npm - @oculum/scanner - Versions diffs - 1.0.11 → 1.0.13 - Mend

@oculum/scanner 1.0.11 → 1.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1178) hide show

package/dist/ai-context/index.d.ts +6 -0
package/dist/ai-context/index.d.ts.map +1 -0
package/dist/ai-context/index.js +13 -0
package/dist/ai-context/index.js.map +1 -0
package/dist/ai-context/manager.d.ts +67 -0
package/dist/ai-context/manager.d.ts.map +1 -0
package/dist/ai-context/manager.js +104 -0
package/dist/ai-context/manager.js.map +1 -0
package/dist/category-filter.d.ts +125 -0
package/dist/category-filter.d.ts.map +1 -0
package/dist/category-filter.js +360 -0
package/dist/category-filter.js.map +1 -0
package/dist/detect/ai-code/agent-tools.d.ts +22 -0
package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
package/dist/detect/ai-code/agent-tools.js +1509 -0
package/dist/detect/ai-code/agent-tools.js.map +1 -0
package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
package/dist/detect/ai-code/byok-patterns.js +313 -0
package/dist/detect/ai-code/byok-patterns.js.map +1 -0
package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
package/dist/detect/ai-code/endpoint-protection.js +349 -0
package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
package/dist/detect/ai-code/execution-sinks.js +1158 -0
package/dist/detect/ai-code/execution-sinks.js.map +1 -0
package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
package/dist/detect/ai-code/fingerprinting.js +665 -0
package/dist/detect/ai-code/fingerprinting.js.map +1 -0
package/dist/detect/ai-code/index.d.ts +12 -0
package/dist/detect/ai-code/index.d.ts.map +1 -0
package/dist/detect/ai-code/index.js +26 -0
package/dist/detect/ai-code/index.js.map +1 -0
package/dist/detect/ai-code/mcp-security.d.ts +20 -0
package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
package/dist/detect/ai-code/mcp-security.js +880 -0
package/dist/detect/ai-code/mcp-security.js.map +1 -0
package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
package/dist/detect/ai-code/model-supply-chain.js +447 -0
package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
package/dist/detect/ai-code/package-hallucination.js +841 -0
package/dist/detect/ai-code/package-hallucination.js.map +1 -0
package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
package/dist/detect/ai-code/rag-safety.d.ts +24 -0
package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
package/dist/detect/ai-code/rag-safety.js +913 -0
package/dist/detect/ai-code/rag-safety.js.map +1 -0
package/dist/detect/ai-code/schema-validation.d.ts +28 -0
package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
package/dist/detect/ai-code/schema-validation.js +378 -0
package/dist/detect/ai-code/schema-validation.js.map +1 -0
package/dist/detect/config/agent-skill-injection.d.ts +27 -0
package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
package/dist/detect/config/agent-skill-injection.js +472 -0
package/dist/detect/config/agent-skill-injection.js.map +1 -0
package/dist/detect/config/comments.d.ts +11 -0
package/dist/detect/config/comments.d.ts.map +1 -0
package/dist/detect/config/comments.js +206 -0
package/dist/detect/config/comments.js.map +1 -0
package/dist/detect/config/file-flags.d.ts +10 -0
package/dist/detect/config/file-flags.d.ts.map +1 -0
package/dist/detect/config/file-flags.js +124 -0
package/dist/detect/config/file-flags.js.map +1 -0
package/dist/detect/config/index.d.ts +7 -0
package/dist/detect/config/index.d.ts.map +1 -0
package/dist/detect/config/index.js +17 -0
package/dist/detect/config/index.js.map +1 -0
package/dist/detect/config/osv-check.d.ts +75 -0
package/dist/detect/config/osv-check.d.ts.map +1 -0
package/dist/detect/config/osv-check.js +309 -0
package/dist/detect/config/osv-check.js.map +1 -0
package/dist/detect/config/package-check.d.ts +63 -0
package/dist/detect/config/package-check.d.ts.map +1 -0
package/dist/detect/config/package-check.js +509 -0
package/dist/detect/config/package-check.js.map +1 -0
package/dist/detect/config/urls.d.ts +11 -0
package/dist/detect/config/urls.d.ts.map +1 -0
package/dist/detect/config/urls.js +450 -0
package/dist/detect/config/urls.js.map +1 -0
package/dist/detect/index.d.ts +37 -0
package/dist/detect/index.d.ts.map +1 -0
package/dist/detect/index.js +77 -0
package/dist/detect/index.js.map +1 -0
package/dist/detect/secrets/config-audit.d.ts +11 -0
package/dist/detect/secrets/config-audit.d.ts.map +1 -0
package/dist/detect/secrets/config-audit.js +315 -0
package/dist/detect/secrets/config-audit.js.map +1 -0
package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
package/dist/detect/secrets/config-mcp-audit.js +243 -0
package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
package/dist/detect/secrets/entropy.d.ts +11 -0
package/dist/detect/secrets/entropy.d.ts.map +1 -0
package/dist/detect/secrets/entropy.js +751 -0
package/dist/detect/secrets/entropy.js.map +1 -0
package/dist/detect/secrets/index.d.ts +36 -0
package/dist/detect/secrets/index.d.ts.map +1 -0
package/dist/detect/secrets/index.js +174 -0
package/dist/detect/secrets/index.js.map +1 -0
package/dist/detect/secrets/patterns.d.ts +11 -0
package/dist/detect/secrets/patterns.d.ts.map +1 -0
package/dist/detect/secrets/patterns.js +518 -0
package/dist/detect/secrets/patterns.js.map +1 -0
package/dist/detect/secrets/weak-crypto.d.ts +10 -0
package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
package/dist/detect/secrets/weak-crypto.js +432 -0
package/dist/detect/secrets/weak-crypto.js.map +1 -0
package/dist/detect/structural/auth-patterns.d.ts +22 -0
package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
package/dist/detect/structural/auth-patterns.js +533 -0
package/dist/detect/structural/auth-patterns.js.map +1 -0
package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/index.js +1193 -0
package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/detect/structural/data-exposure.d.ts +19 -0
package/dist/detect/structural/data-exposure.d.ts.map +1 -0
package/dist/detect/structural/data-exposure.js +262 -0
package/dist/detect/structural/data-exposure.js.map +1 -0
package/dist/detect/structural/framework-checks.d.ts +10 -0
package/dist/detect/structural/framework-checks.d.ts.map +1 -0
package/dist/detect/structural/framework-checks.js +389 -0
package/dist/detect/structural/framework-checks.js.map +1 -0
package/dist/detect/structural/index.d.ts +71 -0
package/dist/detect/structural/index.d.ts.map +1 -0
package/dist/detect/structural/index.js +510 -0
package/dist/detect/structural/index.js.map +1 -0
package/dist/detect/structural/log-injection.d.ts +18 -0
package/dist/detect/structural/log-injection.d.ts.map +1 -0
package/dist/detect/structural/log-injection.js +217 -0
package/dist/detect/structural/log-injection.js.map +1 -0
package/dist/detect/structural/logic-gates.d.ts +10 -0
package/dist/detect/structural/logic-gates.d.ts.map +1 -0
package/dist/detect/structural/logic-gates.js +227 -0
package/dist/detect/structural/logic-gates.js.map +1 -0
package/dist/detect/structural/risky-imports.d.ts +10 -0
package/dist/detect/structural/risky-imports.d.ts.map +1 -0
package/dist/detect/structural/risky-imports.js +168 -0
package/dist/detect/structural/risky-imports.js.map +1 -0
package/dist/detect/structural/security-headers.d.ts +18 -0
package/dist/detect/structural/security-headers.d.ts.map +1 -0
package/dist/detect/structural/security-headers.js +196 -0
package/dist/detect/structural/security-headers.js.map +1 -0
package/dist/detect/structural/ssrf-detection.d.ts +18 -0
package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
package/dist/detect/structural/ssrf-detection.js +263 -0
package/dist/detect/structural/ssrf-detection.js.map +1 -0
package/dist/detect/structural/variables.d.ts +11 -0
package/dist/detect/structural/variables.d.ts.map +1 -0
package/dist/detect/structural/variables.js +159 -0
package/dist/detect/structural/variables.js.map +1 -0
package/dist/detect/structural/xxe-detection.d.ts +18 -0
package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
package/dist/detect/structural/xxe-detection.js +245 -0
package/dist/detect/structural/xxe-detection.js.map +1 -0
package/dist/filtering/context-adjustments.d.ts +23 -0
package/dist/filtering/context-adjustments.d.ts.map +1 -0
package/dist/filtering/context-adjustments.js +100 -0
package/dist/filtering/context-adjustments.js.map +1 -0
package/dist/filtering/index.d.ts +3 -0
package/dist/filtering/index.d.ts.map +1 -0
package/dist/filtering/index.js +8 -0
package/dist/filtering/index.js.map +1 -0
package/dist/filtering/pipeline.d.ts +48 -0
package/dist/filtering/pipeline.d.ts.map +1 -0
package/dist/filtering/pipeline.js +76 -0
package/dist/filtering/pipeline.js.map +1 -0
package/dist/formatters/ai-context.d.ts +23 -0
package/dist/formatters/ai-context.d.ts.map +1 -0
package/dist/formatters/ai-context.js +238 -0
package/dist/formatters/ai-context.js.map +1 -0
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +2 -2
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/ide/claude-code.d.ts +17 -0
package/dist/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/formatters/ide/claude-code.js +94 -0
package/dist/formatters/ide/claude-code.js.map +1 -0
package/dist/formatters/ide/cursor.d.ts +13 -0
package/dist/formatters/ide/cursor.d.ts.map +1 -0
package/dist/formatters/ide/cursor.js +125 -0
package/dist/formatters/ide/cursor.js.map +1 -0
package/dist/formatters/ide/index.d.ts +62 -0
package/dist/formatters/ide/index.d.ts.map +1 -0
package/dist/formatters/ide/index.js +184 -0
package/dist/formatters/ide/index.js.map +1 -0
package/dist/formatters/ide/windsurf.d.ts +13 -0
package/dist/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/formatters/ide/windsurf.js +117 -0
package/dist/formatters/ide/windsurf.js.map +1 -0
package/dist/formatters/index.d.ts +2 -0
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +17 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +17 -60
package/dist/index.d.ts.map +1 -1
package/dist/index.js +67 -824
package/dist/index.js.map +1 -1
package/dist/layer1/comments.d.ts +4 -1
package/dist/layer1/comments.d.ts.map +1 -1
package/dist/layer1/comments.js +1 -1
package/dist/layer1/comments.js.map +1 -1
package/dist/layer1/config-audit.d.ts +4 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +45 -11
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +4 -1
package/dist/layer1/config-mcp-audit.d.ts.map +1 -1
package/dist/layer1/config-mcp-audit.js +2 -2
package/dist/layer1/config-mcp-audit.js.map +1 -1
package/dist/layer1/entropy.d.ts +4 -1
package/dist/layer1/entropy.d.ts.map +1 -1
package/dist/layer1/entropy.js +212 -1
package/dist/layer1/entropy.js.map +1 -1
package/dist/layer1/file-flags.d.ts +4 -1
package/dist/layer1/file-flags.d.ts.map +1 -1
package/dist/layer1/file-flags.js +12 -5
package/dist/layer1/file-flags.js.map +1 -1
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +14 -19
package/dist/layer1/index.js.map +1 -1
package/dist/layer1/patterns.d.ts +4 -1
package/dist/layer1/patterns.d.ts.map +1 -1
package/dist/layer1/patterns.js +34 -4
package/dist/layer1/patterns.js.map +1 -1
package/dist/layer1/urls.d.ts +4 -1
package/dist/layer1/urls.d.ts.map +1 -1
package/dist/layer1/urls.js +162 -14
package/dist/layer1/urls.js.map +1 -1
package/dist/layer1/weak-crypto.d.ts +4 -1
package/dist/layer1/weak-crypto.d.ts.map +1 -1
package/dist/layer1/weak-crypto.js +144 -7
package/dist/layer1/weak-crypto.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts +4 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +661 -2
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +1 -1
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts +4 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +252 -43
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts +4 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +25 -32
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +4 -1
package/dist/layer2/ai-mcp-security.d.ts.map +1 -1
package/dist/layer2/ai-mcp-security.js +200 -2
package/dist/layer2/ai-mcp-security.js.map +1 -1
package/dist/layer2/ai-package-hallucination.d.ts +4 -1
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -1
package/dist/layer2/ai-package-hallucination.js +136 -4
package/dist/layer2/ai-package-hallucination.js.map +1 -1
package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +342 -28
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts +4 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +82 -2
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/ai-schema-validation.d.ts +4 -1
package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
package/dist/layer2/ai-schema-validation.js +2 -2
package/dist/layer2/ai-schema-validation.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts +2 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +205 -20
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts +4 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +2 -2
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/dom-xss.d.ts +9 -4
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/dom-xss.js +73 -22
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -1
package/dist/layer2/dangerous-functions/index.d.ts +4 -1
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/index.js +551 -20
package/dist/layer2/dangerous-functions/index.js.map +1 -1
package/dist/layer2/dangerous-functions/math-random.d.ts +54 -4
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/math-random.js +241 -16
package/dist/layer2/dangerous-functions/math-random.js.map +1 -1
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/patterns.js +3 -1
package/dist/layer2/dangerous-functions/patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +3 -2
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/utils/control-flow.js +41 -120
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -1
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/utils/helpers.js +26 -3
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.js +14 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -1
package/dist/layer2/data-exposure.d.ts +4 -1
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +11 -38
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts +4 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -10
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +13 -1
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +107 -52
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/log-injection.d.ts +18 -0
package/dist/layer2/log-injection.d.ts.map +1 -0
package/dist/layer2/log-injection.js +214 -0
package/dist/layer2/log-injection.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +4 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +54 -20
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +4 -1
package/dist/layer2/model-supply-chain.d.ts.map +1 -1
package/dist/layer2/model-supply-chain.js +72 -4
package/dist/layer2/model-supply-chain.js.map +1 -1
package/dist/layer2/risky-imports.d.ts +4 -1
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +2 -2
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/security-headers.d.ts +18 -0
package/dist/layer2/security-headers.d.ts.map +1 -0
package/dist/layer2/security-headers.js +187 -0
package/dist/layer2/security-headers.js.map +1 -0
package/dist/layer2/ssrf-detection.d.ts +18 -0
package/dist/layer2/ssrf-detection.d.ts.map +1 -0
package/dist/layer2/ssrf-detection.js +252 -0
package/dist/layer2/ssrf-detection.js.map +1 -0
package/dist/layer2/variables.d.ts +4 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +2 -2
package/dist/layer2/variables.js.map +1 -1
package/dist/layer2/xxe-detection.d.ts +18 -0
package/dist/layer2/xxe-detection.d.ts.map +1 -0
package/dist/layer2/xxe-detection.js +242 -0
package/dist/layer2/xxe-detection.js.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.js +11 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -1
package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
package/dist/layer3/anthropic/prompts/index.js +3 -1
package/dist/layer3/anthropic/prompts/index.js.map +1 -1
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
package/dist/layer3/anthropic/prompts/validation.js +14 -410
package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
package/dist/layer3/anthropic/providers/anthropic.js +6 -3
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
package/dist/layer3/anthropic/providers/openai.js +6 -3
package/dist/layer3/anthropic/providers/openai.js.map +1 -1
package/dist/layer3/anthropic/request-builder.d.ts +11 -4
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
package/dist/layer3/anthropic/request-builder.js +32 -16
package/dist/layer3/anthropic/request-builder.js.map +1 -1
package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +2 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
package/dist/layer3/anthropic/utils/index.js +4 -1
package/dist/layer3/anthropic/utils/index.js.map +1 -1
package/dist/model/auth-helper-detector.d.ts +56 -0
package/dist/model/auth-helper-detector.d.ts.map +1 -0
package/dist/model/auth-helper-detector.js +360 -0
package/dist/model/auth-helper-detector.js.map +1 -0
package/dist/model/cross-file-taint.d.ts +40 -0
package/dist/model/cross-file-taint.d.ts.map +1 -0
package/dist/model/cross-file-taint.js +290 -0
package/dist/model/cross-file-taint.js.map +1 -0
package/dist/model/framework-models/django.d.ts +9 -0
package/dist/model/framework-models/django.d.ts.map +1 -0
package/dist/model/framework-models/django.js +82 -0
package/dist/model/framework-models/django.js.map +1 -0
package/dist/model/framework-models/express.d.ts +9 -0
package/dist/model/framework-models/express.d.ts.map +1 -0
package/dist/model/framework-models/express.js +52 -0
package/dist/model/framework-models/express.js.map +1 -0
package/dist/model/framework-models/index.d.ts +20 -0
package/dist/model/framework-models/index.d.ts.map +1 -0
package/dist/model/framework-models/index.js +102 -0
package/dist/model/framework-models/index.js.map +1 -0
package/dist/model/framework-models/nextjs.d.ts +9 -0
package/dist/model/framework-models/nextjs.d.ts.map +1 -0
package/dist/model/framework-models/nextjs.js +71 -0
package/dist/model/framework-models/nextjs.js.map +1 -0
package/dist/model/framework-models/prisma.d.ts +10 -0
package/dist/model/framework-models/prisma.d.ts.map +1 -0
package/dist/model/framework-models/prisma.js +54 -0
package/dist/model/framework-models/prisma.js.map +1 -0
package/dist/model/framework-models/react.d.ts +9 -0
package/dist/model/framework-models/react.d.ts.map +1 -0
package/dist/model/framework-models/react.js +67 -0
package/dist/model/framework-models/react.js.map +1 -0
package/dist/model/framework-models/sequelize.d.ts +9 -0
package/dist/model/framework-models/sequelize.d.ts.map +1 -0
package/dist/model/framework-models/sequelize.js +62 -0
package/dist/model/framework-models/sequelize.js.map +1 -0
package/dist/model/framework-models/types.d.ts +43 -0
package/dist/model/framework-models/types.d.ts.map +1 -0
package/dist/model/framework-models/types.js +10 -0
package/dist/model/framework-models/types.js.map +1 -0
package/dist/model/function-classifier.d.ts +32 -0
package/dist/model/function-classifier.d.ts.map +1 -0
package/dist/model/function-classifier.js +143 -0
package/dist/model/function-classifier.js.map +1 -0
package/dist/model/import-resolver.d.ts +45 -0
package/dist/model/import-resolver.d.ts.map +1 -0
package/dist/model/import-resolver.js +410 -0
package/dist/model/import-resolver.js.map +1 -0
package/dist/model/imported-auth-detector.d.ts +38 -0
package/dist/model/imported-auth-detector.d.ts.map +1 -0
package/dist/model/imported-auth-detector.js +199 -0
package/dist/model/imported-auth-detector.js.map +1 -0
package/dist/model/index.d.ts +63 -0
package/dist/model/index.d.ts.map +1 -0
package/dist/model/index.js +272 -0
package/dist/model/index.js.map +1 -0
package/dist/model/middleware-detector.d.ts +55 -0
package/dist/model/middleware-detector.d.ts.map +1 -0
package/dist/model/middleware-detector.js +382 -0
package/dist/model/middleware-detector.js.map +1 -0
package/dist/model/module-graph.d.ts +46 -0
package/dist/model/module-graph.d.ts.map +1 -0
package/dist/model/module-graph.js +187 -0
package/dist/model/module-graph.js.map +1 -0
package/dist/model/oauth-flow-detector.d.ts +41 -0
package/dist/model/oauth-flow-detector.d.ts.map +1 -0
package/dist/model/oauth-flow-detector.js +202 -0
package/dist/model/oauth-flow-detector.js.map +1 -0
package/dist/model/project-context.d.ts +119 -0
package/dist/model/project-context.d.ts.map +1 -0
package/dist/model/project-context.js +534 -0
package/dist/model/project-context.js.map +1 -0
package/dist/model/route-auth-resolver.d.ts +27 -0
package/dist/model/route-auth-resolver.d.ts.map +1 -0
package/dist/model/route-auth-resolver.js +182 -0
package/dist/model/route-auth-resolver.js.map +1 -0
package/dist/model/route-discovery/express.d.ts +25 -0
package/dist/model/route-discovery/express.d.ts.map +1 -0
package/dist/model/route-discovery/express.js +225 -0
package/dist/model/route-discovery/express.js.map +1 -0
package/dist/model/route-discovery/index.d.ts +21 -0
package/dist/model/route-discovery/index.d.ts.map +1 -0
package/dist/model/route-discovery/index.js +67 -0
package/dist/model/route-discovery/index.js.map +1 -0
package/dist/model/route-discovery/nextjs.d.ts +16 -0
package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
package/dist/model/route-discovery/nextjs.js +179 -0
package/dist/model/route-discovery/nextjs.js.map +1 -0
package/dist/model/route-discovery/python.d.ts +16 -0
package/dist/model/route-discovery/python.d.ts.map +1 -0
package/dist/model/route-discovery/python.js +181 -0
package/dist/model/route-discovery/python.js.map +1 -0
package/dist/model/route-discovery/types.d.ts +36 -0
package/dist/model/route-discovery/types.d.ts.map +1 -0
package/dist/model/route-discovery/types.js +16 -0
package/dist/model/route-discovery/types.js.map +1 -0
package/dist/model/route-discovery/utils.d.ts +18 -0
package/dist/model/route-discovery/utils.d.ts.map +1 -0
package/dist/model/route-discovery/utils.js +55 -0
package/dist/model/route-discovery/utils.js.map +1 -0
package/dist/model/route-hierarchy.d.ts +50 -0
package/dist/model/route-hierarchy.d.ts.map +1 -0
package/dist/model/route-hierarchy.js +226 -0
package/dist/model/route-hierarchy.js.map +1 -0
package/dist/model/sanitiser-detection.d.ts +27 -0
package/dist/model/sanitiser-detection.d.ts.map +1 -0
package/dist/model/sanitiser-detection.js +224 -0
package/dist/model/sanitiser-detection.js.map +1 -0
package/dist/model/sink-matcher.d.ts +17 -0
package/dist/model/sink-matcher.d.ts.map +1 -0
package/dist/model/sink-matcher.js +141 -0
package/dist/model/sink-matcher.js.map +1 -0
package/dist/model/sink-patterns.d.ts +19 -0
package/dist/model/sink-patterns.d.ts.map +1 -0
package/dist/model/sink-patterns.js +88 -0
package/dist/model/sink-patterns.js.map +1 -0
package/dist/model/source-discovery.d.ts +15 -0
package/dist/model/source-discovery.d.ts.map +1 -0
package/dist/model/source-discovery.js +170 -0
package/dist/model/source-discovery.js.map +1 -0
package/dist/model/taint-tracker.d.ts +21 -0
package/dist/model/taint-tracker.d.ts.map +1 -0
package/dist/model/taint-tracker.js +281 -0
package/dist/model/taint-tracker.js.map +1 -0
package/dist/model/taint-types.d.ts +74 -0
package/dist/model/taint-types.d.ts.map +1 -0
package/dist/model/taint-types.js +9 -0
package/dist/model/taint-types.js.map +1 -0
package/dist/model/trpc-analyzer.d.ts +78 -0
package/dist/model/trpc-analyzer.d.ts.map +1 -0
package/dist/model/trpc-analyzer.js +297 -0
package/dist/model/trpc-analyzer.js.map +1 -0
package/dist/modes/incremental.js +1 -1
package/dist/parse/file-classifier.d.ts +228 -0
package/dist/parse/file-classifier.d.ts.map +1 -0
package/dist/parse/file-classifier.js +933 -0
package/dist/parse/file-classifier.js.map +1 -0
package/dist/parse/path-exclusions.d.ts +55 -0
package/dist/parse/path-exclusions.d.ts.map +1 -0
package/dist/parse/path-exclusions.js +224 -0
package/dist/parse/path-exclusions.js.map +1 -0
package/dist/pipeline/config.d.ts +39 -0
package/dist/pipeline/config.d.ts.map +1 -0
package/dist/pipeline/config.js +46 -0
package/dist/pipeline/config.js.map +1 -0
package/dist/pipeline/index.d.ts +34 -0
package/dist/pipeline/index.d.ts.map +1 -0
package/dist/pipeline/index.js +377 -0
package/dist/pipeline/index.js.map +1 -0
package/dist/pipeline/modes/incremental.d.ts +66 -0
package/dist/pipeline/modes/incremental.d.ts.map +1 -0
package/dist/pipeline/modes/incremental.js +200 -0
package/dist/pipeline/modes/incremental.js.map +1 -0
package/dist/postprocess/aggregation.d.ts +14 -0
package/dist/postprocess/aggregation.d.ts.map +1 -0
package/dist/postprocess/aggregation.js +63 -0
package/dist/postprocess/aggregation.js.map +1 -0
package/dist/postprocess/contradictions.d.ts +18 -0
package/dist/postprocess/contradictions.d.ts.map +1 -0
package/dist/postprocess/contradictions.js +99 -0
package/dist/postprocess/contradictions.js.map +1 -0
package/dist/postprocess/dedup.d.ts +13 -0
package/dist/postprocess/dedup.d.ts.map +1 -0
package/dist/postprocess/dedup.js +58 -0
package/dist/postprocess/dedup.js.map +1 -0
package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
package/dist/postprocess/filtering/context-adjustments.js +100 -0
package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
package/dist/postprocess/filtering/index.d.ts +3 -0
package/dist/postprocess/filtering/index.d.ts.map +1 -0
package/dist/postprocess/filtering/index.js +8 -0
package/dist/postprocess/filtering/index.js.map +1 -0
package/dist/postprocess/filtering/pipeline.d.ts +48 -0
package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
package/dist/postprocess/filtering/pipeline.js +76 -0
package/dist/postprocess/filtering/pipeline.js.map +1 -0
package/dist/postprocess/index.d.ts +41 -0
package/dist/postprocess/index.d.ts.map +1 -0
package/dist/postprocess/index.js +85 -0
package/dist/postprocess/index.js.map +1 -0
package/dist/postprocess/suppression/config-loader.d.ts +74 -0
package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
package/dist/postprocess/suppression/config-loader.js +424 -0
package/dist/postprocess/suppression/config-loader.js.map +1 -0
package/dist/postprocess/suppression/hash.d.ts +48 -0
package/dist/postprocess/suppression/hash.d.ts.map +1 -0
package/dist/postprocess/suppression/hash.js +88 -0
package/dist/postprocess/suppression/hash.js.map +1 -0
package/dist/postprocess/suppression/index.d.ts +11 -0
package/dist/postprocess/suppression/index.d.ts.map +1 -0
package/dist/postprocess/suppression/index.js +39 -0
package/dist/postprocess/suppression/index.js.map +1 -0
package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
package/dist/postprocess/suppression/inline-parser.js +218 -0
package/dist/postprocess/suppression/inline-parser.js.map +1 -0
package/dist/postprocess/suppression/manager.d.ts +94 -0
package/dist/postprocess/suppression/manager.d.ts.map +1 -0
package/dist/postprocess/suppression/manager.js +292 -0
package/dist/postprocess/suppression/manager.js.map +1 -0
package/dist/postprocess/suppression/types.d.ts +151 -0
package/dist/postprocess/suppression/types.d.ts.map +1 -0
package/dist/postprocess/suppression/types.js +28 -0
package/dist/postprocess/suppression/types.js.map +1 -0
package/dist/postprocess/validation-cap.d.ts +17 -0
package/dist/postprocess/validation-cap.d.ts.map +1 -0
package/dist/postprocess/validation-cap.js +64 -0
package/dist/postprocess/validation-cap.js.map +1 -0
package/dist/report/build-result.d.ts +33 -0
package/dist/report/build-result.d.ts.map +1 -0
package/dist/report/build-result.js +59 -0
package/dist/report/build-result.js.map +1 -0
package/dist/report/enrichment.d.ts +19 -0
package/dist/report/enrichment.d.ts.map +1 -0
package/dist/report/enrichment.js +44 -0
package/dist/report/enrichment.js.map +1 -0
package/dist/report/formatters/ai-context.d.ts +23 -0
package/dist/report/formatters/ai-context.d.ts.map +1 -0
package/dist/report/formatters/ai-context.js +238 -0
package/dist/report/formatters/ai-context.js.map +1 -0
package/dist/report/formatters/cli-terminal.d.ts +65 -0
package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
package/dist/report/formatters/cli-terminal.js +735 -0
package/dist/report/formatters/cli-terminal.js.map +1 -0
package/dist/report/formatters/github-comment.d.ts +41 -0
package/dist/report/formatters/github-comment.d.ts.map +1 -0
package/dist/report/formatters/github-comment.js +370 -0
package/dist/report/formatters/github-comment.js.map +1 -0
package/dist/report/formatters/grouping.d.ts +52 -0
package/dist/report/formatters/grouping.d.ts.map +1 -0
package/dist/report/formatters/grouping.js +152 -0
package/dist/report/formatters/grouping.js.map +1 -0
package/dist/report/formatters/ide/claude-code.d.ts +17 -0
package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/report/formatters/ide/claude-code.js +94 -0
package/dist/report/formatters/ide/claude-code.js.map +1 -0
package/dist/report/formatters/ide/cursor.d.ts +13 -0
package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
package/dist/report/formatters/ide/cursor.js +125 -0
package/dist/report/formatters/ide/cursor.js.map +1 -0
package/dist/report/formatters/ide/index.d.ts +62 -0
package/dist/report/formatters/ide/index.d.ts.map +1 -0
package/dist/report/formatters/ide/index.js +184 -0
package/dist/report/formatters/ide/index.js.map +1 -0
package/dist/report/formatters/ide/windsurf.d.ts +13 -0
package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/report/formatters/ide/windsurf.js +117 -0
package/dist/report/formatters/ide/windsurf.js.map +1 -0
package/dist/report/formatters/index.d.ts +11 -0
package/dist/report/formatters/index.d.ts.map +1 -0
package/dist/report/formatters/index.js +54 -0
package/dist/report/formatters/index.js.map +1 -0
package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/report/formatters/vscode-diagnostic.js +151 -0
package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
package/dist/report/summary.d.ts +27 -0
package/dist/report/summary.d.ts.map +1 -0
package/dist/report/summary.js +57 -0
package/dist/report/summary.js.map +1 -0
package/dist/rules/metadata.d.ts.map +1 -1
package/dist/rules/metadata.js +66 -0
package/dist/rules/metadata.js.map +1 -1
package/dist/score/adjustments.d.ts +22 -0
package/dist/score/adjustments.d.ts.map +1 -0
package/dist/score/adjustments.js +373 -0
package/dist/score/adjustments.js.map +1 -0
package/dist/score/auto-dismiss.d.ts +28 -0
package/dist/score/auto-dismiss.d.ts.map +1 -0
package/dist/score/auto-dismiss.js +200 -0
package/dist/score/auto-dismiss.js.map +1 -0
package/dist/score/confidence.d.ts +19 -0
package/dist/score/confidence.d.ts.map +1 -0
package/dist/score/confidence.js +52 -0
package/dist/score/confidence.js.map +1 -0
package/dist/score/index.d.ts +61 -0
package/dist/score/index.d.ts.map +1 -0
package/dist/score/index.js +250 -0
package/dist/score/index.js.map +1 -0
package/dist/score/types.d.ts +160 -0
package/dist/score/types.d.ts.map +1 -0
package/dist/score/types.js +14 -0
package/dist/score/types.js.map +1 -0
package/dist/shared/ai-context/index.d.ts +6 -0
package/dist/shared/ai-context/index.d.ts.map +1 -0
package/dist/shared/ai-context/index.js +13 -0
package/dist/shared/ai-context/index.js.map +1 -0
package/dist/shared/ai-context/manager.d.ts +67 -0
package/dist/shared/ai-context/manager.d.ts.map +1 -0
package/dist/shared/ai-context/manager.js +104 -0
package/dist/shared/ai-context/manager.js.map +1 -0
package/dist/shared/baseline/diff.d.ts +32 -0
package/dist/shared/baseline/diff.d.ts.map +1 -0
package/dist/shared/baseline/diff.js +119 -0
package/dist/shared/baseline/diff.js.map +1 -0
package/dist/shared/baseline/index.d.ts +9 -0
package/dist/shared/baseline/index.d.ts.map +1 -0
package/dist/shared/baseline/index.js +19 -0
package/dist/shared/baseline/index.js.map +1 -0
package/dist/shared/baseline/manager.d.ts +67 -0
package/dist/shared/baseline/manager.d.ts.map +1 -0
package/dist/shared/baseline/manager.js +180 -0
package/dist/shared/baseline/manager.js.map +1 -0
package/dist/shared/baseline/types.d.ts +91 -0
package/dist/shared/baseline/types.d.ts.map +1 -0
package/dist/shared/baseline/types.js +12 -0
package/dist/shared/baseline/types.js.map +1 -0
package/dist/shared/category-filter.d.ts +125 -0
package/dist/shared/category-filter.d.ts.map +1 -0
package/dist/shared/category-filter.js +360 -0
package/dist/shared/category-filter.js.map +1 -0
package/dist/shared/code-analysis.d.ts +39 -0
package/dist/shared/code-analysis.d.ts.map +1 -0
package/dist/shared/code-analysis.js +159 -0
package/dist/shared/code-analysis.js.map +1 -0
package/dist/shared/comment-analyzer.d.ts +38 -0
package/dist/shared/comment-analyzer.d.ts.map +1 -0
package/dist/shared/comment-analyzer.js +218 -0
package/dist/shared/comment-analyzer.js.map +1 -0
package/dist/shared/diff-detector.d.ts +53 -0
package/dist/shared/diff-detector.d.ts.map +1 -0
package/dist/shared/diff-detector.js +104 -0
package/dist/shared/diff-detector.js.map +1 -0
package/dist/shared/diff-parser.d.ts +80 -0
package/dist/shared/diff-parser.d.ts.map +1 -0
package/dist/shared/diff-parser.js +202 -0
package/dist/shared/diff-parser.js.map +1 -0
package/dist/shared/environment-context.d.ts +76 -0
package/dist/shared/environment-context.d.ts.map +1 -0
package/dist/shared/environment-context.js +271 -0
package/dist/shared/environment-context.js.map +1 -0
package/dist/shared/intent-detector.d.ts +66 -0
package/dist/shared/intent-detector.d.ts.map +1 -0
package/dist/shared/intent-detector.js +282 -0
package/dist/shared/intent-detector.js.map +1 -0
package/dist/shared/parsed-file.d.ts +51 -0
package/dist/shared/parsed-file.d.ts.map +1 -0
package/dist/shared/parsed-file.js +95 -0
package/dist/shared/parsed-file.js.map +1 -0
package/dist/shared/registry-clients.d.ts +93 -0
package/dist/shared/registry-clients.d.ts.map +1 -0
package/dist/shared/registry-clients.js +273 -0
package/dist/shared/registry-clients.js.map +1 -0
package/dist/shared/rules/framework-fixes.d.ts +48 -0
package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
package/dist/shared/rules/framework-fixes.js +439 -0
package/dist/shared/rules/framework-fixes.js.map +1 -0
package/dist/shared/rules/index.d.ts +8 -0
package/dist/shared/rules/index.d.ts.map +1 -0
package/dist/shared/rules/index.js +18 -0
package/dist/shared/rules/index.js.map +1 -0
package/dist/shared/rules/metadata.d.ts +43 -0
package/dist/shared/rules/metadata.d.ts.map +1 -0
package/dist/shared/rules/metadata.js +819 -0
package/dist/shared/rules/metadata.js.map +1 -0
package/dist/shared/schema-semantics.d.ts +45 -0
package/dist/shared/schema-semantics.d.ts.map +1 -0
package/dist/shared/schema-semantics.js +193 -0
package/dist/shared/schema-semantics.js.map +1 -0
package/dist/shared/types.d.ts +337 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +126 -0
package/dist/shared/types.js.map +1 -0
package/dist/tiers.d.ts +4 -4
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +17 -7
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +79 -9
package/dist/types.d.ts.map +1 -1
package/dist/types.js +34 -0
package/dist/types.js.map +1 -1
package/dist/utils/code-analysis.d.ts +39 -0
package/dist/utils/code-analysis.d.ts.map +1 -0
package/dist/utils/code-analysis.js +159 -0
package/dist/utils/code-analysis.js.map +1 -0
package/dist/utils/comment-analyzer.d.ts +38 -0
package/dist/utils/comment-analyzer.d.ts.map +1 -0
package/dist/utils/comment-analyzer.js +218 -0
package/dist/utils/comment-analyzer.js.map +1 -0
package/dist/utils/context-helpers.d.ts +108 -1
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +351 -2
package/dist/utils/context-helpers.js.map +1 -1
package/dist/utils/environment-context.d.ts +76 -0
package/dist/utils/environment-context.d.ts.map +1 -0
package/dist/utils/environment-context.js +271 -0
package/dist/utils/environment-context.js.map +1 -0
package/dist/utils/intent-detector.d.ts +66 -0
package/dist/utils/intent-detector.d.ts.map +1 -0
package/dist/utils/intent-detector.js +282 -0
package/dist/utils/intent-detector.js.map +1 -0
package/dist/utils/parsed-file.d.ts +51 -0
package/dist/utils/parsed-file.d.ts.map +1 -0
package/dist/utils/parsed-file.js +95 -0
package/dist/utils/parsed-file.js.map +1 -0
package/dist/utils/route-hierarchy.d.ts +50 -0
package/dist/utils/route-hierarchy.d.ts.map +1 -0
package/dist/utils/route-hierarchy.js +226 -0
package/dist/utils/route-hierarchy.js.map +1 -0
package/dist/utils/schema-semantics.d.ts +45 -0
package/dist/utils/schema-semantics.d.ts.map +1 -0
package/dist/utils/schema-semantics.js +193 -0
package/dist/utils/schema-semantics.js.map +1 -0
package/dist/validate/clients.d.ts +44 -0
package/dist/validate/clients.d.ts.map +1 -0
package/dist/validate/clients.js +81 -0
package/dist/validate/clients.js.map +1 -0
package/dist/validate/index.d.ts +41 -0
package/dist/validate/index.d.ts.map +1 -0
package/dist/validate/index.js +141 -0
package/dist/validate/index.js.map +1 -0
package/dist/validate/prompts/index.d.ts +8 -0
package/dist/validate/prompts/index.d.ts.map +1 -0
package/dist/validate/prompts/index.js +16 -0
package/dist/validate/prompts/index.js.map +1 -0
package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
package/dist/validate/prompts/modules/ai-patterns.js +156 -0
package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
package/dist/validate/prompts/modules/auth-access.js +25 -0
package/dist/validate/prompts/modules/auth-access.js.map +1 -0
package/dist/validate/prompts/modules/common.d.ts +11 -0
package/dist/validate/prompts/modules/common.d.ts.map +1 -0
package/dist/validate/prompts/modules/common.js +186 -0
package/dist/validate/prompts/modules/common.js.map +1 -0
package/dist/validate/prompts/modules/index.d.ts +54 -0
package/dist/validate/prompts/modules/index.d.ts.map +1 -0
package/dist/validate/prompts/modules/index.js +186 -0
package/dist/validate/prompts/modules/index.js.map +1 -0
package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
package/dist/validate/prompts/modules/owasp-classic.js +84 -0
package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
package/dist/validate/prompts/modules/xss-prompt.js +22 -0
package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/validate/prompts/semantic-analysis.js +169 -0
package/dist/validate/prompts/semantic-analysis.js.map +1 -0
package/dist/validate/prompts/validation.d.ts +18 -0
package/dist/validate/prompts/validation.d.ts.map +1 -0
package/dist/validate/prompts/validation.js +25 -0
package/dist/validate/prompts/validation.js.map +1 -0
package/dist/validate/providers/anthropic.d.ts +17 -0
package/dist/validate/providers/anthropic.d.ts.map +1 -0
package/dist/validate/providers/anthropic.js +260 -0
package/dist/validate/providers/anthropic.js.map +1 -0
package/dist/validate/providers/index.d.ts +8 -0
package/dist/validate/providers/index.d.ts.map +1 -0
package/dist/validate/providers/index.js +13 -0
package/dist/validate/providers/index.js.map +1 -0
package/dist/validate/providers/openai.d.ts +14 -0
package/dist/validate/providers/openai.d.ts.map +1 -0
package/dist/validate/providers/openai.js +336 -0
package/dist/validate/providers/openai.js.map +1 -0
package/dist/validate/request-builder.d.ts +61 -0
package/dist/validate/request-builder.d.ts.map +1 -0
package/dist/validate/request-builder.js +346 -0
package/dist/validate/request-builder.js.map +1 -0
package/dist/validate/types.d.ts +88 -0
package/dist/validate/types.d.ts.map +1 -0
package/dist/validate/types.js +38 -0
package/dist/validate/types.js.map +1 -0
package/dist/validate/utils/context-extractor.d.ts +55 -0
package/dist/validate/utils/context-extractor.d.ts.map +1 -0
package/dist/validate/utils/context-extractor.js +161 -0
package/dist/validate/utils/context-extractor.js.map +1 -0
package/dist/validate/utils/index.d.ts +11 -0
package/dist/validate/utils/index.d.ts.map +1 -0
package/dist/validate/utils/index.js +27 -0
package/dist/validate/utils/index.js.map +1 -0
package/dist/validate/utils/path-helpers.d.ts +21 -0
package/dist/validate/utils/path-helpers.d.ts.map +1 -0
package/dist/validate/utils/path-helpers.js +69 -0
package/dist/validate/utils/path-helpers.js.map +1 -0
package/dist/validate/utils/response-parser.d.ts +40 -0
package/dist/validate/utils/response-parser.d.ts.map +1 -0
package/dist/validate/utils/response-parser.js +286 -0
package/dist/validate/utils/response-parser.js.map +1 -0
package/dist/validate/utils/retry.d.ts +15 -0
package/dist/validate/utils/retry.d.ts.map +1 -0
package/dist/validate/utils/retry.js +62 -0
package/dist/validate/utils/retry.js.map +1 -0
package/package.json +8 -7
package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +27 -0
package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
package/src/__tests__/benchmark/run-depth-validation.ts +12 -12
package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
package/src/__tests__/benchmark/types.ts +1 -1
package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
package/src/__tests__/category-filter.test.ts +478 -0
package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
package/src/__tests__/context-engine/framework-models.test.ts +457 -0
package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
package/src/__tests__/context-engine/integration.test.ts +320 -0
package/src/__tests__/context-engine/module-graph.test.ts +159 -0
package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
package/src/__tests__/regression/known-false-positives.test.ts +801 -3
package/src/__tests__/score/adjustments.test.ts +385 -0
package/src/__tests__/score/confidence.test.ts +283 -0
package/src/__tests__/score/framework-scoring.test.ts +275 -0
package/src/__tests__/score/route-scoring.test.ts +156 -0
package/src/__tests__/score/scoring-integration.test.ts +165 -0
package/src/__tests__/score/taint-adjustments.test.ts +244 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +50 -58
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -12
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +3 -3
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
package/src/__tests__/validate/route-annotations.test.ts +138 -0
package/src/__tests__/validation/analyze-results.ts +1 -1
package/src/__tests__/validation/extract-for-triage.ts +1 -1
package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
package/src/__tests__/validation/run-validation.ts +7 -7
package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +729 -4
package/src/{layer2 → detect/ai-code}/byok-patterns.ts +20 -6
package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +10 -4
package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +272 -46
package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +46 -34
package/src/detect/ai-code/index.ts +11 -0
package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +212 -5
package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +85 -6
package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +170 -6
package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +393 -28
package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +91 -4
package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +10 -4
package/src/detect/config/agent-skill-injection.ts +551 -0
package/src/{layer1 → detect/config}/comments.ts +8 -2
package/src/{layer1 → detect/config}/file-flags.ts +23 -6
package/src/detect/config/index.ts +6 -0
package/src/{layer3 → detect/config}/osv-check.ts +3 -2
package/src/{layer3 → detect/config}/package-check.ts +3 -2
package/src/{layer1 → detect/config}/urls.ts +196 -15
package/src/detect/index.ts +131 -0
package/src/{layer1 → detect/secrets}/config-audit.ts +56 -12
package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +11 -4
package/src/{layer1 → detect/secrets}/entropy.ts +256 -11
package/src/{layer1 → detect/secrets}/index.ts +43 -46
package/src/{layer1 → detect/secrets}/patterns.ts +51 -6
package/src/{layer1 → detect/secrets}/weak-crypto.ts +174 -17
package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +249 -27
package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +94 -22
package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +672 -65
package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +269 -17
package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +4 -2
package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
package/src/detect/structural/dangerous-functions/utils/control-flow.ts +35 -0
package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +16 -1
package/src/{layer2 → detect/structural}/data-exposure.ts +23 -40
package/src/{layer2 → detect/structural}/framework-checks.ts +13 -12
package/src/{layer2 → detect/structural}/index.ts +144 -122
package/src/detect/structural/log-injection.ts +254 -0
package/src/{layer2 → detect/structural}/logic-gates.ts +69 -24
package/src/{layer2 → detect/structural}/risky-imports.ts +10 -4
package/src/detect/structural/security-headers.ts +231 -0
package/src/detect/structural/ssrf-detection.ts +300 -0
package/src/{layer2 → detect/structural}/variables.ts +10 -4
package/src/detect/structural/xxe-detection.ts +295 -0
package/src/index.ts +64 -1038
package/src/{utils → model}/auth-helper-detector.ts +1 -1
package/src/model/cross-file-taint.ts +374 -0
package/src/model/framework-models/django.ts +82 -0
package/src/model/framework-models/express.ts +54 -0
package/src/model/framework-models/index.ts +116 -0
package/src/model/framework-models/nextjs.ts +69 -0
package/src/model/framework-models/prisma.ts +57 -0
package/src/model/framework-models/react.ts +63 -0
package/src/model/framework-models/sequelize.ts +63 -0
package/src/model/framework-models/types.ts +46 -0
package/src/model/function-classifier.ts +184 -0
package/src/model/import-resolver.ts +453 -0
package/src/{utils → model}/imported-auth-detector.ts +21 -85
package/src/model/index.ts +353 -0
package/src/{utils → model}/middleware-detector.ts +156 -17
package/src/model/module-graph.ts +254 -0
package/src/{utils → model}/oauth-flow-detector.ts +1 -1
package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
package/src/model/route-auth-resolver.ts +216 -0
package/src/model/route-discovery/express.ts +251 -0
package/src/model/route-discovery/index.ts +83 -0
package/src/model/route-discovery/nextjs.ts +216 -0
package/src/model/route-discovery/python.ts +214 -0
package/src/model/route-discovery/types.ts +48 -0
package/src/model/route-discovery/utils.ts +54 -0
package/src/model/route-hierarchy.ts +250 -0
package/src/model/sanitiser-detection.ts +268 -0
package/src/model/sink-matcher.ts +178 -0
package/src/model/sink-patterns.ts +109 -0
package/src/model/source-discovery.ts +209 -0
package/src/model/taint-tracker.ts +333 -0
package/src/model/taint-types.ts +149 -0
package/src/{utils → model}/trpc-analyzer.ts +1 -1
package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +462 -2
package/src/{utils → parse}/path-exclusions.ts +1 -1
package/src/pipeline/config.ts +81 -0
package/src/pipeline/index.ts +437 -0
package/src/{modes → pipeline/modes}/incremental.ts +6 -6
package/src/postprocess/aggregation.ts +74 -0
package/src/postprocess/contradictions.ts +128 -0
package/src/postprocess/dedup.ts +62 -0
package/src/postprocess/filtering/__tests__/pipeline.test.ts +134 -0
package/src/postprocess/filtering/context-adjustments.ts +111 -0
package/src/postprocess/filtering/index.ts +10 -0
package/src/postprocess/filtering/pipeline.ts +130 -0
package/src/postprocess/index.ts +118 -0
package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
package/src/{suppression → postprocess/suppression}/types.ts +2 -2
package/src/postprocess/validation-cap.ts +66 -0
package/src/report/build-result.ts +94 -0
package/src/report/enrichment.ts +52 -0
package/src/report/formatters/__tests__/ai-context.test.ts +254 -0
package/src/report/formatters/ai-context.ts +302 -0
package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
package/src/{formatters → report/formatters}/github-comment.ts +4 -4
package/src/{formatters → report/formatters}/grouping.ts +8 -8
package/src/report/formatters/ide/__tests__/ide.test.ts +319 -0
package/src/report/formatters/ide/claude-code.ts +110 -0
package/src/report/formatters/ide/cursor.ts +147 -0
package/src/report/formatters/ide/index.ts +216 -0
package/src/report/formatters/ide/windsurf.ts +135 -0
package/src/{formatters → report/formatters}/index.ts +24 -0
package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
package/src/report/summary.ts +70 -0
package/src/score/adjustments.ts +387 -0
package/src/{layer3/anthropic → score}/auto-dismiss.ts +26 -14
package/src/score/confidence.ts +66 -0
package/src/score/index.ts +316 -0
package/src/score/types.ts +187 -0
package/src/shared/__tests__/code-analysis.test.ts +165 -0
package/src/shared/__tests__/parsed-file.test.ts +124 -0
package/src/shared/ai-context/__tests__/manager.test.ts +193 -0
package/src/shared/ai-context/index.ts +15 -0
package/src/shared/ai-context/manager.ts +145 -0
package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +2 -2
package/src/{baseline → shared/baseline}/diff.ts +1 -1
package/src/{baseline → shared/baseline}/manager.ts +1 -1
package/src/shared/category-filter.ts +400 -0
package/src/{layer2/dangerous-functions/utils/control-flow.ts → shared/code-analysis.ts} +56 -39
package/src/shared/comment-analyzer.ts +249 -0
package/src/shared/environment-context.ts +304 -0
package/src/shared/intent-detector.ts +318 -0
package/src/shared/parsed-file.ts +103 -0
package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
package/src/{rules → shared/rules}/metadata.ts +94 -0
package/src/shared/schema-semantics.ts +233 -0
package/src/{types.ts → shared/types.ts} +142 -11
package/src/tiers.ts +27 -10
package/src/validate/__tests__/context-extractor.test.ts +191 -0
package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
package/src/validate/__tests__/request-builder.test.ts +347 -0
package/src/{layer3/anthropic → validate}/index.ts +8 -7
package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
package/src/validate/prompts/modules/ai-patterns.ts +153 -0
package/src/validate/prompts/modules/auth-access.ts +22 -0
package/src/validate/prompts/modules/common.ts +183 -0
package/src/validate/prompts/modules/index.ts +204 -0
package/src/validate/prompts/modules/owasp-classic.ts +81 -0
package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
package/src/validate/prompts/modules/xss-prompt.ts +19 -0
package/src/validate/prompts/validation.ts +20 -0
package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
package/src/validate/providers/index.ts +8 -0
package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
package/src/validate/request-builder.ts +448 -0
package/src/{layer3/anthropic → validate}/types.ts +1 -1
package/src/validate/utils/context-extractor.ts +220 -0
package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
package/src/layer3/anthropic/prompts/validation.ts +0 -419
package/src/layer3/anthropic/providers/index.ts +0 -8
package/src/layer3/anthropic/request-builder.ts +0 -150
package/src/layer3/index.ts +0 -168
/package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
/package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/index.ts +0 -0
/package/src/{baseline → shared/baseline}/index.ts +0 -0
/package/src/{baseline → shared/baseline}/types.ts +0 -0
/package/src/{utils → shared}/diff-detector.ts +0 -0
/package/src/{utils → shared}/diff-parser.ts +0 -0
/package/src/{utils → shared}/registry-clients.ts +0 -0
/package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
/package/src/{rules → shared/rules}/index.ts +0 -0
/package/src/{layer3/anthropic → validate}/clients.ts +0 -0
/package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
/package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
/package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0

package/dist/detect/structural/auth-patterns.js ADDED Viewed

@@ -0,0 +1,533 @@
+"use strict";
+/**
+ * Layer 2: Authentication Anti-Pattern Detection
+ * Identifies weak or missing authentication/authorization patterns
+ *
+ * Key improvements:
+ * - Respects global middleware protection (caps severity at info)
+ * - Detects throwing auth helpers and suppresses redundant null checks
+ * - Properly classifies public endpoints
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAuthAntipatterns = detectAuthAntipatterns;
+const middleware_detector_1 = require("../../model/middleware-detector");
+const auth_helper_detector_1 = require("../../model/auth-helper-detector");
+const file_classifier_1 = require("../../parse/file-classifier");
+const route_hierarchy_1 = require("../../model/route-hierarchy");
+const schema_semantics_1 = require("../../shared/schema-semantics");
+const intent_detector_1 = require("../../shared/intent-detector");
+const BASE_CONFIDENCE = 0.40;
+const AUTH_ANTIPATTERNS = [
+    // Missing auth checks
+    {
+        name: 'Unprotected API route',
+        pattern: /export\s+(async\s+)?function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/gi,
+        severity: 'medium',
+        description: 'API route handler may lack authentication - verify auth is checked',
+        suggestedFix: 'Add authentication middleware or check session at the start of the handler',
+    },
+    {
+        name: 'Express route without auth middleware',
+        pattern: /\.(get|post|put|delete|patch)\s*\(\s*['"][^'"]+['"]\s*,\s*(async\s*)?\(\s*(req|request)/gi,
+        severity: 'medium',
+        description: 'Express route may lack authentication middleware',
+        suggestedFix: 'Add authentication middleware before the route handler',
+    },
+    // Weak authentication patterns
+    {
+        name: 'Hardcoded credentials check',
+        pattern: /if\s*\(\s*(username|user|email)\s*===?\s*['"][^'"]+['"]\s*&&\s*(password|pass|pwd)\s*===?\s*['"][^'"]+['"]/gi,
+        severity: 'critical',
+        description: 'Hardcoded credentials in authentication logic',
+        suggestedFix: 'Use a proper user database with hashed passwords',
+    },
+    {
+        name: 'Password in plain text comparison',
+        pattern: /password\s*===?\s*user\.password|user\.password\s*===?\s*password/gi,
+        severity: 'high',
+        description: 'Plain text password comparison detected',
+        suggestedFix: 'Use bcrypt.compare() or similar for password verification',
+    },
+    {
+        name: 'JWT without verification',
+        pattern: /jwt\.decode\s*\([^)]+\)(?!.*verify)/gi,
+        severity: 'high',
+        description: 'JWT decoded without signature verification',
+        suggestedFix: 'Use jwt.verify() instead of jwt.decode() for authentication',
+    },
+    {
+        name: 'Weak JWT secret',
+        pattern: /jwt\.sign\s*\([^)]+,\s*['"][^'"]{1,20}['"]/gi,
+        severity: 'high',
+        description: 'JWT signed with a short/weak secret',
+        suggestedFix: 'Use a strong, random secret of at least 256 bits from environment variables',
+    },
+    // Session issues
+    {
+        name: 'Session without secure flag',
+        pattern: /session\s*\(\s*\{[^}]*(?!secure\s*:\s*true)[^}]*\}/gi,
+        severity: 'medium',
+        description: 'Session configuration may lack secure flag',
+        suggestedFix: 'Set secure: true for cookies in production',
+    },
+    // NOTE: Cookie httpOnly detection removed - causes false positives
+    // Client-side code (document.cookie) cannot set httpOnly - it's a server-only flag
+    // Server-side cookie libraries have proper defaults
+    // The pattern was triggering on client-side cookie access which is conceptually wrong
+    // Authorization issues
+    // NOTE: We intentionally do NOT flag "if (!user)" or "if (!userId)" patterns as issues
+    // when throwing auth helpers are in use. Those helpers guarantee the user exists.
+    // This pattern is now much more targeted.
+    {
+        name: 'Missing role check for admin operation',
+        pattern: /\b(admin|superuser|moderator|owner)\b.*(?:delete|remove|update|modify|grant|revoke)/gi,
+        severity: 'low',
+        description: 'Potentially privileged operation - verify role/permission checks are in place',
+        suggestedFix: 'Add role-based access control for sensitive operations',
+    },
+    {
+        name: 'Client-side only auth check',
+        pattern: /if\s*\(\s*!?\s*(isAuthenticated|isLoggedIn|user)\s*\)\s*\{?\s*(router\.push|navigate|redirect|window\.location)/gi,
+        severity: 'medium',
+        description: 'Client-side only authentication redirect detected',
+        suggestedFix: 'Implement server-side authentication checks as well',
+    },
+    // Insecure token handling
+    {
+        name: 'Token in URL',
+        pattern: /\?.*token=|&token=|\?.*api_key=|&api_key=/gi,
+        severity: 'high',
+        description: 'Sensitive token passed in URL query parameter',
+        suggestedFix: 'Pass tokens in Authorization header or request body',
+    },
+    {
+        name: 'Token in localStorage',
+        pattern: /localStorage\.(setItem|getItem)\s*\(\s*['"](token|jwt|auth|session|apiKey)/gi,
+        severity: 'medium',
+        description: 'Sensitive token stored in localStorage (XSS vulnerable)',
+        suggestedFix: 'Use httpOnly cookies for token storage',
+    },
+    // OAuth/Social auth issues
+    // NOTE: OAuth detection narrowed significantly to reduce false positives.
+    // Previously matched any line containing "oauth" which flagged variable names, imports, etc.
+    // Now only matches actual OAuth authorization URL construction.
+    {
+        name: 'OAuth state parameter missing',
+        // Only match actual OAuth authorization URL construction without state parameter
+        // Must have: authorize endpoint + client_id/redirect_uri but missing state
+        pattern: /['"`]https?:\/\/[^'"]*\/(?:oauth|authorize|auth)[^'"]*client_id=[^'"]*(?!.*state=)/gi,
+        severity: 'medium',
+        description: 'OAuth authorization URL may lack state parameter for CSRF protection',
+        suggestedFix: 'Include a random state parameter in OAuth authorization requests',
+    },
+    // Password handling issues
+    {
+        name: 'Password logged',
+        pattern: /console\.(log|info|debug|warn|error)\s*\([^)]*password/gi,
+        severity: 'critical',
+        description: 'Password may be logged to console',
+        suggestedFix: 'Never log passwords or sensitive credentials',
+    },
+    // NOTE: 'Password in error message' pattern now uses smart intent detection
+    // Error CODES like 'SAME_PASSWORD' are not flagged (they're codes, not values)
+    // Only actual password values concatenated into errors are flagged
+    // This is handled specially in detectAuthAntipatterns() below
+    // Rate limiting
+    {
+        name: 'Login without rate limiting',
+        pattern: /\/(login|signin|auth|authenticate)\s*['"],\s*(async\s*)?\(/gi,
+        severity: 'medium',
+        description: 'Login endpoint may lack rate limiting',
+        suggestedFix: 'Add rate limiting to prevent brute force attacks',
+    },
+    // 2FA bypass
+    {
+        name: 'Potential 2FA bypass',
+        pattern: /skip2fa|bypass2fa|disable2fa|twoFactor\s*[=:]\s*false/gi,
+        severity: 'high',
+        description: 'Two-factor authentication bypass detected',
+        suggestedFix: 'Remove 2FA bypass options in production',
+    },
+];
+// Check if line is a comment
+function isComment(line) {
+    const trimmed = line.trim();
+    return (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*'));
+}
+// Check if file is likely an auth-related file
+function isAuthRelatedFile(filePath) {
+    const authKeywords = ['auth', 'login', 'session', 'user', 'account', 'credential', 'password', 'token', 'jwt', 'oauth'];
+    const lowerPath = filePath.toLowerCase();
+    return authKeywords.some(keyword => lowerPath.includes(keyword));
+}
+/**
+ * Check if file is an auth implementation/library file
+ * These files ARE the auth system - flagging them for "missing auth" is wrong
+ *
+ * Examples:
+ * - packages/auth/src/handlers.ts
+ * - lib/auth/middleware.ts
+ * - services/authentication/index.ts
+ */
+function isAuthImplementationFile(filePath) {
+    const authImplPatterns = [
+        /\/packages\/auth\//i,
+        /\/lib\/auth\//i,
+        /\/utils\/auth\//i,
+        /\/services\/auth/i,
+        /\/authentication\//i,
+        /\/auth-provider/i,
+        /\/auth-helpers/i,
+        /\/auth-utils/i,
+        /\/passport-/i, // Passport.js strategy files
+        /\/next-auth\//i, // NextAuth config
+        /\/lucia\//i, // Lucia auth
+        /\/better-auth\//i, // Better Auth
+        /\/supabase\/auth/i, // Supabase auth
+        /\/clerk\//i, // Clerk auth
+        /\/auth0\//i, // Auth0
+        /\/keycloak\//i, // Keycloak
+    ];
+    return authImplPatterns.some(p => p.test(filePath));
+}
+// Check if endpoint is a known public endpoint (health checks, webhooks, cron)
+function isKnownPublicEndpoint(lineContent, filePath) {
+    const PUBLIC_ENDPOINTS = [
+        // Health checks
+        /\/health\b/i,
+        /\/healthz\b/i,
+        /\/ready\b/i,
+        /\/live\b/i,
+        /\/ping\b/i,
+        /\/status\b/i,
+        /\/_health/i,
+        // Webhooks (receive external calls)
+        /\/webhook\b/i,
+        /\/webhooks\//i,
+        /\/callback\b/i,
+        /\/stripe\/webhook/i,
+        /\/clerk\/webhook/i,
+        /\/svix\//i,
+        // Cron/scheduled tasks
+        /\/cron\//i,
+        /\/scheduled\//i,
+        /\/tasks\//i,
+        /\/jobs?\//i,
+        // Public APIs - intentionally unauthenticated
+        /\/public\//i,
+        /\/openpage/i, // OpenPage API pattern (intentionally public)
+        /\/open-api\//i,
+        /\/api\/public\//i,
+        /\/api\/v\d+\/public\//i,
+        /\bGET\b.*\/api\/\w+\/\[id\]/i, // Public resource reads with ID param
+        // Auth endpoints (must be public for users to authenticate)
+        /\/api\/auth\//i,
+        /\/auth\//i,
+        /\/login\b/i,
+        /\/signup\b/i,
+        /\/register\b/i,
+        /\/forgot-password/i,
+        /\/reset-password/i,
+        /\/verify-email/i,
+        /\/magic-link/i,
+        /\/oauth\//i,
+        // RSS/Atom feeds (typically public)
+        /\/feed\b/i,
+        /\/rss\b/i,
+        /\/atom\b/i,
+        // Sitemap/robots (always public)
+        /\/sitemap/i,
+        /\/robots/i,
+        // OpenGraph/meta endpoints
+        /\/og\//i,
+        /\/opengraph/i,
+        /\/meta\//i,
+        // Share/embed endpoints
+        /\/share\//i,
+        /\/embed\//i,
+        /\/widget\//i,
+    ];
+    return PUBLIC_ENDPOINTS.some(pattern => pattern.test(lineContent) || pattern.test(filePath));
+}
+// Check if there are auth indicators in nearby lines (within 15 lines)
+function hasAuthCheckNearby(lines, lineIndex) {
+    const startLine = Math.max(0, lineIndex);
+    const endLine = Math.min(lines.length, lineIndex + 15);
+    const searchWindow = lines.slice(startLine, endLine);
+    const authIndicators = [
+        /authorization/i,
+        /bearer\s+token/i,
+        /req\.user/,
+        /request\.user/,
+        /isAuthenticated/,
+        /requireAuth/,
+        /verifyToken/,
+        /checkPermission/,
+        /getServerSession/,
+        /auth\(\)/,
+        /middleware.*auth/i,
+        /session\s*\.\s*user/,
+        // Internal secret checks (network-level auth)
+        /internal.?secret/i,
+        /INTERNAL_SECRET/,
+        /x-internal-secret/i,
+        /admin.?secret/i,
+        /service.?token/i,
+        // BYOK patterns - user provides their own API key (implicit auth)
+        /userApiKey|user_api_key|clientApiKey/i,
+        /req\.body\.(?:apiKey|api_key|openaiKey|anthropicKey)/i,
+        /headers\[['"`]x-(?:openai|api|anthropic)-key['"`]\]/i,
+        // Next.js / React auth patterns (expanded)
+        /const\s+session\s*=\s*await\s+auth\s*\(\)/, // const session = await auth()
+        /const\s+\{\s*session\s*\}\s*=\s*await\s+auth\s*\(\)/, // const { session } = await auth()
+        /if\s*\(\s*!session\?\.user/, // if (!session?.user)
+        /if\s*\(\s*!session\s*\)/, // if (!session)
+        /session\s*\?\.\s*user/, // session?.user
+        /getServerSession\s*\(\s*authOptions/, // getServerSession(authOptions)
+        /getServerSession\s*\(\s*req\s*,\s*res/, // getServerSession(req, res, ...)
+        /useSession\s*\(\)/, // useSession()
+        /signIn\s*\(/, // signIn()
+        /signOut\s*\(/, // signOut()
+        // Clerk auth patterns
+        /currentUser\s*\(\)/, // currentUser()
+        /auth\s*\(\)\s*\.\s*protect/, // auth().protect
+        /auth\s*\(\)\s*\.\s*userId/, // auth().userId
+        /clerkClient/i,
+        /getAuth\s*\(/,
+        /ClerkProvider/,
+        // Supabase auth patterns
+        /supabase\s*\.\s*auth\s*\.\s*getUser/, // supabase.auth.getUser()
+        /supabase\s*\.\s*auth\s*\.\s*getSession/, // supabase.auth.getSession()
+        /createServerClient/, // Supabase server client
+        /createRouteHandlerClient/,
+        // Lucia auth patterns
+        /lucia\s*\.\s*validateSession/,
+        /validateRequest/,
+        // Better Auth patterns
+        /betterAuth/,
+        /auth\.api\./,
+        // Throwing auth helpers (if these are called, route is authenticated)
+        /throw\s+new\s+Error\s*\(\s*['"]unauthorized/i,
+        /throw\s+new\s+Error\s*\(\s*['"]unauthenticated/i,
+        /ChatSDKError\s*\(\s*['"]unauthorized/i,
+        /return\s+new\s+Response\s*\(\s*.*401/,
+        /return\s+NextResponse\s*\.\s*json\s*\(\s*.*401/,
+    ];
+    return searchWindow.some(line => authIndicators.some(pattern => pattern.test(line)));
+}
+function detectAuthAntipatterns(content, filePath, options = {}) {
+    const { middlewareConfig, authHelpers, fileAuthImports, parsed } = options;
+    const vulnerabilities = [];
+    // Skip scanner/fixture files to avoid self-detection
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    const lines = parsed?.lines ?? content.split('\n');
+    const isAuthFile = isAuthRelatedFile(filePath);
+    const isAuthImpl = isAuthImplementationFile(filePath);
+    // Check framework route hierarchy protection (Remix, Next.js route groups)
+    const routeHierarchy = (0, route_hierarchy_1.getRouteProtectionContext)(filePath);
+    // Check if this route is protected by global middleware
+    const routePath = (0, middleware_detector_1.getRoutePathFromFile)(filePath);
+    const middlewareProtection = routePath && middlewareConfig
+        ? (0, middleware_detector_1.isRouteProtectedByMiddleware)(routePath, middlewareConfig)
+        : { isProtected: false, reason: '' };
+    // Check if file uses imported auth middleware/helpers
+    const importedAuthProtection = fileAuthImports?.get(filePath);
+    const usesImportedAuth = importedAuthProtection?.usesImportedAuth ?? false;
+    // Check if file uses throwing auth helpers
+    const helpersList = authHelpers?.helpers || [];
+    // Check if this is a component only used in authenticated contexts
+    const isAuthOnlyComponent = (0, route_hierarchy_1.isAuthenticatedOnlyComponent)(filePath);
+    lines.forEach((line, index) => {
+        // Skip comment lines
+        if (isComment(line))
+            return;
+        for (const pattern of AUTH_ANTIPATTERNS) {
+            const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+            if (regex.test(line)) {
+                // Special handling for unprotected route patterns
+                if (pattern.name === 'Unprotected API route' ||
+                    pattern.name === 'Express route without auth middleware') {
+                    // PRIORITY -1: Skip auth implementation files entirely
+                    // These files ARE the auth system - flagging them for "missing auth" is conceptually wrong
+                    if (isAuthImpl) {
+                        break; // Skip this pattern
+                    }
+                    // PRIORITY 0: Check if this is actually a route file
+                    // In Next.js, routes must be in `route.ts/js` files. Files like `handlers.ts`,
+                    // `safe-handlers.ts`, `utils.ts` etc. are NOT actual API routes even if they
+                    // export GET/POST functions.
+                    const isActualRouteFile = /\/(route|page)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
+                        /\/(api|routes?)\/.*\/(index|route)\.(ts|js)$/i.test(filePath) ||
+                        // Express/Koa routes typically have 'routes' or 'router' in path
+                        /\/(routes?|router|controllers?)\.[tj]s$/i.test(filePath);
+                    // Files explicitly named as handlers, helpers, utils are not routes
+                    const isUtilityFile = /(handler|helper|util|mock|test|fixture|safe|example)/i.test(filePath);
+                    if (!isActualRouteFile || isUtilityFile) {
+                        // Not an actual route file - skip this finding
+                        break;
+                    }
+                    // PRIORITY 0.5: Check if route is in a protected route hierarchy
+                    // Framework route conventions (Remix _authenticated+, Next.js route groups)
+                    if (routeHierarchy.isInProtectedHierarchy) {
+                        // Route is in a protected hierarchy - cap severity at info
+                        vulnerabilities.push({
+                            id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'missing_auth',
+                            title: pattern.name + ' (in protected route hierarchy)',
+                            description: `This route is within a protected route hierarchy (${routeHierarchy.protectionSource.join(', ')}). Authentication is likely handled by parent layout/middleware.`,
+                            suggestedFix: 'Verify parent layout enforces authentication. If not, add auth check here.',
+                            confidence: 'low',
+                            baseConfidence: BASE_CONFIDENCE,
+                            layer: 2,
+                            source: 'structural',
+                        });
+                        break; // Only report once per line
+                    }
+                    // PRIORITY 0.75: Check if this is a component only used in authenticated contexts
+                    if (isAuthOnlyComponent) {
+                        // Component is in admin/dashboard/etc - skip entirely
+                        break;
+                    }
+                    // PRIORITY 1: Check if route is protected by global middleware
+                    // This is the STRONGEST signal - if middleware protects the route, suppress entirely
+                    if (middlewareProtection.isProtected) {
+                        // Route is authenticated by middleware - no finding needed
+                        break; // Skip this pattern, route is protected
+                    }
+                    // PRIORITY 1.5: Check if file imports and uses auth middleware
+                    // e.g., import { authMiddleware } from '@/lib/auth' + wraps handlers
+                    if (usesImportedAuth) {
+                        // File imports auth middleware and uses it - no finding needed
+                        break; // Skip this pattern, route is protected via imported auth
+                    }
+                    // PRIORITY 2: Check if file uses throwing auth helpers
+                    // If getCurrentUserId() or similar is called, the route is authenticated
+                    const authHelperCall = (0, auth_helper_detector_1.hasAuthHelperCallBefore)(content, index, helpersList);
+                    if (authHelperCall.hasCall && authHelperCall.helper) {
+                        // Route uses a throwing auth helper - no finding needed
+                        // The auth helper guarantees authenticated context
+                        break; // Skip this pattern, route is protected
+                    }
+                    // PRIORITY 3: Check if this is a known public endpoint
+                    if (isKnownPublicEndpoint(line, filePath)) {
+                        vulnerabilities.push({
+                            id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'missing_auth',
+                            title: pattern.name + ' (public endpoint)',
+                            description: 'This appears to be a public endpoint (health check, webhook, cron, etc.). Verify this is intentionally public and consider rate limiting if needed.',
+                            suggestedFix: 'If this is a webhook or cron endpoint, ensure it has appropriate authentication (API keys, signatures, etc.). Health checks typically do not need auth.',
+                            confidence: 'low',
+                            baseConfidence: BASE_CONFIDENCE,
+                            layer: 2,
+                            source: 'structural',
+                        });
+                        break; // Only report once per line
+                    }
+                    // PRIORITY 4: Check if auth check exists nearby (inline check)
+                    if (hasAuthCheckNearby(lines, index)) {
+                        vulnerabilities.push({
+                            id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'low',
+                            category: 'missing_auth',
+                            title: pattern.name,
+                            description: pattern.description + ' (auth check detected in nearby lines)',
+                            suggestedFix: pattern.suggestedFix,
+                            confidence: 'low',
+                            baseConfidence: BASE_CONFIDENCE,
+                            layer: 2,
+                            source: 'structural',
+                        });
+                        break; // Only report once per line
+                    }
+                }
+                // Standard handling for all patterns (or fallback for route patterns)
+                // Boost confidence for auth-related files
+                const confidence = isAuthFile ? 'high' : 'medium';
+                vulnerabilities.push({
+                    id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity: pattern.severity,
+                    category: 'missing_auth',
+                    title: pattern.name,
+                    description: pattern.description,
+                    suggestedFix: pattern.suggestedFix,
+                    confidence,
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                });
+                break; // Only report once per line
+            }
+        }
+    });
+    // Special handling: Password in error message with smart intent detection
+    // Only flag actual password VALUES, not error CODES like 'SAME_PASSWORD'
+    const passwordErrorPattern = /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi;
+    lines.forEach((line, index) => {
+        if (isComment(line))
+            return;
+        if (passwordErrorPattern.test(line)) {
+            // Reset regex state
+            passwordErrorPattern.lastIndex = 0;
+            // Skip if this is an error CODE, not a VALUE
+            if ((0, intent_detector_1.isPasswordErrorCode)(line)) {
+                return; // This is fine - 'SAME_PASSWORD' is a code, not a value
+            }
+            // Only flag if actual password value is in the error
+            if ((0, intent_detector_1.hasPasswordValueInError)(line)) {
+                vulnerabilities.push({
+                    id: `auth-antipattern-${filePath}-${index + 1}-password-in-error`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity: 'high',
+                    category: 'missing_auth',
+                    title: 'Password value in error message',
+                    description: 'Actual password value may be included in error message, exposing sensitive data.',
+                    suggestedFix: 'Never include actual password values in error messages. Use error codes instead.',
+                    confidence: 'high',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                });
+            }
+        }
+    });
+    // Special handling: 2FA optional fields with OR validation
+    // Don't flag .optional() on 2FA fields if there's .refine() enforcing OR logic
+    const twoFAOptionalPattern = /\.(totp|otp|backupCode|recoveryCode|twoFactor|2fa|mfa).*\.optional\s*\(\)/gi;
+    lines.forEach((line, index) => {
+        if (isComment(line))
+            return;
+        if (twoFAOptionalPattern.test(line)) {
+            // Reset regex state
+            twoFAOptionalPattern.lastIndex = 0;
+            // Check if this is legitimate OR validation (either TOTP or backup code required)
+            if ((0, schema_semantics_1.is2FAOrValidation)(content, index)) {
+                // This is legitimate OR validation - skip or report as info
+                return;
+            }
+            // Only flag if this truly allows bypassing 2FA
+            // Most cases with .refine() are fine - this is handled by schema-semantics.ts
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=auth-patterns.js.map

package/dist/detect/structural/auth-patterns.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-patterns.js","sourceRoot":"","sources":["../../../src/detect/structural/auth-patterns.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAiXH,wDAmPC;AA/lBD,yEAAoG;AAEpG,2EAAoG;AAEpG,iEAAoE;AACpE,iEAAqG;AACrG,oEAAiE;AACjE,kEAA2F;AAE3F,MAAM,eAAe,GAAG,IAAI,CAAA;AAU5B,MAAM,iBAAiB,GAAsB;IAC3C,sBAAsB;IACtB;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,mEAAmE;QAC5E,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,oEAAoE;QACjF,YAAY,EAAE,4EAA4E;KAC3F;IACD;QACE,IAAI,EAAE,uCAAuC;QAC7C,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE,wDAAwD;KACvE;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,8GAA8G;QACvH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,kDAAkD;KACjE;IACD;QACE,IAAI,EAAE,mCAAmC;QACzC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;QACtD,YAAY,EAAE,2DAA2D;KAC1E;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,6DAA6D;KAC5E;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8CAA8C;QACvD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qCAAqC;QAClD,YAAY,EAAE,6EAA6E;KAC5F;IAED,iBAAiB;IACjB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,4CAA4C;KAC3D;IACD,mEAAmE;IACnE,mFAAmF;IACnF,oDAAoD;IACpD,sFAAsF;IAEtF,uBAAuB;IACvB,uFAAuF;IACvF,kFAAkF;IAClF,0CAA0C;IAC1C;QACE,IAAI,EAAE,wCAAwC;QAC9C,OAAO,EAAE,uFAAuF;QAChG,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,+EAA+E;QAC5F,YAAY,EAAE,wDAAwD;KACvE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,mHAAmH;QAC5H,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,mDAAmD;QAChE,YAAY,EAAE,qDAAqD;KACpE;IAED,0BAA0B;IAC1B;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,qDAAqD;KACpE;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE,wCAAwC;KACvD;IAED,2BAA2B;IAC3B,0EAA0E;IAC1E,6FAA6F;IAC7F,gEAAgE;IAChE;QACE,IAAI,EAAE,+BAA+B;QACrC,iFAAiF;QACjF,2EAA2E;QAC3E,OAAO,EAAE,sFAAsF;QAC/F,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,kEAAkE;KACjF;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mCAAmC;QAChD,YAAY,EAAE,8CAA8C;KAC7D;IACD,4EAA4E;IAC5E,+EAA+E;IAC/E,mEAAmE;IACnE,8DAA8D;IAE9D,gBAAgB;IAChB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uCAAuC;QACpD,YAAY,EAAE,kDAAkD;KACjE;IAED,aAAa;IACb;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,yDAAyD;QAClE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;QACxD,YAAY,EAAE,yCAAyC;KACxD;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,+CAA+C;AAC/C,SAAS,iBAAiB,CAAC,QAAgB;IACzC,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA;IACvH,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAA;IACxC,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,wBAAwB,CAAC,QAAgB;IAChD,MAAM,gBAAgB,GAAG;QACvB,qBAAqB;QACrB,gBAAgB;QAChB,kBAAkB;QAClB,mBAAmB;QACnB,qBAAqB;QACrB,kBAAkB;QAClB,iBAAiB;QACjB,eAAe;QACf,cAAc,EAAe,6BAA6B;QAC1D,gBAAgB,EAAa,kBAAkB;QAC/C,YAAY,EAAiB,aAAa;QAC1C,kBAAkB,EAAW,cAAc;QAC3C,mBAAmB,EAAU,gBAAgB;QAC7C,YAAY,EAAiB,aAAa;QAC1C,YAAY,EAAiB,QAAQ;QACrC,eAAe,EAAc,WAAW;KACzC,CAAA;IACD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACrD,CAAC;AAED,+EAA+E;AAC/E,SAAS,qBAAqB,CAAC,WAAmB,EAAE,QAAgB;IAClE,MAAM,gBAAgB,GAAG;QACvB,gBAAgB;QAChB,aAAa;QACb,cAAc;QACd,YAAY;QACZ,WAAW;QACX,WAAW;QACX,aAAa;QACb,YAAY;QAEZ,oCAAoC;QACpC,cAAc;QACd,eAAe;QACf,eAAe;QACf,oBAAoB;QACpB,mBAAmB;QACnB,WAAW;QAEX,uBAAuB;QACvB,WAAW;QACX,gBAAgB;QAChB,YAAY;QACZ,YAAY;QAEZ,8CAA8C;QAC9C,aAAa;QACb,aAAa,EAAS,8CAA8C;QACpE,eAAe;QACf,kBAAkB;QAClB,wBAAwB;QACxB,8BAA8B,EAAG,sCAAsC;QAEvE,4DAA4D;QAC5D,gBAAgB;QAChB,WAAW;QACX,YAAY;QACZ,aAAa;QACb,eAAe;QACf,oBAAoB;QACpB,mBAAmB;QACnB,iBAAiB;QACjB,eAAe;QACf,YAAY;QAEZ,oCAAoC;QACpC,WAAW;QACX,UAAU;QACV,WAAW;QAEX,iCAAiC;QACjC,YAAY;QACZ,WAAW;QAEX,2BAA2B;QAC3B,SAAS;QACT,cAAc;QACd,WAAW;QAEX,wBAAwB;QACxB,YAAY;QACZ,YAAY;QACZ,aAAa;KACd,CAAA;IAED,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACrC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CACpD,CAAA;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,kBAAkB,CAAC,KAAe,EAAE,SAAiB;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,EAAE,CAAC,CAAA;IACtD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;IAEpD,MAAM,cAAc,GAAG;QACrB,gBAAgB;QAChB,iBAAiB;QACjB,WAAW;QACX,eAAe;QACf,iBAAiB;QACjB,aAAa;QACb,aAAa;QACb,iBAAiB;QACjB,kBAAkB;QAClB,UAAU;QACV,mBAAmB;QACnB,qBAAqB;QACrB,8CAA8C;QAC9C,mBAAmB;QACnB,iBAAiB;QACjB,oBAAoB;QACpB,gBAAgB;QAChB,iBAAiB;QACjB,kEAAkE;QAClE,uCAAuC;QACvC,uDAAuD;QACvD,sDAAsD;QAEtD,2CAA2C;QAC3C,2CAA2C,EAAW,+BAA+B;QACrF,qDAAqD,EAAE,mCAAmC;QAC1F,4BAA4B,EAA2B,sBAAsB;QAC7E,yBAAyB,EAA8B,gBAAgB;QACvE,uBAAuB,EAAgC,gBAAgB;QACvE,qCAAqC,EAAkB,gCAAgC;QACvF,uCAAuC,EAAe,kCAAkC;QACxF,mBAAmB,EAAoC,eAAe;QACtE,aAAa,EAA0C,WAAW;QAClE,cAAc,EAAyC,YAAY;QAEnE,sBAAsB;QACtB,oBAAoB,EAAmC,gBAAgB;QACvE,4BAA4B,EAA0B,iBAAiB;QACvE,2BAA2B,EAA2B,gBAAgB;QACtE,cAAc;QACd,cAAc;QACd,eAAe;QAEf,yBAAyB;QACzB,qCAAqC,EAAgB,0BAA0B;QAC/E,wCAAwC,EAAa,6BAA6B;QAClF,oBAAoB,EAAmC,yBAAyB;QAChF,0BAA0B;QAE1B,sBAAsB;QACtB,8BAA8B;QAC9B,iBAAiB;QAEjB,uBAAuB;QACvB,YAAY;QACZ,aAAa;QAEb,sEAAsE;QACtE,8CAA8C;QAC9C,iDAAiD;QACjD,uCAAuC;QACvC,sCAAsC;QACtC,gDAAgD;KACjD,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9B,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CACnD,CAAA;AACH,CAAC;AASD,SAAgB,sBAAsB,CACpC,OAAe,EACf,QAAgB,EAChB,UAAkC,EAAE;IAEpC,MAAM,EAAE,gBAAgB,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAC1E,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAClD,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAA;IAC9C,MAAM,UAAU,GAAG,wBAAwB,CAAC,QAAQ,CAAC,CAAA;IAErD,2EAA2E;IAC3E,MAAM,cAAc,GAAG,IAAA,2CAAyB,EAAC,QAAQ,CAAC,CAAA;IAE1D,wDAAwD;IACxD,MAAM,SAAS,GAAG,IAAA,0CAAoB,EAAC,QAAQ,CAAC,CAAA;IAChD,MAAM,oBAAoB,GAAG,SAAS,IAAI,gBAAgB;QACxD,CAAC,CAAC,IAAA,kDAA4B,EAAC,SAAS,EAAE,gBAAgB,CAAC;QAC3D,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAA;IAEtC,sDAAsD;IACtD,MAAM,sBAAsB,GAAG,eAAe,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAA;IAC7D,MAAM,gBAAgB,GAAG,sBAAsB,EAAE,gBAAgB,IAAI,KAAK,CAAA;IAE1E,2CAA2C;IAC3C,MAAM,WAAW,GAAG,WAAW,EAAE,OAAO,IAAI,EAAE,CAAA;IAE9C,mEAAmE;IACnE,MAAM,mBAAmB,GAAG,IAAA,8CAA4B,EAAC,QAAQ,CAAC,CAAA;IAElE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,qBAAqB;QACrB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,kDAAkD;gBAClD,IAAI,OAAO,CAAC,IAAI,KAAK,uBAAuB;oBACxC,OAAO,CAAC,IAAI,KAAK,uCAAuC,EAAE,CAAC;oBAE7D,uDAAuD;oBACvD,2FAA2F;oBAC3F,IAAI,UAAU,EAAE,CAAC;wBACf,MAAK,CAAC,oBAAoB;oBAC5B,CAAC;oBAED,qDAAqD;oBACrD,+EAA+E;oBAC/E,6EAA6E;oBAC7E,6BAA6B;oBAC7B,MAAM,iBAAiB,GAAG,mCAAmC,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC1E,+CAA+C,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC9D,iEAAiE;wBACjE,0CAA0C,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAE3D,oEAAoE;oBACpE,MAAM,aAAa,GAAG,uDAAuD,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAE5F,IAAI,CAAC,iBAAiB,IAAI,aAAa,EAAE,CAAC;wBACxC,+CAA+C;wBAC/C,MAAK;oBACP,CAAC;oBAED,iEAAiE;oBACjE,4EAA4E;oBAC5E,IAAI,cAAc,CAAC,sBAAsB,EAAE,CAAC;wBAC1C,2DAA2D;wBAC3D,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI,GAAG,iCAAiC;4BACvD,WAAW,EAAE,qDAAqD,cAAc,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,kEAAkE;4BAC9K,YAAY,EAAE,4EAA4E;4BAC1F,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;oBAED,kFAAkF;oBAClF,IAAI,mBAAmB,EAAE,CAAC;wBACxB,sDAAsD;wBACtD,MAAK;oBACP,CAAC;oBAED,+DAA+D;oBAC/D,qFAAqF;oBACrF,IAAI,oBAAoB,CAAC,WAAW,EAAE,CAAC;wBACrC,2DAA2D;wBAC3D,MAAK,CAAC,wCAAwC;oBAChD,CAAC;oBAED,+DAA+D;oBAC/D,qEAAqE;oBACrE,IAAI,gBAAgB,EAAE,CAAC;wBACrB,+DAA+D;wBAC/D,MAAK,CAAC,0DAA0D;oBAClE,CAAC;oBAED,uDAAuD;oBACvD,yEAAyE;oBACzE,MAAM,cAAc,GAAG,IAAA,8CAAuB,EAAC,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC,CAAA;oBAC3E,IAAI,cAAc,CAAC,OAAO,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC;wBACpD,wDAAwD;wBACxD,mDAAmD;wBACnD,MAAK,CAAC,wCAAwC;oBAChD,CAAC;oBAED,uDAAuD;oBACvD,IAAI,qBAAqB,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;wBAC1C,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI,GAAG,oBAAoB;4BAC1C,WAAW,EAAE,qJAAqJ;4BAClK,YAAY,EAAE,yJAAyJ;4BACvK,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;oBAED,+DAA+D;oBAC/D,IAAI,kBAAkB,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;wBACrC,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,KAAK;4BACf,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,OAAO,CAAC,WAAW,GAAG,wCAAwC;4BAC3E,YAAY,EAAE,OAAO,CAAC,YAAY;4BAClC,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;gBACH,CAAC;gBAED,sEAAsE;gBACtE,0CAA0C;gBAC1C,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;gBAEjD,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;oBAC/D,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,OAAO,CAAC,IAAI;oBACnB,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,YAAY,EAAE,OAAO,CAAC,YAAY;oBAClC,UAAU;oBACV,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,yEAAyE;IACzE,MAAM,oBAAoB,GAAG,iEAAiE,CAAA;IAC9F,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,oBAAoB;YACpB,oBAAoB,CAAC,SAAS,GAAG,CAAC,CAAA;YAElC,6CAA6C;YAC7C,IAAI,IAAA,qCAAmB,EAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,OAAM,CAAC,wDAAwD;YACjE,CAAC;YAED,qDAAqD;YACrD,IAAI,IAAA,yCAAuB,EAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,oBAAoB;oBACjE,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,iCAAiC;oBACxC,WAAW,EAAE,kFAAkF;oBAC/F,YAAY,EAAE,kFAAkF;oBAChG,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2DAA2D;IAC3D,+EAA+E;IAC/E,MAAM,oBAAoB,GAAG,6EAA6E,CAAA;IAC1G,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,oBAAoB;YACpB,oBAAoB,CAAC,SAAS,GAAG,CAAC,CAAA;YAElC,kFAAkF;YAClF,IAAI,IAAA,oCAAiB,EAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;gBACtC,4DAA4D;gBAC5D,OAAM;YACR,CAAC;YAED,+CAA+C;YAC/C,8EAA8E;QAChF,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/dangerous-functions/child-process.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Child Process Detection
+ *
+ * Detection logic for child_process functions (exec, spawn, execFile, etc.)
+ * that can lead to command injection vulnerabilities.
+ */
+/**
+ * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
+ * Returns true if this is a child_process exec call that should be flagged
+ */
+export declare function isChildProcessExec(content: string, lineContent: string): boolean;
+/**
+ * Check if spawn/execFile/execSync is from child_process
+ */
+export declare function isChildProcessSpawn(content: string, lineContent: string): boolean;
+//# sourceMappingURL=child-process.d.ts.map

package/dist/detect/structural/dangerous-functions/child-process.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"child-process.d.ts","sourceRoot":"","sources":["../../../../src/detect/structural/dangerous-functions/child-process.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAiEhF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAgBjF"}

package/dist/detect/structural/dangerous-functions/child-process.js ADDED Viewed

@@ -0,0 +1,74 @@
+"use strict";
+/**
+ * Child Process Detection
+ *
+ * Detection logic for child_process functions (exec, spawn, execFile, etc.)
+ * that can lead to command injection vulnerabilities.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isChildProcessExec = isChildProcessExec;
+exports.isChildProcessSpawn = isChildProcessSpawn;
+/**
+ * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
+ * Returns true if this is a child_process exec call that should be flagged
+ */
+function isChildProcessExec(content, lineContent) {
+    // Check for child_process import
+    const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]child_process['"]/.test(content) ||
+        /import\s+.*child_process/.test(content) ||
+        /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]node:child_process['"]/.test(content);
+    // If no child_process import, this is likely RegExp.exec or similar
+    if (!hasChildProcessImport) {
+        return false;
+    }
+    // Check if this specific line is RegExp.exec pattern
+    // RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
+    const isRegExpExec = /\.\s*exec\s*\(/.test(lineContent) && // Method call on an object
+        !/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')); // Not a standalone exec()
+    // Also check for common RegExp patterns
+    const isRegExpPattern = /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) || // /pattern/.exec()
+        /new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) || // new RegExp().exec()
+        /regex\.exec\s*\(/i.test(lineContent) || // regex.exec()
+        /pattern\.exec\s*\(/i.test(lineContent) || // pattern.exec()
+        /match\.exec\s*\(/i.test(lineContent) || // match.exec()
+        /re\.exec\s*\(/i.test(lineContent); // re.exec()
+    if (isRegExpExec || isRegExpPattern) {
+        return false;
+    }
+    // Check if exec is imported/destructured from child_process
+    const execImported = /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(content) ||
+        /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(content) ||
+        /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(content) ||
+        /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(content);
+    // If exec is directly imported from child_process, standalone exec() is dangerous
+    if (execImported && /\bexec\s*\(/.test(lineContent)) {
+        return true;
+    }
+    // Check for child_process.exec() pattern
+    if (/child_process\.exec\s*\(/.test(lineContent) ||
+        /cp\.exec\s*\(/.test(lineContent) ||
+        /childProcess\.exec\s*\(/.test(lineContent)) {
+        return true;
+    }
+    // If we have child_process import but can't determine usage, be conservative
+    // Only flag if it looks like a standalone exec() call
+    return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent);
+}
+/**
+ * Check if spawn/execFile/execSync is from child_process
+ */
+function isChildProcessSpawn(content, lineContent) {
+    // Check for child_process import
+    const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]child_process['"]/.test(content) ||
+        /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]node:child_process['"]/.test(content);
+    if (!hasChildProcessImport) {
+        return false;
+    }
+    // These functions are always from child_process when that module is imported
+    return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(lineContent);
+}
+//# sourceMappingURL=child-process.js.map