@oculum/scanner 1.0.11 → 1.0.13

package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts

@@ -5,11 +5,13 @@
  * based on the data source and error handling context.
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../../types'
-import { isComment, isTestOrMockFile } from '../../utils/context-helpers'
+import type { Vulnerability, VulnerabilitySeverity } from '../../../shared/types'
+import { isComment, isTestOrMockFile } from '../../../parse/file-classifier'
 import { isInsideTryCatch, hasTryCatchNearby } from './utils/control-flow'
 import { hasSchemaValidationNearby } from './utils/schema-validation'
 
+const BASE_CONFIDENCE = 0.35
+
 /**
  * JSON.parse source classification
  * Determines if the input is user-controlled or internal data
@@ -339,7 +341,9 @@ export function detectJSONParseSafe(
       description,
       suggestedFix,
       confidence,
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   })
 
@@ -362,7 +366,9 @@ export function detectJSONParseSafe(
       suggestedFix:
         'Add try-catch for error handling. If parsing user input, add schema validation.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   } else if (instances.length > 0 && instances.length < 3) {
     // Report individually for small counts
@@ -378,7 +384,9 @@ export function detectJSONParseSafe(
         description: `JSON.parse on ${instance.source.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.${isTestFile ? ' (in test file)' : ''}`,
         suggestedFix: 'Consider adding try-catch for robustness.',
         confidence: 'low',
+        baseConfidence: BASE_CONFIDENCE,
         layer: 2,
+        source: 'structural' as const,
       })
     }
   }

package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts

@@ -9,9 +9,88 @@ import {
   isTestOrMockFile,
   isSeedOrDataGenFile,
   isEducationalVulnerabilityFile,
-} from '../../utils/context-helpers'
+} from '../../../parse/file-classifier'
+import type { ParsedFile } from '../../../shared/parsed-file'
 import { extractFunctionContext } from './utils/control-flow'
 
+/**
+ * Check if Math.random() is used in a jitter/backoff/retry context
+ * These are legitimate uses of Math.random() for network resilience,
+ * not security-sensitive randomness.
+ *
+ * Examples:
+ *   const delay = baseDelay + Math.random() * jitter
+ *   setTimeout(retry, delay * Math.random())
+ *   await sleep(backoff * (1 + Math.random() * 0.1))
+ *
+ * @param content - Full file content
+ * @param lineNumber - The 0-indexed line number where Math.random() was found
+ */
+export function isJitterOrBackoffContext(
+  content: string,
+  lineNumber: number,
+  lines?: string[]
+): boolean {
+  const _lines = lines ?? content.split('\n')
+  const start = Math.max(0, lineNumber - 10)
+  const end = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(start, end).join('\n')
+
+  // Patterns indicating jitter/backoff/retry context
+  const jitterPatterns = [
+    // Direct keyword matches
+    /\b(jitter|backoff|retry|retries|exponential)\b/i,
+    // Delay/timeout with random
+    /setTimeout.*Math\.random/i,
+    /setInterval.*Math\.random/i,
+    /sleep.*Math\.random/i,
+    /await.*delay.*Math\.random/i,
+    // Common backoff patterns
+    /\* Math\.random\(\).*delay/i,
+    /delay\s*\*\s*Math\.random/i,
+    /Math\.random\(\)\s*\*\s*\d+.*delay/i,
+    // Retry-related function names
+    /function\s+(retry|withRetry|backoff|withBackoff|exponentialBackoff)/i,
+    // Common retry library patterns
+    /retryPolicy|retryConfig|retryOptions|maxRetries|retryCount/i,
+    // Network resilience patterns
+    /\b(throttle|debounce|rateLimit)\b.*Math\.random/i,
+    // Sampling/probability for non-security uses
+    /sampleRate|samplingRate|probability\s*[<>]=?\s*Math\.random/i,
+  ]
+
+  return jitterPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if Math.random() is used in a React key prop context
+ * This is a common pattern to force re-renders, not a security issue.
+ *
+ * Examples:
+ *   key={Math.random()}
+ *   key={`prefix-${Math.random()}`}
+ *   key={Math.random().toString()}
+ *
+ * @param lineContent - The line of code to check
+ * @param filePath - The file path (only check JSX/TSX files)
+ */
+export function isReactKeyPattern(lineContent: string, filePath: string): boolean {
+  // Only check in JSX/TSX files
+  if (!/\.[jt]sx$/.test(filePath)) {
+    return false
+  }
+
+  // Pattern: key={...Math.random()...}
+  // Matches:
+  //   key={Math.random()}
+  //   key={`foo-${Math.random()}`}
+  //   key={Math.random().toString()}
+  //   key={`${Math.random()}-bar`}
+  //   key={something + Math.random()}
+  const keyPattern = /key\s*=\s*\{[^}]*Math\.random\(\)/
+  return keyPattern.test(lineContent)
+}
+
 /**
  * Check if Math.random() is used for cosmetic/UI purposes (not security)
  * Cosmetic uses: CSS values, animations, UI variations, demo data
@@ -20,9 +99,10 @@ import { extractFunctionContext } from './utils/control-flow'
 export function isCosmeticMathRandom(
   lineContent: string,
   content: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): boolean {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
 
   // Check the line itself for cosmetic indicators
   const cosmeticLinePatterns = [
@@ -61,8 +141,8 @@ export function isCosmeticMathRandom(
 
   // Check surrounding context (5 lines before and after)
   const contextStart = Math.max(0, lineNumber - 5)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   // Context indicators of cosmetic use
   const cosmeticContextPatterns = [
@@ -402,7 +482,8 @@ export function classifyVariableNameRisk(
 export function analyzeMathRandomContext(
   content: string,
   filePath: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): {
   inSecurityContext: boolean
   inTestContext: boolean
@@ -410,10 +491,10 @@ export function analyzeMathRandomContext(
   inBusinessLogicContext: boolean
   contextDescription: string
 } {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
   const start = Math.max(0, lineNumber - 10)
-  const end = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(start, end).join('\n')
+  const end = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(start, end).join('\n')
 
   // Security context indicators (functions, imports, comments)
   const securityPatterns = [
@@ -438,8 +519,8 @@ export function analyzeMathRandomContext(
     testContextPatterns.some(p => p.test(context))
 
   // UI/cosmetic context (reuse existing logic)
-  const lineContent = lines[lineNumber]
-  const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber)
+  const lineContent = _lines[lineNumber]
+  const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber, _lines)
 
   // Business logic context (non-security ID generation)
   // Note: UUID/CAPTCHA patterns excluded - handled by functionIntent classification
@@ -448,6 +529,14 @@ export function analyzeMathRandomContext(
     /\b(reference|tracking|confirmation)Number\b/i,
     /\b(backoff|retry|jitter|delay|timeout|latency)\b/i,
     /\b(sample|sampling|probability|chance|rollout|experiment|abtest|cohort|bucket|variant)\b/i,
+    // Load balancing and selection patterns
+    /mode\s*===?\s*['"]random['"]/i,     // mode === 'random'
+    /\.\w*index\s*%/i,                    // round-robin patterns
+    /keys?\[.*Math\.random/i,             // keys[Math.floor(Math.random() * keys.length)]
+    /\[\s*Math\.floor\s*\(\s*Math\.random/i,  // array[Math.floor(Math.random()...)]
+    /shuffle/i,                           // shuffle functions
+    /pickRandom/i,                        // pickRandom helpers
+    /randomElement/i,                     // randomElement helpers
   ]
   const inBusinessLogicContext =
     businessLogicPatterns.some(p => p.test(context)) && !inSecurityContext
@@ -473,29 +562,169 @@ export function analyzeMathRandomContext(
   }
 }
 
+/**
+ * Check if file is an animation/motion component based on file name
+ * Files with animation-related names typically use Math.random for visual effects
+ */
+export function isAnimationFile(filePath: string): boolean {
+  const animationPatterns = [
+    /animated[-_]/i,           // animated-document-scanner.tsx
+    /[-_]animation/i,          // document-animation.tsx
+    /motion[-_]/i,             // motion-component.tsx
+    /[-_]motion/i,             // scroll-motion.tsx
+    /particles?[-_]/i,         // particles-background.tsx
+    /confetti/i,               // confetti.tsx
+    /[-_]effect/i,             // hover-effect.tsx
+    /transition[-_]/i,         // transition-wrapper.tsx
+    /visual[-_]/i,             // visual-effects.tsx
+    /canvas[-_]/i,             // canvas-animation.tsx
+  ]
+  return animationPatterns.some(p => p.test(filePath))
+}
+
+/**
+ * Check if Math.random() is used for animation/motion coordinates
+ * Common in animation libraries like framer-motion, react-spring, Three.js, etc.
+ */
+export function isAnimationCoordinateUsage(lineContent: string, context: string): boolean {
+  // Object property assignments for coordinates
+  const coordinatePatterns = [
+    /\bx:\s*Math\.random/i,           // x: Math.random()
+    /\by:\s*Math\.random/i,           // y: Math.random()
+    /\bz:\s*Math\.random/i,           // z: Math.random()
+    /\bleft:\s*.*Math\.random/i,      // left: Math.random()
+    /\btop:\s*.*Math\.random/i,       // top: Math.random()
+    /\bright:\s*.*Math\.random/i,     // right: Math.random()
+    /\bbottom:\s*.*Math\.random/i,    // bottom: Math.random()
+    /\brotation:\s*.*Math\.random/i,  // rotation: Math.random()
+    /\brotateX:\s*.*Math\.random/i,   // rotateX: Math.random()
+    /\brotateY:\s*.*Math\.random/i,   // rotateY: Math.random()
+    /\brotateZ:\s*.*Math\.random/i,   // rotateZ: Math.random()
+    /\bscaleX?:\s*.*Math\.random/i,   // scale/scaleX: Math.random()
+    /\bscaleY:\s*.*Math\.random/i,    // scaleY: Math.random()
+    /\bopacity:\s*.*Math\.random/i,   // opacity: Math.random()
+    /\bduration:\s*.*Math\.random/i,  // duration: Math.random()
+    /\bdelay:\s*.*Math\.random/i,     // delay: Math.random()
+    // 3D/Three.js specific patterns
+    /\boffset\s*=.*Math\.random/i,    // offset = Math.random()
+    /useMemo\s*\(\s*\(\s*\)\s*=>\s*Math\.random/i,  // useMemo(() => Math.random(), [])
+    /\bphase\s*[:=].*Math\.random/i,  // phase: Math.random() or phase = Math.random()
+    /\bspeed\s*[:=].*Math\.random/i,  // speed: Math.random()
+    /\bangle\s*[:=].*Math\.random/i,  // angle: Math.random()
+  ]
+
+  if (coordinatePatterns.some(p => p.test(lineContent))) {
+    return true
+  }
+
+  // Motion/animation library context patterns
+  const motionLibraryPatterns = [
+    /framer-motion/i,
+    /react-spring/i,
+    /react-motion/i,
+    /gsap/i,
+    /animejs/i,
+    /popmotion/i,
+    /motion\.div/i,
+    /useSpring/i,
+    /useAnimation/i,
+    /animate\s*\(/i,
+    /keyframes/i,
+    // Three.js and React Three Fiber patterns
+    /three/i,
+    /useFrame/i,
+    /@react-three/i,
+    /Canvas/i,      // React Three Fiber Canvas
+    /mesh/i,        // Three.js mesh
+    /geometry/i,    // Three.js geometry
+    /material/i,    // Three.js material
+  ]
+
+  return motionLibraryPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if Math.random() is used in a template placeholder generator context
+ * Template systems often use random generators for placeholder values
+ *
+ * Examples:
+ *   const templates = { random: () => Math.random().toString() }
+ *   random_hex: () => Math.random().toString(16)
+ *   {{random}} placeholder generation
+ */
+export function isTemplatePlaceholderGenerator(
+  line: string,
+  content: string,
+  lineNumber: number,
+  lines?: string[]
+): boolean {
+  const _lines = lines ?? content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 10)
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
+
+  const templatePatterns = [
+    /\{\{random\w*\}\}/i,                     // {{random}}, {{random_hex}}, etc.
+    /random:\s*\(\s*\)\s*=>\s*Math\.random/i, // random: () => Math.random()
+    /random_\w+:\s*\(\s*\)\s*=>/i,            // random_int: () => ...
+    /placeholder.*random/i,                    // placeholder context
+    /templates?\s*[=:]\s*\{/i,                // templates = { or template: {
+    /generatePlaceholder/i,                    // generatePlaceholder function
+    /placeholder\s*[:=]/i,                     // placeholder: or placeholder =
+  ]
+
+  return templatePatterns.some(p => p.test(context) || p.test(line))
+}
+
 /**
  * Check if Math.random() should be skipped entirely
- * Returns true for seed files, test fixtures, captcha/puzzle, uuid, and pure cosmetic uses
+ * Returns true for seed files, test fixtures, captcha/puzzle, uuid, React keys, jitter/backoff, and pure cosmetic uses
  */
 export function shouldSkipMathRandom(
   content: string,
   filePath: string,
-  lineNumber: number
+  lineNumber: number,
+  options?: { parsed?: ParsedFile }
 ): boolean {
   // Seed/data generation files - skip entirely
   if (isSeedOrDataGenFile(filePath)) {
     return true
   }
 
+  // Animation/motion component files - skip entirely
+  // These use Math.random for visual effects, not security
+  if (isAnimationFile(filePath)) {
+    return true
+  }
+
   // Educational/intentional vulnerability files - skip entirely
   // These include OWASP Juice Shop, intentionally-vulnerable examples, etc.
   if (isEducationalVulnerabilityFile(filePath)) {
     return true
   }
 
+  // Check for React key pattern - this is a common pattern to force re-renders
+  // It's not a security issue, just a way to reset component state
+  const lines = options?.parsed?.lines ?? content.split('\n')
+  const lineContent = lines[lineNumber] || ''
+  if (isReactKeyPattern(lineContent, filePath)) {
+    return true
+  }
+
+  // Template placeholder generators - skip entirely
+  // These generate placeholder values for templates, not security tokens
+  if (isTemplatePlaceholderGenerator(lineContent, content, lineNumber, lines)) {
+    return true
+  }
+
+  // Jitter/backoff/retry patterns - legitimate non-security use of randomness
+  // Used for network resilience, rate limiting, exponential backoff, etc.
+  if (isJitterOrBackoffContext(content, lineNumber, lines)) {
+    return true
+  }
+
   // Test files with test fixture patterns
   if (isTestOrMockFile(filePath)) {
-    const lines = content.split('\n')
     const line = lines[lineNumber]
     // If in a test file and generating test data, skip
     if (
@@ -507,9 +736,7 @@ export function shouldSkipMathRandom(
   }
 
   // Pure cosmetic usage (CSS values, animations)
-  const lines = content.split('\n')
-  const lineContent = lines[lineNumber] || ''
-  if (isCosmeticMathRandom(lineContent, content, lineNumber)) {
+  if (isCosmeticMathRandom(lineContent, content, lineNumber, lines)) {
     // Additional check: if this is for animation/style, truly skip
     const pureStylePatterns = [
       /\.style\./,
@@ -524,6 +751,15 @@ export function shouldSkipMathRandom(
     }
   }
 
+  // Animation coordinate usage (x, y, rotation, etc.)
+  // Get surrounding context for animation library detection
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const animContext = lines.slice(contextStart, contextEnd).join('\n')
+  if (isAnimationCoordinateUsage(lineContent, animContext)) {
+    return true
+  }
+
   // Check function context for demo/seed/captcha/uuid functions
   const functionName = extractFunctionContext(content, lineNumber)
   const functionIntent = classifyFunctionIntent(functionName)
@@ -533,5 +769,21 @@ export function shouldSkipMathRandom(
     return true
   }
 
+  // Check for fallback pattern: crypto.randomUUID?.() ?? Math.random()
+  // When a secure primary method is used with Math.random as fallback,
+  // the code is safe (Math.random only runs in environments without crypto API)
+  const prevLines = lines.slice(Math.max(0, lineNumber - 2), lineNumber + 1).join(' ')
+  const multiLineFallbackPatterns = [
+    /crypto\??\.?\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,         // crypto.randomUUID() ??
+    /globalThis\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i,         // globalThis.crypto?.randomUUID?.()
+    /window\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i,             // window.crypto?.randomUUID?.()
+    /\?\.\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,                 // ?.randomUUID?.() ??
+    /crypto\??\.?\s*getRandomValues\s*\(/i,                       // crypto.getRandomValues()
+    /randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,                         // randomUUID?.() ?? (generic)
+  ]
+  if (multiLineFallbackPatterns.some(p => p.test(prevLines))) {
+    return true  // Skip - Math.random is only a fallback for missing crypto API
+  }
+
   return false
 }

package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts

@@ -5,7 +5,7 @@
  * These patterns are used by the main detection engine.
  */
 
-import type { VulnerabilitySeverity } from '../../types'
+import type { VulnerabilitySeverity } from '../../../shared/types'
 
 export interface DangerousFunctionPattern {
   name: string
@@ -58,9 +58,11 @@ export const DANGEROUS_FUNCTIONS: DangerousFunctionPattern[] = [
   },
 
   // SQL injection risks
+  // Note: .execute is too generic (used by axios, tRPC, request utilities)
+  // Focus on .query and .raw which are more SQL-specific
   {
     name: 'Raw SQL query construction',
-    pattern: /\.(query|execute|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
+    pattern: /\.(query|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
     severity: 'critical',
     description: 'String concatenation in SQL queries can lead to SQL injection',
     suggestedFix: 'Use parameterized queries or prepared statements',

package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts

@@ -5,11 +5,13 @@
  * proper schema validation.
  */
 
-import type { Vulnerability } from '../../types'
-import { isComment } from '../../utils/context-helpers'
+import type { Vulnerability } from '../../../shared/types'
+import { isComment } from '../../../parse/file-classifier'
 import { hasManualValidation } from './utils/schema-validation'
 import { hasThrowingAuthHelper } from './utils/helpers'
 
+const BASE_CONFIDENCE = 0.35
+
 /**
  * Detect request.json() / req.json() and suggest schema validation
  * This is NOT a dangerous function - it's a prompt for best practices
@@ -102,7 +104,9 @@ export function detectRequestJsonValidation(
       suggestedFix:
         'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
     return
   }
@@ -122,7 +126,9 @@ export function detectRequestJsonValidation(
       suggestedFix:
         'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   } else {
     // Single instance
@@ -139,7 +145,9 @@ export function detectRequestJsonValidation(
       suggestedFix:
         'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   }
 }

package/src/detect/structural/dangerous-functions/utils/control-flow.ts

@@ -0,0 +1,35 @@
+/**
+ * Control Flow Analysis Utilities
+ *
+ * Backward-compatible wrappers around shared code-analysis utilities.
+ * Existing callers pass (content: string, lineNumber: number) — these
+ * wrappers create a temporary ParsedFile to delegate to the shared implementation.
+ */
+
+import { ParsedFile } from '../../../../shared/parsed-file'
+import * as codeAnalysis from '../../../../shared/code-analysis'
+
+/**
+ * Check if a line is inside a try-catch block
+ * Looks for enclosing try { ... } catch pattern
+ */
+export function isInsideTryCatch(content: string, lineNumber: number): boolean {
+  return codeAnalysis.isInsideTryCatch(new ParsedFile(content, ''), lineNumber)
+}
+
+/**
+ * Simpler heuristic: check if there's a try-catch in the same function scope
+ * Looks for try { before the line and } catch after, within reasonable bounds
+ */
+export function hasTryCatchNearby(content: string, lineNumber: number, windowSize: number = 20): boolean {
+  return codeAnalysis.hasTryCatchNearby(new ParsedFile(content, ''), lineNumber, windowSize)
+}
+
+/**
+ * Extract function context where a call is being made
+ * Looks backwards from the current line to find enclosing function name
+ * Returns lowercase function name or null if not found
+ */
+export function extractFunctionContext(content: string, lineNumber: number): string | null {
+  return codeAnalysis.extractFunctionContext(new ParsedFile(content, ''), lineNumber)
+}

package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts

@@ -72,12 +72,13 @@ export function hasManualValidation(content: string): boolean {
  */
 export function hasSQLWhitelistValidation(content: string, lineNumber: number): boolean {
   const lines = content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 15)
+  const contextStart = Math.max(0, lineNumber - 20)
   const contextEnd = Math.min(lines.length, lineNumber + 5)
   const context = lines.slice(contextStart, contextEnd).join('\n')
 
   // Whitelist/allowlist validation patterns
   const whitelistPatterns = [
+    // Array-based whitelists
     /allowed\w*\s*=\s*\[/i, // allowedColumns = [...]
     /whitelist\w*\s*=\s*\[/i, // whitelistFields = [...]
     /valid\w*\s*=\s*\[/i, // validColumns = [...]
@@ -85,6 +86,20 @@ export function hasSQLWhitelistValidation(content: string, lineNumber: number):
     /\.includes\s*\([^)]*\)/i, // allowedColumns.includes(col)
     /\.every\s*\([^)]*\.includes/i, // columns.every(c => allowed.includes(c))
     /if\s*\(\s*!.*\.includes/i, // if (!allowed.includes(...))
+
+    // Object-based whitelists (Record<string, string>)
+    /\w+\s+in\s+\w*(?:sortable|allowed|valid|whitelist)\w*/i, // sorter in sortableFields
+    /\w+\s+in\s+\w+Fields/i, // key in someFields
+    /:\s*Record<string,\s*string>/i, // Type annotation: Record<string, string>
+    /const\s+\w+Fields\s*:\s*\{[^}]*\}\s*=/i, // const xyzFields: {...} = (inline type)
+    /const\s+\w+Fields\s*=\s*\{[^}]*\}/i, // const xyzFields = { ... }
+    /if\s*\([^)]*\s+in\s+\w+Fields\s*\)/i, // if (x in yFields)
+    /&&\s*\w+\s+in\s+\w+/i, // && sorter in sortableFields
+
+    // Enum-based validation (ASC/DESC, etc.)
+    /===?\s*['"](?:ASC|DESC)['"]/i, // === 'ASC' or === 'DESC'
+    /===?\s*\w+\.(?:Asc|Desc|ASC|DESC)/i, // === SortType.Asc
+    /toLowerCase\s*\(\s*\)\s*===?\s*\w+\.(?:asc|desc)/i, // .toLowerCase() === SortType.asc
   ]
 
   return whitelistPatterns.some(p => p.test(context))