npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/layer2/dangerous-functions/utils/schema-validation.ts ADDED Viewed

@@ -0,0 +1,91 @@
+/**
+ * Schema Validation Detection Utilities
+ *
+ * Functions for detecting schema validation patterns (zod, yup, joi, etc.)
+ * and manual validation patterns.
+ */
+/**
+ * Check if schema validation is applied near a JSON.parse call
+ * Looks for zod, yup, joi, or similar validation patterns
+ */
+export function hasSchemaValidationNearby(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const start = Math.max(0, lineNumber - 5)
+  const end = Math.min(lines.length, lineNumber + 10)
+  const context = lines.slice(start, end).join('\n')
+  const schemaValidationPatterns = [
+    // Zod patterns
+    /z\.(object|string|number|array|boolean)\s*\(/i,
+    /\.parse\s*\(/i,
+    /\.safeParse\s*\(/i,
+    /schema\.parse/i,
+    /Schema\.parse/i,
+    // Yup patterns
+    /yup\.(object|string|number|array|boolean)\s*\(/i,
+    /\.validate\s*\(/i,
+    /\.validateSync\s*\(/i,
+    // Joi patterns
+    /Joi\.(object|string|number|array|boolean)\s*\(/i,
+    /\.validateAsync\s*\(/i,
+    // Valibot patterns
+    /v\.(object|string|number|array|boolean)\s*\(/i,
+    // AJV patterns
+    /ajv\.compile/i,
+    /validate\s*\(\s*schema/i,
+    // TypeBox patterns
+    /Type\.(Object|String|Number|Array|Boolean)\s*\(/i,
+    // Generic validation patterns
+    /validateSchema/i,
+    /schemaValidator/i,
+    /parseAndValidate/i,
+  ]
+  return schemaValidationPatterns.some(p => p.test(context))
+}
+/**
+ * Check if this file appears to have form/input validation elsewhere
+ * (manual checks on body fields, type guards, etc.)
+ */
+export function hasManualValidation(content: string): boolean {
+  const manualValidationPatterns = [
+    // Type checking / type guards
+    /typeof\s+\w+\s*[!=]==?\s*['"](?:string|number|boolean|object)['"]|Array\.isArray\s*\(/i,
+    // Field existence checks followed by throws/returns
+    /if\s*\(\s*!(?:body|data|input)\.\w+\s*\)\s*\{?\s*(throw|return)/i,
+    // Property access with type assertion comments or inline validation
+    /\b(body|data|input)\s*as\s+\w+/i, // Type assertion
+    // Manual validation with error handling
+    /if\s*\(\s*![\w.]+\s*\|\|\s*typeof\s+[\w.]+/i,
+    // Using type predicates
+    /is\w+\s*\([\w.]+\)/i, // isFoo(bar) pattern
+  ]
+  return manualValidationPatterns.some(p => p.test(content))
+}
+/**
+ * Check if SQL query uses whitelist validation pattern
+ * e.g., columns validated against allowedColumns array before use
+ */
+export function hasSQLWhitelistValidation(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+  // Whitelist/allowlist validation patterns
+  const whitelistPatterns = [
+    /allowed\w*\s*=\s*\[/i, // allowedColumns = [...]
+    /whitelist\w*\s*=\s*\[/i, // whitelistFields = [...]
+    /valid\w*\s*=\s*\[/i, // validColumns = [...]
+    /\.filter\s*\([^)]*\.includes\s*\(/i, // .filter(c => allowed.includes(c))
+    /\.includes\s*\([^)]*\)/i, // allowedColumns.includes(col)
+    /\.every\s*\([^)]*\.includes/i, // columns.every(c => allowed.includes(c))
+    /if\s*\(\s*!.*\.includes/i, // if (!allowed.includes(...))
+  ]
+  return whitelistPatterns.some(p => p.test(context))
+}

package/src/layer2/data-exposure.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  */
 import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import { isComment, isTestOrMockFile } from '../utils/context-helpers'
+import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '../utils/context-helpers'
 interface DataExposurePattern {
   name: string
@@ -174,6 +174,10 @@ export function detectDataExposure(
   filePath: string
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
   const lines = content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   const isLowRiskFile = isLowRiskLoggingFile(filePath)

package/src/layer2/framework-checks.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import {
   isEnvVarReference,
   getServiceRoleKeyContext,
   isTestOrMockFile,
+  isScannerOrFixtureFile,
 } from '../utils/context-helpers'
 interface FrameworkPattern {
@@ -281,6 +282,10 @@ export function detectFrameworkIssues(
   filePath: string
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
   const lines = content.split('\n')
   const detectedFrameworks = detectFramework(content, filePath)
   const isTestFile = isTestOrMockFile(filePath)

package/src/layer2/index.ts CHANGED Viewed

@@ -31,6 +31,11 @@ import { detectAIAgentTools } from './ai-agent-tools'
 import { detectRAGSafetyIssues } from './ai-rag-safety'
 import { detectAIEndpointProtection } from './ai-endpoint-protection'
 import { detectAISchemaValidation } from './ai-schema-validation'
+// AI Detection Roadmap Phase 1
+import { detectAIPackageHallucination } from './ai-package-hallucination'
+import { detectMCPSecurity } from './ai-mcp-security'
+// AI Detection Roadmap Phase 2
+import { detectModelSupplyChain } from './model-supply-chain'
 // Tier system imports
 import {
   type TierStats,
@@ -90,6 +95,11 @@ type Layer2DetectorStats = {
   ragSafety: number
   endpointProtection: number
   schemaValidation: number
+  // AI Detection Roadmap Phase 1
+  packageHallucination: number
+  mcpSecurity: number
+  // AI Detection Roadmap Phase 2
+  modelSupplyChain: number
 }
 // Process a single file through all Layer 2 detectors
@@ -114,10 +124,27 @@ function processFileLayer2(
     ragSafety: 0,
     endpointProtection: 0,
     schemaValidation: 0,
+    // AI Detection Roadmap Phase 1
+    packageHallucination: 0,
+    mcpSecurity: 0,
+    // AI Detection Roadmap Phase 2
+    modelSupplyChain: 0,
   }
-  // Skip non-code files
+  // Check if this is a manifest file (package.json, requirements.txt, etc.)
+  const isManifestFile = (filePath: string) => {
+    const manifestFiles = ['package.json', 'requirements.txt', 'Pipfile', 'pyproject.toml', 'setup.py']
+    return manifestFiles.some(f => filePath.endsWith(f))
+  }
+  // For non-code files, only run package hallucination detector on manifest files
   if (!isCodeFile(file.path)) {
+    if (isManifestFile(file.path)) {
+      // Run package hallucination detector on manifest files
+      const packageHallucinationFindings = detectAIPackageHallucination(file.content, file.path)
+      stats.packageHallucination = packageHallucinationFindings.length
+      return { findings: packageHallucinationFindings, stats }
+    }
     return { findings: [], stats }
   }
@@ -143,6 +170,11 @@ function processFileLayer2(
     middlewareConfig: options.middlewareConfig,
   })
   const schemaValidationFindings = detectAISchemaValidation(file.content, file.path)
+  // AI Detection Roadmap Phase 1
+  const packageHallucinationFindings = detectAIPackageHallucination(file.content, file.path)
+  const mcpSecurityFindings = detectMCPSecurity(file.content, file.path)
+  // AI Detection Roadmap Phase 2
+  const modelSupplyChainFindings = detectModelSupplyChain(file.content, file.path)
   // Update stats
   stats.variables = variableFindings.length
@@ -160,6 +192,11 @@ function processFileLayer2(
   stats.ragSafety = ragSafetyFindings.length
   stats.endpointProtection = endpointProtectionFindings.length
   stats.schemaValidation = schemaValidationFindings.length
+  // AI Detection Roadmap Phase 1
+  stats.packageHallucination = packageHallucinationFindings.length
+  stats.mcpSecurity = mcpSecurityFindings.length
+  // AI Detection Roadmap Phase 2
+  stats.modelSupplyChain = modelSupplyChainFindings.length
   return {
     findings: [
@@ -178,6 +215,11 @@ function processFileLayer2(
       ...ragSafetyFindings,
       ...endpointProtectionFindings,
       ...schemaValidationFindings,
+      // AI Detection Roadmap Phase 1
+      ...packageHallucinationFindings,
+      ...mcpSecurityFindings,
+      // AI Detection Roadmap Phase 2
+      ...modelSupplyChainFindings,
     ],
     stats,
   }
@@ -212,6 +254,11 @@ export async function runLayer2Scan(
     ragSafety: 0,
     endpointProtection: 0,
     schemaValidation: 0,
+    // AI Detection Roadmap Phase 1
+    packageHallucination: 0,
+    mcpSecurity: 0,
+    // AI Detection Roadmap Phase 2
+    modelSupplyChain: 0,
   }
   // Detect auth helpers once for all files (if not already provided)
@@ -303,6 +350,11 @@ export async function runLayer2Scan(
     ai_rag_safety: stats.ragSafety,
     ai_endpoint_protection: stats.endpointProtection,
     ai_schema_validation: stats.schemaValidation,
+    // AI Detection Roadmap Phase 1
+    ai_package_hallucination: stats.packageHallucination,
+    ai_mcp_security: stats.mcpSecurity,
+    // AI Detection Roadmap Phase 2
+    model_supply_chain: stats.modelSupplyChain,
   }
   // Compute deduped counts per category
@@ -341,6 +393,11 @@ export async function runLayer2Scan(
     ai_rag_safety: 'ai_rag_safety',
     ai_endpoint_protection: 'ai_endpoint_protection',
     ai_schema_validation: 'ai_schema_validation',
+    // AI Detection Roadmap Phase 1
+    ai_package_hallucination: 'ai_package_hallucination',
+    ai_mcp_security: 'ai_mcp_security',
+    // AI Detection Roadmap Phase 2
+    model_supply_chain: 'model_supply_chain',
   }
   // Heuristic breakdown available in stats.raw and stats.tiers for debugging
@@ -538,3 +595,8 @@ export { detectAIAgentTools } from './ai-agent-tools'
 export { detectRAGSafetyIssues } from './ai-rag-safety'
 export { detectAIEndpointProtection } from './ai-endpoint-protection'
 export { detectAISchemaValidation } from './ai-schema-validation'
+// AI Detection Roadmap Phase 1
+export { detectAIPackageHallucination } from './ai-package-hallucination'
+export { detectMCPSecurity } from './ai-mcp-security'
+// AI Detection Roadmap Phase 2
+export { detectModelSupplyChain } from './model-supply-chain'

package/src/layer2/logic-gates.ts CHANGED Viewed

@@ -4,6 +4,7 @@
  */
 import type { Vulnerability } from '../types'
+import { isScannerOrFixtureFile } from '../utils/context-helpers'
 interface LogicPattern {
   name: string
@@ -134,6 +135,10 @@ export function detectLogicGates(
   filePath: string
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
   const lines = content.split('\n')
   // Check each line against patterns