@oculum/cli 1.0.13 → 1.0.15

package/dist/index.js

@@ -12404,6 +12404,29 @@ var require_entropy = __commonJS({
       ];
       return debugPatterns.some((pattern) => pattern.test(lineContent));
     }
+    function isCommandLineSnippet(value, lineContent) {
+      const commandContextPatterns = [
+        /\b(quickFix|command|example|usage|cli|help|hint)\b/i,
+        /\b(run|exec|execute|install)\b\s*:/i
+      ];
+      const envAssignmentPatterns = [
+        /^\s*(export\s+)?[A-Z_][A-Z0-9_]*=/,
+        // export VAR=... or VAR=...
+        /\bNODE_OPTIONS=/i
+      ];
+      const commandPatterns = [
+        /^\s*\$\s+/,
+        // shell prompt
+        /\s--[a-z0-9][a-z0-9-]*/i,
+        // CLI flags
+        /\b(npm|pnpm|yarn|npx|node|bun|deno|git|curl|wget|oculum|python|pip|brew)\b/i
+      ];
+      const hasCommandContext = commandContextPatterns.some((p2) => p2.test(lineContent));
+      const looksLikeEnvAssignment = envAssignmentPatterns.some((p2) => p2.test(value));
+      const looksLikeCommand = commandPatterns.some((p2) => p2.test(value));
+      const hasMultipleTokens = value.trim().split(/\s+/).length >= 2;
+      return (hasCommandContext || looksLikeEnvAssignment || looksLikeCommand) && hasMultipleTokens;
+    }
     function isInlineStyle(lineContent) {
       const jsxStylePatterns = [
         /style\s*=\s*\{\{/,
@@ -12556,6 +12579,8 @@ var require_entropy = __commonJS({
           continue;
         if (isDebugLogContent(lineContent))
           continue;
+        if (isCommandLineSnippet(value, lineContent))
+          continue;
         if (isRegexPattern(value))
           continue;
         if (isTemplateWithCode(value, lineContent))
@@ -14317,7 +14342,11 @@ var require_path_exclusions = __commonJS({
         "**/demo/**",
         "**/sample/**",
         "**/samples/**",
-        "**/playground/**"
+        "**/playground/**",
+        "**/oculum.json",
+        // Scanner output files
+        "**/*.scan.json"
+        // Any scan result files
       ],
       fixturePatterns: [
         "**/fixtures/**",
@@ -15892,8 +15921,7 @@ var require_dangerous_functions = __commonJS({
       const contextEnd = Math.min(lines.length, lineNumber + 5);
       const context = lines.slice(contextStart, contextEnd).join("\n");
       const cosmeticContextPatterns = [
-        // UI component files
-        /\/(components?|ui|widgets?|animations?|contexts?)\//i,
+        // UI component files - REMOVED, let severity classification handle these
         // Style-related variables/functions
         /\b(style|styles|css|className|animation|transition)/i,
         /\b(width|height|opacity|color|transform|rotate|scale|translate)/i,
@@ -15906,13 +15934,9 @@ var require_dangerous_functions = __commonJS({
         /delay.*Math\.random/i,
         /duration.*Math\.random/i,
         // UI state variations
-        /\b(variant|theme|layout|position).*Math\.random/i,
-        // UI identifier variable names (toast, notification, element, component IDs)
-        /\b(toast|notification|element|component|widget|modal|dialog|popup).*id\b/i,
-        /\bid\s*=.*Math\.random/i,
-        /\bkey\s*=.*Math\.random/i,
-        // React keys
-        /\btempId|temporaryId|uniqueId\b/i
+        /\b(variant|theme|layout|position).*Math\.random/i
+        // NOTE: Removed UI identifier patterns (key, id, tempId, etc.) - these should be
+        // classified with info/low severity by the severity classification logic, not skipped entirely
       ];
       if (cosmeticContextPatterns.some((p2) => p2.test(context))) {
         return true;
@@ -15936,10 +15960,14 @@ var require_dangerous_functions = __commonJS({
     }
     function extractFunctionContext(content, lineNumber) {
       const lines = content.split("\n");
-      const start = Math.max(0, lineNumber - 10);
+      const start = Math.max(0, lineNumber - 20);
       for (let i = lineNumber; i >= start; i--) {
         const line = lines[i];
-        const funcDeclMatch = line.match(/(?:export\s+)?function\s+(\w+)/i);
+        const hasMethodCallWithArrowCallback = /\.\w+\(.*\([^)]*\)\s*=>/.test(line);
+        if (hasMethodCallWithArrowCallback) {
+          continue;
+        }
+        const funcDeclMatch = line.match(/(?:export\s+)?(?:async\s+)?function\s+(\w+)/i);
         if (funcDeclMatch) {
           return funcDeclMatch[1].toLowerCase();
         }
@@ -16077,7 +16105,24 @@ var require_dangerous_functions = __commonJS({
         "dialog",
         "popup",
         "unique",
-        "react"
+        "react",
+        // Non-security randomness usage (backoff/sampling/experiments)
+        "jitter",
+        "retry",
+        "backoff",
+        "delay",
+        "timeout",
+        "latency",
+        "sample",
+        "sampling",
+        "probability",
+        "chance",
+        "rollout",
+        "experiment",
+        "abtest",
+        "cohort",
+        "bucket",
+        "variant"
       ];
       if (lowRiskPatterns.some((p2) => lower.includes(p2))) {
         return "low";
@@ -16109,7 +16154,9 @@ var require_dangerous_functions = __commonJS({
       const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber);
       const businessLogicPatterns = [
         /\b(business|order|invoice|customer|product|transaction)Id\b/i,
-        /\b(reference|tracking|confirmation)Number\b/i
+        /\b(reference|tracking|confirmation)Number\b/i,
+        /\b(backoff|retry|jitter|delay|timeout|latency)\b/i,
+        /\b(sample|sampling|probability|chance|rollout|experiment|abtest|cohort|bucket|variant)\b/i
       ];
       const inBusinessLogicContext = businessLogicPatterns.some((p2) => p2.test(context)) && !inSecurityContext;
       let contextDescription = "unknown context";
@@ -16120,7 +16167,7 @@ var require_dangerous_functions = __commonJS({
       } else if (inUIContext) {
         contextDescription = "UI/cosmetic usage";
       } else if (inBusinessLogicContext) {
-        contextDescription = "business identifier generation";
+        contextDescription = "non-security usage";
       }
       return {
         inSecurityContext,
@@ -16388,24 +16435,24 @@ var require_dangerous_functions = __commonJS({
                 explanation = " (seed/demo data generation)";
                 description = "Math.random() used for generating fixture/seed data. Not security-critical in development contexts.";
                 suggestedFix = "Acceptable for seed data. Use crypto.randomUUID() if uniqueness guarantees needed.";
-              } else if (nameRisk === "high" || context.inSecurityContext || functionIntent === "security") {
-                severity2 = "high";
-                confidence2 = "high";
-                explanation = " (security-sensitive context)";
-                description = "Math.random() is NOT cryptographically secure and MUST NOT be used for tokens, keys, passwords, or session IDs. This can lead to predictable values that attackers can exploit.";
-                suggestedFix = "Replace with crypto.randomBytes() or crypto.randomUUID() for security-sensitive operations";
               } else if (toStringPattern.intent === "short-ui-id") {
                 severity2 = "info";
                 confidence2 = "low";
                 explanation = " (UI correlation ID)";
                 description = "Math.random() used for short UI correlation IDs. Not security-critical, but collisions possible in high-volume scenarios.";
                 suggestedFix = "For UI correlation, crypto.randomUUID() provides better uniqueness guarantees";
+              } else if (nameRisk === "high" || context.inSecurityContext || functionIntent === "security") {
+                severity2 = "high";
+                confidence2 = "high";
+                explanation = " (security-sensitive context)";
+                description = "Math.random() is NOT cryptographically secure and MUST NOT be used for tokens, keys, passwords, or session IDs. This can lead to predictable values that attackers can exploit.";
+                suggestedFix = "Replace with crypto.randomBytes() or crypto.randomUUID() for security-sensitive operations";
               } else if (nameRisk === "low" || context.inBusinessLogicContext || toStringPattern.intent === "business-id") {
                 severity2 = "low";
                 confidence2 = "low";
-                explanation = " (business identifier)";
-                description = "Math.random() is being used for non-security purposes (business IDs, tracking numbers). While not critical, Math.random() can produce collisions in high-volume scenarios.";
-                suggestedFix = "Consider crypto.randomUUID() for better uniqueness guarantees and collision resistance";
+                explanation = " (non-security usage)";
+                description = "Math.random() is being used for non-security purposes (business IDs, sampling, jitter/backoff, experiments). While not critical, Math.random() can produce collisions or bias in high-volume scenarios.";
+                suggestedFix = "Use crypto.randomUUID() for uniqueness-sensitive IDs. For sampling/backoff, consider a seeded PRNG if determinism is needed.";
               } else {
                 severity2 = "medium";
                 confidence2 = "medium";
@@ -37475,7 +37522,7 @@ Example response format (OPTIMIZED):
                                 keep: { type: "boolean" }
                               },
                               required: ["index", "keep"],
-                              additionalProperties: true
+                              additionalProperties: false
                             }
                           }
                         },
@@ -44649,18 +44696,19 @@ async function status() {
   spinner.succeed("  Authenticated");
   console.log("");
   const email = result.email || config.email || "unknown";
-  const tier = result.tier || "free";
-  if (tier !== config.tier || email !== config.email) {
-    setAuthCredentials(config.apiKey, email, tier);
+  const rawTier = String(result.tier || "free");
+  const normalizedTier = rawTier === "enterprise" ? "max" : rawTier;
+  if (normalizedTier !== config.tier || email !== config.email) {
+    setAuthCredentials(config.apiKey, email, normalizedTier);
   }
-  const tierBadge = tier === "pro" ? source_default.bgBlue.white(" PRO ") : tier === "enterprise" ? source_default.bgMagenta.white(" ENTERPRISE ") : source_default.bgGray.white(" FREE ");
+  const tierBadge = normalizedTier === "pro" ? source_default.bgBlue.white(" PRO ") : normalizedTier === "max" ? source_default.bgMagenta.white(" MAX ") : normalizedTier === "starter" ? source_default.bgCyan.white(" STARTER ") : source_default.bgGray.white(" FREE ");
   console.log(source_default.dim("  Email: ") + source_default.white(email));
   console.log(source_default.dim("  Plan:  ") + tierBadge);
   console.log("");
   console.log(source_default.bold("  Available Scan Depths:"));
   console.log("");
   console.log(source_default.green("  \u2713 ") + source_default.white("cheap") + source_default.dim("      Fast pattern matching (always free)"));
-  if (tier === "pro" || tier === "enterprise") {
+  if (normalizedTier === "pro" || normalizedTier === "max") {
     console.log(source_default.green("  \u2713 ") + source_default.white("validated") + source_default.dim("  AI validation (~70% fewer false positives)"));
     console.log(source_default.dim("  \u{1F512} ") + source_default.white("deep") + source_default.dim("       Multi-agent analysis (coming soon)"));
   } else {
@@ -46394,6 +46442,48 @@ var esm_default = { watch, FSWatcher };
 // src/commands/watch.ts
 var import_scanner2 = __toESM(require_dist());
 var import_formatters2 = __toESM(require_formatters());
+var WATCH_IGNORE_PATTERNS = [
+  "**/node_modules/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/.git/**",
+  "**/vendor/**",
+  "**/__pycache__/**",
+  "**/venv/**",
+  "**/.venv/**",
+  "**/coverage/**",
+  "**/.next/**",
+  "**/.nuxt/**",
+  "**/.turbo/**",
+  "**/out/**",
+  "**/.cache/**",
+  "**/.vercel/**",
+  "**/.netlify/**",
+  "**/target/**",
+  "**/bin/**",
+  "**/obj/**",
+  "**/.gradle/**",
+  "**/.mvn/**",
+  "**/bower_components/**",
+  "**/jspm_packages/**",
+  "**/.yarn/**",
+  "**/.pnp.*",
+  "**/package-lock.json",
+  "**/yarn.lock",
+  "**/pnpm-lock.yaml",
+  "**/*.min.js",
+  "**/*.min.css",
+  "**/*.bundle.js",
+  "**/validation-test/**",
+  "**/validation-repos/**",
+  "**/validation-results/**",
+  "**/test-files/**",
+  "**/.env",
+  "**/.env.*",
+  "**/.env.local",
+  "**/.env.*.local",
+  "**/**.env"
+];
 function isScannableFile2(filePath) {
   const ext2 = (0, import_path5.extname)(filePath).toLowerCase();
   const fileName = (0, import_path5.basename)(filePath);
@@ -46563,17 +46653,9 @@ async function watch2(targetPath, options) {
       "**/*.cs",
       "**/package.json"
     ];
-    const ignorePatterns2 = [
-      "**/node_modules/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/.git/**",
-      "**/vendor/**",
-      "**/__pycache__/**"
-    ];
     const allFiles2 = await glob3(patterns2, {
       cwd: absolutePath,
-      ignore: ignorePatterns2,
+      ignore: WATCH_IGNORE_PATTERNS,
       nodir: true,
       absolute: true
     });
@@ -46584,35 +46666,7 @@ async function watch2(targetPath, options) {
     isScanning = false;
     runScanOnChanges();
   };
-  const watcherIgnore = [
-    "**/node_modules/**",
-    "**/dist/**",
-    "**/build/**",
-    "**/.git/**",
-    "**/vendor/**",
-    "**/__pycache__/**",
-    "**/venv/**",
-    "**/.venv/**",
-    "**/coverage/**",
-    "**/.next/**",
-    "**/.nuxt/**",
-    "**/.turbo/**",
-    "**/out/**",
-    "**/.cache/**",
-    "**/.vercel/**",
-    "**/.netlify/**",
-    "**/target/**",
-    "**/.gradle/**",
-    "**/.mvn/**",
-    "**/bower_components/**",
-    "**/.yarn/**",
-    "**/package-lock.json",
-    "**/yarn.lock",
-    "**/pnpm-lock.yaml",
-    "**/*.min.js",
-    "**/*.min.css",
-    "**/*.bundle.js"
-  ];
+  const watcherIgnore = WATCH_IGNORE_PATTERNS;
   const watcher = esm_default.watch(absolutePath, {
     ignored: watcherIgnore,
     persistent: true,
@@ -46696,42 +46750,9 @@ async function watch2(targetPath, options) {
     "**/*.cs",
     "**/package.json"
   ];
-  const ignorePatterns = [
-    "**/node_modules/**",
-    "**/dist/**",
-    "**/build/**",
-    "**/.git/**",
-    "**/vendor/**",
-    "**/__pycache__/**",
-    "**/venv/**",
-    "**/.venv/**",
-    "**/coverage/**",
-    "**/.next/**",
-    "**/.nuxt/**",
-    "**/.turbo/**",
-    "**/out/**",
-    "**/.cache/**",
-    "**/.vercel/**",
-    "**/.netlify/**",
-    "**/target/**",
-    "**/bin/**",
-    "**/obj/**",
-    "**/.gradle/**",
-    "**/.mvn/**",
-    "**/bower_components/**",
-    "**/jspm_packages/**",
-    "**/.yarn/**",
-    "**/.pnp.*",
-    "**/package-lock.json",
-    "**/yarn.lock",
-    "**/pnpm-lock.yaml",
-    "**/*.min.js",
-    "**/*.min.css",
-    "**/*.bundle.js"
-  ];
   const allFiles = await glob2(patterns, {
     cwd: absolutePath,
-    ignore: ignorePatterns,
+    ignore: WATCH_IGNORE_PATTERNS,
     nodir: true,
     absolute: true
   });
@@ -47453,7 +47474,7 @@ function showLogo() {
 async function showWelcomeScreen() {
   console.clear();
   showLogo();
-  console.log(source_default.bold.white("  AI-Native api key Security Scanner for Modern Codebases\n"));
+  console.log(source_default.bold.white("  AI-Native Security Scanner for Modern Codebases\n"));
   console.log(source_default.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
   console.log(source_default.white("  Oculum detects security vulnerabilities in AI-generated"));
   console.log(source_default.white("  code and LLM-powered applications, including:\n"));
@@ -48586,7 +48607,7 @@ async function runUsageFlow() {
     console.log(source_default.bold("  \u{1F4CA} Oculum Usage"));
     console.log(source_default.dim("  " + "\u2500".repeat(38)));
     console.log("");
-    const planBadge = plan.name === "pro" ? source_default.bgBlue.white(" PRO ") : plan.name === "enterprise" || plan.name === "max" ? source_default.bgMagenta.white(" MAX ") : plan.name === "starter" ? source_default.bgCyan.white(" STARTER ") : source_default.bgGray.white(" FREE ");
+    const planBadge = plan.name === "pro" ? source_default.bgBlue.white(" PRO ") : plan.name === "max" ? source_default.bgMagenta.white(" MAX ") : plan.name === "starter" ? source_default.bgCyan.white(" STARTER ") : source_default.bgGray.white(" FREE ");
     console.log(source_default.dim("  Plan: ") + planBadge + source_default.white(` ${plan.displayName}`));
     console.log(source_default.dim("  Month: ") + source_default.white(usageData.month));
     console.log("");
@@ -48878,7 +48899,7 @@ async function usage(options) {
     console.log(source_default.bold("  \u{1F4CA} Oculum Usage"));
     console.log(source_default.dim("  " + "\u2500".repeat(38)));
     console.log("");
-    const planBadge = plan.name === "pro" ? source_default.bgBlue.white(" PRO ") : plan.name === "enterprise" || plan.name === "max" ? source_default.bgMagenta.white(" MAX ") : plan.name === "starter" ? source_default.bgCyan.white(" STARTER ") : source_default.bgGray.white(" FREE ");
+    const planBadge = plan.name === "pro" ? source_default.bgBlue.white(" PRO ") : plan.name === "max" ? source_default.bgMagenta.white(" MAX ") : plan.name === "starter" ? source_default.bgCyan.white(" STARTER ") : source_default.bgGray.white(" FREE ");
     console.log(source_default.dim("  Plan: ") + planBadge + source_default.white(` ${plan.displayName}`));
     console.log(source_default.dim("  Month: ") + source_default.white(usageData.month));
     console.log("");
@@ -49377,7 +49398,7 @@ function shouldRunUI() {
   return isOcAlias || isUICommand;
 }
 var program2 = new Command();
-program2.name("oculum").description("AI-native security scanner for detecting vulnerabilities in LLM-generated code").version("1.0.9").addHelpText("after", `
+program2.name("oculum").description("AI-native security scanner for detecting vulnerabilities in LLM-generated code").version("1.0.15").addHelpText("after", `
 Quick Start:
   $ oculum scan .          Scan current directory (free)
   $ oculum ui              Interactive mode with guided setup

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oculum/cli",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "description": "AI-native security scanner CLI for detecting vulnerabilities in AI-generated code, BYOK patterns, and modern web applications",
   "main": "dist/index.js",
   "bin": {
@@ -19,14 +19,14 @@
     "url": "https://github.com/flexipie/oculum/issues"
   },
   "scripts": {
-    "build": "esbuild src/index.ts --bundle --platform=node --target=node18 --outfile=dist/index.js --banner:js=\"#!/usr/bin/env node\" --define:process.env.OCULUM_API_URL='undefined' --define:VERSION='\"1.0.9\"'",
+    "build": "esbuild src/index.ts --bundle --platform=node --target=node18 --outfile=dist/index.js --banner:js=\"#!/usr/bin/env node\" --define:process.env.OCULUM_API_URL='undefined' --define:VERSION='\"'$npm_package_version'\"'",
     "dev": "npm run build -- --watch",
     "test": "echo \"No tests configured yet\"",
     "lint": "eslint src/"
   },
   "dependencies": {
-    "@oculum/scanner": "^1.0.3",
-    "@oculum/shared": "^1.0.2",
+    "@oculum/scanner": "^1.0.5",
+    "@oculum/shared": "^1.0.5",
     "commander": "^12.1.0",
     "chalk": "^5.3.0",
     "ora": "^8.1.1",