@oculum/scanner 1.0.13 → 1.0.15

package/dist/detect/ai-code/rag-safety.js

@@ -1,913 +0,0 @@
-"use strict";
-/**
- * Layer 2: RAG Data Safety Detection
- * Detects data exfiltration risks in Retrieval Augmented Generation systems
- *
- * Covers:
- * - M5.1: RAG data exfiltration (cross-tenant retrieval, raw context exposure)
- * - Unscoped vector store queries
- * - Raw retrieved context in responses
- * - Context logging risks
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectRAGSafetyIssues = detectRAGSafetyIssues;
-exports.isRAGContextFile = isRAGContextFile;
-const file_classifier_1 = require("../../parse/file-classifier");
-const BASE_CONFIDENCE = 0.45;
-// ============================================================================
-// Context Detection
-// ============================================================================
-/**
- * Check if file uses client-side fuzzy search libraries (not vector stores)
- * These are safe local search implementations, not cross-tenant data access risks
- */
-function isClientSideFuzzySearch(content) {
-    const fuzzySearchPatterns = [
-        // Fuse.js - client-side fuzzy search
-        /import.*from\s+['"]fuse\.js['"]/i,
-        /require\s*\(\s*['"]fuse\.js['"]\s*\)/i,
-        /new\s+Fuse\s*\(/i,
-        // Other client-side search libraries
-        /import.*from\s+['"]flexsearch['"]/i,
-        /import.*from\s+['"]lunr['"]/i,
-        /import.*from\s+['"]minisearch['"]/i,
-        /import.*from\s+['"]fuzzysort['"]/i,
-        /import.*from\s+['"]match-sorter['"]/i,
-    ];
-    return fuzzySearchPatterns.some(p => p.test(content));
-}
-/**
- * Check if a line contains a generic query pattern that is NOT a vector store query
- * These are common web framework patterns that should not be flagged as RAG issues
- */
-function isGenericQueryPattern(lineContent) {
-    const genericQueryPatterns = [
-        // Express/Hono/Koa query params
-        /req\.query\s*\(/i,
-        /c\.req\.query\s*\(/i,
-        /ctx\.query\s*\(/i,
-        /request\.query\s*\(/i,
-        // URL search params
-        /searchParams\.get\s*\(/i,
-        /url\.searchParams/i,
-        /URLSearchParams/i,
-        // Query string parsing
-        /querystring\.parse/i,
-        /qs\.parse/i,
-        // Database query builders (not vector stores)
-        /\.query\s*\(\s*['"`]SELECT/i,
-        /\.query\s*\(\s*['"`]INSERT/i,
-        /\.query\s*\(\s*['"`]UPDATE/i,
-        /\.query\s*\(\s*['"`]DELETE/i,
-        // GraphQL queries
-        /graphql.*query/i,
-        /useQuery\s*\(/i,
-        /useLazyQuery\s*\(/i,
-        // tRPC/React Query
-        /trpc\.\w+\.\w+\.query/i,
-        /\.useQuery\s*\(/i,
-        // Prisma/Drizzle queries
-        /prisma\.\w+\.findMany/i,
-        /db\.query\./i,
-        // Generic method chaining that isn't vector search
-        /\.query\s*\(\s*\)/i, // Empty query call
-    ];
-    return genericQueryPatterns.some(p => p.test(lineContent));
-}
-/**
- * Check if file has vector store imports (required for RAG detection)
- */
-function hasVectorStoreImport(content) {
-    const vectorStoreImports = [
-        /from\s+['"]pinecone/i,
-        /from\s+['"]@pinecone-database/i,
-        /from\s+['"]weaviate/i,
-        /from\s+['"]chromadb/i,
-        /from\s+['"]@qdrant/i,
-        /from\s+['"]qdrant/i,
-        /from\s+['"]@langchain\/vectorstores/i,
-        /from\s+['"]langchain\/vectorstores/i,
-        /from\s+['"]faiss/i,
-        /from\s+['"]milvus/i,
-        /from\s+['"]@supabase.*vector/i,
-        /pgvector/i,
-        /VectorStore/i,
-        /Embeddings/i,
-    ];
-    return vectorStoreImports.some(p => p.test(content));
-}
-/**
- * Check if a file is in a RAG/retrieval context based on path and content
- */
-function isRAGContextFile(filePath, content) {
-    // Skip client-side fuzzy search libraries - these are NOT vector stores
-    if (isClientSideFuzzySearch(content)) {
-        return false;
-    }
-    // Must have vector store imports to be considered RAG context
-    if (!hasVectorStoreImport(content)) {
-        return false;
-    }
-    // File path indicators of RAG code
-    const ragPathPatterns = [
-        /\/(rag|retrieval|retriever|embedding|vector|knowledge)\//i,
-        /\/(search|index|indexer|embeddings?)\//i,
-        /(rag|retriever|embedding|vector|knowledge).*\.(ts|js|tsx|jsx|py)$/i,
-        /(search|retrieval|indexer).*\.(ts|js|tsx|jsx|py)$/i,
-    ];
-    if (ragPathPatterns.some(p => p.test(filePath))) {
-        return true;
-    }
-    // Content patterns suggesting RAG usage - must be actual vector store clients
-    const ragContentPatterns = [
-        // Vector store patterns - specific to actual vector DBs
-        /VectorStore|Embeddings?|Retriever/i,
-        /similaritySearch|query_engine|retriever/i,
-        /vectorStore|embeddingModel|documentLoader/i,
-        // Framework imports - actual vector store SDKs
-        /from\s+['"](?:langchain|llama[-_]?index|@pinecone|@qdrant|chromadb|weaviate)/i,
-        /import.*(?:Pinecone|Chroma|Weaviate|Qdrant|Milvus|PGVector)/i,
-        // Vercel AI SDK RAG
-        /VercelKVVectorStore|SupabaseVectorStore|createEmbedding/i,
-        // Query patterns - but NOT generic .search() which could be Fuse.js
-        /\.retrieve\(|\.query\(/i,
-        /sourceDocuments|retrievedDocs|retrievedChunks/i,
-        // Supabase vector search
-        /\.rpc\s*\(\s*['"`]match_documents/i,
-        /pgvector|embedding.*vector/i,
-    ];
-    return ragContentPatterns.some(p => p.test(content));
-}
-/**
- * Check if line/context has access control scoping
- */
-function hasAccessControlScoping(context) {
-    const accessPatterns = [
-        // User/tenant scoping
-        /userId|user_id|user\.id|currentUser/i,
-        /tenantId|tenant_id|tenant\.id|orgId|org_id|workspaceId/i,
-        // Filter parameters
-        /filter\s*[:=]\s*\{[^}]*(?:user|tenant|org)/i,
-        /where\s*[:=].*(?:user|tenant|org)/i,
-        /metadata\s*[:=].*(?:user|tenant|org)/i,
-        /namespace\s*[:=]/i,
-        // Access check functions
-        /checkAccess|verifyPermission|canRead|canAccess|hasAccess/i,
-        /getAuthorized|filterByUser|filterByTenant/i,
-    ];
-    return accessPatterns.some(p => p.test(context));
-}
-/**
- * Check if response is filtered/processed before return
- */
-function hasResponseFiltering(context) {
-    const filterPatterns = [
-        // Content filtering
-        /\.map\s*\([^)]*\.(title|name|id|metadata)\)/i,
-        /\.filter\s*\(/i,
-        /sanitize|redact|mask|strip/i,
-        // Only returning specific fields
-        /return\s*\{[^}]*(?:id|title|summary)[^}]*\}(?![^}]*content)/i,
-    ];
-    return filterPatterns.some(p => p.test(context));
-}
-/**
- * Check if there's authentication in the route/function
- */
-function hasAuthenticationInContext(content) {
-    const authPatterns = [
-        /getSession|getCurrentUser|getServerSession/i,
-        /auth\(\)|requireAuth|verifyToken/i,
-        /req\.user|request\.user|context\.user/i,
-        /isAuthenticated|checkAuth|withAuth/i,
-        /Authorization.*Bearer/i,
-        /userId|user\.id|currentUserId/i,
-    ];
-    return authPatterns.some(p => p.test(content));
-}
-/**
- * Get surrounding context lines
- */
-function getSurroundingContext(content, lineIndex, windowSize = 25) {
-    const lines = content.split('\n');
-    const start = Math.max(0, lineIndex - windowSize);
-    const end = Math.min(lines.length, lineIndex + windowSize);
-    return lines.slice(start, end).join('\n');
-}
-/**
- * Unscoped retrieval query patterns
- * Detects vector store queries without user/tenant filtering
- */
-const UNSCOPED_RETRIEVAL_PATTERNS = [
-    // Generic vector store queries
-    {
-        name: 'Unscoped vector store query',
-        pattern: /\.(?:query|search|similaritySearch|retrieve)\s*\(\s*(?:["'`][^"'`]+["'`]|[a-zA-Z_]\w*)\s*\)/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'high',
-        description: 'Vector store query without user/tenant scoping. Retrieved documents may belong to other users, enabling cross-tenant data access.',
-        suggestedFix: 'Add filter/metadata parameter to scope queries: .query(query, { filter: { userId: currentUser.id } })',
-    },
-    // LangChain retriever invoke
-    {
-        name: 'LangChain retriever without filter',
-        pattern: /retriever\.(?:invoke|getRelevantDocuments)\s*\(\s*(?:["'`][^"'`]+["'`]|[a-zA-Z_]\w*)\s*\)/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'high',
-        description: 'LangChain retriever invocation without metadata filter. Documents from all users may be retrieved.',
-        suggestedFix: 'Use a filtered retriever or add metadata filter: retriever.invoke(query, { filter: { userId } })',
-    },
-    // LlamaIndex query engine
-    {
-        name: 'LlamaIndex query engine without filter',
-        pattern: /query_engine\.query\s*\(\s*["'`][^"'`]+["'`]\s*\)/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'high',
-        description: 'LlamaIndex query without node postprocessors or filters. All indexed documents are searchable.',
-        suggestedFix: 'Add node_postprocessors to filter by user/tenant metadata before retrieval.',
-    },
-    // Pinecone query
-    {
-        name: 'Pinecone query without metadata filter',
-        pattern: /\.query\s*\(\s*\{[^}]*(?:vector|topK)[^}]*\}\s*\)/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'medium',
-        description: 'Pinecone query may lack metadata filtering. Verify namespace or filter is set.',
-        suggestedFix: 'Add filter parameter: .query({ vector, topK, filter: { userId: { $eq: currentUserId } } })',
-    },
-    // Chroma query
-    {
-        name: 'Chroma collection query',
-        pattern: /collection\.query\s*\(\s*\{[^}]*query_texts[^}]*\}\s*\)/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'medium',
-        description: 'ChromaDB query without where filter. All documents in collection are searchable.',
-        suggestedFix: 'Add where parameter: collection.query({ query_texts, where: { userId: currentUserId } })',
-    },
-    // Weaviate search
-    {
-        name: 'Weaviate search without filter',
-        pattern: /\.nearText\s*\([^)]+\)\.(?:do|withLimit)/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'medium',
-        description: 'Weaviate nearText search without where filter. Results may include other users\' data.',
-        suggestedFix: 'Add .withWhere() to filter by user: .nearText({...}).withWhere({ path: ["userId"], operator: "Equal", valueString: userId })',
-    },
-    // Supabase vector search
-    {
-        name: 'Supabase vector search without RLS',
-        pattern: /\.rpc\s*\(\s*['"`]match_documents['"`]/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'medium',
-        description: 'Supabase vector search function called. Ensure RLS policies filter by user.',
-        suggestedFix: 'Verify Row Level Security (RLS) is enabled and filters documents by authenticated user.',
-    },
-];
-/**
- * Raw context exposure patterns
- * Detects retrieved documents being returned directly to clients
- */
-const CONTEXT_EXPOSURE_PATTERNS = [
-    // Returning sourceDocuments in response
-    {
-        name: 'Source documents in API response',
-        pattern: /(?:res\.json|NextResponse\.json|return)\s*\([^)]*(?:sourceDocuments|retrievedDocs|documents|chunks)/gi,
-        riskType: 'context_exposure',
-        baseSeverity: 'medium',
-        description: 'Raw retrieved documents returned in API response. Source content may leak sensitive information from the knowledge base.',
-        suggestedFix: 'Return only synthesized response or document IDs/titles. If source attribution needed, filter to metadata only.',
-    },
-    // Spreading documents into response
-    {
-        name: 'Retrieved context spread in response',
-        pattern: /(?:res\.json|return)\s*\(\s*\{[^}]*\.\.\.(?:docs|documents|chunks|sourceDocuments|context)/gi,
-        riskType: 'context_exposure',
-        baseSeverity: 'medium',
-        description: 'Retrieved document objects spread into response. Full document content may be exposed.',
-        suggestedFix: 'Extract and return only safe fields: { sources: docs.map(d => ({ id: d.id, title: d.title })) }',
-    },
-    // Returning raw context in response object
-    {
-        name: 'Raw retrieval context in response',
-        pattern: /return\s*\{[^}]*(?:context|retrievedContext|ragContext)\s*:/gi,
-        riskType: 'context_exposure',
-        baseSeverity: 'low',
-        description: 'Retrieved context included in response object. Review what data is actually exposed.',
-        suggestedFix: 'Ensure context field contains only safe, summarized content - not raw document text.',
-    },
-    // WebSocket/stream context exposure
-    {
-        name: 'Context in streaming response',
-        pattern: /(?:socket|ws|stream)\.(?:send|emit|write)\s*\([^)]*(?:sourceDocuments|context|chunks)/gi,
-        riskType: 'context_exposure',
-        baseSeverity: 'medium',
-        description: 'Retrieved context sent via streaming/WebSocket. Clients receive raw source data.',
-        suggestedFix: 'Stream only AI-generated text. Send source attribution separately with filtered metadata.',
-    },
-];
-/**
- * Context logging patterns
- * Detects logging of retrieved documents or prompts with context
- */
-const CONTEXT_LOGGING_PATTERNS = [
-    // Logging retrieved documents
-    {
-        name: 'Retrieved documents logged',
-        pattern: /(?:console|logger)\.\w+\s*\([^)]*(?:retrievedDocs|sourceDocuments|documents|chunks)/gi,
-        riskType: 'context_logging',
-        baseSeverity: 'info',
-        description: 'Retrieved documents logged. If logs are accessible, sensitive document content may be exposed.',
-        suggestedFix: 'Log document IDs/titles only: console.log("Retrieved:", docs.map(d => d.id))',
-    },
-    // Logging full prompt with context
-    {
-        name: 'Full prompt with context logged',
-        pattern: /(?:console|logger)\.\w+\s*\([^)]*(?:fullPrompt|promptWithContext|augmentedPrompt)/gi,
-        riskType: 'context_logging',
-        baseSeverity: 'low',
-        description: 'Full prompt (including retrieved context) logged. May expose sensitive document content in logs.',
-        suggestedFix: 'Log prompt length/metadata only. Avoid logging full prompt content in production.',
-    },
-    // Debug logging of RAG context
-    {
-        name: 'RAG context debug logging',
-        pattern: /(?:console\.(?:debug|log)|logger\.debug)\s*\([^)]*(?:context|ragContext|retrievalContext)/gi,
-        riskType: 'context_logging',
-        baseSeverity: 'info',
-        description: 'RAG context logged for debugging. Ensure debug logging is disabled in production.',
-        suggestedFix: 'Use conditional logging: if (process.env.NODE_ENV !== "production") console.debug(...)',
-    },
-    // Storing prompts with context
-    {
-        name: 'Prompt with context persisted',
-        pattern: /(?:\.create|\.insert|\.save)\s*\([^)]*(?:fullPrompt|promptWithContext|augmentedPrompt)/gi,
-        riskType: 'context_logging',
-        baseSeverity: 'medium',
-        description: 'Full prompt with retrieved context being persisted. May store sensitive document content.',
-        suggestedFix: 'Store user query and response separately. Do not persist raw retrieved context.',
-    },
-];
-// ============================================================================
-// AI Detection Roadmap Phase 1: Enhanced RAG Detection
-// ============================================================================
-/**
- * Corpus Poisoning Patterns
- * Detects user uploads directly embedded without sanitization
- */
-const CORPUS_POISONING_PATTERNS = [
-    // User content embedded directly
-    {
-        name: 'User content embedded directly',
-        pattern: /(?:embeddings?\.create|createEmbedding|embed)\s*\([^)]*(?:document\.content|user\.content|req\.body|req\.json|upload|file\.content)/gi,
-        riskType: 'corpus_poisoning',
-        baseSeverity: 'high',
-        description: 'User-provided content embedded directly without sanitization. Malicious instructions in uploads could poison the RAG corpus.',
-        suggestedFix: 'Sanitize user content before embedding: const sanitized = sanitizeForRAG(content); await embed(sanitized)',
-    },
-    // External content fetched and embedded
-    {
-        name: 'External content embedded without validation',
-        pattern: /(?:fetch|axios\.get|httpx\.get)\s*\([^)]+\)[^;]*(?:embed|addDocument|upsert|index)/gi,
-        riskType: 'corpus_poisoning',
-        baseSeverity: 'high',
-        description: 'External content fetched and embedded without validation. External sources could contain prompt injection payloads.',
-        suggestedFix: 'Validate and sanitize external content before embedding. Check source trustworthiness.',
-    },
-    // PDF/file content indexed without scanning
-    {
-        name: 'File content indexed without sanitization',
-        pattern: /(?:pdfParser|parse|readFile)[^;]*(?:addToCorpus|embedDocument|vectorStore\.add|index\.upsert)/gi,
-        riskType: 'corpus_poisoning',
-        baseSeverity: 'medium',
-        description: 'File content indexed without sanitization. PDFs and documents may contain hidden injection instructions.',
-        suggestedFix: 'Scan file content for injection patterns before indexing. Consider content classification.',
-    },
-    // User messages embedded
-    {
-        name: 'User messages embedded to corpus',
-        pattern: /(?:messages?|msg|chat)[^;]*(?:embedDocument|addToCorpus|vectorStore\.add)/gi,
-        riskType: 'corpus_poisoning',
-        baseSeverity: 'medium',
-        description: 'User messages being embedded into corpus. Messages could contain crafted injection payloads.',
-        suggestedFix: 'Filter user messages for instruction-like patterns. Use separate namespace for user content.',
-    },
-    // Direct upsert without sanitization
-    {
-        name: 'Direct vector upsert with user data',
-        pattern: /\.upsert\s*\(\s*\[\s*\{[^}]*content\s*:\s*(?:document|user|upload|req)/gi,
-        riskType: 'corpus_poisoning',
-        baseSeverity: 'high',
-        description: 'User data upserted directly to vector store. Content should be sanitized first.',
-        suggestedFix: 'Sanitize content before upserting: { content: sanitize(document.content), ... }',
-    },
-];
-/**
- * PII Leakage Patterns
- * Detects PII fields in embedded documents or retrieval responses
- */
-const PII_LEAKAGE_PATTERNS = [
-    // PII fields in metadata
-    {
-        name: 'PII in document metadata',
-        pattern: /metadata\s*:\s*\{[^}]*(?:email|ssn|phone(?:Number)?|fullName|dateOfBirth|dob|address|socialSecurity)/gi,
-        riskType: 'pii_leakage',
-        baseSeverity: 'high',
-        description: 'PII fields stored in document metadata. This data will be exposed when documents are retrieved.',
-        suggestedFix: 'Remove PII from metadata. Store only non-sensitive identifiers: { userId: user.id, category: doc.type }',
-    },
-    // SSN/financial data in embedded docs
-    {
-        name: 'Sensitive financial/identity data embedded',
-        pattern: /(?:metadata|doc|document)\s*[:{][^}]*(?:ssn|socialSecurity|cardNumber|cvv|accountNum|insuranceId)/gi,
-        riskType: 'pii_leakage',
-        baseSeverity: 'critical',
-        description: 'Highly sensitive data (SSN, financial) in embedded documents. This is a compliance violation.',
-        suggestedFix: 'Never embed SSN, card numbers, or financial account data. Use tokenized references instead.',
-    },
-    // Patient/medical data in embeddings
-    {
-        name: 'PHI in embedded documents',
-        pattern: /(?:embed|metadata|doc)[^;]*(?:patientName|patientDob|patientSsn|medicalRecord|diagnosis)/gi,
-        riskType: 'pii_leakage',
-        baseSeverity: 'critical',
-        description: 'Protected Health Information (PHI) in embedded documents. HIPAA compliance violation.',
-        suggestedFix: 'Remove PHI before embedding. Use de-identification and tokenization for medical data.',
-    },
-    // Returning PII in search results
-    {
-        name: 'PII in retrieval response',
-        pattern: /return\s*(?:results\.map|docs\.map)[^}]*(?:email|phone|ssn|fullName|address)/gi,
-        riskType: 'pii_leakage',
-        baseSeverity: 'high',
-        description: 'PII fields returned in retrieval response. User PII may be exposed to unauthorized queries.',
-        suggestedFix: 'Filter PII from responses: return docs.map(d => ({ id: d.id, content: d.content })) // no PII',
-    },
-    // Direct metadata exposure with PII
-    {
-        name: 'Metadata with PII exposed in response',
-        pattern: /return\s*\{[^}]*metadata\.[^}]*(?:email|phone|ssn|name|address)/gi,
-        riskType: 'pii_leakage',
-        baseSeverity: 'high',
-        description: 'Document metadata containing PII exposed in response.',
-        suggestedFix: 'Filter metadata before returning. Only include non-sensitive fields.',
-    },
-];
-// ============================================================================
-// Phase 1 Enhancement Backlog: Advanced RAG Attack Detection
-// ============================================================================
-/**
- * Query Injection Patterns
- * Detects user queries used in retrieval without sanitization
- */
-const QUERY_INJECTION_PATTERNS = [
-    // User input directly in vector store query
-    {
-        name: 'User input directly in retrieval query',
-        pattern: /(?:vectorStore|retriever|index|collection)\.(?:query|invoke|search|similaritySearch)\s*\(\s*(?:req\.|user\.|input\.|body\.|params\.)/gi,
-        riskType: 'query_injection',
-        baseSeverity: 'high',
-        description: 'User input flows directly to vector store query without sanitization. Could manipulate retrieval results.',
-        suggestedFix: 'Validate and sanitize user queries: const sanitizedQuery = sanitizeQuery(userInput)',
-    },
-    // Query from request body without validation
-    {
-        name: 'Query from request body without validation',
-        pattern: /(?:const|let|var)\s*\{\s*query\s*\}.*(?:req\.body|req\.json|request\.body)[\s\S]{0,100}(?:search|query|retrieve|similaritySearch)/gi,
-        riskType: 'query_injection',
-        baseSeverity: 'medium',
-        description: 'Query destructured from request body and used in retrieval. Validate before use.',
-        suggestedFix: 'Add input validation: const { query } = validateSchema(req.body, querySchema)',
-    },
-    // Query template with user input interpolation
-    {
-        name: 'Query template with user input',
-        pattern: /(?:prompt|query|searchQuery)\s*=\s*[`'"].*\$\{.*(?:user|input|query|req).*\}.*[`'"]/gi,
-        riskType: 'query_injection',
-        baseSeverity: 'medium',
-        description: 'Query template interpolates user input. Could inject adversarial retrieval instructions.',
-        suggestedFix: 'Use parameterized queries or sanitize user input before interpolation.',
-    },
-    // Direct query passthrough in API
-    {
-        name: 'Query passthrough to vector store',
-        pattern: /app\.(?:post|get)\s*\([^)]+(?:search|query|retrieve)[^)]*\)[^{]*\{[^}]*(?:vectorStore|retriever)\.(?:query|search)\s*\(\s*(?:req|ctx)\.(?:body|query)/gi,
-        riskType: 'query_injection',
-        baseSeverity: 'high',
-        description: 'API endpoint passes request directly to vector store. No validation layer.',
-        suggestedFix: 'Add validation middleware. Sanitize and validate queries before retrieval.',
-    },
-    // No query length validation
-    {
-        name: 'Query without length validation',
-        pattern: /(?:query|search|retrieve)\s*\(\s*(?:userQuery|searchQuery|q)\s*\)(?![\s\S]{0,50}(?:\.length|\.trim\(\)|maxLength|minLength))/gi,
-        riskType: 'query_injection',
-        baseSeverity: 'low',
-        description: 'Query used without visible length validation. Consider adding bounds.',
-        suggestedFix: 'Add query length validation: if (query.length > MAX_QUERY_LENGTH) throw new Error("Query too long")',
-    },
-];
-/**
- * Embedding Poisoning Patterns
- * Detects adversarial document embedding vulnerabilities
- */
-const EMBEDDING_POISONING_PATTERNS = [
-    // User document embedded without validation
-    {
-        name: 'User document embedded without validation',
-        pattern: /(?:embed|embeddings?\.(?:create|embed|generate)|createEmbedding)[\s\S]{0,50}(?:user|req\.|upload|file)[\s\S]{0,80}(?:vectorStore|index)\.(?:add|upsert|insert)/gis,
-        riskType: 'embedding_poisoning',
-        baseSeverity: 'high',
-        description: 'User-provided documents embedded directly. Adversarial content could poison retrieval.',
-        suggestedFix: 'Validate and sanitize user documents before embedding. Implement content classification.',
-    },
-    // Retrieval without similarity threshold
-    {
-        name: 'Retrieval without similarity threshold',
-        pattern: /similaritySearch\s*\(\s*[^,)]+\s*,\s*\d+\s*\)(?![\s\S]{0,50}(?:filter|threshold|score\s*>|minScore|scoreThreshold))/gi,
-        riskType: 'embedding_poisoning',
-        baseSeverity: 'medium',
-        description: 'Vector search without similarity threshold. Low-relevance adversarial content may be retrieved.',
-        suggestedFix: 'Add similarity threshold: similaritySearch(query, k, { scoreThreshold: 0.7 })',
-    },
-    // Batch embedding without deduplication
-    {
-        name: 'Batch embedding without duplicate detection',
-        pattern: /(?:for|forEach|map)\s*\([^)]+\)[\s\S]{0,100}(?:vectorStore|index)\.(?:add|upsert)(?![\s\S]{0,80}(?:exists|duplicate|similar|dedup))/gis,
-        riskType: 'embedding_poisoning',
-        baseSeverity: 'low',
-        description: 'Batch document embedding without duplicate detection. Attackers could flood corpus.',
-        suggestedFix: 'Check for duplicate or near-duplicate documents before embedding.',
-    },
-    // Dynamic embedding model selection
-    {
-        name: 'Dynamic embedding model from config',
-        pattern: /(?:embeddingModel|embeddings?)\s*=\s*(?:new\s+)?(?:config|options|params)\[?\s*['".]?(?:model|embedding)/gi,
-        riskType: 'embedding_poisoning',
-        baseSeverity: 'medium',
-        description: 'Embedding model selected from configuration. Malicious config could use compromised model.',
-        suggestedFix: 'Use hardcoded embedding model or validate against allowlist.',
-    },
-    // External URL content embedded
-    {
-        name: 'External URL content embedded directly',
-        pattern: /(?:fetch|axios\.get|httpx\.get)\s*\([^)]+\)[\s\S]{0,150}(?:embed|vectorStore\.add|index\.upsert)/gis,
-        riskType: 'embedding_poisoning',
-        baseSeverity: 'high',
-        description: 'Content from external URLs embedded without validation. Source could be compromised.',
-        suggestedFix: 'Validate URL source against allowlist. Sanitize fetched content before embedding.',
-    },
-];
-/**
- * Phase 6 Task 4: Cross-Tenant RAG Detection Patterns
- * Detect shared vector stores without tenant filtering that could leak data
- */
-const CROSS_TENANT_PATTERNS = [
-    // Shared vector store without tenant filter
-    {
-        name: 'Shared vector store without tenant filter',
-        pattern: /\b(?:vectorStore|index|collection)\s*=\s*(?:new\s+)?(?:PineconeStore|ChromaDB|Weaviate|Qdrant|Milvus|PGVector|VectorStore)\s*\([^)]*\)(?![\s\S]{0,100}(?:filter|where|tenant|user|org|namespace))/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'high',
-        description: 'Vector store initialized without tenant filtering. In multi-tenant applications, this could leak data across tenants.',
-        suggestedFix: 'Always include tenant/user ID in vector store configuration or filters: new VectorStore({ namespace: tenantId })',
-    },
-    // Query without tenant in metadata filter
-    {
-        name: 'Vector query missing tenant filter',
-        pattern: /\.(?:query|search|similaritySearch)\s*\(\s*[^,)]+(?:,\s*\{[^}]*\})?\s*\)(?![\s\S]{0,80}(?:tenantId|tenant_id|orgId|org_id|userId|user_id|namespace))/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'high',
-        description: 'Vector store query without tenant filtering. Results may include documents from other tenants.',
-        suggestedFix: 'Add tenant filter to query: .query(q, { filter: { tenantId: ctx.tenant.id } })',
-    },
-    // Global index access pattern
-    {
-        name: 'Global index without scoping',
-        pattern: /(?:const|let|var)\s+(?:index|vectorIndex|searchIndex)\s*=\s*(?:await\s+)?(?:getIndex|loadIndex|connectIndex|initializeIndex)\s*\(\s*(?:['"`][^'"`]+['"`])?\s*\)(?![\s\S]{0,50}(?:tenant|user|org|scope))/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'medium',
-        description: 'Global index loaded without tenant scoping. Consider using tenant-specific indexes or namespaces.',
-        suggestedFix: 'Use tenant-scoped index: const index = await getIndex(tenantId) or use namespace parameter',
-    },
-    // Multi-tenant store without isolation
-    {
-        name: 'Multi-tenant store missing isolation',
-        pattern: /(?:multiTenant|shared|global)(?:Store|Index|Collection)\s*\.(?:query|search|add|upsert)(?![\s\S]{0,80}(?:tenantId|tenant_id|isolate|partition|namespace))/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'critical',
-        description: 'Multi-tenant store accessed without tenant isolation. Data from all tenants is accessible.',
-        suggestedFix: 'Always pass tenant identifier: multiTenantStore.query(q, { tenantId })',
-    },
-    // Embedding documents without tenant metadata
-    {
-        name: 'Document embedded without tenant metadata',
-        pattern: /\.(?:addDocuments|upsert|add)\s*\(\s*\[?\s*\{[^}]*(?:content|text|pageContent)[^}]*\}(?![^}]*(?:tenantId|tenant_id|orgId|organizationId|userId|user_id))/gi,
-        riskType: 'corpus_poisoning',
-        baseSeverity: 'high',
-        description: 'Documents embedded without tenant metadata. Without tenant ID, documents cannot be filtered per-tenant.',
-        suggestedFix: 'Include tenant ID in document metadata: { content, metadata: { tenantId: ctx.tenant.id } }',
-    },
-    // Retriever without tenant context
-    {
-        name: 'Retriever created without tenant context',
-        pattern: /(?:asRetriever|createRetriever|getRetriever)\s*\(\s*(?:\{[^}]*\})?\s*\)(?![\s\S]{0,80}(?:filter|tenant|user|org|metadata))/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'medium',
-        description: 'Retriever created without tenant filtering configuration. Retrieved documents may cross tenant boundaries.',
-        suggestedFix: 'Configure retriever with tenant filter: vectorStore.asRetriever({ filter: { tenantId } })',
-    },
-    // Semantic search across all tenants
-    {
-        name: 'Semantic search without tenant restriction',
-        pattern: /semanticSearch\s*\(\s*[^,)]+\s*\)(?![\s\S]{0,50}(?:tenant|user|org|filter|where|scope))/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'high',
-        description: 'Semantic search without tenant restriction. Search results span all tenants.',
-        suggestedFix: 'Add tenant restriction: semanticSearch(query, { tenantId: ctx.tenant.id })',
-    },
-    // RAG chain without tenant context
-    {
-        name: 'RAG chain missing tenant context',
-        pattern: /(?:createRetrievalChain|RetrievalQAChain|ConversationalRetrievalChain)\.(?:fromLLM|from)?\s*\([^)]*\)(?![\s\S]{0,100}(?:filter|tenant|user|metadata))/gi,
-        riskType: 'unscoped_retrieval',
-        baseSeverity: 'medium',
-        description: 'RAG chain created without tenant context. Chain may retrieve documents from all tenants.',
-        suggestedFix: 'Pass tenant-filtered retriever to chain or add metadata filtering',
-    },
-];
-/**
- * Chunk Boundary Exploitation Patterns
- * Detects cross-chunk injection vulnerabilities
- */
-const CHUNK_INJECTION_PATTERNS = [
-    // User content chunked without per-chunk validation
-    {
-        name: 'User content chunked without validation',
-        pattern: /(?:splitter|textSplitter|chunker)\.(?:split|createDocuments|chunk)[\s\S]{0,50}(?:user|upload|req)[\s\S]{0,100}(?:vectorStore|index)\.(?:add|upsert)(?![\s\S]{0,50}(?:sanitize|validate|filter))/gis,
-        riskType: 'chunk_injection',
-        baseSeverity: 'medium',
-        description: 'User content split and embedded without per-chunk validation. Injection could span chunks.',
-        suggestedFix: 'Validate each chunk before embedding: chunks.map(c => sanitizeChunk(c))',
-    },
-    // Context joined without separators
-    {
-        name: 'Context chunks joined without separators',
-        pattern: /\.map\s*\([^)]*(?:pageContent|content|text)[^)]*\)\.join\s*\(\s*['"]['"]\s*\)/gi,
-        riskType: 'chunk_injection',
-        baseSeverity: 'low',
-        description: 'Retrieved chunks joined without separators. Adjacent chunk content could be misinterpreted.',
-        suggestedFix: 'Use clear separators: chunks.map(c => c.content).join("\\n---\\n")',
-    },
-    // Chunk metadata from user input
-    {
-        name: 'Chunk metadata from user input',
-        pattern: /(?:vectorStore|index)\.(?:add|upsert)[\s\S]{0,100}metadata\s*:\s*(?:user|req\.|input\.|body\.)/gi,
-        riskType: 'chunk_injection',
-        baseSeverity: 'medium',
-        description: 'Chunk metadata derived from user input. Could inject malicious metadata for filtering.',
-        suggestedFix: 'Generate metadata server-side. Validate any user-provided metadata fields.',
-    },
-    // No chunk size limits
-    {
-        name: 'Chunking without size validation',
-        pattern: /(?:splitter|textSplitter)\.(?:split|createDocuments)\s*\(\s*(?:content|text|document)(?![\s\S]{0,50}(?:maxChunkSize|chunkSize|maxLength))/gi,
-        riskType: 'chunk_injection',
-        baseSeverity: 'low',
-        description: 'Text splitting without explicit size limits. Very long inputs could cause issues.',
-        suggestedFix: 'Configure chunk size limits: new TextSplitter({ chunkSize: 1000, chunkOverlap: 200 })',
-    },
-    // Overlapping chunks with user content
-    {
-        name: 'Large chunk overlap with user content',
-        pattern: /(?:chunkOverlap|overlap)\s*[:=]\s*(?:\d{3,}|[a-zA-Z])[\s\S]{0,100}(?:user|upload)/gi,
-        riskType: 'chunk_injection',
-        baseSeverity: 'low',
-        description: 'Large chunk overlap configured. User-injected content could appear in multiple chunks.',
-        suggestedFix: 'Use reasonable overlap (10-20% of chunk size). Validate user content before chunking.',
-    },
-];
-// ============================================================================
-// Main Detection Function
-// ============================================================================
-/**
- * Map risk type to vulnerability category
- */
-function mapRiskTypeToCategory(riskType) {
-    switch (riskType) {
-        case 'corpus_poisoning':
-            return 'ai_rag_corpus_poisoning';
-        case 'pii_leakage':
-            return 'ai_rag_pii_leakage';
-        case 'query_injection':
-            return 'ai_rag_query_injection';
-        case 'embedding_poisoning':
-            return 'ai_rag_embedding_poisoning';
-        case 'chunk_injection':
-            return 'ai_rag_chunk_injection';
-        default:
-            return 'ai_rag_exfiltration';
-    }
-}
-/**
- * Main detection function for RAG data safety issues
- */
-function detectRAGSafetyIssues(content, filePath, options) {
-    const vulnerabilities = [];
-    // Skip non-applicable files
-    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
-        return vulnerabilities;
-    if ((0, file_classifier_1.isDocumentationFile)(filePath))
-        return vulnerabilities;
-    // Only scan files in RAG context
-    if (!isRAGContextFile(filePath, content)) {
-        return vulnerabilities;
-    }
-    const lines = options?.parsed?.lines ?? content.split('\n');
-    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
-    const isExample = (0, file_classifier_1.isExampleDirectory)(filePath);
-    const isLibrary = (0, file_classifier_1.isLibraryCode)(filePath);
-    const hasAuth = hasAuthenticationInContext(content);
-    // Process all pattern categories
-    const allPatterns = [
-        ...UNSCOPED_RETRIEVAL_PATTERNS,
-        ...CONTEXT_EXPOSURE_PATTERNS,
-        ...CONTEXT_LOGGING_PATTERNS,
-        // AI Detection Roadmap Phase 1
-        ...CORPUS_POISONING_PATTERNS,
-        ...PII_LEAKAGE_PATTERNS,
-        // Phase 1 Enhancement Backlog
-        ...QUERY_INJECTION_PATTERNS,
-        ...EMBEDDING_POISONING_PATTERNS,
-        ...CHUNK_INJECTION_PATTERNS,
-        // Phase 6: Cross-tenant detection
-        ...CROSS_TENANT_PATTERNS,
-    ];
-    for (const pattern of allPatterns) {
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            const lineNumber = content.substring(0, match.index).split('\n').length;
-            const lineContent = lines[lineNumber - 1]?.trim() || '';
-            // Skip comments
-            if ((0, file_classifier_1.isComment)(lineContent))
-                continue;
-            // Skip generic query patterns (req.query, searchParams, etc.)
-            if (isGenericQueryPattern(lineContent))
-                continue;
-            // Get surrounding context for analysis
-            const context = getSurroundingContext(content, lineNumber - 1, 25);
-            // Calculate severity based on context
-            let severity = pattern.baseSeverity;
-            let description = pattern.description;
-            const notes = [];
-            // Apply context-aware severity adjustments
-            if (pattern.riskType === 'unscoped_retrieval') {
-                // Check for access control in surrounding context
-                if (hasAccessControlScoping(context)) {
-                    severity = 'info';
-                    notes.push('Access control scoping detected nearby');
-                }
-                else if (!hasAuth) {
-                    // No auth at all - higher risk
-                    if (severity === 'medium')
-                        severity = 'high';
-                    notes.push('No authentication detected in this file');
-                }
-            }
-            if (pattern.riskType === 'context_exposure') {
-                // Check if response is filtered
-                if (hasResponseFiltering(context)) {
-                    severity = 'info';
-                    notes.push('Response filtering detected');
-                }
-                else if (!hasAuth) {
-                    // Unauthenticated endpoint exposing context - higher risk
-                    if (severity === 'medium')
-                        severity = 'high';
-                    notes.push('Endpoint may be unauthenticated');
-                }
-            }
-            // Corpus poisoning - check for sanitization
-            if (pattern.riskType === 'corpus_poisoning') {
-                // Check for content sanitization in context
-                if (/sanitize|validate|filter|clean|strip/i.test(context)) {
-                    severity = 'info';
-                    notes.push('Content sanitization detected nearby');
-                }
-                // Check for content classification/scanning
-                if (/classify|scan|detect|check.*injection/i.test(context)) {
-                    severity = 'info';
-                    notes.push('Content scanning detected');
-                }
-            }
-            // PII leakage - critical data types remain high severity
-            if (pattern.riskType === 'pii_leakage') {
-                // Check for PII redaction/masking
-                if (/redact|mask|anonymize|deidentify|tokenize/i.test(context)) {
-                    severity = 'info';
-                    notes.push('PII redaction detected');
-                }
-                // SSN, CVV, and PHI patterns remain critical regardless of context
-                if (/ssn|cvv|patient/i.test(pattern.name.toLowerCase())) {
-                    // Keep severity high/critical for these
-                }
-            }
-            // Query injection - check for input validation
-            if (pattern.riskType === 'query_injection') {
-                // Check for input validation/sanitization
-                if (/sanitize|validate|clean|escape|zod|schema\.parse|safeParse/i.test(context)) {
-                    severity = 'low';
-                    notes.push('Input validation detected nearby');
-                }
-                // Check for query length/bounds validation
-                if (/maxLength|minLength|\.length\s*[<>]|slice\s*\(\s*0/i.test(context)) {
-                    if (severity === 'high')
-                        severity = 'medium';
-                    notes.push('Length validation detected');
-                }
-                // Check for rate limiting
-                if (/rateLimit|throttle|limiter/i.test(context)) {
-                    if (severity === 'high')
-                        severity = 'medium';
-                    notes.push('Rate limiting detected');
-                }
-            }
-            // Embedding poisoning - check for content validation
-            if (pattern.riskType === 'embedding_poisoning') {
-                // Check for content sanitization
-                if (/sanitize|validate|filter|clean|strip|scan/i.test(context)) {
-                    severity = 'low';
-                    notes.push('Content validation detected nearby');
-                }
-                // Check for content classification
-                if (/classify|moderation|detect.*injection|contentFilter/i.test(context)) {
-                    severity = 'info';
-                    notes.push('Content classification detected');
-                }
-                // Check for similarity threshold
-                if (/threshold|scoreThreshold|minScore|score\s*>/i.test(context)) {
-                    if (severity === 'medium')
-                        severity = 'low';
-                    notes.push('Similarity threshold configured');
-                }
-            }
-            // Chunk injection - check for chunk validation
-            if (pattern.riskType === 'chunk_injection') {
-                // Check for per-chunk validation
-                if (/chunks?\.map\s*\([^)]*sanitize|validate.*chunk|chunk.*validate/i.test(context)) {
-                    severity = 'info';
-                    notes.push('Chunk validation detected');
-                }
-                // Check for separator usage
-                if (/separator|delimiter|join\s*\(\s*['"][^'"]{2,}['"]\s*\)/i.test(context)) {
-                    if (severity === 'low')
-                        severity = 'info';
-                    notes.push('Chunk separators detected');
-                }
-                // Check for metadata sanitization
-                if (/metadata\s*[:=]\s*\{[^}]*(?:id|type|source)[^}]*\}/i.test(context)) {
-                    if (severity === 'medium')
-                        severity = 'low';
-                    notes.push('Server-generated metadata pattern');
-                }
-            }
-            // Downgrade test files
-            if (isTestFile) {
-                severity = 'info';
-                notes.push('in test file');
-            }
-            // Downgrade example/demo directories
-            if (isExample && severity !== 'info') {
-                severity = 'info';
-                notes.push('in example/demo directory');
-            }
-            // Downgrade library code - base classes are intentionally generic
-            if (isLibrary && severity !== 'info') {
-                severity = 'info';
-                notes.push('library code - consumers add access controls');
-            }
-            // Build final description
-            if (notes.length > 0) {
-                description += ` (${notes.join('; ')})`;
-            }
-            vulnerabilities.push({
-                id: `ai-rag-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-                filePath,
-                lineNumber,
-                lineContent,
-                severity,
-                category: mapRiskTypeToCategory(pattern.riskType),
-                title: pattern.name,
-                description,
-                suggestedFix: pattern.suggestedFix,
-                confidence: severity === 'info' ? 'low' : 'medium',
-                layer: 2,
-                source: 'ai_code',
-                requiresAIValidation: severity !== 'info' && pattern.riskType !== 'context_logging',
-                baseConfidence: BASE_CONFIDENCE,
-            });
-        }
-    }
-    return vulnerabilities;
-}
-//# sourceMappingURL=rag-safety.js.map