npm - @oculum/scanner - Versions diffs - 1.0.14 → 1.0.15 - Mend

@oculum/scanner 1.0.14 → 1.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1323) hide show

package/dist/detect/ai-code/index.d.ts +6 -11
package/dist/detect/ai-code/index.d.ts.map +1 -1
package/dist/detect/ai-code/index.js +6 -24
package/dist/detect/ai-code/index.js.map +1 -1
package/dist/detect/ast-rules/agent-tools-ast.d.ts +14 -0
package/dist/detect/ast-rules/agent-tools-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/agent-tools-ast.js +809 -0
package/dist/detect/ast-rules/agent-tools-ast.js.map +1 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts +14 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.js +344 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.js.map +1 -0
package/dist/detect/ast-rules/auth-patterns-ast.d.ts +14 -0
package/dist/detect/ast-rules/auth-patterns-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/auth-patterns-ast.js +280 -0
package/dist/detect/ast-rules/auth-patterns-ast.js.map +1 -0
package/dist/detect/ast-rules/byok-ast.d.ts +13 -0
package/dist/detect/ast-rules/byok-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/byok-ast.js +180 -0
package/dist/detect/ast-rules/byok-ast.js.map +1 -0
package/dist/detect/ast-rules/child-process-ast.d.ts +13 -0
package/dist/detect/ast-rules/child-process-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/child-process-ast.js +252 -0
package/dist/detect/ast-rules/child-process-ast.js.map +1 -0
package/dist/detect/ast-rules/dangerous-eval-ast.d.ts +13 -0
package/dist/detect/ast-rules/dangerous-eval-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/dangerous-eval-ast.js +218 -0
package/dist/detect/ast-rules/dangerous-eval-ast.js.map +1 -0
package/dist/detect/ast-rules/data-exposure-ast.d.ts +13 -0
package/dist/detect/ast-rules/data-exposure-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/data-exposure-ast.js +158 -0
package/dist/detect/ast-rules/data-exposure-ast.js.map +1 -0
package/dist/detect/ast-rules/dom-xss-ast.d.ts +14 -0
package/dist/detect/ast-rules/dom-xss-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/dom-xss-ast.js +217 -0
package/dist/detect/ast-rules/dom-xss-ast.js.map +1 -0
package/dist/detect/ast-rules/endpoint-protection-ast.d.ts +13 -0
package/dist/detect/ast-rules/endpoint-protection-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/endpoint-protection-ast.js +228 -0
package/dist/detect/ast-rules/endpoint-protection-ast.js.map +1 -0
package/dist/detect/ast-rules/entropy-ast.d.ts +17 -0
package/dist/detect/ast-rules/entropy-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/entropy-ast.js +265 -0
package/dist/detect/ast-rules/entropy-ast.js.map +1 -0
package/dist/detect/ast-rules/flask-debug-ast.d.ts +10 -0
package/dist/detect/ast-rules/flask-debug-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/flask-debug-ast.js +125 -0
package/dist/detect/ast-rules/flask-debug-ast.js.map +1 -0
package/dist/detect/ast-rules/framework-checks-ast.d.ts +13 -0
package/dist/detect/ast-rules/framework-checks-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/framework-checks-ast.js +185 -0
package/dist/detect/ast-rules/framework-checks-ast.js.map +1 -0
package/dist/detect/ast-rules/helpers/call-analysis.d.ts +62 -0
package/dist/detect/ast-rules/helpers/call-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/call-analysis.js +217 -0
package/dist/detect/ast-rules/helpers/call-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/context-detection.d.ts +33 -0
package/dist/detect/ast-rules/helpers/context-detection.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/context-detection.js +256 -0
package/dist/detect/ast-rules/helpers/context-detection.js.map +1 -0
package/dist/detect/ast-rules/helpers/control-flow.d.ts +40 -0
package/dist/detect/ast-rules/helpers/control-flow.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/control-flow.js +174 -0
package/dist/detect/ast-rules/helpers/control-flow.js.map +1 -0
package/dist/detect/ast-rules/helpers/import-analysis.d.ts +43 -0
package/dist/detect/ast-rules/helpers/import-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/import-analysis.js +149 -0
package/dist/detect/ast-rules/helpers/import-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/index.d.ts +16 -0
package/dist/detect/ast-rules/helpers/index.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/index.js +112 -0
package/dist/detect/ast-rules/helpers/index.js.map +1 -0
package/dist/detect/ast-rules/helpers/python-helpers.d.ts +215 -0
package/dist/detect/ast-rules/helpers/python-helpers.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/python-helpers.js +935 -0
package/dist/detect/ast-rules/helpers/python-helpers.js.map +1 -0
package/dist/detect/ast-rules/helpers/scope-analysis.d.ts +50 -0
package/dist/detect/ast-rules/helpers/scope-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/scope-analysis.js +194 -0
package/dist/detect/ast-rules/helpers/scope-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/string-analysis.d.ts +57 -0
package/dist/detect/ast-rules/helpers/string-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/string-analysis.js +184 -0
package/dist/detect/ast-rules/helpers/string-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/type-extraction.d.ts +44 -0
package/dist/detect/ast-rules/helpers/type-extraction.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/type-extraction.js +125 -0
package/dist/detect/ast-rules/helpers/type-extraction.js.map +1 -0
package/dist/detect/ast-rules/helpers/user-input.d.ts +35 -0
package/dist/detect/ast-rules/helpers/user-input.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/user-input.js +243 -0
package/dist/detect/ast-rules/helpers/user-input.js.map +1 -0
package/dist/detect/ast-rules/index.d.ts +112 -0
package/dist/detect/ast-rules/index.d.ts.map +1 -0
package/dist/detect/ast-rules/index.js +232 -0
package/dist/detect/ast-rules/index.js.map +1 -0
package/dist/detect/ast-rules/json-parse-ast.d.ts +13 -0
package/dist/detect/ast-rules/json-parse-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/json-parse-ast.js +143 -0
package/dist/detect/ast-rules/json-parse-ast.js.map +1 -0
package/dist/detect/ast-rules/log-injection-ast.d.ts +14 -0
package/dist/detect/ast-rules/log-injection-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/log-injection-ast.js +235 -0
package/dist/detect/ast-rules/log-injection-ast.js.map +1 -0
package/dist/detect/ast-rules/logic-gates-ast.d.ts +14 -0
package/dist/detect/ast-rules/logic-gates-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/logic-gates-ast.js +312 -0
package/dist/detect/ast-rules/logic-gates-ast.js.map +1 -0
package/dist/detect/ast-rules/mcp-security-ast.d.ts +14 -0
package/dist/detect/ast-rules/mcp-security-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/mcp-security-ast.js +755 -0
package/dist/detect/ast-rules/mcp-security-ast.js.map +1 -0
package/dist/detect/ast-rules/model-supply-chain-ast.d.ts +13 -0
package/dist/detect/ast-rules/model-supply-chain-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/model-supply-chain-ast.js +188 -0
package/dist/detect/ast-rules/model-supply-chain-ast.js.map +1 -0
package/dist/detect/ast-rules/package-hallucination-ast.d.ts +13 -0
package/dist/detect/ast-rules/package-hallucination-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/package-hallucination-ast.js +607 -0
package/dist/detect/ast-rules/package-hallucination-ast.js.map +1 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts +15 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.js +332 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.js.map +1 -0
package/dist/detect/ast-rules/rag-safety-ast.d.ts +18 -0
package/dist/detect/ast-rules/rag-safety-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/rag-safety-ast.js +640 -0
package/dist/detect/ast-rules/rag-safety-ast.js.map +1 -0
package/dist/detect/ast-rules/request-validation-ast.d.ts +13 -0
package/dist/detect/ast-rules/request-validation-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/request-validation-ast.js +116 -0
package/dist/detect/ast-rules/request-validation-ast.js.map +1 -0
package/dist/detect/ast-rules/risky-imports-ast.d.ts +14 -0
package/dist/detect/ast-rules/risky-imports-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/risky-imports-ast.js +114 -0
package/dist/detect/ast-rules/risky-imports-ast.js.map +1 -0
package/dist/detect/ast-rules/schema-validation-ast.d.ts +14 -0
package/dist/detect/ast-rules/schema-validation-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/schema-validation-ast.js +233 -0
package/dist/detect/ast-rules/schema-validation-ast.js.map +1 -0
package/dist/detect/ast-rules/secret-patterns-ast.d.ts +17 -0
package/dist/detect/ast-rules/secret-patterns-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/secret-patterns-ast.js +199 -0
package/dist/detect/ast-rules/secret-patterns-ast.js.map +1 -0
package/dist/detect/ast-rules/security-headers-ast.d.ts +14 -0
package/dist/detect/ast-rules/security-headers-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/security-headers-ast.js +187 -0
package/dist/detect/ast-rules/security-headers-ast.js.map +1 -0
package/dist/detect/ast-rules/sql-injection-ast.d.ts +17 -0
package/dist/detect/ast-rules/sql-injection-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/sql-injection-ast.js +497 -0
package/dist/detect/ast-rules/sql-injection-ast.js.map +1 -0
package/dist/detect/ast-rules/ssrf-ast.d.ts +14 -0
package/dist/detect/ast-rules/ssrf-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/ssrf-ast.js +573 -0
package/dist/detect/ast-rules/ssrf-ast.js.map +1 -0
package/dist/detect/ast-rules/taint-fix-templates.d.ts +18 -0
package/dist/detect/ast-rules/taint-fix-templates.d.ts.map +1 -0
package/dist/detect/ast-rules/taint-fix-templates.js +92 -0
package/dist/detect/ast-rules/taint-fix-templates.js.map +1 -0
package/dist/detect/ast-rules/taint-flow-ast.d.ts +24 -0
package/dist/detect/ast-rules/taint-flow-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/taint-flow-ast.js +340 -0
package/dist/detect/ast-rules/taint-flow-ast.js.map +1 -0
package/dist/detect/ast-rules/variables-ast.d.ts +24 -0
package/dist/detect/ast-rules/variables-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/variables-ast.js +362 -0
package/dist/detect/ast-rules/variables-ast.js.map +1 -0
package/dist/detect/ast-rules/weak-crypto-ast.d.ts +15 -0
package/dist/detect/ast-rules/weak-crypto-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/weak-crypto-ast.js +406 -0
package/dist/detect/ast-rules/weak-crypto-ast.js.map +1 -0
package/dist/detect/ast-rules/xxe-ast.d.ts +13 -0
package/dist/detect/ast-rules/xxe-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/xxe-ast.js +157 -0
package/dist/detect/ast-rules/xxe-ast.js.map +1 -0
package/dist/detect/config/agent-skill-injection.d.ts.map +1 -1
package/dist/detect/config/agent-skill-injection.js +2 -24
package/dist/detect/config/agent-skill-injection.js.map +1 -1
package/dist/detect/config/index.d.ts +1 -0
package/dist/detect/config/index.d.ts.map +1 -1
package/dist/detect/config/index.js +3 -1
package/dist/detect/config/index.js.map +1 -1
package/dist/detect/config/osv-check.d.ts.map +1 -1
package/dist/detect/config/osv-check.js +6 -1
package/dist/detect/config/osv-check.js.map +1 -1
package/dist/detect/config/package-check.d.ts.map +1 -1
package/dist/detect/config/package-check.js +6 -1
package/dist/detect/config/package-check.js.map +1 -1
package/dist/detect/config/rules-file-backdoor.d.ts +36 -0
package/dist/detect/config/rules-file-backdoor.d.ts.map +1 -0
package/dist/detect/config/rules-file-backdoor.js +379 -0
package/dist/detect/config/rules-file-backdoor.js.map +1 -0
package/dist/detect/index.d.ts +43 -6
package/dist/detect/index.d.ts.map +1 -1
package/dist/detect/index.js +70 -7
package/dist/detect/index.js.map +1 -1
package/dist/detect/secrets/config-audit.d.ts.map +1 -1
package/dist/detect/secrets/config-audit.js +36 -3
package/dist/detect/secrets/config-audit.js.map +1 -1
package/dist/detect/secrets/entropy.d.ts.map +1 -1
package/dist/detect/secrets/entropy.js +180 -0
package/dist/detect/secrets/entropy.js.map +1 -1
package/dist/detect/secrets/index.d.ts +0 -2
package/dist/detect/secrets/index.d.ts.map +1 -1
package/dist/detect/secrets/index.js +7 -17
package/dist/detect/secrets/index.js.map +1 -1
package/dist/detect/structural/index.d.ts +15 -28
package/dist/detect/structural/index.d.ts.map +1 -1
package/dist/detect/structural/index.js +20 -497
package/dist/detect/structural/index.js.map +1 -1
package/dist/index.d.ts +3 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +9 -1
package/dist/index.js.map +1 -1
package/dist/model/auth-helper-detector.d.ts.map +1 -1
package/dist/model/auth-helper-detector.js +2 -7
package/dist/model/auth-helper-detector.js.map +1 -1
package/dist/model/import-resolver.d.ts.map +1 -1
package/dist/model/import-resolver.js +94 -0
package/dist/model/import-resolver.js.map +1 -1
package/dist/model/imported-auth-detector.js +8 -8
package/dist/model/imported-auth-detector.js.map +1 -1
package/dist/model/index.d.ts +8 -0
package/dist/model/index.d.ts.map +1 -1
package/dist/model/index.js +198 -73
package/dist/model/index.js.map +1 -1
package/dist/model/module-graph.d.ts.map +1 -1
package/dist/model/module-graph.js +22 -9
package/dist/model/module-graph.js.map +1 -1
package/dist/model/project-context.d.ts +1 -1
package/dist/model/project-context.d.ts.map +1 -1
package/dist/model/project-context.js +34 -0
package/dist/model/project-context.js.map +1 -1
package/dist/model/route-auth-resolver.d.ts.map +1 -1
package/dist/model/route-auth-resolver.js +17 -2
package/dist/model/route-auth-resolver.js.map +1 -1
package/dist/model/route-discovery/index.js +1 -1
package/dist/model/route-discovery/index.js.map +1 -1
package/dist/model/route-discovery/nextjs.js +1 -1
package/dist/model/route-discovery/nextjs.js.map +1 -1
package/dist/model/route-discovery/python.d.ts +6 -3
package/dist/model/route-discovery/python.d.ts.map +1 -1
package/dist/model/route-discovery/python.js +132 -9
package/dist/model/route-discovery/python.js.map +1 -1
package/dist/model/route-discovery/types.d.ts +1 -1
package/dist/model/route-discovery/types.d.ts.map +1 -1
package/dist/model/route-discovery/utils.d.ts +8 -0
package/dist/model/route-discovery/utils.d.ts.map +1 -1
package/dist/model/route-discovery/utils.js +70 -0
package/dist/model/route-discovery/utils.js.map +1 -1
package/dist/model/taint-types.d.ts +0 -4
package/dist/model/taint-types.d.ts.map +1 -1
package/dist/parse/ast.d.ts +58 -0
package/dist/parse/ast.d.ts.map +1 -0
package/dist/parse/ast.js +230 -0
package/dist/parse/ast.js.map +1 -0
package/dist/parse/call-graph.d.ts +41 -0
package/dist/parse/call-graph.d.ts.map +1 -0
package/dist/parse/call-graph.js +386 -0
package/dist/parse/call-graph.js.map +1 -0
package/dist/parse/file-classifier.d.ts +11 -0
package/dist/parse/file-classifier.d.ts.map +1 -1
package/dist/parse/file-classifier.js +63 -15
package/dist/parse/file-classifier.js.map +1 -1
package/dist/parse/node-index.d.ts +32 -0
package/dist/parse/node-index.d.ts.map +1 -0
package/dist/parse/node-index.js +103 -0
package/dist/parse/node-index.js.map +1 -0
package/dist/parse/type-extractor.d.ts +50 -0
package/dist/parse/type-extractor.d.ts.map +1 -0
package/dist/parse/type-extractor.js +243 -0
package/dist/parse/type-extractor.js.map +1 -0
package/dist/pipeline/config.d.ts +7 -1
package/dist/pipeline/config.d.ts.map +1 -1
package/dist/pipeline/config.js.map +1 -1
package/dist/pipeline/index.d.ts +3 -3
package/dist/pipeline/index.d.ts.map +1 -1
package/dist/pipeline/index.js +192 -64
package/dist/pipeline/index.js.map +1 -1
package/dist/pipeline/modes/incremental.d.ts.map +1 -1
package/dist/pipeline/modes/incremental.js +2 -7
package/dist/pipeline/modes/incremental.js.map +1 -1
package/dist/postprocess/dedup.d.ts +5 -2
package/dist/postprocess/dedup.d.ts.map +1 -1
package/dist/postprocess/dedup.js +47 -16
package/dist/postprocess/dedup.js.map +1 -1
package/dist/report/build-result.d.ts +9 -4
package/dist/report/build-result.d.ts.map +1 -1
package/dist/report/build-result.js +15 -4
package/dist/report/build-result.js.map +1 -1
package/dist/report/formatters/cli-terminal.d.ts +1 -1
package/dist/report/formatters/cli-terminal.d.ts.map +1 -1
package/dist/report/formatters/cli-terminal.js +434 -231
package/dist/report/formatters/cli-terminal.js.map +1 -1
package/dist/report/sanitize.d.ts +10 -0
package/dist/report/sanitize.d.ts.map +1 -0
package/dist/report/sanitize.js +19 -0
package/dist/report/sanitize.js.map +1 -0
package/dist/score/adjustments.d.ts +20 -2
package/dist/score/adjustments.d.ts.map +1 -1
package/dist/score/adjustments.js +108 -37
package/dist/score/adjustments.js.map +1 -1
package/dist/score/confidence.d.ts +6 -0
package/dist/score/confidence.d.ts.map +1 -1
package/dist/score/confidence.js +10 -4
package/dist/score/confidence.js.map +1 -1
package/dist/score/evidence.d.ts +25 -0
package/dist/score/evidence.d.ts.map +1 -0
package/dist/score/evidence.js +51 -0
package/dist/score/evidence.js.map +1 -0
package/dist/score/index.d.ts +3 -1
package/dist/score/index.d.ts.map +1 -1
package/dist/score/index.js +25 -50
package/dist/score/index.js.map +1 -1
package/dist/score/types.d.ts +5 -1
package/dist/score/types.d.ts.map +1 -1
package/dist/shared/category-filter.d.ts.map +1 -1
package/dist/shared/category-filter.js +12 -0
package/dist/shared/category-filter.js.map +1 -1
package/dist/shared/regex-utils.d.ts +3 -0
package/dist/shared/regex-utils.d.ts.map +1 -0
package/dist/shared/regex-utils.js +8 -0
package/dist/shared/regex-utils.js.map +1 -0
package/dist/shared/registry-clients.d.ts +7 -0
package/dist/shared/registry-clients.d.ts.map +1 -1
package/dist/shared/registry-clients.js +94 -17
package/dist/shared/registry-clients.js.map +1 -1
package/dist/shared/rules/metadata.d.ts.map +1 -1
package/dist/shared/rules/metadata.js +17 -0
package/dist/shared/rules/metadata.js.map +1 -1
package/dist/shared/types.d.ts +59 -15
package/dist/shared/types.d.ts.map +1 -1
package/dist/shared/types.js +38 -21
package/dist/shared/types.js.map +1 -1
package/dist/taint/async-flow.d.ts +44 -0
package/dist/taint/async-flow.d.ts.map +1 -0
package/dist/taint/async-flow.js +271 -0
package/dist/taint/async-flow.js.map +1 -0
package/dist/taint/cfg-builder.d.ts +35 -0
package/dist/taint/cfg-builder.d.ts.map +1 -0
package/dist/taint/cfg-builder.js +980 -0
package/dist/taint/cfg-builder.js.map +1 -0
package/dist/taint/cfg-types.d.ts +76 -0
package/dist/taint/cfg-types.d.ts.map +1 -0
package/dist/taint/cfg-types.js +13 -0
package/dist/taint/cfg-types.js.map +1 -0
package/dist/taint/constant-propagation.d.ts +34 -0
package/dist/taint/constant-propagation.d.ts.map +1 -0
package/dist/taint/constant-propagation.js +164 -0
package/dist/taint/constant-propagation.js.map +1 -0
package/dist/taint/cross-file-analyzer.d.ts +27 -0
package/dist/taint/cross-file-analyzer.d.ts.map +1 -0
package/dist/taint/cross-file-analyzer.js +99 -0
package/dist/taint/cross-file-analyzer.js.map +1 -0
package/dist/taint/cross-file-index.d.ts +59 -0
package/dist/taint/cross-file-index.d.ts.map +1 -0
package/dist/taint/cross-file-index.js +183 -0
package/dist/taint/cross-file-index.js.map +1 -0
package/dist/taint/def-use.d.ts +27 -0
package/dist/taint/def-use.d.ts.map +1 -0
package/dist/taint/def-use.js +519 -0
package/dist/taint/def-use.js.map +1 -0
package/dist/taint/file-analysis-cache.d.ts +47 -0
package/dist/taint/file-analysis-cache.d.ts.map +1 -0
package/dist/taint/file-analysis-cache.js +107 -0
package/dist/taint/file-analysis-cache.js.map +1 -0
package/dist/taint/framework-models.d.ts +77 -0
package/dist/taint/framework-models.d.ts.map +1 -0
package/dist/taint/framework-models.js +258 -0
package/dist/taint/framework-models.js.map +1 -0
package/dist/taint/helpers.d.ts +31 -0
package/dist/taint/helpers.d.ts.map +1 -0
package/dist/taint/helpers.js +130 -0
package/dist/taint/helpers.js.map +1 -0
package/dist/taint/index.d.ts +28 -0
package/dist/taint/index.d.ts.map +1 -0
package/dist/taint/index.js +77 -0
package/dist/taint/index.js.map +1 -0
package/dist/taint/llm-registry.d.ts +47 -0
package/dist/taint/llm-registry.d.ts.map +1 -0
package/dist/taint/llm-registry.js +152 -0
package/dist/taint/llm-registry.js.map +1 -0
package/dist/taint/llm-risk-scoring.d.ts +54 -0
package/dist/taint/llm-risk-scoring.d.ts.map +1 -0
package/dist/taint/llm-risk-scoring.js +376 -0
package/dist/taint/llm-risk-scoring.js.map +1 -0
package/dist/taint/propagation-types.d.ts +104 -0
package/dist/taint/propagation-types.d.ts.map +1 -0
package/dist/taint/propagation-types.js +98 -0
package/dist/taint/propagation-types.js.map +1 -0
package/dist/taint/propagation.d.ts +111 -0
package/dist/taint/propagation.d.ts.map +1 -0
package/dist/taint/propagation.js +1576 -0
package/dist/taint/propagation.js.map +1 -0
package/dist/taint/sanitizer-registry.d.ts +26 -0
package/dist/taint/sanitizer-registry.d.ts.map +1 -0
package/dist/taint/sanitizer-registry.js +422 -0
package/dist/taint/sanitizer-registry.js.map +1 -0
package/dist/taint/sink-classifier.d.ts +27 -0
package/dist/taint/sink-classifier.d.ts.map +1 -0
package/dist/taint/sink-classifier.js +1166 -0
package/dist/taint/sink-classifier.js.map +1 -0
package/dist/taint/source-classifier.d.ts +29 -0
package/dist/taint/source-classifier.d.ts.map +1 -0
package/dist/taint/source-classifier.js +814 -0
package/dist/taint/source-classifier.js.map +1 -0
package/dist/taint/taint-analyzer.d.ts +33 -0
package/dist/taint/taint-analyzer.d.ts.map +1 -0
package/dist/taint/taint-analyzer.js +88 -0
package/dist/taint/taint-analyzer.js.map +1 -0
package/dist/taint/taint-summary.d.ts +37 -0
package/dist/taint/taint-summary.d.ts.map +1 -0
package/dist/taint/taint-summary.js +293 -0
package/dist/taint/taint-summary.js.map +1 -0
package/dist/taint/types.d.ts +47 -0
package/dist/taint/types.d.ts.map +1 -0
package/dist/taint/types.js +19 -0
package/dist/taint/types.js.map +1 -0
package/dist/validate/clients.d.ts +2 -1
package/dist/validate/clients.d.ts.map +1 -1
package/dist/validate/clients.js +3 -2
package/dist/validate/clients.js.map +1 -1
package/dist/validate/index.d.ts +5 -6
package/dist/validate/index.d.ts.map +1 -1
package/dist/validate/index.js +22 -21
package/dist/validate/index.js.map +1 -1
package/dist/validate/prompts/modules/ai-patterns.d.ts +1 -1
package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -1
package/dist/validate/prompts/modules/ai-patterns.js +16 -0
package/dist/validate/prompts/modules/ai-patterns.js.map +1 -1
package/dist/validate/prompts/modules/common.d.ts +1 -1
package/dist/validate/prompts/modules/common.d.ts.map +1 -1
package/dist/validate/prompts/modules/common.js +12 -3
package/dist/validate/prompts/modules/common.js.map +1 -1
package/dist/validate/providers/anthropic.d.ts +4 -4
package/dist/validate/providers/anthropic.d.ts.map +1 -1
package/dist/validate/providers/anthropic.js +85 -58
package/dist/validate/providers/anthropic.js.map +1 -1
package/dist/validate/providers/openai.d.ts +4 -4
package/dist/validate/providers/openai.d.ts.map +1 -1
package/dist/validate/providers/openai.js +149 -99
package/dist/validate/providers/openai.js.map +1 -1
package/dist/validate/request-builder.d.ts +2 -8
package/dist/validate/request-builder.d.ts.map +1 -1
package/dist/validate/request-builder.js +4 -34
package/dist/validate/request-builder.js.map +1 -1
package/dist/validate/types.d.ts +9 -0
package/dist/validate/types.d.ts.map +1 -1
package/dist/validate/types.js.map +1 -1
package/dist/validate/utils/path-helpers.js +2 -2
package/dist/validate/utils/path-helpers.js.map +1 -1
package/dist/validate/utils/response-parser.d.ts +10 -0
package/dist/validate/utils/response-parser.d.ts.map +1 -1
package/dist/validate/utils/response-parser.js +21 -2
package/dist/validate/utils/response-parser.js.map +1 -1
package/dist/validate/utils/retry.d.ts.map +1 -1
package/dist/validate/utils/retry.js +19 -4
package/dist/validate/utils/retry.js.map +1 -1
package/package.json +7 -4
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1 -1
package/src/__tests__/benchmark/planted-benchmark.test.ts +337 -0
package/src/__tests__/benchmark/utils/test-runner.ts +38 -4
package/src/__tests__/category-filter.test.ts +5 -1
package/src/__tests__/context-engine/route-discovery/python.test.ts +726 -0
package/src/__tests__/detect/ast-rules.test.ts +1043 -0
package/src/__tests__/detect/offline-mode.test.ts +147 -0
package/src/__tests__/detect/python-ast-rules.test.ts +569 -0
package/src/__tests__/detect/python-helpers.test.ts +536 -0
package/src/__tests__/detect/python-sast-rules.test.ts +453 -0
package/src/__tests__/detect/rules-file-backdoor-decoders.test.ts +151 -0
package/src/__tests__/detect/rules-file-backdoor.test.ts +284 -0
package/src/__tests__/detect/taint-fix-templates.test.ts +150 -0
package/src/__tests__/detect/taint-path-serialization.test.ts +170 -0
package/src/__tests__/parse/call-graph.test.ts +300 -0
package/src/__tests__/parse/python-parser.test.ts +274 -0
package/src/__tests__/regression/known-false-positives.test.ts +491 -9
package/src/__tests__/regression/rules-file-backdoor.test.ts +137 -0
package/src/__tests__/score/adjustments.test.ts +34 -16
package/src/__tests__/score/confidence.test.ts +84 -57
package/src/__tests__/score/evidence-scoring.test.ts +249 -0
package/src/__tests__/score/evidence.test.ts +144 -0
package/src/__tests__/score/scoring-integration.test.ts +56 -34
package/src/__tests__/score/taint-adjustments.test.ts +14 -228
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +65 -59
package/src/__tests__/snapshots/scan-depth.test.ts +39 -7
package/src/__tests__/taint/async-flow.test.ts +247 -0
package/src/__tests__/taint/cfg-builder.test.ts +835 -0
package/src/__tests__/taint/constant-propagation.test.ts +302 -0
package/src/__tests__/taint/cross-file-index.test.ts +683 -0
package/src/__tests__/taint/cross-file-integration.test.ts +275 -0
package/src/__tests__/taint/cross-file-propagation.test.ts +910 -0
package/src/__tests__/taint/def-use.test.ts +132 -0
package/src/__tests__/taint/field-sensitive-sinks.test.ts +179 -0
package/src/__tests__/taint/field-sensitivity.test.ts +342 -0
package/src/__tests__/taint/file-analysis-cache.test.ts +290 -0
package/src/__tests__/taint/framework-models.test.ts +227 -0
package/src/__tests__/taint/llm-flow-graph.test.ts +850 -0
package/src/__tests__/taint/llm-risk-scoring.test.ts +439 -0
package/src/__tests__/taint/performance-parity.test.ts +315 -0
package/src/__tests__/taint/propagation.test.ts +621 -0
package/src/__tests__/taint/python-cross-file.test.ts +494 -0
package/src/__tests__/taint/python-taint.test.ts +1344 -0
package/src/__tests__/taint/sanitizer-registry.test.ts +304 -0
package/src/__tests__/taint/sanitizer-regression.test.ts +111 -0
package/src/__tests__/taint/sink-classifier.test.ts +537 -0
package/src/__tests__/taint/source-classifier.test.ts +367 -0
package/src/__tests__/taint/taint-pipeline.test.ts +418 -0
package/src/__tests__/taint/taint-smoke.test.ts +400 -0
package/src/__tests__/taint/taint-summary.test.ts +472 -0
package/src/detect/ai-code/index.ts +6 -11
package/src/detect/ast-rules/agent-tools-ast.ts +861 -0
package/src/detect/ast-rules/ai-fingerprinting-ast.ts +451 -0
package/src/detect/ast-rules/auth-patterns-ast.ts +304 -0
package/src/detect/ast-rules/byok-ast.ts +195 -0
package/src/detect/ast-rules/child-process-ast.ts +276 -0
package/src/detect/ast-rules/dangerous-eval-ast.ts +227 -0
package/src/detect/ast-rules/data-exposure-ast.ts +162 -0
package/src/detect/ast-rules/dom-xss-ast.ts +260 -0
package/src/detect/ast-rules/endpoint-protection-ast.ts +231 -0
package/src/detect/ast-rules/entropy-ast.ts +268 -0
package/src/detect/ast-rules/flask-debug-ast.ts +148 -0
package/src/detect/ast-rules/framework-checks-ast.ts +200 -0
package/src/detect/ast-rules/helpers/call-analysis.ts +256 -0
package/src/detect/ast-rules/helpers/context-detection.ts +277 -0
package/src/detect/ast-rules/helpers/control-flow.ts +179 -0
package/src/detect/ast-rules/helpers/import-analysis.ts +185 -0
package/src/detect/ast-rules/helpers/index.ts +133 -0
package/src/detect/ast-rules/helpers/python-helpers.ts +1054 -0
package/src/detect/ast-rules/helpers/scope-analysis.ts +224 -0
package/src/detect/ast-rules/helpers/string-analysis.ts +215 -0
package/src/detect/ast-rules/helpers/type-extraction.ts +138 -0
package/src/detect/ast-rules/helpers/user-input.ts +256 -0
package/src/detect/ast-rules/index.ts +311 -0
package/src/detect/ast-rules/json-parse-ast.ts +162 -0
package/src/detect/ast-rules/log-injection-ast.ts +243 -0
package/src/detect/ast-rules/logic-gates-ast.ts +343 -0
package/src/detect/ast-rules/mcp-security-ast.ts +808 -0
package/src/detect/ast-rules/model-supply-chain-ast.ts +202 -0
package/src/detect/ast-rules/package-hallucination-ast.ts +664 -0
package/src/detect/ast-rules/prompt-hygiene-ast.ts +329 -0
package/src/detect/ast-rules/rag-safety-ast.ts +689 -0
package/src/detect/ast-rules/request-validation-ast.ts +122 -0
package/src/detect/ast-rules/risky-imports-ast.ts +133 -0
package/src/detect/ast-rules/schema-validation-ast.ts +244 -0
package/src/detect/ast-rules/secret-patterns-ast.ts +223 -0
package/src/detect/ast-rules/security-headers-ast.ts +206 -0
package/src/detect/ast-rules/sql-injection-ast.ts +614 -0
package/src/detect/ast-rules/ssrf-ast.ts +601 -0
package/src/detect/ast-rules/taint-fix-templates.ts +108 -0
package/src/detect/ast-rules/taint-flow-ast.ts +416 -0
package/src/detect/ast-rules/variables-ast.ts +446 -0
package/src/detect/ast-rules/weak-crypto-ast.ts +441 -0
package/src/detect/ast-rules/xxe-ast.ts +184 -0
package/src/detect/config/agent-skill-injection.ts +2 -24
package/src/detect/config/index.ts +1 -0
package/src/detect/config/osv-check.ts +6 -1
package/src/detect/config/package-check.ts +6 -1
package/src/detect/config/rules-file-backdoor.ts +438 -0
package/src/detect/index.ts +146 -52
package/src/detect/secrets/config-audit.ts +37 -3
package/src/detect/secrets/entropy.ts +195 -0
package/src/detect/secrets/index.ts +7 -16
package/src/detect/structural/index.ts +23 -566
package/src/index.ts +7 -0
package/src/model/auth-helper-detector.ts +1 -7
package/src/model/import-resolver.ts +104 -0
package/src/model/imported-auth-detector.ts +1 -1
package/src/model/index.ts +240 -80
package/src/model/module-graph.ts +17 -5
package/src/model/project-context.ts +28 -1
package/src/model/route-auth-resolver.ts +18 -3
package/src/model/route-discovery/index.ts +1 -1
package/src/model/route-discovery/nextjs.ts +1 -1
package/src/model/route-discovery/python.ts +156 -9
package/src/model/route-discovery/types.ts +1 -1
package/src/model/route-discovery/utils.ts +73 -0
package/src/model/taint-types.ts +1 -6
package/src/parse/ast.ts +271 -0
package/src/parse/call-graph.ts +419 -0
package/src/parse/file-classifier.ts +69 -15
package/src/parse/node-index.ts +118 -0
package/src/parse/type-extractor.ts +293 -0
package/src/pipeline/config.ts +7 -0
package/src/pipeline/index.ts +464 -199
package/src/pipeline/modes/incremental.ts +1 -7
package/src/postprocess/dedup.ts +48 -17
package/src/report/build-result.ts +57 -29
package/src/report/formatters/cli-terminal.ts +731 -415
package/src/report/sanitize.ts +27 -0
package/src/score/adjustments.ts +113 -40
package/src/score/confidence.ts +10 -5
package/src/score/evidence.ts +55 -0
package/src/score/index.ts +27 -55
package/src/score/types.ts +4 -0
package/src/shared/category-filter.ts +12 -0
package/src/shared/regex-utils.ts +4 -0
package/src/shared/registry-clients.ts +106 -18
package/src/shared/rules/__tests__/metadata.test.ts +5 -1
package/src/shared/rules/metadata.ts +19 -0
package/src/shared/types.ts +372 -253
package/src/taint/async-flow.ts +301 -0
package/src/taint/cfg-builder.ts +1127 -0
package/src/taint/cfg-types.ts +110 -0
package/src/taint/constant-propagation.ts +170 -0
package/src/taint/cross-file-analyzer.ts +118 -0
package/src/taint/cross-file-index.ts +275 -0
package/src/taint/def-use.ts +556 -0
package/src/taint/file-analysis-cache.ts +145 -0
package/src/taint/framework-models.ts +313 -0
package/src/taint/helpers.ts +138 -0
package/src/taint/index.ts +71 -0
package/src/taint/llm-registry.ts +174 -0
package/src/taint/llm-risk-scoring.ts +412 -0
package/src/taint/propagation-types.ts +188 -0
package/src/taint/propagation.ts +1750 -0
package/src/taint/sanitizer-registry.ts +490 -0
package/src/taint/sink-classifier.ts +1402 -0
package/src/taint/source-classifier.ts +859 -0
package/src/taint/taint-analyzer.ts +112 -0
package/src/taint/taint-summary.ts +341 -0
package/src/taint/types.ts +86 -0
package/src/validate/clients.ts +3 -2
package/src/validate/index.ts +89 -53
package/src/validate/prompts/modules/ai-patterns.ts +16 -0
package/src/validate/prompts/modules/common.ts +12 -3
package/src/validate/providers/anthropic.ts +254 -148
package/src/validate/providers/openai.ts +363 -218
package/src/validate/request-builder.ts +2 -45
package/src/validate/types.ts +9 -0
package/src/validate/utils/path-helpers.ts +2 -2
package/src/validate/utils/response-parser.ts +32 -3
package/src/validate/utils/retry.ts +19 -4
package/dist/ai-context/index.d.ts +0 -6
package/dist/ai-context/index.d.ts.map +0 -1
package/dist/ai-context/index.js +0 -13
package/dist/ai-context/index.js.map +0 -1
package/dist/ai-context/manager.d.ts +0 -67
package/dist/ai-context/manager.d.ts.map +0 -1
package/dist/ai-context/manager.js +0 -104
package/dist/ai-context/manager.js.map +0 -1
package/dist/baseline/diff.d.ts +0 -32
package/dist/baseline/diff.d.ts.map +0 -1
package/dist/baseline/diff.js +0 -119
package/dist/baseline/diff.js.map +0 -1
package/dist/baseline/index.d.ts +0 -9
package/dist/baseline/index.d.ts.map +0 -1
package/dist/baseline/index.js +0 -19
package/dist/baseline/index.js.map +0 -1
package/dist/baseline/manager.d.ts +0 -67
package/dist/baseline/manager.d.ts.map +0 -1
package/dist/baseline/manager.js +0 -180
package/dist/baseline/manager.js.map +0 -1
package/dist/baseline/types.d.ts +0 -91
package/dist/baseline/types.d.ts.map +0 -1
package/dist/baseline/types.js +0 -12
package/dist/baseline/types.js.map +0 -1
package/dist/category-filter.d.ts +0 -125
package/dist/category-filter.d.ts.map +0 -1
package/dist/category-filter.js +0 -360
package/dist/category-filter.js.map +0 -1
package/dist/detect/ai-code/agent-tools.d.ts +0 -22
package/dist/detect/ai-code/agent-tools.d.ts.map +0 -1
package/dist/detect/ai-code/agent-tools.js +0 -1509
package/dist/detect/ai-code/agent-tools.js.map +0 -1
package/dist/detect/ai-code/byok-patterns.d.ts +0 -15
package/dist/detect/ai-code/byok-patterns.d.ts.map +0 -1
package/dist/detect/ai-code/byok-patterns.js +0 -313
package/dist/detect/ai-code/byok-patterns.js.map +0 -1
package/dist/detect/ai-code/endpoint-protection.d.ts +0 -38
package/dist/detect/ai-code/endpoint-protection.d.ts.map +0 -1
package/dist/detect/ai-code/endpoint-protection.js +0 -349
package/dist/detect/ai-code/endpoint-protection.js.map +0 -1
package/dist/detect/ai-code/execution-sinks.d.ts +0 -21
package/dist/detect/ai-code/execution-sinks.d.ts.map +0 -1
package/dist/detect/ai-code/execution-sinks.js +0 -1158
package/dist/detect/ai-code/execution-sinks.js.map +0 -1
package/dist/detect/ai-code/fingerprinting.d.ts +0 -10
package/dist/detect/ai-code/fingerprinting.d.ts.map +0 -1
package/dist/detect/ai-code/fingerprinting.js +0 -665
package/dist/detect/ai-code/fingerprinting.js.map +0 -1
package/dist/detect/ai-code/mcp-security.d.ts +0 -20
package/dist/detect/ai-code/mcp-security.d.ts.map +0 -1
package/dist/detect/ai-code/mcp-security.js +0 -880
package/dist/detect/ai-code/mcp-security.js.map +0 -1
package/dist/detect/ai-code/model-supply-chain.d.ts +0 -23
package/dist/detect/ai-code/model-supply-chain.d.ts.map +0 -1
package/dist/detect/ai-code/model-supply-chain.js +0 -447
package/dist/detect/ai-code/model-supply-chain.js.map +0 -1
package/dist/detect/ai-code/package-hallucination.d.ts +0 -22
package/dist/detect/ai-code/package-hallucination.d.ts.map +0 -1
package/dist/detect/ai-code/package-hallucination.js +0 -841
package/dist/detect/ai-code/package-hallucination.js.map +0 -1
package/dist/detect/ai-code/prompt-hygiene.d.ts +0 -22
package/dist/detect/ai-code/prompt-hygiene.d.ts.map +0 -1
package/dist/detect/ai-code/prompt-hygiene.js +0 -1177
package/dist/detect/ai-code/prompt-hygiene.js.map +0 -1
package/dist/detect/ai-code/rag-safety.d.ts +0 -24
package/dist/detect/ai-code/rag-safety.d.ts.map +0 -1
package/dist/detect/ai-code/rag-safety.js +0 -913
package/dist/detect/ai-code/rag-safety.js.map +0 -1
package/dist/detect/ai-code/schema-validation.d.ts +0 -28
package/dist/detect/ai-code/schema-validation.d.ts.map +0 -1
package/dist/detect/ai-code/schema-validation.js +0 -378
package/dist/detect/ai-code/schema-validation.js.map +0 -1
package/dist/detect/secrets/patterns.d.ts +0 -11
package/dist/detect/secrets/patterns.d.ts.map +0 -1
package/dist/detect/secrets/patterns.js +0 -518
package/dist/detect/secrets/patterns.js.map +0 -1
package/dist/detect/secrets/weak-crypto.d.ts +0 -10
package/dist/detect/secrets/weak-crypto.d.ts.map +0 -1
package/dist/detect/secrets/weak-crypto.js +0 -432
package/dist/detect/secrets/weak-crypto.js.map +0 -1
package/dist/detect/structural/auth-patterns.d.ts +0 -22
package/dist/detect/structural/auth-patterns.d.ts.map +0 -1
package/dist/detect/structural/auth-patterns.js +0 -533
package/dist/detect/structural/auth-patterns.js.map +0 -1
package/dist/detect/structural/dangerous-functions/child-process.d.ts +0 -16
package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/child-process.js +0 -74
package/dist/detect/structural/dangerous-functions/child-process.js.map +0 -1
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +0 -34
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/dom-xss.js +0 -230
package/dist/detect/structural/dangerous-functions/dom-xss.js.map +0 -1
package/dist/detect/structural/dangerous-functions/index.d.ts +0 -16
package/dist/detect/structural/dangerous-functions/index.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/index.js +0 -1193
package/dist/detect/structural/dangerous-functions/index.js.map +0 -1
package/dist/detect/structural/dangerous-functions/json-parse.d.ts +0 -31
package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/json-parse.js +0 -326
package/dist/detect/structural/dangerous-functions/json-parse.js.map +0 -1
package/dist/detect/structural/dangerous-functions/math-random.d.ts +0 -111
package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/math-random.js +0 -684
package/dist/detect/structural/dangerous-functions/math-random.js.map +0 -1
package/dist/detect/structural/dangerous-functions/patterns.d.ts +0 -21
package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/patterns.js +0 -163
package/dist/detect/structural/dangerous-functions/patterns.js.map +0 -1
package/dist/detect/structural/dangerous-functions/request-validation.d.ts +0 -13
package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/request-validation.js +0 -126
package/dist/detect/structural/dangerous-functions/request-validation.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +0 -24
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/control-flow.js +0 -70
package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +0 -31
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/helpers.js +0 -147
package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/index.d.ts +0 -9
package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/index.js +0 -23
package/dist/detect/structural/dangerous-functions/utils/index.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +0 -22
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +0 -102
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +0 -1
package/dist/detect/structural/data-exposure.d.ts +0 -19
package/dist/detect/structural/data-exposure.d.ts.map +0 -1
package/dist/detect/structural/data-exposure.js +0 -262
package/dist/detect/structural/data-exposure.js.map +0 -1
package/dist/detect/structural/framework-checks.d.ts +0 -10
package/dist/detect/structural/framework-checks.d.ts.map +0 -1
package/dist/detect/structural/framework-checks.js +0 -389
package/dist/detect/structural/framework-checks.js.map +0 -1
package/dist/detect/structural/log-injection.d.ts +0 -18
package/dist/detect/structural/log-injection.d.ts.map +0 -1
package/dist/detect/structural/log-injection.js +0 -217
package/dist/detect/structural/log-injection.js.map +0 -1
package/dist/detect/structural/logic-gates.d.ts +0 -10
package/dist/detect/structural/logic-gates.d.ts.map +0 -1
package/dist/detect/structural/logic-gates.js +0 -227
package/dist/detect/structural/logic-gates.js.map +0 -1
package/dist/detect/structural/risky-imports.d.ts +0 -10
package/dist/detect/structural/risky-imports.d.ts.map +0 -1
package/dist/detect/structural/risky-imports.js +0 -168
package/dist/detect/structural/risky-imports.js.map +0 -1
package/dist/detect/structural/security-headers.d.ts +0 -18
package/dist/detect/structural/security-headers.d.ts.map +0 -1
package/dist/detect/structural/security-headers.js +0 -196
package/dist/detect/structural/security-headers.js.map +0 -1
package/dist/detect/structural/ssrf-detection.d.ts +0 -18
package/dist/detect/structural/ssrf-detection.d.ts.map +0 -1
package/dist/detect/structural/ssrf-detection.js +0 -263
package/dist/detect/structural/ssrf-detection.js.map +0 -1
package/dist/detect/structural/variables.d.ts +0 -11
package/dist/detect/structural/variables.d.ts.map +0 -1
package/dist/detect/structural/variables.js +0 -159
package/dist/detect/structural/variables.js.map +0 -1
package/dist/detect/structural/xxe-detection.d.ts +0 -18
package/dist/detect/structural/xxe-detection.d.ts.map +0 -1
package/dist/detect/structural/xxe-detection.js +0 -245
package/dist/detect/structural/xxe-detection.js.map +0 -1
package/dist/filtering/context-adjustments.d.ts +0 -23
package/dist/filtering/context-adjustments.d.ts.map +0 -1
package/dist/filtering/context-adjustments.js +0 -100
package/dist/filtering/context-adjustments.js.map +0 -1
package/dist/filtering/index.d.ts +0 -3
package/dist/filtering/index.d.ts.map +0 -1
package/dist/filtering/index.js +0 -8
package/dist/filtering/index.js.map +0 -1
package/dist/filtering/pipeline.d.ts +0 -48
package/dist/filtering/pipeline.d.ts.map +0 -1
package/dist/filtering/pipeline.js +0 -76
package/dist/filtering/pipeline.js.map +0 -1
package/dist/formatters/ai-context.d.ts +0 -23
package/dist/formatters/ai-context.d.ts.map +0 -1
package/dist/formatters/ai-context.js +0 -238
package/dist/formatters/ai-context.js.map +0 -1
package/dist/formatters/cli-terminal.d.ts +0 -65
package/dist/formatters/cli-terminal.d.ts.map +0 -1
package/dist/formatters/cli-terminal.js +0 -735
package/dist/formatters/cli-terminal.js.map +0 -1
package/dist/formatters/github-comment.d.ts +0 -41
package/dist/formatters/github-comment.d.ts.map +0 -1
package/dist/formatters/github-comment.js +0 -370
package/dist/formatters/github-comment.js.map +0 -1
package/dist/formatters/grouping.d.ts +0 -52
package/dist/formatters/grouping.d.ts.map +0 -1
package/dist/formatters/grouping.js +0 -152
package/dist/formatters/grouping.js.map +0 -1
package/dist/formatters/ide/claude-code.d.ts +0 -17
package/dist/formatters/ide/claude-code.d.ts.map +0 -1
package/dist/formatters/ide/claude-code.js +0 -94
package/dist/formatters/ide/claude-code.js.map +0 -1
package/dist/formatters/ide/cursor.d.ts +0 -13
package/dist/formatters/ide/cursor.d.ts.map +0 -1
package/dist/formatters/ide/cursor.js +0 -125
package/dist/formatters/ide/cursor.js.map +0 -1
package/dist/formatters/ide/index.d.ts +0 -62
package/dist/formatters/ide/index.d.ts.map +0 -1
package/dist/formatters/ide/index.js +0 -184
package/dist/formatters/ide/index.js.map +0 -1
package/dist/formatters/ide/windsurf.d.ts +0 -13
package/dist/formatters/ide/windsurf.d.ts.map +0 -1
package/dist/formatters/ide/windsurf.js +0 -117
package/dist/formatters/ide/windsurf.js.map +0 -1
package/dist/formatters/index.d.ts +0 -11
package/dist/formatters/index.d.ts.map +0 -1
package/dist/formatters/index.js +0 -54
package/dist/formatters/index.js.map +0 -1
package/dist/formatters/vscode-diagnostic.d.ts +0 -103
package/dist/formatters/vscode-diagnostic.d.ts.map +0 -1
package/dist/formatters/vscode-diagnostic.js +0 -151
package/dist/formatters/vscode-diagnostic.js.map +0 -1
package/dist/layer1/comments.d.ts +0 -11
package/dist/layer1/comments.d.ts.map +0 -1
package/dist/layer1/comments.js +0 -203
package/dist/layer1/comments.js.map +0 -1
package/dist/layer1/config-audit.d.ts +0 -11
package/dist/layer1/config-audit.d.ts.map +0 -1
package/dist/layer1/config-audit.js +0 -311
package/dist/layer1/config-audit.js.map +0 -1
package/dist/layer1/config-mcp-audit.d.ts +0 -23
package/dist/layer1/config-mcp-audit.d.ts.map +0 -1
package/dist/layer1/config-mcp-audit.js +0 -239
package/dist/layer1/config-mcp-audit.js.map +0 -1
package/dist/layer1/entropy.d.ts +0 -11
package/dist/layer1/entropy.d.ts.map +0 -1
package/dist/layer1/entropy.js +0 -741
package/dist/layer1/entropy.js.map +0 -1
package/dist/layer1/file-flags.d.ts +0 -10
package/dist/layer1/file-flags.d.ts.map +0 -1
package/dist/layer1/file-flags.js +0 -119
package/dist/layer1/file-flags.js.map +0 -1
package/dist/layer1/index.d.ts +0 -38
package/dist/layer1/index.d.ts.map +0 -1
package/dist/layer1/index.js +0 -170
package/dist/layer1/index.js.map +0 -1
package/dist/layer1/patterns.d.ts +0 -11
package/dist/layer1/patterns.d.ts.map +0 -1
package/dist/layer1/patterns.js +0 -512
package/dist/layer1/patterns.js.map +0 -1
package/dist/layer1/urls.d.ts +0 -11
package/dist/layer1/urls.d.ts.map +0 -1
package/dist/layer1/urls.js +0 -444
package/dist/layer1/urls.js.map +0 -1
package/dist/layer1/weak-crypto.d.ts +0 -10
package/dist/layer1/weak-crypto.d.ts.map +0 -1
package/dist/layer1/weak-crypto.js +0 -428
package/dist/layer1/weak-crypto.js.map +0 -1
package/dist/layer2/ai-agent-tools.d.ts +0 -22
package/dist/layer2/ai-agent-tools.d.ts.map +0 -1
package/dist/layer2/ai-agent-tools.js +0 -1490
package/dist/layer2/ai-agent-tools.js.map +0 -1
package/dist/layer2/ai-endpoint-protection.d.ts +0 -38
package/dist/layer2/ai-endpoint-protection.d.ts.map +0 -1
package/dist/layer2/ai-endpoint-protection.js +0 -346
package/dist/layer2/ai-endpoint-protection.js.map +0 -1
package/dist/layer2/ai-execution-sinks.d.ts +0 -21
package/dist/layer2/ai-execution-sinks.d.ts.map +0 -1
package/dist/layer2/ai-execution-sinks.js +0 -1155
package/dist/layer2/ai-execution-sinks.js.map +0 -1
package/dist/layer2/ai-fingerprinting.d.ts +0 -10
package/dist/layer2/ai-fingerprinting.d.ts.map +0 -1
package/dist/layer2/ai-fingerprinting.js +0 -650
package/dist/layer2/ai-fingerprinting.js.map +0 -1
package/dist/layer2/ai-mcp-security.d.ts +0 -20
package/dist/layer2/ai-mcp-security.d.ts.map +0 -1
package/dist/layer2/ai-mcp-security.js +0 -877
package/dist/layer2/ai-mcp-security.js.map +0 -1
package/dist/layer2/ai-package-hallucination.d.ts +0 -22
package/dist/layer2/ai-package-hallucination.d.ts.map +0 -1
package/dist/layer2/ai-package-hallucination.js +0 -828
package/dist/layer2/ai-package-hallucination.js.map +0 -1
package/dist/layer2/ai-prompt-hygiene.d.ts +0 -22
package/dist/layer2/ai-prompt-hygiene.d.ts.map +0 -1
package/dist/layer2/ai-prompt-hygiene.js +0 -1156
package/dist/layer2/ai-prompt-hygiene.js.map +0 -1
package/dist/layer2/ai-rag-safety.d.ts +0 -24
package/dist/layer2/ai-rag-safety.d.ts.map +0 -1
package/dist/layer2/ai-rag-safety.js +0 -910
package/dist/layer2/ai-rag-safety.js.map +0 -1
package/dist/layer2/ai-schema-validation.d.ts +0 -28
package/dist/layer2/ai-schema-validation.d.ts.map +0 -1
package/dist/layer2/ai-schema-validation.js +0 -375
package/dist/layer2/ai-schema-validation.js.map +0 -1
package/dist/layer2/auth-antipatterns.d.ts +0 -22
package/dist/layer2/auth-antipatterns.d.ts.map +0 -1
package/dist/layer2/auth-antipatterns.js +0 -522
package/dist/layer2/auth-antipatterns.js.map +0 -1
package/dist/layer2/byok-patterns.d.ts +0 -15
package/dist/layer2/byok-patterns.d.ts.map +0 -1
package/dist/layer2/byok-patterns.js +0 -302
package/dist/layer2/byok-patterns.js.map +0 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +0 -16
package/dist/layer2/dangerous-functions/child-process.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/child-process.js +0 -74
package/dist/layer2/dangerous-functions/child-process.js.map +0 -1
package/dist/layer2/dangerous-functions/dom-xss.d.ts +0 -34
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/dom-xss.js +0 -230
package/dist/layer2/dangerous-functions/dom-xss.js.map +0 -1
package/dist/layer2/dangerous-functions/index.d.ts +0 -16
package/dist/layer2/dangerous-functions/index.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/index.js +0 -1152
package/dist/layer2/dangerous-functions/index.js.map +0 -1
package/dist/layer2/dangerous-functions/json-parse.d.ts +0 -31
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/json-parse.js +0 -319
package/dist/layer2/dangerous-functions/json-parse.js.map +0 -1
package/dist/layer2/dangerous-functions/math-random.d.ts +0 -111
package/dist/layer2/dangerous-functions/math-random.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/math-random.js +0 -684
package/dist/layer2/dangerous-functions/math-random.js.map +0 -1
package/dist/layer2/dangerous-functions/patterns.d.ts +0 -21
package/dist/layer2/dangerous-functions/patterns.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/patterns.js +0 -163
package/dist/layer2/dangerous-functions/patterns.js.map +0 -1
package/dist/layer2/dangerous-functions/request-validation.d.ts +0 -13
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/request-validation.js +0 -119
package/dist/layer2/dangerous-functions/request-validation.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +0 -24
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/control-flow.js +0 -70
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +0 -31
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/helpers.js +0 -147
package/dist/layer2/dangerous-functions/utils/helpers.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/index.d.ts +0 -9
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/index.js +0 -23
package/dist/layer2/dangerous-functions/utils/index.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +0 -22
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.js +0 -102
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +0 -1
package/dist/layer2/data-exposure.d.ts +0 -19
package/dist/layer2/data-exposure.d.ts.map +0 -1
package/dist/layer2/data-exposure.js +0 -255
package/dist/layer2/data-exposure.js.map +0 -1
package/dist/layer2/framework-checks.d.ts +0 -10
package/dist/layer2/framework-checks.d.ts.map +0 -1
package/dist/layer2/framework-checks.js +0 -384
package/dist/layer2/framework-checks.js.map +0 -1
package/dist/layer2/index.d.ts +0 -74
package/dist/layer2/index.d.ts.map +0 -1
package/dist/layer2/index.js +0 -544
package/dist/layer2/index.js.map +0 -1
package/dist/layer2/log-injection.d.ts +0 -18
package/dist/layer2/log-injection.d.ts.map +0 -1
package/dist/layer2/log-injection.js +0 -214
package/dist/layer2/log-injection.js.map +0 -1
package/dist/layer2/logic-gates.d.ts +0 -10
package/dist/layer2/logic-gates.d.ts.map +0 -1
package/dist/layer2/logic-gates.js +0 -220
package/dist/layer2/logic-gates.js.map +0 -1
package/dist/layer2/model-supply-chain.d.ts +0 -23
package/dist/layer2/model-supply-chain.d.ts.map +0 -1
package/dist/layer2/model-supply-chain.js +0 -444
package/dist/layer2/model-supply-chain.js.map +0 -1
package/dist/layer2/risky-imports.d.ts +0 -10
package/dist/layer2/risky-imports.d.ts.map +0 -1
package/dist/layer2/risky-imports.js +0 -165
package/dist/layer2/risky-imports.js.map +0 -1
package/dist/layer2/security-headers.d.ts +0 -18
package/dist/layer2/security-headers.d.ts.map +0 -1
package/dist/layer2/security-headers.js +0 -187
package/dist/layer2/security-headers.js.map +0 -1
package/dist/layer2/ssrf-detection.d.ts +0 -18
package/dist/layer2/ssrf-detection.d.ts.map +0 -1
package/dist/layer2/ssrf-detection.js +0 -252
package/dist/layer2/ssrf-detection.js.map +0 -1
package/dist/layer2/variables.d.ts +0 -11
package/dist/layer2/variables.d.ts.map +0 -1
package/dist/layer2/variables.js +0 -156
package/dist/layer2/variables.js.map +0 -1
package/dist/layer2/xxe-detection.d.ts +0 -18
package/dist/layer2/xxe-detection.d.ts.map +0 -1
package/dist/layer2/xxe-detection.js +0 -242
package/dist/layer2/xxe-detection.js.map +0 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +0 -24
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +0 -1
package/dist/layer3/anthropic/auto-dismiss.js +0 -199
package/dist/layer3/anthropic/auto-dismiss.js.map +0 -1
package/dist/layer3/anthropic/clients.d.ts +0 -44
package/dist/layer3/anthropic/clients.d.ts.map +0 -1
package/dist/layer3/anthropic/clients.js +0 -81
package/dist/layer3/anthropic/clients.js.map +0 -1
package/dist/layer3/anthropic/index.d.ts +0 -41
package/dist/layer3/anthropic/index.d.ts.map +0 -1
package/dist/layer3/anthropic/index.js +0 -141
package/dist/layer3/anthropic/index.js.map +0 -1
package/dist/layer3/anthropic/prompts/index.d.ts +0 -8
package/dist/layer3/anthropic/prompts/index.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/index.js +0 -16
package/dist/layer3/anthropic/prompts/index.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +0 -19
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +0 -156
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +0 -9
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/auth-access.js +0 -25
package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/common.d.ts +0 -11
package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/common.js +0 -152
package/dist/layer3/anthropic/prompts/modules/common.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/index.d.ts +0 -54
package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/index.js +0 -185
package/dist/layer3/anthropic/prompts/modules/index.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +0 -8
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +0 -84
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +0 -8
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +0 -68
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +0 -8
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +0 -22
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +0 -1
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +0 -15
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/semantic-analysis.js +0 -169
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +0 -1
package/dist/layer3/anthropic/prompts/validation.d.ts +0 -18
package/dist/layer3/anthropic/prompts/validation.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/validation.js +0 -25
package/dist/layer3/anthropic/prompts/validation.js.map +0 -1
package/dist/layer3/anthropic/providers/anthropic.d.ts +0 -21
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic/providers/anthropic.js +0 -269
package/dist/layer3/anthropic/providers/anthropic.js.map +0 -1
package/dist/layer3/anthropic/providers/index.d.ts +0 -8
package/dist/layer3/anthropic/providers/index.d.ts.map +0 -1
package/dist/layer3/anthropic/providers/index.js +0 -15
package/dist/layer3/anthropic/providers/index.js.map +0 -1
package/dist/layer3/anthropic/providers/openai.d.ts +0 -18
package/dist/layer3/anthropic/providers/openai.d.ts.map +0 -1
package/dist/layer3/anthropic/providers/openai.js +0 -343
package/dist/layer3/anthropic/providers/openai.js.map +0 -1
package/dist/layer3/anthropic/request-builder.d.ts +0 -27
package/dist/layer3/anthropic/request-builder.d.ts.map +0 -1
package/dist/layer3/anthropic/request-builder.js +0 -150
package/dist/layer3/anthropic/request-builder.js.map +0 -1
package/dist/layer3/anthropic/types.d.ts +0 -88
package/dist/layer3/anthropic/types.d.ts.map +0 -1
package/dist/layer3/anthropic/types.js +0 -38
package/dist/layer3/anthropic/types.js.map +0 -1
package/dist/layer3/anthropic/utils/context-extractor.d.ts +0 -55
package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/context-extractor.js +0 -161
package/dist/layer3/anthropic/utils/context-extractor.js.map +0 -1
package/dist/layer3/anthropic/utils/index.d.ts +0 -11
package/dist/layer3/anthropic/utils/index.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/index.js +0 -27
package/dist/layer3/anthropic/utils/index.js.map +0 -1
package/dist/layer3/anthropic/utils/path-helpers.d.ts +0 -21
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/path-helpers.js +0 -69
package/dist/layer3/anthropic/utils/path-helpers.js.map +0 -1
package/dist/layer3/anthropic/utils/response-parser.d.ts +0 -40
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/response-parser.js +0 -285
package/dist/layer3/anthropic/utils/response-parser.js.map +0 -1
package/dist/layer3/anthropic/utils/retry.d.ts +0 -15
package/dist/layer3/anthropic/utils/retry.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/retry.js +0 -62
package/dist/layer3/anthropic/utils/retry.js.map +0 -1
package/dist/layer3/index.d.ts +0 -27
package/dist/layer3/index.d.ts.map +0 -1
package/dist/layer3/index.js +0 -150
package/dist/layer3/index.js.map +0 -1
package/dist/layer3/osv-check.d.ts +0 -75
package/dist/layer3/osv-check.d.ts.map +0 -1
package/dist/layer3/osv-check.js +0 -308
package/dist/layer3/osv-check.js.map +0 -1
package/dist/layer3/package-check.d.ts +0 -63
package/dist/layer3/package-check.d.ts.map +0 -1
package/dist/layer3/package-check.js +0 -508
package/dist/layer3/package-check.js.map +0 -1
package/dist/model/cross-file-taint.d.ts +0 -40
package/dist/model/cross-file-taint.d.ts.map +0 -1
package/dist/model/cross-file-taint.js +0 -290
package/dist/model/cross-file-taint.js.map +0 -1
package/dist/model/function-classifier.d.ts +0 -32
package/dist/model/function-classifier.d.ts.map +0 -1
package/dist/model/function-classifier.js +0 -143
package/dist/model/function-classifier.js.map +0 -1
package/dist/model/sanitiser-detection.d.ts +0 -27
package/dist/model/sanitiser-detection.d.ts.map +0 -1
package/dist/model/sanitiser-detection.js +0 -224
package/dist/model/sanitiser-detection.js.map +0 -1
package/dist/model/sink-matcher.d.ts +0 -17
package/dist/model/sink-matcher.d.ts.map +0 -1
package/dist/model/sink-matcher.js +0 -141
package/dist/model/sink-matcher.js.map +0 -1
package/dist/model/sink-patterns.d.ts +0 -19
package/dist/model/sink-patterns.d.ts.map +0 -1
package/dist/model/sink-patterns.js +0 -88
package/dist/model/sink-patterns.js.map +0 -1
package/dist/model/source-discovery.d.ts +0 -15
package/dist/model/source-discovery.d.ts.map +0 -1
package/dist/model/source-discovery.js +0 -170
package/dist/model/source-discovery.js.map +0 -1
package/dist/model/taint-tracker.d.ts +0 -21
package/dist/model/taint-tracker.d.ts.map +0 -1
package/dist/model/taint-tracker.js +0 -281
package/dist/model/taint-tracker.js.map +0 -1
package/dist/modes/incremental.d.ts +0 -66
package/dist/modes/incremental.d.ts.map +0 -1
package/dist/modes/incremental.js +0 -200
package/dist/modes/incremental.js.map +0 -1
package/dist/rules/framework-fixes.d.ts +0 -48
package/dist/rules/framework-fixes.d.ts.map +0 -1
package/dist/rules/framework-fixes.js +0 -439
package/dist/rules/framework-fixes.js.map +0 -1
package/dist/rules/index.d.ts +0 -8
package/dist/rules/index.d.ts.map +0 -1
package/dist/rules/index.js +0 -18
package/dist/rules/index.js.map +0 -1
package/dist/rules/metadata.d.ts +0 -43
package/dist/rules/metadata.d.ts.map +0 -1
package/dist/rules/metadata.js +0 -800
package/dist/rules/metadata.js.map +0 -1
package/dist/score/auto-dismiss.d.ts +0 -28
package/dist/score/auto-dismiss.d.ts.map +0 -1
package/dist/score/auto-dismiss.js +0 -200
package/dist/score/auto-dismiss.js.map +0 -1
package/dist/suppression/config-loader.d.ts +0 -74
package/dist/suppression/config-loader.d.ts.map +0 -1
package/dist/suppression/config-loader.js +0 -424
package/dist/suppression/config-loader.js.map +0 -1
package/dist/suppression/hash.d.ts +0 -48
package/dist/suppression/hash.d.ts.map +0 -1
package/dist/suppression/hash.js +0 -88
package/dist/suppression/hash.js.map +0 -1
package/dist/suppression/index.d.ts +0 -11
package/dist/suppression/index.d.ts.map +0 -1
package/dist/suppression/index.js +0 -39
package/dist/suppression/index.js.map +0 -1
package/dist/suppression/inline-parser.d.ts +0 -39
package/dist/suppression/inline-parser.d.ts.map +0 -1
package/dist/suppression/inline-parser.js +0 -218
package/dist/suppression/inline-parser.js.map +0 -1
package/dist/suppression/manager.d.ts +0 -94
package/dist/suppression/manager.d.ts.map +0 -1
package/dist/suppression/manager.js +0 -292
package/dist/suppression/manager.js.map +0 -1
package/dist/suppression/types.d.ts +0 -151
package/dist/suppression/types.d.ts.map +0 -1
package/dist/suppression/types.js +0 -28
package/dist/suppression/types.js.map +0 -1
package/dist/types.d.ts +0 -331
package/dist/types.d.ts.map +0 -1
package/dist/types.js +0 -124
package/dist/types.js.map +0 -1
package/dist/utils/auth-helper-detector.d.ts +0 -56
package/dist/utils/auth-helper-detector.d.ts.map +0 -1
package/dist/utils/auth-helper-detector.js +0 -360
package/dist/utils/auth-helper-detector.js.map +0 -1
package/dist/utils/code-analysis.d.ts +0 -39
package/dist/utils/code-analysis.d.ts.map +0 -1
package/dist/utils/code-analysis.js +0 -159
package/dist/utils/code-analysis.js.map +0 -1
package/dist/utils/comment-analyzer.d.ts +0 -38
package/dist/utils/comment-analyzer.d.ts.map +0 -1
package/dist/utils/comment-analyzer.js +0 -218
package/dist/utils/comment-analyzer.js.map +0 -1
package/dist/utils/context-helpers.d.ts +0 -219
package/dist/utils/context-helpers.d.ts.map +0 -1
package/dist/utils/context-helpers.js +0 -886
package/dist/utils/context-helpers.js.map +0 -1
package/dist/utils/diff-detector.d.ts +0 -53
package/dist/utils/diff-detector.d.ts.map +0 -1
package/dist/utils/diff-detector.js +0 -104
package/dist/utils/diff-detector.js.map +0 -1
package/dist/utils/diff-parser.d.ts +0 -80
package/dist/utils/diff-parser.d.ts.map +0 -1
package/dist/utils/diff-parser.js +0 -202
package/dist/utils/diff-parser.js.map +0 -1
package/dist/utils/environment-context.d.ts +0 -76
package/dist/utils/environment-context.d.ts.map +0 -1
package/dist/utils/environment-context.js +0 -271
package/dist/utils/environment-context.js.map +0 -1
package/dist/utils/imported-auth-detector.d.ts +0 -37
package/dist/utils/imported-auth-detector.d.ts.map +0 -1
package/dist/utils/imported-auth-detector.js +0 -251
package/dist/utils/imported-auth-detector.js.map +0 -1
package/dist/utils/intent-detector.d.ts +0 -66
package/dist/utils/intent-detector.d.ts.map +0 -1
package/dist/utils/intent-detector.js +0 -282
package/dist/utils/intent-detector.js.map +0 -1
package/dist/utils/middleware-detector.d.ts +0 -55
package/dist/utils/middleware-detector.d.ts.map +0 -1
package/dist/utils/middleware-detector.js +0 -260
package/dist/utils/middleware-detector.js.map +0 -1
package/dist/utils/oauth-flow-detector.d.ts +0 -41
package/dist/utils/oauth-flow-detector.d.ts.map +0 -1
package/dist/utils/oauth-flow-detector.js +0 -202
package/dist/utils/oauth-flow-detector.js.map +0 -1
package/dist/utils/parsed-file.d.ts +0 -51
package/dist/utils/parsed-file.d.ts.map +0 -1
package/dist/utils/parsed-file.js +0 -95
package/dist/utils/parsed-file.js.map +0 -1
package/dist/utils/path-exclusions.d.ts +0 -55
package/dist/utils/path-exclusions.d.ts.map +0 -1
package/dist/utils/path-exclusions.js +0 -224
package/dist/utils/path-exclusions.js.map +0 -1
package/dist/utils/project-context-builder.d.ts +0 -119
package/dist/utils/project-context-builder.d.ts.map +0 -1
package/dist/utils/project-context-builder.js +0 -534
package/dist/utils/project-context-builder.js.map +0 -1
package/dist/utils/registry-clients.d.ts +0 -93
package/dist/utils/registry-clients.d.ts.map +0 -1
package/dist/utils/registry-clients.js +0 -273
package/dist/utils/registry-clients.js.map +0 -1
package/dist/utils/route-hierarchy.d.ts +0 -50
package/dist/utils/route-hierarchy.d.ts.map +0 -1
package/dist/utils/route-hierarchy.js +0 -226
package/dist/utils/route-hierarchy.js.map +0 -1
package/dist/utils/schema-semantics.d.ts +0 -45
package/dist/utils/schema-semantics.d.ts.map +0 -1
package/dist/utils/schema-semantics.js +0 -193
package/dist/utils/schema-semantics.js.map +0 -1
package/dist/utils/trpc-analyzer.d.ts +0 -78
package/dist/utils/trpc-analyzer.d.ts.map +0 -1
package/dist/utils/trpc-analyzer.js +0 -297
package/dist/utils/trpc-analyzer.js.map +0 -1
package/src/__tests__/context-engine/cross-file-taint.test.ts +0 -284
package/src/__tests__/context-engine/function-classifier.test.ts +0 -146
package/src/__tests__/context-engine/integration.test.ts +0 -320
package/src/__tests__/context-engine/sanitiser-detection.test.ts +0 -187
package/src/__tests__/context-engine/sink-matcher.test.ts +0 -251
package/src/__tests__/context-engine/source-discovery.test.ts +0 -186
package/src/__tests__/context-engine/taint-tracker.test.ts +0 -182
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +0 -750
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +0 -555
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +0 -321
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +0 -439
package/src/detect/ai-code/agent-tools.ts +0 -1662
package/src/detect/ai-code/byok-patterns.ts +0 -354
package/src/detect/ai-code/endpoint-protection.ts +0 -406
package/src/detect/ai-code/execution-sinks.ts +0 -1310
package/src/detect/ai-code/fingerprinting.ts +0 -774
package/src/detect/ai-code/mcp-security.ts +0 -937
package/src/detect/ai-code/model-supply-chain.ts +0 -535
package/src/detect/ai-code/package-hallucination.ts +0 -955
package/src/detect/ai-code/prompt-hygiene.ts +0 -1314
package/src/detect/ai-code/rag-safety.ts +0 -977
package/src/detect/ai-code/schema-validation.ts +0 -427
package/src/detect/secrets/patterns.ts +0 -561
package/src/detect/secrets/weak-crypto.ts +0 -485
package/src/detect/structural/__tests__/math-random-enhanced.test.ts +0 -405
package/src/detect/structural/auth-patterns.ts +0 -621
package/src/detect/structural/dangerous-functions/child-process.ts +0 -98
package/src/detect/structural/dangerous-functions/dom-xss.ts +0 -292
package/src/detect/structural/dangerous-functions/index.ts +0 -1556
package/src/detect/structural/dangerous-functions/json-parse.ts +0 -393
package/src/detect/structural/dangerous-functions/math-random.ts +0 -789
package/src/detect/structural/dangerous-functions/patterns.ts +0 -176
package/src/detect/structural/dangerous-functions/request-validation.ts +0 -153
package/src/detect/structural/dangerous-functions/utils/control-flow.ts +0 -35
package/src/detect/structural/dangerous-functions/utils/helpers.ts +0 -170
package/src/detect/structural/dangerous-functions/utils/index.ts +0 -25
package/src/detect/structural/dangerous-functions/utils/schema-validation.ts +0 -106
package/src/detect/structural/data-exposure.ts +0 -302
package/src/detect/structural/framework-checks.ts +0 -439
package/src/detect/structural/log-injection.ts +0 -254
package/src/detect/structural/logic-gates.ts +0 -256
package/src/detect/structural/risky-imports.ts +0 -197
package/src/detect/structural/security-headers.ts +0 -231
package/src/detect/structural/ssrf-detection.ts +0 -300
package/src/detect/structural/variables.ts +0 -177
package/src/detect/structural/xxe-detection.ts +0 -295
package/src/model/cross-file-taint.ts +0 -374
package/src/model/function-classifier.ts +0 -184
package/src/model/sanitiser-detection.ts +0 -268
package/src/model/sink-matcher.ts +0 -178
package/src/model/sink-patterns.ts +0 -109
package/src/model/source-discovery.ts +0 -209
package/src/model/taint-tracker.ts +0 -333
package/src/score/auto-dismiss.ts +0 -224

package/src/report/formatters/cli-terminal.ts CHANGED Viewed

@@ -3,68 +3,86 @@
  * Formats scan results with ANSI colors for terminal output
  */
-import type { ScanResult, Vulnerability, VulnerabilitySeverity } from '../../shared/types'
-import { groupByTheme, getBlockingIssues, GroupedFindings, THEME_CONFIG } from './grouping'
-import { computeFindingHash } from '../../postprocess/suppression/hash'
+import * as path from "path";
+import type {
+  ScanResult,
+  Vulnerability,
+  VulnerabilitySeverity,
+} from "../../shared/types";
+import {
+  groupByTheme,
+  getBlockingIssues,
+  GroupedFindings,
+  THEME_CONFIG,
+} from "./grouping";
+import { computeFindingHash } from "../../postprocess/suppression/hash";
+import { sanitizeScanResult } from "../sanitize";
 /**
  * ANSI color codes
  */
 const colors = {
-  reset: '\x1b[0m',
-  bold: '\x1b[1m',
-  dim: '\x1b[2m',
-  underline: '\x1b[4m',
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  underline: "\x1b[4m",
   // Foreground colors
-  red: '\x1b[31m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  blue: '\x1b[34m',
-  magenta: '\x1b[35m',
-  cyan: '\x1b[36m',
-  white: '\x1b[37m',
-  gray: '\x1b[90m',
+  red: "\x1b[31m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  blue: "\x1b[34m",
+  magenta: "\x1b[35m",
+  cyan: "\x1b[36m",
+  white: "\x1b[37m",
+  gray: "\x1b[90m",
   // Background colors
-  bgRed: '\x1b[41m',
-  bgYellow: '\x1b[43m',
-  bgBlue: '\x1b[44m',
-}
+  bgRed: "\x1b[41m",
+  bgYellow: "\x1b[43m",
+  bgBlue: "\x1b[44m",
+};
 /**
  * Severity colors and symbols
  */
-const SEVERITY_STYLE: Record<VulnerabilitySeverity, { color: string; symbol: string; label: string }> = {
-  critical: { color: colors.bgRed + colors.white, symbol: '●', label: 'CRITICAL' },
-  high: { color: colors.red, symbol: '●', label: 'HIGH' },
-  medium: { color: colors.yellow, symbol: '●', label: 'MEDIUM' },
-  low: { color: colors.blue, symbol: '○', label: 'LOW' },
-  info: { color: colors.gray, symbol: '○', label: 'INFO' },
-}
+const SEVERITY_STYLE: Record<
+  VulnerabilitySeverity,
+  { color: string; symbol: string; label: string }
+> = {
+  critical: {
+    color: colors.bgRed + colors.white,
+    symbol: "●",
+    label: "CRITICAL",
+  },
+  high: { color: colors.red, symbol: "●", label: "HIGH" },
+  medium: { color: colors.yellow, symbol: "●", label: "MEDIUM" },
+  low: { color: colors.blue, symbol: "○", label: "LOW" },
+  info: { color: colors.gray, symbol: "○", label: "INFO" },
+};
 /**
  * Format colored text
  */
 function c(color: string, text: string): string {
-  return `${color}${text}${colors.reset}`
+  return `${color}${text}${colors.reset}`;
 }
 /**
  * Format severity badge
  */
 function severityBadge(severity: VulnerabilitySeverity): string {
-  const style = SEVERITY_STYLE[severity]
-  return c(style.color, `${style.symbol} ${style.label}`)
+  const style = SEVERITY_STYLE[severity];
+  return c(style.color, `${style.symbol} ${style.label}`);
 }
 /**
  * Format options for single finding
  */
 interface FormatFindingOptions {
-  indent?: string
-  compact?: boolean
-  verbose?: boolean
+  indent?: string;
+  compact?: boolean;
+  verbose?: boolean;
 }
 /**
@@ -73,272 +91,497 @@ interface FormatFindingOptions {
  * Compact: Severity + title + location only
  * Verbose: All of the above plus references and validation notes
  */
-function formatFinding(finding: Vulnerability, options: FormatFindingOptions = {}): string {
-  const { indent = '  ', compact = false, verbose = false } = options
-  const badge = severityBadge(finding.severity)
-  const location = c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
-  const hash = computeFindingHash(finding)
+function formatFinding(
+  finding: Vulnerability,
+  options: FormatFindingOptions = {},
+): string {
+  const { indent = "  ", compact = false, verbose = false } = options;
+  const badge = severityBadge(finding.severity);
+  const location = c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`);
+  const hash = computeFindingHash(finding);
   // Compact mode: just severity, title, and location
   if (compact) {
-    return `${indent}${badge} ${c(colors.bold, finding.title)}  ${location}\n`
+    return `${indent}${badge} ${c(colors.bold, finding.title)}  ${location}\n`;
   }
   // Default actionable output
-  let output = `${indent}${badge} ${c(colors.bold, finding.title)}\n`
-  output += `${indent}   ${location}\n`
-  output += '\n'
+  let output = `${indent}${badge} ${c(colors.bold, finding.title)}\n`;
+  output += `${indent}   ${location}\n`;
+  output += "\n";
   // Impact (why this matters) - shown by default
   if (finding.impact) {
-    output += `${indent}   ${c(colors.yellow + colors.bold, 'Impact:')} ${finding.impact}\n`
-    output += '\n'
+    output += `${indent}   ${c(colors.yellow + colors.bold, "Impact:")} ${finding.impact}\n`;
+    output += "\n";
+  }
+  // Taint flow path — shown for taint-based findings
+  if (finding.taintPath && finding.taintPath.steps.length > 0) {
+    output += `${indent}   ${c(colors.yellow + colors.bold, "Flow:")}\n`;
+    for (const step of finding.taintPath.steps) {
+      const icon =
+        step.stepType === "source"
+          ? "▶"
+          : step.stepType === "sink"
+            ? "◀"
+            : step.stepType === "sanitizer"
+              ? "✕"
+              : "→";
+      const lineRef = step.filePath
+        ? `${step.filePath}:${step.line}`
+        : `L${step.line}`;
+      const varPart = step.variable ? ` ${c(colors.cyan, step.variable)}` : "";
+      output += `${indent}     ${c(colors.dim, icon)} ${c(colors.dim, lineRef)}${varPart} ${c(colors.dim, "—")} ${step.description}\n`;
+    }
+    output += "\n";
   }
   // Code snippet
   if (finding.lineContent && finding.lineContent.trim()) {
-    output += `${indent}   ${c(colors.dim, 'Code:')} ${c(colors.white, finding.lineContent.trim().substring(0, 80))}${finding.lineContent.trim().length > 80 ? '...' : ''}\n`
-    output += '\n'
+    output += `${indent}   ${c(colors.dim, "Code:")} ${c(colors.white, finding.lineContent.trim().substring(0, 80))}${finding.lineContent.trim().length > 80 ? "..." : ""}\n`;
+    output += "\n";
   }
   // Fix steps - shown by default (numbered list)
   if (finding.fixSteps && finding.fixSteps.length > 0) {
-    output += `${indent}   ${c(colors.green + colors.bold, 'Fix:')}\n`
+    output += `${indent}   ${c(colors.green + colors.bold, "Fix:")}\n`;
     finding.fixSteps.forEach((step, i) => {
-      output += `${indent}   ${c(colors.green, `${i + 1}. ${step}`)}\n`
-    })
-    output += '\n'
+      output += `${indent}   ${c(colors.green, `${i + 1}. ${step}`)}\n`;
+    });
+    output += "\n";
   } else if (finding.suggestedFix) {
     // Fallback to legacy suggestedFix field
-    output += `${indent}   ${c(colors.green, finding.suggestedFix)}\n`
-    output += '\n'
+    output += `${indent}   ${c(colors.green, finding.suggestedFix)}\n`;
+    output += "\n";
   }
   // Verbose mode: show additional details
   if (verbose) {
     // Description
-    output += `${indent}   ${c(colors.dim, finding.description)}\n`
+    output += `${indent}   ${c(colors.dim, finding.description)}\n`;
     // References (OWASP/CWE links)
     if (finding.references && finding.references.length > 0) {
-      output += `${indent}   ${c(colors.blue, 'References:')}\n`
-      finding.references.forEach(ref => {
-        output += `${indent}   ${c(colors.blue, `  • ${ref}`)}\n`
-      })
+      output += `${indent}   ${c(colors.blue, "References:")}\n`;
+      finding.references.forEach((ref) => {
+        output += `${indent}   ${c(colors.blue, `  • ${ref}`)}\n`;
+      });
     }
     // Validation notes (if AI validated)
     if (finding.validationNotes) {
-      output += `${indent}   ${c(colors.dim, `[AI] ${finding.validationNotes}`)}\n`
+      output += `${indent}   ${c(colors.dim, `[AI] ${finding.validationNotes}`)}\n`;
     }
     // AI enhanced indicator
     if (finding.aiEnhanced) {
-      output += `${indent}   ${c(colors.magenta, '[AI] Enhanced fix suggestion')}\n`
+      output += `${indent}   ${c(colors.magenta, "[AI] Enhanced fix suggestion")}\n`;
     }
   }
   // Suppress command - always shown
-  output += `${indent}   ${c(colors.dim, `Suppress: oculum ignore ${hash} --file "${finding.filePath}:${finding.lineNumber}" --reason "..."`)}\n`
+  output += `${indent}   ${c(colors.dim, `Suppress: oculum ignore ${hash} --file "${finding.filePath}:${finding.lineNumber}" --reason "..."`)}\n`;
-  return output
+  return output;
 }
 /**
  * Format a group of findings
  */
-function formatGroup(group: GroupedFindings, options: {
-  maxFindings?: number
-  compact?: boolean
-  verbose?: boolean
-} = {}): string {
-  const { maxFindings = 10, compact = false, verbose = false } = options
-  const { theme, themeName, findings, severityCounts } = group
-  const config = THEME_CONFIG[theme]
+function formatGroup(
+  group: GroupedFindings,
+  options: {
+    maxFindings?: number;
+    compact?: boolean;
+    verbose?: boolean;
+  } = {},
+): string {
+  const { maxFindings = 10, compact = false, verbose = false } = options;
+  const { theme, themeName, findings, severityCounts } = group;
+  const config = THEME_CONFIG[theme];
   // Count summary
-  const counts: string[] = []
-  if (severityCounts.critical > 0) counts.push(c(colors.red, `${severityCounts.critical} critical`))
-  if (severityCounts.high > 0) counts.push(c(colors.red, `${severityCounts.high} high`))
-  if (severityCounts.medium > 0) counts.push(c(colors.yellow, `${severityCounts.medium} medium`))
-  if (severityCounts.low > 0) counts.push(c(colors.blue, `${severityCounts.low} low`))
-  if (severityCounts.info > 0) counts.push(c(colors.gray, `${severityCounts.info} info`))
-  let output = `\n${c(colors.bold, `${config.icon} ${themeName}`)} (${counts.join(', ')})\n`
-  output += c(colors.dim, '─'.repeat(60)) + '\n'
+  const counts: string[] = [];
+  if (severityCounts.critical > 0)
+    counts.push(c(colors.red, `${severityCounts.critical} critical`));
+  if (severityCounts.high > 0)
+    counts.push(c(colors.red, `${severityCounts.high} high`));
+  if (severityCounts.medium > 0)
+    counts.push(c(colors.yellow, `${severityCounts.medium} medium`));
+  if (severityCounts.low > 0)
+    counts.push(c(colors.blue, `${severityCounts.low} low`));
+  if (severityCounts.info > 0)
+    counts.push(c(colors.gray, `${severityCounts.info} info`));
+  let output = `\n${c(colors.bold, `${config.icon} ${themeName}`)} (${counts.join(", ")})\n`;
+  output += c(colors.dim, "─".repeat(60)) + "\n";
   // Show findings
-  const shown = findings.slice(0, maxFindings)
+  const shown = findings.slice(0, maxFindings);
   for (const finding of shown) {
-    output += formatFinding(finding, { compact, verbose }) + '\n'
+    output += formatFinding(finding, { compact, verbose }) + "\n";
   }
   // Truncation notice
   if (findings.length > maxFindings) {
-    output += c(colors.dim, `  ... and ${findings.length - maxFindings} more\n`)
+    output += c(
+      colors.dim,
+      `  ... and ${findings.length - maxFindings} more\n`,
+    );
   }
-  return output
+  return output;
 }
 /**
  * Format baseline diff summary
  */
-function formatDiffSummary(baselineDiff: NonNullable<ScanResult['baselineDiff']>): string {
-  let output = ''
+function formatDiffSummary(
+  baselineDiff: NonNullable<ScanResult["baselineDiff"]>,
+): string {
+  let output = "";
-  output += c(colors.bold, 'Baseline Comparison') + '\n'
-  output += c(colors.dim, '─'.repeat(40)) + '\n'
-  output += `  + ${c(colors.yellow, `${baselineDiff.newCount} new`)} findings\n`
-  output += `  - ${c(colors.green, `${baselineDiff.fixedCount} fixed`)} since baseline\n`
-  output += `  = ${c(colors.dim, `${baselineDiff.existingCount} existing`)} (in baseline)\n`
-  output += '\n'
+  output += c(colors.bold, "Baseline Comparison") + "\n";
+  output += c(colors.dim, "─".repeat(40)) + "\n";
+  output += `  + ${c(colors.yellow, `${baselineDiff.newCount} new`)} findings\n`;
+  output += `  - ${c(colors.green, `${baselineDiff.fixedCount} fixed`)} since baseline\n`;
+  output += `  = ${c(colors.dim, `${baselineDiff.existingCount} existing`)} (in baseline)\n`;
+  output += "\n";
   // Format baseline date
-  const baselineDate = new Date(baselineDiff.baselineCreatedAt)
-  const dateStr = baselineDate.toLocaleDateString('en-US', {
-    year: 'numeric',
-    month: 'short',
-    day: 'numeric',
-  })
-  const commitStr = baselineDiff.baselineCommit ? ` (${baselineDiff.baselineCommit})` : ''
-  output += c(colors.dim, `Baseline from ${dateStr}${commitStr}`) + '\n\n'
-  return output
+  const baselineDate = new Date(baselineDiff.baselineCreatedAt);
+  const dateStr = baselineDate.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "short",
+    day: "numeric",
+  });
+  const commitStr = baselineDiff.baselineCommit
+    ? ` (${baselineDiff.baselineCommit})`
+    : "";
+  output += c(colors.dim, `Baseline from ${dateStr}${commitStr}`) + "\n\n";
+  return output;
+}
+/**
+ * Collapse findings that share the same title|severity|category signature
+ * across 3+ distinct files into a single representative entry.
+ * Applied at display time only — does not mutate the underlying scan result.
+ */
+function collapseAcrossFiles(findings: Vulnerability[]): Vulnerability[] {
+  const bySignature = new Map<string, Vulnerability[]>();
+  for (const f of findings) {
+    const sig = `${f.title}|${f.severity}|${f.category}`;
+    const group = bySignature.get(sig) ?? [];
+    group.push(f);
+    bySignature.set(sig, group);
+  }
+  const result: Vulnerability[] = [];
+  for (const [, group] of bySignature) {
+    const files = [...new Set(group.map((f) => f.filePath))];
+    if (files.length >= 3) {
+      const first = group[0];
+      const fileList = files
+        .slice(0, 3)
+        .map((f) => path.basename(f))
+        .join(", ");
+      result.push({
+        ...first,
+        title: `${first.title} (${files.length} routes)`,
+        description: `${first.description}\n\nAffects ${files.length} files: ${fileList}${files.length > 3 ? `, ... and ${files.length - 3} more` : ""}`,
+      });
+    } else {
+      result.push(...group);
+    }
+  }
+  return result;
 }
 /**
  * Format full scan result for terminal
  */
-export function formatTerminalOutput(result: ScanResult, options: {
-  maxFindingsPerGroup?: number
-  showAllFindings?: boolean
-  noColor?: boolean
-  compact?: boolean
-  verbose?: boolean
-} = {}): string {
+export function formatTerminalOutput(
+  result: ScanResult,
+  options: {
+    maxFindingsPerGroup?: number;
+    showAllFindings?: boolean;
+    noColor?: boolean;
+    compact?: boolean;
+    verbose?: boolean;
+  } = {},
+): string {
   const {
     maxFindingsPerGroup = 10,
     showAllFindings = false,
     compact = false,
     verbose = false,
-  } = options
+  } = options;
-  const { vulnerabilities, severityCounts, hasBlockingIssues, filesScanned, scanDuration, baselineDiff } = result
+  const {
+    vulnerabilities,
+    severityCounts,
+    hasBlockingIssues,
+    filesScanned,
+    scanDuration,
+    baselineDiff,
+  } = result;
-  let output = '\n'
+  let output = "\n";
   // Header
-  output += c(colors.bold, '═'.repeat(60)) + '\n'
-  output += c(colors.bold, '  OCULUM SECURITY SCAN RESULTS') + '\n'
-  output += c(colors.bold, '═'.repeat(60)) + '\n\n'
+  output += c(colors.bold, "═".repeat(60)) + "\n";
+  output += c(colors.bold, "  OCULUM SECURITY SCAN RESULTS") + "\n";
+  output += c(colors.bold, "═".repeat(60)) + "\n\n";
   // Baseline diff summary (if present)
   if (baselineDiff) {
-    output += formatDiffSummary(baselineDiff)
+    output += formatDiffSummary(baselineDiff);
   }
   // Status
   if (hasBlockingIssues) {
-    const blocking = severityCounts.critical + severityCounts.high
-    output += c(colors.bgRed + colors.white + colors.bold, ` ! ${blocking} BLOCKING ISSUES FOUND `) + '\n\n'
+    const blocking = severityCounts.critical + severityCounts.high;
+    output +=
+      c(
+        colors.bgRed + colors.white + colors.bold,
+        ` ! ${blocking} BLOCKING ISSUES FOUND `,
+      ) + "\n\n";
   } else if (vulnerabilities.length > 0) {
-    output += c(colors.yellow, `${vulnerabilities.length} issues found (no blocking issues)`) + '\n\n'
+    output +=
+      c(
+        colors.yellow,
+        `${vulnerabilities.length} issues found (no blocking issues)`,
+      ) + "\n\n";
   } else {
-    output += c(colors.green, 'No security issues found!') + '\n\n'
-    output += c(colors.dim, `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`) + '\n'
-    return output
+    output += c(colors.green, "No security issues found!") + "\n\n";
+    output +=
+      c(
+        colors.dim,
+        `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`,
+      ) + "\n";
+    return output;
   }
   // Summary counts
-  output += c(colors.bold, 'Summary:') + '\n'
-  if (severityCounts.critical > 0) output += `  ${severityBadge('critical')}  ${severityCounts.critical}\n`
-  if (severityCounts.high > 0) output += `  ${severityBadge('high')}      ${severityCounts.high}\n`
-  if (severityCounts.medium > 0) output += `  ${severityBadge('medium')}    ${severityCounts.medium}\n`
-  if (severityCounts.low > 0) output += `  ${severityBadge('low')}       ${severityCounts.low}\n`
-  if (severityCounts.info > 0) output += `  ${severityBadge('info')}      ${severityCounts.info}\n`
-  output += '\n'
+  output += c(colors.bold, "Summary:") + "\n";
+  if (severityCounts.critical > 0)
+    output += `  ${severityBadge("critical")}  ${severityCounts.critical}\n`;
+  if (severityCounts.high > 0)
+    output += `  ${severityBadge("high")}      ${severityCounts.high}\n`;
+  if (severityCounts.medium > 0)
+    output += `  ${severityBadge("medium")}    ${severityCounts.medium}\n`;
+  if (severityCounts.low > 0)
+    output += `  ${severityBadge("low")}       ${severityCounts.low}\n`;
+  if (severityCounts.info > 0)
+    output += `  ${severityBadge("info")}      ${severityCounts.info}\n`;
+  output += "\n";
   // Blocking issues first
-  const blockingIssues = getBlockingIssues(vulnerabilities)
+  const blockingIssues = getBlockingIssues(vulnerabilities);
+  const blockingIds = new Set(blockingIssues.map((f) => f.id));
   if (blockingIssues.length > 0) {
-    output += c(colors.bgRed + colors.white + colors.bold, ' BLOCKING ISSUES ') + '\n'
-    output += c(colors.red, 'These must be fixed before merging:') + '\n\n'
+    output +=
+      c(colors.bgRed + colors.white + colors.bold, " BLOCKING ISSUES ") + "\n";
+    output += c(colors.red, "These must be fixed before merging:") + "\n\n";
     for (const finding of blockingIssues.slice(0, 10)) {
-      output += formatFinding(finding, { compact, verbose })
-      output += '\n'
+      output += formatFinding(finding, { compact, verbose });
+      output += "\n";
     }
     if (blockingIssues.length > 10) {
-      output += c(colors.dim, `  ... and ${blockingIssues.length - 10} more blocking issues\n`)
+      output += c(
+        colors.dim,
+        `  ... and ${blockingIssues.length - 10} more blocking issues\n`,
+      );
     }
-    output += '\n'
+    output += "\n";
   }
   // Grouped findings
-  const grouped = groupByTheme(vulnerabilities)
-  output += c(colors.bold, '─'.repeat(60)) + '\n'
-  output += c(colors.bold, 'ALL FINDINGS BY CATEGORY') + '\n'
-  for (const group of grouped) {
-    // Skip if only showing non-blocking and all are blocking
-    if (!showAllFindings) {
-      const nonBlocking = group.findings.filter(
-        f => f.severity !== 'critical' && f.severity !== 'high'
-      )
-      if (nonBlocking.length === 0 && blockingIssues.length > 0) continue
+  const grouped = groupByTheme(vulnerabilities);
+  // Check if any groups have non-blocking findings to display
+  const hasNonBlockingGroups =
+    showAllFindings ||
+    grouped.some((group) => {
+      const displayFindings = group.findings.filter(
+        (f) => !blockingIds.has(f.id),
+      );
+      return displayFindings.length > 0;
+    });
+  if (hasNonBlockingGroups) {
+    output += c(colors.bold, "─".repeat(60)) + "\n";
+    output += c(colors.bold, "ALL FINDINGS BY CATEGORY") + "\n";
+    for (const group of grouped) {
+      const displayFindings = showAllFindings
+        ? group.findings
+        : group.findings.filter((f) => !blockingIds.has(f.id));
+      if (displayFindings.length === 0) continue;
+      const collapsed = collapseAcrossFiles(displayFindings);
+      // Recompute severity counts from the filtered/collapsed findings
+      const filteredCounts: Record<string, number> = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0,
+      };
+      for (const f of collapsed)
+        filteredCounts[f.severity] = (filteredCounts[f.severity] ?? 0) + 1;
+      output += formatGroup(
+        {
+          ...group,
+          findings: collapsed,
+          severityCounts: filteredCounts as typeof group.severityCounts,
+        },
+        {
+          maxFindings: maxFindingsPerGroup,
+          compact,
+          verbose,
+        },
+      );
     }
-    output += formatGroup(group, { maxFindings: maxFindingsPerGroup, compact, verbose })
   }
   // Suppressed findings section (if any)
-  if (result.suppressedVulnerabilities && result.suppressedVulnerabilities.length > 0) {
-    output += '\n' + c(colors.dim, '─'.repeat(60)) + '\n'
-    output += c(colors.dim + colors.bold, 'SUPPRESSED FINDINGS') + '\n'
-    output += c(colors.dim, `${result.suppressedVulnerabilities.length} findings suppressed`) + '\n\n'
+  if (
+    result.suppressedVulnerabilities &&
+    result.suppressedVulnerabilities.length > 0
+  ) {
+    output += "\n" + c(colors.dim, "─".repeat(60)) + "\n";
+    output += c(colors.dim + colors.bold, "SUPPRESSED FINDINGS") + "\n";
+    output +=
+      c(
+        colors.dim,
+        `${result.suppressedVulnerabilities.length} findings suppressed`,
+      ) + "\n\n";
     for (const suppressed of result.suppressedVulnerabilities.slice(0, 5)) {
-      const typeLabel = suppressed.suppressionType === 'inline' ? 'inline'
-        : suppressed.suppressionType === 'config-finding' ? 'config'
-        : 'rule'
-      output += c(colors.dim, `  ${suppressed.hash.slice(0, 8)} ${suppressed.filePath}:${suppressed.lineNumber}`) + '\n'
-      output += c(colors.dim, `    ${suppressed.title}`) + '\n'
-      output += c(colors.dim, `    [${typeLabel}] ${suppressed.suppressionReason}`) + '\n'
+      const typeLabel =
+        suppressed.suppressionType === "inline"
+          ? "inline"
+          : suppressed.suppressionType === "config-finding"
+            ? "config"
+            : "rule";
+      output +=
+        c(
+          colors.dim,
+          `  ${suppressed.hash.slice(0, 8)} ${suppressed.filePath}:${suppressed.lineNumber}`,
+        ) + "\n";
+      output += c(colors.dim, `    ${suppressed.title}`) + "\n";
+      output +=
+        c(colors.dim, `    [${typeLabel}] ${suppressed.suppressionReason}`) +
+        "\n";
       if (suppressed.expires) {
-        output += c(colors.dim, `    Expires: ${suppressed.expires}`) + '\n'
+        output += c(colors.dim, `    Expires: ${suppressed.expires}`) + "\n";
       }
-      output += '\n'
+      output += "\n";
     }
     if (result.suppressedVulnerabilities.length > 5) {
-      output += c(colors.dim, `  ... and ${result.suppressedVulnerabilities.length - 5} more suppressed\n`)
+      output += c(
+        colors.dim,
+        `  ... and ${result.suppressedVulnerabilities.length - 5} more suppressed\n`,
+      );
     }
   }
   // Suppression stats (if any)
-  if (result.suppressionStats && (result.suppressionStats.inlineSuppressed > 0 ||
+  if (
+    result.suppressionStats &&
+    (result.suppressionStats.inlineSuppressed > 0 ||
       result.suppressionStats.configFindingSuppressed > 0 ||
-      result.suppressionStats.configRuleSuppressed > 0)) {
-    const stats = result.suppressionStats
-    const parts: string[] = []
-    if (stats.inlineSuppressed > 0) parts.push(`${stats.inlineSuppressed} inline`)
-    if (stats.configFindingSuppressed > 0) parts.push(`${stats.configFindingSuppressed} config`)
-    if (stats.configRuleSuppressed > 0) parts.push(`${stats.configRuleSuppressed} rule`)
-    if (stats.expired > 0) parts.push(`${stats.expired} expired`)
+      result.suppressionStats.configRuleSuppressed > 0)
+  ) {
+    const stats = result.suppressionStats;
+    const parts: string[] = [];
+    if (stats.inlineSuppressed > 0)
+      parts.push(`${stats.inlineSuppressed} inline`);
+    if (stats.configFindingSuppressed > 0)
+      parts.push(`${stats.configFindingSuppressed} config`);
+    if (stats.configRuleSuppressed > 0)
+      parts.push(`${stats.configRuleSuppressed} rule`);
+    if (stats.expired > 0) parts.push(`${stats.expired} expired`);
     if (!result.suppressedVulnerabilities) {
-      output += '\n' + c(colors.dim, `Suppressed: ${parts.join(', ')}`) + '\n'
+      output += "\n" + c(colors.dim, `Suppressed: ${parts.join(", ")}`) + "\n";
+    }
+  }
+  // For Review section (confidence-suppressed findings eligible for review)
+  const MAX_FOR_REVIEW = 5;
+  if (result.forReviewFindings && result.forReviewFindings.length > 0) {
+    output += "\n" + c(colors.dim, "─".repeat(60)) + "\n";
+    output += c(colors.yellow + colors.bold, "FOR REVIEW") + " ";
+    output +=
+      c(
+        colors.dim,
+        `(${result.forReviewFindings.length} lower-confidence findings)`,
+      ) + "\n";
+    output +=
+      c(colors.dim, "Run with -d verified to AI-validate these findings.") +
+      "\n\n";
+    for (const finding of result.forReviewFindings.slice(0, MAX_FOR_REVIEW)) {
+      const score = Math.round(finding.confidenceScore * 100);
+      output += `  ${severityBadge(finding.severity)} ${finding.title}\n`;
+      output +=
+        c(colors.dim, `     ${finding.filePath}:${finding.lineNumber}`) + " ";
+      output += c(colors.dim, `[${score}%]`) + "\n";
+    }
+    if (result.forReviewFindings.length > MAX_FOR_REVIEW) {
+      output +=
+        c(
+          colors.dim,
+          `\n  ... and ${result.forReviewFindings.length - MAX_FOR_REVIEW} more`,
+        ) + "\n";
     }
   }
+  // Unvalidated findings notice
+  const unvalidatedCount = vulnerabilities.filter(
+    (v) => v.validationStatus === "not_validated",
+  ).length;
+  if (unvalidatedCount > 0) {
+    output +=
+      "\n" +
+      c(
+        colors.yellow,
+        `  ⚠ ${unvalidatedCount} finding(s) need AI review (run with --depth verified)`,
+      ) +
+      "\n";
+  }
   // Footer
-  output += '\n' + c(colors.dim, '─'.repeat(60)) + '\n'
-  output += c(colors.dim, `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`) + '\n'
+  output += "\n" + c(colors.dim, "─".repeat(60)) + "\n";
+  // Language breakdown
+  if (result.languageStats && Object.keys(result.languageStats).length > 0) {
+    const langParts = Object.entries(result.languageStats)
+      .sort(([, a], [, b]) => b - a)
+      .map(([lang, count]) => `${count} ${lang}`);
+    output += c(colors.dim, `Scanned: ${langParts.join(", ")}`) + "\n";
+  }
+  output +=
+    c(
+      colors.dim,
+      `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`,
+    ) + "\n";
-  return output
+  return output;
 }
 /**
@@ -346,13 +589,13 @@ export function formatTerminalOutput(result: ScanResult, options: {
  */
 export interface CompactSummaryOptions {
   /** Number findings for reference with show command */
-  showNumbers?: boolean
+  showNumbers?: boolean;
   /** Limit shown per severity (default: 5) */
-  maxPerSeverity?: number
+  maxPerSeverity?: number;
   /** Show "Run oculum show..." hint */
-  showHint?: boolean
+  showHint?: boolean;
   /** Disable colors */
-  noColor?: boolean
+  noColor?: boolean;
 }
 /**
@@ -364,19 +607,19 @@ export interface CompactSummaryOptions {
  */
 export function formatCompactSummary(
   vulnerabilities: Vulnerability[],
-  options: CompactSummaryOptions = {}
+  options: CompactSummaryOptions = {},
 ): string {
   const {
     showNumbers = true,
     maxPerSeverity = 5,
     showHint = true,
     noColor = false,
-  } = options
+  } = options;
   if (vulnerabilities.length === 0) {
     return noColor
-      ? 'No security issues found.'
-      : c(colors.green, 'No security issues found.')
+      ? "No security issues found."
+      : c(colors.green, "No security issues found.");
   }
   // Group by severity
@@ -386,82 +629,96 @@ export function formatCompactSummary(
     medium: [],
     low: [],
     info: [],
-  }
+  };
   for (const v of vulnerabilities) {
-    bySeverity[v.severity].push(v)
+    bySeverity[v.severity].push(v);
   }
   // Build output
-  let output = ''
-  let globalIndex = 1
-  const severityOrder: VulnerabilitySeverity[] = ['critical', 'high', 'medium', 'low', 'info']
+  let output = "";
+  let globalIndex = 1;
+  const severityOrder: VulnerabilitySeverity[] = [
+    "critical",
+    "high",
+    "medium",
+    "low",
+    "info",
+  ];
   const severityColors: Record<VulnerabilitySeverity, string> = {
     critical: colors.bgRed + colors.white,
     high: colors.red,
     medium: colors.yellow,
     low: colors.blue,
     info: colors.gray,
-  }
+  };
   for (const severity of severityOrder) {
-    const findings = bySeverity[severity]
-    if (findings.length === 0) continue
+    const findings = bySeverity[severity];
+    if (findings.length === 0) continue;
     // Severity header
-    const label = severity.toUpperCase()
+    const label = severity.toUpperCase();
     const header = noColor
       ? `${label} (${findings.length})`
-      : c(severityColors[severity] + colors.bold, `${label} (${findings.length})`)
-    output += `\n  ${header}\n`
+      : c(
+          severityColors[severity] + colors.bold,
+          `${label} (${findings.length})`,
+        );
+    output += `\n  ${header}\n`;
     // Show findings
-    const shown = findings.slice(0, maxPerSeverity)
+    const shown = findings.slice(0, maxPerSeverity);
     for (const finding of shown) {
-      const num = showNumbers ? `${globalIndex}. ` : ''
+      const num = showNumbers ? `${globalIndex}. ` : "";
       const location = noColor
         ? `${finding.filePath}:${finding.lineNumber}`
-        : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
+        : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`);
       output += noColor
         ? `     ${num}${finding.title} in ${location}\n`
-        : `     ${c(colors.dim, num)}${finding.title} ${c(colors.dim, 'in')} ${location}\n`
+        : `     ${c(colors.dim, num)}${finding.title} ${c(colors.dim, "in")} ${location}\n`;
-      globalIndex++
+      globalIndex++;
     }
     // Show truncation notice
     if (findings.length > maxPerSeverity) {
-      const more = findings.length - maxPerSeverity
+      const more = findings.length - maxPerSeverity;
       const truncated = noColor
         ? `     ... and ${more} more\n`
-        : c(colors.dim, `     ... and ${more} more\n`)
-      output += truncated
-      globalIndex += more // Increment for hidden findings
+        : c(colors.dim, `     ... and ${more} more\n`);
+      output += truncated;
+      globalIndex += more; // Increment for hidden findings
     }
   }
   // Hint at bottom
   if (showHint && vulnerabilities.length > 0) {
-    output += '\n'
+    output += "\n";
     output += noColor
       ? "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n"
-      : c(colors.dim, "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n")
+      : c(
+          colors.dim,
+          "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n",
+        );
   }
-  return output
+  return output;
 }
 /**
  * Format a numbered finding list for the show command
  * Returns findings with their numbers for reference
  */
-export function getNumberedFindings(vulnerabilities: Vulnerability[]): Array<{ number: number; finding: Vulnerability }> {
+export function getNumberedFindings(
+  vulnerabilities: Vulnerability[],
+): Array<{ number: number; finding: Vulnerability }> {
   return vulnerabilities.map((finding, index) => ({
     number: index + 1,
     finding,
-  }))
+  }));
 }
 /**
@@ -470,212 +727,242 @@ export function getNumberedFindings(vulnerabilities: Vulnerability[]): Array<{ n
 export function formatFindingDetail(
   finding: Vulnerability,
   number: number,
-  options: { verbose?: boolean; noColor?: boolean } = {}
+  options: { verbose?: boolean; noColor?: boolean } = {},
 ): string {
-  const { verbose = false, noColor = false } = options
+  const { verbose = false, noColor = false } = options;
-  let output = ''
+  let output = "";
   // Header
   const badge = noColor
     ? `[${finding.severity.toUpperCase()}]`
-    : severityBadge(finding.severity)
-  const title = noColor ? finding.title : c(colors.bold, finding.title)
-  output += `\n#${number} ${badge} ${title}\n`
+    : severityBadge(finding.severity);
+  const title = noColor ? finding.title : c(colors.bold, finding.title);
+  output += `\n#${number} ${badge} ${title}\n`;
   // Location
   const location = noColor
-    ? finding.filePath + ':' + finding.lineNumber
-    : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
-  output += `   ${location}\n`
-  output += '\n'
+    ? finding.filePath + ":" + finding.lineNumber
+    : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`);
+  output += `   ${location}\n`;
+  output += "\n";
   // Impact
   if (finding.impact) {
-    const impactLabel = noColor ? 'Impact:' : c(colors.yellow + colors.bold, 'Impact:')
-    output += `   ${impactLabel} ${finding.impact}\n`
-    output += '\n'
+    const impactLabel = noColor
+      ? "Impact:"
+      : c(colors.yellow + colors.bold, "Impact:");
+    output += `   ${impactLabel} ${finding.impact}\n`;
+    output += "\n";
   }
   // Code snippet
   if (finding.lineContent && finding.lineContent.trim()) {
-    const codeLabel = noColor ? 'Code:' : c(colors.dim, 'Code:')
-    const code = finding.lineContent.trim().substring(0, 100)
-    const codeText = noColor ? code : c(colors.white, code)
-    output += `   ${codeLabel} ${codeText}${finding.lineContent.trim().length > 100 ? '...' : ''}\n`
-    output += '\n'
+    const codeLabel = noColor ? "Code:" : c(colors.dim, "Code:");
+    const code = finding.lineContent.trim().substring(0, 100);
+    const codeText = noColor ? code : c(colors.white, code);
+    output += `   ${codeLabel} ${codeText}${finding.lineContent.trim().length > 100 ? "..." : ""}\n`;
+    output += "\n";
   }
   // Description
   output += noColor
     ? `   ${finding.description}\n`
-    : `   ${c(colors.dim, finding.description)}\n`
-  output += '\n'
+    : `   ${c(colors.dim, finding.description)}\n`;
+  output += "\n";
   // Fix steps
   if (finding.fixSteps && finding.fixSteps.length > 0) {
-    const fixLabel = noColor ? 'How to fix:' : c(colors.green + colors.bold, 'How to fix:')
-    output += `   ${fixLabel}\n`
+    const fixLabel = noColor
+      ? "How to fix:"
+      : c(colors.green + colors.bold, "How to fix:");
+    output += `   ${fixLabel}\n`;
     finding.fixSteps.forEach((step, i) => {
-      const stepText = noColor ? `${i + 1}. ${step}` : c(colors.green, `${i + 1}. ${step}`)
-      output += `   ${stepText}\n`
-    })
-    output += '\n'
+      const stepText = noColor
+        ? `${i + 1}. ${step}`
+        : c(colors.green, `${i + 1}. ${step}`);
+      output += `   ${stepText}\n`;
+    });
+    output += "\n";
   } else if (finding.suggestedFix) {
-    const fixLabel = noColor ? 'Suggested fix:' : c(colors.green + colors.bold, 'Suggested fix:')
-    output += `   ${fixLabel} ${finding.suggestedFix}\n`
-    output += '\n'
+    const fixLabel = noColor
+      ? "Suggested fix:"
+      : c(colors.green + colors.bold, "Suggested fix:");
+    output += `   ${fixLabel} ${finding.suggestedFix}\n`;
+    output += "\n";
   }
   // Verbose mode: additional details
   if (verbose) {
     // References
     if (finding.references && finding.references.length > 0) {
-      const refLabel = noColor ? 'References:' : c(colors.blue, 'References:')
-      output += `   ${refLabel}\n`
-      finding.references.forEach(ref => {
+      const refLabel = noColor ? "References:" : c(colors.blue, "References:");
+      output += `   ${refLabel}\n`;
+      finding.references.forEach((ref) => {
         output += noColor
           ? `   - ${ref}\n`
-          : `   ${c(colors.blue, `- ${ref}`)}\n`
-      })
-      output += '\n'
+          : `   ${c(colors.blue, `- ${ref}`)}\n`;
+      });
+      output += "\n";
     }
     // Validation notes
     if (finding.validationNotes) {
-      const notesLabel = noColor ? '[AI]' : c(colors.magenta, '[AI]')
-      output += `   ${notesLabel} ${finding.validationNotes}\n`
-      output += '\n'
+      const notesLabel = noColor ? "[AI]" : c(colors.magenta, "[AI]");
+      output += `   ${notesLabel} ${finding.validationNotes}\n`;
+      output += "\n";
     }
     // Category and confidence
     output += noColor
-      ? `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`
-      : c(colors.dim, `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`)
+      ? `   Category: ${finding.category} · Confidence: ${finding.confidence || "medium"} · Layer: ${finding.layer}\n`
+      : c(
+          colors.dim,
+          `   Category: ${finding.category} · Confidence: ${finding.confidence || "medium"} · Layer: ${finding.layer}\n`,
+        );
   }
-  return output
+  return output;
 }
 /**
  * Format as simple list (no grouping, no colors)
  */
 export function formatSimpleList(vulnerabilities: Vulnerability[]): string {
-  let output = ''
+  let output = "";
   for (const finding of vulnerabilities) {
-    const severity = finding.severity.toUpperCase().padEnd(8)
-    output += `[${severity}] ${finding.filePath}:${finding.lineNumber} - ${finding.title}\n`
+    const severity = finding.severity.toUpperCase().padEnd(8);
+    output += `[${severity}] ${finding.filePath}:${finding.lineNumber} - ${finding.title}\n`;
   }
-  return output
+  return output;
 }
 /**
  * Format as JSON (for piping to other tools)
  */
-export function formatJSON(result: ScanResult, pretty: boolean = false): string {
-  if (pretty) {
-    return JSON.stringify(result, null, 2)
-  }
-  return JSON.stringify(result)
+export function formatJSON(
+  result: ScanResult,
+  pretty: boolean = false,
+): string {
+  const sanitized = sanitizeScanResult(result);
+  return pretty
+    ? JSON.stringify(sanitized, null, 2)
+    : JSON.stringify(sanitized);
 }
 /**
  * Rule metadata for SARIF output
  */
-const RULE_METADATA: Record<string, { name: string; description: string; helpUri: string; tags: string[] }> = {
+const RULE_METADATA: Record<
+  string,
+  { name: string; description: string; helpUri: string; tags: string[] }
+> = {
   hardcoded_secret: {
-    name: 'Hardcoded Secret',
-    description: 'Sensitive credentials or API keys hardcoded in source code. These can be extracted from version control history or compiled binaries.',
-    helpUri: 'https://oculum.dev/docs/rules/hardcoded-secrets',
-    tags: ['security', 'secrets', 'credentials'],
+    name: "Hardcoded Secret",
+    description:
+      "Sensitive credentials or API keys hardcoded in source code. These can be extracted from version control history or compiled binaries.",
+    helpUri: "https://oculum.dev/docs/rules/hardcoded-secrets",
+    tags: ["security", "secrets", "credentials"],
   },
   high_entropy_string: {
-    name: 'High Entropy String',
-    description: 'A high-entropy string that may be a secret or API key. Review to ensure it is not sensitive data.',
-    helpUri: 'https://oculum.dev/docs/rules/high-entropy',
-    tags: ['security', 'secrets'],
+    name: "High Entropy String",
+    description:
+      "A high-entropy string that may be a secret or API key. Review to ensure it is not sensitive data.",
+    helpUri: "https://oculum.dev/docs/rules/high-entropy",
+    tags: ["security", "secrets"],
   },
   ai_prompt_injection: {
-    name: 'AI Prompt Injection',
-    description: 'User input is included in AI prompts without proper sanitization, potentially allowing prompt injection attacks.',
-    helpUri: 'https://oculum.dev/docs/rules/prompt-injection',
-    tags: ['security', 'ai', 'injection'],
+    name: "AI Prompt Injection",
+    description:
+      "User input is included in AI prompts without proper sanitization, potentially allowing prompt injection attacks.",
+    helpUri: "https://oculum.dev/docs/rules/prompt-injection",
+    tags: ["security", "ai", "injection"],
   },
   ai_unsafe_execution: {
-    name: 'AI Unsafe Execution',
-    description: 'AI-generated content is used in code execution, SQL queries, or other dangerous sinks without validation.',
-    helpUri: 'https://oculum.dev/docs/rules/unsafe-execution',
-    tags: ['security', 'ai', 'injection'],
+    name: "AI Unsafe Execution",
+    description:
+      "AI-generated content is used in code execution, SQL queries, or other dangerous sinks without validation.",
+    helpUri: "https://oculum.dev/docs/rules/unsafe-execution",
+    tags: ["security", "ai", "injection"],
   },
   ai_overpermissive_tool: {
-    name: 'AI Overpermissive Tool',
-    description: 'AI agent tool has excessive permissions without proper restrictions or sandboxing.',
-    helpUri: 'https://oculum.dev/docs/rules/overpermissive-tools',
-    tags: ['security', 'ai', 'authorization'],
+    name: "AI Overpermissive Tool",
+    description:
+      "AI agent tool has excessive permissions without proper restrictions or sandboxing.",
+    helpUri: "https://oculum.dev/docs/rules/overpermissive-tools",
+    tags: ["security", "ai", "authorization"],
   },
   ai_rag_exfiltration: {
-    name: 'AI RAG Data Exfiltration',
-    description: 'RAG (Retrieval Augmented Generation) queries may expose data across tenant boundaries or leak sensitive context.',
-    helpUri: 'https://oculum.dev/docs/rules/rag-exfiltration',
-    tags: ['security', 'ai', 'data-exposure'],
+    name: "AI RAG Data Exfiltration",
+    description:
+      "RAG (Retrieval Augmented Generation) queries may expose data across tenant boundaries or leak sensitive context.",
+    helpUri: "https://oculum.dev/docs/rules/rag-exfiltration",
+    tags: ["security", "ai", "data-exposure"],
   },
   ai_endpoint_unprotected: {
-    name: 'AI Endpoint Unprotected',
-    description: 'AI endpoint lacks authentication or rate limiting, potentially allowing abuse or cost attacks.',
-    helpUri: 'https://oculum.dev/docs/rules/unprotected-endpoints',
-    tags: ['security', 'ai', 'authentication'],
+    name: "AI Endpoint Unprotected",
+    description:
+      "AI endpoint lacks authentication or rate limiting, potentially allowing abuse or cost attacks.",
+    helpUri: "https://oculum.dev/docs/rules/unprotected-endpoints",
+    tags: ["security", "ai", "authentication"],
   },
   ai_schema_mismatch: {
-    name: 'AI Schema Validation Missing',
-    description: 'AI-generated output is used without schema validation, potentially allowing malformed or malicious data.',
-    helpUri: 'https://oculum.dev/docs/rules/schema-validation',
-    tags: ['security', 'ai', 'validation'],
+    name: "AI Schema Validation Missing",
+    description:
+      "AI-generated output is used without schema validation, potentially allowing malformed or malicious data.",
+    helpUri: "https://oculum.dev/docs/rules/schema-validation",
+    tags: ["security", "ai", "validation"],
   },
   sql_injection: {
-    name: 'SQL Injection',
-    description: 'User input is concatenated into SQL queries without parameterization, allowing SQL injection attacks.',
-    helpUri: 'https://oculum.dev/docs/rules/sql-injection',
-    tags: ['security', 'injection', 'database'],
+    name: "SQL Injection",
+    description:
+      "User input is concatenated into SQL queries without parameterization, allowing SQL injection attacks.",
+    helpUri: "https://oculum.dev/docs/rules/sql-injection",
+    tags: ["security", "injection", "database"],
   },
   xss: {
-    name: 'Cross-Site Scripting (XSS)',
-    description: 'User input is rendered in HTML without proper escaping, allowing script injection.',
-    helpUri: 'https://oculum.dev/docs/rules/xss',
-    tags: ['security', 'injection', 'web'],
+    name: "Cross-Site Scripting (XSS)",
+    description:
+      "User input is rendered in HTML without proper escaping, allowing script injection.",
+    helpUri: "https://oculum.dev/docs/rules/xss",
+    tags: ["security", "injection", "web"],
   },
   command_injection: {
-    name: 'Command Injection',
-    description: 'User input is passed to shell commands without sanitization, allowing arbitrary command execution.',
-    helpUri: 'https://oculum.dev/docs/rules/command-injection',
-    tags: ['security', 'injection', 'shell'],
+    name: "Command Injection",
+    description:
+      "User input is passed to shell commands without sanitization, allowing arbitrary command execution.",
+    helpUri: "https://oculum.dev/docs/rules/command-injection",
+    tags: ["security", "injection", "shell"],
   },
   missing_auth: {
-    name: 'Missing Authentication',
-    description: 'Sensitive endpoint or route lacks authentication checks.',
-    helpUri: 'https://oculum.dev/docs/rules/missing-auth',
-    tags: ['security', 'authentication'],
+    name: "Missing Authentication",
+    description: "Sensitive endpoint or route lacks authentication checks.",
+    helpUri: "https://oculum.dev/docs/rules/missing-auth",
+    tags: ["security", "authentication"],
   },
   data_exposure: {
-    name: 'Data Exposure',
-    description: 'Sensitive data may be exposed through logging, error messages, or API responses.',
-    helpUri: 'https://oculum.dev/docs/rules/data-exposure',
-    tags: ['security', 'data-exposure'],
+    name: "Data Exposure",
+    description:
+      "Sensitive data may be exposed through logging, error messages, or API responses.",
+    helpUri: "https://oculum.dev/docs/rules/data-exposure",
+    tags: ["security", "data-exposure"],
   },
   insecure_config: {
-    name: 'Insecure Configuration',
-    description: 'Security-relevant configuration is set to an insecure value.',
-    helpUri: 'https://oculum.dev/docs/rules/insecure-config',
-    tags: ['security', 'configuration'],
+    name: "Insecure Configuration",
+    description: "Security-relevant configuration is set to an insecure value.",
+    helpUri: "https://oculum.dev/docs/rules/insecure-config",
+    tags: ["security", "configuration"],
   },
   dangerous_function: {
-    name: 'Dangerous Function',
-    description: 'Use of a function known to be dangerous or deprecated for security reasons.',
-    helpUri: 'https://oculum.dev/docs/rules/dangerous-functions',
-    tags: ['security', 'code-quality'],
+    name: "Dangerous Function",
+    description:
+      "Use of a function known to be dangerous or deprecated for security reasons.",
+    helpUri: "https://oculum.dev/docs/rules/dangerous-functions",
+    tags: ["security", "code-quality"],
   },
-}
+};
 /**
  * Format as SARIF (Static Analysis Results Interchange Format)
@@ -690,122 +977,144 @@ export function formatSARIF(result: ScanResult): object {
     message: {
       text: v.description,
     },
-    locations: [{
-      physicalLocation: {
-        artifactLocation: {
-          uri: v.filePath,
-          uriBaseId: '%SRCROOT%',
-        },
-        region: {
-          startLine: v.lineNumber,
-          startColumn: 1,
-          snippet: v.lineContent ? { text: v.lineContent } : undefined,
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: {
+            uri: v.filePath,
+            uriBaseId: "%SRCROOT%",
+          },
+          region: {
+            startLine: v.lineNumber,
+            startColumn: 1,
+            snippet: v.lineContent ? { text: v.lineContent } : undefined,
+          },
         },
       },
-    }],
+    ],
     fingerprints: {
-      'oculum/v1': `${v.category}:${v.filePath}:${v.lineNumber}`,
+      "oculum/v1": `${v.category}:${v.filePath}:${v.lineNumber}`,
     },
-    fixes: v.suggestedFix ? [{
-      description: {
-        text: v.suggestedFix,
-      },
-    }] : undefined,
+    fixes: v.suggestedFix
+      ? [
+          {
+            description: {
+              text: v.suggestedFix,
+            },
+          },
+        ]
+      : undefined,
     properties: {
       confidence: v.confidence,
       layer: v.layer,
     },
-  }))
+  }));
   // Build results from suppressed vulnerabilities (with SARIF suppression state)
-  const suppressedResults = (result.suppressedVulnerabilities || []).map((s) => ({
-    ruleId: s.category,
-    ruleIndex: 0, // Will be resolved by GitHub
-    level: mapSeverityToSARIF(s.severity),
-    message: {
-      text: s.title,
-    },
-    locations: [{
-      physicalLocation: {
-        artifactLocation: {
-          uri: s.filePath,
-          uriBaseId: '%SRCROOT%',
+  const suppressedResults = (result.suppressedVulnerabilities || []).map(
+    (s) => ({
+      ruleId: s.category,
+      ruleIndex: 0, // Will be resolved by GitHub
+      level: mapSeverityToSARIF(s.severity),
+      message: {
+        text: s.title,
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: {
+              uri: s.filePath,
+              uriBaseId: "%SRCROOT%",
+            },
+            region: {
+              startLine: s.lineNumber,
+              startColumn: 1,
+            },
+          },
         },
-        region: {
-          startLine: s.lineNumber,
-          startColumn: 1,
+      ],
+      fingerprints: {
+        "oculum/v1": `${s.category}:${s.filePath}:${s.lineNumber}`,
+        "oculum/hash": s.hash,
+      },
+      suppressions: [
+        {
+          kind: s.suppressionType === "inline" ? "inSource" : "external",
+          justification: s.suppressionReason,
+          state: "accepted",
         },
+      ],
+      properties: {
+        suppressionType: s.suppressionType,
+        expires: s.expires,
       },
-    }],
-    fingerprints: {
-      'oculum/v1': `${s.category}:${s.filePath}:${s.lineNumber}`,
-      'oculum/hash': s.hash,
-    },
-    suppressions: [{
-      kind: s.suppressionType === 'inline' ? 'inSource' : 'external',
-      justification: s.suppressionReason,
-      state: 'accepted',
-    }],
-    properties: {
-      suppressionType: s.suppressionType,
-      expires: s.expires,
-    },
-  }))
+    }),
+  );
   return {
-    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
-    version: '2.1.0',
-    runs: [{
-      tool: {
-        driver: {
-          name: 'Oculum',
-          version: '1.0.0',
-          informationUri: 'https://oculum.dev',
-          organization: 'Oculum Security',
-          rules: getUniqueRules(result.vulnerabilities),
+    $schema:
+      "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "Oculum",
+            version: "1.0.0",
+            informationUri: "https://oculum.dev",
+            organization: "Oculum Security",
+            rules: getUniqueRules(result.vulnerabilities),
+          },
         },
+        results: [...activeResults, ...suppressedResults],
+        columnKind: "utf16CodeUnits",
       },
-      results: [...activeResults, ...suppressedResults],
-      columnKind: 'utf16CodeUnits',
-    }],
-  }
+    ],
+  };
 }
-function mapSeverityToSARIF(severity: VulnerabilitySeverity): 'error' | 'warning' | 'note' {
+function mapSeverityToSARIF(
+  severity: VulnerabilitySeverity,
+): "error" | "warning" | "note" {
   switch (severity) {
-    case 'critical':
-    case 'high':
-      return 'error'
-    case 'medium':
-      return 'warning'
+    case "critical":
+    case "high":
+      return "error";
+    case "medium":
+      return "warning";
     default:
-      return 'note'
+      return "note";
   }
 }
-function getRuleIndex(vulnerabilities: Vulnerability[], category: string): number {
-  const seen = new Set<string>()
-  let index = 0
+function getRuleIndex(
+  vulnerabilities: Vulnerability[],
+  category: string,
+): number {
+  const seen = new Set<string>();
+  let index = 0;
   for (const v of vulnerabilities) {
     if (!seen.has(v.category)) {
-      if (v.category === category) return index
-      seen.add(v.category)
-      index++
+      if (v.category === category) return index;
+      seen.add(v.category);
+      index++;
     }
   }
-  return 0
+  return 0;
 }
 function getUniqueRules(vulnerabilities: Vulnerability[]): object[] {
-  const seen = new Set<string>()
-  const rules: object[] = []
+  const seen = new Set<string>();
+  const rules: object[] = [];
   for (const v of vulnerabilities) {
-    if (seen.has(v.category)) continue
-    seen.add(v.category)
+    if (seen.has(v.category)) continue;
+    seen.add(v.category);
-    const metadata = RULE_METADATA[v.category]
-    const ruleName = metadata?.name || v.category.replace(/_/g, ' ').replace(/\b\w/g, c => c.toUpperCase())
+    const metadata = RULE_METADATA[v.category];
+    const ruleName =
+      metadata?.name ||
+      v.category.replace(/_/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
     rules.push({
       id: v.category,
@@ -814,36 +1123,43 @@ function getUniqueRules(vulnerabilities: Vulnerability[]): object[] {
       fullDescription: {
         text: metadata?.description || v.description,
       },
-      helpUri: metadata?.helpUri || `https://oculum.dev/docs/rules/${v.category.replace(/_/g, '-')}`,
+      helpUri:
+        metadata?.helpUri ||
+        `https://oculum.dev/docs/rules/${v.category.replace(/_/g, "-")}`,
       help: {
         text: metadata?.description || v.description,
-        markdown: `# ${ruleName}\n\n${metadata?.description || v.description}\n\n[Learn more](${metadata?.helpUri || 'https://oculum.dev/docs'})`,
+        markdown: `# ${ruleName}\n\n${metadata?.description || v.description}\n\n[Learn more](${metadata?.helpUri || "https://oculum.dev/docs"})`,
       },
       defaultConfiguration: {
         level: mapSeverityToSARIF(v.severity),
       },
       properties: {
-        tags: metadata?.tags || ['security'],
-        precision: v.confidence === 'high' ? 'high' : v.confidence === 'medium' ? 'medium' : 'low',
-        'security-severity': mapSeverityToScore(v.severity),
+        tags: metadata?.tags || ["security"],
+        precision:
+          v.confidence === "high"
+            ? "high"
+            : v.confidence === "medium"
+              ? "medium"
+              : "low",
+        "security-severity": mapSeverityToScore(v.severity),
       },
-    })
+    });
   }
-  return rules
+  return rules;
 }
 function mapSeverityToScore(severity: VulnerabilitySeverity): string {
   switch (severity) {
-    case 'critical':
-      return '9.0'
-    case 'high':
-      return '7.0'
-    case 'medium':
-      return '5.0'
-    case 'low':
-      return '3.0'
+    case "critical":
+      return "9.0";
+    case "high":
+      return "7.0";
+    case "medium":
+      return "5.0";
+    case "low":
+      return "3.0";
     default:
-      return '1.0'
+      return "1.0";
   }
 }