npm - @oculum/scanner - Versions diffs - 1.0.10 → 1.0.12 - Mend

@oculum/scanner 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (520) hide show

package/dist/ai-context/index.d.ts +6 -0
package/dist/ai-context/index.d.ts.map +1 -0
package/dist/ai-context/index.js +13 -0
package/dist/ai-context/index.js.map +1 -0
package/dist/ai-context/manager.d.ts +67 -0
package/dist/ai-context/manager.d.ts.map +1 -0
package/dist/ai-context/manager.js +104 -0
package/dist/ai-context/manager.js.map +1 -0
package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/category-filter.d.ts +125 -0
package/dist/category-filter.d.ts.map +1 -0
package/dist/category-filter.js +360 -0
package/dist/category-filter.js.map +1 -0
package/dist/filtering/context-adjustments.d.ts +23 -0
package/dist/filtering/context-adjustments.d.ts.map +1 -0
package/dist/filtering/context-adjustments.js +100 -0
package/dist/filtering/context-adjustments.js.map +1 -0
package/dist/filtering/index.d.ts +3 -0
package/dist/filtering/index.d.ts.map +1 -0
package/dist/filtering/index.js +8 -0
package/dist/filtering/index.js.map +1 -0
package/dist/filtering/pipeline.d.ts +48 -0
package/dist/filtering/pipeline.d.ts.map +1 -0
package/dist/filtering/pipeline.js +76 -0
package/dist/filtering/pipeline.js.map +1 -0
package/dist/formatters/ai-context.d.ts +23 -0
package/dist/formatters/ai-context.d.ts.map +1 -0
package/dist/formatters/ai-context.js +238 -0
package/dist/formatters/ai-context.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +2 -2
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +77 -13
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/ide/claude-code.d.ts +17 -0
package/dist/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/formatters/ide/claude-code.js +94 -0
package/dist/formatters/ide/claude-code.js.map +1 -0
package/dist/formatters/ide/cursor.d.ts +13 -0
package/dist/formatters/ide/cursor.d.ts.map +1 -0
package/dist/formatters/ide/cursor.js +125 -0
package/dist/formatters/ide/cursor.js.map +1 -0
package/dist/formatters/ide/index.d.ts +62 -0
package/dist/formatters/ide/index.d.ts.map +1 -0
package/dist/formatters/ide/index.js +184 -0
package/dist/formatters/ide/index.js.map +1 -0
package/dist/formatters/ide/windsurf.d.ts +13 -0
package/dist/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/formatters/ide/windsurf.js +117 -0
package/dist/formatters/ide/windsurf.js.map +1 -0
package/dist/formatters/index.d.ts +3 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +20 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +423 -56
package/dist/index.js.map +1 -1
package/dist/layer1/comments.d.ts +4 -1
package/dist/layer1/comments.d.ts.map +1 -1
package/dist/layer1/comments.js +1 -1
package/dist/layer1/comments.js.map +1 -1
package/dist/layer1/config-audit.d.ts +4 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +65 -14
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +23 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +4 -1
package/dist/layer1/entropy.d.ts.map +1 -1
package/dist/layer1/entropy.js +212 -1
package/dist/layer1/entropy.js.map +1 -1
package/dist/layer1/file-flags.d.ts +4 -1
package/dist/layer1/file-flags.d.ts.map +1 -1
package/dist/layer1/file-flags.js +12 -5
package/dist/layer1/file-flags.js.map +1 -1
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +22 -19
package/dist/layer1/index.js.map +1 -1
package/dist/layer1/patterns.d.ts +4 -1
package/dist/layer1/patterns.d.ts.map +1 -1
package/dist/layer1/patterns.js +34 -4
package/dist/layer1/patterns.js.map +1 -1
package/dist/layer1/urls.d.ts +4 -1
package/dist/layer1/urls.d.ts.map +1 -1
package/dist/layer1/urls.js +162 -14
package/dist/layer1/urls.js.map +1 -1
package/dist/layer1/weak-crypto.d.ts +4 -1
package/dist/layer1/weak-crypto.d.ts.map +1 -1
package/dist/layer1/weak-crypto.js +144 -7
package/dist/layer1/weak-crypto.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts +4 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +964 -2
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +18 -4
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts +4 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +688 -29
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts +4 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +28 -32
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +20 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +877 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +22 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +828 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +817 -17
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts +4 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +454 -3
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/ai-schema-validation.d.ts +4 -1
package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
package/dist/layer2/ai-schema-validation.js +2 -2
package/dist/layer2/ai-schema-validation.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts +2 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +209 -20
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts +4 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +5 -2
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +34 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +230 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +16 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +1152 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +111 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +684 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +163 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +24 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +70 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +147 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +102 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +4 -1
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +14 -38
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts +4 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +5 -2
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +12 -1
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +110 -45
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts +4 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +58 -20
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +23 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +444 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +4 -1
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +6 -2
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts +4 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +6 -2
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +199 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/modes/incremental.js +1 -1
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +3 -3
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +34 -7
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +140 -9
package/dist/types.d.ts.map +1 -1
package/dist/types.js +34 -0
package/dist/types.js.map +1 -1
package/dist/utils/code-analysis.d.ts +39 -0
package/dist/utils/code-analysis.d.ts.map +1 -0
package/dist/utils/code-analysis.js +159 -0
package/dist/utils/code-analysis.js.map +1 -0
package/dist/utils/comment-analyzer.d.ts +38 -0
package/dist/utils/comment-analyzer.d.ts.map +1 -0
package/dist/utils/comment-analyzer.js +218 -0
package/dist/utils/comment-analyzer.js.map +1 -0
package/dist/utils/context-helpers.d.ts +112 -1
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +364 -11
package/dist/utils/context-helpers.js.map +1 -1
package/dist/utils/environment-context.d.ts +76 -0
package/dist/utils/environment-context.d.ts.map +1 -0
package/dist/utils/environment-context.js +271 -0
package/dist/utils/environment-context.js.map +1 -0
package/dist/utils/intent-detector.d.ts +66 -0
package/dist/utils/intent-detector.d.ts.map +1 -0
package/dist/utils/intent-detector.js +282 -0
package/dist/utils/intent-detector.js.map +1 -0
package/dist/utils/parsed-file.d.ts +51 -0
package/dist/utils/parsed-file.d.ts.map +1 -0
package/dist/utils/parsed-file.js +95 -0
package/dist/utils/parsed-file.js.map +1 -0
package/dist/utils/route-hierarchy.d.ts +50 -0
package/dist/utils/route-hierarchy.d.ts.map +1 -0
package/dist/utils/route-hierarchy.js +226 -0
package/dist/utils/route-hierarchy.js.map +1 -0
package/dist/utils/schema-semantics.d.ts +45 -0
package/dist/utils/schema-semantics.d.ts.map +1 -0
package/dist/utils/schema-semantics.js +193 -0
package/dist/utils/schema-semantics.js.map +1 -0
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +30 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
package/src/__tests__/benchmark/run-depth-validation.ts +9 -9
package/src/__tests__/category-filter.test.ts +478 -0
package/src/__tests__/regression/known-false-positives.test.ts +490 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +762 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +0 -9
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/__tests__/validation/run-validation.ts +7 -7
package/src/ai-context/__tests__/manager.test.ts +193 -0
package/src/ai-context/index.ts +15 -0
package/src/ai-context/manager.ts +145 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/category-filter.ts +400 -0
package/src/filtering/__tests__/pipeline.test.ts +134 -0
package/src/filtering/context-adjustments.ts +111 -0
package/src/filtering/index.ts +10 -0
package/src/filtering/pipeline.ts +130 -0
package/src/formatters/__tests__/ai-context.test.ts +254 -0
package/src/formatters/ai-context.ts +302 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +82 -14
package/src/formatters/ide/__tests__/ide.test.ts +319 -0
package/src/formatters/ide/claude-code.ts +110 -0
package/src/formatters/ide/cursor.ts +147 -0
package/src/formatters/ide/index.ts +216 -0
package/src/formatters/ide/windsurf.ts +135 -0
package/src/formatters/index.ts +28 -0
package/src/index.ts +506 -45
package/src/layer1/comments.ts +3 -1
package/src/layer1/config-audit.ts +74 -14
package/src/layer1/config-mcp-audit.ts +278 -0
package/src/layer1/entropy.ts +234 -1
package/src/layer1/file-flags.ts +17 -6
package/src/layer1/index.ts +29 -23
package/src/layer1/patterns.ts +42 -4
package/src/layer1/urls.ts +188 -14
package/src/layer1/weak-crypto.ts +168 -16
package/src/layer2/ai-agent-tools.ts +1043 -2
package/src/layer2/ai-endpoint-protection.ts +19 -4
package/src/layer2/ai-execution-sinks.ts +755 -29
package/src/layer2/ai-fingerprinting.ts +33 -33
package/src/layer2/ai-mcp-security.ts +933 -0
package/src/layer2/ai-package-hallucination.ts +940 -0
package/src/layer2/ai-prompt-hygiene.ts +898 -17
package/src/layer2/ai-rag-safety.ts +467 -5
package/src/layer2/ai-schema-validation.ts +4 -2
package/src/layer2/auth-antipatterns.ts +235 -20
package/src/layer2/byok-patterns.ts +9 -3
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +292 -0
package/src/layer2/dangerous-functions/index.ts +1533 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +789 -0
package/src/layer2/dangerous-functions/patterns.ts +176 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +35 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +106 -0
package/src/layer2/data-exposure.ts +18 -39
package/src/layer2/framework-checks.ts +9 -2
package/src/layer2/index.ts +124 -43
package/src/layer2/logic-gates.ts +64 -22
package/src/layer2/model-supply-chain.ts +531 -0
package/src/layer2/risky-imports.ts +9 -2
package/src/layer2/variables.ts +9 -2
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +223 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/modes/incremental.ts +1 -1
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +45 -9
package/src/types.ts +212 -8
package/src/utils/__tests__/code-analysis.test.ts +165 -0
package/src/utils/__tests__/parsed-file.test.ts +124 -0
package/src/utils/code-analysis.ts +179 -0
package/src/utils/comment-analyzer.ts +249 -0
package/src/utils/context-helpers.ts +421 -11
package/src/utils/environment-context.ts +304 -0
package/src/utils/intent-detector.ts +318 -0
package/src/utils/parsed-file.ts +103 -0
package/src/utils/route-hierarchy.ts +250 -0
package/src/utils/schema-semantics.ts +233 -0
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/baseline/diff.ts ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * Baseline Diff Computation
+ * Computes the difference between current findings and a baseline
+ */
+import type { Vulnerability, SeverityCounts, VulnerabilitySeverity } from '../types'
+import type { BaselineData, BaselineFinding, DiffResult } from './types'
+import { computeFindingHash } from '../suppression/hash'
+/**
+ * Compute severity counts from baseline findings
+ */
+function computeBaselineSeverityCounts(findings: BaselineFinding[]): SeverityCounts {
+  const counts: SeverityCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+  for (const finding of findings) {
+    const severity = finding.severity as VulnerabilitySeverity
+    if (severity in counts) {
+      counts[severity]++
+    }
+  }
+  return counts
+}
+/**
+ * Compute severity counts from vulnerabilities
+ */
+function computeVulnerabilitySeverityCounts(vulnerabilities: Vulnerability[]): SeverityCounts {
+  const counts: SeverityCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+  for (const vuln of vulnerabilities) {
+    if (vuln.severity in counts) {
+      counts[vuln.severity]++
+    }
+  }
+  return counts
+}
+/**
+ * Compute the diff between current scan findings and a baseline
+ *
+ * Uses finding hashes for comparison, which are computed from:
+ * - Normalized file path
+ * - Normalized line content
+ * - Category
+ *
+ * This means findings are considered the same even if:
+ * - Line numbers changed (code moved)
+ * - Minor whitespace changes occurred
+ *
+ * @param currentFindings - Vulnerabilities from the current scan
+ * @param baseline - The baseline to compare against
+ * @returns DiffResult with new, fixed, and existing findings
+ */
+export function computeDiff(
+  currentFindings: Vulnerability[],
+  baseline: BaselineData
+): DiffResult {
+  // Build hash set from baseline for O(1) lookup
+  const baselineHashes = new Set(baseline.findings.map(f => f.hash))
+  // Build hash map from current findings
+  const currentHashMap = new Map<string, Vulnerability>()
+  for (const finding of currentFindings) {
+    const hash = computeFindingHash(finding)
+    currentHashMap.set(hash, finding)
+  }
+  // Compute new findings (in current, not in baseline)
+  const newFindings: Vulnerability[] = []
+  for (const finding of currentFindings) {
+    const hash = computeFindingHash(finding)
+    if (!baselineHashes.has(hash)) {
+      newFindings.push(finding)
+    }
+  }
+  // Compute fixed findings (in baseline, not in current)
+  const fixedFindings: BaselineFinding[] = []
+  for (const baselineFinding of baseline.findings) {
+    if (!currentHashMap.has(baselineFinding.hash)) {
+      fixedFindings.push(baselineFinding)
+    }
+  }
+  // Compute existing findings (in both)
+  const existingFindings: Vulnerability[] = []
+  for (const finding of currentFindings) {
+    const hash = computeFindingHash(finding)
+    if (baselineHashes.has(hash)) {
+      existingFindings.push(finding)
+    }
+  }
+  return {
+    new: newFindings,
+    fixed: fixedFindings,
+    existing: existingFindings,
+    stats: {
+      newCount: newFindings.length,
+      fixedCount: fixedFindings.length,
+      existingCount: existingFindings.length,
+      newBySeverity: computeVulnerabilitySeverityCounts(newFindings),
+      fixedBySeverity: computeBaselineSeverityCounts(fixedFindings),
+    },
+  }
+}
+/**
+ * Check if a diff has any new blocking issues (critical or high severity)
+ */
+export function hasNewBlockingIssues(diff: DiffResult): boolean {
+  return diff.stats.newBySeverity.critical > 0 || diff.stats.newBySeverity.high > 0
+}
+/**
+ * Format a summary string for the diff
+ */
+export function formatDiffSummary(diff: DiffResult): string {
+  const parts: string[] = []
+  if (diff.stats.newCount > 0) {
+    parts.push(`${diff.stats.newCount} new`)
+  }
+  if (diff.stats.fixedCount > 0) {
+    parts.push(`${diff.stats.fixedCount} fixed`)
+  }
+  if (diff.stats.existingCount > 0) {
+    parts.push(`${diff.stats.existingCount} existing`)
+  }
+  return parts.join(', ')
+}

package/src/baseline/index.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Baseline Module
+ * Provides baseline/diff mode functionality for tracking security improvements
+ */
+// Types
+export type {
+  BaselineFinding,
+  BaselineData,
+  DiffResult,
+  BaselineDiff,
+} from './types'
+export { BASELINE_FILE_PATH, OCULUM_DIR } from './types'
+// Manager
+export {
+  BaselineManager,
+  type BaselineManagerOptions,
+  type LoadBaselineResult,
+  type SaveBaselineResult,
+  type ClearBaselineResult,
+} from './manager'
+// Diff computation
+export {
+  computeDiff,
+  hasNewBlockingIssues,
+  formatDiffSummary,
+} from './diff'

package/src/baseline/manager.ts ADDED Viewed

@@ -0,0 +1,230 @@
+/**
+ * Baseline Manager
+ * Handles loading, saving, and clearing baseline files
+ */
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from 'fs'
+import { join, dirname } from 'path'
+import { execFileSync } from 'child_process'
+import type { ScanResult, ScanDepth, Vulnerability } from '../types'
+import type { BaselineData, BaselineFinding } from './types'
+import { BASELINE_FILE_PATH, OCULUM_DIR } from './types'
+import { computeFindingHash } from '../suppression/hash'
+export interface BaselineManagerOptions {
+  /** Project root path */
+  projectPath: string
+}
+export interface LoadBaselineResult {
+  /** Whether a baseline was found */
+  found: boolean
+  /** The baseline data (if found) */
+  baseline?: BaselineData
+  /** Error message (if failed to load) */
+  error?: string
+}
+export interface SaveBaselineResult {
+  /** Whether the save was successful */
+  success: boolean
+  /** Path where baseline was saved */
+  path: string
+  /** Error message (if failed) */
+  error?: string
+}
+export interface ClearBaselineResult {
+  /** Whether the clear was successful */
+  success: boolean
+  /** Whether a baseline existed before clearing */
+  existed: boolean
+  /** Error message (if failed) */
+  error?: string
+}
+/**
+ * Get current git commit SHA (short form)
+ */
+function getGitCommit(projectPath: string): string | undefined {
+  try {
+    const result = execFileSync('git', ['rev-parse', '--short', 'HEAD'], {
+      cwd: projectPath,
+      stdio: ['ignore', 'pipe', 'ignore'],
+    })
+    return result.toString().trim()
+  } catch {
+    return undefined
+  }
+}
+/**
+ * Get current git branch name
+ */
+function getGitBranch(projectPath: string): string | undefined {
+  try {
+    const result = execFileSync('git', ['rev-parse', '--abbrev-ref', 'HEAD'], {
+      cwd: projectPath,
+      stdio: ['ignore', 'pipe', 'ignore'],
+    })
+    return result.toString().trim()
+  } catch {
+    return undefined
+  }
+}
+/**
+ * Convert a Vulnerability to a BaselineFinding
+ */
+function toBaselineFinding(vuln: Vulnerability): BaselineFinding {
+  return {
+    hash: computeFindingHash(vuln),
+    filePath: vuln.filePath,
+    lineNumber: vuln.lineNumber,
+    category: vuln.category,
+    severity: vuln.severity,
+    title: vuln.title,
+  }
+}
+/**
+ * Manages baseline files for diff mode
+ */
+export class BaselineManager {
+  private projectPath: string
+  private baselinePath: string
+  constructor(options: BaselineManagerOptions | string) {
+    // Support both old string arg and new options object
+    if (typeof options === 'string') {
+      this.projectPath = options
+    } else {
+      this.projectPath = options.projectPath
+    }
+    this.baselinePath = join(this.projectPath, BASELINE_FILE_PATH)
+  }
+  /**
+   * Get the full path to the baseline file
+   */
+  getBaselinePath(): string {
+    return this.baselinePath
+  }
+  /**
+   * Load baseline from .oculum/baseline.json
+   */
+  loadBaseline(): LoadBaselineResult {
+    if (!existsSync(this.baselinePath)) {
+      return { found: false }
+    }
+    try {
+      const content = readFileSync(this.baselinePath, 'utf-8')
+      const baseline = JSON.parse(content) as BaselineData
+      // Basic validation
+      if (baseline.version !== 1) {
+        return {
+          found: false,
+          error: `Unsupported baseline version: ${baseline.version}. Expected version 1.`,
+        }
+      }
+      if (!Array.isArray(baseline.findings)) {
+        return {
+          found: false,
+          error: 'Invalid baseline: missing findings array',
+        }
+      }
+      return { found: true, baseline }
+    } catch (err) {
+      return {
+        found: false,
+        error: `Failed to parse baseline: ${err instanceof Error ? err.message : 'Unknown error'}`,
+      }
+    }
+  }
+  /**
+   * Save current scan result as baseline
+   */
+  saveBaseline(
+    scanResult: ScanResult,
+    options?: { commit?: string; branch?: string; scanDepth?: ScanDepth }
+  ): SaveBaselineResult {
+    try {
+      // Ensure .oculum directory exists
+      const oculumDir = join(this.projectPath, OCULUM_DIR)
+      if (!existsSync(oculumDir)) {
+        mkdirSync(oculumDir, { recursive: true })
+      }
+      // Get git info if not provided
+      const commit = options?.commit ?? getGitCommit(this.projectPath)
+      const branch = options?.branch ?? getGitBranch(this.projectPath)
+      // Convert vulnerabilities to baseline findings
+      const findings = scanResult.vulnerabilities.map(toBaselineFinding)
+      // Build baseline data
+      const baseline: BaselineData = {
+        version: 1,
+        createdAt: new Date().toISOString(),
+        commit,
+        branch,
+        scanDepth: options?.scanDepth,
+        findings,
+        stats: {
+          total: findings.length,
+          critical: scanResult.severityCounts.critical,
+          high: scanResult.severityCounts.high,
+          medium: scanResult.severityCounts.medium,
+          low: scanResult.severityCounts.low,
+          info: scanResult.severityCounts.info,
+        },
+      }
+      // Write to file
+      writeFileSync(this.baselinePath, JSON.stringify(baseline, null, 2))
+      return { success: true, path: this.baselinePath }
+    } catch (err) {
+      return {
+        success: false,
+        path: this.baselinePath,
+        error: `Failed to save baseline: ${err instanceof Error ? err.message : 'Unknown error'}`,
+      }
+    }
+  }
+  /**
+   * Clear (delete) the baseline file
+   */
+  clearBaseline(): ClearBaselineResult {
+    const existed = existsSync(this.baselinePath)
+    if (!existed) {
+      return { success: true, existed: false }
+    }
+    try {
+      unlinkSync(this.baselinePath)
+      return { success: true, existed: true }
+    } catch (err) {
+      return {
+        success: false,
+        existed: true,
+        error: `Failed to clear baseline: ${err instanceof Error ? err.message : 'Unknown error'}`,
+      }
+    }
+  }
+  /**
+   * Check if a baseline exists
+   */
+  hasBaseline(): boolean {
+    return existsSync(this.baselinePath)
+  }
+}

package/src/baseline/types.ts ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * Baseline Types
+ * Types for baseline/diff mode functionality
+ */
+import type { VulnerabilityCategory, VulnerabilitySeverity, SeverityCounts, ScanDepth } from '../types'
+/**
+ * A finding stored in the baseline
+ * Contains enough information to identify and display the finding
+ */
+export interface BaselineFinding {
+  /** Finding hash (from computeFindingHash) */
+  hash: string
+  /** File path relative to project root */
+  filePath: string
+  /** Line number in the file */
+  lineNumber: number
+  /** Vulnerability category */
+  category: VulnerabilityCategory
+  /** Severity level */
+  severity: VulnerabilitySeverity
+  /** Finding title */
+  title: string
+}
+/**
+ * Baseline data stored in .oculum/baseline.json
+ */
+export interface BaselineData {
+  /** Schema version for forward compatibility */
+  version: 1
+  /** ISO 8601 timestamp when baseline was created */
+  createdAt: string
+  /** Git commit SHA when baseline was created (optional) */
+  commit?: string
+  /** Git branch name when baseline was created (optional) */
+  branch?: string
+  /** Scan depth used when creating baseline */
+  scanDepth?: ScanDepth
+  /** List of findings in the baseline */
+  findings: BaselineFinding[]
+  /** Summary statistics */
+  stats: {
+    total: number
+    critical: number
+    high: number
+    medium: number
+    low: number
+    info: number
+  }
+}
+/**
+ * Result of comparing current findings against baseline
+ */
+export interface DiffResult {
+  /** Findings in current scan but NOT in baseline (new issues) */
+  new: import('../types').Vulnerability[]
+  /** Findings in baseline but NOT in current scan (fixed issues) */
+  fixed: BaselineFinding[]
+  /** Findings in both current scan AND baseline (existing issues) */
+  existing: import('../types').Vulnerability[]
+  /** Summary statistics */
+  stats: {
+    newCount: number
+    fixedCount: number
+    existingCount: number
+    newBySeverity: SeverityCounts
+    fixedBySeverity: SeverityCounts
+  }
+}
+/**
+ * Baseline diff metadata attached to ScanResult
+ * Only present when --new flag is used
+ */
+export interface BaselineDiff {
+  /** When the baseline was created */
+  baselineCreatedAt: string
+  /** Git commit of the baseline (if available) */
+  baselineCommit?: string
+  /** Number of new findings (not in baseline) */
+  newCount: number
+  /** Number of fixed findings (in baseline, not in current) */
+  fixedCount: number
+  /** Number of existing findings (in both) */
+  existingCount: number
+  /** Details of fixed findings for display */
+  fixedFindings: BaselineFinding[]
+}
+/** Default baseline file path relative to project root */
+export const BASELINE_FILE_PATH = '.oculum/baseline.json'
+/** Directory for oculum files */
+export const OCULUM_DIR = '.oculum'