npm - @oculum/scanner - Versions diffs - 1.0.12 → 1.0.13 - Mend

@oculum/scanner 1.0.12 → 1.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (961) hide show

package/dist/detect/ai-code/agent-tools.d.ts +22 -0
package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
package/dist/detect/ai-code/agent-tools.js +1509 -0
package/dist/detect/ai-code/agent-tools.js.map +1 -0
package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
package/dist/detect/ai-code/byok-patterns.js +313 -0
package/dist/detect/ai-code/byok-patterns.js.map +1 -0
package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
package/dist/detect/ai-code/endpoint-protection.js +349 -0
package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
package/dist/detect/ai-code/execution-sinks.js +1158 -0
package/dist/detect/ai-code/execution-sinks.js.map +1 -0
package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
package/dist/detect/ai-code/fingerprinting.js +665 -0
package/dist/detect/ai-code/fingerprinting.js.map +1 -0
package/dist/detect/ai-code/index.d.ts +12 -0
package/dist/detect/ai-code/index.d.ts.map +1 -0
package/dist/detect/ai-code/index.js +26 -0
package/dist/detect/ai-code/index.js.map +1 -0
package/dist/detect/ai-code/mcp-security.d.ts +20 -0
package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
package/dist/detect/ai-code/mcp-security.js +880 -0
package/dist/detect/ai-code/mcp-security.js.map +1 -0
package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
package/dist/detect/ai-code/model-supply-chain.js +447 -0
package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
package/dist/detect/ai-code/package-hallucination.js +841 -0
package/dist/detect/ai-code/package-hallucination.js.map +1 -0
package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
package/dist/detect/ai-code/rag-safety.d.ts +24 -0
package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
package/dist/detect/ai-code/rag-safety.js +913 -0
package/dist/detect/ai-code/rag-safety.js.map +1 -0
package/dist/detect/ai-code/schema-validation.d.ts +28 -0
package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
package/dist/detect/ai-code/schema-validation.js +378 -0
package/dist/detect/ai-code/schema-validation.js.map +1 -0
package/dist/detect/config/agent-skill-injection.d.ts +27 -0
package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
package/dist/detect/config/agent-skill-injection.js +472 -0
package/dist/detect/config/agent-skill-injection.js.map +1 -0
package/dist/detect/config/comments.d.ts +11 -0
package/dist/detect/config/comments.d.ts.map +1 -0
package/dist/detect/config/comments.js +206 -0
package/dist/detect/config/comments.js.map +1 -0
package/dist/detect/config/file-flags.d.ts +10 -0
package/dist/detect/config/file-flags.d.ts.map +1 -0
package/dist/detect/config/file-flags.js +124 -0
package/dist/detect/config/file-flags.js.map +1 -0
package/dist/detect/config/index.d.ts +7 -0
package/dist/detect/config/index.d.ts.map +1 -0
package/dist/detect/config/index.js +17 -0
package/dist/detect/config/index.js.map +1 -0
package/dist/detect/config/osv-check.d.ts +75 -0
package/dist/detect/config/osv-check.d.ts.map +1 -0
package/dist/detect/config/osv-check.js +309 -0
package/dist/detect/config/osv-check.js.map +1 -0
package/dist/detect/config/package-check.d.ts +63 -0
package/dist/detect/config/package-check.d.ts.map +1 -0
package/dist/detect/config/package-check.js +509 -0
package/dist/detect/config/package-check.js.map +1 -0
package/dist/detect/config/urls.d.ts +11 -0
package/dist/detect/config/urls.d.ts.map +1 -0
package/dist/detect/config/urls.js +450 -0
package/dist/detect/config/urls.js.map +1 -0
package/dist/detect/index.d.ts +37 -0
package/dist/detect/index.d.ts.map +1 -0
package/dist/detect/index.js +77 -0
package/dist/detect/index.js.map +1 -0
package/dist/detect/secrets/config-audit.d.ts +11 -0
package/dist/detect/secrets/config-audit.d.ts.map +1 -0
package/dist/detect/secrets/config-audit.js +315 -0
package/dist/detect/secrets/config-audit.js.map +1 -0
package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
package/dist/detect/secrets/config-mcp-audit.js +243 -0
package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
package/dist/detect/secrets/entropy.d.ts +11 -0
package/dist/detect/secrets/entropy.d.ts.map +1 -0
package/dist/detect/secrets/entropy.js +751 -0
package/dist/detect/secrets/entropy.js.map +1 -0
package/dist/detect/secrets/index.d.ts +36 -0
package/dist/detect/secrets/index.d.ts.map +1 -0
package/dist/detect/secrets/index.js +174 -0
package/dist/detect/secrets/index.js.map +1 -0
package/dist/detect/secrets/patterns.d.ts +11 -0
package/dist/detect/secrets/patterns.d.ts.map +1 -0
package/dist/detect/secrets/patterns.js +518 -0
package/dist/detect/secrets/patterns.js.map +1 -0
package/dist/detect/secrets/weak-crypto.d.ts +10 -0
package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
package/dist/detect/secrets/weak-crypto.js +432 -0
package/dist/detect/secrets/weak-crypto.js.map +1 -0
package/dist/detect/structural/auth-patterns.d.ts +22 -0
package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
package/dist/detect/structural/auth-patterns.js +533 -0
package/dist/detect/structural/auth-patterns.js.map +1 -0
package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/index.js +1193 -0
package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/detect/structural/data-exposure.d.ts +19 -0
package/dist/detect/structural/data-exposure.d.ts.map +1 -0
package/dist/detect/structural/data-exposure.js +262 -0
package/dist/detect/structural/data-exposure.js.map +1 -0
package/dist/detect/structural/framework-checks.d.ts +10 -0
package/dist/detect/structural/framework-checks.d.ts.map +1 -0
package/dist/detect/structural/framework-checks.js +389 -0
package/dist/detect/structural/framework-checks.js.map +1 -0
package/dist/detect/structural/index.d.ts +71 -0
package/dist/detect/structural/index.d.ts.map +1 -0
package/dist/detect/structural/index.js +510 -0
package/dist/detect/structural/index.js.map +1 -0
package/dist/detect/structural/log-injection.d.ts +18 -0
package/dist/detect/structural/log-injection.d.ts.map +1 -0
package/dist/detect/structural/log-injection.js +217 -0
package/dist/detect/structural/log-injection.js.map +1 -0
package/dist/detect/structural/logic-gates.d.ts +10 -0
package/dist/detect/structural/logic-gates.d.ts.map +1 -0
package/dist/detect/structural/logic-gates.js +227 -0
package/dist/detect/structural/logic-gates.js.map +1 -0
package/dist/detect/structural/risky-imports.d.ts +10 -0
package/dist/detect/structural/risky-imports.d.ts.map +1 -0
package/dist/detect/structural/risky-imports.js +168 -0
package/dist/detect/structural/risky-imports.js.map +1 -0
package/dist/detect/structural/security-headers.d.ts +18 -0
package/dist/detect/structural/security-headers.d.ts.map +1 -0
package/dist/detect/structural/security-headers.js +196 -0
package/dist/detect/structural/security-headers.js.map +1 -0
package/dist/detect/structural/ssrf-detection.d.ts +18 -0
package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
package/dist/detect/structural/ssrf-detection.js +263 -0
package/dist/detect/structural/ssrf-detection.js.map +1 -0
package/dist/detect/structural/variables.d.ts +11 -0
package/dist/detect/structural/variables.d.ts.map +1 -0
package/dist/detect/structural/variables.js +159 -0
package/dist/detect/structural/variables.js.map +1 -0
package/dist/detect/structural/xxe-detection.d.ts +18 -0
package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
package/dist/detect/structural/xxe-detection.js +245 -0
package/dist/detect/structural/xxe-detection.js.map +1 -0
package/dist/index.d.ts +17 -64
package/dist/index.d.ts.map +1 -1
package/dist/index.js +49 -1034
package/dist/index.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +1 -8
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +4 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +50 -1
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/log-injection.d.ts +18 -0
package/dist/layer2/log-injection.d.ts.map +1 -0
package/dist/layer2/log-injection.js +214 -0
package/dist/layer2/log-injection.js.map +1 -0
package/dist/layer2/security-headers.d.ts +18 -0
package/dist/layer2/security-headers.d.ts.map +1 -0
package/dist/layer2/security-headers.js +187 -0
package/dist/layer2/security-headers.js.map +1 -0
package/dist/layer2/ssrf-detection.d.ts +18 -0
package/dist/layer2/ssrf-detection.d.ts.map +1 -0
package/dist/layer2/ssrf-detection.js +252 -0
package/dist/layer2/ssrf-detection.js.map +1 -0
package/dist/layer2/xxe-detection.d.ts +18 -0
package/dist/layer2/xxe-detection.d.ts.map +1 -0
package/dist/layer2/xxe-detection.js +242 -0
package/dist/layer2/xxe-detection.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
package/dist/layer3/anthropic/prompts/index.js +3 -1
package/dist/layer3/anthropic/prompts/index.js.map +1 -1
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
package/dist/layer3/anthropic/prompts/validation.js +14 -410
package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
package/dist/layer3/anthropic/providers/anthropic.js +6 -3
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
package/dist/layer3/anthropic/providers/openai.js +6 -3
package/dist/layer3/anthropic/providers/openai.js.map +1 -1
package/dist/layer3/anthropic/request-builder.d.ts +11 -4
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
package/dist/layer3/anthropic/request-builder.js +32 -16
package/dist/layer3/anthropic/request-builder.js.map +1 -1
package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +2 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
package/dist/layer3/anthropic/utils/index.js +4 -1
package/dist/layer3/anthropic/utils/index.js.map +1 -1
package/dist/model/auth-helper-detector.d.ts +56 -0
package/dist/model/auth-helper-detector.d.ts.map +1 -0
package/dist/model/auth-helper-detector.js +360 -0
package/dist/model/auth-helper-detector.js.map +1 -0
package/dist/model/cross-file-taint.d.ts +40 -0
package/dist/model/cross-file-taint.d.ts.map +1 -0
package/dist/model/cross-file-taint.js +290 -0
package/dist/model/cross-file-taint.js.map +1 -0
package/dist/model/framework-models/django.d.ts +9 -0
package/dist/model/framework-models/django.d.ts.map +1 -0
package/dist/model/framework-models/django.js +82 -0
package/dist/model/framework-models/django.js.map +1 -0
package/dist/model/framework-models/express.d.ts +9 -0
package/dist/model/framework-models/express.d.ts.map +1 -0
package/dist/model/framework-models/express.js +52 -0
package/dist/model/framework-models/express.js.map +1 -0
package/dist/model/framework-models/index.d.ts +20 -0
package/dist/model/framework-models/index.d.ts.map +1 -0
package/dist/model/framework-models/index.js +102 -0
package/dist/model/framework-models/index.js.map +1 -0
package/dist/model/framework-models/nextjs.d.ts +9 -0
package/dist/model/framework-models/nextjs.d.ts.map +1 -0
package/dist/model/framework-models/nextjs.js +71 -0
package/dist/model/framework-models/nextjs.js.map +1 -0
package/dist/model/framework-models/prisma.d.ts +10 -0
package/dist/model/framework-models/prisma.d.ts.map +1 -0
package/dist/model/framework-models/prisma.js +54 -0
package/dist/model/framework-models/prisma.js.map +1 -0
package/dist/model/framework-models/react.d.ts +9 -0
package/dist/model/framework-models/react.d.ts.map +1 -0
package/dist/model/framework-models/react.js +67 -0
package/dist/model/framework-models/react.js.map +1 -0
package/dist/model/framework-models/sequelize.d.ts +9 -0
package/dist/model/framework-models/sequelize.d.ts.map +1 -0
package/dist/model/framework-models/sequelize.js +62 -0
package/dist/model/framework-models/sequelize.js.map +1 -0
package/dist/model/framework-models/types.d.ts +43 -0
package/dist/model/framework-models/types.d.ts.map +1 -0
package/dist/model/framework-models/types.js +10 -0
package/dist/model/framework-models/types.js.map +1 -0
package/dist/model/function-classifier.d.ts +32 -0
package/dist/model/function-classifier.d.ts.map +1 -0
package/dist/model/function-classifier.js +143 -0
package/dist/model/function-classifier.js.map +1 -0
package/dist/model/import-resolver.d.ts +45 -0
package/dist/model/import-resolver.d.ts.map +1 -0
package/dist/model/import-resolver.js +410 -0
package/dist/model/import-resolver.js.map +1 -0
package/dist/model/imported-auth-detector.d.ts +38 -0
package/dist/model/imported-auth-detector.d.ts.map +1 -0
package/dist/model/imported-auth-detector.js +199 -0
package/dist/model/imported-auth-detector.js.map +1 -0
package/dist/model/index.d.ts +63 -0
package/dist/model/index.d.ts.map +1 -0
package/dist/model/index.js +272 -0
package/dist/model/index.js.map +1 -0
package/dist/model/middleware-detector.d.ts +55 -0
package/dist/model/middleware-detector.d.ts.map +1 -0
package/dist/model/middleware-detector.js +382 -0
package/dist/model/middleware-detector.js.map +1 -0
package/dist/model/module-graph.d.ts +46 -0
package/dist/model/module-graph.d.ts.map +1 -0
package/dist/model/module-graph.js +187 -0
package/dist/model/module-graph.js.map +1 -0
package/dist/model/oauth-flow-detector.d.ts +41 -0
package/dist/model/oauth-flow-detector.d.ts.map +1 -0
package/dist/model/oauth-flow-detector.js +202 -0
package/dist/model/oauth-flow-detector.js.map +1 -0
package/dist/model/project-context.d.ts +119 -0
package/dist/model/project-context.d.ts.map +1 -0
package/dist/model/project-context.js +534 -0
package/dist/model/project-context.js.map +1 -0
package/dist/model/route-auth-resolver.d.ts +27 -0
package/dist/model/route-auth-resolver.d.ts.map +1 -0
package/dist/model/route-auth-resolver.js +182 -0
package/dist/model/route-auth-resolver.js.map +1 -0
package/dist/model/route-discovery/express.d.ts +25 -0
package/dist/model/route-discovery/express.d.ts.map +1 -0
package/dist/model/route-discovery/express.js +225 -0
package/dist/model/route-discovery/express.js.map +1 -0
package/dist/model/route-discovery/index.d.ts +21 -0
package/dist/model/route-discovery/index.d.ts.map +1 -0
package/dist/model/route-discovery/index.js +67 -0
package/dist/model/route-discovery/index.js.map +1 -0
package/dist/model/route-discovery/nextjs.d.ts +16 -0
package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
package/dist/model/route-discovery/nextjs.js +179 -0
package/dist/model/route-discovery/nextjs.js.map +1 -0
package/dist/model/route-discovery/python.d.ts +16 -0
package/dist/model/route-discovery/python.d.ts.map +1 -0
package/dist/model/route-discovery/python.js +181 -0
package/dist/model/route-discovery/python.js.map +1 -0
package/dist/model/route-discovery/types.d.ts +36 -0
package/dist/model/route-discovery/types.d.ts.map +1 -0
package/dist/model/route-discovery/types.js +16 -0
package/dist/model/route-discovery/types.js.map +1 -0
package/dist/model/route-discovery/utils.d.ts +18 -0
package/dist/model/route-discovery/utils.d.ts.map +1 -0
package/dist/model/route-discovery/utils.js +55 -0
package/dist/model/route-discovery/utils.js.map +1 -0
package/dist/model/route-hierarchy.d.ts +50 -0
package/dist/model/route-hierarchy.d.ts.map +1 -0
package/dist/model/route-hierarchy.js +226 -0
package/dist/model/route-hierarchy.js.map +1 -0
package/dist/model/sanitiser-detection.d.ts +27 -0
package/dist/model/sanitiser-detection.d.ts.map +1 -0
package/dist/model/sanitiser-detection.js +224 -0
package/dist/model/sanitiser-detection.js.map +1 -0
package/dist/model/sink-matcher.d.ts +17 -0
package/dist/model/sink-matcher.d.ts.map +1 -0
package/dist/model/sink-matcher.js +141 -0
package/dist/model/sink-matcher.js.map +1 -0
package/dist/model/sink-patterns.d.ts +19 -0
package/dist/model/sink-patterns.d.ts.map +1 -0
package/dist/model/sink-patterns.js +88 -0
package/dist/model/sink-patterns.js.map +1 -0
package/dist/model/source-discovery.d.ts +15 -0
package/dist/model/source-discovery.d.ts.map +1 -0
package/dist/model/source-discovery.js +170 -0
package/dist/model/source-discovery.js.map +1 -0
package/dist/model/taint-tracker.d.ts +21 -0
package/dist/model/taint-tracker.d.ts.map +1 -0
package/dist/model/taint-tracker.js +281 -0
package/dist/model/taint-tracker.js.map +1 -0
package/dist/model/taint-types.d.ts +74 -0
package/dist/model/taint-types.d.ts.map +1 -0
package/dist/model/taint-types.js +9 -0
package/dist/model/taint-types.js.map +1 -0
package/dist/model/trpc-analyzer.d.ts +78 -0
package/dist/model/trpc-analyzer.d.ts.map +1 -0
package/dist/model/trpc-analyzer.js +297 -0
package/dist/model/trpc-analyzer.js.map +1 -0
package/dist/parse/file-classifier.d.ts +228 -0
package/dist/parse/file-classifier.d.ts.map +1 -0
package/dist/parse/file-classifier.js +933 -0
package/dist/parse/file-classifier.js.map +1 -0
package/dist/parse/path-exclusions.d.ts +55 -0
package/dist/parse/path-exclusions.d.ts.map +1 -0
package/dist/parse/path-exclusions.js +224 -0
package/dist/parse/path-exclusions.js.map +1 -0
package/dist/pipeline/config.d.ts +39 -0
package/dist/pipeline/config.d.ts.map +1 -0
package/dist/pipeline/config.js +46 -0
package/dist/pipeline/config.js.map +1 -0
package/dist/pipeline/index.d.ts +34 -0
package/dist/pipeline/index.d.ts.map +1 -0
package/dist/pipeline/index.js +377 -0
package/dist/pipeline/index.js.map +1 -0
package/dist/pipeline/modes/incremental.d.ts +66 -0
package/dist/pipeline/modes/incremental.d.ts.map +1 -0
package/dist/pipeline/modes/incremental.js +200 -0
package/dist/pipeline/modes/incremental.js.map +1 -0
package/dist/postprocess/aggregation.d.ts +14 -0
package/dist/postprocess/aggregation.d.ts.map +1 -0
package/dist/postprocess/aggregation.js +63 -0
package/dist/postprocess/aggregation.js.map +1 -0
package/dist/postprocess/contradictions.d.ts +18 -0
package/dist/postprocess/contradictions.d.ts.map +1 -0
package/dist/postprocess/contradictions.js +99 -0
package/dist/postprocess/contradictions.js.map +1 -0
package/dist/postprocess/dedup.d.ts +13 -0
package/dist/postprocess/dedup.d.ts.map +1 -0
package/dist/postprocess/dedup.js +58 -0
package/dist/postprocess/dedup.js.map +1 -0
package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
package/dist/postprocess/filtering/context-adjustments.js +100 -0
package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
package/dist/postprocess/filtering/index.d.ts +3 -0
package/dist/postprocess/filtering/index.d.ts.map +1 -0
package/dist/postprocess/filtering/index.js +8 -0
package/dist/postprocess/filtering/index.js.map +1 -0
package/dist/postprocess/filtering/pipeline.d.ts +48 -0
package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
package/dist/postprocess/filtering/pipeline.js +76 -0
package/dist/postprocess/filtering/pipeline.js.map +1 -0
package/dist/postprocess/index.d.ts +41 -0
package/dist/postprocess/index.d.ts.map +1 -0
package/dist/postprocess/index.js +85 -0
package/dist/postprocess/index.js.map +1 -0
package/dist/postprocess/suppression/config-loader.d.ts +74 -0
package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
package/dist/postprocess/suppression/config-loader.js +424 -0
package/dist/postprocess/suppression/config-loader.js.map +1 -0
package/dist/postprocess/suppression/hash.d.ts +48 -0
package/dist/postprocess/suppression/hash.d.ts.map +1 -0
package/dist/postprocess/suppression/hash.js +88 -0
package/dist/postprocess/suppression/hash.js.map +1 -0
package/dist/postprocess/suppression/index.d.ts +11 -0
package/dist/postprocess/suppression/index.d.ts.map +1 -0
package/dist/postprocess/suppression/index.js +39 -0
package/dist/postprocess/suppression/index.js.map +1 -0
package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
package/dist/postprocess/suppression/inline-parser.js +218 -0
package/dist/postprocess/suppression/inline-parser.js.map +1 -0
package/dist/postprocess/suppression/manager.d.ts +94 -0
package/dist/postprocess/suppression/manager.d.ts.map +1 -0
package/dist/postprocess/suppression/manager.js +292 -0
package/dist/postprocess/suppression/manager.js.map +1 -0
package/dist/postprocess/suppression/types.d.ts +151 -0
package/dist/postprocess/suppression/types.d.ts.map +1 -0
package/dist/postprocess/suppression/types.js +28 -0
package/dist/postprocess/suppression/types.js.map +1 -0
package/dist/postprocess/validation-cap.d.ts +17 -0
package/dist/postprocess/validation-cap.d.ts.map +1 -0
package/dist/postprocess/validation-cap.js +64 -0
package/dist/postprocess/validation-cap.js.map +1 -0
package/dist/report/build-result.d.ts +33 -0
package/dist/report/build-result.d.ts.map +1 -0
package/dist/report/build-result.js +59 -0
package/dist/report/build-result.js.map +1 -0
package/dist/report/enrichment.d.ts +19 -0
package/dist/report/enrichment.d.ts.map +1 -0
package/dist/report/enrichment.js +44 -0
package/dist/report/enrichment.js.map +1 -0
package/dist/report/formatters/ai-context.d.ts +23 -0
package/dist/report/formatters/ai-context.d.ts.map +1 -0
package/dist/report/formatters/ai-context.js +238 -0
package/dist/report/formatters/ai-context.js.map +1 -0
package/dist/report/formatters/cli-terminal.d.ts +65 -0
package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
package/dist/report/formatters/cli-terminal.js +735 -0
package/dist/report/formatters/cli-terminal.js.map +1 -0
package/dist/report/formatters/github-comment.d.ts +41 -0
package/dist/report/formatters/github-comment.d.ts.map +1 -0
package/dist/report/formatters/github-comment.js +370 -0
package/dist/report/formatters/github-comment.js.map +1 -0
package/dist/report/formatters/grouping.d.ts +52 -0
package/dist/report/formatters/grouping.d.ts.map +1 -0
package/dist/report/formatters/grouping.js +152 -0
package/dist/report/formatters/grouping.js.map +1 -0
package/dist/report/formatters/ide/claude-code.d.ts +17 -0
package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/report/formatters/ide/claude-code.js +94 -0
package/dist/report/formatters/ide/claude-code.js.map +1 -0
package/dist/report/formatters/ide/cursor.d.ts +13 -0
package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
package/dist/report/formatters/ide/cursor.js +125 -0
package/dist/report/formatters/ide/cursor.js.map +1 -0
package/dist/report/formatters/ide/index.d.ts +62 -0
package/dist/report/formatters/ide/index.d.ts.map +1 -0
package/dist/report/formatters/ide/index.js +184 -0
package/dist/report/formatters/ide/index.js.map +1 -0
package/dist/report/formatters/ide/windsurf.d.ts +13 -0
package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/report/formatters/ide/windsurf.js +117 -0
package/dist/report/formatters/ide/windsurf.js.map +1 -0
package/dist/report/formatters/index.d.ts +11 -0
package/dist/report/formatters/index.d.ts.map +1 -0
package/dist/report/formatters/index.js +54 -0
package/dist/report/formatters/index.js.map +1 -0
package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/report/formatters/vscode-diagnostic.js +151 -0
package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
package/dist/report/summary.d.ts +27 -0
package/dist/report/summary.d.ts.map +1 -0
package/dist/report/summary.js +57 -0
package/dist/report/summary.js.map +1 -0
package/dist/rules/metadata.d.ts.map +1 -1
package/dist/rules/metadata.js +66 -0
package/dist/rules/metadata.js.map +1 -1
package/dist/score/adjustments.d.ts +22 -0
package/dist/score/adjustments.d.ts.map +1 -0
package/dist/score/adjustments.js +373 -0
package/dist/score/adjustments.js.map +1 -0
package/dist/score/auto-dismiss.d.ts +28 -0
package/dist/score/auto-dismiss.d.ts.map +1 -0
package/dist/score/auto-dismiss.js +200 -0
package/dist/score/auto-dismiss.js.map +1 -0
package/dist/score/confidence.d.ts +19 -0
package/dist/score/confidence.d.ts.map +1 -0
package/dist/score/confidence.js +52 -0
package/dist/score/confidence.js.map +1 -0
package/dist/score/index.d.ts +61 -0
package/dist/score/index.d.ts.map +1 -0
package/dist/score/index.js +250 -0
package/dist/score/index.js.map +1 -0
package/dist/score/types.d.ts +160 -0
package/dist/score/types.d.ts.map +1 -0
package/dist/score/types.js +14 -0
package/dist/score/types.js.map +1 -0
package/dist/shared/ai-context/index.d.ts +6 -0
package/dist/shared/ai-context/index.d.ts.map +1 -0
package/dist/shared/ai-context/index.js +13 -0
package/dist/shared/ai-context/index.js.map +1 -0
package/dist/shared/ai-context/manager.d.ts +67 -0
package/dist/shared/ai-context/manager.d.ts.map +1 -0
package/dist/shared/ai-context/manager.js +104 -0
package/dist/shared/ai-context/manager.js.map +1 -0
package/dist/shared/baseline/diff.d.ts +32 -0
package/dist/shared/baseline/diff.d.ts.map +1 -0
package/dist/shared/baseline/diff.js +119 -0
package/dist/shared/baseline/diff.js.map +1 -0
package/dist/shared/baseline/index.d.ts +9 -0
package/dist/shared/baseline/index.d.ts.map +1 -0
package/dist/shared/baseline/index.js +19 -0
package/dist/shared/baseline/index.js.map +1 -0
package/dist/shared/baseline/manager.d.ts +67 -0
package/dist/shared/baseline/manager.d.ts.map +1 -0
package/dist/shared/baseline/manager.js +180 -0
package/dist/shared/baseline/manager.js.map +1 -0
package/dist/shared/baseline/types.d.ts +91 -0
package/dist/shared/baseline/types.d.ts.map +1 -0
package/dist/shared/baseline/types.js +12 -0
package/dist/shared/baseline/types.js.map +1 -0
package/dist/shared/category-filter.d.ts +125 -0
package/dist/shared/category-filter.d.ts.map +1 -0
package/dist/shared/category-filter.js +360 -0
package/dist/shared/category-filter.js.map +1 -0
package/dist/shared/code-analysis.d.ts +39 -0
package/dist/shared/code-analysis.d.ts.map +1 -0
package/dist/shared/code-analysis.js +159 -0
package/dist/shared/code-analysis.js.map +1 -0
package/dist/shared/comment-analyzer.d.ts +38 -0
package/dist/shared/comment-analyzer.d.ts.map +1 -0
package/dist/shared/comment-analyzer.js +218 -0
package/dist/shared/comment-analyzer.js.map +1 -0
package/dist/shared/diff-detector.d.ts +53 -0
package/dist/shared/diff-detector.d.ts.map +1 -0
package/dist/shared/diff-detector.js +104 -0
package/dist/shared/diff-detector.js.map +1 -0
package/dist/shared/diff-parser.d.ts +80 -0
package/dist/shared/diff-parser.d.ts.map +1 -0
package/dist/shared/diff-parser.js +202 -0
package/dist/shared/diff-parser.js.map +1 -0
package/dist/shared/environment-context.d.ts +76 -0
package/dist/shared/environment-context.d.ts.map +1 -0
package/dist/shared/environment-context.js +271 -0
package/dist/shared/environment-context.js.map +1 -0
package/dist/shared/intent-detector.d.ts +66 -0
package/dist/shared/intent-detector.d.ts.map +1 -0
package/dist/shared/intent-detector.js +282 -0
package/dist/shared/intent-detector.js.map +1 -0
package/dist/shared/parsed-file.d.ts +51 -0
package/dist/shared/parsed-file.d.ts.map +1 -0
package/dist/shared/parsed-file.js +95 -0
package/dist/shared/parsed-file.js.map +1 -0
package/dist/shared/registry-clients.d.ts +93 -0
package/dist/shared/registry-clients.d.ts.map +1 -0
package/dist/shared/registry-clients.js +273 -0
package/dist/shared/registry-clients.js.map +1 -0
package/dist/shared/rules/framework-fixes.d.ts +48 -0
package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
package/dist/shared/rules/framework-fixes.js +439 -0
package/dist/shared/rules/framework-fixes.js.map +1 -0
package/dist/shared/rules/index.d.ts +8 -0
package/dist/shared/rules/index.d.ts.map +1 -0
package/dist/shared/rules/index.js +18 -0
package/dist/shared/rules/index.js.map +1 -0
package/dist/shared/rules/metadata.d.ts +43 -0
package/dist/shared/rules/metadata.d.ts.map +1 -0
package/dist/shared/rules/metadata.js +819 -0
package/dist/shared/rules/metadata.js.map +1 -0
package/dist/shared/schema-semantics.d.ts +45 -0
package/dist/shared/schema-semantics.d.ts.map +1 -0
package/dist/shared/schema-semantics.js +193 -0
package/dist/shared/schema-semantics.js.map +1 -0
package/dist/shared/types.d.ts +337 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +126 -0
package/dist/shared/types.js.map +1 -0
package/dist/tiers.d.ts +2 -2
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +10 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +1 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/validate/clients.d.ts +44 -0
package/dist/validate/clients.d.ts.map +1 -0
package/dist/validate/clients.js +81 -0
package/dist/validate/clients.js.map +1 -0
package/dist/validate/index.d.ts +41 -0
package/dist/validate/index.d.ts.map +1 -0
package/dist/validate/index.js +141 -0
package/dist/validate/index.js.map +1 -0
package/dist/validate/prompts/index.d.ts +8 -0
package/dist/validate/prompts/index.d.ts.map +1 -0
package/dist/validate/prompts/index.js +16 -0
package/dist/validate/prompts/index.js.map +1 -0
package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
package/dist/validate/prompts/modules/ai-patterns.js +156 -0
package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
package/dist/validate/prompts/modules/auth-access.js +25 -0
package/dist/validate/prompts/modules/auth-access.js.map +1 -0
package/dist/validate/prompts/modules/common.d.ts +11 -0
package/dist/validate/prompts/modules/common.d.ts.map +1 -0
package/dist/validate/prompts/modules/common.js +186 -0
package/dist/validate/prompts/modules/common.js.map +1 -0
package/dist/validate/prompts/modules/index.d.ts +54 -0
package/dist/validate/prompts/modules/index.d.ts.map +1 -0
package/dist/validate/prompts/modules/index.js +186 -0
package/dist/validate/prompts/modules/index.js.map +1 -0
package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
package/dist/validate/prompts/modules/owasp-classic.js +84 -0
package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
package/dist/validate/prompts/modules/xss-prompt.js +22 -0
package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/validate/prompts/semantic-analysis.js +169 -0
package/dist/validate/prompts/semantic-analysis.js.map +1 -0
package/dist/validate/prompts/validation.d.ts +18 -0
package/dist/validate/prompts/validation.d.ts.map +1 -0
package/dist/validate/prompts/validation.js +25 -0
package/dist/validate/prompts/validation.js.map +1 -0
package/dist/validate/providers/anthropic.d.ts +17 -0
package/dist/validate/providers/anthropic.d.ts.map +1 -0
package/dist/validate/providers/anthropic.js +260 -0
package/dist/validate/providers/anthropic.js.map +1 -0
package/dist/validate/providers/index.d.ts +8 -0
package/dist/validate/providers/index.d.ts.map +1 -0
package/dist/validate/providers/index.js +13 -0
package/dist/validate/providers/index.js.map +1 -0
package/dist/validate/providers/openai.d.ts +14 -0
package/dist/validate/providers/openai.d.ts.map +1 -0
package/dist/validate/providers/openai.js +336 -0
package/dist/validate/providers/openai.js.map +1 -0
package/dist/validate/request-builder.d.ts +61 -0
package/dist/validate/request-builder.d.ts.map +1 -0
package/dist/validate/request-builder.js +346 -0
package/dist/validate/request-builder.js.map +1 -0
package/dist/validate/types.d.ts +88 -0
package/dist/validate/types.d.ts.map +1 -0
package/dist/validate/types.js +38 -0
package/dist/validate/types.js.map +1 -0
package/dist/validate/utils/context-extractor.d.ts +55 -0
package/dist/validate/utils/context-extractor.d.ts.map +1 -0
package/dist/validate/utils/context-extractor.js +161 -0
package/dist/validate/utils/context-extractor.js.map +1 -0
package/dist/validate/utils/index.d.ts +11 -0
package/dist/validate/utils/index.d.ts.map +1 -0
package/dist/validate/utils/index.js +27 -0
package/dist/validate/utils/index.js.map +1 -0
package/dist/validate/utils/path-helpers.d.ts +21 -0
package/dist/validate/utils/path-helpers.d.ts.map +1 -0
package/dist/validate/utils/path-helpers.js +69 -0
package/dist/validate/utils/path-helpers.js.map +1 -0
package/dist/validate/utils/response-parser.d.ts +40 -0
package/dist/validate/utils/response-parser.d.ts.map +1 -0
package/dist/validate/utils/response-parser.js +286 -0
package/dist/validate/utils/response-parser.js.map +1 -0
package/dist/validate/utils/retry.d.ts +15 -0
package/dist/validate/utils/retry.d.ts.map +1 -0
package/dist/validate/utils/retry.js +62 -0
package/dist/validate/utils/retry.js.map +1 -0
package/package.json +8 -7
package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +15 -0
package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
package/src/__tests__/benchmark/run-depth-validation.ts +3 -3
package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
package/src/__tests__/benchmark/types.ts +1 -1
package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
package/src/__tests__/category-filter.test.ts +2 -2
package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
package/src/__tests__/context-engine/framework-models.test.ts +457 -0
package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
package/src/__tests__/context-engine/integration.test.ts +320 -0
package/src/__tests__/context-engine/module-graph.test.ts +159 -0
package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
package/src/__tests__/regression/known-false-positives.test.ts +312 -4
package/src/__tests__/score/adjustments.test.ts +385 -0
package/src/__tests__/score/confidence.test.ts +283 -0
package/src/__tests__/score/framework-scoring.test.ts +275 -0
package/src/__tests__/score/route-scoring.test.ts +156 -0
package/src/__tests__/score/scoring-integration.test.ts +165 -0
package/src/__tests__/score/taint-adjustments.test.ts +244 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +37 -49
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -3
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +2 -2
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
package/src/__tests__/validate/route-annotations.test.ts +138 -0
package/src/__tests__/validation/analyze-results.ts +1 -1
package/src/__tests__/validation/extract-for-triage.ts +1 -1
package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +23 -3
package/src/{layer2 → detect/ai-code}/byok-patterns.ts +17 -5
package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +8 -4
package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +8 -4
package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +20 -4
package/src/detect/ai-code/index.ts +11 -0
package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +7 -3
package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +7 -3
package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +18 -3
package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +25 -3
package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +7 -3
package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +7 -3
package/src/detect/config/agent-skill-injection.ts +551 -0
package/src/{layer1 → detect/config}/comments.ts +6 -2
package/src/{layer1 → detect/config}/file-flags.ts +9 -3
package/src/detect/config/index.ts +6 -0
package/src/{layer3 → detect/config}/osv-check.ts +3 -2
package/src/{layer3 → detect/config}/package-check.ts +3 -2
package/src/{layer1 → detect/config}/urls.ts +12 -5
package/src/detect/index.ts +131 -0
package/src/{layer1 → detect/secrets}/config-audit.ts +7 -2
package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +8 -3
package/src/{layer1 → detect/secrets}/entropy.ts +23 -11
package/src/{layer1 → detect/secrets}/index.ts +31 -30
package/src/{layer1 → detect/secrets}/patterns.ts +10 -3
package/src/{layer1 → detect/secrets}/weak-crypto.ts +7 -2
package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +23 -11
package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +1 -1
package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +47 -24
package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +2 -2
package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +1 -1
package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
package/src/{layer2 → detect/structural}/dangerous-functions/utils/control-flow.ts +2 -2
package/src/{layer2 → detect/structural}/data-exposure.ts +11 -3
package/src/{layer2 → detect/structural}/framework-checks.ts +10 -11
package/src/{layer2 → detect/structural}/index.ts +80 -77
package/src/detect/structural/log-injection.ts +254 -0
package/src/{layer2 → detect/structural}/logic-gates.ts +13 -5
package/src/{layer2 → detect/structural}/risky-imports.ts +7 -3
package/src/detect/structural/security-headers.ts +231 -0
package/src/detect/structural/ssrf-detection.ts +300 -0
package/src/{layer2 → detect/structural}/variables.ts +7 -3
package/src/detect/structural/xxe-detection.ts +295 -0
package/src/index.ts +39 -1291
package/src/{utils → model}/auth-helper-detector.ts +1 -1
package/src/model/cross-file-taint.ts +374 -0
package/src/model/framework-models/django.ts +82 -0
package/src/model/framework-models/express.ts +54 -0
package/src/model/framework-models/index.ts +116 -0
package/src/model/framework-models/nextjs.ts +69 -0
package/src/model/framework-models/prisma.ts +57 -0
package/src/model/framework-models/react.ts +63 -0
package/src/model/framework-models/sequelize.ts +63 -0
package/src/model/framework-models/types.ts +46 -0
package/src/model/function-classifier.ts +184 -0
package/src/model/import-resolver.ts +453 -0
package/src/{utils → model}/imported-auth-detector.ts +21 -85
package/src/model/index.ts +353 -0
package/src/{utils → model}/middleware-detector.ts +156 -17
package/src/model/module-graph.ts +254 -0
package/src/{utils → model}/oauth-flow-detector.ts +1 -1
package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
package/src/model/route-auth-resolver.ts +216 -0
package/src/model/route-discovery/express.ts +251 -0
package/src/model/route-discovery/index.ts +83 -0
package/src/model/route-discovery/nextjs.ts +216 -0
package/src/model/route-discovery/python.ts +214 -0
package/src/model/route-discovery/types.ts +48 -0
package/src/model/route-discovery/utils.ts +54 -0
package/src/model/sanitiser-detection.ts +268 -0
package/src/model/sink-matcher.ts +178 -0
package/src/model/sink-patterns.ts +109 -0
package/src/model/source-discovery.ts +209 -0
package/src/model/taint-tracker.ts +333 -0
package/src/model/taint-types.ts +149 -0
package/src/{utils → model}/trpc-analyzer.ts +1 -1
package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +54 -0
package/src/{utils → parse}/path-exclusions.ts +1 -1
package/src/pipeline/config.ts +81 -0
package/src/pipeline/index.ts +437 -0
package/src/{modes → pipeline/modes}/incremental.ts +5 -5
package/src/postprocess/aggregation.ts +74 -0
package/src/postprocess/contradictions.ts +128 -0
package/src/postprocess/dedup.ts +62 -0
package/src/{filtering → postprocess/filtering}/__tests__/pipeline.test.ts +1 -1
package/src/{filtering → postprocess/filtering}/context-adjustments.ts +2 -2
package/src/{filtering → postprocess/filtering}/pipeline.ts +2 -2
package/src/postprocess/index.ts +118 -0
package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
package/src/{suppression → postprocess/suppression}/types.ts +2 -2
package/src/postprocess/validation-cap.ts +66 -0
package/src/report/build-result.ts +94 -0
package/src/report/enrichment.ts +52 -0
package/src/{formatters → report/formatters}/ai-context.ts +1 -1
package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
package/src/{formatters → report/formatters}/github-comment.ts +1 -1
package/src/{formatters → report/formatters}/grouping.ts +8 -8
package/src/{formatters → report/formatters}/ide/claude-code.ts +1 -1
package/src/{formatters → report/formatters}/ide/cursor.ts +1 -1
package/src/{formatters → report/formatters}/ide/windsurf.ts +1 -1
package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
package/src/report/summary.ts +70 -0
package/src/score/adjustments.ts +387 -0
package/src/{layer3/anthropic → score}/auto-dismiss.ts +15 -14
package/src/score/confidence.ts +66 -0
package/src/score/index.ts +316 -0
package/src/score/types.ts +187 -0
package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
package/src/{baseline → shared/baseline}/diff.ts +1 -1
package/src/{baseline → shared/baseline}/manager.ts +1 -1
package/src/{category-filter.ts → shared/category-filter.ts} +1 -1
package/src/{utils → shared}/code-analysis.ts +1 -1
package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
package/src/{rules → shared/rules}/metadata.ts +94 -0
package/src/{types.ts → shared/types.ts} +22 -5
package/src/tiers.ts +18 -1
package/src/validate/__tests__/context-extractor.test.ts +191 -0
package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
package/src/validate/__tests__/request-builder.test.ts +347 -0
package/src/{layer3/anthropic → validate}/index.ts +8 -7
package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
package/src/validate/prompts/modules/ai-patterns.ts +153 -0
package/src/validate/prompts/modules/auth-access.ts +22 -0
package/src/validate/prompts/modules/common.ts +183 -0
package/src/validate/prompts/modules/index.ts +204 -0
package/src/validate/prompts/modules/owasp-classic.ts +81 -0
package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
package/src/validate/prompts/modules/xss-prompt.ts +19 -0
package/src/validate/prompts/validation.ts +20 -0
package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
package/src/validate/providers/index.ts +8 -0
package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
package/src/validate/request-builder.ts +448 -0
package/src/{layer3/anthropic → validate}/types.ts +1 -1
package/src/validate/utils/context-extractor.ts +220 -0
package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
package/src/layer3/anthropic/prompts/validation.ts +0 -419
package/src/layer3/anthropic/providers/index.ts +0 -8
package/src/layer3/anthropic/request-builder.ts +0 -150
package/src/layer3/index.ts +0 -168
/package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
/package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
/package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +0 -0
/package/src/{utils → model}/route-hierarchy.ts +0 -0
/package/src/{filtering → postprocess/filtering}/index.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
/package/src/{suppression → postprocess/suppression}/index.ts +0 -0
/package/src/{formatters → report/formatters}/__tests__/ai-context.test.ts +0 -0
/package/src/{formatters → report/formatters}/ide/__tests__/ide.test.ts +0 -0
/package/src/{formatters → report/formatters}/ide/index.ts +0 -0
/package/src/{formatters → report/formatters}/index.ts +0 -0
/package/src/{utils → shared}/__tests__/code-analysis.test.ts +0 -0
/package/src/{utils → shared}/__tests__/parsed-file.test.ts +0 -0
/package/src/{ai-context → shared/ai-context}/__tests__/manager.test.ts +0 -0
/package/src/{ai-context → shared/ai-context}/index.ts +0 -0
/package/src/{ai-context → shared/ai-context}/manager.ts +0 -0
/package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +0 -0
/package/src/{baseline → shared/baseline}/index.ts +0 -0
/package/src/{baseline → shared/baseline}/types.ts +0 -0
/package/src/{utils → shared}/comment-analyzer.ts +0 -0
/package/src/{utils → shared}/diff-detector.ts +0 -0
/package/src/{utils → shared}/diff-parser.ts +0 -0
/package/src/{utils → shared}/environment-context.ts +0 -0
/package/src/{utils → shared}/intent-detector.ts +0 -0
/package/src/{utils → shared}/parsed-file.ts +0 -0
/package/src/{utils → shared}/registry-clients.ts +0 -0
/package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
/package/src/{rules → shared/rules}/index.ts +0 -0
/package/src/{utils → shared}/schema-semantics.ts +0 -0
/package/src/{layer3/anthropic → validate}/clients.ts +0 -0
/package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
/package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
/package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0

package/src/__tests__/context-engine/route-discovery/nextjs.test.ts ADDED Viewed

@@ -0,0 +1,138 @@
+import { extractNextJSRoutes } from '../../../model/route-discovery/nextjs'
+import type { ScanFile } from '../../../shared/types'
+function makeFile(path: string, content: string): ScanFile {
+  return { path, content, language: 'typescript' }
+}
+describe('Next.js Route Extractor', () => {
+  it('extracts App Router GET export', () => {
+    const files = [
+      makeFile('src/app/api/users/route.ts', `
+export async function GET(request: Request) {
+  return Response.json({ users: [] })
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(1)
+    expect(routes[0].methods).toEqual(['GET'])
+    expect(routes[0].path).toBe('/api/users')
+    expect(routes[0].framework).toBe('nextjs_app')
+  })
+  it('extracts multiple HTTP method exports', () => {
+    const files = [
+      makeFile('src/app/api/items/route.ts', `
+export async function GET(request: Request) {
+  return Response.json([])
+}
+export async function POST(request: Request) {
+  const body = await request.json()
+  return Response.json({ created: true })
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(2)
+    expect(routes.map(r => r.methods[0]).sort()).toEqual(['GET', 'POST'])
+  })
+  it('handles dynamic segments [id] → :id', () => {
+    const files = [
+      makeFile('src/app/api/users/[id]/route.ts', `
+export async function GET(request: Request, { params }: { params: { id: string } }) {
+  return Response.json({ id: params.id })
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(1)
+    expect(routes[0].path).toBe('/api/users/:id')
+  })
+  it('handles catch-all [...slug]', () => {
+    const files = [
+      makeFile('src/app/api/docs/[...slug]/route.ts', `
+export async function GET() {
+  return Response.json({})
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(1)
+    expect(routes[0].path).toBe('/api/docs/:slug*')
+  })
+  it('strips route groups from path', () => {
+    const files = [
+      makeFile('src/app/(dashboard)/api/settings/route.ts', `
+export async function GET() {
+  return Response.json({})
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(1)
+    expect(routes[0].path).toBe('/api/settings')
+  })
+  it('detects protected route groups', () => {
+    const files = [
+      makeFile('src/app/(authenticated)/api/profile/route.ts', `
+export async function GET() {
+  return Response.json({})
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(1)
+    // Route hierarchy should detect (authenticated) group
+    expect(routes[0].authMiddleware.length).toBeGreaterThan(0)
+  })
+  it('extracts Pages Router default export', () => {
+    const files = [
+      makeFile('src/pages/api/search.ts', `
+export default function handler(req, res) {
+  if (req.method === 'GET') {
+    const q = req.query.q
+    res.json({ results: [] })
+  }
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(1)
+    expect(routes[0].framework).toBe('nextjs_pages')
+    expect(routes[0].path).toBe('/api/search')
+    expect(routes[0].methods).toEqual(['GET'])
+  })
+  it('detects input sources in App Router', () => {
+    const files = [
+      makeFile('src/app/api/items/route.ts', `
+export async function POST(request: Request) {
+  const body = await request.json()
+  const url = new URL(request.url)
+  const page = url.searchParams.get('page')
+  return Response.json({ ok: true })
+}
+`),
+    ]
+    const routes = extractNextJSRoutes(files, 'nextjs')
+    expect(routes).toHaveLength(1)
+    const sources = routes[0].inputs.map(i => i.source)
+    expect(sources).toContain('body')
+    expect(sources).toContain('query')
+  })
+  it('skips non-nextjs frameworks', () => {
+    const files = [
+      makeFile('src/app/api/test/route.ts', `export function GET() {}`),
+    ]
+    const routes = extractNextJSRoutes(files, 'express')
+    expect(routes).toHaveLength(0)
+  })
+})

package/src/__tests__/context-engine/route-discovery/python.test.ts ADDED Viewed

@@ -0,0 +1,95 @@
+import { extractPythonRoutes } from '../../../model/route-discovery/python'
+describe('Python Route Extractor', () => {
+  describe('Flask routes', () => {
+    it('extracts @app.route with default GET', () => {
+      const content = `
+from flask import Flask
+app = Flask(__name__)
+@app.route('/api/users')
+def get_users():
+    return jsonify(users)
+`
+      const routes = extractPythonRoutes(content, 'app.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].methods).toEqual(['GET'])
+      expect(routes[0].path).toBe('/api/users')
+      expect(routes[0].framework).toBe('flask')
+      expect(routes[0].handler).toBe('get_users')
+    })
+    it('extracts @app.route with explicit methods', () => {
+      const content = `
+@app.route('/api/items', methods=['GET', 'POST'])
+def items():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].methods).toEqual(['GET', 'POST'])
+    })
+    it('detects @login_required decorator', () => {
+      const content = `
+@app.route('/api/profile')
+@login_required
+def profile():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware).toContain('@login_required')
+    })
+    it('converts Flask path params to :param format', () => {
+      const content = `
+@app.route('/api/users/<int:user_id>')
+def get_user(user_id):
+    pass
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].path).toBe('/api/users/:user_id')
+    })
+    it('detects Flask input sources', () => {
+      const content = `
+@app.route('/api/search', methods=['POST'])
+def search():
+    data = request.json
+    q = request.args.get('q')
+    return jsonify(results=[])
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      const sources = routes[0].inputs.map(i => i.source)
+      expect(sources).toContain('body')
+      expect(sources).toContain('query')
+    })
+  })
+  describe('Django routes', () => {
+    it('extracts Django path() in urlpatterns', () => {
+      const content = `
+from django.urls import path
+from . import views
+urlpatterns = [
+    path('api/search/', views.search_view, name='search'),
+    path('api/users/<int:pk>/', views.UserDetailView.as_view(), name='user-detail'),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(2)
+      expect(routes[0].path).toBe('/api/search/')
+      expect(routes[0].framework).toBe('django')
+      expect(routes[1].path).toBe('/api/users/:pk/')
+    })
+  })
+  it('skips non-Python files', () => {
+    const routes = extractPythonRoutes('app.get("/test", handler)', 'server.js')
+    expect(routes).toHaveLength(0)
+  })
+})

package/src/__tests__/context-engine/sanitiser-detection.test.ts ADDED Viewed

@@ -0,0 +1,187 @@
+/**
+ * Tests for sanitiser detection — identifying sanitisation functions in code.
+ */
+import { detectSanitisers, isSanitiserCall } from '../../model/sanitiser-detection'
+describe('detectSanitisers', () => {
+  describe('DOMPurify', () => {
+    it('detects DOMPurify.sanitize when imported', () => {
+      const code = `
+import DOMPurify from 'dompurify'
+const clean = DOMPurify.sanitize(dirty)
+`
+      const sanitisers = detectSanitisers(code, 'src/utils.ts')
+      expect(sanitisers.some(s => s.name === 'DOMPurify.sanitize')).toBe(true)
+      expect(sanitisers.find(s => s.name === 'DOMPurify.sanitize')?.sanitises).toBe('html')
+      expect(sanitisers.find(s => s.name === 'DOMPurify.sanitize')?.detection).toBe('known_library')
+    })
+    it('does not detect DOMPurify.sanitize without import', () => {
+      const code = `const clean = DOMPurify.sanitize(dirty)`
+      const sanitisers = detectSanitisers(code, 'src/utils.ts')
+      expect(sanitisers.some(s => s.name === 'DOMPurify.sanitize' && s.detection === 'known_library')).toBe(false)
+    })
+  })
+  describe('validator.js', () => {
+    it('detects validator.escape when imported', () => {
+      const code = `
+import validator from 'validator'
+const safe = validator.escape(input)
+`
+      const sanitisers = detectSanitisers(code, 'src/utils.ts')
+      expect(sanitisers.some(s => s.name === 'validator.escape')).toBe(true)
+    })
+  })
+  describe('Zod/Joi/Yup', () => {
+    it('detects zod .parse() when imported', () => {
+      const code = `
+import { z } from 'zod'
+const schema = z.object({ name: z.string() })
+const data = schema.parse(input)
+`
+      const sanitisers = detectSanitisers(code, 'src/validation.ts')
+      expect(sanitisers.some(s => s.name === 'zod.parse' && s.sanitises === 'all')).toBe(true)
+    })
+    it('detects joi .validate() when imported', () => {
+      const code = `
+import joi from 'joi'
+const result = schema.validate(input)
+`
+      const sanitisers = detectSanitisers(code, 'src/validation.ts')
+      expect(sanitisers.some(s => s.name === 'joi.validate')).toBe(true)
+    })
+    it('detects yup .validate() when imported', () => {
+      const code = `
+import * as yup from 'yup'
+const result = await schema.validate(input)
+`
+      const sanitisers = detectSanitisers(code, 'src/validation.ts')
+      expect(sanitisers.some(s => s.name === 'yup.validate')).toBe(true)
+    })
+  })
+  describe('Type coercion (universal)', () => {
+    it('detects Number()', () => {
+      const code = `const id = Number(input)`
+      const sanitisers = detectSanitisers(code, 'src/api.ts')
+      expect(sanitisers.some(s => s.name === 'Number' && s.sanitises === 'all')).toBe(true)
+    })
+    it('detects parseInt()', () => {
+      const code = `const id = parseInt(input, 10)`
+      const sanitisers = detectSanitisers(code, 'src/api.ts')
+      expect(sanitisers.some(s => s.name === 'parseInt')).toBe(true)
+    })
+    it('detects parseFloat()', () => {
+      const code = `const price = parseFloat(input)`
+      const sanitisers = detectSanitisers(code, 'src/api.ts')
+      expect(sanitisers.some(s => s.name === 'parseFloat')).toBe(true)
+    })
+    it('detects Boolean()', () => {
+      const code = `const flag = Boolean(input)`
+      const sanitisers = detectSanitisers(code, 'src/api.ts')
+      expect(sanitisers.some(s => s.name === 'Boolean')).toBe(true)
+    })
+  })
+  describe('Parameterised queries', () => {
+    it('detects ? placeholder parameterised queries', () => {
+      const code = `db.query('SELECT * FROM users WHERE id = ?', [userId])`
+      const sanitisers = detectSanitisers(code, 'src/db.ts')
+      expect(sanitisers.some(s => s.name === 'parameterised_query' && s.sanitises === 'sql')).toBe(true)
+    })
+    it('detects $1 placeholder parameterised queries', () => {
+      const code = `db.query('SELECT * FROM users WHERE id = $1', [userId])`
+      const sanitisers = detectSanitisers(code, 'src/db.ts')
+      expect(sanitisers.some(s => s.name === 'parameterised_query')).toBe(true)
+    })
+    it('detects Sequelize replacements', () => {
+      const code = `sequelize.query('SELECT * FROM users', { replacements: { id } })`
+      const sanitisers = detectSanitisers(code, 'src/db.ts')
+      expect(sanitisers.some(s => s.name === 'parameterised_query')).toBe(true)
+    })
+  })
+  describe('Path sanitisers', () => {
+    it('detects path.normalize()', () => {
+      const code = `const safe = path.normalize(input)`
+      const sanitisers = detectSanitisers(code, 'src/fs.ts')
+      expect(sanitisers.some(s => s.name === 'path.normalize' && s.sanitises === 'path')).toBe(true)
+    })
+  })
+  describe('Python sanitisers', () => {
+    it('detects shlex.quote()', () => {
+      const code = `safe = shlex.quote(user_input)`
+      const sanitisers = detectSanitisers(code, 'app/utils.py')
+      expect(sanitisers.some(s => s.name === 'shlex.quote' && s.sanitises === 'command')).toBe(true)
+    })
+    it('detects html.escape()', () => {
+      const code = `safe = html.escape(user_input)`
+      const sanitisers = detectSanitisers(code, 'app/utils.py')
+      expect(sanitisers.some(s => s.name === 'html.escape' && s.sanitises === 'html')).toBe(true)
+    })
+  })
+  describe('Name heuristic', () => {
+    it('detects functions with "sanitize" in name', () => {
+      const code = `const safe = sanitizeInput(dirty)`
+      const sanitisers = detectSanitisers(code, 'src/utils.ts')
+      expect(sanitisers.some(s => s.detection === 'name_heuristic')).toBe(true)
+    })
+  })
+  describe('Edge cases', () => {
+    it('skips comments', () => {
+      const code = `// DOMPurify.sanitize(dirty)`
+      const sanitisers = detectSanitisers(code, 'src/utils.ts')
+      expect(sanitisers).toHaveLength(0)
+    })
+    it('deduplicates sanitisers on same line', () => {
+      const code = `const id = Number(parseInt(input))`
+      const sanitisers = detectSanitisers(code, 'src/api.ts')
+      const lineOnes = sanitisers.filter(s => s.line === 1)
+      const uniqueNames = new Set(lineOnes.map(s => s.name))
+      expect(uniqueNames.size).toBe(lineOnes.length)
+    })
+  })
+})
+describe('isSanitiserCall', () => {
+  it('detects Number() as sanitiser', () => {
+    const result = isSanitiserCall('const id = Number(input)', [])
+    expect(result.sanitised).toBe(true)
+    expect(result.method).toBe('Number')
+    expect(result.target).toBe('all')
+  })
+  it('detects parseInt() as sanitiser', () => {
+    const result = isSanitiserCall('const id = parseInt(input, 10)', [])
+    expect(result.sanitised).toBe(true)
+  })
+  it('returns false for non-sanitiser calls', () => {
+    const result = isSanitiserCall('const data = someFunction(input)', [])
+    expect(result.sanitised).toBe(false)
+  })
+  it('detects file-level sanitisers', () => {
+    const fileSanitisers = [
+      { name: 'DOMPurify.sanitize', line: 5, sanitises: 'html' as const, detection: 'known_library' as const, library: 'dompurify' }
+    ]
+    const result = isSanitiserCall('const safe = DOMPurify.sanitize(dirty)', fileSanitisers)
+    expect(result.sanitised).toBe(true)
+    expect(result.target).toBe('html')
+  })
+})

package/src/__tests__/context-engine/sink-matcher.test.ts ADDED Viewed

@@ -0,0 +1,251 @@
+/**
+ * Tests for sink matching — matching tainted variables to dangerous sinks.
+ */
+import { matchSinks } from '../../model/sink-matcher'
+import type { TaintedVariable, UserInputSource, SanitiserInfo } from '../../model/taint-types'
+function makeSource(overrides: Partial<UserInputSource> = {}): UserInputSource {
+  return {
+    line: 1,
+    expression: 'req.body',
+    variable: 'userInput',
+    sourceType: 'http_body',
+    confidence: 'high',
+    ...overrides,
+  }
+}
+function makeTaintedVar(name: string, overrides: Partial<TaintedVariable> = {}): TaintedVariable {
+  return {
+    name,
+    taintedAt: 2,
+    source: makeSource(),
+    propagation: 'direct_assignment',
+    sanitised: false,
+    scopeDepth: 0,
+    ...overrides,
+  }
+}
+describe('matchSinks', () => {
+  describe('SQL injection', () => {
+    it('matches tainted variable in .query() call', () => {
+      const code = `
+const userInput = req.body
+db.query("SELECT * FROM users WHERE id = " + userInput)
+`
+      const taintedVars = [makeTaintedVar('userInput')]
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('sql_query')
+      expect(paths[0].sanitised).toBe(false)
+      expect(paths[0].confidence).toBe('high')
+    })
+    it('marks parameterised queries as sanitised', () => {
+      const code = `
+const userId = req.query
+db.query('SELECT * FROM users WHERE id = ?', [userId])
+`
+      const taintedVars = [makeTaintedVar('userId')]
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sanitised).toBe(true)
+    })
+  })
+  describe('XSS', () => {
+    it('matches tainted variable in innerHTML assignment', () => {
+      const code = `
+const userInput = req.body
+el.innerHTML = userInput
+`
+      const taintedVars = [makeTaintedVar('userInput')]
+      const paths = matchSinks(code, 'src/render.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('inner_html')
+    })
+    it('matches dangerouslySetInnerHTML', () => {
+      const code = `
+const userInput = req.body
+return <div dangerouslySetInnerHTML={{ __html: userInput }} />
+`
+      const taintedVars = [makeTaintedVar('userInput')]
+      const paths = matchSinks(code, 'src/component.tsx', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('inner_html')
+    })
+  })
+  describe('Command injection', () => {
+    it('matches tainted variable in exec() call', () => {
+      const code = `
+const cmd = req.body
+exec(cmd)
+`
+      const taintedVars = [makeTaintedVar('cmd')]
+      const paths = matchSinks(code, 'src/utils.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('exec')
+    })
+    it('matches Python subprocess.run()', () => {
+      const code = `
+cmd = request.args
+subprocess.run(cmd, shell=True)
+`
+      const taintedVars = [makeTaintedVar('cmd')]
+      const paths = matchSinks(code, 'app/utils.py', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('command_exec')
+    })
+  })
+  describe('SSRF', () => {
+    it('matches tainted variable in fetch() call', () => {
+      const code = `
+const url = req.body
+fetch(url)
+`
+      const taintedVars = [makeTaintedVar('url')]
+      const paths = matchSinks(code, 'src/api.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('http_request')
+    })
+    it('matches tainted variable in axios call', () => {
+      const code = `
+const url = req.body
+axios.get(url)
+`
+      const taintedVars = [makeTaintedVar('url')]
+      const paths = matchSinks(code, 'src/api.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('http_request')
+    })
+  })
+  describe('Code execution', () => {
+    it('matches tainted variable in eval()', () => {
+      const code = `
+const code = req.body
+eval(code)
+`
+      const taintedVars = [makeTaintedVar('code')]
+      const paths = matchSinks(code, 'src/api.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('eval')
+    })
+  })
+  describe('File system', () => {
+    it('matches tainted variable in fs.readFile', () => {
+      const code = `
+const filePath = req.body
+fs.readFile(filePath)
+`
+      const taintedVars = [makeTaintedVar('filePath')]
+      const paths = matchSinks(code, 'src/fs.ts', taintedVars, [])
+      expect(paths.some(p => p.sink.sinkType === 'path_access')).toBe(true)
+    })
+  })
+  describe('Redirect', () => {
+    it('matches tainted variable in res.redirect()', () => {
+      const code = `
+const target = req.body
+res.redirect(target)
+`
+      const taintedVars = [makeTaintedVar('target')]
+      const paths = matchSinks(code, 'src/routes.ts', taintedVars, [])
+      expect(paths).toHaveLength(1)
+      expect(paths[0].sink.sinkType).toBe('redirect')
+    })
+  })
+  describe('Sanitised paths', () => {
+    it('marks path as sanitised when sanitiser wraps sink', () => {
+      const code = `
+const userInput = req.body
+const id = Number(userInput)
+db.query("SELECT * FROM users WHERE id = " + id)
+`
+      // id is sanitised (Number)
+      const taintedVars = [
+        makeTaintedVar('userInput'),
+        makeTaintedVar('id', { sanitised: true, sanitisedAt: 3, sanitisationMethod: 'Number' }),
+      ]
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      // Only unsanitised vars should match sinks
+      // 'id' is sanitised so it shouldn't be in activeTaintedVars
+      // 'userInput' doesn't appear on the query line, only 'id' does
+      expect(paths).toHaveLength(0)
+    })
+  })
+  describe('Static data (no match)', () => {
+    it('does not create path when no tainted variable reaches sink', () => {
+      const code = `
+const hardcodedId = "12345"
+db.query("SELECT * FROM users WHERE id = " + hardcodedId)
+`
+      const taintedVars: TaintedVariable[] = []
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      expect(paths).toHaveLength(0)
+    })
+  })
+  describe('Confidence computation', () => {
+    it('assigns high confidence for short chain with high-confidence source', () => {
+      const code = `
+const userInput = req.body
+db.query(userInput)
+`
+      const taintedVars = [makeTaintedVar('userInput')]
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      expect(paths[0].confidence).toBe('high')
+    })
+    it('assigns medium confidence for medium-confidence source', () => {
+      const code = `
+const userInput = searchParams
+db.query(userInput)
+`
+      const taintedVars = [makeTaintedVar('userInput', {
+        source: makeSource({ confidence: 'medium' }),
+      })]
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      expect(paths[0].confidence).toBe('medium')
+    })
+    it('assigns low confidence for low-confidence source', () => {
+      const code = `
+const args = process.argv
+db.query(args)
+`
+      const taintedVars = [makeTaintedVar('args', {
+        source: makeSource({ confidence: 'low' }),
+      })]
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      expect(paths[0].confidence).toBe('low')
+    })
+  })
+  describe('Deduplication', () => {
+    it('deduplicates paths with same source, sink type, and line', () => {
+      const code = `
+const userInput = req.body
+db.query(userInput)
+`
+      // Two tainted vars pointing to the same source
+      const taintedVars = [
+        makeTaintedVar('userInput'),
+      ]
+      const paths = matchSinks(code, 'src/db.ts', taintedVars, [])
+      // Should only produce one path
+      expect(paths).toHaveLength(1)
+    })
+  })
+})