npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/__tests__/benchmark/utils/test-runner.ts ADDED Viewed

@@ -0,0 +1,475 @@
+/**
+ * Test runner utilities for the security benchmark suite
+ */
+import { runLayer1Scan } from '../../../layer1'
+import { runLayer2Scan } from '../../../layer2'
+import { computeTierStats, formatTierStats, getTierForCategory } from '../../../tiers'
+import type {
+  TestFixture,
+  TestResult,
+  TestGroup,
+  BenchmarkSummary,
+  BenchmarkMetrics,
+  DetectorMetrics,
+  SeverityMetrics
+} from '../types'
+import type { Vulnerability, VulnerabilityCategory } from '../../../types'
+/**
+ * Run a single test fixture
+ */
+export async function runTestFixture(fixture: TestFixture): Promise<TestResult> {
+  const layer1Result = await runLayer1Scan([fixture.file])
+  const layer2Result = await runLayer2Scan([fixture.file])
+  const allFindings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities]
+  const foundCategories = new Set(allFindings.map(f => f.category))
+  const unexpectedCategories: VulnerabilityCategory[] = []
+  const acceptableInfoFindings: Vulnerability[] = []
+  const problematicFindings: Vulnerability[] = []
+  let passed = true
+  let failureReason: string | undefined
+  if (fixture.expectFindings) {
+    // True positive test - should find vulnerabilities
+    if (allFindings.length === 0) {
+      passed = false
+      failureReason = 'Expected vulnerabilities but found none'
+    } else {
+      // Check we found expected categories
+      for (const cat of fixture.expectedCategories || []) {
+        if (!foundCategories.has(cat)) {
+          passed = false
+          failureReason = `Missing expected category: ${cat}`
+        }
+      }
+    }
+  } else {
+    // False negative test - should NOT flag actual vulnerabilities
+    // Default: Fail on medium+ severity (critical, high, medium)
+    // Optional: Allow specific info/low findings via allowedInfoFindings
+    const mediumOrHigher = allFindings.filter(f =>
+      f.severity === 'critical' || f.severity === 'high' || f.severity === 'medium'
+    )
+    // Check if medium+ findings exist
+    if (mediumOrHigher.length > 0) {
+      passed = false
+      failureReason = `Found ${mediumOrHigher.length} false positive(s) with medium+ severity`
+      problematicFindings.push(...mediumOrHigher)
+      for (const f of mediumOrHigher) {
+        unexpectedCategories.push(f.category)
+      }
+    }
+    // Check low-severity findings (low, info)
+    const lowSeverity = allFindings.filter(f =>
+      f.severity === 'low' || f.severity === 'info'
+    )
+    if (lowSeverity.length > 0) {
+      // Check if these are allowed
+      const allowedCategories = new Map(
+        (fixture.allowedInfoFindings || []).map(a => [a.category, a.maxCount])
+      )
+      for (const finding of lowSeverity) {
+        const allowedCount = allowedCategories.get(finding.category)
+        if (allowedCount === undefined) {
+          // Not allowed - this is a false positive
+          passed = false
+          if (!failureReason) {
+            failureReason = `Found unexpected ${finding.severity} finding: ${finding.category}`
+          }
+          problematicFindings.push(finding)
+          unexpectedCategories.push(finding.category)
+        } else {
+          // Allowed but track it
+          acceptableInfoFindings.push(finding)
+          // Check if we exceeded the allowed count
+          const countForCategory = lowSeverity.filter(f => f.category === finding.category).length
+          if (countForCategory > allowedCount) {
+            passed = false
+            failureReason = `Exceeded allowed count for ${finding.category}: ${countForCategory} > ${allowedCount}`
+            problematicFindings.push(finding)
+          }
+        }
+      }
+    }
+  }
+  return {
+    name: fixture.name,
+    file: fixture.file,
+    layer1Findings: layer1Result.vulnerabilities,
+    layer2Findings: layer2Result.vulnerabilities,
+    expectedCategories: fixture.expectedCategories || [],
+    unexpectedCategories,
+    passed,
+    failureReason,
+    acceptableInfoFindings,
+    problematicFindings,
+  }
+}
+/**
+ * Run all fixtures in a test group
+ */
+export async function runTestGroup(group: TestGroup): Promise<TestResult[]> {
+  const results: TestResult[] = []
+  // Run true positive tests
+  for (const fixture of group.truePositives) {
+    results.push(await runTestFixture(fixture))
+  }
+  // Run false negative tests
+  for (const fixture of group.falseNegatives) {
+    results.push(await runTestFixture(fixture))
+  }
+  return results
+}
+/**
+ * Print results for a single test
+ */
+export function printTestResult(result: TestResult): void {
+  const totalFindings = result.layer1Findings.length + result.layer2Findings.length
+  console.log(`\n📋 ${result.name}`)
+  console.log(`   File: ${result.file.path}`)
+  console.log(`   Layer 1 findings: ${result.layer1Findings.length}`)
+  console.log(`   Layer 2 findings: ${result.layer2Findings.length}`)
+  if (totalFindings > 0) {
+    const allFindings = [...result.layer1Findings, ...result.layer2Findings]
+    const byCategory: Record<string, number> = {}
+    const bySeverity: Record<string, number> = {}
+    for (const f of allFindings) {
+      byCategory[f.category] = (byCategory[f.category] || 0) + 1
+      bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1
+    }
+    console.log('   By category:', Object.entries(byCategory).map(([k, v]) => `${k}:${v}`).join(', '))
+    console.log('   By severity:', Object.entries(bySeverity).map(([k, v]) => `${k}:${v}`).join(', '))
+    // Tier breakdown
+    const tierStats = computeTierStats(allFindings.map(f => ({ category: f.category, layer: f.layer })))
+    console.log(`   ${formatTierStats(tierStats)}`)
+  }
+  if (result.passed) {
+    const isTPTest = result.expectedCategories.length > 0 || result.name.includes('True Positive')
+    if (isTPTest) {
+      console.log('   ✅ PASS: Detected expected vulnerabilities')
+    } else {
+      console.log('   ✅ PASS: No false positives')
+      if (result.acceptableInfoFindings && result.acceptableInfoFindings.length > 0) {
+        console.log(`   ℹ️  Note: ${result.acceptableInfoFindings.length} acceptable low-severity finding(s)`)
+      }
+    }
+  } else {
+    console.log(`   ❌ FAIL: ${result.failureReason}`)
+    if (result.problematicFindings && result.problematicFindings.length > 0) {
+      console.log('   Problematic findings:')
+      for (const f of result.problematicFindings) {
+        console.log(`      - ${f.category} (${f.severity}): ${f.title}`)
+      }
+    }
+  }
+}
+/**
+ * Compute detailed benchmark metrics
+ */
+export function computeMetrics(results: TestResult[]): BenchmarkMetrics {
+  // Collect all categories and detectors
+  const allCategories = new Set<VulnerabilityCategory>()
+  const detectorStats = new Map<string, { tp: number; fp: number; fn: number }>()
+  // Initialize severity distributions
+  const severityDistribution: SeverityMetrics = { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+  const falsePositiveSeverity: SeverityMetrics = { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+  let totalVulnerabilitiesDetected = 0
+  let truePositiveDetections = 0
+  let falsePositiveDetections = 0
+  let missedVulnerabilities = 0
+  // Tier tracking
+  const tierStats = {
+    tierA: { tested: 0, passed: 0 },
+    tierB: { tested: 0, passed: 0 },
+    tierC: { tested: 0, passed: 0 },
+  }
+  for (const result of results) {
+    const allFindings = [...result.layer1Findings, ...result.layer2Findings]
+    const isTPTest = result.expectedCategories.length > 0 || result.name.includes('True Positive')
+    const isFNTest = result.name.includes('False Negative') || result.name.includes('Should Not Flag')
+    // Track tier stats
+    for (const finding of allFindings) {
+      const tier = getTierForCategory(finding.category, finding.layer)
+      if (tier === 'core') {
+        tierStats.tierA.tested++
+        if (result.passed) tierStats.tierA.passed++
+      } else if (tier === 'ai_assisted') {
+        tierStats.tierB.tested++
+        if (result.passed) tierStats.tierB.passed++
+      } else if (tier === 'experimental') {
+        tierStats.tierC.tested++
+        if (result.passed) tierStats.tierC.passed++
+      }
+    }
+    // Process findings
+    for (const finding of allFindings) {
+      allCategories.add(finding.category)
+      totalVulnerabilitiesDetected++
+      // Update severity distribution
+      severityDistribution[finding.severity]++
+      // Initialize detector stats if not exists
+      if (!detectorStats.has(finding.category)) {
+        detectorStats.set(finding.category, { tp: 0, fp: 0, fn: 0 })
+      }
+      const stats = detectorStats.get(finding.category)!
+      if (isTPTest) {
+        // True positive test - findings are expected
+        if (result.expectedCategories?.includes(finding.category)) {
+          stats.tp++
+          truePositiveDetections++
+        }
+      } else if (isFNTest) {
+        // False negative test - findings are false positives
+        const isAcceptable = result.acceptableInfoFindings?.some(f => f.id === finding.id)
+        if (!isAcceptable) {
+          stats.fp++
+          falsePositiveDetections++
+          falsePositiveSeverity[finding.severity]++
+        }
+      }
+    }
+    // Track missed vulnerabilities (false negatives)
+    if (isTPTest && !result.passed) {
+      for (const expectedCat of result.expectedCategories || []) {
+        if (!detectorStats.has(expectedCat)) {
+          detectorStats.set(expectedCat, { tp: 0, fp: 0, fn: 0 })
+        }
+        const foundIt = allFindings.some(f => f.category === expectedCat)
+        if (!foundIt) {
+          detectorStats.get(expectedCat)!.fn++
+          missedVulnerabilities++
+        }
+      }
+    }
+  }
+  // Compute detector metrics
+  const byDetector: DetectorMetrics[] = Array.from(detectorStats.entries())
+    .map(([name, stats]) => {
+      const precision = stats.tp + stats.fp > 0 ? stats.tp / (stats.tp + stats.fp) : 0
+      const recall = stats.tp + stats.fn > 0 ? stats.tp / (stats.tp + stats.fn) : 0
+      return {
+        name,
+        truePositives: stats.tp,
+        falsePositives: stats.fp,
+        falseNegatives: stats.fn,
+        precision,
+        recall,
+      }
+    })
+    .sort((a, b) => b.falsePositives - a.falsePositives) // Sort by FP count
+  // Compute coverage
+  const knownCategories: VulnerabilityCategory[] = [
+    'hardcoded_secret',
+    'high_entropy_string',
+    'weak_crypto',
+    'sensitive_url',
+    'dangerous_function',
+    'missing_auth',
+    'data_exposure',
+    'ai_pattern',
+    'ai_prompt_injection',
+    'ai_unsafe_execution',
+    'ai_overpermissive_tool',
+    'insecure_config',
+    'suspicious_package',
+    'sensitive_variable',
+  ]
+  const categoriesTested = Array.from(allCategories).filter(c => knownCategories.includes(c)).length
+  const untestedCategories = knownCategories.filter(c => !allCategories.has(c))
+  return {
+    detection: {
+      totalVulnerabilitiesDetected,
+      truePositiveDetections,
+      falsePositiveDetections,
+      missedVulnerabilities,
+    },
+    byDetector,
+    severityDistribution,
+    falsePositiveSeverity,
+    coverage: {
+      totalCategories: knownCategories.length,
+      categoriesTested,
+      coveragePercent: (categoriesTested / knownCategories.length) * 100,
+      untestedCategories,
+    },
+    byTier: tierStats,
+  }
+}
+/**
+ * Compute benchmark summary from results
+ */
+export function computeSummary(results: TestResult[]): BenchmarkSummary {
+  let truePositivePassed = 0
+  let truePositiveFailed = 0
+  let falseNegativePassed = 0
+  let falseNegativeFailed = 0
+  for (const result of results) {
+    const isTPTest = result.expectedCategories.length > 0 ||
+                     result.name.includes('True Positive')
+    const isFNTest = result.name.includes('False Negative') ||
+                     result.name.includes('Should Not Flag')
+    if (isTPTest) {
+      if (result.passed) {
+        truePositivePassed++
+      } else {
+        truePositiveFailed++
+      }
+    } else if (isFNTest) {
+      if (result.passed) {
+        falseNegativePassed++
+      } else {
+        falseNegativeFailed++
+      }
+    }
+  }
+  const totalTests = truePositivePassed + truePositiveFailed + falseNegativePassed + falseNegativeFailed
+  const passedTests = truePositivePassed + falseNegativePassed
+  const passRate = totalTests > 0 ? (passedTests / totalTests) * 100 : 0
+  const metrics = computeMetrics(results)
+  return {
+    truePositivePassed,
+    truePositiveFailed,
+    falseNegativePassed,
+    falseNegativeFailed,
+    totalTests,
+    passedTests,
+    passRate,
+    results,
+    metrics,
+  }
+}
+/**
+ * Print detailed metrics
+ */
+export function printMetrics(metrics: BenchmarkMetrics): void {
+  console.log('\n' + '='.repeat(80))
+  console.log('DETAILED PERFORMANCE METRICS')
+  console.log('='.repeat(80))
+  // Overall detection stats
+  console.log('\n📊 Detection Statistics:')
+  console.log(`  Total findings:        ${metrics.detection.totalVulnerabilitiesDetected}`)
+  console.log(`  True positives:        ${metrics.detection.truePositiveDetections}`)
+  console.log(`  False positives:       ${metrics.detection.falsePositiveDetections}`)
+  console.log(`  Missed vulnerabilities: ${metrics.detection.missedVulnerabilities}`)
+  // Severity distribution
+  console.log('\n🎯 Severity Distribution (All Findings):')
+  console.log(`  Critical: ${metrics.severityDistribution.critical}`)
+  console.log(`  High:     ${metrics.severityDistribution.high}`)
+  console.log(`  Medium:   ${metrics.severityDistribution.medium}`)
+  console.log(`  Low:      ${metrics.severityDistribution.low}`)
+  console.log(`  Info:     ${metrics.severityDistribution.info}`)
+  if (metrics.detection.falsePositiveDetections > 0) {
+    console.log('\n⚠️  False Positive Severity Distribution:')
+    console.log(`  Critical: ${metrics.falsePositiveSeverity.critical}`)
+    console.log(`  High:     ${metrics.falsePositiveSeverity.high}`)
+    console.log(`  Medium:   ${metrics.falsePositiveSeverity.medium}`)
+    console.log(`  Low:      ${metrics.falsePositiveSeverity.low}`)
+    console.log(`  Info:     ${metrics.falsePositiveSeverity.info}`)
+  }
+  // Detector performance
+  if (metrics.byDetector.length > 0) {
+    console.log('\n🔍 Detector Performance (sorted by false positives):')
+    console.log('  Detector                    TP   FP   FN   Precision   Recall')
+    console.log('  ' + '─'.repeat(70))
+    for (const detector of metrics.byDetector) {
+      const name = detector.name.padEnd(25)
+      const tp = detector.truePositives.toString().padStart(4)
+      const fp = detector.falsePositives.toString().padStart(4)
+      const fn = detector.falseNegatives.toString().padStart(4)
+      const precision = (detector.precision * 100).toFixed(1).padStart(10) + '%'
+      const recall = (detector.recall * 100).toFixed(1).padStart(8) + '%'
+      console.log(`  ${name} ${tp}  ${fp}  ${fn}  ${precision}  ${recall}`)
+    }
+  }
+  // Coverage
+  console.log('\n📋 Category Coverage:')
+  console.log(`  Categories tested: ${metrics.coverage.categoriesTested}/${metrics.coverage.totalCategories} (${metrics.coverage.coveragePercent.toFixed(1)}%)`)
+  if (metrics.coverage.untestedCategories.length > 0) {
+    console.log('  Untested categories:', metrics.coverage.untestedCategories.join(', '))
+  }
+  // Tier stats
+  console.log('\n🎚️  Performance by Tier:')
+  console.log(`  Tier A (Core):        ${metrics.byTier.tierA.passed}/${metrics.byTier.tierA.tested} findings validated`)
+  console.log(`  Tier B (AI-Assisted): ${metrics.byTier.tierB.passed}/${metrics.byTier.tierB.tested} findings validated`)
+  console.log(`  Tier C (Experimental): ${metrics.byTier.tierC.passed}/${metrics.byTier.tierC.tested} findings validated`)
+}
+/**
+ * Print final benchmark summary
+ */
+export function printSummary(summary: BenchmarkSummary): void {
+  console.log('\n' + '='.repeat(80))
+  console.log('FINAL SCORE')
+  console.log('='.repeat(80))
+  console.log(`\n  True Positive Tests:  ${summary.truePositivePassed}/${summary.truePositivePassed + summary.truePositiveFailed} passed`)
+  console.log(`  False Negative Tests: ${summary.falseNegativePassed}/${summary.falseNegativePassed + summary.falseNegativeFailed} passed`)
+  console.log(`  ─────────────────────────────`)
+  console.log(`  Total:                ${summary.passedTests}/${summary.totalTests} (${summary.passRate.toFixed(1)}%)`)
+  if (summary.passRate === 100) {
+    console.log('\n  🎉 ALL TESTS PASSED!')
+  } else {
+    console.log('\n  ⚠️  Some tests need attention')
+    // Show failed tests
+    const failedTests = summary.results.filter(r => !r.passed)
+    if (failedTests.length > 0) {
+      console.log('\n  Failed tests:')
+      for (const test of failedTests) {
+        console.log(`    - ${test.name}: ${test.failureReason}`)
+      }
+    }
+  }
+  console.log('\n' + '='.repeat(80))
+}