skillscan 0.1.0

package/dist/scanner/engine.js

@@ -0,0 +1,119 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScanEngine = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const skillmd_1 = require("./parsers/skillmd");
+const skilljson_1 = require("./parsers/skilljson");
+const rules_1 = require("./rules");
+const trust_score_1 = require("../scoring/trust-score");
+class ScanEngine {
+    async scan(options) {
+        const startTime = Date.now();
+        const { path: skillPath } = options;
+        const stats = fs.statSync(skillPath);
+        const isDirectory = stats.isDirectory();
+        const filesToScan = isDirectory
+            ? this.discoverFiles(skillPath)
+            : [skillPath];
+        const allFindings = [];
+        let skillName = path.basename(skillPath);
+        for (const file of filesToScan) {
+            const content = fs.readFileSync(file, 'utf-8');
+            const metadata = this.parseFile(file, content);
+            if (metadata.name) {
+                skillName = metadata.name;
+            }
+            const rules = (0, rules_1.getAllRules)();
+            for (const rule of rules) {
+                const findings = rule.check(content, metadata, file);
+                allFindings.push(...findings);
+            }
+        }
+        const score = (0, trust_score_1.calculateScore)(allFindings);
+        const rating = (0, trust_score_1.getRating)(score);
+        return {
+            skillPath,
+            skillName,
+            findings: allFindings,
+            score,
+            rating,
+            scannedAt: new Date().toISOString(),
+            scanDuration: Date.now() - startTime
+        };
+    }
+    discoverFiles(dirPath) {
+        const files = [];
+        const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = path.join(dirPath, entry.name);
+            if (entry.isDirectory()) {
+                // Skip node_modules and hidden directories
+                if (!entry.name.startsWith('.') && entry.name !== 'node_modules') {
+                    files.push(...this.discoverFiles(fullPath));
+                }
+            }
+            else {
+                // Include relevant skill files
+                const ext = path.extname(entry.name).toLowerCase();
+                const name = entry.name.toLowerCase();
+                if (name === 'skill.md' || name === 'skill.json' ||
+                    ext === '.md' || ext === '.json' || ext === '.yaml' || ext === '.yml') {
+                    files.push(fullPath);
+                }
+            }
+        }
+        return files;
+    }
+    parseFile(filePath, content) {
+        const ext = path.extname(filePath).toLowerCase();
+        const name = path.basename(filePath).toLowerCase();
+        if (name === 'skill.md' || ext === '.md') {
+            return (0, skillmd_1.parseSkillMd)(content);
+        }
+        if (name === 'skill.json' || ext === '.json') {
+            return (0, skilljson_1.parseSkillJson)(content);
+        }
+        // Default metadata for other files
+        return {
+            name: path.basename(filePath),
+            rawContent: content,
+            frontmatter: {}
+        };
+    }
+}
+exports.ScanEngine = ScanEngine;
+//# sourceMappingURL=engine.js.map

package/dist/scanner/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/scanner/engine.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,+CAAiD;AACjD,mDAAqD;AACrD,mCAAsC;AACtC,wDAAmE;AAEnE,MAAa,UAAU;IACrB,KAAK,CAAC,IAAI,CAAC,OAAoB;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;QAEpC,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACrC,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAExC,MAAM,WAAW,GAAG,WAAW;YAC7B,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC;YAC/B,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAEhB,MAAM,WAAW,GAAc,EAAE,CAAC;QAClC,IAAI,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAEzC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAE/C,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC;YAC5B,CAAC;YAED,MAAM,KAAK,GAAG,IAAA,mBAAW,GAAE,CAAC;YAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;gBACrD,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,IAAA,4BAAc,EAAC,WAAW,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAA,uBAAS,EAAC,KAAK,CAAC,CAAC;QAEhC,OAAO;YACL,SAAS;YACT,SAAS;YACT,QAAQ,EAAE,WAAW;YACrB,KAAK;YACL,MAAM;YACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;SACrC,CAAC;IACJ,CAAC;IAEO,aAAa,CAAC,OAAe;QACnC,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAEjE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAEhD,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,2CAA2C;gBAC3C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;oBACjE,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAC9C,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,+BAA+B;gBAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBACnD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAEtC,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,YAAY;oBAC5C,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;oBAC1E,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,SAAS,CAAC,QAAgB,EAAE,OAAe;QACjD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QAEnD,IAAI,IAAI,KAAK,UAAU,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;YACzC,OAAO,IAAA,sBAAY,EAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;QAED,IAAI,IAAI,KAAK,YAAY,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YAC7C,OAAO,IAAA,0BAAc,EAAC,OAAO,CAAC,CAAC;QACjC,CAAC;QAED,mCAAmC;QACnC,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC7B,UAAU,EAAE,OAAO;YACnB,WAAW,EAAE,EAAE;SAChB,CAAC;IACJ,CAAC;CACF;AA1FD,gCA0FC"}

package/dist/scanner/parsers/skilljson.d.ts

@@ -0,0 +1,3 @@
+import { SkillMetadata } from '../../types';
+export declare function parseSkillJson(content: string): SkillMetadata;
+//# sourceMappingURL=skilljson.d.ts.map

package/dist/scanner/parsers/skilljson.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skilljson.d.ts","sourceRoot":"","sources":["../../../src/scanner/parsers/skilljson.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAkB,MAAM,aAAa,CAAC;AAE5D,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,CAkC7D"}

package/dist/scanner/parsers/skilljson.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseSkillJson = parseSkillJson;
+function parseSkillJson(content) {
+    try {
+        const json = JSON.parse(content);
+        const tools = [];
+        if (json.tools && Array.isArray(json.tools)) {
+            for (const tool of json.tools) {
+                if (typeof tool === 'object' && tool.name) {
+                    tools.push({
+                        name: tool.name,
+                        description: tool.description,
+                        parameters: tool.parameters
+                    });
+                }
+            }
+        }
+        return {
+            name: json.name || '',
+            description: json.description,
+            version: json.version,
+            author: json.author,
+            tools,
+            rawContent: content,
+            frontmatter: json
+        };
+    }
+    catch {
+        // Invalid JSON, return minimal metadata
+        return {
+            name: '',
+            rawContent: content,
+            frontmatter: {}
+        };
+    }
+}
+//# sourceMappingURL=skilljson.js.map

package/dist/scanner/parsers/skilljson.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"skilljson.js","sourceRoot":"","sources":["../../../src/scanner/parsers/skilljson.ts"],"names":[],"mappings":";;AAEA,wCAkCC;AAlCD,SAAgB,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAEjC,MAAM,KAAK,GAAqB,EAAE,CAAC;QACnC,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC9B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC1C,KAAK,CAAC,IAAI,CAAC;wBACT,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,WAAW,EAAE,IAAI,CAAC,WAAW;wBAC7B,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;YACrB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,KAAK;YACL,UAAU,EAAE,OAAO;YACnB,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,wCAAwC;QACxC,OAAO;YACL,IAAI,EAAE,EAAE;YACR,UAAU,EAAE,OAAO;YACnB,WAAW,EAAE,EAAE;SAChB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/scanner/parsers/skillmd.d.ts

@@ -0,0 +1,3 @@
+import { SkillMetadata } from '../../types';
+export declare function parseSkillMd(content: string): SkillMetadata;
+//# sourceMappingURL=skillmd.d.ts.map

package/dist/scanner/parsers/skillmd.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skillmd.d.ts","sourceRoot":"","sources":["../../../src/scanner/parsers/skillmd.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAkB,MAAM,aAAa,CAAC;AAE5D,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,CA0B3D"}

package/dist/scanner/parsers/skillmd.js

@@ -0,0 +1,48 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseSkillMd = parseSkillMd;
+const gray_matter_1 = __importDefault(require("gray-matter"));
+function parseSkillMd(content) {
+    const { data: frontmatter, content: bodyContent } = (0, gray_matter_1.default)(content);
+    // Extract tools from frontmatter if present
+    const tools = [];
+    if (frontmatter.tools && Array.isArray(frontmatter.tools)) {
+        for (const tool of frontmatter.tools) {
+            if (typeof tool === 'object' && tool.name) {
+                tools.push({
+                    name: tool.name,
+                    description: tool.description,
+                    parameters: tool.parameters
+                });
+            }
+        }
+    }
+    return {
+        name: frontmatter.name || frontmatter.title || '',
+        description: frontmatter.description || extractFirstParagraph(bodyContent),
+        version: frontmatter.version,
+        author: frontmatter.author,
+        tools,
+        rawContent: content,
+        frontmatter
+    };
+}
+function extractFirstParagraph(content) {
+    const lines = content.split('\n');
+    const paragraphLines = [];
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (trimmed.startsWith('#'))
+            continue; // Skip headers
+        if (trimmed === '' && paragraphLines.length > 0)
+            break;
+        if (trimmed !== '') {
+            paragraphLines.push(trimmed);
+        }
+    }
+    return paragraphLines.join(' ').slice(0, 200);
+}
+//# sourceMappingURL=skillmd.js.map

package/dist/scanner/parsers/skillmd.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"skillmd.js","sourceRoot":"","sources":["../../../src/scanner/parsers/skillmd.ts"],"names":[],"mappings":";;;;;AAGA,oCA0BC;AA7BD,8DAAiC;AAGjC,SAAgB,YAAY,CAAC,OAAe;IAC1C,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,IAAA,qBAAM,EAAC,OAAO,CAAC,CAAC;IAEpE,4CAA4C;IAC5C,MAAM,KAAK,GAAqB,EAAE,CAAC;IACnC,IAAI,WAAW,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1D,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,KAAK,EAAE,CAAC;YACrC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC1C,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,UAAU,EAAE,IAAI,CAAC,UAAU;iBAC5B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,WAAW,CAAC,IAAI,IAAI,WAAW,CAAC,KAAK,IAAI,EAAE;QACjD,WAAW,EAAE,WAAW,CAAC,WAAW,IAAI,qBAAqB,CAAC,WAAW,CAAC;QAC1E,OAAO,EAAE,WAAW,CAAC,OAAO;QAC5B,MAAM,EAAE,WAAW,CAAC,MAAM;QAC1B,KAAK;QACL,UAAU,EAAE,OAAO;QACnB,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,cAAc,GAAa,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,eAAe;QACtD,IAAI,OAAO,KAAK,EAAE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM;QACvD,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;YACnB,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AAChD,CAAC"}

package/dist/scanner/rules/file-access.d.ts

@@ -0,0 +1,11 @@
+import { Rule, Finding, SkillMetadata, Severity } from '../../types';
+export declare class FileAccessRule implements Rule {
+    id: string;
+    name: string;
+    description: string;
+    severity: Severity;
+    private patterns;
+    check(content: string, _metadata: SkillMetadata, filePath: string): Finding[];
+    private getLineNumber;
+}
+//# sourceMappingURL=file-access.d.ts.map

package/dist/scanner/rules/file-access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-access.d.ts","sourceRoot":"","sources":["../../../src/scanner/rules/file-access.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAErE,qBAAa,cAAe,YAAW,IAAI;IACzC,EAAE,SAAiB;IACnB,IAAI,SAAsC;IAC1C,WAAW,SAAwE;IACnF,QAAQ,EAAE,QAAQ,CAAU;IAE5B,OAAO,CAAC,QAAQ,CAqCd;IAEF,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;IA2B7E,OAAO,CAAC,aAAa;CAGtB"}

package/dist/scanner/rules/file-access.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileAccessRule = void 0;
+class FileAccessRule {
+    constructor() {
+        this.id = 'file-access';
+        this.name = 'Suspicious File Access Detection';
+        this.description = 'Detects suspicious file access patterns that could exfiltrate data';
+        this.severity = 'HIGH';
+        this.patterns = [
+            {
+                name: 'path-traversal',
+                regex: /\.\.\/|\.\.\\|\.\.[\/\\]/gi,
+                severity: 'HIGH',
+                message: 'Path traversal pattern detected - may access files outside intended directory'
+            },
+            {
+                name: 'home-directory-access',
+                regex: /~\/|%HOME%|%USERPROFILE%|\$HOME/gi,
+                severity: 'HIGH',
+                message: 'Home directory access pattern detected'
+            },
+            {
+                name: 'wildcard-read',
+                regex: /\*\.\w{2,4}|\*\*\/\*|glob\s*\(/gi,
+                severity: 'MEDIUM',
+                message: 'Wildcard file pattern detected - may sweep multiple files'
+            },
+            {
+                name: 'sensitive-file-extensions',
+                regex: /\.(pem|key|crt|pfx|p12|jks|keystore|env|credentials)\b/gi,
+                severity: 'HIGH',
+                message: 'Reference to sensitive file type detected'
+            },
+            {
+                name: 'read-file-operations',
+                regex: /readFile|readFileSync|fs\.read|open\s*\(|fopen|file_get_contents/gi,
+                severity: 'LOW',
+                message: 'File read operation detected - verify intended behavior'
+            },
+            {
+                name: 'network-after-read',
+                regex: /(fetch|axios|request|http\.|https\.|XMLHttpRequest|curl|wget)/gi,
+                severity: 'MEDIUM',
+                message: 'Network operation detected - check if combined with file access'
+            }
+        ];
+    }
+    check(content, _metadata, filePath) {
+        const findings = [];
+        const lines = content.split('\n');
+        for (const pattern of this.patterns) {
+            let match;
+            const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+            while ((match = regex.exec(content)) !== null) {
+                const lineNumber = this.getLineNumber(content, match.index);
+                const contextLine = lines[lineNumber - 1] || '';
+                findings.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    severity: pattern.severity,
+                    message: `${pattern.message}: "${match[0]}"`,
+                    file: filePath,
+                    line: lineNumber,
+                    context: contextLine.trim().slice(0, 100)
+                });
+            }
+        }
+        return findings;
+    }
+    getLineNumber(content, index) {
+        return content.slice(0, index).split('\n').length;
+    }
+}
+exports.FileAccessRule = FileAccessRule;
+//# sourceMappingURL=file-access.js.map

package/dist/scanner/rules/file-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-access.js","sourceRoot":"","sources":["../../../src/scanner/rules/file-access.ts"],"names":[],"mappings":";;;AAEA,MAAa,cAAc;IAA3B;QACE,OAAE,GAAG,aAAa,CAAC;QACnB,SAAI,GAAG,kCAAkC,CAAC;QAC1C,gBAAW,GAAG,oEAAoE,CAAC;QACnF,aAAQ,GAAa,MAAM,CAAC;QAEpB,aAAQ,GAAG;YACjB;gBACE,IAAI,EAAE,gBAAgB;gBACtB,KAAK,EAAE,4BAA4B;gBACnC,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,+EAA+E;aACzF;YACD;gBACE,IAAI,EAAE,uBAAuB;gBAC7B,KAAK,EAAE,mCAAmC;gBAC1C,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,wCAAwC;aAClD;YACD;gBACE,IAAI,EAAE,eAAe;gBACrB,KAAK,EAAE,kCAAkC;gBACzC,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,2DAA2D;aACrE;YACD;gBACE,IAAI,EAAE,2BAA2B;gBACjC,KAAK,EAAE,0DAA0D;gBACjE,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,2CAA2C;aACrD;YACD;gBACE,IAAI,EAAE,sBAAsB;gBAC5B,KAAK,EAAE,oEAAoE;gBAC3E,QAAQ,EAAE,KAAiB;gBAC3B,OAAO,EAAE,yDAAyD;aACnE;YACD;gBACE,IAAI,EAAE,oBAAoB;gBAC1B,KAAK,EAAE,iEAAiE;gBACxE,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,iEAAiE;aAC3E;SACF,CAAC;IAgCJ,CAAC;IA9BC,KAAK,CAAC,OAAe,EAAE,SAAwB,EAAE,QAAgB;QAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAEpE,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC5D,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEhD,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,OAAO,EAAE,GAAG,OAAO,CAAC,OAAO,MAAM,KAAK,CAAC,CAAC,CAAC,GAAG;oBAC5C,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,UAAU;oBAChB,OAAO,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBAC1C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,KAAa;QAClD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IACpD,CAAC;CACF;AA3ED,wCA2EC"}

package/dist/scanner/rules/hidden-instructions.d.ts

@@ -0,0 +1,13 @@
+import { Rule, Finding, SkillMetadata, Severity } from '../../types';
+export declare class HiddenInstructionsRule implements Rule {
+    id: string;
+    name: string;
+    description: string;
+    severity: Severity;
+    private zeroWidthChars;
+    private patterns;
+    check(content: string, _metadata: SkillMetadata, filePath: string): Finding[];
+    private getLineNumber;
+    private sanitizeContext;
+}
+//# sourceMappingURL=hidden-instructions.d.ts.map

package/dist/scanner/rules/hidden-instructions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hidden-instructions.d.ts","sourceRoot":"","sources":["../../../src/scanner/rules/hidden-instructions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAErE,qBAAa,sBAAuB,YAAW,IAAI;IACjD,EAAE,SAAyB;IAC3B,IAAI,SAAmC;IACvC,WAAW,SAAoF;IAC/F,QAAQ,EAAE,QAAQ,CAAU;IAG5B,OAAO,CAAC,cAAc,CAOpB;IAGF,OAAO,CAAC,QAAQ,CA+Bd;IAEF,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;IA2B7E,OAAO,CAAC,aAAa;IAIrB,OAAO,CAAC,eAAe;CAQxB"}

package/dist/scanner/rules/hidden-instructions.js

@@ -0,0 +1,88 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HiddenInstructionsRule = void 0;
+class HiddenInstructionsRule {
+    constructor() {
+        this.id = 'hidden-instructions';
+        this.name = 'Hidden Instructions Detection';
+        this.description = 'Detects instructions hidden using whitespace, Unicode tricks, or HTML comments';
+        this.severity = 'HIGH';
+        // Zero-width characters that can hide text
+        this.zeroWidthChars = [
+            '\u200B', // Zero-width space
+            '\u200C', // Zero-width non-joiner
+            '\u200D', // Zero-width joiner
+            '\u2060', // Word joiner
+            '\uFEFF', // Zero-width no-break space
+            '\u00AD', // Soft hyphen
+        ];
+        // Patterns for hidden instructions
+        this.patterns = [
+            {
+                name: 'zero-width-characters',
+                regex: /[\u200B\u200C\u200D\u2060\uFEFF\u00AD]+/g,
+                severity: 'HIGH',
+                message: 'Zero-width characters detected - may hide malicious instructions'
+            },
+            {
+                name: 'html-comments',
+                regex: /<!--[\s\S]*?-->/g,
+                severity: 'MEDIUM',
+                message: 'HTML comment found - may contain hidden instructions'
+            },
+            {
+                name: 'excessive-whitespace',
+                regex: /[^\S\n]{20,}/g, // 20+ consecutive whitespace chars (not newlines)
+                severity: 'MEDIUM',
+                message: 'Excessive whitespace detected - may hide text visually'
+            },
+            {
+                name: 'unicode-homoglyphs',
+                regex: /[\u0400-\u04FF\u0370-\u03FF]/g, // Cyrillic/Greek chars that look like Latin
+                severity: 'MEDIUM',
+                message: 'Unicode homoglyphs detected - characters that look like ASCII but are different'
+            },
+            {
+                name: 'rtl-override',
+                regex: /[\u202E\u202D\u202C\u2066\u2067\u2068\u2069]/g, // RTL/LTR override characters
+                severity: 'HIGH',
+                message: 'Text direction override character detected - can reverse visible text'
+            }
+        ];
+    }
+    check(content, _metadata, filePath) {
+        const findings = [];
+        const lines = content.split('\n');
+        for (const pattern of this.patterns) {
+            let match;
+            const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+            while ((match = regex.exec(content)) !== null) {
+                const lineNumber = this.getLineNumber(content, match.index);
+                const contextLine = lines[lineNumber - 1] || '';
+                findings.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    severity: pattern.severity,
+                    message: pattern.message,
+                    file: filePath,
+                    line: lineNumber,
+                    context: this.sanitizeContext(contextLine)
+                });
+            }
+        }
+        return findings;
+    }
+    getLineNumber(content, index) {
+        return content.slice(0, index).split('\n').length;
+    }
+    sanitizeContext(line) {
+        // Replace zero-width chars with visible markers for display
+        let sanitized = line;
+        for (const char of this.zeroWidthChars) {
+            sanitized = sanitized.replace(new RegExp(char, 'g'), '[ZW]');
+        }
+        return sanitized.slice(0, 100);
+    }
+}
+exports.HiddenInstructionsRule = HiddenInstructionsRule;
+//# sourceMappingURL=hidden-instructions.js.map

package/dist/scanner/rules/hidden-instructions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hidden-instructions.js","sourceRoot":"","sources":["../../../src/scanner/rules/hidden-instructions.ts"],"names":[],"mappings":";;;AAEA,MAAa,sBAAsB;IAAnC;QACE,OAAE,GAAG,qBAAqB,CAAC;QAC3B,SAAI,GAAG,+BAA+B,CAAC;QACvC,gBAAW,GAAG,gFAAgF,CAAC;QAC/F,aAAQ,GAAa,MAAM,CAAC;QAE5B,2CAA2C;QACnC,mBAAc,GAAG;YACvB,QAAQ,EAAE,mBAAmB;YAC7B,QAAQ,EAAE,wBAAwB;YAClC,QAAQ,EAAE,oBAAoB;YAC9B,QAAQ,EAAE,cAAc;YACxB,QAAQ,EAAE,4BAA4B;YACtC,QAAQ,EAAE,cAAc;SACzB,CAAC;QAEF,mCAAmC;QAC3B,aAAQ,GAAG;YACjB;gBACE,IAAI,EAAE,uBAAuB;gBAC7B,KAAK,EAAE,0CAA0C;gBACjD,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,kEAAkE;aAC5E;YACD;gBACE,IAAI,EAAE,eAAe;gBACrB,KAAK,EAAE,kBAAkB;gBACzB,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,sDAAsD;aAChE;YACD;gBACE,IAAI,EAAE,sBAAsB;gBAC5B,KAAK,EAAE,eAAe,EAAE,kDAAkD;gBAC1E,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,wDAAwD;aAClE;YACD;gBACE,IAAI,EAAE,oBAAoB;gBAC1B,KAAK,EAAE,+BAA+B,EAAE,4CAA4C;gBACpF,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,iFAAiF;aAC3F;YACD;gBACE,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,+CAA+C,EAAE,8BAA8B;gBACtF,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,uEAAuE;aACjF;SACF,CAAC;IAyCJ,CAAC;IAvCC,KAAK,CAAC,OAAe,EAAE,SAAwB,EAAE,QAAgB;QAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAEpE,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC5D,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEhD,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,UAAU;oBAChB,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC;iBAC3C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,KAAa;QAClD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IACpD,CAAC;IAEO,eAAe,CAAC,IAAY;QAClC,4DAA4D;QAC5D,IAAI,SAAS,GAAG,IAAI,CAAC;QACrB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACvC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;CACF;AAzFD,wDAyFC"}

package/dist/scanner/rules/index.d.ts

@@ -0,0 +1,4 @@
+import { Rule } from '../../types';
+export declare function getAllRules(): Rule[];
+export declare function getRuleById(id: string): Rule | undefined;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanner/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanner/rules/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAanC,wBAAgB,WAAW,IAAI,IAAI,EAAE,CAEpC;AAED,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAExD"}

package/dist/scanner/rules/index.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAllRules = getAllRules;
+exports.getRuleById = getRuleById;
+const hidden_instructions_1 = require("./hidden-instructions");
+const file_access_1 = require("./file-access");
+const prompt_injection_1 = require("./prompt-injection");
+const sensitive_paths_1 = require("./sensitive-paths");
+const rules = [
+    new hidden_instructions_1.HiddenInstructionsRule(),
+    new file_access_1.FileAccessRule(),
+    new prompt_injection_1.PromptInjectionRule(),
+    new sensitive_paths_1.SensitivePathsRule()
+];
+function getAllRules() {
+    return rules;
+}
+function getRuleById(id) {
+    return rules.find(r => r.id === id);
+}
+//# sourceMappingURL=index.js.map

package/dist/scanner/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanner/rules/index.ts"],"names":[],"mappings":";;AAaA,kCAEC;AAED,kCAEC;AAlBD,+DAA+D;AAC/D,+CAA+C;AAC/C,yDAAyD;AACzD,uDAAuD;AAEvD,MAAM,KAAK,GAAW;IACpB,IAAI,4CAAsB,EAAE;IAC5B,IAAI,4BAAc,EAAE;IACpB,IAAI,sCAAmB,EAAE;IACzB,IAAI,oCAAkB,EAAE;CACzB,CAAC;AAEF,SAAgB,WAAW;IACzB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,WAAW,CAAC,EAAU;IACpC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACtC,CAAC"}

package/dist/scanner/rules/prompt-injection.d.ts

@@ -0,0 +1,11 @@
+import { Rule, Finding, SkillMetadata, Severity } from '../../types';
+export declare class PromptInjectionRule implements Rule {
+    id: string;
+    name: string;
+    description: string;
+    severity: Severity;
+    private patterns;
+    check(content: string, _metadata: SkillMetadata, filePath: string): Finding[];
+    private getLineNumber;
+}
+//# sourceMappingURL=prompt-injection.d.ts.map

package/dist/scanner/rules/prompt-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-injection.d.ts","sourceRoot":"","sources":["../../../src/scanner/rules/prompt-injection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAErE,qBAAa,mBAAoB,YAAW,IAAI;IAC9C,EAAE,SAAsB;IACxB,IAAI,SAAgC;IACpC,WAAW,SAAmE;IAC9E,QAAQ,EAAE,QAAQ,CAAc;IAEhC,OAAO,CAAC,QAAQ,CAoFd;IAEF,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;IAmC7E,OAAO,CAAC,aAAa;CAGtB"}

package/dist/scanner/rules/prompt-injection.js

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PromptInjectionRule = void 0;
+class PromptInjectionRule {
+    constructor() {
+        this.id = 'prompt-injection';
+        this.name = 'Prompt Injection Detection';
+        this.description = 'Detects known prompt injection patterns and override attempts';
+        this.severity = 'CRITICAL';
+        this.patterns = [
+            // Instruction override attempts
+            {
+                name: 'ignore-instructions',
+                regex: /ignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?)/gi,
+                severity: 'CRITICAL',
+                message: 'Instruction override attempt detected'
+            },
+            {
+                name: 'disregard-instructions',
+                regex: /disregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions?|prompts?|rules?)/gi,
+                severity: 'CRITICAL',
+                message: 'Instruction override attempt detected'
+            },
+            {
+                name: 'forget-instructions',
+                regex: /forget\s+(everything|all|your)\s+(you\s+)?(know|learned|were\s+told)/gi,
+                severity: 'CRITICAL',
+                message: 'Memory/instruction reset attempt detected'
+            },
+            // System prompt extraction
+            {
+                name: 'system-prompt-extraction',
+                regex: /(reveal|show|output|print|display|tell\s+me)\s+(your\s+)?(system\s+prompt|instructions|rules)/gi,
+                severity: 'CRITICAL',
+                message: 'System prompt extraction attempt detected'
+            },
+            {
+                name: 'repeat-instructions',
+                regex: /repeat\s+(your\s+)?(initial|original|system|first)\s+(instructions?|prompt|message)/gi,
+                severity: 'HIGH',
+                message: 'Instruction extraction attempt detected'
+            },
+            // Role confusion
+            {
+                name: 'role-override',
+                regex: /you\s+are\s+(now|actually|really)\s+(a|an|the)/gi,
+                severity: 'HIGH',
+                message: 'Role override attempt detected'
+            },
+            {
+                name: 'act-as',
+                regex: /act\s+as\s+(if\s+you\s+are\s+|a\s+|an\s+)?[a-z]+/gi,
+                severity: 'MEDIUM',
+                message: 'Role impersonation instruction detected'
+            },
+            {
+                name: 'pretend-to-be',
+                regex: /pretend\s+(to\s+be|you\s+are|that)/gi,
+                severity: 'MEDIUM',
+                message: 'Role impersonation instruction detected'
+            },
+            // Encoded payloads
+            {
+                name: 'base64-payload',
+                regex: /[A-Za-z0-9+/]{40,}={0,2}/g, // Long base64 strings
+                severity: 'HIGH',
+                message: 'Possible base64 encoded payload detected'
+            },
+            {
+                name: 'hex-payload',
+                regex: /\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){10,}/g, // Hex encoded strings
+                severity: 'HIGH',
+                message: 'Possible hex encoded payload detected'
+            },
+            // Jailbreak patterns
+            {
+                name: 'do-anything-now',
+                regex: /D\.?A\.?N\.?|do\s+anything\s+now/gi,
+                severity: 'CRITICAL',
+                message: 'Known jailbreak pattern (DAN) detected'
+            },
+            {
+                name: 'developer-mode',
+                regex: /developer\s+mode|dev\s+mode\s+enabled/gi,
+                severity: 'HIGH',
+                message: 'Developer mode bypass attempt detected'
+            },
+            {
+                name: 'hypothetical-bypass',
+                regex: /hypothetically|in\s+theory|just\s+pretend|for\s+educational\s+purposes/gi,
+                severity: 'MEDIUM',
+                message: 'Hypothetical framing that may bypass safety - review context'
+            }
+        ];
+    }
+    check(content, _metadata, filePath) {
+        const findings = [];
+        const lines = content.split('\n');
+        for (const pattern of this.patterns) {
+            let match;
+            const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+            while ((match = regex.exec(content)) !== null) {
+                const lineNumber = this.getLineNumber(content, match.index);
+                const contextLine = lines[lineNumber - 1] || '';
+                // Skip base64 if it looks like a legitimate data URI or well-known format
+                if (pattern.name === 'base64-payload') {
+                    const ctx = content.slice(Math.max(0, match.index - 50), match.index + match[0].length + 50);
+                    if (ctx.includes('data:image') || ctx.includes('data:application')) {
+                        continue;
+                    }
+                }
+                findings.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    severity: pattern.severity,
+                    message: `${pattern.message}: "${match[0].slice(0, 50)}${match[0].length > 50 ? '...' : ''}"`,
+                    file: filePath,
+                    line: lineNumber,
+                    context: contextLine.trim().slice(0, 100)
+                });
+            }
+        }
+        return findings;
+    }
+    getLineNumber(content, index) {
+        return content.slice(0, index).split('\n').length;
+    }
+}
+exports.PromptInjectionRule = PromptInjectionRule;
+//# sourceMappingURL=prompt-injection.js.map

package/dist/scanner/rules/prompt-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-injection.js","sourceRoot":"","sources":["../../../src/scanner/rules/prompt-injection.ts"],"names":[],"mappings":";;;AAEA,MAAa,mBAAmB;IAAhC;QACE,OAAE,GAAG,kBAAkB,CAAC;QACxB,SAAI,GAAG,4BAA4B,CAAC;QACpC,gBAAW,GAAG,+DAA+D,CAAC;QAC9E,aAAQ,GAAa,UAAU,CAAC;QAExB,aAAQ,GAAG;YACjB,gCAAgC;YAChC;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,KAAK,EAAE,sFAAsF;gBAC7F,QAAQ,EAAE,UAAsB;gBAChC,OAAO,EAAE,uCAAuC;aACjD;YACD;gBACE,IAAI,EAAE,wBAAwB;gBAC9B,KAAK,EAAE,8FAA8F;gBACrG,QAAQ,EAAE,UAAsB;gBAChC,OAAO,EAAE,uCAAuC;aACjD;YACD;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,KAAK,EAAE,wEAAwE;gBAC/E,QAAQ,EAAE,UAAsB;gBAChC,OAAO,EAAE,2CAA2C;aACrD;YACD,2BAA2B;YAC3B;gBACE,IAAI,EAAE,0BAA0B;gBAChC,KAAK,EAAE,iGAAiG;gBACxG,QAAQ,EAAE,UAAsB;gBAChC,OAAO,EAAE,2CAA2C;aACrD;YACD;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,KAAK,EAAE,uFAAuF;gBAC9F,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,yCAAyC;aACnD;YACD,iBAAiB;YACjB;gBACE,IAAI,EAAE,eAAe;gBACrB,KAAK,EAAE,kDAAkD;gBACzD,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,gCAAgC;aAC1C;YACD;gBACE,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,oDAAoD;gBAC3D,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,yCAAyC;aACnD;YACD;gBACE,IAAI,EAAE,eAAe;gBACrB,KAAK,EAAE,sCAAsC;gBAC7C,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,yCAAyC;aACnD;YACD,mBAAmB;YACnB;gBACE,IAAI,EAAE,gBAAgB;gBACtB,KAAK,EAAE,2BAA2B,EAAE,sBAAsB;gBAC1D,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,0CAA0C;aACpD;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,4CAA4C,EAAE,sBAAsB;gBAC3E,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,uCAAuC;aACjD;YACD,qBAAqB;YACrB;gBACE,IAAI,EAAE,iBAAiB;gBACvB,KAAK,EAAE,oCAAoC;gBAC3C,QAAQ,EAAE,UAAsB;gBAChC,OAAO,EAAE,wCAAwC;aAClD;YACD;gBACE,IAAI,EAAE,gBAAgB;gBACtB,KAAK,EAAE,yCAAyC;gBAChD,QAAQ,EAAE,MAAkB;gBAC5B,OAAO,EAAE,wCAAwC;aAClD;YACD;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,KAAK,EAAE,0EAA0E;gBACjF,QAAQ,EAAE,QAAoB;gBAC9B,OAAO,EAAE,8DAA8D;aACxE;SACF,CAAC;IAwCJ,CAAC;IAtCC,KAAK,CAAC,OAAe,EAAE,SAAwB,EAAE,QAAgB;QAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAEpE,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC5D,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEhD,0EAA0E;gBAC1E,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBACtC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;oBAC7F,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;wBACnE,SAAS;oBACX,CAAC;gBACH,CAAC;gBAED,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,OAAO,EAAE,GAAG,OAAO,CAAC,OAAO,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG;oBAC7F,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,UAAU;oBAChB,OAAO,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBAC1C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,KAAa;QAClD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IACpD,CAAC;CACF;AAlID,kDAkIC"}