vaspera 2.13.0 → 2.15.0

package/dist/util/paths.js

@@ -21,6 +21,13 @@ export class PathValidationError extends Error {
         this.name = "PathValidationError";
     }
 }
+/**
+ * Options for path validation
+ */
+/** Segment-aware containment: "/base" must not match "/base-evil". */
+function isWithin(target, base) {
+    return target === base || target.startsWith(base + path.sep);
+}
 /**
  * Validate a project path for security
  *
@@ -59,7 +66,7 @@ export async function validateProjectPath(projectPath, options = {}) {
                 // If basePath is specified, ensure symlink target is within it
                 if (basePath) {
                     const resolvedBase = path.resolve(basePath);
-                    if (!realPath.startsWith(resolvedBase)) {
+                    if (!isWithin(realPath, resolvedBase)) {
                         throw new PathValidationError(`Symlink escapes base directory: ${projectPath} -> ${realPath}`, projectPath, "symlink_escape");
                     }
                 }
@@ -75,10 +82,13 @@ export async function validateProjectPath(projectPath, options = {}) {
         if (requireDirectory && !lstats.isDirectory()) {
             throw new PathValidationError(`Path is not a directory: ${projectPath}`, projectPath, "not_directory");
         }
-        // If basePath is specified, ensure the path is within it
+        // If basePath is specified, ensure the path is within it. Compare
+        // *real* paths so a symlinked ancestor (e.g. /base/link/sub where
+        // /base/link -> /etc) cannot escape via a lexical-only check.
         if (basePath) {
-            const resolvedBase = path.resolve(basePath);
-            if (!resolvedPath.startsWith(resolvedBase)) {
+            const realBase = await realpath(path.resolve(basePath));
+            const realTarget = await realpath(resolvedPath);
+            if (!isWithin(realTarget, realBase)) {
                 throw new PathValidationError(`Path is outside base directory: ${projectPath}`, projectPath, "path_traversal");
             }
         }
@@ -114,6 +124,76 @@ export async function isPathSafe(projectPath, options = {}) {
         return false;
     }
 }
+/**
+ * Resolve a relative file path inside a project tree, rejecting escapes.
+ * For paths that originate from untrusted sources (scanner output, agent
+ * findings): `../` sequences, absolute paths, and in-tree symlinks
+ * pointing outside the project are all refused.
+ *
+ * @returns The real (symlink-resolved) absolute path of the file
+ * @throws PathValidationError if the path escapes the project tree
+ */
+export async function resolveContainedFile(projectPath, relFile) {
+    const root = await realpath(projectPath);
+    const contained = (p) => p === root || p.startsWith(root + path.sep);
+    const target = path.resolve(root, relFile);
+    if (!contained(target)) {
+        throw new PathValidationError(`File path escapes project tree: ${relFile}`, relFile, "path_traversal");
+    }
+    const real = await realpath(target);
+    if (!contained(real)) {
+        throw new PathValidationError(`Symlinked file escapes project tree: ${relFile}`, relFile, "symlink_escape");
+    }
+    return real;
+}
+/**
+ * Resolve a relative *write* target inside a project tree, rejecting
+ * escapes — like resolveContainedFile but for a file that may not exist
+ * yet (the parent directory must exist and is symlink-resolved).
+ * For untrusted output paths (e.g. an `output_file` tool argument).
+ *
+ * @returns The absolute path to write to, contained within the tree
+ * @throws PathValidationError if the path escapes the project tree
+ */
+export async function resolveContainedWritePath(projectPath, relFile) {
+    const root = await realpath(projectPath);
+    const contained = (p) => p === root || p.startsWith(root + path.sep);
+    const target = path.resolve(root, relFile);
+    if (!contained(target)) {
+        throw new PathValidationError(`File path escapes project tree: ${relFile}`, relFile, "path_traversal");
+    }
+    // The leaf (and possibly intermediate dirs) may not exist yet. Resolve
+    // the nearest existing ancestor through symlinks so a symlinked
+    // directory inside the tree cannot redirect the write outside it, then
+    // re-attach the not-yet-existing remainder.
+    let ancestor = path.dirname(target);
+    while (true) {
+        try {
+            const realAncestor = await realpath(ancestor);
+            if (!contained(realAncestor)) {
+                throw new PathValidationError(`Symlinked directory escapes project tree: ${relFile}`, relFile, "symlink_escape");
+            }
+            const remainder = path.relative(ancestor, target);
+            const finalPath = path.join(realAncestor, remainder);
+            if (!contained(finalPath)) {
+                throw new PathValidationError(`File path escapes project tree: ${relFile}`, relFile, "path_traversal");
+            }
+            return finalPath;
+        }
+        catch (error) {
+            if (error instanceof PathValidationError)
+                throw error;
+            if (error.code !== "ENOENT")
+                throw error;
+            const parent = path.dirname(ancestor);
+            if (parent === ancestor) {
+                // Reached the filesystem root without an existing ancestor.
+                throw new PathValidationError(`Cannot resolve write path: ${relFile}`, relFile, "invalid_path");
+            }
+            ancestor = parent;
+        }
+    }
+}
 /**
  * Sanitize a path for use in error messages (remove sensitive info)
  */

package/dist/util/paths.js.map

@@ -1 +1 @@
-{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAG1B;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,MAKE;QAElB,KAAK,CAAC,OAAO,CAAC,CAAC;QARC,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAKJ;QAGlB,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAcD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,WAAmB,EACnB,UAA+B,EAAE;IAEjC,MAAM,EAAE,gBAAgB,GAAG,IAAI,EAAE,aAAa,GAAG,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7E,2BAA2B;IAC3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE/C,oCAAoC;IACpC,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChE,8DAA8D;QAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACpD,IAAI,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,gBAAgB,CACjB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,wDAAwD;QACxD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,kBAAkB;QAClB,IAAI,MAAM,CAAC,cAAc,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,mDAAmD;gBACnD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAE9C,+DAA+D;gBAC/D,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;oBAC5C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;wBACvC,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,OAAO,QAAQ,EAAE,EAC/D,WAAW,EACX,gBAAgB,CACjB,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,oBAAoB;gBACpB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,gBAAgB,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC;oBACjD,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;gBACJ,CAAC;gBACD,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,IAAI,gBAAgB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9C,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,yDAAyD;QACzD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC3C,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,EAAE,EAChD,WAAW,EACX,gBAAgB,CACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,MAAM,KAAK,CAAC;QACd,CAAC;QAED,iCAAiC;QACjC,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvD,MAAM,IAAI,mBAAmB,CAC3B,wBAAwB,WAAW,EAAE,EACrC,WAAW,EACX,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,mBAAmB,CAC3B,iBAAiB,WAAW,MAAO,KAAe,CAAC,OAAO,EAAE,EAC5D,WAAW,EACX,cAAc,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,UAAyD,EAAE;IAE3D,OAAO,mBAAmB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,WAAmB,EACnB,UAA+B,EAAE;IAEjC,IAAI,CAAC;QACH,MAAM,mBAAmB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB;IACtD,0CAA0C;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;IAClE,IAAI,OAAO,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,OAAO,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAG1B;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,MAKE;QAElB,KAAK,CAAC,OAAO,CAAC,CAAC;QARC,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAKJ;QAGlB,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED;;GAEG;AACH,sEAAsE;AACtE,SAAS,QAAQ,CAAC,MAAc,EAAE,IAAY;IAC5C,OAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/D,CAAC;AAWD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,WAAmB,EACnB,UAA+B,EAAE;IAEjC,MAAM,EAAE,gBAAgB,GAAG,IAAI,EAAE,aAAa,GAAG,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7E,2BAA2B;IAC3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE/C,oCAAoC;IACpC,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChE,8DAA8D;QAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACpD,IAAI,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,gBAAgB,CACjB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,wDAAwD;QACxD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,kBAAkB;QAClB,IAAI,MAAM,CAAC,cAAc,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,mDAAmD;gBACnD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAE9C,+DAA+D;gBAC/D,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;oBAC5C,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC;wBACtC,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,OAAO,QAAQ,EAAE,EAC/D,WAAW,EACX,gBAAgB,CACjB,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,oBAAoB;gBACpB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,gBAAgB,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC;oBACjD,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;gBACJ,CAAC;gBACD,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,IAAI,gBAAgB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9C,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,kEAAkE;QAClE,kEAAkE;QAClE,8DAA8D;QAC9D,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;gBACpC,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,EAAE,EAChD,WAAW,EACX,gBAAgB,CACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,MAAM,KAAK,CAAC;QACd,CAAC;QAED,iCAAiC;QACjC,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvD,MAAM,IAAI,mBAAmB,CAC3B,wBAAwB,WAAW,EAAE,EACrC,WAAW,EACX,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,mBAAmB,CAC3B,iBAAiB,WAAW,MAAO,KAAe,CAAC,OAAO,EAAE,EAC5D,WAAW,EACX,cAAc,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,UAAyD,EAAE;IAE3D,OAAO,mBAAmB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,WAAmB,EACnB,UAA+B,EAAE;IAEjC,IAAI,CAAC;QACH,MAAM,mBAAmB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,WAAmB,EACnB,OAAe;IAEf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAE7E,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,OAAO,EAAE,EAC5C,OAAO,EACP,gBAAgB,CACjB,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,mBAAmB,CAC3B,wCAAwC,OAAO,EAAE,EACjD,OAAO,EACP,gBAAgB,CACjB,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,OAAe;IAEf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAE7E,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,OAAO,EAAE,EAC5C,OAAO,EACP,gBAAgB,CACjB,CAAC;IACJ,CAAC;IACD,uEAAuE;IACvE,gEAAgE;IAChE,uEAAuE;IACvE,4CAA4C;IAC5C,IAAI,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC7B,MAAM,IAAI,mBAAmB,CAC3B,6CAA6C,OAAO,EAAE,EACtD,OAAO,EACP,gBAAgB,CACjB,CAAC;YACJ,CAAC;YACD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;YACrD,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC1B,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,OAAO,EAAE,EAC5C,OAAO,EACP,gBAAgB,CACjB,CAAC;YACJ,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,mBAAmB;gBAAE,MAAM,KAAK,CAAC;YACtD,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,KAAK,CAAC;YACpE,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACxB,4DAA4D;gBAC5D,MAAM,IAAI,mBAAmB,CAC3B,8BAA8B,OAAO,EAAE,EACvC,OAAO,EACP,cAAc,CACf,CAAC;YACJ,CAAC;YACD,QAAQ,GAAG,MAAM,CAAC;QACpB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB;IACtD,0CAA0C;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;IAClE,IAAI,OAAO,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,OAAO,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/util/subprocess.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Safe subprocess execution for scanner adapters.
+ *
+ * Wraps execFile (never a shell) so argument values — project paths,
+ * target URLs, config file paths — can never be interpreted as shell
+ * syntax. This is the only sanctioned way to invoke external scanner
+ * binaries (CONSTITUTION: "No string-concat shell commands").
+ *
+ * @module util/subprocess
+ */
+export declare class CommandError extends Error {
+    readonly binary: string;
+    readonly args: string[];
+    readonly exitCode: number | null;
+    readonly stdout: string;
+    readonly stderr: string;
+    readonly cause?: Error | undefined;
+    constructor(message: string, binary: string, args: string[], exitCode: number | null, stdout: string, stderr: string, cause?: Error | undefined);
+}
+export interface RunCommandOptions {
+    /** Milliseconds before the process is killed. Default 120000. */
+    timeout?: number;
+    /** Max bytes captured per stream. Default 10MB. */
+    maxBuffer?: number;
+    cwd?: string;
+    env?: NodeJS.ProcessEnv;
+    /**
+     * Scanners conventionally exit non-zero when findings exist (e.g.
+     * bandit/semgrep exit 1). When true (default), a non-zero exit that
+     * still produced stdout resolves normally instead of throwing —
+     * matching the historical execAsync `.catch(e => e.stdout)` pattern.
+     */
+    tolerateExitWithOutput?: boolean;
+}
+export interface RunCommandResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+/**
+ * Run a binary with discrete argv entries. No shell is ever invoked,
+ * so callers MUST NOT pre-quote values or pass shell syntax
+ * (pipes, redirects, `&&`) — restructure such logic in JS instead.
+ */
+export declare function runCommand(binary: string, args: string[], options?: RunCommandOptions): Promise<RunCommandResult>;
+/**
+ * Probe for a scanner binary by running it with a version-style flag.
+ * Returns the first line of stdout (trimmed) or null when unavailable.
+ */
+export declare function probeBinary(binary: string, args?: string[], timeout?: number): Promise<string | null>;
+//# sourceMappingURL=subprocess.d.ts.map

package/dist/util/subprocess.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subprocess.d.ts","sourceRoot":"","sources":["../../src/util/subprocess.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,qBAAa,YAAa,SAAQ,KAAK;aAGnB,MAAM,EAAE,MAAM;aACd,IAAI,EAAE,MAAM,EAAE;aACd,QAAQ,EAAE,MAAM,GAAG,IAAI;aACvB,MAAM,EAAE,MAAM;aACd,MAAM,EAAE,MAAM;aACd,KAAK,CAAC,EAAE,KAAK;gBAN7B,OAAO,EAAE,MAAM,EACC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAAE,EACd,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,KAAK,YAAA;CAKhC;AAED,MAAM,WAAW,iBAAiB;IAChC,iEAAiE;IACjE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB;;;;;OAKG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAqD3B;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,IAAI,GAAE,MAAM,EAAkB,EAC9B,OAAO,SAAO,GACb,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUxB"}

package/dist/util/subprocess.js

@@ -0,0 +1,77 @@
+/**
+ * Safe subprocess execution for scanner adapters.
+ *
+ * Wraps execFile (never a shell) so argument values — project paths,
+ * target URLs, config file paths — can never be interpreted as shell
+ * syntax. This is the only sanctioned way to invoke external scanner
+ * binaries (CONSTITUTION: "No string-concat shell commands").
+ *
+ * @module util/subprocess
+ */
+import { execFile } from "child_process";
+export class CommandError extends Error {
+    binary;
+    args;
+    exitCode;
+    stdout;
+    stderr;
+    cause;
+    constructor(message, binary, args, exitCode, stdout, stderr, cause) {
+        super(message);
+        this.binary = binary;
+        this.args = args;
+        this.exitCode = exitCode;
+        this.stdout = stdout;
+        this.stderr = stderr;
+        this.cause = cause;
+        this.name = "CommandError";
+    }
+}
+/**
+ * Run a binary with discrete argv entries. No shell is ever invoked,
+ * so callers MUST NOT pre-quote values or pass shell syntax
+ * (pipes, redirects, `&&`) — restructure such logic in JS instead.
+ */
+export async function runCommand(binary, args, options = {}) {
+    const { timeout = 120000, maxBuffer = 10 * 1024 * 1024, cwd, env, tolerateExitWithOutput = true, } = options;
+    return new Promise((resolve, reject) => {
+        execFile(binary, args, { timeout, maxBuffer, cwd, env, encoding: "utf8" }, (error, stdout, stderr) => {
+            if (!error) {
+                resolve({ stdout, stderr, exitCode: 0 });
+                return;
+            }
+            const exitCode = typeof error.code === "number" ? error.code : null;
+            if (tolerateExitWithOutput &&
+                exitCode !== null &&
+                !error.killed &&
+                stdout &&
+                stdout.length > 0) {
+                resolve({ stdout, stderr: stderr || "", exitCode });
+                return;
+            }
+            const reason = error.killed
+                ? `timed out after ${timeout}ms`
+                : exitCode !== null
+                    ? `exited with code ${exitCode}`
+                    : `failed to start (${error.code ?? error.message})`;
+            reject(new CommandError(`${binary} ${reason}${stderr ? `: ${stderr.slice(0, 500)}` : ""}`, binary, args, exitCode, stdout ?? "", stderr ?? "", error));
+        });
+    });
+}
+/**
+ * Probe for a scanner binary by running it with a version-style flag.
+ * Returns the first line of stdout (trimmed) or null when unavailable.
+ */
+export async function probeBinary(binary, args = ["--version"], timeout = 5000) {
+    try {
+        const { stdout } = await runCommand(binary, args, {
+            timeout,
+            tolerateExitWithOutput: false,
+        });
+        return stdout.trim().split("\n")[0] ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=subprocess.js.map

package/dist/util/subprocess.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subprocess.js","sourceRoot":"","sources":["../../src/util/subprocess.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAA0B,MAAM,eAAe,CAAC;AAEjE,MAAM,OAAO,YAAa,SAAQ,KAAK;IAGnB;IACA;IACA;IACA;IACA;IACA;IAPlB,YACE,OAAe,EACC,MAAc,EACd,IAAc,EACd,QAAuB,EACvB,MAAc,EACd,MAAc,EACd,KAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAPC,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAU;QACd,aAAQ,GAAR,QAAQ,CAAe;QACvB,WAAM,GAAN,MAAM,CAAQ;QACd,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAQ;QAG7B,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;IAC7B,CAAC;CACF;AAwBD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAc,EACd,IAAc,EACd,UAA6B,EAAE;IAE/B,MAAM,EACJ,OAAO,GAAG,MAAM,EAChB,SAAS,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,EAC5B,GAAG,EACH,GAAG,EACH,sBAAsB,GAAG,IAAI,GAC9B,GAAG,OAAO,CAAC;IAEZ,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,QAAQ,CACN,MAAM,EACN,IAAI,EACJ,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,EAClD,CAAC,KAA+B,EAAE,MAAc,EAAE,MAAc,EAAE,EAAE;YAClE,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;gBACzC,OAAO;YACT,CAAC;YAED,MAAM,QAAQ,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;YAEpE,IACE,sBAAsB;gBACtB,QAAQ,KAAK,IAAI;gBACjB,CAAC,KAAK,CAAC,MAAM;gBACb,MAAM;gBACN,MAAM,CAAC,MAAM,GAAG,CAAC,EACjB,CAAC;gBACD,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACpD,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM;gBACzB,CAAC,CAAC,mBAAmB,OAAO,IAAI;gBAChC,CAAC,CAAC,QAAQ,KAAK,IAAI;oBACjB,CAAC,CAAC,oBAAoB,QAAQ,EAAE;oBAChC,CAAC,CAAC,oBAAoB,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,GAAG,CAAC;YAEzD,MAAM,CACJ,IAAI,YAAY,CACd,GAAG,MAAM,IAAI,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EACjE,MAAM,EACN,IAAI,EACJ,QAAQ,EACR,MAAM,IAAI,EAAE,EACZ,MAAM,IAAI,EAAE,EACZ,KAAK,CACN,CACF,CAAC;QACJ,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,OAAiB,CAAC,WAAW,CAAC,EAC9B,OAAO,GAAG,IAAI;IAEd,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,IAAI,EAAE;YAChD,OAAO;YACP,sBAAsB,EAAE,KAAK;SAC9B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vaspera",
-  "version": "2.13.0",
+  "version": "2.15.0",
   "packageManager": "npm@10.2.4",
   "files": [
     "dist",
@@ -38,7 +38,7 @@
     "claude"
   ],
   "scripts": {
-    "build": "npm run generate:manifest && tsc",
+    "build": "tsc && npm run generate:manifest",
     "build:mcp": "tsc",
     "start": "node dist/index.js",
     "start:http": "node dist/http-server.js",
@@ -53,6 +53,12 @@
     "profile": "npx tsx scripts/profile.ts",
     "generate:manifest": "npx tsx scripts/generate-manifest.ts",
     "self-certify": "npm run generate:manifest && npx tsx scripts/self-certify.ts",
+    "constitution": "npx tsx scripts/constitution-check.ts",
+    "emit:cert": "npx tsx scripts/emit-sample-certificate.ts",
+    "verify:cert": "npx tsx scripts/verify-certificate.ts",
+    "benchmark": "npx tsx scripts/run-benchmark.ts",
+    "benchmark:llm": "npx tsx scripts/run-llm-benchmark.ts",
+    "benchmark:redteam": "npx tsx scripts/run-redteam-benchmark.ts",
     "test:self": "npm run self-certify",
     "release-notes": "npx tsx scripts/release-notes.ts",
     "changeset": "changeset",
@@ -76,6 +82,9 @@
     "yaml": "~2.9.0",
     "zod": "^3.24.0"
   },
+  "overrides": {
+    "shell-quote": "~1.8.4"
+  },
   "devDependencies": {
     "@changesets/changelog-github": "^0.5.0",
     "@changesets/cli": "^2.27.0",
@@ -86,6 +95,7 @@
     "@vitest/coverage-v8": "~4.1.4",
     "concurrently": "^9.1.2",
     "fast-check": "~4.8.0",
+    "openai": "~6.42.0",
     "turbo": "~2.9.6",
     "vitest": "~4.1.4"
   }

package/dist/eval/fixtures/healthcare/audit-gaps.d.ts

@@ -1,28 +0,0 @@
-/**
- * Test Fixture: Audit Gaps
- *
- * This file contains intentional audit trail gaps that should be
- * detected by the healthcare scanner. Used for testing only.
- *
- * EXPECTED FINDINGS:
- * - PHI access without audit log (high)
- * - Missing user ID in audit entries (medium)
- * - Audit log without timestamp (medium)
- *
- * @module eval/fixtures/healthcare/audit-gaps
- */
-export declare function readPatientRecord(patientId: string, userId: string): Promise<{}>;
-export declare function updateMedicalRecord(patientId: string, updates: object): Promise<{
-    success: boolean;
-}>;
-export declare function viewPatientData(patientId: string): Promise<{
-    id: string;
-    name: string;
-}>;
-export declare function deletePatientData(patientId: string, userId: string): Promise<boolean>;
-export declare function clearAuditLogs(adminId: string): Promise<void>;
-export declare function properAuditedAccess(patientId: string, userId: string): Promise<{
-    id: string;
-    name: string;
-}>;
-//# sourceMappingURL=audit-gaps.d.ts.map

package/dist/eval/fixtures/healthcare/audit-gaps.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"audit-gaps.d.ts","sourceRoot":"","sources":["../../../../src/eval/fixtures/healthcare/audit-gaps.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,eAIxE;AAGD,wBAAsB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;;GAI3E;AAGD,wBAAsB,eAAe,CAAC,SAAS,EAAE,MAAM;;;GAQtD;AAGD,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,oBAQxE;AAGD,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,iBAGnD;AAqBD,wBAAsB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;;;GA0B1E"}

package/dist/eval/fixtures/healthcare/audit-gaps.js

@@ -1,90 +0,0 @@
-/**
- * Test Fixture: Audit Gaps
- *
- * This file contains intentional audit trail gaps that should be
- * detected by the healthcare scanner. Used for testing only.
- *
- * EXPECTED FINDINGS:
- * - PHI access without audit log (high)
- * - Missing user ID in audit entries (medium)
- * - Audit log without timestamp (medium)
- *
- * @module eval/fixtures/healthcare/audit-gaps
- */
-// PHI access without audit logging - SHOULD BE DETECTED
-export async function readPatientRecord(patientId, userId) {
-    // No audit log call before or after PHI access
-    const patient = await database.query(`SELECT * FROM patients WHERE id = ?`, [patientId]);
-    return patient;
-}
-// Another missing audit log - SHOULD BE DETECTED
-export async function updateMedicalRecord(patientId, updates) {
-    await database.query(`UPDATE patients SET ? WHERE id = ?`, [updates, patientId]);
-    // No audit trail for this modification
-    return { success: true };
-}
-// Missing user ID in audit - SHOULD BE DETECTED
-export async function viewPatientData(patientId) {
-    await auditLog.write({
-        action: "view_patient",
-        resourceId: patientId,
-        // Missing: userId
-        timestamp: new Date().toISOString(),
-    });
-    return await fetchPatient(patientId);
-}
-// Audit log without timestamp - SHOULD BE DETECTED
-export async function deletePatientData(patientId, userId) {
-    await auditLog.write({
-        action: "delete_patient",
-        userId: userId,
-        resourceId: patientId,
-        // Missing: timestamp
-    });
-    return await database.delete("patients", patientId);
-}
-// Deletable audit log - SHOULD BE DETECTED
-export async function clearAuditLogs(adminId) {
-    // Audit logs should be immutable
-    await database.query("DELETE FROM audit_logs WHERE created_at < ?", [thirtyDaysAgo()]);
-}
-// Simulated database and audit
-const database = {
-    query: async (sql, params) => ({}),
-    delete: async (table, id) => true,
-};
-const auditLog = {
-    write: async (entry) => true,
-};
-function thirtyDaysAgo() {
-    return new Date(Date.now() - 30 * 24 * 60 * 60 * 1000).toISOString();
-}
-async function fetchPatient(id) {
-    return { id, name: "Test Patient" };
-}
-// This is OK - proper audit trail
-export async function properAuditedAccess(patientId, userId) {
-    // Log before access
-    await auditLog.write({
-        action: "phi_access",
-        userId: userId,
-        resourceType: "patient",
-        resourceId: patientId,
-        timestamp: new Date().toISOString(),
-        ipAddress: "127.0.0.1",
-        outcome: "pending",
-    });
-    const patient = await fetchPatient(patientId);
-    // Log after access with outcome
-    await auditLog.write({
-        action: "phi_access",
-        userId: userId,
-        resourceType: "patient",
-        resourceId: patientId,
-        timestamp: new Date().toISOString(),
-        outcome: "success",
-        dataAccessed: ["name", "dob", "mrn"],
-    });
-    return patient;
-}
-//# sourceMappingURL=audit-gaps.js.map

package/dist/eval/fixtures/healthcare/audit-gaps.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"audit-gaps.js","sourceRoot":"","sources":["../../../../src/eval/fixtures/healthcare/audit-gaps.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAiB,EAAE,MAAc;IACvE,+CAA+C;IAC/C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,qCAAqC,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IACzF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,iDAAiD;AACjD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,SAAiB,EAAE,OAAe;IAC1E,MAAM,QAAQ,CAAC,KAAK,CAAC,oCAAoC,EAAE,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;IACjF,uCAAuC;IACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,gDAAgD;AAChD,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,SAAiB;IACrD,MAAM,QAAQ,CAAC,KAAK,CAAC;QACnB,MAAM,EAAE,cAAc;QACtB,UAAU,EAAE,SAAS;QACrB,kBAAkB;QAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;IACH,OAAO,MAAM,YAAY,CAAC,SAAS,CAAC,CAAC;AACvC,CAAC;AAED,mDAAmD;AACnD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAiB,EAAE,MAAc;IACvE,MAAM,QAAQ,CAAC,KAAK,CAAC;QACnB,MAAM,EAAE,gBAAgB;QACxB,MAAM,EAAE,MAAM;QACd,UAAU,EAAE,SAAS;QACrB,qBAAqB;KACtB,CAAC,CAAC;IACH,OAAO,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AACtD,CAAC;AAED,2CAA2C;AAC3C,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAe;IAClD,iCAAiC;IACjC,MAAM,QAAQ,CAAC,KAAK,CAAC,6CAA6C,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;AACzF,CAAC;AAED,+BAA+B;AAC/B,MAAM,QAAQ,GAAG;IACf,KAAK,EAAE,KAAK,EAAE,GAAW,EAAE,MAAkB,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;IACtD,MAAM,EAAE,KAAK,EAAE,KAAa,EAAE,EAAU,EAAE,EAAE,CAAC,IAAI;CAClD,CAAC;AAEF,MAAM,QAAQ,GAAG;IACf,KAAK,EAAE,KAAK,EAAE,KAAa,EAAE,EAAE,CAAC,IAAI;CACrC,CAAC;AAEF,SAAS,aAAa;IACpB,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,EAAU;IACpC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;AACtC,CAAC;AAED,kCAAkC;AAClC,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,SAAiB,EAAE,MAAc;IACzE,oBAAoB;IACpB,MAAM,QAAQ,CAAC,KAAK,CAAC;QACnB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,MAAM;QACd,YAAY,EAAE,SAAS;QACvB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,WAAW;QACtB,OAAO,EAAE,SAAS;KACnB,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,CAAC;IAE9C,gCAAgC;IAChC,MAAM,QAAQ,CAAC,KAAK,CAAC;QACnB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,MAAM;QACd,YAAY,EAAE,SAAS;QACvB,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE,SAAS;QAClB,YAAY,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC;KACrC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/eval/fixtures/healthcare/consent-bypass.d.ts

@@ -1,31 +0,0 @@
-/**
- * Test Fixture: Consent Bypass
- *
- * This file contains intentional consent validation bypass patterns that
- * should be detected by the healthcare scanner. Used for testing only.
- *
- * EXPECTED FINDINGS:
- * - Always-true consent check (high)
- * - Missing consent validation in PHI access (high)
- * - Consent check commented out (high)
- *
- * @module eval/fixtures/healthcare/consent-bypass
- */
-export declare function hasConsent(): boolean;
-export declare function checkConsentStatus(): boolean;
-export declare function accessPatientRecord(patientId: string): Promise<{
-    id: string;
-    medicalHistory: never[];
-    ssn: string;
-}>;
-export declare function getPatientMedicalHistory(patientId: string): Promise<never[]>;
-export declare function getSUDTreatmentPlan(patientId: string): Promise<{
-    patientId: string;
-    treatmentPlan: string;
-}>;
-export declare function properConsentCheck(patientId: string, userId: string): Promise<{
-    id: string;
-    medicalHistory: never[];
-    ssn: string;
-}>;
-//# sourceMappingURL=consent-bypass.d.ts.map

package/dist/eval/fixtures/healthcare/consent-bypass.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"consent-bypass.d.ts","sourceRoot":"","sources":["../../../../src/eval/fixtures/healthcare/consent-bypass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,wBAAgB,UAAU,IAAI,OAAO,CAEpC;AAGD,wBAAgB,kBAAkB,IAAI,OAAO,CAG5C;AAGD,wBAAsB,mBAAmB,CAAC,SAAS,EAAE,MAAM;;;;GAK1D;AAGD,wBAAsB,wBAAwB,CAAC,SAAS,EAAE,MAAM,oBAI/D;AAGD,wBAAsB,mBAAmB,CAAC,SAAS,EAAE,MAAM;;;GAI1D;AAYD,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;;;;GAMzE"}

package/dist/eval/fixtures/healthcare/consent-bypass.js

@@ -1,61 +0,0 @@
-/**
- * Test Fixture: Consent Bypass
- *
- * This file contains intentional consent validation bypass patterns that
- * should be detected by the healthcare scanner. Used for testing only.
- *
- * EXPECTED FINDINGS:
- * - Always-true consent check (high)
- * - Missing consent validation in PHI access (high)
- * - Consent check commented out (high)
- *
- * @module eval/fixtures/healthcare/consent-bypass
- */
-// Always-true consent check - SHOULD BE DETECTED
-export function hasConsent() {
-    return true; // BUG: Always returns true without validation
-}
-// Another always-true pattern - SHOULD BE DETECTED
-export function checkConsentStatus() {
-    const consentGiven = true;
-    return consentGiven; // BUG: Hard-coded consent
-}
-// Consent check commented out - SHOULD BE DETECTED
-export async function accessPatientRecord(patientId) {
-    // if (!await checkConsentStatus()) {
-    //   throw new Error("Consent not given");
-    // }
-    return fetchPatientData(patientId);
-}
-// Missing consent validation before PHI access - SHOULD BE DETECTED
-export async function getPatientMedicalHistory(patientId) {
-    // No consent check before accessing sensitive data
-    const patient = await fetchPatientData(patientId);
-    return patient.medicalHistory;
-}
-// Missing consent check with SUD data - SHOULD BE DETECTED
-export async function getSUDTreatmentPlan(patientId) {
-    // SUD data requires explicit consent under 42 CFR Part 2
-    // but no consent validation here
-    return await fetchSUDRecords(patientId);
-}
-// Helper functions (simulated)
-async function fetchPatientData(patientId) {
-    return { id: patientId, medicalHistory: [], ssn: "123-45-6789" };
-}
-async function fetchSUDRecords(patientId) {
-    return { patientId, treatmentPlan: "Methadone maintenance" };
-}
-// This is OK - proper consent check
-export async function properConsentCheck(patientId, userId) {
-    const consent = await validateConsent(patientId, userId);
-    if (!consent.valid) {
-        throw new Error("Patient consent not obtained");
-    }
-    return await fetchPatientData(patientId);
-}
-async function validateConsent(patientId, userId) {
-    // Real implementation would check database
-    return { valid: false, scope: [], expiresAt: null };
-}
-//# sourceMappingURL=consent-bypass.js.map

package/dist/eval/fixtures/healthcare/consent-bypass.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"consent-bypass.js","sourceRoot":"","sources":["../../../../src/eval/fixtures/healthcare/consent-bypass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,iDAAiD;AACjD,MAAM,UAAU,UAAU;IACxB,OAAO,IAAI,CAAC,CAAC,8CAA8C;AAC7D,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,kBAAkB;IAChC,MAAM,YAAY,GAAG,IAAI,CAAC;IAC1B,OAAO,YAAY,CAAC,CAAC,0BAA0B;AACjD,CAAC;AAED,mDAAmD;AACnD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,SAAiB;IACzD,qCAAqC;IACrC,0CAA0C;IAC1C,IAAI;IACJ,OAAO,gBAAgB,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC;AAED,oEAAoE;AACpE,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,SAAiB;IAC9D,mDAAmD;IACnD,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAClD,OAAO,OAAO,CAAC,cAAc,CAAC;AAChC,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,SAAiB;IACzD,yDAAyD;IACzD,iCAAiC;IACjC,OAAO,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;AAC1C,CAAC;AAED,+BAA+B;AAC/B,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IAC/C,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,cAAc,EAAE,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC;AACnE,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,SAAiB;IAC9C,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,uBAAuB,EAAE,CAAC;AAC/D,CAAC;AAED,oCAAoC;AACpC,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,SAAiB,EAAE,MAAc;IACxE,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACzD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,MAAM,gBAAgB,CAAC,SAAS,CAAC,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,SAAiB,EAAE,MAAc;IAC9D,2CAA2C;IAC3C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACtD,CAAC"}

package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts

@@ -1,24 +0,0 @@
-/**
- * Test Fixture: PHI in Logs
- *
- * This file contains intentional PHI exposure patterns that should be
- * detected by the healthcare scanner. Used for testing only.
- *
- * EXPECTED FINDINGS:
- * - SSN in log output (critical)
- * - MRN in console.log (critical)
- * - Patient data in error logs (high)
- *
- * @module eval/fixtures/healthcare/phi-in-logs
- */
-export declare function logPatientInfo(patientId: string, ssn: string): void;
-export declare function logMedicalRecordAccess(mrn: string, action: string): void;
-export declare function handlePatientError(error: Error, patientSSN: string): void;
-export declare function debugPatientRecord(patient: {
-    name: string;
-    ssn: string;
-    mrn: string;
-}): void;
-export declare function logMedicationDispense(patientId: string, medication: string): void;
-export declare function logGenericMessage(message: string): void;
-//# sourceMappingURL=phi-in-logs.d.ts.map

package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"phi-in-logs.d.ts","sourceRoot":"","sources":["../../../../src/eval/fixtures/healthcare/phi-in-logs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,QAE5D;AAGD,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,QAGjE;AAGD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,QAElE;AAGD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,QAErF;AAGD,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,QAI1E;AAGD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,QAEhD"}

package/dist/eval/fixtures/healthcare/phi-in-logs.js

@@ -1,41 +0,0 @@
-/**
- * Test Fixture: PHI in Logs
- *
- * This file contains intentional PHI exposure patterns that should be
- * detected by the healthcare scanner. Used for testing only.
- *
- * EXPECTED FINDINGS:
- * - SSN in log output (critical)
- * - MRN in console.log (critical)
- * - Patient data in error logs (high)
- *
- * @module eval/fixtures/healthcare/phi-in-logs
- */
-// SSN in logger output - SHOULD BE DETECTED
-export function logPatientInfo(patientId, ssn) {
-    console.log(`Processing patient ${patientId} with SSN: ${ssn}`);
-}
-// MRN exposure in logs - SHOULD BE DETECTED
-export function logMedicalRecordAccess(mrn, action) {
-    console.log(`MRN ${mrn}: ${action}`);
-    console.info(`Medical record MRN: ${mrn} accessed`);
-}
-// PHI in error message - SHOULD BE DETECTED
-export function handlePatientError(error, patientSSN) {
-    console.error(`Failed to process patient. SSN: ${patientSSN}, Error: ${error.message}`);
-}
-// Patient data in debug logs - SHOULD BE DETECTED
-export function debugPatientRecord(patient) {
-    console.debug(`Patient record: ${JSON.stringify(patient)}`);
-}
-// SUD medication in logs - SHOULD BE DETECTED
-export function logMedicationDispense(patientId, medication) {
-    if (medication.toLowerCase().includes("methadone") || medication.toLowerCase().includes("suboxone")) {
-        console.log(`Dispensed ${medication} to patient ${patientId}`);
-    }
-}
-// This is OK - no PHI in logs
-export function logGenericMessage(message) {
-    console.log(message);
-}
-//# sourceMappingURL=phi-in-logs.js.map

package/dist/eval/fixtures/healthcare/phi-in-logs.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"phi-in-logs.js","sourceRoot":"","sources":["../../../../src/eval/fixtures/healthcare/phi-in-logs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,4CAA4C;AAC5C,MAAM,UAAU,cAAc,CAAC,SAAiB,EAAE,GAAW;IAC3D,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,cAAc,GAAG,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,sBAAsB,CAAC,GAAW,EAAE,MAAc;IAChE,OAAO,CAAC,GAAG,CAAC,OAAO,GAAG,KAAK,MAAM,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,uBAAuB,GAAG,WAAW,CAAC,CAAC;AACtD,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,kBAAkB,CAAC,KAAY,EAAE,UAAkB;IACjE,OAAO,CAAC,KAAK,CAAC,mCAAmC,UAAU,YAAY,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;AAC1F,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,kBAAkB,CAAC,OAAmD;IACpF,OAAO,CAAC,KAAK,CAAC,mBAAmB,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,qBAAqB,CAAC,SAAiB,EAAE,UAAkB;IACzE,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACpG,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,eAAe,SAAS,EAAE,CAAC,CAAC;IACjE,CAAC;AACH,CAAC;AAED,8BAA8B;AAC9B,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC"}