securl 1.4.1

package/dist/riskEvents.js

@@ -0,0 +1,187 @@
+const GRADE_ORDER = new Map([
+    ["A", 0],
+    ["B", 1],
+    ["C", 2],
+    ["D", 3],
+    ["E", 4],
+    ["F", 5],
+]);
+function normalizeGrade(grade) {
+    if (!grade) {
+        return null;
+    }
+    const normalized = grade.trim().toUpperCase().slice(0, 1);
+    return GRADE_ORDER.has(normalized) ? normalized : null;
+}
+function compareGrades(currentGrade, previousGrade) {
+    const current = normalizeGrade(currentGrade);
+    const previous = normalizeGrade(previousGrade);
+    if (!current || !previous) {
+        return null;
+    }
+    return (GRADE_ORDER.get(current) ?? 0) - (GRADE_ORDER.get(previous) ?? 0);
+}
+function scoreRegressionSeverity(delta) {
+    if (delta <= -25) {
+        return "critical";
+    }
+    if (delta <= -10) {
+        return "warning";
+    }
+    return "info";
+}
+function pushEvent(events, event) {
+    events.push(event);
+}
+export function buildPostureRiskEventsFromDiff(diff) {
+    if (!diff) {
+        return [];
+    }
+    const events = [];
+    const scoreDelta = typeof diff.scoreDelta === "number" ? diff.scoreDelta : null;
+    if (scoreDelta !== null && scoreDelta < 0) {
+        pushEvent(events, {
+            eventType: "score_regressed",
+            severity: scoreRegressionSeverity(scoreDelta),
+            title: "Score regressed",
+            detail: `The posture score dropped by ${Math.abs(scoreDelta)} point${Math.abs(scoreDelta) === 1 ? "" : "s"}.`,
+            metadata: {
+                previousScore: diff.previousScore,
+                scoreDelta,
+            },
+        });
+    }
+    const gradeDelta = compareGrades(diff.currentGrade, diff.previousGrade);
+    if (gradeDelta !== null && gradeDelta > 0) {
+        pushEvent(events, {
+            eventType: "grade_dropped",
+            severity: gradeDelta >= 2 ? "critical" : "warning",
+            title: "Grade dropped",
+            detail: `The posture grade changed from ${diff.previousGrade} to ${diff.currentGrade}.`,
+            metadata: {
+                previousGrade: diff.previousGrade,
+                currentGrade: diff.currentGrade,
+            },
+        });
+    }
+    if (diff.statusCodeDelta && diff.statusCodeDelta.from !== diff.statusCodeDelta.to) {
+        pushEvent(events, {
+            eventType: "status_code_changed",
+            severity: "info",
+            title: "HTTP status changed",
+            detail: `The HTTP status changed from ${diff.statusCodeDelta.from} to ${diff.statusCodeDelta.to}.`,
+            metadata: diff.statusCodeDelta,
+        });
+    }
+    const certDelta = diff.certificateDaysRemainingDelta;
+    if (certDelta && typeof certDelta.to === "number" && certDelta.to <= 14) {
+        pushEvent(events, {
+            eventType: "certificate_expiring_soon",
+            severity: certDelta.to <= 7 ? "critical" : "warning",
+            title: "Certificate expires soon",
+            detail: `The certificate has ${certDelta.to} day${certDelta.to === 1 ? "" : "s"} remaining.`,
+            metadata: certDelta,
+        });
+    }
+    else if (certDelta && typeof certDelta.delta === "number" && certDelta.delta <= -30) {
+        pushEvent(events, {
+            eventType: "certificate_window_shortened",
+            severity: "warning",
+            title: "Certificate window shortened",
+            detail: `The certificate validity window shortened by ${Math.abs(certDelta.delta)} days.`,
+            metadata: certDelta,
+        });
+    }
+    const removedHeaders = diff.headerChanges.filter((change) => ["pass", "present"].includes(change.from) && change.to !== change.from);
+    if (removedHeaders.length) {
+        pushEvent(events, {
+            eventType: "security_header_regressed",
+            severity: "warning",
+            title: "Security headers regressed",
+            detail: `${removedHeaders.length} security header${removedHeaders.length === 1 ? "" : "s"} moved away from a passing state.`,
+            metadata: {
+                headers: removedHeaders,
+            },
+        });
+    }
+    if (diff.wafProviderChanges.removedProviders.length) {
+        pushEvent(events, {
+            eventType: "waf_signal_removed",
+            severity: "warning",
+            title: "WAF or edge signal disappeared",
+            detail: `Previously observed WAF or edge signals disappeared: ${diff.wafProviderChanges.removedProviders.join(", ")}.`,
+            metadata: {
+                removedProviders: diff.wafProviderChanges.removedProviders,
+            },
+        });
+    }
+    if (diff.ctPriorityHostChanges.newHosts.length) {
+        pushEvent(events, {
+            eventType: "new_ct_priority_hosts",
+            severity: "info",
+            title: "New CT hosts observed",
+            detail: `New high-priority certificate transparency hosts appeared: ${diff.ctPriorityHostChanges.newHosts.join(", ")}.`,
+            metadata: {
+                newHosts: diff.ctPriorityHostChanges.newHosts,
+            },
+        });
+    }
+    if (diff.identityProviderChange) {
+        pushEvent(events, {
+            eventType: "identity_provider_changed",
+            severity: "info",
+            title: "Identity provider changed",
+            detail: `Identity provider changed from ${diff.identityProviderChange.from ?? "none"} to ${diff.identityProviderChange.to ?? "none"}.`,
+            metadata: diff.identityProviderChange,
+        });
+    }
+    if (diff.newThirdPartyProviders.length) {
+        pushEvent(events, {
+            eventType: "new_third_party_providers",
+            severity: "info",
+            title: "New third-party providers observed",
+            detail: `New third-party providers were observed: ${diff.newThirdPartyProviders.join(", ")}.`,
+            metadata: {
+                newProviders: diff.newThirdPartyProviders,
+            },
+        });
+    }
+    if (diff.newAiVendors.length) {
+        pushEvent(events, {
+            eventType: "new_ai_vendors",
+            severity: "info",
+            title: "New AI vendors observed",
+            detail: `New AI vendors were observed: ${diff.newAiVendors.join(", ")}.`,
+            metadata: {
+                newVendors: diff.newAiVendors,
+            },
+        });
+    }
+    return events;
+}
+export function buildPostureRiskEventsFromSnapshots(current, previous, diff) {
+    const events = buildPostureRiskEventsFromDiff(diff);
+    const previousCriticalIssues = new Set(previous.issues
+        .filter((issue) => issue.severity === "critical")
+        .map((issue) => issue.title));
+    const newCriticalIssues = current.issues
+        .filter((issue) => issue.severity === "critical" && !previousCriticalIssues.has(issue.title))
+        .map((issue) => ({
+        title: issue.title,
+        detail: issue.detail,
+        confidence: issue.confidence,
+        source: issue.source,
+    }));
+    if (newCriticalIssues.length) {
+        events.unshift({
+            eventType: "new_critical_findings",
+            severity: "critical",
+            title: "New critical findings",
+            detail: `${newCriticalIssues.length} new critical finding${newCriticalIssues.length === 1 ? "" : "s"} appeared.`,
+            metadata: {
+                issues: newCriticalIssues,
+            },
+        });
+    }
+    return events;
+}

package/dist/scannerConfig.d.ts

@@ -0,0 +1,49 @@
+export declare const REQUEST_TIMEOUT_MS = 12000;
+export declare const SECONDARY_REQUEST_TIMEOUT_MS = 4000;
+export declare const MAX_SCAN_DURATION_MS = 45000;
+export declare const TLS_HANDSHAKE_TIMEOUT_MS = 10000;
+export declare const DNS_LOOKUP_TIMEOUT_MS = 2500;
+export declare const TEXT_BODY_LIMIT = 256000;
+export declare const HTML_SIGNATURE_LIMIT = 280;
+export declare const DISCOVERY_PATH_LIMIT = 10;
+export declare const SUMMARY_EVIDENCE_LIMIT = 3;
+export declare const CLIENT_EXPOSURE_EVIDENCE_LIMIT = 6;
+export declare const LIBRARY_RISK_LOOKUP_LIMIT = 8;
+export declare const OSV_QUERY_TIMEOUT_MS = 3000;
+export declare const OSV_DETAIL_LOOKUP_LIMIT = 12;
+export declare const CT_LOOKUP_TIMEOUT_MS = 1500;
+export declare const CT_CACHE_TTL_MS: number;
+export declare const CT_SUBDOMAIN_LIMIT = 20;
+export declare const CT_WILDCARD_LIMIT = 5;
+export declare const CT_SAMPLE_LIMIT = 4;
+export declare const CT_SAMPLE_CONCURRENCY_LIMIT = 2;
+export declare const OIDC_DISCOVERY_TIMEOUT_MS = 4000;
+export declare const CRAWL_CONCURRENCY_LIMIT = 2;
+export declare const CRAWL_PAGE_LIMIT = 6;
+export declare const OSV_DETAIL_CONCURRENCY_LIMIT = 3;
+export declare const DEEP_PASSIVE_SCAN_TIMEOUT_MS = 75000;
+export declare const DEEP_PASSIVE_CT_SUBDOMAIN_LIMIT = 50;
+export declare const DEEP_PASSIVE_CT_WILDCARD_LIMIT = 10;
+export declare const DEEP_PASSIVE_CT_SAMPLE_LIMIT = 10;
+export declare const DEEP_PASSIVE_CRAWL_PAGE_LIMIT = 10;
+export declare const REDIRECT_LIMIT = 5;
+export declare const CRAWL_CANDIDATES: {
+    label: string;
+    path: string;
+}[];
+export declare const EXPOSURE_PROBES: {
+    label: string;
+    path: string;
+}[];
+export declare const DEEP_PASSIVE_EXPOSURE_PROBES: {
+    label: string;
+    path: string;
+}[];
+export declare const API_SURFACE_PROBES: {
+    label: string;
+    path: string;
+}[];
+export declare const DEEP_PASSIVE_API_SURFACE_PROBES: {
+    label: string;
+    path: string;
+}[];

package/dist/scannerConfig.js

@@ -0,0 +1,79 @@
+// Network and parsing limits are intentionally conservative because this package
+// is designed for low-noise, best-effort external posture analysis rather than
+// deep crawling or full content retrieval.
+export const REQUEST_TIMEOUT_MS = 12_000;
+export const SECONDARY_REQUEST_TIMEOUT_MS = 4_000;
+export const MAX_SCAN_DURATION_MS = 45_000;
+export const TLS_HANDSHAKE_TIMEOUT_MS = 10_000;
+export const DNS_LOOKUP_TIMEOUT_MS = 2_500;
+// Cap fetched text bodies so block pages or giant responses do not dominate
+// memory use or slow downstream passive analysis.
+export const TEXT_BODY_LIMIT = 256_000;
+// Keep HTML signatures small because they are only used for lightweight
+// fallback detection, not content comparison.
+export const HTML_SIGNATURE_LIMIT = 280;
+// Discovery and evidence limits are intentionally short to keep passive
+// reporting readable and avoid over-claiming from noisy pages.
+export const DISCOVERY_PATH_LIMIT = 10;
+export const SUMMARY_EVIDENCE_LIMIT = 3;
+export const CLIENT_EXPOSURE_EVIDENCE_LIMIT = 6;
+export const LIBRARY_RISK_LOOKUP_LIMIT = 8;
+export const OSV_QUERY_TIMEOUT_MS = 3_000;
+export const OSV_DETAIL_LOOKUP_LIMIT = 12;
+export const CT_LOOKUP_TIMEOUT_MS = 1_500;
+export const CT_CACHE_TTL_MS = 15 * 60 * 1_000;
+export const CT_SUBDOMAIN_LIMIT = 20;
+export const CT_WILDCARD_LIMIT = 5;
+export const CT_SAMPLE_LIMIT = 4;
+export const CT_SAMPLE_CONCURRENCY_LIMIT = 2;
+export const OIDC_DISCOVERY_TIMEOUT_MS = 4_000;
+export const CRAWL_CONCURRENCY_LIMIT = 2;
+export const CRAWL_PAGE_LIMIT = 6;
+export const OSV_DETAIL_CONCURRENCY_LIMIT = 3;
+export const DEEP_PASSIVE_SCAN_TIMEOUT_MS = 75_000;
+export const DEEP_PASSIVE_CT_SUBDOMAIN_LIMIT = 50;
+export const DEEP_PASSIVE_CT_WILDCARD_LIMIT = 10;
+export const DEEP_PASSIVE_CT_SAMPLE_LIMIT = 10;
+export const DEEP_PASSIVE_CRAWL_PAGE_LIMIT = 10;
+// Redirect following stays shallow to reduce SSRF risk and keep scans close to
+// normal browser behavior.
+export const REDIRECT_LIMIT = 5;
+export const CRAWL_CANDIDATES = [
+    { label: "Homepage", path: "/" },
+    { label: "Login", path: "/login" },
+    { label: "App", path: "/app" },
+    { label: "Dashboard", path: "/dashboard" },
+    { label: "Admin", path: "/admin" },
+    { label: "API root", path: "/api" },
+];
+export const EXPOSURE_PROBES = [
+    { label: "Robots", path: "/robots.txt" },
+    { label: "Sitemap", path: "/sitemap.xml" },
+    { label: "Git metadata", path: "/.git/HEAD" },
+    { label: "Environment file", path: "/.env" },
+];
+export const DEEP_PASSIVE_EXPOSURE_PROBES = [
+    ...EXPOSURE_PROBES,
+    { label: "Well-known security", path: "/.well-known/security.txt" },
+    { label: "OpenID configuration", path: "/.well-known/openid-configuration" },
+    { label: "OAuth metadata", path: "/.well-known/oauth-authorization-server" },
+    { label: "Change password", path: "/.well-known/change-password" },
+    { label: "Humans", path: "/humans.txt" },
+    { label: "Ads", path: "/ads.txt" },
+    { label: "Server status", path: "/server-status" },
+    { label: "WordPress API", path: "/wp-json" },
+];
+export const API_SURFACE_PROBES = [
+    { label: "API root", path: "/api" },
+    { label: "GraphQL", path: "/graphql" },
+    { label: "Versioned API", path: "/api/v1" },
+];
+export const DEEP_PASSIVE_API_SURFACE_PROBES = [
+    ...API_SURFACE_PROBES,
+    { label: "OpenAPI", path: "/openapi.json" },
+    { label: "Swagger", path: "/swagger.json" },
+    { label: "API docs", path: "/api-docs" },
+    { label: "Docs", path: "/docs" },
+    { label: "REST", path: "/rest" },
+    { label: "RPC", path: "/rpc" },
+];

package/dist/scoring.d.ts

@@ -0,0 +1,32 @@
+import type { AnalysisResult, CertificateResult, CookieResult, RedirectHop, ScoreDriver, SecurityHeaderResult } from "./types.js";
+export type PostureAreaKey = "edge" | "content" | "domain" | "exposure" | "api" | "trust" | "ai";
+export interface PostureAreaScore {
+    key: PostureAreaKey;
+    label: string;
+    score: number;
+    status: "strong" | "watch" | "weak";
+}
+type PostureScoringInput = Omit<AnalysisResult, "executiveSummary"> & {
+    executiveSummary?: AnalysisResult["executiveSummary"];
+};
+export declare function gradeForScore(score: number): string;
+export declare function scoreAnalysis({ isHttps, headerResults, certificate, cookies, redirects, limitedResponse, }: {
+    isHttps: boolean;
+    headerResults: SecurityHeaderResult[];
+    certificate: CertificateResult;
+    cookies: CookieResult[];
+    redirects: RedirectHop[];
+    limitedResponse?: boolean;
+}): {
+    score: number;
+    grade: string;
+};
+export declare function getPostureAreaScores(analysis: PostureScoringInput): PostureAreaScore[];
+export declare function getPostureScoreDrivers(analysis: PostureScoringInput): ScoreDriver[];
+export declare function scorePostureAnalysis(analysis: PostureScoringInput): {
+    score: number;
+    grade: string;
+    scoreDrivers: ScoreDriver[];
+};
+export declare function summarizePostureGrade(grade: string): string;
+export {};