@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

package/src/sast/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+411dd662c96624bcc85746b90c2d1a487fd15e7da71fe116cb3d8e548071a588

package/src/sast/.agentic-security/scan-history.json

@@ -0,0 +1,408 @@
+[
+  {
+    "timestamp": "2026-05-26T16:30:07.351Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-26T16:34:28.797Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T01:10:20.082Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T03:05:16.971Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T03:18:22.550Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:09:50.637Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:10:10.121Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:12:25.348Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:17:13.165Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:21:04.965Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:21:46.189Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:24:34.687Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:43:08.807Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T09:43:30.205Z",
+    "label": "scan",
+    "total": 17,
+    "critical": 0,
+    "high": 0,
+    "medium": 2,
+    "low": 15,
+    "kev": 0,
+    "ids": [
+      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
+      "client-side:CLIENT_EVAL:client-side.js:135",
+      "client-side:CLIENT_EVAL:client-side.js:139",
+      "client-side:CLIENT_EVAL:client-side.js:140",
+      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
+      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
+      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
+      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
+      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "spec-drift:rate-limit-impl:rate-limit.js:34",
+      "spec-drift:rate-limit-impl:rate-limit.js:77",
+      "ssrf-meta-hardcoded:go-extended.js:39",
+      "ssrf-meta-hardcoded:python-sinks.js:186",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
+      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
+      "zip-slip:zip-slip.js:192:node-entry"
+    ]
+  }
+]

package/src/sast/.agentic-security/streak.json

@@ -0,0 +1,20 @@
+{
+  "firstScanDate": "2026-05-26T16:30:07.386Z",
+  "lastScanDate": "2026-05-27T09:43:30.233Z",
+  "totalScans": 14,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-27",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 27,
+  "totalFindingsAtLastScan": 28,
+  "totalFixesInferred": 0,
+  "lastGrade": "A-",
+  "bestGrade": "A-",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan"
+  ],
+  "previousGrade": "A-"
+}

package/src/sast/cache-poisoning.js

@@ -0,0 +1,77 @@
+// Cache poisoning via tainted response headers.
+//
+// Detects reflected request headers in responses that CDNs/proxies key on.
+// X-Forwarded-Host, X-Forwarded-Proto, X-Original-URL reflected into
+// response headers or HTML body enables web cache poisoning attacks.
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const CACHE_KEY_HEADERS = /x-forwarded-host|x-forwarded-proto|x-original-url|x-rewrite-url|x-forwarded-for|x-host/i;
+const TAINT_SOURCES = /req\.headers|request\.headers|request\.META|getHeader|get_header|\$_SERVER/;
+
+export function scanCachePoisoning(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go|rb|php|phtml)$/i.test(fp)) return [];
+
+  const findings = [];
+
+  // Pattern 1: Reflected cache-key header in response
+  // res.setHeader('X-Forwarded-Host', req.headers['x-forwarded-host'])
+  const headerReflectRe = /(?:setHeader|set|header|add_header|Header\.Set|Header\.Add)\s*\(\s*['"]([^'"]+)['"]\s*,\s*[^)]*(?:req\.headers|request\.headers|request\.META|\$_SERVER)/g;
+  for (const m of raw.matchAll(headerReflectRe)) {
+    const headerName = m[1];
+    if (!CACHE_KEY_HEADERS.test(headerName)) continue;
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-reflect:${fp}:${line}`,
+      file: fp, line,
+      vuln: `Cache Poisoning — ${headerName} reflected from request to response`,
+      severity: 'high',
+      family: 'cache-poisoning',
+      cwe: 'CWE-349',
+      parser: 'CACHE-POISON',
+      confidence: 0.75,
+      description: `The ${headerName} request header is reflected in the response. If a CDN or reverse proxy caches this response, an attacker can poison the cache for all users by sending a crafted ${headerName} value.`,
+      remediation: `Don't reflect ${headerName} into the response. If you need the value for redirects, validate it against an allow-list of trusted hosts.`,
+    });
+  }
+
+  // Pattern 2: Cache-Control or Vary set from user input
+  const cacheControlTaintRe = /(?:Cache-Control|Vary)\s*['"]\s*,\s*[^)]*(?:req\.|request\.|params|query|body|\$_GET|\$_REQUEST)/g;
+  for (const m of raw.matchAll(cacheControlTaintRe)) {
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-control:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Cache Poisoning — Cache-Control or Vary header set from user input',
+      severity: 'high',
+      family: 'cache-poisoning',
+      cwe: 'CWE-349',
+      parser: 'CACHE-POISON',
+      confidence: 0.65,
+      description: 'Cache-Control or Vary response header is derived from user input. An attacker can manipulate caching behavior to serve stale or poisoned content.',
+      remediation: 'Set Cache-Control and Vary headers from server-side constants, never from user input.',
+    });
+  }
+
+  // Pattern 3: Host header used in URL generation (redirect/link)
+  const hostRedirectRe = /(?:req\.headers\.host|request\.get_host|request\.host|request\.META\s*\[\s*['"]HTTP_HOST['"])\s*[^;\n]*(?:redirect|location|href|url|link)/gi;
+  for (const m of raw.matchAll(hostRedirectRe)) {
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-host:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Cache Poisoning — Host header used in URL/redirect generation',
+      severity: 'medium',
+      family: 'cache-poisoning',
+      cwe: 'CWE-644',
+      parser: 'CACHE-POISON',
+      confidence: 0.60,
+      description: 'The Host request header is used to generate URLs or redirects. Combined with caching, an attacker can redirect all cached users to a malicious host.',
+      remediation: 'Use a server-configured base URL instead of the Host header. Validate Host against an allow-list.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/comparison-safety.js

@@ -0,0 +1,73 @@
+// Timing-safe comparison and type-coercion safety detector.
+//
+// Flags:
+//   1. Direct === / == on HMAC/signature/token/OTP values (timing attack)
+//   2. Loose == in authorization checks (type coercion)
+//   3. Missing timingSafeEqual / hmac.compare_digest in verification functions
+
+const TIMING_SENSITIVE = /\b(hmac|signature|digest|hash|mac|checksum|token|otp|apiKey|api_key|secret_key|webhook_secret|signing_key)\b/i;
+const AUTH_CONTEXT = /\b(role|permission|isAdmin|is_admin|accessLevel|access_level|privilege|authorization|auth_level)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+export function scanComparisonSafety(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go)$/i.test(fp)) return [];
+
+  const findings = [];
+
+  // 1. Timing-unsafe comparison: x === y where x or y is named like a secret
+  for (const m of raw.matchAll(/(\w+)\s*===?\s*(\w+)/g)) {
+    const left = m[1], right = m[2];
+    if (!TIMING_SENSITIVE.test(left) && !TIMING_SENSITIVE.test(right)) continue;
+    const line = _line(raw, m.index);
+    const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+    const lineText = raw.slice(lineStart, raw.indexOf('\n', m.index));
+    // Skip if timingSafeEqual or compare_digest is nearby
+    const context = raw.slice(Math.max(0, m.index - 200), m.index + 200);
+    if (/timingSafeEqual|compare_digest|ConstantTimeCompare|constant_time_compare/i.test(context)) continue;
+    // Skip if inside a comment
+    if (/^\s*\/\/|^\s*#|^\s*\*/.test(lineText)) continue;
+    findings.push({
+      id: `timing-unsafe:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Timing-Unsafe Comparison — secret/HMAC compared with === instead of timingSafeEqual',
+      severity: 'medium',
+      family: 'timing-attack',
+      cwe: 'CWE-208',
+      parser: 'COMPARISON',
+      confidence: 0.70,
+      description: `String === comparison on "${TIMING_SENSITIVE.exec(left + ' ' + right)?.[1] || 'secret'}" leaks timing information. An attacker can measure response times to guess the value byte-by-byte.`,
+      remediation: 'Use crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b)) in Node.js, hmac.compare_digest(a, b) in Python, or subtle.ConstantTimeCompare(a, b) in Go.',
+      snippet: lineText.trim().slice(0, 100),
+    });
+  }
+
+  // 2. Loose equality == in auth context
+  for (const m of raw.matchAll(/(\w+)\s*==\s*(?!=)(\w+|['"][^'"]+['"])/g)) {
+    const left = m[1], right = m[2];
+    if (!AUTH_CONTEXT.test(left) && !AUTH_CONTEXT.test(right)) continue;
+    const line = _line(raw, m.index);
+    const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+    const lineText = raw.slice(lineStart, raw.indexOf('\n', m.index));
+    if (/^\s*\/\/|^\s*#|^\s*\*/.test(lineText)) continue;
+    // Only flag JS/TS (Python and Go use == for equality, not coercion)
+    if (!/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) continue;
+    findings.push({
+      id: `loose-equality-auth:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Loose Equality in Auth Check — == allows type coercion bypass',
+      severity: 'high',
+      family: 'type-coercion',
+      cwe: 'CWE-697',
+      parser: 'COMPARISON',
+      confidence: 0.65,
+      description: `Loose equality (==) on "${AUTH_CONTEXT.exec(left + ' ' + right)?.[1] || 'auth field'}" allows type coercion. "1" == 1 is true; an attacker may bypass checks by sending a different type.`,
+      remediation: 'Use strict equality (===) for all authorization checks.',
+      snippet: lineText.trim().slice(0, 100),
+    });
+  }
+
+  return findings;
+}

package/src/sast/db-taint.js

@@ -213,3 +213,57 @@ export function scanDbTaint(fp, raw) {
   }
   return findings;
 }
+
+// ── Cross-file stored injection ────────────────────────────────────────────
+//
+// Extends the same-file detector to work across all files in the project.
+// Collects ORM writes and render-of-reads across all files, then matches
+// by field name to find stored XSS / stored injection paths.
+
+export function scanDbTaintCrossFile(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const allWrites = [];
+  const allReads = [];
+  for (const [fp, raw] of Object.entries(fileContents)) {
+    if (!raw || typeof raw !== 'string' || raw.length > 500_000) continue;
+    const lang = _lang(fp);
+    if (!lang) continue;
+    const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+    const writes = _findTaintedWrites(code, lang);
+    for (const w of writes) allWrites.push({ ...w, file: fp });
+    const reads = _findRendersOfReads(code, lang);
+    for (const r of reads) allReads.push({ ...r, file: fp });
+  }
+  const findings = [];
+  const seen = new Set();
+  for (const w of allWrites) {
+    for (const r of allReads) {
+      if (w.file === r.file) continue;
+      if (w.field !== r.field) continue;
+      const id = `db-taint-xfile:${w.file}:${w.line}->${r.file}:${r.line}:${w.field}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: r.file, line: r.line,
+        vuln: `Stored XSS via DB round-trip — cross-file (${w.model || '?'}.${w.field})`,
+        severity: 'high',
+        cwe: 'CWE-79',
+        family: 'stored-xss',
+        stride: 'Tampering',
+        remediation:
+          `User content written to ${w.model || '?'}.${w.field} at ${w.file}:${w.line} is later read at ${r.file}:${r.line} and rendered. ` +
+          'Sanitize at write time (HTML-escape), escape at render time, and use CSP to block inline scripts.',
+        parser: 'DB-TAINT-XFILE',
+        confidence: 0.60,
+        source: { file: w.file, line: w.line, label: `${w.model || '?'}.${w.field} write` },
+        sink: { file: r.file, line: r.line, label: `${w.field} render` },
+        trace: [
+          { file: w.file, line: w.line, kind: 'db-write', sourceLabel: `${w.model || '?'}.${w.field} ← user input` },
+          { file: r.file, line: r.line, kind: 'db-read',  sourceLabel: `${w.field} → render sink` },
+        ],
+      });
+    }
+  }
+  return findings;
+}