vaspera 2.14.0 → 2.16.0

package/dist/__tests__/history/decisions.test.js

@@ -0,0 +1,54 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtemp, rm } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+import { recordDecision, getDecisionProvenance } from "../../history/decisions.js";
+import { verifyHistoryIntegrity } from "../../history/verify.js";
+describe("decision provenance", () => {
+    let dir;
+    beforeEach(async () => {
+        dir = await mkdtemp(join(tmpdir(), "decisions-"));
+    });
+    afterEach(async () => {
+        await rm(dir, { recursive: true, force: true });
+    });
+    it("records a decision as a hash-chained entry with digests (not raw content)", async () => {
+        const entry = await recordDecision(dir, {
+            decisionType: "tool_call",
+            model: "claude-fable-5",
+            input: "secret-bearing input: token=sk-abc123",
+            prompt: "system prompt text",
+            output: "called tool X",
+            toolsInvoked: ["search"],
+            summary: "Chose to call search",
+            confidence: 88,
+        });
+        expect(entry.type).toBe("decision_record");
+        expect(entry.integrity?.hash).toMatch(/^[a-f0-9]{64}$/);
+        expect(entry.integrity?.previousHash).toBeTruthy();
+        // raw content is NOT stored — only digests
+        expect(entry.inputDigest).toMatch(/^[a-f0-9]{64}$/);
+        expect(JSON.stringify(entry)).not.toContain("sk-abc123");
+        expect(JSON.stringify(entry)).not.toContain("system prompt text");
+    });
+    it("chains multiple decisions and reports provenance", async () => {
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "a", output: "b" });
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "c", output: "d" });
+        const prov = await getDecisionProvenance(dir);
+        expect(prov.decisionRecords).toBe(2);
+        expect(prov.auditTrailHead).toMatch(/^[a-f0-9]{64}$/);
+    });
+    it("the decision chain verifies as tamper-evident", async () => {
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "a", output: "b" });
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "c", output: "d" });
+        const result = await verifyHistoryIntegrity(dir);
+        expect(result.verified).toBe(true);
+        expect(result.chainIntegrity).toBe(true);
+    });
+    it("empty project reports genesis head and zero records", async () => {
+        const prov = await getDecisionProvenance(dir);
+        expect(prov.decisionRecords).toBe(0);
+        expect(prov.auditTrailHead).toBeTruthy();
+    });
+});
+//# sourceMappingURL=decisions.test.js.map

package/dist/__tests__/history/decisions.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decisions.test.js","sourceRoot":"","sources":["../../../src/__tests__/history/decisions.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,IAAI,GAAW,CAAC;IAEhB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;QACzF,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE;YACtC,YAAY,EAAE,WAAW;YACzB,KAAK,EAAE,gBAAgB;YACvB,KAAK,EAAE,uCAAuC;YAC9C,MAAM,EAAE,oBAAoB;YAC5B,MAAM,EAAE,eAAe;YACvB,YAAY,EAAE,CAAC,QAAQ,CAAC;YACxB,OAAO,EAAE,sBAAsB;YAC/B,UAAU,EAAE,EAAE;SACf,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC3C,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,UAAU,EAAE,CAAC;QACnD,2CAA2C;QAC3C,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,IAAI,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,IAAI,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,UAAU,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/http-auth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=http-auth.test.d.ts.map

package/dist/__tests__/http-auth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/http-auth.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/http-auth.test.js

@@ -0,0 +1,55 @@
+import { describe, it, expect } from "vitest";
+import { resolveAuthConfig, isAuthorized, HttpAuthConfigError, } from "../http-auth.js";
+const TOKEN = "0123456789abcdef0123456789abcdef";
+function requestWith(authorization) {
+    return { headers: authorization ? { authorization } : {} };
+}
+describe("resolveAuthConfig", () => {
+    it("enforces auth when VASPERA_HTTP_TOKEN is set", () => {
+        const config = resolveAuthConfig({ VASPERA_HTTP_TOKEN: TOKEN });
+        expect(config.token).toBe(TOKEN);
+    });
+    it("trims whitespace from the token", () => {
+        const config = resolveAuthConfig({ VASPERA_HTTP_TOKEN: `  ${TOKEN}  ` });
+        expect(config.token).toBe(TOKEN);
+    });
+    it("rejects tokens shorter than 16 characters", () => {
+        expect(() => resolveAuthConfig({ VASPERA_HTTP_TOKEN: "short" })).toThrow(HttpAuthConfigError);
+    });
+    it("refuses to start with no token and no explicit opt-in", () => {
+        expect(() => resolveAuthConfig({})).toThrow(HttpAuthConfigError);
+    });
+    it("treats an empty token as unset", () => {
+        expect(() => resolveAuthConfig({ VASPERA_HTTP_TOKEN: "  " })).toThrow(HttpAuthConfigError);
+    });
+    it("allows open mode only with explicit opt-in", () => {
+        const config = resolveAuthConfig({ VASPERA_HTTP_ALLOW_UNAUTHENTICATED: "true" });
+        expect(config.token).toBeNull();
+    });
+    it("does not accept opt-in values other than 'true'", () => {
+        expect(() => resolveAuthConfig({ VASPERA_HTTP_ALLOW_UNAUTHENTICATED: "1" })).toThrow(HttpAuthConfigError);
+    });
+});
+describe("isAuthorized", () => {
+    const config = { token: TOKEN };
+    it("accepts a matching bearer token", () => {
+        expect(isAuthorized(requestWith(`Bearer ${TOKEN}`), config)).toBe(true);
+    });
+    it("rejects a missing Authorization header", () => {
+        expect(isAuthorized(requestWith(), config)).toBe(false);
+    });
+    it("rejects a wrong token of the same length", () => {
+        const wrong = "f".repeat(TOKEN.length);
+        expect(isAuthorized(requestWith(`Bearer ${wrong}`), config)).toBe(false);
+    });
+    it("rejects a token of different length", () => {
+        expect(isAuthorized(requestWith(`Bearer ${TOKEN}extra`), config)).toBe(false);
+    });
+    it("rejects non-bearer schemes", () => {
+        expect(isAuthorized(requestWith(`Basic ${TOKEN}`), config)).toBe(false);
+    });
+    it("allows everything in explicit open mode", () => {
+        expect(isAuthorized(requestWith(), { token: null })).toBe(true);
+    });
+});
+//# sourceMappingURL=http-auth.test.js.map

package/dist/__tests__/http-auth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth.test.js","sourceRoot":"","sources":["../../src/__tests__/http-auth.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,GACpB,MAAM,iBAAiB,CAAC;AAEzB,MAAM,KAAK,GAAG,kCAAkC,CAAC;AAEjD,SAAS,WAAW,CAAC,aAAsB;IACzC,OAAO,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,EAAqB,CAAC;AAChF,CAAC;AAED,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,KAAK,IAAI,EAAE,CAAC,CAAC;QACzE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CACtE,mBAAmB,CACpB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CACnE,mBAAmB,CACpB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kCAAkC,EAAE,MAAM,EAAE,CAAC,CAAC;QACjF,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,GAAG,EAAE,CACV,iBAAiB,CAAC,EAAE,kCAAkC,EAAE,GAAG,EAAE,CAAC,CAC/D,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAEhC,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,KAAK,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/http-policy.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=http-policy.test.d.ts.map

package/dist/__tests__/http-policy.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-policy.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/http-policy.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/http-policy.test.js

@@ -0,0 +1,69 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { resolveToolPolicy, isToolAllowed, findBlockedToolCall, } from "../http-policy.js";
+import { toolAnnotations } from "../tool-guard.js";
+describe("resolveToolPolicy", () => {
+    it("defaults to readonly", () => {
+        expect(resolveToolPolicy({}).mode).toBe("readonly");
+    });
+    it("parses all", () => {
+        expect(resolveToolPolicy({ VASPERA_HTTP_TOOLS: "all" }).mode).toBe("all");
+    });
+    it("parses an explicit allowlist", () => {
+        const policy = resolveToolPolicy({
+            VASPERA_HTTP_TOOLS: "certification_status, hardening_dashboard",
+        });
+        expect(policy.mode).toBe("allowlist");
+        expect(policy.allowlist.has("certification_status")).toBe(true);
+        expect(policy.allowlist.has("hardening_dashboard")).toBe(true);
+    });
+});
+describe("isToolAllowed", () => {
+    beforeEach(() => {
+        toolAnnotations.clear();
+        toolAnnotations.set("read_tool", { readOnlyHint: true, destructiveHint: false });
+        toolAnnotations.set("write_tool", { readOnlyHint: false, destructiveHint: true });
+    });
+    it("readonly mode allows only readOnlyHint tools", () => {
+        const policy = resolveToolPolicy({});
+        expect(isToolAllowed("read_tool", policy)).toBe(true);
+        expect(isToolAllowed("write_tool", policy)).toBe(false);
+    });
+    it("readonly mode denies unknown tools", () => {
+        const policy = resolveToolPolicy({});
+        expect(isToolAllowed("never_registered", policy)).toBe(false);
+    });
+    it("all mode allows everything", () => {
+        const policy = resolveToolPolicy({ VASPERA_HTTP_TOOLS: "all" });
+        expect(isToolAllowed("write_tool", policy)).toBe(true);
+    });
+    it("allowlist mode allows exactly the listed tools", () => {
+        const policy = resolveToolPolicy({ VASPERA_HTTP_TOOLS: "write_tool" });
+        expect(isToolAllowed("write_tool", policy)).toBe(true);
+        expect(isToolAllowed("read_tool", policy)).toBe(false);
+    });
+});
+describe("findBlockedToolCall", () => {
+    beforeEach(() => {
+        toolAnnotations.clear();
+        toolAnnotations.set("read_tool", { readOnlyHint: true });
+    });
+    const policy = resolveToolPolicy({});
+    it("passes non-tool-call messages", () => {
+        expect(findBlockedToolCall({ method: "initialize", id: 1 }, policy)).toBeNull();
+    });
+    it("passes allowed tool calls", () => {
+        expect(findBlockedToolCall({ method: "tools/call", params: { name: "read_tool" }, id: 2 }, policy)).toBeNull();
+    });
+    it("blocks disallowed tool calls and reports the id", () => {
+        const blocked = findBlockedToolCall({ method: "tools/call", params: { name: "autofix_apply" }, id: 3 }, policy);
+        expect(blocked).toEqual({ toolName: "autofix_apply", id: 3 });
+    });
+    it("scans JSON-RPC batches", () => {
+        const blocked = findBlockedToolCall([
+            { method: "tools/call", params: { name: "read_tool" }, id: 1 },
+            { method: "tools/call", params: { name: "certification_scan" }, id: 2 },
+        ], policy);
+        expect(blocked).toEqual({ toolName: "certification_scan", id: 2 });
+    });
+});
+//# sourceMappingURL=http-policy.test.js.map

package/dist/__tests__/http-policy.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-policy.test.js","sourceRoot":"","sources":["../../src/__tests__/http-policy.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC1D,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEnD,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE;QACpB,MAAM,CAAC,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,MAAM,GAAG,iBAAiB,CAAC;YAC/B,kBAAkB,EAAE,2CAA2C;SAChE,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,UAAU,CAAC,GAAG,EAAE;QACd,eAAe,CAAC,KAAK,EAAE,CAAC;QACxB,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC,CAAC;QACjF,eAAe,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,aAAa,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QACvE,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,UAAU,CAAC,GAAG,EAAE;QACd,eAAe,CAAC,KAAK,EAAE,CAAC;QACxB,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;IAErC,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CACJ,mBAAmB,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,MAAM,CAAC,CAC7D,CAAC,QAAQ,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CACJ,mBAAmB,CACjB,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAC9D,MAAM,CACP,CACF,CAAC,QAAQ,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,OAAO,GAAG,mBAAmB,CACjC,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAClE,MAAM,CACP,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,OAAO,GAAG,mBAAmB,CACjC;YACE,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE;YAC9D,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE;SACxE,EACD,MAAM,CACP,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,oBAAoB,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/http-server-transport.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=http-server-transport.test.d.ts.map

package/dist/__tests__/http-server-transport.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-server-transport.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/http-server-transport.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/http-server-transport.test.js

@@ -0,0 +1,132 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { spawn } from "child_process";
+import { once } from "events";
+import { existsSync, readFileSync } from "fs";
+// Needs the built server; CI builds before testing. Skip cleanly when
+// running `vitest` locally without a prior `npm run build`.
+const BUILT = existsSync("dist/http-server.js");
+/**
+ * End-to-end transport contract for the HTTP server. Guards the
+ * singleton-transport regression: the server must handle many
+ * sequential JSON-RPC clients (not just the first), and must answer GET
+ * with 405 so streaming clients fall back to POST instead of deadlocking.
+ */
+const PORT = 3211;
+const BASE = `http://localhost:${PORT}/mcp`;
+const TOKEN = "test-transport-token";
+let proc;
+async function rpc(body, token = TOKEN) {
+    return fetch(BASE, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json, text/event-stream",
+            ...(token ? { Authorization: `Bearer ${token}` } : {}),
+        },
+        body: JSON.stringify(body),
+    });
+}
+beforeAll(async () => {
+    proc = spawn("node", ["dist/http-server.js"], {
+        env: { ...process.env, VASPERA_HTTP_TOKEN: TOKEN, MCP_HTTP_PORT: String(PORT) },
+        stdio: ["ignore", "ignore", "pipe"],
+    });
+    // Wait for the startup line on stderr
+    const start = Date.now();
+    while (Date.now() - start < 20000) {
+        const [chunk] = (await once(proc.stderr, "data"));
+        if (chunk.toString().includes("http-server.started"))
+            return;
+    }
+    throw new Error("server did not start");
+}, 30000);
+afterAll(() => {
+    proc?.kill("SIGKILL");
+});
+describe.skipIf(!BUILT)("HTTP server transport contract", () => {
+    it("rejects POST without a token (401)", async () => {
+        const res = await rpc({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }, "");
+        expect(res.status).toBe(401);
+    });
+    it("answers GET with 405 (no server-initiated streaming)", async () => {
+        const res = await fetch(BASE, {
+            method: "GET",
+            headers: { Authorization: `Bearer ${TOKEN}` },
+        });
+        expect(res.status).toBe(405);
+        expect(res.headers.get("allow")).toBe("POST");
+    });
+    it("returns 400 for invalid JSON", async () => {
+        const res = await fetch(BASE, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${TOKEN}`,
+            },
+            body: "not json",
+        });
+        expect(res.status).toBe(400);
+    });
+    it("blocks a write tool over HTTP with a policy error (403)", async () => {
+        const res = await rpc({
+            jsonrpc: "2.0",
+            id: 2,
+            method: "tools/call",
+            params: { name: "autofix_apply", arguments: {} },
+        });
+        expect(res.status).toBe(403);
+        const body = await res.json();
+        expect(body.error.message).toMatch(/not exposed over HTTP/);
+    });
+    it("serves tools/list to many sequential clients (singleton regression)", async () => {
+        for (let i = 0; i < 3; i++) {
+            const res = await rpc({ jsonrpc: "2.0", id: 100 + i, method: "tools/list", params: {} });
+            expect(res.status).toBe(200);
+            const text = await res.text();
+            expect(text).toMatch(/certification_scan|hardening_list_projects/);
+        }
+    });
+});
+describe.skipIf(!BUILT)("public /verify endpoint (unauthenticated)", () => {
+    const VERIFY = `http://localhost:${PORT}/verify`;
+    const sampleCert = JSON.parse(readFileSync("examples/agent-certificate.sample.json", "utf-8"));
+    it("verifies a valid certificate WITHOUT a token (the whole point)", async () => {
+        const res = await fetch(VERIFY, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" }, // deliberately no Authorization
+            body: JSON.stringify(sampleCert),
+        });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.valid).toBe(true);
+        expect(body.contentDigestValid).toBe(true);
+        expect(body.claims?.subject?.name).toBeTruthy();
+    });
+    it("reports a tampered certificate as invalid (still 200, verdict in body)", async () => {
+        const tampered = { ...sampleCert, overallScore: 100 };
+        const res = await fetch(VERIFY, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(tampered),
+        });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.valid).toBe(false);
+        expect(body.contentDigestValid).toBe(false);
+    });
+    it("returns 400 for an invalid JSON body", async () => {
+        const res = await fetch(VERIFY, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: "not json",
+        });
+        expect(res.status).toBe(400);
+    });
+    it("serves GET /verify as self-documenting usage", async () => {
+        const res = await fetch(VERIFY, { method: "GET" });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.method).toBe("POST");
+    });
+});
+//# sourceMappingURL=http-server-transport.test.js.map

package/dist/__tests__/http-server-transport.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-server-transport.test.js","sourceRoot":"","sources":["../../src/__tests__/http-server-transport.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AACnE,OAAO,EAAE,KAAK,EAAgB,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAE9C,sEAAsE;AACtE,4DAA4D;AAC5D,MAAM,KAAK,GAAG,UAAU,CAAC,qBAAqB,CAAC,CAAC;AAEhD;;;;;GAKG;AACH,MAAM,IAAI,GAAG,IAAI,CAAC;AAClB,MAAM,IAAI,GAAG,oBAAoB,IAAI,MAAM,CAAC;AAC5C,MAAM,KAAK,GAAG,sBAAsB,CAAC;AACrC,IAAI,IAAkB,CAAC;AAEvB,KAAK,UAAU,GAAG,CAAC,IAAa,EAAE,KAAK,GAAG,KAAK;IAC7C,OAAO,KAAK,CAAC,IAAI,EAAE;QACjB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,qCAAqC;YAC7C,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvD;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,IAAI,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,qBAAqB,CAAC,EAAE;QAC5C,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;QAC/E,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC;KACpC,CAAC,CAAC;IACH,sCAAsC;IACtC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,KAAK,EAAE,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAO,EAAE,MAAM,CAAC,CAAa,CAAC;QAC/D,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC;YAAE,OAAO;IAC/D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;AAC1C,CAAC,EAAE,KAAK,CAAC,CAAC;AAEV,QAAQ,CAAC,GAAG,EAAE;IACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;AACxB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC7D,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACvF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE;YAC5B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;SAC9C,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE;YAC5B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,KAAK,EAAE;aACjC;YACD,IAAI,EAAE,UAAU;SACjB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC;YACpB,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,CAAC;YACL,MAAM,EAAE,YAAY;YACpB,MAAM,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,EAAE,EAAE;SACjD,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,GAAG,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;YACzF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;QACrE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,2CAA2C,EAAE,GAAG,EAAE;IACxE,MAAM,MAAM,GAAG,oBAAoB,IAAI,SAAS,CAAC;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAC3B,YAAY,CAAC,wCAAwC,EAAE,OAAO,CAAC,CAChE,CAAC;IAEF,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE;YAC9B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,gCAAgC;YACjF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;SACjC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACtF,MAAM,QAAQ,GAAG,EAAE,GAAG,UAAU,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;QACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE;YAC9B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE;YAC9B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,UAAU;SACjB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/integration/destructive-guards.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=destructive-guards.test.d.ts.map

package/dist/__tests__/integration/destructive-guards.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"destructive-guards.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/integration/destructive-guards.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/integration/destructive-guards.test.js

@@ -0,0 +1,49 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { InMemoryTransport } from "@modelcontextprotocol/sdk/inMemory.js";
+import { server } from "../../index.js";
+/**
+ * Fail-closed guards on destructive tools: deploy_vercel_promote /
+ * deploy_vercel_rollback / consensus_clear must NOT act unless the caller
+ * passes confirm: true. Without it they return a no-op preview. Verified
+ * through the real MCP boundary (in-memory client → server tools/call).
+ */
+describe("destructive-tool confirm guards", () => {
+    let client;
+    beforeAll(async () => {
+        const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+        client = new Client({ name: "guard-test", version: "1.0.0" }, { capabilities: {} });
+        await Promise.all([client.connect(clientTransport), server.connect(serverTransport)]);
+    });
+    afterAll(async () => {
+        await client?.close().catch(() => undefined);
+        await server.close().catch(() => undefined);
+    });
+    async function call(name, args) {
+        const res = (await client.callTool({ name, arguments: args }));
+        const text = res.content.find((c) => c.type === "text")?.text ?? "{}";
+        return JSON.parse(text);
+    }
+    it("consensus_clear is a no-op preview without confirm", async () => {
+        const out = await call("consensus_clear", { certification_id: "cert-guard-test" });
+        expect(out.preview).toBe(true);
+        expect(out.cleared).toBeUndefined();
+    });
+    it("deploy_vercel_promote is a no-op preview without confirm", async () => {
+        const out = await call("deploy_vercel_promote", {
+            project_id: "proj",
+            deployment_id: "dpl_123",
+        });
+        expect(out.preview).toBe(true);
+        expect(out.success).toBeUndefined();
+    });
+    it("deploy_vercel_rollback is a no-op preview without confirm", async () => {
+        const out = await call("deploy_vercel_rollback", {
+            project_id: "proj",
+            deployment_id: "dpl_123",
+        });
+        expect(out.preview).toBe(true);
+        expect(out.success).toBeUndefined();
+    });
+});
+//# sourceMappingURL=destructive-guards.test.js.map

package/dist/__tests__/integration/destructive-guards.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"destructive-guards.test.js","sourceRoot":"","sources":["../../../src/__tests__/integration/destructive-guards.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAC1E,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAExC;;;;;GAKG;AACH,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,IAAI,MAAc,CAAC;IAEnB,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,CAAC,eAAe,EAAE,eAAe,CAAC,GAAG,iBAAiB,CAAC,gBAAgB,EAAE,CAAC;QAChF,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC;QACpF,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,MAAM,MAAM,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAC7C,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,IAAI,CAAC,IAAY,EAAE,IAA6B;QAC7D,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAE5D,CAAC;QACF,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,EAAE,IAAI,IAAI,IAAI,CAAC;QACtE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;IACrD,CAAC;IAED,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC,CAAC;QACnF,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE;YAC9C,UAAU,EAAE,MAAM;YAClB,aAAa,EAAE,SAAS;SACzB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,wBAAwB,EAAE;YAC/C,UAAU,EAAE,MAAM;YAClB,aAAa,EAAE,SAAS;SACzB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/logger-redaction.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=logger-redaction.test.d.ts.map

package/dist/__tests__/logger-redaction.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger-redaction.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/logger-redaction.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/logger-redaction.test.js

@@ -0,0 +1,74 @@
+import { describe, it, expect, vi, afterEach } from "vitest";
+import { logger } from "../logger.js";
+function captureLog(fn) {
+    const spy = vi.spyOn(console, "error").mockImplementation(() => { });
+    try {
+        fn();
+        return String(spy.mock.calls[0]?.[0] ?? "");
+    }
+    finally {
+        spy.mockRestore();
+    }
+}
+afterEach(() => {
+    vi.restoreAllMocks();
+});
+describe("logger secret redaction", () => {
+    it("redacts secret-shaped keys", () => {
+        const line = captureLog(() => logger.error("test", {
+            apiKey: "sk-abcdef1234567890abcdef",
+            authorization: "Bearer abc123",
+            password: "hunter2",
+            normal: "visible",
+        }));
+        expect(line).not.toContain("sk-abcdef");
+        expect(line).not.toContain("hunter2");
+        expect(line).not.toContain("Bearer abc123");
+        expect(line).toContain("visible");
+        expect(line).toContain("[REDACTED]");
+    });
+    it("redacts nested config objects", () => {
+        const line = captureLog(() => logger.error("test", {
+            config: {
+                endpoint: "https://example.com",
+                api_key: "vpm_live_supersecretvalue",
+                nested: { client_secret: "deep-secret" },
+            },
+        }));
+        expect(line).not.toContain("supersecretvalue");
+        expect(line).not.toContain("deep-secret");
+        expect(line).toContain("https://example.com");
+    });
+    it("redacts token-shaped values under innocent keys", () => {
+        const line = captureLog(() => logger.error("test", {
+            detail: "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+            header: "Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
+        }));
+        expect(line).not.toContain("ghp_");
+        expect(line).not.toContain("eyJhbGciOiJIUzI1NiJ9");
+    });
+    it("redacts a secret EMBEDDED inside a larger string (not just whole values)", () => {
+        const line = captureLog(() => logger.error("test", {
+            msg: "request to https://api/x failed: Authorization: Bearer sk-abcdef1234567890abcdef returned 401",
+            url: "https://u:ghp_abcdefghijklmnopqrstuvwxyz0123456789@host/repo",
+        }));
+        expect(line).not.toContain("sk-abcdef");
+        expect(line).not.toContain("ghp_abcdef");
+        expect(line).toContain("[REDACTED]");
+        // surrounding context preserved
+        expect(line).toContain("returned 401");
+    });
+    it("does not crash on circular references", () => {
+        const a = { name: "node" };
+        a.self = a;
+        const line = captureLog(() => logger.error("test", { graph: a, ok: "visible" }));
+        expect(line).toContain("[Circular]");
+        expect(line).toContain("visible");
+    });
+    it("leaves ordinary context intact", () => {
+        const line = captureLog(() => logger.info("test", { certId: "cert-123", count: 5, flag: true }));
+        expect(line).toContain("cert-123");
+        expect(line).toContain("5");
+    });
+});
+//# sourceMappingURL=logger-redaction.test.js.map

package/dist/__tests__/logger-redaction.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger-redaction.test.js","sourceRoot":"","sources":["../../src/__tests__/logger-redaction.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAEtC,SAAS,UAAU,CAAC,EAAc;IAChC,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACpE,IAAI,CAAC;QACH,EAAE,EAAE,CAAC;QACL,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;YAAS,CAAC;QACT,GAAG,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED,SAAS,CAAC,GAAG,EAAE;IACb,EAAE,CAAC,eAAe,EAAE,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE;YACnB,MAAM,EAAE,2BAA2B;YACnC,aAAa,EAAE,eAAe;YAC9B,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,SAAS;SAClB,CAAC,CACH,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE;YACnB,MAAM,EAAE;gBACN,QAAQ,EAAE,qBAAqB;gBAC/B,OAAO,EAAE,2BAA2B;gBACpC,MAAM,EAAE,EAAE,aAAa,EAAE,aAAa,EAAE;aACzC;SACF,CAAC,CACH,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE;YACnB,MAAM,EAAE,0CAA0C;YAClD,MAAM,EAAE,yCAAyC;SAClD,CAAC,CACH,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE;YACnB,GAAG,EAAE,+FAA+F;YACpG,GAAG,EAAE,8DAA8D;SACpE,CAAC,CACH,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrC,gCAAgC;QAChC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAA4B,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACpD,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;QACX,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QACjF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,CAC3B,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAClE,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/manifest-schema.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=manifest-schema.test.d.ts.map

package/dist/__tests__/manifest-schema.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-schema.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/manifest-schema.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/manifest-schema.test.js

@@ -0,0 +1,43 @@
+import { describe, it, expect } from "vitest";
+import { readFileSync } from "fs";
+import { join } from "path";
+/**
+ * Contract test for the published manifest (mcp.json).
+ *
+ * Regression guard for the empty-schema bug: the generator used to emit a
+ * bare `{ type: "object" }` placeholder for every tool, so the published
+ * manifest exposed NO input properties (0/113). The generator now derives
+ * real JSON Schema from the live server's tools/list. These assertions fail
+ * if it ever regresses to placeholders.
+ */
+const manifest = JSON.parse(readFileSync(join(process.cwd(), "mcp.json"), "utf-8"));
+function hasProps(t) {
+    return !!t.inputSchema?.properties && Object.keys(t.inputSchema.properties).length > 0;
+}
+describe("mcp.json input schemas", () => {
+    it("every tool carries an object inputSchema", () => {
+        for (const t of manifest.tools) {
+            expect(t.inputSchema, t.name).toBeDefined();
+            expect(t.inputSchema.type, t.name).toBe("object");
+        }
+    });
+    it("the vast majority of tools expose real input properties (not placeholders)", () => {
+        const withProps = manifest.tools.filter(hasProps).length;
+        // Pre-fix this was 0. A handful of tools are genuinely arg-less, so we
+        // assert a high floor rather than 100%.
+        expect(withProps).toBeGreaterThanOrEqual(Math.floor(manifest.tools.length * 0.85));
+    });
+    it("a known tool exposes its declared parameter (hardening_list_projects → base_dir)", () => {
+        const tool = manifest.tools.find((t) => t.name === "hardening_list_projects");
+        expect(tool).toBeDefined();
+        expect(tool.inputSchema?.properties).toHaveProperty("base_dir");
+    });
+    it("no tool is left with a bare placeholder when it declares parameters", () => {
+        // A bare placeholder is `{ type: "object" }` with no properties key at
+        // all. That's only acceptable for genuinely arg-less tools; assert the
+        // count of bare placeholders stays small.
+        const bare = manifest.tools.filter((t) => t.inputSchema && !("properties" in t.inputSchema));
+        expect(bare.length).toBeLessThanOrEqual(Math.ceil(manifest.tools.length * 0.15));
+    });
+});
+//# sourceMappingURL=manifest-schema.test.js.map

package/dist/__tests__/manifest-schema.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-schema.test.js","sourceRoot":"","sources":["../../src/__tests__/manifest-schema.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B;;;;;;;;GAQG;AACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CACzB,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,EAAE,OAAO,CAAC,CASvD,CAAC;AAEF,SAAS,QAAQ,CAAC,CAA6D;IAC7E,OAAO,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,UAAU,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AACzF,CAAC;AAED,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC5C,MAAM,CAAC,CAAC,CAAC,WAAY,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,GAAG,EAAE;QACpF,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;QACzD,uEAAuE;QACvE,wCAAwC;QACxC,MAAM,CAAC,SAAS,CAAC,CAAC,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kFAAkF,EAAE,GAAG,EAAE;QAC1F,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,CAAC,CAAC;QAC9E,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAK,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,uEAAuE;QACvE,uEAAuE;QACvE,0CAA0C;QAC1C,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,WAAW,CAAC,CACzD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/scanners/builtin-rules.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=builtin-rules.test.d.ts.map

package/dist/__tests__/scanners/builtin-rules.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"builtin-rules.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/scanners/builtin-rules.test.ts"],"names":[],"mappings":""}