@oculum/scanner 1.0.11 → 1.0.13

package/src/{layer2 → detect/structural}/data-exposure.ts

@@ -4,8 +4,11 @@
  * Separates "logging concerns" from "response exposure" which have different risk profiles
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '../utils/context-helpers'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.40
 
 interface DataExposurePattern {
   name: string
@@ -18,44 +21,17 @@ interface DataExposurePattern {
 
 const DATA_EXPOSURE_PATTERNS: DataExposurePattern[] = [
   // ============================================================================
-  // LOG SINKS (generally lower severity - server-side only)
-  // These are hygiene issues, not security vulnerabilities in most cases
+  // LOG SINKS - DISABLED
+  // Server logs are never exposed to users. After analysis of real codebases,
+  // 100% of console.error/warn findings were false positives.
+  // Logging is a standard debugging practice, not a security vulnerability.
   // ============================================================================
 
-  // Logging sensitive variables - kept low/info
-  // NOTE: Generic "query" or "search" logging is NOT flagged - only actual sensitive data
-  {
-    name: 'Logging user ID',
-    pattern: /console\.(log|info|debug|warn|error)\s*\([^)]*\b(userId|user_id|user\.id)\b/gi,
-    sink: 'log',
-    severity: 'info',
-    description: 'User ID logged to console. Common debugging practice - verify logs are secured.',
-    suggestedFix: 'Use structured logging with appropriate access controls. Remove before production if not needed.',
-  },
-  {
-    name: 'Logging error objects',
-    pattern: /console\.(log|error|warn)\s*\(\s*(err|error|e)\s*\)/gi,
-    sink: 'log',
-    severity: 'info', // Downgraded from 'low' - this is standard practice
-    description: 'Error object logged to console. Standard debugging practice, but may expose stack traces in logs.',
-    suggestedFix: 'Consider logging only error.message in production. Use structured logging for better control.',
-  },
-  {
-    name: 'Logging request body',
-    pattern: /console\.(log|info|debug)\s*\([^)]*\b(req\.body|request\.body|body)\b/gi,
-    sink: 'log',
-    severity: 'low',
-    description: 'Request body logged to console. May contain sensitive user input.',
-    suggestedFix: 'Redact sensitive fields (passwords, tokens) before logging.',
-  },
-  {
-    name: 'JSON.stringify error to log',
-    pattern: /console\.(log|error|warn)\s*\([^)]*JSON\.stringify\s*\(\s*(err|error|e)\s*\)/gi,
-    sink: 'log',
-    severity: 'info',
-    description: 'Error object serialized to JSON for logging. May include stack traces.',
-    suggestedFix: 'Consider logging specific error properties instead of the full serialized object.',
-  },
+  // NOTE: The following patterns have been REMOVED to eliminate false positives:
+  // - 'Logging user ID' - user IDs in logs are standard practice
+  // - 'Logging error objects' - console.error(err) is correct error handling
+  // - 'Logging request body' - server logs are not exposed to clients
+  // - 'JSON.stringify error to log' - serializing errors for logs is fine
 
   // ============================================================================
   // RESPONSE SINKS (higher severity - exposed to clients)
@@ -171,14 +147,15 @@ function isLowRiskLoggingFile(filePath: string): boolean {
  */
 export function detectDataExposure(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   const isLowRiskFile = isLowRiskLoggingFile(filePath)
 
@@ -242,7 +219,9 @@ export function detectDataExposure(
           description,
           suggestedFix: pattern.suggestedFix,
           confidence: isTestFile ? 'low' : 'medium',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only one finding per line
       }
@@ -274,7 +253,9 @@ export function detectDataExposure(
       description: `${patternSummary}. Review for sensitive data exposure.\n\nFound ${logFindings.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
       suggestedFix: 'Ensure logs have appropriate access controls and do not contain sensitive user data.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   } else if (logFindings.length > 0) {
     // Report individually for small counts
@@ -292,7 +273,9 @@ export function detectDataExposure(
           description: pattern.description,
           suggestedFix: pattern.suggestedFix,
           confidence: 'low',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
       }
     }

package/src/{layer2 → detect/structural}/framework-checks.ts

@@ -3,7 +3,8 @@
  * Detects security issues specific to popular frameworks (Next.js, Express, React, etc.)
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isComment,
   isServerOnlyFile,
@@ -11,7 +12,9 @@ import {
   getServiceRoleKeyContext,
   isTestOrMockFile,
   isScannerOrFixtureFile,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.20
 
 interface FrameworkPattern {
   name: string
@@ -74,14 +77,7 @@ const FRAMEWORK_PATTERNS: FrameworkPattern[] = [
   },
   
   // ==================== Express ====================
-  {
-    name: 'Express without helmet',
-    pattern: /express\s*\(\s*\)(?![\s\S]*helmet)/gi,
-    severity: 'medium',
-    description: 'Express app may lack security headers (helmet middleware)',
-    suggestedFix: 'Add helmet middleware: app.use(helmet())',
-    framework: 'express',
-  },
+  // NOTE: "Express without helmet" moved to security-headers.ts (OWASP Workstream 1)
   {
     name: 'Express CORS allow all',
     pattern: /cors\s*\(\s*\{[^}]*origin\s*:\s*['"]\*['"]/gi,
@@ -279,14 +275,15 @@ function detectFramework(content: string, filePath: string): string[] {
 
 export function detectFrameworkIssues(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const detectedFrameworks = detectFramework(content, filePath)
   const isTestFile = isTestOrMockFile(filePath)
 
@@ -394,7 +391,9 @@ export function detectFrameworkIssues(
             description: adjustedDescription,
             suggestedFix: pattern.suggestedFix,
             confidence: adjustedConfidence,
+            baseConfidence: BASE_CONFIDENCE,
             layer: 2,
+        source: 'structural' as const,
             requiresAIValidation,
           })
           break
@@ -427,7 +426,9 @@ export function detectFrameworkIssues(
           description: isTestFile ? `${pattern.description} (in test file)` : pattern.description,
           suggestedFix: pattern.suggestedFix,
           confidence,
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only report once per line
       }

package/src/{layer2 → detect/structural}/index.ts

@@ -5,45 +5,47 @@
  * and AI code fingerprinting
  */
 
-import type { Vulnerability, ScanFile, CancellationToken } from '../types'
-import type { ProgressCallback } from '../index'
-import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
-import { detectAuthHelpers, type AuthHelperContext } from '../utils/auth-helper-detector'
-import type { FileAuthImports } from '../utils/imported-auth-detector'
+import type { Vulnerability, ScanFile, CancellationToken, DetectorContext } from '../../shared/types'
+import type { ProgressCallback } from '../../shared/types'
+import type { MiddlewareAuthConfig } from '../../model/middleware-detector'
+import { detectAuthHelpers, type AuthHelperContext } from '../../model/auth-helper-detector'
+import type { FileAuthImports } from '../../model/imported-auth-detector'
 import {
   filterFindingsByPath,
   type ExclusionConfig,
-} from '../utils/path-exclusions'
+} from '../../parse/path-exclusions'
+import { buildFileContext, type FileContext } from '../../parse/file-classifier'
 import { detectSensitiveVariables } from './variables'
 import { detectLogicGates } from './logic-gates'
 import { detectDangerousFunctions } from './dangerous-functions'
 import { detectRiskyImports } from './risky-imports'
-import { detectAuthAntipatterns } from './auth-antipatterns'
+import { detectAuthAntipatterns } from './auth-patterns'
 import { detectFrameworkIssues } from './framework-checks'
-import { detectAIFingerprints } from './ai-fingerprinting'
+import { detectAIFingerprints } from '../ai-code/fingerprinting'
 import { detectDataExposure } from './data-exposure'
-import { detectBYOKPatterns } from './byok-patterns'
+import { detectBYOKPatterns } from '../ai-code/byok-patterns'
 // Story B: AI-specific detection modules
-import { detectAIPromptHygiene } from './ai-prompt-hygiene'
-import { detectAIExecutionSinks } from './ai-execution-sinks'
-import { detectAIAgentTools } from './ai-agent-tools'
+import { detectAIPromptHygiene } from '../ai-code/prompt-hygiene'
+import { detectAIExecutionSinks } from '../ai-code/execution-sinks'
+import { detectAIAgentTools } from '../ai-code/agent-tools'
 // M5: New AI-era detectors
-import { detectRAGSafetyIssues } from './ai-rag-safety'
-import { detectAIEndpointProtection } from './ai-endpoint-protection'
-import { detectAISchemaValidation } from './ai-schema-validation'
+import { detectRAGSafetyIssues } from '../ai-code/rag-safety'
+import { detectAIEndpointProtection } from '../ai-code/endpoint-protection'
+import { detectAISchemaValidation } from '../ai-code/schema-validation'
 // AI Detection Roadmap Phase 1
-import { detectAIPackageHallucination } from './ai-package-hallucination'
-import { detectMCPSecurity } from './ai-mcp-security'
+import { detectAIPackageHallucination } from '../ai-code/package-hallucination'
+import { detectMCPSecurity } from '../ai-code/mcp-security'
 // AI Detection Roadmap Phase 2
-import { detectModelSupplyChain } from './model-supply-chain'
-// Tier system imports
-import {
-  type TierStats,
-  computeTierStats,
-  formatTierStats,
-  getLayer2DetectorTier,
-  type Layer2DetectorName,
-} from '../tiers'
+import { detectModelSupplyChain } from '../ai-code/model-supply-chain'
+// OWASP Workstream 1
+import { detectSecurityHeaders } from './security-headers'
+import { detectSSRFPatterns } from './ssrf-detection'
+import { detectLogInjection } from './log-injection'
+import { detectXXEPatterns } from './xxe-detection'
+// Tier system removed in Phase 2B — confidence scoring handles routing
+import { severityRank } from '../../shared/parsed-file'
+import { ParsedFile } from '../../shared/parsed-file'
+import { applyContextAdjustments } from '../../postprocess/filtering/context-adjustments'
 
 export interface Layer2Options {
   middlewareConfig?: MiddlewareAuthConfig
@@ -55,6 +57,14 @@ export interface Layer2Options {
   excludeSeedFiles?: boolean
   /** Custom exclusion patterns (glob format) */
   customExclusions?: string[]
+  /**
+   * Detector context for context-aware detection (Phase 2b)
+   * When provided, detectors can make smarter decisions based on:
+   * - Project-level auth configuration
+   * - Framework detection
+   * - Per-file context (server vs client, test vs production)
+   */
+  detectorContext?: DetectorContext
 }
 
 export interface Layer2Stats {
@@ -64,8 +74,6 @@ export interface Layer2Stats {
   deduped: Record<string, number>
   /** Severity distribution of deduped findings */
   bySeverity: Record<string, number>
-  /** Tier breakdown of deduped findings */
-  tiers: TierStats
   /** Findings suppressed by path exclusions */
   suppressedByPath: number
 }
@@ -100,6 +108,11 @@ type Layer2DetectorStats = {
   mcpSecurity: number
   // AI Detection Roadmap Phase 2
   modelSupplyChain: number
+  // OWASP Workstream 1
+  securityHeaders: number
+  ssrfDetection: number
+  logInjection: number
+  xxeDetection: number
 }
 
 // Process a single file through all Layer 2 detectors
@@ -129,8 +142,19 @@ function processFileLayer2(
     mcpSecurity: 0,
     // AI Detection Roadmap Phase 2
     modelSupplyChain: 0,
+    // OWASP Workstream 1
+    securityHeaders: 0,
+    ssrfDetection: 0,
+    logInjection: 0,
+    xxeDetection: 0,
   }
 
+  // Build file-specific context for context-aware detection (Phase 2b)
+  const fileContext = buildFileContext(file.path)
+
+  // Create ParsedFile once for all detectors to share (avoids redundant content.split('\n'))
+  const parsed = ParsedFile.from(file)
+
   // Check if this is a manifest file (package.json, requirements.txt, etc.)
   const isManifestFile = (filePath: string) => {
     const manifestFiles = ['package.json', 'requirements.txt', 'Pipfile', 'pyproject.toml', 'setup.py']
@@ -148,33 +172,40 @@ function processFileLayer2(
     return { findings: [], stats }
   }
 
-  // Run all detectors
-  const variableFindings = detectSensitiveVariables(file.content, file.path)
-  const logicFindings = detectLogicGates(file.content, file.path)
-  const dangerousFuncFindings = detectDangerousFunctions(file.content, file.path)
-  const riskyImportFindings = detectRiskyImports(file.content, file.path)
+  // Run all detectors — parsed is passed via options for detectors that support it
+  const variableFindings = detectSensitiveVariables(file.content, file.path, { parsed })
+  const logicFindings = detectLogicGates(file.content, file.path, { parsed })
+  const dangerousFuncFindings = detectDangerousFunctions(file.content, file.path, { parsed })
+  const riskyImportFindings = detectRiskyImports(file.content, file.path, { parsed })
   const authFindings = detectAuthAntipatterns(file.content, file.path, {
     middlewareConfig: options.middlewareConfig,
     authHelpers: authHelperContext,
     fileAuthImports: options.fileAuthImports,
+    parsed,
   })
-  const frameworkFindings = detectFrameworkIssues(file.content, file.path)
-  const aiFindings = detectAIFingerprints(file.content, file.path)
-  const dataExposureFindings = detectDataExposure(file.content, file.path)
-  const byokFindings = detectBYOKPatterns(file.content, file.path, options.middlewareConfig)
-  const promptHygieneFindings = detectAIPromptHygiene(file.content, file.path)
-  const executionSinkFindings = detectAIExecutionSinks(file.content, file.path)
-  const agentToolFindings = detectAIAgentTools(file.content, file.path)
-  const ragSafetyFindings = detectRAGSafetyIssues(file.content, file.path)
+  const frameworkFindings = detectFrameworkIssues(file.content, file.path, { parsed })
+  const aiFindings = detectAIFingerprints(file.content, file.path, { parsed })
+  const dataExposureFindings = detectDataExposure(file.content, file.path, { parsed })
+  const byokFindings = detectBYOKPatterns(file.content, file.path, options.middlewareConfig, { parsed })
+  const promptHygieneFindings = detectAIPromptHygiene(file.content, file.path, { parsed })
+  const executionSinkFindings = detectAIExecutionSinks(file.content, file.path, { parsed })
+  const agentToolFindings = detectAIAgentTools(file.content, file.path, { parsed })
+  const ragSafetyFindings = detectRAGSafetyIssues(file.content, file.path, { parsed })
   const endpointProtectionFindings = detectAIEndpointProtection(file.content, file.path, {
     middlewareConfig: options.middlewareConfig,
+    parsed,
   })
-  const schemaValidationFindings = detectAISchemaValidation(file.content, file.path)
+  const schemaValidationFindings = detectAISchemaValidation(file.content, file.path, { parsed })
   // AI Detection Roadmap Phase 1
-  const packageHallucinationFindings = detectAIPackageHallucination(file.content, file.path)
-  const mcpSecurityFindings = detectMCPSecurity(file.content, file.path)
+  const packageHallucinationFindings = detectAIPackageHallucination(file.content, file.path, { parsed })
+  const mcpSecurityFindings = detectMCPSecurity(file.content, file.path, { parsed })
   // AI Detection Roadmap Phase 2
-  const modelSupplyChainFindings = detectModelSupplyChain(file.content, file.path)
+  const modelSupplyChainFindings = detectModelSupplyChain(file.content, file.path, { parsed })
+  // OWASP Workstream 1
+  const securityHeaderFindings = detectSecurityHeaders(file.content, file.path, { parsed })
+  const ssrfFindings = detectSSRFPatterns(file.content, file.path, { parsed })
+  const logInjectionFindings = detectLogInjection(file.content, file.path, { parsed })
+  const xxeFindings = detectXXEPatterns(file.content, file.path, { parsed })
 
   // Update stats
   stats.variables = variableFindings.length
@@ -197,34 +228,52 @@ function processFileLayer2(
   stats.mcpSecurity = mcpSecurityFindings.length
   // AI Detection Roadmap Phase 2
   stats.modelSupplyChain = modelSupplyChainFindings.length
+  // OWASP Workstream 1
+  stats.securityHeaders = securityHeaderFindings.length
+  stats.ssrfDetection = ssrfFindings.length
+  stats.logInjection = logInjectionFindings.length
+  stats.xxeDetection = xxeFindings.length
+
+  // Combine all findings
+  const allFindings = [
+    ...variableFindings,
+    ...logicFindings,
+    ...dangerousFuncFindings,
+    ...riskyImportFindings,
+    ...authFindings,
+    ...frameworkFindings,
+    ...aiFindings,
+    ...dataExposureFindings,
+    ...byokFindings,
+    ...promptHygieneFindings,
+    ...executionSinkFindings,
+    ...agentToolFindings,
+    ...ragSafetyFindings,
+    ...endpointProtectionFindings,
+    ...schemaValidationFindings,
+    // AI Detection Roadmap Phase 1
+    ...packageHallucinationFindings,
+    ...mcpSecurityFindings,
+    // AI Detection Roadmap Phase 2
+    ...modelSupplyChainFindings,
+    // OWASP Workstream 1
+    ...securityHeaderFindings,
+    ...ssrfFindings,
+    ...logInjectionFindings,
+    ...xxeFindings,
+  ]
+
+  // Apply context-based severity adjustments (Phase 2b)
+  const adjustedFindings = applyContextAdjustments(allFindings, fileContext)
 
   return {
-    findings: [
-      ...variableFindings,
-      ...logicFindings,
-      ...dangerousFuncFindings,
-      ...riskyImportFindings,
-      ...authFindings,
-      ...frameworkFindings,
-      ...aiFindings,
-      ...dataExposureFindings,
-      ...byokFindings,
-      ...promptHygieneFindings,
-      ...executionSinkFindings,
-      ...agentToolFindings,
-      ...ragSafetyFindings,
-      ...endpointProtectionFindings,
-      ...schemaValidationFindings,
-      // AI Detection Roadmap Phase 1
-      ...packageHallucinationFindings,
-      ...mcpSecurityFindings,
-      // AI Detection Roadmap Phase 2
-      ...modelSupplyChainFindings,
-    ],
+    findings: adjustedFindings,
     stats,
   }
 }
 
+// applyFileContextAdjustments consolidated into filtering/context-adjustments.ts
+
 // Parallel batch size for Layer 2 processing (larger batches for performance)
 const LAYER2_PARALLEL_BATCH_SIZE = 50
 // Progress update interval (report every N files for better UX)
@@ -259,6 +308,11 @@ export async function runLayer2Scan(
     mcpSecurity: 0,
     // AI Detection Roadmap Phase 2
     modelSupplyChain: 0,
+    // OWASP Workstream 1
+    securityHeaders: 0,
+    ssrfDetection: 0,
+    logInjection: 0,
+    xxeDetection: 0,
   }
 
   // Detect auth helpers once for all files (if not already provided)
@@ -355,6 +409,11 @@ export async function runLayer2Scan(
     ai_mcp_security: stats.mcpSecurity,
     // AI Detection Roadmap Phase 2
     model_supply_chain: stats.modelSupplyChain,
+    // OWASP Workstream 1
+    security_headers: stats.securityHeaders,
+    ssrf_detection: stats.ssrfDetection,
+    log_injection: stats.logInjection,
+    xxe_detection: stats.xxeDetection,
   }
 
   // Compute deduped counts per category
@@ -370,38 +429,6 @@ export async function runLayer2Scan(
     severityStats[vuln.severity] = (severityStats[vuln.severity] || 0) + 1
   }
 
-  // Compute tier breakdown (all Layer 2 findings have layer: 2)
-  const tierStats = computeTierStats(
-    uniqueVulnerabilities.map(v => ({ category: v.category, layer: 2 as const }))
-  )
-
-  // Map raw stats keys to detector names for tier lookup
-  const detectorNameMap: Record<string, Layer2DetectorName> = {
-    sensitive_variables: 'variables',
-    logic_gates: 'logic_gates',
-    dangerous_functions: 'dangerous_functions',
-    risky_imports: 'risky_imports',
-    auth_antipatterns: 'auth_antipatterns',
-    framework_issues: 'framework_checks',
-    ai_fingerprints: 'ai_fingerprinting',
-    data_exposure: 'data_exposure',
-    byok_patterns: 'byok_patterns',
-    ai_prompt_hygiene: 'ai_prompt_hygiene',
-    ai_execution_sinks: 'ai_execution_sinks',
-    ai_agent_tools: 'ai_agent_tools',
-    // M5: New AI-era detectors
-    ai_rag_safety: 'ai_rag_safety',
-    ai_endpoint_protection: 'ai_endpoint_protection',
-    ai_schema_validation: 'ai_schema_validation',
-    // AI Detection Roadmap Phase 1
-    ai_package_hallucination: 'ai_package_hallucination',
-    ai_mcp_security: 'ai_mcp_security',
-    // AI Detection Roadmap Phase 2
-    model_supply_chain: 'model_supply_chain',
-  }
-
-  // Heuristic breakdown available in stats.raw and stats.tiers for debugging
-
   return {
     vulnerabilities: uniqueVulnerabilities,
     filesScanned: files.filter(f => isCodeFile(f.path)).length,
@@ -410,7 +437,6 @@ export async function runLayer2Scan(
       raw: rawStats,
       deduped: dedupedStats,
       bySeverity: severityStats,
-      tiers: tierStats,
       suppressedByPath: suppressed.length,
     },
   }
@@ -567,36 +593,32 @@ function subsumeRelatedFindings(vulnerabilities: Vulnerability[]): Vulnerability
   return result
 }
 
-function severityRank(severity: string): number {
-  const ranks: Record<string, number> = {
-    critical: 4,
-    high: 3,
-    medium: 2,
-    low: 1,
-    info: 0,
-  }
-  return ranks[severity] || 0
-}
+// severityRank imported from utils/parsed-file
 
 export { detectSensitiveVariables } from './variables'
 export { detectLogicGates } from './logic-gates'
 export { detectDangerousFunctions } from './dangerous-functions'
 export { detectRiskyImports } from './risky-imports'
-export { detectAuthAntipatterns } from './auth-antipatterns'
+export { detectAuthAntipatterns } from './auth-patterns'
 export { detectFrameworkIssues } from './framework-checks'
-export { detectAIFingerprints } from './ai-fingerprinting'
+export { detectAIFingerprints } from '../ai-code/fingerprinting'
 export { detectDataExposure } from './data-exposure'
-export { detectBYOKPatterns } from './byok-patterns'
+export { detectBYOKPatterns } from '../ai-code/byok-patterns'
 // Story B: AI-specific detectors
-export { detectAIPromptHygiene } from './ai-prompt-hygiene'
-export { detectAIExecutionSinks } from './ai-execution-sinks'
-export { detectAIAgentTools } from './ai-agent-tools'
+export { detectAIPromptHygiene } from '../ai-code/prompt-hygiene'
+export { detectAIExecutionSinks } from '../ai-code/execution-sinks'
+export { detectAIAgentTools } from '../ai-code/agent-tools'
 // M5: New AI-era detectors
-export { detectRAGSafetyIssues } from './ai-rag-safety'
-export { detectAIEndpointProtection } from './ai-endpoint-protection'
-export { detectAISchemaValidation } from './ai-schema-validation'
+export { detectRAGSafetyIssues } from '../ai-code/rag-safety'
+export { detectAIEndpointProtection } from '../ai-code/endpoint-protection'
+export { detectAISchemaValidation } from '../ai-code/schema-validation'
 // AI Detection Roadmap Phase 1
-export { detectAIPackageHallucination } from './ai-package-hallucination'
-export { detectMCPSecurity } from './ai-mcp-security'
+export { detectAIPackageHallucination } from '../ai-code/package-hallucination'
+export { detectMCPSecurity } from '../ai-code/mcp-security'
 // AI Detection Roadmap Phase 2
-export { detectModelSupplyChain } from './model-supply-chain'
+export { detectModelSupplyChain } from '../ai-code/model-supply-chain'
+// OWASP Workstream 1
+export { detectSecurityHeaders } from './security-headers'
+export { detectSSRFPatterns } from './ssrf-detection'
+export { detectLogInjection } from './log-injection'
+export { detectXXEPatterns } from './xxe-detection'