@oculum/scanner 1.0.12 → 1.0.13

package/dist/layer2/xxe-detection.js

@@ -0,0 +1,242 @@
+"use strict";
+/**
+ * Layer 2: XXE (XML External Entity) Detector
+ * Detects XML parsing without entity expansion protection
+ *
+ * OWASP A02:2021 - Cryptographic Failures (was A04 in 2017)
+ * CWE-611: Improper Restriction of XML External Entity Reference
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectXXEPatterns = detectXXEPatterns;
+const context_helpers_1 = require("../utils/context-helpers");
+const XXE_PATTERNS = [
+    // ==================== Node.js ====================
+    {
+        pattern: /xml2js\.parseString|new\s+xml2js\.Parser/,
+        lang: 'node',
+        lib: 'xml2js',
+        safe: /explicitCharkey|xmlMode/,
+        severity: 'medium', // xml2js v0.5+ doesn't expand entities by default
+        extensions: ['.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx'],
+    },
+    {
+        pattern: /libxmljs\.parseXml/,
+        lang: 'node',
+        lib: 'libxmljs',
+        safe: /noent\s*:\s*false/,
+        severity: 'high',
+        extensions: ['.js', '.ts', '.mjs', '.cjs'],
+    },
+    {
+        pattern: /new\s+DOMParser\(\)\.parseFromString/,
+        lang: 'node',
+        lib: 'DOMParser',
+        severity: 'low', // Browsers block XXE by default
+        extensions: ['.js', '.ts', '.jsx', '.tsx'],
+    },
+    {
+        pattern: /(?:xmldom|@xmldom\/xmldom)/,
+        lang: 'node',
+        lib: 'xmldom',
+        safe: /entityExpansionEnabled\s*:\s*false/,
+        severity: 'medium',
+        extensions: ['.js', '.ts', '.mjs', '.cjs'],
+    },
+    {
+        pattern: /(?:fast-xml-parser|XMLParser)/,
+        lang: 'node',
+        lib: 'fast-xml-parser',
+        safe: /processEntities\s*:\s*false/,
+        severity: 'medium',
+        extensions: ['.js', '.ts', '.mjs', '.cjs'],
+    },
+    // ==================== Python ====================
+    {
+        pattern: /xml\.etree\.ElementTree\.parse|ET\.parse|etree\.parse/,
+        lang: 'python',
+        lib: 'xml.etree.ElementTree',
+        safe: /defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    {
+        pattern: /lxml\.etree\.parse|etree\.fromstring/,
+        lang: 'python',
+        lib: 'lxml.etree',
+        safe: /resolve_entities\s*=\s*False|defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    {
+        pattern: /xml\.sax\.parse|xml\.dom\.minidom\.parse/,
+        lang: 'python',
+        lib: 'xml.sax/minidom',
+        safe: /defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    {
+        pattern: /xml\.dom\.pulldom/,
+        lang: 'python',
+        lib: 'xml.dom.pulldom',
+        safe: /defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    // ==================== Java ====================
+    {
+        pattern: /DocumentBuilderFactory\.newInstance/,
+        lang: 'java',
+        lib: 'DocumentBuilderFactory',
+        safe: /disallow-doctype-decl|FEATURE_SECURE_PROCESSING/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    {
+        pattern: /SAXParserFactory\.newInstance/,
+        lang: 'java',
+        lib: 'SAXParserFactory',
+        safe: /disallow-doctype-decl|external-general-entities/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    {
+        pattern: /XMLInputFactory\.newInstance/,
+        lang: 'java',
+        lib: 'XMLInputFactory',
+        safe: /IS_SUPPORTING_EXTERNAL_ENTITIES|SUPPORT_DTD/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    {
+        pattern: /TransformerFactory\.newInstance/,
+        lang: 'java',
+        lib: 'TransformerFactory',
+        safe: /ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_STYLESHEET/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    // ==================== PHP ====================
+    {
+        pattern: /simplexml_load_string|simplexml_load_file/,
+        lang: 'php',
+        lib: 'simplexml',
+        safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)|LIBXML_NOENT/,
+        severity: 'high',
+        extensions: ['.php'],
+    },
+    {
+        pattern: /DOMDocument.*(?:loadXML|load)\b/,
+        lang: 'php',
+        lib: 'DOMDocument',
+        safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)/,
+        severity: 'high',
+        extensions: ['.php'],
+    },
+    {
+        pattern: /XMLReader.*open/,
+        lang: 'php',
+        lib: 'XMLReader',
+        safe: /setParserProperty.*LOADDTD.*false/,
+        severity: 'high',
+        extensions: ['.php'],
+    },
+];
+/**
+ * Check if the file extension matches the expected language
+ */
+function matchesLanguageExtension(filePath, extensions) {
+    if (!extensions)
+        return true;
+    return extensions.some(ext => filePath.endsWith(ext));
+}
+/**
+ * Check surrounding context for safe configuration
+ */
+function hasSafeConfig(content, lines, lineIndex, safePattern, lang) {
+    if (!safePattern)
+        return false;
+    // For Python: check entire file for defusedxml import
+    if (lang === 'python' && /defusedxml/.test(safePattern.source)) {
+        if (/import\s+defusedxml|from\s+defusedxml/.test(content)) {
+            return true;
+        }
+    }
+    // Check surrounding context (±20 lines for Java setFeature, ±10 for others)
+    const windowSize = lang === 'java' ? 20 : 10;
+    const start = Math.max(0, lineIndex - windowSize);
+    const end = Math.min(lines.length, lineIndex + windowSize + 1);
+    const context = lines.slice(start, end).join('\n');
+    return safePattern.test(context);
+}
+/**
+ * Detect XXE patterns in code
+ */
+function detectXXEPatterns(content, filePath, options) {
+    const vulnerabilities = [];
+    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if ((0, context_helpers_1.isComment)(line))
+            continue;
+        for (const xxePattern of XXE_PATTERNS) {
+            // Check language extension match
+            if (!matchesLanguageExtension(filePath, xxePattern.extensions))
+                continue;
+            if (!xxePattern.pattern.test(line))
+                continue;
+            // Check for safe configuration
+            if (hasSafeConfig(content, lines, i, xxePattern.safe, xxePattern.lang))
+                continue;
+            let severity = xxePattern.severity || 'high';
+            // Downgrade for test files
+            if (isTestFile) {
+                severity = 'info';
+            }
+            // DOMParser in .tsx client files is inherently safe
+            if (xxePattern.lib === 'DOMParser' && (filePath.endsWith('.tsx') || filePath.endsWith('.jsx'))) {
+                severity = 'info';
+            }
+            vulnerabilities.push({
+                id: `xxe-${filePath}-${i + 1}-${xxePattern.lib}`,
+                filePath,
+                lineNumber: i + 1,
+                lineContent: line.trim(),
+                severity,
+                category: 'xxe',
+                title: `XXE risk: ${xxePattern.lib} XML parser without entity protection`,
+                description: `${xxePattern.lib} XML parser is used without disabling external entity processing. An attacker could supply malicious XML to read server files, perform SSRF, or cause denial-of-service.`,
+                suggestedFix: getSuggestedFix(xxePattern.lang, xxePattern.lib),
+                confidence: severity === 'high' ? 'high' : 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'high',
+            });
+            break; // One finding per line
+        }
+    }
+    return vulnerabilities;
+}
+function getSuggestedFix(lang, lib) {
+    switch (lang) {
+        case 'python':
+            return 'Use defusedxml instead of the standard xml library: pip install defusedxml && from defusedxml.ElementTree import parse';
+        case 'java':
+            return 'Disable external entities: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)';
+        case 'php':
+            return 'Disable entity loading: libxml_disable_entity_loader(true) before parsing XML';
+        case 'node':
+            if (lib === 'fast-xml-parser') {
+                return 'Disable entity processing: new XMLParser({ processEntities: false })';
+            }
+            if (lib === 'xml2js') {
+                return 'Consider upgrading to xml2js v0.5+ which has safer defaults, or use fast-xml-parser with processEntities: false';
+            }
+            return 'Disable external entity processing in the XML parser configuration';
+        default:
+            return 'Disable external entity processing in the XML parser configuration';
+    }
+}
+//# sourceMappingURL=xxe-detection.js.map

package/dist/layer2/xxe-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xxe-detection.js","sourceRoot":"","sources":["../../src/layer2/xxe-detection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA6MH,8CA0DC;AAnQD,8DAIiC;AAqBjC,MAAM,YAAY,GAAiB;IACjC,oDAAoD;IACpD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ,EAAE,kDAAkD;QACtE,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3D;IACD;QACE,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,UAAU;QACf,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,WAAW;QAChB,QAAQ,EAAE,KAAK,EAAE,gCAAgC;QACjD,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IAED,mDAAmD;IACnD;QACE,OAAO,EAAE,uDAAuD;QAChE,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,uBAAuB;QAC5B,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,YAAY;QACjB,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IAED,iDAAiD;IACjD;QACE,OAAO,EAAE,qCAAqC;QAC9C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,wBAAwB;QAC7B,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,kBAAkB;QACvB,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,6CAA6C;QACnD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,oBAAoB;QACzB,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IAED,gDAAgD;IAChD;QACE,OAAO,EAAE,2CAA2C;QACpD,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,4DAA4D;QAClE,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,aAAa;QAClB,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;IACD;QACE,OAAO,EAAE,iBAAiB;QAC1B,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;CACF,CAAA;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,QAAgB,EAAE,UAAqB;IACvE,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAA;IAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACpB,OAAe,EACf,KAAe,EACf,SAAiB,EACjB,WAA+B,EAC/B,IAAY;IAEZ,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAA;IAE9B,sDAAsD;IACtD,IAAI,IAAI,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/D,IAAI,uCAAuC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,MAAM,UAAU,GAAG,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,CAAC,CAAC,CAAA;IAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,OAAO,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAClC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,OAAe,EACf,QAAgB,EAChB,OAAoB;IAEpB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;YACtC,iCAAiC;YACjC,IAAI,CAAC,wBAAwB,CAAC,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;gBAAE,SAAQ;YAExE,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAE5C,+BAA+B;YAC/B,IAAI,aAAa,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEhF,IAAI,QAAQ,GAA0B,UAAU,CAAC,QAAQ,IAAI,MAAM,CAAA;YAEnE,2BAA2B;YAC3B,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YAED,oDAAoD;YACpD,IAAI,UAAU,CAAC,GAAG,KAAK,WAAW,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC/F,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,EAAE;gBAChD,QAAQ;gBACR,UAAU,EAAE,CAAC,GAAG,CAAC;gBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxB,QAAQ;gBACR,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,aAAa,UAAU,CAAC,GAAG,uCAAuC;gBACzE,WAAW,EACT,GAAG,UAAU,CAAC,GAAG,0KAA0K;gBAC7L,YAAY,EAAE,eAAe,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC;gBAC9D,UAAU,EAAE,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBACnD,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,QAAQ,KAAK,MAAM;aAC1C,CAAC,CAAA;YAEF,MAAK,CAAC,uBAAuB;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,GAAW;IAChD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,QAAQ;YACX,OAAO,wHAAwH,CAAA;QACjI,KAAK,MAAM;YACT,OAAO,6GAA6G,CAAA;QACtH,KAAK,KAAK;YACR,OAAO,+EAA+E,CAAA;QACxF,KAAK,MAAM;YACT,IAAI,GAAG,KAAK,iBAAiB,EAAE,CAAC;gBAC9B,OAAO,sEAAsE,CAAA;YAC/E,CAAC;YACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACrB,OAAO,iHAAiH,CAAA;YAC1H,CAAC;YACD,OAAO,oEAAoE,CAAA;QAC7E;YACE,OAAO,oEAAoE,CAAA;IAC/E,CAAC;AACH,CAAC"}

package/dist/layer3/anthropic/prompts/index.d.ts

@@ -4,5 +4,5 @@
  * Re-exports all prompt templates and helpers.
  */
 export { SECURITY_ANALYSIS_PROMPT, buildAuthContextForPrompt, } from './semantic-analysis';
-export { HIGH_CONTEXT_VALIDATION_PROMPT, } from './validation';
+export { HIGH_CONTEXT_VALIDATION_PROMPT, assembleValidationPrompt, getFullValidationPrompt, } from './validation';
 //# sourceMappingURL=index.d.ts.map

package/dist/layer3/anthropic/prompts/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,wBAAwB,EACxB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EACL,8BAA8B,GAC/B,MAAM,cAAc,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,wBAAwB,EACxB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EACL,8BAA8B,EAC9B,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,cAAc,CAAA"}

package/dist/layer3/anthropic/prompts/index.js

@@ -5,10 +5,12 @@
  * Re-exports all prompt templates and helpers.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HIGH_CONTEXT_VALIDATION_PROMPT = exports.buildAuthContextForPrompt = exports.SECURITY_ANALYSIS_PROMPT = void 0;
+exports.getFullValidationPrompt = exports.assembleValidationPrompt = exports.HIGH_CONTEXT_VALIDATION_PROMPT = exports.buildAuthContextForPrompt = exports.SECURITY_ANALYSIS_PROMPT = void 0;
 var semantic_analysis_1 = require("./semantic-analysis");
 Object.defineProperty(exports, "SECURITY_ANALYSIS_PROMPT", { enumerable: true, get: function () { return semantic_analysis_1.SECURITY_ANALYSIS_PROMPT; } });
 Object.defineProperty(exports, "buildAuthContextForPrompt", { enumerable: true, get: function () { return semantic_analysis_1.buildAuthContextForPrompt; } });
 var validation_1 = require("./validation");
 Object.defineProperty(exports, "HIGH_CONTEXT_VALIDATION_PROMPT", { enumerable: true, get: function () { return validation_1.HIGH_CONTEXT_VALIDATION_PROMPT; } });
+Object.defineProperty(exports, "assembleValidationPrompt", { enumerable: true, get: function () { return validation_1.assembleValidationPrompt; } });
+Object.defineProperty(exports, "getFullValidationPrompt", { enumerable: true, get: function () { return validation_1.getFullValidationPrompt; } });
 //# sourceMappingURL=index.js.map

package/dist/layer3/anthropic/prompts/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,yDAG4B;AAF1B,6HAAA,wBAAwB,OAAA;AACxB,8HAAA,yBAAyB,OAAA;AAG3B,2CAEqB;AADnB,4HAAA,8BAA8B,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,yDAG4B;AAF1B,6HAAA,wBAAwB,OAAA;AACxB,8HAAA,yBAAyB,OAAA;AAG3B,2CAIqB;AAHnB,4HAAA,8BAA8B,OAAA;AAC9B,sHAAA,wBAAwB,OAAA;AACxB,qHAAA,uBAAuB,OAAA"}

package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts

@@ -0,0 +1,19 @@
+/**
+ * AI Patterns Module
+ *
+ * Categories: ai_pattern, ai_prompt_injection, ai_unsafe_execution,
+ *             ai_overpermissive_tool, suspicious_package, ai_rag_exfiltration,
+ *             ai_endpoint_unprotected, ai_schema_mismatch, ai_package_hallucination,
+ *             ai_rag_corpus_poisoning, ai_rag_pii_leakage, ai_mcp_tool_poisoning,
+ *             ai_mcp_credential_issue, ai_mcp_confused_deputy,
+ *             ai_mcp_description_injection, ai_mcp_server_shadowing,
+ *             ai_mcp_config_secrets, ai_mcp_config_permissions,
+ *             ai_rag_query_injection, ai_rag_embedding_poisoning,
+ *             ai_rag_chunk_injection, ai_package_typosquat, ai_package_malicious,
+ *             ai_unsafe_model_load, ai_unverified_model, ai_unsafe_finetuning,
+ *             ai_excessive_agency
+ *
+ * Contains AI/LLM-specific patterns that require semantic AI reasoning.
+ */
+export declare const AI_PATTERNS_MODULE = "\n### AI/LLM-Specific Patterns\n\n**Prompt Injection (ai_prompt_injection):**\n- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)\n- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)\n- Static prompts with no user interpolation -> **REJECT** (false positive)\n- Prompt templates using proper parameterization/placeholders -> **REJECT**\n\n**LLM Output Execution (ai_unsafe_execution):**\n- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)\n- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)\n- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)\n- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)\n- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)\n- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)\n\n**Agent Tool Permissions (ai_overpermissive_tool):**\n- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)\n- Tool without user context verification -> **MEDIUM** (missing authorization)\n- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**\n- Test files with tool definitions -> **INFO** or **REJECT**\n\n**Hallucinated Dependencies (suspicious_package):**\n- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)\n- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**\n- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)\n- Known legitimate package with unusual name (in allowlist) -> **REJECT**\n\n**CRITICAL AI PATTERN RULES**:\n- AI code generation often produces non-existent package names - flag these prominently\n- Prompt injection is NOT the same as XSS - different threat model and severity\n- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk\n- Agent tools need both access restrictions AND user context verification\n\n### RAG Data Exfiltration (ai_rag_exfiltration)\nRetrieval Augmented Generation systems can leak sensitive data across tenant boundaries.\n\n**Unscoped Retrieval Queries:**\n- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)\n  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter\n  - LangChain retriever.invoke() without metadata filter\n  - Pinecone/Chroma/Weaviate query without namespace or metadata filter\n- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)\n- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)\n\n**Raw Context Exposure:**\n- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)\n- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)\n- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)\n- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**\n\n**Context Logging:**\n- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)\n- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)\n- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)\n\n**CRITICAL RAG RULES**:\n- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping\n- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH\n- Debug logging is INFO severity - it's not a direct vulnerability\n- If RLS or middleware protection is visible, downgrade significantly\n\n### AI Endpoint Protection (ai_endpoint_unprotected)\nAI/LLM API endpoints can incur significant costs and enable data exfiltration.\n\n**No Authentication + No Rate Limiting -> HIGH:**\n- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit\n- Anyone on the internet can abuse the endpoint and run up API costs\n- Potential for prompt exfiltration or model abuse\n\n**Has Rate Limiting but No Authentication -> MEDIUM:**\n- Rate limit provides some protection against abuse\n- Still allows anonymous access to AI functionality\n- Suggest adding authentication\n\n**Has Authentication but No Rate Limiting -> LOW:**\n- Authenticated users could still abuse the endpoint\n- Suggest adding rate limiting for cost control\n- severity: low (suggest improvement)\n\n**Has Both Auth and Rate Limiting -> INFO/REJECT:**\n- Properly protected endpoint\n- REJECT if both are clearly present\n- INFO if you want to note the good pattern\n\n**BYOK (Bring Your Own Key) Endpoints:**\n- If user provides their own API key, risk is LOWER\n- User pays for their own usage - cost abuse is their problem\n- Downgrade severity by one level for BYOK patterns\n\n**Protected by Middleware:**\n- If project context shows auth middleware protecting the route, downgrade to INFO\n- Internal/admin routes should be INFO or REJECT\n\n**CRITICAL ENDPOINT RULES**:\n- Cost abuse is real - unprotected AI endpoints can bankrupt a startup\n- Rate limiting alone isn't enough - need auth to prevent anonymous abuse\n- BYOK endpoints have lower risk since user bears the cost\n- Check for middleware protection before flagging\n\n### Schema/Tooling Mismatch (ai_schema_mismatch)\nAI-generated structured outputs need validation before use in security-sensitive contexts.\n\n**Unvalidated AI Output Parsing:**\n- JSON.parse(response.content) without schema validation -> **MEDIUM**\n  - AI may return malformed or unexpected structures\n  - Suggest zod/ajv/joi validation\n- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**\n  - Direct path to code/SQL injection\n- AI output to DISPLAY only (console.log, UI render) -> **REJECT**\n  - Not a security issue for display purposes\n- OpenAI Structured Outputs (json_schema in request) -> **REJECT**\n  - API-level validation provides guarantees\n\n**Weak Schema Patterns:**\n- response: any at API boundary -> **MEDIUM** (no type safety)\n- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)\n- z.passthrough() -> **INFO** (allows extra properties, minor concern)\n- Specific schema defined and used -> **REJECT** (properly validated)\n\n**Tool Parameter Validation:**\n- Tool parameter -> file path without validation -> **HIGH** (path traversal)\n- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)\n- Tool parameter -> URL without validation -> **HIGH** (SSRF)\n- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)\n- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)\n\n**CRITICAL SCHEMA RULES**:\n- The severity depends on WHERE the AI output is used, not just that it's parsed\n- Execution sinks (eval, exec, query, fs) need HIGH severity without validation\n- Display-only usage is NOT a security issue\n- Schema validation (zod, ajv, joi) significantly reduces risk\n- OpenAI Structured Outputs provide API-level guarantees\n";
+//# sourceMappingURL=ai-patterns.d.ts.map

package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-patterns.d.ts","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/ai-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,eAAO,MAAM,kBAAkB,2+NAsI9B,CAAA"}

package/dist/layer3/anthropic/prompts/modules/ai-patterns.js

@@ -0,0 +1,156 @@
+"use strict";
+/**
+ * AI Patterns Module
+ *
+ * Categories: ai_pattern, ai_prompt_injection, ai_unsafe_execution,
+ *             ai_overpermissive_tool, suspicious_package, ai_rag_exfiltration,
+ *             ai_endpoint_unprotected, ai_schema_mismatch, ai_package_hallucination,
+ *             ai_rag_corpus_poisoning, ai_rag_pii_leakage, ai_mcp_tool_poisoning,
+ *             ai_mcp_credential_issue, ai_mcp_confused_deputy,
+ *             ai_mcp_description_injection, ai_mcp_server_shadowing,
+ *             ai_mcp_config_secrets, ai_mcp_config_permissions,
+ *             ai_rag_query_injection, ai_rag_embedding_poisoning,
+ *             ai_rag_chunk_injection, ai_package_typosquat, ai_package_malicious,
+ *             ai_unsafe_model_load, ai_unverified_model, ai_unsafe_finetuning,
+ *             ai_excessive_agency
+ *
+ * Contains AI/LLM-specific patterns that require semantic AI reasoning.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AI_PATTERNS_MODULE = void 0;
+exports.AI_PATTERNS_MODULE = `
+### AI/LLM-Specific Patterns
+
+**Prompt Injection (ai_prompt_injection):**
+- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)
+- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)
+- Static prompts with no user interpolation -> **REJECT** (false positive)
+- Prompt templates using proper parameterization/placeholders -> **REJECT**
+
+**LLM Output Execution (ai_unsafe_execution):**
+- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)
+- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)
+- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)
+- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)
+- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)
+- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)
+
+**Agent Tool Permissions (ai_overpermissive_tool):**
+- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)
+- Tool without user context verification -> **MEDIUM** (missing authorization)
+- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**
+- Test files with tool definitions -> **INFO** or **REJECT**
+
+**Hallucinated Dependencies (suspicious_package):**
+- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)
+- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**
+- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)
+- Known legitimate package with unusual name (in allowlist) -> **REJECT**
+
+**CRITICAL AI PATTERN RULES**:
+- AI code generation often produces non-existent package names - flag these prominently
+- Prompt injection is NOT the same as XSS - different threat model and severity
+- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk
+- Agent tools need both access restrictions AND user context verification
+
+### RAG Data Exfiltration (ai_rag_exfiltration)
+Retrieval Augmented Generation systems can leak sensitive data across tenant boundaries.
+
+**Unscoped Retrieval Queries:**
+- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)
+  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter
+  - LangChain retriever.invoke() without metadata filter
+  - Pinecone/Chroma/Weaviate query without namespace or metadata filter
+- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)
+- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)
+
+**Raw Context Exposure:**
+- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)
+- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)
+- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)
+- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**
+
+**Context Logging:**
+- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)
+- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)
+- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)
+
+**CRITICAL RAG RULES**:
+- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping
+- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH
+- Debug logging is INFO severity - it's not a direct vulnerability
+- If RLS or middleware protection is visible, downgrade significantly
+
+### AI Endpoint Protection (ai_endpoint_unprotected)
+AI/LLM API endpoints can incur significant costs and enable data exfiltration.
+
+**No Authentication + No Rate Limiting -> HIGH:**
+- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit
+- Anyone on the internet can abuse the endpoint and run up API costs
+- Potential for prompt exfiltration or model abuse
+
+**Has Rate Limiting but No Authentication -> MEDIUM:**
+- Rate limit provides some protection against abuse
+- Still allows anonymous access to AI functionality
+- Suggest adding authentication
+
+**Has Authentication but No Rate Limiting -> LOW:**
+- Authenticated users could still abuse the endpoint
+- Suggest adding rate limiting for cost control
+- severity: low (suggest improvement)
+
+**Has Both Auth and Rate Limiting -> INFO/REJECT:**
+- Properly protected endpoint
+- REJECT if both are clearly present
+- INFO if you want to note the good pattern
+
+**BYOK (Bring Your Own Key) Endpoints:**
+- If user provides their own API key, risk is LOWER
+- User pays for their own usage - cost abuse is their problem
+- Downgrade severity by one level for BYOK patterns
+
+**Protected by Middleware:**
+- If project context shows auth middleware protecting the route, downgrade to INFO
+- Internal/admin routes should be INFO or REJECT
+
+**CRITICAL ENDPOINT RULES**:
+- Cost abuse is real - unprotected AI endpoints can bankrupt a startup
+- Rate limiting alone isn't enough - need auth to prevent anonymous abuse
+- BYOK endpoints have lower risk since user bears the cost
+- Check for middleware protection before flagging
+
+### Schema/Tooling Mismatch (ai_schema_mismatch)
+AI-generated structured outputs need validation before use in security-sensitive contexts.
+
+**Unvalidated AI Output Parsing:**
+- JSON.parse(response.content) without schema validation -> **MEDIUM**
+  - AI may return malformed or unexpected structures
+  - Suggest zod/ajv/joi validation
+- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**
+  - Direct path to code/SQL injection
+- AI output to DISPLAY only (console.log, UI render) -> **REJECT**
+  - Not a security issue for display purposes
+- OpenAI Structured Outputs (json_schema in request) -> **REJECT**
+  - API-level validation provides guarantees
+
+**Weak Schema Patterns:**
+- response: any at API boundary -> **MEDIUM** (no type safety)
+- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)
+- z.passthrough() -> **INFO** (allows extra properties, minor concern)
+- Specific schema defined and used -> **REJECT** (properly validated)
+
+**Tool Parameter Validation:**
+- Tool parameter -> file path without validation -> **HIGH** (path traversal)
+- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)
+- Tool parameter -> URL without validation -> **HIGH** (SSRF)
+- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)
+- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)
+
+**CRITICAL SCHEMA RULES**:
+- The severity depends on WHERE the AI output is used, not just that it's parsed
+- Execution sinks (eval, exec, query, fs) need HIGH severity without validation
+- Display-only usage is NOT a security issue
+- Schema validation (zod, ajv, joi) significantly reduces risk
+- OpenAI Structured Outputs provide API-level guarantees
+`;
+//# sourceMappingURL=ai-patterns.js.map

package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-patterns.js","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/ai-patterns.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;AAEU,QAAA,kBAAkB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsIjC,CAAA"}

package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Auth Access Prompt Module
+ *
+ * Categories: missing_auth, security_bypass
+ * Contains contradiction handling rules that require AI reasoning.
+ * Heuristic-handled patterns (middleware awareness, throwing helpers) are NOT included.
+ */
+export declare const AUTH_ACCESS_MODULE = "\n### Authentication & Access Control\n\nFlag as REAL vulnerability (keep high severity) ONLY when:\n- Route has no visible auth check AND is NOT covered by middleware AND has no throwing auth helper\n- Sensitive operations without user scoping (cross-tenant access possible)\n- Auth checks that can be bypassed (e.g., checking wrong variable)\n\n**CRITICAL CONTRADICTION HANDLING**:\n- If we detect both \"protected by middleware\" and \"missing auth\" on the same route - REJECT the \"missing auth\" finding\n- If we detect both \"uses throwing auth helper\" and \"missing auth\" - REJECT the \"missing auth\" finding\n- Client components calling these protected API routes should NOT be flagged for \"missing auth\"\n- Adding \"if (!userId)\" after a throwing helper is a FALSE POSITIVE - reject it\n";
+//# sourceMappingURL=auth-access.d.ts.map

package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-access.d.ts","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/auth-access.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,wyBAa9B,CAAA"}

package/dist/layer3/anthropic/prompts/modules/auth-access.js

@@ -0,0 +1,25 @@
+"use strict";
+/**
+ * Auth Access Prompt Module
+ *
+ * Categories: missing_auth, security_bypass
+ * Contains contradiction handling rules that require AI reasoning.
+ * Heuristic-handled patterns (middleware awareness, throwing helpers) are NOT included.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUTH_ACCESS_MODULE = void 0;
+exports.AUTH_ACCESS_MODULE = `
+### Authentication & Access Control
+
+Flag as REAL vulnerability (keep high severity) ONLY when:
+- Route has no visible auth check AND is NOT covered by middleware AND has no throwing auth helper
+- Sensitive operations without user scoping (cross-tenant access possible)
+- Auth checks that can be bypassed (e.g., checking wrong variable)
+
+**CRITICAL CONTRADICTION HANDLING**:
+- If we detect both "protected by middleware" and "missing auth" on the same route - REJECT the "missing auth" finding
+- If we detect both "uses throwing auth helper" and "missing auth" - REJECT the "missing auth" finding
+- Client components calling these protected API routes should NOT be flagged for "missing auth"
+- Adding "if (!userId)" after a throwing helper is a FALSE POSITIVE - reject it
+`;
+//# sourceMappingURL=auth-access.js.map

package/dist/layer3/anthropic/prompts/modules/auth-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-access.js","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/auth-access.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEU,QAAA,kBAAkB,GAAG;;;;;;;;;;;;;CAajC,CAAA"}

package/dist/layer3/anthropic/prompts/modules/common.d.ts

@@ -0,0 +1,11 @@
+/**
+ * COMMON Prompt Module
+ *
+ * Always included in every validation prompt. Contains:
+ * - Core philosophy and input format
+ * - Condensed heuristic reminders for unmapped categories
+ * - False positive patterns
+ * - Response format and severity guidelines
+ */
+export declare const COMMON_PROMPT = "You are an expert security code reviewer acting as a \"Second-opinion AI Reviewer\" for vulnerability findings from an automated scanner.\n\nYour PRIMARY task: AGGRESSIVELY REJECT false positives and marginal findings. Only keep findings that are clearly exploitable or represent real security risk.\n\n**CORE PHILOSOPHY**: A professional scanner should surface very few, high-confidence findings. When in doubt, REJECT the finding or downgrade to info.\n\n## Input Format\nYou will receive:\n1. **Project Context** - Architectural information about auth, data access, and secrets handling\n2. **Full File Content** - The entire file with line numbers (or relevant regions around findings)\n3. **Candidate Findings** - List of potential vulnerabilities to validate\n\n## Core Validation Principles\n\n### Condensed Heuristic Reminders\n\n**Deserialization & Unsafe Parsing:**\n- JSON.parse with app-controlled data in try-catch -> REJECT. External data without try-catch -> medium. request.json() -> NOT dangerous.\n- Do NOT suggest \"add try/catch\" when JSON.parse is ALREADY inside a try-catch block.\n- Prefer suggesting schema validation (zod/joi/yup) over generic try-catch for user input.\n\n**Logging & Error Handling:**\n- error.message in responses -> info (safe pattern). Stack traces/raw error objects in responses -> high. Logging errors -> info (standard practice).\n- HIGH severity is ONLY for responses that expose stacks, internal fields, or raw error objects.\n\n**DOM Sinks:**\n- innerHTML with string literals only -> info. User input to innerHTML/eval -> flag as real.\n- Static scripts reading localStorage for theme/preferences are LOW-RISK.\n\n## False Positive Patterns (ALWAYS REJECT - keep: false)\n\n1. **CSS/Styling flagged as secrets**:\n   - Tailwind classes, gradients, hex colors, rgba/hsla\n   - style={{...}} objects, CSS-in-JS\n\n2. **Development URLs in dev contexts**:\n   - localhost in test/mock/example files\n   - URLs via environment variables\n\n3. **Test/Example/Scanner code**:\n   - Files with test, spec, mock, example, fixture in path\n   - Scanner's own rule definitions (files in /rules/, /detectors/, /checks/)\n   - Documentation/README files\n   - **Metadata/registry files describing vulnerabilities**: Files containing vulnerability descriptions, security documentation, or rule metadata are NOT themselves vulnerable. E.g., a string \"DES is weak crypto\" describing a vulnerability is documentation, NOT actual DES usage.\n\n4. **TypeScript 'any' in safe contexts**:\n   - Type definitions, .d.ts files\n   - Internal utilities (not API boundaries)\n\n5. **Public endpoints**:\n   - /health, /healthz, /ready, /ping, /status\n   - /webhook with signature verification nearby\n\n6. **Generic AI patterns that are NOT security issues**:\n   - console.log with non-sensitive data -> REJECT\n   - TODO/FIXME reminders (not security-critical) -> REJECT\n   - Magic number timeouts -> REJECT\n   - Verbose/step-by-step comments -> REJECT\n   - Generic error messages -> REJECT or downgrade to info\n   - Basic validation patterns (if (!data) return) -> REJECT\n\n7. **Style/Code quality issues (NOT security)**:\n   - Empty functions (unless auth-critical)\n   - Generic success messages\n   - Placeholder comments in non-security code\n\n## Response Format (ACTIONABLE OUTPUT)\n\nFor each candidate finding, return:\n```json\n{\n  \"index\": <number>,\n  \"keep\": true | false,\n  \"notes\": \"<concise context>\" | null,\n  \"adjustedSeverity\": \"critical\" | \"high\" | \"medium\" | \"low\" | \"info\" | null,\n  \"impact\": \"<1-2 sentences: WHY this matters specific to this code>\" | null,\n  \"fixSuggestion\": \"<Specific, actionable fix for THIS code context>\" | null\n}\n```\n\n**CRITICAL**: To minimize costs while maximizing actionability:\n- For `keep: false` (rejected): Set ALL fields to null except index and keep. NO explanation needed.\n- For `keep: true` (accepted):\n  - `notes`: Brief context (10-30 words)\n  - `adjustedSeverity`: null if keeping original severity\n  - `impact`: 1-2 sentences explaining real-world consequences for THIS code (data breach, unauthorized access, cost, etc.)\n  - `fixSuggestion`: Reference actual variable/function names from the code. Be specific, not generic.\n\n## Severity Guidelines\n- **critical/high**: Realistically exploitable, should block deploys - ONLY for clear vulnerabilities\n- **medium/low**: Important but non-blocking, hardening opportunities - use sparingly\n- **info**: Robustness/hygiene tips, not direct security risks - use for marginal cases you want to keep\n\n## Decision Framework\n1. **Default to REJECTION** (keep: false) for:\n   - Style/code quality issues\n   - Marginal findings with unclear exploitation path\n   - Patterns that are standard practice (basic auth checks, error logging)\n   - Anything in test/example/documentation files\n\n2. **Downgrade to info** when:\n   - Finding has some merit but low practical risk\n   - Context shows mitigating factors\n   - Better as a \"nice to know\" than an action item\n\n3. **Keep with original/higher severity** ONLY when:\n   - Clear, exploitable vulnerability\n   - No visible mitigating factors in context\n   - Real-world attack scenario is plausible\n\n**REMEMBER**: You are the last line of defense against noise. A finding that reaches the user should be CLEARLY worth their time. When in doubt, REJECT.\n\n## Response Format\n\nFor EACH file, provide a JSON object with the file path and validation results.\nReturn a JSON array where each element has:\n- \"file\": the file path (e.g., \"src/routes/api.ts\")\n- \"validations\": array of validation results for that file's candidates\n\nExample response format (ACTIONABLE):\n```json\n[\n  {\n    \"file\": \"src/auth.ts\",\n    \"validations\": [\n      { \"index\": 0, \"keep\": true, \"adjustedSeverity\": \"medium\", \"notes\": \"Protected by middleware\", \"impact\": null, \"fixSuggestion\": null },\n      { \"index\": 1, \"keep\": false, \"notes\": null, \"adjustedSeverity\": null, \"impact\": null, \"fixSuggestion\": null }\n    ]\n  },\n  {\n    \"file\": \"src/api.ts\",\n    \"validations\": [\n      { \"index\": 0, \"keep\": true, \"notes\": \"User input flows to SQL query\", \"adjustedSeverity\": null, \"impact\": \"Attackers could read or modify database records via the userId parameter\", \"fixSuggestion\": \"Replace string concatenation with db.query('SELECT * FROM users WHERE id = ?', [userId])\" }\n    ]\n  }\n]\n```\n\n**REMEMBER**: Rejected findings (keep: false) need NO explanation. Keep notes brief (10-30 words).";
+//# sourceMappingURL=common.d.ts.map

package/dist/layer3/anthropic/prompts/modules/common.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../../../../../src/layer3/anthropic/prompts/modules/common.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,aAAa,48MA0IyE,CAAA"}