npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/dist/layer3/anthropic/auto-dismiss.js ADDED Viewed

@@ -0,0 +1,188 @@
+"use strict";
+/**
+ * Smart Auto-Dismiss Rules
+ *
+ * Instant filtering rules that don't require AI validation.
+ * These rules catch obvious false positives before sending to AI.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyAutoDismissRules = applyAutoDismissRules;
+const context_helpers_1 = require("../../utils/context-helpers");
+const tiers_1 = require("../../tiers");
+// ============================================================================
+// Auto-Dismiss Rules
+// ============================================================================
+const AUTO_DISMISS_RULES = [
+    // Test files - often contain intentional "vulnerable" patterns for testing
+    {
+        name: 'test_file',
+        check: (finding) => (0, context_helpers_1.isTestOrMockFile)(finding.filePath),
+        reason: 'Finding in test/mock file',
+    },
+    // Example/demo code - not production code
+    {
+        name: 'example_file',
+        check: (finding) => (0, context_helpers_1.isExampleFile)(finding.filePath),
+        reason: 'Finding in example/demo file',
+    },
+    // Documentation files
+    {
+        name: 'documentation_file',
+        check: (finding) => /\.(md|mdx|txt|rst)$/i.test(finding.filePath),
+        reason: 'Finding in documentation file',
+    },
+    // Scanner/security tool code itself
+    {
+        name: 'scanner_code',
+        check: (finding) => (0, context_helpers_1.isScannerOrFixtureFile)(finding.filePath),
+        reason: 'Finding in scanner/fixture code',
+    },
+    // Environment variable references (not hardcoded secrets)
+    {
+        name: 'env_var_reference',
+        check: (finding) => {
+            if (finding.category !== 'hardcoded_secret' && finding.category !== 'high_entropy_string') {
+                return false;
+            }
+            return (0, context_helpers_1.isEnvVarReference)(finding.lineContent);
+        },
+        reason: 'Uses environment variable (not hardcoded)',
+    },
+    // Public health check endpoints don't need auth
+    {
+        name: 'health_check_endpoint',
+        check: (finding) => {
+            if (finding.category !== 'missing_auth')
+                return false;
+            return (0, context_helpers_1.isPublicEndpoint)(finding.lineContent, finding.filePath);
+        },
+        reason: 'Public health check endpoint (auth not required)',
+    },
+    // CSS/Tailwind classes flagged as high entropy
+    {
+        name: 'css_classes',
+        check: (finding) => {
+            if (finding.category !== 'high_entropy_string')
+                return false;
+            const cssIndicators = ['flex', 'grid', 'text-', 'bg-', 'px-', 'py-', 'rounded', 'shadow', 'hover:', 'dark:'];
+            const lowerLine = finding.lineContent.toLowerCase();
+            const matchCount = cssIndicators.filter(ind => lowerLine.includes(ind)).length;
+            return matchCount >= 2;
+        },
+        reason: 'CSS/Tailwind classes (not a secret)',
+    },
+    // Comment lines shouldn't be flagged for most categories
+    {
+        name: 'comment_line',
+        check: (finding) => {
+            // Some categories are valid in comments (e.g., TODO security)
+            if (finding.category === 'ai_pattern')
+                return false;
+            return (0, context_helpers_1.isComment)(finding.lineContent);
+        },
+        reason: 'Code comment (not executable)',
+    },
+    // Info severity already - no need to validate
+    // BUT: Only auto-dismiss info-severity for Tier A (core) findings
+    // Tier B (ai_assisted) findings MUST go through AI validation even at info severity
+    // because detectors may have pre-downgraded them based on partial context
+    {
+        name: 'info_severity_core_only',
+        check: (finding) => {
+            if (finding.severity !== 'info')
+                return false;
+            // Only auto-dismiss info-severity for Tier A (core) findings
+            // Tier B should always go through AI for proper validation
+            const tier = (0, tiers_1.getTierForCategory)(finding.category, finding.layer);
+            return tier === 'core';
+        },
+        reason: 'Already info severity for core detector (low priority)',
+    },
+    // Generic success/error messages in ai_pattern
+    {
+        name: 'generic_message',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            const genericPatterns = [
+                /['"`](success|done|ok|completed|finished|saved|updated|deleted|created)['"`]/i,
+                /['"`]something went wrong['"`]/i,
+                /['"`]an error occurred['"`]/i,
+                /console\.(log|info|debug)\s*\(\s*['"`][^'"]+['"`]\s*\)/i,
+            ];
+            return genericPatterns.some(p => p.test(finding.lineContent));
+        },
+        reason: 'Generic UI message (not security-relevant)',
+    },
+    // Type definitions with 'any' - often necessary for third-party libs
+    {
+        name: 'type_definition_any',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            if (!finding.title.toLowerCase().includes('any'))
+                return false;
+            // Check if it's in a .d.ts file or type definition context
+            if (finding.filePath.includes('.d.ts'))
+                return true;
+            const typeDefPatterns = [/^type\s+\w+\s*=/, /^interface\s+\w+/, /declare\s+(const|let|var|function|class)/];
+            return typeDefPatterns.some(p => p.test(finding.lineContent.trim()));
+        },
+        reason: 'Type definition (not runtime code)',
+    },
+    // setTimeout/setInterval magic numbers - code style, not security
+    {
+        name: 'timeout_magic_number',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            return /set(Timeout|Interval)\s*\([^,]+,\s*\d+\s*\)/.test(finding.lineContent);
+        },
+        reason: 'Timeout value (code style, not security)',
+    },
+];
+// ============================================================================
+// Apply Auto-Dismiss Rules
+// ============================================================================
+/**
+ * Rules that should NOT be applied to direct-surface findings.
+ * These rules are designed to reduce AI validation costs, not to suppress findings entirely.
+ */
+const VALIDATION_ONLY_RULES = new Set([
+    'info_severity_core_only', // Info findings should surface, just not go through expensive AI validation
+]);
+/**
+ * Apply smart auto-dismiss rules to filter obvious false positives
+ * Returns findings that should be sent to AI validation
+ *
+ * @param findings - Array of vulnerabilities to filter
+ * @param mode - 'validation' applies all rules (for AI validation candidates),
+ *               'surface' excludes cost-saving rules (for direct-surface findings)
+ */
+function applyAutoDismissRules(findings, mode = 'validation') {
+    const toValidate = [];
+    const dismissed = [];
+    // Filter rules based on mode
+    const applicableRules = mode === 'surface'
+        ? AUTO_DISMISS_RULES.filter(rule => !VALIDATION_ONLY_RULES.has(rule.name))
+        : AUTO_DISMISS_RULES;
+    for (const finding of findings) {
+        let wasDismissed = false;
+        for (const rule of applicableRules) {
+            if (rule.check(finding)) {
+                dismissed.push({
+                    finding,
+                    rule: rule.name,
+                    reason: rule.reason,
+                });
+                wasDismissed = true;
+                break;
+            }
+        }
+        if (!wasDismissed) {
+            toValidate.push(finding);
+        }
+    }
+    return { toValidate, dismissed };
+}
+//# sourceMappingURL=auto-dismiss.js.map

package/dist/layer3/anthropic/auto-dismiss.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auto-dismiss.js","sourceRoot":"","sources":["../../../src/layer3/anthropic/auto-dismiss.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AA0KH,sDAoCC;AA1MD,iEAOoC;AACpC,uCAAgD;AAEhD,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,MAAM,kBAAkB,GAAsB;IAC5C,2EAA2E;IAC3E;QACE,IAAI,EAAE,WAAW;QACjB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,kCAAgB,EAAC,OAAO,CAAC,QAAQ,CAAC;QACtD,MAAM,EAAE,2BAA2B;KACpC;IAED,0CAA0C;IAC1C;QACE,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,+BAAa,EAAC,OAAO,CAAC,QAAQ,CAAC;QACnD,MAAM,EAAE,8BAA8B;KACvC;IAED,sBAAsB;IACtB;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;QACjE,MAAM,EAAE,+BAA+B;KACxC;IAED,oCAAoC;IACpC;QACE,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,wCAAsB,EAAC,OAAO,CAAC,QAAQ,CAAC;QAC5D,MAAM,EAAE,iCAAiC;KAC1C;IAED,0DAA0D;IAC1D;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,kBAAkB,IAAI,OAAO,CAAC,QAAQ,KAAK,qBAAqB,EAAE,CAAC;gBAC1F,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,IAAA,mCAAiB,EAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAC/C,CAAC;QACD,MAAM,EAAE,2CAA2C;KACpD;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,uBAAuB;QAC7B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,cAAc;gBAAE,OAAO,KAAK,CAAA;YACrD,OAAO,IAAA,kCAAgB,EAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;QACD,MAAM,EAAE,kDAAkD;KAC3D;IAED,+CAA+C;IAC/C;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,qBAAqB;gBAAE,OAAO,KAAK,CAAA;YAC5D,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAA;YAC5G,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,CAAA;YACnD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAA;YAC9E,OAAO,UAAU,IAAI,CAAC,CAAA;QACxB,CAAC;QACD,MAAM,EAAE,qCAAqC;KAC9C;IAED,yDAAyD;IACzD;QACE,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,8DAA8D;YAC9D,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,IAAA,2BAAS,EAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QACvC,CAAC;QACD,MAAM,EAAE,+BAA+B;KACxC;IAED,8CAA8C;IAC9C,kEAAkE;IAClE,oFAAoF;IACpF,0EAA0E;IAC1E;QACE,IAAI,EAAE,yBAAyB;QAC/B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM;gBAAE,OAAO,KAAK,CAAA;YAC7C,6DAA6D;YAC7D,2DAA2D;YAC3D,MAAM,IAAI,GAAG,IAAA,0BAAkB,EAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;YAChE,OAAO,IAAI,KAAK,MAAM,CAAA;QACxB,CAAC;QACD,MAAM,EAAE,wDAAwD;KACjE;IAED,+CAA+C;IAC/C;QACE,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,MAAM,eAAe,GAAG;gBACtB,+EAA+E;gBAC/E,iCAAiC;gBACjC,8BAA8B;gBAC9B,yDAAyD;aAC1D,CAAA;YACD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAA;QAC/D,CAAC;QACD,MAAM,EAAE,4CAA4C;KACrD;IAED,qEAAqE;IACrE;QACE,IAAI,EAAE,qBAAqB;QAC3B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAA;YAC9D,2DAA2D;YAC3D,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,OAAO,IAAI,CAAA;YACnD,MAAM,eAAe,GAAG,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,0CAA0C,CAAC,CAAA;YAC3G,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;QACtE,CAAC;QACD,MAAM,EAAE,oCAAoC;KAC7C;IAED,kEAAkE;IAClE;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE;YACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,YAAY;gBAAE,OAAO,KAAK,CAAA;YACnD,OAAO,6CAA6C,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAChF,CAAC;QACD,MAAM,EAAE,0CAA0C;KACnD;CACF,CAAA;AAED,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,yBAAyB,EAAG,4EAA4E;CACzG,CAAC,CAAA;AAEF;;;;;;;GAOG;AACH,SAAgB,qBAAqB,CACnC,QAAyB,EACzB,OAAiC,YAAY;IAK7C,MAAM,UAAU,GAAoB,EAAE,CAAA;IACtC,MAAM,SAAS,GAAoE,EAAE,CAAA;IAErF,6BAA6B;IAC7B,MAAM,eAAe,GAAG,IAAI,KAAK,SAAS;QACxC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1E,CAAC,CAAC,kBAAkB,CAAA;IAEtB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,YAAY,GAAG,KAAK,CAAA;QAExB,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,SAAS,CAAC,IAAI,CAAC;oBACb,OAAO;oBACP,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,MAAM,EAAE,IAAI,CAAC,MAAM;iBACpB,CAAC,CAAA;gBACF,YAAY,GAAG,IAAI,CAAA;gBACnB,MAAK;YACP,CAAC;QACH,CAAC;QAED,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAC1B,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAA;AAClC,CAAC"}

package/dist/layer3/anthropic/clients.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * AI Provider Client Factories
+ *
+ * Provides lazy-initialized clients for OpenAI and Anthropic APIs.
+ */
+import Anthropic from '@anthropic-ai/sdk';
+import OpenAI from 'openai';
+/**
+ * Initialize Anthropic client
+ */
+export declare function getAnthropicClient(): Anthropic;
+/**
+ * Initialize OpenAI client (singleton)
+ */
+export declare function getOpenAIClient(): OpenAI;
+/**
+ * GPT-5-mini pricing constants (per 1M tokens)
+ */
+export declare const GPT5_MINI_PRICING: {
+    input: number;
+    cached: number;
+    output: number;
+};
+/**
+ * Claude 3.5 Haiku pricing constants (per 1M tokens)
+ */
+export declare const HAIKU_PRICING: {
+    input: number;
+    cacheWrite: number;
+    cacheRead: number;
+    output: number;
+};
+/**
+ * Number of files to include in each API call (Phase 2 optimization)
+ * Batching multiple files reduces API overhead and leverages prompt caching better
+ */
+export declare const FILES_PER_API_BATCH = 8;
+/**
+ * Number of API batches to process in parallel (Phase 3 optimization)
+ * Higher values = faster scans but more API load
+ * OpenAI/GPT-5-mini handles this well
+ */
+export declare const PARALLEL_API_BATCHES = 6;
+//# sourceMappingURL=clients.d.ts.map

package/dist/layer3/anthropic/clients.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clients.d.ts","sourceRoot":"","sources":["../../../src/layer3/anthropic/clients.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,SAAS,MAAM,mBAAmB,CAAA;AACzC,OAAO,MAAM,MAAM,QAAQ,CAAA;AAM3B;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,SAAS,CAM9C;AASD;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CASxC;AAMD;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;CAI7B,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;CAKzB,CAAA;AAMD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,IAAI,CAAA;AAEpC;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,IAAI,CAAA"}

package/dist/layer3/anthropic/clients.js ADDED Viewed

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * AI Provider Client Factories
+ *
+ * Provides lazy-initialized clients for OpenAI and Anthropic APIs.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PARALLEL_API_BATCHES = exports.FILES_PER_API_BATCH = exports.HAIKU_PRICING = exports.GPT5_MINI_PRICING = void 0;
+exports.getAnthropicClient = getAnthropicClient;
+exports.getOpenAIClient = getOpenAIClient;
+const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
+const openai_1 = __importDefault(require("openai"));
+// ============================================================================
+// Anthropic Client
+// ============================================================================
+/**
+ * Initialize Anthropic client
+ */
+function getAnthropicClient() {
+    const apiKey = process.env.ANTHROPIC_API_KEY;
+    if (!apiKey) {
+        throw new Error('ANTHROPIC_API_KEY environment variable is not set');
+    }
+    return new sdk_1.default({ apiKey });
+}
+// ============================================================================
+// OpenAI Client
+// ============================================================================
+// Singleton instance for connection reuse
+let openaiClient = null;
+/**
+ * Initialize OpenAI client (singleton)
+ */
+function getOpenAIClient() {
+    if (!openaiClient) {
+        const apiKey = process.env.OPENAI_API_KEY;
+        if (!apiKey) {
+            throw new Error('OPENAI_API_KEY environment variable is not set');
+        }
+        openaiClient = new openai_1.default({ apiKey });
+    }
+    return openaiClient;
+}
+// ============================================================================
+// Pricing Constants
+// ============================================================================
+/**
+ * GPT-5-mini pricing constants (per 1M tokens)
+ */
+exports.GPT5_MINI_PRICING = {
+    input: 0.25, // $0.25 per 1M tokens
+    cached: 0.025, // $0.025 per 1M tokens (10% of input)
+    output: 2.00, // $2.00 per 1M tokens
+};
+/**
+ * Claude 3.5 Haiku pricing constants (per 1M tokens)
+ */
+exports.HAIKU_PRICING = {
+    input: 0.80, // $0.80 per 1M tokens
+    cacheWrite: 1.00, // $1.00 per 1M tokens (5m cache)
+    cacheRead: 0.08, // $0.08 per 1M tokens
+    output: 4.00, // $4.00 per 1M tokens
+};
+// ============================================================================
+// Batching Configuration
+// ============================================================================
+/**
+ * Number of files to include in each API call (Phase 2 optimization)
+ * Batching multiple files reduces API overhead and leverages prompt caching better
+ */
+exports.FILES_PER_API_BATCH = 8;
+/**
+ * Number of API batches to process in parallel (Phase 3 optimization)
+ * Higher values = faster scans but more API load
+ * OpenAI/GPT-5-mini handles this well
+ */
+exports.PARALLEL_API_BATCHES = 6;
+//# sourceMappingURL=clients.js.map

package/dist/layer3/anthropic/clients.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clients.js","sourceRoot":"","sources":["../../../src/layer3/anthropic/clients.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;AAYH,gDAMC;AAYD,0CASC;AArCD,4DAAyC;AACzC,oDAA2B;AAE3B,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,kBAAkB;IAChC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;IACtE,CAAC;IACD,OAAO,IAAI,aAAS,CAAC,EAAE,MAAM,EAAE,CAAC,CAAA;AAClC,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,0CAA0C;AAC1C,IAAI,YAAY,GAAkB,IAAI,CAAA;AAEtC;;GAEG;AACH,SAAgB,eAAe;IAC7B,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAA;QACzC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;QACnE,CAAC;QACD,YAAY,GAAG,IAAI,gBAAM,CAAC,EAAE,MAAM,EAAE,CAAC,CAAA;IACvC,CAAC;IACD,OAAO,YAAY,CAAA;AACrB,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACU,QAAA,iBAAiB,GAAG;IAC/B,KAAK,EAAE,IAAI,EAAO,sBAAsB;IACxC,MAAM,EAAE,KAAK,EAAK,sCAAsC;IACxD,MAAM,EAAE,IAAI,EAAM,sBAAsB;CACzC,CAAA;AAED;;GAEG;AACU,QAAA,aAAa,GAAG;IAC3B,KAAK,EAAE,IAAI,EAAQ,sBAAsB;IACzC,UAAU,EAAE,IAAI,EAAG,iCAAiC;IACpD,SAAS,EAAE,IAAI,EAAI,sBAAsB;IACzC,MAAM,EAAE,IAAI,EAAO,sBAAsB;CAC1C,CAAA;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;GAGG;AACU,QAAA,mBAAmB,GAAG,CAAC,CAAA;AAEpC;;;;GAIG;AACU,QAAA,oBAAoB,GAAG,CAAC,CAAA"}

package/dist/layer3/anthropic/index.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * Layer 3: AI Semantic Analysis
+ *
+ * Uses Claude to perform deep security analysis including:
+ * - Taint analysis (data flow from sources to sinks)
+ * - Business logic flaw detection
+ * - Missing authorization checks
+ * - Cryptography validation
+ * - Data exposure detection
+ * - Framework-specific deep analysis
+ *
+ * Also provides high-context validation for Layer 1/2 findings.
+ */
+import type { Vulnerability, ScanFile } from '../../types';
+import type { ProjectContext } from '../../utils/project-context-builder';
+import type { AIValidationResult, Layer3Context } from './types';
+export type { ValidationStats, AIValidationResult, Layer3Context } from './types';
+export { applyAutoDismissRules } from './auto-dismiss';
+/**
+ * Analyze a single file using AI for deep security analysis (Layer 3)
+ */
+export declare function analyzeWithAI(file: ScanFile, context?: Layer3Context): Promise<Vulnerability[]>;
+/**
+ * Batch analyze multiple files using AI (Layer 3)
+ * Processes files in batches to avoid rate limits
+ */
+export declare function batchAnalyzeWithAI(files: ScanFile[], context?: Layer3Context, maxConcurrent?: number): Promise<Vulnerability[]>;
+/**
+ * Validate Layer 1/2 findings using AI with HIGH-CONTEXT validation
+ *
+ * Key improvements over previous version:
+ * 1. Sends FULL FILE CONTENT (not just snippets) for better context
+ * 2. Includes PROJECT CONTEXT (auth patterns, data access, etc.)
+ * 3. Uses generalised rules from Section 3 of the security model
+ */
+export declare function validateFindingsWithAI(findings: Vulnerability[], files: ScanFile[], projectContext?: ProjectContext, onProgress?: (progress: {
+    filesProcessed: number;
+    totalFiles: number;
+    status: string;
+}) => void): Promise<AIValidationResult>;
+//# sourceMappingURL=index.d.ts.map

package/dist/layer3/anthropic/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/layer3/anthropic/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AAC1D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAA;AAEzE,OAAO,KAAK,EAAmB,kBAAkB,EAAE,aAAa,EAAa,MAAM,SAAS,CAAA;AAS5F,YAAY,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AACjF,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AAMtD;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,QAAQ,EACd,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,aAAa,EAAE,CAAC,CA+D1B;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,QAAQ,EAAE,EACjB,OAAO,CAAC,EAAE,aAAa,EACvB,aAAa,GAAE,MAAU,GACxB,OAAO,CAAC,aAAa,EAAE,CAAC,CAqB1B;AAMD;;;;;;;GAOG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,EACjB,cAAc,CAAC,EAAE,cAAc,EAC/B,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,KAAK,IAAI,GAC9F,OAAO,CAAC,kBAAkB,CAAC,CAiB7B"}

package/dist/layer3/anthropic/index.js ADDED Viewed

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * Layer 3: AI Semantic Analysis
+ *
+ * Uses Claude to perform deep security analysis including:
+ * - Taint analysis (data flow from sources to sinks)
+ * - Business logic flaw detection
+ * - Missing authorization checks
+ * - Cryptography validation
+ * - Data exposure detection
+ * - Framework-specific deep analysis
+ *
+ * Also provides high-context validation for Layer 1/2 findings.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyAutoDismissRules = void 0;
+exports.analyzeWithAI = analyzeWithAI;
+exports.batchAnalyzeWithAI = batchAnalyzeWithAI;
+exports.validateFindingsWithAI = validateFindingsWithAI;
+const types_1 = require("./types");
+const clients_1 = require("./clients");
+const response_parser_1 = require("./utils/response-parser");
+const semantic_analysis_1 = require("./prompts/semantic-analysis");
+const openai_1 = require("./providers/openai");
+const anthropic_1 = require("./providers/anthropic");
+var auto_dismiss_1 = require("./auto-dismiss");
+Object.defineProperty(exports, "applyAutoDismissRules", { enumerable: true, get: function () { return auto_dismiss_1.applyAutoDismissRules; } });
+// ============================================================================
+// Layer 3: Deep AI Analysis
+// ============================================================================
+/**
+ * Analyze a single file using AI for deep security analysis (Layer 3)
+ */
+async function analyzeWithAI(file, context) {
+    const client = (0, clients_1.getAnthropicClient)();
+    // Prepare the code with line numbers for reference
+    const numberedCode = file.content
+        .split('\n')
+        .map((line, i) => `${i + 1}: ${line}`)
+        .join('\n');
+    // Build auth context for the prompt
+    const authContext = (0, semantic_analysis_1.buildAuthContextForPrompt)(context);
+    const userMessage = `Analyze this ${file.language} file for security vulnerabilities:
+File: ${file.path}${authContext}
+\`\`\`${file.language}
+${numberedCode}
+\`\`\`
+Return ONLY a JSON array of findings.`;
+    try {
+        const response = await client.messages.create({
+            model: 'claude-3-5-haiku-20241022',
+            max_tokens: 4096,
+            system: semantic_analysis_1.SECURITY_ANALYSIS_PROMPT,
+            messages: [
+                {
+                    role: 'user',
+                    content: userMessage,
+                },
+            ],
+        });
+        // Extract text content from response
+        const textContent = response.content.find((block) => block.type === 'text');
+        if (!textContent || textContent.type !== 'text') {
+            console.error('No text content in AI response');
+            return [];
+        }
+        // Parse the JSON response
+        const findings = (0, response_parser_1.parseAIResponse)(textContent.text);
+        // Convert to Vulnerability format
+        return findings.map((finding, index) => ({
+            id: `ai-${file.path}-${finding.lineNumber}-${index}`,
+            filePath: file.path,
+            lineNumber: finding.lineNumber,
+            lineContent: (0, response_parser_1.getLineContent)(file.content, finding.lineNumber),
+            severity: finding.severity,
+            category: finding.category,
+            title: finding.title,
+            description: finding.description,
+            suggestedFix: finding.suggestedFix,
+            confidence: 'high',
+            layer: 3,
+        }));
+    }
+    catch (error) {
+        console.error('AI analysis error:', error);
+        return [];
+    }
+}
+/**
+ * Batch analyze multiple files using AI (Layer 3)
+ * Processes files in batches to avoid rate limits
+ */
+async function batchAnalyzeWithAI(files, context, maxConcurrent = 3) {
+    const vulnerabilities = [];
+    // Process files in batches to avoid rate limits
+    for (let i = 0; i < files.length; i += maxConcurrent) {
+        const batch = files.slice(i, i + maxConcurrent);
+        const results = await Promise.all(batch.map(file => analyzeWithAI(file, context).catch(err => {
+            console.error(`AI analysis failed for ${file.path}:`, err);
+            return [];
+        })));
+        vulnerabilities.push(...results.flat());
+        // Small delay between batches to avoid rate limits
+        if (i + maxConcurrent < files.length) {
+            await new Promise(resolve => setTimeout(resolve, 500));
+        }
+    }
+    return vulnerabilities;
+}
+// ============================================================================
+// Layer 2.5: High-Context Validation
+// ============================================================================
+/**
+ * Validate Layer 1/2 findings using AI with HIGH-CONTEXT validation
+ *
+ * Key improvements over previous version:
+ * 1. Sends FULL FILE CONTENT (not just snippets) for better context
+ * 2. Includes PROJECT CONTEXT (auth patterns, data access, etc.)
+ * 3. Uses generalised rules from Section 3 of the security model
+ */
+async function validateFindingsWithAI(findings, files, projectContext, onProgress) {
+    // Initialize stats tracking
+    const stats = (0, types_1.createInitialStats)(findings.length);
+    if (findings.length === 0) {
+        return { vulnerabilities: [], stats };
+    }
+    // Check for provider override (GPT-5-mini is default for 47% cost savings)
+    const aiProvider = process.env.AI_PROVIDER || 'openai';
+    if (aiProvider === 'anthropic') {
+        console.log('[AI Validation] Using Anthropic provider (Claude 3.5 Haiku)');
+        return (0, anthropic_1.validateWithAnthropic)(findings, files, projectContext, stats, onProgress);
+    }
+    else {
+        console.log('[AI Validation] Using OpenAI provider (GPT-5-mini)');
+        return (0, openai_1.validateWithOpenAI)(findings, files, projectContext, stats);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/layer3/anthropic/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/layer3/anthropic/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAwBH,sCAkEC;AAMD,gDAyBC;AAcD,wDAsBC;AAvJD,mCAA4C;AAC5C,uCAA8C;AAC9C,6DAA6G;AAC7G,mEAAiG;AACjG,+CAAuD;AACvD,qDAA6D;AAI7D,+CAAsD;AAA7C,qHAAA,qBAAqB,OAAA;AAE9B,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;GAEG;AACI,KAAK,UAAU,aAAa,CACjC,IAAc,EACd,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAA,4BAAkB,GAAE,CAAA;IAEnC,mDAAmD;IACnD,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO;SAC9B,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;SACrC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEb,oCAAoC;IACpC,MAAM,WAAW,GAAG,IAAA,6CAAyB,EAAC,OAAO,CAAC,CAAA;IAEtD,MAAM,WAAW,GAAG,gBAAgB,IAAI,CAAC,QAAQ;;QAE3C,IAAI,CAAC,IAAI,GAAG,WAAW;;QAEvB,IAAI,CAAC,QAAQ;EACnB,YAAY;;;sCAGwB,CAAA;IAEpC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC5C,KAAK,EAAE,2BAA2B;YAClC,UAAU,EAAE,IAAI;YAChB,MAAM,EAAE,4CAAwB;YAChC,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,WAAW;iBACrB;aACF;SACF,CAAC,CAAA;QAEF,qCAAqC;QACrC,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAuB,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC,CAAA;QAC7F,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAChD,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAA;YAC/C,OAAO,EAAE,CAAA;QACX,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,IAAA,iCAAe,EAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAElD,kCAAkC;QAClC,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;YACvC,EAAE,EAAE,MAAM,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,UAAU,IAAI,KAAK,EAAE;YACpD,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,WAAW,EAAE,IAAA,gCAAc,EAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC;YAC7D,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,UAAU,EAAE,MAAe;YAC3B,KAAK,EAAE,CAAU;SAClB,CAAC,CAAC,CAAA;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAA;QAC1C,OAAO,EAAE,CAAA;IACX,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,kBAAkB,CACtC,KAAiB,EACjB,OAAuB,EACvB,gBAAwB,CAAC;IAEzB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,gDAAgD;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,aAAa,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,CAAA;QAC/C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;YACzD,OAAO,CAAC,KAAK,CAAC,0BAA0B,IAAI,CAAC,IAAI,GAAG,EAAE,GAAG,CAAC,CAAA;YAC1D,OAAO,EAAE,CAAA;QACX,CAAC,CAAC,CAAC,CACJ,CAAA;QACD,eAAe,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAEvC,mDAAmD;QACnD,IAAI,CAAC,GAAG,aAAa,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YACrC,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAA;QACxD,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E;;;;;;;GAOG;AACI,KAAK,UAAU,sBAAsB,CAC1C,QAAyB,EACzB,KAAiB,EACjB,cAA+B,EAC/B,UAA+F;IAE/F,4BAA4B;IAC5B,MAAM,KAAK,GAAoB,IAAA,0BAAkB,EAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAElE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE,KAAK,EAAE,CAAA;IACvC,CAAC;IAED,2EAA2E;IAC3E,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,QAAQ,CAAA;IACtD,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAA;QAC1E,OAAO,IAAA,iCAAqB,EAAC,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,UAAU,CAAC,CAAA;IAClF,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAA;QACjE,OAAO,IAAA,2BAAkB,EAAC,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,CAAC,CAAA;IACnE,CAAC;AACH,CAAC"}

package/dist/layer3/anthropic/prompts/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * Prompts Index
+ *
+ * Re-exports all prompt templates and helpers.
+ */
+export { SECURITY_ANALYSIS_PROMPT, buildAuthContextForPrompt, } from './semantic-analysis';
+export { HIGH_CONTEXT_VALIDATION_PROMPT, } from './validation';
+//# sourceMappingURL=index.d.ts.map

package/dist/layer3/anthropic/prompts/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,wBAAwB,EACxB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EACL,8BAA8B,GAC/B,MAAM,cAAc,CAAA"}

package/dist/layer3/anthropic/prompts/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+/**
+ * Prompts Index
+ *
+ * Re-exports all prompt templates and helpers.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HIGH_CONTEXT_VALIDATION_PROMPT = exports.buildAuthContextForPrompt = exports.SECURITY_ANALYSIS_PROMPT = void 0;
+var semantic_analysis_1 = require("./semantic-analysis");
+Object.defineProperty(exports, "SECURITY_ANALYSIS_PROMPT", { enumerable: true, get: function () { return semantic_analysis_1.SECURITY_ANALYSIS_PROMPT; } });
+Object.defineProperty(exports, "buildAuthContextForPrompt", { enumerable: true, get: function () { return semantic_analysis_1.buildAuthContextForPrompt; } });
+var validation_1 = require("./validation");
+Object.defineProperty(exports, "HIGH_CONTEXT_VALIDATION_PROMPT", { enumerable: true, get: function () { return validation_1.HIGH_CONTEXT_VALIDATION_PROMPT; } });
+//# sourceMappingURL=index.js.map

package/dist/layer3/anthropic/prompts/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,yDAG4B;AAF1B,6HAAA,wBAAwB,OAAA;AACxB,8HAAA,yBAAyB,OAAA;AAG3B,2CAEqB;AADnB,4HAAA,8BAA8B,OAAA"}

package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Security Analysis Prompt (Layer 3)
+ *
+ * System prompt for deep semantic security analysis using AI.
+ */
+import type { Layer3Context } from '../types';
+/**
+ * System prompt for security analysis
+ */
+export declare const SECURITY_ANALYSIS_PROMPT = "You are an expert security code reviewer. Analyze the provided code for security vulnerabilities.\n\nFocus on these specific vulnerability types:\n\n1. **Taint Analysis (Data Flow)**\n   - Track user input from sources (req.query, req.params, req.body, searchParams, URL parameters)\n   - To dangerous sinks (eval, dangerouslySetInnerHTML, exec, SQL queries, file operations)\n   - Flag any path where untrusted data reaches a dangerous function without sanitization\n\n2. **SQL Injection**\n   - String concatenation in SQL queries\n   - Template literals with user input in queries\n   - Missing parameterized queries\n\n3. **XSS (Cross-Site Scripting)**\n   - User input rendered without escaping\n   - dangerouslySetInnerHTML with user data\n   - innerHTML assignments\n   - NOTE: React/Next.js JSX automatically escapes content, so {variable} in JSX is NOT XSS\n\n4. **Command Injection**\n   - exec, spawn, execSync with user input\n   - Shell command construction with variables\n\n5. **Missing Authorization**\n   - API routes that modify data without auth checks\n   - Database writes in GET handlers\n   - Missing permission checks before sensitive operations\n\n6. **Insecure Deserialization**\n   - JSON.parse on untrusted data without validation\n   - eval of serialized data\n\n7. **Cryptography Validation**\n   - Weak algorithms: MD5 (for security), SHA1 (for security), DES, RC4\n   - Insecure random: Math.random() for tokens/keys/secrets\n   - Hardcoded encryption keys or IVs (not from env vars)\n   - ECB mode usage (patterns indicate cipher mode)\n   - Low iteration counts for PBKDF2 (< 10000)\n   - Short key lengths (< 256 bits for symmetric)\n   - Missing salt for password hashing\n   - createCipher() instead of createCipheriv()\n\n8. **Data Exposure Detection**\n   - Logging sensitive data: console.log with passwords, tokens, secrets, API keys\n   - Stack traces exposed to clients: err.stack in response\n   - Returning entire user objects (may include password hash)\n   - Debug endpoints left in code: /debug, /test, /_internal routes\n   - Verbose error messages exposing internal details\n   - Sensitive data in error responses\n\n9. **Framework-Specific Security**\n\n   **Next.js:**\n   - Server actions ('use server') without authentication\n   - Client components ('use client') accessing non-NEXT_PUBLIC_ env vars\n   - Middleware that returns NextResponse.next() without auth checks\n   - getServerSideProps without session validation\n   - Exposed API routes without rate limiting\n\n   **React:**\n   - Sensitive data stored in useState (visible in devtools)\n   - dangerouslySetInnerHTML with props/state\n   - useEffect making authenticated API calls without token validation\n\n   **Express:**\n   - Missing helmet() middleware for security headers\n   - CORS with origin: \"*\" in production\n   - Missing body-parser limits (DoS risk)\n   - Trust proxy without verification\n   - Error handlers exposing stack traces\n\nIMPORTANT - DO NOT FLAG THESE AS VULNERABILITIES (common false positives):\n\n**Framework Patterns (Safe by Design):**\n- Next.js middleware using request.url for redirects (standard pattern)\n- React/Next.js JSX rendering variables like {user.name} (auto-escaped by React)\n- Supabase/Firebase client creation with NEXT_PUBLIC_ environment variables\n- Using headers().get('host') in Next.js server actions\n\n**Data Handling (Low Risk):**\n- JSON.parse on data from YOUR OWN database (the app wrote it, it's trusted). Do NOT report this as a vulnerability. At most, you may mention an info-level robustness note if there is no error handling, but generally you should omit it.\n- JSON.parse on localStorage data (same-origin, XSS is a separate issue). This is also not a security vulnerability. At most, you may suggest an info-level robustness improvement, and usually it is not worth mentioning.\n- Passing user's own data to external APIs (user embedding their own content).\n- Error messages that use error.message in catch blocks or are returned to the client as a generic error string are standard error handling. Treat them as LOW/INFO hardening at most, and DO NOT mark them as medium/high unless the message clearly includes credentials, secrets, or full stack traces.\n- Generic configuration or feature messages like \"OpenAI API key not configured\" or \"service disabled\" are operational information, not security vulnerabilities. Treat them as info at most, or ignore them.\n\n**Authentication Patterns (Context Matters):**\n- Internal server-side functions only called from trusted code paths (OAuth callbacks, etc.)\n- Functions with userId parameters called with session.user.id from authenticated contexts\n- Service role keys used in server-side code with proper auth checks elsewhere\n- API routes that call getCurrentUserId() and use the result (the auth check IS the userId call)\n\n**BYOK (Bring Your Own Key) Patterns:**\n- User-provided API keys in BYOK mode are INTENTIONAL - the user wants to use their own key\n- This is a feature, not a vulnerability - don't flag it unless there's actual abuse potential\n- When a BYOK key is only used TRANSIENTLY in memory for a single provider call (and is never logged or stored), and the route is authenticated, do NOT report this as a medium/high vulnerability. At most, you may surface a low/info note reminding the developer not to log or persist keys.\n- Frontend components sending a BYOK key to an authenticated backend endpoint for one-shot use are expected behavior, not a vulnerability. Do NOT flag these as data_exposure or dangerous_function unless the key is logged, stored, or echoed back to the client.\n- Only raise medium/high BYOK findings when keys are clearly stored (e.g., written to a database or long-term logs), logged in plaintext, or accepted by unauthenticated endpoints that attackers could abuse at scale.\n\n**What TO Flag (Real Vulnerabilities):**\n- SQL string concatenation with user input\n- eval() or Function() with user-controlled strings\n- Missing auth checks where sensitive data could be accessed by wrong user\n- Actual hardcoded secrets (real API keys, not env var references)\n- Command injection (exec/spawn with user input)\n\nRespond ONLY with a JSON array of findings. Each finding must have:\n{\n  \"lineNumber\": <number>,\n  \"severity\": \"critical\" | \"high\" | \"medium\" | \"low\",\n  \"category\": \"sql_injection\" | \"xss\" | \"command_injection\" | \"missing_auth\" | \"dangerous_function\",\n  \"title\": \"<short title>\",\n  \"description\": \"<detailed explanation of the vulnerability>\",\n  \"suggestedFix\": \"<how to fix it>\"\n}\n\nIf no vulnerabilities are found, return an empty array: []\n\nCRITICAL: Only report REAL vulnerabilities with HIGH confidence. Be conservative - it's better to miss a low-confidence issue than to report false positives. The code is likely using modern frameworks with built-in protections.";
+/**
+ * Build auth context string for AI prompt
+ */
+export declare function buildAuthContextForPrompt(ctx?: Layer3Context): string;
+//# sourceMappingURL=semantic-analysis.d.ts.map

package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"semantic-analysis.d.ts","sourceRoot":"","sources":["../../../../src/layer3/anthropic/prompts/semantic-analysis.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAM7C;;GAEG;AACH,eAAO,MAAM,wBAAwB,sxNAuH+L,CAAA;AAMpO;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,CAAC,EAAE,aAAa,GAAG,MAAM,CA6BrE"}