sovr-mcp-proxy 7.0.0 → 7.2.0

package/dist/semanticAnalyzer.js

@@ -0,0 +1,911 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/semanticAnalyzer.ts
+var semanticAnalyzer_exports = {};
+__export(semanticAnalyzer_exports, {
+  BUILTIN_RULES: () => BUILTIN_RULES,
+  SemanticAnalyzer: () => SemanticAnalyzer,
+  analyzeStructure: () => analyzeStructure,
+  checkSQLType: () => checkSQLType,
+  classifyFormalFinding: () => classifyFormalFinding,
+  classifyStructuralFinding: () => classifyStructuralFinding,
+  createParanoidAnalyzer: () => createParanoidAnalyzer,
+  createSemanticAnalyzer: () => createSemanticAnalyzer,
+  findRuleCategoryByName: () => findRuleCategoryByName,
+  formalVerify: () => formalVerify,
+  runStateMachine: () => runStateMachine,
+  structuralRiskAssessment: () => structuralRiskAssessment,
+  verifyPathConstraints: () => verifyPathConstraints
+});
+module.exports = __toCommonJS(semanticAnalyzer_exports);
+var BUILTIN_RULES = [
+  // ── Data Destruction ──
+  {
+    id: "destroy-rm-rf",
+    name: "Recursive file deletion",
+    category: "data_destruction",
+    patterns: [
+      { type: "regex", value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive)\\s", target: "command" },
+      { type: "regex", value: "rm\\s+(-[a-zA-Z]*f[a-zA-Z]*r)\\s", target: "command" },
+      { type: "keyword", value: "shred", target: "command" },
+      { type: "keyword", value: "wipe", target: "command" }
+    ],
+    riskLevel: "critical",
+    priority: 100,
+    polarity: "negative"
+  },
+  {
+    id: "destroy-db-drop",
+    name: "Database destruction",
+    category: "data_destruction",
+    patterns: [
+      { type: "regex", value: "DROP\\s+(TABLE|DATABASE|SCHEMA|INDEX)", target: "arguments", caseSensitive: false },
+      { type: "regex", value: "TRUNCATE\\s+TABLE", target: "arguments", caseSensitive: false },
+      { type: "regex", value: "DELETE\\s+FROM\\s+\\w+\\s*$", target: "arguments", caseSensitive: false }
+    ],
+    riskLevel: "critical",
+    priority: 100,
+    polarity: "negative"
+  },
+  {
+    id: "destroy-format",
+    name: "Disk formatting",
+    category: "data_destruction",
+    patterns: [
+      { type: "regex", value: "mkfs\\.", target: "command" },
+      { type: "regex", value: "dd\\s+.*of=/dev/", target: "command" },
+      { type: "regex", value: "format\\s+[A-Z]:", target: "command", caseSensitive: false }
+    ],
+    riskLevel: "critical",
+    priority: 100,
+    polarity: "negative"
+  },
+  {
+    id: "destroy-find-delete",
+    name: "Find and delete (rm -rf equivalent)",
+    category: "data_destruction",
+    patterns: [
+      { type: "regex", value: "find\\s+.*-delete", target: "command" },
+      { type: "regex", value: "find\\s+.*-exec\\s+rm", target: "command" },
+      { type: "regex", value: "xargs\\s+rm", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 95,
+    polarity: "negative"
+  },
+  // ── Data Exfiltration ──
+  {
+    id: "exfil-curl-post",
+    name: "Data upload via curl/wget",
+    category: "data_exfiltration",
+    patterns: [
+      { type: "regex", value: "curl\\s+.*(-d|--data|--upload-file|-F|--form)\\s", target: "command" },
+      { type: "regex", value: "curl\\s+.*-X\\s*(POST|PUT)", target: "command", caseSensitive: false },
+      { type: "regex", value: "wget\\s+.*--post", target: "command" }
+    ],
+    riskLevel: "suspicious",
+    priority: 80,
+    polarity: "negative"
+  },
+  {
+    id: "exfil-pipe-network",
+    name: "Piping data to network",
+    category: "data_exfiltration",
+    patterns: [
+      { type: "regex", value: "cat\\s+.*\\|\\s*(nc|netcat|curl|wget)", target: "command" },
+      { type: "regex", value: "(tar|zip|gzip)\\s+.*\\|\\s*(nc|curl)", target: "command" },
+      { type: "regex", value: "base64\\s+.*\\|\\s*curl", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 90,
+    polarity: "negative"
+  },
+  {
+    id: "exfil-dns",
+    name: "DNS exfiltration",
+    category: "data_exfiltration",
+    patterns: [
+      { type: "regex", value: "dig\\s+.*\\$\\(", target: "command" },
+      { type: "regex", value: "nslookup\\s+.*\\$\\(", target: "command" }
+    ],
+    riskLevel: "critical",
+    priority: 95,
+    polarity: "negative"
+  },
+  // ── Privilege Escalation ──
+  {
+    id: "privesc-sudo",
+    name: "Privilege escalation via sudo",
+    category: "privilege_escalation",
+    patterns: [
+      { type: "regex", value: "sudo\\s+", target: "command" },
+      { type: "regex", value: "su\\s+-", target: "command" },
+      { type: "keyword", value: "doas", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 85,
+    polarity: "negative"
+  },
+  {
+    id: "privesc-chmod",
+    name: "Permission modification",
+    category: "privilege_escalation",
+    patterns: [
+      { type: "regex", value: "chmod\\s+(777|\\+s|u\\+s|g\\+s)", target: "command" },
+      { type: "regex", value: "chown\\s+root", target: "command" },
+      { type: "regex", value: "setuid", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 85,
+    polarity: "negative"
+  },
+  // ── Code Execution ──
+  {
+    id: "exec-remote",
+    name: "Remote code execution",
+    category: "code_execution",
+    patterns: [
+      { type: "regex", value: "curl\\s+.*\\|\\s*(sh|bash|python|node|perl|ruby)", target: "command" },
+      { type: "regex", value: "wget\\s+.*\\|\\s*(sh|bash)", target: "command" },
+      { type: "regex", value: "eval\\s*\\(", target: "arguments" },
+      { type: "regex", value: "exec\\s*\\(", target: "arguments" }
+    ],
+    riskLevel: "critical",
+    priority: 100,
+    polarity: "negative"
+  },
+  {
+    id: "exec-obfuscated",
+    name: "Obfuscated execution",
+    category: "code_execution",
+    patterns: [
+      { type: "regex", value: "\\$\\(.*\\)", target: "command" },
+      { type: "regex", value: "`[^`]+`", target: "command" },
+      { type: "regex", value: "base64\\s+(-d|--decode)", target: "command" },
+      { type: "regex", value: "\\\\x[0-9a-fA-F]{2}", target: "arguments" }
+    ],
+    riskLevel: "suspicious",
+    priority: 75,
+    polarity: "negative"
+  },
+  // ── Credential Access ──
+  {
+    id: "cred-env",
+    name: "Environment variable access",
+    category: "credential_access",
+    patterns: [
+      { type: "regex", value: "\\$\\{?(API_KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)", target: "command", caseSensitive: false },
+      { type: "regex", value: "printenv|env\\s*$", target: "command" },
+      { type: "regex", value: "cat\\s+.*\\.(env|secret|key|pem|crt)", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 90,
+    polarity: "negative"
+  },
+  {
+    id: "cred-ssh",
+    name: "SSH key access",
+    category: "credential_access",
+    patterns: [
+      { type: "regex", value: "cat\\s+.*\\.ssh/(id_rsa|id_ed25519|authorized_keys)", target: "command" },
+      { type: "regex", value: "ssh-keygen", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 85,
+    polarity: "negative"
+  },
+  // ── Financial Operations ──
+  {
+    id: "finance-payment",
+    name: "Payment/transfer operation",
+    category: "financial_operation",
+    patterns: [
+      { type: "keyword", value: "payment", target: "tool_name" },
+      { type: "keyword", value: "transfer", target: "tool_name" },
+      { type: "keyword", value: "checkout", target: "tool_name" },
+      { type: "keyword", value: "invoice", target: "tool_name" }
+    ],
+    riskLevel: "dangerous",
+    priority: 90,
+    polarity: "negative"
+  },
+  // ── Network Access ──
+  {
+    id: "net-reverse-shell",
+    name: "Reverse shell attempt",
+    category: "network_access",
+    patterns: [
+      { type: "regex", value: "(nc|netcat|ncat)\\s+.*-e\\s", target: "command" },
+      { type: "regex", value: "bash\\s+-i\\s+>\\s*&\\s*/dev/tcp/", target: "command" },
+      { type: "regex", value: "/dev/(tcp|udp)/", target: "command" }
+    ],
+    riskLevel: "critical",
+    priority: 100,
+    polarity: "negative"
+  },
+  // ── System Modification ──
+  {
+    id: "sys-service",
+    name: "System service modification",
+    category: "system_modification",
+    patterns: [
+      { type: "regex", value: "systemctl\\s+(stop|disable|mask|restart)", target: "command" },
+      { type: "regex", value: "service\\s+\\w+\\s+(stop|restart)", target: "command" },
+      { type: "regex", value: "crontab\\s+-[er]", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 80,
+    polarity: "negative"
+  },
+  // ── File Modification ──
+  {
+    id: "file-write-system",
+    name: "System file modification",
+    category: "file_modification",
+    patterns: [
+      { type: "regex", value: "(>|>>)\\s*/etc/", target: "command" },
+      { type: "regex", value: "tee\\s+(-a\\s+)?/etc/", target: "command" },
+      { type: "regex", value: "sed\\s+-i.*\\s+/etc/", target: "command" }
+    ],
+    riskLevel: "dangerous",
+    priority: 85,
+    polarity: "negative"
+  },
+  // ── Benign / Read-only ──
+  {
+    id: "safe-read",
+    name: "Read-only operation",
+    category: "read_only",
+    patterns: [
+      { type: "regex", value: "^(ls|cat|head|tail|less|more|wc|file|stat|du|df)\\s", target: "command" },
+      { type: "regex", value: "^(echo|printf|date|whoami|hostname|uname|pwd)\\s*", target: "command" },
+      { type: "regex", value: "^(grep|awk|sed|sort|uniq|cut|tr)\\s", target: "command" },
+      { type: "regex", value: "^SELECT\\s", target: "arguments", caseSensitive: false }
+    ],
+    riskLevel: "safe",
+    priority: 10,
+    polarity: "positive"
+  }
+];
+function analyzeStructure(command) {
+  const pipes = command.split(/(?<![|])\|(?![|])/).map((s) => s.trim()).filter(Boolean);
+  const redirections = [...command.matchAll(/(>{1,2})\s*(\S+)/g)].map((m) => m[2]);
+  const subshells = [...command.matchAll(/\$\(([^)]+)\)/g)].map((m) => m[1]);
+  const backtickSubs = [...command.matchAll(/`([^`]+)`/g)].map((m) => m[1]);
+  const filePaths = [...command.matchAll(/(?:^|\s)(\/[\w./-]+)/g)].map((m) => m[1]);
+  const networkTargets = [
+    ...command.matchAll(/https?:\/\/[\w./:@-]+/g),
+    ...command.matchAll(/(\d{1,3}\.){3}\d{1,3}(:\d+)?/g)
+  ].map((m) => m[0]);
+  const envVars = [...command.matchAll(/\$\{?([A-Z_][A-Z0-9_]*)\}?/g)].map((m) => m[1]);
+  let complexity = 0;
+  complexity += pipes.length * 10;
+  complexity += redirections.length * 8;
+  complexity += (subshells.length + backtickSubs.length) * 15;
+  complexity += envVars.length * 3;
+  complexity += networkTargets.length * 12;
+  complexity += command.length > 200 ? 20 : command.length > 100 ? 10 : 0;
+  return {
+    pipes,
+    redirections,
+    subshells: [...subshells, ...backtickSubs],
+    filePaths,
+    networkTargets,
+    envVars,
+    complexity
+  };
+}
+function structuralRiskAssessment(structure) {
+  const findings = [];
+  let riskScore = 0;
+  if (structure.pipes.length > 3) {
+    findings.push(`Long pipe chain (${structure.pipes.length} segments) \u2014 potential obfuscation`);
+    riskScore += 15;
+  }
+  if (structure.subshells.length > 0) {
+    findings.push(`Command substitution detected (${structure.subshells.length} instances)`);
+    riskScore += structure.subshells.length * 10;
+  }
+  const sensitivePaths = structure.filePaths.filter(
+    (p) => /\/(etc|root|\.ssh|\.gnupg|\.aws|\.config|proc|sys|dev)\//.test(p)
+  );
+  if (sensitivePaths.length > 0) {
+    findings.push(`Sensitive paths accessed: ${sensitivePaths.join(", ")}`);
+    riskScore += sensitivePaths.length * 15;
+  }
+  if (structure.networkTargets.length > 0) {
+    findings.push(`Network targets: ${structure.networkTargets.join(", ")}`);
+    riskScore += 10;
+  }
+  if (structure.complexity > 50) {
+    findings.push(`High command complexity (score: ${structure.complexity})`);
+    riskScore += 10;
+  }
+  if (structure.redirections.length > 1) {
+    findings.push(`Multiple redirections (${structure.redirections.length})`);
+    riskScore += 5;
+  }
+  const sensitiveEnvVars = structure.envVars.filter(
+    (v) => /(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|PRIVATE)/i.test(v)
+  );
+  if (sensitiveEnvVars.length > 0) {
+    findings.push(`Sensitive env vars referenced: ${sensitiveEnvVars.join(", ")}`);
+    riskScore += sensitiveEnvVars.length * 12;
+  }
+  riskScore = Math.min(riskScore, 100);
+  let riskLevel;
+  if (riskScore < 20) riskLevel = "safe";
+  else if (riskScore < 45) riskLevel = "suspicious";
+  else if (riskScore < 70) riskLevel = "dangerous";
+  else riskLevel = "critical";
+  return {
+    riskLevel,
+    riskScore,
+    confidence: 0.7,
+    findings
+  };
+}
+var STATE_TRANSITIONS = [
+  // safe → elevated
+  { from: "safe", trigger: "sudo/su detected", to: "elevated", pattern: /\b(sudo|su\s+-|doas)\b/ },
+  { from: "safe", trigger: "write operation detected", to: "elevated", pattern: /\b(mv|cp|tee|sed\s+-i|chmod|chown)\b/ },
+  { from: "safe", trigger: "network write detected", to: "elevated", pattern: /\bcurl\s+.*(-d|--data|-X\s*(POST|PUT|DELETE))/i },
+  // elevated → destructive
+  { from: "elevated", trigger: "delete operation detected", to: "destructive", pattern: /\b(rm|unlink|rmdir)\b/ },
+  { from: "elevated", trigger: "database write detected", to: "destructive", pattern: /\b(INSERT|UPDATE|DELETE|ALTER)\b/i },
+  { from: "elevated", trigger: "service modification detected", to: "destructive", pattern: /\b(systemctl|service)\s+(stop|disable|restart)\b/ },
+  // safe → destructive (direct jump for known dangerous patterns)
+  { from: "safe", trigger: "direct delete detected", to: "destructive", pattern: /\brm\s+-[a-zA-Z]*r/ },
+  { from: "safe", trigger: "database mutation detected", to: "destructive", pattern: /\b(DELETE\s+FROM|UPDATE\s+\w+\s+SET)\b/i },
+  // destructive → irreversible
+  { from: "destructive", trigger: "recursive force delete", to: "irreversible", pattern: /\brm\s+-[a-zA-Z]*r[a-zA-Z]*f\b/ },
+  { from: "destructive", trigger: "DROP/TRUNCATE detected", to: "irreversible", pattern: /\b(DROP|TRUNCATE)\s+(TABLE|DATABASE|SCHEMA)\b/i },
+  { from: "destructive", trigger: "disk format detected", to: "irreversible", pattern: /\b(mkfs|dd\s+.*of=\/dev\/)\b/ },
+  // elevated → irreversible (direct jump)
+  { from: "elevated", trigger: "sudo + recursive delete", to: "irreversible", pattern: /sudo\s+rm\s+-[a-zA-Z]*r[a-zA-Z]*f/ },
+  { from: "elevated", trigger: "sudo + DROP", to: "irreversible", pattern: /sudo\s+.*\b(DROP|TRUNCATE)\b/i },
+  // safe → irreversible (worst case direct jump)
+  { from: "safe", trigger: "rm -rf / detected", to: "irreversible", pattern: /rm\s+-[a-zA-Z]*r[a-zA-Z]*f\s+\// },
+  { from: "safe", trigger: "DROP TABLE without conditions", to: "irreversible", pattern: /DROP\s+(TABLE|DATABASE)\b/i }
+];
+function verifyPathConstraints(command, filePaths, allowedPaths) {
+  const results = [];
+  const getOperation = (cmd, path) => {
+    if (/\b(rm|unlink|rmdir|shred)\b/.test(cmd)) return "delete";
+    if (/\b(mv|cp|tee|sed\s+-i|chmod|chown|mkdir|touch)\b/.test(cmd)) return "write";
+    if (/\b(>|>>)/.test(cmd)) return "write";
+    if (/\b(sh|bash|python|node|perl|ruby|exec)\b/.test(cmd)) return "execute";
+    return "read";
+  };
+  for (const filePath of filePaths) {
+    const operation = getOperation(command, filePath);
+    const normalizedPath = normalizePath(filePath);
+    let withinBounds = false;
+    if (allowedPaths.length === 0) {
+      withinBounds = operation === "read" || !isSystemPath(normalizedPath);
+    } else {
+      withinBounds = allowedPaths.some(
+        (allowed) => normalizedPath.startsWith(normalizePath(allowed))
+      );
+    }
+    if ((operation === "write" || operation === "delete") && isSystemPath(normalizedPath)) {
+      withinBounds = false;
+    }
+    const constraint = {
+      path: filePath,
+      operation,
+      withinBounds
+    };
+    if (!withinBounds) {
+      constraint.violation = `${operation} operation on "${filePath}" is outside allowed boundaries`;
+    }
+    results.push(constraint);
+  }
+  return results;
+}
+function normalizePath(p) {
+  const parts = p.split("/").filter(Boolean);
+  const resolved = [];
+  for (const part of parts) {
+    if (part === "..") resolved.pop();
+    else if (part !== ".") resolved.push(part);
+  }
+  return "/" + resolved.join("/");
+}
+function isSystemPath(p) {
+  const systemPrefixes = [
+    "/etc/",
+    "/usr/",
+    "/bin/",
+    "/sbin/",
+    "/boot/",
+    "/proc/",
+    "/sys/",
+    "/dev/",
+    "/root/",
+    "/var/log/",
+    "/var/run/"
+  ];
+  return systemPrefixes.some((prefix) => p.startsWith(prefix));
+}
+function checkSQLType(sql, safeTables) {
+  const trimmed = sql.trim().toUpperCase();
+  let statementType = "UNKNOWN";
+  if (trimmed.startsWith("SELECT")) statementType = "SELECT";
+  else if (trimmed.startsWith("INSERT")) statementType = "INSERT";
+  else if (trimmed.startsWith("UPDATE")) statementType = "UPDATE";
+  else if (trimmed.startsWith("DELETE")) statementType = "DELETE";
+  else if (trimmed.startsWith("DROP")) statementType = "DROP";
+  else if (trimmed.startsWith("CREATE")) statementType = "CREATE";
+  else if (trimmed.startsWith("ALTER")) statementType = "ALTER";
+  else if (trimmed.startsWith("TRUNCATE")) statementType = "TRUNCATE";
+  const hasWhereClause = /\bWHERE\b/i.test(sql);
+  const tableMatches = [
+    ...sql.matchAll(/\bFROM\s+`?(\w+)`?/gi),
+    ...sql.matchAll(/\bINTO\s+`?(\w+)`?/gi),
+    ...sql.matchAll(/\bUPDATE\s+`?(\w+)`?/gi),
+    ...sql.matchAll(/\bTABLE\s+`?(\w+)`?/gi),
+    ...sql.matchAll(/\bJOIN\s+`?(\w+)`?/gi)
+  ];
+  const tables = [...new Set(tableMatches.map((m) => m[1].toLowerCase()))];
+  const tablesAreSafe = safeTables.length === 0 || tables.every(
+    (t) => safeTables.map((s) => s.toLowerCase()).includes(t)
+  );
+  const violations = [];
+  if ((statementType === "UPDATE" || statementType === "DELETE") && !hasWhereClause) {
+    violations.push(`${statementType} without WHERE clause \u2014 will affect ALL rows`);
+  }
+  if (statementType === "DROP" || statementType === "TRUNCATE") {
+    violations.push(`${statementType} is an irreversible operation`);
+  }
+  if (!tablesAreSafe && tables.length > 0) {
+    violations.push(`Tables not in safe list: ${tables.join(", ")}`);
+  }
+  const statementCount = sql.split(";").filter((s) => s.trim().length > 0).length;
+  if (statementCount > 1) {
+    violations.push(`Multiple SQL statements detected (${statementCount}) \u2014 potential injection`);
+  }
+  return {
+    statementType,
+    hasWhereClause,
+    tables,
+    tablesAreSafe,
+    violations
+  };
+}
+function runStateMachine(command) {
+  let currentState = "safe";
+  const transitions = [];
+  const stateOrder = {
+    safe: 0,
+    elevated: 1,
+    destructive: 2,
+    irreversible: 3
+  };
+  for (const transition of STATE_TRANSITIONS) {
+    if (transition.pattern.test(command)) {
+      if (stateOrder[transition.to] > stateOrder[currentState]) {
+        if (transition.from === currentState || stateOrder[transition.from] <= stateOrder[currentState]) {
+          transitions.push({
+            trigger: transition.trigger,
+            from: currentState,
+            to: transition.to
+          });
+          currentState = transition.to;
+        }
+      }
+    }
+  }
+  return { finalState: currentState, transitions };
+}
+function formalVerify(command, args, structure, config) {
+  const findings = [];
+  let riskScore = 0;
+  const pathViolations = verifyPathConstraints(command, structure.filePaths, config.allowedPaths);
+  const violations = pathViolations.filter((p) => !p.withinBounds);
+  if (violations.length > 0) {
+    for (const v of violations) {
+      findings.push(`PATH VIOLATION: ${v.violation}`);
+    }
+    riskScore += violations.length * 20;
+  }
+  const { finalState, transitions } = runStateMachine(command);
+  const stateScores = {
+    safe: 0,
+    elevated: 25,
+    destructive: 60,
+    irreversible: 95
+  };
+  riskScore = Math.max(riskScore, stateScores[finalState]);
+  if (transitions.length > 0) {
+    findings.push(`State machine: ${transitions.map((t) => `${t.from}\u2192${t.to} (${t.trigger})`).join(", ")}`);
+  }
+  if (finalState === "irreversible") {
+    findings.push(`FORMAL PROOF: Command reaches IRREVERSIBLE state \u2014 cannot be undone`);
+  }
+  let sqlCheck;
+  const sqlContent = extractSQL(args);
+  if (sqlContent) {
+    sqlCheck = checkSQLType(sqlContent, config.safeTables);
+    if (sqlCheck.violations.length > 0) {
+      for (const v of sqlCheck.violations) {
+        findings.push(`SQL VIOLATION: ${v}`);
+      }
+      riskScore += sqlCheck.violations.length * 25;
+    }
+  }
+  const complexityExceeded = structure.complexity > config.maxComplexity;
+  if (complexityExceeded) {
+    findings.push(`COMPLEXITY EXCEEDED: ${structure.complexity} > ${config.maxComplexity} threshold`);
+    riskScore += 15;
+  }
+  riskScore = Math.min(riskScore, 100);
+  return {
+    pathViolations,
+    finalState,
+    transitions,
+    sqlCheck,
+    complexityScore: structure.complexity,
+    complexityExceeded,
+    riskScore,
+    findings
+  };
+}
+function extractSQL(args) {
+  for (const key of ["query", "sql", "statement", "command"]) {
+    if (typeof args[key] === "string") {
+      const val = args[key];
+      if (/\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|TRUNCATE)\b/i.test(val)) {
+        return val;
+      }
+    }
+  }
+  return null;
+}
+function findRuleCategoryByName(ruleName, rules) {
+  const rule = rules.find((r) => r.name === ruleName);
+  return rule?.category ?? "code_execution";
+}
+function classifyStructuralFinding(finding) {
+  if (/sensitive\s*path/i.test(finding)) return "file_modification";
+  if (/network\s*target/i.test(finding)) return "network_access";
+  if (/pipe\s*chain|command\s*substitution/i.test(finding)) return "code_execution";
+  if (/redirect/i.test(finding)) return "file_modification";
+  if (/complex/i.test(finding)) return "code_execution";
+  if (/env\s*var/i.test(finding)) return "credential_access";
+  return "code_execution";
+}
+function classifyFormalFinding(finding) {
+  if (/PATH\s*VIOLATION/i.test(finding)) return "file_modification";
+  if (/SQL\s*VIOLATION/i.test(finding)) return "data_destruction";
+  if (/IRREVERSIBLE/i.test(finding)) return "data_destruction";
+  if (/COMPLEXITY/i.test(finding)) return "code_execution";
+  if (/state\s*machine.*destructive/i.test(finding)) return "data_destruction";
+  if (/state\s*machine.*elevated/i.test(finding)) return "privilege_escalation";
+  return "system_modification";
+}
+var SemanticAnalyzer = class {
+  config;
+  rules;
+  constructor(config = {}) {
+    this.config = {
+      customRules: config.customRules ?? [],
+      enableStructural: config.enableStructural ?? true,
+      enableFormalVerification: config.enableFormalVerification ?? true,
+      sensitivity: config.sensitivity ?? "medium",
+      allowedPaths: config.allowedPaths ?? [],
+      safeTables: config.safeTables ?? [],
+      maxComplexity: config.maxComplexity ?? 80
+    };
+    this.rules = [...BUILTIN_RULES, ...this.config.customRules].sort((a, b) => b.priority - a.priority);
+  }
+  /**
+   * Analyze a tool call for security risks.
+   * All three layers are deterministic — zero LLM dependency.
+   */
+  async analyze(toolName, args) {
+    const startTime = Date.now();
+    const ruleResult = this.analyzeWithRules(toolName, args);
+    let structuralResult = { riskLevel: "safe", riskScore: 0, confidence: 0, findings: [] };
+    let structure = null;
+    const command = this.extractCommand(toolName, args);
+    if (this.config.enableStructural && command) {
+      structure = analyzeStructure(command);
+      structuralResult = structuralRiskAssessment(structure);
+    }
+    let formalResult;
+    if (this.config.enableFormalVerification && command) {
+      const struct = structure ?? analyzeStructure(command);
+      const fv = formalVerify(command, args, struct, this.config);
+      formalResult = {
+        riskLevel: fv.riskScore >= 70 ? "critical" : fv.riskScore >= 45 ? "dangerous" : fv.riskScore >= 20 ? "suspicious" : "safe",
+        riskScore: fv.riskScore,
+        confidence: 0.95,
+        // Formal verification has highest confidence — it's math, not guessing
+        findings: fv.findings
+      };
+    }
+    const intents = this.collectIntents(ruleResult, structuralResult, formalResult);
+    const finalResult = this.combineResults(ruleResult, structuralResult, formalResult);
+    return {
+      ...finalResult,
+      intents,
+      layers: {
+        rules: ruleResult,
+        structural: structuralResult,
+        formal: formalResult
+      },
+      durationMs: Date.now() - startTime
+    };
+  }
+  /** Quick synchronous check (Layer 1 only, for hot path) */
+  quickCheck(toolName, args) {
+    const result = this.analyzeWithRules(toolName, args);
+    return {
+      riskLevel: result.riskLevel,
+      riskScore: result.riskScore,
+      topFinding: result.findings[0] || "No findings"
+    };
+  }
+  /** Add custom rules at runtime */
+  addRule(rule) {
+    this.rules.push(rule);
+    this.rules.sort((a, b) => b.priority - a.priority);
+  }
+  /** Get all active rules */
+  getRules() {
+    return [...this.rules];
+  }
+  // ─── Private ─────────────────────────────────────────────────────────────
+  analyzeWithRules(toolName, args) {
+    const findings = [];
+    let maxRiskScore = 0;
+    let maxRiskLevel = "safe";
+    let hasPositiveMatch = false;
+    const argsStr = JSON.stringify(args);
+    const command = this.extractCommand(toolName, args);
+    for (const rule of this.rules) {
+      let matched = false;
+      for (const pattern of rule.patterns) {
+        const target = this.getPatternTarget(pattern.target, toolName, command, argsStr);
+        if (!target) continue;
+        switch (pattern.type) {
+          case "regex": {
+            const flags = pattern.caseSensitive === false ? "i" : "";
+            const regex = new RegExp(pattern.value, flags);
+            if (regex.test(target)) matched = true;
+            break;
+          }
+          case "keyword": {
+            const searchIn = pattern.caseSensitive ? target : target.toLowerCase();
+            const searchFor = pattern.caseSensitive ? pattern.value : pattern.value.toLowerCase();
+            if (searchIn.includes(searchFor)) matched = true;
+            break;
+          }
+          case "sequence": {
+            const keywords = pattern.value.split(",").map((k) => k.trim());
+            let lastIndex = -1;
+            let allFound = true;
+            for (const kw of keywords) {
+              const idx = target.indexOf(kw, lastIndex + 1);
+              if (idx === -1) {
+                allFound = false;
+                break;
+              }
+              lastIndex = idx;
+            }
+            if (allFound) matched = true;
+            break;
+          }
+        }
+        if (matched) break;
+      }
+      if (matched) {
+        if (rule.polarity === "positive") {
+          hasPositiveMatch = true;
+          findings.push(`\u2713 ${rule.name}`);
+        } else {
+          findings.push(`\u2717 ${rule.name} [${rule.riskLevel}]`);
+          const ruleScore = this.riskLevelToScore(rule.riskLevel);
+          if (ruleScore > maxRiskScore) {
+            maxRiskScore = ruleScore;
+            maxRiskLevel = rule.riskLevel;
+          }
+        }
+      }
+    }
+    maxRiskScore = this.applySensitivity(maxRiskScore);
+    if (hasPositiveMatch && maxRiskScore === 0) {
+      return { riskLevel: "safe", riskScore: 0, confidence: 0.9, findings };
+    }
+    return {
+      riskLevel: maxRiskLevel,
+      riskScore: maxRiskScore,
+      confidence: findings.length > 0 ? 0.85 : 0.5,
+      findings
+    };
+  }
+  extractCommand(toolName, args) {
+    for (const key of ["command", "cmd", "query", "sql", "script", "code", "input"]) {
+      if (typeof args[key] === "string") return args[key];
+    }
+    if (["bash", "shell", "exec", "run_command"].includes(toolName.toLowerCase())) {
+      const firstStr = Object.values(args).find((v) => typeof v === "string");
+      if (firstStr) return firstStr;
+    }
+    return null;
+  }
+  getPatternTarget(target, toolName, command, argsStr) {
+    switch (target) {
+      case "tool_name":
+        return toolName;
+      case "command":
+        return command;
+      case "arguments":
+        return argsStr;
+      case "full_context":
+        return `${toolName} ${command || ""} ${argsStr}`;
+      default:
+        return null;
+    }
+  }
+  riskLevelToScore(level) {
+    switch (level) {
+      case "safe":
+        return 0;
+      case "suspicious":
+        return 35;
+      case "dangerous":
+        return 65;
+      case "critical":
+        return 90;
+      default:
+        return 50;
+    }
+  }
+  applySensitivity(score) {
+    switch (this.config.sensitivity) {
+      case "low":
+        return Math.max(0, score - 15);
+      case "medium":
+        return score;
+      case "high":
+        return Math.min(100, score + 10);
+      case "paranoid":
+        return Math.min(100, score + 25);
+    }
+  }
+  /**
+   * Collect intents with CORRECT IntentCategory mapping.
+   * 
+   * BUG FIX: Previously all intents were mapped to 'code_execution'.
+   * Now we properly extract the category from:
+   *   - Rule findings → look up the matched rule's category
+   *   - Structural findings → classify based on finding content
+   *   - Formal findings → classify based on violation type
+   */
+  collectIntents(ruleResult, structuralResult, formalResult) {
+    const intents = [];
+    for (const finding of ruleResult.findings) {
+      if (finding.startsWith("\u2717")) {
+        const match = finding.match(/✗ (.+) \[(\w+)\]/);
+        if (match) {
+          const ruleName = match[1];
+          const category = findRuleCategoryByName(ruleName, this.rules);
+          intents.push({
+            category,
+            description: ruleName,
+            confidence: ruleResult.confidence,
+            source: "rule",
+            evidence: [finding]
+          });
+        }
+      }
+    }
+    for (const finding of structuralResult.findings) {
+      const category = classifyStructuralFinding(finding);
+      intents.push({
+        category,
+        description: finding,
+        confidence: structuralResult.confidence,
+        source: "structural",
+        evidence: [finding]
+      });
+    }
+    if (formalResult) {
+      for (const finding of formalResult.findings) {
+        const category = classifyFormalFinding(finding);
+        intents.push({
+          category,
+          description: finding,
+          confidence: formalResult.confidence,
+          source: "formal",
+          evidence: [finding]
+        });
+      }
+    }
+    return intents;
+  }
+  combineResults(ruleResult, structuralResult, formalResult) {
+    const ruleWeight = 0.35;
+    const structWeight = 0.25;
+    const formalWeight = formalResult ? 0.4 : 0;
+    const normalizer = ruleWeight + structWeight + formalWeight;
+    const combinedScore = Math.round(
+      (ruleResult.riskScore * ruleWeight + structuralResult.riskScore * structWeight + (formalResult?.riskScore ?? 0) * formalWeight) / normalizer
+    );
+    const levels = [ruleResult.riskLevel, structuralResult.riskLevel, formalResult?.riskLevel].filter(Boolean);
+    const levelOrder = { safe: 0, suspicious: 1, dangerous: 2, critical: 3 };
+    const maxLevel = levels.reduce(
+      (max, l) => (levelOrder[l] ?? 0) > (levelOrder[max] ?? 0) ? l : max,
+      "safe"
+    );
+    const confidence = Math.round(
+      (ruleResult.confidence * ruleWeight + structuralResult.confidence * structWeight + (formalResult?.confidence ?? 0) * formalWeight) / normalizer * 100
+    ) / 100;
+    let recommendation;
+    if (combinedScore < 20) recommendation = "allow";
+    else if (combinedScore < 45) recommendation = "warn";
+    else if (combinedScore < 70) recommendation = "require-approval";
+    else recommendation = "block";
+    const allFindings = [
+      ...ruleResult.findings,
+      ...structuralResult.findings,
+      ...formalResult?.findings ?? []
+    ];
+    const explanation = allFindings.length > 0 ? `Risk: ${maxLevel} (score: ${combinedScore}). Findings: ${allFindings.slice(0, 3).join("; ")}` : `Risk: ${maxLevel} (score: ${combinedScore}). No specific findings.`;
+    return {
+      riskLevel: maxLevel,
+      riskScore: combinedScore,
+      confidence,
+      recommendation,
+      explanation
+    };
+  }
+};
+function createSemanticAnalyzer(overrides = {}) {
+  return new SemanticAnalyzer(overrides);
+}
+function createParanoidAnalyzer(config) {
+  return new SemanticAnalyzer({
+    enableStructural: true,
+    enableFormalVerification: true,
+    sensitivity: "paranoid",
+    maxComplexity: 40,
+    allowedPaths: config?.allowedPaths ?? [],
+    safeTables: config?.safeTables ?? []
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  BUILTIN_RULES,
+  SemanticAnalyzer,
+  analyzeStructure,
+  checkSQLType,
+  classifyFormalFinding,
+  classifyStructuralFinding,
+  createParanoidAnalyzer,
+  createSemanticAnalyzer,
+  findRuleCategoryByName,
+  formalVerify,
+  runStateMachine,
+  structuralRiskAssessment,
+  verifyPathConstraints
+});