npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/utils/registry-clients.ts ADDED Viewed

@@ -0,0 +1,351 @@
+/**
+ * Registry Clients for Package Metadata
+ * Fetches package information from npm and PyPI registries
+ * Used by the Hallucination Firewall (Story C) to assess dependency risk
+ */
+// Cache for package metadata to avoid repeated requests
+const npmMetadataCache = new Map<string, NPMPackageMetadata | null>()
+const pypiMetadataCache = new Map<string, PyPIPackageMetadata | null>()
+// Rate limiting configuration
+const RATE_LIMIT_DELAY_MS = 100
+/**
+ * NPM Package Metadata Interface
+ */
+export interface NPMPackageMetadata {
+  name: string
+  version: string
+  description?: string
+  maintainers: Array<{ name: string; email?: string }>
+  time: {
+    created: string
+    modified: string
+    [version: string]: string
+  }
+  repository?: {
+    type: string
+    url: string
+  }
+  homepage?: string
+  license?: string
+  downloads?: {
+    weekly: number
+  }
+}
+/**
+ * PyPI Package Metadata Interface
+ */
+export interface PyPIPackageMetadata {
+  name: string
+  version: string
+  summary?: string
+  author?: string
+  authorEmail?: string
+  license?: string
+  projectUrls?: Record<string, string>
+  releaseDate?: string
+  requiresPython?: string
+}
+/**
+ * Extracted dependency information
+ */
+export interface ExtractedDependency {
+  name: string
+  version?: string
+  source: 'dependencies' | 'devDependencies' | 'peerDependencies' | 'optionalDependencies' | 'requirements'
+  line: number
+}
+/**
+ * Fetch package metadata from npm registry
+ * Returns null if package doesn't exist
+ */
+export async function fetchNPMMetadata(packageName: string): Promise<NPMPackageMetadata | null> {
+  // Check cache first
+  if (npmMetadataCache.has(packageName)) {
+    return npmMetadataCache.get(packageName) || null
+  }
+  try {
+    // Fetch package info from npm registry
+    const registryResponse = await fetch(
+      `https://registry.npmjs.org/${encodeURIComponent(packageName)}`,
+      {
+        headers: {
+          'Accept': 'application/json',
+        },
+      }
+    )
+    if (!registryResponse.ok) {
+      if (registryResponse.status === 404) {
+        npmMetadataCache.set(packageName, null)
+        return null
+      }
+      // Non-404 error - don't cache, might be transient
+      console.warn(`[Registry] npm registry error for ${packageName}: ${registryResponse.status}`)
+      return null
+    }
+    const data = await registryResponse.json() as Record<string, unknown>
+    // Fetch download counts separately (different API)
+    let weeklyDownloads = 0
+    try {
+      const downloadsResponse = await fetch(
+        `https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`
+      )
+      if (downloadsResponse.ok) {
+        const downloadsData = await downloadsResponse.json() as Record<string, unknown>
+        weeklyDownloads = (downloadsData.downloads as number) || 0
+      }
+    } catch {
+      // Download count is optional, don't fail
+    }
+    const metadata: NPMPackageMetadata = {
+      name: data.name as string,
+      version: ((data['dist-tags'] as Record<string, string>)?.latest) || '',
+      description: data.description as string | undefined,
+      maintainers: (data.maintainers as Array<{ name: string; email?: string }>) || [],
+      time: (data.time as NPMPackageMetadata['time']) || { created: '', modified: '' },
+      repository: data.repository as NPMPackageMetadata['repository'],
+      homepage: data.homepage as string | undefined,
+      license: data.license as string | undefined,
+      downloads: { weekly: weeklyDownloads },
+    }
+    npmMetadataCache.set(packageName, metadata)
+    return metadata
+  } catch (error) {
+    console.warn(`[Registry] Failed to fetch npm metadata for ${packageName}:`, error)
+    // Don't cache network errors
+    return null
+  }
+}
+/**
+ * Fetch package metadata from PyPI registry
+ * Returns null if package doesn't exist
+ */
+export async function fetchPyPIMetadata(packageName: string): Promise<PyPIPackageMetadata | null> {
+  // Check cache first
+  if (pypiMetadataCache.has(packageName)) {
+    return pypiMetadataCache.get(packageName) || null
+  }
+  try {
+    const response = await fetch(
+      `https://pypi.org/pypi/${encodeURIComponent(packageName)}/json`,
+      {
+        headers: {
+          'Accept': 'application/json',
+        },
+      }
+    )
+    if (!response.ok) {
+      if (response.status === 404) {
+        pypiMetadataCache.set(packageName, null)
+        return null
+      }
+      console.warn(`[Registry] PyPI registry error for ${packageName}: ${response.status}`)
+      return null
+    }
+    const data = await response.json() as Record<string, unknown>
+    const info = (data.info || {}) as Record<string, unknown>
+    // Get release date from the latest version
+    let releaseDate: string | undefined
+    const releases = (data.releases as Record<string, Array<{ upload_time?: string }>>)?.[info.version as string]
+    if (releases && releases.length > 0) {
+      releaseDate = releases[0].upload_time
+    }
+    const metadata: PyPIPackageMetadata = {
+      name: info.name as string,
+      version: info.version as string,
+      summary: info.summary as string | undefined,
+      author: info.author as string | undefined,
+      authorEmail: info.author_email as string | undefined,
+      license: info.license as string | undefined,
+      projectUrls: info.project_urls as Record<string, string> | undefined,
+      releaseDate,
+      requiresPython: info.requires_python as string | undefined,
+    }
+    pypiMetadataCache.set(packageName, metadata)
+    return metadata
+  } catch (error) {
+    console.warn(`[Registry] Failed to fetch PyPI metadata for ${packageName}:`, error)
+    return null
+  }
+}
+/**
+ * Extract dependencies from package.json content
+ */
+export function extractNpmDependencies(content: string): ExtractedDependency[] {
+  try {
+    const pkg = JSON.parse(content)
+    const deps: ExtractedDependency[] = []
+    const lines = content.split('\n')
+    const depSections = [
+      { key: 'dependencies', source: 'dependencies' as const },
+      { key: 'devDependencies', source: 'devDependencies' as const },
+      { key: 'peerDependencies', source: 'peerDependencies' as const },
+      { key: 'optionalDependencies', source: 'optionalDependencies' as const },
+    ]
+    for (const { key, source } of depSections) {
+      const depsObj = pkg[key]
+      if (!depsObj || typeof depsObj !== 'object') continue
+      for (const [name, version] of Object.entries(depsObj)) {
+        // Find the line number for this dependency
+        const lineIndex = lines.findIndex(l => l.includes(`"${name}"`))
+        deps.push({
+          name,
+          version: version as string,
+          source,
+          line: lineIndex >= 0 ? lineIndex + 1 : 1,
+        })
+      }
+    }
+    return deps
+  } catch {
+    return []
+  }
+}
+/**
+ * Extract dependencies from requirements.txt content
+ */
+export function extractPythonRequirements(content: string): ExtractedDependency[] {
+  const deps: ExtractedDependency[] = []
+  const lines = content.split('\n')
+  lines.forEach((line, index) => {
+    // Skip comments and empty lines
+    const trimmed = line.trim()
+    if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) {
+      return
+    }
+    // Parse package name and optional version
+    // Formats: package, package==1.0.0, package>=1.0.0, package[extra], etc.
+    const match = trimmed.match(/^([a-zA-Z0-9_-]+)(?:\[.*?\])?(?:[=<>~!]+(.+))?/)
+    if (match) {
+      deps.push({
+        name: match[1],
+        version: match[2],
+        source: 'requirements',
+        line: index + 1,
+      })
+    }
+  })
+  return deps
+}
+/**
+ * Extract dependencies from pyproject.toml content
+ */
+export function extractPyprojectDependencies(content: string): ExtractedDependency[] {
+  const deps: ExtractedDependency[] = []
+  const lines = content.split('\n')
+  let inDependencies = false
+  lines.forEach((line, index) => {
+    const trimmed = line.trim()
+    // Check for dependencies section
+    if (trimmed === '[project.dependencies]' || trimmed === 'dependencies = [') {
+      inDependencies = true
+      return
+    }
+    // Exit dependencies section
+    if (inDependencies && (trimmed.startsWith('[') || trimmed === ']')) {
+      inDependencies = false
+      return
+    }
+    if (inDependencies) {
+      // Parse dependency line: "package>=1.0.0", or package = ">=1.0.0"
+      const match = trimmed.match(/^["']?([a-zA-Z0-9_-]+)(?:\[.*?\])?(?:[=<>~!]+)?/)
+      if (match && match[1]) {
+        deps.push({
+          name: match[1],
+          version: undefined,
+          source: 'requirements',
+          line: index + 1,
+        })
+      }
+    }
+  })
+  return deps
+}
+/**
+ * Determine the package file type from path
+ */
+export function getPackageFileType(filePath: string): 'npm' | 'python' | null {
+  const fileName = filePath.split('/').pop()?.toLowerCase() || ''
+  if (fileName === 'package.json' ||
+      fileName === 'package-lock.json' ||
+      fileName === 'yarn.lock' ||
+      fileName === 'pnpm-lock.yaml') {
+    return 'npm'
+  }
+  if (fileName === 'requirements.txt' ||
+      fileName === 'pyproject.toml' ||
+      fileName === 'pipfile' ||
+      fileName === 'pipfile.lock') {
+    return 'python'
+  }
+  return null
+}
+/**
+ * Calculate package age in days from creation date
+ */
+export function calculatePackageAgeDays(createdDate: string | undefined): number {
+  if (!createdDate) return Infinity // Unknown age, treat as old (safe)
+  try {
+    const created = new Date(createdDate)
+    const now = new Date()
+    const diffMs = now.getTime() - created.getTime()
+    return Math.floor(diffMs / (1000 * 60 * 60 * 24))
+  } catch {
+    return Infinity
+  }
+}
+/**
+ * Rate limiter helper - adds delay between registry requests
+ */
+export async function rateLimitDelay(): Promise<void> {
+  return new Promise(resolve => setTimeout(resolve, RATE_LIMIT_DELAY_MS))
+}
+/**
+ * Clear all caches (useful for testing)
+ */
+export function clearRegistryCaches(): void {
+  npmMetadataCache.clear()
+  pypiMetadataCache.clear()
+}