@oculum/scanner 1.0.13 → 1.0.15

package/dist/detect/ai-code/prompt-hygiene.js

@@ -1,1177 +0,0 @@
-"use strict";
-/**
- * Layer 2: AI Prompt Hygiene Detection
- * Detects prompt injection vulnerabilities and secrets in LLM prompts
- *
- * Covers:
- * - B1: Prompt & template hygiene (LLM01)
- * - B3: Secrets & sensitive data in prompts (LLM06)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectAIPromptHygiene = detectAIPromptHygiene;
-exports.isLLMContextFile = isLLMContextFile;
-const file_classifier_1 = require("../../parse/file-classifier");
-const BASE_CONFIDENCE = 0.40;
-/**
- * Check if a file is in an LLM/AI context based on path and content
- */
-function isLLMContextFile(filePath, content) {
-    // File path indicators of AI/LLM code
-    const llmPathPatterns = [
-        /\/(ai|llm|chat|openai|anthropic|gpt|claude)\//i,
-        /\/(assistants?|agents?|prompts?)\//i,
-        /(chat|ai|llm|prompt|assistant|agent).*\.(ts|js|tsx|jsx|py)$/i,
-    ];
-    if (llmPathPatterns.some(p => p.test(filePath))) {
-        return true;
-    }
-    // Content patterns suggesting LLM API usage
-    const llmContentPatterns = [
-        /\.create\s*\(\s*\{[^}]*messages\s*:/i, // OpenAI/Anthropic SDK
-        /from\s+['"](@anthropic-ai|openai|langchain|llama[-_]?index)/i, // Imports
-        /\bsystem\s*:\s*['"`]/i, // System message definition
-        /role:\s*['"`](user|assistant|system)['"`]/i, // Message roles
-        /\b(systemPrompt|userPrompt|assistantPrompt)\b/i, // Prompt variables
-        /messages\s*:\s*\[/i, // Messages array
-        /\.chat\.completions?\.create/i, // OpenAI chat completion
-        /\.messages\.create/i, // Anthropic messages
-        /ChatCompletion|MessageCreate/i, // SDK types
-    ];
-    return llmContentPatterns.some(p => p.test(content));
-}
-/**
- * Check if user input delimiter/fence patterns are present
- */
-function hasPromptDelimiters(lineContent, contextLines) {
-    const context = [lineContent, ...contextLines].join('\n');
-    const delimiterPatterns = [
-        /```/, // Triple backticks
-        /<user>|<\/user>/i, // XML-style user tags
-        /<human>|<\/human>/i, // Human tags
-        /---+/, // Horizontal rules
-        /\[USER\]|\[\/USER\]/i, // Bracket tags
-        /\{\{user\}\}/i, // Template variable
-        /###\s*User|###\s*Input/i, // Markdown headers
-        /INPUT:|OUTPUT:/i, // Section markers
-    ];
-    return delimiterPatterns.some(p => p.test(context));
-}
-/**
- * Check if content looks like proper parameterization rather than concatenation
- */
-function isProperlyParameterized(lineContent) {
-    const safePatterns = [
-        /\{\{.*\}\}/, // Handlebars/mustache templates
-        /\{[a-zA-Z_]+\}/, // Python format strings (positional)
-        /\$\{.*\}.*sanitize|escape/i, // Template with sanitization
-        /placeholder|PLACEHOLDER/, // Explicit placeholders
-    ];
-    return safePatterns.some(p => p.test(lineContent));
-}
-/**
- * B1: Unsafe prompt interpolation patterns
- */
-const UNSAFE_INTERPOLATION_PATTERNS = [
-    // Template literals with user input in system prompts
-    {
-        name: 'User input in system prompt',
-        pattern: /system\s*[=:]\s*`[^`]*\$\{.*(?:user|input|req|request|body|query|params|data).*\}[^`]*`/gi,
-        severity: 'high',
-        description: 'User input is directly interpolated into a system prompt. This creates a prompt injection vulnerability where attackers can manipulate the AI\'s behavior.',
-        suggestedFix: 'Use clear delimiters (```, <user>, ---) between system instructions and user content. Consider using structured input rather than string interpolation.',
-        checkDelimiters: true,
-    },
-    // String concatenation in prompt building
-    {
-        name: 'Prompt string concatenation with user input',
-        pattern: /(?:system|prompt|instruction)\s*[=+]\s*.*\+\s*(?:user|input|req|request|body|query|params)(?:\.|Input|\[)/gi,
-        severity: 'high',
-        description: 'User input is concatenated into prompt strings. Attackers can inject malicious instructions.',
-        suggestedFix: 'Use delimiters to clearly separate system instructions from user content. Example: ```user input here```',
-        checkDelimiters: true,
-    },
-    // Messages array with dynamic user content in system role
-    {
-        name: 'Dynamic content in system message',
-        pattern: /role:\s*['"`]system['"`]\s*,\s*content:\s*`[^`]*\$\{/gi,
-        severity: 'medium',
-        description: 'System message content includes dynamic values. If user-controlled, this enables prompt injection.',
-        suggestedFix: 'Keep system messages static. Place user input in messages with role: "user" instead.',
-        checkDelimiters: true,
-    },
-    // f-strings in Python with user input
-    {
-        name: 'Python f-string prompt with user input',
-        pattern: /f['"][^'"]*\{.*(?:user|input|request|body).*\}[^'"]*['"]/gi,
-        severity: 'high',
-        description: 'User input in Python f-string prompt creates prompt injection risk.',
-        suggestedFix: 'Use explicit delimiters: f"System instructions...\n---\n{user_input}\n---"',
-        checkDelimiters: true,
-    },
-];
-// ============================================================================
-// Secret Patterns - Comprehensive provider-specific detection
-// ============================================================================
-/**
- * Provider-specific secret patterns with known prefixes
- * These are high-confidence patterns that don't need context matching
- */
-const KNOWN_SECRET_PREFIXES = [
-    // OpenAI
-    { name: 'OpenAI API Key', pattern: /sk-[a-zA-Z0-9]{20,}/g, severity: 'critical' },
-    { name: 'OpenAI Project Key', pattern: /sk-proj-[a-zA-Z0-9]{48,}/g, severity: 'critical' },
-    // Anthropic
-    { name: 'Anthropic API Key', pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g, severity: 'critical' },
-    { name: 'Anthropic Full Key', pattern: /sk-ant-api03-[a-zA-Z0-9_-]{90,}/g, severity: 'critical' },
-    // GitHub
-    { name: 'GitHub PAT', pattern: /ghp_[a-zA-Z0-9]{36,}/g, severity: 'critical' },
-    { name: 'GitHub OAuth', pattern: /gho_[a-zA-Z0-9]{36,}/g, severity: 'critical' },
-    { name: 'GitHub App Token', pattern: /ghu_[a-zA-Z0-9]{36,}/g, severity: 'critical' },
-    { name: 'GitHub Refresh Token', pattern: /ghr_[a-zA-Z0-9]{36,}/g, severity: 'critical' },
-    { name: 'GitHub Fine-grained PAT', pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/g, severity: 'critical' },
-    // Stripe
-    { name: 'Stripe Live Secret', pattern: /sk_live_[a-zA-Z0-9]{24,}/g, severity: 'critical' },
-    { name: 'Stripe Test Secret', pattern: /sk_test_[a-zA-Z0-9]{24,}/g, severity: 'medium' },
-    { name: 'Stripe Restricted Key', pattern: /rk_live_[a-zA-Z0-9]{24,}/g, severity: 'critical' },
-    // AWS
-    { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/g, severity: 'critical' },
-    { name: 'AWS Session Token', pattern: /ASIA[0-9A-Z]{16}/g, severity: 'critical' },
-    // Google
-    { name: 'Google API Key', pattern: /AIza[0-9A-Za-z-_]{35}/g, severity: 'high' },
-    // Slack
-    { name: 'Slack Bot Token', pattern: /xoxb-[0-9a-zA-Z-]{50,}/g, severity: 'critical' },
-    { name: 'Slack User Token', pattern: /xoxp-[0-9a-zA-Z-]{50,}/g, severity: 'critical' },
-    { name: 'Slack App Token', pattern: /xoxa-[0-9a-zA-Z-]{50,}/g, severity: 'critical' },
-    { name: 'Slack Legacy Token', pattern: /xox[baprs]-[0-9a-zA-Z]{10,}/g, severity: 'critical' },
-    // Twilio
-    { name: 'Twilio API Key', pattern: /SK[a-f0-9]{32}/g, severity: 'critical' },
-    { name: 'Twilio Account SID', pattern: /AC[a-f0-9]{32}/g, severity: 'high' },
-    // SendGrid
-    { name: 'SendGrid API Key', pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g, severity: 'critical' },
-    // Mailgun
-    { name: 'Mailgun API Key', pattern: /key-[a-zA-Z0-9]{32}/g, severity: 'critical' },
-    // NPM/PyPI
-    { name: 'NPM Token', pattern: /npm_[a-zA-Z0-9]{36}/g, severity: 'critical' },
-    { name: 'PyPI Token', pattern: /pypi-[a-zA-Z0-9]{32,}/g, severity: 'critical' },
-    // Vercel/Netlify
-    { name: 'Vercel Token', pattern: /vercel_[a-zA-Z0-9]{24,}/g, severity: 'critical' },
-    { name: 'Netlify Token', pattern: /nfp_[a-zA-Z0-9]{40,}/g, severity: 'critical' },
-    // Square
-    { name: 'Square Access Token', pattern: /sq0csp-[a-zA-Z0-9-_]{43}/g, severity: 'critical' },
-    { name: 'Square OAuth Secret', pattern: /sq0csp-[a-zA-Z0-9-_]{40,}/g, severity: 'critical' },
-    // Shopify
-    { name: 'Shopify Access Token', pattern: /shpat_[a-fA-F0-9]{32}/g, severity: 'critical' },
-    { name: 'Shopify Private App', pattern: /shppa_[a-fA-F0-9]{32}/g, severity: 'critical' },
-    // Datadog
-    { name: 'Datadog API Key', pattern: /dd[a-z]{1}[a-f0-9]{39}/g, severity: 'critical' },
-    // HuggingFace
-    { name: 'HuggingFace Token', pattern: /hf_[a-zA-Z0-9]{34,}/g, severity: 'critical' },
-    // Replicate
-    { name: 'Replicate API Token', pattern: /r8_[a-zA-Z0-9]{37}/g, severity: 'critical' },
-    // OpenRouter
-    { name: 'OpenRouter Key', pattern: /sk-or-v1-[a-zA-Z0-9]{64}/g, severity: 'critical' },
-    // Cohere
-    { name: 'Cohere API Key', pattern: /[a-zA-Z0-9]{40}(?=.*cohere)/gi, severity: 'high' },
-    // Private Keys
-    { name: 'Private Key', pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g, severity: 'critical' },
-    // JWT Tokens (full format)
-    { name: 'JWT Token', pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g, severity: 'high' },
-    // Database URLs with credentials
-    { name: 'Database URL', pattern: /(mongodb|postgres|mysql|redis|amqp)(\+srv)?:\/\/[^:]+:[^@\s]+@[^\s"']+/gi, severity: 'critical' },
-    // Webhook URLs (often contain secrets)
-    { name: 'Slack Webhook', pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/g, severity: 'high' },
-    { name: 'Discord Webhook', pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/g, severity: 'high' },
-];
-/**
- * B3: Secrets in prompt context patterns (original context-aware patterns)
- * Note: Using [^\n;]* instead of [^;]* to prevent matching across lines
- */
-const SECRETS_IN_PROMPTS_PATTERNS = [
-    // API keys in message content (same line only)
-    {
-        name: 'API key in prompt content',
-        pattern: /(?:messages|prompt|system|content)\s*[=:][^\n;]*(?:sk-[a-zA-Z0-9]{20,}|api[_-]?key\s*[:=]\s*['"][^'"]{16,}['"])/gi,
-        severity: 'critical',
-        description: 'API key appears to be hardcoded in prompt content. Keys in prompts may be logged, cached, or sent to model providers.',
-        suggestedFix: 'Never include API keys in prompts. Use environment variables and keep them server-side only.',
-    },
-    // AWS keys in prompts
-    {
-        name: 'AWS credentials in prompt',
-        pattern: /(?:messages|prompt|system|content)\s*[=:][^\n;]*(?:AKIA[A-Z0-9]{16}|aws[_-]?(?:secret|access)[_-]?key)/gi,
-        severity: 'critical',
-        description: 'AWS credentials detected in prompt content.',
-        suggestedFix: 'Remove credentials from prompts. Use IAM roles or environment variables instead.',
-    },
-    // Database URLs with credentials
-    {
-        name: 'Database credentials in prompt',
-        pattern: /(?:messages|prompt|system|content)[^\n]*(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@/gi,
-        severity: 'critical',
-        description: 'Database connection string with credentials in prompt. This exposes database access.',
-        suggestedFix: 'Never include connection strings in prompts. Reference data by ID instead.',
-    },
-    // Passwords in prompt context
-    {
-        name: 'Password in prompt content',
-        pattern: /(?:messages|prompt|content)\s*[=:][^\n]*(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`]{8,}/gi,
-        severity: 'high',
-        description: 'Password appears in prompt content. This may be logged or exposed to model providers.',
-        suggestedFix: 'Remove passwords from prompts. Use authentication tokens or session references instead.',
-    },
-    // Private keys
-    {
-        name: 'Private key in prompt',
-        pattern: /(?:messages|prompt|content)[^\n]*(?:-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----)/gi,
-        severity: 'critical',
-        description: 'Private key material detected in prompt context.',
-        suggestedFix: 'Never include private keys in prompts. Sign data server-side instead.',
-    },
-    // Generic token patterns
-    {
-        name: 'Access token in prompt',
-        pattern: /(?:messages|prompt|content)\s*[=:][^\n]*(?:access[_-]?token|auth[_-]?token|bearer)\s*[:=]\s*['"`][a-zA-Z0-9_.-]{20,}/gi,
-        severity: 'high',
-        description: 'Access token detected in prompt content. Tokens in prompts risk exposure.',
-        suggestedFix: 'Do not include tokens in prompts. Pass token context through secure server-side channels.',
-    },
-];
-// ============================================================================
-// Variable Flow Detection - Secrets flowing into prompts
-// ============================================================================
-/**
- * Patterns for detecting secret variable declarations
- */
-const SECRET_VARIABLE_PATTERNS = [
-    // Direct assignment patterns
-    /(?:const|let|var)\s+(\w*(?:key|token|secret|password|credential|apiKey|authToken|accessToken)\w*)\s*=\s*['"`]([^'"`]{16,})['"`]/gi,
-    // Object property patterns
-    /(\w*(?:key|token|secret|password|credential|apiKey|authToken|accessToken)\w*)\s*:\s*['"`]([^'"`]{16,})['"`]/gi,
-];
-/**
- * Patterns for detecting prompt variable usage
- */
-const PROMPT_USAGE_PATTERNS = [
-    // Template literal interpolation
-    /`[^`]*\$\{(\w+)\}[^`]*`/g,
-    // String concatenation
-    /\+\s*(\w+)\s*(?:\+|$)/g,
-    // f-string interpolation (Python)
-    /f['"][^'"]*\{(\w+)\}[^'"]*['"]/g,
-    // Format string
-    /\.format\s*\([^)]*(\w+)[^)]*\)/g,
-];
-/**
- * Check if a variable name suggests it contains a secret
- */
-function isSecretVariableName(varName) {
-    const secretIndicators = [
-        /api[_-]?key/i,
-        /secret[_-]?key/i,
-        /access[_-]?token/i,
-        /auth[_-]?token/i,
-        /password/i,
-        /credential/i,
-        /private[_-]?key/i,
-        /bearer/i,
-        /jwt/i,
-        /oauth/i,
-        /^sk_/i,
-        /^pk_/i,
-        /token$/i,
-        /key$/i,
-        /secret$/i,
-    ];
-    return secretIndicators.some(p => p.test(varName));
-}
-/**
- * Detect secrets flowing from variables into prompts (variable indirection)
- */
-function detectSecretVariableFlow(content, filePath, isTestFile, lines) {
-    const vulnerabilities = [];
-    const _lines = lines ?? content.split('\n');
-    // First pass: collect all secret variable declarations
-    const secretVariables = new Map();
-    for (let i = 0; i < _lines.length; i++) {
-        const line = _lines[i];
-        if ((0, file_classifier_1.isComment)(line))
-            continue;
-        for (const pattern of SECRET_VARIABLE_PATTERNS) {
-            const regex = new RegExp(pattern.source, pattern.flags);
-            let match;
-            while ((match = regex.exec(line)) !== null) {
-                const varName = match[1];
-                const value = match[2];
-                // Check if variable name suggests it's a secret
-                if (isSecretVariableName(varName)) {
-                    secretVariables.set(varName, { line: i + 1, value });
-                }
-            }
-        }
-    }
-    // Second pass: find where these variables flow into prompts
-    const promptContextPatterns = [
-        /(?:system|prompt|message|content)\s*[:=]/i,
-        /role:\s*['"`](?:system|user|assistant)['"`]/i,
-        /\.chat\.completions?\.create/i,
-        /\.messages\.create/i,
-        /messages\s*:\s*\[/i,
-    ];
-    for (let i = 0; i < _lines.length; i++) {
-        const line = _lines[i];
-        if ((0, file_classifier_1.isComment)(line))
-            continue;
-        // Check if this line or nearby lines are in prompt context
-        const contextWindow = _lines.slice(Math.max(0, i - 5), Math.min(_lines.length, i + 5)).join('\n');
-        const isPromptContext = promptContextPatterns.some(p => p.test(contextWindow));
-        if (!isPromptContext)
-            continue;
-        // Check for template interpolation of secret variables
-        const templateMatch = line.match(/\$\{(\w+)\}/);
-        if (templateMatch) {
-            const varName = templateMatch[1];
-            if (secretVariables.has(varName)) {
-                const secretInfo = secretVariables.get(varName);
-                let severity = 'high';
-                let description = `Secret variable '${varName}' (defined at line ${secretInfo.line}) is interpolated into LLM prompt. This exposes the secret to the model provider.`;
-                if (isTestFile) {
-                    severity = 'low';
-                    description += ' (in test file)';
-                }
-                vulnerabilities.push({
-                    id: `secret-flow-${filePath}-${i + 1}-${varName}`,
-                    filePath,
-                    lineNumber: i + 1,
-                    lineContent: line.trim(),
-                    severity,
-                    category: 'hardcoded_secret',
-                    title: `Secret variable '${varName}' in prompt`,
-                    description,
-                    suggestedFix: `Remove the secret from the prompt. If the AI needs to use an API, make the call server-side instead of passing credentials to the model.`,
-                    confidence: 'medium',
-                    layer: 2,
-                    source: 'ai_code',
-                    requiresAIValidation: true,
-                    baseConfidence: BASE_CONFIDENCE,
-                });
-            }
-        }
-        // Check for string concatenation with secret variables
-        for (const [varName] of secretVariables) {
-            if (line.includes(`+ ${varName}`) || line.includes(`${varName} +`) || line.includes(`+ ${varName} +`)) {
-                const secretInfo = secretVariables.get(varName);
-                let severity = 'high';
-                let description = `Secret variable '${varName}' (defined at line ${secretInfo.line}) is concatenated into prompt. This exposes the secret to the model provider.`;
-                if (isTestFile) {
-                    severity = 'low';
-                    description += ' (in test file)';
-                }
-                vulnerabilities.push({
-                    id: `secret-concat-${filePath}-${i + 1}-${varName}`,
-                    filePath,
-                    lineNumber: i + 1,
-                    lineContent: line.trim(),
-                    severity,
-                    category: 'hardcoded_secret',
-                    title: `Secret variable '${varName}' concatenated in prompt`,
-                    description,
-                    suggestedFix: `Remove the secret from the prompt. If the AI needs to use an API, make the call server-side.`,
-                    confidence: 'medium',
-                    layer: 2,
-                    source: 'ai_code',
-                    requiresAIValidation: true,
-                    baseConfidence: BASE_CONFIDENCE,
-                });
-            }
-        }
-    }
-    return vulnerabilities;
-}
-// ============================================================================
-// Phase 2: Indirect Prompt Injection Detection
-// ============================================================================
-/**
- * Check if content filtering/sanitization is present for external content
- */
-function hasContentFiltering(content, lineNumber, lines) {
-    const _lines = lines ?? content.split('\n');
-    const contextStart = Math.max(0, lineNumber - 20);
-    const contextEnd = Math.min(_lines.length, lineNumber + 10);
-    const context = _lines.slice(contextStart, contextEnd).join('\n');
-    const filteringPatterns = [
-        /filterContent|sanitizeContent|cleanContent/i,
-        /sanitizeContext|filterContext/i,
-        /contentModeration|moderateContent/i,
-        /stripInstructions|removeInstructions/i,
-        /escapePrompt|sanitizePrompt/i,
-        /validateInput|inputValidation/i,
-    ];
-    return filteringPatterns.some(p => p.test(context));
-}
-/**
- * Check if proper delimiters are used for external content
- */
-function hasExternalContentDelimiters(content, lineNumber, lines) {
-    const _lines = lines ?? content.split('\n');
-    const contextStart = Math.max(0, lineNumber - 15);
-    const contextEnd = Math.min(_lines.length, lineNumber + 15);
-    const context = _lines.slice(contextStart, contextEnd).join('\n');
-    const delimiterPatterns = [
-        /<context>|<\/context>/i,
-        /<document>|<\/document>/i,
-        /<retrieved>|<\/retrieved>/i,
-        /<external>|<\/external>/i,
-        /```[^`]*context|context[^`]*```/i,
-        /---\s*(?:context|document|retrieved)/i,
-        /\[CONTEXT\]|\[\/CONTEXT\]/i,
-        /\[DOCUMENT\]|\[\/DOCUMENT\]/i,
-    ];
-    return delimiterPatterns.some(p => p.test(context));
-}
-/**
- * Indirect prompt injection patterns - external content flowing to LLM context
- */
-const INDIRECT_INJECTION_PATTERNS = [
-    // ========== External Fetch to Prompt ==========
-    {
-        name: 'Fetched content in prompt',
-        // Pattern looks for: fetch() -> then/await -> result flows into messages/content
-        // Use word boundary \b to avoid matching function names like "validatedFetch"
-        // The pattern looks for: actual fetch call -> await/then -> use in LLM messages
-        pattern: /\bfetch\s*\(\s*[^)]+\)[\s\S]{0,80}(?:\.then|\.json)[\s\S]{0,150}(?:role:\s*['"`](?:system|user)['"`]|messages\s*:\s*\[)/gi,
-        severity: 'high',
-        description: 'Content fetched from external URL flows into LLM prompt. Malicious websites can embed instructions that hijack the model\'s behavior (indirect prompt injection).',
-        suggestedFix: 'Wrap external content with clear delimiters: <external_content>...</external_content>. Implement content filtering to strip instruction-like patterns.',
-        checkDelimiters: true,
-    },
-    {
-        name: 'HTTP response in system prompt',
-        pattern: /(?:axios|fetch|got|request)[\s\S]{0,150}(?:system|systemPrompt|instructions)\s*[:=+]/gi,
-        severity: 'high',
-        description: 'HTTP response content used in system prompt. External data in system prompts is especially dangerous as it can override model instructions.',
-        suggestedFix: 'Never put external content in system prompts. Use user messages with clear delimiters for context. Implement content sanitization.',
-        checkDelimiters: true,
-    },
-    // ========== RAG Vector Store to Prompt ==========
-    {
-        name: 'Vector store results in system message',
-        pattern: /(?:vectorStore|similaritySearch|query|search|retrieve)[\s\S]{0,200}role:\s*['"`]system['"`]/gi,
-        severity: 'high',
-        description: 'Vector store search results injected into system message. Poisoned documents in the corpus can hijack model behavior.',
-        suggestedFix: 'Place retrieved content in user messages, not system. Use delimiters: <retrieved_context>...</retrieved_context>. Implement document sanitization before indexing.',
-        checkDelimiters: true,
-    },
-    {
-        name: 'RAG retrieval directly in context',
-        pattern: /(?:retriever\.invoke|retrieve|getRelevantDocuments)\s*\([^)]*\)[\s\S]{0,150}(?:context|prompt|messages)/gi,
-        severity: 'high',
-        description: 'Retrieved documents flow directly into LLM context. Adversarial documents can contain prompt injection payloads.',
-        suggestedFix: 'Sanitize retrieved content before including in prompt. Use XML tags to clearly separate context from instructions.',
-        checkDelimiters: true,
-    },
-    // ========== Document Loading to LLM ==========
-    {
-        name: 'Loaded documents in LLM chain',
-        pattern: /(?:loadDocuments|DirectoryLoader|TextLoader|PDFLoader)[\s\S]{0,200}(?:chain|llm|invoke|call)/gi,
-        severity: 'high',
-        description: 'Documents loaded from files flow into LLM chain. Malicious files (PDFs, docs) can contain hidden prompt injection text.',
-        suggestedFix: 'Scan loaded documents for instruction-like patterns. Use separate document processing pipeline with content filtering.',
-        checkDelimiters: true,
-    },
-    {
-        name: 'Document content interpolated',
-        pattern: /\$\{.*(?:document|doc|file|page)(?:Content|Text|Data).*\}[\s\S]{0,50}(?:prompt|messages|llm)/gi,
-        severity: 'medium',
-        description: 'Document content interpolated into LLM prompt. Documents may contain adversarial instructions.',
-        suggestedFix: 'Wrap document content with delimiters: ```document\\n${content}\\n```. Implement text sanitization.',
-        checkDelimiters: true,
-    },
-    // ========== Web Scraping to Prompt ==========
-    {
-        name: 'Scraped content in prompt',
-        pattern: /(?:scrape|crawl|spider|puppeteer|playwright|cheerio)[\s\S]{0,200}(?:prompt|messages|context|content\s*:)/gi,
-        severity: 'high',
-        description: 'Web-scraped content flows into LLM prompt. Malicious websites can embed instructions in their HTML content.',
-        suggestedFix: 'Sanitize scraped content to remove instruction-like patterns. Use delimiters: <scraped_content url="...">...</scraped_content>',
-        checkDelimiters: true,
-    },
-    {
-        name: 'HTML content in LLM context',
-        // Pattern: Reading HTML (.innerHTML) and then using it in prompt/messages
-        // NOT: Writing LLM output TO innerHTML (that's output handling, different category)
-        // Look for: getting innerHTML value -> flowing to prompt context
-        pattern: /(?:\.innerHTML\s*[;,]|\.html\s*\(\s*\))[\s\S]{0,150}(?:role:\s*['"`](?:system|user)['"`]|messages\s*:\s*\[)/gi,
-        severity: 'medium',
-        description: 'HTML content from web pages used in LLM context. Web pages can contain hidden prompt injection in metadata, comments, or invisible text.',
-        suggestedFix: 'Extract only relevant text content. Filter out scripts, comments, and metadata. Use content sanitization.',
-        checkDelimiters: true,
-    },
-    // ========== Email/Message Content to Prompt ==========
-    {
-        name: 'Email content in prompt',
-        pattern: /(?:email|message|inbox)(?:Content|Body|Text)[\s\S]{0,150}(?:prompt|messages|llm|analyze)/gi,
-        severity: 'medium',
-        description: 'Email or message content flows into LLM prompt. Attackers can craft emails with embedded prompt injection.',
-        suggestedFix: 'Sanitize email content before LLM processing. Remove potentially malicious patterns. Use clear delimiters.',
-        checkDelimiters: true,
-    },
-    // ========== Database Content to Prompt ==========
-    {
-        name: 'Database record in system prompt',
-        pattern: /(?:findOne|findById|query|select)[\s\S]{0,150}(?:system|systemPrompt|instructions)\s*[:=]/gi,
-        severity: 'medium',
-        description: 'Database content used in system prompt. If users can modify database records, they can inject malicious instructions.',
-        suggestedFix: 'Keep system prompts static. Place database content in user messages with delimiters. Validate data before use.',
-        checkDelimiters: true,
-    },
-    // ========== Generic External Data Patterns ==========
-    {
-        name: 'External data concatenation',
-        pattern: /(?:externalData|fetchedContent|scrapedData|retrievedText)\s*\+[\s\S]{0,50}(?:prompt|system|instructions)/gi,
-        severity: 'medium',
-        description: 'External data concatenated with prompt content without clear separation.',
-        suggestedFix: 'Use structured prompts with XML/markdown delimiters to separate instructions from external content.',
-        checkDelimiters: true,
-    },
-];
-/**
- * Missing boundary patterns - prompts without clear user/system separation
- */
-const MISSING_BOUNDARY_PATTERNS = [
-    // Direct concatenation without any markers
-    {
-        name: 'Missing prompt boundaries',
-        pattern: /(?:content|prompt)\s*[:=]\s*(?:systemInstructions?|instructions?)\s*\+\s*(?:userMessage|userInput|input)/gi,
-        severity: 'medium',
-        description: 'Prompt concatenates system instructions with user input without clear boundaries.',
-        suggestedFix: 'Add delimiters between instructions and user content: "Instructions...\n---\n" + userInput + "\n---"',
-    },
-    // Template literals building prompts without delimiters
-    {
-        name: 'Unbounded template prompt',
-        pattern: /`(?:You are|As an|Your task)[^`]{20,}\$\{(?!.*(?:```|<user|---|\[USER))/gi,
-        severity: 'medium',
-        description: 'Prompt template interpolates values without clear delimiter boundaries.',
-        suggestedFix: 'Wrap interpolated user content with delimiters: ```${userInput}```',
-    },
-    // M5: RAG-specific prompt injection patterns
-    {
-        name: 'Retrieved context in system prompt',
-        pattern: /role:\s*['"`]system['"`]\s*,\s*content:\s*`[^`]*\$\{.*(?:context|chunks|documents|retrieved|sources)/gi,
-        severity: 'high',
-        description: 'Retrieved documents injected into system prompt. Poisoned documents could hijack model behavior.',
-        suggestedFix: 'Place retrieved context in user messages with clear delimiters. Use structured prompts separating instructions from data.',
-        checkDelimiters: true,
-    },
-    {
-        name: 'Mixed user input and retrieved context',
-        pattern: /\$\{.*(?:userInput|query|question).*\}[^`]*\$\{.*(?:context|chunks|documents).*\}|\$\{.*(?:context|chunks|documents).*\}[^`]*\$\{.*(?:userInput|query|question).*\}/gi,
-        severity: 'medium',
-        description: 'User input and retrieved context concatenated without clear separation. Both could contain injection attempts.',
-        suggestedFix: 'Clearly separate user input from retrieved context using XML tags or delimiters: <user_query>...</user_query><context>...</context>',
-        checkDelimiters: true,
-    },
-    {
-        name: 'RAG context directly interpolated',
-        pattern: /(?:system|prompt)\s*[:=].*(?:retrievedContext|ragContext|documentContext|knowledgeBase)\s*(?:\+|,)/gi,
-        severity: 'medium',
-        description: 'RAG context directly concatenated into prompt. Could enable data poisoning attacks.',
-        suggestedFix: 'Use structured prompt format with clear boundaries between instructions, context, and user input.',
-        checkDelimiters: true,
-    },
-];
-// ============================================================================
-// Sprint 6: Model-Specific Injection Syntax Detection
-// ============================================================================
-/**
- * Model-specific injection markers that could manipulate prompt structure
- * These patterns detect when user input might contain control tokens
- */
-const MODEL_SPECIFIC_INJECTION_PATTERNS = [
-    // Claude/ChatML XML-style markers
-    {
-        name: 'Claude/ChatML injection markers in user input',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*<\|?(?:system|human|assistant|user)\|?>/gi,
-        severity: 'high',
-        description: 'User input may contain system/role markers that could manipulate prompt structure. Attackers can inject fake system or assistant messages.',
-        suggestedFix: 'Strip or escape control tokens from user input: input.replace(/<\\|?(?:system|human|assistant|user)\\|?>/gi, "")',
-    },
-    // OpenAI ChatML markers
-    {
-        name: 'OpenAI ChatML control tokens',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*<\|im_(?:start|end)\|>/gi,
-        severity: 'high',
-        description: 'User input contains OpenAI ChatML control tokens (<|im_start|>, <|im_end|>) that could break message boundaries.',
-        suggestedFix: 'Filter ChatML tokens from user input before processing: input.replace(/<\\|im_(?:start|end)\\|>/gi, "")',
-    },
-    // Anthropic Human/Assistant turn markers
-    {
-        name: 'Anthropic turn markers in user input',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*\\n\\n(?:Human|Assistant):\s*/gi,
-        severity: 'medium',
-        description: 'User input contains Anthropic turn markers (Human:, Assistant:) that could inject fake assistant responses.',
-        suggestedFix: 'Sanitize turn markers from user input: input.replace(/\\n\\n(Human|Assistant):\\s*/gi, "")',
-    },
-    // Generic role injection attempts
-    {
-        name: 'Role injection in user input',
-        pattern: /`[^`]*\$\{[^}]*(?:user|input|query)[^}]*\}[^`]*(?:system|assistant|Human:|Assistant:|<\|)/gi,
-        severity: 'high',
-        description: 'User input is interpolated near role markers without proper boundaries. Could enable role impersonation.',
-        suggestedFix: 'Use strict message formatting and strip role-like patterns from user input.',
-        checkDelimiters: true,
-    },
-    // Instruction override attempts in templates
-    {
-        name: 'Instruction override pattern',
-        pattern: /`[^`]*\$\{[^}]*\}[^`]*(?:ignore\s+(?:all\s+)?previous|disregard\s+(?:your\s+)?(?:rules|instructions)|you\s+are\s+now)/gi,
-        severity: 'medium',
-        description: 'Template allows interpolation near common jailbreak phrases. User could inject instruction override attempts.',
-        suggestedFix: 'Filter jailbreak patterns from user input before interpolation.',
-        checkDelimiters: true,
-    },
-];
-// ============================================================================
-// Sprint 6: Encoding-Based Escape Detection
-// ============================================================================
-/**
- * Patterns for detecting encoding-based prompt injection bypasses
- */
-const ENCODING_ESCAPE_PATTERNS = [
-    // Base64 decoded content flowing to prompts
-    {
-        name: 'Base64 decoded content in prompt',
-        pattern: /(?:atob|Buffer\.from|base64\.decode|b64decode)\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message|content)/gi,
-        severity: 'medium',
-        description: 'Decoded base64 content concatenated with prompts. Attackers can hide malicious instructions in base64 encoding to bypass filters.',
-        suggestedFix: 'Validate and sanitize decoded content before including in prompts. Apply same security checks to decoded content.',
-    },
-    // URL decoded content in prompts
-    {
-        name: 'URL decoded content in prompt',
-        pattern: /(?:unescape|decodeURIComponent|decodeURI|urllib\.parse\.unquote)\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message|content)/gi,
-        severity: 'medium',
-        description: 'URL decoded content flows into prompt. Encoded payloads can bypass input sanitization.',
-        suggestedFix: 'Sanitize content after decoding. Apply prompt injection filters to the decoded output.',
-    },
-    // HTML entity decoded content
-    {
-        name: 'HTML decoded content in prompt',
-        pattern: /(?:htmlDecode|decodeHTMLEntities|he\.decode|html\.unescape)\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message|content)/gi,
-        severity: 'medium',
-        description: 'HTML decoded content flows into prompt. HTML entities can hide malicious instructions.',
-        suggestedFix: 'Apply prompt injection filters after HTML decoding.',
-    },
-    // JSON parsed content directly in prompt (could contain encoded payloads)
-    {
-        name: 'Unvalidated JSON in prompt',
-        pattern: /JSON\.parse\s*\([^)]*(?:userInput|body|request|external)[^)]*\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message)/gi,
-        severity: 'medium',
-        description: 'Parsed JSON content directly used in prompt. JSON values could contain encoded injection payloads.',
-        suggestedFix: 'Validate JSON schema and sanitize string values before including in prompts.',
-        checkDelimiters: true,
-    },
-    // Unicode escape sequences that could hide instructions
-    {
-        name: 'Unicode content in prompt',
-        pattern: /(?:String\.fromCharCode|String\.fromCodePoint|chr\(|unichr\()\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message)/gi,
-        severity: 'low',
-        description: 'Unicode character construction flows into prompt. Could be used to hide malicious characters.',
-        suggestedFix: 'Normalize and validate Unicode content before including in prompts.',
-    },
-];
-// ============================================================================
-// Sprint 6: Jailbreak Pattern Detection
-// ============================================================================
-/**
- * Common jailbreak preamble patterns that indicate injection attempts
- * These detect when user input flow might contain jailbreak phrases
- */
-const JAILBREAK_INDICATOR_PATTERNS = [
-    // Instruction override phrases flowing to LLM
-    {
-        name: 'Instruction override phrases in input flow',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:ignore\s+(?:all\s+)?previous\s+(?:instructions|prompts)|disregard\s+(?:your\s+)?(?:rules|guidelines|instructions))/gi,
-        severity: 'high',
-        description: 'User input variable contains instruction override phrases. Classic jailbreak attempt detected.',
-        suggestedFix: 'Implement jailbreak detection filter. Block or sanitize inputs containing instruction override patterns.',
-    },
-    // Role-playing jailbreak attempts
-    {
-        name: 'Role-playing jailbreak in input',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:you\s+are\s+now\s+(?:a|an)\s+\w+|pretend\s+(?:you|to\s+be)\s+(?:are\s+)?(?:a|an|not)|act\s+as\s+(?:if|though)\s+you)/gi,
-        severity: 'medium',
-        description: 'User input contains role-playing jailbreak patterns. Attempts to make model assume a different persona.',
-        suggestedFix: 'Filter role-manipulation phrases from user input. Implement persona consistency checks.',
-    },
-    // "From now on" style instruction changes
-    {
-        name: 'Instruction change phrases',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:from\s+now\s+on\s+(?:you\s+will|ignore)|for\s+the\s+rest\s+of\s+this\s+(?:conversation|session))/gi,
-        severity: 'medium',
-        description: 'User input contains temporal instruction override attempts. Tries to change model behavior for the session.',
-        suggestedFix: 'Sanitize phrases that attempt to change ongoing behavior.',
-    },
-    // Developer mode / DAN style jailbreaks
-    {
-        name: 'Developer mode jailbreak patterns',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:developer\s+mode|DAN|Do\s+Anything\s+Now|jailbreak|no\s+restrictions)/gi,
-        severity: 'high',
-        description: 'User input contains known jailbreak terminology (DAN, developer mode). High-confidence malicious input.',
-        suggestedFix: 'Block inputs containing known jailbreak terminology. Log for security review.',
-    },
-    // Hypothetical scenario framing
-    {
-        name: 'Hypothetical framing jailbreak',
-        pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:hypothetically|in\s+a\s+(?:fictional|imaginary)\s+(?:world|scenario)|what\s+if\s+you\s+(?:could|had\s+no))/gi,
-        severity: 'low',
-        description: 'User input uses hypothetical framing often used in jailbreak attempts. May be legitimate creative use.',
-        suggestedFix: 'Apply additional scrutiny to hypothetically-framed requests. Consider context before blocking.',
-    },
-];
-/**
- * Check if input sanitization is present for jailbreak patterns
- */
-function hasJailbreakFiltering(content, lineNumber, lines) {
-    const _lines = lines ?? content.split('\n');
-    const contextStart = Math.max(0, lineNumber - 20);
-    const contextEnd = Math.min(_lines.length, lineNumber + 10);
-    const context = _lines.slice(contextStart, contextEnd).join('\n');
-    const filteringPatterns = [
-        /filterJailbreak|detectJailbreak|jailbreakFilter/i,
-        /sanitizePrompt|filterPrompt|cleanPrompt/i,
-        /blockInjection|preventInjection/i,
-        /moderationApi|contentModeration/i,
-        /instructionFilter|roleFilter/i,
-        /guardRails|guardrail/i,
-        /promptGuard|inputGuard/i,
-    ];
-    return filteringPatterns.some(p => p.test(context));
-}
-/**
- * Check if encoding sanitization is present
- */
-function hasEncodingSanitization(content, lineNumber, lines) {
-    const _lines = lines ?? content.split('\n');
-    const contextStart = Math.max(0, lineNumber - 15);
-    const contextEnd = Math.min(_lines.length, lineNumber + 5);
-    const context = _lines.slice(contextStart, contextEnd).join('\n');
-    const sanitizationPatterns = [
-        /validateDecoded|sanitizeDecoded/i,
-        /afterDecode.*sanitize|decode.*then.*filter/i,
-        /normalizeInput|sanitizeInput/i,
-        /schema\.parse|validate.*schema/i,
-        /stripControlChars|removeControlTokens/i,
-    ];
-    return sanitizationPatterns.some(p => p.test(context));
-}
-// ============================================================================
-// Detection Functions
-// ============================================================================
-/**
- * Get surrounding context lines for analysis
- */
-function getSurroundingContext(content, lineIndex, windowSize = 10, lines) {
-    const _lines = lines ?? content.split('\n');
-    const start = Math.max(0, lineIndex - windowSize);
-    const end = Math.min(_lines.length, lineIndex + windowSize);
-    return _lines.slice(start, end);
-}
-/**
- * Main detection function for AI prompt hygiene issues
- */
-function detectAIPromptHygiene(content, filePath, options) {
-    const vulnerabilities = [];
-    // Skip non-applicable files
-    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
-        return vulnerabilities;
-    if ((0, file_classifier_1.isDocumentationFile)(filePath))
-        return vulnerabilities;
-    // Only scan files that appear to be in LLM context
-    if (!isLLMContextFile(filePath, content)) {
-        return vulnerabilities;
-    }
-    const lines = options?.parsed?.lines ?? content.split('\n');
-    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
-    // Scan for unsafe interpolation patterns (B1)
-    for (const pattern of UNSAFE_INTERPOLATION_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            // Skip if properly parameterized
-            if (isProperlyParameterized(lineContent))
-                continue;
-            // Check for delimiters if applicable
-            let severity = pattern.severity;
-            let description = pattern.description;
-            const contextLines = getSurroundingContext(content, lineNumber - 1, 15, lines);
-            if (pattern.checkDelimiters && hasPromptDelimiters(lineContent, contextLines)) {
-                // Delimiters present - downgrade severity
-                severity = 'info';
-                description += ' (Note: Delimiters detected in context, which mitigates this risk.)';
-            }
-            // Downgrade test files
-            if (isTestFile) {
-                severity = 'info';
-                description += ' (in test file)';
-            }
-            vulnerabilities.push({
-                id: `ai-prompt-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'ai_prompt_injection',
-                title: pattern.name,
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: severity === 'info' ? 'low' : 'medium',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: severity !== 'info',
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    // Scan for secrets in prompts (B3) - Original context-aware patterns
-    for (const pattern of SECRETS_IN_PROMPTS_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            // Check if it's an env var reference (safe pattern)
-            const isEnvRef = /process\.env|import\.meta\.env|os\.environ|getenv/i.test(lineContent);
-            if (isEnvRef)
-                continue;
-            // Skip test variable names
-            if (/(?:const|let|var)\s+(?:TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)[_A-Z0-9]*\s*=/i.test(lineContent))
-                continue;
-            if (/(?:const|let|var)\s+\w*(?:test|mock|example|dummy|fake|sample)\w*\s*=/i.test(lineContent))
-                continue;
-            // Skip placeholder/example values in the line
-            if (/example|sample|demo|placeholder|your[_-]?api[_-]?key/i.test(lineContent))
-                continue;
-            let severity = pattern.severity;
-            let description = pattern.description;
-            // Downgrade test files but still flag
-            if (isTestFile) {
-                severity = severity === 'critical' ? 'medium' : 'low';
-                description += ' (in test file - still review for accidental commits)';
-            }
-            vulnerabilities.push({
-                id: `ai-secret-prompt-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'hardcoded_secret', // Use existing category for consistency
-                title: pattern.name + ' (in LLM context)',
-                description: description + ' Secrets in prompts are especially risky as they may be logged, shared, or sent to external AI providers.',
-                suggestedFix: pattern.suggestedFix,
-                confidence: 'high',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: false, // Secrets don't need AI validation - they're definitive
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    // ========== NEW: Direct secret detection with known prefixes ==========
-    // Scan for any known secret patterns anywhere in prompt-related code
-    const seenSecretLines = new Set(); // Avoid duplicates
-    for (const secretDef of KNOWN_SECRET_PREFIXES) {
-        const regex = new RegExp(secretDef.pattern.source, secretDef.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip if already reported on this line
-            const lineKey = `${lineNumber}-${secretDef.name}`;
-            if (seenSecretLines.has(lineNumber))
-                continue;
-            seenSecretLines.add(lineNumber);
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            // Skip env var references
-            if (/process\.env|import\.meta\.env|os\.environ|getenv/i.test(lineContent))
-                continue;
-            // Skip obvious placeholders/examples in the value
-            const matchValue = match[0];
-            if (/example|sample|demo|dummy|fake|mock|your[_-]|placeholder/i.test(matchValue))
-                continue;
-            if (/example|sample|demo|placeholder/i.test(lineContent))
-                continue;
-            // Skip values that contain "test" right after the prefix (e.g., sk-test..., ghp_test...)
-            // These are clearly test/development keys, not production secrets
-            if (/^(sk-|ghp_|gho_|sk_live_|sk_test_|xoxb-|SG\.)test/i.test(matchValue))
-                continue;
-            if (/[-_]test[-_0-9]/i.test(matchValue))
-                continue;
-            // Skip test variable names (e.g., TEST_API_KEY, MOCK_SECRET)
-            if (/(?:const|let|var)\s+(?:TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)[_A-Z0-9]*\s*=/i.test(lineContent))
-                continue;
-            // Skip if variable name contains test/mock/example (broader check)
-            if (/(?:const|let|var)\s+\w*(?:test|mock|example|dummy|fake|sample)\w*\s*=/i.test(lineContent))
-                continue;
-            let severity = secretDef.severity;
-            let description = `${secretDef.name} detected in LLM-related code. This secret may be exposed to the model provider, logged, or cached.`;
-            // Downgrade test files
-            if (isTestFile) {
-                severity = severity === 'critical' ? 'medium' : 'low';
-                description += ' (in test file)';
-            }
-            vulnerabilities.push({
-                id: `ai-direct-secret-${filePath}-${lineNumber}-${secretDef.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'hardcoded_secret',
-                title: `${secretDef.name} in LLM context`,
-                description,
-                suggestedFix: 'Remove the hardcoded secret. Use environment variables server-side. Never expose secrets to LLM prompts.',
-                confidence: 'high',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: false,
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    // ========== NEW: Variable flow detection ==========
-    // Detect secrets flowing from variables into prompts
-    const flowVulns = detectSecretVariableFlow(content, filePath, isTestFile, lines);
-    vulnerabilities.push(...flowVulns);
-    // Scan for missing boundary patterns (B1 continued)
-    for (const pattern of MISSING_BOUNDARY_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            const contextLines = getSurroundingContext(content, lineNumber - 1, 10, lines);
-            // Skip if delimiters are present
-            if (hasPromptDelimiters(lineContent, contextLines))
-                continue;
-            let severity = pattern.severity;
-            let description = pattern.description;
-            if (isTestFile) {
-                severity = 'info';
-                description += ' (in test file)';
-            }
-            vulnerabilities.push({
-                id: `ai-boundary-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'ai_prompt_injection',
-                title: pattern.name,
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: 'medium',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: true,
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    // Scan for indirect prompt injection patterns (Phase 2)
-    for (const pattern of INDIRECT_INJECTION_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            let severity = pattern.severity;
-            let description = pattern.description;
-            // Check for content filtering/sanitization
-            const hasFiltering = hasContentFiltering(content, lineNumber, lines);
-            const hasDelimiters = hasExternalContentDelimiters(content, lineNumber, lines);
-            if (hasFiltering && hasDelimiters) {
-                // Both mitigations present - fully mitigated
-                severity = 'info';
-                description += ' (Content filtering and delimiters detected - mitigated.)';
-            }
-            else if (hasFiltering) {
-                // Partial mitigation - filtering present
-                severity = severity === 'high' ? 'medium' : 'low';
-                description += ' (Content filtering detected.)';
-            }
-            else if (hasDelimiters) {
-                // Partial mitigation - delimiters present
-                severity = severity === 'high' ? 'medium' : 'low';
-                description += ' (External content delimiters detected.)';
-            }
-            // Downgrade test files
-            if (isTestFile) {
-                severity = 'info';
-                description += ' (in test file)';
-            }
-            vulnerabilities.push({
-                id: `ai-indirect-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'ai_prompt_injection',
-                title: pattern.name + ' (Indirect Injection)',
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: severity === 'info' ? 'low' : 'medium',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: severity !== 'info',
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    // ========== Sprint 6: Model-specific injection markers ==========
-    for (const pattern of MODEL_SPECIFIC_INJECTION_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            let severity = pattern.severity;
-            let description = pattern.description;
-            const contextLines = getSurroundingContext(content, lineNumber - 1, 15, lines);
-            // Check for delimiters/sanitization
-            if (pattern.checkDelimiters && hasPromptDelimiters(lineContent, contextLines)) {
-                severity = 'info';
-                description += ' (Delimiters detected, risk mitigated.)';
-            }
-            // Check for jailbreak filtering
-            if (hasJailbreakFiltering(content, lineNumber, lines)) {
-                severity = severity === 'high' ? 'medium' : 'low';
-                description += ' (Jailbreak filtering detected.)';
-            }
-            if (isTestFile) {
-                severity = 'info';
-                description += ' (in test file)';
-            }
-            vulnerabilities.push({
-                id: `ai-model-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'ai_prompt_injection',
-                title: pattern.name,
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: severity === 'info' ? 'low' : 'medium',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: severity !== 'info' && severity !== 'low',
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    // ========== Sprint 6: Encoding-based escape detection ==========
-    for (const pattern of ENCODING_ESCAPE_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            let severity = pattern.severity;
-            let description = pattern.description;
-            const contextLines = getSurroundingContext(content, lineNumber - 1, 15, lines);
-            // Check for encoding sanitization
-            if (hasEncodingSanitization(content, lineNumber, lines)) {
-                severity = 'info';
-                description += ' (Encoding sanitization detected.)';
-            }
-            // Check for delimiters
-            if (pattern.checkDelimiters && hasPromptDelimiters(lineContent, contextLines)) {
-                severity = 'info';
-                description += ' (Delimiters detected.)';
-            }
-            if (isTestFile) {
-                severity = 'info';
-                description += ' (in test file)';
-            }
-            vulnerabilities.push({
-                id: `ai-encoding-escape-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'ai_prompt_injection',
-                title: pattern.name + ' (Encoding Bypass)',
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: 'medium',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: severity !== 'info',
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    // ========== Sprint 6: Jailbreak pattern detection ==========
-    for (const pattern of JAILBREAK_INDICATOR_PATTERNS) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            let severity = pattern.severity;
-            let description = pattern.description;
-            // Check for jailbreak filtering
-            if (hasJailbreakFiltering(content, lineNumber, lines)) {
-                severity = 'info';
-                description += ' (Jailbreak filtering detected - mitigated.)';
-            }
-            if (isTestFile) {
-                severity = 'info';
-                description += ' (in test file)';
-            }
-            vulnerabilities.push({
-                id: `ai-jailbreak-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: 'ai_prompt_injection',
-                title: pattern.name + ' (Jailbreak Risk)',
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: severity === 'info' ? 'low' : 'medium',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: severity !== 'info' && severity !== 'low',
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    return vulnerabilities;
-}
-//# sourceMappingURL=prompt-hygiene.js.map