npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/layer2/ai-prompt-hygiene.ts CHANGED Viewed

@@ -135,14 +135,90 @@ const UNSAFE_INTERPOLATION_PATTERNS: PromptHygienePattern[] = [
   },
 ]
+// ============================================================================
+// Secret Patterns - Comprehensive provider-specific detection
+// ============================================================================
 /**
- * B3: Secrets in prompt context patterns
+ * Provider-specific secret patterns with known prefixes
+ * These are high-confidence patterns that don't need context matching
+ */
+const KNOWN_SECRET_PREFIXES = [
+  // OpenAI
+  { name: 'OpenAI API Key', pattern: /sk-[a-zA-Z0-9]{20,}/g, severity: 'critical' as const },
+  { name: 'OpenAI Project Key', pattern: /sk-proj-[a-zA-Z0-9]{48,}/g, severity: 'critical' as const },
+  // Anthropic
+  { name: 'Anthropic API Key', pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g, severity: 'critical' as const },
+  { name: 'Anthropic Full Key', pattern: /sk-ant-api03-[a-zA-Z0-9_-]{90,}/g, severity: 'critical' as const },
+  // GitHub
+  { name: 'GitHub PAT', pattern: /ghp_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
+  { name: 'GitHub OAuth', pattern: /gho_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
+  { name: 'GitHub App Token', pattern: /ghu_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
+  { name: 'GitHub Refresh Token', pattern: /ghr_[a-zA-Z0-9]{36,}/g, severity: 'critical' as const },
+  { name: 'GitHub Fine-grained PAT', pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/g, severity: 'critical' as const },
+  // Stripe
+  { name: 'Stripe Live Secret', pattern: /sk_live_[a-zA-Z0-9]{24,}/g, severity: 'critical' as const },
+  { name: 'Stripe Test Secret', pattern: /sk_test_[a-zA-Z0-9]{24,}/g, severity: 'medium' as const },
+  { name: 'Stripe Restricted Key', pattern: /rk_live_[a-zA-Z0-9]{24,}/g, severity: 'critical' as const },
+  // AWS
+  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/g, severity: 'critical' as const },
+  { name: 'AWS Session Token', pattern: /ASIA[0-9A-Z]{16}/g, severity: 'critical' as const },
+  // Google
+  { name: 'Google API Key', pattern: /AIza[0-9A-Za-z-_]{35}/g, severity: 'high' as const },
+  // Slack
+  { name: 'Slack Bot Token', pattern: /xoxb-[0-9a-zA-Z-]{50,}/g, severity: 'critical' as const },
+  { name: 'Slack User Token', pattern: /xoxp-[0-9a-zA-Z-]{50,}/g, severity: 'critical' as const },
+  { name: 'Slack App Token', pattern: /xoxa-[0-9a-zA-Z-]{50,}/g, severity: 'critical' as const },
+  { name: 'Slack Legacy Token', pattern: /xox[baprs]-[0-9a-zA-Z]{10,}/g, severity: 'critical' as const },
+  // Twilio
+  { name: 'Twilio API Key', pattern: /SK[a-f0-9]{32}/g, severity: 'critical' as const },
+  { name: 'Twilio Account SID', pattern: /AC[a-f0-9]{32}/g, severity: 'high' as const },
+  // SendGrid
+  { name: 'SendGrid API Key', pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g, severity: 'critical' as const },
+  // Mailgun
+  { name: 'Mailgun API Key', pattern: /key-[a-zA-Z0-9]{32}/g, severity: 'critical' as const },
+  // NPM/PyPI
+  { name: 'NPM Token', pattern: /npm_[a-zA-Z0-9]{36}/g, severity: 'critical' as const },
+  { name: 'PyPI Token', pattern: /pypi-[a-zA-Z0-9]{32,}/g, severity: 'critical' as const },
+  // Vercel/Netlify
+  { name: 'Vercel Token', pattern: /vercel_[a-zA-Z0-9]{24,}/g, severity: 'critical' as const },
+  { name: 'Netlify Token', pattern: /nfp_[a-zA-Z0-9]{40,}/g, severity: 'critical' as const },
+  // Square
+  { name: 'Square Access Token', pattern: /sq0csp-[a-zA-Z0-9-_]{43}/g, severity: 'critical' as const },
+  { name: 'Square OAuth Secret', pattern: /sq0csp-[a-zA-Z0-9-_]{40,}/g, severity: 'critical' as const },
+  // Shopify
+  { name: 'Shopify Access Token', pattern: /shpat_[a-fA-F0-9]{32}/g, severity: 'critical' as const },
+  { name: 'Shopify Private App', pattern: /shppa_[a-fA-F0-9]{32}/g, severity: 'critical' as const },
+  // Datadog
+  { name: 'Datadog API Key', pattern: /dd[a-z]{1}[a-f0-9]{39}/g, severity: 'critical' as const },
+  // HuggingFace
+  { name: 'HuggingFace Token', pattern: /hf_[a-zA-Z0-9]{34,}/g, severity: 'critical' as const },
+  // Replicate
+  { name: 'Replicate API Token', pattern: /r8_[a-zA-Z0-9]{37}/g, severity: 'critical' as const },
+  // OpenRouter
+  { name: 'OpenRouter Key', pattern: /sk-or-v1-[a-zA-Z0-9]{64}/g, severity: 'critical' as const },
+  // Cohere
+  { name: 'Cohere API Key', pattern: /[a-zA-Z0-9]{40}(?=.*cohere)/gi, severity: 'high' as const },
+  // Private Keys
+  { name: 'Private Key', pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g, severity: 'critical' as const },
+  // JWT Tokens (full format)
+  { name: 'JWT Token', pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g, severity: 'high' as const },
+  // Database URLs with credentials
+  { name: 'Database URL', pattern: /(mongodb|postgres|mysql|redis|amqp)(\+srv)?:\/\/[^:]+:[^@\s]+@[^\s"']+/gi, severity: 'critical' as const },
+  // Webhook URLs (often contain secrets)
+  { name: 'Slack Webhook', pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/g, severity: 'high' as const },
+  { name: 'Discord Webhook', pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/g, severity: 'high' as const },
+]
+/**
+ * B3: Secrets in prompt context patterns (original context-aware patterns)
+ * Note: Using [^\n;]* instead of [^;]* to prevent matching across lines
  */
 const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
-  // API keys in message content
+  // API keys in message content (same line only)
   {
     name: 'API key in prompt content',
-    pattern: /(?:messages|prompt|system|content)\s*[=:][^;]*(?:sk-[a-zA-Z0-9]{20,}|api[_-]?key\s*[:=]\s*['"][^'"]{16,}['"])/gi,
+    pattern: /(?:messages|prompt|system|content)\s*[=:][^\n;]*(?:sk-[a-zA-Z0-9]{20,}|api[_-]?key\s*[:=]\s*['"][^'"]{16,}['"])/gi,
     severity: 'critical',
     description: 'API key appears to be hardcoded in prompt content. Keys in prompts may be logged, cached, or sent to model providers.',
     suggestedFix: 'Never include API keys in prompts. Use environment variables and keep them server-side only.',
@@ -150,7 +226,7 @@ const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
   // AWS keys in prompts
   {
     name: 'AWS credentials in prompt',
-    pattern: /(?:messages|prompt|system|content)\s*[=:][^;]*(?:AKIA[A-Z0-9]{16}|aws[_-]?(?:secret|access)[_-]?key)/gi,
+    pattern: /(?:messages|prompt|system|content)\s*[=:][^\n;]*(?:AKIA[A-Z0-9]{16}|aws[_-]?(?:secret|access)[_-]?key)/gi,
     severity: 'critical',
     description: 'AWS credentials detected in prompt content.',
     suggestedFix: 'Remove credentials from prompts. Use IAM roles or environment variables instead.',
@@ -158,7 +234,7 @@ const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
   // Database URLs with credentials
   {
     name: 'Database credentials in prompt',
-    pattern: /(?:messages|prompt|system|content).*(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@/gi,
+    pattern: /(?:messages|prompt|system|content)[^\n]*(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@/gi,
     severity: 'critical',
     description: 'Database connection string with credentials in prompt. This exposes database access.',
     suggestedFix: 'Never include connection strings in prompts. Reference data by ID instead.',
@@ -166,7 +242,7 @@ const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
   // Passwords in prompt context
   {
     name: 'Password in prompt content',
-    pattern: /(?:messages|prompt|content)\s*[=:].*(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`]{8,}/gi,
+    pattern: /(?:messages|prompt|content)\s*[=:][^\n]*(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`]{8,}/gi,
     severity: 'high',
     description: 'Password appears in prompt content. This may be logged or exposed to model providers.',
     suggestedFix: 'Remove passwords from prompts. Use authentication tokens or session references instead.',
@@ -174,7 +250,7 @@ const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
   // Private keys
   {
     name: 'Private key in prompt',
-    pattern: /(?:messages|prompt|content).*(?:-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----)/gi,
+    pattern: /(?:messages|prompt|content)[^\n]*(?:-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----)/gi,
     severity: 'critical',
     description: 'Private key material detected in prompt context.',
     suggestedFix: 'Never include private keys in prompts. Sign data server-side instead.',
@@ -182,13 +258,342 @@ const SECRETS_IN_PROMPTS_PATTERNS: PromptHygienePattern[] = [
   // Generic token patterns
   {
     name: 'Access token in prompt',
-    pattern: /(?:messages|prompt|content)\s*[=:].*(?:access[_-]?token|auth[_-]?token|bearer)\s*[:=]\s*['"`][a-zA-Z0-9_.-]{20,}/gi,
+    pattern: /(?:messages|prompt|content)\s*[=:][^\n]*(?:access[_-]?token|auth[_-]?token|bearer)\s*[:=]\s*['"`][a-zA-Z0-9_.-]{20,}/gi,
     severity: 'high',
     description: 'Access token detected in prompt content. Tokens in prompts risk exposure.',
     suggestedFix: 'Do not include tokens in prompts. Pass token context through secure server-side channels.',
   },
 ]
+// ============================================================================
+// Variable Flow Detection - Secrets flowing into prompts
+// ============================================================================
+/**
+ * Patterns for detecting secret variable declarations
+ */
+const SECRET_VARIABLE_PATTERNS = [
+  // Direct assignment patterns
+  /(?:const|let|var)\s+(\w*(?:key|token|secret|password|credential|apiKey|authToken|accessToken)\w*)\s*=\s*['"`]([^'"`]{16,})['"`]/gi,
+  // Object property patterns
+  /(\w*(?:key|token|secret|password|credential|apiKey|authToken|accessToken)\w*)\s*:\s*['"`]([^'"`]{16,})['"`]/gi,
+]
+/**
+ * Patterns for detecting prompt variable usage
+ */
+const PROMPT_USAGE_PATTERNS = [
+  // Template literal interpolation
+  /`[^`]*\$\{(\w+)\}[^`]*`/g,
+  // String concatenation
+  /\+\s*(\w+)\s*(?:\+|$)/g,
+  // f-string interpolation (Python)
+  /f['"][^'"]*\{(\w+)\}[^'"]*['"]/g,
+  // Format string
+  /\.format\s*\([^)]*(\w+)[^)]*\)/g,
+]
+/**
+ * Check if a variable name suggests it contains a secret
+ */
+function isSecretVariableName(varName: string): boolean {
+  const secretIndicators = [
+    /api[_-]?key/i,
+    /secret[_-]?key/i,
+    /access[_-]?token/i,
+    /auth[_-]?token/i,
+    /password/i,
+    /credential/i,
+    /private[_-]?key/i,
+    /bearer/i,
+    /jwt/i,
+    /oauth/i,
+    /^sk_/i,
+    /^pk_/i,
+    /token$/i,
+    /key$/i,
+    /secret$/i,
+  ]
+  return secretIndicators.some(p => p.test(varName))
+}
+/**
+ * Detect secrets flowing from variables into prompts (variable indirection)
+ */
+function detectSecretVariableFlow(
+  content: string,
+  filePath: string,
+  isTestFile: boolean
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+  // First pass: collect all secret variable declarations
+  const secretVariables = new Map<string, { line: number; value: string }>()
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+    for (const pattern of SECRET_VARIABLE_PATTERNS) {
+      const regex = new RegExp(pattern.source, pattern.flags)
+      let match
+      while ((match = regex.exec(line)) !== null) {
+        const varName = match[1]
+        const value = match[2]
+        // Check if variable name suggests it's a secret
+        if (isSecretVariableName(varName)) {
+          secretVariables.set(varName, { line: i + 1, value })
+        }
+      }
+    }
+  }
+  // Second pass: find where these variables flow into prompts
+  const promptContextPatterns = [
+    /(?:system|prompt|message|content)\s*[:=]/i,
+    /role:\s*['"`](?:system|user|assistant)['"`]/i,
+    /\.chat\.completions?\.create/i,
+    /\.messages\.create/i,
+    /messages\s*:\s*\[/i,
+  ]
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+    // Check if this line or nearby lines are in prompt context
+    const contextWindow = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 5)).join('\n')
+    const isPromptContext = promptContextPatterns.some(p => p.test(contextWindow))
+    if (!isPromptContext) continue
+    // Check for template interpolation of secret variables
+    const templateMatch = line.match(/\$\{(\w+)\}/)
+    if (templateMatch) {
+      const varName = templateMatch[1]
+      if (secretVariables.has(varName)) {
+        const secretInfo = secretVariables.get(varName)!
+        let severity: VulnerabilitySeverity = 'high'
+        let description = `Secret variable '${varName}' (defined at line ${secretInfo.line}) is interpolated into LLM prompt. This exposes the secret to the model provider.`
+        if (isTestFile) {
+          severity = 'low'
+          description += ' (in test file)'
+        }
+        vulnerabilities.push({
+          id: `secret-flow-${filePath}-${i + 1}-${varName}`,
+          filePath,
+          lineNumber: i + 1,
+          lineContent: line.trim(),
+          severity,
+          category: 'hardcoded_secret',
+          title: `Secret variable '${varName}' in prompt`,
+          description,
+          suggestedFix: `Remove the secret from the prompt. If the AI needs to use an API, make the call server-side instead of passing credentials to the model.`,
+          confidence: 'medium',
+          layer: 2,
+          requiresAIValidation: true,
+        })
+      }
+    }
+    // Check for string concatenation with secret variables
+    for (const [varName] of secretVariables) {
+      if (line.includes(`+ ${varName}`) || line.includes(`${varName} +`) || line.includes(`+ ${varName} +`)) {
+        const secretInfo = secretVariables.get(varName)!
+        let severity: VulnerabilitySeverity = 'high'
+        let description = `Secret variable '${varName}' (defined at line ${secretInfo.line}) is concatenated into prompt. This exposes the secret to the model provider.`
+        if (isTestFile) {
+          severity = 'low'
+          description += ' (in test file)'
+        }
+        vulnerabilities.push({
+          id: `secret-concat-${filePath}-${i + 1}-${varName}`,
+          filePath,
+          lineNumber: i + 1,
+          lineContent: line.trim(),
+          severity,
+          category: 'hardcoded_secret',
+          title: `Secret variable '${varName}' concatenated in prompt`,
+          description,
+          suggestedFix: `Remove the secret from the prompt. If the AI needs to use an API, make the call server-side.`,
+          confidence: 'medium',
+          layer: 2,
+          requiresAIValidation: true,
+        })
+      }
+    }
+  }
+  return vulnerabilities
+}
+// ============================================================================
+// Phase 2: Indirect Prompt Injection Detection
+// ============================================================================
+/**
+ * Check if content filtering/sanitization is present for external content
+ */
+function hasContentFiltering(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 20)
+  const contextEnd = Math.min(lines.length, lineNumber + 10)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const filteringPatterns = [
+    /filterContent|sanitizeContent|cleanContent/i,
+    /sanitizeContext|filterContext/i,
+    /contentModeration|moderateContent/i,
+    /stripInstructions|removeInstructions/i,
+    /escapePrompt|sanitizePrompt/i,
+    /validateInput|inputValidation/i,
+  ]
+  return filteringPatterns.some(p => p.test(context))
+}
+/**
+ * Check if proper delimiters are used for external content
+ */
+function hasExternalContentDelimiters(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 15)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const delimiterPatterns = [
+    /<context>|<\/context>/i,
+    /<document>|<\/document>/i,
+    /<retrieved>|<\/retrieved>/i,
+    /<external>|<\/external>/i,
+    /```[^`]*context|context[^`]*```/i,
+    /---\s*(?:context|document|retrieved)/i,
+    /\[CONTEXT\]|\[\/CONTEXT\]/i,
+    /\[DOCUMENT\]|\[\/DOCUMENT\]/i,
+  ]
+  return delimiterPatterns.some(p => p.test(context))
+}
+/**
+ * Indirect prompt injection patterns - external content flowing to LLM context
+ */
+const INDIRECT_INJECTION_PATTERNS: PromptHygienePattern[] = [
+  // ========== External Fetch to Prompt ==========
+  {
+    name: 'Fetched content in prompt',
+    // Pattern looks for: fetch() -> then/await -> result flows into messages/content
+    // Use word boundary \b to avoid matching function names like "validatedFetch"
+    // The pattern looks for: actual fetch call -> await/then -> use in LLM messages
+    pattern: /\bfetch\s*\(\s*[^)]+\)[\s\S]{0,80}(?:\.then|\.json)[\s\S]{0,150}(?:role:\s*['"`](?:system|user)['"`]|messages\s*:\s*\[)/gi,
+    severity: 'high',
+    description: 'Content fetched from external URL flows into LLM prompt. Malicious websites can embed instructions that hijack the model\'s behavior (indirect prompt injection).',
+    suggestedFix: 'Wrap external content with clear delimiters: <external_content>...</external_content>. Implement content filtering to strip instruction-like patterns.',
+    checkDelimiters: true,
+  },
+  {
+    name: 'HTTP response in system prompt',
+    pattern: /(?:axios|fetch|got|request)[\s\S]{0,150}(?:system|systemPrompt|instructions)\s*[:=+]/gi,
+    severity: 'high',
+    description: 'HTTP response content used in system prompt. External data in system prompts is especially dangerous as it can override model instructions.',
+    suggestedFix: 'Never put external content in system prompts. Use user messages with clear delimiters for context. Implement content sanitization.',
+    checkDelimiters: true,
+  },
+  // ========== RAG Vector Store to Prompt ==========
+  {
+    name: 'Vector store results in system message',
+    pattern: /(?:vectorStore|similaritySearch|query|search|retrieve)[\s\S]{0,200}role:\s*['"`]system['"`]/gi,
+    severity: 'high',
+    description: 'Vector store search results injected into system message. Poisoned documents in the corpus can hijack model behavior.',
+    suggestedFix: 'Place retrieved content in user messages, not system. Use delimiters: <retrieved_context>...</retrieved_context>. Implement document sanitization before indexing.',
+    checkDelimiters: true,
+  },
+  {
+    name: 'RAG retrieval directly in context',
+    pattern: /(?:retriever\.invoke|retrieve|getRelevantDocuments)\s*\([^)]*\)[\s\S]{0,150}(?:context|prompt|messages)/gi,
+    severity: 'high',
+    description: 'Retrieved documents flow directly into LLM context. Adversarial documents can contain prompt injection payloads.',
+    suggestedFix: 'Sanitize retrieved content before including in prompt. Use XML tags to clearly separate context from instructions.',
+    checkDelimiters: true,
+  },
+  // ========== Document Loading to LLM ==========
+  {
+    name: 'Loaded documents in LLM chain',
+    pattern: /(?:loadDocuments|DirectoryLoader|TextLoader|PDFLoader)[\s\S]{0,200}(?:chain|llm|invoke|call)/gi,
+    severity: 'high',
+    description: 'Documents loaded from files flow into LLM chain. Malicious files (PDFs, docs) can contain hidden prompt injection text.',
+    suggestedFix: 'Scan loaded documents for instruction-like patterns. Use separate document processing pipeline with content filtering.',
+    checkDelimiters: true,
+  },
+  {
+    name: 'Document content interpolated',
+    pattern: /\$\{.*(?:document|doc|file|page)(?:Content|Text|Data).*\}[\s\S]{0,50}(?:prompt|messages|llm)/gi,
+    severity: 'medium',
+    description: 'Document content interpolated into LLM prompt. Documents may contain adversarial instructions.',
+    suggestedFix: 'Wrap document content with delimiters: ```document\\n${content}\\n```. Implement text sanitization.',
+    checkDelimiters: true,
+  },
+  // ========== Web Scraping to Prompt ==========
+  {
+    name: 'Scraped content in prompt',
+    pattern: /(?:scrape|crawl|spider|puppeteer|playwright|cheerio)[\s\S]{0,200}(?:prompt|messages|context|content\s*:)/gi,
+    severity: 'high',
+    description: 'Web-scraped content flows into LLM prompt. Malicious websites can embed instructions in their HTML content.',
+    suggestedFix: 'Sanitize scraped content to remove instruction-like patterns. Use delimiters: <scraped_content url="...">...</scraped_content>',
+    checkDelimiters: true,
+  },
+  {
+    name: 'HTML content in LLM context',
+    // Pattern: Reading HTML (.innerHTML) and then using it in prompt/messages
+    // NOT: Writing LLM output TO innerHTML (that's output handling, different category)
+    // Look for: getting innerHTML value -> flowing to prompt context
+    pattern: /(?:\.innerHTML\s*[;,]|\.html\s*\(\s*\))[\s\S]{0,150}(?:role:\s*['"`](?:system|user)['"`]|messages\s*:\s*\[)/gi,
+    severity: 'medium',
+    description: 'HTML content from web pages used in LLM context. Web pages can contain hidden prompt injection in metadata, comments, or invisible text.',
+    suggestedFix: 'Extract only relevant text content. Filter out scripts, comments, and metadata. Use content sanitization.',
+    checkDelimiters: true,
+  },
+  // ========== Email/Message Content to Prompt ==========
+  {
+    name: 'Email content in prompt',
+    pattern: /(?:email|message|inbox)(?:Content|Body|Text)[\s\S]{0,150}(?:prompt|messages|llm|analyze)/gi,
+    severity: 'medium',
+    description: 'Email or message content flows into LLM prompt. Attackers can craft emails with embedded prompt injection.',
+    suggestedFix: 'Sanitize email content before LLM processing. Remove potentially malicious patterns. Use clear delimiters.',
+    checkDelimiters: true,
+  },
+  // ========== Database Content to Prompt ==========
+  {
+    name: 'Database record in system prompt',
+    pattern: /(?:findOne|findById|query|select)[\s\S]{0,150}(?:system|systemPrompt|instructions)\s*[:=]/gi,
+    severity: 'medium',
+    description: 'Database content used in system prompt. If users can modify database records, they can inject malicious instructions.',
+    suggestedFix: 'Keep system prompts static. Place database content in user messages with delimiters. Validate data before use.',
+    checkDelimiters: true,
+  },
+  // ========== Generic External Data Patterns ==========
+  {
+    name: 'External data concatenation',
+    pattern: /(?:externalData|fetchedContent|scrapedData|retrievedText)\s*\+[\s\S]{0,50}(?:prompt|system|instructions)/gi,
+    severity: 'medium',
+    description: 'External data concatenated with prompt content without clear separation.',
+    suggestedFix: 'Use structured prompts with XML/markdown delimiters to separate instructions from external content.',
+    checkDelimiters: true,
+  },
+]
 /**
  * Missing boundary patterns - prompts without clear user/system separation
  */
@@ -320,7 +725,7 @@ export function detectAIPromptHygiene(
     }
   }
-  // Scan for secrets in prompts (B3)
+  // Scan for secrets in prompts (B3) - Original context-aware patterns
   for (const pattern of SECRETS_IN_PROMPTS_PATTERNS) {
     const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
     let match
@@ -336,6 +741,13 @@ export function detectAIPromptHygiene(
       const isEnvRef = /process\.env|import\.meta\.env|os\.environ|getenv/i.test(lineContent)
       if (isEnvRef) continue
+      // Skip test variable names
+      if (/(?:const|let|var)\s+(?:TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)[_A-Z0-9]*\s*=/i.test(lineContent)) continue
+      if (/(?:const|let|var)\s+\w*(?:test|mock|example|dummy|fake|sample)\w*\s*=/i.test(lineContent)) continue
+      // Skip placeholder/example values in the line
+      if (/example|sample|demo|placeholder|your[_-]?api[_-]?key/i.test(lineContent)) continue
       let severity = pattern.severity
       let description = pattern.description
@@ -362,6 +774,76 @@ export function detectAIPromptHygiene(
     }
   }
+  // ========== NEW: Direct secret detection with known prefixes ==========
+  // Scan for any known secret patterns anywhere in prompt-related code
+  const seenSecretLines = new Set<number>()  // Avoid duplicates
+  for (const secretDef of KNOWN_SECRET_PREFIXES) {
+    const regex = new RegExp(secretDef.pattern.source, secretDef.pattern.flags)
+    let match
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+      // Skip if already reported on this line
+      const lineKey = `${lineNumber}-${secretDef.name}`
+      if (seenSecretLines.has(lineNumber)) continue
+      seenSecretLines.add(lineNumber)
+      // Skip comments
+      if (isComment(lineContent)) continue
+      // Skip env var references
+      if (/process\.env|import\.meta\.env|os\.environ|getenv/i.test(lineContent)) continue
+      // Skip obvious placeholders/examples in the value
+      const matchValue = match[0]
+      if (/example|sample|demo|dummy|fake|mock|your[_-]|placeholder/i.test(matchValue)) continue
+      if (/example|sample|demo|placeholder/i.test(lineContent)) continue
+      // Skip values that contain "test" right after the prefix (e.g., sk-test..., ghp_test...)
+      // These are clearly test/development keys, not production secrets
+      if (/^(sk-|ghp_|gho_|sk_live_|sk_test_|xoxb-|SG\.)test/i.test(matchValue)) continue
+      if (/[-_]test[-_0-9]/i.test(matchValue)) continue
+      // Skip test variable names (e.g., TEST_API_KEY, MOCK_SECRET)
+      if (/(?:const|let|var)\s+(?:TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)[_A-Z0-9]*\s*=/i.test(lineContent)) continue
+      // Skip if variable name contains test/mock/example (broader check)
+      if (/(?:const|let|var)\s+\w*(?:test|mock|example|dummy|fake|sample)\w*\s*=/i.test(lineContent)) continue
+      let severity: VulnerabilitySeverity = secretDef.severity
+      let description = `${secretDef.name} detected in LLM-related code. This secret may be exposed to the model provider, logged, or cached.`
+      // Downgrade test files
+      if (isTestFile) {
+        severity = severity === 'critical' ? 'medium' : 'low'
+        description += ' (in test file)'
+      }
+      vulnerabilities.push({
+        id: `ai-direct-secret-${filePath}-${lineNumber}-${secretDef.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'hardcoded_secret',
+        title: `${secretDef.name} in LLM context`,
+        description,
+        suggestedFix: 'Remove the hardcoded secret. Use environment variables server-side. Never expose secrets to LLM prompts.',
+        confidence: 'high',
+        layer: 2,
+        requiresAIValidation: false,
+      })
+    }
+  }
+  // ========== NEW: Variable flow detection ==========
+  // Detect secrets flowing from variables into prompts
+  const flowVulns = detectSecretVariableFlow(content, filePath, isTestFile)
+  vulnerabilities.push(...flowVulns)
   // Scan for missing boundary patterns (B1 continued)
   for (const pattern of MISSING_BOUNDARY_PATTERNS) {
     const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
@@ -404,6 +886,62 @@ export function detectAIPromptHygiene(
     }
   }
+  // Scan for indirect prompt injection patterns (Phase 2)
+  for (const pattern of INDIRECT_INJECTION_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+      // Skip comments
+      if (isComment(lineContent)) continue
+      let severity = pattern.severity
+      let description = pattern.description
+      // Check for content filtering/sanitization
+      const hasFiltering = hasContentFiltering(content, lineNumber)
+      const hasDelimiters = hasExternalContentDelimiters(content, lineNumber)
+      if (hasFiltering && hasDelimiters) {
+        // Both mitigations present - fully mitigated
+        severity = 'info'
+        description += ' (Content filtering and delimiters detected - mitigated.)'
+      } else if (hasFiltering) {
+        // Partial mitigation - filtering present
+        severity = severity === 'high' ? 'medium' : 'low'
+        description += ' (Content filtering detected.)'
+      } else if (hasDelimiters) {
+        // Partial mitigation - delimiters present
+        severity = severity === 'high' ? 'medium' : 'low'
+        description += ' (External content delimiters detected.)'
+      }
+      // Downgrade test files
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (in test file)'
+      }
+      vulnerabilities.push({
+        id: `ai-indirect-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_prompt_injection',
+        title: pattern.name + ' (Indirect Injection)',
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: severity === 'info' ? 'low' : 'medium',
+        layer: 2,
+        requiresAIValidation: severity !== 'info',
+      })
+    }
+  }
   return vulnerabilities
 }