webmcp-cli 1.2.2 → 1.2.3

package/dist/rules/schema/SCHEMA-007.js

@@ -0,0 +1,73 @@
+/**
+ * SCHEMA-007: Enum Values Described
+ *
+ * Checks that enum properties use oneOf with title/const for clear options
+ * rather than bare enum arrays without descriptions.
+ */
+import { createRuleResult } from '../runner.js';
+export const SCHEMA_007 = {
+    id: 'SCHEMA-007',
+    category: 'schema',
+    name: 'Enum Values Described',
+    description: 'Enum properties should use oneOf with title/const for clear options',
+    severity: 'info',
+    maxScore: 3,
+    async check(context) {
+        if (context.tools.length === 0) {
+            return createRuleResult('SCHEMA-007', 3, {
+                passed: true,
+                score: 3,
+                message: 'No tools detected (rule not applicable)',
+            });
+        }
+        const violations = [];
+        let enumCount = 0;
+        for (const tool of context.tools) {
+            if (!tool.inputSchema?.properties)
+                continue;
+            for (const [paramName, paramDef] of Object.entries(tool.inputSchema.properties)) {
+                if (!paramDef.enum || paramDef.enum.length <= 1)
+                    continue;
+                enumCount++;
+                // Check if there's a corresponding oneOf with titles
+                if (!paramDef.oneOf) {
+                    violations.push({ tool: tool.name, param: paramName });
+                }
+                else {
+                    const allHaveTitles = paramDef.oneOf.every((opt) => opt['title'] || opt['description']);
+                    if (!allHaveTitles) {
+                        violations.push({ tool: tool.name, param: paramName });
+                    }
+                }
+            }
+        }
+        if (enumCount === 0) {
+            return createRuleResult('SCHEMA-007', 3, {
+                passed: true,
+                score: 3,
+                message: 'No enum properties found to check',
+            });
+        }
+        if (violations.length === 0) {
+            return createRuleResult('SCHEMA-007', 3, {
+                passed: true,
+                score: 3,
+                message: 'All enum properties have descriptive oneOf options',
+            });
+        }
+        return createRuleResult('SCHEMA-007', 3, {
+            passed: false,
+            score: Math.max(0, 3 - violations.length),
+            message: `${violations.length} enum property/properties lack descriptive oneOf options`,
+            details: violations.map((v) => `Property "${v.param}" in tool "${v.tool}" uses bare enum without oneOf titles`),
+            suggestions: [
+                'Replace bare enum with oneOf containing title and const',
+                'Example: { "oneOf": [{ "const": "economy", "title": "Economy (cheapest fare)" }] }',
+                'Descriptive options help agents make correct selections',
+            ],
+            affectedTools: [...new Set(violations.map((v) => v.tool))],
+        });
+    },
+};
+export default SCHEMA_007;
+//# sourceMappingURL=SCHEMA-007.js.map

package/dist/rules/schema/SCHEMA-007.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SCHEMA-007.js","sourceRoot":"","sources":["../../../src/rules/schema/SCHEMA-007.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,CAAC,MAAM,UAAU,GAAS;IAC9B,EAAE,EAAE,YAAY;IAChB,QAAQ,EAAE,QAAQ;IAClB,IAAI,EAAE,uBAAuB;IAC7B,WAAW,EAAE,qEAAqE;IAClF,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,CAAC;IAEX,KAAK,CAAC,KAAK,CAAC,OAAoB;QAC9B,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,UAAU,GAAsC,EAAE,CAAC;QACzD,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU;gBAAE,SAAS;YAE5C,KAAK,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAChD,IAAI,CAAC,WAAW,CAAC,UAAU,CAC5B,EAAE,CAAC;gBACF,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC;oBAAE,SAAS;gBAC1D,SAAS,EAAE,CAAC;gBAEZ,qDAAqD;gBACrD,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;oBACpB,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CACxC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,aAAa,CAAC,CAC5C,CAAC;oBACF,IAAI,CAAC,aAAa,EAAE,CAAC;wBACnB,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;oBACzD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;YACpB,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,mCAAmC;aAC7C,CAAC,CAAC;QACL,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,oDAAoD;aAC9D,CAAC,CAAC;QACL,CAAC;QAED,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;YACvC,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC;YACzC,OAAO,EAAE,GAAG,UAAU,CAAC,MAAM,0DAA0D;YACvF,OAAO,EAAE,UAAU,CAAC,GAAG,CACrB,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC,IAAI,uCAAuC,CACvF;YACD,WAAW,EAAE;gBACX,yDAAyD;gBACzD,oFAAoF;gBACpF,yDAAyD;aAC1D;YACD,aAAa,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;SAC3D,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/rules/schema/SCHEMA-008.d.ts

@@ -0,0 +1,9 @@
+/**
+ * SCHEMA-008: Number Has Bounds
+ *
+ * Checks that number properties have minimum/maximum constraints.
+ * Bounds help agents provide valid values.
+ */
+import type { Rule } from '../../core/types/rule.js';
+export declare const SCHEMA_008: Rule;
+export default SCHEMA_008;

package/dist/rules/schema/SCHEMA-008.js

@@ -0,0 +1,70 @@
+/**
+ * SCHEMA-008: Number Has Bounds
+ *
+ * Checks that number properties have minimum/maximum constraints.
+ * Bounds help agents provide valid values.
+ */
+import { createRuleResult } from '../runner.js';
+export const SCHEMA_008 = {
+    id: 'SCHEMA-008',
+    category: 'schema',
+    name: 'Number Has Bounds',
+    description: 'Number properties should have minimum/maximum constraints',
+    severity: 'warning',
+    maxScore: 5,
+    async check(context) {
+        if (context.tools.length === 0) {
+            return createRuleResult('SCHEMA-008', 5, {
+                passed: true,
+                score: 5,
+                message: 'No tools detected (rule not applicable)',
+            });
+        }
+        const violations = [];
+        let numberParamCount = 0;
+        for (const tool of context.tools) {
+            if (!tool.inputSchema?.properties)
+                continue;
+            for (const [paramName, paramDef] of Object.entries(tool.inputSchema.properties)) {
+                if (paramDef.type !== 'number' && paramDef.type !== 'integer') {
+                    continue;
+                }
+                numberParamCount++;
+                const hasBounds = paramDef.minimum !== undefined ||
+                    paramDef.maximum !== undefined ||
+                    paramDef.enum !== undefined;
+                if (!hasBounds) {
+                    violations.push({ tool: tool.name, param: paramName });
+                }
+            }
+        }
+        if (numberParamCount === 0) {
+            return createRuleResult('SCHEMA-008', 5, {
+                passed: true,
+                score: 5,
+                message: 'No number properties found to check',
+            });
+        }
+        if (violations.length === 0) {
+            return createRuleResult('SCHEMA-008', 5, {
+                passed: true,
+                score: 5,
+                message: 'All number properties have bounds',
+            });
+        }
+        return createRuleResult('SCHEMA-008', 5, {
+            passed: false,
+            score: Math.max(0, 5 - violations.length * 2),
+            message: `${violations.length} number property/properties lack bounds`,
+            details: violations.map((v) => `Property "${v.param}" in tool "${v.tool}" has no minimum/maximum`),
+            suggestions: [
+                'Add minimum and/or maximum to number properties',
+                'Example: { "type": "number", "minimum": 1, "maximum": 10 }',
+                'Bounds prevent agents from providing out-of-range values',
+            ],
+            affectedTools: [...new Set(violations.map((v) => v.tool))],
+        });
+    },
+};
+export default SCHEMA_008;
+//# sourceMappingURL=SCHEMA-008.js.map

package/dist/rules/schema/SCHEMA-008.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SCHEMA-008.js","sourceRoot":"","sources":["../../../src/rules/schema/SCHEMA-008.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,CAAC,MAAM,UAAU,GAAS;IAC9B,EAAE,EAAE,YAAY;IAChB,QAAQ,EAAE,QAAQ;IAClB,IAAI,EAAE,mBAAmB;IACzB,WAAW,EAAE,2DAA2D;IACxE,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,CAAC;IAEX,KAAK,CAAC,KAAK,CAAC,OAAoB;QAC9B,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,UAAU,GAAsC,EAAE,CAAC;QACzD,IAAI,gBAAgB,GAAG,CAAC,CAAC;QAEzB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU;gBAAE,SAAS;YAE5C,KAAK,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAChD,IAAI,CAAC,WAAW,CAAC,UAAU,CAC5B,EAAE,CAAC;gBACF,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC9D,SAAS;gBACX,CAAC;gBACD,gBAAgB,EAAE,CAAC;gBAEnB,MAAM,SAAS,GACb,QAAQ,CAAC,OAAO,KAAK,SAAS;oBAC9B,QAAQ,CAAC,OAAO,KAAK,SAAS;oBAC9B,QAAQ,CAAC,IAAI,KAAK,SAAS,CAAC;gBAE9B,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,gBAAgB,KAAK,CAAC,EAAE,CAAC;YAC3B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,qCAAqC;aAC/C,CAAC,CAAC;QACL,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,mCAAmC;aAC7C,CAAC,CAAC;QACL,CAAC;QAED,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;YACvC,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7C,OAAO,EAAE,GAAG,UAAU,CAAC,MAAM,yCAAyC;YACtE,OAAO,EAAE,UAAU,CAAC,GAAG,CACrB,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC,IAAI,0BAA0B,CAC1E;YACD,WAAW,EAAE;gBACX,iDAAiD;gBACjD,4DAA4D;gBAC5D,0DAA0D;aAC3D;YACD,aAAa,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;SAC3D,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/rules/schema/SCHEMA-009.d.ts

@@ -0,0 +1,10 @@
+/**
+ * SCHEMA-009: String Has Format
+ *
+ * Checks that string properties use format hints where applicable.
+ * Heuristic: if the parameter name suggests a specific format (email, date, url),
+ * the schema should declare it.
+ */
+import type { Rule } from '../../core/types/rule.js';
+export declare const SCHEMA_009: Rule;
+export default SCHEMA_009;

package/dist/rules/schema/SCHEMA-009.js

@@ -0,0 +1,80 @@
+/**
+ * SCHEMA-009: String Has Format
+ *
+ * Checks that string properties use format hints where applicable.
+ * Heuristic: if the parameter name suggests a specific format (email, date, url),
+ * the schema should declare it.
+ */
+import { createRuleResult } from '../runner.js';
+const FORMAT_HINTS = [
+    { namePattern: /email/i, expectedFormat: 'email' },
+    { namePattern: /\burl\b|uri|href|link/i, expectedFormat: 'uri' },
+    { namePattern: /\bdate\b/i, expectedFormat: 'date or date-time' },
+    { namePattern: /\bdate[_-]?time\b|timestamp/i, expectedFormat: 'date-time' },
+    { namePattern: /\btime\b$/i, expectedFormat: 'time' },
+    { namePattern: /\bipv4\b|ip[_-]?address/i, expectedFormat: 'ipv4' },
+    { namePattern: /\bipv6\b/i, expectedFormat: 'ipv6' },
+    { namePattern: /\buuid\b|guid/i, expectedFormat: 'uuid' },
+    { namePattern: /\bhostname\b/i, expectedFormat: 'hostname' },
+];
+export const SCHEMA_009 = {
+    id: 'SCHEMA-009',
+    category: 'schema',
+    name: 'String Has Format',
+    description: 'String properties should use format hints where applicable',
+    severity: 'info',
+    maxScore: 3,
+    async check(context) {
+        if (context.tools.length === 0) {
+            return createRuleResult('SCHEMA-009', 3, {
+                passed: true,
+                score: 3,
+                message: 'No tools detected (rule not applicable)',
+            });
+        }
+        const violations = [];
+        for (const tool of context.tools) {
+            if (!tool.inputSchema?.properties)
+                continue;
+            for (const [paramName, paramDef] of Object.entries(tool.inputSchema.properties)) {
+                if (paramDef.type !== 'string')
+                    continue;
+                if (paramDef.format)
+                    continue; // Already has format
+                if (paramDef.enum || paramDef.oneOf)
+                    continue; // Enum, no format needed
+                for (const { namePattern, expectedFormat } of FORMAT_HINTS) {
+                    if (namePattern.test(paramName)) {
+                        violations.push({
+                            tool: tool.name,
+                            param: paramName,
+                            format: expectedFormat,
+                        });
+                        break;
+                    }
+                }
+            }
+        }
+        if (violations.length === 0) {
+            return createRuleResult('SCHEMA-009', 3, {
+                passed: true,
+                score: 3,
+                message: 'String properties use format hints where applicable',
+            });
+        }
+        return createRuleResult('SCHEMA-009', 3, {
+            passed: false,
+            score: Math.max(0, 3 - violations.length),
+            message: `${violations.length} string property/properties could benefit from format hints`,
+            details: violations.map((v) => `Property "${v.param}" in tool "${v.tool}" should use format: "${v.format}"`),
+            suggestions: [
+                'Use JSON Schema format keyword for well-known string types',
+                'Supported formats: email, uri, date, date-time, time, ipv4, ipv6, uuid, hostname',
+                'Example: { "type": "string", "format": "email" }',
+            ],
+            affectedTools: [...new Set(violations.map((v) => v.tool))],
+        });
+    },
+};
+export default SCHEMA_009;
+//# sourceMappingURL=SCHEMA-009.js.map

package/dist/rules/schema/SCHEMA-009.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SCHEMA-009.js","sourceRoot":"","sources":["../../../src/rules/schema/SCHEMA-009.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,YAAY,GAAsD;IACtE,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE;IAClD,EAAE,WAAW,EAAE,wBAAwB,EAAE,cAAc,EAAE,KAAK,EAAE;IAChE,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,mBAAmB,EAAE;IACjE,EAAE,WAAW,EAAE,8BAA8B,EAAE,cAAc,EAAE,WAAW,EAAE;IAC5E,EAAE,WAAW,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE;IACrD,EAAE,WAAW,EAAE,0BAA0B,EAAE,cAAc,EAAE,MAAM,EAAE;IACnE,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,EAAE;IACpD,EAAE,WAAW,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,EAAE;IACzD,EAAE,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,UAAU,EAAE;CAC7D,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAS;IAC9B,EAAE,EAAE,YAAY;IAChB,QAAQ,EAAE,QAAQ;IAClB,IAAI,EAAE,mBAAmB;IACzB,WAAW,EAAE,4DAA4D;IACzE,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,CAAC;IAEX,KAAK,CAAC,KAAK,CAAC,OAAoB;QAC9B,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,UAAU,GAAsD,EAAE,CAAC;QAEzE,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU;gBAAE,SAAS;YAE5C,KAAK,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAChD,IAAI,CAAC,WAAW,CAAC,UAAU,CAC5B,EAAE,CAAC;gBACF,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ;oBAAE,SAAS;gBACzC,IAAI,QAAQ,CAAC,MAAM;oBAAE,SAAS,CAAC,qBAAqB;gBACpD,IAAI,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,KAAK;oBAAE,SAAS,CAAC,yBAAyB;gBAExE,KAAK,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,IAAI,YAAY,EAAE,CAAC;oBAC3D,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;wBAChC,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,KAAK,EAAE,SAAS;4BAChB,MAAM,EAAE,cAAc;yBACvB,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,qDAAqD;aAC/D,CAAC,CAAC;QACL,CAAC;QAED,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;YACvC,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC;YACzC,OAAO,EAAE,GAAG,UAAU,CAAC,MAAM,6DAA6D;YAC1F,OAAO,EAAE,UAAU,CAAC,GAAG,CACrB,CAAC,CAAC,EAAE,EAAE,CACJ,aAAa,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC,IAAI,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAC/E;YACD,WAAW,EAAE;gBACX,4DAA4D;gBAC5D,kFAAkF;gBAClF,kDAAkD;aACnD;YACD,aAAa,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;SAC3D,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/rules/schema/SCHEMA-010.d.ts

@@ -0,0 +1,9 @@
+/**
+ * SCHEMA-010: No Excessive Nesting
+ *
+ * Checks that schema nesting depth doesn't exceed 3 levels.
+ * Deeply nested schemas are harder for agents to reason about.
+ */
+import type { Rule } from '../../core/types/rule.js';
+export declare const SCHEMA_010: Rule;
+export default SCHEMA_010;

package/dist/rules/schema/SCHEMA-010.js

@@ -0,0 +1,96 @@
+/**
+ * SCHEMA-010: No Excessive Nesting
+ *
+ * Checks that schema nesting depth doesn't exceed 3 levels.
+ * Deeply nested schemas are harder for agents to reason about.
+ */
+import { createRuleResult } from '../runner.js';
+const MAX_NESTING_DEPTH = 3;
+function measureDepth(schema, current) {
+    let maxDepth = current;
+    if (schema.properties) {
+        for (const prop of Object.values(schema.properties)) {
+            const childDepth = measureDepth(prop, current + 1);
+            if (childDepth > maxDepth) {
+                maxDepth = childDepth;
+            }
+        }
+    }
+    if (schema.items) {
+        const itemDepth = measureDepth(schema.items, current + 1);
+        if (itemDepth > maxDepth) {
+            maxDepth = itemDepth;
+        }
+    }
+    if (schema.oneOf) {
+        for (const option of schema.oneOf) {
+            const optionDepth = measureDepth(option, current + 1);
+            if (optionDepth > maxDepth) {
+                maxDepth = optionDepth;
+            }
+        }
+    }
+    if (schema.anyOf) {
+        for (const option of schema.anyOf) {
+            const optionDepth = measureDepth(option, current + 1);
+            if (optionDepth > maxDepth) {
+                maxDepth = optionDepth;
+            }
+        }
+    }
+    if (schema.additionalProperties &&
+        typeof schema.additionalProperties === 'object') {
+        const apDepth = measureDepth(schema.additionalProperties, current + 1);
+        if (apDepth > maxDepth) {
+            maxDepth = apDepth;
+        }
+    }
+    return maxDepth;
+}
+export const SCHEMA_010 = {
+    id: 'SCHEMA-010',
+    category: 'schema',
+    name: 'No Excessive Nesting',
+    description: `Schema nesting depth should not exceed ${MAX_NESTING_DEPTH} levels`,
+    severity: 'warning',
+    maxScore: 5,
+    async check(context) {
+        if (context.tools.length === 0) {
+            return createRuleResult('SCHEMA-010', 5, {
+                passed: true,
+                score: 5,
+                message: 'No tools detected (rule not applicable)',
+            });
+        }
+        const violations = [];
+        for (const tool of context.tools) {
+            if (!tool.inputSchema?.properties)
+                continue;
+            const depth = measureDepth(tool.inputSchema, 0);
+            if (depth > MAX_NESTING_DEPTH) {
+                violations.push({ name: tool.name, depth });
+            }
+        }
+        if (violations.length === 0) {
+            return createRuleResult('SCHEMA-010', 5, {
+                passed: true,
+                score: 5,
+                message: `All schemas have acceptable nesting depth (≤${MAX_NESTING_DEPTH})`,
+            });
+        }
+        return createRuleResult('SCHEMA-010', 5, {
+            passed: false,
+            score: Math.max(0, 5 - violations.length * 2),
+            message: `${violations.length} tool(s) have excessively nested schemas`,
+            details: violations.map((v) => `Tool "${v.name}" has nesting depth of ${v.depth} (max: ${MAX_NESTING_DEPTH})`),
+            suggestions: [
+                'Flatten nested objects into top-level parameters where possible',
+                'Use separate tools for complex nested operations',
+                'Deeply nested schemas are harder for agents to fill correctly',
+            ],
+            affectedTools: violations.map((v) => v.name),
+        });
+    },
+};
+export default SCHEMA_010;
+//# sourceMappingURL=SCHEMA-010.js.map

package/dist/rules/schema/SCHEMA-010.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SCHEMA-010.js","sourceRoot":"","sources":["../../../src/rules/schema/SCHEMA-010.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAE5B,SAAS,YAAY,CAAC,MAA0B,EAAE,OAAe;IAC/D,IAAI,QAAQ,GAAG,OAAO,CAAC;IAEvB,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;YACnD,IAAI,UAAU,GAAG,QAAQ,EAAE,CAAC;gBAC1B,QAAQ,GAAG,UAAU,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;QAC1D,IAAI,SAAS,GAAG,QAAQ,EAAE,CAAC;YACzB,QAAQ,GAAG,SAAS,CAAC;QACvB,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;YACtD,IAAI,WAAW,GAAG,QAAQ,EAAE,CAAC;gBAC3B,QAAQ,GAAG,WAAW,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;YACtD,IAAI,WAAW,GAAG,QAAQ,EAAE,CAAC;gBAC3B,QAAQ,GAAG,WAAW,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IACE,MAAM,CAAC,oBAAoB;QAC3B,OAAO,MAAM,CAAC,oBAAoB,KAAK,QAAQ,EAC/C,CAAC;QACD,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,oBAAoB,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;QACvE,IAAI,OAAO,GAAG,QAAQ,EAAE,CAAC;YACvB,QAAQ,GAAG,OAAO,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,MAAM,UAAU,GAAS;IAC9B,EAAE,EAAE,YAAY;IAChB,QAAQ,EAAE,QAAQ;IAClB,IAAI,EAAE,sBAAsB;IAC5B,WAAW,EAAE,0CAA0C,iBAAiB,SAAS;IACjF,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,CAAC;IAEX,KAAK,CAAC,KAAK,CAAC,OAAoB;QAC9B,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,UAAU,GAAsC,EAAE,CAAC;QAEzD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU;gBAAE,SAAS;YAE5C,MAAM,KAAK,GAAG,YAAY,CACxB,IAAI,CAAC,WAA4C,EACjD,CAAC,CACF,CAAC;YACF,IAAI,KAAK,GAAG,iBAAiB,EAAE,CAAC;gBAC9B,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;gBACvC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,+CAA+C,iBAAiB,GAAG;aAC7E,CAAC,CAAC;QACL,CAAC;QAED,OAAO,gBAAgB,CAAC,YAAY,EAAE,CAAC,EAAE;YACvC,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7C,OAAO,EAAE,GAAG,UAAU,CAAC,MAAM,0CAA0C;YACvE,OAAO,EAAE,UAAU,CAAC,GAAG,CACrB,CAAC,CAAC,EAAE,EAAE,CACJ,SAAS,CAAC,CAAC,IAAI,0BAA0B,CAAC,CAAC,KAAK,UAAU,iBAAiB,GAAG,CACjF;YACD,WAAW,EAAE;gBACX,iEAAiE;gBACjE,kDAAkD;gBAClD,+DAA+D;aAChE;YACD,aAAa,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/rules/schema/SCHEMA-012.d.ts

@@ -0,0 +1,9 @@
+/**
+ * SCHEMA-012: No Duplicate Params
+ *
+ * Checks that there are no duplicate parameter names (case-insensitive)
+ * within a single tool's schema.
+ */
+import type { Rule } from '../../core/types/rule.js';
+export declare const SCHEMA_012: Rule;
+export default SCHEMA_012;

package/dist/rules/schema/SCHEMA-012.js

@@ -0,0 +1,65 @@
+/**
+ * SCHEMA-012: No Duplicate Params
+ *
+ * Checks that there are no duplicate parameter names (case-insensitive)
+ * within a single tool's schema.
+ */
+import { createRuleResult } from '../runner.js';
+export const SCHEMA_012 = {
+    id: 'SCHEMA-012',
+    category: 'schema',
+    name: 'No Duplicate Params',
+    description: 'No duplicate parameter names (case-insensitive)',
+    severity: 'critical',
+    maxScore: 10,
+    async check(context) {
+        if (context.tools.length === 0) {
+            return createRuleResult('SCHEMA-012', 10, {
+                passed: true,
+                score: 10,
+                message: 'No tools detected (rule not applicable)',
+            });
+        }
+        const violations = [];
+        for (const tool of context.tools) {
+            if (!tool.inputSchema?.properties)
+                continue;
+            const paramNames = Object.keys(tool.inputSchema.properties);
+            const lowerNames = new Map();
+            for (const name of paramNames) {
+                const lower = name.toLowerCase();
+                const existing = lowerNames.get(lower) ?? [];
+                existing.push(name);
+                lowerNames.set(lower, existing);
+            }
+            const duplicates = Array.from(lowerNames.values()).filter((names) => names.length > 1);
+            if (duplicates.length > 0) {
+                violations.push({
+                    tool: tool.name,
+                    params: duplicates.map((d) => d.join(', ')),
+                });
+            }
+        }
+        if (violations.length === 0) {
+            return createRuleResult('SCHEMA-012', 10, {
+                passed: true,
+                score: 10,
+                message: 'No duplicate parameter names found',
+            });
+        }
+        return createRuleResult('SCHEMA-012', 10, {
+            passed: false,
+            score: Math.max(0, 10 - violations.length * 5),
+            message: `${violations.length} tool(s) have duplicate parameter names`,
+            details: violations.flatMap((v) => v.params.map((p) => `Tool "${v.tool}" has case-insensitive duplicate params: ${p}`)),
+            suggestions: [
+                'Ensure all parameter names are unique (case-insensitive)',
+                'Use distinct, descriptive names for each parameter',
+                'Example: use "departure_city" and "arrival_city" instead of "City" and "city"',
+            ],
+            affectedTools: violations.map((v) => v.tool),
+        });
+    },
+};
+export default SCHEMA_012;
+//# sourceMappingURL=SCHEMA-012.js.map

package/dist/rules/schema/SCHEMA-012.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SCHEMA-012.js","sourceRoot":"","sources":["../../../src/rules/schema/SCHEMA-012.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,CAAC,MAAM,UAAU,GAAS;IAC9B,EAAE,EAAE,YAAY;IAChB,QAAQ,EAAE,QAAQ;IAClB,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EAAE,iDAAiD;IAC9D,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,EAAE;IAEZ,KAAK,CAAC,KAAK,CAAC,OAAoB;QAC9B,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,YAAY,EAAE,EAAE,EAAE;gBACxC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,EAAE;gBACT,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,UAAU,GAAyC,EAAE,CAAC;QAE5D,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU;gBAAE,SAAS;YAE5C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;YAC5D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAoB,CAAC;YAE/C,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;gBAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACpB,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAClC,CAAC;YAED,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CACvD,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAC5B,CAAC;YAEF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1B,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,MAAM,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;iBAC5C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,gBAAgB,CAAC,YAAY,EAAE,EAAE,EAAE;gBACxC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,EAAE;gBACT,OAAO,EAAE,oCAAoC;aAC9C,CAAC,CAAC;QACL,CAAC;QAED,OAAO,gBAAgB,CAAC,YAAY,EAAE,EAAE,EAAE;YACxC,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;YAC9C,OAAO,EAAE,GAAG,UAAU,CAAC,MAAM,yCAAyC;YACtE,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CACV,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,IAAI,4CAA4C,CAAC,EAAE,CACtE,CACF;YACD,WAAW,EAAE;gBACX,0DAA0D;gBAC1D,oDAAoD;gBACpD,+EAA+E;aAChF;YACD,aAAa,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/rules/security/SEC-002.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SEC-002: No Parameter Description Injection
+ *
+ * Checks that parameter descriptions don't contain injection patterns
+ * such as prompt injection, SQL injection, or script injection.
+ */
+import type { Rule } from '../../core/types/rule.js';
+export declare const SEC_002: Rule;

package/dist/rules/security/SEC-002.js

@@ -0,0 +1,81 @@
+/**
+ * SEC-002: No Parameter Description Injection
+ *
+ * Checks that parameter descriptions don't contain injection patterns
+ * such as prompt injection, SQL injection, or script injection.
+ */
+import { createRuleResult } from '../runner.js';
+const INJECTION_PATTERNS = [
+    /ignore\s+(all\s+)?previous\s+instructions/i,
+    /you\s+are\s+now/i,
+    /system\s*:\s*/i,
+    /\bDROP\s+TABLE\b/i,
+    /\bUNION\s+SELECT\b/i,
+    /['"];\s*--/,
+    /<script[\s>]/i,
+    /javascript\s*:/i,
+    /on\w+\s*=/i,
+    /\bexec\s*\(/i,
+    /\beval\s*\(/i,
+    /\{\{.*\}\}/,
+    /\$\{.*\}/,
+    /<%.*%>/,
+];
+export const SEC_002 = {
+    id: 'SEC-002',
+    category: 'security',
+    name: 'No Parameter Description Injection',
+    description: 'Parameter descriptions must not contain injection patterns',
+    severity: 'critical',
+    maxScore: 10,
+    async check(context) {
+        const tools = context.tools;
+        if (tools.length === 0) {
+            return createRuleResult('SEC-002', 10, {
+                passed: true,
+                score: 10,
+                message: 'No tools detected (rule not applicable)',
+            });
+        }
+        const violations = [];
+        for (const tool of tools) {
+            const schema = tool.inputSchema;
+            if (!schema?.properties)
+                continue;
+            for (const [paramName, prop] of Object.entries(schema.properties)) {
+                const desc = prop.description ?? '';
+                for (const pattern of INJECTION_PATTERNS) {
+                    if (pattern.test(desc)) {
+                        violations.push({
+                            tool: tool.name,
+                            param: paramName,
+                            pattern: pattern.source,
+                        });
+                        break;
+                    }
+                }
+            }
+        }
+        if (violations.length === 0) {
+            return createRuleResult('SEC-002', 10, {
+                passed: true,
+                score: 10,
+                message: 'No injection patterns found in parameter descriptions',
+            });
+        }
+        const penalty = violations.length * 5;
+        const score = Math.max(0, 10 - penalty);
+        return createRuleResult('SEC-002', 10, {
+            passed: false,
+            score,
+            message: `${violations.length} parameter(s) contain injection patterns`,
+            details: violations.map((v) => `Tool "${v.tool}" param "${v.param}" matches injection pattern: ${v.pattern}`),
+            suggestions: [
+                'Remove any prompt injection, SQL injection, or XSS patterns from parameter descriptions',
+                'Descriptions should be plain, informative text only',
+            ],
+            affectedTools: [...new Set(violations.map((v) => v.tool))],
+        });
+    },
+};
+//# sourceMappingURL=SEC-002.js.map

package/dist/rules/security/SEC-002.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SEC-002.js","sourceRoot":"","sources":["../../../src/rules/security/SEC-002.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,kBAAkB,GAAG;IACzB,4CAA4C;IAC5C,kBAAkB;IAClB,gBAAgB;IAChB,mBAAmB;IACnB,qBAAqB;IACrB,YAAY;IACZ,eAAe;IACf,iBAAiB;IACjB,YAAY;IACZ,cAAc;IACd,cAAc;IACd,YAAY;IACZ,UAAU;IACV,QAAQ;CACT,CAAC;AAEF,MAAM,CAAC,MAAM,OAAO,GAAS;IAC3B,EAAE,EAAE,SAAS;IACb,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,oCAAoC;IAC1C,WAAW,EAAE,4DAA4D;IACzE,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,EAAE;IAEZ,KAAK,CAAC,KAAK,CAAC,OAAoB;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAE5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,gBAAgB,CAAC,SAAS,EAAE,EAAE,EAAE;gBACrC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,EAAE;gBACT,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,UAAU,GAAuD,EAAE,CAAC;QAE1E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;YAChC,IAAI,CAAC,MAAM,EAAE,UAAU;gBAAE,SAAS;YAElC,KAAK,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;gBAClE,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACpC,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;oBACzC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,KAAK,EAAE,SAAS;4BAChB,OAAO,EAAE,OAAO,CAAC,MAAM;yBACxB,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,gBAAgB,CAAC,SAAS,EAAE,EAAE,EAAE;gBACrC,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,EAAE;gBACT,OAAO,EAAE,uDAAuD;aACjE,CAAC,CAAC;QACL,CAAC;QAED,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,GAAG,OAAO,CAAC,CAAC;QAExC,OAAO,gBAAgB,CAAC,SAAS,EAAE,EAAE,EAAE;YACrC,MAAM,EAAE,KAAK;YACb,KAAK;YACL,OAAO,EAAE,GAAG,UAAU,CAAC,MAAM,0CAA0C;YACvE,OAAO,EAAE,UAAU,CAAC,GAAG,CACrB,CAAC,CAAC,EAAE,EAAE,CACJ,SAAS,CAAC,CAAC,IAAI,YAAY,CAAC,CAAC,KAAK,gCAAgC,CAAC,CAAC,OAAO,EAAE,CAChF;YACD,WAAW,EAAE;gBACX,yFAAyF;gBACzF,qDAAqD;aACtD;YACD,aAAa,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;SAC3D,CAAC,CAAC;IACL,CAAC;CACF,CAAC"}

package/dist/rules/security/SEC-003.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SEC-003: Output Sanitization
+ *
+ * Checks that execute functions sanitize user-generated content
+ * in return values to prevent XSS or injection through tool outputs.
+ */
+import type { Rule } from '../../core/types/rule.js';
+export declare const SEC_003: Rule;

package/dist/rules/security/SEC-003.js

@@ -0,0 +1,85 @@
+/**
+ * SEC-003: Output Sanitization
+ *
+ * Checks that execute functions sanitize user-generated content
+ * in return values to prevent XSS or injection through tool outputs.
+ */
+import { createRuleResult } from '../runner.js';
+const SANITIZATION_PATTERNS = [
+    /escapeHtml/i,
+    /sanitize/i,
+    /DOMPurify/i,
+    /textContent/,
+    /innerText/,
+    /encodeURIComponent/,
+    /encodeURI\b/,
+    /htmlEncode/i,
+    /stripTags/i,
+    /createTextNode/,
+];
+const USER_CONTENT_PATTERNS = [
+    /innerHTML/,
+    /\.html\s*\(/,
+    /document\.write/,
+    /insertAdjacentHTML/,
+    /outerHTML\s*=/,
+];
+export const SEC_003 = {
+    id: 'SEC-003',
+    category: 'security',
+    name: 'Output Sanitization',
+    description: 'Execute functions should sanitize user-generated content in return values',
+    severity: 'warning',
+    maxScore: 8,
+    async check(context) {
+        const tools = context.tools;
+        if (tools.length === 0) {
+            return createRuleResult('SEC-003', 8, {
+                passed: true,
+                score: 8,
+                message: 'No tools detected (rule not applicable)',
+            });
+        }
+        const toolsWithExecute = tools.filter((t) => t.executeSource && t.executeSource.length > 0);
+        if (toolsWithExecute.length === 0) {
+            return createRuleResult('SEC-003', 8, {
+                passed: true,
+                score: 8,
+                message: 'No execute functions available for analysis',
+            });
+        }
+        const violations = [];
+        for (const tool of toolsWithExecute) {
+            const src = tool.executeSource ?? '';
+            const usesUnsafeOutput = USER_CONTENT_PATTERNS.some((p) => p.test(src));
+            if (!usesUnsafeOutput)
+                continue;
+            const hasSanitization = SANITIZATION_PATTERNS.some((p) => p.test(src));
+            if (!hasSanitization) {
+                violations.push(tool.name);
+            }
+        }
+        if (violations.length === 0) {
+            return createRuleResult('SEC-003', 8, {
+                passed: true,
+                score: 8,
+                message: 'Execute functions properly sanitize user-generated content',
+            });
+        }
+        const penalty = violations.length * 4;
+        const score = Math.max(0, 8 - penalty);
+        return createRuleResult('SEC-003', 8, {
+            passed: false,
+            score,
+            message: `${violations.length} tool(s) may return unsanitized user content`,
+            details: violations.map((name) => `Tool "${name}" uses innerHTML/document.write but lacks sanitization`),
+            suggestions: [
+                'Use textContent instead of innerHTML when inserting user data',
+                'Apply DOMPurify or escapeHtml() before returning HTML content',
+                'Use encodeURIComponent() for URL parameters in output',
+            ],
+            affectedTools: violations,
+        });
+    },
+};
+//# sourceMappingURL=SEC-003.js.map