@oculum/scanner 1.0.12 → 1.0.13

package/src/{layer1 → detect/config}/urls.ts

@@ -3,16 +3,19 @@
  * Detects hardcoded sensitive URLs that may indicate security issues
  */
 
-import type { Vulnerability } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
-import { isTestConfigFile, isPythonFile, isInsidePythonDocstring } from '../utils/context-helpers'
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isTestConfigFile, isPythonFile, isInsidePythonDocstring } from '../../parse/file-classifier'
 import {
   getEnvironmentContext,
   isInPlaceholderAttribute,
   isDefaultParameterValue,
   getLocalhostSeverity,
-} from '../utils/environment-context'
-import { getRouteProtectionContext } from '../utils/route-hierarchy'
+} from '../../shared/environment-context'
+import { getRouteProtectionContext } from '../../model/route-hierarchy'
+
+const BASE_CONFIDENCE_WEBHOOK = 0.55
+const BASE_CONFIDENCE_LOCALHOST = 0.30
 
 // Check if file is documentation/README/example
 function isDocumentationFile(filePath: string): boolean {
@@ -459,7 +462,9 @@ export function detectSensitiveURLs(
             description: description + (adjustedSeverity === 'high' ? ' (in production config!)' : ' (in dev/config file)'),
             suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
             confidence: adjustedSeverity === 'high' ? 'high' : 'low',
+            baseConfidence: BASE_CONFIDENCE_LOCALHOST,
             layer: 1,
+        source: 'config' as const,
           })
         } else {
           // Normal URL handling (non-localhost)
@@ -495,7 +500,9 @@ export function detectSensitiveURLs(
             description: description + contextNote,
             suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
             confidence: inTestFile ? 'low' : 'medium',
+            baseConfidence: BASE_CONFIDENCE_WEBHOOK,
             layer: 1,
+        source: 'config' as const,
             requiresAIValidation,
           })
         }

package/src/detect/index.ts

@@ -0,0 +1,131 @@
+/**
+ * Detection Stage — Runs Layer 1 + Layer 2 detectors and handles localhost aggregation.
+ *
+ * Returns raw findings before noisy aggregation/enrichment (those are called
+ * by the orchestrator to keep stage boundaries clean).
+ */
+
+import type {
+  ScanFile,
+  Vulnerability,
+  CancellationToken,
+  DetectorContext,
+  ProgressCallback,
+} from '../shared/types'
+import { runLayer1Scan, type Layer1Result } from './secrets'
+import { runLayer2Scan, type Layer2Result } from './structural'
+import { aggregateLocalhostFindings } from './config/urls'
+import type { MiddlewareAuthConfig } from '../model/middleware-detector'
+import type { FileAuthImports } from '../model/imported-auth-detector'
+import type { FilterPipeline } from '../postprocess/filtering/pipeline'
+
+export interface DetectorInput {
+  files: ScanFile[]
+  middlewareConfig?: MiddlewareAuthConfig
+  fileAuthImports?: Map<string, FileAuthImports>
+  detectorContext: DetectorContext
+  onProgress?: ProgressCallback
+  cancellationToken?: CancellationToken
+  filterPipeline: FilterPipeline
+  repoName: string
+  quiet: boolean
+}
+
+export interface DetectorOutput {
+  /** Combined Layer 1 + Layer 2 findings (after localhost aggregation) */
+  findings: Vulnerability[]
+  /** Phase timing */
+  phaseTiming: { layer1?: number; layer2?: number }
+}
+
+const fid = (v: Pick<Vulnerability, 'filePath' | 'lineNumber' | 'category'>) =>
+  `${v.filePath}:${v.lineNumber}:${v.category}`
+
+/**
+ * Run all detectors (Layer 1 + Layer 2) and return combined raw findings.
+ */
+export async function runDetectors(input: DetectorInput): Promise<DetectorOutput> {
+  const {
+    files,
+    middlewareConfig,
+    fileAuthImports,
+    detectorContext,
+    onProgress,
+    cancellationToken,
+    filterPipeline,
+    repoName,
+    quiet,
+  } = input
+
+  const log = (message: string) => {
+    if (!quiet) console.log(message)
+  }
+
+  const reportProgress = (
+    status: 'layer1' | 'layer2',
+    message: string,
+    vulnerabilitiesFound: number = 0
+  ) => {
+    if (onProgress) {
+      onProgress({
+        status,
+        message,
+        filesProcessed: files.length,
+        totalFiles: files.length,
+        vulnerabilitiesFound,
+      })
+    }
+  }
+
+  const phaseTiming: { layer1?: number; layer2?: number } = {}
+
+  // Layer 1: Surface Scan
+  const layer1Start = Date.now()
+  reportProgress('layer1', 'Running surface scan (patterns, entropy, config)...')
+  let layer1Result = await runLayer1Scan(files, onProgress, cancellationToken)
+
+  // Aggregate repeated localhost findings
+  const layer1RawCount = layer1Result.vulnerabilities.length
+  const layer1BeforeAggregation = layer1Result.vulnerabilities
+  layer1Result = {
+    ...layer1Result,
+    vulnerabilities: aggregateLocalhostFindings(layer1Result.vulnerabilities)
+  }
+  if (filterPipeline.isEnabled) {
+    const afterIds = new Set(layer1Result.vulnerabilities.map(fid))
+    for (const v of layer1BeforeAggregation) {
+      if (!afterIds.has(fid(v))) {
+        filterPipeline.record(fid(v), { stage: 'localhost_aggregation', action: 'aggregated', reason: 'Aggregated repeated localhost finding' })
+      }
+    }
+  }
+  phaseTiming.layer1 = Date.now() - layer1Start
+  log(`[Layer1] repo=${repoName} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length} duration=${phaseTiming.layer1}ms`)
+
+  // Layer 2: Structural Scan
+  const layer2Start = Date.now()
+  reportProgress('layer2', 'Running structural scan (variables, logic gates)...', layer1Result.vulnerabilities.length)
+  const layer2Result = await runLayer2Scan(
+    files,
+    { middlewareConfig, fileAuthImports, detectorContext },
+    onProgress,
+    cancellationToken
+  )
+
+  // Format heuristic breakdown for logging
+  const heuristicBreakdown = Object.entries(layer2Result.stats.raw)
+    .filter(([, count]) => count > 0)
+    .map(([name, count]) => `${name}:${count}`)
+    .join(',')
+  phaseTiming.layer2 = Date.now() - layer2Start
+  log(`[Layer2] repo=${repoName} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} duration=${phaseTiming.layer2}ms heuristic_breakdown={${heuristicBreakdown}}`)
+
+  // Combine Layer 1 and Layer 2 findings
+  const findings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities]
+
+  return { findings, phaseTiming }
+}
+
+// Re-export layer results for external consumers
+export { runLayer1Scan, type Layer1Result } from './secrets'
+export { runLayer2Scan, type Layer2Result } from './structural'

package/src/{layer1 → detect/secrets}/config-audit.ts

@@ -3,8 +3,11 @@
  * Scans configuration files for security misconfigurations
  */
 
-import type { ConfigRule, ConfigViolation, Vulnerability } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
+import type { ConfigRule, ConfigViolation, Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+
+// Base confidence for configuration audit findings
+const BASE_CONFIDENCE = 0.50
 
 // Configuration audit rules
 export const CONFIG_RULES: ConfigRule[] = [
@@ -336,7 +339,9 @@ export function auditConfiguration(
           description: violation.message,
           suggestedFix: getConfigFix(rule.name, violation),
           confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 1,
+        source: 'secrets' as const,
         })
       }
     }

package/src/{layer1 → detect/secrets}/config-mcp-audit.ts

@@ -13,15 +13,18 @@
  * - Insecure transport (http:// instead of https://)
  */
 
-import type { Vulnerability, VulnerabilitySeverity, VulnerabilityCategory } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
+import type { Vulnerability, VulnerabilitySeverity, VulnerabilityCategory } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isComment,
   isTestOrMockFile,
   isDocumentationFile,
   isScannerOrFixtureFile,
   isExampleDirectory,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+// Base confidence for MCP configuration audit findings
+const BASE_CONFIDENCE = 0.50
 
 // ============================================================================
 // Configuration File Detection
@@ -268,7 +271,9 @@ export function detectMCPConfigIssues(
         description,
         suggestedFix: pattern.suggestedFix,
         confidence: pattern.category === 'ai_mcp_config_secrets' ? 'high' : 'medium',
+        baseConfidence: BASE_CONFIDENCE,
         layer: 1,
+        source: 'secrets' as const,
         requiresAIValidation: severity !== 'info' && severity !== 'low',
       })
     }

package/src/{layer1 → detect/secrets}/entropy.ts

@@ -3,8 +3,8 @@
  * Uses Shannon entropy to detect potential secrets that don't match known patterns
  */
 
-import type { Vulnerability } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isTestOrMockFile,
   isComment,
@@ -12,7 +12,10 @@ import {
   isExampleFile,
   isFixtureFile,
   isExampleDirectory,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+// Base confidence for entropy-based findings (statistical, requires AI validation)
+const BASE_CONFIDENCE = 0.30
 
 // Shannon entropy calculation
 export function calculateEntropy(str: string): number {
@@ -152,19 +155,23 @@ function isTemplateWithCode(str: string, lineContent: string): boolean {
   if (!lineContent.includes('`') && !lineContent.includes('${')) {
     return false
   }
-  
+
+  // Multiple interpolations (3+) = formatting string, not a secret
+  const interpolationCount = (lineContent.match(/\$\{/g) || []).length
+  if (interpolationCount >= 3) {
+    return true
+  }
+
   // Common code patterns inside template literals that create high entropy
   const codePatterns = [
-    /\$\{[^}]*\.(toString|padStart|padEnd|toFixed|toLocaleString)\s*\(/i,  // Method calls
+    /\$\{[^}]*\.\w+\s*\(/,  // Method call inside interpolation: ${x.foo()}
+    /\$\{\w+\s*\(/,  // Function call inside interpolation: ${funcName(...)}
     /\$\{[^}]*\?\.[^}]*\}/,  // Optional chaining
     /\$\{[^}]*\s*\?\s*[^:]+\s*:\s*[^}]+\}/,  // Ternary operators
     /var\s*\(\s*\$\{/,  // CSS var() with template
-    /\$\{[^}]*\.find\s*\(/i,  // Array methods
-    /\$\{[^}]*\.map\s*\(/i,
-    /\$\{[^}]*\.filter\s*\(/i,
-    /\$\{new\s+Date\(\)/i,  // Date formatting
+    /\$\{new\s+\w+\(/i,  // Constructor calls: ${new Date()}
   ]
-  
+
   return codePatterns.some(pattern => pattern.test(lineContent))
 }
 
@@ -332,11 +339,14 @@ function isDocumentationFile(filePath: string): boolean {
   return docPatterns.some(p => p.test(filePath))
 }
 
-// Check if string is a console.log/debug statement content
+// Check if string is a logging/output statement content
 function isDebugLogContent(lineContent: string): boolean {
   const debugPatterns = [
     /console\.(log|debug|info|warn|error)\s*\(/i,
     /logger\.(log|debug|info|warn|error)\s*\(/i,
+    /\bthis\.log\s*\(/i,                          // Instance method logging
+    /\bcore\.(info|debug|warning|error|notice)\s*\(/i,  // GitHub Actions core
+    /\bvscode\.window\.show(Information|Warning|Error)Message\s*\(/i,  // VS Code API
     /\[.*Debug.*\]/i,
     /\[.*Log.*\]/i,
   ]
@@ -841,7 +851,9 @@ export function detectHighEntropyStrings(
           description: `High-entropy string found (entropy: ${entropy.toFixed(2)}). This may be a hardcoded secret, API key, or password.${inTestFile ? ' (in test file)' : ''}`,
           suggestedFix: 'Move this value to an environment variable and access it via process.env',
           confidence,
+          baseConfidence: BASE_CONFIDENCE,
           layer: 1,
+        source: 'secrets' as const,
           requiresAIValidation: true,  // Entropy findings must be validated by AI
         })
       }

package/src/{layer1 → detect/secrets}/index.ts

@@ -4,29 +4,24 @@
  * file flags, comment analysis, URL detection, and weak crypto detection
  */
 
-import type { Vulnerability, ScanFile, CancellationToken } from '../types'
-import type { ProgressCallback } from '../index'
+import type { Vulnerability, ScanFile, CancellationToken } from '../../shared/types'
+import type { ProgressCallback } from '../../shared/types'
 import { detectHighEntropyStrings } from './entropy'
 import { detectKnownPatterns } from './patterns'
 import { auditConfiguration } from './config-audit'
-import { detectDangerousFiles } from './file-flags'
-import { detectAICommentPatterns } from './comments'
-import { detectSensitiveURLs } from './urls'
+import { detectDangerousFiles } from '../config/file-flags'
+import { detectAICommentPatterns } from '../config/comments'
+import { detectSensitiveURLs } from '../config/urls'
 import { detectWeakCrypto } from './weak-crypto'
 import { detectMCPConfigIssues } from './config-mcp-audit'
-import {
-  type TierStats,
-  computeTierStats,
-  formatTierStats,
-  getLayer1DetectorTier,
-  type Layer1DetectorName,
-} from '../tiers'
+import { detectAgentSkillInjection } from '../config/agent-skill-injection'
+// Tier system removed in Phase 2B — confidence scoring handles routing
 import {
   filterFindingsByPath,
   type ExclusionConfig,
-} from '../utils/path-exclusions'
-import { severityRank } from '../utils/parsed-file'
-import { ParsedFile } from '../utils/parsed-file'
+} from '../../parse/path-exclusions'
+import { severityRank } from '../../shared/parsed-file'
+import { ParsedFile } from '../../shared/parsed-file'
 
 /**
  * Layer 1 detector stats for raw finding counts before deduplication
@@ -36,8 +31,6 @@ export interface Layer1Stats {
   raw: Record<string, number>
   /** Deduped finding counts per category */
   deduped: Record<string, number>
-  /** Tier breakdown of deduped findings */
-  tiers: TierStats
   /** Number of findings suppressed by path exclusions */
   suppressedByPath: number
 }
@@ -50,8 +43,18 @@ export interface Layer1Result {
   stats: Layer1Stats
 }
 
-// Extended stats type to include MCP config detector
-type Layer1StatsRecord = Record<Layer1DetectorName, number> & { mcp_config: number }
+// Layer 1 detector stat keys
+type Layer1StatsRecord = {
+  known_secrets: number
+  weak_crypto: number
+  sensitive_urls: number
+  entropy: number
+  config_audit: number
+  file_flags: number
+  ai_comments: number
+  mcp_config: number
+  agent_skill: number
+}
 
 // Process a single file through all Layer 1 detectors
 function processFileLayer1(file: ScanFile): {
@@ -67,6 +70,7 @@ function processFileLayer1(file: ScanFile): {
     file_flags: 0,
     ai_comments: 0,
     mcp_config: 0,
+    agent_skill: 0,
   }
 
   // Create ParsedFile once for all detectors to share
@@ -80,6 +84,7 @@ function processFileLayer1(file: ScanFile): {
   const urlFindings = detectSensitiveURLs(file.content, file.path, { parsed })
   const cryptoFindings = detectWeakCrypto(file.content, file.path, { parsed })
   const mcpConfigFindings = detectMCPConfigIssues(file.content, file.path, { parsed })
+  const agentSkillFindings = detectAgentSkillInjection(file.content, file.path, { parsed })
 
   stats.entropy = entropyFindings.length
   stats.known_secrets = patternFindings.length
@@ -89,6 +94,7 @@ function processFileLayer1(file: ScanFile): {
   stats.sensitive_urls = urlFindings.length
   stats.weak_crypto = cryptoFindings.length
   stats.mcp_config = mcpConfigFindings.length
+  stats.agent_skill = agentSkillFindings.length
 
   return {
     findings: [
@@ -100,6 +106,7 @@ function processFileLayer1(file: ScanFile): {
       ...urlFindings,
       ...cryptoFindings,
       ...mcpConfigFindings,
+      ...agentSkillFindings,
     ],
     stats,
   }
@@ -128,6 +135,7 @@ export async function runLayer1Scan(
     file_flags: 0,
     ai_comments: 0,
     mcp_config: 0,
+    agent_skill: 0,
   }
 
   // Track progress for frequent updates
@@ -180,13 +188,6 @@ export async function runLayer1Scan(
     dedupedStats[cat] = (dedupedStats[cat] || 0) + 1
   }
 
-  // Compute tier breakdown (all Layer 1 findings have layer: 1)
-  const tierStats = computeTierStats(
-    uniqueVulnerabilities.map(v => ({ category: v.category, layer: 1 as const }))
-  )
-
-  // Heuristic breakdown available in stats.raw and stats.tiers for debugging
-
   return {
     vulnerabilities: uniqueVulnerabilities,
     filesScanned: files.length,
@@ -194,7 +195,6 @@ export async function runLayer1Scan(
     stats: {
       raw: rawStats,
       deduped: dedupedStats,
-      tiers: tierStats,
       suppressedByPath: suppressed.length,
     },
   }
@@ -222,8 +222,9 @@ function deduplicateFindings(vulnerabilities: Vulnerability[]): Vulnerability[]
 export { detectHighEntropyStrings } from './entropy'
 export { detectKnownPatterns } from './patterns'
 export { auditConfiguration } from './config-audit'
-export { detectDangerousFiles } from './file-flags'
-export { detectAICommentPatterns } from './comments'
-export { detectSensitiveURLs } from './urls'
+export { detectDangerousFiles } from '../config/file-flags'
+export { detectAICommentPatterns } from '../config/comments'
+export { detectSensitiveURLs } from '../config/urls'
 export { detectWeakCrypto } from './weak-crypto'
 export { detectMCPConfigIssues } from './config-mcp-audit'
+export { detectAgentSkillInjection } from '../config/agent-skill-injection'

package/src/{layer1 → detect/secrets}/patterns.ts

@@ -3,8 +3,8 @@
  * Curated library of high-fidelity regex patterns for detecting secrets
  */
 
-import type { SecretPattern, Vulnerability } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
+import type { SecretPattern, Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isServerOnlyFile,
   isExampleFile,
@@ -18,7 +18,12 @@ import {
   getServiceRoleKeyContext,
   isPythonFile,
   isInsidePythonDocstring,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+// Base confidence for known API key format patterns (AWS, GitHub, Stripe, etc.)
+const BASE_CONFIDENCE_KNOWN = 0.70
+// Base confidence for generic secret patterns (api_key=, secret_key=, etc.)
+const BASE_CONFIDENCE_GENERIC = 0.50
 
 // Check if file is documentation/README
 function isDocumentationFile(filePath: string): boolean {
@@ -543,7 +548,9 @@ export function detectKnownPatterns(
           description: adjustedDescription,
           suggestedFix: 'Move this secret to an environment variable. Never commit secrets to version control.',
           confidence: adjustedConfidence,
+          baseConfidence: isGenericPattern ? BASE_CONFIDENCE_GENERIC : BASE_CONFIDENCE_KNOWN,
           layer: 1,
+        source: 'secrets' as const,
           requiresAIValidation: finalRequiresAIValidation,
         })
       }

package/src/{layer1 → detect/secrets}/weak-crypto.ts

@@ -3,8 +3,11 @@
  * Detects usage of deprecated or weak cryptographic algorithms
  */
 
-import type { Vulnerability } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+
+// Base confidence for weak cryptography findings
+const BASE_CONFIDENCE = 0.45
 
 // Weak/deprecated cryptographic patterns
 const WEAK_CRYPTO_PATTERNS = [
@@ -469,7 +472,9 @@ export function detectWeakCrypto(
           description,
           suggestedFix: fix,
           confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 1,
+        source: 'secrets' as const,
         })
         break // Only report one crypto issue per line
       }

package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts}

@@ -8,17 +8,19 @@
  * - Properly classifies public endpoints
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
-import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
-import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../utils/middleware-detector'
-import type { AuthHelper, AuthHelperContext } from '../utils/auth-helper-detector'
-import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../utils/auth-helper-detector'
-import type { FileAuthImports } from '../utils/imported-auth-detector'
-import { isScannerOrFixtureFile } from '../utils/context-helpers'
-import { getRouteProtectionContext, isAuthenticatedOnlyComponent } from '../utils/route-hierarchy'
-import { is2FAOrValidation } from '../utils/schema-semantics'
-import { isPasswordErrorCode, hasPasswordValueInError } from '../utils/intent-detector'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import type { MiddlewareAuthConfig } from '../../model/middleware-detector'
+import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../../model/middleware-detector'
+import type { AuthHelper, AuthHelperContext } from '../../model/auth-helper-detector'
+import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../../model/auth-helper-detector'
+import type { FileAuthImports } from '../../model/imported-auth-detector'
+import { isScannerOrFixtureFile } from '../../parse/file-classifier'
+import { getRouteProtectionContext, isAuthenticatedOnlyComponent } from '../../model/route-hierarchy'
+import { is2FAOrValidation } from '../../shared/schema-semantics'
+import { isPasswordErrorCode, hasPasswordValueInError } from '../../shared/intent-detector'
+
+const BASE_CONFIDENCE = 0.40
 
 interface AuthAntiPattern {
   name: string
@@ -457,7 +459,9 @@ export function detectAuthAntipatterns(
               description: `This route is within a protected route hierarchy (${routeHierarchy.protectionSource.join(', ')}). Authentication is likely handled by parent layout/middleware.`,
               suggestedFix: 'Verify parent layout enforces authentication. If not, add auth check here.',
               confidence: 'low',
+              baseConfidence: BASE_CONFIDENCE,
               layer: 2,
+        source: 'structural' as const,
             })
             break // Only report once per line
           }
@@ -504,7 +508,9 @@ export function detectAuthAntipatterns(
               description: 'This appears to be a public endpoint (health check, webhook, cron, etc.). Verify this is intentionally public and consider rate limiting if needed.',
               suggestedFix: 'If this is a webhook or cron endpoint, ensure it has appropriate authentication (API keys, signatures, etc.). Health checks typically do not need auth.',
               confidence: 'low',
+              baseConfidence: BASE_CONFIDENCE,
               layer: 2,
+        source: 'structural' as const,
             })
             break // Only report once per line
           }
@@ -522,7 +528,9 @@ export function detectAuthAntipatterns(
               description: pattern.description + ' (auth check detected in nearby lines)',
               suggestedFix: pattern.suggestedFix,
               confidence: 'low',
+              baseConfidence: BASE_CONFIDENCE,
               layer: 2,
+        source: 'structural' as const,
             })
             break // Only report once per line
           }
@@ -543,7 +551,9 @@ export function detectAuthAntipatterns(
           description: pattern.description,
           suggestedFix: pattern.suggestedFix,
           confidence,
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only report once per line
       }
@@ -578,7 +588,9 @@ export function detectAuthAntipatterns(
           description: 'Actual password value may be included in error message, exposing sensitive data.',
           suggestedFix: 'Never include actual password values in error messages. Use error codes instead.',
           confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
       }
     }

package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts

@@ -5,7 +5,7 @@
  * and document.write.
  */
 
-import type { ParsedFile } from '../../utils/parsed-file'
+import type { ParsedFile } from '../../../shared/parsed-file'
 
 /**
  * Check if innerHTML is being used on a style element (CSS injection is not XSS)