seamshield 0.0.1 → 0.1.0

package/dist/index.js

@@ -0,0 +1,1096 @@
+#!/usr/bin/env node
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// ../../node_modules/.pnpm/picocolors@1.1.1/node_modules/picocolors/picocolors.js
+var require_picocolors = __commonJS({
+  "../../node_modules/.pnpm/picocolors@1.1.1/node_modules/picocolors/picocolors.js"(exports, module) {
+    "use strict";
+    var p = process || {};
+    var argv = p.argv || [];
+    var env = p.env || {};
+    var isColorSupported = !(!!env.NO_COLOR || argv.includes("--no-color")) && (!!env.FORCE_COLOR || argv.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env.TERM !== "dumb" || !!env.CI);
+    var formatter = (open, close, replace = open) => (input) => {
+      let string = "" + input, index = string.indexOf(close, open.length);
+      return ~index ? open + replaceClose(string, close, replace, index) + close : open + string + close;
+    };
+    var replaceClose = (string, close, replace, index) => {
+      let result = "", cursor = 0;
+      do {
+        result += string.substring(cursor, index) + replace;
+        cursor = index + close.length;
+        index = string.indexOf(close, cursor);
+      } while (~index);
+      return result + string.substring(cursor);
+    };
+    var createColors = (enabled = isColorSupported) => {
+      let f = enabled ? formatter : () => String;
+      return {
+        isColorSupported: enabled,
+        reset: f("\x1B[0m", "\x1B[0m"),
+        bold: f("\x1B[1m", "\x1B[22m", "\x1B[22m\x1B[1m"),
+        dim: f("\x1B[2m", "\x1B[22m", "\x1B[22m\x1B[2m"),
+        italic: f("\x1B[3m", "\x1B[23m"),
+        underline: f("\x1B[4m", "\x1B[24m"),
+        inverse: f("\x1B[7m", "\x1B[27m"),
+        hidden: f("\x1B[8m", "\x1B[28m"),
+        strikethrough: f("\x1B[9m", "\x1B[29m"),
+        black: f("\x1B[30m", "\x1B[39m"),
+        red: f("\x1B[31m", "\x1B[39m"),
+        green: f("\x1B[32m", "\x1B[39m"),
+        yellow: f("\x1B[33m", "\x1B[39m"),
+        blue: f("\x1B[34m", "\x1B[39m"),
+        magenta: f("\x1B[35m", "\x1B[39m"),
+        cyan: f("\x1B[36m", "\x1B[39m"),
+        white: f("\x1B[37m", "\x1B[39m"),
+        gray: f("\x1B[90m", "\x1B[39m"),
+        bgBlack: f("\x1B[40m", "\x1B[49m"),
+        bgRed: f("\x1B[41m", "\x1B[49m"),
+        bgGreen: f("\x1B[42m", "\x1B[49m"),
+        bgYellow: f("\x1B[43m", "\x1B[49m"),
+        bgBlue: f("\x1B[44m", "\x1B[49m"),
+        bgMagenta: f("\x1B[45m", "\x1B[49m"),
+        bgCyan: f("\x1B[46m", "\x1B[49m"),
+        bgWhite: f("\x1B[47m", "\x1B[49m"),
+        blackBright: f("\x1B[90m", "\x1B[39m"),
+        redBright: f("\x1B[91m", "\x1B[39m"),
+        greenBright: f("\x1B[92m", "\x1B[39m"),
+        yellowBright: f("\x1B[93m", "\x1B[39m"),
+        blueBright: f("\x1B[94m", "\x1B[39m"),
+        magentaBright: f("\x1B[95m", "\x1B[39m"),
+        cyanBright: f("\x1B[96m", "\x1B[39m"),
+        whiteBright: f("\x1B[97m", "\x1B[39m"),
+        bgBlackBright: f("\x1B[100m", "\x1B[49m"),
+        bgRedBright: f("\x1B[101m", "\x1B[49m"),
+        bgGreenBright: f("\x1B[102m", "\x1B[49m"),
+        bgYellowBright: f("\x1B[103m", "\x1B[49m"),
+        bgBlueBright: f("\x1B[104m", "\x1B[49m"),
+        bgMagentaBright: f("\x1B[105m", "\x1B[49m"),
+        bgCyanBright: f("\x1B[106m", "\x1B[49m"),
+        bgWhiteBright: f("\x1B[107m", "\x1B[49m")
+      };
+    };
+    module.exports = createColors();
+    module.exports.createColors = createColors;
+  }
+});
+
+// src/index.ts
+import { spawnSync as spawnSync2 } from "child_process";
+import { existsSync as existsSync2, mkdirSync, mkdtempSync, readFileSync as readFileSync6, rmSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { dirname as dirname3, join as join7, resolve as resolve2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { Command } from "commander";
+
+// ../core/dist/index.js
+import { readFileSync } from "fs";
+import { join as join2 } from "path";
+import { parse } from "yaml";
+import { z } from "zod";
+import { randomUUID } from "crypto";
+import { basename, extname } from "path";
+import { spawnSync } from "child_process";
+import { basename as basename2 } from "path";
+var import_picocolors = __toESM(require_picocolors(), 1);
+import { createHash } from "crypto";
+import { readFileSync as readFileSync2, readdirSync } from "fs";
+import { join as join3 } from "path";
+import { parse as parse2 } from "yaml";
+import { z as z2 } from "zod";
+import { readFileSync as readFileSync5 } from "fs";
+import { resolve } from "path";
+
+// ../rules/dist/index.js
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+var rulesDir = join(dirname(fileURLToPath(import.meta.url)), "..", "rules");
+var findingSchemaPath = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "schemas",
+  "finding.schema.json"
+);
+
+// ../core/dist/index.js
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname2, join as join4 } from "path";
+import { existsSync } from "fs";
+import { dirname as dirname22, join as join5 } from "path";
+import { readdirSync as readdirSync2, readFileSync as readFileSync4, statSync } from "fs";
+import { join as join6, relative as relative2 } from "path";
+import { z as z3 } from "zod";
+var ConfigSchema = z.object({
+  ignore: z.array(z.string()).optional(),
+  rules: z.object({ disable: z.array(z.string()).optional() }).optional()
+});
+var EMPTY = { ignorePrefixes: [], disabledRules: /* @__PURE__ */ new Set() };
+function loadConfig(root) {
+  let text;
+  try {
+    text = readFileSync(join2(root, ".seamshield", "config.yaml"), "utf8");
+  } catch {
+    return EMPTY;
+  }
+  const parsed = ConfigSchema.parse(parse(text) ?? {});
+  return {
+    ignorePrefixes: (parsed.ignore ?? []).map(
+      (p) => p.replace(/\/\*{1,2}$/, "").replace(/\/$/, "")
+    ),
+    disabledRules: new Set(parsed.rules?.disable ?? [])
+  };
+}
+function isIgnored(rel, prefixes) {
+  return prefixes.some((p) => rel === p || rel.startsWith(`${p}/`));
+}
+function matchBasenamePattern(name, pattern) {
+  if (pattern.startsWith("*")) return name.endsWith(pattern.slice(1));
+  if (pattern.endsWith("*")) return name.startsWith(pattern.slice(0, -1));
+  return name === pattern;
+}
+function fileMatchesRule(file, check) {
+  const name = basename(file.rel);
+  if (check.exclude?.basenames?.some((p) => matchBasenamePattern(name, p))) return false;
+  if (check.exclude?.dirs) {
+    const segments = file.rel.split(/[\\/]/);
+    if (check.exclude.dirs.some((d) => segments.includes(d))) return false;
+  }
+  const include = check.include;
+  if (!include || !include.extensions && !include.basenames && !include.path_contains) {
+    return true;
+  }
+  const rel = file.rel.split("\\").join("/");
+  if (include.path_contains && !include.path_contains.some((segment) => rel.includes(segment))) {
+    return false;
+  }
+  if (!include.extensions && !include.basenames) return true;
+  const ext = extname(name).toLowerCase();
+  if (include.extensions?.includes(ext)) return true;
+  if (include.basenames?.some((p) => matchBasenamePattern(name, p))) return true;
+  return false;
+}
+function redactSecret(value) {
+  return `${value.slice(0, 8)}\u2026(${value.length} chars)`;
+}
+function buildFinding(rule, file, line, evidence, ctx) {
+  return {
+    event_id: randomUUID(),
+    event_type: "scan.finding",
+    time: (/* @__PURE__ */ new Date()).toISOString(),
+    tenant: "local",
+    decision: rule.severity === "block" ? "deny" : "scan",
+    route: { plane: "evidence", lane: "cpu", reason: [rule.id] },
+    engines: [{ name: "seamshield", version: ctx.engineVersion, role: "scanner" }],
+    provenance: { policy_bundle_digest: ctx.policyBundleDigest },
+    spans: [{ start: line, end: line, label: file, evidence }],
+    finding: {
+      rule_id: rule.id,
+      severity: rule.severity,
+      title: rule.title,
+      file,
+      line,
+      fix: rule.fix
+    }
+  };
+}
+var IGNORE_RE = /seamshield-ignore(?:[ \t]+([\w/,\- \t]+))?/;
+function isSuppressed(lines, index, ruleId) {
+  const candidates = [lines[index], index > 0 ? lines[index - 1] : void 0];
+  for (const line of candidates) {
+    if (!line) continue;
+    const match = IGNORE_RE.exec(line);
+    if (!match) continue;
+    if (!match[1]) return true;
+    if (match[1].split(/[\s,]+/).filter(Boolean).includes(ruleId)) return true;
+  }
+  return false;
+}
+function runRegexRule(rule, files, cache, ctx) {
+  const findings = [];
+  const patterns = rule.check.patterns ?? [];
+  const gate = rule.check.file_contains ? new RegExp(rule.check.file_contains) : null;
+  for (const file of files) {
+    if (!fileMatchesRule(file, rule.check)) continue;
+    const content = cache.read(file.abs);
+    if (content === null) continue;
+    if (gate && !gate.test(content)) continue;
+    const lines = content.split(/\r?\n/);
+    const matchedLines = /* @__PURE__ */ new Set();
+    for (const pattern of patterns) {
+      const re = new RegExp(pattern.regex);
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line === void 0 || matchedLines.has(i)) continue;
+        const match = re.exec(line);
+        if (!match) continue;
+        if (isSuppressed(lines, i, rule.id)) continue;
+        matchedLines.add(i);
+        const evidence = rule.check.redact ? `${pattern.name}: ${redactSecret(match[0])}` : match[0].slice(0, 120);
+        findings.push(buildFinding(rule, file.rel, i + 1, evidence, ctx));
+      }
+    }
+  }
+  return findings;
+}
+function runAbsenceRule(rule, files, cache, ctx) {
+  const findings = [];
+  const patterns = (rule.check.patterns ?? []).map((p) => new RegExp(p.regex));
+  const gate = rule.check.file_contains ? new RegExp(rule.check.file_contains) : null;
+  for (const file of files) {
+    if (!fileMatchesRule(file, rule.check)) continue;
+    const content = cache.read(file.abs);
+    if (content === null) continue;
+    if (gate && !gate.test(content)) continue;
+    const lines = content.split(/\r?\n/);
+    if (patterns.some((re) => lines.some((line) => re.test(line)))) continue;
+    if (lines.some((_, i) => isSuppressed(lines, i, rule.id))) continue;
+    findings.push(
+      buildFinding(rule, file.rel, 1, "no recognized safeguard found in this file", ctx)
+    );
+  }
+  return findings;
+}
+var ALLOWED = /* @__PURE__ */ new Set([".env.example", ".env.sample", ".env.template"]);
+var ENV_FILE_RE = /^\.env(\..+)?$/;
+function checkEnvFileCommitted(rule, ctx) {
+  const result = spawnSync(
+    "git",
+    ["-C", ctx.root, "ls-files", "--cached", "--others", "--exclude-standard"],
+    { encoding: "utf8", timeout: 1500 }
+  );
+  if (result.error || result.status !== 0 || typeof result.stdout !== "string") {
+    return [];
+  }
+  const findings = [];
+  for (const rel of result.stdout.split("\n")) {
+    if (!rel) continue;
+    const name = basename2(rel);
+    if (!ENV_FILE_RE.test(name) || ALLOWED.has(name)) continue;
+    findings.push(
+      buildFinding(rule, rel, 1, "dotenv file is tracked by git or not covered by .gitignore", ctx)
+    );
+  }
+  return findings;
+}
+function promptFor(finding) {
+  return [
+    `### ${finding.finding.rule_id} (${finding.finding.severity})`,
+    `File: ${finding.finding.file}:${finding.finding.line}`,
+    `Issue: ${finding.finding.title}`,
+    `Fix: ${finding.finding.fix.agent_prompt}`
+  ].join("\n");
+}
+function buildFixPlan(result) {
+  const items = result.findings.map((finding) => ({
+    rule_id: finding.finding.rule_id,
+    severity: finding.finding.severity,
+    title: finding.finding.title,
+    file: finding.finding.file,
+    line: finding.finding.line,
+    evidence: finding.spans[0]?.evidence ?? "",
+    fix: finding.finding.fix,
+    agent_prompt: promptFor(finding)
+  }));
+  return {
+    schema: "seamshield.fix-plan/v1",
+    target: result.target,
+    policy_bundle_digest: result.policyBundleDigest,
+    summary: { findings_total: result.findings.length },
+    items,
+    agent_markdown: [
+      "# SeamShield Fix Plan",
+      "",
+      "Apply these fixes without exposing or logging secret values.",
+      "",
+      ...items.map((item) => item.agent_prompt),
+      ""
+    ].join("\n")
+  };
+}
+var PatternSchema = z2.object({
+  name: z2.string().min(1),
+  regex: z2.string().min(1)
+});
+var RuleSchema = z2.object({
+  id: z2.string().regex(/^ss\/[a-z-]+\/[a-z0-9-]+$/),
+  severity: z2.enum(["block", "high", "warn", "info"]),
+  title: z2.string().min(1),
+  description: z2.string().min(1),
+  framework_ref: z2.string().min(1),
+  check: z2.object({
+    type: z2.enum(["regex", "absence", "builtin"]),
+    builtin: z2.string().optional(),
+    include: z2.object({
+      extensions: z2.array(z2.string()).optional(),
+      basenames: z2.array(z2.string()).optional(),
+      path_contains: z2.array(z2.string()).optional()
+    }).optional(),
+    exclude: z2.object({
+      basenames: z2.array(z2.string()).optional(),
+      dirs: z2.array(z2.string()).optional()
+    }).optional(),
+    file_contains: z2.string().optional(),
+    patterns: z2.array(PatternSchema).optional(),
+    patterns_from: z2.string().optional(),
+    redact: z2.boolean().optional()
+  }),
+  fix: z2.object({
+    summary: z2.string().min(1),
+    agent_prompt: z2.string().min(1),
+    doc_url: z2.string().optional()
+  })
+});
+var PatternFileSchema = z2.object({ patterns: z2.array(PatternSchema).min(1) });
+function loadRules(rulesDir2) {
+  const yamlFiles = readdirSync(rulesDir2).filter((f) => f.endsWith(".yaml") || f.endsWith(".yml")).sort();
+  if (yamlFiles.length === 0) {
+    throw new Error(`no rule YAML files found in ${rulesDir2}`);
+  }
+  const hash = createHash("sha256");
+  const contents = /* @__PURE__ */ new Map();
+  for (const name of yamlFiles) {
+    const text = readFileSync2(join3(rulesDir2, name), "utf8");
+    contents.set(name, text);
+    hash.update(name);
+    hash.update("\n");
+    hash.update(text);
+    hash.update("\n");
+  }
+  const rules = [];
+  for (const [name, text] of contents) {
+    const doc = parse2(text);
+    if (typeof doc !== "object" || doc === null || !("id" in doc)) continue;
+    const rule = RuleSchema.parse(doc);
+    if (rule.check.patterns_from) {
+      const source = contents.get(rule.check.patterns_from);
+      if (!source) {
+        throw new Error(
+          `${name}: patterns_from references missing file ${rule.check.patterns_from}`
+        );
+      }
+      const shared = PatternFileSchema.parse(parse2(source));
+      rule.check.patterns = [...shared.patterns, ...rule.check.patterns ?? []];
+    }
+    if ((rule.check.type === "regex" || rule.check.type === "absence") && !rule.check.patterns?.length) {
+      throw new Error(`${name}: ${rule.check.type} rule has no patterns`);
+    }
+    rules.push(rule);
+  }
+  return { rules, policyBundleDigest: hash.digest("hex") };
+}
+function renderJson(result) {
+  const bySeverity = {};
+  for (const f of result.findings) {
+    bySeverity[f.finding.severity] = (bySeverity[f.finding.severity] ?? 0) + 1;
+  }
+  return JSON.stringify(
+    {
+      schema: "seamshield.findings/v1",
+      engine: { name: "seamshield", version: result.engineVersion },
+      policy_bundle_digest: result.policyBundleDigest,
+      summary: {
+        files_scanned: result.filesScanned,
+        rules_loaded: result.rulesLoaded,
+        findings_total: result.findings.length,
+        by_severity: bySeverity
+      },
+      findings: result.findings
+    },
+    null,
+    2
+  );
+}
+function level(finding) {
+  if (finding.finding.severity === "block" || finding.finding.severity === "high") {
+    return "error";
+  }
+  if (finding.finding.severity === "warn") return "warning";
+  return "note";
+}
+function renderSarif(result) {
+  const ruleIds = [...new Set(result.findings.map((f) => f.finding.rule_id))].sort();
+  return JSON.stringify(
+    {
+      version: "2.1.0",
+      $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+      runs: [
+        {
+          tool: {
+            driver: {
+              name: "SeamShield",
+              informationUri: "https://seamshield.dev",
+              semanticVersion: result.engineVersion,
+              rules: ruleIds.map((id) => {
+                const sample = result.findings.find((f) => f.finding.rule_id === id);
+                return {
+                  id,
+                  shortDescription: { text: sample?.finding.title ?? id },
+                  help: { text: sample?.finding.fix.summary ?? "" }
+                };
+              })
+            }
+          },
+          results: result.findings.map((finding) => ({
+            ruleId: finding.finding.rule_id,
+            level: level(finding),
+            message: { text: `${finding.finding.title}: ${finding.finding.fix.summary}` },
+            locations: [
+              {
+                physicalLocation: {
+                  artifactLocation: { uri: finding.finding.file },
+                  region: { startLine: finding.finding.line }
+                }
+              }
+            ]
+          }))
+        }
+      ]
+    },
+    null,
+    2
+  );
+}
+var SEVERITY_COLOR = {
+  block: (s) => import_picocolors.default.red(s),
+  high: (s) => import_picocolors.default.magenta(s),
+  warn: (s) => import_picocolors.default.yellow(s),
+  info: (s) => import_picocolors.default.dim(s)
+};
+function renderTable(result) {
+  const lines = [];
+  lines.push(
+    `${import_picocolors.default.bold(`SeamShield v${result.engineVersion}`)}${import_picocolors.default.dim(
+      ` \u2014 ${result.filesScanned} files, ${result.rulesLoaded} rules`
+    )}`
+  );
+  lines.push("");
+  if (result.findings.length === 0) {
+    lines.push(import_picocolors.default.green("\u2713 No findings."));
+  } else {
+    for (const f of result.findings) {
+      const sev = SEVERITY_COLOR[f.finding.severity](
+        f.finding.severity.toUpperCase().padEnd(5)
+      );
+      lines.push(`${sev} ${f.finding.rule_id}  ${import_picocolors.default.bold(`${f.finding.file}:${f.finding.line}`)}`);
+      lines.push(`      ${f.finding.title}`);
+      const evidence = f.spans[0]?.evidence;
+      if (evidence) lines.push(import_picocolors.default.dim(`      evidence: ${evidence}`));
+      lines.push(`      ${import_picocolors.default.cyan("fix:")} ${f.finding.fix.summary}`);
+      lines.push("");
+    }
+    const counts = /* @__PURE__ */ new Map();
+    for (const f of result.findings) {
+      counts.set(f.finding.severity, (counts.get(f.finding.severity) ?? 0) + 1);
+    }
+    const parts = [...counts.entries()].map(([sev, n]) => SEVERITY_COLOR[sev](`${n} ${sev}`));
+    lines.push(`${import_picocolors.default.bold(`${result.findings.length} findings`)} (${parts.join(", ")})`);
+  }
+  lines.push(import_picocolors.default.dim(`policy bundle ${result.policyBundleDigest.slice(0, 12)}`));
+  return lines.join("\n");
+}
+var DEP_FIELDS = [
+  "dependencies",
+  "devDependencies",
+  "peerDependencies",
+  "optionalDependencies"
+];
+function readJson(path) {
+  return JSON.parse(readFileSync3(path, "utf8"));
+}
+function dependencyLine(text, name) {
+  const needle = `"${name}"`;
+  const index = text.indexOf(needle);
+  if (index < 0) return 1;
+  return text.slice(0, index).split(/\r?\n/).length;
+}
+function collectDependencies(ctx, files) {
+  const deps = [];
+  for (const file of files) {
+    if (!file.rel.endsWith("package.json")) continue;
+    let text;
+    let pkg2;
+    try {
+      text = readFileSync3(file.abs, "utf8");
+      pkg2 = JSON.parse(text);
+    } catch {
+      continue;
+    }
+    for (const field of DEP_FIELDS) {
+      const block = pkg2[field];
+      if (!block || typeof block !== "object") continue;
+      for (const [name, spec] of Object.entries(block)) {
+        if (typeof spec !== "string") continue;
+        deps.push({ name, spec, manifestRel: file.rel, line: dependencyLine(text, name) });
+      }
+    }
+  }
+  const seen = /* @__PURE__ */ new Set();
+  return deps.filter((dep) => {
+    const key = `${dep.name}@${dep.spec}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+function cachePath(ctx, kind, key) {
+  const safe = encodeURIComponent(key).replace(/[!'()*]/g, "_");
+  return join4(ctx.root, ".seamshield", "cache", kind, `${safe}.json`);
+}
+function readCache(ctx, kind, key) {
+  try {
+    const entry = readJson(cachePath(ctx, kind, key));
+    if (!entry.ok) return void 0;
+    if (Date.now() - entry.time > 24 * 60 * 60 * 1e3) return void 0;
+    return entry.value;
+  } catch {
+    return void 0;
+  }
+}
+function writeCache(ctx, kind, key, value) {
+  const path = cachePath(ctx, kind, key);
+  mkdirSync2(dirname2(path), { recursive: true });
+  writeFileSync2(path, JSON.stringify({ ok: true, value, time: Date.now() }));
+}
+async function fetchJson(url, init, timeoutMs, fetchImpl) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetchImpl(url, { ...init, signal: controller.signal });
+    let body = null;
+    try {
+      body = await response.json();
+    } catch {
+      body = null;
+    }
+    return { status: response.status, body };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function checkHallucinatedPackages(rule, ctx, files, options = {}) {
+  const fetchImpl = options.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl) return [];
+  const timeoutMs = options.timeoutMs ?? 750;
+  const findings = [];
+  for (const dep of collectDependencies(ctx, files)) {
+    const cached = readCache(ctx, "npm", dep.name);
+    let exists = cached?.exists;
+    if (exists === void 0) {
+      try {
+        const encoded = dep.name.startsWith("@") ? dep.name.replace("/", "%2F") : dep.name;
+        const result = await fetchJson(
+          `https://registry.npmjs.org/${encoded}`,
+          { headers: { accept: "application/vnd.npm.install-v1+json" } },
+          timeoutMs,
+          fetchImpl
+        );
+        exists = result.status !== 404;
+        if (result.status >= 200 && result.status < 500) {
+          writeCache(ctx, "npm", dep.name, { exists });
+        }
+      } catch {
+        continue;
+      }
+    }
+    if (exists === false) {
+      findings.push(
+        buildFinding(rule, dep.manifestRel, dep.line, `${dep.name} returned 404 from npm`, ctx)
+      );
+    }
+  }
+  return findings;
+}
+function normalizedVersion(spec) {
+  const exact = spec.trim().replace(/^[~^]/, "");
+  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(exact) ? exact : null;
+}
+function vulnSeverity(vuln) {
+  const haystack = JSON.stringify(vuln).toLowerCase();
+  return haystack.includes("kev") || haystack.includes("known exploited") ? "block" : "high";
+}
+async function checkKnownVulnerabilities(rule, ctx, files, options = {}) {
+  const fetchImpl = options.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl) return [];
+  const deps = collectDependencies(ctx, files).map((dep) => ({ ...dep, version: normalizedVersion(dep.spec) })).filter((dep) => dep.version !== null);
+  if (deps.length === 0) return [];
+  const timeoutMs = options.timeoutMs ?? 750;
+  const findings = [];
+  for (const dep of deps) {
+    const cacheKey = `${dep.name}@${dep.version}`;
+    let vulns = readCache(ctx, "osv", cacheKey);
+    if (!vulns) {
+      try {
+        const result = await fetchJson(
+          "https://api.osv.dev/v1/query",
+          {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({
+              package: { ecosystem: "npm", name: dep.name },
+              version: dep.version
+            })
+          },
+          timeoutMs,
+          fetchImpl
+        );
+        if (result.status < 200 || result.status >= 300) continue;
+        const body = result.body;
+        vulns = body.vulns ?? [];
+        writeCache(ctx, "osv", cacheKey, vulns);
+      } catch {
+        continue;
+      }
+    }
+    for (const vuln of vulns.slice(0, 3)) {
+      const id = typeof vuln.id === "string" ? vuln.id : "OSV";
+      const severity = vulnSeverity(vuln);
+      findings.push(
+        buildFinding(
+          { ...rule, severity },
+          dep.manifestRel,
+          dep.line,
+          `${dep.name}@${dep.version} is affected by ${id}`,
+          ctx
+        )
+      );
+    }
+  }
+  return findings;
+}
+var LOCKFILES = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb", "bun.lock"];
+function checkNoLockfile(rule, ctx) {
+  if (!existsSync(join5(ctx.root, "package.json"))) return [];
+  let dir = ctx.root;
+  for (let depth = 0; depth < 8; depth++) {
+    if (LOCKFILES.some((name) => existsSync(join5(dir, name)))) return [];
+    const parent = dirname22(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return [buildFinding(rule, "package.json", 1, "no lockfile found next to package.json", ctx)];
+}
+var SEVERITY_RANK = {
+  block: 0,
+  high: 1,
+  warn: 2,
+  info: 3
+};
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  ".next",
+  "build",
+  "out",
+  "coverage",
+  ".turbo",
+  ".vercel",
+  ".cache",
+  ".pnpm-store"
+]);
+var MAX_FILE_BYTES = 1e6;
+function walk(root) {
+  const files = [];
+  const visit = (dir) => {
+    let entries;
+    try {
+      entries = readdirSync2(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.isSymbolicLink()) continue;
+      const abs = join6(dir, entry.name);
+      if (entry.isDirectory()) {
+        const rel = relative2(root, abs).split("\\").join("/");
+        if (SKIP_DIRS.has(entry.name)) continue;
+        if (entry.name === ".worktrees") continue;
+        if (rel === ".claude/worktrees" || rel.endsWith("/.claude/worktrees")) continue;
+        visit(abs);
+      } else if (entry.isFile()) {
+        try {
+          if (statSync(abs).size > MAX_FILE_BYTES) continue;
+        } catch {
+          continue;
+        }
+        files.push({ abs, rel: relative2(root, abs) });
+      }
+    }
+  };
+  visit(root);
+  return files;
+}
+var FileCache = class {
+  cache = /* @__PURE__ */ new Map();
+  read(abs) {
+    const cached = this.cache.get(abs);
+    if (cached !== void 0) return cached;
+    let value = null;
+    try {
+      const buf = readFileSync4(abs);
+      value = buf.includes(0) ? null : buf.toString("utf8");
+    } catch {
+      value = null;
+    }
+    this.cache.set(abs, value);
+    return value;
+  }
+};
+var corePkg = JSON.parse(
+  readFileSync5(new URL("../package.json", import.meta.url), "utf8")
+);
+function scan(target, options = {}) {
+  const root = resolve(target);
+  const { rules, policyBundleDigest } = loadRules(options.rulesDir ?? rulesDir);
+  const config = loadConfig(root);
+  const ctx = { root, policyBundleDigest, engineVersion: corePkg.version };
+  const files = walk(root).filter((f) => !isIgnored(f.rel, config.ignorePrefixes));
+  const cache = new FileCache();
+  let findings = [];
+  for (const rule of rules) {
+    if (config.disabledRules.has(rule.id)) continue;
+    if (rule.check.type === "regex") {
+      findings.push(...runRegexRule(rule, files, cache, ctx));
+    } else if (rule.check.type === "absence") {
+      findings.push(...runAbsenceRule(rule, files, cache, ctx));
+    } else if (rule.check.builtin === "env-file-committed") {
+      findings.push(...checkEnvFileCommitted(rule, ctx));
+    } else if (rule.check.builtin === "no-lockfile") {
+      findings.push(...checkNoLockfile(rule, ctx));
+    } else if (rule.check.builtin === "hallucinated-package" || rule.check.builtin === "known-vuln") {
+      continue;
+    } else {
+      throw new Error(`${rule.id}: unknown builtin check "${rule.check.builtin}"`);
+    }
+  }
+  findings = findings.filter((f) => !isIgnored(f.finding.file, config.ignorePrefixes));
+  findings.sort(
+    (a, b) => SEVERITY_RANK[a.finding.severity] - SEVERITY_RANK[b.finding.severity] || a.finding.file.localeCompare(b.finding.file) || a.finding.line - b.finding.line || a.finding.rule_id.localeCompare(b.finding.rule_id)
+  );
+  return {
+    target: root,
+    findings,
+    exitCode: computeExitCode(findings, options.failOn ?? "block"),
+    filesScanned: files.length,
+    rulesLoaded: rules.length,
+    policyBundleDigest,
+    engineVersion: corePkg.version,
+    networkSkipped: true
+  };
+}
+async function scanAsync(target, options = {}) {
+  const result = scan(target, options);
+  if (options.network === "off") return result;
+  const root = resolve(target);
+  const { rules } = loadRules(options.rulesDir ?? rulesDir);
+  const config = loadConfig(root);
+  const ctx = {
+    root,
+    policyBundleDigest: result.policyBundleDigest,
+    engineVersion: result.engineVersion
+  };
+  const files = walk(root).filter((f) => !isIgnored(f.rel, config.ignorePrefixes));
+  const dependencyFindings = [];
+  for (const rule of rules) {
+    if (config.disabledRules.has(rule.id)) continue;
+    if (rule.check.builtin === "hallucinated-package") {
+      dependencyFindings.push(
+        ...await checkHallucinatedPackages(rule, ctx, files, {
+          fetchImpl: options.fetchImpl,
+          timeoutMs: options.networkTimeoutMs
+        })
+      );
+    }
+    if (rule.check.builtin === "known-vuln") {
+      dependencyFindings.push(
+        ...await checkKnownVulnerabilities(rule, ctx, files, {
+          fetchImpl: options.fetchImpl,
+          timeoutMs: options.networkTimeoutMs
+        })
+      );
+    }
+  }
+  result.findings = [...result.findings, ...dependencyFindings].filter(
+    (f) => !isIgnored(f.finding.file, config.ignorePrefixes)
+  );
+  result.findings.sort(
+    (a, b) => SEVERITY_RANK[a.finding.severity] - SEVERITY_RANK[b.finding.severity] || a.finding.file.localeCompare(b.finding.file) || a.finding.line - b.finding.line || a.finding.rule_id.localeCompare(b.finding.rule_id)
+  );
+  result.exitCode = computeExitCode(result.findings, options.failOn ?? "block");
+  result.networkSkipped = false;
+  return result;
+}
+function computeExitCode(findings, failOn) {
+  if (failOn === "never") return 0;
+  const threshold = SEVERITY_RANK[failOn];
+  return findings.some((f) => SEVERITY_RANK[f.finding.severity] <= threshold) ? 1 : 0;
+}
+var FindingSchema = z3.object({
+  event_id: z3.string().min(8),
+  event_type: z3.literal("scan.finding"),
+  time: z3.string().min(20),
+  tenant: z3.string().min(1),
+  decision: z3.enum(["deny", "scan"]),
+  route: z3.object({
+    plane: z3.literal("evidence"),
+    lane: z3.literal("cpu"),
+    reason: z3.array(z3.string()).min(1)
+  }),
+  engines: z3.array(
+    z3.object({
+      name: z3.string().min(1),
+      version: z3.string().min(1),
+      role: z3.string().optional()
+    })
+  ).min(1),
+  provenance: z3.object({
+    policy_bundle_digest: z3.string().regex(/^[a-f0-9]{64}$/)
+  }),
+  spans: z3.array(
+    z3.object({
+      start: z3.number().int().min(1),
+      end: z3.number().int().min(1),
+      label: z3.string().min(1),
+      evidence: z3.string().min(1)
+    })
+  ),
+  finding: z3.object({
+    rule_id: z3.string().regex(/^ss\/[a-z-]+\/[a-z0-9-]+$/),
+    severity: z3.enum(["block", "high", "warn", "info"]),
+    title: z3.string().min(1),
+    file: z3.string().min(1),
+    line: z3.number().int().min(1),
+    fix: z3.object({
+      summary: z3.string().min(1),
+      agent_prompt: z3.string().min(1),
+      doc_url: z3.string().optional()
+    })
+  })
+});
+
+// src/index.ts
+var pkg = JSON.parse(
+  readFileSync6(new URL("../package.json", import.meta.url), "utf8")
+);
+var FORMATS = ["table", "json", "sarif"];
+var FAIL_ON = ["block", "high", "warn", "never"];
+function assertOptions(opts) {
+  if (opts.format && !FORMATS.includes(opts.format)) {
+    console.error(`seamshield: unknown --format "${opts.format}" (expected: ${FORMATS.join(", ")})`);
+    process.exitCode = 2;
+    return false;
+  }
+  if (opts.failOn && !FAIL_ON.includes(opts.failOn)) {
+    console.error(`seamshield: unknown --fail-on "${opts.failOn}" (expected: ${FAIL_ON.join(", ")})`);
+    process.exitCode = 2;
+    return false;
+  }
+  return true;
+}
+function render(format, result) {
+  if (format === "json") return renderJson(result);
+  if (format === "sarif") return renderSarif(result);
+  return renderTable(result);
+}
+async function runScan(path, opts) {
+  if (!assertOptions(opts)) return;
+  if (!existsSync2(path)) {
+    console.error(`seamshield: path not found: ${path}`);
+    process.exitCode = 2;
+    return;
+  }
+  try {
+    const result = await scanAsync(path, {
+      failOn: opts.failOn,
+      network: opts.offline ? "off" : "on"
+    });
+    console.log(render(opts.format, result));
+    process.exitCode = result.exitCode;
+  } catch (error) {
+    console.error(`seamshield: scan failed: ${error instanceof Error ? error.message : String(error)}`);
+    process.exitCode = 2;
+  }
+}
+function writeAgentContext(target, kind) {
+  const body = [
+    "# SEAMSHIELD",
+    "",
+    "- Run `npx seamshield scan --offline` before committing AI-generated changes.",
+    "- Never hardcode provider keys, service-role keys, private keys, or dotenv contents.",
+    "- Do not expose server secrets through `NEXT_PUBLIC_*` or client components.",
+    "- Do not rely on client-only auth for private data; enforce auth server-side.",
+    "- Keep Supabase RLS enabled and Firebase rules closed by default.",
+    "- If SeamShield reports findings, apply the generated `npx seamshield fix-plan` prompts.",
+    ""
+  ].join("\n");
+  if (kind === "cursor") {
+    const out2 = join7(target, ".cursor", "rules", "seamshield.mdc");
+    mkdirSync(dirname3(out2), { recursive: true });
+    writeFileSync(out2, body);
+    return out2;
+  }
+  const out = join7(target, "CLAUDE.md");
+  const existing = existsSync2(out) ? readFileSync6(out, "utf8") : "";
+  const marker = "# SEAMSHIELD";
+  const next = existing.includes(marker) ? existing.replace(/# SEAMSHIELD[\s\S]*?(?=\n# |\n?$)/, body.trimEnd()) : `${existing.trimEnd()}${existing.trim() ? "\n\n" : ""}${body}`;
+  writeFileSync(out, next.endsWith("\n") ? next : `${next}
+`);
+  return out;
+}
+function currentBin() {
+  return fileURLToPath2(import.meta.url);
+}
+function installGuard(target) {
+  const settingsPath = join7(target, ".claude", "settings.json");
+  mkdirSync(dirname3(settingsPath), { recursive: true });
+  const settings = existsSync2(settingsPath) ? JSON.parse(readFileSync6(settingsPath, "utf8")) : {};
+  const hooks = settings.hooks && typeof settings.hooks === "object" ? settings.hooks : {};
+  const command = `${process.execPath} ${JSON.stringify(currentBin())} guard check`;
+  hooks.PreToolUse = [
+    {
+      matcher: "Write|Edit|MultiEdit|Bash",
+      hooks: [{ type: "command", command }]
+    }
+  ];
+  settings.hooks = hooks;
+  writeFileSync(settingsPath, `${JSON.stringify(settings, null, 2)}
+`);
+  return settingsPath;
+}
+function hookDeny(reason) {
+  return {
+    hookSpecificOutput: {
+      hookEventName: "PreToolUse",
+      permissionDecision: "deny",
+      permissionDecisionReason: reason
+    }
+  };
+}
+function hookAllow(additionalContext) {
+  return additionalContext ? { hookSpecificOutput: { hookEventName: "PreToolUse", additionalContext } } : {};
+}
+function readStdin() {
+  return readFileSync6(0, "utf8");
+}
+function extractToolPayload(input) {
+  const tool = String(input.tool_name ?? input.toolName ?? "");
+  const raw = input.tool_input ?? input.toolInput ?? input;
+  return { tool, raw };
+}
+function contentFromTool(tool, raw) {
+  if (!/Write|Edit|MultiEdit/.test(tool)) return null;
+  const rel = String(raw.file_path ?? raw.path ?? "proposed.txt");
+  const candidate = raw.content ?? raw.new_string ?? raw.newStr ?? (Array.isArray(raw.edits) ? raw.edits.map((e) => e.new_string ?? "").join("\n") : "");
+  return typeof candidate === "string" && candidate.length > 0 ? { rel, content: candidate } : null;
+}
+function bashDecision(command) {
+  if (/git\s+add\s+\.env/.test(command)) return "ss/secrets/env-file-committed: do not stage dotenv files.";
+  if (/curl\b[\s\S]*\|\s*(?:sh|bash)/.test(command)) return "ss/agent/overbroad-permissions: do not pipe curl directly to a shell.";
+  if (/npm\s+(?:i|install|add)\s+(@?[\w.-]+\/?[\w.-]*)/.test(command)) {
+    const name = command.match(/npm\s+(?:i|install|add)\s+(@?[\w.-]+\/?[\w.-]*)/)?.[1];
+    if (name) {
+      const encoded = name.startsWith("@") ? name.replace("/", "%2F") : name;
+      const res = spawnSync2("curl", ["-fsSI", `https://registry.npmjs.org/${encoded}`], {
+        encoding: "utf8",
+        timeout: 750
+      });
+      if (res.status !== 0) return `ss/deps/hallucinated-package: npm package "${name}" did not resolve.`;
+    }
+  }
+  return null;
+}
+function guardCheck() {
+  try {
+    const parsed = JSON.parse(readStdin());
+    const { tool, raw } = extractToolPayload(parsed);
+    if (/Bash/.test(tool)) {
+      const command = String(raw.command ?? "");
+      const deny = bashDecision(command);
+      console.log(JSON.stringify(deny ? hookDeny(deny) : hookAllow()));
+      return;
+    }
+    const proposed = contentFromTool(tool, raw);
+    if (!proposed) {
+      console.log(JSON.stringify(hookAllow()));
+      return;
+    }
+    const tempRoot = mkdtempSync(join7(tmpdir(), "seamshield-guard-"));
+    const abs = join7(tempRoot, proposed.rel.replace(/^\/+/, ""));
+    mkdirSync(dirname3(abs), { recursive: true });
+    writeFileSync(abs, proposed.content);
+    const result = scan(tempRoot, { network: "off" });
+    rmSync(tempRoot, { recursive: true, force: true });
+    const block = result.findings.find((f) => f.finding.severity === "block");
+    if (block) {
+      console.log(
+        JSON.stringify(
+          hookDeny(`${block.finding.rule_id}: ${block.finding.title}. ${block.finding.fix.summary}`)
+        )
+      );
+      return;
+    }
+    console.log(JSON.stringify(hookAllow()));
+  } catch (error) {
+    const logPath = join7(process.cwd(), ".seamshield", "guard.log");
+    try {
+      mkdirSync(dirname3(logPath), { recursive: true });
+      writeFileSync(logPath, `${(/* @__PURE__ */ new Date()).toISOString()} ${String(error)}
+`, { flag: "a" });
+    } catch {
+    }
+    console.log(JSON.stringify(hookAllow("SeamShield guard failed open; run seamshield scan.")));
+  }
+}
+var program = new Command();
+program.name("seamshield").description("Security scanner for AI-generated apps: finds the flaws vibecoded projects predictably ship.").version(pkg.version);
+program.command("scan").description("Scan a project directory and report findings").argument("[path]", "directory to scan", ".").option("--format <format>", "output format: table | json | sarif", "table").option("--fail-on <severity>", "exit 1 at or above: block | high | warn | never", "block").option("--offline", "skip npm registry and OSV network checks").action((path, opts) => {
+  return runScan(path, opts);
+});
+program.command("fix-plan").description("Write .seamshield/fix-plan.json with agent-ready fix prompts").argument("[path]", "directory to scan", ".").option("--offline", "skip npm registry and OSV network checks").action(async (path, opts) => {
+  if (!existsSync2(path)) {
+    console.error(`seamshield: path not found: ${path}`);
+    process.exitCode = 2;
+    return;
+  }
+  const result = await scanAsync(path, { network: opts.offline ? "off" : "on" });
+  const out = join7(resolve2(path), ".seamshield", "fix-plan.json");
+  mkdirSync(dirname3(out), { recursive: true });
+  writeFileSync(out, `${JSON.stringify(buildFixPlan(result), null, 2)}
+`);
+  console.log(out);
+  process.exitCode = result.exitCode;
+});
+program.command("agent-context").description("Write SeamShield agent instructions into CLAUDE.md or Cursor rules").argument("[path]", "project directory", ".").option("--claude", "write CLAUDE.md", false).option("--cursor", "write .cursor/rules/seamshield.mdc", false).action((path, opts) => {
+  const target = resolve2(path);
+  const kind = opts.cursor ? "cursor" : "claude";
+  console.log(writeAgentContext(target, kind));
+});
+var guard = program.command("guard").description("Claude Code guard utilities");
+guard.command("check").description("Read a Claude Code hook event from stdin and allow or deny").action(guardCheck);
+guard.command("install").description("Install SeamShield Claude Code PreToolUse hooks").argument("[path]", "project directory", ".").action((path) => {
+  console.log(installGuard(resolve2(path)));
+});
+program.parse();