@oculum/scanner 1.0.11 → 1.0.13

package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap

@@ -3,6 +3,7 @@
 exports[`Refactor Safety - dangerous-functions.ts Deserialization detection should detect pickle.loads (Python) 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Unsafe deserialization can lead to remote code execution",
@@ -12,6 +13,7 @@ Array [
     "lineContent": "data = pickle.loads(user_data)",
     "lineNumber": 2,
     "severity": "critical",
+    "source": "structural",
     "suggestedFix": "Use safe loaders (yaml.safe_load) or validate input before deserializing",
     "title": "Unsafe deserialization",
   },
@@ -23,6 +25,7 @@ exports[`Refactor Safety - dangerous-functions.ts Deserialization detection shou
 exports[`Refactor Safety - dangerous-functions.ts File path detection should detect dynamic file path in API handlers 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Dynamic file paths can lead to path traversal attacks",
@@ -32,6 +35,7 @@ Array [
     "lineContent": "const file = fs.readFileSync(req.params.filename);",
     "lineNumber": 2,
     "severity": "medium",
+    "source": "structural",
     "suggestedFix": "Validate and sanitize file paths, use path.resolve with a base directory",
     "title": "Dynamic file path",
   },
@@ -41,6 +45,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts File path detection should detect path traversal risk 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "User input in file paths can lead to path traversal attacks",
@@ -50,6 +55,7 @@ Array [
     "lineContent": "const fullPath = path.join(uploadDir, req.query.path);",
     "lineNumber": 2,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Validate paths and ensure they stay within allowed directories",
     "title": "Path traversal risk",
   },
@@ -59,6 +65,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts File path detection should detect path traversal with sanitization as lower severity 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "low",
     "description": "Dynamic file path with path traversal protection detected. Verify the protection is complete and covers all attack vectors.",
@@ -68,6 +75,7 @@ Array [
     "lineContent": "fs.readFileSync(fullPath);",
     "lineNumber": 5,
     "severity": "info",
+    "source": "structural",
     "suggestedFix": "Ensure path normalization and base directory checks are applied consistently.",
     "title": "Dynamic file path (protected)",
   },
@@ -77,6 +85,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts File path detection should skip dynamic paths in CLI tools 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "low",
     "description": "Dynamic file path in CLI tool. CLI tools typically have trusted operators, but consider adding path validation if user input is involved.",
@@ -86,6 +95,7 @@ Array [
     "lineContent": "const content = fs.readFileSync(filePath);",
     "lineNumber": 2,
     "severity": "info",
+    "source": "structural",
     "suggestedFix": "Add path validation if accepting paths from untrusted sources.",
     "title": "Dynamic file path (CLI tool)",
   },
@@ -109,6 +119,7 @@ exports[`Refactor Safety - dangerous-functions.ts LLM prompt context detection s
 exports[`Refactor Safety - dangerous-functions.ts Math.random detection should classify Math.random for UI IDs as info 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "low",
     "description": "Math.random() generating short UI identifier (7-char string). Acceptable for React keys, temp IDs.",
@@ -118,6 +129,7 @@ Array [
     "lineContent": "const key = Math.random().toString(36).substring(2, 9);",
     "lineNumber": 2,
     "severity": "info",
+    "source": "structural",
     "suggestedFix": "For security tokens, use crypto.randomBytes(). For unique IDs, crypto.randomUUID().",
     "title": "Math.random() in UI identifier generation (7-char string)",
   },
@@ -127,6 +139,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts Math.random detection should classify business IDs as low severity 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "low",
     "description": "Math.random() generating business identifier (variable: orderId). Verify this is not used for security purposes.",
@@ -136,6 +149,7 @@ Array [
     "lineContent": "const orderId = 'ORD-' + Math.random().toString(36).substring(2, 12);",
     "lineNumber": 2,
     "severity": "low",
+    "source": "structural",
     "suggestedFix": "For business IDs, crypto.randomUUID() is preferred. For security tokens, use crypto.randomBytes().",
     "title": "Math.random() in non-security usage (variable: orderId)",
   },
@@ -145,6 +159,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts Math.random detection should detect Math.random for security tokens as high 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Math.random() is being used in a security-sensitive context. This is NOT cryptographically secure and should be replaced.",
@@ -154,6 +169,7 @@ Array [
     "lineContent": "return Math.random().toString(36);",
     "lineNumber": 3,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Use crypto.randomBytes() for Node.js or crypto.getRandomValues() for browsers.",
     "title": "Math.random() in security-sensitive function",
   },
@@ -163,6 +179,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts Math.random detection should detect Math.random in security context as high 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Math.random() assigned to security-sensitive variable 'secret'. Math.random() is NOT cryptographically secure.",
@@ -172,6 +189,7 @@ Array [
     "lineContent": "const secret = Math.random().toString(36).substring(2);",
     "lineNumber": 2,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive values.",
     "title": "Math.random() in security-sensitive variable",
   },
@@ -185,6 +203,7 @@ exports[`Refactor Safety - dangerous-functions.ts Math.random detection should s
 exports[`Refactor Safety - dangerous-functions.ts Prototype pollution detection should detect Object.assign with user input 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Object.assign with user input can lead to prototype pollution",
@@ -194,6 +213,7 @@ Array [
     "lineContent": "const merged = Object.assign({}, req.body);",
     "lineNumber": 2,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Validate and sanitize input, or use a safe merge function",
     "title": "Object.assign with user input",
   },
@@ -203,6 +223,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts Prototype pollution detection should detect spread operator with user input 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Spreading user input can lead to mass assignment vulnerabilities",
@@ -212,6 +233,7 @@ Array [
     "lineContent": "const user = { ...req.body, createdAt: new Date() };",
     "lineNumber": 2,
     "severity": "medium",
+    "source": "structural",
     "suggestedFix": "Explicitly pick allowed properties instead of spreading all input",
     "title": "Spread operator with user input",
   },
@@ -221,6 +243,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts Regex DoS detection should detect dynamic regex construction 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Dynamic regex construction can lead to ReDoS attacks",
@@ -230,6 +253,7 @@ Array [
     "lineContent": "const pattern = new RegExp(userPattern);",
     "lineNumber": 2,
     "severity": "medium",
+    "source": "structural",
     "suggestedFix": "Validate regex patterns and consider using safe-regex library",
     "title": "Potentially unsafe regex",
   },
@@ -243,6 +267,7 @@ exports[`Refactor Safety - dangerous-functions.ts SQL injection detection should
 exports[`Refactor Safety - dangerous-functions.ts SQL injection detection should detect raw SQL with template literal 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Template literals in SQL queries can lead to SQL injection",
@@ -252,6 +277,7 @@ Array [
     "lineContent": "const query = \`SELECT * FROM users WHERE id = \${userId}\`;",
     "lineNumber": 2,
     "severity": "critical",
+    "source": "structural",
     "suggestedFix": "Use parameterized queries with placeholders (?, $1, etc.)",
     "title": "SQL template literal",
   },
@@ -263,6 +289,7 @@ exports[`Refactor Safety - dangerous-functions.ts Static bootstrap script detect
 exports[`Refactor Safety - dangerous-functions.ts Test file handling should downgrade severity in test files 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "low",
     "description": "Direct innerHTML assignment can lead to XSS vulnerabilities This appears to use dynamic content which increases XSS risk. (in test file)",
@@ -273,6 +300,7 @@ Array [
     "lineNumber": 3,
     "requiresAIValidation": true,
     "severity": "low",
+    "source": "structural",
     "suggestedFix": "Use textContent for text, or sanitize HTML with DOMPurify",
     "title": "innerHTML assignment",
   },
@@ -286,6 +314,7 @@ exports[`Refactor Safety - dangerous-functions.ts child_process detection should
 exports[`Refactor Safety - dangerous-functions.ts child_process detection should detect exec with user input 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Shell command execution can lead to command injection",
@@ -295,6 +324,7 @@ Array [
     "lineContent": "exec(\`ls \${userInput}\`, callback);",
     "lineNumber": 3,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Validate and sanitize all inputs, prefer execFile over exec",
     "title": "child_process exec",
   },
@@ -306,6 +336,7 @@ exports[`Refactor Safety - dangerous-functions.ts child_process detection should
 exports[`Refactor Safety - dangerous-functions.ts child_process detection should detect spawn with dynamic args 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Shell command execution can lead to command injection",
@@ -315,6 +346,7 @@ Array [
     "lineContent": "spawn('node', [userInput]);",
     "lineNumber": 3,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Validate and sanitize all inputs, prefer execFile over exec",
     "title": "child_process exec",
   },
@@ -324,6 +356,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts eval/Function detection should detect Function constructor 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Function constructor can execute arbitrary code like eval()",
@@ -334,10 +367,12 @@ Array [
     "lineNumber": 2,
     "requiresAIValidation": true,
     "severity": "critical",
+    "source": "structural",
     "suggestedFix": "Refactor to use static functions or safe alternatives",
     "title": "Function constructor",
   },
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Function constructor can execute arbitrary code like eval()",
@@ -348,6 +383,7 @@ Array [
     "lineNumber": 3,
     "requiresAIValidation": true,
     "severity": "critical",
+    "source": "structural",
     "suggestedFix": "Refactor to use static functions or safe alternatives",
     "title": "Function constructor",
   },
@@ -357,6 +393,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts eval/Function detection should detect eval() usage 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "eval() executes arbitrary code and is a major security risk",
@@ -367,6 +404,7 @@ Array [
     "lineNumber": 2,
     "requiresAIValidation": true,
     "severity": "critical",
+    "source": "structural",
     "suggestedFix": "Use JSON.parse() for JSON data, or refactor to avoid dynamic code execution",
     "title": "eval() usage",
   },
@@ -376,6 +414,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts eval/Function detection should detect setTimeout/setInterval with string 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "setTimeout/setInterval with string argument acts like eval()",
@@ -385,10 +424,12 @@ Array [
     "lineContent": "setTimeout('alert(\\"hello\\")', 1000);",
     "lineNumber": 2,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Pass a function reference instead of a string",
     "title": "setTimeout/setInterval with string",
   },
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "setTimeout/setInterval with string argument acts like eval()",
@@ -398,6 +439,7 @@ Array [
     "lineContent": "setInterval('console.log(\\"tick\\")', 500);",
     "lineNumber": 3,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Pass a function reference instead of a string",
     "title": "setTimeout/setInterval with string",
   },
@@ -407,6 +449,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts innerHTML/XSS detection should detect dangerouslySetInnerHTML 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "dangerouslySetInnerHTML can lead to XSS if content is not sanitized This appears to use dynamic content which increases XSS risk.",
@@ -417,6 +460,7 @@ Array [
     "lineNumber": 2,
     "requiresAIValidation": true,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Sanitize HTML content with DOMPurify before rendering",
     "title": "dangerouslySetInnerHTML",
   },
@@ -426,6 +470,7 @@ Array [
 exports[`Refactor Safety - dangerous-functions.ts innerHTML/XSS detection should detect document.write 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "document.write can introduce XSS vulnerabilities",
@@ -435,6 +480,7 @@ Array [
     "lineContent": "document.write('<script>alert(1)</script>');",
     "lineNumber": 2,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Use DOM manipulation methods instead",
     "title": "document.write",
   },
@@ -446,6 +492,7 @@ exports[`Refactor Safety - dangerous-functions.ts innerHTML/XSS detection should
 exports[`Refactor Safety - dangerous-functions.ts innerHTML/XSS detection should detect innerHTML with dynamic content 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Direct innerHTML assignment can lead to XSS vulnerabilities This appears to use dynamic content which increases XSS risk.",
@@ -456,10 +503,12 @@ Array [
     "lineNumber": 2,
     "requiresAIValidation": true,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Use textContent for text, or sanitize HTML with DOMPurify",
     "title": "innerHTML assignment",
   },
   Object {
+    "baseConfidence": 0.4,
     "category": "dangerous_function",
     "confidence": "high",
     "description": "Direct innerHTML assignment can lead to XSS vulnerabilities This appears to use dynamic content which increases XSS risk.",
@@ -470,6 +519,7 @@ Array [
     "lineNumber": 3,
     "requiresAIValidation": true,
     "severity": "high",
+    "source": "structural",
     "suggestedFix": "Use textContent for text, or sanitize HTML with DOMPurify",
     "title": "innerHTML assignment",
   },
@@ -487,6 +537,7 @@ exports[`Refactor Safety - dangerous-functions.ts request.json() validation dete
 exports[`Refactor Safety - dangerous-functions.ts request.json() validation detection should suggest schema validation for request.json() 1`] = `
 Array [
   Object {
+    "baseConfidence": 0.35,
     "category": "dangerous_function",
     "confidence": "low",
     "description": "API endpoint parses request body without visible schema validation. Consider validating the shape of incoming data.",
@@ -496,6 +547,7 @@ Array [
     "lineContent": "const body = await request.json();",
     "lineNumber": 3,
     "severity": "info",
+    "source": "structural",
     "suggestedFix": "Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);",
     "title": "Request body without schema validation",
   },

package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap

@@ -108,13 +108,13 @@ Array [
 exports[`Scan Depth Snapshots Mixed Severity - Multiple Issue Types full scan should detect all issues 1`] = `
 Array [
   Object {
-    "category": "insecure_config",
-    "confidence": "medium",
+    "category": "missing_security_headers",
+    "confidence": "high",
     "layer": 2,
     "lineContent": "const app = express()",
     "lineNumber": 4,
     "severity": "medium",
-    "title": "[express] Express without helmet",
+    "title": "Express app without helmet security headers",
   },
   Object {
     "category": "ai_pattern",
@@ -161,15 +161,6 @@ Array [
     "severity": "high",
     "title": "innerHTML assignment",
   },
-  Object {
-    "category": "ai_pattern",
-    "confidence": "low",
-    "layer": 2,
-    "lineContent": "console.log('Debug:', sensitiveData)",
-    "lineNumber": 19,
-    "severity": "info",
-    "title": "[AI Pattern] AI console.log debugging",
-  },
 ]
 `;
 

package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts

@@ -7,8 +7,8 @@
  * DO NOT modify these tests unless intentionally changing validation behavior.
  */
 
-import { applyAutoDismissRules } from '../../layer3/anthropic'
-import type { Vulnerability, VulnerabilityCategory, VulnerabilitySeverity } from '../../types'
+import { applyAutoDismissRules } from '../../validate'
+import type { Vulnerability, VulnerabilityCategory, VulnerabilitySeverity } from '../../shared/types'
 
 // Helper to create test findings
 function createFinding(overrides: Partial<Vulnerability> = {}): Vulnerability {
@@ -217,7 +217,7 @@ describe('Refactor Safety - anthropic.ts Auto-Dismiss Rules', () => {
       expect(result).toMatchSnapshot()
     })
 
-    it('should NOT auto-dismiss info severity for AI-assisted tier', () => {
+    it('should auto-dismiss info severity ai_pattern findings (code quality, not security)', () => {
       const findings = [
         createFinding({
           severity: 'info',

package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts

@@ -7,7 +7,7 @@
  * DO NOT modify these tests unless intentionally changing detection behavior.
  */
 
-import { detectDangerousFunctions } from '../../layer2/dangerous-functions'
+import { detectDangerousFunctions } from '../../detect/structural/dangerous-functions'
 
 describe('Refactor Safety - dangerous-functions.ts', () => {
   describe('eval/Function detection', () => {

package/src/__tests__/snapshots/scan-depth.test.ts

@@ -8,9 +8,9 @@
  * Update snapshots: npx jest --updateSnapshot
  */
 
-import { runLayer1Scan } from '../../layer1'
-import { runLayer2Scan } from '../../layer2'
-import type { ScanFile, Vulnerability } from '../../types'
+import { runLayer1Scan } from '../../detect/secrets'
+import { runLayer2Scan } from '../../detect/structural'
+import type { ScanFile, Vulnerability } from '../../shared/types'
 
 // Helper to normalize vulnerability output for snapshot comparison
 // Removes volatile fields like timestamps and IDs

package/src/__tests__/validate/route-annotations.test.ts

@@ -0,0 +1,138 @@
+import { buildFindingRouteAnnotation, buildFileRouteSummary } from '../../validate/request-builder'
+import type { RouteMap, RouteDefinition } from '../../model/route-discovery'
+import type { Vulnerability } from '../../shared/types'
+
+function makeRoute(overrides: Partial<RouteDefinition> = {}): RouteDefinition {
+  return {
+    filePath: 'src/api/users.ts',
+    methods: ['GET'],
+    path: '/api/users',
+    handler: 'getUsers',
+    handlerLine: 5,
+    framework: 'express',
+    authMiddleware: [],
+    rateLimiting: false,
+    isPublic: false,
+    inputs: [],
+    ...overrides,
+  }
+}
+
+function makeFinding(overrides: Partial<Vulnerability> = {}): Vulnerability {
+  return {
+    id: 'test-1',
+    filePath: 'src/api/users.ts',
+    lineNumber: 10,
+    lineContent: 'const data = req.body',
+    severity: 'medium',
+    category: 'missing_auth',
+    title: 'Missing auth',
+    description: 'No auth check',
+    confidence: 'medium',
+    layer: 2,
+    ...overrides,
+  }
+}
+
+function makeRouteMap(routes: RouteDefinition[]): RouteMap {
+  const fileToRoutes = new Map<string, RouteDefinition[]>()
+  for (const r of routes) {
+    const existing = fileToRoutes.get(r.filePath) || []
+    existing.push(r)
+    fileToRoutes.set(r.filePath, existing)
+  }
+  return { routes, fileToRoutes }
+}
+
+describe('Route Annotations', () => {
+  describe('buildFindingRouteAnnotation', () => {
+    it('returns route context for matching file', () => {
+      const route = makeRoute({ authMiddleware: ['authGuard'] })
+      const routeMap = makeRouteMap([route])
+      const finding = makeFinding()
+      const annotation = buildFindingRouteAnnotation(finding, 'src/api/users.ts', routeMap)
+
+      expect(annotation).toContain('Route Context')
+      expect(annotation).toContain('express')
+      expect(annotation).toContain('/api/users')
+      expect(annotation).toContain('authGuard')
+    })
+
+    it('shows NONE for missing auth', () => {
+      const route = makeRoute()
+      const routeMap = makeRouteMap([route])
+      const finding = makeFinding()
+      const annotation = buildFindingRouteAnnotation(finding, 'src/api/users.ts', routeMap)
+
+      expect(annotation).toContain('Auth middleware: NONE')
+    })
+
+    it('returns empty for non-route files', () => {
+      const routeMap = makeRouteMap([])
+      const finding = makeFinding({ filePath: 'src/utils.ts' })
+      const annotation = buildFindingRouteAnnotation(finding, 'src/utils.ts', routeMap)
+
+      expect(annotation).toBe('')
+    })
+
+    it('selects closest route to finding line', () => {
+      const route1 = makeRoute({ handlerLine: 5, path: '/api/users' })
+      const route2 = makeRoute({ handlerLine: 20, path: '/api/items' })
+      const routeMap = makeRouteMap([route1, route2])
+      const finding = makeFinding({ lineNumber: 25 })
+      const annotation = buildFindingRouteAnnotation(finding, 'src/api/users.ts', routeMap)
+
+      expect(annotation).toContain('/api/items')
+    })
+
+    it('shows rate limiting status', () => {
+      const route = makeRoute({ rateLimiting: true })
+      const routeMap = makeRouteMap([route])
+      const finding = makeFinding()
+      const annotation = buildFindingRouteAnnotation(finding, 'src/api/users.ts', routeMap)
+
+      expect(annotation).toContain('Rate limiting: Yes')
+    })
+
+    it('shows public endpoint flag', () => {
+      const route = makeRoute({ isPublic: true })
+      const routeMap = makeRouteMap([route])
+      const finding = makeFinding()
+      const annotation = buildFindingRouteAnnotation(finding, 'src/api/users.ts', routeMap)
+
+      expect(annotation).toContain('Public endpoint: Yes')
+    })
+  })
+
+  describe('buildFileRouteSummary', () => {
+    it('returns route map summary', () => {
+      const routes = [
+        makeRoute({ methods: ['GET'], path: '/api/users', handlerLine: 5, authMiddleware: ['auth'] }),
+        makeRoute({ methods: ['POST'], path: '/api/users', handlerLine: 15 }),
+      ]
+      const routeMap = makeRouteMap(routes)
+      const summary = buildFileRouteSummary('src/api/users.ts', routeMap)
+
+      expect(summary).toContain('Route Map')
+      expect(summary).toContain('GET')
+      expect(summary).toContain('POST')
+      expect(summary).toContain('[auth: auth]')
+      expect(summary).toContain('[no auth]')
+    })
+
+    it('returns empty for non-route files', () => {
+      const routeMap = makeRouteMap([])
+      const summary = buildFileRouteSummary('src/utils.ts', routeMap)
+      expect(summary).toBe('')
+    })
+
+    it('shows rate limiting and public flags', () => {
+      const route = makeRoute({ rateLimiting: true, isPublic: true })
+      const routeMap = makeRouteMap([route])
+      const summary = buildFileRouteSummary('src/api/users.ts', routeMap)
+
+      expect(summary).toContain('[rate-limited]')
+      expect(summary).toContain('[public]')
+    })
+  })
+})

package/src/__tests__/validation/analyze-results.ts

@@ -12,7 +12,7 @@
 
 import * as fs from 'fs'
 import * as path from 'path'
-import type { ScanResult, Vulnerability, VulnerabilityCategory, VulnerabilitySeverity } from '../../types'
+import type { ScanResult, Vulnerability, VulnerabilityCategory, VulnerabilitySeverity } from '../../shared/types'
 
 const RESULTS_DIR = path.join(__dirname, '../../../validation-results')
 

package/src/__tests__/validation/extract-for-triage.ts

@@ -7,7 +7,7 @@
 
 import * as fs from 'fs'
 import * as path from 'path'
-import type { ScanResult, Vulnerability } from '../../types'
+import type { ScanResult, Vulnerability } from '../../shared/types'
 
 const RESULTS_DIR = path.join(__dirname, '../../../validation-results')
 const REPOS_DIR = path.join(__dirname, '../../../validation-repos')

package/src/__tests__/validation/fp-deep-analysis.ts

@@ -9,7 +9,7 @@
 
 import * as fs from 'fs'
 import * as path from 'path'
-import type { ScanResult, Vulnerability } from '../../types'
+import type { ScanResult, Vulnerability } from '../../shared/types'
 
 const RESULTS_DIR = path.join(__dirname, '../../../validation-results')
 const OUTPUT_PATH = path.join(__dirname, '../../../docs/FP_DEEP_ANALYSIS.md')