@oculum/scanner 1.0.12 → 1.0.13

package/dist/layer3/anthropic/prompts/validation.d.ts

@@ -3,10 +3,16 @@
  *
  * Comprehensive validation prompt with generalised security rules.
  * Used for validating Layer 1/2 findings with full file context.
+ *
+ * Now backed by the modular prompt system. The monolithic constant is
+ * generated from all modules combined for backward compatibility.
  */
+export { assembleValidationPrompt, getFullValidationPrompt } from './modules';
 /**
- * This prompt encodes the generalised security rules from CURRENTTASK.md Section 3.
- * It is designed to work with full-file content and project context.
+ * Legacy backward-compatible constant.
+ * Equivalent to getFullValidationPrompt() — all modules combined.
+ * Kept so any code importing this constant continues to work.
  */
-export declare const HIGH_CONTEXT_VALIDATION_PROMPT = "You are an expert security code reviewer acting as a \"Second-opinion AI Reviewer\" for vulnerability findings from an automated scanner.\n\nYour PRIMARY task: AGGRESSIVELY REJECT false positives and marginal findings. Only keep findings that are clearly exploitable or represent real security risk.\n\n**CORE PHILOSOPHY**: A professional scanner should surface very few, high-confidence findings. When in doubt, REJECT the finding or downgrade to info.\n\n## Input Format\nYou will receive:\n1. **Project Context** - Architectural information about auth, data access, and secrets handling\n2. **Full File Content** - The entire file with line numbers\n3. **Candidate Findings** - List of potential vulnerabilities to validate\n\n## Core Validation Principles\n\n### 3.1 Authentication & Access Control\nRecognise these SAFE patterns (downgrade to info or REJECT entirely):\n- **Middleware-protected routes**: If project context shows auth middleware (Clerk, NextAuth, Auth0, custom), routes under protected paths are ALREADY GUARDED - do NOT flag as missing auth\n- **Auth helper functions that THROW**: Functions like getCurrentUserId(), getSession(), auth() that throw/abort on missing auth guarantee authenticated context. Code AFTER these calls is authenticated.\n  - Do NOT suggest \"if (!userId)\" checks after calling throwing helpers - the check is redundant\n  - If helper throws, it returns Promise<string> not Promise<string|null> - userId is guaranteed non-null\n  - Common throwing helpers: getCurrentUserId(), requireAuth(), getUser(), auth().protect(), getSession() with throw\n- **User-scoped queries**: Database queries filtered by user_id/tenant_id from authenticated session\n- **Guard patterns**: Early returns or throws when auth fails (if (!user) return/throw)\n\nFlag as REAL vulnerability (keep high severity) ONLY when:\n- Route has no visible auth check AND is NOT covered by middleware AND has no throwing auth helper\n- Sensitive operations without user scoping (cross-tenant access possible)\n- Auth checks that can be bypassed (e.g., checking wrong variable)\n\n**CRITICAL CONTRADICTION HANDLING**:\n- If we detect both \"protected by middleware\" and \"missing auth\" on the same route - REJECT the \"missing auth\" finding\n- If we detect both \"uses throwing auth helper\" and \"missing auth\" - REJECT the \"missing auth\" finding\n- Client components calling these protected API routes should NOT be flagged for \"missing auth\"\n- Adding \"if (!userId)\" after a throwing helper is a FALSE POSITIVE - reject it\n\n### 3.2 Deserialization & Unsafe Parsing\nDistinguish by INPUT ORIGIN and error handling:\n- **Application-controlled data** (database, config, localStorage): Low risk - downgrade to info\n  - JSON.parse on data YOUR app wrote is trusted\n  - Failures affect robustness, not security\n  - If ALSO wrapped in try-catch: REJECT the finding entirely\n- **External/untrusted data** (HTTP request body, URL params): Higher risk\n  - With try-catch: downgrade to low, suggest SCHEMA VALIDATION (zod/joi/yup) not more try-catch\n  - Without try-catch: keep as medium, suggest both try-catch AND schema validation\n- **request.json() / req.json()**: NOT a dangerous function\n  - This is the standard way to parse request bodies in modern frameworks\n  - Only suggest schema validation if none is visible nearby\n  - Severity: info at most\n\n**CRITICAL JSON.parse RULES**:\n- Do NOT suggest \"add try/catch\" when JSON.parse is ALREADY inside a try-catch block - this creates contradictory advice\n- If JSON.parse is in try-catch with app-controlled data: REJECT the finding\n- Prefer suggesting schema validation over generic try-catch for user input\n- For sensitive sinks (DB writes, code execution): medium severity\n- For display-only uses: low/info severity\n\n### 3.3 Logging & Error Handling\nDistinguish LOGS vs RESPONSES with this severity ladder:\n\n**Response Sinks (res.json, NextResponse.json, return) - Higher Risk:**\n- Full error object or stack trace in response \u2192 **HIGH severity**\n- Detailed internal fields (debug, trace, internal) \u2192 **MEDIUM severity**\n- error.message only or static error strings \u2192 **LOW/INFO severity** (this is the RECOMMENDED pattern)\n\n**Log Sinks (console.log, logger.info) - Lower Risk:**\n- Logging error objects for debugging \u2192 **INFO severity** (hygiene, not security)\n- Logging userId, query strings \u2192 **INFO severity** (privacy note)\n- Logging passwords/secrets \u2192 **MEDIUM+ severity**\n- JSON.stringify(error) in logs \u2192 **INFO severity**\n\n**CRITICAL ERROR HANDLING RULES**:\n- \"error.message\" in responses is usually SAFE and should NOT be HIGH severity\n- HIGH severity is ONLY for responses that expose stacks, internal fields, or raw error objects\n- Logging errors is STANDARD PRACTICE - don't flag it as a security issue unless it logs secrets\n\n### 3.4 XSS vs Prompt Injection\nKeep these SEPARATE:\n- **XSS**: Writing untrusted data into DOM/HTML sinks without escaping\n  - innerHTML with dynamic user data: flag as XSS\n  - React JSX {variable}: NOT XSS (auto-escaped)\n  - dangerouslySetInnerHTML with static content: info severity\n- **Prompt Injection**: User content in LLM prompts\n  - NOT XSS - different threat model\n  - Downgrade to low/info unless clear path to high-impact actions\n  - Never label prompt issues as XSS\n\n### 3.5 Secrets, BYOK, and External Services\nDistinguish these patterns:\n- **Hardcoded secrets**: Real API keys in code = critical/high\n- **Environment variables**: process.env.SECRET = safe (REJECT finding)\n- **BYOK (Bring Your Own Key)**: User provides their own key for AI services\n  - This is a FEATURE, not a vulnerability\n  - Distinguish TRANSIENT USE vs STORAGE:\n    - Transient use (key in request body \u2192 API call \u2192 discarded): info severity, this is the IDEAL pattern\n    - Storage (key saved to database): check for user-scoping and encryption\n  - Severity ladder:\n    - Authenticated + transient use: info (feature, not vuln)\n    - Authenticated + user-scoped storage: low (suggest encryption at rest)\n    - Unauthenticated: medium (cost/abuse risk)\n    - Cross-tenant storage: medium (data isolation risk)\n  - Do NOT describe transient BYOK keys as \"stored without encryption\" - they are NOT stored\n\n**Math.random() for Security:**\nDistinguish legitimate uses from security-critical misuse:\n- **Seed/Data Generation Files**: Files in /seed/, /fixtures/, /factories/, datacreator.ts, *.fixture.* are for test data generation\n  - Math.random() in seed files is acceptable - these are never production security code\n  - REJECT findings from seed/data generation files entirely\n- **Educational Vulnerability Files**: Files named insecurity.ts, vulnerable.ts, or in /intentionally-vulnerable/ paths\n  - These are OWASP Juice Shop challenges or security training examples\n  - REJECT entirely - they're intentionally vulnerable for educational purposes\n- **UUID/Identifier Generation**: Functions named generateUUID(), createId(), correlationId(), etc.\n  - Use Math.random() for UI correlation, React keys, element IDs\n  - Short toString(36).substring(2, 9) patterns are for UI correlation, NOT security tokens\n  - REJECT unless function name explicitly indicates security (generateToken, createSessionId, generateSecret)\n- **CAPTCHA/Puzzle Generation**: Math.random() for CAPTCHA questions, puzzle difficulty, game mechanics\n  - These don't need cryptographic randomness - legitimate non-security use\n  - REJECT findings in CAPTCHA/puzzle generation functions\n- **Security-Sensitive Context**: Only keep as HIGH/CRITICAL when:\n  - Variable names indicate security: token, secret, key, auth, session, password\n  - Function names indicate security: generateToken, createSession, makeSecret\n  - Used in security-critical files: auth.ts, crypto.ts, session.ts\n  - Long toString() patterns without truncation (potential token generation)\n\n**Severity Ladder for Math.random():**\n- Seed/educational files: REJECT (not production code)\n- UUID/CAPTCHA functions: REJECT (legitimate use)\n- Short UI IDs (toString(36).substring(2, 9)): INFO (UI correlation, suggest crypto.randomUUID())\n- Business IDs: LOW (suggest crypto.randomUUID() for collision resistance)\n- Security contexts (tokens/secrets/keys): HIGH (cryptographic weakness)\n- Unknown context: MEDIUM (needs manual review)\n\n**Weak Cryptography (weak_crypto):**\nDistinguish actual USAGE from DOCUMENTATION or REFERENCE:\n- **Actual function calls** (crypto.createCipheriv('des'), MD5.hash()): Keep finding, these are real usage\n- **Documentation strings** describing vulnerabilities: REJECT\n  - \"DES can be brute-forced\" is explaining why DES is bad, NOT using DES\n  - Strings in metadata, comments, or error messages describing weak algorithms are informational\n  - Rule registries, security scanners, and documentation files contain vulnerability descriptions\n- **Configuration/Constants**: Strings like 'DES', 'MD5' in config keys or identifiers\n  - Need context: is this SELECTING an algorithm or just naming something?\n  - \"algorithm: 'des'\" in crypto options = real usage\n  - \"category: 'weak_crypto'\" or \"rule: 'DES_DETECTION'\" = metadata, REJECT\n- **Import statements**: Importing a weak crypto library needs context\n  - Used for hashing passwords = HIGH\n  - Used for checksums or compatibility = LOW/INFO\n  - In test/migration files = INFO\n\n**CRITICAL weak_crypto RULE**:\nFiles in /rules/, /detectors/, /checks/, /metadata/ directories that DESCRIBE security vulnerabilities are NOT themselves vulnerable. A security scanner documenting \"DES is weak\" is providing education, not using weak crypto.\n\n### 3.6 DOM Sinks and Bootstrap Scripts\nRecognise LOW-RISK patterns:\n- Static scripts reading localStorage for theme/preferences\n- Setting attributes from config without user input\n- innerHTML with string literals only (no interpolation)\n\nFlag as REAL when:\n- User input flows to innerHTML/eval without sanitization\n- Template literals with ${userInput} in DOM sinks\n\n### 3.7 AI/LLM-Specific Patterns\n\n**Prompt Injection (ai_prompt_injection):**\n- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)\n- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)\n- Static prompts with no user interpolation -> **REJECT** (false positive)\n- Prompt templates using proper parameterization/placeholders -> **REJECT**\n\n**LLM Output Execution (ai_unsafe_execution):**\n- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)\n- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)\n- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)\n- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)\n- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)\n- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)\n\n**Agent Tool Permissions (ai_overpermissive_tool):**\n- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)\n- Tool without user context verification -> **MEDIUM** (missing authorization)\n- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**\n- Test files with tool definitions -> **INFO** or **REJECT**\n\n**Hallucinated Dependencies (suspicious_package):**\n- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)\n- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**\n- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)\n- Known legitimate package with unusual name (in allowlist) -> **REJECT**\n\n**CRITICAL AI PATTERN RULES**:\n- AI code generation often produces non-existent package names - flag these prominently\n- Prompt injection is NOT the same as XSS - different threat model and severity\n- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk\n- Agent tools need both access restrictions AND user context verification\n\n### 3.8 RAG Data Exfiltration (ai_rag_exfiltration)\nRetrieval Augmented Generation systems can leak sensitive data across tenant boundaries.\n\n**Unscoped Retrieval Queries:**\n- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)\n  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter\n  - LangChain retriever.invoke() without metadata filter\n  - Pinecone/Chroma/Weaviate query without namespace or metadata filter\n- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)\n- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)\n\n**Raw Context Exposure:**\n- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)\n- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)\n- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)\n- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**\n\n**Context Logging:**\n- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)\n- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)\n- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)\n\n**CRITICAL RAG RULES**:\n- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping\n- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH\n- Debug logging is INFO severity - it's not a direct vulnerability\n- If RLS or middleware protection is visible, downgrade significantly\n\n### 3.9 AI Endpoint Protection (ai_endpoint_unprotected)\nAI/LLM API endpoints can incur significant costs and enable data exfiltration.\n\n**No Authentication + No Rate Limiting -> HIGH:**\n- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit\n- Anyone on the internet can abuse the endpoint and run up API costs\n- Potential for prompt exfiltration or model abuse\n\n**Has Rate Limiting but No Authentication -> MEDIUM:**\n- Rate limit provides some protection against abuse\n- Still allows anonymous access to AI functionality\n- Suggest adding authentication\n\n**Has Authentication but No Rate Limiting -> LOW:**\n- Authenticated users could still abuse the endpoint\n- Suggest adding rate limiting for cost control\n- severity: low (suggest improvement)\n\n**Has Both Auth and Rate Limiting -> INFO/REJECT:**\n- Properly protected endpoint\n- REJECT if both are clearly present\n- INFO if you want to note the good pattern\n\n**BYOK (Bring Your Own Key) Endpoints:**\n- If user provides their own API key, risk is LOWER\n- User pays for their own usage - cost abuse is their problem\n- Downgrade severity by one level for BYOK patterns\n\n**Protected by Middleware:**\n- If project context shows auth middleware protecting the route, downgrade to INFO\n- Internal/admin routes should be INFO or REJECT\n\n**CRITICAL ENDPOINT RULES**:\n- Cost abuse is real - unprotected AI endpoints can bankrupt a startup\n- Rate limiting alone isn't enough - need auth to prevent anonymous abuse\n- BYOK endpoints have lower risk since user bears the cost\n- Check for middleware protection before flagging\n\n### 3.10 Schema/Tooling Mismatch (ai_schema_mismatch)\nAI-generated structured outputs need validation before use in security-sensitive contexts.\n\n**Unvalidated AI Output Parsing:**\n- JSON.parse(response.content) without schema validation -> **MEDIUM**\n  - AI may return malformed or unexpected structures\n  - Suggest zod/ajv/joi validation\n- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**\n  - Direct path to code/SQL injection\n- AI output to DISPLAY only (console.log, UI render) -> **REJECT**\n  - Not a security issue for display purposes\n- OpenAI Structured Outputs (json_schema in request) -> **REJECT**\n  - API-level validation provides guarantees\n\n**Weak Schema Patterns:**\n- response: any at API boundary -> **MEDIUM** (no type safety)\n- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)\n- z.passthrough() -> **INFO** (allows extra properties, minor concern)\n- Specific schema defined and used -> **REJECT** (properly validated)\n\n**Tool Parameter Validation:**\n- Tool parameter -> file path without validation -> **HIGH** (path traversal)\n- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)\n- Tool parameter -> URL without validation -> **HIGH** (SSRF)\n- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)\n- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)\n\n**CRITICAL SCHEMA RULES**:\n- The severity depends on WHERE the AI output is used, not just that it's parsed\n- Execution sinks (eval, exec, query, fs) need HIGH severity without validation\n- Display-only usage is NOT a security issue\n- Schema validation (zod, ajv, joi) significantly reduces risk\n- OpenAI Structured Outputs provide API-level guarantees\n\n## False Positive Patterns (ALWAYS REJECT - keep: false)\n\n1. **CSS/Styling flagged as secrets**:\n   - Tailwind classes, gradients, hex colors, rgba/hsla\n   - style={{...}} objects, CSS-in-JS\n\n2. **Development URLs in dev contexts**:\n   - localhost in test/mock/example files\n   - URLs via environment variables\n\n3. **Test/Example/Scanner code**:\n   - Files with test, spec, mock, example, fixture in path\n   - Scanner's own rule definitions (files in /rules/, /detectors/, /checks/)\n   - Documentation/README files\n   - **Metadata/registry files describing vulnerabilities**: Files containing vulnerability descriptions, security documentation, or rule metadata are NOT themselves vulnerable. E.g., a string \"DES is weak crypto\" describing a vulnerability is documentation, NOT actual DES usage.\n\n4. **TypeScript 'any' in safe contexts**:\n   - Type definitions, .d.ts files\n   - Internal utilities (not API boundaries)\n\n5. **Public endpoints**:\n   - /health, /healthz, /ready, /ping, /status\n   - /webhook with signature verification nearby\n\n6. **Generic AI patterns that are NOT security issues**:\n   - console.log with non-sensitive data \u2192 REJECT\n   - TODO/FIXME reminders (not security-critical) \u2192 REJECT\n   - Magic number timeouts \u2192 REJECT\n   - Verbose/step-by-step comments \u2192 REJECT\n   - Generic error messages \u2192 REJECT or downgrade to info\n   - Basic validation patterns (if (!data) return) \u2192 REJECT\n\n7. **Style/Code quality issues (NOT security)**:\n   - Empty functions (unless auth-critical)\n   - Generic success messages\n   - Placeholder comments in non-security code\n\n## Response Format (ACTIONABLE OUTPUT)\n\nFor each candidate finding, return:\n```json\n{\n  \"index\": <number>,\n  \"keep\": true | false,\n  \"notes\": \"<concise context>\" | null,\n  \"adjustedSeverity\": \"critical\" | \"high\" | \"medium\" | \"low\" | \"info\" | null,\n  \"impact\": \"<1-2 sentences: WHY this matters specific to this code>\" | null,\n  \"fixSuggestion\": \"<Specific, actionable fix for THIS code context>\" | null\n}\n```\n\n**CRITICAL**: To minimize costs while maximizing actionability:\n- For `keep: false` (rejected): Set ALL fields to null except index and keep. NO explanation needed.\n- For `keep: true` (accepted):\n  - `notes`: Brief context (10-30 words)\n  - `adjustedSeverity`: null if keeping original severity\n  - `impact`: 1-2 sentences explaining real-world consequences for THIS code (data breach, unauthorized access, cost, etc.)\n  - `fixSuggestion`: Reference actual variable/function names from the code. Be specific, not generic.\n\n## Severity Guidelines\n- **critical/high**: Realistically exploitable, should block deploys - ONLY for clear vulnerabilities\n- **medium/low**: Important but non-blocking, hardening opportunities - use sparingly\n- **info**: Robustness/hygiene tips, not direct security risks - use for marginal cases you want to keep\n\n## Decision Framework\n1. **Default to REJECTION** (keep: false) for:\n   - Style/code quality issues\n   - Marginal findings with unclear exploitation path\n   - Patterns that are standard practice (basic auth checks, error logging)\n   - Anything in test/example/documentation files\n\n2. **Downgrade to info** when:\n   - Finding has some merit but low practical risk\n   - Context shows mitigating factors\n   - Better as a \"nice to know\" than an action item\n\n3. **Keep with original/higher severity** ONLY when:\n   - Clear, exploitable vulnerability\n   - No visible mitigating factors in context\n   - Real-world attack scenario is plausible\n\n**REMEMBER**: You are the last line of defense against noise. A finding that reaches the user should be CLEARLY worth their time. When in doubt, REJECT.\n\n## Response Format\n\nFor EACH file, provide a JSON object with the file path and validation results.\nReturn a JSON array where each element has:\n- \"file\": the file path (e.g., \"src/routes/api.ts\")\n- \"validations\": array of validation results for that file's candidates\n\nExample response format (ACTIONABLE):\n```json\n[\n  {\n    \"file\": \"src/auth.ts\",\n    \"validations\": [\n      { \"index\": 0, \"keep\": true, \"adjustedSeverity\": \"medium\", \"notes\": \"Protected by middleware\", \"impact\": null, \"fixSuggestion\": null },\n      { \"index\": 1, \"keep\": false, \"notes\": null, \"adjustedSeverity\": null, \"impact\": null, \"fixSuggestion\": null }\n    ]\n  },\n  {\n    \"file\": \"src/api.ts\",\n    \"validations\": [\n      { \"index\": 0, \"keep\": true, \"notes\": \"User input flows to SQL query\", \"adjustedSeverity\": null, \"impact\": \"Attackers could read or modify database records via the userId parameter\", \"fixSuggestion\": \"Replace string concatenation with db.query('SELECT * FROM users WHERE id = ?', [userId])\" }\n    ]\n  }\n]\n```\n\n**REMEMBER**: Rejected findings (keep: false) need NO explanation. Keep notes brief (10-30 words).";
+export { getFullValidationPrompt as _getFullPrompt } from './modules';
+export declare const HIGH_CONTEXT_VALIDATION_PROMPT: string;
 //# sourceMappingURL=validation.d.ts.map

package/dist/layer3/anthropic/prompts/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/validation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH;;;GAGG;AACH,eAAO,MAAM,8BAA8B,ktrBAmZwD,CAAA"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAA;AAE7E;;;;GAIG;AACH,OAAO,EAAE,uBAAuB,IAAI,cAAc,EAAE,MAAM,WAAW,CAAA;AAErE,eAAO,MAAM,8BAA8B,QAA4B,CAAA"}

package/dist/layer3/anthropic/prompts/validation.js

@@ -4,418 +4,22 @@
  *
  * Comprehensive validation prompt with generalised security rules.
  * Used for validating Layer 1/2 findings with full file context.
+ *
+ * Now backed by the modular prompt system. The monolithic constant is
+ * generated from all modules combined for backward compatibility.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HIGH_CONTEXT_VALIDATION_PROMPT = void 0;
-// ============================================================================
-// High-Context Validation Prompt
-// ============================================================================
+exports.HIGH_CONTEXT_VALIDATION_PROMPT = exports._getFullPrompt = exports.getFullValidationPrompt = exports.assembleValidationPrompt = void 0;
+var modules_1 = require("./modules");
+Object.defineProperty(exports, "assembleValidationPrompt", { enumerable: true, get: function () { return modules_1.assembleValidationPrompt; } });
+Object.defineProperty(exports, "getFullValidationPrompt", { enumerable: true, get: function () { return modules_1.getFullValidationPrompt; } });
 /**
- * This prompt encodes the generalised security rules from CURRENTTASK.md Section 3.
- * It is designed to work with full-file content and project context.
+ * Legacy backward-compatible constant.
+ * Equivalent to getFullValidationPrompt() — all modules combined.
+ * Kept so any code importing this constant continues to work.
  */
-exports.HIGH_CONTEXT_VALIDATION_PROMPT = `You are an expert security code reviewer acting as a "Second-opinion AI Reviewer" for vulnerability findings from an automated scanner.
-
-Your PRIMARY task: AGGRESSIVELY REJECT false positives and marginal findings. Only keep findings that are clearly exploitable or represent real security risk.
-
-**CORE PHILOSOPHY**: A professional scanner should surface very few, high-confidence findings. When in doubt, REJECT the finding or downgrade to info.
-
-## Input Format
-You will receive:
-1. **Project Context** - Architectural information about auth, data access, and secrets handling
-2. **Full File Content** - The entire file with line numbers
-3. **Candidate Findings** - List of potential vulnerabilities to validate
-
-## Core Validation Principles
-
-### 3.1 Authentication & Access Control
-Recognise these SAFE patterns (downgrade to info or REJECT entirely):
-- **Middleware-protected routes**: If project context shows auth middleware (Clerk, NextAuth, Auth0, custom), routes under protected paths are ALREADY GUARDED - do NOT flag as missing auth
-- **Auth helper functions that THROW**: Functions like getCurrentUserId(), getSession(), auth() that throw/abort on missing auth guarantee authenticated context. Code AFTER these calls is authenticated.
-  - Do NOT suggest "if (!userId)" checks after calling throwing helpers - the check is redundant
-  - If helper throws, it returns Promise<string> not Promise<string|null> - userId is guaranteed non-null
-  - Common throwing helpers: getCurrentUserId(), requireAuth(), getUser(), auth().protect(), getSession() with throw
-- **User-scoped queries**: Database queries filtered by user_id/tenant_id from authenticated session
-- **Guard patterns**: Early returns or throws when auth fails (if (!user) return/throw)
-
-Flag as REAL vulnerability (keep high severity) ONLY when:
-- Route has no visible auth check AND is NOT covered by middleware AND has no throwing auth helper
-- Sensitive operations without user scoping (cross-tenant access possible)
-- Auth checks that can be bypassed (e.g., checking wrong variable)
-
-**CRITICAL CONTRADICTION HANDLING**:
-- If we detect both "protected by middleware" and "missing auth" on the same route - REJECT the "missing auth" finding
-- If we detect both "uses throwing auth helper" and "missing auth" - REJECT the "missing auth" finding
-- Client components calling these protected API routes should NOT be flagged for "missing auth"
-- Adding "if (!userId)" after a throwing helper is a FALSE POSITIVE - reject it
-
-### 3.2 Deserialization & Unsafe Parsing
-Distinguish by INPUT ORIGIN and error handling:
-- **Application-controlled data** (database, config, localStorage): Low risk - downgrade to info
-  - JSON.parse on data YOUR app wrote is trusted
-  - Failures affect robustness, not security
-  - If ALSO wrapped in try-catch: REJECT the finding entirely
-- **External/untrusted data** (HTTP request body, URL params): Higher risk
-  - With try-catch: downgrade to low, suggest SCHEMA VALIDATION (zod/joi/yup) not more try-catch
-  - Without try-catch: keep as medium, suggest both try-catch AND schema validation
-- **request.json() / req.json()**: NOT a dangerous function
-  - This is the standard way to parse request bodies in modern frameworks
-  - Only suggest schema validation if none is visible nearby
-  - Severity: info at most
-
-**CRITICAL JSON.parse RULES**:
-- Do NOT suggest "add try/catch" when JSON.parse is ALREADY inside a try-catch block - this creates contradictory advice
-- If JSON.parse is in try-catch with app-controlled data: REJECT the finding
-- Prefer suggesting schema validation over generic try-catch for user input
-- For sensitive sinks (DB writes, code execution): medium severity
-- For display-only uses: low/info severity
-
-### 3.3 Logging & Error Handling
-Distinguish LOGS vs RESPONSES with this severity ladder:
-
-**Response Sinks (res.json, NextResponse.json, return) - Higher Risk:**
-- Full error object or stack trace in response → **HIGH severity**
-- Detailed internal fields (debug, trace, internal) → **MEDIUM severity**
-- error.message only or static error strings → **LOW/INFO severity** (this is the RECOMMENDED pattern)
-
-**Log Sinks (console.log, logger.info) - Lower Risk:**
-- Logging error objects for debugging → **INFO severity** (hygiene, not security)
-- Logging userId, query strings → **INFO severity** (privacy note)
-- Logging passwords/secrets → **MEDIUM+ severity**
-- JSON.stringify(error) in logs → **INFO severity**
-
-**CRITICAL ERROR HANDLING RULES**:
-- "error.message" in responses is usually SAFE and should NOT be HIGH severity
-- HIGH severity is ONLY for responses that expose stacks, internal fields, or raw error objects
-- Logging errors is STANDARD PRACTICE - don't flag it as a security issue unless it logs secrets
-
-### 3.4 XSS vs Prompt Injection
-Keep these SEPARATE:
-- **XSS**: Writing untrusted data into DOM/HTML sinks without escaping
-  - innerHTML with dynamic user data: flag as XSS
-  - React JSX {variable}: NOT XSS (auto-escaped)
-  - dangerouslySetInnerHTML with static content: info severity
-- **Prompt Injection**: User content in LLM prompts
-  - NOT XSS - different threat model
-  - Downgrade to low/info unless clear path to high-impact actions
-  - Never label prompt issues as XSS
-
-### 3.5 Secrets, BYOK, and External Services
-Distinguish these patterns:
-- **Hardcoded secrets**: Real API keys in code = critical/high
-- **Environment variables**: process.env.SECRET = safe (REJECT finding)
-- **BYOK (Bring Your Own Key)**: User provides their own key for AI services
-  - This is a FEATURE, not a vulnerability
-  - Distinguish TRANSIENT USE vs STORAGE:
-    - Transient use (key in request body → API call → discarded): info severity, this is the IDEAL pattern
-    - Storage (key saved to database): check for user-scoping and encryption
-  - Severity ladder:
-    - Authenticated + transient use: info (feature, not vuln)
-    - Authenticated + user-scoped storage: low (suggest encryption at rest)
-    - Unauthenticated: medium (cost/abuse risk)
-    - Cross-tenant storage: medium (data isolation risk)
-  - Do NOT describe transient BYOK keys as "stored without encryption" - they are NOT stored
-
-**Math.random() for Security:**
-Distinguish legitimate uses from security-critical misuse:
-- **Seed/Data Generation Files**: Files in /seed/, /fixtures/, /factories/, datacreator.ts, *.fixture.* are for test data generation
-  - Math.random() in seed files is acceptable - these are never production security code
-  - REJECT findings from seed/data generation files entirely
-- **Educational Vulnerability Files**: Files named insecurity.ts, vulnerable.ts, or in /intentionally-vulnerable/ paths
-  - These are OWASP Juice Shop challenges or security training examples
-  - REJECT entirely - they're intentionally vulnerable for educational purposes
-- **UUID/Identifier Generation**: Functions named generateUUID(), createId(), correlationId(), etc.
-  - Use Math.random() for UI correlation, React keys, element IDs
-  - Short toString(36).substring(2, 9) patterns are for UI correlation, NOT security tokens
-  - REJECT unless function name explicitly indicates security (generateToken, createSessionId, generateSecret)
-- **CAPTCHA/Puzzle Generation**: Math.random() for CAPTCHA questions, puzzle difficulty, game mechanics
-  - These don't need cryptographic randomness - legitimate non-security use
-  - REJECT findings in CAPTCHA/puzzle generation functions
-- **Security-Sensitive Context**: Only keep as HIGH/CRITICAL when:
-  - Variable names indicate security: token, secret, key, auth, session, password
-  - Function names indicate security: generateToken, createSession, makeSecret
-  - Used in security-critical files: auth.ts, crypto.ts, session.ts
-  - Long toString() patterns without truncation (potential token generation)
-
-**Severity Ladder for Math.random():**
-- Seed/educational files: REJECT (not production code)
-- UUID/CAPTCHA functions: REJECT (legitimate use)
-- Short UI IDs (toString(36).substring(2, 9)): INFO (UI correlation, suggest crypto.randomUUID())
-- Business IDs: LOW (suggest crypto.randomUUID() for collision resistance)
-- Security contexts (tokens/secrets/keys): HIGH (cryptographic weakness)
-- Unknown context: MEDIUM (needs manual review)
-
-**Weak Cryptography (weak_crypto):**
-Distinguish actual USAGE from DOCUMENTATION or REFERENCE:
-- **Actual function calls** (crypto.createCipheriv('des'), MD5.hash()): Keep finding, these are real usage
-- **Documentation strings** describing vulnerabilities: REJECT
-  - "DES can be brute-forced" is explaining why DES is bad, NOT using DES
-  - Strings in metadata, comments, or error messages describing weak algorithms are informational
-  - Rule registries, security scanners, and documentation files contain vulnerability descriptions
-- **Configuration/Constants**: Strings like 'DES', 'MD5' in config keys or identifiers
-  - Need context: is this SELECTING an algorithm or just naming something?
-  - "algorithm: 'des'" in crypto options = real usage
-  - "category: 'weak_crypto'" or "rule: 'DES_DETECTION'" = metadata, REJECT
-- **Import statements**: Importing a weak crypto library needs context
-  - Used for hashing passwords = HIGH
-  - Used for checksums or compatibility = LOW/INFO
-  - In test/migration files = INFO
-
-**CRITICAL weak_crypto RULE**:
-Files in /rules/, /detectors/, /checks/, /metadata/ directories that DESCRIBE security vulnerabilities are NOT themselves vulnerable. A security scanner documenting "DES is weak" is providing education, not using weak crypto.
-
-### 3.6 DOM Sinks and Bootstrap Scripts
-Recognise LOW-RISK patterns:
-- Static scripts reading localStorage for theme/preferences
-- Setting attributes from config without user input
-- innerHTML with string literals only (no interpolation)
-
-Flag as REAL when:
-- User input flows to innerHTML/eval without sanitization
-- Template literals with \${userInput} in DOM sinks
-
-### 3.7 AI/LLM-Specific Patterns
-
-**Prompt Injection (ai_prompt_injection):**
-- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)
-- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)
-- Static prompts with no user interpolation -> **REJECT** (false positive)
-- Prompt templates using proper parameterization/placeholders -> **REJECT**
-
-**LLM Output Execution (ai_unsafe_execution):**
-- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)
-- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)
-- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)
-- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)
-- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)
-- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)
-
-**Agent Tool Permissions (ai_overpermissive_tool):**
-- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)
-- Tool without user context verification -> **MEDIUM** (missing authorization)
-- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**
-- Test files with tool definitions -> **INFO** or **REJECT**
-
-**Hallucinated Dependencies (suspicious_package):**
-- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)
-- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**
-- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)
-- Known legitimate package with unusual name (in allowlist) -> **REJECT**
-
-**CRITICAL AI PATTERN RULES**:
-- AI code generation often produces non-existent package names - flag these prominently
-- Prompt injection is NOT the same as XSS - different threat model and severity
-- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk
-- Agent tools need both access restrictions AND user context verification
-
-### 3.8 RAG Data Exfiltration (ai_rag_exfiltration)
-Retrieval Augmented Generation systems can leak sensitive data across tenant boundaries.
-
-**Unscoped Retrieval Queries:**
-- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)
-  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter
-  - LangChain retriever.invoke() without metadata filter
-  - Pinecone/Chroma/Weaviate query without namespace or metadata filter
-- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)
-- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)
-
-**Raw Context Exposure:**
-- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)
-- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)
-- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)
-- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**
-
-**Context Logging:**
-- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)
-- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)
-- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)
-
-**CRITICAL RAG RULES**:
-- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping
-- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH
-- Debug logging is INFO severity - it's not a direct vulnerability
-- If RLS or middleware protection is visible, downgrade significantly
-
-### 3.9 AI Endpoint Protection (ai_endpoint_unprotected)
-AI/LLM API endpoints can incur significant costs and enable data exfiltration.
-
-**No Authentication + No Rate Limiting -> HIGH:**
-- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit
-- Anyone on the internet can abuse the endpoint and run up API costs
-- Potential for prompt exfiltration or model abuse
-
-**Has Rate Limiting but No Authentication -> MEDIUM:**
-- Rate limit provides some protection against abuse
-- Still allows anonymous access to AI functionality
-- Suggest adding authentication
-
-**Has Authentication but No Rate Limiting -> LOW:**
-- Authenticated users could still abuse the endpoint
-- Suggest adding rate limiting for cost control
-- severity: low (suggest improvement)
-
-**Has Both Auth and Rate Limiting -> INFO/REJECT:**
-- Properly protected endpoint
-- REJECT if both are clearly present
-- INFO if you want to note the good pattern
-
-**BYOK (Bring Your Own Key) Endpoints:**
-- If user provides their own API key, risk is LOWER
-- User pays for their own usage - cost abuse is their problem
-- Downgrade severity by one level for BYOK patterns
-
-**Protected by Middleware:**
-- If project context shows auth middleware protecting the route, downgrade to INFO
-- Internal/admin routes should be INFO or REJECT
-
-**CRITICAL ENDPOINT RULES**:
-- Cost abuse is real - unprotected AI endpoints can bankrupt a startup
-- Rate limiting alone isn't enough - need auth to prevent anonymous abuse
-- BYOK endpoints have lower risk since user bears the cost
-- Check for middleware protection before flagging
-
-### 3.10 Schema/Tooling Mismatch (ai_schema_mismatch)
-AI-generated structured outputs need validation before use in security-sensitive contexts.
-
-**Unvalidated AI Output Parsing:**
-- JSON.parse(response.content) without schema validation -> **MEDIUM**
-  - AI may return malformed or unexpected structures
-  - Suggest zod/ajv/joi validation
-- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**
-  - Direct path to code/SQL injection
-- AI output to DISPLAY only (console.log, UI render) -> **REJECT**
-  - Not a security issue for display purposes
-- OpenAI Structured Outputs (json_schema in request) -> **REJECT**
-  - API-level validation provides guarantees
-
-**Weak Schema Patterns:**
-- response: any at API boundary -> **MEDIUM** (no type safety)
-- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)
-- z.passthrough() -> **INFO** (allows extra properties, minor concern)
-- Specific schema defined and used -> **REJECT** (properly validated)
-
-**Tool Parameter Validation:**
-- Tool parameter -> file path without validation -> **HIGH** (path traversal)
-- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)
-- Tool parameter -> URL without validation -> **HIGH** (SSRF)
-- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)
-- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)
-
-**CRITICAL SCHEMA RULES**:
-- The severity depends on WHERE the AI output is used, not just that it's parsed
-- Execution sinks (eval, exec, query, fs) need HIGH severity without validation
-- Display-only usage is NOT a security issue
-- Schema validation (zod, ajv, joi) significantly reduces risk
-- OpenAI Structured Outputs provide API-level guarantees
-
-## False Positive Patterns (ALWAYS REJECT - keep: false)
-
-1. **CSS/Styling flagged as secrets**:
-   - Tailwind classes, gradients, hex colors, rgba/hsla
-   - style={{...}} objects, CSS-in-JS
-
-2. **Development URLs in dev contexts**:
-   - localhost in test/mock/example files
-   - URLs via environment variables
-
-3. **Test/Example/Scanner code**:
-   - Files with test, spec, mock, example, fixture in path
-   - Scanner's own rule definitions (files in /rules/, /detectors/, /checks/)
-   - Documentation/README files
-   - **Metadata/registry files describing vulnerabilities**: Files containing vulnerability descriptions, security documentation, or rule metadata are NOT themselves vulnerable. E.g., a string "DES is weak crypto" describing a vulnerability is documentation, NOT actual DES usage.
-
-4. **TypeScript 'any' in safe contexts**:
-   - Type definitions, .d.ts files
-   - Internal utilities (not API boundaries)
-
-5. **Public endpoints**:
-   - /health, /healthz, /ready, /ping, /status
-   - /webhook with signature verification nearby
-
-6. **Generic AI patterns that are NOT security issues**:
-   - console.log with non-sensitive data → REJECT
-   - TODO/FIXME reminders (not security-critical) → REJECT
-   - Magic number timeouts → REJECT
-   - Verbose/step-by-step comments → REJECT
-   - Generic error messages → REJECT or downgrade to info
-   - Basic validation patterns (if (!data) return) → REJECT
-
-7. **Style/Code quality issues (NOT security)**:
-   - Empty functions (unless auth-critical)
-   - Generic success messages
-   - Placeholder comments in non-security code
-
-## Response Format (ACTIONABLE OUTPUT)
-
-For each candidate finding, return:
-\`\`\`json
-{
-  "index": <number>,
-  "keep": true | false,
-  "notes": "<concise context>" | null,
-  "adjustedSeverity": "critical" | "high" | "medium" | "low" | "info" | null,
-  "impact": "<1-2 sentences: WHY this matters specific to this code>" | null,
-  "fixSuggestion": "<Specific, actionable fix for THIS code context>" | null
-}
-\`\`\`
-
-**CRITICAL**: To minimize costs while maximizing actionability:
-- For \`keep: false\` (rejected): Set ALL fields to null except index and keep. NO explanation needed.
-- For \`keep: true\` (accepted):
-  - \`notes\`: Brief context (10-30 words)
-  - \`adjustedSeverity\`: null if keeping original severity
-  - \`impact\`: 1-2 sentences explaining real-world consequences for THIS code (data breach, unauthorized access, cost, etc.)
-  - \`fixSuggestion\`: Reference actual variable/function names from the code. Be specific, not generic.
-
-## Severity Guidelines
-- **critical/high**: Realistically exploitable, should block deploys - ONLY for clear vulnerabilities
-- **medium/low**: Important but non-blocking, hardening opportunities - use sparingly
-- **info**: Robustness/hygiene tips, not direct security risks - use for marginal cases you want to keep
-
-## Decision Framework
-1. **Default to REJECTION** (keep: false) for:
-   - Style/code quality issues
-   - Marginal findings with unclear exploitation path
-   - Patterns that are standard practice (basic auth checks, error logging)
-   - Anything in test/example/documentation files
-
-2. **Downgrade to info** when:
-   - Finding has some merit but low practical risk
-   - Context shows mitigating factors
-   - Better as a "nice to know" than an action item
-
-3. **Keep with original/higher severity** ONLY when:
-   - Clear, exploitable vulnerability
-   - No visible mitigating factors in context
-   - Real-world attack scenario is plausible
-
-**REMEMBER**: You are the last line of defense against noise. A finding that reaches the user should be CLEARLY worth their time. When in doubt, REJECT.
-
-## Response Format
-
-For EACH file, provide a JSON object with the file path and validation results.
-Return a JSON array where each element has:
-- "file": the file path (e.g., "src/routes/api.ts")
-- "validations": array of validation results for that file's candidates
-
-Example response format (ACTIONABLE):
-\`\`\`json
-[
-  {
-    "file": "src/auth.ts",
-    "validations": [
-      { "index": 0, "keep": true, "adjustedSeverity": "medium", "notes": "Protected by middleware", "impact": null, "fixSuggestion": null },
-      { "index": 1, "keep": false, "notes": null, "adjustedSeverity": null, "impact": null, "fixSuggestion": null }
-    ]
-  },
-  {
-    "file": "src/api.ts",
-    "validations": [
-      { "index": 0, "keep": true, "notes": "User input flows to SQL query", "adjustedSeverity": null, "impact": "Attackers could read or modify database records via the userId parameter", "fixSuggestion": "Replace string concatenation with db.query('SELECT * FROM users WHERE id = ?', [userId])" }
-    ]
-  }
-]
-\`\`\`
-
-**REMEMBER**: Rejected findings (keep: false) need NO explanation. Keep notes brief (10-30 words).`;
+var modules_2 = require("./modules");
+Object.defineProperty(exports, "_getFullPrompt", { enumerable: true, get: function () { return modules_2.getFullValidationPrompt; } });
+const modules_3 = require("./modules");
+exports.HIGH_CONTEXT_VALIDATION_PROMPT = (0, modules_3.getFullValidationPrompt)();
 //# sourceMappingURL=validation.js.map

package/dist/layer3/anthropic/prompts/validation.js.map

@@ -1 +1 @@
-{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/validation.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,+EAA+E;AAC/E,iCAAiC;AACjC,+EAA+E;AAE/E;;;GAGG;AACU,QAAA,8BAA8B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mGAmZqD,CAAA"}
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/validation.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAEH,qCAA6E;AAApE,mHAAA,wBAAwB,OAAA;AAAE,kHAAA,uBAAuB,OAAA;AAE1D;;;;GAIG;AACH,qCAAqE;AAA5D,yGAAA,uBAAuB,OAAkB;AAClD,uCAAmD;AACtC,QAAA,8BAA8B,GAAG,IAAA,iCAAuB,GAAE,CAAA"}

package/dist/layer3/anthropic/providers/anthropic.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/providers/anthropic.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAoB,MAAM,gBAAgB,CAAA;AAC/E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wCAAwC,CAAA;AAE5E,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAUnE;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,EACjB,cAAc,EAAE,cAAc,GAAG,SAAS,EAC1C,KAAK,EAAE,eAAe,EACtB,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,KAAK,IAAI,GAC9F,OAAO,CAAC,kBAAkB,CAAC,CAkR7B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}
+{"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/providers/anthropic.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAoB,MAAM,gBAAgB,CAAA;AAC/E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wCAAwC,CAAA;AAE5E,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAUnE;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,EACjB,cAAc,EAAE,cAAc,GAAG,SAAS,EAC1C,KAAK,EAAE,eAAe,EACtB,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,KAAK,IAAI,GAC9F,OAAO,CAAC,kBAAkB,CAAC,CAyR7B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}

package/dist/layer3/anthropic/providers/anthropic.js

@@ -91,8 +91,11 @@ async function validateWithAnthropic(findings, files, projectContext, stats, onP
         }
         const batchStartTime = Date.now();
         try {
-            // Build multi-file validation request
-            const validationRequest = (0, request_builder_1.buildMultiFileValidationRequest)(fileDataList.map(({ file, findings }) => ({ file, findings })), context);
+            // Build multi-file validation request with scoped context
+            const validationRequest = (0, request_builder_1.buildMultiFileValidationRequest)(fileDataList.map(({ file, findings }) => ({ file, findings })), context, { contextMode: 'scoped' });
+            // Assemble category-aware prompt for this batch
+            const batchCategories = [...new Set(fileBatch.flatMap(([, fileFindings]) => fileFindings.map(f => f.category)))];
+            const systemPrompt = (0, validation_1.assembleValidationPrompt)(batchCategories);
             // Use Anthropic prompt caching with multi-file request
             const response = await (0, retry_1.makeAnthropicRequestWithRetry)(() => client.messages.create({
                 model: 'claude-3-5-haiku-20241022',
@@ -100,7 +103,7 @@ async function validateWithAnthropic(findings, files, projectContext, stats, onP
                 system: [
                     {
                         type: 'text',
-                        text: validation_1.HIGH_CONTEXT_VALIDATION_PROMPT,
+                        text: systemPrompt,
                         cache_control: { type: 'ephemeral' }, // Cache for 5 minutes
                     },
                 ],

package/dist/layer3/anthropic/providers/anthropic.js.map

@@ -1 +1 @@
-{"version":3,"file":"anthropic.js","sourceRoot":"","sources":["../../../../src/layer3/anthropic/providers/anthropic.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAkBH,sDAwRC;AAKD,kDAEC;AA7SD,oFAA4E;AAE5E,wCAAmF;AACnF,0CAA8D;AAC9D,8DAA4H;AAC5H,wDAAoE;AACpE,sDAAsE;AAEtE,kDAAkD;AAClD,IAAI,oBAAoB,GAA0B,IAAI,CAAA;AAEtD;;GAEG;AACI,KAAK,UAAU,qBAAqB,CACzC,QAAyB,EACzB,KAAiB,EACjB,cAA0C,EAC1C,KAAsB,EACtB,UAA+F;IAE/F,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAA;IAC/D,MAAM,MAAM,GAAG,IAAA,4BAAkB,GAAE,CAAA;IAEnC,sCAAsC;IACtC,MAAM,OAAO,GAAG,cAAc,IAAI,oBAAoB,IAAI,IAAA,6CAAmB,EAAC,KAAK,CAAC,CAAA;IACpF,IAAI,CAAC,cAAc,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC7C,oBAAoB,GAAG,OAAO,CAAA;QAC9B,OAAO,CAAC,GAAG,CAAC,wCAAwC,EAAE;YACpD,iBAAiB,EAAE,OAAO,CAAC,IAAI,CAAC,mBAAmB;YACnD,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,YAAY;YACvC,GAAG,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG;YAC3B,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO;SACtC,CAAC,CAAA;IACJ,CAAC;IAED,kDAAkD;IAClD,MAAM,cAAc,GAAG,IAAI,GAAG,EAA2B,CAAA;IACzD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;QAC3D,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACtB,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IAChD,CAAC;IAED,MAAM,iBAAiB,GAAoB,EAAE,CAAA;IAE7C,+BAA+B;IAC/B,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAA;IAExD,gBAAgB;IAChB,IAAI,kBAAkB,GAAG,CAAC,CAAA;IAC1B,IAAI,eAAe,GAAG,CAAC,CAAA;IAEvB,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,6BAAmB,CAAC,CAAA;IAC5E,OAAO,CAAC,GAAG,CAAC,uCAAuC,WAAW,CAAC,MAAM,aAAa,gBAAgB,mBAAmB,6BAAmB,eAAe,CAAC,CAAA;IAExJ,+CAA+C;IAC/C,IAAI,cAAc,GAAG,CAAC,CAAA;IAEtB,4EAA4E;IAC5E,KAAK,IAAI,UAAU,GAAG,CAAC,EAAE,UAAU,GAAG,WAAW,CAAC,MAAM,EAAE,UAAU,IAAI,6BAAmB,EAAE,CAAC;QAC5F,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,GAAG,6BAAmB,CAAC,CAAA;QACjF,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,6BAAmB,CAAC,GAAG,CAAC,CAAA;QAEjE,0CAA0C;QAC1C,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC;gBACT,cAAc,EAAE,cAAc;gBAC9B,UAAU,EAAE,WAAW,CAAC,MAAM;gBAC9B,MAAM,EAAE,uBAAuB,QAAQ,IAAI,gBAAgB,EAAE;aAC9D,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,6BAA6B,QAAQ,IAAI,gBAAgB,KAAK,SAAS,CAAC,MAAM,QAAQ,CAAC,CAAA;QAEnG,sCAAsC;QACtC,MAAM,YAAY,GAA2E,EAAE,CAAA;QAC/F,MAAM,mBAAmB,GAA2D,EAAE,CAAA;QAEtF,KAAK,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,IAAI,SAAS,EAAE,CAAC;YACjD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;YACjD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,mBAAmB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAA;YAChE,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC,CAAA;YAC/D,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,mBAAmB,EAAE,CAAC;YAC/C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,iBAAiB,CAAC,IAAI,CAAC;oBACrB,GAAG,CAAC;oBACJ,aAAa,EAAE,KAAK;oBACpB,gBAAgB,EAAE,eAAmC;oBACrD,eAAe,EAAE,2CAA2C;iBAC7D,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,SAAQ;QACV,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEjC,IAAI,CAAC;YACH,sCAAsC;YACtC,MAAM,iBAAiB,GAAG,IAAA,iDAA+B,EACvD,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,EAC9D,OAAO,CACR,CAAA;YAED,uDAAuD;YACvD,MAAM,QAAQ,GAAG,MAAM,IAAA,qCAA6B,EAAC,GAAG,EAAE,CACxD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACrB,KAAK,EAAE,2BAA2B;gBAClC,UAAU,EAAE,IAAI,EAAE,yDAAyD;gBAC3E,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,2CAA8B;wBACpC,aAAa,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,sBAAsB;qBAC7D;iBACF;gBACD,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;aACzD,CAAC,CACH,CAAA;YAED,uBAAuB;YACvB,KAAK,CAAC,QAAQ,EAAE,CAAA;YAChB,eAAe,EAAE,CAAA;YAEjB,mCAAmC;YACnC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAA;YAC5B,IAAI,KAAK,EAAE,CAAC;gBACV,6DAA6D;gBAC7D,OAAO,CAAC,GAAG,CAAC,iBAAiB,QAAQ,6BAA6B,CAAC,CAAA;gBACnE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;gBAC3C,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;gBACjC,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,CAAC,YAAY,IAAI,CAAC,EAAE,CAAC,CAAA;gBAC3D,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,CAAC,aAAa,IAAI,CAAC,EAAE,CAAC,CAAA;gBAC7D,aAAa;gBACb,OAAO,CAAC,GAAG,CAAC,oCAAoC,KAAK,CAAC,2BAA2B,IAAI,CAAC,EAAE,CAAC,CAAA;gBACzF,aAAa;gBACb,OAAO,CAAC,GAAG,CAAC,gCAAgC,KAAK,CAAC,uBAAuB,IAAI,CAAC,EAAE,CAAC,CAAA;gBAEjF,KAAK,CAAC,oBAAoB,IAAI,KAAK,CAAC,YAAY,IAAI,CAAC,CAAA;gBACrD,KAAK,CAAC,qBAAqB,IAAI,KAAK,CAAC,aAAa,IAAI,CAAC,CAAA;gBAEvD,6CAA6C;gBAC7C,MAAM,aAAa,GAAG,KAAK,CAAC,2BAA2B,IAAI,CAAC,CAAA;gBAC5D,aAAa;gBACb,MAAM,SAAS,GAAG,KAAK,CAAC,uBAAuB,IAAI,CAAC,CAAA;gBAEpD,KAAK,CAAC,mBAAmB,IAAI,aAAa,CAAA;gBAC1C,KAAK,CAAC,eAAe,IAAI,SAAS,CAAA;YACpC,CAAC;YAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAuB,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC,CAAA;YAC7F,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAChD,yDAAyD;gBACzD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;oBACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;wBACzB,iBAAiB,CAAC,IAAI,CAAC;4BACrB,GAAG,CAAC;4BACJ,aAAa,EAAE,KAAK;4BACpB,gBAAgB,EAAE,eAAmC;4BACrD,eAAe,EAAE,2BAA2B;yBAC7C,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;gBACD,SAAQ;YACV,CAAC;YAED,4BAA4B;YAC5B,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAA;YAClE,MAAM,oBAAoB,GAAG,IAAA,kDAAgC,EAAC,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC,CAAA;YAE9F,yBAAyB;YACzB,KAAK,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;gBAClD,MAAM,WAAW,GAAG,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBAEtD,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7C,iEAAiE;oBACjE,MAAM,iBAAiB,GAAG,IAAA,yCAAuB,EAAC,WAAW,CAAC,IAAI,CAAC,CAAA;oBAEnE,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAC9D,gDAAgD;wBAChD,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,cAAc,EAAE,GAAG,IAAA,wCAAsB,EAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAA;wBAC5G,KAAK,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,MAAM,GAAG,cAAc,CAAA;wBACpE,KAAK,CAAC,iBAAiB,IAAI,cAAc,CAAA;wBACzC,KAAK,MAAM,SAAS,IAAI,iBAAiB,EAAE,CAAC;4BAC1C,IAAI,SAAS,CAAC,gBAAgB,KAAK,WAAW,EAAE,CAAC;gCAC/C,KAAK,CAAC,iBAAiB,EAAE,CAAA;4BAC3B,CAAC;iCAAM,IAAI,SAAS,CAAC,gBAAgB,KAAK,YAAY,EAAE,CAAC;gCACvD,KAAK,CAAC,kBAAkB,EAAE,CAAA;4BAC5B,CAAC;4BACD,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;wBACnC,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,oFAAoF;wBACpF,OAAO,CAAC,IAAI,CAAC,kCAAkC,QAAQ,gBAAgB,QAAQ,CAAC,MAAM,WAAW,CAAC,CAAA;wBAClG,KAAK,CAAC,iBAAiB,IAAI,QAAQ,CAAC,MAAM,CAAA;wBAC1C,KAAK,CAAC,iBAAiB,IAAI,QAAQ,CAAC,MAAM,CAAA;wBAC1C,yDAAyD;oBAC3D,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,yCAAyC;oBACzC,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,cAAc,EAAE,GAAG,IAAA,wCAAsB,EAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;oBACtG,KAAK,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,MAAM,GAAG,cAAc,CAAA;oBACpE,KAAK,CAAC,iBAAiB,IAAI,cAAc,CAAA;oBACzC,KAAK,MAAM,SAAS,IAAI,iBAAiB,EAAE,CAAC;wBAC1C,IAAI,SAAS,CAAC,gBAAgB,KAAK,WAAW,EAAE,CAAC;4BAC/C,KAAK,CAAC,iBAAiB,EAAE,CAAA;wBAC3B,CAAC;6BAAM,IAAI,SAAS,CAAC,gBAAgB,KAAK,YAAY,EAAE,CAAC;4BACvD,KAAK,CAAC,kBAAkB,EAAE,CAAA;wBAC5B,CAAC;wBACD,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;oBACnC,CAAC;gBACH,CAAC;YACH,CAAC;QAEH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,kCAAkC,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAA;YACnE,wDAAwD;YACxD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;gBACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;oBACzB,iBAAiB,CAAC,IAAI,CAAC;wBACrB,GAAG,CAAC;wBACJ,aAAa,EAAE,KAAK;wBACpB,gBAAgB,EAAE,eAAmC;wBACrD,eAAe,EAAE,oCAAoC;qBACtD,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAA;QACjD,kBAAkB,IAAI,aAAa,CAAA;QAEnC,iCAAiC;QACjC,cAAc,IAAI,SAAS,CAAC,MAAM,CAAA;QAElC,yCAAyC;QACzC,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC;gBACT,cAAc,EAAE,cAAc;gBAC9B,UAAU,EAAE,WAAW,CAAC,MAAM;gBAC9B,MAAM,EAAE,oCAAoC,QAAQ,IAAI,gBAAgB,EAAE;aAC3E,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,oBAAoB,GAAG,KAAK,CAAC,mBAAmB,GAAG,KAAK,CAAC,eAAe,CAAA;IAC9E,KAAK,CAAC,YAAY,GAAG,oBAAoB,GAAG,CAAC;QAC3C,CAAC,CAAC,KAAK,CAAC,eAAe,GAAG,oBAAoB;QAC9C,CAAC,CAAC,CAAC,CAAA;IAEL,8CAA8C;IAC9C,MAAM,cAAc,GAAG,CAAC,KAAK,CAAC,oBAAoB,GAAG,uBAAa,CAAC,KAAK,CAAC,GAAG,OAAS,CAAA;IACrF,MAAM,cAAc,GAAG,CAAC,KAAK,CAAC,mBAAmB,GAAG,uBAAa,CAAC,UAAU,CAAC,GAAG,OAAS,CAAA;IACzF,MAAM,aAAa,GAAG,CAAC,KAAK,CAAC,eAAe,GAAG,uBAAa,CAAC,SAAS,CAAC,GAAG,OAAS,CAAA;IACnF,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,qBAAqB,GAAG,uBAAa,CAAC,MAAM,CAAC,GAAG,OAAS,CAAA;IAEnF,KAAK,CAAC,aAAa,GAAG,cAAc,GAAG,cAAc,GAAG,aAAa,GAAG,UAAU,CAAA;IAElF,0DAA0D;IAC1D,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAA;IACrC,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,aAAa,EAAE,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAA;IAC3D,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAA;IACxD,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAA;IACxD,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,CAAC,kBAAkB,EAAE,CAAC,CAAA;IAC1D,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAA;IAC/C,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IAC/B,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IAC/E,OAAO,CAAC,GAAG,CAAC,4BAA4B,eAAe,EAAE,CAAC,CAAA;IAC1D,OAAO,CAAC,GAAG,CAAC,4BAA4B,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,kBAAkB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;IAC9H,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;IACjC,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,mBAAmB,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IACvF,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,CAAC,eAAe,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IAClF,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IAC9E,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IAC/B,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,oBAAoB,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IACzF,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,qBAAqB,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IACnF,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;IAErE,wCAAwC;IACxC,oBAAoB,GAAG,IAAI,CAAA;IAE3B,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB;IACjC,oBAAoB,GAAG,IAAI,CAAA;AAC7B,CAAC"}
+{"version":3,"file":"anthropic.js","sourceRoot":"","sources":["../../../../src/layer3/anthropic/providers/anthropic.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAkBH,sDA+RC;AAKD,kDAEC;AApTD,oFAA4E;AAE5E,wCAAmF;AACnF,0CAA8D;AAC9D,8DAA4H;AAC5H,wDAAoE;AACpE,sDAAgE;AAEhE,kDAAkD;AAClD,IAAI,oBAAoB,GAA0B,IAAI,CAAA;AAEtD;;GAEG;AACI,KAAK,UAAU,qBAAqB,CACzC,QAAyB,EACzB,KAAiB,EACjB,cAA0C,EAC1C,KAAsB,EACtB,UAA+F;IAE/F,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAA;IAC/D,MAAM,MAAM,GAAG,IAAA,4BAAkB,GAAE,CAAA;IAEnC,sCAAsC;IACtC,MAAM,OAAO,GAAG,cAAc,IAAI,oBAAoB,IAAI,IAAA,6CAAmB,EAAC,KAAK,CAAC,CAAA;IACpF,IAAI,CAAC,cAAc,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC7C,oBAAoB,GAAG,OAAO,CAAA;QAC9B,OAAO,CAAC,GAAG,CAAC,wCAAwC,EAAE;YACpD,iBAAiB,EAAE,OAAO,CAAC,IAAI,CAAC,mBAAmB;YACnD,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,YAAY;YACvC,GAAG,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG;YAC3B,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO;SACtC,CAAC,CAAA;IACJ,CAAC;IAED,kDAAkD;IAClD,MAAM,cAAc,GAAG,IAAI,GAAG,EAA2B,CAAA;IACzD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;QAC3D,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACtB,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IAChD,CAAC;IAED,MAAM,iBAAiB,GAAoB,EAAE,CAAA;IAE7C,+BAA+B;IAC/B,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAA;IAExD,gBAAgB;IAChB,IAAI,kBAAkB,GAAG,CAAC,CAAA;IAC1B,IAAI,eAAe,GAAG,CAAC,CAAA;IAEvB,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,6BAAmB,CAAC,CAAA;IAC5E,OAAO,CAAC,GAAG,CAAC,uCAAuC,WAAW,CAAC,MAAM,aAAa,gBAAgB,mBAAmB,6BAAmB,eAAe,CAAC,CAAA;IAExJ,+CAA+C;IAC/C,IAAI,cAAc,GAAG,CAAC,CAAA;IAEtB,4EAA4E;IAC5E,KAAK,IAAI,UAAU,GAAG,CAAC,EAAE,UAAU,GAAG,WAAW,CAAC,MAAM,EAAE,UAAU,IAAI,6BAAmB,EAAE,CAAC;QAC5F,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,GAAG,6BAAmB,CAAC,CAAA;QACjF,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,6BAAmB,CAAC,GAAG,CAAC,CAAA;QAEjE,0CAA0C;QAC1C,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC;gBACT,cAAc,EAAE,cAAc;gBAC9B,UAAU,EAAE,WAAW,CAAC,MAAM;gBAC9B,MAAM,EAAE,uBAAuB,QAAQ,IAAI,gBAAgB,EAAE;aAC9D,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,6BAA6B,QAAQ,IAAI,gBAAgB,KAAK,SAAS,CAAC,MAAM,QAAQ,CAAC,CAAA;QAEnG,sCAAsC;QACtC,MAAM,YAAY,GAA2E,EAAE,CAAA;QAC/F,MAAM,mBAAmB,GAA2D,EAAE,CAAA;QAEtF,KAAK,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,IAAI,SAAS,EAAE,CAAC;YACjD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;YACjD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,mBAAmB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAA;YAChE,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC,CAAA;YAC/D,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,mBAAmB,EAAE,CAAC;YAC/C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,iBAAiB,CAAC,IAAI,CAAC;oBACrB,GAAG,CAAC;oBACJ,aAAa,EAAE,KAAK;oBACpB,gBAAgB,EAAE,eAAmC;oBACrD,eAAe,EAAE,2CAA2C;iBAC7D,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,SAAQ;QACV,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEjC,IAAI,CAAC;YACH,0DAA0D;YAC1D,MAAM,iBAAiB,GAAG,IAAA,iDAA+B,EACvD,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,EAC9D,OAAO,EACP,EAAE,WAAW,EAAE,QAAQ,EAAE,CAC1B,CAAA;YAED,gDAAgD;YAChD,MAAM,eAAe,GAAG,CAAC,GAAG,IAAI,GAAG,CACjC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAC3E,CAAC,CAAA;YACF,MAAM,YAAY,GAAG,IAAA,qCAAwB,EAAC,eAAe,CAAC,CAAA;YAE9D,uDAAuD;YACvD,MAAM,QAAQ,GAAG,MAAM,IAAA,qCAA6B,EAAC,GAAG,EAAE,CACxD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACrB,KAAK,EAAE,2BAA2B;gBAClC,UAAU,EAAE,IAAI,EAAE,yDAAyD;gBAC3E,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,YAAY;wBAClB,aAAa,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,sBAAsB;qBAC7D;iBACF;gBACD,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;aACzD,CAAC,CACH,CAAA;YAED,uBAAuB;YACvB,KAAK,CAAC,QAAQ,EAAE,CAAA;YAChB,eAAe,EAAE,CAAA;YAEjB,mCAAmC;YACnC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAA;YAC5B,IAAI,KAAK,EAAE,CAAC;gBACV,6DAA6D;gBAC7D,OAAO,CAAC,GAAG,CAAC,iBAAiB,QAAQ,6BAA6B,CAAC,CAAA;gBACnE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;gBAC3C,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;gBACjC,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,CAAC,YAAY,IAAI,CAAC,EAAE,CAAC,CAAA;gBAC3D,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,CAAC,aAAa,IAAI,CAAC,EAAE,CAAC,CAAA;gBAC7D,aAAa;gBACb,OAAO,CAAC,GAAG,CAAC,oCAAoC,KAAK,CAAC,2BAA2B,IAAI,CAAC,EAAE,CAAC,CAAA;gBACzF,aAAa;gBACb,OAAO,CAAC,GAAG,CAAC,gCAAgC,KAAK,CAAC,uBAAuB,IAAI,CAAC,EAAE,CAAC,CAAA;gBAEjF,KAAK,CAAC,oBAAoB,IAAI,KAAK,CAAC,YAAY,IAAI,CAAC,CAAA;gBACrD,KAAK,CAAC,qBAAqB,IAAI,KAAK,CAAC,aAAa,IAAI,CAAC,CAAA;gBAEvD,6CAA6C;gBAC7C,MAAM,aAAa,GAAG,KAAK,CAAC,2BAA2B,IAAI,CAAC,CAAA;gBAC5D,aAAa;gBACb,MAAM,SAAS,GAAG,KAAK,CAAC,uBAAuB,IAAI,CAAC,CAAA;gBAEpD,KAAK,CAAC,mBAAmB,IAAI,aAAa,CAAA;gBAC1C,KAAK,CAAC,eAAe,IAAI,SAAS,CAAA;YACpC,CAAC;YAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAuB,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC,CAAA;YAC7F,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAChD,yDAAyD;gBACzD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;oBACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;wBACzB,iBAAiB,CAAC,IAAI,CAAC;4BACrB,GAAG,CAAC;4BACJ,aAAa,EAAE,KAAK;4BACpB,gBAAgB,EAAE,eAAmC;4BACrD,eAAe,EAAE,2BAA2B;yBAC7C,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;gBACD,SAAQ;YACV,CAAC;YAED,4BAA4B;YAC5B,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAA;YAClE,MAAM,oBAAoB,GAAG,IAAA,kDAAgC,EAAC,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC,CAAA;YAE9F,yBAAyB;YACzB,KAAK,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;gBAClD,MAAM,WAAW,GAAG,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;gBAEtD,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7C,iEAAiE;oBACjE,MAAM,iBAAiB,GAAG,IAAA,yCAAuB,EAAC,WAAW,CAAC,IAAI,CAAC,CAAA;oBAEnE,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAC9D,gDAAgD;wBAChD,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,cAAc,EAAE,GAAG,IAAA,wCAAsB,EAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAA;wBAC5G,KAAK,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,MAAM,GAAG,cAAc,CAAA;wBACpE,KAAK,CAAC,iBAAiB,IAAI,cAAc,CAAA;wBACzC,KAAK,MAAM,SAAS,IAAI,iBAAiB,EAAE,CAAC;4BAC1C,IAAI,SAAS,CAAC,gBAAgB,KAAK,WAAW,EAAE,CAAC;gCAC/C,KAAK,CAAC,iBAAiB,EAAE,CAAA;4BAC3B,CAAC;iCAAM,IAAI,SAAS,CAAC,gBAAgB,KAAK,YAAY,EAAE,CAAC;gCACvD,KAAK,CAAC,kBAAkB,EAAE,CAAA;4BAC5B,CAAC;4BACD,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;wBACnC,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,oFAAoF;wBACpF,OAAO,CAAC,IAAI,CAAC,kCAAkC,QAAQ,gBAAgB,QAAQ,CAAC,MAAM,WAAW,CAAC,CAAA;wBAClG,KAAK,CAAC,iBAAiB,IAAI,QAAQ,CAAC,MAAM,CAAA;wBAC1C,KAAK,CAAC,iBAAiB,IAAI,QAAQ,CAAC,MAAM,CAAA;wBAC1C,yDAAyD;oBAC3D,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,yCAAyC;oBACzC,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,cAAc,EAAE,GAAG,IAAA,wCAAsB,EAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;oBACtG,KAAK,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,MAAM,GAAG,cAAc,CAAA;oBACpE,KAAK,CAAC,iBAAiB,IAAI,cAAc,CAAA;oBACzC,KAAK,MAAM,SAAS,IAAI,iBAAiB,EAAE,CAAC;wBAC1C,IAAI,SAAS,CAAC,gBAAgB,KAAK,WAAW,EAAE,CAAC;4BAC/C,KAAK,CAAC,iBAAiB,EAAE,CAAA;wBAC3B,CAAC;6BAAM,IAAI,SAAS,CAAC,gBAAgB,KAAK,YAAY,EAAE,CAAC;4BACvD,KAAK,CAAC,kBAAkB,EAAE,CAAA;wBAC5B,CAAC;wBACD,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;oBACnC,CAAC;gBACH,CAAC;YACH,CAAC;QAEH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,kCAAkC,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAA;YACnE,wDAAwD;YACxD,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;gBACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;oBACzB,iBAAiB,CAAC,IAAI,CAAC;wBACrB,GAAG,CAAC;wBACJ,aAAa,EAAE,KAAK;wBACpB,gBAAgB,EAAE,eAAmC;wBACrD,eAAe,EAAE,oCAAoC;qBACtD,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAA;QACjD,kBAAkB,IAAI,aAAa,CAAA;QAEnC,iCAAiC;QACjC,cAAc,IAAI,SAAS,CAAC,MAAM,CAAA;QAElC,yCAAyC;QACzC,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC;gBACT,cAAc,EAAE,cAAc;gBAC9B,UAAU,EAAE,WAAW,CAAC,MAAM;gBAC9B,MAAM,EAAE,oCAAoC,QAAQ,IAAI,gBAAgB,EAAE;aAC3E,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,oBAAoB,GAAG,KAAK,CAAC,mBAAmB,GAAG,KAAK,CAAC,eAAe,CAAA;IAC9E,KAAK,CAAC,YAAY,GAAG,oBAAoB,GAAG,CAAC;QAC3C,CAAC,CAAC,KAAK,CAAC,eAAe,GAAG,oBAAoB;QAC9C,CAAC,CAAC,CAAC,CAAA;IAEL,8CAA8C;IAC9C,MAAM,cAAc,GAAG,CAAC,KAAK,CAAC,oBAAoB,GAAG,uBAAa,CAAC,KAAK,CAAC,GAAG,OAAS,CAAA;IACrF,MAAM,cAAc,GAAG,CAAC,KAAK,CAAC,mBAAmB,GAAG,uBAAa,CAAC,UAAU,CAAC,GAAG,OAAS,CAAA;IACzF,MAAM,aAAa,GAAG,CAAC,KAAK,CAAC,eAAe,GAAG,uBAAa,CAAC,SAAS,CAAC,GAAG,OAAS,CAAA;IACnF,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,qBAAqB,GAAG,uBAAa,CAAC,MAAM,CAAC,GAAG,OAAS,CAAA;IAEnF,KAAK,CAAC,aAAa,GAAG,cAAc,GAAG,cAAc,GAAG,aAAa,GAAG,UAAU,CAAA;IAElF,0DAA0D;IAC1D,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAA;IACrC,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,aAAa,EAAE,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAA;IAC3D,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAA;IACxD,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAA;IACxD,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,CAAC,kBAAkB,EAAE,CAAC,CAAA;IAC1D,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAA;IAC/C,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IAC/B,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IAC/E,OAAO,CAAC,GAAG,CAAC,4BAA4B,eAAe,EAAE,CAAC,CAAA;IAC1D,OAAO,CAAC,GAAG,CAAC,4BAA4B,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,kBAAkB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;IAC9H,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;IACjC,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,mBAAmB,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IACvF,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,CAAC,eAAe,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IAClF,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;IAC9E,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IAC/B,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,oBAAoB,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IACzF,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,qBAAqB,CAAC,cAAc,EAAE,SAAS,CAAC,CAAA;IACnF,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;IAErE,wCAAwC;IACxC,oBAAoB,GAAG,IAAI,CAAA;IAE3B,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB;IACjC,oBAAoB,GAAG,IAAI,CAAA;AAC7B,CAAC"}

package/dist/layer3/anthropic/providers/openai.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/providers/openai.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAoB,MAAM,gBAAgB,CAAA;AAC/E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wCAAwC,CAAA;AAE5E,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAoB,MAAM,UAAU,CAAA;AAWrF;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,EACjB,cAAc,EAAE,cAAc,GAAG,SAAS,EAC1C,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,kBAAkB,CAAC,CA2V7B;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC"}
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/providers/openai.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAoB,MAAM,gBAAgB,CAAA;AAC/E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wCAAwC,CAAA;AAE5E,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAoB,MAAM,UAAU,CAAA;AAWrF;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,EACjB,cAAc,EAAE,cAAc,GAAG,SAAS,EAC1C,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,kBAAkB,CAAC,CAkW7B;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC"}

package/dist/layer3/anthropic/providers/openai.js

@@ -85,13 +85,16 @@ async function validateWithOpenAI(findings, files, projectContext, stats) {
             return batchFindings;
         }
         try {
-            // Build multi-file validation request
-            const validationRequest = (0, request_builder_1.buildMultiFileValidationRequest)(fileDataList.map(({ file, findings: fileFindings }) => ({ file, findings: fileFindings })), context);
+            // Build multi-file validation request with scoped context
+            const validationRequest = (0, request_builder_1.buildMultiFileValidationRequest)(fileDataList.map(({ file, findings: fileFindings }) => ({ file, findings: fileFindings })), context, { contextMode: 'scoped' });
+            // Assemble category-aware prompt for this batch
+            const batchCategories = [...new Set(fileDataList.flatMap(({ findings: fileFindings }) => fileFindings.map(f => f.category)))];
+            const systemPrompt = (0, validation_1.assembleValidationPrompt)(batchCategories);
             // Call OpenAI GPT-5-mini with retry logic
             const response = await (0, retry_1.makeOpenAIRequestWithRetry)(async () => client.chat.completions.create({
                 model: 'gpt-5-mini-2025-08-07',
                 messages: [
-                    { role: 'system', content: validation_1.HIGH_CONTEXT_VALIDATION_PROMPT },
+                    { role: 'system', content: systemPrompt },
                     { role: 'user', content: validationRequest },
                 ],
                 max_completion_tokens: 4096, // Sufficient for larger batches with many findings