@oculum/scanner 1.0.12 → 1.0.13

package/dist/pipeline/modes/incremental.js

@@ -0,0 +1,200 @@
+"use strict";
+/**
+ * Incremental Scan Mode
+ * Optimized scanning for PR workflows - only scan changed files and surface relevant findings
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runIncrementalScan = runIncrementalScan;
+exports.createPRScanConfig = createPRScanConfig;
+exports.formatIncrementalForPR = formatIncrementalForPR;
+const secrets_1 = require("../../detect/secrets");
+const structural_1 = require("../../detect/structural");
+const diff_parser_1 = require("../../shared/diff-parser");
+const middleware_detector_1 = require("../../model/middleware-detector");
+/**
+ * Run an incremental scan optimized for PR workflows
+ *
+ * This scans:
+ * 1. All changed files (added + modified)
+ * 2. Files that import changed files (for context)
+ * 3. Middleware files (for auth context)
+ *
+ * And only surfaces findings on/near changed lines.
+ */
+async function runIncrementalScan(allFiles, options) {
+    const startTime = Date.now();
+    const { diffContent, changedFiles, strictLineMatching = false, contextWindow = 5, markAsIntroduced = true, previousFindings = [], } = options;
+    // Parse diff or file list to get changed files
+    let diffs;
+    if (diffContent) {
+        diffs = (0, diff_parser_1.parseDiff)(diffContent, contextWindow);
+    }
+    else if (changedFiles && changedFiles.length > 0) {
+        diffs = (0, diff_parser_1.parseChangedFileList)(changedFiles);
+    }
+    else {
+        // No diff info - scan everything but don't filter
+        console.log('[Incremental] No diff info provided, scanning all files');
+        diffs = new Map();
+    }
+    const changedPaths = (0, diff_parser_1.getChangedFilePaths)(diffs);
+    console.log(`[Incremental] Changed files: ${changedPaths.length}`);
+    // Build file index for import resolution
+    const fileIndex = new Map();
+    for (const file of allFiles) {
+        fileIndex.set(file.path, file);
+    }
+    // Determine which files to scan
+    const filesToScan = [];
+    const scannedPaths = new Set();
+    // 1. Add all changed files
+    for (const path of changedPaths) {
+        const file = fileIndex.get(path);
+        if (file && !scannedPaths.has(path)) {
+            filesToScan.push(file);
+            scannedPaths.add(path);
+        }
+    }
+    // 2. Add files that import changed files (for context)
+    // This helps detect issues where changes break dependencies
+    const importers = findImporters(allFiles, changedPaths);
+    for (const path of importers) {
+        if (!scannedPaths.has(path)) {
+            const file = fileIndex.get(path);
+            if (file) {
+                filesToScan.push(file);
+                scannedPaths.add(path);
+            }
+        }
+    }
+    // 3. Always include middleware files for auth context
+    const middlewareFile = allFiles.find(f => f.path.includes('middleware.ts') ||
+        f.path.includes('middleware.js'));
+    if (middlewareFile && !scannedPaths.has(middlewareFile.path)) {
+        filesToScan.push(middlewareFile);
+        scannedPaths.add(middlewareFile.path);
+    }
+    console.log(`[Incremental] Scanning ${filesToScan.length} files (${changedPaths.length} changed + ${importers.size} importers)`);
+    // Detect auth middleware from ALL files (for context)
+    const middlewareConfig = (0, middleware_detector_1.detectGlobalAuthMiddleware)(allFiles);
+    // Run Layer 1 + Layer 2 on selected files
+    const layer1Result = await (0, secrets_1.runLayer1Scan)(filesToScan);
+    const layer2Result = await (0, structural_1.runLayer2Scan)(filesToScan, { middlewareConfig });
+    let allFindings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities];
+    // Filter to only findings on/near changed lines
+    if (diffs.size > 0) {
+        const beforeFilter = allFindings.length;
+        allFindings = (0, diff_parser_1.filterToChangedLines)(allFindings, diffs, { strictMode: strictLineMatching });
+        console.log(`[Incremental] Filtered findings: ${beforeFilter} → ${allFindings.length} (on/near changed lines)`);
+    }
+    // Mark findings as introduced and separate pre-existing
+    const introduced = [];
+    const preExisting = [];
+    if (previousFindings.length > 0) {
+        // Create fingerprints for previous findings
+        const previousFingerprints = new Set(previousFindings.map(f => `${f.filePath}:${f.lineNumber}:${f.category}`));
+        for (const finding of allFindings) {
+            const fingerprint = `${finding.filePath}:${finding.lineNumber}:${finding.category}`;
+            if (previousFingerprints.has(fingerprint)) {
+                preExisting.push(finding);
+            }
+            else {
+                if (markAsIntroduced) {
+                    finding.validationNotes = (finding.validationNotes || '') + ' [Introduced in this PR]';
+                }
+                introduced.push(finding);
+            }
+        }
+    }
+    else {
+        // No previous findings - all are "introduced"
+        introduced.push(...allFindings);
+    }
+    const duration = Date.now() - startTime;
+    console.log(`[Incremental] Scan completed in ${duration}ms: ${introduced.length} new, ${preExisting.length} pre-existing`);
+    return {
+        findings: allFindings,
+        introduced,
+        preExisting,
+        filesScanned: filesToScan.length,
+        filesChanged: changedPaths.length,
+        diffs,
+        duration,
+    };
+}
+/**
+ * Find files that import any of the changed files
+ */
+function findImporters(allFiles, changedPaths) {
+    const importers = new Set();
+    // Create patterns to match imports
+    const importPatterns = changedPaths.map(path => {
+        // Remove extension for import matching
+        const withoutExt = path.replace(/\.[^/.]+$/, '');
+        // Get just the filename without path for relative imports
+        const filename = withoutExt.split('/').pop() || '';
+        return { fullPath: withoutExt, filename };
+    });
+    for (const file of allFiles) {
+        // Skip if this file is already in changed paths
+        if (changedPaths.includes(file.path))
+            continue;
+        // Check if this file imports any changed file
+        for (const { fullPath, filename } of importPatterns) {
+            // Match various import patterns
+            const importRegex = new RegExp(`(?:import|require)\\s*(?:\\([^)]*|[^;]*from\\s*)['"]` +
+                `(?:\\.{0,2}/)?(?:${escapeRegex(fullPath)}|[^'"]*/${escapeRegex(filename)})['"]`, 'i');
+            if (importRegex.test(file.content)) {
+                importers.add(file.path);
+                break;
+            }
+        }
+    }
+    return importers;
+}
+/**
+ * Escape special regex characters
+ */
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Create a PR-optimized scan config
+ */
+function createPRScanConfig(changedFiles, options = {}) {
+    return {
+        mode: 'incremental',
+        changedFiles,
+        skipAIValidation: false, // Use AI for validation
+        skipLayer3: true, // Skip deep analysis for speed
+        maxAIValidationFiles: 20,
+        maxLayer3Files: 0,
+        scanDepth: 'local', // Fast feedback for PRs
+        ...options,
+    };
+}
+/**
+ * Format incremental scan result for PR comment
+ */
+function formatIncrementalForPR(result) {
+    const blocking = result.introduced.filter(f => f.severity === 'critical' || f.severity === 'high');
+    let summary;
+    if (result.introduced.length === 0) {
+        summary = `✅ No new security issues introduced in this PR`;
+    }
+    else if (blocking.length > 0) {
+        summary = `🚨 ${blocking.length} blocking issue${blocking.length === 1 ? '' : 's'} introduced`;
+    }
+    else {
+        summary = `⚠️ ${result.introduced.length} new issue${result.introduced.length === 1 ? '' : 's'} to review`;
+    }
+    if (result.preExisting.length > 0) {
+        summary += ` (${result.preExisting.length} pre-existing)`;
+    }
+    return {
+        summary,
+        hasNewIssues: result.introduced.length > 0,
+        blockingIssues: blocking.length,
+    };
+}
+//# sourceMappingURL=incremental.js.map

package/dist/pipeline/modes/incremental.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"incremental.js","sourceRoot":"","sources":["../../../src/pipeline/modes/incremental.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA8DH,gDAkIC;AAkDD,gDAcC;AAKD,wDA4BC;AA9RD,kDAAoD;AACpD,wDAAuD;AACvD,0DAMiC;AACjC,yEAA4E;AAwC5E;;;;;;;;;GASG;AACI,KAAK,UAAU,kBAAkB,CACtC,QAAoB,EACpB,OAA+B;IAE/B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAE5B,MAAM,EACJ,WAAW,EACX,YAAY,EACZ,kBAAkB,GAAG,KAAK,EAC1B,aAAa,GAAG,CAAC,EACjB,gBAAgB,GAAG,IAAI,EACvB,gBAAgB,GAAG,EAAE,GACtB,GAAG,OAAO,CAAA;IAEX,+CAA+C;IAC/C,IAAI,KAA4B,CAAA;IAEhC,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,GAAG,IAAA,uBAAS,EAAC,WAAW,EAAE,aAAa,CAAC,CAAA;IAC/C,CAAC;SAAM,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnD,KAAK,GAAG,IAAA,kCAAoB,EAAC,YAAY,CAAC,CAAA;IAC5C,CAAC;SAAM,CAAC;QACN,kDAAkD;QAClD,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAA;QACtE,KAAK,GAAG,IAAI,GAAG,EAAE,CAAA;IACnB,CAAC;IAED,MAAM,YAAY,GAAG,IAAA,iCAAmB,EAAC,KAAK,CAAC,CAAA;IAC/C,OAAO,CAAC,GAAG,CAAC,gCAAgC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAA;IAElE,yCAAyC;IACzC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAA;IAC7C,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IAChC,CAAC;IAED,gCAAgC;IAChC,MAAM,WAAW,GAAe,EAAE,CAAA;IAClC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAA;IAEtC,2BAA2B;IAC3B,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QAChC,IAAI,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACtB,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IAED,uDAAuD;IACvD,4DAA4D;IAC5D,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAA;IACvD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YAChC,IAAI,IAAI,EAAE,CAAC;gBACT,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBACtB,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACvC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC;QAChC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CACjC,CAAA;IACD,IAAI,cAAc,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAChC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,CAAA;IACvC,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,0BAA0B,WAAW,CAAC,MAAM,WAAW,YAAY,CAAC,MAAM,cAAc,SAAS,CAAC,IAAI,aAAa,CAAC,CAAA;IAEhI,sDAAsD;IACtD,MAAM,gBAAgB,GAAG,IAAA,gDAA0B,EAAC,QAAQ,CAAC,CAAA;IAE7D,0CAA0C;IAC1C,MAAM,YAAY,GAAG,MAAM,IAAA,uBAAa,EAAC,WAAW,CAAC,CAAA;IACrD,MAAM,YAAY,GAAG,MAAM,IAAA,0BAAa,EAAC,WAAW,EAAE,EAAE,gBAAgB,EAAE,CAAC,CAAA;IAE3E,IAAI,WAAW,GAAG,CAAC,GAAG,YAAY,CAAC,eAAe,EAAE,GAAG,YAAY,CAAC,eAAe,CAAC,CAAA;IAEpF,gDAAgD;IAChD,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAA;QACvC,WAAW,GAAG,IAAA,kCAAoB,EAAC,WAAW,EAAE,KAAK,EAAE,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAA;QAC1F,OAAO,CAAC,GAAG,CAAC,oCAAoC,YAAY,MAAM,WAAW,CAAC,MAAM,0BAA0B,CAAC,CAAA;IACjH,CAAC;IAED,wDAAwD;IACxD,MAAM,UAAU,GAAoB,EAAE,CAAA;IACtC,MAAM,WAAW,GAAoB,EAAE,CAAA;IAEvC,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,4CAA4C;QAC5C,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAClC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CACzE,CAAA;QAED,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,WAAW,GAAG,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAA;YAEnF,IAAI,oBAAoB,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC1C,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAC3B,CAAC;iBAAM,CAAC;gBACN,IAAI,gBAAgB,EAAE,CAAC;oBACrB,OAAO,CAAC,eAAe,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC,GAAG,0BAA0B,CAAA;gBACxF,CAAC;gBACD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,8CAA8C;QAC9C,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAA;IACjC,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAA;IACvC,OAAO,CAAC,GAAG,CAAC,mCAAmC,QAAQ,OAAO,UAAU,CAAC,MAAM,SAAS,WAAW,CAAC,MAAM,eAAe,CAAC,CAAA;IAE1H,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,UAAU;QACV,WAAW;QACX,YAAY,EAAE,WAAW,CAAC,MAAM;QAChC,YAAY,EAAE,YAAY,CAAC,MAAM;QACjC,KAAK;QACL,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,QAAoB,EAAE,YAAsB;IACjE,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAA;IAEnC,mCAAmC;IACnC,MAAM,cAAc,GAAG,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QAC7C,uCAAuC;QACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;QAChD,0DAA0D;QAC1D,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;QAClD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAA;IAC3C,CAAC,CAAC,CAAA;IAEF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,gDAAgD;QAChD,IAAI,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAQ;QAE9C,8CAA8C;QAC9C,KAAK,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,cAAc,EAAE,CAAC;YACpD,gCAAgC;YAChC,MAAM,WAAW,GAAG,IAAI,MAAM,CAC5B,sDAAsD;gBACtD,oBAAoB,WAAW,CAAC,QAAQ,CAAC,WAAW,WAAW,CAAC,QAAQ,CAAC,OAAO,EAChF,GAAG,CACJ,CAAA;YAED,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBACxB,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;AACnD,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,YAAsB,EACtB,UAAmC,EAAE;IAErC,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,YAAY;QACZ,gBAAgB,EAAE,KAAK,EAAG,wBAAwB;QAClD,UAAU,EAAE,IAAI,EAAW,+BAA+B;QAC1D,oBAAoB,EAAE,EAAE;QACxB,cAAc,EAAE,CAAC;QACjB,SAAS,EAAE,OAAO,EAAS,wBAAwB;QACnD,GAAG,OAAO;KACX,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CAAC,MAA6B;IAKlE,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CACvC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CACxD,CAAA;IAED,IAAI,OAAe,CAAA;IAEnB,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,GAAG,gDAAgD,CAAA;IAC5D,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,kBAAkB,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,aAAa,CAAA;IAChG,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,MAAM,aAAa,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,YAAY,CAAA;IAC5G,CAAC;IAED,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,KAAK,MAAM,CAAC,WAAW,CAAC,MAAM,gBAAgB,CAAA;IAC3D,CAAC;IAED,OAAO;QACL,OAAO;QACP,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC1C,cAAc,EAAE,QAAQ,CAAC,MAAM;KAChC,CAAA;AACH,CAAC"}

package/dist/postprocess/aggregation.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Noisy Finding Aggregation — Groups repeated findings in the same file.
+ *
+ * When 3+ findings share the same file + category + base title, they are
+ * collapsed into a single aggregated finding to reduce clutter.
+ */
+import type { Vulnerability } from '../shared/types';
+/**
+ * Aggregate noisy findings in the same file to reduce clutter
+ * Groups repeated findings with same filePath + category + title
+ * Especially useful for AI pattern spam
+ */
+export declare function aggregateNoisyFindings(vulnerabilities: Vulnerability[]): Vulnerability[];
+//# sourceMappingURL=aggregation.d.ts.map

package/dist/postprocess/aggregation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aggregation.d.ts","sourceRoot":"","sources":["../../src/postprocess/aggregation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAGpD;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,eAAe,EAAE,aAAa,EAAE,GAAG,aAAa,EAAE,CA0DxF"}

package/dist/postprocess/aggregation.js

@@ -0,0 +1,63 @@
+"use strict";
+/**
+ * Noisy Finding Aggregation — Groups repeated findings in the same file.
+ *
+ * When 3+ findings share the same file + category + base title, they are
+ * collapsed into a single aggregated finding to reduce clutter.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.aggregateNoisyFindings = aggregateNoisyFindings;
+const parsed_file_1 = require("../shared/parsed-file");
+/**
+ * Aggregate noisy findings in the same file to reduce clutter
+ * Groups repeated findings with same filePath + category + title
+ * Especially useful for AI pattern spam
+ */
+function aggregateNoisyFindings(vulnerabilities) {
+    // Group findings by file + category + title
+    const groups = new Map();
+    for (const vuln of vulnerabilities) {
+        // Create grouping key: same file, category, and base title (without line-specific info)
+        const baseTitle = vuln.title.replace(/\s*\(\d+ instances?\)/, '').trim();
+        const key = `${vuln.filePath}|${vuln.category}|${baseTitle}`;
+        const existing = groups.get(key) || [];
+        existing.push(vuln);
+        groups.set(key, existing);
+    }
+    const result = [];
+    for (const [, group] of groups) {
+        // If only 1-2 findings, keep them as-is
+        if (group.length <= 2) {
+            result.push(...group);
+            continue;
+        }
+        // For 3+ similar findings in same file, aggregate into one
+        const first = group[0];
+        const lineNumbers = group.map(v => v.lineNumber).sort((a, b) => a - b);
+        const uniqueLines = [...new Set(lineNumbers)];
+        // Format line numbers nicely (show first few, then "...")
+        const lineDisplay = uniqueLines.length > 5
+            ? `${uniqueLines.slice(0, 5).join(', ')}... (${uniqueLines.length} total)`
+            : uniqueLines.join(', ');
+        // Keep highest severity from the group
+        const highestSeverity = group.reduce((max, v) => (0, parsed_file_1.severityRank)(v.severity) > (0, parsed_file_1.severityRank)(max.severity) ? v : max, group[0]).severity;
+        // Create aggregated finding
+        const aggregated = {
+            id: `${first.id}-aggregated`,
+            filePath: first.filePath,
+            lineNumber: uniqueLines[0], // First occurrence
+            lineContent: `${group.length} instances across this file`,
+            severity: highestSeverity,
+            category: first.category,
+            title: `${first.title.replace(/\s*\(\d+ instances?\)/, '')} (${group.length} instances)`,
+            description: `${first.description}\n\nFound ${group.length} occurrences at lines: ${lineDisplay}`,
+            suggestedFix: first.suggestedFix,
+            confidence: first.confidence,
+            layer: first.layer,
+            requiresAIValidation: first.requiresAIValidation,
+        };
+        result.push(aggregated);
+    }
+    return result;
+}
+//# sourceMappingURL=aggregation.js.map

package/dist/postprocess/aggregation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aggregation.js","sourceRoot":"","sources":["../../src/postprocess/aggregation.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAUH,wDA0DC;AAjED,uDAAoD;AAEpD;;;;GAIG;AACH,SAAgB,sBAAsB,CAAC,eAAgC;IACrE,4CAA4C;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,EAA2B,CAAA;IAEjD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,wFAAwF;QACxF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;QACxE,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,IAAI,SAAS,EAAE,CAAA;QAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;QACtC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACnB,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IAC3B,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAA;IAElC,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;QAC/B,wCAAwC;QACxC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAA;YACrB,SAAQ;QACV,CAAC;QAED,2DAA2D;QAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACtB,MAAM,WAAW,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QACtE,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC,CAAA;QAE7C,0DAA0D;QAC1D,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC;YACxC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,WAAW,CAAC,MAAM,SAAS;YAC1E,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE1B,uCAAuC;QACvC,MAAM,eAAe,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAC9C,IAAA,0BAAY,EAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,IAAA,0BAAY,EAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,EAC/D,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;QAEpB,4BAA4B;QAC5B,MAAM,UAAU,GAAkB;YAChC,EAAE,EAAE,GAAG,KAAK,CAAC,EAAE,aAAa;YAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,mBAAmB;YAC/C,WAAW,EAAE,GAAG,KAAK,CAAC,MAAM,6BAA6B;YACzD,QAAQ,EAAE,eAAe;YACzB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,KAAK,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,MAAM,aAAa;YACxF,WAAW,EAAE,GAAG,KAAK,CAAC,WAAW,aAAa,KAAK,CAAC,MAAM,0BAA0B,WAAW,EAAE;YACjG,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;SACjD,CAAA;QAED,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IACzB,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/postprocess/contradictions.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Contradiction Resolution — Resolves conflicting findings on the same route/file.
+ *
+ * Key contradiction types:
+ * 1. Same route has both "protected by middleware" (info) AND "missing auth" (high/critical)
+ *    → Keep only the info-level "protected by middleware" finding
+ * 2. Same file has BYOK "transient use" (info) AND "key stored insecurely" (high)
+ *    → Keep only the most accurate one based on context
+ * 3. Same line has conflicting severities from different layers
+ *    → Prefer the lower severity if one explicitly notes protection
+ */
+import type { Vulnerability } from '../shared/types';
+import { type MiddlewareAuthConfig } from '../model/middleware-detector';
+/**
+ * Resolve contradictions in findings
+ */
+export declare function resolveContradictions(vulnerabilities: Vulnerability[], middlewareConfig?: MiddlewareAuthConfig): Vulnerability[];
+//# sourceMappingURL=contradictions.d.ts.map

package/dist/postprocess/contradictions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"contradictions.d.ts","sourceRoot":"","sources":["../../src/postprocess/contradictions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EACL,KAAK,oBAAoB,EAG1B,MAAM,8BAA8B,CAAA;AAErC;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,eAAe,EAAE,aAAa,EAAE,EAChC,gBAAgB,CAAC,EAAE,oBAAoB,GACtC,aAAa,EAAE,CAsGjB"}

package/dist/postprocess/contradictions.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Contradiction Resolution — Resolves conflicting findings on the same route/file.
+ *
+ * Key contradiction types:
+ * 1. Same route has both "protected by middleware" (info) AND "missing auth" (high/critical)
+ *    → Keep only the info-level "protected by middleware" finding
+ * 2. Same file has BYOK "transient use" (info) AND "key stored insecurely" (high)
+ *    → Keep only the most accurate one based on context
+ * 3. Same line has conflicting severities from different layers
+ *    → Prefer the lower severity if one explicitly notes protection
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveContradictions = resolveContradictions;
+const middleware_detector_1 = require("../model/middleware-detector");
+/**
+ * Resolve contradictions in findings
+ */
+function resolveContradictions(vulnerabilities, middlewareConfig) {
+    // Group findings by file path for contradiction analysis
+    const byFile = new Map();
+    for (const vuln of vulnerabilities) {
+        const existing = byFile.get(vuln.filePath) || [];
+        existing.push(vuln);
+        byFile.set(vuln.filePath, existing);
+    }
+    const result = [];
+    for (const [filePath, fileVulns] of byFile) {
+        // Check for auth contradictions in this file
+        const authFindings = fileVulns.filter(v => v.category === 'missing_auth');
+        const otherFindings = fileVulns.filter(v => v.category !== 'missing_auth');
+        // Identify protected routes (middleware or auth helper)
+        const protectedInfos = authFindings.filter(v => v.severity === 'info' &&
+            (v.validationNotes === 'MIDDLEWARE_PROTECTED' ||
+                v.validationNotes === 'AUTH_HELPER_PROTECTED' ||
+                v.title.includes('protected by middleware') ||
+                v.title.includes('uses auth helper')));
+        // NEW: Check if this file's route is protected by middleware (even without explicit info finding)
+        // This catches Layer 3 findings that don't have the Layer 2 protection info
+        const routePath = (0, middleware_detector_1.getRoutePathFromFile)(filePath);
+        const isAPIRouteProtected = routePath && middlewareConfig?.hasAuthMiddleware
+            ? (0, middleware_detector_1.isRouteProtectedByMiddleware)(routePath, middlewareConfig).isProtected
+            : false;
+        // Also check if file is a client component calling protected API routes
+        // Client components (components/, app/ without route.ts) calling /api/** are safe
+        const isClientCallingProtectedAPI = middlewareConfig?.hasAuthMiddleware &&
+            (filePath.includes('/components/') ||
+                (filePath.includes('/app/') && !filePath.includes('route.ts')));
+        // If we have protected route info findings OR the route is protected by middleware
+        if (protectedInfos.length > 0 || isAPIRouteProtected || isClientCallingProtectedAPI) {
+            // Keep the protected info findings
+            result.push(...protectedInfos);
+            // For other auth findings on same file, either drop or downgrade to info
+            const otherAuthFindings = authFindings.filter(v => !protectedInfos.includes(v));
+            for (const vuln of otherAuthFindings) {
+                // If it's high/critical missing auth on a protected route, drop it entirely
+                // (the middleware/helper protection supersedes)
+                if (vuln.severity === 'critical' || vuln.severity === 'high') {
+                    continue; // Skip this finding
+                }
+                // Keep lower severity auth findings as-is
+                result.push(vuln);
+            }
+        }
+        else {
+            // No protection detected - keep all auth findings as-is
+            result.push(...authFindings);
+        }
+        // Handle BYOK contradictions
+        const byokFindings = otherFindings.filter(v => v.category === 'ai_pattern' && v.title.toLowerCase().includes('byok'));
+        const nonByokFindings = otherFindings.filter(v => !(v.category === 'ai_pattern' && v.title.toLowerCase().includes('byok')));
+        if (byokFindings.length > 0) {
+            // Check if we have both transient (low) and storage (high) BYOK findings
+            const transientByok = byokFindings.filter(v => v.severity === 'low' || v.severity === 'info');
+            const storageByok = byokFindings.filter(v => v.severity === 'high' || v.severity === 'medium');
+            if (transientByok.length > 0 && storageByok.length > 0) {
+                // If we detected transient usage, prefer the lower severity
+                // The higher severity ones may be false positives
+                result.push(...transientByok);
+                // Mark high-severity BYOK for review
+                for (const vuln of storageByok) {
+                    result.push({
+                        ...vuln,
+                        severity: 'low',
+                        validationNotes: `${vuln.validationNotes || ''} (downgraded: transient BYOK usage detected in same file)`.trim(),
+                    });
+                }
+            }
+            else {
+                // Keep all BYOK findings as-is
+                result.push(...byokFindings);
+            }
+        }
+        // Add non-BYOK other findings
+        result.push(...nonByokFindings);
+    }
+    return result;
+}
+//# sourceMappingURL=contradictions.js.map

package/dist/postprocess/contradictions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contradictions.js","sourceRoot":"","sources":["../../src/postprocess/contradictions.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAYH,sDAyGC;AAlHD,sEAIqC;AAErC;;GAEG;AACH,SAAgB,qBAAqB,CACnC,eAAgC,EAChC,gBAAuC;IAEvC,yDAAyD;IACzD,MAAM,MAAM,GAAG,IAAI,GAAG,EAA2B,CAAA;IACjD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;QAChD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACnB,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IACrC,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAA;IAElC,KAAK,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,MAAM,EAAE,CAAC;QAC3C,6CAA6C;QAC7C,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,cAAc,CAAC,CAAA;QACzE,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,cAAc,CAAC,CAAA;QAE1E,wDAAwD;QACxD,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC7C,CAAC,CAAC,QAAQ,KAAK,MAAM;YACrB,CAAC,CAAC,CAAC,eAAe,KAAK,sBAAsB;gBAC5C,CAAC,CAAC,eAAe,KAAK,uBAAuB;gBAC7C,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,yBAAyB,CAAC;gBAC3C,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CACvC,CAAA;QAED,kGAAkG;QAClG,4EAA4E;QAC5E,MAAM,SAAS,GAAG,IAAA,0CAAoB,EAAC,QAAQ,CAAC,CAAA;QAChD,MAAM,mBAAmB,GAAG,SAAS,IAAI,gBAAgB,EAAE,iBAAiB;YAC1E,CAAC,CAAC,IAAA,kDAA4B,EAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC,WAAW;YACvE,CAAC,CAAC,KAAK,CAAA;QAET,wEAAwE;QACxE,kFAAkF;QAClF,MAAM,2BAA2B,GAC/B,gBAAgB,EAAE,iBAAiB;YACnC,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACjC,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QAElE,mFAAmF;QACnF,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,mBAAmB,IAAI,2BAA2B,EAAE,CAAC;YACpF,mCAAmC;YACnC,MAAM,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAA;YAE9B,yEAAyE;YACzE,MAAM,iBAAiB,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;YAE/E,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;gBACrC,4EAA4E;gBAC5E,gDAAgD;gBAChD,IAAI,IAAI,CAAC,QAAQ,KAAK,UAAU,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;oBAC7D,SAAQ,CAAC,oBAAoB;gBAC/B,CAAC;gBAED,0CAA0C;gBAC1C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACnB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,wDAAwD;YACxD,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;QAC9B,CAAC;QAED,6BAA6B;QAC7B,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC5C,CAAC,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CACtE,CAAA;QACD,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC/C,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CACzE,CAAA;QAED,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,yEAAyE;YACzE,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC5C,CAAC,CAAC,QAAQ,KAAK,KAAK,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAC9C,CAAA;YACD,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC1C,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CACjD,CAAA;YAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvD,4DAA4D;gBAC5D,kDAAkD;gBAClD,MAAM,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAA;gBAC7B,qCAAqC;gBACrC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;oBAC/B,MAAM,CAAC,IAAI,CAAC;wBACV,GAAG,IAAI;wBACP,QAAQ,EAAE,KAAK;wBACf,eAAe,EAAE,GAAG,IAAI,CAAC,eAAe,IAAI,EAAE,2DAA2D,CAAC,IAAI,EAAE;qBACjH,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,+BAA+B;gBAC/B,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,MAAM,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAA;IACjC,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/postprocess/dedup.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Deduplication — Remove duplicate vulnerabilities.
+ *
+ * Handles standard dedup (same file, line, category) and cross-layer URL dedup
+ * (e.g., Layer 1 sensitive_url + Layer 2 ai_pattern on same line).
+ */
+import type { Vulnerability } from '../shared/types';
+/**
+ * Remove duplicate vulnerabilities (same file, line, category)
+ * Also handles cross-layer URL duplicates (sensitive_url + ai_pattern)
+ */
+export declare function deduplicateVulnerabilities(vulnerabilities: Vulnerability[]): Vulnerability[];
+//# sourceMappingURL=dedup.d.ts.map

package/dist/postprocess/dedup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dedup.d.ts","sourceRoot":"","sources":["../../src/postprocess/dedup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAGpD;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,eAAe,EAAE,aAAa,EAAE,GAAG,aAAa,EAAE,CA+C5F"}

package/dist/postprocess/dedup.js

@@ -0,0 +1,58 @@
+"use strict";
+/**
+ * Deduplication — Remove duplicate vulnerabilities.
+ *
+ * Handles standard dedup (same file, line, category) and cross-layer URL dedup
+ * (e.g., Layer 1 sensitive_url + Layer 2 ai_pattern on same line).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deduplicateVulnerabilities = deduplicateVulnerabilities;
+const parsed_file_1 = require("../shared/parsed-file");
+/**
+ * Remove duplicate vulnerabilities (same file, line, category)
+ * Also handles cross-layer URL duplicates (sensitive_url + ai_pattern)
+ */
+function deduplicateVulnerabilities(vulnerabilities) {
+    const seen = new Map();
+    const urlDedupMap = new Map();
+    for (const vuln of vulnerabilities) {
+        // Special handling for URL duplicates across layers
+        // (e.g., Layer 1 detects as sensitive_url, Layer 2 detects as ai_pattern on same line)
+        // Route based on category, not lineContent regex — a sensitive_url finding is a URL
+        // finding regardless of what scheme appears in the line content.
+        if (vuln.category === 'sensitive_url' || vuln.category === 'ai_pattern') {
+            // Create compound key that ignores category differences for URLs
+            const urlKey = `${vuln.filePath}:${vuln.lineNumber}:url_finding`;
+            const existing = urlDedupMap.get(urlKey);
+            if (!existing) {
+                urlDedupMap.set(urlKey, vuln);
+            }
+            else {
+                // Keep Layer 1 (more specific) over Layer 2 AI pattern
+                // Or keep higher severity
+                if (vuln.layer < existing.layer ||
+                    (0, parsed_file_1.severityRank)(vuln.severity) > (0, parsed_file_1.severityRank)(existing.severity)) {
+                    urlDedupMap.set(urlKey, vuln);
+                }
+            }
+            continue;
+        }
+        // Standard deduplication for non-URL findings
+        const key = `${vuln.filePath}:${vuln.lineNumber}:${vuln.category}`;
+        const existing = seen.get(key);
+        // Keep the higher severity or higher confidence finding
+        if (!existing) {
+            seen.set(key, vuln);
+        }
+        else if ((0, parsed_file_1.severityRank)(vuln.severity) > (0, parsed_file_1.severityRank)(existing.severity)) {
+            seen.set(key, vuln);
+        }
+        else if ((0, parsed_file_1.severityRank)(vuln.severity) === (0, parsed_file_1.severityRank)(existing.severity) &&
+            (0, parsed_file_1.confidenceRank)(vuln.confidence) > (0, parsed_file_1.confidenceRank)(existing.confidence)) {
+            seen.set(key, vuln);
+        }
+    }
+    // Combine URL and non-URL findings
+    return [...Array.from(seen.values()), ...Array.from(urlDedupMap.values())];
+}
+//# sourceMappingURL=dedup.js.map

package/dist/postprocess/dedup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dedup.js","sourceRoot":"","sources":["../../src/postprocess/dedup.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AASH,gEA+CC;AArDD,uDAAoE;AAEpE;;;GAGG;AACH,SAAgB,0BAA0B,CAAC,eAAgC;IACzE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAyB,CAAA;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyB,CAAA;IAEpD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,oDAAoD;QACpD,uFAAuF;QACvF,oFAAoF;QACpF,iEAAiE;QACjE,IAAI,IAAI,CAAC,QAAQ,KAAK,eAAe,IAAI,IAAI,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAExE,iEAAiE;YACjE,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,cAAc,CAAA;YAChE,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAExC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAC/B,CAAC;iBAAM,CAAC;gBACN,uDAAuD;gBACvD,0BAA0B;gBAC1B,IAAI,IAAI,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK;oBAC3B,IAAA,0BAAY,EAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,IAAA,0BAAY,EAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAClE,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;gBAC/B,CAAC;YACH,CAAC;YACD,SAAQ;QACV,CAAC;QAED,8CAA8C;QAC9C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAA;QAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAE9B,wDAAwD;QACxD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACrB,CAAC;aAAM,IAAI,IAAA,0BAAY,EAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,IAAA,0BAAY,EAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACrB,CAAC;aAAM,IACL,IAAA,0BAAY,EAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAA,0BAAY,EAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/D,IAAA,4BAAc,EAAC,IAAI,CAAC,UAAU,CAAC,GAAG,IAAA,4BAAc,EAAC,QAAQ,CAAC,UAAU,CAAC,EACrE,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,OAAO,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;AAC5E,CAAC"}

package/dist/postprocess/filtering/context-adjustments.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Centralized Context-Based Severity Adjustments
+ *
+ * Consolidates the duplicate filter logic from:
+ * - layer2/index.ts applyFileContextAdjustments() — per-file with full FileContext
+ * - index.ts applyGlobalContextAdjustments() — post-layers with tooling-dir only
+ *
+ * Both functions are replaced by a single applyContextAdjustments() that handles
+ * all context-based severity downgrades in one place.
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { FileContext } from '../../parse/file-classifier';
+/**
+ * Apply context-based severity adjustments to findings.
+ *
+ * When called with a FileContext (from Layer 2 per-file processing), applies
+ * full context-aware rules: test files, tooling dirs, server-only files.
+ *
+ * When called without a FileContext (from the orchestrator for Layer 1 findings),
+ * applies only tooling-directory downgrades based on file path.
+ */
+export declare function applyContextAdjustments(findings: Vulnerability[], fileContext?: FileContext): Vulnerability[];
+//# sourceMappingURL=context-adjustments.d.ts.map

package/dist/postprocess/filtering/context-adjustments.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-adjustments.d.ts","sourceRoot":"","sources":["../../../src/postprocess/filtering/context-adjustments.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,6BAA6B,CAAA;AAmB9D;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,aAAa,EAAE,EACzB,WAAW,CAAC,EAAE,WAAW,GACxB,aAAa,EAAE,CA2DjB"}

package/dist/postprocess/filtering/context-adjustments.js

@@ -0,0 +1,100 @@
+"use strict";
+/**
+ * Centralized Context-Based Severity Adjustments
+ *
+ * Consolidates the duplicate filter logic from:
+ * - layer2/index.ts applyFileContextAdjustments() — per-file with full FileContext
+ * - index.ts applyGlobalContextAdjustments() — post-layers with tooling-dir only
+ *
+ * Both functions are replaced by a single applyContextAdjustments() that handles
+ * all context-based severity downgrades in one place.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyContextAdjustments = applyContextAdjustments;
+/** Categories that are expected and not risky in tooling directories */
+const TOOLING_DOWNGRADABLE_CATEGORIES = [
+    'dangerous_function', // exec, spawn, etc. are expected in scripts
+    'command_injection', // child_process usage is expected in build scripts
+    'weak_crypto', // Math.random() for seeding is fine in scripts
+    'data_exposure', // Logging is expected in tooling
+    'ai_pattern', // AI patterns in scripts are typically fine
+];
+/** Categories that are expected and not risky in test files */
+const TEST_DOWNGRADABLE_CATEGORIES = [
+    'ai_pattern',
+    'dangerous_function',
+    'sensitive_variable',
+    'data_exposure',
+];
+/**
+ * Apply context-based severity adjustments to findings.
+ *
+ * When called with a FileContext (from Layer 2 per-file processing), applies
+ * full context-aware rules: test files, tooling dirs, server-only files.
+ *
+ * When called without a FileContext (from the orchestrator for Layer 1 findings),
+ * applies only tooling-directory downgrades based on file path.
+ */
+function applyContextAdjustments(findings, fileContext) {
+    return findings.map(finding => {
+        // Never downgrade critical findings
+        if (finding.severity === 'critical') {
+            return finding;
+        }
+        if (fileContext) {
+            // Full per-file context available (Layer 2 path)
+            // Test files: Downgrade specific categories
+            if (fileContext.isTestFile) {
+                if (TEST_DOWNGRADABLE_CATEGORIES.includes(finding.category)) {
+                    return {
+                        ...finding,
+                        severity: 'info',
+                        validationNotes: 'Downgraded: test/fixture file',
+                    };
+                }
+            }
+            // Tooling directories: Downgrade expected patterns
+            if (fileContext.isToolingDir) {
+                if (TOOLING_DOWNGRADABLE_CATEGORIES.includes(finding.category)) {
+                    return {
+                        ...finding,
+                        severity: 'info',
+                        validationNotes: 'Downgraded: tooling/scripts directory',
+                    };
+                }
+            }
+            // Server-only files: Client-exposure concerns don't apply
+            if (fileContext.isServerOnly) {
+                if (finding.category === 'hardcoded_secret' &&
+                    finding.title.toLowerCase().includes('service role')) {
+                    return {
+                        ...finding,
+                        severity: 'info',
+                        validationNotes: 'Downgraded: server-only file (service role key expected)',
+                    };
+                }
+            }
+        }
+        else {
+            // No file context — apply path-based adjustments only (orchestrator path)
+            // This catches Layer 1 findings that didn't go through Layer 2's per-file adjustments
+            const inToolingDir = isToolingPath(finding.filePath);
+            if (inToolingDir && TOOLING_DOWNGRADABLE_CATEGORIES.includes(finding.category)) {
+                return {
+                    ...finding,
+                    severity: 'info',
+                    validationNotes: `${finding.validationNotes || ''} Downgraded: tooling/scripts directory`.trim(),
+                };
+            }
+        }
+        return finding;
+    });
+}
+/**
+ * Tooling-path check for findings without FileContext.
+ * Uses the same regex as utils/context-helpers.ts isToolingDirectory().
+ */
+function isToolingPath(filePath) {
+    return /\/(scripts?|cli|tools?|bin|devtools|build|tasks)\//i.test(filePath);
+}
+//# sourceMappingURL=context-adjustments.js.map