@activemind/scd 1.4.0

package/lib/taint-register.js

@@ -0,0 +1,196 @@
+/**
+ * taint-register.js
+ * Pre-scan single-file taint tracking.
+ *
+ * Builds a register of variables that are assigned from external/user-controlled
+ * sources (HTTP input, CLI args, environment). Passed to the scanner so rules
+ * can detect when a tainted variable reaches a dangerous sink.
+ *
+ * Scope: single-file, single-assignment. Does not track:
+ *   - Cross-function taint propagation
+ *   - Chained assignments ($a = $b; $b = $_GET['x'])
+ *   - Conditional assignments
+ *
+ * These limitations are acceptable for the current regex-based engine.
+ * Full taint analysis is on the roadmap as a future architectural improvement.
+ *
+ * Usage:
+ *   const { buildTaintRegister } = require('./taint-register');
+ *   const taint = buildTaintRegister(fileContent, 'php');
+ *   // taint.has('id')   → true if $id was assigned from $_GET/$_POST etc.
+ *   // taint.getLine('id') → line number of the assignment
+ *   // taint.getSource('id') → '$_GET["id"]'
+ */
+
+'use strict';
+
+// ── Source patterns per language ──────────────────────────────────────────
+// Each pattern captures: group 1 = variable name
+
+const SOURCE_PATTERNS = {
+  php: [
+    // $varname = $_GET['key'] / $_POST['key'] / $_REQUEST / $_COOKIE / $_SESSION
+    /^\s*\$(\w+)\s*=\s*(\$_(?:GET|POST|REQUEST|COOKIE|SESSION)\s*\[['"][^'"]{0,60}['"]\])/,
+    // $varname = $_SERVER['key'] (e.g. HTTP_HOST, REQUEST_URI)
+    /^\s*\$(\w+)\s*=\s*(\$_SERVER\s*\[['"](?:HTTP_\w+|REQUEST_URI|QUERY_STRING|PATH_INFO)['"]\])/,
+    // $varname = htmlspecialchars_decode(...)  ← still tainted after decode
+    /^\s*\$(\w+)\s*=\s*(htmlspecialchars_decode\s*\(\s*\$_(?:GET|POST|REQUEST)\s*\[)/,
+    // $varname = trim/strip/addslashes of superglobal ← still tainted (insufficient sanitisation)
+    /^\s*\$(\w+)\s*=\s*(?:trim|strip_tags|addslashes|stripslashes|htmlentities)\s*\(\s*(\$_(?:GET|POST|REQUEST|COOKIE)\s*\[)/,
+  ],
+
+  python: [
+    // var = request.args.get('key') / request.args['key']
+    /^\s*(\w+)\s*=\s*(request\.(?:args|form|values|files)(?:\.get\s*\(|(?:\[)))/,
+    // var = request.json.get / request.json['key']
+    /^\s*(\w+)\s*=\s*(request\.json(?:\.get\s*\(|\[))/,
+    // var = flask.request. / g. shorthand
+    /^\s*(\w+)\s*=\s*(flask\.request\.(?:args|form|json|values))/,
+    // var = sys.argv[n]
+    /^\s*(\w+)\s*=\s*(sys\.argv\s*\[(?:[1-9]|\w+)\])/,
+  ],
+
+  js: [
+    // const/let/var name = req.query.x / req.body.x / req.params.x
+    /^\s*(?:const|let|var)\s+(\w+)\s*=\s*(req\.(?:query|body|params)(?:\.\w+|\[['"][^'"]{0,40}['"]\]))/,
+    // const name = req.query['x']
+    /^\s*(?:const|let|var)\s+(\w+)\s*=\s*(request\.(?:query|body|params))/,
+    // destructuring: const { id } = req.query  ← handled separately below
+  ],
+
+  ts: [
+    // Same as JS
+    /^\s*(?:const|let|var)\s+(\w+)\s*=\s*(req\.(?:query|body|params)(?:\.\w+|\[['"][^'"]{0,40}['"]\]))/,
+  ],
+};
+
+// ── TaintRegister class ───────────────────────────────────────────────────
+
+class TaintRegister {
+  constructor() {
+    // Map: varName → { line, source }
+    this._vars = new Map();
+  }
+
+  /**
+   * Record a tainted variable.
+   */
+  add(varName, lineNumber, source) {
+    if (!this._vars.has(varName)) {
+      this._vars.set(varName, { line: lineNumber, source });
+    }
+  }
+
+  /**
+   * Returns true if varName is tainted.
+   */
+  has(varName) {
+    return this._vars.has(varName);
+  }
+
+  /**
+   * Returns the line number where varName was tainted, or null.
+   */
+  getLine(varName) {
+    return this._vars.get(varName)?.line ?? null;
+  }
+
+  /**
+   * Returns the source expression (e.g. '$_GET["id"]'), or null.
+   */
+  getSource(varName) {
+    return this._vars.get(varName)?.source ?? null;
+  }
+
+  /**
+   * Returns all tainted variable names.
+   */
+  all() {
+    return [...this._vars.keys()];
+  }
+
+  /**
+   * Returns true if the register has any entries.
+   */
+  isEmpty() {
+    return this._vars.size === 0;
+  }
+}
+
+// ── Builder ───────────────────────────────────────────────────────────────
+
+/**
+ * Build a TaintRegister from file content.
+ *
+ * @param {string} content     - Full file content
+ * @param {string} language    - 'php' | 'python' | 'js' | 'ts'
+ * @returns {TaintRegister}
+ */
+function buildTaintRegister(content, language) {
+  const register = new TaintRegister();
+  const patterns = SOURCE_PATTERNS[language] || [];
+
+  if (patterns.length === 0) return register;
+
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line    = lines[i];
+    const lineNum = i + 1;
+
+    // Skip comments
+    const trimmed = line.trim();
+    if (
+      trimmed.startsWith('//') ||
+      trimmed.startsWith('#') ||
+      trimmed.startsWith('*') ||
+      trimmed.startsWith('/*')
+    ) continue;
+
+    for (const pattern of patterns) {
+      const m = line.match(pattern);
+      if (m) {
+        register.add(m[1], lineNum, m[2]);
+        break; // one pattern match per line is enough
+      }
+    }
+
+    // PHP: handle destructuring-style list() / extract()
+    if (language === 'php') {
+      // extract($_GET) / extract($_POST) — all vars in scope become tainted
+      // We can't know the keys, mark a wildcard
+      if (/extract\s*\(\s*\$_(?:GET|POST|REQUEST)/.test(line)) {
+        register.add('*', lineNum, 'extract()');
+      }
+    }
+
+    // JS/TS: destructuring  const { id, name } = req.query
+    if (language === 'js' || language === 'ts') {
+      const destructure = line.match(/^\s*(?:const|let|var)\s*\{([^}]{1,200})\}\s*=\s*(req\.(?:query|body|params))/);
+      if (destructure) {
+        const source = destructure[2];
+        const vars   = destructure[1].split(',').map(v => v.trim().split(/\s*:\s*/)[0].trim());
+        for (const v of vars) {
+          if (/^\w+$/.test(v)) register.add(v, lineNum, source);
+        }
+      }
+    }
+  }
+
+  return register;
+}
+
+/**
+ * Map file extension to language key.
+ */
+function extToLanguage(ext) {
+  const map = {
+    php: 'php', php5: 'php', phtml: 'php',
+    py:  'python',
+    js:  'js', mjs: 'js', cjs: 'js',
+    ts:  'ts', tsx: 'ts',
+  };
+  return map[ext.toLowerCase()] || null;
+}
+
+module.exports = { buildTaintRegister, extToLanguage, TaintRegister };

package/lib/version-check.js

@@ -0,0 +1,46 @@
+'use strict';
+
+/**
+ * version-check.js
+ * Compares the local scd version against the server's minimum required version.
+ * Used by interactive commands to warn when the CLI needs upgrading.
+ *
+ * The server's min_cli_version is cached in ~/.scd/config after each successful
+ * batch flush or health check — no extra network call needed at command time.
+ */
+
+const pkg = require('../package.json');
+
+function semverLt(a, b) {
+  const pa = String(a).split('.').map(Number);
+  const pb = String(b).split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    const na = pa[i] || 0, nb = pb[i] || 0;
+    if (na < nb) return true;
+    if (na > nb) return false;
+  }
+  return false; // equal
+}
+
+/**
+ * Returns a warning string if the local CLI version is below the server's
+ * minimum required version, or null if everything is fine or no server info
+ * is cached yet.
+ */
+function getVersionWarning() {
+  try {
+    const { getMinCliVersion, getServerVersion } = require('./global-config');
+    const minVer = getMinCliVersion();
+    if (!minVer) return null;                          // no server info cached yet
+    if (!semverLt(pkg.version, minVer)) return null;  // up to date
+
+    const serverVer = getServerVersion();
+    const serverPart = serverVer ? ` (server: v${serverVer})` : '';
+    return `⚠  scd v${pkg.version} is outdated — scd-server requires v${minVer} or later${serverPart}.\n` +
+           `   Run: npm install -g @activemind/scd`;
+  } catch {
+    return null; // never let this break a command
+  }
+}
+
+module.exports = { getVersionWarning };

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@activemind/scd",
+  "version": "1.4.0",
+  "description": "Secure Code by Design – automated security scanning for development teams",
+  "author": "Activemind Solutions AB",
+  "license": "SEE LICENSE IN LICENSE.md",
+  "homepage": "https://securecodebydesign.com",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/activemindsolutions/scd.git"
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "bin": {
+    "scd": "bin/scd.js"
+  },
+  "main": "./bin/scd.js",
+  "files": [
+    "bin/",
+    "lib/",
+    "rules/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "link": "npm link",
+    "unlink": "npm unlink -g @activemind/scd",
+    "test": "node --test tests/**/*.test.js",
+    "test:integrity": "node --test tests/integrity/*.test.js",
+    "test:smoke": "node --test tests/smoke/*.test.js",
+    "test:rules": "node --test tests/rules/*.test.js"
+  },
+  "dependencies": {
+    "commander": "^14.0.3"
+  }
+}

package/rules/rule-loader.js

@@ -0,0 +1,324 @@
+'use strict';
+
+/**
+ * rule-loader.js
+ * Compiles a raw rule definition (from JSON) into a runtime rule object
+ * compatible with scanner-full.js.
+ *
+ * JSON rules cannot contain RegExp literals or functions — rule-loader
+ * bridges that gap by compiling patterns and normalising confidence at
+ * load time.
+ *
+ * ── Schema version ──────────────────────────────────────────────────────────
+ * schema_version: 1
+ *
+ * ── Full field reference ────────────────────────────────────────────────────
+ *
+ * Required:
+ *   id           {string}   Stable rule ID, e.g. "INFRA-001". Plugin rules
+ *                           must use a prefix matching their pack_id to avoid
+ *                           collisions with built-in rules.
+ *   name         {string}   Human-readable rule name
+ *   severity     {string}   "CRITICAL" | "HIGH" | "MEDIUM" | "EXPOSURE"
+ *   category     {string}   OWASP category or custom grouping
+ *   pattern      {string}   Regex pattern string (compiled to RegExp at load time)
+ *
+ * Optional:
+ *   flags        {string}   Regex flags for pattern (default: "gi")
+ *   antipattern  {string}   Regex pattern string — if matched near the finding,
+ *                           the finding is suppressed. Compiled with antipattern_flags.
+ *   antipattern_flags {string}  Flags for antipattern regex (default: "i")
+ *   antipattern_preset {string} Named preset expanding to a standard antipattern.
+ *                           Applied in addition to antipattern if both are set.
+ *                           Available presets: "DEV_CONTEXT", "ADDR_AS_DATA",
+ *                           "LINK_EXAMPLE", "ENV_VAR_REF"
+ *   lookahead    {number}   Chars to scan ahead of match for antipattern (default: 300)
+ *   lookbehind   {number}   Chars to scan behind match for antipattern (default: 120)
+ *   exclude_file_types {string[]}  File extensions to skip entirely, e.g. ["md","txt"]
+ *   file_types   {string[]}  File extensions this rule applies to (sensitive-file rules)
+ *   match_mode   {string}   "content" (default) | "filename"
+ *   taint_aware  {boolean}  True if rule requires taint tracking
+ *   taint_extract {string}  Taint extraction strategy: "concat" | "interpolation" | "func_concat"
+ *   service      {string}   Service name for secrets rules
+ *   resolve_hint {string}   Additional remediation hint
+ *   why          {string}   Explanation of the vulnerability
+ *   scenario     {string}   Attack scenario description
+ *   fix          {string}   Remediation guidance
+ *   checklist    {string[]} Step-by-step remediation checklist
+ *   source       {string}   Set by loader — "builtin" | pack_id. Never set in JSON.
+ *
+ * ── Confidence ──────────────────────────────────────────────────────────────
+ * Omit confidence_rules → defaults to "HIGH" (same as current JS rules).
+ *
+ * confidence_rules: array of condition objects, evaluated top-to-bottom.
+ * First matching condition wins. Always include a { "default": "..." } last.
+ *
+ * Available conditions (evaluated top-to-bottom, first match wins):
+ *   if_file_context      {string|string[]}  Matches classifyFileContext() result.
+ *                        Values: "frontend" | "backend" | "config" | "doc" | "test"
+ *   if_path_contains     {string[]}         filePath contains any term (case-insensitive)
+ *   if_line_contains     {string[]}         lineRaw contains any term (case-insensitive)
+ *   if_value_matches     {string}           Captured group 1 (or full match) tests against regex
+ *   if_value_not_matches {string}           Captured group 1 does NOT test against regex
+ *   if_value_shorter_than {number}          Captured group 1 length < threshold
+ *   default              {string}           Fallback — always matches
+ *
+ * Example:
+ *   "confidence_rules": [
+ *     { "if_value_matches": "^(?:sk-|ghp_|AKIA)",   "then": "HIGH"   },
+ *     { "if_value_not_matches": "\\d",              "then": "LOW"    },
+ *     { "if_value_shorter_than": 12,                  "then": "LOW"    },
+ *     { "if_file_context": ["test", "doc"],           "then": "LOW"    },
+ *     { "if_path_contains": ["auth", "login"],        "then": "HIGH"   },
+ *     { "default": "MEDIUM" }
+ *   ]
+ *
+ * ── Plugin / pack rules ──────────────────────────────────────────────────────
+ * Rule packs are JSON files placed in ~/.scd/plugins/rules/ (community/custom)
+ * or delivered to ~/.scd/packs/ (commercial, via scd-server).
+ *
+ * Pack file format:
+ *   {
+ *     "schema_version": 1,
+ *     "pack_id": "my-pack",
+ *     "pack_name": "My Rule Pack",
+ *     "pack_version": "1.0.0",
+ *     "author": "...",
+ *     "rules": [ { ... }, { ... } ]
+ *   }
+ *
+ * Rule IDs in a pack must use a prefix matching pack_id to avoid collisions
+ * with built-in rules (e.g. pack_id "fintech" → rule IDs "FINTECH-001" etc.)
+ *
+ * License enforcement is server-side: scd-server validates rule source against
+ * the customer's license. The CLI runs offline (trust on install for plugins).
+ */
+
+// ── File context classifier ─────────────────────────────────────────────────
+// Kept here (not imported from rules-infra-leakage.js) so rule-loader is
+// self-contained and usable by scanner-full without creating a circular dep.
+
+const FRONTEND_EXTS = new Set(['js', 'ts', 'jsx', 'tsx', 'mjs', 'cjs', 'vue', 'svelte', 'html', 'htm']);
+const DOC_EXTS      = new Set(['md', 'txt', 'log', 'rst', 'adoc']);
+const CONFIG_EXTS   = new Set(['json', 'yml', 'yaml', 'toml', 'ini', 'env', 'conf', 'cfg', 'properties', 'xml']);
+
+function classifyFileContext(filePath) {
+  if (!filePath) return 'backend';
+  const ext   = filePath.split('.').pop().toLowerCase();
+  const lower = filePath.toLowerCase();
+  // Test check first — matches path segments at any position including start,
+  // and .test.js / .spec.js filename suffixes
+  if (/(?:^|[/\\])(?:tests?|spec|__tests__|__mocks__|fixtures)(?:[/\\]|$)|\.(?:test|spec)\.[a-z]+$/.test(lower)) return 'test';
+  if (FRONTEND_EXTS.has(ext)) return 'frontend';
+  if (DOC_EXTS.has(ext))      return 'doc';
+  if (CONFIG_EXTS.has(ext))   return 'config';
+  return 'backend';
+}
+
+// ── Antipattern presets ─────────────────────────────────────────────────────
+// Shared patterns used by multiple built-in rules. Plugin rules can reference
+// these by name via antipattern_preset for convenience — but inline patterns
+// are always preferred for transparency.
+
+const ANTIPATTERN_PRESETS = {
+  DEV_CONTEXT:  '(?:example|sample|placeholder|TODO|FIXME|NOTE|demo|mock|fake|dummy|test|spec|localhost_only|dev.only|development.only)',
+  ADDR_AS_DATA: '(?:==\\s*[\'"`]|!=\\s*[\'"`]|\\.startswith\\s*\\(|netloc\\s*==|\\.host\\s*==|is_loopback|is_private|is_reserved|_has_ipv6|check.*local|local.*check|returns\\s+(?:True|False)\\s+if|e\\.g\\.|i\\.e\\.|for\\s+example|#.*if\\s+ip\\s*=|#.*ip\\s*=|log\\.(?:debug|info|warning|error|critical)\\s*\\()',
+  LINK_EXAMPLE: '(?:example\\.com|example\\.org|example\\.net|your[-_]?(?:host|domain|server|url)|<host>|<server>|\\[host\\]|\\[server\\])',
+  ENV_VAR_REF:  '(?:process\\.env|os\\.environ|getenv|System\\.getenv|\\$\\{|\\$[A-Z_]+\\b)',
+};
+
+// ── Confidence rule evaluator ───────────────────────────────────────────────
+
+/**
+ * Build a confidence function from a confidence_rules array.
+ * Returns a function with the same signature as the existing JS confidence
+ * functions: (matchObj, lineRaw, filePath) => 'HIGH' | 'MEDIUM' | 'LOW'
+ *
+ * @param {Array} rules  Array of condition objects from JSON
+ * @returns {function}
+ */
+function buildConfidenceFunction(rules) {
+  return function confidenceFromRules(matchObj, lineRaw, filePath) {
+    const fileCtx  = classifyFileContext(filePath);
+    const lineLow  = (lineRaw  || '').toLowerCase();
+    const pathLow  = (filePath || '').toLowerCase();
+
+    // Extract captured value from matchObj (capture group 1, or full match as fallback).
+    // Used by if_value_matches / if_value_not_matches / if_value_shorter_than.
+    // matchObj is the raw RegExp match array: match[0] = full match, match[1] = first group.
+    const value = (matchObj && (matchObj[1] || matchObj[0])) || '';
+
+    for (const rule of rules) {
+      // { default: "MEDIUM" }
+      if ('default' in rule) {
+        return rule.default;
+      }
+
+      let matched = false;
+
+      // { if_file_context: "frontend" } or { if_file_context: ["test","backend"] }
+      if (rule.if_file_context !== undefined) {
+        const targets = Array.isArray(rule.if_file_context)
+          ? rule.if_file_context
+          : [rule.if_file_context];
+        if (targets.includes(fileCtx)) matched = true;
+      }
+
+      // { if_path_contains: ["auth","login"] }
+      if (!matched && rule.if_path_contains !== undefined) {
+        if (rule.if_path_contains.some(t => pathLow.includes(t.toLowerCase()))) matched = true;
+      }
+
+      // { if_line_contains: ["nonce","csrf"] }
+      if (!matched && rule.if_line_contains !== undefined) {
+        if (rule.if_line_contains.some(t => lineLow.includes(t.toLowerCase()))) matched = true;
+      }
+
+      // { if_value_matches: "^sk-" }
+      // Matches if the captured value (match group 1, or full match) tests against the regex.
+      if (!matched && rule.if_value_matches !== undefined) {
+        try {
+          if (new RegExp(rule.if_value_matches).test(value)) matched = true;
+        } catch { /* invalid regex in rule — skip */ }
+      }
+
+      // { if_value_not_matches: "\\d" }
+      // Matches if the value does NOT test against the regex.
+      if (!matched && rule.if_value_not_matches !== undefined) {
+        try {
+          if (!new RegExp(rule.if_value_not_matches).test(value)) matched = true;
+        } catch { /* invalid regex in rule — skip */ }
+      }
+
+      // { if_value_shorter_than: 12 }
+      // Matches if the value length is strictly less than the threshold.
+      if (!matched && rule.if_value_shorter_than !== undefined) {
+        if (value.length < rule.if_value_shorter_than) matched = true;
+      }
+
+      if (matched) return rule.then;
+    }
+
+    // No rule matched and no default — fall back to HIGH
+    return 'HIGH';
+  };
+}
+
+
+// ── Core loader ─────────────────────────────────────────────────────────────
+
+/**
+ * Load and compile a single raw rule definition from JSON.
+ * Returns a runtime rule object compatible with scanner-full.js.
+ *
+ * @param {object} raw     Parsed rule object from JSON
+ * @param {string} source  "builtin" or pack_id — set by caller
+ * @returns {object}       Compiled rule ready for use by scanner-full
+ */
+function loadRule(raw, source) {
+  if (!raw.id)      throw new Error('Rule missing required field: id');
+  if (!raw.pattern) throw new Error(`Rule ${raw.id} missing required field: pattern`);
+
+  // ── Pattern ─────────────────────────────────────────────────────────────
+  const compiled = {
+    ...raw,
+    // Rename snake_case JSON fields to camelCase for scanner-full compatibility
+    id:               raw.id,
+    name:             raw.name || raw.title || raw.id,
+    severity:         raw.severity         || 'HIGH',
+    category:         raw.category         || 'Uncategorised',
+    pattern:          new RegExp(raw.pattern, raw.flags || 'gi'),
+    lookahead:        raw.lookahead        ?? undefined,
+    lookbehind:       raw.lookbehind       ?? undefined,
+    fileTypes:        raw.file_types       ?? undefined,
+    excludeFileTypes: raw.exclude_file_types ?? undefined,
+    extensions:       raw.extensions        ?? undefined,
+    skipForFileTypes: raw.skip_for_file_types ?? undefined,
+    matchMode:        raw.match_mode       ?? undefined,
+    taintAware:       raw.taint_aware      ?? undefined,
+    taintExtract:     raw.taint_extract    ?? undefined,
+    service:          raw.service          ?? undefined,
+    resolve_hint:     raw.resolve_hint     ?? undefined,
+    source:           source               || 'builtin',
+    why:              raw.why || raw.description || undefined,
+    // scan_comments: true — rule intentionally matches comment line content.
+    // Opts out of the global comment-line suppression in scanFileWithRules().
+    // Use only for rules whose pattern explicitly targets comment syntax
+    // (e.g. @ts-ignore, TODO/FIXME with sensitive data, commented-out secrets).
+    scanComments:     raw.scan_comments    ?? false,
+  };
+
+  // ── Antipattern ─────────────────────────────────────────────────────────
+  // Combine inline antipattern + optional preset into a single RegExp.
+  const apFlags = raw.antipattern_flags || 'i';
+  const parts   = [];
+
+  if (raw.antipattern) {
+    parts.push(raw.antipattern);
+  }
+
+  if (Array.isArray(raw.antipatterns)) {
+    parts.push(...raw.antipatterns);
+  }
+
+  if (raw.antipattern_preset) {
+    const preset = ANTIPATTERN_PRESETS[raw.antipattern_preset];
+    if (!preset) {
+      console.warn(`[scd] Unknown antipattern_preset "${raw.antipattern_preset}" in rule ${raw.id}`);
+    } else {
+      parts.push(preset);
+    }
+  }
+
+  compiled.antipattern = parts.length > 0
+    ? new RegExp(parts.join('|'), apFlags)
+    : null;
+
+  // Clean up JSON-only fields that scanner-full doesn't need
+  delete compiled.flags;
+  delete compiled.antipattern_flags;
+  delete compiled.antipattern_preset;
+  delete compiled.antipatterns;       // array form — compiled into compiled.antipattern above
+  delete compiled.file_types;
+  delete compiled.exclude_file_types;
+  delete compiled.skip_for_file_types; // camelCase version kept as skipForFileTypes
+  delete compiled.match_mode;
+  delete compiled.taint_aware;
+  delete compiled.taint_extract;
+  delete compiled.schema_version;
+  delete compiled.variant;  // variant is internal — scanner sees only id
+  delete compiled.title;       // alias for name — compiled.name is set above
+  delete compiled.description; // alias for why  — compiled.why  is set above
+
+  // ── Confidence ──────────────────────────────────────────────────────────
+  // confidence_rules array → compiled function
+  // Static string → kept as-is (scanner-full handles both)
+  // Omitted → no confidence property, scanner-full defaults to HIGH
+  if (Array.isArray(raw.confidence_rules)) {
+    compiled.confidence = buildConfidenceFunction(raw.confidence_rules);
+    delete compiled.confidence_rules;
+  } else if (raw.confidence && typeof raw.confidence === 'string') {
+    compiled.confidence = raw.confidence;
+  } else {
+    delete compiled.confidence;
+    delete compiled.confidence_rules;
+  }
+
+  return compiled;
+}
+
+/**
+ * Load all rules from a pack object (parsed pack JSON).
+ * Returns an array of compiled rule objects.
+ *
+ * @param {object} pack   Parsed pack JSON with pack_id and rules array
+ * @returns {object[]}    Array of compiled rules
+ */
+function loadPack(pack) {
+  if (!Array.isArray(pack.rules)) {
+    throw new Error(`Pack "${pack.pack_id || '?'}" has no rules array`);
+  }
+  return pack.rules.map(raw => loadRule(raw, pack.pack_id || 'unknown'));
+}
+
+module.exports = { loadRule, loadPack, classifyFileContext, ANTIPATTERN_PRESETS };