npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/baseline/types.ts ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * Baseline Types
+ * Types for baseline/diff mode functionality
+ */
+import type { VulnerabilityCategory, VulnerabilitySeverity, SeverityCounts, ScanDepth } from '../types'
+/**
+ * A finding stored in the baseline
+ * Contains enough information to identify and display the finding
+ */
+export interface BaselineFinding {
+  /** Finding hash (from computeFindingHash) */
+  hash: string
+  /** File path relative to project root */
+  filePath: string
+  /** Line number in the file */
+  lineNumber: number
+  /** Vulnerability category */
+  category: VulnerabilityCategory
+  /** Severity level */
+  severity: VulnerabilitySeverity
+  /** Finding title */
+  title: string
+}
+/**
+ * Baseline data stored in .oculum/baseline.json
+ */
+export interface BaselineData {
+  /** Schema version for forward compatibility */
+  version: 1
+  /** ISO 8601 timestamp when baseline was created */
+  createdAt: string
+  /** Git commit SHA when baseline was created (optional) */
+  commit?: string
+  /** Git branch name when baseline was created (optional) */
+  branch?: string
+  /** Scan depth used when creating baseline */
+  scanDepth?: ScanDepth
+  /** List of findings in the baseline */
+  findings: BaselineFinding[]
+  /** Summary statistics */
+  stats: {
+    total: number
+    critical: number
+    high: number
+    medium: number
+    low: number
+    info: number
+  }
+}
+/**
+ * Result of comparing current findings against baseline
+ */
+export interface DiffResult {
+  /** Findings in current scan but NOT in baseline (new issues) */
+  new: import('../types').Vulnerability[]
+  /** Findings in baseline but NOT in current scan (fixed issues) */
+  fixed: BaselineFinding[]
+  /** Findings in both current scan AND baseline (existing issues) */
+  existing: import('../types').Vulnerability[]
+  /** Summary statistics */
+  stats: {
+    newCount: number
+    fixedCount: number
+    existingCount: number
+    newBySeverity: SeverityCounts
+    fixedBySeverity: SeverityCounts
+  }
+}
+/**
+ * Baseline diff metadata attached to ScanResult
+ * Only present when --new flag is used
+ */
+export interface BaselineDiff {
+  /** When the baseline was created */
+  baselineCreatedAt: string
+  /** Git commit of the baseline (if available) */
+  baselineCommit?: string
+  /** Number of new findings (not in baseline) */
+  newCount: number
+  /** Number of fixed findings (in baseline, not in current) */
+  fixedCount: number
+  /** Number of existing findings (in both) */
+  existingCount: number
+  /** Details of fixed findings for display */
+  fixedFindings: BaselineFinding[]
+}
+/** Default baseline file path relative to project root */
+export const BASELINE_FILE_PATH = '.oculum/baseline.json'
+/** Directory for oculum files */
+export const OCULUM_DIR = '.oculum'

package/src/formatters/cli-terminal.ts CHANGED Viewed

@@ -5,6 +5,7 @@
 import type { ScanResult, Vulnerability, VulnerabilitySeverity } from '../types'
 import { groupByTheme, getBlockingIssues, GroupedFindings, THEME_CONFIG } from './grouping'
+import { computeFindingHash } from '../suppression/hash'
 /**
  * ANSI color codes
@@ -57,28 +58,101 @@ function severityBadge(severity: VulnerabilitySeverity): string {
   return c(style.color, `${style.symbol} ${style.label}`)
 }
+/**
+ * Format options for single finding
+ */
+interface FormatFindingOptions {
+  indent?: string
+  compact?: boolean
+  verbose?: boolean
+}
 /**
  * Format a single finding for terminal
+ * Default: Actionable output with impact, code, and fix steps
+ * Compact: Severity + title + location only
+ * Verbose: All of the above plus references and validation notes
  */
-function formatFinding(finding: Vulnerability, indent: string = '  '): string {
+function formatFinding(finding: Vulnerability, options: FormatFindingOptions = {}): string {
+  const { indent = '  ', compact = false, verbose = false } = options
   const badge = severityBadge(finding.severity)
   const location = c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
+  const hash = computeFindingHash(finding)
+  // Compact mode: just severity, title, and location
+  if (compact) {
+    return `${indent}${badge} ${c(colors.bold, finding.title)}  ${location}\n`
+  }
+  // Default actionable output
   let output = `${indent}${badge} ${c(colors.bold, finding.title)}\n`
   output += `${indent}   ${location}\n`
-  output += `${indent}   ${c(colors.dim, finding.description)}\n`
+  output += '\n'
+  // Impact (why this matters) - shown by default
+  if (finding.impact) {
+    output += `${indent}   ${c(colors.yellow + colors.bold, 'Impact:')} ${finding.impact}\n`
+    output += '\n'
+  }
+  // Code snippet
+  if (finding.lineContent && finding.lineContent.trim()) {
+    output += `${indent}   ${c(colors.dim, 'Code:')} ${c(colors.white, finding.lineContent.trim().substring(0, 80))}${finding.lineContent.trim().length > 80 ? '...' : ''}\n`
+    output += '\n'
+  }
-  if (finding.suggestedFix) {
+  // Fix steps - shown by default (numbered list)
+  if (finding.fixSteps && finding.fixSteps.length > 0) {
+    output += `${indent}   ${c(colors.green + colors.bold, 'Fix:')}\n`
+    finding.fixSteps.forEach((step, i) => {
+      output += `${indent}   ${c(colors.green, `${i + 1}. ${step}`)}\n`
+    })
+    output += '\n'
+  } else if (finding.suggestedFix) {
+    // Fallback to legacy suggestedFix field
     output += `${indent}   ${c(colors.green, '💡 ' + finding.suggestedFix)}\n`
+    output += '\n'
   }
+  // Verbose mode: show additional details
+  if (verbose) {
+    // Description
+    output += `${indent}   ${c(colors.dim, finding.description)}\n`
+    // References (OWASP/CWE links)
+    if (finding.references && finding.references.length > 0) {
+      output += `${indent}   ${c(colors.blue, 'References:')}\n`
+      finding.references.forEach(ref => {
+        output += `${indent}   ${c(colors.blue, `  • ${ref}`)}\n`
+      })
+    }
+    // Validation notes (if AI validated)
+    if (finding.validationNotes) {
+      output += `${indent}   ${c(colors.dim, `[AI] ${finding.validationNotes}`)}\n`
+    }
+    // AI enhanced indicator
+    if (finding.aiEnhanced) {
+      output += `${indent}   ${c(colors.magenta, '✨ AI-enhanced fix suggestion')}\n`
+    }
+  }
+  // Suppress command - always shown
+  output += `${indent}   ${c(colors.dim, `Suppress: oculum ignore ${hash} --file "${finding.filePath}:${finding.lineNumber}" --reason "..."`)}\n`
   return output
 }
 /**
  * Format a group of findings
  */
-function formatGroup(group: GroupedFindings, maxFindings: number = 10): string {
+function formatGroup(group: GroupedFindings, options: {
+  maxFindings?: number
+  compact?: boolean
+  verbose?: boolean
+} = {}): string {
+  const { maxFindings = 10, compact = false, verbose = false } = options
   const { theme, themeName, findings, severityCounts } = group
   const config = THEME_CONFIG[theme]
@@ -96,7 +170,7 @@ function formatGroup(group: GroupedFindings, maxFindings: number = 10): string {
   // Show findings
   const shown = findings.slice(0, maxFindings)
   for (const finding of shown) {
-    output += formatFinding(finding) + '\n'
+    output += formatFinding(finding, { compact, verbose }) + '\n'
   }
   // Truncation notice
@@ -107,6 +181,32 @@ function formatGroup(group: GroupedFindings, maxFindings: number = 10): string {
   return output
 }
+/**
+ * Format baseline diff summary
+ */
+function formatDiffSummary(baselineDiff: NonNullable<ScanResult['baselineDiff']>): string {
+  let output = ''
+  output += c(colors.bold, 'Baseline Comparison') + '\n'
+  output += c(colors.dim, '─'.repeat(40)) + '\n'
+  output += `  🆕 ${c(colors.yellow, `${baselineDiff.newCount} new`)} findings\n`
+  output += `  ✅ ${c(colors.green, `${baselineDiff.fixedCount} fixed`)} since baseline\n`
+  output += `  📋 ${c(colors.dim, `${baselineDiff.existingCount} existing`)} (in baseline)\n`
+  output += '\n'
+  // Format baseline date
+  const baselineDate = new Date(baselineDiff.baselineCreatedAt)
+  const dateStr = baselineDate.toLocaleDateString('en-US', {
+    year: 'numeric',
+    month: 'short',
+    day: 'numeric',
+  })
+  const commitStr = baselineDiff.baselineCommit ? ` (${baselineDiff.baselineCommit})` : ''
+  output += c(colors.dim, `Baseline from ${dateStr}${commitStr}`) + '\n\n'
+  return output
+}
 /**
  * Format full scan result for terminal
  */
@@ -114,13 +214,17 @@ export function formatTerminalOutput(result: ScanResult, options: {
   maxFindingsPerGroup?: number
   showAllFindings?: boolean
   noColor?: boolean
+  compact?: boolean
+  verbose?: boolean
 } = {}): string {
   const {
     maxFindingsPerGroup = 10,
     showAllFindings = false,
+    compact = false,
+    verbose = false,
   } = options
-  const { vulnerabilities, severityCounts, hasBlockingIssues, filesScanned, scanDuration } = result
+  const { vulnerabilities, severityCounts, hasBlockingIssues, filesScanned, scanDuration, baselineDiff } = result
   let output = '\n'
@@ -129,6 +233,11 @@ export function formatTerminalOutput(result: ScanResult, options: {
   output += c(colors.bold, '  OCULUM SECURITY SCAN RESULTS') + '\n'
   output += c(colors.bold, '═'.repeat(60)) + '\n\n'
+  // Baseline diff summary (if present)
+  if (baselineDiff) {
+    output += formatDiffSummary(baselineDiff)
+  }
   // Status
   if (hasBlockingIssues) {
     const blocking = severityCounts.critical + severityCounts.high
@@ -157,7 +266,7 @@ export function formatTerminalOutput(result: ScanResult, options: {
     output += c(colors.red, 'These must be fixed before merging:') + '\n\n'
     for (const finding of blockingIssues.slice(0, 10)) {
-      output += formatFinding(finding)
+      output += formatFinding(finding, { compact, verbose })
       output += '\n'
     }
@@ -182,7 +291,47 @@ export function formatTerminalOutput(result: ScanResult, options: {
       if (nonBlocking.length === 0 && blockingIssues.length > 0) continue
     }
-    output += formatGroup(group, maxFindingsPerGroup)
+    output += formatGroup(group, { maxFindings: maxFindingsPerGroup, compact, verbose })
+  }
+  // Suppressed findings section (if any)
+  if (result.suppressedVulnerabilities && result.suppressedVulnerabilities.length > 0) {
+    output += '\n' + c(colors.dim, '─'.repeat(60)) + '\n'
+    output += c(colors.dim + colors.bold, 'SUPPRESSED FINDINGS') + '\n'
+    output += c(colors.dim, `${result.suppressedVulnerabilities.length} findings suppressed`) + '\n\n'
+    for (const suppressed of result.suppressedVulnerabilities.slice(0, 5)) {
+      const typeLabel = suppressed.suppressionType === 'inline' ? 'inline'
+        : suppressed.suppressionType === 'config-finding' ? 'config'
+        : 'rule'
+      output += c(colors.dim, `  ${suppressed.hash.slice(0, 8)} ${suppressed.filePath}:${suppressed.lineNumber}`) + '\n'
+      output += c(colors.dim, `    ${suppressed.title}`) + '\n'
+      output += c(colors.dim, `    [${typeLabel}] ${suppressed.suppressionReason}`) + '\n'
+      if (suppressed.expires) {
+        output += c(colors.dim, `    Expires: ${suppressed.expires}`) + '\n'
+      }
+      output += '\n'
+    }
+    if (result.suppressedVulnerabilities.length > 5) {
+      output += c(colors.dim, `  ... and ${result.suppressedVulnerabilities.length - 5} more suppressed\n`)
+    }
+  }
+  // Suppression stats (if any)
+  if (result.suppressionStats && (result.suppressionStats.inlineSuppressed > 0 ||
+      result.suppressionStats.configFindingSuppressed > 0 ||
+      result.suppressionStats.configRuleSuppressed > 0)) {
+    const stats = result.suppressionStats
+    const parts: string[] = []
+    if (stats.inlineSuppressed > 0) parts.push(`${stats.inlineSuppressed} inline`)
+    if (stats.configFindingSuppressed > 0) parts.push(`${stats.configFindingSuppressed} config`)
+    if (stats.configRuleSuppressed > 0) parts.push(`${stats.configRuleSuppressed} rule`)
+    if (stats.expired > 0) parts.push(`${stats.expired} expired`)
+    if (!result.suppressedVulnerabilities) {
+      output += '\n' + c(colors.dim, `Suppressed: ${parts.join(', ')}`) + '\n'
+    }
   }
   // Footer
@@ -192,6 +341,222 @@ export function formatTerminalOutput(result: ScanResult, options: {
   return output
 }
+/**
+ * Compact summary options
+ */
+export interface CompactSummaryOptions {
+  /** Number findings for reference with show command */
+  showNumbers?: boolean
+  /** Limit shown per severity (default: 5) */
+  maxPerSeverity?: number
+  /** Show "Run oculum show..." hint */
+  showHint?: boolean
+  /** Disable colors */
+  noColor?: boolean
+}
+/**
+ * Format compact summary grouped by severity
+ * Output format:
+ *   HIGH (2)
+ *      1. SQL injection in src/api/users.ts:42
+ *      2. Missing auth in src/api/admin.ts:15
+ */
+export function formatCompactSummary(
+  vulnerabilities: Vulnerability[],
+  options: CompactSummaryOptions = {}
+): string {
+  const {
+    showNumbers = true,
+    maxPerSeverity = 5,
+    showHint = true,
+    noColor = false,
+  } = options
+  if (vulnerabilities.length === 0) {
+    return noColor
+      ? 'No security issues found.'
+      : c(colors.green, '✓ No security issues found.')
+  }
+  // Group by severity
+  const bySeverity: Record<VulnerabilitySeverity, Vulnerability[]> = {
+    critical: [],
+    high: [],
+    medium: [],
+    low: [],
+    info: [],
+  }
+  for (const v of vulnerabilities) {
+    bySeverity[v.severity].push(v)
+  }
+  // Build output
+  let output = ''
+  let globalIndex = 1
+  const severityOrder: VulnerabilitySeverity[] = ['critical', 'high', 'medium', 'low', 'info']
+  const severityColors: Record<VulnerabilitySeverity, string> = {
+    critical: colors.bgRed + colors.white,
+    high: colors.red,
+    medium: colors.yellow,
+    low: colors.blue,
+    info: colors.gray,
+  }
+  for (const severity of severityOrder) {
+    const findings = bySeverity[severity]
+    if (findings.length === 0) continue
+    // Severity header
+    const label = severity.toUpperCase()
+    const header = noColor
+      ? `${label} (${findings.length})`
+      : c(severityColors[severity] + colors.bold, `${label} (${findings.length})`)
+    output += `\n  ${header}\n`
+    // Show findings
+    const shown = findings.slice(0, maxPerSeverity)
+    for (const finding of shown) {
+      const num = showNumbers ? `${globalIndex}. ` : ''
+      const location = noColor
+        ? `${finding.filePath}:${finding.lineNumber}`
+        : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
+      output += noColor
+        ? `     ${num}${finding.title} in ${location}\n`
+        : `     ${c(colors.dim, num)}${finding.title} ${c(colors.dim, 'in')} ${location}\n`
+      globalIndex++
+    }
+    // Show truncation notice
+    if (findings.length > maxPerSeverity) {
+      const more = findings.length - maxPerSeverity
+      const truncated = noColor
+        ? `     ... and ${more} more\n`
+        : c(colors.dim, `     ... and ${more} more\n`)
+      output += truncated
+      globalIndex += more // Increment for hidden findings
+    }
+  }
+  // Hint at bottom
+  if (showHint && vulnerabilities.length > 0) {
+    output += '\n'
+    output += noColor
+      ? "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n"
+      : c(colors.dim, "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n")
+  }
+  return output
+}
+/**
+ * Format a numbered finding list for the show command
+ * Returns findings with their numbers for reference
+ */
+export function getNumberedFindings(vulnerabilities: Vulnerability[]): Array<{ number: number; finding: Vulnerability }> {
+  return vulnerabilities.map((finding, index) => ({
+    number: index + 1,
+    finding,
+  }))
+}
+/**
+ * Format a single finding detail view for the show command
+ */
+export function formatFindingDetail(
+  finding: Vulnerability,
+  number: number,
+  options: { verbose?: boolean; noColor?: boolean } = {}
+): string {
+  const { verbose = false, noColor = false } = options
+  let output = ''
+  // Header
+  const badge = noColor
+    ? `[${finding.severity.toUpperCase()}]`
+    : severityBadge(finding.severity)
+  const title = noColor ? finding.title : c(colors.bold, finding.title)
+  output += `\n#${number} ${badge} ${title}\n`
+  // Location
+  const location = noColor
+    ? finding.filePath + ':' + finding.lineNumber
+    : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
+  output += `   ${location}\n`
+  output += '\n'
+  // Impact
+  if (finding.impact) {
+    const impactLabel = noColor ? 'Impact:' : c(colors.yellow + colors.bold, 'Impact:')
+    output += `   ${impactLabel} ${finding.impact}\n`
+    output += '\n'
+  }
+  // Code snippet
+  if (finding.lineContent && finding.lineContent.trim()) {
+    const codeLabel = noColor ? 'Code:' : c(colors.dim, 'Code:')
+    const code = finding.lineContent.trim().substring(0, 100)
+    const codeText = noColor ? code : c(colors.white, code)
+    output += `   ${codeLabel} ${codeText}${finding.lineContent.trim().length > 100 ? '...' : ''}\n`
+    output += '\n'
+  }
+  // Description
+  output += noColor
+    ? `   ${finding.description}\n`
+    : `   ${c(colors.dim, finding.description)}\n`
+  output += '\n'
+  // Fix steps
+  if (finding.fixSteps && finding.fixSteps.length > 0) {
+    const fixLabel = noColor ? 'How to fix:' : c(colors.green + colors.bold, 'How to fix:')
+    output += `   ${fixLabel}\n`
+    finding.fixSteps.forEach((step, i) => {
+      const stepText = noColor ? `${i + 1}. ${step}` : c(colors.green, `${i + 1}. ${step}`)
+      output += `   ${stepText}\n`
+    })
+    output += '\n'
+  } else if (finding.suggestedFix) {
+    const fixLabel = noColor ? 'Suggested fix:' : c(colors.green + colors.bold, 'Suggested fix:')
+    output += `   ${fixLabel} ${finding.suggestedFix}\n`
+    output += '\n'
+  }
+  // Verbose mode: additional details
+  if (verbose) {
+    // References
+    if (finding.references && finding.references.length > 0) {
+      const refLabel = noColor ? 'References:' : c(colors.blue, 'References:')
+      output += `   ${refLabel}\n`
+      finding.references.forEach(ref => {
+        output += noColor
+          ? `   - ${ref}\n`
+          : `   ${c(colors.blue, `- ${ref}`)}\n`
+      })
+      output += '\n'
+    }
+    // Validation notes
+    if (finding.validationNotes) {
+      const notesLabel = noColor ? '[AI]' : c(colors.magenta, '[AI]')
+      output += `   ${notesLabel} ${finding.validationNotes}\n`
+      output += '\n'
+    }
+    // Category and confidence
+    output += noColor
+      ? `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`
+      : c(colors.dim, `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`)
+  }
+  return output
+}
 /**
  * Format as simple list (no grouping, no colors)
  */
@@ -317,6 +682,76 @@ const RULE_METADATA: Record<string, { name: string; description: string; helpUri
  * For integration with GitHub Code Scanning
  */
 export function formatSARIF(result: ScanResult): object {
+  // Build results from active vulnerabilities
+  const activeResults = result.vulnerabilities.map((v, index) => ({
+    ruleId: v.category,
+    ruleIndex: getRuleIndex(result.vulnerabilities, v.category),
+    level: mapSeverityToSARIF(v.severity),
+    message: {
+      text: v.description,
+    },
+    locations: [{
+      physicalLocation: {
+        artifactLocation: {
+          uri: v.filePath,
+          uriBaseId: '%SRCROOT%',
+        },
+        region: {
+          startLine: v.lineNumber,
+          startColumn: 1,
+          snippet: v.lineContent ? { text: v.lineContent } : undefined,
+        },
+      },
+    }],
+    fingerprints: {
+      'oculum/v1': `${v.category}:${v.filePath}:${v.lineNumber}`,
+    },
+    fixes: v.suggestedFix ? [{
+      description: {
+        text: v.suggestedFix,
+      },
+    }] : undefined,
+    properties: {
+      confidence: v.confidence,
+      layer: v.layer,
+    },
+  }))
+  // Build results from suppressed vulnerabilities (with SARIF suppression state)
+  const suppressedResults = (result.suppressedVulnerabilities || []).map((s) => ({
+    ruleId: s.category,
+    ruleIndex: 0, // Will be resolved by GitHub
+    level: mapSeverityToSARIF(s.severity),
+    message: {
+      text: s.title,
+    },
+    locations: [{
+      physicalLocation: {
+        artifactLocation: {
+          uri: s.filePath,
+          uriBaseId: '%SRCROOT%',
+        },
+        region: {
+          startLine: s.lineNumber,
+          startColumn: 1,
+        },
+      },
+    }],
+    fingerprints: {
+      'oculum/v1': `${s.category}:${s.filePath}:${s.lineNumber}`,
+      'oculum/hash': s.hash,
+    },
+    suppressions: [{
+      kind: s.suppressionType === 'inline' ? 'inSource' : 'external',
+      justification: s.suppressionReason,
+      state: 'accepted',
+    }],
+    properties: {
+      suppressionType: s.suppressionType,
+      expires: s.expires,
+    },
+  }))
   return {
     $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
     version: '2.1.0',
@@ -330,39 +765,7 @@ export function formatSARIF(result: ScanResult): object {
           rules: getUniqueRules(result.vulnerabilities),
         },
       },
-      results: result.vulnerabilities.map((v, index) => ({
-        ruleId: v.category,
-        ruleIndex: getRuleIndex(result.vulnerabilities, v.category),
-        level: mapSeverityToSARIF(v.severity),
-        message: {
-          text: v.description,
-        },
-        locations: [{
-          physicalLocation: {
-            artifactLocation: {
-              uri: v.filePath,
-              uriBaseId: '%SRCROOT%',
-            },
-            region: {
-              startLine: v.lineNumber,
-              startColumn: 1,
-              snippet: v.lineContent ? { text: v.lineContent } : undefined,
-            },
-          },
-        }],
-        fingerprints: {
-          'oculum/v1': `${v.category}:${v.filePath}:${v.lineNumber}`,
-        },
-        fixes: v.suggestedFix ? [{
-          description: {
-            text: v.suggestedFix,
-          },
-        }] : undefined,
-        properties: {
-          confidence: v.confidence,
-          layer: v.layer,
-        },
-      })),
+      results: [...activeResults, ...suppressedResults],
       columnKind: 'utf16CodeUnits',
     }],
   }