windows-exe-decompiler-mcp-server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (190) hide show
  1. package/CODEX_INSTALLATION.md +69 -0
  2. package/COPILOT_INSTALLATION.md +77 -0
  3. package/LICENSE +21 -0
  4. package/README.md +314 -0
  5. package/bin/windows-exe-decompiler-mcp-server.js +3 -0
  6. package/dist/analysis-provenance.d.ts +184 -0
  7. package/dist/analysis-provenance.js +74 -0
  8. package/dist/analysis-task-runner.d.ts +31 -0
  9. package/dist/analysis-task-runner.js +160 -0
  10. package/dist/artifact-inventory.d.ts +23 -0
  11. package/dist/artifact-inventory.js +175 -0
  12. package/dist/cache-manager.d.ts +128 -0
  13. package/dist/cache-manager.js +454 -0
  14. package/dist/confidence-semantics.d.ts +66 -0
  15. package/dist/confidence-semantics.js +122 -0
  16. package/dist/config.d.ts +335 -0
  17. package/dist/config.js +193 -0
  18. package/dist/database.d.ts +227 -0
  19. package/dist/database.js +601 -0
  20. package/dist/decompiler-worker.d.ts +441 -0
  21. package/dist/decompiler-worker.js +1962 -0
  22. package/dist/dynamic-trace.d.ts +95 -0
  23. package/dist/dynamic-trace.js +629 -0
  24. package/dist/env-validator.d.ts +15 -0
  25. package/dist/env-validator.js +249 -0
  26. package/dist/error-handler.d.ts +28 -0
  27. package/dist/error-handler.example.d.ts +22 -0
  28. package/dist/error-handler.example.js +141 -0
  29. package/dist/error-handler.js +139 -0
  30. package/dist/ghidra-analysis-status.d.ts +49 -0
  31. package/dist/ghidra-analysis-status.js +178 -0
  32. package/dist/ghidra-config.d.ts +134 -0
  33. package/dist/ghidra-config.js +464 -0
  34. package/dist/index.d.ts +9 -0
  35. package/dist/index.js +200 -0
  36. package/dist/job-queue.d.ts +169 -0
  37. package/dist/job-queue.js +407 -0
  38. package/dist/logger.d.ts +106 -0
  39. package/dist/logger.js +176 -0
  40. package/dist/policy-guard.d.ts +115 -0
  41. package/dist/policy-guard.js +243 -0
  42. package/dist/process-output.d.ts +15 -0
  43. package/dist/process-output.js +90 -0
  44. package/dist/prompts/function-explanation-review.d.ts +5 -0
  45. package/dist/prompts/function-explanation-review.js +64 -0
  46. package/dist/prompts/semantic-name-review.d.ts +5 -0
  47. package/dist/prompts/semantic-name-review.js +63 -0
  48. package/dist/runtime-correlation.d.ts +34 -0
  49. package/dist/runtime-correlation.js +279 -0
  50. package/dist/runtime-paths.d.ts +3 -0
  51. package/dist/runtime-paths.js +11 -0
  52. package/dist/selection-diff.d.ts +667 -0
  53. package/dist/selection-diff.js +53 -0
  54. package/dist/semantic-name-suggestion-artifacts.d.ts +116 -0
  55. package/dist/semantic-name-suggestion-artifacts.js +314 -0
  56. package/dist/server.d.ts +129 -0
  57. package/dist/server.js +578 -0
  58. package/dist/tools/artifact-read.d.ts +235 -0
  59. package/dist/tools/artifact-read.js +317 -0
  60. package/dist/tools/artifacts-diff.d.ts +728 -0
  61. package/dist/tools/artifacts-diff.js +304 -0
  62. package/dist/tools/artifacts-list.d.ts +515 -0
  63. package/dist/tools/artifacts-list.js +389 -0
  64. package/dist/tools/attack-map.d.ts +290 -0
  65. package/dist/tools/attack-map.js +519 -0
  66. package/dist/tools/cache-observability.d.ts +4 -0
  67. package/dist/tools/cache-observability.js +36 -0
  68. package/dist/tools/code-function-cfg.d.ts +50 -0
  69. package/dist/tools/code-function-cfg.js +102 -0
  70. package/dist/tools/code-function-decompile.d.ts +55 -0
  71. package/dist/tools/code-function-decompile.js +103 -0
  72. package/dist/tools/code-function-disassemble.d.ts +43 -0
  73. package/dist/tools/code-function-disassemble.js +185 -0
  74. package/dist/tools/code-function-explain-apply.d.ts +255 -0
  75. package/dist/tools/code-function-explain-apply.js +225 -0
  76. package/dist/tools/code-function-explain-prepare.d.ts +535 -0
  77. package/dist/tools/code-function-explain-prepare.js +276 -0
  78. package/dist/tools/code-function-explain-review.d.ts +397 -0
  79. package/dist/tools/code-function-explain-review.js +589 -0
  80. package/dist/tools/code-function-rename-apply.d.ts +248 -0
  81. package/dist/tools/code-function-rename-apply.js +220 -0
  82. package/dist/tools/code-function-rename-prepare.d.ts +506 -0
  83. package/dist/tools/code-function-rename-prepare.js +279 -0
  84. package/dist/tools/code-function-rename-review.d.ts +574 -0
  85. package/dist/tools/code-function-rename-review.js +761 -0
  86. package/dist/tools/code-functions-list.d.ts +37 -0
  87. package/dist/tools/code-functions-list.js +91 -0
  88. package/dist/tools/code-functions-rank.d.ts +34 -0
  89. package/dist/tools/code-functions-rank.js +90 -0
  90. package/dist/tools/code-functions-reconstruct.d.ts +2725 -0
  91. package/dist/tools/code-functions-reconstruct.js +2807 -0
  92. package/dist/tools/code-functions-search.d.ts +39 -0
  93. package/dist/tools/code-functions-search.js +90 -0
  94. package/dist/tools/code-reconstruct-export.d.ts +1212 -0
  95. package/dist/tools/code-reconstruct-export.js +4002 -0
  96. package/dist/tools/code-reconstruct-plan.d.ts +274 -0
  97. package/dist/tools/code-reconstruct-plan.js +342 -0
  98. package/dist/tools/dotnet-metadata-extract.d.ts +541 -0
  99. package/dist/tools/dotnet-metadata-extract.js +355 -0
  100. package/dist/tools/dotnet-reconstruct-export.d.ts +567 -0
  101. package/dist/tools/dotnet-reconstruct-export.js +1151 -0
  102. package/dist/tools/dotnet-types-list.d.ts +325 -0
  103. package/dist/tools/dotnet-types-list.js +201 -0
  104. package/dist/tools/dynamic-dependencies.d.ts +115 -0
  105. package/dist/tools/dynamic-dependencies.js +213 -0
  106. package/dist/tools/dynamic-memory-import.d.ts +10 -0
  107. package/dist/tools/dynamic-memory-import.js +567 -0
  108. package/dist/tools/dynamic-trace-import.d.ts +10 -0
  109. package/dist/tools/dynamic-trace-import.js +235 -0
  110. package/dist/tools/entrypoint-fallback-disasm.d.ts +30 -0
  111. package/dist/tools/entrypoint-fallback-disasm.js +89 -0
  112. package/dist/tools/ghidra-analyze.d.ts +88 -0
  113. package/dist/tools/ghidra-analyze.js +208 -0
  114. package/dist/tools/ghidra-health.d.ts +37 -0
  115. package/dist/tools/ghidra-health.js +212 -0
  116. package/dist/tools/ioc-export.d.ts +209 -0
  117. package/dist/tools/ioc-export.js +542 -0
  118. package/dist/tools/packer-detect.d.ts +165 -0
  119. package/dist/tools/packer-detect.js +284 -0
  120. package/dist/tools/pe-exports-extract.d.ts +175 -0
  121. package/dist/tools/pe-exports-extract.js +253 -0
  122. package/dist/tools/pe-fingerprint.d.ts +234 -0
  123. package/dist/tools/pe-fingerprint.js +269 -0
  124. package/dist/tools/pe-imports-extract.d.ts +105 -0
  125. package/dist/tools/pe-imports-extract.js +245 -0
  126. package/dist/tools/report-generate.d.ts +157 -0
  127. package/dist/tools/report-generate.js +457 -0
  128. package/dist/tools/report-summarize.d.ts +2131 -0
  129. package/dist/tools/report-summarize.js +596 -0
  130. package/dist/tools/runtime-detect.d.ts +135 -0
  131. package/dist/tools/runtime-detect.js +247 -0
  132. package/dist/tools/sample-ingest.d.ts +94 -0
  133. package/dist/tools/sample-ingest.js +327 -0
  134. package/dist/tools/sample-profile-get.d.ts +183 -0
  135. package/dist/tools/sample-profile-get.js +121 -0
  136. package/dist/tools/sandbox-execute.d.ts +441 -0
  137. package/dist/tools/sandbox-execute.js +392 -0
  138. package/dist/tools/strings-extract.d.ts +375 -0
  139. package/dist/tools/strings-extract.js +314 -0
  140. package/dist/tools/strings-floss-decode.d.ts +143 -0
  141. package/dist/tools/strings-floss-decode.js +259 -0
  142. package/dist/tools/system-health.d.ts +434 -0
  143. package/dist/tools/system-health.js +446 -0
  144. package/dist/tools/task-cancel.d.ts +21 -0
  145. package/dist/tools/task-cancel.js +70 -0
  146. package/dist/tools/task-status.d.ts +27 -0
  147. package/dist/tools/task-status.js +106 -0
  148. package/dist/tools/task-sweep.d.ts +22 -0
  149. package/dist/tools/task-sweep.js +77 -0
  150. package/dist/tools/tool-help.d.ts +340 -0
  151. package/dist/tools/tool-help.js +261 -0
  152. package/dist/tools/yara-scan.d.ts +554 -0
  153. package/dist/tools/yara-scan.js +313 -0
  154. package/dist/types.d.ts +266 -0
  155. package/dist/types.js +41 -0
  156. package/dist/worker-pool.d.ts +204 -0
  157. package/dist/worker-pool.js +650 -0
  158. package/dist/workflows/deep-static.d.ts +104 -0
  159. package/dist/workflows/deep-static.js +276 -0
  160. package/dist/workflows/function-explanation-review.d.ts +655 -0
  161. package/dist/workflows/function-explanation-review.js +440 -0
  162. package/dist/workflows/reconstruct.d.ts +2053 -0
  163. package/dist/workflows/reconstruct.js +666 -0
  164. package/dist/workflows/semantic-name-review.d.ts +2418 -0
  165. package/dist/workflows/semantic-name-review.js +521 -0
  166. package/dist/workflows/triage.d.ts +659 -0
  167. package/dist/workflows/triage.js +1374 -0
  168. package/dist/workspace-manager.d.ts +150 -0
  169. package/dist/workspace-manager.js +411 -0
  170. package/ghidra_scripts/DecompileFunction.java +487 -0
  171. package/ghidra_scripts/DecompileFunction.py +150 -0
  172. package/ghidra_scripts/ExtractCFG.java +256 -0
  173. package/ghidra_scripts/ExtractCFG.py +233 -0
  174. package/ghidra_scripts/ExtractFunctions.java +442 -0
  175. package/ghidra_scripts/ExtractFunctions.py +101 -0
  176. package/ghidra_scripts/README.md +125 -0
  177. package/ghidra_scripts/SearchFunctionReferences.java +380 -0
  178. package/helpers/DotNetMetadataProbe/DotNetMetadataProbe.csproj +9 -0
  179. package/helpers/DotNetMetadataProbe/Program.cs +566 -0
  180. package/install-to-codex.ps1 +178 -0
  181. package/install-to-copilot.ps1 +303 -0
  182. package/package.json +101 -0
  183. package/requirements.txt +9 -0
  184. package/workers/requirements-dynamic.txt +11 -0
  185. package/workers/requirements.txt +8 -0
  186. package/workers/speakeasy_compat.py +175 -0
  187. package/workers/static_worker.py +5183 -0
  188. package/workers/yara_rules/default.yar +33 -0
  189. package/workers/yara_rules/malware_families.yar +93 -0
  190. package/workers/yara_rules/packers.yar +80 -0
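--- a/package/dist/workflows/triage.d.ts
+++ b/package/dist/workflows/triage.d.ts
@@ -0,0 +1,659 @@
+/**
+* Triage workflow implementation
+* Quick threat assessment workflow that completes within 5 minutes
+* Requirements: 15.1, 15.2, 15.4, 15.5
+*/
+import { z } from 'zod';
+import type { ToolDefinition, ToolArgs, WorkerResult } from '../types.js';
+import type { WorkspaceManager } from '../workspace-manager.js';
+import type { DatabaseManager } from '../database.js';
+import type { CacheManager } from '../cache-manager.js';
+/**
+* Input schema for triage workflow
+* Requirements: 15.1
+*/
+export declare const TriageWorkflowInputSchema: z.ZodObject<{
+sample_id: z.ZodString;
+force_refresh: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}, "strip", z.ZodTypeAny, {
+sample_id: string;
+force_refresh: boolean;
+}, {
+sample_id: string;
+force_refresh?: boolean | undefined;
+}>;
+export type TriageWorkflowInput = z.infer<typeof TriageWorkflowInputSchema>;
+/**
+* Output schema for triage workflow
+* Requirements: 15.2, 15.4, 15.5
+*/
+export declare const TriageWorkflowOutputSchema: z.ZodObject<{
+ok: z.ZodBoolean;
+data: z.ZodOptional<z.ZodObject<{
+summary: z.ZodString;
+confidence: z.ZodNumber;
+threat_level: z.ZodEnum<["clean", "suspicious", "malicious", "unknown"]>;
+iocs: z.ZodObject<{
+suspicious_imports: z.ZodArray<z.ZodString, "many">;
+suspicious_strings: z.ZodArray<z.ZodString, "many">;
+yara_matches: z.ZodArray<z.ZodString, "many">;
+yara_low_confidence: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+urls: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+ip_addresses: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+file_paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+registry_keys: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+high_value_iocs: z.ZodOptional<z.ZodObject<{
+suspicious_apis: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+commands: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+pipes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+urls: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+network: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+}, {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+}>>;
+compiler_artifacts: z.ZodOptional<z.ZodObject<{
+cargo_paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+rust_markers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+library_profile: z.ZodOptional<z.ZodObject<{
+ecosystems: z.ZodArray<z.ZodString, "many">;
+top_crates: z.ZodArray<z.ZodString, "many">;
+notable_libraries: z.ZodArray<z.ZodString, "many">;
+evidence: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+}, {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+}>>;
+}, "strip", z.ZodTypeAny, {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+}, {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+}>>;
+}, "strip", z.ZodTypeAny, {
+suspicious_imports: string[];
+suspicious_strings: string[];
+yara_matches: string[];
+yara_low_confidence?: string[] | undefined;
+urls?: string[] | undefined;
+ip_addresses?: string[] | undefined;
+file_paths?: string[] | undefined;
+registry_keys?: string[] | undefined;
+high_value_iocs?: {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+} | undefined;
+compiler_artifacts?: {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+}, {
+suspicious_imports: string[];
+suspicious_strings: string[];
+yara_matches: string[];
+yara_low_confidence?: string[] | undefined;
+urls?: string[] | undefined;
+ip_addresses?: string[] | undefined;
+file_paths?: string[] | undefined;
+registry_keys?: string[] | undefined;
+high_value_iocs?: {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+} | undefined;
+compiler_artifacts?: {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+}>;
+evidence: z.ZodArray<z.ZodString, "many">;
+evidence_weights: z.ZodObject<{
+import: z.ZodNumber;
+string: z.ZodNumber;
+runtime: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+string: number;
+runtime: number;
+import: number;
+}, {
+string: number;
+runtime: number;
+import: number;
+}>;
+inference: z.ZodOptional<z.ZodObject<{
+classification: z.ZodEnum<["benign", "suspicious", "malicious", "unknown"]>;
+hypotheses: z.ZodArray<z.ZodString, "many">;
+false_positive_risks: z.ZodArray<z.ZodString, "many">;
+intent_assessment: z.ZodOptional<z.ZodObject<{
+label: z.ZodEnum<["dual_use_tool", "operator_utility", "malware_like_payload", "unknown"]>;
+confidence: z.ZodNumber;
+evidence: z.ZodArray<z.ZodString, "many">;
+counter_evidence: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+}, {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+}>>;
+tooling_assessment: z.ZodOptional<z.ZodObject<{
+help_text_detected: z.ZodBoolean;
+cli_surface_detected: z.ZodBoolean;
+framework_hints: z.ZodArray<z.ZodString, "many">;
+toolchain_markers: z.ZodArray<z.ZodString, "many">;
+library_profile: z.ZodOptional<z.ZodObject<{
+ecosystems: z.ZodArray<z.ZodString, "many">;
+top_crates: z.ZodArray<z.ZodString, "many">;
+notable_libraries: z.ZodArray<z.ZodString, "many">;
+evidence: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+}, {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+}>>;
+}, "strip", z.ZodTypeAny, {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+}, {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+}>>;
+}, "strip", z.ZodTypeAny, {
+classification: "unknown" | "suspicious" | "malicious" | "benign";
+hypotheses: string[];
+false_positive_risks: string[];
+intent_assessment?: {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+} | undefined;
+tooling_assessment?: {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+}, {
+classification: "unknown" | "suspicious" | "malicious" | "benign";
+hypotheses: string[];
+false_positive_risks: string[];
+intent_assessment?: {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+} | undefined;
+tooling_assessment?: {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+}>>;
+recommendation: z.ZodString;
+raw_results: z.ZodObject<{
+fingerprint: z.ZodOptional<z.ZodAny>;
+runtime: z.ZodOptional<z.ZodAny>;
+imports: z.ZodOptional<z.ZodAny>;
+strings: z.ZodOptional<z.ZodAny>;
+yara: z.ZodOptional<z.ZodAny>;
+}, "strip", z.ZodTypeAny, {
+strings?: any;
+runtime?: any;
+imports?: any;
+fingerprint?: any;
+yara?: any;
+}, {
+strings?: any;
+runtime?: any;
+imports?: any;
+fingerprint?: any;
+yara?: any;
+}>;
+}, "strip", z.ZodTypeAny, {
+summary: string;
+confidence: number;
+evidence: string[];
+threat_level: "unknown" | "clean" | "suspicious" | "malicious";
+iocs: {
+suspicious_imports: string[];
+suspicious_strings: string[];
+yara_matches: string[];
+yara_low_confidence?: string[] | undefined;
+urls?: string[] | undefined;
+ip_addresses?: string[] | undefined;
+file_paths?: string[] | undefined;
+registry_keys?: string[] | undefined;
+high_value_iocs?: {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+} | undefined;
+compiler_artifacts?: {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+};
+evidence_weights: {
+string: number;
+runtime: number;
+import: number;
+};
+recommendation: string;
+raw_results: {
+strings?: any;
+runtime?: any;
+imports?: any;
+fingerprint?: any;
+yara?: any;
+};
+inference?: {
+classification: "unknown" | "suspicious" | "malicious" | "benign";
+hypotheses: string[];
+false_positive_risks: string[];
+intent_assessment?: {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+} | undefined;
+tooling_assessment?: {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+} | undefined;
+}, {
+summary: string;
+confidence: number;
+evidence: string[];
+threat_level: "unknown" | "clean" | "suspicious" | "malicious";
+iocs: {
+suspicious_imports: string[];
+suspicious_strings: string[];
+yara_matches: string[];
+yara_low_confidence?: string[] | undefined;
+urls?: string[] | undefined;
+ip_addresses?: string[] | undefined;
+file_paths?: string[] | undefined;
+registry_keys?: string[] | undefined;
+high_value_iocs?: {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+} | undefined;
+compiler_artifacts?: {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+};
+evidence_weights: {
+string: number;
+runtime: number;
+import: number;
+};
+recommendation: string;
+raw_results: {
+strings?: any;
+runtime?: any;
+imports?: any;
+fingerprint?: any;
+yara?: any;
+};
+inference?: {
+classification: "unknown" | "suspicious" | "malicious" | "benign";
+hypotheses: string[];
+false_positive_risks: string[];
+intent_assessment?: {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+} | undefined;
+tooling_assessment?: {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+} | undefined;
+}>>;
+warnings: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+metrics: z.ZodOptional<z.ZodObject<{
+elapsed_ms: z.ZodNumber;
+tool: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+elapsed_ms: number;
+tool: string;
+}, {
+elapsed_ms: number;
+tool: string;
+}>>;
+}, "strip", z.ZodTypeAny, {
+ok: boolean;
+metrics?: {
+elapsed_ms: number;
+tool: string;
+} | undefined;
+data?: {
+summary: string;
+confidence: number;
+evidence: string[];
+threat_level: "unknown" | "clean" | "suspicious" | "malicious";
+iocs: {
+suspicious_imports: string[];
+suspicious_strings: string[];
+yara_matches: string[];
+yara_low_confidence?: string[] | undefined;
+urls?: string[] | undefined;
+ip_addresses?: string[] | undefined;
+file_paths?: string[] | undefined;
+registry_keys?: string[] | undefined;
+high_value_iocs?: {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+} | undefined;
+compiler_artifacts?: {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+};
+evidence_weights: {
+string: number;
+runtime: number;
+import: number;
+};
+recommendation: string;
+raw_results: {
+strings?: any;
+runtime?: any;
+imports?: any;
+fingerprint?: any;
+yara?: any;
+};
+inference?: {
+classification: "unknown" | "suspicious" | "malicious" | "benign";
+hypotheses: string[];
+false_positive_risks: string[];
+intent_assessment?: {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+} | undefined;
+tooling_assessment?: {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+} | undefined;
+} | undefined;
+warnings?: string[] | undefined;
+errors?: string[] | undefined;
+}, {
+ok: boolean;
+metrics?: {
+elapsed_ms: number;
+tool: string;
+} | undefined;
+data?: {
+summary: string;
+confidence: number;
+evidence: string[];
+threat_level: "unknown" | "clean" | "suspicious" | "malicious";
+iocs: {
+suspicious_imports: string[];
+suspicious_strings: string[];
+yara_matches: string[];
+yara_low_confidence?: string[] | undefined;
+urls?: string[] | undefined;
+ip_addresses?: string[] | undefined;
+file_paths?: string[] | undefined;
+registry_keys?: string[] | undefined;
+high_value_iocs?: {
+network?: string[] | undefined;
+urls?: string[] | undefined;
+suspicious_apis?: string[] | undefined;
+commands?: string[] | undefined;
+pipes?: string[] | undefined;
+} | undefined;
+compiler_artifacts?: {
+cargo_paths?: string[] | undefined;
+rust_markers?: string[] | undefined;
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+};
+evidence_weights: {
+string: number;
+runtime: number;
+import: number;
+};
+recommendation: string;
+raw_results: {
+strings?: any;
+runtime?: any;
+imports?: any;
+fingerprint?: any;
+yara?: any;
+};
+inference?: {
+classification: "unknown" | "suspicious" | "malicious" | "benign";
+hypotheses: string[];
+false_positive_risks: string[];
+intent_assessment?: {
+label: "unknown" | "dual_use_tool" | "operator_utility" | "malware_like_payload";
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+} | undefined;
+tooling_assessment?: {
+help_text_detected: boolean;
+cli_surface_detected: boolean;
+framework_hints: string[];
+toolchain_markers: string[];
+library_profile?: {
+evidence: string[];
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+} | undefined;
+} | undefined;
+} | undefined;
+} | undefined;
+warnings?: string[] | undefined;
+errors?: string[] | undefined;
+}>;
+export type TriageWorkflowOutput = z.infer<typeof TriageWorkflowOutputSchema>;
+/**
+* Tool definition for triage workflow
+*/
+export declare const triageWorkflowToolDefinition: ToolDefinition;
+export declare function extractCrateNameFromCargoPath(input: string): string | null;
+declare function analyzeSuspiciousStrings(strings: unknown[]): {
+suspicious: string[];
+urls: string[];
+ips: string[];
+paths: string[];
+registry: string[];
+commands: string[];
+pipes: string[];
+cargoPaths: string[];
+rustMarkers: string[];
+crateNames: string[];
+libraryHints: string[];
+};
+interface YaraSignal {
+rule: string;
+level: 'low' | 'medium' | 'high' | 'unknown';
+score: number;
+stringOnly: boolean;
+generic: boolean;
+}
+interface IntentAssessment {
+label: 'dual_use_tool' | 'operator_utility' | 'malware_like_payload' | 'unknown';
+confidence: number;
+evidence: string[];
+counter_evidence: string[];
+}
+export interface LibraryProfile {
+ecosystems: string[];
+top_crates: string[];
+notable_libraries: string[];
+evidence: string[];
+}
+export declare function buildLibraryProfile(stringAnalysis: Pick<ReturnType<typeof analyzeSuspiciousStrings>, 'cargoPaths' | 'crateNames' | 'libraryHints' | 'rustMarkers'>, runtime: any): LibraryProfile | undefined;
+export declare function applyIntentAwareYaraAdjustments(yaraSignals: YaraSignal[], intentAssessment: IntentAssessment): YaraSignal[];
+export declare function calculateThreatLevelV2(yaraSignals: YaraSignal[], suspiciousImports: string[], suspiciousStrings: string[], intentAssessment: IntentAssessment): {
+level: 'clean' | 'suspicious' | 'malicious' | 'unknown';
+confidence: number;
+};
+/**
+* Execute triage workflow
+* Requirements: 15.1, 15.2, 15.4, 15.5
+*
+* This is a standalone function that can be called by other workflows
+*/
+export declare function triageWorkflow(sampleId: string, workspaceManager: WorkspaceManager, database: DatabaseManager, cacheManager: CacheManager): Promise<TriageWorkflowOutput>;
+/**
+* Create triage workflow handler
+* Requirements: 15.1, 15.2, 15.4, 15.5
+*/
+export declare function createTriageWorkflowHandler(workspaceManager: WorkspaceManager, database: DatabaseManager, cacheManager: CacheManager): (args: ToolArgs) => Promise<WorkerResult>;
+export {};
+//# sourceMappingURL=triage.d.ts.map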
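Review bot: `raw_results` (declaration lines 279–297) types every sub-result as `z.ZodOptional<z.ZodAny>`, so `any` leaks into the exported `TriageWorkflowOutput` and from there into every consumer of `triageWorkflow` and `createTriageWorkflowHandler`; `buildLibraryProfile(..., runtime: any)` at line 640 has the same problem. These values appear to be worker output derived from analysing untrusted binaries (the schema's own `iocs`, `yara_matches` and `strings` fields point that way), so consumers get neither compile-time narrowing nor runtime shape validation on exactly the data most likely to contain attacker-controlled content; declaring the fields as `z.unknown()` (which emits `unknown` in the `.d.ts`) or giving each sub-result its own schema would force callers to narrow before use. This file is tsc-emitted, so the change belongs in the TypeScript source the declaration is generated from. Separately, `sample_id` is a bare `z.ZodString` with no format constraint; if the implementation uses it to derive workspace paths, a pattern such as a fixed-length hex digest would bound the input, though that cannot be confirmed from this declaration alone.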