npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/types.ts ADDED Viewed

@@ -0,0 +1,284 @@
+/**
+ * Scanner Types and Interfaces
+ * Defines the core data structures for the security scanning engine
+ */
+export type VulnerabilitySeverity = 'critical' | 'high' | 'medium' | 'low' | 'info'
+export type VulnerabilityCategory =
+  | 'hardcoded_secret'
+  | 'high_entropy_string'
+  | 'sensitive_variable'
+  | 'security_bypass'
+  | 'dangerous_function'
+  | 'sql_injection'
+  | 'xss'
+  | 'command_injection'
+  | 'insecure_config'
+  | 'missing_auth'
+  | 'suspicious_package'
+  | 'cors_misconfiguration'
+  | 'root_container'
+  | 'dangerous_file'
+  | 'ai_pattern'
+  | 'sensitive_url'
+  | 'weak_crypto'
+  | 'data_exposure'  // Logging/exposing sensitive data
+  // AI-specific categories (Story B)
+  | 'ai_prompt_injection'     // B1: Prompt hygiene issues - user input in system prompts
+  | 'ai_unsafe_execution'     // B2: LLM output fed to dangerous sinks (eval, exec, SQL)
+  | 'ai_overpermissive_tool'  // B4: Agent tools with excessive permissions
+  // AI-era vulnerability categories (M5)
+  | 'ai_rag_exfiltration'     // M5: RAG data leakage - cross-tenant retrieval, raw context exposure
+  | 'ai_endpoint_unprotected' // M5: AI endpoints without auth/rate limiting
+  | 'ai_schema_mismatch'      // M5: Missing schema validation on AI-generated outputs
+export type ValidationStatus = 'confirmed' | 'downgraded' | 'dismissed' | 'not_validated'
+export interface Vulnerability {
+  id: string
+  filePath: string
+  lineNumber: number
+  lineContent: string
+  severity: VulnerabilitySeverity
+  category: VulnerabilityCategory
+  title: string
+  description: string
+  suggestedFix?: string
+  confidence: 'high' | 'medium' | 'low'
+  layer: 1 | 2 | 3 // Which scan layer detected this
+  requiresAIValidation?: boolean // If true, must pass through AI validation before surfacing
+  // AI validation metadata
+  validatedByAI?: boolean // true if this finding was processed by AI validation
+  validationStatus?: ValidationStatus // outcome of AI validation
+  validationNotes?: string // e.g., "Route protected by Clerk middleware"
+  originalSeverity?: VulnerabilitySeverity // For downgraded findings, the original severity
+}
+export interface ScanFile {
+  path: string
+  content: string
+  language: string
+  size: number
+}
+// Severity counts for issue-mix display
+export interface SeverityCounts {
+  critical: number
+  high: number
+  medium: number
+  low: number
+  info: number
+}
+// Category counts keyed by VulnerabilityCategory
+export type CategoryCounts = Partial<Record<VulnerabilityCategory, number>>
+export interface ScanResult {
+  repoName: string
+  repoUrl: string
+  branch: string
+  filesScanned: number
+  filesSkipped: number
+  vulnerabilities: Vulnerability[]
+  // Issue-mix fields - use these for displaying security posture
+  severityCounts: SeverityCounts
+  categoryCounts: CategoryCounts
+  hasBlockingIssues: boolean // true if any critical or high severity issues
+  scanDuration: number // milliseconds
+  timestamp: string
+  // AI Validation stats (Phase 1 optimization metrics)
+  validationStats?: {
+    totalFindings: number
+    validatedFindings: number
+    confirmedFindings: number
+    dismissedFindings: number
+    downgradedFindings: number
+    autoDismissedFindings: number
+    estimatedInputTokens: number
+    estimatedOutputTokens: number
+    estimatedCost: number
+    apiCalls: number
+    cacheCreationTokens: number
+    cacheReadTokens: number
+    cacheHitRate: number
+  }
+}
+export interface ScanProgress {
+  status: 'fetching' | 'scanning_layer1' | 'scanning_layer2' | 'scanning_layer3' | 'complete' | 'failed'
+  currentFile?: string
+  filesProcessed: number
+  totalFiles: number
+  vulnerabilitiesFound: number
+}
+// Pattern definitions for Layer 1
+export interface SecretPattern {
+  name: string
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+}
+// Config audit rules for Layer 1
+export interface ConfigRule {
+  name: string
+  filePatterns: string[]
+  check: (content: string, filePath: string) => ConfigViolation[]
+}
+export interface ConfigViolation {
+  line: number
+  lineContent: string
+  message: string
+  severity: VulnerabilitySeverity
+}
+// Layer 2 heuristics
+export interface SensitiveVariablePattern {
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+}
+// Layer 3 AI analysis
+export interface AIAnalysisRequest {
+  filePath: string
+  content: string
+  context: string
+}
+export interface AIFinding {
+  lineNumber: number
+  lineContent: string
+  severity: VulnerabilitySeverity
+  category: VulnerabilityCategory
+  title: string
+  description: string
+  suggestedFix: string
+}
+// Supported file extensions for scanning
+export const SCANNABLE_EXTENSIONS = [
+  '.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs',
+  '.py', '.rb', '.php', '.go', '.java', '.cs',
+  '.env', '.yaml', '.yml', '.json', '.toml',
+  '.dockerfile', '.sh', '.bash',
+]
+// Files to always scan regardless of extension
+export const SPECIAL_FILES = [
+  'Dockerfile',
+  'docker-compose.yml',
+  'docker-compose.yaml',
+  '.env',
+  '.env.local',
+  '.env.production',
+  '.env.development',
+  'package.json',
+  'requirements.txt',
+  'Gemfile',
+  'go.mod',
+]
+// Max file size to scan (50KB as per PRD)
+export const MAX_FILE_SIZE = 50 * 1024
+// ============================================================================
+// Scan Mode Configuration
+// ============================================================================
+/**
+ * Scan mode determines the depth and cost of the scan
+ *
+ * - full: Complete scan with AI validation on all files (initial onboarding, deep audits)
+ * - incremental: Focused scan on changed files only (CI/CD, fast feedback)
+ */
+export type ScanMode = 'full' | 'incremental'
+/**
+ * Scan depth controls AI usage independent of full vs incremental mode
+ *
+ * - cheap: Layer 1 + Layer 2 only. No AI validation, no Layer 3.
+ *          Only Tier A (core) findings are surfaced.
+ *          Target: <5s for typical PR scans.
+ *
+ * - validated: Layer 1 + Layer 2 + AI validation on selected findings. No Layer 3.
+ *              Tier A is surfaced directly, Tier B goes through AI validation.
+ *              Target: <15s with <10 AI calls.
+ *
+ * - deep: Layer 1 + Layer 2 + AI validation + Layer 3 semantic analysis.
+ *         Full analysis for initial onboarding or deep security audits.
+ *         Target: Complete thoroughness, cost secondary.
+ *
+ * ## Workflow Profile Recommendations:
+ *
+ * | Workflow       | Default Depth | Rationale                            |
+ * |----------------|---------------|--------------------------------------|
+ * | GitHub PR      | cheap         | Fast feedback, high-signal findings  |
+ * | VS Code        | validated     | Interactive, balance depth + speed   |
+ * | CLI (default)  | cheap         | Fast local scans                     |
+ * | CLI --deep     | deep          | Thorough analysis when requested     |
+ * | Onboarding     | deep          | Full picture on first scan           |
+ */
+export type ScanDepth = 'cheap' | 'validated' | 'deep'
+export interface ScanModeConfig {
+  /** The scan mode */
+  mode: ScanMode
+  /** For incremental scans: paths of changed files */
+  changedFiles?: string[]
+  /** For incremental scans: base commit/branch to diff against */
+  baseBranch?: string
+  /** Whether to skip AI validation entirely (for very fast scans) */
+  skipAIValidation?: boolean
+  /** Whether to skip Layer 3 deep analysis (reduces cost) */
+  skipLayer3?: boolean
+  /** Maximum files to send to AI validation (cost control) */
+  maxAIValidationFiles?: number
+  /** Maximum files for Layer 3 analysis (cost control) */
+  maxLayer3Files?: number
+  /** Scan depth mode (cheap/validated/deep) - controls AI usage */
+  scanDepth?: ScanDepth
+  /** Whether to exclude test files from scanning (default: true) */
+  excludeTestFiles?: boolean
+  /** Whether to exclude seed files from scanning (default: true) */
+  excludeSeedFiles?: boolean
+  /** Custom file path patterns to exclude (glob format) */
+  customExclusions?: string[]
+}
+/**
+ * Default configurations for each scan mode
+ */
+export const SCAN_MODE_DEFAULTS: Record<ScanMode, Partial<ScanModeConfig>> = {
+  full: {
+    mode: 'full',
+    skipAIValidation: false,
+    skipLayer3: false,
+    maxAIValidationFiles: 50,
+    maxLayer3Files: 15,
+  },
+  incremental: {
+    mode: 'incremental',
+    skipAIValidation: false,
+    skipLayer3: true, // Skip expensive Layer 3 for incremental
+    maxAIValidationFiles: 20,
+    maxLayer3Files: 5,
+  },
+}