npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/dist/layer2/dangerous-functions/patterns.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/patterns.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA8JH,0CAUC;AA3JY,QAAA,mBAAmB,GAA+B;IAC7D,iBAAiB;IACjB;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,eAAe;QACxB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,6EAA6E;KAC5F;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,uDAAuD;KACtE;IACD;QACE,IAAI,EAAE,oCAAoC;QAC1C,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,+CAA+C;KAC9D;IAED,oBAAoB;IACpB;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,mDAAmD;QAC5D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,uDAAuD;QACpE,YAAY,EAAE,6DAA6D;KAC5E;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,uDAAuD;QACpE,YAAY,EAAE,8DAA8D;QAC5E,SAAS,EAAE,CAAC,IAAI,CAAC;KAClB;IAED,sBAAsB;IACtB;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,kDAAkD;KACjE;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,wGAAwG;QACjH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4DAA4D;QACzE,YAAY,EAAE,2DAA2D;KAC1E;IAED,YAAY;IACZ;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,2DAA2D;KAC1E;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE,sCAAsC;KACrD;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qEAAqE;QAClF,YAAY,EAAE,uDAAuD;KACtE;IAED,kBAAkB;IAClB;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,0DAA0D;QACvE,YAAY,EAAE,0EAA0E;KACzF;IACD,uFAAuF;IACvF,+EAA+E;IAE/E,oBAAoB;IACpB;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,qGAAqG;QAC9G,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uDAAuD;QACpE,YAAY,EAAE,0EAA0E;KACzF;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,gEAAgE;KAC/E;IAED,oBAAoB;IACpB;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,wFAAwF;KACvG;IAED,YAAY;IACZ;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,6BAA6B;QACtC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sDAAsD;QACnE,YAAY,EAAE,+DAA+D;KAC9E;IAED,sBAAsB;IACtB;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,2EAA2E;QACpF,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,2DAA2D;KAC1E;IACD;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,0EAA0E;QACnF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kEAAkE;QAC/E,YAAY,EAAE,mEAAmE;KAClF;CACF,CAAA;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,QAAgB,EAAE,SAAoB;IACpE,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAErD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAA;IAC1D,OAAO,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QAC3B,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,GAAG,KAAK,IAAI,CAAA;QACtC,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;QACnE,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;QACrD,OAAO,GAAG,KAAK,IAAI,CAAA;IACrB,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/layer2/dangerous-functions/request-validation.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * Request Body Validation Detection
+ *
+ * Detection logic for request.json() / req.json() usage without
+ * proper schema validation.
+ */
+import type { Vulnerability } from '../../types';
+/**
+ * Detect request.json() / req.json() and suggest schema validation
+ * This is NOT a dangerous function - it's a prompt for best practices
+ */
+export declare function detectRequestJsonValidation(content: string, filePath: string, isTestFile: boolean, vulnerabilities: Vulnerability[]): void;
+//# sourceMappingURL=request-validation.d.ts.map

package/dist/layer2/dangerous-functions/request-validation.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"request-validation.d.ts","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/request-validation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAKhD;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,OAAO,EACnB,eAAe,EAAE,aAAa,EAAE,GAC/B,IAAI,CA2HN"}

package/dist/layer2/dangerous-functions/request-validation.js ADDED Viewed

@@ -0,0 +1,119 @@
+"use strict";
+/**
+ * Request Body Validation Detection
+ *
+ * Detection logic for request.json() / req.json() usage without
+ * proper schema validation.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectRequestJsonValidation = detectRequestJsonValidation;
+const context_helpers_1 = require("../../utils/context-helpers");
+const schema_validation_1 = require("./utils/schema-validation");
+const helpers_1 = require("./utils/helpers");
+/**
+ * Detect request.json() / req.json() and suggest schema validation
+ * This is NOT a dangerous function - it's a prompt for best practices
+ */
+function detectRequestJsonValidation(content, filePath, isTestFile, vulnerabilities) {
+    // Only check API route files
+    if (!/\/(api|routes?|handlers?|controllers?)\//i.test(filePath) &&
+        !/route\.(ts|js)$/i.test(filePath)) {
+        return;
+    }
+    // Skip if route has throwing auth helper - these are already protected routes
+    // and the schema validation suggestion is lower priority
+    if ((0, helpers_1.hasThrowingAuthHelper)(content)) {
+        return;
+    }
+    const lines = content.split('\n');
+    // Matches: request.json(), req.json(), await request.json(), etc.
+    const requestJsonPattern = /\b(request|req)\.json\s*\(\s*\)/gi;
+    // Check if file has schema validation (library-based)
+    const hasSchemaLibrary = /\b(zod|yup|joi|ajv|superstruct|valibot|typebox)\b/i.test(content) ||
+        /\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(/i.test(content);
+    // If file has schema library validation, don't report
+    if (hasSchemaLibrary)
+        return;
+    // Check for manual validation patterns (less robust but still indicates intent)
+    const hasManualCheck = (0, schema_validation_1.hasManualValidation)(content);
+    // Track instances for potential aggregation
+    const instances = [];
+    lines.forEach((line, index) => {
+        if ((0, context_helpers_1.isComment)(line))
+            return;
+        requestJsonPattern.lastIndex = 0;
+        if (!requestJsonPattern.test(line))
+            return;
+        // Check if there's validation nearby (within 10 lines after)
+        const startCheck = index;
+        const endCheck = Math.min(lines.length, index + 10);
+        const nearbyContent = lines.slice(startCheck, endCheck).join('\n');
+        // If there's validation in the nearby lines, skip
+        if (/\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(|schema\./i.test(nearbyContent)) {
+            return;
+        }
+        // If manual validation is present, skip individual reporting but track for aggregate
+        if (hasManualCheck) {
+            instances.push({ lineNumber: index + 1, lineContent: line.trim() });
+            return;
+        }
+        if (isTestFile) {
+            return; // Don't report in test files
+        }
+        instances.push({ lineNumber: index + 1, lineContent: line.trim() });
+    });
+    // Don't report if no instances found
+    if (instances.length === 0)
+        return;
+    // If manual validation exists, create a single info-level note
+    if (hasManualCheck && instances.length > 0) {
+        vulnerabilities.push({
+            id: `request-json-manual-${filePath}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: instances[0].lineContent,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: 'Request body with manual validation',
+            description: `API endpoint parses request body with manual validation patterns detected. Consider using a schema library (zod, yup) for more robust type-safe validation.`,
+            suggestedFix: 'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
+            confidence: 'low',
+            layer: 2,
+        });
+        return;
+    }
+    // Aggregate if multiple instances without validation
+    if (instances.length >= 2) {
+        const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5);
+        vulnerabilities.push({
+            id: `request-json-aggregated-${filePath}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: `${instances.length} instances`,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: `Request body without schema validation (${instances.length} instances)`,
+            description: `API endpoint parses request body without visible schema validation at lines: ${lineNumbers.join(', ')}. Consider validating the shape of incoming data.`,
+            suggestedFix: 'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
+            confidence: 'low',
+            layer: 2,
+        });
+    }
+    else {
+        // Single instance
+        vulnerabilities.push({
+            id: `request-json-${filePath}-${instances[0].lineNumber}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: instances[0].lineContent,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: 'Request body without schema validation',
+            description: 'API endpoint parses request body without visible schema validation. Consider validating the shape of incoming data.',
+            suggestedFix: 'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
+            confidence: 'low',
+            layer: 2,
+        });
+    }
+}
+//# sourceMappingURL=request-validation.js.map

package/dist/layer2/dangerous-functions/request-validation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"request-validation.js","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/request-validation.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAWH,kEAgIC;AAxID,iEAAuD;AACvD,iEAA+D;AAC/D,6CAAuD;AAEvD;;;GAGG;AACH,SAAgB,2BAA2B,CACzC,OAAe,EACf,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,6BAA6B;IAC7B,IACE,CAAC,2CAA2C,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC3D,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAClC,CAAC;QACD,OAAM;IACR,CAAC;IAED,8EAA8E;IAC9E,yDAAyD;IACzD,IAAI,IAAA,+BAAqB,EAAC,OAAO,CAAC,EAAE,CAAC;QACnC,OAAM;IACR,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,kEAAkE;IAClE,MAAM,kBAAkB,GAAG,mCAAmC,CAAA;IAE9D,sDAAsD;IACtD,MAAM,gBAAgB,GACpB,oDAAoD,CAAC,IAAI,CAAC,OAAO,CAAC;QAClE,gDAAgD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAEhE,sDAAsD;IACtD,IAAI,gBAAgB;QAAE,OAAM;IAE5B,gFAAgF;IAChF,MAAM,cAAc,GAAG,IAAA,uCAAmB,EAAC,OAAO,CAAC,CAAA;IAEnD,4CAA4C;IAC5C,MAAM,SAAS,GAAkD,EAAE,CAAA;IAEnE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,kBAAkB,CAAC,SAAS,GAAG,CAAC,CAAA;QAChC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAM;QAE1C,6DAA6D;QAC7D,MAAM,UAAU,GAAG,KAAK,CAAA;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAA;QACnD,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAElE,kDAAkD;QAClD,IACE,yDAAyD,CAAC,IAAI,CAC5D,aAAa,CACd,EACD,CAAC;YACD,OAAM;QACR,CAAC;QAED,qFAAqF;QACrF,IAAI,cAAc,EAAE,CAAC;YACnB,SAAS,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;YACnE,OAAM;QACR,CAAC;QAED,IAAI,UAAU,EAAE,CAAC;YACf,OAAM,CAAC,6BAA6B;QACtC,CAAC;QAED,SAAS,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;IACrE,CAAC,CAAC,CAAA;IAEF,qCAAqC;IACrC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAM;IAElC,+DAA+D;IAC/D,IAAI,cAAc,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,uBAAuB,QAAQ,EAAE;YACrC,QAAQ;YACR,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU;YACnC,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW;YACrC,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,6JAA6J;YAC1K,YAAY,EACV,2GAA2G;YAC7G,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;QACF,OAAM;IACR,CAAC;IAED,qDAAqD;IACrD,IAAI,SAAS,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QAChE,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,2BAA2B,QAAQ,EAAE;YACzC,QAAQ;YACR,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU;YACnC,WAAW,EAAE,GAAG,SAAS,CAAC,MAAM,YAAY;YAC5C,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,2CAA2C,SAAS,CAAC,MAAM,aAAa;YAC/E,WAAW,EAAE,gFAAgF,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,mDAAmD;YACtK,YAAY,EACV,wGAAwG;YAC1G,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;IACJ,CAAC;SAAM,CAAC;QACN,kBAAkB;QAClB,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,gBAAgB,QAAQ,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE;YACzD,QAAQ;YACR,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU;YACnC,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW;YACrC,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EACT,qHAAqH;YACvH,YAAY,EACV,wGAAwG;YAC1G,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;IACJ,CAAC;AACH,CAAC"}

package/dist/layer2/dangerous-functions/utils/control-flow.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Control Flow Analysis Utilities
+ *
+ * Functions for analyzing code control flow, including try-catch detection
+ * and function context extraction.
+ */
+/**
+ * Check if a line is inside a try-catch block
+ * Looks for enclosing try { ... } catch pattern
+ */
+export declare function isInsideTryCatch(content: string, lineNumber: number): boolean;
+/**
+ * Simpler heuristic: check if there's a try-catch in the same function scope
+ * Looks for try { before the line and } catch after, within reasonable bounds
+ */
+export declare function hasTryCatchNearby(content: string, lineNumber: number, windowSize?: number): boolean;
+/**
+ * Extract function context where a call is being made
+ * Looks backwards from the current line to find enclosing function name
+ * Returns lowercase function name or null if not found
+ */
+export declare function extractFunctionContext(content: string, lineNumber: number): string | null;
+//# sourceMappingURL=control-flow.d.ts.map

package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"control-flow.d.ts","sourceRoot":"","sources":["../../../../src/layer2/dangerous-functions/utils/control-flow.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAiD7E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,GAAE,MAAW,GAAG,OAAO,CAkCvG;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAoDzF"}

package/dist/layer2/dangerous-functions/utils/control-flow.js ADDED Viewed

@@ -0,0 +1,149 @@
+"use strict";
+/**
+ * Control Flow Analysis Utilities
+ *
+ * Functions for analyzing code control flow, including try-catch detection
+ * and function context extraction.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isInsideTryCatch = isInsideTryCatch;
+exports.hasTryCatchNearby = hasTryCatchNearby;
+exports.extractFunctionContext = extractFunctionContext;
+const context_helpers_1 = require("../../../utils/context-helpers");
+/**
+ * Check if a line is inside a try-catch block
+ * Looks for enclosing try { ... } catch pattern
+ */
+function isInsideTryCatch(content, lineNumber) {
+    const lines = content.split('\n');
+    // Track brace depth and whether we're in a try block
+    let tryDepth = 0;
+    let inTryBlock = false;
+    const braceStack = [];
+    // Scan from start to the target line
+    for (let i = 0; i < lineNumber && i < lines.length; i++) {
+        const line = lines[i];
+        // Check for try keyword (not in a comment)
+        if (/\btry\s*\{/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            inTryBlock = true;
+            tryDepth++;
+            // Count opening braces on this line
+            const openBraces = (line.match(/\{/g) || []).length;
+            const closeBraces = (line.match(/\}/g) || []).length;
+            for (let j = 0; j < openBraces - closeBraces; j++) {
+                braceStack.push('try');
+            }
+        }
+        else if (/\bcatch\s*\(/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            // Entering catch block - still protected
+            // Don't decrement tryDepth yet
+        }
+        else if (/\bfinally\s*\{/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            // Entering finally block - still protected
+        }
+        else {
+            // Track regular braces
+            const openBraces = (line.match(/\{/g) || []).length;
+            const closeBraces = (line.match(/\}/g) || []).length;
+            for (let j = 0; j < openBraces; j++) {
+                braceStack.push(inTryBlock && tryDepth > 0 ? 'try' : 'other');
+            }
+            for (let j = 0; j < closeBraces; j++) {
+                const popped = braceStack.pop();
+                if (popped === 'try') {
+                    tryDepth--;
+                    if (tryDepth === 0) {
+                        inTryBlock = false;
+                    }
+                }
+            }
+        }
+    }
+    return tryDepth > 0;
+}
+/**
+ * Simpler heuristic: check if there's a try-catch in the same function scope
+ * Looks for try { before the line and } catch after, within reasonable bounds
+ */
+function hasTryCatchNearby(content, lineNumber, windowSize = 20) {
+    const lines = content.split('\n');
+    const startLine = Math.max(0, lineNumber - windowSize);
+    const endLine = Math.min(lines.length, lineNumber + windowSize);
+    // Look backward for 'try {'
+    let foundTry = false;
+    for (let i = lineNumber - 1; i >= startLine; i--) {
+        const line = lines[i];
+        if (/\btry\s*\{/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            foundTry = true;
+            break;
+        }
+        // Stop if we hit a function boundary
+        if (/\b(function|async function|=>|class)\b/.test(line) && /\{/.test(line)) {
+            break;
+        }
+    }
+    if (!foundTry)
+        return false;
+    // Look forward for '} catch'
+    for (let i = lineNumber; i < endLine; i++) {
+        const line = lines[i];
+        if (/\}\s*catch\s*\(/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            return true;
+        }
+        // Stop if we hit another function boundary
+        if (i > lineNumber && /\b(function|async function|class)\b/.test(line) && /\{/.test(line)) {
+            break;
+        }
+    }
+    return false;
+}
+/**
+ * Extract function context where a call is being made
+ * Looks backwards from the current line to find enclosing function name
+ * Returns lowercase function name or null if not found
+ */
+function extractFunctionContext(content, lineNumber) {
+    const lines = content.split('\n');
+    const start = Math.max(0, lineNumber - 20); // Increased from 10 to 20 for nested callbacks
+    // Look backwards for function declaration
+    for (let i = lineNumber; i >= start; i--) {
+        const line = lines[i];
+        // Skip anonymous arrow functions in callbacks (e.g., .map((x) => ...), .replace(/x/g, (c) => ...))
+        // These are not the function context we're looking for
+        // Look for pattern: .methodName(..., (param) => or .methodName(...(param) =>
+        const hasMethodCallWithArrowCallback = /\.\w+\(.*\([^)]*\)\s*=>/.test(line);
+        // Skip lines that only have arrow callbacks in method calls
+        if (hasMethodCallWithArrowCallback && !/^(const|let|var|function|async|export)/.test(line.trim())) {
+            continue;
+        }
+        // Named function declaration: function funcName(
+        const funcMatch = line.match(/function\s+(\w+)\s*\(/);
+        if (funcMatch) {
+            return funcMatch[1].toLowerCase();
+        }
+        // Arrow function with const/let/var: const funcName = () => | const funcName = async () =>
+        // Must have => after the parameters to distinguish from const x = (expression)
+        // Also handles TypeScript return type annotations: const funcName = (): string =>
+        const arrowMatch = line.match(/(const|let|var)\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)(?:\s*:\s*\w+)?\s*=>/);
+        if (arrowMatch) {
+            return arrowMatch[2].toLowerCase();
+        }
+        // Method declaration: methodName() { or async methodName() {
+        const methodMatch = line.match(/^\s*(?:async\s+)?(\w+)\s*\([^)]*\)\s*\{/);
+        if (methodMatch) {
+            return methodMatch[1].toLowerCase();
+        }
+        // Export function: export function funcName( or export const funcName = () =>
+        const exportFuncMatch = line.match(/export\s+(?:async\s+)?function\s+(\w+)\s*\(/);
+        if (exportFuncMatch) {
+            return exportFuncMatch[1].toLowerCase();
+        }
+        // Also handles TypeScript return type annotations: export const funcName = (): string =>
+        const exportConstMatch = line.match(/export\s+const\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)(?:\s*:\s*\w+)?\s*=>/);
+        if (exportConstMatch) {
+            return exportConstMatch[1].toLowerCase();
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=control-flow.js.map

package/dist/layer2/dangerous-functions/utils/control-flow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"control-flow.js","sourceRoot":"","sources":["../../../../src/layer2/dangerous-functions/utils/control-flow.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAQH,4CAiDC;AAMD,8CAkCC;AAOD,wDAoDC;AA1JD,oEAA0D;AAE1D;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,OAAe,EAAE,UAAkB;IAClE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,qDAAqD;IACrD,IAAI,QAAQ,GAAG,CAAC,CAAA;IAChB,IAAI,UAAU,GAAG,KAAK,CAAA;IACtB,MAAM,UAAU,GAA2B,EAAE,CAAA;IAE7C,qCAAqC;IACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,2CAA2C;QAC3C,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAA,2BAAS,EAAC,IAAI,CAAC,EAAE,CAAC;YAChD,UAAU,GAAG,IAAI,CAAA;YACjB,QAAQ,EAAE,CAAA;YACV,oCAAoC;YACpC,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YACnD,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;gBAClD,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;aAAM,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAA,2BAAS,EAAC,IAAI,CAAC,EAAE,CAAC;YACzD,yCAAyC;YACzC,+BAA+B;QACjC,CAAC;aAAM,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAA,2BAAS,EAAC,IAAI,CAAC,EAAE,CAAC;YAC3D,2CAA2C;QAC7C,CAAC;aAAM,CAAC;YACN,uBAAuB;YACvB,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YACnD,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YAEpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;gBACpC,UAAU,CAAC,IAAI,CAAC,UAAU,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;YAC/D,CAAC;YAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;gBACrC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,EAAE,CAAA;gBAC/B,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;oBACrB,QAAQ,EAAE,CAAA;oBACV,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;wBACnB,UAAU,GAAG,KAAK,CAAA;oBACpB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,GAAG,CAAC,CAAA;AACrB,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,OAAe,EAAE,UAAkB,EAAE,aAAqB,EAAE;IAC5F,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,UAAU,CAAC,CAAA;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC,CAAA;IAE/D,4BAA4B;IAC5B,IAAI,QAAQ,GAAG,KAAK,CAAA;IACpB,KAAK,IAAI,CAAC,GAAG,UAAU,GAAG,CAAC,EAAE,CAAC,IAAI,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;QACjD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAA,2BAAS,EAAC,IAAI,CAAC,EAAE,CAAC;YAChD,QAAQ,GAAG,IAAI,CAAA;YACf,MAAK;QACP,CAAC;QACD,qCAAqC;QACrC,IAAI,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3E,MAAK;QACP,CAAC;IACH,CAAC;IAED,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAA;IAE3B,6BAA6B;IAC7B,KAAK,IAAI,CAAC,GAAG,UAAU,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAA,2BAAS,EAAC,IAAI,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,CAAA;QACb,CAAC;QACD,2CAA2C;QAC3C,IAAI,CAAC,GAAG,UAAU,IAAI,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1F,MAAK;QACP,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CAAC,OAAe,EAAE,UAAkB;IACxE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA,CAAC,+CAA+C;IAE1F,0CAA0C;IAC1C,KAAK,IAAI,CAAC,GAAG,UAAU,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,mGAAmG;QACnG,uDAAuD;QACvD,6EAA6E;QAC7E,MAAM,8BAA8B,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE3E,4DAA4D;QAC5D,IAAI,8BAA8B,IAAI,CAAC,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAClG,SAAQ;QACV,CAAC;QAED,iDAAiD;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;QACrD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QACnC,CAAC;QAED,2FAA2F;QAC3F,+EAA+E;QAC/E,kFAAkF;QAClF,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,0EAA0E,CAAC,CAAA;QACzG,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QACpC,CAAC;QAED,6DAA6D;QAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAA;QACzE,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QACrC,CAAC;QAED,8EAA8E;QAC9E,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAA;QACjF,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO,eAAe,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QACzC,CAAC;QAED,yFAAyF;QACzF,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,yEAAyE,CAAC,CAAA;QAC9G,IAAI,gBAAgB,EAAE,CAAC;YACrB,OAAO,gBAAgB,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/layer2/dangerous-functions/utils/helpers.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * General Helper Utilities
+ *
+ * Small utility functions used across the dangerous functions detection module.
+ */
+/**
+ * Get a specific line from content by line number (0-indexed)
+ */
+export declare function getLineContent(content: string, lineNumber: number): string;
+/**
+ * Get a range of lines from content
+ */
+export declare function getLineRange(content: string, startLine: number, endLine: number): string;
+/**
+ * Check if eval/exec/Function has only static literal inputs (no user data)
+ * Static inputs like eval('({ mode: "production" })') are low risk
+ *
+ * Returns true ONLY if the argument is a string literal (not a variable)
+ */
+export declare function hasOnlyStaticInputs(lineContent: string, content: string, lineNumber: number): boolean;
+/**
+ * Check if path traversal protection is in place
+ * Looks for common sanitization patterns that prevent directory traversal attacks
+ */
+export declare function hasPathTraversalProtection(context: string, lineContent: string): boolean;
+/**
+ * Check if route has throwing auth helper (getCurrentUserId, requireAuth, etc.)
+ * Routes with throwing auth helpers are already protected
+ */
+export declare function hasThrowingAuthHelper(content: string): boolean;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/layer2/dangerous-functions/utils/helpers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAG1E;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,MAAM,CAKR;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAgCT;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CA6BT;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAmB9D"}

package/dist/layer2/dangerous-functions/utils/helpers.js ADDED Viewed

@@ -0,0 +1,124 @@
+"use strict";
+/**
+ * General Helper Utilities
+ *
+ * Small utility functions used across the dangerous functions detection module.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getLineContent = getLineContent;
+exports.getLineRange = getLineRange;
+exports.hasOnlyStaticInputs = hasOnlyStaticInputs;
+exports.hasPathTraversalProtection = hasPathTraversalProtection;
+exports.hasThrowingAuthHelper = hasThrowingAuthHelper;
+/**
+ * Get a specific line from content by line number (0-indexed)
+ */
+function getLineContent(content, lineNumber) {
+    const lines = content.split('\n');
+    return lines[lineNumber] || '';
+}
+/**
+ * Get a range of lines from content
+ */
+function getLineRange(content, startLine, endLine) {
+    const lines = content.split('\n');
+    const start = Math.max(0, startLine);
+    const end = Math.min(lines.length, endLine);
+    return lines.slice(start, end).join('\n');
+}
+/**
+ * Check if eval/exec/Function has only static literal inputs (no user data)
+ * Static inputs like eval('({ mode: "production" })') are low risk
+ *
+ * Returns true ONLY if the argument is a string literal (not a variable)
+ */
+function hasOnlyStaticInputs(lineContent, content, lineNumber) {
+    // Check if the argument to eval/exec/Function is a string literal ONLY
+    // If it's a variable, it's NOT static (could come from anywhere)
+    //
+    // String literal patterns:
+    // - Single quotes: 'content with "double quotes" inside' (no $ interpolation)
+    // - Double quotes: "content" (no $ interpolation)
+    // - Backticks without ${}: `content` (template literal but no interpolation)
+    //
+    // Note: We allow quotes INSIDE the string (e.g., 'text "with" quotes')
+    // but NOT $ (which would indicate interpolation)
+    const staticPatterns = [
+        // Single-quoted string: eval('...') - can contain anything except single quotes and $
+        /eval\s*\(\s*'[^'$]*'\s*\)/,
+        // Double-quoted string: eval("...") - can contain anything except double quotes and $
+        /eval\s*\(\s*"[^"$]*"\s*\)/,
+        // Backtick without interpolation: eval(`...`) - must not have ${ inside
+        /eval\s*\(\s*`[^`$]*`\s*\)/,
+        // Function constructor with string literal
+        /new\s+Function\s*\(\s*'[^'$]*'\s*\)/,
+        /new\s+Function\s*\(\s*"[^"$]*"\s*\)/,
+        // execSync with string literal
+        /execSync\s*\(\s*'[^'$]*'\s*\)/,
+        /execSync\s*\(\s*"[^"$]*"\s*\)/,
+        // exec with string literal
+        /exec\s*\(\s*'[^'$]*'/,
+        /exec\s*\(\s*"[^"$]*"/,
+    ];
+    // Only return true if it matches a static pattern (string literal)
+    // If it's a variable like eval(code), we can't assume it's static
+    return staticPatterns.some(p => p.test(lineContent));
+}
+/**
+ * Check if path traversal protection is in place
+ * Looks for common sanitization patterns that prevent directory traversal attacks
+ */
+function hasPathTraversalProtection(context, lineContent) {
+    const protectionPatterns = [
+        // Path normalization with base directory check
+        /path\.resolve\s*\([^)]+\).*\.startsWith\s*\(/i,
+        /\.startsWith\s*\([^)]*(?:baseDir|basePath|rootDir|uploadDir|allowedDir)/i,
+        // Explicit ".." rejection
+        /\.includes\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+        /\.indexOf\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+        /['"`]\.\.['"`].*(?:throw|reject|return|error)/i,
+        // Path sanitization libraries
+        /sanitizePath|sanitizeFilename|sanitize-filename/i,
+        /path-sanitizer|secure-path/i,
+        // Explicit path validation
+        /validatePath|isValidPath|checkPath|verifyPath/i,
+        /isPathAllowed|isAllowedPath|pathIsAllowed/i,
+        // Normalize and check pattern
+        /path\.normalize\s*\([^)]+\).*(?:startsWith|includes|indexOf)/i,
+        // Regex validation for safe characters only
+        /\/\^?\[a-zA-Z0-9_\-\.\\\/\]\+\$?\//, // Only alphanumeric, dash, underscore, dot
+        // Allowlist/whitelist patterns
+        /allowedExtensions|allowedTypes|whitelist/i,
+        /\.endsWith\s*\(\s*['"`]\.\w+['"`]\s*\)/i, // Extension check
+        // Path.basename to strip directory
+        /path\.basename\s*\(/i,
+        // Zod/validation for filename patterns
+        /z\.string\s*\(\s*\)\.regex\s*\(/i,
+    ];
+    return protectionPatterns.some(p => p.test(context) || p.test(lineContent));
+}
+/**
+ * Check if route has throwing auth helper (getCurrentUserId, requireAuth, etc.)
+ * Routes with throwing auth helpers are already protected
+ */
+function hasThrowingAuthHelper(content) {
+    const throwingAuthPatterns = [
+        /\bgetCurrentUserId\s*\(/i,
+        /\brequireAuth\s*\(/i,
+        /\bensureAuth\s*\(/i,
+        /\bauth\s*\(\s*\)\s*\.protect\s*\(/i, // Clerk: auth().protect()
+        /\bcurrentUser\s*\(\s*\)/i, // Clerk: currentUser()
+        /\bgetServerSession\s*\([^)]*\)/i, // NextAuth
+        /\bauth\s*\(\s*\)/i, // Generic auth() call
+        /\bcheckAuth\s*\(/i,
+        /\bverifyAuth\s*\(/i,
+        /\bvalidateAuth\s*\(/i,
+        /\bassertAuth\s*\(/i,
+        /\bgetAuth\s*\(/i,
+        /\brequireUser\s*\(/i,
+        /\bgetUser\s*\(\s*\)/i, // supabase.auth.getUser()
+        /const\s+\{\s*user\s*\}\s*=\s*await/i, // Destructuring pattern
+    ];
+    return throwingAuthPatterns.some(p => p.test(content));
+}
+//# sourceMappingURL=helpers.js.map

package/dist/layer2/dangerous-functions/utils/helpers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../../src/layer2/dangerous-functions/utils/helpers.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAKH,wCAGC;AAKD,oCASC;AAQD,kDAoCC;AAMD,gEAgCC;AAMD,sDAmBC;AA/HD;;GAEG;AACH,SAAgB,cAAc,CAAC,OAAe,EAAE,UAAkB;IAChE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAA;AAChC,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAC1B,OAAe,EACf,SAAiB,EACjB,OAAe;IAEf,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC3C,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,mBAAmB,CACjC,WAAmB,EACnB,OAAe,EACf,UAAkB;IAElB,uEAAuE;IACvE,iEAAiE;IACjE,EAAE;IACF,2BAA2B;IAC3B,8EAA8E;IAC9E,kDAAkD;IAClD,6EAA6E;IAC7E,EAAE;IACF,uEAAuE;IACvE,iDAAiD;IACjD,MAAM,cAAc,GAAG;QACrB,sFAAsF;QACtF,2BAA2B;QAC3B,sFAAsF;QACtF,2BAA2B;QAC3B,wEAAwE;QACxE,2BAA2B;QAC3B,2CAA2C;QAC3C,qCAAqC;QACrC,qCAAqC;QACrC,+BAA+B;QAC/B,+BAA+B;QAC/B,+BAA+B;QAC/B,2BAA2B;QAC3B,sBAAsB;QACtB,sBAAsB;KACvB,CAAA;IAED,mEAAmE;IACnE,kEAAkE;IAClE,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;AACtD,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CACxC,OAAe,EACf,WAAmB;IAEnB,MAAM,kBAAkB,GAAG;QACzB,+CAA+C;QAC/C,+CAA+C;QAC/C,0EAA0E;QAC1E,0BAA0B;QAC1B,wCAAwC;QACxC,uCAAuC;QACvC,gDAAgD;QAChD,8BAA8B;QAC9B,kDAAkD;QAClD,6BAA6B;QAC7B,2BAA2B;QAC3B,gDAAgD;QAChD,4CAA4C;QAC5C,8BAA8B;QAC9B,+DAA+D;QAC/D,4CAA4C;QAC5C,oCAAoC,EAAE,2CAA2C;QACjF,+BAA+B;QAC/B,2CAA2C;QAC3C,yCAAyC,EAAE,kBAAkB;QAC7D,mCAAmC;QACnC,sBAAsB;QACtB,uCAAuC;QACvC,kCAAkC;KACnC,CAAA;IAED,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;AAC7E,CAAC;AAED;;;GAGG;AACH,SAAgB,qBAAqB,CAAC,OAAe;IACnD,MAAM,oBAAoB,GAAG;QAC3B,0BAA0B;QAC1B,qBAAqB;QACrB,oBAAoB;QACpB,oCAAoC,EAAE,0BAA0B;QAChE,0BAA0B,EAAE,uBAAuB;QACnD,iCAAiC,EAAE,WAAW;QAC9C,mBAAmB,EAAE,sBAAsB;QAC3C,mBAAmB;QACnB,oBAAoB;QACpB,sBAAsB;QACtB,oBAAoB;QACpB,iBAAiB;QACjB,qBAAqB;QACrB,sBAAsB,EAAE,0BAA0B;QAClD,qCAAqC,EAAE,wBAAwB;KAChE,CAAA;IACD,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACxD,CAAC"}

package/dist/layer2/dangerous-functions/utils/index.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Utility Functions Index
+ *
+ * Re-exports all utility functions from the dangerous-functions module.
+ */
+export { isInsideTryCatch, hasTryCatchNearby, extractFunctionContext, } from './control-flow';
+export { hasSchemaValidationNearby, hasManualValidation, hasSQLWhitelistValidation, } from './schema-validation';
+export { getLineContent, getLineRange, hasOnlyStaticInputs, hasPathTraversalProtection, hasThrowingAuthHelper, } from './helpers';
+//# sourceMappingURL=index.d.ts.map

package/dist/layer2/dangerous-functions/utils/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/layer2/dangerous-functions/utils/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,gBAAgB,CAAA;AAEvB,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,EACnB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,WAAW,CAAA"}

package/dist/layer2/dangerous-functions/utils/index.js ADDED Viewed

@@ -0,0 +1,23 @@
+"use strict";
+/**
+ * Utility Functions Index
+ *
+ * Re-exports all utility functions from the dangerous-functions module.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasThrowingAuthHelper = exports.hasPathTraversalProtection = exports.hasOnlyStaticInputs = exports.getLineRange = exports.getLineContent = exports.hasSQLWhitelistValidation = exports.hasManualValidation = exports.hasSchemaValidationNearby = exports.extractFunctionContext = exports.hasTryCatchNearby = exports.isInsideTryCatch = void 0;
+var control_flow_1 = require("./control-flow");
+Object.defineProperty(exports, "isInsideTryCatch", { enumerable: true, get: function () { return control_flow_1.isInsideTryCatch; } });
+Object.defineProperty(exports, "hasTryCatchNearby", { enumerable: true, get: function () { return control_flow_1.hasTryCatchNearby; } });
+Object.defineProperty(exports, "extractFunctionContext", { enumerable: true, get: function () { return control_flow_1.extractFunctionContext; } });
+var schema_validation_1 = require("./schema-validation");
+Object.defineProperty(exports, "hasSchemaValidationNearby", { enumerable: true, get: function () { return schema_validation_1.hasSchemaValidationNearby; } });
+Object.defineProperty(exports, "hasManualValidation", { enumerable: true, get: function () { return schema_validation_1.hasManualValidation; } });
+Object.defineProperty(exports, "hasSQLWhitelistValidation", { enumerable: true, get: function () { return schema_validation_1.hasSQLWhitelistValidation; } });
+var helpers_1 = require("./helpers");
+Object.defineProperty(exports, "getLineContent", { enumerable: true, get: function () { return helpers_1.getLineContent; } });
+Object.defineProperty(exports, "getLineRange", { enumerable: true, get: function () { return helpers_1.getLineRange; } });
+Object.defineProperty(exports, "hasOnlyStaticInputs", { enumerable: true, get: function () { return helpers_1.hasOnlyStaticInputs; } });
+Object.defineProperty(exports, "hasPathTraversalProtection", { enumerable: true, get: function () { return helpers_1.hasPathTraversalProtection; } });
+Object.defineProperty(exports, "hasThrowingAuthHelper", { enumerable: true, get: function () { return helpers_1.hasThrowingAuthHelper; } });
+//# sourceMappingURL=index.js.map

package/dist/layer2/dangerous-functions/utils/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/layer2/dangerous-functions/utils/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,+CAIuB;AAHrB,gHAAA,gBAAgB,OAAA;AAChB,iHAAA,iBAAiB,OAAA;AACjB,sHAAA,sBAAsB,OAAA;AAGxB,yDAI4B;AAH1B,8HAAA,yBAAyB,OAAA;AACzB,wHAAA,mBAAmB,OAAA;AACnB,8HAAA,yBAAyB,OAAA;AAG3B,qCAMkB;AALhB,yGAAA,cAAc,OAAA;AACd,uGAAA,YAAY,OAAA;AACZ,8GAAA,mBAAmB,OAAA;AACnB,qHAAA,0BAA0B,OAAA;AAC1B,gHAAA,qBAAqB,OAAA"}

package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Schema Validation Detection Utilities
+ *
+ * Functions for detecting schema validation patterns (zod, yup, joi, etc.)
+ * and manual validation patterns.
+ */
+/**
+ * Check if schema validation is applied near a JSON.parse call
+ * Looks for zod, yup, joi, or similar validation patterns
+ */
+export declare function hasSchemaValidationNearby(content: string, lineNumber: number): boolean;
+/**
+ * Check if this file appears to have form/input validation elsewhere
+ * (manual checks on body fields, type guards, etc.)
+ */
+export declare function hasManualValidation(content: string): boolean;
+/**
+ * Check if SQL query uses whitelist validation pattern
+ * e.g., columns validated against allowedColumns array before use
+ */
+export declare function hasSQLWhitelistValidation(content: string, lineNumber: number): boolean;
+//# sourceMappingURL=schema-validation.d.ts.map

package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema-validation.d.ts","sourceRoot":"","sources":["../../../../src/layer2/dangerous-functions/utils/schema-validation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAkCtF;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAe5D;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAkBtF"}