@oculum/scanner 1.0.11 → 1.0.13

package/dist/model/framework-models/nextjs.js

@@ -0,0 +1,71 @@
+"use strict";
+/**
+ * Next.js Framework Security Model
+ *
+ * App Router Server Components cannot access browser APIs (no DOM XSS).
+ * searchParams/params are user-controlled. Server Actions receive FormData.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.nextjsModel = void 0;
+const USE_CLIENT_RE = /['"]use client['"]/;
+const SEARCH_PARAMS_RE = /searchParams/;
+const PARAMS_RE = /\bparams\b/;
+const FORM_DATA_RE = /FormData|formData/;
+function isAppRouterServerComponent(filePath) {
+    // Files in app/ directory without 'use client' at the top are Server Components
+    return /\/app\//.test(filePath) || /\\app\\/.test(filePath);
+}
+exports.nextjsModel = {
+    framework: 'nextjs',
+    safePatterns: [
+        {
+            id: 'nextjs_server_component_no_dom',
+            suppressesCategory: ['xss', 'dangerous_function'],
+            detect: (_line, filePath, fileContent) => {
+                // Server Components can't access DOM — no client-side XSS
+                if (!isAppRouterServerComponent(filePath))
+                    return false;
+                // Check file extension is React
+                if (!/\.(tsx|jsx)$/.test(filePath))
+                    return false;
+                // Client Components have 'use client' — they ARE in the browser
+                if (USE_CLIENT_RE.test(fileContent))
+                    return false;
+                return true;
+            },
+            reason: 'Next.js Server Component cannot access browser DOM — client-side XSS not applicable',
+        },
+    ],
+    unsafePatterns: [
+        {
+            id: 'nextjs_search_params_user_input',
+            boostsCategory: ['sql_injection', 'xss', 'command_injection', 'ssrf'],
+            detect: (line, _filePath, _fileContent) => SEARCH_PARAMS_RE.test(line),
+            reason: 'Next.js searchParams are user-controlled input — treat as untrusted',
+        },
+        {
+            id: 'nextjs_params_user_input',
+            boostsCategory: ['sql_injection', 'xss', 'command_injection', 'ssrf'],
+            detect: (line, _filePath, _fileContent) => {
+                // Only flag when it looks like destructuring or accessing params in a handler context
+                if (!PARAMS_RE.test(line))
+                    return false;
+                // Avoid false positives on generic variable names
+                return /\{\s*params\s*\}/.test(line) || /params\.\w+/.test(line);
+            },
+            reason: 'Next.js route params are user-controlled input',
+        },
+        {
+            id: 'nextjs_server_action_form_data',
+            boostsCategory: ['sql_injection', 'command_injection', 'xss'],
+            detect: (line, _filePath, fileContent) => {
+                // Only flag FormData usage in Server Action files
+                if (!/['"]use server['"]/.test(fileContent))
+                    return false;
+                return FORM_DATA_RE.test(line);
+            },
+            reason: 'Next.js Server Actions receive FormData — user-controlled input',
+        },
+    ],
+};
+//# sourceMappingURL=nextjs.js.map

package/dist/model/framework-models/nextjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/model/framework-models/nextjs.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAIH,MAAM,aAAa,GAAG,oBAAoB,CAAA;AAC1C,MAAM,gBAAgB,GAAG,cAAc,CAAA;AACvC,MAAM,SAAS,GAAG,YAAY,CAAA;AAC9B,MAAM,YAAY,GAAG,mBAAmB,CAAA;AAExC,SAAS,0BAA0B,CAAC,QAAgB;IAClD,gFAAgF;IAChF,OAAO,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAC7D,CAAC;AAEY,QAAA,WAAW,GAA2B;IACjD,SAAS,EAAE,QAAQ;IAEnB,YAAY,EAAE;QACZ;YACE,EAAE,EAAE,gCAAgC;YACpC,kBAAkB,EAAE,CAAC,KAAK,EAAE,oBAAoB,CAAC;YACjD,MAAM,EAAE,CAAC,KAAa,EAAE,QAAgB,EAAE,WAAmB,EAAE,EAAE;gBAC/D,0DAA0D;gBAC1D,IAAI,CAAC,0BAA0B,CAAC,QAAQ,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACvD,gCAAgC;gBAChC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,OAAO,KAAK,CAAA;gBAChD,gEAAgE;gBAChE,IAAI,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACjD,OAAO,IAAI,CAAA;YACb,CAAC;YACD,MAAM,EAAE,qFAAqF;SAC9F;KACF;IAED,cAAc,EAAE;QACd;YACE,EAAE,EAAE,iCAAiC;YACrC,cAAc,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE,MAAM,CAAC;YACrE,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;YAC9F,MAAM,EAAE,qEAAqE;SAC9E;QACD;YACE,EAAE,EAAE,0BAA0B;YAC9B,cAAc,EAAE,CAAC,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE,MAAM,CAAC;YACrE,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE;gBAChE,sFAAsF;gBACtF,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACvC,kDAAkD;gBAClD,OAAO,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAClE,CAAC;YACD,MAAM,EAAE,gDAAgD;SACzD;QACD;YACE,EAAE,EAAE,gCAAgC;YACpC,cAAc,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,KAAK,CAAC;YAC7D,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,WAAmB,EAAE,EAAE;gBAC/D,kDAAkD;gBAClD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,WAAW,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACzD,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAChC,CAAC;YACD,MAAM,EAAE,iEAAiE;SAC1E;KACF;CACF,CAAA"}

package/dist/model/framework-models/prisma.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Prisma Framework Security Model
+ *
+ * Prisma Client methods (findMany, findFirst, create, etc.) are parameterised
+ * by default. $queryRaw with tagged templates is also safe.
+ * $queryRawUnsafe/$executeRawUnsafe and string concatenation bypass protections.
+ */
+import type { FrameworkSecurityModel } from './types';
+export declare const prismaModel: FrameworkSecurityModel;
+//# sourceMappingURL=prisma.d.ts.map

package/dist/model/framework-models/prisma.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/prisma.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAA;AAYrD,eAAO,MAAM,WAAW,EAAE,sBAoCzB,CAAA"}

package/dist/model/framework-models/prisma.js

@@ -0,0 +1,54 @@
+"use strict";
+/**
+ * Prisma Framework Security Model
+ *
+ * Prisma Client methods (findMany, findFirst, create, etc.) are parameterised
+ * by default. $queryRaw with tagged templates is also safe.
+ * $queryRawUnsafe/$executeRawUnsafe and string concatenation bypass protections.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prismaModel = void 0;
+// Safe ORM patterns — Prisma methods are parameterised by default
+const PRISMA_METHOD_RE = /prisma\.\w+\.(findMany|findFirst|findUnique|findFirstOrThrow|findUniqueOrThrow|create|createMany|update|updateMany|upsert|delete|deleteMany|count|aggregate|groupBy)\s*\(/;
+// $queryRaw with tagged template literal (Prisma.sql or template tag) is safe
+const PRISMA_TAGGED_RAW_RE = /\$queryRaw\s*`/;
+// Unsafe patterns
+const PRISMA_UNSAFE_RAW_RE = /\$(queryRawUnsafe|executeRawUnsafe)\s*\(/;
+const PRISMA_RAW_STRING_CONCAT_RE = /\$(queryRaw|executeRaw)\s*\([^`]*\+/;
+exports.prismaModel = {
+    framework: 'prisma',
+    safePatterns: [
+        {
+            id: 'orm_prisma_parameterised',
+            suppressesCategory: ['sql_injection', 'dangerous_function'],
+            detect: (line, _filePath, _fileContent) => PRISMA_METHOD_RE.test(line),
+            reason: 'Prisma Client methods use parameterised queries by default — SQL injection not applicable',
+        },
+        {
+            id: 'orm_prisma_tagged_raw',
+            suppressesCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => PRISMA_TAGGED_RAW_RE.test(line),
+            reason: 'Prisma $queryRaw with tagged template literal is parameterised — SQL injection mitigated',
+        },
+    ],
+    unsafePatterns: [
+        {
+            id: 'prisma_unsafe_raw_concat',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => PRISMA_UNSAFE_RAW_RE.test(line),
+            reason: '$queryRawUnsafe/$executeRawUnsafe accepts raw SQL strings — SQL injection risk',
+        },
+        {
+            id: 'prisma_raw_string_concat',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => {
+                // Only flag when concatenation is used (not tagged templates)
+                if (PRISMA_TAGGED_RAW_RE.test(line))
+                    return false;
+                return PRISMA_RAW_STRING_CONCAT_RE.test(line);
+            },
+            reason: '$queryRaw/$executeRaw with string concatenation bypasses parameterisation — SQL injection risk',
+        },
+    ],
+};
+//# sourceMappingURL=prisma.js.map

package/dist/model/framework-models/prisma.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma.js","sourceRoot":"","sources":["../../../src/model/framework-models/prisma.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAIH,kEAAkE;AAClE,MAAM,gBAAgB,GAAG,2KAA2K,CAAA;AAEpM,8EAA8E;AAC9E,MAAM,oBAAoB,GAAG,gBAAgB,CAAA;AAE7C,kBAAkB;AAClB,MAAM,oBAAoB,GAAG,0CAA0C,CAAA;AACvE,MAAM,2BAA2B,GAAG,qCAAqC,CAAA;AAE5D,QAAA,WAAW,GAA2B;IACjD,SAAS,EAAE,QAAQ;IAEnB,YAAY,EAAE;QACZ;YACE,EAAE,EAAE,0BAA0B;YAC9B,kBAAkB,EAAE,CAAC,eAAe,EAAE,oBAAoB,CAAC;YAC3D,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;YAC9F,MAAM,EAAE,2FAA2F;SACpG;QACD;YACE,EAAE,EAAE,uBAAuB;YAC3B,kBAAkB,EAAE,CAAC,eAAe,CAAC;YACrC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;YAClG,MAAM,EAAE,0FAA0F;SACnG;KACF;IAED,cAAc,EAAE;QACd;YACE,EAAE,EAAE,0BAA0B;YAC9B,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;YAClG,MAAM,EAAE,gFAAgF;SACzF;QACD;YACE,EAAE,EAAE,0BAA0B;YAC9B,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE;gBAChE,8DAA8D;gBAC9D,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACjD,OAAO,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/C,CAAC;YACD,MAAM,EAAE,gGAAgG;SACzG;KACF;CACF,CAAA"}

package/dist/model/framework-models/react.d.ts

@@ -0,0 +1,9 @@
+/**
+ * React/JSX Framework Security Model
+ *
+ * React auto-escapes JSX expressions by default, preventing XSS.
+ * dangerouslySetInnerHTML and ref.innerHTML bypass this protection.
+ */
+import type { FrameworkSecurityModel } from './types';
+export declare const reactModel: FrameworkSecurityModel;
+//# sourceMappingURL=react.d.ts.map

package/dist/model/framework-models/react.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"react.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/react.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAA;AAOrD,eAAO,MAAM,UAAU,EAAE,sBAgDxB,CAAA"}

package/dist/model/framework-models/react.js

@@ -0,0 +1,67 @@
+"use strict";
+/**
+ * React/JSX Framework Security Model
+ *
+ * React auto-escapes JSX expressions by default, preventing XSS.
+ * dangerouslySetInnerHTML and ref.innerHTML bypass this protection.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reactModel = void 0;
+const JSX_EXPRESSION_RE = /\{[^}]+\}/;
+const DANGEROUS_INNER_HTML_RE = /dangerouslySetInnerHTML/;
+const REF_INNER_HTML_RE = /\.current\.innerHTML\s*=/;
+const CREATE_ELEMENT_RE = /React\.createElement\s*\(/;
+exports.reactModel = {
+    framework: 'react',
+    safePatterns: [
+        {
+            id: 'react_jsx_auto_escape',
+            suppressesCategory: ['xss', 'dangerous_function'],
+            detect: (line, filePath, _fileContent) => {
+                // Only applies to JSX files
+                if (!/\.(jsx|tsx)$/.test(filePath))
+                    return false;
+                // Require JSX context: a JSX tag or return with JSX on the line
+                const hasJSXContext = /<[A-Za-z][\w.]*/.test(line) || /return\s*\(?\s*</.test(line);
+                if (!hasJSXContext)
+                    return false;
+                // JSX expression interpolation auto-escapes
+                if (!JSX_EXPRESSION_RE.test(line))
+                    return false;
+                // Unless it's dangerouslySetInnerHTML
+                if (DANGEROUS_INNER_HTML_RE.test(line))
+                    return false;
+                return true;
+            },
+            reason: 'React JSX auto-escapes interpolated expressions — not an XSS vector',
+        },
+        {
+            id: 'react_create_element_safe',
+            suppressesCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => {
+                // React.createElement with string children is auto-escaped
+                if (!CREATE_ELEMENT_RE.test(line))
+                    return false;
+                if (DANGEROUS_INNER_HTML_RE.test(line))
+                    return false;
+                return true;
+            },
+            reason: 'React.createElement auto-escapes string children',
+        },
+    ],
+    unsafePatterns: [
+        {
+            id: 'react_dangerous_inner_html',
+            boostsCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => DANGEROUS_INNER_HTML_RE.test(line),
+            reason: 'dangerouslySetInnerHTML bypasses React auto-escaping — XSS risk if input is unsanitised',
+        },
+        {
+            id: 'react_ref_inner_html',
+            boostsCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => REF_INNER_HTML_RE.test(line),
+            reason: 'Direct ref.innerHTML assignment bypasses React virtual DOM escaping',
+        },
+    ],
+};
+//# sourceMappingURL=react.js.map

package/dist/model/framework-models/react.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"react.js","sourceRoot":"","sources":["../../../src/model/framework-models/react.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAIH,MAAM,iBAAiB,GAAG,WAAW,CAAA;AACrC,MAAM,uBAAuB,GAAG,yBAAyB,CAAA;AACzD,MAAM,iBAAiB,GAAG,0BAA0B,CAAA;AACpD,MAAM,iBAAiB,GAAG,2BAA2B,CAAA;AAExC,QAAA,UAAU,GAA2B;IAChD,SAAS,EAAE,OAAO;IAElB,YAAY,EAAE;QACZ;YACE,EAAE,EAAE,uBAAuB;YAC3B,kBAAkB,EAAE,CAAC,KAAK,EAAE,oBAAoB,CAAC;YACjD,MAAM,EAAE,CAAC,IAAY,EAAE,QAAgB,EAAE,YAAoB,EAAE,EAAE;gBAC/D,4BAA4B;gBAC5B,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,OAAO,KAAK,CAAA;gBAChD,gEAAgE;gBAChE,MAAM,aAAa,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBACnF,IAAI,CAAC,aAAa;oBAAE,OAAO,KAAK,CAAA;gBAChC,4CAA4C;gBAC5C,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBAC/C,sCAAsC;gBACtC,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACpD,OAAO,IAAI,CAAA;YACb,CAAC;YACD,MAAM,EAAE,qEAAqE;SAC9E;QACD;YACE,EAAE,EAAE,2BAA2B;YAC/B,kBAAkB,EAAE,CAAC,KAAK,CAAC;YAC3B,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE;gBAChE,2DAA2D;gBAC3D,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBAC/C,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACpD,OAAO,IAAI,CAAA;YACb,CAAC;YACD,MAAM,EAAE,kDAAkD;SAC3D;KACF;IAED,cAAc,EAAE;QACd;YACE,EAAE,EAAE,4BAA4B;YAChC,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;YACrG,MAAM,EAAE,yFAAyF;SAClG;QACD;YACE,EAAE,EAAE,sBAAsB;YAC1B,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;YAC/F,MAAM,EAAE,qEAAqE;SAC9E;KACF;CACF,CAAA"}

package/dist/model/framework-models/sequelize.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Sequelize Framework Security Model
+ *
+ * Sequelize ORM methods (findAll, findOne, create, update, destroy) are
+ * parameterised by default. Raw queries with template literals are unsafe.
+ */
+import type { FrameworkSecurityModel } from './types';
+export declare const sequelizeModel: FrameworkSecurityModel;
+//# sourceMappingURL=sequelize.d.ts.map

package/dist/model/framework-models/sequelize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sequelize.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/sequelize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAA;AAWrD,eAAO,MAAM,cAAc,EAAE,sBA4C5B,CAAA"}

package/dist/model/framework-models/sequelize.js

@@ -0,0 +1,62 @@
+"use strict";
+/**
+ * Sequelize Framework Security Model
+ *
+ * Sequelize ORM methods (findAll, findOne, create, update, destroy) are
+ * parameterised by default. Raw queries with template literals are unsafe.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sequelizeModel = void 0;
+// Safe ORM patterns
+const SEQUELIZE_ORM_RE = /\.(findAll|findOne|findByPk|findOrCreate|create|update|destroy|bulkCreate|count|sum|max|min)\s*\(/;
+const SEQUELIZE_REPLACEMENTS_RE = /sequelize\.query\s*\([^)]*replacements\s*:/;
+// Unsafe raw query patterns
+const SEQUELIZE_RAW_TEMPLATE_RE = /sequelize\.query\s*\(\s*`/;
+const SEQUELIZE_RAW_CONCAT_RE = /sequelize\.query\s*\([^)]*\+/;
+const SEQUELIZE_LITERAL_RE = /Sequelize\.literal\s*\(/;
+exports.sequelizeModel = {
+    framework: 'sequelize',
+    safePatterns: [
+        {
+            id: 'orm_sequelize_parameterised',
+            suppressesCategory: ['sql_injection', 'dangerous_function'],
+            detect: (line, _filePath, _fileContent) => SEQUELIZE_ORM_RE.test(line),
+            reason: 'Sequelize ORM methods use parameterised queries — SQL injection not applicable',
+        },
+        {
+            id: 'orm_sequelize_replacements',
+            suppressesCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => SEQUELIZE_REPLACEMENTS_RE.test(line),
+            reason: 'sequelize.query() with replacements is parameterised — SQL injection mitigated',
+        },
+    ],
+    unsafePatterns: [
+        {
+            id: 'sequelize_raw_template',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => {
+                if (SEQUELIZE_REPLACEMENTS_RE.test(line))
+                    return false;
+                return SEQUELIZE_RAW_TEMPLATE_RE.test(line);
+            },
+            reason: 'sequelize.query() with template literal is raw SQL — NOT parameterised',
+        },
+        {
+            id: 'sequelize_raw_concat',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => {
+                if (SEQUELIZE_REPLACEMENTS_RE.test(line))
+                    return false;
+                return SEQUELIZE_RAW_CONCAT_RE.test(line);
+            },
+            reason: 'sequelize.query() with string concatenation is raw SQL — NOT parameterised',
+        },
+        {
+            id: 'sequelize_literal_injection',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => SEQUELIZE_LITERAL_RE.test(line),
+            reason: 'Sequelize.literal() injects raw SQL expressions — injection risk with user input',
+        },
+    ],
+};
+//# sourceMappingURL=sequelize.js.map

package/dist/model/framework-models/sequelize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sequelize.js","sourceRoot":"","sources":["../../../src/model/framework-models/sequelize.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAIH,oBAAoB;AACpB,MAAM,gBAAgB,GAAG,mGAAmG,CAAA;AAC5H,MAAM,yBAAyB,GAAG,4CAA4C,CAAA;AAE9E,4BAA4B;AAC5B,MAAM,yBAAyB,GAAG,2BAA2B,CAAA;AAC7D,MAAM,uBAAuB,GAAG,8BAA8B,CAAA;AAC9D,MAAM,oBAAoB,GAAG,yBAAyB,CAAA;AAEzC,QAAA,cAAc,GAA2B;IACpD,SAAS,EAAE,WAAW;IAEtB,YAAY,EAAE;QACZ;YACE,EAAE,EAAE,6BAA6B;YACjC,kBAAkB,EAAE,CAAC,eAAe,EAAE,oBAAoB,CAAC;YAC3D,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;YAC9F,MAAM,EAAE,gFAAgF;SACzF;QACD;YACE,EAAE,EAAE,4BAA4B;YAChC,kBAAkB,EAAE,CAAC,eAAe,CAAC;YACrC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;YACvG,MAAM,EAAE,gFAAgF;SACzF;KACF;IAED,cAAc,EAAE;QACd;YACE,EAAE,EAAE,wBAAwB;YAC5B,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE;gBAChE,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACtD,OAAO,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC7C,CAAC;YACD,MAAM,EAAE,wEAAwE;SACjF;QACD;YACE,EAAE,EAAE,sBAAsB;YAC1B,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE;gBAChE,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACtD,OAAO,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC3C,CAAC;YACD,MAAM,EAAE,4EAA4E;SACrF;QACD;YACE,EAAE,EAAE,6BAA6B;YACjC,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;YAClG,MAAM,EAAE,kFAAkF;SAC3F;KACF;CACF,CAAA"}

package/dist/model/framework-models/types.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Framework Security Model Types
+ *
+ * Interfaces for encoding framework-specific security guarantees.
+ * Each framework model declares safe patterns (suppress findings)
+ * and unsafe patterns (boost findings).
+ */
+export interface FrameworkSecurityModel {
+    /** Which framework this model covers */
+    framework: string;
+    /** Patterns that are safe by design — suppress findings */
+    safePatterns: FrameworkSafePattern[];
+    /** Patterns that are unsafe despite framework — boost findings */
+    unsafePatterns: FrameworkUnsafePattern[];
+}
+export interface FrameworkSafePattern {
+    /** Rule identifier */
+    id: string;
+    /** What vulnerability categories this suppresses */
+    suppressesCategory: string[];
+    /** Detect the safe pattern on a line */
+    detect: (lineContent: string, filePath: string, fileContent: string) => boolean;
+    /** Human-readable explanation for scoring/AI */
+    reason: string;
+}
+export interface FrameworkUnsafePattern {
+    /** Rule identifier */
+    id: string;
+    /** What vulnerability categories this boosts */
+    boostsCategory: string[];
+    /** Detect the unsafe pattern on a line */
+    detect: (lineContent: string, filePath: string, fileContent: string) => boolean;
+    /** Human-readable explanation */
+    reason: string;
+}
+/** Per-file framework analysis result */
+export interface FileFrameworkAnalysis {
+    /** Which safe patterns matched lines in this file */
+    safeLines: Map<number, FrameworkSafePattern[]>;
+    /** Which unsafe patterns matched lines in this file */
+    unsafeLines: Map<number, FrameworkUnsafePattern[]>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/model/framework-models/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,sBAAsB;IACrC,wCAAwC;IACxC,SAAS,EAAE,MAAM,CAAA;IACjB,2DAA2D;IAC3D,YAAY,EAAE,oBAAoB,EAAE,CAAA;IACpC,kEAAkE;IAClE,cAAc,EAAE,sBAAsB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,oBAAoB;IACnC,sBAAsB;IACtB,EAAE,EAAE,MAAM,CAAA;IACV,oDAAoD;IACpD,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,wCAAwC;IACxC,MAAM,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,KAAK,OAAO,CAAA;IAC/E,gDAAgD;IAChD,MAAM,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,sBAAsB;IACrC,sBAAsB;IACtB,EAAE,EAAE,MAAM,CAAA;IACV,gDAAgD;IAChD,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,0CAA0C;IAC1C,MAAM,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,KAAK,OAAO,CAAA;IAC/E,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAA;CACf;AAED,yCAAyC;AACzC,MAAM,WAAW,qBAAqB;IACpC,qDAAqD;IACrD,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,oBAAoB,EAAE,CAAC,CAAA;IAC9C,uDAAuD;IACvD,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,sBAAsB,EAAE,CAAC,CAAA;CACnD"}

package/dist/model/framework-models/types.js

@@ -0,0 +1,10 @@
+"use strict";
+/**
+ * Framework Security Model Types
+ *
+ * Interfaces for encoding framework-specific security guarantees.
+ * Each framework model declares safe patterns (suppress findings)
+ * and unsafe patterns (boost findings).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/model/framework-models/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/model/framework-models/types.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG"}

package/dist/model/function-classifier.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Function Classifier — Analyze exported functions to determine dangerous operations.
+ *
+ * For each exported function, extracts its body and scans for sink patterns
+ * and source patterns to build a security profile. Used by cross-file taint
+ * analysis to determine if calling an imported function can reach a sink.
+ */
+import type { ScanFile } from '../shared/types';
+import type { ParsedExport } from './import-resolver';
+import type { ModuleGraph } from './module-graph';
+import type { SinkType, UserInputSourceType } from './taint-types';
+export interface ExportedFunctionProfile {
+    name: string;
+    filePath: string;
+    reachesSinks: SinkType[];
+    returnsUserData: boolean;
+    returnSourceType?: UserInputSourceType;
+    hasSanitisation: boolean;
+    paramNames: string[];
+    dangerousParams: string[];
+    line: number;
+}
+export type FunctionProfileMap = Map<string, ExportedFunctionProfile[]>;
+/**
+ * Classify exported functions in a file by their security profile.
+ */
+export declare function classifyExportedFunctions(content: string, filePath: string, fileExports: ParsedExport[]): ExportedFunctionProfile[];
+/**
+ * Build function profiles for all files that are imported by at least one other file.
+ */
+export declare function buildFunctionProfiles(files: ScanFile[], graph: ModuleGraph): FunctionProfileMap;
+//# sourceMappingURL=function-classifier.d.ts.map

package/dist/model/function-classifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"function-classifier.d.ts","sourceRoot":"","sources":["../../src/model/function-classifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAC/C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AACrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAA;AAQlE,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,QAAQ,EAAE,CAAA;IACxB,eAAe,EAAE,OAAO,CAAA;IACxB,gBAAgB,CAAC,EAAE,mBAAmB,CAAA;IACtC,eAAe,EAAE,OAAO,CAAA;IACxB,UAAU,EAAE,MAAM,EAAE,CAAA;IACpB,eAAe,EAAE,MAAM,EAAE,CAAA;IACzB,IAAI,EAAE,MAAM,CAAA;CACb;AAED,MAAM,MAAM,kBAAkB,GAAG,GAAG,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,CAAA;AAiCvE;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,YAAY,EAAE,GAC1B,uBAAuB,EAAE,CA+D3B;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,QAAQ,EAAE,EACjB,KAAK,EAAE,WAAW,GACjB,kBAAkB,CAiBpB"}

package/dist/model/function-classifier.js

@@ -0,0 +1,143 @@
+"use strict";
+/**
+ * Function Classifier — Analyze exported functions to determine dangerous operations.
+ *
+ * For each exported function, extracts its body and scans for sink patterns
+ * and source patterns to build a security profile. Used by cross-file taint
+ * analysis to determine if calling an imported function can reach a sink.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyExportedFunctions = classifyExportedFunctions;
+exports.buildFunctionProfiles = buildFunctionProfiles;
+const utils_1 = require("./route-discovery/utils");
+const sink_patterns_1 = require("./sink-patterns");
+// Source patterns indicating the function returns user data, with associated source types
+const RETURN_SOURCE_PATTERNS = [
+    { pattern: /return\s+.*\breq\.body\b/, sourceType: 'http_body' },
+    { pattern: /return\s+.*\breq\.query\b/, sourceType: 'http_query' },
+    { pattern: /return\s+.*\breq\.params\b/, sourceType: 'http_params' },
+    { pattern: /return\s+.*\brequest\.args\b/, sourceType: 'http_query' },
+    { pattern: /return\s+.*\brequest\.form\b/, sourceType: 'form_data' },
+    { pattern: /return\s+.*\brequest\.json\b/, sourceType: 'http_body' },
+    { pattern: /return\s+.*\brequest\.GET\b/, sourceType: 'http_query' },
+    { pattern: /return\s+.*\brequest\.POST\b/, sourceType: 'http_body' },
+    { pattern: /return\s+.*\bsearchParams\b/, sourceType: 'url_search_params' },
+    { pattern: /return\s+.*\bformData\b/, sourceType: 'form_data' },
+];
+// Sanitiser patterns
+const SANITISER_PATTERNS = [
+    /\bsanitize\w*\s*\(/i,
+    /\bescape\w*\s*\(/i,
+    /\bDOMPurify\.sanitize\s*\(/,
+    /\.parse\s*\(/, // zod, joi
+    /\.validate\s*\(/,
+    /\bNumber\s*\(/,
+    /\bparseInt\s*\(/,
+    /\bparseFloat\s*\(/,
+    /\bpath\.normalize\s*\(/,
+];
+// ============================================================================
+// Function Classification
+// ============================================================================
+/**
+ * Classify exported functions in a file by their security profile.
+ */
+function classifyExportedFunctions(content, filePath, fileExports) {
+    const profiles = [];
+    const lines = content.split('\n');
+    for (const exp of fileExports) {
+        if (exp.kind !== 'function' && exp.kind !== 'variable')
+            continue;
+        // Extract function body
+        const startLine = Math.max(0, exp.line - 1);
+        const body = (0, utils_1.extractBlock)(lines, startLine);
+        if (!body || body.length < 5)
+            continue;
+        // Extract parameter names from the function signature
+        const paramNames = extractParamNames(lines[startLine] || '');
+        // Scan body for sinks
+        const bodyLines = body.split('\n');
+        const sinkTypes = new Set();
+        const dangerousParams = new Set();
+        for (const bodyLine of bodyLines) {
+            const trimmed = bodyLine.trim();
+            if (trimmed.startsWith('//') || trimmed.startsWith('*'))
+                continue;
+            for (const sp of sink_patterns_1.SINK_PATTERNS) {
+                if (sp.pattern.test(bodyLine)) {
+                    sinkTypes.add(sp.sinkType);
+                    // Check which params appear on this sink line
+                    for (const param of paramNames) {
+                        const paramRegex = new RegExp(`\\b${(0, sink_patterns_1.escapeRegex)(param)}\\b`);
+                        if (paramRegex.test(bodyLine)) {
+                            dangerousParams.add(param);
+                        }
+                    }
+                }
+            }
+        }
+        // Check if function returns user data and extract source type
+        const matchedReturnSource = RETURN_SOURCE_PATTERNS.find(p => p.pattern.test(body));
+        const returnsUserData = !!matchedReturnSource;
+        const returnSourceType = matchedReturnSource?.sourceType;
+        // Check for sanitisation
+        const hasSanitisation = SANITISER_PATTERNS.some(p => p.test(body));
+        if (sinkTypes.size > 0 || returnsUserData) {
+            profiles.push({
+                name: exp.name,
+                filePath,
+                reachesSinks: [...sinkTypes],
+                returnsUserData,
+                returnSourceType,
+                hasSanitisation,
+                paramNames,
+                dangerousParams: [...dangerousParams],
+                line: exp.line,
+            });
+        }
+    }
+    return profiles;
+}
+/**
+ * Build function profiles for all files that are imported by at least one other file.
+ */
+function buildFunctionProfiles(files, graph) {
+    const profileMap = new Map();
+    for (const file of files) {
+        const node = graph.nodes.get(file.path);
+        if (!node)
+            continue;
+        // Only process files that are imported by at least one other file
+        if (node.importedBy.size === 0)
+            continue;
+        if (node.exports.length === 0)
+            continue;
+        const profiles = classifyExportedFunctions(file.content, file.path, node.exports);
+        if (profiles.length > 0) {
+            profileMap.set(file.path, profiles);
+        }
+    }
+    return profileMap;
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+function extractParamNames(signatureLine) {
+    // Match function params: function foo(a, b, c) or (a, b) => or async (a: Type, b) =>
+    const paramMatch = signatureLine.match(/\(([^)]*)\)/);
+    if (!paramMatch)
+        return [];
+    return paramMatch[1]
+        .split(',')
+        .map(p => {
+        // Strip type annotations, defaults, destructuring braces
+        const cleaned = p.trim()
+            .replace(/\s*[:=].*/g, '') // remove type annotations and defaults
+            .replace(/[{}[\]]/g, '') // remove destructuring
+            .replace(/\.\.\./g, '') // remove spread
+            .trim();
+        return cleaned;
+    })
+        .filter(p => p.length > 0 && /^\w+$/.test(p));
+}
+//# sourceMappingURL=function-classifier.js.map

package/dist/model/function-classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"function-classifier.js","sourceRoot":"","sources":["../../src/model/function-classifier.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA6DH,8DAmEC;AAKD,sDAoBC;AAnJD,mDAAsD;AACtD,mDAA4D;AAoB5D,0FAA0F;AAC1F,MAAM,sBAAsB,GAAgE;IAC1F,EAAE,OAAO,EAAE,0BAA0B,EAAE,UAAU,EAAE,WAAW,EAAE;IAChE,EAAE,OAAO,EAAE,2BAA2B,EAAE,UAAU,EAAE,YAAY,EAAE;IAClE,EAAE,OAAO,EAAE,4BAA4B,EAAE,UAAU,EAAE,aAAa,EAAE;IACpE,EAAE,OAAO,EAAE,8BAA8B,EAAE,UAAU,EAAE,YAAY,EAAE;IACrE,EAAE,OAAO,EAAE,8BAA8B,EAAE,UAAU,EAAE,WAAW,EAAE;IACpE,EAAE,OAAO,EAAE,8BAA8B,EAAE,UAAU,EAAE,WAAW,EAAE;IACpE,EAAE,OAAO,EAAE,6BAA6B,EAAE,UAAU,EAAE,YAAY,EAAE;IACpE,EAAE,OAAO,EAAE,8BAA8B,EAAE,UAAU,EAAE,WAAW,EAAE;IACpE,EAAE,OAAO,EAAE,6BAA6B,EAAE,UAAU,EAAE,mBAAmB,EAAE;IAC3E,EAAE,OAAO,EAAE,yBAAyB,EAAE,UAAU,EAAE,WAAW,EAAE;CAChE,CAAA;AAED,qBAAqB;AACrB,MAAM,kBAAkB,GAAG;IACzB,qBAAqB;IACrB,mBAAmB;IACnB,4BAA4B;IAC5B,cAAc,EAAG,WAAW;IAC5B,iBAAiB;IACjB,eAAe;IACf,iBAAiB;IACjB,mBAAmB;IACnB,wBAAwB;CACzB,CAAA;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,yBAAyB,CACvC,OAAe,EACf,QAAgB,EAChB,WAA2B;IAE3B,MAAM,QAAQ,GAA8B,EAAE,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU;YAAE,SAAQ;QAEhE,wBAAwB;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAA;QAC3C,MAAM,IAAI,GAAG,IAAA,oBAAY,EAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAC3C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,SAAQ;QAEtC,sDAAsD;QACtD,MAAM,UAAU,GAAG,iBAAiB,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAA;QAE5D,sBAAsB;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAClC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAY,CAAA;QACrC,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAA;QAEzC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAA;YAC/B,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAQ;YAEjE,KAAK,MAAM,EAAE,IAAI,6BAAa,EAAE,CAAC;gBAC/B,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC9B,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAA;oBAE1B,8CAA8C;oBAC9C,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;wBAC/B,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,MAAM,IAAA,2BAAW,EAAC,KAAK,CAAC,KAAK,CAAC,CAAA;wBAC5D,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC9B,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;wBAC5B,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QAClF,MAAM,eAAe,GAAG,CAAC,CAAC,mBAAmB,CAAA;QAC7C,MAAM,gBAAgB,GAAG,mBAAmB,EAAE,UAAU,CAAA;QAExD,yBAAyB;QACzB,MAAM,eAAe,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QAElE,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,IAAI,eAAe,EAAE,CAAC;YAC1C,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ;gBACR,YAAY,EAAE,CAAC,GAAG,SAAS,CAAC;gBAC5B,eAAe;gBACf,gBAAgB;gBAChB,eAAe;gBACf,UAAU;gBACV,eAAe,EAAE,CAAC,GAAG,eAAe,CAAC;gBACrC,IAAI,EAAE,GAAG,CAAC,IAAI;aACf,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,KAAiB,EACjB,KAAkB;IAElB,MAAM,UAAU,GAAuB,IAAI,GAAG,EAAE,CAAA;IAEhD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACvC,IAAI,CAAC,IAAI;YAAE,SAAQ;QACnB,kEAAkE;QAClE,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC;YAAE,SAAQ;QACxC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAQ;QAEvC,MAAM,QAAQ,GAAG,yBAAyB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;QACjF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QACrC,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAA;AACnB,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,iBAAiB,CAAC,aAAqB;IAC9C,qFAAqF;IACrF,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,aAAa,CAAC,CAAA;IACrD,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,CAAA;IAE1B,OAAO,UAAU,CAAC,CAAC,CAAC;SACjB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE;QACP,yDAAyD;QACzD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE;aACrB,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAE,uCAAuC;aAClE,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAK,uBAAuB;aACnD,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAM,gBAAgB;aAC5C,IAAI,EAAE,CAAA;QACT,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;AACjD,CAAC"}

package/dist/model/import-resolver.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Import Resolver — Shared module for parsing imports/exports and resolving paths.
+ *
+ * Extracted from imported-auth-detector.ts and middleware-detector.ts to provide
+ * a single source of truth for import resolution used by the module graph,
+ * cross-file taint analysis, and existing auth detection.
+ */
+import type { ScanFile } from '../shared/types';
+export interface ParsedImport {
+    importPath: string;
+    importedNames: string[];
+    isReExport: boolean;
+    isNamespace: boolean;
+    line: number;
+    isLocal: boolean;
+}
+export interface ParsedExport {
+    name: string;
+    kind: 'function' | 'class' | 'variable' | 'reexport';
+    line: number;
+    sourceModule?: string;
+    isDefault: boolean;
+}
+/**
+ * Build an O(1) lookup map for resolving import paths to ScanFiles.
+ * Keys include the raw path and normalized variants for fast lookup.
+ */
+export declare function buildFileIndex(files: ScanFile[]): Map<string, ScanFile>;
+/**
+ * Extract all imports from a file's content.
+ * Supports ES6 named/default/namespace, CommonJS destructured/default,
+ * re-exports, and Python imports.
+ */
+export declare function extractAllImports(content: string, _filePath: string): ParsedImport[];
+/**
+ * Extract exported symbols from a file's content.
+ * Supports ES6 exports, CommonJS module.exports, and Python top-level defs.
+ */
+export declare function extractExports(content: string, filePath: string): ParsedExport[];
+/**
+ * Resolve an import path to a ScanFile using the file index.
+ * Handles @/, ~/, relative paths, extension resolution, and index file fallback.
+ */
+export declare function resolveImportPath(importPath: string, fromFilePath: string, fileIndex: Map<string, ScanFile>): ScanFile | null;
+//# sourceMappingURL=import-resolver.d.ts.map

package/dist/model/import-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"import-resolver.d.ts","sourceRoot":"","sources":["../../src/model/import-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAM/C,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAA;IAClB,aAAa,EAAE,MAAM,EAAE,CAAA;IACvB,UAAU,EAAE,OAAO,CAAA;IACnB,WAAW,EAAE,OAAO,CAAA;IACpB,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,UAAU,GAAG,OAAO,GAAG,UAAU,GAAG,UAAU,CAAA;IACpD,IAAI,EAAE,MAAM,CAAA;IACZ,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,SAAS,EAAE,OAAO,CAAA;CACnB;AAMD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAgCvE;AAMD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,YAAY,EAAE,CA2KpF;AAMD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY,EAAE,CAoHhF;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,GAC/B,QAAQ,GAAG,IAAI,CAyCjB"}