vaspera 2.5.0

package/dist/scanners/agent/credential-scope-audit.js

@@ -0,0 +1,404 @@
+/**
+ * Credential Scope Audit Scanner
+ *
+ * Inspects credentials and tokens for over-scoping and rotation needs.
+ * Detects common credential patterns and analyzes their permissions:
+ * - GitHub PATs with excessive scopes
+ * - AWS credentials with AdministratorAccess
+ * - Unrotated tokens older than 90 days
+ * - Hardcoded credentials in config
+ *
+ * @module scanners/agent/credential-scope-audit
+ */
+import { createHash } from "crypto";
+import { readFile } from "fs/promises";
+import { join } from "path";
+const CREDENTIAL_PATTERNS = [
+    // GitHub Personal Access Token (classic)
+    {
+        type: "github-pat",
+        pattern: /ghp_[A-Za-z0-9]{36}/g,
+        recommended: ["read:repo", "read:user"],
+    },
+    // GitHub Personal Access Token (fine-grained)
+    {
+        type: "github-pat",
+        pattern: /github_pat_[A-Za-z0-9_]{22,}/g,
+    },
+    // GitHub App installation token
+    {
+        type: "github-app",
+        pattern: /ghs_[A-Za-z0-9]{36}/g,
+    },
+    // AWS Access Key ID
+    {
+        type: "aws-access-key",
+        pattern: /AKIA[A-Z0-9]{16}/g,
+        recommended: ["Specific IAM policy, not AdministratorAccess"],
+        isOverscoped: () => true, // Can't determine scopes from key
+    },
+    // GCP Service Account
+    {
+        type: "gcp-service-account",
+        pattern: /"type"\s*:\s*"service_account"/g,
+    },
+    // Azure Service Principal
+    {
+        type: "azure-service-principal",
+        pattern: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi,
+    },
+    // Generic API Key patterns
+    {
+        type: "api-key",
+        pattern: /(?:api[_-]?key|apikey|api_secret)\s*[=:]\s*["']?([A-Za-z0-9_\-]{20,})["']?/gi,
+        recommended: ["Rotate and scope to specific endpoints"],
+    },
+    // OpenAI API Key
+    {
+        type: "api-key",
+        pattern: /sk-[A-Za-z0-9]{20,}/g,
+        recommended: ["Set usage limits and monitor spending"],
+    },
+    // JWT Token
+    {
+        type: "jwt",
+        pattern: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g,
+    },
+    // Bearer Token in configs
+    {
+        type: "oauth-token",
+        pattern: /bearer\s+[A-Za-z0-9_\-\.]{20,}/gi,
+    },
+];
+// ============================================================================
+// Known Overscoped Patterns
+// ============================================================================
+/**
+ * GitHub PAT scopes that are often over-provisioned
+ */
+const GITHUB_OVERSCOPED_PATTERNS = [
+    { scope: "repo", severity: "high", reason: "Full repository access - consider read:* only" },
+    { scope: "admin:org", severity: "critical", reason: "Organization admin - rarely needed" },
+    { scope: "admin:repo_hook", severity: "high", reason: "Webhook admin - security risk" },
+    { scope: "admin:enterprise", severity: "critical", reason: "Enterprise admin - extreme risk" },
+    { scope: "delete_repo", severity: "critical", reason: "Can delete repositories" },
+    { scope: "write:packages", severity: "medium", reason: "Can publish packages" },
+];
+/**
+ * AWS IAM policies that indicate over-provisioning
+ */
+const AWS_OVERSCOPED_POLICIES = [
+    { policy: "AdministratorAccess", severity: "critical", reason: "Full AWS admin access" },
+    { policy: "PowerUserAccess", severity: "high", reason: "Near-full access except IAM" },
+    { policy: "IAMFullAccess", severity: "critical", reason: "Can create/modify IAM policies" },
+    { policy: "*:*", severity: "critical", reason: "Wildcard all actions/resources" },
+    { policy: "s3:*", severity: "high", reason: "Full S3 access - scope to specific buckets" },
+    { policy: "ec2:*", severity: "high", reason: "Full EC2 access - scope to specific instances" },
+];
+// ============================================================================
+// Config File Scanning
+// ============================================================================
+/**
+ * Scan a config file for credentials
+ */
+async function scanConfigFile(filePath, content) {
+    const findings = [];
+    const lines = content.split("\n");
+    for (const credPattern of CREDENTIAL_PATTERNS) {
+        credPattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = credPattern.pattern.exec(content)) !== null) {
+            // Calculate line number
+            const beforeMatch = content.substring(0, match.index);
+            const lineNumber = beforeMatch.split("\n").length;
+            // Get context for scope extraction
+            const lineContent = lines[lineNumber - 1] || "";
+            // Redact the credential
+            const redactedId = redactCredential(match[0]);
+            findings.push({
+                credentialType: credPattern.type,
+                identifier: redactedId,
+                currentScopes: credPattern.extractScopes
+                    ? credPattern.extractScopes(match[0], content)
+                    : ["Unknown - manual review required"],
+                recommendedScopes: credPattern.recommended || ["Scope to minimum required permissions"],
+                unusedScopes: [],
+                severity: credPattern.isOverscoped?.(credPattern.recommended || []) ? "high" : "medium",
+                rotationRecommended: true,
+                ageInDays: undefined, // Can't determine from static analysis
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Redact a credential for safe logging
+ */
+function redactCredential(credential) {
+    if (credential.length <= 8) {
+        return "****";
+    }
+    return credential.slice(0, 4) + "****" + credential.slice(-4);
+}
+/**
+ * Scan directory for config files containing credentials
+ */
+async function scanForCredentials(dirPath) {
+    const results = [];
+    // Files to scan
+    const configPatterns = [
+        ".env",
+        ".env.local",
+        ".env.development",
+        ".env.production",
+        "config.json",
+        "secrets.json",
+        ".vaspera/secrets.json",
+        "server.json",
+        "claude_desktop_config.json",
+    ];
+    for (const pattern of configPatterns) {
+        const filePath = join(dirPath, pattern);
+        try {
+            const content = await readFile(filePath, "utf-8");
+            const findings = await scanConfigFile(filePath, content);
+            if (findings.length > 0) {
+                results.push({ file: filePath, findings });
+            }
+        }
+        catch {
+            // File doesn't exist or can't be read
+        }
+    }
+    return results;
+}
+// ============================================================================
+// Environment Variable Analysis
+// ============================================================================
+/**
+ * Analyze environment variables for credentials
+ */
+function analyzeEnvironmentVariables() {
+    const findings = [];
+    // Check common credential environment variables
+    const credentialEnvVars = [
+        { name: "GITHUB_TOKEN", type: "github-pat" },
+        { name: "GITHUB_PAT", type: "github-pat" },
+        { name: "GH_TOKEN", type: "github-pat" },
+        { name: "AWS_ACCESS_KEY_ID", type: "aws-access-key" },
+        { name: "AWS_SECRET_ACCESS_KEY", type: "aws-access-key" },
+        { name: "OPENAI_API_KEY", type: "api-key" },
+        { name: "ANTHROPIC_API_KEY", type: "api-key" },
+        { name: "AZURE_CLIENT_SECRET", type: "azure-service-principal" },
+        { name: "GOOGLE_APPLICATION_CREDENTIALS", type: "gcp-service-account" },
+    ];
+    for (const { name, type } of credentialEnvVars) {
+        const value = process.env[name];
+        if (value) {
+            findings.push({
+                credentialType: type,
+                identifier: `${name}=${redactCredential(value)}`,
+                currentScopes: ["Environment variable - scopes unknown"],
+                recommendedScopes: ["Review and minimize scopes"],
+                unusedScopes: [],
+                severity: "medium",
+                rotationRecommended: true,
+            });
+        }
+    }
+    return findings;
+}
+// ============================================================================
+// Scope Analysis
+// ============================================================================
+/**
+ * Check for GitHub PAT scope over-provisioning
+ */
+function analyzeGitHubScopes(scopes) {
+    const issues = [];
+    let maxSeverity = "low";
+    for (const scope of scopes) {
+        for (const pattern of GITHUB_OVERSCOPED_PATTERNS) {
+            if (scope.toLowerCase().includes(pattern.scope.toLowerCase())) {
+                issues.push(`${pattern.scope}: ${pattern.reason}`);
+                if (["critical", "high"].includes(pattern.severity) &&
+                    (maxSeverity === "low" || maxSeverity === "medium")) {
+                    maxSeverity = pattern.severity;
+                }
+            }
+        }
+    }
+    return {
+        overscoped: issues.length > 0,
+        issues,
+        severity: maxSeverity,
+    };
+}
+// ============================================================================
+// Finding Conversion
+// ============================================================================
+/**
+ * Convert credential findings to deterministic findings
+ */
+function credentialsToDeterministicFindings(findings, fileResults) {
+    const deterministicFindings = [];
+    // File-based findings
+    for (const { file, findings: fileFindings } of fileResults) {
+        for (const finding of fileFindings) {
+            deterministicFindings.push({
+                scanner: "semgrep",
+                ruleId: `credential-scope:${finding.credentialType}`,
+                file,
+                line: 0,
+                message: `${finding.credentialType}: Credential found in config file - review scope and rotation`,
+                severity: finding.severity,
+                confidence: 100,
+                evidence: [
+                    `Identifier: ${finding.identifier}`,
+                    `Current scopes: ${finding.currentScopes.join(", ")}`,
+                    `Recommended: ${finding.recommendedScopes.join(", ")}`,
+                    finding.rotationRecommended ? "Rotation recommended" : "",
+                ]
+                    .filter(Boolean)
+                    .join("\n"),
+                metadata: {
+                    agentScanner: "credential-scope-audit",
+                    credentialType: finding.credentialType,
+                    rotationRecommended: finding.rotationRecommended,
+                },
+            });
+        }
+    }
+    // Environment variable findings
+    for (const finding of findings) {
+        deterministicFindings.push({
+            scanner: "semgrep",
+            ruleId: `credential-scope:env:${finding.credentialType}`,
+            file: "environment",
+            line: 0,
+            message: `${finding.credentialType}: Credential in environment - verify minimal scopes`,
+            severity: finding.severity,
+            confidence: 100,
+            evidence: [
+                `Variable: ${finding.identifier.split("=")[0]}`,
+                `Type: ${finding.credentialType}`,
+                `Recommendation: ${finding.recommendedScopes.join(", ")}`,
+            ].join("\n"),
+            metadata: {
+                agentScanner: "credential-scope-audit",
+                credentialType: finding.credentialType,
+                source: "environment",
+            },
+        });
+    }
+    // Summary
+    const totalFindings = deterministicFindings.length;
+    if (totalFindings > 0) {
+        const byType = {};
+        for (const f of [...findings, ...fileResults.flatMap((r) => r.findings)]) {
+            byType[f.credentialType] = (byType[f.credentialType] || 0) + 1;
+        }
+        const criticalCount = deterministicFindings.filter((f) => f.severity === "critical").length;
+        const highCount = deterministicFindings.filter((f) => f.severity === "high").length;
+        deterministicFindings.push({
+            scanner: "semgrep",
+            ruleId: "credential-scope:summary",
+            file: "mcp-manifest",
+            line: 0,
+            message: `Credential scope audit found ${totalFindings} credential(s) requiring review`,
+            severity: criticalCount > 0 ? "critical" : highCount > 0 ? "high" : "medium",
+            confidence: 100,
+            evidence: [
+                `Total credentials found: ${totalFindings}`,
+                `By type:`,
+                ...Object.entries(byType).map(([type, count]) => `  - ${type}: ${count}`),
+                "",
+                "Recommendations:",
+                "  - Apply principle of least privilege",
+                "  - Rotate credentials regularly (every 90 days)",
+                "  - Use short-lived tokens where possible",
+                "  - Avoid storing credentials in config files",
+            ].join("\n"),
+            metadata: {
+                agentScanner: "credential-scope-audit",
+                totalCredentials: totalFindings,
+                byType,
+            },
+        });
+    }
+    return deterministicFindings;
+}
+// ============================================================================
+// Main Scanner Function
+// ============================================================================
+/**
+ * Run credential scope audit scanner
+ */
+export async function runCredentialScopeAudit(manifest, options) {
+    const startTime = Date.now();
+    const scanPath = options?.scanPath || process.cwd();
+    // Scan config files
+    const fileResults = await scanForCredentials(scanPath);
+    // Scan additional files if specified
+    if (options?.additionalFiles) {
+        for (const filePath of options.additionalFiles) {
+            try {
+                const content = await readFile(filePath, "utf-8");
+                const findings = await scanConfigFile(filePath, content);
+                if (findings.length > 0) {
+                    fileResults.push({ file: filePath, findings });
+                }
+            }
+            catch {
+                // Skip unreadable files
+            }
+        }
+    }
+    // Scan environment if requested
+    const envFindings = [];
+    if (options?.scanEnvironment !== false) {
+        envFindings.push(...analyzeEnvironmentVariables());
+    }
+    // Convert to deterministic findings
+    const findings = credentialsToDeterministicFindings(envFindings, fileResults);
+    // Calculate manifest hash
+    const manifestHash = createHash("sha256")
+        .update(JSON.stringify(manifest))
+        .digest("hex");
+    return {
+        scanner: "credential-scope-audit",
+        findings,
+        duration: Date.now() - startTime,
+        success: true,
+        mcpServerName: manifest.name,
+        mcpServerVersion: manifest.version,
+        manifestHash,
+        version: "1.0.0",
+        rulesUsed: ["config-scan", "env-scan"],
+    };
+}
+/**
+ * Check if credential scope audit is available
+ */
+export async function checkCredentialScopeAuditAvailable() {
+    return {
+        scanner: "credential-scope-audit",
+        available: true,
+        version: "1.0.0",
+    };
+}
+/**
+ * Get credential audit summary
+ */
+export function getCredentialAuditSummary(result) {
+    const summaryFinding = result.findings.find((f) => f.ruleId === "credential-scope:summary");
+    if (!summaryFinding?.metadata) {
+        return null;
+    }
+    const meta = summaryFinding.metadata;
+    return {
+        totalCredentials: meta.totalCredentials || 0,
+        byType: meta.byType || {},
+    };
+}
+//# sourceMappingURL=credential-scope-audit.js.map

package/dist/scanners/agent/credential-scope-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-scope-audit.js","sourceRoot":"","sources":["../../../src/scanners/agent/credential-scope-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAW,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAyB5B,MAAM,mBAAmB,GAAwB;IAC/C,yCAAyC;IACzC;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,sBAAsB;QAC/B,WAAW,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC;KACxC;IACD,8CAA8C;IAC9C;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,+BAA+B;KACzC;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,sBAAsB;KAChC;IACD,oBAAoB;IACpB;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mBAAmB;QAC5B,WAAW,EAAE,CAAC,8CAA8C,CAAC;QAC7D,YAAY,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,kCAAkC;KAC7D;IACD,sBAAsB;IACtB;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,iCAAiC;KAC3C;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,gEAAgE;KAC1E;IACD,2BAA2B;IAC3B;QACE,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,8EAA8E;QACvF,WAAW,EAAE,CAAC,wCAAwC,CAAC;KACxD;IACD,iBAAiB;IACjB;QACE,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,sBAAsB;QAC/B,WAAW,EAAE,CAAC,uCAAuC,CAAC;KACvD;IACD,YAAY;IACZ;QACE,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,gEAAgE;KAC1E;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,kCAAkC;KAC5C;CACF,CAAC;AAEF,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;GAEG;AACH,MAAM,0BAA0B,GAAG;IACjC,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAkB,EAAE,MAAM,EAAE,+CAA+C,EAAE;IACxG,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAsB,EAAE,MAAM,EAAE,oCAAoC,EAAE;IACtG,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAkB,EAAE,MAAM,EAAE,+BAA+B,EAAE;IACnG,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAsB,EAAE,MAAM,EAAE,iCAAiC,EAAE;IAC1G,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAsB,EAAE,MAAM,EAAE,yBAAyB,EAAE;IAC7F,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAoB,EAAE,MAAM,EAAE,sBAAsB,EAAE;CAC5F,CAAC;AAEF;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,EAAE,MAAM,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAsB,EAAE,MAAM,EAAE,uBAAuB,EAAE;IACpG,EAAE,MAAM,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAkB,EAAE,MAAM,EAAE,6BAA6B,EAAE;IAClG,EAAE,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAsB,EAAE,MAAM,EAAE,gCAAgC,EAAE;IACvG,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAsB,EAAE,MAAM,EAAE,gCAAgC,EAAE;IAC7F,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAkB,EAAE,MAAM,EAAE,4CAA4C,EAAE;IACtG,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAkB,EAAE,MAAM,EAAE,+CAA+C,EAAE;CAC3G,CAAC;AAEF,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;GAEG;AACH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;IAEf,MAAM,QAAQ,GAA6B,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,WAAW,IAAI,mBAAmB,EAAE,CAAC;QAC9C,WAAW,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAElC,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5D,wBAAwB;YACxB,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACtD,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YAElD,mCAAmC;YACnC,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAEhD,wBAAwB;YACxB,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAE9C,QAAQ,CAAC,IAAI,CAAC;gBACZ,cAAc,EAAE,WAAW,CAAC,IAAI;gBAChC,UAAU,EAAE,UAAU;gBACtB,aAAa,EAAE,WAAW,CAAC,aAAa;oBACtC,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC;oBAC9C,CAAC,CAAC,CAAC,kCAAkC,CAAC;gBACxC,iBAAiB,EAAE,WAAW,CAAC,WAAW,IAAI,CAAC,uCAAuC,CAAC;gBACvF,YAAY,EAAE,EAAE;gBAChB,QAAQ,EAAE,WAAW,CAAC,YAAY,EAAE,CAAC,WAAW,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBACvF,mBAAmB,EAAE,IAAI;gBACzB,SAAS,EAAE,SAAS,EAAE,uCAAuC;aAC9D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,UAAkB;IAC1C,IAAI,UAAU,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC3B,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,OAAe;IAEf,MAAM,OAAO,GAA2D,EAAE,CAAC;IAE3E,gBAAgB;IAChB,MAAM,cAAc,GAAG;QACrB,MAAM;QACN,YAAY;QACZ,kBAAkB;QAClB,iBAAiB;QACjB,aAAa;QACb,cAAc;QACd,uBAAuB;QACvB,aAAa;QACb,4BAA4B;KAC7B,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAExC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAClD,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEzD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAC/E,gCAAgC;AAChC,+EAA+E;AAE/E;;GAEG;AACH,SAAS,2BAA2B;IAClC,MAAM,QAAQ,GAA6B,EAAE,CAAC;IAE9C,gDAAgD;IAChD,MAAM,iBAAiB,GAAG;QACxB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,YAA8B,EAAE;QAC9D,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,YAA8B,EAAE;QAC5D,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,YAA8B,EAAE;QAC1D,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,gBAAkC,EAAE;QACvE,EAAE,IAAI,EAAE,uBAAuB,EAAE,IAAI,EAAE,gBAAkC,EAAE;QAC3E,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,SAA2B,EAAE;QAC7D,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAA2B,EAAE;QAChE,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,yBAA2C,EAAE;QAClF,EAAE,IAAI,EAAE,gCAAgC,EAAE,IAAI,EAAE,qBAAuC,EAAE;KAC1F,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,iBAAiB,EAAE,CAAC;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAEhC,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,CAAC,IAAI,CAAC;gBACZ,cAAc,EAAE,IAAI;gBACpB,UAAU,EAAE,GAAG,IAAI,IAAI,gBAAgB,CAAC,KAAK,CAAC,EAAE;gBAChD,aAAa,EAAE,CAAC,uCAAuC,CAAC;gBACxD,iBAAiB,EAAE,CAAC,4BAA4B,CAAC;gBACjD,YAAY,EAAE,EAAE;gBAChB,QAAQ,EAAE,QAAQ;gBAClB,mBAAmB,EAAE,IAAI;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,mBAAmB,CAC1B,MAAgB;IAEhB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,WAAW,GAAa,KAAK,CAAC;IAElC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,KAAK,MAAM,OAAO,IAAI,0BAA0B,EAAE,CAAC;YACjD,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC9D,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,KAAK,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;gBACnD,IACE,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;oBAC/C,CAAC,WAAW,KAAK,KAAK,IAAI,WAAW,KAAK,QAAQ,CAAC,EACnD,CAAC;oBACD,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;gBACjC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC;QAC7B,MAAM;QACN,QAAQ,EAAE,WAAW;KACtB,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,kCAAkC,CACzC,QAAkC,EAClC,WAAmE;IAEnE,MAAM,qBAAqB,GAA2B,EAAE,CAAC;IAEzD,sBAAsB;IACtB,KAAK,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,IAAI,WAAW,EAAE,CAAC;QAC3D,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;YACnC,qBAAqB,CAAC,IAAI,CAAC;gBACzB,OAAO,EAAE,SAAkB;gBAC3B,MAAM,EAAE,oBAAoB,OAAO,CAAC,cAAc,EAAE;gBACpD,IAAI;gBACJ,IAAI,EAAE,CAAC;gBACP,OAAO,EAAE,GAAG,OAAO,CAAC,cAAc,+DAA+D;gBACjG,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,UAAU,EAAE,GAAG;gBACf,QAAQ,EAAE;oBACR,eAAe,OAAO,CAAC,UAAU,EAAE;oBACnC,mBAAmB,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;oBACrD,gBAAgB,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;oBACtD,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,EAAE;iBAC1D;qBACE,MAAM,CAAC,OAAO,CAAC;qBACf,IAAI,CAAC,IAAI,CAAC;gBACb,QAAQ,EAAE;oBACR,YAAY,EAAE,wBAAwB;oBACtC,cAAc,EAAE,OAAO,CAAC,cAAc;oBACtC,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;iBACjD;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,qBAAqB,CAAC,IAAI,CAAC;YACzB,OAAO,EAAE,SAAkB;YAC3B,MAAM,EAAE,wBAAwB,OAAO,CAAC,cAAc,EAAE;YACxD,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,CAAC;YACP,OAAO,EAAE,GAAG,OAAO,CAAC,cAAc,qDAAqD;YACvF,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE;gBACR,aAAa,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC/C,SAAS,OAAO,CAAC,cAAc,EAAE;gBACjC,mBAAmB,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAC1D,CAAC,IAAI,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE;gBACR,YAAY,EAAE,wBAAwB;gBACtC,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,MAAM,EAAE,aAAa;aACtB;SACF,CAAC,CAAC;IACL,CAAC;IAED,UAAU;IACV,MAAM,aAAa,GAAG,qBAAqB,CAAC,MAAM,CAAC;IACnD,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,KAAK,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACzE,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,aAAa,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;QAC5F,MAAM,SAAS,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QAEpF,qBAAqB,CAAC,IAAI,CAAC;YACzB,OAAO,EAAE,SAAkB;YAC3B,MAAM,EAAE,0BAA0B;YAClC,IAAI,EAAE,cAAc;YACpB,IAAI,EAAE,CAAC;YACP,OAAO,EAAE,gCAAgC,aAAa,iCAAiC;YACvF,QAAQ,EAAE,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YAC5E,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE;gBACR,4BAA4B,aAAa,EAAE;gBAC3C,UAAU;gBACV,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzE,EAAE;gBACF,kBAAkB;gBAClB,wCAAwC;gBACxC,kDAAkD;gBAClD,2CAA2C;gBAC3C,+CAA+C;aAChD,CAAC,IAAI,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE;gBACR,YAAY,EAAE,wBAAwB;gBACtC,gBAAgB,EAAE,aAAa;gBAC/B,MAAM;aACP;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAqB,EACrB,OAOC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAEpD,oBAAoB;IACpB,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAEvD,qCAAqC;IACrC,IAAI,OAAO,EAAE,eAAe,EAAE,CAAC;QAC7B,KAAK,MAAM,QAAQ,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YAC/C,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAEzD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACxB,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,WAAW,GAA6B,EAAE,CAAC;IACjD,IAAI,OAAO,EAAE,eAAe,KAAK,KAAK,EAAE,CAAC;QACvC,WAAW,CAAC,IAAI,CAAC,GAAG,2BAA2B,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,oCAAoC;IACpC,MAAM,QAAQ,GAAG,kCAAkC,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAE9E,0BAA0B;IAC1B,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC;SACtC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;SAChC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,OAAO;QACL,OAAO,EAAE,wBAAwB;QACjC,QAAQ;QACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QAChC,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,QAAQ,CAAC,IAAI;QAC5B,gBAAgB,EAAE,QAAQ,CAAC,OAAO;QAClC,YAAY;QACZ,OAAO,EAAE,OAAO;QAChB,SAAS,EAAE,CAAC,aAAa,EAAE,UAAU,CAAC;KACvC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kCAAkC;IAKtD,OAAO;QACL,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,IAAI;QACf,OAAO,EAAE,OAAO;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAA0B;IAIlE,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CACzC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,0BAA0B,CAC/C,CAAC;IAEF,IAAI,CAAC,cAAc,EAAE,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,cAAc,CAAC,QAG3B,CAAC;IAEF,OAAO;QACL,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,IAAI,CAAC;QAC5C,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;KAC1B,CAAC;AACJ,CAAC"}

package/dist/scanners/agent/exfil-path-graph.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Exfiltration Path Graph Scanner
+ *
+ * Builds a directed graph of MCP tools based on their capabilities,
+ * then finds potential data exfiltration paths from secret sources
+ * (tools that read sensitive data) to network sinks (tools that can
+ * send data externally).
+ *
+ * Key features:
+ * - Tool capability classification (reads_secrets, network_access, etc.)
+ * - Path finding from sources to sinks
+ * - Minimal cut-set computation (tools to sandbox)
+ * - Mermaid diagram generation for visualization
+ *
+ * @module scanners/agent/exfil-path-graph
+ */
+import type { AgentScannerResult, MCPManifest, ToolGraph } from "./types.js";
+/**
+ * Run exfiltration path graph scanner
+ */
+export declare function runExfilPathScanner(manifest: MCPManifest, _options?: {
+    /** Include all edges in diagram (default: only exfil paths) */
+    includeAllEdges?: boolean;
+    /** Maximum path length to consider */
+    maxPathLength?: number;
+}): Promise<AgentScannerResult>;
+/**
+ * Check if exfil path scanner is available (always true - no external deps)
+ */
+export declare function checkExfilPathAvailable(): Promise<{
+    scanner: "exfil-path-graph";
+    available: boolean;
+    version: string;
+}>;
+/**
+ * Get exfil graph from scanner result
+ */
+export declare function getExfilGraph(result: AgentScannerResult): ToolGraph | null;
+/**
+ * Get exfil path summary
+ */
+export declare function getExfilSummary(result: AgentScannerResult): {
+    totalPaths: number;
+    criticalPaths: number;
+    highPaths: number;
+    sources: string[];
+    sinks: string[];
+    cutSet: string[];
+} | null;
+//# sourceMappingURL=exfil-path-graph.d.ts.map

package/dist/scanners/agent/exfil-path-graph.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exfil-path-graph.d.ts","sourceRoot":"","sources":["../../../src/scanners/agent/exfil-path-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,KAAK,EACV,kBAAkB,EAClB,WAAW,EAEX,SAAS,EAKV,MAAM,YAAY,CAAC;AAwpBpB;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,WAAW,EACrB,QAAQ,CAAC,EAAE;IACT,+DAA+D;IAC/D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,sCAAsC;IACtC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GACA,OAAO,CAAC,kBAAkB,CAAC,CA0G7B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC;IACvD,OAAO,EAAE,kBAAkB,CAAC;IAC5B,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC,CAMD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,kBAAkB,GAAG,SAAS,GAAG,IAAI,CAyB1E;AAUD;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,kBAAkB,GAAG;IAC3D,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,GAAG,IAAI,CA0BP"}