@guava-parity/guard-scanner 13.0.0 → 16.0.0

package/docs/rules/credential-handling.md

@@ -0,0 +1,100 @@
+# Threat Category: credential-handling
+
+This document provides explainability for all rules in the `credential-handling` category.
+
+## Rule: `CRED_ENV_FILE`
+- **Severity**: HIGH
+- **Description**: Reading .env file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_ENV_REF`
+- **Severity**: MEDIUM
+- **Description**: Sensitive env var access
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_SSH`
+- **Severity**: HIGH
+- **Description**: SSH key access
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_WALLET`
+- **Severity**: HIGH
+- **Description**: Crypto wallet credential access
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_ECHO`
+- **Severity**: HIGH
+- **Description**: Credential echo/print to output
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_SUDO`
+- **Severity**: HIGH
+- **Description**: Sudo in installation instructions
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_KEYCHAIN_DUMP`
+- **Severity**: CRITICAL
+- **Description**: Credential theft: macOS Keychain dumping
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_BROWSER_COOKIE`
+- **Severity**: CRITICAL
+- **Description**: Credential theft: browser cookie/credential database extraction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_MIMIKATZ_PATTERN`
+- **Severity**: CRITICAL
+- **Description**: Credential theft: Mimikatz-style credential dumping tool
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_CLOUD_METADATA`
+- **Severity**: CRITICAL
+- **Description**: Credential theft: cloud metadata endpoint access for IAM token theft
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_GIT_CREDENTIAL`
+- **Severity**: HIGH
+- **Description**: Credential theft: git credential file access
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CRED_KUBE_CONFIG`
+- **Severity**: CRITICAL
+- **Description**: Credential theft: Kubernetes config with cluster credentials
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/cve-patterns.md

@@ -0,0 +1,332 @@
+# Threat Category: cve-patterns
+
+This document provides explainability for all rules in the `cve-patterns` category.
+
+## Rule: `CVE_GATEWAY_URL`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-25253: gatewayUrl injection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_SANDBOX_DISABLE`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-25253: sandbox disabling
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_XATTR_GATEKEEPER`
+- **Severity**: HIGH
+- **Description**: macOS Gatekeeper bypass (xattr)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_LANGGRINCH_SERIALIZATION`
+- **Severity**: CRITICAL
+- **Description**: CVE-2025-68664: LangGrinch langchain-core serialization injection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CAMOLEAK_SOURCE_EXFIL`
+- **Severity**: CRITICAL
+- **Description**: CVSS 9.6: CamoLeak silent source code exfiltration via telemetry endpoints
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `HAVOC_AMOS`
+- **Severity**: CRITICAL
+- **Description**: ClawHavoc: AMOS/Atomic Stealer
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `HAVOC_AUTOTOOL`
+- **Severity**: CRITICAL
+- **Description**: Python os.system reverse shell
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `HAVOC_DEVTCP`
+- **Severity**: CRITICAL
+- **Description**: Reverse shell: /dev/tcp
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_WS_NO_ORIGIN`
+- **Severity**: HIGH
+- **Description**: WebSocket without origin validation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_API_GUARDRAIL_OFF`
+- **Severity**: CRITICAL
+- **Description**: API-level guardrail disabling
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VDB_SK_RCE_FILTER`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-26030: Semantic Kernel VectorStore RCE filter bypass
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_CLAUDE_INFO_DISC`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-21852: Anthropic API Key Leak (Claude Code Info Disclosure)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_CLAUDE_PRIVESC`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-25725: Claude Code Privilege Escalation Hook
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_CLAUDE_CODE_INJ`
+- **Severity**: CRITICAL
+- **Description**: CVE-2025-59536: Claude Code Injection via untrusted hook
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_MCP_PYODIDE_RCE`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-25905: mcp-run-python Pyodide sandbox escape RCE
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_MCP_ATLASSIAN_RCE`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-27825: mcp-atlassian unauthenticated RCE+SSRF via path traversal
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_MSAGENT_SHELL`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-2256: MS-Agent check_safe() denylist bypass — unsanitized shell execution (CERT VU#431821)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_MSAGENT_DENYLIST`
+- **Severity**: HIGH
+- **Description**: CVE-2026-2256: Regex denylist pattern (bypassable)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_KIMI_EXECSYNC`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-25046: execSync with unsanitized filename (shell metachar injection)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_LANGFLOW_CSVAGENT`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-27966: Langflow CSV Agent RCE — allow_dangerous_code=True enables python_repl_ast code execution
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_LANGFLOW_REPL`
+- **Severity**: HIGH
+- **Description**: CVE-2026-27966: LangChain Python REPL tool (RCE vector via prompt injection)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_MCPJAM_RCE`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-23744: MCPJam Inspector unauthenticated RCE via /api/mcp/connect endpoint
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_SSRF_CVE`
+- **Severity**: CRITICAL
+- **Description**: Known MCP server CVEs: path traversal / argument injection / scoping bypass
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_PROMPT_TO_SHELL`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-2256 extended: prompt/user_input → shell execution chain
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `OPENCLAW_WSS_HIJACK`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-25253: OpenClaw Localhost WebSocket Hijacking
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `OPENCLAW_GATEWAY_RCE`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-25253: OpenClaw Gateway RCE via unvalidated gatewayUrl query param
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `OPENCLAW_DOCKER_PATH_INJECT`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-24763: OpenClaw Docker PATH command injection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_2026_0628_GEMINI_CHROME`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-0628: Chrome Gemini AI extension privilege escalation — panel hijack
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `OPENWEBUI_MODEL_TRUST`
+- **Severity**: CRITICAL
+- **Description**: CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + backend RCE
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_CHROME_GEMINI_HIJACK`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-0628: Chrome extension → Gemini AI hijack (camera/mic/files access)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_MARKDOWN_RCE`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-22813: Markdown render pipeline with disabled sanitization (RCE vector)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_SHELL_EXPANSION_FILENAME`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-29783: Shell expansion via unquoted filename/path variable injection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_GIT_PATH_TRAVERSAL`
+- **Severity**: CRITICAL
+- **Description**: CVE-2025-68143: mcp-server-git path traversal in repository creation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CISCO_AI_SUPPLY_CHAIN`
+- **Severity**: CRITICAL
+- **Description**: Cisco AI supply chain: dependency confusion via AI agents in CI/CD pipeline
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `LORA_SLEEPER_INJECT`
+- **Severity**: CRITICAL
+- **Description**: LoRA sleeper injection: malicious adapter silently replacing baseline model weights
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_AGENT_CWD_INJECT`
+- **Severity**: CRITICAL
+- **Description**: CVE-2026-27001: unsanitized CWD/directory path injection into LLM prompt context
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_IDESASTER_CHAIN`
+- **Severity**: CRITICAL
+- **Description**: IDEsaster: IDE config file combined with code execution (24 CVE chain)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_COPILOT_PI_RCE`
+- **Severity**: CRITICAL
+- **Description**: GitHub Copilot prompt injection to RCE (CVE-2025-53773)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CVE_CLAUDE_CODE_WS_BYPASS`
+- **Severity**: HIGH
+- **Description**: Claude Code WebSocket unauthenticated local connection (CVE-2025-52882)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PLEASEFIX_BROWSER_HIJACK`
+- **Severity**: CRITICAL
+- **Description**: PleaseFix: browser hijack via calendar invite with extension abuse (Zenity Labs)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `OPENCLAW_CVE_CHAIN_2026`
+- **Severity**: CRITICAL
+- **Description**: OpenClaw CVE chain 2026 — brute-force auth, device registration, token theft
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/data-exposure.md

@@ -0,0 +1,84 @@
+# Threat Category: data-exposure
+
+This document provides explainability for all rules in the `data-exposure` category.
+
+## Rule: `AUTO_REFINE_MOLTBOOK_LEAK`
+- **Severity**: CRITICAL
+- **Description**: Moltbook-style API Key Leak Detection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MOLTBOOK_API_KEY_LEAK`
+- **Severity**: CRITICAL
+- **Description**: Moltbook API Extractor payload targeting Supabase keys
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_VERBOSE_ERROR`
+- **Severity**: MEDIUM
+- **Description**: Data exposure: verbose error/stack trace in HTTP response
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_DEBUG_ENDPOINT`
+- **Severity**: HIGH
+- **Description**: Data exposure: debug/admin endpoint exposed in production
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_DIRECTORY_LISTING`
+- **Severity**: MEDIUM
+- **Description**: Data exposure: directory listing enabled in static file server
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_CORS_CREDENTIALS`
+- **Severity**: CRITICAL
+- **Description**: Data exposure: CORS with credentials + wildcard origin
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_LOG_SENSITIVE`
+- **Severity**: HIGH
+- **Description**: Data exposure: logging sensitive data (passwords, tokens, keys)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_HEADER_LEAK`
+- **Severity**: LOW
+- **Description**: Data exposure: server technology disclosure via HTTP headers
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_GIT_EXPOSED`
+- **Severity**: CRITICAL
+- **Description**: Data exposure: .git directory or .env file accessible
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `DATA_BACKUP_FILE`
+- **Severity**: MEDIUM
+- **Description**: Data exposure: backup/temporary files left in accessible location
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/exfiltration.md

@@ -0,0 +1,36 @@
+# Threat Category: exfiltration
+
+This document provides explainability for all rules in the `exfiltration` category.
+
+## Rule: `EXFIL_WEBHOOK`
+- **Severity**: CRITICAL
+- **Description**: Known exfiltration endpoint
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `EXFIL_POST`
+- **Severity**: HIGH
+- **Description**: POST with sensitive data
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `EXFIL_CURL_DATA`
+- **Severity**: HIGH
+- **Description**: curl exfiltration of secrets
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `EXFIL_DNS`
+- **Severity**: HIGH
+- **Description**: DNS-based exfiltration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/financial-access.md

@@ -0,0 +1,84 @@
+# Threat Category: financial-access
+
+This document provides explainability for all rules in the `financial-access` category.
+
+## Rule: `FIN_CRYPTO`
+- **Severity**: HIGH
+- **Description**: Cryptocurrency transaction operations
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_PAYMENT`
+- **Severity**: MEDIUM
+- **Description**: Payment API integration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_WALLET_DRAIN`
+- **Severity**: CRITICAL
+- **Description**: Financial: wallet/account draining attempt
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_PRIVATE_KEY_EXTRACT`
+- **Severity**: CRITICAL
+- **Description**: Financial: private key or seed phrase extraction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_SWAP_FRONTRUN`
+- **Severity**: CRITICAL
+- **Description**: Financial: DEX swap frontrunning/sandwich attack
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_FLASH_LOAN`
+- **Severity**: CRITICAL
+- **Description**: Financial: flash loan exploit pattern
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_APPROVAL_UNLIMITED`
+- **Severity**: HIGH
+- **Description**: Financial: unlimited token approval (ERC20 approval drain risk)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_REENTRANCY`
+- **Severity**: CRITICAL
+- **Description**: Financial: reentrancy vulnerability pattern in smart contract
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_PRICE_ORACLE_MANIP`
+- **Severity**: CRITICAL
+- **Description**: Financial: price oracle manipulation attack
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `FIN_RUGPULL_PATTERN`
+- **Severity**: CRITICAL
+- **Description**: Financial: rug pull/exit scam (admin liquidity removal)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+