npm - shieldcortex - Versions diffs - 2.4.23 → 2.4.25 - Mend

shieldcortex 2.4.23 → 2.4.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/dist/defence/skill-scanner/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Skill Scanner
+ *
+ * Framework-agnostic scanner for AI agent instruction files.
+ * Detects prompt injection, data exfiltration, tool abuse, and other
+ * threats hidden in skill definitions, hook files, and agent rules.
+ *
+ * Supports: Claude Code (SKILL.md, CLAUDE.md), OpenClaw (HOOK.md, handler.js),
+ * Cursor (.cursorrules), Windsurf (.windsurfrules), Cline (.clinerules),
+ * GitHub Copilot (copilot-instructions.md), Aider (.aider.conf.yml),
+ * Continue (.continue/config.json).
+ */
+export { scanSkill, scanSkillContent } from './scan-skill.js';
+export { detectSkillThreats, detectCodeThreats } from './patterns.js';
+export { parseSkillFile, readSkillFile, detectFormat } from './parser.js';
+export { discoverSkillFiles } from './discover.js';
+//# sourceMappingURL=index.js.map

package/dist/defence/skill-scanner/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/defence/skill-scanner/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAO9D,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGtE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC"}

package/dist/defence/skill-scanner/parser.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * Skill File Parser
+ *
+ * Parses agent instruction files from 8 different AI frameworks into a common
+ * format for scanning. Supports SKILL.md, HOOK.md, handler.js, .cursorrules,
+ * .windsurfrules, .clinerules, CLAUDE.md, copilot-instructions.md,
+ * .aider.conf.yml, and .continue/config.json.
+ *
+ * The parser never throws — malformed input produces sensible defaults.
+ */
+export type SkillFormat = 'skill-md' | 'hook-md' | 'hook-js' | 'rules' | 'claude-md' | 'copilot-md' | 'aider-yml' | 'continue-json' | 'unknown';
+export interface ParsedSkill {
+    /** Extracted from metadata or filename */
+    name: string;
+    /** Auto-detected format */
+    format: SkillFormat;
+    /** The text content to scan (body only, no frontmatter) */
+    content: string;
+    /** YAML/JSON frontmatter if present */
+    metadata?: Record<string, unknown>;
+    /** Original file contents */
+    raw: string;
+    /** Source path if read from disc */
+    filePath?: string;
+}
+/**
+ * Auto-detect the skill format based on the file path.
+ * Uses basename for filename matching; case-insensitive for .md files.
+ */
+export declare function detectFormat(filePath: string): SkillFormat;
+/**
+ * Parse file content into a ParsedSkill structure.
+ *
+ * @param content  Raw file content
+ * @param format   Detected format (defaults to 'unknown')
+ */
+export declare function parseSkillFile(content: string, format?: SkillFormat): ParsedSkill;
+/**
+ * Read a skill file from disc, auto-detect its format, and parse it.
+ *
+ * Returns a ParsedSkill with the filePath field populated.
+ * If the file cannot be read, returns a minimal ParsedSkill with empty content.
+ */
+export declare function readSkillFile(filePath: string): ParsedSkill;
+//# sourceMappingURL=parser.d.ts.map

package/dist/defence/skill-scanner/parser.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../../src/defence/skill-scanner/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH,MAAM,MAAM,WAAW,GACnB,UAAU,GACV,SAAS,GACT,SAAS,GACT,OAAO,GACP,WAAW,GACX,YAAY,GACZ,WAAW,GACX,eAAe,GACf,SAAS,CAAC;AAEd,MAAM,WAAW,WAAW;IAC1B,0CAA0C;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,2BAA2B;IAC3B,MAAM,EAAE,WAAW,CAAC;IACpB,2DAA2D;IAC3D,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,6BAA6B;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;;GAGG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,CA2B1D;AA6KD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,WAAW,CAqDjF;AA4HD;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,CA2B3D"}

package/dist/defence/skill-scanner/parser.js ADDED Viewed

@@ -0,0 +1,373 @@
+/**
+ * Skill File Parser
+ *
+ * Parses agent instruction files from 8 different AI frameworks into a common
+ * format for scanning. Supports SKILL.md, HOOK.md, handler.js, .cursorrules,
+ * .windsurfrules, .clinerules, CLAUDE.md, copilot-instructions.md,
+ * .aider.conf.yml, and .continue/config.json.
+ *
+ * The parser never throws — malformed input produces sensible defaults.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+// ── Format Detection ──
+/**
+ * Auto-detect the skill format based on the file path.
+ * Uses basename for filename matching; case-insensitive for .md files.
+ */
+export function detectFormat(filePath) {
+    const basename = path.basename(filePath);
+    const lower = basename.toLowerCase();
+    // Exact filename matches (case-insensitive for .md)
+    if (lower === 'skill.md')
+        return 'skill-md';
+    if (lower === 'hook.md')
+        return 'hook-md';
+    if (basename === 'handler.js')
+        return 'hook-js';
+    if (lower === 'claude.md')
+        return 'claude-md';
+    if (lower === 'copilot-instructions.md')
+        return 'copilot-md';
+    if (basename === '.aider.conf.yml')
+        return 'aider-yml';
+    // Rules files (exact basename match, case-sensitive — these are dotfiles)
+    if (basename === '.cursorrules' || basename === '.windsurfrules' || basename === '.clinerules') {
+        return 'rules';
+    }
+    // Path-based matches
+    const normalised = filePath.replace(/\\/g, '/');
+    if (normalised.includes('.claude/commands/'))
+        return 'claude-md';
+    if (basename === 'config.json' && normalised.includes('.continue/')) {
+        return 'continue-json';
+    }
+    return 'unknown';
+}
+// ── Simple YAML Parser ──
+/**
+ * Parse simple YAML key-value pairs, supporting one level of nesting.
+ *
+ * This does NOT handle the full YAML specification — only the straightforward
+ * frontmatter structures used by skill and hook files:
+ *   key: value
+ *   key: "quoted value"
+ *   parent:
+ *     child: value
+ */
+function parseSimpleYaml(yamlText) {
+    const result = {};
+    const lines = yamlText.split('\n');
+    let currentParent = null;
+    let nestedObj = null;
+    for (const line of lines) {
+        // Skip empty lines and comments
+        const trimmed = line.trimEnd();
+        if (trimmed === '' || trimmed.startsWith('#')) {
+            continue;
+        }
+        // Determine indentation level
+        const indent = line.length - line.trimStart().length;
+        const content = trimmed.trim();
+        // Match key: value pattern
+        const kvMatch = content.match(/^([A-Za-z_][\w.-]*)\s*:\s*(.*)/);
+        if (!kvMatch)
+            continue;
+        const key = kvMatch[1];
+        let value = kvMatch[2].trim();
+        if (indent >= 2 && currentParent && nestedObj) {
+            // This is a nested key under the current parent
+            nestedObj[key] = unquoteValue(value);
+        }
+        else {
+            // Top-level key — flush any previous nested object
+            if (currentParent && nestedObj) {
+                result[currentParent] = nestedObj;
+                currentParent = null;
+                nestedObj = null;
+            }
+            if (value === '' || value === '') {
+                // This key has no inline value — it introduces a nested block
+                currentParent = key;
+                nestedObj = {};
+            }
+            else {
+                result[key] = unquoteValue(value);
+            }
+        }
+    }
+    // Flush trailing nested object
+    if (currentParent && nestedObj) {
+        result[currentParent] = nestedObj;
+    }
+    return result;
+}
+/**
+ * Remove surrounding quotes from a YAML value string and coerce simple types.
+ */
+function unquoteValue(raw) {
+    if (raw === '')
+        return '';
+    // Remove surrounding quotes (single or double)
+    if ((raw.startsWith('"') && raw.endsWith('"')) ||
+        (raw.startsWith("'") && raw.endsWith("'"))) {
+        return raw.slice(1, -1);
+    }
+    // Boolean coercion
+    if (raw === 'true')
+        return true;
+    if (raw === 'false')
+        return false;
+    // Numeric coercion
+    if (/^-?\d+(\.\d+)?$/.test(raw)) {
+        return Number(raw);
+    }
+    return raw;
+}
+// ── Frontmatter Extraction ──
+/**
+ * Split YAML frontmatter (between --- markers at the start of a file)
+ * from the markdown body. Returns [frontmatter, body].
+ */
+function splitFrontmatter(content) {
+    // Frontmatter must start at the very beginning of the file
+    if (!content.startsWith('---')) {
+        return [null, content];
+    }
+    // Find the closing --- marker (must be on its own line)
+    const closingIndex = content.indexOf('\n---', 3);
+    if (closingIndex === -1) {
+        // No closing marker — treat the entire file as body
+        return [null, content];
+    }
+    const frontmatter = content.slice(3, closingIndex).trim();
+    const body = content.slice(closingIndex + 4).trim();
+    return [frontmatter, body];
+}
+// ── Name Extraction Helpers ──
+/**
+ * Try to extract a name from the first line comment in a JS file,
+ * For example: "// my-hook" or block comments like "Hook Name".
+ */
+function extractJsName(source) {
+    const firstLine = source.split('\n')[0]?.trim() ?? '';
+    // Single-line comment: // name
+    const singleComment = firstLine.match(/^\/\/\s*(.+)/);
+    if (singleComment) {
+        return singleComment[1].trim();
+    }
+    // Block comment: /* name */
+    const blockComment = firstLine.match(/^\/\*\s*(.+?)\s*\*\//);
+    if (blockComment) {
+        return blockComment[1].trim();
+    }
+    // module.exports name — look for module.exports.name = "..."
+    const exportsName = source.match(/module\.exports\.name\s*=\s*["']([^"']+)["']/);
+    if (exportsName) {
+        return exportsName[1];
+    }
+    // module.exports = { name: "..." }
+    const objName = source.match(/module\.exports\s*=\s*\{[^}]*name\s*:\s*["']([^"']+)["']/);
+    if (objName) {
+        return objName[1];
+    }
+    return null;
+}
+/**
+ * Derive a name from a filename, stripping the extension and leading dot.
+ */
+function nameFromFilename(filename) {
+    const basename = path.basename(filename);
+    const ext = path.extname(basename);
+    let name = ext ? basename.slice(0, -ext.length) : basename;
+    // Strip leading dot for dotfiles (e.g. .cursorrules -> cursorrules)
+    if (name.startsWith('.')) {
+        name = name.slice(1);
+    }
+    return name || 'unknown';
+}
+// ── Core Parser ──
+/**
+ * Parse file content into a ParsedSkill structure.
+ *
+ * @param content  Raw file content
+ * @param format   Detected format (defaults to 'unknown')
+ */
+export function parseSkillFile(content, format) {
+    const effectiveFormat = format ?? 'unknown';
+    const raw = content;
+    // Guard against empty or binary-looking content
+    if (!content || content.length === 0) {
+        return {
+            name: 'unknown',
+            format: effectiveFormat,
+            content: '',
+            raw,
+        };
+    }
+    // Detect likely binary content (high ratio of non-printable characters)
+    const nonPrintable = content.slice(0, 1024).replace(/[\x20-\x7E\t\n\r]/g, '').length;
+    if (nonPrintable > 128) {
+        return {
+            name: 'unknown',
+            format: effectiveFormat,
+            content: '',
+            raw,
+        };
+    }
+    switch (effectiveFormat) {
+        case 'skill-md':
+        case 'hook-md':
+            return parseMarkdownWithFrontmatter(content, effectiveFormat, raw);
+        case 'rules':
+        case 'claude-md':
+        case 'copilot-md':
+            return parseRawContent(content, effectiveFormat, raw);
+        case 'hook-js':
+            return parseJavaScript(content, raw);
+        case 'aider-yml':
+            return parseAiderYaml(content, raw);
+        case 'continue-json':
+            return parseContinueJson(content, raw);
+        case 'unknown':
+        default:
+            return {
+                name: 'unknown',
+                format: 'unknown',
+                content,
+                raw,
+            };
+    }
+}
+/**
+ * Parse a markdown file that may contain YAML frontmatter (skill-md, hook-md).
+ */
+function parseMarkdownWithFrontmatter(content, format, raw) {
+    const [frontmatter, body] = splitFrontmatter(content);
+    let metadata;
+    let name = 'unknown';
+    if (frontmatter) {
+        try {
+            metadata = parseSimpleYaml(frontmatter);
+        }
+        catch {
+            // Malformed YAML — continue without metadata
+            metadata = undefined;
+        }
+        if (metadata && typeof metadata.name === 'string' && metadata.name.length > 0) {
+            name = metadata.name;
+        }
+    }
+    return {
+        name,
+        format,
+        content: body,
+        metadata,
+        raw,
+    };
+}
+/**
+ * Parse a raw content file with no frontmatter (rules, claude-md, copilot-md).
+ * The name is derived from the filename if available, otherwise defaults.
+ */
+function parseRawContent(content, format, raw) {
+    // Name will be overridden by readSkillFile when filePath is available
+    return {
+        name: 'unknown',
+        format,
+        content,
+        raw,
+    };
+}
+/**
+ * Parse a JavaScript hook file.
+ */
+function parseJavaScript(content, raw) {
+    const extracted = extractJsName(content);
+    return {
+        name: extracted ?? 'handler',
+        format: 'hook-js',
+        content,
+        raw,
+    };
+}
+/**
+ * Parse an Aider YAML configuration file.
+ */
+function parseAiderYaml(content, raw) {
+    let metadata;
+    try {
+        metadata = parseSimpleYaml(content);
+    }
+    catch {
+        // Malformed YAML — continue without metadata
+        metadata = undefined;
+    }
+    return {
+        name: 'aider',
+        format: 'aider-yml',
+        content,
+        metadata,
+        raw,
+    };
+}
+/**
+ * Parse a Continue JSON configuration file.
+ */
+function parseContinueJson(content, raw) {
+    let metadata;
+    let parsedContent = content;
+    let name = 'continue';
+    try {
+        const parsed = JSON.parse(content);
+        metadata = parsed;
+        parsedContent = JSON.stringify(parsed);
+        if (typeof parsed.name === 'string' && parsed.name.length > 0) {
+            name = parsed.name;
+        }
+    }
+    catch {
+        // Malformed JSON — use raw content as-is
+        metadata = undefined;
+        parsedContent = content;
+    }
+    return {
+        name,
+        format: 'continue-json',
+        content: parsedContent,
+        metadata,
+        raw,
+    };
+}
+// ── File Reader ──
+/**
+ * Read a skill file from disc, auto-detect its format, and parse it.
+ *
+ * Returns a ParsedSkill with the filePath field populated.
+ * If the file cannot be read, returns a minimal ParsedSkill with empty content.
+ */
+export function readSkillFile(filePath) {
+    let content;
+    try {
+        content = fs.readFileSync(filePath, 'utf-8');
+    }
+    catch {
+        // File unreadable — return a safe default
+        return {
+            name: nameFromFilename(filePath),
+            format: detectFormat(filePath),
+            content: '',
+            raw: '',
+            filePath,
+        };
+    }
+    const format = detectFormat(filePath);
+    const result = parseSkillFile(content, format);
+    result.filePath = filePath;
+    // For formats that derive their name from the filename, apply it now
+    if (result.name === 'unknown' || result.name === '') {
+        result.name = nameFromFilename(filePath);
+    }
+    return result;
+}
+//# sourceMappingURL=parser.js.map

package/dist/defence/skill-scanner/parser.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"parser.js","sourceRoot":"","sources":["../../../src/defence/skill-scanner/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AA8BlC,yBAAyB;AAEzB;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAErC,oDAAoD;IACpD,IAAI,KAAK,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IAC5C,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,QAAQ,KAAK,YAAY;QAAE,OAAO,SAAS,CAAC;IAChD,IAAI,KAAK,KAAK,WAAW;QAAE,OAAO,WAAW,CAAC;IAC9C,IAAI,KAAK,KAAK,yBAAyB;QAAE,OAAO,YAAY,CAAC;IAC7D,IAAI,QAAQ,KAAK,iBAAiB;QAAE,OAAO,WAAW,CAAC;IAEvD,0EAA0E;IAC1E,IAAI,QAAQ,KAAK,cAAc,IAAI,QAAQ,KAAK,gBAAgB,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC/F,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,qBAAqB;IACrB,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEhD,IAAI,UAAU,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QAAE,OAAO,WAAW,CAAC;IAEjE,IAAI,QAAQ,KAAK,aAAa,IAAI,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,2BAA2B;AAE3B;;;;;;;;;GASG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEnC,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,SAAS,GAAmC,IAAI,CAAC;IAErD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,gCAAgC;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,OAAO,KAAK,EAAE,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9C,SAAS;QACX,CAAC;QAED,8BAA8B;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAE/B,2BAA2B;QAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAChE,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,KAAK,GAAW,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEtC,IAAI,MAAM,IAAI,CAAC,IAAI,aAAa,IAAI,SAAS,EAAE,CAAC;YAC9C,gDAAgD;YAChD,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,IAAI,aAAa,IAAI,SAAS,EAAE,CAAC;gBAC/B,MAAM,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC;gBAClC,aAAa,GAAG,IAAI,CAAC;gBACrB,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;YAED,IAAI,KAAK,KAAK,EAAE,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;gBACjC,8DAA8D;gBAC9D,aAAa,GAAG,GAAG,CAAC;gBACpB,SAAS,GAAG,EAAE,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,IAAI,aAAa,IAAI,SAAS,EAAE,CAAC;QAC/B,MAAM,CAAC,aAAa,CAAC,GAAG,SAAS,CAAC;IACpC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,GAAW;IAC/B,IAAI,GAAG,KAAK,EAAE;QAAE,OAAO,EAAE,CAAC;IAE1B,+CAA+C;IAC/C,IACE,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC1C,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC1C,CAAC;QACD,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,mBAAmB;IACnB,IAAI,GAAG,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,GAAG,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAElC,mBAAmB;IACnB,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,+BAA+B;AAE/B;;;GAGG;AACH,SAAS,gBAAgB,CAAC,OAAe;IACvC,2DAA2D;IAC3D,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACzB,CAAC;IAED,wDAAwD;IACxD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACjD,IAAI,YAAY,KAAK,CAAC,CAAC,EAAE,CAAC;QACxB,oDAAoD;QACpD,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAEpD,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,gCAAgC;AAEhC;;;GAGG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAEtD,+BAA+B;IAC/B,MAAM,aAAa,GAAG,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IACtD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACjC,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC7D,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChC,CAAC;IAED,6DAA6D;IAC7D,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;IACjF,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IAED,mCAAmC;IACnC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;IACzF,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAE3D,oEAAoE;IACpE,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,oBAAoB;AAEpB;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,MAAoB;IAClE,MAAM,eAAe,GAAG,MAAM,IAAI,SAAS,CAAC;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC;IAEpB,gDAAgD;IAChD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,OAAO;YACL,IAAI,EAAE,SAAS;YACf,MAAM,EAAE,eAAe;YACvB,OAAO,EAAE,EAAE;YACX,GAAG;SACJ,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC;IACrF,IAAI,YAAY,GAAG,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,IAAI,EAAE,SAAS;YACf,MAAM,EAAE,eAAe;YACvB,OAAO,EAAE,EAAE;YACX,GAAG;SACJ,CAAC;IACJ,CAAC;IAED,QAAQ,eAAe,EAAE,CAAC;QACxB,KAAK,UAAU,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,4BAA4B,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;QAErE,KAAK,OAAO,CAAC;QACb,KAAK,WAAW,CAAC;QACjB,KAAK,YAAY;YACf,OAAO,eAAe,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;QAExD,KAAK,SAAS;YACZ,OAAO,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAEvC,KAAK,WAAW;YACd,OAAO,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAEtC,KAAK,eAAe;YAClB,OAAO,iBAAiB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAEzC,KAAK,SAAS,CAAC;QACf;YACE,OAAO;gBACL,IAAI,EAAE,SAAS;gBACf,MAAM,EAAE,SAAS;gBACjB,OAAO;gBACP,GAAG;aACJ,CAAC;IACN,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,4BAA4B,CACnC,OAAe,EACf,MAA8B,EAC9B,GAAW;IAEX,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAEtD,IAAI,QAA6C,CAAC;IAClD,IAAI,IAAI,GAAG,SAAS,CAAC;IAErB,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;YAC7C,QAAQ,GAAG,SAAS,CAAC;QACvB,CAAC;QAED,IAAI,QAAQ,IAAI,OAAO,QAAQ,CAAC,IAAI,KAAK,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9E,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI;QACJ,MAAM;QACN,OAAO,EAAE,IAAI;QACb,QAAQ;QACR,GAAG;KACJ,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CACtB,OAAe,EACf,MAA4C,EAC5C,GAAW;IAEX,sEAAsE;IACtE,OAAO;QACL,IAAI,EAAE,SAAS;QACf,MAAM;QACN,OAAO;QACP,GAAG;KACJ,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAe,EAAE,GAAW;IACnD,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAEzC,OAAO;QACL,IAAI,EAAE,SAAS,IAAI,SAAS;QAC5B,MAAM,EAAE,SAAS;QACjB,OAAO;QACP,GAAG;KACJ,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,OAAe,EAAE,GAAW;IAClD,IAAI,QAA6C,CAAC;IAElD,IAAI,CAAC;QACH,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,6CAA6C;QAC7C,QAAQ,GAAG,SAAS,CAAC;IACvB,CAAC;IAED,OAAO;QACL,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,WAAW;QACnB,OAAO;QACP,QAAQ;QACR,GAAG;KACJ,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAe,EAAE,GAAW;IACrD,IAAI,QAA6C,CAAC;IAClD,IAAI,aAAa,GAAG,OAAO,CAAC;IAC5B,IAAI,IAAI,GAAG,UAAU,CAAC;IAEtB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QAC9D,QAAQ,GAAG,MAAM,CAAC;QAClB,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEvC,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yCAAyC;QACzC,QAAQ,GAAG,SAAS,CAAC;QACrB,aAAa,GAAG,OAAO,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,IAAI;QACJ,MAAM,EAAE,eAAe;QACvB,OAAO,EAAE,aAAa;QACtB,QAAQ;QACR,GAAG;KACJ,CAAC;AACJ,CAAC;AAED,oBAAoB;AAEpB;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,IAAI,OAAe,CAAC;IAEpB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,0CAA0C;QAC1C,OAAO;YACL,IAAI,EAAE,gBAAgB,CAAC,QAAQ,CAAC;YAChC,MAAM,EAAE,YAAY,CAAC,QAAQ,CAAC;YAC9B,OAAO,EAAE,EAAE;YACX,GAAG,EAAE,EAAE;YACP,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE/C,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAE3B,qEAAqE;IACrE,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,MAAM,CAAC,IAAI,KAAK,EAAE,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/defence/skill-scanner/patterns.d.ts ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Skill-Specific Threat Patterns
+ *
+ * Detects malicious patterns in agent instruction files (skill files, tool
+ * definitions, .mdc rules, etc.) and in code files (JS/TS/JSON) that may
+ * accompany them.
+ *
+ * Two entry points:
+ *  - detectSkillThreats()  — natural-language instruction scanning
+ *  - detectCodeThreats()   — JavaScript / JSON code scanning
+ *
+ * Follows the same conventions as instruction-detector.ts:
+ *  - One match per group is enough (break after first)
+ *  - MAX_SCAN_LENGTH truncation to prevent ReDOS
+ *  - safeRegexTest wrapper for every test
+ *  - Length caps on unbounded quantifiers ([\s\S]{0,N})
+ */
+export interface SkillThreatResult {
+    detected: boolean;
+    threats: string[];
+    confidence: number;
+}
+/**
+ * Analyse natural-language skill / instruction content for threat patterns.
+ *
+ * Designed for scanning .mdc files, skill definitions, tool descriptions,
+ * and similar agent instruction documents.
+ */
+export declare function detectSkillThreats(content: string): SkillThreatResult;
+/**
+ * Analyse JavaScript / JSON code content for threat patterns.
+ *
+ * Designed for scanning code files that accompany skill definitions —
+ * tool implementations, config files, etc.
+ */
+export declare function detectCodeThreats(content: string): SkillThreatResult;
+//# sourceMappingURL=patterns.d.ts.map

package/dist/defence/skill-scanner/patterns.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/defence/skill-scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AA2OD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAErE;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAEpE"}