project-shield 1.1.6 → 2.0.0

package/dist/auditor/checks/hooks.js

@@ -0,0 +1,234 @@
+"use strict";
+// ─── F009: Hooks Malicious Command Detection (7 items) ──────
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkHooks = checkHooks;
+// ─── F009-01: Network request patterns ──────────────────────
+const NETWORK_PATTERNS = [
+    /\bcurl\b/i,
+    /\bwget\b/i,
+    /\bnc\b/,
+    /\bncat\b/i,
+    /\bnetcat\b/i,
+    /\bhttp\b.*\brequest\b/i,
+    /\bfetch\b/i,
+    /\bhttpie\b/i,
+    /\baria2c?\b/i,
+];
+// ─── F009-02: Data exfiltration patterns ────────────────────
+const EXFIL_PATTERNS = [
+    />\s*\/dev\/tcp\//, // > /dev/tcp/host/port
+    /\bbase64\b.*\|\s*(curl|wget|nc)\b/i, // base64 | curl
+    /(curl|wget|nc).*\|\s*base64\b/i, // curl | base64
+    /\bdig\b.*\bTXT\b/i, // DNS tunneling via dig TXT
+    /\bnslookup\b.*\./, // DNS lookup
+    /\bbase64\b.*-w\s*0/, // base64 no-wrap (exfil prep)
+    /\|\s*xxd\b/, // hex dump pipe
+];
+// ─── F009-03: Reverse shell patterns ────────────────────────
+const REVERSE_SHELL_PATTERNS = [
+    /\bbash\s+-i\b/, // bash -i (interactive)
+    /\bpython[23]?\s+-c\b.*socket/i, // python -c ... socket
+    /\bnc\s+-e\b/, // nc -e (execute)
+    /\bncat\s+.*-e\b/, // ncat -e
+    /\bperl\s+-e\b.*socket/i, // perl -e ... socket
+    /\bruby\s+-r\s*socket\b/i, // ruby -r socket
+    /\bphp\s+-r\b.*fsockopen/i, // php -r ... fsockopen
+    /\/dev\/tcp\/\d/, // /dev/tcp/IP
+    /\bmkfifo\b.*\bnc\b/, // mkfifo + nc combo
+];
+// ─── F009-04: File deletion patterns ────────────────────────
+const FILE_DELETE_PATTERNS = [
+    /\brm\s+-[a-z]*r[a-z]*f\b/, // rm -rf
+    /\brm\s+-[a-z]*f[a-z]*r\b/, // rm -fr
+    /\bdel\s+\/[fF]\b/, // del /f (Windows)
+    /\bshred\b/, // shred
+    /\brmdir\s+\/[sS]\b/, // rmdir /s (Windows)
+    /\brm\s+-rf\s+[\/~]/, // rm -rf / or ~
+];
+// ─── F009-05: Environment variable reading patterns ─────────
+const ENV_READ_PATTERNS = [
+    /\benv\b(?!\s*=)/, // env command (not assignment)
+    /\bprintenv\b/, // printenv
+    /\$ANTHROPIC_API_KEY\b/, // direct key reference
+    /\$CLAUDE_API_KEY\b/,
+    /\$OPENAI_API_KEY\b/,
+    /\$AWS_SECRET_ACCESS_KEY\b/,
+    /\$GITHUB_TOKEN\b/,
+    /\bset\b\s*\|/, // set | (list all vars)
+    /\bexport\s+-p\b/, // export -p (print all)
+];
+// ─── F009-07: Obfuscated command patterns (MVP) ─────────────
+const OBFUSCATION_PATTERNS = [
+    /\bbase64\s+-d\b.*\|\s*(sh|bash)\b/i, // base64 -d | sh
+    /\bbase64\s+--decode\b.*\|\s*(sh|bash)\b/i,
+    /\beval\s+\$\(/, // eval $(...)
+    /\beval\s+"?\$\(/, // eval "$(...)"
+    /\$\(.*\bbase64\b.*-d\)/, // $(... base64 -d ...)
+    /echo\s+.*\|\s*base64\s+-d\s*\|\s*(sh|bash)\b/i,
+];
+/**
+ * Run all F009 hooks checks and return findings.
+ * All F009 findings are tier: 'pro' (hidden from Free users entirely).
+ */
+function checkHooks(ctx) {
+    const findings = [];
+    const { hooks, settings } = ctx;
+    if (hooks.length === 0)
+        return findings;
+    findings.push(...checkF009_01_networkRequests(hooks));
+    findings.push(...checkF009_02_dataExfiltration(hooks));
+    findings.push(...checkF009_03_reverseShell(hooks));
+    findings.push(...checkF009_04_fileDeletion(hooks));
+    findings.push(...checkF009_05_envVarReading(hooks));
+    findings.push(...checkF009_06_repoLevelHooks(settings));
+    findings.push(...checkF009_07_obfuscatedCommands(hooks));
+    return findings;
+}
+// ─── F009-01: Network requests ──────────────────────────────
+function checkF009_01_networkRequests(hooks) {
+    const findings = [];
+    for (const hook of hooks) {
+        const matched = NETWORK_PATTERNS.filter((p) => p.test(hook.command));
+        if (matched.length > 0) {
+            findings.push({
+                id: 'F009-01',
+                title: 'Network request in hook command',
+                description: `Hook "${hook.event}" contains network tool. Data exfiltration channel detected.`,
+                severity: 'critical',
+                tier: 'pro',
+                category: 'hooks',
+                remediation: `Review and remove network commands from hook: ${hook.event}${hook.matcher ? ` (matcher: ${hook.matcher})` : ''}`,
+                evidence: `command: ${hook.command}`,
+            });
+        }
+    }
+    return findings;
+}
+// ─── F009-02: Data exfiltration patterns ────────────────────
+function checkF009_02_dataExfiltration(hooks) {
+    const findings = [];
+    for (const hook of hooks) {
+        const matched = EXFIL_PATTERNS.filter((p) => p.test(hook.command));
+        if (matched.length > 0) {
+            findings.push({
+                id: 'F009-02',
+                title: 'Data exfiltration pattern in hook',
+                description: `Hook "${hook.event}" contains data exfiltration pattern (CVE-2025-59536).`,
+                severity: 'critical',
+                tier: 'pro',
+                category: 'hooks',
+                remediation: `Remove suspicious data transfer commands from hook: ${hook.event}`,
+                evidence: `command: ${hook.command}`,
+            });
+        }
+    }
+    return findings;
+}
+// ─── F009-03: Reverse shell patterns ────────────────────────
+function checkF009_03_reverseShell(hooks) {
+    const findings = [];
+    for (const hook of hooks) {
+        const matched = REVERSE_SHELL_PATTERNS.filter((p) => p.test(hook.command));
+        if (matched.length > 0) {
+            findings.push({
+                id: 'F009-03',
+                title: 'Reverse shell pattern in hook',
+                description: `Hook "${hook.event}" contains reverse shell pattern. Remote access backdoor detected.`,
+                severity: 'critical',
+                tier: 'pro',
+                category: 'hooks',
+                remediation: `Remove reverse shell commands from hook: ${hook.event}`,
+                evidence: `command: ${hook.command}`,
+            });
+        }
+    }
+    return findings;
+}
+// ─── F009-04: File deletion ─────────────────────────────────
+function checkF009_04_fileDeletion(hooks) {
+    const findings = [];
+    for (const hook of hooks) {
+        const matched = FILE_DELETE_PATTERNS.filter((p) => p.test(hook.command));
+        if (matched.length > 0) {
+            findings.push({
+                id: 'F009-04',
+                title: 'Destructive file operation in hook',
+                description: `Hook "${hook.event}" contains file deletion commands. Data destruction risk.`,
+                severity: 'medium',
+                tier: 'pro',
+                category: 'hooks',
+                remediation: `Review and restrict file deletion in hook: ${hook.event}`,
+                evidence: `command: ${hook.command}`,
+            });
+        }
+    }
+    return findings;
+}
+// ─── F009-05: Environment variable reading ──────────────────
+function checkF009_05_envVarReading(hooks) {
+    const findings = [];
+    for (const hook of hooks) {
+        const matched = ENV_READ_PATTERNS.filter((p) => p.test(hook.command));
+        if (matched.length > 0) {
+            findings.push({
+                id: 'F009-05',
+                title: 'Environment variable access in hook',
+                description: `Hook "${hook.event}" reads environment variables. Credential collection risk.`,
+                severity: 'medium',
+                tier: 'pro',
+                category: 'hooks',
+                remediation: `Remove or restrict env var access in hook: ${hook.event}`,
+                evidence: `command: ${hook.command}`,
+            });
+        }
+    }
+    return findings;
+}
+// ─── F009-06: Repository-level hooks ────────────────────────
+function checkF009_06_repoLevelHooks(settings) {
+    const findings = [];
+    const projectSettings = settings.filter((s) => s.isProjectLevel && s.exists);
+    for (const s of projectSettings) {
+        const hooksObj = s.raw.hooks;
+        if (typeof hooksObj === 'object' && hooksObj !== null) {
+            const hookEntries = Object.entries(hooksObj);
+            const hookCount = hookEntries.reduce((count, [, handlers]) => {
+                return count + (Array.isArray(handlers) ? handlers.length : 0);
+            }, 0);
+            if (hookCount > 0) {
+                findings.push({
+                    id: 'F009-06',
+                    title: 'Hooks defined in project-level settings',
+                    description: `${hookCount} hook(s) in project settings auto-execute on all collaborator machines. Lateral movement risk.`,
+                    severity: 'medium',
+                    tier: 'pro',
+                    category: 'hooks',
+                    remediation: 'Move hooks to user-level settings or review project hooks in ' + s.filePath,
+                    evidence: `${s.filePath}: ${hookCount} hook(s) defined`,
+                });
+            }
+        }
+    }
+    return findings;
+}
+// ─── F009-07: Obfuscated commands (MVP) ─────────────────────
+function checkF009_07_obfuscatedCommands(hooks) {
+    const findings = [];
+    for (const hook of hooks) {
+        const matched = OBFUSCATION_PATTERNS.filter((p) => p.test(hook.command));
+        if (matched.length > 0) {
+            findings.push({
+                id: 'F009-07',
+                title: 'Obfuscated command in hook',
+                description: `Hook "${hook.event}" contains obfuscated command (base64+eval). Detection evasion attempt.`,
+                severity: 'critical',
+                tier: 'pro',
+                category: 'hooks',
+                remediation: `Remove obfuscated commands from hook: ${hook.event}. Replace with plain-text equivalents.`,
+                evidence: `command: ${hook.command}`,
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=hooks.js.map

package/dist/auditor/checks/hooks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.js","sourceRoot":"","sources":["../../../src/auditor/checks/hooks.ts"],"names":[],"mappings":";AAAA,+DAA+D;;AAoF/D,gCAeC;AA9FD,+DAA+D;AAC/D,MAAM,gBAAgB,GAAG;IACvB,WAAW;IACX,WAAW;IACX,QAAQ;IACR,WAAW;IACX,aAAa;IACb,wBAAwB;IACxB,YAAY;IACZ,aAAa;IACb,cAAc;CACf,CAAC;AAEF,+DAA+D;AAC/D,MAAM,cAAc,GAAG;IACrB,kBAAkB,EAAsB,uBAAuB;IAC/D,oCAAoC,EAAG,gBAAgB;IACvD,gCAAgC,EAAO,gBAAgB;IACvD,mBAAmB,EAAoB,4BAA4B;IACnE,kBAAkB,EAAsB,aAAa;IACrD,oBAAoB,EAAoB,8BAA8B;IACtE,YAAY,EAA4B,gBAAgB;CACzD,CAAC;AAEF,+DAA+D;AAC/D,MAAM,sBAAsB,GAAG;IAC7B,eAAe,EAAyB,wBAAwB;IAChE,+BAA+B,EAAQ,uBAAuB;IAC9D,aAAa,EAA2B,kBAAkB;IAC1D,iBAAiB,EAAuB,UAAU;IAClD,wBAAwB,EAAe,qBAAqB;IAC5D,yBAAyB,EAAc,iBAAiB;IACxD,0BAA0B,EAAa,uBAAuB;IAC9D,gBAAgB,EAAwB,cAAc;IACtD,oBAAoB,EAAmB,oBAAoB;CAC5D,CAAC;AAEF,+DAA+D;AAC/D,MAAM,oBAAoB,GAAG;IAC3B,0BAA0B,EAAa,SAAS;IAChD,0BAA0B,EAAa,SAAS;IAChD,kBAAkB,EAAsB,mBAAmB;IAC3D,WAAW,EAA6B,QAAQ;IAChD,oBAAoB,EAAoB,qBAAqB;IAC7D,oBAAoB,EAAmB,gBAAgB;CACxD,CAAC;AAEF,+DAA+D;AAC/D,MAAM,iBAAiB,GAAG;IACxB,iBAAiB,EAAuB,+BAA+B;IACvE,cAAc,EAA0B,WAAW;IACnD,uBAAuB,EAAiB,uBAAuB;IAC/D,oBAAoB;IACpB,oBAAoB;IACpB,2BAA2B;IAC3B,kBAAkB;IAClB,cAAc,EAA0B,wBAAwB;IAChE,iBAAiB,EAAuB,wBAAwB;CACjE,CAAC;AAEF,+DAA+D;AAC/D,MAAM,oBAAoB,GAAG;IAC3B,oCAAoC,EAAI,iBAAiB;IACzD,0CAA0C;IAC1C,eAAe,EAA0B,cAAc;IACvD,iBAAiB,EAAyB,gBAAgB;IAC1D,wBAAwB,EAAgB,uBAAuB;IAC/D,+CAA+C;CAChD,CAAC;AAOF;;;GAGG;AACH,SAAgB,UAAU,CAAC,GAAiB;IAC1C,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;IAEhC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAExC,QAAQ,CAAC,IAAI,CAAC,GAAG,4BAA4B,CAAC,KAAK,CAAC,CAAC,CAAC;IACtD,QAAQ,CAAC,IAAI,CAAC,GAAG,6BAA6B,CAAC,KAAK,CAAC,CAAC,CAAC;IACvD,QAAQ,CAAC,IAAI,CAAC,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,IAAI,CAAC,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,IAAI,CAAC,GAAG,0BAA0B,CAAC,KAAK,CAAC,CAAC,CAAC;IACpD,QAAQ,CAAC,IAAI,CAAC,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,+BAA+B,CAAC,KAAK,CAAC,CAAC,CAAC;IAEzD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,4BAA4B,CAAC,KAAmB;IACvD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACrE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,iCAAiC;gBACxC,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,8DAA8D;gBAC9F,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,iDAAiD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC9H,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,EAAE;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,6BAA6B,CAAC,KAAmB;IACxD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACnE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,mCAAmC;gBAC1C,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,wDAAwD;gBACxF,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,uDAAuD,IAAI,CAAC,KAAK,EAAE;gBAChF,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,EAAE;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,yBAAyB,CAAC,KAAmB;IACpD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3E,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,+BAA+B;gBACtC,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,oEAAoE;gBACpG,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,4CAA4C,IAAI,CAAC,KAAK,EAAE;gBACrE,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,EAAE;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,yBAAyB,CAAC,KAAmB;IACpD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACzE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,oCAAoC;gBAC3C,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,2DAA2D;gBAC3F,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,8CAA8C,IAAI,CAAC,KAAK,EAAE;gBACvE,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,EAAE;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,0BAA0B,CAAC,KAAmB;IACrD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACtE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,qCAAqC;gBAC5C,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,4DAA4D;gBAC5F,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,8CAA8C,IAAI,CAAC,KAAK,EAAE;gBACvE,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,EAAE;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,2BAA2B,CAAC,QAAwB;IAC3D,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;IAC7E,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QAC7B,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtD,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,QAAmC,CAAC,CAAC;YACxE,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE;gBAC3D,OAAO,KAAK,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACjE,CAAC,EAAE,CAAC,CAAC,CAAC;YAEN,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBAClB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,SAAS;oBACb,KAAK,EAAE,yCAAyC;oBAChD,WAAW,EAAE,GAAG,SAAS,gGAAgG;oBACzH,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,KAAK;oBACX,QAAQ,EAAE,OAAO;oBACjB,WAAW,EAAE,+DAA+D,GAAG,CAAC,CAAC,QAAQ;oBACzF,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,KAAK,SAAS,kBAAkB;iBACxD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+DAA+D;AAC/D,SAAS,+BAA+B,CAAC,KAAmB;IAC1D,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACzE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,4BAA4B;gBACnC,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,yEAAyE;gBACzG,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,yCAAyC,IAAI,CAAC,KAAK,wCAAwC;gBACxG,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,EAAE;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/auditor/engine.d.ts

@@ -0,0 +1,7 @@
+import type { AuditConfig, AuditResult } from '../types/audit.js';
+import type { FeatureGate } from '../license/types.js';
+export declare class AuditFailedError extends Error {
+    constructor(message: string);
+}
+export declare function audit(config: AuditConfig, gate: FeatureGate): Promise<AuditResult>;
+//# sourceMappingURL=engine.d.ts.map

package/dist/auditor/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/auditor/engine.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAA4B,MAAM,mBAAmB,CAAC;AAC5F,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAKvD,qBAAa,gBAAiB,SAAQ,KAAK;gBAC7B,OAAO,EAAE,MAAM;CAI5B;AAmDD,wBAAsB,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAgFxF"}

package/dist/auditor/engine.js

@@ -0,0 +1,183 @@
+"use strict";
+// ─── Audit Engine ───────────────────────────────────────────
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditFailedError = void 0;
+exports.audit = audit;
+const crypto = __importStar(require("node:crypto"));
+const claude_code_js_1 = require("./providers/claude-code.js");
+const environment_js_1 = require("./checks/environment.js");
+const hooks_js_1 = require("./checks/hooks.js");
+class AuditFailedError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'AuditFailedError';
+    }
+}
+exports.AuditFailedError = AuditFailedError;
+function calculateScore(findings) {
+    let deductions = 0;
+    let envDeductions = 0;
+    let hookDeductions = 0;
+    for (const f of findings) {
+        let points = 0;
+        switch (f.severity) {
+            case 'critical':
+                points = 25;
+                break;
+            case 'high':
+                points = 15;
+                break;
+            case 'medium':
+                points = 10;
+                break;
+            case 'low':
+                points = 5;
+                break;
+            case 'info':
+                points = 0;
+                break;
+        }
+        deductions += points;
+        if (f.category === 'environment')
+            envDeductions += points;
+        if (f.category === 'hooks')
+            hookDeductions += points;
+    }
+    const total = Math.max(0, 100 - deductions);
+    let grade;
+    if (findings.some((f) => f.severity === 'critical'))
+        grade = 'F';
+    else if (total >= 90)
+        grade = 'A';
+    else if (total >= 80)
+        grade = 'B';
+    else if (total >= 70)
+        grade = 'C';
+    else if (total >= 60)
+        grade = 'D';
+    else if (total >= 50)
+        grade = 'E';
+    else
+        grade = 'F';
+    return {
+        total,
+        grade,
+        breakdown: {
+            environment: Math.max(0, 50 - envDeductions),
+            hooks: Math.max(0, 50 - hookDeductions),
+        },
+    };
+}
+function computeSettingsHash(settings) {
+    const combined = settings
+        .filter((s) => Object.keys(s.raw).length > 0)
+        .map((s) => JSON.stringify(s.raw))
+        .join('|');
+    if (!combined)
+        return '';
+    return crypto.createHash('sha256').update(combined).digest('hex');
+}
+async function audit(config, gate) {
+    const projectDir = config.projectDir ?? process.cwd();
+    const provider = new claude_code_js_1.ClaudeCodeProvider(projectDir);
+    // 1. Detect environment
+    const detected = await provider.detectEnvironment();
+    // 2. Gather data
+    const settings = await provider.getSettings();
+    const settingsHash = computeSettingsHash(settings);
+    if (!detected) {
+        // No Claude Code environment found — perfect score
+        const emptyScore = calculateScore([]);
+        return {
+            environment: [],
+            hooks: [],
+            score: emptyScore,
+            summary: {
+                total: 0,
+                critical: 0,
+                high: 0,
+                medium: 0,
+                low: 0,
+                info: 0,
+                freeVisible: 0,
+                proOnly: 0,
+            },
+            settingsHash,
+            scannedAt: new Date().toISOString(),
+            projectDir,
+        };
+    }
+    // 3. Collect provider data
+    const hooks = await provider.getHooks();
+    const envFiles = await provider.getEnvFiles();
+    const instructionFiles = await provider.getInstructionFiles();
+    // 4. F008 environment checks (9 items)
+    const envFindings = (0, environment_js_1.checkEnvironment)(settings, envFiles, instructionFiles, projectDir);
+    // 5. F009 hooks checks (7 items)
+    const hookFindings = (0, hooks_js_1.checkHooks)({ hooks, settings });
+    // 6. Combine all findings (before gate filtering)
+    const allFindings = [...envFindings, ...hookFindings];
+    // 7. Score based on ALL findings (Free users see real score → conversion trigger)
+    const score = calculateScore(allFindings);
+    // 8. Gate filtering for visible results
+    const visibleEnv = gate.canAuditFull
+        ? envFindings
+        : envFindings.filter((f) => f.tier === 'free');
+    const visibleHooks = gate.canAuditHooks
+        ? hookFindings
+        : [];
+    // 9. Summary based on ALL findings (not just visible)
+    const summary = {
+        total: allFindings.length,
+        critical: allFindings.filter((f) => f.severity === 'critical').length,
+        high: allFindings.filter((f) => f.severity === 'high').length,
+        medium: allFindings.filter((f) => f.severity === 'medium').length,
+        low: allFindings.filter((f) => f.severity === 'low').length,
+        info: allFindings.filter((f) => f.severity === 'info').length,
+        freeVisible: allFindings.filter((f) => f.tier === 'free').length,
+        proOnly: allFindings.filter((f) => f.tier === 'pro').length,
+    };
+    return {
+        environment: visibleEnv,
+        hooks: visibleHooks,
+        score,
+        summary,
+        settingsHash,
+        scannedAt: new Date().toISOString(),
+        projectDir,
+    };
+}
+//# sourceMappingURL=engine.js.map

package/dist/auditor/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/auditor/engine.ts"],"names":[],"mappings":";AAAA,+DAA+D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiE/D,sBAgFC;AA/ID,oDAAsC;AAGtC,+DAAgE;AAChE,4DAA2D;AAC3D,gDAA+C;AAE/C,MAAa,gBAAiB,SAAQ,KAAK;IACzC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AALD,4CAKC;AAED,SAAS,cAAc,CAAC,QAAwB;IAC9C,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;YACnB,KAAK,UAAU;gBAAE,MAAM,GAAG,EAAE,CAAC;gBAAC,MAAM;YACpC,KAAK,MAAM;gBAAM,MAAM,GAAG,EAAE,CAAC;gBAAC,MAAM;YACpC,KAAK,QAAQ;gBAAI,MAAM,GAAG,EAAE,CAAC;gBAAC,MAAM;YACpC,KAAK,KAAK;gBAAO,MAAM,GAAG,CAAC,CAAC;gBAAE,MAAM;YACpC,KAAK,MAAM;gBAAM,MAAM,GAAG,CAAC,CAAC;gBAAE,MAAM;QACtC,CAAC;QACD,UAAU,IAAI,MAAM,CAAC;QACrB,IAAI,CAAC,CAAC,QAAQ,KAAK,aAAa;YAAE,aAAa,IAAI,MAAM,CAAC;QAC1D,IAAI,CAAC,CAAC,QAAQ,KAAK,OAAO;YAAE,cAAc,IAAI,MAAM,CAAC;IACvD,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC,CAAC;IAE5C,IAAI,KAA0B,CAAC;IAC/B,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;QAAE,KAAK,GAAG,GAAG,CAAC;SAC5D,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;SAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;SAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;SAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;SAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;;QAC7B,KAAK,GAAG,GAAG,CAAC;IAEjB,OAAO;QACL,KAAK;QACL,KAAK;QACL,SAAS,EAAE;YACT,WAAW,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,GAAG,aAAa,CAAC;YAC5C,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,GAAG,cAAc,CAAC;SACxC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAiD;IAC5E,MAAM,QAAQ,GAAG,QAAQ;SACtB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;SAC5C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;SACjC,IAAI,CAAC,GAAG,CAAC,CAAC;IACb,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IACzB,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAEM,KAAK,UAAU,KAAK,CAAC,MAAmB,EAAE,IAAiB;IAChE,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACtD,MAAM,QAAQ,GAAG,IAAI,mCAAkB,CAAC,UAAU,CAAC,CAAC;IAEpD,wBAAwB;IACxB,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAC;IAEpD,iBAAiB;IACjB,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC9C,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAEnD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,mDAAmD;QACnD,MAAM,UAAU,GAAG,cAAc,CAAC,EAAE,CAAC,CAAC;QACtC,OAAO;YACL,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE;gBACP,KAAK,EAAE,CAAC;gBACR,QAAQ,EAAE,CAAC;gBACX,IAAI,EAAE,CAAC;gBACP,MAAM,EAAE,CAAC;gBACT,GAAG,EAAE,CAAC;gBACN,IAAI,EAAE,CAAC;gBACP,WAAW,EAAE,CAAC;gBACd,OAAO,EAAE,CAAC;aACX;YACD,YAAY;YACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU;SACX,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;IACxC,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC9C,MAAM,gBAAgB,GAAG,MAAM,QAAQ,CAAC,mBAAmB,EAAE,CAAC;IAE9D,uCAAuC;IACvC,MAAM,WAAW,GAAmB,IAAA,iCAAgB,EAAC,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,CAAC,CAAC;IAEvG,iCAAiC;IACjC,MAAM,YAAY,GAAmB,IAAA,qBAAU,EAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAErE,kDAAkD;IAClD,MAAM,WAAW,GAAG,CAAC,GAAG,WAAW,EAAE,GAAG,YAAY,CAAC,CAAC;IAEtD,kFAAkF;IAClF,MAAM,KAAK,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAE1C,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY;QAClC,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa;QACrC,CAAC,CAAC,YAAY;QACd,CAAC,CAAC,EAAE,CAAC;IAEP,sDAAsD;IACtD,MAAM,OAAO,GAAG;QACd,KAAK,EAAE,WAAW,CAAC,MAAM;QACzB,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QACrE,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QAC7D,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;QACjE,GAAG,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;QAC3D,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QAC7D,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,MAAM;QAChE,OAAO,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,MAAM;KAC5D,CAAC;IAEF,OAAO;QACL,WAAW,EAAE,UAAU;QACvB,KAAK,EAAE,YAAY;QACnB,KAAK;QACL,OAAO;QACP,YAAY;QACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU;KACX,CAAC;AACJ,CAAC"}

package/dist/auditor/providers/claude-code.d.ts

@@ -0,0 +1,17 @@
+import type { AuditProvider, ToolSettings, HookConfig, EnvFileInfo, InstructionFileInfo } from './types.js';
+export declare class ClaudeCodeProvider implements AuditProvider {
+    readonly name = "claude-code";
+    private readonly projectDir;
+    private readonly homeDir;
+    constructor(projectDir?: string);
+    private getSettingsFiles;
+    private getEnvFilePaths;
+    private getInstructionPaths;
+    private safeReadJson;
+    detectEnvironment(): Promise<boolean>;
+    getSettings(): Promise<ToolSettings[]>;
+    getHooks(): Promise<HookConfig[]>;
+    getEnvFiles(): Promise<EnvFileInfo[]>;
+    getInstructionFiles(): Promise<InstructionFileInfo[]>;
+}
+//# sourceMappingURL=claude-code.d.ts.map

package/dist/auditor/providers/claude-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-code.d.ts","sourceRoot":"","sources":["../../../src/auditor/providers/claude-code.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EACZ,UAAU,EACV,WAAW,EACX,mBAAmB,EACpB,MAAM,YAAY,CAAC;AAOpB,qBAAa,kBAAmB,YAAW,aAAa;IACtD,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,UAAU,CAAC,EAAE,MAAM;IAK/B,OAAO,CAAC,gBAAgB;IASxB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,YAAY;IAad,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC;IAUrC,WAAW,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IAmBtC,QAAQ,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IA0BjC,WAAW,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;IAqBrC,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;CAc5D"}

package/dist/auditor/providers/claude-code.js

@@ -0,0 +1,176 @@
+"use strict";
+// ─── Claude Code Audit Provider ─────────────────────────────
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClaudeCodeProvider = void 0;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const os = __importStar(require("node:os"));
+class ClaudeCodeProvider {
+    name = 'claude-code';
+    projectDir;
+    homeDir;
+    constructor(projectDir) {
+        this.projectDir = projectDir ?? process.cwd();
+        this.homeDir = os.homedir();
+    }
+    getSettingsFiles() {
+        return [
+            { filePath: path.join(this.homeDir, '.claude', 'settings.json'), isProjectLevel: false },
+            { filePath: path.join(this.homeDir, '.claude.json'), isProjectLevel: false },
+            { filePath: path.join(this.projectDir, '.claude', 'settings.json'), isProjectLevel: true },
+            { filePath: path.join(this.projectDir, '.claude', 'settings.local.json'), isProjectLevel: true },
+        ];
+    }
+    getEnvFilePaths() {
+        return [
+            path.join(this.projectDir, '.env'),
+            path.join(this.projectDir, '.env.local'),
+        ];
+    }
+    getInstructionPaths() {
+        return [
+            path.join(this.projectDir, 'CLAUDE.md'),
+            path.join(this.projectDir, '.claude', 'CLAUDE.md'),
+        ];
+    }
+    safeReadJson(filePath) {
+        try {
+            const raw = fs.readFileSync(filePath, 'utf-8');
+            const parsed = JSON.parse(raw);
+            if (typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)) {
+                return parsed;
+            }
+            return {};
+        }
+        catch {
+            return {};
+        }
+    }
+    async detectEnvironment() {
+        // Primary signals: .claude/ directory or CLAUDE.md — these are Claude Code specific.
+        // .env alone is NOT sufficient (every Node project has .env).
+        const primaryPaths = [
+            ...this.getSettingsFiles().map((s) => s.filePath),
+            ...this.getInstructionPaths(),
+        ];
+        return primaryPaths.some((p) => fs.existsSync(p));
+    }
+    async getSettings() {
+        const results = [];
+        for (const spec of this.getSettingsFiles()) {
+            const exists = fs.existsSync(spec.filePath);
+            const raw = exists ? this.safeReadJson(spec.filePath) : {};
+            const permissions = (typeof raw.permissions === 'object' && raw.permissions !== null)
+                ? raw.permissions
+                : {};
+            results.push({
+                permissions,
+                raw,
+                exists,
+                isProjectLevel: spec.isProjectLevel,
+                filePath: spec.filePath,
+            });
+        }
+        return results;
+    }
+    async getHooks() {
+        const hooks = [];
+        for (const spec of this.getSettingsFiles()) {
+            if (!fs.existsSync(spec.filePath))
+                continue;
+            const raw = this.safeReadJson(spec.filePath);
+            const hooksObj = raw.hooks;
+            if (typeof hooksObj !== 'object' || hooksObj === null)
+                continue;
+            // hooks structure: { "PreToolUse": [{ "matcher": "...", "command": "..." }], ... }
+            for (const [event, handlers] of Object.entries(hooksObj)) {
+                if (!Array.isArray(handlers))
+                    continue;
+                for (const handler of handlers) {
+                    if (typeof handler !== 'object' || handler === null)
+                        continue;
+                    const h = handler;
+                    if (typeof h.command !== 'string')
+                        continue;
+                    hooks.push({
+                        event,
+                        matcher: typeof h.matcher === 'string' ? h.matcher : undefined,
+                        command: h.command,
+                    });
+                }
+            }
+        }
+        return hooks;
+    }
+    async getEnvFiles() {
+        return this.getEnvFilePaths().map((filePath) => {
+            const exists = fs.existsSync(filePath);
+            let keys = [];
+            if (exists) {
+                try {
+                    const content = fs.readFileSync(filePath, 'utf-8');
+                    keys = content
+                        .split('\n')
+                        .map((line) => line.trim())
+                        .filter((line) => line && !line.startsWith('#'))
+                        .map((line) => line.split('=')[0].trim())
+                        .filter((key) => key.length > 0);
+                }
+                catch {
+                    // ignore read errors
+                }
+            }
+            return { filePath, exists, keys };
+        });
+    }
+    async getInstructionFiles() {
+        return this.getInstructionPaths().map((filePath) => {
+            const exists = fs.existsSync(filePath);
+            let sizeBytes = 0;
+            if (exists) {
+                try {
+                    sizeBytes = fs.statSync(filePath).size;
+                }
+                catch {
+                    // ignore stat errors
+                }
+            }
+            return { filePath, exists, sizeBytes };
+        });
+    }
+}
+exports.ClaudeCodeProvider = ClaudeCodeProvider;
+//# sourceMappingURL=claude-code.js.map

package/dist/auditor/providers/claude-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-code.js","sourceRoot":"","sources":["../../../src/auditor/providers/claude-code.ts"],"names":[],"mappings":";AAAA,+DAA+D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAE/D,4CAA8B;AAC9B,gDAAkC;AAClC,4CAA8B;AAc9B,MAAa,kBAAkB;IACpB,IAAI,GAAG,aAAa,CAAC;IACb,UAAU,CAAS;IACnB,OAAO,CAAS;IAEjC,YAAY,UAAmB;QAC7B,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9C,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAC9B,CAAC;IAEO,gBAAgB;QACtB,OAAO;YACL,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,eAAe,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE;YACxF,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE;YAC5E,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,eAAe,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE;YAC1F,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,qBAAqB,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE;SACjG,CAAC;IACJ,CAAC;IAEO,eAAe;QACrB,OAAO;YACL,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC;YAClC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC;SACzC,CAAC;IACJ,CAAC;IAEO,mBAAmB;QACzB,OAAO;YACL,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC;SACnD,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,QAAgB;QACnC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5E,OAAO,MAAiC,CAAC;YAC3C,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,qFAAqF;QACrF,8DAA8D;QAC9D,MAAM,YAAY,GAAG;YACnB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;YACjD,GAAG,IAAI,CAAC,mBAAmB,EAAE;SAC9B,CAAC;QACF,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,OAAO,GAAmB,EAAE,CAAC;QACnC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,MAAM,WAAW,GAAG,CAAC,OAAO,GAAG,CAAC,WAAW,KAAK,QAAQ,IAAI,GAAG,CAAC,WAAW,KAAK,IAAI,CAAC;gBACnF,CAAC,CAAC,GAAG,CAAC,WAAsC;gBAC5C,CAAC,CAAC,EAAE,CAAC;YACP,OAAO,CAAC,IAAI,CAAC;gBACX,WAAW;gBACX,GAAG;gBACH,MAAM;gBACN,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC,CAAC;QACL,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,MAAM,KAAK,GAAiB,EAAE,CAAC;QAC/B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;YAC3C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7C,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC;YAC3B,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI;gBAAE,SAAS;YAEhE,mFAAmF;YACnF,KAAK,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAmC,CAAC,EAAE,CAAC;gBACpF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACvC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;oBAC/B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;wBAAE,SAAS;oBAC9D,MAAM,CAAC,GAAG,OAAkC,CAAC;oBAC7C,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;wBAAE,SAAS;oBAC5C,KAAK,CAAC,IAAI,CAAC;wBACT,KAAK;wBACL,OAAO,EAAE,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;wBAC9D,OAAO,EAAE,CAAC,CAAC,OAAO;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC7C,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,IAAI,GAAa,EAAE,CAAC;YACxB,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBACnD,IAAI,GAAG,OAAO;yBACX,KAAK,CAAC,IAAI,CAAC;yBACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;yBAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;yBAC/C,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;yBACxC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACrC,CAAC;gBAAC,MAAM,CAAC;oBACP,qBAAqB;gBACvB,CAAC;YACH,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,mBAAmB;QACvB,OAAO,IAAI,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;YACjD,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,SAAS,GAAG,CAAC,CAAC;YAClB,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,SAAS,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC;gBACzC,CAAC;gBAAC,MAAM,CAAC;oBACP,qBAAqB;gBACvB,CAAC;YACH,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAxID,gDAwIC"}