npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/layer2/ai-prompt-hygiene.ts ADDED Viewed

@@ -0,0 +1,411 @@
+/**
+ * Layer 2: AI Prompt Hygiene Detection
+ * Detects prompt injection vulnerabilities and secrets in LLM prompts
+ *
+ * Covers:
+ * - B1: Prompt & template hygiene (LLM01)
+ * - B3: Secrets & sensitive data in prompts (LLM06)
+ */
+import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import {
+  isComment,
+  isTestOrMockFile,
+  isDocumentationFile,
+  isScannerOrFixtureFile,
+} from '../utils/context-helpers'
+/**
+ * Check if a file is in an LLM/AI context based on path and content
+ */
+function isLLMContextFile(filePath: string, content: string): boolean {
+  // File path indicators of AI/LLM code
+  const llmPathPatterns = [
+    /\/(ai|llm|chat|openai|anthropic|gpt|claude)\//i,
+    /\/(assistants?|agents?|prompts?)\//i,
+    /(chat|ai|llm|prompt|assistant|agent).*\.(ts|js|tsx|jsx|py)$/i,
+  ]
+  if (llmPathPatterns.some(p => p.test(filePath))) {
+    return true
+  }
+  // Content patterns suggesting LLM API usage
+  const llmContentPatterns = [
+    /\.create\s*\(\s*\{[^}]*messages\s*:/i,          // OpenAI/Anthropic SDK
+    /from\s+['"](@anthropic-ai|openai|langchain|llama[-_]?index)/i, // Imports
+    /\bsystem\s*:\s*['"`]/i,                         // System message definition
+    /role:\s*['"`](user|assistant|system)['"`]/i,    // Message roles
+    /\b(systemPrompt|userPrompt|assistantPrompt)\b/i, // Prompt variables
+    /messages\s*:\s*\[/i,                            // Messages array
+    /\.chat\.completions?\.create/i,                 // OpenAI chat completion
+    /\.messages\.create/i,                           // Anthropic messages
+    /ChatCompletion|MessageCreate/i,                 // SDK types
+  ]
+  return llmContentPatterns.some(p => p.test(content))
+}
+/**
+ * Check if user input delimiter/fence patterns are present
+ */
+function hasPromptDelimiters(lineContent: string, contextLines: string[]): boolean {
+  const context = [lineContent, ...contextLines].join('\n')
+  const delimiterPatterns = [
+    /```/,                          // Triple backticks
+    /<user>|<\/user>/i,             // XML-style user tags
+    /<human>|<\/human>/i,           // Human tags
+    /---+/,                         // Horizontal rules
+    /\[USER\]|\[\/USER\]/i,         // Bracket tags
+    /\{\{user\}\}/i,                // Template variable
+    /###\s*User|###\s*Input/i,      // Markdown headers
+    /INPUT:|OUTPUT:/i,              // Section markers
+  ]
+  return delimiterPatterns.some(p => p.test(context))
+}
+/**
+ * Check if content looks like proper parameterization rather than concatenation
+ */
+function isProperlyParameterized(lineContent: string): boolean {
+  const safePatterns = [
+    /\{\{.*\}\}/,                    // Handlebars/mustache templates
+    /\{[a-zA-Z_]+\}/,               // Python format strings (positional)
+    /\$\{.*\}.*sanitize|escape/i,   // Template with sanitization
+    /placeholder|PLACEHOLDER/,       // Explicit placeholders
+  ]
+  return safePatterns.some(p => p.test(lineContent))
+}
+// ============================================================================
+// Pattern Definitions
+// ============================================================================
+interface PromptHygienePattern {
+  name: string
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+  checkDelimiters?: boolean  // If true, downgrade if delimiters found
+}
+/**
+ * B1: Unsafe prompt interpolation patterns
+ */
+const UNSAFE_INTERPOLATION_PATTERNS: PromptHygienePattern[] = [
+  // Template literals with user input in system prompts
+  {
+    name: 'User input in system prompt',
+    pattern: /system\s*[=:]\s*`[^`]*\$\{.*(?:user|input|req|request|body|query|params|data).*\}[^`]*`/gi,
+    severity: 'high',
+    description: 'User input is directly interpolated into a system prompt. This creates a prompt injection vulnerability where attackers can manipulate the AI\'s behavior.',
+    suggestedFix: 'Use clear delimiters (```, <user>, ---) between system instructions and user content. Consider using structured input rather than string interpolation.',
+    checkDelimiters: true,
+  },
+  // String concatenation in prompt building
+  {
+    name: 'Prompt string concatenation with user input',
+    pattern: /(?:system|prompt|instruction)\s*[=+]\s*.*\+\s*(?:user|input|req|request|body|query|params)(?:\.|Input|\[)/gi,
+    severity: 'high',
+    description: 'User input is concatenated into prompt strings. Attackers can inject malicious instructions.',
+    suggestedFix: 'Use delimiters to clearly separate system instructions from user content. Example: ```user input here```',
+    checkDelimiters: true,
+  },
+  // Messages array with dynamic user content in system role
+  {
+    name: 'Dynamic content in system message',
+    pattern: /role:\s*['"`]system['"`]\s*,\s*content:\s*`[^`]*\$\{/gi,
+    severity: 'medium',
+    description: 'System message content includes dynamic values. If user-controlled, this enables prompt injection.',
+    suggestedFix: 'Keep system messages static. Place user input in messages with role: "user" instead.',
+    checkDelimiters: true,
+  },
+  // f-strings in Python with user input
+  {
+    name: 'Python f-string prompt with user input',
+    pattern: /f['"][^'"]*\{.*(?:user|input|request|body).*\}[^'"]*['"]/gi,
+    severity: 'high',
+    description: 'User input in Python f-string prompt creates prompt injection risk.',
+    suggestedFix: 'Use explicit delimiters: f"System instructions...\n---\n{user_input}\n---"',
+    checkDelimiters: true,
+  },
+]
+/**
+ * B3: Secrets in prompt context patterns
+ */
+const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
+  // API keys in message content
+  {
+    name: 'API key in prompt content',
+    pattern: /(?:messages|prompt|system|content)\s*[=:][^;]*(?:sk-[a-zA-Z0-9]{20,}|api[_-]?key\s*[:=]\s*['"][^'"]{16,}['"])/gi,
+    severity: 'critical',
+    description: 'API key appears to be hardcoded in prompt content. Keys in prompts may be logged, cached, or sent to model providers.',
+    suggestedFix: 'Never include API keys in prompts. Use environment variables and keep them server-side only.',
+  },
+  // AWS keys in prompts
+  {
+    name: 'AWS credentials in prompt',
+    pattern: /(?:messages|prompt|system|content)\s*[=:][^;]*(?:AKIA[A-Z0-9]{16}|aws[_-]?(?:secret|access)[_-]?key)/gi,
+    severity: 'critical',
+    description: 'AWS credentials detected in prompt content.',
+    suggestedFix: 'Remove credentials from prompts. Use IAM roles or environment variables instead.',
+  },
+  // Database URLs with credentials
+  {
+    name: 'Database credentials in prompt',
+    pattern: /(?:messages|prompt|system|content).*(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@/gi,
+    severity: 'critical',
+    description: 'Database connection string with credentials in prompt. This exposes database access.',
+    suggestedFix: 'Never include connection strings in prompts. Reference data by ID instead.',
+  },
+  // Passwords in prompt context
+  {
+    name: 'Password in prompt content',
+    pattern: /(?:messages|prompt|content)\s*[=:].*(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`]{8,}/gi,
+    severity: 'high',
+    description: 'Password appears in prompt content. This may be logged or exposed to model providers.',
+    suggestedFix: 'Remove passwords from prompts. Use authentication tokens or session references instead.',
+  },
+  // Private keys
+  {
+    name: 'Private key in prompt',
+    pattern: /(?:messages|prompt|content).*(?:-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----)/gi,
+    severity: 'critical',
+    description: 'Private key material detected in prompt context.',
+    suggestedFix: 'Never include private keys in prompts. Sign data server-side instead.',
+  },
+  // Generic token patterns
+  {
+    name: 'Access token in prompt',
+    pattern: /(?:messages|prompt|content)\s*[=:].*(?:access[_-]?token|auth[_-]?token|bearer)\s*[:=]\s*['"`][a-zA-Z0-9_.-]{20,}/gi,
+    severity: 'high',
+    description: 'Access token detected in prompt content. Tokens in prompts risk exposure.',
+    suggestedFix: 'Do not include tokens in prompts. Pass token context through secure server-side channels.',
+  },
+]
+/**
+ * Missing boundary patterns - prompts without clear user/system separation
+ */
+const MISSING_BOUNDARY_PATTERNS: PromptHygienePattern[] = [
+  // Direct concatenation without any markers
+  {
+    name: 'Missing prompt boundaries',
+    pattern: /(?:content|prompt)\s*[:=]\s*(?:systemInstructions?|instructions?)\s*\+\s*(?:userMessage|userInput|input)/gi,
+    severity: 'medium',
+    description: 'Prompt concatenates system instructions with user input without clear boundaries.',
+    suggestedFix: 'Add delimiters between instructions and user content: "Instructions...\n---\n" + userInput + "\n---"',
+  },
+  // Template literals building prompts without delimiters
+  {
+    name: 'Unbounded template prompt',
+    pattern: /`(?:You are|As an|Your task)[^`]{20,}\$\{(?!.*(?:```|<user|---|\[USER))/gi,
+    severity: 'medium',
+    description: 'Prompt template interpolates values without clear delimiter boundaries.',
+    suggestedFix: 'Wrap interpolated user content with delimiters: ```${userInput}```',
+  },
+  // M5: RAG-specific prompt injection patterns
+  {
+    name: 'Retrieved context in system prompt',
+    pattern: /role:\s*['"`]system['"`]\s*,\s*content:\s*`[^`]*\$\{.*(?:context|chunks|documents|retrieved|sources)/gi,
+    severity: 'high',
+    description: 'Retrieved documents injected into system prompt. Poisoned documents could hijack model behavior.',
+    suggestedFix: 'Place retrieved context in user messages with clear delimiters. Use structured prompts separating instructions from data.',
+    checkDelimiters: true,
+  },
+  {
+    name: 'Mixed user input and retrieved context',
+    pattern: /\$\{.*(?:userInput|query|question).*\}[^`]*\$\{.*(?:context|chunks|documents).*\}|\$\{.*(?:context|chunks|documents).*\}[^`]*\$\{.*(?:userInput|query|question).*\}/gi,
+    severity: 'medium',
+    description: 'User input and retrieved context concatenated without clear separation. Both could contain injection attempts.',
+    suggestedFix: 'Clearly separate user input from retrieved context using XML tags or delimiters: <user_query>...</user_query><context>...</context>',
+    checkDelimiters: true,
+  },
+  {
+    name: 'RAG context directly interpolated',
+    pattern: /(?:system|prompt)\s*[:=].*(?:retrievedContext|ragContext|documentContext|knowledgeBase)\s*(?:\+|,)/gi,
+    severity: 'medium',
+    description: 'RAG context directly concatenated into prompt. Could enable data poisoning attacks.',
+    suggestedFix: 'Use structured prompt format with clear boundaries between instructions, context, and user input.',
+    checkDelimiters: true,
+  },
+]
+// ============================================================================
+// Detection Functions
+// ============================================================================
+/**
+ * Get surrounding context lines for analysis
+ */
+function getSurroundingContext(content: string, lineIndex: number, windowSize: number = 10): string[] {
+  const lines = content.split('\n')
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize)
+  return lines.slice(start, end)
+}
+/**
+ * Main detection function for AI prompt hygiene issues
+ */
+export function detectAIPromptHygiene(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  // Skip non-applicable files
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  if (isDocumentationFile(filePath)) return vulnerabilities
+  // Only scan files that appear to be in LLM context
+  if (!isLLMContextFile(filePath, content)) {
+    return vulnerabilities
+  }
+  const lines = content.split('\n')
+  const isTestFile = isTestOrMockFile(filePath)
+  // Scan for unsafe interpolation patterns (B1)
+  for (const pattern of UNSAFE_INTERPOLATION_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+      // Skip comments
+      if (isComment(lineContent)) continue
+      // Skip if properly parameterized
+      if (isProperlyParameterized(lineContent)) continue
+      // Check for delimiters if applicable
+      let severity = pattern.severity
+      let description = pattern.description
+      const contextLines = getSurroundingContext(content, lineNumber - 1, 15)
+      if (pattern.checkDelimiters && hasPromptDelimiters(lineContent, contextLines)) {
+        // Delimiters present - downgrade severity
+        severity = 'info'
+        description += ' (Note: Delimiters detected in context, which mitigates this risk.)'
+      }
+      // Downgrade test files
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (in test file)'
+      }
+      vulnerabilities.push({
+        id: `ai-prompt-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_prompt_injection',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: severity === 'info' ? 'low' : 'medium',
+        layer: 2,
+        requiresAIValidation: severity !== 'info',
+      })
+    }
+  }
+  // Scan for secrets in prompts (B3)
+  for (const pattern of SECRETS_IN_PROMPTS_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+      // Skip comments
+      if (isComment(lineContent)) continue
+      // Check if it's an env var reference (safe pattern)
+      const isEnvRef = /process\.env|import\.meta\.env|os\.environ|getenv/i.test(lineContent)
+      if (isEnvRef) continue
+      let severity = pattern.severity
+      let description = pattern.description
+      // Downgrade test files but still flag
+      if (isTestFile) {
+        severity = severity === 'critical' ? 'medium' : 'low'
+        description += ' (in test file - still review for accidental commits)'
+      }
+      vulnerabilities.push({
+        id: `ai-secret-prompt-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'hardcoded_secret', // Use existing category for consistency
+        title: pattern.name + ' (in LLM context)',
+        description: description + ' Secrets in prompts are especially risky as they may be logged, shared, or sent to external AI providers.',
+        suggestedFix: pattern.suggestedFix,
+        confidence: 'high',
+        layer: 2,
+        requiresAIValidation: false, // Secrets don't need AI validation - they're definitive
+      })
+    }
+  }
+  // Scan for missing boundary patterns (B1 continued)
+  for (const pattern of MISSING_BOUNDARY_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+      // Skip comments
+      if (isComment(lineContent)) continue
+      const contextLines = getSurroundingContext(content, lineNumber - 1, 10)
+      // Skip if delimiters are present
+      if (hasPromptDelimiters(lineContent, contextLines)) continue
+      let severity = pattern.severity
+      let description = pattern.description
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (in test file)'
+      }
+      vulnerabilities.push({
+        id: `ai-boundary-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_prompt_injection',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: 'medium',
+        layer: 2,
+        requiresAIValidation: true,
+      })
+    }
+  }
+  return vulnerabilities
+}
+// Export helper for use in other modules
+export { isLLMContextFile }