project-shield 1.1.5 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +194 -4
- package/dist/auditor/checks/environment.d.ts +7 -0
- package/dist/auditor/checks/environment.d.ts.map +1 -0
- package/dist/auditor/checks/environment.js +463 -0
- package/dist/auditor/checks/environment.js.map +1 -0
- package/dist/auditor/checks/hooks.d.ts +13 -0
- package/dist/auditor/checks/hooks.d.ts.map +1 -0
- package/dist/auditor/checks/hooks.js +234 -0
- package/dist/auditor/checks/hooks.js.map +1 -0
- package/dist/auditor/engine.d.ts +7 -0
- package/dist/auditor/engine.d.ts.map +1 -0
- package/dist/auditor/engine.js +183 -0
- package/dist/auditor/engine.js.map +1 -0
- package/dist/auditor/providers/claude-code.d.ts +17 -0
- package/dist/auditor/providers/claude-code.d.ts.map +1 -0
- package/dist/auditor/providers/claude-code.js +176 -0
- package/dist/auditor/providers/claude-code.js.map +1 -0
- package/dist/auditor/providers/types.d.ts +36 -0
- package/dist/auditor/providers/types.d.ts.map +1 -0
- package/dist/auditor/providers/types.js +4 -0
- package/dist/auditor/providers/types.js.map +1 -0
- package/dist/index.js +99 -2
- package/dist/index.js.map +1 -1
- package/dist/license/gate.d.ts +3 -0
- package/dist/license/gate.d.ts.map +1 -1
- package/dist/license/gate.js +9 -0
- package/dist/license/gate.js.map +1 -1
- package/dist/license/index.d.ts +1 -1
- package/dist/license/index.d.ts.map +1 -1
- package/dist/license/index.js +3 -1
- package/dist/license/index.js.map +1 -1
- package/dist/license/storage.d.ts.map +1 -1
- package/dist/license/storage.js +5 -0
- package/dist/license/storage.js.map +1 -1
- package/dist/license/types.d.ts +5 -0
- package/dist/license/types.d.ts.map +1 -1
- package/dist/license/usage.d.ts +12 -0
- package/dist/license/usage.d.ts.map +1 -1
- package/dist/license/usage.js +47 -2
- package/dist/license/usage.js.map +1 -1
- package/dist/output/audit-evidence.d.ts +10 -0
- package/dist/output/audit-evidence.d.ts.map +1 -0
- package/dist/output/audit-evidence.js +82 -0
- package/dist/output/audit-evidence.js.map +1 -0
- package/dist/output/audit-fixit.d.ts +34 -0
- package/dist/output/audit-fixit.d.ts.map +1 -0
- package/dist/output/audit-fixit.js +267 -0
- package/dist/output/audit-fixit.js.map +1 -0
- package/dist/output/audit-terminal.d.ts +15 -0
- package/dist/output/audit-terminal.d.ts.map +1 -0
- package/dist/output/audit-terminal.js +200 -0
- package/dist/output/audit-terminal.js.map +1 -0
- package/dist/retention/expiry.d.ts +13 -0
- package/dist/retention/expiry.d.ts.map +1 -0
- package/dist/retention/expiry.js +37 -0
- package/dist/retention/expiry.js.map +1 -0
- package/dist/retention/hash-detect.d.ts +12 -0
- package/dist/retention/hash-detect.d.ts.map +1 -0
- package/dist/retention/hash-detect.js +29 -0
- package/dist/retention/hash-detect.js.map +1 -0
- package/dist/retention/storage.d.ts +17 -0
- package/dist/retention/storage.d.ts.map +1 -0
- package/dist/retention/storage.js +79 -0
- package/dist/retention/storage.js.map +1 -0
- package/dist/types/audit.d.ts +77 -0
- package/dist/types/audit.d.ts.map +1 -0
- package/dist/types/audit.js +4 -0
- package/dist/types/audit.js.map +1 -0
- package/package.json +17 -5
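--- /dev/null
+++ b/package/dist/auditor/checks/environment.js
@@ -0,0 +1,463 @@
+"use strict";
+// ─── F008: Claude Code Environment Security Checks (9 items) ─
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkEnvironment = checkEnvironment;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+// ─── Helpers ────────────────────────────────────────────────
+/**
+* Strip fenced code blocks from markdown content to avoid
+* false positives when patterns are mentioned in documentation
+* rather than used as actual instructions.
+*/
+function stripCodeBlocks(content) {
+return content.replace(/```[\s\S]*?```/g, '').replace(/`[^`\n]+`/g, '');
+}
+// ─── Trusted Anthropic domains ──────────────────────────────
+const TRUSTED_BASE_URLS = [
+'https://api.anthropic.com',
+'https://api.anthropic.com/',
+];
+// ─── CLAUDE.md injection patterns ───────────────────────────
+const INJECTION_PATTERNS = [
+/ignore\s+(previous|all|above)\s+instructions/i,
+/you\s+are\s+now\s+a?\s*(different|new|hacker)/i,
+/forget\s+(everything|all|what)/i,
+/system\s*prompt\s*:\s*override/i,
+/new\s+instructions?\s*:/i,
+/do\s+not\s+tell\s+the\s+user/i,
+/secretly\s+(log|send|exfil|upload)/i,
+/bypass\s*(all)?\s*permissions?/i,
+/dangerously[\s-]*skip[\s-]*permissions/i,
+/execute\s+(this|the\s+following)\s+command/i,
+/curl\s+.*\|\s*sh/i,
+/wget\s+.*\|\s*bash/i,
+];
+// ─── Dangerous tool patterns ────────────────────────────────
+const DANGEROUS_TOOL_PATTERNS = [
+'*', // wildcard = all tools
+'Bash', // unrestricted shell
+'Write', // file write
+'Edit', // file edit
+];
+const EXCESSIVE_TOOL_THRESHOLD = 10;
+/**
+* Run all F008 environment checks and return findings.
+*/
+function checkEnvironment(settings, envFiles, instructionFiles, projectDir) {
+const findings = [];
+findings.push(...checkF008_01_baseUrl(settings, envFiles));
+findings.push(...checkF008_02_bypassPermissions(settings));
+findings.push(...checkF008_03_claudeMdInjection(instructionFiles));
+findings.push(...checkF008_04_dangerouslySkipPermissions(settings, envFiles, instructionFiles));
+findings.push(...checkF008_05_disableBypassMode(settings));
+findings.push(...checkF008_06_excessiveToolAllowance(settings));
+findings.push(...checkF008_07_permissionMode(settings));
+findings.push(...checkF008_08_directoryPermissions(projectDir));
+findings.push(...checkF008_09_projectOverride(settings));
+return findings;
+}
+// ─── F008-01: ANTHROPIC_BASE_URL manipulation ───────────────
+function checkF008_01_baseUrl(settings, envFiles) {
+const findings = [];
+// Check .env files for ANTHROPIC_BASE_URL
+for (const envFile of envFiles) {
+if (!envFile.exists)
+continue;
+try {
+const content = fs.readFileSync(envFile.filePath, 'utf-8');
+const lines = content.split('\n');
+for (const line of lines) {
+const trimmed = line.trim();
+if (trimmed.startsWith('#'))
+continue;
+const match = trimmed.match(/^ANTHROPIC_BASE_URL\s*=\s*(.+)/);
+if (match) {
+const url = match[1].trim().replace(/^["']|["']$/g, '');
+if (url && !TRUSTED_BASE_URLS.some((t) => url.startsWith(t))) {
+findings.push({
+id: 'F008-01',
+title: 'ANTHROPIC_BASE_URL points to untrusted host',
+description: `Non-official API endpoint detected: ${url}. This can intercept API keys (CVE-2026-21852).`,
+severity: 'critical',
+tier: 'free',
+category: 'environment',
+remediation: 'Remove ANTHROPIC_BASE_URL from .env or set it to https://api.anthropic.com',
+evidence: `${envFile.filePath}: ANTHROPIC_BASE_URL=${url}`,
+});
+}
+}
+}
+}
+catch {
+// ignore read errors
+}
+}
+// Check settings.json for env overrides
+for (const s of settings) {
+if (!s.exists)
+continue;
+const env = s.raw.env;
+if (typeof env === 'object' && env !== null) {
+const baseUrl = env.ANTHROPIC_BASE_URL;
+if (typeof baseUrl === 'string' && !TRUSTED_BASE_URLS.some((t) => baseUrl.startsWith(t))) {
+findings.push({
+id: 'F008-01',
+title: 'ANTHROPIC_BASE_URL in settings points to untrusted host',
+description: `Non-official API endpoint in settings: ${baseUrl}. API key interception risk.`,
+severity: 'critical',
+tier: 'free',
+category: 'environment',
+remediation: 'Remove ANTHROPIC_BASE_URL from settings.json env section',
+evidence: `${s.filePath}: env.ANTHROPIC_BASE_URL=${baseUrl}`,
+});
+}
+}
+}
+return findings;
+}
+// ─── F008-02: bypassPermissions enabled ─────────────────────
+function checkF008_02_bypassPermissions(settings) {
+const findings = [];
+for (const s of settings) {
+if (!s.exists)
+continue;
+if (s.raw.bypassPermissions === true) {
+findings.push({
+id: 'F008-02',
+title: 'bypassPermissions is enabled',
+description: 'All permission prompts are automatically approved. Complete bypass of safety checks.',
+severity: 'critical',
+tier: 'free',
+category: 'environment',
+remediation: 'Set "bypassPermissions": false in ' + s.filePath,
+evidence: `${s.filePath}: bypassPermissions=true`,
+});
+}
+}
+return findings;
+}
+// ─── F008-03: CLAUDE.md injection patterns ──────────────────
+function checkF008_03_claudeMdInjection(instructionFiles) {
+const findings = [];
+for (const file of instructionFiles) {
+if (!file.exists)
+continue;
+try {
+const raw = fs.readFileSync(file.filePath, 'utf-8');
+// Strip code blocks so documented patterns don't trigger false positives
+const content = stripCodeBlocks(raw);
+const matchedPatterns = [];
+for (const pattern of INJECTION_PATTERNS) {
+if (pattern.test(content)) {
+matchedPatterns.push(pattern.source);
+}
+}
+if (matchedPatterns.length > 0) {
+findings.push({
+id: 'F008-03',
+title: 'CLAUDE.md contains injection patterns',
+description: `Potential prompt injection detected in ${path.basename(file.filePath)}. ${matchedPatterns.length} suspicious pattern(s) found.`,
+severity: 'critical',
+tier: 'free',
+category: 'environment',
+remediation: 'Review CLAUDE.md for hidden malicious instructions. Remove or rewrite suspicious directives.',
+evidence: `${file.filePath}: matched ${matchedPatterns.length} pattern(s)`,
+});
+}
+}
+catch {
+// ignore read errors
+}
+}
+return findings;
+}
+// ─── F008-04: --dangerously-skip-permissions usage ──────────
+// Scope: Claude Code files only (.claude/settings.json, .env, CLAUDE.md)
+// Excluded: CI/scripts (.github/workflows, package.json scripts)
+function checkF008_04_dangerouslySkipPermissions(settings, envFiles, instructionFiles) {
+const findings = [];
+const DSP = /dangerously[\s_-]*skip[\s_-]*permissions/i;
+// Check settings.json raw content
+for (const s of settings) {
+if (!s.exists)
+continue;
+const raw = JSON.stringify(s.raw);
+if (DSP.test(raw)) {
+findings.push({
+id: 'F008-04',
+title: '--dangerously-skip-permissions detected in settings',
+description: 'This flag bypasses all permission checks. Real-world case: rm -rf / execution risk.',
+severity: 'critical',
+tier: 'pro',
+category: 'environment',
+remediation: 'Remove --dangerously-skip-permissions from ' + s.filePath,
+evidence: s.filePath,
+});
+}
+}
+// Check .env files
+for (const envFile of envFiles) {
+if (!envFile.exists)
+continue;
+try {
+const content = fs.readFileSync(envFile.filePath, 'utf-8');
+if (DSP.test(content)) {
+findings.push({
+id: 'F008-04',
+title: '--dangerously-skip-permissions in .env',
+description: 'Environment variable enables dangerous permission bypass.',
+severity: 'critical',
+tier: 'pro',
+category: 'environment',
+remediation: 'Remove the dangerously-skip-permissions variable from ' + envFile.filePath,
+evidence: envFile.filePath,
+});
+}
+}
+catch {
+// ignore
+}
+}
+// Check CLAUDE.md files
+for (const file of instructionFiles) {
+if (!file.exists)
+continue;
+try {
+const raw = fs.readFileSync(file.filePath, 'utf-8');
+// Strip code blocks so documented references don't trigger false positives
+const content = stripCodeBlocks(raw);
+if (DSP.test(content)) {
+findings.push({
+id: 'F008-04',
+title: '--dangerously-skip-permissions referenced in CLAUDE.md',
+description: 'Instruction file references dangerous permission bypass flag.',
+severity: 'critical',
+tier: 'pro',
+category: 'environment',
+remediation: 'Remove dangerously-skip-permissions references from ' + file.filePath,
+evidence: file.filePath,
+});
+}
+}
+catch {
+// ignore
+}
+}
+return findings;
+}
+// ─── F008-05: disableBypassPermissionsMode unconfigured ─────
+function checkF008_05_disableBypassMode(settings) {
+// Check if any global settings have managed-settings with disableBypassPermissionsMode
+const globalSettings = settings.filter((s) => !s.isProjectLevel && s.exists);
+const hasProtection = globalSettings.some((s) => {
+const managed = s.raw['managed-settings'] ?? s.raw.managedSettings;
+if (typeof managed !== 'object' || managed === null)
+return false;
+return managed.disableBypassPermissionsMode === true;
+});
+if (!hasProtection && globalSettings.length > 0) {
+return [{
+id: 'F008-05',
+title: 'disableBypassPermissionsMode not configured',
+description: 'Enterprise protection missing. No centralized policy prevents bypass mode activation.',
+severity: 'medium',
+tier: 'pro',
+category: 'environment',
+remediation: 'Add "managed-settings": { "disableBypassPermissionsMode": true } to global settings.json',
+}];
+}
+return [];
+}
+// ─── F008-06: Excessive tool allowance ──────────────────────
+function checkF008_06_excessiveToolAllowance(settings) {
+const findings = [];
+for (const s of settings) {
+if (!s.exists)
+continue;
+const allowed = s.raw.allowedTools;
+if (!Array.isArray(allowed))
+continue;
+// Check for wildcards or dangerous tools
+const dangerousFound = allowed.filter((tool) => typeof tool === 'string' && DANGEROUS_TOOL_PATTERNS.some((p) => tool === p || tool.includes('*')));
+if (dangerousFound.length > 0) {
+findings.push({
+id: 'F008-06',
+title: 'Dangerous tools in allowedTools',
+description: `Wildcard or dangerous tools allowed: ${dangerousFound.join(', ')}. Principle of least privilege violation.`,
+severity: 'medium',
+tier: 'pro',
+category: 'environment',
+remediation: 'Remove wildcards and restrict allowedTools to specific, needed tools in ' + s.filePath,
+evidence: `${s.filePath}: allowedTools includes ${dangerousFound.join(', ')}`,
+});
+}
+if (allowed.length > EXCESSIVE_TOOL_THRESHOLD) {
+findings.push({
+id: 'F008-06',
+title: 'Excessive number of allowed tools',
+description: `${allowed.length} tools allowed without restriction. Consider reducing to minimum necessary.`,
+severity: 'medium',
+tier: 'pro',
+category: 'environment',
+remediation: `Reduce allowedTools list in ${s.filePath} to only necessary tools (currently ${allowed.length})`,
+evidence: `${s.filePath}: ${allowed.length} tools allowed`,
+});
+}
+}
+return findings;
+}
+// ─── F008-07: Permission mode verification ──────────────────
+function checkF008_07_permissionMode(settings) {
+const findings = [];
+for (const s of settings) {
+if (!s.exists)
+continue;
+const mode = s.raw.permissionMode ?? s.raw.permission_mode;
+if (typeof mode === 'string' && (mode === 'auto' || mode === 'auto-accept' || mode === 'yolo')) {
+findings.push({
+id: 'F008-07',
+title: 'Auto-accept permission mode active',
+description: 'Operations run without human review. Permission prompts are automatically accepted.',
+severity: 'medium',
+tier: 'pro',
+category: 'environment',
+remediation: 'Set permissionMode to "prompt" or remove it (default is prompt) in ' + s.filePath,
+evidence: `${s.filePath}: permissionMode=${mode}`,
+});
+}
+}
+return findings;
+}
+// ─── F008-08: .claude/ directory permissions ────────────────
+function checkF008_08_directoryPermissions(projectDir) {
+const claudeDir = path.join(projectDir, '.claude');
+if (!fs.existsSync(claudeDir))
+return [];
+// On Unix-like systems, check if others have write permission
+if (process.platform !== 'win32') {
+try {
+const stats = fs.statSync(claudeDir);
+const mode = stats.mode;
+// Check "others" write bit (0o002) and "group" write bit (0o020)
+const othersWrite = (mode & 0o002) !== 0;
+const groupWrite = (mode & 0o020) !== 0;
+if (othersWrite || groupWrite) {
+return [{
+id: 'F008-08',
+title: '.claude/ directory is writable by other users',
+description: 'Privilege escalation possible. Other users can modify Claude Code configuration.',
+severity: 'low',
+tier: 'pro',
+category: 'environment',
+remediation: `Run: chmod 700 ${claudeDir}`,
+evidence: `${claudeDir}: mode=${mode.toString(8)}`,
+}];
+}
+}
+catch {
+// ignore stat errors
+}
+}
+return [];
+}
+// ─── F008-09: Project-level setting override ────────────────
+function checkF008_09_projectOverride(settings) {
+const findings = [];
+const globalSettings = settings.filter((s) => !s.isProjectLevel && s.exists);
+const projectSettings = settings.filter((s) => s.isProjectLevel && s.exists);
+if (globalSettings.length === 0 || projectSettings.length === 0)
+return [];
+for (const ps of projectSettings) {
+// Check if project weakens security relative to global
+// Case 1: Project enables bypassPermissions while global doesn't
+if (ps.raw.bypassPermissions === true) {
+const globalHasIt = globalSettings.some((g) => g.raw.bypassPermissions === true);
+if (!globalHasIt) {
+findings.push({
+id: 'F008-09',
+title: 'Project settings weaken global security',
+description: 'Project enables bypassPermissions while global settings do not. CVE-2025-59536 attack pattern.',
+severity: 'medium',
+tier: 'pro',
+category: 'environment',
+remediation: 'Remove bypassPermissions from project-level ' + ps.filePath,
+evidence: `${ps.filePath} overrides global: bypassPermissions=true`,
+});
+}
+}
+// Case 2: Project has more allowed tools than global
+const projectAllowed = Array.isArray(ps.raw.allowedTools) ? ps.raw.allowedTools : [];
+for (const gs of globalSettings) {
+const globalAllowed = Array.isArray(gs.raw.allowedTools) ? gs.raw.allowedTools : [];
+if (projectAllowed.length > 0 && projectAllowed.length > globalAllowed.length + 5) {
+findings.push({
+id: 'F008-09',
+title: 'Project allows significantly more tools than global',
+description: `Project allows ${projectAllowed.length} tools vs global ${globalAllowed.length}. Settings downgrade risk.`,
+severity: 'medium',
+tier: 'pro',
+category: 'environment',
+remediation: 'Review and reduce allowedTools in project-level ' + ps.filePath,
+evidence: `${ps.filePath}: ${projectAllowed.length} tools vs global ${globalAllowed.length}`,
+});
+break;
+}
+}
+// Case 3: Project sets auto-accept permission mode while global doesn't
+const pMode = ps.raw.permissionMode ?? ps.raw.permission_mode;
+if (typeof pMode === 'string' && (pMode === 'auto' || pMode === 'auto-accept' || pMode === 'yolo')) {
+const globalAutoAccept = globalSettings.some((g) => {
+const gMode = g.raw.permissionMode ?? g.raw.permission_mode;
+return typeof gMode === 'string' && (gMode === 'auto' || gMode === 'auto-accept' || gMode === 'yolo');
+});
+if (!globalAutoAccept) {
+findings.push({
+id: 'F008-09',
+title: 'Project enables auto-accept while global uses prompt mode',
+description: 'Project overrides global permission mode to auto-accept. Settings downgrade risk.',
+severity: 'medium',
+tier: 'pro',
+category: 'environment',
+remediation: 'Remove permissionMode override from project-level ' + ps.filePath,
+evidence: `${ps.filePath}: permissionMode=${pMode} overrides global`,
+});
+}
+}
+}
+return findings;
+}
+//# sourceMappingURL=environment.js.map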
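Review bot: The F008-01 trust decision in `checkF008_01_baseUrl` is a string-prefix test (`TRUSTED_BASE_URLS.some((t) => url.startsWith(t))`, used in both the .env loop and the settings loop), so any value whose text begins with `https://api.anthropic.com` is accepted even when its host is a different, longer name or the path carries something unexpected; for a check whose whole purpose is to catch a redirected API endpoint, the comparison should be on the parsed origin (scheme and exact hostname) rather than the prefix, which also makes the second list entry `'https://api.anthropic.com/'` redundant. The .env parser at `trimmed.match(/^ANTHROPIC_BASE_URL\s*=\s*(.+)/)` additionally misses the common `export ANTHROPIC_BASE_URL=...` form; `/^(?:export\s+)?ANTHROPIC_BASE_URL\s*=\s*(.+)/` would cover it. The helper below uses the global `URL` class, so no new dependency is needed; it treats an unparseable value as untrusted, which keeps the existing "flag anything that is not the official endpoint" behaviour.
```javascript
// … unchanged: TRUSTED_BASE_URLS …
/**
 * True only when `url` parses and its scheme and hostname are exactly the
 * official API endpoint. An exact-host comparison replaces the previous
 * prefix match, which any string beginning with the trusted prefix satisfied.
 */
function isTrustedBaseUrl(url) {
    try {
        const parsed = new URL(url);
        return parsed.protocol === 'https:' && parsed.hostname === 'api.anthropic.com';
    }
    catch {
        return false; // unparseable value: do not trust it
    }
}
// … unchanged: INJECTION_PATTERNS, DANGEROUS_TOOL_PATTERNS, checkEnvironment …
// in checkF008_01_baseUrl, .env loop:
if (url && !isTrustedBaseUrl(url)) {
// … unchanged: F008-01 finding for .env …
// in checkF008_01_baseUrl, settings loop:
if (typeof baseUrl === 'string' && !isTrustedBaseUrl(baseUrl)) {
// … unchanged: F008-01 finding for settings …
```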
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"environment.js","sourceRoot":"","sources":["../../../src/auditor/checks/environment.ts"],"names":[],"mappings":";AAAA,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqDhE,4CAmBC;AAtED,4CAA8B;AAC9B,gDAAkC;AAIlC,+DAA+D;AAE/D;;;;GAIG;AACH,SAAS,eAAe,CAAC,OAAe;IACtC,OAAO,OAAO,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,+DAA+D;AAC/D,MAAM,iBAAiB,GAAG;IACxB,2BAA2B;IAC3B,4BAA4B;CAC7B,CAAC;AAEF,+DAA+D;AAC/D,MAAM,kBAAkB,GAAG;IACzB,+CAA+C;IAC/C,gDAAgD;IAChD,iCAAiC;IACjC,iCAAiC;IACjC,0BAA0B;IAC1B,+BAA+B;IAC/B,qCAAqC;IACrC,iCAAiC;IACjC,yCAAyC;IACzC,6CAA6C;IAC7C,mBAAmB;IACnB,qBAAqB;CACtB,CAAC;AAEF,+DAA+D;AAC/D,MAAM,uBAAuB,GAAG;IAC9B,GAAG,EAAY,uBAAuB;IACtC,MAAM,EAAS,qBAAqB;IACpC,OAAO,EAAQ,aAAa;IAC5B,MAAM,EAAS,YAAY;CAC5B,CAAC;AAEF,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,QAAwB,EACxB,QAAuB,EACvB,gBAAuC,EACvC,UAAkB;IAElB,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,8BAA8B,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACnE,QAAQ,CAAC,IAAI,CAAC,GAAG,uCAAuC,CAAC,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAChG,QAAQ,CAAC,IAAI,CAAC,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,mCAAmC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAChE,QAAQ,CAAC,IAAI,CAAC,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,UAAU,CAAC,CAAC,CAAC;IAChE,QAAQ,CAAC,IAAI,CAAC,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEzD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,oBAAoB,CAC3B,QAAwB,EACxB,QAAuB;IAEvB,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,0CAA0C;IAC1C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,SAAS;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,OAAO,CAAC,UA
AU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;gBAC9D,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;oBACxD,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC7D,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,SAAS;4BACb,KAAK,EAAE,6CAA6C;4BACpD,WAAW,EAAE,uCAAuC,GAAG,iDAAiD;4BACxG,QAAQ,EAAE,UAAU;4BACpB,IAAI,EAAE,MAAM;4BACZ,QAAQ,EAAE,aAAa;4BACvB,WAAW,EAAE,4EAA4E;4BACzF,QAAQ,EAAE,GAAG,OAAO,CAAC,QAAQ,wBAAwB,GAAG,EAAE;yBAC3D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,SAAS;QACxB,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,GAA0C,CAAC;QAC7D,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC;YACvC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzF,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,yDAAyD;oBAChE,WAAW,EAAE,0CAA0C,OAAO,8BAA8B;oBAC5F,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,MAAM;oBACZ,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,0DAA0D;oBACvE,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,4BAA4B,OAAO,EAAE;iBAC7D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,8BAA8B,CAAC,QAAwB;IAC9D,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,SAAS;QACxB,IAAI,CAAC,CAAC,GAAG,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;YACrC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,8BAA8B;gBACrC,WAAW,EAAE,sFAAsF;gBACnG,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,aAAa;gBACvB,WAAW,EAAE,oCAAoC,GAAG,CAAC,CAAC,QAAQ;gBAC9D,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,0BAA0B;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,8BAA8B,CACrC,gBAAuC;IAEvC,MAAM,QAAQ,GAAmB,EAAE,CAAC;
IAEpC,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,SAAS;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACpD,yEAAyE;YACzE,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,eAAe,GAAa,EAAE,CAAC;YAErC,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;gBACzC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC1B,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;YAED,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,uCAAuC;oBAC9C,WAAW,EAAE,0CAA0C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,eAAe,CAAC,MAAM,+BAA+B;oBAC7I,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,MAAM;oBACZ,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,8FAA8F;oBAC3G,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,aAAa,eAAe,CAAC,MAAM,aAAa;iBAC3E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,yEAAyE;AACzE,iEAAiE;AACjE,SAAS,uCAAuC,CAC9C,QAAwB,EACxB,QAAuB,EACvB,gBAAuC;IAEvC,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,2CAA2C,CAAC;IAExD,kCAAkC;IAClC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,SAAS;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,qDAAqD;gBAC5D,WAAW,EAAE,qFAAqF;gBAClG,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,aAAa;gBACvB,WAAW,EAAE,6CAA6C,GAAG,CAAC,CAAC,QAAQ;gBACvE,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,SAAS;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC3D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,wCAAwC;oBAC/C,WAAW,EAAE,2DAA2D;oBACxE,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,wDAAwD,GAAG,OAAO,CAAC,QAAQ;oBACxF,QAAQ
,EAAE,OAAO,CAAC,QAAQ;iBAC3B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,SAAS;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACpD,2EAA2E;YAC3E,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,wDAAwD;oBAC/D,WAAW,EAAE,+DAA+D;oBAC5E,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,sDAAsD,GAAG,IAAI,CAAC,QAAQ;oBACnF,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,8BAA8B,CAAC,QAAwB;IAC9D,uFAAuF;IACvF,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;IAC7E,MAAM,aAAa,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QAC9C,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC;QACnE,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAClE,OAAQ,OAAmC,CAAC,4BAA4B,KAAK,IAAI,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,aAAa,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC;gBACN,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,6CAA6C;gBACpD,WAAW,EAAE,uFAAuF;gBACpG,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,aAAa;gBACvB,WAAW,EAAE,0FAA0F;aACxG,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,+DAA+D;AAC/D,SAAS,mCAAmC,CAAC,QAAwB;IACnE,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,SAAS;QACxB,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,SAAS;QAEtC,yCAAyC;QACzC,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAC7C,OAAO,IAAI,KAAK,QAAQ,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAClG,CAAC;QAEF,IAAI,cAAc,CAAC,MAAM,GA
AG,CAAC,EAAE,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,iCAAiC;gBACxC,WAAW,EAAE,wCAAwC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,2CAA2C;gBACzH,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,aAAa;gBACvB,WAAW,EAAE,0EAA0E,GAAG,CAAC,CAAC,QAAQ;gBACpG,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,2BAA2B,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAC9E,CAAC,CAAC;QACL,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,GAAG,wBAAwB,EAAE,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,mCAAmC;gBAC1C,WAAW,EAAE,GAAG,OAAO,CAAC,MAAM,6EAA6E;gBAC3G,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,aAAa;gBACvB,WAAW,EAAE,+BAA+B,CAAC,CAAC,QAAQ,uCAAuC,OAAO,CAAC,MAAM,GAAG;gBAC9G,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,MAAM,gBAAgB;aAC3D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,2BAA2B,CAAC,QAAwB;IAC3D,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,SAAS;QACxB,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3D,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,MAAM,CAAC,EAAE,CAAC;YAC/F,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,oCAAoC;gBAC3C,WAAW,EAAE,qFAAqF;gBAClG,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,aAAa;gBACvB,WAAW,EAAE,qEAAqE,GAAG,CAAC,CAAC,QAAQ;gBAC/F,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,oBAAoB,IAAI,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,iCAAiC,CAAC,UAAkB;IAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAEnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzC,8DAA8D;IAC9D,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;YACxB,iEAAiE;YACjE,MAAM,WAAW,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;YACzC,MAAM,UAAU,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;YAExC,IAAI,WAAW,IAAI,UAAU,EAAE,CAAC;gBAC9B,OAAO,CAAC;wBACN,EAAE,
EAAE,SAAS;wBACb,KAAK,EAAE,+CAA+C;wBACtD,WAAW,EAAE,kFAAkF;wBAC/F,QAAQ,EAAE,KAAK;wBACf,IAAI,EAAE,KAAK;wBACX,QAAQ,EAAE,aAAa;wBACvB,WAAW,EAAE,kBAAkB,SAAS,EAAE;wBAC1C,QAAQ,EAAE,GAAG,SAAS,UAAU,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;qBACnD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,+DAA+D;AAC/D,SAAS,4BAA4B,CAAC,QAAwB;IAC5D,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;IAC7E,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;IAE7E,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE3E,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;QACjC,uDAAuD;QACvD,iEAAiE;QACjE,IAAI,EAAE,CAAC,GAAG,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;YACtC,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,iBAAiB,KAAK,IAAI,CAAC,CAAC;YACjF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,yCAAyC;oBAChD,WAAW,EAAE,gGAAgG;oBAC7G,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,8CAA8C,GAAG,EAAE,CAAC,QAAQ;oBACzE,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,2CAA2C;iBACpE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;QACrF,KAAK,MAAM,EAAE,IAAI,cAAc,EAAE,CAAC;YAChC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;YACpF,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,cAAc,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClF,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,qDAAqD;oBAC5D,WAAW,EAAE,kBAAkB,cAAc,CAAC,MAAM,oBAAoB,aAAa,CAAC,MAAM,4BAA4B;oBACxH,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,kDAAkD,GAAG,EAAE,CAAC,QAAQ;oBAC7E,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,KAAK,cAAc,CAAC,MA
AM,oBAAoB,aAAa,CAAC,MAAM,EAAE;iBAC7F,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,MAAM,KAAK,GAAG,EAAE,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC;QAC9D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,aAAa,IAAI,KAAK,KAAK,MAAM,CAAC,EAAE,CAAC;YACnG,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;gBACjD,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC;gBAC5D,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,aAAa,IAAI,KAAK,KAAK,MAAM,CAAC,CAAC;YACxG,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,2DAA2D;oBAClE,WAAW,EAAE,mFAAmF;oBAChG,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,oDAAoD,GAAG,EAAE,CAAC,QAAQ;oBAC/E,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,oBAAoB,KAAK,mBAAmB;iBACrE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,13 @@
1
+
import type { AuditFinding } from '../../types/audit.js';
2
+
import type { HookConfig, ToolSettings } from '../providers/types.js';
3
+
interface CheckContext {
4
+
hooks: HookConfig[];
5
+
settings: ToolSettings[];
6
+
}
7
+
/**
8
+
* Run all F009 hooks checks and return findings.
9
+
* All F009 findings are tier: 'pro' (hidden from Free users entirely).
10
+
*/
11
+
export declare function checkHooks(ctx: CheckContext): AuditFinding[];
12
+
export {};
13
+
//# sourceMappingURL=hooks.d.ts.map
@@ -0,0 +1 @@
1
+
{"version":3,"file":"hooks.d.ts","sourceRoot":"","sources":["../../../src/auditor/checks/hooks.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAwEtE,UAAU,YAAY;IACpB,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,QAAQ,EAAE,YAAY,EAAE,CAAC;CAC1B;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,YAAY,GAAG,YAAY,EAAE,CAe5D"}