securl 1.4.1

package/dist/postureDigest.js

@@ -0,0 +1,159 @@
+const SEVERITY_ORDER = {
+    critical: 0,
+    warning: 1,
+    info: 2,
+};
+const normalizeArray = (value) => (Array.isArray(value) ? value : []);
+const countIssuesBySeverity = (issues) => ({
+    critical: issues.filter((issue) => issue.severity === "critical").length,
+    warning: issues.filter((issue) => issue.severity === "warning").length,
+    info: issues.filter((issue) => issue.severity === "info").length,
+});
+const topIssues = (issues, limit) => [...issues]
+    .sort((left, right) => {
+    const severityDelta = SEVERITY_ORDER[left.severity] - SEVERITY_ORDER[right.severity];
+    if (severityDelta !== 0) {
+        return severityDelta;
+    }
+    return left.title.localeCompare(right.title);
+})
+    .slice(0, limit)
+    .map((issue) => ({
+    severity: issue.severity,
+    title: issue.title,
+    detail: issue.detail,
+    confidence: issue.confidence,
+    source: issue.source,
+    owasp: issue.owasp,
+    mitre: issue.mitre,
+}));
+export function buildPostureDigest(analysis, { findingLimit = 8 } = {}) {
+    const issues = normalizeArray(analysis.issues);
+    const compromiseIndicators = normalizeArray(analysis.compromiseSignals?.indicators);
+    const riskIndicators = compromiseIndicators.filter((indicator) => ["warning", "critical"].includes(indicator.severity));
+    return {
+        generatedAt: new Date().toISOString(),
+        target: {
+            inputUrl: analysis.inputUrl,
+            finalUrl: analysis.finalUrl,
+            host: analysis.host,
+            statusCode: analysis.statusCode,
+            responseTimeMs: analysis.responseTimeMs,
+            scannedAt: analysis.scannedAt,
+        },
+        posture: {
+            score: analysis.score,
+            grade: analysis.grade,
+            summary: analysis.summary,
+            overview: analysis.executiveSummary?.overview ?? null,
+            mainRisk: analysis.executiveSummary?.mainRisk ?? null,
+            posture: analysis.executiveSummary?.posture ?? null,
+            takeaways: normalizeArray(analysis.executiveSummary?.takeaways),
+            limited: analysis.assessmentLimitation?.limited ?? false,
+            limitedKind: analysis.assessmentLimitation?.kind ?? null,
+            limitation: analysis.assessmentLimitation ?? null,
+            scoreDrivers: normalizeArray(analysis.scoreDrivers).slice(0, 8),
+        },
+        findings: {
+            total: issues.length,
+            bySeverity: countIssuesBySeverity(issues),
+            top: topIssues(issues, findingLimit),
+        },
+        remediationPlan: analysis.remediationPlan ? {
+            summary: analysis.remediationPlan.summary,
+            totalActions: analysis.remediationPlan.totalActions,
+            highImpactActions: analysis.remediationPlan.highImpactActions,
+            quickWins: analysis.remediationPlan.quickWins,
+            topActions: normalizeArray(analysis.remediationPlan.items).slice(0, 5).map((item) => ({
+                id: item.id,
+                priority: item.priority,
+                title: item.title,
+                owner: item.owner,
+                effort: item.effort,
+                impact: item.impact,
+                action: item.action,
+                verify: item.verify,
+                relatedFindings: item.relatedFindings,
+            })),
+        } : null,
+        controls: {
+            headers: {
+                total: normalizeArray(analysis.headers).length,
+                missing: normalizeArray(analysis.headers).filter((header) => header.status === "missing").length,
+                warning: normalizeArray(analysis.headers).filter((header) => header.status === "warning").length,
+                present: normalizeArray(analysis.headers).filter((header) => header.status === "present").length,
+            },
+            cookies: {
+                total: normalizeArray(analysis.cookies).length,
+                issues: normalizeArray(analysis.cookieAnalysis?.issues),
+            },
+            tls: {
+                available: analysis.certificate?.available ?? false,
+                valid: analysis.certificate?.valid ?? false,
+                authorized: analysis.certificate?.authorized ?? false,
+                issuer: analysis.certificate?.issuer ?? null,
+                daysRemaining: analysis.certificate?.daysRemaining ?? null,
+                issues: normalizeArray(analysis.certificate?.issues),
+            },
+        },
+        surface: {
+            redirects: {
+                totalHops: analysis.redirectChain?.totalHops ?? normalizeArray(analysis.redirects).length,
+                hasMixedRedirect: analysis.redirectChain?.hasMixedRedirect ?? false,
+                crossesDomain: analysis.redirectChain?.crossesDomain ?? false,
+                issues: normalizeArray(analysis.redirectChain?.issues),
+            },
+            exposure: {
+                issues: normalizeArray(analysis.exposure?.issues),
+                interesting: normalizeArray(analysis.exposure?.probes).filter((probe) => probe.finding === "interesting").length,
+                exposed: normalizeArray(analysis.exposure?.probes).filter((probe) => probe.finding === "exposed").length,
+            },
+            api: {
+                issues: normalizeArray(analysis.apiSurface?.issues),
+                public: normalizeArray(analysis.apiSurface?.probes).filter((probe) => probe.classification === "public").length,
+                interesting: normalizeArray(analysis.apiSurface?.probes).filter((probe) => probe.classification === "interesting").length,
+            },
+            cors: {
+                issues: normalizeArray(analysis.corsSecurity?.issues),
+                allowCredentials: analysis.corsSecurity?.allowCredentials ?? null,
+                allowedOrigin: analysis.corsSecurity?.allowedOrigin ?? null,
+            },
+        },
+        trust: {
+            domainSecurity: {
+                emailDeliverabilityScore: analysis.domainSecurity?.emailDeliverabilityScore ?? null,
+                issues: normalizeArray(analysis.domainSecurity?.issues),
+                strengths: normalizeArray(analysis.domainSecurity?.strengths),
+            },
+            securityTxt: {
+                status: analysis.securityTxt?.status ?? null,
+                contact: normalizeArray(analysis.securityTxt?.contact),
+            },
+            thirdParty: {
+                providers: normalizeArray(analysis.thirdPartyTrust?.providers).map((provider) => provider.name),
+                highRiskProviders: analysis.thirdPartyTrust?.highRiskProviders ?? 0,
+                issues: normalizeArray(analysis.thirdPartyTrust?.issues),
+            },
+            identityProvider: analysis.identityProvider?.provider ?? null,
+            wafProviders: normalizeArray(analysis.wafFingerprint?.providers).map((provider) => provider.name),
+            infrastructureProviders: normalizeArray(analysis.infrastructure?.providers).map((provider) => provider.provider),
+        },
+        intelligence: {
+            passiveRead: analysis.passiveIntelligence?.postureRead ?? null,
+            compromisePosture: analysis.compromiseSignals?.posture ?? null,
+            compromiseSummary: analysis.compromiseSignals?.summary ?? null,
+            riskIndicators: riskIndicators.slice(0, 8).map((indicator) => ({
+                severity: indicator.severity,
+                category: indicator.category,
+                title: indicator.title,
+                detail: indicator.detail,
+                confidence: indicator.confidence,
+            })),
+            ctPriorityHosts: normalizeArray(analysis.ctDiscovery?.prioritizedHosts)
+                .slice(0, 10)
+                .map((host) => host.host),
+            aiVendors: normalizeArray(analysis.aiSurface?.vendors).map((vendor) => vendor.name),
+        },
+        timing: analysis.scanTiming ?? null,
+    };
+}

package/dist/postureDrift.d.ts

@@ -0,0 +1,4 @@
+import type { HistoryDiff, HistorySnapshot, PostureDriftReport, PostureRiskEvent } from "./types.js";
+export declare function buildPostureDriftReportFromDiff(current: HistorySnapshot, previous: HistorySnapshot, diff: HistoryDiff, riskEvents?: PostureRiskEvent[]): PostureDriftReport;
+export declare function buildPostureDriftReportFromSnapshots(current: HistorySnapshot, previous: HistorySnapshot): PostureDriftReport;
+export declare function buildPostureDriftReport(history: HistorySnapshot[]): PostureDriftReport | null;

package/dist/postureDrift.js

@@ -0,0 +1,118 @@
+import { buildHistoryDiffFromSnapshots } from "./historyDiff.js";
+import { buildPostureRiskEventsFromSnapshots } from "./riskEvents.js";
+const SEVERITY_ORDER = {
+    none: 0,
+    info: 1,
+    warning: 2,
+    critical: 3,
+};
+function snapshotSummary(snapshot) {
+    return {
+        finalUrl: snapshot.finalUrl,
+        host: snapshot.host,
+        scannedAt: snapshot.scannedAt,
+        score: snapshot.score,
+        grade: snapshot.grade,
+        statusCode: snapshot.statusCode,
+    };
+}
+function highestSeverity(events) {
+    return events.reduce((highest, event) => (SEVERITY_ORDER[event.severity] > SEVERITY_ORDER[highest] ? event.severity : highest), "none");
+}
+function countEvents(events) {
+    return events.reduce((counts, event) => {
+        counts[event.severity] += 1;
+        return counts;
+    }, {
+        critical: 0,
+        warning: 0,
+        info: 0,
+    });
+}
+function sortEventsBySeverity(events) {
+    return [...events].sort((left, right) => {
+        const severityDelta = SEVERITY_ORDER[right.severity] - SEVERITY_ORDER[left.severity];
+        if (severityDelta !== 0) {
+            return severityDelta;
+        }
+        return left.eventType.localeCompare(right.eventType);
+    });
+}
+function addArea(areas, condition, area) {
+    if (condition) {
+        areas.add(area);
+    }
+}
+function changedAreas(diff) {
+    const areas = new Set();
+    addArea(areas, typeof diff.scoreDelta === "number" && diff.scoreDelta !== 0, "score");
+    addArea(areas, diff.previousGrade !== diff.currentGrade, "grade");
+    addArea(areas, Boolean(diff.statusCodeDelta && diff.statusCodeDelta.from !== diff.statusCodeDelta.to), "status");
+    addArea(areas, Boolean(diff.certificateDaysRemainingDelta?.delta), "certificate");
+    addArea(areas, diff.headerChanges.length > 0, "headers");
+    addArea(areas, diff.newIssues.length > 0 || diff.resolvedIssues.length > 0, "findings");
+    addArea(areas, diff.newThirdPartyProviders.length > 0 || diff.removedThirdPartyProviders.length > 0, "third_party");
+    addArea(areas, diff.newAiVendors.length > 0 || diff.removedAiVendors.length > 0, "ai");
+    addArea(areas, Boolean(diff.identityProviderChange), "identity");
+    addArea(areas, diff.wafProviderChanges.newProviders.length > 0 || diff.wafProviderChanges.removedProviders.length > 0, "waf");
+    addArea(areas, diff.ctPriorityHostChanges.newHosts.length > 0 || diff.ctPriorityHostChanges.removedHosts.length > 0, "ct");
+    return [...areas];
+}
+function hasPositiveChange(diff) {
+    return ((typeof diff.scoreDelta === "number" && diff.scoreDelta > 0) ||
+        diff.resolvedIssues.length > 0 ||
+        diff.wafProviderChanges.newProviders.length > 0);
+}
+function hasNegativeChange(diff, events) {
+    return (events.some((event) => event.severity === "warning" || event.severity === "critical") ||
+        (typeof diff.scoreDelta === "number" && diff.scoreDelta < 0) ||
+        diff.newIssues.length > 0 ||
+        diff.wafProviderChanges.removedProviders.length > 0);
+}
+function buildDirection(diff, events) {
+    const negative = hasNegativeChange(diff, events);
+    const positive = hasPositiveChange(diff);
+    if (negative) {
+        return "regressed";
+    }
+    if (positive) {
+        return "improved";
+    }
+    if (changedAreas(diff).length > 0) {
+        return "changed";
+    }
+    return "unchanged";
+}
+export function buildPostureDriftReportFromDiff(current, previous, diff, riskEvents = buildPostureRiskEventsFromSnapshots(current, previous, diff)) {
+    const summaryItems = diff.summary.length ? diff.summary : ["No posture drift detected."];
+    const eventCounts = countEvents(riskEvents);
+    const topEvents = sortEventsBySeverity(riskEvents).slice(0, 5);
+    return {
+        current: snapshotSummary(current),
+        previous: snapshotSummary(previous),
+        diff,
+        riskEvents,
+        summary: {
+            direction: buildDirection(diff, riskEvents),
+            severity: highestSeverity(riskEvents),
+            scoreDelta: typeof diff.scoreDelta === "number" ? diff.scoreDelta : null,
+            gradeChanged: diff.previousGrade !== diff.currentGrade,
+            hasRegression: hasNegativeChange(diff, riskEvents),
+            hasImprovement: hasPositiveChange(diff),
+            eventCounts,
+            changedAreas: changedAreas(diff),
+            topEvents,
+            summary: summaryItems,
+        },
+    };
+}
+export function buildPostureDriftReportFromSnapshots(current, previous) {
+    const diff = buildHistoryDiffFromSnapshots(current, previous);
+    return buildPostureDriftReportFromDiff(current, previous, diff);
+}
+export function buildPostureDriftReport(history) {
+    if (history.length < 2) {
+        return null;
+    }
+    return buildPostureDriftReportFromSnapshots(history[0], history[1]);
+}

package/dist/postureRemediation.d.ts

@@ -0,0 +1,6 @@
+import type { AnalysisResult, RemediationPlan, ScanEvidenceReference, ScanIssue } from "./types.js";
+export declare function buildIssueEvidence(issue: ScanIssue, analysis: AnalysisResult): ScanEvidenceReference[];
+export declare function attachIssueEvidence(analysis: AnalysisResult): AnalysisResult;
+export declare function buildPostureRemediationPlan(analysis: AnalysisResult, { limit }?: {
+    limit?: number;
+}): RemediationPlan;

package/dist/postureRemediation.js

@@ -0,0 +1,286 @@
+const normalizeArray = (value) => (Array.isArray(value) ? value : []);
+const HEADER_AREA_KEYS = new Set(["edge", "content"]);
+const slug = (value) => {
+    let output = "";
+    let pendingDash = false;
+    for (const char of value.toLowerCase()) {
+        const code = char.charCodeAt(0);
+        const isAsciiLetter = code >= 97 && code <= 122;
+        const isDigit = code >= 48 && code <= 57;
+        if (isAsciiLetter || isDigit) {
+            if (pendingDash && output.length > 0)
+                output += "-";
+            output += char;
+            pendingDash = false;
+        }
+        else {
+            pendingDash = true;
+        }
+        if (output.length >= 80)
+            break;
+    }
+    return output || "remediation";
+};
+function issueSeverityRank(issue) {
+    if (issue.severity === "critical")
+        return 0;
+    if (issue.severity === "warning")
+        return 1;
+    return 2;
+}
+function impactFromScore(scoreImpact, issue) {
+    if (scoreImpact !== null && scoreImpact >= 15)
+        return "high";
+    if (issue?.severity === "critical")
+        return "high";
+    if (scoreImpact !== null && scoreImpact >= 5)
+        return "medium";
+    if (issue?.severity === "warning")
+        return "medium";
+    return "low";
+}
+function ownerForArea(areaKey) {
+    if (areaKey === "domain")
+        return "dns";
+    if (areaKey === "trust" || areaKey === "ai")
+        return "third_party";
+    if (areaKey === "headers" || areaKey === "edge" || areaKey === "content")
+        return "edge";
+    if (areaKey === "certificate" || areaKey === "transport")
+        return "edge";
+    return "app";
+}
+function effortFor(owner, title) {
+    const lower = title.toLowerCase();
+    if (owner === "dns" || lower.includes("content-security-policy") || lower.includes("csp"))
+        return "medium";
+    if (lower.includes("third-party") || lower.includes("identity"))
+        return "medium";
+    if (lower.includes("limited assessment") || lower.includes("service unavailable"))
+        return "high";
+    return "low";
+}
+function evidenceKindForScoreSource(source) {
+    if (source === "tls")
+        return "tls";
+    if (source === "cookies")
+        return "cookie";
+    if (source === "dns")
+        return "dns";
+    if (source === "html")
+        return "html";
+    if (source === "public_record")
+        return "public_record";
+    return "score_driver";
+}
+function headerEvidenceForIssue(issue, headers) {
+    const issueText = `${issue.title} ${issue.detail}`.toLowerCase();
+    const matched = headers.find((header) => issueText.includes(header.label.toLowerCase()) || issueText.includes(header.key.toLowerCase()));
+    if (!matched)
+        return [];
+    return [{
+            kind: "header",
+            label: matched.label,
+            observed: matched.value ?? matched.status,
+            expected: matched.recommendation,
+            source: issue.source,
+        }];
+}
+function cookieEvidenceForIssue(issue, analysis) {
+    const titleLower = issue.title.toLowerCase();
+    const prefix = "cookie ";
+    const suffix = " needs attention";
+    const cookieName = titleLower.startsWith(prefix) && titleLower.endsWith(suffix)
+        ? issue.title.slice(prefix.length, issue.title.length - suffix.length).trim() || null
+        : null;
+    const cookie = cookieName
+        ? normalizeArray(analysis.cookies).find((item) => item.name === cookieName)
+        : null;
+    if (!cookieName && !cookie)
+        return [];
+    return [{
+            kind: "cookie",
+            label: cookieName ?? cookie?.name ?? "Cookie",
+            observed: cookie
+                ? [
+                    cookie.secure ? "Secure" : "missing Secure",
+                    cookie.httpOnly ? "HttpOnly" : "missing HttpOnly",
+                    cookie.sameSite ? `SameSite=${cookie.sameSite}` : "missing SameSite",
+                ].join(", ")
+                : issue.detail,
+            expected: "Session and authentication cookies should use Secure, HttpOnly, and an appropriate SameSite policy.",
+            source: issue.source,
+        }];
+}
+export function buildIssueEvidence(issue, analysis) {
+    const evidence = [
+        ...normalizeArray(issue.evidence),
+        ...headerEvidenceForIssue(issue, normalizeArray(analysis.headers)),
+        ...cookieEvidenceForIssue(issue, analysis),
+    ];
+    if (issue.area === "transport" && issue.title.toLowerCase().includes("https")) {
+        evidence.push({
+            kind: "tls",
+            label: "Final URL",
+            observed: analysis.finalUrl,
+            expected: "HTTPS with a trusted certificate chain.",
+            url: analysis.finalUrl,
+            source: issue.source,
+        });
+    }
+    if (issue.area === "certificate") {
+        evidence.push({
+            kind: "tls",
+            label: analysis.certificate?.subject ?? analysis.host,
+            observed: normalizeArray(analysis.certificate?.issues).join("; ") || analysis.certificate?.issuer || null,
+            expected: "Valid, trusted certificate with comfortable renewal runway.",
+            source: issue.source,
+        });
+    }
+    if (issue.title.toLowerCase().includes("redirect")) {
+        evidence.push({
+            kind: "redirect",
+            label: "Redirect chain",
+            observed: `${analysis.redirectChain?.totalHops ?? normalizeArray(analysis.redirects).length} hop(s)`,
+            expected: "Short HTTPS-only redirect chain.",
+            url: analysis.finalUrl,
+            source: issue.source,
+        });
+    }
+    const seen = new Set();
+    return evidence.filter((item) => {
+        const key = `${item.kind}:${item.label}:${item.observed ?? ""}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}
+export function attachIssueEvidence(analysis) {
+    return {
+        ...analysis,
+        issues: normalizeArray(analysis.issues).map((issue) => ({
+            ...issue,
+            evidence: buildIssueEvidence(issue, analysis),
+        })),
+    };
+}
+function relatedFindingsForDriver(driver, issues) {
+    const driverText = `${driver.areaKey} ${driver.label} ${driver.detail}`.toLowerCase();
+    return issues
+        .filter((issue) => {
+        if (HEADER_AREA_KEYS.has(driver.areaKey) && issue.area === "headers")
+            return true;
+        if (driver.source === "cookies" && issue.area === "cookies")
+            return true;
+        if (driver.source === "tls" && (issue.area === "certificate" || issue.area === "transport"))
+            return true;
+        return driverText.includes(issue.title.toLowerCase());
+    })
+        .sort((left, right) => issueSeverityRank(left) - issueSeverityRank(right))
+        .slice(0, 4)
+        .map((issue) => issue.title);
+}
+function actionFor(owner, title, detail) {
+    const lower = `${title} ${detail}`.toLowerCase();
+    if (lower.includes("content-security-policy") || lower.includes("csp")) {
+        return "Define a deployable CSP baseline, test it in report-only mode if needed, then enforce it on the edge or app response.";
+    }
+    if (lower.includes("header")) {
+        return "Set the missing or weak browser security headers at the edge, reverse proxy, or application response layer.";
+    }
+    if (owner === "dns") {
+        return "Update DNS/provider configuration, then rescan once records have propagated.";
+    }
+    if (lower.includes("cookie")) {
+        return "Adjust application cookie attributes for session-sensitive cookies and verify the Set-Cookie response.";
+    }
+    if (lower.includes("certificate") || lower.includes("tls")) {
+        return "Review certificate issuance, renewal, and TLS termination configuration on the serving edge.";
+    }
+    if (owner === "third_party") {
+        return "Confirm ownership, data handling, and necessity for the observed third-party surface.";
+    }
+    return "Review the finding, apply the smallest safe configuration change, then rescan the same URL.";
+}
+function verifyFor(owner) {
+    if (owner === "dns")
+        return "Rescan after DNS propagation and confirm Domain & Trust findings are reduced.";
+    if (owner === "third_party")
+        return "Rescan and confirm the vendor signal is either disclosed, justified, or removed.";
+    return "Rescan the target and confirm the related finding is resolved or downgraded.";
+}
+function itemFromDriver(driver, analysis, priority) {
+    const issues = normalizeArray(analysis.issues);
+    const owner = ownerForArea(driver.areaKey);
+    const relatedFindings = relatedFindingsForDriver(driver, issues);
+    return {
+        id: slug(`${driver.areaKey}-${driver.label}`),
+        priority,
+        title: driver.label,
+        detail: driver.detail,
+        owner,
+        effort: effortFor(owner, driver.label),
+        impact: impactFromScore(driver.impact),
+        action: actionFor(owner, driver.label, driver.detail),
+        verify: verifyFor(owner),
+        scoreImpact: driver.impact,
+        relatedFindings,
+        evidence: [{
+                kind: evidenceKindForScoreSource(driver.source),
+                label: driver.areaLabel,
+                observed: driver.detail,
+                source: driver.source,
+            }],
+    };
+}
+function itemFromIssue(issue, analysis, priority) {
+    const owner = ownerForArea(issue.area);
+    return {
+        id: slug(`${issue.area}-${issue.title}`),
+        priority,
+        title: issue.title,
+        detail: issue.detail,
+        owner,
+        effort: effortFor(owner, issue.title),
+        impact: impactFromScore(null, issue),
+        action: actionFor(owner, issue.title, issue.detail),
+        verify: verifyFor(owner),
+        scoreImpact: null,
+        relatedFindings: [issue.title],
+        evidence: buildIssueEvidence(issue, analysis),
+    };
+}
+export function buildPostureRemediationPlan(analysis, { limit = 10 } = {}) {
+    const issues = normalizeArray(analysis.issues);
+    const driverItems = normalizeArray(analysis.scoreDrivers)
+        .filter((driver) => driver.impact > 0)
+        .map((driver, index) => itemFromDriver(driver, analysis, index + 1));
+    const existingTitles = new Set(driverItems.map((item) => item.title.toLowerCase()));
+    const issueItems = issues
+        .filter((issue) => !existingTitles.has(issue.title.toLowerCase()))
+        .sort((left, right) => issueSeverityRank(left) - issueSeverityRank(right) || left.title.localeCompare(right.title))
+        .map((issue, index) => itemFromIssue(issue, analysis, driverItems.length + index + 1));
+    const deduped = [];
+    const seen = new Set();
+    for (const item of [...driverItems, ...issueItems]) {
+        if (seen.has(item.id))
+            continue;
+        seen.add(item.id);
+        deduped.push({ ...item, priority: deduped.length + 1 });
+        if (deduped.length >= limit)
+            break;
+    }
+    const highImpactActions = deduped.filter((item) => item.impact === "high").length;
+    const quickWins = deduped.filter((item) => item.effort === "low").length;
+    return {
+        generatedAt: new Date().toISOString(),
+        summary: deduped.length
+            ? `${deduped.length} prioritized remediation action${deduped.length === 1 ? "" : "s"} generated from score drivers and findings.`
+            : "No remediation actions were generated from the current passive evidence.",
+        totalActions: deduped.length,
+        highImpactActions,
+        quickWins,
+        items: deduped,
+    };
+}

package/dist/redirectChain.d.ts

@@ -0,0 +1,2 @@
+import type { RedirectChainInfo, RedirectHop } from "./types.js";
+export declare function analyzeRedirectChain(submittedUrl: URL, finalUrl: URL, redirects: RedirectHop[]): RedirectChainInfo;

package/dist/redirectChain.js

@@ -0,0 +1,39 @@
+import { getSiteDomain } from "./utils.js";
+const redirectStatuses = new Set([301, 302, 303, 307, 308]);
+export function analyzeRedirectChain(submittedUrl, finalUrl, redirects) {
+    const hops = redirects.map((hop) => ({
+        ...hop,
+        status: hop.status ?? hop.statusCode,
+        isHttps: hop.isHttps ?? hop.secure,
+    }));
+    const redirectHops = hops.filter((hop) => redirectStatuses.has(hop.status));
+    const startedHttps = submittedUrl.protocol === "https:";
+    const endedHttps = finalUrl.protocol === "https:";
+    const hasMixedRedirect = startedHttps && endedHttps && hops.some((hop) => !hop.isHttps);
+    const isLongChain = redirectHops.length > 3;
+    const crossesDomain = getSiteDomain(submittedUrl.hostname) !== getSiteDomain(finalUrl.hostname);
+    const issues = [];
+    const strengths = [];
+    if (hasMixedRedirect) {
+        issues.push("Redirect chain includes an HTTP hop before reaching the final HTTPS URL.");
+    }
+    if (isLongChain) {
+        issues.push("Redirect chain is longer than three hops, which adds latency and can make policy enforcement harder to reason about.");
+    }
+    if (crossesDomain) {
+        issues.push("Final URL resolves to a different registrable domain than the submitted URL.");
+    }
+    if (!issues.length) {
+        strengths.push("Redirect chain stayed short, HTTPS-only, and on the expected domain.");
+    }
+    return {
+        hops,
+        finalUrl: finalUrl.toString(),
+        totalHops: redirectHops.length,
+        hasMixedRedirect,
+        isLongChain,
+        crossesDomain,
+        issues,
+        strengths,
+    };
+}

package/dist/riskEvents.d.ts

@@ -0,0 +1,3 @@
+import type { HistoryDiff, HistorySnapshot, PostureRiskEvent } from "./types.js";
+export declare function buildPostureRiskEventsFromDiff(diff: HistoryDiff | null | undefined): PostureRiskEvent[];
+export declare function buildPostureRiskEventsFromSnapshots(current: HistorySnapshot, previous: HistorySnapshot, diff: HistoryDiff): PostureRiskEvent[];