@oculum/cli 1.0.4 → 1.0.5

package/dist/index.js

@@ -11474,6 +11474,34 @@ var require_types = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.SCAN_MODE_DEFAULTS = exports2.MAX_FILE_SIZE = exports2.SPECIAL_FILES = exports2.SCANNABLE_EXTENSIONS = void 0;
+    exports2.createCancellationToken = createCancellationToken2;
+    function createCancellationToken2() {
+      const cleanupCallbacks = [];
+      const token = {
+        cancelled: false,
+        reason: void 0,
+        cancel(reason) {
+          if (!token.cancelled) {
+            token.cancelled = true;
+            token.reason = reason;
+            cleanupCallbacks.forEach((cb) => {
+              try {
+                cb();
+              } catch (e2) {
+              }
+            });
+          }
+        },
+        onCancel(callback) {
+          if (token.cancelled) {
+            callback();
+          } else {
+            cleanupCallbacks.push(callback);
+          }
+        }
+      };
+      return token;
+    }
     exports2.SCANNABLE_EXTENSIONS = [
       ".js",
       ".jsx",
@@ -14444,7 +14472,8 @@ var require_layer1 = __commonJS({
       };
     }
     var LAYER1_PARALLEL_BATCH_SIZE = 50;
-    async function runLayer1Scan(files) {
+    var PROGRESS_UPDATE_INTERVAL = 10;
+    async function runLayer1Scan(files, onProgress, cancellationToken) {
       const startTime = Date.now();
       const vulnerabilities = [];
       const rawStats = {
@@ -14456,7 +14485,11 @@ var require_layer1 = __commonJS({
         file_flags: 0,
         ai_comments: 0
       };
+      let filesProcessed = 0;
+      let lastProgressUpdate = 0;
       for (let i = 0; i < files.length; i += LAYER1_PARALLEL_BATCH_SIZE) {
+        if (cancellationToken?.cancelled)
+          break;
         const batch = files.slice(i, i + LAYER1_PARALLEL_BATCH_SIZE);
         const results = await Promise.all(batch.map((file) => Promise.resolve(processFileLayer1(file))));
         for (const result of results) {
@@ -14465,6 +14498,17 @@ var require_layer1 = __commonJS({
             rawStats[key] += value;
           }
         }
+        filesProcessed = Math.min(i + LAYER1_PARALLEL_BATCH_SIZE, files.length);
+        if (onProgress && (filesProcessed - lastProgressUpdate >= PROGRESS_UPDATE_INTERVAL || filesProcessed === files.length)) {
+          onProgress({
+            status: "layer1",
+            message: "Running surface scan (patterns, entropy, config)...",
+            filesProcessed,
+            totalFiles: files.length,
+            vulnerabilitiesFound: vulnerabilities.length
+          });
+          lastProgressUpdate = filesProcessed;
+        }
       }
       const dedupedVulnerabilities = deduplicateFindings(vulnerabilities);
       const { kept: uniqueVulnerabilities, suppressed } = (0, path_exclusions_1.filterFindingsByPath)(dedupedVulnerabilities);
@@ -15867,6 +15911,139 @@ var require_dangerous_functions = __commonJS({
       }
       return false;
     }
+    function extractMathRandomVariableName(lineContent) {
+      const assignmentMatch = lineContent.match(/(?:const|let|var)\s+(\w+)\s*=.*Math\.random/);
+      if (assignmentMatch)
+        return assignmentMatch[1];
+      const propertyMatch = lineContent.match(/(\w+)\s*[:=]\s*Math\.random/);
+      if (propertyMatch)
+        return propertyMatch[1];
+      const paramMatch = lineContent.match(/(\w+)\s*=\s*Math\.random/);
+      if (paramMatch)
+        return paramMatch[1];
+      return null;
+    }
+    function classifyVariableNameRisk(varName) {
+      if (!varName)
+        return "medium";
+      const lower = varName.toLowerCase();
+      const highRiskPatterns = [
+        "token",
+        "secret",
+        "key",
+        "password",
+        "credential",
+        "signature",
+        "salt",
+        "nonce",
+        "session",
+        "csrf",
+        "auth",
+        "apikey",
+        "accesstoken",
+        "refreshtoken",
+        "jwt",
+        "bearer",
+        "oauth",
+        "sessionid"
+      ];
+      if (highRiskPatterns.some((p2) => lower.includes(p2))) {
+        return "high";
+      }
+      const lowRiskPatterns = [
+        // Business identifiers
+        "id",
+        "uid",
+        "guid",
+        "business",
+        "order",
+        "invoice",
+        "customer",
+        "user",
+        "product",
+        "item",
+        "transaction",
+        "request",
+        "reference",
+        "tracking",
+        "confirmation",
+        // Test/demo data
+        "test",
+        "mock",
+        "demo",
+        "sample",
+        "example",
+        "fixture",
+        "random",
+        "temp",
+        "temporary",
+        "generated",
+        "dummy",
+        // UI identifiers
+        "toast",
+        "notification",
+        "element",
+        "component",
+        "widget",
+        "modal",
+        "dialog",
+        "popup",
+        "unique",
+        "react"
+      ];
+      if (lowRiskPatterns.some((p2) => lower.includes(p2))) {
+        return "low";
+      }
+      return "medium";
+    }
+    function analyzeMathRandomContext(content, filePath, lineNumber) {
+      const lines = content.split("\n");
+      const start = Math.max(0, lineNumber - 10);
+      const end = Math.min(lines.length, lineNumber + 5);
+      const context = lines.slice(start, end).join("\n");
+      const securityPatterns = [
+        /\b(generate|create)(Token|Secret|Key|Password|Nonce|Salt|Session|Signature)/i,
+        /\b(auth|crypto|encrypt|decrypt|hash|sign)\b/i,
+        /function\s+.*(?:token|secret|key|auth|crypto)/i,
+        /\bimport.*(?:crypto|jsonwebtoken|bcrypt|argon2|jose)/i,
+        /\/\*.*(?:security|authentication|cryptograph|authorization)/i,
+        /\/\/.*(?:security|auth|crypto|token|secret)/i
+      ];
+      const inSecurityContext = securityPatterns.some((p2) => p2.test(context));
+      const testFilePatterns = /\.(test|spec)\.(ts|tsx|js|jsx)$/i;
+      const testContextPatterns = [
+        /\b(describe|it|test|expect|mock|jest|vitest|mocha|chai)\b/i,
+        /\b(beforeEach|afterEach|beforeAll|afterAll)\b/i,
+        /\b(fixture|stub|spy)\b/i
+      ];
+      const inTestContext = testFilePatterns.test(filePath) || testContextPatterns.some((p2) => p2.test(context));
+      const lineContent = lines[lineNumber];
+      const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber);
+      const businessLogicPatterns = [
+        /\b(business|order|invoice|customer|product|transaction)Id\b/i,
+        /\b(reference|tracking|confirmation)Number\b/i,
+        /\bgenerate.*Id\b/i,
+        /\bcreate.*Id\b/i
+      ];
+      const inBusinessLogicContext = businessLogicPatterns.some((p2) => p2.test(context)) && !inSecurityContext;
+      let contextDescription = "unknown context";
+      if (inSecurityContext) {
+        contextDescription = "security-sensitive function";
+      } else if (inTestContext) {
+        contextDescription = "test/mock data generation";
+      } else if (inUIContext) {
+        contextDescription = "UI/cosmetic usage";
+      } else if (inBusinessLogicContext) {
+        contextDescription = "business identifier generation";
+      }
+      return {
+        inSecurityContext,
+        inTestContext,
+        inUIContext,
+        inBusinessLogicContext,
+        contextDescription
+      };
+    }
     function detectDangerousFunctions(content, filePath) {
       const vulnerabilities = [];
       if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath)) {
@@ -16090,9 +16267,57 @@ var require_dangerous_functions = __commonJS({
               }
             }
             if (funcPattern.name === "Math.random for security") {
-              if (isCosmeticMathRandom(line, content, index)) {
+              const varName = extractMathRandomVariableName(line);
+              const nameRisk = classifyVariableNameRisk(varName);
+              const context = analyzeMathRandomContext(content, filePath, index);
+              if (context.inUIContext) {
                 break;
               }
+              let severity2 = "medium";
+              let confidence2 = "medium";
+              let explanation = "";
+              let description = funcPattern.description;
+              let suggestedFix = funcPattern.suggestedFix;
+              if (context.inTestContext) {
+                severity2 = "info";
+                confidence2 = "low";
+                explanation = " (test data generation)";
+                description = "Math.random() used in test context for generating mock data. Not security-critical, but consider crypto.randomUUID() for better uniqueness in tests.";
+                suggestedFix = "Consider crypto.randomUUID() for test data uniqueness, though Math.random() is acceptable in tests";
+              } else if (nameRisk === "high" || context.inSecurityContext) {
+                severity2 = "high";
+                confidence2 = "high";
+                explanation = " (security-sensitive context)";
+                description = "Math.random() is NOT cryptographically secure and MUST NOT be used for tokens, keys, passwords, or session IDs. This can lead to predictable values that attackers can exploit.";
+                suggestedFix = "Replace with crypto.randomBytes() or crypto.randomUUID() for security-sensitive operations";
+              } else if (nameRisk === "low" || context.inBusinessLogicContext) {
+                severity2 = "low";
+                confidence2 = "medium";
+                explanation = " (business identifier)";
+                description = "Math.random() is being used for non-security purposes (business IDs, tracking numbers). While not critical, Math.random() can produce collisions in high-volume scenarios.";
+                suggestedFix = "Consider crypto.randomUUID() for better uniqueness guarantees and collision resistance";
+              } else {
+                severity2 = "medium";
+                confidence2 = "medium";
+                explanation = " (unclear context)";
+                description = "Math.random() is being used. Verify this is not for security-critical purposes like tokens, session IDs, or cryptographic operations.";
+                suggestedFix = "If used for security, replace with crypto.randomBytes(). For unique IDs, use crypto.randomUUID()";
+              }
+              const title = `Math.random() in ${context.contextDescription}${explanation}`;
+              vulnerabilities.push({
+                id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                filePath,
+                lineNumber: index + 1,
+                lineContent: line.trim(),
+                severity: severity2,
+                category: "dangerous_function",
+                title,
+                description,
+                suggestedFix,
+                confidence: confidence2,
+                layer: 2
+              });
+              break;
             }
             let severity = funcPattern.severity;
             let confidence = "high";
@@ -20768,7 +20993,8 @@ var require_layer2 = __commonJS({
       };
     }
     var LAYER2_PARALLEL_BATCH_SIZE = 50;
-    async function runLayer2Scan(files, options = {}) {
+    var PROGRESS_UPDATE_INTERVAL = 10;
+    async function runLayer2Scan(files, options = {}, onProgress, cancellationToken) {
       const startTime = Date.now();
       const vulnerabilities = [];
       const stats = {
@@ -20789,7 +21015,11 @@ var require_layer2 = __commonJS({
         schemaValidation: 0
       };
       const authHelperContext = options.authHelperContext || (0, auth_helper_detector_1.detectAuthHelpers)(files);
+      let filesProcessed = 0;
+      let lastProgressUpdate = 0;
       for (let i = 0; i < files.length; i += LAYER2_PARALLEL_BATCH_SIZE) {
+        if (cancellationToken?.cancelled)
+          break;
         const batch = files.slice(i, i + LAYER2_PARALLEL_BATCH_SIZE);
         const results = await Promise.all(batch.map((file) => Promise.resolve(processFileLayer2(file, options, authHelperContext))));
         for (const result of results) {
@@ -20798,6 +21028,17 @@ var require_layer2 = __commonJS({
             stats[key] += value;
           }
         }
+        filesProcessed = Math.min(i + LAYER2_PARALLEL_BATCH_SIZE, files.length);
+        if (onProgress && (filesProcessed - lastProgressUpdate >= PROGRESS_UPDATE_INTERVAL || filesProcessed === files.length)) {
+          onProgress({
+            status: "layer2",
+            message: "Running structural scan (variables, logic gates)...",
+            filesProcessed,
+            totalFiles: files.length,
+            vulnerabilitiesFound: vulnerabilities.length
+          });
+          lastProgressUpdate = filesProcessed;
+        }
       }
       const dedupedVulnerabilities = deduplicateFindings(vulnerabilities);
       const excludeTestFiles = options.excludeTestFiles !== false;
@@ -37170,7 +37411,7 @@ For each candidate finding, return:
       console.log(`  - Estimated cost: $${stats.estimatedCost.toFixed(4)}`);
       return { vulnerabilities: validatedFindings, stats };
     }
-    async function validateFindingsWithAI(findings, files, projectContext) {
+    async function validateFindingsWithAI(findings, files, projectContext, onProgress) {
       const stats = {
         totalFindings: findings.length,
         validatedFindings: 0,
@@ -37220,9 +37461,17 @@ For each candidate finding, return:
       let totalApiBatches = 0;
       const totalFileBatches = Math.ceil(fileEntries.length / FILES_PER_API_BATCH);
       console.log(`[AI Validation] Phase 2: Processing ${fileEntries.length} files in ${totalFileBatches} API batch(es) (${FILES_PER_API_BATCH} files/batch)`);
+      let filesValidated = 0;
       for (let batchStart = 0; batchStart < fileEntries.length; batchStart += FILES_PER_API_BATCH) {
         const fileBatch = fileEntries.slice(batchStart, batchStart + FILES_PER_API_BATCH);
         const batchNum = Math.floor(batchStart / FILES_PER_API_BATCH) + 1;
+        if (onProgress) {
+          onProgress({
+            filesProcessed: filesValidated,
+            totalFiles: fileEntries.length,
+            status: `AI validating batch ${batchNum}/${totalFileBatches}`
+          });
+        }
         console.log(`[AI Validation] API Batch ${batchNum}/${totalFileBatches}: ${fileBatch.length} files`);
         const fileDataList = [];
         const filesWithoutContent = [];
@@ -37358,6 +37607,14 @@ For each candidate finding, return:
         }
         const batchDuration = Date.now() - batchStartTime;
         totalBatchWaitTime += batchDuration;
+        filesValidated += fileBatch.length;
+        if (onProgress) {
+          onProgress({
+            filesProcessed: filesValidated,
+            totalFiles: fileEntries.length,
+            status: `AI validation complete for batch ${batchNum}/${totalFileBatches}`
+          });
+        }
       }
       const totalCacheableTokens = stats.cacheCreationTokens + stats.cacheReadTokens;
       stats.cacheHitRate = totalCacheableTokens > 0 ? stats.cacheReadTokens / totalCacheableTokens : 0;
@@ -38431,11 +38688,29 @@ var require_layer3 = __commonJS({
       const vulnerabilities = [];
       let aiAnalyzedCount = 0;
       const maxAIFiles = options.maxFiles ?? MAX_AI_FILES;
+      if (options.cancellationToken?.cancelled) {
+        return {
+          vulnerabilities: [],
+          filesScanned: files.length,
+          duration: Date.now() - startTime,
+          aiAnalyzed: 0
+        };
+      }
       const packageFiles = files.filter((f) => f.path.endsWith("package.json"));
       for (const file of packageFiles) {
+        if (options.cancellationToken?.cancelled)
+          break;
         const packageFindings = await (0, package_check_1.checkPackages)(file.content, file.path);
         vulnerabilities.push(...packageFindings);
       }
+      if (options.cancellationToken?.cancelled) {
+        return {
+          vulnerabilities,
+          filesScanned: files.length,
+          duration: Date.now() - startTime,
+          aiAnalyzed: 0
+        };
+      }
       if (options.enableAI !== false) {
         const aiCandidates = files.filter((f) => {
           const hasPriorityExt = AI_PRIORITY_EXTENSIONS.some((ext2) => f.path.endsWith(ext2));
@@ -38722,7 +38997,7 @@ var require_dist = __commonJS({
       for (var p2 in m2) if (p2 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p2)) __createBinding(exports3, m2, p2);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.validateFindingsWithAI = exports2.buildProjectContext = exports2.runLayer3Scan = exports2.runLayer2Scan = exports2.runLayer1Scan = void 0;
+    exports2.createCancellationToken = exports2.validateFindingsWithAI = exports2.buildProjectContext = exports2.runLayer3Scan = exports2.runLayer2Scan = exports2.runLayer1Scan = void 0;
     exports2.runScan = runScan2;
     exports2.computeIssueMixFromVulnerabilities = computeIssueMixFromVulnerabilities;
     var types_1 = require_types();
@@ -38799,11 +39074,17 @@ var require_dist = __commonJS({
       const isIncremental = scanModeConfig.mode === "incremental";
       const depth = scanModeConfig.scanDepth || "cheap";
       const quiet = options.quiet ?? false;
+      const cancellationToken = options.cancellationToken;
       const log = (message) => {
         if (!quiet) {
           console.log(message);
         }
       };
+      const checkCancelled = () => {
+        if (cancellationToken?.cancelled) {
+          throw new Error(`Scan cancelled: ${cancellationToken.reason || "user requested"}`);
+        }
+      };
       log(`[Scanner] repo=${repoInfo.name} mode=${scanModeConfig.mode} depth=${depth} files=${files.length}`);
       if (isIncremental && scanModeConfig.changedFiles) {
         log(`[Scanner] repo=${repoInfo.name} incremental_files=${scanModeConfig.changedFiles.length}`);
@@ -38820,8 +39101,11 @@ var require_dist = __commonJS({
         }
       };
       const filesForAI = isIncremental && scanModeConfig.changedFiles ? files.filter((f) => scanModeConfig.changedFiles.some((cf) => f.path.endsWith(cf) || f.path.includes(cf))) : files;
+      let middlewareConfig;
+      let capturedValidationStats;
       try {
-        const middlewareConfig = (0, middleware_detector_1.detectGlobalAuthMiddleware)(files);
+        checkCancelled();
+        middlewareConfig = (0, middleware_detector_1.detectGlobalAuthMiddleware)(files);
         if (middlewareConfig.hasAuthMiddleware) {
           log(`[Scanner] repo=${repoInfo.name} auth_middleware=${middlewareConfig.authType || "unknown"} file=${middlewareConfig.middlewareFile}`);
         }
@@ -38830,16 +39114,18 @@ var require_dist = __commonJS({
         if (filesWithImportedAuth > 0) {
           log(`[Scanner] repo=${repoInfo.name} files_with_imported_auth=${filesWithImportedAuth}`);
         }
+        checkCancelled();
         reportProgress("layer1", "Running surface scan (patterns, entropy, config)...");
-        let layer1Result = await (0, layer1_1.runLayer1Scan)(files);
+        let layer1Result = await (0, layer1_1.runLayer1Scan)(files, onProgress, cancellationToken);
         const layer1RawCount = layer1Result.vulnerabilities.length;
         layer1Result = {
           ...layer1Result,
           vulnerabilities: (0, urls_1.aggregateLocalhostFindings)(layer1Result.vulnerabilities)
         };
         log(`[Layer1] repo=${repoInfo.name} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length}`);
+        checkCancelled();
         reportProgress("layer2", "Running structural scan (variables, logic gates)...", layer1Result.vulnerabilities.length);
-        const layer2Result = await (0, layer2_1.runLayer2Scan)(files, { middlewareConfig, fileAuthImports });
+        const layer2Result = await (0, layer2_1.runLayer2Scan)(files, { middlewareConfig, fileAuthImports }, onProgress, cancellationToken);
         const heuristicBreakdown = Object.entries(layer2Result.stats.raw).filter(([, count]) => count > 0).map(([name, count]) => `${name}:${count}`).join(",");
         log(`[Layer2] repo=${repoInfo.name} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b3) => a + b3, 0)} findings_deduped=${layer2Result.vulnerabilities.length} heuristic_breakdown={${heuristicBreakdown}}`);
         const layer12Findings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities];
@@ -38867,17 +39153,33 @@ var require_dist = __commonJS({
         }
         const maxValidationFiles = scanModeConfig.maxAIValidationFiles || MAX_VALIDATION_CANDIDATES_PER_FILE;
         const cappedValidation = capValidationCandidatesPerFile(afterAutoDismiss, maxValidationFiles);
+        checkCancelled();
         let validatedFindings = cappedValidation;
-        let capturedValidationStats = void 0;
+        let capturedValidationStats2 = void 0;
         const shouldValidate = options.enableAI !== false && !scanModeConfig.skipAIValidation && cappedValidation.length > 0;
         if (shouldValidate) {
+          checkCancelled();
           reportProgress("validating", "AI validating findings (entropy, secrets, AI patterns)...", cappedValidation.length);
           const findingsToValidate = isIncremental && scanModeConfig.changedFiles ? cappedValidation.filter((v2) => scanModeConfig.changedFiles.some((cf) => v2.filePath.endsWith(cf) || v2.filePath.includes(cf))) : cappedValidation;
           if (findingsToValidate.length > 0) {
-            const validationResult = await (0, anthropic_1.validateFindingsWithAI)(findingsToValidate, filesForAI);
+            const validationResult = await (0, anthropic_1.validateFindingsWithAI)(
+              findingsToValidate,
+              filesForAI,
+              void 0,
+              // projectContext (uses default)
+              onProgress ? (progress) => {
+                onProgress({
+                  status: "validating",
+                  message: progress.status,
+                  filesProcessed: progress.filesProcessed,
+                  totalFiles: progress.totalFiles,
+                  vulnerabilitiesFound: allVulnerabilities.length
+                });
+              } : void 0
+            );
             validatedFindings = validationResult.vulnerabilities;
             const { stats: validationStats } = validationResult;
-            capturedValidationStats = validationStats;
+            capturedValidationStats2 = validationStats;
             log(`[AI Validation] repo=${repoInfo.name} depth=${depth} candidates=${findingsToValidate.length} capped_from=${requiresValidation.length} auto_dismissed=${autoDismissed.length} kept=${validationStats.confirmedFindings} rejected=${validationStats.dismissedFindings} downgraded=${validationStats.downgradedFindings}`);
             log(`[AI Validation] cost_estimate: input_tokens=${validationStats.estimatedInputTokens} output_tokens=${validationStats.estimatedOutputTokens} cost=$${validationStats.estimatedCost.toFixed(4)} api_calls=${validationStats.apiCalls}`);
             const notValidated = cappedValidation.filter((v2) => !findingsToValidate.includes(v2));
@@ -38889,6 +39191,7 @@ var require_dist = __commonJS({
         allVulnerabilities.push(...validatedFindings, ...noValidationNeeded);
         const shouldRunLayer3 = options.enableAI !== false && !scanModeConfig.skipLayer3;
         if (shouldRunLayer3) {
+          checkCancelled();
           reportProgress("layer3", "Running AI semantic analysis...", allVulnerabilities.length);
           const filesToAnalyze = isIncremental ? filesForAI : files;
           const maxLayer3Files = scanModeConfig.maxLayer3Files || 10;
@@ -38906,7 +39209,8 @@ var require_dist = __commonJS({
                 hasThrowingHelpers: true,
                 summary: authHelperContext.summary
               } : void 0
-            }
+            },
+            cancellationToken
           });
           allVulnerabilities.push(...layer3Result.vulnerabilities);
           log(`[Layer3] repo=${repoInfo.name} depth=${depth} files_analyzed=${layer3Result.aiAnalyzed} findings=${layer3Result.vulnerabilities.length}`);
@@ -38933,9 +39237,34 @@ var require_dist = __commonJS({
           hasBlockingIssues,
           scanDuration: Date.now() - startTime,
           timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-          validationStats: capturedValidationStats
+          validationStats: capturedValidationStats2
         };
       } catch (error) {
+        if (cancellationToken?.cancelled) {
+          reportProgress("failed", "Scan cancelled");
+          const uniqueVulnerabilities = deduplicateVulnerabilities(allVulnerabilities);
+          const resolvedVulnerabilities = resolveContradictions(uniqueVulnerabilities, middlewareConfig);
+          const sortedVulnerabilities = sortBySeverity(resolvedVulnerabilities);
+          const severityCounts = computeSeverityCounts(sortedVulnerabilities);
+          const categoryCounts = computeCategoryCounts(sortedVulnerabilities);
+          return {
+            repoName: repoInfo.name,
+            repoUrl: repoInfo.url,
+            branch: repoInfo.branch,
+            filesScanned: files.length,
+            filesSkipped: 0,
+            vulnerabilities: sortedVulnerabilities,
+            severityCounts,
+            categoryCounts,
+            hasBlockingIssues: false,
+            // Don't block on partial results
+            scanDuration: Date.now() - startTime,
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            validationStats: capturedValidationStats,
+            cancelled: true,
+            cancelReason: cancellationToken.reason
+          };
+        }
         reportProgress("failed", `Scan failed: ${error}`);
         throw error;
       }
@@ -39173,6 +39502,10 @@ Found ${group.length} occurrences at lines: ${lineDisplay}`,
     Object.defineProperty(exports2, "validateFindingsWithAI", { enumerable: true, get: function() {
       return anthropic_2.validateFindingsWithAI;
     } });
+    var types_2 = require_types();
+    Object.defineProperty(exports2, "createCancellationToken", { enumerable: true, get: function() {
+      return types_2.createCancellationToken;
+    } });
   }
 });
 
@@ -42798,6 +43131,103 @@ async function callBackendAPI(files, depth, apiKey, repoInfo) {
   }
   return data.result;
 }
+async function callBackendAPIStream(files, depth, apiKey, repoInfo, onProgress) {
+  const baseUrl = getApiBaseUrl();
+  const streamUrl = `${baseUrl}/v1/scan/stream`;
+  try {
+    const response = await fetch(streamUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${apiKey}`,
+        "X-Oculum-Client": "cli",
+        "X-Oculum-Version": "1.0.0"
+      },
+      body: JSON.stringify({
+        files,
+        depth,
+        repoName: repoInfo.name,
+        repoUrl: repoInfo.url,
+        branch: repoInfo.branch
+      })
+    });
+    if (!response.ok) {
+      console.warn(`[API] SSE endpoint failed with ${response.status}, falling back to regular POST`);
+      return await callBackendAPI(files, depth, apiKey, repoInfo);
+    }
+    if (!response.body) {
+      throw new APIError("Response body is empty", 500);
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let result = null;
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() || "";
+      let currentEvent = null;
+      let currentData = null;
+      for (const line of lines) {
+        if (line.startsWith("event: ")) {
+          currentEvent = line.slice(7).trim();
+        } else if (line.startsWith("data: ")) {
+          currentData = line.slice(6).trim();
+        } else if (line === "" && currentEvent && currentData) {
+          try {
+            const data = JSON.parse(currentData);
+            switch (currentEvent) {
+              case "progress":
+                if (onProgress) {
+                  onProgress({
+                    status: data.status,
+                    message: data.message || "",
+                    filesProcessed: data.filesProcessed || 0,
+                    totalFiles: data.totalFiles || 0,
+                    vulnerabilitiesFound: data.vulnerabilitiesFound || 0
+                  });
+                }
+                break;
+              case "complete":
+                if (!data.result) {
+                  console.error("[API] Complete event received but no result in data:", data);
+                  throw new APIError("Backend scan completed but returned no result data", 500);
+                }
+                result = data.result;
+                break;
+              case "error":
+                console.error("[API] Backend sent error event:", data);
+                throw new APIError(
+                  data.message || data.error || "Scan failed",
+                  data.status || 500,
+                  data.error
+                );
+            }
+          } catch (parseError) {
+            if (parseError instanceof APIError) throw parseError;
+            console.error("[API] Failed to parse SSE event:", parseError);
+          }
+          currentEvent = null;
+          currentData = null;
+        }
+      }
+    }
+    if (!result) {
+      console.error("[API] Stream ended without receiving complete event");
+      throw new APIError("No result received from stream", 500);
+    }
+    console.log("[API] SSE stream completed successfully");
+    return result;
+  } catch (error) {
+    if (error instanceof APIError) {
+      throw error;
+    }
+    console.warn("[API] SSE streaming failed, falling back to regular POST:", error);
+    return await callBackendAPI(files, depth, apiKey, repoInfo);
+  }
+}
 async function verifyApiKey(apiKey) {
   const baseUrl = getApiBaseUrl();
   const url = `${baseUrl}/v1/verify-key`;
@@ -43404,6 +43834,23 @@ async function collectFilesForScan(targetPath, options) {
   }
   return collectFiles(targetPath);
 }
+function createEmptyResult(targetPath) {
+  return {
+    repoName: (0, import_path3.basename)((0, import_path3.resolve)(targetPath)),
+    repoUrl: "",
+    branch: "local",
+    filesScanned: 0,
+    filesSkipped: 0,
+    vulnerabilities: [],
+    severityCounts: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+    categoryCounts: {},
+    hasBlockingIssues: false,
+    scanDuration: 0,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    cancelled: true,
+    cancelReason: "User cancelled scan"
+  };
+}
 function formatOutput(result, format, noColor) {
   switch (format) {
     case "json":
@@ -43501,6 +43948,10 @@ var quietSpinner = {
     if (msg) console.error(msg);
     return quietSpinner;
   },
+  warn: (msg) => {
+    if (msg) console.warn(msg);
+    return quietSpinner;
+  },
   stop: () => quietSpinner,
   text: ""
 };
@@ -43508,6 +43959,7 @@ async function runScanOnce(targetPath, options) {
   const spinner = options.quiet ? quietSpinner : ora();
   const config = getConfig();
   const noColor = options.color === false;
+  const cancellationToken = (0, import_scanner.createCancellationToken)();
   if ((options.depth === "validated" || options.depth === "deep") && !isAuthenticated()) {
     if (!options.quiet) {
       console.log("");
@@ -43540,22 +43992,28 @@ async function runScanOnce(targetPath, options) {
   }
   spinner.succeed(`Found ${files.length} files to scan`);
   const onProgress = (progress) => {
-    if (options.verbose) {
-      console.log(`[Progress] ${progress.status}: ${progress.filesProcessed}/${progress.totalFiles} files, ${progress.vulnerabilitiesFound} findings`);
+    if (!options.quiet && !options.verbose) {
+      if (progress.filesProcessed && progress.filesProcessed < progress.totalFiles) {
+        console.log(`[Progress] ${progress.status}: ${progress.filesProcessed}/${progress.totalFiles} files`);
+      }
+    } else if (options.verbose) {
+      if (progress.filesProcessed && progress.filesProcessed < progress.totalFiles) {
+        console.log(`[Progress] ${progress.status}: ${progress.filesProcessed}/${progress.totalFiles} files`);
+      }
     }
     const fileProgress = progress.filesProcessed && progress.filesProcessed < progress.totalFiles ? ` \u2022 ${progress.filesProcessed}/${progress.totalFiles} files` : ` (${progress.totalFiles} files)`;
     switch (progress.status) {
       case "layer1":
-        spinner.text = `Layer 1: Pattern matching${fileProgress} ${source_default.dim(`\u2192 ${progress.vulnerabilitiesFound} candidates`)}`;
+        spinner.text = `Layer 1: Pattern matching${fileProgress}`;
         break;
       case "layer2":
-        spinner.text = `Layer 2: Code structure analysis${fileProgress} ${source_default.dim(`\u2192 ${progress.vulnerabilitiesFound} findings`)}`;
+        spinner.text = `Layer 2: Code structure analysis${fileProgress}`;
         break;
       case "validating":
-        spinner.text = `AI validation${fileProgress} ${source_default.dim(`\u2192 reviewing ${progress.vulnerabilitiesFound} candidates`)}`;
+        spinner.text = `AI validation${fileProgress}`;
         break;
       case "layer3":
-        spinner.text = `Layer 3: Deep AI analysis${fileProgress} ${source_default.dim(`\u2192 semantic security check`)}`;
+        spinner.text = `Layer 3: Deep AI analysis${fileProgress}`;
         break;
       case "complete":
         const issueText = progress.vulnerabilitiesFound === 1 ? "issue" : "issues";
@@ -43571,12 +44029,24 @@ async function runScanOnce(targetPath, options) {
     }
   };
   let result;
+  let sigintHandler = null;
+  if (!options.quiet) {
+    sigintHandler = () => {
+      spinner.warn(source_default.yellow("\n\u26A0\uFE0F  Cancelling scan... (press Ctrl+C again to force quit)"));
+      cancellationToken.cancel("User pressed Ctrl+C");
+      process.once("SIGINT", () => {
+        spinner.fail(source_default.red("Scan aborted forcefully"));
+        process.exit(130);
+      });
+    };
+    process.once("SIGINT", sigintHandler);
+  }
   try {
     spinner.start("Starting scan...");
     const hasLocalAI = !!process.env.ANTHROPIC_API_KEY;
     if (options.depth !== "cheap" && isAuthenticated() && !hasLocalAI) {
-      spinner.text = `Backend ${options.depth} scan analyzing ${files.length} files...`;
-      result = await callBackendAPI(
+      spinner.text = `Backend ${options.depth} scan starting...`;
+      result = await callBackendAPIStream(
         files,
         options.depth,
         config.apiKey,
@@ -43584,7 +44054,9 @@ async function runScanOnce(targetPath, options) {
           name: (0, import_path3.basename)((0, import_path3.resolve)(targetPath)),
           url: "",
           branch: "local"
-        }
+        },
+        onProgress
+        // Stream real-time progress from backend
       );
       spinner.succeed(`Backend ${options.depth} scan complete`);
     } else {
@@ -43600,15 +44072,38 @@ async function runScanOnce(targetPath, options) {
         {
           enableAI,
           scanDepth: options.depth,
-          quiet: shouldBeQuiet
+          quiet: shouldBeQuiet,
+          cancellationToken
         },
         onProgress
       );
     }
   } catch (err) {
+    if (cancellationToken.cancelled) {
+      spinner.warn(source_default.yellow(`
+\u26A0\uFE0F  Scan cancelled after processing some files`));
+      if (result && result.vulnerabilities) {
+        console.log(source_default.dim(`
+\u{1F4CA} Partial results: ${result.vulnerabilities.length} issues found before cancellation
+`));
+      }
+      return {
+        result: result || createEmptyResult(targetPath),
+        output: "Scan cancelled",
+        exitCode: 130
+        // Standard SIGINT exit code
+      };
+    }
     const enhanced = enhanceError(err);
     spinner.fail(enhanced.message);
     throw err;
+  } finally {
+    if (sigintHandler) {
+      process.off("SIGINT", sigintHandler);
+    }
+  }
+  if (!result) {
+    throw new Error("Scan failed: no result returned");
   }
   const output = formatOutput(result, options.format, noColor);
   if (options.output) {
@@ -47872,7 +48367,7 @@ var usageCommand = new Command("usage").description("Show current usage and quot
 
 // src/index.ts
 var program2 = new Command();
-program2.name("oculum").description("AI-native security scanner for detecting vulnerabilities in LLM-generated code").version("1.0.4").addHelpText("after", `
+program2.name("oculum").description("AI-native security scanner for detecting vulnerabilities in LLM-generated code").version("1.0.5").addHelpText("after", `
 Quick Start:
   $ oculum scan .          Scan current directory (free)
   $ oculum ui              Interactive mode with guided setup

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oculum/cli",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "AI-native security scanner CLI for detecting vulnerabilities in AI-generated code, BYOK patterns, and modern web applications",
   "main": "dist/index.js",
   "bin": {
@@ -18,7 +18,7 @@
     "url": "https://github.com/flexipie/oculum/issues"
   },
   "scripts": {
-    "build": "esbuild src/index.ts --bundle --platform=node --target=node18 --outfile=dist/index.js --banner:js=\"#!/usr/bin/env node\" --define:process.env.OCULUM_API_URL='undefined' --define:VERSION='\"1.0.4\"'",
+    "build": "esbuild src/index.ts --bundle --platform=node --target=node18 --outfile=dist/index.js --banner:js=\"#!/usr/bin/env node\" --define:process.env.OCULUM_API_URL='undefined' --define:VERSION='\"1.0.5\"'",
     "dev": "npm run build -- --watch",
     "test": "echo \"No tests configured yet\"",
     "lint": "eslint src/"