safecrab 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Safecrab Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,220 @@
+# 🦀 Safecrab
+
+**Security scanner for Linux VPS environments** — Detect accidental service exposure and false security assumptions.
+
+> "It's the eslint of server exposure."
+
+Safecrab is a **read-only** CLI tool that reveals the truth about what services are actually reachable on your Linux VPS, even when you think they're protected by tunnels, VPNs, or firewalls.
+
+## What It Does
+
+Safecrab answers the critical question:
+
+> **"What services are reachable, from where, and why?"**
+
+Not just "Is the firewall enabled?"
+
+### Key Features
+
+- 🔍 **Detects listening services** (via `ss -tulnp`)
+- 🌐 **Identifies exposure paths**: public internet, Tailscale, Cloudflare Tunnel, localhost
+- 🚨 **Finds tunnel bypass scenarios**: When services are exposed publicly *despite* having tunnels
+- 🤖 **Escalates AI/ML services**: Automatically treats exposed AI servers as critical risks
+- 📊 **Beautiful terminal UI**: Clear, calm explanations without jargon
+- 🔒 **100% read-only**: Makes zero system changes
+
+## Installation
+
+```bash
+npm install -g safecrab
+```
+
+Or use directly with `npx`:
+
+```bash
+npx safecrab scan
+```
+
+## Usage
+
+```bash
+safecrab scan
+```
+
+For best visibility, run with root privileges:
+
+```bash
+sudo safecrab scan
+```
+
+> **Note**: Running without root may hide some services. Safecrab will warn you but continue with best-effort scanning.
+
+## Example Output
+
+```
+🦀 Safecrab Security Scan
+
+Summary:
+  → 5 services detected
+  → 2 publicly reachable
+  → 1 critical issues
+
+CRITICAL
+✖ Tunnel bypass detected
+  Port 3000 (ollama) is accessible via both Cloudflare Tunnel and directly
+  from the public internet. The tunnel does not protect this service.
+
+  Recommendation:
+    Bind the service to localhost (127.0.0.1) or restrict access via firewall
+    to ensure traffic only flows through the tunnel.
+
+WARNINGS
+⚠ Service exposed to public internet
+  Port 22 (sshd) is accessible from the public internet.
+
+  Recommendation:
+    Verify this service should be publicly accessible. If not, bind to
+    localhost or use firewall rules.
+
+INFO
+✔ Firewall is enabled
+  UFW firewall is active with default inbound policy: deny.
+
+✔ Tailscale is connected
+  Tailscale VPN is active and available for secure access.
+
+No changes were made to your system.
+```
+
+## Who Is This For?
+
+Safecrab is designed for:
+
+- **Developers** running AI models, APIs, or dev servers on VPS instances
+- **Self-hosters** managing services like Ollama, Jupyter, or internal dashboards
+- **Security-conscious users** who want visibility without complexity
+- **Anyone** who has ever said: *"Oh wow, I thought this was private."*
+
+## Common Scenarios Detected
+
+### 1. Tunnel Bypass (Critical)
+
+You set up a Cloudflare Tunnel but forgot to bind your service to localhost. **Safecrab detects both paths** and warns you.
+
+### 2. Exposed AI Services (Critical)
+
+Ollama, LLaMA, Python servers, Node.js apps exposed to the public internet are automatically escalated to critical severity.
+
+### 3. Tailscale Available But Unused (Warning)
+
+You have Tailscale connected but services are still publicly accessible instead of using the VPN.
+
+### 4. SSH Without Firewall (Warning)
+
+SSH port 22 is reachable from the public internet without firewall protection.
+
+## What Safecrab Does NOT Do
+
+- ❌ Modify system configuration
+- ❌ Change firewall rules
+- ❌ Restart services
+- ❌ Require credentials
+- ❌ Make network requests
+- ❌ Write any files
+
+**Safecrab is 100% read-only.** It only observes and reports.
+
+## How It Works
+
+1. **Collects system facts**: Network interfaces, listening services, firewall status
+2. **Detects security context**: Tailscale, Cloudflare Tunnel, UFW status
+3. **Resolves exposure paths**: Determines which services are reachable from where
+4. **Applies risk heuristics**: Categorizes findings by severity
+5. **Renders human-readable report**: Beautiful terminal output with clear explanations
+
+## Exit Codes
+
+- `0` — No critical issues found
+- `1` — Critical security issues detected
+
+Use in scripts:
+
+```bash
+safecrab scan
+if [ $? -eq 1 ]; then
+  echo "Critical security issues found!"
+  exit 1
+fi
+```
+
+## System Requirements
+
+- **OS**: Linux (Ubuntu, Debian, or similar)
+- **Runtime**: Node.js 20 or later
+- **Commands**: `ss`, `ip` (standard on most Linux systems)
+- **Optional**: `ufw`, `tailscale`, `cloudflared` for enhanced detection
+
+## Development
+
+```bash
+# Clone the repository
+git clone https://github.com/isacssw/safecrab.git
+cd safecrab
+
+# Install dependencies
+npm install
+
+# Build
+npm run build
+
+# Run tests
+npm test
+
+# Run locally
+npm run build && node dist/cli/index.js scan
+```
+
+## Architecture
+
+```
+safecrab/
+├── src/
+│   ├── system/      # Layer 1: Raw system facts
+│   ├── engine/      # Layer 2: Interpreted truth
+│   └── ui/          # Layer 3: Human presentation
+```
+
+See the [project specification](SPEC.md) for detailed architecture.
+
+## Philosophy
+
+> **"Safecrab does not enforce security. It reveals truth."**
+
+Safecrab helps you understand your actual security posture, not your assumed security posture. Enforcement comes later — first, you need visibility.
+
+## Roadmap
+
+**MVP (Current)**: Read-only scanning with beautiful terminal output
+
+**Post-MVP**:
+- JSON output for CI/CD integration
+- Automated fix suggestions
+- Config file support
+- GitHub Actions integration
+- Single binary distribution
+
+## Contributing
+
+Contributions are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+## License
+
+MIT
+
+## Credits
+
+Built with love for the self-hosting and security-conscious community.
+
+---
+
+**If you found a service you didn't know was exposed, Safecrab succeeded.** ✨

package/dist/cli/commands/scan.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Scan command - orchestrates the security scan
+ */
+export declare function scanCommand(): Promise<void>;
+//# sourceMappingURL=scan.d.ts.map

package/dist/cli/commands/scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,wBAAsB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,CA2CjD"}

package/dist/cli/commands/scan.js

@@ -0,0 +1,47 @@
+/**
+ * Scan command - orchestrates the security scan
+ */
+import ora from "ora";
+import { buildNetworkContext } from "../../engine/context.js";
+import { resolveAllExposures } from "../../engine/exposure.js";
+import { analyzeExposures } from "../../engine/heuristics.js";
+import { collectListeningServices } from "../../system/collectors/services.js";
+import { getExitCode, renderReport } from "../../ui/renderer.js";
+export async function scanCommand() {
+    let spinner = ora("Detecting services...").start();
+    try {
+        // Step 1: Collect listening services
+        const services = await collectListeningServices();
+        spinner.succeed(`Found ${services.length} listening services`);
+        // Step 2: Build network context
+        spinner = ora("Analyzing network context...").start();
+        const context = await buildNetworkContext();
+        spinner.succeed("Network context analyzed");
+        // Step 3: Resolve exposure paths
+        spinner = ora("Evaluating exposure paths...").start();
+        const exposures = resolveAllExposures(services, context);
+        spinner.succeed("Exposure analysis complete");
+        // Step 4: Run risk heuristics
+        spinner = ora("Running security checks...").start();
+        const findings = analyzeExposures(exposures, context);
+        spinner.succeed("Security analysis complete");
+        spinner.stop();
+        // Step 5: Render report
+        const report = renderReport({ services, findings });
+        console.log(`\n${report}\n`);
+        // Step 6: Exit with appropriate code
+        const exitCode = getExitCode(findings);
+        process.exit(exitCode);
+    }
+    catch (error) {
+        spinner.fail("Scan failed");
+        if (error instanceof Error) {
+            console.error(`\nError: ${error.message}`);
+        }
+        else {
+            console.error("\nAn unknown error occurred");
+        }
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=scan.js.map

package/dist/cli/commands/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,wBAAwB,EAAE,MAAM,qCAAqC,CAAC;AAC/E,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,IAAI,OAAO,GAAG,GAAG,CAAC,uBAAuB,CAAC,CAAC,KAAK,EAAE,CAAC;IAEnD,IAAI,CAAC;QACH,qCAAqC;QACrC,MAAM,QAAQ,GAAG,MAAM,wBAAwB,EAAE,CAAC;QAClD,OAAO,CAAC,OAAO,CAAC,SAAS,QAAQ,CAAC,MAAM,qBAAqB,CAAC,CAAC;QAE/D,gCAAgC;QAChC,OAAO,GAAG,GAAG,CAAC,8BAA8B,CAAC,CAAC,KAAK,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,MAAM,mBAAmB,EAAE,CAAC;QAC5C,OAAO,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;QAE5C,iCAAiC;QACjC,OAAO,GAAG,GAAG,CAAC,8BAA8B,CAAC,CAAC,KAAK,EAAE,CAAC;QACtD,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACzD,OAAO,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;QAE9C,8BAA8B;QAC9B,OAAO,GAAG,GAAG,CAAC,4BAA4B,CAAC,CAAC,KAAK,EAAE,CAAC;QACpD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACtD,OAAO,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;QAE9C,OAAO,CAAC,IAAI,EAAE,CAAC;QAEf,wBAAwB;QACxB,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC;QAE7B,qCAAqC;QACrC,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QACvC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAE5B,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,OAAO,CAAC,KAAK,CAAC,YAAY,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+/**
+ * Safecrab CLI entry point
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA;;GAEG"}

package/dist/cli/index.js

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+/**
+ * Safecrab CLI entry point
+ */
+import { Command } from "commander";
+import { scanCommand } from "./commands/scan.js";
+const program = new Command();
+program
+    .name("safecrab")
+    .description("Security scanner for Linux VPS environments - detect accidental service exposure")
+    .version("0.1.0");
+program
+    .command("scan")
+    .description("Scan for exposed services and security issues")
+    .action(async () => {
+    await scanCommand();
+});
+// If no command specified, default to scan
+if (process.argv.length === 2) {
+    process.argv.push("scan");
+}
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,kFAAkF,CAAC;KAC/F,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,WAAW,EAAE,CAAC;AACtB,CAAC,CAAC,CAAC;AAEL,2CAA2C;AAC3C,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;IAC9B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC5B,CAAC;AAED,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/engine/context.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Build NetworkContext from system collectors
+ */
+import type { NetworkContext } from "./types.js";
+export declare function buildNetworkContext(): Promise<NetworkContext>;
+//# sourceMappingURL=context.d.ts.map

package/dist/engine/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../src/engine/context.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,cAAc,CAAC,CAyBnE"}

package/dist/engine/context.js

@@ -0,0 +1,33 @@
+/**
+ * Build NetworkContext from system collectors
+ */
+import { collectCloudflareStatus } from "../system/collectors/cloudflare.js";
+import { collectFirewallStatus } from "../system/collectors/firewall.js";
+import { collectNetworkInterfaces } from "../system/collectors/network.js";
+import { collectTailscaleStatus } from "../system/collectors/tailscale.js";
+export async function buildNetworkContext() {
+    // Run all collectors in parallel
+    const [interfaces, firewall, tailscale, cloudflare] = await Promise.all([
+        collectNetworkInterfaces(),
+        collectFirewallStatus(),
+        collectTailscaleStatus(),
+        collectCloudflareStatus(),
+    ]);
+    return {
+        firewall: {
+            enabled: firewall.enabled,
+            defaultInbound: firewall.defaultInbound,
+            statusKnown: firewall.statusKnown,
+        },
+        tailscale: {
+            installed: tailscale.installed,
+            connected: tailscale.connected,
+            interface: tailscale.interface,
+        },
+        cloudflare: {
+            tunnelDetected: cloudflare.tunnelDetected,
+        },
+        interfaces,
+    };
+}
+//# sourceMappingURL=context.js.map

package/dist/engine/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../../src/engine/context.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,uBAAuB,EAAE,MAAM,oCAAoC,CAAC;AAC7E,OAAO,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AACzE,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAC;AAG3E,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,iCAAiC;IACjC,MAAM,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACtE,wBAAwB,EAAE;QAC1B,qBAAqB,EAAE;QACvB,sBAAsB,EAAE;QACxB,uBAAuB,EAAE;KAC1B,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ,EAAE;YACR,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,WAAW,EAAE,QAAQ,CAAC,WAAW;SAClC;QACD,SAAS,EAAE;YACT,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,SAAS,EAAE,SAAS,CAAC,SAAS;SAC/B;QACD,UAAU,EAAE;YACV,cAAc,EAAE,UAAU,CAAC,cAAc;SAC1C;QACD,UAAU;KACX,CAAC;AACJ,CAAC"}

package/dist/engine/exposure.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Exposure resolution logic
+ * Determines which exposure paths each service has
+ */
+import type { ExposurePath, ListeningService, NetworkContext, ServiceExposure } from "./types.js";
+/**
+ * Resolve exposure paths for a listening service
+ *
+ * Logic:
+ * - 127.0.0.1 binding → localhost-only
+ * - Public interface + firewall allows → public-internet
+ * - tailscale0 interface → tailscale
+ * - Cloudflare tunnel detected → cloudflare-tunnel
+ *
+ * Multiple paths can coexist (e.g., tunnel + public = bypass)
+ */
+export declare function resolveExposure(service: ListeningService, context: NetworkContext): ExposurePath[];
+/**
+ * Resolve exposure for all services
+ */
+export declare function resolveAllExposures(services: ListeningService[], context: NetworkContext): ServiceExposure[];
+//# sourceMappingURL=exposure.d.ts.map

package/dist/engine/exposure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exposure.d.ts","sourceRoot":"","sources":["../../src/engine/exposure.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElG;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,gBAAgB,EACzB,OAAO,EAAE,cAAc,GACtB,YAAY,EAAE,CA6BhB;AAkED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,OAAO,EAAE,cAAc,GACtB,eAAe,EAAE,CAKnB"}

package/dist/engine/exposure.js

@@ -0,0 +1,100 @@
+/**
+ * Exposure resolution logic
+ * Determines which exposure paths each service has
+ */
+/**
+ * Resolve exposure paths for a listening service
+ *
+ * Logic:
+ * - 127.0.0.1 binding → localhost-only
+ * - Public interface + firewall allows → public-internet
+ * - tailscale0 interface → tailscale
+ * - Cloudflare tunnel detected → cloudflare-tunnel
+ *
+ * Multiple paths can coexist (e.g., tunnel + public = bypass)
+ */
+export function resolveExposure(service, context) {
+    const paths = [];
+    // Check if localhost only
+    if (isLocalhostOnly(service)) {
+        return ["localhost-only"];
+    }
+    // Check for Tailscale exposure
+    if (isTailscaleExposed(service, context)) {
+        paths.push("tailscale");
+    }
+    // Check for Cloudflare tunnel
+    if (context.cloudflare.tunnelDetected) {
+        paths.push("cloudflare-tunnel");
+    }
+    // Check for public internet exposure
+    if (isPublicExposed(service, context)) {
+        paths.push("public-internet");
+    }
+    // If no paths determined, assume localhost
+    if (paths.length === 0) {
+        return ["localhost-only"];
+    }
+    return paths;
+}
+/**
+ * Check if service is localhost-only
+ */
+function isLocalhostOnly(service) {
+    // Bound to localhost IP
+    if (service.boundIp === "127.0.0.1" ||
+        service.boundIp === "::1" ||
+        service.boundIp === "localhost") {
+        return true;
+    }
+    // Only bound to loopback interface
+    if (service.interfaces.length === 1 && service.interfaces[0] === "lo") {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if service is exposed via Tailscale
+ */
+function isTailscaleExposed(service, context) {
+    if (!context.tailscale.connected) {
+        return false;
+    }
+    const tailscaleInterface = context.tailscale.interface ?? "tailscale0";
+    // Service is bound to tailscale interface
+    return service.interfaces.includes(tailscaleInterface);
+}
+/**
+ * Check if service is exposed to public internet
+ */
+function isPublicExposed(service, context) {
+    // Check if bound to any public interface
+    const hasPublicInterface = service.interfaces.some((iface) => {
+        const interfaceInfo = context.interfaces.find((i) => i.name === iface);
+        return interfaceInfo?.isPublic ?? false;
+    });
+    if (!hasPublicInterface) {
+        return false;
+    }
+    // If firewall is enabled with deny default, service might be blocked
+    // However, we assume public exposure unless explicitly proven otherwise
+    // (conservative security assumption)
+    // If firewall explicitly allows all, definitely exposed
+    if (context.firewall.defaultInbound === "allow") {
+        return true;
+    }
+    // If firewall denies by default, still assume exposed
+    // (we can't determine specific rules without deep inspection)
+    // This is intentionally conservative
+    return true;
+}
+/**
+ * Resolve exposure for all services
+ */
+export function resolveAllExposures(services, context) {
+    return services.map((service) => ({
+        service,
+        paths: resolveExposure(service, context),
+    }));
+}
+//# sourceMappingURL=exposure.js.map

package/dist/engine/exposure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exposure.js","sourceRoot":"","sources":["../../src/engine/exposure.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAyB,EACzB,OAAuB;IAEvB,MAAM,KAAK,GAAmB,EAAE,CAAC;IAEjC,0BAA0B;IAC1B,IAAI,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC5B,CAAC;IAED,+BAA+B;IAC/B,IAAI,kBAAkB,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC1B,CAAC;IAED,8BAA8B;IAC9B,IAAI,OAAO,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAClC,CAAC;IAED,qCAAqC;IACrC,IAAI,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAChC,CAAC;IAED,2CAA2C;IAC3C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAyB;IAChD,wBAAwB;IACxB,IACE,OAAO,CAAC,OAAO,KAAK,WAAW;QAC/B,OAAO,CAAC,OAAO,KAAK,KAAK;QACzB,OAAO,CAAC,OAAO,KAAK,WAAW,EAC/B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAyB,EAAE,OAAuB;IAC5E,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,SAAS,IAAI,YAAY,CAAC;IAEvE,0CAA0C;IAC1C,OAAO,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAyB,EAAE,OAAuB;IACzE,yCAAyC;IACzC,MAAM,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3D,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC;QACvE,OAAO,aAAa,EAAE,QAAQ,IAAI,KAAK,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qEAAqE;IACrE,wEAAwE;IACxE,qCAAqC;IAErC,wDAAwD;IACxD,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sDAAsD;IACtD,8DAA8D;IAC9D,qCAAqC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAA4B,EAC5B,OAAuB;IAEvB,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChC,OAAO;QACP,KAAK,EAAE,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC;KACzC,CAAC,CAAC,CAAC;AACN,CAAC"}

package/dist/engine/heuristics.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Risk heuristics - composable security rules
+ * Each rule returns Finding | null
+ */
+import type { Finding, NetworkContext, ServiceExposure } from "./types.js";
+/**
+ * Run all heuristics on service exposures
+ * Returns findings sorted by severity (critical > warning > info)
+ */
+export declare function analyzeExposures(exposures: ServiceExposure[], context: NetworkContext): Finding[];
+//# sourceMappingURL=heuristics.d.ts.map

package/dist/engine/heuristics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"heuristics.d.ts","sourceRoot":"","sources":["../../src/engine/heuristics.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAmB,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE5F;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,eAAe,EAAE,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,EAAE,CA6BjG"}