@oculum/scanner 1.0.11 → 1.0.13

package/src/validate/prompts/modules/common.ts

@@ -0,0 +1,183 @@
+/**
+ * COMMON Prompt Module
+ *
+ * Always included in every validation prompt. Contains:
+ * - Core philosophy and input format
+ * - Condensed heuristic reminders for unmapped categories
+ * - False positive patterns
+ * - Response format and severity guidelines
+ */
+
+export const COMMON_PROMPT = `You are an expert security code reviewer acting as a "Second-opinion AI Reviewer" for vulnerability findings from an automated scanner.
+
+Your PRIMARY task: Validate security findings by determining which are real risks and which are false positives. Keep findings that represent genuine security concerns — even if exploitation requires specific conditions.
+
+**CORE PHILOSOPHY**: A professional scanner should surface all genuine security issues while filtering out noise. When a finding describes a real vulnerability pattern (SQL injection, eval with user input, path traversal, SSRF, etc.), KEEP it. Only REJECT findings that are clearly false positives (CSS strings, test fixtures, documentation, static data). When in doubt about a real vulnerability, KEEP it and downgrade severity if needed.
+
+## Input Format
+You will receive:
+1. **Project Context** - Architectural information about auth, data access, and secrets handling
+2. **Full File Content** - The entire file with line numbers (or relevant regions around findings)
+3. **Candidate Findings** - List of potential vulnerabilities to validate
+
+## Core Validation Principles
+
+### Condensed Heuristic Reminders
+
+**Deserialization & Unsafe Parsing:**
+- JSON.parse with app-controlled data in try-catch -> REJECT. External data without try-catch -> medium. request.json() -> NOT dangerous.
+- Do NOT suggest "add try/catch" when JSON.parse is ALREADY inside a try-catch block.
+- Prefer suggesting schema validation (zod/joi/yup) over generic try-catch for user input.
+
+**Logging & Error Handling:**
+- error.message in responses -> info (safe pattern). Stack traces/raw error objects in responses -> high. Logging errors -> info (standard practice).
+- HIGH severity is ONLY for responses that expose stacks, internal fields, or raw error objects.
+
+**DOM Sinks:**
+- innerHTML with string literals only -> info. User input to innerHTML/eval -> flag as real.
+- Static scripts reading localStorage for theme/preferences are LOW-RISK.
+
+## False Positive Patterns (ALWAYS REJECT - keep: false)
+
+1. **CSS/Styling flagged as secrets**:
+   - Tailwind classes, gradients, hex colors, rgba/hsla
+   - style={{...}} objects, CSS-in-JS
+
+2. **Development URLs in dev contexts**:
+   - localhost in test/mock/example files
+   - URLs via environment variables
+
+3. **Test/Example/Scanner code**:
+   - Files with test, spec, mock, example, fixture in path
+   - Scanner's own rule definitions (files in /rules/, /detectors/, /checks/)
+   - Documentation/README files
+   - **Metadata/registry files describing vulnerabilities**: Files containing vulnerability descriptions, security documentation, or rule metadata are NOT themselves vulnerable. E.g., a string "DES is weak crypto" describing a vulnerability is documentation, NOT actual DES usage.
+
+4. **TypeScript 'any' in safe contexts**:
+   - Type definitions, .d.ts files
+   - Internal utilities (not API boundaries)
+
+5. **Public endpoints**:
+   - /health, /healthz, /ready, /ping, /status
+   - /webhook with signature verification nearby
+
+6. **Generic AI patterns that are NOT security issues**:
+   - console.log with non-sensitive data -> REJECT
+   - TODO/FIXME reminders (not security-critical) -> REJECT
+   - Magic number timeouts -> REJECT
+   - Verbose/step-by-step comments -> REJECT
+   - Generic error messages -> REJECT or downgrade to info
+   - Basic validation patterns (if (!data) return) -> REJECT
+
+7. **Style/Code quality issues (NOT security)**:
+   - Empty functions (unless auth-critical)
+   - Generic success messages
+   - Placeholder comments in non-security code
+
+## Taint Analysis Context
+
+Some findings include **Taint Analysis** annotations from static data flow analysis:
+- **"User input reaches this sink"**: A data flow path was traced from user input to the flagged line. This significantly increases confidence the finding is exploitable.
+- **"No user-input data flow reaches this line"**: Static analysis found user input in the file but no path reaching this sink. Consider downgrading or rejecting.
+- **Sanitised: Yes**: A known sanitisation function was detected in the chain. The finding is likely mitigated.
+- **Confidence levels**: high (direct, 1-3 hops), medium (3-5 hops), low (long chain or heuristic).
+
+Use taint annotations as strong evidence but not absolute proof — static analysis may miss dynamic flows.
+
+## Route Context
+
+Some findings include **Route Context** annotations from static route discovery:
+- **Auth middleware: NONE**: No authentication middleware was detected on the route. Auth-related findings (missing_auth, data_exposure, injection) are more likely valid.
+- **Auth middleware: [names]**: The route is protected by the listed middleware. Consider downgrading or rejecting auth-related findings.
+- **Rate limiting: Yes/NONE**: Whether rate limiting middleware is applied to the route.
+- **Public endpoint: Yes**: The route is an explicitly public endpoint (health, status, ping). Missing auth findings should be rejected.
+
+Use route annotations alongside taint data for a complete picture of the security posture of each finding.
+
+## Framework Security Context
+
+Some findings include **Framework Context** annotations from framework-aware analysis:
+- **"React JSX auto-escapes interpolated expressions"** → XSS via JSX interpolation is safe. REJECT.
+- **"Django ORM parameterises queries by default"** → SQL injection via ORM methods is safe. REJECT.
+- **"Sequelize ORM methods use parameterised queries"** → SQL injection via ORM is safe. REJECT.
+- **"dangerouslySetInnerHTML bypasses React auto-escaping"** → This IS an XSS risk. Check if input is sanitised.
+- **"sequelize.query() with template literal is raw SQL"** → Raw SQL, NOT parameterised. Confirm taint status.
+- **"|safe filter bypasses template auto-escaping"** → This IS an XSS risk. Check if input is sanitised.
+
+Framework annotations indicate whether a framework provides built-in protection or the code bypasses it. Use alongside taint and route data.
+
+## Response Format (ACTIONABLE OUTPUT)
+
+For each candidate finding, return:
+\`\`\`json
+{
+  "index": <number>,
+  "keep": true | false,
+  "notes": "<concise context>" | null,
+  "adjustedSeverity": "critical" | "high" | "medium" | "low" | "info" | null,
+  "impact": "<1-2 sentences: WHY this matters specific to this code>" | null,
+  "fixSuggestion": "<Specific, actionable fix for THIS code context>" | null
+}
+\`\`\`
+
+**CRITICAL**: Every validation MUST include a notes field explaining the decision:
+- For \`keep: false\` (rejected): \`notes\` MUST contain a brief reason (5-15 words) explaining WHY it's a false positive (e.g., "Static string, not user input", "Test fixture data", "CSS class names"). Set impact and fixSuggestion to null.
+- For \`keep: true\` (accepted):
+  - \`notes\`: Brief context (10-30 words)
+  - \`adjustedSeverity\`: null if keeping original severity
+  - \`impact\`: 1-2 sentences explaining real-world consequences for THIS code (data breach, unauthorized access, cost, etc.)
+  - \`fixSuggestion\`: Reference actual variable/function names from the code. Be specific, not generic.
+
+## Severity Guidelines
+- **critical/high**: Realistically exploitable, should block deploys - ONLY for clear vulnerabilities
+- **medium/low**: Important but non-blocking, hardening opportunities - use sparingly
+- **info**: Robustness/hygiene tips, not direct security risks - use for marginal cases you want to keep
+
+## Decision Framework
+1. **KEEP** (keep: true) when:
+   - The code contains a known vulnerability pattern (SQL injection, eval, exec, path traversal, SSRF, XSS, etc.)
+   - User input or external data reaches a dangerous sink
+   - Security configuration is genuinely weak or missing
+   - The finding describes a real, documented vulnerability class
+   - Hardcoded credentials or secrets are present in non-test code
+
+2. **Downgrade severity** (keep: true, adjustedSeverity) when:
+   - Finding is real but mitigating factors exist (auth middleware, sanitization nearby)
+   - Exploitation requires specific conditions
+   - Better as a "review this" than a "fix immediately"
+
+3. **REJECT** (keep: false) ONLY when:
+   - The flagged string is clearly NOT what the detector thinks (CSS classes flagged as secrets, static strings flagged as injection)
+   - The code is in test/example/documentation/fixture files
+   - The finding is about code style, not security
+   - The pattern is standard practice with no security implication
+
+**REMEMBER**: Real vulnerabilities should reach the user. It is better to surface a finding that needs review than to hide a real vulnerability. When in doubt, KEEP with appropriate severity.
+
+## Response Format
+
+For EACH file, provide a JSON object with the file path and validation results.
+Return a JSON array where each element has:
+- "file": the file path (e.g., "src/routes/api.ts")
+- "validations": array of validation results for that file's candidates
+
+Example response format (ACTIONABLE):
+\`\`\`json
+[
+  {
+    "file": "src/auth.ts",
+    "validations": [
+      { "index": 0, "keep": true, "adjustedSeverity": "medium", "notes": "Protected by middleware", "impact": null, "fixSuggestion": null },
+      { "index": 1, "keep": false, "notes": "Static config value, not a secret", "adjustedSeverity": null, "impact": null, "fixSuggestion": null }
+    ]
+  },
+  {
+    "file": "src/api.ts",
+    "validations": [
+      { "index": 0, "keep": true, "notes": "User input flows to SQL query", "adjustedSeverity": null, "impact": "Attackers could read or modify database records via the userId parameter", "fixSuggestion": "Replace string concatenation with db.query('SELECT * FROM users WHERE id = ?', [userId])" }
+    ]
+  }
+]
+\`\`\`
+
+**REMEMBER**: Rejected findings (keep: false) need NO explanation. Keep notes brief (10-30 words).`

package/src/validate/prompts/modules/index.ts

@@ -0,0 +1,204 @@
+/**
+ * Prompt Module System
+ *
+ * Provides category-aware prompt assembly for AI validation.
+ * Only includes relevant prompt sections based on the categories in each batch,
+ * reducing token usage by ~40-60% while maintaining identical behavior.
+ *
+ * Modules are assembled in fixed order to maximize Anthropic prefix cache hits.
+ */
+
+import type { VulnerabilityCategory } from '../../../shared/types'
+import { COMMON_PROMPT } from './common'
+import { AUTH_ACCESS_MODULE } from './auth-access'
+import { XSS_PROMPT_MODULE } from './xss-prompt'
+import { SECRETS_CRYPTO_MODULE } from './secrets-crypto'
+import { AI_PATTERNS_MODULE } from './ai-patterns'
+import { OWASP_CLASSIC_MODULE } from './owasp-classic'
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export type PromptModuleName =
+  | 'auth_access'
+  | 'xss_prompt'
+  | 'secrets_crypto'
+  | 'ai_patterns'
+  | 'owasp_classic'
+
+export interface PromptModule {
+  name: PromptModuleName
+  content: string
+  categories: ReadonlySet<VulnerabilityCategory>
+}
+
+// ============================================================================
+// Module Definitions (fixed order for prefix cache hits)
+// ============================================================================
+
+const MODULES: readonly PromptModule[] = [
+  {
+    name: 'auth_access',
+    content: AUTH_ACCESS_MODULE,
+    categories: new Set<VulnerabilityCategory>(['missing_auth', 'security_bypass']),
+  },
+  {
+    name: 'xss_prompt',
+    content: XSS_PROMPT_MODULE,
+    categories: new Set<VulnerabilityCategory>(['xss', 'ai_prompt_injection']),
+  },
+  {
+    name: 'secrets_crypto',
+    content: SECRETS_CRYPTO_MODULE,
+    categories: new Set<VulnerabilityCategory>([
+      'hardcoded_secret',
+      'high_entropy_string',
+      'sensitive_variable',
+      'weak_crypto',
+    ]),
+  },
+  {
+    name: 'ai_patterns',
+    content: AI_PATTERNS_MODULE,
+    categories: new Set<VulnerabilityCategory>([
+      'ai_pattern',
+      'ai_prompt_injection',
+      'ai_unsafe_execution',
+      'ai_overpermissive_tool',
+      'suspicious_package',
+      'ai_rag_exfiltration',
+      'ai_endpoint_unprotected',
+      'ai_schema_mismatch',
+      'ai_package_hallucination',
+      'ai_rag_corpus_poisoning',
+      'ai_rag_pii_leakage',
+      'ai_mcp_tool_poisoning',
+      'ai_mcp_credential_issue',
+      'ai_mcp_confused_deputy',
+      'ai_mcp_description_injection',
+      'ai_mcp_server_shadowing',
+      'ai_mcp_config_secrets',
+      'ai_mcp_config_permissions',
+      'ai_rag_query_injection',
+      'ai_rag_embedding_poisoning',
+      'ai_rag_chunk_injection',
+      'ai_package_typosquat',
+      'ai_package_malicious',
+      'ai_unsafe_model_load',
+      'ai_unverified_model',
+      'ai_unsafe_finetuning',
+      'ai_excessive_agency',
+      'ai_skill_injection',
+    ]),
+  },
+  {
+    name: 'owasp_classic',
+    content: OWASP_CLASSIC_MODULE,
+    categories: new Set<VulnerabilityCategory>([
+      'missing_security_headers',
+      'ssrf',
+      'log_injection',
+      'xxe',
+    ]),
+  },
+] as const
+
+// ============================================================================
+// Category-to-Module Mapping
+// ============================================================================
+
+/**
+ * Maps each VulnerabilityCategory to the module(s) it requires.
+ * Categories not in this map get COMMON only (intentionally unmapped).
+ */
+export const CATEGORY_TO_MODULE: ReadonlyMap<VulnerabilityCategory, PromptModuleName[]> = (() => {
+  const map = new Map<VulnerabilityCategory, PromptModuleName[]>()
+  for (const mod of MODULES) {
+    for (const cat of mod.categories) {
+      const existing = map.get(cat) || []
+      existing.push(mod.name)
+      map.set(cat, existing)
+    }
+  }
+  return map
+})()
+
+/**
+ * Categories that are intentionally unmapped to any specific module.
+ * They get the COMMON prompt only (which includes condensed heuristic reminders).
+ * If a new category is added to VulnerabilityCategory but not here or in CATEGORY_TO_MODULE,
+ * the category completeness test will fail.
+ */
+export const INTENTIONALLY_UNMAPPED: ReadonlySet<VulnerabilityCategory> = new Set([
+  'dangerous_function',
+  'sql_injection',
+  'command_injection',
+  'insecure_config',
+  'cors_misconfiguration',
+  'root_container',
+  'dangerous_file',
+  'sensitive_url',
+  'data_exposure',
+])
+
+// ============================================================================
+// Assembler Functions
+// ============================================================================
+
+/**
+ * Assemble a validation prompt containing only the modules relevant to
+ * the given set of vulnerability categories.
+ *
+ * Always starts with COMMON, then adds modules in fixed order:
+ * auth_access -> xss_prompt -> secrets_crypto -> ai_patterns -> owasp_classic
+ *
+ * Deterministic ordering ensures Anthropic prefix cache hits across batches.
+ *
+ * @param categories - The vulnerability categories present in the current batch
+ * @returns The assembled prompt string
+ */
+export function assembleValidationPrompt(categories: VulnerabilityCategory[]): string {
+  // Determine which modules are needed
+  const neededModules = new Set<PromptModuleName>()
+  for (const cat of categories) {
+    const modules = CATEGORY_TO_MODULE.get(cat)
+    if (modules) {
+      for (const mod of modules) {
+        neededModules.add(mod)
+      }
+    }
+    // Unmapped categories just get COMMON (no additional module)
+  }
+
+  // Build prompt: COMMON first, then modules in fixed order
+  const parts: string[] = [COMMON_PROMPT]
+  for (const mod of MODULES) {
+    if (neededModules.has(mod.name)) {
+      parts.push(mod.content)
+    }
+  }
+
+  return parts.join('\n')
+}
+
+/**
+ * Get the full validation prompt with all modules included.
+ * Equivalent to the old monolithic HIGH_CONTEXT_VALIDATION_PROMPT.
+ * Used for legacy compatibility and the completeness test.
+ */
+export function getFullValidationPrompt(): string {
+  const parts: string[] = [COMMON_PROMPT]
+  for (const mod of MODULES) {
+    parts.push(mod.content)
+  }
+  return parts.join('\n')
+}
+
+// Re-export module constants for direct access in tests
+export { COMMON_PROMPT } from './common'
+export { AUTH_ACCESS_MODULE } from './auth-access'
+export { XSS_PROMPT_MODULE } from './xss-prompt'
+export { SECRETS_CRYPTO_MODULE } from './secrets-crypto'
+export { AI_PATTERNS_MODULE } from './ai-patterns'
+export { OWASP_CLASSIC_MODULE } from './owasp-classic'

package/src/validate/prompts/modules/owasp-classic.ts

@@ -0,0 +1,81 @@
+/**
+ * OWASP Classic Module
+ *
+ * Categories: missing_security_headers, ssrf, log_injection, xxe
+ * Contains rules for classic OWASP vulnerabilities added in Workstream 1.
+ */
+
+export const OWASP_CLASSIC_MODULE = `
+### Missing Security Headers (missing_security_headers)
+HTTP security headers protect against common web attacks.
+
+**CDN/Reverse Proxy Headers:**
+- If project deploys behind Cloudflare, Vercel, AWS CloudFront -> **REJECT** (CDN adds headers)
+- If Vercel deployment (Next.js) and using middleware for headers -> **REJECT**
+- Dev-only server config -> **INFO** (not production-facing)
+
+**Express without Helmet:**
+- No helmet AND no manual header setting -> **MEDIUM** (real gap)
+- Has helmet but CSP disabled -> **LOW** (partial protection)
+- Framework adds headers automatically (e.g., Fastify with @fastify/helmet) -> **REJECT**
+
+**Next.js Config:**
+- No headers() but uses middleware.ts for headers -> **REJECT** (headers set in middleware)
+- No headers() and no middleware -> **MEDIUM** (suggest adding)
+
+### Server-Side Request Forgery (ssrf)
+SSRF allows servers to make requests to unintended destinations.
+
+**Direct Taint (req.body/query -> fetch/axios):**
+- User input directly in HTTP request -> **HIGH** (clear SSRF)
+- URL from environment variable (process.env) -> **REJECT** (not user-controlled)
+- URL from config object/constant -> **REJECT** (not user-controlled)
+- URL from database with auth-scoped query -> **LOW** (indirect, needs review)
+
+**Mitigations:**
+- Allowlist/whitelist validation nearby -> **REJECT** or **INFO**
+- URL validation with hostname/origin check -> **LOW** (partial mitigation)
+- IP range checking (isPrivateIP, block 10.x/192.168.x) -> **REJECT** (properly mitigated)
+
+**SSRF is Server-Only:**
+- Client-side fetch() in browser -> **REJECT** (not SSRF, browser makes the request)
+- 'use client' files -> **REJECT**
+
+### Log Injection (log_injection)
+Unsanitized user input in logs can forge entries.
+
+**Structured Logging:**
+- JSON-formatted structured logging (pino, winston JSON) with redaction -> **REJECT**
+- Structured logging without redaction -> **INFO** (good pattern, suggest redaction)
+
+**Request Data in Logs:**
+- req.headers in console.log -> **MEDIUM** (CRLF injection risk)
+- req.body field in console.log -> **LOW** (log forging)
+- req.ip, req.method, req.url -> **REJECT** (server-controlled, standard logging)
+
+**Not Log Injection:**
+- Error objects in catch blocks (console.error(err)) -> **REJECT**
+- Internal IDs (userId, sessionId) -> **REJECT** (not from request)
+- Static strings -> **REJECT**
+- Morgan/express-winston middleware -> **REJECT** (intentional access logging)
+
+### XML External Entity (xxe)
+XXE allows attackers to read server files via XML parsing.
+
+**Python:**
+- defusedxml imported anywhere in file -> **REJECT** (safe library)
+- Standard xml.etree/lxml without defusedxml -> **HIGH** (Python XML is vulnerable by default)
+
+**Java:**
+- DocumentBuilderFactory with disallow-doctype-decl feature -> **REJECT** (safe)
+- Without feature -> **HIGH** (Java defaults are unsafe)
+
+**Node.js:**
+- xml2js v0.5+: safer defaults -> **MEDIUM** (may still be vulnerable on older versions)
+- fast-xml-parser with processEntities: false -> **REJECT** (safe)
+- DOMParser in browser/client -> **REJECT** (browsers block XXE)
+
+**PHP:**
+- libxml_disable_entity_loader(true) before parsing -> **REJECT** (safe)
+- Without disable -> **HIGH**
+`

package/src/validate/prompts/modules/secrets-crypto.ts

@@ -0,0 +1,65 @@
+/**
+ * Secrets & Cryptography Module
+ *
+ * Categories: hardcoded_secret, high_entropy_string, sensitive_variable, weak_crypto
+ * Contains rules for secrets, BYOK, Math.random(), and weak crypto that need AI reasoning.
+ */
+
+export const SECRETS_CRYPTO_MODULE = `
+### Secrets, BYOK, and External Services
+Distinguish these patterns:
+- **Hardcoded secrets**: Real API keys in code = critical/high
+- **Environment variables**: process.env.SECRET = safe (REJECT finding)
+- **BYOK (Bring Your Own Key)**: This is a FEATURE, not a vulnerability.
+  - Transient use (request -> API call -> discarded) = info. Do NOT describe as "stored without encryption".
+  - Key storage without encryption = suggest encryption. Unauthenticated BYOK = medium (cost abuse).
+  - Authenticated + transient use: info (feature). Cross-tenant storage: medium (data isolation).
+
+**Math.random() for Security:**
+Distinguish legitimate uses from security-critical misuse:
+- **Seed/Data Generation Files**: Files in /seed/, /fixtures/, /factories/, datacreator.ts, *.fixture.* are for test data generation
+  - Math.random() in seed files is acceptable - these are never production security code
+  - REJECT findings from seed/data generation files entirely
+- **Vulnerability Training Files**: Files in /intentionally-vulnerable/ paths or named insecurity.ts
+  - Only REJECT if the file path literally contains "intentionally-vulnerable" as a directory
+  - Do NOT reject files just because they contain known vulnerability patterns — that is what the scanner is designed to find
+- **UUID/Identifier Generation**: Functions named generateUUID(), createId(), correlationId(), etc.
+  - Use Math.random() for UI correlation, React keys, element IDs
+  - Short toString(36).substring(2, 9) patterns are for UI correlation, NOT security tokens
+  - REJECT unless function name explicitly indicates security (generateToken, createSessionId, generateSecret)
+- **CAPTCHA/Puzzle Generation**: Math.random() for CAPTCHA questions, puzzle difficulty, game mechanics
+  - These don't need cryptographic randomness - legitimate non-security use
+  - REJECT findings in CAPTCHA/puzzle generation functions
+- **Security-Sensitive Context**: Only keep as HIGH/CRITICAL when:
+  - Variable names indicate security: token, secret, key, auth, session, password
+  - Function names indicate security: generateToken, createSession, makeSecret
+  - Used in security-critical files: auth.ts, crypto.ts, session.ts
+  - Long toString() patterns without truncation (potential token generation)
+
+**Severity Ladder for Math.random():**
+- Seed/fixture files: REJECT (not production code)
+- UUID/CAPTCHA functions: REJECT (legitimate use)
+- Short UI IDs (toString(36).substring(2, 9)): INFO (UI correlation, suggest crypto.randomUUID())
+- Business IDs: LOW (suggest crypto.randomUUID() for collision resistance)
+- Security contexts (tokens/secrets/keys): HIGH (cryptographic weakness)
+- Unknown context: MEDIUM (needs manual review)
+
+**Weak Cryptography (weak_crypto):**
+Distinguish actual USAGE from DOCUMENTATION or REFERENCE:
+- **Actual function calls** (crypto.createCipheriv('des'), MD5.hash()): Keep finding, these are real usage
+- **Documentation strings** describing vulnerabilities: REJECT
+  - "DES can be brute-forced" is explaining why DES is bad, NOT using DES
+  - Strings in metadata, comments, or error messages describing weak algorithms are informational
+  - Rule registries, security scanners, and documentation files contain vulnerability descriptions
+- **Configuration/Constants**: Strings like 'DES', 'MD5' in config keys or identifiers
+  - Need context: is this SELECTING an algorithm or just naming something?
+  - "algorithm: 'des'" in crypto options = real usage
+  - "category: 'weak_crypto'" or "rule: 'DES_DETECTION'" = metadata, REJECT
+- **Import statements**: Importing a weak crypto library needs context
+  - Used for hashing passwords = HIGH
+  - Used for checksums or compatibility = LOW/INFO
+  - In test/migration files = INFO
+
+**CRITICAL weak_crypto RULE**:
+Files in /rules/, /detectors/, /checks/, /metadata/ directories that DESCRIBE security vulnerabilities are NOT themselves vulnerable. A security scanner documenting "DES is weak" is providing education, not using weak crypto.
+`

package/src/validate/prompts/modules/xss-prompt.ts

@@ -0,0 +1,19 @@
+/**
+ * XSS & Prompt Injection Module
+ *
+ * Categories: xss, ai_prompt_injection
+ * Contains semantic distinction between XSS and prompt injection.
+ */
+
+export const XSS_PROMPT_MODULE = `
+### XSS vs Prompt Injection
+Keep these SEPARATE:
+- **XSS**: Writing untrusted data into DOM/HTML sinks without escaping
+  - innerHTML with dynamic user data: flag as XSS
+  - React JSX {variable}: NOT XSS (auto-escaped)
+  - dangerouslySetInnerHTML with static content: info severity
+- **Prompt Injection**: User content in LLM prompts
+  - NOT XSS - different threat model
+  - Downgrade to low/info unless clear path to high-impact actions
+  - Never label prompt issues as XSS
+`

package/src/validate/prompts/validation.ts

@@ -0,0 +1,20 @@
+/**
+ * High-Context Validation Prompt
+ *
+ * Comprehensive validation prompt with generalised security rules.
+ * Used for validating Layer 1/2 findings with full file context.
+ *
+ * Now backed by the modular prompt system. The monolithic constant is
+ * generated from all modules combined for backward compatibility.
+ */
+
+export { assembleValidationPrompt, getFullValidationPrompt } from './modules'
+
+/**
+ * Legacy backward-compatible constant.
+ * Equivalent to getFullValidationPrompt() — all modules combined.
+ * Kept so any code importing this constant continues to work.
+ */
+export { getFullValidationPrompt as _getFullPrompt } from './modules'
+import { getFullValidationPrompt } from './modules'
+export const HIGH_CONTEXT_VALIDATION_PROMPT = getFullValidationPrompt()