npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/utils/context-helpers.ts ADDED Viewed

@@ -0,0 +1,535 @@
+/**
+ * Shared Context Helpers
+ * Centralized utility functions for detecting file and code context
+ * Used across Layer 1 and Layer 2 scanners to reduce false positives
+ */
+// ============================================================================
+// File Path Context Detection
+// ============================================================================
+/**
+ * Check if file is server-only (not bundled to client)
+ * Server-only files can safely use service role keys and other admin secrets
+ */
+export function isServerOnlyFile(filePath: string): boolean {
+  const serverPatterns = [
+    /lib\/supabase\/(server|admin|middleware)\.(ts|js)$/i,
+    /\/api\//i,                    // Next.js API routes
+    /\/server\//i,                 // Server directories
+    /\.server\.(ts|js|tsx|jsx)$/i, // .server.ts files
+    /\/actions\//i,                // Server actions
+    /middleware\.(ts|js)$/i,       // Middleware files
+    /\/cron\//i,                   // Cron jobs
+    /\/workers?\//i,               // Worker files
+    /\/scripts?\//i,               // Scripts
+    /\/seed\//i,                   // Database seeds
+    /\/migrations?\//i,            // Database migrations
+    /\/lib\/[^/]+\/server/i,       // lib/*/server patterns
+    /\/utils\/server/i,            // utils/server
+    /\/helpers\/server/i,          // helpers/server
+    /\.action\.(ts|js)$/i,         // .action.ts files
+    /route\.(ts|js)$/i,            // Next.js route handlers
+  ]
+  return serverPatterns.some(pattern => pattern.test(filePath))
+}
+/**
+ * Check if file is a test, mock, or fixture file
+ * These files often contain fake secrets and should have lower severity
+ */
+export function isTestOrMockFile(filePath: string): boolean {
+  const testPatterns = [
+    /\.(test|spec)\.(ts|tsx|js|jsx)$/i,
+    /\/__tests__\//i,
+    /\/test\//i,
+    /\/tests\//i,
+    /\/mock/i,
+    /\/mocks\//i,
+    /\/fixtures?\//i,
+    /\.mock\.(ts|tsx|js|jsx)$/i,
+    /\.stub\.(ts|tsx|js|jsx)$/i,
+    /\.(stories|story)\.(ts|tsx|js|jsx)$/i,  // Storybook
+    /\/e2e\//i,                               // E2E tests
+    /\/cypress\//i,                           // Cypress tests
+    /\/playwright\//i,                        // Playwright tests
+    /\/vitest\//i,                            // Vitest
+    /\/jest\//i,                              // Jest
+  ]
+  return testPatterns.some(pattern => pattern.test(filePath))
+}
+/**
+ * Check if file is an example/sample/template file
+ * These files should be skipped or have significantly reduced severity
+ */
+export function isExampleFile(filePath: string): boolean {
+  return (
+    filePath.includes('.example') ||
+    filePath.includes('.sample') ||
+    filePath.includes('.template') ||
+    filePath.includes('README') ||
+    filePath.includes('/examples/') ||
+    filePath.includes('/example/') ||
+    filePath.includes('/demo/') ||
+    filePath.includes('/demos/')
+  )
+}
+/**
+ * Check if file is in an examples/demo directory
+ * Stronger check than isExampleFile - specifically for directories
+ * These are typically tutorial/demo code, not production patterns
+ */
+export function isExampleDirectory(filePath: string): boolean {
+  const examplePatterns = [
+    /\/examples?\//i,
+    /\/demos?\//i,
+    /\/templates?\//i,
+    /\/samples?\//i,
+    /\/tutorials?\//i,
+    /\/cookbook\//i,
+    /\/quickstart\//i,
+    /\/getting-started\//i,
+  ]
+  return examplePatterns.some(pattern => pattern.test(filePath))
+}
+/**
+ * Check if file is library/framework code (base classes, utilities)
+ * Library code is intentionally generic - consumers add security
+ * This applies to: langchain, vercel/ai, llamaindex, etc.
+ */
+export function isLibraryCode(filePath: string): boolean {
+  const libraryPatterns = [
+    // Package source directories in monorepos
+    /\/libs\/[^/]+\/src\//i,
+    /\/packages\/[^/]+\/src\//i,
+    // Common library patterns
+    /\/langchain-/i,
+    /\/llamaindex/i,
+    // Source files that aren't examples or tests
+    /\/src\/(?!.*(?:examples?|demos?|tests?)\/).*\.(ts|js)$/i,
+  ]
+  // Must match library pattern AND not be example/test
+  return (
+    libraryPatterns.some(pattern => pattern.test(filePath)) &&
+    !isExampleDirectory(filePath) &&
+    !isTestOrMockFile(filePath)
+  )
+}
+/**
+ * Check if file is a fixture file (test data, mock responses)
+ * Fixtures contain fake data and should have reduced severity
+ */
+export function isFixtureFile(filePath: string): boolean {
+  const fixturePatterns = [
+    /__fixtures__\//i,
+    /\.fixture\./i,
+    /fixtures?\//i,
+    /testdata\//i,
+    /test-data\//i,
+    /test_data\//i,
+    /mock-data\//i,
+    /mockdata\//i,
+    /\.mock\./i,
+    /\.stub\./i,
+  ]
+  return fixturePatterns.some(pattern => pattern.test(filePath))
+}
+/**
+ * Check if file is documentation (README, CHANGELOG, etc.)
+ * These files should typically be skipped for security scanning
+ */
+export function isDocumentationFile(filePath: string): boolean {
+  const docPatterns = [
+    /README/i,
+    /CHANGELOG/i,
+    /CONTRIBUTING/i,
+    /LICENSE/i,
+    /\.md$/i,
+    /\.mdx$/i,
+    /\/docs\//i,
+    /\/documentation\//i,
+  ]
+  return docPatterns.some(pattern => pattern.test(filePath))
+}
+/**
+ * Check if file is scanner code, fixture, or rule definition
+ * Avoid flagging the scanner's own code/test cases
+ */
+export function isScannerOrFixtureFile(filePath: string): boolean {
+  const scannerPatterns = [
+    /\/scanner\//i,
+    /\/detector\//i,
+    /\/security\//i,
+    /\/rules?\//i,
+    /\/patterns?\//i,
+    /\/fixtures?\//i,
+    /\/testdata\//i,
+    /\/test-data\//i,
+    /\/test_data\//i,
+  ]
+  return scannerPatterns.some(pattern => pattern.test(filePath))
+}
+/**
+ * Check if file is likely client-bundled (exposed to browser)
+ */
+export function isClientBundledFile(filePath: string): boolean {
+  // Files in these locations are typically client-bundled
+  const clientPatterns = [
+    /\/components\//i,
+    /\/pages\//i,           // Next.js pages (can be SSR, but code visible)
+    /\/app\/.*page\.(ts|tsx|js|jsx)$/i,  // Next.js app router pages
+    /\/hooks\//i,
+    /\/contexts?\//i,
+    /\/providers?\//i,
+    /\/stores?\//i,         // State management
+    /\.client\.(ts|js|tsx|jsx)$/i,  // .client.ts files
+  ]
+  // But not if they're also server files
+  if (isServerOnlyFile(filePath)) {
+    return false
+  }
+  return clientPatterns.some(pattern => pattern.test(filePath))
+}
+// ============================================================================
+// Code Line Context Detection
+// ============================================================================
+/**
+ * Check if line uses environment variable reference (not hardcoded)
+ */
+export function isEnvVarReference(line: string): boolean {
+  return (
+    /process\.env\.[A-Z_]+/.test(line) ||
+    /\$\{?[A-Z_]+\}?/.test(line) ||
+    /import\.meta\.env\.[A-Z_]+/.test(line) ||
+    /Deno\.env\.get\(/.test(line) ||
+    /os\.environ\[/.test(line) ||      // Python
+    /os\.getenv\(/.test(line) ||       // Python
+    /ENV\[['"]/.test(line) ||          // Ruby
+    /env\(["']/.test(line)             // Laravel PHP
+  )
+}
+/**
+ * Check if line uses NEXT_PUBLIC_ prefix (client-exposed)
+ */
+export function isNextPublicEnvVar(line: string): boolean {
+  return /NEXT_PUBLIC_[A-Z_]+/.test(line)
+}
+/**
+ * Check if line is a comment
+ */
+export function isComment(lineContent: string): boolean {
+  const trimmed = lineContent.trim()
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*') ||
+    trimmed.startsWith('"""') ||
+    trimmed.startsWith("'''") ||
+    trimmed.startsWith('<!--')
+  )
+}
+/**
+ * Check if value/line appears to be a placeholder
+ */
+export function isPlaceholderValue(value: string, line: string): boolean {
+  const placeholderPatterns = [
+    /xxx/i,
+    /your[-_]?/i,
+    /YOUR[-_]?/i,
+    /placeholder/i,
+    /example/i,
+    /REPLACE[-_]?/i,
+    /CHANGEME/i,
+    /<[a-z_-]+>/i,           // <your-api-key>
+    /\[\s*[a-z_-]+\s*\]/i,   // [API_KEY]
+    /todo/i,
+    /fixme/i,
+  ]
+  return placeholderPatterns.some(pattern =>
+    pattern.test(value) || pattern.test(line)
+  )
+}
+// ============================================================================
+// Security Context Detection
+// ============================================================================
+/**
+ * Check if line/path indicates a public endpoint (health, webhook, cron)
+ * These don't need authentication
+ */
+export function isPublicEndpoint(lineContent: string, filePath: string): boolean {
+  // Health check patterns
+  const healthCheckPatterns = [
+    /\/health\/?["'`]?/i,
+    /\/healthz\/?["'`]?/i,
+    /\/ready\/?["'`]?/i,
+    /\/readyz\/?["'`]?/i,
+    /\/live\/?["'`]?/i,
+    /\/livez\/?["'`]?/i,
+    /\/ping\/?["'`]?/i,
+    /\/status\/?["'`]?/i,
+    /\/api\/health/i,
+    /\/api\/status/i,
+    /\/_health/i,
+  ]
+  // Webhook patterns
+  const webhookPatterns = [
+    /\/webhook/i,
+    /\/webhooks\//i,
+    /\/callback/i,
+    /\/stripe\/webhook/i,
+    /\/github\/webhook/i,
+    /\/clerk\/webhook/i,
+  ]
+  // Cron/scheduled job patterns
+  const cronPatterns = [
+    /\/cron\//i,
+    /\/scheduled\//i,
+    /\/tasks?\//i,
+    /\/jobs?\//i,
+  ]
+  // Check line content
+  const allPatterns = [...healthCheckPatterns, ...webhookPatterns, ...cronPatterns]
+  if (allPatterns.some(pattern => pattern.test(lineContent))) {
+    return true
+  }
+  // Check file path
+  if (filePath.includes('/health') ||
+      filePath.includes('/webhook') ||
+      filePath.includes('/cron') ||
+      filePath.includes('/scheduled')) {
+    return true
+  }
+  return false
+}
+/**
+ * Check if webhook has signature verification nearby
+ */
+export function hasWebhookSignatureVerification(lines: string[], lineIndex: number, windowSize: number = 15): boolean {
+  const signaturePatterns = [
+    /verifySignature/i,
+    /validateSignature/i,
+    /checkSignature/i,
+    /signature.*verify/i,
+    /verify.*signature/i,
+    /hmac/i,
+    /x-hub-signature/i,
+    /stripe-signature/i,
+    /svix-signature/i,
+    /webhook.*secret/i,
+    /constructEvent/i,      // Stripe webhook verification
+    /Webhook\.verify/i,     // Generic webhook verify
+  ]
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize)
+  for (let i = start; i < end; i++) {
+    if (signaturePatterns.some(pattern => pattern.test(lines[i]))) {
+      return true
+    }
+  }
+  return false
+}
+/**
+ * Check if there's an auth check nearby (bidirectional search)
+ */
+export function hasAuthCheckNearby(lines: string[], lineIndex: number, windowSize: number = 20): boolean {
+  const authPatterns = [
+    /authorization/i,
+    /bearer\s+token/i,
+    /req\.user/i,
+    /request\.user/i,
+    /\.user\s*[=!]/,
+    /isAuthenticated/i,
+    /requireAuth/i,
+    /ensureAuth/i,
+    /checkAuth/i,
+    /verifyToken/i,
+    /validateToken/i,
+    /checkPermission/i,
+    /getServerSession/i,
+    /middleware.*auth/i,
+    /session\.user/i,
+    /currentUser/i,
+    /getSession\(/i,
+    /useSession\(/i,
+    /auth\(\)/i,             // Next-Auth auth()
+    /withAuth/i,
+    /protected/i,
+    /verifySignature/i,      // Webhook signature
+    /checkApiKey/i,
+    /validateApiKey/i,
+    /requireRole/i,
+    /hasRole/i,
+    /isAdmin/i,
+  ]
+  // Search bidirectionally
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize)
+  for (let i = start; i < end; i++) {
+    if (authPatterns.some(pattern => pattern.test(lines[i]))) {
+      return true
+    }
+  }
+  return false
+}
+// ============================================================================
+// BYOK (Bring Your Own Key) Context Detection
+// ============================================================================
+/**
+ * Check if this appears to be a BYOK (user-provided key) context
+ * BYOK is a feature, not a vulnerability, unless improperly handled
+ */
+export function isBYOKContext(lineContent: string, filePath: string): boolean {
+  // Common BYOK patterns
+  const byokPatterns = [
+    /user.*api.*key/i,
+    /customer.*key/i,
+    /your.*api.*key/i,
+    /provide.*key/i,
+    /enter.*key/i,
+    /input.*key/i,
+    /form.*key/i,
+    /settings.*key/i,
+    /config.*key.*user/i,
+    /BYOK/i,
+    /bring.*your.*own/i,
+  ]
+  // Form/input contexts
+  const inputPatterns = [
+    /input.*type/i,
+    /onChange/i,
+    /onSubmit/i,
+    /handleSubmit/i,
+    /useState.*key/i,
+    /form.*data/i,
+  ]
+  // Settings/config UI patterns
+  const settingsPatterns = [
+    /\/settings\//i,
+    /\/config\//i,
+    /\/preferences\//i,
+    /\/profile\//i,
+  ]
+  // Check line content
+  if (byokPatterns.some(p => p.test(lineContent)) ||
+      inputPatterns.some(p => p.test(lineContent))) {
+    return true
+  }
+  // Check file path
+  if (settingsPatterns.some(p => p.test(filePath))) {
+    // In settings files, look for user input context
+    if (inputPatterns.some(p => p.test(lineContent))) {
+      return true
+    }
+  }
+  return false
+}
+/**
+ * Check if key is being stored/handled properly (not exposed)
+ */
+export function isKeyProperlyHandled(lineContent: string, lines: string[], lineIndex: number): boolean {
+  // Proper handling patterns (encryption, secure storage, etc.)
+  const properHandlingPatterns = [
+    /encrypt/i,
+    /hash/i,
+    /secure.*storage/i,
+    /keychain/i,
+    /vault/i,
+    /secretsManager/i,
+    /kms/i,
+    /\.env/i,
+  ]
+  // Check current line
+  if (properHandlingPatterns.some(p => p.test(lineContent))) {
+    return true
+  }
+  // Check nearby lines (5 lines before and after)
+  const start = Math.max(0, lineIndex - 5)
+  const end = Math.min(lines.length, lineIndex + 5)
+  for (let i = start; i < end; i++) {
+    if (properHandlingPatterns.some(p => p.test(lines[i]))) {
+      return true
+    }
+  }
+  return false
+}
+// ============================================================================
+// Service Role Key Context
+// ============================================================================
+/**
+ * Check if this is a service role key usage that's acceptable
+ * Server-only + env var = acceptable
+ * Client exposure = critical
+ */
+export function getServiceRoleKeyContext(
+  lineContent: string,
+  filePath: string
+): 'safe_server' | 'needs_review' | 'client_exposure' {
+  const isServer = isServerOnlyFile(filePath)
+  const usesEnvVar = isEnvVarReference(lineContent)
+  const isClientFile = isClientBundledFile(filePath)
+  const isNextPublic = isNextPublicEnvVar(lineContent)
+  // NEXT_PUBLIC_ service role key = always critical (client exposure)
+  if (isNextPublic) {
+    return 'client_exposure'
+  }
+  // Server-only file using env var = safe
+  if (isServer && usesEnvVar) {
+    return 'safe_server'
+  }
+  // Client-bundled file = exposure risk
+  if (isClientFile) {
+    return 'client_exposure'
+  }
+  // Hardcoded or ambiguous = needs review
+  return 'needs_review'
+}

package/src/utils/diff-detector.ts ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * Diff Detection Utility
+ * Compares current repository tree against previous scan data to detect changed files
+ * Used for incremental scanning (Story D)
+ */
+export interface TreeFileInfo {
+  path: string
+  sha: string
+}
+export interface DiffResult {
+  /** Files that are new (not in previous scan) */
+  added: string[]
+  /** Files whose SHA changed (content modified) */
+  modified: string[]
+  /** Files that were deleted (in previous scan but not in current) */
+  deleted: string[]
+  /** Files that haven't changed */
+  unchanged: string[]
+  /** Total count of changed files (added + modified) */
+  changedCount: number
+  /** Whether this is a significant change warranting incremental scan */
+  shouldUseIncremental: boolean
+}
+/**
+ * Maximum number of changed files before falling back to full scan
+ * Beyond this threshold, incremental mode provides diminishing returns
+ */
+const MAX_CHANGED_FILES_FOR_INCREMENTAL = 50
+/**
+ * Detect which files have changed between the current tree and previous scan
+ *
+ * @param currentTree - Array of files from current GitHub tree (path + sha)
+ * @param previousFileShas - Map of {file_path: sha} from previous scan
+ * @returns DiffResult with categorized file changes
+ */
+export function detectChangedFiles(
+  currentTree: TreeFileInfo[],
+  previousFileShas: Record<string, string> | null | undefined
+): DiffResult {
+  // If no previous data, everything is "new"
+  if (!previousFileShas || Object.keys(previousFileShas).length === 0) {
+    return {
+      added: currentTree.map(f => f.path),
+      modified: [],
+      deleted: [],
+      unchanged: [],
+      changedCount: currentTree.length,
+      shouldUseIncremental: false, // No baseline = full scan
+    }
+  }
+  const added: string[] = []
+  const modified: string[] = []
+  const unchanged: string[] = []
+  const currentPaths = new Set<string>()
+  // Compare current files against previous
+  for (const file of currentTree) {
+    currentPaths.add(file.path)
+    const previousSha = previousFileShas[file.path]
+    if (!previousSha) {
+      // File didn't exist before
+      added.push(file.path)
+    } else if (previousSha !== file.sha) {
+      // File content changed (SHA differs)
+      modified.push(file.path)
+    } else {
+      // Same SHA = unchanged
+      unchanged.push(file.path)
+    }
+  }
+  // Find deleted files (in previous but not in current)
+  const deleted: string[] = []
+  for (const path of Object.keys(previousFileShas)) {
+    if (!currentPaths.has(path)) {
+      deleted.push(path)
+    }
+  }
+  const changedCount = added.length + modified.length
+  const shouldUseIncremental = changedCount > 0 && changedCount <= MAX_CHANGED_FILES_FOR_INCREMENTAL
+  return {
+    added,
+    modified,
+    deleted,
+    unchanged,
+    changedCount,
+    shouldUseIncremental,
+  }
+}
+/**
+ * Build a file SHA map from a GitHub tree response
+ * Filters to only include blob (file) entries
+ *
+ * @param tree - GitHub tree items with path and sha
+ * @returns Map of {file_path: sha}
+ */
+export function buildFileShaMap(
+  tree: Array<{ path: string; sha: string; type: 'blob' | 'tree' }>
+): Record<string, string> {
+  const map: Record<string, string> = {}
+  for (const item of tree) {
+    // Only include files (blobs), not directories (trees)
+    if (item.type === 'blob') {
+      map[item.path] = item.sha
+    }
+  }
+  return map
+}
+/**
+ * Check if two tree SHAs are different
+ * Quick check before doing detailed file comparison
+ *
+ * @param currentTreeSha - SHA of current tree
+ * @param previousTreeSha - SHA from previous scan
+ * @returns true if trees are different (need detailed comparison)
+ */
+export function hasTreeChanged(
+  currentTreeSha: string,
+  previousTreeSha: string | null | undefined
+): boolean {
+  if (!previousTreeSha) return true
+  return currentTreeSha !== previousTreeSha
+}