@oculum/scanner 1.0.11 → 1.0.13

package/dist/model/imported-auth-detector.js

@@ -0,0 +1,199 @@
+"use strict";
+/**
+ * Imported Auth Detector
+ *
+ * Detects auth middleware/helpers imported from other files to avoid
+ * false positives on routes that are actually protected via imports.
+ *
+ * Example: A route file that does `import { authMiddleware } from '@/lib/auth'`
+ * and wraps handlers with it should not be flagged as "missing auth".
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractImports = extractImports;
+exports.detectImportedAuthUsage = detectImportedAuthUsage;
+exports.buildFileAuthImports = buildFileAuthImports;
+exports.fileUsesImportedAuth = fileUsesImportedAuth;
+const import_resolver_1 = require("./import-resolver");
+const sink_patterns_1 = require("./sink-patterns");
+// ============================================================================
+// Patterns
+// ============================================================================
+/**
+ * Patterns that indicate auth-related imports by name
+ */
+const AUTH_NAME_PATTERNS = [
+    /auth/i,
+    /middleware/i,
+    /protect/i,
+    /guard/i,
+    /session/i,
+    /verify/i,
+    /secure/i,
+    /jwt/i,
+    /token/i,
+];
+/**
+ * Specific auth import names commonly used
+ */
+const KNOWN_AUTH_IMPORTS = new Set([
+    // Next.js / NextAuth
+    'auth',
+    'getServerSession',
+    'getSession',
+    'withAuth',
+    'getToken',
+    'NextAuth',
+    'NextAuthOptions',
+    // Clerk
+    'auth',
+    'currentUser',
+    'clerkMiddleware',
+    'getAuth',
+    'SignedIn',
+    'SignedOut',
+    // Auth0
+    'withPageAuthRequired',
+    'withApiAuthRequired',
+    'getSession',
+    'getAccessToken',
+    // Custom auth patterns
+    'authMiddleware',
+    'requireAuth',
+    'requireAuthentication',
+    'checkAuth',
+    'verifyAuth',
+    'protectRoute',
+    'withAuthentication',
+    'authenticated',
+    'getCurrentUser',
+    'getCurrentUserId',
+    'getUser',
+    'getUserId',
+]);
+/**
+ * Patterns indicating auth-related import paths
+ */
+const AUTH_PATH_PATTERNS = [
+    /\/auth\//i,
+    /\/middleware/i,
+    /\/lib\/auth/i,
+    /\/utils\/auth/i,
+    /\/helpers\/auth/i,
+    /next-auth/i,
+    /@clerk/i,
+    /@auth0/i,
+    /lucia/i,
+];
+// ============================================================================
+// Import Extraction
+// ============================================================================
+/**
+ * Extract all imports from a file's content and classify them as auth-related.
+ * Delegates to the shared extractAllImports() for parsing, then applies auth filters.
+ */
+function extractImports(content) {
+    const allImports = (0, import_resolver_1.extractAllImports)(content, '');
+    return allImports
+        .filter(imp => !imp.isReExport)
+        .map((imp) => {
+        // For default imports, use the original local name (first importedName)
+        const names = imp.importedNames[0] === 'default'
+            ? imp.importedNames
+            : imp.importedNames;
+        return {
+            importPath: imp.importPath,
+            importedNames: names,
+            isAuthRelated: isAuthRelatedImport(names, imp.importPath),
+        };
+    });
+}
+/**
+ * Check if an import is auth-related based on names and path
+ */
+function isAuthRelatedImport(names, importPath) {
+    // Check if path is auth-related
+    if (AUTH_PATH_PATTERNS.some(p => p.test(importPath))) {
+        return true;
+    }
+    // Check if any imported name is auth-related
+    for (const name of names) {
+        // Known auth imports
+        if (KNOWN_AUTH_IMPORTS.has(name)) {
+            return true;
+        }
+        // Pattern-based detection
+        if (AUTH_NAME_PATTERNS.some(p => p.test(name))) {
+            return true;
+        }
+    }
+    return false;
+}
+// ============================================================================
+// Auth Usage Detection
+// ============================================================================
+/**
+ * Check if imported auth is actually used to protect routes/handlers
+ */
+function detectImportedAuthUsage(content, authImports) {
+    if (authImports.length === 0)
+        return false;
+    const authNames = authImports.flatMap(imp => imp.importedNames);
+    for (const name of authNames) {
+        // Pattern 1: Handler wrapping - export const GET = authMiddleware(...)
+        const wrapperPattern = new RegExp(`(?:export\\s+(?:const|function)\\s+(?:GET|POST|PUT|PATCH|DELETE|handler)\\s*=\\s*${(0, sink_patterns_1.escapeRegex)(name)}\\s*\\()` +
+            `|(?:${(0, sink_patterns_1.escapeRegex)(name)}\\s*\\(\\s*(?:async\\s+)?(?:function|\\())`);
+        if (wrapperPattern.test(content)) {
+            return true;
+        }
+        // Pattern 2: Middleware chain - app.use(authMiddleware)
+        const middlewareChainPattern = new RegExp(`\\.(?:use|all|get|post|put|patch|delete)\\s*\\([^)]*${(0, sink_patterns_1.escapeRegex)(name)}`);
+        if (middlewareChainPattern.test(content)) {
+            return true;
+        }
+        // Pattern 3: Express/Fastify route with middleware - router.get('/', requireAuth, handler)
+        const routeMiddlewarePattern = new RegExp(`\\.(?:get|post|put|patch|delete)\\s*\\([^,]+,\\s*${(0, sink_patterns_1.escapeRegex)(name)}`);
+        if (routeMiddlewarePattern.test(content)) {
+            return true;
+        }
+        // Pattern 4: HOC pattern - withAuth(Component)
+        const hocPattern = new RegExp(`${(0, sink_patterns_1.escapeRegex)(name)}\\s*\\(\\s*\\w+\\s*\\)`);
+        if (hocPattern.test(content)) {
+            return true;
+        }
+        // Pattern 5: Auth function call at top of handler - const session = await auth()
+        const authCallPattern = new RegExp(`(?:await\\s+)?${(0, sink_patterns_1.escapeRegex)(name)}\\s*\\(\\s*\\)` +
+            `|${(0, sink_patterns_1.escapeRegex)(name)}\\s*\\(\\s*(?:req|request|ctx|context)\\s*[,)]`);
+        if (authCallPattern.test(content)) {
+            return true;
+        }
+    }
+    return false;
+}
+// ============================================================================
+// Registry Builder
+// ============================================================================
+/**
+ * Build a registry of files and their auth imports
+ */
+function buildFileAuthImports(files) {
+    const registry = new Map();
+    for (const file of files) {
+        const allImports = extractImports(file.content);
+        const authImports = allImports.filter(imp => imp.isAuthRelated);
+        const usesImportedAuth = authImports.length > 0 &&
+            detectImportedAuthUsage(file.content, authImports);
+        registry.set(file.path, {
+            filePath: file.path,
+            imports: authImports,
+            usesImportedAuth,
+        });
+    }
+    return registry;
+}
+/**
+ * Check if a specific file uses imported auth protection
+ */
+function fileUsesImportedAuth(filePath, registry) {
+    return registry.get(filePath)?.usesImportedAuth ?? false;
+}
+//# sourceMappingURL=imported-auth-detector.js.map

package/dist/model/imported-auth-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"imported-auth-detector.js","sourceRoot":"","sources":["../../src/model/imported-auth-detector.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA2GH,wCAiBC;AAkCD,0DAmDC;AASD,oDAmBC;AAKD,oDAKC;AApPD,uDAAqD;AAErD,mDAA6C;AAkB7C,+EAA+E;AAC/E,WAAW;AACX,+EAA+E;AAE/E;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,OAAO;IACP,aAAa;IACb,UAAU;IACV,QAAQ;IACR,UAAU;IACV,SAAS;IACT,SAAS;IACT,MAAM;IACN,QAAQ;CACT,CAAA;AAED;;GAEG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,qBAAqB;IACrB,MAAM;IACN,kBAAkB;IAClB,YAAY;IACZ,UAAU;IACV,UAAU;IACV,UAAU;IACV,iBAAiB;IAEjB,QAAQ;IACR,MAAM;IACN,aAAa;IACb,iBAAiB;IACjB,SAAS;IACT,UAAU;IACV,WAAW;IAEX,QAAQ;IACR,sBAAsB;IACtB,qBAAqB;IACrB,YAAY;IACZ,gBAAgB;IAEhB,uBAAuB;IACvB,gBAAgB;IAChB,aAAa;IACb,uBAAuB;IACvB,WAAW;IACX,YAAY;IACZ,cAAc;IACd,oBAAoB;IACpB,eAAe;IACf,gBAAgB;IAChB,kBAAkB;IAClB,SAAS;IACT,WAAW;CACZ,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,WAAW;IACX,eAAe;IACf,cAAc;IACd,gBAAgB;IAChB,kBAAkB;IAClB,YAAY;IACZ,SAAS;IACT,SAAS;IACT,QAAQ;CACT,CAAA;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,cAAc,CAAC,OAAe;IAC5C,MAAM,UAAU,GAAG,IAAA,mCAAiB,EAAC,OAAO,EAAE,EAAE,CAAC,CAAA;IAEjD,OAAO,UAAU;SACd,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC;SAC9B,GAAG,CAAC,CAAC,GAAiB,EAAE,EAAE;QACzB,wEAAwE;QACxE,MAAM,KAAK,GAAG,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,SAAS;YAC9C,CAAC,CAAC,GAAG,CAAC,aAAa;YACnB,CAAC,CAAC,GAAG,CAAC,aAAa,CAAA;QAErB,OAAO;YACL,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,aAAa,EAAE,KAAK;YACpB,aAAa,EAAE,mBAAmB,CAAC,KAAK,EAAE,GAAG,CAAC,UAAU,CAAC;SAC1D,CAAA;IACH,CAAC,CAAC,CAAA;AACN,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,KAAe,EAAE,UAAkB;IAC9D,gCAAgC;IAChC,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;QACrD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,6CAA6C;IAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,qBAAqB;QACrB,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,0BAA0B;QAC1B,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,uBAAuB,CACrC,OAAe,EACf,WAA+B;IAE/B,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IAE1C,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAE/D,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,uEAAuE;QACvE,MAAM,cAAc,GAAG,IAAI,MAAM,CAC/B,oFAAoF,IAAA,2BAAW,EAAC,IAAI,CAAC,UAAU;YAC/G,OAAO,IAAA,2BAAW,EAAC,IAAI,CAAC,4CAA4C,CACrE,CAAA;QACD,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,wDAAwD;QACxD,MAAM,sBAAsB,GAAG,IAAI,MAAM,CACvC,uDAAuD,IAAA,2BAAW,EAAC,IAAI,CAAC,EAAE,CAC3E,CAAA;QACD,IAAI,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,2FAA2F;QAC3F,MAAM,sBAAsB,GAAG,IAAI,MAAM,CACvC,oDAAoD,IAAA,2BAAW,EAAC,IAAI,CAAC,EAAE,CACxE,CAAA;QACD,IAAI,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,+CAA+C;QAC/C,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,GAAG,IAAA,2BAAW,EAAC,IAAI,CAAC,wBAAwB,CAAC,CAAA;QAC3E,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAA;QACb,CAAC;QAED,iFAAiF;QACjF,MAAM,eAAe,GAAG,IAAI,MAAM,CAChC,iBAAiB,IAAA,2BAAW,EAAC,IAAI,CAAC,gBAAgB;YAClD,IAAI,IAAA,2BAAW,EAAC,IAAI,CAAC,gDAAgD,CACtE,CAAA;QACD,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,oBAAoB,CAAC,KAAiB;IACpD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA2B,CAAA;IAEnD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAC/C,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAE/D,MAAM,gBAAgB,GACpB,WAAW,CAAC,MAAM,GAAG,CAAC;YACtB,uBAAuB,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;QAEpD,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;YACtB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,OAAO,EAAE,WAAW;YACpB,gBAAgB;SACjB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,QAAgB,EAChB,QAAsC;IAEtC,OAAO,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,gBAAgB,IAAI,KAAK,CAAA;AAC1D,CAAC"}

package/dist/model/index.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Project Model Builder — Assembles the full project model from source files.
+ *
+ * Orchestrates middleware detection, auth imports, project context, and
+ * detector context into a single ProjectModel used by the scan pipeline.
+ */
+import type { ScanFile, DetectorContext } from '../shared/types';
+import type { ProjectContext } from './project-context';
+import { type MiddlewareAuthConfig } from './middleware-detector';
+import { type FileAuthImports } from './imported-auth-detector';
+import type { ContextEngineResult } from './taint-types';
+import type { ModuleGraphStats } from './module-graph';
+export interface RouteDiscoveryStats {
+    totalRoutes: number;
+    authedRoutes: number;
+    publicRoutes: number;
+    unprotectedRoutes: number;
+    frameworksDetected: string[];
+    duration: number;
+}
+export interface ProjectModel {
+    contextEngine: ContextEngineResult;
+    middlewareConfig: MiddlewareAuthConfig;
+    fileAuthImports: Map<string, FileAuthImports>;
+    detectorContext: DetectorContext;
+    taintStats: TaintAnalysisStats;
+    routeStats: RouteDiscoveryStats;
+    moduleGraphStats?: ModuleGraphStats;
+}
+/**
+ * Build the full project model from source files.
+ * Detects auth middleware, file auth imports, project context, and detector context.
+ */
+export declare function buildProjectModel(files: ScanFile[]): ProjectModel;
+export interface TaintAnalysisStats {
+    filesAnalyzed: number;
+    filesWithSources: number;
+    filesWithTaintPaths: number;
+    totalSources: number;
+    totalTaintedVars: number;
+    totalTaintPaths: number;
+    unsanitisedPaths: number;
+    sanitisedPaths: number;
+    totalSanitisers: number;
+    sourceTypeBreakdown: Record<string, number>;
+    sinkTypeBreakdown: Record<string, number>;
+    duration: number;
+}
+/**
+ * Build a DetectorContext from ProjectContext
+ * This provides rich context to Layer 2 detectors for smarter decisions
+ */
+export declare function buildDetectorContext(projectContext: ProjectContext, middlewareConfig: MiddlewareAuthConfig | undefined): DetectorContext;
+/**
+ * Build file-specific context for a single file
+ * This is merged with the project-level DetectorContext
+ */
+export declare function buildFileDetectorContext(baseContext: DetectorContext, filePath: string): DetectorContext;
+/**
+ * Check if file is a configuration file
+ */
+export declare function isConfigFile(filePath: string): boolean;
+//# sourceMappingURL=index.d.ts.map

package/dist/model/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/model/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEhE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAEvD,OAAO,EAA8B,KAAK,oBAAoB,EAAE,MAAM,uBAAuB,CAAA;AAC7F,OAAO,EAAwB,KAAK,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAOrF,OAAO,KAAK,EAAqB,mBAAmB,EAAE,MAAM,eAAe,CAAA;AAS3E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAStD,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;IACpB,iBAAiB,EAAE,MAAM,CAAA;IACzB,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,mBAAmB,CAAA;IAClC,gBAAgB,EAAE,oBAAoB,CAAA;IACtC,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IAC7C,eAAe,EAAE,eAAe,CAAA;IAChC,UAAU,EAAE,kBAAkB,CAAA;IAC9B,UAAU,EAAE,mBAAmB,CAAA;IAC/B,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;CACpC;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,YAAY,CA4CjE;AA6CD,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,MAAM,CAAA;IACxB,mBAAmB,EAAE,MAAM,CAAA;IAC3B,YAAY,EAAE,MAAM,CAAA;IACpB,gBAAgB,EAAE,MAAM,CAAA;IACxB,eAAe,EAAE,MAAM,CAAA;IACvB,gBAAgB,EAAE,MAAM,CAAA;IACxB,cAAc,EAAE,MAAM,CAAA;IACtB,eAAe,EAAE,MAAM,CAAA;IACvB,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC3C,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACzC,QAAQ,EAAE,MAAM,CAAA;CACjB;AA8DD;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,cAAc,EAC9B,gBAAgB,EAAE,oBAAoB,GAAG,SAAS,GACjD,eAAe,CAwCjB;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,eAAe,EAC5B,QAAQ,EAAE,MAAM,GACf,eAAe,CAWjB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAetD"}

package/dist/model/index.js

@@ -0,0 +1,272 @@
+"use strict";
+/**
+ * Project Model Builder — Assembles the full project model from source files.
+ *
+ * Orchestrates middleware detection, auth imports, project context, and
+ * detector context into a single ProjectModel used by the scan pipeline.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildProjectModel = buildProjectModel;
+exports.buildDetectorContext = buildDetectorContext;
+exports.buildFileDetectorContext = buildFileDetectorContext;
+exports.isConfigFile = isConfigFile;
+const types_1 = require("../shared/types");
+const project_context_1 = require("./project-context");
+const middleware_detector_1 = require("./middleware-detector");
+const imported_auth_detector_1 = require("./imported-auth-detector");
+const file_classifier_1 = require("../parse/file-classifier");
+const source_discovery_1 = require("./source-discovery");
+const sanitiser_detection_1 = require("./sanitiser-detection");
+const taint_tracker_1 = require("./taint-tracker");
+const sink_matcher_1 = require("./sink-matcher");
+const route_discovery_1 = require("./route-discovery");
+const route_auth_resolver_1 = require("./route-auth-resolver");
+const module_graph_1 = require("./module-graph");
+const function_classifier_1 = require("./function-classifier");
+const cross_file_taint_1 = require("./cross-file-taint");
+const framework_models_1 = require("./framework-models");
+// ============================================================================
+// Project Model Builder
+// ============================================================================
+/**
+ * Build the full project model from source files.
+ * Detects auth middleware, file auth imports, project context, and detector context.
+ */
+function buildProjectModel(files) {
+    const middlewareConfig = (0, middleware_detector_1.detectGlobalAuthMiddleware)(files);
+    const fileAuthImports = (0, imported_auth_detector_1.buildFileAuthImports)(files);
+    const projectContext = (0, project_context_1.buildProjectContext)(files);
+    const detectorContext = buildDetectorContext(projectContext, middlewareConfig);
+    const { analyses: fileTaintAnalyses, stats: taintStats } = buildFileTaintAnalyses(files);
+    // CE Phase 4: Module Graph & Cross-File Analysis
+    const moduleGraph = (0, module_graph_1.buildModuleGraph)(files);
+    const functionProfiles = (0, function_classifier_1.buildFunctionProfiles)(files, moduleGraph);
+    const crossFileTaintPaths = (0, cross_file_taint_1.analyzeCrossFileTaint)(files, moduleGraph, functionProfiles, fileTaintAnalyses);
+    // CE Phase 2: Route Discovery (uses module graph for cross-file auth)
+    const routeStart = Date.now();
+    const { routeMap: rawRouteMap, mountPoints } = (0, route_discovery_1.discoverRoutes)(files, projectContext.frameworks.primary);
+    const routeMap = (0, route_auth_resolver_1.resolveRouteAuth)(rawRouteMap, mountPoints, files, middlewareConfig, moduleGraph);
+    const routeDuration = Date.now() - routeStart;
+    const routeStats = buildRouteStats(routeMap, routeDuration);
+    // CE Phase 5: Framework-Aware Analysis
+    const frameworkAnalyses = (0, framework_models_1.analyzeFrameworkPatterns)(files, projectContext);
+    const contextEngine = {
+        projectContext,
+        fileTaintAnalyses,
+        routeMap,
+        moduleGraph,
+        crossFileTaintPaths,
+        functionProfiles,
+        frameworkAnalyses,
+    };
+    return {
+        contextEngine,
+        middlewareConfig,
+        fileAuthImports,
+        detectorContext,
+        taintStats,
+        routeStats,
+        moduleGraphStats: moduleGraph.stats,
+    };
+}
+// ============================================================================
+// Route Discovery Stats (Context Engine Phase 2)
+// ============================================================================
+function buildRouteStats(routeMap, duration) {
+    const routes = routeMap.routes;
+    const authedRoutes = routes.filter(r => r.authMiddleware.length > 0).length;
+    const publicRoutes = routes.filter(r => r.isPublic).length;
+    const unprotectedRoutes = routes.filter(r => r.authMiddleware.length === 0 && !r.isPublic).length;
+    const frameworksDetected = [...new Set(routes.map(r => r.framework))];
+    return {
+        totalRoutes: routes.length,
+        authedRoutes,
+        publicRoutes,
+        unprotectedRoutes,
+        frameworksDetected,
+        duration,
+    };
+}
+// ============================================================================
+// Taint Analysis (Context Engine Phase 1)
+// ============================================================================
+const CODE_EXTENSIONS = new Set(['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.php', '.go', '.java', '.cs']);
+function isCodeFile(filePath) {
+    const ext = filePath.substring(filePath.lastIndexOf('.'));
+    return CODE_EXTENSIONS.has(ext.toLowerCase());
+}
+function analyzeFileTaint(content, filePath) {
+    const sources = (0, source_discovery_1.discoverSources)(content, filePath);
+    if (sources.length === 0) {
+        return { filePath, sources: [], taintedVariables: [], taintPaths: [], sanitisers: [] };
+    }
+    const sanitisers = (0, sanitiser_detection_1.detectSanitisers)(content, filePath);
+    const taintedVariables = (0, taint_tracker_1.propagateTaint)(content, filePath, sources, sanitisers);
+    const taintPaths = (0, sink_matcher_1.matchSinks)(content, filePath, taintedVariables, sanitisers);
+    return { filePath, sources, taintedVariables, taintPaths, sanitisers };
+}
+function buildFileTaintAnalyses(files) {
+    const startTime = Date.now();
+    const analyses = new Map();
+    const sourceTypeBreakdown = {};
+    const sinkTypeBreakdown = {};
+    let filesAnalyzed = 0;
+    let totalSources = 0;
+    let totalTaintedVars = 0;
+    let totalTaintPaths = 0;
+    let unsanitisedPaths = 0;
+    let sanitisedPaths = 0;
+    let totalSanitisers = 0;
+    for (const file of files) {
+        if (!isCodeFile(file.path) || (0, file_classifier_1.isTestOrMockFile)(file.path))
+            continue;
+        filesAnalyzed++;
+        const analysis = analyzeFileTaint(file.content, file.path);
+        if (analysis.sources.length > 0 || analysis.taintPaths.length > 0) {
+            analyses.set(file.path, analysis);
+        }
+        // Accumulate stats
+        totalSources += analysis.sources.length;
+        totalTaintedVars += analysis.taintedVariables.length;
+        totalTaintPaths += analysis.taintPaths.length;
+        totalSanitisers += analysis.sanitisers.length;
+        for (const src of analysis.sources) {
+            sourceTypeBreakdown[src.sourceType] = (sourceTypeBreakdown[src.sourceType] || 0) + 1;
+        }
+        for (const tp of analysis.taintPaths) {
+            if (tp.sanitised)
+                sanitisedPaths++;
+            else
+                unsanitisedPaths++;
+            sinkTypeBreakdown[tp.sink.sinkType] = (sinkTypeBreakdown[tp.sink.sinkType] || 0) + 1;
+        }
+    }
+    return {
+        analyses,
+        stats: {
+            filesAnalyzed,
+            filesWithSources: Array.from(analyses.values()).filter(a => a.sources.length > 0).length,
+            filesWithTaintPaths: Array.from(analyses.values()).filter(a => a.taintPaths.length > 0).length,
+            totalSources,
+            totalTaintedVars,
+            totalTaintPaths,
+            unsanitisedPaths,
+            sanitisedPaths,
+            totalSanitisers,
+            sourceTypeBreakdown,
+            sinkTypeBreakdown,
+            duration: Date.now() - startTime,
+        },
+    };
+}
+// ============================================================================
+// Detector Context Builder (Phase 2b)
+// ============================================================================
+/**
+ * Build a DetectorContext from ProjectContext
+ * This provides rich context to Layer 2 detectors for smarter decisions
+ */
+function buildDetectorContext(projectContext, middlewareConfig) {
+    // Map ProjectContext to DetectorContext format
+    const context = (0, types_1.createEmptyDetectorContext)();
+    // Auth context
+    if (middlewareConfig?.hasAuthMiddleware) {
+        context.auth.middleware = {
+            hasAuthMiddleware: true,
+            authType: middlewareConfig.authType ?? null,
+            protectedPaths: middlewareConfig.protectedPaths,
+            publicPaths: middlewareConfig.publicPaths,
+        };
+    }
+    // Auth helpers from project context
+    if (projectContext.auth.throwingAuthHelpers.length > 0) {
+        context.auth.authHelpers = {
+            hasThrowingHelpers: true,
+            throwingHelperNames: projectContext.auth.throwingAuthHelpers.map(h => h.name),
+        };
+    }
+    // Public endpoints
+    context.auth.publicEndpoints = projectContext.auth.publicPaths;
+    // Framework context
+    context.framework = {
+        primary: projectContext.frameworks.primary ?? null,
+        frontend: projectContext.frameworks.frontend ?? null,
+        hasTypeScript: projectContext.frameworks.usesTypeScript,
+    };
+    // Data access context
+    context.dataAccess = {
+        orm: mapOrmToDataAccessOrm(projectContext.dataAccess.orm),
+        hasRLS: projectContext.dataAccess.hasRLS,
+        validationLib: mapValidationLib(projectContext.dataAccess.validationLibrary),
+    };
+    return context;
+}
+/**
+ * Build file-specific context for a single file
+ * This is merged with the project-level DetectorContext
+ */
+function buildFileDetectorContext(baseContext, filePath) {
+    return {
+        ...baseContext,
+        file: {
+            isServerOnly: (0, file_classifier_1.isServerOnlyFile)(filePath),
+            isClientBundled: (0, file_classifier_1.isClientBundledFile)(filePath),
+            isTestFile: (0, file_classifier_1.isTestOrMockFile)(filePath),
+            isConfigFile: isConfigFile(filePath),
+            isToolingDir: (0, file_classifier_1.isToolingDirectory)(filePath),
+        },
+    };
+}
+/**
+ * Check if file is a configuration file
+ */
+function isConfigFile(filePath) {
+    const configPatterns = [
+        /config\.(ts|js|json|yaml|yml)$/i,
+        /settings\.(ts|js|json)$/i,
+        /constants\.(ts|js)$/i,
+        /\.config\.(ts|js|mjs|cjs)$/i,
+        /\.env/i,
+        /tsconfig\.json$/i,
+        /package\.json$/i,
+        /jest\.config/i,
+        /vitest\.config/i,
+        /eslint/i,
+        /prettier/i,
+    ];
+    return configPatterns.some(p => p.test(filePath));
+}
+/**
+ * Map ProjectContext ORM to DetectorContext ORM
+ */
+function mapOrmToDataAccessOrm(orm) {
+    if (!orm)
+        return null;
+    switch (orm) {
+        case 'prisma':
+        case 'drizzle':
+        case 'typeorm':
+        case 'sequelize':
+        case 'knex':
+            return orm;
+        default:
+            return null;
+    }
+}
+/**
+ * Map validation library to DetectorContext format
+ */
+function mapValidationLib(lib) {
+    if (!lib)
+        return null;
+    switch (lib) {
+        case 'zod':
+        case 'yup':
+        case 'joi':
+        case 'valibot':
+            return lib;
+        default:
+            return null;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/model/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/model/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AA2DH,8CA4CC;AA4HD,oDA2CC;AAMD,4DAcC;AAKD,oCAeC;AAnTD,2CAAkF;AAElF,uDAAuD;AACvD,+DAA6F;AAC7F,qEAAqF;AACrF,8DAKiC;AAEjC,yDAAoD;AACpD,+DAAwD;AACxD,mDAAgD;AAChD,iDAA2C;AAC3C,uDAAkD;AAElD,+DAAwD;AACxD,iDAAiD;AAEjD,+DAA6D;AAC7D,yDAA0D;AAC1D,yDAA6D;AAyB7D,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,KAAiB;IACjD,MAAM,gBAAgB,GAAG,IAAA,gDAA0B,EAAC,KAAK,CAAC,CAAA;IAC1D,MAAM,eAAe,GAAG,IAAA,6CAAoB,EAAC,KAAK,CAAC,CAAA;IACnD,MAAM,cAAc,GAAG,IAAA,qCAAmB,EAAC,KAAK,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,oBAAoB,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAA;IAC9E,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAA;IAExF,iDAAiD;IACjD,MAAM,WAAW,GAAG,IAAA,+BAAgB,EAAC,KAAK,CAAC,CAAA;IAC3C,MAAM,gBAAgB,GAAG,IAAA,2CAAqB,EAAC,KAAK,EAAE,WAAW,CAAC,CAAA;IAClE,MAAM,mBAAmB,GAAG,IAAA,wCAAqB,EAC/C,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,iBAAiB,CACxD,CAAA;IAED,sEAAsE;IACtE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAC7B,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,IAAA,gCAAc,EAAC,KAAK,EAAE,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;IACvG,MAAM,QAAQ,GAAG,IAAA,sCAAgB,EAAC,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAA;IACjG,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAA;IAE7C,MAAM,UAAU,GAAG,eAAe,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAA;IAE3D,uCAAuC;IACvC,MAAM,iBAAiB,GAAG,IAAA,2CAAwB,EAAC,KAAK,EAAE,cAAc,CAAC,CAAA;IAEzE,MAAM,aAAa,GAAwB;QACzC,cAAc;QACd,iBAAiB;QACjB,QAAQ;QACR,WAAW;QACX,mBAAmB;QACnB,gBAAgB;QAChB,iBAAiB;KAClB,CAAA;IAED,OAAO;QACL,aAAa;QACb,gBAAgB;QAChB,eAAe;QACf,eAAe;QACf,UAAU;QACV,UAAU;QACV,gBAAgB,EAAE,WAAW,CAAC,KAAK;KACpC,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,iDAAiD;AACjD,+EAA+E;AAE/E,SAAS,eAAe,CAAC,QAAkB,EAAE,QAAgB;IAC3D,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAA;IAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,CAAA;IAC3E,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAA;IAC1D,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAA;IACjG,MAAM,kBAAkB,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;IAErE,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,YAAY;QACZ,YAAY;QACZ,iBAAiB;QACjB,kBAAkB;QAClB,QAAQ;KACT,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,0CAA0C;AAC1C,+EAA+E;AAE/E,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAA;AAE5H,SAAS,UAAU,CAAC,QAAgB;IAClC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAA;IACzD,OAAO,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAA;AAC/C,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IACzD,MAAM,OAAO,GAAG,IAAA,kCAAe,EAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IAClD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAA;IACxF,CAAC;IACD,MAAM,UAAU,GAAG,IAAA,sCAAgB,EAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IACtD,MAAM,gBAAgB,GAAG,IAAA,8BAAc,EAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,CAAC,CAAA;IAC/E,MAAM,UAAU,GAAG,IAAA,yBAAU,EAAC,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,CAAC,CAAA;IAC9E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,UAAU,EAAE,CAAA;AACxE,CAAC;AAiBD,SAAS,sBAAsB,CAAC,KAAiB;IAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAC5B,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA6B,CAAA;IACrD,MAAM,mBAAmB,GAA2B,EAAE,CAAA;IACtD,MAAM,iBAAiB,GAA2B,EAAE,CAAA;IACpD,IAAI,aAAa,GAAG,CAAC,CAAA;IACrB,IAAI,YAAY,GAAG,CAAC,CAAA;IACpB,IAAI,gBAAgB,GAAG,CAAC,CAAA;IACxB,IAAI,eAAe,GAAG,CAAC,CAAA;IACvB,IAAI,gBAAgB,GAAG,CAAC,CAAA;IACxB,IAAI,cAAc,GAAG,CAAC,CAAA;IACtB,IAAI,eAAe,GAAG,CAAC,CAAA;IAEvB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAA,kCAAgB,EAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAQ;QACnE,aAAa,EAAE,CAAA;QACf,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;QAC1D,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QACnC,CAAC;QAED,mBAAmB;QACnB,YAAY,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAA;QACvC,gBAAgB,IAAI,QAAQ,CAAC,gBAAgB,CAAC,MAAM,CAAA;QACpD,eAAe,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAA;QAC7C,eAAe,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAA;QAE7C,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACnC,mBAAmB,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;QACtF,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,SAAS;gBAAE,cAAc,EAAE,CAAA;;gBAC7B,gBAAgB,EAAE,CAAA;YACvB,iBAAiB,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;QACtF,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ;QACR,KAAK,EAAE;YACL,aAAa;YACb,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM;YACxF,mBAAmB,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM;YAC9F,YAAY;YACZ,gBAAgB;YAChB,eAAe;YACf,gBAAgB;YAChB,cAAc;YACd,eAAe;YACf,mBAAmB;YACnB,iBAAiB;YACjB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;SACjC;KACF,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,sCAAsC;AACtC,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,oBAAoB,CAClC,cAA8B,EAC9B,gBAAkD;IAElD,+CAA+C;IAC/C,MAAM,OAAO,GAAG,IAAA,kCAA0B,GAAE,CAAA;IAE5C,eAAe;IACf,IAAI,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,UAAU,GAAG;YACxB,iBAAiB,EAAE,IAAI;YACvB,QAAQ,EAAE,gBAAgB,CAAC,QAAQ,IAAI,IAAI;YAC3C,cAAc,EAAE,gBAAgB,CAAC,cAAc;YAC/C,WAAW,EAAE,gBAAgB,CAAC,WAAW;SAC1C,CAAA;IACH,CAAC;IAED,oCAAoC;IACpC,IAAI,cAAc,CAAC,IAAI,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC,WAAW,GAAG;YACzB,kBAAkB,EAAE,IAAI;YACxB,mBAAmB,EAAE,cAAc,CAAC,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAC9E,CAAA;IACH,CAAC;IAED,mBAAmB;IACnB,OAAO,CAAC,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,WAAW,CAAA;IAE9D,oBAAoB;IACpB,OAAO,CAAC,SAAS,GAAG;QAClB,OAAO,EAAE,cAAc,CAAC,UAAU,CAAC,OAAO,IAAI,IAAI;QAClD,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,QAAQ,IAAI,IAAI;QACpD,aAAa,EAAE,cAAc,CAAC,UAAU,CAAC,cAAc;KACxD,CAAA;IAED,sBAAsB;IACtB,OAAO,CAAC,UAAU,GAAG;QACnB,GAAG,EAAE,qBAAqB,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC;QACzD,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,MAAM;QACxC,aAAa,EAAE,gBAAgB,CAAC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC;KAC7E,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CACtC,WAA4B,EAC5B,QAAgB;IAEhB,OAAO;QACL,GAAG,WAAW;QACd,IAAI,EAAE;YACJ,YAAY,EAAE,IAAA,kCAAgB,EAAC,QAAQ,CAAC;YACxC,eAAe,EAAE,IAAA,qCAAmB,EAAC,QAAQ,CAAC;YAC9C,UAAU,EAAE,IAAA,kCAAgB,EAAC,QAAQ,CAAC;YACtC,YAAY,EAAE,YAAY,CAAC,QAAQ,CAAC;YACpC,YAAY,EAAE,IAAA,oCAAkB,EAAC,QAAQ,CAAC;SAC3C;KACF,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,QAAgB;IAC3C,MAAM,cAAc,GAAG;QACrB,iCAAiC;QACjC,0BAA0B;QAC1B,sBAAsB;QACtB,6BAA6B;QAC7B,QAAQ;QACR,kBAAkB;QAClB,iBAAiB;QACjB,eAAe;QACf,iBAAiB;QACjB,SAAS;QACT,WAAW;KACZ,CAAA;IACD,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACnD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,GAAwC;IAExC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IACrB,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd,KAAK,SAAS,CAAC;QACf,KAAK,SAAS,CAAC;QACf,KAAK,WAAW,CAAC;QACjB,KAAK,MAAM;YACT,OAAO,GAAG,CAAA;QACZ;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,GAAuB;IAEvB,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IACrB,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,KAAK,CAAC;QACX,KAAK,KAAK,CAAC;QACX,KAAK,KAAK,CAAC;QACX,KAAK,SAAS;YACZ,OAAO,GAAG,CAAA;QACZ;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC"}

package/dist/model/middleware-detector.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Middleware Auth Detection
+ * Detects global authentication middleware (Next.js, Express, etc.)
+ * and determines which routes are protected
+ */
+import type { ScanFile } from '../shared/types';
+/**
+ * Configuration describing detected auth middleware
+ */
+export interface MiddlewareAuthConfig {
+    /** Whether auth middleware was detected */
+    hasAuthMiddleware: boolean;
+    /** The type of auth detected */
+    authType?: 'clerk' | 'nextauth' | 'auth0' | 'supabase' | 'custom' | 'unknown';
+    /** File path where middleware was found */
+    middlewareFile?: string;
+    /** Protected path patterns (glob-like) */
+    protectedPaths: string[];
+    /** Public/excluded path patterns */
+    publicPaths: string[];
+    /** Raw matcher patterns found */
+    matchers: string[];
+    /** Additional context about the auth setup */
+    context: {
+        usesAuthProtect: boolean;
+        usesGetToken: boolean;
+        usesSession: boolean;
+        hasPublicRoutes: boolean;
+    };
+}
+/**
+ * Detect global auth middleware from scanned files
+ * Looks for Next.js middleware.ts, Express auth patterns, etc.
+ */
+export declare function detectGlobalAuthMiddleware(files: ScanFile[]): MiddlewareAuthConfig;
+/**
+ * Check if a given route path is protected by the middleware
+ */
+export declare function isRouteProtectedByMiddleware(routePath: string, config: MiddlewareAuthConfig): {
+    isProtected: boolean;
+    reason: string;
+};
+/**
+ * Extract route path from a file path (e.g., app/api/users/route.ts -> /api/users)
+ */
+export declare function getRoutePathFromFile(filePath: string): string | null;
+/**
+ * Get user-scoping patterns from file content
+ * Detects patterns like: user_id, userId, session.user.id
+ */
+export declare function detectUserScopingPatterns(content: string): {
+    hasUserScoping: boolean;
+    patterns: string[];
+};
+//# sourceMappingURL=middleware-detector.d.ts.map

package/dist/model/middleware-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware-detector.d.ts","sourceRoot":"","sources":["../../src/model/middleware-detector.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAG/C;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,2CAA2C;IAC3C,iBAAiB,EAAE,OAAO,CAAA;IAC1B,gCAAgC;IAChC,QAAQ,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAA;IAC7E,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,0CAA0C;IAC1C,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,oCAAoC;IACpC,WAAW,EAAE,MAAM,EAAE,CAAA;IACrB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,8CAA8C;IAC9C,OAAO,EAAE;QACP,eAAe,EAAE,OAAO,CAAA;QACxB,YAAY,EAAE,OAAO,CAAA;QACrB,WAAW,EAAE,OAAO,CAAA;QACpB,eAAe,EAAE,OAAO,CAAA;KACzB,CAAA;CACF;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,oBAAoB,CAuElF;AA0MD;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,oBAAoB,GAC3B;IAAE,WAAW,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAmD1C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAgBpE;AAgDD;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG;IAC1D,cAAc,EAAE,OAAO,CAAA;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB,CA2BA"}