vaspera 2.14.0 → 2.15.0

package/dist/scanners/terraform.js.map

@@ -1 +1 @@
-{"version":3,"file":"terraform.js","sourceRoot":"","sources":["../../src/scanners/terraform.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAKjC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAkDlC,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,MAAM,CAAC,IAAI,EAAE;SACvB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,sEAAsE;SAC9E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,mBAAmB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3E,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,MAAM,CAAC,IAAI,EAAE;SACvB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,sDAAsD;SAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB;IACnC,QAAQ,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/B,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAmB,EACnB,OAA8B;IAE9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,mBAAmB,EAAE,CAAC;QACjD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,YAAY,CAAC,KAAK;aAC1B,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAChC,UAAU,WAAW,4BAA4B,EACjD;YACE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,MAAM;YACnC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CACF,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YAChB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC9D,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAA2B,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC/E,OAAO,EAAE,OAAgB;YACzB,MAAM,EAAE,SAAS,MAAM,CAAC,OAAO,EAAE;YACjC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,EAAE,EAAE,CAAC;YAC7D,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU;YAChC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;YACjC,OAAO,EAAE,GAAG,MAAM,CAAC,gBAAgB,KAAK,MAAM,CAAC,WAAW,EAAE;YAC5D,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;YACtC,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE;gBACR,QAAQ,EAAE,MAAM,CAAC,aAAa;gBAC9B,OAAO,EAAE,MAAM,CAAC,YAAY;gBAC5B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB;SACF,CAAC,CAAC,CAAC;QAEJ,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,YAAY,CAAC,OAAO;SAC9B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,WAAmB,EACnB,OAAkD;IAElD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,qBAAqB,EAAE,CAAC;QACnD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,SAAS;gBAClB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,YAAY,CAAC,KAAK;aAC1B,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,GAAG,eAAe,WAAW,qBAAqB,CAAC;QAC9D,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;YACvB,OAAO,IAAI,gBAAgB,OAAO,CAAC,SAAS,EAAE,CAAC;QACjD,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE;YAC1C,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,MAAM;YACnC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACjB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC9D,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAoB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACpD,MAAM,QAAQ,GAA2B,EAAE,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;gBAClD,QAAQ,CAAC,IAAI,CAAC;oBACZ,OAAO,EAAE,SAAkB;oBAC3B,MAAM,EAAE,WAAW,MAAM,CAAC,QAAQ,EAAE;oBACpC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,EAAE,EAAE,CAAC;oBACrD,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;oBAC/B,OAAO,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;oBAClC,OAAO,EAAE,MAAM,CAAC,UAAU;oBAC1B,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,IAAI,QAAQ,CAAC;oBAClD,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE;wBACR,SAAS,EAAE,MAAM,CAAC,UAAU;wBAC5B,QAAQ,EAAE,MAAM,CAAC,QAAQ;wBACzB,SAAS,EAAE,MAAM,CAAC,SAAS;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,YAAY,CAAC,OAAO;SAC9B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,WAAmB,EACnB,OAA8B;IAE9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,MAAM,CAAC,WAAW,EAAE,aAAa,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACrD,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;QAC9B,UAAU,CAAC,WAAW,EAAE,OAAO,CAAC;KACjC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,CAAC,GAAG,WAAW,CAAC,QAAQ,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC;IAE7D,OAAO;QACL,OAAO,EAAE,WAAW;QACpB,QAAQ;QACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QAChC,OAAO;QACP,KAAK,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,SAAS;KAC1D,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,WAAmB;IACvD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAChC,SAAS,WAAW,uGAAuG,EAC3H,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
+{"version":3,"file":"terraform.js","sourceRoot":"","sources":["../../src/scanners/terraform.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAmD5C,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,IAAI;YACf,OAAO;SACR,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,SAAS,EAAE,KAAK;QAChB,KAAK,EAAE,sEAAsE;KAC9E,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,IAAI;YACf,OAAO;SACR,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,KAAK;QAChB,KAAK,EAAE,sDAAsD;KAC9D,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB;IACnC,QAAQ,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/B,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAmB,EACnB,OAA8B;IAE9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,mBAAmB,EAAE,CAAC;QACjD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,YAAY,CAAC,KAAK;aAC1B,CAAC;QACJ,CAAC;QAED,iEAAiE;QACjE,6CAA6C;QAC7C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CACjC,OAAO,EACP,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,EAC/C;YACE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,MAAM;YACnC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CACF,CAAC;QAEF,MAAM,MAAM,GAAG,SAAS,CAAc,MAAM,EAAE,cAAc,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAA2B,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC/E,OAAO,EAAE,OAAgB;YACzB,MAAM,EAAE,SAAS,MAAM,CAAC,OAAO,EAAE;YACjC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,EAAE,EAAE,CAAC;YAC7D,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU;YAChC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;YACjC,OAAO,EAAE,GAAG,MAAM,CAAC,gBAAgB,KAAK,MAAM,CAAC,WAAW,EAAE;YAC5D,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;YACtC,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE;gBACR,QAAQ,EAAE,MAAM,CAAC,aAAa;gBAC9B,OAAO,EAAE,MAAM,CAAC,YAAY;gBAC5B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB;SACF,CAAC,CAAC,CAAC;QAEJ,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,YAAY,CAAC,OAAO;SAC9B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,WAAmB,EACnB,OAAkD;IAElD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,qBAAqB,EAAE,CAAC;QACnD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,SAAS;gBAClB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,YAAY,CAAC,KAAK;aAC1B,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QAC5D,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;YACvB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC;QAED,mEAAmE;QACnE,6CAA6C;QAC7C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE;YACnD,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,MAAM;YACnC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,SAAS,CAAkB,MAAM,EAAE,gBAAgB,CAAC,CAAC;QACrE,MAAM,QAAQ,GAA2B,EAAE,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;gBAClD,QAAQ,CAAC,IAAI,CAAC;oBACZ,OAAO,EAAE,SAAkB;oBAC3B,MAAM,EAAE,WAAW,MAAM,CAAC,QAAQ,EAAE;oBACpC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,EAAE,EAAE,CAAC;oBACrD,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;oBAC/B,OAAO,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;oBAClC,OAAO,EAAE,MAAM,CAAC,UAAU;oBAC1B,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,IAAI,QAAQ,CAAC;oBAClD,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE;wBACR,SAAS,EAAE,MAAM,CAAC,UAAU;wBAC5B,QAAQ,EAAE,MAAM,CAAC,QAAQ;wBACzB,SAAS,EAAE,MAAM,CAAC,SAAS;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,YAAY,CAAC,OAAO;SAC9B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,WAAmB,EACnB,OAA8B;IAE9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,MAAM,CAAC,WAAW,EAAE,aAAa,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACrD,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;QAC9B,UAAU,CAAC,WAAW,EAAE,OAAO,CAAC;KACjC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,CAAC,GAAG,WAAW,CAAC,QAAQ,EAAE,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC;IAE7D,OAAO;QACL,OAAO,EAAE,WAAW;QACpB,QAAQ;QACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QAChC,OAAO;QACP,KAAK,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,SAAS;KAC1D,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,WAAmB;IACvD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CACjC,MAAM,EACN;YACE,WAAW;YACX,WAAW;YACX,GAAG;YACH,GAAG;YACH,OAAO;YACP,MAAM;YACN,IAAI;YACJ,OAAO;YACP,UAAU;YACV,IAAI;YACJ,OAAO;YACP,aAAa;YACb,IAAI;YACJ,OAAO;YACP,YAAY;YACZ,GAAG;YACH,QAAQ;SACT,EACD,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/scanners/trivy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../src/scanners/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAwB,aAAa,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AA6F3F;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAkBxE;AASD;;GAEG;AACH,wBAAsB,QAAQ,CAC5B,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,IAAI,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB,GACA,OAAO,CAAC,aAAa,CAAC,CA8IxB;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAUrE"}
+{"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../src/scanners/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAwB,aAAa,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AA2F3F;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAexE;AASD;;GAEG;AACH,wBAAsB,QAAQ,CAC5B,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,IAAI,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB,GACA,OAAO,CAAC,aAAa,CAAC,CAsIxB;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA+BrE"}

package/dist/scanners/trivy.js

@@ -5,31 +5,27 @@
  *
  * @module scanners/trivy
  */
-import { exec } from "child_process";
-import { promisify } from "util";
+import { runCommand, probeBinary } from "../util/subprocess.js";
+import { parseJson } from "../util/json.js";
 import { SEVERITY_MAPPINGS } from "./types.js";
-const execAsync = promisify(exec);
 /**
  * Check if Trivy is available
  */
 export async function checkTrivyAvailable() {
-    try {
-        const { stdout } = await execAsync("trivy --version", { timeout: 5000 });
-        const match = stdout.match(/Version: ([\d.]+)/);
-        const version = match ? match[1] : stdout.trim().split("\n")[0];
+    const firstLine = await probeBinary("trivy");
+    if (firstLine !== null) {
+        const match = firstLine.match(/Version: ([\d.]+)/);
         return {
             scanner: "trivy",
             available: true,
-            version,
-        };
-    }
-    catch (error) {
-        return {
-            scanner: "trivy",
-            available: false,
-            error: error instanceof Error ? error.message : "Trivy not found",
+            version: match ? match[1] : firstLine,
         };
     }
+    return {
+        scanner: "trivy",
+        available: false,
+        error: "Trivy not found",
+    };
 }
 /**
  * Convert Trivy severity to vaspera severity
@@ -54,28 +50,20 @@ export async function runTrivy(projectPath, options) {
                 error: "Trivy is not installed. Install from: https://aquasecurity.github.io/trivy/",
             };
         }
-        // Build command
         const scanType = options?.scanType || "fs";
-        let command = `trivy ${scanType} --format json`;
+        const args = [scanType, "--format", "json"];
         if (options?.ignoreUnfixed) {
-            command += " --ignore-unfixed";
+            args.push("--ignore-unfixed");
         }
         if (options?.severity && options.severity.length > 0) {
-            command += ` --severity ${options.severity.join(",")}`;
+            args.push("--severity", options.severity.join(","));
         }
-        command += ` "${projectPath}"`;
-        // Run Trivy
-        const { stdout, stderr } = await execAsync(command, {
+        args.push(projectPath);
+        const { stdout } = await runCommand("trivy", args, {
             timeout: options?.timeout || 300000, // 5 minutes for Trivy
             maxBuffer: 50 * 1024 * 1024, // 50MB
-        }).catch((error) => {
-            if (error.stdout) {
-                return { stdout: error.stdout, stderr: error.stderr || "" };
-            }
-            throw error;
         });
-        // Parse JSON output
-        const output = JSON.parse(stdout);
+        const output = parseJson(stdout, "trivy output");
         // Convert to DeterministicFindings
         const findings = [];
         for (const result of output.Results) {
@@ -177,7 +165,27 @@ export async function runTrivy(projectPath, options) {
  */
 export async function detectIaC(projectPath) {
     try {
-        const { stdout } = await execAsync(`find "${projectPath}" -maxdepth 3 \\( -name "Dockerfile*" -o -name "*.tf" -o -name "*.yaml" -name "*compose*.yml" -o -name "kubernetes*.yaml" \\) | head -1`, { timeout: 5000 });
+        const { stdout } = await runCommand("find", [
+            projectPath,
+            "-maxdepth",
+            "3",
+            "(",
+            "-name",
+            "Dockerfile*",
+            "-o",
+            "-name",
+            "*.tf",
+            "-o",
+            "-name",
+            "*.yaml",
+            "-name",
+            "*compose*.yml",
+            "-o",
+            "-name",
+            "kubernetes*.yaml",
+            ")",
+            "-print",
+        ], { timeout: 5000 });
         return stdout.trim().length > 0;
     }
     catch {

package/dist/scanners/trivy.js.map

@@ -1 +1 @@
-{"version":3,"file":"trivy.js","sourceRoot":"","sources":["../../src/scanners/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/C,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AA0FlC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAEhE,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,IAAI;YACf,OAAO;SACR,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB;SAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,QAA4D;IAC/E,OAAO,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAoD,CAAC;AAC9F,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAmB,EACnB,OAKC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,YAAY,GAAG,MAAM,mBAAmB,EAAE,CAAC;QACjD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,6EAA6E;aACrF,CAAC;QACJ,CAAC;QAED,gBAAgB;QAChB,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,IAAI,CAAC;QAC3C,IAAI,OAAO,GAAG,SAAS,QAAQ,gBAAgB,CAAC;QAEhD,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC3B,OAAO,IAAI,mBAAmB,CAAC;QACjC,CAAC;QAED,IAAI,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,eAAe,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACzD,CAAC;QAED,OAAO,IAAI,KAAK,WAAW,GAAG,CAAC;QAE/B,YAAY;QACZ,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE;YAClD,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,sBAAsB;YAC3D,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;SACrC,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACjB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC9D,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,oBAAoB;QACpB,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE/C,mCAAmC;QACnC,MAAM,QAAQ,GAA2B,EAAE,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,0BAA0B;YAC1B,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC3B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;oBAC1C,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,IAAI,CAAC,eAAe,EAAE;wBACvC,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,CAAC;wBACP,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,KAAK,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;wBACxJ,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;wBACpC,UAAU,EAAE,GAAG;wBACf,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,MAAM,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC;wBAC9B,YAAY,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY;wBACjC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS;wBACtE,QAAQ,EAAE;4BACR,OAAO,EAAE,IAAI,CAAC,OAAO;4BACrB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;4BACvC,YAAY,EAAE,IAAI,CAAC,YAAY;4BAC/B,UAAU,EAAE,IAAI,CAAC,UAAU;yBAC5B;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;gBAC7B,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;oBACjD,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,EAAE,SAAS,IAAI,CAAC,CAAC;oBAC1D,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,SAAS,CAAC,EAAE,EAAE;wBAC/B,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,OAAO;wBACzC,OAAO,EAAE,GAAG,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,OAAO,EAAE;wBACnD,QAAQ,EAAE,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC;wBACzC,UAAU,EAAE,GAAG;wBACf,GAAG,EAAE,SAAS,CAAC,UAAU;wBACzB,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK;4BAC5C,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;6BACtB,IAAI,CAAC,IAAI,CAAC;wBACb,QAAQ,EAAE;4BACR,IAAI,EAAE,SAAS,CAAC,IAAI;4BACpB,SAAS,EAAE,SAAS,CAAC,SAAS;4BAC9B,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,QAAQ;4BAC3C,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,QAAQ;4BAC3C,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,OAAO;4BACzC,UAAU,EAAE,SAAS,CAAC,UAAU;yBACjC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,kBAAkB;YAClB,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpC,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,MAAM,CAAC,MAAM,EAAE;wBAChC,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,MAAM,CAAC,SAAS;wBACtB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,QAAQ,EAAE;wBAC9C,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;wBACtC,UAAU,EAAE,GAAG;wBACf,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK;4BAC1B,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;6BACtB,IAAI,CAAC,IAAI,CAAC;wBACb,QAAQ,EAAE;4BACR,QAAQ,EAAE,MAAM,CAAC,QAAQ;4BACzB,KAAK,EAAE,MAAM,CAAC,KAAK;yBACpB;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,YAAY,CAAC,OAAO;SAC9B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,WAAmB;IACjD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAChC,SAAS,WAAW,yIAAyI,EAC7J,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
+{"version":3,"file":"trivy.js","sourceRoot":"","sources":["../../src/scanners/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AA0F/C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACnD,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;SACtC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,SAAS,EAAE,KAAK;QAChB,KAAK,EAAE,iBAAiB;KACzB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,QAA4D;IAC/E,OAAO,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAoD,CAAC;AAC9F,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAmB,EACnB,OAKC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,YAAY,GAAG,MAAM,mBAAmB,EAAE,CAAC;QACjD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,6EAA6E;aACrF,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,IAAI,CAAC;QAC3C,MAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QAE5C,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC3B,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAChC,CAAC;QAED,IAAI,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEvB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE;YACjD,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,sBAAsB;YAC3D,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;SACrC,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,SAAS,CAAc,MAAM,EAAE,cAAc,CAAC,CAAC;QAE9D,mCAAmC;QACnC,MAAM,QAAQ,GAA2B,EAAE,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,0BAA0B;YAC1B,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC3B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;oBAC1C,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,IAAI,CAAC,eAAe,EAAE;wBACvC,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,CAAC;wBACP,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,KAAK,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;wBACxJ,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;wBACpC,UAAU,EAAE,GAAG;wBACf,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,MAAM,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC;wBAC9B,YAAY,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY;wBACjC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS;wBACtE,QAAQ,EAAE;4BACR,OAAO,EAAE,IAAI,CAAC,OAAO;4BACrB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;4BACvC,YAAY,EAAE,IAAI,CAAC,YAAY;4BAC/B,UAAU,EAAE,IAAI,CAAC,UAAU;yBAC5B;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;gBAC7B,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;oBACjD,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,EAAE,SAAS,IAAI,CAAC,CAAC;oBAC1D,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,SAAS,CAAC,EAAE,EAAE;wBAC/B,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,OAAO;wBACzC,OAAO,EAAE,GAAG,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,OAAO,EAAE;wBACnD,QAAQ,EAAE,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC;wBACzC,UAAU,EAAE,GAAG;wBACf,GAAG,EAAE,SAAS,CAAC,UAAU;wBACzB,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK;4BAC5C,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;6BACtB,IAAI,CAAC,IAAI,CAAC;wBACb,QAAQ,EAAE;4BACR,IAAI,EAAE,SAAS,CAAC,IAAI;4BACpB,SAAS,EAAE,SAAS,CAAC,SAAS;4BAC9B,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,QAAQ;4BAC3C,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,QAAQ;4BAC3C,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,OAAO;4BACzC,UAAU,EAAE,SAAS,CAAC,UAAU;yBACjC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,kBAAkB;YAClB,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpC,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,MAAM,CAAC,MAAM,EAAE;wBAChC,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,MAAM,CAAC,SAAS;wBACtB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,QAAQ,EAAE;wBAC9C,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;wBACtC,UAAU,EAAE,GAAG;wBACf,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK;4BAC1B,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;6BACtB,IAAI,CAAC,IAAI,CAAC;wBACb,QAAQ,EAAE;4BACR,QAAQ,EAAE,MAAM,CAAC,QAAQ;4BACzB,KAAK,EAAE,MAAM,CAAC,KAAK;yBACpB;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,YAAY,CAAC,OAAO;SAC9B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,WAAmB;IACjD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CACjC,MAAM,EACN;YACE,WAAW;YACX,WAAW;YACX,GAAG;YACH,GAAG;YACH,OAAO;YACP,aAAa;YACb,IAAI;YACJ,OAAO;YACP,MAAM;YACN,IAAI;YACJ,OAAO;YACP,QAAQ;YACR,OAAO;YACP,eAAe;YACf,IAAI;YACJ,OAAO;YACP,kBAAkB;YAClB,GAAG;YACH,QAAQ;SACT,EACD,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/tool-guard.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Tool registration guard.
+ *
+ * Enforces CONSTITUTION rule 3 — "every project_path input goes through
+ * validateProjectPath()" — by construction rather than by convention:
+ * once applied, ANY registered tool whose arguments include a string
+ * `project_path` has it validated and canonicalised before the handler
+ * runs, so individual handlers cannot forget the check. Handlers always
+ * receive a resolved, existing directory path.
+ *
+ * @module tool-guard
+ */
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export interface ProjectPathGuardOptions {
+    /**
+     * When set, every project_path must resolve inside this directory
+     * (symlinks included). Wire to VASPERA_PATH_BOUNDARY for deployments
+     * that should never scan outside a workspace root.
+     */
+    basePath?: string;
+}
+type ToolHandler = (...handlerArgs: unknown[]) => unknown;
+export interface ToolAnnotationsSummary {
+    readOnlyHint?: boolean;
+    destructiveHint?: boolean;
+}
+/**
+ * Registry of every registered tool's annotations, populated as tools
+ * are registered. The HTTP transport uses it to decide which tools may
+ * be invoked remotely (read-only by default).
+ */
+export declare const toolAnnotations: Map<string, ToolAnnotationsSummary>;
+/** Minimal structural view of McpServer used by the guard (method syntax
+ * keeps it bivariant so both real and fake servers are accepted). */
+export interface ToolRegistrar {
+    registerTool(name: string, config: unknown, handler: ToolHandler): unknown;
+}
+export declare function applyProjectPathGuard(server: McpServer | ToolRegistrar, options?: ProjectPathGuardOptions): void;
+export {};
+//# sourceMappingURL=tool-guard.d.ts.map

package/dist/tool-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-guard.d.ts","sourceRoot":"","sources":["../src/tool-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAGzE,MAAM,WAAW,uBAAuB;IACtC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,KAAK,WAAW,GAAG,CAAC,GAAG,WAAW,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC;AAE1D,MAAM,WAAW,sBAAsB;IACrC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED;;;;GAIG;AACH,eAAO,MAAM,eAAe,qCAA4C,CAAC;AAEzE;qEACqE;AACrE,MAAM,WAAW,aAAa;IAC5B,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC;CAC5E;AAED,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,SAAS,GAAG,aAAa,EACjC,OAAO,GAAE,uBAA4B,GACpC,IAAI,CAwCN"}

package/dist/tool-guard.js

@@ -0,0 +1,55 @@
+/**
+ * Tool registration guard.
+ *
+ * Enforces CONSTITUTION rule 3 — "every project_path input goes through
+ * validateProjectPath()" — by construction rather than by convention:
+ * once applied, ANY registered tool whose arguments include a string
+ * `project_path` has it validated and canonicalised before the handler
+ * runs, so individual handlers cannot forget the check. Handlers always
+ * receive a resolved, existing directory path.
+ *
+ * @module tool-guard
+ */
+import { validateProjectPath, PathValidationError } from "./util/paths.js";
+/**
+ * Registry of every registered tool's annotations, populated as tools
+ * are registered. The HTTP transport uses it to decide which tools may
+ * be invoked remotely (read-only by default).
+ */
+export const toolAnnotations = new Map();
+export function applyProjectPathGuard(server, options = {}) {
+    const registrar = server;
+    const original = registrar.registerTool.bind(registrar);
+    const patched = (name, config, handler) => {
+        const annotations = config
+            ?.annotations;
+        toolAnnotations.set(name, {
+            readOnlyHint: annotations?.readOnlyHint,
+            destructiveHint: annotations?.destructiveHint,
+        });
+        const guarded = async (first, ...rest) => {
+            if (first &&
+                typeof first === "object" &&
+                typeof first.project_path === "string") {
+                const args = first;
+                try {
+                    const validated = await validateProjectPath(args.project_path, options.basePath ? { basePath: options.basePath } : {});
+                    first = { ...args, project_path: validated };
+                }
+                catch (error) {
+                    if (error instanceof PathValidationError) {
+                        return {
+                            content: [{ type: "text", text: `Error: ${error.message}` }],
+                            isError: true,
+                        };
+                    }
+                    throw error;
+                }
+            }
+            return handler(first, ...rest);
+        };
+        return original(name, config, guarded);
+    };
+    registrar.registerTool = patched;
+}
+//# sourceMappingURL=tool-guard.js.map

package/dist/tool-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-guard.js","sourceRoot":"","sources":["../src/tool-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAkB3E;;;;GAIG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkC,CAAC;AAQzE,MAAM,UAAU,qBAAqB,CACnC,MAAiC,EACjC,UAAmC,EAAE;IAErC,MAAM,SAAS,GAAG,MAAuB,CAAC;IAC1C,MAAM,QAAQ,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAExD,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAe,EAAE,OAAoB,EAAE,EAAE;QACtE,MAAM,WAAW,GAAI,MAA0D;YAC7E,EAAE,WAAW,CAAC;QAChB,eAAe,CAAC,GAAG,CAAC,IAAI,EAAE;YACxB,YAAY,EAAE,WAAW,EAAE,YAAY;YACvC,eAAe,EAAE,WAAW,EAAE,eAAe;SAC9C,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,EAAE,KAAc,EAAE,GAAG,IAAe,EAAE,EAAE;YAC3D,IACE,KAAK;gBACL,OAAO,KAAK,KAAK,QAAQ;gBACzB,OAAQ,KAAiC,CAAC,YAAY,KAAK,QAAQ,EACnE,CAAC;gBACD,MAAM,IAAI,GAAG,KAAgC,CAAC;gBAC9C,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,MAAM,mBAAmB,CACzC,IAAI,CAAC,YAAsB,EAC3B,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CACvD,CAAC;oBACF,KAAK,GAAG,EAAE,GAAG,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC;gBAC/C,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;wBACzC,OAAO;4BACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,UAAU,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;4BACrE,OAAO,EAAE,IAAI;yBACd,CAAC;oBACJ,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;YACD,OAAO,OAAO,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;QACjC,CAAC,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAsB,CAAC,CAAC;IACxD,CAAC,CAAC;IAED,SAAuC,CAAC,YAAY,GAAG,OAAO,CAAC;AAClE,CAAC"}

package/dist/util/index.d.ts

@@ -5,8 +5,9 @@
  *
  * @module util
  */
-export { validateProjectPath, validateFilePath, isPathSafe, sanitizePathForLogging, PathValidationError, type ValidatePathOptions, } from "./paths.js";
+export { validateProjectPath, validateFilePath, isPathSafe, resolveContainedFile, sanitizePathForLogging, PathValidationError, type ValidatePathOptions, } from "./paths.js";
 export { parseJson, tryParseJson, parseJsonOrDefault, isValidJson, safeStringify, JsonParseError, type ParseJsonOptions, } from "./json.js";
 export { withRetry, withRetryAndCircuitBreaker, createRetryWrapper, classifyError, CircuitBreaker, RetryError, CircuitOpenError, type RetryOptions, type CircuitBreakerOptions, type ErrorType, type CircuitState, } from "./retry.js";
+export { runCommand, probeBinary, CommandError, type RunCommandOptions, type RunCommandResult, } from "./subprocess.js";
 export { PromiseQueue, runConcurrent, runConcurrentValues, mapConcurrent, throttle, batchConcurrent, getConcurrencyLevel, DEFAULT_CONCURRENCY, type QueueOptions, type QueueTask, type TaskResult, type QueueStats, } from "./concurrency.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/util/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/util/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,UAAU,EACV,sBAAsB,EACtB,mBAAmB,EACnB,KAAK,mBAAmB,GACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,cAAc,EACd,KAAK,gBAAgB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,SAAS,EACT,0BAA0B,EAC1B,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,UAAU,EACV,gBAAgB,EAChB,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC1B,KAAK,SAAS,EACd,KAAK,YAAY,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,QAAQ,EACR,eAAe,EACf,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,UAAU,EACf,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/util/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,UAAU,EACV,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,EACnB,KAAK,mBAAmB,GACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,cAAc,EACd,KAAK,gBAAgB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,SAAS,EACT,0BAA0B,EAC1B,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,UAAU,EACV,gBAAgB,EAChB,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC1B,KAAK,SAAS,EACd,KAAK,YAAY,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,UAAU,EACV,WAAW,EACX,YAAY,EACZ,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,GACtB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,QAAQ,EACR,eAAe,EACf,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,UAAU,EACf,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC"}

package/dist/util/index.js

@@ -5,8 +5,9 @@
  *
  * @module util
  */
-export { validateProjectPath, validateFilePath, isPathSafe, sanitizePathForLogging, PathValidationError, } from "./paths.js";
+export { validateProjectPath, validateFilePath, isPathSafe, resolveContainedFile, sanitizePathForLogging, PathValidationError, } from "./paths.js";
 export { parseJson, tryParseJson, parseJsonOrDefault, isValidJson, safeStringify, JsonParseError, } from "./json.js";
 export { withRetry, withRetryAndCircuitBreaker, createRetryWrapper, classifyError, CircuitBreaker, RetryError, CircuitOpenError, } from "./retry.js";
+export { runCommand, probeBinary, CommandError, } from "./subprocess.js";
 export { PromiseQueue, runConcurrent, runConcurrentValues, mapConcurrent, throttle, batchConcurrent, getConcurrencyLevel, DEFAULT_CONCURRENCY, } from "./concurrency.js";
 //# sourceMappingURL=index.js.map

package/dist/util/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/util/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,UAAU,EACV,sBAAsB,EACtB,mBAAmB,GAEpB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,cAAc,GAEf,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,SAAS,EACT,0BAA0B,EAC1B,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,UAAU,EACV,gBAAgB,GAKjB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,QAAQ,EACR,eAAe,EACf,mBAAmB,EACnB,mBAAmB,GAKpB,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/util/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,UAAU,EACV,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,GAEpB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,WAAW,EACX,aAAa,EACb,cAAc,GAEf,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,SAAS,EACT,0BAA0B,EAC1B,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,UAAU,EACV,gBAAgB,GAKjB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,UAAU,EACV,WAAW,EACX,YAAY,GAGb,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,QAAQ,EACR,eAAe,EACf,mBAAmB,EACnB,mBAAmB,GAKpB,MAAM,kBAAkB,CAAC"}

package/dist/util/paths.d.ts

@@ -14,9 +14,6 @@ export declare class PathValidationError extends Error {
     readonly reason: "not_found" | "not_directory" | "symlink_escape" | "path_traversal" | "invalid_path";
     constructor(message: string, path: string, reason: "not_found" | "not_directory" | "symlink_escape" | "path_traversal" | "invalid_path");
 }
-/**
- * Options for path validation
- */
 export interface ValidatePathOptions {
     /** Require the path to be a directory (default: true) */
     requireDirectory?: boolean;
@@ -49,6 +46,26 @@ export declare function validateFilePath(filePath: string, options?: Omit<Valida
  * Check if a path is safe (doesn't throw, returns boolean)
  */
 export declare function isPathSafe(projectPath: string, options?: ValidatePathOptions): Promise<boolean>;
+/**
+ * Resolve a relative file path inside a project tree, rejecting escapes.
+ * For paths that originate from untrusted sources (scanner output, agent
+ * findings): `../` sequences, absolute paths, and in-tree symlinks
+ * pointing outside the project are all refused.
+ *
+ * @returns The real (symlink-resolved) absolute path of the file
+ * @throws PathValidationError if the path escapes the project tree
+ */
+export declare function resolveContainedFile(projectPath: string, relFile: string): Promise<string>;
+/**
+ * Resolve a relative *write* target inside a project tree, rejecting
+ * escapes — like resolveContainedFile but for a file that may not exist
+ * yet (the parent directory must exist and is symlink-resolved).
+ * For untrusted output paths (e.g. an `output_file` tool argument).
+ *
+ * @returns The absolute path to write to, contained within the tree
+ * @throws PathValidationError if the path escapes the project tree
+ */
+export declare function resolveContainedWritePath(projectPath: string, relFile: string): Promise<string>;
 /**
  * Sanitize a path for use in error messages (remove sensitive info)
  */

package/dist/util/paths.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;aAG1B,IAAI,EAAE,MAAM;aACZ,MAAM,EAClB,WAAW,GACX,eAAe,GACf,gBAAgB,GAChB,gBAAgB,GAChB,cAAc;gBAPlB,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,MAAM,EAClB,WAAW,GACX,eAAe,GACf,gBAAgB,GAChB,gBAAgB,GAChB,cAAc;CAKrB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,yDAAyD;IACzD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,0EAA0E;IAC1E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,MAAM,CAAC,CAiGjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,IAAI,CAAC,mBAAmB,EAAE,kBAAkB,CAAM,GAC1D,OAAO,CAAC,MAAM,CAAC,CAEjB;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,OAAO,CAAC,CAOlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAOhE"}
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;aAG1B,IAAI,EAAE,MAAM;aACZ,MAAM,EAClB,WAAW,GACX,eAAe,GACf,gBAAgB,GAChB,gBAAgB,GAChB,cAAc;gBAPlB,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,MAAM,EAClB,WAAW,GACX,eAAe,GACf,gBAAgB,GAChB,gBAAgB,GAChB,cAAc;CAKrB;AAUD,MAAM,WAAW,mBAAmB;IAClC,yDAAyD;IACzD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,0EAA0E;IAC1E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,MAAM,CAAC,CAoGjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,IAAI,CAAC,mBAAmB,EAAE,kBAAkB,CAAM,GAC1D,OAAO,CAAC,MAAM,CAAC,CAEjB;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,OAAO,CAAC,CAOlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,CAqBjB;AAED;;;;;;;;GAQG;AACH,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,CAoDjB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAOhE"}

package/dist/util/paths.js

@@ -21,6 +21,13 @@ export class PathValidationError extends Error {
         this.name = "PathValidationError";
     }
 }
+/**
+ * Options for path validation
+ */
+/** Segment-aware containment: "/base" must not match "/base-evil". */
+function isWithin(target, base) {
+    return target === base || target.startsWith(base + path.sep);
+}
 /**
  * Validate a project path for security
  *
@@ -59,7 +66,7 @@ export async function validateProjectPath(projectPath, options = {}) {
                 // If basePath is specified, ensure symlink target is within it
                 if (basePath) {
                     const resolvedBase = path.resolve(basePath);
-                    if (!realPath.startsWith(resolvedBase)) {
+                    if (!isWithin(realPath, resolvedBase)) {
                         throw new PathValidationError(`Symlink escapes base directory: ${projectPath} -> ${realPath}`, projectPath, "symlink_escape");
                     }
                 }
@@ -75,10 +82,13 @@ export async function validateProjectPath(projectPath, options = {}) {
         if (requireDirectory && !lstats.isDirectory()) {
             throw new PathValidationError(`Path is not a directory: ${projectPath}`, projectPath, "not_directory");
         }
-        // If basePath is specified, ensure the path is within it
+        // If basePath is specified, ensure the path is within it. Compare
+        // *real* paths so a symlinked ancestor (e.g. /base/link/sub where
+        // /base/link -> /etc) cannot escape via a lexical-only check.
         if (basePath) {
-            const resolvedBase = path.resolve(basePath);
-            if (!resolvedPath.startsWith(resolvedBase)) {
+            const realBase = await realpath(path.resolve(basePath));
+            const realTarget = await realpath(resolvedPath);
+            if (!isWithin(realTarget, realBase)) {
                 throw new PathValidationError(`Path is outside base directory: ${projectPath}`, projectPath, "path_traversal");
             }
         }
@@ -114,6 +124,76 @@ export async function isPathSafe(projectPath, options = {}) {
         return false;
     }
 }
+/**
+ * Resolve a relative file path inside a project tree, rejecting escapes.
+ * For paths that originate from untrusted sources (scanner output, agent
+ * findings): `../` sequences, absolute paths, and in-tree symlinks
+ * pointing outside the project are all refused.
+ *
+ * @returns The real (symlink-resolved) absolute path of the file
+ * @throws PathValidationError if the path escapes the project tree
+ */
+export async function resolveContainedFile(projectPath, relFile) {
+    const root = await realpath(projectPath);
+    const contained = (p) => p === root || p.startsWith(root + path.sep);
+    const target = path.resolve(root, relFile);
+    if (!contained(target)) {
+        throw new PathValidationError(`File path escapes project tree: ${relFile}`, relFile, "path_traversal");
+    }
+    const real = await realpath(target);
+    if (!contained(real)) {
+        throw new PathValidationError(`Symlinked file escapes project tree: ${relFile}`, relFile, "symlink_escape");
+    }
+    return real;
+}
+/**
+ * Resolve a relative *write* target inside a project tree, rejecting
+ * escapes — like resolveContainedFile but for a file that may not exist
+ * yet (the parent directory must exist and is symlink-resolved).
+ * For untrusted output paths (e.g. an `output_file` tool argument).
+ *
+ * @returns The absolute path to write to, contained within the tree
+ * @throws PathValidationError if the path escapes the project tree
+ */
+export async function resolveContainedWritePath(projectPath, relFile) {
+    const root = await realpath(projectPath);
+    const contained = (p) => p === root || p.startsWith(root + path.sep);
+    const target = path.resolve(root, relFile);
+    if (!contained(target)) {
+        throw new PathValidationError(`File path escapes project tree: ${relFile}`, relFile, "path_traversal");
+    }
+    // The leaf (and possibly intermediate dirs) may not exist yet. Resolve
+    // the nearest existing ancestor through symlinks so a symlinked
+    // directory inside the tree cannot redirect the write outside it, then
+    // re-attach the not-yet-existing remainder.
+    let ancestor = path.dirname(target);
+    while (true) {
+        try {
+            const realAncestor = await realpath(ancestor);
+            if (!contained(realAncestor)) {
+                throw new PathValidationError(`Symlinked directory escapes project tree: ${relFile}`, relFile, "symlink_escape");
+            }
+            const remainder = path.relative(ancestor, target);
+            const finalPath = path.join(realAncestor, remainder);
+            if (!contained(finalPath)) {
+                throw new PathValidationError(`File path escapes project tree: ${relFile}`, relFile, "path_traversal");
+            }
+            return finalPath;
+        }
+        catch (error) {
+            if (error instanceof PathValidationError)
+                throw error;
+            if (error.code !== "ENOENT")
+                throw error;
+            const parent = path.dirname(ancestor);
+            if (parent === ancestor) {
+                // Reached the filesystem root without an existing ancestor.
+                throw new PathValidationError(`Cannot resolve write path: ${relFile}`, relFile, "invalid_path");
+            }
+            ancestor = parent;
+        }
+    }
+}
 /**
  * Sanitize a path for use in error messages (remove sensitive info)
  */

package/dist/util/paths.js.map

@@ -1 +1 @@
-{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAG1B;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,MAKE;QAElB,KAAK,CAAC,OAAO,CAAC,CAAC;QARC,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAKJ;QAGlB,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAcD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,WAAmB,EACnB,UAA+B,EAAE;IAEjC,MAAM,EAAE,gBAAgB,GAAG,IAAI,EAAE,aAAa,GAAG,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7E,2BAA2B;IAC3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE/C,oCAAoC;IACpC,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChE,8DAA8D;QAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACpD,IAAI,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,gBAAgB,CACjB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,wDAAwD;QACxD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,kBAAkB;QAClB,IAAI,MAAM,CAAC,cAAc,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,mDAAmD;gBACnD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAE9C,+DAA+D;gBAC/D,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;oBAC5C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;wBACvC,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,OAAO,QAAQ,EAAE,EAC/D,WAAW,EACX,gBAAgB,CACjB,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,oBAAoB;gBACpB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,gBAAgB,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC;oBACjD,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;gBACJ,CAAC;gBACD,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,IAAI,gBAAgB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9C,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,yDAAyD;QACzD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC3C,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,EAAE,EAChD,WAAW,EACX,gBAAgB,CACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,MAAM,KAAK,CAAC;QACd,CAAC;QAED,iCAAiC;QACjC,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvD,MAAM,IAAI,mBAAmB,CAC3B,wBAAwB,WAAW,EAAE,EACrC,WAAW,EACX,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,mBAAmB,CAC3B,iBAAiB,WAAW,MAAO,KAAe,CAAC,OAAO,EAAE,EAC5D,WAAW,EACX,cAAc,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,UAAyD,EAAE;IAE3D,OAAO,mBAAmB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,WAAmB,EACnB,UAA+B,EAAE;IAEjC,IAAI,CAAC;QACH,MAAM,mBAAmB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB;IACtD,0CAA0C;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;IAClE,IAAI,OAAO,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,OAAO,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAG1B;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,MAKE;QAElB,KAAK,CAAC,OAAO,CAAC,CAAC;QARC,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAKJ;QAGlB,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED;;GAEG;AACH,sEAAsE;AACtE,SAAS,QAAQ,CAAC,MAAc,EAAE,IAAY;IAC5C,OAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/D,CAAC;AAWD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,WAAmB,EACnB,UAA+B,EAAE;IAEjC,MAAM,EAAE,gBAAgB,GAAG,IAAI,EAAE,aAAa,GAAG,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7E,2BAA2B;IAC3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE/C,oCAAoC;IACpC,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChE,8DAA8D;QAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACpD,IAAI,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,gBAAgB,CACjB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,wDAAwD;QACxD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAEzC,kBAAkB;QAClB,IAAI,MAAM,CAAC,cAAc,EAAE,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,mDAAmD;gBACnD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAE9C,+DAA+D;gBAC/D,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;oBAC5C,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC;wBACtC,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,OAAO,QAAQ,EAAE,EAC/D,WAAW,EACX,gBAAgB,CACjB,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,oBAAoB;gBACpB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,gBAAgB,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC;oBACjD,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;gBACJ,CAAC;gBACD,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,IAAI,gBAAgB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9C,MAAM,IAAI,mBAAmB,CAC3B,4BAA4B,WAAW,EAAE,EACzC,WAAW,EACX,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,kEAAkE;QAClE,kEAAkE;QAClE,8DAA8D;QAC9D,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;gBACpC,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,WAAW,EAAE,EAChD,WAAW,EACX,gBAAgB,CACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,MAAM,KAAK,CAAC;QACd,CAAC;QAED,iCAAiC;QACjC,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvD,MAAM,IAAI,mBAAmB,CAC3B,wBAAwB,WAAW,EAAE,EACrC,WAAW,EACX,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,mBAAmB,CAC3B,iBAAiB,WAAW,MAAO,KAAe,CAAC,OAAO,EAAE,EAC5D,WAAW,EACX,cAAc,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,UAAyD,EAAE;IAE3D,OAAO,mBAAmB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,WAAmB,EACnB,UAA+B,EAAE;IAEjC,IAAI,CAAC;QACH,MAAM,mBAAmB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,WAAmB,EACnB,OAAe;IAEf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAE7E,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,OAAO,EAAE,EAC5C,OAAO,EACP,gBAAgB,CACjB,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,mBAAmB,CAC3B,wCAAwC,OAAO,EAAE,EACjD,OAAO,EACP,gBAAgB,CACjB,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,OAAe;IAEf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAE7E,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,OAAO,EAAE,EAC5C,OAAO,EACP,gBAAgB,CACjB,CAAC;IACJ,CAAC;IACD,uEAAuE;IACvE,gEAAgE;IAChE,uEAAuE;IACvE,4CAA4C;IAC5C,IAAI,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC7B,MAAM,IAAI,mBAAmB,CAC3B,6CAA6C,OAAO,EAAE,EACtD,OAAO,EACP,gBAAgB,CACjB,CAAC;YACJ,CAAC;YACD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;YACrD,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC1B,MAAM,IAAI,mBAAmB,CAC3B,mCAAmC,OAAO,EAAE,EAC5C,OAAO,EACP,gBAAgB,CACjB,CAAC;YACJ,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,mBAAmB;gBAAE,MAAM,KAAK,CAAC;YACtD,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,KAAK,CAAC;YACpE,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACxB,4DAA4D;gBAC5D,MAAM,IAAI,mBAAmB,CAC3B,8BAA8B,OAAO,EAAE,EACvC,OAAO,EACP,cAAc,CACf,CAAC;YACJ,CAAC;YACD,QAAQ,GAAG,MAAM,CAAC;QACpB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB;IACtD,0CAA0C;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;IAClE,IAAI,OAAO,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,OAAO,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/util/subprocess.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Safe subprocess execution for scanner adapters.
+ *
+ * Wraps execFile (never a shell) so argument values — project paths,
+ * target URLs, config file paths — can never be interpreted as shell
+ * syntax. This is the only sanctioned way to invoke external scanner
+ * binaries (CONSTITUTION: "No string-concat shell commands").
+ *
+ * @module util/subprocess
+ */
+export declare class CommandError extends Error {
+    readonly binary: string;
+    readonly args: string[];
+    readonly exitCode: number | null;
+    readonly stdout: string;
+    readonly stderr: string;
+    readonly cause?: Error | undefined;
+    constructor(message: string, binary: string, args: string[], exitCode: number | null, stdout: string, stderr: string, cause?: Error | undefined);
+}
+export interface RunCommandOptions {
+    /** Milliseconds before the process is killed. Default 120000. */
+    timeout?: number;
+    /** Max bytes captured per stream. Default 10MB. */
+    maxBuffer?: number;
+    cwd?: string;
+    env?: NodeJS.ProcessEnv;
+    /**
+     * Scanners conventionally exit non-zero when findings exist (e.g.
+     * bandit/semgrep exit 1). When true (default), a non-zero exit that
+     * still produced stdout resolves normally instead of throwing —
+     * matching the historical execAsync `.catch(e => e.stdout)` pattern.
+     */
+    tolerateExitWithOutput?: boolean;
+}
+export interface RunCommandResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+/**
+ * Run a binary with discrete argv entries. No shell is ever invoked,
+ * so callers MUST NOT pre-quote values or pass shell syntax
+ * (pipes, redirects, `&&`) — restructure such logic in JS instead.
+ */
+export declare function runCommand(binary: string, args: string[], options?: RunCommandOptions): Promise<RunCommandResult>;
+/**
+ * Probe for a scanner binary by running it with a version-style flag.
+ * Returns the first line of stdout (trimmed) or null when unavailable.
+ */
+export declare function probeBinary(binary: string, args?: string[], timeout?: number): Promise<string | null>;
+//# sourceMappingURL=subprocess.d.ts.map

package/dist/util/subprocess.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subprocess.d.ts","sourceRoot":"","sources":["../../src/util/subprocess.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,qBAAa,YAAa,SAAQ,KAAK;aAGnB,MAAM,EAAE,MAAM;aACd,IAAI,EAAE,MAAM,EAAE;aACd,QAAQ,EAAE,MAAM,GAAG,IAAI;aACvB,MAAM,EAAE,MAAM;aACd,MAAM,EAAE,MAAM;aACd,KAAK,CAAC,EAAE,KAAK;gBAN7B,OAAO,EAAE,MAAM,EACC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAAE,EACd,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,KAAK,YAAA;CAKhC;AAED,MAAM,WAAW,iBAAiB;IAChC,iEAAiE;IACjE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB;;;;;OAKG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAqD3B;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,IAAI,GAAE,MAAM,EAAkB,EAC9B,OAAO,SAAO,GACb,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUxB"}