project-shield 1.0.0

package/dist/scanner/mcp.js

@@ -0,0 +1,322 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanMCPConfigs = scanMCPConfigs;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const glob_1 = require("glob");
+/**
+ * Scan for MCP configuration files and check 5 security items.
+ */
+async function scanMCPConfigs(targetPath, ruleset, secretsFindings) {
+    const configFiles = await findMCPConfigs(targetPath, ruleset.mcp.config_files);
+    if (configFiles.length === 0) {
+        return [];
+    }
+    const findings = [];
+    for (const configFile of configFiles) {
+        const fullPath = path.join(targetPath, configFile);
+        const config = parseMCPConfig(fullPath);
+        if (config === null)
+            continue;
+        const items = {
+            auth: checkAuth(config, ruleset.mcp.auth_fields),
+            secrets: checkSecrets(config, configFile, secretsFindings),
+            toolMeta: checkToolMeta(config, ruleset.mcp.dangerous_tool_keywords),
+            permissions: checkPermissions(config, ruleset.mcp.permission_patterns),
+            logging: checkLogging(config, ruleset.mcp.logging_fields),
+        };
+        const { overallSeverity, failedCount } = assessOverall(items);
+        findings.push({
+            file: configFile,
+            items,
+            overallSeverity,
+            failedCount,
+        });
+    }
+    return findings;
+}
+/**
+ * Find MCP config files in the target directory.
+ */
+async function findMCPConfigs(targetPath, configFileNames) {
+    const patterns = configFileNames.map(name => `**/${name}`);
+    const results = [];
+    for (const pattern of patterns) {
+        const matches = await (0, glob_1.glob)(pattern, {
+            cwd: targetPath,
+            nodir: true,
+            dot: true,
+            ignore: ['node_modules/**', '.git/**', 'dist/**', 'build/**'],
+            absolute: false,
+        });
+        results.push(...matches);
+    }
+    // Deduplicate
+    return [...new Set(results)];
+}
+/**
+ * Parse an MCP config file (JSON only in Phase 1).
+ * Returns null on parse failure (graceful skip).
+ */
+function parseMCPConfig(fullPath) {
+    try {
+        const content = fs.readFileSync(fullPath, 'utf-8');
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Recursively search for any of the given keys in an object.
+ */
+function hasAnyKey(obj, keys) {
+    if (obj === null || obj === undefined || typeof obj !== 'object') {
+        return false;
+    }
+    const lowerKeys = keys.map(k => k.toLowerCase());
+    if (Array.isArray(obj)) {
+        return obj.some(item => hasAnyKey(item, keys));
+    }
+    for (const key of Object.keys(obj)) {
+        if (lowerKeys.includes(key.toLowerCase())) {
+            return true;
+        }
+        if (hasAnyKey(obj[key], keys)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check 1: Auth field existence.
+ */
+function checkAuth(config, authFields) {
+    const found = hasAnyKey(config, authFields);
+    if (found) {
+        return { status: 'pass', detail: 'Authentication configuration found' };
+    }
+    return { status: 'critical', detail: 'No authentication configuration detected' };
+}
+/**
+ * Check 2: Hardcoded secrets — cross-reference with F001 findings + env pattern check.
+ */
+function checkSecrets(config, filePath, secretsFindings) {
+    // Check if F001 found hardcoded secrets in this file
+    const fileSecrets = secretsFindings.filter(s => s.file === filePath && s.severity === 'critical');
+    if (fileSecrets.length > 0) {
+        return {
+            status: 'critical',
+            detail: `${fileSecrets.length} hardcoded secret(s) found in config`,
+        };
+    }
+    // Check for env reference patterns (good practice)
+    const configStr = JSON.stringify(config);
+    const envPatterns = [/\$\{[A-Z_]+\}/g, /\$[A-Z_]+/g, /process\.env\./g];
+    const hasEnvRef = envPatterns.some(p => p.test(configStr));
+    // Check for suspicious inline values (long strings that look like keys)
+    const hasInlineSecrets = checkInlineSecrets(config);
+    if (hasInlineSecrets) {
+        return { status: 'warning', detail: 'Possible inline secret values detected' };
+    }
+    if (hasEnvRef) {
+        return { status: 'pass', detail: 'Secrets use environment variable references' };
+    }
+    return { status: 'pass', detail: 'No hardcoded secrets detected' };
+}
+/**
+ * Recursively check for values that look like inline secrets.
+ */
+function checkInlineSecrets(obj) {
+    if (typeof obj === 'string') {
+        // Check for patterns that look like API keys
+        if (/^(sk-|sk_live_|sk_test_|AKIA|ghp_|gho_|xoxb-|AIza)/.test(obj)) {
+            return true;
+        }
+        return false;
+    }
+    if (obj === null || obj === undefined || typeof obj !== 'object') {
+        return false;
+    }
+    if (Array.isArray(obj)) {
+        return obj.some(item => checkInlineSecrets(item));
+    }
+    return Object.values(obj).some(v => checkInlineSecrets(v));
+}
+/**
+ * Check 3: Tool metadata — dangerous keywords in tool names/descriptions.
+ */
+function checkToolMeta(config, dangerousKeywords) {
+    const tools = extractTools(config);
+    if (tools.length === 0) {
+        return { status: 'pass', detail: 'No tools defined or no dangerous keywords found' };
+    }
+    const dangerous = [];
+    for (const tool of tools) {
+        const text = `${tool.name ?? ''} ${tool.description ?? ''}`.toLowerCase();
+        for (const keyword of dangerousKeywords) {
+            if (text.includes(keyword.toLowerCase())) {
+                dangerous.push(`${tool.name ?? 'unnamed'}: "${keyword}"`);
+            }
+        }
+    }
+    if (dangerous.length > 0) {
+        return {
+            status: 'warning',
+            detail: `Dangerous tool keywords: ${dangerous.join(', ')}`,
+        };
+    }
+    return { status: 'pass', detail: 'No dangerous tool keywords found' };
+}
+/**
+ * Extract tool definitions from MCP config.
+ */
+function extractTools(config) {
+    const tools = [];
+    // Direct tools array
+    if (Array.isArray(config.tools)) {
+        for (const tool of config.tools) {
+            if (typeof tool === 'object' && tool !== null) {
+                tools.push(tool);
+            }
+        }
+    }
+    // mcpServers -> each server may have tools
+    if (config.mcpServers && typeof config.mcpServers === 'object') {
+        for (const server of Object.values(config.mcpServers)) {
+            if (server && typeof server === 'object' && !Array.isArray(server)) {
+                const s = server;
+                // Server command/args can contain dangerous keywords
+                const command = typeof s.command === 'string' ? s.command : '';
+                const args = Array.isArray(s.args) ? s.args.join(' ') : '';
+                tools.push({ name: command, description: args });
+                if (Array.isArray(s.tools)) {
+                    for (const tool of s.tools) {
+                        if (typeof tool === 'object' && tool !== null) {
+                            tools.push(tool);
+                        }
+                    }
+                }
+            }
+        }
+    }
+    return tools;
+}
+/**
+ * Check 4: Overly broad permissions — root filesystem, wildcard network, privileged.
+ */
+function checkPermissions(config, permissionPatterns) {
+    const matched = [];
+    const allValues = collectStringValues(config);
+    for (const pattern of permissionPatterns) {
+        for (const value of pattern.values) {
+            // Exact match or the value is the entire string (not substring)
+            if (allValues.some(v => v === value || v === `"${value}"`)) {
+                matched.push(pattern.name);
+                break;
+            }
+        }
+    }
+    // Also check args arrays for privileged flags
+    const configStr = JSON.stringify(config);
+    for (const pattern of permissionPatterns) {
+        if (matched.includes(pattern.name))
+            continue;
+        for (const value of pattern.values) {
+            // Match "--privileged" or "privileged" as standalone tokens in args
+            if (value.startsWith('--') && configStr.includes(`"${value}"`)) {
+                matched.push(pattern.name);
+                break;
+            }
+        }
+    }
+    if (matched.length > 0) {
+        return {
+            status: 'critical',
+            detail: `Overly broad permissions: ${matched.join(', ')}`,
+        };
+    }
+    return { status: 'pass', detail: 'No overly broad permissions detected' };
+}
+/**
+ * Collect all string values from a nested object.
+ */
+function collectStringValues(obj) {
+    const values = [];
+    if (typeof obj === 'string') {
+        values.push(obj);
+        return values;
+    }
+    if (obj === null || obj === undefined || typeof obj !== 'object') {
+        return values;
+    }
+    if (Array.isArray(obj)) {
+        for (const item of obj) {
+            values.push(...collectStringValues(item));
+        }
+        return values;
+    }
+    for (const val of Object.values(obj)) {
+        values.push(...collectStringValues(val));
+    }
+    return values;
+}
+/**
+ * Check 5: Logging/audit configuration existence.
+ */
+function checkLogging(config, loggingFields) {
+    const found = hasAnyKey(config, loggingFields);
+    if (found) {
+        return { status: 'pass', detail: 'Logging/audit configuration found' };
+    }
+    return { status: 'warning', detail: 'No logging/audit configuration detected' };
+}
+/**
+ * Assess overall severity from the 5 check items.
+ * 3+ failures → critical, 1-2 → warning, 0 → pass
+ */
+function assessOverall(items) {
+    const checks = [items.auth, items.secrets, items.toolMeta, items.permissions, items.logging];
+    const failedCount = checks.filter(c => c.status !== 'pass').length;
+    if (failedCount >= 3) {
+        return { overallSeverity: 'critical', failedCount };
+    }
+    if (failedCount >= 1) {
+        return { overallSeverity: 'warning', failedCount };
+    }
+    return { overallSeverity: 'pass', failedCount: 0 };
+}
+//# sourceMappingURL=mcp.js.map

package/dist/scanner/mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../src/scanner/mcp.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,wCAqCC;AAlDD,4CAA8B;AAC9B,gDAAkC;AAClC,+BAA4B;AAQ5B;;GAEG;AACI,KAAK,UAAU,cAAc,CAClC,UAAkB,EAClB,OAAgB,EAChB,eAAgC;IAEhC,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAE/E,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,MAAM,KAAK,IAAI;YAAE,SAAS;QAE9B,MAAM,KAAK,GAAG;YACZ,IAAI,EAAE,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;YAChD,OAAO,EAAE,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,CAAC;YAC1D,QAAQ,EAAE,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;YACpE,WAAW,EAAE,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;YACtE,OAAO,EAAE,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;SAC1D,CAAC;QAEF,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QAE9D,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,UAAU;YAChB,KAAK;YACL,eAAe;YACf,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,cAAc,CAC3B,UAAkB,EAClB,eAAyB;IAEzB,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,MAAM,IAAA,WAAI,EAAC,OAAO,EAAE;YAClC,GAAG,EAAE,UAAU;YACf,KAAK,EAAE,IAAI;YACX,GAAG,EAAE,IAAI;YACT,MAAM,EAAE,CAAC,iBAAiB,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC;YAC7D,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,cAAc;IACd,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,GAAY,EAAE,IAAc;IAC7C,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACjE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAEjD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,EAAE,CAAC;QAC9D,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,SAAS,CAAE,GAA+B,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,MAA+B,EAAE,UAAoB;IACtE,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAC5C,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;IAC1E,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,0CAA0C,EAAE,CAAC;AACpF,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CACnB,MAA+B,EAC/B,QAAgB,EAChB,eAAgC;IAEhC,qDAAqD;IACrD,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,CACxC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CACtD,CAAC;IAEF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,sCAAsC;SACpE,CAAC;IACJ,CAAC;IAED,mDAAmD;IACnD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,CAAC,gBAAgB,EAAE,YAAY,EAAE,iBAAiB,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IAE3D,wEAAwE;IACxE,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAEpD,IAAI,gBAAgB,EAAE,CAAC;QACrB,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;IACjF,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,6CAA6C,EAAE,CAAC;IACnF,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,GAAY;IACtC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,6CAA6C;QAC7C,IAAI,oDAAoD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACjE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,GAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC;AACxF,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACpB,MAA+B,EAC/B,iBAA2B;IAE3B,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,iDAAiD,EAAE,CAAC;IACvF,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC,WAAW,EAAE,CAAC;QAC1E,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACzC,SAAS,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,IAAI,SAAS,MAAM,OAAO,GAAG,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,4BAA4B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC3D,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,MAA+B;IACnD,MAAM,KAAK,GAAmD,EAAE,CAAC;IAEjE,qBAAqB;IACrB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC9C,KAAK,CAAC,IAAI,CAAC,IAA+C,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,IAAI,MAAM,CAAC,UAAU,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC/D,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,UAAqC,CAAC,EAAE,CAAC;YACjF,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnE,MAAM,CAAC,GAAG,MAAiC,CAAC;gBAC5C,qDAAqD;gBACrD,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/D,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;gBAEjD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC3B,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;wBAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;4BAC9C,KAAK,CAAC,IAAI,CAAC,IAA+C,CAAC,CAAC;wBAC9D,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,MAA+B,EAC/B,kBAAyD;IAEzD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAE9C,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnC,gEAAgE;YAChE,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;gBAC3D,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC3B,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACzC,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,SAAS;QAC7C,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnC,oEAAoE;YACpE,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;gBAC/D,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC3B,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,6BAA6B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC1D,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAC;AAC5E,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,GAAY;IACvC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjB,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACjE,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,GAA8B,CAAC,EAAE,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CACnB,MAA+B,EAC/B,aAAuB;IAEvB,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAC/C,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACzE,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,yCAAyC,EAAE,CAAC;AAClF,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,KAA0B;IAI/C,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7F,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAEnE,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;IACrD,CAAC;IACD,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;AACrD,CAAC"}

package/dist/scanner/pii.d.ts

@@ -0,0 +1,21 @@
+import type { PIIFinding, Ruleset } from '../types/index.js';
+/**
+ * Validate Korean RRN (Resident Registration Number) checksum.
+ * Format: 6 digits (birth date) + 1 digit (gender) + 6 digits
+ * Total: 13 digits. Last digit is check digit.
+ */
+export declare function validateKoreanRRN(digits: string): boolean;
+/**
+ * Validate credit card number using Luhn algorithm.
+ */
+export declare function luhnCheck(cardNumber: string): boolean;
+/**
+ * Validate Korean Business Registration Number check digit.
+ * Format: XXX-XX-XXXXX (10 digits total)
+ */
+export declare function validateBusinessNumber(number: string): boolean;
+/**
+ * Scan a single file's content for PII using 2-layer detection.
+ */
+export declare function scanFilePII(content: string, filePath: string, ruleset: Ruleset): PIIFinding[];
+//# sourceMappingURL=pii.d.ts.map

package/dist/scanner/pii.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii.d.ts","sourceRoot":"","sources":["../../src/scanner/pii.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAa7D;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAwBzD;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAkBrD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAa9D;AAiCD;;GAEG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,GACf,UAAU,EAAE,CAgDd"}

package/dist/scanner/pii.js

@@ -0,0 +1,161 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateKoreanRRN = validateKoreanRRN;
+exports.luhnCheck = luhnCheck;
+exports.validateBusinessNumber = validateBusinessNumber;
+exports.scanFilePII = scanFilePII;
+const ignore_js_1 = require("./ignore.js");
+/**
+ * Mask a matched value: show first 3 chars + ****
+ */
+function maskValue(value) {
+    if (value.length <= 3)
+        return '****';
+    return value.substring(0, 3) + '****';
+}
+// ─── Checksum Validators ──────────────────────────────────────
+/**
+ * Validate Korean RRN (Resident Registration Number) checksum.
+ * Format: 6 digits (birth date) + 1 digit (gender) + 6 digits
+ * Total: 13 digits. Last digit is check digit.
+ */
+function validateKoreanRRN(digits) {
+    const clean = digits.replace(/-/g, '');
+    if (clean.length !== 13)
+        return false;
+    // Validate birth date portion
+    const monthStr = clean.substring(2, 4);
+    const dayStr = clean.substring(4, 6);
+    const month = parseInt(monthStr, 10);
+    const day = parseInt(dayStr, 10);
+    if (month < 1 || month > 12)
+        return false;
+    if (day < 1 || day > 31)
+        return false;
+    // Validate gender code (1-4)
+    const genderCode = parseInt(clean[6], 10);
+    if (genderCode < 1 || genderCode > 4)
+        return false;
+    // Checksum: multiply each digit by weights [2,3,4,5,6,7,8,9,2,3,4,5]
+    const weights = [2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5];
+    let sum = 0;
+    for (let i = 0; i < 12; i++) {
+        sum += parseInt(clean[i], 10) * weights[i];
+    }
+    const checkDigit = (11 - (sum % 11)) % 10;
+    return checkDigit === parseInt(clean[12], 10);
+}
+/**
+ * Validate credit card number using Luhn algorithm.
+ */
+function luhnCheck(cardNumber) {
+    const clean = cardNumber.replace(/[\s-]/g, '');
+    if (!/^\d{13,19}$/.test(clean))
+        return false;
+    let sum = 0;
+    let alternate = false;
+    for (let i = clean.length - 1; i >= 0; i--) {
+        let digit = parseInt(clean[i], 10);
+        if (alternate) {
+            digit *= 2;
+            if (digit > 9)
+                digit -= 9;
+        }
+        sum += digit;
+        alternate = !alternate;
+    }
+    return sum % 10 === 0;
+}
+/**
+ * Validate Korean Business Registration Number check digit.
+ * Format: XXX-XX-XXXXX (10 digits total)
+ */
+function validateBusinessNumber(number) {
+    const clean = number.replace(/-/g, '');
+    if (clean.length !== 10 || !/^\d{10}$/.test(clean))
+        return false;
+    const weights = [1, 3, 7, 1, 3, 7, 1, 3, 5];
+    let sum = 0;
+    for (let i = 0; i < 9; i++) {
+        sum += parseInt(clean[i], 10) * weights[i];
+    }
+    // Add the extra calculation for the 9th position
+    sum += Math.floor((parseInt(clean[8], 10) * 5) / 10);
+    const checkDigit = (10 - (sum % 10)) % 10;
+    return checkDigit === parseInt(clean[9], 10);
+}
+/**
+ * Run checksum validation for a pattern match.
+ * Returns true if valid, false if invalid, null if not applicable.
+ */
+function runChecksum(patternId, matchedValue) {
+    switch (patternId) {
+        case 'korean_rrn_hyphen':
+        case 'korean_rrn_no_hyphen':
+            return validateKoreanRRN(matchedValue);
+        case 'credit_card':
+            return luhnCheck(matchedValue);
+        case 'korean_business_number':
+            return validateBusinessNumber(matchedValue);
+        default:
+            return null;
+    }
+}
+/**
+ * Determine PII severity based on layer results.
+ */
+function determinePIISeverity(regexHit, checksumResult) {
+    if (!regexHit)
+        return 'info';
+    if (checksumResult === true)
+        return 'confirmed';
+    if (checksumResult === null)
+        return 'possible'; // No checksum applicable
+    return 'possible'; // Checksum failed but regex matched
+}
+/**
+ * Scan a single file's content for PII using 2-layer detection.
+ */
+function scanFilePII(content, filePath, ruleset) {
+    const findings = [];
+    const lines = content.split('\n');
+    const { patterns } = ruleset.pii;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNum = i + 1;
+        // Skip shield-ignored lines
+        if ((0, ignore_js_1.isLineIgnored)(line))
+            continue;
+        for (const pattern of patterns) {
+            const regex = new RegExp(pattern.regex, 'g');
+            let match;
+            while ((match = regex.exec(line)) !== null) {
+                const matchedStr = match[0];
+                const column = (match.index ?? 0) + 1;
+                // Layer 2: Checksum validation
+                const checksumResult = pattern.has_checksum
+                    ? runChecksum(pattern.id, matchedStr)
+                    : null;
+                const severity = determinePIISeverity(true, checksumResult);
+                if (severity !== 'info') {
+                    findings.push({
+                        file: filePath,
+                        line: lineNum,
+                        column,
+                        type: pattern.id,
+                        severity,
+                        layers: {
+                            regex: true,
+                            checksum: checksumResult,
+                        },
+                        matched: maskValue(matchedStr),
+                        description: pattern.description,
+                        locale: pattern.locale,
+                    });
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=pii.js.map

package/dist/scanner/pii.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii.js","sourceRoot":"","sources":["../../src/scanner/pii.ts"],"names":[],"mappings":";;AAkBA,8CAwBC;AAKD,8BAkBC;AAMD,wDAaC;AAoCD,kCAoDC;AA3KD,2CAA4C;AAE5C;;GAEG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IACrC,OAAO,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC;AACxC,CAAC;AAED,iEAAiE;AAEjE;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,MAAc;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEtC,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACjC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAEtC,6BAA6B;IAC7B,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,UAAU,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEnD,qEAAqE;IACrE,MAAM,OAAO,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IACrD,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,UAAU,GAAG,CAAC,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC;IAC1C,OAAO,UAAU,KAAK,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAgB,SAAS,CAAC,UAAkB;IAC1C,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAC/C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7C,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,IAAI,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,IAAI,CAAC,CAAC;YACX,IAAI,KAAK,GAAG,CAAC;gBAAE,KAAK,IAAI,CAAC,CAAC;QAC5B,CAAC;QACD,GAAG,IAAI,KAAK,CAAC;QACb,SAAS,GAAG,CAAC,SAAS,CAAC;IACzB,CAAC;IAED,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,MAAc;IACnD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEjE,MAAM,OAAO,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5C,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,iDAAiD;IACjD,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,CAAC,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC;IAC1C,OAAO,UAAU,KAAK,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,SAAiB,EAAE,YAAoB;IAC1D,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,mBAAmB,CAAC;QACzB,KAAK,sBAAsB;YACzB,OAAO,iBAAiB,CAAC,YAAY,CAAC,CAAC;QACzC,KAAK,aAAa;YAChB,OAAO,SAAS,CAAC,YAAY,CAAC,CAAC;QACjC,KAAK,wBAAwB;YAC3B,OAAO,sBAAsB,CAAC,YAAY,CAAC,CAAC;QAC9C;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,QAAiB,EACjB,cAA8B;IAE9B,IAAI,CAAC,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC7B,IAAI,cAAc,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC;IAChD,IAAI,cAAc,KAAK,IAAI;QAAE,OAAO,UAAU,CAAC,CAAC,yBAAyB;IACzE,OAAO,UAAU,CAAC,CAAC,oCAAoC;AACzD,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CACzB,OAAe,EACf,QAAgB,EAChB,OAAgB;IAEhB,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;QAEtB,4BAA4B;QAC5B,IAAI,IAAA,yBAAa,EAAC,IAAI,CAAC;YAAE,SAAS;QAElC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC7C,IAAI,KAA6B,CAAC;YAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC3C,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC5B,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBAEtC,+BAA+B;gBAC/B,MAAM,cAAc,GAAG,OAAO,CAAC,YAAY;oBACzC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,UAAU,CAAC;oBACrC,CAAC,CAAC,IAAI,CAAC;gBAET,MAAM,QAAQ,GAAG,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;gBAE5D,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;oBACxB,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,OAAO;wBACb,MAAM;wBACN,IAAI,EAAE,OAAO,CAAC,EAAE;wBAChB,QAAQ;wBACR,MAAM,EAAE;4BACN,KAAK,EAAE,IAAI;4BACX,QAAQ,EAAE,cAAc;yBACzB;wBACD,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC;wBAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;wBAChC,MAAM,EAAE,OAAO,CAAC,MAAM;qBACvB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/secrets.d.ts

@@ -0,0 +1,10 @@
+import type { SecretFinding, Ruleset } from '../types/index.js';
+/**
+ * Calculate Shannon entropy of a string.
+ */
+export declare function shannonEntropy(str: string): number;
+/**
+ * Scan a single file's content for secrets using 3-layer detection.
+ */
+export declare function scanFileSecrets(content: string, filePath: string, ruleset: Ruleset): SecretFinding[];
+//# sourceMappingURL=secrets.d.ts.map

package/dist/scanner/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/scanner/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAiB,MAAM,mBAAmB,CAAC;AAG/E;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAkBlD;AA+ID;;GAEG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,GACf,aAAa,EAAE,CA0FjB"}