@oculum/scanner 1.0.11 → 1.0.13

package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts}

@@ -8,13 +8,19 @@
  * - Properly classifies public endpoints
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
-import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../utils/middleware-detector'
-import type { AuthHelper, AuthHelperContext } from '../utils/auth-helper-detector'
-import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../utils/auth-helper-detector'
-import type { FileAuthImports } from '../utils/imported-auth-detector'
-import { isScannerOrFixtureFile } from '../utils/context-helpers'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import type { MiddlewareAuthConfig } from '../../model/middleware-detector'
+import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../../model/middleware-detector'
+import type { AuthHelper, AuthHelperContext } from '../../model/auth-helper-detector'
+import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../../model/auth-helper-detector'
+import type { FileAuthImports } from '../../model/imported-auth-detector'
+import { isScannerOrFixtureFile } from '../../parse/file-classifier'
+import { getRouteProtectionContext, isAuthenticatedOnlyComponent } from '../../model/route-hierarchy'
+import { is2FAOrValidation } from '../../shared/schema-semantics'
+import { isPasswordErrorCode, hasPasswordValueInError } from '../../shared/intent-detector'
+
+const BASE_CONFIDENCE = 0.40
 
 interface AuthAntiPattern {
   name: string
@@ -79,13 +85,10 @@ const AUTH_ANTIPATTERNS: AuthAntiPattern[] = [
     description: 'Session configuration may lack secure flag',
     suggestedFix: 'Set secure: true for cookies in production',
   },
-  {
-    name: 'Cookie without httpOnly',
-    pattern: /cookie\s*\(\s*['"][^'"]+['"]\s*,[^)]*(?!httpOnly)[^)]*\)|setCookie\s*\([^)]*(?!httpOnly)/gi,
-    severity: 'medium',
-    description: 'Cookie set without httpOnly flag',
-    suggestedFix: 'Add httpOnly: true to prevent XSS access to cookies',
-  },
+  // NOTE: Cookie httpOnly detection removed - causes false positives
+  // Client-side code (document.cookie) cannot set httpOnly - it's a server-only flag
+  // Server-side cookie libraries have proper defaults
+  // The pattern was triggering on client-side cookie access which is conceptually wrong
   
   // Authorization issues
   // NOTE: We intentionally do NOT flag "if (!user)" or "if (!userId)" patterns as issues
@@ -123,12 +126,17 @@ const AUTH_ANTIPATTERNS: AuthAntiPattern[] = [
   },
   
   // OAuth/Social auth issues
+  // NOTE: OAuth detection narrowed significantly to reduce false positives.
+  // Previously matched any line containing "oauth" which flagged variable names, imports, etc.
+  // Now only matches actual OAuth authorization URL construction.
   {
     name: 'OAuth state parameter missing',
-    pattern: /oauth|authorize\?.*(?!state=)/gi,
+    // Only match actual OAuth authorization URL construction without state parameter
+    // Must have: authorize endpoint + client_id/redirect_uri but missing state
+    pattern: /['"`]https?:\/\/[^'"]*\/(?:oauth|authorize|auth)[^'"]*client_id=[^'"]*(?!.*state=)/gi,
     severity: 'medium',
-    description: 'OAuth flow may lack state parameter for CSRF protection',
-    suggestedFix: 'Include a random state parameter in OAuth requests',
+    description: 'OAuth authorization URL may lack state parameter for CSRF protection',
+    suggestedFix: 'Include a random state parameter in OAuth authorization requests',
   },
   
   // Password handling issues
@@ -139,13 +147,10 @@ const AUTH_ANTIPATTERNS: AuthAntiPattern[] = [
     description: 'Password may be logged to console',
     suggestedFix: 'Never log passwords or sensitive credentials',
   },
-  {
-    name: 'Password in error message',
-    pattern: /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi,
-    severity: 'high',
-    description: 'Password may be included in error message',
-    suggestedFix: 'Never include passwords in error messages',
-  },
+  // NOTE: 'Password in error message' pattern now uses smart intent detection
+  // Error CODES like 'SAME_PASSWORD' are not flagged (they're codes, not values)
+  // Only actual password values concatenated into errors are flagged
+  // This is handled specially in detectAuthAntipatterns() below
   
   // Rate limiting
   {
@@ -184,6 +189,37 @@ function isAuthRelatedFile(filePath: string): boolean {
   return authKeywords.some(keyword => lowerPath.includes(keyword))
 }
 
+/**
+ * Check if file is an auth implementation/library file
+ * These files ARE the auth system - flagging them for "missing auth" is wrong
+ *
+ * Examples:
+ * - packages/auth/src/handlers.ts
+ * - lib/auth/middleware.ts
+ * - services/authentication/index.ts
+ */
+function isAuthImplementationFile(filePath: string): boolean {
+  const authImplPatterns = [
+    /\/packages\/auth\//i,
+    /\/lib\/auth\//i,
+    /\/utils\/auth\//i,
+    /\/services\/auth/i,
+    /\/authentication\//i,
+    /\/auth-provider/i,
+    /\/auth-helpers/i,
+    /\/auth-utils/i,
+    /\/passport-/i,              // Passport.js strategy files
+    /\/next-auth\//i,            // NextAuth config
+    /\/lucia\//i,                // Lucia auth
+    /\/better-auth\//i,          // Better Auth
+    /\/supabase\/auth/i,         // Supabase auth
+    /\/clerk\//i,                // Clerk auth
+    /\/auth0\//i,                // Auth0
+    /\/keycloak\//i,             // Keycloak
+  ]
+  return authImplPatterns.some(p => p.test(filePath))
+}
+
 // Check if endpoint is a known public endpoint (health checks, webhooks, cron)
 function isKnownPublicEndpoint(lineContent: string, filePath: string): boolean {
   const PUBLIC_ENDPOINTS = [
@@ -194,20 +230,60 @@ function isKnownPublicEndpoint(lineContent: string, filePath: string): boolean {
     /\/live\b/i,
     /\/ping\b/i,
     /\/status\b/i,
+    /\/_health/i,
 
     // Webhooks (receive external calls)
     /\/webhook\b/i,
     /\/webhooks\//i,
     /\/callback\b/i,
+    /\/stripe\/webhook/i,
+    /\/clerk\/webhook/i,
+    /\/svix\//i,
 
     // Cron/scheduled tasks
     /\/cron\//i,
     /\/scheduled\//i,
     /\/tasks\//i,
+    /\/jobs?\//i,
 
-    // Public APIs
+    // Public APIs - intentionally unauthenticated
     /\/public\//i,
+    /\/openpage/i,        // OpenPage API pattern (intentionally public)
+    /\/open-api\//i,
+    /\/api\/public\//i,
+    /\/api\/v\d+\/public\//i,
     /\bGET\b.*\/api\/\w+\/\[id\]/i,  // Public resource reads with ID param
+
+    // Auth endpoints (must be public for users to authenticate)
+    /\/api\/auth\//i,
+    /\/auth\//i,
+    /\/login\b/i,
+    /\/signup\b/i,
+    /\/register\b/i,
+    /\/forgot-password/i,
+    /\/reset-password/i,
+    /\/verify-email/i,
+    /\/magic-link/i,
+    /\/oauth\//i,
+
+    // RSS/Atom feeds (typically public)
+    /\/feed\b/i,
+    /\/rss\b/i,
+    /\/atom\b/i,
+
+    // Sitemap/robots (always public)
+    /\/sitemap/i,
+    /\/robots/i,
+
+    // OpenGraph/meta endpoints
+    /\/og\//i,
+    /\/opengraph/i,
+    /\/meta\//i,
+
+    // Share/embed endpoints
+    /\/share\//i,
+    /\/embed\//i,
+    /\/widget\//i,
   ]
 
   return PUBLIC_ENDPOINTS.some(pattern =>
@@ -244,6 +320,47 @@ function hasAuthCheckNearby(lines: string[], lineIndex: number): boolean {
     /userApiKey|user_api_key|clientApiKey/i,
     /req\.body\.(?:apiKey|api_key|openaiKey|anthropicKey)/i,
     /headers\[['"`]x-(?:openai|api|anthropic)-key['"`]\]/i,
+
+    // Next.js / React auth patterns (expanded)
+    /const\s+session\s*=\s*await\s+auth\s*\(\)/,          // const session = await auth()
+    /const\s+\{\s*session\s*\}\s*=\s*await\s+auth\s*\(\)/, // const { session } = await auth()
+    /if\s*\(\s*!session\?\.user/,                          // if (!session?.user)
+    /if\s*\(\s*!session\s*\)/,                             // if (!session)
+    /session\s*\?\.\s*user/,                               // session?.user
+    /getServerSession\s*\(\s*authOptions/,                 // getServerSession(authOptions)
+    /getServerSession\s*\(\s*req\s*,\s*res/,              // getServerSession(req, res, ...)
+    /useSession\s*\(\)/,                                   // useSession()
+    /signIn\s*\(/,                                         // signIn()
+    /signOut\s*\(/,                                        // signOut()
+
+    // Clerk auth patterns
+    /currentUser\s*\(\)/,                                  // currentUser()
+    /auth\s*\(\)\s*\.\s*protect/,                         // auth().protect
+    /auth\s*\(\)\s*\.\s*userId/,                          // auth().userId
+    /clerkClient/i,
+    /getAuth\s*\(/,
+    /ClerkProvider/,
+
+    // Supabase auth patterns
+    /supabase\s*\.\s*auth\s*\.\s*getUser/,               // supabase.auth.getUser()
+    /supabase\s*\.\s*auth\s*\.\s*getSession/,            // supabase.auth.getSession()
+    /createServerClient/,                                  // Supabase server client
+    /createRouteHandlerClient/,
+
+    // Lucia auth patterns
+    /lucia\s*\.\s*validateSession/,
+    /validateRequest/,
+
+    // Better Auth patterns
+    /betterAuth/,
+    /auth\.api\./,
+
+    // Throwing auth helpers (if these are called, route is authenticated)
+    /throw\s+new\s+Error\s*\(\s*['"]unauthorized/i,
+    /throw\s+new\s+Error\s*\(\s*['"]unauthenticated/i,
+    /ChatSDKError\s*\(\s*['"]unauthorized/i,
+    /return\s+new\s+Response\s*\(\s*.*401/,
+    /return\s+NextResponse\s*\.\s*json\s*\(\s*.*401/,
   ]
 
   return searchWindow.some(line =>
@@ -255,6 +372,7 @@ export interface AuthAntipatternOptions {
   middlewareConfig?: MiddlewareAuthConfig
   authHelpers?: AuthHelperContext
   fileAuthImports?: Map<string, FileAuthImports>
+  parsed?: ParsedFile
 }
 
 export function detectAuthAntipatterns(
@@ -262,14 +380,18 @@ export function detectAuthAntipatterns(
   filePath: string,
   options: AuthAntipatternOptions = {}
 ): Vulnerability[] {
-  const { middlewareConfig, authHelpers, fileAuthImports } = options
+  const { middlewareConfig, authHelpers, fileAuthImports, parsed } = options
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = parsed?.lines ?? content.split('\n')
   const isAuthFile = isAuthRelatedFile(filePath)
+  const isAuthImpl = isAuthImplementationFile(filePath)
+
+  // Check framework route hierarchy protection (Remix, Next.js route groups)
+  const routeHierarchy = getRouteProtectionContext(filePath)
 
   // Check if this route is protected by global middleware
   const routePath = getRoutePathFromFile(filePath)
@@ -284,6 +406,9 @@ export function detectAuthAntipatterns(
   // Check if file uses throwing auth helpers
   const helpersList = authHelpers?.helpers || []
 
+  // Check if this is a component only used in authenticated contexts
+  const isAuthOnlyComponent = isAuthenticatedOnlyComponent(filePath)
+
   lines.forEach((line, index) => {
     // Skip comment lines
     if (isComment(line)) return
@@ -296,6 +421,12 @@ export function detectAuthAntipatterns(
         if (pattern.name === 'Unprotected API route' ||
             pattern.name === 'Express route without auth middleware') {
 
+          // PRIORITY -1: Skip auth implementation files entirely
+          // These files ARE the auth system - flagging them for "missing auth" is conceptually wrong
+          if (isAuthImpl) {
+            break // Skip this pattern
+          }
+
           // PRIORITY 0: Check if this is actually a route file
           // In Next.js, routes must be in `route.ts/js` files. Files like `handlers.ts`,
           // `safe-handlers.ts`, `utils.ts` etc. are NOT actual API routes even if they
@@ -313,6 +444,34 @@ export function detectAuthAntipatterns(
             break
           }
 
+          // PRIORITY 0.5: Check if route is in a protected route hierarchy
+          // Framework route conventions (Remix _authenticated+, Next.js route groups)
+          if (routeHierarchy.isInProtectedHierarchy) {
+            // Route is in a protected hierarchy - cap severity at info
+            vulnerabilities.push({
+              id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+              filePath,
+              lineNumber: index + 1,
+              lineContent: line.trim(),
+              severity: 'info',
+              category: 'missing_auth',
+              title: pattern.name + ' (in protected route hierarchy)',
+              description: `This route is within a protected route hierarchy (${routeHierarchy.protectionSource.join(', ')}). Authentication is likely handled by parent layout/middleware.`,
+              suggestedFix: 'Verify parent layout enforces authentication. If not, add auth check here.',
+              confidence: 'low',
+              baseConfidence: BASE_CONFIDENCE,
+              layer: 2,
+        source: 'structural' as const,
+            })
+            break // Only report once per line
+          }
+
+          // PRIORITY 0.75: Check if this is a component only used in authenticated contexts
+          if (isAuthOnlyComponent) {
+            // Component is in admin/dashboard/etc - skip entirely
+            break
+          }
+
           // PRIORITY 1: Check if route is protected by global middleware
           // This is the STRONGEST signal - if middleware protects the route, suppress entirely
           if (middlewareProtection.isProtected) {
@@ -349,7 +508,9 @@ export function detectAuthAntipatterns(
               description: 'This appears to be a public endpoint (health check, webhook, cron, etc.). Verify this is intentionally public and consider rate limiting if needed.',
               suggestedFix: 'If this is a webhook or cron endpoint, ensure it has appropriate authentication (API keys, signatures, etc.). Health checks typically do not need auth.',
               confidence: 'low',
+              baseConfidence: BASE_CONFIDENCE,
               layer: 2,
+        source: 'structural' as const,
             })
             break // Only report once per line
           }
@@ -367,7 +528,9 @@ export function detectAuthAntipatterns(
               description: pattern.description + ' (auth check detected in nearby lines)',
               suggestedFix: pattern.suggestedFix,
               confidence: 'low',
+              baseConfidence: BASE_CONFIDENCE,
               layer: 2,
+        source: 'structural' as const,
             })
             break // Only report once per line
           }
@@ -388,12 +551,71 @@ export function detectAuthAntipatterns(
           description: pattern.description,
           suggestedFix: pattern.suggestedFix,
           confidence,
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only report once per line
       }
     }
   })
 
+  // Special handling: Password in error message with smart intent detection
+  // Only flag actual password VALUES, not error CODES like 'SAME_PASSWORD'
+  const passwordErrorPattern = /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi
+  lines.forEach((line, index) => {
+    if (isComment(line)) return
+
+    if (passwordErrorPattern.test(line)) {
+      // Reset regex state
+      passwordErrorPattern.lastIndex = 0
+
+      // Skip if this is an error CODE, not a VALUE
+      if (isPasswordErrorCode(line)) {
+        return // This is fine - 'SAME_PASSWORD' is a code, not a value
+      }
+
+      // Only flag if actual password value is in the error
+      if (hasPasswordValueInError(line)) {
+        vulnerabilities.push({
+          id: `auth-antipattern-${filePath}-${index + 1}-password-in-error`,
+          filePath,
+          lineNumber: index + 1,
+          lineContent: line.trim(),
+          severity: 'high',
+          category: 'missing_auth',
+          title: 'Password value in error message',
+          description: 'Actual password value may be included in error message, exposing sensitive data.',
+          suggestedFix: 'Never include actual password values in error messages. Use error codes instead.',
+          confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+        })
+      }
+    }
+  })
+
+  // Special handling: 2FA optional fields with OR validation
+  // Don't flag .optional() on 2FA fields if there's .refine() enforcing OR logic
+  const twoFAOptionalPattern = /\.(totp|otp|backupCode|recoveryCode|twoFactor|2fa|mfa).*\.optional\s*\(\)/gi
+  lines.forEach((line, index) => {
+    if (isComment(line)) return
+
+    if (twoFAOptionalPattern.test(line)) {
+      // Reset regex state
+      twoFAOptionalPattern.lastIndex = 0
+
+      // Check if this is legitimate OR validation (either TOTP or backup code required)
+      if (is2FAOrValidation(content, index)) {
+        // This is legitimate OR validation - skip or report as info
+        return
+      }
+
+      // Only flag if this truly allows bypassing 2FA
+      // Most cases with .refine() are fine - this is handled by schema-semantics.ts
+    }
+  })
+
   return vulnerabilities
 }

package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts

@@ -5,15 +5,18 @@
  * and document.write.
  */
 
+import type { ParsedFile } from '../../../shared/parsed-file'
+
 /**
  * Check if innerHTML is being used on a style element (CSS injection is not XSS)
  */
 export function isStyleElementInnerHTML(
   lineContent: string,
   content: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): boolean {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
 
   // Direct style element patterns on the line
   const stylePatterns = [
@@ -32,7 +35,7 @@ export function isStyleElementInnerHTML(
   // Check surrounding context for style element creation
   const contextStart = Math.max(0, lineNumber - 10)
   const contextEnd = lineNumber
-  const contextBefore = lines.slice(contextStart, contextEnd).join('\n')
+  const contextBefore = _lines.slice(contextStart, contextEnd).join('\n')
 
   // Look for style element creation that flows into innerHTML
   const styleCreationPatterns = [
@@ -52,14 +55,15 @@ export function isStyleElementInnerHTML(
 export function isStaticHTMLContent(
   lineContent: string,
   content: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): boolean {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
 
   // Get surrounding context (5 lines before and after)
   const contextStart = Math.max(0, lineNumber - 6)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   // Static HTML indicators - string literals only
   const staticIndicators = [
@@ -75,9 +79,9 @@ export function isStaticHTMLContent(
     // Find the closing backtick in subsequent lines
     let templateContent = ''
     let foundClosing = false
-    for (let i = lineNumber - 1; i < lines.length && i < lineNumber + 50; i++) {
-      templateContent += lines[i] + '\n'
-      if (lines[i].includes('`') && i > lineNumber - 1) {
+    for (let i = lineNumber - 1; i < _lines.length && i < lineNumber + 50; i++) {
+      templateContent += _lines[i] + '\n'
+      if (_lines[i].includes('`') && i > lineNumber - 1) {
         foundClosing = true
         break
       }
@@ -113,12 +117,13 @@ export function isStaticHTMLContent(
 export function hasDOMPurifySanitization(
   lineContent: string,
   content: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): boolean {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 10)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   // DOMPurify sanitization patterns
   const sanitizationPatterns = [
@@ -168,17 +173,83 @@ export function isLLMPromptContext(
   ]
 
   // Check the line and surrounding context
-  const lines = content.split('\n')
-  const lineIndex = lines.findIndex(
+  const _lines = content.split('\n')
+  const lineIndex = _lines.findIndex(
     l => l === lineContent || l.includes(lineContent.trim())
   )
   const startLine = Math.max(0, lineIndex - 10)
-  const endLine = Math.min(lines.length, lineIndex + 10)
-  const context = lines.slice(startLine, endLine).join('\n')
+  const endLine = Math.min(_lines.length, lineIndex + 10)
+  const context = _lines.slice(startLine, endLine).join('\n')
 
   return llmApiPatterns.some(p => p.test(lineContent) || p.test(context))
 }
 
+/**
+ * Check if innerHTML uses output from trusted HTML rendering libraries
+ * Libraries like Shiki, highlight.js, marked, etc. produce sanitized HTML
+ */
+export function isTrustedLibraryHTMLOutput(
+  lineContent: string,
+  content: string,
+  lineNumber: number,
+  lines?: string[]
+): boolean {
+  const _lines = lines ?? content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
+
+  // Trusted HTML rendering library patterns
+  const trustedLibraryPatterns = [
+    // Syntax highlighting
+    /\bshiki\b/i,
+    /\bcodeToHtml\s*\(/i,          // Shiki's codeToHtml()
+    /\bhighlight(?:er)?\.highlight/i,  // highlight.js
+    /\bhljs\.highlight/i,
+    /\bPrism\.highlight/i,         // Prism.js
+    /\bPrismJS/i,
+
+    // Markdown rendering
+    /\bmarked\s*\(/i,              // marked library
+    /\bmarkdownIt/i,               // markdown-it
+    /\bremark/i,                   // remark
+    /\brehype/i,                   // rehype
+    /\bMDX/i,
+    /\bserialize\s*\(.*mdx/i,      // next-mdx-remote
+    /\bcompileMDX/i,
+
+    // Rich text editors (output is sanitized)
+    /\bTiptap/i,
+    /\bProseMirror/i,
+    /\bQuill/i,
+    /\bSlate/i,
+    /\bLexical/i,
+    /\bDraft(?:JS)?/i,
+    /\.getHTML\s*\(\)/i,           // Editor getHTML() output
+
+    // React components that handle sanitization
+    /\brenderToString\s*\(/i,       // Server-rendered React
+    /\brenderToStaticMarkup\s*\(/i,
+
+    // Code formatting/display libraries
+    /\bprettier/i,
+    /\bbeautify/i,
+
+    // SVG rendering
+    /\bcanvg/i,
+    /\.toSVG\s*\(/i,
+  ]
+
+  // Also check imports at top of file
+  const fullContent = content.substring(0, 2000) // First 2000 chars for imports
+
+  return (
+    trustedLibraryPatterns.some(p => p.test(lineContent)) ||
+    trustedLibraryPatterns.some(p => p.test(context)) ||
+    trustedLibraryPatterns.some(p => p.test(fullContent))
+  )
+}
+
 /**
  * Check if this is a static bootstrap script (e.g., localStorage theme reader)
  * These are very low risk even with dangerouslySetInnerHTML
@@ -186,12 +257,13 @@ export function isLLMPromptContext(
 export function isStaticBootstrapScript(
   _lineContent: string,
   content: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): boolean {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
   const contextStart = Math.max(0, lineNumber - 10)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   // Bootstrap script indicators (reading from localStorage, setting attributes)
   const bootstrapPatterns = [