npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/layer3/anthropic/providers/anthropic.ts ADDED Viewed

@@ -0,0 +1,310 @@
+/**
+ * Anthropic Provider Implementation
+ *
+ * Validation using Anthropic Claude 3.5 Haiku model.
+ */
+import type { Vulnerability, ScanFile, ValidationStatus } from '../../../types'
+import type { ProjectContext } from '../../../utils/project-context-builder'
+import { buildProjectContext } from '../../../utils/project-context-builder'
+import type { ValidationStats, AIValidationResult } from '../types'
+import { getAnthropicClient, HAIKU_PRICING, FILES_PER_API_BATCH } from '../clients'
+import { makeAnthropicRequestWithRetry } from '../utils/retry'
+import { parseMultiFileValidationResponse, parseValidationResponse, applyValidationResults } from '../utils/response-parser'
+import { buildMultiFileValidationRequest } from '../request-builder'
+import { HIGH_CONTEXT_VALIDATION_PROMPT } from '../prompts/validation'
+// Cache for project context (built once per scan)
+let cachedProjectContext: ProjectContext | null = null
+/**
+ * Validate findings using Anthropic Claude 3.5 Haiku
+ */
+export async function validateWithAnthropic(
+  findings: Vulnerability[],
+  files: ScanFile[],
+  projectContext: ProjectContext | undefined,
+  stats: ValidationStats,
+  onProgress?: (progress: { filesProcessed: number; totalFiles: number; status: string }) => void
+): Promise<AIValidationResult> {
+  console.log('[AI Validation] Initializing Anthropic client...')
+  const client = getAnthropicClient()
+  // Build or use cached project context
+  const context = projectContext || cachedProjectContext || buildProjectContext(files)
+  if (!projectContext && !cachedProjectContext) {
+    cachedProjectContext = context
+    console.log('[AI Validation] Built project context:', {
+      hasAuthMiddleware: context.auth.hasGlobalMiddleware,
+      authProvider: context.auth.authProvider,
+      orm: context.dataAccess.orm,
+      framework: context.frameworks.primary,
+    })
+  }
+  // Group findings by file for efficient validation
+  const findingsByFile = new Map<string, Vulnerability[]>()
+  for (const finding of findings) {
+    const existing = findingsByFile.get(finding.filePath) || []
+    existing.push(finding)
+    findingsByFile.set(finding.filePath, existing)
+  }
+  const validatedFindings: Vulnerability[] = []
+  // Phase 2: Multi-file batching
+  const fileEntries = Array.from(findingsByFile.entries())
+  // Track metrics
+  let totalBatchWaitTime = 0
+  let totalApiBatches = 0
+  const totalFileBatches = Math.ceil(fileEntries.length / FILES_PER_API_BATCH)
+  console.log(`[AI Validation] Phase 2: Processing ${fileEntries.length} files in ${totalFileBatches} API batch(es) (${FILES_PER_API_BATCH} files/batch)`)
+  // Track files processed for progress reporting
+  let filesValidated = 0
+  // Process files in batches - each batch is ONE API call with multiple files
+  for (let batchStart = 0; batchStart < fileEntries.length; batchStart += FILES_PER_API_BATCH) {
+    const fileBatch = fileEntries.slice(batchStart, batchStart + FILES_PER_API_BATCH)
+    const batchNum = Math.floor(batchStart / FILES_PER_API_BATCH) + 1
+    // Report progress before processing batch
+    if (onProgress) {
+      onProgress({
+        filesProcessed: filesValidated,
+        totalFiles: fileEntries.length,
+        status: `AI validating batch ${batchNum}/${totalFileBatches}`,
+      })
+    }
+    console.log(`[AI Validation] API Batch ${batchNum}/${totalFileBatches}: ${fileBatch.length} files`)
+    // Prepare file data for batch request
+    const fileDataList: Array<{ file: ScanFile; findings: Vulnerability[]; filePath: string }> = []
+    const filesWithoutContent: Array<{ filePath: string; findings: Vulnerability[] }> = []
+    for (const [filePath, fileFindings] of fileBatch) {
+      const file = files.find(f => f.path === filePath)
+      if (!file) {
+        filesWithoutContent.push({ filePath, findings: fileFindings })
+      } else {
+        fileDataList.push({ file, findings: fileFindings, filePath })
+      }
+    }
+    // Handle files without content - mark as not validated
+    for (const { findings } of filesWithoutContent) {
+      for (const f of findings) {
+        validatedFindings.push({
+          ...f,
+          validatedByAI: false,
+          validationStatus: 'not_validated' as ValidationStatus,
+          validationNotes: 'File content not available for validation',
+        })
+      }
+    }
+    // Skip API call if no files with content
+    if (fileDataList.length === 0) {
+      continue
+    }
+    const batchStartTime = Date.now()
+    try {
+      // Build multi-file validation request
+      const validationRequest = buildMultiFileValidationRequest(
+        fileDataList.map(({ file, findings }) => ({ file, findings })),
+        context
+      )
+      // Use Anthropic prompt caching with multi-file request
+      const response = await makeAnthropicRequestWithRetry(() =>
+        client.messages.create({
+          model: 'claude-3-5-haiku-20241022',
+          max_tokens: 1500, // Reduced from 4096 - optimized format needs less output
+          system: [
+            {
+              type: 'text',
+              text: HIGH_CONTEXT_VALIDATION_PROMPT,
+              cache_control: { type: 'ephemeral' }, // Cache for 5 minutes
+            },
+          ],
+          messages: [{ role: 'user', content: validationRequest }],
+        })
+      )
+      // Track API call stats
+      stats.apiCalls++
+      totalApiBatches++
+      // Extract cache metrics from usage
+      const usage = response.usage
+      if (usage) {
+        // DEBUG: Log full usage object to understand token breakdown
+        console.log(`[DEBUG] Batch ${batchNum} - Full API Response Usage:`)
+        console.log(JSON.stringify(usage, null, 2))
+        console.log(`[DEBUG] Breakdown:`)
+        console.log(`  - input_tokens: ${usage.input_tokens || 0}`)
+        console.log(`  - output_tokens: ${usage.output_tokens || 0}`)
+        // @ts-ignore
+        console.log(`  - cache_creation_input_tokens: ${usage.cache_creation_input_tokens || 0}`)
+        // @ts-ignore
+        console.log(`  - cache_read_input_tokens: ${usage.cache_read_input_tokens || 0}`)
+        stats.estimatedInputTokens += usage.input_tokens || 0
+        stats.estimatedOutputTokens += usage.output_tokens || 0
+        // @ts-ignore - cache fields not in types yet
+        const cacheCreation = usage.cache_creation_input_tokens || 0
+        // @ts-ignore
+        const cacheRead = usage.cache_read_input_tokens || 0
+        stats.cacheCreationTokens += cacheCreation
+        stats.cacheReadTokens += cacheRead
+      }
+      const textContent = response.content.find((block: { type: string }) => block.type === 'text')
+      if (!textContent || textContent.type !== 'text') {
+        // No valid response - mark all findings as not validated
+        for (const { findings } of fileDataList) {
+          for (const f of findings) {
+            validatedFindings.push({
+              ...f,
+              validatedByAI: false,
+              validationStatus: 'not_validated' as ValidationStatus,
+              validationNotes: 'No valid response from AI',
+            })
+          }
+        }
+        continue
+      }
+      // Parse multi-file response
+      const expectedFiles = fileDataList.map(({ filePath }) => filePath)
+      const validationResultsMap = parseMultiFileValidationResponse(textContent.text, expectedFiles)
+      // Apply results per file
+      for (const { filePath, findings } of fileDataList) {
+        const fileResults = validationResultsMap.get(filePath)
+        if (!fileResults || fileResults.length === 0) {
+          // No results for this file - try single-file parsing as fallback
+          const singleFileResults = parseValidationResponse(textContent.text)
+          if (singleFileResults.length > 0 && fileDataList.length === 1) {
+            // Single file in batch, use single-file parsing
+            const { processed: processedFindings, dismissedCount } = applyValidationResults(findings, singleFileResults)
+            stats.validatedFindings += processedFindings.length + dismissedCount
+            stats.dismissedFindings += dismissedCount
+            for (const processed of processedFindings) {
+              if (processed.validationStatus === 'confirmed') {
+                stats.confirmedFindings++
+              } else if (processed.validationStatus === 'downgraded') {
+                stats.downgradedFindings++
+              }
+              validatedFindings.push(processed)
+            }
+          } else {
+            // No validation results - REJECT all findings for this file (conservative approach)
+            console.warn(`[AI Validation] No results for ${filePath} - REJECTING ${findings.length} findings`)
+            stats.validatedFindings += findings.length
+            stats.dismissedFindings += findings.length
+            // Don't add to validatedFindings - findings are rejected
+          }
+        } else {
+          // Apply validation results for this file
+          const { processed: processedFindings, dismissedCount } = applyValidationResults(findings, fileResults)
+          stats.validatedFindings += processedFindings.length + dismissedCount
+          stats.dismissedFindings += dismissedCount
+          for (const processed of processedFindings) {
+            if (processed.validationStatus === 'confirmed') {
+              stats.confirmedFindings++
+            } else if (processed.validationStatus === 'downgraded') {
+              stats.downgradedFindings++
+            }
+            validatedFindings.push(processed)
+          }
+        }
+      }
+    } catch (error) {
+      console.error(`[AI Validation] Error in batch ${batchNum}:`, error)
+      // Fallback: keep all findings but mark as not validated
+      for (const { findings } of fileDataList) {
+        for (const f of findings) {
+          validatedFindings.push({
+            ...f,
+            validatedByAI: false,
+            validationStatus: 'not_validated' as ValidationStatus,
+            validationNotes: 'Validation failed due to API error',
+          })
+        }
+      }
+    }
+    const batchDuration = Date.now() - batchStartTime
+    totalBatchWaitTime += batchDuration
+    // Update files validated counter
+    filesValidated += fileBatch.length
+    // Report progress after batch completion
+    if (onProgress) {
+      onProgress({
+        filesProcessed: filesValidated,
+        totalFiles: fileEntries.length,
+        status: `AI validation complete for batch ${batchNum}/${totalFileBatches}`,
+      })
+    }
+  }
+  // Calculate cache hit rate
+  const totalCacheableTokens = stats.cacheCreationTokens + stats.cacheReadTokens
+  stats.cacheHitRate = totalCacheableTokens > 0
+    ? stats.cacheReadTokens / totalCacheableTokens
+    : 0
+  // Calculate estimated cost with cache pricing
+  const freshInputCost = (stats.estimatedInputTokens * HAIKU_PRICING.input) / 1_000_000
+  const cacheWriteCost = (stats.cacheCreationTokens * HAIKU_PRICING.cacheWrite) / 1_000_000
+  const cacheReadCost = (stats.cacheReadTokens * HAIKU_PRICING.cacheRead) / 1_000_000
+  const outputCost = (stats.estimatedOutputTokens * HAIKU_PRICING.output) / 1_000_000
+  stats.estimatedCost = freshInputCost + cacheWriteCost + cacheReadCost + outputCost
+  // Log validation stats with cache metrics and performance
+  console.log(`[AI Validation] Stats:`)
+  console.log(`  - Total findings: ${stats.totalFindings}`)
+  console.log(`  - AI validated: ${stats.validatedFindings}`)
+  console.log(`  - Confirmed: ${stats.confirmedFindings}`)
+  console.log(`  - Dismissed: ${stats.dismissedFindings}`)
+  console.log(`  - Downgraded: ${stats.downgradedFindings}`)
+  console.log(`  - API calls: ${stats.apiCalls}`)
+  console.log(`  - Performance:`)
+  console.log(`    - Total duration: ${(totalBatchWaitTime / 1000).toFixed(1)}s`)
+  console.log(`    - Total API batches: ${totalApiBatches}`)
+  console.log(`    - Avg time per file: ${fileEntries.length > 0 ? (totalBatchWaitTime / fileEntries.length).toFixed(0) : 0}ms`)
+  console.log(`  - Cache metrics:`)
+  console.log(`    - Cache writes: ${stats.cacheCreationTokens.toLocaleString()} tokens`)
+  console.log(`    - Cache reads: ${stats.cacheReadTokens.toLocaleString()} tokens`)
+  console.log(`    - Cache hit rate: ${(stats.cacheHitRate * 100).toFixed(1)}%`)
+  console.log(`  - Token usage:`)
+  console.log(`    - Input (total): ${stats.estimatedInputTokens.toLocaleString()} tokens`)
+  console.log(`    - Output: ${stats.estimatedOutputTokens.toLocaleString()} tokens`)
+  console.log(`  - Estimated cost: $${stats.estimatedCost.toFixed(4)}`)
+  // Clear cache after validation complete
+  cachedProjectContext = null
+  return { vulnerabilities: validatedFindings, stats }
+}
+/**
+ * Clear cached project context (called after validation complete)
+ */
+export function clearAnthropicCache(): void {
+  cachedProjectContext = null
+}

package/src/layer3/anthropic/providers/index.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * AI Providers Index
+ *
+ * Re-exports all AI provider implementations.
+ */
+export { validateWithOpenAI, clearOpenAICache } from './openai'
+export { validateWithAnthropic, clearAnthropicCache } from './anthropic'