@oculum/scanner 1.0.12 → 1.0.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/detect/ai-code/agent-tools.d.ts +22 -0
- package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
- package/dist/detect/ai-code/agent-tools.js +1509 -0
- package/dist/detect/ai-code/agent-tools.js.map +1 -0
- package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
- package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
- package/dist/detect/ai-code/byok-patterns.js +313 -0
- package/dist/detect/ai-code/byok-patterns.js.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.js +349 -0
- package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
- package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
- package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
- package/dist/detect/ai-code/execution-sinks.js +1158 -0
- package/dist/detect/ai-code/execution-sinks.js.map +1 -0
- package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
- package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
- package/dist/detect/ai-code/fingerprinting.js +665 -0
- package/dist/detect/ai-code/fingerprinting.js.map +1 -0
- package/dist/detect/ai-code/index.d.ts +12 -0
- package/dist/detect/ai-code/index.d.ts.map +1 -0
- package/dist/detect/ai-code/index.js +26 -0
- package/dist/detect/ai-code/index.js.map +1 -0
- package/dist/detect/ai-code/mcp-security.d.ts +20 -0
- package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
- package/dist/detect/ai-code/mcp-security.js +880 -0
- package/dist/detect/ai-code/mcp-security.js.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.js +447 -0
- package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
- package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
- package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
- package/dist/detect/ai-code/package-hallucination.js +841 -0
- package/dist/detect/ai-code/package-hallucination.js.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
- package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
- package/dist/detect/ai-code/rag-safety.d.ts +24 -0
- package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
- package/dist/detect/ai-code/rag-safety.js +913 -0
- package/dist/detect/ai-code/rag-safety.js.map +1 -0
- package/dist/detect/ai-code/schema-validation.d.ts +28 -0
- package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
- package/dist/detect/ai-code/schema-validation.js +378 -0
- package/dist/detect/ai-code/schema-validation.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts +27 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
- package/dist/detect/config/agent-skill-injection.js +472 -0
- package/dist/detect/config/agent-skill-injection.js.map +1 -0
- package/dist/detect/config/comments.d.ts +11 -0
- package/dist/detect/config/comments.d.ts.map +1 -0
- package/dist/detect/config/comments.js +206 -0
- package/dist/detect/config/comments.js.map +1 -0
- package/dist/detect/config/file-flags.d.ts +10 -0
- package/dist/detect/config/file-flags.d.ts.map +1 -0
- package/dist/detect/config/file-flags.js +124 -0
- package/dist/detect/config/file-flags.js.map +1 -0
- package/dist/detect/config/index.d.ts +7 -0
- package/dist/detect/config/index.d.ts.map +1 -0
- package/dist/detect/config/index.js +17 -0
- package/dist/detect/config/index.js.map +1 -0
- package/dist/detect/config/osv-check.d.ts +75 -0
- package/dist/detect/config/osv-check.d.ts.map +1 -0
- package/dist/detect/config/osv-check.js +309 -0
- package/dist/detect/config/osv-check.js.map +1 -0
- package/dist/detect/config/package-check.d.ts +63 -0
- package/dist/detect/config/package-check.d.ts.map +1 -0
- package/dist/detect/config/package-check.js +509 -0
- package/dist/detect/config/package-check.js.map +1 -0
- package/dist/detect/config/urls.d.ts +11 -0
- package/dist/detect/config/urls.d.ts.map +1 -0
- package/dist/detect/config/urls.js +450 -0
- package/dist/detect/config/urls.js.map +1 -0
- package/dist/detect/index.d.ts +37 -0
- package/dist/detect/index.d.ts.map +1 -0
- package/dist/detect/index.js +77 -0
- package/dist/detect/index.js.map +1 -0
- package/dist/detect/secrets/config-audit.d.ts +11 -0
- package/dist/detect/secrets/config-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-audit.js +315 -0
- package/dist/detect/secrets/config-audit.js.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.js +243 -0
- package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
- package/dist/detect/secrets/entropy.d.ts +11 -0
- package/dist/detect/secrets/entropy.d.ts.map +1 -0
- package/dist/detect/secrets/entropy.js +751 -0
- package/dist/detect/secrets/entropy.js.map +1 -0
- package/dist/detect/secrets/index.d.ts +36 -0
- package/dist/detect/secrets/index.d.ts.map +1 -0
- package/dist/detect/secrets/index.js +174 -0
- package/dist/detect/secrets/index.js.map +1 -0
- package/dist/detect/secrets/patterns.d.ts +11 -0
- package/dist/detect/secrets/patterns.d.ts.map +1 -0
- package/dist/detect/secrets/patterns.js +518 -0
- package/dist/detect/secrets/patterns.js.map +1 -0
- package/dist/detect/secrets/weak-crypto.d.ts +10 -0
- package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
- package/dist/detect/secrets/weak-crypto.js +432 -0
- package/dist/detect/secrets/weak-crypto.js.map +1 -0
- package/dist/detect/structural/auth-patterns.d.ts +22 -0
- package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
- package/dist/detect/structural/auth-patterns.js +533 -0
- package/dist/detect/structural/auth-patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
- package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.js +1193 -0
- package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
- package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
- package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
- package/dist/detect/structural/data-exposure.d.ts +19 -0
- package/dist/detect/structural/data-exposure.d.ts.map +1 -0
- package/dist/detect/structural/data-exposure.js +262 -0
- package/dist/detect/structural/data-exposure.js.map +1 -0
- package/dist/detect/structural/framework-checks.d.ts +10 -0
- package/dist/detect/structural/framework-checks.d.ts.map +1 -0
- package/dist/detect/structural/framework-checks.js +389 -0
- package/dist/detect/structural/framework-checks.js.map +1 -0
- package/dist/detect/structural/index.d.ts +71 -0
- package/dist/detect/structural/index.d.ts.map +1 -0
- package/dist/detect/structural/index.js +510 -0
- package/dist/detect/structural/index.js.map +1 -0
- package/dist/detect/structural/log-injection.d.ts +18 -0
- package/dist/detect/structural/log-injection.d.ts.map +1 -0
- package/dist/detect/structural/log-injection.js +217 -0
- package/dist/detect/structural/log-injection.js.map +1 -0
- package/dist/detect/structural/logic-gates.d.ts +10 -0
- package/dist/detect/structural/logic-gates.d.ts.map +1 -0
- package/dist/detect/structural/logic-gates.js +227 -0
- package/dist/detect/structural/logic-gates.js.map +1 -0
- package/dist/detect/structural/risky-imports.d.ts +10 -0
- package/dist/detect/structural/risky-imports.d.ts.map +1 -0
- package/dist/detect/structural/risky-imports.js +168 -0
- package/dist/detect/structural/risky-imports.js.map +1 -0
- package/dist/detect/structural/security-headers.d.ts +18 -0
- package/dist/detect/structural/security-headers.d.ts.map +1 -0
- package/dist/detect/structural/security-headers.js +196 -0
- package/dist/detect/structural/security-headers.js.map +1 -0
- package/dist/detect/structural/ssrf-detection.d.ts +18 -0
- package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
- package/dist/detect/structural/ssrf-detection.js +263 -0
- package/dist/detect/structural/ssrf-detection.js.map +1 -0
- package/dist/detect/structural/variables.d.ts +11 -0
- package/dist/detect/structural/variables.d.ts.map +1 -0
- package/dist/detect/structural/variables.js +159 -0
- package/dist/detect/structural/variables.js.map +1 -0
- package/dist/detect/structural/xxe-detection.d.ts +18 -0
- package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
- package/dist/detect/structural/xxe-detection.js +245 -0
- package/dist/detect/structural/xxe-detection.js.map +1 -0
- package/dist/index.d.ts +17 -64
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +49 -1034
- package/dist/index.js.map +1 -1
- package/dist/layer2/framework-checks.d.ts.map +1 -1
- package/dist/layer2/framework-checks.js +1 -8
- package/dist/layer2/framework-checks.js.map +1 -1
- package/dist/layer2/index.d.ts +4 -0
- package/dist/layer2/index.d.ts.map +1 -1
- package/dist/layer2/index.js +50 -1
- package/dist/layer2/index.js.map +1 -1
- package/dist/layer2/log-injection.d.ts +18 -0
- package/dist/layer2/log-injection.d.ts.map +1 -0
- package/dist/layer2/log-injection.js +214 -0
- package/dist/layer2/log-injection.js.map +1 -0
- package/dist/layer2/security-headers.d.ts +18 -0
- package/dist/layer2/security-headers.d.ts.map +1 -0
- package/dist/layer2/security-headers.js +187 -0
- package/dist/layer2/security-headers.js.map +1 -0
- package/dist/layer2/ssrf-detection.d.ts +18 -0
- package/dist/layer2/ssrf-detection.d.ts.map +1 -0
- package/dist/layer2/ssrf-detection.js +252 -0
- package/dist/layer2/ssrf-detection.js.map +1 -0
- package/dist/layer2/xxe-detection.d.ts +18 -0
- package/dist/layer2/xxe-detection.d.ts.map +1 -0
- package/dist/layer2/xxe-detection.js +242 -0
- package/dist/layer2/xxe-detection.js.map +1 -0
- package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
- package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/index.js +3 -1
- package/dist/layer3/anthropic/prompts/index.js.map +1 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
- package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
- package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/validation.js +14 -410
- package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.js +6 -3
- package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
- package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/openai.js +6 -3
- package/dist/layer3/anthropic/providers/openai.js.map +1 -1
- package/dist/layer3/anthropic/request-builder.d.ts +11 -4
- package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
- package/dist/layer3/anthropic/request-builder.js +32 -16
- package/dist/layer3/anthropic/request-builder.js.map +1 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
- package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
- package/dist/layer3/anthropic/utils/index.d.ts +2 -0
- package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/utils/index.js +4 -1
- package/dist/layer3/anthropic/utils/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts +56 -0
- package/dist/model/auth-helper-detector.d.ts.map +1 -0
- package/dist/model/auth-helper-detector.js +360 -0
- package/dist/model/auth-helper-detector.js.map +1 -0
- package/dist/model/cross-file-taint.d.ts +40 -0
- package/dist/model/cross-file-taint.d.ts.map +1 -0
- package/dist/model/cross-file-taint.js +290 -0
- package/dist/model/cross-file-taint.js.map +1 -0
- package/dist/model/framework-models/django.d.ts +9 -0
- package/dist/model/framework-models/django.d.ts.map +1 -0
- package/dist/model/framework-models/django.js +82 -0
- package/dist/model/framework-models/django.js.map +1 -0
- package/dist/model/framework-models/express.d.ts +9 -0
- package/dist/model/framework-models/express.d.ts.map +1 -0
- package/dist/model/framework-models/express.js +52 -0
- package/dist/model/framework-models/express.js.map +1 -0
- package/dist/model/framework-models/index.d.ts +20 -0
- package/dist/model/framework-models/index.d.ts.map +1 -0
- package/dist/model/framework-models/index.js +102 -0
- package/dist/model/framework-models/index.js.map +1 -0
- package/dist/model/framework-models/nextjs.d.ts +9 -0
- package/dist/model/framework-models/nextjs.d.ts.map +1 -0
- package/dist/model/framework-models/nextjs.js +71 -0
- package/dist/model/framework-models/nextjs.js.map +1 -0
- package/dist/model/framework-models/prisma.d.ts +10 -0
- package/dist/model/framework-models/prisma.d.ts.map +1 -0
- package/dist/model/framework-models/prisma.js +54 -0
- package/dist/model/framework-models/prisma.js.map +1 -0
- package/dist/model/framework-models/react.d.ts +9 -0
- package/dist/model/framework-models/react.d.ts.map +1 -0
- package/dist/model/framework-models/react.js +67 -0
- package/dist/model/framework-models/react.js.map +1 -0
- package/dist/model/framework-models/sequelize.d.ts +9 -0
- package/dist/model/framework-models/sequelize.d.ts.map +1 -0
- package/dist/model/framework-models/sequelize.js +62 -0
- package/dist/model/framework-models/sequelize.js.map +1 -0
- package/dist/model/framework-models/types.d.ts +43 -0
- package/dist/model/framework-models/types.d.ts.map +1 -0
- package/dist/model/framework-models/types.js +10 -0
- package/dist/model/framework-models/types.js.map +1 -0
- package/dist/model/function-classifier.d.ts +32 -0
- package/dist/model/function-classifier.d.ts.map +1 -0
- package/dist/model/function-classifier.js +143 -0
- package/dist/model/function-classifier.js.map +1 -0
- package/dist/model/import-resolver.d.ts +45 -0
- package/dist/model/import-resolver.d.ts.map +1 -0
- package/dist/model/import-resolver.js +410 -0
- package/dist/model/import-resolver.js.map +1 -0
- package/dist/model/imported-auth-detector.d.ts +38 -0
- package/dist/model/imported-auth-detector.d.ts.map +1 -0
- package/dist/model/imported-auth-detector.js +199 -0
- package/dist/model/imported-auth-detector.js.map +1 -0
- package/dist/model/index.d.ts +63 -0
- package/dist/model/index.d.ts.map +1 -0
- package/dist/model/index.js +272 -0
- package/dist/model/index.js.map +1 -0
- package/dist/model/middleware-detector.d.ts +55 -0
- package/dist/model/middleware-detector.d.ts.map +1 -0
- package/dist/model/middleware-detector.js +382 -0
- package/dist/model/middleware-detector.js.map +1 -0
- package/dist/model/module-graph.d.ts +46 -0
- package/dist/model/module-graph.d.ts.map +1 -0
- package/dist/model/module-graph.js +187 -0
- package/dist/model/module-graph.js.map +1 -0
- package/dist/model/oauth-flow-detector.d.ts +41 -0
- package/dist/model/oauth-flow-detector.d.ts.map +1 -0
- package/dist/model/oauth-flow-detector.js +202 -0
- package/dist/model/oauth-flow-detector.js.map +1 -0
- package/dist/model/project-context.d.ts +119 -0
- package/dist/model/project-context.d.ts.map +1 -0
- package/dist/model/project-context.js +534 -0
- package/dist/model/project-context.js.map +1 -0
- package/dist/model/route-auth-resolver.d.ts +27 -0
- package/dist/model/route-auth-resolver.d.ts.map +1 -0
- package/dist/model/route-auth-resolver.js +182 -0
- package/dist/model/route-auth-resolver.js.map +1 -0
- package/dist/model/route-discovery/express.d.ts +25 -0
- package/dist/model/route-discovery/express.d.ts.map +1 -0
- package/dist/model/route-discovery/express.js +225 -0
- package/dist/model/route-discovery/express.js.map +1 -0
- package/dist/model/route-discovery/index.d.ts +21 -0
- package/dist/model/route-discovery/index.d.ts.map +1 -0
- package/dist/model/route-discovery/index.js +67 -0
- package/dist/model/route-discovery/index.js.map +1 -0
- package/dist/model/route-discovery/nextjs.d.ts +16 -0
- package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
- package/dist/model/route-discovery/nextjs.js +179 -0
- package/dist/model/route-discovery/nextjs.js.map +1 -0
- package/dist/model/route-discovery/python.d.ts +16 -0
- package/dist/model/route-discovery/python.d.ts.map +1 -0
- package/dist/model/route-discovery/python.js +181 -0
- package/dist/model/route-discovery/python.js.map +1 -0
- package/dist/model/route-discovery/types.d.ts +36 -0
- package/dist/model/route-discovery/types.d.ts.map +1 -0
- package/dist/model/route-discovery/types.js +16 -0
- package/dist/model/route-discovery/types.js.map +1 -0
- package/dist/model/route-discovery/utils.d.ts +18 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -0
- package/dist/model/route-discovery/utils.js +55 -0
- package/dist/model/route-discovery/utils.js.map +1 -0
- package/dist/model/route-hierarchy.d.ts +50 -0
- package/dist/model/route-hierarchy.d.ts.map +1 -0
- package/dist/model/route-hierarchy.js +226 -0
- package/dist/model/route-hierarchy.js.map +1 -0
- package/dist/model/sanitiser-detection.d.ts +27 -0
- package/dist/model/sanitiser-detection.d.ts.map +1 -0
- package/dist/model/sanitiser-detection.js +224 -0
- package/dist/model/sanitiser-detection.js.map +1 -0
- package/dist/model/sink-matcher.d.ts +17 -0
- package/dist/model/sink-matcher.d.ts.map +1 -0
- package/dist/model/sink-matcher.js +141 -0
- package/dist/model/sink-matcher.js.map +1 -0
- package/dist/model/sink-patterns.d.ts +19 -0
- package/dist/model/sink-patterns.d.ts.map +1 -0
- package/dist/model/sink-patterns.js +88 -0
- package/dist/model/sink-patterns.js.map +1 -0
- package/dist/model/source-discovery.d.ts +15 -0
- package/dist/model/source-discovery.d.ts.map +1 -0
- package/dist/model/source-discovery.js +170 -0
- package/dist/model/source-discovery.js.map +1 -0
- package/dist/model/taint-tracker.d.ts +21 -0
- package/dist/model/taint-tracker.d.ts.map +1 -0
- package/dist/model/taint-tracker.js +281 -0
- package/dist/model/taint-tracker.js.map +1 -0
- package/dist/model/taint-types.d.ts +74 -0
- package/dist/model/taint-types.d.ts.map +1 -0
- package/dist/model/taint-types.js +9 -0
- package/dist/model/taint-types.js.map +1 -0
- package/dist/model/trpc-analyzer.d.ts +78 -0
- package/dist/model/trpc-analyzer.d.ts.map +1 -0
- package/dist/model/trpc-analyzer.js +297 -0
- package/dist/model/trpc-analyzer.js.map +1 -0
- package/dist/parse/file-classifier.d.ts +228 -0
- package/dist/parse/file-classifier.d.ts.map +1 -0
- package/dist/parse/file-classifier.js +933 -0
- package/dist/parse/file-classifier.js.map +1 -0
- package/dist/parse/path-exclusions.d.ts +55 -0
- package/dist/parse/path-exclusions.d.ts.map +1 -0
- package/dist/parse/path-exclusions.js +224 -0
- package/dist/parse/path-exclusions.js.map +1 -0
- package/dist/pipeline/config.d.ts +39 -0
- package/dist/pipeline/config.d.ts.map +1 -0
- package/dist/pipeline/config.js +46 -0
- package/dist/pipeline/config.js.map +1 -0
- package/dist/pipeline/index.d.ts +34 -0
- package/dist/pipeline/index.d.ts.map +1 -0
- package/dist/pipeline/index.js +377 -0
- package/dist/pipeline/index.js.map +1 -0
- package/dist/pipeline/modes/incremental.d.ts +66 -0
- package/dist/pipeline/modes/incremental.d.ts.map +1 -0
- package/dist/pipeline/modes/incremental.js +200 -0
- package/dist/pipeline/modes/incremental.js.map +1 -0
- package/dist/postprocess/aggregation.d.ts +14 -0
- package/dist/postprocess/aggregation.d.ts.map +1 -0
- package/dist/postprocess/aggregation.js +63 -0
- package/dist/postprocess/aggregation.js.map +1 -0
- package/dist/postprocess/contradictions.d.ts +18 -0
- package/dist/postprocess/contradictions.d.ts.map +1 -0
- package/dist/postprocess/contradictions.js +99 -0
- package/dist/postprocess/contradictions.js.map +1 -0
- package/dist/postprocess/dedup.d.ts +13 -0
- package/dist/postprocess/dedup.d.ts.map +1 -0
- package/dist/postprocess/dedup.js +58 -0
- package/dist/postprocess/dedup.js.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.js +100 -0
- package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
- package/dist/postprocess/filtering/index.d.ts +3 -0
- package/dist/postprocess/filtering/index.d.ts.map +1 -0
- package/dist/postprocess/filtering/index.js +8 -0
- package/dist/postprocess/filtering/index.js.map +1 -0
- package/dist/postprocess/filtering/pipeline.d.ts +48 -0
- package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
- package/dist/postprocess/filtering/pipeline.js +76 -0
- package/dist/postprocess/filtering/pipeline.js.map +1 -0
- package/dist/postprocess/index.d.ts +41 -0
- package/dist/postprocess/index.d.ts.map +1 -0
- package/dist/postprocess/index.js +85 -0
- package/dist/postprocess/index.js.map +1 -0
- package/dist/postprocess/suppression/config-loader.d.ts +74 -0
- package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
- package/dist/postprocess/suppression/config-loader.js +424 -0
- package/dist/postprocess/suppression/config-loader.js.map +1 -0
- package/dist/postprocess/suppression/hash.d.ts +48 -0
- package/dist/postprocess/suppression/hash.d.ts.map +1 -0
- package/dist/postprocess/suppression/hash.js +88 -0
- package/dist/postprocess/suppression/hash.js.map +1 -0
- package/dist/postprocess/suppression/index.d.ts +11 -0
- package/dist/postprocess/suppression/index.d.ts.map +1 -0
- package/dist/postprocess/suppression/index.js +39 -0
- package/dist/postprocess/suppression/index.js.map +1 -0
- package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
- package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
- package/dist/postprocess/suppression/inline-parser.js +218 -0
- package/dist/postprocess/suppression/inline-parser.js.map +1 -0
- package/dist/postprocess/suppression/manager.d.ts +94 -0
- package/dist/postprocess/suppression/manager.d.ts.map +1 -0
- package/dist/postprocess/suppression/manager.js +292 -0
- package/dist/postprocess/suppression/manager.js.map +1 -0
- package/dist/postprocess/suppression/types.d.ts +151 -0
- package/dist/postprocess/suppression/types.d.ts.map +1 -0
- package/dist/postprocess/suppression/types.js +28 -0
- package/dist/postprocess/suppression/types.js.map +1 -0
- package/dist/postprocess/validation-cap.d.ts +17 -0
- package/dist/postprocess/validation-cap.d.ts.map +1 -0
- package/dist/postprocess/validation-cap.js +64 -0
- package/dist/postprocess/validation-cap.js.map +1 -0
- package/dist/report/build-result.d.ts +33 -0
- package/dist/report/build-result.d.ts.map +1 -0
- package/dist/report/build-result.js +59 -0
- package/dist/report/build-result.js.map +1 -0
- package/dist/report/enrichment.d.ts +19 -0
- package/dist/report/enrichment.d.ts.map +1 -0
- package/dist/report/enrichment.js +44 -0
- package/dist/report/enrichment.js.map +1 -0
- package/dist/report/formatters/ai-context.d.ts +23 -0
- package/dist/report/formatters/ai-context.d.ts.map +1 -0
- package/dist/report/formatters/ai-context.js +238 -0
- package/dist/report/formatters/ai-context.js.map +1 -0
- package/dist/report/formatters/cli-terminal.d.ts +65 -0
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
- package/dist/report/formatters/cli-terminal.js +735 -0
- package/dist/report/formatters/cli-terminal.js.map +1 -0
- package/dist/report/formatters/github-comment.d.ts +41 -0
- package/dist/report/formatters/github-comment.d.ts.map +1 -0
- package/dist/report/formatters/github-comment.js +370 -0
- package/dist/report/formatters/github-comment.js.map +1 -0
- package/dist/report/formatters/grouping.d.ts +52 -0
- package/dist/report/formatters/grouping.d.ts.map +1 -0
- package/dist/report/formatters/grouping.js +152 -0
- package/dist/report/formatters/grouping.js.map +1 -0
- package/dist/report/formatters/ide/claude-code.d.ts +17 -0
- package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/report/formatters/ide/claude-code.js +94 -0
- package/dist/report/formatters/ide/claude-code.js.map +1 -0
- package/dist/report/formatters/ide/cursor.d.ts +13 -0
- package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/report/formatters/ide/cursor.js +125 -0
- package/dist/report/formatters/ide/cursor.js.map +1 -0
- package/dist/report/formatters/ide/index.d.ts +62 -0
- package/dist/report/formatters/ide/index.d.ts.map +1 -0
- package/dist/report/formatters/ide/index.js +184 -0
- package/dist/report/formatters/ide/index.js.map +1 -0
- package/dist/report/formatters/ide/windsurf.d.ts +13 -0
- package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/report/formatters/ide/windsurf.js +117 -0
- package/dist/report/formatters/ide/windsurf.js.map +1 -0
- package/dist/report/formatters/index.d.ts +11 -0
- package/dist/report/formatters/index.d.ts.map +1 -0
- package/dist/report/formatters/index.js +54 -0
- package/dist/report/formatters/index.js.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.js +151 -0
- package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
- package/dist/report/summary.d.ts +27 -0
- package/dist/report/summary.d.ts.map +1 -0
- package/dist/report/summary.js +57 -0
- package/dist/report/summary.js.map +1 -0
- package/dist/rules/metadata.d.ts.map +1 -1
- package/dist/rules/metadata.js +66 -0
- package/dist/rules/metadata.js.map +1 -1
- package/dist/score/adjustments.d.ts +22 -0
- package/dist/score/adjustments.d.ts.map +1 -0
- package/dist/score/adjustments.js +373 -0
- package/dist/score/adjustments.js.map +1 -0
- package/dist/score/auto-dismiss.d.ts +28 -0
- package/dist/score/auto-dismiss.d.ts.map +1 -0
- package/dist/score/auto-dismiss.js +200 -0
- package/dist/score/auto-dismiss.js.map +1 -0
- package/dist/score/confidence.d.ts +19 -0
- package/dist/score/confidence.d.ts.map +1 -0
- package/dist/score/confidence.js +52 -0
- package/dist/score/confidence.js.map +1 -0
- package/dist/score/index.d.ts +61 -0
- package/dist/score/index.d.ts.map +1 -0
- package/dist/score/index.js +250 -0
- package/dist/score/index.js.map +1 -0
- package/dist/score/types.d.ts +160 -0
- package/dist/score/types.d.ts.map +1 -0
- package/dist/score/types.js +14 -0
- package/dist/score/types.js.map +1 -0
- package/dist/shared/ai-context/index.d.ts +6 -0
- package/dist/shared/ai-context/index.d.ts.map +1 -0
- package/dist/shared/ai-context/index.js +13 -0
- package/dist/shared/ai-context/index.js.map +1 -0
- package/dist/shared/ai-context/manager.d.ts +67 -0
- package/dist/shared/ai-context/manager.d.ts.map +1 -0
- package/dist/shared/ai-context/manager.js +104 -0
- package/dist/shared/ai-context/manager.js.map +1 -0
- package/dist/shared/baseline/diff.d.ts +32 -0
- package/dist/shared/baseline/diff.d.ts.map +1 -0
- package/dist/shared/baseline/diff.js +119 -0
- package/dist/shared/baseline/diff.js.map +1 -0
- package/dist/shared/baseline/index.d.ts +9 -0
- package/dist/shared/baseline/index.d.ts.map +1 -0
- package/dist/shared/baseline/index.js +19 -0
- package/dist/shared/baseline/index.js.map +1 -0
- package/dist/shared/baseline/manager.d.ts +67 -0
- package/dist/shared/baseline/manager.d.ts.map +1 -0
- package/dist/shared/baseline/manager.js +180 -0
- package/dist/shared/baseline/manager.js.map +1 -0
- package/dist/shared/baseline/types.d.ts +91 -0
- package/dist/shared/baseline/types.d.ts.map +1 -0
- package/dist/shared/baseline/types.js +12 -0
- package/dist/shared/baseline/types.js.map +1 -0
- package/dist/shared/category-filter.d.ts +125 -0
- package/dist/shared/category-filter.d.ts.map +1 -0
- package/dist/shared/category-filter.js +360 -0
- package/dist/shared/category-filter.js.map +1 -0
- package/dist/shared/code-analysis.d.ts +39 -0
- package/dist/shared/code-analysis.d.ts.map +1 -0
- package/dist/shared/code-analysis.js +159 -0
- package/dist/shared/code-analysis.js.map +1 -0
- package/dist/shared/comment-analyzer.d.ts +38 -0
- package/dist/shared/comment-analyzer.d.ts.map +1 -0
- package/dist/shared/comment-analyzer.js +218 -0
- package/dist/shared/comment-analyzer.js.map +1 -0
- package/dist/shared/diff-detector.d.ts +53 -0
- package/dist/shared/diff-detector.d.ts.map +1 -0
- package/dist/shared/diff-detector.js +104 -0
- package/dist/shared/diff-detector.js.map +1 -0
- package/dist/shared/diff-parser.d.ts +80 -0
- package/dist/shared/diff-parser.d.ts.map +1 -0
- package/dist/shared/diff-parser.js +202 -0
- package/dist/shared/diff-parser.js.map +1 -0
- package/dist/shared/environment-context.d.ts +76 -0
- package/dist/shared/environment-context.d.ts.map +1 -0
- package/dist/shared/environment-context.js +271 -0
- package/dist/shared/environment-context.js.map +1 -0
- package/dist/shared/intent-detector.d.ts +66 -0
- package/dist/shared/intent-detector.d.ts.map +1 -0
- package/dist/shared/intent-detector.js +282 -0
- package/dist/shared/intent-detector.js.map +1 -0
- package/dist/shared/parsed-file.d.ts +51 -0
- package/dist/shared/parsed-file.d.ts.map +1 -0
- package/dist/shared/parsed-file.js +95 -0
- package/dist/shared/parsed-file.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +93 -0
- package/dist/shared/registry-clients.d.ts.map +1 -0
- package/dist/shared/registry-clients.js +273 -0
- package/dist/shared/registry-clients.js.map +1 -0
- package/dist/shared/rules/framework-fixes.d.ts +48 -0
- package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
- package/dist/shared/rules/framework-fixes.js +439 -0
- package/dist/shared/rules/framework-fixes.js.map +1 -0
- package/dist/shared/rules/index.d.ts +8 -0
- package/dist/shared/rules/index.d.ts.map +1 -0
- package/dist/shared/rules/index.js +18 -0
- package/dist/shared/rules/index.js.map +1 -0
- package/dist/shared/rules/metadata.d.ts +43 -0
- package/dist/shared/rules/metadata.d.ts.map +1 -0
- package/dist/shared/rules/metadata.js +819 -0
- package/dist/shared/rules/metadata.js.map +1 -0
- package/dist/shared/schema-semantics.d.ts +45 -0
- package/dist/shared/schema-semantics.d.ts.map +1 -0
- package/dist/shared/schema-semantics.js +193 -0
- package/dist/shared/schema-semantics.js.map +1 -0
- package/dist/shared/types.d.ts +337 -0
- package/dist/shared/types.d.ts.map +1 -0
- package/dist/shared/types.js +126 -0
- package/dist/shared/types.js.map +1 -0
- package/dist/tiers.d.ts +2 -2
- package/dist/tiers.d.ts.map +1 -1
- package/dist/tiers.js +10 -0
- package/dist/tiers.js.map +1 -1
- package/dist/types.d.ts +1 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/validate/clients.d.ts +44 -0
- package/dist/validate/clients.d.ts.map +1 -0
- package/dist/validate/clients.js +81 -0
- package/dist/validate/clients.js.map +1 -0
- package/dist/validate/index.d.ts +41 -0
- package/dist/validate/index.d.ts.map +1 -0
- package/dist/validate/index.js +141 -0
- package/dist/validate/index.js.map +1 -0
- package/dist/validate/prompts/index.d.ts +8 -0
- package/dist/validate/prompts/index.d.ts.map +1 -0
- package/dist/validate/prompts/index.js +16 -0
- package/dist/validate/prompts/index.js.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.js +156 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
- package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/validate/prompts/modules/auth-access.js +25 -0
- package/dist/validate/prompts/modules/auth-access.js.map +1 -0
- package/dist/validate/prompts/modules/common.d.ts +11 -0
- package/dist/validate/prompts/modules/common.d.ts.map +1 -0
- package/dist/validate/prompts/modules/common.js +186 -0
- package/dist/validate/prompts/modules/common.js.map +1 -0
- package/dist/validate/prompts/modules/index.d.ts +54 -0
- package/dist/validate/prompts/modules/index.d.ts.map +1 -0
- package/dist/validate/prompts/modules/index.js +186 -0
- package/dist/validate/prompts/modules/index.js.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.js +84 -0
- package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
- package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.js +22 -0
- package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
- package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
- package/dist/validate/prompts/semantic-analysis.js +169 -0
- package/dist/validate/prompts/semantic-analysis.js.map +1 -0
- package/dist/validate/prompts/validation.d.ts +18 -0
- package/dist/validate/prompts/validation.d.ts.map +1 -0
- package/dist/validate/prompts/validation.js +25 -0
- package/dist/validate/prompts/validation.js.map +1 -0
- package/dist/validate/providers/anthropic.d.ts +17 -0
- package/dist/validate/providers/anthropic.d.ts.map +1 -0
- package/dist/validate/providers/anthropic.js +260 -0
- package/dist/validate/providers/anthropic.js.map +1 -0
- package/dist/validate/providers/index.d.ts +8 -0
- package/dist/validate/providers/index.d.ts.map +1 -0
- package/dist/validate/providers/index.js +13 -0
- package/dist/validate/providers/index.js.map +1 -0
- package/dist/validate/providers/openai.d.ts +14 -0
- package/dist/validate/providers/openai.d.ts.map +1 -0
- package/dist/validate/providers/openai.js +336 -0
- package/dist/validate/providers/openai.js.map +1 -0
- package/dist/validate/request-builder.d.ts +61 -0
- package/dist/validate/request-builder.d.ts.map +1 -0
- package/dist/validate/request-builder.js +346 -0
- package/dist/validate/request-builder.js.map +1 -0
- package/dist/validate/types.d.ts +88 -0
- package/dist/validate/types.d.ts.map +1 -0
- package/dist/validate/types.js +38 -0
- package/dist/validate/types.js.map +1 -0
- package/dist/validate/utils/context-extractor.d.ts +55 -0
- package/dist/validate/utils/context-extractor.d.ts.map +1 -0
- package/dist/validate/utils/context-extractor.js +161 -0
- package/dist/validate/utils/context-extractor.js.map +1 -0
- package/dist/validate/utils/index.d.ts +11 -0
- package/dist/validate/utils/index.d.ts.map +1 -0
- package/dist/validate/utils/index.js +27 -0
- package/dist/validate/utils/index.js.map +1 -0
- package/dist/validate/utils/path-helpers.d.ts +21 -0
- package/dist/validate/utils/path-helpers.d.ts.map +1 -0
- package/dist/validate/utils/path-helpers.js +69 -0
- package/dist/validate/utils/path-helpers.js.map +1 -0
- package/dist/validate/utils/response-parser.d.ts +40 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -0
- package/dist/validate/utils/response-parser.js +286 -0
- package/dist/validate/utils/response-parser.js.map +1 -0
- package/dist/validate/utils/retry.d.ts +15 -0
- package/dist/validate/utils/retry.d.ts.map +1 -0
- package/dist/validate/utils/retry.js +62 -0
- package/dist/validate/utils/retry.js.map +1 -0
- package/package.json +8 -7
- package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
- package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +15 -0
- package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
- package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
- package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
- package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +3 -3
- package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
- package/src/__tests__/benchmark/types.ts +1 -1
- package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
- package/src/__tests__/category-filter.test.ts +2 -2
- package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
- package/src/__tests__/context-engine/framework-models.test.ts +457 -0
- package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
- package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
- package/src/__tests__/context-engine/integration.test.ts +320 -0
- package/src/__tests__/context-engine/module-graph.test.ts +159 -0
- package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
- package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
- package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
- package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
- package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
- package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
- package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
- package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
- package/src/__tests__/regression/known-false-positives.test.ts +312 -4
- package/src/__tests__/score/adjustments.test.ts +385 -0
- package/src/__tests__/score/confidence.test.ts +283 -0
- package/src/__tests__/score/framework-scoring.test.ts +275 -0
- package/src/__tests__/score/route-scoring.test.ts +156 -0
- package/src/__tests__/score/scoring-integration.test.ts +165 -0
- package/src/__tests__/score/taint-adjustments.test.ts +244 -0
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +37 -49
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -3
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +2 -2
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
- package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
- package/src/__tests__/validate/route-annotations.test.ts +138 -0
- package/src/__tests__/validation/analyze-results.ts +1 -1
- package/src/__tests__/validation/extract-for-triage.ts +1 -1
- package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
- package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +23 -3
- package/src/{layer2 → detect/ai-code}/byok-patterns.ts +17 -5
- package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +8 -4
- package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +8 -4
- package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +20 -4
- package/src/detect/ai-code/index.ts +11 -0
- package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +7 -3
- package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +7 -3
- package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +18 -3
- package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +25 -3
- package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +7 -3
- package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +7 -3
- package/src/detect/config/agent-skill-injection.ts +551 -0
- package/src/{layer1 → detect/config}/comments.ts +6 -2
- package/src/{layer1 → detect/config}/file-flags.ts +9 -3
- package/src/detect/config/index.ts +6 -0
- package/src/{layer3 → detect/config}/osv-check.ts +3 -2
- package/src/{layer3 → detect/config}/package-check.ts +3 -2
- package/src/{layer1 → detect/config}/urls.ts +12 -5
- package/src/detect/index.ts +131 -0
- package/src/{layer1 → detect/secrets}/config-audit.ts +7 -2
- package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +8 -3
- package/src/{layer1 → detect/secrets}/entropy.ts +23 -11
- package/src/{layer1 → detect/secrets}/index.ts +31 -30
- package/src/{layer1 → detect/secrets}/patterns.ts +10 -3
- package/src/{layer1 → detect/secrets}/weak-crypto.ts +7 -2
- package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +23 -11
- package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +1 -1
- package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +47 -24
- package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +2 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +1 -1
- package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/utils/control-flow.ts +2 -2
- package/src/{layer2 → detect/structural}/data-exposure.ts +11 -3
- package/src/{layer2 → detect/structural}/framework-checks.ts +10 -11
- package/src/{layer2 → detect/structural}/index.ts +80 -77
- package/src/detect/structural/log-injection.ts +254 -0
- package/src/{layer2 → detect/structural}/logic-gates.ts +13 -5
- package/src/{layer2 → detect/structural}/risky-imports.ts +7 -3
- package/src/detect/structural/security-headers.ts +231 -0
- package/src/detect/structural/ssrf-detection.ts +300 -0
- package/src/{layer2 → detect/structural}/variables.ts +7 -3
- package/src/detect/structural/xxe-detection.ts +295 -0
- package/src/index.ts +39 -1291
- package/src/{utils → model}/auth-helper-detector.ts +1 -1
- package/src/model/cross-file-taint.ts +374 -0
- package/src/model/framework-models/django.ts +82 -0
- package/src/model/framework-models/express.ts +54 -0
- package/src/model/framework-models/index.ts +116 -0
- package/src/model/framework-models/nextjs.ts +69 -0
- package/src/model/framework-models/prisma.ts +57 -0
- package/src/model/framework-models/react.ts +63 -0
- package/src/model/framework-models/sequelize.ts +63 -0
- package/src/model/framework-models/types.ts +46 -0
- package/src/model/function-classifier.ts +184 -0
- package/src/model/import-resolver.ts +453 -0
- package/src/{utils → model}/imported-auth-detector.ts +21 -85
- package/src/model/index.ts +353 -0
- package/src/{utils → model}/middleware-detector.ts +156 -17
- package/src/model/module-graph.ts +254 -0
- package/src/{utils → model}/oauth-flow-detector.ts +1 -1
- package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
- package/src/model/route-auth-resolver.ts +216 -0
- package/src/model/route-discovery/express.ts +251 -0
- package/src/model/route-discovery/index.ts +83 -0
- package/src/model/route-discovery/nextjs.ts +216 -0
- package/src/model/route-discovery/python.ts +214 -0
- package/src/model/route-discovery/types.ts +48 -0
- package/src/model/route-discovery/utils.ts +54 -0
- package/src/model/sanitiser-detection.ts +268 -0
- package/src/model/sink-matcher.ts +178 -0
- package/src/model/sink-patterns.ts +109 -0
- package/src/model/source-discovery.ts +209 -0
- package/src/model/taint-tracker.ts +333 -0
- package/src/model/taint-types.ts +149 -0
- package/src/{utils → model}/trpc-analyzer.ts +1 -1
- package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +54 -0
- package/src/{utils → parse}/path-exclusions.ts +1 -1
- package/src/pipeline/config.ts +81 -0
- package/src/pipeline/index.ts +437 -0
- package/src/{modes → pipeline/modes}/incremental.ts +5 -5
- package/src/postprocess/aggregation.ts +74 -0
- package/src/postprocess/contradictions.ts +128 -0
- package/src/postprocess/dedup.ts +62 -0
- package/src/{filtering → postprocess/filtering}/__tests__/pipeline.test.ts +1 -1
- package/src/{filtering → postprocess/filtering}/context-adjustments.ts +2 -2
- package/src/{filtering → postprocess/filtering}/pipeline.ts +2 -2
- package/src/postprocess/index.ts +118 -0
- package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
- package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
- package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
- package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
- package/src/{suppression → postprocess/suppression}/types.ts +2 -2
- package/src/postprocess/validation-cap.ts +66 -0
- package/src/report/build-result.ts +94 -0
- package/src/report/enrichment.ts +52 -0
- package/src/{formatters → report/formatters}/ai-context.ts +1 -1
- package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
- package/src/{formatters → report/formatters}/github-comment.ts +1 -1
- package/src/{formatters → report/formatters}/grouping.ts +8 -8
- package/src/{formatters → report/formatters}/ide/claude-code.ts +1 -1
- package/src/{formatters → report/formatters}/ide/cursor.ts +1 -1
- package/src/{formatters → report/formatters}/ide/windsurf.ts +1 -1
- package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
- package/src/report/summary.ts +70 -0
- package/src/score/adjustments.ts +387 -0
- package/src/{layer3/anthropic → score}/auto-dismiss.ts +15 -14
- package/src/score/confidence.ts +66 -0
- package/src/score/index.ts +316 -0
- package/src/score/types.ts +187 -0
- package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
- package/src/{baseline → shared/baseline}/diff.ts +1 -1
- package/src/{baseline → shared/baseline}/manager.ts +1 -1
- package/src/{category-filter.ts → shared/category-filter.ts} +1 -1
- package/src/{utils → shared}/code-analysis.ts +1 -1
- package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
- package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
- package/src/{rules → shared/rules}/metadata.ts +94 -0
- package/src/{types.ts → shared/types.ts} +22 -5
- package/src/tiers.ts +18 -1
- package/src/validate/__tests__/context-extractor.test.ts +191 -0
- package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
- package/src/validate/__tests__/request-builder.test.ts +347 -0
- package/src/{layer3/anthropic → validate}/index.ts +8 -7
- package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
- package/src/validate/prompts/modules/ai-patterns.ts +153 -0
- package/src/validate/prompts/modules/auth-access.ts +22 -0
- package/src/validate/prompts/modules/common.ts +183 -0
- package/src/validate/prompts/modules/index.ts +204 -0
- package/src/validate/prompts/modules/owasp-classic.ts +81 -0
- package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
- package/src/validate/prompts/modules/xss-prompt.ts +19 -0
- package/src/validate/prompts/validation.ts +20 -0
- package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
- package/src/validate/providers/index.ts +8 -0
- package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
- package/src/validate/request-builder.ts +448 -0
- package/src/{layer3/anthropic → validate}/types.ts +1 -1
- package/src/validate/utils/context-extractor.ts +220 -0
- package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
- package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
- package/src/layer3/anthropic/prompts/validation.ts +0 -419
- package/src/layer3/anthropic/providers/index.ts +0 -8
- package/src/layer3/anthropic/request-builder.ts +0 -150
- package/src/layer3/index.ts +0 -168
- /package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +0 -0
- /package/src/{utils → model}/route-hierarchy.ts +0 -0
- /package/src/{filtering → postprocess/filtering}/index.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/index.ts +0 -0
- /package/src/{formatters → report/formatters}/__tests__/ai-context.test.ts +0 -0
- /package/src/{formatters → report/formatters}/ide/__tests__/ide.test.ts +0 -0
- /package/src/{formatters → report/formatters}/ide/index.ts +0 -0
- /package/src/{formatters → report/formatters}/index.ts +0 -0
- /package/src/{utils → shared}/__tests__/code-analysis.test.ts +0 -0
- /package/src/{utils → shared}/__tests__/parsed-file.test.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/__tests__/manager.test.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/index.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/manager.ts +0 -0
- /package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +0 -0
- /package/src/{baseline → shared/baseline}/index.ts +0 -0
- /package/src/{baseline → shared/baseline}/types.ts +0 -0
- /package/src/{utils → shared}/comment-analyzer.ts +0 -0
- /package/src/{utils → shared}/diff-detector.ts +0 -0
- /package/src/{utils → shared}/diff-parser.ts +0 -0
- /package/src/{utils → shared}/environment-context.ts +0 -0
- /package/src/{utils → shared}/intent-detector.ts +0 -0
- /package/src/{utils → shared}/parsed-file.ts +0 -0
- /package/src/{utils → shared}/registry-clients.ts +0 -0
- /package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
- /package/src/{rules → shared/rules}/index.ts +0 -0
- /package/src/{utils → shared}/schema-semantics.ts +0 -0
- /package/src/{layer3/anthropic → validate}/clients.ts +0 -0
- /package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0
|
@@ -54,6 +54,13 @@ export type VulnerabilityCategory =
|
|
|
54
54
|
| 'ai_unverified_model' // Model loaded without integrity verification
|
|
55
55
|
| 'ai_unsafe_finetuning' // Training on unvalidated data
|
|
56
56
|
| 'ai_excessive_agency' // Unbounded agent autonomy risks
|
|
57
|
+
// Agent skill file security
|
|
58
|
+
| 'ai_skill_injection' // Agent skill file with prompt injection, data exfil, or hidden execution
|
|
59
|
+
// OWASP Workstream 1: Classic vulnerability detectors
|
|
60
|
+
| 'missing_security_headers' // Missing HTTP security headers (CSP, HSTS, etc.)
|
|
61
|
+
| 'ssrf' // Server-Side Request Forgery
|
|
62
|
+
| 'log_injection' // Log injection / log forging
|
|
63
|
+
| 'xxe' // XML External Entity injection
|
|
57
64
|
|
|
58
65
|
export type ValidationStatus = 'confirmed' | 'downgraded' | 'dismissed' | 'not_validated'
|
|
59
66
|
|
|
@@ -68,7 +75,10 @@ export interface Vulnerability {
|
|
|
68
75
|
description: string
|
|
69
76
|
suggestedFix?: string
|
|
70
77
|
confidence: 'high' | 'medium' | 'low'
|
|
71
|
-
|
|
78
|
+
/** @deprecated Use `source` instead. Kept for backward compatibility. */
|
|
79
|
+
layer: 1 | 2 | 3
|
|
80
|
+
/** Which detector group produced this finding */
|
|
81
|
+
source?: 'secrets' | 'structural' | 'ai_code' | 'config' | 'validation'
|
|
72
82
|
requiresAIValidation?: boolean // If true, must pass through AI validation before surfacing
|
|
73
83
|
|
|
74
84
|
// AI validation metadata
|
|
@@ -83,6 +93,9 @@ export interface Vulnerability {
|
|
|
83
93
|
fixSteps?: string[] // Step-by-step fix instructions
|
|
84
94
|
references?: string[] // OWASP/CWE documentation links
|
|
85
95
|
aiEnhanced?: boolean // True if AI provided custom impact/fix beyond registry defaults
|
|
96
|
+
|
|
97
|
+
/** Base confidence score (0.0-1.0) set by the detector. Used by scoring stage. */
|
|
98
|
+
baseConfidence?: number
|
|
86
99
|
}
|
|
87
100
|
|
|
88
101
|
/**
|
|
@@ -258,17 +271,19 @@ export interface ScanResult {
|
|
|
258
271
|
}
|
|
259
272
|
|
|
260
273
|
/** Filter audit trail (when includeFilterAudit option is enabled) */
|
|
261
|
-
filterAuditTrail?: import('
|
|
274
|
+
filterAuditTrail?: import('../postprocess/filtering/pipeline').AnnotatedFinding[]
|
|
262
275
|
}
|
|
263
276
|
|
|
264
277
|
export interface ScanProgress {
|
|
265
|
-
status: 'fetching' | '
|
|
266
|
-
|
|
278
|
+
status: 'fetching' | 'layer1' | 'layer2' | 'layer3' | 'validating' | 'complete' | 'failed'
|
|
279
|
+
message: string
|
|
267
280
|
filesProcessed: number
|
|
268
281
|
totalFiles: number
|
|
269
282
|
vulnerabilitiesFound: number
|
|
270
283
|
}
|
|
271
284
|
|
|
285
|
+
export type ProgressCallback = (progress: ScanProgress) => void
|
|
286
|
+
|
|
272
287
|
// Pattern definitions for Layer 1
|
|
273
288
|
export interface SecretPattern {
|
|
274
289
|
name: string
|
|
@@ -377,7 +392,7 @@ export interface MiddlewareAuthContextSummary {
|
|
|
377
392
|
/** Whether auth middleware was detected */
|
|
378
393
|
hasAuthMiddleware: boolean
|
|
379
394
|
/** The type of auth detected */
|
|
380
|
-
authType: 'clerk' | 'nextauth' | 'auth0' | 'custom' | 'unknown' | null
|
|
395
|
+
authType: 'clerk' | 'nextauth' | 'auth0' | 'supabase' | 'custom' | 'unknown' | null
|
|
381
396
|
/** Protected path patterns */
|
|
382
397
|
protectedPaths: string[]
|
|
383
398
|
/** Public/excluded path patterns */
|
|
@@ -432,6 +447,7 @@ export const SCANNABLE_EXTENSIONS = [
|
|
|
432
447
|
'.py', '.rb', '.php', '.go', '.java', '.cs',
|
|
433
448
|
'.env', '.yaml', '.yml', '.json', '.toml',
|
|
434
449
|
'.dockerfile', '.sh', '.bash',
|
|
450
|
+
'.md', // Agent skill files (SKILL.md, copilot-instructions.md, etc.)
|
|
435
451
|
]
|
|
436
452
|
|
|
437
453
|
// Files to always scan regardless of extension
|
|
@@ -447,6 +463,7 @@ export const SPECIAL_FILES = [
|
|
|
447
463
|
'requirements.txt',
|
|
448
464
|
'Gemfile',
|
|
449
465
|
'go.mod',
|
|
466
|
+
'.cursorrules',
|
|
450
467
|
]
|
|
451
468
|
|
|
452
469
|
// Max file size to scan (50KB as per PRD)
|
package/src/tiers.ts
CHANGED
|
@@ -11,7 +11,7 @@
|
|
|
11
11
|
* - Avoids "accidental promotion" of an experimental heuristic to production output
|
|
12
12
|
*/
|
|
13
13
|
|
|
14
|
-
import type { VulnerabilityCategory } from './types'
|
|
14
|
+
import type { VulnerabilityCategory } from './shared/types'
|
|
15
15
|
|
|
16
16
|
/**
|
|
17
17
|
* Detector tiers control visibility and trust level:
|
|
@@ -117,6 +117,11 @@ export type Layer2DetectorName =
|
|
|
117
117
|
| 'ai_mcp_security' // ai-mcp-security.ts - MCP tool security
|
|
118
118
|
// AI Detection Roadmap Phase 2
|
|
119
119
|
| 'model_supply_chain' // model-supply-chain.ts - Model loading/finetuning risks
|
|
120
|
+
// OWASP Workstream 1
|
|
121
|
+
| 'security_headers' // security-headers.ts - Missing HTTP security headers
|
|
122
|
+
| 'ssrf_detection' // ssrf-detection.ts - Server-Side Request Forgery
|
|
123
|
+
| 'log_injection' // log-injection.ts - Log injection / forging
|
|
124
|
+
| 'xxe_detection' // xxe-detection.ts - XML External Entity injection
|
|
120
125
|
|
|
121
126
|
/**
|
|
122
127
|
* Layer 2 tier assignments
|
|
@@ -168,6 +173,12 @@ export const LAYER2_DETECTOR_TIERS: Record<Layer2DetectorName, DetectorTier> = {
|
|
|
168
173
|
ai_mcp_security: 'core', // Tier A - MCP tool security is critical for AI agents
|
|
169
174
|
// AI Detection Roadmap Phase 2
|
|
170
175
|
model_supply_chain: 'core', // Tier A - Model supply chain risks are critical (RCE)
|
|
176
|
+
|
|
177
|
+
// OWASP Workstream 1
|
|
178
|
+
security_headers: 'ai_assisted', // Tier B - Context-dependent (CDN/proxy may add headers)
|
|
179
|
+
ssrf_detection: 'core', // Tier A - SSRF is high-impact with clear signals
|
|
180
|
+
log_injection: 'ai_assisted', // Tier B - Context-dependent (structured logging may be fine)
|
|
181
|
+
xxe_detection: 'core', // Tier A - XXE is high-impact with clear signals
|
|
171
182
|
}
|
|
172
183
|
|
|
173
184
|
/**
|
|
@@ -240,6 +251,12 @@ export const LAYER2_CATEGORY_TO_DETECTOR: Partial<Record<VulnerabilityCategory,
|
|
|
240
251
|
ai_unverified_model: 'model_supply_chain',
|
|
241
252
|
ai_unsafe_finetuning: 'model_supply_chain',
|
|
242
253
|
ai_excessive_agency: 'ai_agent_tools', // Extended in ai-agent-tools.ts
|
|
254
|
+
|
|
255
|
+
// OWASP Workstream 1 categories
|
|
256
|
+
missing_security_headers: 'security_headers',
|
|
257
|
+
ssrf: 'ssrf_detection',
|
|
258
|
+
log_injection: 'log_injection',
|
|
259
|
+
xxe: 'xxe_detection',
|
|
243
260
|
}
|
|
244
261
|
|
|
245
262
|
// ============================================================================
|
|
@@ -0,0 +1,191 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Tests for the context extractor utility.
|
|
3
|
+
*
|
|
4
|
+
* Verifies:
|
|
5
|
+
* - Small files get full content
|
|
6
|
+
* - Large files get scoped content with omission markers
|
|
7
|
+
* - Adjacent findings merge ranges
|
|
8
|
+
* - High coverage falls back to full file
|
|
9
|
+
* - Edge cases (line 1, last line, empty)
|
|
10
|
+
* - mergeRanges helper
|
|
11
|
+
*/
|
|
12
|
+
|
|
13
|
+
import { extractRelevantContext, mergeRanges } from '../utils/context-extractor'
|
|
14
|
+
|
|
15
|
+
// ============================================================================
|
|
16
|
+
// Helpers
|
|
17
|
+
// ============================================================================
|
|
18
|
+
|
|
19
|
+
function generateFile(lineCount: number): string {
|
|
20
|
+
return Array.from({ length: lineCount }, (_, i) => `line ${i + 1} content`).join('\n')
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
// ============================================================================
|
|
24
|
+
// mergeRanges
|
|
25
|
+
// ============================================================================
|
|
26
|
+
|
|
27
|
+
describe('mergeRanges', () => {
|
|
28
|
+
test('empty input returns empty', () => {
|
|
29
|
+
expect(mergeRanges([])).toEqual([])
|
|
30
|
+
})
|
|
31
|
+
|
|
32
|
+
test('single range returns unchanged', () => {
|
|
33
|
+
expect(mergeRanges([{ start: 5, end: 10 }])).toEqual([{ start: 5, end: 10 }])
|
|
34
|
+
})
|
|
35
|
+
|
|
36
|
+
test('overlapping ranges merge', () => {
|
|
37
|
+
const result = mergeRanges([
|
|
38
|
+
{ start: 1, end: 10 },
|
|
39
|
+
{ start: 5, end: 15 },
|
|
40
|
+
])
|
|
41
|
+
expect(result).toEqual([{ start: 1, end: 15 }])
|
|
42
|
+
})
|
|
43
|
+
|
|
44
|
+
test('adjacent ranges merge', () => {
|
|
45
|
+
const result = mergeRanges([
|
|
46
|
+
{ start: 1, end: 10 },
|
|
47
|
+
{ start: 11, end: 20 },
|
|
48
|
+
])
|
|
49
|
+
expect(result).toEqual([{ start: 1, end: 20 }])
|
|
50
|
+
})
|
|
51
|
+
|
|
52
|
+
test('disjoint ranges remain separate', () => {
|
|
53
|
+
const result = mergeRanges([
|
|
54
|
+
{ start: 1, end: 10 },
|
|
55
|
+
{ start: 20, end: 30 },
|
|
56
|
+
])
|
|
57
|
+
expect(result).toEqual([
|
|
58
|
+
{ start: 1, end: 10 },
|
|
59
|
+
{ start: 20, end: 30 },
|
|
60
|
+
])
|
|
61
|
+
})
|
|
62
|
+
|
|
63
|
+
test('unsorted input gets sorted and merged', () => {
|
|
64
|
+
const result = mergeRanges([
|
|
65
|
+
{ start: 20, end: 30 },
|
|
66
|
+
{ start: 1, end: 10 },
|
|
67
|
+
{ start: 5, end: 25 },
|
|
68
|
+
])
|
|
69
|
+
expect(result).toEqual([{ start: 1, end: 30 }])
|
|
70
|
+
})
|
|
71
|
+
|
|
72
|
+
test('multiple separate ranges', () => {
|
|
73
|
+
const result = mergeRanges([
|
|
74
|
+
{ start: 1, end: 5 },
|
|
75
|
+
{ start: 10, end: 15 },
|
|
76
|
+
{ start: 20, end: 25 },
|
|
77
|
+
])
|
|
78
|
+
expect(result).toEqual([
|
|
79
|
+
{ start: 1, end: 5 },
|
|
80
|
+
{ start: 10, end: 15 },
|
|
81
|
+
{ start: 20, end: 25 },
|
|
82
|
+
])
|
|
83
|
+
})
|
|
84
|
+
})
|
|
85
|
+
|
|
86
|
+
// ============================================================================
|
|
87
|
+
// extractRelevantContext
|
|
88
|
+
// ============================================================================
|
|
89
|
+
|
|
90
|
+
describe('extractRelevantContext', () => {
|
|
91
|
+
test('small file (50 lines) returns full content', () => {
|
|
92
|
+
const content = generateFile(50)
|
|
93
|
+
const result = extractRelevantContext(content, [25])
|
|
94
|
+
expect(result.isFullFile).toBe(true)
|
|
95
|
+
expect(result.linesSent).toBe(50)
|
|
96
|
+
expect(result.totalLines).toBe(50)
|
|
97
|
+
expect(result.content).toContain('line 1 content')
|
|
98
|
+
expect(result.content).toContain('line 50 content')
|
|
99
|
+
expect(result.content).not.toContain('lines omitted')
|
|
100
|
+
})
|
|
101
|
+
|
|
102
|
+
test('large file with single finding returns scoped content', () => {
|
|
103
|
+
const content = generateFile(300)
|
|
104
|
+
const result = extractRelevantContext(content, [150])
|
|
105
|
+
expect(result.isFullFile).toBe(false)
|
|
106
|
+
expect(result.totalLines).toBe(300)
|
|
107
|
+
expect(result.linesSent).toBeLessThan(300)
|
|
108
|
+
// Should contain the finding line
|
|
109
|
+
expect(result.content).toContain('line 150 content')
|
|
110
|
+
// Should contain imports (first 15 lines)
|
|
111
|
+
expect(result.content).toContain('line 1 content')
|
|
112
|
+
expect(result.content).toContain('line 15 content')
|
|
113
|
+
// Should have omission markers
|
|
114
|
+
expect(result.content).toContain('lines omitted')
|
|
115
|
+
})
|
|
116
|
+
|
|
117
|
+
test('adjacent findings merge ranges (no omission between them)', () => {
|
|
118
|
+
const content = generateFile(300)
|
|
119
|
+
const result = extractRelevantContext(content, [100, 110])
|
|
120
|
+
// Lines 100 and 110 are within padding distance, so should merge
|
|
121
|
+
expect(result.content).toContain('line 100 content')
|
|
122
|
+
expect(result.content).toContain('line 110 content')
|
|
123
|
+
// The region between 100 and 110 should NOT have omission
|
|
124
|
+
const lines = result.content.split('\n')
|
|
125
|
+
const between = lines.filter(l =>
|
|
126
|
+
l.includes('lines omitted') &&
|
|
127
|
+
l.includes('100') &&
|
|
128
|
+
l.includes('110')
|
|
129
|
+
)
|
|
130
|
+
expect(between).toHaveLength(0)
|
|
131
|
+
})
|
|
132
|
+
|
|
133
|
+
test('high coverage falls back to full file', () => {
|
|
134
|
+
const content = generateFile(200)
|
|
135
|
+
// 3 findings spread across the file covering >60%
|
|
136
|
+
const result = extractRelevantContext(content, [30, 100, 170])
|
|
137
|
+
expect(result.isFullFile).toBe(true)
|
|
138
|
+
expect(result.linesSent).toBe(200)
|
|
139
|
+
})
|
|
140
|
+
|
|
141
|
+
test('finding at line 1', () => {
|
|
142
|
+
const content = generateFile(300)
|
|
143
|
+
const result = extractRelevantContext(content, [1])
|
|
144
|
+
expect(result.content).toContain('line 1 content')
|
|
145
|
+
// Should not have negative line references
|
|
146
|
+
expect(result.content).not.toContain('line 0')
|
|
147
|
+
expect(result.content).not.toContain('line -')
|
|
148
|
+
})
|
|
149
|
+
|
|
150
|
+
test('finding at last line', () => {
|
|
151
|
+
const content = generateFile(300)
|
|
152
|
+
const result = extractRelevantContext(content, [300])
|
|
153
|
+
expect(result.content).toContain('line 300 content')
|
|
154
|
+
})
|
|
155
|
+
|
|
156
|
+
test('empty file returns full content', () => {
|
|
157
|
+
const result = extractRelevantContext('', [1])
|
|
158
|
+
expect(result.isFullFile).toBe(true)
|
|
159
|
+
expect(result.totalLines).toBe(1) // empty string splits to ['']
|
|
160
|
+
})
|
|
161
|
+
|
|
162
|
+
test('empty findings returns full content', () => {
|
|
163
|
+
const content = generateFile(300)
|
|
164
|
+
const result = extractRelevantContext(content, [])
|
|
165
|
+
expect(result.isFullFile).toBe(true)
|
|
166
|
+
})
|
|
167
|
+
|
|
168
|
+
test('custom config: smaller padding', () => {
|
|
169
|
+
const content = generateFile(300)
|
|
170
|
+
const result = extractRelevantContext(content, [150], { padding: 5 })
|
|
171
|
+
expect(result.isFullFile).toBe(false)
|
|
172
|
+
// Should have much fewer lines with small padding
|
|
173
|
+
expect(result.linesSent).toBeLessThan(50)
|
|
174
|
+
expect(result.content).toContain('line 150 content')
|
|
175
|
+
})
|
|
176
|
+
|
|
177
|
+
test('content includes line numbers in correct format', () => {
|
|
178
|
+
const content = generateFile(300)
|
|
179
|
+
const result = extractRelevantContext(content, [150])
|
|
180
|
+
// Should have " 1 | line 1 content" format
|
|
181
|
+
expect(result.content).toMatch(/^\s+1 \| line 1 content/m)
|
|
182
|
+
expect(result.content).toMatch(/\s+150 \| line 150 content/m)
|
|
183
|
+
})
|
|
184
|
+
|
|
185
|
+
test('omission markers show correct line ranges', () => {
|
|
186
|
+
const content = generateFile(300)
|
|
187
|
+
const result = extractRelevantContext(content, [150], { padding: 10, importLines: 5 })
|
|
188
|
+
// Should have omission markers with line ranges
|
|
189
|
+
expect(result.content).toMatch(/\[\.\.\..*lines omitted.*\]/)
|
|
190
|
+
})
|
|
191
|
+
})
|
|
@@ -0,0 +1,233 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Tests for the modular prompt assembly system.
|
|
3
|
+
*
|
|
4
|
+
* Verifies:
|
|
5
|
+
* - Category-to-module mapping correctness
|
|
6
|
+
* - Prompt assembly includes only relevant modules
|
|
7
|
+
* - Deterministic ordering for cache hits
|
|
8
|
+
* - Legacy compatibility
|
|
9
|
+
* - Category completeness (no unmapped categories slip through)
|
|
10
|
+
*/
|
|
11
|
+
|
|
12
|
+
import type { VulnerabilityCategory } from '../../shared/types'
|
|
13
|
+
import {
|
|
14
|
+
assembleValidationPrompt,
|
|
15
|
+
getFullValidationPrompt,
|
|
16
|
+
CATEGORY_TO_MODULE,
|
|
17
|
+
INTENTIONALLY_UNMAPPED,
|
|
18
|
+
COMMON_PROMPT,
|
|
19
|
+
AUTH_ACCESS_MODULE,
|
|
20
|
+
XSS_PROMPT_MODULE,
|
|
21
|
+
SECRETS_CRYPTO_MODULE,
|
|
22
|
+
AI_PATTERNS_MODULE,
|
|
23
|
+
OWASP_CLASSIC_MODULE,
|
|
24
|
+
} from '../prompts/modules'
|
|
25
|
+
import { HIGH_CONTEXT_VALIDATION_PROMPT } from '../prompts/validation'
|
|
26
|
+
|
|
27
|
+
// ============================================================================
|
|
28
|
+
// Key phrases for each module (used to verify inclusion/exclusion)
|
|
29
|
+
// ============================================================================
|
|
30
|
+
|
|
31
|
+
const COMMON_KEY_PHRASE = 'Validate security findings'
|
|
32
|
+
const COMMON_RESPONSE_FORMAT = 'Response Format'
|
|
33
|
+
const AUTH_KEY_PHRASE = 'CRITICAL CONTRADICTION HANDLING'
|
|
34
|
+
const XSS_KEY_PHRASE = 'XSS vs Prompt Injection'
|
|
35
|
+
const SECRETS_KEY_PHRASE = 'Math.random() for Security'
|
|
36
|
+
const AI_KEY_PHRASE = 'RAG Data Exfiltration'
|
|
37
|
+
const OWASP_KEY_PHRASE = 'Server-Side Request Forgery'
|
|
38
|
+
|
|
39
|
+
describe('assembleValidationPrompt', () => {
|
|
40
|
+
test('empty categories returns COMMON only', () => {
|
|
41
|
+
const result = assembleValidationPrompt([])
|
|
42
|
+
expect(result).toContain(COMMON_KEY_PHRASE)
|
|
43
|
+
expect(result).toContain(COMMON_RESPONSE_FORMAT)
|
|
44
|
+
// Should NOT contain module-specific content
|
|
45
|
+
expect(result).not.toContain(AUTH_KEY_PHRASE)
|
|
46
|
+
expect(result).not.toContain(XSS_KEY_PHRASE)
|
|
47
|
+
expect(result).not.toContain(SECRETS_KEY_PHRASE)
|
|
48
|
+
expect(result).not.toContain(AI_KEY_PHRASE)
|
|
49
|
+
expect(result).not.toContain(OWASP_KEY_PHRASE)
|
|
50
|
+
})
|
|
51
|
+
|
|
52
|
+
test('single module: missing_auth includes auth_access only', () => {
|
|
53
|
+
const result = assembleValidationPrompt(['missing_auth'])
|
|
54
|
+
expect(result).toContain(COMMON_KEY_PHRASE)
|
|
55
|
+
expect(result).toContain(AUTH_KEY_PHRASE)
|
|
56
|
+
// Should NOT contain other modules
|
|
57
|
+
expect(result).not.toContain(SECRETS_KEY_PHRASE)
|
|
58
|
+
expect(result).not.toContain(AI_KEY_PHRASE)
|
|
59
|
+
expect(result).not.toContain(OWASP_KEY_PHRASE)
|
|
60
|
+
})
|
|
61
|
+
|
|
62
|
+
test('multiple modules: auth + secrets + owasp', () => {
|
|
63
|
+
const result = assembleValidationPrompt([
|
|
64
|
+
'missing_auth',
|
|
65
|
+
'hardcoded_secret',
|
|
66
|
+
'ssrf',
|
|
67
|
+
])
|
|
68
|
+
expect(result).toContain(COMMON_KEY_PHRASE)
|
|
69
|
+
expect(result).toContain(AUTH_KEY_PHRASE)
|
|
70
|
+
expect(result).toContain(SECRETS_KEY_PHRASE)
|
|
71
|
+
expect(result).toContain(OWASP_KEY_PHRASE)
|
|
72
|
+
// Should NOT contain unrelated modules
|
|
73
|
+
expect(result).not.toContain(AI_KEY_PHRASE)
|
|
74
|
+
})
|
|
75
|
+
|
|
76
|
+
test('unknown/unmapped categories get COMMON only, no crash', () => {
|
|
77
|
+
const result = assembleValidationPrompt(['dangerous_function'])
|
|
78
|
+
expect(result).toContain(COMMON_KEY_PHRASE)
|
|
79
|
+
expect(result).toContain(COMMON_RESPONSE_FORMAT)
|
|
80
|
+
// No module-specific content
|
|
81
|
+
expect(result).not.toContain(AUTH_KEY_PHRASE)
|
|
82
|
+
expect(result).not.toContain(XSS_KEY_PHRASE)
|
|
83
|
+
expect(result).not.toContain(SECRETS_KEY_PHRASE)
|
|
84
|
+
expect(result).not.toContain(AI_KEY_PHRASE)
|
|
85
|
+
expect(result).not.toContain(OWASP_KEY_PHRASE)
|
|
86
|
+
})
|
|
87
|
+
|
|
88
|
+
test('deterministic ordering: different input order produces same output', () => {
|
|
89
|
+
const result1 = assembleValidationPrompt(['ssrf', 'missing_auth', 'hardcoded_secret'])
|
|
90
|
+
const result2 = assembleValidationPrompt(['missing_auth', 'hardcoded_secret', 'ssrf'])
|
|
91
|
+
const result3 = assembleValidationPrompt(['hardcoded_secret', 'ssrf', 'missing_auth'])
|
|
92
|
+
expect(result1).toBe(result2)
|
|
93
|
+
expect(result2).toBe(result3)
|
|
94
|
+
})
|
|
95
|
+
|
|
96
|
+
test('ai_prompt_injection triggers both xss_prompt AND ai_patterns modules', () => {
|
|
97
|
+
const result = assembleValidationPrompt(['ai_prompt_injection'])
|
|
98
|
+
expect(result).toContain(XSS_KEY_PHRASE)
|
|
99
|
+
expect(result).toContain(AI_KEY_PHRASE)
|
|
100
|
+
})
|
|
101
|
+
|
|
102
|
+
test('duplicate categories do not cause duplicate modules', () => {
|
|
103
|
+
const result1 = assembleValidationPrompt(['missing_auth'])
|
|
104
|
+
const result2 = assembleValidationPrompt(['missing_auth', 'missing_auth', 'missing_auth'])
|
|
105
|
+
expect(result1).toBe(result2)
|
|
106
|
+
})
|
|
107
|
+
})
|
|
108
|
+
|
|
109
|
+
describe('getFullValidationPrompt', () => {
|
|
110
|
+
test('contains key phrases from EVERY module', () => {
|
|
111
|
+
const full = getFullValidationPrompt()
|
|
112
|
+
expect(full).toContain(COMMON_KEY_PHRASE)
|
|
113
|
+
expect(full).toContain(COMMON_RESPONSE_FORMAT)
|
|
114
|
+
expect(full).toContain(AUTH_KEY_PHRASE)
|
|
115
|
+
expect(full).toContain(XSS_KEY_PHRASE)
|
|
116
|
+
expect(full).toContain(SECRETS_KEY_PHRASE)
|
|
117
|
+
expect(full).toContain(AI_KEY_PHRASE)
|
|
118
|
+
expect(full).toContain(OWASP_KEY_PHRASE)
|
|
119
|
+
})
|
|
120
|
+
})
|
|
121
|
+
|
|
122
|
+
describe('legacy compatibility', () => {
|
|
123
|
+
test('HIGH_CONTEXT_VALIDATION_PROMPT equals getFullValidationPrompt()', () => {
|
|
124
|
+
expect(HIGH_CONTEXT_VALIDATION_PROMPT).toBe(getFullValidationPrompt())
|
|
125
|
+
})
|
|
126
|
+
})
|
|
127
|
+
|
|
128
|
+
describe('category completeness guard', () => {
|
|
129
|
+
/**
|
|
130
|
+
* Every VulnerabilityCategory must be either:
|
|
131
|
+
* 1. Mapped to a module in CATEGORY_TO_MODULE, or
|
|
132
|
+
* 2. Listed in INTENTIONALLY_UNMAPPED
|
|
133
|
+
*
|
|
134
|
+
* If a new category is added to types.ts without updating the mapping,
|
|
135
|
+
* this test will fail.
|
|
136
|
+
*/
|
|
137
|
+
test('every VulnerabilityCategory is accounted for', () => {
|
|
138
|
+
// Get all categories from the type system at runtime
|
|
139
|
+
// We can't enumerate a TS union at runtime, so we maintain this list manually.
|
|
140
|
+
// This list MUST match the VulnerabilityCategory union in types.ts exactly.
|
|
141
|
+
const ALL_CATEGORIES: VulnerabilityCategory[] = [
|
|
142
|
+
'hardcoded_secret',
|
|
143
|
+
'high_entropy_string',
|
|
144
|
+
'sensitive_variable',
|
|
145
|
+
'security_bypass',
|
|
146
|
+
'dangerous_function',
|
|
147
|
+
'sql_injection',
|
|
148
|
+
'xss',
|
|
149
|
+
'command_injection',
|
|
150
|
+
'insecure_config',
|
|
151
|
+
'missing_auth',
|
|
152
|
+
'suspicious_package',
|
|
153
|
+
'cors_misconfiguration',
|
|
154
|
+
'root_container',
|
|
155
|
+
'dangerous_file',
|
|
156
|
+
'ai_pattern',
|
|
157
|
+
'sensitive_url',
|
|
158
|
+
'weak_crypto',
|
|
159
|
+
'data_exposure',
|
|
160
|
+
'ai_prompt_injection',
|
|
161
|
+
'ai_unsafe_execution',
|
|
162
|
+
'ai_overpermissive_tool',
|
|
163
|
+
'ai_rag_exfiltration',
|
|
164
|
+
'ai_endpoint_unprotected',
|
|
165
|
+
'ai_schema_mismatch',
|
|
166
|
+
'ai_package_hallucination',
|
|
167
|
+
'ai_rag_corpus_poisoning',
|
|
168
|
+
'ai_rag_pii_leakage',
|
|
169
|
+
'ai_mcp_tool_poisoning',
|
|
170
|
+
'ai_mcp_credential_issue',
|
|
171
|
+
'ai_mcp_confused_deputy',
|
|
172
|
+
'ai_mcp_description_injection',
|
|
173
|
+
'ai_mcp_server_shadowing',
|
|
174
|
+
'ai_mcp_config_secrets',
|
|
175
|
+
'ai_mcp_config_permissions',
|
|
176
|
+
'ai_rag_query_injection',
|
|
177
|
+
'ai_rag_embedding_poisoning',
|
|
178
|
+
'ai_rag_chunk_injection',
|
|
179
|
+
'ai_package_typosquat',
|
|
180
|
+
'ai_package_malicious',
|
|
181
|
+
'ai_unsafe_model_load',
|
|
182
|
+
'ai_unverified_model',
|
|
183
|
+
'ai_unsafe_finetuning',
|
|
184
|
+
'ai_excessive_agency',
|
|
185
|
+
'ai_skill_injection',
|
|
186
|
+
'missing_security_headers',
|
|
187
|
+
'ssrf',
|
|
188
|
+
'log_injection',
|
|
189
|
+
'xxe',
|
|
190
|
+
]
|
|
191
|
+
|
|
192
|
+
for (const cat of ALL_CATEGORIES) {
|
|
193
|
+
const isMapped = CATEGORY_TO_MODULE.has(cat)
|
|
194
|
+
const isUnmapped = INTENTIONALLY_UNMAPPED.has(cat)
|
|
195
|
+
expect({
|
|
196
|
+
category: cat,
|
|
197
|
+
mapped: isMapped,
|
|
198
|
+
intentionallyUnmapped: isUnmapped,
|
|
199
|
+
accountedFor: isMapped || isUnmapped,
|
|
200
|
+
}).toEqual(expect.objectContaining({ accountedFor: true }))
|
|
201
|
+
}
|
|
202
|
+
})
|
|
203
|
+
|
|
204
|
+
test('no category is both mapped AND intentionally unmapped', () => {
|
|
205
|
+
for (const cat of INTENTIONALLY_UNMAPPED) {
|
|
206
|
+
expect(CATEGORY_TO_MODULE.has(cat)).toBe(false)
|
|
207
|
+
}
|
|
208
|
+
})
|
|
209
|
+
})
|
|
210
|
+
|
|
211
|
+
describe('module content integrity', () => {
|
|
212
|
+
test('COMMON_PROMPT contains taint analysis guidance', () => {
|
|
213
|
+
expect(COMMON_PROMPT).toContain('Taint Analysis Context')
|
|
214
|
+
expect(COMMON_PROMPT).toContain('User input reaches this sink')
|
|
215
|
+
expect(COMMON_PROMPT).toContain('No user-input data flow reaches this line')
|
|
216
|
+
expect(COMMON_PROMPT).toContain('Sanitised: Yes')
|
|
217
|
+
expect(COMMON_PROMPT).toContain('Confidence levels')
|
|
218
|
+
})
|
|
219
|
+
|
|
220
|
+
test('COMMON_PROMPT contains condensed heuristic reminders', () => {
|
|
221
|
+
expect(COMMON_PROMPT).toContain('JSON.parse')
|
|
222
|
+
expect(COMMON_PROMPT).toContain('error.message')
|
|
223
|
+
expect(COMMON_PROMPT).toContain('innerHTML')
|
|
224
|
+
})
|
|
225
|
+
|
|
226
|
+
test('each module is non-empty', () => {
|
|
227
|
+
expect(AUTH_ACCESS_MODULE.length).toBeGreaterThan(50)
|
|
228
|
+
expect(XSS_PROMPT_MODULE.length).toBeGreaterThan(50)
|
|
229
|
+
expect(SECRETS_CRYPTO_MODULE.length).toBeGreaterThan(50)
|
|
230
|
+
expect(AI_PATTERNS_MODULE.length).toBeGreaterThan(50)
|
|
231
|
+
expect(OWASP_CLASSIC_MODULE.length).toBeGreaterThan(50)
|
|
232
|
+
})
|
|
233
|
+
})
|