@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/config/urls.js

@@ -0,0 +1,450 @@
+"use strict";
+/**
+ * Layer 1: URL Pattern Matching
+ * Detects hardcoded sensitive URLs that may indicate security issues
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.aggregateLocalhostFindings = aggregateLocalhostFindings;
+exports.detectSensitiveURLs = detectSensitiveURLs;
+const file_classifier_1 = require("../../parse/file-classifier");
+const environment_context_1 = require("../../shared/environment-context");
+const route_hierarchy_1 = require("../../model/route-hierarchy");
+const BASE_CONFIDENCE_WEBHOOK = 0.55;
+const BASE_CONFIDENCE_LOCALHOST = 0.30;
+// Check if file is documentation/README/example
+function isDocumentationFile(filePath) {
+    const docPatterns = [
+        /README/i,
+        /CHANGELOG/i,
+        /CONTRIBUTING/i,
+        /LICENSE/i,
+        /\.md$/i,
+        /\.mdx$/i,
+        /\.rst$/i,
+        /\.adoc$/i,
+        /\/docs\//i,
+        /\/documentation\//i,
+        /\/wiki\//i,
+        /\/guides?\//i,
+        /\/tutorials?\//i,
+        /\/examples?\//i,
+    ];
+    return docPatterns.some(p => p.test(filePath));
+}
+/**
+ * Check if file path indicates it's inside an authenticated route group
+ * Modern frameworks use route groups/layouts that handle auth at the layout level
+ *
+ * Examples:
+ * - Next.js: (authenticated)/dashboard/page.tsx, (admin)/users/page.tsx
+ * - Remix: _authenticated+/dashboard.tsx
+ * - SvelteKit: (protected)/+page.svelte
+ */
+function isInsideAuthenticatedRouteGroup(filePath) {
+    const authRoutePatterns = [
+        // Next.js App Router - route groups with auth-related names
+        /\/\(authenticated\)\//i,
+        /\/\(protected\)\//i,
+        /\/\(auth\)\//i,
+        /\/\(admin\)\//i,
+        /\/\(dashboard\)\//i,
+        /\/\(private\)\//i,
+        /\/\(secure\)\//i,
+        /\/\(user\)\//i,
+        /\/\(account\)\//i,
+        /\/\(settings\)\//i,
+        /\/\(app\)\//i, // Common pattern for authenticated app routes
+        // Remix - authenticated route conventions
+        /\/_authenticated\+\//i,
+        /\/_protected\+\//i,
+        /\/_auth\+\//i,
+        /\/__authenticated\//i,
+        // Generic patterns that indicate auth-protected sections
+        /\/dashboard\//i,
+        /\/admin\//i,
+        /\/account\//i,
+        /\/settings\//i,
+        /\/profile\//i,
+        /\/my-/i, // /my-account/, /my-orders/
+        /\/user\//i,
+        /\/users\/\[/i, // /users/[userId]/ - user-specific routes
+    ];
+    return authRoutePatterns.some(p => p.test(filePath));
+}
+// Check if file is a config/constants file where localhost is expected
+function isDevConfigFile(filePath) {
+    const devConfigPatterns = [
+        /\.env\.local$/i,
+        /\.env\.development$/i,
+        /\.env\.dev$/i,
+        /\.env\.example$/i,
+        /\.env\.sample$/i,
+        /config\.dev\./i,
+        /config\.development\./i,
+        /config\.local\./i,
+        /\/config\/development\//i,
+        /\/config\/local\//i,
+        /constants\.dev\./i,
+    ];
+    return devConfigPatterns.some(p => p.test(filePath));
+}
+// Check if file is a locale/i18n file where URLs are example placeholders
+function isLocaleFile(filePath) {
+    const localePatterns = [
+        /\/locales?\//i, // /locale/ or /locales/
+        /\/i18n\//i, // /i18n/
+        /\/translations?\//i, // /translation/ or /translations/
+        /\/lang\//i, // /lang/
+        /\/languages?\//i, // /language/ or /languages/
+        /\.\w{2}(-\w{2})?\.json$/i, // .en.json, .zh-CN.json, etc.
+    ];
+    return localePatterns.some(p => p.test(filePath));
+}
+// Check if line contains URL placeholder/example text
+function isUrlPlaceholderText(line) {
+    const placeholderPatterns = [
+        /placeholder['"]\s*:/i, // "placeholder": "http://..."
+        /example['"]\s*:/i, // "example": "http://..."
+        /e\.g\./i, // e.g. http://localhost
+        /for\s+example/i, // for example http://...
+        /such\s+as/i, // such as http://localhost
+        /like\s+http/i, // like http://localhost
+        /格式.*http/i, // Chinese: format http://...
+        /例如.*http/i, // Chinese: for example http://...
+        /beispiel.*http/i, // German: example http://...
+        /ejemplo.*http/i, // Spanish: example http://...
+        /exemple.*http/i, // French: example http://...
+    ];
+    return placeholderPatterns.some(p => p.test(line));
+}
+// URL patterns that may indicate security issues
+const URL_PATTERNS = [
+    // Internal/staging endpoints in production code
+    {
+        pattern: /https?:\/\/localhost[:\d]*/gi,
+        name: 'Localhost URL',
+        severity: 'medium',
+        description: 'Hardcoded localhost URL found - may cause issues in production',
+    },
+    {
+        pattern: /https?:\/\/127\.0\.0\.1[:\d]*/gi,
+        name: 'Loopback URL',
+        severity: 'medium',
+        description: 'Hardcoded loopback IP address found',
+    },
+    {
+        pattern: /https?:\/\/[^\/]*staging[^\/]*\.[a-z]+/gi,
+        name: 'Staging URL',
+        severity: 'medium',
+        description: 'Hardcoded staging environment URL found',
+    },
+    {
+        pattern: /https?:\/\/[^\/]*\bdev\b[^\/]*\.[a-z]+/gi,
+        name: 'Development URL',
+        severity: 'low',
+        description: 'Hardcoded development environment URL found',
+    },
+    {
+        pattern: /https?:\/\/[^\/]*internal[^\/]*\.[a-z]+/gi,
+        name: 'Internal URL',
+        severity: 'high',
+        description: 'Hardcoded internal URL found - may expose internal infrastructure',
+    },
+    {
+        pattern: /https?:\/\/[^\/]*\btest\b[^\/]*\.[a-z]+/gi,
+        name: 'Test Environment URL',
+        severity: 'low',
+        description: 'Hardcoded test environment URL found',
+    },
+    // Admin/sensitive endpoints - heavily downgraded
+    // In most modern frameworks, these are protected by middleware or layout auth
+    // Flagging them creates noise when they're inside authenticated route groups
+    {
+        pattern: /['"`]\/admin(?:\/|['"`])/gi,
+        name: 'Admin Endpoint',
+        severity: 'info',
+        description: 'Admin endpoint path found - typically protected by auth middleware',
+    },
+    {
+        pattern: /['"`]\/api\/admin/gi,
+        name: 'Admin API Endpoint',
+        severity: 'info', // Downgraded from low - usually behind middleware
+        description: 'Admin API endpoint found - typically protected by auth middleware',
+    },
+    // API keys in URLs
+    {
+        pattern: /\?api[_-]?key=[a-zA-Z0-9_-]{10,}/gi,
+        name: 'API Key in URL Query',
+        severity: 'high',
+        description: 'API key exposed in URL query parameter',
+    },
+    {
+        pattern: /&api[_-]?key=[a-zA-Z0-9_-]{10,}/gi,
+        name: 'API Key in URL Query',
+        severity: 'high',
+        description: 'API key exposed in URL query parameter',
+    },
+    {
+        pattern: /\?token=[a-zA-Z0-9_-]{10,}/gi,
+        name: 'Token in URL Query',
+        severity: 'high',
+        description: 'Token exposed in URL query parameter',
+    },
+    {
+        pattern: /\?secret=[a-zA-Z0-9_-]{10,}/gi,
+        name: 'Secret in URL Query',
+        severity: 'critical',
+        description: 'Secret exposed in URL query parameter',
+    },
+    // Webhook URLs (may contain secrets)
+    {
+        pattern: /https:\/\/hooks\.slack\.com\/services\/[a-zA-Z0-9\/]+/gi,
+        name: 'Slack Webhook URL',
+        severity: 'high',
+        description: 'Slack webhook URL found - should be stored as environment variable',
+    },
+    {
+        pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/gi,
+        name: 'Discord Webhook URL',
+        severity: 'high',
+        description: 'Discord webhook URL found - should be stored as environment variable',
+    },
+    // Debug/test endpoints - downgraded (often in test files or intentional)
+    {
+        pattern: /['"`]\/debug(?:\/|['"`])/gi,
+        name: 'Debug Endpoint',
+        severity: 'low', // Downgraded from medium
+        description: 'Debug endpoint found - verify not accessible in production',
+    },
+    {
+        pattern: /['"`]\/test(?:\/|['"`])/gi,
+        name: 'Test Endpoint',
+        severity: 'info', // Downgraded from low
+        description: 'Test endpoint found - typically safe in test context',
+    },
+];
+// Check if line is a comment
+function isComment(lineContent) {
+    const trimmed = lineContent.trim();
+    return (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*'));
+}
+// Check if it's in a test file
+function isTestFile(filePath) {
+    return /\.(test|spec)\.(ts|tsx|js|jsx)$/i.test(filePath) ||
+        /\/__tests__\//i.test(filePath) ||
+        /\/test\//i.test(filePath);
+}
+// Check if URL is in an environment variable reference
+function isEnvVarReference(lineContent) {
+    return lineContent.includes('process.env') ||
+        lineContent.includes('${') ||
+        lineContent.includes('import.meta.env');
+}
+/**
+ * Check if localhost URL is used as a fallback default value
+ * This is a common safe pattern in development:
+ * - process.env.API_URL || 'http://localhost:3000'
+ * - baseUrl ?? 'http://localhost:3000'
+ * - config.url || 'http://localhost'
+ * - config?.url ?? 'http://localhost'
+ */
+function isLocalhostFallback(lineContent) {
+    const fallbackPatterns = [
+        // Logical OR fallback: something || 'http://localhost...'
+        /\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+        // Nullish coalescing fallback: something ?? 'http://localhost...'
+        /\?\?\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+        // Default parameter: = 'http://localhost...'
+        /=\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)[^'"]*['"`]\s*(,|\)|$)/i,
+        // Ternary with env check: process.env.X ? ... : 'http://localhost'
+        /process\.env\.\w+\s*\?\s*[^:]+\s*:\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+        // Object property default: url: process.env.X || 'http://localhost'
+        /:\s*process\.env\.\w+\s*\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+        // Import.meta.env fallback
+        /import\.meta\.env\.\w+\s*\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+        /import\.meta\.env\.\w+\s*\?\?\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    ];
+    return fallbackPatterns.some(p => p.test(lineContent));
+}
+// Get URL context for smarter detection
+function getURLContext(lineContent, filePath) {
+    return {
+        isDevOnly: /['"]?BASE_URL['"]?|['"]?API_URL['"]?|['"]?NEXT_PUBLIC_/.test(lineContent),
+        isConfigFile: /config|settings|constants/.test(filePath.toLowerCase()),
+        isTestFile: isTestFile(filePath),
+        isEnvRef: isEnvVarReference(lineContent)
+    };
+}
+// Aggregate repeated localhost findings per file
+function aggregateLocalhostFindings(vulnerabilities) {
+    const localhostByFile = new Map();
+    const result = [];
+    for (const vuln of vulnerabilities) {
+        // Check if this is a localhost/127.0.0.1 URL
+        if (vuln.category === 'sensitive_url' &&
+            /localhost|127\.0\.0\.1/i.test(vuln.lineContent)) {
+            const key = vuln.filePath;
+            if (!localhostByFile.has(key)) {
+                localhostByFile.set(key, { lines: [], urls: [], original: vuln });
+            }
+            const entry = localhostByFile.get(key);
+            entry.lines.push(vuln.lineNumber);
+            entry.urls.push(vuln.lineContent);
+        }
+        else {
+            result.push(vuln);
+        }
+    }
+    // Create aggregated findings for localhost URLs
+    for (const [filePath, data] of localhostByFile) {
+        const aggregated = {
+            ...data.original,
+            title: `Localhost URLs in development code (${data.lines.length} instances)`,
+            description: `Found ${data.lines.length} localhost references on lines ${data.lines.join(', ')}. ` +
+                `This is typically safe in development but should use environment variables.`,
+            lineNumber: data.lines[0],
+            severity: 'info', // Downgraded to info
+        };
+        result.push(aggregated);
+    }
+    return result;
+}
+function detectSensitiveURLs(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip documentation files entirely - they often contain example URLs
+    if (isDocumentationFile(filePath)) {
+        return vulnerabilities;
+    }
+    // Get environment context for smart handling
+    const envContext = (0, environment_context_1.getEnvironmentContext)(filePath);
+    // Get route protection context
+    const routeHierarchy = (0, route_hierarchy_1.getRouteProtectionContext)(filePath);
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    const inTestFile = isTestFile(filePath);
+    const inDevConfig = isDevConfigFile(filePath);
+    const inTestConfig = (0, file_classifier_1.isTestConfigFile)(filePath);
+    const isPython = (0, file_classifier_1.isPythonFile)(filePath);
+    const inAuthRoute = isInsideAuthenticatedRouteGroup(filePath) || routeHierarchy.isInProtectedHierarchy;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // Skip comments
+        if (isComment(line))
+            continue;
+        // Skip Python docstrings - they often contain example URLs
+        if (isPython && (0, file_classifier_1.isInsidePythonDocstring)(lines, i)) {
+            continue;
+        }
+        // Get context for this line
+        const context = getURLContext(line, filePath);
+        // Skip environment variable references entirely
+        if (context.isEnvRef)
+            continue;
+        for (const { pattern, name, severity, description } of URL_PATTERNS) {
+            // Reset regex state
+            const regex = new RegExp(pattern.source, pattern.flags);
+            const match = regex.exec(line);
+            if (match) {
+                const url = match[0];
+                // Special handling for localhost URLs
+                if (/localhost|127\.0\.0\.1/i.test(url)) {
+                    // Skip localhost as fallback/default values - this is standard practice
+                    // e.g., process.env.API_URL || 'http://localhost:3000'
+                    if (isLocalhostFallback(line)) {
+                        continue;
+                    }
+                    // Use environment context for smarter handling
+                    // Skip localhost in environments where it's expected (templates, tests, tooling)
+                    if (envContext.allowsLocalhostDefaults) {
+                        continue;
+                    }
+                    // Skip localhost in test files, dev-only contexts, test config files, or dev config files
+                    if (context.isTestFile || context.isDevOnly || inDevConfig || inTestConfig) {
+                        continue;
+                    }
+                    // Skip localhost in placeholder attributes (placeholder="https://localhost...")
+                    if ((0, environment_context_1.isInPlaceholderAttribute)(line)) {
+                        continue;
+                    }
+                    // Skip localhost when used as default parameter value
+                    if ((0, environment_context_1.isDefaultParameterValue)(line)) {
+                        continue;
+                    }
+                    // Skip localhost in locale/i18n files - these are example placeholders for users
+                    if (isLocaleFile(filePath)) {
+                        continue;
+                    }
+                    // Skip localhost in placeholder/example text (e.g., "e.g. http://localhost")
+                    if (isUrlPlaceholderText(line)) {
+                        continue;
+                    }
+                    // Use smart severity determination based on context
+                    const adjustedSeverity = (0, environment_context_1.getLocalhostSeverity)(filePath, line);
+                    // Skip info-level findings in non-production contexts
+                    if (adjustedSeverity === 'info' && !filePath.includes('.env.production')) {
+                        continue;
+                    }
+                    vulnerabilities.push({
+                        id: `url-${filePath}-${i + 1}-${name}`,
+                        filePath,
+                        lineNumber: i + 1,
+                        lineContent: line.trim(),
+                        severity: adjustedSeverity,
+                        category: 'sensitive_url',
+                        title: name,
+                        description: description + (adjustedSeverity === 'high' ? ' (in production config!)' : ' (in dev/config file)'),
+                        suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
+                        confidence: adjustedSeverity === 'high' ? 'high' : 'low',
+                        baseConfidence: BASE_CONFIDENCE_LOCALHOST,
+                        layer: 1,
+                        source: 'config',
+                    });
+                }
+                else {
+                    // Normal URL handling (non-localhost)
+                    // Lower severity for test files - downgrade more aggressively
+                    let adjustedSeverity = severity;
+                    let contextNote = '';
+                    if (inTestFile) {
+                        if (severity === 'critical')
+                            adjustedSeverity = 'high';
+                        else if (severity === 'high')
+                            adjustedSeverity = 'low';
+                        else
+                            adjustedSeverity = 'info';
+                        contextNote = ' (in test file)';
+                    }
+                    // Downgrade admin/sensitive endpoint findings inside authenticated route groups
+                    // These routes are already protected by layout/middleware auth
+                    if (inAuthRoute && (name === 'Admin Endpoint' || name === 'Admin API Endpoint')) {
+                        adjustedSeverity = 'info';
+                        contextNote = ' (inside authenticated route group)';
+                    }
+                    // Non-critical URL findings require AI validation
+                    const requiresAIValidation = severity !== 'critical';
+                    vulnerabilities.push({
+                        id: `url-${filePath}-${i + 1}-${name}`,
+                        filePath,
+                        lineNumber: i + 1,
+                        lineContent: line.trim(),
+                        severity: adjustedSeverity,
+                        category: 'sensitive_url',
+                        title: name,
+                        description: description + contextNote,
+                        suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
+                        confidence: inTestFile ? 'low' : 'medium',
+                        baseConfidence: BASE_CONFIDENCE_WEBHOOK,
+                        layer: 1,
+                        source: 'config',
+                        requiresAIValidation,
+                    });
+                }
+                break; // Only report one URL issue per line
+            }
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=urls.js.map

package/dist/detect/config/urls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"urls.js","sourceRoot":"","sources":["../../../src/detect/config/urls.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAqTH,gEA0CC;AAED,kDA8JC;AA3fD,iEAAqG;AACrG,0EAKyC;AACzC,iEAAuE;AAEvE,MAAM,uBAAuB,GAAG,IAAI,CAAA;AACpC,MAAM,yBAAyB,GAAG,IAAI,CAAA;AAEtC,gDAAgD;AAChD,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,WAAW,GAAG;QAClB,SAAS;QACT,YAAY;QACZ,eAAe;QACf,UAAU;QACV,QAAQ;QACR,SAAS;QACT,SAAS;QACT,UAAU;QACV,WAAW;QACX,oBAAoB;QACpB,WAAW;QACX,cAAc;QACd,iBAAiB;QACjB,gBAAgB;KACjB,CAAA;IACD,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChD,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,+BAA+B,CAAC,QAAgB;IACvD,MAAM,iBAAiB,GAAG;QACxB,4DAA4D;QAC5D,wBAAwB;QACxB,oBAAoB;QACpB,eAAe;QACf,gBAAgB;QAChB,oBAAoB;QACpB,kBAAkB;QAClB,iBAAiB;QACjB,eAAe;QACf,kBAAkB;QAClB,mBAAmB;QACnB,cAAc,EAAY,8CAA8C;QAExE,0CAA0C;QAC1C,uBAAuB;QACvB,mBAAmB;QACnB,cAAc;QACd,sBAAsB;QAEtB,yDAAyD;QACzD,gBAAgB;QAChB,YAAY;QACZ,cAAc;QACd,eAAe;QACf,cAAc;QACd,QAAQ,EAAkB,4BAA4B;QACtD,WAAW;QACX,cAAc,EAAY,0CAA0C;KACrE,CAAA;IAED,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED,uEAAuE;AACvE,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,iBAAiB,GAAG;QACxB,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;QACd,kBAAkB;QAClB,iBAAiB;QACjB,gBAAgB;QAChB,wBAAwB;QACxB,kBAAkB;QAClB,0BAA0B;QAC1B,oBAAoB;QACpB,mBAAmB;KACpB,CAAA;IACD,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED,0EAA0E;AAC1E,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,cAAc,GAAG;QACrB,eAAe,EAAY,wBAAwB;QACnD,WAAW,EAAgB,SAAS;QACpC,oBAAoB,EAAO,kCAAkC;QAC7D,WAAW,EAAgB,SAAS;QACpC,iBAAiB,EAAU,4BAA4B;QACvD,0BAA0B,EAAE,8BAA8B;KAC3D,CAAA;IACD,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACnD,CAAC;AAED,sDAAsD;AACtD,SAAS,oBAAoB,CAAC,IAAY;IACxC,MAAM,mBAAmB,GAAG;QAC1B,sBAAsB,EAAO,8BAA8B;QAC3D,kBAAkB,EAAW,0BAA0B;QACvD,SAAS,EAAoB,wBAAwB;QACrD,gBAAgB,EAAa,yBAAyB;QACtD,YAAY,EAAiB,2BAA2B;QACxD,cAAc,EAAe,wBAAwB;QACrD,WAAW,EAAgB,6BAA6B;QACxD,WAAW,EAAgB,kCAAkC;QAC7D,iBAAiB,EAAY,6BAA6B;QAC1D,gBAAgB,EAAa,8BAA8B;QAC3D,gBAAgB,EAAa,6BAA6B;KAC3D,CAAA;IACD,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;AACpD,CAAC;AAED,iDAAiD;AACjD,MAAM,YAAY,GAAG;IACnB,gDAAgD;IAChD;QACE,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,gEAAgE;KAC9E;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,qCAAqC;KACnD;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,KAAc;QACxB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,OAAO,EAAE,2CAA2C;QACpD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,mEAAmE;KACjF;IACD;QACE,OAAO,EAAE,2CAA2C;QACpD,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,KAAc;QACxB,WAAW,EAAE,sCAAsC;KACpD;IAED,iDAAiD;IACjD,8EAA8E;IAC9E,6EAA6E;IAC7E;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,oEAAoE;KAClF;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAe,EAAG,kDAAkD;QAC9E,WAAW,EAAE,mEAAmE;KACjF;IAED,mBAAmB;IACnB;QACE,OAAO,EAAE,oCAAoC;QAC7C,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,OAAO,EAAE,mCAAmC;QAC5C,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,UAAmB;QAC7B,WAAW,EAAE,uCAAuC;KACrD;IAED,qCAAqC;IACrC;QACE,OAAO,EAAE,yDAAyD;QAClE,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,oEAAoE;KAClF;IACD;QACE,OAAO,EAAE,yEAAyE;QAClF,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,sEAAsE;KACpF;IAED,yEAAyE;IACzE;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,KAAc,EAAG,yBAAyB;QACpD,WAAW,EAAE,4DAA4D;KAC1E;IACD;QACE,OAAO,EAAE,2BAA2B;QACpC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAe,EAAG,sBAAsB;QAClD,WAAW,EAAE,sDAAsD;KACpE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,WAAmB;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAA;IAClC,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,+BAA+B;AAC/B,SAAS,UAAU,CAAC,QAAgB;IAClC,OAAO,kCAAkC,CAAC,IAAI,CAAC,QAAQ,CAAC;QACjD,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC/B,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AACnC,CAAC;AAED,uDAAuD;AACvD,SAAS,iBAAiB,CAAC,WAAmB;IAC5C,OAAO,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC;QACnC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC;QAC1B,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAA;AAChD,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,mBAAmB,CAAC,WAAmB;IAC9C,MAAM,gBAAgB,GAAG;QACvB,0DAA0D;QAC1D,kDAAkD;QAClD,kEAAkE;QAClE,kDAAkD;QAClD,6CAA6C;QAC7C,qEAAqE;QACrE,mEAAmE;QACnE,gFAAgF;QAChF,oEAAoE;QACpE,0EAA0E;QAC1E,2BAA2B;QAC3B,2EAA2E;QAC3E,2EAA2E;KAC5E,CAAA;IACD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;AACxD,CAAC;AAED,wCAAwC;AACxC,SAAS,aAAa,CAAC,WAAmB,EAAE,QAAgB;IAM1D,OAAO;QACL,SAAS,EAAE,wDAAwD,CAAC,IAAI,CAAC,WAAW,CAAC;QACrF,YAAY,EAAE,2BAA2B,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QACtE,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC;QAChC,QAAQ,EAAE,iBAAiB,CAAC,WAAW,CAAC;KACzC,CAAA;AACH,CAAC;AAED,iDAAiD;AACjD,SAAgB,0BAA0B,CACxC,eAAgC;IAEhC,MAAM,eAAe,GAAG,IAAI,GAAG,EAI3B,CAAA;IAEJ,MAAM,MAAM,GAAoB,EAAE,CAAA;IAElC,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,6CAA6C;QAC7C,IAAI,IAAI,CAAC,QAAQ,KAAK,eAAe;YACjC,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAErD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAA;YACzB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9B,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;YACnE,CAAC;YACD,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAE,CAAA;YACvC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;YACjC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACnC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACnB,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,KAAK,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,eAAe,EAAE,CAAC;QAC/C,MAAM,UAAU,GAAkB;YAChC,GAAG,IAAI,CAAC,QAAQ;YAChB,KAAK,EAAE,uCAAuC,IAAI,CAAC,KAAK,CAAC,MAAM,aAAa;YAC5E,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,CAAC,MAAM,kCAAkC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gBAChG,6EAA6E;YAC/E,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACzB,QAAQ,EAAE,MAAM,EAAG,qBAAqB;SACzC,CAAA;QACD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IACzB,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAgB,mBAAmB,CACjC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,sEAAsE;IACtE,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,6CAA6C;IAC7C,MAAM,UAAU,GAAG,IAAA,2CAAqB,EAAC,QAAQ,CAAC,CAAA;IAElD,+BAA+B;IAC/B,MAAM,cAAc,GAAG,IAAA,2CAAyB,EAAC,QAAQ,CAAC,CAAA;IAE1D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;IACvC,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,YAAY,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC/C,MAAM,QAAQ,GAAG,IAAA,8BAAY,EAAC,QAAQ,CAAC,CAAA;IACvC,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,sBAAsB,CAAA;IAEtG,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,2DAA2D;QAC3D,IAAI,QAAQ,IAAI,IAAA,yCAAuB,EAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC;YAClD,SAAQ;QACV,CAAC;QAED,4BAA4B;QAC5B,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAE7C,gDAAgD;QAChD,IAAI,OAAO,CAAC,QAAQ;YAAE,SAAQ;QAE9B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,YAAY,EAAE,CAAC;YACpE,oBAAoB;YACpB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC9B,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;gBAEpB,sCAAsC;gBACtC,IAAI,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxC,wEAAwE;oBACxE,uDAAuD;oBACvD,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,SAAQ;oBACV,CAAC;oBAED,+CAA+C;oBAC/C,iFAAiF;oBACjF,IAAI,UAAU,CAAC,uBAAuB,EAAE,CAAC;wBACvC,SAAQ;oBACV,CAAC;oBAED,0FAA0F;oBAC1F,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,SAAS,IAAI,WAAW,IAAI,YAAY,EAAE,CAAC;wBAC3E,SAAQ;oBACV,CAAC;oBAED,gFAAgF;oBAChF,IAAI,IAAA,8CAAwB,EAAC,IAAI,CAAC,EAAE,CAAC;wBACnC,SAAQ;oBACV,CAAC;oBAED,sDAAsD;oBACtD,IAAI,IAAA,6CAAuB,EAAC,IAAI,CAAC,EAAE,CAAC;wBAClC,SAAQ;oBACV,CAAC;oBAED,iFAAiF;oBACjF,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC3B,SAAQ;oBACV,CAAC;oBAED,6EAA6E;oBAC7E,IAAI,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/B,SAAQ;oBACV,CAAC;oBAED,oDAAoD;oBACpD,MAAM,gBAAgB,GAAG,IAAA,0CAAoB,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;oBAE7D,sDAAsD;oBACtD,IAAI,gBAAgB,KAAK,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;wBACzE,SAAQ;oBACV,CAAC;oBAED,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE;wBACtC,QAAQ;wBACR,UAAU,EAAE,CAAC,GAAG,CAAC;wBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,gBAAgB;wBAC1B,QAAQ,EAAE,eAAe;wBACzB,KAAK,EAAE,IAAI;wBACX,WAAW,EAAE,WAAW,GAAG,CAAC,gBAAgB,KAAK,MAAM,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,uBAAuB,CAAC;wBAC/G,YAAY,EAAE,6FAA6F;wBAC3G,UAAU,EAAE,gBAAgB,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;wBACxD,cAAc,EAAE,yBAAyB;wBACzC,KAAK,EAAE,CAAC;wBACZ,MAAM,EAAE,QAAiB;qBACtB,CAAC,CAAA;gBACJ,CAAC;qBAAM,CAAC;oBACN,sCAAsC;oBACtC,8DAA8D;oBAC9D,IAAI,gBAAgB,GAAG,QAAQ,CAAA;oBAC/B,IAAI,WAAW,GAAG,EAAE,CAAA;oBAEpB,IAAI,UAAU,EAAE,CAAC;wBACf,IAAI,QAAQ,KAAK,UAAU;4BAAE,gBAAgB,GAAG,MAAM,CAAA;6BACjD,IAAI,QAAQ,KAAK,MAAM;4BAAE,gBAAgB,GAAG,KAAK,CAAA;;4BACjD,gBAAgB,GAAG,MAAM,CAAA;wBAC9B,WAAW,GAAG,iBAAiB,CAAA;oBACjC,CAAC;oBAED,gFAAgF;oBAChF,+DAA+D;oBAC/D,IAAI,WAAW,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,KAAK,oBAAoB,CAAC,EAAE,CAAC;wBAChF,gBAAgB,GAAG,MAAM,CAAA;wBACzB,WAAW,GAAG,qCAAqC,CAAA;oBACrD,CAAC;oBAED,kDAAkD;oBAClD,MAAM,oBAAoB,GAAG,QAAQ,KAAK,UAAU,CAAA;oBAEpD,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE;wBACtC,QAAQ;wBACR,UAAU,EAAE,CAAC,GAAG,CAAC;wBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,gBAAgB;wBAC1B,QAAQ,EAAE,eAAe;wBACzB,KAAK,EAAE,IAAI;wBACX,WAAW,EAAE,WAAW,GAAG,WAAW;wBACtC,YAAY,EAAE,6FAA6F;wBAC3G,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ;wBACzC,cAAc,EAAE,uBAAuB;wBACvC,KAAK,EAAE,CAAC;wBACZ,MAAM,EAAE,QAAiB;wBACrB,oBAAoB;qBACrB,CAAC,CAAA;gBACJ,CAAC;gBACD,MAAK,CAAC,qCAAqC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/index.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Detection Stage — Runs Layer 1 + Layer 2 detectors and handles localhost aggregation.
+ *
+ * Returns raw findings before noisy aggregation/enrichment (those are called
+ * by the orchestrator to keep stage boundaries clean).
+ */
+import type { ScanFile, Vulnerability, CancellationToken, DetectorContext, ProgressCallback } from '../shared/types';
+import type { MiddlewareAuthConfig } from '../model/middleware-detector';
+import type { FileAuthImports } from '../model/imported-auth-detector';
+import type { FilterPipeline } from '../postprocess/filtering/pipeline';
+export interface DetectorInput {
+    files: ScanFile[];
+    middlewareConfig?: MiddlewareAuthConfig;
+    fileAuthImports?: Map<string, FileAuthImports>;
+    detectorContext: DetectorContext;
+    onProgress?: ProgressCallback;
+    cancellationToken?: CancellationToken;
+    filterPipeline: FilterPipeline;
+    repoName: string;
+    quiet: boolean;
+}
+export interface DetectorOutput {
+    /** Combined Layer 1 + Layer 2 findings (after localhost aggregation) */
+    findings: Vulnerability[];
+    /** Phase timing */
+    phaseTiming: {
+        layer1?: number;
+        layer2?: number;
+    };
+}
+/**
+ * Run all detectors (Layer 1 + Layer 2) and return combined raw findings.
+ */
+export declare function runDetectors(input: DetectorInput): Promise<DetectorOutput>;
+export { runLayer1Scan, type Layer1Result } from './secrets';
+export { runLayer2Scan, type Layer2Result } from './structural';
+//# sourceMappingURL=index.d.ts.map

package/dist/detect/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/detect/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,QAAQ,EACR,aAAa,EACb,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EACjB,MAAM,iBAAiB,CAAA;AAIxB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAA;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAA;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAA;AAEvE,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,QAAQ,EAAE,CAAA;IACjB,gBAAgB,CAAC,EAAE,oBAAoB,CAAA;IACvC,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IAC9C,eAAe,EAAE,eAAe,CAAA;IAChC,UAAU,CAAC,EAAE,gBAAgB,CAAA;IAC7B,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;IACrC,cAAc,EAAE,cAAc,CAAA;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,OAAO,CAAA;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,wEAAwE;IACxE,QAAQ,EAAE,aAAa,EAAE,CAAA;IACzB,mBAAmB;IACnB,WAAW,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAClD;AAKD;;GAEG;AACH,wBAAsB,YAAY,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC,CAgFhF;AAGD,OAAO,EAAE,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,WAAW,CAAA;AAC5D,OAAO,EAAE,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,cAAc,CAAA"}

package/dist/detect/index.js

@@ -0,0 +1,77 @@
+"use strict";
+/**
+ * Detection Stage — Runs Layer 1 + Layer 2 detectors and handles localhost aggregation.
+ *
+ * Returns raw findings before noisy aggregation/enrichment (those are called
+ * by the orchestrator to keep stage boundaries clean).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runLayer2Scan = exports.runLayer1Scan = void 0;
+exports.runDetectors = runDetectors;
+const secrets_1 = require("./secrets");
+const structural_1 = require("./structural");
+const urls_1 = require("./config/urls");
+const fid = (v) => `${v.filePath}:${v.lineNumber}:${v.category}`;
+/**
+ * Run all detectors (Layer 1 + Layer 2) and return combined raw findings.
+ */
+async function runDetectors(input) {
+    const { files, middlewareConfig, fileAuthImports, detectorContext, onProgress, cancellationToken, filterPipeline, repoName, quiet, } = input;
+    const log = (message) => {
+        if (!quiet)
+            console.log(message);
+    };
+    const reportProgress = (status, message, vulnerabilitiesFound = 0) => {
+        if (onProgress) {
+            onProgress({
+                status,
+                message,
+                filesProcessed: files.length,
+                totalFiles: files.length,
+                vulnerabilitiesFound,
+            });
+        }
+    };
+    const phaseTiming = {};
+    // Layer 1: Surface Scan
+    const layer1Start = Date.now();
+    reportProgress('layer1', 'Running surface scan (patterns, entropy, config)...');
+    let layer1Result = await (0, secrets_1.runLayer1Scan)(files, onProgress, cancellationToken);
+    // Aggregate repeated localhost findings
+    const layer1RawCount = layer1Result.vulnerabilities.length;
+    const layer1BeforeAggregation = layer1Result.vulnerabilities;
+    layer1Result = {
+        ...layer1Result,
+        vulnerabilities: (0, urls_1.aggregateLocalhostFindings)(layer1Result.vulnerabilities)
+    };
+    if (filterPipeline.isEnabled) {
+        const afterIds = new Set(layer1Result.vulnerabilities.map(fid));
+        for (const v of layer1BeforeAggregation) {
+            if (!afterIds.has(fid(v))) {
+                filterPipeline.record(fid(v), { stage: 'localhost_aggregation', action: 'aggregated', reason: 'Aggregated repeated localhost finding' });
+            }
+        }
+    }
+    phaseTiming.layer1 = Date.now() - layer1Start;
+    log(`[Layer1] repo=${repoName} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length} duration=${phaseTiming.layer1}ms`);
+    // Layer 2: Structural Scan
+    const layer2Start = Date.now();
+    reportProgress('layer2', 'Running structural scan (variables, logic gates)...', layer1Result.vulnerabilities.length);
+    const layer2Result = await (0, structural_1.runLayer2Scan)(files, { middlewareConfig, fileAuthImports, detectorContext }, onProgress, cancellationToken);
+    // Format heuristic breakdown for logging
+    const heuristicBreakdown = Object.entries(layer2Result.stats.raw)
+        .filter(([, count]) => count > 0)
+        .map(([name, count]) => `${name}:${count}`)
+        .join(',');
+    phaseTiming.layer2 = Date.now() - layer2Start;
+    log(`[Layer2] repo=${repoName} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} duration=${phaseTiming.layer2}ms heuristic_breakdown={${heuristicBreakdown}}`);
+    // Combine Layer 1 and Layer 2 findings
+    const findings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities];
+    return { findings, phaseTiming };
+}
+// Re-export layer results for external consumers
+var secrets_2 = require("./secrets");
+Object.defineProperty(exports, "runLayer1Scan", { enumerable: true, get: function () { return secrets_2.runLayer1Scan; } });
+var structural_2 = require("./structural");
+Object.defineProperty(exports, "runLayer2Scan", { enumerable: true, get: function () { return structural_2.runLayer2Scan; } });
+//# sourceMappingURL=index.js.map

package/dist/detect/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/detect/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAyCH,oCAgFC;AAhHD,uCAA4D;AAC5D,6CAA+D;AAC/D,wCAA0D;AAwB1D,MAAM,GAAG,GAAG,CAAC,CAA8D,EAAE,EAAE,CAC7E,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAA;AAE/C;;GAEG;AACI,KAAK,UAAU,YAAY,CAAC,KAAoB;IACrD,MAAM,EACJ,KAAK,EACL,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,UAAU,EACV,iBAAiB,EACjB,cAAc,EACd,QAAQ,EACR,KAAK,GACN,GAAG,KAAK,CAAA;IAET,MAAM,GAAG,GAAG,CAAC,OAAe,EAAE,EAAE;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IAClC,CAAC,CAAA;IAED,MAAM,cAAc,GAAG,CACrB,MAA2B,EAC3B,OAAe,EACf,uBAA+B,CAAC,EAChC,EAAE;QACF,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC;gBACT,MAAM;gBACN,OAAO;gBACP,cAAc,EAAE,KAAK,CAAC,MAAM;gBAC5B,UAAU,EAAE,KAAK,CAAC,MAAM;gBACxB,oBAAoB;aACrB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC,CAAA;IAED,MAAM,WAAW,GAAyC,EAAE,CAAA;IAE5D,wBAAwB;IACxB,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAC9B,cAAc,CAAC,QAAQ,EAAE,qDAAqD,CAAC,CAAA;IAC/E,IAAI,YAAY,GAAG,MAAM,IAAA,uBAAa,EAAC,KAAK,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAA;IAE5E,wCAAwC;IACxC,MAAM,cAAc,GAAG,YAAY,CAAC,eAAe,CAAC,MAAM,CAAA;IAC1D,MAAM,uBAAuB,GAAG,YAAY,CAAC,eAAe,CAAA;IAC5D,YAAY,GAAG;QACb,GAAG,YAAY;QACf,eAAe,EAAE,IAAA,iCAA0B,EAAC,YAAY,CAAC,eAAe,CAAC;KAC1E,CAAA;IACD,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QAC/D,KAAK,MAAM,CAAC,IAAI,uBAAuB,EAAE,CAAC;YACxC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1B,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,uBAAuB,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC,CAAA;YAC1I,CAAC;QACH,CAAC;IACH,CAAC;IACD,WAAW,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAA;IAC7C,GAAG,CAAC,iBAAiB,QAAQ,iBAAiB,cAAc,qBAAqB,YAAY,CAAC,eAAe,CAAC,MAAM,aAAa,WAAW,CAAC,MAAM,IAAI,CAAC,CAAA;IAExJ,2BAA2B;IAC3B,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAC9B,cAAc,CAAC,QAAQ,EAAE,qDAAqD,EAAE,YAAY,CAAC,eAAe,CAAC,MAAM,CAAC,CAAA;IACpH,MAAM,YAAY,GAAG,MAAM,IAAA,0BAAa,EACtC,KAAK,EACL,EAAE,gBAAgB,EAAE,eAAe,EAAE,eAAe,EAAE,EACtD,UAAU,EACV,iBAAiB,CAClB,CAAA;IAED,yCAAyC;IACzC,MAAM,kBAAkB,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC;SAC9D,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,GAAG,CAAC,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC;SAC1C,IAAI,CAAC,GAAG,CAAC,CAAA;IACZ,WAAW,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAA;IAC7C,GAAG,CAAC,iBAAiB,QAAQ,iBAAiB,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,qBAAqB,YAAY,CAAC,eAAe,CAAC,MAAM,aAAa,WAAW,CAAC,MAAM,2BAA2B,kBAAkB,GAAG,CAAC,CAAA;IAEtP,uCAAuC;IACvC,MAAM,QAAQ,GAAG,CAAC,GAAG,YAAY,CAAC,eAAe,EAAE,GAAG,YAAY,CAAC,eAAe,CAAC,CAAA;IAEnF,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAA;AAClC,CAAC;AAED,iDAAiD;AACjD,qCAA4D;AAAnD,wGAAA,aAAa,OAAA;AACtB,2CAA+D;AAAtD,2GAAA,aAAa,OAAA"}

package/dist/detect/secrets/config-audit.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Layer 1: Configuration Auditing
+ * Scans configuration files for security misconfigurations
+ */
+import type { ConfigRule, Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+export declare const CONFIG_RULES: ConfigRule[];
+export declare function auditConfiguration(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=config-audit.d.ts.map

package/dist/detect/secrets/config-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-audit.d.ts","sourceRoot":"","sources":["../../../src/detect/secrets/config-audit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAmB,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACpF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAM1D,eAAO,MAAM,YAAY,EAAE,UAAU,EAgSpC,CAAA;AAkBD,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CA4BjB"}