@oculum/scanner 1.0.14 → 1.0.15

package/dist/utils/comment-analyzer.d.ts

@@ -1,38 +0,0 @@
-/**
- * Comment Analyzer Utility
- * Analyzes comment INTENTION - distinguishing explanatory comments from disabled code
- *
- * This addresses false positives where comments describing auth checks are flagged
- * as "disabled authentication" when they're actually explaining the code that follows.
- *
- * Key insight: A comment before active code is EXPLANATORY, not disabled code.
- * Only flag comments when:
- * 1. The comment is followed by MORE commented code (disabled code block)
- * 2. The comment matches explicit disable patterns (TODO: add auth, FIXME: needs auth)
- */
-export interface CommentAnalysis {
-    /** Type of comment based on context */
-    type: 'explanatory' | 'disabled_code' | 'todo_fixme' | 'unknown';
-    /** Whether this comment represents a security concern */
-    isSecurityRelevant: boolean;
-    /** Optional reason for the classification */
-    reason?: string;
-}
-/**
- * Analyze the INTENTION of a comment at a specific line
- *
- * @param lines - Array of all lines in the file
- * @param commentLineIndex - The 0-indexed line number of the comment to analyze
- * @returns CommentAnalysis with type and security relevance
- */
-export declare function analyzeCommentIntention(lines: string[], commentLineIndex: number): CommentAnalysis;
-/**
- * Check if a comment at a specific line indicates disabled authentication code
- * This is the main function to use for detection
- *
- * @param lines - Array of all lines in the file
- * @param lineIndex - The 0-indexed line number to check
- * @returns true if the comment indicates disabled/missing auth that should be flagged
- */
-export declare function isDisabledAuthComment(lines: string[], lineIndex: number): boolean;
-//# sourceMappingURL=comment-analyzer.d.ts.map

package/dist/utils/comment-analyzer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"comment-analyzer.d.ts","sourceRoot":"","sources":["../../src/utils/comment-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,eAAe;IAC9B,uCAAuC;IACvC,IAAI,EAAE,aAAa,GAAG,eAAe,GAAG,YAAY,GAAG,SAAS,CAAA;IAChE,yDAAyD;IACzD,kBAAkB,EAAE,OAAO,CAAA;IAC3B,6CAA6C;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAoGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,EAAE,EACf,gBAAgB,EAAE,MAAM,GACvB,eAAe,CAsGjB;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAGT"}

package/dist/utils/comment-analyzer.js

@@ -1,218 +0,0 @@
-"use strict";
-/**
- * Comment Analyzer Utility
- * Analyzes comment INTENTION - distinguishing explanatory comments from disabled code
- *
- * This addresses false positives where comments describing auth checks are flagged
- * as "disabled authentication" when they're actually explaining the code that follows.
- *
- * Key insight: A comment before active code is EXPLANATORY, not disabled code.
- * Only flag comments when:
- * 1. The comment is followed by MORE commented code (disabled code block)
- * 2. The comment matches explicit disable patterns (TODO: add auth, FIXME: needs auth)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.analyzeCommentIntention = analyzeCommentIntention;
-exports.isDisabledAuthComment = isDisabledAuthComment;
-/**
- * Patterns that explicitly indicate missing/disabled security
- * These are genuine concerns even in isolation
- */
-const EXPLICIT_DISABLE_PATTERNS = [
-    // Explicit disable statements
-    /\/\/\s*(auth|authentication|authorization)\s+(check\s+)?(disabled|removed|skipped)/i,
-    /\/\/\s*(skip|bypass|disable)\s+(auth|authentication|authorization)/i,
-    /\/\/\s*no\s+auth\s*(required|needed|check)?/i,
-    // TODO/FIXME patterns indicating missing security
-    /\/\/\s*TODO:?\s*(add|implement|enable)\s+(auth|authentication|authorization|security)/i,
-    /\/\/\s*FIXME:?\s*(add|implement|enable|missing)\s+(auth|authentication|authorization)/i,
-    /\/\/\s*HACK:?\s*(no|skip|bypass)\s+(auth|authentication)/i,
-    // Temporary bypass patterns
-    /\/\/\s*(temporarily?|temp)\s+(disabled?|removed?|skipped?)\s+(auth|authentication)/i,
-    /\/\/\s*(for\s+)?test(ing)?\s*(only)?:?\s*(skip|no|disable)\s+auth/i,
-];
-/**
- * Auth-related keywords that might appear in comments
- * Used to detect if a comment is about authentication/authorization
- */
-const AUTH_KEYWORDS = [
-    'auth',
-    'authentication',
-    'authorization',
-    'permission',
-    'verify',
-    'check',
-    'validate',
-    'ensure',
-    'require',
-    'protect',
-    'guard',
-    'secure',
-    'token',
-    'session',
-    'credential',
-];
-/**
- * Patterns indicating active auth implementation in code
- */
-const AUTH_IMPLEMENTATION_PATTERNS = [
-    /\bawait\s+auth\(/i,
-    /\bassert[A-Z]\w*Auth/i,
-    /\bverify[A-Z]\w*/i,
-    /\bcheck[A-Z]\w*Permission/i,
-    /\brequire[A-Z]\w*Auth/i,
-    /\bensure[A-Z]\w*Auth/i,
-    /\bgetServerSession/i,
-    /\bcurrentUser/i,
-    /\bgetCurrentUser/i,
-    /\bvalidate[A-Z]\w*Token/i,
-    /\bisAuthenticated/i,
-    /\bhasPermission/i,
-    /\bhasRole/i,
-    /\.protect\(/i,
-    /\.authorize\(/i,
-];
-/**
- * Check if a line is a comment
- */
-function isCommentLine(line) {
-    const trimmed = line.trim();
-    return (trimmed.startsWith('//') ||
-        trimmed.startsWith('#') ||
-        trimmed.startsWith('*') ||
-        trimmed.startsWith('/*'));
-}
-/**
- * Check if a line is empty or whitespace only
- */
-function isEmptyLine(line) {
-    return line.trim().length === 0;
-}
-/**
- * Check if comment contains auth-related keywords
- */
-function hasAuthKeyword(line) {
-    const lowerLine = line.toLowerCase();
-    return AUTH_KEYWORDS.some(keyword => lowerLine.includes(keyword));
-}
-/**
- * Check if a line contains active auth implementation
- */
-function hasAuthImplementation(line) {
-    return AUTH_IMPLEMENTATION_PATTERNS.some(pattern => pattern.test(line));
-}
-/**
- * Analyze the INTENTION of a comment at a specific line
- *
- * @param lines - Array of all lines in the file
- * @param commentLineIndex - The 0-indexed line number of the comment to analyze
- * @returns CommentAnalysis with type and security relevance
- */
-function analyzeCommentIntention(lines, commentLineIndex) {
-    const commentLine = lines[commentLineIndex];
-    if (!commentLine || !isCommentLine(commentLine)) {
-        return { type: 'unknown', isSecurityRelevant: false };
-    }
-    // PRIORITY 1: Check for explicit disable patterns (always a concern)
-    if (EXPLICIT_DISABLE_PATTERNS.some(pattern => pattern.test(commentLine))) {
-        return {
-            type: 'todo_fixme',
-            isSecurityRelevant: true,
-            reason: 'Comment explicitly indicates disabled or missing security',
-        };
-    }
-    // Check if this comment mentions auth-related keywords
-    if (!hasAuthKeyword(commentLine)) {
-        // Comment doesn't mention auth - not relevant to auth detection
-        return { type: 'unknown', isSecurityRelevant: false };
-    }
-    // PRIORITY 2: Check if next non-empty line is also a comment (disabled code block)
-    let nextLineIndex = commentLineIndex + 1;
-    while (nextLineIndex < lines.length && isEmptyLine(lines[nextLineIndex])) {
-        nextLineIndex++;
-    }
-    if (nextLineIndex < lines.length) {
-        const nextLine = lines[nextLineIndex];
-        // If next line is also a comment, this might be a disabled code block
-        if (isCommentLine(nextLine)) {
-            // Check if the commented-out code looks like auth implementation
-            // e.g., "// await verifyAuth()" or "// if (!session) return"
-            if (hasAuthImplementation(nextLine) || /\/\/\s*(if|await|return|const|let)\s/.test(nextLine)) {
-                return {
-                    type: 'disabled_code',
-                    isSecurityRelevant: true,
-                    reason: 'Comment followed by commented-out code that appears to be auth logic',
-                };
-            }
-            // Multiple consecutive comments without code - could be docs or disabled block
-            // Check deeper
-            let consecutiveComments = 1;
-            let foundCodeComment = false;
-            for (let i = nextLineIndex; i < Math.min(nextLineIndex + 5, lines.length); i++) {
-                if (isEmptyLine(lines[i]))
-                    continue;
-                if (isCommentLine(lines[i])) {
-                    consecutiveComments++;
-                    if (hasAuthImplementation(lines[i]) || /\/\/\s*(if|await|return|const|let)\s/.test(lines[i])) {
-                        foundCodeComment = true;
-                    }
-                }
-                else {
-                    break;
-                }
-            }
-            if (foundCodeComment) {
-                return {
-                    type: 'disabled_code',
-                    isSecurityRelevant: true,
-                    reason: 'Block of commented-out code containing auth logic',
-                };
-            }
-        }
-        // PRIORITY 3: Check if next line is ACTIVE auth implementation
-        // This means the comment is EXPLAINING the auth check, not disabling it
-        if (!isCommentLine(nextLine) && hasAuthImplementation(nextLine)) {
-            return {
-                type: 'explanatory',
-                isSecurityRelevant: false,
-                reason: 'Comment describes the auth check that follows',
-            };
-        }
-        // Check slightly further - the implementation might be 1-2 lines after
-        for (let i = nextLineIndex; i < Math.min(nextLineIndex + 3, lines.length); i++) {
-            const line = lines[i];
-            if (isEmptyLine(line))
-                continue;
-            if (isCommentLine(line))
-                continue;
-            if (hasAuthImplementation(line)) {
-                return {
-                    type: 'explanatory',
-                    isSecurityRelevant: false,
-                    reason: 'Comment describes nearby auth implementation',
-                };
-            }
-            break; // Stop at first non-comment, non-empty line
-        }
-    }
-    // Default: auth-related comment without clear context
-    // Be conservative - don't flag unless we're confident it's disabled code
-    return {
-        type: 'unknown',
-        isSecurityRelevant: false,
-        reason: 'Auth-related comment but no clear indication of disabled code',
-    };
-}
-/**
- * Check if a comment at a specific line indicates disabled authentication code
- * This is the main function to use for detection
- *
- * @param lines - Array of all lines in the file
- * @param lineIndex - The 0-indexed line number to check
- * @returns true if the comment indicates disabled/missing auth that should be flagged
- */
-function isDisabledAuthComment(lines, lineIndex) {
-    const analysis = analyzeCommentIntention(lines, lineIndex);
-    return analysis.isSecurityRelevant && analysis.type !== 'explanatory';
-}
-//# sourceMappingURL=comment-analyzer.js.map

package/dist/utils/comment-analyzer.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"comment-analyzer.js","sourceRoot":"","sources":["../../src/utils/comment-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAoHH,0DAyGC;AAUD,sDAMC;AAlOD;;;GAGG;AACH,MAAM,yBAAyB,GAAG;IAChC,8BAA8B;IAC9B,qFAAqF;IACrF,qEAAqE;IACrE,8CAA8C;IAE9C,kDAAkD;IAClD,wFAAwF;IACxF,wFAAwF;IACxF,2DAA2D;IAE3D,4BAA4B;IAC5B,qFAAqF;IACrF,oEAAoE;CACrE,CAAA;AAED;;;GAGG;AACH,MAAM,aAAa,GAAG;IACpB,MAAM;IACN,gBAAgB;IAChB,eAAe;IACf,YAAY;IACZ,QAAQ;IACR,OAAO;IACP,UAAU;IACV,QAAQ;IACR,SAAS;IACT,SAAS;IACT,OAAO;IACP,QAAQ;IACR,OAAO;IACP,SAAS;IACT,YAAY;CACb,CAAA;AAED;;GAEG;AACH,MAAM,4BAA4B,GAAG;IACnC,mBAAmB;IACnB,uBAAuB;IACvB,mBAAmB;IACnB,4BAA4B;IAC5B,wBAAwB;IACxB,uBAAuB;IACvB,qBAAqB;IACrB,gBAAgB;IAChB,mBAAmB;IACnB,0BAA0B;IAC1B,oBAAoB;IACpB,kBAAkB;IAClB,YAAY;IACZ,cAAc;IACd,gBAAgB;CACjB,CAAA;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAA;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAA;IACpC,OAAO,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;AACnE,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,IAAY;IACzC,OAAO,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;AACzE,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,KAAe,EACf,gBAAwB;IAExB,MAAM,WAAW,GAAG,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAE3C,IAAI,CAAC,WAAW,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,EAAE,CAAC;QAChD,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAA;IACvD,CAAC;IAED,qEAAqE;IACrE,IAAI,yBAAyB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACzE,OAAO;YACL,IAAI,EAAE,YAAY;YAClB,kBAAkB,EAAE,IAAI;YACxB,MAAM,EAAE,2DAA2D;SACpE,CAAA;IACH,CAAC;IAED,uDAAuD;IACvD,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,gEAAgE;QAChE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAA;IACvD,CAAC;IAED,mFAAmF;IACnF,IAAI,aAAa,GAAG,gBAAgB,GAAG,CAAC,CAAA;IACxC,OAAO,aAAa,GAAG,KAAK,CAAC,MAAM,IAAI,WAAW,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QACzE,aAAa,EAAE,CAAA;IACjB,CAAC;IAED,IAAI,aAAa,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,aAAa,CAAC,CAAA;QAErC,sEAAsE;QACtE,IAAI,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,iEAAiE;YACjE,6DAA6D;YAC7D,IAAI,qBAAqB,CAAC,QAAQ,CAAC,IAAI,sCAAsC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7F,OAAO;oBACL,IAAI,EAAE,eAAe;oBACrB,kBAAkB,EAAE,IAAI;oBACxB,MAAM,EAAE,sEAAsE;iBAC/E,CAAA;YACH,CAAC;YAED,+EAA+E;YAC/E,eAAe;YACf,IAAI,mBAAmB,GAAG,CAAC,CAAA;YAC3B,IAAI,gBAAgB,GAAG,KAAK,CAAA;YAC5B,KAAK,IAAI,CAAC,GAAG,aAAa,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC/E,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;oBAAE,SAAQ;gBACnC,IAAI,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC5B,mBAAmB,EAAE,CAAA;oBACrB,IAAI,qBAAqB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,sCAAsC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC7F,gBAAgB,GAAG,IAAI,CAAA;oBACzB,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAK;gBACP,CAAC;YACH,CAAC;YAED,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO;oBACL,IAAI,EAAE,eAAe;oBACrB,kBAAkB,EAAE,IAAI;oBACxB,MAAM,EAAE,mDAAmD;iBAC5D,CAAA;YACH,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,wEAAwE;QACxE,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,qBAAqB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChE,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,kBAAkB,EAAE,KAAK;gBACzB,MAAM,EAAE,+CAA+C;aACxD,CAAA;QACH,CAAC;QAED,uEAAuE;QACvE,KAAK,IAAI,CAAC,GAAG,aAAa,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC/E,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACrB,IAAI,WAAW,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAC/B,IAAI,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEjC,IAAI,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,OAAO;oBACL,IAAI,EAAE,aAAa;oBACnB,kBAAkB,EAAE,KAAK;oBACzB,MAAM,EAAE,8CAA8C;iBACvD,CAAA;YACH,CAAC;YACD,MAAK,CAAC,4CAA4C;QACpD,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,yEAAyE;IACzE,OAAO;QACL,IAAI,EAAE,SAAS;QACf,kBAAkB,EAAE,KAAK;QACzB,MAAM,EAAE,+DAA+D;KACxE,CAAA;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,qBAAqB,CACnC,KAAe,EACf,SAAiB;IAEjB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;IAC1D,OAAO,QAAQ,CAAC,kBAAkB,IAAI,QAAQ,CAAC,IAAI,KAAK,aAAa,CAAA;AACvE,CAAC"}

package/dist/utils/context-helpers.d.ts

@@ -1,219 +0,0 @@
-/**
- * Shared Context Helpers
- * Centralized utility functions for detecting file and code context
- * Used across Layer 1 and Layer 2 scanners to reduce false positives
- */
-/**
- * Check if file is in a tooling/scripts directory
- * Files in these directories are typically build tools, CLI utilities, or dev scripts
- * and should have reduced severity for findings like file path patterns
- */
-export declare function isToolingDirectory(filePath: string): boolean;
-/**
- * Check if file is server-only (not bundled to client)
- * Server-only files can safely use service role keys and other admin secrets
- */
-export declare function isServerOnlyFile(filePath: string): boolean;
-/**
- * Check if file is a test, mock, or fixture file
- * These files often contain fake secrets and should have lower severity
- */
-export declare function isTestOrMockFile(filePath: string): boolean;
-/**
- * Check if file is an example/sample/template file
- * These files should be skipped or have significantly reduced severity
- */
-export declare function isExampleFile(filePath: string): boolean;
-/**
- * Check if file is in an examples/demo directory
- * Stronger check than isExampleFile - specifically for directories
- * These are typically tutorial/demo code, not production patterns
- */
-export declare function isExampleDirectory(filePath: string): boolean;
-/**
- * Check if file is library/framework code (base classes, utilities)
- * Library code is intentionally generic - consumers add security
- * This applies to: langchain, vercel/ai, llamaindex, etc.
- */
-export declare function isLibraryCode(filePath: string): boolean;
-/**
- * Check if file is a fixture file (test data, mock responses)
- * Fixtures contain fake data and should have reduced severity
- */
-export declare function isFixtureFile(filePath: string): boolean;
-/**
- * Check if file is documentation (README, CHANGELOG, etc.)
- * These files should typically be skipped for security scanning
- */
-export declare function isDocumentationFile(filePath: string): boolean;
-/**
- * Check if file is a locale/i18n/translation file
- * These files contain natural language translations, not code, and should be skipped entirely
- * They often contain placeholder URLs (http://localhost) and other patterns that trigger false positives
- */
-export declare function isLocaleFile(filePath: string): boolean;
-/**
- * Check if file is scanner code, fixture, or rule definition
- * Avoid flagging the scanner's own code/test cases
- *
- * Note: Uses (?:^|\/) to match both:
- * - paths with leading segments: packages/scanner/src/...
- * - paths starting with the pattern: scanner/src/...
- */
-export declare function isScannerOrFixtureFile(filePath: string): boolean;
-/**
- * Check if file is likely client-bundled (exposed to browser)
- */
-export declare function isClientBundledFile(filePath: string): boolean;
-/**
- * Check if file is a seed or data generation file
- * These files generate test/demo data and Math.random() usage is acceptable
- * Used to reduce false positives for Math.random() detection
- */
-export declare function isSeedOrDataGenFile(filePath: string): boolean;
-/**
- * Check if file is educational/intentional vulnerability code
- * These files (e.g., OWASP Juice Shop) contain intentional vulnerabilities for training
- * Should be skipped entirely to avoid false positives
- */
-export declare function isEducationalVulnerabilityFile(filePath: string): boolean;
-/**
- * Check if file is a test configuration file
- * These files (jest.config, vitest.config, etc.) are always dev/test contexts
- * Localhost URLs and similar patterns should not be flagged in these files
- */
-export declare function isTestConfigFile(filePath: string): boolean;
-/**
- * Check if file is a Python file
- */
-export declare function isPythonFile(filePath: string): boolean;
-/**
- * Check if a line is inside a Python docstring
- * Python docstrings are delimited by triple quotes (''' or """)
- * Content inside docstrings (like example URLs, connection strings) should be ignored
- *
- * @param lines - Array of all lines in the file
- * @param lineIndex - The 0-indexed line number to check
- * @returns true if the line is inside a docstring
- */
-export declare function isInsidePythonDocstring(lines: string[], lineIndex: number): boolean;
-/**
- * Check if file is in a desktop app context (Electron, Tauri, etc.)
- * Desktop apps legitimately access filesystem and spawn processes,
- * so findings in these contexts should have reduced severity.
- *
- * Used by:
- * - Dynamic file path detection (downgrade to INFO)
- * - child_process detection (downgrade to MEDIUM)
- */
-export declare function isDesktopAppContext(filePath: string): boolean;
-/**
- * Check if file is an MCP (Model Context Protocol) server
- * MCP servers legitimately spawn processes to provide tool capabilities
- */
-export declare function isMcpServerContext(filePath: string): boolean;
-/**
- * Check if file is a file loader/processor
- * File loaders legitimately access filesystem to process files
- */
-export declare function isFileLoaderContext(filePath: string): boolean;
-/**
- * Check if line uses environment variable reference (not hardcoded)
- */
-export declare function isEnvVarReference(line: string): boolean;
-/**
- * Check if line uses NEXT_PUBLIC_ prefix (client-exposed)
- */
-export declare function isNextPublicEnvVar(line: string): boolean;
-/**
- * Check if line is a comment (single-line check)
- */
-export declare function isComment(lineContent: string): boolean;
-/**
- * Check if a line is inside a multi-line comment block
- * Used to properly skip code that's been commented out
- *
- * @param lines - Array of all lines in the file
- * @param lineIndex - The 0-indexed line number to check
- * @returns true if the line is inside a multi-line comment
- */
-export declare function isInsideMultiLineComment(lines: string[], lineIndex: number): boolean;
-/**
- * Check if a line is commented out code (either single-line or multi-line comment)
- * Combines single-line and multi-line comment detection
- *
- * @param lines - Array of all lines in the file
- * @param lineIndex - The 0-indexed line number to check
- * @returns true if the line is commented out
- */
-export declare function isCommentedOutCode(lines: string[], lineIndex: number): boolean;
-/**
- * Check if a line has a linter/security ignore comment
- * These comments indicate the developer has acknowledged and accepted the risk
- *
- * @param lines - Array of all lines in the file
- * @param lineIndex - The 0-indexed line number to check
- * @returns object with hasIgnore flag and the ignore type if found
- */
-export declare function hasLinterIgnoreComment(lines: string[], lineIndex: number): {
-    hasIgnore: boolean;
-    ignoreType?: string;
-};
-/**
- * Check if value/line appears to be a placeholder
- */
-export declare function isPlaceholderValue(value: string, line: string): boolean;
-/**
- * Check if line/path indicates a public endpoint (health, webhook, cron)
- * These don't need authentication
- */
-export declare function isPublicEndpoint(lineContent: string, filePath: string): boolean;
-/**
- * Check if webhook has signature verification nearby
- */
-export declare function hasWebhookSignatureVerification(lines: string[], lineIndex: number, windowSize?: number): boolean;
-/**
- * Check if there's an auth check nearby (bidirectional search)
- */
-export declare function hasAuthCheckNearby(lines: string[], lineIndex: number, windowSize?: number): boolean;
-/**
- * Check if this appears to be a BYOK (user-provided key) context
- * BYOK is a feature, not a vulnerability, unless improperly handled
- */
-export declare function isBYOKContext(lineContent: string, filePath: string): boolean;
-/**
- * Check if key is being stored/handled properly (not exposed)
- */
-export declare function isKeyProperlyHandled(lineContent: string, lines: string[], lineIndex: number): boolean;
-/**
- * Check if this is a service role key usage that's acceptable
- * Server-only + env var = acceptable
- * Client exposure = critical
- */
-export declare function getServiceRoleKeyContext(lineContent: string, filePath: string): 'safe_server' | 'needs_review' | 'client_exposure';
-/**
- * File-specific context for Layer 2 detectors
- * Provides per-file classification for context-aware detection
- */
-export interface FileContext {
-    /** Whether this file is server-only (not bundled to client) */
-    isServerOnly: boolean;
-    /** Whether this file is client-bundled (exposed to browser) */
-    isClientBundled: boolean;
-    /** Whether this file is a test/mock/fixture file */
-    isTestFile: boolean;
-    /** Whether this file is a config file */
-    isConfigFile: boolean;
-    /** Whether this file is in a tooling directory */
-    isToolingDir: boolean;
-}
-/**
- * Check if file is a configuration file
- */
-export declare function isConfigFile(filePath: string): boolean;
-/**
- * Build file-specific context for a single file
- * Used by Layer 2 detectors for context-aware detection
- */
-export declare function buildFileContext(filePath: string): FileContext;
-//# sourceMappingURL=context-helpers.d.ts.map

package/dist/utils/context-helpers.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"context-helpers.d.ts","sourceRoot":"","sources":["../../src/utils/context-helpers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE5D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAoB1D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAoB1D;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAWvD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAY5D;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAkBvD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAcvD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAY7D;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAiCtD;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAahE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAmB7D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAe7D;AAED;;;;GAIG;AACH,wBAAgB,8BAA8B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAWxE;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAyB1D;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEtD;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAoCT;AAMD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAsB7D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAO5D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQ7D;AAMD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAWvD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAWtD;AAED;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAiCT;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAeT;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,GAChB;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,CA+C7C;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAgCvE;AAMD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAiD/E;AAED;;GAEG;AACH,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAE,MAAW,GAAG,OAAO,CA0BpH;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAE,MAAW,GAAG,OAAO,CA0CvG;AAMD;;;GAGG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAiD5E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CA6BrG;AAMD;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,aAAa,GAAG,cAAc,GAAG,iBAAiB,CAuBpD;AAMD;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,+DAA+D;IAC/D,YAAY,EAAE,OAAO,CAAA;IACrB,+DAA+D;IAC/D,eAAe,EAAE,OAAO,CAAA;IACxB,oDAAoD;IACpD,UAAU,EAAE,OAAO,CAAA;IACnB,yCAAyC;IACzC,YAAY,EAAE,OAAO,CAAA;IACrB,kDAAkD;IAClD,YAAY,EAAE,OAAO,CAAA;CACtB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAetD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,CAQ9D"}