@oculum/scanner 1.0.11 → 1.0.13

package/dist/score/adjustments.js

@@ -0,0 +1,373 @@
+"use strict";
+/**
+ * Confidence Adjustment Rules
+ *
+ * Data-driven list of all adjustment rules, organized by concern.
+ * Each rule has a name, source, applies() predicate, delta, and reason.
+ *
+ * Rules are evaluated against every finding; all matching rules
+ * contribute their delta to the final confidence score.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FRAMEWORK_RULES = exports.ROUTE_RULES = exports.TAINT_RULES = exports.AUTO_DISMISS_RULES = exports.FILE_CONTEXT_RULES = exports.ALL_ADJUSTMENT_RULES = void 0;
+const file_classifier_1 = require("../parse/file-classifier");
+// ============================================================================
+// File Context Rules (active now)
+// ============================================================================
+const FILE_CONTEXT_RULES = [
+    {
+        name: 'test_file',
+        source: 'file_context',
+        applies: (finding, ctx) => (0, file_classifier_1.isTestOrMockFile)(finding.filePath),
+        delta: -0.35,
+        reason: 'Finding in test/mock file',
+    },
+    {
+        name: 'example_file',
+        source: 'file_context',
+        applies: (finding, ctx) => (0, file_classifier_1.isExampleFile)(finding.filePath),
+        delta: -0.30,
+        reason: 'Finding in example/demo file',
+    },
+    {
+        name: 'doc_file',
+        source: 'file_context',
+        applies: (finding) => /\.(md|mdx|txt|rst)$/i.test(finding.filePath),
+        delta: -0.30,
+        reason: 'Finding in documentation file',
+    },
+    {
+        name: 'scanner_code',
+        source: 'file_context',
+        applies: (finding) => (0, file_classifier_1.isScannerOrFixtureFile)(finding.filePath),
+        delta: -0.30,
+        reason: 'Finding in scanner/fixture code',
+    },
+    {
+        name: 'tooling_dir',
+        source: 'file_context',
+        applies: (finding) => (0, file_classifier_1.isToolingDirectory)(finding.filePath),
+        delta: -0.25,
+        reason: 'Finding in tooling/scripts directory',
+    },
+    {
+        name: 'config_env_substitution',
+        source: 'file_context',
+        applies: (finding) => {
+            if (finding.category !== 'hardcoded_secret' && finding.category !== 'high_entropy_string') {
+                return false;
+            }
+            return (0, file_classifier_1.isEnvVarReference)(finding.lineContent);
+        },
+        delta: -0.15,
+        reason: 'Uses environment variable (not hardcoded)',
+    },
+    {
+        name: 'comment_context',
+        source: 'file_context',
+        applies: (finding) => {
+            if (finding.category === 'ai_pattern')
+                return false;
+            return (0, file_classifier_1.isComment)(finding.lineContent);
+        },
+        delta: -0.20,
+        reason: 'Code comment (not executable)',
+    },
+    {
+        name: 'server_only_client_finding',
+        source: 'file_context',
+        applies: (finding) => {
+            if (finding.category !== 'xss')
+                return false;
+            return (0, file_classifier_1.isServerOnlyFile)(finding.filePath);
+        },
+        delta: -0.10,
+        reason: 'XSS finding in server-only file',
+    },
+    {
+        name: 'client_bundled_server_finding',
+        source: 'file_context',
+        applies: (finding, ctx) => {
+            const serverOnlyCategories = [
+                'missing_auth', 'missing_authorization',
+                'data_exposure', 'sql_injection',
+                'command_injection', 'ssrf',
+            ];
+            if (!serverOnlyCategories.includes(finding.category))
+                return false;
+            if (!ctx.file.isClientBundled)
+                return false;
+            // Exclude Next.js page files — App Router pages are server components
+            // by default and Pages Router pages can have getServerSideProps.
+            // Only penalise clearly client-only paths.
+            const ambiguousPageFile = /\/pages\//i.test(finding.filePath) ||
+                /\/app\/.*page\.(ts|tsx|js|jsx)$/i.test(finding.filePath);
+            return !ambiguousPageFile;
+        },
+        delta: -0.30,
+        reason: 'Server-side concern in client-bundled file (browser code)',
+    },
+];
+exports.FILE_CONTEXT_RULES = FILE_CONTEXT_RULES;
+// ============================================================================
+// Auto-Dismiss Equivalent Rules (active now)
+// Mirrors current score/auto-dismiss.ts behavior using confidence deltas
+// ============================================================================
+const AUTO_DISMISS_RULES = [
+    {
+        name: 'css_class_pattern',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.category !== 'high_entropy_string')
+                return false;
+            const cssIndicators = ['flex', 'grid', 'text-', 'bg-', 'px-', 'py-', 'rounded', 'shadow', 'hover:', 'dark:'];
+            const lowerLine = finding.lineContent.toLowerCase();
+            const matchCount = cssIndicators.filter(ind => lowerLine.includes(ind)).length;
+            return matchCount >= 2;
+        },
+        delta: -0.40,
+        reason: 'CSS/Tailwind classes (not a secret)',
+    },
+    {
+        name: 'health_check_endpoint',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.category !== 'missing_auth')
+                return false;
+            return (0, file_classifier_1.isPublicEndpoint)(finding.lineContent, finding.filePath);
+        },
+        delta: -0.35,
+        reason: 'Public health check endpoint (auth not required)',
+    },
+    {
+        name: 'info_severity_low_priority',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.severity !== 'info')
+                return false;
+            // Use baseConfidence >= 0.35 instead of getTierForCategory
+            // This replaces the tier-based 'info_severity_core_only' rule
+            return (finding.baseConfidence ?? 0) >= 0.35;
+        },
+        delta: -0.15,
+        reason: 'Already info severity for high-confidence detector (low priority)',
+    },
+    {
+        name: 'low_severity_ai_pattern',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            return finding.severity === 'info' || finding.severity === 'low';
+        },
+        delta: -0.10,
+        reason: 'Low-severity AI pattern (code quality, not security)',
+    },
+    {
+        name: 'generic_message',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            const genericPatterns = [
+                /['"`](success|done|ok|completed|finished|saved|updated|deleted|created)['"`]/i,
+                /['"`]something went wrong['"`]/i,
+                /['"`]an error occurred['"`]/i,
+                /console\.(log|info|debug)\s*\(\s*['"`][^'"]+['"`]\s*\)/i,
+            ];
+            return genericPatterns.some(p => p.test(finding.lineContent));
+        },
+        delta: -0.25,
+        reason: 'Generic UI message (not security-relevant)',
+    },
+    {
+        name: 'type_definition_any',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            if (!finding.title.toLowerCase().includes('any'))
+                return false;
+            if (finding.filePath.includes('.d.ts'))
+                return true;
+            const typeDefPatterns = [/^type\s+\w+\s*=/, /^interface\s+\w+/, /declare\s+(const|let|var|function|class)/];
+            return typeDefPatterns.some(p => p.test(finding.lineContent.trim()));
+        },
+        delta: -0.25,
+        reason: 'Type definition (not runtime code)',
+    },
+    {
+        name: 'timeout_magic_number',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            return /set(Timeout|Interval)\s*\([^,]+,\s*\d+\s*\)/.test(finding.lineContent);
+        },
+        delta: -0.20,
+        reason: 'Timeout value (code style, not security)',
+    },
+    {
+        name: 'data_config_file_secret',
+        source: 'auto_dismiss',
+        applies: (finding) => {
+            if (finding.category !== 'high_entropy_string' && finding.category !== 'hardcoded_secret') {
+                return false;
+            }
+            return /\.(yml|yaml|json|toml|ini|cfg)$/i.test(finding.filePath) &&
+                !/\.(env|secret|credential)/i.test(finding.filePath);
+        },
+        delta: -0.15,
+        reason: 'Secret finding in data/config file (often static content, not credentials)',
+    },
+];
+exports.AUTO_DISMISS_RULES = AUTO_DISMISS_RULES;
+// ============================================================================
+// Future Context Engine Rules (empty arrays — structurally present)
+// ============================================================================
+/** Taint analysis rules — Context Engine Phase 1 */
+const TAINT_RULES = [
+    {
+        name: 'confirmed_taint_unsanitised',
+        source: 'taint',
+        applies: (_finding, ctx) => ctx.taint?.confirmed === true && !ctx.taint.sanitised && ctx.taint.confidence !== 'low',
+        delta: +0.35,
+        reason: 'Confirmed taint path from user input (no sanitisation)',
+    },
+    {
+        name: 'confirmed_taint_sanitised',
+        source: 'taint',
+        applies: (_finding, ctx) => ctx.taint?.confirmed === true && ctx.taint.sanitised === true,
+        delta: +0.15,
+        reason: 'Confirmed taint path from user input (sanitised)',
+    },
+    {
+        name: 'no_taint_path',
+        source: 'taint',
+        applies: (finding, ctx) => {
+            const sinkCategories = ['dangerous_function', 'sql_injection', 'xss', 'command_injection', 'ssrf', 'data_exposure'];
+            if (!sinkCategories.includes(finding.category))
+                return false;
+            return ctx.taint !== undefined && ctx.taint.confirmed === false;
+        },
+        delta: -0.10,
+        reason: 'No taint path found (static data reaches sink)',
+    },
+    {
+        name: 'low_confidence_taint',
+        source: 'taint',
+        applies: (_finding, ctx) => ctx.taint?.confirmed === true && !ctx.taint.sanitised && ctx.taint.confidence === 'low',
+        delta: +0.10,
+        reason: 'Low-confidence taint path (long chain or indirect)',
+    },
+];
+exports.TAINT_RULES = TAINT_RULES;
+/** Auth-related categories where route auth context matters */
+const AUTH_RELATED_CATEGORIES = new Set([
+    'missing_auth', 'missing_authorization', 'data_exposure',
+    'sql_injection', 'command_injection', 'ssrf',
+    'xss', 'dangerous_function', 'xxe',
+    'ai_unsafe_execution', 'ai_endpoint_unprotected', 'ai_rag_exfiltration',
+]);
+/** Route/auth context rules — Context Engine Phase 2 */
+const ROUTE_RULES = [
+    {
+        name: 'no_auth_on_route',
+        source: 'route',
+        applies: (finding, ctx) => {
+            if (!ctx.route)
+                return false;
+            if (!AUTH_RELATED_CATEGORIES.has(finding.category))
+                return false;
+            return !ctx.route.hasAuth && !ctx.route.isPublic;
+        },
+        delta: +0.15,
+        reason: 'Route has no auth middleware and is not explicitly public',
+    },
+    {
+        name: 'has_auth_on_route',
+        source: 'route',
+        applies: (_finding, ctx) => ctx.route?.hasAuth === true,
+        delta: -0.15,
+        reason: 'Route is protected by auth middleware',
+    },
+    {
+        name: 'public_route',
+        source: 'route',
+        applies: (finding, ctx) => {
+            if (finding.category !== 'missing_auth')
+                return false;
+            return ctx.route?.isPublic === true;
+        },
+        delta: -0.25,
+        reason: 'Route is an explicitly public endpoint (health, status, etc.)',
+    },
+    {
+        name: 'mutation_route',
+        source: 'route',
+        applies: (_finding, ctx) => {
+            if (!ctx.route)
+                return false;
+            const mutationMethods = ['POST', 'PUT', 'DELETE', 'PATCH'];
+            return ctx.route.methods.some(m => mutationMethods.includes(m));
+        },
+        delta: +0.05,
+        reason: 'Route handles mutation methods (POST/PUT/DELETE/PATCH)',
+    },
+    {
+        name: 'rate_limited_route',
+        source: 'route',
+        applies: (_finding, ctx) => ctx.route?.hasRateLimiting === true,
+        delta: -0.05,
+        reason: 'Route has rate limiting applied',
+    },
+];
+exports.ROUTE_RULES = ROUTE_RULES;
+/** Framework-specific rules — Context Engine Phase 5 */
+const FRAMEWORK_RULES = [
+    {
+        name: 'framework_auto_protects',
+        source: 'framework',
+        applies: (_finding, ctx) => {
+            if (!ctx.framework?.safePatternMatch)
+                return false;
+            // ORM patterns are handled by orm_safe_query — avoid stacking
+            return !ctx.framework.safePatternMatch.id.startsWith('orm_');
+        },
+        delta: -0.30,
+        reason: 'Framework auto-protects against this vulnerability type',
+    },
+    {
+        name: 'framework_unsafe_pattern',
+        source: 'framework',
+        applies: (_finding, ctx) => ctx.framework?.unsafePatternMatch != null,
+        delta: +0.10,
+        reason: 'Finding uses a framework-unsafe pattern',
+    },
+    {
+        name: 'orm_safe_query',
+        source: 'framework',
+        applies: (finding, ctx) => {
+            if (finding.category !== 'sql_injection' && finding.category !== 'dangerous_function')
+                return false;
+            if (!ctx.framework?.orm)
+                return false;
+            return ctx.framework.safePatternMatch?.id.startsWith('orm_') ?? false;
+        },
+        delta: -0.25,
+        reason: 'ORM parameterises this query pattern by default',
+    },
+];
+exports.FRAMEWORK_RULES = FRAMEWORK_RULES;
+// ============================================================================
+// Combined Export
+// ============================================================================
+/** All active adjustment rules, evaluated in order */
+exports.ALL_ADJUSTMENT_RULES = [
+    ...FILE_CONTEXT_RULES,
+    ...AUTO_DISMISS_RULES,
+    ...TAINT_RULES,
+    ...ROUTE_RULES,
+    ...FRAMEWORK_RULES,
+];
+//# sourceMappingURL=adjustments.js.map

package/dist/score/adjustments.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adjustments.js","sourceRoot":"","sources":["../../src/score/adjustments.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAIH,8DASiC;AAEjC,+EAA+E;AAC/E,kCAAkC;AAClC,+EAA+E;AAE/E,MAAM,kBAAkB,GAAqB;IAC3C;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,GAAsB,EAAE,EAAE,CAC1D,IAAA,kCAAgB,EAAC,OAAO,CAAC,QAAQ,CAAC;QACpC,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,2BAA2B;KACpC;IACD;QACE,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,GAAsB,EAAE,EAAE,CAC1D,IAAA,+BAAa,EAAC,OAAO,CAAC,QAAQ,CAAC;QACjC,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,8BAA8B;KACvC;IACD;QACE,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE,CAClC,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC/C,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,+BAA+B;KACxC;IACD;QACE,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE,CAClC,IAAA,wCAAsB,EAAC,OAAO,CAAC,QAAQ,CAAC;QAC1C,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,iCAAiC;KAC1C;IACD;QACE,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE,CAClC,IAAA,oCAAkB,EAAC,OAAO,CAAC,QAAQ,CAAC;QACtC,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,sCAAsC;KAC/C;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,kBAAkB,IAAI,OAAO,CAAC,QAAQ,KAAK,qBAAqB,EAAE,CAAC;gBAC1F,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,IAAA,mCAAiB,EAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAC/C,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,2CAA2C;KACpD;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,IAAA,2BAAS,EAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QACvC,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,+BAA+B;KACxC;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK;gBAAE,OAAO,KAAK,CAAA;YAC5C,OAAO,IAAA,kCAAgB,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QAC3C,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,iCAAiC;KAC1C;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,GAAsB,EAAE,EAAE;YAC1D,MAAM,oBAAoB,GAAG;gBAC3B,cAAc,EAAE,uBAAuB;gBACvC,eAAe,EAAE,eAAe;gBAChC,mBAAmB,EAAE,MAAM;aAC5B,CAAA;YACD,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAAE,OAAO,KAAK,CAAA;YAClE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe;gBAAE,OAAO,KAAK,CAAA;YAC3C,sEAAsE;YACtE,iEAAiE;YACjE,2CAA2C;YAC3C,MAAM,iBAAiB,GACrB,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACnC,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;YAC3D,OAAO,CAAC,iBAAiB,CAAA;QAC3B,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,2DAA2D;KACpE;CACF,CAAA;AAmQC,gDAAkB;AAjQpB,+EAA+E;AAC/E,6CAA6C;AAC7C,yEAAyE;AACzE,+EAA+E;AAE/E,MAAM,kBAAkB,GAAqB;IAC3C;QACE,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,qBAAqB;gBAAE,OAAO,KAAK,CAAA;YAC5D,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAA;YAC5G,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,CAAA;YACnD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAA;YAC9E,OAAO,UAAU,IAAI,CAAC,CAAA;QACxB,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,qCAAqC;KAC9C;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,cAAc;gBAAE,OAAO,KAAK,CAAA;YACrD,OAAO,IAAA,kCAAgB,EAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,kDAAkD;KAC3D;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM;gBAAE,OAAO,KAAK,CAAA;YAC7C,2DAA2D;YAC3D,8DAA8D;YAC9D,OAAO,CAAC,OAAO,CAAC,cAAc,IAAI,CAAC,CAAC,IAAI,IAAI,CAAA;QAC9C,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,mEAAmE;KAC5E;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,OAAO,CAAC,QAAQ,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAA;QAClE,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,sDAAsD;KAC/D;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,MAAM,eAAe,GAAG;gBACtB,+EAA+E;gBAC/E,iCAAiC;gBACjC,8BAA8B;gBAC9B,yDAAyD;aAC1D,CAAA;YACD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAA;QAC/D,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,4CAA4C;KACrD;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAA;YAC9D,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,OAAO,IAAI,CAAA;YACnD,MAAM,eAAe,GAAG,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,0CAA0C,CAAC,CAAA;YAC3G,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;QACtE,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,oCAAoC;KAC7C;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,6CAA6C,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAChF,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,0CAA0C;KACnD;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,CAAC,OAAsB,EAAE,EAAE;YAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,qBAAqB,IAAI,OAAO,CAAC,QAAQ,KAAK,kBAAkB,EAAE,CAAC;gBAC1F,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACzD,CAAC,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QAC7D,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,4EAA4E;KACrF;CACF,CAAA;AA2JC,gDAAkB;AAzJpB,+EAA+E;AAC/E,oEAAoE;AACpE,+EAA+E;AAE/E,oDAAoD;AACpD,MAAM,WAAW,GAAqB;IACpC;QACE,IAAI,EAAE,6BAA6B;QACnC,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE,CAC3D,GAAG,CAAC,KAAK,EAAE,SAAS,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,KAAK,KAAK;QACzF,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,wDAAwD;KACjE;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE,CAC3D,GAAG,CAAC,KAAK,EAAE,SAAS,KAAK,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,KAAK,IAAI;QAC/D,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,kDAAkD;KAC3D;IACD;QACE,IAAI,EAAE,eAAe;QACrB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,OAAsB,EAAE,GAAsB,EAAE,EAAE;YAC1D,MAAM,cAAc,GAAG,CAAC,oBAAoB,EAAE,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE,MAAM,EAAE,eAAe,CAAC,CAAA;YACnH,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAAE,OAAO,KAAK,CAAA;YAC5D,OAAO,GAAG,CAAC,KAAK,KAAK,SAAS,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,KAAK,KAAK,CAAA;QACjE,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,gDAAgD;KACzD;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE,CAC3D,GAAG,CAAC,KAAK,EAAE,SAAS,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,KAAK,KAAK;QACzF,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,oDAAoD;KAC7D;CACF,CAAA;AAiHC,kCAAW;AA/Gb,+DAA+D;AAC/D,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,cAAc,EAAE,uBAAuB,EAAE,eAAe;IACxD,eAAe,EAAE,mBAAmB,EAAE,MAAM;IAC5C,KAAK,EAAE,oBAAoB,EAAE,KAAK;IAClC,qBAAqB,EAAE,yBAAyB,EAAE,qBAAqB;CACxE,CAAC,CAAA;AAEF,wDAAwD;AACxD,MAAM,WAAW,GAAqB;IACpC;QACE,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,OAAsB,EAAE,GAAsB,EAAE,EAAE;YAC1D,IAAI,CAAC,GAAG,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAA;YAC5B,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAAE,OAAO,KAAK,CAAA;YAChE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAA;QAClD,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,2DAA2D;KACpE;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE,CAC3D,GAAG,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI;QAC7B,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,uCAAuC;KAChD;IACD;QACE,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,OAAsB,EAAE,GAAsB,EAAE,EAAE;YAC1D,IAAI,OAAO,CAAC,QAAQ,KAAK,cAAc;gBAAE,OAAO,KAAK,CAAA;YACrD,OAAO,GAAG,CAAC,KAAK,EAAE,QAAQ,KAAK,IAAI,CAAA;QACrC,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,+DAA+D;KACxE;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE;YAC3D,IAAI,CAAC,GAAG,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAA;YAC5B,MAAM,eAAe,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAA;YAC1D,OAAO,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,wDAAwD;KACjE;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE,CAC3D,GAAG,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI;QACrC,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,iCAAiC;KAC1C;CACF,CAAA;AAsDC,kCAAW;AApDb,wDAAwD;AACxD,MAAM,eAAe,GAAqB;IACxC;QACE,IAAI,EAAE,yBAAyB;QAC/B,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE;YAC3D,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,gBAAgB;gBAAE,OAAO,KAAK,CAAA;YAClD,8DAA8D;YAC9D,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;QAC9D,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,yDAAyD;KAClE;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,CAAC,QAAuB,EAAE,GAAsB,EAAE,EAAE,CAC3D,GAAG,CAAC,SAAS,EAAE,kBAAkB,IAAI,IAAI;QAC3C,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,yCAAyC;KAClD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,CAAC,OAAsB,EAAE,GAAsB,EAAE,EAAE;YAC1D,IAAI,OAAO,CAAC,QAAQ,KAAK,eAAe,IAAI,OAAO,CAAC,QAAQ,KAAK,oBAAoB;gBAAE,OAAO,KAAK,CAAA;YACnG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG;gBAAE,OAAO,KAAK,CAAA;YACrC,OAAO,GAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,KAAK,CAAA;QACvE,CAAC;QACD,KAAK,EAAE,CAAC,IAAI;QACZ,MAAM,EAAE,iDAAiD;KAC1D;CACF,CAAA;AAqBC,0CAAe;AAnBjB,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E,sDAAsD;AACzC,QAAA,oBAAoB,GAAqB;IACpD,GAAG,kBAAkB;IACrB,GAAG,kBAAkB;IACrB,GAAG,WAAW;IACd,GAAG,WAAW;IACd,GAAG,eAAe;CACnB,CAAA"}

package/dist/score/auto-dismiss.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Smart Auto-Dismiss Rules
+ *
+ * Instant filtering rules that don't require AI validation.
+ * These rules catch obvious false positives before sending to AI.
+ */
+import type { Vulnerability } from '../shared/types';
+/**
+ * Apply smart auto-dismiss rules to filter obvious false positives.
+ * Returns findings that should be sent to AI validation.
+ *
+ * @deprecated Phase 2B — Confidence scoring adjustments now handle auto-dismiss.
+ *   This function is kept for external consumers but is no longer called
+ *   from the orchestrator. Will be removed in a follow-up cleanup PR.
+ *
+ * @param findings - Array of vulnerabilities to filter
+ * @param mode - 'validation' applies all rules (for AI validation candidates),
+ *               'surface' excludes cost-saving rules (for direct-surface findings)
+ */
+export declare function applyAutoDismissRules(findings: Vulnerability[], mode?: 'validation' | 'surface'): {
+    toValidate: Vulnerability[];
+    dismissed: Array<{
+        finding: Vulnerability;
+        rule: string;
+        reason: string;
+    }>;
+};
+//# sourceMappingURL=auto-dismiss.d.ts.map

package/dist/score/auto-dismiss.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-dismiss.d.ts","sourceRoot":"","sources":["../../src/score/auto-dismiss.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAwKpD;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,aAAa,EAAE,EACzB,IAAI,GAAE,YAAY,GAAG,SAAwB,GAC5C;IACD,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B,SAAS,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,aAAa,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAC3E,CA8BA"}

package/dist/score/auto-dismiss.js

@@ -0,0 +1,200 @@
+"use strict";
+/**
+ * Smart Auto-Dismiss Rules
+ *
+ * Instant filtering rules that don't require AI validation.
+ * These rules catch obvious false positives before sending to AI.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyAutoDismissRules = applyAutoDismissRules;
+const file_classifier_1 = require("../parse/file-classifier");
+// getTierForCategory removed in Phase 2B — confidence scoring handles routing
+// ============================================================================
+// Auto-Dismiss Rules
+// ============================================================================
+const AUTO_DISMISS_RULES = [
+    // Test files - often contain intentional "vulnerable" patterns for testing
+    {
+        name: 'test_file',
+        check: (finding) => (0, file_classifier_1.isTestOrMockFile)(finding.filePath),
+        reason: 'Finding in test/mock file',
+    },
+    // Example/demo code - not production code
+    {
+        name: 'example_file',
+        check: (finding) => (0, file_classifier_1.isExampleFile)(finding.filePath),
+        reason: 'Finding in example/demo file',
+    },
+    // Documentation files
+    {
+        name: 'documentation_file',
+        check: (finding) => /\.(md|mdx|txt|rst)$/i.test(finding.filePath),
+        reason: 'Finding in documentation file',
+    },
+    // Scanner/security tool code itself
+    {
+        name: 'scanner_code',
+        check: (finding) => (0, file_classifier_1.isScannerOrFixtureFile)(finding.filePath),
+        reason: 'Finding in scanner/fixture code',
+    },
+    // Environment variable references (not hardcoded secrets)
+    {
+        name: 'env_var_reference',
+        check: (finding) => {
+            if (finding.category !== 'hardcoded_secret' && finding.category !== 'high_entropy_string') {
+                return false;
+            }
+            return (0, file_classifier_1.isEnvVarReference)(finding.lineContent);
+        },
+        reason: 'Uses environment variable (not hardcoded)',
+    },
+    // Public health check endpoints don't need auth
+    {
+        name: 'health_check_endpoint',
+        check: (finding) => {
+            if (finding.category !== 'missing_auth')
+                return false;
+            return (0, file_classifier_1.isPublicEndpoint)(finding.lineContent, finding.filePath);
+        },
+        reason: 'Public health check endpoint (auth not required)',
+    },
+    // CSS/Tailwind classes flagged as high entropy
+    {
+        name: 'css_classes',
+        check: (finding) => {
+            if (finding.category !== 'high_entropy_string')
+                return false;
+            const cssIndicators = ['flex', 'grid', 'text-', 'bg-', 'px-', 'py-', 'rounded', 'shadow', 'hover:', 'dark:'];
+            const lowerLine = finding.lineContent.toLowerCase();
+            const matchCount = cssIndicators.filter(ind => lowerLine.includes(ind)).length;
+            return matchCount >= 2;
+        },
+        reason: 'CSS/Tailwind classes (not a secret)',
+    },
+    // Comment lines shouldn't be flagged for most categories
+    {
+        name: 'comment_line',
+        check: (finding) => {
+            // Some categories are valid in comments (e.g., TODO security)
+            if (finding.category === 'ai_pattern')
+                return false;
+            return (0, file_classifier_1.isComment)(finding.lineContent);
+        },
+        reason: 'Code comment (not executable)',
+    },
+    // Info severity already - no need to validate
+    // Only auto-dismiss info-severity for high-confidence detectors (baseConfidence >= 0.35)
+    // Low-confidence detectors should still go through AI validation
+    {
+        name: 'info_severity_core_only',
+        check: (finding) => {
+            if (finding.severity !== 'info')
+                return false;
+            // Use baseConfidence instead of tier lookup (Phase 2B)
+            return (finding.baseConfidence ?? 0) >= 0.35;
+        },
+        reason: 'Already info severity for high-confidence detector (low priority)',
+    },
+    // Generic success/error messages in ai_pattern
+    {
+        name: 'generic_message',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            const genericPatterns = [
+                /['"`](success|done|ok|completed|finished|saved|updated|deleted|created)['"`]/i,
+                /['"`]something went wrong['"`]/i,
+                /['"`]an error occurred['"`]/i,
+                /console\.(log|info|debug)\s*\(\s*['"`][^'"]+['"`]\s*\)/i,
+            ];
+            return genericPatterns.some(p => p.test(finding.lineContent));
+        },
+        reason: 'Generic UI message (not security-relevant)',
+    },
+    // Type definitions with 'any' - often necessary for third-party libs
+    {
+        name: 'type_definition_any',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            if (!finding.title.toLowerCase().includes('any'))
+                return false;
+            // Check if it's in a .d.ts file or type definition context
+            if (finding.filePath.includes('.d.ts'))
+                return true;
+            const typeDefPatterns = [/^type\s+\w+\s*=/, /^interface\s+\w+/, /declare\s+(const|let|var|function|class)/];
+            return typeDefPatterns.some(p => p.test(finding.lineContent.trim()));
+        },
+        reason: 'Type definition (not runtime code)',
+    },
+    // setTimeout/setInterval magic numbers - code style, not security
+    {
+        name: 'timeout_magic_number',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            return /set(Timeout|Interval)\s*\([^,]+,\s*\d+\s*\)/.test(finding.lineContent);
+        },
+        reason: 'Timeout value (code style, not security)',
+    },
+    // Low-value AI pattern findings - code quality, not security
+    {
+        name: 'low_severity_ai_pattern',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            return finding.severity === 'info' || finding.severity === 'low';
+        },
+        reason: 'Low-severity AI pattern (code quality, not security vulnerability)',
+    },
+];
+// ============================================================================
+// Apply Auto-Dismiss Rules
+// ============================================================================
+/**
+ * Rules that should NOT be applied to direct-surface findings.
+ * These rules are designed to reduce AI validation costs, not to suppress findings entirely.
+ */
+const VALIDATION_ONLY_RULES = new Set([
+    'info_severity_core_only', // Info findings should surface, just not go through expensive AI validation
+    'low_severity_ai_pattern', // Low/info AI patterns are code quality, not security — skip AI validation
+]);
+/**
+ * Apply smart auto-dismiss rules to filter obvious false positives.
+ * Returns findings that should be sent to AI validation.
+ *
+ * @deprecated Phase 2B — Confidence scoring adjustments now handle auto-dismiss.
+ *   This function is kept for external consumers but is no longer called
+ *   from the orchestrator. Will be removed in a follow-up cleanup PR.
+ *
+ * @param findings - Array of vulnerabilities to filter
+ * @param mode - 'validation' applies all rules (for AI validation candidates),
+ *               'surface' excludes cost-saving rules (for direct-surface findings)
+ */
+function applyAutoDismissRules(findings, mode = 'validation') {
+    const toValidate = [];
+    const dismissed = [];
+    // Filter rules based on mode
+    const applicableRules = mode === 'surface'
+        ? AUTO_DISMISS_RULES.filter(rule => !VALIDATION_ONLY_RULES.has(rule.name))
+        : AUTO_DISMISS_RULES;
+    for (const finding of findings) {
+        let wasDismissed = false;
+        for (const rule of applicableRules) {
+            if (rule.check(finding)) {
+                dismissed.push({
+                    finding,
+                    rule: rule.name,
+                    reason: rule.reason,
+                });
+                wasDismissed = true;
+                break;
+            }
+        }
+        if (!wasDismissed) {
+            toValidate.push(finding);
+        }
+    }
+    return { toValidate, dismissed };
+}
+//# sourceMappingURL=auto-dismiss.js.map

package/dist/score/auto-dismiss.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-dismiss.js","sourceRoot":"","sources":["../../src/score/auto-dismiss.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAsLH,sDAoCC;AAtND,8DAOiC;AACjC,8EAA8E;AAE9E,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,MAAM,kBAAkB,GAAsB;IAC5C,2EAA2E;IAC3E;QACE,IAAI,EAAE,WAAW;QACjB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,kCAAgB,EAAC,OAAO,CAAC,QAAQ,CAAC;QACtD,MAAM,EAAE,2BAA2B;KACpC;IAED,0CAA0C;IAC1C;QACE,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,+BAAa,EAAC,OAAO,CAAC,QAAQ,CAAC;QACnD,MAAM,EAAE,8BAA8B;KACvC;IAED,sBAAsB;IACtB;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;QACjE,MAAM,EAAE,+BAA+B;KACxC;IAED,oCAAoC;IACpC;QACE,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,wCAAsB,EAAC,OAAO,CAAC,QAAQ,CAAC;QAC5D,MAAM,EAAE,iCAAiC;KAC1C;IAED,0DAA0D;IAC1D;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,kBAAkB,IAAI,OAAO,CAAC,QAAQ,KAAK,qBAAqB,EAAE,CAAC;gBAC1F,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,IAAA,mCAAiB,EAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAC/C,CAAC;QACD,MAAM,EAAE,2CAA2C;KACpD;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,uBAAuB;QAC7B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,cAAc;gBAAE,OAAO,KAAK,CAAA;YACrD,OAAO,IAAA,kCAAgB,EAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;QACD,MAAM,EAAE,kDAAkD;KAC3D;IAED,+CAA+C;IAC/C;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,qBAAqB;gBAAE,OAAO,KAAK,CAAA;YAC5D,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAA;YAC5G,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,CAAA;YACnD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAA;YAC9E,OAAO,UAAU,IAAI,CAAC,CAAA;QACxB,CAAC;QACD,MAAM,EAAE,qCAAqC;KAC9C;IAED,yDAAyD;IACzD;QACE,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,8DAA8D;YAC9D,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,IAAA,2BAAS,EAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QACvC,CAAC;QACD,MAAM,EAAE,+BAA+B;KACxC;IAED,8CAA8C;IAC9C,yFAAyF;IACzF,iEAAiE;IACjE;QACE,IAAI,EAAE,yBAAyB;QAC/B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM;gBAAE,OAAO,KAAK,CAAA;YAC7C,uDAAuD;YACvD,OAAO,CAAC,OAAO,CAAC,cAAc,IAAI,CAAC,CAAC,IAAI,IAAI,CAAA;QAC9C,CAAC;QACD,MAAM,EAAE,mEAAmE;KAC5E;IAED,+CAA+C;IAC/C;QACE,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,MAAM,eAAe,GAAG;gBACtB,+EAA+E;gBAC/E,iCAAiC;gBACjC,8BAA8B;gBAC9B,yDAAyD;aAC1D,CAAA;YACD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAA;QAC/D,CAAC;QACD,MAAM,EAAE,4CAA4C;KACrD;IAED,qEAAqE;IACrE;QACE,IAAI,EAAE,qBAAqB;QAC3B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAA;YAC9D,2DAA2D;YAC3D,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,OAAO,IAAI,CAAA;YACnD,MAAM,eAAe,GAAG,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,0CAA0C,CAAC,CAAA;YAC3G,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;QACtE,CAAC;QACD,MAAM,EAAE,oCAAoC;KAC7C;IAED,kEAAkE;IAClE;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,6CAA6C,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAChF,CAAC;QACD,MAAM,EAAE,0CAA0C;KACnD;IAED,6DAA6D;IAC7D;QACE,IAAI,EAAE,yBAAyB;QAC/B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,OAAO,CAAC,QAAQ,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAA;QAClE,CAAC;QACD,MAAM,EAAE,oEAAoE;KAC7E;CACF,CAAA;AAED,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,yBAAyB,EAAG,4EAA4E;IACxG,yBAAyB,EAAG,2EAA2E;CACxG,CAAC,CAAA;AAEF;;;;;;;;;;;GAWG;AACH,SAAgB,qBAAqB,CACnC,QAAyB,EACzB,OAAiC,YAAY;IAK7C,MAAM,UAAU,GAAoB,EAAE,CAAA;IACtC,MAAM,SAAS,GAAoE,EAAE,CAAA;IAErF,6BAA6B;IAC7B,MAAM,eAAe,GAAG,IAAI,KAAK,SAAS;QACxC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1E,CAAC,CAAC,kBAAkB,CAAA;IAEtB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,YAAY,GAAG,KAAK,CAAA;QAExB,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,SAAS,CAAC,IAAI,CAAC;oBACb,OAAO;oBACP,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,MAAM,EAAE,IAAI,CAAC,MAAM;iBACpB,CAAC,CAAA;gBACF,YAAY,GAAG,IAAI,CAAA;gBACnB,MAAK;YACP,CAAC;QACH,CAAC;QAED,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAC1B,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAA;AAClC,CAAC"}

package/dist/score/confidence.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Confidence Score Computation
+ *
+ * Single function that computes a finding's confidence score from
+ * baseConfidence + sum(applicable adjustments), then routes by thresholds.
+ */
+import type { Vulnerability } from '../shared/types';
+import type { ConfidenceComputation, AdjustmentRule, AdjustmentContext, DepthConfig } from './types';
+/**
+ * Compute confidence score for a single finding.
+ *
+ * Logic: score = clamp(base + sum(applicable deltas), 0.0, 1.0)
+ * Then route by depth thresholds:
+ *   - score >= surfaceThreshold → 'surface'
+ *   - score >= validateThreshold && aiEnabled → 'validate'
+ *   - otherwise → 'suppress'
+ */
+export declare function computeConfidence(finding: Vulnerability, context: AdjustmentContext, rules: AdjustmentRule[], depthConfig: DepthConfig): ConfidenceComputation;
+//# sourceMappingURL=confidence.d.ts.map

package/dist/score/confidence.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confidence.d.ts","sourceRoot":"","sources":["../../src/score/confidence.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,KAAK,EACV,qBAAqB,EAErB,cAAc,EACd,iBAAiB,EACjB,WAAW,EACZ,MAAM,SAAS,CAAA;AAKhB;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,aAAa,EACtB,OAAO,EAAE,iBAAiB,EAC1B,KAAK,EAAE,cAAc,EAAE,EACvB,WAAW,EAAE,WAAW,GACvB,qBAAqB,CAgCvB"}