@oculum/scanner 1.0.11 → 1.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1178) hide show
  1. package/dist/ai-context/index.d.ts +6 -0
  2. package/dist/ai-context/index.d.ts.map +1 -0
  3. package/dist/ai-context/index.js +13 -0
  4. package/dist/ai-context/index.js.map +1 -0
  5. package/dist/ai-context/manager.d.ts +67 -0
  6. package/dist/ai-context/manager.d.ts.map +1 -0
  7. package/dist/ai-context/manager.js +104 -0
  8. package/dist/ai-context/manager.js.map +1 -0
  9. package/dist/category-filter.d.ts +125 -0
  10. package/dist/category-filter.d.ts.map +1 -0
  11. package/dist/category-filter.js +360 -0
  12. package/dist/category-filter.js.map +1 -0
  13. package/dist/detect/ai-code/agent-tools.d.ts +22 -0
  14. package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
  15. package/dist/detect/ai-code/agent-tools.js +1509 -0
  16. package/dist/detect/ai-code/agent-tools.js.map +1 -0
  17. package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
  18. package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
  19. package/dist/detect/ai-code/byok-patterns.js +313 -0
  20. package/dist/detect/ai-code/byok-patterns.js.map +1 -0
  21. package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
  22. package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
  23. package/dist/detect/ai-code/endpoint-protection.js +349 -0
  24. package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
  25. package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
  26. package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
  27. package/dist/detect/ai-code/execution-sinks.js +1158 -0
  28. package/dist/detect/ai-code/execution-sinks.js.map +1 -0
  29. package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
  30. package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
  31. package/dist/detect/ai-code/fingerprinting.js +665 -0
  32. package/dist/detect/ai-code/fingerprinting.js.map +1 -0
  33. package/dist/detect/ai-code/index.d.ts +12 -0
  34. package/dist/detect/ai-code/index.d.ts.map +1 -0
  35. package/dist/detect/ai-code/index.js +26 -0
  36. package/dist/detect/ai-code/index.js.map +1 -0
  37. package/dist/detect/ai-code/mcp-security.d.ts +20 -0
  38. package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
  39. package/dist/detect/ai-code/mcp-security.js +880 -0
  40. package/dist/detect/ai-code/mcp-security.js.map +1 -0
  41. package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
  42. package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
  43. package/dist/detect/ai-code/model-supply-chain.js +447 -0
  44. package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
  45. package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
  46. package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
  47. package/dist/detect/ai-code/package-hallucination.js +841 -0
  48. package/dist/detect/ai-code/package-hallucination.js.map +1 -0
  49. package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
  50. package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
  51. package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
  52. package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
  53. package/dist/detect/ai-code/rag-safety.d.ts +24 -0
  54. package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
  55. package/dist/detect/ai-code/rag-safety.js +913 -0
  56. package/dist/detect/ai-code/rag-safety.js.map +1 -0
  57. package/dist/detect/ai-code/schema-validation.d.ts +28 -0
  58. package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
  59. package/dist/detect/ai-code/schema-validation.js +378 -0
  60. package/dist/detect/ai-code/schema-validation.js.map +1 -0
  61. package/dist/detect/config/agent-skill-injection.d.ts +27 -0
  62. package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
  63. package/dist/detect/config/agent-skill-injection.js +472 -0
  64. package/dist/detect/config/agent-skill-injection.js.map +1 -0
  65. package/dist/detect/config/comments.d.ts +11 -0
  66. package/dist/detect/config/comments.d.ts.map +1 -0
  67. package/dist/detect/config/comments.js +206 -0
  68. package/dist/detect/config/comments.js.map +1 -0
  69. package/dist/detect/config/file-flags.d.ts +10 -0
  70. package/dist/detect/config/file-flags.d.ts.map +1 -0
  71. package/dist/detect/config/file-flags.js +124 -0
  72. package/dist/detect/config/file-flags.js.map +1 -0
  73. package/dist/detect/config/index.d.ts +7 -0
  74. package/dist/detect/config/index.d.ts.map +1 -0
  75. package/dist/detect/config/index.js +17 -0
  76. package/dist/detect/config/index.js.map +1 -0
  77. package/dist/detect/config/osv-check.d.ts +75 -0
  78. package/dist/detect/config/osv-check.d.ts.map +1 -0
  79. package/dist/detect/config/osv-check.js +309 -0
  80. package/dist/detect/config/osv-check.js.map +1 -0
  81. package/dist/detect/config/package-check.d.ts +63 -0
  82. package/dist/detect/config/package-check.d.ts.map +1 -0
  83. package/dist/detect/config/package-check.js +509 -0
  84. package/dist/detect/config/package-check.js.map +1 -0
  85. package/dist/detect/config/urls.d.ts +11 -0
  86. package/dist/detect/config/urls.d.ts.map +1 -0
  87. package/dist/detect/config/urls.js +450 -0
  88. package/dist/detect/config/urls.js.map +1 -0
  89. package/dist/detect/index.d.ts +37 -0
  90. package/dist/detect/index.d.ts.map +1 -0
  91. package/dist/detect/index.js +77 -0
  92. package/dist/detect/index.js.map +1 -0
  93. package/dist/detect/secrets/config-audit.d.ts +11 -0
  94. package/dist/detect/secrets/config-audit.d.ts.map +1 -0
  95. package/dist/detect/secrets/config-audit.js +315 -0
  96. package/dist/detect/secrets/config-audit.js.map +1 -0
  97. package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
  98. package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
  99. package/dist/detect/secrets/config-mcp-audit.js +243 -0
  100. package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
  101. package/dist/detect/secrets/entropy.d.ts +11 -0
  102. package/dist/detect/secrets/entropy.d.ts.map +1 -0
  103. package/dist/detect/secrets/entropy.js +751 -0
  104. package/dist/detect/secrets/entropy.js.map +1 -0
  105. package/dist/detect/secrets/index.d.ts +36 -0
  106. package/dist/detect/secrets/index.d.ts.map +1 -0
  107. package/dist/detect/secrets/index.js +174 -0
  108. package/dist/detect/secrets/index.js.map +1 -0
  109. package/dist/detect/secrets/patterns.d.ts +11 -0
  110. package/dist/detect/secrets/patterns.d.ts.map +1 -0
  111. package/dist/detect/secrets/patterns.js +518 -0
  112. package/dist/detect/secrets/patterns.js.map +1 -0
  113. package/dist/detect/secrets/weak-crypto.d.ts +10 -0
  114. package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
  115. package/dist/detect/secrets/weak-crypto.js +432 -0
  116. package/dist/detect/secrets/weak-crypto.js.map +1 -0
  117. package/dist/detect/structural/auth-patterns.d.ts +22 -0
  118. package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
  119. package/dist/detect/structural/auth-patterns.js +533 -0
  120. package/dist/detect/structural/auth-patterns.js.map +1 -0
  121. package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
  122. package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
  123. package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
  124. package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
  125. package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
  126. package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
  127. package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
  128. package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
  129. package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
  130. package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
  131. package/dist/detect/structural/dangerous-functions/index.js +1193 -0
  132. package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
  133. package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
  134. package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
  135. package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
  136. package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
  137. package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
  138. package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
  139. package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
  140. package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
  141. package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
  142. package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
  143. package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
  144. package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
  145. package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
  146. package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
  147. package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
  148. package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
  149. package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
  150. package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
  151. package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
  152. package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
  153. package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
  154. package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
  155. package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
  156. package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
  157. package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
  158. package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
  159. package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
  160. package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
  161. package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
  162. package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
  163. package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
  164. package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
  165. package/dist/detect/structural/data-exposure.d.ts +19 -0
  166. package/dist/detect/structural/data-exposure.d.ts.map +1 -0
  167. package/dist/detect/structural/data-exposure.js +262 -0
  168. package/dist/detect/structural/data-exposure.js.map +1 -0
  169. package/dist/detect/structural/framework-checks.d.ts +10 -0
  170. package/dist/detect/structural/framework-checks.d.ts.map +1 -0
  171. package/dist/detect/structural/framework-checks.js +389 -0
  172. package/dist/detect/structural/framework-checks.js.map +1 -0
  173. package/dist/detect/structural/index.d.ts +71 -0
  174. package/dist/detect/structural/index.d.ts.map +1 -0
  175. package/dist/detect/structural/index.js +510 -0
  176. package/dist/detect/structural/index.js.map +1 -0
  177. package/dist/detect/structural/log-injection.d.ts +18 -0
  178. package/dist/detect/structural/log-injection.d.ts.map +1 -0
  179. package/dist/detect/structural/log-injection.js +217 -0
  180. package/dist/detect/structural/log-injection.js.map +1 -0
  181. package/dist/detect/structural/logic-gates.d.ts +10 -0
  182. package/dist/detect/structural/logic-gates.d.ts.map +1 -0
  183. package/dist/detect/structural/logic-gates.js +227 -0
  184. package/dist/detect/structural/logic-gates.js.map +1 -0
  185. package/dist/detect/structural/risky-imports.d.ts +10 -0
  186. package/dist/detect/structural/risky-imports.d.ts.map +1 -0
  187. package/dist/detect/structural/risky-imports.js +168 -0
  188. package/dist/detect/structural/risky-imports.js.map +1 -0
  189. package/dist/detect/structural/security-headers.d.ts +18 -0
  190. package/dist/detect/structural/security-headers.d.ts.map +1 -0
  191. package/dist/detect/structural/security-headers.js +196 -0
  192. package/dist/detect/structural/security-headers.js.map +1 -0
  193. package/dist/detect/structural/ssrf-detection.d.ts +18 -0
  194. package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
  195. package/dist/detect/structural/ssrf-detection.js +263 -0
  196. package/dist/detect/structural/ssrf-detection.js.map +1 -0
  197. package/dist/detect/structural/variables.d.ts +11 -0
  198. package/dist/detect/structural/variables.d.ts.map +1 -0
  199. package/dist/detect/structural/variables.js +159 -0
  200. package/dist/detect/structural/variables.js.map +1 -0
  201. package/dist/detect/structural/xxe-detection.d.ts +18 -0
  202. package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
  203. package/dist/detect/structural/xxe-detection.js +245 -0
  204. package/dist/detect/structural/xxe-detection.js.map +1 -0
  205. package/dist/filtering/context-adjustments.d.ts +23 -0
  206. package/dist/filtering/context-adjustments.d.ts.map +1 -0
  207. package/dist/filtering/context-adjustments.js +100 -0
  208. package/dist/filtering/context-adjustments.js.map +1 -0
  209. package/dist/filtering/index.d.ts +3 -0
  210. package/dist/filtering/index.d.ts.map +1 -0
  211. package/dist/filtering/index.js +8 -0
  212. package/dist/filtering/index.js.map +1 -0
  213. package/dist/filtering/pipeline.d.ts +48 -0
  214. package/dist/filtering/pipeline.d.ts.map +1 -0
  215. package/dist/filtering/pipeline.js +76 -0
  216. package/dist/filtering/pipeline.js.map +1 -0
  217. package/dist/formatters/ai-context.d.ts +23 -0
  218. package/dist/formatters/ai-context.d.ts.map +1 -0
  219. package/dist/formatters/ai-context.js +238 -0
  220. package/dist/formatters/ai-context.js.map +1 -0
  221. package/dist/formatters/github-comment.d.ts +1 -1
  222. package/dist/formatters/github-comment.d.ts.map +1 -1
  223. package/dist/formatters/github-comment.js +2 -2
  224. package/dist/formatters/github-comment.js.map +1 -1
  225. package/dist/formatters/ide/claude-code.d.ts +17 -0
  226. package/dist/formatters/ide/claude-code.d.ts.map +1 -0
  227. package/dist/formatters/ide/claude-code.js +94 -0
  228. package/dist/formatters/ide/claude-code.js.map +1 -0
  229. package/dist/formatters/ide/cursor.d.ts +13 -0
  230. package/dist/formatters/ide/cursor.d.ts.map +1 -0
  231. package/dist/formatters/ide/cursor.js +125 -0
  232. package/dist/formatters/ide/cursor.js.map +1 -0
  233. package/dist/formatters/ide/index.d.ts +62 -0
  234. package/dist/formatters/ide/index.d.ts.map +1 -0
  235. package/dist/formatters/ide/index.js +184 -0
  236. package/dist/formatters/ide/index.js.map +1 -0
  237. package/dist/formatters/ide/windsurf.d.ts +13 -0
  238. package/dist/formatters/ide/windsurf.d.ts.map +1 -0
  239. package/dist/formatters/ide/windsurf.js +117 -0
  240. package/dist/formatters/ide/windsurf.js.map +1 -0
  241. package/dist/formatters/index.d.ts +2 -0
  242. package/dist/formatters/index.d.ts.map +1 -1
  243. package/dist/formatters/index.js +17 -1
  244. package/dist/formatters/index.js.map +1 -1
  245. package/dist/index.d.ts +17 -60
  246. package/dist/index.d.ts.map +1 -1
  247. package/dist/index.js +67 -824
  248. package/dist/index.js.map +1 -1
  249. package/dist/layer1/comments.d.ts +4 -1
  250. package/dist/layer1/comments.d.ts.map +1 -1
  251. package/dist/layer1/comments.js +1 -1
  252. package/dist/layer1/comments.js.map +1 -1
  253. package/dist/layer1/config-audit.d.ts +4 -1
  254. package/dist/layer1/config-audit.d.ts.map +1 -1
  255. package/dist/layer1/config-audit.js +45 -11
  256. package/dist/layer1/config-audit.js.map +1 -1
  257. package/dist/layer1/config-mcp-audit.d.ts +4 -1
  258. package/dist/layer1/config-mcp-audit.d.ts.map +1 -1
  259. package/dist/layer1/config-mcp-audit.js +2 -2
  260. package/dist/layer1/config-mcp-audit.js.map +1 -1
  261. package/dist/layer1/entropy.d.ts +4 -1
  262. package/dist/layer1/entropy.d.ts.map +1 -1
  263. package/dist/layer1/entropy.js +212 -1
  264. package/dist/layer1/entropy.js.map +1 -1
  265. package/dist/layer1/file-flags.d.ts +4 -1
  266. package/dist/layer1/file-flags.d.ts.map +1 -1
  267. package/dist/layer1/file-flags.js +12 -5
  268. package/dist/layer1/file-flags.js.map +1 -1
  269. package/dist/layer1/index.d.ts.map +1 -1
  270. package/dist/layer1/index.js +14 -19
  271. package/dist/layer1/index.js.map +1 -1
  272. package/dist/layer1/patterns.d.ts +4 -1
  273. package/dist/layer1/patterns.d.ts.map +1 -1
  274. package/dist/layer1/patterns.js +34 -4
  275. package/dist/layer1/patterns.js.map +1 -1
  276. package/dist/layer1/urls.d.ts +4 -1
  277. package/dist/layer1/urls.d.ts.map +1 -1
  278. package/dist/layer1/urls.js +162 -14
  279. package/dist/layer1/urls.js.map +1 -1
  280. package/dist/layer1/weak-crypto.d.ts +4 -1
  281. package/dist/layer1/weak-crypto.d.ts.map +1 -1
  282. package/dist/layer1/weak-crypto.js +144 -7
  283. package/dist/layer1/weak-crypto.js.map +1 -1
  284. package/dist/layer2/ai-agent-tools.d.ts +4 -1
  285. package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
  286. package/dist/layer2/ai-agent-tools.js +661 -2
  287. package/dist/layer2/ai-agent-tools.js.map +1 -1
  288. package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
  289. package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
  290. package/dist/layer2/ai-endpoint-protection.js +1 -1
  291. package/dist/layer2/ai-endpoint-protection.js.map +1 -1
  292. package/dist/layer2/ai-execution-sinks.d.ts +4 -1
  293. package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
  294. package/dist/layer2/ai-execution-sinks.js +252 -43
  295. package/dist/layer2/ai-execution-sinks.js.map +1 -1
  296. package/dist/layer2/ai-fingerprinting.d.ts +4 -1
  297. package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
  298. package/dist/layer2/ai-fingerprinting.js +25 -32
  299. package/dist/layer2/ai-fingerprinting.js.map +1 -1
  300. package/dist/layer2/ai-mcp-security.d.ts +4 -1
  301. package/dist/layer2/ai-mcp-security.d.ts.map +1 -1
  302. package/dist/layer2/ai-mcp-security.js +200 -2
  303. package/dist/layer2/ai-mcp-security.js.map +1 -1
  304. package/dist/layer2/ai-package-hallucination.d.ts +4 -1
  305. package/dist/layer2/ai-package-hallucination.d.ts.map +1 -1
  306. package/dist/layer2/ai-package-hallucination.js +136 -4
  307. package/dist/layer2/ai-package-hallucination.js.map +1 -1
  308. package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
  309. package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
  310. package/dist/layer2/ai-prompt-hygiene.js +342 -28
  311. package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
  312. package/dist/layer2/ai-rag-safety.d.ts +4 -1
  313. package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
  314. package/dist/layer2/ai-rag-safety.js +82 -2
  315. package/dist/layer2/ai-rag-safety.js.map +1 -1
  316. package/dist/layer2/ai-schema-validation.d.ts +4 -1
  317. package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
  318. package/dist/layer2/ai-schema-validation.js +2 -2
  319. package/dist/layer2/ai-schema-validation.js.map +1 -1
  320. package/dist/layer2/auth-antipatterns.d.ts +2 -0
  321. package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
  322. package/dist/layer2/auth-antipatterns.js +205 -20
  323. package/dist/layer2/auth-antipatterns.js.map +1 -1
  324. package/dist/layer2/byok-patterns.d.ts +4 -1
  325. package/dist/layer2/byok-patterns.d.ts.map +1 -1
  326. package/dist/layer2/byok-patterns.js +2 -2
  327. package/dist/layer2/byok-patterns.js.map +1 -1
  328. package/dist/layer2/dangerous-functions/dom-xss.d.ts +9 -4
  329. package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -1
  330. package/dist/layer2/dangerous-functions/dom-xss.js +73 -22
  331. package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -1
  332. package/dist/layer2/dangerous-functions/index.d.ts +4 -1
  333. package/dist/layer2/dangerous-functions/index.d.ts.map +1 -1
  334. package/dist/layer2/dangerous-functions/index.js +551 -20
  335. package/dist/layer2/dangerous-functions/index.js.map +1 -1
  336. package/dist/layer2/dangerous-functions/math-random.d.ts +54 -4
  337. package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -1
  338. package/dist/layer2/dangerous-functions/math-random.js +241 -16
  339. package/dist/layer2/dangerous-functions/math-random.js.map +1 -1
  340. package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -1
  341. package/dist/layer2/dangerous-functions/patterns.js +3 -1
  342. package/dist/layer2/dangerous-functions/patterns.js.map +1 -1
  343. package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +3 -2
  344. package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -1
  345. package/dist/layer2/dangerous-functions/utils/control-flow.js +41 -120
  346. package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -1
  347. package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -1
  348. package/dist/layer2/dangerous-functions/utils/helpers.js +26 -3
  349. package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -1
  350. package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -1
  351. package/dist/layer2/dangerous-functions/utils/schema-validation.js +14 -1
  352. package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -1
  353. package/dist/layer2/data-exposure.d.ts +4 -1
  354. package/dist/layer2/data-exposure.d.ts.map +1 -1
  355. package/dist/layer2/data-exposure.js +11 -38
  356. package/dist/layer2/data-exposure.js.map +1 -1
  357. package/dist/layer2/framework-checks.d.ts +4 -1
  358. package/dist/layer2/framework-checks.d.ts.map +1 -1
  359. package/dist/layer2/framework-checks.js +3 -10
  360. package/dist/layer2/framework-checks.js.map +1 -1
  361. package/dist/layer2/index.d.ts +13 -1
  362. package/dist/layer2/index.d.ts.map +1 -1
  363. package/dist/layer2/index.js +107 -52
  364. package/dist/layer2/index.js.map +1 -1
  365. package/dist/layer2/log-injection.d.ts +18 -0
  366. package/dist/layer2/log-injection.d.ts.map +1 -0
  367. package/dist/layer2/log-injection.js +214 -0
  368. package/dist/layer2/log-injection.js.map +1 -0
  369. package/dist/layer2/logic-gates.d.ts +4 -1
  370. package/dist/layer2/logic-gates.d.ts.map +1 -1
  371. package/dist/layer2/logic-gates.js +54 -20
  372. package/dist/layer2/logic-gates.js.map +1 -1
  373. package/dist/layer2/model-supply-chain.d.ts +4 -1
  374. package/dist/layer2/model-supply-chain.d.ts.map +1 -1
  375. package/dist/layer2/model-supply-chain.js +72 -4
  376. package/dist/layer2/model-supply-chain.js.map +1 -1
  377. package/dist/layer2/risky-imports.d.ts +4 -1
  378. package/dist/layer2/risky-imports.d.ts.map +1 -1
  379. package/dist/layer2/risky-imports.js +2 -2
  380. package/dist/layer2/risky-imports.js.map +1 -1
  381. package/dist/layer2/security-headers.d.ts +18 -0
  382. package/dist/layer2/security-headers.d.ts.map +1 -0
  383. package/dist/layer2/security-headers.js +187 -0
  384. package/dist/layer2/security-headers.js.map +1 -0
  385. package/dist/layer2/ssrf-detection.d.ts +18 -0
  386. package/dist/layer2/ssrf-detection.d.ts.map +1 -0
  387. package/dist/layer2/ssrf-detection.js +252 -0
  388. package/dist/layer2/ssrf-detection.js.map +1 -0
  389. package/dist/layer2/variables.d.ts +4 -1
  390. package/dist/layer2/variables.d.ts.map +1 -1
  391. package/dist/layer2/variables.js +2 -2
  392. package/dist/layer2/variables.js.map +1 -1
  393. package/dist/layer2/xxe-detection.d.ts +18 -0
  394. package/dist/layer2/xxe-detection.d.ts.map +1 -0
  395. package/dist/layer2/xxe-detection.js +242 -0
  396. package/dist/layer2/xxe-detection.js.map +1 -0
  397. package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -1
  398. package/dist/layer3/anthropic/auto-dismiss.js +11 -0
  399. package/dist/layer3/anthropic/auto-dismiss.js.map +1 -1
  400. package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
  401. package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
  402. package/dist/layer3/anthropic/prompts/index.js +3 -1
  403. package/dist/layer3/anthropic/prompts/index.js.map +1 -1
  404. package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
  405. package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
  406. package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
  407. package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
  408. package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
  409. package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
  410. package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
  411. package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
  412. package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
  413. package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
  414. package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
  415. package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
  416. package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
  417. package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
  418. package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
  419. package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
  420. package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
  421. package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
  422. package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
  423. package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
  424. package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
  425. package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
  426. package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
  427. package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
  428. package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
  429. package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
  430. package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
  431. package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
  432. package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
  433. package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
  434. package/dist/layer3/anthropic/prompts/validation.js +14 -410
  435. package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
  436. package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
  437. package/dist/layer3/anthropic/providers/anthropic.js +6 -3
  438. package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
  439. package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
  440. package/dist/layer3/anthropic/providers/openai.js +6 -3
  441. package/dist/layer3/anthropic/providers/openai.js.map +1 -1
  442. package/dist/layer3/anthropic/request-builder.d.ts +11 -4
  443. package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
  444. package/dist/layer3/anthropic/request-builder.js +32 -16
  445. package/dist/layer3/anthropic/request-builder.js.map +1 -1
  446. package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
  447. package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
  448. package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
  449. package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
  450. package/dist/layer3/anthropic/utils/index.d.ts +2 -0
  451. package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
  452. package/dist/layer3/anthropic/utils/index.js +4 -1
  453. package/dist/layer3/anthropic/utils/index.js.map +1 -1
  454. package/dist/model/auth-helper-detector.d.ts +56 -0
  455. package/dist/model/auth-helper-detector.d.ts.map +1 -0
  456. package/dist/model/auth-helper-detector.js +360 -0
  457. package/dist/model/auth-helper-detector.js.map +1 -0
  458. package/dist/model/cross-file-taint.d.ts +40 -0
  459. package/dist/model/cross-file-taint.d.ts.map +1 -0
  460. package/dist/model/cross-file-taint.js +290 -0
  461. package/dist/model/cross-file-taint.js.map +1 -0
  462. package/dist/model/framework-models/django.d.ts +9 -0
  463. package/dist/model/framework-models/django.d.ts.map +1 -0
  464. package/dist/model/framework-models/django.js +82 -0
  465. package/dist/model/framework-models/django.js.map +1 -0
  466. package/dist/model/framework-models/express.d.ts +9 -0
  467. package/dist/model/framework-models/express.d.ts.map +1 -0
  468. package/dist/model/framework-models/express.js +52 -0
  469. package/dist/model/framework-models/express.js.map +1 -0
  470. package/dist/model/framework-models/index.d.ts +20 -0
  471. package/dist/model/framework-models/index.d.ts.map +1 -0
  472. package/dist/model/framework-models/index.js +102 -0
  473. package/dist/model/framework-models/index.js.map +1 -0
  474. package/dist/model/framework-models/nextjs.d.ts +9 -0
  475. package/dist/model/framework-models/nextjs.d.ts.map +1 -0
  476. package/dist/model/framework-models/nextjs.js +71 -0
  477. package/dist/model/framework-models/nextjs.js.map +1 -0
  478. package/dist/model/framework-models/prisma.d.ts +10 -0
  479. package/dist/model/framework-models/prisma.d.ts.map +1 -0
  480. package/dist/model/framework-models/prisma.js +54 -0
  481. package/dist/model/framework-models/prisma.js.map +1 -0
  482. package/dist/model/framework-models/react.d.ts +9 -0
  483. package/dist/model/framework-models/react.d.ts.map +1 -0
  484. package/dist/model/framework-models/react.js +67 -0
  485. package/dist/model/framework-models/react.js.map +1 -0
  486. package/dist/model/framework-models/sequelize.d.ts +9 -0
  487. package/dist/model/framework-models/sequelize.d.ts.map +1 -0
  488. package/dist/model/framework-models/sequelize.js +62 -0
  489. package/dist/model/framework-models/sequelize.js.map +1 -0
  490. package/dist/model/framework-models/types.d.ts +43 -0
  491. package/dist/model/framework-models/types.d.ts.map +1 -0
  492. package/dist/model/framework-models/types.js +10 -0
  493. package/dist/model/framework-models/types.js.map +1 -0
  494. package/dist/model/function-classifier.d.ts +32 -0
  495. package/dist/model/function-classifier.d.ts.map +1 -0
  496. package/dist/model/function-classifier.js +143 -0
  497. package/dist/model/function-classifier.js.map +1 -0
  498. package/dist/model/import-resolver.d.ts +45 -0
  499. package/dist/model/import-resolver.d.ts.map +1 -0
  500. package/dist/model/import-resolver.js +410 -0
  501. package/dist/model/import-resolver.js.map +1 -0
  502. package/dist/model/imported-auth-detector.d.ts +38 -0
  503. package/dist/model/imported-auth-detector.d.ts.map +1 -0
  504. package/dist/model/imported-auth-detector.js +199 -0
  505. package/dist/model/imported-auth-detector.js.map +1 -0
  506. package/dist/model/index.d.ts +63 -0
  507. package/dist/model/index.d.ts.map +1 -0
  508. package/dist/model/index.js +272 -0
  509. package/dist/model/index.js.map +1 -0
  510. package/dist/model/middleware-detector.d.ts +55 -0
  511. package/dist/model/middleware-detector.d.ts.map +1 -0
  512. package/dist/model/middleware-detector.js +382 -0
  513. package/dist/model/middleware-detector.js.map +1 -0
  514. package/dist/model/module-graph.d.ts +46 -0
  515. package/dist/model/module-graph.d.ts.map +1 -0
  516. package/dist/model/module-graph.js +187 -0
  517. package/dist/model/module-graph.js.map +1 -0
  518. package/dist/model/oauth-flow-detector.d.ts +41 -0
  519. package/dist/model/oauth-flow-detector.d.ts.map +1 -0
  520. package/dist/model/oauth-flow-detector.js +202 -0
  521. package/dist/model/oauth-flow-detector.js.map +1 -0
  522. package/dist/model/project-context.d.ts +119 -0
  523. package/dist/model/project-context.d.ts.map +1 -0
  524. package/dist/model/project-context.js +534 -0
  525. package/dist/model/project-context.js.map +1 -0
  526. package/dist/model/route-auth-resolver.d.ts +27 -0
  527. package/dist/model/route-auth-resolver.d.ts.map +1 -0
  528. package/dist/model/route-auth-resolver.js +182 -0
  529. package/dist/model/route-auth-resolver.js.map +1 -0
  530. package/dist/model/route-discovery/express.d.ts +25 -0
  531. package/dist/model/route-discovery/express.d.ts.map +1 -0
  532. package/dist/model/route-discovery/express.js +225 -0
  533. package/dist/model/route-discovery/express.js.map +1 -0
  534. package/dist/model/route-discovery/index.d.ts +21 -0
  535. package/dist/model/route-discovery/index.d.ts.map +1 -0
  536. package/dist/model/route-discovery/index.js +67 -0
  537. package/dist/model/route-discovery/index.js.map +1 -0
  538. package/dist/model/route-discovery/nextjs.d.ts +16 -0
  539. package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
  540. package/dist/model/route-discovery/nextjs.js +179 -0
  541. package/dist/model/route-discovery/nextjs.js.map +1 -0
  542. package/dist/model/route-discovery/python.d.ts +16 -0
  543. package/dist/model/route-discovery/python.d.ts.map +1 -0
  544. package/dist/model/route-discovery/python.js +181 -0
  545. package/dist/model/route-discovery/python.js.map +1 -0
  546. package/dist/model/route-discovery/types.d.ts +36 -0
  547. package/dist/model/route-discovery/types.d.ts.map +1 -0
  548. package/dist/model/route-discovery/types.js +16 -0
  549. package/dist/model/route-discovery/types.js.map +1 -0
  550. package/dist/model/route-discovery/utils.d.ts +18 -0
  551. package/dist/model/route-discovery/utils.d.ts.map +1 -0
  552. package/dist/model/route-discovery/utils.js +55 -0
  553. package/dist/model/route-discovery/utils.js.map +1 -0
  554. package/dist/model/route-hierarchy.d.ts +50 -0
  555. package/dist/model/route-hierarchy.d.ts.map +1 -0
  556. package/dist/model/route-hierarchy.js +226 -0
  557. package/dist/model/route-hierarchy.js.map +1 -0
  558. package/dist/model/sanitiser-detection.d.ts +27 -0
  559. package/dist/model/sanitiser-detection.d.ts.map +1 -0
  560. package/dist/model/sanitiser-detection.js +224 -0
  561. package/dist/model/sanitiser-detection.js.map +1 -0
  562. package/dist/model/sink-matcher.d.ts +17 -0
  563. package/dist/model/sink-matcher.d.ts.map +1 -0
  564. package/dist/model/sink-matcher.js +141 -0
  565. package/dist/model/sink-matcher.js.map +1 -0
  566. package/dist/model/sink-patterns.d.ts +19 -0
  567. package/dist/model/sink-patterns.d.ts.map +1 -0
  568. package/dist/model/sink-patterns.js +88 -0
  569. package/dist/model/sink-patterns.js.map +1 -0
  570. package/dist/model/source-discovery.d.ts +15 -0
  571. package/dist/model/source-discovery.d.ts.map +1 -0
  572. package/dist/model/source-discovery.js +170 -0
  573. package/dist/model/source-discovery.js.map +1 -0
  574. package/dist/model/taint-tracker.d.ts +21 -0
  575. package/dist/model/taint-tracker.d.ts.map +1 -0
  576. package/dist/model/taint-tracker.js +281 -0
  577. package/dist/model/taint-tracker.js.map +1 -0
  578. package/dist/model/taint-types.d.ts +74 -0
  579. package/dist/model/taint-types.d.ts.map +1 -0
  580. package/dist/model/taint-types.js +9 -0
  581. package/dist/model/taint-types.js.map +1 -0
  582. package/dist/model/trpc-analyzer.d.ts +78 -0
  583. package/dist/model/trpc-analyzer.d.ts.map +1 -0
  584. package/dist/model/trpc-analyzer.js +297 -0
  585. package/dist/model/trpc-analyzer.js.map +1 -0
  586. package/dist/modes/incremental.js +1 -1
  587. package/dist/parse/file-classifier.d.ts +228 -0
  588. package/dist/parse/file-classifier.d.ts.map +1 -0
  589. package/dist/parse/file-classifier.js +933 -0
  590. package/dist/parse/file-classifier.js.map +1 -0
  591. package/dist/parse/path-exclusions.d.ts +55 -0
  592. package/dist/parse/path-exclusions.d.ts.map +1 -0
  593. package/dist/parse/path-exclusions.js +224 -0
  594. package/dist/parse/path-exclusions.js.map +1 -0
  595. package/dist/pipeline/config.d.ts +39 -0
  596. package/dist/pipeline/config.d.ts.map +1 -0
  597. package/dist/pipeline/config.js +46 -0
  598. package/dist/pipeline/config.js.map +1 -0
  599. package/dist/pipeline/index.d.ts +34 -0
  600. package/dist/pipeline/index.d.ts.map +1 -0
  601. package/dist/pipeline/index.js +377 -0
  602. package/dist/pipeline/index.js.map +1 -0
  603. package/dist/pipeline/modes/incremental.d.ts +66 -0
  604. package/dist/pipeline/modes/incremental.d.ts.map +1 -0
  605. package/dist/pipeline/modes/incremental.js +200 -0
  606. package/dist/pipeline/modes/incremental.js.map +1 -0
  607. package/dist/postprocess/aggregation.d.ts +14 -0
  608. package/dist/postprocess/aggregation.d.ts.map +1 -0
  609. package/dist/postprocess/aggregation.js +63 -0
  610. package/dist/postprocess/aggregation.js.map +1 -0
  611. package/dist/postprocess/contradictions.d.ts +18 -0
  612. package/dist/postprocess/contradictions.d.ts.map +1 -0
  613. package/dist/postprocess/contradictions.js +99 -0
  614. package/dist/postprocess/contradictions.js.map +1 -0
  615. package/dist/postprocess/dedup.d.ts +13 -0
  616. package/dist/postprocess/dedup.d.ts.map +1 -0
  617. package/dist/postprocess/dedup.js +58 -0
  618. package/dist/postprocess/dedup.js.map +1 -0
  619. package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
  620. package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
  621. package/dist/postprocess/filtering/context-adjustments.js +100 -0
  622. package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
  623. package/dist/postprocess/filtering/index.d.ts +3 -0
  624. package/dist/postprocess/filtering/index.d.ts.map +1 -0
  625. package/dist/postprocess/filtering/index.js +8 -0
  626. package/dist/postprocess/filtering/index.js.map +1 -0
  627. package/dist/postprocess/filtering/pipeline.d.ts +48 -0
  628. package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
  629. package/dist/postprocess/filtering/pipeline.js +76 -0
  630. package/dist/postprocess/filtering/pipeline.js.map +1 -0
  631. package/dist/postprocess/index.d.ts +41 -0
  632. package/dist/postprocess/index.d.ts.map +1 -0
  633. package/dist/postprocess/index.js +85 -0
  634. package/dist/postprocess/index.js.map +1 -0
  635. package/dist/postprocess/suppression/config-loader.d.ts +74 -0
  636. package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
  637. package/dist/postprocess/suppression/config-loader.js +424 -0
  638. package/dist/postprocess/suppression/config-loader.js.map +1 -0
  639. package/dist/postprocess/suppression/hash.d.ts +48 -0
  640. package/dist/postprocess/suppression/hash.d.ts.map +1 -0
  641. package/dist/postprocess/suppression/hash.js +88 -0
  642. package/dist/postprocess/suppression/hash.js.map +1 -0
  643. package/dist/postprocess/suppression/index.d.ts +11 -0
  644. package/dist/postprocess/suppression/index.d.ts.map +1 -0
  645. package/dist/postprocess/suppression/index.js +39 -0
  646. package/dist/postprocess/suppression/index.js.map +1 -0
  647. package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
  648. package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
  649. package/dist/postprocess/suppression/inline-parser.js +218 -0
  650. package/dist/postprocess/suppression/inline-parser.js.map +1 -0
  651. package/dist/postprocess/suppression/manager.d.ts +94 -0
  652. package/dist/postprocess/suppression/manager.d.ts.map +1 -0
  653. package/dist/postprocess/suppression/manager.js +292 -0
  654. package/dist/postprocess/suppression/manager.js.map +1 -0
  655. package/dist/postprocess/suppression/types.d.ts +151 -0
  656. package/dist/postprocess/suppression/types.d.ts.map +1 -0
  657. package/dist/postprocess/suppression/types.js +28 -0
  658. package/dist/postprocess/suppression/types.js.map +1 -0
  659. package/dist/postprocess/validation-cap.d.ts +17 -0
  660. package/dist/postprocess/validation-cap.d.ts.map +1 -0
  661. package/dist/postprocess/validation-cap.js +64 -0
  662. package/dist/postprocess/validation-cap.js.map +1 -0
  663. package/dist/report/build-result.d.ts +33 -0
  664. package/dist/report/build-result.d.ts.map +1 -0
  665. package/dist/report/build-result.js +59 -0
  666. package/dist/report/build-result.js.map +1 -0
  667. package/dist/report/enrichment.d.ts +19 -0
  668. package/dist/report/enrichment.d.ts.map +1 -0
  669. package/dist/report/enrichment.js +44 -0
  670. package/dist/report/enrichment.js.map +1 -0
  671. package/dist/report/formatters/ai-context.d.ts +23 -0
  672. package/dist/report/formatters/ai-context.d.ts.map +1 -0
  673. package/dist/report/formatters/ai-context.js +238 -0
  674. package/dist/report/formatters/ai-context.js.map +1 -0
  675. package/dist/report/formatters/cli-terminal.d.ts +65 -0
  676. package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
  677. package/dist/report/formatters/cli-terminal.js +735 -0
  678. package/dist/report/formatters/cli-terminal.js.map +1 -0
  679. package/dist/report/formatters/github-comment.d.ts +41 -0
  680. package/dist/report/formatters/github-comment.d.ts.map +1 -0
  681. package/dist/report/formatters/github-comment.js +370 -0
  682. package/dist/report/formatters/github-comment.js.map +1 -0
  683. package/dist/report/formatters/grouping.d.ts +52 -0
  684. package/dist/report/formatters/grouping.d.ts.map +1 -0
  685. package/dist/report/formatters/grouping.js +152 -0
  686. package/dist/report/formatters/grouping.js.map +1 -0
  687. package/dist/report/formatters/ide/claude-code.d.ts +17 -0
  688. package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
  689. package/dist/report/formatters/ide/claude-code.js +94 -0
  690. package/dist/report/formatters/ide/claude-code.js.map +1 -0
  691. package/dist/report/formatters/ide/cursor.d.ts +13 -0
  692. package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
  693. package/dist/report/formatters/ide/cursor.js +125 -0
  694. package/dist/report/formatters/ide/cursor.js.map +1 -0
  695. package/dist/report/formatters/ide/index.d.ts +62 -0
  696. package/dist/report/formatters/ide/index.d.ts.map +1 -0
  697. package/dist/report/formatters/ide/index.js +184 -0
  698. package/dist/report/formatters/ide/index.js.map +1 -0
  699. package/dist/report/formatters/ide/windsurf.d.ts +13 -0
  700. package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
  701. package/dist/report/formatters/ide/windsurf.js +117 -0
  702. package/dist/report/formatters/ide/windsurf.js.map +1 -0
  703. package/dist/report/formatters/index.d.ts +11 -0
  704. package/dist/report/formatters/index.d.ts.map +1 -0
  705. package/dist/report/formatters/index.js +54 -0
  706. package/dist/report/formatters/index.js.map +1 -0
  707. package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
  708. package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
  709. package/dist/report/formatters/vscode-diagnostic.js +151 -0
  710. package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
  711. package/dist/report/summary.d.ts +27 -0
  712. package/dist/report/summary.d.ts.map +1 -0
  713. package/dist/report/summary.js +57 -0
  714. package/dist/report/summary.js.map +1 -0
  715. package/dist/rules/metadata.d.ts.map +1 -1
  716. package/dist/rules/metadata.js +66 -0
  717. package/dist/rules/metadata.js.map +1 -1
  718. package/dist/score/adjustments.d.ts +22 -0
  719. package/dist/score/adjustments.d.ts.map +1 -0
  720. package/dist/score/adjustments.js +373 -0
  721. package/dist/score/adjustments.js.map +1 -0
  722. package/dist/score/auto-dismiss.d.ts +28 -0
  723. package/dist/score/auto-dismiss.d.ts.map +1 -0
  724. package/dist/score/auto-dismiss.js +200 -0
  725. package/dist/score/auto-dismiss.js.map +1 -0
  726. package/dist/score/confidence.d.ts +19 -0
  727. package/dist/score/confidence.d.ts.map +1 -0
  728. package/dist/score/confidence.js +52 -0
  729. package/dist/score/confidence.js.map +1 -0
  730. package/dist/score/index.d.ts +61 -0
  731. package/dist/score/index.d.ts.map +1 -0
  732. package/dist/score/index.js +250 -0
  733. package/dist/score/index.js.map +1 -0
  734. package/dist/score/types.d.ts +160 -0
  735. package/dist/score/types.d.ts.map +1 -0
  736. package/dist/score/types.js +14 -0
  737. package/dist/score/types.js.map +1 -0
  738. package/dist/shared/ai-context/index.d.ts +6 -0
  739. package/dist/shared/ai-context/index.d.ts.map +1 -0
  740. package/dist/shared/ai-context/index.js +13 -0
  741. package/dist/shared/ai-context/index.js.map +1 -0
  742. package/dist/shared/ai-context/manager.d.ts +67 -0
  743. package/dist/shared/ai-context/manager.d.ts.map +1 -0
  744. package/dist/shared/ai-context/manager.js +104 -0
  745. package/dist/shared/ai-context/manager.js.map +1 -0
  746. package/dist/shared/baseline/diff.d.ts +32 -0
  747. package/dist/shared/baseline/diff.d.ts.map +1 -0
  748. package/dist/shared/baseline/diff.js +119 -0
  749. package/dist/shared/baseline/diff.js.map +1 -0
  750. package/dist/shared/baseline/index.d.ts +9 -0
  751. package/dist/shared/baseline/index.d.ts.map +1 -0
  752. package/dist/shared/baseline/index.js +19 -0
  753. package/dist/shared/baseline/index.js.map +1 -0
  754. package/dist/shared/baseline/manager.d.ts +67 -0
  755. package/dist/shared/baseline/manager.d.ts.map +1 -0
  756. package/dist/shared/baseline/manager.js +180 -0
  757. package/dist/shared/baseline/manager.js.map +1 -0
  758. package/dist/shared/baseline/types.d.ts +91 -0
  759. package/dist/shared/baseline/types.d.ts.map +1 -0
  760. package/dist/shared/baseline/types.js +12 -0
  761. package/dist/shared/baseline/types.js.map +1 -0
  762. package/dist/shared/category-filter.d.ts +125 -0
  763. package/dist/shared/category-filter.d.ts.map +1 -0
  764. package/dist/shared/category-filter.js +360 -0
  765. package/dist/shared/category-filter.js.map +1 -0
  766. package/dist/shared/code-analysis.d.ts +39 -0
  767. package/dist/shared/code-analysis.d.ts.map +1 -0
  768. package/dist/shared/code-analysis.js +159 -0
  769. package/dist/shared/code-analysis.js.map +1 -0
  770. package/dist/shared/comment-analyzer.d.ts +38 -0
  771. package/dist/shared/comment-analyzer.d.ts.map +1 -0
  772. package/dist/shared/comment-analyzer.js +218 -0
  773. package/dist/shared/comment-analyzer.js.map +1 -0
  774. package/dist/shared/diff-detector.d.ts +53 -0
  775. package/dist/shared/diff-detector.d.ts.map +1 -0
  776. package/dist/shared/diff-detector.js +104 -0
  777. package/dist/shared/diff-detector.js.map +1 -0
  778. package/dist/shared/diff-parser.d.ts +80 -0
  779. package/dist/shared/diff-parser.d.ts.map +1 -0
  780. package/dist/shared/diff-parser.js +202 -0
  781. package/dist/shared/diff-parser.js.map +1 -0
  782. package/dist/shared/environment-context.d.ts +76 -0
  783. package/dist/shared/environment-context.d.ts.map +1 -0
  784. package/dist/shared/environment-context.js +271 -0
  785. package/dist/shared/environment-context.js.map +1 -0
  786. package/dist/shared/intent-detector.d.ts +66 -0
  787. package/dist/shared/intent-detector.d.ts.map +1 -0
  788. package/dist/shared/intent-detector.js +282 -0
  789. package/dist/shared/intent-detector.js.map +1 -0
  790. package/dist/shared/parsed-file.d.ts +51 -0
  791. package/dist/shared/parsed-file.d.ts.map +1 -0
  792. package/dist/shared/parsed-file.js +95 -0
  793. package/dist/shared/parsed-file.js.map +1 -0
  794. package/dist/shared/registry-clients.d.ts +93 -0
  795. package/dist/shared/registry-clients.d.ts.map +1 -0
  796. package/dist/shared/registry-clients.js +273 -0
  797. package/dist/shared/registry-clients.js.map +1 -0
  798. package/dist/shared/rules/framework-fixes.d.ts +48 -0
  799. package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
  800. package/dist/shared/rules/framework-fixes.js +439 -0
  801. package/dist/shared/rules/framework-fixes.js.map +1 -0
  802. package/dist/shared/rules/index.d.ts +8 -0
  803. package/dist/shared/rules/index.d.ts.map +1 -0
  804. package/dist/shared/rules/index.js +18 -0
  805. package/dist/shared/rules/index.js.map +1 -0
  806. package/dist/shared/rules/metadata.d.ts +43 -0
  807. package/dist/shared/rules/metadata.d.ts.map +1 -0
  808. package/dist/shared/rules/metadata.js +819 -0
  809. package/dist/shared/rules/metadata.js.map +1 -0
  810. package/dist/shared/schema-semantics.d.ts +45 -0
  811. package/dist/shared/schema-semantics.d.ts.map +1 -0
  812. package/dist/shared/schema-semantics.js +193 -0
  813. package/dist/shared/schema-semantics.js.map +1 -0
  814. package/dist/shared/types.d.ts +337 -0
  815. package/dist/shared/types.d.ts.map +1 -0
  816. package/dist/shared/types.js +126 -0
  817. package/dist/shared/types.js.map +1 -0
  818. package/dist/tiers.d.ts +4 -4
  819. package/dist/tiers.d.ts.map +1 -1
  820. package/dist/tiers.js +17 -7
  821. package/dist/tiers.js.map +1 -1
  822. package/dist/types.d.ts +79 -9
  823. package/dist/types.d.ts.map +1 -1
  824. package/dist/types.js +34 -0
  825. package/dist/types.js.map +1 -1
  826. package/dist/utils/code-analysis.d.ts +39 -0
  827. package/dist/utils/code-analysis.d.ts.map +1 -0
  828. package/dist/utils/code-analysis.js +159 -0
  829. package/dist/utils/code-analysis.js.map +1 -0
  830. package/dist/utils/comment-analyzer.d.ts +38 -0
  831. package/dist/utils/comment-analyzer.d.ts.map +1 -0
  832. package/dist/utils/comment-analyzer.js +218 -0
  833. package/dist/utils/comment-analyzer.js.map +1 -0
  834. package/dist/utils/context-helpers.d.ts +108 -1
  835. package/dist/utils/context-helpers.d.ts.map +1 -1
  836. package/dist/utils/context-helpers.js +351 -2
  837. package/dist/utils/context-helpers.js.map +1 -1
  838. package/dist/utils/environment-context.d.ts +76 -0
  839. package/dist/utils/environment-context.d.ts.map +1 -0
  840. package/dist/utils/environment-context.js +271 -0
  841. package/dist/utils/environment-context.js.map +1 -0
  842. package/dist/utils/intent-detector.d.ts +66 -0
  843. package/dist/utils/intent-detector.d.ts.map +1 -0
  844. package/dist/utils/intent-detector.js +282 -0
  845. package/dist/utils/intent-detector.js.map +1 -0
  846. package/dist/utils/parsed-file.d.ts +51 -0
  847. package/dist/utils/parsed-file.d.ts.map +1 -0
  848. package/dist/utils/parsed-file.js +95 -0
  849. package/dist/utils/parsed-file.js.map +1 -0
  850. package/dist/utils/route-hierarchy.d.ts +50 -0
  851. package/dist/utils/route-hierarchy.d.ts.map +1 -0
  852. package/dist/utils/route-hierarchy.js +226 -0
  853. package/dist/utils/route-hierarchy.js.map +1 -0
  854. package/dist/utils/schema-semantics.d.ts +45 -0
  855. package/dist/utils/schema-semantics.d.ts.map +1 -0
  856. package/dist/utils/schema-semantics.js +193 -0
  857. package/dist/utils/schema-semantics.js.map +1 -0
  858. package/dist/validate/clients.d.ts +44 -0
  859. package/dist/validate/clients.d.ts.map +1 -0
  860. package/dist/validate/clients.js +81 -0
  861. package/dist/validate/clients.js.map +1 -0
  862. package/dist/validate/index.d.ts +41 -0
  863. package/dist/validate/index.d.ts.map +1 -0
  864. package/dist/validate/index.js +141 -0
  865. package/dist/validate/index.js.map +1 -0
  866. package/dist/validate/prompts/index.d.ts +8 -0
  867. package/dist/validate/prompts/index.d.ts.map +1 -0
  868. package/dist/validate/prompts/index.js +16 -0
  869. package/dist/validate/prompts/index.js.map +1 -0
  870. package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
  871. package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
  872. package/dist/validate/prompts/modules/ai-patterns.js +156 -0
  873. package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
  874. package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
  875. package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
  876. package/dist/validate/prompts/modules/auth-access.js +25 -0
  877. package/dist/validate/prompts/modules/auth-access.js.map +1 -0
  878. package/dist/validate/prompts/modules/common.d.ts +11 -0
  879. package/dist/validate/prompts/modules/common.d.ts.map +1 -0
  880. package/dist/validate/prompts/modules/common.js +186 -0
  881. package/dist/validate/prompts/modules/common.js.map +1 -0
  882. package/dist/validate/prompts/modules/index.d.ts +54 -0
  883. package/dist/validate/prompts/modules/index.d.ts.map +1 -0
  884. package/dist/validate/prompts/modules/index.js +186 -0
  885. package/dist/validate/prompts/modules/index.js.map +1 -0
  886. package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
  887. package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
  888. package/dist/validate/prompts/modules/owasp-classic.js +84 -0
  889. package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
  890. package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
  891. package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
  892. package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
  893. package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
  894. package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
  895. package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
  896. package/dist/validate/prompts/modules/xss-prompt.js +22 -0
  897. package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
  898. package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
  899. package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
  900. package/dist/validate/prompts/semantic-analysis.js +169 -0
  901. package/dist/validate/prompts/semantic-analysis.js.map +1 -0
  902. package/dist/validate/prompts/validation.d.ts +18 -0
  903. package/dist/validate/prompts/validation.d.ts.map +1 -0
  904. package/dist/validate/prompts/validation.js +25 -0
  905. package/dist/validate/prompts/validation.js.map +1 -0
  906. package/dist/validate/providers/anthropic.d.ts +17 -0
  907. package/dist/validate/providers/anthropic.d.ts.map +1 -0
  908. package/dist/validate/providers/anthropic.js +260 -0
  909. package/dist/validate/providers/anthropic.js.map +1 -0
  910. package/dist/validate/providers/index.d.ts +8 -0
  911. package/dist/validate/providers/index.d.ts.map +1 -0
  912. package/dist/validate/providers/index.js +13 -0
  913. package/dist/validate/providers/index.js.map +1 -0
  914. package/dist/validate/providers/openai.d.ts +14 -0
  915. package/dist/validate/providers/openai.d.ts.map +1 -0
  916. package/dist/validate/providers/openai.js +336 -0
  917. package/dist/validate/providers/openai.js.map +1 -0
  918. package/dist/validate/request-builder.d.ts +61 -0
  919. package/dist/validate/request-builder.d.ts.map +1 -0
  920. package/dist/validate/request-builder.js +346 -0
  921. package/dist/validate/request-builder.js.map +1 -0
  922. package/dist/validate/types.d.ts +88 -0
  923. package/dist/validate/types.d.ts.map +1 -0
  924. package/dist/validate/types.js +38 -0
  925. package/dist/validate/types.js.map +1 -0
  926. package/dist/validate/utils/context-extractor.d.ts +55 -0
  927. package/dist/validate/utils/context-extractor.d.ts.map +1 -0
  928. package/dist/validate/utils/context-extractor.js +161 -0
  929. package/dist/validate/utils/context-extractor.js.map +1 -0
  930. package/dist/validate/utils/index.d.ts +11 -0
  931. package/dist/validate/utils/index.d.ts.map +1 -0
  932. package/dist/validate/utils/index.js +27 -0
  933. package/dist/validate/utils/index.js.map +1 -0
  934. package/dist/validate/utils/path-helpers.d.ts +21 -0
  935. package/dist/validate/utils/path-helpers.d.ts.map +1 -0
  936. package/dist/validate/utils/path-helpers.js +69 -0
  937. package/dist/validate/utils/path-helpers.js.map +1 -0
  938. package/dist/validate/utils/response-parser.d.ts +40 -0
  939. package/dist/validate/utils/response-parser.d.ts.map +1 -0
  940. package/dist/validate/utils/response-parser.js +286 -0
  941. package/dist/validate/utils/response-parser.js.map +1 -0
  942. package/dist/validate/utils/retry.d.ts +15 -0
  943. package/dist/validate/utils/retry.d.ts.map +1 -0
  944. package/dist/validate/utils/retry.js +62 -0
  945. package/dist/validate/utils/retry.js.map +1 -0
  946. package/package.json +8 -7
  947. package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
  948. package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
  949. package/src/__tests__/benchmark/fixtures/layer2/index.ts +27 -0
  950. package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
  951. package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
  952. package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
  953. package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
  954. package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
  955. package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
  956. package/src/__tests__/benchmark/run-depth-validation.ts +12 -12
  957. package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
  958. package/src/__tests__/benchmark/types.ts +1 -1
  959. package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
  960. package/src/__tests__/category-filter.test.ts +478 -0
  961. package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
  962. package/src/__tests__/context-engine/framework-models.test.ts +457 -0
  963. package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
  964. package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
  965. package/src/__tests__/context-engine/integration.test.ts +320 -0
  966. package/src/__tests__/context-engine/module-graph.test.ts +159 -0
  967. package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
  968. package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
  969. package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
  970. package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
  971. package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
  972. package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
  973. package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
  974. package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
  975. package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
  976. package/src/__tests__/regression/known-false-positives.test.ts +801 -3
  977. package/src/__tests__/score/adjustments.test.ts +385 -0
  978. package/src/__tests__/score/confidence.test.ts +283 -0
  979. package/src/__tests__/score/framework-scoring.test.ts +275 -0
  980. package/src/__tests__/score/route-scoring.test.ts +156 -0
  981. package/src/__tests__/score/scoring-integration.test.ts +165 -0
  982. package/src/__tests__/score/taint-adjustments.test.ts +244 -0
  983. package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +50 -58
  984. package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
  985. package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -12
  986. package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +3 -3
  987. package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
  988. package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
  989. package/src/__tests__/validate/route-annotations.test.ts +138 -0
  990. package/src/__tests__/validation/analyze-results.ts +1 -1
  991. package/src/__tests__/validation/extract-for-triage.ts +1 -1
  992. package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
  993. package/src/__tests__/validation/run-validation.ts +7 -7
  994. package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +729 -4
  995. package/src/{layer2 → detect/ai-code}/byok-patterns.ts +20 -6
  996. package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +10 -4
  997. package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +272 -46
  998. package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +46 -34
  999. package/src/detect/ai-code/index.ts +11 -0
  1000. package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +212 -5
  1001. package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +85 -6
  1002. package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +170 -6
  1003. package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +393 -28
  1004. package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +91 -4
  1005. package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +10 -4
  1006. package/src/detect/config/agent-skill-injection.ts +551 -0
  1007. package/src/{layer1 → detect/config}/comments.ts +8 -2
  1008. package/src/{layer1 → detect/config}/file-flags.ts +23 -6
  1009. package/src/detect/config/index.ts +6 -0
  1010. package/src/{layer3 → detect/config}/osv-check.ts +3 -2
  1011. package/src/{layer3 → detect/config}/package-check.ts +3 -2
  1012. package/src/{layer1 → detect/config}/urls.ts +196 -15
  1013. package/src/detect/index.ts +131 -0
  1014. package/src/{layer1 → detect/secrets}/config-audit.ts +56 -12
  1015. package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +11 -4
  1016. package/src/{layer1 → detect/secrets}/entropy.ts +256 -11
  1017. package/src/{layer1 → detect/secrets}/index.ts +43 -46
  1018. package/src/{layer1 → detect/secrets}/patterns.ts +51 -6
  1019. package/src/{layer1 → detect/secrets}/weak-crypto.ts +174 -17
  1020. package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +249 -27
  1021. package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +94 -22
  1022. package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +672 -65
  1023. package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
  1024. package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +269 -17
  1025. package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +4 -2
  1026. package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
  1027. package/src/detect/structural/dangerous-functions/utils/control-flow.ts +35 -0
  1028. package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +16 -1
  1029. package/src/{layer2 → detect/structural}/data-exposure.ts +23 -40
  1030. package/src/{layer2 → detect/structural}/framework-checks.ts +13 -12
  1031. package/src/{layer2 → detect/structural}/index.ts +144 -122
  1032. package/src/detect/structural/log-injection.ts +254 -0
  1033. package/src/{layer2 → detect/structural}/logic-gates.ts +69 -24
  1034. package/src/{layer2 → detect/structural}/risky-imports.ts +10 -4
  1035. package/src/detect/structural/security-headers.ts +231 -0
  1036. package/src/detect/structural/ssrf-detection.ts +300 -0
  1037. package/src/{layer2 → detect/structural}/variables.ts +10 -4
  1038. package/src/detect/structural/xxe-detection.ts +295 -0
  1039. package/src/index.ts +64 -1038
  1040. package/src/{utils → model}/auth-helper-detector.ts +1 -1
  1041. package/src/model/cross-file-taint.ts +374 -0
  1042. package/src/model/framework-models/django.ts +82 -0
  1043. package/src/model/framework-models/express.ts +54 -0
  1044. package/src/model/framework-models/index.ts +116 -0
  1045. package/src/model/framework-models/nextjs.ts +69 -0
  1046. package/src/model/framework-models/prisma.ts +57 -0
  1047. package/src/model/framework-models/react.ts +63 -0
  1048. package/src/model/framework-models/sequelize.ts +63 -0
  1049. package/src/model/framework-models/types.ts +46 -0
  1050. package/src/model/function-classifier.ts +184 -0
  1051. package/src/model/import-resolver.ts +453 -0
  1052. package/src/{utils → model}/imported-auth-detector.ts +21 -85
  1053. package/src/model/index.ts +353 -0
  1054. package/src/{utils → model}/middleware-detector.ts +156 -17
  1055. package/src/model/module-graph.ts +254 -0
  1056. package/src/{utils → model}/oauth-flow-detector.ts +1 -1
  1057. package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
  1058. package/src/model/route-auth-resolver.ts +216 -0
  1059. package/src/model/route-discovery/express.ts +251 -0
  1060. package/src/model/route-discovery/index.ts +83 -0
  1061. package/src/model/route-discovery/nextjs.ts +216 -0
  1062. package/src/model/route-discovery/python.ts +214 -0
  1063. package/src/model/route-discovery/types.ts +48 -0
  1064. package/src/model/route-discovery/utils.ts +54 -0
  1065. package/src/model/route-hierarchy.ts +250 -0
  1066. package/src/model/sanitiser-detection.ts +268 -0
  1067. package/src/model/sink-matcher.ts +178 -0
  1068. package/src/model/sink-patterns.ts +109 -0
  1069. package/src/model/source-discovery.ts +209 -0
  1070. package/src/model/taint-tracker.ts +333 -0
  1071. package/src/model/taint-types.ts +149 -0
  1072. package/src/{utils → model}/trpc-analyzer.ts +1 -1
  1073. package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +462 -2
  1074. package/src/{utils → parse}/path-exclusions.ts +1 -1
  1075. package/src/pipeline/config.ts +81 -0
  1076. package/src/pipeline/index.ts +437 -0
  1077. package/src/{modes → pipeline/modes}/incremental.ts +6 -6
  1078. package/src/postprocess/aggregation.ts +74 -0
  1079. package/src/postprocess/contradictions.ts +128 -0
  1080. package/src/postprocess/dedup.ts +62 -0
  1081. package/src/postprocess/filtering/__tests__/pipeline.test.ts +134 -0
  1082. package/src/postprocess/filtering/context-adjustments.ts +111 -0
  1083. package/src/postprocess/filtering/index.ts +10 -0
  1084. package/src/postprocess/filtering/pipeline.ts +130 -0
  1085. package/src/postprocess/index.ts +118 -0
  1086. package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
  1087. package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
  1088. package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
  1089. package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
  1090. package/src/{suppression → postprocess/suppression}/types.ts +2 -2
  1091. package/src/postprocess/validation-cap.ts +66 -0
  1092. package/src/report/build-result.ts +94 -0
  1093. package/src/report/enrichment.ts +52 -0
  1094. package/src/report/formatters/__tests__/ai-context.test.ts +254 -0
  1095. package/src/report/formatters/ai-context.ts +302 -0
  1096. package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
  1097. package/src/{formatters → report/formatters}/github-comment.ts +4 -4
  1098. package/src/{formatters → report/formatters}/grouping.ts +8 -8
  1099. package/src/report/formatters/ide/__tests__/ide.test.ts +319 -0
  1100. package/src/report/formatters/ide/claude-code.ts +110 -0
  1101. package/src/report/formatters/ide/cursor.ts +147 -0
  1102. package/src/report/formatters/ide/index.ts +216 -0
  1103. package/src/report/formatters/ide/windsurf.ts +135 -0
  1104. package/src/{formatters → report/formatters}/index.ts +24 -0
  1105. package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
  1106. package/src/report/summary.ts +70 -0
  1107. package/src/score/adjustments.ts +387 -0
  1108. package/src/{layer3/anthropic → score}/auto-dismiss.ts +26 -14
  1109. package/src/score/confidence.ts +66 -0
  1110. package/src/score/index.ts +316 -0
  1111. package/src/score/types.ts +187 -0
  1112. package/src/shared/__tests__/code-analysis.test.ts +165 -0
  1113. package/src/shared/__tests__/parsed-file.test.ts +124 -0
  1114. package/src/shared/ai-context/__tests__/manager.test.ts +193 -0
  1115. package/src/shared/ai-context/index.ts +15 -0
  1116. package/src/shared/ai-context/manager.ts +145 -0
  1117. package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
  1118. package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +2 -2
  1119. package/src/{baseline → shared/baseline}/diff.ts +1 -1
  1120. package/src/{baseline → shared/baseline}/manager.ts +1 -1
  1121. package/src/shared/category-filter.ts +400 -0
  1122. package/src/{layer2/dangerous-functions/utils/control-flow.ts → shared/code-analysis.ts} +56 -39
  1123. package/src/shared/comment-analyzer.ts +249 -0
  1124. package/src/shared/environment-context.ts +304 -0
  1125. package/src/shared/intent-detector.ts +318 -0
  1126. package/src/shared/parsed-file.ts +103 -0
  1127. package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
  1128. package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
  1129. package/src/{rules → shared/rules}/metadata.ts +94 -0
  1130. package/src/shared/schema-semantics.ts +233 -0
  1131. package/src/{types.ts → shared/types.ts} +142 -11
  1132. package/src/tiers.ts +27 -10
  1133. package/src/validate/__tests__/context-extractor.test.ts +191 -0
  1134. package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
  1135. package/src/validate/__tests__/request-builder.test.ts +347 -0
  1136. package/src/{layer3/anthropic → validate}/index.ts +8 -7
  1137. package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
  1138. package/src/validate/prompts/modules/ai-patterns.ts +153 -0
  1139. package/src/validate/prompts/modules/auth-access.ts +22 -0
  1140. package/src/validate/prompts/modules/common.ts +183 -0
  1141. package/src/validate/prompts/modules/index.ts +204 -0
  1142. package/src/validate/prompts/modules/owasp-classic.ts +81 -0
  1143. package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
  1144. package/src/validate/prompts/modules/xss-prompt.ts +19 -0
  1145. package/src/validate/prompts/validation.ts +20 -0
  1146. package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
  1147. package/src/validate/providers/index.ts +8 -0
  1148. package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
  1149. package/src/validate/request-builder.ts +448 -0
  1150. package/src/{layer3/anthropic → validate}/types.ts +1 -1
  1151. package/src/validate/utils/context-extractor.ts +220 -0
  1152. package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
  1153. package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
  1154. package/src/layer3/anthropic/prompts/validation.ts +0 -419
  1155. package/src/layer3/anthropic/providers/index.ts +0 -8
  1156. package/src/layer3/anthropic/request-builder.ts +0 -150
  1157. package/src/layer3/index.ts +0 -168
  1158. /package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
  1159. /package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
  1160. /package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
  1161. /package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
  1162. /package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
  1163. /package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
  1164. /package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
  1165. /package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
  1166. /package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
  1167. /package/src/{suppression → postprocess/suppression}/index.ts +0 -0
  1168. /package/src/{baseline → shared/baseline}/index.ts +0 -0
  1169. /package/src/{baseline → shared/baseline}/types.ts +0 -0
  1170. /package/src/{utils → shared}/diff-detector.ts +0 -0
  1171. /package/src/{utils → shared}/diff-parser.ts +0 -0
  1172. /package/src/{utils → shared}/registry-clients.ts +0 -0
  1173. /package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
  1174. /package/src/{rules → shared/rules}/index.ts +0 -0
  1175. /package/src/{layer3/anthropic → validate}/clients.ts +0 -0
  1176. /package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
  1177. /package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
  1178. /package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0
package/src/shared/schema-semantics.ts ADDED
@@ -0,0 +1,233 @@
1
+ /**
2
+ * Schema Semantics Utility
3
+ * Understands validation schema logic, particularly Zod/Yup/Joi patterns
4
+ *
5
+ * This addresses false positives where OR validation (either A or B required)
6
+ * is flagged as "bypass" when individual fields are marked optional.
7
+ *
8
+ * Key insight: `.optional()` + `.refine()` = OR validation, not bypass
9
+ */
10
+
11
+ export interface SchemaAnalysis {
12
+ /** Whether the schema has cross-field refinement/validation */
13
+ hasRefinement: boolean
14
+ /** Type of refinement detected */
15
+ refinementType?: 'or_logic' | 'super_refine' | 'custom_validation' | 'none'
16
+ /** Number of optional fields in the schema */
17
+ optionalFieldCount: number
18
+ /** Whether this looks like legitimate OR validation */
19
+ isOrValidation: boolean
20
+ }
21
+
22
+ /**
23
+ * Patterns that indicate cross-field validation refinements
24
+ */
25
+ const REFINEMENT_PATTERNS = [
26
+ // Zod .refine() with OR logic
27
+ /\.refine\s*\(\s*\([^)]*\)\s*=>\s*[^,]*\|\|/,
28
+ /\.refine\s*\(\s*\(\s*\{\s*\w+\s*,/, // Destructured refine
29
+ /\.refine\s*\(\s*\(?data\)?\s*=>/, // data => refine
30
+
31
+ // Zod .superRefine()
32
+ /\.superRefine\s*\(/,
33
+
34
+ // Yup .test() with cross-field validation
35
+ /\.test\s*\(\s*['"][^'"]+['"]\s*,\s*['"][^'"]+['"]\s*,\s*function/,
36
+ /\.test\s*\(\s*['"][^'"]+['"]\s*,\s*['"][^'"]+['"]\s*,\s*\([^)]*\)\s*=>/,
37
+
38
+ // Joi custom validation
39
+ /\.custom\s*\(/,
40
+ /Joi\.alternatives\s*\(\)/,
41
+ /\.xor\s*\(/,
42
+ /\.or\s*\(/,
43
+ ]
44
+
45
+ /**
46
+ * Patterns indicating OR logic in refinement callbacks
47
+ */
48
+ const OR_LOGIC_PATTERNS = [
49
+ // Direct OR in refine: (data) => data.a || data.b
50
+ /=>\s*[^,;]*\|\|/,
51
+ // Negated AND: !(a && b)
52
+ /=>\s*!\s*\([^)]*&&/,
53
+ // Ternary with OR
54
+ /\?\s*[^:]*\|\|/,
55
+ ]
56
+
57
+ /**
58
+ * Find the start of a schema definition containing a given line
59
+ */
60
+ function findSchemaStart(lines: string[], lineNumber: number): number {
61
+ // Look backwards for schema definition patterns
62
+ const schemaStartPatterns = [
63
+ /(?:const|let|var)\s+\w+\s*=\s*z\.object\s*\(/,
64
+ /(?:const|let|var)\s+\w+\s*=\s*Yup\.object\s*\(/,
65
+ /(?:const|let|var)\s+\w+\s*=\s*Joi\.object\s*\(/,
66
+ /export\s+(?:const|let|var)\s+\w+\s*=\s*z\.object\s*\(/,
67
+ /z\.object\s*\(\s*\{/,
68
+ /Yup\.object\s*\(\s*\{/,
69
+ /Joi\.object\s*\(\s*\{/,
70
+ ]
71
+
72
+ for (let i = lineNumber; i >= 0; i--) {
73
+ if (schemaStartPatterns.some(pattern => pattern.test(lines[i]))) {
74
+ return i
75
+ }
76
+ // Don't look back more than 50 lines
77
+ if (lineNumber - i > 50) break
78
+ }
79
+
80
+ return Math.max(0, lineNumber - 10)
81
+ }
82
+
83
+ /**
84
+ * Find the end of a schema definition containing a given line
85
+ */
86
+ function findSchemaEnd(lines: string[], schemaStart: number): number {
87
+ let braceCount = 0
88
+ let inSchema = false
89
+
90
+ for (let i = schemaStart; i < lines.length; i++) {
91
+ const line = lines[i]
92
+
93
+ // Count braces/parens
94
+ for (const char of line) {
95
+ if (char === '(' || char === '{') {
96
+ braceCount++
97
+ inSchema = true
98
+ } else if (char === ')' || char === '}') {
99
+ braceCount--
100
+ }
101
+ }
102
+
103
+ // Schema ends when we return to zero brace count after entering
104
+ if (inSchema && braceCount === 0) {
105
+ return i + 1
106
+ }
107
+
108
+ // Don't look forward more than 100 lines
109
+ if (i - schemaStart > 100) break
110
+ }
111
+
112
+ return Math.min(lines.length, schemaStart + 50)
113
+ }
114
+
115
+ /**
116
+ * Count .optional() calls in content
117
+ */
118
+ function countOptionalFields(content: string): number {
119
+ const matches = content.match(/\.optional\s*\(\s*\)/g)
120
+ return matches ? matches.length : 0
121
+ }
122
+
123
+ /**
124
+ * Analyze a validation schema for OR-logic refinement patterns
125
+ *
126
+ * @param content - The full file content
127
+ * @param lineNumber - The 0-indexed line number where the pattern was found
128
+ * @returns SchemaAnalysis with refinement information
129
+ */
130
+ export function analyzeSchemaSemantics(
131
+ content: string,
132
+ lineNumber: number
133
+ ): SchemaAnalysis {
134
+ const lines = content.split('\n')
135
+
136
+ // Find the schema boundaries
137
+ const schemaStart = findSchemaStart(lines, lineNumber)
138
+ const schemaEnd = findSchemaEnd(lines, schemaStart)
139
+
140
+ // Extract schema content
141
+ const schemaLines = lines.slice(schemaStart, schemaEnd)
142
+ const schemaContent = schemaLines.join('\n')
143
+
144
+ // Check for refinement patterns
145
+ const hasRefine = REFINEMENT_PATTERNS.some(pattern => pattern.test(schemaContent))
146
+ const hasSuperRefine = /\.superRefine\s*\(/.test(schemaContent)
147
+ const hasOrLogic = OR_LOGIC_PATTERNS.some(pattern => pattern.test(schemaContent))
148
+
149
+ // Count optional fields
150
+ const optionalCount = countOptionalFields(schemaContent)
151
+
152
+ // Determine if this is OR validation
153
+ // OR validation pattern: multiple optional fields + refine with || logic
154
+ const isOrValidation = optionalCount >= 2 && hasRefine && hasOrLogic
155
+
156
+ // Determine refinement type
157
+ let refinementType: SchemaAnalysis['refinementType'] = 'none'
158
+ if (hasSuperRefine) {
159
+ refinementType = 'super_refine'
160
+ } else if (hasOrLogic && hasRefine) {
161
+ refinementType = 'or_logic'
162
+ } else if (hasRefine) {
163
+ refinementType = 'custom_validation'
164
+ }
165
+
166
+ return {
167
+ hasRefinement: hasRefine || hasSuperRefine,
168
+ refinementType,
169
+ optionalFieldCount: optionalCount,
170
+ isOrValidation,
171
+ }
172
+ }
173
+
174
+ /**
175
+ * Check if a line with .optional() is part of legitimate OR validation
176
+ *
177
+ * @param content - The full file content
178
+ * @param lineNumber - The 0-indexed line number where .optional() was found
179
+ * @returns true if this is part of OR validation (not a bypass)
180
+ */
181
+ export function isLegitimateOrValidation(
182
+ content: string,
183
+ lineNumber: number
184
+ ): boolean {
185
+ const analysis = analyzeSchemaSemantics(content, lineNumber)
186
+ return analysis.isOrValidation || analysis.refinementType === 'super_refine'
187
+ }
188
+
189
+ /**
190
+ * Check if a 2FA-related field with .optional() has proper OR validation
191
+ * Specifically for 2FA patterns where either totpCode OR backupCode is required
192
+ *
193
+ * @param content - The full file content
194
+ * @param lineNumber - The 0-indexed line number
195
+ * @returns true if this is legitimate 2FA OR validation
196
+ */
197
+ export function is2FAOrValidation(
198
+ content: string,
199
+ lineNumber: number
200
+ ): boolean {
201
+ const lines = content.split('\n')
202
+ const line = lines[lineNumber] || ''
203
+
204
+ // Check if this line is about 2FA fields
205
+ const is2FAField = /\b(totp|otp|backupCode|recoveryCode|twoFactor|2fa|mfa)\b/i.test(line)
206
+ if (!is2FAField) {
207
+ return false
208
+ }
209
+
210
+ // Check for OR validation in the schema
211
+ const analysis = analyzeSchemaSemantics(content, lineNumber)
212
+
213
+ // If there's refinement with OR logic, this is legitimate
214
+ if (analysis.isOrValidation) {
215
+ return true
216
+ }
217
+
218
+ // Check for specific 2FA OR patterns in nearby content
219
+ const schemaStart = findSchemaStart(lines, lineNumber)
220
+ const schemaEnd = findSchemaEnd(lines, schemaStart)
221
+ const schemaContent = lines.slice(schemaStart, schemaEnd).join('\n')
222
+
223
+ // Patterns like: "Either TOTP or backup code required"
224
+ const twoFAOrPatterns = [
225
+ /either.*or.*required/i,
226
+ /totp.*\|\|.*backup/i,
227
+ /backup.*\|\|.*totp/i,
228
+ /code.*\|\|.*code/i,
229
+ /one\s+of.*required/i,
230
+ ]
231
+
232
+ return twoFAOrPatterns.some(pattern => pattern.test(schemaContent))
233
+ }
package/src/{types.ts → shared/types.ts} RENAMED
@@ -54,6 +54,13 @@ export type VulnerabilityCategory =
54
54
  | 'ai_unverified_model' // Model loaded without integrity verification
55
55
  | 'ai_unsafe_finetuning' // Training on unvalidated data
56
56
  | 'ai_excessive_agency' // Unbounded agent autonomy risks
57
+ // Agent skill file security
58
+ | 'ai_skill_injection' // Agent skill file with prompt injection, data exfil, or hidden execution
59
+ // OWASP Workstream 1: Classic vulnerability detectors
60
+ | 'missing_security_headers' // Missing HTTP security headers (CSP, HSTS, etc.)
61
+ | 'ssrf' // Server-Side Request Forgery
62
+ | 'log_injection' // Log injection / log forging
63
+ | 'xxe' // XML External Entity injection
57
64
 
58
65
  export type ValidationStatus = 'confirmed' | 'downgraded' | 'dismissed' | 'not_validated'
59
66
 
@@ -68,7 +75,10 @@ export interface Vulnerability {
68
75
  description: string
69
76
  suggestedFix?: string
70
77
  confidence: 'high' | 'medium' | 'low'
71
- layer: 1 | 2 | 3 // Which scan layer detected this
78
+ /** @deprecated Use `source` instead. Kept for backward compatibility. */
79
+ layer: 1 | 2 | 3
80
+ /** Which detector group produced this finding */
81
+ source?: 'secrets' | 'structural' | 'ai_code' | 'config' | 'validation'
72
82
  requiresAIValidation?: boolean // If true, must pass through AI validation before surfacing
73
83
 
74
84
  // AI validation metadata
@@ -83,6 +93,9 @@ export interface Vulnerability {
83
93
  fixSteps?: string[] // Step-by-step fix instructions
84
94
  references?: string[] // OWASP/CWE documentation links
85
95
  aiEnhanced?: boolean // True if AI provided custom impact/fix beyond registry defaults
96
+
97
+ /** Base confidence score (0.0-1.0) set by the detector. Used by scoring stage. */
98
+ baseConfidence?: number
86
99
  }
87
100
 
88
101
  /**
@@ -256,16 +269,21 @@ export interface ScanResult {
256
269
  title: string
257
270
  }>
258
271
  }
272
+
273
+ /** Filter audit trail (when includeFilterAudit option is enabled) */
274
+ filterAuditTrail?: import('../postprocess/filtering/pipeline').AnnotatedFinding[]
259
275
  }
260
276
 
261
277
  export interface ScanProgress {
262
- status: 'fetching' | 'scanning_layer1' | 'scanning_layer2' | 'scanning_layer3' | 'complete' | 'failed'
263
- currentFile?: string
278
+ status: 'fetching' | 'layer1' | 'layer2' | 'layer3' | 'validating' | 'complete' | 'failed'
279
+ message: string
264
280
  filesProcessed: number
265
281
  totalFiles: number
266
282
  vulnerabilitiesFound: number
267
283
  }
268
284
 
285
+ export type ProgressCallback = (progress: ScanProgress) => void
286
+
269
287
  // Pattern definitions for Layer 1
270
288
  export interface SecretPattern {
271
289
  name: string
@@ -312,12 +330,124 @@ export interface AIFinding {
312
330
  suggestedFix: string
313
331
  }
314
332
 
333
+ // ============================================================================
334
+ // Detector Context (for Layer 2 context-aware detection)
335
+ // ============================================================================
336
+
337
+ /**
338
+ * DetectorContext provides rich context information to Layer 2 detectors
339
+ * This allows detectors to make smarter decisions based on:
340
+ * - Project-level auth configuration
341
+ * - Framework detection
342
+ * - Per-file context (server vs client, test vs production)
343
+ */
344
+ export interface DetectorContext {
345
+ // Auth context (project-wide)
346
+ auth: {
347
+ /** Middleware configuration (if detected) */
348
+ middleware: MiddlewareAuthContextSummary | null
349
+ /** Auth helpers detected in the project */
350
+ authHelpers: AuthHelperContextSummary
351
+ /** Public endpoint patterns (health, webhook, etc.) */
352
+ publicEndpoints: string[]
353
+ }
354
+
355
+ // Framework context (project-wide)
356
+ framework: {
357
+ /** Primary backend framework detected */
358
+ primary: 'nextjs' | 'express' | 'fastify' | 'koa' | 'hono' | 'nestjs' | 'django' | 'flask' | 'rails' | 'unknown' | null
359
+ /** Frontend framework detected */
360
+ frontend: 'react' | 'vue' | 'svelte' | 'angular' | 'unknown' | null
361
+ /** Whether the project uses TypeScript */
362
+ hasTypeScript: boolean
363
+ }
364
+
365
+ // Data access context (project-wide)
366
+ dataAccess: {
367
+ /** ORM/query builder detected */
368
+ orm: 'prisma' | 'drizzle' | 'typeorm' | 'sequelize' | 'knex' | null
369
+ /** Whether RLS (Row-Level Security) is detected */
370
+ hasRLS: boolean
371
+ /** Validation library detected */
372
+ validationLib: 'zod' | 'yup' | 'joi' | 'valibot' | null
373
+ }
374
+
375
+ // Per-file context (computed for each file)
376
+ file: {
377
+ /** Whether this file is server-only (not bundled to client) */
378
+ isServerOnly: boolean
379
+ /** Whether this file is client-bundled (exposed to browser) */
380
+ isClientBundled: boolean
381
+ /** Whether this file is a test/mock/fixture file */
382
+ isTestFile: boolean
383
+ /** Whether this file is a config file */
384
+ isConfigFile: boolean
385
+ /** Whether this file is in a tooling directory */
386
+ isToolingDir: boolean
387
+ }
388
+ }
389
+
390
+ /** Simplified middleware auth config for DetectorContext */
391
+ export interface MiddlewareAuthContextSummary {
392
+ /** Whether auth middleware was detected */
393
+ hasAuthMiddleware: boolean
394
+ /** The type of auth detected */
395
+ authType: 'clerk' | 'nextauth' | 'auth0' | 'supabase' | 'custom' | 'unknown' | null
396
+ /** Protected path patterns */
397
+ protectedPaths: string[]
398
+ /** Public/excluded path patterns */
399
+ publicPaths: string[]
400
+ }
401
+
402
+ /** Simplified auth helper context for DetectorContext */
403
+ export interface AuthHelperContextSummary {
404
+ /** Whether the project has throwing auth helpers */
405
+ hasThrowingHelpers: boolean
406
+ /** Names of throwing auth helpers */
407
+ throwingHelperNames: string[]
408
+ }
409
+
410
+ /**
411
+ * Create an empty/default DetectorContext
412
+ * Useful for tests or when context isn't available
413
+ */
414
+ export function createEmptyDetectorContext(): DetectorContext {
415
+ return {
416
+ auth: {
417
+ middleware: null,
418
+ authHelpers: {
419
+ hasThrowingHelpers: false,
420
+ throwingHelperNames: [],
421
+ },
422
+ publicEndpoints: [],
423
+ },
424
+ framework: {
425
+ primary: null,
426
+ frontend: null,
427
+ hasTypeScript: false,
428
+ },
429
+ dataAccess: {
430
+ orm: null,
431
+ hasRLS: false,
432
+ validationLib: null,
433
+ },
434
+ file: {
435
+ isServerOnly: false,
436
+ isClientBundled: false,
437
+ isTestFile: false,
438
+ isConfigFile: false,
439
+ isToolingDir: false,
440
+ },
441
+ }
442
+ }
443
+
315
444
  // Supported file extensions for scanning
316
445
  export const SCANNABLE_EXTENSIONS = [
317
446
  '.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs',
318
447
  '.py', '.rb', '.php', '.go', '.java', '.cs',
319
448
  '.env', '.yaml', '.yml', '.json', '.toml',
320
449
  '.dockerfile', '.sh', '.bash',
450
+ '.md', // Agent skill files (SKILL.md, copilot-instructions.md, etc.)
321
451
  ]
322
452
 
323
453
  // Files to always scan regardless of extension
@@ -333,6 +463,7 @@ export const SPECIAL_FILES = [
333
463
  'requirements.txt',
334
464
  'Gemfile',
335
465
  'go.mod',
466
+ '.cursorrules',
336
467
  ]
337
468
 
338
469
  // Max file size to scan (50KB as per PRD)
@@ -353,13 +484,13 @@ export type ScanMode = 'full' | 'incremental'
353
484
  /**
354
485
  * Scan depth controls AI usage independent of full vs incremental mode
355
486
  *
356
- * - cheap: Layer 1 + Layer 2 only. No AI validation, no Layer 3.
487
+ * - local: Layer 1 + Layer 2 only. No AI validation, no Layer 3.
357
488
  * Only Tier A (core) findings are surfaced.
358
489
  * Target: <5s for typical PR scans.
359
490
  *
360
- * - validated: Layer 1 + Layer 2 + AI validation on selected findings. No Layer 3.
361
- * Tier A is surfaced directly, Tier B goes through AI validation.
362
- * Target: <15s with <10 AI calls.
491
+ * - verified: Layer 1 + Layer 2 + AI validation on selected findings. No Layer 3.
492
+ * Tier A is surfaced directly, Tier B goes through AI validation.
493
+ * Target: <15s with <10 AI calls.
363
494
  *
364
495
  * - deep: Layer 1 + Layer 2 + AI validation + Layer 3 semantic analysis.
365
496
  * Full analysis for initial onboarding or deep security audits.
@@ -369,13 +500,13 @@ export type ScanMode = 'full' | 'incremental'
369
500
  *
370
501
  * | Workflow | Default Depth | Rationale |
371
502
  * |----------------|---------------|--------------------------------------|
372
- * | GitHub PR | cheap | Fast feedback, high-signal findings |
373
- * | VS Code | validated | Interactive, balance depth + speed |
374
- * | CLI (default) | cheap | Fast local scans |
503
+ * | GitHub PR | local | Fast feedback, high-signal findings |
504
+ * | VS Code | verified | Interactive, balance depth + speed |
505
+ * | CLI (default) | local | Fast local scans |
375
506
  * | CLI --deep | deep | Thorough analysis when requested |
376
507
  * | Onboarding | deep | Full picture on first scan |
377
508
  */
378
- export type ScanDepth = 'cheap' | 'validated' | 'deep'
509
+ export type ScanDepth = 'local' | 'verified' | 'deep'
379
510
 
380
511
  export interface ScanModeConfig {
381
512
  /** The scan mode */
package/src/tiers.ts CHANGED
@@ -11,7 +11,7 @@
11
11
  * - Avoids "accidental promotion" of an experimental heuristic to production output
12
12
  */
13
13
 
14
- import type { VulnerabilityCategory } from './types'
14
+ import type { VulnerabilityCategory } from './shared/types'
15
15
 
16
16
  /**
17
17
  * Detector tiers control visibility and trust level:
@@ -117,6 +117,11 @@ export type Layer2DetectorName =
117
117
  | 'ai_mcp_security' // ai-mcp-security.ts - MCP tool security
118
118
  // AI Detection Roadmap Phase 2
119
119
  | 'model_supply_chain' // model-supply-chain.ts - Model loading/finetuning risks
120
+ // OWASP Workstream 1
121
+ | 'security_headers' // security-headers.ts - Missing HTTP security headers
122
+ | 'ssrf_detection' // ssrf-detection.ts - Server-Side Request Forgery
123
+ | 'log_injection' // log-injection.ts - Log injection / forging
124
+ | 'xxe_detection' // xxe-detection.ts - XML External Entity injection
120
125
 
121
126
  /**
122
127
  * Layer 2 tier assignments
@@ -168,6 +173,12 @@ export const LAYER2_DETECTOR_TIERS: Record<Layer2DetectorName, DetectorTier> = {
168
173
  ai_mcp_security: 'core', // Tier A - MCP tool security is critical for AI agents
169
174
  // AI Detection Roadmap Phase 2
170
175
  model_supply_chain: 'core', // Tier A - Model supply chain risks are critical (RCE)
176
+
177
+ // OWASP Workstream 1
178
+ security_headers: 'ai_assisted', // Tier B - Context-dependent (CDN/proxy may add headers)
179
+ ssrf_detection: 'core', // Tier A - SSRF is high-impact with clear signals
180
+ log_injection: 'ai_assisted', // Tier B - Context-dependent (structured logging may be fine)
181
+ xxe_detection: 'core', // Tier A - XXE is high-impact with clear signals
171
182
  }
172
183
 
173
184
  /**
@@ -240,6 +251,12 @@ export const LAYER2_CATEGORY_TO_DETECTOR: Partial<Record<VulnerabilityCategory,
240
251
  ai_unverified_model: 'model_supply_chain',
241
252
  ai_unsafe_finetuning: 'model_supply_chain',
242
253
  ai_excessive_agency: 'ai_agent_tools', // Extended in ai-agent-tools.ts
254
+
255
+ // OWASP Workstream 1 categories
256
+ missing_security_headers: 'security_headers',
257
+ ssrf: 'ssrf_detection',
258
+ log_injection: 'log_injection',
259
+ xxe: 'xxe_detection',
243
260
  }
244
261
 
245
262
  // ============================================================================
@@ -293,17 +310,17 @@ export function getLayer2DetectorTier(detector: Layer2DetectorName): DetectorTie
293
310
  */
294
311
  export function isTierVisibleAtDepth(
295
312
  tier: DetectorTier,
296
- depth: 'cheap' | 'validated' | 'deep'
313
+ depth: 'local' | 'verified' | 'deep'
297
314
  ): boolean {
298
315
  switch (depth) {
299
- case 'cheap':
300
- // Only Tier A (core) findings are visible in cheap scans
316
+ case 'local':
317
+ // Only Tier A (core) findings are visible in local scans
301
318
  return tier === 'core'
302
- case 'validated':
319
+ case 'verified':
303
320
  // Tier A always visible, Tier B visible after AI validation
304
321
  return tier === 'core' || tier === 'ai_assisted'
305
322
  case 'deep':
306
- // Same as validated for visibility (deep adds Layer 3, not more tiers)
323
+ // Same as verified for visibility (deep adds Layer 3, not more tiers)
307
324
  return tier === 'core' || tier === 'ai_assisted'
308
325
  }
309
326
  }
@@ -313,14 +330,14 @@ export function isTierVisibleAtDepth(
313
330
  */
314
331
  export function shouldValidateWithAI(
315
332
  tier: DetectorTier,
316
- depth: 'cheap' | 'validated' | 'deep'
333
+ depth: 'local' | 'verified' | 'deep'
317
334
  ): boolean {
318
- // Cheap scans skip AI validation entirely
319
- if (depth === 'cheap') {
335
+ // Local scans skip AI validation entirely
336
+ if (depth === 'local') {
320
337
  return false
321
338
  }
322
339
 
323
- // In validated/deep, Tier B findings should go through AI validation
340
+ // In verified/deep, Tier B findings should go through AI validation
324
341
  // Tier A is high-precision and doesn't need AI validation
325
342
  // Tier C is hidden anyway
326
343
  return tier === 'ai_assisted'