npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/dist/suppression/hash.js ADDED Viewed

@@ -0,0 +1,88 @@
+"use strict";
+/**
+ * Finding Hash Computation
+ * Creates stable, reproducible hashes for identifying specific findings
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizePathForHash = normalizePathForHash;
+exports.normalizeContentForHash = normalizeContentForHash;
+exports.computeFindingHash = computeFindingHash;
+exports.computeHashFromComponents = computeHashFromComponents;
+exports.isValidHash = isValidHash;
+exports.formatHashForDisplay = formatHashForDisplay;
+const crypto_1 = require("crypto");
+/**
+ * Normalize a file path for hashing
+ * - Removes leading ./ or /
+ * - Converts backslashes to forward slashes
+ * - Lowercases (for case-insensitive matching)
+ */
+function normalizePathForHash(filePath) {
+    return filePath
+        .replace(/^\.\//, '') // Remove leading ./
+        .replace(/^\//, '') // Remove leading /
+        .replace(/\\/g, '/') // Normalize backslashes
+        .toLowerCase();
+}
+/**
+ * Normalize line content for hashing
+ * - Trims whitespace
+ * - Collapses multiple whitespace to single space
+ * - Removes common noise (line numbers, etc.)
+ */
+function normalizeContentForHash(content) {
+    return content
+        .trim()
+        .replace(/\s+/g, ' ') // Collapse whitespace
+        .replace(/^\d+:\s*/, ''); // Remove line number prefix if present
+}
+/**
+ * Compute a stable hash for a vulnerability finding
+ *
+ * Hash = SHA256(normalizedPath:normalizedContent:category).slice(0,16)
+ *
+ * This creates a 16-character hex hash that:
+ * - Stays stable across whitespace changes
+ * - Changes when the actual code changes
+ * - Changes when the finding category changes
+ * - Is unique enough for practical use
+ *
+ * @param finding - The vulnerability to hash
+ * @returns A 16-character hex hash string
+ */
+function computeFindingHash(finding) {
+    const normalizedPath = normalizePathForHash(finding.filePath);
+    const normalizedContent = normalizeContentForHash(finding.lineContent);
+    const category = finding.category;
+    const input = `${normalizedPath}:${normalizedContent}:${category}`;
+    const hash = (0, crypto_1.createHash)('sha256').update(input).digest('hex');
+    // Return first 16 characters (64 bits of entropy - sufficient for uniqueness)
+    return hash.slice(0, 16);
+}
+/**
+ * Compute hash from raw components (for testing or manual construction)
+ */
+function computeHashFromComponents(filePath, lineContent, category) {
+    const normalizedPath = normalizePathForHash(filePath);
+    const normalizedContent = normalizeContentForHash(lineContent);
+    const input = `${normalizedPath}:${normalizedContent}:${category}`;
+    const hash = (0, crypto_1.createHash)('sha256').update(input).digest('hex');
+    return hash.slice(0, 16);
+}
+/**
+ * Validate a hash format
+ * Must be 16 hexadecimal characters
+ */
+function isValidHash(hash) {
+    return /^[0-9a-f]{16}$/i.test(hash);
+}
+/**
+ * Format a hash for display (with truncation indicator)
+ */
+function formatHashForDisplay(hash) {
+    if (hash.length <= 16) {
+        return hash;
+    }
+    return `${hash.slice(0, 12)}...`;
+}
+//# sourceMappingURL=hash.js.map

package/dist/suppression/hash.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/suppression/hash.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAWH,oDAMC;AAQD,0DAKC;AAgBD,gDAUC;AAKD,8DAYC;AAMD,kCAEC;AAKD,oDAKC;AAzFD,mCAAmC;AAGnC;;;;;GAKG;AACH,SAAgB,oBAAoB,CAAC,QAAgB;IACnD,OAAO,QAAQ;SACZ,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,oBAAoB;SACzC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,mBAAmB;SACtC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,wBAAwB;SAC5C,WAAW,EAAE,CAAA;AAClB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uBAAuB,CAAC,OAAe;IACrD,OAAO,OAAO;SACX,IAAI,EAAE;SACN,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,sBAAsB;SAC3C,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA,CAAC,uCAAuC;AACpE,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAgB,kBAAkB,CAAC,OAAsB;IACvD,MAAM,cAAc,GAAG,oBAAoB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC7D,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;IAEjC,MAAM,KAAK,GAAG,GAAG,cAAc,IAAI,iBAAiB,IAAI,QAAQ,EAAE,CAAA;IAClE,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAE7D,8EAA8E;IAC9E,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;AAC1B,CAAC;AAED;;GAEG;AACH,SAAgB,yBAAyB,CACvC,QAAgB,EAChB,WAAmB,EACnB,QAAgB;IAEhB,MAAM,cAAc,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAA;IACrD,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;IAE9D,MAAM,KAAK,GAAG,GAAG,cAAc,IAAI,iBAAiB,IAAI,QAAQ,EAAE,CAAA;IAClE,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAE7D,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;AAC1B,CAAC;AAED;;;GAGG;AACH,SAAgB,WAAW,CAAC,IAAY;IACtC,OAAO,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACrC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,IAAY;IAC/C,IAAI,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QACtB,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAA;AAClC,CAAC"}

package/dist/suppression/index.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Suppression System
+ * Allows users to suppress findings via config files and inline comments
+ */
+export { SuppressionManager, type SuppressionManagerOptions } from './manager';
+export type { SuppressionConfig, RuleSuppression, FindingSuppression, InlineSuppression, SuppressionMatch, SuppressedVulnerability, SuppressionResult, } from './types';
+export { SUPPRESSION_CONFIG_FILES, DEFAULT_SUPPRESSION_CONFIG } from './types';
+export { computeFindingHash, computeHashFromComponents, normalizePathForHash, normalizeContentForHash, isValidHash, formatHashForDisplay, } from './hash';
+export { loadSuppressionConfig, loadConfigFromPath, findConfigFile, writeSuppressionConfig, addFindingSuppression, removeFindingSuppression, addRuleSuppression, listSuppressions, isExpired, type ConfigLoadResult, } from './config-loader';
+export { parseInlineSuppressions, isLineSuppressed, extractSuppressionReasons, generateSuppressionComment, } from './inline-parser';
+//# sourceMappingURL=index.d.ts.map

package/dist/suppression/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/suppression/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,kBAAkB,EAAE,KAAK,yBAAyB,EAAE,MAAM,WAAW,CAAA;AAG9E,YAAY,EACV,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,uBAAuB,EACvB,iBAAiB,GAClB,MAAM,SAAS,CAAA;AAChB,OAAO,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,MAAM,SAAS,CAAA;AAG9E,OAAO,EACL,kBAAkB,EAClB,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,WAAW,EACX,oBAAoB,GACrB,MAAM,QAAQ,CAAA;AAGf,OAAO,EACL,qBAAqB,EACrB,kBAAkB,EAClB,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,gBAAgB,EAChB,SAAS,EACT,KAAK,gBAAgB,GACtB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,iBAAiB,CAAA"}

package/dist/suppression/index.js ADDED Viewed

@@ -0,0 +1,39 @@
+"use strict";
+/**
+ * Suppression System
+ * Allows users to suppress findings via config files and inline comments
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSuppressionComment = exports.extractSuppressionReasons = exports.isLineSuppressed = exports.parseInlineSuppressions = exports.isExpired = exports.listSuppressions = exports.addRuleSuppression = exports.removeFindingSuppression = exports.addFindingSuppression = exports.writeSuppressionConfig = exports.findConfigFile = exports.loadConfigFromPath = exports.loadSuppressionConfig = exports.formatHashForDisplay = exports.isValidHash = exports.normalizeContentForHash = exports.normalizePathForHash = exports.computeHashFromComponents = exports.computeFindingHash = exports.DEFAULT_SUPPRESSION_CONFIG = exports.SUPPRESSION_CONFIG_FILES = exports.SuppressionManager = void 0;
+// Main exports
+var manager_1 = require("./manager");
+Object.defineProperty(exports, "SuppressionManager", { enumerable: true, get: function () { return manager_1.SuppressionManager; } });
+var types_1 = require("./types");
+Object.defineProperty(exports, "SUPPRESSION_CONFIG_FILES", { enumerable: true, get: function () { return types_1.SUPPRESSION_CONFIG_FILES; } });
+Object.defineProperty(exports, "DEFAULT_SUPPRESSION_CONFIG", { enumerable: true, get: function () { return types_1.DEFAULT_SUPPRESSION_CONFIG; } });
+// Hash utilities
+var hash_1 = require("./hash");
+Object.defineProperty(exports, "computeFindingHash", { enumerable: true, get: function () { return hash_1.computeFindingHash; } });
+Object.defineProperty(exports, "computeHashFromComponents", { enumerable: true, get: function () { return hash_1.computeHashFromComponents; } });
+Object.defineProperty(exports, "normalizePathForHash", { enumerable: true, get: function () { return hash_1.normalizePathForHash; } });
+Object.defineProperty(exports, "normalizeContentForHash", { enumerable: true, get: function () { return hash_1.normalizeContentForHash; } });
+Object.defineProperty(exports, "isValidHash", { enumerable: true, get: function () { return hash_1.isValidHash; } });
+Object.defineProperty(exports, "formatHashForDisplay", { enumerable: true, get: function () { return hash_1.formatHashForDisplay; } });
+// Config utilities
+var config_loader_1 = require("./config-loader");
+Object.defineProperty(exports, "loadSuppressionConfig", { enumerable: true, get: function () { return config_loader_1.loadSuppressionConfig; } });
+Object.defineProperty(exports, "loadConfigFromPath", { enumerable: true, get: function () { return config_loader_1.loadConfigFromPath; } });
+Object.defineProperty(exports, "findConfigFile", { enumerable: true, get: function () { return config_loader_1.findConfigFile; } });
+Object.defineProperty(exports, "writeSuppressionConfig", { enumerable: true, get: function () { return config_loader_1.writeSuppressionConfig; } });
+Object.defineProperty(exports, "addFindingSuppression", { enumerable: true, get: function () { return config_loader_1.addFindingSuppression; } });
+Object.defineProperty(exports, "removeFindingSuppression", { enumerable: true, get: function () { return config_loader_1.removeFindingSuppression; } });
+Object.defineProperty(exports, "addRuleSuppression", { enumerable: true, get: function () { return config_loader_1.addRuleSuppression; } });
+Object.defineProperty(exports, "listSuppressions", { enumerable: true, get: function () { return config_loader_1.listSuppressions; } });
+Object.defineProperty(exports, "isExpired", { enumerable: true, get: function () { return config_loader_1.isExpired; } });
+// Inline comment utilities
+var inline_parser_1 = require("./inline-parser");
+Object.defineProperty(exports, "parseInlineSuppressions", { enumerable: true, get: function () { return inline_parser_1.parseInlineSuppressions; } });
+Object.defineProperty(exports, "isLineSuppressed", { enumerable: true, get: function () { return inline_parser_1.isLineSuppressed; } });
+Object.defineProperty(exports, "extractSuppressionReasons", { enumerable: true, get: function () { return inline_parser_1.extractSuppressionReasons; } });
+Object.defineProperty(exports, "generateSuppressionComment", { enumerable: true, get: function () { return inline_parser_1.generateSuppressionComment; } });
+//# sourceMappingURL=index.js.map

package/dist/suppression/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/suppression/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,eAAe;AACf,qCAA8E;AAArE,6GAAA,kBAAkB,OAAA;AAY3B,iCAA8E;AAArE,iHAAA,wBAAwB,OAAA;AAAE,mHAAA,0BAA0B,OAAA;AAE7D,iBAAiB;AACjB,+BAOe;AANb,0GAAA,kBAAkB,OAAA;AAClB,iHAAA,yBAAyB,OAAA;AACzB,4GAAA,oBAAoB,OAAA;AACpB,+GAAA,uBAAuB,OAAA;AACvB,mGAAA,WAAW,OAAA;AACX,4GAAA,oBAAoB,OAAA;AAGtB,mBAAmB;AACnB,iDAWwB;AAVtB,sHAAA,qBAAqB,OAAA;AACrB,mHAAA,kBAAkB,OAAA;AAClB,+GAAA,cAAc,OAAA;AACd,uHAAA,sBAAsB,OAAA;AACtB,sHAAA,qBAAqB,OAAA;AACrB,yHAAA,wBAAwB,OAAA;AACxB,mHAAA,kBAAkB,OAAA;AAClB,iHAAA,gBAAgB,OAAA;AAChB,0GAAA,SAAS,OAAA;AAIX,2BAA2B;AAC3B,iDAKwB;AAJtB,wHAAA,uBAAuB,OAAA;AACvB,iHAAA,gBAAgB,OAAA;AAChB,0HAAA,yBAAyB,OAAA;AACzB,2HAAA,0BAA0B,OAAA"}

package/dist/suppression/inline-parser.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Inline Suppression Comment Parser
+ * Parses oculum-ignore comments from source code
+ */
+import type { InlineSuppression } from './types';
+import type { VulnerabilityCategory } from '../types';
+/**
+ * Parse all inline suppressions from file content
+ *
+ * Returns a map of line numbers to their effective suppressions.
+ * A line can be suppressed by:
+ * 1. A same-line comment (oculum-ignore)
+ * 2. A next-line comment on the previous line (oculum-ignore-next-line)
+ * 3. Being within a block suppression (oculum-ignore-block ... oculum-ignore-block-end)
+ */
+export declare function parseInlineSuppressions(content: string): Map<number, InlineSuppression>;
+/**
+ * Check if a specific line is suppressed
+ */
+export declare function isLineSuppressed(suppressions: Map<number, InlineSuppression>, lineNumber: number, category?: VulnerabilityCategory): InlineSuppression | null;
+/**
+ * Extract all unique suppression reasons from a file
+ * Useful for auditing suppressed findings
+ */
+export declare function extractSuppressionReasons(content: string): Array<{
+    reason: string;
+    ruleId?: VulnerabilityCategory;
+    lineNumber: number;
+    type: InlineSuppression['type'];
+}>;
+/**
+ * Generate a suppression comment for a given line
+ */
+export declare function generateSuppressionComment(reason: string, options?: {
+    type?: 'next-line' | 'same-line';
+    ruleId?: VulnerabilityCategory;
+    commentStyle?: '//' | '#' | '--';
+}): string;
+//# sourceMappingURL=inline-parser.d.ts.map

package/dist/suppression/inline-parser.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"inline-parser.d.ts","sourceRoot":"","sources":["../../src/suppression/inline-parser.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAA;AAChD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AAkHrD;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CA+DvF;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EAC5C,UAAU,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,qBAAqB,GAC/B,iBAAiB,GAAG,IAAI,CAa1B;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,KAAK,CAAC;IAChE,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,qBAAqB,CAAA;IAC9B,UAAU,EAAE,MAAM,CAAA;IAClB,IAAI,EAAE,iBAAiB,CAAC,MAAM,CAAC,CAAA;CAChC,CAAC,CAyBD;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,MAAM,EACd,OAAO,GAAE;IACP,IAAI,CAAC,EAAE,WAAW,GAAG,WAAW,CAAA;IAChC,MAAM,CAAC,EAAE,qBAAqB,CAAA;IAC9B,YAAY,CAAC,EAAE,IAAI,GAAG,GAAG,GAAG,IAAI,CAAA;CAC5B,GACL,MAAM,CAUR"}

package/dist/suppression/inline-parser.js ADDED Viewed

@@ -0,0 +1,218 @@
+"use strict";
+/**
+ * Inline Suppression Comment Parser
+ * Parses oculum-ignore comments from source code
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseInlineSuppressions = parseInlineSuppressions;
+exports.isLineSuppressed = isLineSuppressed;
+exports.extractSuppressionReasons = extractSuppressionReasons;
+exports.generateSuppressionComment = generateSuppressionComment;
+/**
+ * Valid suppression comment patterns:
+ *
+ * Single-line suppressions:
+ *   // oculum-ignore-next-line: reason here
+ *   // oculum-ignore-next-line [rule-id]: reason here
+ *   code // oculum-ignore: reason here
+ *   code // oculum-ignore [rule-id]: reason here
+ *
+ * Block suppressions:
+ *   /* oculum-ignore-block: reason here * /
+ *   ... code ...
+ *   /* oculum-ignore-block-end * /
+ *
+ * Also supports:
+ *   # oculum-ignore-next-line: reason (Python, Ruby, YAML, etc.)
+ *   -- oculum-ignore-next-line: reason (SQL)
+ */
+// Regex patterns for parsing comments
+const PATTERNS = {
+    // // oculum-ignore-next-line: reason
+    // // oculum-ignore-next-line [rule-id]: reason
+    nextLine: /(?:\/\/|#|--)\s*oculum-ignore-next-line(?:\s*\[([^\]]+)\])?\s*:\s*(.+)/i,
+    // code // oculum-ignore: reason
+    // code // oculum-ignore [rule-id]: reason
+    sameLine: /(?:\/\/|#|--)\s*oculum-ignore(?:\s*\[([^\]]+)\])?\s*:\s*(.+)/i,
+    // /* oculum-ignore-block: reason */
+    // /* oculum-ignore-block [rule-id]: reason */
+    blockStart: /\/\*\s*oculum-ignore-block(?:\s*\[([^\]]+)\])?\s*:\s*([^*]+)\*\//i,
+    // /* oculum-ignore-block-end */
+    blockEnd: /\/\*\s*oculum-ignore-block-end\s*\*\//i,
+};
+/**
+ * Parse a single line for suppression comments
+ */
+function parseLineForSuppression(line, lineNumber) {
+    // Check for next-line suppression (must be the only thing on the line, aside from whitespace)
+    const trimmed = line.trim();
+    // Next-line pattern (comment at start of line)
+    if (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('--')) {
+        const nextLineMatch = trimmed.match(PATTERNS.nextLine);
+        if (nextLineMatch) {
+            return {
+                lineNumber,
+                type: 'next-line',
+                ruleId: nextLineMatch[1],
+                reason: nextLineMatch[2].trim(),
+                commentText: trimmed,
+            };
+        }
+    }
+    // Same-line pattern (comment at end of line with code before)
+    // Only check if there's actual code before the comment
+    const sameLineMatch = line.match(PATTERNS.sameLine);
+    if (sameLineMatch) {
+        // Find where the comment starts
+        const commentIndex = line.search(/(?:\/\/|#|--)\s*oculum-ignore/i);
+        const beforeComment = line.substring(0, commentIndex).trim();
+        // Only treat as same-line if there's code before the comment
+        // (not just whitespace or if it's at the start)
+        if (beforeComment.length > 0) {
+            return {
+                lineNumber,
+                type: 'same-line',
+                ruleId: sameLineMatch[1],
+                reason: sameLineMatch[2].trim(),
+                commentText: line.substring(commentIndex).trim(),
+            };
+        }
+    }
+    // Block start pattern
+    const blockStartMatch = line.match(PATTERNS.blockStart);
+    if (blockStartMatch) {
+        return {
+            lineNumber,
+            type: 'block-start',
+            ruleId: blockStartMatch[1],
+            reason: blockStartMatch[2].trim(),
+            commentText: blockStartMatch[0],
+        };
+    }
+    // Block end pattern
+    const blockEndMatch = line.match(PATTERNS.blockEnd);
+    if (blockEndMatch) {
+        return {
+            lineNumber,
+            type: 'block-end',
+            reason: '', // Block end has no reason
+            commentText: blockEndMatch[0],
+        };
+    }
+    return null;
+}
+/**
+ * Parse all inline suppressions from file content
+ *
+ * Returns a map of line numbers to their effective suppressions.
+ * A line can be suppressed by:
+ * 1. A same-line comment (oculum-ignore)
+ * 2. A next-line comment on the previous line (oculum-ignore-next-line)
+ * 3. Being within a block suppression (oculum-ignore-block ... oculum-ignore-block-end)
+ */
+function parseInlineSuppressions(content) {
+    const lines = content.split('\n');
+    const suppressions = new Map();
+    // Track block suppression state
+    let currentBlock = null;
+    for (let i = 0; i < lines.length; i++) {
+        const lineNumber = i + 1; // 1-indexed
+        const line = lines[i];
+        const suppression = parseLineForSuppression(line, lineNumber);
+        if (suppression) {
+            switch (suppression.type) {
+                case 'next-line':
+                    // Apply to the next line
+                    if (i + 1 < lines.length) {
+                        suppressions.set(lineNumber + 1, {
+                            ...suppression,
+                            lineNumber: lineNumber + 1,
+                        });
+                    }
+                    break;
+                case 'same-line':
+                    // Apply to this line
+                    suppressions.set(lineNumber, suppression);
+                    break;
+                case 'block-start':
+                    // Start tracking block suppression
+                    currentBlock = {
+                        startLine: lineNumber,
+                        reason: suppression.reason,
+                        ruleId: suppression.ruleId,
+                    };
+                    break;
+                case 'block-end':
+                    // End block suppression
+                    currentBlock = null;
+                    break;
+            }
+        }
+        // If we're in a block suppression, add suppression for this line
+        // (unless it's the block start/end line itself)
+        if (currentBlock && suppression?.type !== 'block-start' && suppression?.type !== 'block-end') {
+            // Don't override explicit same-line suppressions
+            if (!suppressions.has(lineNumber)) {
+                suppressions.set(lineNumber, {
+                    lineNumber,
+                    type: 'block-start', // Mark as from block
+                    reason: currentBlock.reason,
+                    ruleId: currentBlock.ruleId,
+                    commentText: `Block suppression from line ${currentBlock.startLine}`,
+                });
+            }
+        }
+    }
+    return suppressions;
+}
+/**
+ * Check if a specific line is suppressed
+ */
+function isLineSuppressed(suppressions, lineNumber, category) {
+    const suppression = suppressions.get(lineNumber);
+    if (!suppression) {
+        return null;
+    }
+    // If suppression specifies a rule and category doesn't match, not suppressed
+    if (suppression.ruleId && category && suppression.ruleId !== category) {
+        return null;
+    }
+    return suppression;
+}
+/**
+ * Extract all unique suppression reasons from a file
+ * Useful for auditing suppressed findings
+ */
+function extractSuppressionReasons(content) {
+    const suppressions = parseInlineSuppressions(content);
+    const seen = new Set();
+    const results = [];
+    for (const [lineNumber, suppression] of suppressions) {
+        // Only include unique comment sources (not duplicates from block propagation)
+        const key = `${suppression.commentText}`;
+        if (!seen.has(key) && suppression.type !== 'block-end') {
+            seen.add(key);
+            results.push({
+                reason: suppression.reason,
+                ruleId: suppression.ruleId,
+                lineNumber,
+                type: suppression.type,
+            });
+        }
+    }
+    return results;
+}
+/**
+ * Generate a suppression comment for a given line
+ */
+function generateSuppressionComment(reason, options = {}) {
+    const { type = 'next-line', ruleId, commentStyle = '//' } = options;
+    const ruleSpec = ruleId ? ` [${ruleId}]` : '';
+    if (type === 'next-line') {
+        return `${commentStyle} oculum-ignore-next-line${ruleSpec}: ${reason}`;
+    }
+    return `${commentStyle} oculum-ignore${ruleSpec}: ${reason}`;
+}
+//# sourceMappingURL=inline-parser.js.map

package/dist/suppression/inline-parser.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"inline-parser.js","sourceRoot":"","sources":["../../src/suppression/inline-parser.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA8HH,0DA+DC;AAKD,4CAiBC;AAMD,8DA8BC;AAKD,gEAiBC;AAxQD;;;;;;;;;;;;;;;;;GAiBG;AAEH,sCAAsC;AACtC,MAAM,QAAQ,GAAG;IACf,qCAAqC;IACrC,+CAA+C;IAC/C,QAAQ,EAAE,yEAAyE;IAEnF,gCAAgC;IAChC,0CAA0C;IAC1C,QAAQ,EAAE,+DAA+D;IAEzE,oCAAoC;IACpC,8CAA8C;IAC9C,UAAU,EAAE,mEAAmE;IAE/E,gCAAgC;IAChC,QAAQ,EAAE,wCAAwC;CACnD,CAAA;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,IAAY,EACZ,UAAkB;IAElB,8FAA8F;IAC9F,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAE3B,+CAA+C;IAC/C,IACE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EACxB,CAAC;QACD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACtD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO;gBACL,UAAU;gBACV,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,aAAa,CAAC,CAAC,CAAsC;gBAC7D,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;gBAC/B,WAAW,EAAE,OAAO;aACrB,CAAA;QACH,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,uDAAuD;IACvD,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IACnD,IAAI,aAAa,EAAE,CAAC;QAClB,gCAAgC;QAChC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,gCAAgC,CAAC,CAAA;QAClE,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,IAAI,EAAE,CAAA;QAE5D,6DAA6D;QAC7D,gDAAgD;QAChD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,OAAO;gBACL,UAAU;gBACV,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,aAAa,CAAC,CAAC,CAAsC;gBAC7D,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE;aACjD,CAAA;QACH,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;IACvD,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO;YACL,UAAU;YACV,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,eAAe,CAAC,CAAC,CAAsC;YAC/D,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;YACjC,WAAW,EAAE,eAAe,CAAC,CAAC,CAAC;SAChC,CAAA;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IACnD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO;YACL,UAAU;YACV,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,EAAE,EAAE,0BAA0B;YACtC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC;SAC9B,CAAA;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,uBAAuB,CAAC,OAAe;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAA6B,CAAA;IAEzD,gCAAgC;IAChC,IAAI,YAAY,GAAiF,IAAI,CAAA;IAErG,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAA,CAAC,YAAY;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,MAAM,WAAW,GAAG,uBAAuB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;QAE7D,IAAI,WAAW,EAAE,CAAC;YAChB,QAAQ,WAAW,CAAC,IAAI,EAAE,CAAC;gBACzB,KAAK,WAAW;oBACd,yBAAyB;oBACzB,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;wBACzB,YAAY,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,EAAE;4BAC/B,GAAG,WAAW;4BACd,UAAU,EAAE,UAAU,GAAG,CAAC;yBAC3B,CAAC,CAAA;oBACJ,CAAC;oBACD,MAAK;gBAEP,KAAK,WAAW;oBACd,qBAAqB;oBACrB,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA;oBACzC,MAAK;gBAEP,KAAK,aAAa;oBAChB,mCAAmC;oBACnC,YAAY,GAAG;wBACb,SAAS,EAAE,UAAU;wBACrB,MAAM,EAAE,WAAW,CAAC,MAAM;wBAC1B,MAAM,EAAE,WAAW,CAAC,MAAM;qBAC3B,CAAA;oBACD,MAAK;gBAEP,KAAK,WAAW;oBACd,wBAAwB;oBACxB,YAAY,GAAG,IAAI,CAAA;oBACnB,MAAK;YACT,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,gDAAgD;QAChD,IAAI,YAAY,IAAI,WAAW,EAAE,IAAI,KAAK,aAAa,IAAI,WAAW,EAAE,IAAI,KAAK,WAAW,EAAE,CAAC;YAC7F,iDAAiD;YACjD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;gBAClC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE;oBAC3B,UAAU;oBACV,IAAI,EAAE,aAAa,EAAE,qBAAqB;oBAC1C,MAAM,EAAE,YAAY,CAAC,MAAM;oBAC3B,MAAM,EAAE,YAAY,CAAC,MAAM;oBAC3B,WAAW,EAAE,+BAA+B,YAAY,CAAC,SAAS,EAAE;iBACrE,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,YAA4C,EAC5C,UAAkB,EAClB,QAAgC;IAEhC,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAEhD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,6EAA6E;IAC7E,IAAI,WAAW,CAAC,MAAM,IAAI,QAAQ,IAAI,WAAW,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACtE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,WAAW,CAAA;AACpB,CAAC;AAED;;;GAGG;AACH,SAAgB,yBAAyB,CAAC,OAAe;IAMvD,MAAM,YAAY,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;IACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAC9B,MAAM,OAAO,GAKR,EAAE,CAAA;IAEP,KAAK,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,IAAI,YAAY,EAAE,CAAC;QACrD,8EAA8E;QAC9E,MAAM,GAAG,GAAG,GAAG,WAAW,CAAC,WAAW,EAAE,CAAA;QACxC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACvD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YACb,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,UAAU;gBACV,IAAI,EAAE,WAAW,CAAC,IAAI;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,0BAA0B,CACxC,MAAc,EACd,UAII,EAAE;IAEN,MAAM,EAAE,IAAI,GAAG,WAAW,EAAE,MAAM,EAAE,YAAY,GAAG,IAAI,EAAE,GAAG,OAAO,CAAA;IAEnE,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;IAE7C,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;QACzB,OAAO,GAAG,YAAY,2BAA2B,QAAQ,KAAK,MAAM,EAAE,CAAA;IACxE,CAAC;IAED,OAAO,GAAG,YAAY,iBAAiB,QAAQ,KAAK,MAAM,EAAE,CAAA;AAC9D,CAAC"}

package/dist/suppression/manager.d.ts ADDED Viewed

@@ -0,0 +1,94 @@
+/**
+ * Suppression Manager
+ * Central class for managing all suppression logic
+ */
+import type { Vulnerability, ScanFile } from '../types';
+import type { SuppressionConfig, SuppressionMatch, SuppressionResult, RuleSuppression, FindingSuppression } from './types';
+/**
+ * Options for SuppressionManager
+ */
+export interface SuppressionManagerOptions {
+    /** Path to the project root (for finding config files) */
+    projectPath: string;
+    /** Optional pre-loaded config (skips file loading) */
+    config?: SuppressionConfig;
+    /** Whether to include expired suppressions (for auditing) */
+    includeExpired?: boolean;
+}
+/**
+ * SuppressionManager handles all suppression logic
+ *
+ * Priority order for suppressions:
+ * 1. Inline comment suppressions (highest priority)
+ * 2. Config file finding suppressions (by hash)
+ * 3. Config file rule suppressions (by category)
+ */
+export declare class SuppressionManager {
+    private config;
+    private configPath;
+    private configErrors;
+    private includeExpired;
+    private projectPath;
+    private inlineSuppressionCache;
+    constructor(options: SuppressionManagerOptions);
+    /**
+     * Get configuration errors (if any)
+     */
+    getConfigErrors(): string[];
+    /**
+     * Get the path to the config file (if found)
+     */
+    getConfigPath(): string | undefined;
+    /**
+     * Check if a file path should be ignored entirely
+     */
+    isPathIgnored(filePath: string): boolean;
+    /**
+     * Parse inline suppressions for a file
+     */
+    private getInlineSuppressions;
+    /**
+     * Check if a finding is suppressed
+     *
+     * Priority:
+     * 1. Inline comment (highest)
+     * 2. Config finding suppression (by hash)
+     * 3. Config rule suppression (by category)
+     */
+    isFindingSuppressed(finding: Vulnerability, fileContent?: string): SuppressionMatch;
+    /**
+     * Apply suppressions to a list of findings
+     */
+    applySuppressions(findings: Vulnerability[], files: ScanFile[]): SuppressionResult;
+    /**
+     * Get all suppressions from config
+     */
+    getAllSuppressions(): {
+        rules: RuleSuppression[];
+        findings: FindingSuppression[];
+    };
+    /**
+     * Get ignore patterns from config
+     */
+    getIgnorePatterns(): string[];
+    /**
+     * Check if suppression system is active (has any suppressions)
+     */
+    hasSuppressions(): boolean;
+    /**
+     * Get summary of suppression configuration
+     */
+    getSummary(): {
+        configPath: string | undefined;
+        ruleCount: number;
+        findingCount: number;
+        ignorePatternCount: number;
+        hasErrors: boolean;
+    };
+    /**
+     * Clear the inline suppression cache
+     * (useful if files have been modified)
+     */
+    clearCache(): void;
+}
+//# sourceMappingURL=manager.d.ts.map

package/dist/suppression/manager.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/suppression/manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA;AACvD,OAAO,KAAK,EACV,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EAGjB,eAAe,EACf,kBAAkB,EACnB,MAAM,SAAS,CAAA;AAKhB;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,0DAA0D;IAC1D,WAAW,EAAE,MAAM,CAAA;IACnB,sDAAsD;IACtD,MAAM,CAAC,EAAE,iBAAiB,CAAA;IAC1B,6DAA6D;IAC7D,cAAc,CAAC,EAAE,OAAO,CAAA;CACzB;AAED;;;;;;;GAOG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,UAAU,CAAoB;IACtC,OAAO,CAAC,YAAY,CAAU;IAC9B,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,WAAW,CAAQ;IAG3B,OAAO,CAAC,sBAAsB,CAAyD;gBAE3E,OAAO,EAAE,yBAAyB;IAgB9C;;OAEG;IACH,eAAe,IAAI,MAAM,EAAE;IAI3B;;OAEG;IACH,aAAa,IAAI,MAAM,GAAG,SAAS;IAInC;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAYxC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAgB7B;;;;;;;OAOG;IACH,mBAAmB,CACjB,OAAO,EAAE,aAAa,EACtB,WAAW,CAAC,EAAE,MAAM,GACnB,gBAAgB;IAmHnB;;OAEG;IACH,iBAAiB,CACf,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,GAChB,iBAAiB;IA2EpB;;OAEG;IACH,kBAAkB,IAAI;QACpB,KAAK,EAAE,eAAe,EAAE,CAAA;QACxB,QAAQ,EAAE,kBAAkB,EAAE,CAAA;KAC/B;IAOD;;OAEG;IACH,iBAAiB,IAAI,MAAM,EAAE;IAI7B;;OAEG;IACH,eAAe,IAAI,OAAO;IAQ1B;;OAEG;IACH,UAAU,IAAI;QACZ,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;QAC9B,SAAS,EAAE,MAAM,CAAA;QACjB,YAAY,EAAE,MAAM,CAAA;QACpB,kBAAkB,EAAE,MAAM,CAAA;QAC1B,SAAS,EAAE,OAAO,CAAA;KACnB;IAUD;;;OAGG;IACH,UAAU,IAAI,IAAI;CAGnB"}