toolip 1.0.6 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (308) hide show
  1. package/README.md +189 -448
  2. package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
  3. package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
  4. package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
  5. package/dist/src/analyzers/ast/rules.d.ts +48 -0
  6. package/dist/src/analyzers/ast/rules.js +39 -0
  7. package/dist/src/analyzers/ast/rules.js.map +1 -0
  8. package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
  9. package/dist/src/analyzers/ast/source-analysis.js +225 -0
  10. package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
  11. package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
  12. package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
  13. package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
  14. package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
  15. package/dist/src/analyzers/docker/analyzer.js +103 -0
  16. package/dist/src/analyzers/docker/analyzer.js.map +1 -0
  17. package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
  18. package/dist/src/analyzers/git-history/analyzer.js +157 -0
  19. package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
  20. package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
  21. package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
  22. package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
  23. package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
  24. package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
  25. package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
  26. package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
  27. package/dist/src/analyzers/reachability/import-graph.js +110 -0
  28. package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
  29. package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
  30. package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
  31. package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
  32. package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
  33. package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
  34. package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
  35. package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
  36. package/dist/src/analyzers/vulnerability/severity.js +13 -0
  37. package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
  38. package/dist/src/application/analyzer-runner.d.ts +12 -0
  39. package/dist/src/application/analyzer-runner.js +45 -0
  40. package/dist/src/application/analyzer-runner.js.map +1 -0
  41. package/dist/src/commands/alternatives.d.ts +2 -0
  42. package/dist/src/commands/alternatives.js +17 -0
  43. package/dist/src/commands/alternatives.js.map +1 -0
  44. package/dist/src/commands/announce.d.ts +2 -0
  45. package/dist/src/commands/announce.js +27 -0
  46. package/dist/src/commands/announce.js.map +1 -0
  47. package/dist/src/commands/ast-scan.d.ts +2 -0
  48. package/dist/src/commands/ast-scan.js +86 -0
  49. package/dist/src/commands/ast-scan.js.map +1 -0
  50. package/dist/src/commands/audit-repo.d.ts +2 -0
  51. package/dist/src/commands/audit-repo.js +20 -0
  52. package/dist/src/commands/audit-repo.js.map +1 -0
  53. package/dist/src/commands/compare.d.ts +2 -0
  54. package/dist/src/commands/compare.js +19 -0
  55. package/dist/src/commands/compare.js.map +1 -0
  56. package/dist/src/commands/config.d.ts +2 -0
  57. package/dist/src/commands/config.js +69 -0
  58. package/dist/src/commands/config.js.map +1 -0
  59. package/dist/src/commands/dependency-confusion.d.ts +2 -0
  60. package/dist/src/commands/dependency-confusion.js +37 -0
  61. package/dist/src/commands/dependency-confusion.js.map +1 -0
  62. package/dist/src/commands/diff.d.ts +2 -0
  63. package/dist/src/commands/diff.js +24 -0
  64. package/dist/src/commands/diff.js.map +1 -0
  65. package/dist/src/commands/docker-scan.d.ts +2 -0
  66. package/dist/src/commands/docker-scan.js +34 -0
  67. package/dist/src/commands/docker-scan.js.map +1 -0
  68. package/dist/src/commands/doctor.d.ts +2 -0
  69. package/dist/src/commands/doctor.js +42 -0
  70. package/dist/src/commands/doctor.js.map +1 -0
  71. package/dist/src/commands/git-audit.d.ts +2 -0
  72. package/dist/src/commands/git-audit.js +37 -0
  73. package/dist/src/commands/git-audit.js.map +1 -0
  74. package/dist/src/commands/git-history.d.ts +2 -0
  75. package/dist/src/commands/git-history.js +40 -0
  76. package/dist/src/commands/git-history.js.map +1 -0
  77. package/dist/src/commands/history.d.ts +2 -0
  78. package/dist/src/commands/history.js +69 -0
  79. package/dist/src/commands/history.js.map +1 -0
  80. package/dist/src/commands/hook.d.ts +2 -0
  81. package/dist/src/commands/hook.js +16 -0
  82. package/dist/src/commands/hook.js.map +1 -0
  83. package/dist/src/commands/inspect.d.ts +2 -0
  84. package/dist/src/commands/inspect.js +24 -0
  85. package/dist/src/commands/inspect.js.map +1 -0
  86. package/dist/src/commands/install-scripts.d.ts +2 -0
  87. package/dist/src/commands/install-scripts.js +52 -0
  88. package/dist/src/commands/install-scripts.js.map +1 -0
  89. package/dist/src/commands/learn.d.ts +2 -0
  90. package/dist/src/commands/learn.js +42 -0
  91. package/dist/src/commands/learn.js.map +1 -0
  92. package/dist/src/commands/licenses.d.ts +2 -0
  93. package/dist/src/commands/licenses.js +40 -0
  94. package/dist/src/commands/licenses.js.map +1 -0
  95. package/dist/src/commands/mcp.d.ts +2 -0
  96. package/dist/src/commands/mcp.js +10 -0
  97. package/dist/src/commands/mcp.js.map +1 -0
  98. package/dist/src/commands/monorepo.d.ts +2 -0
  99. package/dist/src/commands/monorepo.js +21 -0
  100. package/dist/src/commands/monorepo.js.map +1 -0
  101. package/dist/src/commands/package-health.d.ts +2 -0
  102. package/dist/src/commands/package-health.js +50 -0
  103. package/dist/src/commands/package-health.js.map +1 -0
  104. package/dist/src/commands/pre-commit.d.ts +2 -0
  105. package/dist/src/commands/pre-commit.js +37 -0
  106. package/dist/src/commands/pre-commit.js.map +1 -0
  107. package/dist/src/commands/profile.d.ts +2 -0
  108. package/dist/src/commands/profile.js +18 -0
  109. package/dist/src/commands/profile.js.map +1 -0
  110. package/dist/src/commands/publish.d.ts +2 -0
  111. package/dist/src/commands/publish.js +25 -0
  112. package/dist/src/commands/publish.js.map +1 -0
  113. package/dist/src/commands/reachability.d.ts +2 -0
  114. package/dist/src/commands/reachability.js +47 -0
  115. package/dist/src/commands/reachability.js.map +1 -0
  116. package/dist/src/commands/sbom.d.ts +2 -0
  117. package/dist/src/commands/sbom.js +33 -0
  118. package/dist/src/commands/sbom.js.map +1 -0
  119. package/dist/src/commands/scan.d.ts +2 -0
  120. package/dist/src/commands/scan.js +48 -0
  121. package/dist/src/commands/scan.js.map +1 -0
  122. package/dist/src/commands/score.d.ts +2 -0
  123. package/dist/src/commands/score.js +24 -0
  124. package/dist/src/commands/score.js.map +1 -0
  125. package/dist/src/commands/self-test.d.ts +2 -0
  126. package/dist/src/commands/self-test.js +63 -0
  127. package/dist/src/commands/self-test.js.map +1 -0
  128. package/dist/src/commands/tree.d.ts +2 -0
  129. package/dist/src/commands/tree.js +21 -0
  130. package/dist/src/commands/tree.js.map +1 -0
  131. package/dist/src/commands/upgrade-pr.d.ts +2 -0
  132. package/dist/src/commands/upgrade-pr.js +15 -0
  133. package/dist/src/commands/upgrade-pr.js.map +1 -0
  134. package/dist/src/commands/vault.d.ts +2 -0
  135. package/dist/src/commands/vault.js +86 -0
  136. package/dist/src/commands/vault.js.map +1 -0
  137. package/dist/src/commands/vulnerabilities.d.ts +2 -0
  138. package/dist/src/commands/vulnerabilities.js +42 -0
  139. package/dist/src/commands/vulnerabilities.js.map +1 -0
  140. package/dist/src/commands/watch.d.ts +2 -0
  141. package/dist/src/commands/watch.js +34 -0
  142. package/dist/src/commands/watch.js.map +1 -0
  143. package/dist/src/config/version.d.ts +6 -0
  144. package/dist/src/config/version.js +29 -0
  145. package/dist/src/config/version.js.map +1 -0
  146. package/dist/src/contracts/analyzer.d.ts +23 -0
  147. package/dist/src/contracts/analyzer.js +2 -0
  148. package/dist/src/contracts/analyzer.js.map +1 -0
  149. package/dist/src/contracts/finding.d.ts +35 -0
  150. package/dist/src/contracts/finding.js +13 -0
  151. package/dist/src/contracts/finding.js.map +1 -0
  152. package/dist/src/contracts/report.d.ts +30 -0
  153. package/dist/src/contracts/report.js +2 -0
  154. package/dist/src/contracts/report.js.map +1 -0
  155. package/dist/src/contracts/rule.d.ts +12 -0
  156. package/dist/src/contracts/rule.js +7 -0
  157. package/dist/src/contracts/rule.js.map +1 -0
  158. package/dist/src/core/alternatives.d.ts +8 -0
  159. package/dist/src/core/alternatives.js +35 -0
  160. package/dist/src/core/alternatives.js.map +1 -0
  161. package/dist/src/core/analyze-package.d.ts +2 -0
  162. package/dist/src/core/analyze-package.js +49 -0
  163. package/dist/src/core/analyze-package.js.map +1 -0
  164. package/dist/src/core/announce/generate.d.ts +9 -0
  165. package/dist/src/core/announce/generate.js +19 -0
  166. package/dist/src/core/announce/generate.js.map +1 -0
  167. package/dist/src/core/compare-packages.d.ts +7 -0
  168. package/dist/src/core/compare-packages.js +19 -0
  169. package/dist/src/core/compare-packages.js.map +1 -0
  170. package/dist/src/core/config/load.d.ts +3 -0
  171. package/dist/src/core/config/load.js +21 -0
  172. package/dist/src/core/config/load.js.map +1 -0
  173. package/dist/src/core/config/policy.d.ts +3 -0
  174. package/dist/src/core/config/policy.js +48 -0
  175. package/dist/src/core/config/policy.js.map +1 -0
  176. package/dist/src/core/config/schema.d.ts +172 -0
  177. package/dist/src/core/config/schema.js +84 -0
  178. package/dist/src/core/config/schema.js.map +1 -0
  179. package/dist/src/core/dependencies/inventory.d.ts +9 -0
  180. package/dist/src/core/dependencies/inventory.js +43 -0
  181. package/dist/src/core/dependencies/inventory.js.map +1 -0
  182. package/dist/src/core/dependency-scan.d.ts +17 -0
  183. package/dist/src/core/dependency-scan.js +70 -0
  184. package/dist/src/core/dependency-scan.js.map +1 -0
  185. package/dist/src/core/dependency-tree.d.ts +16 -0
  186. package/dist/src/core/dependency-tree.js +19 -0
  187. package/dist/src/core/dependency-tree.js.map +1 -0
  188. package/dist/src/core/dependency-types.d.ts +17 -0
  189. package/dist/src/core/dependency-types.js +2 -0
  190. package/dist/src/core/dependency-types.js.map +1 -0
  191. package/dist/src/core/diff/security-diff.d.ts +10 -0
  192. package/dist/src/core/diff/security-diff.js +20 -0
  193. package/dist/src/core/diff/security-diff.js.map +1 -0
  194. package/dist/src/core/file-walker.d.ts +6 -0
  195. package/dist/src/core/file-walker.js +27 -0
  196. package/dist/src/core/file-walker.js.map +1 -0
  197. package/dist/src/core/git-audit.d.ts +12 -0
  198. package/dist/src/core/git-audit.js +111 -0
  199. package/dist/src/core/git-audit.js.map +1 -0
  200. package/dist/src/core/github/remote-audit.d.ts +5 -0
  201. package/dist/src/core/github/remote-audit.js +28 -0
  202. package/dist/src/core/github/remote-audit.js.map +1 -0
  203. package/dist/src/core/github/upgrade-pr.d.ts +4 -0
  204. package/dist/src/core/github/upgrade-pr.js +41 -0
  205. package/dist/src/core/github/upgrade-pr.js.map +1 -0
  206. package/dist/src/core/history/git-metadata.d.ts +5 -0
  207. package/dist/src/core/history/git-metadata.js +37 -0
  208. package/dist/src/core/history/git-metadata.js.map +1 -0
  209. package/dist/src/core/history/store.d.ts +5 -0
  210. package/dist/src/core/history/store.js +65 -0
  211. package/dist/src/core/history/store.js.map +1 -0
  212. package/dist/src/core/history/types.d.ts +27 -0
  213. package/dist/src/core/history/types.js +2 -0
  214. package/dist/src/core/history/types.js.map +1 -0
  215. package/dist/src/core/hooks.d.ts +1 -0
  216. package/dist/src/core/hooks.js +14 -0
  217. package/dist/src/core/hooks.js.map +1 -0
  218. package/dist/src/core/learn.d.ts +11 -0
  219. package/dist/src/core/learn.js +163 -0
  220. package/dist/src/core/learn.js.map +1 -0
  221. package/dist/src/core/license-analysis.d.ts +18 -0
  222. package/dist/src/core/license-analysis.js +98 -0
  223. package/dist/src/core/license-analysis.js.map +1 -0
  224. package/dist/src/core/load-toolip-ignore.d.ts +5 -0
  225. package/dist/src/core/load-toolip-ignore.js +35 -0
  226. package/dist/src/core/load-toolip-ignore.js.map +1 -0
  227. package/dist/src/core/monorepo/discover.d.ts +7 -0
  228. package/dist/src/core/monorepo/discover.js +49 -0
  229. package/dist/src/core/monorepo/discover.js.map +1 -0
  230. package/dist/src/core/npm-registry.d.ts +3 -0
  231. package/dist/src/core/npm-registry.js +5 -0
  232. package/dist/src/core/npm-registry.js.map +1 -0
  233. package/dist/src/core/pre-commit.d.ts +11 -0
  234. package/dist/src/core/pre-commit.js +22 -0
  235. package/dist/src/core/pre-commit.js.map +1 -0
  236. package/dist/src/core/profile-project.d.ts +23 -0
  237. package/dist/src/core/profile-project.js +119 -0
  238. package/dist/src/core/profile-project.js.map +1 -0
  239. package/dist/src/core/publish/html.d.ts +6 -0
  240. package/dist/src/core/publish/html.js +44 -0
  241. package/dist/src/core/publish/html.js.map +1 -0
  242. package/dist/src/core/read-dependencies.d.ts +2 -0
  243. package/dist/src/core/read-dependencies.js +24 -0
  244. package/dist/src/core/read-dependencies.js.map +1 -0
  245. package/dist/src/core/report-writer.d.ts +5 -0
  246. package/dist/src/core/report-writer.js +61 -0
  247. package/dist/src/core/report-writer.js.map +1 -0
  248. package/dist/src/core/report.d.ts +34 -0
  249. package/dist/src/core/report.js +26 -0
  250. package/dist/src/core/report.js.map +1 -0
  251. package/dist/src/core/risk-score.d.ts +5 -0
  252. package/dist/src/core/risk-score.js +14 -0
  253. package/dist/src/core/risk-score.js.map +1 -0
  254. package/dist/src/core/sbom/generate.d.ts +2 -0
  255. package/dist/src/core/sbom/generate.js +120 -0
  256. package/dist/src/core/sbom/generate.js.map +1 -0
  257. package/dist/src/core/scanner-context.d.ts +12 -0
  258. package/dist/src/core/scanner-context.js +27 -0
  259. package/dist/src/core/scanner-context.js.map +1 -0
  260. package/dist/src/core/score.d.ts +13 -0
  261. package/dist/src/core/score.js +44 -0
  262. package/dist/src/core/score.js.map +1 -0
  263. package/dist/src/core/security-doctor.d.ts +12 -0
  264. package/dist/src/core/security-doctor.js +158 -0
  265. package/dist/src/core/security-doctor.js.map +1 -0
  266. package/dist/src/core/security-patterns.d.ts +14 -0
  267. package/dist/src/core/security-patterns.js +139 -0
  268. package/dist/src/core/security-patterns.js.map +1 -0
  269. package/dist/src/core/typosquat.d.ts +6 -0
  270. package/dist/src/core/typosquat.js +50 -0
  271. package/dist/src/core/typosquat.js.map +1 -0
  272. package/dist/src/core/vault.d.ts +48 -0
  273. package/dist/src/core/vault.js +127 -0
  274. package/dist/src/core/vault.js.map +1 -0
  275. package/dist/src/core/watch/watch.d.ts +5 -0
  276. package/dist/src/core/watch/watch.js +49 -0
  277. package/dist/src/core/watch/watch.js.map +1 -0
  278. package/dist/src/errors/toolip-error.d.ts +8 -0
  279. package/dist/src/errors/toolip-error.js +11 -0
  280. package/dist/src/errors/toolip-error.js.map +1 -0
  281. package/dist/src/index.d.ts +2 -0
  282. package/dist/src/index.js +89 -0
  283. package/dist/src/index.js.map +1 -0
  284. package/dist/src/mcp/server.d.ts +1 -0
  285. package/dist/src/mcp/server.js +64 -0
  286. package/dist/src/mcp/server.js.map +1 -0
  287. package/dist/src/providers/depsdev/client.d.ts +71 -0
  288. package/dist/src/providers/depsdev/client.js +44 -0
  289. package/dist/src/providers/depsdev/client.js.map +1 -0
  290. package/dist/src/providers/osv/client.d.ts +15 -0
  291. package/dist/src/providers/osv/client.js +51 -0
  292. package/dist/src/providers/osv/client.js.map +1 -0
  293. package/dist/src/providers/osv/types.d.ts +38 -0
  294. package/dist/src/providers/osv/types.js +2 -0
  295. package/dist/src/providers/osv/types.js.map +1 -0
  296. package/dist/src/storage/memory-cache.d.ts +7 -0
  297. package/dist/src/storage/memory-cache.js +25 -0
  298. package/dist/src/storage/memory-cache.js.map +1 -0
  299. package/dist/src/utils/error-handler.d.ts +1 -0
  300. package/dist/src/utils/error-handler.js +24 -0
  301. package/dist/src/utils/error-handler.js.map +1 -0
  302. package/dist/src/utils/output.d.ts +6 -0
  303. package/dist/src/utils/output.js +72 -0
  304. package/dist/src/utils/output.js.map +1 -0
  305. package/dist/src/utils/package-output.d.ts +4 -0
  306. package/dist/src/utils/package-output.js +40 -0
  307. package/dist/src/utils/package-output.js.map +1 -0
  308. package/package.json +13 -8
@@ -0,0 +1,37 @@
1
+ import { execFile } from 'node:child_process';
2
+ import { promisify } from 'node:util';
3
+ const execFileAsync = promisify(execFile);
4
+ async function git(root, args) {
5
+ try {
6
+ const { stdout } = await execFileAsync('git', args, {
7
+ cwd: root,
8
+ encoding: 'utf8'
9
+ });
10
+ return stdout.trim() || undefined;
11
+ }
12
+ catch {
13
+ return undefined;
14
+ }
15
+ }
16
+ export async function readGitMetadata(root) {
17
+ const branch = await git(root, [
18
+ 'branch',
19
+ '--show-current'
20
+ ]);
21
+ const commit = await git(root, [
22
+ 'rev-parse',
23
+ 'HEAD'
24
+ ]);
25
+ const status = await git(root, [
26
+ 'status',
27
+ '--porcelain'
28
+ ]);
29
+ return {
30
+ branch,
31
+ commit,
32
+ dirty: status === undefined
33
+ ? undefined
34
+ : status.length > 0
35
+ };
36
+ }
37
+ //# sourceMappingURL=git-metadata.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"git-metadata.js","sourceRoot":"","sources":["../../../../src/core/history/git-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,KAAK,UAAU,GAAG,CAChB,IAAY,EACZ,IAAc;IAEd,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,KAAK,EACL,IAAI,EACJ;YACE,GAAG,EAAE,IAAI;YACT,QAAQ,EAAE,MAAM;SACjB,CACF,CAAC;QAEF,OAAO,MAAM,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAY;IAMZ,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE;QAC7B,QAAQ;QACR,gBAAgB;KACjB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE;QAC7B,WAAW;QACX,MAAM;KACP,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE;QAC7B,QAAQ;QACR,aAAa;KACd,CAAC,CAAC;IAEH,OAAO;QACL,MAAM;QACN,MAAM;QACN,KAAK,EACH,MAAM,KAAK,SAAS;YAClB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;KACxB,CAAC;AACJ,CAAC"}
@@ -0,0 +1,5 @@
1
+ import type { HistoryEntry, HistoryStore } from './types.js';
2
+ export declare function historyFilePath(root: string): string;
3
+ export declare function readHistory(root: string): Promise<HistoryStore>;
4
+ export declare function appendHistory(root: string, entry: HistoryEntry, maxEntries?: number): Promise<void>;
5
+ export declare function clearHistory(root: string): Promise<void>;
@@ -0,0 +1,65 @@
1
+ import { mkdir, readFile, rename, writeFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ const schemaVersion = '1.0';
4
+ export function historyFilePath(root) {
5
+ return path.join(root, '.toolip', 'history.json');
6
+ }
7
+ export async function readHistory(root) {
8
+ const filePath = historyFilePath(root);
9
+ try {
10
+ const raw = await readFile(filePath, 'utf8');
11
+ const parsed = JSON.parse(raw);
12
+ if (parsed.schemaVersion !== schemaVersion ||
13
+ !Array.isArray(parsed.entries)) {
14
+ throw new Error('Unsupported Toolip history schema.');
15
+ }
16
+ return parsed;
17
+ }
18
+ catch (error) {
19
+ if (error instanceof Error &&
20
+ 'code' in error &&
21
+ error.code === 'ENOENT') {
22
+ return {
23
+ schemaVersion,
24
+ entries: []
25
+ };
26
+ }
27
+ throw error;
28
+ }
29
+ }
30
+ export async function appendHistory(root, entry, maxEntries = 500) {
31
+ const filePath = historyFilePath(root);
32
+ const directory = path.dirname(filePath);
33
+ const temporary = `${filePath}.tmp`;
34
+ await mkdir(directory, {
35
+ recursive: true
36
+ });
37
+ const current = await readHistory(root);
38
+ const entries = [
39
+ ...current.entries,
40
+ entry
41
+ ].slice(-Math.max(1, maxEntries));
42
+ await writeFile(temporary, `${JSON.stringify({
43
+ schemaVersion,
44
+ entries
45
+ }, null, 2)}\n`, {
46
+ encoding: 'utf8',
47
+ mode: 0o600
48
+ });
49
+ await rename(temporary, filePath);
50
+ }
51
+ export async function clearHistory(root) {
52
+ const filePath = historyFilePath(root);
53
+ const directory = path.dirname(filePath);
54
+ await mkdir(directory, {
55
+ recursive: true
56
+ });
57
+ await writeFile(filePath, `${JSON.stringify({
58
+ schemaVersion,
59
+ entries: []
60
+ }, null, 2)}\n`, {
61
+ encoding: 'utf8',
62
+ mode: 0o600
63
+ });
64
+ }
65
+ //# sourceMappingURL=store.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.js","sourceRoot":"","sources":["../../../../src/core/history/store.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,EACL,QAAQ,EACR,MAAM,EACN,SAAS,EACV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,IAAI,MAAM,WAAW,CAAC;AAM7B,MAAM,aAAa,GAAG,KAAc,CAAC;AAErC,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY;IAEZ,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IAEvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;QAE/C,IACE,MAAM,CAAC,aAAa,KAAK,aAAa;YACtC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAC9B,CAAC;YACD,MAAM,IAAI,KAAK,CACb,oCAAoC,CACrC,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;YACD,OAAO;gBACL,aAAa;gBACb,OAAO,EAAE,EAAE;aACZ,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAY,EACZ,KAAmB,EACnB,UAAU,GAAG,GAAG;IAEhB,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,GAAG,QAAQ,MAAM,CAAC;IAEpC,MAAM,KAAK,CAAC,SAAS,EAAE;QACrB,SAAS,EAAE,IAAI;KAChB,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG;QACd,GAAG,OAAO,CAAC,OAAO;QAClB,KAAK;KACN,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;IAElC,MAAM,SAAS,CACb,SAAS,EACT,GAAG,IAAI,CAAC,SAAS,CACf;QACE,aAAa;QACb,OAAO;KACe,EACxB,IAAI,EACJ,CAAC,CACF,IAAI,EACL;QACE,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,KAAK;KACZ,CACF,CAAC;IAEF,MAAM,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY;IAEZ,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEzC,MAAM,KAAK,CAAC,SAAS,EAAE;QACrB,SAAS,EAAE,IAAI;KAChB,CAAC,CAAC;IAEH,MAAM,SAAS,CACb,QAAQ,EACR,GAAG,IAAI,CAAC,SAAS,CACf;QACE,aAAa;QACb,OAAO,EAAE,EAAE;KACW,EACxB,IAAI,EACJ,CAAC,CACF,IAAI,EACL;QACE,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,KAAK;KACZ,CACF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,27 @@
1
+ export type HistorySummary = {
2
+ critical: number;
3
+ high: number;
4
+ medium: number;
5
+ low: number;
6
+ info: number;
7
+ total: number;
8
+ };
9
+ export type HistoryEntry = {
10
+ id: string;
11
+ createdAt: string;
12
+ toolipVersion: string;
13
+ command: string;
14
+ git?: {
15
+ branch?: string;
16
+ commit?: string;
17
+ dirty?: boolean;
18
+ };
19
+ score?: number;
20
+ summary: HistorySummary;
21
+ findingIds: string[];
22
+ metadata?: Record<string, unknown>;
23
+ };
24
+ export type HistoryStore = {
25
+ schemaVersion: '1.0';
26
+ entries: HistoryEntry[];
27
+ };
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/core/history/types.ts"],"names":[],"mappings":""}
@@ -0,0 +1 @@
1
+ export declare function installPreCommitHook(root: string): Promise<string>;
@@ -0,0 +1,14 @@
1
+ import { mkdir, writeFile, chmod } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ export async function installPreCommitHook(root) {
4
+ const hooksDir = path.join(root, '.git', 'hooks');
5
+ const hookPath = path.join(hooksDir, 'pre-commit');
6
+ await mkdir(hooksDir, { recursive: true });
7
+ await writeFile(hookPath, `#!/bin/sh
8
+ echo "Running Toolip pre-commit checks..."
9
+ npx toolip pre-commit
10
+ `, 'utf8');
11
+ await chmod(hookPath, 0o755);
12
+ return hookPath;
13
+ }
14
+ //# sourceMappingURL=hooks.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"hooks.js","sourceRoot":"","sources":["../../../src/core/hooks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAAY;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAEnD,MAAM,KAAK,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE3C,MAAM,SAAS,CACb,QAAQ,EACR;;;CAGH,EACG,MAAM,CACP,CAAC;IAEF,MAAM,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAE7B,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,11 @@
1
+ export type LearnTopic = {
2
+ id: string;
3
+ title: string;
4
+ explanation: string;
5
+ risks: string[];
6
+ mistakes: string[];
7
+ secureExamples: string[];
8
+ bestPractices: string[];
9
+ };
10
+ export declare function listLearnTopics(): LearnTopic[];
11
+ export declare function getLearnTopic(topic: string): LearnTopic | null;
@@ -0,0 +1,163 @@
1
+ const topics = {
2
+ cors: {
3
+ id: 'cors',
4
+ title: 'CORS Security',
5
+ explanation: 'CORS controls which origins can access browser-protected resources from your API.',
6
+ risks: [
7
+ 'Overly broad origins can expose APIs to untrusted frontends.',
8
+ 'Credentials with wildcard origins can create serious access-control mistakes.'
9
+ ],
10
+ mistakes: [
11
+ 'Using origin: "*" for authenticated APIs.',
12
+ 'Using the same CORS policy in development and production.'
13
+ ],
14
+ secureExamples: [
15
+ 'Allow only https://yourdomain.com in production.',
16
+ 'Use environment-specific allowed origin lists.'
17
+ ],
18
+ bestPractices: [
19
+ 'Avoid wildcard origins for sensitive APIs.',
20
+ 'Review CORS together with cookies, credentials, and authentication.'
21
+ ]
22
+ },
23
+ jwt: {
24
+ id: 'jwt',
25
+ title: 'JWT Security',
26
+ explanation: 'JWTs are signed tokens used to represent claims, identity, and authorization context.',
27
+ risks: [
28
+ 'Weak secrets allow token forgery.',
29
+ 'Long-lived tokens increase impact after theft.'
30
+ ],
31
+ mistakes: [
32
+ 'Using "secret" or "password" as the JWT secret.',
33
+ 'Setting access tokens to last for months or years.'
34
+ ],
35
+ secureExamples: [
36
+ 'Use a long random secret from a secret manager.',
37
+ 'Use short access-token lifetimes with refresh-token rotation.'
38
+ ],
39
+ bestPractices: [
40
+ 'Validate issuer, audience, signature, and expiry.',
41
+ 'Never store JWT secrets in source code.'
42
+ ]
43
+ },
44
+ xss: {
45
+ id: 'xss',
46
+ title: 'Cross-Site Scripting',
47
+ explanation: 'XSS happens when untrusted input is rendered as executable browser code.',
48
+ risks: [
49
+ 'Session theft.',
50
+ 'Account takeover.',
51
+ 'Malicious actions performed as the user.'
52
+ ],
53
+ mistakes: [
54
+ 'Rendering raw HTML from users.',
55
+ 'Trusting sanitized content without context-aware escaping.'
56
+ ],
57
+ secureExamples: [
58
+ 'Escape output by default.',
59
+ 'Use CSP to reduce script execution risk.'
60
+ ],
61
+ bestPractices: [
62
+ 'Avoid dangerous HTML injection APIs.',
63
+ 'Sanitize rich text with a trusted sanitizer.'
64
+ ]
65
+ },
66
+ csrf: {
67
+ id: 'csrf',
68
+ title: 'Cross-Site Request Forgery',
69
+ explanation: 'CSRF tricks a logged-in browser into sending unwanted authenticated requests.',
70
+ risks: [
71
+ 'Unauthorized state changes.',
72
+ 'Account setting changes.',
73
+ 'Financial or administrative actions triggered silently.'
74
+ ],
75
+ mistakes: [
76
+ 'Relying only on cookies for authentication.',
77
+ 'Not using SameSite cookie settings.'
78
+ ],
79
+ secureExamples: [
80
+ 'Use SameSite=Lax or SameSite=Strict cookies.',
81
+ 'Use CSRF tokens for sensitive state-changing requests.'
82
+ ],
83
+ bestPractices: [
84
+ 'Require explicit anti-CSRF protection for cookie-authenticated apps.',
85
+ 'Avoid GET requests for state-changing operations.'
86
+ ]
87
+ },
88
+ secrets: {
89
+ id: 'secrets',
90
+ title: 'Secrets Management',
91
+ explanation: 'Secrets are credentials such as API keys, tokens, passwords, and private keys.',
92
+ risks: [
93
+ 'Committed secrets can be copied forever from Git history.',
94
+ 'Leaked credentials can grant attackers access to production systems.'
95
+ ],
96
+ mistakes: [
97
+ 'Storing secrets in .env files committed to Git.',
98
+ 'Hardcoding API keys in source files.'
99
+ ],
100
+ secureExamples: [
101
+ 'Use environment variables or encrypted local vaults.',
102
+ 'Rotate credentials after exposure.'
103
+ ],
104
+ bestPractices: [
105
+ 'Keep .env files ignored.',
106
+ 'Commit only safe .env.example files.',
107
+ 'Scan before committing.'
108
+ ]
109
+ },
110
+ auth: {
111
+ id: 'auth',
112
+ title: 'Authentication and Authorization',
113
+ explanation: 'Authentication verifies identity; authorization decides what that identity can access.',
114
+ risks: [
115
+ 'Broken access control.',
116
+ 'Privilege escalation.',
117
+ 'Session compromise.'
118
+ ],
119
+ mistakes: [
120
+ 'Checking only if a user is logged in.',
121
+ 'Trusting client-side roles.'
122
+ ],
123
+ secureExamples: [
124
+ 'Check permissions on the server for every protected action.',
125
+ 'Use least privilege access rules.'
126
+ ],
127
+ bestPractices: [
128
+ 'Separate authentication from authorization.',
129
+ 'Log sensitive access and permission changes.'
130
+ ]
131
+ },
132
+ dependencies: {
133
+ id: 'dependencies',
134
+ title: 'Dependency Security',
135
+ explanation: 'Dependency security is about managing risk from third-party packages.',
136
+ risks: [
137
+ 'Deprecated packages may stop receiving fixes.',
138
+ 'Typosquatted packages can impersonate popular libraries.',
139
+ 'Transitive dependencies can introduce hidden risk.'
140
+ ],
141
+ mistakes: [
142
+ 'Installing packages without checking maintainers.',
143
+ 'Ignoring deprecated package warnings.',
144
+ 'Allowing dependency bloat.'
145
+ ],
146
+ secureExamples: [
147
+ 'Inspect package health before adoption.',
148
+ 'Prefer maintained packages with active releases.'
149
+ ],
150
+ bestPractices: [
151
+ 'Review lockfile changes.',
152
+ 'Use small dependency surfaces.',
153
+ 'Replace abandoned packages early.'
154
+ ]
155
+ }
156
+ };
157
+ export function listLearnTopics() {
158
+ return Object.values(topics);
159
+ }
160
+ export function getLearnTopic(topic) {
161
+ return topics[topic.toLowerCase()] ?? null;
162
+ }
163
+ //# sourceMappingURL=learn.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"learn.js","sourceRoot":"","sources":["../../../src/core/learn.ts"],"names":[],"mappings":"AAUA,MAAM,MAAM,GAA+B;IACzC,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM;QACV,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,mFAAmF;QAChG,KAAK,EAAE;YACL,8DAA8D;YAC9D,+EAA+E;SAChF;QACD,QAAQ,EAAE;YACR,2CAA2C;YAC3C,2DAA2D;SAC5D;QACD,cAAc,EAAE;YACd,kDAAkD;YAClD,gDAAgD;SACjD;QACD,aAAa,EAAE;YACb,4CAA4C;YAC5C,qEAAqE;SACtE;KACF;IACD,GAAG,EAAE;QACH,EAAE,EAAE,KAAK;QACT,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE,uFAAuF;QACpG,KAAK,EAAE;YACL,mCAAmC;YACnC,gDAAgD;SACjD;QACD,QAAQ,EAAE;YACR,iDAAiD;YACjD,oDAAoD;SACrD;QACD,cAAc,EAAE;YACd,iDAAiD;YACjD,+DAA+D;SAChE;QACD,aAAa,EAAE;YACb,mDAAmD;YACnD,yCAAyC;SAC1C;KACF;IACD,GAAG,EAAE;QACH,EAAE,EAAE,KAAK;QACT,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,0EAA0E;QACvF,KAAK,EAAE;YACL,gBAAgB;YAChB,mBAAmB;YACnB,0CAA0C;SAC3C;QACD,QAAQ,EAAE;YACR,gCAAgC;YAChC,4DAA4D;SAC7D;QACD,cAAc,EAAE;YACd,2BAA2B;YAC3B,0CAA0C;SAC3C;QACD,aAAa,EAAE;YACb,sCAAsC;YACtC,8CAA8C;SAC/C;KACF;IACD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM;QACV,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,+EAA+E;QAC5F,KAAK,EAAE;YACL,6BAA6B;YAC7B,0BAA0B;YAC1B,yDAAyD;SAC1D;QACD,QAAQ,EAAE;YACR,6CAA6C;YAC7C,qCAAqC;SACtC;QACD,cAAc,EAAE;YACd,8CAA8C;YAC9C,wDAAwD;SACzD;QACD,aAAa,EAAE;YACb,sEAAsE;YACtE,mDAAmD;SACpD;KACF;IACD,OAAO,EAAE;QACP,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,gFAAgF;QAC7F,KAAK,EAAE;YACL,2DAA2D;YAC3D,sEAAsE;SACvE;QACD,QAAQ,EAAE;YACR,iDAAiD;YACjD,sCAAsC;SACvC;QACD,cAAc,EAAE;YACd,sDAAsD;YACtD,oCAAoC;SACrC;QACD,aAAa,EAAE;YACb,0BAA0B;YAC1B,sCAAsC;YACtC,yBAAyB;SAC1B;KACF;IACD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM;QACV,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,wFAAwF;QACrG,KAAK,EAAE;YACL,wBAAwB;YACxB,uBAAuB;YACvB,qBAAqB;SACtB;QACD,QAAQ,EAAE;YACR,uCAAuC;YACvC,6BAA6B;SAC9B;QACD,cAAc,EAAE;YACd,6DAA6D;YAC7D,mCAAmC;SACpC;QACD,aAAa,EAAE;YACb,6CAA6C;YAC7C,8CAA8C;SAC/C;KACF;IACD,YAAY,EAAE;QACZ,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,uEAAuE;QACpF,KAAK,EAAE;YACL,+CAA+C;YAC/C,0DAA0D;YAC1D,oDAAoD;SACrD;QACD,QAAQ,EAAE;YACR,mDAAmD;YACnD,uCAAuC;YACvC,4BAA4B;SAC7B;QACD,cAAc,EAAE;YACd,yCAAyC;YACzC,kDAAkD;SACnD;QACD,aAAa,EAAE;YACb,0BAA0B;YAC1B,gCAAgC;YAChC,mCAAmC;SACpC;KACF;CACF,CAAC;AAEF,MAAM,UAAU,eAAe;IAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,OAAO,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,IAAI,CAAC;AAC7C,CAAC"}
@@ -0,0 +1,18 @@
1
+ import type { ToolipFinding } from './report.js';
2
+ export type LicenseEntry = {
3
+ name: string;
4
+ version: string;
5
+ license: string;
6
+ type: 'dependency' | 'devDependency';
7
+ };
8
+ export type LicenseAnalysisResult = {
9
+ licenses: LicenseEntry[];
10
+ findings: ToolipFinding[];
11
+ summary: {
12
+ total: number;
13
+ unknown: number;
14
+ restrictive: number;
15
+ distribution: Record<string, number>;
16
+ };
17
+ };
18
+ export declare function analyzeLicenses(root: string): Promise<LicenseAnalysisResult>;
@@ -0,0 +1,98 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ const restrictiveLicenses = new Set([
4
+ 'GPL',
5
+ 'GPL-2.0',
6
+ 'GPL-3.0',
7
+ 'AGPL',
8
+ 'AGPL-3.0',
9
+ 'LGPL',
10
+ 'LGPL-2.1',
11
+ 'LGPL-3.0'
12
+ ]);
13
+ export async function analyzeLicenses(root) {
14
+ const packageJsonPath = path.join(root, 'package.json');
15
+ const raw = await readFile(packageJsonPath, 'utf8');
16
+ const pkg = JSON.parse(raw);
17
+ const entries = [
18
+ ...Object.entries(pkg.dependencies ?? {}).map(([name, version]) => ({
19
+ name,
20
+ version,
21
+ license: inferLicense(name),
22
+ type: 'dependency'
23
+ })),
24
+ ...Object.entries(pkg.devDependencies ?? {}).map(([name, version]) => ({
25
+ name,
26
+ version,
27
+ license: inferLicense(name),
28
+ type: 'devDependency'
29
+ }))
30
+ ].sort((a, b) => a.name.localeCompare(b.name));
31
+ const findings = entries.flatMap(licenseToFindings);
32
+ const distribution = entries.reduce((summary, entry) => {
33
+ summary[entry.license] = (summary[entry.license] ?? 0) + 1;
34
+ return summary;
35
+ }, {});
36
+ return {
37
+ licenses: entries,
38
+ findings,
39
+ summary: {
40
+ total: entries.length,
41
+ unknown: entries.filter((entry) => entry.license === 'UNKNOWN').length,
42
+ restrictive: entries.filter((entry) => restrictiveLicenses.has(entry.license)).length,
43
+ distribution
44
+ }
45
+ };
46
+ }
47
+ function inferLicense(packageName) {
48
+ const known = {
49
+ '@types/node': 'MIT',
50
+ '@types/semver': 'MIT',
51
+ axios: 'MIT',
52
+ chalk: 'MIT',
53
+ commander: 'MIT',
54
+ express: 'MIT',
55
+ 'fast-glob': 'MIT',
56
+ ignore: 'MIT',
57
+ ora: 'MIT',
58
+ pacote: 'ISC',
59
+ react: 'MIT',
60
+ request: 'Apache-2.0',
61
+ semver: 'ISC',
62
+ tsx: 'MIT',
63
+ typescript: 'Apache-2.0',
64
+ vitest: 'MIT',
65
+ zod: 'MIT'
66
+ };
67
+ return known[packageName] ?? 'UNKNOWN';
68
+ }
69
+ function licenseToFindings(entry) {
70
+ if (entry.license === 'UNKNOWN') {
71
+ return [
72
+ {
73
+ id: `TOOLIP-LICENSE-UNKNOWN-${entry.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
74
+ title: `Unknown license: ${entry.name}`,
75
+ severity: 'medium',
76
+ category: 'license',
77
+ message: `${entry.name} does not have a known license in Toolip's local license intelligence map.`,
78
+ recommendation: 'Manually verify the package license before using it in commercial or distributed software.',
79
+ evidence: entry.version
80
+ }
81
+ ];
82
+ }
83
+ if (restrictiveLicenses.has(entry.license)) {
84
+ return [
85
+ {
86
+ id: `TOOLIP-LICENSE-RESTRICTIVE-${entry.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
87
+ title: `Restrictive license detected: ${entry.name}`,
88
+ severity: 'high',
89
+ category: 'license',
90
+ message: `${entry.name} appears to use ${entry.license}, which may introduce redistribution obligations.`,
91
+ recommendation: 'Review the license terms with care before using this package in proprietary software.',
92
+ evidence: entry.license
93
+ }
94
+ ];
95
+ }
96
+ return [];
97
+ }
98
+ //# sourceMappingURL=license-analysis.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"license-analysis.js","sourceRoot":"","sources":["../../../src/core/license-analysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAqB7B,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK;IACL,SAAS;IACT,SAAS;IACT,MAAM;IACN,UAAU;IACV,MAAM;IACN,UAAU;IACV,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY;IAChD,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAEpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAGzB,CAAC;IAEF,MAAM,OAAO,GAAmB;QAC9B,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YAClE,IAAI;YACJ,OAAO;YACP,OAAO,EAAE,YAAY,CAAC,IAAI,CAAC;YAC3B,IAAI,EAAE,YAAqB;SAC5B,CAAC,CAAC;QACH,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YACrE,IAAI;YACJ,OAAO;YACP,OAAO,EAAE,YAAY,CAAC,IAAI,CAAC;YAC3B,IAAI,EAAE,eAAwB;SAC/B,CAAC,CAAC;KACJ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAE/C,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAyB,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE;QAC7E,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3D,OAAO,OAAO,CAAC;IACjB,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,QAAQ;QACR,OAAO,EAAE;YACP,KAAK,EAAE,OAAO,CAAC,MAAM;YACrB,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,MAAM;YACtE,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;YACrF,YAAY;SACb;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,WAAmB;IACvC,MAAM,KAAK,GAA2B;QACpC,aAAa,EAAE,KAAK;QACpB,eAAe,EAAE,KAAK;QACtB,KAAK,EAAE,KAAK;QACZ,KAAK,EAAE,KAAK;QACZ,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,KAAK;QACd,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,KAAK;QACb,GAAG,EAAE,KAAK;QACV,MAAM,EAAE,KAAK;QACb,KAAK,EAAE,KAAK;QACZ,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,KAAK;QACb,GAAG,EAAE,KAAK;QACV,UAAU,EAAE,YAAY;QACxB,MAAM,EAAE,KAAK;QACb,GAAG,EAAE,KAAK;KACX,CAAC;IAEF,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC;AACzC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAmB;IAC5C,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO;YACL;gBACE,EAAE,EAAE,0BAA0B,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;gBACtF,KAAK,EAAE,oBAAoB,KAAK,CAAC,IAAI,EAAE;gBACvC,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,GAAG,KAAK,CAAC,IAAI,4EAA4E;gBAClG,cAAc,EAAE,4FAA4F;gBAC5G,QAAQ,EAAE,KAAK,CAAC,OAAO;aACxB;SACF,CAAC;IACJ,CAAC;IAED,IAAI,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,OAAO;YACL;gBACE,EAAE,EAAE,8BAA8B,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;gBAC1F,KAAK,EAAE,iCAAiC,KAAK,CAAC,IAAI,EAAE;gBACpD,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,GAAG,KAAK,CAAC,IAAI,mBAAmB,KAAK,CAAC,OAAO,mDAAmD;gBACzG,cAAc,EAAE,uFAAuF;gBACvG,QAAQ,EAAE,KAAK,CAAC,OAAO;aACxB;SACF,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC"}
@@ -0,0 +1,5 @@
1
+ export type ToolipIgnore = {
2
+ ignores(filePath: string): boolean;
3
+ patterns: string[];
4
+ };
5
+ export declare function loadToolipIgnore(root: string): Promise<ToolipIgnore>;
@@ -0,0 +1,35 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ import ignore from 'ignore';
4
+ const defaultPatterns = [
5
+ 'node_modules',
6
+ 'dist',
7
+ 'coverage',
8
+ 'build',
9
+ '.git',
10
+ '.toolip-vault.json'
11
+ ];
12
+ export async function loadToolipIgnore(root) {
13
+ const ignoreFile = path.join(root, '.toolipignore');
14
+ let customPatterns = [];
15
+ try {
16
+ const raw = await readFile(ignoreFile, 'utf8');
17
+ customPatterns = raw
18
+ .split('\n')
19
+ .map((line) => line.trim())
20
+ .filter((line) => line.length > 0 && !line.startsWith('#'));
21
+ }
22
+ catch {
23
+ customPatterns = [];
24
+ }
25
+ const patterns = [...defaultPatterns, ...customPatterns];
26
+ const ig = ignore().add(patterns);
27
+ return {
28
+ patterns,
29
+ ignores(filePath) {
30
+ const relativePath = path.relative(root, filePath).replaceAll('\\', '/');
31
+ return relativePath.length > 0 && ig.ignores(relativePath);
32
+ }
33
+ };
34
+ }
35
+ //# sourceMappingURL=load-toolip-ignore.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"load-toolip-ignore.js","sourceRoot":"","sources":["../../../src/core/load-toolip-ignore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAO5B,MAAM,eAAe,GAAG;IACtB,cAAc;IACd,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,oBAAoB;CACrB,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAY;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IACpD,IAAI,cAAc,GAAa,EAAE,CAAC;IAElC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAC/C,cAAc,GAAG,GAAG;aACjB,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;aAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,cAAc,GAAG,EAAE,CAAC;IACtB,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,cAAc,CAAC,CAAC;IACzD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAElC,OAAO;QACL,QAAQ;QACR,OAAO,CAAC,QAAgB;YACtB,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACzE,OAAO,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC7D,CAAC;KACF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,7 @@
1
+ export type WorkspaceProject = {
2
+ root: string;
3
+ relativePath: string;
4
+ name?: string;
5
+ version?: string;
6
+ };
7
+ export declare function discoverWorkspaces(root: string): Promise<WorkspaceProject[]>;
@@ -0,0 +1,49 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ import fg from 'fast-glob';
4
+ async function patterns(root) {
5
+ const manifest = JSON.parse(await readFile(path.join(root, 'package.json'), 'utf8'));
6
+ if (Array.isArray(manifest.workspaces)) {
7
+ return manifest.workspaces;
8
+ }
9
+ if (Array.isArray(manifest.workspaces?.packages)) {
10
+ return manifest.workspaces.packages;
11
+ }
12
+ try {
13
+ const yaml = await readFile(path.join(root, 'pnpm-workspace.yaml'), 'utf8');
14
+ return yaml
15
+ .split(/\r?\n/)
16
+ .map((line) => line.match(/^\s*-\s*['"]?([^'"]+)['"]?\s*$/)?.[1])
17
+ .filter((value) => Boolean(value));
18
+ }
19
+ catch {
20
+ return [];
21
+ }
22
+ }
23
+ export async function discoverWorkspaces(root) {
24
+ const workspacePatterns = await patterns(root);
25
+ if (workspacePatterns.length === 0) {
26
+ return [{
27
+ root,
28
+ relativePath: '.'
29
+ }];
30
+ }
31
+ const manifests = await fg(workspacePatterns.map((pattern) => `${pattern.replace(/\/$/, '')}/package.json`), {
32
+ cwd: root,
33
+ absolute: false,
34
+ onlyFiles: true,
35
+ ignore: ['**/node_modules/**', '**/dist/**']
36
+ });
37
+ return Promise.all(manifests.sort().map(async (manifestPath) => {
38
+ const absolute = path.join(root, manifestPath);
39
+ const manifest = JSON.parse(await readFile(absolute, 'utf8'));
40
+ const workspaceRoot = path.dirname(absolute);
41
+ return {
42
+ root: workspaceRoot,
43
+ relativePath: path.relative(root, workspaceRoot) || '.',
44
+ name: manifest.name,
45
+ version: manifest.version
46
+ };
47
+ }));
48
+ }
49
+ //# sourceMappingURL=discover.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"discover.js","sourceRoot":"","sources":["../../../../src/core/monorepo/discover.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,WAAW,CAAC;AAe3B,KAAK,UAAU,QAAQ,CAAC,IAAY;IAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CACzB,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,CACxC,CAAC;IAElB,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACvC,OAAO,QAAQ,CAAC,UAAU,CAAC;IAC7B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;QACjD,OAAO,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC;IACtC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,qBAAqB,CAAC,EAAE,MAAM,CAAC,CAAC;QAC5E,OAAO,IAAI;aACR,KAAK,CAAC,OAAO,CAAC;aACd,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;aAChE,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAAY;IACnD,MAAM,iBAAiB,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC;gBACN,IAAI;gBACJ,YAAY,EAAE,GAAG;aAClB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,EAAE,CACxB,iBAAiB,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,eAAe,CAAC,EAChF;QACE,GAAG,EAAE,IAAI;QACT,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,CAAC,oBAAoB,EAAE,YAAY,CAAC;KAC7C,CACF,CAAC;IAEF,OAAO,OAAO,CAAC,GAAG,CAChB,SAAS,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,YAAY,EAAE,EAAE;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAG3D,CAAC;QACF,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAE7C,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,IAAI,GAAG;YACvD,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,OAAO,EAAE,QAAQ,CAAC,OAAO;SAC1B,CAAC;IACJ,CAAC,CAAC,CACH,CAAC;AACJ,CAAC"}
@@ -0,0 +1,3 @@
1
+ import { type PackageManifest } from 'pacote';
2
+ export type NpmPackageManifest = PackageManifest;
3
+ export declare function fetchPackageManifest(packageName: string): Promise<NpmPackageManifest>;
@@ -0,0 +1,5 @@
1
+ import pacote from 'pacote';
2
+ export async function fetchPackageManifest(packageName) {
3
+ return pacote.manifest(packageName);
4
+ }
5
+ //# sourceMappingURL=npm-registry.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"npm-registry.js","sourceRoot":"","sources":["../../../src/core/npm-registry.ts"],"names":[],"mappings":"AAAA,OAAO,MAAgC,MAAM,QAAQ,CAAC;AAItD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,WAAmB;IAC5D,OAAO,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtC,CAAC"}
@@ -0,0 +1,11 @@
1
+ import type { ToolipFinding } from './report.js';
2
+ export type PreCommitResult = {
3
+ passed: boolean;
4
+ findings: ToolipFinding[];
5
+ summary: {
6
+ critical: number;
7
+ high: number;
8
+ blocking: number;
9
+ };
10
+ };
11
+ export declare function runPreCommit(root: string): Promise<PreCommitResult>;
@@ -0,0 +1,22 @@
1
+ import { runGitAudit } from './git-audit.js';
2
+ import { runSecurityDoctor } from './security-doctor.js';
3
+ export async function runPreCommit(root) {
4
+ const [doctor, gitAudit] = await Promise.all([
5
+ runSecurityDoctor(root),
6
+ runGitAudit(root)
7
+ ]);
8
+ const findings = [...doctor.findings, ...gitAudit.findings];
9
+ const critical = findings.filter((finding) => finding.severity === 'critical').length;
10
+ const high = findings.filter((finding) => finding.severity === 'high').length;
11
+ const blocking = critical + high;
12
+ return {
13
+ passed: blocking === 0,
14
+ findings,
15
+ summary: {
16
+ critical,
17
+ high,
18
+ blocking
19
+ }
20
+ };
21
+ }
22
+ //# sourceMappingURL=pre-commit.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"pre-commit.js","sourceRoot":"","sources":["../../../src/core/pre-commit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAazD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAY;IAC7C,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC3C,iBAAiB,CAAC,IAAI,CAAC;QACvB,WAAW,CAAC,IAAI,CAAC;KAClB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,CAAC,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC5D,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IACtF,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC9E,MAAM,QAAQ,GAAG,QAAQ,GAAG,IAAI,CAAC;IAEjC,OAAO;QACL,MAAM,EAAE,QAAQ,KAAK,CAAC;QACtB,QAAQ;QACR,OAAO,EAAE;YACP,QAAQ;YACR,IAAI;YACJ,QAAQ;SACT;KACF,CAAC;AACJ,CAAC"}