@oculum/scanner 1.0.0 → 1.0.2

package/src/index.ts

@@ -138,6 +138,8 @@ export interface ScanOptions {
   scanMode?: ScanMode | ScanModeConfig
   /** Scan depth (cheap/validated/deep) - controls AI usage */
   scanDepth?: ScanDepth
+  /** Suppress console.log output (for interactive CLI mode) */
+  quiet?: boolean
 }
 
 export interface ScanProgress {
@@ -214,10 +216,18 @@ export async function runScan(
   const scanModeConfig = resolveScanModeConfig(options)
   const isIncremental = scanModeConfig.mode === 'incremental'
   const depth = scanModeConfig.scanDepth || 'cheap'
+  const quiet = options.quiet ?? false
 
-  console.log(`[Scanner] repo=${repoInfo.name} mode=${scanModeConfig.mode} depth=${depth} files=${files.length}`)
+  // Conditional logging helper - suppresses output in quiet mode (interactive CLI)
+  const log = (message: string) => {
+    if (!quiet) {
+      console.log(message)
+    }
+  }
+
+  log(`[Scanner] repo=${repoInfo.name} mode=${scanModeConfig.mode} depth=${depth} files=${files.length}`)
   if (isIncremental && scanModeConfig.changedFiles) {
-    console.log(`[Scanner] repo=${repoInfo.name} incremental_files=${scanModeConfig.changedFiles.length}`)
+    log(`[Scanner] repo=${repoInfo.name} incremental_files=${scanModeConfig.changedFiles.length}`)
   }
 
   // Report progress helper
@@ -247,19 +257,19 @@ export async function runScan(
     // Detect global auth middleware before scanning (always on all files for context)
     const middlewareConfig = detectGlobalAuthMiddleware(files)
     if (middlewareConfig.hasAuthMiddleware) {
-      console.log(`[Scanner] repo=${repoInfo.name} auth_middleware=${middlewareConfig.authType || 'unknown'} file=${middlewareConfig.middlewareFile}`)
+      log(`[Scanner] repo=${repoInfo.name} auth_middleware=${middlewareConfig.authType || 'unknown'} file=${middlewareConfig.middlewareFile}`)
     }
 
     // Build imported auth registry for cross-file middleware detection
     const fileAuthImports = buildFileAuthImports(files)
     const filesWithImportedAuth = Array.from(fileAuthImports.values()).filter(f => f.usesImportedAuth).length
     if (filesWithImportedAuth > 0) {
-      console.log(`[Scanner] repo=${repoInfo.name} files_with_imported_auth=${filesWithImportedAuth}`)
+      log(`[Scanner] repo=${repoInfo.name} files_with_imported_auth=${filesWithImportedAuth}`)
     }
 
     // Layer 1: Surface Scan
     reportProgress('layer1', 'Running surface scan (patterns, entropy, config)...')
-    let layer1Result = await runLayer1Scan(files)
+    let layer1Result = await runLayer1Scan(files, onProgress)
 
     // Aggregate repeated localhost findings
     const layer1RawCount = layer1Result.vulnerabilities.length
@@ -267,18 +277,18 @@ export async function runScan(
       ...layer1Result,
       vulnerabilities: aggregateLocalhostFindings(layer1Result.vulnerabilities)
     }
-    console.log(`[Layer1] repo=${repoInfo.name} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length}`)
+    log(`[Layer1] repo=${repoInfo.name} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length}`)
 
     // Layer 2: Structural Scan
     reportProgress('layer2', 'Running structural scan (variables, logic gates)...', layer1Result.vulnerabilities.length)
-    const layer2Result = await runLayer2Scan(files, { middlewareConfig, fileAuthImports })
+    const layer2Result = await runLayer2Scan(files, { middlewareConfig, fileAuthImports }, onProgress)
 
     // Format heuristic breakdown for logging
     const heuristicBreakdown = Object.entries(layer2Result.stats.raw)
       .filter(([, count]) => count > 0)
       .map(([name, count]) => `${name}:${count}`)
       .join(',')
-    console.log(`[Layer2] repo=${repoInfo.name} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} heuristic_breakdown={${heuristicBreakdown}}`)
+    log(`[Layer2] repo=${repoInfo.name} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} heuristic_breakdown={${heuristicBreakdown}}`)
 
     // Combine Layer 1 and Layer 2 findings
     const layer12Findings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities]
@@ -293,8 +303,8 @@ export async function runScan(
     const tierFiltered = filterByTierAndDepth(aggregatedFindings, depth)
 
     // Log tier breakdown
-    console.log(`[Scanner] repo=${repoInfo.name} tier_breakdown=${formatTierStats(tierFiltered.tierStats)}`)
-    console.log(`[Scanner] repo=${repoInfo.name} depth=${depth} tier_routing: surface=${tierFiltered.toSurface.length} validate=${tierFiltered.toValidate.length} hidden=${tierFiltered.hidden.length}`)
+    log(`[Scanner] repo=${repoInfo.name} tier_breakdown=${formatTierStats(tierFiltered.tierStats)}`)
+    log(`[Scanner] repo=${repoInfo.name} depth=${depth} tier_routing: surface=${tierFiltered.toSurface.length} validate=${tierFiltered.toValidate.length} hidden=${tierFiltered.hidden.length}`)
 
     // For cheap scans: Tier A surfaces directly, Tier B/C are hidden
     // For validated/deep: Tier A surfaces, Tier B goes through AI validation, Tier C hidden
@@ -322,7 +332,7 @@ export async function runScan(
       autoDismissBySeverity[d.finding.severity] = (autoDismissBySeverity[d.finding.severity] || 0) + 1
     }
     if (autoDismissed.length > 0) {
-      console.log(`[Layer2] repo=${repoInfo.name} auto_dismissed_total=${autoDismissed.length} by_severity={info:${autoDismissBySeverity.info},low:${autoDismissBySeverity.low},medium:${autoDismissBySeverity.medium},high:${autoDismissBySeverity.high}}`)
+      log(`[Layer2] repo=${repoInfo.name} auto_dismissed_total=${autoDismissed.length} by_severity={info:${autoDismissBySeverity.info},low:${autoDismissBySeverity.low},medium:${autoDismissBySeverity.medium},high:${autoDismissBySeverity.high}}`)
     }
 
     // Apply per-file cap to validation candidates (cost control)
@@ -349,15 +359,15 @@ export async function runScan(
         const { stats: validationStats } = validationResult
         capturedValidationStats = validationStats // Capture for return
 
-        console.log(`[AI Validation] repo=${repoInfo.name} depth=${depth} candidates=${findingsToValidate.length} capped_from=${requiresValidation.length} auto_dismissed=${autoDismissed.length} kept=${validationStats.confirmedFindings} rejected=${validationStats.dismissedFindings} downgraded=${validationStats.downgradedFindings}`)
-        console.log(`[AI Validation] cost_estimate: input_tokens=${validationStats.estimatedInputTokens} output_tokens=${validationStats.estimatedOutputTokens} cost=$${validationStats.estimatedCost.toFixed(4)} api_calls=${validationStats.apiCalls}`)
+        log(`[AI Validation] repo=${repoInfo.name} depth=${depth} candidates=${findingsToValidate.length} capped_from=${requiresValidation.length} auto_dismissed=${autoDismissed.length} kept=${validationStats.confirmedFindings} rejected=${validationStats.dismissedFindings} downgraded=${validationStats.downgradedFindings}`)
+        log(`[AI Validation] cost_estimate: input_tokens=${validationStats.estimatedInputTokens} output_tokens=${validationStats.estimatedOutputTokens} cost=$${validationStats.estimatedCost.toFixed(4)} api_calls=${validationStats.apiCalls}`)
 
         // Add back findings that weren't validated (not in changed files)
         const notValidated = cappedValidation.filter(v => !findingsToValidate.includes(v))
         validatedFindings.push(...notValidated)
       }
     } else if (scanModeConfig.skipAIValidation) {
-      console.log(`[AI Validation] repo=${repoInfo.name} depth=${depth} skipped=true reason=scan_mode_config`)
+      log(`[AI Validation] repo=${repoInfo.name} depth=${depth} skipped=true reason=scan_mode_config`)
     }
 
     // Combine validated and non-validated findings
@@ -393,9 +403,9 @@ export async function runScan(
         },
       })
       allVulnerabilities.push(...layer3Result.vulnerabilities)
-      console.log(`[Layer3] repo=${repoInfo.name} depth=${depth} files_analyzed=${layer3Result.aiAnalyzed} findings=${layer3Result.vulnerabilities.length}`)
+      log(`[Layer3] repo=${repoInfo.name} depth=${depth} files_analyzed=${layer3Result.aiAnalyzed} findings=${layer3Result.vulnerabilities.length}`)
     } else if (scanModeConfig.skipLayer3) {
-      console.log(`[Layer3] repo=${repoInfo.name} depth=${depth} skipped=true reason=scan_mode_config`)
+      log(`[Layer3] repo=${repoInfo.name} depth=${depth} skipped=true reason=scan_mode_config`)
     }
 
     // Deduplicate vulnerabilities
@@ -553,9 +563,7 @@ function capValidationCandidatesPerFile(
     const capped = sorted.slice(0, maxPerFile)
     result.push(...capped)
 
-    if (sorted.length > maxPerFile) {
-      console.log(`[Scanner] Capped ${filePath}: ${sorted.length} → ${maxPerFile} validation candidates`)
-    }
+    // Note: Capping log removed to support quiet mode - this is debug info only
   }
 
   return result
@@ -683,7 +691,7 @@ function resolveContradictions(
             : isClientCallingProtectedAPI 
               ? 'client component calling protected API'
               : 'route is protected'
-          console.log(`[Contradiction] Dropping "${vuln.title}" (${vuln.severity}) - ${reason}`)
+          // Note: Contradiction log removed to support quiet mode - this is debug info only
           continue // Skip this finding
         }
         

package/src/layer1/index.ts

@@ -5,6 +5,7 @@
  */
 
 import type { Vulnerability, ScanFile } from '../types'
+import type { ProgressCallback } from '../index'
 import { detectHighEntropyStrings } from './entropy'
 import { detectKnownPatterns } from './patterns'
 import { auditConfiguration } from './config-audit'
@@ -46,12 +47,12 @@ export interface Layer1Result {
   stats: Layer1Stats
 }
 
-export async function runLayer1Scan(files: ScanFile[]): Promise<Layer1Result> {
-  const startTime = Date.now()
-  const vulnerabilities: Vulnerability[] = []
-
-  // Track raw counts per detector (before dedupe)
-  const rawStats: Record<Layer1DetectorName, number> = {
+// Process a single file through all Layer 1 detectors
+function processFileLayer1(file: ScanFile): { 
+  findings: Vulnerability[], 
+  stats: Record<Layer1DetectorName, number> 
+} {
+  const stats: Record<Layer1DetectorName, number> = {
     known_secrets: 0,
     weak_crypto: 0,
     sensitive_urls: 0,
@@ -61,33 +62,78 @@ export async function runLayer1Scan(files: ScanFile[]): Promise<Layer1Result> {
     ai_comments: 0,
   }
 
-  for (const file of files) {
-    // Run all Layer 1 detectors and track raw counts
-    const entropyFindings = detectHighEntropyStrings(file.content, file.path)
-    const patternFindings = detectKnownPatterns(file.content, file.path)
-    const configFindings = auditConfiguration(file.content, file.path)
-    const fileFlags = detectDangerousFiles(file.content, file.path)
-    const commentFindings = detectAICommentPatterns(file.content, file.path)
-    const urlFindings = detectSensitiveURLs(file.content, file.path)
-    const cryptoFindings = detectWeakCrypto(file.content, file.path)
-
-    rawStats.entropy += entropyFindings.length
-    rawStats.known_secrets += patternFindings.length
-    rawStats.config_audit += configFindings.length
-    rawStats.file_flags += fileFlags.length
-    rawStats.ai_comments += commentFindings.length
-    rawStats.sensitive_urls += urlFindings.length
-    rawStats.weak_crypto += cryptoFindings.length
-
-    vulnerabilities.push(
+  const entropyFindings = detectHighEntropyStrings(file.content, file.path)
+  const patternFindings = detectKnownPatterns(file.content, file.path)
+  const configFindings = auditConfiguration(file.content, file.path)
+  const fileFlags = detectDangerousFiles(file.content, file.path)
+  const commentFindings = detectAICommentPatterns(file.content, file.path)
+  const urlFindings = detectSensitiveURLs(file.content, file.path)
+  const cryptoFindings = detectWeakCrypto(file.content, file.path)
+
+  stats.entropy = entropyFindings.length
+  stats.known_secrets = patternFindings.length
+  stats.config_audit = configFindings.length
+  stats.file_flags = fileFlags.length
+  stats.ai_comments = commentFindings.length
+  stats.sensitive_urls = urlFindings.length
+  stats.weak_crypto = cryptoFindings.length
+
+  return {
+    findings: [
       ...entropyFindings,
       ...patternFindings,
       ...configFindings,
       ...fileFlags,
       ...commentFindings,
       ...urlFindings,
-      ...cryptoFindings
-    )
+      ...cryptoFindings,
+    ],
+    stats,
+  }
+}
+
+// Parallel batch size for Layer 1 processing
+const LAYER1_PARALLEL_BATCH_SIZE = 50
+
+export async function runLayer1Scan(files: ScanFile[], onProgress?: ProgressCallback): Promise<Layer1Result> {
+  const startTime = Date.now()
+  const vulnerabilities: Vulnerability[] = []
+
+  // Track raw counts per detector (before dedupe)
+  const rawStats: Record<Layer1DetectorName, number> = {
+    known_secrets: 0,
+    weak_crypto: 0,
+    sensitive_urls: 0,
+    entropy: 0,
+    config_audit: 0,
+    file_flags: 0,
+    ai_comments: 0,
+  }
+
+  // Process files in parallel batches for better performance on large codebases
+  for (let i = 0; i < files.length; i += LAYER1_PARALLEL_BATCH_SIZE) {
+    const batch = files.slice(i, i + LAYER1_PARALLEL_BATCH_SIZE)
+    const results = await Promise.all(batch.map(file => Promise.resolve(processFileLayer1(file))))
+    
+    for (const result of results) {
+      vulnerabilities.push(...result.findings)
+      // Accumulate stats
+      for (const [key, value] of Object.entries(result.stats)) {
+        rawStats[key as Layer1DetectorName] += value
+      }
+    }
+
+    // Report progress after each batch
+    if (onProgress) {
+      const filesProcessed = Math.min(i + LAYER1_PARALLEL_BATCH_SIZE, files.length)
+      onProgress({
+        status: 'layer1',
+        message: 'Running surface scan (patterns, entropy, config)...',
+        filesProcessed,
+        totalFiles: files.length,
+        vulnerabilitiesFound: vulnerabilities.length,
+      })
+    }
   }
 
   // Deduplicate findings (same line might be caught by multiple detectors)
@@ -96,18 +142,7 @@ export async function runLayer1Scan(files: ScanFile[]): Promise<Layer1Result> {
   // Apply path exclusions to filter out findings in test/seed/example files
   const { kept: uniqueVulnerabilities, suppressed } = filterFindingsByPath(dedupedVulnerabilities)
 
-  // Log suppressed findings
-  if (suppressed.length > 0) {
-    const byReason: Record<string, number> = {}
-    for (const s of suppressed) {
-      const reason = s.reason || 'unknown'
-      byReason[reason] = (byReason[reason] || 0) + 1
-    }
-    console.log(`[Layer 1] Suppressed ${suppressed.length} findings in test/seed/example files:`)
-    for (const [reason, count] of Object.entries(byReason)) {
-      console.log(`  - ${reason}: ${count}`)
-    }
-  }
+  // Track suppressed findings (debug info available in stats)
 
   // Compute deduped counts per category
   const dedupedStats: Record<string, number> = {}
@@ -121,15 +156,7 @@ export async function runLayer1Scan(files: ScanFile[]): Promise<Layer1Result> {
     uniqueVulnerabilities.map(v => ({ category: v.category, layer: 1 as const }))
   )
 
-  // Log heuristic breakdown with tier info
-  console.log('[Layer 1] Heuristic breakdown (raw findings before dedupe):')
-  for (const [name, count] of Object.entries(rawStats)) {
-    if (count > 0) {
-      const tier = getLayer1DetectorTier(name as Layer1DetectorName)
-      console.log(`  - ${name}: ${count} (${tier})`)
-    }
-  }
-  console.log(`[Layer 1] Tier breakdown (after dedupe): ${formatTierStats(tierStats)}`)
+  // Heuristic breakdown available in stats.raw and stats.tiers for debugging
 
   return {
     vulnerabilities: uniqueVulnerabilities,

package/src/layer2/index.ts

@@ -6,6 +6,7 @@
  */
 
 import type { Vulnerability, ScanFile } from '../types'
+import type { ProgressCallback } from '../index'
 import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
 import { detectAuthHelpers, type AuthHelperContext } from '../utils/auth-helper-detector'
 import type { FileAuthImports } from '../utils/imported-auth-detector'
@@ -72,13 +73,127 @@ export interface Layer2Result {
   stats: Layer2Stats
 }
 
+// Layer 2 detector stats type
+type Layer2DetectorStats = {
+  variables: number
+  logicGates: number
+  dangerousFunctions: number
+  riskyImports: number
+  authAntipatterns: number
+  frameworkIssues: number
+  aiFingerprints: number
+  dataExposure: number
+  byokPatterns: number
+  promptHygiene: number
+  executionSinks: number
+  agentTools: number
+  ragSafety: number
+  endpointProtection: number
+  schemaValidation: number
+}
+
+// Process a single file through all Layer 2 detectors
+function processFileLayer2(
+  file: ScanFile,
+  options: Layer2Options,
+  authHelperContext: ReturnType<typeof detectAuthHelpers>
+): { findings: Vulnerability[], stats: Layer2DetectorStats } {
+  const stats: Layer2DetectorStats = {
+    variables: 0,
+    logicGates: 0,
+    dangerousFunctions: 0,
+    riskyImports: 0,
+    authAntipatterns: 0,
+    frameworkIssues: 0,
+    aiFingerprints: 0,
+    dataExposure: 0,
+    byokPatterns: 0,
+    promptHygiene: 0,
+    executionSinks: 0,
+    agentTools: 0,
+    ragSafety: 0,
+    endpointProtection: 0,
+    schemaValidation: 0,
+  }
+
+  // Skip non-code files
+  if (!isCodeFile(file.path)) {
+    return { findings: [], stats }
+  }
+
+  // Run all detectors
+  const variableFindings = detectSensitiveVariables(file.content, file.path)
+  const logicFindings = detectLogicGates(file.content, file.path)
+  const dangerousFuncFindings = detectDangerousFunctions(file.content, file.path)
+  const riskyImportFindings = detectRiskyImports(file.content, file.path)
+  const authFindings = detectAuthAntipatterns(file.content, file.path, {
+    middlewareConfig: options.middlewareConfig,
+    authHelpers: authHelperContext,
+    fileAuthImports: options.fileAuthImports,
+  })
+  const frameworkFindings = detectFrameworkIssues(file.content, file.path)
+  const aiFindings = detectAIFingerprints(file.content, file.path)
+  const dataExposureFindings = detectDataExposure(file.content, file.path)
+  const byokFindings = detectBYOKPatterns(file.content, file.path, options.middlewareConfig)
+  const promptHygieneFindings = detectAIPromptHygiene(file.content, file.path)
+  const executionSinkFindings = detectAIExecutionSinks(file.content, file.path)
+  const agentToolFindings = detectAIAgentTools(file.content, file.path)
+  const ragSafetyFindings = detectRAGSafetyIssues(file.content, file.path)
+  const endpointProtectionFindings = detectAIEndpointProtection(file.content, file.path, {
+    middlewareConfig: options.middlewareConfig,
+  })
+  const schemaValidationFindings = detectAISchemaValidation(file.content, file.path)
+
+  // Update stats
+  stats.variables = variableFindings.length
+  stats.logicGates = logicFindings.length
+  stats.dangerousFunctions = dangerousFuncFindings.length
+  stats.riskyImports = riskyImportFindings.length
+  stats.authAntipatterns = authFindings.length
+  stats.frameworkIssues = frameworkFindings.length
+  stats.aiFingerprints = aiFindings.length
+  stats.dataExposure = dataExposureFindings.length
+  stats.byokPatterns = byokFindings.length
+  stats.promptHygiene = promptHygieneFindings.length
+  stats.executionSinks = executionSinkFindings.length
+  stats.agentTools = agentToolFindings.length
+  stats.ragSafety = ragSafetyFindings.length
+  stats.endpointProtection = endpointProtectionFindings.length
+  stats.schemaValidation = schemaValidationFindings.length
+
+  return {
+    findings: [
+      ...variableFindings,
+      ...logicFindings,
+      ...dangerousFuncFindings,
+      ...riskyImportFindings,
+      ...authFindings,
+      ...frameworkFindings,
+      ...aiFindings,
+      ...dataExposureFindings,
+      ...byokFindings,
+      ...promptHygieneFindings,
+      ...executionSinkFindings,
+      ...agentToolFindings,
+      ...ragSafetyFindings,
+      ...endpointProtectionFindings,
+      ...schemaValidationFindings,
+    ],
+    stats,
+  }
+}
+
+// Parallel batch size for Layer 2 processing
+const LAYER2_PARALLEL_BATCH_SIZE = 50
+
 export async function runLayer2Scan(
   files: ScanFile[],
-  options: Layer2Options = {}
+  options: Layer2Options = {},
+  onProgress?: ProgressCallback
 ): Promise<Layer2Result> {
   const startTime = Date.now()
   const vulnerabilities: Vulnerability[] = []
-  const stats = {
+  const stats: Layer2DetectorStats = {
     variables: 0,
     logicGates: 0,
     dangerousFunctions: 0,
@@ -91,7 +206,6 @@ export async function runLayer2Scan(
     promptHygiene: 0,
     executionSinks: 0,
     agentTools: 0,
-    // M5: New AI-era detectors
     ragSafety: 0,
     endpointProtection: 0,
     schemaValidation: 0,
@@ -100,71 +214,31 @@ export async function runLayer2Scan(
   // Detect auth helpers once for all files (if not already provided)
   const authHelperContext = options.authHelperContext || detectAuthHelpers(files)
 
-  for (const file of files) {
-    // Only scan code files for Layer 2 (skip configs, etc.)
-    if (isCodeFile(file.path)) {
-      // Existing scanners
-      const variableFindings = detectSensitiveVariables(file.content, file.path)
-      const logicFindings = detectLogicGates(file.content, file.path)
-      
-      // New Layer 2 scanners
-      const dangerousFuncFindings = detectDangerousFunctions(file.content, file.path)
-      const riskyImportFindings = detectRiskyImports(file.content, file.path)
-      const authFindings = detectAuthAntipatterns(file.content, file.path, {
-        middlewareConfig: options.middlewareConfig,
-        authHelpers: authHelperContext,
-        fileAuthImports: options.fileAuthImports,
-      })
-      const frameworkFindings = detectFrameworkIssues(file.content, file.path)
-      const aiFindings = detectAIFingerprints(file.content, file.path)
-      const dataExposureFindings = detectDataExposure(file.content, file.path)
-      const byokFindings = detectBYOKPatterns(file.content, file.path, options.middlewareConfig)
-
-      // Story B: AI-specific detection (prompt hygiene, execution sinks, agent tools)
-      const promptHygieneFindings = detectAIPromptHygiene(file.content, file.path)
-      const executionSinkFindings = detectAIExecutionSinks(file.content, file.path)
-      const agentToolFindings = detectAIAgentTools(file.content, file.path)
-
-      // M5: New AI-era detectors
-      const ragSafetyFindings = detectRAGSafetyIssues(file.content, file.path)
-      const endpointProtectionFindings = detectAIEndpointProtection(file.content, file.path, {
-        middlewareConfig: options.middlewareConfig,
+  // Process files in parallel batches for better performance on large codebases
+  for (let i = 0; i < files.length; i += LAYER2_PARALLEL_BATCH_SIZE) {
+    const batch = files.slice(i, i + LAYER2_PARALLEL_BATCH_SIZE)
+    const results = await Promise.all(
+      batch.map(file => Promise.resolve(processFileLayer2(file, options, authHelperContext)))
+    )
+    
+    for (const result of results) {
+      vulnerabilities.push(...result.findings)
+      // Accumulate stats
+      for (const [key, value] of Object.entries(result.stats)) {
+        stats[key as keyof Layer2DetectorStats] += value
+      }
+    }
+
+    // Report progress after each batch
+    if (onProgress) {
+      const filesProcessed = Math.min(i + LAYER2_PARALLEL_BATCH_SIZE, files.length)
+      onProgress({
+        status: 'layer2',
+        message: 'Running structural scan (variables, logic gates)...',
+        filesProcessed,
+        totalFiles: files.length,
+        vulnerabilitiesFound: vulnerabilities.length,
       })
-      const schemaValidationFindings = detectAISchemaValidation(file.content, file.path)
-
-      stats.variables += variableFindings.length
-      stats.logicGates += logicFindings.length
-      stats.dangerousFunctions += dangerousFuncFindings.length
-      stats.riskyImports += riskyImportFindings.length
-      stats.authAntipatterns += authFindings.length
-      stats.frameworkIssues += frameworkFindings.length
-      stats.aiFingerprints += aiFindings.length
-      stats.dataExposure += dataExposureFindings.length
-      stats.byokPatterns += byokFindings.length
-      stats.promptHygiene += promptHygieneFindings.length
-      stats.executionSinks += executionSinkFindings.length
-      stats.agentTools += agentToolFindings.length
-      stats.ragSafety += ragSafetyFindings.length
-      stats.endpointProtection += endpointProtectionFindings.length
-      stats.schemaValidation += schemaValidationFindings.length
-
-      vulnerabilities.push(
-        ...variableFindings,
-        ...logicFindings,
-        ...dangerousFuncFindings,
-        ...riskyImportFindings,
-        ...authFindings,
-        ...frameworkFindings,
-        ...aiFindings,
-        ...dataExposureFindings,
-        ...byokFindings,
-        ...promptHygieneFindings,
-        ...executionSinkFindings,
-        ...agentToolFindings,
-        ...ragSafetyFindings,
-        ...endpointProtectionFindings,
-        ...schemaValidationFindings
-      )
     }
   }
 
@@ -197,17 +271,7 @@ export async function runLayer2Scan(
     Object.keys(exclusionConfig).length > 0 ? exclusionConfig : undefined
   )
 
-  // Log suppressed findings
-  if (suppressed.length > 0) {
-    console.log(`[Layer 2] Suppressed ${suppressed.length} findings in test/seed/example files:`)
-    const byReason = new Map<string, number>()
-    for (const { reason } of suppressed) {
-      byReason.set(reason || 'unknown', (byReason.get(reason || 'unknown') || 0) + 1)
-    }
-    for (const [reason, count] of byReason) {
-      console.log(`  - ${reason}: ${count}`)
-    }
-  }
+  // Track suppressed findings (debug info available in stats)
 
   // Build raw stats map for logging
   const rawStats: Record<string, number> = {
@@ -267,16 +331,7 @@ export async function runLayer2Scan(
     ai_schema_validation: 'ai_schema_validation',
   }
 
-  // Log heuristic breakdown (raw findings before dedupe) with tier info
-  console.log('[Layer 2] Heuristic breakdown (raw findings before dedupe):')
-  for (const [name, count] of Object.entries(rawStats)) {
-    if (count > 0) {
-      const detectorName = detectorNameMap[name]
-      const tier = detectorName ? getLayer2DetectorTier(detectorName) : 'unknown'
-      console.log(`  - ${name}: ${count} (${tier})`)
-    }
-  }
-  console.log(`[Layer 2] Tier breakdown (after dedupe): ${formatTierStats(tierStats)}`)
+  // Heuristic breakdown available in stats.raw and stats.tiers for debugging
 
   return {
     vulnerabilities: uniqueVulnerabilities,

package/src/layer3/anthropic.ts

@@ -68,11 +68,12 @@ export interface AIValidationResult {
 
 // Number of files to include in each API call (Phase 2 optimization)
 // Batching multiple files reduces API overhead and leverages prompt caching better
-const FILES_PER_API_BATCH = 5
+const FILES_PER_API_BATCH = 8
 
 // Number of API batches to process in parallel (Phase 3 optimization)
-// Higher values = faster scans but more API load; OpenAI handles this well
-const PARALLEL_API_BATCHES = 4
+// Higher values = faster scans but more API load; OpenAI/GPT-5-mini handles this well
+// Increased from 4 to 6 for better throughput on large codebases
+const PARALLEL_API_BATCHES = 6
 
 // Initialize Anthropic client
 function getAnthropicClient(): Anthropic {