npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/dist/layer2/ai-schema-validation.js ADDED Viewed

@@ -0,0 +1,375 @@
+"use strict";
+/**
+ * Layer 2: AI Schema/Tooling Validation Detection
+ * Detects missing or weak validation of AI-generated structured outputs
+ *
+ * Covers:
+ * - M5.3: Schema/tooling mismatch
+ * - Unvalidated JSON parsing of AI outputs
+ * - Weak schema patterns (any, permissive)
+ * - Tool invocation parameters not validated
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAISchemaValidation = detectAISchemaValidation;
+exports.isAIContextFile = isAIContextFile;
+exports.hasSchemaValidation = hasSchemaValidation;
+const context_helpers_1 = require("../utils/context-helpers");
+// ============================================================================
+// Context Detection
+// ============================================================================
+/**
+ * Check if file is in an AI/LLM context
+ */
+function isAIContextFile(filePath, content) {
+    // File path patterns
+    const aiPathPatterns = [
+        /\/(ai|llm|chat|openai|anthropic|agents?|tools?)\//i,
+        /(ai|llm|chat|agent|tool|function).*\.(ts|js|tsx|jsx|py)$/i,
+    ];
+    if (aiPathPatterns.some(p => p.test(filePath))) {
+        return true;
+    }
+    // Content patterns
+    const aiContentPatterns = [
+        /openai\.|anthropic\.|ChatCompletion|MessageCreate/i,
+        /\.chat\.completions?\.create/i,
+        /\.messages\.create/i,
+        /generateText|streamText|generateObject/i,
+        /tool_calls?|function_call|functionCall/i,
+        /from\s+['"](?:openai|@anthropic-ai|langchain)/i,
+    ];
+    return aiContentPatterns.some(p => p.test(content));
+}
+/**
+ * Check if there's schema validation in the context
+ */
+function hasSchemaValidation(context) {
+    const validationPatterns = [
+        // Zod
+        /z\.(?:parse|safeParse|parseAsync)\s*\(/i,
+        /\.parse\s*\([^)]*response/i,
+        /zodSchema|z\.object/i,
+        // Ajv
+        /ajv\.(?:compile|validate)/i,
+        /\.validate\s*\([^)]*schema/i,
+        // Joi
+        /joi\.(?:object|string|number).*\.validate/i,
+        /\.validate\s*\([^)]*joi/i,
+        // Yup
+        /yup\.(?:object|string|number).*\.validate/i,
+        // TypeBox
+        /Type\.(?:Object|String|Number)/i,
+        /Value\.(?:Check|Decode)/i,
+        // Generic validation
+        /validateSchema|schemaValidator/i,
+        /JSON\.parse.*try.*catch.*schema/i,
+        // OpenAI Structured Outputs
+        /response_format.*json_schema/i,
+        /json_schema\s*:/i,
+    ];
+    return validationPatterns.some(p => p.test(context));
+}
+/**
+ * Check if there's a security-sensitive sink after parsing
+ */
+function hasSecuritySink(context) {
+    const sinkPatterns = [
+        // Execution sinks
+        /eval\s*\(/i,
+        /Function\s*\(/i,
+        /exec\s*\(|spawn\s*\(/i,
+        /child_process/i,
+        // Database sinks
+        /\.query\s*\(/i,
+        /\.execute\s*\(/i,
+        /\.raw\s*\(/i,
+        /\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)/i,
+        // File system sinks
+        /fs\.(?:readFile|writeFile|unlink|mkdir)/i,
+        /readFileSync|writeFileSync/i,
+        // Network sinks
+        /fetch\s*\(|axios\.|request\s*\(/i,
+        // DOM sinks (if applicable)
+        /innerHTML|dangerouslySetInnerHTML/i,
+    ];
+    return sinkPatterns.some(p => p.test(context));
+}
+/**
+ * Check if there's try-catch around the parsing
+ */
+function hasTryCatch(content, lineIndex) {
+    const lines = content.split('\n');
+    const start = Math.max(0, lineIndex - 15);
+    const end = Math.min(lines.length, lineIndex + 5);
+    const context = lines.slice(start, end).join('\n');
+    // Simple check for try block wrapping
+    const tryPattern = /try\s*\{[^}]*$/;
+    const beforeContext = lines.slice(start, lineIndex).join('\n');
+    return tryPattern.test(beforeContext);
+}
+/**
+ * Get surrounding context
+ */
+function getSurroundingContext(content, lineIndex, windowSize = 20) {
+    const lines = content.split('\n');
+    const start = Math.max(0, lineIndex - windowSize);
+    const end = Math.min(lines.length, lineIndex + windowSize);
+    return lines.slice(start, end).join('\n');
+}
+/**
+ * Unvalidated AI output parsing patterns
+ */
+const UNVALIDATED_PARSING_PATTERNS = [
+    // JSON.parse on AI response content
+    {
+        name: 'AI response content parsed without validation',
+        pattern: /JSON\.parse\s*\(\s*(?:response|result|completion|output|message)(?:\.\w+)*(?:\.content|\.text|\.message)?/gi,
+        riskType: 'unvalidated_parse',
+        baseSeverity: 'medium',
+        description: 'AI-generated JSON parsed without schema validation. Model may return malformed or malicious structures.',
+        suggestedFix: 'Validate with schema: const data = schema.parse(JSON.parse(response.content)) // using zod',
+    },
+    // OpenAI choices parsing
+    {
+        name: 'OpenAI response parsed directly',
+        pattern: /JSON\.parse\s*\(\s*(?:\w+\.)?choices\[\d+\]\.message\.content/gi,
+        riskType: 'unvalidated_parse',
+        baseSeverity: 'medium',
+        description: 'OpenAI response content parsed without validation. AI output structure should be verified.',
+        suggestedFix: 'Use OpenAI Structured Outputs (response_format: { type: "json_schema", json_schema: {...} }) or validate with zod.',
+    },
+    // Anthropic content parsing
+    {
+        name: 'Anthropic response parsed directly',
+        pattern: /JSON\.parse\s*\(\s*(?:\w+\.)?content\[0\]\.text/gi,
+        riskType: 'unvalidated_parse',
+        baseSeverity: 'medium',
+        description: 'Anthropic response parsed without validation. AI output may not match expected schema.',
+        suggestedFix: 'Validate response structure with zod or similar schema validation library.',
+    },
+    // Tool call arguments parsing
+    {
+        name: 'Tool call arguments parsed without validation',
+        pattern: /JSON\.parse\s*\(\s*(?:\w+\.)?(?:tool_calls?|function_call)(?:\[\d+\])?\.(?:function\.)?arguments/gi,
+        riskType: 'unvalidated_parse',
+        baseSeverity: 'medium',
+        description: 'Function calling arguments parsed without schema validation. Tool parameters should be verified.',
+        suggestedFix: 'Define and validate tool argument schema: const args = toolSchema.parse(JSON.parse(toolCall.function.arguments))',
+    },
+    // Generic AI output parsing
+    {
+        name: 'AI output assigned without parsing/validation',
+        pattern: /(?:const|let|var)\s+\w+\s*=\s*(?:response|completion|result)\.(?:content|text|data)\s*;?\s*(?!.*(?:parse|validate|schema))/gi,
+        riskType: 'unvalidated_parse',
+        baseSeverity: 'low',
+        description: 'AI output assigned directly to variable. If used as structured data, validate first.',
+        suggestedFix: 'If expecting JSON: const data = schema.safeParse(JSON.parse(response.content))',
+    },
+];
+/**
+ * Weak schema patterns
+ */
+const WEAK_SCHEMA_PATTERNS = [
+    // any type for AI response
+    {
+        name: 'AI response typed as any',
+        pattern: /(?:response|aiResponse|completion|result)\s*:\s*any\b/gi,
+        riskType: 'weak_schema',
+        baseSeverity: 'low',
+        description: 'AI response typed as `any`. TypeScript cannot catch type errors at compile time.',
+        suggestedFix: 'Define explicit interface and use runtime validation: interface AIResponse { ... }; const data: AIResponse = schema.parse(response)',
+    },
+    // Permissive zod schemas
+    {
+        name: 'Permissive zod schema for AI output',
+        pattern: /z\.(?:any|unknown)\s*\(\s*\).*(?:response|output|completion)/gi,
+        riskType: 'weak_schema',
+        baseSeverity: 'low',
+        description: 'Using z.any() or z.unknown() defeats the purpose of schema validation.',
+        suggestedFix: 'Define specific schema: z.object({ field: z.string(), ... }).strict()',
+    },
+    // Passthrough schemas
+    {
+        name: 'Passthrough schema allowing extra properties',
+        pattern: /z\.object\s*\([^)]+\)\.passthrough\s*\(\s*\)/gi,
+        riskType: 'weak_schema',
+        baseSeverity: 'info',
+        description: 'Schema uses passthrough() allowing unexpected properties from AI output.',
+        suggestedFix: 'Use .strict() instead to reject unexpected properties from AI responses.',
+    },
+    // Record<string, any>
+    {
+        name: 'Record<string, any> for AI data',
+        pattern: /Record<string,\s*any>\s*.*(?:response|result|output|completion|aiData)/gi,
+        riskType: 'weak_schema',
+        baseSeverity: 'low',
+        description: 'Generic Record<string, any> type used for AI output provides no type safety.',
+        suggestedFix: 'Define specific interface or use zod schema for runtime validation.',
+    },
+    // Object type without specifics
+    {
+        name: 'Generic object type for AI response',
+        pattern: /(?:response|completion|aiOutput)\s*:\s*(?:object|Object|{})\b/gi,
+        riskType: 'weak_schema',
+        baseSeverity: 'info',
+        description: 'Generic object type for AI response. Consider defining specific interface.',
+        suggestedFix: 'Replace with specific interface that documents expected AI output structure.',
+    },
+];
+/**
+ * Tool parameter validation issues
+ */
+const TOOL_PARAM_PATTERNS = [
+    // Tool parameters used directly in paths
+    {
+        name: 'Tool parameter used in file path',
+        pattern: /(?:tool|args|parameters)(?:\.\w+)*\.(?:path|filename|filepath|file).*(?:readFile|writeFile|fs\.|path\.)/gi,
+        riskType: 'tool_params',
+        baseSeverity: 'high',
+        description: 'AI-generated file path used without validation. Path traversal attack possible.',
+        suggestedFix: 'Validate path against allowlist: if (!allowedPaths.some(p => resolvedPath.startsWith(p))) throw new Error("Invalid path")',
+    },
+    // Tool parameters in commands
+    {
+        name: 'Tool parameter used in shell command',
+        pattern: /(?:tool|args|parameters)(?:\.\w+)*\.(?:command|cmd|script).*(?:exec|spawn|shell)/gi,
+        riskType: 'tool_params',
+        baseSeverity: 'critical',
+        description: 'AI-generated command executed without validation. Command injection possible.',
+        suggestedFix: 'Use allowlist for permitted commands. Never execute arbitrary AI-generated commands.',
+    },
+    // Tool parameters in URLs
+    {
+        name: 'Tool parameter used in URL',
+        pattern: /(?:tool|args|parameters)(?:\.\w+)*\.(?:url|endpoint|host).*(?:fetch|axios|request|http)/gi,
+        riskType: 'tool_params',
+        baseSeverity: 'high',
+        description: 'AI-generated URL used without validation. SSRF attack possible.',
+        suggestedFix: 'Validate URL against allowlist of permitted hosts before making request.',
+    },
+    // Tool parameters in database queries
+    {
+        name: 'Tool parameter used in database query',
+        pattern: /(?:tool|args|parameters)(?:\.\w+)*\.(?:query|sql|table|column).*(?:\.query|\.execute|\.raw)/gi,
+        riskType: 'tool_params',
+        baseSeverity: 'high',
+        description: 'AI-generated value used in database query. SQL injection possible.',
+        suggestedFix: 'Use parameterized queries. Validate table/column names against allowlist.',
+    },
+    // Function call name used in switch/if
+    {
+        name: 'Tool/function call routed without validation',
+        pattern: /(?:tool_call|function_call|functionCall)\.(?:name|function\.name).*(?:switch|if|\[.*\])/gi,
+        riskType: 'tool_params',
+        baseSeverity: 'medium',
+        description: 'AI-selected function name used for routing. Validate against allowed functions.',
+        suggestedFix: 'Check function name against allowlist: const allowedFunctions = ["search", "calculate"]; if (!allowedFunctions.includes(name)) throw',
+    },
+];
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+/**
+ * Main detection function for AI schema/tooling validation issues
+ */
+function detectAISchemaValidation(content, filePath) {
+    const vulnerabilities = [];
+    // Skip non-applicable files
+    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    if ((0, context_helpers_1.isDocumentationFile)(filePath))
+        return vulnerabilities;
+    // Only scan files in AI context
+    if (!isAIContextFile(filePath, content)) {
+        return vulnerabilities;
+    }
+    const lines = content.split('\n');
+    const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
+    // Check file-level validation presence
+    const fileHasValidation = hasSchemaValidation(content);
+    // Process all pattern categories
+    const allPatterns = [
+        ...UNVALIDATED_PARSING_PATTERNS,
+        ...WEAK_SCHEMA_PATTERNS,
+        ...TOOL_PARAM_PATTERNS,
+    ];
+    for (const pattern of allPatterns) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const context = getSurroundingContext(content, lineNumber - 1, 20);
+            // Check for local validation
+            const localHasValidation = hasSchemaValidation(context);
+            const localHasTryCatch = hasTryCatch(content, lineNumber - 1);
+            const localHasSecuritySink = hasSecuritySink(context);
+            // Calculate severity based on context
+            let severity = pattern.baseSeverity;
+            const notes = [];
+            // Apply context-aware adjustments
+            if (pattern.riskType === 'unvalidated_parse') {
+                if (localHasValidation || fileHasValidation) {
+                    severity = 'info';
+                    notes.push('Schema validation detected nearby');
+                }
+                else if (localHasSecuritySink) {
+                    // Elevate if used in security-sensitive context
+                    if (severity === 'medium')
+                        severity = 'high';
+                    notes.push('Used in security-sensitive context');
+                }
+                else if (localHasTryCatch && !localHasSecuritySink) {
+                    // Try-catch without sink is minor
+                    severity = 'low';
+                    notes.push('Has try-catch but no schema validation');
+                }
+            }
+            if (pattern.riskType === 'weak_schema') {
+                // Weak schemas at API boundaries are more concerning
+                if (/export|handler|route|api/i.test(context)) {
+                    if (severity === 'low')
+                        severity = 'medium';
+                    notes.push('At API boundary');
+                }
+            }
+            if (pattern.riskType === 'tool_params') {
+                // Already high/critical, check for mitigation
+                if (localHasValidation) {
+                    severity = severity === 'critical' ? 'medium' : 'low';
+                    notes.push('Validation detected');
+                }
+            }
+            // Downgrade test files
+            if (isTestFile) {
+                severity = 'info';
+                notes.push('in test file');
+            }
+            // Build final description
+            let description = pattern.description;
+            if (notes.length > 0) {
+                description += ` (${notes.join('; ')})`;
+            }
+            vulnerabilities.push({
+                id: `ai-schema-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_schema_mismatch',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: severity === 'info' ? 'low' : 'medium',
+                layer: 2,
+                requiresAIValidation: true, // Tier B - always validate with AI
+            });
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=ai-schema-validation.js.map

package/dist/layer2/ai-schema-validation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ai-schema-validation.js","sourceRoot":"","sources":["../../src/layer2/ai-schema-validation.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAuSH,4DAiHC;AAGQ,0CAAe;AAAE,kDAAmB;AAxZ7C,8DAKiC;AAEjC,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,eAAe,CAAC,QAAgB,EAAE,OAAe;IACxD,qBAAqB;IACrB,MAAM,cAAc,GAAG;QACrB,oDAAoD;QACpD,2DAA2D;KAC5D,CAAA;IAED,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAA;IACb,CAAC;IAED,mBAAmB;IACnB,MAAM,iBAAiB,GAAG;QACxB,oDAAoD;QACpD,+BAA+B;QAC/B,qBAAqB;QACrB,yCAAyC;QACzC,yCAAyC;QACzC,gDAAgD;KACjD,CAAA;IAED,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACrD,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,OAAe;IAC1C,MAAM,kBAAkB,GAAG;QACzB,MAAM;QACN,yCAAyC;QACzC,4BAA4B;QAC5B,sBAAsB;QACtB,MAAM;QACN,4BAA4B;QAC5B,6BAA6B;QAC7B,MAAM;QACN,4CAA4C;QAC5C,0BAA0B;QAC1B,MAAM;QACN,4CAA4C;QAC5C,UAAU;QACV,iCAAiC;QACjC,0BAA0B;QAC1B,qBAAqB;QACrB,iCAAiC;QACjC,kCAAkC;QAClC,4BAA4B;QAC5B,+BAA+B;QAC/B,kBAAkB;KACnB,CAAA;IACD,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,YAAY,GAAG;QACnB,kBAAkB;QAClB,YAAY;QACZ,gBAAgB;QAChB,uBAAuB;QACvB,gBAAgB;QAChB,iBAAiB;QACjB,eAAe;QACf,iBAAiB;QACjB,aAAa;QACb,4CAA4C;QAC5C,oBAAoB;QACpB,0CAA0C;QAC1C,6BAA6B;QAC7B,gBAAgB;QAChB,kCAAkC;QAClC,4BAA4B;QAC5B,oCAAoC;KACrC,CAAA;IACD,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,OAAe,EAAE,SAAiB;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,EAAE,CAAC,CAAA;IACzC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA;IACjD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,sCAAsC;IACtC,MAAM,UAAU,GAAG,gBAAgB,CAAA;IACnC,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC9D,OAAO,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,OAAe,EAAE,SAAiB,EAAE,aAAqB,EAAE;IACxF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IAC1D,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC3C,CAAC;AAeD;;GAEG;AACH,MAAM,4BAA4B,GAA8B;IAC9D,oCAAoC;IACpC;QACE,IAAI,EAAE,+CAA+C;QACrD,OAAO,EAAE,6GAA6G;QACtH,QAAQ,EAAE,mBAAmB;QAC7B,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,yGAAyG;QACtH,YAAY,EAAE,4FAA4F;KAC3G;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,mBAAmB;QAC7B,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,4FAA4F;QACzG,YAAY,EAAE,oHAAoH;KACnI;IACD,4BAA4B;IAC5B;QACE,IAAI,EAAE,oCAAoC;QAC1C,OAAO,EAAE,mDAAmD;QAC5D,QAAQ,EAAE,mBAAmB;QAC7B,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,wFAAwF;QACrG,YAAY,EAAE,4EAA4E;KAC3F;IACD,8BAA8B;IAC9B;QACE,IAAI,EAAE,+CAA+C;QACrD,OAAO,EAAE,oGAAoG;QAC7G,QAAQ,EAAE,mBAAmB;QAC7B,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,kGAAkG;QAC/G,YAAY,EAAE,kHAAkH;KACjI;IACD,4BAA4B;IAC5B;QACE,IAAI,EAAE,+CAA+C;QACrD,OAAO,EAAE,8HAA8H;QACvI,QAAQ,EAAE,mBAAmB;QAC7B,YAAY,EAAE,KAAK;QACnB,WAAW,EAAE,sFAAsF;QACnG,YAAY,EAAE,gFAAgF;KAC/F;CACF,CAAA;AAED;;GAEG;AACH,MAAM,oBAAoB,GAA8B;IACtD,2BAA2B;IAC3B;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,yDAAyD;QAClE,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,KAAK;QACnB,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,qIAAqI;KACpJ;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,qCAAqC;QAC3C,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,KAAK;QACnB,WAAW,EAAE,wEAAwE;QACrF,YAAY,EAAE,uEAAuE;KACtF;IACD,sBAAsB;IACtB;QACE,IAAI,EAAE,8CAA8C;QACpD,OAAO,EAAE,gDAAgD;QACzD,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,0EAA0E;QACvF,YAAY,EAAE,0EAA0E;KACzF;IACD,sBAAsB;IACtB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,0EAA0E;QACnF,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,KAAK;QACnB,WAAW,EAAE,8EAA8E;QAC3F,YAAY,EAAE,qEAAqE;KACpF;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,qCAAqC;QAC3C,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,4EAA4E;QACzF,YAAY,EAAE,8EAA8E;KAC7F;CACF,CAAA;AAED;;GAEG;AACH,MAAM,mBAAmB,GAA8B;IACrD,yCAAyC;IACzC;QACE,IAAI,EAAE,kCAAkC;QACxC,OAAO,EAAE,2GAA2G;QACpH,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,iFAAiF;QAC9F,YAAY,EAAE,2HAA2H;KAC1I;IACD,8BAA8B;IAC9B;QACE,IAAI,EAAE,sCAAsC;QAC5C,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,+EAA+E;QAC5F,YAAY,EAAE,sFAAsF;KACrG;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,iEAAiE;QAC9E,YAAY,EAAE,0EAA0E;KACzF;IACD,sCAAsC;IACtC;QACE,IAAI,EAAE,uCAAuC;QAC7C,OAAO,EAAE,+FAA+F;QACxG,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,oEAAoE;QACjF,YAAY,EAAE,2EAA2E;KAC1F;IACD,uCAAuC;IACvC;QACE,IAAI,EAAE,8CAA8C;QACpD,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,aAAa;QACvB,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,iFAAiF;QAC9F,YAAY,EAAE,sIAAsI;KACrJ;CACF,CAAA;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,wBAAwB,CACtC,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,4BAA4B;IAC5B,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,qCAAmB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAEzD,gCAAgC;IAChC,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;QACxC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAE7C,uCAAuC;IACvC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAA;IAEtD,iCAAiC;IACjC,MAAM,WAAW,GAA8B;QAC7C,GAAG,4BAA4B;QAC/B,GAAG,oBAAoB;QACvB,GAAG,mBAAmB;KACvB,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACvE,IAAI,KAAK,CAAA;QAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;YAEvD,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,WAAW,CAAC;gBAAE,SAAQ;YAEpC,0BAA0B;YAC1B,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,EAAE,UAAU,GAAG,CAAC,EAAE,EAAE,CAAC,CAAA;YAElE,6BAA6B;YAC7B,MAAM,kBAAkB,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAA;YACvD,MAAM,gBAAgB,GAAG,WAAW,CAAC,OAAO,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;YAC7D,MAAM,oBAAoB,GAAG,eAAe,CAAC,OAAO,CAAC,CAAA;YAErD,sCAAsC;YACtC,IAAI,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAA;YACnC,MAAM,KAAK,GAAa,EAAE,CAAA;YAE1B,kCAAkC;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,mBAAmB,EAAE,CAAC;gBAC7C,IAAI,kBAAkB,IAAI,iBAAiB,EAAE,CAAC;oBAC5C,QAAQ,GAAG,MAAM,CAAA;oBACjB,KAAK,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAA;gBACjD,CAAC;qBAAM,IAAI,oBAAoB,EAAE,CAAC;oBAChC,gDAAgD;oBAChD,IAAI,QAAQ,KAAK,QAAQ;wBAAE,QAAQ,GAAG,MAAM,CAAA;oBAC5C,KAAK,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAA;gBAClD,CAAC;qBAAM,IAAI,gBAAgB,IAAI,CAAC,oBAAoB,EAAE,CAAC;oBACrD,kCAAkC;oBAClC,QAAQ,GAAG,KAAK,CAAA;oBAChB,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAA;gBACtD,CAAC;YACH,CAAC;YAED,IAAI,OAAO,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;gBACvC,qDAAqD;gBACrD,IAAI,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC9C,IAAI,QAAQ,KAAK,KAAK;wBAAE,QAAQ,GAAG,QAAQ,CAAA;oBAC3C,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBAC/B,CAAC;YACH,CAAC;YAED,IAAI,OAAO,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;gBACvC,8CAA8C;gBAC9C,IAAI,kBAAkB,EAAE,CAAC;oBACvB,QAAQ,GAAG,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAA;oBACrD,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;gBACnC,CAAC;YACH,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;gBACjB,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;YAC5B,CAAC;YAED,0BAA0B;YAC1B,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;YACrC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,WAAW,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAA;YACzC,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,aAAa,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE;gBAC9E,QAAQ;gBACR,UAAU;gBACV,WAAW;gBACX,QAAQ;gBACR,QAAQ,EAAE,oBAAoB;gBAC9B,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,WAAW;gBACX,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,UAAU,EAAE,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ;gBAClD,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,IAAI,EAAE,mCAAmC;aAChE,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/layer2/auth-antipatterns.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * Layer 2: Authentication Anti-Pattern Detection
+ * Identifies weak or missing authentication/authorization patterns
+ *
+ * Key improvements:
+ * - Respects global middleware protection (caps severity at info)
+ * - Detects throwing auth helpers and suppresses redundant null checks
+ * - Properly classifies public endpoints
+ */
+import type { Vulnerability } from '../types';
+import type { MiddlewareAuthConfig } from '../utils/middleware-detector';
+import type { AuthHelperContext } from '../utils/auth-helper-detector';
+import type { FileAuthImports } from '../utils/imported-auth-detector';
+export interface AuthAntipatternOptions {
+    middlewareConfig?: MiddlewareAuthConfig;
+    authHelpers?: AuthHelperContext;
+    fileAuthImports?: Map<string, FileAuthImports>;
+}
+export declare function detectAuthAntipatterns(content: string, filePath: string, options?: AuthAntipatternOptions): Vulnerability[];
+//# sourceMappingURL=auth-antipatterns.d.ts.map

package/dist/layer2/auth-antipatterns.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-antipatterns.d.ts","sourceRoot":"","sources":["../../src/layer2/auth-antipatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,UAAU,CAAA;AACpE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAA;AAExE,OAAO,KAAK,EAAc,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AAElF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAA;AA6OtE,MAAM,WAAW,sBAAsB;IACrC,gBAAgB,CAAC,EAAE,oBAAoB,CAAA;IACvC,WAAW,CAAC,EAAE,iBAAiB,CAAA;IAC/B,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;CAC/C;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,aAAa,EAAE,CAmIjB"}