@oculum/scanner 1.0.11 → 1.0.13

package/dist/layer3/anthropic/prompts/modules/index.js

@@ -0,0 +1,185 @@
+"use strict";
+/**
+ * Prompt Module System
+ *
+ * Provides category-aware prompt assembly for AI validation.
+ * Only includes relevant prompt sections based on the categories in each batch,
+ * reducing token usage by ~40-60% while maintaining identical behavior.
+ *
+ * Modules are assembled in fixed order to maximize Anthropic prefix cache hits.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OWASP_CLASSIC_MODULE = exports.AI_PATTERNS_MODULE = exports.SECRETS_CRYPTO_MODULE = exports.XSS_PROMPT_MODULE = exports.AUTH_ACCESS_MODULE = exports.COMMON_PROMPT = exports.INTENTIONALLY_UNMAPPED = exports.CATEGORY_TO_MODULE = void 0;
+exports.assembleValidationPrompt = assembleValidationPrompt;
+exports.getFullValidationPrompt = getFullValidationPrompt;
+const common_1 = require("./common");
+const auth_access_1 = require("./auth-access");
+const xss_prompt_1 = require("./xss-prompt");
+const secrets_crypto_1 = require("./secrets-crypto");
+const ai_patterns_1 = require("./ai-patterns");
+const owasp_classic_1 = require("./owasp-classic");
+// ============================================================================
+// Module Definitions (fixed order for prefix cache hits)
+// ============================================================================
+const MODULES = [
+    {
+        name: 'auth_access',
+        content: auth_access_1.AUTH_ACCESS_MODULE,
+        categories: new Set(['missing_auth', 'security_bypass']),
+    },
+    {
+        name: 'xss_prompt',
+        content: xss_prompt_1.XSS_PROMPT_MODULE,
+        categories: new Set(['xss', 'ai_prompt_injection']),
+    },
+    {
+        name: 'secrets_crypto',
+        content: secrets_crypto_1.SECRETS_CRYPTO_MODULE,
+        categories: new Set([
+            'hardcoded_secret',
+            'high_entropy_string',
+            'sensitive_variable',
+            'weak_crypto',
+        ]),
+    },
+    {
+        name: 'ai_patterns',
+        content: ai_patterns_1.AI_PATTERNS_MODULE,
+        categories: new Set([
+            'ai_pattern',
+            'ai_prompt_injection',
+            'ai_unsafe_execution',
+            'ai_overpermissive_tool',
+            'suspicious_package',
+            'ai_rag_exfiltration',
+            'ai_endpoint_unprotected',
+            'ai_schema_mismatch',
+            'ai_package_hallucination',
+            'ai_rag_corpus_poisoning',
+            'ai_rag_pii_leakage',
+            'ai_mcp_tool_poisoning',
+            'ai_mcp_credential_issue',
+            'ai_mcp_confused_deputy',
+            'ai_mcp_description_injection',
+            'ai_mcp_server_shadowing',
+            'ai_mcp_config_secrets',
+            'ai_mcp_config_permissions',
+            'ai_rag_query_injection',
+            'ai_rag_embedding_poisoning',
+            'ai_rag_chunk_injection',
+            'ai_package_typosquat',
+            'ai_package_malicious',
+            'ai_unsafe_model_load',
+            'ai_unverified_model',
+            'ai_unsafe_finetuning',
+            'ai_excessive_agency',
+        ]),
+    },
+    {
+        name: 'owasp_classic',
+        content: owasp_classic_1.OWASP_CLASSIC_MODULE,
+        categories: new Set([
+            'missing_security_headers',
+            'ssrf',
+            'log_injection',
+            'xxe',
+        ]),
+    },
+];
+// ============================================================================
+// Category-to-Module Mapping
+// ============================================================================
+/**
+ * Maps each VulnerabilityCategory to the module(s) it requires.
+ * Categories not in this map get COMMON only (intentionally unmapped).
+ */
+exports.CATEGORY_TO_MODULE = (() => {
+    const map = new Map();
+    for (const mod of MODULES) {
+        for (const cat of mod.categories) {
+            const existing = map.get(cat) || [];
+            existing.push(mod.name);
+            map.set(cat, existing);
+        }
+    }
+    return map;
+})();
+/**
+ * Categories that are intentionally unmapped to any specific module.
+ * They get the COMMON prompt only (which includes condensed heuristic reminders).
+ * If a new category is added to VulnerabilityCategory but not here or in CATEGORY_TO_MODULE,
+ * the category completeness test will fail.
+ */
+exports.INTENTIONALLY_UNMAPPED = new Set([
+    'dangerous_function',
+    'sql_injection',
+    'command_injection',
+    'insecure_config',
+    'cors_misconfiguration',
+    'root_container',
+    'dangerous_file',
+    'sensitive_url',
+    'data_exposure',
+]);
+// ============================================================================
+// Assembler Functions
+// ============================================================================
+/**
+ * Assemble a validation prompt containing only the modules relevant to
+ * the given set of vulnerability categories.
+ *
+ * Always starts with COMMON, then adds modules in fixed order:
+ * auth_access -> xss_prompt -> secrets_crypto -> ai_patterns -> owasp_classic
+ *
+ * Deterministic ordering ensures Anthropic prefix cache hits across batches.
+ *
+ * @param categories - The vulnerability categories present in the current batch
+ * @returns The assembled prompt string
+ */
+function assembleValidationPrompt(categories) {
+    // Determine which modules are needed
+    const neededModules = new Set();
+    for (const cat of categories) {
+        const modules = exports.CATEGORY_TO_MODULE.get(cat);
+        if (modules) {
+            for (const mod of modules) {
+                neededModules.add(mod);
+            }
+        }
+        // Unmapped categories just get COMMON (no additional module)
+    }
+    // Build prompt: COMMON first, then modules in fixed order
+    const parts = [common_1.COMMON_PROMPT];
+    for (const mod of MODULES) {
+        if (neededModules.has(mod.name)) {
+            parts.push(mod.content);
+        }
+    }
+    return parts.join('\n');
+}
+/**
+ * Get the full validation prompt with all modules included.
+ * Equivalent to the old monolithic HIGH_CONTEXT_VALIDATION_PROMPT.
+ * Used for legacy compatibility and the completeness test.
+ */
+function getFullValidationPrompt() {
+    const parts = [common_1.COMMON_PROMPT];
+    for (const mod of MODULES) {
+        parts.push(mod.content);
+    }
+    return parts.join('\n');
+}
+// Re-export module constants for direct access in tests
+var common_2 = require("./common");
+Object.defineProperty(exports, "COMMON_PROMPT", { enumerable: true, get: function () { return common_2.COMMON_PROMPT; } });
+var auth_access_2 = require("./auth-access");
+Object.defineProperty(exports, "AUTH_ACCESS_MODULE", { enumerable: true, get: function () { return auth_access_2.AUTH_ACCESS_MODULE; } });
+var xss_prompt_2 = require("./xss-prompt");
+Object.defineProperty(exports, "XSS_PROMPT_MODULE", { enumerable: true, get: function () { return xss_prompt_2.XSS_PROMPT_MODULE; } });
+var secrets_crypto_2 = require("./secrets-crypto");
+Object.defineProperty(exports, "SECRETS_CRYPTO_MODULE", { enumerable: true, get: function () { return secrets_crypto_2.SECRETS_CRYPTO_MODULE; } });
+var ai_patterns_2 = require("./ai-patterns");
+Object.defineProperty(exports, "AI_PATTERNS_MODULE", { enumerable: true, get: function () { return ai_patterns_2.AI_PATTERNS_MODULE; } });
+var owasp_classic_2 = require("./owasp-classic");
+Object.defineProperty(exports, "OWASP_CLASSIC_MODULE", { enumerable: true, get: function () { return owasp_classic_2.OWASP_CLASSIC_MODULE; } });
+//# sourceMappingURL=index.js.map

package/dist/layer3/anthropic/prompts/modules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAuJH,4DAsBC;AAOD,0DAMC;AAvLD,qCAAwC;AACxC,+CAAkD;AAClD,6CAAgD;AAChD,qDAAwD;AACxD,+CAAkD;AAClD,mDAAsD;AAmBtD,+EAA+E;AAC/E,yDAAyD;AACzD,+EAA+E;AAE/E,MAAM,OAAO,GAA4B;IACvC;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,gCAAkB;QAC3B,UAAU,EAAE,IAAI,GAAG,CAAwB,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;KAChF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,8BAAiB;QAC1B,UAAU,EAAE,IAAI,GAAG,CAAwB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;KAC3E;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,sCAAqB;QAC9B,UAAU,EAAE,IAAI,GAAG,CAAwB;YACzC,kBAAkB;YAClB,qBAAqB;YACrB,oBAAoB;YACpB,aAAa;SACd,CAAC;KACH;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,gCAAkB;QAC3B,UAAU,EAAE,IAAI,GAAG,CAAwB;YACzC,YAAY;YACZ,qBAAqB;YACrB,qBAAqB;YACrB,wBAAwB;YACxB,oBAAoB;YACpB,qBAAqB;YACrB,yBAAyB;YACzB,oBAAoB;YACpB,0BAA0B;YAC1B,yBAAyB;YACzB,oBAAoB;YACpB,uBAAuB;YACvB,yBAAyB;YACzB,wBAAwB;YACxB,8BAA8B;YAC9B,yBAAyB;YACzB,uBAAuB;YACvB,2BAA2B;YAC3B,wBAAwB;YACxB,4BAA4B;YAC5B,wBAAwB;YACxB,sBAAsB;YACtB,sBAAsB;YACtB,sBAAsB;YACtB,qBAAqB;YACrB,sBAAsB;YACtB,qBAAqB;SACtB,CAAC;KACH;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,oCAAoB;QAC7B,UAAU,EAAE,IAAI,GAAG,CAAwB;YACzC,0BAA0B;YAC1B,MAAM;YACN,eAAe;YACf,KAAK;SACN,CAAC;KACH;CACO,CAAA;AAEV,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E;;;GAGG;AACU,QAAA,kBAAkB,GAA2D,CAAC,GAAG,EAAE;IAC9F,MAAM,GAAG,GAAG,IAAI,GAAG,EAA6C,CAAA;IAChE,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;YACnC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YACvB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC,CAAC,EAAE,CAAA;AAEJ;;;;;GAKG;AACU,QAAA,sBAAsB,GAAuC,IAAI,GAAG,CAAC;IAChF,oBAAoB;IACpB,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,uBAAuB;IACvB,gBAAgB;IAChB,gBAAgB;IAChB,eAAe;IACf,eAAe;CAChB,CAAC,CAAA;AAEF,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;;;;;;;;;;GAWG;AACH,SAAgB,wBAAwB,CAAC,UAAmC;IAC1E,qCAAqC;IACrC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAoB,CAAA;IACjD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,0BAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC3C,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;QACD,6DAA6D;IAC/D,CAAC;IAED,0DAA0D;IAC1D,MAAM,KAAK,GAAa,CAAC,sBAAa,CAAC,CAAA;IACvC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACzB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAED;;;;GAIG;AACH,SAAgB,uBAAuB;IACrC,MAAM,KAAK,GAAa,CAAC,sBAAa,CAAC,CAAA;IACvC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACzB,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAED,wDAAwD;AACxD,mCAAwC;AAA/B,uGAAA,aAAa,OAAA;AACtB,6CAAkD;AAAzC,iHAAA,kBAAkB,OAAA;AAC3B,2CAAgD;AAAvC,+GAAA,iBAAiB,OAAA;AAC1B,mDAAwD;AAA/C,uHAAA,qBAAqB,OAAA;AAC9B,6CAAkD;AAAzC,iHAAA,kBAAkB,OAAA;AAC3B,iDAAsD;AAA7C,qHAAA,oBAAoB,OAAA"}

package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts

@@ -0,0 +1,8 @@
+/**
+ * OWASP Classic Module
+ *
+ * Categories: missing_security_headers, ssrf, log_injection, xxe
+ * Contains rules for classic OWASP vulnerabilities added in Workstream 1.
+ */
+export declare const OWASP_CLASSIC_MODULE = "\n### Missing Security Headers (missing_security_headers)\nHTTP security headers protect against common web attacks.\n\n**CDN/Reverse Proxy Headers:**\n- If project deploys behind Cloudflare, Vercel, AWS CloudFront -> **REJECT** (CDN adds headers)\n- If Vercel deployment (Next.js) and using middleware for headers -> **REJECT**\n- Dev-only server config -> **INFO** (not production-facing)\n\n**Express without Helmet:**\n- No helmet AND no manual header setting -> **MEDIUM** (real gap)\n- Has helmet but CSP disabled -> **LOW** (partial protection)\n- Framework adds headers automatically (e.g., Fastify with @fastify/helmet) -> **REJECT**\n\n**Next.js Config:**\n- No headers() but uses middleware.ts for headers -> **REJECT** (headers set in middleware)\n- No headers() and no middleware -> **MEDIUM** (suggest adding)\n\n### Server-Side Request Forgery (ssrf)\nSSRF allows servers to make requests to unintended destinations.\n\n**Direct Taint (req.body/query -> fetch/axios):**\n- User input directly in HTTP request -> **HIGH** (clear SSRF)\n- URL from environment variable (process.env) -> **REJECT** (not user-controlled)\n- URL from config object/constant -> **REJECT** (not user-controlled)\n- URL from database with auth-scoped query -> **LOW** (indirect, needs review)\n\n**Mitigations:**\n- Allowlist/whitelist validation nearby -> **REJECT** or **INFO**\n- URL validation with hostname/origin check -> **LOW** (partial mitigation)\n- IP range checking (isPrivateIP, block 10.x/192.168.x) -> **REJECT** (properly mitigated)\n\n**SSRF is Server-Only:**\n- Client-side fetch() in browser -> **REJECT** (not SSRF, browser makes the request)\n- 'use client' files -> **REJECT**\n\n### Log Injection (log_injection)\nUnsanitized user input in logs can forge entries.\n\n**Structured Logging:**\n- JSON-formatted structured logging (pino, winston JSON) with redaction -> **REJECT**\n- Structured logging without redaction -> **INFO** (good pattern, suggest redaction)\n\n**Request Data in Logs:**\n- req.headers in console.log -> **MEDIUM** (CRLF injection risk)\n- req.body field in console.log -> **LOW** (log forging)\n- req.ip, req.method, req.url -> **REJECT** (server-controlled, standard logging)\n\n**Not Log Injection:**\n- Error objects in catch blocks (console.error(err)) -> **REJECT**\n- Internal IDs (userId, sessionId) -> **REJECT** (not from request)\n- Static strings -> **REJECT**\n- Morgan/express-winston middleware -> **REJECT** (intentional access logging)\n\n### XML External Entity (xxe)\nXXE allows attackers to read server files via XML parsing.\n\n**Python:**\n- defusedxml imported anywhere in file -> **REJECT** (safe library)\n- Standard xml.etree/lxml without defusedxml -> **HIGH** (Python XML is vulnerable by default)\n\n**Java:**\n- DocumentBuilderFactory with disallow-doctype-decl feature -> **REJECT** (safe)\n- Without feature -> **HIGH** (Java defaults are unsafe)\n\n**Node.js:**\n- xml2js v0.5+: safer defaults -> **MEDIUM** (may still be vulnerable on older versions)\n- fast-xml-parser with processEntities: false -> **REJECT** (safe)\n- DOMParser in browser/client -> **REJECT** (browsers block XXE)\n\n**PHP:**\n- libxml_disable_entity_loader(true) before parsing -> **REJECT** (safe)\n- Without disable -> **HIGH**\n";
+//# sourceMappingURL=owasp-classic.d.ts.map

package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"owasp-classic.d.ts","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/owasp-classic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,oBAAoB,6sGAyEhC,CAAA"}

package/dist/layer3/anthropic/prompts/modules/owasp-classic.js

@@ -0,0 +1,84 @@
+"use strict";
+/**
+ * OWASP Classic Module
+ *
+ * Categories: missing_security_headers, ssrf, log_injection, xxe
+ * Contains rules for classic OWASP vulnerabilities added in Workstream 1.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OWASP_CLASSIC_MODULE = void 0;
+exports.OWASP_CLASSIC_MODULE = `
+### Missing Security Headers (missing_security_headers)
+HTTP security headers protect against common web attacks.
+
+**CDN/Reverse Proxy Headers:**
+- If project deploys behind Cloudflare, Vercel, AWS CloudFront -> **REJECT** (CDN adds headers)
+- If Vercel deployment (Next.js) and using middleware for headers -> **REJECT**
+- Dev-only server config -> **INFO** (not production-facing)
+
+**Express without Helmet:**
+- No helmet AND no manual header setting -> **MEDIUM** (real gap)
+- Has helmet but CSP disabled -> **LOW** (partial protection)
+- Framework adds headers automatically (e.g., Fastify with @fastify/helmet) -> **REJECT**
+
+**Next.js Config:**
+- No headers() but uses middleware.ts for headers -> **REJECT** (headers set in middleware)
+- No headers() and no middleware -> **MEDIUM** (suggest adding)
+
+### Server-Side Request Forgery (ssrf)
+SSRF allows servers to make requests to unintended destinations.
+
+**Direct Taint (req.body/query -> fetch/axios):**
+- User input directly in HTTP request -> **HIGH** (clear SSRF)
+- URL from environment variable (process.env) -> **REJECT** (not user-controlled)
+- URL from config object/constant -> **REJECT** (not user-controlled)
+- URL from database with auth-scoped query -> **LOW** (indirect, needs review)
+
+**Mitigations:**
+- Allowlist/whitelist validation nearby -> **REJECT** or **INFO**
+- URL validation with hostname/origin check -> **LOW** (partial mitigation)
+- IP range checking (isPrivateIP, block 10.x/192.168.x) -> **REJECT** (properly mitigated)
+
+**SSRF is Server-Only:**
+- Client-side fetch() in browser -> **REJECT** (not SSRF, browser makes the request)
+- 'use client' files -> **REJECT**
+
+### Log Injection (log_injection)
+Unsanitized user input in logs can forge entries.
+
+**Structured Logging:**
+- JSON-formatted structured logging (pino, winston JSON) with redaction -> **REJECT**
+- Structured logging without redaction -> **INFO** (good pattern, suggest redaction)
+
+**Request Data in Logs:**
+- req.headers in console.log -> **MEDIUM** (CRLF injection risk)
+- req.body field in console.log -> **LOW** (log forging)
+- req.ip, req.method, req.url -> **REJECT** (server-controlled, standard logging)
+
+**Not Log Injection:**
+- Error objects in catch blocks (console.error(err)) -> **REJECT**
+- Internal IDs (userId, sessionId) -> **REJECT** (not from request)
+- Static strings -> **REJECT**
+- Morgan/express-winston middleware -> **REJECT** (intentional access logging)
+
+### XML External Entity (xxe)
+XXE allows attackers to read server files via XML parsing.
+
+**Python:**
+- defusedxml imported anywhere in file -> **REJECT** (safe library)
+- Standard xml.etree/lxml without defusedxml -> **HIGH** (Python XML is vulnerable by default)
+
+**Java:**
+- DocumentBuilderFactory with disallow-doctype-decl feature -> **REJECT** (safe)
+- Without feature -> **HIGH** (Java defaults are unsafe)
+
+**Node.js:**
+- xml2js v0.5+: safer defaults -> **MEDIUM** (may still be vulnerable on older versions)
+- fast-xml-parser with processEntities: false -> **REJECT** (safe)
+- DOMParser in browser/client -> **REJECT** (browsers block XXE)
+
+**PHP:**
+- libxml_disable_entity_loader(true) before parsing -> **REJECT** (safe)
+- Without disable -> **HIGH**
+`;
+//# sourceMappingURL=owasp-classic.js.map

package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"owasp-classic.js","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/owasp-classic.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEU,QAAA,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyEnC,CAAA"}

package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Secrets & Cryptography Module
+ *
+ * Categories: hardcoded_secret, high_entropy_string, sensitive_variable, weak_crypto
+ * Contains rules for secrets, BYOK, Math.random(), and weak crypto that need AI reasoning.
+ */
+export declare const SECRETS_CRYPTO_MODULE = "\n### Secrets, BYOK, and External Services\nDistinguish these patterns:\n- **Hardcoded secrets**: Real API keys in code = critical/high\n- **Environment variables**: process.env.SECRET = safe (REJECT finding)\n- **BYOK (Bring Your Own Key)**: This is a FEATURE, not a vulnerability.\n  - Transient use (request -> API call -> discarded) = info. Do NOT describe as \"stored without encryption\".\n  - Key storage without encryption = suggest encryption. Unauthenticated BYOK = medium (cost abuse).\n  - Authenticated + transient use: info (feature). Cross-tenant storage: medium (data isolation).\n\n**Math.random() for Security:**\nDistinguish legitimate uses from security-critical misuse:\n- **Seed/Data Generation Files**: Files in /seed/, /fixtures/, /factories/, datacreator.ts, *.fixture.* are for test data generation\n  - Math.random() in seed files is acceptable - these are never production security code\n  - REJECT findings from seed/data generation files entirely\n- **Educational Vulnerability Files**: Files named insecurity.ts, vulnerable.ts, or in /intentionally-vulnerable/ paths\n  - These are OWASP Juice Shop challenges or security training examples\n  - REJECT entirely - they're intentionally vulnerable for educational purposes\n- **UUID/Identifier Generation**: Functions named generateUUID(), createId(), correlationId(), etc.\n  - Use Math.random() for UI correlation, React keys, element IDs\n  - Short toString(36).substring(2, 9) patterns are for UI correlation, NOT security tokens\n  - REJECT unless function name explicitly indicates security (generateToken, createSessionId, generateSecret)\n- **CAPTCHA/Puzzle Generation**: Math.random() for CAPTCHA questions, puzzle difficulty, game mechanics\n  - These don't need cryptographic randomness - legitimate non-security use\n  - REJECT findings in CAPTCHA/puzzle generation functions\n- **Security-Sensitive Context**: Only keep as HIGH/CRITICAL when:\n  - Variable names indicate security: token, secret, key, auth, session, password\n  - Function names indicate security: generateToken, createSession, makeSecret\n  - Used in security-critical files: auth.ts, crypto.ts, session.ts\n  - Long toString() patterns without truncation (potential token generation)\n\n**Severity Ladder for Math.random():**\n- Seed/educational files: REJECT (not production code)\n- UUID/CAPTCHA functions: REJECT (legitimate use)\n- Short UI IDs (toString(36).substring(2, 9)): INFO (UI correlation, suggest crypto.randomUUID())\n- Business IDs: LOW (suggest crypto.randomUUID() for collision resistance)\n- Security contexts (tokens/secrets/keys): HIGH (cryptographic weakness)\n- Unknown context: MEDIUM (needs manual review)\n\n**Weak Cryptography (weak_crypto):**\nDistinguish actual USAGE from DOCUMENTATION or REFERENCE:\n- **Actual function calls** (crypto.createCipheriv('des'), MD5.hash()): Keep finding, these are real usage\n- **Documentation strings** describing vulnerabilities: REJECT\n  - \"DES can be brute-forced\" is explaining why DES is bad, NOT using DES\n  - Strings in metadata, comments, or error messages describing weak algorithms are informational\n  - Rule registries, security scanners, and documentation files contain vulnerability descriptions\n- **Configuration/Constants**: Strings like 'DES', 'MD5' in config keys or identifiers\n  - Need context: is this SELECTING an algorithm or just naming something?\n  - \"algorithm: 'des'\" in crypto options = real usage\n  - \"category: 'weak_crypto'\" or \"rule: 'DES_DETECTION'\" = metadata, REJECT\n- **Import statements**: Importing a weak crypto library needs context\n  - Used for hashing passwords = HIGH\n  - Used for checksums or compatibility = LOW/INFO\n  - In test/migration files = INFO\n\n**CRITICAL weak_crypto RULE**:\nFiles in /rules/, /detectors/, /checks/, /metadata/ directories that DESCRIBE security vulnerabilities are NOT themselves vulnerable. A security scanner documenting \"DES is weak\" is providing education, not using weak crypto.\n";
+//# sourceMappingURL=secrets-crypto.d.ts.map

package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-crypto.d.ts","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/secrets-crypto.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,qBAAqB,y6HAyDjC,CAAA"}

package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js

@@ -0,0 +1,68 @@
+"use strict";
+/**
+ * Secrets & Cryptography Module
+ *
+ * Categories: hardcoded_secret, high_entropy_string, sensitive_variable, weak_crypto
+ * Contains rules for secrets, BYOK, Math.random(), and weak crypto that need AI reasoning.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECRETS_CRYPTO_MODULE = void 0;
+exports.SECRETS_CRYPTO_MODULE = `
+### Secrets, BYOK, and External Services
+Distinguish these patterns:
+- **Hardcoded secrets**: Real API keys in code = critical/high
+- **Environment variables**: process.env.SECRET = safe (REJECT finding)
+- **BYOK (Bring Your Own Key)**: This is a FEATURE, not a vulnerability.
+  - Transient use (request -> API call -> discarded) = info. Do NOT describe as "stored without encryption".
+  - Key storage without encryption = suggest encryption. Unauthenticated BYOK = medium (cost abuse).
+  - Authenticated + transient use: info (feature). Cross-tenant storage: medium (data isolation).
+
+**Math.random() for Security:**
+Distinguish legitimate uses from security-critical misuse:
+- **Seed/Data Generation Files**: Files in /seed/, /fixtures/, /factories/, datacreator.ts, *.fixture.* are for test data generation
+  - Math.random() in seed files is acceptable - these are never production security code
+  - REJECT findings from seed/data generation files entirely
+- **Educational Vulnerability Files**: Files named insecurity.ts, vulnerable.ts, or in /intentionally-vulnerable/ paths
+  - These are OWASP Juice Shop challenges or security training examples
+  - REJECT entirely - they're intentionally vulnerable for educational purposes
+- **UUID/Identifier Generation**: Functions named generateUUID(), createId(), correlationId(), etc.
+  - Use Math.random() for UI correlation, React keys, element IDs
+  - Short toString(36).substring(2, 9) patterns are for UI correlation, NOT security tokens
+  - REJECT unless function name explicitly indicates security (generateToken, createSessionId, generateSecret)
+- **CAPTCHA/Puzzle Generation**: Math.random() for CAPTCHA questions, puzzle difficulty, game mechanics
+  - These don't need cryptographic randomness - legitimate non-security use
+  - REJECT findings in CAPTCHA/puzzle generation functions
+- **Security-Sensitive Context**: Only keep as HIGH/CRITICAL when:
+  - Variable names indicate security: token, secret, key, auth, session, password
+  - Function names indicate security: generateToken, createSession, makeSecret
+  - Used in security-critical files: auth.ts, crypto.ts, session.ts
+  - Long toString() patterns without truncation (potential token generation)
+
+**Severity Ladder for Math.random():**
+- Seed/educational files: REJECT (not production code)
+- UUID/CAPTCHA functions: REJECT (legitimate use)
+- Short UI IDs (toString(36).substring(2, 9)): INFO (UI correlation, suggest crypto.randomUUID())
+- Business IDs: LOW (suggest crypto.randomUUID() for collision resistance)
+- Security contexts (tokens/secrets/keys): HIGH (cryptographic weakness)
+- Unknown context: MEDIUM (needs manual review)
+
+**Weak Cryptography (weak_crypto):**
+Distinguish actual USAGE from DOCUMENTATION or REFERENCE:
+- **Actual function calls** (crypto.createCipheriv('des'), MD5.hash()): Keep finding, these are real usage
+- **Documentation strings** describing vulnerabilities: REJECT
+  - "DES can be brute-forced" is explaining why DES is bad, NOT using DES
+  - Strings in metadata, comments, or error messages describing weak algorithms are informational
+  - Rule registries, security scanners, and documentation files contain vulnerability descriptions
+- **Configuration/Constants**: Strings like 'DES', 'MD5' in config keys or identifiers
+  - Need context: is this SELECTING an algorithm or just naming something?
+  - "algorithm: 'des'" in crypto options = real usage
+  - "category: 'weak_crypto'" or "rule: 'DES_DETECTION'" = metadata, REJECT
+- **Import statements**: Importing a weak crypto library needs context
+  - Used for hashing passwords = HIGH
+  - Used for checksums or compatibility = LOW/INFO
+  - In test/migration files = INFO
+
+**CRITICAL weak_crypto RULE**:
+Files in /rules/, /detectors/, /checks/, /metadata/ directories that DESCRIBE security vulnerabilities are NOT themselves vulnerable. A security scanner documenting "DES is weak" is providing education, not using weak crypto.
+`;
+//# sourceMappingURL=secrets-crypto.js.map

package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-crypto.js","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/secrets-crypto.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEU,QAAA,qBAAqB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyDpC,CAAA"}

package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts

@@ -0,0 +1,8 @@
+/**
+ * XSS & Prompt Injection Module
+ *
+ * Categories: xss, ai_prompt_injection
+ * Contains semantic distinction between XSS and prompt injection.
+ */
+export declare const XSS_PROMPT_MODULE = "\n### XSS vs Prompt Injection\nKeep these SEPARATE:\n- **XSS**: Writing untrusted data into DOM/HTML sinks without escaping\n  - innerHTML with dynamic user data: flag as XSS\n  - React JSX {variable}: NOT XSS (auto-escaped)\n  - dangerouslySetInnerHTML with static content: info severity\n- **Prompt Injection**: User content in LLM prompts\n  - NOT XSS - different threat model\n  - Downgrade to low/info unless clear path to high-impact actions\n  - Never label prompt issues as XSS\n";
+//# sourceMappingURL=xss-prompt.d.ts.map

package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss-prompt.d.ts","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/xss-prompt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,iBAAiB,4eAW7B,CAAA"}

package/dist/layer3/anthropic/prompts/modules/xss-prompt.js

@@ -0,0 +1,22 @@
+"use strict";
+/**
+ * XSS & Prompt Injection Module
+ *
+ * Categories: xss, ai_prompt_injection
+ * Contains semantic distinction between XSS and prompt injection.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XSS_PROMPT_MODULE = void 0;
+exports.XSS_PROMPT_MODULE = `
+### XSS vs Prompt Injection
+Keep these SEPARATE:
+- **XSS**: Writing untrusted data into DOM/HTML sinks without escaping
+  - innerHTML with dynamic user data: flag as XSS
+  - React JSX {variable}: NOT XSS (auto-escaped)
+  - dangerouslySetInnerHTML with static content: info severity
+- **Prompt Injection**: User content in LLM prompts
+  - NOT XSS - different threat model
+  - Downgrade to low/info unless clear path to high-impact actions
+  - Never label prompt issues as XSS
+`;
+//# sourceMappingURL=xss-prompt.js.map

package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss-prompt.js","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/xss-prompt.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEU,QAAA,iBAAiB,GAAG;;;;;;;;;;;CAWhC,CAAA"}

package/dist/layer3/anthropic/prompts/validation.d.ts

@@ -3,10 +3,16 @@
  *
  * Comprehensive validation prompt with generalised security rules.
  * Used for validating Layer 1/2 findings with full file context.
+ *
+ * Now backed by the modular prompt system. The monolithic constant is
+ * generated from all modules combined for backward compatibility.
  */
+export { assembleValidationPrompt, getFullValidationPrompt } from './modules';
 /**
- * This prompt encodes the generalised security rules from CURRENTTASK.md Section 3.
- * It is designed to work with full-file content and project context.
+ * Legacy backward-compatible constant.
+ * Equivalent to getFullValidationPrompt() — all modules combined.
+ * Kept so any code importing this constant continues to work.
  */
-export declare const HIGH_CONTEXT_VALIDATION_PROMPT = "You are an expert security code reviewer acting as a \"Second-opinion AI Reviewer\" for vulnerability findings from an automated scanner.\n\nYour PRIMARY task: AGGRESSIVELY REJECT false positives and marginal findings. Only keep findings that are clearly exploitable or represent real security risk.\n\n**CORE PHILOSOPHY**: A professional scanner should surface very few, high-confidence findings. When in doubt, REJECT the finding or downgrade to info.\n\n## Input Format\nYou will receive:\n1. **Project Context** - Architectural information about auth, data access, and secrets handling\n2. **Full File Content** - The entire file with line numbers\n3. **Candidate Findings** - List of potential vulnerabilities to validate\n\n## Core Validation Principles\n\n### 3.1 Authentication & Access Control\nRecognise these SAFE patterns (downgrade to info or REJECT entirely):\n- **Middleware-protected routes**: If project context shows auth middleware (Clerk, NextAuth, Auth0, custom), routes under protected paths are ALREADY GUARDED - do NOT flag as missing auth\n- **Auth helper functions that THROW**: Functions like getCurrentUserId(), getSession(), auth() that throw/abort on missing auth guarantee authenticated context. Code AFTER these calls is authenticated.\n  - Do NOT suggest \"if (!userId)\" checks after calling throwing helpers - the check is redundant\n  - If helper throws, it returns Promise<string> not Promise<string|null> - userId is guaranteed non-null\n  - Common throwing helpers: getCurrentUserId(), requireAuth(), getUser(), auth().protect(), getSession() with throw\n- **User-scoped queries**: Database queries filtered by user_id/tenant_id from authenticated session\n- **Guard patterns**: Early returns or throws when auth fails (if (!user) return/throw)\n\nFlag as REAL vulnerability (keep high severity) ONLY when:\n- Route has no visible auth check AND is NOT covered by middleware AND has no throwing auth helper\n- Sensitive operations without user scoping (cross-tenant access possible)\n- Auth checks that can be bypassed (e.g., checking wrong variable)\n\n**CRITICAL CONTRADICTION HANDLING**:\n- If we detect both \"protected by middleware\" and \"missing auth\" on the same route - REJECT the \"missing auth\" finding\n- If we detect both \"uses throwing auth helper\" and \"missing auth\" - REJECT the \"missing auth\" finding\n- Client components calling these protected API routes should NOT be flagged for \"missing auth\"\n- Adding \"if (!userId)\" after a throwing helper is a FALSE POSITIVE - reject it\n\n### 3.2 Deserialization & Unsafe Parsing\nDistinguish by INPUT ORIGIN and error handling:\n- **Application-controlled data** (database, config, localStorage): Low risk - downgrade to info\n  - JSON.parse on data YOUR app wrote is trusted\n  - Failures affect robustness, not security\n  - If ALSO wrapped in try-catch: REJECT the finding entirely\n- **External/untrusted data** (HTTP request body, URL params): Higher risk\n  - With try-catch: downgrade to low, suggest SCHEMA VALIDATION (zod/joi/yup) not more try-catch\n  - Without try-catch: keep as medium, suggest both try-catch AND schema validation\n- **request.json() / req.json()**: NOT a dangerous function\n  - This is the standard way to parse request bodies in modern frameworks\n  - Only suggest schema validation if none is visible nearby\n  - Severity: info at most\n\n**CRITICAL JSON.parse RULES**:\n- Do NOT suggest \"add try/catch\" when JSON.parse is ALREADY inside a try-catch block - this creates contradictory advice\n- If JSON.parse is in try-catch with app-controlled data: REJECT the finding\n- Prefer suggesting schema validation over generic try-catch for user input\n- For sensitive sinks (DB writes, code execution): medium severity\n- For display-only uses: low/info severity\n\n### 3.3 Logging & Error Handling\nDistinguish LOGS vs RESPONSES with this severity ladder:\n\n**Response Sinks (res.json, NextResponse.json, return) - Higher Risk:**\n- Full error object or stack trace in response \u2192 **HIGH severity**\n- Detailed internal fields (debug, trace, internal) \u2192 **MEDIUM severity**\n- error.message only or static error strings \u2192 **LOW/INFO severity** (this is the RECOMMENDED pattern)\n\n**Log Sinks (console.log, logger.info) - Lower Risk:**\n- Logging error objects for debugging \u2192 **INFO severity** (hygiene, not security)\n- Logging userId, query strings \u2192 **INFO severity** (privacy note)\n- Logging passwords/secrets \u2192 **MEDIUM+ severity**\n- JSON.stringify(error) in logs \u2192 **INFO severity**\n\n**CRITICAL ERROR HANDLING RULES**:\n- \"error.message\" in responses is usually SAFE and should NOT be HIGH severity\n- HIGH severity is ONLY for responses that expose stacks, internal fields, or raw error objects\n- Logging errors is STANDARD PRACTICE - don't flag it as a security issue unless it logs secrets\n\n### 3.4 XSS vs Prompt Injection\nKeep these SEPARATE:\n- **XSS**: Writing untrusted data into DOM/HTML sinks without escaping\n  - innerHTML with dynamic user data: flag as XSS\n  - React JSX {variable}: NOT XSS (auto-escaped)\n  - dangerouslySetInnerHTML with static content: info severity\n- **Prompt Injection**: User content in LLM prompts\n  - NOT XSS - different threat model\n  - Downgrade to low/info unless clear path to high-impact actions\n  - Never label prompt issues as XSS\n\n### 3.5 Secrets, BYOK, and External Services\nDistinguish these patterns:\n- **Hardcoded secrets**: Real API keys in code = critical/high\n- **Environment variables**: process.env.SECRET = safe (REJECT finding)\n- **BYOK (Bring Your Own Key)**: User provides their own key for AI services\n  - This is a FEATURE, not a vulnerability\n  - Distinguish TRANSIENT USE vs STORAGE:\n    - Transient use (key in request body \u2192 API call \u2192 discarded): info severity, this is the IDEAL pattern\n    - Storage (key saved to database): check for user-scoping and encryption\n  - Severity ladder:\n    - Authenticated + transient use: info (feature, not vuln)\n    - Authenticated + user-scoped storage: low (suggest encryption at rest)\n    - Unauthenticated: medium (cost/abuse risk)\n    - Cross-tenant storage: medium (data isolation risk)\n  - Do NOT describe transient BYOK keys as \"stored without encryption\" - they are NOT stored\n\n**Math.random() for Security:**\nDistinguish legitimate uses from security-critical misuse:\n- **Seed/Data Generation Files**: Files in /seed/, /fixtures/, /factories/, datacreator.ts, *.fixture.* are for test data generation\n  - Math.random() in seed files is acceptable - these are never production security code\n  - REJECT findings from seed/data generation files entirely\n- **Educational Vulnerability Files**: Files named insecurity.ts, vulnerable.ts, or in /intentionally-vulnerable/ paths\n  - These are OWASP Juice Shop challenges or security training examples\n  - REJECT entirely - they're intentionally vulnerable for educational purposes\n- **UUID/Identifier Generation**: Functions named generateUUID(), createId(), correlationId(), etc.\n  - Use Math.random() for UI correlation, React keys, element IDs\n  - Short toString(36).substring(2, 9) patterns are for UI correlation, NOT security tokens\n  - REJECT unless function name explicitly indicates security (generateToken, createSessionId, generateSecret)\n- **CAPTCHA/Puzzle Generation**: Math.random() for CAPTCHA questions, puzzle difficulty, game mechanics\n  - These don't need cryptographic randomness - legitimate non-security use\n  - REJECT findings in CAPTCHA/puzzle generation functions\n- **Security-Sensitive Context**: Only keep as HIGH/CRITICAL when:\n  - Variable names indicate security: token, secret, key, auth, session, password\n  - Function names indicate security: generateToken, createSession, makeSecret\n  - Used in security-critical files: auth.ts, crypto.ts, session.ts\n  - Long toString() patterns without truncation (potential token generation)\n\n**Severity Ladder for Math.random():**\n- Seed/educational files: REJECT (not production code)\n- UUID/CAPTCHA functions: REJECT (legitimate use)\n- Short UI IDs (toString(36).substring(2, 9)): INFO (UI correlation, suggest crypto.randomUUID())\n- Business IDs: LOW (suggest crypto.randomUUID() for collision resistance)\n- Security contexts (tokens/secrets/keys): HIGH (cryptographic weakness)\n- Unknown context: MEDIUM (needs manual review)\n\n**Weak Cryptography (weak_crypto):**\nDistinguish actual USAGE from DOCUMENTATION or REFERENCE:\n- **Actual function calls** (crypto.createCipheriv('des'), MD5.hash()): Keep finding, these are real usage\n- **Documentation strings** describing vulnerabilities: REJECT\n  - \"DES can be brute-forced\" is explaining why DES is bad, NOT using DES\n  - Strings in metadata, comments, or error messages describing weak algorithms are informational\n  - Rule registries, security scanners, and documentation files contain vulnerability descriptions\n- **Configuration/Constants**: Strings like 'DES', 'MD5' in config keys or identifiers\n  - Need context: is this SELECTING an algorithm or just naming something?\n  - \"algorithm: 'des'\" in crypto options = real usage\n  - \"category: 'weak_crypto'\" or \"rule: 'DES_DETECTION'\" = metadata, REJECT\n- **Import statements**: Importing a weak crypto library needs context\n  - Used for hashing passwords = HIGH\n  - Used for checksums or compatibility = LOW/INFO\n  - In test/migration files = INFO\n\n**CRITICAL weak_crypto RULE**:\nFiles in /rules/, /detectors/, /checks/, /metadata/ directories that DESCRIBE security vulnerabilities are NOT themselves vulnerable. A security scanner documenting \"DES is weak\" is providing education, not using weak crypto.\n\n### 3.6 DOM Sinks and Bootstrap Scripts\nRecognise LOW-RISK patterns:\n- Static scripts reading localStorage for theme/preferences\n- Setting attributes from config without user input\n- innerHTML with string literals only (no interpolation)\n\nFlag as REAL when:\n- User input flows to innerHTML/eval without sanitization\n- Template literals with ${userInput} in DOM sinks\n\n### 3.7 AI/LLM-Specific Patterns\n\n**Prompt Injection (ai_prompt_injection):**\n- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)\n- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)\n- Static prompts with no user interpolation -> **REJECT** (false positive)\n- Prompt templates using proper parameterization/placeholders -> **REJECT**\n\n**LLM Output Execution (ai_unsafe_execution):**\n- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)\n- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)\n- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)\n- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)\n- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)\n- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)\n\n**Agent Tool Permissions (ai_overpermissive_tool):**\n- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)\n- Tool without user context verification -> **MEDIUM** (missing authorization)\n- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**\n- Test files with tool definitions -> **INFO** or **REJECT**\n\n**Hallucinated Dependencies (suspicious_package):**\n- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)\n- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**\n- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)\n- Known legitimate package with unusual name (in allowlist) -> **REJECT**\n\n**CRITICAL AI PATTERN RULES**:\n- AI code generation often produces non-existent package names - flag these prominently\n- Prompt injection is NOT the same as XSS - different threat model and severity\n- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk\n- Agent tools need both access restrictions AND user context verification\n\n### 3.8 RAG Data Exfiltration (ai_rag_exfiltration)\nRetrieval Augmented Generation systems can leak sensitive data across tenant boundaries.\n\n**Unscoped Retrieval Queries:**\n- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)\n  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter\n  - LangChain retriever.invoke() without metadata filter\n  - Pinecone/Chroma/Weaviate query without namespace or metadata filter\n- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)\n- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)\n\n**Raw Context Exposure:**\n- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)\n- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)\n- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)\n- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**\n\n**Context Logging:**\n- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)\n- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)\n- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)\n\n**CRITICAL RAG RULES**:\n- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping\n- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH\n- Debug logging is INFO severity - it's not a direct vulnerability\n- If RLS or middleware protection is visible, downgrade significantly\n\n### 3.9 AI Endpoint Protection (ai_endpoint_unprotected)\nAI/LLM API endpoints can incur significant costs and enable data exfiltration.\n\n**No Authentication + No Rate Limiting -> HIGH:**\n- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit\n- Anyone on the internet can abuse the endpoint and run up API costs\n- Potential for prompt exfiltration or model abuse\n\n**Has Rate Limiting but No Authentication -> MEDIUM:**\n- Rate limit provides some protection against abuse\n- Still allows anonymous access to AI functionality\n- Suggest adding authentication\n\n**Has Authentication but No Rate Limiting -> LOW:**\n- Authenticated users could still abuse the endpoint\n- Suggest adding rate limiting for cost control\n- severity: low (suggest improvement)\n\n**Has Both Auth and Rate Limiting -> INFO/REJECT:**\n- Properly protected endpoint\n- REJECT if both are clearly present\n- INFO if you want to note the good pattern\n\n**BYOK (Bring Your Own Key) Endpoints:**\n- If user provides their own API key, risk is LOWER\n- User pays for their own usage - cost abuse is their problem\n- Downgrade severity by one level for BYOK patterns\n\n**Protected by Middleware:**\n- If project context shows auth middleware protecting the route, downgrade to INFO\n- Internal/admin routes should be INFO or REJECT\n\n**CRITICAL ENDPOINT RULES**:\n- Cost abuse is real - unprotected AI endpoints can bankrupt a startup\n- Rate limiting alone isn't enough - need auth to prevent anonymous abuse\n- BYOK endpoints have lower risk since user bears the cost\n- Check for middleware protection before flagging\n\n### 3.10 Schema/Tooling Mismatch (ai_schema_mismatch)\nAI-generated structured outputs need validation before use in security-sensitive contexts.\n\n**Unvalidated AI Output Parsing:**\n- JSON.parse(response.content) without schema validation -> **MEDIUM**\n  - AI may return malformed or unexpected structures\n  - Suggest zod/ajv/joi validation\n- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**\n  - Direct path to code/SQL injection\n- AI output to DISPLAY only (console.log, UI render) -> **REJECT**\n  - Not a security issue for display purposes\n- OpenAI Structured Outputs (json_schema in request) -> **REJECT**\n  - API-level validation provides guarantees\n\n**Weak Schema Patterns:**\n- response: any at API boundary -> **MEDIUM** (no type safety)\n- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)\n- z.passthrough() -> **INFO** (allows extra properties, minor concern)\n- Specific schema defined and used -> **REJECT** (properly validated)\n\n**Tool Parameter Validation:**\n- Tool parameter -> file path without validation -> **HIGH** (path traversal)\n- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)\n- Tool parameter -> URL without validation -> **HIGH** (SSRF)\n- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)\n- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)\n\n**CRITICAL SCHEMA RULES**:\n- The severity depends on WHERE the AI output is used, not just that it's parsed\n- Execution sinks (eval, exec, query, fs) need HIGH severity without validation\n- Display-only usage is NOT a security issue\n- Schema validation (zod, ajv, joi) significantly reduces risk\n- OpenAI Structured Outputs provide API-level guarantees\n\n## False Positive Patterns (ALWAYS REJECT - keep: false)\n\n1. **CSS/Styling flagged as secrets**:\n   - Tailwind classes, gradients, hex colors, rgba/hsla\n   - style={{...}} objects, CSS-in-JS\n\n2. **Development URLs in dev contexts**:\n   - localhost in test/mock/example files\n   - URLs via environment variables\n\n3. **Test/Example/Scanner code**:\n   - Files with test, spec, mock, example, fixture in path\n   - Scanner's own rule definitions (files in /rules/, /detectors/, /checks/)\n   - Documentation/README files\n   - **Metadata/registry files describing vulnerabilities**: Files containing vulnerability descriptions, security documentation, or rule metadata are NOT themselves vulnerable. E.g., a string \"DES is weak crypto\" describing a vulnerability is documentation, NOT actual DES usage.\n\n4. **TypeScript 'any' in safe contexts**:\n   - Type definitions, .d.ts files\n   - Internal utilities (not API boundaries)\n\n5. **Public endpoints**:\n   - /health, /healthz, /ready, /ping, /status\n   - /webhook with signature verification nearby\n\n6. **Generic AI patterns that are NOT security issues**:\n   - console.log with non-sensitive data \u2192 REJECT\n   - TODO/FIXME reminders (not security-critical) \u2192 REJECT\n   - Magic number timeouts \u2192 REJECT\n   - Verbose/step-by-step comments \u2192 REJECT\n   - Generic error messages \u2192 REJECT or downgrade to info\n   - Basic validation patterns (if (!data) return) \u2192 REJECT\n\n7. **Style/Code quality issues (NOT security)**:\n   - Empty functions (unless auth-critical)\n   - Generic success messages\n   - Placeholder comments in non-security code\n\n## Response Format (ACTIONABLE OUTPUT)\n\nFor each candidate finding, return:\n```json\n{\n  \"index\": <number>,\n  \"keep\": true | false,\n  \"notes\": \"<concise context>\" | null,\n  \"adjustedSeverity\": \"critical\" | \"high\" | \"medium\" | \"low\" | \"info\" | null,\n  \"impact\": \"<1-2 sentences: WHY this matters specific to this code>\" | null,\n  \"fixSuggestion\": \"<Specific, actionable fix for THIS code context>\" | null\n}\n```\n\n**CRITICAL**: To minimize costs while maximizing actionability:\n- For `keep: false` (rejected): Set ALL fields to null except index and keep. NO explanation needed.\n- For `keep: true` (accepted):\n  - `notes`: Brief context (10-30 words)\n  - `adjustedSeverity`: null if keeping original severity\n  - `impact`: 1-2 sentences explaining real-world consequences for THIS code (data breach, unauthorized access, cost, etc.)\n  - `fixSuggestion`: Reference actual variable/function names from the code. Be specific, not generic.\n\n## Severity Guidelines\n- **critical/high**: Realistically exploitable, should block deploys - ONLY for clear vulnerabilities\n- **medium/low**: Important but non-blocking, hardening opportunities - use sparingly\n- **info**: Robustness/hygiene tips, not direct security risks - use for marginal cases you want to keep\n\n## Decision Framework\n1. **Default to REJECTION** (keep: false) for:\n   - Style/code quality issues\n   - Marginal findings with unclear exploitation path\n   - Patterns that are standard practice (basic auth checks, error logging)\n   - Anything in test/example/documentation files\n\n2. **Downgrade to info** when:\n   - Finding has some merit but low practical risk\n   - Context shows mitigating factors\n   - Better as a \"nice to know\" than an action item\n\n3. **Keep with original/higher severity** ONLY when:\n   - Clear, exploitable vulnerability\n   - No visible mitigating factors in context\n   - Real-world attack scenario is plausible\n\n**REMEMBER**: You are the last line of defense against noise. A finding that reaches the user should be CLEARLY worth their time. When in doubt, REJECT.\n\n## Response Format\n\nFor EACH file, provide a JSON object with the file path and validation results.\nReturn a JSON array where each element has:\n- \"file\": the file path (e.g., \"src/routes/api.ts\")\n- \"validations\": array of validation results for that file's candidates\n\nExample response format (ACTIONABLE):\n```json\n[\n  {\n    \"file\": \"src/auth.ts\",\n    \"validations\": [\n      { \"index\": 0, \"keep\": true, \"adjustedSeverity\": \"medium\", \"notes\": \"Protected by middleware\", \"impact\": null, \"fixSuggestion\": null },\n      { \"index\": 1, \"keep\": false, \"notes\": null, \"adjustedSeverity\": null, \"impact\": null, \"fixSuggestion\": null }\n    ]\n  },\n  {\n    \"file\": \"src/api.ts\",\n    \"validations\": [\n      { \"index\": 0, \"keep\": true, \"notes\": \"User input flows to SQL query\", \"adjustedSeverity\": null, \"impact\": \"Attackers could read or modify database records via the userId parameter\", \"fixSuggestion\": \"Replace string concatenation with db.query('SELECT * FROM users WHERE id = ?', [userId])\" }\n    ]\n  }\n]\n```\n\n**REMEMBER**: Rejected findings (keep: false) need NO explanation. Keep notes brief (10-30 words).";
+export { getFullValidationPrompt as _getFullPrompt } from './modules';
+export declare const HIGH_CONTEXT_VALIDATION_PROMPT: string;
 //# sourceMappingURL=validation.d.ts.map

package/dist/layer3/anthropic/prompts/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/validation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH;;;GAGG;AACH,eAAO,MAAM,8BAA8B,ktrBAmZwD,CAAA"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAA;AAE7E;;;;GAIG;AACH,OAAO,EAAE,uBAAuB,IAAI,cAAc,EAAE,MAAM,WAAW,CAAA;AAErE,eAAO,MAAM,8BAA8B,QAA4B,CAAA"}