toolip 1.0.6 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (308) hide show
  1. package/README.md +189 -448
  2. package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
  3. package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
  4. package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
  5. package/dist/src/analyzers/ast/rules.d.ts +48 -0
  6. package/dist/src/analyzers/ast/rules.js +39 -0
  7. package/dist/src/analyzers/ast/rules.js.map +1 -0
  8. package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
  9. package/dist/src/analyzers/ast/source-analysis.js +225 -0
  10. package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
  11. package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
  12. package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
  13. package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
  14. package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
  15. package/dist/src/analyzers/docker/analyzer.js +103 -0
  16. package/dist/src/analyzers/docker/analyzer.js.map +1 -0
  17. package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
  18. package/dist/src/analyzers/git-history/analyzer.js +157 -0
  19. package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
  20. package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
  21. package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
  22. package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
  23. package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
  24. package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
  25. package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
  26. package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
  27. package/dist/src/analyzers/reachability/import-graph.js +110 -0
  28. package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
  29. package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
  30. package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
  31. package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
  32. package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
  33. package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
  34. package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
  35. package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
  36. package/dist/src/analyzers/vulnerability/severity.js +13 -0
  37. package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
  38. package/dist/src/application/analyzer-runner.d.ts +12 -0
  39. package/dist/src/application/analyzer-runner.js +45 -0
  40. package/dist/src/application/analyzer-runner.js.map +1 -0
  41. package/dist/src/commands/alternatives.d.ts +2 -0
  42. package/dist/src/commands/alternatives.js +17 -0
  43. package/dist/src/commands/alternatives.js.map +1 -0
  44. package/dist/src/commands/announce.d.ts +2 -0
  45. package/dist/src/commands/announce.js +27 -0
  46. package/dist/src/commands/announce.js.map +1 -0
  47. package/dist/src/commands/ast-scan.d.ts +2 -0
  48. package/dist/src/commands/ast-scan.js +86 -0
  49. package/dist/src/commands/ast-scan.js.map +1 -0
  50. package/dist/src/commands/audit-repo.d.ts +2 -0
  51. package/dist/src/commands/audit-repo.js +20 -0
  52. package/dist/src/commands/audit-repo.js.map +1 -0
  53. package/dist/src/commands/compare.d.ts +2 -0
  54. package/dist/src/commands/compare.js +19 -0
  55. package/dist/src/commands/compare.js.map +1 -0
  56. package/dist/src/commands/config.d.ts +2 -0
  57. package/dist/src/commands/config.js +69 -0
  58. package/dist/src/commands/config.js.map +1 -0
  59. package/dist/src/commands/dependency-confusion.d.ts +2 -0
  60. package/dist/src/commands/dependency-confusion.js +37 -0
  61. package/dist/src/commands/dependency-confusion.js.map +1 -0
  62. package/dist/src/commands/diff.d.ts +2 -0
  63. package/dist/src/commands/diff.js +24 -0
  64. package/dist/src/commands/diff.js.map +1 -0
  65. package/dist/src/commands/docker-scan.d.ts +2 -0
  66. package/dist/src/commands/docker-scan.js +34 -0
  67. package/dist/src/commands/docker-scan.js.map +1 -0
  68. package/dist/src/commands/doctor.d.ts +2 -0
  69. package/dist/src/commands/doctor.js +42 -0
  70. package/dist/src/commands/doctor.js.map +1 -0
  71. package/dist/src/commands/git-audit.d.ts +2 -0
  72. package/dist/src/commands/git-audit.js +37 -0
  73. package/dist/src/commands/git-audit.js.map +1 -0
  74. package/dist/src/commands/git-history.d.ts +2 -0
  75. package/dist/src/commands/git-history.js +40 -0
  76. package/dist/src/commands/git-history.js.map +1 -0
  77. package/dist/src/commands/history.d.ts +2 -0
  78. package/dist/src/commands/history.js +69 -0
  79. package/dist/src/commands/history.js.map +1 -0
  80. package/dist/src/commands/hook.d.ts +2 -0
  81. package/dist/src/commands/hook.js +16 -0
  82. package/dist/src/commands/hook.js.map +1 -0
  83. package/dist/src/commands/inspect.d.ts +2 -0
  84. package/dist/src/commands/inspect.js +24 -0
  85. package/dist/src/commands/inspect.js.map +1 -0
  86. package/dist/src/commands/install-scripts.d.ts +2 -0
  87. package/dist/src/commands/install-scripts.js +52 -0
  88. package/dist/src/commands/install-scripts.js.map +1 -0
  89. package/dist/src/commands/learn.d.ts +2 -0
  90. package/dist/src/commands/learn.js +42 -0
  91. package/dist/src/commands/learn.js.map +1 -0
  92. package/dist/src/commands/licenses.d.ts +2 -0
  93. package/dist/src/commands/licenses.js +40 -0
  94. package/dist/src/commands/licenses.js.map +1 -0
  95. package/dist/src/commands/mcp.d.ts +2 -0
  96. package/dist/src/commands/mcp.js +10 -0
  97. package/dist/src/commands/mcp.js.map +1 -0
  98. package/dist/src/commands/monorepo.d.ts +2 -0
  99. package/dist/src/commands/monorepo.js +21 -0
  100. package/dist/src/commands/monorepo.js.map +1 -0
  101. package/dist/src/commands/package-health.d.ts +2 -0
  102. package/dist/src/commands/package-health.js +50 -0
  103. package/dist/src/commands/package-health.js.map +1 -0
  104. package/dist/src/commands/pre-commit.d.ts +2 -0
  105. package/dist/src/commands/pre-commit.js +37 -0
  106. package/dist/src/commands/pre-commit.js.map +1 -0
  107. package/dist/src/commands/profile.d.ts +2 -0
  108. package/dist/src/commands/profile.js +18 -0
  109. package/dist/src/commands/profile.js.map +1 -0
  110. package/dist/src/commands/publish.d.ts +2 -0
  111. package/dist/src/commands/publish.js +25 -0
  112. package/dist/src/commands/publish.js.map +1 -0
  113. package/dist/src/commands/reachability.d.ts +2 -0
  114. package/dist/src/commands/reachability.js +47 -0
  115. package/dist/src/commands/reachability.js.map +1 -0
  116. package/dist/src/commands/sbom.d.ts +2 -0
  117. package/dist/src/commands/sbom.js +33 -0
  118. package/dist/src/commands/sbom.js.map +1 -0
  119. package/dist/src/commands/scan.d.ts +2 -0
  120. package/dist/src/commands/scan.js +48 -0
  121. package/dist/src/commands/scan.js.map +1 -0
  122. package/dist/src/commands/score.d.ts +2 -0
  123. package/dist/src/commands/score.js +24 -0
  124. package/dist/src/commands/score.js.map +1 -0
  125. package/dist/src/commands/self-test.d.ts +2 -0
  126. package/dist/src/commands/self-test.js +63 -0
  127. package/dist/src/commands/self-test.js.map +1 -0
  128. package/dist/src/commands/tree.d.ts +2 -0
  129. package/dist/src/commands/tree.js +21 -0
  130. package/dist/src/commands/tree.js.map +1 -0
  131. package/dist/src/commands/upgrade-pr.d.ts +2 -0
  132. package/dist/src/commands/upgrade-pr.js +15 -0
  133. package/dist/src/commands/upgrade-pr.js.map +1 -0
  134. package/dist/src/commands/vault.d.ts +2 -0
  135. package/dist/src/commands/vault.js +86 -0
  136. package/dist/src/commands/vault.js.map +1 -0
  137. package/dist/src/commands/vulnerabilities.d.ts +2 -0
  138. package/dist/src/commands/vulnerabilities.js +42 -0
  139. package/dist/src/commands/vulnerabilities.js.map +1 -0
  140. package/dist/src/commands/watch.d.ts +2 -0
  141. package/dist/src/commands/watch.js +34 -0
  142. package/dist/src/commands/watch.js.map +1 -0
  143. package/dist/src/config/version.d.ts +6 -0
  144. package/dist/src/config/version.js +29 -0
  145. package/dist/src/config/version.js.map +1 -0
  146. package/dist/src/contracts/analyzer.d.ts +23 -0
  147. package/dist/src/contracts/analyzer.js +2 -0
  148. package/dist/src/contracts/analyzer.js.map +1 -0
  149. package/dist/src/contracts/finding.d.ts +35 -0
  150. package/dist/src/contracts/finding.js +13 -0
  151. package/dist/src/contracts/finding.js.map +1 -0
  152. package/dist/src/contracts/report.d.ts +30 -0
  153. package/dist/src/contracts/report.js +2 -0
  154. package/dist/src/contracts/report.js.map +1 -0
  155. package/dist/src/contracts/rule.d.ts +12 -0
  156. package/dist/src/contracts/rule.js +7 -0
  157. package/dist/src/contracts/rule.js.map +1 -0
  158. package/dist/src/core/alternatives.d.ts +8 -0
  159. package/dist/src/core/alternatives.js +35 -0
  160. package/dist/src/core/alternatives.js.map +1 -0
  161. package/dist/src/core/analyze-package.d.ts +2 -0
  162. package/dist/src/core/analyze-package.js +49 -0
  163. package/dist/src/core/analyze-package.js.map +1 -0
  164. package/dist/src/core/announce/generate.d.ts +9 -0
  165. package/dist/src/core/announce/generate.js +19 -0
  166. package/dist/src/core/announce/generate.js.map +1 -0
  167. package/dist/src/core/compare-packages.d.ts +7 -0
  168. package/dist/src/core/compare-packages.js +19 -0
  169. package/dist/src/core/compare-packages.js.map +1 -0
  170. package/dist/src/core/config/load.d.ts +3 -0
  171. package/dist/src/core/config/load.js +21 -0
  172. package/dist/src/core/config/load.js.map +1 -0
  173. package/dist/src/core/config/policy.d.ts +3 -0
  174. package/dist/src/core/config/policy.js +48 -0
  175. package/dist/src/core/config/policy.js.map +1 -0
  176. package/dist/src/core/config/schema.d.ts +172 -0
  177. package/dist/src/core/config/schema.js +84 -0
  178. package/dist/src/core/config/schema.js.map +1 -0
  179. package/dist/src/core/dependencies/inventory.d.ts +9 -0
  180. package/dist/src/core/dependencies/inventory.js +43 -0
  181. package/dist/src/core/dependencies/inventory.js.map +1 -0
  182. package/dist/src/core/dependency-scan.d.ts +17 -0
  183. package/dist/src/core/dependency-scan.js +70 -0
  184. package/dist/src/core/dependency-scan.js.map +1 -0
  185. package/dist/src/core/dependency-tree.d.ts +16 -0
  186. package/dist/src/core/dependency-tree.js +19 -0
  187. package/dist/src/core/dependency-tree.js.map +1 -0
  188. package/dist/src/core/dependency-types.d.ts +17 -0
  189. package/dist/src/core/dependency-types.js +2 -0
  190. package/dist/src/core/dependency-types.js.map +1 -0
  191. package/dist/src/core/diff/security-diff.d.ts +10 -0
  192. package/dist/src/core/diff/security-diff.js +20 -0
  193. package/dist/src/core/diff/security-diff.js.map +1 -0
  194. package/dist/src/core/file-walker.d.ts +6 -0
  195. package/dist/src/core/file-walker.js +27 -0
  196. package/dist/src/core/file-walker.js.map +1 -0
  197. package/dist/src/core/git-audit.d.ts +12 -0
  198. package/dist/src/core/git-audit.js +111 -0
  199. package/dist/src/core/git-audit.js.map +1 -0
  200. package/dist/src/core/github/remote-audit.d.ts +5 -0
  201. package/dist/src/core/github/remote-audit.js +28 -0
  202. package/dist/src/core/github/remote-audit.js.map +1 -0
  203. package/dist/src/core/github/upgrade-pr.d.ts +4 -0
  204. package/dist/src/core/github/upgrade-pr.js +41 -0
  205. package/dist/src/core/github/upgrade-pr.js.map +1 -0
  206. package/dist/src/core/history/git-metadata.d.ts +5 -0
  207. package/dist/src/core/history/git-metadata.js +37 -0
  208. package/dist/src/core/history/git-metadata.js.map +1 -0
  209. package/dist/src/core/history/store.d.ts +5 -0
  210. package/dist/src/core/history/store.js +65 -0
  211. package/dist/src/core/history/store.js.map +1 -0
  212. package/dist/src/core/history/types.d.ts +27 -0
  213. package/dist/src/core/history/types.js +2 -0
  214. package/dist/src/core/history/types.js.map +1 -0
  215. package/dist/src/core/hooks.d.ts +1 -0
  216. package/dist/src/core/hooks.js +14 -0
  217. package/dist/src/core/hooks.js.map +1 -0
  218. package/dist/src/core/learn.d.ts +11 -0
  219. package/dist/src/core/learn.js +163 -0
  220. package/dist/src/core/learn.js.map +1 -0
  221. package/dist/src/core/license-analysis.d.ts +18 -0
  222. package/dist/src/core/license-analysis.js +98 -0
  223. package/dist/src/core/license-analysis.js.map +1 -0
  224. package/dist/src/core/load-toolip-ignore.d.ts +5 -0
  225. package/dist/src/core/load-toolip-ignore.js +35 -0
  226. package/dist/src/core/load-toolip-ignore.js.map +1 -0
  227. package/dist/src/core/monorepo/discover.d.ts +7 -0
  228. package/dist/src/core/monorepo/discover.js +49 -0
  229. package/dist/src/core/monorepo/discover.js.map +1 -0
  230. package/dist/src/core/npm-registry.d.ts +3 -0
  231. package/dist/src/core/npm-registry.js +5 -0
  232. package/dist/src/core/npm-registry.js.map +1 -0
  233. package/dist/src/core/pre-commit.d.ts +11 -0
  234. package/dist/src/core/pre-commit.js +22 -0
  235. package/dist/src/core/pre-commit.js.map +1 -0
  236. package/dist/src/core/profile-project.d.ts +23 -0
  237. package/dist/src/core/profile-project.js +119 -0
  238. package/dist/src/core/profile-project.js.map +1 -0
  239. package/dist/src/core/publish/html.d.ts +6 -0
  240. package/dist/src/core/publish/html.js +44 -0
  241. package/dist/src/core/publish/html.js.map +1 -0
  242. package/dist/src/core/read-dependencies.d.ts +2 -0
  243. package/dist/src/core/read-dependencies.js +24 -0
  244. package/dist/src/core/read-dependencies.js.map +1 -0
  245. package/dist/src/core/report-writer.d.ts +5 -0
  246. package/dist/src/core/report-writer.js +61 -0
  247. package/dist/src/core/report-writer.js.map +1 -0
  248. package/dist/src/core/report.d.ts +34 -0
  249. package/dist/src/core/report.js +26 -0
  250. package/dist/src/core/report.js.map +1 -0
  251. package/dist/src/core/risk-score.d.ts +5 -0
  252. package/dist/src/core/risk-score.js +14 -0
  253. package/dist/src/core/risk-score.js.map +1 -0
  254. package/dist/src/core/sbom/generate.d.ts +2 -0
  255. package/dist/src/core/sbom/generate.js +120 -0
  256. package/dist/src/core/sbom/generate.js.map +1 -0
  257. package/dist/src/core/scanner-context.d.ts +12 -0
  258. package/dist/src/core/scanner-context.js +27 -0
  259. package/dist/src/core/scanner-context.js.map +1 -0
  260. package/dist/src/core/score.d.ts +13 -0
  261. package/dist/src/core/score.js +44 -0
  262. package/dist/src/core/score.js.map +1 -0
  263. package/dist/src/core/security-doctor.d.ts +12 -0
  264. package/dist/src/core/security-doctor.js +158 -0
  265. package/dist/src/core/security-doctor.js.map +1 -0
  266. package/dist/src/core/security-patterns.d.ts +14 -0
  267. package/dist/src/core/security-patterns.js +139 -0
  268. package/dist/src/core/security-patterns.js.map +1 -0
  269. package/dist/src/core/typosquat.d.ts +6 -0
  270. package/dist/src/core/typosquat.js +50 -0
  271. package/dist/src/core/typosquat.js.map +1 -0
  272. package/dist/src/core/vault.d.ts +48 -0
  273. package/dist/src/core/vault.js +127 -0
  274. package/dist/src/core/vault.js.map +1 -0
  275. package/dist/src/core/watch/watch.d.ts +5 -0
  276. package/dist/src/core/watch/watch.js +49 -0
  277. package/dist/src/core/watch/watch.js.map +1 -0
  278. package/dist/src/errors/toolip-error.d.ts +8 -0
  279. package/dist/src/errors/toolip-error.js +11 -0
  280. package/dist/src/errors/toolip-error.js.map +1 -0
  281. package/dist/src/index.d.ts +2 -0
  282. package/dist/src/index.js +89 -0
  283. package/dist/src/index.js.map +1 -0
  284. package/dist/src/mcp/server.d.ts +1 -0
  285. package/dist/src/mcp/server.js +64 -0
  286. package/dist/src/mcp/server.js.map +1 -0
  287. package/dist/src/providers/depsdev/client.d.ts +71 -0
  288. package/dist/src/providers/depsdev/client.js +44 -0
  289. package/dist/src/providers/depsdev/client.js.map +1 -0
  290. package/dist/src/providers/osv/client.d.ts +15 -0
  291. package/dist/src/providers/osv/client.js +51 -0
  292. package/dist/src/providers/osv/client.js.map +1 -0
  293. package/dist/src/providers/osv/types.d.ts +38 -0
  294. package/dist/src/providers/osv/types.js +2 -0
  295. package/dist/src/providers/osv/types.js.map +1 -0
  296. package/dist/src/storage/memory-cache.d.ts +7 -0
  297. package/dist/src/storage/memory-cache.js +25 -0
  298. package/dist/src/storage/memory-cache.js.map +1 -0
  299. package/dist/src/utils/error-handler.d.ts +1 -0
  300. package/dist/src/utils/error-handler.js +24 -0
  301. package/dist/src/utils/error-handler.js.map +1 -0
  302. package/dist/src/utils/output.d.ts +6 -0
  303. package/dist/src/utils/output.js +72 -0
  304. package/dist/src/utils/output.js.map +1 -0
  305. package/dist/src/utils/package-output.d.ts +4 -0
  306. package/dist/src/utils/package-output.js +40 -0
  307. package/dist/src/utils/package-output.js.map +1 -0
  308. package/package.json +13 -8
@@ -0,0 +1 @@
1
+ {"version":3,"file":"version.js","sourceRoot":"","sources":["../../../src/config/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAOzC,SAAS,qBAAqB;IAC5B,IAAI,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;IAExC,OAAO,SAAS,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAE1D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CACzB,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAChB,CAAC;YAErB,IACE,QAAQ,CAAC,IAAI,KAAK,QAAQ;gBAC1B,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EACpC,CAAC;gBACD,OAAO,QAAQ,CAAC,OAAO,CAAC;YAC1B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;QAED,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,IAAI,KAAK,CACb,qDAAqD,CACtD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,qBAAqB,EAAE,CAAC;AAEtD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,IAAI,EAAE,qBAAqB;IAC3B,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,2BAA2B;CACpC,CAAC"}
@@ -0,0 +1,23 @@
1
+ import type { Finding } from './finding.js';
2
+ export type AnalyzerContext = {
3
+ root: string;
4
+ signal?: AbortSignal;
5
+ cache?: AnalyzerCache;
6
+ options?: Record<string, unknown>;
7
+ };
8
+ export type AnalyzerCache = {
9
+ get<T>(key: string): Promise<T | undefined>;
10
+ set<T>(key: string, value: T, ttlMs?: number): Promise<void>;
11
+ };
12
+ export type AnalyzerResult = {
13
+ analyzer: string;
14
+ durationMs: number;
15
+ findings: Finding[];
16
+ warnings?: string[];
17
+ metadata?: Record<string, unknown>;
18
+ };
19
+ export interface Analyzer {
20
+ readonly id: string;
21
+ readonly version: string;
22
+ analyze(context: AnalyzerContext): Promise<AnalyzerResult>;
23
+ }
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=analyzer.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../../src/contracts/analyzer.ts"],"names":[],"mappings":""}
@@ -0,0 +1,35 @@
1
+ export declare const findingSeverities: readonly ["critical", "high", "medium", "low", "info"];
2
+ export type FindingSeverity = (typeof findingSeverities)[number];
3
+ export declare const findingConfidences: readonly ["high", "medium", "low"];
4
+ export type FindingConfidence = (typeof findingConfidences)[number];
5
+ export type FindingLocation = {
6
+ file: string;
7
+ line?: number;
8
+ column?: number;
9
+ endLine?: number;
10
+ endColumn?: number;
11
+ };
12
+ export type FindingEvidence = {
13
+ summary: string;
14
+ excerpt?: string;
15
+ fingerprint?: string;
16
+ };
17
+ export type FindingRemediation = {
18
+ summary: string;
19
+ fixedVersion?: string;
20
+ references?: string[];
21
+ };
22
+ export type Finding = {
23
+ id: string;
24
+ ruleId: string;
25
+ title: string;
26
+ category: string;
27
+ severity: FindingSeverity;
28
+ confidence: FindingConfidence;
29
+ message: string;
30
+ source: string;
31
+ location?: FindingLocation;
32
+ evidence?: FindingEvidence[];
33
+ remediation?: FindingRemediation;
34
+ metadata?: Record<string, unknown>;
35
+ };
@@ -0,0 +1,13 @@
1
+ export const findingSeverities = [
2
+ 'critical',
3
+ 'high',
4
+ 'medium',
5
+ 'low',
6
+ 'info'
7
+ ];
8
+ export const findingConfidences = [
9
+ 'high',
10
+ 'medium',
11
+ 'low'
12
+ ];
13
+ //# sourceMappingURL=finding.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"finding.js","sourceRoot":"","sources":["../../../src/contracts/finding.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,UAAU;IACV,MAAM;IACN,QAAQ;IACR,KAAK;IACL,MAAM;CACE,CAAC;AAIX,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,MAAM;IACN,QAAQ;IACR,KAAK;CACG,CAAC"}
@@ -0,0 +1,30 @@
1
+ import type { Finding } from './finding.js';
2
+ export declare const TOOLIP_REPORT_SCHEMA_VERSION = "2.0";
3
+ export type ReportSummary = {
4
+ critical: number;
5
+ high: number;
6
+ medium: number;
7
+ low: number;
8
+ info: number;
9
+ total: number;
10
+ };
11
+ export type ToolipReportV2 = {
12
+ schemaVersion: typeof TOOLIP_REPORT_SCHEMA_VERSION;
13
+ generatedAt: string;
14
+ toolipVersion: string;
15
+ project: {
16
+ root: string;
17
+ name?: string;
18
+ packageManager?: string;
19
+ };
20
+ summary: ReportSummary;
21
+ findings: Finding[];
22
+ analyzers: Array<{
23
+ id: string;
24
+ version: string;
25
+ durationMs: number;
26
+ findingCount: number;
27
+ warnings?: string[];
28
+ }>;
29
+ metadata?: Record<string, unknown>;
30
+ };
@@ -0,0 +1,2 @@
1
+ export const TOOLIP_REPORT_SCHEMA_VERSION = '2.0';
2
+ //# sourceMappingURL=report.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"report.js","sourceRoot":"","sources":["../../../src/contracts/report.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,CAAC"}
@@ -0,0 +1,12 @@
1
+ import type { FindingConfidence, FindingSeverity } from './finding.js';
2
+ export type RuleDefinition = {
3
+ id: string;
4
+ title: string;
5
+ category: string;
6
+ defaultSeverity: FindingSeverity;
7
+ defaultConfidence: FindingConfidence;
8
+ description: string;
9
+ remediation: string;
10
+ references?: string[];
11
+ };
12
+ export declare function assertValidRuleId(ruleId: string): void;
@@ -0,0 +1,7 @@
1
+ const RULE_ID_PATTERN = /^TLP-[A-Z]+-\d{3}$/;
2
+ export function assertValidRuleId(ruleId) {
3
+ if (!RULE_ID_PATTERN.test(ruleId)) {
4
+ throw new Error(`Invalid Toolip rule ID "${ruleId}". Expected format: TLP-CATEGORY-001.`);
5
+ }
6
+ }
7
+ //# sourceMappingURL=rule.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"rule.js","sourceRoot":"","sources":["../../../src/contracts/rule.ts"],"names":[],"mappings":"AAgBA,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAE7C,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,uCAAuC,CACzE,CAAC;IACJ,CAAC;AACH,CAAC"}
@@ -0,0 +1,8 @@
1
+ export type PackageAlternative = {
2
+ package: string;
3
+ alternatives: Array<{
4
+ name: string;
5
+ reason: string;
6
+ }>;
7
+ };
8
+ export declare function findAlternatives(packageName: string): PackageAlternative;
@@ -0,0 +1,35 @@
1
+ const alternativeMap = {
2
+ request: [
3
+ { name: 'got', reason: 'Modern HTTP client with active maintenance and strong Node.js support.' },
4
+ { name: 'undici', reason: 'Fast official Node.js HTTP client maintained under the Node.js project.' },
5
+ { name: 'axios', reason: 'Popular promise-based HTTP client with broad ecosystem adoption.' }
6
+ ],
7
+ 'node-fetch': [
8
+ { name: 'undici', reason: 'Native fetch-compatible HTTP client for modern Node.js.' },
9
+ { name: 'ky', reason: 'Small fetch-based client for browser and modern JavaScript workflows.' }
10
+ ],
11
+ moment: [
12
+ { name: 'dayjs', reason: 'Small Moment-compatible API with lower bundle size.' },
13
+ { name: 'date-fns', reason: 'Modular date utilities with tree-shaking support.' },
14
+ { name: 'luxon', reason: 'Modern date-time library from the Moment maintainers.' }
15
+ ],
16
+ lodash: [
17
+ { name: 'lodash-es', reason: 'ES module build with better tree-shaking.' },
18
+ { name: 'radash', reason: 'Modern utility library with TypeScript-friendly APIs.' }
19
+ ],
20
+ uuid: [
21
+ { name: 'crypto.randomUUID', reason: 'Built into modern Node.js and avoids an extra dependency where suitable.' }
22
+ ]
23
+ };
24
+ export function findAlternatives(packageName) {
25
+ return {
26
+ package: packageName,
27
+ alternatives: alternativeMap[packageName] ?? [
28
+ {
29
+ name: 'No curated alternative yet',
30
+ reason: 'Toolip does not have a curated replacement for this package yet. Inspect maintenance, license, downloads, and dependency count manually.'
31
+ }
32
+ ]
33
+ };
34
+ }
35
+ //# sourceMappingURL=alternatives.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"alternatives.js","sourceRoot":"","sources":["../../../src/core/alternatives.ts"],"names":[],"mappings":"AAQA,MAAM,cAAc,GAAuD;IACzE,OAAO,EAAE;QACP,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,wEAAwE,EAAE;QACjG,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,yEAAyE,EAAE;QACrG,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,kEAAkE,EAAE;KAC9F;IACD,YAAY,EAAE;QACZ,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,yDAAyD,EAAE;QACrF,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,uEAAuE,EAAE;KAChG;IACD,MAAM,EAAE;QACN,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,qDAAqD,EAAE;QAChF,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mDAAmD,EAAE;QACjF,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,uDAAuD,EAAE;KACnF;IACD,MAAM,EAAE;QACN,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,2CAA2C,EAAE;QAC1E,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,uDAAuD,EAAE;KACpF;IACD,IAAI,EAAE;QACJ,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,0EAA0E,EAAE;KAClH;CACF,CAAC;AAEF,MAAM,UAAU,gBAAgB,CAAC,WAAmB;IAClD,OAAO;QACL,OAAO,EAAE,WAAW;QACpB,YAAY,EAAE,cAAc,CAAC,WAAW,CAAC,IAAI;YAC3C;gBACE,IAAI,EAAE,4BAA4B;gBAClC,MAAM,EAAE,0IAA0I;aACnJ;SACF;KACF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { DependencyInfo, PackageHealth } from './dependency-types.js';
2
+ export declare function analyzePackage(dependency: DependencyInfo): Promise<PackageHealth>;
@@ -0,0 +1,49 @@
1
+ import semver from 'semver';
2
+ import { fetchPackageManifest } from './npm-registry.js';
3
+ import { calculateRiskScore } from './risk-score.js';
4
+ function cleanInstalledVersion(version) {
5
+ if (version === 'latest')
6
+ return null;
7
+ return semver.coerce(version)?.version ?? null;
8
+ }
9
+ function isOutdated(installedVersion, latestVersion) {
10
+ const cleanedInstalledVersion = cleanInstalledVersion(installedVersion);
11
+ if (!cleanedInstalledVersion || !latestVersion) {
12
+ return false;
13
+ }
14
+ const cleanedLatestVersion = semver.coerce(latestVersion)?.version;
15
+ if (!cleanedLatestVersion) {
16
+ return false;
17
+ }
18
+ return semver.lt(cleanedInstalledVersion, cleanedLatestVersion);
19
+ }
20
+ export async function analyzePackage(dependency) {
21
+ const manifest = await fetchPackageManifest(dependency.name);
22
+ const latestVersion = typeof manifest.version === 'string' ? manifest.version : null;
23
+ const publishedDate = manifest.time && latestVersion ? manifest.time[latestVersion] ?? null : null;
24
+ const ageInDays = publishedDate
25
+ ? Math.floor((Date.now() - new Date(publishedDate).getTime()) /
26
+ (1000 * 60 * 60 * 24))
27
+ : null;
28
+ const maintainers = Array.isArray(manifest.maintainers)
29
+ ? manifest.maintainers.length
30
+ : 0;
31
+ const deprecated = Boolean(manifest.deprecated);
32
+ return {
33
+ name: dependency.name,
34
+ installedVersion: dependency.version,
35
+ latestVersion,
36
+ outdated: isOutdated(dependency.version, latestVersion),
37
+ deprecated,
38
+ maintainers,
39
+ publishedAt: publishedDate,
40
+ ageInDays,
41
+ downloads: null,
42
+ riskScore: calculateRiskScore({
43
+ deprecated,
44
+ maintainers,
45
+ ageInDays
46
+ })
47
+ };
48
+ }
49
+ //# sourceMappingURL=analyze-package.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"analyze-package.js","sourceRoot":"","sources":["../../../src/core/analyze-package.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrD,SAAS,qBAAqB,CAAC,OAAe;IAC5C,IAAI,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;AACjD,CAAC;AAED,SAAS,UAAU,CAAC,gBAAwB,EAAE,aAA4B;IACxE,MAAM,uBAAuB,GAAG,qBAAqB,CAAC,gBAAgB,CAAC,CAAC;IAExE,IAAI,CAAC,uBAAuB,IAAI,CAAC,aAAa,EAAE,CAAC;QAC/C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,oBAAoB,GAAG,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IAEnE,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC,EAAE,CAAC,uBAAuB,EAAE,oBAAoB,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,UAA0B;IAE1B,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAErF,MAAM,aAAa,GACjB,QAAQ,CAAC,IAAI,IAAI,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IAE/E,MAAM,SAAS,GAAG,aAAa;QAC7B,CAAC,CAAC,IAAI,CAAC,KAAK,CACR,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9C,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CACxB;QACH,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QACrD,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM;QAC7B,CAAC,CAAC,CAAC,CAAC;IAEN,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAEhD,OAAO;QACL,IAAI,EAAE,UAAU,CAAC,IAAI;QACrB,gBAAgB,EAAE,UAAU,CAAC,OAAO;QACpC,aAAa;QACb,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,EAAE,aAAa,CAAC;QACvD,UAAU;QACV,WAAW;QACX,WAAW,EAAE,aAAa;QAC1B,SAAS;QACT,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,kBAAkB,CAAC;YAC5B,UAAU;YACV,WAAW;YACX,SAAS;SACV,CAAC;KACH,CAAC;AACJ,CAAC"}
@@ -0,0 +1,9 @@
1
+ export type AnnouncementInput = {
2
+ version?: string;
3
+ fixed: number;
4
+ added: number;
5
+ removed: number;
6
+ scoreBefore?: number;
7
+ scoreAfter?: number;
8
+ };
9
+ export declare function generateAnnouncement(input: AnnouncementInput): string;
@@ -0,0 +1,19 @@
1
+ export function generateAnnouncement(input) {
2
+ const title = input.version
3
+ ? `Toolip ${input.version} security update`
4
+ : 'Toolip security update';
5
+ const lines = [
6
+ title,
7
+ '',
8
+ `Fixed findings: ${input.fixed}`,
9
+ `New findings: ${input.added}`,
10
+ `Removed findings: ${input.removed}`
11
+ ];
12
+ if (input.scoreBefore !== undefined &&
13
+ input.scoreAfter !== undefined) {
14
+ lines.push(`Security score: ${input.scoreBefore} → ${input.scoreAfter}`);
15
+ }
16
+ lines.push('', 'This summary was generated locally from structured Toolip scan differences.');
17
+ return lines.join('\n');
18
+ }
19
+ //# sourceMappingURL=generate.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"generate.js","sourceRoot":"","sources":["../../../../src/core/announce/generate.ts"],"names":[],"mappings":"AASA,MAAM,UAAU,oBAAoB,CAAC,KAAwB;IAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO;QACzB,CAAC,CAAC,UAAU,KAAK,CAAC,OAAO,kBAAkB;QAC3C,CAAC,CAAC,wBAAwB,CAAC;IAE7B,MAAM,KAAK,GAAG;QACZ,KAAK;QACL,EAAE;QACF,mBAAmB,KAAK,CAAC,KAAK,EAAE;QAChC,iBAAiB,KAAK,CAAC,KAAK,EAAE;QAC9B,qBAAqB,KAAK,CAAC,OAAO,EAAE;KACrC,CAAC;IAEF,IACE,KAAK,CAAC,WAAW,KAAK,SAAS;QAC/B,KAAK,CAAC,UAAU,KAAK,SAAS,EAC9B,CAAC;QACD,KAAK,CAAC,IAAI,CACR,mBAAmB,KAAK,CAAC,WAAW,MAAM,KAAK,CAAC,UAAU,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CACR,EAAE,EACF,6EAA6E,CAC9E,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
@@ -0,0 +1,7 @@
1
+ import type { PackageHealth } from './dependency-types.js';
2
+ export type PackageComparison = {
3
+ packages: PackageHealth[];
4
+ safest: PackageHealth | null;
5
+ riskiest: PackageHealth | null;
6
+ };
7
+ export declare function comparePackages(packageNames: string[]): Promise<PackageComparison>;
@@ -0,0 +1,19 @@
1
+ import { analyzePackage } from './analyze-package.js';
2
+ function asDependency(packageName) {
3
+ return {
4
+ name: packageName,
5
+ version: 'latest',
6
+ type: 'dependency'
7
+ };
8
+ }
9
+ export async function comparePackages(packageNames) {
10
+ const uniqueNames = [...new Set(packageNames.map((name) => name.trim()).filter(Boolean))];
11
+ const packages = await Promise.all(uniqueNames.map((packageName) => analyzePackage(asDependency(packageName))));
12
+ const sortedByRisk = [...packages].sort((a, b) => a.riskScore - b.riskScore);
13
+ return {
14
+ packages,
15
+ safest: sortedByRisk[0] ?? null,
16
+ riskiest: sortedByRisk.at(-1) ?? null
17
+ };
18
+ }
19
+ //# sourceMappingURL=compare-packages.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"compare-packages.js","sourceRoot":"","sources":["../../../src/core/compare-packages.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAStD,SAAS,YAAY,CAAC,WAAmB;IACvC,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,QAAQ;QACjB,IAAI,EAAE,YAAY;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,YAAsB;IAC1D,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAE1F,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAChC,WAAW,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,cAAc,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,CAC5E,CAAC;IAEF,MAAM,YAAY,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;IAE7E,OAAO;QACL,QAAQ;QACR,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,IAAI;QAC/B,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI;KACtC,CAAC;AACJ,CAAC"}
@@ -0,0 +1,3 @@
1
+ import { type ToolipConfig } from './schema.js';
2
+ export declare const TOOLIP_CONFIG_FILE = "toolip.config.json";
3
+ export declare function loadToolipConfig(root: string): Promise<ToolipConfig>;
@@ -0,0 +1,21 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ import { toolipConfigSchema } from './schema.js';
4
+ export const TOOLIP_CONFIG_FILE = 'toolip.config.json';
5
+ export async function loadToolipConfig(root) {
6
+ const filePath = path.join(root, TOOLIP_CONFIG_FILE);
7
+ try {
8
+ const raw = await readFile(filePath, 'utf8');
9
+ const parsed = JSON.parse(raw);
10
+ return toolipConfigSchema.parse(parsed);
11
+ }
12
+ catch (error) {
13
+ if (error instanceof Error &&
14
+ 'code' in error &&
15
+ error.code === 'ENOENT') {
16
+ return toolipConfigSchema.parse({});
17
+ }
18
+ throw error;
19
+ }
20
+ }
21
+ //# sourceMappingURL=load.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"load.js","sourceRoot":"","sources":["../../../../src/core/config/load.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,kBAAkB,EAEnB,MAAM,aAAa,CAAC;AAErB,MAAM,CAAC,MAAM,kBAAkB,GAC7B,oBAAoB,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY;IAEZ,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,IAAI,EACJ,kBAAkB,CACnB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAE1C,OAAO,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;YACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { Finding } from '../../contracts/finding.js';
2
+ import type { ToolipConfig } from './schema.js';
3
+ export declare function applyFindingPolicy(findings: Finding[], config: ToolipConfig): Finding[];
@@ -0,0 +1,48 @@
1
+ function wildcardMatch(value, pattern) {
2
+ const escaped = pattern
3
+ .replaceAll(/[.+^${}()|[\]\\]/g, '\\$&')
4
+ .replaceAll('**', '___DOUBLE_STAR___')
5
+ .replaceAll('*', '[^/]*')
6
+ .replaceAll('___DOUBLE_STAR___', '.*');
7
+ return new RegExp(`^${escaped}$`).test(value);
8
+ }
9
+ function suppressionActive(expiresAt) {
10
+ return (expiresAt === undefined ||
11
+ new Date(expiresAt).getTime() > Date.now());
12
+ }
13
+ export function applyFindingPolicy(findings, config) {
14
+ const output = [];
15
+ for (const finding of findings) {
16
+ const rule = config.rules[finding.ruleId];
17
+ const file = finding.location?.file ?? '';
18
+ if (rule?.enabled === false) {
19
+ continue;
20
+ }
21
+ let severity = rule?.severity ?? finding.severity;
22
+ for (const pathRule of rule?.paths ?? []) {
23
+ if (file &&
24
+ wildcardMatch(file, pathRule.pattern)) {
25
+ if (pathRule.enabled === false) {
26
+ severity = finding.severity;
27
+ break;
28
+ }
29
+ severity =
30
+ pathRule.severity ?? severity;
31
+ }
32
+ }
33
+ const suppressed = config.suppressions.some((suppression) => suppression.ruleId === finding.ruleId &&
34
+ suppressionActive(suppression.expiresAt) &&
35
+ (suppression.path === undefined ||
36
+ (file &&
37
+ wildcardMatch(file, suppression.path))));
38
+ if (suppressed) {
39
+ continue;
40
+ }
41
+ output.push({
42
+ ...finding,
43
+ severity
44
+ });
45
+ }
46
+ return output;
47
+ }
48
+ //# sourceMappingURL=policy.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../../src/core/config/policy.ts"],"names":[],"mappings":"AAGA,SAAS,aAAa,CACpB,KAAa,EACb,OAAe;IAEf,MAAM,OAAO,GAAG,OAAO;SACpB,UAAU,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACvC,UAAU,CAAC,IAAI,EAAE,mBAAmB,CAAC;SACrC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC;SACxB,UAAU,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;IAEzC,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,iBAAiB,CACxB,SAAkB;IAElB,OAAO,CACL,SAAS,KAAK,SAAS;QACvB,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAC3C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,QAAmB,EACnB,MAAoB;IAEpB,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC;QAE1C,IAAI,IAAI,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YAC5B,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,GACV,IAAI,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;QAErC,KAAK,MAAM,QAAQ,IAAI,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC;YACzC,IACE,IAAI;gBACJ,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,EACrC,CAAC;gBACD,IAAI,QAAQ,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;oBAC/B,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;oBAC5B,MAAM;gBACR,CAAC;gBAED,QAAQ;oBACN,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC;YAClC,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,CACzC,CAAC,WAAW,EAAE,EAAE,CACd,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM;YACrC,iBAAiB,CACf,WAAW,CAAC,SAAS,CACtB;YACD,CACE,WAAW,CAAC,IAAI,KAAK,SAAS;gBAC9B,CACE,IAAI;oBACJ,aAAa,CACX,IAAI,EACJ,WAAW,CAAC,IAAI,CACjB,CACF,CACF,CACJ,CAAC;QAEF,IAAI,UAAU,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,GAAG,OAAO;YACV,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
@@ -0,0 +1,172 @@
1
+ import { z } from 'zod';
2
+ export declare const toolipConfigSchema: z.ZodObject<{
3
+ schemaVersion: z.ZodDefault<z.ZodLiteral<"1.0">>;
4
+ include: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
5
+ exclude: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
6
+ rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
7
+ enabled: z.ZodOptional<z.ZodBoolean>;
8
+ severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
9
+ paths: z.ZodOptional<z.ZodArray<z.ZodObject<{
10
+ pattern: z.ZodString;
11
+ severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
12
+ enabled: z.ZodOptional<z.ZodBoolean>;
13
+ }, "strip", z.ZodTypeAny, {
14
+ pattern: string;
15
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
16
+ enabled?: boolean | undefined;
17
+ }, {
18
+ pattern: string;
19
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
20
+ enabled?: boolean | undefined;
21
+ }>, "many">>;
22
+ }, "strip", z.ZodTypeAny, {
23
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
24
+ enabled?: boolean | undefined;
25
+ paths?: {
26
+ pattern: string;
27
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
28
+ enabled?: boolean | undefined;
29
+ }[] | undefined;
30
+ }, {
31
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
32
+ enabled?: boolean | undefined;
33
+ paths?: {
34
+ pattern: string;
35
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
36
+ enabled?: boolean | undefined;
37
+ }[] | undefined;
38
+ }>>>;
39
+ suppressions: z.ZodDefault<z.ZodArray<z.ZodObject<{
40
+ ruleId: z.ZodString;
41
+ path: z.ZodOptional<z.ZodString>;
42
+ reason: z.ZodString;
43
+ expiresAt: z.ZodOptional<z.ZodString>;
44
+ }, "strip", z.ZodTypeAny, {
45
+ ruleId: string;
46
+ reason: string;
47
+ expiresAt?: string | undefined;
48
+ path?: string | undefined;
49
+ }, {
50
+ ruleId: string;
51
+ reason: string;
52
+ expiresAt?: string | undefined;
53
+ path?: string | undefined;
54
+ }>, "many">>;
55
+ history: z.ZodDefault<z.ZodObject<{
56
+ enabled: z.ZodDefault<z.ZodBoolean>;
57
+ maxEntries: z.ZodDefault<z.ZodNumber>;
58
+ }, "strip", z.ZodTypeAny, {
59
+ enabled: boolean;
60
+ maxEntries: number;
61
+ }, {
62
+ enabled?: boolean | undefined;
63
+ maxEntries?: number | undefined;
64
+ }>>;
65
+ providers: z.ZodDefault<z.ZodObject<{
66
+ osv: z.ZodDefault<z.ZodObject<{
67
+ enabled: z.ZodDefault<z.ZodBoolean>;
68
+ timeoutMs: z.ZodDefault<z.ZodNumber>;
69
+ }, "strip", z.ZodTypeAny, {
70
+ timeoutMs: number;
71
+ enabled: boolean;
72
+ }, {
73
+ timeoutMs?: number | undefined;
74
+ enabled?: boolean | undefined;
75
+ }>>;
76
+ depsDev: z.ZodDefault<z.ZodObject<{
77
+ enabled: z.ZodDefault<z.ZodBoolean>;
78
+ timeoutMs: z.ZodDefault<z.ZodNumber>;
79
+ }, "strip", z.ZodTypeAny, {
80
+ timeoutMs: number;
81
+ enabled: boolean;
82
+ }, {
83
+ timeoutMs?: number | undefined;
84
+ enabled?: boolean | undefined;
85
+ }>>;
86
+ }, "strip", z.ZodTypeAny, {
87
+ osv: {
88
+ timeoutMs: number;
89
+ enabled: boolean;
90
+ };
91
+ depsDev: {
92
+ timeoutMs: number;
93
+ enabled: boolean;
94
+ };
95
+ }, {
96
+ osv?: {
97
+ timeoutMs?: number | undefined;
98
+ enabled?: boolean | undefined;
99
+ } | undefined;
100
+ depsDev?: {
101
+ timeoutMs?: number | undefined;
102
+ enabled?: boolean | undefined;
103
+ } | undefined;
104
+ }>>;
105
+ }, "strip", z.ZodTypeAny, {
106
+ schemaVersion: "1.0";
107
+ history: {
108
+ enabled: boolean;
109
+ maxEntries: number;
110
+ };
111
+ include: string[];
112
+ exclude: string[];
113
+ rules: Record<string, {
114
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
115
+ enabled?: boolean | undefined;
116
+ paths?: {
117
+ pattern: string;
118
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
119
+ enabled?: boolean | undefined;
120
+ }[] | undefined;
121
+ }>;
122
+ suppressions: {
123
+ ruleId: string;
124
+ reason: string;
125
+ expiresAt?: string | undefined;
126
+ path?: string | undefined;
127
+ }[];
128
+ providers: {
129
+ osv: {
130
+ timeoutMs: number;
131
+ enabled: boolean;
132
+ };
133
+ depsDev: {
134
+ timeoutMs: number;
135
+ enabled: boolean;
136
+ };
137
+ };
138
+ }, {
139
+ schemaVersion?: "1.0" | undefined;
140
+ history?: {
141
+ enabled?: boolean | undefined;
142
+ maxEntries?: number | undefined;
143
+ } | undefined;
144
+ include?: string[] | undefined;
145
+ exclude?: string[] | undefined;
146
+ rules?: Record<string, {
147
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
148
+ enabled?: boolean | undefined;
149
+ paths?: {
150
+ pattern: string;
151
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
152
+ enabled?: boolean | undefined;
153
+ }[] | undefined;
154
+ }> | undefined;
155
+ suppressions?: {
156
+ ruleId: string;
157
+ reason: string;
158
+ expiresAt?: string | undefined;
159
+ path?: string | undefined;
160
+ }[] | undefined;
161
+ providers?: {
162
+ osv?: {
163
+ timeoutMs?: number | undefined;
164
+ enabled?: boolean | undefined;
165
+ } | undefined;
166
+ depsDev?: {
167
+ timeoutMs?: number | undefined;
168
+ enabled?: boolean | undefined;
169
+ } | undefined;
170
+ } | undefined;
171
+ }>;
172
+ export type ToolipConfig = z.infer<typeof toolipConfigSchema>;