n8n-nodes-trusera 0.2.0

package/README.md

@@ -0,0 +1,76 @@
+# n8n-nodes-trusera
+
+n8n community node to scan workflows for AI security risks using Trusera AI-BOM.
+
+[n8n](https://n8n.io/) is a fair-code licensed workflow automation platform.
+
+[Trusera](https://trusera.dev) provides AI Bill of Materials (AI-BOM) scanning for detecting security risks in AI-powered workflows.
+
+## Nodes
+
+### Trusera Scan
+
+Scans n8n workflow JSON for AI components and security risks. Detects:
+
+- LLM providers (OpenAI, Anthropic, Google, Ollama, etc.)
+- Agent frameworks and multi-agent chains
+- MCP client/server connections
+- Tool usage (code execution, HTTP requests)
+- Embedding and vector store configurations
+- Hardcoded API keys and credentials
+- Dangerous code patterns
+
+### Trusera Policy
+
+Evaluates scan results against configurable security policies:
+
+- Maximum critical/high severity component limits
+- Maximum risk score thresholds
+- Provider blocklists
+- Flag blocklists
+
+### Trusera Report
+
+Generates human-readable security reports from scan results:
+
+- Markdown format with severity breakdown
+- JSON summary format
+- Configurable severity threshold
+
+## Credentials
+
+### Trusera API
+
+Configure with your Trusera API key (`tsk_` prefix) and base URL for self-hosted instances.
+
+## Risk Flags
+
+| Flag | Weight | Description |
+| --- | --- | --- |
+| hardcoded_api_key | 30 | Hardcoded API key detected |
+| hardcoded_credentials | 30 | Hardcoded credentials in workflow |
+| code_http_tools | 30 | Agent with code execution and HTTP tools |
+| shadow_ai | 25 | AI dependency not declared in project files |
+| webhook_no_auth | 25 | n8n webhook without authentication |
+| internet_facing | 20 | AI endpoint exposed to internet |
+| multi_agent_no_trust | 20 | Multi-agent system without trust boundaries |
+| agent_chain_no_validation | 20 | Agent-to-agent chain without validation |
+| mcp_unknown_server | 20 | MCP client connected to unknown server |
+| no_auth | 15 | AI endpoint without authentication |
+| no_rate_limit | 10 | No rate limiting on AI endpoint |
+| deprecated_model | 10 | Using deprecated AI model |
+| no_error_handling | 10 | No error handling for AI calls |
+| unpinned_model | 5 | Model version not pinned |
+
+## Severity Thresholds
+
+| Severity | Score Range |
+| --- | --- |
+| Critical | 76 - 100 |
+| High | 51 - 75 |
+| Medium | 26 - 50 |
+| Low | 0 - 25 |
+
+## License
+
+Apache-2.0

package/dist/credentials/TruseraApi.credentials.d.ts

@@ -0,0 +1,9 @@
+import type { IAuthenticateGeneric, ICredentialType, INodeProperties } from 'n8n-workflow';
+export declare class TruseraApi implements ICredentialType {
+    name: string;
+    displayName: string;
+    documentationUrl: string;
+    properties: INodeProperties[];
+    authenticate: IAuthenticateGeneric;
+}
+//# sourceMappingURL=TruseraApi.credentials.d.ts.map

package/dist/credentials/TruseraApi.credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TruseraApi.credentials.d.ts","sourceRoot":"","sources":["../../credentials/TruseraApi.credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oBAAoB,EACpB,eAAe,EACf,eAAe,EAChB,MAAM,cAAc,CAAC;AAEtB,qBAAa,UAAW,YAAW,eAAe;IAChD,IAAI,SAAgB;IACpB,WAAW,SAAa;IACxB,gBAAgB,SAA8B;IAE9C,UAAU,EAAE,eAAe,EAAE,CAkB3B;IAEF,YAAY,EAAE,oBAAoB,CAOhC;CACH"}

package/dist/credentials/TruseraApi.credentials.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TruseraApi = void 0;
+class TruseraApi {
+    constructor() {
+        this.name = 'truseraApi';
+        this.displayName = 'n8n API';
+        this.documentationUrl = 'https://docs.n8n.io/api/';
+        this.properties = [
+            {
+                displayName: 'API Key',
+                name: 'apiKey',
+                type: 'string',
+                typeOptions: { password: true },
+                default: '',
+                required: true,
+                description: 'n8n API key from Settings > n8n API',
+            },
+            {
+                displayName: 'n8n Base URL',
+                name: 'baseUrl',
+                type: 'string',
+                default: 'http://localhost:5678',
+                required: false,
+                description: 'URL of your n8n instance',
+            },
+        ];
+        this.authenticate = {
+            type: 'generic',
+            properties: {
+                headers: {
+                    'X-N8N-API-KEY': '={{$credentials.apiKey}}',
+                },
+            },
+        };
+    }
+}
+exports.TruseraApi = TruseraApi;
+//# sourceMappingURL=TruseraApi.credentials.js.map

package/dist/credentials/TruseraApi.credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TruseraApi.credentials.js","sourceRoot":"","sources":["../../credentials/TruseraApi.credentials.ts"],"names":[],"mappings":";;;AAMA,MAAa,UAAU;IAAvB;QACE,SAAI,GAAG,YAAY,CAAC;QACpB,gBAAW,GAAG,SAAS,CAAC;QACxB,qBAAgB,GAAG,0BAA0B,CAAC;QAE9C,eAAU,GAAsB;YAC9B;gBACE,WAAW,EAAE,SAAS;gBACtB,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;gBAC/B,OAAO,EAAE,EAAE;gBACX,QAAQ,EAAE,IAAI;gBACd,WAAW,EAAE,qCAAqC;aACnD;YACD;gBACE,WAAW,EAAE,cAAc;gBAC3B,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,uBAAuB;gBAChC,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,0BAA0B;aACxC;SACF,CAAC;QAEF,iBAAY,GAAyB;YACnC,IAAI,EAAE,SAAS;YACf,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,eAAe,EAAE,0BAA0B;iBAC5C;aACF;SACF,CAAC;IACJ,CAAC;CAAA;AAjCD,gCAiCC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export * from './lib/config';
+export * from './lib/models';
+export * from './lib/riskScorer';
+export * from './lib/policyEngine';
+export * from './lib/scanner';
+export * from './lib/dashboardHtml';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC"}

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./lib/config"), exports);
+__exportStar(require("./lib/models"), exports);
+__exportStar(require("./lib/riskScorer"), exports);
+__exportStar(require("./lib/policyEngine"), exports);
+__exportStar(require("./lib/scanner"), exports);
+__exportStar(require("./lib/dashboardHtml"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,+CAA6B;AAC7B,+CAA6B;AAC7B,mDAAiC;AACjC,qDAAmC;AACnC,gDAA8B;AAC9B,sDAAoC"}

package/dist/lib/config.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Configuration constants for the Trusera AI-BOM n8n scanner.
+ * Ported from the Python config.py.
+ */
+/** Set of n8n node types that involve AI capabilities. */
+export declare const N8N_AI_NODE_TYPES: ReadonlySet<string>;
+export interface ApiKeyPattern {
+    pattern: RegExp;
+    provider: string;
+}
+/** Patterns for detecting hardcoded API keys by provider. */
+export declare const API_KEY_PATTERNS: readonly ApiKeyPattern[];
+/** Risk weight assigned to each flag type. */
+export declare const RISK_WEIGHTS: Readonly<Record<string, number>>;
+/** Set of deprecated AI model identifiers. */
+export declare const DEPRECATED_MODELS: ReadonlySet<string>;
+/** Remediation entry for a risk flag. */
+export interface RemediationEntry {
+    description: string;
+    remediation: string;
+    guardrail: string;
+    owaspCategory: string;
+    owaspCategoryName: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+}
+/** Remediation guidance mapped to each risk flag. */
+export declare const REMEDIATION_MAP: Readonly<Record<string, RemediationEntry>>;
+/** Regex patterns for detecting dangerous code in n8n Code nodes. */
+export declare const DANGEROUS_CODE_PATTERNS: readonly string[];
+//# sourceMappingURL=config.d.ts.map

package/dist/lib/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../lib/config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,0DAA0D;AAC1D,eAAO,MAAM,iBAAiB,EAAE,WAAW,CAAC,MAAM,CA6ChD,CAAC;AAEH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,6DAA6D;AAC7D,eAAO,MAAM,gBAAgB,EAAE,SAAS,aAAa,EAoBpD,CAAC;AAEF,8CAA8C;AAC9C,eAAO,MAAM,YAAY,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAezD,CAAC;AAEF,8CAA8C;AAC9C,eAAO,MAAM,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAoBhD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CAClD;AAED,qDAAqD;AACrD,eAAO,MAAM,eAAe,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAiHtE,CAAC;AAEF,qEAAqE;AACrE,eAAO,MAAM,uBAAuB,EAAE,SAAS,MAAM,EAqBpD,CAAC"}

package/dist/lib/config.js

@@ -0,0 +1,254 @@
+"use strict";
+/**
+ * Configuration constants for the Trusera AI-BOM n8n scanner.
+ * Ported from the Python config.py.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DANGEROUS_CODE_PATTERNS = exports.REMEDIATION_MAP = exports.DEPRECATED_MODELS = exports.RISK_WEIGHTS = exports.API_KEY_PATTERNS = exports.N8N_AI_NODE_TYPES = void 0;
+/** Set of n8n node types that involve AI capabilities. */
+exports.N8N_AI_NODE_TYPES = new Set([
+    '@n8n/n8n-nodes-langchain.agent',
+    '@n8n/n8n-nodes-langchain.lmChatOpenAi',
+    '@n8n/n8n-nodes-langchain.lmChatAnthropic',
+    '@n8n/n8n-nodes-langchain.lmChatGoogleGemini',
+    '@n8n/n8n-nodes-langchain.lmChatOllama',
+    '@n8n/n8n-nodes-langchain.lmChatAzureOpenAi',
+    '@n8n/n8n-nodes-langchain.lmChatMistralCloud',
+    '@n8n/n8n-nodes-langchain.lmChatGroq',
+    '@n8n/n8n-nodes-langchain.lmChatCohere',
+    '@n8n/n8n-nodes-langchain.lmChatHuggingFace',
+    '@n8n/n8n-nodes-langchain.mcpClientTool',
+    '@n8n/n8n-nodes-langchain.toolHttpRequest',
+    '@n8n/n8n-nodes-langchain.toolCode',
+    '@n8n/n8n-nodes-langchain.toolWorkflow',
+    '@n8n/n8n-nodes-langchain.toolCalculator',
+    '@n8n/n8n-nodes-langchain.toolWikipedia',
+    '@n8n/n8n-nodes-langchain.embeddingsOpenAi',
+    '@n8n/n8n-nodes-langchain.embeddingsAzureOpenAi',
+    '@n8n/n8n-nodes-langchain.embeddingsCohere',
+    '@n8n/n8n-nodes-langchain.embeddingsHuggingFaceInference',
+    '@n8n/n8n-nodes-langchain.embeddingsGoogleGemini',
+    '@n8n/n8n-nodes-langchain.embeddingsOllama',
+    '@n8n/n8n-nodes-langchain.vectorStoreChroma',
+    '@n8n/n8n-nodes-langchain.vectorStorePinecone',
+    '@n8n/n8n-nodes-langchain.vectorStoreQdrant',
+    '@n8n/n8n-nodes-langchain.vectorStoreSupabase',
+    '@n8n/n8n-nodes-langchain.vectorStoreInMemory',
+    '@n8n/n8n-nodes-langchain.vectorStoreWeaviate',
+    '@n8n/n8n-nodes-langchain.memoryBufferWindow',
+    '@n8n/n8n-nodes-langchain.memoryPostgresChat',
+    '@n8n/n8n-nodes-langchain.memoryChatHistory',
+    '@n8n/n8n-nodes-langchain.memoryRedisChat',
+    '@n8n/n8n-nodes-langchain.outputParserStructured',
+    '@n8n/n8n-nodes-langchain.outputParserAutofixing',
+    '@n8n/n8n-nodes-langchain.outputParserJson',
+    '@n8n/n8n-nodes-langchain.chainLlm',
+    '@n8n/n8n-nodes-langchain.chainSummarization',
+    '@n8n/n8n-nodes-langchain.chainRetrievalQa',
+    '@n8n/n8n-nodes-langchain.textSplitterRecursiveCharacterTextSplitter',
+    '@n8n/n8n-nodes-langchain.textSplitterCharacterTextSplitter',
+    '@n8n/n8n-nodes-langchain.textSplitterMarkdownTextSplitter',
+    '@n8n/n8n-nodes-langchain.documentLoaderFile',
+    '@n8n/n8n-nodes-langchain.documentLoaderJson',
+    '@n8n/n8n-nodes-langchain.documentLoaderCsv',
+]);
+/** Patterns for detecting hardcoded API keys by provider. */
+exports.API_KEY_PATTERNS = [
+    { pattern: /sk-proj-[a-zA-Z0-9_-]{20,}/, provider: 'OpenAI' },
+    { pattern: /sk-[a-zA-Z0-9]{20,}/, provider: 'OpenAI/DeepSeek' },
+    { pattern: /sk-ant-[a-zA-Z0-9-]{20,}/, provider: 'Anthropic' },
+    { pattern: /hf_[a-zA-Z0-9]{20,}/, provider: 'HuggingFace' },
+    { pattern: /key-[a-zA-Z0-9]{20,}/, provider: 'Cohere' },
+    { pattern: /gsk_[a-zA-Z0-9]{20,}/, provider: 'Groq' },
+    { pattern: /r8_[a-zA-Z0-9]{20,}/, provider: 'Replicate' },
+    { pattern: /xai-[a-zA-Z0-9]{20,}/, provider: 'xAI' },
+    { pattern: /AIza[a-zA-Z0-9_-]{20,}/, provider: 'Google' },
+    { pattern: /fw_[a-zA-Z0-9]{20,}/, provider: 'Fireworks' },
+    { pattern: /pplx-[a-zA-Z0-9]{20,}/, provider: 'Perplexity' },
+    {
+        pattern: /(?:api[_-]?key|token|secret|together[_-]?(?:api|key))[\s'":=]+([a-f0-9]{64})\b/i,
+        provider: 'Together',
+    },
+    {
+        pattern: /(?:api[_-]?key|token|secret|mistral[_-]?(?:api|key))[\s'":=]+([a-zA-Z0-9]{32})\b/i,
+        provider: 'Mistral',
+    },
+];
+/** Risk weight assigned to each flag type. */
+exports.RISK_WEIGHTS = {
+    hardcoded_api_key: 30,
+    hardcoded_credentials: 30,
+    code_http_tools: 30,
+    shadow_ai: 25,
+    webhook_no_auth: 25,
+    internet_facing: 20,
+    multi_agent_no_trust: 20,
+    agent_chain_no_validation: 20,
+    mcp_unknown_server: 20,
+    no_auth: 15,
+    no_rate_limit: 10,
+    deprecated_model: 10,
+    no_error_handling: 10,
+    unpinned_model: 5,
+};
+/** Set of deprecated AI model identifiers. */
+exports.DEPRECATED_MODELS = new Set([
+    'gpt-3.5-turbo',
+    'gpt-3.5-turbo-0301',
+    'gpt-3.5-turbo-0613',
+    'text-davinci-003',
+    'text-davinci-002',
+    'code-davinci-002',
+    'text-ada-001',
+    'text-babbage-001',
+    'text-curie-001',
+    'text-embedding-ada-002',
+    'gpt-4-0314',
+    'gpt-4-0613',
+    'gpt-4-32k-0314',
+    'gpt-4-32k-0613',
+    'claude-instant-1',
+    'claude-instant-1.2',
+    'claude-2.0',
+    'claude-2.1',
+    'claude-3-haiku-20240307',
+]);
+/** Remediation guidance mapped to each risk flag. */
+exports.REMEDIATION_MAP = {
+    hardcoded_api_key: {
+        description: 'An AI provider API key is hardcoded in the workflow JSON instead of using n8n credentials.',
+        remediation: 'Move the API key to n8n Credentials (Settings → Credentials) and reference it via the credential selector. Rotate the exposed key immediately.',
+        guardrail: 'Enable a pre-commit hook or CI check that scans for API key patterns (sk-*, sk-ant-*, hf_*) in committed workflow exports.',
+        owaspCategory: 'LLM06',
+        owaspCategoryName: 'Excessive Agency',
+        severity: 'critical',
+    },
+    hardcoded_credentials: {
+        description: 'Sensitive credentials (passwords, tokens, secrets) are embedded directly in workflow node parameters.',
+        remediation: 'Replace inline credentials with n8n Credential objects. Audit the workflow export for any remaining secrets and rotate them.',
+        guardrail: 'Enforce a policy that workflow exports are scrubbed of secrets before sharing. Use n8n environment variables for sensitive values.',
+        owaspCategory: 'LLM06',
+        owaspCategoryName: 'Excessive Agency',
+        severity: 'critical',
+    },
+    code_http_tools: {
+        description: 'An AI agent has access to both code execution and HTTP request tools, allowing it to run arbitrary code and exfiltrate data.',
+        remediation: 'Separate code execution and HTTP tools into different workflows or agents. If both are needed, add an approval step between them.',
+        guardrail: 'Implement an output filter that blocks the agent from sending code execution results to external URLs. Use an allowlist for permitted HTTP destinations.',
+        owaspCategory: 'LLM04',
+        owaspCategoryName: 'Output Handling',
+        severity: 'critical',
+    },
+    shadow_ai: {
+        description: 'An AI dependency or integration is used in the workflow but not declared in project documentation or dependency files.',
+        remediation: 'Document all AI integrations in your project README or architecture decision records. Register the AI component in your internal AI inventory.',
+        guardrail: 'Run AI-BOM in CI to automatically detect and flag undocumented AI usage. Require AI component registration before deployment.',
+        owaspCategory: 'LLM05',
+        owaspCategoryName: 'Supply Chain',
+        severity: 'high',
+    },
+    webhook_no_auth: {
+        description: 'An n8n webhook trigger is configured without authentication, allowing anyone with the URL to invoke the workflow.',
+        remediation: 'Enable webhook authentication: use Header Auth, Basic Auth, or JWT validation. At minimum, set the webhook to use a unique, unguessable path.',
+        guardrail: 'Add a reverse proxy (nginx/Caddy) with authentication in front of n8n. Monitor webhook access logs for unauthorized calls.',
+        owaspCategory: 'LLM02',
+        owaspCategoryName: 'Sensitive Info Disclosure',
+        severity: 'high',
+    },
+    internet_facing: {
+        description: 'An AI endpoint or webhook is directly accessible from the internet without an authentication layer.',
+        remediation: 'Place the endpoint behind a VPN, API gateway, or reverse proxy with authentication. Restrict access to known IP ranges if possible.',
+        guardrail: 'Use network segmentation to ensure AI endpoints are only reachable from trusted networks. Implement rate limiting at the network edge.',
+        owaspCategory: 'LLM02',
+        owaspCategoryName: 'Sensitive Info Disclosure',
+        severity: 'medium',
+    },
+    multi_agent_no_trust: {
+        description: 'Multiple AI agents interact without defined trust boundaries, allowing one compromised agent to influence others.',
+        remediation: 'Define explicit trust boundaries between agents. Validate and sanitize all inter-agent messages. Use separate credentials per agent.',
+        guardrail: 'Implement a message broker between agents that enforces schema validation and content filtering. Log all inter-agent communication.',
+        owaspCategory: 'LLM01',
+        owaspCategoryName: 'Prompt Injection',
+        severity: 'medium',
+    },
+    agent_chain_no_validation: {
+        description: 'Agents are chained together (output of one feeds input of another) without intermediate validation or sanitization.',
+        remediation: 'Add a validation node between chained agents to check output format, content safety, and data boundaries before passing to the next agent.',
+        guardrail: 'Implement structured output parsers between agents. Use JSON schema validation for inter-agent data. Add content safety filters.',
+        owaspCategory: 'LLM01',
+        owaspCategoryName: 'Prompt Injection',
+        severity: 'medium',
+    },
+    mcp_unknown_server: {
+        description: 'An MCP (Model Context Protocol) client is connected to an unrecognized or unvetted server endpoint.',
+        remediation: 'Verify the MCP server identity and ownership. Use only trusted, audited MCP servers. Pin the server URL to a known endpoint.',
+        guardrail: 'Maintain an allowlist of approved MCP server endpoints. Block connections to unknown servers at the network level.',
+        owaspCategory: 'LLM05',
+        owaspCategoryName: 'Supply Chain',
+        severity: 'medium',
+    },
+    no_auth: {
+        description: 'An AI-related endpoint or service is configured without any authentication mechanism.',
+        remediation: 'Add authentication to the endpoint: API key, OAuth2, or mTLS depending on the use case. Never expose AI services without identity verification.',
+        guardrail: 'Enforce authentication policies at the API gateway level. Use automated scanning to detect unauthenticated endpoints.',
+        owaspCategory: 'LLM02',
+        owaspCategoryName: 'Sensitive Info Disclosure',
+        severity: 'medium',
+    },
+    no_rate_limit: {
+        description: 'No rate limiting is configured on an AI endpoint, making it vulnerable to abuse and cost overruns.',
+        remediation: 'Add rate limiting at the application or API gateway level. Set per-user and per-IP limits appropriate for your use case.',
+        guardrail: 'Configure budget alerts on AI provider accounts. Implement token-based rate limiting that accounts for LLM token consumption.',
+        owaspCategory: 'LLM10',
+        owaspCategoryName: 'Unbounded Consumption',
+        severity: 'low',
+    },
+    deprecated_model: {
+        description: 'The workflow uses an AI model version that has been deprecated by the provider and may be removed or lack security patches.',
+        remediation: 'Upgrade to the latest stable model version recommended by the provider. Test the new model version in a staging environment first.',
+        guardrail: 'Maintain a list of approved model versions. Run AI-BOM in CI to flag deprecated models before deployment.',
+        owaspCategory: 'LLM05',
+        owaspCategoryName: 'Supply Chain',
+        severity: 'low',
+    },
+    no_error_handling: {
+        description: 'AI API calls in the workflow have no error handling, which can lead to silent failures or data loss.',
+        remediation: 'Add error handling nodes after AI operations. Configure retry logic with exponential backoff. Log failures for monitoring.',
+        guardrail: 'Use n8n error workflows to catch and alert on AI operation failures. Implement circuit breakers for AI provider outages.',
+        owaspCategory: 'LLM10',
+        owaspCategoryName: 'Unbounded Consumption',
+        severity: 'low',
+    },
+    unpinned_model: {
+        description: 'The AI model version is not pinned, meaning provider-side updates could change behavior without notice.',
+        remediation: 'Pin the model to a specific version (e.g., gpt-4-0125-preview instead of gpt-4). Document the pinned version in your runbook.',
+        guardrail: 'Use a model registry or configuration file to track pinned versions. Alert when a pinned version approaches its deprecation date.',
+        owaspCategory: 'LLM05',
+        owaspCategoryName: 'Supply Chain',
+        severity: 'low',
+    },
+};
+/** Regex patterns for detecting dangerous code in n8n Code nodes. */
+exports.DANGEROUS_CODE_PATTERNS = [
+    'child_process',
+    'execSync\\(',
+    'exec\\(',
+    'spawn\\(',
+    'process\\.exit\\(',
+    'eval\\(',
+    'Function\\(',
+    'new\\s+Function\\(',
+    "require\\(['\"]fs['\"]\\)",
+    'fs\\.writeFile',
+    'fs\\.unlink',
+    '__dirname',
+    'require\\(\\s*[a-zA-Z_$]',
+    'http\\.request',
+    'https\\.request',
+    'Buffer\\.from',
+    "setTimeout\\s*\\(\\s*['\"]",
+    "setInterval\\s*\\(\\s*['\"]",
+    'document\\.cookie',
+    'window\\.location',
+];
+//# sourceMappingURL=config.js.map

package/dist/lib/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../lib/config.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,0DAA0D;AAC7C,QAAA,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IAC5D,gCAAgC;IAChC,uCAAuC;IACvC,0CAA0C;IAC1C,6CAA6C;IAC7C,uCAAuC;IACvC,4CAA4C;IAC5C,6CAA6C;IAC7C,qCAAqC;IACrC,uCAAuC;IACvC,4CAA4C;IAC5C,wCAAwC;IACxC,0CAA0C;IAC1C,mCAAmC;IACnC,uCAAuC;IACvC,yCAAyC;IACzC,wCAAwC;IACxC,2CAA2C;IAC3C,gDAAgD;IAChD,2CAA2C;IAC3C,yDAAyD;IACzD,iDAAiD;IACjD,2CAA2C;IAC3C,4CAA4C;IAC5C,8CAA8C;IAC9C,4CAA4C;IAC5C,8CAA8C;IAC9C,8CAA8C;IAC9C,8CAA8C;IAC9C,6CAA6C;IAC7C,6CAA6C;IAC7C,4CAA4C;IAC5C,0CAA0C;IAC1C,iDAAiD;IACjD,iDAAiD;IACjD,2CAA2C;IAC3C,mCAAmC;IACnC,6CAA6C;IAC7C,2CAA2C;IAC3C,qEAAqE;IACrE,4DAA4D;IAC5D,2DAA2D;IAC3D,6CAA6C;IAC7C,6CAA6C;IAC7C,4CAA4C;CAC7C,CAAC,CAAC;AAOH,6DAA6D;AAChD,QAAA,gBAAgB,GAA6B;IACxD,EAAE,OAAO,EAAE,4BAA4B,EAAE,QAAQ,EAAE,QAAQ,EAAE;IAC7D,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,iBAAiB,EAAE;IAC/D,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,WAAW,EAAE;IAC9D,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,aAAa,EAAE;IAC3D,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACvD,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAM,EAAE;IACrD,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,WAAW,EAAE;IACzD,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACpD,EAAE,OAAO,EAAE,wBAAwB,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACzD,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,WAAW,EAAE;IACzD,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,YAAY,EAAE;IAC5D;QACE,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,OAAO,EAAE,mFAAmF;QAC5F,QAAQ,EAAE,SAAS;KACpB;CACF,CAAC;AAEF,8CAA8C;AACjC,QAAA,YAAY,GAAqC;IAC5D,iBAAiB,EAAE,EAAE;IACrB,qBAAqB,EAAE,EAAE;IACzB,eAAe,EAAE,EAAE;IACnB,SAAS,EAAE,EAAE;IACb,eAAe,EAAE,EAAE;IACnB,eAAe,EAAE,EAAE;IACnB,oBAAoB,EAAE,EAAE;IACxB,yBAAyB,EAAE,EAAE;IAC7B,kBAAkB,EAAE,EAAE;IACtB,OAAO,EAAE,EAAE;IACX,aAAa,EAAE,EAAE;IACjB,gBAAgB,EAAE,EAAE;IACpB,iBAAiB,EAAE,EAAE;IACrB,cAAc,EAAE,CAAC;CAClB,CAAC;AAEF,8CAA8C;AACjC,QAAA,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IAC5D,eAAe;IACf,oBAAoB;IACpB,oBAAoB;IACpB,kBAAkB;IAClB,kBAAkB;IAClB,kBAAkB;IAClB,cAAc;IACd,kBAAkB;IAClB,gBAAgB;IAChB,wBAAwB;IACxB,YAAY;IACZ,YAAY;IACZ,gBAAgB;IAChB,gBAAgB;IAChB,kBAAkB;IAClB,oBAAoB;IACpB,YAAY;IACZ,YAAY;IACZ,yBAAyB;CAC1B,CAAC,CAAC;AAYH,qDAAqD;AACxC,QAAA,eAAe,GAA+C;IACzE,iBAAiB,EAAE;QACjB,WAAW,EAAE,4FAA4F;QACzG,WAAW,EAAE,gJAAgJ;QAC7J,SAAS,EAAE,4HAA4H;QACvI,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,kBAAkB;QACrC,QAAQ,EAAE,UAAU;KACrB;IACD,qBAAqB,EAAE;QACrB,WAAW,EAAE,uGAAuG;QACpH,WAAW,EAAE,8HAA8H;QAC3I,SAAS,EAAE,oIAAoI;QAC/I,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,kBAAkB;QACrC,QAAQ,EAAE,UAAU;KACrB;IACD,eAAe,EAAE;QACf,WAAW,EAAE,8HAA8H;QAC3I,WAAW,EAAE,mIAAmI;QAChJ,SAAS,EAAE,0JAA0J;QACrK,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,iBAAiB;QACpC,QAAQ,EAAE,UAAU;KACrB;IACD,SAAS,EAAE;QACT,WAAW,EAAE,wHAAwH;QACrI,WAAW,EAAE,gJAAgJ;QAC7J,SAAS,EAAE,+HAA+H;QAC1I,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,cAAc;QACjC,QAAQ,EAAE,MAAM;KACjB;IACD,eAAe,EAAE;QACf,WAAW,EAAE,mHAAmH;QAChI,WAAW,EAAE,+IAA+I;QAC5J,SAAS,EAAE,4HAA4H;QACvI,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,2BAA2B;QAC9C,QAAQ,EAAE,MAAM;KACjB;IACD,eAAe,EAAE;QACf,WAAW,EAAE,qGAAqG;QAClH,WAAW,EAAE,qIAAqI;QAClJ,SAAS,EAAE,wIAAwI;QACnJ,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,2BAA2B;QAC9C,QAAQ,EAAE,QAAQ;KACnB;IACD,oBAAoB,EAAE;QACpB,WAAW,EAAE,mHAAmH;QAChI,WAAW,EAAE,sIAAsI;QACnJ,SAAS,EAAE,qIAAqI;QAChJ,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,kBAAkB;QACrC,QAAQ,EAAE,QAAQ;KACnB;IACD,yBAAyB,EAAE;QACzB,WAAW,EAAE,qHAAqH;QAClI,WAAW,EAAE,4IAA4I;QACzJ,SAAS,EAAE,kIAAkI;QAC7I,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,kBAAkB;QACrC,QAAQ,EAAE,QAAQ;KACnB;IACD,kBAAkB,EAAE;QAClB,WAAW,EAAE,qGAAqG;QAClH,WAAW,EAAE,8HAA8H;QAC3I,SAAS,EAAE,oHAAoH;QAC/H,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,cAAc;QACjC,QAAQ,EAAE,QAAQ;KACnB;IACD,OAAO,EAAE;QACP,WAAW,EAAE,uFAAuF;QACpG,WAAW,EAAE,iJAAiJ;QAC9J,SAAS,EAAE,uHAAuH;QAClI,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,2BAA2B;QAC9C,QAAQ,EAAE,QAAQ;KACnB;IACD,aAAa,EAAE;QACb,WAAW,EAAE,oGAAoG;QACjH,WAAW,EAAE,0HAA0H;QACvI,SAAS,EAAE,+HAA+H;QAC1I,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,uBAAuB;QAC1C,QAAQ,EAAE,KAAK;KAChB;IACD,gBAAgB,EAAE;QAChB,WAAW,EAAE,6HAA6H;QAC1I,WAAW,EAAE,oIAAoI;QACjJ,SAAS,EAAE,2GAA2G;QACtH,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,cAAc;QACjC,QAAQ,EAAE,KAAK;KAChB;IACD,iBAAiB,EAAE;QACjB,WAAW,EAAE,sGAAsG;QACnH,WAAW,EAAE,4HAA4H;QACzI,SAAS,EAAE,0HAA0H;QACrI,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,uBAAuB;QAC1C,QAAQ,EAAE,KAAK;KAChB;IACD,cAAc,EAAE;QACd,WAAW,EAAE,yGAAyG;QACtH,WAAW,EAAE,+HAA+H;QAC5I,SAAS,EAAE,mIAAmI;QAC9I,aAAa,EAAE,OAAO;QACtB,iBAAiB,EAAE,cAAc;QACjC,QAAQ,EAAE,KAAK;KAChB;CACF,CAAC;AAEF,qEAAqE;AACxD,QAAA,uBAAuB,GAAsB;IACxD,eAAe;IACf,aAAa;IACb,SAAS;IACT,UAAU;IACV,mBAAmB;IACnB,SAAS;IACT,aAAa;IACb,oBAAoB;IACpB,2BAA2B;IAC3B,gBAAgB;IAChB,aAAa;IACb,WAAW;IACX,0BAA0B;IAC1B,gBAAgB;IAChB,iBAAiB;IACjB,eAAe;IACf,4BAA4B;IAC5B,6BAA6B;IAC7B,mBAAmB;IACnB,mBAAmB;CACpB,CAAC"}

package/dist/lib/dashboardHtml.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Self-contained HTML dashboard generator for Trusera AI-BOM scan results.
+ * Ported from Python src/ai_bom/dashboard/frontend.py, adapted for
+ * static embedded data (no API calls) with optional AES-256-GCM encryption.
+ */
+import type { ScanResult } from './models';
+/**
+ * Generate a self-contained HTML dashboard for the given scan results.
+ * If `password` is provided, the scan data is AES-256-GCM encrypted and
+ * the page shows a password prompt that decrypts client-side.
+ */
+export declare function generateDashboardHtml(scanResult: ScanResult, password?: string): string;
+//# sourceMappingURL=dashboardHtml.d.ts.map

package/dist/lib/dashboardHtml.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboardHtml.d.ts","sourceRoot":"","sources":["../../lib/dashboardHtml.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAG3C;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,UAAU,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,MAAM,CAmlBR"}