@oculum/scanner 1.0.12 → 1.0.13

package/dist/index.js

@@ -1,7 +1,8 @@
 "use strict";
 /**
- * Scanner Orchestrator
- * Coordinates all three scanning layers and produces final results
+ * Scanner Public API
+ *
+ * Re-exports from stage modules. All prior exports preserved.
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
@@ -18,1036 +19,50 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getCategoryGroupCounts = exports.getAvailableCategoryGroups = exports.validateCategories = exports.parseCategoryList = exports.getMatchingCategories = exports.shouldFailOnCategories = exports.matchesAnyCategory = exports.expandCategoryPattern = exports.normalizeCategory = exports.ALL_CATEGORIES = exports.CATEGORY_GROUPS = exports.AI_CONTEXT_PATH = exports.AI_CONTEXT_FILE = exports.AIContextManager = exports.hasMetadata = exports.getAllCategories = exports.getRuleMetadata = exports.RULE_REGISTRY = exports.OCULUM_DIR = exports.BASELINE_FILE_PATH = exports.formatDiffSummary = exports.hasNewBlockingIssues = exports.computeDiff = exports.BaselineManager = exports.isValidHash = exports.generateSuppressionComment = exports.parseInlineSuppressions = exports.listSuppressions = exports.addRuleSuppression = exports.removeFindingSuppression = exports.addFindingSuppression = exports.loadSuppressionConfig = exports.computeFindingHash = exports.SuppressionManager = exports.createCancellationToken = exports.validateFindingsWithAI = exports.buildProjectContext = exports.runLayer3Scan = exports.runLayer2Scan = exports.runLayer1Scan = void 0;
-exports.runScan = runScan;
-exports.computeIssueMixFromVulnerabilities = computeIssueMixFromVulnerabilities;
-const types_1 = require("./types");
-const types_2 = require("./types");
-const layer1_1 = require("./layer1");
-const layer2_1 = require("./layer2");
-const layer3_1 = require("./layer3");
-const anthropic_1 = require("./layer3/anthropic");
-const urls_1 = require("./layer1/urls");
-const middleware_detector_1 = require("./utils/middleware-detector");
-const auth_helper_detector_1 = require("./utils/auth-helper-detector");
-const imported_auth_detector_1 = require("./utils/imported-auth-detector");
-// Tier system imports for filtering by scan depth
-const tiers_1 = require("./tiers");
-// Suppression system
-const suppression_1 = require("./suppression");
-// Rule metadata for actionable output (PRO-82)
-const rules_1 = require("./rules");
-// Framework-aware fix suggestions (PRO-83)
-const framework_fixes_1 = require("./rules/framework-fixes");
-// Project context for framework detection
-const project_context_builder_1 = require("./utils/project-context-builder");
-// File context helpers
-const context_helpers_1 = require("./utils/context-helpers");
-// Shared ranking utilities
-const parsed_file_1 = require("./utils/parsed-file");
-// Centralized context-based filtering
-const context_adjustments_1 = require("./filtering/context-adjustments");
-const pipeline_1 = require("./filtering/pipeline");
-// Maximum candidates per file to send to AI validation (cost control)
-const MAX_VALIDATION_CANDIDATES_PER_FILE = 10;
+exports.getCategoryGroupCounts = exports.getAvailableCategoryGroups = exports.validateCategories = exports.parseCategoryList = exports.getMatchingCategories = exports.shouldFailOnCategories = exports.matchesAnyCategory = exports.expandCategoryPattern = exports.normalizeCategory = exports.ALL_CATEGORIES = exports.CATEGORY_GROUPS = exports.AI_CONTEXT_PATH = exports.AI_CONTEXT_FILE = exports.AIContextManager = exports.hasMetadata = exports.getAllCategories = exports.getRuleMetadata = exports.RULE_REGISTRY = exports.OCULUM_DIR = exports.BASELINE_FILE_PATH = exports.formatDiffSummary = exports.hasNewBlockingIssues = exports.computeDiff = exports.BaselineManager = exports.isValidHash = exports.generateSuppressionComment = exports.parseInlineSuppressions = exports.listSuppressions = exports.addRuleSuppression = exports.removeFindingSuppression = exports.addFindingSuppression = exports.loadSuppressionConfig = exports.computeFindingHash = exports.SuppressionManager = exports.DEPTH_CONFIGS = exports.buildConfidenceLog = exports.buildAdjustmentContext = exports.scoreFindings = exports.createCancellationToken = exports.validateFindingsWithAI = exports.buildProjectContext = exports.runLayer2Scan = exports.runLayer1Scan = exports.computeIssueMixFromVulnerabilities = exports.runScan = void 0;
 // ============================================================================
-// Detector Context Builder (Phase 2b)
+// Core Scanner API
+// ============================================================================
+// Pipeline orchestrator — main entry point
+var pipeline_1 = require("./pipeline");
+Object.defineProperty(exports, "runScan", { enumerable: true, get: function () { return pipeline_1.runScan; } });
+// Summary utilities (public API for backfilling legacy scans etc.)
+var summary_1 = require("./report/summary");
+Object.defineProperty(exports, "computeIssueMixFromVulnerabilities", { enumerable: true, get: function () { return summary_1.computeIssueMixFromVulnerabilities; } });
 // ============================================================================
-/**
- * Build a DetectorContext from ProjectContext
- * This provides rich context to Layer 2 detectors for smarter decisions
- */
-function buildDetectorContext(projectContext, middlewareConfig) {
-    // Map ProjectContext to DetectorContext format
-    const context = (0, types_1.createEmptyDetectorContext)();
-    // Auth context
-    if (middlewareConfig?.hasAuthMiddleware) {
-        context.auth.middleware = {
-            hasAuthMiddleware: true,
-            authType: middlewareConfig.authType ?? null,
-            protectedPaths: middlewareConfig.protectedPaths,
-            publicPaths: middlewareConfig.publicPaths,
-        };
-    }
-    // Auth helpers from project context
-    if (projectContext.auth.throwingAuthHelpers.length > 0) {
-        context.auth.authHelpers = {
-            hasThrowingHelpers: true,
-            throwingHelperNames: projectContext.auth.throwingAuthHelpers.map(h => h.name),
-        };
-    }
-    // Public endpoints
-    context.auth.publicEndpoints = projectContext.auth.publicPaths;
-    // Framework context
-    context.framework = {
-        primary: projectContext.frameworks.primary ?? null,
-        frontend: projectContext.frameworks.frontend ?? null,
-        hasTypeScript: projectContext.frameworks.usesTypeScript,
-    };
-    // Data access context
-    context.dataAccess = {
-        orm: mapOrmToDataAccessOrm(projectContext.dataAccess.orm),
-        hasRLS: projectContext.dataAccess.hasRLS,
-        validationLib: mapValidationLib(projectContext.dataAccess.validationLibrary),
-    };
-    // Note: File context is populated per-file in buildFileDetectorContext
-    return context;
-}
-/**
- * Build file-specific context for a single file
- * This is merged with the project-level DetectorContext
- */
-function buildFileDetectorContext(baseContext, filePath) {
-    // Clone the base context and add file-specific info
-    return {
-        ...baseContext,
-        file: {
-            isServerOnly: (0, context_helpers_1.isServerOnlyFile)(filePath),
-            isClientBundled: (0, context_helpers_1.isClientBundledFile)(filePath),
-            isTestFile: (0, context_helpers_1.isTestOrMockFile)(filePath),
-            isConfigFile: isConfigFile(filePath),
-            isToolingDir: (0, context_helpers_1.isToolingDirectory)(filePath),
-        },
-    };
-}
-/**
- * Check if file is a configuration file
- */
-function isConfigFile(filePath) {
-    const configPatterns = [
-        /config\.(ts|js|json|yaml|yml)$/i,
-        /settings\.(ts|js|json)$/i,
-        /constants\.(ts|js)$/i,
-        /\.config\.(ts|js|mjs|cjs)$/i,
-        /\.env/i,
-        /tsconfig\.json$/i,
-        /package\.json$/i,
-        /jest\.config/i,
-        /vitest\.config/i,
-        /eslint/i,
-        /prettier/i,
-    ];
-    return configPatterns.some(p => p.test(filePath));
-}
-/**
- * Map ProjectContext ORM to DetectorContext ORM
- */
-function mapOrmToDataAccessOrm(orm) {
-    if (!orm)
-        return null;
-    switch (orm) {
-        case 'prisma':
-        case 'drizzle':
-        case 'typeorm':
-        case 'sequelize':
-        case 'knex':
-            return orm;
-        default:
-            return null;
-    }
-}
-/**
- * Map validation library to DetectorContext format
- */
-function mapValidationLib(lib) {
-    if (!lib)
-        return null;
-    switch (lib) {
-        case 'zod':
-        case 'yup':
-        case 'joi':
-        case 'valibot':
-            return lib;
-        default:
-            return null;
-    }
-}
-/**
- * Classify vulnerabilities by their detector tier
- */
-function classifyByTier(vulnerabilities) {
-    const result = {
-        core: [],
-        ai_assisted: [],
-        experimental: [],
-    };
-    for (const vuln of vulnerabilities) {
-        const tier = (0, tiers_1.getTierForCategory)(vuln.category, vuln.layer);
-        result[tier].push(vuln);
-    }
-    return result;
-}
-/**
- * Filter vulnerabilities based on scan depth and tier
- *
- * - cheap: Only Tier A (core) findings are surfaced
- * - validated: Tier A visible, Tier B goes through AI validation
- * - deep: Same as validated, plus Layer 3 semantic analysis
- *
- * Tier C (experimental) is NEVER surfaced to users, regardless of depth.
- */
-function filterByTierAndDepth(vulnerabilities, depth) {
-    const classified = classifyByTier(vulnerabilities);
-    const tierStats = (0, tiers_1.computeTierStats)(vulnerabilities.map(v => ({ category: v.category, layer: v.layer })));
-    switch (depth) {
-        case 'local':
-            // Only Tier A is visible, no AI validation
-            return {
-                toSurface: classified.core,
-                toValidate: [],
-                hidden: [...classified.ai_assisted, ...classified.experimental],
-                tierStats,
-            };
-        case 'verified':
-        case 'deep':
-            // Tier A always surfaces, Tier B goes to AI validation
-            // For findings that already require AI validation, only include Tier A/B
-            const coreRequiringValidation = classified.core.filter(v => v.requiresAIValidation ||
-                v.category === 'high_entropy_string' ||
-                v.category === 'hardcoded_secret' ||
-                (v.category === 'sensitive_url' && v.severity !== 'info'));
-            const coreNotRequiringValidation = classified.core.filter(v => !coreRequiringValidation.includes(v));
-            return {
-                toSurface: coreNotRequiringValidation,
-                toValidate: [...coreRequiringValidation, ...classified.ai_assisted],
-                hidden: classified.experimental,
-                tierStats,
-            };
-        default:
-            // Fallback to local behavior for unknown depths
-            console.warn(`[Scanner] Unknown scan depth "${depth}", falling back to "local"`);
-            return {
-                toSurface: classified.core,
-                toValidate: [],
-                hidden: [...classified.ai_assisted, ...classified.experimental],
-                tierStats,
-            };
-    }
-}
-/**
- * Resolve scan mode configuration from options
- *
- * Handles both scan mode (full/incremental) and depth (local/verified/deep).
- * Depth controls AI usage:
- * - local: skip AI validation + skip Layer 3
- * - verified: run AI validation, skip Layer 3
- * - deep: run AI validation + Layer 3
- */
-function resolveScanModeConfig(options) {
-    const scanModeOption = options.scanMode;
-    // Determine base mode
-    const mode = !scanModeOption ? 'full'
-        : typeof scanModeOption === 'string' ? scanModeOption
-            : scanModeOption.mode;
-    const defaults = types_2.SCAN_MODE_DEFAULTS[mode];
-    // Build config from defaults + explicit overrides
-    let config = {
-        ...defaults,
-        mode,
-        ...(typeof scanModeOption === 'object' ? scanModeOption : {}),
-    };
-    // Apply depth mode (default: 'local')
-    const depth = options.scanDepth ?? 'local';
-    config.scanDepth = depth;
-    // Map depth to skipAIValidation/skipLayer3 unless explicitly overridden
-    const hasExplicitSkipAI = typeof scanModeOption === 'object' && scanModeOption.skipAIValidation !== undefined;
-    const hasExplicitSkipL3 = typeof scanModeOption === 'object' && scanModeOption.skipLayer3 !== undefined;
-    if (!hasExplicitSkipAI) {
-        config.skipAIValidation = depth === 'local';
-    }
-    if (!hasExplicitSkipL3) {
-        config.skipLayer3 = depth !== 'deep';
-    }
-    return config;
-}
-/**
- * Run a complete security scan on the provided files
- *
- * Supports two scan modes:
- * - full: Complete scan with AI validation on all files (initial onboarding, deep audits)
- * - incremental: Focused scan on changed files only (CI/CD, fast feedback)
- */
-async function runScan(files, repoInfo, options = {}, onProgress) {
-    const startTime = Date.now();
-    const allVulnerabilities = [];
-    // Filter audit pipeline (zero overhead when disabled)
-    const filterPipeline = new pipeline_1.FilterPipeline(options.includeFilterAudit ?? false);
-    const fid = (v) => `${v.filePath}:${v.lineNumber}:${v.category}`;
-    // Resolve scan mode configuration
-    const scanModeConfig = resolveScanModeConfig(options);
-    const isIncremental = scanModeConfig.mode === 'incremental';
-    const depth = scanModeConfig.scanDepth || 'local';
-    const quiet = options.quiet ?? false;
-    const cancellationToken = options.cancellationToken;
-    // Conditional logging helper - suppresses output in quiet mode (interactive CLI)
-    const log = (message) => {
-        if (!quiet) {
-            console.log(message);
-        }
-    };
-    // Helper to check cancellation and throw if cancelled
-    const checkCancelled = () => {
-        if (cancellationToken?.cancelled) {
-            throw new Error(`Scan cancelled: ${cancellationToken.reason || 'user requested'}`);
-        }
-    };
-    log(`[Scanner] repo=${repoInfo.name} mode=${scanModeConfig.mode} depth=${depth} files=${files.length}`);
-    if (isIncremental && scanModeConfig.changedFiles) {
-        log(`[Scanner] repo=${repoInfo.name} incremental_files=${scanModeConfig.changedFiles.length}`);
-    }
-    // Filter out locale/i18n files - they contain translations, not code
-    // This dramatically reduces false positives and AI validation costs
-    const localeFileCount = files.filter(f => (0, context_helpers_1.isLocaleFile)(f.path)).length;
-    if (localeFileCount > 0) {
-        files = files.filter(f => !(0, context_helpers_1.isLocaleFile)(f.path));
-        log(`[Scanner] repo=${repoInfo.name} skipped_locale_files=${localeFileCount} remaining_files=${files.length}`);
-    }
-    // Report progress helper
-    const reportProgress = (status, message, vulnerabilitiesFound = allVulnerabilities.length) => {
-        if (onProgress) {
-            onProgress({
-                status,
-                message,
-                filesProcessed: files.length,
-                totalFiles: files.length,
-                vulnerabilitiesFound,
-            });
-        }
-    };
-    // For incremental scans, filter to only changed files for AI-heavy operations
-    // but still run static analysis on all files for context
-    const filesForAI = isIncremental && scanModeConfig.changedFiles
-        ? files.filter(f => scanModeConfig.changedFiles.some(cf => f.path.endsWith(cf) || f.path.includes(cf)))
-        : files;
-    // Declare variables that need to be accessible in catch block
-    let middlewareConfig;
-    let capturedValidationStats;
-    try {
-        checkCancelled();
-        // Detect global auth middleware before scanning (always on all files for context)
-        middlewareConfig = (0, middleware_detector_1.detectGlobalAuthMiddleware)(files);
-        if (middlewareConfig.hasAuthMiddleware) {
-            log(`[Scanner] repo=${repoInfo.name} auth_middleware=${middlewareConfig.authType || 'unknown'} file=${middlewareConfig.middlewareFile}`);
-        }
-        // Build imported auth registry for cross-file middleware detection
-        const fileAuthImports = (0, imported_auth_detector_1.buildFileAuthImports)(files);
-        const filesWithImportedAuth = Array.from(fileAuthImports.values()).filter(f => f.usesImportedAuth).length;
-        if (filesWithImportedAuth > 0) {
-            log(`[Scanner] repo=${repoInfo.name} files_with_imported_auth=${filesWithImportedAuth}`);
-        }
-        checkCancelled();
-        // Phase timing tracking
-        const phaseTiming = {};
-        // Layer 1: Surface Scan
-        const layer1Start = Date.now();
-        reportProgress('layer1', 'Running surface scan (patterns, entropy, config)...');
-        let layer1Result = await (0, layer1_1.runLayer1Scan)(files, onProgress, cancellationToken);
-        // Aggregate repeated localhost findings
-        const layer1RawCount = layer1Result.vulnerabilities.length;
-        const layer1BeforeAggregation = layer1Result.vulnerabilities;
-        layer1Result = {
-            ...layer1Result,
-            vulnerabilities: (0, urls_1.aggregateLocalhostFindings)(layer1Result.vulnerabilities)
-        };
-        if (filterPipeline.isEnabled) {
-            const afterIds = new Set(layer1Result.vulnerabilities.map(fid));
-            for (const v of layer1BeforeAggregation) {
-                if (!afterIds.has(fid(v))) {
-                    filterPipeline.record(fid(v), { stage: 'localhost_aggregation', action: 'aggregated', reason: 'Aggregated repeated localhost finding' });
-                }
-            }
-        }
-        phaseTiming.layer1 = Date.now() - layer1Start;
-        log(`[Layer1] repo=${repoInfo.name} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length} duration=${phaseTiming.layer1}ms`);
-        checkCancelled();
-        // Build project context early - used by Layer 2 DetectorContext and framework-aware fixes
-        // This detects frameworks (Next.js, Express), ORMs (Prisma, Drizzle), and frontend libs (React, Vue)
-        const projectContext = (0, project_context_builder_1.buildProjectContext)(files);
-        // Build DetectorContext for context-aware Layer 2 detection (Phase 2b)
-        const detectorContext = buildDetectorContext(projectContext, middlewareConfig);
-        // Layer 2: Structural Scan
-        const layer2Start = Date.now();
-        reportProgress('layer2', 'Running structural scan (variables, logic gates)...', layer1Result.vulnerabilities.length);
-        const layer2Result = await (0, layer2_1.runLayer2Scan)(files, { middlewareConfig, fileAuthImports, detectorContext }, onProgress, cancellationToken);
-        // Format heuristic breakdown for logging
-        const heuristicBreakdown = Object.entries(layer2Result.stats.raw)
-            .filter(([, count]) => count > 0)
-            .map(([name, count]) => `${name}:${count}`)
-            .join(',');
-        phaseTiming.layer2 = Date.now() - layer2Start;
-        log(`[Layer2] repo=${repoInfo.name} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} duration=${phaseTiming.layer2}ms heuristic_breakdown={${heuristicBreakdown}}`);
-        // Combine Layer 1 and Layer 2 findings
-        const layer12Findings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities];
-        // Aggregate noisy findings BEFORE tier filtering to reduce noise
-        const beforeAggregationCount = layer12Findings.length;
-        const aggregatedFindings = aggregateNoisyFindings(layer12Findings);
-        const aggregatedCount = beforeAggregationCount - aggregatedFindings.length;
-        if (filterPipeline.isEnabled) {
-            const afterIds = new Set(aggregatedFindings.map(fid));
-            for (const v of layer12Findings) {
-                if (!afterIds.has(fid(v))) {
-                    filterPipeline.record(fid(v), { stage: 'noisy_aggregation', action: 'aggregated', reason: 'Aggregated noisy finding (3+ similar per file)' });
-                }
-            }
-        }
-        // Enrich findings with metadata from rule registry (PRO-82)
-        // PRO-83: Uses projectContext for framework-specific fix suggestions
-        // This provides default impact, evidence, fixSteps, references for all findings
-        // AI validation can override these later with context-aware content
-        const enrichedFindings = enrichWithMetadata(aggregatedFindings, projectContext);
-        // Apply tier-based filtering based on scan depth
-        // This is the key integration point for the detector tier system
-        const tierFiltered = filterByTierAndDepth(enrichedFindings, depth);
-        if (filterPipeline.isEnabled) {
-            for (const v of tierFiltered.hidden) {
-                filterPipeline.record(fid(v), { stage: 'tier_filter', action: 'dismissed', reason: `Hidden by tier filter at depth=${depth}` });
-            }
-        }
-        // Log tier breakdown
-        log(`[Scanner] repo=${repoInfo.name} tier_breakdown=${(0, tiers_1.formatTierStats)(tierFiltered.tierStats)}`);
-        log(`[Scanner] repo=${repoInfo.name} depth=${depth} tier_routing: surface=${tierFiltered.toSurface.length} validate=${tierFiltered.toValidate.length} hidden=${tierFiltered.hidden.length}`);
-        // For cheap scans: Tier A surfaces directly, Tier B/C are hidden
-        // For validated/deep: Tier A surfaces, Tier B goes through AI validation, Tier C hidden
-        // Some Tier A findings still need AI validation (entropy, secrets, AI-specific)
-        const additionalValidation = tierFiltered.toSurface.filter(v => v.requiresAIValidation ||
-            v.category === 'ai_prompt_injection' || // Story B1: Prompt hygiene
-            v.category === 'ai_unsafe_execution' || // Story B2: LLM output execution
-            v.category === 'ai_overpermissive_tool' // Story B4: Agent tool permissions
-        );
-        // Surface findings that don't need validation (excluding those that do)
-        const noValidationNeededRaw = tierFiltered.toSurface.filter(v => !additionalValidation.includes(v));
-        // Apply auto-dismiss rules to direct-surface findings (mode='surface')
-        // Uses 'surface' mode to exclude cost-saving rules like 'info_severity_core_only'
-        // This ensures test/scanner/example files are dismissed, but info-severity findings still surface
-        const { toValidate: noValidationNeeded, dismissed: surfaceDismissed } = (0, anthropic_1.applyAutoDismissRules)(noValidationNeededRaw, 'surface');
-        // Combine tier-filtered validation candidates with additional ones
-        const requiresValidation = [...tierFiltered.toValidate, ...additionalValidation];
-        // Apply smart auto-dismiss rules BEFORE AI validation (saves API costs)
-        const { toValidate: afterAutoDismiss, dismissed: autoDismissed } = (0, anthropic_1.applyAutoDismissRules)(requiresValidation);
-        // Record auto-dismiss decisions
-        if (filterPipeline.isEnabled) {
-            for (const d of surfaceDismissed) {
-                filterPipeline.record(fid(d.finding), { stage: 'auto_dismiss', action: 'dismissed', reason: d.reason, ruleName: d.rule });
-            }
-            for (const d of autoDismissed) {
-                filterPipeline.record(fid(d.finding), { stage: 'auto_dismiss', action: 'dismissed', reason: d.reason, ruleName: d.rule });
-            }
-        }
-        // Combine all dismissed findings for logging
-        const allDismissed = [...surfaceDismissed, ...autoDismissed];
-        // Track auto-dismiss by severity and category for logging
-        const autoDismissBySeverity = { info: 0, low: 0, medium: 0, high: 0, critical: 0 };
-        const autoDismissByCategory = {};
-        for (const d of allDismissed) {
-            autoDismissBySeverity[d.finding.severity] = (autoDismissBySeverity[d.finding.severity] || 0) + 1;
-            autoDismissByCategory[d.finding.category] = (autoDismissByCategory[d.finding.category] || 0) + 1;
-        }
-        if (allDismissed.length > 0) {
-            const categoryBreakdown = Object.entries(autoDismissByCategory)
-                .sort(([, a], [, b]) => b - a)
-                .map(([cat, count]) => `${cat}:${count}`)
-                .join(',');
-            log(`[AutoDismiss] repo=${repoInfo.name} total=${allDismissed.length} (surface=${surfaceDismissed.length} validation=${autoDismissed.length}) by_severity={info:${autoDismissBySeverity.info},low:${autoDismissBySeverity.low},medium:${autoDismissBySeverity.medium},high:${autoDismissBySeverity.high}} by_category={${categoryBreakdown}}`);
-        }
-        // Apply per-file cap to validation candidates (cost control)
-        // Use scan mode config for max files
-        const maxValidationFiles = scanModeConfig.maxAIValidationFiles || MAX_VALIDATION_CANDIDATES_PER_FILE;
-        const cappedValidation = capValidationCandidatesPerFile(afterAutoDismiss, maxValidationFiles);
-        checkCancelled();
-        // AI Validation of selected findings (if AI is enabled and not skipped by scan mode)
-        let validatedFindings = cappedValidation;
-        let capturedValidationStats = undefined;
-        const shouldValidate = options.enableAI !== false && !scanModeConfig.skipAIValidation && cappedValidation.length > 0;
-        if (shouldValidate) {
-            checkCancelled();
-            const aiValidationStart = Date.now();
-            reportProgress('validating', 'AI validating findings (entropy, secrets, AI patterns)...', cappedValidation.length);
-            // For incremental scans, only validate findings in changed files
-            const findingsToValidate = isIncremental && scanModeConfig.changedFiles
-                ? cappedValidation.filter(v => scanModeConfig.changedFiles.some(cf => v.filePath.endsWith(cf) || v.filePath.includes(cf)))
-                : cappedValidation;
-            if (findingsToValidate.length > 0) {
-                const validationResult = await (0, anthropic_1.validateFindingsWithAI)(findingsToValidate, filesForAI, undefined, // projectContext (uses default)
-                onProgress ? (progress) => {
-                    // Convert AI validation progress to ScanProgress format
-                    onProgress({
-                        status: 'validating',
-                        message: progress.status,
-                        filesProcessed: progress.filesProcessed,
-                        totalFiles: progress.totalFiles,
-                        vulnerabilitiesFound: allVulnerabilities.length,
-                    });
-                } : undefined);
-                validatedFindings = validationResult.vulnerabilities;
-                const { stats: validationStats } = validationResult;
-                capturedValidationStats = validationStats; // Capture for return
-                phaseTiming.aiValidation = Date.now() - aiValidationStart;
-                if (filterPipeline.isEnabled) {
-                    const validatedIds = new Set(validatedFindings.map(fid));
-                    for (const v of findingsToValidate) {
-                        if (!validatedIds.has(fid(v))) {
-                            filterPipeline.record(fid(v), { stage: 'ai_validation', action: 'dismissed', reason: 'Dismissed by AI validation' });
-                        }
-                    }
-                    for (const v of validatedFindings) {
-                        if (v.validationNotes?.toLowerCase().includes('downgrad')) {
-                            filterPipeline.record(fid(v), { stage: 'ai_validation', action: 'downgraded', reason: v.validationNotes || 'Downgraded by AI validation', originalSeverity: undefined, newSeverity: v.severity });
-                        }
-                    }
-                }
-                log(`[AI Validation] repo=${repoInfo.name} depth=${depth} duration=${phaseTiming.aiValidation}ms candidates=${findingsToValidate.length} capped_from=${requiresValidation.length} auto_dismissed=${autoDismissed.length} kept=${validationStats.confirmedFindings} rejected=${validationStats.dismissedFindings} downgraded=${validationStats.downgradedFindings}`);
-                log(`[AI Validation] cost_estimate: input_tokens=${validationStats.estimatedInputTokens} output_tokens=${validationStats.estimatedOutputTokens} cost=$${validationStats.estimatedCost.toFixed(4)} api_calls=${validationStats.apiCalls}`);
-                // Add back findings that weren't validated (not in changed files)
-                // Mark them as skipped rather than failed validation
-                const notValidated = cappedValidation.filter(v => !findingsToValidate.includes(v)).map(v => ({
-                    ...v,
-                    validatedByAI: false,
-                    validationStatus: 'not_validated',
-                    validationNotes: 'Skipped validation (not in changed files for incremental scan)',
-                }));
-                validatedFindings.push(...notValidated);
-            }
-        }
-        else if (scanModeConfig.skipAIValidation) {
-            log(`[AI Validation] repo=${repoInfo.name} depth=${depth} skipped=true reason=scan_mode_config findings_requiring_validation=${cappedValidation.length}`);
-            // In cheap mode, don't surface findings that require AI validation
-            // These are low-confidence without validation and would be noise
-            // Only surface high-confidence findings that don't need validation
-            validatedFindings = [];
-        }
-        // Combine validated and non-validated findings
-        allVulnerabilities.push(...validatedFindings, ...noValidationNeeded);
-        // Layer 3: AI Semantic Analysis (new findings)
-        // Skip for incremental scans by default (configurable)
-        const shouldRunLayer3 = options.enableAI !== false && !scanModeConfig.skipLayer3;
-        if (shouldRunLayer3) {
-            checkCancelled();
-            const layer3Start = Date.now();
-            reportProgress('layer3', 'Running AI semantic analysis...', allVulnerabilities.length);
-            // For incremental scans, only analyze changed files
-            const filesToAnalyze = isIncremental ? filesForAI : files;
-            const maxLayer3Files = scanModeConfig.maxLayer3Files || 10;
-            // Detect auth helpers for Layer 3 context
-            const authHelperContext = (0, auth_helper_detector_1.detectAuthHelpers)(files);
-            const layer3Result = await (0, layer3_1.runLayer3Scan)(filesToAnalyze, {
-                enableAI: options.enableAI,
-                maxFiles: maxLayer3Files,
-                projectContext: {
-                    middlewareConfig: middlewareConfig.hasAuthMiddleware ? {
-                        hasAuthMiddleware: true,
-                        authType: middlewareConfig.authType,
-                        protectedPaths: middlewareConfig.protectedPaths,
-                    } : undefined,
-                    authHelpers: authHelperContext.hasThrowingHelpers ? {
-                        hasThrowingHelpers: true,
-                        summary: authHelperContext.summary,
-                    } : undefined,
-                },
-                cancellationToken,
-            });
-            phaseTiming.layer3 = Date.now() - layer3Start;
-            allVulnerabilities.push(...layer3Result.vulnerabilities);
-            log(`[Layer3] repo=${repoInfo.name} depth=${depth} duration=${phaseTiming.layer3}ms files_analyzed=${layer3Result.aiAnalyzed} findings=${layer3Result.vulnerabilities.length}`);
-        }
-        else if (scanModeConfig.skipLayer3) {
-            log(`[Layer3] repo=${repoInfo.name} depth=${depth} skipped=true reason=scan_mode_config`);
-        }
-        // Log phase timing summary
-        const phaseTimingStr = Object.entries(phaseTiming)
-            .filter(([, ms]) => ms !== undefined)
-            .map(([phase, ms]) => `${phase}=${ms}ms`)
-            .join(' ');
-        if (phaseTimingStr) {
-            log(`[Scanner] repo=${repoInfo.name} phase_timing: ${phaseTimingStr}`);
-        }
-        // Deduplicate vulnerabilities
-        const uniqueVulnerabilities = deduplicateVulnerabilities(allVulnerabilities);
-        if (filterPipeline.isEnabled) {
-            const uniqueIds = new Set(uniqueVulnerabilities.map(fid));
-            for (const v of allVulnerabilities) {
-                if (!uniqueIds.has(fid(v))) {
-                    filterPipeline.record(fid(v), { stage: 'deduplication', action: 'deduplicated', reason: 'Duplicate finding removed' });
-                }
-            }
-        }
-        // Apply file context-based severity adjustments (Phase 2b)
-        // This applies to ALL findings from ALL layers (no FileContext = path-based adjustments only)
-        const contextAdjustedVulnerabilities = (0, context_adjustments_1.applyContextAdjustments)(uniqueVulnerabilities);
-        if (filterPipeline.isEnabled) {
-            for (let i = 0; i < uniqueVulnerabilities.length; i++) {
-                const before = uniqueVulnerabilities[i];
-                const after = contextAdjustedVulnerabilities[i];
-                if (before.severity !== after.severity) {
-                    filterPipeline.record(fid(after), { stage: 'global_context', action: 'downgraded', reason: after.validationNotes || 'Context-based severity downgrade', originalSeverity: before.severity, newSeverity: after.severity });
-                }
-            }
-        }
-        // Resolve contradictions (e.g., middleware-protected INFO vs missing-auth CRITICAL on same route)
-        const resolvedVulnerabilities = resolveContradictions(contextAdjustedVulnerabilities, middlewareConfig);
-        if (filterPipeline.isEnabled) {
-            const resolvedIds = new Set(resolvedVulnerabilities.map(fid));
-            for (const v of contextAdjustedVulnerabilities) {
-                if (!resolvedIds.has(fid(v))) {
-                    filterPipeline.record(fid(v), { stage: 'contradiction_resolution', action: 'dismissed', reason: 'Removed by contradiction resolution' });
-                }
-            }
-            for (let i = 0; i < contextAdjustedVulnerabilities.length; i++) {
-                const before = contextAdjustedVulnerabilities[i];
-                const after = resolvedVulnerabilities.find(v => fid(v) === fid(before));
-                if (after && before.severity !== after.severity) {
-                    filterPipeline.record(fid(after), { stage: 'contradiction_resolution', action: 'downgraded', reason: 'Downgraded by contradiction resolution', originalSeverity: before.severity, newSeverity: after.severity });
-                }
-            }
-        }
-        // Apply suppressions (inline comments + config file)
-        const projectPath = options.projectPath || process.cwd();
-        const suppressionManager = new suppression_1.SuppressionManager({ projectPath });
-        const suppressionResult = suppressionManager.applySuppressions(resolvedVulnerabilities, files);
-        if (filterPipeline.isEnabled) {
-            for (const s of suppressionResult.suppressed) {
-                filterPipeline.record(fid(s.vulnerability), { stage: 'user_suppression', action: 'suppressed', reason: s.suppression.reason || `Suppressed by ${s.suppression.type}` });
-            }
-        }
-        // Log suppression stats if any were suppressed
-        if (suppressionResult.suppressed.length > 0 || suppressionResult.expiredSuppressions > 0) {
-            log(`[Suppression] repo=${repoInfo.name} suppressed=${suppressionResult.suppressed.length} (inline=${suppressionResult.stats.inlineSuppressed} config_finding=${suppressionResult.stats.configFindingSuppressed} config_rule=${suppressionResult.stats.configRuleSuppressed}) expired=${suppressionResult.expiredSuppressions}`);
-        }
-        // Use the filtered findings (after suppression)
-        const afterSuppression = suppressionResult.findings;
-        // Sort by severity
-        const sortedVulnerabilities = sortBySeverity(afterSuppression);
-        // Compute issue-mix counts (based on unsuppressed findings)
-        const severityCounts = computeSeverityCounts(sortedVulnerabilities);
-        const categoryCounts = computeCategoryCounts(sortedVulnerabilities);
-        const hasBlockingIssues = severityCounts.critical > 0 || severityCounts.high > 0;
-        // Build suppressed vulnerabilities summary (for --show-suppressed)
-        const suppressedVulnerabilities = options.showSuppressed
-            ? suppressionResult.suppressed.map(s => ({
-                hash: s.suppression.hash,
-                filePath: s.vulnerability.filePath,
-                lineNumber: s.vulnerability.lineNumber,
-                category: s.vulnerability.category,
-                severity: s.vulnerability.severity,
-                title: s.vulnerability.title,
-                suppressionType: s.suppression.type,
-                suppressionReason: s.suppression.reason,
-                expires: s.suppression.expires,
-            }))
-            : undefined;
-        reportProgress('complete', 'Scan complete!', sortedVulnerabilities.length);
-        return {
-            repoName: repoInfo.name,
-            repoUrl: repoInfo.url,
-            branch: repoInfo.branch,
-            filesScanned: files.length,
-            filesSkipped: 0, // TODO: track skipped files
-            vulnerabilities: sortedVulnerabilities,
-            severityCounts,
-            categoryCounts,
-            hasBlockingIssues,
-            scanDuration: Date.now() - startTime,
-            timestamp: new Date().toISOString(),
-            validationStats: capturedValidationStats,
-            suppressionStats: suppressionResult.suppressed.length > 0 || suppressionResult.expiredSuppressions > 0
-                ? suppressionResult.stats
-                : undefined,
-            suppressedVulnerabilities,
-            filterAuditTrail: filterPipeline.isEnabled ? filterPipeline.getAuditTrail() : undefined,
-        };
-    }
-    catch (error) {
-        if (cancellationToken?.cancelled) {
-            // Return partial results on cancellation
-            reportProgress('failed', 'Scan cancelled');
-            // Compute partial results
-            const uniqueVulnerabilities = deduplicateVulnerabilities(allVulnerabilities);
-            const resolvedVulnerabilities = resolveContradictions(uniqueVulnerabilities, middlewareConfig);
-            const sortedVulnerabilities = sortBySeverity(resolvedVulnerabilities);
-            const severityCounts = computeSeverityCounts(sortedVulnerabilities);
-            const categoryCounts = computeCategoryCounts(sortedVulnerabilities);
-            return {
-                repoName: repoInfo.name,
-                repoUrl: repoInfo.url,
-                branch: repoInfo.branch,
-                filesScanned: files.length,
-                filesSkipped: 0,
-                vulnerabilities: sortedVulnerabilities,
-                severityCounts,
-                categoryCounts,
-                hasBlockingIssues: false, // Don't block on partial results
-                scanDuration: Date.now() - startTime,
-                timestamp: new Date().toISOString(),
-                validationStats: capturedValidationStats,
-                cancelled: true,
-                cancelReason: cancellationToken.reason,
-            };
-        }
-        reportProgress('failed', `Scan failed: ${error}`);
-        throw error;
-    }
-}
-/**
- * Enrich findings with metadata from the rule registry (PRO-82)
- * Sets default impact, evidence, fixSteps, and references from registry
- *
- * PRO-83: When projectContext is provided, uses framework-aware fix suggestions
- * that are tailored to the user's detected tech stack (e.g., Prisma-specific
- * SQL injection fixes instead of generic advice).
- *
- * These can be overridden later by AI-generated content
- */
-function enrichWithMetadata(findings, projectContext) {
-    return findings.map(f => {
-        const metadata = (0, rules_1.getRuleMetadata)(f.category);
-        if (!metadata)
-            return f;
-        // PRO-83: Check for framework-specific fix suggestions
-        let fixSteps = metadata.fixSteps;
-        if (projectContext) {
-            const frameworkFix = (0, framework_fixes_1.getFrameworkFix)(f.category, projectContext.frameworks, projectContext.dataAccess);
-            if (frameworkFix) {
-                fixSteps = frameworkFix.fixSteps;
-                // Optionally append code example to description if available
-                // This makes the fix more actionable
-            }
-        }
-        return {
-            ...f,
-            // Set defaults from registry (AI can override later)
-            impact: f.impact || metadata.whyItMatters,
-            evidence: f.evidence || metadata.evidence,
-            fixSteps: f.fixSteps || fixSteps,
-            references: f.references || metadata.references,
-        };
-    });
-}
-/**
- * Aggregate noisy findings in the same file to reduce clutter
- * Groups repeated findings with same filePath + category + title
- * Especially useful for AI pattern spam
- */
-function aggregateNoisyFindings(vulnerabilities) {
-    // Group findings by file + category + title
-    const groups = new Map();
-    for (const vuln of vulnerabilities) {
-        // Create grouping key: same file, category, and base title (without line-specific info)
-        const baseTitle = vuln.title.replace(/\s*\(\d+ instances?\)/, '').trim();
-        const key = `${vuln.filePath}|${vuln.category}|${baseTitle}`;
-        const existing = groups.get(key) || [];
-        existing.push(vuln);
-        groups.set(key, existing);
-    }
-    const result = [];
-    for (const [key, group] of groups) {
-        // If only 1-2 findings, keep them as-is
-        if (group.length <= 2) {
-            result.push(...group);
-            continue;
-        }
-        // For 3+ similar findings in same file, aggregate into one
-        const first = group[0];
-        const lineNumbers = group.map(v => v.lineNumber).sort((a, b) => a - b);
-        const uniqueLines = [...new Set(lineNumbers)];
-        // Format line numbers nicely (show first few, then "...")
-        const lineDisplay = uniqueLines.length > 5
-            ? `${uniqueLines.slice(0, 5).join(', ')}... (${uniqueLines.length} total)`
-            : uniqueLines.join(', ');
-        // Keep highest severity from the group
-        const highestSeverity = group.reduce((max, v) => (0, parsed_file_1.severityRank)(v.severity) > (0, parsed_file_1.severityRank)(max.severity) ? v : max, group[0]).severity;
-        // Create aggregated finding
-        const aggregated = {
-            id: `${first.id}-aggregated`,
-            filePath: first.filePath,
-            lineNumber: uniqueLines[0], // First occurrence
-            lineContent: `${group.length} instances across this file`,
-            severity: highestSeverity,
-            category: first.category,
-            title: `${first.title.replace(/\s*\(\d+ instances?\)/, '')} (${group.length} instances)`,
-            description: `${first.description}\n\nFound ${group.length} occurrences at lines: ${lineDisplay}`,
-            suggestedFix: first.suggestedFix,
-            confidence: first.confidence,
-            layer: first.layer,
-            requiresAIValidation: first.requiresAIValidation,
-        };
-        result.push(aggregated);
-    }
-    return result;
-}
-/**
- * Cap validation candidates per file to control AI costs
- * Prioritizes by:
- * 1. Tier (ai_assisted findings need AI most, so they get priority)
- * 2. Severity (critical > high > medium > low > info)
- * 3. Category importance (secrets/URLs/auth before cosmetic patterns)
- */
-function capValidationCandidatesPerFile(vulnerabilities, maxPerFile = MAX_VALIDATION_CANDIDATES_PER_FILE) {
-    // Group by file
-    const byFile = new Map();
-    for (const vuln of vulnerabilities) {
-        const existing = byFile.get(vuln.filePath) || [];
-        existing.push(vuln);
-        byFile.set(vuln.filePath, existing);
-    }
-    const result = [];
-    for (const [filePath, fileVulns] of byFile) {
-        // Sort by priority: tier first (ai_assisted needs AI most), then severity, then category
-        const sorted = [...fileVulns].sort((a, b) => {
-            // Tier comparison: ai_assisted (needs AI) > core (high precision) > experimental (hidden anyway)
-            const tierPriority = (v) => {
-                const tier = (0, tiers_1.getTierForCategory)(v.category, v.layer);
-                if (tier === 'ai_assisted')
-                    return 10; // Highest priority - these NEED AI validation
-                if (tier === 'core')
-                    return 5; // High precision, but AI can still help
-                return 1; // Experimental - shouldn't even be here
-            };
-            const tierDiff = tierPriority(b) - tierPriority(a);
-            if (tierDiff !== 0)
-                return tierDiff;
-            // Severity comparison (higher severity = higher priority)
-            const severityDiff = (0, parsed_file_1.severityRank)(b.severity) - (0, parsed_file_1.severityRank)(a.severity);
-            if (severityDiff !== 0)
-                return severityDiff;
-            // Category importance (secrets/URLs/auth before AI patterns)
-            const categoryPriority = (v) => {
-                if (v.category === 'hardcoded_secret')
-                    return 10;
-                if (v.category === 'high_entropy_string')
-                    return 9;
-                if (v.category === 'sensitive_url')
-                    return 8;
-                if (v.category === 'missing_auth')
-                    return 7;
-                if (v.category === 'ai_pattern')
-                    return 3;
-                return 5;
-            };
-            return categoryPriority(b) - categoryPriority(a);
-        });
-        // Take top N per file
-        const capped = sorted.slice(0, maxPerFile);
-        result.push(...capped);
-        // Note: Capping log removed to support quiet mode - this is debug info only
-    }
-    return result;
-}
-// applyGlobalContextAdjustments consolidated into filtering/context-adjustments.ts
-/**
- * Remove duplicate vulnerabilities (same file, line, category)
- * Also handles cross-layer URL duplicates (sensitive_url + ai_pattern)
- */
-function deduplicateVulnerabilities(vulnerabilities) {
-    const seen = new Map();
-    const urlDedupMap = new Map();
-    for (const vuln of vulnerabilities) {
-        // Special handling for URL duplicates across layers
-        // (e.g., Layer 1 detects as sensitive_url, Layer 2 detects as ai_pattern)
-        if ((vuln.category === 'sensitive_url' || vuln.category === 'ai_pattern') &&
-            /url|localhost|127\.0\.0\.1|http/i.test(vuln.lineContent)) {
-            // Create compound key that ignores category differences for URLs
-            const urlKey = `${vuln.filePath}:${vuln.lineNumber}:url_finding`;
-            const existing = urlDedupMap.get(urlKey);
-            if (!existing) {
-                urlDedupMap.set(urlKey, vuln);
-            }
-            else {
-                // Keep Layer 1 (more specific) over Layer 2 AI pattern
-                // Or keep higher severity
-                if (vuln.layer < existing.layer ||
-                    (0, parsed_file_1.severityRank)(vuln.severity) > (0, parsed_file_1.severityRank)(existing.severity)) {
-                    urlDedupMap.set(urlKey, vuln);
-                }
-            }
-            continue;
-        }
-        // Standard deduplication for non-URL findings
-        const key = `${vuln.filePath}:${vuln.lineNumber}:${vuln.category}`;
-        const existing = seen.get(key);
-        // Keep the higher severity or higher confidence finding
-        if (!existing) {
-            seen.set(key, vuln);
-        }
-        else if ((0, parsed_file_1.severityRank)(vuln.severity) > (0, parsed_file_1.severityRank)(existing.severity)) {
-            seen.set(key, vuln);
-        }
-        else if ((0, parsed_file_1.severityRank)(vuln.severity) === (0, parsed_file_1.severityRank)(existing.severity) &&
-            (0, parsed_file_1.confidenceRank)(vuln.confidence) > (0, parsed_file_1.confidenceRank)(existing.confidence)) {
-            seen.set(key, vuln);
-        }
-    }
-    // Combine URL and non-URL findings
-    return [...Array.from(seen.values()), ...Array.from(urlDedupMap.values())];
-}
-/**
- * Resolve contradictions in findings
- *
- * Key contradiction types:
- * 1. Same route has both "protected by middleware" (info) AND "missing auth" (high/critical)
- *    → Keep only the info-level "protected by middleware" finding
- * 2. Same file has BYOK "transient use" (info) AND "key stored insecurely" (high)
- *    → Keep only the most accurate one based on context
- * 3. Same line has conflicting severities from different layers
- *    → Prefer the lower severity if one explicitly notes protection
- */
-function resolveContradictions(vulnerabilities, middlewareConfig) {
-    // Group findings by file path for contradiction analysis
-    const byFile = new Map();
-    for (const vuln of vulnerabilities) {
-        const existing = byFile.get(vuln.filePath) || [];
-        existing.push(vuln);
-        byFile.set(vuln.filePath, existing);
-    }
-    const result = [];
-    for (const [filePath, fileVulns] of byFile) {
-        // Check for auth contradictions in this file
-        const authFindings = fileVulns.filter(v => v.category === 'missing_auth');
-        const otherFindings = fileVulns.filter(v => v.category !== 'missing_auth');
-        // Identify protected routes (middleware or auth helper)
-        const protectedInfos = authFindings.filter(v => v.severity === 'info' &&
-            (v.validationNotes === 'MIDDLEWARE_PROTECTED' ||
-                v.validationNotes === 'AUTH_HELPER_PROTECTED' ||
-                v.title.includes('protected by middleware') ||
-                v.title.includes('uses auth helper')));
-        // NEW: Check if this file's route is protected by middleware (even without explicit info finding)
-        // This catches Layer 3 findings that don't have the Layer 2 protection info
-        const routePath = (0, middleware_detector_1.getRoutePathFromFile)(filePath);
-        const isAPIRouteProtected = routePath && middlewareConfig?.hasAuthMiddleware
-            ? (0, middleware_detector_1.isRouteProtectedByMiddleware)(routePath, middlewareConfig).isProtected
-            : false;
-        // Also check if file is a client component calling protected API routes
-        // Client components (components/, app/ without route.ts) calling /api/** are safe
-        const isClientCallingProtectedAPI = middlewareConfig?.hasAuthMiddleware &&
-            (filePath.includes('/components/') ||
-                (filePath.includes('/app/') && !filePath.includes('route.ts')));
-        // If we have protected route info findings OR the route is protected by middleware
-        if (protectedInfos.length > 0 || isAPIRouteProtected || isClientCallingProtectedAPI) {
-            // Keep the protected info findings
-            result.push(...protectedInfos);
-            // For other auth findings on same file, either drop or downgrade to info
-            const otherAuthFindings = authFindings.filter(v => !protectedInfos.includes(v));
-            for (const vuln of otherAuthFindings) {
-                // If it's high/critical missing auth on a protected route, drop it entirely
-                // (the middleware/helper protection supersedes)
-                if (vuln.severity === 'critical' || vuln.severity === 'high') {
-                    const reason = isAPIRouteProtected
-                        ? 'API route protected by middleware'
-                        : isClientCallingProtectedAPI
-                            ? 'client component calling protected API'
-                            : 'route is protected';
-                    // Note: Contradiction log removed to support quiet mode - this is debug info only
-                    continue; // Skip this finding
-                }
-                // Keep lower severity auth findings as-is
-                result.push(vuln);
-            }
-        }
-        else {
-            // No protection detected - keep all auth findings as-is
-            result.push(...authFindings);
-        }
-        // Handle BYOK contradictions
-        const byokFindings = otherFindings.filter(v => v.category === 'ai_pattern' && v.title.toLowerCase().includes('byok'));
-        const nonByokFindings = otherFindings.filter(v => !(v.category === 'ai_pattern' && v.title.toLowerCase().includes('byok')));
-        if (byokFindings.length > 0) {
-            // Check if we have both transient (low) and storage (high) BYOK findings
-            const transientByok = byokFindings.filter(v => v.severity === 'low' || v.severity === 'info');
-            const storageByok = byokFindings.filter(v => v.severity === 'high' || v.severity === 'medium');
-            if (transientByok.length > 0 && storageByok.length > 0) {
-                // If we detected transient usage, prefer the lower severity
-                // The higher severity ones may be false positives
-                result.push(...transientByok);
-                // Mark high-severity BYOK for review
-                for (const vuln of storageByok) {
-                    result.push({
-                        ...vuln,
-                        severity: 'low',
-                        validationNotes: `${vuln.validationNotes || ''} (downgraded: transient BYOK usage detected in same file)`.trim(),
-                    });
-                }
-            }
-            else {
-                // Keep all BYOK findings as-is
-                result.push(...byokFindings);
-            }
-        }
-        // Add non-BYOK other findings
-        result.push(...nonByokFindings);
-    }
-    return result;
-}
-/**
- * Sort vulnerabilities by severity (critical first)
- */
-function sortBySeverity(vulnerabilities) {
-    return [...vulnerabilities].sort((a, b) => {
-        const severityDiff = (0, parsed_file_1.severityRank)(b.severity) - (0, parsed_file_1.severityRank)(a.severity);
-        if (severityDiff !== 0)
-            return severityDiff;
-        // Secondary sort by confidence
-        return (0, parsed_file_1.confidenceRank)(b.confidence) - (0, parsed_file_1.confidenceRank)(a.confidence);
-    });
-}
-// severityRank and confidenceRank imported from utils/parsed-file
-/**
- * Compute severity counts from vulnerabilities
- */
-function computeSeverityCounts(vulnerabilities) {
-    const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
-    for (const vuln of vulnerabilities) {
-        if (vuln.severity in counts) {
-            counts[vuln.severity]++;
-        }
-    }
-    return counts;
-}
-/**
- * Compute category counts from vulnerabilities
- */
-function computeCategoryCounts(vulnerabilities) {
-    const counts = {};
-    for (const vuln of vulnerabilities) {
-        const category = vuln.category;
-        counts[category] = (counts[category] || 0) + 1;
-    }
-    return counts;
-}
-/**
- * Helper to compute counts from vulnerabilities (for backfilling legacy scans)
- */
-function computeIssueMixFromVulnerabilities(vulnerabilities) {
-    const severityCounts = computeSeverityCounts(vulnerabilities);
-    const categoryCounts = computeCategoryCounts(vulnerabilities);
-    const hasBlockingIssues = severityCounts.critical > 0 || severityCounts.high > 0;
-    return { severityCounts, categoryCounts, hasBlockingIssues };
-}
 // Re-export types and utilities
-__exportStar(require("./types"), exports);
-var layer1_2 = require("./layer1");
-Object.defineProperty(exports, "runLayer1Scan", { enumerable: true, get: function () { return layer1_2.runLayer1Scan; } });
-var layer2_2 = require("./layer2");
-Object.defineProperty(exports, "runLayer2Scan", { enumerable: true, get: function () { return layer2_2.runLayer2Scan; } });
-var layer3_2 = require("./layer3");
-Object.defineProperty(exports, "runLayer3Scan", { enumerable: true, get: function () { return layer3_2.runLayer3Scan; } });
-var project_context_builder_2 = require("./utils/project-context-builder");
-Object.defineProperty(exports, "buildProjectContext", { enumerable: true, get: function () { return project_context_builder_2.buildProjectContext; } });
-var anthropic_2 = require("./layer3/anthropic");
-Object.defineProperty(exports, "validateFindingsWithAI", { enumerable: true, get: function () { return anthropic_2.validateFindingsWithAI; } });
-var types_3 = require("./types");
-Object.defineProperty(exports, "createCancellationToken", { enumerable: true, get: function () { return types_3.createCancellationToken; } });
+// ============================================================================
+__exportStar(require("./shared/types"), exports);
+var secrets_1 = require("./detect/secrets");
+Object.defineProperty(exports, "runLayer1Scan", { enumerable: true, get: function () { return secrets_1.runLayer1Scan; } });
+var structural_1 = require("./detect/structural");
+Object.defineProperty(exports, "runLayer2Scan", { enumerable: true, get: function () { return structural_1.runLayer2Scan; } });
+var project_context_1 = require("./model/project-context");
+Object.defineProperty(exports, "buildProjectContext", { enumerable: true, get: function () { return project_context_1.buildProjectContext; } });
+var validate_1 = require("./validate");
+Object.defineProperty(exports, "validateFindingsWithAI", { enumerable: true, get: function () { return validate_1.validateFindingsWithAI; } });
+var types_1 = require("./shared/types");
+Object.defineProperty(exports, "createCancellationToken", { enumerable: true, get: function () { return types_1.createCancellationToken; } });
+// Confidence scoring exports (Phase 2B)
+var score_1 = require("./score");
+Object.defineProperty(exports, "scoreFindings", { enumerable: true, get: function () { return score_1.scoreFindings; } });
+Object.defineProperty(exports, "buildAdjustmentContext", { enumerable: true, get: function () { return score_1.buildAdjustmentContext; } });
+Object.defineProperty(exports, "buildConfidenceLog", { enumerable: true, get: function () { return score_1.buildConfidenceLog; } });
+Object.defineProperty(exports, "DEPTH_CONFIGS", { enumerable: true, get: function () { return score_1.DEPTH_CONFIGS; } });
 // Suppression system exports
-var suppression_2 = require("./suppression");
-Object.defineProperty(exports, "SuppressionManager", { enumerable: true, get: function () { return suppression_2.SuppressionManager; } });
-Object.defineProperty(exports, "computeFindingHash", { enumerable: true, get: function () { return suppression_2.computeFindingHash; } });
-Object.defineProperty(exports, "loadSuppressionConfig", { enumerable: true, get: function () { return suppression_2.loadSuppressionConfig; } });
-Object.defineProperty(exports, "addFindingSuppression", { enumerable: true, get: function () { return suppression_2.addFindingSuppression; } });
-Object.defineProperty(exports, "removeFindingSuppression", { enumerable: true, get: function () { return suppression_2.removeFindingSuppression; } });
-Object.defineProperty(exports, "addRuleSuppression", { enumerable: true, get: function () { return suppression_2.addRuleSuppression; } });
-Object.defineProperty(exports, "listSuppressions", { enumerable: true, get: function () { return suppression_2.listSuppressions; } });
-Object.defineProperty(exports, "parseInlineSuppressions", { enumerable: true, get: function () { return suppression_2.parseInlineSuppressions; } });
-Object.defineProperty(exports, "generateSuppressionComment", { enumerable: true, get: function () { return suppression_2.generateSuppressionComment; } });
-Object.defineProperty(exports, "isValidHash", { enumerable: true, get: function () { return suppression_2.isValidHash; } });
+var suppression_1 = require("./postprocess/suppression");
+Object.defineProperty(exports, "SuppressionManager", { enumerable: true, get: function () { return suppression_1.SuppressionManager; } });
+Object.defineProperty(exports, "computeFindingHash", { enumerable: true, get: function () { return suppression_1.computeFindingHash; } });
+Object.defineProperty(exports, "loadSuppressionConfig", { enumerable: true, get: function () { return suppression_1.loadSuppressionConfig; } });
+Object.defineProperty(exports, "addFindingSuppression", { enumerable: true, get: function () { return suppression_1.addFindingSuppression; } });
+Object.defineProperty(exports, "removeFindingSuppression", { enumerable: true, get: function () { return suppression_1.removeFindingSuppression; } });
+Object.defineProperty(exports, "addRuleSuppression", { enumerable: true, get: function () { return suppression_1.addRuleSuppression; } });
+Object.defineProperty(exports, "listSuppressions", { enumerable: true, get: function () { return suppression_1.listSuppressions; } });
+Object.defineProperty(exports, "parseInlineSuppressions", { enumerable: true, get: function () { return suppression_1.parseInlineSuppressions; } });
+Object.defineProperty(exports, "generateSuppressionComment", { enumerable: true, get: function () { return suppression_1.generateSuppressionComment; } });
+Object.defineProperty(exports, "isValidHash", { enumerable: true, get: function () { return suppression_1.isValidHash; } });
 // Baseline system exports
-var baseline_1 = require("./baseline");
+var baseline_1 = require("./shared/baseline");
 Object.defineProperty(exports, "BaselineManager", { enumerable: true, get: function () { return baseline_1.BaselineManager; } });
 Object.defineProperty(exports, "computeDiff", { enumerable: true, get: function () { return baseline_1.computeDiff; } });
 Object.defineProperty(exports, "hasNewBlockingIssues", { enumerable: true, get: function () { return baseline_1.hasNewBlockingIssues; } });
@@ -1055,18 +70,18 @@ Object.defineProperty(exports, "formatDiffSummary", { enumerable: true, get: fun
 Object.defineProperty(exports, "BASELINE_FILE_PATH", { enumerable: true, get: function () { return baseline_1.BASELINE_FILE_PATH; } });
 Object.defineProperty(exports, "OCULUM_DIR", { enumerable: true, get: function () { return baseline_1.OCULUM_DIR; } });
 // Rule metadata exports (PRO-82)
-var rules_2 = require("./rules");
-Object.defineProperty(exports, "RULE_REGISTRY", { enumerable: true, get: function () { return rules_2.RULE_REGISTRY; } });
-Object.defineProperty(exports, "getRuleMetadata", { enumerable: true, get: function () { return rules_2.getRuleMetadata; } });
-Object.defineProperty(exports, "getAllCategories", { enumerable: true, get: function () { return rules_2.getAllCategories; } });
-Object.defineProperty(exports, "hasMetadata", { enumerable: true, get: function () { return rules_2.hasMetadata; } });
+var rules_1 = require("./shared/rules");
+Object.defineProperty(exports, "RULE_REGISTRY", { enumerable: true, get: function () { return rules_1.RULE_REGISTRY; } });
+Object.defineProperty(exports, "getRuleMetadata", { enumerable: true, get: function () { return rules_1.getRuleMetadata; } });
+Object.defineProperty(exports, "getAllCategories", { enumerable: true, get: function () { return rules_1.getAllCategories; } });
+Object.defineProperty(exports, "hasMetadata", { enumerable: true, get: function () { return rules_1.hasMetadata; } });
 // AI Context exports
-var ai_context_1 = require("./ai-context");
+var ai_context_1 = require("./shared/ai-context");
 Object.defineProperty(exports, "AIContextManager", { enumerable: true, get: function () { return ai_context_1.AIContextManager; } });
 Object.defineProperty(exports, "AI_CONTEXT_FILE", { enumerable: true, get: function () { return ai_context_1.AI_CONTEXT_FILE; } });
 Object.defineProperty(exports, "AI_CONTEXT_PATH", { enumerable: true, get: function () { return ai_context_1.AI_CONTEXT_PATH; } });
 // Category filter exports (Phase 2: Category-Based Filtering)
-var category_filter_1 = require("./category-filter");
+var category_filter_1 = require("./shared/category-filter");
 Object.defineProperty(exports, "CATEGORY_GROUPS", { enumerable: true, get: function () { return category_filter_1.CATEGORY_GROUPS; } });
 Object.defineProperty(exports, "ALL_CATEGORIES", { enumerable: true, get: function () { return category_filter_1.ALL_CATEGORIES; } });
 Object.defineProperty(exports, "normalizeCategory", { enumerable: true, get: function () { return category_filter_1.normalizeCategory; } });