vskill 0.1.2 → 0.1.3

package/dist/audit/__fixtures__/clean-project/app.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/__fixtures__/clean-project/app.js

@@ -0,0 +1,8 @@
+// Clean application — no security issues
+import { createServer } from "node:http";
+const server = createServer((req, res) => {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok" }));
+});
+server.listen(3000);
+//# sourceMappingURL=app.js.map

package/dist/audit/__fixtures__/clean-project/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../../../../src/audit/__fixtures__/clean-project/app.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IACvC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC5C,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC"}

package/dist/audit/__fixtures__/clean-project/utils.d.ts

@@ -0,0 +1,2 @@
+export declare function add(a: number, b: number): number;
+export declare function greet(name: string): string;

package/dist/audit/__fixtures__/clean-project/utils.js

@@ -0,0 +1,8 @@
+// Clean utility module
+export function add(a, b) {
+    return a + b;
+}
+export function greet(name) {
+    return `Hello, ${name}!`;
+}
+//# sourceMappingURL=utils.js.map

package/dist/audit/__fixtures__/clean-project/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../../src/audit/__fixtures__/clean-project/utils.ts"],"names":[],"mappings":"AAAA,uBAAuB;AACvB,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,CAAS;IACtC,OAAO,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,MAAM,UAAU,KAAK,CAAC,IAAY;IAChC,OAAO,UAAU,IAAI,GAAG,CAAC;AAC3B,CAAC"}

package/dist/audit/__fixtures__/mixed-project/risky.d.ts

@@ -0,0 +1 @@
+export declare function deploy(branch: string): void;

package/dist/audit/__fixtures__/mixed-project/risky.js

@@ -0,0 +1,6 @@
+// Risky module — one vulnerability
+import { exec } from "node:child_process";
+export function deploy(branch) {
+    exec(`git push origin ${branch}`);
+}
+//# sourceMappingURL=risky.js.map

package/dist/audit/__fixtures__/mixed-project/risky.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risky.js","sourceRoot":"","sources":["../../../../src/audit/__fixtures__/mixed-project/risky.ts"],"names":[],"mappings":"AAAA,mCAAmC;AACnC,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAE1C,MAAM,UAAU,MAAM,CAAC,MAAc;IACnC,IAAI,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC;AACpC,CAAC"}

package/dist/audit/__fixtures__/mixed-project/safe.d.ts

@@ -0,0 +1 @@
+export declare function parseId(raw: string): number;

package/dist/audit/__fixtures__/mixed-project/safe.js

@@ -0,0 +1,5 @@
+// Safe module — no issues
+export function parseId(raw) {
+    return parseInt(raw, 10);
+}
+//# sourceMappingURL=safe.js.map

package/dist/audit/__fixtures__/mixed-project/safe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe.js","sourceRoot":"","sources":["../../../../src/audit/__fixtures__/mixed-project/safe.ts"],"names":[],"mappings":"AAAA,0BAA0B;AAC1B,MAAM,UAAU,OAAO,CAAC,GAAW;IACjC,OAAO,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC"}

package/dist/audit/__fixtures__/vulnerable-project/handler.d.ts

@@ -0,0 +1,4 @@
+export declare function runCommand(userInput: string): void;
+export declare function evaluate(code: string): any;
+export declare function renderHtml(el: HTMLElement, content: string): void;
+export declare function getUser(db: any, userId: string): any;

package/dist/audit/__fixtures__/vulnerable-project/handler.js

@@ -0,0 +1,21 @@
+// Vulnerable handler — multiple security issues
+import { exec } from "node:child_process";
+// CI-001: Command injection via exec
+export function runCommand(userInput) {
+    exec(`ls ${userInput}`);
+}
+// CE-001: Code execution via eval
+export function evaluate(code) {
+    return eval(code);
+}
+// XSS-001: innerHTML assignment
+export function renderHtml(el, content) {
+    el.innerHTML = content;
+}
+// HS-001: Hardcoded API key
+const API_KEY = "sk-1234567890abcdef1234567890abcdef";
+// SQLI-001: SQL injection via concatenation
+export function getUser(db, userId) {
+    return db.query("SELECT * FROM users WHERE id = '" + userId + "'");
+}
+//# sourceMappingURL=handler.js.map

package/dist/audit/__fixtures__/vulnerable-project/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../../src/audit/__fixtures__/vulnerable-project/handler.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAE1C,qCAAqC;AACrC,MAAM,UAAU,UAAU,CAAC,SAAiB;IAC1C,IAAI,CAAC,MAAM,SAAS,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,kCAAkC;AAClC,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC;AACpB,CAAC;AAED,gCAAgC;AAChC,MAAM,UAAU,UAAU,CAAC,EAAe,EAAE,OAAe;IACzD,EAAE,CAAC,SAAS,GAAG,OAAO,CAAC;AACzB,CAAC;AAED,4BAA4B;AAC5B,MAAM,OAAO,GAAG,qCAAqC,CAAC;AAEtD,4CAA4C;AAC5C,MAAM,UAAU,OAAO,CAAC,EAAO,EAAE,MAAc;IAC7C,OAAO,EAAE,CAAC,KAAK,CAAC,kCAAkC,GAAG,MAAM,GAAG,GAAG,CAAC,CAAC;AACrE,CAAC"}

package/dist/audit/audit-integration.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/audit-integration.test.js

@@ -0,0 +1,92 @@
+import { describe, it, expect } from "vitest";
+import { join } from "node:path";
+import { discoverAuditFiles } from "./file-discovery.js";
+import { runAuditScan } from "./audit-scanner.js";
+import { createDefaultAuditConfig } from "./audit-types.js";
+import { formatJson } from "./formatters/json-formatter.js";
+import { formatSarif } from "./formatters/sarif-formatter.js";
+import { attachFixSuggestions } from "./fix-suggestions.js";
+import { loadAuditConfig } from "./config.js";
+const FIXTURES = join(import.meta.dirname, "__fixtures__");
+describe("audit integration", () => {
+    it("TC-054: clean project produces PASS verdict", async () => {
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(join(FIXTURES, "clean-project"), config);
+        const result = runAuditScan(files, config);
+        expect(result.findings).toHaveLength(0);
+        expect(result.summary.verdict).toBe("PASS");
+        expect(result.summary.score).toBe(100);
+        expect(result.filesScanned).toBe(2);
+    });
+    it("TC-055: vulnerable project detects all planted vulnerabilities", async () => {
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(join(FIXTURES, "vulnerable-project"), config);
+        const result = runAuditScan(files, config);
+        expect(result.findings.length).toBeGreaterThanOrEqual(5);
+        const ruleIds = result.findings.map((f) => f.ruleId);
+        // exec() detection
+        expect(ruleIds.some((id) => id.startsWith("CI-"))).toBe(true);
+        // eval() detection
+        expect(ruleIds.some((id) => id.startsWith("CE-"))).toBe(true);
+        // innerHTML detection
+        expect(ruleIds.some((id) => id.startsWith("XSS-"))).toBe(true);
+        // Hardcoded secret detection
+        expect(ruleIds.some((id) => id.startsWith("HS-"))).toBe(true);
+        // SQL injection detection
+        expect(ruleIds.some((id) => id.startsWith("SQLI-"))).toBe(true);
+    });
+    it("TC-056: JSON output is valid and complete", async () => {
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(join(FIXTURES, "mixed-project"), config);
+        const result = runAuditScan(files, config);
+        const json = formatJson(result);
+        const parsed = JSON.parse(json);
+        expect(parsed.findings).toBeDefined();
+        expect(parsed.summary).toBeDefined();
+        expect(parsed.summary.critical).toBeDefined();
+        expect(parsed.summary.high).toBeDefined();
+        expect(parsed.summary.medium).toBeDefined();
+        expect(parsed.summary.low).toBeDefined();
+        expect(parsed.summary.info).toBeDefined();
+        expect(parsed.summary.score).toBeGreaterThanOrEqual(0);
+        expect(parsed.summary.verdict).toBeDefined();
+        expect(parsed.filesScanned).toBe(2);
+    });
+    it("TC-057: SARIF output has correct structure", async () => {
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(join(FIXTURES, "vulnerable-project"), config);
+        const result = runAuditScan(files, config);
+        const sarif = formatSarif(result);
+        const parsed = JSON.parse(sarif);
+        expect(parsed.version).toBe("2.1.0");
+        expect(parsed.$schema).toContain("sarif");
+        expect(parsed.runs).toHaveLength(1);
+        expect(parsed.runs[0].tool.driver.name).toBe("vskill-audit");
+        expect(parsed.runs[0].results.length).toBeGreaterThanOrEqual(5);
+        // Each result has correct location structure
+        for (const r of parsed.runs[0].results) {
+            expect(r.ruleId).toBeDefined();
+            expect(r.message.text).toBeDefined();
+            expect(r.locations[0].physicalLocation.artifactLocation.uri).toBeDefined();
+            expect(r.locations[0].physicalLocation.region.startLine).toBeGreaterThan(0);
+        }
+    });
+    it("fix suggestions are attached when fix=true", async () => {
+        const config = createDefaultAuditConfig();
+        config.fix = true;
+        const files = await discoverAuditFiles(join(FIXTURES, "vulnerable-project"), config);
+        const result = runAuditScan(files, config);
+        const withFixes = attachFixSuggestions(result.findings, true);
+        // Every finding should have a suggestedFix
+        for (const f of withFixes) {
+            expect(f.suggestedFix).toBeDefined();
+            expect(f.suggestedFix.length).toBeGreaterThan(0);
+        }
+    });
+    it("config loading works end-to-end", async () => {
+        const config = await loadAuditConfig(join(FIXTURES, "clean-project"), {});
+        expect(config.maxFiles).toBe(500);
+        expect(config.excludePaths).toEqual([]);
+    });
+});
+//# sourceMappingURL=audit-integration.test.js.map

package/dist/audit/audit-integration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-integration.test.js","sourceRoot":"","sources":["../../src/audit/audit-integration.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;AAE3D,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,EAAE,MAAM,CAAC,CAAC;QACrF,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAEzD,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACrD,mBAAmB;QACnB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,mBAAmB;QACnB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,sBAAsB;QACtB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,6BAA6B;QAC7B,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,0BAA0B;QAC1B,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAEhC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QACzC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,EAAE,MAAM,CAAC,CAAC;QACrF,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC3C,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAEhE,6CAA6C;QAC7C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YACvC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;YAC/B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;YAC3E,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;QAClB,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,EAAE,MAAM,CAAC,CAAC;QACrF,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAG,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAE9D,2CAA2C;QAC3C,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;YAC1B,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,CAAC,CAAC,CAAC,YAAa,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1E,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/audit-llm.d.ts

@@ -0,0 +1,25 @@
+/**
+ * LLM-based security analysis engine.
+ *
+ * Performs deeper analysis on Tier 1 flagged files using an LLM
+ * (via subprocess). Traces data flows and identifies complex
+ * vulnerabilities that regex patterns alone cannot detect.
+ */
+import type { AuditConfig, AuditFile, AuditFinding } from "./audit-types.js";
+/**
+ * Build a security analysis prompt for the LLM.
+ */
+export declare function buildLlmPrompt(file: AuditFile, tier1Findings: AuditFinding[]): string;
+/**
+ * Parse the LLM's JSON response into AuditFinding objects.
+ */
+export declare function parseLlmResponse(response: string, filePath: string): AuditFinding[];
+/**
+ * Run LLM analysis on flagged files.
+ *
+ * @param files - Files that had Tier 1 findings
+ * @param tier1Findings - All Tier 1 findings (to provide context)
+ * @param config - Audit configuration
+ * @returns Additional findings from LLM analysis
+ */
+export declare function runLlmAnalysis(files: AuditFile[], tier1Findings: AuditFinding[], config: AuditConfig): Promise<AuditFinding[]>;

package/dist/audit/audit-llm.js

@@ -0,0 +1,139 @@
+/**
+ * LLM-based security analysis engine.
+ *
+ * Performs deeper analysis on Tier 1 flagged files using an LLM
+ * (via subprocess). Traces data flows and identifies complex
+ * vulnerabilities that regex patterns alone cannot detect.
+ */
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+/**
+ * Build a security analysis prompt for the LLM.
+ */
+export function buildLlmPrompt(file, tier1Findings) {
+    const findingSummaries = tier1Findings
+        .map((f) => `  - [${f.ruleId}] ${f.severity} (${f.category}): ${f.message} (line ${f.line})`)
+        .join("\n");
+    return `Analyze this file for security vulnerabilities. Focus on data flow from user input to dangerous sinks.
+
+File: ${file.path}
+Tier 1 findings:
+${findingSummaries}
+
+Source code:
+\`\`\`
+${file.content}
+\`\`\`
+
+Respond with JSON only:
+{
+  "findings": [{
+    "ruleId": "LLM-XXX-NNN",
+    "severity": "critical|high|medium|low|info",
+    "confidence": "high|medium|low",
+    "category": "category-name",
+    "message": "description",
+    "line": <number>,
+    "dataFlow": {
+      "steps": [{"file": "path", "line": <number>, "description": "what happens", "code": "snippet"}]
+    },
+    "suggestedFix": "how to fix"
+  }]
+}`;
+}
+/**
+ * Parse the LLM's JSON response into AuditFinding objects.
+ */
+export function parseLlmResponse(response, filePath) {
+    try {
+        // Extract JSON from response (may contain markdown wrapping)
+        const jsonMatch = response.match(/\{[\s\S]*\}/);
+        if (!jsonMatch)
+            return [];
+        const data = JSON.parse(jsonMatch[0]);
+        if (!data.findings || !Array.isArray(data.findings))
+            return [];
+        let counter = 0;
+        return data.findings.map((f) => {
+            counter++;
+            const finding = {
+                id: `LLM-${String(counter).padStart(3, "0")}`,
+                ruleId: f.ruleId || "LLM-UNKNOWN",
+                severity: f.severity || "medium",
+                confidence: f.confidence || "medium",
+                category: f.category || "unknown",
+                message: f.message || "",
+                filePath,
+                line: f.line || 1,
+                snippet: "",
+                source: "llm",
+            };
+            // Parse data flow if present
+            if (f.dataFlow && typeof f.dataFlow === "object") {
+                const df = f.dataFlow;
+                if (Array.isArray(df.steps)) {
+                    finding.dataFlow = {
+                        steps: df.steps.map((s) => ({
+                            file: s.file || filePath,
+                            line: s.line || 1,
+                            description: s.description || "",
+                            code: s.code || "",
+                        })),
+                    };
+                }
+            }
+            // Parse suggested fix
+            if (f.suggestedFix && typeof f.suggestedFix === "string") {
+                finding.suggestedFix = f.suggestedFix;
+            }
+            return finding;
+        });
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Run LLM analysis on flagged files.
+ *
+ * @param files - Files that had Tier 1 findings
+ * @param tier1Findings - All Tier 1 findings (to provide context)
+ * @param config - Audit configuration
+ * @returns Additional findings from LLM analysis
+ */
+export async function runLlmAnalysis(files, tier1Findings, config) {
+    if (config.tier1Only || files.length === 0)
+        return [];
+    // Group Tier 1 findings by file
+    const findingsByFile = new Map();
+    for (const f of tier1Findings) {
+        const group = findingsByFile.get(f.filePath) || [];
+        group.push(f);
+        findingsByFile.set(f.filePath, group);
+    }
+    const allLlmFindings = [];
+    // Process files with concurrency limit
+    const concurrency = config.llmConcurrency;
+    for (let i = 0; i < files.length; i += concurrency) {
+        const batch = files.slice(i, i + concurrency);
+        const promises = batch.map(async (file) => {
+            const fileFindings = findingsByFile.get(file.path) || [];
+            const prompt = buildLlmPrompt(file, fileFindings);
+            try {
+                const { stdout } = await execFileAsync(config.llmProvider || "claude", ["--print", prompt], { timeout: config.llmTimeout });
+                return parseLlmResponse(stdout, file.path);
+            }
+            catch {
+                // Graceful fallback: LLM unavailable or timed out
+                return [];
+            }
+        });
+        const results = await Promise.all(promises);
+        for (const findings of results) {
+            allLlmFindings.push(...findings);
+        }
+    }
+    return allLlmFindings;
+}
+//# sourceMappingURL=audit-llm.js.map

package/dist/audit/audit-llm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-llm.js","sourceRoot":"","sources":["../../src/audit/audit-llm.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAQtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,IAAe,EACf,aAA6B;IAE7B,MAAM,gBAAgB,GAAG,aAAa;SACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,OAAO,UAAU,CAAC,CAAC,IAAI,GAAG,CAAC;SAC5F,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,OAAO;;QAED,IAAI,CAAC,IAAI;;EAEf,gBAAgB;;;;EAIhB,IAAI,CAAC,OAAO;;;;;;;;;;;;;;;;;EAiBZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB;IAEhB,IAAI,CAAC;QACH,6DAA6D;QAC7D,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAChD,IAAI,CAAC,SAAS;YAAE,OAAO,EAAE,CAAC;QAE1B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAC;QAE/D,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAA0B,EAAE,EAAE;YACtD,OAAO,EAAE,CAAC;YACV,MAAM,OAAO,GAAiB;gBAC5B,EAAE,EAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBAC7C,MAAM,EAAG,CAAC,CAAC,MAAiB,IAAI,aAAa;gBAC7C,QAAQ,EAAG,CAAC,CAAC,QAAqC,IAAI,QAAQ;gBAC9D,UAAU,EAAG,CAAC,CAAC,UAAyC,IAAI,QAAQ;gBACpE,QAAQ,EAAG,CAAC,CAAC,QAAmB,IAAI,SAAS;gBAC7C,OAAO,EAAG,CAAC,CAAC,OAAkB,IAAI,EAAE;gBACpC,QAAQ;gBACR,IAAI,EAAG,CAAC,CAAC,IAAe,IAAI,CAAC;gBAC7B,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,KAAK;aACd,CAAC;YAEF,6BAA6B;YAC7B,IAAI,CAAC,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACjD,MAAM,EAAE,GAAG,CAAC,CAAC,QAAmC,CAAC;gBACjD,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5B,OAAO,CAAC,QAAQ,GAAG;wBACjB,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAA0B,EAAE,EAAE,CAAC,CAAC;4BACnD,IAAI,EAAG,CAAC,CAAC,IAAe,IAAI,QAAQ;4BACpC,IAAI,EAAG,CAAC,CAAC,IAAe,IAAI,CAAC;4BAC7B,WAAW,EAAG,CAAC,CAAC,WAAsB,IAAI,EAAE;4BAC5C,IAAI,EAAG,CAAC,CAAC,IAAe,IAAI,EAAE;yBAC/B,CAAC,CAAC;qBACoB,CAAC;gBAC5B,CAAC;YACH,CAAC;YAED,sBAAsB;YACtB,IAAI,CAAC,CAAC,YAAY,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACzD,OAAO,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;YACxC,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAkB,EAClB,aAA6B,EAC7B,MAAmB;IAEnB,IAAI,MAAM,CAAC,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtD,gCAAgC;IAChC,MAAM,cAAc,GAAG,IAAI,GAAG,EAA0B,CAAC;IACzD,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnD,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACd,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,cAAc,GAAmB,EAAE,CAAC;IAE1C,uCAAuC;IACvC,MAAM,WAAW,GAAG,MAAM,CAAC,cAAc,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YACxC,MAAM,YAAY,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACzD,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;YAElD,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,MAAM,CAAC,WAAW,IAAI,QAAQ,EAC9B,CAAC,SAAS,EAAE,MAAM,CAAC,EACnB,EAAE,OAAO,EAAE,MAAM,CAAC,UAAU,EAAE,CAC/B,CAAC;gBACF,OAAO,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7C,CAAC;YAAC,MAAM,CAAC;gBACP,kDAAkD;gBAClD,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,KAAK,MAAM,QAAQ,IAAI,OAAO,EAAE,CAAC;YAC/B,cAAc,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC;AACxB,CAAC"}

package/dist/audit/audit-llm.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/audit-llm.test.js

@@ -0,0 +1,110 @@
+import { describe, it, expect } from "vitest";
+import { buildLlmPrompt, parseLlmResponse, runLlmAnalysis } from "./audit-llm.js";
+import { createDefaultAuditConfig } from "./audit-types.js";
+describe("audit-llm", () => {
+    describe("buildLlmPrompt", () => {
+        it("TC-040: builds correct prompt with file content and Tier 1 findings", () => {
+            const file = {
+                path: "src/handler.ts",
+                content: 'const msg = req.body.message;\nexec(`echo ${msg}`);',
+                sizeBytes: 50,
+            };
+            const findings = [
+                {
+                    id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high",
+                    category: "command-injection", message: "exec() call detected",
+                    filePath: "src/handler.ts", line: 2, snippet: "exec(`echo ${msg}`);",
+                    source: "tier1",
+                },
+            ];
+            const prompt = buildLlmPrompt(file, findings);
+            expect(prompt).toContain("src/handler.ts");
+            expect(prompt).toContain("exec(`echo ${msg}`)");
+            expect(prompt).toContain("CI-001");
+            expect(prompt).toContain("command-injection");
+        });
+    });
+    describe("parseLlmResponse", () => {
+        it("TC-041: parses valid LLM JSON response", () => {
+            const response = JSON.stringify({
+                findings: [
+                    {
+                        ruleId: "LLM-CI-001",
+                        severity: "critical",
+                        confidence: "high",
+                        category: "command-injection",
+                        message: "Command injection via webhook payload",
+                        line: 2,
+                        dataFlow: {
+                            steps: [
+                                { file: "src/handler.ts", line: 1, description: "User input", code: "const msg = req.body.message;" },
+                                { file: "src/handler.ts", line: 2, description: "Shell exec", code: "exec(`echo ${msg}`);" },
+                            ],
+                        },
+                        suggestedFix: "Use execFile with array args instead of exec with template",
+                    },
+                ],
+            });
+            const parsed = parseLlmResponse(response, "src/handler.ts");
+            expect(parsed).toHaveLength(1);
+            expect(parsed[0].ruleId).toBe("LLM-CI-001");
+            expect(parsed[0].source).toBe("llm");
+            expect(parsed[0].filePath).toBe("src/handler.ts");
+        });
+        it("TC-042: returns empty array on invalid JSON", () => {
+            const parsed = parseLlmResponse("not json at all", "src/file.ts");
+            expect(parsed).toHaveLength(0);
+        });
+        it("TC-045: data flow trace is parsed from LLM response", () => {
+            const response = JSON.stringify({
+                findings: [{
+                        ruleId: "LLM-SSRF-001",
+                        severity: "high",
+                        confidence: "high",
+                        category: "ssrf",
+                        message: "SSRF via user URL",
+                        line: 10,
+                        dataFlow: {
+                            steps: [
+                                { file: "src/api.ts", line: 5, description: "Input received", code: "const url = req.query.url;" },
+                                { file: "src/api.ts", line: 10, description: "Fetch called", code: "fetch(url);" },
+                            ],
+                        },
+                    }],
+            });
+            const parsed = parseLlmResponse(response, "src/api.ts");
+            expect(parsed[0].dataFlow).toBeDefined();
+            expect(parsed[0].dataFlow.steps).toHaveLength(2);
+            expect(parsed[0].dataFlow.steps[0].file).toBe("src/api.ts");
+            expect(parsed[0].dataFlow.steps[1].line).toBe(10);
+        });
+        it("TC-046: missing data flow is handled gracefully", () => {
+            const response = JSON.stringify({
+                findings: [{
+                        ruleId: "LLM-XSS-001",
+                        severity: "high",
+                        confidence: "medium",
+                        category: "xss",
+                        message: "Potential XSS",
+                        line: 5,
+                    }],
+            });
+            const parsed = parseLlmResponse(response, "src/page.ts");
+            expect(parsed[0].dataFlow).toBeUndefined();
+        });
+    });
+    describe("runLlmAnalysis", () => {
+        it("TC-043: skips LLM when tier1Only is true", async () => {
+            const config = createDefaultAuditConfig();
+            config.tier1Only = true;
+            const result = await runLlmAnalysis([], [], config);
+            expect(result).toHaveLength(0);
+        });
+        it("TC-044: returns empty when no flagged files", async () => {
+            const config = createDefaultAuditConfig();
+            const result = await runLlmAnalysis([], [], config);
+            expect(result).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=audit-llm.test.js.map

package/dist/audit/audit-llm.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-llm.test.js","sourceRoot":"","sources":["../../src/audit/audit-llm.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAkB,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAClF,OAAO,EAAE,wBAAwB,EAAqC,MAAM,kBAAkB,CAAC;AAE/F,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;YAC7E,MAAM,IAAI,GAAc;gBACtB,IAAI,EAAE,gBAAgB;gBACtB,OAAO,EAAE,qDAAqD;gBAC9D,SAAS,EAAE,EAAE;aACd,CAAC;YACF,MAAM,QAAQ,GAAmB;gBAC/B;oBACE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;oBACxE,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,sBAAsB;oBAC9D,QAAQ,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,sBAAsB;oBACpE,MAAM,EAAE,OAAO;iBAChB;aACF,CAAC;YAEF,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAE9C,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC9B,QAAQ,EAAE;oBACR;wBACE,MAAM,EAAE,YAAY;wBACpB,QAAQ,EAAE,UAAU;wBACpB,UAAU,EAAE,MAAM;wBAClB,QAAQ,EAAE,mBAAmB;wBAC7B,OAAO,EAAE,uCAAuC;wBAChD,IAAI,EAAE,CAAC;wBACP,QAAQ,EAAE;4BACR,KAAK,EAAE;gCACL,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,+BAA+B,EAAE;gCACrG,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE;6BAC7F;yBACF;wBACD,YAAY,EAAE,4DAA4D;qBAC3E;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;YAE5D,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC5C,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;YACrD,MAAM,MAAM,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;YAClE,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;YAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC9B,QAAQ,EAAE,CAAC;wBACT,MAAM,EAAE,cAAc;wBACtB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,MAAM;wBAClB,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,mBAAmB;wBAC5B,IAAI,EAAE,EAAE;wBACR,QAAQ,EAAE;4BACR,KAAK,EAAE;gCACL,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,gBAAgB,EAAE,IAAI,EAAE,4BAA4B,EAAE;gCAClG,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE;6BACnF;yBACF;qBACF,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YAExD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAS,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC7D,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC9B,QAAQ,EAAE,CAAC;wBACT,MAAM,EAAE,aAAa;wBACrB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,QAAQ;wBACpB,QAAQ,EAAE,KAAK;wBACf,OAAO,EAAE,eAAe;wBACxB,IAAI,EAAE,CAAC;qBACR,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,aAAa,EAAE,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;YAC1C,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;YAExB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YAEpD,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YACpD,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/audit-patterns.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Extended audit patterns for project-level security scanning.
+ *
+ * Imports the existing 37 SCAN_PATTERNS from the scanner module
+ * and extends them with project-audit-specific patterns for
+ * SQL injection, SSRF, XSS, hardcoded secrets, etc.
+ */
+import type { PatternCheck } from "../scanner/types.js";
+/**
+ * Extended pattern with safe-context awareness and confidence.
+ */
+export interface AuditPatternCheck extends PatternCheck {
+    /** Pattern ID (unique across all patterns) */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Regexes that suppress the finding when they match the line */
+    safeContexts?: RegExp[];
+    /** Default confidence for this pattern */
+    confidence: "high" | "medium" | "low";
+}
+/**
+ * Project-specific security patterns (beyond the existing 37 skill patterns).
+ */
+export declare const PROJECT_PATTERNS: AuditPatternCheck[];
+/**
+ * Combined audit patterns: original SCAN_PATTERNS + project-specific patterns.
+ *
+ * The SCAN_PATTERNS are adapted to AuditPatternCheck interface (id from ScanPattern.id).
+ */
+export declare const AUDIT_PATTERNS: AuditPatternCheck[];