@oculum/scanner 1.0.10 → 1.0.12

package/dist/suppression/manager.js

@@ -0,0 +1,292 @@
+"use strict";
+/**
+ * Suppression Manager
+ * Central class for managing all suppression logic
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SuppressionManager = void 0;
+const minimatch_1 = require("minimatch");
+const config_loader_1 = require("./config-loader");
+const inline_parser_1 = require("./inline-parser");
+const hash_1 = require("./hash");
+/**
+ * SuppressionManager handles all suppression logic
+ *
+ * Priority order for suppressions:
+ * 1. Inline comment suppressions (highest priority)
+ * 2. Config file finding suppressions (by hash)
+ * 3. Config file rule suppressions (by category)
+ */
+class SuppressionManager {
+    constructor(options) {
+        // Cache for inline suppressions by file path
+        this.inlineSuppressionCache = new Map();
+        this.projectPath = options.projectPath;
+        this.includeExpired = options.includeExpired ?? false;
+        if (options.config) {
+            this.config = options.config;
+            this.configPath = undefined;
+            this.configErrors = [];
+        }
+        else {
+            const result = (0, config_loader_1.loadSuppressionConfig)(options.projectPath);
+            this.config = result.config;
+            this.configPath = result.configPath;
+            this.configErrors = result.errors;
+        }
+    }
+    /**
+     * Get configuration errors (if any)
+     */
+    getConfigErrors() {
+        return this.configErrors;
+    }
+    /**
+     * Get the path to the config file (if found)
+     */
+    getConfigPath() {
+        return this.configPath;
+    }
+    /**
+     * Check if a file path should be ignored entirely
+     */
+    isPathIgnored(filePath) {
+        if (!this.config.ignore || this.config.ignore.length === 0) {
+            return false;
+        }
+        const normalizedPath = (0, hash_1.normalizePathForHash)(filePath);
+        return this.config.ignore.some(pattern => (0, minimatch_1.minimatch)(normalizedPath, pattern, { dot: true }));
+    }
+    /**
+     * Parse inline suppressions for a file
+     */
+    getInlineSuppressions(filePath, content) {
+        // Check cache first
+        const cached = this.inlineSuppressionCache.get(filePath);
+        if (cached) {
+            return cached;
+        }
+        // Parse and cache
+        const suppressions = (0, inline_parser_1.parseInlineSuppressions)(content);
+        this.inlineSuppressionCache.set(filePath, suppressions);
+        return suppressions;
+    }
+    /**
+     * Check if a finding is suppressed
+     *
+     * Priority:
+     * 1. Inline comment (highest)
+     * 2. Config finding suppression (by hash)
+     * 3. Config rule suppression (by category)
+     */
+    isFindingSuppressed(finding, fileContent) {
+        const hash = (0, hash_1.computeFindingHash)(finding);
+        const normalizedPath = (0, hash_1.normalizePathForHash)(finding.filePath);
+        // 1. Check inline suppressions (if file content provided)
+        if (fileContent) {
+            const inlineSuppressions = this.getInlineSuppressions(finding.filePath, fileContent);
+            const inlineSuppression = (0, inline_parser_1.isLineSuppressed)(inlineSuppressions, finding.lineNumber, finding.category);
+            if (inlineSuppression) {
+                return {
+                    suppressed: true,
+                    match: {
+                        type: 'inline',
+                        reason: inlineSuppression.reason,
+                    },
+                    hash,
+                };
+            }
+        }
+        // 2. Check config finding suppressions (by hash)
+        const findingSuppressions = this.config.suppressions?.findings || [];
+        const findingSuppression = findingSuppressions.find(s => s.hash === hash);
+        if (findingSuppression) {
+            const expired = (0, config_loader_1.isExpired)(findingSuppression.expires);
+            if (expired && !this.includeExpired) {
+                // Expired - not suppressed
+                return {
+                    suppressed: false,
+                    match: {
+                        type: 'config-finding',
+                        reason: findingSuppression.reason,
+                        expires: findingSuppression.expires,
+                        expired: true,
+                    },
+                    hash,
+                };
+            }
+            return {
+                suppressed: true,
+                match: {
+                    type: 'config-finding',
+                    reason: findingSuppression.reason,
+                    expires: findingSuppression.expires,
+                    expired,
+                },
+                hash,
+            };
+        }
+        // 3. Check config rule suppressions (by category)
+        const ruleSuppressions = this.config.suppressions?.rules || [];
+        const ruleSuppression = ruleSuppressions.find(s => {
+            // Must match category
+            if (s.category !== finding.category) {
+                return false;
+            }
+            // If paths specified, must match one of them
+            if (s.paths && s.paths.length > 0) {
+                const matchesPath = s.paths.some(pattern => (0, minimatch_1.minimatch)(normalizedPath, pattern, { dot: true }));
+                if (!matchesPath) {
+                    return false;
+                }
+            }
+            return true;
+        });
+        if (ruleSuppression) {
+            const expired = (0, config_loader_1.isExpired)(ruleSuppression.expires);
+            if (expired && !this.includeExpired) {
+                // Expired - not suppressed
+                return {
+                    suppressed: false,
+                    match: {
+                        type: 'config-rule',
+                        reason: ruleSuppression.reason,
+                        expires: ruleSuppression.expires,
+                        expired: true,
+                    },
+                    hash,
+                };
+            }
+            return {
+                suppressed: true,
+                match: {
+                    type: 'config-rule',
+                    reason: ruleSuppression.reason,
+                    expires: ruleSuppression.expires,
+                    expired,
+                },
+                hash,
+            };
+        }
+        // Not suppressed
+        return {
+            suppressed: false,
+            hash,
+        };
+    }
+    /**
+     * Apply suppressions to a list of findings
+     */
+    applySuppressions(findings, files) {
+        // Build file content lookup
+        const fileContentMap = new Map();
+        for (const file of files) {
+            fileContentMap.set((0, hash_1.normalizePathForHash)(file.path), file.content);
+        }
+        const passed = [];
+        const suppressed = [];
+        let expiredCount = 0;
+        const stats = {
+            total: findings.length,
+            inlineSuppressed: 0,
+            configFindingSuppressed: 0,
+            configRuleSuppressed: 0,
+            expired: 0,
+        };
+        for (const finding of findings) {
+            // Get file content for inline suppression checking
+            const normalizedPath = (0, hash_1.normalizePathForHash)(finding.filePath);
+            const fileContent = fileContentMap.get(normalizedPath);
+            const result = this.isFindingSuppressed(finding, fileContent);
+            if (result.suppressed) {
+                suppressed.push({
+                    vulnerability: {
+                        id: finding.id,
+                        filePath: finding.filePath,
+                        lineNumber: finding.lineNumber,
+                        category: finding.category,
+                        severity: finding.severity,
+                        title: finding.title,
+                    },
+                    suppression: {
+                        type: result.match.type,
+                        reason: result.match.reason,
+                        expires: result.match.expires,
+                        hash: result.hash,
+                    },
+                });
+                // Update stats
+                switch (result.match.type) {
+                    case 'inline':
+                        stats.inlineSuppressed++;
+                        break;
+                    case 'config-finding':
+                        stats.configFindingSuppressed++;
+                        break;
+                    case 'config-rule':
+                        stats.configRuleSuppressed++;
+                        break;
+                }
+            }
+            else {
+                passed.push(finding);
+                // Track expired suppressions
+                if (result.match?.expired) {
+                    expiredCount++;
+                    stats.expired++;
+                }
+            }
+        }
+        return {
+            findings: passed,
+            suppressed,
+            expiredSuppressions: expiredCount,
+            stats,
+        };
+    }
+    /**
+     * Get all suppressions from config
+     */
+    getAllSuppressions() {
+        return {
+            rules: this.config.suppressions?.rules || [],
+            findings: this.config.suppressions?.findings || [],
+        };
+    }
+    /**
+     * Get ignore patterns from config
+     */
+    getIgnorePatterns() {
+        return this.config.ignore || [];
+    }
+    /**
+     * Check if suppression system is active (has any suppressions)
+     */
+    hasSuppressions() {
+        const rules = this.config.suppressions?.rules || [];
+        const findings = this.config.suppressions?.findings || [];
+        const ignore = this.config.ignore || [];
+        return rules.length > 0 || findings.length > 0 || ignore.length > 0;
+    }
+    /**
+     * Get summary of suppression configuration
+     */
+    getSummary() {
+        return {
+            configPath: this.configPath,
+            ruleCount: this.config.suppressions?.rules?.length || 0,
+            findingCount: this.config.suppressions?.findings?.length || 0,
+            ignorePatternCount: this.config.ignore?.length || 0,
+            hasErrors: this.configErrors.length > 0,
+        };
+    }
+    /**
+     * Clear the inline suppression cache
+     * (useful if files have been modified)
+     */
+    clearCache() {
+        this.inlineSuppressionCache.clear();
+    }
+}
+exports.SuppressionManager = SuppressionManager;
+//# sourceMappingURL=manager.js.map

package/dist/suppression/manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/suppression/manager.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,yCAAqC;AAWrC,mDAAkE;AAClE,mDAA2E;AAC3E,iCAAiE;AAcjE;;;;;;;GAOG;AACH,MAAa,kBAAkB;IAU7B,YAAY,OAAkC;QAH9C,6CAA6C;QACrC,2BAAsB,GAAgD,IAAI,GAAG,EAAE,CAAA;QAGrF,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;QACtC,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,KAAK,CAAA;QAErD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAA;YAC5B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAA;YAC3B,IAAI,CAAC,YAAY,GAAG,EAAE,CAAA;QACxB,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,IAAA,qCAAqB,EAAC,OAAO,CAAC,WAAW,CAAC,CAAA;YACzD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAA;YAC3B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAA;YACnC,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,CAAA;QACnC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,CAAA;IAC1B,CAAC;IAED;;OAEG;IACH,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAA;IACxB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAgB;QAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3D,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,cAAc,GAAG,IAAA,2BAAoB,EAAC,QAAQ,CAAC,CAAA;QAErD,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACvC,IAAA,qBAAS,EAAC,cAAc,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAClD,CAAA;IACH,CAAC;IAED;;OAEG;IACK,qBAAqB,CAC3B,QAAgB,EAChB,OAAe;QAEf,oBAAoB;QACpB,MAAM,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACxD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAA;QACf,CAAC;QAED,kBAAkB;QAClB,MAAM,YAAY,GAAG,IAAA,uCAAuB,EAAC,OAAO,CAAC,CAAA;QACrD,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAA;QACvD,OAAO,YAAY,CAAA;IACrB,CAAC;IAED;;;;;;;OAOG;IACH,mBAAmB,CACjB,OAAsB,EACtB,WAAoB;QAEpB,MAAM,IAAI,GAAG,IAAA,yBAAkB,EAAC,OAAO,CAAC,CAAA;QACxC,MAAM,cAAc,GAAG,IAAA,2BAAoB,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QAE7D,0DAA0D;QAC1D,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;YACpF,MAAM,iBAAiB,GAAG,IAAA,gCAAgB,EACxC,kBAAkB,EAClB,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,QAAQ,CACjB,CAAA;YAED,IAAI,iBAAiB,EAAE,CAAC;gBACtB,OAAO;oBACL,UAAU,EAAE,IAAI;oBAChB,KAAK,EAAE;wBACL,IAAI,EAAE,QAAQ;wBACd,MAAM,EAAE,iBAAiB,CAAC,MAAM;qBACjC;oBACD,IAAI;iBACL,CAAA;YACH,CAAC;QACH,CAAC;QAED,iDAAiD;QACjD,MAAM,mBAAmB,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,QAAQ,IAAI,EAAE,CAAA;QACpE,MAAM,kBAAkB,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;QAEzE,IAAI,kBAAkB,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,IAAA,yBAAS,EAAC,kBAAkB,CAAC,OAAO,CAAC,CAAA;YAErD,IAAI,OAAO,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpC,2BAA2B;gBAC3B,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,KAAK,EAAE;wBACL,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,kBAAkB,CAAC,MAAM;wBACjC,OAAO,EAAE,kBAAkB,CAAC,OAAO;wBACnC,OAAO,EAAE,IAAI;qBACd;oBACD,IAAI;iBACL,CAAA;YACH,CAAC;YAED,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE;oBACL,IAAI,EAAE,gBAAgB;oBACtB,MAAM,EAAE,kBAAkB,CAAC,MAAM;oBACjC,OAAO,EAAE,kBAAkB,CAAC,OAAO;oBACnC,OAAO;iBACR;gBACD,IAAI;aACL,CAAA;QACH,CAAC;QAED,kDAAkD;QAClD,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,IAAI,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;YAChD,sBAAsB;YACtB,IAAI,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACpC,OAAO,KAAK,CAAA;YACd,CAAC;YAED,6CAA6C;YAC7C,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACzC,IAAA,qBAAS,EAAC,cAAc,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAClD,CAAA;gBACD,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,KAAK,CAAA;gBACd,CAAC;YACH,CAAC;YAED,OAAO,IAAI,CAAA;QACb,CAAC,CAAC,CAAA;QAEF,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,IAAA,yBAAS,EAAC,eAAe,CAAC,OAAO,CAAC,CAAA;YAElD,IAAI,OAAO,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpC,2BAA2B;gBAC3B,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,KAAK,EAAE;wBACL,IAAI,EAAE,aAAa;wBACnB,MAAM,EAAE,eAAe,CAAC,MAAM;wBAC9B,OAAO,EAAE,eAAe,CAAC,OAAO;wBAChC,OAAO,EAAE,IAAI;qBACd;oBACD,IAAI;iBACL,CAAA;YACH,CAAC;YAED,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE;oBACL,IAAI,EAAE,aAAa;oBACnB,MAAM,EAAE,eAAe,CAAC,MAAM;oBAC9B,OAAO,EAAE,eAAe,CAAC,OAAO;oBAChC,OAAO;iBACR;gBACD,IAAI;aACL,CAAA;QACH,CAAC;QAED,iBAAiB;QACjB,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,IAAI;SACL,CAAA;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,QAAyB,EACzB,KAAiB;QAEjB,4BAA4B;QAC5B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAkB,CAAA;QAChD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,cAAc,CAAC,GAAG,CAAC,IAAA,2BAAoB,EAAC,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;QACnE,CAAC;QAED,MAAM,MAAM,GAAoB,EAAE,CAAA;QAClC,MAAM,UAAU,GAA8B,EAAE,CAAA;QAChD,IAAI,YAAY,GAAG,CAAC,CAAA;QAEpB,MAAM,KAAK,GAAG;YACZ,KAAK,EAAE,QAAQ,CAAC,MAAM;YACtB,gBAAgB,EAAE,CAAC;YACnB,uBAAuB,EAAE,CAAC;YAC1B,oBAAoB,EAAE,CAAC;YACvB,OAAO,EAAE,CAAC;SACX,CAAA;QAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,mDAAmD;YACnD,MAAM,cAAc,GAAG,IAAA,2BAAoB,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;YAC7D,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;YAEtD,MAAM,MAAM,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;YAE7D,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,UAAU,CAAC,IAAI,CAAC;oBACd,aAAa,EAAE;wBACb,EAAE,EAAE,OAAO,CAAC,EAAE;wBACd,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;wBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;qBACrB;oBACD,WAAW,EAAE;wBACX,IAAI,EAAE,MAAM,CAAC,KAAM,CAAC,IAAI;wBACxB,MAAM,EAAE,MAAM,CAAC,KAAM,CAAC,MAAM;wBAC5B,OAAO,EAAE,MAAM,CAAC,KAAM,CAAC,OAAO;wBAC9B,IAAI,EAAE,MAAM,CAAC,IAAI;qBAClB;iBACF,CAAC,CAAA;gBAEF,eAAe;gBACf,QAAQ,MAAM,CAAC,KAAM,CAAC,IAAI,EAAE,CAAC;oBAC3B,KAAK,QAAQ;wBACX,KAAK,CAAC,gBAAgB,EAAE,CAAA;wBACxB,MAAK;oBACP,KAAK,gBAAgB;wBACnB,KAAK,CAAC,uBAAuB,EAAE,CAAA;wBAC/B,MAAK;oBACP,KAAK,aAAa;wBAChB,KAAK,CAAC,oBAAoB,EAAE,CAAA;wBAC5B,MAAK;gBACT,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;gBAEpB,6BAA6B;gBAC7B,IAAI,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;oBAC1B,YAAY,EAAE,CAAA;oBACd,KAAK,CAAC,OAAO,EAAE,CAAA;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,UAAU;YACV,mBAAmB,EAAE,YAAY;YACjC,KAAK;SACN,CAAA;IACH,CAAC;IAED;;OAEG;IACH,kBAAkB;QAIhB,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,IAAI,EAAE;YAC5C,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,QAAQ,IAAI,EAAE;SACnD,CAAA;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAA;IACjC,CAAC;IAED;;OAEG;IACH,eAAe;QACb,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,IAAI,EAAE,CAAA;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,QAAQ,IAAI,EAAE,CAAA;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAA;QAEvC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAA;IACrE,CAAC;IAED;;OAEG;IACH,UAAU;QAOR,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,EAAE,MAAM,IAAI,CAAC;YACvD,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;YAC7D,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC;YACnD,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;SACxC,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,UAAU;QACR,IAAI,CAAC,sBAAsB,CAAC,KAAK,EAAE,CAAA;IACrC,CAAC;CACF;AAlVD,gDAkVC"}

package/dist/suppression/types.d.ts

@@ -0,0 +1,151 @@
+/**
+ * Suppression System Types
+ * Defines types for the finding suppression/ignore system
+ */
+import type { VulnerabilityCategory, VulnerabilitySeverity } from '../types';
+/**
+ * Suppression configuration file structure
+ * Supports .oculum.yaml, .oculum.yml, oculum.config.json, .oculumrc
+ */
+export interface SuppressionConfig {
+    /** Config schema version */
+    version: 1;
+    /** Suppression rules */
+    suppressions?: {
+        /** Rule-based suppressions (by category) */
+        rules?: RuleSuppression[];
+        /** Finding-based suppressions (by hash) */
+        findings?: FindingSuppression[];
+    };
+    /** Path patterns to ignore entirely (glob format) */
+    ignore?: string[];
+}
+/**
+ * Suppress all findings of a specific category/rule
+ */
+export interface RuleSuppression {
+    /** Category to suppress (e.g., 'high_entropy_string') */
+    category: VulnerabilityCategory;
+    /** Reason for suppression (required for audit trail) */
+    reason: string;
+    /** Optional: Only suppress in specific files (glob patterns) */
+    paths?: string[];
+    /** Optional: Expiration date (ISO 8601 format) */
+    expires?: string;
+    /** Optional: Who added this suppression */
+    suppressedBy?: string;
+    /** Optional: When this was added (ISO 8601 format) */
+    suppressedAt?: string;
+}
+/**
+ * Suppress a specific finding by its hash
+ */
+export interface FindingSuppression {
+    /** Finding hash (computed from file path, content, and category) */
+    hash: string;
+    /** File path where the finding was detected */
+    file: string;
+    /** Line number (for reference, not used in matching) */
+    line?: number;
+    /** Reason for suppression (required for audit trail) */
+    reason: string;
+    /** Optional: Expiration date (ISO 8601 format) */
+    expires?: string;
+    /** Optional: Who added this suppression */
+    suppressedBy?: string;
+    /** Optional: When this was added (ISO 8601 format) */
+    suppressedAt?: string;
+}
+/**
+ * Inline suppression from code comments
+ */
+export interface InlineSuppression {
+    /** Line number this suppression applies to */
+    lineNumber: number;
+    /** Type of inline suppression */
+    type: 'next-line' | 'same-line' | 'block-start' | 'block-end';
+    /** Reason from the comment */
+    reason: string;
+    /** Optional: Specific rule/category to suppress */
+    ruleId?: VulnerabilityCategory;
+    /** Original comment text */
+    commentText: string;
+}
+/**
+ * Result of checking if a finding is suppressed
+ */
+export interface SuppressionMatch {
+    /** Whether the finding is suppressed */
+    suppressed: boolean;
+    /** The matching suppression (if any) */
+    match?: {
+        /** Type of suppression that matched */
+        type: 'inline' | 'config-finding' | 'config-rule';
+        /** Reason for suppression */
+        reason: string;
+        /** Expiration date (if any) */
+        expires?: string;
+        /** Whether the suppression is expired */
+        expired?: boolean;
+    };
+    /** Hash of the finding (always computed) */
+    hash: string;
+}
+/**
+ * Suppressed vulnerability with metadata
+ */
+export interface SuppressedVulnerability {
+    /** The original vulnerability */
+    vulnerability: {
+        id: string;
+        filePath: string;
+        lineNumber: number;
+        category: VulnerabilityCategory;
+        severity: VulnerabilitySeverity;
+        title: string;
+    };
+    /** Suppression details */
+    suppression: {
+        /** Type of suppression that matched */
+        type: 'inline' | 'config-finding' | 'config-rule';
+        /** Reason for suppression */
+        reason: string;
+        /** Expiration date (if any) */
+        expires?: string;
+        /** Finding hash */
+        hash: string;
+    };
+}
+/**
+ * Result of applying suppressions to findings
+ */
+export interface SuppressionResult {
+    /** Findings that passed through (not suppressed) */
+    findings: import('../types').Vulnerability[];
+    /** Findings that were suppressed */
+    suppressed: SuppressedVulnerability[];
+    /** Count of expired suppressions (findings reappear) */
+    expiredSuppressions: number;
+    /** Statistics */
+    stats: {
+        /** Total findings before suppression */
+        total: number;
+        /** Findings suppressed by inline comments */
+        inlineSuppressed: number;
+        /** Findings suppressed by config (finding hash) */
+        configFindingSuppressed: number;
+        /** Findings suppressed by config (rule) */
+        configRuleSuppressed: number;
+        /** Findings that would have been suppressed but suppression expired */
+        expired: number;
+    };
+}
+/**
+ * Suppression configuration file names (in order of priority)
+ */
+export declare const SUPPRESSION_CONFIG_FILES: readonly [".oculum.yaml", ".oculum.yml", "oculum.config.json", ".oculumrc"];
+/**
+ * Default suppression config (empty)
+ */
+export declare const DEFAULT_SUPPRESSION_CONFIG: SuppressionConfig;
+//# sourceMappingURL=types.d.ts.map

package/dist/suppression/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/suppression/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AAE5E;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,4BAA4B;IAC5B,OAAO,EAAE,CAAC,CAAA;IAEV,wBAAwB;IACxB,YAAY,CAAC,EAAE;QACb,4CAA4C;QAC5C,KAAK,CAAC,EAAE,eAAe,EAAE,CAAA;QACzB,2CAA2C;QAC3C,QAAQ,CAAC,EAAE,kBAAkB,EAAE,CAAA;KAChC,CAAA;IAED,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,QAAQ,EAAE,qBAAqB,CAAA;IAC/B,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAA;IACd,gEAAgE;IAChE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,sDAAsD;IACtD,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,oEAAoE;IACpE,IAAI,EAAE,MAAM,CAAA;IACZ,+CAA+C;IAC/C,IAAI,EAAE,MAAM,CAAA;IACZ,wDAAwD;IACxD,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAA;IACd,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,sDAAsD;IACtD,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAA;IAClB,iCAAiC;IACjC,IAAI,EAAE,WAAW,GAAG,WAAW,GAAG,aAAa,GAAG,WAAW,CAAA;IAC7D,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAA;IACd,mDAAmD;IACnD,MAAM,CAAC,EAAE,qBAAqB,CAAA;IAC9B,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAA;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,wCAAwC;IACxC,UAAU,EAAE,OAAO,CAAA;IACnB,wCAAwC;IACxC,KAAK,CAAC,EAAE;QACN,uCAAuC;QACvC,IAAI,EAAE,QAAQ,GAAG,gBAAgB,GAAG,aAAa,CAAA;QACjD,6BAA6B;QAC7B,MAAM,EAAE,MAAM,CAAA;QACd,+BAA+B;QAC/B,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB,yCAAyC;QACzC,OAAO,CAAC,EAAE,OAAO,CAAA;KAClB,CAAA;IACD,4CAA4C;IAC5C,IAAI,EAAE,MAAM,CAAA;CACb;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,iCAAiC;IACjC,aAAa,EAAE;QACb,EAAE,EAAE,MAAM,CAAA;QACV,QAAQ,EAAE,MAAM,CAAA;QAChB,UAAU,EAAE,MAAM,CAAA;QAClB,QAAQ,EAAE,qBAAqB,CAAA;QAC/B,QAAQ,EAAE,qBAAqB,CAAA;QAC/B,KAAK,EAAE,MAAM,CAAA;KACd,CAAA;IACD,0BAA0B;IAC1B,WAAW,EAAE;QACX,uCAAuC;QACvC,IAAI,EAAE,QAAQ,GAAG,gBAAgB,GAAG,aAAa,CAAA;QACjD,6BAA6B;QAC7B,MAAM,EAAE,MAAM,CAAA;QACd,+BAA+B;QAC/B,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB,mBAAmB;QACnB,IAAI,EAAE,MAAM,CAAA;KACb,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,oDAAoD;IACpD,QAAQ,EAAE,OAAO,UAAU,EAAE,aAAa,EAAE,CAAA;IAC5C,oCAAoC;IACpC,UAAU,EAAE,uBAAuB,EAAE,CAAA;IACrC,wDAAwD;IACxD,mBAAmB,EAAE,MAAM,CAAA;IAC3B,iBAAiB;IACjB,KAAK,EAAE;QACL,wCAAwC;QACxC,KAAK,EAAE,MAAM,CAAA;QACb,6CAA6C;QAC7C,gBAAgB,EAAE,MAAM,CAAA;QACxB,mDAAmD;QACnD,uBAAuB,EAAE,MAAM,CAAA;QAC/B,2CAA2C;QAC3C,oBAAoB,EAAE,MAAM,CAAA;QAC5B,uEAAuE;QACvE,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;CACF;AAED;;GAEG;AACH,eAAO,MAAM,wBAAwB,6EAK3B,CAAA;AAEV;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE,iBAOxC,CAAA"}

package/dist/suppression/types.js

@@ -0,0 +1,28 @@
+"use strict";
+/**
+ * Suppression System Types
+ * Defines types for the finding suppression/ignore system
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_SUPPRESSION_CONFIG = exports.SUPPRESSION_CONFIG_FILES = void 0;
+/**
+ * Suppression configuration file names (in order of priority)
+ */
+exports.SUPPRESSION_CONFIG_FILES = [
+    '.oculum.yaml',
+    '.oculum.yml',
+    'oculum.config.json',
+    '.oculumrc',
+];
+/**
+ * Default suppression config (empty)
+ */
+exports.DEFAULT_SUPPRESSION_CONFIG = {
+    version: 1,
+    suppressions: {
+        rules: [],
+        findings: [],
+    },
+    ignore: [],
+};
+//# sourceMappingURL=types.js.map

package/dist/suppression/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/suppression/types.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAsJH;;GAEG;AACU,QAAA,wBAAwB,GAAG;IACtC,cAAc;IACd,aAAa;IACb,oBAAoB;IACpB,WAAW;CACH,CAAA;AAEV;;GAEG;AACU,QAAA,0BAA0B,GAAsB;IAC3D,OAAO,EAAE,CAAC;IACV,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;QACT,QAAQ,EAAE,EAAE;KACb;IACD,MAAM,EAAE,EAAE;CACX,CAAA"}

package/dist/tiers.d.ts

@@ -56,7 +56,7 @@ export declare const LAYER1_CATEGORY_TO_DETECTOR: Partial<Record<VulnerabilityCa
 /**
  * Layer 2 detector names (internal identifiers matching detector function names)
  */
-export type Layer2DetectorName = 'dangerous_functions' | 'byok_patterns' | 'ai_execution_sinks' | 'ai_agent_tools' | 'auth_antipatterns' | 'data_exposure' | 'ai_fingerprinting' | 'ai_prompt_hygiene' | 'logic_gates' | 'variables' | 'risky_imports' | 'framework_checks' | 'ai_rag_safety' | 'ai_endpoint_protection' | 'ai_schema_validation';
+export type Layer2DetectorName = 'dangerous_functions' | 'byok_patterns' | 'ai_execution_sinks' | 'ai_agent_tools' | 'auth_antipatterns' | 'data_exposure' | 'ai_fingerprinting' | 'ai_prompt_hygiene' | 'logic_gates' | 'variables' | 'risky_imports' | 'framework_checks' | 'ai_rag_safety' | 'ai_endpoint_protection' | 'ai_schema_validation' | 'ai_package_hallucination' | 'ai_mcp_security' | 'model_supply_chain';
 /**
  * Layer 2 tier assignments
  *
@@ -106,11 +106,11 @@ export declare function getLayer2DetectorTier(detector: Layer2DetectorName): Det
 /**
  * Check if a tier should be visible at a given scan depth
  */
-export declare function isTierVisibleAtDepth(tier: DetectorTier, depth: 'cheap' | 'validated' | 'deep'): boolean;
+export declare function isTierVisibleAtDepth(tier: DetectorTier, depth: 'local' | 'verified' | 'deep'): boolean;
 /**
  * Check if a tier should go through AI validation at a given scan depth
  */
-export declare function shouldValidateWithAI(tier: DetectorTier, depth: 'cheap' | 'validated' | 'deep'): boolean;
+export declare function shouldValidateWithAI(tier: DetectorTier, depth: 'local' | 'verified' | 'deep'): boolean;
 /**
  * Compute tier statistics from an array of vulnerabilities
  */

package/dist/tiers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tiers.d.ts","sourceRoot":"","sources":["../src/tiers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA;AAEpD;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,aAAa,GAAG,cAAc,CAAA;AAElE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;CACrB;AAMD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,SAAS,GACT,cAAc,GACd,YAAY,GACZ,aAAa,CAAA;AAEjB;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,YAAY,CAQ1E,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CASlG,CAAA;AAMD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,qBAAqB,GACrB,eAAe,GACf,oBAAoB,GACpB,gBAAgB,GAChB,mBAAmB,GACnB,eAAe,GACf,mBAAmB,GACnB,mBAAmB,GACnB,aAAa,GACb,WAAW,GACX,eAAe,GACf,kBAAkB,GAElB,eAAe,GACf,wBAAwB,GACxB,sBAAsB,CAAA;AAE1B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,YAAY,CAuB1E,CAAA;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CAkClG,CAAA;AAMD;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,qBAAqB,EAC/B,KAAK,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GACf,YAAY,CAoBd;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,YAAY,CAEhF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,YAAY,CAEhF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,YAAY,EAClB,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,MAAM,GACpC,OAAO,CAYT;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,YAAY,EAClB,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,MAAM,GACpC,OAAO,CAUT;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,eAAe,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,qBAAqB,CAAC;IAAC,KAAK,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;CAAE,CAAC,GAC5E,SAAS,CAaX;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAExD"}
+{"version":3,"file":"tiers.d.ts","sourceRoot":"","sources":["../src/tiers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA;AAEpD;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,aAAa,GAAG,cAAc,CAAA;AAElE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;CACrB;AAMD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,SAAS,GACT,cAAc,GACd,YAAY,GACZ,aAAa,CAAA;AAEjB;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,YAAY,CAQ1E,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CASlG,CAAA;AAMD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,qBAAqB,GACrB,eAAe,GACf,oBAAoB,GACpB,gBAAgB,GAChB,mBAAmB,GACnB,eAAe,GACf,mBAAmB,GACnB,mBAAmB,GACnB,aAAa,GACb,WAAW,GACX,eAAe,GACf,kBAAkB,GAElB,eAAe,GACf,wBAAwB,GACxB,sBAAsB,GAEtB,0BAA0B,GAC1B,iBAAiB,GAEjB,oBAAoB,CAAA;AAExB;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,YAAY,CA6B1E,CAAA;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CA2DlG,CAAA;AAMD;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,qBAAqB,EAC/B,KAAK,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GACf,YAAY,CAoBd;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,YAAY,CAEhF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,YAAY,CAEhF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,YAAY,EAClB,KAAK,EAAE,OAAO,GAAG,UAAU,GAAG,MAAM,GACnC,OAAO,CAYT;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,YAAY,EAClB,KAAK,EAAE,OAAO,GAAG,UAAU,GAAG,MAAM,GACnC,OAAO,CAUT;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,eAAe,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,qBAAqB,CAAC;IAAC,KAAK,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;CAAE,CAAC,GAC5E,SAAS,CAaX;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAExD"}

package/dist/tiers.js

@@ -100,6 +100,11 @@ exports.LAYER2_DETECTOR_TIERS = {
     ai_rag_safety: 'core', // Tier A - Cross-tenant data access is critical
     ai_endpoint_protection: 'core', // Tier A - Cost abuse / API exposure has clear signals
     ai_schema_validation: 'ai_assisted', // Tier B - Context-dependent, benefits from AI validation
+    // AI Detection Roadmap Phase 1
+    ai_package_hallucination: 'core', // Tier A - Supply chain attacks are critical
+    ai_mcp_security: 'core', // Tier A - MCP tool security is critical for AI agents
+    // AI Detection Roadmap Phase 2
+    model_supply_chain: 'core', // Tier A - Model supply chain risks are critical (RCE)
 };
 /**
  * Mapping from vulnerability category to Layer 2 detector name
@@ -142,6 +147,28 @@ exports.LAYER2_CATEGORY_TO_DETECTOR = {
     ai_rag_exfiltration: 'ai_rag_safety',
     ai_endpoint_unprotected: 'ai_endpoint_protection',
     ai_schema_mismatch: 'ai_schema_validation',
+    // AI Detection Roadmap Phase 1 categories
+    ai_package_hallucination: 'ai_package_hallucination',
+    ai_rag_corpus_poisoning: 'ai_rag_safety', // Extended RAG detector
+    ai_rag_pii_leakage: 'ai_rag_safety', // Extended RAG detector
+    ai_mcp_tool_poisoning: 'ai_mcp_security',
+    ai_mcp_credential_issue: 'ai_mcp_security',
+    ai_mcp_confused_deputy: 'ai_mcp_security',
+    // Phase 1 Enhancement Backlog categories
+    ai_mcp_description_injection: 'ai_mcp_security',
+    ai_mcp_server_shadowing: 'ai_mcp_security',
+    ai_mcp_config_secrets: 'ai_mcp_security', // Note: Layer 1 detector, but core tier
+    ai_mcp_config_permissions: 'ai_mcp_security', // Note: Layer 1 detector
+    ai_rag_query_injection: 'ai_rag_safety',
+    ai_rag_embedding_poisoning: 'ai_rag_safety',
+    ai_rag_chunk_injection: 'ai_rag_safety',
+    ai_package_typosquat: 'ai_package_hallucination',
+    ai_package_malicious: 'ai_package_hallucination',
+    // AI Detection Roadmap Phase 2 categories
+    ai_unsafe_model_load: 'model_supply_chain',
+    ai_unverified_model: 'model_supply_chain',
+    ai_unsafe_finetuning: 'model_supply_chain',
+    ai_excessive_agency: 'ai_agent_tools', // Extended in ai-agent-tools.ts
 };
 // ============================================================================
 // Tier Lookup Helpers
@@ -186,14 +213,14 @@ function getLayer2DetectorTier(detector) {
  */
 function isTierVisibleAtDepth(tier, depth) {
     switch (depth) {
-        case 'cheap':
-            // Only Tier A (core) findings are visible in cheap scans
+        case 'local':
+            // Only Tier A (core) findings are visible in local scans
             return tier === 'core';
-        case 'validated':
+        case 'verified':
             // Tier A always visible, Tier B visible after AI validation
             return tier === 'core' || tier === 'ai_assisted';
         case 'deep':
-            // Same as validated for visibility (deep adds Layer 3, not more tiers)
+            // Same as verified for visibility (deep adds Layer 3, not more tiers)
             return tier === 'core' || tier === 'ai_assisted';
     }
 }
@@ -201,11 +228,11 @@ function isTierVisibleAtDepth(tier, depth) {
  * Check if a tier should go through AI validation at a given scan depth
  */
 function shouldValidateWithAI(tier, depth) {
-    // Cheap scans skip AI validation entirely
-    if (depth === 'cheap') {
+    // Local scans skip AI validation entirely
+    if (depth === 'local') {
         return false;
     }
-    // In validated/deep, Tier B findings should go through AI validation
+    // In verified/deep, Tier B findings should go through AI validation
     // Tier A is high-precision and doesn't need AI validation
     // Tier C is hidden anyway
     return tier === 'ai_assisted';

package/dist/tiers.js.map

@@ -1 +1 @@
-{"version":3,"file":"tiers.js","sourceRoot":"","sources":["../src/tiers.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AA4MH,gDAuBC;AAKD,sDAEC;AAKD,sDAEC;AAKD,oDAeC;AAKD,oDAaC;AAKD,4CAeC;AAKD,0CAEC;AA5QD;;;;;;;;;;;;;;;GAeG;AACU,QAAA,qBAAqB,GAA6C;IAC7E,aAAa,EAAE,MAAM;IACrB,WAAW,EAAE,MAAM;IACnB,cAAc,EAAE,MAAM;IACtB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,aAAa;IAC3B,UAAU,EAAE,aAAa,EAAG,4CAA4C;IACxE,WAAW,EAAE,cAAc;CAC5B,CAAA;AAED;;;GAGG;AACU,QAAA,2BAA2B,GAA+D;IACrG,gBAAgB,EAAE,eAAe;IACjC,WAAW,EAAE,aAAa;IAC1B,aAAa,EAAE,gBAAgB;IAC/B,mBAAmB,EAAE,SAAS;IAC9B,eAAe,EAAE,cAAc;IAC/B,cAAc,EAAE,cAAc;IAC9B,cAAc,EAAE,YAAY;IAC5B,UAAU,EAAE,aAAa,EAAG,0CAA0C;CACvE,CAAA;AA2BD;;;;;;;;;;;;;;;;;;;;GAoBG;AACU,QAAA,qBAAqB,GAA6C;IAC7E,iCAAiC;IACjC,mBAAmB,EAAE,MAAM;IAC3B,aAAa,EAAE,MAAM;IACrB,kBAAkB,EAAE,MAAM;IAC1B,cAAc,EAAE,MAAM;IAEtB,kCAAkC;IAClC,iBAAiB,EAAE,aAAa;IAChC,aAAa,EAAE,aAAa;IAC5B,iBAAiB,EAAE,aAAa;IAChC,iBAAiB,EAAE,aAAa;IAEhC,qCAAqC;IACrC,WAAW,EAAE,cAAc;IAC3B,SAAS,EAAE,cAAc;IACzB,aAAa,EAAE,cAAc;IAC7B,gBAAgB,EAAE,cAAc;IAEhC,2BAA2B;IAC3B,aAAa,EAAE,MAAM,EAAY,gDAAgD;IACjF,sBAAsB,EAAE,MAAM,EAAG,uDAAuD;IACxF,oBAAoB,EAAE,aAAa,EAAE,0DAA0D;CAChG,CAAA;AAED;;;;;;;;;;GAUG;AACU,QAAA,2BAA2B,GAA+D;IACrG,kCAAkC;IAClC,kBAAkB,EAAE,qBAAqB;IACzC,aAAa,EAAE,qBAAqB;IACpC,iBAAiB,EAAE,qBAAqB;IACxC,mBAAmB,EAAE,oBAAoB;IACzC,sBAAsB,EAAE,gBAAgB;IAExC,oBAAoB;IACpB,YAAY,EAAE,mBAAmB;IACjC,aAAa,EAAE,eAAe;IAC9B,mBAAmB,EAAE,mBAAmB;IAExC,6EAA6E;IAC7E,+DAA+D;IAC/D,8CAA8C;IAC9C,iEAAiE;IACjE,yFAAyF;IACzF,qEAAqE;IACrE,UAAU,EAAE,mBAAmB;IAE/B,oBAAoB;IACpB,eAAe,EAAE,aAAa;IAC9B,kBAAkB,EAAE,WAAW;IAC/B,kBAAkB,EAAE,eAAe;IACnC,qBAAqB,EAAE,kBAAkB;IACzC,6DAA6D;IAC7D,sFAAsF;IACtF,eAAe,EAAE,kBAAkB;IAEnC,4BAA4B;IAC5B,mBAAmB,EAAE,eAAe;IACpC,uBAAuB,EAAE,wBAAwB;IACjD,kBAAkB,EAAE,sBAAsB;CAC3C,CAAA;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,kBAAkB,CAChC,QAA+B,EAC/B,KAAgB;IAEhB,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,MAAM,QAAQ,GAAG,mCAA2B,CAAC,QAAQ,CAAC,CAAA;QACtD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;SAAM,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,mCAA2B,CAAC,QAAQ,CAAC,CAAA;QACtD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,OAAO,MAAM,CAAA;IACf,CAAC;IAED,oFAAoF;IACpF,OAAO,aAAa,CAAA;AACtB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,IAAkB,EAClB,KAAqC;IAErC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,OAAO;YACV,yDAAyD;YACzD,OAAO,IAAI,KAAK,MAAM,CAAA;QACxB,KAAK,WAAW;YACd,4DAA4D;YAC5D,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,aAAa,CAAA;QAClD,KAAK,MAAM;YACT,uEAAuE;YACvE,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,aAAa,CAAA;IACpD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,IAAkB,EAClB,KAAqC;IAErC,0CAA0C;IAC1C,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,qEAAqE;IACrE,0DAA0D;IAC1D,0BAA0B;IAC1B,OAAO,IAAI,KAAK,aAAa,CAAA;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,eAA6E;IAE7E,MAAM,KAAK,GAAc;QACvB,IAAI,EAAE,CAAC;QACP,WAAW,EAAE,CAAC;QACd,YAAY,EAAE,CAAC;KAChB,CAAA;IAED,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;QAC1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAA;IACf,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,KAAgB;IAC9C,OAAO,eAAe,KAAK,CAAC,IAAI,gBAAgB,KAAK,CAAC,WAAW,iBAAiB,KAAK,CAAC,YAAY,GAAG,CAAA;AACzG,CAAC"}
+{"version":3,"file":"tiers.js","sourceRoot":"","sources":["../src/tiers.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAgPH,gDAuBC;AAKD,sDAEC;AAKD,sDAEC;AAKD,oDAeC;AAKD,oDAaC;AAKD,4CAeC;AAKD,0CAEC;AAhTD;;;;;;;;;;;;;;;GAeG;AACU,QAAA,qBAAqB,GAA6C;IAC7E,aAAa,EAAE,MAAM;IACrB,WAAW,EAAE,MAAM;IACnB,cAAc,EAAE,MAAM;IACtB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,aAAa;IAC3B,UAAU,EAAE,aAAa,EAAG,4CAA4C;IACxE,WAAW,EAAE,cAAc;CAC5B,CAAA;AAED;;;GAGG;AACU,QAAA,2BAA2B,GAA+D;IACrG,gBAAgB,EAAE,eAAe;IACjC,WAAW,EAAE,aAAa;IAC1B,aAAa,EAAE,gBAAgB;IAC/B,mBAAmB,EAAE,SAAS;IAC9B,eAAe,EAAE,cAAc;IAC/B,cAAc,EAAE,cAAc;IAC9B,cAAc,EAAE,YAAY;IAC5B,UAAU,EAAE,aAAa,EAAG,0CAA0C;CACvE,CAAA;AAgCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACU,QAAA,qBAAqB,GAA6C;IAC7E,iCAAiC;IACjC,mBAAmB,EAAE,MAAM;IAC3B,aAAa,EAAE,MAAM;IACrB,kBAAkB,EAAE,MAAM;IAC1B,cAAc,EAAE,MAAM;IAEtB,kCAAkC;IAClC,iBAAiB,EAAE,aAAa;IAChC,aAAa,EAAE,aAAa;IAC5B,iBAAiB,EAAE,aAAa;IAChC,iBAAiB,EAAE,aAAa;IAEhC,qCAAqC;IACrC,WAAW,EAAE,cAAc;IAC3B,SAAS,EAAE,cAAc;IACzB,aAAa,EAAE,cAAc;IAC7B,gBAAgB,EAAE,cAAc;IAEhC,2BAA2B;IAC3B,aAAa,EAAE,MAAM,EAAY,gDAAgD;IACjF,sBAAsB,EAAE,MAAM,EAAG,uDAAuD;IACxF,oBAAoB,EAAE,aAAa,EAAE,0DAA0D;IAE/F,+BAA+B;IAC/B,wBAAwB,EAAE,MAAM,EAAG,6CAA6C;IAChF,eAAe,EAAE,MAAM,EAAY,uDAAuD;IAC1F,+BAA+B;IAC/B,kBAAkB,EAAE,MAAM,EAAS,uDAAuD;CAC3F,CAAA;AAED;;;;;;;;;;GAUG;AACU,QAAA,2BAA2B,GAA+D;IACrG,kCAAkC;IAClC,kBAAkB,EAAE,qBAAqB;IACzC,aAAa,EAAE,qBAAqB;IACpC,iBAAiB,EAAE,qBAAqB;IACxC,mBAAmB,EAAE,oBAAoB;IACzC,sBAAsB,EAAE,gBAAgB;IAExC,oBAAoB;IACpB,YAAY,EAAE,mBAAmB;IACjC,aAAa,EAAE,eAAe;IAC9B,mBAAmB,EAAE,mBAAmB;IAExC,6EAA6E;IAC7E,+DAA+D;IAC/D,8CAA8C;IAC9C,iEAAiE;IACjE,yFAAyF;IACzF,qEAAqE;IACrE,UAAU,EAAE,mBAAmB;IAE/B,oBAAoB;IACpB,eAAe,EAAE,aAAa;IAC9B,kBAAkB,EAAE,WAAW;IAC/B,kBAAkB,EAAE,eAAe;IACnC,qBAAqB,EAAE,kBAAkB;IACzC,6DAA6D;IAC7D,sFAAsF;IACtF,eAAe,EAAE,kBAAkB;IAEnC,4BAA4B;IAC5B,mBAAmB,EAAE,eAAe;IACpC,uBAAuB,EAAE,wBAAwB;IACjD,kBAAkB,EAAE,sBAAsB;IAE1C,0CAA0C;IAC1C,wBAAwB,EAAE,0BAA0B;IACpD,uBAAuB,EAAE,eAAe,EAAK,wBAAwB;IACrE,kBAAkB,EAAE,eAAe,EAAU,wBAAwB;IACrE,qBAAqB,EAAE,iBAAiB;IACxC,uBAAuB,EAAE,iBAAiB;IAC1C,sBAAsB,EAAE,iBAAiB;IAEzC,yCAAyC;IACzC,4BAA4B,EAAE,iBAAiB;IAC/C,uBAAuB,EAAE,iBAAiB;IAC1C,qBAAqB,EAAE,iBAAiB,EAAO,wCAAwC;IACvF,yBAAyB,EAAE,iBAAiB,EAAG,yBAAyB;IACxE,sBAAsB,EAAE,eAAe;IACvC,0BAA0B,EAAE,eAAe;IAC3C,sBAAsB,EAAE,eAAe;IACvC,oBAAoB,EAAE,0BAA0B;IAChD,oBAAoB,EAAE,0BAA0B;IAEhD,0CAA0C;IAC1C,oBAAoB,EAAE,oBAAoB;IAC1C,mBAAmB,EAAE,oBAAoB;IACzC,oBAAoB,EAAE,oBAAoB;IAC1C,mBAAmB,EAAE,gBAAgB,EAAG,gCAAgC;CACzE,CAAA;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,kBAAkB,CAChC,QAA+B,EAC/B,KAAgB;IAEhB,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,MAAM,QAAQ,GAAG,mCAA2B,CAAC,QAAQ,CAAC,CAAA;QACtD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;SAAM,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,mCAA2B,CAAC,QAAQ,CAAC,CAAA;QACtD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,OAAO,MAAM,CAAA;IACf,CAAC;IAED,oFAAoF;IACpF,OAAO,aAAa,CAAA;AACtB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,QAA4B;IAChE,OAAO,6BAAqB,CAAC,QAAQ,CAAC,CAAA;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,IAAkB,EAClB,KAAoC;IAEpC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,OAAO;YACV,yDAAyD;YACzD,OAAO,IAAI,KAAK,MAAM,CAAA;QACxB,KAAK,UAAU;YACb,4DAA4D;YAC5D,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,aAAa,CAAA;QAClD,KAAK,MAAM;YACT,sEAAsE;YACtE,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,aAAa,CAAA;IACpD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,IAAkB,EAClB,KAAoC;IAEpC,0CAA0C;IAC1C,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,oEAAoE;IACpE,0DAA0D;IAC1D,0BAA0B;IAC1B,OAAO,IAAI,KAAK,aAAa,CAAA;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,eAA6E;IAE7E,MAAM,KAAK,GAAc;QACvB,IAAI,EAAE,CAAC;QACP,WAAW,EAAE,CAAC;QACd,YAAY,EAAE,CAAC;KAChB,CAAA;IAED,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;QAC1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAA;IACf,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,KAAgB;IAC9C,OAAO,eAAe,KAAK,CAAC,IAAI,gBAAgB,KAAK,CAAC,WAAW,iBAAiB,KAAK,CAAC,YAAY,GAAG,CAAA;AACzG,CAAC"}