npm - @oculum/scanner - Versions diffs - 1.0.10 → 1.0.12 - Mend

@oculum/scanner 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (520) hide show

package/dist/ai-context/index.d.ts +6 -0
package/dist/ai-context/index.d.ts.map +1 -0
package/dist/ai-context/index.js +13 -0
package/dist/ai-context/index.js.map +1 -0
package/dist/ai-context/manager.d.ts +67 -0
package/dist/ai-context/manager.d.ts.map +1 -0
package/dist/ai-context/manager.js +104 -0
package/dist/ai-context/manager.js.map +1 -0
package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/category-filter.d.ts +125 -0
package/dist/category-filter.d.ts.map +1 -0
package/dist/category-filter.js +360 -0
package/dist/category-filter.js.map +1 -0
package/dist/filtering/context-adjustments.d.ts +23 -0
package/dist/filtering/context-adjustments.d.ts.map +1 -0
package/dist/filtering/context-adjustments.js +100 -0
package/dist/filtering/context-adjustments.js.map +1 -0
package/dist/filtering/index.d.ts +3 -0
package/dist/filtering/index.d.ts.map +1 -0
package/dist/filtering/index.js +8 -0
package/dist/filtering/index.js.map +1 -0
package/dist/filtering/pipeline.d.ts +48 -0
package/dist/filtering/pipeline.d.ts.map +1 -0
package/dist/filtering/pipeline.js +76 -0
package/dist/filtering/pipeline.js.map +1 -0
package/dist/formatters/ai-context.d.ts +23 -0
package/dist/formatters/ai-context.d.ts.map +1 -0
package/dist/formatters/ai-context.js +238 -0
package/dist/formatters/ai-context.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +2 -2
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +77 -13
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/ide/claude-code.d.ts +17 -0
package/dist/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/formatters/ide/claude-code.js +94 -0
package/dist/formatters/ide/claude-code.js.map +1 -0
package/dist/formatters/ide/cursor.d.ts +13 -0
package/dist/formatters/ide/cursor.d.ts.map +1 -0
package/dist/formatters/ide/cursor.js +125 -0
package/dist/formatters/ide/cursor.js.map +1 -0
package/dist/formatters/ide/index.d.ts +62 -0
package/dist/formatters/ide/index.d.ts.map +1 -0
package/dist/formatters/ide/index.js +184 -0
package/dist/formatters/ide/index.js.map +1 -0
package/dist/formatters/ide/windsurf.d.ts +13 -0
package/dist/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/formatters/ide/windsurf.js +117 -0
package/dist/formatters/ide/windsurf.js.map +1 -0
package/dist/formatters/index.d.ts +3 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +20 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +423 -56
package/dist/index.js.map +1 -1
package/dist/layer1/comments.d.ts +4 -1
package/dist/layer1/comments.d.ts.map +1 -1
package/dist/layer1/comments.js +1 -1
package/dist/layer1/comments.js.map +1 -1
package/dist/layer1/config-audit.d.ts +4 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +65 -14
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +23 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +4 -1
package/dist/layer1/entropy.d.ts.map +1 -1
package/dist/layer1/entropy.js +212 -1
package/dist/layer1/entropy.js.map +1 -1
package/dist/layer1/file-flags.d.ts +4 -1
package/dist/layer1/file-flags.d.ts.map +1 -1
package/dist/layer1/file-flags.js +12 -5
package/dist/layer1/file-flags.js.map +1 -1
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +22 -19
package/dist/layer1/index.js.map +1 -1
package/dist/layer1/patterns.d.ts +4 -1
package/dist/layer1/patterns.d.ts.map +1 -1
package/dist/layer1/patterns.js +34 -4
package/dist/layer1/patterns.js.map +1 -1
package/dist/layer1/urls.d.ts +4 -1
package/dist/layer1/urls.d.ts.map +1 -1
package/dist/layer1/urls.js +162 -14
package/dist/layer1/urls.js.map +1 -1
package/dist/layer1/weak-crypto.d.ts +4 -1
package/dist/layer1/weak-crypto.d.ts.map +1 -1
package/dist/layer1/weak-crypto.js +144 -7
package/dist/layer1/weak-crypto.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts +4 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +964 -2
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +18 -4
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts +4 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +688 -29
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts +4 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +28 -32
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +20 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +877 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +22 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +828 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +817 -17
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts +4 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +454 -3
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/ai-schema-validation.d.ts +4 -1
package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
package/dist/layer2/ai-schema-validation.js +2 -2
package/dist/layer2/ai-schema-validation.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts +2 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +209 -20
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts +4 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +5 -2
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +34 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +230 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +16 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +1152 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +111 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +684 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +163 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +24 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +70 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +147 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +102 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +4 -1
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +14 -38
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts +4 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +5 -2
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +12 -1
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +110 -45
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts +4 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +58 -20
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +23 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +444 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +4 -1
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +6 -2
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts +4 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +6 -2
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +199 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/modes/incremental.js +1 -1
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +3 -3
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +34 -7
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +140 -9
package/dist/types.d.ts.map +1 -1
package/dist/types.js +34 -0
package/dist/types.js.map +1 -1
package/dist/utils/code-analysis.d.ts +39 -0
package/dist/utils/code-analysis.d.ts.map +1 -0
package/dist/utils/code-analysis.js +159 -0
package/dist/utils/code-analysis.js.map +1 -0
package/dist/utils/comment-analyzer.d.ts +38 -0
package/dist/utils/comment-analyzer.d.ts.map +1 -0
package/dist/utils/comment-analyzer.js +218 -0
package/dist/utils/comment-analyzer.js.map +1 -0
package/dist/utils/context-helpers.d.ts +112 -1
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +364 -11
package/dist/utils/context-helpers.js.map +1 -1
package/dist/utils/environment-context.d.ts +76 -0
package/dist/utils/environment-context.d.ts.map +1 -0
package/dist/utils/environment-context.js +271 -0
package/dist/utils/environment-context.js.map +1 -0
package/dist/utils/intent-detector.d.ts +66 -0
package/dist/utils/intent-detector.d.ts.map +1 -0
package/dist/utils/intent-detector.js +282 -0
package/dist/utils/intent-detector.js.map +1 -0
package/dist/utils/parsed-file.d.ts +51 -0
package/dist/utils/parsed-file.d.ts.map +1 -0
package/dist/utils/parsed-file.js +95 -0
package/dist/utils/parsed-file.js.map +1 -0
package/dist/utils/route-hierarchy.d.ts +50 -0
package/dist/utils/route-hierarchy.d.ts.map +1 -0
package/dist/utils/route-hierarchy.js +226 -0
package/dist/utils/route-hierarchy.js.map +1 -0
package/dist/utils/schema-semantics.d.ts +45 -0
package/dist/utils/schema-semantics.d.ts.map +1 -0
package/dist/utils/schema-semantics.js +193 -0
package/dist/utils/schema-semantics.js.map +1 -0
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +30 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
package/src/__tests__/benchmark/run-depth-validation.ts +9 -9
package/src/__tests__/category-filter.test.ts +478 -0
package/src/__tests__/regression/known-false-positives.test.ts +490 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +762 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +0 -9
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/__tests__/validation/run-validation.ts +7 -7
package/src/ai-context/__tests__/manager.test.ts +193 -0
package/src/ai-context/index.ts +15 -0
package/src/ai-context/manager.ts +145 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/category-filter.ts +400 -0
package/src/filtering/__tests__/pipeline.test.ts +134 -0
package/src/filtering/context-adjustments.ts +111 -0
package/src/filtering/index.ts +10 -0
package/src/filtering/pipeline.ts +130 -0
package/src/formatters/__tests__/ai-context.test.ts +254 -0
package/src/formatters/ai-context.ts +302 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +82 -14
package/src/formatters/ide/__tests__/ide.test.ts +319 -0
package/src/formatters/ide/claude-code.ts +110 -0
package/src/formatters/ide/cursor.ts +147 -0
package/src/formatters/ide/index.ts +216 -0
package/src/formatters/ide/windsurf.ts +135 -0
package/src/formatters/index.ts +28 -0
package/src/index.ts +506 -45
package/src/layer1/comments.ts +3 -1
package/src/layer1/config-audit.ts +74 -14
package/src/layer1/config-mcp-audit.ts +278 -0
package/src/layer1/entropy.ts +234 -1
package/src/layer1/file-flags.ts +17 -6
package/src/layer1/index.ts +29 -23
package/src/layer1/patterns.ts +42 -4
package/src/layer1/urls.ts +188 -14
package/src/layer1/weak-crypto.ts +168 -16
package/src/layer2/ai-agent-tools.ts +1043 -2
package/src/layer2/ai-endpoint-protection.ts +19 -4
package/src/layer2/ai-execution-sinks.ts +755 -29
package/src/layer2/ai-fingerprinting.ts +33 -33
package/src/layer2/ai-mcp-security.ts +933 -0
package/src/layer2/ai-package-hallucination.ts +940 -0
package/src/layer2/ai-prompt-hygiene.ts +898 -17
package/src/layer2/ai-rag-safety.ts +467 -5
package/src/layer2/ai-schema-validation.ts +4 -2
package/src/layer2/auth-antipatterns.ts +235 -20
package/src/layer2/byok-patterns.ts +9 -3
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +292 -0
package/src/layer2/dangerous-functions/index.ts +1533 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +789 -0
package/src/layer2/dangerous-functions/patterns.ts +176 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +35 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +106 -0
package/src/layer2/data-exposure.ts +18 -39
package/src/layer2/framework-checks.ts +9 -2
package/src/layer2/index.ts +124 -43
package/src/layer2/logic-gates.ts +64 -22
package/src/layer2/model-supply-chain.ts +531 -0
package/src/layer2/risky-imports.ts +9 -2
package/src/layer2/variables.ts +9 -2
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +223 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/modes/incremental.ts +1 -1
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +45 -9
package/src/types.ts +212 -8
package/src/utils/__tests__/code-analysis.test.ts +165 -0
package/src/utils/__tests__/parsed-file.test.ts +124 -0
package/src/utils/code-analysis.ts +179 -0
package/src/utils/comment-analyzer.ts +249 -0
package/src/utils/context-helpers.ts +421 -11
package/src/utils/environment-context.ts +304 -0
package/src/utils/intent-detector.ts +318 -0
package/src/utils/parsed-file.ts +103 -0
package/src/utils/route-hierarchy.ts +250 -0
package/src/utils/schema-semantics.ts +233 -0
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/category-filter.ts ADDED Viewed

@@ -0,0 +1,400 @@
+/**
+ * Category-Based Filtering
+ *
+ * Enables CI to fail only on specific vulnerability categories,
+ * allowing gradual rollout (e.g., "only block prompt injection")
+ * and fine-grained control over which findings are blocking.
+ *
+ * @example
+ * // Fail only on AI-related and secret categories
+ * --fail-on-categories ai-*,secrets-*
+ *
+ * @example
+ * // Combined with severity
+ * --fail-on high --fail-on-categories ai-*
+ * // Only fail on high+ AI findings
+ */
+import type { VulnerabilityCategory, Vulnerability, VulnerabilitySeverity } from './types'
+import { severityRank } from './utils/parsed-file'
+/**
+ * Category group definitions for wildcard expansion
+ *
+ * These groups allow users to specify broad categories like "ai-*"
+ * which expand to all AI-related vulnerability categories.
+ */
+export const CATEGORY_GROUPS: Record<string, VulnerabilityCategory[]> = {
+  'ai-*': [
+    'ai_pattern',
+    'ai_prompt_injection',
+    'ai_unsafe_execution',
+    'ai_overpermissive_tool',
+    'ai_rag_exfiltration',
+    'ai_endpoint_unprotected',
+    'ai_schema_mismatch',
+    'ai_package_hallucination',
+    'ai_rag_corpus_poisoning',
+    'ai_rag_pii_leakage',
+    'ai_mcp_tool_poisoning',
+    'ai_mcp_credential_issue',
+    'ai_mcp_confused_deputy',
+    'ai_mcp_description_injection',
+    'ai_mcp_server_shadowing',
+    'ai_mcp_config_secrets',
+    'ai_mcp_config_permissions',
+    'ai_rag_query_injection',
+    'ai_rag_embedding_poisoning',
+    'ai_rag_chunk_injection',
+    'ai_package_typosquat',
+    'ai_package_malicious',
+    'ai_unsafe_model_load',
+    'ai_unverified_model',
+    'ai_unsafe_finetuning',
+    'ai_excessive_agency',
+  ],
+  'secrets-*': [
+    'hardcoded_secret',
+    'high_entropy_string',
+    'sensitive_variable',
+  ],
+  'owasp-*': [
+    'sql_injection',
+    'xss',
+    'command_injection',
+    'missing_auth',
+    'security_bypass',
+    'insecure_config',
+    'cors_misconfiguration',
+    'data_exposure',
+    'weak_crypto',
+  ],
+}
+/**
+ * All known valid category names for validation
+ */
+export const ALL_CATEGORIES: VulnerabilityCategory[] = [
+  'hardcoded_secret',
+  'high_entropy_string',
+  'sensitive_variable',
+  'security_bypass',
+  'dangerous_function',
+  'sql_injection',
+  'xss',
+  'command_injection',
+  'insecure_config',
+  'missing_auth',
+  'suspicious_package',
+  'cors_misconfiguration',
+  'root_container',
+  'dangerous_file',
+  'ai_pattern',
+  'sensitive_url',
+  'weak_crypto',
+  'data_exposure',
+  'ai_prompt_injection',
+  'ai_unsafe_execution',
+  'ai_overpermissive_tool',
+  'ai_rag_exfiltration',
+  'ai_endpoint_unprotected',
+  'ai_schema_mismatch',
+  'ai_package_hallucination',
+  'ai_rag_corpus_poisoning',
+  'ai_rag_pii_leakage',
+  'ai_mcp_tool_poisoning',
+  'ai_mcp_credential_issue',
+  'ai_mcp_confused_deputy',
+  'ai_mcp_description_injection',
+  'ai_mcp_server_shadowing',
+  'ai_mcp_config_secrets',
+  'ai_mcp_config_permissions',
+  'ai_rag_query_injection',
+  'ai_rag_embedding_poisoning',
+  'ai_rag_chunk_injection',
+  'ai_package_typosquat',
+  'ai_package_malicious',
+  'ai_unsafe_model_load',
+  'ai_unverified_model',
+  'ai_unsafe_finetuning',
+  'ai_excessive_agency',
+]
+/**
+ * Normalize category name for comparison
+ * - Converts to lowercase
+ * - Converts hyphens to underscores
+ * - Trims whitespace
+ *
+ * @example
+ * normalizeCategory('SQL-Injection') // 'sql_injection'
+ * normalizeCategory('high_entropy_string') // 'high_entropy_string'
+ */
+export function normalizeCategory(category: string): string {
+  return category
+    .toLowerCase()
+    .trim()
+    .replace(/-/g, '_')
+}
+/**
+ * Check if a string is a valid wildcard pattern
+ * Valid wildcards end with '-*' or '_*'
+ */
+function isWildcardPattern(pattern: string): boolean {
+  return pattern.endsWith('-*') || pattern.endsWith('_*')
+}
+/**
+ * Expand a wildcard pattern or single category to a list of categories
+ *
+ * @param pattern - Category name or wildcard (e.g., 'sql_injection', 'ai-*')
+ * @returns Array of matching categories
+ *
+ * @example
+ * expandCategoryPattern('ai-*') // Returns all ai_* categories
+ * expandCategoryPattern('sql_injection') // Returns ['sql_injection']
+ * expandCategoryPattern('unknown-*') // Returns []
+ */
+export function expandCategoryPattern(pattern: string): VulnerabilityCategory[] {
+  const normalized = normalizeCategory(pattern)
+  // Check for wildcard patterns
+  if (isWildcardPattern(normalized)) {
+    // Normalize the wildcard pattern (both ai-* and ai_* should work)
+    const normalizedWildcard = normalized.replace('_*', '-*')
+    // Look up in category groups
+    const expanded = CATEGORY_GROUPS[normalizedWildcard]
+    if (expanded) {
+      return [...expanded]
+    }
+    // Unknown wildcard - return empty
+    return []
+  }
+  // Single category - validate and return
+  // Handle both hyphenated and underscored versions
+  const normalizedCategory = normalized as VulnerabilityCategory
+  if (ALL_CATEGORIES.includes(normalizedCategory)) {
+    return [normalizedCategory]
+  }
+  // Try hyphenated version converted to underscore
+  const underscored = normalized.replace(/-/g, '_') as VulnerabilityCategory
+  if (ALL_CATEGORIES.includes(underscored)) {
+    return [underscored]
+  }
+  return []
+}
+/**
+ * Check if a category matches any pattern in the filter list
+ *
+ * @param category - The vulnerability category to check
+ * @param patterns - Array of category patterns (names or wildcards)
+ * @returns true if the category matches any pattern
+ *
+ * @example
+ * matchesAnyCategory('ai_prompt_injection', ['ai-*']) // true
+ * matchesAnyCategory('sql_injection', ['ai-*']) // false
+ * matchesAnyCategory('sql_injection', ['sql_injection', 'xss']) // true
+ */
+export function matchesAnyCategory(
+  category: VulnerabilityCategory,
+  patterns: string[]
+): boolean {
+  if (!patterns || patterns.length === 0) {
+    return false
+  }
+  const normalizedCategory = normalizeCategory(category)
+  for (const pattern of patterns) {
+    const expanded = expandCategoryPattern(pattern)
+    // Check if category is in the expanded list
+    if (expanded.some(c => normalizeCategory(c) === normalizedCategory)) {
+      return true
+    }
+  }
+  return false
+}
+// severityRank imported from utils/parsed-file
+/**
+ * Check if vulnerabilities should cause failure based on category filter
+ *
+ * When both category patterns and severity threshold are provided,
+ * BOTH conditions must match for a finding to cause failure.
+ *
+ * @param vulnerabilities - List of vulnerabilities to check
+ * @param categoryPatterns - Category patterns to filter on
+ * @param severityThreshold - Optional severity threshold (both must match)
+ * @returns true if any vulnerability matches and should cause failure
+ *
+ * @example
+ * // Only fail on AI findings
+ * shouldFailOnCategories(vulns, ['ai-*'])
+ *
+ * @example
+ * // Only fail on HIGH+ AI findings
+ * shouldFailOnCategories(vulns, ['ai-*'], 'high')
+ */
+export function shouldFailOnCategories(
+  vulnerabilities: Vulnerability[],
+  categoryPatterns: string[],
+  severityThreshold?: VulnerabilitySeverity
+): boolean {
+  if (!vulnerabilities || vulnerabilities.length === 0) {
+    return false
+  }
+  if (!categoryPatterns || categoryPatterns.length === 0) {
+    return false
+  }
+  const thresholdRank = severityThreshold ? severityRank(severityThreshold) : 0
+  for (const vuln of vulnerabilities) {
+    // Check if category matches any pattern
+    if (!matchesAnyCategory(vuln.category, categoryPatterns)) {
+      continue
+    }
+    // If no severity threshold specified, any matching category triggers failure
+    if (!severityThreshold) {
+      return true
+    }
+    // Check if severity meets threshold
+    if (severityRank(vuln.severity) >= thresholdRank) {
+      return true
+    }
+  }
+  return false
+}
+/**
+ * Get the categories that matched the filter from vulnerabilities
+ * Useful for error messages showing which categories caused failure
+ */
+export function getMatchingCategories(
+  vulnerabilities: Vulnerability[],
+  categoryPatterns: string[],
+  severityThreshold?: VulnerabilitySeverity
+): VulnerabilityCategory[] {
+  if (!vulnerabilities || vulnerabilities.length === 0) {
+    return []
+  }
+  if (!categoryPatterns || categoryPatterns.length === 0) {
+    return []
+  }
+  const thresholdRank = severityThreshold ? severityRank(severityThreshold) : 0
+  const matched = new Set<VulnerabilityCategory>()
+  for (const vuln of vulnerabilities) {
+    // Check if category matches any pattern
+    if (!matchesAnyCategory(vuln.category, categoryPatterns)) {
+      continue
+    }
+    // If no severity threshold, or severity meets threshold
+    if (!severityThreshold || severityRank(vuln.severity) >= thresholdRank) {
+      matched.add(vuln.category)
+    }
+  }
+  return Array.from(matched)
+}
+/**
+ * Parse comma-separated category string into array
+ *
+ * @param input - Comma-separated category string
+ * @returns Array of trimmed category patterns
+ *
+ * @example
+ * parseCategoryList('ai-*, secrets-*') // ['ai-*', 'secrets-*']
+ * parseCategoryList('sql_injection, xss') // ['sql_injection', 'xss']
+ */
+export function parseCategoryList(input: string): string[] {
+  if (!input || typeof input !== 'string') {
+    return []
+  }
+  return input
+    .split(',')
+    .map(s => s.trim())
+    .filter(s => s.length > 0)
+}
+/**
+ * Validate category names, separating valid from invalid
+ *
+ * @param categories - Array of category patterns to validate
+ * @returns Object with valid and invalid category arrays
+ *
+ * @example
+ * validateCategories(['ai-*', 'sql_injection', 'fake_category'])
+ * // { valid: ['ai-*', 'sql_injection'], invalid: ['fake_category'] }
+ */
+export function validateCategories(categories: string[]): {
+  valid: string[]
+  invalid: string[]
+} {
+  const valid: string[] = []
+  const invalid: string[] = []
+  for (const category of categories) {
+    const normalized = normalizeCategory(category)
+    // Check if it's a valid wildcard
+    if (isWildcardPattern(normalized)) {
+      const normalizedWildcard = normalized.replace('_*', '-*')
+      if (CATEGORY_GROUPS[normalizedWildcard]) {
+        valid.push(category)
+      } else {
+        invalid.push(category)
+      }
+      continue
+    }
+    // Check if it's a valid category name
+    const expanded = expandCategoryPattern(category)
+    if (expanded.length > 0) {
+      valid.push(category)
+    } else {
+      invalid.push(category)
+    }
+  }
+  return { valid, invalid }
+}
+/**
+ * Get a human-readable list of available category groups
+ * Useful for help text and error messages
+ */
+export function getAvailableCategoryGroups(): string[] {
+  return Object.keys(CATEGORY_GROUPS)
+}
+/**
+ * Get the count of categories in each group
+ * Useful for documentation and help text
+ */
+export function getCategoryGroupCounts(): Record<string, number> {
+  const counts: Record<string, number> = {}
+  for (const [group, categories] of Object.entries(CATEGORY_GROUPS)) {
+    counts[group] = categories.length
+  }
+  return counts
+}

package/src/filtering/__tests__/pipeline.test.ts ADDED Viewed

@@ -0,0 +1,134 @@
+import { FilterPipeline } from '../pipeline'
+import type { FilterDecision } from '../pipeline'
+describe('FilterPipeline', () => {
+  describe('when disabled', () => {
+    it('does not record decisions', () => {
+      const pipeline = new FilterPipeline(false)
+      pipeline.record('finding-1', {
+        stage: 'auto_dismiss',
+        action: 'dismissed',
+        reason: 'test file',
+      })
+      expect(pipeline.getAuditTrail()).toEqual([])
+    })
+    it('reports isEnabled as false', () => {
+      expect(new FilterPipeline(false).isEnabled).toBe(false)
+      expect(new FilterPipeline().isEnabled).toBe(false)
+    })
+  })
+  describe('when enabled', () => {
+    let pipeline: FilterPipeline
+    beforeEach(() => {
+      pipeline = new FilterPipeline(true)
+    })
+    it('reports isEnabled as true', () => {
+      expect(pipeline.isEnabled).toBe(true)
+    })
+    it('records and retrieves decisions', () => {
+      const decision: FilterDecision = {
+        stage: 'auto_dismiss',
+        action: 'dismissed',
+        reason: 'test file detected',
+        ruleName: 'test_file_dismiss',
+      }
+      pipeline.record('finding-1', decision)
+      const trail = pipeline.getAuditTrail()
+      expect(trail).toHaveLength(1)
+      expect(trail[0].findingId).toBe('finding-1')
+      expect(trail[0].decisions).toEqual([decision])
+      expect(trail[0].finalStatus).toBe('dismissed')
+    })
+    it('accumulates multiple decisions for the same finding', () => {
+      pipeline.record('finding-1', {
+        stage: 'file_context_adjustment',
+        action: 'downgraded',
+        reason: 'tooling directory',
+        originalSeverity: 'medium',
+        newSeverity: 'info',
+      })
+      pipeline.record('finding-1', {
+        stage: 'ai_validation',
+        action: 'kept',
+        reason: 'AI confirmed the finding',
+      })
+      const decisions = pipeline.explainDismissal('finding-1')
+      expect(decisions).toHaveLength(2)
+      expect(decisions[0].stage).toBe('file_context_adjustment')
+      expect(decisions[1].stage).toBe('ai_validation')
+    })
+    it('marks final status as surfaced when no dismissal', () => {
+      pipeline.record('finding-1', {
+        stage: 'ai_validation',
+        action: 'kept',
+        reason: 'confirmed',
+      })
+      const trail = pipeline.getAuditTrail()
+      expect(trail[0].finalStatus).toBe('surfaced')
+    })
+    it('marks final status as dismissed for deduplicated findings', () => {
+      pipeline.record('finding-1', {
+        stage: 'deduplication',
+        action: 'deduplicated',
+        reason: 'duplicate of finding-2',
+      })
+      const trail = pipeline.getAuditTrail()
+      expect(trail[0].finalStatus).toBe('dismissed')
+    })
+    it('marks final status as dismissed for suppressed findings', () => {
+      pipeline.record('finding-1', {
+        stage: 'user_suppression',
+        action: 'suppressed',
+        reason: 'inline oculum-ignore comment',
+      })
+      const trail = pipeline.getAuditTrail()
+      expect(trail[0].finalStatus).toBe('dismissed')
+    })
+    it('returns empty array for unknown finding in explainDismissal', () => {
+      expect(pipeline.explainDismissal('nonexistent')).toEqual([])
+    })
+  })
+  describe('getSummaryStats', () => {
+    it('aggregates counts per stage and action', () => {
+      const pipeline = new FilterPipeline(true)
+      pipeline.record('f1', { stage: 'auto_dismiss', action: 'dismissed', reason: 'test' })
+      pipeline.record('f2', { stage: 'auto_dismiss', action: 'dismissed', reason: 'css' })
+      pipeline.record('f3', { stage: 'auto_dismiss', action: 'kept', reason: 'real finding' })
+      pipeline.record('f4', { stage: 'ai_validation', action: 'downgraded', reason: 'lower severity' })
+      pipeline.record('f5', { stage: 'deduplication', action: 'deduplicated', reason: 'dup' })
+      const stats = pipeline.getSummaryStats()
+      expect(stats.auto_dismiss.dismissed).toBe(2)
+      expect(stats.auto_dismiss.kept).toBe(1)
+      expect(stats.ai_validation.downgraded).toBe(1)
+      expect(stats.deduplication.deduplicated).toBe(1)
+      expect(stats.localhost_aggregation.dismissed).toBe(0)
+    })
+    it('returns zero counts when no decisions recorded', () => {
+      const pipeline = new FilterPipeline(true)
+      const stats = pipeline.getSummaryStats()
+      expect(stats.auto_dismiss.dismissed).toBe(0)
+      expect(stats.tier_filter.kept).toBe(0)
+    })
+  })
+})

package/src/filtering/context-adjustments.ts ADDED Viewed

@@ -0,0 +1,111 @@
+/**
+ * Centralized Context-Based Severity Adjustments
+ *
+ * Consolidates the duplicate filter logic from:
+ * - layer2/index.ts applyFileContextAdjustments() — per-file with full FileContext
+ * - index.ts applyGlobalContextAdjustments() — post-layers with tooling-dir only
+ *
+ * Both functions are replaced by a single applyContextAdjustments() that handles
+ * all context-based severity downgrades in one place.
+ */
+import type { Vulnerability } from '../types'
+import type { FileContext } from '../utils/context-helpers'
+/** Categories that are expected and not risky in tooling directories */
+const TOOLING_DOWNGRADABLE_CATEGORIES = [
+  'dangerous_function',   // exec, spawn, etc. are expected in scripts
+  'command_injection',    // child_process usage is expected in build scripts
+  'weak_crypto',          // Math.random() for seeding is fine in scripts
+  'data_exposure',        // Logging is expected in tooling
+  'ai_pattern',           // AI patterns in scripts are typically fine
+]
+/** Categories that are expected and not risky in test files */
+const TEST_DOWNGRADABLE_CATEGORIES = [
+  'ai_pattern',
+  'dangerous_function',
+  'sensitive_variable',
+  'data_exposure',
+]
+/**
+ * Apply context-based severity adjustments to findings.
+ *
+ * When called with a FileContext (from Layer 2 per-file processing), applies
+ * full context-aware rules: test files, tooling dirs, server-only files.
+ *
+ * When called without a FileContext (from the orchestrator for Layer 1 findings),
+ * applies only tooling-directory downgrades based on file path.
+ */
+export function applyContextAdjustments(
+  findings: Vulnerability[],
+  fileContext?: FileContext
+): Vulnerability[] {
+  return findings.map(finding => {
+    // Never downgrade critical findings
+    if (finding.severity === 'critical') {
+      return finding
+    }
+    if (fileContext) {
+      // Full per-file context available (Layer 2 path)
+      // Test files: Downgrade specific categories
+      if (fileContext.isTestFile) {
+        if (TEST_DOWNGRADABLE_CATEGORIES.includes(finding.category)) {
+          return {
+            ...finding,
+            severity: 'info' as const,
+            validationNotes: 'Downgraded: test/fixture file',
+          }
+        }
+      }
+      // Tooling directories: Downgrade expected patterns
+      if (fileContext.isToolingDir) {
+        if (TOOLING_DOWNGRADABLE_CATEGORIES.includes(finding.category)) {
+          return {
+            ...finding,
+            severity: 'info' as const,
+            validationNotes: 'Downgraded: tooling/scripts directory',
+          }
+        }
+      }
+      // Server-only files: Client-exposure concerns don't apply
+      if (fileContext.isServerOnly) {
+        if (finding.category === 'hardcoded_secret' &&
+            finding.title.toLowerCase().includes('service role')) {
+          return {
+            ...finding,
+            severity: 'info' as const,
+            validationNotes: 'Downgraded: server-only file (service role key expected)',
+          }
+        }
+      }
+    } else {
+      // No file context — apply path-based adjustments only (orchestrator path)
+      // This catches Layer 1 findings that didn't go through Layer 2's per-file adjustments
+      const inToolingDir = isToolingPath(finding.filePath)
+      if (inToolingDir && TOOLING_DOWNGRADABLE_CATEGORIES.includes(finding.category)) {
+        return {
+          ...finding,
+          severity: 'info' as const,
+          validationNotes: `${finding.validationNotes || ''} Downgraded: tooling/scripts directory`.trim(),
+        }
+      }
+    }
+    return finding
+  })
+}
+/**
+ * Tooling-path check for findings without FileContext.
+ * Uses the same regex as utils/context-helpers.ts isToolingDirectory().
+ */
+function isToolingPath(filePath: string): boolean {
+  return /\/(scripts?|cli|tools?|bin|devtools|build|tasks)\//i.test(filePath)
+}

package/src/filtering/index.ts ADDED Viewed

@@ -0,0 +1,10 @@
+export {
+  FilterPipeline,
+  type FilterStage,
+  type FilterAction,
+  type FilterDecision,
+  type AnnotatedFinding,
+  type FilterStageSummary,
+} from './pipeline'
+export { applyContextAdjustments } from './context-adjustments'