vaspera 2.5.0

package/dist/agents/agent-privacy.js

@@ -0,0 +1,345 @@
+/**
+ * Agent Privacy Analyzer
+ *
+ * Analyzes tool traces and agent interactions for privacy issues.
+ * Detects PII egress, cross-tenant data bleed, memory/caching of
+ * sensitive data, and consent compliance issues.
+ *
+ * @module agents/agent-privacy
+ */
+import { readFile, readdir } from "fs/promises";
+import { join } from "path";
+const PII_PATTERNS = [
+    // Email
+    {
+        type: "email",
+        pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+        severity: "medium",
+        gdprRelevant: true,
+        ccpaRelevant: true,
+        validate: (match) => !match.includes("example.com") && !match.includes("test.com"),
+    },
+    // Phone (various formats)
+    {
+        type: "phone",
+        pattern: /(?:\+1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g,
+        severity: "medium",
+        gdprRelevant: true,
+        ccpaRelevant: true,
+    },
+    // SSN
+    {
+        type: "ssn",
+        pattern: /\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b/g,
+        severity: "critical",
+        gdprRelevant: true,
+        ccpaRelevant: true,
+        validate: (match) => {
+            // Validate it's not a date or other number
+            const clean = match.replace(/[-\s]/g, "");
+            const first3 = parseInt(clean.slice(0, 3));
+            return first3 > 0 && first3 < 900 && first3 !== 666;
+        },
+    },
+    // Credit Card
+    {
+        type: "credit-card",
+        pattern: /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/g,
+        severity: "critical",
+        gdprRelevant: true,
+        ccpaRelevant: true,
+        validate: (match) => {
+            // Luhn algorithm validation
+            const digits = match.replace(/\D/g, "");
+            let sum = 0;
+            let isEven = false;
+            for (let i = digits.length - 1; i >= 0; i--) {
+                let d = parseInt(digits[i]);
+                if (isEven) {
+                    d *= 2;
+                    if (d > 9)
+                        d -= 9;
+                }
+                sum += d;
+                isEven = !isEven;
+            }
+            return sum % 10 === 0;
+        },
+    },
+    // IP Address
+    {
+        type: "ip-address",
+        pattern: /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/g,
+        severity: "low",
+        gdprRelevant: true,
+        ccpaRelevant: false,
+        validate: (match) => {
+            // Exclude localhost, private ranges for lower severity
+            return !match.startsWith("127.") &&
+                !match.startsWith("192.168.") &&
+                !match.startsWith("10.") &&
+                !match.startsWith("172.");
+        },
+    },
+    // Date of Birth patterns
+    {
+        type: "dob",
+        pattern: /\b(?:dob|date\s*of\s*birth|birthday|born\s*on)[:\s]+(\d{1,2}[-/]\d{1,2}[-/]\d{2,4})\b/gi,
+        severity: "medium",
+        gdprRelevant: true,
+        ccpaRelevant: true,
+    },
+    // Medical terms (simple detection)
+    {
+        type: "medical",
+        pattern: /\b(?:diagnosis|prescription|medication|treatment|patient|symptoms|medical\s*record)\b.*?(?:\.|$)/gi,
+        severity: "high",
+        gdprRelevant: true,
+        ccpaRelevant: true,
+    },
+    // Financial (account numbers, routing)
+    {
+        type: "financial",
+        pattern: /\b(?:account\s*(?:number|#)|routing\s*(?:number|#))[:\s]*\d{6,17}\b/gi,
+        severity: "high",
+        gdprRelevant: true,
+        ccpaRelevant: true,
+    },
+];
+// ============================================================================
+// Analysis Functions
+// ============================================================================
+/**
+ * Detect PII in a text string
+ */
+function detectPII(text, location, tool) {
+    const findings = [];
+    for (const piiPattern of PII_PATTERNS) {
+        piiPattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = piiPattern.pattern.exec(text)) !== null) {
+            const matchText = match[0];
+            // Run validator if present
+            if (piiPattern.validate && !piiPattern.validate(matchText)) {
+                continue;
+            }
+            // Redact the match for safe logging
+            const redacted = redactPII(matchText, piiPattern.type);
+            findings.push({
+                type: piiPattern.type,
+                location,
+                tool,
+                severity: piiPattern.severity,
+                description: `${piiPattern.type.toUpperCase()} detected in ${location}`,
+                evidence: `Found in tool "${tool}" ${location}`,
+                redactedSample: redacted,
+                gdprRelevant: piiPattern.gdprRelevant,
+                ccpaRelevant: piiPattern.ccpaRelevant,
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Redact PII for safe logging
+ */
+function redactPII(text, type) {
+    const len = text.length;
+    if (len <= 4)
+        return "****";
+    switch (type) {
+        case "email": {
+            const [local, domain] = text.split("@");
+            return `${local[0]}***@${domain}`;
+        }
+        case "phone":
+            return `***-***-${text.slice(-4)}`;
+        case "ssn":
+            return `***-**-${text.slice(-4)}`;
+        case "credit-card":
+            return `****-****-****-${text.slice(-4)}`;
+        case "ip-address":
+            return `***.***.***.${text.split(".").pop()}`;
+        default:
+            return text.slice(0, 2) + "***" + text.slice(-2);
+    }
+}
+/**
+ * Analyze a single trace entry
+ */
+function analyzeTrace(trace) {
+    const findings = [];
+    // Analyze input
+    if (trace.input) {
+        findings.push(...detectPII(trace.input, "input", trace.tool));
+    }
+    // Analyze output
+    if (trace.output) {
+        findings.push(...detectPII(trace.output, "output", trace.tool));
+    }
+    return findings;
+}
+/**
+ * Load traces from a directory
+ */
+async function loadTraces(tracesDir) {
+    const traces = [];
+    try {
+        const files = await readdir(tracesDir);
+        const jsonlFiles = files.filter((f) => f.endsWith(".jsonl") || f.endsWith(".json"));
+        for (const file of jsonlFiles) {
+            const content = await readFile(join(tracesDir, file), "utf-8");
+            const lines = content.split("\n").filter((l) => l.trim());
+            for (const line of lines) {
+                try {
+                    const entry = JSON.parse(line);
+                    traces.push({
+                        timestamp: entry.timestamp || new Date().toISOString(),
+                        tool: entry.tool || entry.name || "unknown",
+                        input: typeof entry.input === "string" ? entry.input : JSON.stringify(entry.input || {}),
+                        output: typeof entry.output === "string" ? entry.output : JSON.stringify(entry.output || {}),
+                        sessionId: entry.sessionId,
+                        userId: entry.userId,
+                        metadata: entry.metadata,
+                    });
+                }
+                catch {
+                    // Skip invalid JSON lines
+                }
+            }
+        }
+    }
+    catch {
+        // Directory doesn't exist or can't be read
+    }
+    return traces;
+}
+// ============================================================================
+// Cross-Tenant Detection
+// ============================================================================
+/**
+ * Detect potential cross-tenant data bleed
+ */
+function detectCrossTenantIssues(traces) {
+    const findings = [];
+    // Group traces by session/user
+    const bySession = {};
+    for (const trace of traces) {
+        const key = trace.sessionId || trace.userId || "unknown";
+        if (!bySession[key])
+            bySession[key] = [];
+        bySession[key].push(trace);
+    }
+    // Look for data appearing across sessions
+    const dataBySession = {};
+    for (const [session, sessionTraces] of Object.entries(bySession)) {
+        dataBySession[session] = new Set();
+        for (const trace of sessionTraces) {
+            // Extract potential identifiers from outputs
+            const matches = (trace.output || "").match(/[a-zA-Z0-9._-]{10,}/g) || [];
+            for (const m of matches) {
+                dataBySession[session].add(m);
+            }
+        }
+    }
+    // Check for overlaps
+    const sessions = Object.keys(dataBySession);
+    for (let i = 0; i < sessions.length; i++) {
+        for (let j = i + 1; j < sessions.length; j++) {
+            const overlap = [...dataBySession[sessions[i]]].filter((d) => dataBySession[sessions[j]].has(d));
+            if (overlap.length > 10) {
+                findings.push({
+                    type: "custom",
+                    location: "memory",
+                    tool: "cross-session",
+                    severity: "high",
+                    description: "Potential cross-tenant data bleed detected",
+                    evidence: `Sessions ${sessions[i]} and ${sessions[j]} share ${overlap.length} data patterns`,
+                    gdprRelevant: true,
+                    ccpaRelevant: true,
+                });
+            }
+        }
+    }
+    return findings;
+}
+// ============================================================================
+// Main Analysis Function
+// ============================================================================
+/**
+ * Run privacy analysis on tool traces
+ */
+export async function runPrivacyAnalysis(tracesDir, options) {
+    // Load traces
+    const traces = await loadTraces(tracesDir);
+    if (traces.length === 0) {
+        return {
+            totalTraces: 0,
+            tracesAnalyzed: 0,
+            piiDetected: 0,
+            findings: [],
+            byType: {},
+            byTool: {},
+            recommendations: ["No traces found. Ensure tool usage logs are being captured."],
+        };
+    }
+    // Analyze each trace
+    const allFindings = [];
+    for (const trace of traces) {
+        allFindings.push(...analyzeTrace(trace));
+    }
+    // Detect cross-tenant issues if requested
+    if (options?.detectCrossTenant) {
+        allFindings.push(...detectCrossTenantIssues(traces));
+    }
+    // Aggregate by type
+    const byType = {};
+    for (const finding of allFindings) {
+        byType[finding.type] = (byType[finding.type] || 0) + 1;
+    }
+    // Aggregate by tool
+    const byTool = {};
+    for (const finding of allFindings) {
+        byTool[finding.tool] = (byTool[finding.tool] || 0) + 1;
+    }
+    // Generate recommendations
+    const recommendations = [];
+    if (byType["ssn"] || byType["credit-card"]) {
+        recommendations.push("CRITICAL: Sensitive financial/identity data detected. Implement PII masking immediately.");
+    }
+    if (byType["email"] || byType["phone"]) {
+        recommendations.push("Implement input/output sanitization for contact information.");
+    }
+    if (allFindings.some((f) => f.location === "output")) {
+        recommendations.push("Review tools that expose PII in outputs. Consider response filtering.");
+    }
+    if (allFindings.some((f) => f.gdprRelevant)) {
+        recommendations.push("GDPR compliance: Document lawful basis for PII processing.");
+    }
+    return {
+        totalTraces: traces.length,
+        tracesAnalyzed: traces.length,
+        piiDetected: allFindings.length,
+        findings: allFindings,
+        byType,
+        byTool,
+        recommendations,
+    };
+}
+/**
+ * Convert privacy findings to certification findings
+ */
+export function privacyToFindings(result) {
+    return result.findings.map((f, i) => ({
+        id: `prv-${String(i + 1).padStart(3, "0")}`,
+        severity: f.severity,
+        category: "pii-exposure",
+        description: f.description,
+        evidence: `${f.evidence}. Sample: ${f.redactedSample || "N/A"}`,
+        confidence: 90,
+        verifications: [],
+        created_at: new Date().toISOString(),
+        scanner_source: undefined,
+    }));
+}
+//# sourceMappingURL=agent-privacy.js.map

package/dist/agents/agent-privacy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-privacy.js","sourceRoot":"","sources":["../../src/agents/agent-privacy.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAgF5B,MAAM,YAAY,GAAiB;IACjC,QAAQ;IACR;QACE,IAAI,EAAE,OAAO;QACb,OAAO,EAAE,iDAAiD;QAC1D,QAAQ,EAAE,QAAQ;QAClB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;KACnF;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,OAAO;QACb,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,QAAQ;QAClB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;KACnB;IACD,MAAM;IACN;QACE,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;YAClB,2CAA2C;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC3C,OAAO,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,KAAK,GAAG,CAAC;QACtD,CAAC;KACF;IACD,cAAc;IACd;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,6FAA6F;QACtG,QAAQ,EAAE,UAAU;QACpB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;YAClB,4BAA4B;YAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACxC,IAAI,GAAG,GAAG,CAAC,CAAC;YACZ,IAAI,MAAM,GAAG,KAAK,CAAC;YACnB,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5C,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5B,IAAI,MAAM,EAAE,CAAC;oBACX,CAAC,IAAI,CAAC,CAAC;oBACP,IAAI,CAAC,GAAG,CAAC;wBAAE,CAAC,IAAI,CAAC,CAAC;gBACpB,CAAC;gBACD,GAAG,IAAI,CAAC,CAAC;gBACT,MAAM,GAAG,CAAC,MAAM,CAAC;YACnB,CAAC;YACD,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC;KACF;IACD,aAAa;IACb;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,gGAAgG;QACzG,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,KAAK;QACnB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;YAClB,uDAAuD;YACvD,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;gBACzB,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC;gBAC7B,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;gBACxB,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;KACF;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,yFAAyF;QAClG,QAAQ,EAAE,QAAQ;QAClB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;KACnB;IACD,mCAAmC;IACnC;QACE,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,oGAAoG;QAC7G,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;KACnB;IACD,uCAAuC;IACvC;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;KACnB;CACF,CAAC;AAEF,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,SAAS,CAChB,IAAY,EACZ,QAA+C,EAC/C,IAAY;IAEZ,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;QACtC,UAAU,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC;QAEV,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxD,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAE3B,2BAA2B;YAC3B,IAAI,UAAU,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC3D,SAAS;YACX,CAAC;YAED,oCAAoC;YACpC,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;YAEvD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,UAAU,CAAC,IAAI;gBACrB,QAAQ;gBACR,IAAI;gBACJ,QAAQ,EAAE,UAAU,CAAC,QAAQ;gBAC7B,WAAW,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,gBAAgB,QAAQ,EAAE;gBACvE,QAAQ,EAAE,kBAAkB,IAAI,KAAK,QAAQ,EAAE;gBAC/C,cAAc,EAAE,QAAQ;gBACxB,YAAY,EAAE,UAAU,CAAC,YAAY;gBACrC,YAAY,EAAE,UAAU,CAAC,YAAY;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,IAAY,EAAE,IAAa;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC;IACxB,IAAI,GAAG,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IAE5B,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxC,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC;QACpC,CAAC;QACD,KAAK,OAAO;YACV,OAAO,WAAW,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACrC,KAAK,KAAK;YACR,OAAO,UAAU,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACpC,KAAK,aAAa;YAChB,OAAO,kBAAkB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,eAAe,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC;QAChD;YACE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAiB;IACrC,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,gBAAgB;IAChB,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,iBAAiB;IACjB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,UAAU,CAAC,SAAiB;IACzC,MAAM,MAAM,GAAiB,EAAE,CAAC;IAEhC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAEpF,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAE1D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC/B,MAAM,CAAC,IAAI,CAAC;wBACV,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACtD,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,SAAS;wBAC3C,KAAK,EAAE,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;wBACxF,MAAM,EAAE,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC;wBAC5F,SAAS,EAAE,KAAK,CAAC,SAAS;wBAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;wBACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;qBACzB,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,0BAA0B;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2CAA2C;IAC7C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,uBAAuB,CAAC,MAAoB;IACnD,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,+BAA+B;IAC/B,MAAM,SAAS,GAAiC,EAAE,CAAC;IACnD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC;QACzD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACzC,SAAS,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,0CAA0C;IAC1C,MAAM,aAAa,GAAgC,EAAE,CAAC;IACtD,KAAK,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACjE,aAAa,CAAC,OAAO,CAAC,GAAG,IAAI,GAAG,EAAU,CAAC;QAC3C,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,6CAA6C;YAC7C,MAAM,OAAO,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,EAAE,CAAC;YACzE,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,aAAa,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,OAAO,GAAG,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3D,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAClC,CAAC;YAEF,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBACxB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,eAAe;oBACrB,QAAQ,EAAE,MAAM;oBAChB,WAAW,EAAE,4CAA4C;oBACzD,QAAQ,EAAE,YAAY,QAAQ,CAAC,CAAC,CAAC,QAAQ,QAAQ,CAAC,CAAC,CAAC,UAAU,OAAO,CAAC,MAAM,gBAAgB;oBAC5F,YAAY,EAAE,IAAI;oBAClB,YAAY,EAAE,IAAI;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,OAGC;IAED,cAAc;IACd,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,WAAW,EAAE,CAAC;YACd,cAAc,EAAE,CAAC;YACjB,WAAW,EAAE,CAAC;YACd,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,EAA6B;YACrC,MAAM,EAAE,EAAE;YACV,eAAe,EAAE,CAAC,6DAA6D,CAAC;SACjF,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,MAAM,WAAW,GAAqB,EAAE,CAAC;IACzC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,CAAC;IAED,0CAA0C;IAC1C,IAAI,OAAO,EAAE,iBAAiB,EAAE,CAAC;QAC/B,WAAW,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,oBAAoB;IACpB,MAAM,MAAM,GAA4B,EAA6B,CAAC;IACtE,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,oBAAoB;IACpB,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,2BAA2B;IAC3B,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;QAC3C,eAAe,CAAC,IAAI,CAAC,0FAA0F,CAAC,CAAC;IACnH,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACvC,eAAe,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,CAAC;QACrD,eAAe,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC;QAC5C,eAAe,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;IACrF,CAAC;IAED,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,cAAc,EAAE,MAAM,CAAC,MAAM;QAC7B,WAAW,EAAE,WAAW,CAAC,MAAM;QAC/B,QAAQ,EAAE,WAAW;QACrB,MAAM;QACN,MAAM;QACN,eAAe;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA6B;IAC7D,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACpC,EAAE,EAAE,OAAO,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;QAC3C,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,cAAiC;QAC3C,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,aAAa,CAAC,CAAC,cAAc,IAAI,KAAK,EAAE;QAC/D,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,EAAE;QACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,cAAc,EAAE,SAAS;KAC1B,CAAC,CAAC,CAAC;AACN,CAAC"}

package/dist/agents/exploit-chain.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Exploit Chain Analyzer
+ *
+ * Automatically chains multiple vulnerabilities into attack paths.
+ * Identifies how individual findings can be combined for greater impact.
+ *
+ * Chain types:
+ * - Read → RCE: Info disclosure enables code injection
+ * - Auth bypass → Data: Skip auth to access database
+ * - SSRF → Internal: External request to internal API
+ * - XSS → Session: Script injection to cookie theft
+ *
+ * @module agents/exploit-chain
+ */
+import type { Severity, Finding } from "../certification/types.js";
+/**
+ * A single step in an exploit chain
+ */
+export interface ChainStep {
+    findingId: string;
+    finding: Finding;
+    role: "entry" | "pivot" | "target";
+    prerequisite?: string;
+    enables?: string;
+    techniques: string[];
+}
+/**
+ * A complete exploit chain
+ */
+export interface ExploitChain {
+    id: string;
+    name: string;
+    steps: ChainStep[];
+    totalSeverity: Severity;
+    originalSeverities: Severity[];
+    confidence: number;
+    attackScenario: string;
+    mitreAttackIds: string[];
+    impact: string;
+    difficulty: "trivial" | "easy" | "moderate" | "hard" | "expert";
+}
+/**
+ * Result of exploit chain analysis
+ */
+export interface ExploitChainResult {
+    totalFindings: number;
+    chainsDetected: number;
+    chains: ExploitChain[];
+    riskScore: number;
+    recommendations: string[];
+}
+/**
+ * Analyze findings for exploit chains
+ */
+export declare function analyzeExploitChains(findings: Finding[], _projectPath?: string): Promise<ExploitChainResult>;
+/**
+ * Convert exploit chains to certification findings
+ */
+export declare function exploitChainsToFindings(result: ExploitChainResult): Finding[];
+/**
+ * Get summary of exploit chain analysis
+ */
+export declare function getChainSummary(result: ExploitChainResult): string;
+//# sourceMappingURL=exploit-chain.d.ts.map

package/dist/agents/exploit-chain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exploit-chain.d.ts","sourceRoot":"","sources":["../../src/agents/exploit-chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAmB,MAAM,2BAA2B,CAAC;AAMpF;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,OAAO,GAAG,OAAO,GAAG,QAAQ,CAAC;IACnC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,SAAS,EAAE,CAAC;IACnB,aAAa,EAAE,QAAQ,CAAC;IACxB,kBAAkB,EAAE,QAAQ,EAAE,CAAC;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,SAAS,GAAG,MAAM,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;CACjE;AAwBD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,YAAY,EAAE,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAoaD;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,OAAO,EAAE,EACnB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,kBAAkB,CAAC,CA+E7B;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,EAAE,CAsB7E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAmBlE"}