@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/ai-code/prompt-hygiene.ts

@@ -1,1314 +0,0 @@
-/**
- * Layer 2: AI Prompt Hygiene Detection
- * Detects prompt injection vulnerabilities and secrets in LLM prompts
- *
- * Covers:
- * - B1: Prompt & template hygiene (LLM01)
- * - B3: Secrets & sensitive data in prompts (LLM06)
- */
-
-import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
-import type { ParsedFile } from '../../shared/parsed-file'
-import {
-  isComment,
-  isTestOrMockFile,
-  isDocumentationFile,
-  isScannerOrFixtureFile,
-} from '../../parse/file-classifier'
-
-const BASE_CONFIDENCE = 0.40
-
-/**
- * Check if a file is in an LLM/AI context based on path and content
- */
-function isLLMContextFile(filePath: string, content: string): boolean {
-  // File path indicators of AI/LLM code
-  const llmPathPatterns = [
-    /\/(ai|llm|chat|openai|anthropic|gpt|claude)\//i,
-    /\/(assistants?|agents?|prompts?)\//i,
-    /(chat|ai|llm|prompt|assistant|agent).*\.(ts|js|tsx|jsx|py)$/i,
-  ]
-
-  if (llmPathPatterns.some(p => p.test(filePath))) {
-    return true
-  }
-
-  // Content patterns suggesting LLM API usage
-  const llmContentPatterns = [
-    /\.create\s*\(\s*\{[^}]*messages\s*:/i,          // OpenAI/Anthropic SDK
-    /from\s+['"](@anthropic-ai|openai|langchain|llama[-_]?index)/i, // Imports
-    /\bsystem\s*:\s*['"`]/i,                         // System message definition
-    /role:\s*['"`](user|assistant|system)['"`]/i,    // Message roles
-    /\b(systemPrompt|userPrompt|assistantPrompt)\b/i, // Prompt variables
-    /messages\s*:\s*\[/i,                            // Messages array
-    /\.chat\.completions?\.create/i,                 // OpenAI chat completion
-    /\.messages\.create/i,                           // Anthropic messages
-    /ChatCompletion|MessageCreate/i,                 // SDK types
-  ]
-
-  return llmContentPatterns.some(p => p.test(content))
-}
-
-/**
- * Check if user input delimiter/fence patterns are present
- */
-function hasPromptDelimiters(lineContent: string, contextLines: string[]): boolean {
-  const context = [lineContent, ...contextLines].join('\n')
-
-  const delimiterPatterns = [
-    /```/,                          // Triple backticks
-    /<user>|<\/user>/i,             // XML-style user tags
-    /<human>|<\/human>/i,           // Human tags
-    /---+/,                         // Horizontal rules
-    /\[USER\]|\[\/USER\]/i,         // Bracket tags
-    /\{\{user\}\}/i,                // Template variable
-    /###\s*User|###\s*Input/i,      // Markdown headers
-    /INPUT:|OUTPUT:/i,              // Section markers
-  ]
-
-  return delimiterPatterns.some(p => p.test(context))
-}
-
-/**
- * Check if content looks like proper parameterization rather than concatenation
- */
-function isProperlyParameterized(lineContent: string): boolean {
-  const safePatterns = [
-    /\{\{.*\}\}/,                    // Handlebars/mustache templates
-    /\{[a-zA-Z_]+\}/,               // Python format strings (positional)
-    /\$\{.*\}.*sanitize|escape/i,   // Template with sanitization
-    /placeholder|PLACEHOLDER/,       // Explicit placeholders
-  ]
-
-  return safePatterns.some(p => p.test(lineContent))
-}
-
-// ============================================================================
-// Pattern Definitions
-// ============================================================================
-
-interface PromptHygienePattern {
-  name: string
-  pattern: RegExp
-  severity: VulnerabilitySeverity
-  description: string
-  suggestedFix: string
-  checkDelimiters?: boolean  // If true, downgrade if delimiters found
-}
-
-/**
- * B1: Unsafe prompt interpolation patterns
- */
-const UNSAFE_INTERPOLATION_PATTERNS: PromptHygienePattern[] = [
-  // Template literals with user input in system prompts
-  {
-    name: 'User input in system prompt',
-    pattern: /system\s*[=:]\s*`[^`]*\$\{.*(?:user|input|req|request|body|query|params|data).*\}[^`]*`/gi,
-    severity: 'high',
-    description: 'User input is directly interpolated into a system prompt. This creates a prompt injection vulnerability where attackers can manipulate the AI\'s behavior.',
-    suggestedFix: 'Use clear delimiters (```, <user>, ---) between system instructions and user content. Consider using structured input rather than string interpolation.',
-    checkDelimiters: true,
-  },
-  // String concatenation in prompt building
-  {
-    name: 'Prompt string concatenation with user input',
-    pattern: /(?:system|prompt|instruction)\s*[=+]\s*.*\+\s*(?:user|input|req|request|body|query|params)(?:\.|Input|\[)/gi,
-    severity: 'high',
-    description: 'User input is concatenated into prompt strings. Attackers can inject malicious instructions.',
-    suggestedFix: 'Use delimiters to clearly separate system instructions from user content. Example: ```user input here```',
-    checkDelimiters: true,
-  },
-  // Messages array with dynamic user content in system role
-  {
-    name: 'Dynamic content in system message',
-    pattern: /role:\s*['"`]system['"`]\s*,\s*content:\s*`[^`]*\$\{/gi,
-    severity: 'medium',
-    description: 'System message content includes dynamic values. If user-controlled, this enables prompt injection.',
-    suggestedFix: 'Keep system messages static. Place user input in messages with role: "user" instead.',
-    checkDelimiters: true,
-  },
-  // f-strings in Python with user input
-  {
-    name: 'Python f-string prompt with user input',
-    pattern: /f['"][^'"]*\{.*(?:user|input|request|body).*\}[^'"]*['"]/gi,
-    severity: 'high',
-    description: 'User input in Python f-string prompt creates prompt injection risk.',
-    suggestedFix: 'Use explicit delimiters: f"System instructions...\n---\n{user_input}\n---"',
-    checkDelimiters: true,
-  },
-]
-
-// ============================================================================
-// Secret Patterns - Comprehensive provider-specific detection
-// ============================================================================
-
-/**
- * Provider-specific secret patterns with known prefixes
- * These are high-confidence patterns that don't need context matching
- */
-const KNOWN_SECRET_PREFIXES = [
-  // OpenAI
-  { name: 'OpenAI API Key', pattern: /sk-[a-zA-Z0-9]{20,}/g, severity: 'critical' as const },
-  { name: 'OpenAI Project Key', pattern: /sk-proj-[a-zA-Z0-9]{48,}/g, severity: 'critical' as const },
-  // Anthropic
-  { name: 'Anthropic API Key', pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g, severity: 'critical' as const },
-  { name: 'Anthropic Full Key', pattern: /sk-ant-api03-[a-zA-Z0-9_-]{90,}/g, severity: 'critical' as const },
-  // GitHub
-  { name: 'GitHub PAT', pattern: /ghp_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
-  { name: 'GitHub OAuth', pattern: /gho_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
-  { name: 'GitHub App Token', pattern: /ghu_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
-  { name: 'GitHub Refresh Token', pattern: /ghr_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
-  { name: 'GitHub Fine-grained PAT', pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/g, severity: 'critical' as const },
-  // Stripe
-  { name: 'Stripe Live Secret', pattern: /sk_live_[a-zA-Z0-9]{24,}/g, severity: 'critical' as const },
-  { name: 'Stripe Test Secret', pattern: /sk_test_[a-zA-Z0-9]{24,}/g, severity: 'medium' as const },
-  { name: 'Stripe Restricted Key', pattern: /rk_live_[a-zA-Z0-9]{24,}/g, severity: 'critical' as const },
-  // AWS
-  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/g, severity: 'critical' as const },
-  { name: 'AWS Session Token', pattern: /ASIA[0-9A-Z]{16}/g, severity: 'critical' as const },
-  // Google
-  { name: 'Google API Key', pattern: /AIza[0-9A-Za-z-_]{35}/g, severity: 'high' as const },
-  // Slack
-  { name: 'Slack Bot Token', pattern: /xoxb-[0-9a-zA-Z-]{50,}/g, severity: 'critical' as const },
-  { name: 'Slack User Token', pattern: /xoxp-[0-9a-zA-Z-]{50,}/g, severity: 'critical' as const },
-  { name: 'Slack App Token', pattern: /xoxa-[0-9a-zA-Z-]{50,}/g, severity: 'critical' as const },
-  { name: 'Slack Legacy Token', pattern: /xox[baprs]-[0-9a-zA-Z]{10,}/g, severity: 'critical' as const },
-  // Twilio
-  { name: 'Twilio API Key', pattern: /SK[a-f0-9]{32}/g, severity: 'critical' as const },
-  { name: 'Twilio Account SID', pattern: /AC[a-f0-9]{32}/g, severity: 'high' as const },
-  // SendGrid
-  { name: 'SendGrid API Key', pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g, severity: 'critical' as const },
-  // Mailgun
-  { name: 'Mailgun API Key', pattern: /key-[a-zA-Z0-9]{32}/g, severity: 'critical' as const },
-  // NPM/PyPI
-  { name: 'NPM Token', pattern: /npm_[a-zA-Z0-9]{36}/g, severity: 'critical' as const },
-  { name: 'PyPI Token', pattern: /pypi-[a-zA-Z0-9]{32,}/g, severity: 'critical' as const },
-  // Vercel/Netlify
-  { name: 'Vercel Token', pattern: /vercel_[a-zA-Z0-9]{24,}/g, severity: 'critical' as const },
-  { name: 'Netlify Token', pattern: /nfp_[a-zA-Z0-9]{40,}/g, severity: 'critical' as const },
-  // Square
-  { name: 'Square Access Token', pattern: /sq0csp-[a-zA-Z0-9-_]{43}/g, severity: 'critical' as const },
-  { name: 'Square OAuth Secret', pattern: /sq0csp-[a-zA-Z0-9-_]{40,}/g, severity: 'critical' as const },
-  // Shopify
-  { name: 'Shopify Access Token', pattern: /shpat_[a-fA-F0-9]{32}/g, severity: 'critical' as const },
-  { name: 'Shopify Private App', pattern: /shppa_[a-fA-F0-9]{32}/g, severity: 'critical' as const },
-  // Datadog
-  { name: 'Datadog API Key', pattern: /dd[a-z]{1}[a-f0-9]{39}/g, severity: 'critical' as const },
-  // HuggingFace
-  { name: 'HuggingFace Token', pattern: /hf_[a-zA-Z0-9]{34,}/g, severity: 'critical' as const },
-  // Replicate
-  { name: 'Replicate API Token', pattern: /r8_[a-zA-Z0-9]{37}/g, severity: 'critical' as const },
-  // OpenRouter
-  { name: 'OpenRouter Key', pattern: /sk-or-v1-[a-zA-Z0-9]{64}/g, severity: 'critical' as const },
-  // Cohere
-  { name: 'Cohere API Key', pattern: /[a-zA-Z0-9]{40}(?=.*cohere)/gi, severity: 'high' as const },
-  // Private Keys
-  { name: 'Private Key', pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g, severity: 'critical' as const },
-  // JWT Tokens (full format)
-  { name: 'JWT Token', pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g, severity: 'high' as const },
-  // Database URLs with credentials
-  { name: 'Database URL', pattern: /(mongodb|postgres|mysql|redis|amqp)(\+srv)?:\/\/[^:]+:[^@\s]+@[^\s"']+/gi, severity: 'critical' as const },
-  // Webhook URLs (often contain secrets)
-  { name: 'Slack Webhook', pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/g, severity: 'high' as const },
-  { name: 'Discord Webhook', pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/g, severity: 'high' as const },
-]
-
-/**
- * B3: Secrets in prompt context patterns (original context-aware patterns)
- * Note: Using [^\n;]* instead of [^;]* to prevent matching across lines
- */
-const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
-  // API keys in message content (same line only)
-  {
-    name: 'API key in prompt content',
-    pattern: /(?:messages|prompt|system|content)\s*[=:][^\n;]*(?:sk-[a-zA-Z0-9]{20,}|api[_-]?key\s*[:=]\s*['"][^'"]{16,}['"])/gi,
-    severity: 'critical',
-    description: 'API key appears to be hardcoded in prompt content. Keys in prompts may be logged, cached, or sent to model providers.',
-    suggestedFix: 'Never include API keys in prompts. Use environment variables and keep them server-side only.',
-  },
-  // AWS keys in prompts
-  {
-    name: 'AWS credentials in prompt',
-    pattern: /(?:messages|prompt|system|content)\s*[=:][^\n;]*(?:AKIA[A-Z0-9]{16}|aws[_-]?(?:secret|access)[_-]?key)/gi,
-    severity: 'critical',
-    description: 'AWS credentials detected in prompt content.',
-    suggestedFix: 'Remove credentials from prompts. Use IAM roles or environment variables instead.',
-  },
-  // Database URLs with credentials
-  {
-    name: 'Database credentials in prompt',
-    pattern: /(?:messages|prompt|system|content)[^\n]*(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@/gi,
-    severity: 'critical',
-    description: 'Database connection string with credentials in prompt. This exposes database access.',
-    suggestedFix: 'Never include connection strings in prompts. Reference data by ID instead.',
-  },
-  // Passwords in prompt context
-  {
-    name: 'Password in prompt content',
-    pattern: /(?:messages|prompt|content)\s*[=:][^\n]*(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`]{8,}/gi,
-    severity: 'high',
-    description: 'Password appears in prompt content. This may be logged or exposed to model providers.',
-    suggestedFix: 'Remove passwords from prompts. Use authentication tokens or session references instead.',
-  },
-  // Private keys
-  {
-    name: 'Private key in prompt',
-    pattern: /(?:messages|prompt|content)[^\n]*(?:-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----)/gi,
-    severity: 'critical',
-    description: 'Private key material detected in prompt context.',
-    suggestedFix: 'Never include private keys in prompts. Sign data server-side instead.',
-  },
-  // Generic token patterns
-  {
-    name: 'Access token in prompt',
-    pattern: /(?:messages|prompt|content)\s*[=:][^\n]*(?:access[_-]?token|auth[_-]?token|bearer)\s*[:=]\s*['"`][a-zA-Z0-9_.-]{20,}/gi,
-    severity: 'high',
-    description: 'Access token detected in prompt content. Tokens in prompts risk exposure.',
-    suggestedFix: 'Do not include tokens in prompts. Pass token context through secure server-side channels.',
-  },
-]
-
-// ============================================================================
-// Variable Flow Detection - Secrets flowing into prompts
-// ============================================================================
-
-/**
- * Patterns for detecting secret variable declarations
- */
-const SECRET_VARIABLE_PATTERNS = [
-  // Direct assignment patterns
-  /(?:const|let|var)\s+(\w*(?:key|token|secret|password|credential|apiKey|authToken|accessToken)\w*)\s*=\s*['"`]([^'"`]{16,})['"`]/gi,
-  // Object property patterns
-  /(\w*(?:key|token|secret|password|credential|apiKey|authToken|accessToken)\w*)\s*:\s*['"`]([^'"`]{16,})['"`]/gi,
-]
-
-/**
- * Patterns for detecting prompt variable usage
- */
-const PROMPT_USAGE_PATTERNS = [
-  // Template literal interpolation
-  /`[^`]*\$\{(\w+)\}[^`]*`/g,
-  // String concatenation
-  /\+\s*(\w+)\s*(?:\+|$)/g,
-  // f-string interpolation (Python)
-  /f['"][^'"]*\{(\w+)\}[^'"]*['"]/g,
-  // Format string
-  /\.format\s*\([^)]*(\w+)[^)]*\)/g,
-]
-
-/**
- * Check if a variable name suggests it contains a secret
- */
-function isSecretVariableName(varName: string): boolean {
-  const secretIndicators = [
-    /api[_-]?key/i,
-    /secret[_-]?key/i,
-    /access[_-]?token/i,
-    /auth[_-]?token/i,
-    /password/i,
-    /credential/i,
-    /private[_-]?key/i,
-    /bearer/i,
-    /jwt/i,
-    /oauth/i,
-    /^sk_/i,
-    /^pk_/i,
-    /token$/i,
-    /key$/i,
-    /secret$/i,
-  ]
-  return secretIndicators.some(p => p.test(varName))
-}
-
-/**
- * Detect secrets flowing from variables into prompts (variable indirection)
- */
-function detectSecretVariableFlow(
-  content: string,
-  filePath: string,
-  isTestFile: boolean,
-  lines?: string[]
-): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-  const _lines = lines ?? content.split('\n')
-
-  // First pass: collect all secret variable declarations
-  const secretVariables = new Map<string, { line: number; value: string }>()
-
-  for (let i = 0; i < _lines.length; i++) {
-    const line = _lines[i]
-    if (isComment(line)) continue
-
-    for (const pattern of SECRET_VARIABLE_PATTERNS) {
-      const regex = new RegExp(pattern.source, pattern.flags)
-      let match
-      while ((match = regex.exec(line)) !== null) {
-        const varName = match[1]
-        const value = match[2]
-
-        // Check if variable name suggests it's a secret
-        if (isSecretVariableName(varName)) {
-          secretVariables.set(varName, { line: i + 1, value })
-        }
-      }
-    }
-  }
-
-  // Second pass: find where these variables flow into prompts
-  const promptContextPatterns = [
-    /(?:system|prompt|message|content)\s*[:=]/i,
-    /role:\s*['"`](?:system|user|assistant)['"`]/i,
-    /\.chat\.completions?\.create/i,
-    /\.messages\.create/i,
-    /messages\s*:\s*\[/i,
-  ]
-
-  for (let i = 0; i < _lines.length; i++) {
-    const line = _lines[i]
-    if (isComment(line)) continue
-
-    // Check if this line or nearby lines are in prompt context
-    const contextWindow = _lines.slice(Math.max(0, i - 5), Math.min(_lines.length, i + 5)).join('\n')
-    const isPromptContext = promptContextPatterns.some(p => p.test(contextWindow))
-
-    if (!isPromptContext) continue
-
-    // Check for template interpolation of secret variables
-    const templateMatch = line.match(/\$\{(\w+)\}/)
-    if (templateMatch) {
-      const varName = templateMatch[1]
-      if (secretVariables.has(varName)) {
-        const secretInfo = secretVariables.get(varName)!
-        let severity: VulnerabilitySeverity = 'high'
-        let description = `Secret variable '${varName}' (defined at line ${secretInfo.line}) is interpolated into LLM prompt. This exposes the secret to the model provider.`
-
-        if (isTestFile) {
-          severity = 'low'
-          description += ' (in test file)'
-        }
-
-        vulnerabilities.push({
-          id: `secret-flow-${filePath}-${i + 1}-${varName}`,
-          filePath,
-          lineNumber: i + 1,
-          lineContent: line.trim(),
-          severity,
-          category: 'hardcoded_secret',
-          title: `Secret variable '${varName}' in prompt`,
-          description,
-          suggestedFix: `Remove the secret from the prompt. If the AI needs to use an API, make the call server-side instead of passing credentials to the model.`,
-          confidence: 'medium',
-          layer: 2,
-        source: 'ai_code' as const,
-          requiresAIValidation: true,
-          baseConfidence: BASE_CONFIDENCE,
-        })
-      }
-    }
-
-    // Check for string concatenation with secret variables
-    for (const [varName] of secretVariables) {
-      if (line.includes(`+ ${varName}`) || line.includes(`${varName} +`) || line.includes(`+ ${varName} +`)) {
-        const secretInfo = secretVariables.get(varName)!
-        let severity: VulnerabilitySeverity = 'high'
-        let description = `Secret variable '${varName}' (defined at line ${secretInfo.line}) is concatenated into prompt. This exposes the secret to the model provider.`
-
-        if (isTestFile) {
-          severity = 'low'
-          description += ' (in test file)'
-        }
-
-        vulnerabilities.push({
-          id: `secret-concat-${filePath}-${i + 1}-${varName}`,
-          filePath,
-          lineNumber: i + 1,
-          lineContent: line.trim(),
-          severity,
-          category: 'hardcoded_secret',
-          title: `Secret variable '${varName}' concatenated in prompt`,
-          description,
-          suggestedFix: `Remove the secret from the prompt. If the AI needs to use an API, make the call server-side.`,
-          confidence: 'medium',
-          layer: 2,
-        source: 'ai_code' as const,
-          requiresAIValidation: true,
-          baseConfidence: BASE_CONFIDENCE,
-        })
-      }
-    }
-  }
-
-  return vulnerabilities
-}
-
-// ============================================================================
-// Phase 2: Indirect Prompt Injection Detection
-// ============================================================================
-
-/**
- * Check if content filtering/sanitization is present for external content
- */
-function hasContentFiltering(content: string, lineNumber: number, lines?: string[]): boolean {
-  const _lines = lines ?? content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 20)
-  const contextEnd = Math.min(_lines.length, lineNumber + 10)
-  const context = _lines.slice(contextStart, contextEnd).join('\n')
-
-  const filteringPatterns = [
-    /filterContent|sanitizeContent|cleanContent/i,
-    /sanitizeContext|filterContext/i,
-    /contentModeration|moderateContent/i,
-    /stripInstructions|removeInstructions/i,
-    /escapePrompt|sanitizePrompt/i,
-    /validateInput|inputValidation/i,
-  ]
-
-  return filteringPatterns.some(p => p.test(context))
-}
-
-/**
- * Check if proper delimiters are used for external content
- */
-function hasExternalContentDelimiters(content: string, lineNumber: number, lines?: string[]): boolean {
-  const _lines = lines ?? content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(_lines.length, lineNumber + 15)
-  const context = _lines.slice(contextStart, contextEnd).join('\n')
-
-  const delimiterPatterns = [
-    /<context>|<\/context>/i,
-    /<document>|<\/document>/i,
-    /<retrieved>|<\/retrieved>/i,
-    /<external>|<\/external>/i,
-    /```[^`]*context|context[^`]*```/i,
-    /---\s*(?:context|document|retrieved)/i,
-    /\[CONTEXT\]|\[\/CONTEXT\]/i,
-    /\[DOCUMENT\]|\[\/DOCUMENT\]/i,
-  ]
-
-  return delimiterPatterns.some(p => p.test(context))
-}
-
-/**
- * Indirect prompt injection patterns - external content flowing to LLM context
- */
-const INDIRECT_INJECTION_PATTERNS: PromptHygienePattern[] = [
-  // ========== External Fetch to Prompt ==========
-  {
-    name: 'Fetched content in prompt',
-    // Pattern looks for: fetch() -> then/await -> result flows into messages/content
-    // Use word boundary \b to avoid matching function names like "validatedFetch"
-    // The pattern looks for: actual fetch call -> await/then -> use in LLM messages
-    pattern: /\bfetch\s*\(\s*[^)]+\)[\s\S]{0,80}(?:\.then|\.json)[\s\S]{0,150}(?:role:\s*['"`](?:system|user)['"`]|messages\s*:\s*\[)/gi,
-    severity: 'high',
-    description: 'Content fetched from external URL flows into LLM prompt. Malicious websites can embed instructions that hijack the model\'s behavior (indirect prompt injection).',
-    suggestedFix: 'Wrap external content with clear delimiters: <external_content>...</external_content>. Implement content filtering to strip instruction-like patterns.',
-    checkDelimiters: true,
-  },
-  {
-    name: 'HTTP response in system prompt',
-    pattern: /(?:axios|fetch|got|request)[\s\S]{0,150}(?:system|systemPrompt|instructions)\s*[:=+]/gi,
-    severity: 'high',
-    description: 'HTTP response content used in system prompt. External data in system prompts is especially dangerous as it can override model instructions.',
-    suggestedFix: 'Never put external content in system prompts. Use user messages with clear delimiters for context. Implement content sanitization.',
-    checkDelimiters: true,
-  },
-
-  // ========== RAG Vector Store to Prompt ==========
-  {
-    name: 'Vector store results in system message',
-    pattern: /(?:vectorStore|similaritySearch|query|search|retrieve)[\s\S]{0,200}role:\s*['"`]system['"`]/gi,
-    severity: 'high',
-    description: 'Vector store search results injected into system message. Poisoned documents in the corpus can hijack model behavior.',
-    suggestedFix: 'Place retrieved content in user messages, not system. Use delimiters: <retrieved_context>...</retrieved_context>. Implement document sanitization before indexing.',
-    checkDelimiters: true,
-  },
-  {
-    name: 'RAG retrieval directly in context',
-    pattern: /(?:retriever\.invoke|retrieve|getRelevantDocuments)\s*\([^)]*\)[\s\S]{0,150}(?:context|prompt|messages)/gi,
-    severity: 'high',
-    description: 'Retrieved documents flow directly into LLM context. Adversarial documents can contain prompt injection payloads.',
-    suggestedFix: 'Sanitize retrieved content before including in prompt. Use XML tags to clearly separate context from instructions.',
-    checkDelimiters: true,
-  },
-
-  // ========== Document Loading to LLM ==========
-  {
-    name: 'Loaded documents in LLM chain',
-    pattern: /(?:loadDocuments|DirectoryLoader|TextLoader|PDFLoader)[\s\S]{0,200}(?:chain|llm|invoke|call)/gi,
-    severity: 'high',
-    description: 'Documents loaded from files flow into LLM chain. Malicious files (PDFs, docs) can contain hidden prompt injection text.',
-    suggestedFix: 'Scan loaded documents for instruction-like patterns. Use separate document processing pipeline with content filtering.',
-    checkDelimiters: true,
-  },
-  {
-    name: 'Document content interpolated',
-    pattern: /\$\{.*(?:document|doc|file|page)(?:Content|Text|Data).*\}[\s\S]{0,50}(?:prompt|messages|llm)/gi,
-    severity: 'medium',
-    description: 'Document content interpolated into LLM prompt. Documents may contain adversarial instructions.',
-    suggestedFix: 'Wrap document content with delimiters: ```document\\n${content}\\n```. Implement text sanitization.',
-    checkDelimiters: true,
-  },
-
-  // ========== Web Scraping to Prompt ==========
-  {
-    name: 'Scraped content in prompt',
-    pattern: /(?:scrape|crawl|spider|puppeteer|playwright|cheerio)[\s\S]{0,200}(?:prompt|messages|context|content\s*:)/gi,
-    severity: 'high',
-    description: 'Web-scraped content flows into LLM prompt. Malicious websites can embed instructions in their HTML content.',
-    suggestedFix: 'Sanitize scraped content to remove instruction-like patterns. Use delimiters: <scraped_content url="...">...</scraped_content>',
-    checkDelimiters: true,
-  },
-  {
-    name: 'HTML content in LLM context',
-    // Pattern: Reading HTML (.innerHTML) and then using it in prompt/messages
-    // NOT: Writing LLM output TO innerHTML (that's output handling, different category)
-    // Look for: getting innerHTML value -> flowing to prompt context
-    pattern: /(?:\.innerHTML\s*[;,]|\.html\s*\(\s*\))[\s\S]{0,150}(?:role:\s*['"`](?:system|user)['"`]|messages\s*:\s*\[)/gi,
-    severity: 'medium',
-    description: 'HTML content from web pages used in LLM context. Web pages can contain hidden prompt injection in metadata, comments, or invisible text.',
-    suggestedFix: 'Extract only relevant text content. Filter out scripts, comments, and metadata. Use content sanitization.',
-    checkDelimiters: true,
-  },
-
-  // ========== Email/Message Content to Prompt ==========
-  {
-    name: 'Email content in prompt',
-    pattern: /(?:email|message|inbox)(?:Content|Body|Text)[\s\S]{0,150}(?:prompt|messages|llm|analyze)/gi,
-    severity: 'medium',
-    description: 'Email or message content flows into LLM prompt. Attackers can craft emails with embedded prompt injection.',
-    suggestedFix: 'Sanitize email content before LLM processing. Remove potentially malicious patterns. Use clear delimiters.',
-    checkDelimiters: true,
-  },
-
-  // ========== Database Content to Prompt ==========
-  {
-    name: 'Database record in system prompt',
-    pattern: /(?:findOne|findById|query|select)[\s\S]{0,150}(?:system|systemPrompt|instructions)\s*[:=]/gi,
-    severity: 'medium',
-    description: 'Database content used in system prompt. If users can modify database records, they can inject malicious instructions.',
-    suggestedFix: 'Keep system prompts static. Place database content in user messages with delimiters. Validate data before use.',
-    checkDelimiters: true,
-  },
-
-  // ========== Generic External Data Patterns ==========
-  {
-    name: 'External data concatenation',
-    pattern: /(?:externalData|fetchedContent|scrapedData|retrievedText)\s*\+[\s\S]{0,50}(?:prompt|system|instructions)/gi,
-    severity: 'medium',
-    description: 'External data concatenated with prompt content without clear separation.',
-    suggestedFix: 'Use structured prompts with XML/markdown delimiters to separate instructions from external content.',
-    checkDelimiters: true,
-  },
-]
-
-/**
- * Missing boundary patterns - prompts without clear user/system separation
- */
-const MISSING_BOUNDARY_PATTERNS: PromptHygienePattern[] = [
-  // Direct concatenation without any markers
-  {
-    name: 'Missing prompt boundaries',
-    pattern: /(?:content|prompt)\s*[:=]\s*(?:systemInstructions?|instructions?)\s*\+\s*(?:userMessage|userInput|input)/gi,
-    severity: 'medium',
-    description: 'Prompt concatenates system instructions with user input without clear boundaries.',
-    suggestedFix: 'Add delimiters between instructions and user content: "Instructions...\n---\n" + userInput + "\n---"',
-  },
-  // Template literals building prompts without delimiters
-  {
-    name: 'Unbounded template prompt',
-    pattern: /`(?:You are|As an|Your task)[^`]{20,}\$\{(?!.*(?:```|<user|---|\[USER))/gi,
-    severity: 'medium',
-    description: 'Prompt template interpolates values without clear delimiter boundaries.',
-    suggestedFix: 'Wrap interpolated user content with delimiters: ```${userInput}```',
-  },
-  // M5: RAG-specific prompt injection patterns
-  {
-    name: 'Retrieved context in system prompt',
-    pattern: /role:\s*['"`]system['"`]\s*,\s*content:\s*`[^`]*\$\{.*(?:context|chunks|documents|retrieved|sources)/gi,
-    severity: 'high',
-    description: 'Retrieved documents injected into system prompt. Poisoned documents could hijack model behavior.',
-    suggestedFix: 'Place retrieved context in user messages with clear delimiters. Use structured prompts separating instructions from data.',
-    checkDelimiters: true,
-  },
-  {
-    name: 'Mixed user input and retrieved context',
-    pattern: /\$\{.*(?:userInput|query|question).*\}[^`]*\$\{.*(?:context|chunks|documents).*\}|\$\{.*(?:context|chunks|documents).*\}[^`]*\$\{.*(?:userInput|query|question).*\}/gi,
-    severity: 'medium',
-    description: 'User input and retrieved context concatenated without clear separation. Both could contain injection attempts.',
-    suggestedFix: 'Clearly separate user input from retrieved context using XML tags or delimiters: <user_query>...</user_query><context>...</context>',
-    checkDelimiters: true,
-  },
-  {
-    name: 'RAG context directly interpolated',
-    pattern: /(?:system|prompt)\s*[:=].*(?:retrievedContext|ragContext|documentContext|knowledgeBase)\s*(?:\+|,)/gi,
-    severity: 'medium',
-    description: 'RAG context directly concatenated into prompt. Could enable data poisoning attacks.',
-    suggestedFix: 'Use structured prompt format with clear boundaries between instructions, context, and user input.',
-    checkDelimiters: true,
-  },
-]
-
-// ============================================================================
-// Sprint 6: Model-Specific Injection Syntax Detection
-// ============================================================================
-
-/**
- * Model-specific injection markers that could manipulate prompt structure
- * These patterns detect when user input might contain control tokens
- */
-const MODEL_SPECIFIC_INJECTION_PATTERNS: PromptHygienePattern[] = [
-  // Claude/ChatML XML-style markers
-  {
-    name: 'Claude/ChatML injection markers in user input',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*<\|?(?:system|human|assistant|user)\|?>/gi,
-    severity: 'high',
-    description: 'User input may contain system/role markers that could manipulate prompt structure. Attackers can inject fake system or assistant messages.',
-    suggestedFix: 'Strip or escape control tokens from user input: input.replace(/<\\|?(?:system|human|assistant|user)\\|?>/gi, "")',
-  },
-  // OpenAI ChatML markers
-  {
-    name: 'OpenAI ChatML control tokens',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*<\|im_(?:start|end)\|>/gi,
-    severity: 'high',
-    description: 'User input contains OpenAI ChatML control tokens (<|im_start|>, <|im_end|>) that could break message boundaries.',
-    suggestedFix: 'Filter ChatML tokens from user input before processing: input.replace(/<\\|im_(?:start|end)\\|>/gi, "")',
-  },
-  // Anthropic Human/Assistant turn markers
-  {
-    name: 'Anthropic turn markers in user input',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*\\n\\n(?:Human|Assistant):\s*/gi,
-    severity: 'medium',
-    description: 'User input contains Anthropic turn markers (Human:, Assistant:) that could inject fake assistant responses.',
-    suggestedFix: 'Sanitize turn markers from user input: input.replace(/\\n\\n(Human|Assistant):\\s*/gi, "")',
-  },
-  // Generic role injection attempts
-  {
-    name: 'Role injection in user input',
-    pattern: /`[^`]*\$\{[^}]*(?:user|input|query)[^}]*\}[^`]*(?:system|assistant|Human:|Assistant:|<\|)/gi,
-    severity: 'high',
-    description: 'User input is interpolated near role markers without proper boundaries. Could enable role impersonation.',
-    suggestedFix: 'Use strict message formatting and strip role-like patterns from user input.',
-    checkDelimiters: true,
-  },
-  // Instruction override attempts in templates
-  {
-    name: 'Instruction override pattern',
-    pattern: /`[^`]*\$\{[^}]*\}[^`]*(?:ignore\s+(?:all\s+)?previous|disregard\s+(?:your\s+)?(?:rules|instructions)|you\s+are\s+now)/gi,
-    severity: 'medium',
-    description: 'Template allows interpolation near common jailbreak phrases. User could inject instruction override attempts.',
-    suggestedFix: 'Filter jailbreak patterns from user input before interpolation.',
-    checkDelimiters: true,
-  },
-]
-
-// ============================================================================
-// Sprint 6: Encoding-Based Escape Detection
-// ============================================================================
-
-/**
- * Patterns for detecting encoding-based prompt injection bypasses
- */
-const ENCODING_ESCAPE_PATTERNS: PromptHygienePattern[] = [
-  // Base64 decoded content flowing to prompts
-  {
-    name: 'Base64 decoded content in prompt',
-    pattern: /(?:atob|Buffer\.from|base64\.decode|b64decode)\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message|content)/gi,
-    severity: 'medium',
-    description: 'Decoded base64 content concatenated with prompts. Attackers can hide malicious instructions in base64 encoding to bypass filters.',
-    suggestedFix: 'Validate and sanitize decoded content before including in prompts. Apply same security checks to decoded content.',
-  },
-  // URL decoded content in prompts
-  {
-    name: 'URL decoded content in prompt',
-    pattern: /(?:unescape|decodeURIComponent|decodeURI|urllib\.parse\.unquote)\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message|content)/gi,
-    severity: 'medium',
-    description: 'URL decoded content flows into prompt. Encoded payloads can bypass input sanitization.',
-    suggestedFix: 'Sanitize content after decoding. Apply prompt injection filters to the decoded output.',
-  },
-  // HTML entity decoded content
-  {
-    name: 'HTML decoded content in prompt',
-    pattern: /(?:htmlDecode|decodeHTMLEntities|he\.decode|html\.unescape)\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message|content)/gi,
-    severity: 'medium',
-    description: 'HTML decoded content flows into prompt. HTML entities can hide malicious instructions.',
-    suggestedFix: 'Apply prompt injection filters after HTML decoding.',
-  },
-  // JSON parsed content directly in prompt (could contain encoded payloads)
-  {
-    name: 'Unvalidated JSON in prompt',
-    pattern: /JSON\.parse\s*\([^)]*(?:userInput|body|request|external)[^)]*\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message)/gi,
-    severity: 'medium',
-    description: 'Parsed JSON content directly used in prompt. JSON values could contain encoded injection payloads.',
-    suggestedFix: 'Validate JSON schema and sanitize string values before including in prompts.',
-    checkDelimiters: true,
-  },
-  // Unicode escape sequences that could hide instructions
-  {
-    name: 'Unicode content in prompt',
-    pattern: /(?:String\.fromCharCode|String\.fromCodePoint|chr\(|unichr\()\s*\([^)]+\)[^;]*(?:\+|,)[^;]*(?:prompt|system|message)/gi,
-    severity: 'low',
-    description: 'Unicode character construction flows into prompt. Could be used to hide malicious characters.',
-    suggestedFix: 'Normalize and validate Unicode content before including in prompts.',
-  },
-]
-
-// ============================================================================
-// Sprint 6: Jailbreak Pattern Detection
-// ============================================================================
-
-/**
- * Common jailbreak preamble patterns that indicate injection attempts
- * These detect when user input flow might contain jailbreak phrases
- */
-const JAILBREAK_INDICATOR_PATTERNS: PromptHygienePattern[] = [
-  // Instruction override phrases flowing to LLM
-  {
-    name: 'Instruction override phrases in input flow',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:ignore\s+(?:all\s+)?previous\s+(?:instructions|prompts)|disregard\s+(?:your\s+)?(?:rules|guidelines|instructions))/gi,
-    severity: 'high',
-    description: 'User input variable contains instruction override phrases. Classic jailbreak attempt detected.',
-    suggestedFix: 'Implement jailbreak detection filter. Block or sanitize inputs containing instruction override patterns.',
-  },
-  // Role-playing jailbreak attempts
-  {
-    name: 'Role-playing jailbreak in input',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:you\s+are\s+now\s+(?:a|an)\s+\w+|pretend\s+(?:you|to\s+be)\s+(?:are\s+)?(?:a|an|not)|act\s+as\s+(?:if|though)\s+you)/gi,
-    severity: 'medium',
-    description: 'User input contains role-playing jailbreak patterns. Attempts to make model assume a different persona.',
-    suggestedFix: 'Filter role-manipulation phrases from user input. Implement persona consistency checks.',
-  },
-  // "From now on" style instruction changes
-  {
-    name: 'Instruction change phrases',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:from\s+now\s+on\s+(?:you\s+will|ignore)|for\s+the\s+rest\s+of\s+this\s+(?:conversation|session))/gi,
-    severity: 'medium',
-    description: 'User input contains temporal instruction override attempts. Tries to change model behavior for the session.',
-    suggestedFix: 'Sanitize phrases that attempt to change ongoing behavior.',
-  },
-  // Developer mode / DAN style jailbreaks
-  {
-    name: 'Developer mode jailbreak patterns',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:developer\s+mode|DAN|Do\s+Anything\s+Now|jailbreak|no\s+restrictions)/gi,
-    severity: 'high',
-    description: 'User input contains known jailbreak terminology (DAN, developer mode). High-confidence malicious input.',
-    suggestedFix: 'Block inputs containing known jailbreak terminology. Log for security review.',
-  },
-  // Hypothetical scenario framing
-  {
-    name: 'Hypothetical framing jailbreak',
-    pattern: /(?:userInput|userMessage|input|message|query)\s*[=:][^\n]*(?:hypothetically|in\s+a\s+(?:fictional|imaginary)\s+(?:world|scenario)|what\s+if\s+you\s+(?:could|had\s+no))/gi,
-    severity: 'low',
-    description: 'User input uses hypothetical framing often used in jailbreak attempts. May be legitimate creative use.',
-    suggestedFix: 'Apply additional scrutiny to hypothetically-framed requests. Consider context before blocking.',
-  },
-]
-
-/**
- * Check if input sanitization is present for jailbreak patterns
- */
-function hasJailbreakFiltering(content: string, lineNumber: number, lines?: string[]): boolean {
-  const _lines = lines ?? content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 20)
-  const contextEnd = Math.min(_lines.length, lineNumber + 10)
-  const context = _lines.slice(contextStart, contextEnd).join('\n')
-
-  const filteringPatterns = [
-    /filterJailbreak|detectJailbreak|jailbreakFilter/i,
-    /sanitizePrompt|filterPrompt|cleanPrompt/i,
-    /blockInjection|preventInjection/i,
-    /moderationApi|contentModeration/i,
-    /instructionFilter|roleFilter/i,
-    /guardRails|guardrail/i,
-    /promptGuard|inputGuard/i,
-  ]
-
-  return filteringPatterns.some(p => p.test(context))
-}
-
-/**
- * Check if encoding sanitization is present
- */
-function hasEncodingSanitization(content: string, lineNumber: number, lines?: string[]): boolean {
-  const _lines = lines ?? content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(_lines.length, lineNumber + 5)
-  const context = _lines.slice(contextStart, contextEnd).join('\n')
-
-  const sanitizationPatterns = [
-    /validateDecoded|sanitizeDecoded/i,
-    /afterDecode.*sanitize|decode.*then.*filter/i,
-    /normalizeInput|sanitizeInput/i,
-    /schema\.parse|validate.*schema/i,
-    /stripControlChars|removeControlTokens/i,
-  ]
-
-  return sanitizationPatterns.some(p => p.test(context))
-}
-
-// ============================================================================
-// Detection Functions
-// ============================================================================
-
-/**
- * Get surrounding context lines for analysis
- */
-function getSurroundingContext(content: string, lineIndex: number, windowSize: number = 10, lines?: string[]): string[] {
-  const _lines = lines ?? content.split('\n')
-  const start = Math.max(0, lineIndex - windowSize)
-  const end = Math.min(_lines.length, lineIndex + windowSize)
-  return _lines.slice(start, end)
-}
-
-/**
- * Main detection function for AI prompt hygiene issues
- */
-export function detectAIPromptHygiene(
-  content: string,
-  filePath: string,
-  options?: { parsed?: ParsedFile }
-): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-
-  // Skip non-applicable files
-  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
-  if (isDocumentationFile(filePath)) return vulnerabilities
-
-  // Only scan files that appear to be in LLM context
-  if (!isLLMContextFile(filePath, content)) {
-    return vulnerabilities
-  }
-
-  const lines = options?.parsed?.lines ?? content.split('\n')
-  const isTestFile = isTestOrMockFile(filePath)
-
-  // Scan for unsafe interpolation patterns (B1)
-  for (const pattern of UNSAFE_INTERPOLATION_PATTERNS) {
-    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      // Skip if properly parameterized
-      if (isProperlyParameterized(lineContent)) continue
-
-      // Check for delimiters if applicable
-      let severity = pattern.severity
-      let description = pattern.description
-      const contextLines = getSurroundingContext(content, lineNumber - 1, 15, lines)
-
-      if (pattern.checkDelimiters && hasPromptDelimiters(lineContent, contextLines)) {
-        // Delimiters present - downgrade severity
-        severity = 'info'
-        description += ' (Note: Delimiters detected in context, which mitigates this risk.)'
-      }
-
-      // Downgrade test files
-      if (isTestFile) {
-        severity = 'info'
-        description += ' (in test file)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-prompt-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'ai_prompt_injection',
-        title: pattern.name,
-        description,
-        suggestedFix: pattern.suggestedFix,
-        confidence: severity === 'info' ? 'low' : 'medium',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: severity !== 'info',
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  // Scan for secrets in prompts (B3) - Original context-aware patterns
-  for (const pattern of SECRETS_IN_PROMPTS_PATTERNS) {
-    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      // Check if it's an env var reference (safe pattern)
-      const isEnvRef = /process\.env|import\.meta\.env|os\.environ|getenv/i.test(lineContent)
-      if (isEnvRef) continue
-
-      // Skip test variable names
-      if (/(?:const|let|var)\s+(?:TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)[_A-Z0-9]*\s*=/i.test(lineContent)) continue
-      if (/(?:const|let|var)\s+\w*(?:test|mock|example|dummy|fake|sample)\w*\s*=/i.test(lineContent)) continue
-
-      // Skip placeholder/example values in the line
-      if (/example|sample|demo|placeholder|your[_-]?api[_-]?key/i.test(lineContent)) continue
-
-      let severity = pattern.severity
-      let description = pattern.description
-
-      // Downgrade test files but still flag
-      if (isTestFile) {
-        severity = severity === 'critical' ? 'medium' : 'low'
-        description += ' (in test file - still review for accidental commits)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-secret-prompt-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'hardcoded_secret', // Use existing category for consistency
-        title: pattern.name + ' (in LLM context)',
-        description: description + ' Secrets in prompts are especially risky as they may be logged, shared, or sent to external AI providers.',
-        suggestedFix: pattern.suggestedFix,
-        confidence: 'high',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: false, // Secrets don't need AI validation - they're definitive
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  // ========== NEW: Direct secret detection with known prefixes ==========
-  // Scan for any known secret patterns anywhere in prompt-related code
-  const seenSecretLines = new Set<number>()  // Avoid duplicates
-
-  for (const secretDef of KNOWN_SECRET_PREFIXES) {
-    const regex = new RegExp(secretDef.pattern.source, secretDef.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip if already reported on this line
-      const lineKey = `${lineNumber}-${secretDef.name}`
-      if (seenSecretLines.has(lineNumber)) continue
-      seenSecretLines.add(lineNumber)
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      // Skip env var references
-      if (/process\.env|import\.meta\.env|os\.environ|getenv/i.test(lineContent)) continue
-
-      // Skip obvious placeholders/examples in the value
-      const matchValue = match[0]
-      if (/example|sample|demo|dummy|fake|mock|your[_-]|placeholder/i.test(matchValue)) continue
-      if (/example|sample|demo|placeholder/i.test(lineContent)) continue
-
-      // Skip values that contain "test" right after the prefix (e.g., sk-test..., ghp_test...)
-      // These are clearly test/development keys, not production secrets
-      if (/^(sk-|ghp_|gho_|sk_live_|sk_test_|xoxb-|SG\.)test/i.test(matchValue)) continue
-      if (/[-_]test[-_0-9]/i.test(matchValue)) continue
-
-      // Skip test variable names (e.g., TEST_API_KEY, MOCK_SECRET)
-      if (/(?:const|let|var)\s+(?:TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)[_A-Z0-9]*\s*=/i.test(lineContent)) continue
-
-      // Skip if variable name contains test/mock/example (broader check)
-      if (/(?:const|let|var)\s+\w*(?:test|mock|example|dummy|fake|sample)\w*\s*=/i.test(lineContent)) continue
-
-      let severity: VulnerabilitySeverity = secretDef.severity
-      let description = `${secretDef.name} detected in LLM-related code. This secret may be exposed to the model provider, logged, or cached.`
-
-      // Downgrade test files
-      if (isTestFile) {
-        severity = severity === 'critical' ? 'medium' : 'low'
-        description += ' (in test file)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-direct-secret-${filePath}-${lineNumber}-${secretDef.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'hardcoded_secret',
-        title: `${secretDef.name} in LLM context`,
-        description,
-        suggestedFix: 'Remove the hardcoded secret. Use environment variables server-side. Never expose secrets to LLM prompts.',
-        confidence: 'high',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: false,
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  // ========== NEW: Variable flow detection ==========
-  // Detect secrets flowing from variables into prompts
-  const flowVulns = detectSecretVariableFlow(content, filePath, isTestFile, lines)
-  vulnerabilities.push(...flowVulns)
-
-  // Scan for missing boundary patterns (B1 continued)
-  for (const pattern of MISSING_BOUNDARY_PATTERNS) {
-    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      const contextLines = getSurroundingContext(content, lineNumber - 1, 10, lines)
-
-      // Skip if delimiters are present
-      if (hasPromptDelimiters(lineContent, contextLines)) continue
-
-      let severity = pattern.severity
-      let description = pattern.description
-
-      if (isTestFile) {
-        severity = 'info'
-        description += ' (in test file)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-boundary-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'ai_prompt_injection',
-        title: pattern.name,
-        description,
-        suggestedFix: pattern.suggestedFix,
-        confidence: 'medium',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: true,
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  // Scan for indirect prompt injection patterns (Phase 2)
-  for (const pattern of INDIRECT_INJECTION_PATTERNS) {
-    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      let severity = pattern.severity
-      let description = pattern.description
-
-      // Check for content filtering/sanitization
-      const hasFiltering = hasContentFiltering(content, lineNumber, lines)
-      const hasDelimiters = hasExternalContentDelimiters(content, lineNumber, lines)
-
-      if (hasFiltering && hasDelimiters) {
-        // Both mitigations present - fully mitigated
-        severity = 'info'
-        description += ' (Content filtering and delimiters detected - mitigated.)'
-      } else if (hasFiltering) {
-        // Partial mitigation - filtering present
-        severity = severity === 'high' ? 'medium' : 'low'
-        description += ' (Content filtering detected.)'
-      } else if (hasDelimiters) {
-        // Partial mitigation - delimiters present
-        severity = severity === 'high' ? 'medium' : 'low'
-        description += ' (External content delimiters detected.)'
-      }
-
-      // Downgrade test files
-      if (isTestFile) {
-        severity = 'info'
-        description += ' (in test file)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-indirect-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'ai_prompt_injection',
-        title: pattern.name + ' (Indirect Injection)',
-        description,
-        suggestedFix: pattern.suggestedFix,
-        confidence: severity === 'info' ? 'low' : 'medium',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: severity !== 'info',
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  // ========== Sprint 6: Model-specific injection markers ==========
-  for (const pattern of MODEL_SPECIFIC_INJECTION_PATTERNS) {
-    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      let severity = pattern.severity
-      let description = pattern.description
-      const contextLines = getSurroundingContext(content, lineNumber - 1, 15, lines)
-
-      // Check for delimiters/sanitization
-      if (pattern.checkDelimiters && hasPromptDelimiters(lineContent, contextLines)) {
-        severity = 'info'
-        description += ' (Delimiters detected, risk mitigated.)'
-      }
-
-      // Check for jailbreak filtering
-      if (hasJailbreakFiltering(content, lineNumber, lines)) {
-        severity = severity === 'high' ? 'medium' : 'low'
-        description += ' (Jailbreak filtering detected.)'
-      }
-
-      if (isTestFile) {
-        severity = 'info'
-        description += ' (in test file)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-model-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'ai_prompt_injection',
-        title: pattern.name,
-        description,
-        suggestedFix: pattern.suggestedFix,
-        confidence: severity === 'info' ? 'low' : 'medium',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: severity !== 'info' && severity !== 'low',
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  // ========== Sprint 6: Encoding-based escape detection ==========
-  for (const pattern of ENCODING_ESCAPE_PATTERNS) {
-    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      let severity = pattern.severity
-      let description = pattern.description
-      const contextLines = getSurroundingContext(content, lineNumber - 1, 15, lines)
-
-      // Check for encoding sanitization
-      if (hasEncodingSanitization(content, lineNumber, lines)) {
-        severity = 'info'
-        description += ' (Encoding sanitization detected.)'
-      }
-
-      // Check for delimiters
-      if (pattern.checkDelimiters && hasPromptDelimiters(lineContent, contextLines)) {
-        severity = 'info'
-        description += ' (Delimiters detected.)'
-      }
-
-      if (isTestFile) {
-        severity = 'info'
-        description += ' (in test file)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-encoding-escape-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'ai_prompt_injection',
-        title: pattern.name + ' (Encoding Bypass)',
-        description,
-        suggestedFix: pattern.suggestedFix,
-        confidence: 'medium',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: severity !== 'info',
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  // ========== Sprint 6: Jailbreak pattern detection ==========
-  for (const pattern of JAILBREAK_INDICATOR_PATTERNS) {
-    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
-    let match
-
-    while ((match = regex.exec(content)) !== null) {
-      const lineNumber = content.substring(0, match.index).split('\n').length
-      const lineContent = lines[lineNumber - 1]?.trim() || ''
-
-      // Skip comments
-      if (isComment(lineContent)) continue
-
-      let severity = pattern.severity
-      let description = pattern.description
-
-      // Check for jailbreak filtering
-      if (hasJailbreakFiltering(content, lineNumber, lines)) {
-        severity = 'info'
-        description += ' (Jailbreak filtering detected - mitigated.)'
-      }
-
-      if (isTestFile) {
-        severity = 'info'
-        description += ' (in test file)'
-      }
-
-      vulnerabilities.push({
-        id: `ai-jailbreak-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
-        filePath,
-        lineNumber,
-        lineContent,
-        severity,
-        category: 'ai_prompt_injection',
-        title: pattern.name + ' (Jailbreak Risk)',
-        description,
-        suggestedFix: pattern.suggestedFix,
-        confidence: severity === 'info' ? 'low' : 'medium',
-        layer: 2,
-        source: 'ai_code' as const,
-        requiresAIValidation: severity !== 'info' && severity !== 'low',
-        baseConfidence: BASE_CONFIDENCE,
-      })
-    }
-  }
-
-  return vulnerabilities
-}
-
-// Export helper for use in other modules
-export { isLLMContextFile }