toolip 1.0.7 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (174) hide show
  1. package/README.md +189 -448
  2. package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
  3. package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
  4. package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
  5. package/dist/src/analyzers/ast/rules.d.ts +48 -0
  6. package/dist/src/analyzers/ast/rules.js +39 -0
  7. package/dist/src/analyzers/ast/rules.js.map +1 -0
  8. package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
  9. package/dist/src/analyzers/ast/source-analysis.js +225 -0
  10. package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
  11. package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
  12. package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
  13. package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
  14. package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
  15. package/dist/src/analyzers/docker/analyzer.js +103 -0
  16. package/dist/src/analyzers/docker/analyzer.js.map +1 -0
  17. package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
  18. package/dist/src/analyzers/git-history/analyzer.js +202 -0
  19. package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
  20. package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
  21. package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
  22. package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
  23. package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
  24. package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
  25. package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
  26. package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
  27. package/dist/src/analyzers/reachability/import-graph.js +110 -0
  28. package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
  29. package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
  30. package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
  31. package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
  32. package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
  33. package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
  34. package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
  35. package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
  36. package/dist/src/analyzers/vulnerability/severity.js +13 -0
  37. package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
  38. package/dist/src/application/analyzer-runner.d.ts +12 -0
  39. package/dist/src/application/analyzer-runner.js +45 -0
  40. package/dist/src/application/analyzer-runner.js.map +1 -0
  41. package/dist/src/commands/announce.d.ts +2 -0
  42. package/dist/src/commands/announce.js +27 -0
  43. package/dist/src/commands/announce.js.map +1 -0
  44. package/dist/src/commands/ast-scan.d.ts +2 -0
  45. package/dist/src/commands/ast-scan.js +86 -0
  46. package/dist/src/commands/ast-scan.js.map +1 -0
  47. package/dist/src/commands/audit-repo.d.ts +2 -0
  48. package/dist/src/commands/audit-repo.js +20 -0
  49. package/dist/src/commands/audit-repo.js.map +1 -0
  50. package/dist/src/commands/config.d.ts +2 -0
  51. package/dist/src/commands/config.js +69 -0
  52. package/dist/src/commands/config.js.map +1 -0
  53. package/dist/src/commands/dependency-confusion.d.ts +2 -0
  54. package/dist/src/commands/dependency-confusion.js +37 -0
  55. package/dist/src/commands/dependency-confusion.js.map +1 -0
  56. package/dist/src/commands/diff.d.ts +2 -0
  57. package/dist/src/commands/diff.js +24 -0
  58. package/dist/src/commands/diff.js.map +1 -0
  59. package/dist/src/commands/docker-scan.d.ts +2 -0
  60. package/dist/src/commands/docker-scan.js +34 -0
  61. package/dist/src/commands/docker-scan.js.map +1 -0
  62. package/dist/src/commands/git-history.d.ts +2 -0
  63. package/dist/src/commands/git-history.js +40 -0
  64. package/dist/src/commands/git-history.js.map +1 -0
  65. package/dist/src/commands/history.d.ts +2 -0
  66. package/dist/src/commands/history.js +69 -0
  67. package/dist/src/commands/history.js.map +1 -0
  68. package/dist/src/commands/install-scripts.d.ts +2 -0
  69. package/dist/src/commands/install-scripts.js +52 -0
  70. package/dist/src/commands/install-scripts.js.map +1 -0
  71. package/dist/src/commands/mcp.d.ts +2 -0
  72. package/dist/src/commands/mcp.js +10 -0
  73. package/dist/src/commands/mcp.js.map +1 -0
  74. package/dist/src/commands/monorepo.d.ts +2 -0
  75. package/dist/src/commands/monorepo.js +21 -0
  76. package/dist/src/commands/monorepo.js.map +1 -0
  77. package/dist/src/commands/package-health.d.ts +2 -0
  78. package/dist/src/commands/package-health.js +50 -0
  79. package/dist/src/commands/package-health.js.map +1 -0
  80. package/dist/src/commands/publish.d.ts +2 -0
  81. package/dist/src/commands/publish.js +25 -0
  82. package/dist/src/commands/publish.js.map +1 -0
  83. package/dist/src/commands/reachability.d.ts +2 -0
  84. package/dist/src/commands/reachability.js +47 -0
  85. package/dist/src/commands/reachability.js.map +1 -0
  86. package/dist/src/commands/sbom.d.ts +2 -0
  87. package/dist/src/commands/sbom.js +33 -0
  88. package/dist/src/commands/sbom.js.map +1 -0
  89. package/dist/src/commands/upgrade-pr.d.ts +2 -0
  90. package/dist/src/commands/upgrade-pr.js +15 -0
  91. package/dist/src/commands/upgrade-pr.js.map +1 -0
  92. package/dist/src/commands/vulnerabilities.d.ts +2 -0
  93. package/dist/src/commands/vulnerabilities.js +42 -0
  94. package/dist/src/commands/vulnerabilities.js.map +1 -0
  95. package/dist/src/commands/watch.d.ts +2 -0
  96. package/dist/src/commands/watch.js +34 -0
  97. package/dist/src/commands/watch.js.map +1 -0
  98. package/dist/src/contracts/analyzer.d.ts +23 -0
  99. package/dist/src/contracts/analyzer.js +2 -0
  100. package/dist/src/contracts/analyzer.js.map +1 -0
  101. package/dist/src/contracts/finding.d.ts +35 -0
  102. package/dist/src/contracts/finding.js +13 -0
  103. package/dist/src/contracts/finding.js.map +1 -0
  104. package/dist/src/contracts/report.d.ts +30 -0
  105. package/dist/src/contracts/report.js +2 -0
  106. package/dist/src/contracts/report.js.map +1 -0
  107. package/dist/src/contracts/rule.d.ts +12 -0
  108. package/dist/src/contracts/rule.js +7 -0
  109. package/dist/src/contracts/rule.js.map +1 -0
  110. package/dist/src/core/announce/generate.d.ts +9 -0
  111. package/dist/src/core/announce/generate.js +19 -0
  112. package/dist/src/core/announce/generate.js.map +1 -0
  113. package/dist/src/core/config/load.d.ts +3 -0
  114. package/dist/src/core/config/load.js +21 -0
  115. package/dist/src/core/config/load.js.map +1 -0
  116. package/dist/src/core/config/policy.d.ts +3 -0
  117. package/dist/src/core/config/policy.js +48 -0
  118. package/dist/src/core/config/policy.js.map +1 -0
  119. package/dist/src/core/config/schema.d.ts +172 -0
  120. package/dist/src/core/config/schema.js +84 -0
  121. package/dist/src/core/config/schema.js.map +1 -0
  122. package/dist/src/core/dependencies/inventory.d.ts +9 -0
  123. package/dist/src/core/dependencies/inventory.js +43 -0
  124. package/dist/src/core/dependencies/inventory.js.map +1 -0
  125. package/dist/src/core/diff/security-diff.d.ts +10 -0
  126. package/dist/src/core/diff/security-diff.js +20 -0
  127. package/dist/src/core/diff/security-diff.js.map +1 -0
  128. package/dist/src/core/github/remote-audit.d.ts +5 -0
  129. package/dist/src/core/github/remote-audit.js +28 -0
  130. package/dist/src/core/github/remote-audit.js.map +1 -0
  131. package/dist/src/core/github/upgrade-pr.d.ts +4 -0
  132. package/dist/src/core/github/upgrade-pr.js +41 -0
  133. package/dist/src/core/github/upgrade-pr.js.map +1 -0
  134. package/dist/src/core/history/git-metadata.d.ts +5 -0
  135. package/dist/src/core/history/git-metadata.js +37 -0
  136. package/dist/src/core/history/git-metadata.js.map +1 -0
  137. package/dist/src/core/history/store.d.ts +5 -0
  138. package/dist/src/core/history/store.js +65 -0
  139. package/dist/src/core/history/store.js.map +1 -0
  140. package/dist/src/core/history/types.d.ts +27 -0
  141. package/dist/src/core/history/types.js +2 -0
  142. package/dist/src/core/history/types.js.map +1 -0
  143. package/dist/src/core/monorepo/discover.d.ts +7 -0
  144. package/dist/src/core/monorepo/discover.js +49 -0
  145. package/dist/src/core/monorepo/discover.js.map +1 -0
  146. package/dist/src/core/publish/html.d.ts +6 -0
  147. package/dist/src/core/publish/html.js +44 -0
  148. package/dist/src/core/publish/html.js.map +1 -0
  149. package/dist/src/core/sbom/generate.d.ts +2 -0
  150. package/dist/src/core/sbom/generate.js +120 -0
  151. package/dist/src/core/sbom/generate.js.map +1 -0
  152. package/dist/src/core/security-doctor.js +19 -5
  153. package/dist/src/core/security-doctor.js.map +1 -1
  154. package/dist/src/core/watch/watch.d.ts +5 -0
  155. package/dist/src/core/watch/watch.js +49 -0
  156. package/dist/src/core/watch/watch.js.map +1 -0
  157. package/dist/src/index.js +38 -0
  158. package/dist/src/index.js.map +1 -1
  159. package/dist/src/mcp/server.d.ts +1 -0
  160. package/dist/src/mcp/server.js +64 -0
  161. package/dist/src/mcp/server.js.map +1 -0
  162. package/dist/src/providers/depsdev/client.d.ts +71 -0
  163. package/dist/src/providers/depsdev/client.js +44 -0
  164. package/dist/src/providers/depsdev/client.js.map +1 -0
  165. package/dist/src/providers/osv/client.d.ts +15 -0
  166. package/dist/src/providers/osv/client.js +51 -0
  167. package/dist/src/providers/osv/client.js.map +1 -0
  168. package/dist/src/providers/osv/types.d.ts +38 -0
  169. package/dist/src/providers/osv/types.js +2 -0
  170. package/dist/src/providers/osv/types.js.map +1 -0
  171. package/dist/src/storage/memory-cache.d.ts +7 -0
  172. package/dist/src/storage/memory-cache.js +25 -0
  173. package/dist/src/storage/memory-cache.js.map +1 -0
  174. package/package.json +5 -3
@@ -0,0 +1,30 @@
1
+ import type { Finding } from './finding.js';
2
+ export declare const TOOLIP_REPORT_SCHEMA_VERSION = "2.0";
3
+ export type ReportSummary = {
4
+ critical: number;
5
+ high: number;
6
+ medium: number;
7
+ low: number;
8
+ info: number;
9
+ total: number;
10
+ };
11
+ export type ToolipReportV2 = {
12
+ schemaVersion: typeof TOOLIP_REPORT_SCHEMA_VERSION;
13
+ generatedAt: string;
14
+ toolipVersion: string;
15
+ project: {
16
+ root: string;
17
+ name?: string;
18
+ packageManager?: string;
19
+ };
20
+ summary: ReportSummary;
21
+ findings: Finding[];
22
+ analyzers: Array<{
23
+ id: string;
24
+ version: string;
25
+ durationMs: number;
26
+ findingCount: number;
27
+ warnings?: string[];
28
+ }>;
29
+ metadata?: Record<string, unknown>;
30
+ };
@@ -0,0 +1,2 @@
1
+ export const TOOLIP_REPORT_SCHEMA_VERSION = '2.0';
2
+ //# sourceMappingURL=report.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"report.js","sourceRoot":"","sources":["../../../src/contracts/report.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,CAAC"}
@@ -0,0 +1,12 @@
1
+ import type { FindingConfidence, FindingSeverity } from './finding.js';
2
+ export type RuleDefinition = {
3
+ id: string;
4
+ title: string;
5
+ category: string;
6
+ defaultSeverity: FindingSeverity;
7
+ defaultConfidence: FindingConfidence;
8
+ description: string;
9
+ remediation: string;
10
+ references?: string[];
11
+ };
12
+ export declare function assertValidRuleId(ruleId: string): void;
@@ -0,0 +1,7 @@
1
+ const RULE_ID_PATTERN = /^TLP-[A-Z]+-\d{3}$/;
2
+ export function assertValidRuleId(ruleId) {
3
+ if (!RULE_ID_PATTERN.test(ruleId)) {
4
+ throw new Error(`Invalid Toolip rule ID "${ruleId}". Expected format: TLP-CATEGORY-001.`);
5
+ }
6
+ }
7
+ //# sourceMappingURL=rule.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"rule.js","sourceRoot":"","sources":["../../../src/contracts/rule.ts"],"names":[],"mappings":"AAgBA,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAE7C,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,uCAAuC,CACzE,CAAC;IACJ,CAAC;AACH,CAAC"}
@@ -0,0 +1,9 @@
1
+ export type AnnouncementInput = {
2
+ version?: string;
3
+ fixed: number;
4
+ added: number;
5
+ removed: number;
6
+ scoreBefore?: number;
7
+ scoreAfter?: number;
8
+ };
9
+ export declare function generateAnnouncement(input: AnnouncementInput): string;
@@ -0,0 +1,19 @@
1
+ export function generateAnnouncement(input) {
2
+ const title = input.version
3
+ ? `Toolip ${input.version} security update`
4
+ : 'Toolip security update';
5
+ const lines = [
6
+ title,
7
+ '',
8
+ `Fixed findings: ${input.fixed}`,
9
+ `New findings: ${input.added}`,
10
+ `Removed findings: ${input.removed}`
11
+ ];
12
+ if (input.scoreBefore !== undefined &&
13
+ input.scoreAfter !== undefined) {
14
+ lines.push(`Security score: ${input.scoreBefore} → ${input.scoreAfter}`);
15
+ }
16
+ lines.push('', 'This summary was generated locally from structured Toolip scan differences.');
17
+ return lines.join('\n');
18
+ }
19
+ //# sourceMappingURL=generate.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"generate.js","sourceRoot":"","sources":["../../../../src/core/announce/generate.ts"],"names":[],"mappings":"AASA,MAAM,UAAU,oBAAoB,CAAC,KAAwB;IAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO;QACzB,CAAC,CAAC,UAAU,KAAK,CAAC,OAAO,kBAAkB;QAC3C,CAAC,CAAC,wBAAwB,CAAC;IAE7B,MAAM,KAAK,GAAG;QACZ,KAAK;QACL,EAAE;QACF,mBAAmB,KAAK,CAAC,KAAK,EAAE;QAChC,iBAAiB,KAAK,CAAC,KAAK,EAAE;QAC9B,qBAAqB,KAAK,CAAC,OAAO,EAAE;KACrC,CAAC;IAEF,IACE,KAAK,CAAC,WAAW,KAAK,SAAS;QAC/B,KAAK,CAAC,UAAU,KAAK,SAAS,EAC9B,CAAC;QACD,KAAK,CAAC,IAAI,CACR,mBAAmB,KAAK,CAAC,WAAW,MAAM,KAAK,CAAC,UAAU,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CACR,EAAE,EACF,6EAA6E,CAC9E,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
@@ -0,0 +1,3 @@
1
+ import { type ToolipConfig } from './schema.js';
2
+ export declare const TOOLIP_CONFIG_FILE = "toolip.config.json";
3
+ export declare function loadToolipConfig(root: string): Promise<ToolipConfig>;
@@ -0,0 +1,21 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ import { toolipConfigSchema } from './schema.js';
4
+ export const TOOLIP_CONFIG_FILE = 'toolip.config.json';
5
+ export async function loadToolipConfig(root) {
6
+ const filePath = path.join(root, TOOLIP_CONFIG_FILE);
7
+ try {
8
+ const raw = await readFile(filePath, 'utf8');
9
+ const parsed = JSON.parse(raw);
10
+ return toolipConfigSchema.parse(parsed);
11
+ }
12
+ catch (error) {
13
+ if (error instanceof Error &&
14
+ 'code' in error &&
15
+ error.code === 'ENOENT') {
16
+ return toolipConfigSchema.parse({});
17
+ }
18
+ throw error;
19
+ }
20
+ }
21
+ //# sourceMappingURL=load.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"load.js","sourceRoot":"","sources":["../../../../src/core/config/load.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,kBAAkB,EAEnB,MAAM,aAAa,CAAC;AAErB,MAAM,CAAC,MAAM,kBAAkB,GAC7B,oBAAoB,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY;IAEZ,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,IAAI,EACJ,kBAAkB,CACnB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAE1C,OAAO,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;YACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { Finding } from '../../contracts/finding.js';
2
+ import type { ToolipConfig } from './schema.js';
3
+ export declare function applyFindingPolicy(findings: Finding[], config: ToolipConfig): Finding[];
@@ -0,0 +1,48 @@
1
+ function wildcardMatch(value, pattern) {
2
+ const escaped = pattern
3
+ .replaceAll(/[.+^${}()|[\]\\]/g, '\\$&')
4
+ .replaceAll('**', '___DOUBLE_STAR___')
5
+ .replaceAll('*', '[^/]*')
6
+ .replaceAll('___DOUBLE_STAR___', '.*');
7
+ return new RegExp(`^${escaped}$`).test(value);
8
+ }
9
+ function suppressionActive(expiresAt) {
10
+ return (expiresAt === undefined ||
11
+ new Date(expiresAt).getTime() > Date.now());
12
+ }
13
+ export function applyFindingPolicy(findings, config) {
14
+ const output = [];
15
+ for (const finding of findings) {
16
+ const rule = config.rules[finding.ruleId];
17
+ const file = finding.location?.file ?? '';
18
+ if (rule?.enabled === false) {
19
+ continue;
20
+ }
21
+ let severity = rule?.severity ?? finding.severity;
22
+ for (const pathRule of rule?.paths ?? []) {
23
+ if (file &&
24
+ wildcardMatch(file, pathRule.pattern)) {
25
+ if (pathRule.enabled === false) {
26
+ severity = finding.severity;
27
+ break;
28
+ }
29
+ severity =
30
+ pathRule.severity ?? severity;
31
+ }
32
+ }
33
+ const suppressed = config.suppressions.some((suppression) => suppression.ruleId === finding.ruleId &&
34
+ suppressionActive(suppression.expiresAt) &&
35
+ (suppression.path === undefined ||
36
+ (file &&
37
+ wildcardMatch(file, suppression.path))));
38
+ if (suppressed) {
39
+ continue;
40
+ }
41
+ output.push({
42
+ ...finding,
43
+ severity
44
+ });
45
+ }
46
+ return output;
47
+ }
48
+ //# sourceMappingURL=policy.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../../src/core/config/policy.ts"],"names":[],"mappings":"AAGA,SAAS,aAAa,CACpB,KAAa,EACb,OAAe;IAEf,MAAM,OAAO,GAAG,OAAO;SACpB,UAAU,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACvC,UAAU,CAAC,IAAI,EAAE,mBAAmB,CAAC;SACrC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC;SACxB,UAAU,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;IAEzC,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,iBAAiB,CACxB,SAAkB;IAElB,OAAO,CACL,SAAS,KAAK,SAAS;QACvB,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAC3C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,QAAmB,EACnB,MAAoB;IAEpB,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC;QAE1C,IAAI,IAAI,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YAC5B,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,GACV,IAAI,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;QAErC,KAAK,MAAM,QAAQ,IAAI,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC;YACzC,IACE,IAAI;gBACJ,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,EACrC,CAAC;gBACD,IAAI,QAAQ,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;oBAC/B,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;oBAC5B,MAAM;gBACR,CAAC;gBAED,QAAQ;oBACN,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC;YAClC,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,CACzC,CAAC,WAAW,EAAE,EAAE,CACd,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM;YACrC,iBAAiB,CACf,WAAW,CAAC,SAAS,CACtB;YACD,CACE,WAAW,CAAC,IAAI,KAAK,SAAS;gBAC9B,CACE,IAAI;oBACJ,aAAa,CACX,IAAI,EACJ,WAAW,CAAC,IAAI,CACjB,CACF,CACF,CACJ,CAAC;QAEF,IAAI,UAAU,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,GAAG,OAAO;YACV,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
@@ -0,0 +1,172 @@
1
+ import { z } from 'zod';
2
+ export declare const toolipConfigSchema: z.ZodObject<{
3
+ schemaVersion: z.ZodDefault<z.ZodLiteral<"1.0">>;
4
+ include: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
5
+ exclude: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
6
+ rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
7
+ enabled: z.ZodOptional<z.ZodBoolean>;
8
+ severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
9
+ paths: z.ZodOptional<z.ZodArray<z.ZodObject<{
10
+ pattern: z.ZodString;
11
+ severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
12
+ enabled: z.ZodOptional<z.ZodBoolean>;
13
+ }, "strip", z.ZodTypeAny, {
14
+ pattern: string;
15
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
16
+ enabled?: boolean | undefined;
17
+ }, {
18
+ pattern: string;
19
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
20
+ enabled?: boolean | undefined;
21
+ }>, "many">>;
22
+ }, "strip", z.ZodTypeAny, {
23
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
24
+ enabled?: boolean | undefined;
25
+ paths?: {
26
+ pattern: string;
27
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
28
+ enabled?: boolean | undefined;
29
+ }[] | undefined;
30
+ }, {
31
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
32
+ enabled?: boolean | undefined;
33
+ paths?: {
34
+ pattern: string;
35
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
36
+ enabled?: boolean | undefined;
37
+ }[] | undefined;
38
+ }>>>;
39
+ suppressions: z.ZodDefault<z.ZodArray<z.ZodObject<{
40
+ ruleId: z.ZodString;
41
+ path: z.ZodOptional<z.ZodString>;
42
+ reason: z.ZodString;
43
+ expiresAt: z.ZodOptional<z.ZodString>;
44
+ }, "strip", z.ZodTypeAny, {
45
+ ruleId: string;
46
+ reason: string;
47
+ expiresAt?: string | undefined;
48
+ path?: string | undefined;
49
+ }, {
50
+ ruleId: string;
51
+ reason: string;
52
+ expiresAt?: string | undefined;
53
+ path?: string | undefined;
54
+ }>, "many">>;
55
+ history: z.ZodDefault<z.ZodObject<{
56
+ enabled: z.ZodDefault<z.ZodBoolean>;
57
+ maxEntries: z.ZodDefault<z.ZodNumber>;
58
+ }, "strip", z.ZodTypeAny, {
59
+ enabled: boolean;
60
+ maxEntries: number;
61
+ }, {
62
+ enabled?: boolean | undefined;
63
+ maxEntries?: number | undefined;
64
+ }>>;
65
+ providers: z.ZodDefault<z.ZodObject<{
66
+ osv: z.ZodDefault<z.ZodObject<{
67
+ enabled: z.ZodDefault<z.ZodBoolean>;
68
+ timeoutMs: z.ZodDefault<z.ZodNumber>;
69
+ }, "strip", z.ZodTypeAny, {
70
+ timeoutMs: number;
71
+ enabled: boolean;
72
+ }, {
73
+ timeoutMs?: number | undefined;
74
+ enabled?: boolean | undefined;
75
+ }>>;
76
+ depsDev: z.ZodDefault<z.ZodObject<{
77
+ enabled: z.ZodDefault<z.ZodBoolean>;
78
+ timeoutMs: z.ZodDefault<z.ZodNumber>;
79
+ }, "strip", z.ZodTypeAny, {
80
+ timeoutMs: number;
81
+ enabled: boolean;
82
+ }, {
83
+ timeoutMs?: number | undefined;
84
+ enabled?: boolean | undefined;
85
+ }>>;
86
+ }, "strip", z.ZodTypeAny, {
87
+ osv: {
88
+ timeoutMs: number;
89
+ enabled: boolean;
90
+ };
91
+ depsDev: {
92
+ timeoutMs: number;
93
+ enabled: boolean;
94
+ };
95
+ }, {
96
+ osv?: {
97
+ timeoutMs?: number | undefined;
98
+ enabled?: boolean | undefined;
99
+ } | undefined;
100
+ depsDev?: {
101
+ timeoutMs?: number | undefined;
102
+ enabled?: boolean | undefined;
103
+ } | undefined;
104
+ }>>;
105
+ }, "strip", z.ZodTypeAny, {
106
+ schemaVersion: "1.0";
107
+ history: {
108
+ enabled: boolean;
109
+ maxEntries: number;
110
+ };
111
+ include: string[];
112
+ exclude: string[];
113
+ rules: Record<string, {
114
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
115
+ enabled?: boolean | undefined;
116
+ paths?: {
117
+ pattern: string;
118
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
119
+ enabled?: boolean | undefined;
120
+ }[] | undefined;
121
+ }>;
122
+ suppressions: {
123
+ ruleId: string;
124
+ reason: string;
125
+ expiresAt?: string | undefined;
126
+ path?: string | undefined;
127
+ }[];
128
+ providers: {
129
+ osv: {
130
+ timeoutMs: number;
131
+ enabled: boolean;
132
+ };
133
+ depsDev: {
134
+ timeoutMs: number;
135
+ enabled: boolean;
136
+ };
137
+ };
138
+ }, {
139
+ schemaVersion?: "1.0" | undefined;
140
+ history?: {
141
+ enabled?: boolean | undefined;
142
+ maxEntries?: number | undefined;
143
+ } | undefined;
144
+ include?: string[] | undefined;
145
+ exclude?: string[] | undefined;
146
+ rules?: Record<string, {
147
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
148
+ enabled?: boolean | undefined;
149
+ paths?: {
150
+ pattern: string;
151
+ severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
152
+ enabled?: boolean | undefined;
153
+ }[] | undefined;
154
+ }> | undefined;
155
+ suppressions?: {
156
+ ruleId: string;
157
+ reason: string;
158
+ expiresAt?: string | undefined;
159
+ path?: string | undefined;
160
+ }[] | undefined;
161
+ providers?: {
162
+ osv?: {
163
+ timeoutMs?: number | undefined;
164
+ enabled?: boolean | undefined;
165
+ } | undefined;
166
+ depsDev?: {
167
+ timeoutMs?: number | undefined;
168
+ enabled?: boolean | undefined;
169
+ } | undefined;
170
+ } | undefined;
171
+ }>;
172
+ export type ToolipConfig = z.infer<typeof toolipConfigSchema>;
@@ -0,0 +1,84 @@
1
+ import { z } from 'zod';
2
+ export const toolipConfigSchema = z.object({
3
+ schemaVersion: z.literal('1.0').default('1.0'),
4
+ include: z.array(z.string()).default([]),
5
+ exclude: z.array(z.string()).default([]),
6
+ rules: z
7
+ .record(z.object({
8
+ enabled: z.boolean().optional(),
9
+ severity: z
10
+ .enum([
11
+ 'critical',
12
+ 'high',
13
+ 'medium',
14
+ 'low',
15
+ 'info'
16
+ ])
17
+ .optional(),
18
+ paths: z
19
+ .array(z.object({
20
+ pattern: z.string(),
21
+ severity: z
22
+ .enum([
23
+ 'critical',
24
+ 'high',
25
+ 'medium',
26
+ 'low',
27
+ 'info'
28
+ ])
29
+ .optional(),
30
+ enabled: z.boolean().optional()
31
+ }))
32
+ .optional()
33
+ }))
34
+ .default({}),
35
+ suppressions: z
36
+ .array(z.object({
37
+ ruleId: z.string(),
38
+ path: z.string().optional(),
39
+ reason: z.string().min(3),
40
+ expiresAt: z.string().datetime().optional()
41
+ }))
42
+ .default([]),
43
+ history: z
44
+ .object({
45
+ enabled: z.boolean().default(true),
46
+ maxEntries: z.number().int().positive().max(5000).default(500)
47
+ })
48
+ .default({
49
+ enabled: true,
50
+ maxEntries: 500
51
+ }),
52
+ providers: z
53
+ .object({
54
+ osv: z
55
+ .object({
56
+ enabled: z.boolean().default(true),
57
+ timeoutMs: z.number().int().positive().default(20000)
58
+ })
59
+ .default({
60
+ enabled: true,
61
+ timeoutMs: 20000
62
+ }),
63
+ depsDev: z
64
+ .object({
65
+ enabled: z.boolean().default(true),
66
+ timeoutMs: z.number().int().positive().default(20000)
67
+ })
68
+ .default({
69
+ enabled: true,
70
+ timeoutMs: 20000
71
+ })
72
+ })
73
+ .default({
74
+ osv: {
75
+ enabled: true,
76
+ timeoutMs: 20000
77
+ },
78
+ depsDev: {
79
+ enabled: true,
80
+ timeoutMs: 20000
81
+ }
82
+ })
83
+ });
84
+ //# sourceMappingURL=schema.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/core/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC9C,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,KAAK,EAAE,CAAC;SACL,MAAM,CACL,CAAC,CAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC;aACR,IAAI,CAAC;YACJ,UAAU;YACV,MAAM;YACN,QAAQ;YACR,KAAK;YACL,MAAM;SACP,CAAC;aACD,QAAQ,EAAE;QACb,KAAK,EAAE,CAAC;aACL,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,QAAQ,EAAE,CAAC;iBACR,IAAI,CAAC;gBACJ,UAAU;gBACV,MAAM;gBACN,QAAQ;gBACR,KAAK;gBACL,MAAM;aACP,CAAC;iBACD,QAAQ,EAAE;YACb,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;SAChC,CAAC,CACH;aACA,QAAQ,EAAE;KACd,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,YAAY,EAAE,CAAC;SACZ,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KAC5C,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KAC/D,CAAC;SACD,OAAO,CAAC;QACP,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,GAAG;KAChB,CAAC;IACJ,SAAS,EAAE,CAAC;SACT,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;QACJ,OAAO,EAAE,CAAC;aACP,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;KACL,CAAC;SACD,OAAO,CAAC;QACP,GAAG,EAAE;YACH,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;QACD,OAAO,EAAE;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;KACF,CAAC;CACL,CAAC,CAAC"}
@@ -0,0 +1,9 @@
1
+ export type DependencyIdentity = {
2
+ ecosystem: 'npm';
3
+ name: string;
4
+ version: string;
5
+ direct: boolean;
6
+ development: boolean;
7
+ source: 'package-lock';
8
+ };
9
+ export declare function readNpmDependencyInventory(root: string): Promise<DependencyIdentity[]>;
@@ -0,0 +1,43 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ function packageNameFromLockPath(lockPath) {
4
+ const marker = 'node_modules/';
5
+ const markerIndex = lockPath.lastIndexOf(marker);
6
+ if (markerIndex === -1)
7
+ return undefined;
8
+ return lockPath.slice(markerIndex + marker.length);
9
+ }
10
+ function isDirectPackagePath(lockPath) {
11
+ if (!lockPath.startsWith('node_modules/'))
12
+ return false;
13
+ const remainder = lockPath.slice('node_modules/'.length);
14
+ if (remainder.startsWith('@'))
15
+ return remainder.split('/').length === 2;
16
+ return !remainder.includes('/');
17
+ }
18
+ export async function readNpmDependencyInventory(root) {
19
+ const raw = await readFile(path.join(root, 'package-lock.json'), 'utf8');
20
+ const lockfile = JSON.parse(raw);
21
+ if (!lockfile.packages) {
22
+ throw new Error('Toolip requires package-lock.json lockfileVersion 2 or newer.');
23
+ }
24
+ const dependencies = new Map();
25
+ for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
26
+ if (lockPath === '' || !entry.version)
27
+ continue;
28
+ const name = entry.name ?? packageNameFromLockPath(lockPath);
29
+ if (!name)
30
+ continue;
31
+ const identity = {
32
+ ecosystem: 'npm',
33
+ name,
34
+ version: entry.version,
35
+ direct: isDirectPackagePath(lockPath),
36
+ development: Boolean(entry.dev),
37
+ source: 'package-lock'
38
+ };
39
+ dependencies.set(`npm:${identity.name}@${identity.version}`, identity);
40
+ }
41
+ return [...dependencies.values()].sort((a, b) => `${a.name}@${a.version}`.localeCompare(`${b.name}@${b.version}`));
42
+ }
43
+ //# sourceMappingURL=inventory.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"inventory.js","sourceRoot":"","sources":["../../../../src/core/dependencies/inventory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAmB7B,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAG,eAAe,CAAC;IAC/B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACjD,IAAI,WAAW,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACzC,OAAO,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACzD,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IACxE,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,IAAY;IAC3D,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,mBAAmB,CAAC,EAAE,MAAM,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAElD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8B,CAAC;IAE3D,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClE,IAAI,QAAQ,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,SAAS;QAChD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,QAAQ,GAAuB;YACnC,SAAS,EAAE,KAAK;YAChB,IAAI;YACJ,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,MAAM,EAAE,mBAAmB,CAAC,QAAQ,CAAC;YACrC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC;YAC/B,MAAM,EAAE,cAAc;SACvB,CAAC;QAEF,YAAY,CAAC,GAAG,CAAC,OAAO,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAC9C,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CACjE,CAAC;AACJ,CAAC"}
@@ -0,0 +1,10 @@
1
+ export type SecurityDiffResult = {
2
+ base: string;
3
+ head: string;
4
+ files: string[];
5
+ packageManifestChanged: boolean;
6
+ lockfileChanged: boolean;
7
+ dockerfilesChanged: string[];
8
+ sourceFilesChanged: string[];
9
+ };
10
+ export declare function securityDiff(root: string, base: string, head: string): Promise<SecurityDiffResult>;
@@ -0,0 +1,20 @@
1
+ import { execFile } from 'node:child_process';
2
+ import { promisify } from 'node:util';
3
+ const execFileAsync = promisify(execFile);
4
+ export async function securityDiff(root, base, head) {
5
+ const { stdout } = await execFileAsync('git', ['diff', '--name-only', `${base}..${head}`], {
6
+ cwd: root,
7
+ encoding: 'utf8'
8
+ });
9
+ const files = stdout.split(/\r?\n/).filter(Boolean);
10
+ return {
11
+ base,
12
+ head,
13
+ files,
14
+ packageManifestChanged: files.some((file) => /(^|\/)package\.json$/.test(file)),
15
+ lockfileChanged: files.some((file) => /(^|\/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$/.test(file)),
16
+ dockerfilesChanged: files.filter((file) => /(^|\/)Dockerfile(?:\..+)?$/.test(file)),
17
+ sourceFilesChanged: files.filter((file) => /\.(js|jsx|ts|tsx|mjs|cjs)$/.test(file))
18
+ };
19
+ }
20
+ //# sourceMappingURL=security-diff.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"security-diff.js","sourceRoot":"","sources":["../../../../src/core/diff/security-diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAY1C,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY,EACZ,IAAY,EACZ,IAAY;IAEZ,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,KAAK,EACL,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,KAAK,IAAI,EAAE,CAAC,EAC3C;QACE,GAAG,EAAE,IAAI;QACT,QAAQ,EAAE,MAAM;KACjB,CACF,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEpD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,KAAK;QACL,sBAAsB,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,wDAAwD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1G,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnF,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACpF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,5 @@
1
+ import { runSecurityDoctor } from '../security-doctor.js';
2
+ export declare function auditRemoteRepository(url: string): Promise<{
3
+ repository: string;
4
+ report: Awaited<ReturnType<typeof runSecurityDoctor>>;
5
+ }>;
@@ -0,0 +1,28 @@
1
+ import { mkdtemp, rm } from 'node:fs/promises';
2
+ import { execFile } from 'node:child_process';
3
+ import { promisify } from 'node:util';
4
+ import os from 'node:os';
5
+ import path from 'node:path';
6
+ import { runSecurityDoctor } from '../security-doctor.js';
7
+ const execFileAsync = promisify(execFile);
8
+ export async function auditRemoteRepository(url) {
9
+ if (!/^https:\/\/github\.com\/[^/]+\/[^/]+(?:\.git)?$/.test(url)) {
10
+ throw new Error('Only public GitHub repository URLs are supported.');
11
+ }
12
+ const temporaryRoot = await mkdtemp(path.join(os.tmpdir(), 'toolip-remote-audit-'));
13
+ const target = path.join(temporaryRoot, 'repository');
14
+ try {
15
+ await execFileAsync('gh', ['repo', 'clone', url, target, '--', '--depth=1'], {
16
+ encoding: 'utf8'
17
+ });
18
+ const report = await runSecurityDoctor(target);
19
+ return {
20
+ repository: url,
21
+ report
22
+ };
23
+ }
24
+ finally {
25
+ await rm(temporaryRoot, { recursive: true, force: true });
26
+ }
27
+ }
28
+ //# sourceMappingURL=remote-audit.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"remote-audit.js","sourceRoot":"","sources":["../../../../src/core/github/remote-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAW;IAIrD,IAAI,CAAC,iDAAiD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;IACpF,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAEtD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE;YAC3E,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAE/C,OAAO;YACL,UAAU,EAAE,GAAG;YACf,MAAM;SACP,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC"}
@@ -0,0 +1,4 @@
1
+ export declare function createUpgradePullRequest(root: string, packageName: string, targetVersion: string, dryRun: boolean): Promise<{
2
+ branch: string;
3
+ changed: boolean;
4
+ }>;
@@ -0,0 +1,41 @@
1
+ import { readFile, writeFile } from 'node:fs/promises';
2
+ import { execFile } from 'node:child_process';
3
+ import { promisify } from 'node:util';
4
+ import path from 'node:path';
5
+ const execFileAsync = promisify(execFile);
6
+ export async function createUpgradePullRequest(root, packageName, targetVersion, dryRun) {
7
+ const manifestPath = path.join(root, 'package.json');
8
+ const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
9
+ const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
10
+ let changed = false;
11
+ for (const section of sections) {
12
+ if (manifest[section]?.[packageName]) {
13
+ manifest[section][packageName] = targetVersion;
14
+ changed = true;
15
+ }
16
+ }
17
+ if (!changed) {
18
+ throw new Error(`${packageName} is not declared in package.json.`);
19
+ }
20
+ const branch = `toolip/upgrade-${packageName.replaceAll(/[^A-Za-z0-9]/g, '-')}-${targetVersion}`;
21
+ if (dryRun) {
22
+ return { branch, changed: true };
23
+ }
24
+ await execFileAsync('git', ['switch', '-c', branch], { cwd: root });
25
+ await writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`);
26
+ await execFileAsync('npm', ['install', '--package-lock-only'], { cwd: root });
27
+ await execFileAsync('npm', ['test'], { cwd: root });
28
+ await execFileAsync('git', ['add', 'package.json', 'package-lock.json'], { cwd: root });
29
+ await execFileAsync('git', ['commit', '-m', `chore: upgrade ${packageName} to ${targetVersion}`], { cwd: root });
30
+ await execFileAsync('git', ['push', '-u', 'origin', branch], { cwd: root });
31
+ await execFileAsync('gh', [
32
+ 'pr',
33
+ 'create',
34
+ '--title',
35
+ `chore: upgrade ${packageName} to ${targetVersion}`,
36
+ '--body',
37
+ `Toolip generated this dependency upgrade after updating the lockfile and running the project test suite.`
38
+ ], { cwd: root });
39
+ return { branch, changed: true };
40
+ }
41
+ //# sourceMappingURL=upgrade-pr.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"upgrade-pr.js","sourceRoot":"","sources":["../../../../src/core/github/upgrade-pr.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAY,EACZ,WAAmB,EACnB,aAAqB,EACrB,MAAe;IAEf,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAwB,CAAC;IACzF,MAAM,QAAQ,GAAG,CAAC,cAAc,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,kBAAkB,CAAC,CAAC;IACjG,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;YACrC,QAAQ,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,GAAG,aAAa,CAAC;YAC/C,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,WAAW,mCAAmC,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,WAAW,CAAC,UAAU,CAAC,eAAe,EAAE,GAAG,CAAC,IAAI,aAAa,EAAE,CAAC;IAEjG,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,MAAM,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,qBAAqB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9E,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACxF,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,kBAAkB,WAAW,OAAO,aAAa,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACjH,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5E,MAAM,aAAa,CACjB,IAAI,EACJ;QACE,IAAI;QACJ,QAAQ;QACR,SAAS;QACT,kBAAkB,WAAW,OAAO,aAAa,EAAE;QACnD,QAAQ;QACR,0GAA0G;KAC3G,EACD,EAAE,GAAG,EAAE,IAAI,EAAE,CACd,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACnC,CAAC"}