mitnick-cli 1.0.0

package/dist/analyzers/dormant-package/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/dormant-package/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAS/C,6DAA6D;AAE7D,yDAAyD;AACzD,MAAM,uBAAuB,GAAG,GAAG,CAAC;AAEpC,4BAA4B;AAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAEvC,6DAA6D;AAE7D,MAAM,OAAO,sBAAsB;IACxB,IAAI,GAAG,iBAAiB,CAAC;IACzB,WAAW,GAAG,+DAA+D,CAAC;IAEvF,OAAO,CAAC,OAAwB;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,gBAAgB,CAAC;YAEpE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,sDAAsD;gBACtD,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,EAAE;oBACZ,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,+CAA+C;YAC/C,MAAM,YAAY,GAAG,IAAI,CAAC,uBAAuB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAErE,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5B,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,EAAE;oBACZ,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,iEAAiE;YACjE,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAEvD,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACzB,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,EAAE;oBACZ,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;YAE3F,IAAI,OAAO,GAAG,uBAAuB,EAAE,CAAC;gBACtC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;gBAC3C,MAAM,QAAQ,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBAE5C,gDAAgD;gBAChD,MAAM,gBAAgB,GACpB,MAAM,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO;oBAClC,MAAM,CAAC,OAAO,KAAK,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAEjE,IAAI,gBAAgB,EAAE,CAAC;oBACrB,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,QAAQ;wBAClB,KAAK,EAAE,6BAA6B,SAAS,qBAAqB;wBAClE,WAAW,EACT,uBAAuB,MAAM,CAAC,OAAO,qBAAqB;4BAC1D,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,mBAAmB,OAAO,QAAQ;4BACzF,KAAK,QAAQ,uCAAuC,QAAQ,CAAC,OAAO,IAAI;4BACxE,aAAa,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,KAAK;4BACxE,mEAAmE;wBACrE,cAAc,EACZ,0EAA0E;4BAC1E,uDAAuD;qBAC1D,CAAC,CAAC;oBAEH,4EAA4E;oBAC5E,8CAA8C;oBAC9C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAC7B,QAAQ,CAAC,IAAI,CAAC;4BACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,QAAQ,EAAE,MAAM;4BAChB,KAAK,EAAE,kDAAkD;4BACzD,WAAW,EACT,+BAA+B,OAAO,iDAAiD;gCACvF,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,SAAS,sDAAsD;4BAC7F,cAAc,EACZ,4EAA4E;gCAC5E,sEAAsE;yBACzE,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,4DAA4D;gBAC5D,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC,CAAC;IACL,CAAC;IAEO,uBAAuB,CAC7B,QAA2B,EAC3B,OAAyC;QAEzC,MAAM,MAAM,GAAkB,EAAE,CAAC;QAEjC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;YACjC,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,EAAE;gBAAE,SAAS;YAEtD,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBAAE,SAAS;YAEpC,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACjC,CAAC;QAED,yBAAyB;QACzB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3D,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,mBAAmB,CAAC,YAAoC,EAAE,QAAmB;QACnF,gFAAgF;QAChF,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,IAAI,WAAoC,CAAC;QACzC,IAAI,SAAkC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACjD,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACjC,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI;gBAAE,SAAS;YAE7B,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC;YACrE,IAAI,GAAG,GAAG,MAAM,EAAE,CAAC;gBACjB,MAAM,GAAG,GAAG,CAAC;gBACb,WAAW,GAAG,IAAI,CAAC;gBACnB,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;QACH,CAAC;QAED,IAAI,MAAM,GAAG,uBAAuB,GAAG,CAAC,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;YACrE,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,4BAA4B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO;gBAC5D,WAAW,EACT,oBAAoB,WAAW,CAAC,OAAO,QAAQ,SAAS,CAAC,OAAO,IAAI;oBACpE,sBAAsB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ;aACnD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}

package/dist/analyzers/file-based-analyzer.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Abstract base class for analyzers that walk source files in the extracted package.
+ *
+ * Subclasses only need to implement `analyzeFile()` — the file-walking boilerplate
+ * (directory traversal, extension filtering, safe reads) is handled here.
+ */
+import type { Analyzer } from './analyzer.interface.js';
+import type { AnalysisContext, AnalyzerResult, Finding } from '../core/types.js';
+export declare abstract class FileBasedAnalyzer implements Analyzer {
+    abstract readonly name: string;
+    abstract readonly description: string;
+    /**
+     * Analyze a single source file and return any findings.
+     * @param source  The file contents as a UTF-8 string.
+     * @param relativePath  The path relative to the extraction root.
+     */
+    protected abstract analyzeFile(source: string, relativePath: string): Finding[];
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+}
+//# sourceMappingURL=file-based-analyzer.d.ts.map

package/dist/analyzers/file-based-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-based-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/file-based-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAKjF,8BAAsB,iBAAkB,YAAW,QAAQ;IACzD,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAEtC;;;;OAIG;IACH,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,EAAE;IAEzE,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CA0BjE"}

package/dist/analyzers/file-based-analyzer.js

@@ -0,0 +1,35 @@
+/**
+ * Abstract base class for analyzers that walk source files in the extracted package.
+ *
+ * Subclasses only need to implement `analyzeFile()` — the file-walking boilerplate
+ * (directory traversal, extension filtering, safe reads) is handled here.
+ */
+import { walkDirectory, readFileSafe, isAnalyzableFile } from '../utils/fs.js';
+import { logger } from '../utils/logger.js';
+import { relative } from 'node:path';
+export class FileBasedAnalyzer {
+    async analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            for await (const filePath of walkDirectory(context.extractedPath)) {
+                if (!isAnalyzableFile(filePath))
+                    continue;
+                const source = await readFileSafe(filePath);
+                if (source === null || source.length === 0)
+                    continue;
+                const relPath = relative(context.extractedPath, filePath);
+                findings.push(...this.analyzeFile(source, relPath));
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return {
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        };
+    }
+}
+//# sourceMappingURL=file-based-analyzer.js.map

package/dist/analyzers/file-based-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-based-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/file-based-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAC/E,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,MAAM,OAAgB,iBAAiB;IAWrC,KAAK,CAAC,OAAO,CAAC,OAAwB;QACpC,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,IAAI,KAAK,EAAE,MAAM,QAAQ,IAAI,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;gBAClE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAE1C,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;gBAC5C,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAS;gBAErD,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;gBAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;CACF"}

package/dist/analyzers/install-scripts/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Install Script Analyzer — detects lifecycle scripts in package.json
+ * and analyzes their contents for suspicious patterns.
+ */
+import type { Analyzer } from '../analyzer.interface.js';
+import type { AnalysisContext, AnalyzerResult } from '../../core/types.js';
+export declare class InstallScriptAnalyzer implements Analyzer {
+    readonly name = "install-scripts";
+    readonly description = "Detects lifecycle scripts and analyzes their contents for suspicious patterns";
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+    private detectSuspiciousPatterns;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/install-scripts/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/install-scripts/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAqB,MAAM,qBAAqB,CAAC;AA2E9F,qBAAa,qBAAsB,YAAW,QAAQ;IACpD,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,WAAW,mFAC8D;IAElF,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;IAiD1D,OAAO,CAAC,wBAAwB;CAkBjC"}

package/dist/analyzers/install-scripts/index.js

@@ -0,0 +1,125 @@
+/**
+ * Install Script Analyzer — detects lifecycle scripts in package.json
+ * and analyzes their contents for suspicious patterns.
+ */
+import { truncate } from '../../utils/strings.js';
+import { logger } from '../../utils/logger.js';
+// ─── Constants ────────────────────────────────────────────
+const LIFECYCLE_HOOKS = [
+    'preinstall',
+    'install',
+    'postinstall',
+    'preuninstall',
+    'postuninstall',
+];
+const SUSPICIOUS_PATTERNS = [
+    { pattern: /\bcurl\b/i, label: 'curl command (network download)', severity: 'critical' },
+    { pattern: /\bwget\b/i, label: 'wget command (network download)', severity: 'critical' },
+    { pattern: /\beval\b/, label: 'eval usage (dynamic code execution)', severity: 'critical' },
+    {
+        pattern: /\bnew\s+Function\b/,
+        label: 'new Function() (dynamic code creation)',
+        severity: 'critical',
+    },
+    {
+        pattern: /\b(base64|atob|btoa|Buffer\.from)\b/,
+        label: 'encoded string handling',
+        severity: 'critical',
+    },
+    {
+        pattern: /\b(sh|bash|cmd|powershell|pwsh)\s+-c\b/,
+        label: 'shell spawning',
+        severity: 'critical',
+    },
+    {
+        pattern: /\bchild_process\b/,
+        label: 'child_process usage (subprocess spawning)',
+        severity: 'critical',
+    },
+    {
+        pattern: /\b(exec|execSync|spawn|spawnSync|execFile)\b/,
+        label: 'process execution',
+        severity: 'critical',
+    },
+    {
+        pattern: /process\.env/,
+        label: 'environment variable access',
+        severity: 'high',
+    },
+    {
+        pattern: /\$\{?\w*HOME\b|\$\{?\w*USER\b|\$\{?\w*PATH\b/,
+        label: 'environment variable reference',
+        severity: 'high',
+    },
+    {
+        pattern: /https?:\/\/[^\s"']+/,
+        label: 'hardcoded URL',
+        severity: 'high',
+    },
+    {
+        pattern: /\brm\s+-rf\b/,
+        label: 'recursive file deletion',
+        severity: 'high',
+    },
+];
+// ─── Analyzer ─────────────────────────────────────────────
+export class InstallScriptAnalyzer {
+    name = 'install-scripts';
+    description = 'Detects lifecycle scripts and analyzes their contents for suspicious patterns';
+    analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            const scripts = context.packageJson['scripts'];
+            if (scripts === null || scripts === undefined || typeof scripts !== 'object') {
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings: [],
+                    duration: performance.now() - start,
+                });
+            }
+            const scriptsRecord = scripts;
+            for (const hook of LIFECYCLE_HOOKS) {
+                const scriptValue = scriptsRecord[hook];
+                if (typeof scriptValue !== 'string')
+                    continue;
+                const scriptContent = scriptValue;
+                // Flag presence of any lifecycle hook
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: `Lifecycle script detected: ${hook}`,
+                    description: `The package defines a "${hook}" script: "${truncate(scriptContent, 120)}"`,
+                    recommendation: 'Review the script carefully before installing. Consider using --ignore-scripts flag.',
+                });
+                // Analyze content for suspicious patterns
+                const suspiciousMatches = this.detectSuspiciousPatterns(scriptContent, hook);
+                findings.push(...suspiciousMatches);
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return Promise.resolve({
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        });
+    }
+    detectSuspiciousPatterns(script, hook) {
+        const findings = [];
+        for (const { pattern, label, severity } of SUSPICIOUS_PATTERNS) {
+            if (pattern.test(script)) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: severity === 'critical' ? 'critical' : 'high',
+                    title: `Suspicious content in ${hook}: ${label}`,
+                    description: `The "${hook}" script contains ${label}. Script: "${truncate(script, 200)}"`,
+                    recommendation: 'Inspect the script manually. This pattern is commonly seen in malicious packages.',
+                });
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/install-scripts/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/install-scripts/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,6DAA6D;AAE7D,MAAM,eAAe,GAAG;IACtB,YAAY;IACZ,SAAS;IACT,aAAa;IACb,cAAc;IACd,eAAe;CACP,CAAC;AAUX,MAAM,mBAAmB,GAAiC;IACxD,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACxF,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACxF,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,qCAAqC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3F;QACE,OAAO,EAAE,oBAAoB;QAC7B,KAAK,EAAE,wCAAwC;QAC/C,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,OAAO,EAAE,wCAAwC;QACjD,KAAK,EAAE,gBAAgB;QACvB,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,KAAK,EAAE,2CAA2C;QAClD,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,OAAO,EAAE,8CAA8C;QACvD,KAAK,EAAE,mBAAmB;QAC1B,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,OAAO,EAAE,8CAA8C;QACvD,KAAK,EAAE,gCAAgC;QACvC,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,KAAK,EAAE,eAAe;QACtB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,MAAM;KACjB;CACO,CAAC;AAEX,6DAA6D;AAE7D,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,iBAAiB,CAAC;IACzB,WAAW,GAClB,+EAA+E,CAAC;IAElF,OAAO,CAAC,OAAwB;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;YAC/C,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC7E,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,EAAE;oBACZ,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,MAAM,aAAa,GAAG,OAA4C,CAAC;YAEnE,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;gBACnC,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;gBACxC,IAAI,OAAO,WAAW,KAAK,QAAQ;oBAAE,SAAS;gBAE9C,MAAM,aAAa,GAAG,WAAW,CAAC;gBAElC,sCAAsC;gBACtC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,8BAA8B,IAAI,EAAE;oBAC3C,WAAW,EAAE,0BAA0B,IAAI,cAAc,QAAQ,CAAC,aAAa,EAAE,GAAG,CAAC,GAAG;oBACxF,cAAc,EACZ,sFAAsF;iBACzF,CAAC,CAAC;gBAEH,0CAA0C;gBAC1C,MAAM,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;gBAC7E,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC,CAAC;IACL,CAAC;IAEO,wBAAwB,CAAC,MAAc,EAAE,IAAmB;QAClE,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,mBAAmB,EAAE,CAAC;YAC/D,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;oBACvD,KAAK,EAAE,yBAAyB,IAAI,KAAK,KAAK,EAAE;oBAChD,WAAW,EAAE,QAAQ,IAAI,qBAAqB,KAAK,cAAc,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG;oBACzF,cAAc,EACZ,mFAAmF;iBACtF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/license/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * License Analyzer — checks the package's license field for compliance
+ * risks including copyleft, missing, and non-standard licenses.
+ */
+import type { Analyzer } from '../analyzer.interface.js';
+import type { AnalysisContext, AnalyzerResult } from '../../core/types.js';
+export declare class LicenseAnalyzer implements Analyzer {
+    readonly name = "license";
+    readonly description = "Checks package license for compliance risks and missing license information";
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/license/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/license/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAqB,MAAM,qBAAqB,CAAC;AA6F9F,qBAAa,eAAgB,YAAW,QAAQ;IAC9C,QAAQ,CAAC,IAAI,aAAa;IAC1B,QAAQ,CAAC,WAAW,iFAC4D;IAEhF,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CAiI3D"}

package/dist/analyzers/license/index.js

@@ -0,0 +1,199 @@
+/**
+ * License Analyzer — checks the package's license field for compliance
+ * risks including copyleft, missing, and non-standard licenses.
+ */
+import { logger } from '../../utils/logger.js';
+// ─── License classifications ─────────────────────────────
+/** Permissive licenses that are generally safe for any use. */
+const PERMISSIVE_LICENSES = [
+    'MIT',
+    'Apache-2.0',
+    'BSD-2-Clause',
+    'BSD-3-Clause',
+    'ISC',
+    'Unlicense',
+    'CC0-1.0',
+    '0BSD',
+    'Artistic-2.0',
+    'Zlib',
+    'BSL-1.0',
+    'PostgreSQL',
+    'BlueOak-1.0.0',
+];
+/** Copyleft licenses that impose distribution requirements. */
+const COPYLEFT_LICENSES = [
+    'GPL-2.0',
+    'GPL-2.0-only',
+    'GPL-2.0-or-later',
+    'GPL-3.0',
+    'GPL-3.0-only',
+    'GPL-3.0-or-later',
+    'AGPL-3.0',
+    'AGPL-3.0-only',
+    'AGPL-3.0-or-later',
+    'LGPL-2.0',
+    'LGPL-2.0-only',
+    'LGPL-2.0-or-later',
+    'LGPL-2.1',
+    'LGPL-2.1-only',
+    'LGPL-2.1-or-later',
+    'LGPL-3.0',
+    'LGPL-3.0-only',
+    'LGPL-3.0-or-later',
+    'MPL-2.0',
+    'EUPL-1.1',
+    'EUPL-1.2',
+    'SSPL-1.0',
+    'CPAL-1.0',
+    'OSL-3.0',
+    'CECILL-2.1',
+];
+// ─── Helpers ──────────────────────────────────────────────
+function normalizeIdentifier(license) {
+    return license.trim().replace(/\s+/g, '-');
+}
+function isPermissive(identifier) {
+    const upper = identifier.toUpperCase();
+    return PERMISSIVE_LICENSES.some((l) => l.toUpperCase() === upper);
+}
+function isCopyleft(identifier) {
+    const upper = identifier.toUpperCase();
+    return COPYLEFT_LICENSES.some((l) => l.toUpperCase() === upper);
+}
+function isCopyleftPrefix(identifier) {
+    const upper = identifier.toUpperCase();
+    return (upper.startsWith('GPL') ||
+        upper.startsWith('AGPL') ||
+        upper.startsWith('LGPL') ||
+        upper.startsWith('MPL') ||
+        upper.startsWith('EUPL') ||
+        upper.startsWith('SSPL') ||
+        upper.startsWith('CPAL'));
+}
+/**
+ * Parse a simple SPDX expression (handles OR and AND but not complex nesting).
+ * Returns individual identifiers.
+ */
+function parseSpdxIdentifiers(expression) {
+    return expression
+        .split(/\s+(?:OR|AND|WITH)\s+/i)
+        .map((s) => s.replace(/[()]/g, '').trim())
+        .filter((s) => s.length > 0);
+}
+// ─── Analyzer ─────────────────────────────────────────────
+export class LicenseAnalyzer {
+    name = 'license';
+    description = 'Checks package license for compliance risks and missing license information';
+    analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            const licenseField = context.packageJson['license'];
+            // Check for missing license
+            if (licenseField === undefined || licenseField === null) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'medium',
+                    title: 'Missing license',
+                    description: 'The package does not declare a license in package.json. ' +
+                        'Without a license, default copyright laws apply and you may not have permission to use the code.',
+                    recommendation: 'Contact the maintainer to clarify the licensing terms.',
+                });
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings,
+                    duration: performance.now() - start,
+                });
+            }
+            // Handle legacy "licenses" array format
+            if (typeof licenseField !== 'string') {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'low',
+                    title: 'Non-standard license format',
+                    description: 'The license field is not a string. It may use a legacy format or be improperly defined.',
+                    recommendation: 'Review the package license manually.',
+                });
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings,
+                    duration: performance.now() - start,
+                });
+            }
+            const licenseString = licenseField;
+            // Check for common "no license" patterns
+            if (licenseString === 'UNLICENSED' ||
+                licenseString === 'SEE LICENSE IN LICENSE' ||
+                licenseString.toUpperCase() === 'NONE') {
+                const severity = licenseString === 'UNLICENSED' ? 'medium' : 'low';
+                findings.push({
+                    analyzer: this.name,
+                    severity,
+                    title: licenseString === 'UNLICENSED'
+                        ? 'Proprietary/unlicensed package'
+                        : 'Custom license reference',
+                    description: `The package license is "${licenseString}". ` +
+                        (licenseString === 'UNLICENSED'
+                            ? 'This means it is proprietary and you may not have permission to use it.'
+                            : 'Review the referenced license file for terms.'),
+                    recommendation: 'Review the license terms before using this package.',
+                });
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings,
+                    duration: performance.now() - start,
+                });
+            }
+            // Parse SPDX identifiers
+            const identifiers = parseSpdxIdentifiers(licenseString);
+            let hasCopyleft = false;
+            let hasPermissive = false;
+            let hasUnknown = false;
+            for (const identifier of identifiers) {
+                const normalized = normalizeIdentifier(identifier);
+                if (isPermissive(normalized)) {
+                    hasPermissive = true;
+                }
+                else if (isCopyleft(normalized) || isCopyleftPrefix(normalized)) {
+                    hasCopyleft = true;
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'medium',
+                        title: `Copyleft license: ${normalized}`,
+                        description: `The package uses the ${normalized} license, which requires derivative works ` +
+                            'to be distributed under the same license terms.',
+                        recommendation: 'Ensure your project complies with copyleft requirements, or choose an alternative package.',
+                    });
+                }
+                else {
+                    hasUnknown = true;
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'low',
+                        title: `Non-standard license: ${normalized}`,
+                        description: `The license identifier "${normalized}" is not a commonly recognized SPDX identifier.`,
+                        recommendation: 'Review the license terms manually to understand your obligations.',
+                    });
+                }
+            }
+            // Info finding for permissive-only licenses
+            if (hasPermissive && !hasCopyleft && !hasUnknown) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'info',
+                    title: `Permissive license: ${licenseString}`,
+                    description: `The package uses the permissive ${licenseString} license.`,
+                });
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return Promise.resolve({
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        });
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/license/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/license/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,4DAA4D;AAE5D,+DAA+D;AAC/D,MAAM,mBAAmB,GAAsB;IAC7C,KAAK;IACL,YAAY;IACZ,cAAc;IACd,cAAc;IACd,KAAK;IACL,WAAW;IACX,SAAS;IACT,MAAM;IACN,cAAc;IACd,MAAM;IACN,SAAS;IACT,YAAY;IACZ,eAAe;CAChB,CAAC;AAEF,+DAA+D;AAC/D,MAAM,iBAAiB,GAAsB;IAC3C,SAAS;IACT,cAAc;IACd,kBAAkB;IAClB,SAAS;IACT,cAAc;IACd,kBAAkB;IAClB,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,SAAS;IACT,UAAU;IACV,UAAU;IACV,UAAU;IACV,UAAU;IACV,SAAS;IACT,YAAY;CACb,CAAC;AAEF,6DAA6D;AAE7D,SAAS,mBAAmB,CAAC,OAAe;IAC1C,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,YAAY,CAAC,UAAkB;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IACvC,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,UAAU,CAAC,UAAkB;IACpC,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IACvC,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB;IAC1C,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IACvC,OAAO,CACL,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QACvB,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QACxB,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QACxB,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QACvB,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QACxB,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QACxB,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CACzB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,UAAkB;IAC9C,OAAO,UAAU;SACd,KAAK,CAAC,wBAAwB,CAAC;SAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;SACzC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACjC,CAAC;AAED,6DAA6D;AAE7D,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,SAAS,CAAC;IACjB,WAAW,GAClB,6EAA6E,CAAC;IAEhF,OAAO,CAAC,OAAwB;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;YAEpD,4BAA4B;YAC5B,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;gBACxD,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,iBAAiB;oBACxB,WAAW,EACT,0DAA0D;wBAC1D,kGAAkG;oBACpG,cAAc,EAAE,wDAAwD;iBACzE,CAAC,CAAC;gBACH,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ;oBACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,wCAAwC;YACxC,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,6BAA6B;oBACpC,WAAW,EACT,yFAAyF;oBAC3F,cAAc,EAAE,sCAAsC;iBACvD,CAAC,CAAC;gBACH,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ;oBACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,MAAM,aAAa,GAAG,YAAY,CAAC;YAEnC,yCAAyC;YACzC,IACE,aAAa,KAAK,YAAY;gBAC9B,aAAa,KAAK,wBAAwB;gBAC1C,aAAa,CAAC,WAAW,EAAE,KAAK,MAAM,EACtC,CAAC;gBACD,MAAM,QAAQ,GAAa,aAAa,KAAK,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC7E,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ;oBACR,KAAK,EACH,aAAa,KAAK,YAAY;wBAC5B,CAAC,CAAC,gCAAgC;wBAClC,CAAC,CAAC,0BAA0B;oBAChC,WAAW,EACT,2BAA2B,aAAa,KAAK;wBAC7C,CAAC,aAAa,KAAK,YAAY;4BAC7B,CAAC,CAAC,yEAAyE;4BAC3E,CAAC,CAAC,+CAA+C,CAAC;oBACtD,cAAc,EAAE,qDAAqD;iBACtE,CAAC,CAAC;gBACH,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ;oBACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,yBAAyB;YACzB,MAAM,WAAW,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAExD,IAAI,WAAW,GAAG,KAAK,CAAC;YACxB,IAAI,aAAa,GAAG,KAAK,CAAC;YAC1B,IAAI,UAAU,GAAG,KAAK,CAAC;YAEvB,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;gBACrC,MAAM,UAAU,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;gBAEnD,IAAI,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC7B,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;qBAAM,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,gBAAgB,CAAC,UAAU,CAAC,EAAE,CAAC;oBAClE,WAAW,GAAG,IAAI,CAAC;oBACnB,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,QAAQ;wBAClB,KAAK,EAAE,qBAAqB,UAAU,EAAE;wBACxC,WAAW,EACT,wBAAwB,UAAU,4CAA4C;4BAC9E,iDAAiD;wBACnD,cAAc,EACZ,4FAA4F;qBAC/F,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,UAAU,GAAG,IAAI,CAAC;oBAClB,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,KAAK;wBACf,KAAK,EAAE,yBAAyB,UAAU,EAAE;wBAC5C,WAAW,EAAE,2BAA2B,UAAU,iDAAiD;wBACnG,cAAc,EAAE,mEAAmE;qBACpF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,4CAA4C;YAC5C,IAAI,aAAa,IAAI,CAAC,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;gBACjD,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,uBAAuB,aAAa,EAAE;oBAC7C,WAAW,EAAE,mCAAmC,aAAa,WAAW;iBACzE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/analyzers/maintainer/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Maintainer Analyzer — evaluates package maintainer health using
+ * registry metadata (bus factor, maintainer count).
+ */
+import type { Analyzer } from '../analyzer.interface.js';
+import type { AnalysisContext, AnalyzerResult } from '../../core/types.js';
+export declare class MaintainerAnalyzer implements Analyzer {
+    readonly name = "maintainer";
+    readonly description = "Evaluates package maintainer health and bus factor risk";
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/maintainer/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/maintainer/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAW,MAAM,qBAAqB,CAAC;AAKpF,qBAAa,kBAAmB,YAAW,QAAQ;IACjD,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,WAAW,6DAA6D;IAEjF,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CA4F3D"}

package/dist/analyzers/maintainer/index.js

@@ -0,0 +1,93 @@
+/**
+ * Maintainer Analyzer — evaluates package maintainer health using
+ * registry metadata (bus factor, maintainer count).
+ */
+import { logger } from '../../utils/logger.js';
+// ─── Analyzer ─────────────────────────────────────────────
+export class MaintainerAnalyzer {
+    name = 'maintainer';
+    description = 'Evaluates package maintainer health and bus factor risk';
+    analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            const { maintainers } = context.registryMetadata;
+            if (maintainers.length === 0) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'medium',
+                    title: 'No maintainers listed',
+                    description: 'The package has no maintainers listed in the registry metadata. ' +
+                        'This could indicate an abandoned or improperly published package.',
+                    recommendation: 'Verify the package is actively maintained before relying on it.',
+                });
+            }
+            else if (maintainers.length === 1) {
+                const maintainer = maintainers[0];
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'low',
+                    title: 'Single maintainer (bus factor = 1)',
+                    description: `The package has only one maintainer: ${maintainer?.name ?? 'unknown'}. ` +
+                        'If this person becomes unavailable, the package may become unmaintained.',
+                    recommendation: 'Consider the risk of depending on a single-maintainer package. ' +
+                        'Check if there are alternative packages with broader maintainer support.',
+                });
+            }
+            else {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'info',
+                    title: `${maintainers.length} maintainers`,
+                    description: `The package has ${maintainers.length} maintainers: ` +
+                        `${maintainers.map((m) => m.name).join(', ')}.`,
+                });
+            }
+            // Check if the package was recently published (new package risk)
+            const publishedAt = context.registryMetadata.publishedAt;
+            if (publishedAt !== undefined && publishedAt !== '') {
+                const publishDate = new Date(publishedAt);
+                const now = new Date();
+                const ageInDays = (now.getTime() - publishDate.getTime()) / (1000 * 60 * 60 * 24);
+                if (ageInDays < 7) {
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'medium',
+                        title: 'Very recently published version',
+                        description: `This version was published ${Math.floor(ageInDays)} day(s) ago (${publishedAt}). ` +
+                            'Very new versions have had less community scrutiny.',
+                        recommendation: 'Consider waiting for community feedback before adopting very new versions.',
+                    });
+                }
+                else if (ageInDays < 30) {
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'info',
+                        title: 'Recently published version',
+                        description: `This version was published ${Math.floor(ageInDays)} day(s) ago (${publishedAt}).`,
+                    });
+                }
+            }
+            // Check total number of versions as a maturity signal
+            const versionCount = context.registryMetadata.versions.length;
+            if (versionCount === 1) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'low',
+                    title: 'First published version',
+                    description: 'This package has only one published version, indicating it is brand new.',
+                    recommendation: 'New packages have had less vetting. Review the code carefully.',
+                });
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return Promise.resolve({
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        });
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/maintainer/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/maintainer/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,6DAA6D;AAE7D,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,YAAY,CAAC;IACpB,WAAW,GAAG,yDAAyD,CAAC;IAEjF,OAAO,CAAC,OAAwB;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,gBAAgB,CAAC;YAEjD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC7B,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,uBAAuB;oBAC9B,WAAW,EACT,kEAAkE;wBAClE,mEAAmE;oBACrE,cAAc,EAAE,iEAAiE;iBAClF,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACpC,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,oCAAoC;oBAC3C,WAAW,EACT,wCAAwC,UAAU,EAAE,IAAI,IAAI,SAAS,IAAI;wBACzE,0EAA0E;oBAC5E,cAAc,EACZ,iEAAiE;wBACjE,0EAA0E;iBAC7E,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,GAAG,WAAW,CAAC,MAAM,cAAc;oBAC1C,WAAW,EACT,mBAAmB,WAAW,CAAC,MAAM,gBAAgB;wBACrD,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;iBAClD,CAAC,CAAC;YACL,CAAC;YAED,iEAAiE;YACjE,MAAM,WAAW,GAAG,OAAO,CAAC,gBAAgB,CAAC,WAAW,CAAC;YACzD,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,EAAE,EAAE,CAAC;gBACpD,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC1C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;gBAElF,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;oBAClB,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,QAAQ;wBAClB,KAAK,EAAE,iCAAiC;wBACxC,WAAW,EACT,8BAA8B,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,gBAAgB,WAAW,KAAK;4BACnF,qDAAqD;wBACvD,cAAc,EACZ,4EAA4E;qBAC/E,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,SAAS,GAAG,EAAE,EAAE,CAAC;oBAC1B,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,MAAM;wBAChB,KAAK,EAAE,4BAA4B;wBACnC,WAAW,EAAE,8BAA8B,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,gBAAgB,WAAW,IAAI;qBAChG,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,sDAAsD;YACtD,MAAM,YAAY,GAAG,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC9D,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,yBAAyB;oBAChC,WAAW,EAAE,0EAA0E;oBACvF,cAAc,EAAE,gEAAgE;iBACjF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/analyzers/network-calls/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Network Call Analyzer — detects outbound HTTP requests, WebSocket
+ * connections, hardcoded IPs, and imports of networking libraries.
+ */
+import type { Finding } from '../../core/types.js';
+import { FileBasedAnalyzer } from '../file-based-analyzer.js';
+export declare class NetworkCallsAnalyzer extends FileBasedAnalyzer {
+    readonly name = "network-calls";
+    readonly description = "Detects outbound network requests, hardcoded IPs, and networking library imports";
+    protected analyzeFile(source: string, relPath: string): Finding[];
+    private detectNetworkAPIs;
+    private detectNetworkImports;
+    private detectHardcodedIPs;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/network-calls/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/network-calls/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAwB9D,qBAAa,oBAAqB,SAAQ,iBAAiB;IACzD,QAAQ,CAAC,IAAI,mBAAmB;IAChC,QAAQ,CAAC,WAAW,sFACiE;IAErF,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,EAAE;IAUjE,OAAO,CAAC,iBAAiB;IAoGzB,OAAO,CAAC,oBAAoB;IA2D5B,OAAO,CAAC,kBAAkB;CAsC3B"}