npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/utils/auth-helper-detector.ts ADDED Viewed

@@ -0,0 +1,443 @@
+/**
+ * Auth Helper Detector
+ *
+ * Detects authentication helper functions that throw on missing auth,
+ * return non-null types, and provide security guarantees.
+ *
+ * When these helpers are called, subsequent code is GUARANTEED to have
+ * an authenticated user - no additional `if (!userId)` checks are needed.
+ */
+import type { ScanFile } from '../types'
+// ============================================================================
+// Types
+// ============================================================================
+export interface AuthHelper {
+  /** Name of the helper function */
+  name: string
+  /** File where it's defined (if detected) */
+  definedIn?: string
+  /** Whether it throws on missing auth (vs returning null) */
+  throwsOnMissing: boolean
+  /** Return type if detected (e.g., 'string', 'User', 'Promise<string>') */
+  returnType?: string
+  /** Whether return type is non-null */
+  returnsNonNull: boolean
+  /** Pattern that matches calls to this helper */
+  callPattern: RegExp
+}
+export interface AuthHelperContext {
+  /** All detected auth helpers */
+  helpers: AuthHelper[]
+  /** Whether the project has any throwing auth helpers */
+  hasThrowingHelpers: boolean
+  /** Summary for AI validation */
+  summary: string
+}
+// ============================================================================
+// Well-Known Auth Helper Patterns
+// ============================================================================
+/**
+ * Common patterns for auth helpers that THROW on missing auth
+ * These are functions that guarantee authenticated context after call
+ */
+const THROWING_AUTH_HELPER_PATTERNS = [
+  // Generic patterns
+  {
+    namePattern: /^(get|fetch|require|ensure)(Current)?(User|UserId|Auth|Session|Principal)(Id)?$/i,
+    callPattern: /\b(get|fetch|require|ensure)(Current)?(User|UserId|Auth|Session|Principal)(Id)?\s*\(/gi,
+    description: 'Auth helper that retrieves authenticated user',
+  },
+  // Clerk patterns
+  {
+    namePattern: /^auth$/,
+    callPattern: /\bauth\s*\(\s*\)/gi,
+    description: 'Clerk auth() helper',
+  },
+  {
+    namePattern: /^currentUser$/,
+    callPattern: /\bcurrentUser\s*\(\s*\)/gi,
+    description: 'Clerk currentUser() helper',
+  },
+  // NextAuth patterns
+  {
+    namePattern: /^getServerSession$/,
+    callPattern: /\bgetServerSession\s*\(/gi,
+    description: 'NextAuth getServerSession()',
+  },
+  {
+    namePattern: /^getSession$/,
+    callPattern: /\bgetSession\s*\(/gi,
+    description: 'Session helper',
+  },
+  // Supabase patterns
+  {
+    namePattern: /^getUser$/,
+    callPattern: /\bsupabase\.auth\.getUser\s*\(/gi,
+    description: 'Supabase getUser()',
+  },
+]
+/**
+ * Patterns that indicate a function THROWS on missing auth
+ */
+const THROWING_INDICATORS = [
+  /throw\s+new\s+(Error|UnauthorizedError|AuthError|HttpException)/i,
+  /throw\s+.*401/i,
+  /throw\s+.*unauthorized/i,
+  /throw\s+.*unauthenticated/i,
+  /return\s+.*401/i,
+  /NextResponse\.json\s*\([^)]*401/i,
+  /res\.status\s*\(\s*401\s*\)/i,
+  /redirect\s*\(\s*['"`].*login/i,
+]
+/**
+ * Patterns that indicate NON-NULL return type
+ */
+const NON_NULL_RETURN_PATTERNS = [
+  /:\s*Promise<string>/i,        // : Promise<string>
+  /:\s*string(?!\s*\|)/i,        // : string (not string | null)
+  /:\s*Promise<User>/i,          // : Promise<User>
+  /:\s*User(?!\s*\|)/i,          // : User (not User | null)
+  /:\s*Promise<\w+>(?!\s*\|)/i,  // : Promise<SomeType>
+  /\w+!$/i,                       // Non-null assertion in return
+]
+// ============================================================================
+// Detection Functions
+// ============================================================================
+/**
+ * Detect auth helper functions in the codebase
+ */
+export function detectAuthHelpers(files: ScanFile[]): AuthHelperContext {
+  const helpers: AuthHelper[] = []
+  const detectedNames = new Set<string>()
+  // First pass: find auth helper definitions
+  for (const file of files) {
+    // Skip non-code files
+    if (!/\.(ts|tsx|js|jsx)$/i.test(file.path)) continue
+    // Look for function definitions that look like auth helpers
+    const functionMatches = findAuthHelperDefinitions(file.content, file.path)
+    for (const helper of functionMatches) {
+      if (!detectedNames.has(helper.name)) {
+        detectedNames.add(helper.name)
+        helpers.push(helper)
+      }
+    }
+  }
+  // Add well-known helpers if not already detected
+  for (const pattern of THROWING_AUTH_HELPER_PATTERNS) {
+    const nameMatch = pattern.namePattern.source.replace(/[\^\$\\b]/g, '')
+    if (!detectedNames.has(nameMatch)) {
+      // Check if this pattern is used in any file
+      const isUsed = files.some(f => pattern.callPattern.test(f.content))
+      if (isUsed) {
+        helpers.push({
+          name: nameMatch,
+          throwsOnMissing: true, // Assume throwing for well-known patterns
+          returnsNonNull: true,
+          callPattern: pattern.callPattern,
+        })
+      }
+    }
+  }
+  // Generate summary
+  const throwingHelpers = helpers.filter(h => h.throwsOnMissing)
+  const summary = generateAuthHelperSummary(helpers)
+  return {
+    helpers,
+    hasThrowingHelpers: throwingHelpers.length > 0,
+    summary,
+  }
+}
+/**
+ * Find auth helper function definitions in a file
+ */
+function findAuthHelperDefinitions(content: string, filePath: string): AuthHelper[] {
+  const helpers: AuthHelper[] = []
+  const lines = content.split('\n')
+  // Patterns for function definitions
+  const funcDefPatterns = [
+    // async function getCurrentUserId(): Promise<string> { ... throw
+    /(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\([^)]*\)\s*(?::\s*([^{]+))?\s*\{/gi,
+    // const getCurrentUserId = async (): Promise<string> => { ... throw
+    /(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)\s*(?::\s*([^=]+))?\s*=>/gi,
+  ]
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    for (const pattern of funcDefPatterns) {
+      pattern.lastIndex = 0
+      const match = pattern.exec(line)
+      if (!match) continue
+      const funcName = match[1]
+      const returnType = match[2]?.trim()
+      // Check if this looks like an auth helper by name
+      const isAuthHelperName = THROWING_AUTH_HELPER_PATTERNS.some(p =>
+        p.namePattern.test(funcName)
+      )
+      if (!isAuthHelperName) continue
+      // Look ahead for throwing patterns and return type
+      const functionBody = extractFunctionBody(lines, i)
+      const throwsOnMissing = THROWING_INDICATORS.some(p => p.test(functionBody))
+      const returnsNonNull = returnType
+        ? NON_NULL_RETURN_PATTERNS.some(p => p.test(`: ${returnType}`))
+        : false
+      // Create call pattern for this helper
+      const callPattern = new RegExp(`\\b${escapeRegex(funcName)}\\s*\\(`, 'gi')
+      helpers.push({
+        name: funcName,
+        definedIn: filePath,
+        throwsOnMissing,
+        returnType,
+        returnsNonNull: returnsNonNull || throwsOnMissing, // If it throws, the return is non-null
+        callPattern,
+      })
+    }
+  }
+  return helpers
+}
+/**
+ * Extract function body for analysis (up to closing brace)
+ */
+function extractFunctionBody(lines: string[], startLine: number, maxLines: number = 50): string {
+  let braceCount = 0
+  let started = false
+  const bodyLines: string[] = []
+  for (let i = startLine; i < Math.min(lines.length, startLine + maxLines); i++) {
+    const line = lines[i]
+    bodyLines.push(line)
+    for (const char of line) {
+      if (char === '{') {
+        braceCount++
+        started = true
+      } else if (char === '}') {
+        braceCount--
+        if (started && braceCount === 0) {
+          return bodyLines.join('\n')
+        }
+      }
+    }
+  }
+  return bodyLines.join('\n')
+}
+/**
+ * Check if a code line uses a throwing auth helper
+ * Returns the helper if found, undefined otherwise
+ */
+export function usesThrowingAuthHelper(
+  lineContent: string,
+  surroundingContent: string,
+  helpers: AuthHelper[]
+): AuthHelper | undefined {
+  // Check if any throwing helper is called in the surrounding context
+  const throwingHelpers = helpers.filter(h => h.throwsOnMissing)
+  for (const helper of throwingHelpers) {
+    helper.callPattern.lastIndex = 0
+    if (helper.callPattern.test(surroundingContent)) {
+      return helper
+    }
+  }
+  return undefined
+}
+/**
+ * Well-known auth helper call patterns - used as fallback when no helpers are detected
+ * These patterns are common across frameworks and should be recognized even without project analysis
+ */
+const WELL_KNOWN_AUTH_CALL_PATTERNS: Array<{ pattern: RegExp; name: string }> = [
+  // Generic throwing auth patterns
+  { pattern: /\bgetCurrentUserId\s*\(/i, name: 'getCurrentUserId' },
+  { pattern: /\bgetCurrentUser\s*\(/i, name: 'getCurrentUser' },
+  { pattern: /\brequireAuth\s*\(/i, name: 'requireAuth' },
+  { pattern: /\brequireUser\s*\(/i, name: 'requireUser' },
+  { pattern: /\bensureAuth\s*\(/i, name: 'ensureAuth' },
+  { pattern: /\bensureAuthenticated\s*\(/i, name: 'ensureAuthenticated' },
+  { pattern: /\bverifyAuth\s*\(/i, name: 'verifyAuth' },
+  { pattern: /\bcheckAuth\s*\(/i, name: 'checkAuth' },
+  { pattern: /\bvalidateAuth\s*\(/i, name: 'validateAuth' },
+  { pattern: /\bassertAuth\s*\(/i, name: 'assertAuth' },
+  { pattern: /\bgetAuth\s*\(/i, name: 'getAuth' },
+  { pattern: /\bfetchCurrentUser\s*\(/i, name: 'fetchCurrentUser' },
+  // Clerk
+  { pattern: /\bauth\s*\(\s*\)\.protect\s*\(/i, name: 'auth().protect' },
+  { pattern: /\bcurrentUser\s*\(\s*\)/i, name: 'currentUser' },
+  // NextAuth
+  { pattern: /\bgetServerSession\s*\(/i, name: 'getServerSession' },
+  // Supabase
+  { pattern: /\bsupabase\.auth\.getUser\s*\(/i, name: 'supabase.auth.getUser' },
+  // Destructuring pattern
+  { pattern: /const\s+\{\s*user\s*\}\s*=\s*await\s+auth/i, name: 'destructured auth' },
+]
+/**
+ * Check if a file has auth helper calls before a given line
+ * This indicates the code after the call is in authenticated context
+ */
+export function hasAuthHelperCallBefore(
+  content: string,
+  lineNumber: number,
+  helpers: AuthHelper[]
+): { hasCall: boolean; helper?: AuthHelper; callLine?: number } {
+  const lines = content.split('\n')
+  const throwingHelpers = helpers.filter(h => h.throwsOnMissing)
+  // Increase search window from 30 to 100 lines for better coverage
+  const searchStart = Math.max(0, lineNumber - 100)
+  // Look backwards from the current line
+  for (let i = lineNumber - 1; i >= searchStart; i--) {
+    const line = lines[i]
+    // Check detected helpers first
+    for (const helper of throwingHelpers) {
+      helper.callPattern.lastIndex = 0
+      if (helper.callPattern.test(line)) {
+        return { hasCall: true, helper, callLine: i + 1 }
+      }
+    }
+    // Stop at function boundaries (for module-level helpers, we still check inside function)
+    if (/\b(function|async function|=>|export\s+default)\b/.test(line) && /\{/.test(line)) {
+      // If this is the route handler definition line, continue checking inside it
+      if (i !== lineNumber - 1) {
+        break
+      }
+    }
+  }
+  // FORWARD SEARCH: Always search forward into the function body
+  // This catches auth helpers called INSIDE the route handler, not just before it
+  // Example: export async function GET() { const userId = await getCurrentUserId(); ... }
+  const endLine = Math.min(lines.length, lineNumber + 30)
+  for (let i = lineNumber; i < endLine; i++) {
+    const line = lines[i]
+    // Check detected helpers
+    for (const helper of throwingHelpers) {
+      helper.callPattern.lastIndex = 0
+      if (helper.callPattern.test(line)) {
+        return { hasCall: true, helper, callLine: i + 1 }
+      }
+    }
+    // Also check well-known patterns (fallback for single-file scans)
+    for (const known of WELL_KNOWN_AUTH_CALL_PATTERNS) {
+      if (known.pattern.test(line)) {
+        return {
+          hasCall: true,
+          helper: {
+            name: known.name,
+            throwsOnMissing: true,
+            returnsNonNull: true,
+            callPattern: known.pattern,
+          },
+          callLine: i + 1
+        }
+      }
+    }
+    // Stop at another function boundary (but not the current line)
+    if (i > lineNumber && /\bexport\s+(async\s+)?function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/i.test(line)) {
+      break
+    }
+  }
+  return { hasCall: false }
+}
+/**
+ * Generate summary for AI validation
+ */
+function generateAuthHelperSummary(helpers: AuthHelper[]): string {
+  if (helpers.length === 0) {
+    return 'No auth helper functions detected.'
+  }
+  const throwing = helpers.filter(h => h.throwsOnMissing)
+  const lines: string[] = []
+  lines.push('### Auth Helper Functions')
+  lines.push('')
+  if (throwing.length > 0) {
+    lines.push('**Throwing auth helpers** (guarantee authenticated context when called):')
+    for (const h of throwing) {
+      const location = h.definedIn ? ` (defined in ${h.definedIn})` : ''
+      lines.push(`- \`${h.name}()\`${location}`)
+    }
+    lines.push('')
+    lines.push('When these helpers are called at the start of a function, subsequent code is GUARANTEED to have an authenticated user. Do NOT flag "missing auth" or suggest `if (!userId)` checks after these calls.')
+  }
+  return lines.join('\n')
+}
+/**
+ * Escape special regex characters
+ */
+function escapeRegex(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
+/**
+ * Check if code suggests user ID is already validated
+ * Detects patterns like: const userId = await getCurrentUserId()
+ */
+export function isUserIdAlreadyValidated(
+  content: string,
+  lineNumber: number,
+  helpers: AuthHelper[]
+): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 20)
+  const context = lines.slice(contextStart, lineNumber).join('\n')
+  // Check for throwing helper calls
+  const throwingHelpers = helpers.filter(h => h.throwsOnMissing)
+  for (const helper of throwingHelpers) {
+    helper.callPattern.lastIndex = 0
+    if (helper.callPattern.test(context)) {
+      return true
+    }
+  }
+  // Check for common validation patterns
+  const validationPatterns = [
+    /const\s+(?:userId|user_id|currentUserId)\s*=\s*await/i,
+    /if\s*\(\s*!(?:userId|user_id|user|session)\s*\)/i, // Already has the check
+    /(?:userId|user_id)\s*\|\|\s*throw/i,
+    /auth\(\)\.protect\(\)/i, // Clerk protect
+  ]
+  return validationPatterns.some(p => p.test(context))
+}