project-shield 1.0.0

package/dist/scanner/engine.js

@@ -0,0 +1,155 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scan = scan;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const glob_1 = require("glob");
+const ruleset_js_1 = require("../integrity/ruleset.js");
+const failsafe_js_1 = require("../integrity/failsafe.js");
+const ignore_js_1 = require("./ignore.js");
+const secrets_js_1 = require("./secrets.js");
+const pii_js_1 = require("./pii.js");
+const mcp_js_1 = require("./mcp.js");
+const injection_js_1 = require("./injection.js");
+// Binary file extensions to skip
+const BINARY_EXTENSIONS = new Set([
+    '.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.svg',
+    '.woff', '.woff2', '.ttf', '.eot', '.otf',
+    '.zip', '.tar', '.gz', '.bz2', '.7z', '.rar',
+    '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
+    '.exe', '.dll', '.so', '.dylib', '.bin',
+    '.mp3', '.mp4', '.avi', '.mov', '.wav', '.flac',
+    '.pyc', '.class', '.o', '.obj',
+    '.lock',
+]);
+// Default directories to always exclude
+const DEFAULT_EXCLUDE_DIRS = [
+    'node_modules',
+    '.git',
+    'dist',
+    'build',
+    '.next',
+    '__pycache__',
+    '.venv',
+    'venv',
+    'coverage',
+];
+/**
+ * Check if a file is binary by extension.
+ */
+function isBinaryFile(filePath) {
+    const ext = path.extname(filePath).toLowerCase();
+    return BINARY_EXTENSIONS.has(ext);
+}
+/**
+ * Run the full scan pipeline.
+ */
+async function scan(config) {
+    return (0, failsafe_js_1.withFailsafe)(async () => {
+        const startTime = Date.now();
+        // Load ruleset
+        const ruleset = (0, ruleset_js_1.loadRuleset)(config.rulesetPath);
+        // Load ignore patterns
+        const ignorePatterns = (0, ignore_js_1.loadIgnorePatterns)(config.targetPath, config.ignorePath);
+        // Find all files
+        const allFiles = await (0, glob_1.glob)('**/*', {
+            cwd: config.targetPath,
+            nodir: true,
+            dot: true,
+            ignore: DEFAULT_EXCLUDE_DIRS.map(d => `${d}/**`),
+            absolute: false,
+        });
+        let filesExcluded = 0;
+        const filesToScan = [];
+        for (const file of allFiles) {
+            // Skip binary files
+            if (isBinaryFile(file)) {
+                filesExcluded++;
+                continue;
+            }
+            // Skip ignored files
+            if ((0, ignore_js_1.isFileIgnored)(file, ignorePatterns)) {
+                filesExcluded++;
+                continue;
+            }
+            filesToScan.push(file);
+        }
+        // Scan each file
+        const allSecrets = [];
+        const allPII = [];
+        const allInjection = [];
+        for (const file of filesToScan) {
+            const fullFilePath = path.join(config.targetPath, file);
+            let content;
+            try {
+                content = fs.readFileSync(fullFilePath, 'utf-8');
+            }
+            catch {
+                // Skip files that can't be read
+                continue;
+            }
+            const secrets = (0, secrets_js_1.scanFileSecrets)(content, file, ruleset);
+            const pii = (0, pii_js_1.scanFilePII)(content, file, ruleset);
+            const injection = (0, injection_js_1.scanFileInjection)(content, file, ruleset);
+            allSecrets.push(...secrets);
+            allPII.push(...pii);
+            allInjection.push(...injection);
+        }
+        // MCP scan (after secrets, to cross-reference)
+        const allMCP = await (0, mcp_js_1.scanMCPConfigs)(config.targetPath, ruleset, allSecrets);
+        const timeMs = Date.now() - startTime;
+        return {
+            secrets: allSecrets,
+            pii: allPII,
+            mcp: allMCP,
+            injection: allInjection,
+            summary: {
+                filesScanned: filesToScan.length,
+                filesExcluded,
+                timeMs,
+                critical: allSecrets.filter(s => s.severity === 'critical').length,
+                warning: allSecrets.filter(s => s.severity === 'warning').length,
+                confirmedPii: allPII.filter(p => p.severity === 'confirmed').length,
+                possiblePii: allPII.filter(p => p.severity === 'possible').length,
+                mcpCritical: allMCP.filter(m => m.overallSeverity === 'critical').length,
+                mcpWarning: allMCP.filter(m => m.overallSeverity === 'warning').length,
+                injectionCritical: allInjection.filter(j => j.severity === 'critical').length,
+                injectionWarning: allInjection.filter(j => j.severity === 'warning').length,
+            },
+        };
+    });
+}
+//# sourceMappingURL=engine.js.map

package/dist/scanner/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/scanner/engine.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDA,oBAwFC;AAxID,4CAA8B;AAC9B,gDAAkC;AAClC,+BAA4B;AAE5B,wDAAsD;AACtD,0DAAwD;AACxD,2CAAgE;AAChE,6CAA+C;AAC/C,qCAAuC;AACvC,qCAA0C;AAC1C,iDAAmD;AAEnD,iCAAiC;AACjC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IACzC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM;IAC5C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO;IACzD,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM;IACvC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;IAC/C,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM;IAC9B,OAAO;CACR,CAAC,CAAC;AAEH,wCAAwC;AACxC,MAAM,oBAAoB,GAAG;IAC3B,cAAc;IACd,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,aAAa;IACb,OAAO;IACP,MAAM;IACN,UAAU;CACX,CAAC;AAEF;;GAEG;AACH,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,OAAO,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,IAAI,CAAC,MAAkB;IAC3C,OAAO,IAAA,0BAAY,EAAC,KAAK,IAAI,EAAE;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,eAAe;QACf,MAAM,OAAO,GAAY,IAAA,wBAAW,EAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEzD,uBAAuB;QACvB,MAAM,cAAc,GAAG,IAAA,8BAAkB,EAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAEhF,iBAAiB;QACjB,MAAM,QAAQ,GAAG,MAAM,IAAA,WAAI,EAAC,MAAM,EAAE;YAClC,GAAG,EAAE,MAAM,CAAC,UAAU;YACtB,KAAK,EAAE,IAAI;YACX,GAAG,EAAE,IAAI;YACT,MAAM,EAAE,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC;YAChD,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;QAEH,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,MAAM,WAAW,GAAa,EAAE,CAAC;QAEjC,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC5B,oBAAoB;YACpB,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,aAAa,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,qBAAqB;YACrB,IAAI,IAAA,yBAAa,EAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;gBACxC,aAAa,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;QAED,iBAAiB;QACjB,MAAM,UAAU,GAAG,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,EAAE,CAAC;QAClB,MAAM,YAAY,GAAG,EAAE,CAAC;QAExB,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YACxD,IAAI,OAAe,CAAC;YAEpB,IAAI,CAAC;gBACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;YACnD,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;gBAChC,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,IAAA,4BAAe,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YACxD,MAAM,GAAG,GAAG,IAAA,oBAAW,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YAChD,MAAM,SAAS,GAAG,IAAA,gCAAiB,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YAE5D,UAAU,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;YACpB,YAAY,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,CAAC;QAClC,CAAC;QAED,+CAA+C;QAC/C,MAAM,MAAM,GAAG,MAAM,IAAA,uBAAc,EAAC,MAAM,CAAC,UAAU,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QAE5E,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAEtC,OAAO;YACL,OAAO,EAAE,UAAU;YACnB,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,MAAM;YACX,SAAS,EAAE,YAAY;YACvB,OAAO,EAAE;gBACP,YAAY,EAAE,WAAW,CAAC,MAAM;gBAChC,aAAa;gBACb,MAAM;gBACN,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;gBAClE,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,MAAM;gBAChE,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC,CAAC,MAAM;gBACnE,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;gBACjE,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,UAAU,CAAC,CAAC,MAAM;gBACxE,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,MAAM;gBACtE,iBAAiB,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;gBAC7E,gBAAgB,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,MAAM;aAC5E;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/scanner/ignore.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Check if a line has a shield-ignore comment.
+ * Supports: // shield-ignore, # shield-ignore, /* shield-ignore *​/
+ */
+export declare function isLineIgnored(line: string): boolean;
+/**
+ * Parse a .shieldignore file (same format as .gitignore).
+ * Returns an array of glob patterns to exclude.
+ */
+export declare function parseShieldIgnore(ignorePath: string): string[];
+/**
+ * Check if a file path matches any of the ignore patterns.
+ * Uses simple glob matching (supports * and ** patterns).
+ */
+export declare function isFileIgnored(filePath: string, patterns: string[]): boolean;
+/**
+ * Load ignore patterns from a .shieldignore file, resolving relative to a base directory.
+ */
+export declare function loadIgnorePatterns(basePath: string, customIgnorePath?: string): string[];
+//# sourceMappingURL=ignore.d.ts.map

package/dist/scanner/ignore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ignore.d.ts","sourceRoot":"","sources":["../../src/scanner/ignore.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAQnD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAU9D;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAmB3E;AA0BD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAaxF"}

package/dist/scanner/ignore.js

@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isLineIgnored = isLineIgnored;
+exports.parseShieldIgnore = parseShieldIgnore;
+exports.isFileIgnored = isFileIgnored;
+exports.loadIgnorePatterns = loadIgnorePatterns;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+/**
+ * Check if a line has a shield-ignore comment.
+ * Supports: // shield-ignore, # shield-ignore, /* shield-ignore *​/
+ */
+function isLineIgnored(line) {
+    const trimmed = line.trim();
+    // Check for inline comments
+    return (trimmed.includes('// shield-ignore') ||
+        trimmed.includes('# shield-ignore') ||
+        trimmed.includes('/* shield-ignore'));
+}
+/**
+ * Parse a .shieldignore file (same format as .gitignore).
+ * Returns an array of glob patterns to exclude.
+ */
+function parseShieldIgnore(ignorePath) {
+    if (!fs.existsSync(ignorePath)) {
+        return [];
+    }
+    const content = fs.readFileSync(ignorePath, 'utf-8');
+    return content
+        .split('\n')
+        .map(line => line.trim())
+        .filter(line => line.length > 0 && !line.startsWith('#'));
+}
+/**
+ * Check if a file path matches any of the ignore patterns.
+ * Uses simple glob matching (supports * and ** patterns).
+ */
+function isFileIgnored(filePath, patterns) {
+    const normalized = filePath.replace(/\\/g, '/');
+    for (const pattern of patterns) {
+        const normalizedPattern = pattern.replace(/\\/g, '/');
+        // Direct match
+        if (normalized === normalizedPattern)
+            return true;
+        // Check if the file is inside an ignored directory
+        if (normalizedPattern.endsWith('/')) {
+            if (normalized.startsWith(normalizedPattern))
+                return true;
+        }
+        // Simple wildcard matching
+        if (matchGlob(normalized, normalizedPattern))
+            return true;
+    }
+    return false;
+}
+/**
+ * Simple glob matcher supporting * and ** patterns.
+ * ** matches zero or more directories.
+ */
+function matchGlob(filePath, pattern) {
+    // Handle **/ specifically: it should match zero or more directories
+    // Replace **/ with a special token first
+    let regexStr = pattern
+        .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+        .replace(/\*\*\//g, '{{GLOBSTAR_SLASH}}')
+        .replace(/\*\*/g, '{{GLOBSTAR}}')
+        .replace(/\*/g, '[^/]*')
+        .replace(/\{\{GLOBSTAR_SLASH\}\}/g, '([^/]+/)*') // zero or more directories
+        .replace(/\{\{GLOBSTAR\}\}/g, '.*')
+        .replace(/\?/g, '[^/]');
+    const regex = new RegExp(`^${regexStr}$`);
+    if (regex.test(filePath))
+        return true;
+    // Also check if the pattern matches as a directory prefix
+    const dirRegex = new RegExp(`(^|/)${regexStr}(/|$)`);
+    return dirRegex.test(filePath);
+}
+/**
+ * Load ignore patterns from a .shieldignore file, resolving relative to a base directory.
+ */
+function loadIgnorePatterns(basePath, customIgnorePath) {
+    const patterns = [];
+    // Load from default .shieldignore in base path
+    const defaultIgnore = path.join(basePath, '.shieldignore');
+    patterns.push(...parseShieldIgnore(defaultIgnore));
+    // Load from custom path if provided
+    if (customIgnorePath && customIgnorePath !== defaultIgnore) {
+        patterns.push(...parseShieldIgnore(customIgnorePath));
+    }
+    return patterns;
+}
+//# sourceMappingURL=ignore.js.map

package/dist/scanner/ignore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ignore.js","sourceRoot":"","sources":["../../src/scanner/ignore.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAOA,sCAQC;AAMD,8CAUC;AAMD,sCAmBC;AA6BD,gDAaC;AAlGD,4CAA8B;AAC9B,gDAAkC;AAElC;;;GAGG;AACH,SAAgB,aAAa,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,4BAA4B;IAC5B,OAAO,CACL,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QACpC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QACnC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CACrC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,UAAkB;IAClD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACrD,OAAO,OAAO;SACX,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SACxB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,QAAgB,EAAE,QAAkB;IAChE,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEhD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAEtD,eAAe;QACf,IAAI,UAAU,KAAK,iBAAiB;YAAE,OAAO,IAAI,CAAC;QAElD,mDAAmD;QACnD,IAAI,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACpC,IAAI,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC5D,CAAC;QAED,2BAA2B;QAC3B,IAAI,SAAS,CAAC,UAAU,EAAE,iBAAiB,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,QAAgB,EAAE,OAAe;IAClD,oEAAoE;IACpE,yCAAyC;IACzC,IAAI,QAAQ,GAAG,OAAO;SACnB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,SAAS,EAAE,oBAAoB,CAAC;SACxC,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC;SAChC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,yBAAyB,EAAE,WAAW,CAAC,CAAE,2BAA2B;SAC5E,OAAO,CAAC,mBAAmB,EAAE,IAAI,CAAC;SAClC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAE1B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;IAC1C,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,0DAA0D;IAC1D,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,QAAQ,QAAQ,OAAO,CAAC,CAAC;IACrD,OAAO,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,QAAgB,EAAE,gBAAyB;IAC5E,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,+CAA+C;IAC/C,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,aAAa,CAAC,CAAC,CAAC;IAEnD,oCAAoC;IACpC,IAAI,gBAAgB,IAAI,gBAAgB,KAAK,aAAa,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/injection.d.ts

@@ -0,0 +1,15 @@
+import type { InjectionFinding, Ruleset } from '../types/index.js';
+/**
+ * Scan a single file for prompt injection patterns using 2-layer detection.
+ *
+ * Layer 1: Keyword/pattern matching (direct + indirect patterns)
+ * Layer 2: Structural analysis (comments, zero-width chars, tool length)
+ *
+ * Cross-judgment:
+ * - Layer 1 + Layer 2 = critical
+ * - Layer 1 only = warning
+ * - Layer 2 only (zero-width/comment with injection) = warning
+ * - Encoded bypass (Base64/URL) = automatic critical
+ */
+export declare function scanFileInjection(content: string, filePath: string, ruleset: Ruleset): InjectionFinding[];
+//# sourceMappingURL=injection.d.ts.map

package/dist/scanner/injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection.d.ts","sourceRoot":"","sources":["../../src/scanner/injection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAoB,OAAO,EAAE,MAAM,mBAAmB,CAAC;AA8IrF;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,GACf,gBAAgB,EAAE,CAiHpB"}

package/dist/scanner/injection.js

@@ -0,0 +1,234 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanFileInjection = scanFileInjection;
+const ignore_js_1 = require("./ignore.js");
+/**
+ * Extract surrounding context (up to 50 chars) around a match position.
+ */
+function extractContext(line, matchIdx, matchLen) {
+    const contextRadius = 25;
+    const start = Math.max(0, matchIdx - contextRadius);
+    const end = Math.min(line.length, matchIdx + matchLen + contextRadius);
+    let ctx = line.substring(start, end).trim();
+    if (ctx.length > 50) {
+        ctx = ctx.substring(0, 50);
+    }
+    return ctx;
+}
+/**
+ * Layer 1: Keyword/pattern matching against a line.
+ */
+function keywordLayer(line, patterns) {
+    const hits = [];
+    for (const pattern of patterns) {
+        const regex = new RegExp(pattern.regex, 'gi');
+        let match;
+        while ((match = regex.exec(line)) !== null) {
+            hits.push({ pattern, match });
+        }
+    }
+    return hits;
+}
+/**
+ * Check if text contains a Base64 encoded string, decode it, and re-check patterns.
+ */
+function decodeAndCheck(text, allPatterns) {
+    // Match Base64 strings (at least 20 chars to reduce FP)
+    const base64Regex = /[A-Za-z0-9+/]{20,}={0,2}/g;
+    let b64Match;
+    while ((b64Match = base64Regex.exec(text)) !== null) {
+        try {
+            const decoded = Buffer.from(b64Match[0], 'base64').toString('utf-8');
+            // Check if decoded text is printable (reduce FP from random base64)
+            if (!/^[\x20-\x7E\s]{4,}$/.test(decoded))
+                continue;
+            const hits = keywordLayer(decoded, allPatterns);
+            if (hits.length > 0) {
+                return { decoded, hits };
+            }
+        }
+        catch {
+            // Not valid base64, skip
+        }
+    }
+    // URL encoding check
+    if (text.includes('%')) {
+        try {
+            const decoded = decodeURIComponent(text);
+            if (decoded !== text) {
+                const hits = keywordLayer(decoded, allPatterns);
+                if (hits.length > 0) {
+                    return { decoded, hits };
+                }
+            }
+        }
+        catch {
+            // Not valid URL encoding, skip
+        }
+    }
+    return null;
+}
+/**
+ * Layer 2: Structural analysis on content/line.
+ */
+function structureLayer(fullContent, line, lineIdx, ruleset) {
+    const structural = ruleset.injection.structural;
+    // Check if line is inside an HTML comment
+    let inComment = false;
+    let commentText;
+    const htmlCommentRegex = new RegExp(structural.html_comment_regex, 'g');
+    let htmlMatch;
+    while ((htmlMatch = htmlCommentRegex.exec(fullContent)) !== null) {
+        const commentStart = fullContent.substring(0, htmlMatch.index).split('\n').length - 1;
+        const commentEnd = fullContent.substring(0, htmlMatch.index + htmlMatch[0].length).split('\n').length - 1;
+        if (lineIdx >= commentStart && lineIdx <= commentEnd) {
+            inComment = true;
+            commentText = htmlMatch[0].replace(/<!--\s*/, '').replace(/\s*-->/, '');
+            break;
+        }
+    }
+    // Check for markdown comments
+    if (!inComment) {
+        const mdCommentRegex = new RegExp(structural.markdown_comment_regex, 'g');
+        let mdMatch;
+        while ((mdMatch = mdCommentRegex.exec(line)) !== null) {
+            inComment = true;
+            commentText = mdMatch[0];
+            break;
+        }
+    }
+    // Check for zero-width characters
+    const zeroWidthChars = ['\u200B', '\u200C', '\u200D', '\uFEFF', '\u2060'];
+    const hasZeroWidth = zeroWidthChars.some(ch => line.includes(ch));
+    // Tool description length anomaly (for JSON files with tool descriptions)
+    let toolLengthAnomaly = false;
+    try {
+        if (line.includes('"description"')) {
+            const descMatch = /"description"\s*:\s*"([^"]*)"/.exec(line);
+            if (descMatch && descMatch[1].length > 200 * structural.tool_length_multiplier) {
+                toolLengthAnomaly = true;
+            }
+        }
+    }
+    catch {
+        // Ignore parsing errors
+    }
+    return { inComment, hasZeroWidth, toolLengthAnomaly, commentText };
+}
+/**
+ * Scan a single file for prompt injection patterns using 2-layer detection.
+ *
+ * Layer 1: Keyword/pattern matching (direct + indirect patterns)
+ * Layer 2: Structural analysis (comments, zero-width chars, tool length)
+ *
+ * Cross-judgment:
+ * - Layer 1 + Layer 2 = critical
+ * - Layer 1 only = warning
+ * - Layer 2 only (zero-width/comment with injection) = warning
+ * - Encoded bypass (Base64/URL) = automatic critical
+ */
+function scanFileInjection(content, filePath, ruleset) {
+    const findings = [];
+    const lines = content.split('\n');
+    const allPatterns = [
+        ...ruleset.injection.direct_patterns,
+        ...ruleset.injection.indirect_patterns,
+    ];
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNum = i + 1;
+        if ((0, ignore_js_1.isLineIgnored)(line))
+            continue;
+        // Layer 1: Keyword matching
+        const directHits = keywordLayer(line, ruleset.injection.direct_patterns);
+        const indirectHits = keywordLayer(line, ruleset.injection.indirect_patterns);
+        const allHits = [...directHits, ...indirectHits];
+        const hasKeyword = allHits.length > 0;
+        // Layer 2: Structural analysis
+        const structure = structureLayer(content, line, i, ruleset);
+        const hasStructure = structure.inComment || structure.hasZeroWidth || structure.toolLengthAnomaly;
+        // Check for encoded injection
+        const encodedResult = decodeAndCheck(line, allPatterns);
+        if (encodedResult) {
+            const firstHit = encodedResult.hits[0];
+            findings.push({
+                file: filePath,
+                line: lineNum,
+                type: 'encoded',
+                severity: 'critical',
+                layers: { keyword: true, structure: false },
+                pattern: firstHit.pattern.id,
+                context: extractContext(line, 0, Math.min(line.length, 50)),
+                description: `Encoded injection detected (${firstHit.pattern.description})`,
+            });
+            continue; // Don't double-report
+        }
+        // Cross-judgment for keyword hits
+        if (hasKeyword) {
+            for (const hit of allHits) {
+                const matchIdx = hit.match.index ?? 0;
+                const severity = hasStructure ? 'critical' : 'warning';
+                const type = hit.pattern.type === 'direct' ? 'direct' : 'indirect';
+                findings.push({
+                    file: filePath,
+                    line: lineNum,
+                    type,
+                    severity,
+                    layers: { keyword: true, structure: hasStructure },
+                    pattern: hit.pattern.id,
+                    context: extractContext(line, matchIdx, hit.match[0].length),
+                    description: hit.pattern.description,
+                });
+            }
+        }
+        // Structure-only findings
+        if (!hasKeyword && hasStructure) {
+            // For comments, re-check the comment text for injection patterns
+            if (structure.inComment && structure.commentText) {
+                const commentHits = keywordLayer(structure.commentText, allPatterns);
+                if (commentHits.length > 0) {
+                    for (const hit of commentHits) {
+                        findings.push({
+                            file: filePath,
+                            line: lineNum,
+                            type: 'structural',
+                            severity: 'critical',
+                            layers: { keyword: true, structure: true },
+                            pattern: hit.pattern.id,
+                            context: extractContext(line, 0, Math.min(line.length, 50)),
+                            description: `Hidden injection in comment (${hit.pattern.description})`,
+                        });
+                    }
+                }
+            }
+            // Zero-width character detection
+            if (structure.hasZeroWidth) {
+                findings.push({
+                    file: filePath,
+                    line: lineNum,
+                    type: 'structural',
+                    severity: 'warning',
+                    layers: { keyword: false, structure: true },
+                    pattern: 'zero_width_chars',
+                    context: extractContext(line, 0, Math.min(line.length, 50)),
+                    description: 'Zero-width Unicode characters detected (potential text hiding)',
+                });
+            }
+            // Tool length anomaly
+            if (structure.toolLengthAnomaly) {
+                findings.push({
+                    file: filePath,
+                    line: lineNum,
+                    type: 'structural',
+                    severity: 'warning',
+                    layers: { keyword: false, structure: true },
+                    pattern: 'tool_length_anomaly',
+                    context: extractContext(line, 0, Math.min(line.length, 50)),
+                    description: 'Abnormally long tool description (potential injection payload)',
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=injection.js.map

package/dist/scanner/injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection.js","sourceRoot":"","sources":["../../src/scanner/injection.ts"],"names":[],"mappings":";;AA0JA,8CAqHC;AA9QD,2CAA4C;AAE5C;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,QAAgB,EAAE,QAAgB;IACtE,MAAM,aAAa,GAAG,EAAE,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,GAAG,aAAa,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,QAAQ,GAAG,aAAa,CAAC,CAAC;IACvE,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CACnB,IAAY,EACZ,QAA4B;IAE5B,MAAM,IAAI,GAA4D,EAAE,CAAC;IACzE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC9C,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,IAAI,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,IAAY,EACZ,WAA+B;IAE/B,wDAAwD;IACxD,MAAM,WAAW,GAAG,2BAA2B,CAAC;IAChD,IAAI,QAAgC,CAAC;IAErC,OAAO,CAAC,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACrE,oEAAoE;YACpE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,SAAS;YAEnD,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAChD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yBAAyB;QAC3B,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACzC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;gBAChD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;gBAC3B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,WAAmB,EACnB,IAAY,EACZ,OAAe,EACf,OAAgB;IAOhB,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC;IAEhD,0CAA0C;IAC1C,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,WAA+B,CAAC;IAEpC,MAAM,gBAAgB,GAAG,IAAI,MAAM,CAAC,UAAU,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;IACxE,IAAI,SAAiC,CAAC;IACtC,OAAO,CAAC,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACjE,MAAM,YAAY,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;QACtF,MAAM,UAAU,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;QAC1G,IAAI,OAAO,IAAI,YAAY,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;YACrD,SAAS,GAAG,IAAI,CAAC;YACjB,WAAW,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACxE,MAAM;QACR,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC,UAAU,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;QAC1E,IAAI,OAA+B,CAAC;QACpC,OAAO,CAAC,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtD,SAAS,GAAG,IAAI,CAAC;YACjB,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM;QACR,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC1E,MAAM,YAAY,GAAG,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IAElE,0EAA0E;IAC1E,IAAI,iBAAiB,GAAG,KAAK,CAAC;IAC9B,IAAI,CAAC;QACH,IAAI,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACnC,MAAM,SAAS,GAAG,+BAA+B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7D,IAAI,SAAS,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,GAAG,GAAG,UAAU,CAAC,sBAAsB,EAAE,CAAC;gBAC/E,iBAAiB,GAAG,IAAI,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wBAAwB;IAC1B,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,iBAAiB,CAC/B,OAAe,EACf,QAAgB,EAChB,OAAgB;IAEhB,MAAM,QAAQ,GAAuB,EAAE,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,WAAW,GAAG;QAClB,GAAG,OAAO,CAAC,SAAS,CAAC,eAAe;QACpC,GAAG,OAAO,CAAC,SAAS,CAAC,iBAAiB;KACvC,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;QAEtB,IAAI,IAAA,yBAAa,EAAC,IAAI,CAAC;YAAE,SAAS;QAElC,4BAA4B;QAC5B,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAC7E,MAAM,OAAO,GAAG,CAAC,GAAG,UAAU,EAAE,GAAG,YAAY,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QAEtC,+BAA+B;QAC/B,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,YAAY,GAAG,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,YAAY,IAAI,SAAS,CAAC,iBAAiB,CAAC;QAElG,8BAA8B;QAC9B,MAAM,aAAa,GAAG,cAAc,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACxD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACvC,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,UAAU;gBACpB,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE;gBAC3C,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE;gBAC5B,OAAO,EAAE,cAAc,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAC3D,WAAW,EAAE,+BAA+B,QAAQ,CAAC,OAAO,CAAC,WAAW,GAAG;aAC5E,CAAC,CAAC;YACH,SAAS,CAAC,sBAAsB;QAClC,CAAC;QAED,kCAAkC;QAClC,IAAI,UAAU,EAAE,CAAC;YACf,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;gBACtC,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;gBACvD,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAiB,CAAC,CAAC,CAAC,UAAmB,CAAC;gBAErF,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,OAAO;oBACb,IAAI;oBACJ,QAAQ;oBACR,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,YAAY,EAAE;oBAClD,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE;oBACvB,OAAO,EAAE,cAAc,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;oBAC5D,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,WAAW;iBACrC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,IAAI,CAAC,UAAU,IAAI,YAAY,EAAE,CAAC;YAChC,iEAAiE;YACjE,IAAI,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;gBACjD,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;gBACrE,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;wBAC9B,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,OAAO;4BACb,IAAI,EAAE,YAAY;4BAClB,QAAQ,EAAE,UAAU;4BACpB,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;4BAC1C,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE;4BACvB,OAAO,EAAE,cAAc,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;4BAC3D,WAAW,EAAE,gCAAgC,GAAG,CAAC,OAAO,CAAC,WAAW,GAAG;yBACxE,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,YAAY;oBAClB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE;oBAC3C,OAAO,EAAE,kBAAkB;oBAC3B,OAAO,EAAE,cAAc,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;oBAC3D,WAAW,EAAE,gEAAgE;iBAC9E,CAAC,CAAC;YACL,CAAC;YAED,sBAAsB;YACtB,IAAI,SAAS,CAAC,iBAAiB,EAAE,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,YAAY;oBAClB,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE;oBAC3C,OAAO,EAAE,qBAAqB;oBAC9B,OAAO,EAAE,cAAc,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;oBAC3D,WAAW,EAAE,gEAAgE;iBAC9E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/mcp.d.ts

@@ -0,0 +1,6 @@
+import type { MCPFinding, SecretFinding, Ruleset } from '../types/index.js';
+/**
+ * Scan for MCP configuration files and check 5 security items.
+ */
+export declare function scanMCPConfigs(targetPath: string, ruleset: Ruleset, secretsFindings: SecretFinding[]): Promise<MCPFinding[]>;
+//# sourceMappingURL=mcp.d.ts.map

package/dist/scanner/mcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../../src/scanner/mcp.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,UAAU,EAEV,aAAa,EACb,OAAO,EACR,MAAM,mBAAmB,CAAC;AAE3B;;GAEG;AACH,wBAAsB,cAAc,CAClC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,EAChB,eAAe,EAAE,aAAa,EAAE,GAC/B,OAAO,CAAC,UAAU,EAAE,CAAC,CAiCvB"}