npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/dist/modes/incremental.js ADDED Viewed

@@ -0,0 +1,200 @@
+"use strict";
+/**
+ * Incremental Scan Mode
+ * Optimized scanning for PR workflows - only scan changed files and surface relevant findings
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runIncrementalScan = runIncrementalScan;
+exports.createPRScanConfig = createPRScanConfig;
+exports.formatIncrementalForPR = formatIncrementalForPR;
+const layer1_1 = require("../layer1");
+const layer2_1 = require("../layer2");
+const diff_parser_1 = require("../utils/diff-parser");
+const middleware_detector_1 = require("../utils/middleware-detector");
+/**
+ * Run an incremental scan optimized for PR workflows
+ *
+ * This scans:
+ * 1. All changed files (added + modified)
+ * 2. Files that import changed files (for context)
+ * 3. Middleware files (for auth context)
+ *
+ * And only surfaces findings on/near changed lines.
+ */
+async function runIncrementalScan(allFiles, options) {
+    const startTime = Date.now();
+    const { diffContent, changedFiles, strictLineMatching = false, contextWindow = 5, markAsIntroduced = true, previousFindings = [], } = options;
+    // Parse diff or file list to get changed files
+    let diffs;
+    if (diffContent) {
+        diffs = (0, diff_parser_1.parseDiff)(diffContent, contextWindow);
+    }
+    else if (changedFiles && changedFiles.length > 0) {
+        diffs = (0, diff_parser_1.parseChangedFileList)(changedFiles);
+    }
+    else {
+        // No diff info - scan everything but don't filter
+        console.log('[Incremental] No diff info provided, scanning all files');
+        diffs = new Map();
+    }
+    const changedPaths = (0, diff_parser_1.getChangedFilePaths)(diffs);
+    console.log(`[Incremental] Changed files: ${changedPaths.length}`);
+    // Build file index for import resolution
+    const fileIndex = new Map();
+    for (const file of allFiles) {
+        fileIndex.set(file.path, file);
+    }
+    // Determine which files to scan
+    const filesToScan = [];
+    const scannedPaths = new Set();
+    // 1. Add all changed files
+    for (const path of changedPaths) {
+        const file = fileIndex.get(path);
+        if (file && !scannedPaths.has(path)) {
+            filesToScan.push(file);
+            scannedPaths.add(path);
+        }
+    }
+    // 2. Add files that import changed files (for context)
+    // This helps detect issues where changes break dependencies
+    const importers = findImporters(allFiles, changedPaths);
+    for (const path of importers) {
+        if (!scannedPaths.has(path)) {
+            const file = fileIndex.get(path);
+            if (file) {
+                filesToScan.push(file);
+                scannedPaths.add(path);
+            }
+        }
+    }
+    // 3. Always include middleware files for auth context
+    const middlewareFile = allFiles.find(f => f.path.includes('middleware.ts') ||
+        f.path.includes('middleware.js'));
+    if (middlewareFile && !scannedPaths.has(middlewareFile.path)) {
+        filesToScan.push(middlewareFile);
+        scannedPaths.add(middlewareFile.path);
+    }
+    console.log(`[Incremental] Scanning ${filesToScan.length} files (${changedPaths.length} changed + ${importers.size} importers)`);
+    // Detect auth middleware from ALL files (for context)
+    const middlewareConfig = (0, middleware_detector_1.detectGlobalAuthMiddleware)(allFiles);
+    // Run Layer 1 + Layer 2 on selected files
+    const layer1Result = await (0, layer1_1.runLayer1Scan)(filesToScan);
+    const layer2Result = await (0, layer2_1.runLayer2Scan)(filesToScan, { middlewareConfig });
+    let allFindings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities];
+    // Filter to only findings on/near changed lines
+    if (diffs.size > 0) {
+        const beforeFilter = allFindings.length;
+        allFindings = (0, diff_parser_1.filterToChangedLines)(allFindings, diffs, { strictMode: strictLineMatching });
+        console.log(`[Incremental] Filtered findings: ${beforeFilter} → ${allFindings.length} (on/near changed lines)`);
+    }
+    // Mark findings as introduced and separate pre-existing
+    const introduced = [];
+    const preExisting = [];
+    if (previousFindings.length > 0) {
+        // Create fingerprints for previous findings
+        const previousFingerprints = new Set(previousFindings.map(f => `${f.filePath}:${f.lineNumber}:${f.category}`));
+        for (const finding of allFindings) {
+            const fingerprint = `${finding.filePath}:${finding.lineNumber}:${finding.category}`;
+            if (previousFingerprints.has(fingerprint)) {
+                preExisting.push(finding);
+            }
+            else {
+                if (markAsIntroduced) {
+                    finding.validationNotes = (finding.validationNotes || '') + ' [Introduced in this PR]';
+                }
+                introduced.push(finding);
+            }
+        }
+    }
+    else {
+        // No previous findings - all are "introduced"
+        introduced.push(...allFindings);
+    }
+    const duration = Date.now() - startTime;
+    console.log(`[Incremental] Scan completed in ${duration}ms: ${introduced.length} new, ${preExisting.length} pre-existing`);
+    return {
+        findings: allFindings,
+        introduced,
+        preExisting,
+        filesScanned: filesToScan.length,
+        filesChanged: changedPaths.length,
+        diffs,
+        duration,
+    };
+}
+/**
+ * Find files that import any of the changed files
+ */
+function findImporters(allFiles, changedPaths) {
+    const importers = new Set();
+    // Create patterns to match imports
+    const importPatterns = changedPaths.map(path => {
+        // Remove extension for import matching
+        const withoutExt = path.replace(/\.[^/.]+$/, '');
+        // Get just the filename without path for relative imports
+        const filename = withoutExt.split('/').pop() || '';
+        return { fullPath: withoutExt, filename };
+    });
+    for (const file of allFiles) {
+        // Skip if this file is already in changed paths
+        if (changedPaths.includes(file.path))
+            continue;
+        // Check if this file imports any changed file
+        for (const { fullPath, filename } of importPatterns) {
+            // Match various import patterns
+            const importRegex = new RegExp(`(?:import|require)\\s*(?:\\([^)]*|[^;]*from\\s*)['"]` +
+                `(?:\\.{0,2}/)?(?:${escapeRegex(fullPath)}|[^'"]*/${escapeRegex(filename)})['"]`, 'i');
+            if (importRegex.test(file.content)) {
+                importers.add(file.path);
+                break;
+            }
+        }
+    }
+    return importers;
+}
+/**
+ * Escape special regex characters
+ */
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Create a PR-optimized scan config
+ */
+function createPRScanConfig(changedFiles, options = {}) {
+    return {
+        mode: 'incremental',
+        changedFiles,
+        skipAIValidation: false, // Use AI for validation
+        skipLayer3: true, // Skip deep analysis for speed
+        maxAIValidationFiles: 20,
+        maxLayer3Files: 0,
+        scanDepth: 'cheap', // Fast feedback for PRs
+        ...options,
+    };
+}
+/**
+ * Format incremental scan result for PR comment
+ */
+function formatIncrementalForPR(result) {
+    const blocking = result.introduced.filter(f => f.severity === 'critical' || f.severity === 'high');
+    let summary;
+    if (result.introduced.length === 0) {
+        summary = `✅ No new security issues introduced in this PR`;
+    }
+    else if (blocking.length > 0) {
+        summary = `🚨 ${blocking.length} blocking issue${blocking.length === 1 ? '' : 's'} introduced`;
+    }
+    else {
+        summary = `⚠️ ${result.introduced.length} new issue${result.introduced.length === 1 ? '' : 's'} to review`;
+    }
+    if (result.preExisting.length > 0) {
+        summary += ` (${result.preExisting.length} pre-existing)`;
+    }
+    return {
+        summary,
+        hasNewIssues: result.introduced.length > 0,
+        blockingIssues: blocking.length,
+    };
+}
+//# sourceMappingURL=incremental.js.map

package/dist/modes/incremental.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"incremental.js","sourceRoot":"","sources":["../../src/modes/incremental.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA8DH,gDAkIC;AAkDD,gDAcC;AAKD,wDA4BC;AA9RD,sCAAyC;AACzC,sCAAyC;AACzC,sDAM6B;AAC7B,sEAAyE;AAwCzE;;;;;;;;;GASG;AACI,KAAK,UAAU,kBAAkB,CACtC,QAAoB,EACpB,OAA+B;IAE/B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAE5B,MAAM,EACJ,WAAW,EACX,YAAY,EACZ,kBAAkB,GAAG,KAAK,EAC1B,aAAa,GAAG,CAAC,EACjB,gBAAgB,GAAG,IAAI,EACvB,gBAAgB,GAAG,EAAE,GACtB,GAAG,OAAO,CAAA;IAEX,+CAA+C;IAC/C,IAAI,KAA4B,CAAA;IAEhC,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,GAAG,IAAA,uBAAS,EAAC,WAAW,EAAE,aAAa,CAAC,CAAA;IAC/C,CAAC;SAAM,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnD,KAAK,GAAG,IAAA,kCAAoB,EAAC,YAAY,CAAC,CAAA;IAC5C,CAAC;SAAM,CAAC;QACN,kDAAkD;QAClD,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAA;QACtE,KAAK,GAAG,IAAI,GAAG,EAAE,CAAA;IACnB,CAAC;IAED,MAAM,YAAY,GAAG,IAAA,iCAAmB,EAAC,KAAK,CAAC,CAAA;IAC/C,OAAO,CAAC,GAAG,CAAC,gCAAgC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAA;IAElE,yCAAyC;IACzC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAA;IAC7C,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IAChC,CAAC;IAED,gCAAgC;IAChC,MAAM,WAAW,GAAe,EAAE,CAAA;IAClC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAA;IAEtC,2BAA2B;IAC3B,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QAChC,IAAI,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACtB,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IAED,uDAAuD;IACvD,4DAA4D;IAC5D,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAA;IACvD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YAChC,IAAI,IAAI,EAAE,CAAC;gBACT,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBACtB,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACvC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC;QAChC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CACjC,CAAA;IACD,IAAI,cAAc,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAChC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,CAAA;IACvC,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,0BAA0B,WAAW,CAAC,MAAM,WAAW,YAAY,CAAC,MAAM,cAAc,SAAS,CAAC,IAAI,aAAa,CAAC,CAAA;IAEhI,sDAAsD;IACtD,MAAM,gBAAgB,GAAG,IAAA,gDAA0B,EAAC,QAAQ,CAAC,CAAA;IAE7D,0CAA0C;IAC1C,MAAM,YAAY,GAAG,MAAM,IAAA,sBAAa,EAAC,WAAW,CAAC,CAAA;IACrD,MAAM,YAAY,GAAG,MAAM,IAAA,sBAAa,EAAC,WAAW,EAAE,EAAE,gBAAgB,EAAE,CAAC,CAAA;IAE3E,IAAI,WAAW,GAAG,CAAC,GAAG,YAAY,CAAC,eAAe,EAAE,GAAG,YAAY,CAAC,eAAe,CAAC,CAAA;IAEpF,gDAAgD;IAChD,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAA;QACvC,WAAW,GAAG,IAAA,kCAAoB,EAAC,WAAW,EAAE,KAAK,EAAE,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1F,OAAO,CAAC,GAAG,CAAC,oCAAoC,YAAY,MAAM,WAAW,CAAC,MAAM,0BAA0B,CAAC,CAAA;IACjH,CAAC;IAED,wDAAwD;IACxD,MAAM,UAAU,GAAoB,EAAE,CAAA;IACtC,MAAM,WAAW,GAAoB,EAAE,CAAA;IAEvC,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,4CAA4C;QAC5C,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAClC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CACzE,CAAA;QAED,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,WAAW,GAAG,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAA;YAEnF,IAAI,oBAAoB,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC1C,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAC3B,CAAC;iBAAM,CAAC;gBACN,IAAI,gBAAgB,EAAE,CAAC;oBACrB,OAAO,CAAC,eAAe,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC,GAAG,0BAA0B,CAAA;gBACxF,CAAC;gBACD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,8CAA8C;QAC9C,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAA;IACjC,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAA;IACvC,OAAO,CAAC,GAAG,CAAC,mCAAmC,QAAQ,OAAO,UAAU,CAAC,MAAM,SAAS,WAAW,CAAC,MAAM,eAAe,CAAC,CAAA;IAE1H,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,UAAU;QACV,WAAW;QACX,YAAY,EAAE,WAAW,CAAC,MAAM;QAChC,YAAY,EAAE,YAAY,CAAC,MAAM;QACjC,KAAK;QACL,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,QAAoB,EAAE,YAAsB;IACjE,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAA;IAEnC,mCAAmC;IACnC,MAAM,cAAc,GAAG,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QAC7C,uCAAuC;QACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;QAChD,0DAA0D;QAC1D,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;QAClD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAA;IAC3C,CAAC,CAAC,CAAA;IAEF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,gDAAgD;QAChD,IAAI,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAQ;QAE9C,8CAA8C;QAC9C,KAAK,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,cAAc,EAAE,CAAC;YACpD,gCAAgC;YAChC,MAAM,WAAW,GAAG,IAAI,MAAM,CAC5B,sDAAsD;gBACtD,oBAAoB,WAAW,CAAC,QAAQ,CAAC,WAAW,WAAW,CAAC,QAAQ,CAAC,OAAO,EAChF,GAAG,CACJ,CAAA;YAED,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBACxB,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;AACnD,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,YAAsB,EACtB,UAAmC,EAAE;IAErC,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,YAAY;QACZ,gBAAgB,EAAE,KAAK,EAAG,wBAAwB;QAClD,UAAU,EAAE,IAAI,EAAW,+BAA+B;QAC1D,oBAAoB,EAAE,EAAE;QACxB,cAAc,EAAE,CAAC;QACjB,SAAS,EAAE,OAAO,EAAS,wBAAwB;QACnD,GAAG,OAAO;KACX,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CAAC,MAA6B;IAKlE,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CACvC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CACxD,CAAA;IAED,IAAI,OAAe,CAAA;IAEnB,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,GAAG,gDAAgD,CAAA;IAC5D,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,kBAAkB,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,aAAa,CAAA;IAChG,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,MAAM,aAAa,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,YAAY,CAAA;IAC5G,CAAC;IAED,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,KAAK,MAAM,CAAC,WAAW,CAAC,MAAM,gBAAgB,CAAA;IAC3D,CAAC;IAED,OAAO;QACL,OAAO;QACP,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC1C,cAAc,EAAE,QAAQ,CAAC,MAAM;KAChC,CAAA;AACH,CAAC"}

package/dist/tiers.d.ts ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * Detector Tier System
+ *
+ * Provides a shared language for "how much we trust this detector" so we can:
+ * - Filter findings in runScan by tier + depth
+ * - Log tier breakdowns for tuning
+ * - Route AI validation budget toward Tier B
+ *
+ * Security reasoning:
+ * - Makes it explicit which detectors are safe to expose in cheap scans
+ * - Avoids "accidental promotion" of an experimental heuristic to production output
+ */
+import type { VulnerabilityCategory } from './types';
+/**
+ * Detector tiers control visibility and trust level:
+ *
+ * - core: High-precision SAST + core AI-safety detectors. Visible in all scan depths.
+ * - ai_assisted: Context-heavy heuristics that need AI validation. Shown in validated/deep.
+ * - experimental: High-noise signals used only for internal scoring/AI hints. Hidden from users.
+ */
+export type DetectorTier = 'core' | 'ai_assisted' | 'experimental';
+/**
+ * Tier statistics for logging and analysis
+ */
+export interface TierStats {
+    core: number;
+    ai_assisted: number;
+    experimental: number;
+}
+/**
+ * Layer 1 detector names (internal identifiers matching detector function names)
+ */
+export type Layer1DetectorName = 'known_secrets' | 'weak_crypto' | 'sensitive_urls' | 'entropy' | 'config_audit' | 'file_flags' | 'ai_comments';
+/**
+ * Layer 1 tier assignments
+ *
+ * Tier A (core):
+ *   - known_secrets: Hardcoded secrets are objectively bad and high-impact
+ *   - weak_crypto: Weak crypto is a classic SAST finding with clear remediation
+ *   - sensitive_urls: Hardcoded webhook URLs + tokens are real data exfil vectors
+ *
+ * Tier B (ai_assisted):
+ *   - entropy: Great at finding candidates, needs AI to separate real secrets from noise
+ *   - config_audit: Depends on project norms; better reviewed with AI + project context
+ *   - file_flags: Subjective items should be AI-triaged (except committed .env = Tier A)
+ *
+ * Tier C (experimental):
+ *   - ai_comments: Not directly a vuln; belongs in separate "AI hygiene" report
+ */
+export declare const LAYER1_DETECTOR_TIERS: Record<Layer1DetectorName, DetectorTier>;
+/**
+ * Mapping from vulnerability category to Layer 1 detector name
+ * Used for tier lookups when we only have the category
+ */
+export declare const LAYER1_CATEGORY_TO_DETECTOR: Partial<Record<VulnerabilityCategory, Layer1DetectorName>>;
+/**
+ * Layer 2 detector names (internal identifiers matching detector function names)
+ */
+export type Layer2DetectorName = 'dangerous_functions' | 'byok_patterns' | 'ai_execution_sinks' | 'ai_agent_tools' | 'auth_antipatterns' | 'data_exposure' | 'ai_fingerprinting' | 'ai_prompt_hygiene' | 'logic_gates' | 'variables' | 'risky_imports' | 'framework_checks' | 'ai_rag_safety' | 'ai_endpoint_protection' | 'ai_schema_validation';
+/**
+ * Layer 2 tier assignments
+ *
+ * Tier A (core) - High-precision, high-risk, clear remediation:
+ *   - dangerous_functions: Classic injection footholds (eval, exec, unsafe SQL)
+ *   - byok_patterns: Storing/logging BYOK is critical AI-era customer trust risk
+ *   - ai_execution_sinks: Core to Oculum's AI story; LLM output as code/commands
+ *   - ai_agent_tools: Over-permissive tools are central AI alignment problem
+ *
+ * Tier B (ai_assisted) - Context-heavy, need AI validation:
+ *   - auth_antipatterns: Very context-dependent; needs middleware awareness
+ *   - data_exposure: Logging queries/user IDs is often acceptable but context-specific
+ *   - ai_fingerprinting: TypeScript 'any' at trust boundaries is risk indicator, not vuln
+ *   - ai_prompt_hygiene: Needs semantic understanding of prompt design
+ *
+ * Tier C (experimental) - High-noise, internal use only:
+ *   - logic_gates: Many hits with limited actionable signal
+ *   - variables: Generic token/password variable names - too generic
+ *   - risky_imports: Most imports are fine; keep tiny whitelist if proved valuable
+ *   - framework_checks: Many findings are style/low-risk; prone to noisy lint
+ */
+export declare const LAYER2_DETECTOR_TIERS: Record<Layer2DetectorName, DetectorTier>;
+/**
+ * Mapping from vulnerability category to Layer 2 detector name
+ * Used for tier lookups when we only have the category
+ *
+ * NOTE: Some categories are used by multiple detectors:
+ * - ai_pattern: used by ai-fingerprinting (Tier B), byok-patterns (Tier A), dangerous-functions (Tier A)
+ * - insecure_config: used by config-audit (L1 Tier B), framework-checks (L2 Tier C)
+ *
+ * For ambiguous categories, we use the most conservative (highest trust) tier mapping.
+ * When category alone isn't sufficient, the orchestrator can use detector-specific tracking.
+ */
+export declare const LAYER2_CATEGORY_TO_DETECTOR: Partial<Record<VulnerabilityCategory, Layer2DetectorName>>;
+/**
+ * Get the tier for a vulnerability based on its category and layer
+ */
+export declare function getTierForCategory(category: VulnerabilityCategory, layer: 1 | 2 | 3): DetectorTier;
+/**
+ * Get tier for a Layer 1 detector by name
+ */
+export declare function getLayer1DetectorTier(detector: Layer1DetectorName): DetectorTier;
+/**
+ * Get tier for a Layer 2 detector by name
+ */
+export declare function getLayer2DetectorTier(detector: Layer2DetectorName): DetectorTier;
+/**
+ * Check if a tier should be visible at a given scan depth
+ */
+export declare function isTierVisibleAtDepth(tier: DetectorTier, depth: 'cheap' | 'validated' | 'deep'): boolean;
+/**
+ * Check if a tier should go through AI validation at a given scan depth
+ */
+export declare function shouldValidateWithAI(tier: DetectorTier, depth: 'cheap' | 'validated' | 'deep'): boolean;
+/**
+ * Compute tier statistics from an array of vulnerabilities
+ */
+export declare function computeTierStats(vulnerabilities: Array<{
+    category: VulnerabilityCategory;
+    layer: 1 | 2 | 3;
+}>): TierStats;
+/**
+ * Format tier stats for logging
+ */
+export declare function formatTierStats(stats: TierStats): string;
+//# sourceMappingURL=tiers.d.ts.map

package/dist/tiers.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tiers.d.ts","sourceRoot":"","sources":["../src/tiers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA;AAEpD;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,aAAa,GAAG,cAAc,CAAA;AAElE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;CACrB;AAMD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,SAAS,GACT,cAAc,GACd,YAAY,GACZ,aAAa,CAAA;AAEjB;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,YAAY,CAQ1E,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CASlG,CAAA;AAMD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,qBAAqB,GACrB,eAAe,GACf,oBAAoB,GACpB,gBAAgB,GAChB,mBAAmB,GACnB,eAAe,GACf,mBAAmB,GACnB,mBAAmB,GACnB,aAAa,GACb,WAAW,GACX,eAAe,GACf,kBAAkB,GAElB,eAAe,GACf,wBAAwB,GACxB,sBAAsB,CAAA;AAE1B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,YAAY,CAuB1E,CAAA;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CAkClG,CAAA;AAMD;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,qBAAqB,EAC/B,KAAK,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GACf,YAAY,CAoBd;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,YAAY,CAEhF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,YAAY,CAEhF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,YAAY,EAClB,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,MAAM,GACpC,OAAO,CAYT;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,YAAY,EAClB,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,MAAM,GACpC,OAAO,CAUT;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,eAAe,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,qBAAqB,CAAC;IAAC,KAAK,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;CAAE,CAAC,GAC5E,SAAS,CAaX;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAExD"}

package/dist/tiers.js ADDED Viewed

@@ -0,0 +1,234 @@
+"use strict";
+/**
+ * Detector Tier System
+ *
+ * Provides a shared language for "how much we trust this detector" so we can:
+ * - Filter findings in runScan by tier + depth
+ * - Log tier breakdowns for tuning
+ * - Route AI validation budget toward Tier B
+ *
+ * Security reasoning:
+ * - Makes it explicit which detectors are safe to expose in cheap scans
+ * - Avoids "accidental promotion" of an experimental heuristic to production output
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LAYER2_CATEGORY_TO_DETECTOR = exports.LAYER2_DETECTOR_TIERS = exports.LAYER1_CATEGORY_TO_DETECTOR = exports.LAYER1_DETECTOR_TIERS = void 0;
+exports.getTierForCategory = getTierForCategory;
+exports.getLayer1DetectorTier = getLayer1DetectorTier;
+exports.getLayer2DetectorTier = getLayer2DetectorTier;
+exports.isTierVisibleAtDepth = isTierVisibleAtDepth;
+exports.shouldValidateWithAI = shouldValidateWithAI;
+exports.computeTierStats = computeTierStats;
+exports.formatTierStats = formatTierStats;
+/**
+ * Layer 1 tier assignments
+ *
+ * Tier A (core):
+ *   - known_secrets: Hardcoded secrets are objectively bad and high-impact
+ *   - weak_crypto: Weak crypto is a classic SAST finding with clear remediation
+ *   - sensitive_urls: Hardcoded webhook URLs + tokens are real data exfil vectors
+ *
+ * Tier B (ai_assisted):
+ *   - entropy: Great at finding candidates, needs AI to separate real secrets from noise
+ *   - config_audit: Depends on project norms; better reviewed with AI + project context
+ *   - file_flags: Subjective items should be AI-triaged (except committed .env = Tier A)
+ *
+ * Tier C (experimental):
+ *   - ai_comments: Not directly a vuln; belongs in separate "AI hygiene" report
+ */
+exports.LAYER1_DETECTOR_TIERS = {
+    known_secrets: 'core',
+    weak_crypto: 'core',
+    sensitive_urls: 'core',
+    entropy: 'ai_assisted',
+    config_audit: 'ai_assisted',
+    file_flags: 'ai_assisted', // Mixed: committed .env is effectively core
+    ai_comments: 'experimental',
+};
+/**
+ * Mapping from vulnerability category to Layer 1 detector name
+ * Used for tier lookups when we only have the category
+ */
+exports.LAYER1_CATEGORY_TO_DETECTOR = {
+    hardcoded_secret: 'known_secrets',
+    weak_crypto: 'weak_crypto',
+    sensitive_url: 'sensitive_urls',
+    high_entropy_string: 'entropy',
+    insecure_config: 'config_audit',
+    root_container: 'config_audit',
+    dangerous_file: 'file_flags',
+    ai_pattern: 'ai_comments', // AI comment patterns detected in Layer 1
+};
+/**
+ * Layer 2 tier assignments
+ *
+ * Tier A (core) - High-precision, high-risk, clear remediation:
+ *   - dangerous_functions: Classic injection footholds (eval, exec, unsafe SQL)
+ *   - byok_patterns: Storing/logging BYOK is critical AI-era customer trust risk
+ *   - ai_execution_sinks: Core to Oculum's AI story; LLM output as code/commands
+ *   - ai_agent_tools: Over-permissive tools are central AI alignment problem
+ *
+ * Tier B (ai_assisted) - Context-heavy, need AI validation:
+ *   - auth_antipatterns: Very context-dependent; needs middleware awareness
+ *   - data_exposure: Logging queries/user IDs is often acceptable but context-specific
+ *   - ai_fingerprinting: TypeScript 'any' at trust boundaries is risk indicator, not vuln
+ *   - ai_prompt_hygiene: Needs semantic understanding of prompt design
+ *
+ * Tier C (experimental) - High-noise, internal use only:
+ *   - logic_gates: Many hits with limited actionable signal
+ *   - variables: Generic token/password variable names - too generic
+ *   - risky_imports: Most imports are fine; keep tiny whitelist if proved valuable
+ *   - framework_checks: Many findings are style/low-risk; prone to noisy lint
+ */
+exports.LAYER2_DETECTOR_TIERS = {
+    // Tier A - Core SAST / AI-safety
+    dangerous_functions: 'core',
+    byok_patterns: 'core',
+    ai_execution_sinks: 'core',
+    ai_agent_tools: 'core',
+    // Tier B - AI-assisted heuristics
+    auth_antipatterns: 'ai_assisted',
+    data_exposure: 'ai_assisted',
+    ai_fingerprinting: 'ai_assisted',
+    ai_prompt_hygiene: 'ai_assisted',
+    // Tier C - Experimental / high-noise
+    logic_gates: 'experimental',
+    variables: 'experimental',
+    risky_imports: 'experimental',
+    framework_checks: 'experimental',
+    // M5: New AI-era detectors
+    ai_rag_safety: 'core', // Tier A - Cross-tenant data access is critical
+    ai_endpoint_protection: 'core', // Tier A - Cost abuse / API exposure has clear signals
+    ai_schema_validation: 'ai_assisted', // Tier B - Context-dependent, benefits from AI validation
+};
+/**
+ * Mapping from vulnerability category to Layer 2 detector name
+ * Used for tier lookups when we only have the category
+ *
+ * NOTE: Some categories are used by multiple detectors:
+ * - ai_pattern: used by ai-fingerprinting (Tier B), byok-patterns (Tier A), dangerous-functions (Tier A)
+ * - insecure_config: used by config-audit (L1 Tier B), framework-checks (L2 Tier C)
+ *
+ * For ambiguous categories, we use the most conservative (highest trust) tier mapping.
+ * When category alone isn't sufficient, the orchestrator can use detector-specific tracking.
+ */
+exports.LAYER2_CATEGORY_TO_DETECTOR = {
+    // Tier A categories (unambiguous)
+    dangerous_function: 'dangerous_functions',
+    sql_injection: 'dangerous_functions',
+    command_injection: 'dangerous_functions',
+    ai_unsafe_execution: 'ai_execution_sinks',
+    ai_overpermissive_tool: 'ai_agent_tools',
+    // Tier B categories
+    missing_auth: 'auth_antipatterns',
+    data_exposure: 'data_exposure',
+    ai_prompt_injection: 'ai_prompt_hygiene',
+    // ai_pattern is ambiguous - used by multiple detectors with different tiers:
+    // - ai-fingerprinting (Tier B): TypeScript 'any' at boundaries
+    // - byok-patterns (Tier A): BYOK key handling
+    // - dangerous-functions (Tier A): JSON.parse related AI patterns
+    // Default to ai_fingerprinting (Tier B) since it's most common; byok/dangerous_functions
+    // findings are usually categorized differently or handled explicitly
+    ai_pattern: 'ai_fingerprinting',
+    // Tier C categories
+    security_bypass: 'logic_gates',
+    sensitive_variable: 'variables',
+    suspicious_package: 'risky_imports',
+    cors_misconfiguration: 'framework_checks',
+    // insecure_config from framework-checks is Tier C in Layer 2
+    // (but same category from config-audit is Tier B in Layer 1 - handled by layer check)
+    insecure_config: 'framework_checks',
+    // M5: New AI-era categories
+    ai_rag_exfiltration: 'ai_rag_safety',
+    ai_endpoint_unprotected: 'ai_endpoint_protection',
+    ai_schema_mismatch: 'ai_schema_validation',
+};
+// ============================================================================
+// Tier Lookup Helpers
+// ============================================================================
+/**
+ * Get the tier for a vulnerability based on its category and layer
+ */
+function getTierForCategory(category, layer) {
+    if (layer === 1) {
+        const detector = exports.LAYER1_CATEGORY_TO_DETECTOR[category];
+        if (detector) {
+            return exports.LAYER1_DETECTOR_TIERS[detector];
+        }
+    }
+    else if (layer === 2) {
+        const detector = exports.LAYER2_CATEGORY_TO_DETECTOR[category];
+        if (detector) {
+            return exports.LAYER2_DETECTOR_TIERS[detector];
+        }
+    }
+    // Layer 3 findings are always core (AI semantic analysis)
+    if (layer === 3) {
+        return 'core';
+    }
+    // Default to ai_assisted if unmapped (safe default - will go through AI validation)
+    return 'ai_assisted';
+}
+/**
+ * Get tier for a Layer 1 detector by name
+ */
+function getLayer1DetectorTier(detector) {
+    return exports.LAYER1_DETECTOR_TIERS[detector];
+}
+/**
+ * Get tier for a Layer 2 detector by name
+ */
+function getLayer2DetectorTier(detector) {
+    return exports.LAYER2_DETECTOR_TIERS[detector];
+}
+/**
+ * Check if a tier should be visible at a given scan depth
+ */
+function isTierVisibleAtDepth(tier, depth) {
+    switch (depth) {
+        case 'cheap':
+            // Only Tier A (core) findings are visible in cheap scans
+            return tier === 'core';
+        case 'validated':
+            // Tier A always visible, Tier B visible after AI validation
+            return tier === 'core' || tier === 'ai_assisted';
+        case 'deep':
+            // Same as validated for visibility (deep adds Layer 3, not more tiers)
+            return tier === 'core' || tier === 'ai_assisted';
+    }
+}
+/**
+ * Check if a tier should go through AI validation at a given scan depth
+ */
+function shouldValidateWithAI(tier, depth) {
+    // Cheap scans skip AI validation entirely
+    if (depth === 'cheap') {
+        return false;
+    }
+    // In validated/deep, Tier B findings should go through AI validation
+    // Tier A is high-precision and doesn't need AI validation
+    // Tier C is hidden anyway
+    return tier === 'ai_assisted';
+}
+/**
+ * Compute tier statistics from an array of vulnerabilities
+ */
+function computeTierStats(vulnerabilities) {
+    const stats = {
+        core: 0,
+        ai_assisted: 0,
+        experimental: 0,
+    };
+    for (const vuln of vulnerabilities) {
+        const tier = getTierForCategory(vuln.category, vuln.layer);
+        stats[tier]++;
+    }
+    return stats;
+}
+/**
+ * Format tier stats for logging
+ */
+function formatTierStats(stats) {
+    return `tiers={core:${stats.core},ai_assisted:${stats.ai_assisted},experimental:${stats.experimental}}`;
+}
+//# sourceMappingURL=tiers.js.map

package/dist/tiers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tiers.js","sourceRoot":"","sources":["../src/tiers.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AA4MH,gDAuBC;AAKD,sDAEC;AAKD,sDAEC;AAKD,oDAeC;AAKD,oDAaC;AAKD,4CAeC;AAKD,0CAEC;AA5QD;;;;;;;;;;;;;;;GAeG;AACU,QAAA,qBAAqB,GAA6C;IAC7E,aAAa,EAAE,MAAM;IACrB,WAAW,EAAE,MAAM;IACnB,cAAc,EAAE,MAAM;IACtB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,aAAa;IAC3B,UAAU,EAAE,aAAa,EAAG,4CAA4C;IACxE,WAAW,EAAE,cAAc;CAC5B,CAAA;AAED;;;GAGG;AACU,QAAA,2BAA2B,GAA+D;IACrG,gBAAgB,EAAE,eAAe;IACjC,WAAW,EAAE,aAAa;IAC1B,aAAa,EAAE,gBAAgB;IAC/B,mBAAmB,EAAE,SAAS;IAC9B,eAAe,EAAE,cAAc;IAC/B,cAAc,EAAE,cAAc;IAC9B,cAAc,EAAE,YAAY;IAC5B,UAAU,EAAE,aAAa,EAAG,0CAA0C;CACvE,CAAA;AA2BD;;;;;;;;;;;;;;;;;;;;GAoBG;AACU,QAAA,qBAAqB,GAA6C;IAC7E,iCAAiC;IACjC,mBAAmB,EAAE,MAAM;IAC3B,aAAa,EAAE,MAAM;IACrB,kBAAkB,EAAE,MAAM;IAC1B,cAAc,EAAE,MAAM;IAEtB,kCAAkC;IAClC,iBAAiB,EAAE,aAAa;IAChC,aAAa,EAAE,aAAa;IAC5B,iBAAiB,EAAE,aAAa;IAChC,iBAAiB,EAAE,aAAa;IAEhC,qCAAqC;IACrC,WAAW,EAAE,cAAc;IAC3B,SAAS,EAAE,cAAc;IACzB,aAAa,EAAE,cAAc;IAC7B,gBAAgB,EAAE,cAAc;IAEhC,2BAA2B;IAC3B,aAAa,EAAE,MAAM,EAAY,gDAAgD;IACjF,sBAAsB,EAAE,MAAM,EAAG,uDAAuD;IACxF,oBAAoB,EAAE,aAAa,EAAE,0DAA0D;CAChG,CAAA;AAED;;;;;;;;;;GAUG;AACU,QAAA,2BAA2B,GAA+D;IACrG,kCAAkC;IAClC,kBAAkB,EAAE,qBAAqB;IACzC,aAAa,EAAE,qBAAqB;IACpC,iBAAiB,EAAE,qBAAqB;IACxC,mBAAmB,EAAE,oBAAoB;IACzC,sBAAsB,EAAE,gBAAgB;IAExC,oBAAoB;IACpB,YAAY,EAAE,mBAAmB;IACjC,aAAa,EAAE,eAAe;IAC9B,mBAAmB,EAAE,mBAAmB;IAExC,6EAA6E;IAC7E,+DAA+D;IAC/D,8CAA8C;IAC9C,iEAAiE;IACjE,yFAAyF;IACzF,qEAAqE;IACrE,UAAU,EAAE,mBAAmB;IAE/B,oBAAoB;IACpB,eAAe,EAAE,aAAa;IAC9B,kBAAkB,EAAE,WAAW;IAC/B,kBAAkB,EAAE,eAAe;IACnC,qBAAqB,EAAE,kBAAkB;IACzC,6DAA6D;IAC7D,sFAAsF;IACtF,eAAe,EAAE,kBAAkB;IAEnC,4BAA4B;IAC5B,mBAAmB,EAAE,eAAe;IACpC,uBAAuB,EAAE,wBAAwB;IACjD,kBAAkB,EAAE,sBAAsB;CAC3C,CAAA;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,kBAAkB,CAChC,QAA+B,EAC/B,KAAgB;IAEhB,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,MAAM,QAAQ,GAAG,mCAA2B,CAAC,QAAQ,CAAC,CAAA;QACtD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;SAAM,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,mCAA2B,CAAC,QAAQ,CAAC,CAAA;QACtD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,OAAO,MAAM,CAAA;IACf,CAAC;IAED,oFAAoF;IACpF,OAAO,aAAa,CAAA;AACtB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,IAAkB,EAClB,KAAqC;IAErC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,OAAO;YACV,yDAAyD;YACzD,OAAO,IAAI,KAAK,MAAM,CAAA;QACxB,KAAK,WAAW;YACd,4DAA4D;YAC5D,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,aAAa,CAAA;QAClD,KAAK,MAAM;YACT,uEAAuE;YACvE,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,aAAa,CAAA;IACpD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,IAAkB,EAClB,KAAqC;IAErC,0CAA0C;IAC1C,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,qEAAqE;IACrE,0DAA0D;IAC1D,0BAA0B;IAC1B,OAAO,IAAI,KAAK,aAAa,CAAA;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,eAA6E;IAE7E,MAAM,KAAK,GAAc;QACvB,IAAI,EAAE,CAAC;QACP,WAAW,EAAE,CAAC;QACd,YAAY,EAAE,CAAC;KAChB,CAAA;IAED,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;QAC1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAA;IACf,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,KAAgB;IAC9C,OAAO,eAAe,KAAK,CAAC,IAAI,gBAAgB,KAAK,CAAC,WAAW,iBAAiB,KAAK,CAAC,YAAY,GAAG,CAAA;AACzG,CAAC"}