@oculum/scanner 1.0.12 → 1.0.13

package/src/validate/utils/context-extractor.ts

@@ -0,0 +1,220 @@
+/**
+ * Context Extractor
+ *
+ * Extracts only relevant regions of file content around findings,
+ * reducing token usage by ~40-60% for large files while preserving
+ * imports and sufficient context for AI validation.
+ */
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface LineRange {
+  /** 1-based inclusive start line */
+  start: number
+  /** 1-based inclusive end line */
+  end: number
+}
+
+export interface ExtractedContext {
+  /** Formatted content with line numbers and omission markers */
+  content: string
+  /** Whether the full file was sent (no omissions) */
+  isFullFile: boolean
+  /** Number of lines included in the output */
+  linesSent: number
+  /** Total lines in the original file */
+  totalLines: number
+}
+
+export interface ExtractionConfig {
+  /** Lines of context around each finding (default: 30) */
+  padding: number
+  /** Always include first N lines for imports (default: 15) */
+  importLines: number
+  /** Send full file if merged ranges cover >60% of lines (default: 0.6) */
+  fullFileThreshold: number
+  /** Files with this many lines or fewer always get full content (default: 100) */
+  smallFileThreshold: number
+}
+
+const DEFAULT_CONFIG: ExtractionConfig = {
+  padding: 30,
+  importLines: 15,
+  fullFileThreshold: 0.6,
+  smallFileThreshold: 100,
+}
+
+// ============================================================================
+// Main Function
+// ============================================================================
+
+/**
+ * Extract relevant context regions from file content around finding locations.
+ *
+ * Algorithm:
+ * 1. Small files (<=smallFileThreshold lines) -> send full content
+ * 2. Build ranges: imports (1-importLines) + padding around each finding
+ * 3. Merge overlapping/adjacent ranges
+ * 4. If merged coverage > fullFileThreshold of file -> send full content
+ * 5. Format with omission markers between gaps
+ *
+ * @param fileContent - The full file content as a string
+ * @param findingLineNumbers - 1-based line numbers of findings
+ * @param config - Optional extraction configuration overrides
+ * @returns Extracted context with metadata
+ */
+export function extractRelevantContext(
+  fileContent: string,
+  findingLineNumbers: number[],
+  config?: Partial<ExtractionConfig>
+): ExtractedContext {
+  const cfg = { ...DEFAULT_CONFIG, ...config }
+  const lines = fileContent.split('\n')
+  const totalLines = lines.length
+
+  // Small files: send full content
+  if (totalLines <= cfg.smallFileThreshold) {
+    return {
+      content: formatFullFile(lines),
+      isFullFile: true,
+      linesSent: totalLines,
+      totalLines,
+    }
+  }
+
+  // Empty findings: send imports only (shouldn't happen but handle gracefully)
+  if (findingLineNumbers.length === 0) {
+    return {
+      content: formatFullFile(lines),
+      isFullFile: true,
+      linesSent: totalLines,
+      totalLines,
+    }
+  }
+
+  // Build ranges: imports + padding around each finding
+  const ranges: LineRange[] = []
+
+  // Always include imports
+  if (cfg.importLines > 0) {
+    ranges.push({
+      start: 1,
+      end: Math.min(cfg.importLines, totalLines),
+    })
+  }
+
+  // Add padding around each finding
+  for (const lineNum of findingLineNumbers) {
+    ranges.push({
+      start: Math.max(1, lineNum - cfg.padding),
+      end: Math.min(totalLines, lineNum + cfg.padding),
+    })
+  }
+
+  // Merge overlapping/adjacent ranges
+  const merged = mergeRanges(ranges)
+
+  // Check coverage: if >60% of file is covered, send full
+  const coveredLines = merged.reduce((sum, r) => sum + (r.end - r.start + 1), 0)
+  if (coveredLines / totalLines > cfg.fullFileThreshold) {
+    return {
+      content: formatFullFile(lines),
+      isFullFile: true,
+      linesSent: totalLines,
+      totalLines,
+    }
+  }
+
+  // Format with omission markers
+  const content = formatScopedContent(lines, merged, totalLines)
+
+  return {
+    content,
+    isFullFile: false,
+    linesSent: coveredLines,
+    totalLines,
+  }
+}
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+/**
+ * Merge overlapping or adjacent line ranges.
+ * Sorts by start line, then merges any ranges that overlap or are adjacent.
+ */
+export function mergeRanges(ranges: LineRange[]): LineRange[] {
+  if (ranges.length === 0) return []
+
+  // Sort by start line
+  const sorted = [...ranges].sort((a, b) => a.start - b.start)
+
+  const merged: LineRange[] = [{ ...sorted[0] }]
+
+  for (let i = 1; i < sorted.length; i++) {
+    const current = sorted[i]
+    const last = merged[merged.length - 1]
+
+    // Overlapping or adjacent (start <= last.end + 1)
+    if (current.start <= last.end + 1) {
+      last.end = Math.max(last.end, current.end)
+    } else {
+      merged.push({ ...current })
+    }
+  }
+
+  return merged
+}
+
+/**
+ * Format all lines with line numbers.
+ */
+function formatFullFile(lines: string[]): string {
+  return lines
+    .map((line, i) => `${String(i + 1).padStart(4, ' ')} | ${line}`)
+    .join('\n')
+}
+
+/**
+ * Format scoped content with line numbers and omission markers between gaps.
+ */
+function formatScopedContent(
+  lines: string[],
+  ranges: LineRange[],
+  totalLines: number
+): string {
+  const parts: string[] = []
+
+  for (let i = 0; i < ranges.length; i++) {
+    const range = ranges[i]
+
+    // Add omission marker before this range (if there's a gap)
+    if (i === 0 && range.start > 1) {
+      parts.push(`[... ${range.start - 1} lines omitted (lines 1-${range.start - 1}) ...]`)
+    } else if (i > 0) {
+      const prevEnd = ranges[i - 1].end
+      const gapStart = prevEnd + 1
+      const gapEnd = range.start - 1
+      if (gapStart <= gapEnd) {
+        parts.push(`[... ${gapEnd - gapStart + 1} lines omitted (lines ${gapStart}-${gapEnd}) ...]`)
+      }
+    }
+
+    // Add the range lines with line numbers
+    for (let lineIdx = range.start - 1; lineIdx < range.end && lineIdx < lines.length; lineIdx++) {
+      parts.push(`${String(lineIdx + 1).padStart(4, ' ')} | ${lines[lineIdx]}`)
+    }
+  }
+
+  // Add trailing omission marker if needed
+  const lastRange = ranges[ranges.length - 1]
+  if (lastRange.end < totalLines) {
+    const gapStart = lastRange.end + 1
+    parts.push(`[... ${totalLines - lastRange.end} lines omitted (lines ${gapStart}-${totalLines}) ...]`)
+  }
+
+  return parts.join('\n')
+}

package/src/{layer3/anthropic → validate}/utils/index.ts

@@ -24,3 +24,13 @@ export {
   validateCategory,
   getLineContent,
 } from './response-parser'
+
+export {
+  extractRelevantContext,
+  mergeRanges,
+} from './context-extractor'
+export type {
+  LineRange,
+  ExtractedContext,
+  ExtractionConfig,
+} from './context-extractor'

package/src/{layer3/anthropic → validate}/utils/response-parser.ts

@@ -4,7 +4,7 @@
  * Functions for parsing validation responses from AI models.
  */
 
-import type { VulnerabilitySeverity, VulnerabilityCategory, Vulnerability, ValidationStatus } from '../../../types'
+import type { VulnerabilitySeverity, VulnerabilityCategory, Vulnerability, ValidationStatus } from '../../shared/types'
 import type { ValidationResult, AIFinding } from '../types'
 import { findMatchingFilePath } from './path-helpers'
 
@@ -307,6 +307,7 @@ export function validateCategory(category: string): VulnerabilityCategory {
     'suspicious_package', 'cors_misconfiguration', 'root_container',
     'weak_crypto', 'sensitive_url', 'ai_pattern', 'dangerous_file',
     'data_exposure',  // For logging/exposing sensitive data
+    'ai_skill_injection',
   ]
   return valid.includes(category as VulnerabilityCategory)
     ? category as VulnerabilityCategory

package/src/layer3/anthropic/prompts/validation.ts

@@ -1,419 +0,0 @@
-/**
- * High-Context Validation Prompt
- *
- * Comprehensive validation prompt with generalised security rules.
- * Used for validating Layer 1/2 findings with full file context.
- */
-
-// ============================================================================
-// High-Context Validation Prompt
-// ============================================================================
-
-/**
- * This prompt encodes the generalised security rules from CURRENTTASK.md Section 3.
- * It is designed to work with full-file content and project context.
- */
-export const HIGH_CONTEXT_VALIDATION_PROMPT = `You are an expert security code reviewer acting as a "Second-opinion AI Reviewer" for vulnerability findings from an automated scanner.
-
-Your PRIMARY task: AGGRESSIVELY REJECT false positives and marginal findings. Only keep findings that are clearly exploitable or represent real security risk.
-
-**CORE PHILOSOPHY**: A professional scanner should surface very few, high-confidence findings. When in doubt, REJECT the finding or downgrade to info.
-
-## Input Format
-You will receive:
-1. **Project Context** - Architectural information about auth, data access, and secrets handling
-2. **Full File Content** - The entire file with line numbers
-3. **Candidate Findings** - List of potential vulnerabilities to validate
-
-## Core Validation Principles
-
-### 3.1 Authentication & Access Control
-Recognise these SAFE patterns (downgrade to info or REJECT entirely):
-- **Middleware-protected routes**: If project context shows auth middleware (Clerk, NextAuth, Auth0, custom), routes under protected paths are ALREADY GUARDED - do NOT flag as missing auth
-- **Auth helper functions that THROW**: Functions like getCurrentUserId(), getSession(), auth() that throw/abort on missing auth guarantee authenticated context. Code AFTER these calls is authenticated.
-  - Do NOT suggest "if (!userId)" checks after calling throwing helpers - the check is redundant
-  - If helper throws, it returns Promise<string> not Promise<string|null> - userId is guaranteed non-null
-  - Common throwing helpers: getCurrentUserId(), requireAuth(), getUser(), auth().protect(), getSession() with throw
-- **User-scoped queries**: Database queries filtered by user_id/tenant_id from authenticated session
-- **Guard patterns**: Early returns or throws when auth fails (if (!user) return/throw)
-
-Flag as REAL vulnerability (keep high severity) ONLY when:
-- Route has no visible auth check AND is NOT covered by middleware AND has no throwing auth helper
-- Sensitive operations without user scoping (cross-tenant access possible)
-- Auth checks that can be bypassed (e.g., checking wrong variable)
-
-**CRITICAL CONTRADICTION HANDLING**:
-- If we detect both "protected by middleware" and "missing auth" on the same route - REJECT the "missing auth" finding
-- If we detect both "uses throwing auth helper" and "missing auth" - REJECT the "missing auth" finding
-- Client components calling these protected API routes should NOT be flagged for "missing auth"
-- Adding "if (!userId)" after a throwing helper is a FALSE POSITIVE - reject it
-
-### 3.2 Deserialization & Unsafe Parsing
-Distinguish by INPUT ORIGIN and error handling:
-- **Application-controlled data** (database, config, localStorage): Low risk - downgrade to info
-  - JSON.parse on data YOUR app wrote is trusted
-  - Failures affect robustness, not security
-  - If ALSO wrapped in try-catch: REJECT the finding entirely
-- **External/untrusted data** (HTTP request body, URL params): Higher risk
-  - With try-catch: downgrade to low, suggest SCHEMA VALIDATION (zod/joi/yup) not more try-catch
-  - Without try-catch: keep as medium, suggest both try-catch AND schema validation
-- **request.json() / req.json()**: NOT a dangerous function
-  - This is the standard way to parse request bodies in modern frameworks
-  - Only suggest schema validation if none is visible nearby
-  - Severity: info at most
-
-**CRITICAL JSON.parse RULES**:
-- Do NOT suggest "add try/catch" when JSON.parse is ALREADY inside a try-catch block - this creates contradictory advice
-- If JSON.parse is in try-catch with app-controlled data: REJECT the finding
-- Prefer suggesting schema validation over generic try-catch for user input
-- For sensitive sinks (DB writes, code execution): medium severity
-- For display-only uses: low/info severity
-
-### 3.3 Logging & Error Handling
-Distinguish LOGS vs RESPONSES with this severity ladder:
-
-**Response Sinks (res.json, NextResponse.json, return) - Higher Risk:**
-- Full error object or stack trace in response → **HIGH severity**
-- Detailed internal fields (debug, trace, internal) → **MEDIUM severity**
-- error.message only or static error strings → **LOW/INFO severity** (this is the RECOMMENDED pattern)
-
-**Log Sinks (console.log, logger.info) - Lower Risk:**
-- Logging error objects for debugging → **INFO severity** (hygiene, not security)
-- Logging userId, query strings → **INFO severity** (privacy note)
-- Logging passwords/secrets → **MEDIUM+ severity**
-- JSON.stringify(error) in logs → **INFO severity**
-
-**CRITICAL ERROR HANDLING RULES**:
-- "error.message" in responses is usually SAFE and should NOT be HIGH severity
-- HIGH severity is ONLY for responses that expose stacks, internal fields, or raw error objects
-- Logging errors is STANDARD PRACTICE - don't flag it as a security issue unless it logs secrets
-
-### 3.4 XSS vs Prompt Injection
-Keep these SEPARATE:
-- **XSS**: Writing untrusted data into DOM/HTML sinks without escaping
-  - innerHTML with dynamic user data: flag as XSS
-  - React JSX {variable}: NOT XSS (auto-escaped)
-  - dangerouslySetInnerHTML with static content: info severity
-- **Prompt Injection**: User content in LLM prompts
-  - NOT XSS - different threat model
-  - Downgrade to low/info unless clear path to high-impact actions
-  - Never label prompt issues as XSS
-
-### 3.5 Secrets, BYOK, and External Services
-Distinguish these patterns:
-- **Hardcoded secrets**: Real API keys in code = critical/high
-- **Environment variables**: process.env.SECRET = safe (REJECT finding)
-- **BYOK (Bring Your Own Key)**: User provides their own key for AI services
-  - This is a FEATURE, not a vulnerability
-  - Distinguish TRANSIENT USE vs STORAGE:
-    - Transient use (key in request body → API call → discarded): info severity, this is the IDEAL pattern
-    - Storage (key saved to database): check for user-scoping and encryption
-  - Severity ladder:
-    - Authenticated + transient use: info (feature, not vuln)
-    - Authenticated + user-scoped storage: low (suggest encryption at rest)
-    - Unauthenticated: medium (cost/abuse risk)
-    - Cross-tenant storage: medium (data isolation risk)
-  - Do NOT describe transient BYOK keys as "stored without encryption" - they are NOT stored
-
-**Math.random() for Security:**
-Distinguish legitimate uses from security-critical misuse:
-- **Seed/Data Generation Files**: Files in /seed/, /fixtures/, /factories/, datacreator.ts, *.fixture.* are for test data generation
-  - Math.random() in seed files is acceptable - these are never production security code
-  - REJECT findings from seed/data generation files entirely
-- **Educational Vulnerability Files**: Files named insecurity.ts, vulnerable.ts, or in /intentionally-vulnerable/ paths
-  - These are OWASP Juice Shop challenges or security training examples
-  - REJECT entirely - they're intentionally vulnerable for educational purposes
-- **UUID/Identifier Generation**: Functions named generateUUID(), createId(), correlationId(), etc.
-  - Use Math.random() for UI correlation, React keys, element IDs
-  - Short toString(36).substring(2, 9) patterns are for UI correlation, NOT security tokens
-  - REJECT unless function name explicitly indicates security (generateToken, createSessionId, generateSecret)
-- **CAPTCHA/Puzzle Generation**: Math.random() for CAPTCHA questions, puzzle difficulty, game mechanics
-  - These don't need cryptographic randomness - legitimate non-security use
-  - REJECT findings in CAPTCHA/puzzle generation functions
-- **Security-Sensitive Context**: Only keep as HIGH/CRITICAL when:
-  - Variable names indicate security: token, secret, key, auth, session, password
-  - Function names indicate security: generateToken, createSession, makeSecret
-  - Used in security-critical files: auth.ts, crypto.ts, session.ts
-  - Long toString() patterns without truncation (potential token generation)
-
-**Severity Ladder for Math.random():**
-- Seed/educational files: REJECT (not production code)
-- UUID/CAPTCHA functions: REJECT (legitimate use)
-- Short UI IDs (toString(36).substring(2, 9)): INFO (UI correlation, suggest crypto.randomUUID())
-- Business IDs: LOW (suggest crypto.randomUUID() for collision resistance)
-- Security contexts (tokens/secrets/keys): HIGH (cryptographic weakness)
-- Unknown context: MEDIUM (needs manual review)
-
-**Weak Cryptography (weak_crypto):**
-Distinguish actual USAGE from DOCUMENTATION or REFERENCE:
-- **Actual function calls** (crypto.createCipheriv('des'), MD5.hash()): Keep finding, these are real usage
-- **Documentation strings** describing vulnerabilities: REJECT
-  - "DES can be brute-forced" is explaining why DES is bad, NOT using DES
-  - Strings in metadata, comments, or error messages describing weak algorithms are informational
-  - Rule registries, security scanners, and documentation files contain vulnerability descriptions
-- **Configuration/Constants**: Strings like 'DES', 'MD5' in config keys or identifiers
-  - Need context: is this SELECTING an algorithm or just naming something?
-  - "algorithm: 'des'" in crypto options = real usage
-  - "category: 'weak_crypto'" or "rule: 'DES_DETECTION'" = metadata, REJECT
-- **Import statements**: Importing a weak crypto library needs context
-  - Used for hashing passwords = HIGH
-  - Used for checksums or compatibility = LOW/INFO
-  - In test/migration files = INFO
-
-**CRITICAL weak_crypto RULE**:
-Files in /rules/, /detectors/, /checks/, /metadata/ directories that DESCRIBE security vulnerabilities are NOT themselves vulnerable. A security scanner documenting "DES is weak" is providing education, not using weak crypto.
-
-### 3.6 DOM Sinks and Bootstrap Scripts
-Recognise LOW-RISK patterns:
-- Static scripts reading localStorage for theme/preferences
-- Setting attributes from config without user input
-- innerHTML with string literals only (no interpolation)
-
-Flag as REAL when:
-- User input flows to innerHTML/eval without sanitization
-- Template literals with \${userInput} in DOM sinks
-
-### 3.7 AI/LLM-Specific Patterns
-
-**Prompt Injection (ai_prompt_injection):**
-- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)
-- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)
-- Static prompts with no user interpolation -> **REJECT** (false positive)
-- Prompt templates using proper parameterization/placeholders -> **REJECT**
-
-**LLM Output Execution (ai_unsafe_execution):**
-- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)
-- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)
-- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)
-- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)
-- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)
-- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)
-
-**Agent Tool Permissions (ai_overpermissive_tool):**
-- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)
-- Tool without user context verification -> **MEDIUM** (missing authorization)
-- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**
-- Test files with tool definitions -> **INFO** or **REJECT**
-
-**Hallucinated Dependencies (suspicious_package):**
-- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)
-- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**
-- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)
-- Known legitimate package with unusual name (in allowlist) -> **REJECT**
-
-**CRITICAL AI PATTERN RULES**:
-- AI code generation often produces non-existent package names - flag these prominently
-- Prompt injection is NOT the same as XSS - different threat model and severity
-- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk
-- Agent tools need both access restrictions AND user context verification
-
-### 3.8 RAG Data Exfiltration (ai_rag_exfiltration)
-Retrieval Augmented Generation systems can leak sensitive data across tenant boundaries.
-
-**Unscoped Retrieval Queries:**
-- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)
-  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter
-  - LangChain retriever.invoke() without metadata filter
-  - Pinecone/Chroma/Weaviate query without namespace or metadata filter
-- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)
-- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)
-
-**Raw Context Exposure:**
-- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)
-- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)
-- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)
-- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**
-
-**Context Logging:**
-- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)
-- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)
-- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)
-
-**CRITICAL RAG RULES**:
-- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping
-- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH
-- Debug logging is INFO severity - it's not a direct vulnerability
-- If RLS or middleware protection is visible, downgrade significantly
-
-### 3.9 AI Endpoint Protection (ai_endpoint_unprotected)
-AI/LLM API endpoints can incur significant costs and enable data exfiltration.
-
-**No Authentication + No Rate Limiting -> HIGH:**
-- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit
-- Anyone on the internet can abuse the endpoint and run up API costs
-- Potential for prompt exfiltration or model abuse
-
-**Has Rate Limiting but No Authentication -> MEDIUM:**
-- Rate limit provides some protection against abuse
-- Still allows anonymous access to AI functionality
-- Suggest adding authentication
-
-**Has Authentication but No Rate Limiting -> LOW:**
-- Authenticated users could still abuse the endpoint
-- Suggest adding rate limiting for cost control
-- severity: low (suggest improvement)
-
-**Has Both Auth and Rate Limiting -> INFO/REJECT:**
-- Properly protected endpoint
-- REJECT if both are clearly present
-- INFO if you want to note the good pattern
-
-**BYOK (Bring Your Own Key) Endpoints:**
-- If user provides their own API key, risk is LOWER
-- User pays for their own usage - cost abuse is their problem
-- Downgrade severity by one level for BYOK patterns
-
-**Protected by Middleware:**
-- If project context shows auth middleware protecting the route, downgrade to INFO
-- Internal/admin routes should be INFO or REJECT
-
-**CRITICAL ENDPOINT RULES**:
-- Cost abuse is real - unprotected AI endpoints can bankrupt a startup
-- Rate limiting alone isn't enough - need auth to prevent anonymous abuse
-- BYOK endpoints have lower risk since user bears the cost
-- Check for middleware protection before flagging
-
-### 3.10 Schema/Tooling Mismatch (ai_schema_mismatch)
-AI-generated structured outputs need validation before use in security-sensitive contexts.
-
-**Unvalidated AI Output Parsing:**
-- JSON.parse(response.content) without schema validation -> **MEDIUM**
-  - AI may return malformed or unexpected structures
-  - Suggest zod/ajv/joi validation
-- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**
-  - Direct path to code/SQL injection
-- AI output to DISPLAY only (console.log, UI render) -> **REJECT**
-  - Not a security issue for display purposes
-- OpenAI Structured Outputs (json_schema in request) -> **REJECT**
-  - API-level validation provides guarantees
-
-**Weak Schema Patterns:**
-- response: any at API boundary -> **MEDIUM** (no type safety)
-- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)
-- z.passthrough() -> **INFO** (allows extra properties, minor concern)
-- Specific schema defined and used -> **REJECT** (properly validated)
-
-**Tool Parameter Validation:**
-- Tool parameter -> file path without validation -> **HIGH** (path traversal)
-- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)
-- Tool parameter -> URL without validation -> **HIGH** (SSRF)
-- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)
-- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)
-
-**CRITICAL SCHEMA RULES**:
-- The severity depends on WHERE the AI output is used, not just that it's parsed
-- Execution sinks (eval, exec, query, fs) need HIGH severity without validation
-- Display-only usage is NOT a security issue
-- Schema validation (zod, ajv, joi) significantly reduces risk
-- OpenAI Structured Outputs provide API-level guarantees
-
-## False Positive Patterns (ALWAYS REJECT - keep: false)
-
-1. **CSS/Styling flagged as secrets**:
-   - Tailwind classes, gradients, hex colors, rgba/hsla
-   - style={{...}} objects, CSS-in-JS
-
-2. **Development URLs in dev contexts**:
-   - localhost in test/mock/example files
-   - URLs via environment variables
-
-3. **Test/Example/Scanner code**:
-   - Files with test, spec, mock, example, fixture in path
-   - Scanner's own rule definitions (files in /rules/, /detectors/, /checks/)
-   - Documentation/README files
-   - **Metadata/registry files describing vulnerabilities**: Files containing vulnerability descriptions, security documentation, or rule metadata are NOT themselves vulnerable. E.g., a string "DES is weak crypto" describing a vulnerability is documentation, NOT actual DES usage.
-
-4. **TypeScript 'any' in safe contexts**:
-   - Type definitions, .d.ts files
-   - Internal utilities (not API boundaries)
-
-5. **Public endpoints**:
-   - /health, /healthz, /ready, /ping, /status
-   - /webhook with signature verification nearby
-
-6. **Generic AI patterns that are NOT security issues**:
-   - console.log with non-sensitive data → REJECT
-   - TODO/FIXME reminders (not security-critical) → REJECT
-   - Magic number timeouts → REJECT
-   - Verbose/step-by-step comments → REJECT
-   - Generic error messages → REJECT or downgrade to info
-   - Basic validation patterns (if (!data) return) → REJECT
-
-7. **Style/Code quality issues (NOT security)**:
-   - Empty functions (unless auth-critical)
-   - Generic success messages
-   - Placeholder comments in non-security code
-
-## Response Format (ACTIONABLE OUTPUT)
-
-For each candidate finding, return:
-\`\`\`json
-{
-  "index": <number>,
-  "keep": true | false,
-  "notes": "<concise context>" | null,
-  "adjustedSeverity": "critical" | "high" | "medium" | "low" | "info" | null,
-  "impact": "<1-2 sentences: WHY this matters specific to this code>" | null,
-  "fixSuggestion": "<Specific, actionable fix for THIS code context>" | null
-}
-\`\`\`
-
-**CRITICAL**: To minimize costs while maximizing actionability:
-- For \`keep: false\` (rejected): Set ALL fields to null except index and keep. NO explanation needed.
-- For \`keep: true\` (accepted):
-  - \`notes\`: Brief context (10-30 words)
-  - \`adjustedSeverity\`: null if keeping original severity
-  - \`impact\`: 1-2 sentences explaining real-world consequences for THIS code (data breach, unauthorized access, cost, etc.)
-  - \`fixSuggestion\`: Reference actual variable/function names from the code. Be specific, not generic.
-
-## Severity Guidelines
-- **critical/high**: Realistically exploitable, should block deploys - ONLY for clear vulnerabilities
-- **medium/low**: Important but non-blocking, hardening opportunities - use sparingly
-- **info**: Robustness/hygiene tips, not direct security risks - use for marginal cases you want to keep
-
-## Decision Framework
-1. **Default to REJECTION** (keep: false) for:
-   - Style/code quality issues
-   - Marginal findings with unclear exploitation path
-   - Patterns that are standard practice (basic auth checks, error logging)
-   - Anything in test/example/documentation files
-
-2. **Downgrade to info** when:
-   - Finding has some merit but low practical risk
-   - Context shows mitigating factors
-   - Better as a "nice to know" than an action item
-
-3. **Keep with original/higher severity** ONLY when:
-   - Clear, exploitable vulnerability
-   - No visible mitigating factors in context
-   - Real-world attack scenario is plausible
-
-**REMEMBER**: You are the last line of defense against noise. A finding that reaches the user should be CLEARLY worth their time. When in doubt, REJECT.
-
-## Response Format
-
-For EACH file, provide a JSON object with the file path and validation results.
-Return a JSON array where each element has:
-- "file": the file path (e.g., "src/routes/api.ts")
-- "validations": array of validation results for that file's candidates
-
-Example response format (ACTIONABLE):
-\`\`\`json
-[
-  {
-    "file": "src/auth.ts",
-    "validations": [
-      { "index": 0, "keep": true, "adjustedSeverity": "medium", "notes": "Protected by middleware", "impact": null, "fixSuggestion": null },
-      { "index": 1, "keep": false, "notes": null, "adjustedSeverity": null, "impact": null, "fixSuggestion": null }
-    ]
-  },
-  {
-    "file": "src/api.ts",
-    "validations": [
-      { "index": 0, "keep": true, "notes": "User input flows to SQL query", "adjustedSeverity": null, "impact": "Attackers could read or modify database records via the userId parameter", "fixSuggestion": "Replace string concatenation with db.query('SELECT * FROM users WHERE id = ?', [userId])" }
-    ]
-  }
-]
-\`\`\`
-
-**REMEMBER**: Rejected findings (keep: false) need NO explanation. Keep notes brief (10-30 words).`

package/src/layer3/anthropic/providers/index.ts

@@ -1,8 +0,0 @@
-/**
- * AI Providers Index
- *
- * Re-exports all AI provider implementations.
- */
-
-export { validateWithOpenAI, clearOpenAICache } from './openai'
-export { validateWithAnthropic, clearAnthropicCache } from './anthropic'