@oculum/scanner 1.0.0 → 1.0.1

package/src/layer2/index.ts

@@ -72,13 +72,126 @@ export interface Layer2Result {
   stats: Layer2Stats
 }
 
+// Layer 2 detector stats type
+type Layer2DetectorStats = {
+  variables: number
+  logicGates: number
+  dangerousFunctions: number
+  riskyImports: number
+  authAntipatterns: number
+  frameworkIssues: number
+  aiFingerprints: number
+  dataExposure: number
+  byokPatterns: number
+  promptHygiene: number
+  executionSinks: number
+  agentTools: number
+  ragSafety: number
+  endpointProtection: number
+  schemaValidation: number
+}
+
+// Process a single file through all Layer 2 detectors
+function processFileLayer2(
+  file: ScanFile,
+  options: Layer2Options,
+  authHelperContext: ReturnType<typeof detectAuthHelpers>
+): { findings: Vulnerability[], stats: Layer2DetectorStats } {
+  const stats: Layer2DetectorStats = {
+    variables: 0,
+    logicGates: 0,
+    dangerousFunctions: 0,
+    riskyImports: 0,
+    authAntipatterns: 0,
+    frameworkIssues: 0,
+    aiFingerprints: 0,
+    dataExposure: 0,
+    byokPatterns: 0,
+    promptHygiene: 0,
+    executionSinks: 0,
+    agentTools: 0,
+    ragSafety: 0,
+    endpointProtection: 0,
+    schemaValidation: 0,
+  }
+
+  // Skip non-code files
+  if (!isCodeFile(file.path)) {
+    return { findings: [], stats }
+  }
+
+  // Run all detectors
+  const variableFindings = detectSensitiveVariables(file.content, file.path)
+  const logicFindings = detectLogicGates(file.content, file.path)
+  const dangerousFuncFindings = detectDangerousFunctions(file.content, file.path)
+  const riskyImportFindings = detectRiskyImports(file.content, file.path)
+  const authFindings = detectAuthAntipatterns(file.content, file.path, {
+    middlewareConfig: options.middlewareConfig,
+    authHelpers: authHelperContext,
+    fileAuthImports: options.fileAuthImports,
+  })
+  const frameworkFindings = detectFrameworkIssues(file.content, file.path)
+  const aiFindings = detectAIFingerprints(file.content, file.path)
+  const dataExposureFindings = detectDataExposure(file.content, file.path)
+  const byokFindings = detectBYOKPatterns(file.content, file.path, options.middlewareConfig)
+  const promptHygieneFindings = detectAIPromptHygiene(file.content, file.path)
+  const executionSinkFindings = detectAIExecutionSinks(file.content, file.path)
+  const agentToolFindings = detectAIAgentTools(file.content, file.path)
+  const ragSafetyFindings = detectRAGSafetyIssues(file.content, file.path)
+  const endpointProtectionFindings = detectAIEndpointProtection(file.content, file.path, {
+    middlewareConfig: options.middlewareConfig,
+  })
+  const schemaValidationFindings = detectAISchemaValidation(file.content, file.path)
+
+  // Update stats
+  stats.variables = variableFindings.length
+  stats.logicGates = logicFindings.length
+  stats.dangerousFunctions = dangerousFuncFindings.length
+  stats.riskyImports = riskyImportFindings.length
+  stats.authAntipatterns = authFindings.length
+  stats.frameworkIssues = frameworkFindings.length
+  stats.aiFingerprints = aiFindings.length
+  stats.dataExposure = dataExposureFindings.length
+  stats.byokPatterns = byokFindings.length
+  stats.promptHygiene = promptHygieneFindings.length
+  stats.executionSinks = executionSinkFindings.length
+  stats.agentTools = agentToolFindings.length
+  stats.ragSafety = ragSafetyFindings.length
+  stats.endpointProtection = endpointProtectionFindings.length
+  stats.schemaValidation = schemaValidationFindings.length
+
+  return {
+    findings: [
+      ...variableFindings,
+      ...logicFindings,
+      ...dangerousFuncFindings,
+      ...riskyImportFindings,
+      ...authFindings,
+      ...frameworkFindings,
+      ...aiFindings,
+      ...dataExposureFindings,
+      ...byokFindings,
+      ...promptHygieneFindings,
+      ...executionSinkFindings,
+      ...agentToolFindings,
+      ...ragSafetyFindings,
+      ...endpointProtectionFindings,
+      ...schemaValidationFindings,
+    ],
+    stats,
+  }
+}
+
+// Parallel batch size for Layer 2 processing
+const LAYER2_PARALLEL_BATCH_SIZE = 50
+
 export async function runLayer2Scan(
   files: ScanFile[],
   options: Layer2Options = {}
 ): Promise<Layer2Result> {
   const startTime = Date.now()
   const vulnerabilities: Vulnerability[] = []
-  const stats = {
+  const stats: Layer2DetectorStats = {
     variables: 0,
     logicGates: 0,
     dangerousFunctions: 0,
@@ -91,7 +204,6 @@ export async function runLayer2Scan(
     promptHygiene: 0,
     executionSinks: 0,
     agentTools: 0,
-    // M5: New AI-era detectors
     ragSafety: 0,
     endpointProtection: 0,
     schemaValidation: 0,
@@ -100,71 +212,19 @@ export async function runLayer2Scan(
   // Detect auth helpers once for all files (if not already provided)
   const authHelperContext = options.authHelperContext || detectAuthHelpers(files)
 
-  for (const file of files) {
-    // Only scan code files for Layer 2 (skip configs, etc.)
-    if (isCodeFile(file.path)) {
-      // Existing scanners
-      const variableFindings = detectSensitiveVariables(file.content, file.path)
-      const logicFindings = detectLogicGates(file.content, file.path)
-      
-      // New Layer 2 scanners
-      const dangerousFuncFindings = detectDangerousFunctions(file.content, file.path)
-      const riskyImportFindings = detectRiskyImports(file.content, file.path)
-      const authFindings = detectAuthAntipatterns(file.content, file.path, {
-        middlewareConfig: options.middlewareConfig,
-        authHelpers: authHelperContext,
-        fileAuthImports: options.fileAuthImports,
-      })
-      const frameworkFindings = detectFrameworkIssues(file.content, file.path)
-      const aiFindings = detectAIFingerprints(file.content, file.path)
-      const dataExposureFindings = detectDataExposure(file.content, file.path)
-      const byokFindings = detectBYOKPatterns(file.content, file.path, options.middlewareConfig)
-
-      // Story B: AI-specific detection (prompt hygiene, execution sinks, agent tools)
-      const promptHygieneFindings = detectAIPromptHygiene(file.content, file.path)
-      const executionSinkFindings = detectAIExecutionSinks(file.content, file.path)
-      const agentToolFindings = detectAIAgentTools(file.content, file.path)
-
-      // M5: New AI-era detectors
-      const ragSafetyFindings = detectRAGSafetyIssues(file.content, file.path)
-      const endpointProtectionFindings = detectAIEndpointProtection(file.content, file.path, {
-        middlewareConfig: options.middlewareConfig,
-      })
-      const schemaValidationFindings = detectAISchemaValidation(file.content, file.path)
-
-      stats.variables += variableFindings.length
-      stats.logicGates += logicFindings.length
-      stats.dangerousFunctions += dangerousFuncFindings.length
-      stats.riskyImports += riskyImportFindings.length
-      stats.authAntipatterns += authFindings.length
-      stats.frameworkIssues += frameworkFindings.length
-      stats.aiFingerprints += aiFindings.length
-      stats.dataExposure += dataExposureFindings.length
-      stats.byokPatterns += byokFindings.length
-      stats.promptHygiene += promptHygieneFindings.length
-      stats.executionSinks += executionSinkFindings.length
-      stats.agentTools += agentToolFindings.length
-      stats.ragSafety += ragSafetyFindings.length
-      stats.endpointProtection += endpointProtectionFindings.length
-      stats.schemaValidation += schemaValidationFindings.length
-
-      vulnerabilities.push(
-        ...variableFindings,
-        ...logicFindings,
-        ...dangerousFuncFindings,
-        ...riskyImportFindings,
-        ...authFindings,
-        ...frameworkFindings,
-        ...aiFindings,
-        ...dataExposureFindings,
-        ...byokFindings,
-        ...promptHygieneFindings,
-        ...executionSinkFindings,
-        ...agentToolFindings,
-        ...ragSafetyFindings,
-        ...endpointProtectionFindings,
-        ...schemaValidationFindings
-      )
+  // Process files in parallel batches for better performance on large codebases
+  for (let i = 0; i < files.length; i += LAYER2_PARALLEL_BATCH_SIZE) {
+    const batch = files.slice(i, i + LAYER2_PARALLEL_BATCH_SIZE)
+    const results = await Promise.all(
+      batch.map(file => Promise.resolve(processFileLayer2(file, options, authHelperContext)))
+    )
+    
+    for (const result of results) {
+      vulnerabilities.push(...result.findings)
+      // Accumulate stats
+      for (const [key, value] of Object.entries(result.stats)) {
+        stats[key as keyof Layer2DetectorStats] += value
+      }
     }
   }
 
@@ -197,17 +257,7 @@ export async function runLayer2Scan(
     Object.keys(exclusionConfig).length > 0 ? exclusionConfig : undefined
   )
 
-  // Log suppressed findings
-  if (suppressed.length > 0) {
-    console.log(`[Layer 2] Suppressed ${suppressed.length} findings in test/seed/example files:`)
-    const byReason = new Map<string, number>()
-    for (const { reason } of suppressed) {
-      byReason.set(reason || 'unknown', (byReason.get(reason || 'unknown') || 0) + 1)
-    }
-    for (const [reason, count] of byReason) {
-      console.log(`  - ${reason}: ${count}`)
-    }
-  }
+  // Track suppressed findings (debug info available in stats)
 
   // Build raw stats map for logging
   const rawStats: Record<string, number> = {
@@ -267,16 +317,7 @@ export async function runLayer2Scan(
     ai_schema_validation: 'ai_schema_validation',
   }
 
-  // Log heuristic breakdown (raw findings before dedupe) with tier info
-  console.log('[Layer 2] Heuristic breakdown (raw findings before dedupe):')
-  for (const [name, count] of Object.entries(rawStats)) {
-    if (count > 0) {
-      const detectorName = detectorNameMap[name]
-      const tier = detectorName ? getLayer2DetectorTier(detectorName) : 'unknown'
-      console.log(`  - ${name}: ${count} (${tier})`)
-    }
-  }
-  console.log(`[Layer 2] Tier breakdown (after dedupe): ${formatTierStats(tierStats)}`)
+  // Heuristic breakdown available in stats.raw and stats.tiers for debugging
 
   return {
     vulnerabilities: uniqueVulnerabilities,

package/src/layer3/anthropic.ts

@@ -68,11 +68,12 @@ export interface AIValidationResult {
 
 // Number of files to include in each API call (Phase 2 optimization)
 // Batching multiple files reduces API overhead and leverages prompt caching better
-const FILES_PER_API_BATCH = 5
+const FILES_PER_API_BATCH = 8
 
 // Number of API batches to process in parallel (Phase 3 optimization)
-// Higher values = faster scans but more API load; OpenAI handles this well
-const PARALLEL_API_BATCHES = 4
+// Higher values = faster scans but more API load; OpenAI/GPT-5-mini handles this well
+// Increased from 4 to 6 for better throughput on large codebases
+const PARALLEL_API_BATCHES = 6
 
 // Initialize Anthropic client
 function getAnthropicClient(): Anthropic {