npm - @oculum/scanner - Versions diffs - 1.0.14 → 1.0.15 - Mend

@oculum/scanner 1.0.14 → 1.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1323) hide show

package/dist/detect/ai-code/index.d.ts +6 -11
package/dist/detect/ai-code/index.d.ts.map +1 -1
package/dist/detect/ai-code/index.js +6 -24
package/dist/detect/ai-code/index.js.map +1 -1
package/dist/detect/ast-rules/agent-tools-ast.d.ts +14 -0
package/dist/detect/ast-rules/agent-tools-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/agent-tools-ast.js +809 -0
package/dist/detect/ast-rules/agent-tools-ast.js.map +1 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts +14 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.js +344 -0
package/dist/detect/ast-rules/ai-fingerprinting-ast.js.map +1 -0
package/dist/detect/ast-rules/auth-patterns-ast.d.ts +14 -0
package/dist/detect/ast-rules/auth-patterns-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/auth-patterns-ast.js +280 -0
package/dist/detect/ast-rules/auth-patterns-ast.js.map +1 -0
package/dist/detect/ast-rules/byok-ast.d.ts +13 -0
package/dist/detect/ast-rules/byok-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/byok-ast.js +180 -0
package/dist/detect/ast-rules/byok-ast.js.map +1 -0
package/dist/detect/ast-rules/child-process-ast.d.ts +13 -0
package/dist/detect/ast-rules/child-process-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/child-process-ast.js +252 -0
package/dist/detect/ast-rules/child-process-ast.js.map +1 -0
package/dist/detect/ast-rules/dangerous-eval-ast.d.ts +13 -0
package/dist/detect/ast-rules/dangerous-eval-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/dangerous-eval-ast.js +218 -0
package/dist/detect/ast-rules/dangerous-eval-ast.js.map +1 -0
package/dist/detect/ast-rules/data-exposure-ast.d.ts +13 -0
package/dist/detect/ast-rules/data-exposure-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/data-exposure-ast.js +158 -0
package/dist/detect/ast-rules/data-exposure-ast.js.map +1 -0
package/dist/detect/ast-rules/dom-xss-ast.d.ts +14 -0
package/dist/detect/ast-rules/dom-xss-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/dom-xss-ast.js +217 -0
package/dist/detect/ast-rules/dom-xss-ast.js.map +1 -0
package/dist/detect/ast-rules/endpoint-protection-ast.d.ts +13 -0
package/dist/detect/ast-rules/endpoint-protection-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/endpoint-protection-ast.js +228 -0
package/dist/detect/ast-rules/endpoint-protection-ast.js.map +1 -0
package/dist/detect/ast-rules/entropy-ast.d.ts +17 -0
package/dist/detect/ast-rules/entropy-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/entropy-ast.js +265 -0
package/dist/detect/ast-rules/entropy-ast.js.map +1 -0
package/dist/detect/ast-rules/flask-debug-ast.d.ts +10 -0
package/dist/detect/ast-rules/flask-debug-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/flask-debug-ast.js +125 -0
package/dist/detect/ast-rules/flask-debug-ast.js.map +1 -0
package/dist/detect/ast-rules/framework-checks-ast.d.ts +13 -0
package/dist/detect/ast-rules/framework-checks-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/framework-checks-ast.js +185 -0
package/dist/detect/ast-rules/framework-checks-ast.js.map +1 -0
package/dist/detect/ast-rules/helpers/call-analysis.d.ts +62 -0
package/dist/detect/ast-rules/helpers/call-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/call-analysis.js +217 -0
package/dist/detect/ast-rules/helpers/call-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/context-detection.d.ts +33 -0
package/dist/detect/ast-rules/helpers/context-detection.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/context-detection.js +256 -0
package/dist/detect/ast-rules/helpers/context-detection.js.map +1 -0
package/dist/detect/ast-rules/helpers/control-flow.d.ts +40 -0
package/dist/detect/ast-rules/helpers/control-flow.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/control-flow.js +174 -0
package/dist/detect/ast-rules/helpers/control-flow.js.map +1 -0
package/dist/detect/ast-rules/helpers/import-analysis.d.ts +43 -0
package/dist/detect/ast-rules/helpers/import-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/import-analysis.js +149 -0
package/dist/detect/ast-rules/helpers/import-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/index.d.ts +16 -0
package/dist/detect/ast-rules/helpers/index.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/index.js +112 -0
package/dist/detect/ast-rules/helpers/index.js.map +1 -0
package/dist/detect/ast-rules/helpers/python-helpers.d.ts +215 -0
package/dist/detect/ast-rules/helpers/python-helpers.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/python-helpers.js +935 -0
package/dist/detect/ast-rules/helpers/python-helpers.js.map +1 -0
package/dist/detect/ast-rules/helpers/scope-analysis.d.ts +50 -0
package/dist/detect/ast-rules/helpers/scope-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/scope-analysis.js +194 -0
package/dist/detect/ast-rules/helpers/scope-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/string-analysis.d.ts +57 -0
package/dist/detect/ast-rules/helpers/string-analysis.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/string-analysis.js +184 -0
package/dist/detect/ast-rules/helpers/string-analysis.js.map +1 -0
package/dist/detect/ast-rules/helpers/type-extraction.d.ts +44 -0
package/dist/detect/ast-rules/helpers/type-extraction.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/type-extraction.js +125 -0
package/dist/detect/ast-rules/helpers/type-extraction.js.map +1 -0
package/dist/detect/ast-rules/helpers/user-input.d.ts +35 -0
package/dist/detect/ast-rules/helpers/user-input.d.ts.map +1 -0
package/dist/detect/ast-rules/helpers/user-input.js +243 -0
package/dist/detect/ast-rules/helpers/user-input.js.map +1 -0
package/dist/detect/ast-rules/index.d.ts +112 -0
package/dist/detect/ast-rules/index.d.ts.map +1 -0
package/dist/detect/ast-rules/index.js +232 -0
package/dist/detect/ast-rules/index.js.map +1 -0
package/dist/detect/ast-rules/json-parse-ast.d.ts +13 -0
package/dist/detect/ast-rules/json-parse-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/json-parse-ast.js +143 -0
package/dist/detect/ast-rules/json-parse-ast.js.map +1 -0
package/dist/detect/ast-rules/log-injection-ast.d.ts +14 -0
package/dist/detect/ast-rules/log-injection-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/log-injection-ast.js +235 -0
package/dist/detect/ast-rules/log-injection-ast.js.map +1 -0
package/dist/detect/ast-rules/logic-gates-ast.d.ts +14 -0
package/dist/detect/ast-rules/logic-gates-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/logic-gates-ast.js +312 -0
package/dist/detect/ast-rules/logic-gates-ast.js.map +1 -0
package/dist/detect/ast-rules/mcp-security-ast.d.ts +14 -0
package/dist/detect/ast-rules/mcp-security-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/mcp-security-ast.js +755 -0
package/dist/detect/ast-rules/mcp-security-ast.js.map +1 -0
package/dist/detect/ast-rules/model-supply-chain-ast.d.ts +13 -0
package/dist/detect/ast-rules/model-supply-chain-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/model-supply-chain-ast.js +188 -0
package/dist/detect/ast-rules/model-supply-chain-ast.js.map +1 -0
package/dist/detect/ast-rules/package-hallucination-ast.d.ts +13 -0
package/dist/detect/ast-rules/package-hallucination-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/package-hallucination-ast.js +607 -0
package/dist/detect/ast-rules/package-hallucination-ast.js.map +1 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts +15 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.js +332 -0
package/dist/detect/ast-rules/prompt-hygiene-ast.js.map +1 -0
package/dist/detect/ast-rules/rag-safety-ast.d.ts +18 -0
package/dist/detect/ast-rules/rag-safety-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/rag-safety-ast.js +640 -0
package/dist/detect/ast-rules/rag-safety-ast.js.map +1 -0
package/dist/detect/ast-rules/request-validation-ast.d.ts +13 -0
package/dist/detect/ast-rules/request-validation-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/request-validation-ast.js +116 -0
package/dist/detect/ast-rules/request-validation-ast.js.map +1 -0
package/dist/detect/ast-rules/risky-imports-ast.d.ts +14 -0
package/dist/detect/ast-rules/risky-imports-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/risky-imports-ast.js +114 -0
package/dist/detect/ast-rules/risky-imports-ast.js.map +1 -0
package/dist/detect/ast-rules/schema-validation-ast.d.ts +14 -0
package/dist/detect/ast-rules/schema-validation-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/schema-validation-ast.js +233 -0
package/dist/detect/ast-rules/schema-validation-ast.js.map +1 -0
package/dist/detect/ast-rules/secret-patterns-ast.d.ts +17 -0
package/dist/detect/ast-rules/secret-patterns-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/secret-patterns-ast.js +199 -0
package/dist/detect/ast-rules/secret-patterns-ast.js.map +1 -0
package/dist/detect/ast-rules/security-headers-ast.d.ts +14 -0
package/dist/detect/ast-rules/security-headers-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/security-headers-ast.js +187 -0
package/dist/detect/ast-rules/security-headers-ast.js.map +1 -0
package/dist/detect/ast-rules/sql-injection-ast.d.ts +17 -0
package/dist/detect/ast-rules/sql-injection-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/sql-injection-ast.js +497 -0
package/dist/detect/ast-rules/sql-injection-ast.js.map +1 -0
package/dist/detect/ast-rules/ssrf-ast.d.ts +14 -0
package/dist/detect/ast-rules/ssrf-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/ssrf-ast.js +573 -0
package/dist/detect/ast-rules/ssrf-ast.js.map +1 -0
package/dist/detect/ast-rules/taint-fix-templates.d.ts +18 -0
package/dist/detect/ast-rules/taint-fix-templates.d.ts.map +1 -0
package/dist/detect/ast-rules/taint-fix-templates.js +92 -0
package/dist/detect/ast-rules/taint-fix-templates.js.map +1 -0
package/dist/detect/ast-rules/taint-flow-ast.d.ts +24 -0
package/dist/detect/ast-rules/taint-flow-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/taint-flow-ast.js +340 -0
package/dist/detect/ast-rules/taint-flow-ast.js.map +1 -0
package/dist/detect/ast-rules/variables-ast.d.ts +24 -0
package/dist/detect/ast-rules/variables-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/variables-ast.js +362 -0
package/dist/detect/ast-rules/variables-ast.js.map +1 -0
package/dist/detect/ast-rules/weak-crypto-ast.d.ts +15 -0
package/dist/detect/ast-rules/weak-crypto-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/weak-crypto-ast.js +406 -0
package/dist/detect/ast-rules/weak-crypto-ast.js.map +1 -0
package/dist/detect/ast-rules/xxe-ast.d.ts +13 -0
package/dist/detect/ast-rules/xxe-ast.d.ts.map +1 -0
package/dist/detect/ast-rules/xxe-ast.js +157 -0
package/dist/detect/ast-rules/xxe-ast.js.map +1 -0
package/dist/detect/config/agent-skill-injection.d.ts.map +1 -1
package/dist/detect/config/agent-skill-injection.js +2 -24
package/dist/detect/config/agent-skill-injection.js.map +1 -1
package/dist/detect/config/index.d.ts +1 -0
package/dist/detect/config/index.d.ts.map +1 -1
package/dist/detect/config/index.js +3 -1
package/dist/detect/config/index.js.map +1 -1
package/dist/detect/config/osv-check.d.ts.map +1 -1
package/dist/detect/config/osv-check.js +6 -1
package/dist/detect/config/osv-check.js.map +1 -1
package/dist/detect/config/package-check.d.ts.map +1 -1
package/dist/detect/config/package-check.js +6 -1
package/dist/detect/config/package-check.js.map +1 -1
package/dist/detect/config/rules-file-backdoor.d.ts +36 -0
package/dist/detect/config/rules-file-backdoor.d.ts.map +1 -0
package/dist/detect/config/rules-file-backdoor.js +379 -0
package/dist/detect/config/rules-file-backdoor.js.map +1 -0
package/dist/detect/index.d.ts +43 -6
package/dist/detect/index.d.ts.map +1 -1
package/dist/detect/index.js +70 -7
package/dist/detect/index.js.map +1 -1
package/dist/detect/secrets/config-audit.d.ts.map +1 -1
package/dist/detect/secrets/config-audit.js +36 -3
package/dist/detect/secrets/config-audit.js.map +1 -1
package/dist/detect/secrets/entropy.d.ts.map +1 -1
package/dist/detect/secrets/entropy.js +180 -0
package/dist/detect/secrets/entropy.js.map +1 -1
package/dist/detect/secrets/index.d.ts +0 -2
package/dist/detect/secrets/index.d.ts.map +1 -1
package/dist/detect/secrets/index.js +7 -17
package/dist/detect/secrets/index.js.map +1 -1
package/dist/detect/structural/index.d.ts +15 -28
package/dist/detect/structural/index.d.ts.map +1 -1
package/dist/detect/structural/index.js +20 -497
package/dist/detect/structural/index.js.map +1 -1
package/dist/index.d.ts +3 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +9 -1
package/dist/index.js.map +1 -1
package/dist/model/auth-helper-detector.d.ts.map +1 -1
package/dist/model/auth-helper-detector.js +2 -7
package/dist/model/auth-helper-detector.js.map +1 -1
package/dist/model/import-resolver.d.ts.map +1 -1
package/dist/model/import-resolver.js +94 -0
package/dist/model/import-resolver.js.map +1 -1
package/dist/model/imported-auth-detector.js +8 -8
package/dist/model/imported-auth-detector.js.map +1 -1
package/dist/model/index.d.ts +8 -0
package/dist/model/index.d.ts.map +1 -1
package/dist/model/index.js +198 -73
package/dist/model/index.js.map +1 -1
package/dist/model/module-graph.d.ts.map +1 -1
package/dist/model/module-graph.js +22 -9
package/dist/model/module-graph.js.map +1 -1
package/dist/model/project-context.d.ts +1 -1
package/dist/model/project-context.d.ts.map +1 -1
package/dist/model/project-context.js +34 -0
package/dist/model/project-context.js.map +1 -1
package/dist/model/route-auth-resolver.d.ts.map +1 -1
package/dist/model/route-auth-resolver.js +17 -2
package/dist/model/route-auth-resolver.js.map +1 -1
package/dist/model/route-discovery/index.js +1 -1
package/dist/model/route-discovery/index.js.map +1 -1
package/dist/model/route-discovery/nextjs.js +1 -1
package/dist/model/route-discovery/nextjs.js.map +1 -1
package/dist/model/route-discovery/python.d.ts +6 -3
package/dist/model/route-discovery/python.d.ts.map +1 -1
package/dist/model/route-discovery/python.js +132 -9
package/dist/model/route-discovery/python.js.map +1 -1
package/dist/model/route-discovery/types.d.ts +1 -1
package/dist/model/route-discovery/types.d.ts.map +1 -1
package/dist/model/route-discovery/utils.d.ts +8 -0
package/dist/model/route-discovery/utils.d.ts.map +1 -1
package/dist/model/route-discovery/utils.js +70 -0
package/dist/model/route-discovery/utils.js.map +1 -1
package/dist/model/taint-types.d.ts +0 -4
package/dist/model/taint-types.d.ts.map +1 -1
package/dist/parse/ast.d.ts +58 -0
package/dist/parse/ast.d.ts.map +1 -0
package/dist/parse/ast.js +230 -0
package/dist/parse/ast.js.map +1 -0
package/dist/parse/call-graph.d.ts +41 -0
package/dist/parse/call-graph.d.ts.map +1 -0
package/dist/parse/call-graph.js +386 -0
package/dist/parse/call-graph.js.map +1 -0
package/dist/parse/file-classifier.d.ts +11 -0
package/dist/parse/file-classifier.d.ts.map +1 -1
package/dist/parse/file-classifier.js +63 -15
package/dist/parse/file-classifier.js.map +1 -1
package/dist/parse/node-index.d.ts +32 -0
package/dist/parse/node-index.d.ts.map +1 -0
package/dist/parse/node-index.js +103 -0
package/dist/parse/node-index.js.map +1 -0
package/dist/parse/type-extractor.d.ts +50 -0
package/dist/parse/type-extractor.d.ts.map +1 -0
package/dist/parse/type-extractor.js +243 -0
package/dist/parse/type-extractor.js.map +1 -0
package/dist/pipeline/config.d.ts +7 -1
package/dist/pipeline/config.d.ts.map +1 -1
package/dist/pipeline/config.js.map +1 -1
package/dist/pipeline/index.d.ts +3 -3
package/dist/pipeline/index.d.ts.map +1 -1
package/dist/pipeline/index.js +192 -64
package/dist/pipeline/index.js.map +1 -1
package/dist/pipeline/modes/incremental.d.ts.map +1 -1
package/dist/pipeline/modes/incremental.js +2 -7
package/dist/pipeline/modes/incremental.js.map +1 -1
package/dist/postprocess/dedup.d.ts +5 -2
package/dist/postprocess/dedup.d.ts.map +1 -1
package/dist/postprocess/dedup.js +47 -16
package/dist/postprocess/dedup.js.map +1 -1
package/dist/report/build-result.d.ts +9 -4
package/dist/report/build-result.d.ts.map +1 -1
package/dist/report/build-result.js +15 -4
package/dist/report/build-result.js.map +1 -1
package/dist/report/formatters/cli-terminal.d.ts +1 -1
package/dist/report/formatters/cli-terminal.d.ts.map +1 -1
package/dist/report/formatters/cli-terminal.js +434 -231
package/dist/report/formatters/cli-terminal.js.map +1 -1
package/dist/report/sanitize.d.ts +10 -0
package/dist/report/sanitize.d.ts.map +1 -0
package/dist/report/sanitize.js +19 -0
package/dist/report/sanitize.js.map +1 -0
package/dist/score/adjustments.d.ts +20 -2
package/dist/score/adjustments.d.ts.map +1 -1
package/dist/score/adjustments.js +108 -37
package/dist/score/adjustments.js.map +1 -1
package/dist/score/confidence.d.ts +6 -0
package/dist/score/confidence.d.ts.map +1 -1
package/dist/score/confidence.js +10 -4
package/dist/score/confidence.js.map +1 -1
package/dist/score/evidence.d.ts +25 -0
package/dist/score/evidence.d.ts.map +1 -0
package/dist/score/evidence.js +51 -0
package/dist/score/evidence.js.map +1 -0
package/dist/score/index.d.ts +3 -1
package/dist/score/index.d.ts.map +1 -1
package/dist/score/index.js +25 -50
package/dist/score/index.js.map +1 -1
package/dist/score/types.d.ts +5 -1
package/dist/score/types.d.ts.map +1 -1
package/dist/shared/category-filter.d.ts.map +1 -1
package/dist/shared/category-filter.js +12 -0
package/dist/shared/category-filter.js.map +1 -1
package/dist/shared/regex-utils.d.ts +3 -0
package/dist/shared/regex-utils.d.ts.map +1 -0
package/dist/shared/regex-utils.js +8 -0
package/dist/shared/regex-utils.js.map +1 -0
package/dist/shared/registry-clients.d.ts +7 -0
package/dist/shared/registry-clients.d.ts.map +1 -1
package/dist/shared/registry-clients.js +94 -17
package/dist/shared/registry-clients.js.map +1 -1
package/dist/shared/rules/metadata.d.ts.map +1 -1
package/dist/shared/rules/metadata.js +17 -0
package/dist/shared/rules/metadata.js.map +1 -1
package/dist/shared/types.d.ts +59 -15
package/dist/shared/types.d.ts.map +1 -1
package/dist/shared/types.js +38 -21
package/dist/shared/types.js.map +1 -1
package/dist/taint/async-flow.d.ts +44 -0
package/dist/taint/async-flow.d.ts.map +1 -0
package/dist/taint/async-flow.js +271 -0
package/dist/taint/async-flow.js.map +1 -0
package/dist/taint/cfg-builder.d.ts +35 -0
package/dist/taint/cfg-builder.d.ts.map +1 -0
package/dist/taint/cfg-builder.js +980 -0
package/dist/taint/cfg-builder.js.map +1 -0
package/dist/taint/cfg-types.d.ts +76 -0
package/dist/taint/cfg-types.d.ts.map +1 -0
package/dist/taint/cfg-types.js +13 -0
package/dist/taint/cfg-types.js.map +1 -0
package/dist/taint/constant-propagation.d.ts +34 -0
package/dist/taint/constant-propagation.d.ts.map +1 -0
package/dist/taint/constant-propagation.js +164 -0
package/dist/taint/constant-propagation.js.map +1 -0
package/dist/taint/cross-file-analyzer.d.ts +27 -0
package/dist/taint/cross-file-analyzer.d.ts.map +1 -0
package/dist/taint/cross-file-analyzer.js +99 -0
package/dist/taint/cross-file-analyzer.js.map +1 -0
package/dist/taint/cross-file-index.d.ts +59 -0
package/dist/taint/cross-file-index.d.ts.map +1 -0
package/dist/taint/cross-file-index.js +183 -0
package/dist/taint/cross-file-index.js.map +1 -0
package/dist/taint/def-use.d.ts +27 -0
package/dist/taint/def-use.d.ts.map +1 -0
package/dist/taint/def-use.js +519 -0
package/dist/taint/def-use.js.map +1 -0
package/dist/taint/file-analysis-cache.d.ts +47 -0
package/dist/taint/file-analysis-cache.d.ts.map +1 -0
package/dist/taint/file-analysis-cache.js +107 -0
package/dist/taint/file-analysis-cache.js.map +1 -0
package/dist/taint/framework-models.d.ts +77 -0
package/dist/taint/framework-models.d.ts.map +1 -0
package/dist/taint/framework-models.js +258 -0
package/dist/taint/framework-models.js.map +1 -0
package/dist/taint/helpers.d.ts +31 -0
package/dist/taint/helpers.d.ts.map +1 -0
package/dist/taint/helpers.js +130 -0
package/dist/taint/helpers.js.map +1 -0
package/dist/taint/index.d.ts +28 -0
package/dist/taint/index.d.ts.map +1 -0
package/dist/taint/index.js +77 -0
package/dist/taint/index.js.map +1 -0
package/dist/taint/llm-registry.d.ts +47 -0
package/dist/taint/llm-registry.d.ts.map +1 -0
package/dist/taint/llm-registry.js +152 -0
package/dist/taint/llm-registry.js.map +1 -0
package/dist/taint/llm-risk-scoring.d.ts +54 -0
package/dist/taint/llm-risk-scoring.d.ts.map +1 -0
package/dist/taint/llm-risk-scoring.js +376 -0
package/dist/taint/llm-risk-scoring.js.map +1 -0
package/dist/taint/propagation-types.d.ts +104 -0
package/dist/taint/propagation-types.d.ts.map +1 -0
package/dist/taint/propagation-types.js +98 -0
package/dist/taint/propagation-types.js.map +1 -0
package/dist/taint/propagation.d.ts +111 -0
package/dist/taint/propagation.d.ts.map +1 -0
package/dist/taint/propagation.js +1576 -0
package/dist/taint/propagation.js.map +1 -0
package/dist/taint/sanitizer-registry.d.ts +26 -0
package/dist/taint/sanitizer-registry.d.ts.map +1 -0
package/dist/taint/sanitizer-registry.js +422 -0
package/dist/taint/sanitizer-registry.js.map +1 -0
package/dist/taint/sink-classifier.d.ts +27 -0
package/dist/taint/sink-classifier.d.ts.map +1 -0
package/dist/taint/sink-classifier.js +1166 -0
package/dist/taint/sink-classifier.js.map +1 -0
package/dist/taint/source-classifier.d.ts +29 -0
package/dist/taint/source-classifier.d.ts.map +1 -0
package/dist/taint/source-classifier.js +814 -0
package/dist/taint/source-classifier.js.map +1 -0
package/dist/taint/taint-analyzer.d.ts +33 -0
package/dist/taint/taint-analyzer.d.ts.map +1 -0
package/dist/taint/taint-analyzer.js +88 -0
package/dist/taint/taint-analyzer.js.map +1 -0
package/dist/taint/taint-summary.d.ts +37 -0
package/dist/taint/taint-summary.d.ts.map +1 -0
package/dist/taint/taint-summary.js +293 -0
package/dist/taint/taint-summary.js.map +1 -0
package/dist/taint/types.d.ts +47 -0
package/dist/taint/types.d.ts.map +1 -0
package/dist/taint/types.js +19 -0
package/dist/taint/types.js.map +1 -0
package/dist/validate/clients.d.ts +2 -1
package/dist/validate/clients.d.ts.map +1 -1
package/dist/validate/clients.js +3 -2
package/dist/validate/clients.js.map +1 -1
package/dist/validate/index.d.ts +5 -6
package/dist/validate/index.d.ts.map +1 -1
package/dist/validate/index.js +22 -21
package/dist/validate/index.js.map +1 -1
package/dist/validate/prompts/modules/ai-patterns.d.ts +1 -1
package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -1
package/dist/validate/prompts/modules/ai-patterns.js +16 -0
package/dist/validate/prompts/modules/ai-patterns.js.map +1 -1
package/dist/validate/prompts/modules/common.d.ts +1 -1
package/dist/validate/prompts/modules/common.d.ts.map +1 -1
package/dist/validate/prompts/modules/common.js +12 -3
package/dist/validate/prompts/modules/common.js.map +1 -1
package/dist/validate/providers/anthropic.d.ts +4 -4
package/dist/validate/providers/anthropic.d.ts.map +1 -1
package/dist/validate/providers/anthropic.js +85 -58
package/dist/validate/providers/anthropic.js.map +1 -1
package/dist/validate/providers/openai.d.ts +4 -4
package/dist/validate/providers/openai.d.ts.map +1 -1
package/dist/validate/providers/openai.js +149 -99
package/dist/validate/providers/openai.js.map +1 -1
package/dist/validate/request-builder.d.ts +2 -8
package/dist/validate/request-builder.d.ts.map +1 -1
package/dist/validate/request-builder.js +4 -34
package/dist/validate/request-builder.js.map +1 -1
package/dist/validate/types.d.ts +9 -0
package/dist/validate/types.d.ts.map +1 -1
package/dist/validate/types.js.map +1 -1
package/dist/validate/utils/path-helpers.js +2 -2
package/dist/validate/utils/path-helpers.js.map +1 -1
package/dist/validate/utils/response-parser.d.ts +10 -0
package/dist/validate/utils/response-parser.d.ts.map +1 -1
package/dist/validate/utils/response-parser.js +21 -2
package/dist/validate/utils/response-parser.js.map +1 -1
package/dist/validate/utils/retry.d.ts.map +1 -1
package/dist/validate/utils/retry.js +19 -4
package/dist/validate/utils/retry.js.map +1 -1
package/package.json +7 -4
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1 -1
package/src/__tests__/benchmark/planted-benchmark.test.ts +337 -0
package/src/__tests__/benchmark/utils/test-runner.ts +38 -4
package/src/__tests__/category-filter.test.ts +5 -1
package/src/__tests__/context-engine/route-discovery/python.test.ts +726 -0
package/src/__tests__/detect/ast-rules.test.ts +1043 -0
package/src/__tests__/detect/offline-mode.test.ts +147 -0
package/src/__tests__/detect/python-ast-rules.test.ts +569 -0
package/src/__tests__/detect/python-helpers.test.ts +536 -0
package/src/__tests__/detect/python-sast-rules.test.ts +453 -0
package/src/__tests__/detect/rules-file-backdoor-decoders.test.ts +151 -0
package/src/__tests__/detect/rules-file-backdoor.test.ts +284 -0
package/src/__tests__/detect/taint-fix-templates.test.ts +150 -0
package/src/__tests__/detect/taint-path-serialization.test.ts +170 -0
package/src/__tests__/parse/call-graph.test.ts +300 -0
package/src/__tests__/parse/python-parser.test.ts +274 -0
package/src/__tests__/regression/known-false-positives.test.ts +491 -9
package/src/__tests__/regression/rules-file-backdoor.test.ts +137 -0
package/src/__tests__/score/adjustments.test.ts +34 -16
package/src/__tests__/score/confidence.test.ts +84 -57
package/src/__tests__/score/evidence-scoring.test.ts +249 -0
package/src/__tests__/score/evidence.test.ts +144 -0
package/src/__tests__/score/scoring-integration.test.ts +56 -34
package/src/__tests__/score/taint-adjustments.test.ts +14 -228
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +65 -59
package/src/__tests__/snapshots/scan-depth.test.ts +39 -7
package/src/__tests__/taint/async-flow.test.ts +247 -0
package/src/__tests__/taint/cfg-builder.test.ts +835 -0
package/src/__tests__/taint/constant-propagation.test.ts +302 -0
package/src/__tests__/taint/cross-file-index.test.ts +683 -0
package/src/__tests__/taint/cross-file-integration.test.ts +275 -0
package/src/__tests__/taint/cross-file-propagation.test.ts +910 -0
package/src/__tests__/taint/def-use.test.ts +132 -0
package/src/__tests__/taint/field-sensitive-sinks.test.ts +179 -0
package/src/__tests__/taint/field-sensitivity.test.ts +342 -0
package/src/__tests__/taint/file-analysis-cache.test.ts +290 -0
package/src/__tests__/taint/framework-models.test.ts +227 -0
package/src/__tests__/taint/llm-flow-graph.test.ts +850 -0
package/src/__tests__/taint/llm-risk-scoring.test.ts +439 -0
package/src/__tests__/taint/performance-parity.test.ts +315 -0
package/src/__tests__/taint/propagation.test.ts +621 -0
package/src/__tests__/taint/python-cross-file.test.ts +494 -0
package/src/__tests__/taint/python-taint.test.ts +1344 -0
package/src/__tests__/taint/sanitizer-registry.test.ts +304 -0
package/src/__tests__/taint/sanitizer-regression.test.ts +111 -0
package/src/__tests__/taint/sink-classifier.test.ts +537 -0
package/src/__tests__/taint/source-classifier.test.ts +367 -0
package/src/__tests__/taint/taint-pipeline.test.ts +418 -0
package/src/__tests__/taint/taint-smoke.test.ts +400 -0
package/src/__tests__/taint/taint-summary.test.ts +472 -0
package/src/detect/ai-code/index.ts +6 -11
package/src/detect/ast-rules/agent-tools-ast.ts +861 -0
package/src/detect/ast-rules/ai-fingerprinting-ast.ts +451 -0
package/src/detect/ast-rules/auth-patterns-ast.ts +304 -0
package/src/detect/ast-rules/byok-ast.ts +195 -0
package/src/detect/ast-rules/child-process-ast.ts +276 -0
package/src/detect/ast-rules/dangerous-eval-ast.ts +227 -0
package/src/detect/ast-rules/data-exposure-ast.ts +162 -0
package/src/detect/ast-rules/dom-xss-ast.ts +260 -0
package/src/detect/ast-rules/endpoint-protection-ast.ts +231 -0
package/src/detect/ast-rules/entropy-ast.ts +268 -0
package/src/detect/ast-rules/flask-debug-ast.ts +148 -0
package/src/detect/ast-rules/framework-checks-ast.ts +200 -0
package/src/detect/ast-rules/helpers/call-analysis.ts +256 -0
package/src/detect/ast-rules/helpers/context-detection.ts +277 -0
package/src/detect/ast-rules/helpers/control-flow.ts +179 -0
package/src/detect/ast-rules/helpers/import-analysis.ts +185 -0
package/src/detect/ast-rules/helpers/index.ts +133 -0
package/src/detect/ast-rules/helpers/python-helpers.ts +1054 -0
package/src/detect/ast-rules/helpers/scope-analysis.ts +224 -0
package/src/detect/ast-rules/helpers/string-analysis.ts +215 -0
package/src/detect/ast-rules/helpers/type-extraction.ts +138 -0
package/src/detect/ast-rules/helpers/user-input.ts +256 -0
package/src/detect/ast-rules/index.ts +311 -0
package/src/detect/ast-rules/json-parse-ast.ts +162 -0
package/src/detect/ast-rules/log-injection-ast.ts +243 -0
package/src/detect/ast-rules/logic-gates-ast.ts +343 -0
package/src/detect/ast-rules/mcp-security-ast.ts +808 -0
package/src/detect/ast-rules/model-supply-chain-ast.ts +202 -0
package/src/detect/ast-rules/package-hallucination-ast.ts +664 -0
package/src/detect/ast-rules/prompt-hygiene-ast.ts +329 -0
package/src/detect/ast-rules/rag-safety-ast.ts +689 -0
package/src/detect/ast-rules/request-validation-ast.ts +122 -0
package/src/detect/ast-rules/risky-imports-ast.ts +133 -0
package/src/detect/ast-rules/schema-validation-ast.ts +244 -0
package/src/detect/ast-rules/secret-patterns-ast.ts +223 -0
package/src/detect/ast-rules/security-headers-ast.ts +206 -0
package/src/detect/ast-rules/sql-injection-ast.ts +614 -0
package/src/detect/ast-rules/ssrf-ast.ts +601 -0
package/src/detect/ast-rules/taint-fix-templates.ts +108 -0
package/src/detect/ast-rules/taint-flow-ast.ts +416 -0
package/src/detect/ast-rules/variables-ast.ts +446 -0
package/src/detect/ast-rules/weak-crypto-ast.ts +441 -0
package/src/detect/ast-rules/xxe-ast.ts +184 -0
package/src/detect/config/agent-skill-injection.ts +2 -24
package/src/detect/config/index.ts +1 -0
package/src/detect/config/osv-check.ts +6 -1
package/src/detect/config/package-check.ts +6 -1
package/src/detect/config/rules-file-backdoor.ts +438 -0
package/src/detect/index.ts +146 -52
package/src/detect/secrets/config-audit.ts +37 -3
package/src/detect/secrets/entropy.ts +195 -0
package/src/detect/secrets/index.ts +7 -16
package/src/detect/structural/index.ts +23 -566
package/src/index.ts +7 -0
package/src/model/auth-helper-detector.ts +1 -7
package/src/model/import-resolver.ts +104 -0
package/src/model/imported-auth-detector.ts +1 -1
package/src/model/index.ts +240 -80
package/src/model/module-graph.ts +17 -5
package/src/model/project-context.ts +28 -1
package/src/model/route-auth-resolver.ts +18 -3
package/src/model/route-discovery/index.ts +1 -1
package/src/model/route-discovery/nextjs.ts +1 -1
package/src/model/route-discovery/python.ts +156 -9
package/src/model/route-discovery/types.ts +1 -1
package/src/model/route-discovery/utils.ts +73 -0
package/src/model/taint-types.ts +1 -6
package/src/parse/ast.ts +271 -0
package/src/parse/call-graph.ts +419 -0
package/src/parse/file-classifier.ts +69 -15
package/src/parse/node-index.ts +118 -0
package/src/parse/type-extractor.ts +293 -0
package/src/pipeline/config.ts +7 -0
package/src/pipeline/index.ts +464 -199
package/src/pipeline/modes/incremental.ts +1 -7
package/src/postprocess/dedup.ts +48 -17
package/src/report/build-result.ts +57 -29
package/src/report/formatters/cli-terminal.ts +731 -415
package/src/report/sanitize.ts +27 -0
package/src/score/adjustments.ts +113 -40
package/src/score/confidence.ts +10 -5
package/src/score/evidence.ts +55 -0
package/src/score/index.ts +27 -55
package/src/score/types.ts +4 -0
package/src/shared/category-filter.ts +12 -0
package/src/shared/regex-utils.ts +4 -0
package/src/shared/registry-clients.ts +106 -18
package/src/shared/rules/__tests__/metadata.test.ts +5 -1
package/src/shared/rules/metadata.ts +19 -0
package/src/shared/types.ts +372 -253
package/src/taint/async-flow.ts +301 -0
package/src/taint/cfg-builder.ts +1127 -0
package/src/taint/cfg-types.ts +110 -0
package/src/taint/constant-propagation.ts +170 -0
package/src/taint/cross-file-analyzer.ts +118 -0
package/src/taint/cross-file-index.ts +275 -0
package/src/taint/def-use.ts +556 -0
package/src/taint/file-analysis-cache.ts +145 -0
package/src/taint/framework-models.ts +313 -0
package/src/taint/helpers.ts +138 -0
package/src/taint/index.ts +71 -0
package/src/taint/llm-registry.ts +174 -0
package/src/taint/llm-risk-scoring.ts +412 -0
package/src/taint/propagation-types.ts +188 -0
package/src/taint/propagation.ts +1750 -0
package/src/taint/sanitizer-registry.ts +490 -0
package/src/taint/sink-classifier.ts +1402 -0
package/src/taint/source-classifier.ts +859 -0
package/src/taint/taint-analyzer.ts +112 -0
package/src/taint/taint-summary.ts +341 -0
package/src/taint/types.ts +86 -0
package/src/validate/clients.ts +3 -2
package/src/validate/index.ts +89 -53
package/src/validate/prompts/modules/ai-patterns.ts +16 -0
package/src/validate/prompts/modules/common.ts +12 -3
package/src/validate/providers/anthropic.ts +254 -148
package/src/validate/providers/openai.ts +363 -218
package/src/validate/request-builder.ts +2 -45
package/src/validate/types.ts +9 -0
package/src/validate/utils/path-helpers.ts +2 -2
package/src/validate/utils/response-parser.ts +32 -3
package/src/validate/utils/retry.ts +19 -4
package/dist/ai-context/index.d.ts +0 -6
package/dist/ai-context/index.d.ts.map +0 -1
package/dist/ai-context/index.js +0 -13
package/dist/ai-context/index.js.map +0 -1
package/dist/ai-context/manager.d.ts +0 -67
package/dist/ai-context/manager.d.ts.map +0 -1
package/dist/ai-context/manager.js +0 -104
package/dist/ai-context/manager.js.map +0 -1
package/dist/baseline/diff.d.ts +0 -32
package/dist/baseline/diff.d.ts.map +0 -1
package/dist/baseline/diff.js +0 -119
package/dist/baseline/diff.js.map +0 -1
package/dist/baseline/index.d.ts +0 -9
package/dist/baseline/index.d.ts.map +0 -1
package/dist/baseline/index.js +0 -19
package/dist/baseline/index.js.map +0 -1
package/dist/baseline/manager.d.ts +0 -67
package/dist/baseline/manager.d.ts.map +0 -1
package/dist/baseline/manager.js +0 -180
package/dist/baseline/manager.js.map +0 -1
package/dist/baseline/types.d.ts +0 -91
package/dist/baseline/types.d.ts.map +0 -1
package/dist/baseline/types.js +0 -12
package/dist/baseline/types.js.map +0 -1
package/dist/category-filter.d.ts +0 -125
package/dist/category-filter.d.ts.map +0 -1
package/dist/category-filter.js +0 -360
package/dist/category-filter.js.map +0 -1
package/dist/detect/ai-code/agent-tools.d.ts +0 -22
package/dist/detect/ai-code/agent-tools.d.ts.map +0 -1
package/dist/detect/ai-code/agent-tools.js +0 -1509
package/dist/detect/ai-code/agent-tools.js.map +0 -1
package/dist/detect/ai-code/byok-patterns.d.ts +0 -15
package/dist/detect/ai-code/byok-patterns.d.ts.map +0 -1
package/dist/detect/ai-code/byok-patterns.js +0 -313
package/dist/detect/ai-code/byok-patterns.js.map +0 -1
package/dist/detect/ai-code/endpoint-protection.d.ts +0 -38
package/dist/detect/ai-code/endpoint-protection.d.ts.map +0 -1
package/dist/detect/ai-code/endpoint-protection.js +0 -349
package/dist/detect/ai-code/endpoint-protection.js.map +0 -1
package/dist/detect/ai-code/execution-sinks.d.ts +0 -21
package/dist/detect/ai-code/execution-sinks.d.ts.map +0 -1
package/dist/detect/ai-code/execution-sinks.js +0 -1158
package/dist/detect/ai-code/execution-sinks.js.map +0 -1
package/dist/detect/ai-code/fingerprinting.d.ts +0 -10
package/dist/detect/ai-code/fingerprinting.d.ts.map +0 -1
package/dist/detect/ai-code/fingerprinting.js +0 -665
package/dist/detect/ai-code/fingerprinting.js.map +0 -1
package/dist/detect/ai-code/mcp-security.d.ts +0 -20
package/dist/detect/ai-code/mcp-security.d.ts.map +0 -1
package/dist/detect/ai-code/mcp-security.js +0 -880
package/dist/detect/ai-code/mcp-security.js.map +0 -1
package/dist/detect/ai-code/model-supply-chain.d.ts +0 -23
package/dist/detect/ai-code/model-supply-chain.d.ts.map +0 -1
package/dist/detect/ai-code/model-supply-chain.js +0 -447
package/dist/detect/ai-code/model-supply-chain.js.map +0 -1
package/dist/detect/ai-code/package-hallucination.d.ts +0 -22
package/dist/detect/ai-code/package-hallucination.d.ts.map +0 -1
package/dist/detect/ai-code/package-hallucination.js +0 -841
package/dist/detect/ai-code/package-hallucination.js.map +0 -1
package/dist/detect/ai-code/prompt-hygiene.d.ts +0 -22
package/dist/detect/ai-code/prompt-hygiene.d.ts.map +0 -1
package/dist/detect/ai-code/prompt-hygiene.js +0 -1177
package/dist/detect/ai-code/prompt-hygiene.js.map +0 -1
package/dist/detect/ai-code/rag-safety.d.ts +0 -24
package/dist/detect/ai-code/rag-safety.d.ts.map +0 -1
package/dist/detect/ai-code/rag-safety.js +0 -913
package/dist/detect/ai-code/rag-safety.js.map +0 -1
package/dist/detect/ai-code/schema-validation.d.ts +0 -28
package/dist/detect/ai-code/schema-validation.d.ts.map +0 -1
package/dist/detect/ai-code/schema-validation.js +0 -378
package/dist/detect/ai-code/schema-validation.js.map +0 -1
package/dist/detect/secrets/patterns.d.ts +0 -11
package/dist/detect/secrets/patterns.d.ts.map +0 -1
package/dist/detect/secrets/patterns.js +0 -518
package/dist/detect/secrets/patterns.js.map +0 -1
package/dist/detect/secrets/weak-crypto.d.ts +0 -10
package/dist/detect/secrets/weak-crypto.d.ts.map +0 -1
package/dist/detect/secrets/weak-crypto.js +0 -432
package/dist/detect/secrets/weak-crypto.js.map +0 -1
package/dist/detect/structural/auth-patterns.d.ts +0 -22
package/dist/detect/structural/auth-patterns.d.ts.map +0 -1
package/dist/detect/structural/auth-patterns.js +0 -533
package/dist/detect/structural/auth-patterns.js.map +0 -1
package/dist/detect/structural/dangerous-functions/child-process.d.ts +0 -16
package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/child-process.js +0 -74
package/dist/detect/structural/dangerous-functions/child-process.js.map +0 -1
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +0 -34
package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/dom-xss.js +0 -230
package/dist/detect/structural/dangerous-functions/dom-xss.js.map +0 -1
package/dist/detect/structural/dangerous-functions/index.d.ts +0 -16
package/dist/detect/structural/dangerous-functions/index.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/index.js +0 -1193
package/dist/detect/structural/dangerous-functions/index.js.map +0 -1
package/dist/detect/structural/dangerous-functions/json-parse.d.ts +0 -31
package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/json-parse.js +0 -326
package/dist/detect/structural/dangerous-functions/json-parse.js.map +0 -1
package/dist/detect/structural/dangerous-functions/math-random.d.ts +0 -111
package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/math-random.js +0 -684
package/dist/detect/structural/dangerous-functions/math-random.js.map +0 -1
package/dist/detect/structural/dangerous-functions/patterns.d.ts +0 -21
package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/patterns.js +0 -163
package/dist/detect/structural/dangerous-functions/patterns.js.map +0 -1
package/dist/detect/structural/dangerous-functions/request-validation.d.ts +0 -13
package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/request-validation.js +0 -126
package/dist/detect/structural/dangerous-functions/request-validation.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +0 -24
package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/control-flow.js +0 -70
package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +0 -31
package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/helpers.js +0 -147
package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/index.d.ts +0 -9
package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/index.js +0 -23
package/dist/detect/structural/dangerous-functions/utils/index.js.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +0 -22
package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +0 -102
package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +0 -1
package/dist/detect/structural/data-exposure.d.ts +0 -19
package/dist/detect/structural/data-exposure.d.ts.map +0 -1
package/dist/detect/structural/data-exposure.js +0 -262
package/dist/detect/structural/data-exposure.js.map +0 -1
package/dist/detect/structural/framework-checks.d.ts +0 -10
package/dist/detect/structural/framework-checks.d.ts.map +0 -1
package/dist/detect/structural/framework-checks.js +0 -389
package/dist/detect/structural/framework-checks.js.map +0 -1
package/dist/detect/structural/log-injection.d.ts +0 -18
package/dist/detect/structural/log-injection.d.ts.map +0 -1
package/dist/detect/structural/log-injection.js +0 -217
package/dist/detect/structural/log-injection.js.map +0 -1
package/dist/detect/structural/logic-gates.d.ts +0 -10
package/dist/detect/structural/logic-gates.d.ts.map +0 -1
package/dist/detect/structural/logic-gates.js +0 -227
package/dist/detect/structural/logic-gates.js.map +0 -1
package/dist/detect/structural/risky-imports.d.ts +0 -10
package/dist/detect/structural/risky-imports.d.ts.map +0 -1
package/dist/detect/structural/risky-imports.js +0 -168
package/dist/detect/structural/risky-imports.js.map +0 -1
package/dist/detect/structural/security-headers.d.ts +0 -18
package/dist/detect/structural/security-headers.d.ts.map +0 -1
package/dist/detect/structural/security-headers.js +0 -196
package/dist/detect/structural/security-headers.js.map +0 -1
package/dist/detect/structural/ssrf-detection.d.ts +0 -18
package/dist/detect/structural/ssrf-detection.d.ts.map +0 -1
package/dist/detect/structural/ssrf-detection.js +0 -263
package/dist/detect/structural/ssrf-detection.js.map +0 -1
package/dist/detect/structural/variables.d.ts +0 -11
package/dist/detect/structural/variables.d.ts.map +0 -1
package/dist/detect/structural/variables.js +0 -159
package/dist/detect/structural/variables.js.map +0 -1
package/dist/detect/structural/xxe-detection.d.ts +0 -18
package/dist/detect/structural/xxe-detection.d.ts.map +0 -1
package/dist/detect/structural/xxe-detection.js +0 -245
package/dist/detect/structural/xxe-detection.js.map +0 -1
package/dist/filtering/context-adjustments.d.ts +0 -23
package/dist/filtering/context-adjustments.d.ts.map +0 -1
package/dist/filtering/context-adjustments.js +0 -100
package/dist/filtering/context-adjustments.js.map +0 -1
package/dist/filtering/index.d.ts +0 -3
package/dist/filtering/index.d.ts.map +0 -1
package/dist/filtering/index.js +0 -8
package/dist/filtering/index.js.map +0 -1
package/dist/filtering/pipeline.d.ts +0 -48
package/dist/filtering/pipeline.d.ts.map +0 -1
package/dist/filtering/pipeline.js +0 -76
package/dist/filtering/pipeline.js.map +0 -1
package/dist/formatters/ai-context.d.ts +0 -23
package/dist/formatters/ai-context.d.ts.map +0 -1
package/dist/formatters/ai-context.js +0 -238
package/dist/formatters/ai-context.js.map +0 -1
package/dist/formatters/cli-terminal.d.ts +0 -65
package/dist/formatters/cli-terminal.d.ts.map +0 -1
package/dist/formatters/cli-terminal.js +0 -735
package/dist/formatters/cli-terminal.js.map +0 -1
package/dist/formatters/github-comment.d.ts +0 -41
package/dist/formatters/github-comment.d.ts.map +0 -1
package/dist/formatters/github-comment.js +0 -370
package/dist/formatters/github-comment.js.map +0 -1
package/dist/formatters/grouping.d.ts +0 -52
package/dist/formatters/grouping.d.ts.map +0 -1
package/dist/formatters/grouping.js +0 -152
package/dist/formatters/grouping.js.map +0 -1
package/dist/formatters/ide/claude-code.d.ts +0 -17
package/dist/formatters/ide/claude-code.d.ts.map +0 -1
package/dist/formatters/ide/claude-code.js +0 -94
package/dist/formatters/ide/claude-code.js.map +0 -1
package/dist/formatters/ide/cursor.d.ts +0 -13
package/dist/formatters/ide/cursor.d.ts.map +0 -1
package/dist/formatters/ide/cursor.js +0 -125
package/dist/formatters/ide/cursor.js.map +0 -1
package/dist/formatters/ide/index.d.ts +0 -62
package/dist/formatters/ide/index.d.ts.map +0 -1
package/dist/formatters/ide/index.js +0 -184
package/dist/formatters/ide/index.js.map +0 -1
package/dist/formatters/ide/windsurf.d.ts +0 -13
package/dist/formatters/ide/windsurf.d.ts.map +0 -1
package/dist/formatters/ide/windsurf.js +0 -117
package/dist/formatters/ide/windsurf.js.map +0 -1
package/dist/formatters/index.d.ts +0 -11
package/dist/formatters/index.d.ts.map +0 -1
package/dist/formatters/index.js +0 -54
package/dist/formatters/index.js.map +0 -1
package/dist/formatters/vscode-diagnostic.d.ts +0 -103
package/dist/formatters/vscode-diagnostic.d.ts.map +0 -1
package/dist/formatters/vscode-diagnostic.js +0 -151
package/dist/formatters/vscode-diagnostic.js.map +0 -1
package/dist/layer1/comments.d.ts +0 -11
package/dist/layer1/comments.d.ts.map +0 -1
package/dist/layer1/comments.js +0 -203
package/dist/layer1/comments.js.map +0 -1
package/dist/layer1/config-audit.d.ts +0 -11
package/dist/layer1/config-audit.d.ts.map +0 -1
package/dist/layer1/config-audit.js +0 -311
package/dist/layer1/config-audit.js.map +0 -1
package/dist/layer1/config-mcp-audit.d.ts +0 -23
package/dist/layer1/config-mcp-audit.d.ts.map +0 -1
package/dist/layer1/config-mcp-audit.js +0 -239
package/dist/layer1/config-mcp-audit.js.map +0 -1
package/dist/layer1/entropy.d.ts +0 -11
package/dist/layer1/entropy.d.ts.map +0 -1
package/dist/layer1/entropy.js +0 -741
package/dist/layer1/entropy.js.map +0 -1
package/dist/layer1/file-flags.d.ts +0 -10
package/dist/layer1/file-flags.d.ts.map +0 -1
package/dist/layer1/file-flags.js +0 -119
package/dist/layer1/file-flags.js.map +0 -1
package/dist/layer1/index.d.ts +0 -38
package/dist/layer1/index.d.ts.map +0 -1
package/dist/layer1/index.js +0 -170
package/dist/layer1/index.js.map +0 -1
package/dist/layer1/patterns.d.ts +0 -11
package/dist/layer1/patterns.d.ts.map +0 -1
package/dist/layer1/patterns.js +0 -512
package/dist/layer1/patterns.js.map +0 -1
package/dist/layer1/urls.d.ts +0 -11
package/dist/layer1/urls.d.ts.map +0 -1
package/dist/layer1/urls.js +0 -444
package/dist/layer1/urls.js.map +0 -1
package/dist/layer1/weak-crypto.d.ts +0 -10
package/dist/layer1/weak-crypto.d.ts.map +0 -1
package/dist/layer1/weak-crypto.js +0 -428
package/dist/layer1/weak-crypto.js.map +0 -1
package/dist/layer2/ai-agent-tools.d.ts +0 -22
package/dist/layer2/ai-agent-tools.d.ts.map +0 -1
package/dist/layer2/ai-agent-tools.js +0 -1490
package/dist/layer2/ai-agent-tools.js.map +0 -1
package/dist/layer2/ai-endpoint-protection.d.ts +0 -38
package/dist/layer2/ai-endpoint-protection.d.ts.map +0 -1
package/dist/layer2/ai-endpoint-protection.js +0 -346
package/dist/layer2/ai-endpoint-protection.js.map +0 -1
package/dist/layer2/ai-execution-sinks.d.ts +0 -21
package/dist/layer2/ai-execution-sinks.d.ts.map +0 -1
package/dist/layer2/ai-execution-sinks.js +0 -1155
package/dist/layer2/ai-execution-sinks.js.map +0 -1
package/dist/layer2/ai-fingerprinting.d.ts +0 -10
package/dist/layer2/ai-fingerprinting.d.ts.map +0 -1
package/dist/layer2/ai-fingerprinting.js +0 -650
package/dist/layer2/ai-fingerprinting.js.map +0 -1
package/dist/layer2/ai-mcp-security.d.ts +0 -20
package/dist/layer2/ai-mcp-security.d.ts.map +0 -1
package/dist/layer2/ai-mcp-security.js +0 -877
package/dist/layer2/ai-mcp-security.js.map +0 -1
package/dist/layer2/ai-package-hallucination.d.ts +0 -22
package/dist/layer2/ai-package-hallucination.d.ts.map +0 -1
package/dist/layer2/ai-package-hallucination.js +0 -828
package/dist/layer2/ai-package-hallucination.js.map +0 -1
package/dist/layer2/ai-prompt-hygiene.d.ts +0 -22
package/dist/layer2/ai-prompt-hygiene.d.ts.map +0 -1
package/dist/layer2/ai-prompt-hygiene.js +0 -1156
package/dist/layer2/ai-prompt-hygiene.js.map +0 -1
package/dist/layer2/ai-rag-safety.d.ts +0 -24
package/dist/layer2/ai-rag-safety.d.ts.map +0 -1
package/dist/layer2/ai-rag-safety.js +0 -910
package/dist/layer2/ai-rag-safety.js.map +0 -1
package/dist/layer2/ai-schema-validation.d.ts +0 -28
package/dist/layer2/ai-schema-validation.d.ts.map +0 -1
package/dist/layer2/ai-schema-validation.js +0 -375
package/dist/layer2/ai-schema-validation.js.map +0 -1
package/dist/layer2/auth-antipatterns.d.ts +0 -22
package/dist/layer2/auth-antipatterns.d.ts.map +0 -1
package/dist/layer2/auth-antipatterns.js +0 -522
package/dist/layer2/auth-antipatterns.js.map +0 -1
package/dist/layer2/byok-patterns.d.ts +0 -15
package/dist/layer2/byok-patterns.d.ts.map +0 -1
package/dist/layer2/byok-patterns.js +0 -302
package/dist/layer2/byok-patterns.js.map +0 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +0 -16
package/dist/layer2/dangerous-functions/child-process.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/child-process.js +0 -74
package/dist/layer2/dangerous-functions/child-process.js.map +0 -1
package/dist/layer2/dangerous-functions/dom-xss.d.ts +0 -34
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/dom-xss.js +0 -230
package/dist/layer2/dangerous-functions/dom-xss.js.map +0 -1
package/dist/layer2/dangerous-functions/index.d.ts +0 -16
package/dist/layer2/dangerous-functions/index.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/index.js +0 -1152
package/dist/layer2/dangerous-functions/index.js.map +0 -1
package/dist/layer2/dangerous-functions/json-parse.d.ts +0 -31
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/json-parse.js +0 -319
package/dist/layer2/dangerous-functions/json-parse.js.map +0 -1
package/dist/layer2/dangerous-functions/math-random.d.ts +0 -111
package/dist/layer2/dangerous-functions/math-random.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/math-random.js +0 -684
package/dist/layer2/dangerous-functions/math-random.js.map +0 -1
package/dist/layer2/dangerous-functions/patterns.d.ts +0 -21
package/dist/layer2/dangerous-functions/patterns.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/patterns.js +0 -163
package/dist/layer2/dangerous-functions/patterns.js.map +0 -1
package/dist/layer2/dangerous-functions/request-validation.d.ts +0 -13
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/request-validation.js +0 -119
package/dist/layer2/dangerous-functions/request-validation.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +0 -24
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/control-flow.js +0 -70
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +0 -31
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/helpers.js +0 -147
package/dist/layer2/dangerous-functions/utils/helpers.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/index.d.ts +0 -9
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/index.js +0 -23
package/dist/layer2/dangerous-functions/utils/index.js.map +0 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +0 -22
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
package/dist/layer2/dangerous-functions/utils/schema-validation.js +0 -102
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +0 -1
package/dist/layer2/data-exposure.d.ts +0 -19
package/dist/layer2/data-exposure.d.ts.map +0 -1
package/dist/layer2/data-exposure.js +0 -255
package/dist/layer2/data-exposure.js.map +0 -1
package/dist/layer2/framework-checks.d.ts +0 -10
package/dist/layer2/framework-checks.d.ts.map +0 -1
package/dist/layer2/framework-checks.js +0 -384
package/dist/layer2/framework-checks.js.map +0 -1
package/dist/layer2/index.d.ts +0 -74
package/dist/layer2/index.d.ts.map +0 -1
package/dist/layer2/index.js +0 -544
package/dist/layer2/index.js.map +0 -1
package/dist/layer2/log-injection.d.ts +0 -18
package/dist/layer2/log-injection.d.ts.map +0 -1
package/dist/layer2/log-injection.js +0 -214
package/dist/layer2/log-injection.js.map +0 -1
package/dist/layer2/logic-gates.d.ts +0 -10
package/dist/layer2/logic-gates.d.ts.map +0 -1
package/dist/layer2/logic-gates.js +0 -220
package/dist/layer2/logic-gates.js.map +0 -1
package/dist/layer2/model-supply-chain.d.ts +0 -23
package/dist/layer2/model-supply-chain.d.ts.map +0 -1
package/dist/layer2/model-supply-chain.js +0 -444
package/dist/layer2/model-supply-chain.js.map +0 -1
package/dist/layer2/risky-imports.d.ts +0 -10
package/dist/layer2/risky-imports.d.ts.map +0 -1
package/dist/layer2/risky-imports.js +0 -165
package/dist/layer2/risky-imports.js.map +0 -1
package/dist/layer2/security-headers.d.ts +0 -18
package/dist/layer2/security-headers.d.ts.map +0 -1
package/dist/layer2/security-headers.js +0 -187
package/dist/layer2/security-headers.js.map +0 -1
package/dist/layer2/ssrf-detection.d.ts +0 -18
package/dist/layer2/ssrf-detection.d.ts.map +0 -1
package/dist/layer2/ssrf-detection.js +0 -252
package/dist/layer2/ssrf-detection.js.map +0 -1
package/dist/layer2/variables.d.ts +0 -11
package/dist/layer2/variables.d.ts.map +0 -1
package/dist/layer2/variables.js +0 -156
package/dist/layer2/variables.js.map +0 -1
package/dist/layer2/xxe-detection.d.ts +0 -18
package/dist/layer2/xxe-detection.d.ts.map +0 -1
package/dist/layer2/xxe-detection.js +0 -242
package/dist/layer2/xxe-detection.js.map +0 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +0 -24
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +0 -1
package/dist/layer3/anthropic/auto-dismiss.js +0 -199
package/dist/layer3/anthropic/auto-dismiss.js.map +0 -1
package/dist/layer3/anthropic/clients.d.ts +0 -44
package/dist/layer3/anthropic/clients.d.ts.map +0 -1
package/dist/layer3/anthropic/clients.js +0 -81
package/dist/layer3/anthropic/clients.js.map +0 -1
package/dist/layer3/anthropic/index.d.ts +0 -41
package/dist/layer3/anthropic/index.d.ts.map +0 -1
package/dist/layer3/anthropic/index.js +0 -141
package/dist/layer3/anthropic/index.js.map +0 -1
package/dist/layer3/anthropic/prompts/index.d.ts +0 -8
package/dist/layer3/anthropic/prompts/index.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/index.js +0 -16
package/dist/layer3/anthropic/prompts/index.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +0 -19
package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +0 -156
package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +0 -9
package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/auth-access.js +0 -25
package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/common.d.ts +0 -11
package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/common.js +0 -152
package/dist/layer3/anthropic/prompts/modules/common.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/index.d.ts +0 -54
package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/index.js +0 -185
package/dist/layer3/anthropic/prompts/modules/index.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +0 -8
package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +0 -84
package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +0 -8
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +0 -68
package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +0 -1
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +0 -8
package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +0 -22
package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +0 -1
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +0 -15
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/semantic-analysis.js +0 -169
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +0 -1
package/dist/layer3/anthropic/prompts/validation.d.ts +0 -18
package/dist/layer3/anthropic/prompts/validation.d.ts.map +0 -1
package/dist/layer3/anthropic/prompts/validation.js +0 -25
package/dist/layer3/anthropic/prompts/validation.js.map +0 -1
package/dist/layer3/anthropic/providers/anthropic.d.ts +0 -21
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic/providers/anthropic.js +0 -269
package/dist/layer3/anthropic/providers/anthropic.js.map +0 -1
package/dist/layer3/anthropic/providers/index.d.ts +0 -8
package/dist/layer3/anthropic/providers/index.d.ts.map +0 -1
package/dist/layer3/anthropic/providers/index.js +0 -15
package/dist/layer3/anthropic/providers/index.js.map +0 -1
package/dist/layer3/anthropic/providers/openai.d.ts +0 -18
package/dist/layer3/anthropic/providers/openai.d.ts.map +0 -1
package/dist/layer3/anthropic/providers/openai.js +0 -343
package/dist/layer3/anthropic/providers/openai.js.map +0 -1
package/dist/layer3/anthropic/request-builder.d.ts +0 -27
package/dist/layer3/anthropic/request-builder.d.ts.map +0 -1
package/dist/layer3/anthropic/request-builder.js +0 -150
package/dist/layer3/anthropic/request-builder.js.map +0 -1
package/dist/layer3/anthropic/types.d.ts +0 -88
package/dist/layer3/anthropic/types.d.ts.map +0 -1
package/dist/layer3/anthropic/types.js +0 -38
package/dist/layer3/anthropic/types.js.map +0 -1
package/dist/layer3/anthropic/utils/context-extractor.d.ts +0 -55
package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/context-extractor.js +0 -161
package/dist/layer3/anthropic/utils/context-extractor.js.map +0 -1
package/dist/layer3/anthropic/utils/index.d.ts +0 -11
package/dist/layer3/anthropic/utils/index.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/index.js +0 -27
package/dist/layer3/anthropic/utils/index.js.map +0 -1
package/dist/layer3/anthropic/utils/path-helpers.d.ts +0 -21
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/path-helpers.js +0 -69
package/dist/layer3/anthropic/utils/path-helpers.js.map +0 -1
package/dist/layer3/anthropic/utils/response-parser.d.ts +0 -40
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/response-parser.js +0 -285
package/dist/layer3/anthropic/utils/response-parser.js.map +0 -1
package/dist/layer3/anthropic/utils/retry.d.ts +0 -15
package/dist/layer3/anthropic/utils/retry.d.ts.map +0 -1
package/dist/layer3/anthropic/utils/retry.js +0 -62
package/dist/layer3/anthropic/utils/retry.js.map +0 -1
package/dist/layer3/index.d.ts +0 -27
package/dist/layer3/index.d.ts.map +0 -1
package/dist/layer3/index.js +0 -150
package/dist/layer3/index.js.map +0 -1
package/dist/layer3/osv-check.d.ts +0 -75
package/dist/layer3/osv-check.d.ts.map +0 -1
package/dist/layer3/osv-check.js +0 -308
package/dist/layer3/osv-check.js.map +0 -1
package/dist/layer3/package-check.d.ts +0 -63
package/dist/layer3/package-check.d.ts.map +0 -1
package/dist/layer3/package-check.js +0 -508
package/dist/layer3/package-check.js.map +0 -1
package/dist/model/cross-file-taint.d.ts +0 -40
package/dist/model/cross-file-taint.d.ts.map +0 -1
package/dist/model/cross-file-taint.js +0 -290
package/dist/model/cross-file-taint.js.map +0 -1
package/dist/model/function-classifier.d.ts +0 -32
package/dist/model/function-classifier.d.ts.map +0 -1
package/dist/model/function-classifier.js +0 -143
package/dist/model/function-classifier.js.map +0 -1
package/dist/model/sanitiser-detection.d.ts +0 -27
package/dist/model/sanitiser-detection.d.ts.map +0 -1
package/dist/model/sanitiser-detection.js +0 -224
package/dist/model/sanitiser-detection.js.map +0 -1
package/dist/model/sink-matcher.d.ts +0 -17
package/dist/model/sink-matcher.d.ts.map +0 -1
package/dist/model/sink-matcher.js +0 -141
package/dist/model/sink-matcher.js.map +0 -1
package/dist/model/sink-patterns.d.ts +0 -19
package/dist/model/sink-patterns.d.ts.map +0 -1
package/dist/model/sink-patterns.js +0 -88
package/dist/model/sink-patterns.js.map +0 -1
package/dist/model/source-discovery.d.ts +0 -15
package/dist/model/source-discovery.d.ts.map +0 -1
package/dist/model/source-discovery.js +0 -170
package/dist/model/source-discovery.js.map +0 -1
package/dist/model/taint-tracker.d.ts +0 -21
package/dist/model/taint-tracker.d.ts.map +0 -1
package/dist/model/taint-tracker.js +0 -281
package/dist/model/taint-tracker.js.map +0 -1
package/dist/modes/incremental.d.ts +0 -66
package/dist/modes/incremental.d.ts.map +0 -1
package/dist/modes/incremental.js +0 -200
package/dist/modes/incremental.js.map +0 -1
package/dist/rules/framework-fixes.d.ts +0 -48
package/dist/rules/framework-fixes.d.ts.map +0 -1
package/dist/rules/framework-fixes.js +0 -439
package/dist/rules/framework-fixes.js.map +0 -1
package/dist/rules/index.d.ts +0 -8
package/dist/rules/index.d.ts.map +0 -1
package/dist/rules/index.js +0 -18
package/dist/rules/index.js.map +0 -1
package/dist/rules/metadata.d.ts +0 -43
package/dist/rules/metadata.d.ts.map +0 -1
package/dist/rules/metadata.js +0 -800
package/dist/rules/metadata.js.map +0 -1
package/dist/score/auto-dismiss.d.ts +0 -28
package/dist/score/auto-dismiss.d.ts.map +0 -1
package/dist/score/auto-dismiss.js +0 -200
package/dist/score/auto-dismiss.js.map +0 -1
package/dist/suppression/config-loader.d.ts +0 -74
package/dist/suppression/config-loader.d.ts.map +0 -1
package/dist/suppression/config-loader.js +0 -424
package/dist/suppression/config-loader.js.map +0 -1
package/dist/suppression/hash.d.ts +0 -48
package/dist/suppression/hash.d.ts.map +0 -1
package/dist/suppression/hash.js +0 -88
package/dist/suppression/hash.js.map +0 -1
package/dist/suppression/index.d.ts +0 -11
package/dist/suppression/index.d.ts.map +0 -1
package/dist/suppression/index.js +0 -39
package/dist/suppression/index.js.map +0 -1
package/dist/suppression/inline-parser.d.ts +0 -39
package/dist/suppression/inline-parser.d.ts.map +0 -1
package/dist/suppression/inline-parser.js +0 -218
package/dist/suppression/inline-parser.js.map +0 -1
package/dist/suppression/manager.d.ts +0 -94
package/dist/suppression/manager.d.ts.map +0 -1
package/dist/suppression/manager.js +0 -292
package/dist/suppression/manager.js.map +0 -1
package/dist/suppression/types.d.ts +0 -151
package/dist/suppression/types.d.ts.map +0 -1
package/dist/suppression/types.js +0 -28
package/dist/suppression/types.js.map +0 -1
package/dist/types.d.ts +0 -331
package/dist/types.d.ts.map +0 -1
package/dist/types.js +0 -124
package/dist/types.js.map +0 -1
package/dist/utils/auth-helper-detector.d.ts +0 -56
package/dist/utils/auth-helper-detector.d.ts.map +0 -1
package/dist/utils/auth-helper-detector.js +0 -360
package/dist/utils/auth-helper-detector.js.map +0 -1
package/dist/utils/code-analysis.d.ts +0 -39
package/dist/utils/code-analysis.d.ts.map +0 -1
package/dist/utils/code-analysis.js +0 -159
package/dist/utils/code-analysis.js.map +0 -1
package/dist/utils/comment-analyzer.d.ts +0 -38
package/dist/utils/comment-analyzer.d.ts.map +0 -1
package/dist/utils/comment-analyzer.js +0 -218
package/dist/utils/comment-analyzer.js.map +0 -1
package/dist/utils/context-helpers.d.ts +0 -219
package/dist/utils/context-helpers.d.ts.map +0 -1
package/dist/utils/context-helpers.js +0 -886
package/dist/utils/context-helpers.js.map +0 -1
package/dist/utils/diff-detector.d.ts +0 -53
package/dist/utils/diff-detector.d.ts.map +0 -1
package/dist/utils/diff-detector.js +0 -104
package/dist/utils/diff-detector.js.map +0 -1
package/dist/utils/diff-parser.d.ts +0 -80
package/dist/utils/diff-parser.d.ts.map +0 -1
package/dist/utils/diff-parser.js +0 -202
package/dist/utils/diff-parser.js.map +0 -1
package/dist/utils/environment-context.d.ts +0 -76
package/dist/utils/environment-context.d.ts.map +0 -1
package/dist/utils/environment-context.js +0 -271
package/dist/utils/environment-context.js.map +0 -1
package/dist/utils/imported-auth-detector.d.ts +0 -37
package/dist/utils/imported-auth-detector.d.ts.map +0 -1
package/dist/utils/imported-auth-detector.js +0 -251
package/dist/utils/imported-auth-detector.js.map +0 -1
package/dist/utils/intent-detector.d.ts +0 -66
package/dist/utils/intent-detector.d.ts.map +0 -1
package/dist/utils/intent-detector.js +0 -282
package/dist/utils/intent-detector.js.map +0 -1
package/dist/utils/middleware-detector.d.ts +0 -55
package/dist/utils/middleware-detector.d.ts.map +0 -1
package/dist/utils/middleware-detector.js +0 -260
package/dist/utils/middleware-detector.js.map +0 -1
package/dist/utils/oauth-flow-detector.d.ts +0 -41
package/dist/utils/oauth-flow-detector.d.ts.map +0 -1
package/dist/utils/oauth-flow-detector.js +0 -202
package/dist/utils/oauth-flow-detector.js.map +0 -1
package/dist/utils/parsed-file.d.ts +0 -51
package/dist/utils/parsed-file.d.ts.map +0 -1
package/dist/utils/parsed-file.js +0 -95
package/dist/utils/parsed-file.js.map +0 -1
package/dist/utils/path-exclusions.d.ts +0 -55
package/dist/utils/path-exclusions.d.ts.map +0 -1
package/dist/utils/path-exclusions.js +0 -224
package/dist/utils/path-exclusions.js.map +0 -1
package/dist/utils/project-context-builder.d.ts +0 -119
package/dist/utils/project-context-builder.d.ts.map +0 -1
package/dist/utils/project-context-builder.js +0 -534
package/dist/utils/project-context-builder.js.map +0 -1
package/dist/utils/registry-clients.d.ts +0 -93
package/dist/utils/registry-clients.d.ts.map +0 -1
package/dist/utils/registry-clients.js +0 -273
package/dist/utils/registry-clients.js.map +0 -1
package/dist/utils/route-hierarchy.d.ts +0 -50
package/dist/utils/route-hierarchy.d.ts.map +0 -1
package/dist/utils/route-hierarchy.js +0 -226
package/dist/utils/route-hierarchy.js.map +0 -1
package/dist/utils/schema-semantics.d.ts +0 -45
package/dist/utils/schema-semantics.d.ts.map +0 -1
package/dist/utils/schema-semantics.js +0 -193
package/dist/utils/schema-semantics.js.map +0 -1
package/dist/utils/trpc-analyzer.d.ts +0 -78
package/dist/utils/trpc-analyzer.d.ts.map +0 -1
package/dist/utils/trpc-analyzer.js +0 -297
package/dist/utils/trpc-analyzer.js.map +0 -1
package/src/__tests__/context-engine/cross-file-taint.test.ts +0 -284
package/src/__tests__/context-engine/function-classifier.test.ts +0 -146
package/src/__tests__/context-engine/integration.test.ts +0 -320
package/src/__tests__/context-engine/sanitiser-detection.test.ts +0 -187
package/src/__tests__/context-engine/sink-matcher.test.ts +0 -251
package/src/__tests__/context-engine/source-discovery.test.ts +0 -186
package/src/__tests__/context-engine/taint-tracker.test.ts +0 -182
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +0 -750
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +0 -555
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +0 -321
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +0 -439
package/src/detect/ai-code/agent-tools.ts +0 -1662
package/src/detect/ai-code/byok-patterns.ts +0 -354
package/src/detect/ai-code/endpoint-protection.ts +0 -406
package/src/detect/ai-code/execution-sinks.ts +0 -1310
package/src/detect/ai-code/fingerprinting.ts +0 -774
package/src/detect/ai-code/mcp-security.ts +0 -937
package/src/detect/ai-code/model-supply-chain.ts +0 -535
package/src/detect/ai-code/package-hallucination.ts +0 -955
package/src/detect/ai-code/prompt-hygiene.ts +0 -1314
package/src/detect/ai-code/rag-safety.ts +0 -977
package/src/detect/ai-code/schema-validation.ts +0 -427
package/src/detect/secrets/patterns.ts +0 -561
package/src/detect/secrets/weak-crypto.ts +0 -485
package/src/detect/structural/__tests__/math-random-enhanced.test.ts +0 -405
package/src/detect/structural/auth-patterns.ts +0 -621
package/src/detect/structural/dangerous-functions/child-process.ts +0 -98
package/src/detect/structural/dangerous-functions/dom-xss.ts +0 -292
package/src/detect/structural/dangerous-functions/index.ts +0 -1556
package/src/detect/structural/dangerous-functions/json-parse.ts +0 -393
package/src/detect/structural/dangerous-functions/math-random.ts +0 -789
package/src/detect/structural/dangerous-functions/patterns.ts +0 -176
package/src/detect/structural/dangerous-functions/request-validation.ts +0 -153
package/src/detect/structural/dangerous-functions/utils/control-flow.ts +0 -35
package/src/detect/structural/dangerous-functions/utils/helpers.ts +0 -170
package/src/detect/structural/dangerous-functions/utils/index.ts +0 -25
package/src/detect/structural/dangerous-functions/utils/schema-validation.ts +0 -106
package/src/detect/structural/data-exposure.ts +0 -302
package/src/detect/structural/framework-checks.ts +0 -439
package/src/detect/structural/log-injection.ts +0 -254
package/src/detect/structural/logic-gates.ts +0 -256
package/src/detect/structural/risky-imports.ts +0 -197
package/src/detect/structural/security-headers.ts +0 -231
package/src/detect/structural/ssrf-detection.ts +0 -300
package/src/detect/structural/variables.ts +0 -177
package/src/detect/structural/xxe-detection.ts +0 -295
package/src/model/cross-file-taint.ts +0 -374
package/src/model/function-classifier.ts +0 -184
package/src/model/sanitiser-detection.ts +0 -268
package/src/model/sink-matcher.ts +0 -178
package/src/model/sink-patterns.ts +0 -109
package/src/model/source-discovery.ts +0 -209
package/src/model/taint-tracker.ts +0 -333
package/src/score/auto-dismiss.ts +0 -224

package/dist/detect/ast-rules/secret-patterns-ast.js ADDED Viewed

@@ -0,0 +1,199 @@
+"use strict";
+/**
+ * AST-Based Hardcoded Secret Pattern Detection
+ *
+ * Migrates secrets/patterns.ts from regex to AST for source code files.
+ * Scans string literals in the AST for known secret patterns (API keys, tokens).
+ *
+ * AST advantages over regex:
+ * - Only scans actual string values (not comments, type annotations, JSDoc)
+ * - Understands assignment context (can check if value is env ref or placeholder)
+ * - Handles template literals with interpolation
+ * - Can detect secrets split across string concatenation
+ *
+ * NOTE: The regex version in secrets/patterns.ts continues to handle
+ * non-AST-parseable files (.env, .yaml, Dockerfile, etc.)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const string_analysis_1 = require("./helpers/string-analysis");
+const file_classifier_1 = require("../../parse/file-classifier");
+// ============================================================================
+// Helpers
+// ============================================================================
+function isInsideTypeDeclaration(node) {
+    let current = node.parent;
+    while (current) {
+        if (current.type === 'type_alias_declaration' ||
+            current.type === 'interface_declaration' ||
+            current.type === 'type_annotation')
+            return true;
+        current = current.parent;
+    }
+    return false;
+}
+const SECRET_PATTERNS = [
+    { name: 'OpenAI API Key', pattern: /sk-[a-zA-Z0-9]{20,}/, severity: 'critical', description: 'OpenAI API key detected' },
+    { name: 'OpenAI Project API Key', pattern: /sk-proj-[a-zA-Z0-9]{48,}/, severity: 'critical', description: 'OpenAI project API key detected (new format)' },
+    { name: 'Anthropic API Key', pattern: /sk-ant-[a-zA-Z0-9-]{20,}/, severity: 'critical', description: 'Anthropic API key detected' },
+    { name: 'Anthropic API Key (Full)', pattern: /sk-ant-api03-[a-zA-Z0-9_-]{90,}/, severity: 'critical', description: 'Anthropic API key detected (full format)' },
+    { name: 'GitHub Token', pattern: /ghp_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub personal access token detected' },
+    { name: 'GitHub OAuth Token', pattern: /gho_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub OAuth token detected' },
+    { name: 'GitHub App Token', pattern: /ghu_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub App user token detected' },
+    { name: 'GitHub Refresh Token', pattern: /ghr_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub refresh token detected' },
+    { name: 'Stripe Secret Key', pattern: /sk_live_[a-zA-Z0-9]{24,}/, severity: 'critical', description: 'Stripe live secret key detected' },
+    { name: 'Stripe Test Key', pattern: /sk_test_[a-zA-Z0-9]{24,}/, severity: 'medium', description: 'Stripe test secret key detected' },
+    { name: 'Stripe Publishable Key', pattern: /pk_(live|test)_[a-zA-Z0-9]{24,}/, severity: 'low', description: 'Stripe publishable key detected (usually safe but verify)' },
+    { name: 'Square Access Token', pattern: /sq0csp-[a-zA-Z0-9\-_]{43}/, severity: 'critical', description: 'Square access token detected' },
+    { name: 'AWS Access Key ID', pattern: /AKIA[0-9A-Z]{16}/, severity: 'critical', description: 'AWS Access Key ID detected' },
+    { name: 'Google API Key', pattern: /AIza[0-9A-Za-z\-_]{35}/, severity: 'high', description: 'Google API key detected' },
+    { name: 'Slack Token', pattern: /xox[baprs]-[0-9a-zA-Z]{10,}/, severity: 'critical', description: 'Slack token detected' },
+    { name: 'Slack Webhook', pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/, severity: 'high', description: 'Slack webhook URL detected' },
+    { name: 'Discord Webhook', pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/, severity: 'high', description: 'Discord webhook URL detected' },
+    { name: 'Twilio API Key', pattern: /SK[a-f0-9]{32}/, severity: 'critical', description: 'Twilio API key detected' },
+    { name: 'SendGrid API Key', pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/, severity: 'critical', description: 'SendGrid API key detected' },
+    { name: 'Mailgun API Key', pattern: /key-[a-zA-Z0-9]{32}/, severity: 'critical', description: 'Mailgun API key detected' },
+    { name: 'NPM Token', pattern: /npm_[a-zA-Z0-9]{36}/, severity: 'critical', description: 'NPM access token detected' },
+    { name: 'PyPI Token', pattern: /pypi-[a-zA-Z0-9]{32,}/, severity: 'critical', description: 'PyPI API token detected' },
+    { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, severity: 'critical', description: 'Private key detected' },
+    { name: 'Database Connection String', pattern: /(mongodb|postgres|mysql|redis|amqp)(\+srv)?:\/\/[^:@\s"']+:[^@\s"']+@/, severity: 'high', description: 'Database connection string with credentials detected' },
+    { name: 'Hardcoded JWT Token', pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/, severity: 'high', description: 'Hardcoded JWT token detected' },
+    { name: 'Generic Password in URL', pattern: /[a-zA-Z]{3,10}:\/\/[^:]+:[^@]+@/, severity: 'high', description: 'Password in URL detected' },
+    { name: 'Vercel Token', pattern: /vercel_[a-zA-Z0-9]{24,}/i, severity: 'critical', description: 'Vercel API token detected' },
+    { name: 'Netlify Token', pattern: /nfp_[a-zA-Z0-9]{40,}/i, severity: 'critical', description: 'Netlify personal access token detected' },
+    { name: 'Generic API Key Assignment', pattern: /api[_-]?key.*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]/i, severity: 'medium', description: 'Possible API key assignment detected', isGeneric: true },
+    { name: 'Generic Secret Key Assignment', pattern: /secret[_-]?key.*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]/i, severity: 'medium', description: 'Possible secret key assignment detected', isGeneric: true },
+];
+// ============================================================================
+// Filters
+// ============================================================================
+const PLACEHOLDER_PATTERNS = [
+    /^your[-_]/i, /^my[-_]/i, /^test[-_]/i, /^sample[-_]/i,
+    /^example[-_]/i, /^demo[-_]/i, /^placeholder/i,
+    /^xxx+$/i, /^yyy+$/i, /^\*+$/, /^\.{3,}$/,
+    /^<.*>$/, /^\[.*\]$/, /^\{.*\}$/,
+];
+function isPlaceholder(value, lineContent) {
+    if (PLACEHOLDER_PATTERNS.some(p => p.test(value)))
+        return true;
+    if (/example|sample|demo|test|dummy|fake|mock/i.test(value))
+        return true;
+    if (/^[a-z]+_[a-z]+_[a-z]+$/i.test(value) || /^your[_-]/i.test(value))
+        return true;
+    if (/\[REDACTED\]|\[MASKED\]|\[HIDDEN\]|\*{3,}/i.test(value))
+        return true;
+    return false;
+}
+function hasTestVarName(line) {
+    const match = line.match(/(?:const|let|var|export\s+const)\s+([A-Z_][A-Z0-9_]*)\s*=/i);
+    if (!match)
+        return false;
+    const name = match[1];
+    return /^(TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE|PLACEHOLDER|DEMO)/i.test(name) ||
+        /_(TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)$/i.test(name);
+}
+function isDocFile(filePath) {
+    return /README|CHANGELOG|CONTRIBUTING|LICENSE|\.md$|\.mdx$|\.rst$|\/docs\/|\/examples?\//i.test(filePath);
+}
+// ============================================================================
+// AST Rule: Secret Patterns
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-secret-pattern',
+    title: 'Hardcoded secret detected',
+    description: 'Known secret pattern found in string literal',
+    severity: 'critical',
+    category: 'hardcoded_secret',
+    suggestedFix: 'Move this secret to an environment variable. Never commit secrets to version control.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.70,
+    layer: 1,
+    source: 'secrets',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isExampleFile)(ast.filePath))
+            return [];
+        if (isDocFile(ast.filePath))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        const lines = content.split('\n');
+        const isServerFile = (0, file_classifier_1.isServerOnlyFile)(ast.filePath);
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        // Walk all string nodes in the AST
+        nodeLoop: for (const node of (0, index_1.getNodes)(nodeIndex, 'string', 'template_string')) {
+            if (isInsideTypeDeclaration(node))
+                continue;
+            const value = (0, string_analysis_1.extractStringValue)(node);
+            if (!value || value.length < 8)
+                continue; // skip, too short
+            const line = lines[node.startPosition.row] ?? '';
+            // Skip placeholders
+            if (isPlaceholder(value, line))
+                continue;
+            if (hasTestVarName(line))
+                continue;
+            // Check BYOK context
+            if ((0, file_classifier_1.isBYOKContext)(line, ast.filePath)) {
+                if (isServerFile && (0, file_classifier_1.isEnvVarReference)(line))
+                    continue;
+                if (!/['"`][a-zA-Z0-9_-]{20,}['"`]/.test(line))
+                    continue;
+            }
+            // Test each secret pattern
+            for (const secret of SECRET_PATTERNS) {
+                if (!secret.pattern.test(value))
+                    continue;
+                let adjustedSeverity = secret.severity;
+                let adjustedDescription = secret.description;
+                let requiresAI = secret.isGeneric ?? false;
+                // JWT / Supabase context handling
+                const isJWT = secret.name.includes('Supabase') || secret.name.includes('JWT') || /eyJ[a-zA-Z0-9_-]+\.eyJ/.test(value);
+                if (isJWT) {
+                    const ctx = (0, file_classifier_1.getServiceRoleKeyContext)(line, ast.filePath);
+                    if (ctx === 'safe_server')
+                        continue nodeLoop;
+                    if (ctx === 'client_exposure') {
+                        adjustedSeverity = 'critical';
+                        requiresAI = true;
+                        adjustedDescription = (0, file_classifier_1.isNextPublicEnvVar)(line)
+                            ? `${secret.description} - EXPOSED via NEXT_PUBLIC_ prefix`
+                            : `${secret.description} - may be exposed to client bundle`;
+                    }
+                    else {
+                        if ((0, file_classifier_1.isEnvVarReference)(line)) {
+                            adjustedSeverity = 'medium';
+                            requiresAI = true;
+                            adjustedDescription = `${secret.description} - verify this is not exposed to client`;
+                        }
+                        else if (isServerFile) {
+                            adjustedSeverity = 'high';
+                            requiresAI = true;
+                            adjustedDescription = `${secret.description} - hardcoded in server file, should use env var`;
+                        }
+                        else {
+                            adjustedSeverity = 'critical';
+                            requiresAI = true;
+                        }
+                    }
+                }
+                // Test file downgrade
+                if (isTestFile) {
+                    adjustedSeverity = adjustedSeverity === 'critical' ? 'medium'
+                        : adjustedSeverity === 'high' ? 'low' : 'info';
+                    adjustedDescription += ' (in test file)';
+                }
+                matches.push({
+                    node,
+                    severity: adjustedSeverity,
+                    note: adjustedDescription,
+                });
+                break; // one match per string
+            }
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=secret-patterns-ast.js.map

package/dist/detect/ast-rules/secret-patterns-ast.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secret-patterns-ast.js","sourceRoot":"","sources":["../../../src/detect/ast-rules/secret-patterns-ast.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAGH,mCAAsF;AAEtF,+DAA8D;AAC9D,iEASoC;AAGpC,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,uBAAuB,CAAC,IAAuB;IACtD,IAAI,OAAO,GAAG,IAAI,CAAC,MAAM,CAAA;IACzB,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,IAAI,KAAK,wBAAwB;YACzC,OAAO,CAAC,IAAI,KAAK,uBAAuB;YACxC,OAAO,CAAC,IAAI,KAAK,iBAAiB;YAAE,OAAO,IAAI,CAAA;QACnD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;IAC1B,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAcD,MAAM,eAAe,GAAuB;IAC1C,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,yBAAyB,EAAE;IACxH,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,8CAA8C,EAAE;IAC1J,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,4BAA4B,EAAE;IACnI,EAAE,IAAI,EAAE,0BAA0B,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,0CAA0C,EAAE;IAC/J,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,uCAAuC,EAAE;IACrI,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,6BAA6B,EAAE;IACjI,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,gCAAgC,EAAE;IAClI,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,+BAA+B,EAAE;IACrI,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,iCAAiC,EAAE;IACxI,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,iCAAiC,EAAE;IACpI,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,2DAA2D,EAAE;IACzK,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,8BAA8B,EAAE;IACxI,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,4BAA4B,EAAE;IAC3H,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,wBAAwB,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,yBAAyB,EAAE;IACvH,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,sBAAsB,EAAE;IAC1H,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,sFAAsF,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,4BAA4B,EAAE;IACvL,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,uEAAuE,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,8BAA8B,EAAE;IAC5K,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,yBAAyB,EAAE;IACnH,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,0CAA0C,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,2BAA2B,EAAE;IACjJ,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,0BAA0B,EAAE;IAC1H,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,2BAA2B,EAAE;IACrH,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,yBAAyB,EAAE;IACtH,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,sDAAsD,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,sBAAsB,EAAE;IACnJ,EAAE,IAAI,EAAE,4BAA4B,EAAE,OAAO,EAAE,uEAAuE,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,sDAAsD,EAAE;IAC/M,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,kEAAkE,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,8BAA8B,EAAE;IAC3K,EAAE,IAAI,EAAE,yBAAyB,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,0BAA0B,EAAE;IAC1I,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,2BAA2B,EAAE;IAC7H,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,wCAAwC,EAAE;IACxI,EAAE,IAAI,EAAE,4BAA4B,EAAE,OAAO,EAAE,iDAAiD,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,sCAAsC,EAAE,SAAS,EAAE,IAAI,EAAE;IAC5L,EAAE,IAAI,EAAE,+BAA+B,EAAE,OAAO,EAAE,oDAAoD,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,yCAAyC,EAAE,SAAS,EAAE,IAAI,EAAE;CACtM,CAAA;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,MAAM,oBAAoB,GAAG;IAC3B,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc;IACtD,eAAe,EAAE,YAAY,EAAE,eAAe;IAC9C,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU;IACzC,QAAQ,EAAE,UAAU,EAAE,UAAU;CACjC,CAAA;AAED,SAAS,aAAa,CAAC,KAAa,EAAE,WAAmB;IACvD,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAA;IAC9D,IAAI,2CAA2C,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACxE,IAAI,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAClF,IAAI,4CAA4C,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACzE,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAA;IACtF,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAA;IACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IACrB,OAAO,0DAA0D,CAAC,IAAI,CAAC,IAAI,CAAC;QACrE,0CAA0C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC9D,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,OAAO,mFAAmF,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAC3G,CAAC;AAED,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,oBAAoB;IACxB,KAAK,EAAE,2BAA2B;IAClC,WAAW,EAAE,8CAA8C;IAC3D,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,kBAAkB;IAC5B,YAAY,EAAE,uFAAuF;IACrG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,SAAS;IACjB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,+BAAa,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAC1C,IAAI,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAEtC,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,YAAY,GAAG,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACnD,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAEjD,mCAAmC;QACnC,QAAQ,EAAE,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,QAAQ,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC/E,IAAI,uBAAuB,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAE3C,MAAM,KAAK,GAAG,IAAA,oCAAkB,EAAC,IAAI,CAAC,CAAA;YACtC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAQ,CAAC,kBAAkB;YAE3D,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;YAEhD,oBAAoB;YACpB,IAAI,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC;gBAAE,SAAQ;YACxC,IAAI,cAAc,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAElC,qBAAqB;YACrB,IAAI,IAAA,+BAAa,EAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,IAAI,YAAY,IAAI,IAAA,mCAAiB,EAAC,IAAI,CAAC;oBAAE,SAAQ;gBACrD,IAAI,CAAC,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAQ;YAC1D,CAAC;YAED,2BAA2B;YAC3B,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;oBAAE,SAAQ;gBAEzC,IAAI,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACtC,IAAI,mBAAmB,GAAG,MAAM,CAAC,WAAW,CAAA;gBAC5C,IAAI,UAAU,GAAG,MAAM,CAAC,SAAS,IAAI,KAAK,CAAA;gBAE1C,kCAAkC;gBAClC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;gBACrH,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,GAAG,GAAG,IAAA,0CAAwB,EAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAA;oBACxD,IAAI,GAAG,KAAK,aAAa;wBAAE,SAAS,QAAQ,CAAA;oBAC5C,IAAI,GAAG,KAAK,iBAAiB,EAAE,CAAC;wBAC9B,gBAAgB,GAAG,UAAU,CAAA;wBAC7B,UAAU,GAAG,IAAI,CAAA;wBACjB,mBAAmB,GAAG,IAAA,oCAAkB,EAAC,IAAI,CAAC;4BAC5C,CAAC,CAAC,GAAG,MAAM,CAAC,WAAW,oCAAoC;4BAC3D,CAAC,CAAC,GAAG,MAAM,CAAC,WAAW,oCAAoC,CAAA;oBAC/D,CAAC;yBAAM,CAAC;wBACN,IAAI,IAAA,mCAAiB,EAAC,IAAI,CAAC,EAAE,CAAC;4BAC5B,gBAAgB,GAAG,QAAQ,CAAA;4BAC3B,UAAU,GAAG,IAAI,CAAA;4BACjB,mBAAmB,GAAG,GAAG,MAAM,CAAC,WAAW,yCAAyC,CAAA;wBACtF,CAAC;6BAAM,IAAI,YAAY,EAAE,CAAC;4BACxB,gBAAgB,GAAG,MAAM,CAAA;4BACzB,UAAU,GAAG,IAAI,CAAA;4BACjB,mBAAmB,GAAG,GAAG,MAAM,CAAC,WAAW,iDAAiD,CAAA;wBAC9F,CAAC;6BAAM,CAAC;4BACN,gBAAgB,GAAG,UAAU,CAAA;4BAC7B,UAAU,GAAG,IAAI,CAAA;wBACnB,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,sBAAsB;gBACtB,IAAI,UAAU,EAAE,CAAC;oBACf,gBAAgB,GAAG,gBAAgB,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ;wBAC3D,CAAC,CAAC,gBAAgB,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;oBAChD,mBAAmB,IAAI,iBAAiB,CAAA;gBAC1C,CAAC;gBAED,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,QAAQ,EAAE,gBAAgB;oBAC1B,IAAI,EAAE,mBAAmB;iBAC1B,CAAC,CAAA;gBACF,MAAK,CAAC,uBAAuB;YAC/B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA"}

package/dist/detect/ast-rules/security-headers-ast.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * AST-Based Security Headers Detection
+ *
+ * Migrates structural/security-headers.ts from regex to AST.
+ * Detects missing HTTP security headers in server configurations.
+ *
+ * AST advantages over regex:
+ * - Understands import structure (Express vs Fastify vs custom)
+ * - Can verify helmet middleware is actually registered (not just imported)
+ * - Can check CSP config object structure
+ * - Understands 'use client' directives from AST
+ */
+export {};
+//# sourceMappingURL=security-headers-ast.d.ts.map

package/dist/detect/ast-rules/security-headers-ast.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"security-headers-ast.d.ts","sourceRoot":"","sources":["../../../src/detect/ast-rules/security-headers-ast.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG"}

package/dist/detect/ast-rules/security-headers-ast.js ADDED Viewed

@@ -0,0 +1,187 @@
+"use strict";
+/**
+ * AST-Based Security Headers Detection
+ *
+ * Migrates structural/security-headers.ts from regex to AST.
+ * Detects missing HTTP security headers in server configurations.
+ *
+ * AST advantages over regex:
+ * - Understands import structure (Express vs Fastify vs custom)
+ * - Can verify helmet middleware is actually registered (not just imported)
+ * - Can check CSP config object structure
+ * - Understands 'use client' directives from AST
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const import_analysis_1 = require("./helpers/import-analysis");
+const call_analysis_1 = require("./helpers/call-analysis");
+const context_detection_1 = require("./helpers/context-detection");
+const file_classifier_1 = require("../../parse/file-classifier");
+// ============================================================================
+// Helpers
+// ============================================================================
+function isClientSideFile(root, filePath, content) {
+    if ((0, context_detection_1.getFileDirective)(root) === 'use client')
+        return true;
+    const clientPaths = [/\/components\//i, /\/hooks\//i, /\/pages\/(?!api\/)/i, /\.client\./i];
+    if (!clientPaths.some(p => p.test(filePath)))
+        return false;
+    // Check for server indicators that override (use content pre-check before AST walk)
+    if (/\b(express|http|https)\b/.test(content)) {
+        const modules = (0, import_analysis_1.getImportedModules)(root);
+        if (modules.has('express') || modules.has('http') || modules.has('https'))
+            return false;
+    }
+    if ((0, context_detection_1.getFileDirective)(root) === 'use server')
+        return false;
+    return true;
+}
+function isNextConfig(filePath) {
+    return /next\.config\.(m?js|ts)$/.test(filePath);
+}
+// ============================================================================
+// AST Rule: Express without Helmet
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-security-headers-no-helmet',
+    title: 'Express app without helmet security headers',
+    description: 'Express application does not use helmet middleware, missing critical HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)',
+    severity: 'medium',
+    category: 'missing_security_headers',
+    suggestedFix: 'Install and add helmet middleware: npm install helmet && app.use(helmet())',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.35,
+    layer: 2,
+    source: 'structural',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        // Content pre-check: skip files without express mention
+        if (!/express/i.test(content))
+            return [];
+        const root = ast.tree.rootNode;
+        if (isClientSideFile(root, ast.filePath, content))
+            return [];
+        // Check if file uses Express
+        const hasExpress = (0, import_analysis_1.hasImport)(root, 'express') ||
+            (0, import_analysis_1.hasImport)(root, /^express$/);
+        if (!hasExpress)
+            return [];
+        // Check if file imports helmet
+        const hasHelmet = (0, import_analysis_1.hasImport)(root, 'helmet') ||
+            (0, import_analysis_1.hasImport)(root, '@fastify/helmet');
+        if (hasHelmet)
+            return [];
+        // Find the express() call for reporting
+        const matches = [];
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const fn = node.childForFieldName('function');
+            if (fn?.text === 'express' && node.childForFieldName('arguments')?.namedChildren.length === 0) {
+                matches.push({ node });
+                break;
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Helmet with CSP Disabled
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-security-headers-csp-disabled',
+    title: 'Helmet CSP disabled',
+    description: 'Content Security Policy is explicitly disabled in helmet configuration. CSP is a critical defense against XSS attacks.',
+    severity: 'low',
+    category: 'missing_security_headers',
+    suggestedFix: 'Configure a Content Security Policy instead of disabling it: helmet({ contentSecurityPolicy: { directives: { ... } } })',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.35,
+    layer: 2,
+    source: 'structural',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        // Content pre-check: skip files without helmet mention
+        if (!/helmet/i.test(content))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!(0, import_analysis_1.hasImport)(root, 'helmet') && !(0, import_analysis_1.hasImport)(root, '@fastify/helmet'))
+            return [];
+        const matches = [];
+        // Find helmet() calls and check for contentSecurityPolicy: false
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const fn = node.childForFieldName('function');
+            if (!fn)
+                continue;
+            // helmet({...}) or app.use(helmet({...}))
+            const isHelmetCall = fn.text === 'helmet' ||
+                (fn.type === 'identifier' && fn.text === 'helmet');
+            if (!isHelmetCall)
+                continue;
+            const args = node.childForFieldName('arguments');
+            const configArg = args?.namedChildren[0];
+            if (configArg?.type === 'object') {
+                const cspProp = (0, call_analysis_1.getObjectLiteralProperty)(configArg, 'contentSecurityPolicy');
+                if (cspProp && (cspProp.text === 'false' || cspProp.type === 'false')) {
+                    matches.push({ node: cspProp });
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Next.js Config Missing Headers
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-security-headers-nextjs',
+    title: 'Next.js config missing security headers',
+    description: 'next.config does not export a headers() function. Security headers should be configured in Next.js config or middleware.',
+    severity: 'medium',
+    category: 'missing_security_headers',
+    suggestedFix: 'Add a headers() function to next.config.js that returns security headers array',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'medium',
+    baseConfidence: 0.35,
+    layer: 2,
+    source: 'structural',
+    requiresAIValidation: true,
+    detect(ast, _content, nodeIndex) {
+        if (!isNextConfig(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        // Look for headers property or method in the exported config
+        let hasHeadersConfig = false;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'method_definition', 'pair', 'shorthand_property_identifier')) {
+            // headers() method or headers: async () =>
+            if (node.type === 'method_definition' || node.type === 'pair') {
+                const name = node.type === 'method_definition'
+                    ? node.childForFieldName('name')?.text
+                    : node.childForFieldName('key')?.text;
+                if (name === 'headers') {
+                    hasHeadersConfig = true;
+                    break;
+                }
+            }
+            // Property shorthand
+            if (node.type === 'shorthand_property_identifier') {
+                if (node.text === 'headers') {
+                    hasHeadersConfig = true;
+                    break;
+                }
+            }
+        }
+        if (hasHeadersConfig)
+            return [];
+        // Report on the first line (the config file itself)
+        return [{ node: root.firstChild ?? root }];
+    },
+});
+//# sourceMappingURL=security-headers-ast.js.map

package/dist/detect/ast-rules/security-headers-ast.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-headers-ast.js","sourceRoot":"","sources":["../../../src/detect/ast-rules/security-headers-ast.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAIH,mCAAsF;AACtF,+DAAyE;AACzE,2DAAkF;AAClF,mEAA8D;AAC9D,iEAGoC;AAEpC,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,gBAAgB,CAAC,IAAuB,EAAE,QAAgB,EAAE,OAAe;IAClF,IAAI,IAAA,oCAAgB,EAAC,IAAI,CAAC,KAAK,YAAY;QAAE,OAAO,IAAI,CAAA;IAExD,MAAM,WAAW,GAAG,CAAC,iBAAiB,EAAE,YAAY,EAAE,qBAAqB,EAAE,aAAa,CAAC,CAAA;IAC3F,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAAE,OAAO,KAAK,CAAA;IAE1D,oFAAoF;IACpF,IAAI,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAA,oCAAkB,EAAC,IAAI,CAAC,CAAA;QACxC,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAA;IACzF,CAAC;IACD,IAAI,IAAA,oCAAgB,EAAC,IAAI,CAAC,KAAK,YAAY;QAAE,OAAO,KAAK,CAAA;IAEzD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB;IACpC,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAClD,CAAC;AAID,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,gCAAgC;IACpC,KAAK,EAAE,6CAA6C;IACpD,WAAW,EAAE,iJAAiJ;IAC9J,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,0BAA0B;IACpC,YAAY,EAAE,4EAA4E;IAC1F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,oBAAoB,EAAE,IAAI;IAC1B,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,wDAAwD;QACxD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAExC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,IAAI,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAE5D,6BAA6B;QAC7B,MAAM,UAAU,GAAG,IAAA,2BAAS,EAAC,IAAI,EAAE,SAAS,CAAC;YAC3C,IAAA,2BAAS,EAAC,IAAI,EAAE,WAAW,CAAC,CAAA;QAE9B,IAAI,CAAC,UAAU;YAAE,OAAO,EAAE,CAAA;QAE1B,+BAA+B;QAC/B,MAAM,SAAS,GAAG,IAAA,2BAAS,EAAC,IAAI,EAAE,QAAQ,CAAC;YACzC,IAAA,2BAAS,EAAC,IAAI,EAAE,iBAAiB,CAAC,CAAA;QAEpC,IAAI,SAAS;YAAE,OAAO,EAAE,CAAA;QAExB,wCAAwC;QACxC,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;YAC7C,IAAI,EAAE,EAAE,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,EAAE,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9F,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAA;gBACtB,MAAK;YACP,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,mCAAmC;IACvC,KAAK,EAAE,qBAAqB;IAC5B,WAAW,EAAE,wHAAwH;IACrI,QAAQ,EAAE,KAAK;IACf,QAAQ,EAAE,0BAA0B;IACpC,YAAY,EAAE,yHAAyH;IACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,uDAAuD;QACvD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAEvC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,IAAI,CAAC,IAAA,2BAAS,EAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,IAAA,2BAAS,EAAC,IAAI,EAAE,iBAAiB,CAAC;YAAE,OAAO,EAAE,CAAA;QAEhF,MAAM,OAAO,GAAmB,EAAE,CAAA;QAElC,iEAAiE;QACjE,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;YAC7C,IAAI,CAAC,EAAE;gBAAE,SAAQ;YAEjB,0CAA0C;YAC1C,MAAM,YAAY,GAAG,EAAE,CAAC,IAAI,KAAK,QAAQ;gBACvC,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;YAEpD,IAAI,CAAC,YAAY;gBAAE,SAAQ;YAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAA;YAChD,MAAM,SAAS,GAAG,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC,CAAA;YACxC,IAAI,SAAS,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,IAAA,wCAAwB,EAAC,SAAS,EAAE,uBAAuB,CAAC,CAAA;gBAC5E,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,EAAE,CAAC;oBACtE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;gBACjC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,2CAA2C;AAC3C,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,6BAA6B;IACjC,KAAK,EAAE,yCAAyC;IAChD,WAAW,EAAE,0HAA0H;IACvI,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,0BAA0B;IACpC,YAAY,EAAE,gFAAgF;IAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,QAAQ;IACpB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,oBAAoB,EAAE,IAAI;IAC1B,MAAM,CAAC,GAAc,EAAE,QAAgB,EAAE,SAAqB;QAC5D,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE1C,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,6DAA6D;QAC7D,IAAI,gBAAgB,GAAG,KAAK,CAAA;QAC5B,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,mBAAmB,EAAE,MAAM,EAAE,+BAA+B,CAAC,EAAE,CAAC;YACtG,2CAA2C;YAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,KAAK,mBAAmB;oBAC5C,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI;oBACtC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,IAAI,CAAA;gBACvC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,gBAAgB,GAAG,IAAI,CAAA;oBACvB,MAAK;gBACP,CAAC;YACH,CAAC;YACD,qBAAqB;YACrB,IAAI,IAAI,CAAC,IAAI,KAAK,+BAA+B,EAAE,CAAC;gBAClD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC5B,gBAAgB,GAAG,IAAI,CAAA;oBACvB,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,gBAAgB;YAAE,OAAO,EAAE,CAAA;QAE/B,oDAAoD;QACpD,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC,CAAA;IAC5C,CAAC;CACF,CAAC,CAAA"}

package/dist/detect/ast-rules/sql-injection-ast.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * AST-Based SQL Injection Detection
+ *
+ * Migrates dangerous-functions SQL injection detection to AST.
+ *
+ * AST advantages:
+ * - Detects template literal interpolation in SQL strings from AST nodes
+ * - Distinguishes parameterized queries (.query('?', [val])) from string concat
+ * - Detects ORM method calls (safe) vs raw queries (dangerous)
+ * - Finds schema validation (zod/yup) in enclosing function scope
+ * - Handles Prisma tagged templates (safe parameterization)
+ */
+/** Check if a file is a migration/seed file based on path and content */
+export declare function isMigrationFile(filePath: string, content: string): boolean;
+/** Check if file is a test utility/helper file with DB cleanup operations */
+export declare function isTestUtilityFile(filePath: string, content: string): boolean;
+//# sourceMappingURL=sql-injection-ast.d.ts.map

package/dist/detect/ast-rules/sql-injection-ast.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"sql-injection-ast.d.ts","sourceRoot":"","sources":["../../../src/detect/ast-rules/sql-injection-ast.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAuIH,yEAAyE;AACzE,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAc1E;AAED,6EAA6E;AAC7E,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CA+B5E"}