");
+    }
+    for (const r of templates) {
+        lines.push(`## Resource Template: ${r.name}`);
+        lines.push(`URI Template: ${r.uriTemplate}`);
+        if (r.description.length > 0)
+            lines.push(r.description);
         lines.push("");
-        if (tool.parameters.length > 0) {
-            lines.push(`Parameters: ${tool.parameters.map((p) => p.name).join(", ")}`);
-            lines.push("");
-        }
     }
     return lines.join("\n");
 }
-function parseAguaraOutput(stdout) {
-    try {
-        const parsed = JSON.parse(stdout);
-        const findings = [];
-        if (Array.isArray(parsed.findings)) {
-            for (const f of parsed.findings) {
-                findings.push({
-                    severity: String(f.severity ?? "UNKNOWN"),
-                    ruleId: String(f.rule_id ?? ""),
-                    ruleName: String(f.rule_name ?? ""),
-                    matchedText: String(f.matched_text ?? ""),
-                    line: typeof f.line === "number" ? f.line : undefined,
-                });
+function buildPromptContent(prompts) {
+    const lines = [];
+    for (const p of prompts) {
+        lines.push(`## Prompt: ${p.name}`);
+        if (p.description.length > 0)
+            lines.push(p.description);
+        if (p.arguments.length > 0) {
+            for (const a of p.arguments) {
+                lines.push(`- ${a.name}${a.required ? " (required)" : ""}: ${a.description}`);
             }
         }
-        return {
-            findings,
-            summary: typeof parsed.summary === "string" ? parsed.summary : `${findings.length} finding(s)`,
-        };
-    }
-    catch {
-        return { findings: [], summary: "Failed to parse aguara output" };
+        lines.push("");
     }
+    return lines.join("\n");
 }
-export async function scanWithAguara(tools) {
-    const installed = await isAguaraInstalled();
-    if (!installed) {
-        return {
-            available: false,
-            findings: [],
-            summary: "aguara not installed — install from https://github.com/garagon/aguara for deep security analysis",
-        };
+function normalizeSeverity(sev) {
+    if (typeof sev === "number")
+        return SEV_LABELS[sev] ?? String(sev);
+    if (typeof sev === "string") {
+        const upper = sev.toUpperCase();
+        if (["CRITICAL", "HIGH", "MEDIUM", "LOW"].includes(upper))
+            return upper;
+        return sev;
     }
-    const content = buildScanContent(tools);
-    const tmpDir = await mkdtemp(join(tmpdir(), "mcp-sentinel-"));
-    const tmpFile = join(tmpDir, "tools.md");
+    return "UNKNOWN";
+}
+function parseFindings(raw, toolName) {
+    return raw.map((f) => ({
+        severity: normalizeSeverity(f.severity),
+        ruleId: String(f.rule_id ?? ""),
+        ruleName: String(f.rule_name ?? ""),
+        category: String(f.category ?? ""),
+        description: String(f.description ?? ""),
+        matchedText: String(f.matched_text ?? ""),
+        toolName,
+        line: typeof f.line === "number" ? f.line : undefined,
+        confidence: typeof f.confidence === "number" ? f.confidence : undefined,
+        score: typeof f.score === "number" ? f.score : undefined,
+        remediation: typeof f.remediation === "string" ? f.remediation : undefined,
+    }));
+}
+async function runAguara(filePath) {
     try {
-        await writeFile(tmpFile, content, "utf-8");
         const { stdout } = await execFileAsync("aguara", [
-            "scan", tmpFile, "--format", "json", "--severity", "low",
+            "scan", filePath, "--format", "json", "--severity", "low",
         ], {
             timeout: 30_000,
             env: process.env,
             maxBuffer: 10 * 1024 * 1024,
         });
-        const result = parseAguaraOutput(stdout);
-        return { available: true, ...result };
+        return JSON.parse(stdout);
     }
     catch (err) {
         // aguara exits with code 1 when findings are found, but still outputs JSON
         if (typeof err === "object" && err !== null && "stdout" in err) {
             const stdout = String(err.stdout);
             if (stdout.trim().length > 0) {
-                const result = parseAguaraOutput(stdout);
-                return { available: true, ...result };
+                return JSON.parse(stdout);
             }
         }
+        return { findings: [] };
+    }
+}
+export async function scanWithAguara(input) {
+    const installed = await isAguaraInstalled();
+    if (!installed) {
+        return {
+            available: false,
+            findings: [],
+            summary: "aguara not installed",
+        };
+    }
+    const tmpDir = await mkdtemp(join(tmpdir(), "mcp-sentinel-"));
+    const toolsDir = join(tmpDir, "tools");
+    await mkdir(toolsDir);
+    const allFindings = [];
+    const filesToClean = [];
+    let rulesLoaded = 0;
+    let totalDuration = 0;
+    try {
+        // Scan each tool individually for per-tool finding attribution
+        for (const tool of input.tools) {
+            const content = buildToolFile(tool);
+            const filePath = join(toolsDir, `${tool.name}.md`);
+            await writeFile(filePath, content, "utf-8");
+            filesToClean.push(filePath);
+            const output = await runAguara(filePath);
+            if (output.rules_loaded !== undefined)
+                rulesLoaded = output.rules_loaded;
+            if (output.duration_ms !== undefined)
+                totalDuration += output.duration_ms;
+            if (Array.isArray(output.findings)) {
+                allFindings.push(...parseFindings(output.findings, tool.name));
+            }
+        }
+        // Scan resources
+        if (input.resources.length > 0 || input.resourceTemplates.length > 0) {
+            const content = buildResourceContent(input.resources, input.resourceTemplates);
+            if (content.trim().length > 0) {
+                const filePath = join(tmpDir, "resources.md");
+                await writeFile(filePath, content, "utf-8");
+                filesToClean.push(filePath);
+                const output = await runAguara(filePath);
+                if (output.duration_ms !== undefined)
+                    totalDuration += output.duration_ms;
+                if (Array.isArray(output.findings)) {
+                    allFindings.push(...parseFindings(output.findings, "[resource]"));
+                }
+            }
+        }
+        // Scan prompts
+        if (input.prompts.length > 0) {
+            const content = buildPromptContent(input.prompts);
+            if (content.trim().length > 0) {
+                const filePath = join(tmpDir, "prompts.md");
+                await writeFile(filePath, content, "utf-8");
+                filesToClean.push(filePath);
+                const output = await runAguara(filePath);
+                if (output.duration_ms !== undefined)
+                    totalDuration += output.duration_ms;
+                if (Array.isArray(output.findings)) {
+                    allFindings.push(...parseFindings(output.findings, "[prompt]"));
+                }
+            }
+        }
+        // Sort by severity (CRITICAL first)
+        const sevOrder = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
+        allFindings.sort((a, b) => (sevOrder[a.severity] ?? 9) - (sevOrder[b.severity] ?? 9));
+        return {
+            available: true,
+            findings: allFindings,
+            summary: `${allFindings.length} finding(s)`,
+            rulesLoaded: rulesLoaded > 0 ? rulesLoaded : undefined,
+            durationMs: totalDuration > 0 ? totalDuration : undefined,
+        };
+    }
+    catch {
         return {
             available: true,
             findings: [],
-            summary: `aguara scan failed: ${err instanceof Error ? err.message : "unknown error"}`,
+            summary: "aguara scan failed",
         };
     }
     finally {
-        try {
-            await unlink(tmpFile);
+        for (const f of filesToClean) {
+            try {
+                await unlink(f);
+            }
+            catch { /* cleanup */ }
         }
-        catch { /* cleanup */ }
         try {
-            const { rmdir } = await import("node:fs/promises");
-            await rmdir(tmpDir);
+            const { rm } = await import("node:fs/promises");
+            await rm(tmpDir, { recursive: true });
         }
         catch { /* cleanup */ }
     }

package/dist/aguara.js.map

@@ -1 +1 @@
-{"version":3,"file":"aguara.js","sourceRoot":"","sources":["../src/aguara.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,QAAQ,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAiB;IACzC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC3E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAaD,SAAS,iBAAiB,CAAC,MAAc;IACvC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAqB,CAAC;QACtD,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,IAAI,SAAS,CAAC;oBACzC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC;oBAC/B,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC;oBACnC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,IAAI,EAAE,CAAC;oBACzC,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;iBACtD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,QAAQ;YACR,OAAO,EAAE,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,aAAa;SAC/F,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACpE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAiB;IACpD,MAAM,SAAS,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,QAAQ,EAAE,EAAE;YACZ,OAAO,EAAE,kGAAkG;SAC5G,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAE3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE;YAC/C,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK;SACzD,EAAE;YACD,OAAO,EAAE,MAAM;YACf,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;QACzC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,2EAA2E;QAC3E,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;YAC/D,MAAM,MAAM,GAAG,MAAM,CAAE,GAA2B,CAAC,MAAM,CAAC,CAAC;YAC3D,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBACzC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC;YACxC,CAAC;QACH,CAAC;QACD,OAAO;YACL,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,EAAE;YACZ,OAAO,EAAE,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACvF,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YAAC,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;YACnD,MAAM,KAAK,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC"}
+{"version":3,"file":"aguara.js","sourceRoot":"","sources":["../src/aguara.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,UAAU,GAA2B;IACzC,CAAC,EAAE,UAAU;IACb,CAAC,EAAE,MAAM;IACT,CAAC,EAAE,QAAQ;IACX,CAAC,EAAE,KAAK;CACT,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,QAAQ,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3F,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAyB,EAAE,SAAiC;IACxF,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACrC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5B,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9C,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAqB;IAC/C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,CAAC,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;gBAC5B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAsBD,SAAS,iBAAiB,CAAC,GAAgC;IACzD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,UAAU,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;IACnE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACxE,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,aAAa,CAAC,GAAuB,EAAE,QAAgB;IAC9D,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrB,QAAQ,EAAE,iBAAiB,CAAC,CAAC,CAAC,QAAQ,CAAC;QACvC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC;QAC/B,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC;QACnC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC;QAClC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC;QACxC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,IAAI,EAAE,CAAC;QACzC,QAAQ;QACR,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QACrD,UAAU,EAAE,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;QACvE,KAAK,EAAE,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACxD,WAAW,EAAE,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;KAC3E,CAAC,CAAC,CAAC;AACN,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,QAAgB;IACvC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE;YAC/C,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK;SAC1D,EAAE;YACD,OAAO,EAAE,MAAM;YACf,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAqB,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,2EAA2E;QAC3E,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,QAAQ,IAAI,GAAG,EAAE,CAAC;YAC/D,MAAM,MAAM,GAAG,MAAM,CAAE,GAA2B,CAAC,MAAM,CAAC,CAAC;YAC3D,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAqB,CAAC;YAChD,CAAC;QACH,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AASD,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAsB;IACzD,MAAM,SAAS,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,QAAQ,EAAE,EAAE;YACZ,OAAO,EAAE,sBAAsB;SAChC,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;IAEtB,MAAM,WAAW,GAAoB,EAAE,CAAC;IACxC,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,IAAI,CAAC;QACH,+DAA+D;QAC/D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;YACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;YACnD,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;YAC5C,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAE5B,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS;gBAAE,WAAW,GAAG,MAAM,CAAC,YAAY,CAAC;YACzE,IAAI,MAAM,CAAC,WAAW,KAAK,SAAS;gBAAE,aAAa,IAAI,MAAM,CAAC,WAAW,CAAC;YAE1E,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACnC,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,MAAM,OAAO,GAAG,oBAAoB,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;YAC/E,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;gBAC9C,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC5C,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAE5B,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACzC,IAAI,MAAM,CAAC,WAAW,KAAK,SAAS;oBAAE,aAAa,IAAI,MAAM,CAAC,WAAW,CAAC;gBAC1E,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnC,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;gBACpE,CAAC;YACH,CAAC;QACH,CAAC;QAED,eAAe;QACf,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAClD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;gBAC5C,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC5C,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAE5B,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACzC,IAAI,MAAM,CAAC,WAAW,KAAK,SAAS;oBAAE,aAAa,IAAI,MAAM,CAAC,WAAW,CAAC;gBAC1E,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnC,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;gBAClE,CAAC;YACH,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,MAAM,QAAQ,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QACrF,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEtF,OAAO;YACL,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,WAAW;YACrB,OAAO,EAAE,GAAG,WAAW,CAAC,MAAM,aAAa;YAC3C,WAAW,EAAE,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtD,UAAU,EAAE,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,EAAE;YACZ,OAAO,EAAE,oBAAoB;SAC9B,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;YAC7B,IAAI,CAAC;gBAAC,MAAM,MAAM,CAAC,CAAC,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,EAAE,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;YAChD,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC"}

package/dist/analyzer.d.ts

@@ -1,6 +1,6 @@
-import type { ToolInfo, AnalyzedTool, ToolCategory } from "./types.js";
-export declare function categorizeTool(tool: ToolInfo): ToolCategory;
-export declare function analyzeTools(tools: ToolInfo[]): AnalyzedTool[];
+import type { ToolInfo, AnalyzedTool, ToolCategory, AguaraFinding } from "./types.js";
+export declare function categorizeTool(tool: ToolInfo, findings?: AguaraFinding[]): ToolCategory;
+export declare function analyzeTools(tools: ToolInfo[], findingsByTool?: Map<string, AguaraFinding[]>): AnalyzedTool[];
 export declare function summarize(tools: AnalyzedTool[]): {
     read: number;
     write: number;

package/dist/analyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,QAAQ,EACR,YAAY,EACZ,YAAY,EACb,MAAM,YAAY,CAAC;AAepB,wBAAgB,cAAc,CAAC,IAAI,EAAE,QAAQ,GAAG,YAAY,CAU3D;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,YAAY,EAAE,CAK9D;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,YAAY,EAAE,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAY/F"}
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,aAAa,EACd,MAAM,YAAY,CAAC;AAsBpB,wBAAgB,cAAc,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE,aAAa,EAAE,GAAG,YAAY,CAmBvF;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,cAAc,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,EAAE,CAAC,GAAG,YAAY,EAAE,CAS7G;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,YAAY,EAAE,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAY/F"}