scriptguard 1.0.0

package/dist/cli.js

@@ -0,0 +1,283 @@
+#!/usr/bin/env node
+"use strict";
+/** ScriptGuard — CLI entry point */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const index_js_1 = require("./scanners/index.js");
+const RISK_ICONS = {
+    low: '⚪',
+    medium: '🟡',
+    high: '🟠',
+    critical: '🔴',
+};
+const RISK_COLORS = {
+    low: '\x1b[37m',
+    medium: '\x1b[33m',
+    high: '\x1b[38;5;208m',
+    critical: '\x1b[31m',
+};
+const RESET = '\x1b[0m';
+const BOLD = '\x1b[1m';
+const DIM = '\x1b[2m';
+const GREEN = '\x1b[32m';
+function bold(text) {
+    return `${BOLD}${text}${RESET}`;
+}
+function dim(text) {
+    return `${DIM}${text}${RESET}`;
+}
+function colorRisk(level) {
+    return `${RISK_COLORS[level]}${level.toUpperCase()}${RESET}`;
+}
+function formatTable(result) {
+    const lines = [];
+    lines.push('');
+    lines.push(bold('  🔒 ScriptGuard — npm Lifecycle Script Security Scanner'));
+    lines.push('');
+    lines.push(`  Scanned ${bold(String(result.totalPackages))} packages (${result.packagesWithScripts} with lifecycle scripts) in ${result.scanDurationMs}ms`);
+    lines.push('');
+    if (result.totalFindings === 0) {
+        lines.push(`  ${GREEN}✅ No suspicious lifecycle scripts detected${RESET}`);
+        lines.push('');
+        return lines.join('\n');
+    }
+    // Summary
+    lines.push(bold('  Summary'));
+    lines.push(`  Overall Risk: ${colorRisk(result.overallRiskLevel)} (${result.overallRiskScore}/100)`);
+    lines.push(`  Findings: ${result.totalFindings} total — ${RISK_ICONS.critical} ${result.findingsByLevel.critical} critical | ${RISK_ICONS.high} ${result.findingsByLevel.high} high | ${RISK_ICONS.medium} ${result.findingsByLevel.medium} medium | ${RISK_ICONS.low} ${result.findingsByLevel.low} low`);
+    // AI Analysis Summary
+    if (result.aiAnalysis) {
+        lines.push('');
+        lines.push(bold('  AI Analysis'));
+        lines.push(`  False positives filtered: ${GREEN}${result.aiAnalysis.totalFalsePositivesFiltered}${RESET}`);
+        lines.push(`  New threats detected: ${RISK_ICONS.high} ${result.aiAnalysis.totalNewThreatsDetected}${RESET}`);
+        lines.push(`  Tokens used: ${dim(String(result.aiAnalysis.totalTokensUsed))}`);
+        lines.push(`  AI duration: ${dim(result.aiAnalysis.durationMs + 'ms')}`);
+    }
+    lines.push('');
+    // Per-package findings
+    lines.push(bold('  Findings'));
+    lines.push('  ' + '─'.repeat(70));
+    for (const analysis of result.analyses) {
+        if (analysis.findings.length === 0)
+            continue;
+        lines.push('');
+        lines.push(`  ${bold(analysis.name)}${dim('@' + analysis.version)} ${colorRisk(analysis.riskLevel)} [${analysis.riskScore}/100]`);
+        for (const finding of analysis.findings) {
+            lines.push(`    ${RISK_ICONS[finding.riskLevel]} ${colorRisk(finding.riskLevel)} ${finding.pattern}`);
+            lines.push(`      ${dim(finding.description)}`);
+            if (finding.match) {
+                const truncated = finding.match.length > 60 ? finding.match.substring(0, 57) + '...' : finding.match;
+                lines.push(`      ${dim('Match:')} ${truncated}`);
+            }
+            // Display AI insights if available
+            if (finding.aiAnalysis && finding.aiAnalysis.insights.length > 0) {
+                for (const insight of finding.aiAnalysis.insights) {
+                    const insightIcon = insight.type === 'false-positive' ? '✅' : '⚠️';
+                    lines.push(`      ${dim(insightIcon)} ${dim(insight.description)}`);
+                    if (insight.attackTechnique) {
+                        lines.push(`        ${dim('Technique:')} ${dim(insight.attackTechnique)}`);
+                    }
+                    if (insight.remediation) {
+                        lines.push(`        ${dim('Remediation:')} ${dim(insight.remediation.substring(0, 80) + (insight.remediation.length > 80 ? '...' : ''))}`);
+                    }
+                }
+            }
+        }
+    }
+    lines.push('');
+    lines.push('  ' + '─'.repeat(70));
+    if (result.aiAnalysis) {
+        lines.push(`  ${dim('Run with --format json for machine-readable output')}`);
+        lines.push(`  ${dim('Run with --ai to enable AI analysis')}`);
+    }
+    else {
+        lines.push(`  ${dim('Run with --format json for machine-readable output')}`);
+        lines.push(`  ${dim('Run with --ai to enable AI analysis (requires GOOGLE_AI_API_KEY)')}`);
+    }
+    lines.push('');
+    return lines.join('\n');
+}
+function formatJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+function formatSarif(result) {
+    const sarif = {
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+        version: '2.1.0',
+        runs: [{
+                tool: {
+                    driver: {
+                        name: 'ScriptGuard',
+                        version: '1.0.0',
+                        informationUri: 'https://github.com/ferrierepete/scriptguard',
+                        rules: result.analyses.flatMap((a) => a.findings.map((f) => ({
+                            id: f.pattern,
+                            shortDescription: { text: f.description },
+                            defaultConfiguration: { level: sarifLevel(f.riskLevel) },
+                        }))),
+                    },
+                },
+                results: result.analyses.flatMap((a) => a.findings.map((f) => ({
+                    ruleId: f.pattern,
+                    level: sarifLevel(f.riskLevel),
+                    message: { text: `[${a.name}] ${f.scriptName}: ${f.description}` },
+                    locations: [{
+                            physicalLocation: {
+                                artifactLocation: { uri: `node_modules/${a.name}/package.json` },
+                            },
+                        }],
+                }))),
+            }],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+function sarifLevel(level) {
+    switch (level) {
+        case 'critical':
+        case 'high': return 'error';
+        case 'medium': return 'warning';
+        case 'low': return 'note';
+    }
+}
+const program = new commander_1.Command();
+program
+    .name('scriptguard')
+    .description('Security scanner for npm package lifecycle scripts')
+    .version('1.0.0');
+program
+    .command('scan')
+    .description('Scan installed npm packages for malicious lifecycle scripts')
+    .option('-p, --path <path>', 'Project path', process.cwd())
+    .option('--include-dev', 'Include devDependencies', false)
+    .option('--min-risk <level>', 'Minimum risk level to report (low/medium/high/critical)', 'low')
+    .option('--fail-on <level>', 'Exit with code 1 if findings at or above this level', '')
+    .option('-f, --format <format>', 'Output format (table/json/sarif)', 'table')
+    .option('--ai', 'Enable AI analysis with Gemini API')
+    .option('--ai-mode <mode>', 'AI analysis depth (basic/standard/thorough)', 'standard')
+    .option('--ai-mitigation', 'Include remediation recommendations in AI output', true)
+    .option('--ai-max-tokens <number>', 'Maximum tokens per AI request', '1000')
+    .option('--ai-timeout <ms>', 'AI request timeout in milliseconds', '10000')
+    .action(async (opts) => {
+    const minRisk = (opts.minRisk || 'low');
+    const format = opts.format || 'table';
+    const failLevel = opts.failOn ? opts.failOn : undefined;
+    // Check for AI API key if AI is enabled
+    if (opts.ai && !process.env.GOOGLE_AI_API_KEY) {
+        console.error('\n  ❌ Error: GOOGLE_AI_API_KEY environment variable not set');
+        console.error('  Get your key at: https://makersuite.google.com/app/apikey\n');
+        console.error('  Then run: export GOOGLE_AI_API_KEY=your_key_here\n');
+        process.exit(2);
+    }
+    try {
+        // Build AI options if enabled
+        const aiOptions = opts.ai ? {
+            enabled: true,
+            mode: opts.aiMode || 'standard',
+            mitigation: opts.aiMitigation !== false,
+            maxTokens: parseInt(opts.aiMaxTokens || '1000'),
+            timeout: parseInt(opts.aiTimeout || '10000'),
+        } : undefined;
+        let result = await (0, index_js_1.scanProject)({
+            path: opts.path || process.cwd(),
+            includeDev: opts.includeDev || false,
+            minRiskLevel: minRisk,
+            format,
+            failLevel,
+            ai: aiOptions,
+        });
+        if (minRisk !== 'low') {
+            result = {
+                ...result,
+                analyses: (0, index_js_1.filterByRiskLevel)(result.analyses, minRisk),
+            };
+        }
+        const output = format === 'json' ? formatJson(result)
+            : format === 'sarif' ? formatSarif(result)
+                : formatTable(result);
+        console.log(output);
+        if (failLevel && (0, index_js_1.shouldFail)(result, failLevel)) {
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        console.error(`\n  ❌ Error: ${err.message}\n`);
+        process.exit(2);
+    }
+});
+program
+    .command('check')
+    .description('Check a single package.json for risky lifecycle scripts')
+    .argument('<path>', 'Path to package.json')
+    .option('-f, --format <format>', 'Output format (table/json/sarif)', 'table')
+    .action((filePath, opts) => {
+    const resolved = path.resolve(filePath);
+    if (!fs.existsSync(resolved)) {
+        console.error(`\n  ❌ File not found: ${resolved}\n`);
+        process.exit(2);
+    }
+    const result = (0, index_js_1.scanPackageJson)(resolved);
+    const format = opts.format || 'table';
+    const output = format === 'json' ? formatJson(result)
+        : format === 'sarif' ? formatSarif(result)
+            : formatTable(result);
+    console.log(output);
+});
+program
+    .command('patterns')
+    .description('List all detection patterns')
+    .action(async () => {
+    const { PATTERN_RULES } = await import('./scanners/patterns.js');
+    console.log('\n  🔒 ScriptGuard Detection Patterns\n');
+    const byCategory = new Map();
+    for (const rule of PATTERN_RULES) {
+        const list = byCategory.get(rule.category) || [];
+        list.push(rule);
+        byCategory.set(rule.category, list);
+    }
+    for (const [category, rules] of byCategory) {
+        console.log(`  ${bold(category.toUpperCase())}`);
+        for (const rule of rules) {
+            console.log(`    ${RISK_ICONS[rule.riskLevel]} ${rule.name} ${dim('[' + rule.riskLevel + ']')}`);
+            console.log(`      ${dim(rule.description)}`);
+        }
+        console.log('');
+    }
+});
+program.parse();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";;AACA,oCAAoC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEpC,yCAAoC;AACpC,4CAA8B;AAC9B,gDAAkC;AAElC,kDAAkG;AAElG,MAAM,UAAU,GAA8B;IAC5C,GAAG,EAAE,GAAG;IACR,MAAM,EAAE,IAAI;IACZ,IAAI,EAAE,IAAI;IACV,QAAQ,EAAE,IAAI;CACf,CAAC;AAEF,MAAM,WAAW,GAA8B;IAC7C,GAAG,EAAE,UAAU;IACf,MAAM,EAAE,UAAU;IAClB,IAAI,EAAE,gBAAgB;IACtB,QAAQ,EAAE,UAAU;CACrB,CAAC;AAEF,MAAM,KAAK,GAAG,SAAS,CAAC;AACxB,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,GAAG,GAAG,SAAS,CAAC;AACtB,MAAM,KAAK,GAAG,UAAU,CAAC;AAEzB,SAAS,IAAI,CAAC,IAAY;IACxB,OAAO,GAAG,IAAI,GAAG,IAAI,GAAG,KAAK,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,GAAG,CAAC,IAAY;IACvB,OAAO,GAAG,GAAG,GAAG,IAAI,GAAG,KAAK,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,SAAS,CAAC,KAAgB;IACjC,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,GAAG,KAAK,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,WAAW,CAAC,MAAkB;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC,CAAC;IAC7E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,cAAc,MAAM,CAAC,mBAAmB,+BAA+B,MAAM,CAAC,cAAc,IAAI,CAAC,CAAC;IAC5J,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,MAAM,CAAC,aAAa,KAAK,CAAC,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,6CAA6C,KAAK,EAAE,CAAC,CAAC;QAC3E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,UAAU;IACV,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,mBAAmB,SAAS,CAAC,MAAM,CAAC,gBAAgB,CAAC,KAAK,MAAM,CAAC,gBAAgB,OAAO,CAAC,CAAC;IACrG,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,aAAa,YAAY,UAAU,CAAC,QAAQ,IAAI,MAAM,CAAC,eAAe,CAAC,QAAQ,eAAe,UAAU,CAAC,IAAI,IAAI,MAAM,CAAC,eAAe,CAAC,IAAI,WAAW,UAAU,CAAC,MAAM,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,aAAa,UAAU,CAAC,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,GAAG,MAAM,CAAC,CAAC;IAE3S,sBAAsB;IACtB,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;QAClC,KAAK,CAAC,IAAI,CAAC,+BAA+B,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,2BAA2B,GAAG,KAAK,EAAE,CAAC,CAAC;QAC3G,KAAK,CAAC,IAAI,CAAC,2BAA2B,UAAU,CAAC,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC,uBAAuB,GAAG,KAAK,EAAE,CAAC,CAAC;QAC9G,KAAK,CAAC,IAAI,CAAC,kBAAkB,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/E,KAAK,CAAC,IAAI,CAAC,kBAAkB,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,uBAAuB;IACvB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IAC/B,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAElC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACvC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAE7C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,QAAQ,CAAC,SAAS,OAAO,CAAC,CAAC;QAElI,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACxC,KAAK,CAAC,IAAI,CAAC,OAAO,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YACtG,KAAK,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAChD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;gBACrG,KAAK,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,mCAAmC;YACnC,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjE,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;oBAClD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;oBACnE,KAAK,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;oBACpE,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;wBAC5B,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;oBAC7E,CAAC;oBACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;wBACxB,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC7I,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAClC,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,oDAAoD,CAAC,EAAE,CAAC,CAAC;QAC7E,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,qCAAqC,CAAC,EAAE,CAAC,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,oDAAoD,CAAC,EAAE,CAAC,CAAC;QAC7E,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,kEAAkE,CAAC,EAAE,CAAC,CAAC;IAC7F,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,UAAU,CAAC,MAAkB;IACpC,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,WAAW,CAAC,MAAkB;IACrC,MAAM,KAAK,GAAG;QACZ,OAAO,EAAE,sGAAsG;QAC/G,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,CAAC;gBACL,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,aAAa;wBACnB,OAAO,EAAE,OAAO;wBAChB,cAAc,EAAE,6CAA6C;wBAC7D,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACnC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;4BACrB,EAAE,EAAE,CAAC,CAAC,OAAO;4BACb,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;4BACzC,oBAAoB,EAAE,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE;yBACzD,CAAC,CAAC,CACJ;qBACF;iBACF;gBACD,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACrB,MAAM,EAAE,CAAC,CAAC,OAAO;oBACjB,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;oBAC9B,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,WAAW,EAAE,EAAE;oBAClE,SAAS,EAAE,CAAC;4BACV,gBAAgB,EAAE;gCAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC,IAAI,eAAe,EAAE;6BACjE;yBACF,CAAC;iBACH,CAAC,CAAC,CACJ;aACF,CAAC;KACH,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,UAAU,CAAC,KAAgB;IAClC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,OAAO,OAAO,CAAC;QAC5B,KAAK,QAAQ,CAAC,CAAC,OAAO,SAAS,CAAC;QAChC,KAAK,KAAK,CAAC,CAAC,OAAO,MAAM,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,aAAa,CAAC;KACnB,WAAW,CAAC,oDAAoD,CAAC;KACjE,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,6DAA6D,CAAC;KAC1E,MAAM,CAAC,mBAAmB,EAAE,cAAc,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KAC1D,MAAM,CAAC,eAAe,EAAE,yBAAyB,EAAE,KAAK,CAAC;KACzD,MAAM,CAAC,oBAAoB,EAAE,yDAAyD,EAAE,KAAK,CAAC;KAC9F,MAAM,CAAC,mBAAmB,EAAE,qDAAqD,EAAE,EAAE,CAAC;KACtF,MAAM,CAAC,uBAAuB,EAAE,kCAAkC,EAAE,OAAO,CAAC;KAC5E,MAAM,CAAC,MAAM,EAAE,oCAAoC,CAAC;KACpD,MAAM,CAAC,kBAAkB,EAAE,6CAA6C,EAAE,UAAU,CAAC;KACrF,MAAM,CAAC,iBAAiB,EAAE,kDAAkD,EAAE,IAAI,CAAC;KACnF,MAAM,CAAC,0BAA0B,EAAE,+BAA+B,EAAE,MAAM,CAAC;KAC3E,MAAM,CAAC,mBAAmB,EAAE,oCAAoC,EAAE,OAAO,CAAC;KAC1E,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,KAAK,CAAc,CAAC;IACrD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC;IACtC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,CAAC,MAAoB,CAAC,CAAC,CAAC,SAAS,CAAC;IAEvE,wCAAwC;IACxC,IAAI,IAAI,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAC9C,OAAO,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QAC7E,OAAO,CAAC,KAAK,CAAC,+DAA+D,CAAC,CAAC;QAC/E,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,SAAS,GAA0B,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACjD,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,IAAI,CAAC,MAAM,IAAI,UAAU;YAC/B,UAAU,EAAE,IAAI,CAAC,YAAY,KAAK,KAAK;YACvC,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC;YAC/C,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;SAC7C,CAAC,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,MAAM,GAAG,MAAM,IAAA,sBAAW,EAAC;YAC7B,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,EAAE;YAChC,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,KAAK;YACpC,YAAY,EAAE,OAAO;YACrB,MAAM;YACN,SAAS;YACT,EAAE,EAAE,SAAS;SACd,CAAC,CAAC;QAEH,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;YACtB,MAAM,GAAG;gBACP,GAAG,MAAM;gBACT,QAAQ,EAAE,IAAA,4BAAiB,EAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC;aACtD,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC;YACnD,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC;gBAC1C,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAExB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,IAAI,SAAS,IAAI,IAAA,qBAAU,EAAC,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,gBAAgB,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,yDAAyD,CAAC;KACtE,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,CAAC;KAC1C,MAAM,CAAC,uBAAuB,EAAE,kCAAkC,EAAE,OAAO,CAAC;KAC5E,MAAM,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE;IACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,KAAK,CAAC,yBAAyB,QAAQ,IAAI,CAAC,CAAC;QACrD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,0BAAe,EAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC;IAEtC,MAAM,MAAM,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC;QACnD,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC;YAC1C,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAExB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAgC,CAAC;IAC3D,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChB,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;QACjD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,OAAO,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;YACjG,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+/** ScriptGuard — Public API exports */
+export { scanProject, scanPackageJson, shouldFail, filterByRiskLevel } from './scanners/index.js';
+export { analyzePackage, scanInstalledPackages, scanSinglePackage } from './scanners/lifecycle.js';
+export { PATTERN_RULES } from './scanners/patterns.js';
+export type { Finding, PackageAnalysis, ScanResult, ScanOptions, PatternRule, RiskLevel, } from './types/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AAEvC,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACnG,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EACV,OAAO,EACP,eAAe,EACf,UAAU,EACV,WAAW,EACX,WAAW,EACX,SAAS,GACV,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -0,0 +1,16 @@
+"use strict";
+/** ScriptGuard — Public API exports */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PATTERN_RULES = exports.scanSinglePackage = exports.scanInstalledPackages = exports.analyzePackage = exports.filterByRiskLevel = exports.shouldFail = exports.scanPackageJson = exports.scanProject = void 0;
+var index_js_1 = require("./scanners/index.js");
+Object.defineProperty(exports, "scanProject", { enumerable: true, get: function () { return index_js_1.scanProject; } });
+Object.defineProperty(exports, "scanPackageJson", { enumerable: true, get: function () { return index_js_1.scanPackageJson; } });
+Object.defineProperty(exports, "shouldFail", { enumerable: true, get: function () { return index_js_1.shouldFail; } });
+Object.defineProperty(exports, "filterByRiskLevel", { enumerable: true, get: function () { return index_js_1.filterByRiskLevel; } });
+var lifecycle_js_1 = require("./scanners/lifecycle.js");
+Object.defineProperty(exports, "analyzePackage", { enumerable: true, get: function () { return lifecycle_js_1.analyzePackage; } });
+Object.defineProperty(exports, "scanInstalledPackages", { enumerable: true, get: function () { return lifecycle_js_1.scanInstalledPackages; } });
+Object.defineProperty(exports, "scanSinglePackage", { enumerable: true, get: function () { return lifecycle_js_1.scanSinglePackage; } });
+var patterns_js_1 = require("./scanners/patterns.js");
+Object.defineProperty(exports, "PATTERN_RULES", { enumerable: true, get: function () { return patterns_js_1.PATTERN_RULES; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA,uCAAuC;;;AAEvC,gDAAkG;AAAzF,uGAAA,WAAW,OAAA;AAAE,2GAAA,eAAe,OAAA;AAAE,sGAAA,UAAU,OAAA;AAAE,6GAAA,iBAAiB,OAAA;AACpE,wDAAmG;AAA1F,8GAAA,cAAc,OAAA;AAAE,qHAAA,qBAAqB,OAAA;AAAE,iHAAA,iBAAiB,OAAA;AACjE,sDAAuD;AAA9C,4GAAA,aAAa,OAAA"}

package/dist/scanners/index.d.ts

@@ -0,0 +1,10 @@
+/** ScriptGuard — Aggregate scanner */
+import type { ScanResult, ScanOptions, RiskLevel, PackageAnalysis, AIOptions } from '../types/index.js';
+export declare function scanProject(options: ScanOptions & {
+    ai?: AIOptions;
+}): Promise<ScanResult>;
+export declare function scanProjectSync(options: ScanOptions): ScanResult;
+export declare function scanPackageJson(filePath: string): ScanResult;
+export declare function shouldFail(result: ScanResult, failLevel?: RiskLevel): boolean;
+export declare function filterByRiskLevel(analyses: PackageAnalysis[], minLevel: RiskLevel): PackageAnalysis[];
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/scanners/index.ts"],"names":[],"mappings":"AAAA,sCAAsC;AAEtC,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,eAAe,EAAE,SAAS,EAAkB,MAAM,mBAAmB,CAAC;AAsDxH,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG;IAAE,EAAE,CAAC,EAAE,SAAS,CAAA;CAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAiBhG;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,WAAW,GAAG,UAAU,CAIhE;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAS5D;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,EAAE,SAAS,GAAG,OAAO,CAM7E;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,eAAe,EAAE,EAAE,QAAQ,EAAE,SAAS,GAAG,eAAe,EAAE,CAQrG"}

package/dist/scanners/index.js

@@ -0,0 +1,202 @@
+"use strict";
+/** ScriptGuard — Aggregate scanner */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanProject = scanProject;
+exports.scanProjectSync = scanProjectSync;
+exports.scanPackageJson = scanPackageJson;
+exports.shouldFail = shouldFail;
+exports.filterByRiskLevel = filterByRiskLevel;
+const lifecycle_js_1 = require("./lifecycle.js");
+const index_js_1 = require("../ai/index.js");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const RISK_LEVEL_ORDER = {
+    low: 0,
+    medium: 1,
+    high: 2,
+    critical: 3,
+};
+function aggregateResults(analyses, startTime) {
+    const totalFindings = analyses.reduce((sum, a) => sum + a.findings.length, 0);
+    const findingsByLevel = { low: 0, medium: 0, high: 0, critical: 0 };
+    for (const a of analyses) {
+        for (const f of a.findings) {
+            findingsByLevel[f.riskLevel]++;
+        }
+    }
+    const packagesWithScripts = analyses.filter((a) => Object.keys(a.scripts).length > 0).length;
+    let overallRiskScore = 0;
+    if (analyses.length > 0) {
+        const total = analyses.reduce((sum, a) => sum + a.riskScore, 0);
+        overallRiskScore = Math.round(total / analyses.length);
+        // Weight by max finding
+        const maxScore = Math.max(...analyses.map((a) => a.riskScore));
+        overallRiskScore = Math.min(100, Math.round(overallRiskScore * 0.3 + maxScore * 0.7));
+    }
+    let overallRiskLevel = 'low';
+    if (findingsByLevel.critical > 0)
+        overallRiskLevel = 'critical';
+    else if (findingsByLevel.high > 0)
+        overallRiskLevel = 'high';
+    else if (findingsByLevel.medium > 0)
+        overallRiskLevel = 'medium';
+    return {
+        totalPackages: analyses.length,
+        packagesWithScripts,
+        analyses,
+        totalFindings,
+        findingsByLevel,
+        overallRiskScore,
+        overallRiskLevel,
+        scanDurationMs: Date.now() - startTime,
+    };
+}
+async function scanProject(options) {
+    const startTime = Date.now();
+    const analyses = (0, lifecycle_js_1.scanInstalledPackages)(options.path, options.includeDev);
+    let result = aggregateResults(analyses, startTime);
+    // Phase 2: AI analysis (opt-in)
+    if (options.ai?.enabled) {
+        try {
+            result = await enrichWithAI(result, options.ai);
+        }
+        catch (error) {
+            // Graceful degradation - return regex-only results on AI failure
+            console.warn(`\n  ⚠️  AI analysis failed: ${error.message}`);
+            console.warn('  Continuing with regex-based scanning only.\n');
+        }
+    }
+    return result;
+}
+function scanProjectSync(options) {
+    const startTime = Date.now();
+    const analyses = (0, lifecycle_js_1.scanInstalledPackages)(options.path, options.includeDev);
+    return aggregateResults(analyses, startTime);
+}
+function scanPackageJson(filePath) {
+    const startTime = Date.now();
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const analysis = (0, lifecycle_js_1.analyzePackage)(JSON.parse(content).name || path.basename(path.dirname(filePath)), JSON.parse(content).version || 'unknown', JSON.parse(content).scripts || {});
+    return aggregateResults([analysis], startTime);
+}
+function shouldFail(result, failLevel) {
+    if (!failLevel)
+        return false;
+    const threshold = RISK_LEVEL_ORDER[failLevel];
+    return result.analyses.some((a) => a.findings.some((f) => RISK_LEVEL_ORDER[f.riskLevel] >= threshold));
+}
+function filterByRiskLevel(analyses, minLevel) {
+    const threshold = RISK_LEVEL_ORDER[minLevel];
+    return analyses
+        .map((a) => ({
+        ...a,
+        findings: a.findings.filter((f) => RISK_LEVEL_ORDER[f.riskLevel] >= threshold),
+    }))
+        .filter((a) => a.findings.length > 0);
+}
+/**
+ * Enrich scan results with AI analysis
+ */
+async function enrichWithAI(result, aiOptions) {
+    const aiStartTime = Date.now();
+    // Prepare batch request with packages that have findings or lifecycle scripts
+    const packagesToAnalyze = result.analyses.filter(a => a.findings.length > 0 || Object.keys(a.scripts).length > 0);
+    if (packagesToAnalyze.length === 0) {
+        return result;
+    }
+    // Build batch request
+    const batchRequest = {
+        packages: packagesToAnalyze.map(a => ({
+            name: a.name,
+            version: a.version,
+            scripts: a.scripts,
+            findings: a.findings,
+        })),
+        mode: aiOptions.mode || 'standard',
+    };
+    // Call Gemini API
+    const client = (0, index_js_1.getGeminiClient)(aiOptions.apiKey);
+    const aiResponse = await client.analyzeBatch(batchRequest);
+    // Merge AI results back into analyses
+    const aiAnalyses = new Map(aiResponse.analyses.map(a => [`${a.package}@${a.version}`, a]));
+    let totalFalsePositivesFiltered = 0;
+    let totalNewThreatsDetected = 0;
+    for (const analysis of result.analyses) {
+        const key = `${analysis.name}@${analysis.version}`;
+        const aiAnalysis = aiAnalyses.get(key);
+        if (aiAnalysis) {
+            // Add AI analysis to findings
+            for (const finding of analysis.findings) {
+                finding.aiAnalysis = aiAnalysis;
+            }
+            totalFalsePositivesFiltered += aiAnalysis.falsePositivesFiltered;
+            totalNewThreatsDetected += aiAnalysis.newThreatsDetected;
+            // Update risk score based on AI insights
+            if (aiAnalysis.insights.length > 0) {
+                const maxInsightSeverity = aiAnalysis.insights.reduce((max, insight) => {
+                    const severityOrder = { low: 0, medium: 1, high: 2, critical: 3 };
+                    return Math.max(max, severityOrder[insight.severity]);
+                }, 0);
+                // Adjust risk score based on AI confidence
+                if (maxInsightSeverity >= 3 && aiAnalysis.confidence > 0.7) {
+                    analysis.riskScore = Math.min(100, analysis.riskScore + 20);
+                }
+                else if (maxInsightSeverity === 0 && aiAnalysis.falsePositivesFiltered > 0) {
+                    // Lower risk if AI identified false positives
+                    analysis.riskScore = Math.max(0, analysis.riskScore - 30);
+                }
+                // Recalculate risk level
+                if (analysis.riskScore >= 75)
+                    analysis.riskLevel = 'critical';
+                else if (analysis.riskScore >= 50)
+                    analysis.riskLevel = 'high';
+                else if (analysis.riskScore >= 25)
+                    analysis.riskLevel = 'medium';
+                else
+                    analysis.riskLevel = 'low';
+            }
+        }
+    }
+    // Add AI summary to result
+    result.aiAnalysis = {
+        totalTokensUsed: aiResponse.totalTokensUsed,
+        totalFalsePositivesFiltered,
+        totalNewThreatsDetected,
+        durationMs: Date.now() - aiStartTime,
+    };
+    return result;
+}
+//# sourceMappingURL=index.js.map

package/dist/scanners/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/scanners/index.ts"],"names":[],"mappings":";AAAA,sCAAsC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwDtC,kCAiBC;AAED,0CAIC;AAED,0CASC;AAED,gCAMC;AAED,8CAQC;AAzGD,iDAAuE;AACvE,6CAAiD;AACjD,4CAA8B;AAC9B,gDAAkC;AAElC,MAAM,gBAAgB,GAA8B;IAClD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,SAAS,gBAAgB,CACvB,QAA2B,EAC3B,SAAiB;IAEjB,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC9E,MAAM,eAAe,GAA8B,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IAE/F,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YAC3B,eAAe,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,CAAC;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7F,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAChE,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;QACvD,wBAAwB;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/D,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,gBAAgB,GAAG,GAAG,GAAG,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAC;IACxF,CAAC;IAED,IAAI,gBAAgB,GAAc,KAAK,CAAC;IACxC,IAAI,eAAe,CAAC,QAAQ,GAAG,CAAC;QAAE,gBAAgB,GAAG,UAAU,CAAC;SAC3D,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC;QAAE,gBAAgB,GAAG,MAAM,CAAC;SACxD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC;QAAE,gBAAgB,GAAG,QAAQ,CAAC;IAEjE,OAAO;QACL,aAAa,EAAE,QAAQ,CAAC,MAAM;QAC9B,mBAAmB;QACnB,QAAQ;QACR,aAAa;QACb,eAAe;QACf,gBAAgB;QAChB,gBAAgB;QAChB,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;KACvC,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,WAAW,CAAC,OAAyC;IACzE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,IAAA,oCAAqB,EAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,MAAM,GAAG,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAEnD,gCAAgC;IAChC,IAAI,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,iEAAiE;YACjE,OAAO,CAAC,IAAI,CAAC,+BAA+B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7D,OAAO,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,eAAe,CAAC,OAAoB;IAClD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,IAAA,oCAAqB,EAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACzE,OAAO,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,SAAgB,eAAe,CAAC,QAAgB;IAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAA,6BAAc,EAC7B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,EACjE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,OAAO,IAAI,SAAS,EACxC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,OAAO,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,gBAAgB,CAAC,CAAC,QAAQ,CAAC,EAAE,SAAS,CAAC,CAAC;AACjD,CAAC;AAED,SAAgB,UAAU,CAAC,MAAkB,EAAE,SAAqB;IAClE,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,MAAM,SAAS,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAChC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,CACnE,CAAC;AACJ,CAAC;AAED,SAAgB,iBAAiB,CAAC,QAA2B,EAAE,QAAmB;IAChF,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC7C,OAAO,QAAQ;SACZ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,GAAG,CAAC;QACJ,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;KAC/E,CAAC,CAAC;SACF,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,YAAY,CAAC,MAAkB,EAAE,SAAoB;IAClE,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE/B,8EAA8E;IAC9E,MAAM,iBAAiB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAChE,CAAC;IAEF,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sBAAsB;IACtB,MAAM,YAAY,GAAmB;QACnC,QAAQ,EAAE,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACpC,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC;QACH,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,UAAU;KACnC,CAAC;IAEF,kBAAkB;IAClB,MAAM,MAAM,GAAG,IAAA,0BAAe,EAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;IAE3D,sCAAsC;IACtC,MAAM,UAAU,GAAG,IAAI,GAAG,CACxB,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAC/D,CAAC;IAEF,IAAI,2BAA2B,GAAG,CAAC,CAAC;IACpC,IAAI,uBAAuB,GAAG,CAAC,CAAC;IAEhC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACnD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEvC,IAAI,UAAU,EAAE,CAAC;YACf,8BAA8B;YAC9B,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACxC,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;YAClC,CAAC;YAED,2BAA2B,IAAI,UAAU,CAAC,sBAAsB,CAAC;YACjE,uBAAuB,IAAI,UAAU,CAAC,kBAAkB,CAAC;YAEzD,yCAAyC;YACzC,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACnC,MAAM,kBAAkB,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;oBACrE,MAAM,aAAa,GAAG,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;oBAClE,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;gBACxD,CAAC,EAAE,CAAC,CAAC,CAAC;gBAEN,2CAA2C;gBAC3C,IAAI,kBAAkB,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC;oBAC3D,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC;gBAC9D,CAAC;qBAAM,IAAI,kBAAkB,KAAK,CAAC,IAAI,UAAU,CAAC,sBAAsB,GAAG,CAAC,EAAE,CAAC;oBAC7E,8CAA8C;oBAC9C,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC;gBAC5D,CAAC;gBAED,yBAAyB;gBACzB,IAAI,QAAQ,CAAC,SAAS,IAAI,EAAE;oBAAE,QAAQ,CAAC,SAAS,GAAG,UAAU,CAAC;qBACzD,IAAI,QAAQ,CAAC,SAAS,IAAI,EAAE;oBAAE,QAAQ,CAAC,SAAS,GAAG,MAAM,CAAC;qBAC1D,IAAI,QAAQ,CAAC,SAAS,IAAI,EAAE;oBAAE,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC;;oBAC5D,QAAQ,CAAC,SAAS,GAAG,KAAK,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,CAAC,UAAU,GAAG;QAClB,eAAe,EAAE,UAAU,CAAC,eAAe;QAC3C,2BAA2B;QAC3B,uBAAuB;QACvB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;KACrC,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/scanners/lifecycle.d.ts

@@ -0,0 +1,10 @@
+/** ScriptGuard — Lifecycle script parser — reads package.json files from node_modules */
+import type { PackageAnalysis, RiskLevel } from '../types/index.js';
+declare function extractLifecycleScripts(scripts: Record<string, string>): Record<string, string>;
+declare function calculateRiskScore(findings: PackageAnalysis['findings']): number;
+declare function riskLevelFromScore(score: number): RiskLevel;
+export declare function analyzePackage(name: string, version: string, scripts: Record<string, string>): PackageAnalysis;
+export declare function scanInstalledPackages(projectPath: string, includeDev?: boolean): PackageAnalysis[];
+export declare function scanSinglePackage(pkgJsonContent: string): PackageAnalysis;
+export { extractLifecycleScripts, calculateRiskScore, riskLevelFromScore };
+//# sourceMappingURL=lifecycle.d.ts.map

package/dist/scanners/lifecycle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../../src/scanners/lifecycle.ts"],"names":[],"mappings":"AAAA,yFAAyF;AAIzF,OAAO,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAoCpE,iBAAS,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQxF;AA4BD,iBAAS,kBAAkB,CAAC,QAAQ,EAAE,eAAe,CAAC,UAAU,CAAC,GAAG,MAAM,CAKzE;AAED,iBAAS,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAKpD;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC9B,eAAe,CAgCjB;AAED,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,UAAQ,GAAG,eAAe,EAAE,CAuDhG;AAED,wBAAgB,iBAAiB,CAAC,cAAc,EAAE,MAAM,GAAG,eAAe,CAOzE;AAED,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,CAAC"}