sentinelayer-cli 0.1.0

package/src/agents/jules/swarm/pattern-hunter.js

@@ -0,0 +1,123 @@
+import { JulesSubAgent } from "./sub-agent.js";
+
+const HUNTER_PROMPTS = {
+  xss: `You are an XSS PatternHunter working for Jules Tanaka.
+Search the codebase for Cross-Site Scripting vulnerabilities:
+- dangerouslySetInnerHTML with user-controlled input
+- innerHTML assignments
+- v-html directives (Vue)
+- dynamic code execution (the eval function) with user input
+- document write injection
+- javascript: URLs in href
+- template literal injection in HTML contexts
+
+Use Grep and FrontendAnalyze('find_security_sinks') to find all matches.
+For each match, determine if the input is user-controlled or sanitized.
+Return findings as JSON array: [{ "file", "line", "type", "severity", "userControlled", "sanitized", "evidence" }]`,
+
+  state: `You are a State Management PatternHunter working for Jules Tanaka.
+Search for React state anti-patterns:
+- Components with 16+ useState calls (god components)
+- useEffect with empty deps that references state (stale closures)
+- useEffect without cleanup return (subscription/timer leaks)
+- State updates in loops (N re-renders)
+- Object/array in useEffect dependency array (new reference each render)
+- Derived state stored in useState (should be computed)
+
+Use Grep and FrontendAnalyze('count_state_hooks', 'find_missing_cleanup', 'find_stale_closures').
+Return findings as JSON array: [{ "file", "line", "type", "severity", "pattern", "evidence" }]`,
+
+  hydration: `You are a Hydration Safety PatternHunter working for Jules Tanaka.
+Search for SSR/CSR hydration mismatch risks:
+- window/document/localStorage access during initial render (outside useEffect)
+- Date.now() or Math.random() in render path (non-deterministic)
+- suppressHydrationWarning without justification
+- useLayoutEffect in server components
+- Dynamic imports crossing server/client boundaries
+- Locale/theme/auth state that can differ server vs client
+
+Use Grep to find these patterns in .tsx/.jsx files.
+Return findings as JSON array: [{ "file", "line", "type", "severity", "pattern", "evidence" }]`,
+
+  a11y: `You are an Accessibility PatternHunter working for Jules Tanaka.
+Search for WCAG AA accessibility violations:
+- Images without alt text
+- Form inputs without labels (no <label> or aria-label)
+- Buttons/links without accessible text
+- Missing keyboard handlers on interactive divs (onClick without onKeyDown)
+- tabIndex=-1 removing elements from tab order
+- Missing focus management in modals/drawers
+- Poor color contrast indicators (hardcoded light gray text)
+- Missing skip navigation link
+- aria-hidden on interactive elements
+
+Use Grep and FrontendAnalyze('check_accessibility').
+Return findings as JSON array: [{ "file", "line", "type", "severity", "wcag", "userImpact", "evidence" }]`,
+
+  perf: `You are a Performance PatternHunter working for Jules Tanaka.
+Search for frontend performance anti-patterns:
+- Large bundle imports (moment, lodash full import, d3 full import)
+- Images without explicit dimensions (CLS risk)
+- Fonts without font-display strategy
+- Third-party scripts on critical render path
+- Missing React.memo on list item components
+- Inline arrow functions in map() JSX
+- Large lists without virtualization
+- Blocking script tags without async/defer
+
+Use Grep, FrontendAnalyze('check_image_optimization', 'check_font_loading', 'find_third_party_scripts').
+Return findings as JSON array: [{ "file", "line", "type", "severity", "impact", "evidence" }]`,
+
+  security: `You are a Frontend Security PatternHunter working for Jules Tanaka.
+Search for frontend-specific security issues:
+- API keys in NEXT_PUBLIC_/VITE_/REACT_APP_ env vars (especially _KEY, _SECRET, _TOKEN)
+- Missing Content-Security-Policy headers
+- Missing X-Frame-Options / frame-ancestors
+- CORS * wildcard on sensitive endpoints
+- Tokens stored in localStorage (vs httpOnly cookies)
+- Missing CSRF protection on state-changing forms
+- Source maps enabled in production build config
+
+Use Grep, FrontendAnalyze('find_env_exposure', 'check_security_headers').
+Return findings as JSON array: [{ "file", "line", "type", "severity", "cwe", "evidence" }]`,
+};
+
+/**
+ * Create a PatternHunter sub-agent for a specific issue class.
+ *
+ * @param {object} config
+ * @param {"xss"|"state"|"hydration"|"a11y"|"perf"|"security"} config.huntType
+ * @param {string} config.rootPath - Codebase root to search
+ * @param {object} config.budget
+ * @param {object} config.blackboard
+ * @param {object} [config.provider]
+ * @param {AbortController} [config.parentAbort]
+ * @param {function} [config.onEvent]
+ */
+export function createPatternHunter(config) {
+  const prompt = HUNTER_PROMPTS[config.huntType];
+  if (!prompt) {
+    throw new Error(`Unknown hunt type: ${config.huntType}. Valid: ${Object.keys(HUNTER_PROMPTS).join(", ")}`);
+  }
+
+  return new JulesSubAgent({
+    id: `hunter-${config.huntType}-${Date.now()}`,
+    role: `PatternHunter-${config.huntType}`,
+    systemPrompt: prompt,
+    allowedTools: ["Grep", "Glob", "FrontendAnalyze", "FileRead"],
+    scope: { patterns: [config.huntType], rootPath: config.rootPath },
+    budget: config.budget || {
+      maxCostUsd: 0.3,
+      maxOutputTokens: 2000,
+      maxRuntimeMs: 60000,
+      maxToolCalls: 20,
+    },
+    blackboard: config.blackboard,
+    maxTurns: 5,
+    provider: config.provider,
+    parentAbort: config.parentAbort,
+    onEvent: config.onEvent,
+  });
+}
+
+export const HUNT_TYPES = Object.keys(HUNTER_PROMPTS);

package/src/agents/jules/swarm/sub-agent.js

@@ -0,0 +1,308 @@
+import { randomUUID } from "node:crypto";
+import { createAgentContext, dispatchTool, isReadOnlyTool, BudgetExhaustedError } from "../tools/dispatch.js";
+import { createMultiProviderApiClient } from "../../../ai/client.js";
+
+/**
+ * JulesSubAgent — lightweight isolated agent for parallel audit work.
+ *
+ * Each sub-agent gets:
+ * - Own conversation context (no parent history)
+ * - Own tool access (subset of Jules' tools)
+ * - Own budget slice (clamped to parent allocation)
+ * - Shared blackboard (append-only)
+ * - Own telemetry session
+ * - AbortController linked to parent (kill propagation)
+ *
+ * Sub-agents are NOT full Jules instances. They are focused workers:
+ * - FileScanner: reads file batches, extracts structured summaries
+ * - PatternHunter: searches for specific issue classes
+ */
+
+const DEFAULT_MAX_TURNS = 10;
+const DEFAULT_TEMPERATURE = 0;
+
+export class JulesSubAgent {
+  /**
+   * @param {object} config
+   * @param {string} config.id - Unique identifier (e.g., "file-scanner-dashboard")
+   * @param {string} config.role - "FileScanner" | "PatternHunter" | "custom"
+   * @param {string} config.systemPrompt - System instruction for this sub-agent
+   * @param {string[]} config.allowedTools - Tool names this agent can use
+   * @param {object} config.scope - { files: string[], patterns: string[] }
+   * @param {object} config.budget - Budget slice { maxCostUsd, maxOutputTokens, maxRuntimeMs, maxToolCalls }
+   * @param {object} config.blackboard - Shared blackboard instance (appendEntry, query)
+   * @param {object} [config.provider] - { provider, model, apiKey } overrides
+   * @param {number} [config.maxTurns] - Max agentic loop iterations
+   * @param {AbortController} [config.parentAbort] - Linked to parent for kill propagation
+   * @param {function} [config.onEvent] - Streaming event callback
+   */
+  constructor(config) {
+    this.id = config.id || `subagent-${randomUUID().slice(0, 8)}`;
+    this.role = config.role;
+    this.systemPrompt = config.systemPrompt;
+    this.allowedTools = new Set(config.allowedTools || ["FileRead", "Grep", "Glob", "FrontendAnalyze"]);
+    this.scope = config.scope || {};
+    this.maxTurns = config.maxTurns ?? DEFAULT_MAX_TURNS;
+    this.blackboard = config.blackboard;
+    this.onEvent = config.onEvent;
+
+    // Isolated context
+    this.conversation = [];
+    this.findings = [];
+    this.turnCount = 0;
+
+    // Budget-gated agent context
+    this.ctx = createAgentContext({
+      agentIdentity: {
+        id: this.id,
+        persona: `Jules Sub-Agent (${this.role})`,
+        parentId: "frontend",
+      },
+      budget: config.budget || {
+        maxCostUsd: 1.0,
+        maxOutputTokens: 4000,
+        maxRuntimeMs: 120000,
+        maxToolCalls: 50,
+      },
+      sessionId: randomUUID(),
+      runId: `sub-${this.id}-${Date.now()}`,
+      onEvent: config.onEvent,
+    });
+
+    // LLM client
+    this.client = createMultiProviderApiClient(config.provider || {});
+
+    // Abort linkage
+    this.abortController = new AbortController();
+    if (config.parentAbort) {
+      config.parentAbort.signal.addEventListener("abort", () => {
+        this.abortController.abort();
+      }, { once: true });
+    }
+  }
+
+  /**
+   * Execute the sub-agent's task.
+   * Runs an agentic loop: LLM → tool_use → execute → feed back → repeat.
+   * Returns structured results.
+   */
+  async execute() {
+    this.emitEvent("agent_start", { role: this.role, scope: this.scope });
+
+    // Build initial messages
+    const messages = [
+      { role: "user", content: this.buildTaskPrompt() },
+    ];
+
+    try {
+      while (this.turnCount < this.maxTurns) {
+        if (this.abortController.signal.aborted) {
+          this.emitEvent("agent_abort", { reason: "parent_killed" });
+          break;
+        }
+
+        this.turnCount++;
+
+        // Call LLM
+        const response = await this.client.invoke({
+          systemPrompt: this.systemPrompt,
+          messages,
+          temperature: DEFAULT_TEMPERATURE,
+        });
+
+        // Track cost
+        this.ctx.usage.outputTokens += estimateTokens(response.text);
+        this.ctx.usage.costUsd += estimateCost(response.text);
+
+        // Parse tool_use blocks from response
+        const toolCalls = parseToolCalls(response.text);
+
+        if (toolCalls.length === 0) {
+          // No more tool calls — sub-agent is done
+          const structured = parseStructuredOutput(response.text);
+          if (structured.findings) {
+            for (const finding of structured.findings) {
+              this.findings.push(finding);
+              if (this.blackboard) {
+                await this.blackboard.appendEntry({
+                  agentId: this.id,
+                  source: this.role,
+                  ...finding,
+                });
+              }
+            }
+          }
+          messages.push({ role: "assistant", content: response.text });
+          break;
+        }
+
+        // Execute tool calls
+        const toolResults = [];
+        for (const call of toolCalls) {
+          if (!this.allowedTools.has(call.tool)) {
+            toolResults.push({ tool: call.tool, error: `Tool ${call.tool} not allowed for this sub-agent` });
+            continue;
+          }
+          try {
+            const result = await dispatchTool(call.tool, call.input, this.ctx);
+            toolResults.push({ tool: call.tool, result });
+          } catch (err) {
+            if (err instanceof BudgetExhaustedError) {
+              this.emitEvent("budget_stop", { reason: err.message });
+              return this.buildResult("budget_exhausted");
+            }
+            toolResults.push({ tool: call.tool, error: err.message });
+          }
+        }
+
+        // Feed results back to conversation
+        messages.push({ role: "assistant", content: response.text });
+        messages.push({
+          role: "user",
+          content: formatToolResults(toolResults),
+        });
+      }
+    } catch (err) {
+      this.emitEvent("agent_error", { error: err.message });
+      return this.buildResult("error", err.message);
+    }
+
+    this.emitEvent("agent_complete", {
+      findings: this.findings.length,
+      turns: this.turnCount,
+      toolCalls: this.ctx.usage.toolCalls,
+    });
+
+    return this.buildResult("completed");
+  }
+
+  buildTaskPrompt() {
+    const parts = [];
+    if (this.scope.files && this.scope.files.length > 0) {
+      parts.push(`Files in your scope:\n${this.scope.files.join("\n")}`);
+    }
+    if (this.scope.patterns && this.scope.patterns.length > 0) {
+      parts.push(`Patterns to search for:\n${this.scope.patterns.join("\n")}`);
+    }
+    parts.push("Return your findings as a JSON array in a ```json code block.");
+    return parts.join("\n\n");
+  }
+
+  buildResult(status, error) {
+    return {
+      agentId: this.id,
+      role: this.role,
+      status,
+      error: error || null,
+      findings: this.findings,
+      usage: {
+        turns: this.turnCount,
+        toolCalls: this.ctx.usage.toolCalls,
+        costUsd: this.ctx.usage.costUsd,
+        outputTokens: this.ctx.usage.outputTokens,
+        durationMs: Date.now() - this.ctx.startedAt,
+      },
+    };
+  }
+
+  emitEvent(event, payload) {
+    if (this.onEvent) {
+      this.onEvent({
+        stream: "sl_event",
+        event,
+        agent: { id: this.id, persona: `Jules Sub-Agent (${this.role})`, parentId: "frontend" },
+        payload,
+        usage: {
+          costUsd: this.ctx.usage.costUsd,
+          toolCalls: this.ctx.usage.toolCalls,
+          durationMs: Date.now() - this.ctx.startedAt,
+        },
+      });
+    }
+  }
+}
+
+/**
+ * Run a batch of sub-agents with concurrency control.
+ */
+export async function runSubAgentBatch(agents, { maxConcurrent = 4 } = {}) {
+  const results = [];
+  const queue = [...agents];
+
+  async function runNext() {
+    while (queue.length > 0) {
+      const agent = queue.shift();
+      const result = await agent.execute();
+      results.push(result);
+    }
+  }
+
+  const workers = Array.from(
+    { length: Math.min(maxConcurrent, agents.length) },
+    () => runNext(),
+  );
+  await Promise.all(workers);
+  return results;
+}
+
+// ── Helpers ──────────────────────────────────────────────────────────
+
+function parseToolCalls(text) {
+  // Parse tool_use blocks from LLM response
+  // Format: ```tool_use\n{"tool":"FileRead","input":{...}}\n```
+  const calls = [];
+  const regex = /```tool_use\s*\n([\s\S]*?)```/g;
+  let match;
+  while ((match = regex.exec(text)) !== null) {
+    try {
+      const parsed = JSON.parse(match[1].trim());
+      if (parsed.tool && parsed.input) {
+        calls.push(parsed);
+      }
+    } catch { /* skip malformed */ }
+  }
+  return calls;
+}
+
+function parseStructuredOutput(text) {
+  // Parse JSON findings from LLM response
+  const jsonMatch = text.match(/```json\s*\n([\s\S]*?)```/);
+  if (jsonMatch) {
+    try {
+      const parsed = JSON.parse(jsonMatch[1].trim());
+      if (Array.isArray(parsed)) {
+        return { findings: parsed };
+      }
+      if (parsed.findings && Array.isArray(parsed.findings)) {
+        return parsed;
+      }
+    } catch { /* skip malformed */ }
+  }
+  return { findings: [] };
+}
+
+function formatToolResults(results) {
+  return results.map(r => {
+    if (r.error) return `Tool ${r.tool} failed: ${r.error}`;
+    const summary = typeof r.result === "string" ? r.result :
+      JSON.stringify(r.result).slice(0, 2000);
+    return `Tool ${r.tool} result:\n${summary}`;
+  }).join("\n\n");
+}
+
+function estimateTokens(text) {
+  return Math.ceil((text || "").length / 4);
+}
+
+function estimateCost(text) {
+  // Rough: $15/M output tokens for Claude Sonnet
+  const tokens = estimateTokens(text);
+  return (tokens / 1_000_000) * 15;
+}
+
+export class SubAgentError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SubAgentError";
+  }
+}

package/src/agents/jules/tools/auth-audit.js

@@ -0,0 +1,222 @@
+import { execFileSync } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { randomUUID } from "node:crypto";
+
+/**
+ * Jules Tanaka — Authenticated Page Audit
+ *
+ * Provisions an AIdenID ephemeral identity, uses Playwright to log in,
+ * then inspects authenticated pages (DevTools console, DOM, headers).
+ * Falls back gracefully when AIdenID or Playwright unavailable.
+ */
+
+export function authAudit(input) {
+  if (!AUTH_OPS.has(input.operation)) {
+    throw new AuthAuditError("Unknown operation: " + input.operation + ". Valid: " + [...AUTH_OPS].join(", "));
+  }
+  return AUTH_DISPATCH[input.operation](input);
+}
+
+const AUTH_OPS = new Set([
+  "provision_test_identity",
+  "authenticated_page_check",
+  "check_auth_flow_security",
+]);
+
+const AUTH_DISPATCH = {
+  provision_test_identity: provisionTestIdentity,
+  authenticated_page_check: authenticatedPageCheck,
+  check_auth_flow_security: checkAuthFlowSecurity,
+};
+
+async function provisionTestIdentity(input) {
+  try {
+    const { provisionEmailIdentity, resolveAidenIdCredentials } = await import("../../../ai/aidenid.js");
+    const creds = resolveAidenIdCredentials();
+    if (!creds.apiKey) {
+      return { available: false, reason: "AIdenID API key not configured (set AIDENID_API_KEY)" };
+    }
+    const result = await provisionEmailIdentity({
+      apiUrl: creds.apiUrl, apiKey: creds.apiKey,
+      tags: ["jules-audit", "frontend-test"],
+      ttlSeconds: 3600, dryRun: input.execute !== true,
+    });
+    return { available: true, dryRun: input.execute !== true, identity: result.identity || result };
+  } catch (err) {
+    return { available: false, reason: "AIdenID provisioning failed: " + err.message };
+  }
+}
+
+/**
+ * Run Playwright to authenticate and inspect the page.
+ * - URLs and credentials passed ONLY via env vars (no string interpolation)
+ * - Auth verification checks URL change + cookie presence (not just click success)
+ * - Console errors redacted to prevent sensitive data leakage
+ * - Cookie values never captured (names + flags only)
+ * - Temp script cleanup in finally block (not just success path)
+ */
+function authenticatedPageCheck(input) {
+  const url = input.url;
+  if (!url) throw new AuthAuditError("authenticated_page_check requires url");
+  if (!isValidUrl(url)) throw new AuthAuditError("Invalid URL: " + url);
+
+  const loginUrl = input.loginUrl || url + "/login";
+  let scriptPath = null;
+
+  try {
+    scriptPath = secureTempFile("sl-auth-audit-" + randomUUID().slice(0, 8) + ".cjs");
+    fs.writeFileSync(scriptPath, PLAYWRIGHT_AUTH_SCRIPT);
+
+    const env = {
+      ...process.env,
+      SL_AUDIT_TARGET_URL: url,
+      SL_AUDIT_LOGIN_URL: loginUrl,
+      SL_AUDIT_TEST_EMAIL: input.email || "",
+      SL_AUDIT_TEST_PASSWORD: input.password || "",
+      SL_AUDIT_EMAIL_FIELD: input.emailField || "",
+      SL_AUDIT_PASSWORD_FIELD: input.passwordField || "",
+      SL_AUDIT_SUBMIT_SELECTOR: input.submitSelector || "",
+    };
+
+    const output = execFileSync("node", [scriptPath], {
+      encoding: "utf-8", timeout: 60000,
+      stdio: ["pipe", "pipe", "pipe"],
+      env,
+    });
+
+    const result = JSON.parse(output.trim());
+    const findings = [];
+    for (const cookie of (result.cookies || [])) {
+      if (cookie.sensitive && !cookie.httpOnly) {
+        findings.push({ severity: "P1", title: "Sensitive cookie '" + cookie.name + "' missing httpOnly flag", file: url });
+      }
+      if (cookie.sensitive && !cookie.secure) {
+        findings.push({ severity: "P1", title: "Sensitive cookie '" + cookie.name + "' missing Secure flag", file: url });
+      }
+      if (cookie.sensitive && cookie.sameSite === "None") {
+        findings.push({ severity: "P2", title: "Sensitive cookie '" + cookie.name + "' has SameSite=None", file: url });
+      }
+    }
+    return { available: true, method: "playwright", findings, ...result };
+  } catch (err) {
+    return { available: false, reason: "Playwright auth audit failed: " + err.message };
+  } finally {
+    // Clean up temp script AND its mkdtemp parent directory
+    if (scriptPath) {
+      try { fs.unlinkSync(scriptPath); } catch { /* best effort */ }
+      try { fs.rmdirSync(path.dirname(scriptPath)); } catch { /* best effort — dir may not be empty */ }
+    }
+  }
+}
+
+// Playwright script as a constant — no string interpolation of URLs/credentials.
+// All dynamic values come from environment variables at runtime.
+const PLAYWRIGHT_AUTH_SCRIPT = `
+const { chromium } = require('playwright');
+(async () => {
+  const targetUrl = process.env.SL_AUDIT_TARGET_URL;
+  const loginUrl = process.env.SL_AUDIT_LOGIN_URL;
+  const email = process.env.SL_AUDIT_TEST_EMAIL;
+  const password = process.env.SL_AUDIT_TEST_PASSWORD;
+  const emailSelector = process.env.SL_AUDIT_EMAIL_FIELD || 'input[type="email"]';
+  const passwordSelector = process.env.SL_AUDIT_PASSWORD_FIELD || 'input[type="password"]';
+  const submitSelector = process.env.SL_AUDIT_SUBMIT_SELECTOR || 'button[type="submit"]';
+
+  const browser = await chromium.launch({ headless: true });
+  const page = await browser.newPage();
+  const results = { authenticated: false, errors: [], cookies: [], headers: {}, domStats: {} };
+
+  try {
+    if (email && password && loginUrl) {
+      await page.goto(loginUrl, { waitUntil: 'networkidle', timeout: 30000 });
+      await page.fill(emailSelector, email);
+      await page.fill(passwordSelector, password);
+      await page.click(submitSelector);
+      await page.waitForNavigation({ waitUntil: 'networkidle', timeout: 15000 }).catch(() => {});
+      // P2 fix: verify auth by checking URL change + session cookie presence
+      const currentUrl = page.url();
+      const postCookies = await page.context().cookies();
+      results.authenticated = currentUrl !== loginUrl || postCookies.some(c => /session|token|auth/i.test(c.name));
+    }
+
+    await page.goto(targetUrl, { waitUntil: 'networkidle', timeout: 30000 });
+
+    // P2 fix: redact sensitive content from console errors
+    page.on('console', msg => {
+      if (msg.type() === 'error') {
+        const text = (msg.text() || '').slice(0, 200).replace(/Bearer\\s+\\S+/gi, 'Bearer [REDACTED]').replace(/token[=:]\\S+/gi, 'token=[REDACTED]');
+        results.errors.push({ text });
+      }
+    });
+
+    // P2 fix: capture cookie names + flags only, never values
+    const cookies = await page.context().cookies();
+    results.cookies = cookies.map(c => ({
+      name: c.name, domain: c.domain,
+      httpOnly: c.httpOnly, secure: c.secure,
+      sameSite: c.sameSite,
+      sensitive: /session|token|auth|jwt/i.test(c.name),
+    }));
+
+    results.domStats = await page.evaluate(() => ({
+      title: document.title,
+      nodeCount: document.querySelectorAll('*').length,
+      formCount: document.querySelectorAll('form').length,
+      inputCount: document.querySelectorAll('input').length,
+    }));
+
+    const response = await page.goto(targetUrl, { waitUntil: 'commit', timeout: 10000 }).catch(() => null);
+    if (response) {
+      const h = response.headers();
+      results.headers = {
+        'content-security-policy': h['content-security-policy'] || null,
+        'x-frame-options': h['x-frame-options'] || null,
+        'strict-transport-security': h['strict-transport-security'] || null,
+        'cache-control': h['cache-control'] || null,
+      };
+    }
+  } catch (err) {
+    results.errors.push({ text: 'Navigation error: ' + (err.message || '').slice(0, 100) });
+  } finally {
+    try { console.log(JSON.stringify(results)); } catch { /* output failure non-blocking */ }
+    await browser.close();
+  }
+})();
+`;
+
+function checkAuthFlowSecurity(input) {
+  const loginUrl = input.loginUrl || input.url;
+  if (!loginUrl) throw new AuthAuditError("check_auth_flow_security requires loginUrl or url");
+  if (!isValidUrl(loginUrl)) throw new AuthAuditError("Invalid URL: " + loginUrl);
+
+  const findings = [];
+  try {
+    const output = execFileSync("curl", ["-sI", "-L", "--max-time", "10", loginUrl], {
+      encoding: "utf-8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"],
+    });
+    const headers = {};
+    for (const line of output.split("\n")) {
+      const idx = line.indexOf(":");
+      if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
+    }
+    if (!headers["strict-transport-security"]) findings.push({ severity: "P1", title: "Login page missing HSTS header", file: loginUrl });
+    if (!headers["content-security-policy"]) findings.push({ severity: "P2", title: "Login page missing CSP header", file: loginUrl });
+    if (headers["x-powered-by"]) findings.push({ severity: "P2", title: "Login page exposes X-Powered-By: " + headers["x-powered-by"], file: loginUrl });
+  } catch { /* curl failed, non-blocking */ }
+  return { available: true, loginUrl, findings };
+}
+
+function isValidUrl(url) {
+  try { const p = new URL(url); return p.protocol === "http:" || p.protocol === "https:"; } catch { return false; }
+}
+
+function secureTempFile(name) {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sl-auth-"));
+  return path.join(dir, name);
+}
+
+export class AuthAuditError extends Error {
+  constructor(message) { super(message); this.name = "AuthAuditError"; }
+}