npm - @oculum/scanner - Versions diffs - 1.0.11 → 1.0.13 - Mend

@oculum/scanner 1.0.11 → 1.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1178) hide show

package/dist/ai-context/index.d.ts +6 -0
package/dist/ai-context/index.d.ts.map +1 -0
package/dist/ai-context/index.js +13 -0
package/dist/ai-context/index.js.map +1 -0
package/dist/ai-context/manager.d.ts +67 -0
package/dist/ai-context/manager.d.ts.map +1 -0
package/dist/ai-context/manager.js +104 -0
package/dist/ai-context/manager.js.map +1 -0
package/dist/category-filter.d.ts +125 -0
package/dist/category-filter.d.ts.map +1 -0
package/dist/category-filter.js +360 -0
package/dist/category-filter.js.map +1 -0
package/dist/detect/ai-code/agent-tools.d.ts +22 -0
package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
package/dist/detect/ai-code/agent-tools.js +1509 -0
package/dist/detect/ai-code/agent-tools.js.map +1 -0
package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
package/dist/detect/ai-code/byok-patterns.js +313 -0
package/dist/detect/ai-code/byok-patterns.js.map +1 -0
package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
package/dist/detect/ai-code/endpoint-protection.js +349 -0
package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
package/dist/detect/ai-code/execution-sinks.js +1158 -0
package/dist/detect/ai-code/execution-sinks.js.map +1 -0
package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
package/dist/detect/ai-code/fingerprinting.js +665 -0
package/dist/detect/ai-code/fingerprinting.js.map +1 -0
package/dist/detect/ai-code/index.d.ts +12 -0
package/dist/detect/ai-code/index.d.ts.map +1 -0
package/dist/detect/ai-code/index.js +26 -0
package/dist/detect/ai-code/index.js.map +1 -0
package/dist/detect/ai-code/mcp-security.d.ts +20 -0
package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
package/dist/detect/ai-code/mcp-security.js +880 -0
package/dist/detect/ai-code/mcp-security.js.map +1 -0
package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
package/dist/detect/ai-code/model-supply-chain.js +447 -0
package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
package/dist/detect/ai-code/package-hallucination.js +841 -0
package/dist/detect/ai-code/package-hallucination.js.map +1 -0
package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
package/dist/detect/ai-code/rag-safety.d.ts +24 -0
package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
package/dist/detect/ai-code/rag-safety.js +913 -0
package/dist/detect/ai-code/rag-safety.js.map +1 -0
package/dist/detect/ai-code/schema-validation.d.ts +28 -0
package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
package/dist/detect/ai-code/schema-validation.js +378 -0
package/dist/detect/ai-code/schema-validation.js.map +1 -0
package/dist/detect/config/agent-skill-injection.d.ts +27 -0
package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
package/dist/detect/config/agent-skill-injection.js +472 -0
package/dist/detect/config/agent-skill-injection.js.map +1 -0
package/dist/detect/config/comments.d.ts +11 -0
package/dist/detect/config/comments.d.ts.map +1 -0
package/dist/detect/config/comments.js +206 -0
package/dist/detect/config/comments.js.map +1 -0
package/dist/detect/config/file-flags.d.ts +10 -0
package/dist/detect/config/file-flags.d.ts.map +1 -0
package/dist/detect/config/file-flags.js +124 -0
package/dist/detect/config/file-flags.js.map +1 -0
package/dist/detect/config/index.d.ts +7 -0
package/dist/detect/config/index.d.ts.map +1 -0
package/dist/detect/config/index.js +17 -0
package/dist/detect/config/index.js.map +1 -0
package/dist/detect/config/osv-check.d.ts +75 -0
package/dist/detect/config/osv-check.d.ts.map +1 -0
package/dist/detect/config/osv-check.js +309 -0
package/dist/detect/config/osv-check.js.map +1 -0
package/dist/detect/config/package-check.d.ts +63 -0
package/dist/detect/config/package-check.d.ts.map +1 -0
package/dist/detect/config/package-check.js +509 -0
package/dist/detect/config/package-check.js.map +1 -0
package/dist/detect/config/urls.d.ts +11 -0
package/dist/detect/config/urls.d.ts.map +1 -0
package/dist/detect/config/urls.js +450 -0
package/dist/detect/config/urls.js.map +1 -0
package/dist/detect/index.d.ts +37 -0
package/dist/detect/index.d.ts.map +1 -0
package/dist/detect/index.js +77 -0
package/dist/detect/index.js.map +1 -0
package/dist/detect/secrets/config-audit.d.ts +11 -0
package/dist/detect/secrets/config-audit.d.ts.map +1 -0
package/dist/detect/secrets/config-audit.js +315 -0
package/dist/detect/secrets/config-audit.js.map +1 -0
package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
package/dist/detect/secrets/config-mcp-audit.js +243 -0
package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
package/dist/detect/secrets/entropy.d.ts +11 -0
package/dist/detect/secrets/entropy.d.ts.map +1 -0
package/dist/detect/secrets/entropy.js +751 -0
package/dist/detect/secrets/entropy.js.map +1 -0
package/dist/detect/secrets/index.d.ts +36 -0
package/dist/detect/secrets/index.d.ts.map +1 -0
package/dist/detect/secrets/index.js +174 -0
package/dist/detect/secrets/index.js.map +1 -0
package/dist/detect/secrets/patterns.d.ts +11 -0
package/dist/detect/secrets/patterns.d.ts.map +1 -0
package/dist/detect/secrets/patterns.js +518 -0
package/dist/detect/secrets/patterns.js.map +1 -0
package/dist/detect/secrets/weak-crypto.d.ts +10 -0
package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
package/dist/detect/secrets/weak-crypto.js +432 -0
package/dist/detect/secrets/weak-crypto.js.map +1 -0
package/dist/detect/structural/auth-patterns.d.ts +22 -0
package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
package/dist/detect/structural/auth-patterns.js +533 -0
package/dist/detect/structural/auth-patterns.js.map +1 -0
package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/index.js +1193 -0
package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/detect/structural/data-exposure.d.ts +19 -0
package/dist/detect/structural/data-exposure.d.ts.map +1 -0
package/dist/detect/structural/data-exposure.js +262 -0
package/dist/detect/structural/data-exposure.js.map +1 -0
package/dist/detect/structural/framework-checks.d.ts +10 -0
package/dist/detect/structural/framework-checks.d.ts.map +1 -0
package/dist/detect/structural/framework-checks.js +389 -0
package/dist/detect/structural/framework-checks.js.map +1 -0
package/dist/detect/structural/index.d.ts +71 -0
package/dist/detect/structural/index.d.ts.map +1 -0
package/dist/detect/structural/index.js +510 -0
package/dist/detect/structural/index.js.map +1 -0
package/dist/detect/structural/log-injection.d.ts +18 -0
package/dist/detect/structural/log-injection.d.ts.map +1 -0
package/dist/detect/structural/log-injection.js +217 -0
package/dist/detect/structural/log-injection.js.map +1 -0
package/dist/detect/structural/logic-gates.d.ts +10 -0
package/dist/detect/structural/logic-gates.d.ts.map +1 -0
package/dist/detect/structural/logic-gates.js +227 -0
package/dist/detect/structural/logic-gates.js.map +1 -0
package/dist/detect/structural/risky-imports.d.ts +10 -0
package/dist/detect/structural/risky-imports.d.ts.map +1 -0
package/dist/detect/structural/risky-imports.js +168 -0
package/dist/detect/structural/risky-imports.js.map +1 -0
package/dist/detect/structural/security-headers.d.ts +18 -0
package/dist/detect/structural/security-headers.d.ts.map +1 -0
package/dist/detect/structural/security-headers.js +196 -0
package/dist/detect/structural/security-headers.js.map +1 -0
package/dist/detect/structural/ssrf-detection.d.ts +18 -0
package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
package/dist/detect/structural/ssrf-detection.js +263 -0
package/dist/detect/structural/ssrf-detection.js.map +1 -0
package/dist/detect/structural/variables.d.ts +11 -0
package/dist/detect/structural/variables.d.ts.map +1 -0
package/dist/detect/structural/variables.js +159 -0
package/dist/detect/structural/variables.js.map +1 -0
package/dist/detect/structural/xxe-detection.d.ts +18 -0
package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
package/dist/detect/structural/xxe-detection.js +245 -0
package/dist/detect/structural/xxe-detection.js.map +1 -0
package/dist/filtering/context-adjustments.d.ts +23 -0
package/dist/filtering/context-adjustments.d.ts.map +1 -0
package/dist/filtering/context-adjustments.js +100 -0
package/dist/filtering/context-adjustments.js.map +1 -0
package/dist/filtering/index.d.ts +3 -0
package/dist/filtering/index.d.ts.map +1 -0
package/dist/filtering/index.js +8 -0
package/dist/filtering/index.js.map +1 -0
package/dist/filtering/pipeline.d.ts +48 -0
package/dist/filtering/pipeline.d.ts.map +1 -0
package/dist/filtering/pipeline.js +76 -0
package/dist/filtering/pipeline.js.map +1 -0
package/dist/formatters/ai-context.d.ts +23 -0
package/dist/formatters/ai-context.d.ts.map +1 -0
package/dist/formatters/ai-context.js +238 -0
package/dist/formatters/ai-context.js.map +1 -0
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +2 -2
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/ide/claude-code.d.ts +17 -0
package/dist/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/formatters/ide/claude-code.js +94 -0
package/dist/formatters/ide/claude-code.js.map +1 -0
package/dist/formatters/ide/cursor.d.ts +13 -0
package/dist/formatters/ide/cursor.d.ts.map +1 -0
package/dist/formatters/ide/cursor.js +125 -0
package/dist/formatters/ide/cursor.js.map +1 -0
package/dist/formatters/ide/index.d.ts +62 -0
package/dist/formatters/ide/index.d.ts.map +1 -0
package/dist/formatters/ide/index.js +184 -0
package/dist/formatters/ide/index.js.map +1 -0
package/dist/formatters/ide/windsurf.d.ts +13 -0
package/dist/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/formatters/ide/windsurf.js +117 -0
package/dist/formatters/ide/windsurf.js.map +1 -0
package/dist/formatters/index.d.ts +2 -0
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +17 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +17 -60
package/dist/index.d.ts.map +1 -1
package/dist/index.js +67 -824
package/dist/index.js.map +1 -1
package/dist/layer1/comments.d.ts +4 -1
package/dist/layer1/comments.d.ts.map +1 -1
package/dist/layer1/comments.js +1 -1
package/dist/layer1/comments.js.map +1 -1
package/dist/layer1/config-audit.d.ts +4 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +45 -11
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +4 -1
package/dist/layer1/config-mcp-audit.d.ts.map +1 -1
package/dist/layer1/config-mcp-audit.js +2 -2
package/dist/layer1/config-mcp-audit.js.map +1 -1
package/dist/layer1/entropy.d.ts +4 -1
package/dist/layer1/entropy.d.ts.map +1 -1
package/dist/layer1/entropy.js +212 -1
package/dist/layer1/entropy.js.map +1 -1
package/dist/layer1/file-flags.d.ts +4 -1
package/dist/layer1/file-flags.d.ts.map +1 -1
package/dist/layer1/file-flags.js +12 -5
package/dist/layer1/file-flags.js.map +1 -1
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +14 -19
package/dist/layer1/index.js.map +1 -1
package/dist/layer1/patterns.d.ts +4 -1
package/dist/layer1/patterns.d.ts.map +1 -1
package/dist/layer1/patterns.js +34 -4
package/dist/layer1/patterns.js.map +1 -1
package/dist/layer1/urls.d.ts +4 -1
package/dist/layer1/urls.d.ts.map +1 -1
package/dist/layer1/urls.js +162 -14
package/dist/layer1/urls.js.map +1 -1
package/dist/layer1/weak-crypto.d.ts +4 -1
package/dist/layer1/weak-crypto.d.ts.map +1 -1
package/dist/layer1/weak-crypto.js +144 -7
package/dist/layer1/weak-crypto.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts +4 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +661 -2
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +1 -1
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts +4 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +252 -43
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts +4 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +25 -32
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +4 -1
package/dist/layer2/ai-mcp-security.d.ts.map +1 -1
package/dist/layer2/ai-mcp-security.js +200 -2
package/dist/layer2/ai-mcp-security.js.map +1 -1
package/dist/layer2/ai-package-hallucination.d.ts +4 -1
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -1
package/dist/layer2/ai-package-hallucination.js +136 -4
package/dist/layer2/ai-package-hallucination.js.map +1 -1
package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +342 -28
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts +4 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +82 -2
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/ai-schema-validation.d.ts +4 -1
package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
package/dist/layer2/ai-schema-validation.js +2 -2
package/dist/layer2/ai-schema-validation.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts +2 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +205 -20
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts +4 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +2 -2
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/dom-xss.d.ts +9 -4
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/dom-xss.js +73 -22
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -1
package/dist/layer2/dangerous-functions/index.d.ts +4 -1
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/index.js +551 -20
package/dist/layer2/dangerous-functions/index.js.map +1 -1
package/dist/layer2/dangerous-functions/math-random.d.ts +54 -4
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/math-random.js +241 -16
package/dist/layer2/dangerous-functions/math-random.js.map +1 -1
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/patterns.js +3 -1
package/dist/layer2/dangerous-functions/patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +3 -2
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/utils/control-flow.js +41 -120
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -1
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/utils/helpers.js +26 -3
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.js +14 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -1
package/dist/layer2/data-exposure.d.ts +4 -1
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +11 -38
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts +4 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -10
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +13 -1
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +107 -52
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/log-injection.d.ts +18 -0
package/dist/layer2/log-injection.d.ts.map +1 -0
package/dist/layer2/log-injection.js +214 -0
package/dist/layer2/log-injection.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +4 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +54 -20
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +4 -1
package/dist/layer2/model-supply-chain.d.ts.map +1 -1
package/dist/layer2/model-supply-chain.js +72 -4
package/dist/layer2/model-supply-chain.js.map +1 -1
package/dist/layer2/risky-imports.d.ts +4 -1
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +2 -2
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/security-headers.d.ts +18 -0
package/dist/layer2/security-headers.d.ts.map +1 -0
package/dist/layer2/security-headers.js +187 -0
package/dist/layer2/security-headers.js.map +1 -0
package/dist/layer2/ssrf-detection.d.ts +18 -0
package/dist/layer2/ssrf-detection.d.ts.map +1 -0
package/dist/layer2/ssrf-detection.js +252 -0
package/dist/layer2/ssrf-detection.js.map +1 -0
package/dist/layer2/variables.d.ts +4 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +2 -2
package/dist/layer2/variables.js.map +1 -1
package/dist/layer2/xxe-detection.d.ts +18 -0
package/dist/layer2/xxe-detection.d.ts.map +1 -0
package/dist/layer2/xxe-detection.js +242 -0
package/dist/layer2/xxe-detection.js.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.js +11 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -1
package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
package/dist/layer3/anthropic/prompts/index.js +3 -1
package/dist/layer3/anthropic/prompts/index.js.map +1 -1
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
package/dist/layer3/anthropic/prompts/validation.js +14 -410
package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
package/dist/layer3/anthropic/providers/anthropic.js +6 -3
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
package/dist/layer3/anthropic/providers/openai.js +6 -3
package/dist/layer3/anthropic/providers/openai.js.map +1 -1
package/dist/layer3/anthropic/request-builder.d.ts +11 -4
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
package/dist/layer3/anthropic/request-builder.js +32 -16
package/dist/layer3/anthropic/request-builder.js.map +1 -1
package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +2 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
package/dist/layer3/anthropic/utils/index.js +4 -1
package/dist/layer3/anthropic/utils/index.js.map +1 -1
package/dist/model/auth-helper-detector.d.ts +56 -0
package/dist/model/auth-helper-detector.d.ts.map +1 -0
package/dist/model/auth-helper-detector.js +360 -0
package/dist/model/auth-helper-detector.js.map +1 -0
package/dist/model/cross-file-taint.d.ts +40 -0
package/dist/model/cross-file-taint.d.ts.map +1 -0
package/dist/model/cross-file-taint.js +290 -0
package/dist/model/cross-file-taint.js.map +1 -0
package/dist/model/framework-models/django.d.ts +9 -0
package/dist/model/framework-models/django.d.ts.map +1 -0
package/dist/model/framework-models/django.js +82 -0
package/dist/model/framework-models/django.js.map +1 -0
package/dist/model/framework-models/express.d.ts +9 -0
package/dist/model/framework-models/express.d.ts.map +1 -0
package/dist/model/framework-models/express.js +52 -0
package/dist/model/framework-models/express.js.map +1 -0
package/dist/model/framework-models/index.d.ts +20 -0
package/dist/model/framework-models/index.d.ts.map +1 -0
package/dist/model/framework-models/index.js +102 -0
package/dist/model/framework-models/index.js.map +1 -0
package/dist/model/framework-models/nextjs.d.ts +9 -0
package/dist/model/framework-models/nextjs.d.ts.map +1 -0
package/dist/model/framework-models/nextjs.js +71 -0
package/dist/model/framework-models/nextjs.js.map +1 -0
package/dist/model/framework-models/prisma.d.ts +10 -0
package/dist/model/framework-models/prisma.d.ts.map +1 -0
package/dist/model/framework-models/prisma.js +54 -0
package/dist/model/framework-models/prisma.js.map +1 -0
package/dist/model/framework-models/react.d.ts +9 -0
package/dist/model/framework-models/react.d.ts.map +1 -0
package/dist/model/framework-models/react.js +67 -0
package/dist/model/framework-models/react.js.map +1 -0
package/dist/model/framework-models/sequelize.d.ts +9 -0
package/dist/model/framework-models/sequelize.d.ts.map +1 -0
package/dist/model/framework-models/sequelize.js +62 -0
package/dist/model/framework-models/sequelize.js.map +1 -0
package/dist/model/framework-models/types.d.ts +43 -0
package/dist/model/framework-models/types.d.ts.map +1 -0
package/dist/model/framework-models/types.js +10 -0
package/dist/model/framework-models/types.js.map +1 -0
package/dist/model/function-classifier.d.ts +32 -0
package/dist/model/function-classifier.d.ts.map +1 -0
package/dist/model/function-classifier.js +143 -0
package/dist/model/function-classifier.js.map +1 -0
package/dist/model/import-resolver.d.ts +45 -0
package/dist/model/import-resolver.d.ts.map +1 -0
package/dist/model/import-resolver.js +410 -0
package/dist/model/import-resolver.js.map +1 -0
package/dist/model/imported-auth-detector.d.ts +38 -0
package/dist/model/imported-auth-detector.d.ts.map +1 -0
package/dist/model/imported-auth-detector.js +199 -0
package/dist/model/imported-auth-detector.js.map +1 -0
package/dist/model/index.d.ts +63 -0
package/dist/model/index.d.ts.map +1 -0
package/dist/model/index.js +272 -0
package/dist/model/index.js.map +1 -0
package/dist/model/middleware-detector.d.ts +55 -0
package/dist/model/middleware-detector.d.ts.map +1 -0
package/dist/model/middleware-detector.js +382 -0
package/dist/model/middleware-detector.js.map +1 -0
package/dist/model/module-graph.d.ts +46 -0
package/dist/model/module-graph.d.ts.map +1 -0
package/dist/model/module-graph.js +187 -0
package/dist/model/module-graph.js.map +1 -0
package/dist/model/oauth-flow-detector.d.ts +41 -0
package/dist/model/oauth-flow-detector.d.ts.map +1 -0
package/dist/model/oauth-flow-detector.js +202 -0
package/dist/model/oauth-flow-detector.js.map +1 -0
package/dist/model/project-context.d.ts +119 -0
package/dist/model/project-context.d.ts.map +1 -0
package/dist/model/project-context.js +534 -0
package/dist/model/project-context.js.map +1 -0
package/dist/model/route-auth-resolver.d.ts +27 -0
package/dist/model/route-auth-resolver.d.ts.map +1 -0
package/dist/model/route-auth-resolver.js +182 -0
package/dist/model/route-auth-resolver.js.map +1 -0
package/dist/model/route-discovery/express.d.ts +25 -0
package/dist/model/route-discovery/express.d.ts.map +1 -0
package/dist/model/route-discovery/express.js +225 -0
package/dist/model/route-discovery/express.js.map +1 -0
package/dist/model/route-discovery/index.d.ts +21 -0
package/dist/model/route-discovery/index.d.ts.map +1 -0
package/dist/model/route-discovery/index.js +67 -0
package/dist/model/route-discovery/index.js.map +1 -0
package/dist/model/route-discovery/nextjs.d.ts +16 -0
package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
package/dist/model/route-discovery/nextjs.js +179 -0
package/dist/model/route-discovery/nextjs.js.map +1 -0
package/dist/model/route-discovery/python.d.ts +16 -0
package/dist/model/route-discovery/python.d.ts.map +1 -0
package/dist/model/route-discovery/python.js +181 -0
package/dist/model/route-discovery/python.js.map +1 -0
package/dist/model/route-discovery/types.d.ts +36 -0
package/dist/model/route-discovery/types.d.ts.map +1 -0
package/dist/model/route-discovery/types.js +16 -0
package/dist/model/route-discovery/types.js.map +1 -0
package/dist/model/route-discovery/utils.d.ts +18 -0
package/dist/model/route-discovery/utils.d.ts.map +1 -0
package/dist/model/route-discovery/utils.js +55 -0
package/dist/model/route-discovery/utils.js.map +1 -0
package/dist/model/route-hierarchy.d.ts +50 -0
package/dist/model/route-hierarchy.d.ts.map +1 -0
package/dist/model/route-hierarchy.js +226 -0
package/dist/model/route-hierarchy.js.map +1 -0
package/dist/model/sanitiser-detection.d.ts +27 -0
package/dist/model/sanitiser-detection.d.ts.map +1 -0
package/dist/model/sanitiser-detection.js +224 -0
package/dist/model/sanitiser-detection.js.map +1 -0
package/dist/model/sink-matcher.d.ts +17 -0
package/dist/model/sink-matcher.d.ts.map +1 -0
package/dist/model/sink-matcher.js +141 -0
package/dist/model/sink-matcher.js.map +1 -0
package/dist/model/sink-patterns.d.ts +19 -0
package/dist/model/sink-patterns.d.ts.map +1 -0
package/dist/model/sink-patterns.js +88 -0
package/dist/model/sink-patterns.js.map +1 -0
package/dist/model/source-discovery.d.ts +15 -0
package/dist/model/source-discovery.d.ts.map +1 -0
package/dist/model/source-discovery.js +170 -0
package/dist/model/source-discovery.js.map +1 -0
package/dist/model/taint-tracker.d.ts +21 -0
package/dist/model/taint-tracker.d.ts.map +1 -0
package/dist/model/taint-tracker.js +281 -0
package/dist/model/taint-tracker.js.map +1 -0
package/dist/model/taint-types.d.ts +74 -0
package/dist/model/taint-types.d.ts.map +1 -0
package/dist/model/taint-types.js +9 -0
package/dist/model/taint-types.js.map +1 -0
package/dist/model/trpc-analyzer.d.ts +78 -0
package/dist/model/trpc-analyzer.d.ts.map +1 -0
package/dist/model/trpc-analyzer.js +297 -0
package/dist/model/trpc-analyzer.js.map +1 -0
package/dist/modes/incremental.js +1 -1
package/dist/parse/file-classifier.d.ts +228 -0
package/dist/parse/file-classifier.d.ts.map +1 -0
package/dist/parse/file-classifier.js +933 -0
package/dist/parse/file-classifier.js.map +1 -0
package/dist/parse/path-exclusions.d.ts +55 -0
package/dist/parse/path-exclusions.d.ts.map +1 -0
package/dist/parse/path-exclusions.js +224 -0
package/dist/parse/path-exclusions.js.map +1 -0
package/dist/pipeline/config.d.ts +39 -0
package/dist/pipeline/config.d.ts.map +1 -0
package/dist/pipeline/config.js +46 -0
package/dist/pipeline/config.js.map +1 -0
package/dist/pipeline/index.d.ts +34 -0
package/dist/pipeline/index.d.ts.map +1 -0
package/dist/pipeline/index.js +377 -0
package/dist/pipeline/index.js.map +1 -0
package/dist/pipeline/modes/incremental.d.ts +66 -0
package/dist/pipeline/modes/incremental.d.ts.map +1 -0
package/dist/pipeline/modes/incremental.js +200 -0
package/dist/pipeline/modes/incremental.js.map +1 -0
package/dist/postprocess/aggregation.d.ts +14 -0
package/dist/postprocess/aggregation.d.ts.map +1 -0
package/dist/postprocess/aggregation.js +63 -0
package/dist/postprocess/aggregation.js.map +1 -0
package/dist/postprocess/contradictions.d.ts +18 -0
package/dist/postprocess/contradictions.d.ts.map +1 -0
package/dist/postprocess/contradictions.js +99 -0
package/dist/postprocess/contradictions.js.map +1 -0
package/dist/postprocess/dedup.d.ts +13 -0
package/dist/postprocess/dedup.d.ts.map +1 -0
package/dist/postprocess/dedup.js +58 -0
package/dist/postprocess/dedup.js.map +1 -0
package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
package/dist/postprocess/filtering/context-adjustments.js +100 -0
package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
package/dist/postprocess/filtering/index.d.ts +3 -0
package/dist/postprocess/filtering/index.d.ts.map +1 -0
package/dist/postprocess/filtering/index.js +8 -0
package/dist/postprocess/filtering/index.js.map +1 -0
package/dist/postprocess/filtering/pipeline.d.ts +48 -0
package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
package/dist/postprocess/filtering/pipeline.js +76 -0
package/dist/postprocess/filtering/pipeline.js.map +1 -0
package/dist/postprocess/index.d.ts +41 -0
package/dist/postprocess/index.d.ts.map +1 -0
package/dist/postprocess/index.js +85 -0
package/dist/postprocess/index.js.map +1 -0
package/dist/postprocess/suppression/config-loader.d.ts +74 -0
package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
package/dist/postprocess/suppression/config-loader.js +424 -0
package/dist/postprocess/suppression/config-loader.js.map +1 -0
package/dist/postprocess/suppression/hash.d.ts +48 -0
package/dist/postprocess/suppression/hash.d.ts.map +1 -0
package/dist/postprocess/suppression/hash.js +88 -0
package/dist/postprocess/suppression/hash.js.map +1 -0
package/dist/postprocess/suppression/index.d.ts +11 -0
package/dist/postprocess/suppression/index.d.ts.map +1 -0
package/dist/postprocess/suppression/index.js +39 -0
package/dist/postprocess/suppression/index.js.map +1 -0
package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
package/dist/postprocess/suppression/inline-parser.js +218 -0
package/dist/postprocess/suppression/inline-parser.js.map +1 -0
package/dist/postprocess/suppression/manager.d.ts +94 -0
package/dist/postprocess/suppression/manager.d.ts.map +1 -0
package/dist/postprocess/suppression/manager.js +292 -0
package/dist/postprocess/suppression/manager.js.map +1 -0
package/dist/postprocess/suppression/types.d.ts +151 -0
package/dist/postprocess/suppression/types.d.ts.map +1 -0
package/dist/postprocess/suppression/types.js +28 -0
package/dist/postprocess/suppression/types.js.map +1 -0
package/dist/postprocess/validation-cap.d.ts +17 -0
package/dist/postprocess/validation-cap.d.ts.map +1 -0
package/dist/postprocess/validation-cap.js +64 -0
package/dist/postprocess/validation-cap.js.map +1 -0
package/dist/report/build-result.d.ts +33 -0
package/dist/report/build-result.d.ts.map +1 -0
package/dist/report/build-result.js +59 -0
package/dist/report/build-result.js.map +1 -0
package/dist/report/enrichment.d.ts +19 -0
package/dist/report/enrichment.d.ts.map +1 -0
package/dist/report/enrichment.js +44 -0
package/dist/report/enrichment.js.map +1 -0
package/dist/report/formatters/ai-context.d.ts +23 -0
package/dist/report/formatters/ai-context.d.ts.map +1 -0
package/dist/report/formatters/ai-context.js +238 -0
package/dist/report/formatters/ai-context.js.map +1 -0
package/dist/report/formatters/cli-terminal.d.ts +65 -0
package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
package/dist/report/formatters/cli-terminal.js +735 -0
package/dist/report/formatters/cli-terminal.js.map +1 -0
package/dist/report/formatters/github-comment.d.ts +41 -0
package/dist/report/formatters/github-comment.d.ts.map +1 -0
package/dist/report/formatters/github-comment.js +370 -0
package/dist/report/formatters/github-comment.js.map +1 -0
package/dist/report/formatters/grouping.d.ts +52 -0
package/dist/report/formatters/grouping.d.ts.map +1 -0
package/dist/report/formatters/grouping.js +152 -0
package/dist/report/formatters/grouping.js.map +1 -0
package/dist/report/formatters/ide/claude-code.d.ts +17 -0
package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/report/formatters/ide/claude-code.js +94 -0
package/dist/report/formatters/ide/claude-code.js.map +1 -0
package/dist/report/formatters/ide/cursor.d.ts +13 -0
package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
package/dist/report/formatters/ide/cursor.js +125 -0
package/dist/report/formatters/ide/cursor.js.map +1 -0
package/dist/report/formatters/ide/index.d.ts +62 -0
package/dist/report/formatters/ide/index.d.ts.map +1 -0
package/dist/report/formatters/ide/index.js +184 -0
package/dist/report/formatters/ide/index.js.map +1 -0
package/dist/report/formatters/ide/windsurf.d.ts +13 -0
package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/report/formatters/ide/windsurf.js +117 -0
package/dist/report/formatters/ide/windsurf.js.map +1 -0
package/dist/report/formatters/index.d.ts +11 -0
package/dist/report/formatters/index.d.ts.map +1 -0
package/dist/report/formatters/index.js +54 -0
package/dist/report/formatters/index.js.map +1 -0
package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/report/formatters/vscode-diagnostic.js +151 -0
package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
package/dist/report/summary.d.ts +27 -0
package/dist/report/summary.d.ts.map +1 -0
package/dist/report/summary.js +57 -0
package/dist/report/summary.js.map +1 -0
package/dist/rules/metadata.d.ts.map +1 -1
package/dist/rules/metadata.js +66 -0
package/dist/rules/metadata.js.map +1 -1
package/dist/score/adjustments.d.ts +22 -0
package/dist/score/adjustments.d.ts.map +1 -0
package/dist/score/adjustments.js +373 -0
package/dist/score/adjustments.js.map +1 -0
package/dist/score/auto-dismiss.d.ts +28 -0
package/dist/score/auto-dismiss.d.ts.map +1 -0
package/dist/score/auto-dismiss.js +200 -0
package/dist/score/auto-dismiss.js.map +1 -0
package/dist/score/confidence.d.ts +19 -0
package/dist/score/confidence.d.ts.map +1 -0
package/dist/score/confidence.js +52 -0
package/dist/score/confidence.js.map +1 -0
package/dist/score/index.d.ts +61 -0
package/dist/score/index.d.ts.map +1 -0
package/dist/score/index.js +250 -0
package/dist/score/index.js.map +1 -0
package/dist/score/types.d.ts +160 -0
package/dist/score/types.d.ts.map +1 -0
package/dist/score/types.js +14 -0
package/dist/score/types.js.map +1 -0
package/dist/shared/ai-context/index.d.ts +6 -0
package/dist/shared/ai-context/index.d.ts.map +1 -0
package/dist/shared/ai-context/index.js +13 -0
package/dist/shared/ai-context/index.js.map +1 -0
package/dist/shared/ai-context/manager.d.ts +67 -0
package/dist/shared/ai-context/manager.d.ts.map +1 -0
package/dist/shared/ai-context/manager.js +104 -0
package/dist/shared/ai-context/manager.js.map +1 -0
package/dist/shared/baseline/diff.d.ts +32 -0
package/dist/shared/baseline/diff.d.ts.map +1 -0
package/dist/shared/baseline/diff.js +119 -0
package/dist/shared/baseline/diff.js.map +1 -0
package/dist/shared/baseline/index.d.ts +9 -0
package/dist/shared/baseline/index.d.ts.map +1 -0
package/dist/shared/baseline/index.js +19 -0
package/dist/shared/baseline/index.js.map +1 -0
package/dist/shared/baseline/manager.d.ts +67 -0
package/dist/shared/baseline/manager.d.ts.map +1 -0
package/dist/shared/baseline/manager.js +180 -0
package/dist/shared/baseline/manager.js.map +1 -0
package/dist/shared/baseline/types.d.ts +91 -0
package/dist/shared/baseline/types.d.ts.map +1 -0
package/dist/shared/baseline/types.js +12 -0
package/dist/shared/baseline/types.js.map +1 -0
package/dist/shared/category-filter.d.ts +125 -0
package/dist/shared/category-filter.d.ts.map +1 -0
package/dist/shared/category-filter.js +360 -0
package/dist/shared/category-filter.js.map +1 -0
package/dist/shared/code-analysis.d.ts +39 -0
package/dist/shared/code-analysis.d.ts.map +1 -0
package/dist/shared/code-analysis.js +159 -0
package/dist/shared/code-analysis.js.map +1 -0
package/dist/shared/comment-analyzer.d.ts +38 -0
package/dist/shared/comment-analyzer.d.ts.map +1 -0
package/dist/shared/comment-analyzer.js +218 -0
package/dist/shared/comment-analyzer.js.map +1 -0
package/dist/shared/diff-detector.d.ts +53 -0
package/dist/shared/diff-detector.d.ts.map +1 -0
package/dist/shared/diff-detector.js +104 -0
package/dist/shared/diff-detector.js.map +1 -0
package/dist/shared/diff-parser.d.ts +80 -0
package/dist/shared/diff-parser.d.ts.map +1 -0
package/dist/shared/diff-parser.js +202 -0
package/dist/shared/diff-parser.js.map +1 -0
package/dist/shared/environment-context.d.ts +76 -0
package/dist/shared/environment-context.d.ts.map +1 -0
package/dist/shared/environment-context.js +271 -0
package/dist/shared/environment-context.js.map +1 -0
package/dist/shared/intent-detector.d.ts +66 -0
package/dist/shared/intent-detector.d.ts.map +1 -0
package/dist/shared/intent-detector.js +282 -0
package/dist/shared/intent-detector.js.map +1 -0
package/dist/shared/parsed-file.d.ts +51 -0
package/dist/shared/parsed-file.d.ts.map +1 -0
package/dist/shared/parsed-file.js +95 -0
package/dist/shared/parsed-file.js.map +1 -0
package/dist/shared/registry-clients.d.ts +93 -0
package/dist/shared/registry-clients.d.ts.map +1 -0
package/dist/shared/registry-clients.js +273 -0
package/dist/shared/registry-clients.js.map +1 -0
package/dist/shared/rules/framework-fixes.d.ts +48 -0
package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
package/dist/shared/rules/framework-fixes.js +439 -0
package/dist/shared/rules/framework-fixes.js.map +1 -0
package/dist/shared/rules/index.d.ts +8 -0
package/dist/shared/rules/index.d.ts.map +1 -0
package/dist/shared/rules/index.js +18 -0
package/dist/shared/rules/index.js.map +1 -0
package/dist/shared/rules/metadata.d.ts +43 -0
package/dist/shared/rules/metadata.d.ts.map +1 -0
package/dist/shared/rules/metadata.js +819 -0
package/dist/shared/rules/metadata.js.map +1 -0
package/dist/shared/schema-semantics.d.ts +45 -0
package/dist/shared/schema-semantics.d.ts.map +1 -0
package/dist/shared/schema-semantics.js +193 -0
package/dist/shared/schema-semantics.js.map +1 -0
package/dist/shared/types.d.ts +337 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +126 -0
package/dist/shared/types.js.map +1 -0
package/dist/tiers.d.ts +4 -4
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +17 -7
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +79 -9
package/dist/types.d.ts.map +1 -1
package/dist/types.js +34 -0
package/dist/types.js.map +1 -1
package/dist/utils/code-analysis.d.ts +39 -0
package/dist/utils/code-analysis.d.ts.map +1 -0
package/dist/utils/code-analysis.js +159 -0
package/dist/utils/code-analysis.js.map +1 -0
package/dist/utils/comment-analyzer.d.ts +38 -0
package/dist/utils/comment-analyzer.d.ts.map +1 -0
package/dist/utils/comment-analyzer.js +218 -0
package/dist/utils/comment-analyzer.js.map +1 -0
package/dist/utils/context-helpers.d.ts +108 -1
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +351 -2
package/dist/utils/context-helpers.js.map +1 -1
package/dist/utils/environment-context.d.ts +76 -0
package/dist/utils/environment-context.d.ts.map +1 -0
package/dist/utils/environment-context.js +271 -0
package/dist/utils/environment-context.js.map +1 -0
package/dist/utils/intent-detector.d.ts +66 -0
package/dist/utils/intent-detector.d.ts.map +1 -0
package/dist/utils/intent-detector.js +282 -0
package/dist/utils/intent-detector.js.map +1 -0
package/dist/utils/parsed-file.d.ts +51 -0
package/dist/utils/parsed-file.d.ts.map +1 -0
package/dist/utils/parsed-file.js +95 -0
package/dist/utils/parsed-file.js.map +1 -0
package/dist/utils/route-hierarchy.d.ts +50 -0
package/dist/utils/route-hierarchy.d.ts.map +1 -0
package/dist/utils/route-hierarchy.js +226 -0
package/dist/utils/route-hierarchy.js.map +1 -0
package/dist/utils/schema-semantics.d.ts +45 -0
package/dist/utils/schema-semantics.d.ts.map +1 -0
package/dist/utils/schema-semantics.js +193 -0
package/dist/utils/schema-semantics.js.map +1 -0
package/dist/validate/clients.d.ts +44 -0
package/dist/validate/clients.d.ts.map +1 -0
package/dist/validate/clients.js +81 -0
package/dist/validate/clients.js.map +1 -0
package/dist/validate/index.d.ts +41 -0
package/dist/validate/index.d.ts.map +1 -0
package/dist/validate/index.js +141 -0
package/dist/validate/index.js.map +1 -0
package/dist/validate/prompts/index.d.ts +8 -0
package/dist/validate/prompts/index.d.ts.map +1 -0
package/dist/validate/prompts/index.js +16 -0
package/dist/validate/prompts/index.js.map +1 -0
package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
package/dist/validate/prompts/modules/ai-patterns.js +156 -0
package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
package/dist/validate/prompts/modules/auth-access.js +25 -0
package/dist/validate/prompts/modules/auth-access.js.map +1 -0
package/dist/validate/prompts/modules/common.d.ts +11 -0
package/dist/validate/prompts/modules/common.d.ts.map +1 -0
package/dist/validate/prompts/modules/common.js +186 -0
package/dist/validate/prompts/modules/common.js.map +1 -0
package/dist/validate/prompts/modules/index.d.ts +54 -0
package/dist/validate/prompts/modules/index.d.ts.map +1 -0
package/dist/validate/prompts/modules/index.js +186 -0
package/dist/validate/prompts/modules/index.js.map +1 -0
package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
package/dist/validate/prompts/modules/owasp-classic.js +84 -0
package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
package/dist/validate/prompts/modules/xss-prompt.js +22 -0
package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/validate/prompts/semantic-analysis.js +169 -0
package/dist/validate/prompts/semantic-analysis.js.map +1 -0
package/dist/validate/prompts/validation.d.ts +18 -0
package/dist/validate/prompts/validation.d.ts.map +1 -0
package/dist/validate/prompts/validation.js +25 -0
package/dist/validate/prompts/validation.js.map +1 -0
package/dist/validate/providers/anthropic.d.ts +17 -0
package/dist/validate/providers/anthropic.d.ts.map +1 -0
package/dist/validate/providers/anthropic.js +260 -0
package/dist/validate/providers/anthropic.js.map +1 -0
package/dist/validate/providers/index.d.ts +8 -0
package/dist/validate/providers/index.d.ts.map +1 -0
package/dist/validate/providers/index.js +13 -0
package/dist/validate/providers/index.js.map +1 -0
package/dist/validate/providers/openai.d.ts +14 -0
package/dist/validate/providers/openai.d.ts.map +1 -0
package/dist/validate/providers/openai.js +336 -0
package/dist/validate/providers/openai.js.map +1 -0
package/dist/validate/request-builder.d.ts +61 -0
package/dist/validate/request-builder.d.ts.map +1 -0
package/dist/validate/request-builder.js +346 -0
package/dist/validate/request-builder.js.map +1 -0
package/dist/validate/types.d.ts +88 -0
package/dist/validate/types.d.ts.map +1 -0
package/dist/validate/types.js +38 -0
package/dist/validate/types.js.map +1 -0
package/dist/validate/utils/context-extractor.d.ts +55 -0
package/dist/validate/utils/context-extractor.d.ts.map +1 -0
package/dist/validate/utils/context-extractor.js +161 -0
package/dist/validate/utils/context-extractor.js.map +1 -0
package/dist/validate/utils/index.d.ts +11 -0
package/dist/validate/utils/index.d.ts.map +1 -0
package/dist/validate/utils/index.js +27 -0
package/dist/validate/utils/index.js.map +1 -0
package/dist/validate/utils/path-helpers.d.ts +21 -0
package/dist/validate/utils/path-helpers.d.ts.map +1 -0
package/dist/validate/utils/path-helpers.js +69 -0
package/dist/validate/utils/path-helpers.js.map +1 -0
package/dist/validate/utils/response-parser.d.ts +40 -0
package/dist/validate/utils/response-parser.d.ts.map +1 -0
package/dist/validate/utils/response-parser.js +286 -0
package/dist/validate/utils/response-parser.js.map +1 -0
package/dist/validate/utils/retry.d.ts +15 -0
package/dist/validate/utils/retry.d.ts.map +1 -0
package/dist/validate/utils/retry.js +62 -0
package/dist/validate/utils/retry.js.map +1 -0
package/package.json +8 -7
package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +27 -0
package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
package/src/__tests__/benchmark/run-depth-validation.ts +12 -12
package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
package/src/__tests__/benchmark/types.ts +1 -1
package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
package/src/__tests__/category-filter.test.ts +478 -0
package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
package/src/__tests__/context-engine/framework-models.test.ts +457 -0
package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
package/src/__tests__/context-engine/integration.test.ts +320 -0
package/src/__tests__/context-engine/module-graph.test.ts +159 -0
package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
package/src/__tests__/regression/known-false-positives.test.ts +801 -3
package/src/__tests__/score/adjustments.test.ts +385 -0
package/src/__tests__/score/confidence.test.ts +283 -0
package/src/__tests__/score/framework-scoring.test.ts +275 -0
package/src/__tests__/score/route-scoring.test.ts +156 -0
package/src/__tests__/score/scoring-integration.test.ts +165 -0
package/src/__tests__/score/taint-adjustments.test.ts +244 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +50 -58
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -12
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +3 -3
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
package/src/__tests__/validate/route-annotations.test.ts +138 -0
package/src/__tests__/validation/analyze-results.ts +1 -1
package/src/__tests__/validation/extract-for-triage.ts +1 -1
package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
package/src/__tests__/validation/run-validation.ts +7 -7
package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +729 -4
package/src/{layer2 → detect/ai-code}/byok-patterns.ts +20 -6
package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +10 -4
package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +272 -46
package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +46 -34
package/src/detect/ai-code/index.ts +11 -0
package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +212 -5
package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +85 -6
package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +170 -6
package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +393 -28
package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +91 -4
package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +10 -4
package/src/detect/config/agent-skill-injection.ts +551 -0
package/src/{layer1 → detect/config}/comments.ts +8 -2
package/src/{layer1 → detect/config}/file-flags.ts +23 -6
package/src/detect/config/index.ts +6 -0
package/src/{layer3 → detect/config}/osv-check.ts +3 -2
package/src/{layer3 → detect/config}/package-check.ts +3 -2
package/src/{layer1 → detect/config}/urls.ts +196 -15
package/src/detect/index.ts +131 -0
package/src/{layer1 → detect/secrets}/config-audit.ts +56 -12
package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +11 -4
package/src/{layer1 → detect/secrets}/entropy.ts +256 -11
package/src/{layer1 → detect/secrets}/index.ts +43 -46
package/src/{layer1 → detect/secrets}/patterns.ts +51 -6
package/src/{layer1 → detect/secrets}/weak-crypto.ts +174 -17
package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +249 -27
package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +94 -22
package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +672 -65
package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +269 -17
package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +4 -2
package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
package/src/detect/structural/dangerous-functions/utils/control-flow.ts +35 -0
package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +16 -1
package/src/{layer2 → detect/structural}/data-exposure.ts +23 -40
package/src/{layer2 → detect/structural}/framework-checks.ts +13 -12
package/src/{layer2 → detect/structural}/index.ts +144 -122
package/src/detect/structural/log-injection.ts +254 -0
package/src/{layer2 → detect/structural}/logic-gates.ts +69 -24
package/src/{layer2 → detect/structural}/risky-imports.ts +10 -4
package/src/detect/structural/security-headers.ts +231 -0
package/src/detect/structural/ssrf-detection.ts +300 -0
package/src/{layer2 → detect/structural}/variables.ts +10 -4
package/src/detect/structural/xxe-detection.ts +295 -0
package/src/index.ts +64 -1038
package/src/{utils → model}/auth-helper-detector.ts +1 -1
package/src/model/cross-file-taint.ts +374 -0
package/src/model/framework-models/django.ts +82 -0
package/src/model/framework-models/express.ts +54 -0
package/src/model/framework-models/index.ts +116 -0
package/src/model/framework-models/nextjs.ts +69 -0
package/src/model/framework-models/prisma.ts +57 -0
package/src/model/framework-models/react.ts +63 -0
package/src/model/framework-models/sequelize.ts +63 -0
package/src/model/framework-models/types.ts +46 -0
package/src/model/function-classifier.ts +184 -0
package/src/model/import-resolver.ts +453 -0
package/src/{utils → model}/imported-auth-detector.ts +21 -85
package/src/model/index.ts +353 -0
package/src/{utils → model}/middleware-detector.ts +156 -17
package/src/model/module-graph.ts +254 -0
package/src/{utils → model}/oauth-flow-detector.ts +1 -1
package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
package/src/model/route-auth-resolver.ts +216 -0
package/src/model/route-discovery/express.ts +251 -0
package/src/model/route-discovery/index.ts +83 -0
package/src/model/route-discovery/nextjs.ts +216 -0
package/src/model/route-discovery/python.ts +214 -0
package/src/model/route-discovery/types.ts +48 -0
package/src/model/route-discovery/utils.ts +54 -0
package/src/model/route-hierarchy.ts +250 -0
package/src/model/sanitiser-detection.ts +268 -0
package/src/model/sink-matcher.ts +178 -0
package/src/model/sink-patterns.ts +109 -0
package/src/model/source-discovery.ts +209 -0
package/src/model/taint-tracker.ts +333 -0
package/src/model/taint-types.ts +149 -0
package/src/{utils → model}/trpc-analyzer.ts +1 -1
package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +462 -2
package/src/{utils → parse}/path-exclusions.ts +1 -1
package/src/pipeline/config.ts +81 -0
package/src/pipeline/index.ts +437 -0
package/src/{modes → pipeline/modes}/incremental.ts +6 -6
package/src/postprocess/aggregation.ts +74 -0
package/src/postprocess/contradictions.ts +128 -0
package/src/postprocess/dedup.ts +62 -0
package/src/postprocess/filtering/__tests__/pipeline.test.ts +134 -0
package/src/postprocess/filtering/context-adjustments.ts +111 -0
package/src/postprocess/filtering/index.ts +10 -0
package/src/postprocess/filtering/pipeline.ts +130 -0
package/src/postprocess/index.ts +118 -0
package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
package/src/{suppression → postprocess/suppression}/types.ts +2 -2
package/src/postprocess/validation-cap.ts +66 -0
package/src/report/build-result.ts +94 -0
package/src/report/enrichment.ts +52 -0
package/src/report/formatters/__tests__/ai-context.test.ts +254 -0
package/src/report/formatters/ai-context.ts +302 -0
package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
package/src/{formatters → report/formatters}/github-comment.ts +4 -4
package/src/{formatters → report/formatters}/grouping.ts +8 -8
package/src/report/formatters/ide/__tests__/ide.test.ts +319 -0
package/src/report/formatters/ide/claude-code.ts +110 -0
package/src/report/formatters/ide/cursor.ts +147 -0
package/src/report/formatters/ide/index.ts +216 -0
package/src/report/formatters/ide/windsurf.ts +135 -0
package/src/{formatters → report/formatters}/index.ts +24 -0
package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
package/src/report/summary.ts +70 -0
package/src/score/adjustments.ts +387 -0
package/src/{layer3/anthropic → score}/auto-dismiss.ts +26 -14
package/src/score/confidence.ts +66 -0
package/src/score/index.ts +316 -0
package/src/score/types.ts +187 -0
package/src/shared/__tests__/code-analysis.test.ts +165 -0
package/src/shared/__tests__/parsed-file.test.ts +124 -0
package/src/shared/ai-context/__tests__/manager.test.ts +193 -0
package/src/shared/ai-context/index.ts +15 -0
package/src/shared/ai-context/manager.ts +145 -0
package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +2 -2
package/src/{baseline → shared/baseline}/diff.ts +1 -1
package/src/{baseline → shared/baseline}/manager.ts +1 -1
package/src/shared/category-filter.ts +400 -0
package/src/{layer2/dangerous-functions/utils/control-flow.ts → shared/code-analysis.ts} +56 -39
package/src/shared/comment-analyzer.ts +249 -0
package/src/shared/environment-context.ts +304 -0
package/src/shared/intent-detector.ts +318 -0
package/src/shared/parsed-file.ts +103 -0
package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
package/src/{rules → shared/rules}/metadata.ts +94 -0
package/src/shared/schema-semantics.ts +233 -0
package/src/{types.ts → shared/types.ts} +142 -11
package/src/tiers.ts +27 -10
package/src/validate/__tests__/context-extractor.test.ts +191 -0
package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
package/src/validate/__tests__/request-builder.test.ts +347 -0
package/src/{layer3/anthropic → validate}/index.ts +8 -7
package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
package/src/validate/prompts/modules/ai-patterns.ts +153 -0
package/src/validate/prompts/modules/auth-access.ts +22 -0
package/src/validate/prompts/modules/common.ts +183 -0
package/src/validate/prompts/modules/index.ts +204 -0
package/src/validate/prompts/modules/owasp-classic.ts +81 -0
package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
package/src/validate/prompts/modules/xss-prompt.ts +19 -0
package/src/validate/prompts/validation.ts +20 -0
package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
package/src/validate/providers/index.ts +8 -0
package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
package/src/validate/request-builder.ts +448 -0
package/src/{layer3/anthropic → validate}/types.ts +1 -1
package/src/validate/utils/context-extractor.ts +220 -0
package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
package/src/layer3/anthropic/prompts/validation.ts +0 -419
package/src/layer3/anthropic/providers/index.ts +0 -8
package/src/layer3/anthropic/request-builder.ts +0 -150
package/src/layer3/index.ts +0 -168
/package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
/package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/index.ts +0 -0
/package/src/{baseline → shared/baseline}/index.ts +0 -0
/package/src/{baseline → shared/baseline}/types.ts +0 -0
/package/src/{utils → shared}/diff-detector.ts +0 -0
/package/src/{utils → shared}/diff-parser.ts +0 -0
/package/src/{utils → shared}/registry-clients.ts +0 -0
/package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
/package/src/{rules → shared/rules}/index.ts +0 -0
/package/src/{layer3/anthropic → validate}/clients.ts +0 -0
/package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
/package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
/package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0

package/dist/utils/schema-semantics.js ADDED Viewed

@@ -0,0 +1,193 @@
+"use strict";
+/**
+ * Schema Semantics Utility
+ * Understands validation schema logic, particularly Zod/Yup/Joi patterns
+ *
+ * This addresses false positives where OR validation (either A or B required)
+ * is flagged as "bypass" when individual fields are marked optional.
+ *
+ * Key insight: `.optional()` + `.refine()` = OR validation, not bypass
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeSchemaSemantics = analyzeSchemaSemantics;
+exports.isLegitimateOrValidation = isLegitimateOrValidation;
+exports.is2FAOrValidation = is2FAOrValidation;
+/**
+ * Patterns that indicate cross-field validation refinements
+ */
+const REFINEMENT_PATTERNS = [
+    // Zod .refine() with OR logic
+    /\.refine\s*\(\s*\([^)]*\)\s*=>\s*[^,]*\|\|/,
+    /\.refine\s*\(\s*\(\s*\{\s*\w+\s*,/, // Destructured refine
+    /\.refine\s*\(\s*\(?data\)?\s*=>/, // data => refine
+    // Zod .superRefine()
+    /\.superRefine\s*\(/,
+    // Yup .test() with cross-field validation
+    /\.test\s*\(\s*['"][^'"]+['"]\s*,\s*['"][^'"]+['"]\s*,\s*function/,
+    /\.test\s*\(\s*['"][^'"]+['"]\s*,\s*['"][^'"]+['"]\s*,\s*\([^)]*\)\s*=>/,
+    // Joi custom validation
+    /\.custom\s*\(/,
+    /Joi\.alternatives\s*\(\)/,
+    /\.xor\s*\(/,
+    /\.or\s*\(/,
+];
+/**
+ * Patterns indicating OR logic in refinement callbacks
+ */
+const OR_LOGIC_PATTERNS = [
+    // Direct OR in refine: (data) => data.a || data.b
+    /=>\s*[^,;]*\|\|/,
+    // Negated AND: !(a && b)
+    /=>\s*!\s*\([^)]*&&/,
+    // Ternary with OR
+    /\?\s*[^:]*\|\|/,
+];
+/**
+ * Find the start of a schema definition containing a given line
+ */
+function findSchemaStart(lines, lineNumber) {
+    // Look backwards for schema definition patterns
+    const schemaStartPatterns = [
+        /(?:const|let|var)\s+\w+\s*=\s*z\.object\s*\(/,
+        /(?:const|let|var)\s+\w+\s*=\s*Yup\.object\s*\(/,
+        /(?:const|let|var)\s+\w+\s*=\s*Joi\.object\s*\(/,
+        /export\s+(?:const|let|var)\s+\w+\s*=\s*z\.object\s*\(/,
+        /z\.object\s*\(\s*\{/,
+        /Yup\.object\s*\(\s*\{/,
+        /Joi\.object\s*\(\s*\{/,
+    ];
+    for (let i = lineNumber; i >= 0; i--) {
+        if (schemaStartPatterns.some(pattern => pattern.test(lines[i]))) {
+            return i;
+        }
+        // Don't look back more than 50 lines
+        if (lineNumber - i > 50)
+            break;
+    }
+    return Math.max(0, lineNumber - 10);
+}
+/**
+ * Find the end of a schema definition containing a given line
+ */
+function findSchemaEnd(lines, schemaStart) {
+    let braceCount = 0;
+    let inSchema = false;
+    for (let i = schemaStart; i < lines.length; i++) {
+        const line = lines[i];
+        // Count braces/parens
+        for (const char of line) {
+            if (char === '(' || char === '{') {
+                braceCount++;
+                inSchema = true;
+            }
+            else if (char === ')' || char === '}') {
+                braceCount--;
+            }
+        }
+        // Schema ends when we return to zero brace count after entering
+        if (inSchema && braceCount === 0) {
+            return i + 1;
+        }
+        // Don't look forward more than 100 lines
+        if (i - schemaStart > 100)
+            break;
+    }
+    return Math.min(lines.length, schemaStart + 50);
+}
+/**
+ * Count .optional() calls in content
+ */
+function countOptionalFields(content) {
+    const matches = content.match(/\.optional\s*\(\s*\)/g);
+    return matches ? matches.length : 0;
+}
+/**
+ * Analyze a validation schema for OR-logic refinement patterns
+ *
+ * @param content - The full file content
+ * @param lineNumber - The 0-indexed line number where the pattern was found
+ * @returns SchemaAnalysis with refinement information
+ */
+function analyzeSchemaSemantics(content, lineNumber) {
+    const lines = content.split('\n');
+    // Find the schema boundaries
+    const schemaStart = findSchemaStart(lines, lineNumber);
+    const schemaEnd = findSchemaEnd(lines, schemaStart);
+    // Extract schema content
+    const schemaLines = lines.slice(schemaStart, schemaEnd);
+    const schemaContent = schemaLines.join('\n');
+    // Check for refinement patterns
+    const hasRefine = REFINEMENT_PATTERNS.some(pattern => pattern.test(schemaContent));
+    const hasSuperRefine = /\.superRefine\s*\(/.test(schemaContent);
+    const hasOrLogic = OR_LOGIC_PATTERNS.some(pattern => pattern.test(schemaContent));
+    // Count optional fields
+    const optionalCount = countOptionalFields(schemaContent);
+    // Determine if this is OR validation
+    // OR validation pattern: multiple optional fields + refine with || logic
+    const isOrValidation = optionalCount >= 2 && hasRefine && hasOrLogic;
+    // Determine refinement type
+    let refinementType = 'none';
+    if (hasSuperRefine) {
+        refinementType = 'super_refine';
+    }
+    else if (hasOrLogic && hasRefine) {
+        refinementType = 'or_logic';
+    }
+    else if (hasRefine) {
+        refinementType = 'custom_validation';
+    }
+    return {
+        hasRefinement: hasRefine || hasSuperRefine,
+        refinementType,
+        optionalFieldCount: optionalCount,
+        isOrValidation,
+    };
+}
+/**
+ * Check if a line with .optional() is part of legitimate OR validation
+ *
+ * @param content - The full file content
+ * @param lineNumber - The 0-indexed line number where .optional() was found
+ * @returns true if this is part of OR validation (not a bypass)
+ */
+function isLegitimateOrValidation(content, lineNumber) {
+    const analysis = analyzeSchemaSemantics(content, lineNumber);
+    return analysis.isOrValidation || analysis.refinementType === 'super_refine';
+}
+/**
+ * Check if a 2FA-related field with .optional() has proper OR validation
+ * Specifically for 2FA patterns where either totpCode OR backupCode is required
+ *
+ * @param content - The full file content
+ * @param lineNumber - The 0-indexed line number
+ * @returns true if this is legitimate 2FA OR validation
+ */
+function is2FAOrValidation(content, lineNumber) {
+    const lines = content.split('\n');
+    const line = lines[lineNumber] || '';
+    // Check if this line is about 2FA fields
+    const is2FAField = /\b(totp|otp|backupCode|recoveryCode|twoFactor|2fa|mfa)\b/i.test(line);
+    if (!is2FAField) {
+        return false;
+    }
+    // Check for OR validation in the schema
+    const analysis = analyzeSchemaSemantics(content, lineNumber);
+    // If there's refinement with OR logic, this is legitimate
+    if (analysis.isOrValidation) {
+        return true;
+    }
+    // Check for specific 2FA OR patterns in nearby content
+    const schemaStart = findSchemaStart(lines, lineNumber);
+    const schemaEnd = findSchemaEnd(lines, schemaStart);
+    const schemaContent = lines.slice(schemaStart, schemaEnd).join('\n');
+    // Patterns like: "Either TOTP or backup code required"
+    const twoFAOrPatterns = [
+        /either.*or.*required/i,
+        /totp.*\|\|.*backup/i,
+        /backup.*\|\|.*totp/i,
+        /code.*\|\|.*code/i,
+        /one\s+of.*required/i,
+    ];
+    return twoFAOrPatterns.some(pattern => pattern.test(schemaContent));
+}
+//# sourceMappingURL=schema-semantics.js.map

package/dist/utils/schema-semantics.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema-semantics.js","sourceRoot":"","sources":["../../src/utils/schema-semantics.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAyHH,wDA0CC;AASD,4DAMC;AAUD,8CAoCC;AAnND;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,8BAA8B;IAC9B,4CAA4C;IAC5C,mCAAmC,EAAG,sBAAsB;IAC5D,iCAAiC,EAAK,iBAAiB;IAEvD,qBAAqB;IACrB,oBAAoB;IAEpB,0CAA0C;IAC1C,kEAAkE;IAClE,wEAAwE;IAExE,wBAAwB;IACxB,eAAe;IACf,0BAA0B;IAC1B,YAAY;IACZ,WAAW;CACZ,CAAA;AAED;;GAEG;AACH,MAAM,iBAAiB,GAAG;IACxB,kDAAkD;IAClD,iBAAiB;IACjB,yBAAyB;IACzB,oBAAoB;IACpB,kBAAkB;IAClB,gBAAgB;CACjB,CAAA;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,KAAe,EAAE,UAAkB;IAC1D,gDAAgD;IAChD,MAAM,mBAAmB,GAAG;QAC1B,8CAA8C;QAC9C,gDAAgD;QAChD,gDAAgD;QAChD,uDAAuD;QACvD,qBAAqB;QACrB,uBAAuB;QACvB,uBAAuB;KACxB,CAAA;IAED,KAAK,IAAI,CAAC,GAAG,UAAU,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAChE,OAAO,CAAC,CAAA;QACV,CAAC;QACD,qCAAqC;QACrC,IAAI,UAAU,GAAG,CAAC,GAAG,EAAE;YAAE,MAAK;IAChC,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;AACrC,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,KAAe,EAAE,WAAmB;IACzD,IAAI,UAAU,GAAG,CAAC,CAAA;IAClB,IAAI,QAAQ,GAAG,KAAK,CAAA;IAEpB,KAAK,IAAI,CAAC,GAAG,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,sBAAsB;QACtB,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;YACxB,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACjC,UAAU,EAAE,CAAA;gBACZ,QAAQ,GAAG,IAAI,CAAA;YACjB,CAAC;iBAAM,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACxC,UAAU,EAAE,CAAA;YACd,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,IAAI,QAAQ,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,CAAA;QACd,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,GAAG,WAAW,GAAG,GAAG;YAAE,MAAK;IAClC,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,EAAE,CAAC,CAAA;AACjD,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,OAAe;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;IACtD,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;AACrC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,OAAe,EACf,UAAkB;IAElB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,6BAA6B;IAC7B,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAA;IACtD,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,EAAE,WAAW,CAAC,CAAA;IAEnD,yBAAyB;IACzB,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IACvD,MAAM,aAAa,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAE5C,gCAAgC;IAChC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAA;IAClF,MAAM,cAAc,GAAG,oBAAoB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;IAC/D,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAA;IAEjF,wBAAwB;IACxB,MAAM,aAAa,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAA;IAExD,qCAAqC;IACrC,yEAAyE;IACzE,MAAM,cAAc,GAAG,aAAa,IAAI,CAAC,IAAI,SAAS,IAAI,UAAU,CAAA;IAEpE,4BAA4B;IAC5B,IAAI,cAAc,GAAqC,MAAM,CAAA;IAC7D,IAAI,cAAc,EAAE,CAAC;QACnB,cAAc,GAAG,cAAc,CAAA;IACjC,CAAC;SAAM,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;QACnC,cAAc,GAAG,UAAU,CAAA;IAC7B,CAAC;SAAM,IAAI,SAAS,EAAE,CAAC;QACrB,cAAc,GAAG,mBAAmB,CAAA;IACtC,CAAC;IAED,OAAO;QACL,aAAa,EAAE,SAAS,IAAI,cAAc;QAC1C,cAAc;QACd,kBAAkB,EAAE,aAAa;QACjC,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,wBAAwB,CACtC,OAAe,EACf,UAAkB;IAElB,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAC5D,OAAO,QAAQ,CAAC,cAAc,IAAI,QAAQ,CAAC,cAAc,KAAK,cAAc,CAAA;AAC9E,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAC/B,OAAe,EACf,UAAkB;IAElB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAA;IAEpC,yCAAyC;IACzC,MAAM,UAAU,GAAG,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,wCAAwC;IACxC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAE5D,0DAA0D;IAC1D,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uDAAuD;IACvD,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAA;IACtD,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,EAAE,WAAW,CAAC,CAAA;IACnD,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEpE,uDAAuD;IACvD,MAAM,eAAe,GAAG;QACtB,uBAAuB;QACvB,qBAAqB;QACrB,qBAAqB;QACrB,mBAAmB;QACnB,qBAAqB;KACtB,CAAA;IAED,OAAO,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAA;AACrE,CAAC"}

package/dist/validate/clients.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * AI Provider Client Factories
+ *
+ * Provides lazy-initialized clients for OpenAI and Anthropic APIs.
+ */
+import Anthropic from '@anthropic-ai/sdk';
+import OpenAI from 'openai';
+/**
+ * Initialize Anthropic client
+ */
+export declare function getAnthropicClient(): Anthropic;
+/**
+ * Initialize OpenAI client (singleton)
+ */
+export declare function getOpenAIClient(): OpenAI;
+/**
+ * GPT-5-mini pricing constants (per 1M tokens)
+ */
+export declare const GPT5_MINI_PRICING: {
+    input: number;
+    cached: number;
+    output: number;
+};
+/**
+ * Claude 3.5 Haiku pricing constants (per 1M tokens)
+ */
+export declare const HAIKU_PRICING: {
+    input: number;
+    cacheWrite: number;
+    cacheRead: number;
+    output: number;
+};
+/**
+ * Number of files to include in each API call (Phase 2 optimization)
+ * Batching multiple files reduces API overhead and leverages prompt caching better
+ */
+export declare const FILES_PER_API_BATCH = 8;
+/**
+ * Number of API batches to process in parallel (Phase 3 optimization)
+ * Higher values = faster scans but more API load
+ * OpenAI/GPT-5-mini handles this well
+ */
+export declare const PARALLEL_API_BATCHES = 6;
+//# sourceMappingURL=clients.d.ts.map

package/dist/validate/clients.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clients.d.ts","sourceRoot":"","sources":["../../src/validate/clients.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,SAAS,MAAM,mBAAmB,CAAA;AACzC,OAAO,MAAM,MAAM,QAAQ,CAAA;AAM3B;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,SAAS,CAM9C;AASD;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CASxC;AAMD;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;CAI7B,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;CAKzB,CAAA;AAMD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,IAAI,CAAA;AAEpC;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,IAAI,CAAA"}

package/dist/validate/clients.js ADDED Viewed

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * AI Provider Client Factories
+ *
+ * Provides lazy-initialized clients for OpenAI and Anthropic APIs.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PARALLEL_API_BATCHES = exports.FILES_PER_API_BATCH = exports.HAIKU_PRICING = exports.GPT5_MINI_PRICING = void 0;
+exports.getAnthropicClient = getAnthropicClient;
+exports.getOpenAIClient = getOpenAIClient;
+const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
+const openai_1 = __importDefault(require("openai"));
+// ============================================================================
+// Anthropic Client
+// ============================================================================
+/**
+ * Initialize Anthropic client
+ */
+function getAnthropicClient() {
+    const apiKey = process.env.ANTHROPIC_API_KEY;
+    if (!apiKey) {
+        throw new Error('ANTHROPIC_API_KEY environment variable is not set');
+    }
+    return new sdk_1.default({ apiKey });
+}
+// ============================================================================
+// OpenAI Client
+// ============================================================================
+// Singleton instance for connection reuse
+let openaiClient = null;
+/**
+ * Initialize OpenAI client (singleton)
+ */
+function getOpenAIClient() {
+    if (!openaiClient) {
+        const apiKey = process.env.OPENAI_API_KEY;
+        if (!apiKey) {
+            throw new Error('OPENAI_API_KEY environment variable is not set');
+        }
+        openaiClient = new openai_1.default({ apiKey });
+    }
+    return openaiClient;
+}
+// ============================================================================
+// Pricing Constants
+// ============================================================================
+/**
+ * GPT-5-mini pricing constants (per 1M tokens)
+ */
+exports.GPT5_MINI_PRICING = {
+    input: 0.25, // $0.25 per 1M tokens
+    cached: 0.025, // $0.025 per 1M tokens (10% of input)
+    output: 2.00, // $2.00 per 1M tokens
+};
+/**
+ * Claude 3.5 Haiku pricing constants (per 1M tokens)
+ */
+exports.HAIKU_PRICING = {
+    input: 0.80, // $0.80 per 1M tokens
+    cacheWrite: 1.00, // $1.00 per 1M tokens (5m cache)
+    cacheRead: 0.08, // $0.08 per 1M tokens
+    output: 4.00, // $4.00 per 1M tokens
+};
+// ============================================================================
+// Batching Configuration
+// ============================================================================
+/**
+ * Number of files to include in each API call (Phase 2 optimization)
+ * Batching multiple files reduces API overhead and leverages prompt caching better
+ */
+exports.FILES_PER_API_BATCH = 8;
+/**
+ * Number of API batches to process in parallel (Phase 3 optimization)
+ * Higher values = faster scans but more API load
+ * OpenAI/GPT-5-mini handles this well
+ */
+exports.PARALLEL_API_BATCHES = 6;
+//# sourceMappingURL=clients.js.map

package/dist/validate/clients.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clients.js","sourceRoot":"","sources":["../../src/validate/clients.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;AAYH,gDAMC;AAYD,0CASC;AArCD,4DAAyC;AACzC,oDAA2B;AAE3B,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,kBAAkB;IAChC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;IACtE,CAAC;IACD,OAAO,IAAI,aAAS,CAAC,EAAE,MAAM,EAAE,CAAC,CAAA;AAClC,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,0CAA0C;AAC1C,IAAI,YAAY,GAAkB,IAAI,CAAA;AAEtC;;GAEG;AACH,SAAgB,eAAe;IAC7B,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;QACnE,CAAC;QACD,YAAY,GAAG,IAAI,gBAAM,CAAC,EAAE,MAAM,EAAE,CAAC,CAAA;IACvC,CAAC;IACD,OAAO,YAAY,CAAA;AACrB,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACU,QAAA,iBAAiB,GAAG;IAC/B,KAAK,EAAE,IAAI,EAAO,sBAAsB;IACxC,MAAM,EAAE,KAAK,EAAK,sCAAsC;IACxD,MAAM,EAAE,IAAI,EAAM,sBAAsB;CACzC,CAAA;AAED;;GAEG;AACU,QAAA,aAAa,GAAG;IAC3B,KAAK,EAAE,IAAI,EAAQ,sBAAsB;IACzC,UAAU,EAAE,IAAI,EAAG,iCAAiC;IACpD,SAAS,EAAE,IAAI,EAAI,sBAAsB;IACzC,MAAM,EAAE,IAAI,EAAO,sBAAsB;CAC1C,CAAA;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;GAGG;AACU,QAAA,mBAAmB,GAAG,CAAC,CAAA;AAEpC;;;;GAIG;AACU,QAAA,oBAAoB,GAAG,CAAC,CAAA"}

package/dist/validate/index.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * Layer 3: AI Semantic Analysis
+ *
+ * Uses Claude to perform deep security analysis including:
+ * - Taint analysis (data flow from sources to sinks)
+ * - Business logic flaw detection
+ * - Missing authorization checks
+ * - Cryptography validation
+ * - Data exposure detection
+ * - Framework-specific deep analysis
+ *
+ * Also provides high-context validation for Layer 1/2 findings.
+ */
+import type { Vulnerability, ScanFile } from '../shared/types';
+import type { ContextEngineResult } from '../model/taint-types';
+import type { AIValidationResult, Layer3Context } from './types';
+export type { ValidationStats, AIValidationResult, Layer3Context } from './types';
+export { applyAutoDismissRules } from '../score/auto-dismiss';
+/**
+ * Analyze a single file using AI for deep security analysis (Layer 3)
+ */
+export declare function analyzeWithAI(file: ScanFile, context?: Layer3Context): Promise<Vulnerability[]>;
+/**
+ * Batch analyze multiple files using AI (Layer 3)
+ * Processes files in batches to avoid rate limits
+ */
+export declare function batchAnalyzeWithAI(files: ScanFile[], context?: Layer3Context, maxConcurrent?: number): Promise<Vulnerability[]>;
+/**
+ * Validate Layer 1/2 findings using AI with HIGH-CONTEXT validation
+ *
+ * Key improvements over previous version:
+ * 1. Sends FULL FILE CONTENT (not just snippets) for better context
+ * 2. Includes PROJECT CONTEXT (auth patterns, data access, etc.)
+ * 3. Uses generalised rules from Section 3 of the security model
+ */
+export declare function validateFindingsWithAI(findings: Vulnerability[], files: ScanFile[], ceResult?: ContextEngineResult, onProgress?: (progress: {
+    filesProcessed: number;
+    totalFiles: number;
+    status: string;
+}) => void): Promise<AIValidationResult>;
+//# sourceMappingURL=index.d.ts.map

package/dist/validate/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/validate/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAC9D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAG/D,OAAO,KAAK,EAAmB,kBAAkB,EAAE,aAAa,EAAa,MAAM,SAAS,CAAA;AAS5F,YAAY,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AACjF,OAAO,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAM7D;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,QAAQ,EACd,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,aAAa,EAAE,CAAC,CA+D1B;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,QAAQ,EAAE,EACjB,OAAO,CAAC,EAAE,aAAa,EACvB,aAAa,GAAE,MAAU,GACxB,OAAO,CAAC,aAAa,EAAE,CAAC,CAqB1B;AAMD;;;;;;;GAOG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,EACjB,QAAQ,CAAC,EAAE,mBAAmB,EAC9B,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,KAAK,IAAI,GAC9F,OAAO,CAAC,kBAAkB,CAAC,CAiB7B"}

package/dist/validate/index.js ADDED Viewed

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * Layer 3: AI Semantic Analysis
+ *
+ * Uses Claude to perform deep security analysis including:
+ * - Taint analysis (data flow from sources to sinks)
+ * - Business logic flaw detection
+ * - Missing authorization checks
+ * - Cryptography validation
+ * - Data exposure detection
+ * - Framework-specific deep analysis
+ *
+ * Also provides high-context validation for Layer 1/2 findings.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyAutoDismissRules = void 0;
+exports.analyzeWithAI = analyzeWithAI;
+exports.batchAnalyzeWithAI = batchAnalyzeWithAI;
+exports.validateFindingsWithAI = validateFindingsWithAI;
+const types_1 = require("./types");
+const clients_1 = require("./clients");
+const response_parser_1 = require("./utils/response-parser");
+const semantic_analysis_1 = require("./prompts/semantic-analysis");
+const openai_1 = require("./providers/openai");
+const anthropic_1 = require("./providers/anthropic");
+var auto_dismiss_1 = require("../score/auto-dismiss");
+Object.defineProperty(exports, "applyAutoDismissRules", { enumerable: true, get: function () { return auto_dismiss_1.applyAutoDismissRules; } });
+// ============================================================================
+// Layer 3: Deep AI Analysis
+// ============================================================================
+/**
+ * Analyze a single file using AI for deep security analysis (Layer 3)
+ */
+async function analyzeWithAI(file, context) {
+    const client = (0, clients_1.getAnthropicClient)();
+    // Prepare the code with line numbers for reference
+    const numberedCode = file.content
+        .split('\n')
+        .map((line, i) => `${i + 1}: ${line}`)
+        .join('\n');
+    // Build auth context for the prompt
+    const authContext = (0, semantic_analysis_1.buildAuthContextForPrompt)(context);
+    const userMessage = `Analyze this ${file.language} file for security vulnerabilities:
+File: ${file.path}${authContext}
+\`\`\`${file.language}
+${numberedCode}
+\`\`\`
+Return ONLY a JSON array of findings.`;
+    try {
+        const response = await client.messages.create({
+            model: 'claude-3-5-haiku-20241022',
+            max_tokens: 4096,
+            system: semantic_analysis_1.SECURITY_ANALYSIS_PROMPT,
+            messages: [
+                {
+                    role: 'user',
+                    content: userMessage,
+                },
+            ],
+        });
+        // Extract text content from response
+        const textContent = response.content.find((block) => block.type === 'text');
+        if (!textContent || textContent.type !== 'text') {
+            console.error('No text content in AI response');
+            return [];
+        }
+        // Parse the JSON response
+        const findings = (0, response_parser_1.parseAIResponse)(textContent.text);
+        // Convert to Vulnerability format
+        return findings.map((finding, index) => ({
+            id: `ai-${file.path}-${finding.lineNumber}-${index}`,
+            filePath: file.path,
+            lineNumber: finding.lineNumber,
+            lineContent: (0, response_parser_1.getLineContent)(file.content, finding.lineNumber),
+            severity: finding.severity,
+            category: finding.category,
+            title: finding.title,
+            description: finding.description,
+            suggestedFix: finding.suggestedFix,
+            confidence: 'high',
+            layer: 3,
+        }));
+    }
+    catch (error) {
+        console.error('AI analysis error:', error);
+        return [];
+    }
+}
+/**
+ * Batch analyze multiple files using AI (Layer 3)
+ * Processes files in batches to avoid rate limits
+ */
+async function batchAnalyzeWithAI(files, context, maxConcurrent = 3) {
+    const vulnerabilities = [];
+    // Process files in batches to avoid rate limits
+    for (let i = 0; i < files.length; i += maxConcurrent) {
+        const batch = files.slice(i, i + maxConcurrent);
+        const results = await Promise.all(batch.map(file => analyzeWithAI(file, context).catch(err => {
+            console.error(`AI analysis failed for ${file.path}:`, err);
+            return [];
+        })));
+        vulnerabilities.push(...results.flat());
+        // Small delay between batches to avoid rate limits
+        if (i + maxConcurrent < files.length) {
+            await new Promise(resolve => setTimeout(resolve, 500));
+        }
+    }
+    return vulnerabilities;
+}
+// ============================================================================
+// Layer 2.5: High-Context Validation
+// ============================================================================
+/**
+ * Validate Layer 1/2 findings using AI with HIGH-CONTEXT validation
+ *
+ * Key improvements over previous version:
+ * 1. Sends FULL FILE CONTENT (not just snippets) for better context
+ * 2. Includes PROJECT CONTEXT (auth patterns, data access, etc.)
+ * 3. Uses generalised rules from Section 3 of the security model
+ */
+async function validateFindingsWithAI(findings, files, ceResult, onProgress) {
+    // Initialize stats tracking
+    const stats = (0, types_1.createInitialStats)(findings.length);
+    if (findings.length === 0) {
+        return { vulnerabilities: [], stats };
+    }
+    // Check for provider override (GPT-5-mini is default for 47% cost savings)
+    const aiProvider = process.env.AI_PROVIDER || 'openai';
+    if (aiProvider === 'anthropic') {
+        console.log('[AI Validation] Using Anthropic provider (Claude 3.5 Haiku)');
+        return (0, anthropic_1.validateWithAnthropic)(findings, files, ceResult, stats, onProgress);
+    }
+    else {
+        console.log('[AI Validation] Using OpenAI provider (GPT-5-mini)');
+        return (0, openai_1.validateWithOpenAI)(findings, files, ceResult, stats);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/validate/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/validate/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAyBH,sCAkEC;AAMD,gDAyBC;AAcD,wDAsBC;AAvJD,mCAA4C;AAC5C,uCAA8C;AAC9C,6DAA6G;AAC7G,mEAAiG;AACjG,+CAAuD;AACvD,qDAA6D;AAI7D,sDAA6D;AAApD,qHAAA,qBAAqB,OAAA;AAE9B,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;GAEG;AACI,KAAK,UAAU,aAAa,CACjC,IAAc,EACd,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAA,4BAAkB,GAAE,CAAA;IAEnC,mDAAmD;IACnD,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO;SAC9B,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;SACrC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEb,oCAAoC;IACpC,MAAM,WAAW,GAAG,IAAA,6CAAyB,EAAC,OAAO,CAAC,CAAA;IAEtD,MAAM,WAAW,GAAG,gBAAgB,IAAI,CAAC,QAAQ;;QAE3C,IAAI,CAAC,IAAI,GAAG,WAAW;;QAEvB,IAAI,CAAC,QAAQ;EACnB,YAAY;;;sCAGwB,CAAA;IAEpC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC5C,KAAK,EAAE,2BAA2B;YAClC,UAAU,EAAE,IAAI;YAChB,MAAM,EAAE,4CAAwB;YAChC,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,WAAW;iBACrB;aACF;SACF,CAAC,CAAA;QAEF,qCAAqC;QACrC,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAuB,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC,CAAA;QAC7F,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAChD,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAA;YAC/C,OAAO,EAAE,CAAA;QACX,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,IAAA,iCAAe,EAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAElD,kCAAkC;QAClC,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;YACvC,EAAE,EAAE,MAAM,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,UAAU,IAAI,KAAK,EAAE;YACpD,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,WAAW,EAAE,IAAA,gCAAc,EAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC;YAC7D,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,UAAU,EAAE,MAAe;YAC3B,KAAK,EAAE,CAAU;SAClB,CAAC,CAAC,CAAA;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAA;QAC1C,OAAO,EAAE,CAAA;IACX,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,kBAAkB,CACtC,KAAiB,EACjB,OAAuB,EACvB,gBAAwB,CAAC;IAEzB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,gDAAgD;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,aAAa,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,CAAA;QAC/C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;YACzD,OAAO,CAAC,KAAK,CAAC,0BAA0B,IAAI,CAAC,IAAI,GAAG,EAAE,GAAG,CAAC,CAAA;YAC1D,OAAO,EAAE,CAAA;QACX,CAAC,CAAC,CAAC,CACJ,CAAA;QACD,eAAe,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAEvC,mDAAmD;QACnD,IAAI,CAAC,GAAG,aAAa,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YACrC,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAA;QACxD,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E;;;;;;;GAOG;AACI,KAAK,UAAU,sBAAsB,CAC1C,QAAyB,EACzB,KAAiB,EACjB,QAA8B,EAC9B,UAA+F;IAE/F,4BAA4B;IAC5B,MAAM,KAAK,GAAoB,IAAA,0BAAkB,EAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAElE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE,KAAK,EAAE,CAAA;IACvC,CAAC;IAED,2EAA2E;IAC3E,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,QAAQ,CAAA;IACtD,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAA;QAC1E,OAAO,IAAA,iCAAqB,EAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,CAAC,CAAA;IAC5E,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAA;QACjE,OAAO,IAAA,2BAAkB,EAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAA;IAC7D,CAAC;AACH,CAAC"}

package/dist/validate/prompts/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * Prompts Index
+ *
+ * Re-exports all prompt templates and helpers.
+ */
+export { SECURITY_ANALYSIS_PROMPT, buildAuthContextForPrompt, } from './semantic-analysis';
+export { HIGH_CONTEXT_VALIDATION_PROMPT, assembleValidationPrompt, getFullValidationPrompt, } from './validation';
+//# sourceMappingURL=index.d.ts.map

package/dist/validate/prompts/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/validate/prompts/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,wBAAwB,EACxB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EACL,8BAA8B,EAC9B,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,cAAc,CAAA"}

package/dist/validate/prompts/index.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+/**
+ * Prompts Index
+ *
+ * Re-exports all prompt templates and helpers.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getFullValidationPrompt = exports.assembleValidationPrompt = exports.HIGH_CONTEXT_VALIDATION_PROMPT = exports.buildAuthContextForPrompt = exports.SECURITY_ANALYSIS_PROMPT = void 0;
+var semantic_analysis_1 = require("./semantic-analysis");
+Object.defineProperty(exports, "SECURITY_ANALYSIS_PROMPT", { enumerable: true, get: function () { return semantic_analysis_1.SECURITY_ANALYSIS_PROMPT; } });
+Object.defineProperty(exports, "buildAuthContextForPrompt", { enumerable: true, get: function () { return semantic_analysis_1.buildAuthContextForPrompt; } });
+var validation_1 = require("./validation");
+Object.defineProperty(exports, "HIGH_CONTEXT_VALIDATION_PROMPT", { enumerable: true, get: function () { return validation_1.HIGH_CONTEXT_VALIDATION_PROMPT; } });
+Object.defineProperty(exports, "assembleValidationPrompt", { enumerable: true, get: function () { return validation_1.assembleValidationPrompt; } });
+Object.defineProperty(exports, "getFullValidationPrompt", { enumerable: true, get: function () { return validation_1.getFullValidationPrompt; } });
+//# sourceMappingURL=index.js.map

package/dist/validate/prompts/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/validate/prompts/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,yDAG4B;AAF1B,6HAAA,wBAAwB,OAAA;AACxB,8HAAA,yBAAyB,OAAA;AAG3B,2CAIqB;AAHnB,4HAAA,8BAA8B,OAAA;AAC9B,sHAAA,wBAAwB,OAAA;AACxB,qHAAA,uBAAuB,OAAA"}

package/dist/validate/prompts/modules/ai-patterns.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * AI Patterns Module
+ *
+ * Categories: ai_pattern, ai_prompt_injection, ai_unsafe_execution,
+ *             ai_overpermissive_tool, suspicious_package, ai_rag_exfiltration,
+ *             ai_endpoint_unprotected, ai_schema_mismatch, ai_package_hallucination,
+ *             ai_rag_corpus_poisoning, ai_rag_pii_leakage, ai_mcp_tool_poisoning,
+ *             ai_mcp_credential_issue, ai_mcp_confused_deputy,
+ *             ai_mcp_description_injection, ai_mcp_server_shadowing,
+ *             ai_mcp_config_secrets, ai_mcp_config_permissions,
+ *             ai_rag_query_injection, ai_rag_embedding_poisoning,
+ *             ai_rag_chunk_injection, ai_package_typosquat, ai_package_malicious,
+ *             ai_unsafe_model_load, ai_unverified_model, ai_unsafe_finetuning,
+ *             ai_excessive_agency
+ *
+ * Contains AI/LLM-specific patterns that require semantic AI reasoning.
+ */
+export declare const AI_PATTERNS_MODULE = "\n### AI/LLM-Specific Patterns\n\n**Prompt Injection (ai_prompt_injection):**\n- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)\n- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)\n- Static prompts with no user interpolation -> **REJECT** (false positive)\n- Prompt templates using proper parameterization/placeholders -> **REJECT**\n\n**LLM Output Execution (ai_unsafe_execution):**\n- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)\n- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)\n- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)\n- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)\n- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)\n- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)\n\n**Agent Tool Permissions (ai_overpermissive_tool):**\n- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)\n- Tool without user context verification -> **MEDIUM** (missing authorization)\n- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**\n- Test files with tool definitions -> **INFO** or **REJECT**\n\n**Hallucinated Dependencies (suspicious_package):**\n- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)\n- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**\n- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)\n- Known legitimate package with unusual name (in allowlist) -> **REJECT**\n\n**CRITICAL AI PATTERN RULES**:\n- AI code generation often produces non-existent package names - flag these prominently\n- Prompt injection is NOT the same as XSS - different threat model and severity\n- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk\n- Agent tools need both access restrictions AND user context verification\n\n### RAG Data Exfiltration (ai_rag_exfiltration)\nRetrieval Augmented Generation systems can leak sensitive data across tenant boundaries.\n\n**Unscoped Retrieval Queries:**\n- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)\n  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter\n  - LangChain retriever.invoke() without metadata filter\n  - Pinecone/Chroma/Weaviate query without namespace or metadata filter\n- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)\n- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)\n\n**Raw Context Exposure:**\n- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)\n- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)\n- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)\n- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**\n\n**Context Logging:**\n- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)\n- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)\n- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)\n\n**CRITICAL RAG RULES**:\n- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping\n- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH\n- Debug logging is INFO severity - it's not a direct vulnerability\n- If RLS or middleware protection is visible, downgrade significantly\n\n### AI Endpoint Protection (ai_endpoint_unprotected)\nAI/LLM API endpoints can incur significant costs and enable data exfiltration.\n\n**No Authentication + No Rate Limiting -> HIGH:**\n- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit\n- Anyone on the internet can abuse the endpoint and run up API costs\n- Potential for prompt exfiltration or model abuse\n\n**Has Rate Limiting but No Authentication -> MEDIUM:**\n- Rate limit provides some protection against abuse\n- Still allows anonymous access to AI functionality\n- Suggest adding authentication\n\n**Has Authentication but No Rate Limiting -> LOW:**\n- Authenticated users could still abuse the endpoint\n- Suggest adding rate limiting for cost control\n- severity: low (suggest improvement)\n\n**Has Both Auth and Rate Limiting -> INFO/REJECT:**\n- Properly protected endpoint\n- REJECT if both are clearly present\n- INFO if you want to note the good pattern\n\n**BYOK (Bring Your Own Key) Endpoints:**\n- If user provides their own API key, risk is LOWER\n- User pays for their own usage - cost abuse is their problem\n- Downgrade severity by one level for BYOK patterns\n\n**Protected by Middleware:**\n- If project context shows auth middleware protecting the route, downgrade to INFO\n- Internal/admin routes should be INFO or REJECT\n\n**CRITICAL ENDPOINT RULES**:\n- Cost abuse is real - unprotected AI endpoints can bankrupt a startup\n- Rate limiting alone isn't enough - need auth to prevent anonymous abuse\n- BYOK endpoints have lower risk since user bears the cost\n- Check for middleware protection before flagging\n\n### Schema/Tooling Mismatch (ai_schema_mismatch)\nAI-generated structured outputs need validation before use in security-sensitive contexts.\n\n**Unvalidated AI Output Parsing:**\n- JSON.parse(response.content) without schema validation -> **MEDIUM**\n  - AI may return malformed or unexpected structures\n  - Suggest zod/ajv/joi validation\n- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**\n  - Direct path to code/SQL injection\n- AI output to DISPLAY only (console.log, UI render) -> **REJECT**\n  - Not a security issue for display purposes\n- OpenAI Structured Outputs (json_schema in request) -> **REJECT**\n  - API-level validation provides guarantees\n\n**Weak Schema Patterns:**\n- response: any at API boundary -> **MEDIUM** (no type safety)\n- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)\n- z.passthrough() -> **INFO** (allows extra properties, minor concern)\n- Specific schema defined and used -> **REJECT** (properly validated)\n\n**Tool Parameter Validation:**\n- Tool parameter -> file path without validation -> **HIGH** (path traversal)\n- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)\n- Tool parameter -> URL without validation -> **HIGH** (SSRF)\n- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)\n- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)\n\n**CRITICAL SCHEMA RULES**:\n- The severity depends on WHERE the AI output is used, not just that it's parsed\n- Execution sinks (eval, exec, query, fs) need HIGH severity without validation\n- Display-only usage is NOT a security issue\n- Schema validation (zod, ajv, joi) significantly reduces risk\n- OpenAI Structured Outputs provide API-level guarantees\n";
+//# sourceMappingURL=ai-patterns.d.ts.map

package/dist/validate/prompts/modules/ai-patterns.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"ai-patterns.d.ts","sourceRoot":"","sources":["../../../../src/validate/prompts/modules/ai-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,eAAO,MAAM,kBAAkB,2+NAsI9B,CAAA"}