@oculum/scanner 1.0.11 → 1.0.13

package/src/{layer2 → detect/ai-code}/byok-patterns.ts

@@ -4,10 +4,14 @@
  * BYOK is often a feature, not a vulnerability - severity depends on context
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
-import { isComment, isTestOrMockFile, isExampleFile, isPlaceholderValue, isScannerOrFixtureFile } from '../utils/context-helpers'
-import { isRouteProtectedByMiddleware, getRoutePathFromFile, detectUserScopingPatterns } from '../utils/middleware-detector'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import type { MiddlewareAuthConfig } from '../../model/middleware-detector'
+import { isComment, isTestOrMockFile, isExampleFile, isPlaceholderValue, isScannerOrFixtureFile } from '../../parse/file-classifier'
+import { isRouteProtectedByMiddleware, getRoutePathFromFile, detectUserScopingPatterns } from '../../model/middleware-detector'
+
+const BASE_CONFIDENCE_STORAGE = 0.50
+const BASE_CONFIDENCE_TRANSIENT = 0.25
 
 /**
  * Check if line contains example/placeholder API key patterns
@@ -221,14 +225,15 @@ function isKeyLogged(content: string, lineNumber: number): boolean {
 export function detectBYOKPatterns(
   content: string,
   filePath: string,
-  middlewareConfig?: MiddlewareAuthConfig
+  middlewareConfig?: MiddlewareAuthConfig,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
 
   // Skip example/demo files entirely - they contain placeholder credentials by design
@@ -270,6 +275,7 @@ export function detectBYOKPatterns(
         let severity: VulnerabilitySeverity
         let description: string
         let suggestedFix: string
+        let baseConfidence: number
 
         if (isAuthenticated && isTransient) {
           // Authenticated and transient - this is the IDEAL BYOK pattern
@@ -279,6 +285,7 @@ export function detectBYOKPatterns(
             severity = 'low'
             description = `BYOK feature detected: ${pattern.description}. Keys are used transiently (good!) but appear to be logged (avoid logging API keys, even in debug).`
             suggestedFix = 'Remove logging of API keys. Best practices: (1) Validate API key format, (2) Add per-user rate limiting.'
+            baseConfidence = BASE_CONFIDENCE_STORAGE
           } else {
             // IDEAL PATTERN: Authenticated + transient + no logging = no issue
             // Skip emitting a finding entirely for the ideal case
@@ -289,26 +296,31 @@ export function detectBYOKPatterns(
           severity = 'low'
           description = `BYOK feature detected: ${pattern.description}. Keys are used transiently (not stored). Consider adding authentication or rate limiting.`
           suggestedFix = 'Consider adding authentication. If intentionally public: add rate limiting, key format validation, and usage tracking.'
+          baseConfidence = BASE_CONFIDENCE_TRANSIENT
         } else if (!isAuthenticated && isStoredCentrally) {
           // Unauthenticated AND storing keys - this is the real risk
           severity = 'medium'
           description = `${pattern.description}. This endpoint appears to lack authentication AND stores keys. This could allow unauthorized key storage.`
           suggestedFix = 'Add authentication. Ensure stored keys are scoped by user_id with proper access controls.'
+          baseConfidence = BASE_CONFIDENCE_STORAGE
         } else if (isStoredCentrally && !isUserScoped) {
           // Authenticated but keys stored without user scoping - medium risk
           severity = 'medium'
           description = `${pattern.description}. Keys appear to be stored centrally without user-scoping, which could lead to cross-tenant key access.`
           suggestedFix = 'Ensure stored keys are scoped by user_id. Add proper access controls to prevent users from accessing other users\' keys.'
+          baseConfidence = BASE_CONFIDENCE_STORAGE
         } else if (isAuthenticated && isUserScoped) {
           // Authenticated and user-scoped with storage - generally okay
           severity = 'info'
           description = `${pattern.description}. Route is authenticated and operations appear user-scoped. If keys are stored, consider encryption at rest.`
           suggestedFix = 'If storing keys: consider encryption at rest. Add rate limiting to prevent cost abuse.'
+          baseConfidence = BASE_CONFIDENCE_STORAGE
         } else {
           // Authenticated but unclear scoping - needs review, but low priority
           severity = 'info'
           description = `${pattern.description}. Route is authenticated. This appears to be a BYOK feature.`
           suggestedFix = 'Verify user-scoping for stored keys. Add rate limiting for cost control.'
+          baseConfidence = BASE_CONFIDENCE_TRANSIENT
         }
 
         // Downgrade test files
@@ -329,6 +341,8 @@ export function detectBYOKPatterns(
           suggestedFix,
           confidence: isTestFile ? 'low' : 'medium',
           layer: 2,
+        source: 'ai_code' as const,
+          baseConfidence,
         })
 
         break // One finding per line

package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts}

@@ -8,15 +8,18 @@
  * - Missing rate limiting on AI routes
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import type { MiddlewareAuthConfig } from '../../model/middleware-detector'
 import {
   isComment,
   isTestOrMockFile,
   isDocumentationFile,
   isScannerOrFixtureFile,
   isExampleDirectory,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.50
 
 // ============================================================================
 // Context Detection
@@ -255,6 +258,7 @@ const ROUTE_HANDLER_PATTERNS: EndpointProtectionPattern[] = [
 
 export interface EndpointProtectionOptions {
   middlewareConfig?: MiddlewareAuthConfig
+  parsed?: ParsedFile
 }
 
 /**
@@ -276,7 +280,7 @@ export function detectAIEndpointProtection(
     return vulnerabilities
   }
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   const isExample = isExampleDirectory(filePath)
 
@@ -382,7 +386,9 @@ export function detectAIEndpointProtection(
         suggestedFix,
         confidence: severity === 'info' ? 'low' : 'medium',
         layer: 2,
+        source: 'ai_code' as const,
         requiresAIValidation: severity !== 'info',
+        baseConfidence: BASE_CONFIDENCE,
       })
 
       // Only report one finding per file (file-level issue)

package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts}

@@ -11,15 +11,18 @@
  * - Template rendering: innerHTML, dangerouslySetInnerHTML
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isComment,
   isTestOrMockFile,
   isScannerOrFixtureFile,
   isExampleDirectory,
   isLibraryCode,
-} from '../utils/context-helpers'
-import { isLLMContextFile } from './ai-prompt-hygiene'
+} from '../../parse/file-classifier'
+import { isLLMContextFile } from './prompt-hygiene'
+
+const BASE_CONFIDENCE = 0.55
 
 // ============================================================================
 // LLM Output Variable Detection
@@ -141,11 +144,11 @@ function isAppDataInterpolation(lineContent: string, surroundingContext: string)
 /**
  * Check if execution is sandboxed
  */
-function isSandboxedExecution(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
+function isSandboxedExecution(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 25)
-  const contextEnd = Math.min(lines.length, lineNumber + 10)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 10)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   const sandboxPatterns = [
     /vm2/i,
@@ -168,11 +171,11 @@ function isSandboxedExecution(content: string, lineNumber: number): boolean {
 /**
  * Check if output has validation before execution
  */
-function hasOutputValidation(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
+function hasOutputValidation(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   const validationPatterns = [
     /validate/i,
@@ -615,6 +618,126 @@ const EXECUTION_SINK_PATTERNS: ExecutionSinkPattern[] = [
     description: 'AI-generated value interpolated into SQL query via f-string. Enables SQL injection.',
     suggestedFix: 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = ?", [user_id])',
   },
+
+  // ========== Sprint 6: Template Engine Injection Sinks ==========
+  {
+    name: 'LLM output to EJS template',
+    pattern: /\bejs\.(?:render|renderFile|compile)\s*\([^)]*(?:response|result|output|completion|content|message|text|answer)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output passed to EJS template engine. Server-side template injection (SSTI) can lead to remote code execution.',
+    suggestedFix: 'Sanitize LLM output before passing to templates. Use autoescaping and never pass AI output as template source.',
+  },
+  {
+    name: 'LLM output to Handlebars template',
+    pattern: /\b(?:handlebars|hbs)\.(?:compile|render)\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output passed to Handlebars template. If used with SafeString, SSTI is possible.',
+    suggestedFix: 'Never pass LLM output to Handlebars SafeString. Use default escaping and sanitize AI output.',
+  },
+  {
+    name: 'LLM output to Pug/Jade template',
+    pattern: /\bpug\.(?:render|compile|renderFile)\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output passed to Pug template engine. Unescaped interpolation (!{}) enables SSTI.',
+    suggestedFix: 'Use escaped interpolation (#{}) and sanitize LLM output before rendering.',
+  },
+  {
+    name: 'LLM output to Nunjucks template',
+    pattern: /\bnunjucks\.(?:render|renderString)\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output passed to Nunjucks template. SSTI risk if autoescape is disabled.',
+    suggestedFix: 'Enable autoescape and sanitize LLM output before rendering.',
+  },
+  {
+    name: 'LLM output to Jinja2 template (Python)',
+    pattern: /\b(?:jinja2\.)?Template\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output used as Jinja2 template source. SSTI can lead to RCE in Python.',
+    suggestedFix: 'Never use LLM output as template source. Use it only as template variables with autoescaping enabled.',
+  },
+  {
+    name: 'LLM output in Mustache template',
+    pattern: /\bMustache\.render\s*\([^)]*(?:response|result|output|completion|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'medium',
+    description: 'LLM output passed to Mustache template. While Mustache auto-escapes HTML, triple braces {{{...}}} bypass this.',
+    suggestedFix: 'Ensure LLM output is never used with triple braces. Validate template structure.',
+  },
+
+  // ========== Sprint 6: NoSQL Injection Sinks ==========
+  {
+    name: 'NoSQL injection via JSON.parse',
+    pattern: /\.(?:find|findOne|findOneAndUpdate|updateOne|updateMany|deleteOne|deleteMany|aggregate)\s*\(\s*JSON\.parse\s*\(\s*(?:response|result|output|completion|content)(?:\.|\.text|\.content)?/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'high',
+    description: 'LLM output parsed as MongoDB query via JSON.parse. NoSQL injection can bypass authentication or leak data.',
+    suggestedFix: 'Use parameterized queries or validate/sanitize LLM output against a schema before using in queries.',
+  },
+  {
+    name: 'MongoDB $where injection',
+    pattern: /\$where\s*:\s*[^}]*(?:response|result|output|completion|content|message)(?:\.|\.text|\.content)?/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'critical',
+    description: 'LLM output in MongoDB $where operator. $where executes JavaScript, enabling arbitrary code execution.',
+    suggestedFix: 'Avoid $where operator entirely. Use standard MongoDB query operators instead.',
+  },
+  {
+    name: 'Dynamic MongoDB query from LLM',
+    pattern: /(?:db|collection|mongoose)\.(?:find|findOne|aggregate)\s*\(\s*(?:response|result|output|completion|aiQuery)(?:\.|\.query|\.filter)?/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'high',
+    description: 'LLM output used directly as MongoDB query. Query operators could be injected.',
+    suggestedFix: 'Validate query structure. Only allow specific operators. Use schema validation before query execution.',
+  },
+
+  // ========== Sprint 6: GraphQL Injection Sinks ==========
+  {
+    name: 'GraphQL query injection',
+    pattern: /\b(?:gql|graphql)\s*`[^`]*\$\{[^}]*(?:response|result|output|completion|content|message)[^}]*\}/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'high',
+    description: 'LLM output interpolated into GraphQL query string. Can lead to query manipulation or unauthorized data access.',
+    suggestedFix: 'Use GraphQL variables instead of string interpolation for dynamic values.',
+  },
+  {
+    name: 'GraphQL query from LLM output',
+    pattern: /(?:apolloClient|urqlClient|client)\.query\s*\(\s*\{[^}]*query\s*:\s*(?:response|result|output|completion|aiQuery)(?:\.|\.query)?/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'high',
+    description: 'LLM output used as GraphQL query. Malicious queries could access unauthorized data or cause DoS.',
+    suggestedFix: 'Use predefined queries with variables. Validate query structure and depth before execution.',
+  },
+
+  // ========== Sprint 6: ReDoS (Regular Expression DoS) Sinks ==========
+  {
+    name: 'Dynamic regex from LLM output',
+    pattern: /new\s+RegExp\s*\(\s*(?:response|result|output|completion|content|message|answer)(?:\.|\.text|\.content|\.pattern)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'medium',
+    description: 'LLM-generated regex pattern. Malicious patterns can cause catastrophic backtracking (ReDoS), hanging the server.',
+    suggestedFix: 'Validate regex complexity before compilation. Use safe-regex library or set timeout for regex execution.',
+  },
+  {
+    name: 'Python regex from LLM output',
+    pattern: /re\.compile\s*\(\s*(?:response|result|output|completion|content|pattern)(?:\.|\.text|\.content)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'medium',
+    description: 'LLM-generated regex compiled in Python. ReDoS attacks can cause denial of service.',
+    suggestedFix: 'Use regex_timeout or validate pattern complexity before compilation.',
+  },
+  {
+    name: 'Dynamic regex replacement',
+    pattern: /\.replace\s*\(\s*new\s+RegExp\s*\(\s*(?:response|result|output|completion|content)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'medium',
+    description: 'LLM output used as regex pattern in replace operation. ReDoS risk.',
+    suggestedFix: 'Use string replace or validate regex pattern complexity.',
+  },
 ]
 
 // ============================================================================
@@ -626,11 +749,11 @@ const EXECUTION_SINK_PATTERNS: ExecutionSinkPattern[] = [
  * Strong validation = skip finding entirely
  * Weak validation = downgrade severity
  */
-function getURLValidationLevel(content: string, lineNumber: number): 'strong' | 'weak' | 'none' {
-  const lines = content.split('\n')
+function getURLValidationLevel(content: string, lineNumber: number, lines?: string[]): 'strong' | 'weak' | 'none' {
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   // Strong validation - skip entirely
   const strongValidationPatterns = [
@@ -699,11 +822,11 @@ function isDOMSanitized(lineContent: string, surroundingContext: string): boolea
 /**
  * Check if file path is properly validated
  */
-function isPathValidated(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
+function isPathValidated(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   const pathValidationPatterns = [
     /path\.resolve\s*\([^)]*\).*startsWith/i,  // Resolved path + startsWith check
@@ -724,11 +847,11 @@ function isPathValidated(content: string, lineNumber: number): boolean {
 /**
  * Check if header value is sanitized
  */
-function isHeaderSanitized(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
+function isHeaderSanitized(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   const headerSanitizationPatterns = [
     /\.replace\s*\(\s*\/\[\\r\\n\]/i,  // CRLF removal
@@ -789,11 +912,11 @@ function isSQLParameterized(lineContent: string, surroundingContext: string): bo
 /**
  * Check if shell execution uses allowlist
  */
-function isShellAllowlisted(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
+function isShellAllowlisted(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   const shellAllowlistPatterns = [
     /allowedArgs\.includes\s*\(/i,  // Argument allowlist
@@ -807,14 +930,93 @@ function isShellAllowlisted(content: string, lineNumber: number): boolean {
   return shellAllowlistPatterns.some(p => p.test(context))
 }
 
+/**
+ * Check if template engine has autoescape enabled or uses safe rendering
+ */
+function isTemplateSafe(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
+
+  const templateSafePatterns = [
+    /autoescape\s*[=:]\s*true/i,  // Autoescape enabled
+    /autoescaping\s*[=:]\s*true/i,  // Alternative naming
+    /escape\s*[=:]\s*true/i,  // Escape option
+    /\.escapeHtml\s*\(/i,  // Manual escaping
+    /sanitize(?:Html|Output)?\s*\(/i,  // Sanitization function
+    /DOMPurify\.sanitize/i,  // DOMPurify sanitization
+    /#{[^}]+}/i,  // Pug escaped interpolation (safe)
+    /\{\{[^}]+\}\}/i,  // Handlebars/Mustache double-brace (escaped by default)
+  ]
+
+  // Patterns that indicate unsafe usage
+  const unsafePatterns = [
+    /autoescape\s*[=:]\s*false/i,  // Autoescape disabled
+    /!{[^}]+}/i,  // Pug unescaped interpolation
+    /{{{[^}]+}}}/i,  // Handlebars/Mustache triple-brace (unescaped)
+    /SafeString/i,  // Handlebars SafeString (bypasses escaping)
+    /\|safe\b/i,  // Jinja2/Nunjucks safe filter
+  ]
+
+  const isSafe = templateSafePatterns.some(p => p.test(context))
+  const isUnsafe = unsafePatterns.some(p => p.test(context))
+
+  return isSafe && !isUnsafe
+}
+
+/**
+ * Check if NoSQL query uses schema validation or allowlist
+ */
+function isNoSQLSafe(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
+
+  const safePatterns = [
+    /schema\.parse\s*\(/i,  // Zod schema validation
+    /\.validate\s*\(/i,  // Joi/Yup validation
+    /allowedOperators/i,  // Operator allowlist
+    /allowedFields/i,  // Field allowlist
+    /sanitizeQuery/i,  // Query sanitization function
+    /mongo-sanitize/i,  // mongo-sanitize library
+    /mongoose\.(?:Schema|model)/i,  // Using Mongoose models (safer)
+  ]
+
+  return safePatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if regex has complexity validation or timeout
+ */
+function isRegexSafe(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
+
+  const safePatterns = [
+    /safe-regex/i,  // safe-regex library
+    /recheck/i,  // recheck library
+    /regex-timeout/i,  // Timeout wrapper
+    /RE2/i,  // RE2 library (safe by design)
+    /validateRegex/i,  // Custom validation
+    /maxLength|maxPatternLength/i,  // Length limits
+    /try\s*\{[^}]*new\s+RegExp[^}]*\}\s*catch/i,  // Try-catch around regex
+  ]
+
+  return safePatterns.some(p => p.test(context))
+}
+
 /**
  * Check if dynamic import uses allowlist
  */
-function isImportAllowlisted(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
+function isImportAllowlisted(content: string, lineNumber: number, lines?: string[]): boolean {
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   const importAllowlistPatterns = [
     /ALLOWED_PLUGINS\s*[=:]/i,  // Plugin allowlist
@@ -835,11 +1037,11 @@ function isImportAllowlisted(content: string, lineNumber: number): boolean {
 /**
  * Get surrounding context for analysis
  */
-function getSurroundingContext(content: string, lineIndex: number, windowSize: number = 15): string {
-  const lines = content.split('\n')
+function getSurroundingContext(content: string, lineIndex: number, windowSize: number = 15, lines?: string[]): string {
+  const _lines = lines ?? content.split('\n')
   const start = Math.max(0, lineIndex - windowSize)
-  const end = Math.min(lines.length, lineIndex + windowSize)
-  return lines.slice(start, end).join('\n')
+  const end = Math.min(_lines.length, lineIndex + windowSize)
+  return _lines.slice(start, end).join('\n')
 }
 
 /**
@@ -896,7 +1098,8 @@ function calculateSeverity(
  */
 export function detectAIExecutionSinks(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
@@ -906,7 +1109,7 @@ export function detectAIExecutionSinks(
   // Only deeply scan files that appear to be in LLM context
   // But still do basic scanning on all files for obvious patterns
   const isLLMFile = isLLMContextFile(filePath, content)
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   const isExample = isExampleDirectory(filePath)
   const isLibrary = isLibraryCode(filePath)
@@ -922,7 +1125,7 @@ export function detectAIExecutionSinks(
       // Skip comments
       if (isComment(lineContent)) continue
 
-      const surroundingContext = getSurroundingContext(content, lineNumber - 1)
+      const surroundingContext = getSurroundingContext(content, lineNumber - 1, 15, lines)
 
       // Check if this is actually in an LLM context
       const hasLLMContext = isLLMFile || hasLLMResponseContext(lineContent, surroundingContext)
@@ -953,8 +1156,8 @@ export function detectAIExecutionSinks(
       }
 
       // Check for sandboxing and validation
-      const isSandboxed = isSandboxedExecution(content, lineNumber)
-      const hasValidation = hasOutputValidation(content, lineNumber)
+      const isSandboxed = isSandboxedExecution(content, lineNumber, lines)
+      const hasValidation = hasOutputValidation(content, lineNumber, lines)
 
       // ===== SINK-SPECIFIC VALIDATION CHECKS =====
 
@@ -963,7 +1166,7 @@ export function detectAIExecutionSinks(
         pattern.name.includes('HTTP') || pattern.name.includes('redirect') ||
         pattern.name.includes('location') || pattern.name.includes('got')
       if (isNetworkSink) {
-        const urlValidLevel = getURLValidationLevel(content, lineNumber)
+        const urlValidLevel = getURLValidationLevel(content, lineNumber, lines)
         if (urlValidLevel === 'strong') {
           continue  // Skip - strong URL validation present
         }
@@ -982,14 +1185,14 @@ export function detectAIExecutionSinks(
       // Check for header sanitization
       const isHeaderSink = pattern.name.includes('header') || pattern.name.includes('cookie') ||
         pattern.name.includes('res.type')
-      if (isHeaderSink && isHeaderSanitized(content, lineNumber)) {
+      if (isHeaderSink && isHeaderSanitized(content, lineNumber, lines)) {
         continue  // Skip - header value is sanitized
       }
 
       // Check for path validation on file system sinks
       const isFileSink = pattern.name.includes('file path') || pattern.name.includes('fs operation') ||
         pattern.name.includes('path.join')
-      if (isFileSink && isPathValidated(content, lineNumber)) {
+      if (isFileSink && isPathValidated(content, lineNumber, lines)) {
         continue  // Skip - path is validated
       }
 
@@ -1001,16 +1204,37 @@ export function detectAIExecutionSinks(
 
       // Check for shell allowlist
       const isShellSink = pattern.sinkType === 'shell_command'
-      if (isShellSink && isShellAllowlisted(content, lineNumber)) {
+      if (isShellSink && isShellAllowlisted(content, lineNumber, lines)) {
         continue  // Skip - shell command uses allowlist
       }
 
       // Check for import allowlist
       const isImportSink = pattern.name.includes('import') || pattern.name.includes('require')
-      if (isImportSink && isImportAllowlisted(content, lineNumber)) {
+      if (isImportSink && isImportAllowlisted(content, lineNumber, lines)) {
         continue  // Skip - import uses allowlist
       }
 
+      // Check for template engine safety (autoescape, sanitization)
+      const isTemplateEngineSink = pattern.name.includes('EJS') || pattern.name.includes('Handlebars') ||
+        pattern.name.includes('Pug') || pattern.name.includes('Nunjucks') || pattern.name.includes('Jinja2') ||
+        pattern.name.includes('Mustache')
+      if (isTemplateEngineSink && isTemplateSafe(content, lineNumber, lines)) {
+        continue  // Skip - template engine has safe configuration
+      }
+
+      // Check for NoSQL query safety
+      const isNoSQLSink = pattern.name.includes('NoSQL') || pattern.name.includes('MongoDB') ||
+        pattern.name.includes('$where')
+      if (isNoSQLSink && isNoSQLSafe(content, lineNumber, lines)) {
+        continue  // Skip - NoSQL query is validated
+      }
+
+      // Check for regex safety (ReDoS protection)
+      const isRegexSink = pattern.name.includes('regex') || pattern.name.includes('RegExp')
+      if (isRegexSink && isRegexSafe(content, lineNumber, lines)) {
+        continue  // Skip - regex has safety measures
+      }
+
       // Check for Python-specific safe patterns
       const isPythonSink = pattern.name.includes('Python') || pattern.name.includes('pickle') ||
         pattern.name.includes('subprocess') || pattern.name.includes('os.system')
@@ -1025,7 +1249,7 @@ export function detectAIExecutionSinks(
       }
 
       // Check URL validation level for severity adjustment
-      const hasURLValid = isNetworkSink ? getURLValidationLevel(content, lineNumber) !== 'none' : false
+      const hasURLValid = isNetworkSink ? getURLValidationLevel(content, lineNumber, lines) !== 'none' : false
 
       // Combine validation checks (URL validation counts as validation for network sinks)
       const effectiveValidation = hasValidation || hasURLValid
@@ -1075,7 +1299,9 @@ export function detectAIExecutionSinks(
         suggestedFix: pattern.suggestedFix,
         confidence: hasLLMContext ? 'high' : 'medium',
         layer: 2,
+        source: 'ai_code' as const,
         requiresAIValidation: severity !== 'info' && severity !== 'low',
+        baseConfidence: BASE_CONFIDENCE,
       })
     }
   }