@oculum/scanner 1.0.12 → 1.0.13

package/dist/shared/baseline/types.d.ts

@@ -0,0 +1,91 @@
+/**
+ * Baseline Types
+ * Types for baseline/diff mode functionality
+ */
+import type { VulnerabilityCategory, VulnerabilitySeverity, SeverityCounts, ScanDepth } from '../types';
+/**
+ * A finding stored in the baseline
+ * Contains enough information to identify and display the finding
+ */
+export interface BaselineFinding {
+    /** Finding hash (from computeFindingHash) */
+    hash: string;
+    /** File path relative to project root */
+    filePath: string;
+    /** Line number in the file */
+    lineNumber: number;
+    /** Vulnerability category */
+    category: VulnerabilityCategory;
+    /** Severity level */
+    severity: VulnerabilitySeverity;
+    /** Finding title */
+    title: string;
+}
+/**
+ * Baseline data stored in .oculum/baseline.json
+ */
+export interface BaselineData {
+    /** Schema version for forward compatibility */
+    version: 1;
+    /** ISO 8601 timestamp when baseline was created */
+    createdAt: string;
+    /** Git commit SHA when baseline was created (optional) */
+    commit?: string;
+    /** Git branch name when baseline was created (optional) */
+    branch?: string;
+    /** Scan depth used when creating baseline */
+    scanDepth?: ScanDepth;
+    /** List of findings in the baseline */
+    findings: BaselineFinding[];
+    /** Summary statistics */
+    stats: {
+        total: number;
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        info: number;
+    };
+}
+/**
+ * Result of comparing current findings against baseline
+ */
+export interface DiffResult {
+    /** Findings in current scan but NOT in baseline (new issues) */
+    new: import('../types').Vulnerability[];
+    /** Findings in baseline but NOT in current scan (fixed issues) */
+    fixed: BaselineFinding[];
+    /** Findings in both current scan AND baseline (existing issues) */
+    existing: import('../types').Vulnerability[];
+    /** Summary statistics */
+    stats: {
+        newCount: number;
+        fixedCount: number;
+        existingCount: number;
+        newBySeverity: SeverityCounts;
+        fixedBySeverity: SeverityCounts;
+    };
+}
+/**
+ * Baseline diff metadata attached to ScanResult
+ * Only present when --new flag is used
+ */
+export interface BaselineDiff {
+    /** When the baseline was created */
+    baselineCreatedAt: string;
+    /** Git commit of the baseline (if available) */
+    baselineCommit?: string;
+    /** Number of new findings (not in baseline) */
+    newCount: number;
+    /** Number of fixed findings (in baseline, not in current) */
+    fixedCount: number;
+    /** Number of existing findings (in both) */
+    existingCount: number;
+    /** Details of fixed findings for display */
+    fixedFindings: BaselineFinding[];
+}
+/** Default baseline file path relative to project root */
+export declare const BASELINE_FILE_PATH = ".oculum/baseline.json";
+/** Directory for oculum files */
+export declare const OCULUM_DIR = ".oculum";
+//# sourceMappingURL=types.d.ts.map

package/dist/shared/baseline/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/shared/baseline/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAEvG;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAA;IACZ,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAA;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAA;IAClB,6BAA6B;IAC7B,QAAQ,EAAE,qBAAqB,CAAA;IAC/B,qBAAqB;IACrB,QAAQ,EAAE,qBAAqB,CAAA;IAC/B,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAA;CACd;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,+CAA+C;IAC/C,OAAO,EAAE,CAAC,CAAA;IACV,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAA;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,6CAA6C;IAC7C,SAAS,CAAC,EAAE,SAAS,CAAA;IACrB,uCAAuC;IACvC,QAAQ,EAAE,eAAe,EAAE,CAAA;IAC3B,yBAAyB;IACzB,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAA;QACb,QAAQ,EAAE,MAAM,CAAA;QAChB,IAAI,EAAE,MAAM,CAAA;QACZ,MAAM,EAAE,MAAM,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,IAAI,EAAE,MAAM,CAAA;KACb,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,gEAAgE;IAChE,GAAG,EAAE,OAAO,UAAU,EAAE,aAAa,EAAE,CAAA;IACvC,kEAAkE;IAClE,KAAK,EAAE,eAAe,EAAE,CAAA;IACxB,mEAAmE;IACnE,QAAQ,EAAE,OAAO,UAAU,EAAE,aAAa,EAAE,CAAA;IAC5C,yBAAyB;IACzB,KAAK,EAAE;QACL,QAAQ,EAAE,MAAM,CAAA;QAChB,UAAU,EAAE,MAAM,CAAA;QAClB,aAAa,EAAE,MAAM,CAAA;QACrB,aAAa,EAAE,cAAc,CAAA;QAC7B,eAAe,EAAE,cAAc,CAAA;KAChC,CAAA;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,iBAAiB,EAAE,MAAM,CAAA;IACzB,gDAAgD;IAChD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAA;IAChB,6DAA6D;IAC7D,UAAU,EAAE,MAAM,CAAA;IAClB,4CAA4C;IAC5C,aAAa,EAAE,MAAM,CAAA;IACrB,4CAA4C;IAC5C,aAAa,EAAE,eAAe,EAAE,CAAA;CACjC;AAED,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,0BAA0B,CAAA;AAEzD,iCAAiC;AACjC,eAAO,MAAM,UAAU,YAAY,CAAA"}

package/dist/shared/baseline/types.js

@@ -0,0 +1,12 @@
+"use strict";
+/**
+ * Baseline Types
+ * Types for baseline/diff mode functionality
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OCULUM_DIR = exports.BASELINE_FILE_PATH = void 0;
+/** Default baseline file path relative to project root */
+exports.BASELINE_FILE_PATH = '.oculum/baseline.json';
+/** Directory for oculum files */
+exports.OCULUM_DIR = '.oculum';
+//# sourceMappingURL=types.js.map

package/dist/shared/baseline/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/shared/baseline/types.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAyFH,0DAA0D;AAC7C,QAAA,kBAAkB,GAAG,uBAAuB,CAAA;AAEzD,iCAAiC;AACpB,QAAA,UAAU,GAAG,SAAS,CAAA"}

package/dist/shared/category-filter.d.ts

@@ -0,0 +1,125 @@
+/**
+ * Category-Based Filtering
+ *
+ * Enables CI to fail only on specific vulnerability categories,
+ * allowing gradual rollout (e.g., "only block prompt injection")
+ * and fine-grained control over which findings are blocking.
+ *
+ * @example
+ * // Fail only on AI-related and secret categories
+ * --fail-on-categories ai-*,secrets-*
+ *
+ * @example
+ * // Combined with severity
+ * --fail-on high --fail-on-categories ai-*
+ * // Only fail on high+ AI findings
+ */
+import type { VulnerabilityCategory, Vulnerability, VulnerabilitySeverity } from './types';
+/**
+ * Category group definitions for wildcard expansion
+ *
+ * These groups allow users to specify broad categories like "ai-*"
+ * which expand to all AI-related vulnerability categories.
+ */
+export declare const CATEGORY_GROUPS: Record<string, VulnerabilityCategory[]>;
+/**
+ * All known valid category names for validation
+ */
+export declare const ALL_CATEGORIES: VulnerabilityCategory[];
+/**
+ * Normalize category name for comparison
+ * - Converts to lowercase
+ * - Converts hyphens to underscores
+ * - Trims whitespace
+ *
+ * @example
+ * normalizeCategory('SQL-Injection') // 'sql_injection'
+ * normalizeCategory('high_entropy_string') // 'high_entropy_string'
+ */
+export declare function normalizeCategory(category: string): string;
+/**
+ * Expand a wildcard pattern or single category to a list of categories
+ *
+ * @param pattern - Category name or wildcard (e.g., 'sql_injection', 'ai-*')
+ * @returns Array of matching categories
+ *
+ * @example
+ * expandCategoryPattern('ai-*') // Returns all ai_* categories
+ * expandCategoryPattern('sql_injection') // Returns ['sql_injection']
+ * expandCategoryPattern('unknown-*') // Returns []
+ */
+export declare function expandCategoryPattern(pattern: string): VulnerabilityCategory[];
+/**
+ * Check if a category matches any pattern in the filter list
+ *
+ * @param category - The vulnerability category to check
+ * @param patterns - Array of category patterns (names or wildcards)
+ * @returns true if the category matches any pattern
+ *
+ * @example
+ * matchesAnyCategory('ai_prompt_injection', ['ai-*']) // true
+ * matchesAnyCategory('sql_injection', ['ai-*']) // false
+ * matchesAnyCategory('sql_injection', ['sql_injection', 'xss']) // true
+ */
+export declare function matchesAnyCategory(category: VulnerabilityCategory, patterns: string[]): boolean;
+/**
+ * Check if vulnerabilities should cause failure based on category filter
+ *
+ * When both category patterns and severity threshold are provided,
+ * BOTH conditions must match for a finding to cause failure.
+ *
+ * @param vulnerabilities - List of vulnerabilities to check
+ * @param categoryPatterns - Category patterns to filter on
+ * @param severityThreshold - Optional severity threshold (both must match)
+ * @returns true if any vulnerability matches and should cause failure
+ *
+ * @example
+ * // Only fail on AI findings
+ * shouldFailOnCategories(vulns, ['ai-*'])
+ *
+ * @example
+ * // Only fail on HIGH+ AI findings
+ * shouldFailOnCategories(vulns, ['ai-*'], 'high')
+ */
+export declare function shouldFailOnCategories(vulnerabilities: Vulnerability[], categoryPatterns: string[], severityThreshold?: VulnerabilitySeverity): boolean;
+/**
+ * Get the categories that matched the filter from vulnerabilities
+ * Useful for error messages showing which categories caused failure
+ */
+export declare function getMatchingCategories(vulnerabilities: Vulnerability[], categoryPatterns: string[], severityThreshold?: VulnerabilitySeverity): VulnerabilityCategory[];
+/**
+ * Parse comma-separated category string into array
+ *
+ * @param input - Comma-separated category string
+ * @returns Array of trimmed category patterns
+ *
+ * @example
+ * parseCategoryList('ai-*, secrets-*') // ['ai-*', 'secrets-*']
+ * parseCategoryList('sql_injection, xss') // ['sql_injection', 'xss']
+ */
+export declare function parseCategoryList(input: string): string[];
+/**
+ * Validate category names, separating valid from invalid
+ *
+ * @param categories - Array of category patterns to validate
+ * @returns Object with valid and invalid category arrays
+ *
+ * @example
+ * validateCategories(['ai-*', 'sql_injection', 'fake_category'])
+ * // { valid: ['ai-*', 'sql_injection'], invalid: ['fake_category'] }
+ */
+export declare function validateCategories(categories: string[]): {
+    valid: string[];
+    invalid: string[];
+};
+/**
+ * Get a human-readable list of available category groups
+ * Useful for help text and error messages
+ */
+export declare function getAvailableCategoryGroups(): string[];
+/**
+ * Get the count of categories in each group
+ * Useful for documentation and help text
+ */
+export declare function getCategoryGroupCounts(): Record<string, number>;
+//# sourceMappingURL=category-filter.d.ts.map

package/dist/shared/category-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"category-filter.d.ts","sourceRoot":"","sources":["../../src/shared/category-filter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA;AAG1F;;;;;GAKG;AACH,eAAO,MAAM,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,EAAE,CA6CnE,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,qBAAqB,EA4CjD,CAAA;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAK1D;AAUD;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,qBAAqB,EAAE,CAgC9E;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,qBAAqB,EAC/B,QAAQ,EAAE,MAAM,EAAE,GACjB,OAAO,CAiBT;AAID;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,aAAa,EAAE,EAChC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,iBAAiB,CAAC,EAAE,qBAAqB,GACxC,OAAO,CA6BT;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,eAAe,EAAE,aAAa,EAAE,EAChC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,iBAAiB,CAAC,EAAE,qBAAqB,GACxC,qBAAqB,EAAE,CAyBzB;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CASzD;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG;IACxD,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,OAAO,EAAE,MAAM,EAAE,CAAA;CAClB,CA4BA;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,IAAI,MAAM,EAAE,CAErD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAM/D"}

package/dist/shared/category-filter.js

@@ -0,0 +1,360 @@
+"use strict";
+/**
+ * Category-Based Filtering
+ *
+ * Enables CI to fail only on specific vulnerability categories,
+ * allowing gradual rollout (e.g., "only block prompt injection")
+ * and fine-grained control over which findings are blocking.
+ *
+ * @example
+ * // Fail only on AI-related and secret categories
+ * --fail-on-categories ai-*,secrets-*
+ *
+ * @example
+ * // Combined with severity
+ * --fail-on high --fail-on-categories ai-*
+ * // Only fail on high+ AI findings
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ALL_CATEGORIES = exports.CATEGORY_GROUPS = void 0;
+exports.normalizeCategory = normalizeCategory;
+exports.expandCategoryPattern = expandCategoryPattern;
+exports.matchesAnyCategory = matchesAnyCategory;
+exports.shouldFailOnCategories = shouldFailOnCategories;
+exports.getMatchingCategories = getMatchingCategories;
+exports.parseCategoryList = parseCategoryList;
+exports.validateCategories = validateCategories;
+exports.getAvailableCategoryGroups = getAvailableCategoryGroups;
+exports.getCategoryGroupCounts = getCategoryGroupCounts;
+const parsed_file_1 = require("./parsed-file");
+/**
+ * Category group definitions for wildcard expansion
+ *
+ * These groups allow users to specify broad categories like "ai-*"
+ * which expand to all AI-related vulnerability categories.
+ */
+exports.CATEGORY_GROUPS = {
+    'ai-*': [
+        'ai_pattern',
+        'ai_prompt_injection',
+        'ai_unsafe_execution',
+        'ai_overpermissive_tool',
+        'ai_rag_exfiltration',
+        'ai_endpoint_unprotected',
+        'ai_schema_mismatch',
+        'ai_package_hallucination',
+        'ai_rag_corpus_poisoning',
+        'ai_rag_pii_leakage',
+        'ai_mcp_tool_poisoning',
+        'ai_mcp_credential_issue',
+        'ai_mcp_confused_deputy',
+        'ai_mcp_description_injection',
+        'ai_mcp_server_shadowing',
+        'ai_mcp_config_secrets',
+        'ai_mcp_config_permissions',
+        'ai_rag_query_injection',
+        'ai_rag_embedding_poisoning',
+        'ai_rag_chunk_injection',
+        'ai_package_typosquat',
+        'ai_package_malicious',
+        'ai_unsafe_model_load',
+        'ai_unverified_model',
+        'ai_unsafe_finetuning',
+        'ai_excessive_agency',
+    ],
+    'secrets-*': [
+        'hardcoded_secret',
+        'high_entropy_string',
+        'sensitive_variable',
+    ],
+    'owasp-*': [
+        'sql_injection',
+        'xss',
+        'command_injection',
+        'missing_auth',
+        'security_bypass',
+        'insecure_config',
+        'cors_misconfiguration',
+        'data_exposure',
+        'weak_crypto',
+    ],
+};
+/**
+ * All known valid category names for validation
+ */
+exports.ALL_CATEGORIES = [
+    'hardcoded_secret',
+    'high_entropy_string',
+    'sensitive_variable',
+    'security_bypass',
+    'dangerous_function',
+    'sql_injection',
+    'xss',
+    'command_injection',
+    'insecure_config',
+    'missing_auth',
+    'suspicious_package',
+    'cors_misconfiguration',
+    'root_container',
+    'dangerous_file',
+    'ai_pattern',
+    'sensitive_url',
+    'weak_crypto',
+    'data_exposure',
+    'ai_prompt_injection',
+    'ai_unsafe_execution',
+    'ai_overpermissive_tool',
+    'ai_rag_exfiltration',
+    'ai_endpoint_unprotected',
+    'ai_schema_mismatch',
+    'ai_package_hallucination',
+    'ai_rag_corpus_poisoning',
+    'ai_rag_pii_leakage',
+    'ai_mcp_tool_poisoning',
+    'ai_mcp_credential_issue',
+    'ai_mcp_confused_deputy',
+    'ai_mcp_description_injection',
+    'ai_mcp_server_shadowing',
+    'ai_mcp_config_secrets',
+    'ai_mcp_config_permissions',
+    'ai_rag_query_injection',
+    'ai_rag_embedding_poisoning',
+    'ai_rag_chunk_injection',
+    'ai_package_typosquat',
+    'ai_package_malicious',
+    'ai_unsafe_model_load',
+    'ai_unverified_model',
+    'ai_unsafe_finetuning',
+    'ai_excessive_agency',
+];
+/**
+ * Normalize category name for comparison
+ * - Converts to lowercase
+ * - Converts hyphens to underscores
+ * - Trims whitespace
+ *
+ * @example
+ * normalizeCategory('SQL-Injection') // 'sql_injection'
+ * normalizeCategory('high_entropy_string') // 'high_entropy_string'
+ */
+function normalizeCategory(category) {
+    return category
+        .toLowerCase()
+        .trim()
+        .replace(/-/g, '_');
+}
+/**
+ * Check if a string is a valid wildcard pattern
+ * Valid wildcards end with '-*' or '_*'
+ */
+function isWildcardPattern(pattern) {
+    return pattern.endsWith('-*') || pattern.endsWith('_*');
+}
+/**
+ * Expand a wildcard pattern or single category to a list of categories
+ *
+ * @param pattern - Category name or wildcard (e.g., 'sql_injection', 'ai-*')
+ * @returns Array of matching categories
+ *
+ * @example
+ * expandCategoryPattern('ai-*') // Returns all ai_* categories
+ * expandCategoryPattern('sql_injection') // Returns ['sql_injection']
+ * expandCategoryPattern('unknown-*') // Returns []
+ */
+function expandCategoryPattern(pattern) {
+    const normalized = normalizeCategory(pattern);
+    // Check for wildcard patterns
+    if (isWildcardPattern(normalized)) {
+        // Normalize the wildcard pattern (both ai-* and ai_* should work)
+        const normalizedWildcard = normalized.replace('_*', '-*');
+        // Look up in category groups
+        const expanded = exports.CATEGORY_GROUPS[normalizedWildcard];
+        if (expanded) {
+            return [...expanded];
+        }
+        // Unknown wildcard - return empty
+        return [];
+    }
+    // Single category - validate and return
+    // Handle both hyphenated and underscored versions
+    const normalizedCategory = normalized;
+    if (exports.ALL_CATEGORIES.includes(normalizedCategory)) {
+        return [normalizedCategory];
+    }
+    // Try hyphenated version converted to underscore
+    const underscored = normalized.replace(/-/g, '_');
+    if (exports.ALL_CATEGORIES.includes(underscored)) {
+        return [underscored];
+    }
+    return [];
+}
+/**
+ * Check if a category matches any pattern in the filter list
+ *
+ * @param category - The vulnerability category to check
+ * @param patterns - Array of category patterns (names or wildcards)
+ * @returns true if the category matches any pattern
+ *
+ * @example
+ * matchesAnyCategory('ai_prompt_injection', ['ai-*']) // true
+ * matchesAnyCategory('sql_injection', ['ai-*']) // false
+ * matchesAnyCategory('sql_injection', ['sql_injection', 'xss']) // true
+ */
+function matchesAnyCategory(category, patterns) {
+    if (!patterns || patterns.length === 0) {
+        return false;
+    }
+    const normalizedCategory = normalizeCategory(category);
+    for (const pattern of patterns) {
+        const expanded = expandCategoryPattern(pattern);
+        // Check if category is in the expanded list
+        if (expanded.some(c => normalizeCategory(c) === normalizedCategory)) {
+            return true;
+        }
+    }
+    return false;
+}
+// severityRank imported from utils/parsed-file
+/**
+ * Check if vulnerabilities should cause failure based on category filter
+ *
+ * When both category patterns and severity threshold are provided,
+ * BOTH conditions must match for a finding to cause failure.
+ *
+ * @param vulnerabilities - List of vulnerabilities to check
+ * @param categoryPatterns - Category patterns to filter on
+ * @param severityThreshold - Optional severity threshold (both must match)
+ * @returns true if any vulnerability matches and should cause failure
+ *
+ * @example
+ * // Only fail on AI findings
+ * shouldFailOnCategories(vulns, ['ai-*'])
+ *
+ * @example
+ * // Only fail on HIGH+ AI findings
+ * shouldFailOnCategories(vulns, ['ai-*'], 'high')
+ */
+function shouldFailOnCategories(vulnerabilities, categoryPatterns, severityThreshold) {
+    if (!vulnerabilities || vulnerabilities.length === 0) {
+        return false;
+    }
+    if (!categoryPatterns || categoryPatterns.length === 0) {
+        return false;
+    }
+    const thresholdRank = severityThreshold ? (0, parsed_file_1.severityRank)(severityThreshold) : 0;
+    for (const vuln of vulnerabilities) {
+        // Check if category matches any pattern
+        if (!matchesAnyCategory(vuln.category, categoryPatterns)) {
+            continue;
+        }
+        // If no severity threshold specified, any matching category triggers failure
+        if (!severityThreshold) {
+            return true;
+        }
+        // Check if severity meets threshold
+        if ((0, parsed_file_1.severityRank)(vuln.severity) >= thresholdRank) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Get the categories that matched the filter from vulnerabilities
+ * Useful for error messages showing which categories caused failure
+ */
+function getMatchingCategories(vulnerabilities, categoryPatterns, severityThreshold) {
+    if (!vulnerabilities || vulnerabilities.length === 0) {
+        return [];
+    }
+    if (!categoryPatterns || categoryPatterns.length === 0) {
+        return [];
+    }
+    const thresholdRank = severityThreshold ? (0, parsed_file_1.severityRank)(severityThreshold) : 0;
+    const matched = new Set();
+    for (const vuln of vulnerabilities) {
+        // Check if category matches any pattern
+        if (!matchesAnyCategory(vuln.category, categoryPatterns)) {
+            continue;
+        }
+        // If no severity threshold, or severity meets threshold
+        if (!severityThreshold || (0, parsed_file_1.severityRank)(vuln.severity) >= thresholdRank) {
+            matched.add(vuln.category);
+        }
+    }
+    return Array.from(matched);
+}
+/**
+ * Parse comma-separated category string into array
+ *
+ * @param input - Comma-separated category string
+ * @returns Array of trimmed category patterns
+ *
+ * @example
+ * parseCategoryList('ai-*, secrets-*') // ['ai-*', 'secrets-*']
+ * parseCategoryList('sql_injection, xss') // ['sql_injection', 'xss']
+ */
+function parseCategoryList(input) {
+    if (!input || typeof input !== 'string') {
+        return [];
+    }
+    return input
+        .split(',')
+        .map(s => s.trim())
+        .filter(s => s.length > 0);
+}
+/**
+ * Validate category names, separating valid from invalid
+ *
+ * @param categories - Array of category patterns to validate
+ * @returns Object with valid and invalid category arrays
+ *
+ * @example
+ * validateCategories(['ai-*', 'sql_injection', 'fake_category'])
+ * // { valid: ['ai-*', 'sql_injection'], invalid: ['fake_category'] }
+ */
+function validateCategories(categories) {
+    const valid = [];
+    const invalid = [];
+    for (const category of categories) {
+        const normalized = normalizeCategory(category);
+        // Check if it's a valid wildcard
+        if (isWildcardPattern(normalized)) {
+            const normalizedWildcard = normalized.replace('_*', '-*');
+            if (exports.CATEGORY_GROUPS[normalizedWildcard]) {
+                valid.push(category);
+            }
+            else {
+                invalid.push(category);
+            }
+            continue;
+        }
+        // Check if it's a valid category name
+        const expanded = expandCategoryPattern(category);
+        if (expanded.length > 0) {
+            valid.push(category);
+        }
+        else {
+            invalid.push(category);
+        }
+    }
+    return { valid, invalid };
+}
+/**
+ * Get a human-readable list of available category groups
+ * Useful for help text and error messages
+ */
+function getAvailableCategoryGroups() {
+    return Object.keys(exports.CATEGORY_GROUPS);
+}
+/**
+ * Get the count of categories in each group
+ * Useful for documentation and help text
+ */
+function getCategoryGroupCounts() {
+    const counts = {};
+    for (const [group, categories] of Object.entries(exports.CATEGORY_GROUPS)) {
+        counts[group] = categories.length;
+    }
+    return counts;
+}
+//# sourceMappingURL=category-filter.js.map

package/dist/shared/category-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"category-filter.js","sourceRoot":"","sources":["../../src/shared/category-filter.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAqHH,8CAKC;AAqBD,sDAgCC;AAcD,gDAoBC;AAuBD,wDAiCC;AAMD,sDA6BC;AAYD,8CASC;AAYD,gDA+BC;AAMD,gEAEC;AAMD,wDAMC;AA7XD,+CAA4C;AAE5C;;;;;GAKG;AACU,QAAA,eAAe,GAA4C;IACtE,MAAM,EAAE;QACN,YAAY;QACZ,qBAAqB;QACrB,qBAAqB;QACrB,wBAAwB;QACxB,qBAAqB;QACrB,yBAAyB;QACzB,oBAAoB;QACpB,0BAA0B;QAC1B,yBAAyB;QACzB,oBAAoB;QACpB,uBAAuB;QACvB,yBAAyB;QACzB,wBAAwB;QACxB,8BAA8B;QAC9B,yBAAyB;QACzB,uBAAuB;QACvB,2BAA2B;QAC3B,wBAAwB;QACxB,4BAA4B;QAC5B,wBAAwB;QACxB,sBAAsB;QACtB,sBAAsB;QACtB,sBAAsB;QACtB,qBAAqB;QACrB,sBAAsB;QACtB,qBAAqB;KACtB;IACD,WAAW,EAAE;QACX,kBAAkB;QAClB,qBAAqB;QACrB,oBAAoB;KACrB;IACD,SAAS,EAAE;QACT,eAAe;QACf,KAAK;QACL,mBAAmB;QACnB,cAAc;QACd,iBAAiB;QACjB,iBAAiB;QACjB,uBAAuB;QACvB,eAAe;QACf,aAAa;KACd;CACF,CAAA;AAED;;GAEG;AACU,QAAA,cAAc,GAA4B;IACrD,kBAAkB;IAClB,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,oBAAoB;IACpB,eAAe;IACf,KAAK;IACL,mBAAmB;IACnB,iBAAiB;IACjB,cAAc;IACd,oBAAoB;IACpB,uBAAuB;IACvB,gBAAgB;IAChB,gBAAgB;IAChB,YAAY;IACZ,eAAe;IACf,aAAa;IACb,eAAe;IACf,qBAAqB;IACrB,qBAAqB;IACrB,wBAAwB;IACxB,qBAAqB;IACrB,yBAAyB;IACzB,oBAAoB;IACpB,0BAA0B;IAC1B,yBAAyB;IACzB,oBAAoB;IACpB,uBAAuB;IACvB,yBAAyB;IACzB,wBAAwB;IACxB,8BAA8B;IAC9B,yBAAyB;IACzB,uBAAuB;IACvB,2BAA2B;IAC3B,wBAAwB;IACxB,4BAA4B;IAC5B,wBAAwB;IACxB,sBAAsB;IACtB,sBAAsB;IACtB,sBAAsB;IACtB,qBAAqB;IACrB,sBAAsB;IACtB,qBAAqB;CACtB,CAAA;AAED;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,OAAO,QAAQ;SACZ,WAAW,EAAE;SACb,IAAI,EAAE;SACN,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;AACvB,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;AACzD,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,qBAAqB,CAAC,OAAe;IACnD,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAA;IAE7C,8BAA8B;IAC9B,IAAI,iBAAiB,CAAC,UAAU,CAAC,EAAE,CAAC;QAClC,kEAAkE;QAClE,MAAM,kBAAkB,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;QAEzD,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,uBAAe,CAAC,kBAAkB,CAAC,CAAA;QACpD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAA;QACtB,CAAC;QAED,kCAAkC;QAClC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,wCAAwC;IACxC,kDAAkD;IAClD,MAAM,kBAAkB,GAAG,UAAmC,CAAA;IAC9D,IAAI,sBAAc,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,kBAAkB,CAAC,CAAA;IAC7B,CAAC;IAED,iDAAiD;IACjD,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAA0B,CAAA;IAC1E,IAAI,sBAAc,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACzC,OAAO,CAAC,WAAW,CAAC,CAAA;IACtB,CAAC;IAED,OAAO,EAAE,CAAA;AACX,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,kBAAkB,CAChC,QAA+B,EAC/B,QAAkB;IAElB,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAA;IAEtD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;QAE/C,4CAA4C;QAC5C,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC,KAAK,kBAAkB,CAAC,EAAE,CAAC;YACpE,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+CAA+C;AAE/C;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,sBAAsB,CACpC,eAAgC,EAChC,gBAA0B,EAC1B,iBAAyC;IAEzC,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,aAAa,GAAG,iBAAiB,CAAC,CAAC,CAAC,IAAA,0BAAY,EAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAE7E,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,wCAAwC;QACxC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EAAE,CAAC;YACzD,SAAQ;QACV,CAAC;QAED,6EAA6E;QAC7E,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAA,0BAAY,EAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,aAAa,EAAE,CAAC;YACjD,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,qBAAqB,CACnC,eAAgC,EAChC,gBAA0B,EAC1B,iBAAyC;IAEzC,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAI,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvD,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,aAAa,GAAG,iBAAiB,CAAC,CAAC,CAAC,IAAA,0BAAY,EAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAC7E,MAAM,OAAO,GAAG,IAAI,GAAG,EAAyB,CAAA;IAEhD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,wCAAwC;QACxC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EAAE,CAAC;YACzD,SAAQ;QACV,CAAC;QAED,wDAAwD;QACxD,IAAI,CAAC,iBAAiB,IAAI,IAAA,0BAAY,EAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,aAAa,EAAE,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAC5B,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,OAAO,KAAK;SACT,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SAClB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;AAC9B,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,kBAAkB,CAAC,UAAoB;IAIrD,MAAM,KAAK,GAAa,EAAE,CAAA;IAC1B,MAAM,OAAO,GAAa,EAAE,CAAA;IAE5B,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;QAClC,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAA;QAE9C,iCAAiC;QACjC,IAAI,iBAAiB,CAAC,UAAU,CAAC,EAAE,CAAC;YAClC,MAAM,kBAAkB,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;YACzD,IAAI,uBAAe,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACxC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACxB,CAAC;YACD,SAAQ;QACV,CAAC;QAED,sCAAsC;QACtC,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAA;QAChD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACtB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAA;AAC3B,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B;IACxC,OAAO,MAAM,CAAC,IAAI,CAAC,uBAAe,CAAC,CAAA;AACrC,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB;IACpC,MAAM,MAAM,GAA2B,EAAE,CAAA;IACzC,KAAK,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,uBAAe,CAAC,EAAE,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,GAAG,UAAU,CAAC,MAAM,CAAA;IACnC,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/shared/code-analysis.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Shared Code Analysis Utilities
+ *
+ * ParsedFile-aware versions of control flow analysis and context extraction.
+ * Consolidates duplicated logic from control-flow.ts and various detectors.
+ */
+import { ParsedFile } from './parsed-file';
+/**
+ * Check if a line is inside a try-catch block.
+ * Tracks brace depth from the start of the file to the target line.
+ */
+export declare function isInsideTryCatch(file: ParsedFile, lineNumber: number): boolean;
+/**
+ * Simpler heuristic: check if there's a try-catch in the same function scope.
+ * Looks for try { before the line and } catch after, within reasonable bounds.
+ */
+export declare function hasTryCatchNearby(file: ParsedFile, lineNumber: number, windowSize?: number): boolean;
+/**
+ * Extract function context where a call is being made.
+ * Looks backwards from the current line to find enclosing function name.
+ * Returns lowercase function name or null if not found.
+ */
+export declare function extractFunctionContext(file: ParsedFile, lineNumber: number): string | null;
+/**
+ * Search surrounding lines for any of the given patterns.
+ * Consolidates the ±N line search pattern used across 55+ occurrences.
+ *
+ * @param file ParsedFile to search in
+ * @param lineIndex 0-based center line
+ * @param patterns RegExp patterns to search for
+ * @param windowSize number of lines before and after to search
+ * @returns found: true if any pattern matched, with matched line and pattern
+ */
+export declare function searchSurroundingLines(file: ParsedFile, lineIndex: number, patterns: RegExp[], windowSize: number): {
+    found: boolean;
+    matchedLine?: number;
+    matchedPattern?: RegExp;
+};
+//# sourceMappingURL=code-analysis.d.ts.map

package/dist/shared/code-analysis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-analysis.d.ts","sourceRoot":"","sources":["../../src/shared/code-analysis.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAG1C;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CA2C9E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,GAAE,MAAW,GAAG,OAAO,CAgCxG;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA6C1F;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAAE,EAClB,UAAU,EAAE,MAAM,GACjB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,CAcnE"}