vskill 0.1.2 → 0.1.3

package/dist/audit/audit-patterns.js

@@ -0,0 +1,239 @@
+/**
+ * Extended audit patterns for project-level security scanning.
+ *
+ * Imports the existing 37 SCAN_PATTERNS from the scanner module
+ * and extends them with project-audit-specific patterns for
+ * SQL injection, SSRF, XSS, hardcoded secrets, etc.
+ */
+import { SCAN_PATTERNS } from "../scanner/patterns.js";
+/**
+ * Project-specific security patterns (beyond the existing 37 skill patterns).
+ */
+export const PROJECT_PATTERNS = [
+    // --- SQL Injection ---
+    {
+        id: "SQLI-001",
+        name: "SQL string concatenation",
+        severity: "critical",
+        category: "sql-injection",
+        message: "SQL query built with string concatenation — use parameterized queries",
+        pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\s+.*(?:\+\s*\w|\$\{)/gi,
+        confidence: "high",
+        safeContexts: [/\/\/.*SQL/i, /\*.*SQL/i],
+    },
+    {
+        id: "SQLI-002",
+        name: "Raw SQL template literal",
+        severity: "high",
+        category: "sql-injection",
+        message: "SQL query in template literal with interpolation",
+        pattern: /`\s*(?:SELECT|INSERT|UPDATE|DELETE)\s+[^`]*\$\{/gi,
+        confidence: "high",
+    },
+    {
+        id: "SQLI-003",
+        name: "Unparameterized query method",
+        severity: "high",
+        category: "sql-injection",
+        message: "Database query with string interpolation instead of parameters",
+        pattern: /\.(?:query|execute|raw)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/gi,
+        confidence: "medium",
+    },
+    // --- SSRF ---
+    {
+        id: "SSRF-001",
+        name: "Fetch with variable URL",
+        severity: "high",
+        category: "ssrf",
+        message: "HTTP request with user-controlled URL — validate against allowlist",
+        pattern: /(?:fetch|axios\.get|axios\.post|got|request|http\.get|https\.get)\s*\(\s*(?:[a-zA-Z_]\w*(?:\.\w+)*)\s*[,)]/g,
+        confidence: "medium",
+        safeContexts: [/const\s+\w+\s*=\s*['"]https?:\/\//, /\.env\./],
+    },
+    {
+        id: "SSRF-002",
+        name: "URL from request parameters",
+        severity: "critical",
+        category: "ssrf",
+        message: "URL constructed from request input — potential SSRF",
+        pattern: /(?:req\.(?:query|params|body)\.\w+|request\.(?:query|params|body)\.\w+).*(?:fetch|axios|got|request|http|https)/g,
+        confidence: "high",
+    },
+    // --- Broken Access Control ---
+    {
+        id: "BAC-001",
+        name: "Missing auth middleware",
+        severity: "medium",
+        category: "broken-access-control",
+        message: "Route handler without visible authentication middleware",
+        pattern: /(?:app|router)\.(?:get|post|put|patch|delete)\s*\(\s*['"][^'"]*['"]\s*,\s*(?:async\s+)?\(?(?:req|ctx)/g,
+        confidence: "low",
+        safeContexts: [/auth/, /protect/, /guard/, /middleware/, /public/, /health/],
+    },
+    {
+        id: "BAC-002",
+        name: "Direct ID access without ownership check",
+        severity: "medium",
+        category: "broken-access-control",
+        message: "Resource accessed by ID from request without ownership verification",
+        pattern: /(?:findById|findOne|findUnique)\s*\(\s*(?:req\.(?:params|query|body)\.\w+|ctx\.params\.\w+)/g,
+        confidence: "low",
+        safeContexts: [/userId/, /session\.user/, /currentUser/],
+    },
+    // --- Hardcoded Secrets ---
+    {
+        id: "HS-001",
+        name: "API key assignment",
+        severity: "critical",
+        category: "hardcoded-secrets",
+        message: "Hardcoded API key or secret in source code",
+        pattern: /(?:api[_-]?key|apiKey|secret[_-]?key|secretKey|access[_-]?token|accessToken)\s*[:=]\s*['"][a-zA-Z0-9_\-]{16,}['"]/gi,
+        confidence: "high",
+        safeContexts: [/process\.env/, /\.env/, /example/, /placeholder/, /test/i, /mock/i],
+    },
+    {
+        id: "HS-002",
+        name: "Private key in source",
+        severity: "critical",
+        category: "hardcoded-secrets",
+        message: "Private key embedded in source code",
+        pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/g,
+        confidence: "high",
+    },
+    {
+        id: "HS-003",
+        name: "Password assignment",
+        severity: "high",
+        category: "hardcoded-secrets",
+        message: "Hardcoded password in source code",
+        pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]/gi,
+        confidence: "medium",
+        safeContexts: [/process\.env/, /\.env/, /hash/, /bcrypt/, /argon/, /test/i, /mock/i, /example/i],
+    },
+    {
+        id: "HS-004",
+        name: "AWS/cloud credential pattern",
+        severity: "critical",
+        category: "hardcoded-secrets",
+        message: "Cloud provider credential pattern detected",
+        pattern: /(?:AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36})/g,
+        confidence: "high",
+    },
+    // --- XSS ---
+    {
+        id: "XSS-001",
+        name: "innerHTML assignment",
+        severity: "high",
+        category: "xss",
+        message: "Direct innerHTML assignment — use textContent or sanitize input",
+        pattern: /\.innerHTML\s*=\s*/g,
+        confidence: "high",
+        safeContexts: [/sanitize/, /DOMPurify/, /escape/],
+    },
+    {
+        id: "XSS-002",
+        name: "dangerouslySetInnerHTML",
+        severity: "high",
+        category: "xss",
+        message: "React dangerouslySetInnerHTML — ensure content is sanitized",
+        pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
+        confidence: "high",
+        safeContexts: [/sanitize/, /DOMPurify/],
+    },
+    {
+        id: "XSS-003",
+        name: "document.write",
+        severity: "high",
+        category: "xss",
+        message: "document.write with dynamic content — potential XSS",
+        pattern: /document\.write(?:ln)?\s*\(/g,
+        confidence: "medium",
+    },
+    // --- Open Redirect ---
+    {
+        id: "OR-001",
+        name: "Redirect from user input",
+        severity: "medium",
+        category: "open-redirect",
+        message: "Redirect URL from user input — validate against allowlist",
+        pattern: /(?:res\.redirect|redirect|location\.href|window\.location)\s*(?:\(|\s*=)\s*(?:req\.(?:query|params|body)\.\w+)/g,
+        confidence: "high",
+    },
+    {
+        id: "OR-002",
+        name: "Location header from variable",
+        severity: "medium",
+        category: "open-redirect",
+        message: "Location header set from variable — potential open redirect",
+        pattern: /(?:setHeader|set)\s*\(\s*['"]Location['"]\s*,\s*(?:[a-zA-Z_]\w*)/gi,
+        confidence: "low",
+        safeContexts: [/allowlist/, /whitelist/, /valid/],
+    },
+    // --- Insecure Deserialization ---
+    {
+        id: "ID-001",
+        name: "YAML unsafe load",
+        severity: "high",
+        category: "insecure-deserialization",
+        message: "yaml.load without safe loader — use yaml.safeLoad or yaml.load with safe schema",
+        pattern: /yaml\.load\s*\(/g,
+        confidence: "medium",
+        safeContexts: [/safe/, /safeLoad/, /SAFE_SCHEMA/],
+    },
+    {
+        id: "ID-002",
+        name: "Pickle deserialization",
+        severity: "critical",
+        category: "insecure-deserialization",
+        message: "pickle.loads on untrusted data — use safe alternatives",
+        pattern: /pickle\.loads?\s*\(/g,
+        confidence: "high",
+    },
+    {
+        id: "ID-003",
+        name: "Unsafe JSON parse of request body",
+        severity: "low",
+        category: "insecure-deserialization",
+        message: "JSON.parse of raw request body — ensure schema validation",
+        pattern: /JSON\.parse\s*\(\s*(?:req\.body|request\.body|body)\s*\)/g,
+        confidence: "low",
+        safeContexts: [/zod/, /joi/, /yup/, /ajv/, /validate/],
+    },
+    // --- Weak Cryptography ---
+    {
+        id: "WC-001",
+        name: "MD5 usage",
+        severity: "medium",
+        category: "weak-cryptography",
+        message: "MD5 is cryptographically broken — use SHA-256 or better",
+        pattern: /(?:createHash|crypto\.subtle\.digest)\s*\(\s*['"]md5['"]/gi,
+        confidence: "high",
+    },
+    {
+        id: "WC-002",
+        name: "SHA-1 usage",
+        severity: "medium",
+        category: "weak-cryptography",
+        message: "SHA-1 is deprecated — use SHA-256 or better",
+        pattern: /(?:createHash|crypto\.subtle\.digest)\s*\(\s*['"]sha-?1['"]/gi,
+        confidence: "high",
+    },
+];
+/**
+ * Combined audit patterns: original SCAN_PATTERNS + project-specific patterns.
+ *
+ * The SCAN_PATTERNS are adapted to AuditPatternCheck interface (id from ScanPattern.id).
+ */
+export const AUDIT_PATTERNS = [
+    ...SCAN_PATTERNS.map((sp) => ({
+        id: sp.id,
+        name: sp.name,
+        severity: sp.severity,
+        category: sp.category,
+        message: sp.description,
+        pattern: sp.pattern,
+        confidence: "high",
+    })),
+    ...PROJECT_PATTERNS,
+];
+//# sourceMappingURL=audit-patterns.js.map

package/dist/audit/audit-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-patterns.js","sourceRoot":"","sources":["../../src/audit/audit-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,aAAa,EAAoB,MAAM,wBAAwB,CAAC;AAiBzE;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAwB;IACnD,wBAAwB;IACxB;QACE,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,uEAAuE;QAChF,OAAO,EAAE,0EAA0E;QACnF,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC;KACzC;IACD;QACE,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,kDAAkD;QAC3D,OAAO,EAAE,mDAAmD;QAC5D,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,gEAAgE;QACzE,OAAO,EAAE,qEAAqE;QAC9E,UAAU,EAAE,QAAQ;KACrB;IAED,eAAe;IACf;QACE,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,oEAAoE;QAC7E,OAAO,EAAE,6GAA6G;QACtH,UAAU,EAAE,QAAQ;QACpB,YAAY,EAAE,CAAC,mCAAmC,EAAE,SAAS,CAAC;KAC/D;IACD;QACE,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,qDAAqD;QAC9D,OAAO,EAAE,kHAAkH;QAC3H,UAAU,EAAE,MAAM;KACnB;IAED,gCAAgC;IAChC;QACE,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,uBAAuB;QACjC,OAAO,EAAE,yDAAyD;QAClE,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,KAAK;QACjB,YAAY,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC7E;IACD;QACE,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,uBAAuB;QACjC,OAAO,EAAE,qEAAqE;QAC9E,OAAO,EAAE,8FAA8F;QACvG,UAAU,EAAE,KAAK;QACjB,YAAY,EAAE,CAAC,QAAQ,EAAE,eAAe,EAAE,aAAa,CAAC;KACzD;IAED,4BAA4B;IAC5B;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,4CAA4C;QACrD,OAAO,EAAE,qHAAqH;QAC9H,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,CAAC,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,CAAC;KACpF;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,qCAAqC;QAC9C,OAAO,EAAE,6CAA6C;QACtD,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,mCAAmC;QAC5C,OAAO,EAAE,sDAAsD;QAC/D,UAAU,EAAE,QAAQ;QACpB,YAAY,EAAE,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;KACjG;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,4CAA4C;QACrD,OAAO,EAAE,mFAAmF;QAC5F,UAAU,EAAE,MAAM;KACnB;IAED,cAAc;IACd;QACE,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,iEAAiE;QAC1E,OAAO,EAAE,qBAAqB;QAC9B,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,CAAC,UAAU,EAAE,WAAW,EAAE,QAAQ,CAAC;KAClD;IACD;QACE,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,6DAA6D;QACtE,OAAO,EAAE,wCAAwC;QACjD,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,CAAC,UAAU,EAAE,WAAW,CAAC;KACxC;IACD;QACE,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,qDAAqD;QAC9D,OAAO,EAAE,8BAA8B;QACvC,UAAU,EAAE,QAAQ;KACrB;IAED,wBAAwB;IACxB;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,2DAA2D;QACpE,OAAO,EAAE,iHAAiH;QAC1H,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,6DAA6D;QACtE,OAAO,EAAE,oEAAoE;QAC7E,UAAU,EAAE,KAAK;QACjB,YAAY,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,CAAC;KAClD;IAED,mCAAmC;IACnC;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,0BAA0B;QACpC,OAAO,EAAE,iFAAiF;QAC1F,OAAO,EAAE,kBAAkB;QAC3B,UAAU,EAAE,QAAQ;QACpB,YAAY,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,aAAa,CAAC;KAClD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,0BAA0B;QACpC,OAAO,EAAE,wDAAwD;QACjE,OAAO,EAAE,sBAAsB;QAC/B,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,0BAA0B;QACpC,OAAO,EAAE,2DAA2D;QACpE,OAAO,EAAE,2DAA2D;QACpE,UAAU,EAAE,KAAK;QACjB,YAAY,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC;KACvD;IAED,4BAA4B;IAC5B;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,yDAAyD;QAClE,OAAO,EAAE,4DAA4D;QACrE,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,6CAA6C;QACtD,OAAO,EAAE,+DAA+D;QACxE,UAAU,EAAE,MAAM;KACnB;CACF,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAwB;IACjD,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5B,EAAE,EAAE,EAAE,CAAC,EAAE;QACT,IAAI,EAAE,EAAE,CAAC,IAAI;QACb,QAAQ,EAAE,EAAE,CAAC,QAAyC;QACtD,QAAQ,EAAE,EAAE,CAAC,QAAQ;QACrB,OAAO,EAAE,EAAE,CAAC,WAAW;QACvB,OAAO,EAAE,EAAE,CAAC,OAAO;QACnB,UAAU,EAAE,MAAe;KAC5B,CAAC,CAAC;IACH,GAAG,gBAAgB;CACpB,CAAC"}

package/dist/audit/audit-patterns.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/audit-patterns.test.js

@@ -0,0 +1,91 @@
+import { describe, it, expect } from "vitest";
+import { AUDIT_PATTERNS, PROJECT_PATTERNS } from "./audit-patterns.js";
+import { SCAN_PATTERNS } from "../scanner/patterns.js";
+describe("audit-patterns", () => {
+    it("TC-009: AUDIT_PATTERNS includes all 37 original SCAN_PATTERNS", () => {
+        const auditIds = new Set(AUDIT_PATTERNS.map((p) => p.id));
+        for (const original of SCAN_PATTERNS) {
+            expect(auditIds.has(original.id)).toBe(true);
+        }
+    });
+    it("TC-010: AUDIT_PATTERNS adds at least 15 new project-specific patterns", () => {
+        const originalIds = new Set(SCAN_PATTERNS.map((p) => p.id));
+        const newPatterns = AUDIT_PATTERNS.filter((p) => !originalIds.has(p.id));
+        expect(newPatterns.length).toBeGreaterThanOrEqual(15);
+    });
+    it("TC-011: SQL injection pattern detects string concatenation in queries", () => {
+        const sqliPatterns = PROJECT_PATTERNS.filter((p) => p.category === "sql-injection");
+        expect(sqliPatterns.length).toBeGreaterThan(0);
+        const testLine = `"SELECT * FROM users WHERE id = '" + userId + "'"`;
+        const matched = sqliPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-012: SSRF pattern detects URL construction from variables", () => {
+        const ssrfPatterns = PROJECT_PATTERNS.filter((p) => p.category === "ssrf");
+        expect(ssrfPatterns.length).toBeGreaterThan(0);
+        const testLine = `fetch(userProvidedUrl)`;
+        const matched = ssrfPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-013: Hardcoded secret pattern detects API key assignments", () => {
+        const secretPatterns = PROJECT_PATTERNS.filter((p) => p.category === "hardcoded-secrets");
+        expect(secretPatterns.length).toBeGreaterThan(0);
+        const testLine = `const API_KEY = "sk-1234567890abcdef"`;
+        const matched = secretPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-014: XSS pattern detects innerHTML assignment", () => {
+        const xssPatterns = PROJECT_PATTERNS.filter((p) => p.category === "xss");
+        expect(xssPatterns.length).toBeGreaterThan(0);
+        const testLine = `element.innerHTML = userInput`;
+        const matched = xssPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-015: safe contexts suppress false positives", () => {
+        const patternsWithSafe = PROJECT_PATTERNS.filter((p) => p.safeContexts && p.safeContexts.length > 0);
+        expect(patternsWithSafe.length).toBeGreaterThan(0);
+        // For each pattern with safeContexts, at least one safe context regex exists
+        for (const pattern of patternsWithSafe) {
+            expect(pattern.safeContexts.length).toBeGreaterThan(0);
+            expect(pattern.safeContexts[0]).toBeInstanceOf(RegExp);
+        }
+    });
+    it("TC-016: all pattern IDs are unique across combined set", () => {
+        const ids = AUDIT_PATTERNS.map((p) => p.id);
+        const uniqueIds = new Set(ids);
+        expect(uniqueIds.size).toBe(ids.length);
+    });
+    it("detects open redirect pattern", () => {
+        const redirectPatterns = PROJECT_PATTERNS.filter((p) => p.category === "open-redirect");
+        expect(redirectPatterns.length).toBeGreaterThan(0);
+        const testLine = `res.redirect(req.query.url)`;
+        const matched = redirectPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("detects insecure deserialization", () => {
+        const deserPatterns = PROJECT_PATTERNS.filter((p) => p.category === "insecure-deserialization");
+        expect(deserPatterns.length).toBeGreaterThan(0);
+        const testLine = `yaml.load(userInput)`;
+        const matched = deserPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+});
+//# sourceMappingURL=audit-patterns.test.js.map

package/dist/audit/audit-patterns.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-patterns.test.js","sourceRoot":"","sources":["../../src/audit/audit-patterns.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC1D,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;YACrC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACzE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,YAAY,GAAG,gBAAgB,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,eAAe,CACtC,CAAC;QACF,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,mDAAmD,CAAC;QACrE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACtC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,YAAY,GAAG,gBAAgB,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAC7B,CAAC;QACF,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,wBAAwB,CAAC;QAC1C,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACtC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,cAAc,GAAG,gBAAgB,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,mBAAmB,CAC1C,CAAC;QACF,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEjD,MAAM,QAAQ,GAAG,uCAAuC,CAAC;QACzD,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACxC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,CACzC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAC5B,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE9C,MAAM,QAAQ,GAAG,+BAA+B,CAAC;QACjD,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACrC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CACnD,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEnD,6EAA6E;QAC7E,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;YACvC,MAAM,CAAC,OAAO,CAAC,YAAa,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACxD,MAAM,CAAC,OAAO,CAAC,YAAa,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,eAAe,CACtC,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,6BAA6B,CAAC;QAC/C,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,CAC3C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,0BAA0B,CACjD,CAAC;QACF,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEhD,MAAM,QAAQ,GAAG,sBAAsB,CAAC;QACxC,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACvC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/audit-scanner.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Core audit scanner — orchestrates Tier 1 pattern scanning across files.
+ *
+ * Runs extended audit patterns against each discovered file and produces
+ * an aggregated AuditResult with per-file findings, summary statistics,
+ * score, and verdict.
+ */
+import type { AuditConfig, AuditFile, AuditResult } from "./audit-types.js";
+/**
+ * Run the audit scan across all provided files.
+ *
+ * @param files - Discovered files to scan
+ * @param config - Audit configuration
+ * @returns Complete AuditResult with findings, summary, and metadata
+ */
+export declare function runAuditScan(files: AuditFile[], config: AuditConfig): AuditResult;

package/dist/audit/audit-scanner.js

@@ -0,0 +1,151 @@
+/**
+ * Core audit scanner — orchestrates Tier 1 pattern scanning across files.
+ *
+ * Runs extended audit patterns against each discovered file and produces
+ * an aggregated AuditResult with per-file findings, summary statistics,
+ * score, and verdict.
+ */
+import { AUDIT_PATTERNS } from "./audit-patterns.js";
+/** Severity scoring weights (same as existing tier1.ts) */
+const SEVERITY_DEDUCTIONS = {
+    critical: 25,
+    high: 15,
+    medium: 8,
+    low: 3,
+    info: 0,
+};
+const SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"];
+/**
+ * Scan a single file against all audit patterns.
+ */
+function scanFile(file, patterns, findingCounter) {
+    const lines = file.content.split("\n");
+    const findings = [];
+    for (const pattern of patterns) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        for (let lineIdx = 0; lineIdx < lines.length; lineIdx++) {
+            const line = lines[lineIdx];
+            let match;
+            while ((match = regex.exec(line)) !== null) {
+                // Check safe contexts
+                if (pattern.safeContexts?.some((sc) => sc.test(line))) {
+                    break;
+                }
+                // Build code snippet with 2 lines context
+                const snippetLines = [];
+                const startLine = Math.max(0, lineIdx - 2);
+                const endLine = Math.min(lines.length - 1, lineIdx + 2);
+                for (let i = startLine; i <= endLine; i++) {
+                    const prefix = i === lineIdx ? ">" : " ";
+                    snippetLines.push(`${prefix} ${i + 1} | ${lines[i]}`);
+                }
+                findingCounter.count++;
+                findings.push({
+                    id: `AF-${String(findingCounter.count).padStart(3, "0")}`,
+                    ruleId: pattern.id,
+                    severity: pattern.severity,
+                    confidence: pattern.confidence,
+                    category: pattern.category,
+                    message: pattern.message,
+                    filePath: file.path,
+                    line: lineIdx + 1,
+                    column: match.index + 1,
+                    snippet: snippetLines.join("\n"),
+                    source: "tier1",
+                });
+                // Prevent infinite loop on zero-length matches
+                if (match[0].length === 0)
+                    break;
+            }
+        }
+    }
+    return findings;
+}
+/**
+ * Run the audit scan across all provided files.
+ *
+ * @param files - Discovered files to scan
+ * @param config - Audit configuration
+ * @returns Complete AuditResult with findings, summary, and metadata
+ */
+export function runAuditScan(files, config) {
+    const startedAt = new Date().toISOString();
+    const start = performance.now();
+    const allFindings = [];
+    const filesWithFindingsSet = new Set();
+    const findingCounter = { count: 0 };
+    for (const file of files) {
+        const fileFindings = scanFile(file, AUDIT_PATTERNS, findingCounter);
+        if (fileFindings.length > 0) {
+            filesWithFindingsSet.add(file.path);
+            allFindings.push(...fileFindings);
+        }
+    }
+    // Sort: severity (critical first), then file path
+    allFindings.sort((a, b) => {
+        const sevA = SEVERITY_ORDER.indexOf(a.severity);
+        const sevB = SEVERITY_ORDER.indexOf(b.severity);
+        if (sevA !== sevB)
+            return sevA - sevB;
+        return a.filePath.localeCompare(b.filePath);
+    });
+    // Compute summary
+    const summary = computeSummary(allFindings);
+    const durationMs = Math.round(performance.now() - start);
+    return {
+        rootPath: "",
+        startedAt,
+        completedAt: new Date().toISOString(),
+        durationMs,
+        filesScanned: files.length,
+        filesWithFindings: filesWithFindingsSet.size,
+        findings: allFindings,
+        summary,
+        config,
+    };
+}
+function computeSummary(findings) {
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let info = 0;
+    for (const f of findings) {
+        switch (f.severity) {
+            case "critical":
+                critical++;
+                break;
+            case "high":
+                high++;
+                break;
+            case "medium":
+                medium++;
+                break;
+            case "low":
+                low++;
+                break;
+            case "info":
+                info++;
+                break;
+        }
+    }
+    let score = 100;
+    for (const f of findings) {
+        score -= SEVERITY_DEDUCTIONS[f.severity];
+    }
+    score = Math.max(0, Math.min(100, score));
+    let verdict;
+    if (score >= 80)
+        verdict = "PASS";
+    else if (score >= 50)
+        verdict = "CONCERNS";
+    else
+        verdict = "FAIL";
+    return {
+        critical, high, medium, low, info,
+        total: findings.length,
+        score,
+        verdict,
+    };
+}
+//# sourceMappingURL=audit-scanner.js.map

package/dist/audit/audit-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-scanner.js","sourceRoot":"","sources":["../../src/audit/audit-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,cAAc,EAA0B,MAAM,qBAAqB,CAAC;AAW7E,2DAA2D;AAC3D,MAAM,mBAAmB,GAA6B;IACpD,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,MAAM,cAAc,GAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;AAEjF;;GAEG;AACH,SAAS,QAAQ,CACf,IAAe,EACf,QAA6B,EAC7B,cAAiC;IAEjC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAExE,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;YACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;YAC5B,IAAI,KAA6B,CAAC;YAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC3C,sBAAsB;gBACtB,IAAI,OAAO,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBACtD,MAAM;gBACR,CAAC;gBAED,0CAA0C;gBAC1C,MAAM,YAAY,GAAa,EAAE,CAAC;gBAClC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBACxD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC1C,MAAM,MAAM,GAAG,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;oBACzC,YAAY,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACxD,CAAC;gBAED,cAAc,CAAC,KAAK,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,MAAM,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACzD,MAAM,EAAE,OAAO,CAAC,EAAE;oBAClB,QAAQ,EAAE,OAAO,CAAC,QAAoB;oBACtC,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,IAAI,EAAE,OAAO,GAAG,CAAC;oBACjB,MAAM,EAAE,KAAK,CAAC,KAAK,GAAG,CAAC;oBACvB,OAAO,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;oBAChC,MAAM,EAAE,OAAO;iBAChB,CAAC,CAAC;gBAEH,+CAA+C;gBAC/C,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC;oBAAE,MAAM;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,KAAkB,EAClB,MAAmB;IAEnB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEhC,MAAM,WAAW,GAAmB,EAAE,CAAC;IACvC,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/C,MAAM,cAAc,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;QACpE,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,oBAAoB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpC,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACxB,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,QAAoB,CAAC,CAAC;QAC5D,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,QAAoB,CAAC,CAAC;QAC5D,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,GAAG,IAAI,CAAC;QACtC,OAAO,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,MAAM,OAAO,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAE5C,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;IAEzD,OAAO;QACL,QAAQ,EAAE,EAAE;QACZ,SAAS;QACT,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,UAAU;QACV,YAAY,EAAE,KAAK,CAAC,MAAM;QAC1B,iBAAiB,EAAE,oBAAoB,CAAC,IAAI;QAC5C,QAAQ,EAAE,WAAW;QACrB,OAAO;QACP,MAAM;KACP,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,QAAwB;IAC9C,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,IAAI,GAAG,CAAC,CAAC;IAEb,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;YACnB,KAAK,UAAU;gBAAE,QAAQ,EAAE,CAAC;gBAAC,MAAM;YACnC,KAAK,MAAM;gBAAE,IAAI,EAAE,CAAC;gBAAC,MAAM;YAC3B,KAAK,QAAQ;gBAAE,MAAM,EAAE,CAAC;gBAAC,MAAM;YAC/B,KAAK,KAAK;gBAAE,GAAG,EAAE,CAAC;gBAAC,MAAM;YACzB,KAAK,MAAM;gBAAE,IAAI,EAAE,CAAC;gBAAC,MAAM;QAC7B,CAAC;IACH,CAAC;IAED,IAAI,KAAK,GAAG,GAAG,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,KAAK,IAAI,mBAAmB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IACD,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAE1C,IAAI,OAAoB,CAAC;IACzB,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,GAAG,MAAM,CAAC;SAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,GAAG,UAAU,CAAC;;QACtC,OAAO,GAAG,MAAM,CAAC;IAEtB,OAAO;QACL,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI;QACjC,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,KAAK;QACL,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/audit/audit-scanner.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/audit-scanner.test.js

@@ -0,0 +1,112 @@
+import { describe, it, expect } from "vitest";
+import { runAuditScan } from "./audit-scanner.js";
+import { createDefaultAuditConfig } from "./audit-types.js";
+function makeFile(path, content) {
+    return { path, content, sizeBytes: Buffer.byteLength(content) };
+}
+describe("audit-scanner", () => {
+    it("TC-017: returns empty findings for clean files", () => {
+        const files = [
+            makeFile("src/clean.ts", "const x = 1;\nconst y = 2;\nexport { x, y };"),
+            makeFile("src/utils.ts", "export function add(a: number, b: number) { return a + b; }"),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.findings).toHaveLength(0);
+        expect(result.summary.verdict).toBe("PASS");
+        expect(result.summary.total).toBe(0);
+        expect(result.summary.score).toBe(100);
+    });
+    it("TC-018: detects findings across multiple files", () => {
+        const files = [
+            makeFile("src/cmd.ts", 'exec("rm -rf /");'),
+            makeFile("src/xss.ts", 'element.innerHTML = userInput;'),
+            makeFile("src/sql.ts", '`SELECT * FROM users WHERE id = ${userId}`'),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.findings.length).toBeGreaterThanOrEqual(3);
+        const filePaths = new Set(result.findings.map((f) => f.filePath));
+        expect(filePaths.has("src/cmd.ts")).toBe(true);
+        expect(filePaths.has("src/xss.ts")).toBe(true);
+        expect(filePaths.has("src/sql.ts")).toBe(true);
+    });
+    it("TC-019: findings are sorted by severity then file path", () => {
+        const files = [
+            makeFile("z-file.ts", "element.innerHTML = x;"), // high
+            makeFile("a-file.ts", 'eval("code");'), // critical
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        // Critical should come before high
+        const severities = result.findings.map((f) => f.severity);
+        const criticalIndex = severities.indexOf("critical");
+        const highIndex = severities.indexOf("high");
+        if (criticalIndex !== -1 && highIndex !== -1) {
+            expect(criticalIndex).toBeLessThan(highIndex);
+        }
+    });
+    it("TC-020: summary statistics are accurate", () => {
+        const files = [
+            makeFile("src/a.ts", 'eval("x");'), // critical (CE-001)
+            makeFile("src/b.ts", "element.innerHTML = y;"), // high (XSS-001)
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.summary.total).toBe(result.findings.length);
+        expect(result.summary.critical + result.summary.high + result.summary.medium +
+            result.summary.low + result.summary.info).toBe(result.summary.total);
+    });
+    it("TC-021: score and verdict are calculated correctly", () => {
+        // Clean project -> score 100, PASS
+        const cleanFiles = [
+            makeFile("src/clean.ts", "const x = 1;"),
+        ];
+        const config = createDefaultAuditConfig();
+        const cleanResult = runAuditScan(cleanFiles, config);
+        expect(cleanResult.summary.score).toBe(100);
+        expect(cleanResult.summary.verdict).toBe("PASS");
+        // Many critical findings -> score < 50, FAIL
+        const badFiles = [
+            makeFile("src/bad.ts", [
+                'eval("a");',
+                'eval("b");',
+                'eval("c");',
+                'eval("d");',
+                'eval("e");',
+            ].join("\n")),
+        ];
+        const badResult = runAuditScan(badFiles, config);
+        expect(badResult.summary.score).toBeLessThan(50);
+        expect(badResult.summary.verdict).toBe("FAIL");
+    });
+    it("TC-022: duration is tracked", () => {
+        const files = [makeFile("src/a.ts", "const x = 1;")];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.durationMs).toBeGreaterThanOrEqual(0);
+        expect(typeof result.durationMs).toBe("number");
+    });
+    it("populates filesScanned and filesWithFindings", () => {
+        const files = [
+            makeFile("src/clean.ts", "const x = 1;"),
+            makeFile("src/bad.ts", 'eval("x");'),
+            makeFile("src/also-clean.ts", "const y = 2;"),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.filesScanned).toBe(3);
+        expect(result.filesWithFindings).toBe(1);
+    });
+    it("applies safeContexts to suppress false positives", () => {
+        // innerHTML in a line with DOMPurify should be suppressed
+        const files = [
+            makeFile("src/safe.ts", "element.innerHTML = DOMPurify.sanitize(input);"),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        const xssFindings = result.findings.filter((f) => f.ruleId === "XSS-001");
+        expect(xssFindings).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=audit-scanner.test.js.map

package/dist/audit/audit-scanner.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-scanner.test.js","sourceRoot":"","sources":["../../src/audit/audit-scanner.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,wBAAwB,EAAkB,MAAM,kBAAkB,CAAC;AAE5E,SAAS,QAAQ,CAAC,IAAY,EAAE,OAAe;IAC7C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,cAAc,EAAE,8CAA8C,CAAC;YACxE,QAAQ,CAAC,cAAc,EAAE,6DAA6D,CAAC;SACxF,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;YAC3C,QAAQ,CAAC,YAAY,EAAE,gCAAgC,CAAC;YACxD,QAAQ,CAAC,YAAY,EAAE,4CAA4C,CAAC;SACrE,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACzD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,WAAW,EAAE,wBAAwB,CAAC,EAAE,OAAO;YACxD,QAAQ,CAAC,WAAW,EAAE,eAAe,CAAC,EAAE,WAAW;SACpD,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,mCAAmC;QACnC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,aAAa,KAAK,CAAC,CAAC,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;YAC7C,MAAM,CAAC,aAAa,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,UAAU,EAAE,YAAY,CAAC,EAAE,oBAAoB;YACxD,QAAQ,CAAC,UAAU,EAAE,wBAAwB,CAAC,EAAE,iBAAiB;SAClE,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM;YAC1E,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,mCAAmC;QACnC,MAAM,UAAU,GAAgB;YAC9B,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;SACzC,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,WAAW,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACrD,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAEjD,6CAA6C;QAC7C,MAAM,QAAQ,GAAgB;YAC5B,QAAQ,CAAC,YAAY,EAAE;gBACrB,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,YAAY;aACb,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACd,CAAC;QACF,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAgB,CAAC,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,OAAO,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;YACxC,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;YACpC,QAAQ,CAAC,mBAAmB,EAAE,cAAc,CAAC;SAC9C,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,0DAA0D;QAC1D,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,aAAa,EAAE,gDAAgD,CAAC;SAC1E,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;QAC1E,MAAM,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}