transskill 0.2.0 → 0.2.2

package/README.md

@@ -83,34 +83,6 @@ transskill convert .cursorrules --to skill.md --dry-run
 | MCP JSON | Any MCP-compatible client | ✅ | — |
 | SOUL.md | OpenClaw | ✅ | — |
 
-## Commands
-
-```bash
-# Convert a skill to another format
-transskill convert <input> --to <format> [options]
-
-# List all supported formats
-transskill list-formats
-
-# Validate a skill file or directory
-transskill validate <input>
-
-# See all options
-transskill --help
-```
-
-### Options for `convert`
-
-| Flag | Description |
-|------|-------------|
-| `-t, --to <format>` | Target format (required) |
-| `-o, --output <path>` | Output directory (default: current dir) |
-| `--install-to <path>` | Install directly to agent config dir |
-| `--glob <pattern>` | File glob pattern (for .mdc output) |
-| `--always-apply` | Always apply rule (for .mdc output) |
-| `--dry-run` | Preview without writing files |
-| `-v, --verbose` | Detailed conversion report |
-
 ## How It Works
 
 ```
@@ -164,19 +136,177 @@ $ transskill convert ./weather-skill/ --to .cursorrules
    ⚠️  SKILL.md scripts reference will not work in .cursorrules
 ```
 
+## Commands
+
+```bash
+# Convert a skill to another format
+transskill convert <input> --to <format> [options]
+
+# List all supported formats
+transskill list-formats
+
+# Validate a skill file or directory
+transskill validate <input>
+
+# Security audit a skill file or directory
+transskill audit <input> [options]
+
+# See all options
+transskill --help
+```
+
+### Options for `convert`
+
+| Flag | Description |
+|------|-------------|
+| `-t, --to <format>` | Target format (required) |
+| `-o, --output <path>` | Output directory (default: current dir) |
+| `--install-to <path>` | Install directly to agent config dir |
+| `--glob <pattern>` | File glob pattern (for .mdc output) |
+| `--always-apply` | Always apply rule (for .mdc output) |
+| `--dry-run` | Preview without writing files |
+| `-v, --verbose` | Detailed conversion report |
+
+### Options for `audit`
+
+| Flag | Description |
+|------|-------------|
+| `--format <type>` | Output format: `console` or `json` (default: console) |
+| `--quiet` | Only show summary score |
+| `--min-severity <level>` | Minimum severity: `info`, `low`, `medium`, `high`, `critical` (default: info) |
+| `--auditor <id>` | Run only specific auditor (can be repeated) |
+| `-v, --verbose` | Show detailed findings |
+
+---
+
+## Security Audit
+
+TransSkill includes a built-in security scanner that analyzes skill files for potential security risks before you install or use them.
+
+```bash
+# Quick scan a skill file
+transskill audit my-skill.skill.md
+
+# JSON output for programmatic use
+transskill audit ./skill-dir/ --format json
+
+# Quiet mode — just the score
+transskill audit my-skill.skill.md --quiet
+
+# Only show high and critical issues
+transskill audit .cursorrules --min-severity high
+
+# Run a specific auditor only
+transskill audit mcp.json --auditor permission-scanner
+```
+
+### Audit Levels
+
+The scanner checks three layers of security concerns:
+
+| Level | Scanner | What It Checks |
+|-------|---------|----------------|
+| **L1 — Instructions** | `instruction-scanner` | Dangerous shell commands (`rm -rf`, `sudo`, `curl|sh`), prompt injection patterns, base64/hex obfuscation, suspicious URLs, remote code execution |
+| **L2 — Permissions** | `permission-scanner` | Overly broad `.mdc` globs, `alwaysApply` without scope, dangerous MCP tool names (shell/exec), filesystem access, network access, Claude `disableModelInvocation` settings |
+| **L3 — MCP** | `permission-scanner` | MCP server commands (`rm`, `sudo`, `kill`), MCP tool capabilities that could be abused |
+
+> Note: L3 checks are handled by the same PermissionScanner that handles L2. They are reported together in a single scan pass.
+
+### Scoring System
+
+The audit engine computes a numeric score (0–100) with an A–F letter grade:
+
+| Level | Score Range | Meaning |
+|-------|-------------|---------|
+| **A** | 90–100 | Excellent — minimal or no issues |
+| **B** | 70–89 | Good — minor low-severity findings |
+| **C** | 50–69 | Fair — moderate issues, review recommended |
+| **D** | 30–49 | Poor — significant issues, use with caution |
+| **F** | 0–29 | Critical — unsafe, do not use without remediation |
+
+Each finding carries a severity weight that reduces the score:
+
+| Severity | Weight |
+|----------|--------|
+| 🔴 Critical | −25 pts |
+| 🟠 High | −10 pts |
+| 🟡 Medium | −4 pts |
+| 🟢 Low | −1 pt |
+| ℹ️ Info | 0 pts |
+
+### Output Formats
+
+**Console** (default): Human-readable report with colored severity labels, line numbers, and context snippets.
+
+```
+$ transskill audit my-skill.skill.md
+
+╔══════════════════════════════════════════════╗
+║  TransSkill Security Audit                  ║
+║  Target: my-skill.skill.md                  ║
+╚══════════════════════════════════════════════╝
+
+Audit Level: L1 + L2 + L3
+
+Findings (3):
+
+🔴 Critical  | L2-003b  | MCP server 使用危险命令: rm
+              → ./my-skill.skill.md
+
+🟠 High      | L1-001   | Detected dangerous command: rm -rf /
+              → ./my-skill.skill.md:24
+              →     run: rm -rf /tmp/cache
+
+🟡 Medium    | L2-001b  | alwaysApply 规则 globs 范围过宽
+              → ./my-skill.skill.md
+
+Score: 65/100 — Level C
+3 findings (1 critical, 1 high, 1 medium)
+```
+
+**JSON**: Machine-readable for CI/CD pipelines and programmatic consumption.
+
+```bash
+transskill audit ./skills/ --format json
+```
+
+**Quiet**: One-line summary, ideal for quick checks.
+
+```bash
+transskill audit .cursorrules --quiet
+# 📊 C (65/100) — 3 findings (1🔴 1🟠 1🟡)
+```
+
+### CI/CD Integration
+
+Use the JSON flag to integrate audit results into your CI pipeline:
+
+```bash
+#!/bin/bash
+# Fail build if score drops below B (70)
+RESULT=$(transskill audit ./skills/ --format json)
+SCORE=$(echo $RESULT | jq '.score.total')
+if [ "$SCORE" -lt 70 ]; then
+  echo "❌ Security score $SCORE is below threshold (70)"
+  exit 1
+fi
+echo "✅ Security score $SCORE — passing"
+```
+
 ## Project Status
 
-**Active development.** See [tasks.md](specs/tasks.md) for current progress.
+**v0.2.1 — Active development.** See [tasks.md](specs/tasks.md) for current progress.
 
 | Phase | Status |
 |-------|--------|
 | Phase 0: Project scaffold | ✅ Complete |
 | Phase 1: InputResolver + types | ✅ Complete |
 | Phase 2: Parser layer | ✅ Complete |
-| Phase 3: Mapper + Renderer | ⬜ Pending |
-| Phase 4: CLI pipeline | ⬜ Pending |
-| Phase 5: Tests | ⬜ Pending |
+| Phase 3: Mapper + Renderer | ✅ Complete |
+| Phase 4: CLI pipeline | ✅ Complete |
+| Phase 5: Tests | ⬜ In Progress |
 | Phase 6: CI + publish | ⬜ Pending |
+| Phase A: Security audit | ✅ Complete |
 
 ## Contributing
 

package/README.zh.md

@@ -98,6 +98,9 @@ transskill list-formats
 # 验证技能文件或目录格式
 transskill validate <input>
 
+# 安全审计技能文件或目录
+transskill audit <input> [options]
+
 # 查看所有选项
 transskill --help
 ```
@@ -114,6 +117,16 @@ transskill --help
 | `--dry-run` | 预览模式，不写入文件 |
 | `-v, --verbose` | 显示详细转换报告 |
 
+### audit 选项
+
+| 参数 | 说明 |
+|------|------|
+| `--format <type>` | 输出格式：`console` 或 `json`（默认 console） |
+| `--quiet` | 仅显示评分摘要 |
+| `--min-severity <level>` | 最低报告级别：`info`, `low`, `medium`, `high`, `critical`（默认 info） |
+| `--auditor <id>` | 仅运行指定的审计器（可重复使用） |
+| `-v, --verbose` | 显示详细发现 |
+
 ## 工作原理
 
 ```
@@ -167,19 +180,136 @@ $ transskill convert ./weather-skill/ --to .cursorrules
    ⚠️  SKILL.md 中的脚本引用在 .cursorrules 中无法使用
 ```
 
+---
+
+## 安全审计
+
+TransSkill 内置安全扫描器，可以在安装或使用技能文件之前分析其中的潜在安全风险。
+
+```bash
+# 快速扫描技能文件
+transskill audit my-skill.skill.md
+
+# JSON 格式输出，适合程序化处理
+transskill audit ./skill-dir/ --format json
+
+# 安静模式——仅显示评分
+transskill audit my-skill.skill.md --quiet
+
+# 仅显示高危及以上问题
+transskill audit .cursorrules --min-severity high
+
+# 仅运行指定审计器
+transskill audit mcp.json --auditor permission-scanner
+```
+
+### 审计级别
+
+扫描器检查三个安全层级：
+
+| 级别 | 扫描器 | 检查内容 |
+|------|--------|----------|
+| **L1 — 指令扫描** | `instruction-scanner` | 危险 shell 命令（`rm -rf`、`sudo`、`curl|sh`）、提示注入模式、base64/hex 混淆、可疑 URL、远程代码执行 |
+| **L2 — 权限扫描** | `permission-scanner` | `.mdc` glob 范围过宽、`alwaysApply` 无范围限制、危险 MCP 工具名（shell/exec）、文件系统访问、网络访问、Claude `disableModelInvocation` 设置 |
+| **L3 — MCP 扫描** | `permission-scanner` | MCP 服务器命令（`rm`、`sudo`、`kill`）、可能被滥用的 MCP 工具能力 |
+
+> 注：L3 检查由同一個 PermissionScanner 处理，与 L2 在一次扫描中一并报告。
+
+### 评分体系
+
+审计引擎计算 0–100 的数值评分，对应 A–F 等级：
+
+| 等级 | 分数范围 | 含义 |
+|------|----------|------|
+| **A** | 90–100 | 优秀——几乎没有安全问题 |
+| **B** | 70–89 | 良好——存在少量低风险问题 |
+| **C** | 50–69 | 一般——存在中等风险，建议审查 |
+| **D** | 30–49 | 较差——存在显著风险，谨慎使用 |
+| **F** | 0–29 | 危险——存在严重风险，请勿直接使用 |
+
+每条发现按严重程度扣分：
+
+| 严重程度 | 扣分 |
+|----------|------|
+| 🔴 严重（Critical） | −25 分 |
+| 🟠 高危（High） | −10 分 |
+| 🟡 中危（Medium） | −4 分 |
+| 🟢 低危（Low） | −1 分 |
+| ℹ️ 信息（Info） | 0 分 |
+
+### 输出格式
+
+**控制台**（默认）：带颜色标签、行号和上下文片段的可读报告。
+
+```
+$ transskill audit my-skill.skill.md
+
+╔══════════════════════════════════════════════╗
+║  TransSkill Security Audit                  ║
+║  目标文件: my-skill.skill.md                 ║
+╚══════════════════════════════════════════════╝
+
+审计等级: L1 + L2 + L3
+
+发现 (3 项):
+
+🔴 严重      | L2-003b   | MCP 服务器使用了危险命令: rm
+              → ./my-skill.skill.md
+
+🟠 高危      | L1-001    | 检测到危险命令: rm -rf /
+              → ./my-skill.skill.md:24
+              →     run: rm -rf /tmp/cache
+
+🟡 中危      | L2-001b   | alwaysApply 规则 globs 范围过宽
+              → ./my-skill.skill.md
+
+评分: 65/100 — C 级
+3 项发现 (1 严重, 1 高危, 1 中危)
+```
+
+**JSON**：适合 CI/CD 流水线和程序化处理。
+
+```bash
+transskill audit ./skills/ --format json
+```
+
+**安静模式**：一行摘要，适合快速检查。
+
+```bash
+transskill audit .cursorrules --quiet
+# 📊 C (65/100) — 3 项发现 (1🔴 1🟠 1🟡)
+```
+
+### CI/CD 集成
+
+结合 JSON 输出将审计结果集成到 CI 流水线：
+
+```bash
+#!/bin/bash
+# 评分低于 B 级（70 分）则构建失败
+RESULT=$(transskill audit ./skills/ --format json)
+SCORE=$(echo $RESULT | jq '.score.total')
+if [ "$SCORE" -lt 70 ]; then
+  echo "❌ 安全评分 $SCORE 低于阈值 (70)"
+  exit 1
+fi
+echo "✅ 安全评分 $SCORE — 通过"
+```
+
 ## 项目进度
 
-**活跃开发中。** 详见 [tasks.md](specs/tasks.md)。
+**v0.2.1 — 活跃开发中。** 详见 [tasks.md](specs/tasks.md)。
 
 | 阶段 | 状态 |
 |------|------|
 | Phase 0: 项目脚手架 | ✅ 已完成 |
 | Phase 1: InputResolver + 类型定义 | ✅ 已完成 |
 | Phase 2: Parser 层 | ✅ 已完成 |
-| Phase 3: Mapper + Renderer | ⬜ 待完成 |
-| Phase 4: CLI 完整管道 | ⬜ 待完成 |
-| Phase 5: 测试覆盖 | ⬜ 待完成 |
+| Phase 3: Mapper + Renderer | ✅ 已完成 |
+| Phase 4: CLI 完整管道 | ✅ 已完成 |
+| Phase 5: 测试覆盖 | ⬜ 进行中 |
 | Phase 6: CI + 发布 | ⬜ 待完成 |
+| Phase A: 安全审计 | ✅ 已完成 |
 
 ## 贡献指南
 

package/dist/audit/auditor-registry.d.ts

@@ -0,0 +1,6 @@
+import type { Auditor } from './auditor.interface.js';
+export declare function registerAuditor(auditor: Auditor): void;
+export declare function getAuditor(id: string): Auditor | undefined;
+export declare function getAuditors(): Auditor[];
+export declare function clearAuditors(): void;
+//# sourceMappingURL=auditor-registry.d.ts.map

package/dist/audit/auditor-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditor-registry.d.ts","sourceRoot":"","sources":["../../src/audit/auditor-registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AAItD,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAKtD;AAED,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAE1D;AAED,wBAAgB,WAAW,IAAI,OAAO,EAAE,CAEvC;AAED,wBAAgB,aAAa,IAAI,IAAI,CAEpC"}

package/dist/audit/auditor-registry.js

@@ -0,0 +1,17 @@
+const auditors = new Map();
+export function registerAuditor(auditor) {
+    if (auditors.has(auditor.id)) {
+        throw new Error(`Auditor '${auditor.id}' is already registered`);
+    }
+    auditors.set(auditor.id, auditor);
+}
+export function getAuditor(id) {
+    return auditors.get(id);
+}
+export function getAuditors() {
+    return Array.from(auditors.values());
+}
+export function clearAuditors() {
+    auditors.clear();
+}
+//# sourceMappingURL=auditor-registry.js.map

package/dist/audit/auditor-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditor-registry.js","sourceRoot":"","sources":["../../src/audit/auditor-registry.ts"],"names":[],"mappings":"AAEA,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;AAE5C,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,YAAY,OAAO,CAAC,EAAE,yBAAyB,CAAC,CAAC;IACnE,CAAC;IACD,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,EAAU;IACnC,OAAO,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,QAAQ,CAAC,KAAK,EAAE,CAAC;AACnB,CAAC"}

package/dist/audit/auditor.interface.d.ts

@@ -0,0 +1,59 @@
+import type { FormatType, IntermediateSkill } from '../core/types.js';
+export type Severity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+export declare const SEVERITY_ORDER: Severity[];
+export declare const SEVERITY_WEIGHTS: Record<Severity, number>;
+export declare const SEVERITY_LABELS: Record<Severity, string>;
+export interface AuditFinding {
+    id: string;
+    severity: Severity;
+    title: string;
+    description: string;
+    filePath: string;
+    lineNumber?: number;
+    snippet?: string;
+    recommendation?: string;
+    cwe?: string;
+}
+export type ScoreLevel = 'A' | 'B' | 'C' | 'D' | 'F';
+export interface SecurityScore {
+    total: number;
+    level: ScoreLevel;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    info: number;
+}
+export declare function computeScore(critical: number, high: number, medium: number, low: number, _info: number): SecurityScore;
+export interface AuditReport {
+    target: string;
+    format: FormatType;
+    isDirectory: boolean;
+    findings: AuditFinding[];
+    score: SecurityScore;
+    summary: string;
+    timestamp: string;
+}
+export interface Auditor {
+    /** Unique auditor identifier */
+    readonly id: string;
+    /** Human-readable name */
+    readonly name: string;
+    /** Description of what this auditor checks */
+    readonly description: string;
+    /** Which format(s) this auditor supports (empty = all) */
+    readonly supportedFormats?: FormatType[];
+    /** Run audit on a parsed skill */
+    audit(skill: IntermediateSkill, filePath: string): AuditFinding[];
+    /** Whether this auditor can handle directory-level checks */
+    readonly supportsDirectory?: boolean;
+}
+export interface AuditOptions {
+    /** Minimum severity to report */
+    minSeverity?: Severity;
+    /** Specific auditor IDs to run (empty = all) */
+    auditors?: string[];
+    /** Skip directory-level checks */
+    noDirectory?: boolean;
+}
+//# sourceMappingURL=auditor.interface.d.ts.map

package/dist/audit/auditor.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditor.interface.d.ts","sourceRoot":"","sources":["../../src/audit/auditor.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAItE,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvE,eAAO,MAAM,cAAc,EAAE,QAAQ,EAAkD,CAAC;AAExF,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAMrD,CAAC;AAEF,eAAO,MAAM,eAAe,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAMpD,CAAC;AAIF,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAID,MAAM,MAAM,UAAU,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AAErD,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,UAAU,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,GACZ,aAAa,CAiBf;AAID,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,UAAU,CAAC;IACnB,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,KAAK,EAAE,aAAa,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,OAAO;IACtB,gCAAgC;IAChC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8CAA8C;IAC9C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,0DAA0D;IAC1D,QAAQ,CAAC,gBAAgB,CAAC,EAAE,UAAU,EAAE,CAAC;IACzC,kCAAkC;IAClC,KAAK,CAAC,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY,EAAE,CAAC;IAClE,6DAA6D;IAC7D,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,CAAC;CACtC;AAID,MAAM,WAAW,YAAY;IAC3B,iCAAiC;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAC;IACvB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,kCAAkC;IAClC,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB"}

package/dist/audit/auditor.interface.js

@@ -0,0 +1,36 @@
+export const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info'];
+export const SEVERITY_WEIGHTS = {
+    critical: 25,
+    high: 10,
+    medium: 4,
+    low: 1,
+    info: 0,
+};
+export const SEVERITY_LABELS = {
+    critical: '🔴 Critical',
+    high: '🟠 High',
+    medium: '🟡 Medium',
+    low: '🟢 Low',
+    info: 'ℹ️ Info',
+};
+export function computeScore(critical, high, medium, low, _info) {
+    const raw = 100 -
+        critical * SEVERITY_WEIGHTS.critical -
+        high * SEVERITY_WEIGHTS.high -
+        medium * SEVERITY_WEIGHTS.medium -
+        low * SEVERITY_WEIGHTS.low;
+    const total = Math.max(0, Math.min(100, raw));
+    let level;
+    if (total >= 90)
+        level = 'A';
+    else if (total >= 70)
+        level = 'B';
+    else if (total >= 50)
+        level = 'C';
+    else if (total >= 30)
+        level = 'D';
+    else
+        level = 'F';
+    return { total, level, critical, high, medium, low, info: _info };
+}
+//# sourceMappingURL=auditor.interface.js.map

package/dist/audit/auditor.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditor.interface.js","sourceRoot":"","sources":["../../src/audit/auditor.interface.ts"],"names":[],"mappings":"AAMA,MAAM,CAAC,MAAM,cAAc,GAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;AAExF,MAAM,CAAC,MAAM,gBAAgB,GAA6B;IACxD,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAA6B;IACvD,QAAQ,EAAE,aAAa;IACvB,IAAI,EAAE,SAAS;IACf,MAAM,EAAE,WAAW;IACnB,GAAG,EAAE,QAAQ;IACb,IAAI,EAAE,SAAS;CAChB,CAAC;AA8BF,MAAM,UAAU,YAAY,CAC1B,QAAgB,EAChB,IAAY,EACZ,MAAc,EACd,GAAW,EACX,KAAa;IAEb,MAAM,GAAG,GACP,GAAG;QACH,QAAQ,GAAG,gBAAgB,CAAC,QAAQ;QACpC,IAAI,GAAG,gBAAgB,CAAC,IAAI;QAC5B,MAAM,GAAG,gBAAgB,CAAC,MAAM;QAChC,GAAG,GAAG,gBAAgB,CAAC,GAAG,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAE9C,IAAI,KAAiB,CAAC;IACtB,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;SACxB,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;SAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;SAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,KAAK,GAAG,GAAG,CAAC;;QAC7B,KAAK,GAAG,GAAG,CAAC;IAEjB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AACpE,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,39 @@
+import type { AuditReport, AuditOptions } from './auditor.interface.js';
+import type { IntermediateSkill } from '../core/types.js';
+/**
+ * AuditEngine — the main entry point for security auditing.
+ *
+ * Flow:
+ *   1. Get all registered auditors
+ *   2. Filter by options (minSeverity, specific auditors)
+ *   3. Run each applicable auditor against the parsed skill
+ *   4. Aggregate findings
+ *   5. Compute score + generate report
+ */
+export declare class AuditEngine {
+    private readonly options;
+    constructor(options?: AuditOptions);
+    /**
+     * Audit a single parsed skill file.
+     */
+    auditSkill(skill: IntermediateSkill, filePath: string, target?: string): AuditReport;
+    /**
+     * Audit a skill directory, including file-level and directory-level checks.
+     */
+    auditDirectory(skill: IntermediateSkill, rootPath: string, skillFilePath: string, target?: string): AuditReport;
+    /**
+     * Run all auditors and return the report object.
+     */
+    run(skill: IntermediateSkill, filePath: string, isDirectory: boolean): AuditReport;
+    /**
+     * Generate console-friendly report string.
+     */
+    reportToString(report: AuditReport): string;
+    /**
+     * Generate JSON report string.
+     */
+    reportToJson(report: AuditReport, pretty?: boolean): string;
+    private resolveAuditors;
+    private buildReport;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAGV,WAAW,EACX,YAAY,EAEb,MAAM,wBAAwB,CAAC;AAGhC,OAAO,KAAK,EAAc,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAItE;;;;;;;;;GASG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;gBAErC,OAAO,GAAE,YAAiB;IAQtC;;OAEG;IACH,UAAU,CACR,KAAK,EAAE,iBAAiB,EACxB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,WAAW;IAuBd;;OAEG;IACH,cAAc,CACZ,KAAK,EAAE,iBAAiB,EACxB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,MAAM,CAAC,EAAE,MAAM,GACd,WAAW;IAiCd;;OAEG;IACH,GAAG,CACD,KAAK,EAAE,iBAAiB,EACxB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,OAAO,GACnB,WAAW;IAId;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM;IAI3C;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,UAAO,GAAG,MAAM;IAIxD,OAAO,CAAC,eAAe;IAoBvB,OAAO,CAAC,WAAW;CAoDpB"}